Stealthy Attacks in Wireless Ad Hoc Networks: Detection and Countermeasure - Issa Khalil, Saurabh Bagchi

  1. Stealthy Attacks in Wireless Ad Hoc Networks: Detection and Countermeasure
     Issa Khalil, Saurabh Bagchi
     IEEE Transactions on Mobile Computing, 2011
     Presented by Yang Chen
     CS6204 – Mobile Computing

  2. Khalil-TMC11 Outline
     - Background and Foundations
     - Stealthy Dropping Attack Description and Mitigation
     - Model Analysis
     - Simulation Result
     - Conclusion

  3. Background
     - Wireless Ad Hoc and Sensor Networks (WASN) are becoming an important platform
     - WASN is vulnerable to attacks
       - Control traffic: wormhole, rushing, Sybil
       - Data traffic: blackhole, selective forwarding, delaying
     - Cryptographic mechanisms alone cannot prevent attacks
     - Local Monitoring
     - Behavior-based detection

  4. Background
     - Baseline Local Monitoring (BLM)
       - Guard nodes perform local monitoring with the objective of detecting security attacks
       - Monitoring: non-modification, acceptable delay, appropriate next hop
     - Stealthy packet dropping
       - Disrupts the packet from reaching the destination by malicious behavior
       - The action appears correct to its neighbors
       - Four different modes

  5. Attack Model & System Assumption
     - The attacker can control an external node or an internal node
       - External node: does not possess the cryptographic keys
       - Internal node: does, but is compromised
     - A malicious node can perform packet dropping
       - By itself or by colluding with other nodes
     - A malicious node can have high-powered, controllable transmission capability
     - Communications are bidirectional
     - Every node knows both its first- and second-hop neighbors
     - A key management protocol exists

  6. Local Monitoring
     - Collaborative detection strategy
     - Guard node
       - A node that is able to watch another node; it must be a neighbor of both that node and its previous hop
       - $G(N_1, N_2) = R(N_1) \cap R(N_2) - N_2$, where $R(N)$ is the radio range of $N$

  7. Local Monitoring
     - A malicious counter is maintained at each guard node
       - MalC(i,j), kept within time $T_{win}$, increases for malicious activity
     - If MalC(i,j) exceeds the threshold
       - Node i revokes j from its neighbor list (direct isolation) and sends an alert
       - A neighbor of node i verifies the alert; when it gets enough alerts, it revokes j (indirect isolation)
     - Detection confidence index γ

  8. Stealthy Dropping Attack
     - Objective: dropping a packet
     - Four modes
       - Packet misrouting
       - Power control
       - Colluding collision
       - Identity delegation
     - Side effect
       - A legitimate node is accused of packet dropping

  9. Packet Misrouting
     - The malicious node relays the packet to the wrong next hop
     - A node that receives a packet to relay without being on the route to the destination will drop the packet
     - A → M → B: node M relays the packet to E
       - E will drop the packet
     - Result
       - M drops the packet without being detected (I & II)
       - E is accused by the guards over M → E (II & III)

  10. Power Control
     - The malicious node controls its power to reduce its transmission range, excluding the next-hop node
     - The next hop cannot receive the packet
     - S → M → T: M reduces its r
       - I guards will accuse M, II guards will not
     - If the number of I guards is greater than the detection confidence index γ - 1, M will refrain from lowering the power

  11. Colluding Collision
     - The malicious node coordinates its transmission with a transmission of its colluding partner to the next-hop node
     - The two packets will collide at T, so T will not receive the packet from M
     - Result
       - $M_1$ drops the packet
       - T is accused by I guards

  12. Identity Delegation
     - This attack involves two malicious nodes
       - One is the next hop of the sender, $M_2$
       - One is spatially close to the sender, $M_1$, and is allowed to use $M_2$'s identity to transmit
     - T will not receive the packet, since T is out of range of $M_1$
     - Result
       - $M_2$ drops the packet; I guards are satisfied
       - T is accused by II guards

  13. Mitigation
     - The four modes of the Stealthy Dropping Attack can be categorized as two subsets
       - Misrouting
       - Power Control, Colluding Collision, Identity Delegation
     - Key observation: the attacker makes sure the number of unsatisfied guards is less than the detection index γ
     - Two mechanisms augment traditional local monitoring to detect the stealthy dropping attack
     - Stealthy Attacks in Wireless Ad Hoc Networks: Detection and Countermeasure (SADEC)

  14. Mitigating Packet Misrouting
     - Basic idea: extend the knowledge of each guard to include the identity of the next hop for the packet being relayed
     - Proactive protocols and some reactive protocols: each packet carries the route information in its header → no extra information
     - Some other reactive protocols: need flooding REQs and REPs to establish the route
       - Add the previous two hops to the header of the REQ packet
       - Guards collect the information during the route establishment phase

  15. Mitigating Other Three Attacks
     - Key observation: attackers reduce the number of unsatisfied guards to less than the detection index γ
     - Basic idea: expand the guard nodes to all the neighbors of the node being monitored
     - Additional tasks of nodes
       - Each node, X, keeps a count of the number of messages each of its neighbors, Y, has forwarded (FC(X, Y)) over a predefined time interval
       - Each node has to announce the number of packets it has forwarded over some period of time

  16. Mitigating Other Three Attacks
     - Comparator, C(N)
       - A neighbor of a node, N, that collects the number of packets forwarded by N and compares the result with the count announced by N
       - All nodes in radio range R(N)
     - If a comparator's count is not within the acceptable range of the announced forward count, the comparator's MalC will increase
     - When a node overhears a packet from non-neighbor nodes, it will request three-hop nodes to announce
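
The power-control attack and the comparator countermeasure described in the slides above, as an added Python sketch that is not code from the paper or the presentation. The node coordinates, ranges, tolerance and the rule that M announces every packet as forwarded are constructed assumptions, and one mismatching interval is treated as one accusation.

```python
import math

# Constructed topology (metres). Route S -> M -> T; G1..G5 are bystanders.
NODES = {"S": (0, 0), "M": (20, 0), "T": (40, 0), "G1": (10, 8),
         "G2": (12, -6), "G3": (18, 10), "G4": (8, 12), "G5": (30, 5)}
RANGE = 25.0    # normal radio range (assumed)
GAMMA = 2       # detection confidence index: accusers needed to isolate
TOLERANCE = 1   # acceptable gap between counted and announced forwards (assumed)


def in_range(n, r=RANGE):
    """Nodes other than n that lie inside n's radio range of radius r."""
    return {x for x in NODES if x != n and math.dist(NODES[x], NODES[n]) <= r}


def guards(n1, n2):
    """G(N1, N2) = R(N1) & R(N2) - N2; the previous hop N1 is itself a guard."""
    return ((in_range(n1) | {n1}) & (in_range(n2) | {n2})) - {n2}


def blm_accusers(tx_range):
    """BLM: guards of M over S->M that never overhear M relay the packet."""
    heard = in_range("M", tx_range)
    return {g for g in guards("S", "M") if g not in heard}


def sadec_accusers(tx_range, packets=10):
    """SADEC: every neighbour X of M compares FC(X, M) with M's announcement."""
    heard = in_range("M", tx_range)
    announced = packets  # assumption: M claims to have forwarded everything
    return {x for x in in_range("M")
            if abs((packets if x in heard else 0) - announced) > TOLERANCE}


def isolated(accusers):
    """M is isolated once at least GAMMA nodes accuse it."""
    return len(accusers) >= GAMMA


if __name__ == "__main__":
    y = 19.0  # reduced transmission range that no longer reaches T (20 m away)
    for name, fn in (("BLM", blm_accusers), ("SADEC", sadec_accusers)):
        acc = fn(y)
        print(f"{name}: accusers={sorted(acc)} isolated={isolated(acc)}")
```

With the reduced range only the sender S is an unsatisfied guard under BLM, while T, a neighbor of M that is not a guard over S → M, becomes a second accuser once all neighbors act as comparators.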

  17. Analysis
     - Assumptions
       - Homogeneous network
       - Nodes are uniformly distributed, density d
       - No edge effects
     - Attacker model
       - Reduced transmission range of M is y
     - Output parameters:
       - Probability of detection
       - Probability of isolation
       - Probability of false detection or isolation
       - Probability of framing detection or isolation

  18. Analysis of Misrouting
     - Misrouting Stealthy Packet Dropping
     - Four different possibilities for the guard G
       - G misses both $P_{in}$ and $P_{mr}$ → missed detection
       - G misses $P_{in}$ but gets $P_{mr}$ → detection as fabricate
       - G gets $P_{in}$ but misses $P_{mr}$ → detection as drop
       - G gets both $P_{in}$ and $P_{mr}$ → successful misrouting detection for SADEC and missed detection for BLM
     - Natural channel error is $P_c$
     - $\psi$ packets are relayed by M in $T_{win}$
     - M misroutes with prob. $P_{mal}$
     - MalC threshold is $\beta$

  19. BLM To Misrouting
     - Scenario analysis
       - Case 1: missed detection
       - Case 4: normal
       - Cases 2&3: detection of malicious nodes and false detection for good nodes
     - The probability of cases 2&3
     - Under binomial distr., the prob. of detection a malicious
     - $\mu > \beta$; otherwise, $P_{detect} = 0$

  20. BLM To Misrouting
     - A node is isolated when it is detected by at least $\gamma$ neighbors when # of neighbors ≥ $\gamma$; if # of neighbors < $\gamma$, by all the neighbors
     - Frame
       - Framing detection
       - Framing isolation

  21. SADEC To Misrouting
     - Differences and similarities
       - Case 4: correct detection at a guard with SADEC
       - Cases 2&3 are the same
     - Probability of case 2,3,4:
     - Probability of detection:
     - Probability of isolation:

  22. SADEC To Misrouting
     - The probability of false detection and isolation is the same as for BLM
     - The probability of frame detection and isolation is 0
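
An added numerical sketch of the misrouting analysis (not from the paper or the slides): it compares the per-guard detection probability and the isolation probability of BLM and SADEC using the four guard cases and the binomial model named above. It assumes the incoming and the misrouted packet are lost independently with the channel error probability, that each detected event raises MalC by one, and that the number of misrouted packets is the rounded expected value; all parameter values are constructed.

```python
from math import comb


def binom_tail(n, p, k):
    """P[X >= k] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(max(k, 0), n + 1))


def case_probs(p_c):
    """Cases 1-4 at one guard, assuming P_in and P_mr are lost independently."""
    ok = 1 - p_c
    return {1: p_c * p_c,   # misses both        -> missed detection
            2: p_c * ok,    # misses P_in only   -> seen as fabrication
            3: ok * p_c,    # misses P_mr only   -> seen as drop
            4: ok * ok}     # gets both          -> caught only by SADEC


def p_detect(scheme, p_c, packets, p_mal, malc_threshold):
    """Chance that one guard's MalC for M exceeds the threshold within T_win."""
    c = case_probs(p_c)
    per_packet = c[2] + c[3] + (c[4] if scheme == "SADEC" else 0.0)
    misrouted = round(packets * p_mal)   # assumption: expected count, rounded
    if misrouted <= malc_threshold:      # too few events to ever exceed it
        return 0.0
    return binom_tail(misrouted, per_packet, malc_threshold + 1)


def p_isolate(scheme, guards, confidence_index, **link):
    """Chance that enough guards detect M: at least the confidence index,
    or all of them when there are fewer guards than that."""
    if guards == 0:
        return 0.0
    need = min(confidence_index, guards)
    return binom_tail(guards, p_detect(scheme, **link), need)


if __name__ == "__main__":
    link = dict(p_c=0.05, packets=20, p_mal=0.5, malc_threshold=3)  # constructed
    for scheme in ("BLM", "SADEC"):
        print(scheme, f"detect={p_detect(scheme, **link):.4f}",
              f"isolate={p_isolate(scheme, 5, 3, **link):.6f}")
```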

  23. Analysis of Misrouting
     - With high enough density, both can completely isolate the malicious node, but SADEC does so with low d

  24. Analysis of Misrouting
     - As d increases, BLM quickly reaches 1, but SADEC does not

  25. BLM To Power Control
     - $g_h$: happy guards, in (c)
     - $g_f$: fooled guards, in (d)
     - Assume the distances S → M and M → T are the same
     - $g_h = g_f = \mathrm{Area}_c \cdot d$
     - The number of nodes that detect the attack is $g_d = g - g_h$

  26. BLM To Power Control
     - $P_{detect}$ is the same as for misrouting
     - $P_{isolate}$ is the same but replacing $g$ by $g_d$
     - The probability of false detection and isolation is the same as for misrouting
     - The probability of framing detection is the same as for misrouting
     - The probability of framing isolation is the same after replacing $g$ with $g_f$
