Title: Spyware on Internet. Sybil Attacks on Sensor Networks.
Slide 1: Spyware on Internet. Sybil Attacks on Sensor Networks.
- csci599, Spring 2004
- Siddharth Thakkar
Slide 2: Presentation Outline
- Spyware
  - Introduction
  - Spyware basics and classes
  - Study in the paper: Gator, eZula, SaveNow, Cydoor
  - Analysis
  - Results in detail
  - Spyware vulnerabilities
  - Scaling on to the Internet
  - Conclusions
- Sybil attacks
  - Introduction and basics
  - Taxonomy
  - Attacks
  - Defenses, especially random key distribution approaches
  - Summary
  - Sybil attacks in P2P networks
Slide 3: Spyware
Reference: "Measurement and Analysis of Spyware in a University Environment", Saroiu et al.
Slide 4: Introduction: Stealth/Parasite Programs
- Stealth and parasite programs (CIAC technical bulletin, Nov 2002)
  - Distributed and installed along with a known program: they get onto a system by piggybacking on an installer.
  - Not viruses! Viruses attach themselves to other programs in order to steal a ride onto another person's system; parasite programs are intentionally attached to the programs they ride on.
- Classes
  - Adware: advertisements, web pages, pop-ups or cookies delivered through the browser when you access a web page that contains an ad from the adware server.
  - Spyware: spies on all your browsing activity, looking into browser temp files, cookies and histories; all collected information is sent back to the spyware server and used to target future (mis)use of that information.
  - Stealth networks: networks of computers, usually P2P, used to store files on and queue jobs for execution on someone else's system (needs a program installed there).
  - Browser Helper Objects (BHOs): essentially add-in programs / executable code for Internet Explorer; difficult to detect, and the Registry has to be cleaned to remove them.
Slide 5: Spyware Basics
- Definition (user's perspective)
  - Software that gathers information about the computer's use (with or without the user's consent) and relays it back to a third party for that party's benefit.
- Risks
  - The user's privacy is compromised.
  - Usability/stability of the user's computing environment is affected.
  - Spyware can self-update, introducing new security vulnerabilities.
  - It can put millions of computers at risk.
- Why does it exist?
  - Because information is valuable and can be capitalized upon.
- How do I get it? Through your own behavior:
  - Popular software with embedded spyware.
  - Websites prompting you to install browser extensions.
  - Cookies that track behavior across cooperating websites.
- Usability vs. security: operating systems are meant to be extensible!
Slide 6: Classes of Spyware (characteristics, working and threats) - 1
- Cookies and web bugs
  - Passive form of spyware (no code of their own).
  - Cookies
    - State stored in the client's web browser.
    - The website (or advertisement provider) that stored a cookie can retrieve it later.
    - Can track the user's behavior across various sites.
  - Web bugs
    - Invisible images embedded in a page, placed by advertisement networks.
- Browser hijackers
  - Try to change browser settings (start page, search) via BHOs (Browser Helper Objects), the Windows registry or browser preference files.
Slide 7: Classes of Spyware (characteristics, working and threats) - 2
- Keyloggers
  - Record all keystrokes: passwords, credit card numbers, etc.
  - Newer ones also capture logs of visited sites, chat sessions, and the windows and programs opened.
- Tracks
  - Applications record information about the user's actions (e.g. recently visited websites); the OS does it too.
  - Such tracks can be mined by malicious programs.
- Malware
  - Viruses, worms, trojan horses, automatic phone dialers!
Slide 8: Classes of Spyware (characteristics, working and threats) - 3
- Spybots
  - The prototypical example of spyware.
  - Monitor the user's behavior, collect activity logs, and transmit them to a third party.
  - Information such as web form data, email addresses (for spam), URL lists, etc.
  - Installed as a BHO, as a DLL, or as a separate process started at OS boot!
- Adware
  - The benign variety of spybots.
  - Displays advertisements tuned to the user's activity, reporting browsing behavior.
Slide 9: Show me a reason to worry!
- The extent is shown by
  - The results of this paper (we'll see them soon).
  - Spyware signatures: e.g. the Spybot Search & Destroy program had 790 signatures as of Jan 27th, 2004.
- The spread
  - Freeware/shareware
  - The authors downloaded 10 popular titles (reporting 872 million downloads in total) from http://download.com.
  - Kazaa, iMesh, Morpheus and Download Accelerator had spyware!
  - 12 spyware programs in free Kazaa (moral: there's no free meal!)
  - Kazaa's paid version doesn't have spyware!!
Slide 10: Spyware studied by this paper
- Aim
  - First academic attempt to understand the nature and extent of spyware, to bring it to the attention of the research community.
  - Studied the versions of the software current between Aug 2003 and Jan 2004.
  - Network signatures to detect spyware, applied to traces of traffic between the University of Washington and the Internet.
- Focused on 4 spyware programs: Gator, Cydoor, SaveNow, eZula
  - All are from the spybot or adware class.
  - Together they affect approx. 5.1% of active university hosts.
  - Can easily get into a user's system via free software.
  - Easy to derive signatures by sniffing network traffic (they use HTTP to talk to their servers).
  - Spyware servers identified by DNS name and by the IP address ranges registered to the vendors in the ARIN and RIPE registries.
Slide 11: Gator - 1
- An adware program, AKA OfferCompanion, Trickler, GAIN
  - Collects and transmits the user's web activity (URLs visited), demographic information (name, zip code) and computer configuration information.
  - Generates a profile of the user's interests and targets advertisements accordingly.
- Installed by
  - Free software from Claria Corporation
  - P2P clients
  - Websites prompting popups to install it
- Runs as
  - A DLL linked with the free software
  - Its own processes: gain.exe, cmesys.exe
- Capable of self-updating!!
Slide 12: Gator - 2
- Smartness
  - Usually spyware can be de-fanged: the hosts file can be edited to remap the DNS names of the spyware servers by adding entries for them.
  - Gator, on the other hand,
    - Comments out hosts-file entries referring to gator.com.
    - Caches the IP addresses of the gator.com DNS names.
  - You are a luser!
Slide 13: Cydoor
- About
  - Made by Cydoor Technologies.
  - The client prefetches targeted pop-up advertisements from servers when the containing application is run, and shows them online or offline!
  - Gets the user's demographic information from a questionnaire filled in while installing the containing application!
- Inside scoop
  - The company also offers a free SDK to embed the Cydoor DLL in any Windows program and generate revenue for the developer.
  - Removing the DLL causes the program to crash!
  - Don't spread the word!
Slide 14: SaveNow
- About
  - The save.exe image.
  - Shows advertisements when the user appears to be shopping.
  - Doesn't transmit information to servers, but still collects such information to target ads.
  - Contacts its server to update its advertisement cache.
  - Comes with free P2P software (Kazaa).
Slide 15: eZula
- About
  - The ezulamain.exe process, AKA TopText, ContextPro, HotText.
  - Attaches to the browser and modifies incoming HTML to create links to ads on keywords; the artificial links are highlighted and redirect traffic away from the page's legitimate advertisers to its own!
  - Bundled with free P2P software (Kazaa, LimeWire) or as a standalone tool.
  - Can self-update!
Slide 16: Analysis Goals and Methodology
- To understand how widespread spyware is within the University of Washington at
  - Individual-client granularity
  - Academic-department granularity
- To gain insight into the kinds of user behavior that are correlated with spyware.
- Monitoring host traces
  - Relevant information about HTTP activity, taken from reconstructed TCP/HTTP request/response streams, is logged at the monitoring host.
  - Sensitive information (client IP addresses) is anonymized using one-way hashing.
Slide 17: Analysis - Environment
- (Figure: University of Washington network infrastructure.)
Slide 18: Aside - some USC network facts
- (Figure: the USC network as presented in June 2003 by James Pepin, ISD.)
Slide 19: Analysis Limitations/Assumptions
- Anonymization
  - 2 bits of each IP address are lost, so an infected client's IP cannot be uniquely recovered.
- DHCP effect
  - No fixed client IP, so dial-up (modem-pool) clients are excluded.
  - But even so, Gator-infected clients could be counted: Gator happens to include a unique identifier in its request packets.
- Signature analysis
  - Might miss some spyware traffic because of pattern-matching errors.
  - But that would only make the result an underestimate; the threat might be higher!
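The methodology of slides 16 and 19 in working form, as an added example (not code from the paper or this presentation): HTTP requests reconstructed by a monitoring host are matched against per-program network signatures, client IPs are replaced by a keyed one-way hash before anything is counted, and Gator installations are counted by the per-client identifier it puts in its requests. The log lines, the signature domains/user-agents and the `uid` query parameter standing in for Gator's identifier are all constructed assumptions, not the paper's real signatures.

```python
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what the monitoring host logs per reconstructed HTTP request:
# time, client IP, method, Host header, URL, User-Agent (tab separated). Invented data.
SAMPLE_LOG = """\
1075500001\t10.1.2.3\tGET\tgator.com\t/update?uid=AAA111\tMozilla/4.0 (Gator 6.0)
1075500002\t10.1.2.3\tGET\tcydoor.com\t/ads/fetch\tCydoor/2.0
1075500003\t10.1.2.4\tGET\twww.example.edu\t/index.html\tMozilla/5.0
1075500004\t10.1.2.5\tGET\tads.ezula.com\t/toptext\tMozilla/4.0
1075500005\t10.1.2.5\tGET\tsavenow.example\t/cache\tSaveNow
1075500006\t10.1.2.6\tGET\tgator.com\t/update?uid=BBB222\tMozilla/4.0 (Gator 6.0)
1075500007\t10.1.2.6\tGET\tgator.com\t/ping?uid=BBB222\tMozilla/4.0 (Gator 6.0)
1075500008\t10.1.2.7\tGET\twww.example.com\t/page\tMozilla/5.0
"""

# Network signatures of the kind the paper derived by sniffing each program's HTTP traffic.
# The hosts and user-agent strings below are assumptions, not the paper's signatures.
SIGNATURES = {
    "Gator":   lambda host, ua: host.endswith("gator.com") or "Gator" in ua,
    "Cydoor":  lambda host, ua: host.endswith("cydoor.com") or ua.startswith("Cydoor"),
    "SaveNow": lambda host, ua: host == "savenow.example" or ua == "SaveNow",
    "eZula":   lambda host, ua: host.endswith("ezula.com"),
}

ANON_SECRET = b"constructed-per-trace-secret"   # held only by the monitoring host

def anonymize(ip):
    """Keyed one-way hash of the client IP: clients stay distinguishable, addresses do not leak."""
    return hmac.new(ANON_SECRET, ip.encode(), hashlib.sha256).hexdigest()[:16]

def parse(log_text):
    for line in log_text.splitlines():
        ts, ip, method, host, url, ua = line.split("\t")
        yield int(ts), anonymize(ip), method, host, url, ua

def analyze(log_text):
    """Infected clients per program, overall infection rate, cross-infection count and the
    number of distinct Gator installations seen (via the assumed 'uid' query parameter)."""
    clients = set()
    infected = defaultdict(set)          # program -> anonymized clients matching its signature
    gator_ids = set()
    for _ts, client, _method, host, url, ua in parse(log_text):
        clients.add(client)
        for name, match in SIGNATURES.items():
            if match(host, ua):
                infected[name].add(client)
        if host.endswith("gator.com"):
            uid = parse_qs(urlsplit(url).query).get("uid")
            if uid:
                gator_ids.add(uid[0])
    any_infected = set().union(*infected.values())
    programs_per_client = defaultdict(int)
    for members in infected.values():
        for c in members:
            programs_per_client[c] += 1
    return {
        "clients": len(clients),
        "infected": len(any_infected),
        "infected_pct": round(100.0 * len(any_infected) / len(clients), 1),
        "per_program": {name: len(members) for name, members in infected.items()},
        "cross_infected": sum(1 for n in programs_per_client.values() if n > 1),
        "gator_installations": len(gator_ids),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Because the anonymizing hash is keyed and one-way, the per-client counts (and the cross-infection figure) survive anonymization, which is exactly why the paper could still report them; the 2-bit loss the authors mention is a property of their particular scheme, not of this one.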
Slide 20: Results: Spread of Spyware - 1
- (Figure.)
Slide 21: Results: Spread of Spyware - 2
- Fraction of the clients that communicated during the study (week-long trace):
  - Gator: 3.4%
  - Cydoor: 1.3%
  - SaveNow: 1.3%
  - eZula: 0.2%
- Bad news
  - In total, 1587 clients (5.1% of all hosts) were infected with one or more spyware programs, and this is with only 4 programs studied!
- Gator
  - Only 52 new installations were found over the week, by studying Gator client registration packets, whose timestamp gives the date of installation.
  - This means many Gator instances were installed months or years in the past!
Slide 22: Results: Spread of Spyware - 3
- (Figure: distribution of Gator installation dates. Values are percentages of the 872 Gator clients, out of 1077, for which an installation date could be discovered.)
Slide 23: Results: Modem vs. Non-Modem
- Modem-pool IPs
  - Though DHCP made the authors exclude dial-up IPs, Gator's per-client identifiers and timestamps could be used to count clients uniquely within the modem pool.
  - 942 Gator installations out of 12,435 accounts using the modem pool (7.6%).
  - Compare the 872 found in the 31,303-host non-modem-pool network (2.8%).
- Which means
  - Spyware is prevalent on personally owned computers,
  - but there is also a significant presence on university computers!!
Slide 24: Results: Cross-Infection Rates - 1
- (Figure.)
Slide 25: Results: Cross-Infection Rates - 2
- Once infected, forever vulnerable!
- eZula
  - Only 28.6% of eZula-infected hosts are infected with ONLY eZula.
  - Whatever causes eZula infections also causes infections by the other spyware programs!
  - Spyware opens new vulnerabilities!
Slide 26: Results: Web Activity - 1
- Usual causes
  - P2P client software
  - Downloading/installing executables off the Internet
  - Software bundled with spyware
- The correlation between such activity and infection can be derived (graphs on the following slides).
Slide 27: Results: Web Activity - 2
- (Figure: servers contacted by infected clients vs. servers contacted by ALL clients.)
Slide 28: Results: Web Activity - 3
- (Figure: web requests issued by infected clients vs. web requests issued by ALL clients.)
Slide 29: Results: Downloading Executables
- (Figure.)
Slide 30: Results: Using P2P File Sharing
- Analysis revealed that
  - 38% of clients issuing at least one Kazaa request were infected by spyware!
  - Mainly Cydoor and Gator (28.2% and 17% respectively).
  - Compared to the previous table (web clients/requests) these values are almost 22 times higher!
  - This implies that file-sharing programs expose clients to spyware, and Kazaa is not the only one!
Slide 31: Results: Today's Security Infrastructure
- Spyware bypasses it!
  - The University of Washington core is centrally managed, but each department is responsible for managing its own systems and security policies: an independent trust domain with its own set of defenses.
  - Still, 69% of organizations are infected with at least one variety of spyware, and 64% have Gator!
- Perimeter protection mechanisms such as firewalls are not helpful!
  - Spyware needs cooperation from the user (willing or not) to get in: it arrives with downloads the user initiates, which the firewall allows.
- An exploit could leave a major network vulnerable!
  - 47% of the most popular web servers in the university share a subnet with a Gator client.
  - A backdoor in spyware could lead an attacker straight inside a major trust boundary!
Slide 32: Bugs in Spyware?!
- Gator/eZula
  - The client software downloads updates for code and data.
  - It doesn't verify the authenticity or integrity of the downloaded archive before extracting files from it.
  - An attacker can therefore cause his/her OWN files to be extracted by hijacking or spoofing gator.com or ezula.com!
  - The authors reported this vulnerability, helping to make the spyware stronger and more secure ??!!!!
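The update flaw on this slide, side by side with what a verified updater looks like, as an added example written for this page (not Gator's, eZula's or the paper's code). `vulnerable_install` unpacks whatever the "update server" returned, so anyone who can answer for the update host gets their own files installed; `hardened_install` refuses the archive unless an authentication tag verifies, and additionally rejects archive members that would escape the install directory. The tag is an HMAC with a key the client would have to hold, which is an assumption made because the Python standard library has no public-key signature primitive; a real updater should use an asymmetric signature (Ed25519, RSA) so that the client holds only a public key that cannot forge updates. The archives and key are constructed in the block.

```python
import hashlib
import hmac
import io
import os
import secrets
import tarfile

def make_archive(files):
    """Build an in-memory tar archive from {member_name: bytes}. Used below to
    construct both the vendor's genuine update and an attacker's substitute."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def vulnerable_install(archive):
    """The behaviour the slide describes: the downloaded archive is unpacked as-is.
    DNS spoofing, a hijacked hosts file or a MITM on plain HTTP is enough to get
    arbitrary files (here returned as {name: bytes}) onto the machine."""
    installed = {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        for m in tf.getmembers():
            if m.isfile():
                installed[m.name] = tf.extractfile(m).read()
    return installed

def sign_archive(key, archive):
    """Tag the vendor computes over the archive before publishing it (HMAC-SHA256;
    stands in for a real signature, see the lead-in)."""
    return hmac.new(key, archive, hashlib.sha256).digest()

def safe_member(name):
    """Reject member names that would write outside the install directory."""
    norm = os.path.normpath(name)
    return not (os.path.isabs(name) or norm.startswith("..") or "\\" in name)

def hardened_install(archive, tag, key):
    """Verify the tag over the whole archive BEFORE parsing it, then refuse anything
    that is not a plain file at a safe relative path."""
    if not hmac.compare_digest(sign_archive(key, archive), tag):
        raise ValueError("update rejected: bad authentication tag")
    installed = {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        for m in tf.getmembers():
            if not m.isfile() or not safe_member(m.name):
                raise ValueError(f"update rejected: unsafe member {m.name!r}")
            installed[m.name] = tf.extractfile(m).read()
    return installed

# Constructed scenario: a vendor update and what a spoofed update host might serve.
VENDOR_KEY = secrets.token_bytes(32)
VENDOR_UPDATE = make_archive({"bin/client.dll": b"legit code v2", "data/ads.db": b"ads"})
VENDOR_TAG = sign_archive(VENDOR_KEY, VENDOR_UPDATE)
ATTACKER_UPDATE = make_archive({"bin/client.dll": b"backdoor",
                                "../../system32/evil.dll": b"dropped outside install dir"})

if __name__ == "__main__":
    print("vulnerable client installed:", sorted(vulnerable_install(ATTACKER_UPDATE)))
    print("hardened client installed:", sorted(hardened_install(VENDOR_UPDATE, VENDOR_TAG, VENDOR_KEY)))
```

Verifying before parsing matters as much as verifying at all: an archive parser fed attacker-controlled bytes is itself attack surface, so the tag check is the first thing the hardened path does.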
Slide 33: Finally, Scaling It on to the Internet
- Kazaa as an example
  - Kazaa user counters on websites report 4 million concurrent clients.
  - Using this paper's 38% infection rate, the estimate is 1.5 million spyware-infected hosts active on the Kazaa network!!
  - An estimate based on external Kazaa hosts contacting University of Washington hosts gives 2.6 million spyware-infected Kazaa hosts!
  - Research at UC Berkeley estimates this to be 3.4 million!
Slide 34: Spyware Conclusions/Comments
- This paper
  - The authors present a well-justified argument about the spread of spyware in a controlled environment such as the University of Washington.
  - The results serve as an alert to the research community.
  - Measuring actual network traffic leaves no doubt about the numbers!
- Spyware
  - Significant local and global security implications.
  - The next trend after annoying banners?
  - Signatures can ease detection.
  - Free software is the most harmful carrier.
  - Its wide spread makes spyware a potential entry point for any system-wide vulnerability break-down!
  - System administrators need to stay alert and clean up regularly!
  - Social aspects: train users to avoid clicking OK without reading!
Slide 35: Sybil Attacks
Reference: "The Sybil Attack in Sensor Networks: Analysis and Defenses" by Newsome et al.
Slide 36: Sybil Attacks - Introduction
- The term "Sybil attack"
  - Named after Sybil Dorsett, a survivor of child abuse diagnosed with multiple personality disorder (one of the first such diagnoses), who reportedly hosted sixteen separate and distinct personalities before making the long journey to recovery.
- Definition
  - In networks: an attack where the attacker possesses multiple identities; a malicious node behaves as if it were a larger number of nodes, by impersonating other nodes or simply by claiming false identities!
  - First identified for P2P networks by John Douceur.
Slide 37: Sybil Attacks and Sensor Networks
- Motivation
  - Sensor networks may monitor critical information.
  - Sybil attacks may exploit, confuse or overwhelm the sensor network.
  - Need to identify and classify such attacks.
  - Need to choose the best defense mechanism for sensor networks.
- This paper
  - Is the first study of Sybil attacks on sensor networks.
  - The authors identify attacks, classify them and then evaluate various defense mechanisms!
Slide 38: Sybil Attacks Taxonomy - 1
- (Figure: taxonomy along three dimensions: direct vs. indirect communication, fabricated vs. stolen identities, simultaneous vs. non-simultaneous.)
Slide 39: Sybil Attacks Taxonomy - 2
- Direct communication
  - Sybil nodes talk directly to legitimate nodes: when a legitimate node sends a radio message to a Sybil node, it is the malicious device that listens.
- Indirect communication
  - Messages to a Sybil node are routed through one of the malicious nodes.
- Fabricated identities
  - The attacker simply creates new ones, e.g. assigning each Sybil node a random 32-bit value if nodes are identified by 32-bit integers.
- Stolen identities
  - If the mechanism can identify legitimate node identities, the attacker instead assigns other legitimate nodes' identities to its Sybil nodes, destroying or temporarily disabling the impersonated nodes.
- Simultaneous
  - All Sybil identities participate in the network at once (or the attacker cycles through them).
- Non-simultaneous
  - The attacker holds a large number of identities over time but acts as only a small number at any given time, e.g. leaving and joining multiple times with separate identities.
Slide 40: List of Sybil Attacks - 1
- Known attacks
  - Distributed storage
    - Can defeat replication and fragmentation mechanisms, and easily defeats DHTs based on geographic hashing (GHTs).
    - The system is designed to replicate data on several nodes, but it might be storing all the copies on Sybil identities generated by one malicious node!
  - Routing
    - Multipath or dispersity routing: seemingly disjoint paths could in fact all go through a single malicious node presenting several Sybil identities.
    - Geographic routing: a Sybil node could appear at multiple locations at once.
    - Attempts to detect routing attacks such as black holes: a Sybil attack could confuse the detection mechanism!
Slide 41: List of Sybil Attacks - 2
- New attacks
  - Data aggregation
    - One malicious node could contribute to the computed aggregate of readings many times, and may completely alter the aggregate reading!
  - Voting
    - Wireless sensor networks use voting for many tasks.
    - A Sybil attack allows false ballots or ballot stuffing!
    - The attacker may be able to determine or influence the outcome of any vote, e.g. to declare a legitimate node as misbehaving, or to save a misbehaving node by voting in its favor.
Slide 42: List of Sybil Attacks - 3
- Fair resource allocation
  - Sybil identities let a malicious node obtain an unfair share of a shared resource (such as the radio channel).
  - Denial of service to legitimate nodes, and more resources for the attacker to perform more attacks!
- Misbehavior detection
  - Usually, because of false-positive considerations, a misbehavior detection system delays taking action.
  - An attacker with Sybil identities could spread the blame and pass unnoticed by misbehaving only a little per identity!
  - If action is taken to revoke an identity, the attacker can create new identities and continue misbehaving without the device itself getting revoked!
Slide 43: Vulnerable Protocols
- (Table: which protocols are vulnerable to which kinds of Sybil attack.)
Slide 44: Sybil Attack Identity Validation
- Identity validation
  - Types
    - DIRECT VALIDATION: a node directly tests another node's identity.
    - INDIRECT VALIDATION: nodes that have already been verified are allowed to vouch for or refute other nodes.
- Note
  - The paper focuses on direct validation schemes only.
Slide 45: Defenses
- Previous defenses
  - Resource testing
    - Assumption: each physical entity has a limited amount of some resource.
    - Verify that each identity has as much of the tested resource as a physical device would; an entity that cannot back every identity it claims with a full device's worth of the resource is running multiple identities!
    - Communication is the critical resource for sensor networks.
    - One method: broadcast a request for identities and accept only the replies that arrive within a given time interval.
    - Unsuitable for wireless sensor networks, because all the replies congest the network!
- New defenses
  - New approaches suggested by the authors: topics to follow ->
Slide 46: Radio Resource Testing - 1
- Assumption
  - A physical device has only one radio and can't send or receive on more than one channel simultaneously.
- Working
  - A verifier assigns each of its n neighbors a different channel to broadcast on.
  - It then listens on a randomly chosen channel.
  - If the neighbor assigned that channel is legitimate, the verifier should hear its message.
  - Choosing a channel that nobody is transmitting on is a Sybil-node detection!
- Probabilities (s Sybil identities among n neighbors)
  - Probability of detecting a Sybil node in one round: s/n
  - Probability of NOT detecting one: (n - s)/n
  - Repeated for r rounds: ((n - s)/n)^r
Slide 47: Radio Resource Testing - 2
- Case: not enough channels to assign one to each neighbor
  - Test c neighbors at a time, over r rounds.
  - There are S Sybil nodes, M malicious nodes and G good nodes.
- More channels means easier/faster detection (see the next graph).
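The radio resource test of slides 46 and 47 as an added, runnable example (my code, not the paper's): the analytic survival probability ((n - s)/n)^r next to a Monte Carlo simulation of the protocol itself, including the limited-channel case where only c identities can be tested per round. The attacker model is an assumption: the malicious device honours the one-radio limit and, not knowing which channel the verifier will listen on, transmits on one randomly chosen channel among its tested identities. The neighbourhood is constructed in the block.

```python
import random

def p_undetected(n, s, r):
    """Slide 46: s Sybil identities among a verifier's n neighbours survive r rounds
    of the single-channel test with probability ((n - s)/n)^r."""
    return ((n - s) / n) ** r

def rounds_needed(n, s, target):
    """Smallest r such that the Sybil identities survive with probability <= target."""
    r = 0
    while p_undetected(n, s, r) > target:
        r += 1
    return r

def radio_test_round(identities, device_of, channels, rng):
    """One round. identities: the neighbour IDs the verifier sees. device_of maps each
    identity to the physical radio behind it (several identities on one device = Sybil).
    channels: distinct channels the verifier can hand out; with fewer channels than
    neighbours only `channels` identities are tested this round (slide 47's case c < n).
    Returns True if the verifier's chosen channel is silent, i.e. a Sybil was caught."""
    tested = rng.sample(identities, min(channels, len(identities)))
    assignment = {ident: ch for ch, ident in enumerate(tested)}   # distinct channel each
    # A physical device can transmit on only ONE channel per round. A device that owns
    # several tested identities must pick one of them to answer for (assumption: at random,
    # since it cannot know which channel the verifier is listening on).
    transmitting = set()
    for dev in {device_of[i] for i in tested}:
        own = [i for i in tested if device_of[i] == dev]
        transmitting.add(assignment[rng.choice(own)])
    listen = rng.randrange(len(tested))
    return listen not in transmitting

def simulate(identities, device_of, channels, rounds, trials, seed=0):
    """Fraction of trials in which at least one of `rounds` rounds catches a Sybil identity."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        if any(radio_test_round(identities, device_of, channels, rng) for _ in range(rounds)):
            caught += 1
    return caught / trials

def sybil_neighbourhood(good, sybil):
    """Constructed scenario: `good` honest single-identity devices plus one malicious
    device that presents itself as its own identity "m" and `sybil` fabricated ones."""
    identities = [f"g{i}" for i in range(good)] + ["m"] + [f"sybil{i}" for i in range(sybil)]
    device_of = {i: ("malicious-radio" if i == "m" or i.startswith("sybil") else i)
                 for i in identities}
    return identities, device_of

if __name__ == "__main__":
    ids, dev = sybil_neighbourhood(good=6, sybil=3)          # n = 10 neighbours, s = 3
    for r in (1, 5, 13):
        print(r, "rounds: analytic survival", round(p_undetected(10, 3, r), 4),
              "simulated detection", simulate(ids, dev, channels=10, rounds=r, trials=5000))
    print("with only 4 channels:", simulate(ids, dev, channels=4, rounds=5, trials=5000))
```

With all n identities tested, the simulated detection rate matches 1 - ((n - s)/n)^r; with c < n channels each round covers only a subset of the neighbourhood, so more rounds are needed for the same confidence, which is the point of slide 47's graph.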
Slide 48: Radio Resource Testing - 3
- Advantages
  - Effective defense against the simultaneous, direct-communication variant of Sybil attacks.
- Disadvantages
  - Rests on the assumption that a device can't send on multiple channels simultaneously: a software radio negates this assumption!
Slide 49: Random Key Predistribution - 1
- Basic idea
  - Assign a random set of keys (or key-related information) to each node.
- Key-setup phase
  - Each node can compute the common keys it shares with its neighbors, giving a shared secret session key for node-to-node secrecy!
- Key validation
  - The network is able to verify part or all of the keys that an identity claims to have!
  - The bad guy may have been able to capture only a limited set of keys, so there is little probability that an arbitrarily generated identity will work!
Slide 50: Random Key Predistribution - 2
- Validation: 2 ways
  - Direct: each node challenges an identity using its own limited knowledge.
    - (-) May not reach a globally consistent decision.
  - Indirect: nodes collaborate.
    - (+) Effective, since individual sensor nodes have limited memory/knowledge!
    - (-) Costly: communication overhead.
- Random key predistribution approaches (modified by the authors to serve as Sybil defenses)
  - Key pool
  - Single-space pairwise key distribution
  - Multiple-space pairwise key distribution
Slide 51: Key Pool - 1
- Core scheme
  - A set of keys from the pool is assigned to each node.
  - If two nodes share q common keys, they can establish a secret link.
  - Which keys from the pool a node gets (Omega(ID)) is determined from its ID by a one-way pseudo-random function.
  - The attacker can't just gather a bunch of keys and then pick an identity that matches them: the PRF is one-way!
- Validation
  - Challenge the identity on its keys.
  - If a key K_i should be in Omega(ID) but it isn't in the attacker's compromised key set S, the identity ID is cheating!
Slide 52: Key Pool - 2
- Analysis - 1
  - Full validation case.
  - Partial validation, challenged by d nodes:
    - Pr(ID passes) = sum over t of Pr(t = |Omega(ID) ∩ S|) × Pr(ID passes validation with all d verifiers | t = |Omega(ID) ∩ S|)
  - Detailed mathematical steps in the paper.
Slide 53: Key Pool - 3
- Analysis - 2
  - With a tolerance threshold of Pr(a random Sybil ID is usable) = 2^-64:
    - The attacker needs to compromise only 30 nodes under partial validation,
    - but 150 under full validation!
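Slides 51 to 53 in code, as an added example (mine, not the paper's): the one-way map from an identity to its key indices Omega(ID), the challenge-response that lets a verifier test the keys it shares with a claimed identity, full validation by a verifier that knows the whole pool, and the probability that a random Sybil identity survives full validation when the attacker holds |S| compromised keys. Assumptions: Omega(ID) is derived by SHA-256 over ID||counter, knowledge of a key is proven with an HMAC over a nonce, Omega(ID) is modelled as a uniform k-subset of the pool for the probability formula, and the pool is tiny (100 keys) so the numbers are easy to read; the paper's own parameters and its exact partial-validation analysis are not reproduced here.

```python
import hashlib
import hmac
import math
import random
import secrets

POOL_SIZE = 100      # P: keys in the pool (assumed tiny; real deployments use thousands)
KEYS_PER_NODE = 5    # k: keys each node is loaded with

def generate_pool(pool_size=POOL_SIZE, seed=1):
    """The setup server's key pool K_0 .. K_{P-1} (constructed from a fixed seed)."""
    rng = random.Random(seed)
    return [rng.getrandbits(128).to_bytes(16, "big") for _ in range(pool_size)]

def key_indices(node_id, pool_size=POOL_SIZE, k=KEYS_PER_NODE):
    """Omega(ID): the k distinct pool indices bound to an identity by a one-way PRF
    (assumed: SHA-256 over ID||counter). Because the map is one-way, an attacker holding
    key set S cannot solve for an ID whose Omega(ID) lies inside S; it can only try random
    IDs, each of which works with the probability computed in pass_probability_full()."""
    chosen = []
    ctr = 0
    while len(chosen) < k:
        h = hashlib.sha256(f"{node_id}|{ctr}".encode()).digest()
        idx = int.from_bytes(h[:8], "big") % pool_size
        if idx not in chosen:
            chosen.append(idx)
        ctr += 1
    return chosen

def load_node(pool, node_id):
    """Keys the setup server installs on a legitimate node: {index: key}."""
    return {i: pool[i] for i in key_indices(node_id, len(pool))}

def respond(keys, index, nonce):
    """A claimant proves knowledge of K_index with an HMAC over the verifier's nonce."""
    if index not in keys:
        return None                          # cannot answer: does not hold that key
    return hmac.new(keys[index], nonce, hashlib.sha256).digest()

def validate(verifier_keys, claimed_id, claimant_keys, pool_size=POOL_SIZE):
    """Direct validation with the verifier's own limited knowledge: it can challenge
    only the indices of Omega(ID) that it holds itself. Returns True (passed), False
    (caught cheating) or None (no key in common, so this verifier cannot decide)."""
    challengeable = [i for i in key_indices(claimed_id, pool_size) if i in verifier_keys]
    if not challengeable:
        return None
    for i in challengeable:
        nonce = secrets.token_bytes(16)
        expected = hmac.new(verifier_keys[i], nonce, hashlib.sha256).digest()
        answer = respond(claimant_keys, i, nonce)
        if answer is None or not hmac.compare_digest(answer, expected):
            return False
    return True

def full_validate(pool, claimed_id, claimant_keys):
    """Full validation: a verifier knowing the whole pool (e.g. a base station)
    challenges every key in Omega(ID)."""
    return validate(dict(enumerate(pool)), claimed_id, claimant_keys, len(pool))

def pass_probability_full(pool_size, k, compromised):
    """Pr(a random Sybil ID survives full validation) when the attacker holds `compromised`
    distinct pool keys: C(|S|, k) / C(P, k) under the uniform k-subset model."""
    if compromised < k:
        return 0.0
    return math.comb(compromised, k) / math.comb(pool_size, k)

def captured_key_set(pool, captured_ids):
    """S: every key the attacker learns by physically capturing the given nodes."""
    s = {}
    for nid in captured_ids:
        s.update(load_node(pool, nid))
    return s

if __name__ == "__main__":
    pool = generate_pool()
    attacker = captured_key_set(pool, range(1, 11))       # 10 captured nodes
    print("keys compromised:", len(attacker))
    print("Pr(random Sybil ID passes full validation):",
          pass_probability_full(len(pool), KEYS_PER_NODE, len(attacker)))
    print("Sybil ID 9999 against full validation:", full_validate(pool, 9999, attacker))
```

The `None` outcome of `validate` is the concrete form of the slide's objection to direct validation: a verifier with no key in common with Omega(ID) has nothing to challenge, so different verifiers can reach different verdicts about the same identity unless they pool their knowledge (indirect validation) or a full-pool verifier is consulted.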
Slide 54: Single-Space Pairwise Key Distribution
- Scheme
  - Assign a unique key to each pair of nodes.
  - Blom's scheme / the polynomial-based scheme (see references).
  - Node i stores unique public information U_i and private information V_i.
  - Node i computes its key with node j as f(V_i, U_j).
- λ-secure property
  - Secure against direct and indirect Sybil attacks as long as fewer than λ nodes are compromised (c < λ).
- Validation
  - A node validates an identity provided the identity can demonstrate the pairwise key between itself and the verifier!
  - No consideration of OTHER nodes.
  - Still need globally consistent validation.
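Blom's scheme from this slide, worked through as an added example (my code, not the paper's): the setup server's secret symmetric matrix D, the public Vandermonde column U_j derived from a node's ID, the private row V_j loaded into each node, the pairwise key f(V_i, U_j) that both sides compute, direct validation by a pairwise-key challenge, and why the scheme is only λ-secure: from λ+1 captured rows the attacker solves for D and can then derive every other node's key. Assumptions: the field is GF(p) for the Mersenne prime 2^61 - 1, λ = 2, IDs are small integers, and knowledge of the key is proven with an HMAC over a nonce.

```python
import hashlib
import hmac
import random
import secrets

P = (1 << 61) - 1    # prime modulus of the field (assumption: a Mersenne prime)
LAMBDA = 2           # lambda: secure while at most LAMBDA nodes are captured

def public_column(node_id, lam=LAMBDA, p=P):
    """U_j: the Vandermonde column G_j = (1, j, j^2, ..., j^lambda) from the public ID."""
    return [pow(node_id, r, p) for r in range(lam + 1)]

def setup(lam=LAMBDA, p=P, seed=None):
    """Setup server's secret: a random symmetric (lambda+1)x(lambda+1) matrix D over GF(p)."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    d = [[0] * (lam + 1) for _ in range(lam + 1)]
    for i in range(lam + 1):
        for j in range(i, lam + 1):
            d[i][j] = d[j][i] = rng.randrange(p)
    return d

def private_row(d, node_id, p=P):
    """V_j: row j of A = (D G)^T, i.e. D * G_j, loaded into node j before deployment."""
    g = public_column(node_id, len(d) - 1, p)
    return [sum(d[r][c] * g[c] for c in range(len(d))) % p for r in range(len(d))]

def pairwise_key(my_row, peer_id, p=P):
    """K_ij = f(V_i, U_j) = A_i . G_j = G_i^T D G_j; equal to K_ji because D is symmetric."""
    g = public_column(peer_id, len(my_row) - 1, p)
    return sum(a * b for a, b in zip(my_row, g)) % p

def prove(key, nonce):
    return hmac.new(key.to_bytes(8, "big"), nonce, hashlib.sha256).digest()

def validate(verifier_row, verifier_id, claimed_id, responder):
    """Direct validation from the slide: the identity is accepted only if the responder
    can demonstrate the pairwise key the verifier computes for it."""
    nonce = secrets.token_bytes(16)
    expected = prove(pairwise_key(verifier_row, claimed_id), nonce)
    return hmac.compare_digest(responder(verifier_id, nonce), expected)

def honest_responder(my_row):
    """A node answering challenges with the row it was actually given."""
    return lambda verifier_id, nonce: prove(pairwise_key(my_row, verifier_id), nonce)

def solve_mod(m, b, p=P):
    """Gauss-Jordan elimination: X with M X = B over GF(p); M square and invertible."""
    n = len(m)
    aug = [list(m[i]) + list(b[i]) for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] % p)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [x * inv % p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] % p:
                f = aug[r][col]
                aug[r] = [(x - f * y) % p for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def recover_secret(captured_rows, p=P):
    """The lambda-security limit: with lambda+1 captured rows A_j = G_j^T D, the attacker
    solves the linear system for D (distinct IDs give independent Vandermonde columns)
    and from then on can compute every node's private row and every pairwise key."""
    ids = sorted(captured_rows)
    lam = len(captured_rows[ids[0]]) - 1
    if len(ids) < lam + 1:
        raise ValueError("need lambda+1 captured rows to recover D")
    g_t = [public_column(j, lam, p) for j in ids[:lam + 1]]
    a = [captured_rows[j] for j in ids[:lam + 1]]
    return solve_mod(g_t, a, p)

if __name__ == "__main__":
    d = setup(seed=7)
    rows = {i: private_row(d, i) for i in range(1, 7)}
    print("K_12 == K_21:", pairwise_key(rows[1], 2) == pairwise_key(rows[2], 1))
    print("node 5 claiming to be node 2:", validate(rows[1], 1, 2, honest_responder(rows[5])))
    print("D recovered from 3 captured nodes:", recover_secret({4: rows[4], 5: rows[5], 6: rows[6]}) == d)
```

A Sybil identity needs the private row for the ID it claims, which only the setup server can produce, so with fewer than λ+1 captured nodes a fabricated or stolen identity fails the challenge; the recovery step shows exactly what changes once the capture count reaches λ+1.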
Slide 55: Multi-Space Pairwise Key Distribution - 1
- Scheme
  - The setup server generates m key spaces; each sensor node is assigned k of them.
  - If two neighbors have at least one key space in common, they compute a pairwise secret key as in the single-space scheme!
- Preventing Sybil attacks
  - Without validation
    - Direct-communication Sybil attacks: the attacker needs to capture enough nodes that at least one key space is compromised!
    - Indirect-communication Sybil attacks need validation (next slide).
Slide 56: Multi-Space Pairwise Key Distribution - 2
- With validation
  - Indirect validation is needed to challenge an adversary who claims to have key spaces T_i.
  - For a globally consistent decision: full validation.
    - The adversary has to compromise all k of the claimed key spaces!
  - Probability calculation
    - S_i: the event that space i is compromised; m: the number of key spaces.
    - If S_1 is compromised, it is less likely that S_2 is also compromised (the events are not independent)!
Slide 57: Multi-Space Pairwise Key Distribution - 3
- (Figure.) Note: a different kind of probability is on the Y-axis compared to Fig. 3 before.
Slide 58: Other Defenses
- Registration
  - A trusted central authority managing the network could poll the network and compare the identities found against the known deployment.
  - Sensor networks, unlike P2P, may have central control.
  - (-) The registration list of known identities has to be secured!
- Position verification
  - All of one device's Sybil nodes will appear to be at exactly the same location!
  - Assuming sensor nodes are immobile, the attack is detected!
  - For a mobile attacker, ALL nodes' positions would need to be verified simultaneously!
- Code attestation
  - Validate a node by verifying its memory contents!
  - Not yet applicable to wireless sensor networks.
  - Trusted hardware with security guarantees for this? In the future.
  - (-) Costly and high energy consumption!
Slide 59: Sybil Attacks on Sensor Networks - Summary
- Current defenses can't fight every type of Sybil attack (see the table before); each defense has different costs and assumptions.
- Random key predistribution
  - Sounds most promising, given the difficulty of the attack.
  - Basic pool: maps a node's identity to the indices of its keys using a one-way function.
  - Single-space: good as long as λ nodes are not captured; direct validation suffices for a globally consistent result.
  - Multi-space: the attacker needs λ instances of EACH key space to attack, and has to compromise at least k key spaces to succeed!
- The paper presents a detailed, analytical first take on Sybil attacks on sensor networks! (For P2P, see the next slides.)
- The area needs to explore a lot more options!
  - A way to AVOID the creation of multiple identities?
  - Associate a node with an owner, so an attacker can't misuse an existing node for Sybil identities? Who would do this?
Slide 60: Appendix: Sybil Attacks in P2P
- Systems and attacks
  - P2P systems are heterogeneous, WITH unlimited computing power!
  - Attackers can create Sybil identities, and identities would need to be validated concurrently and simultaneously to catch them!
- Infrastructure
  - Identities communicate via messages over a cloud through pipes!
  - Intentional replication (for duplication, reliability, etc.) can be abused to present multiple identities!
- Existing, relied-upon mechanisms
  - Certification: VeriSign
  - CFS: identifies a node by the hash of its IP address
  - SFS: appends a host path to a DNS name
  - EMBASSY: binds a machine to cryptographic keys in hardware!
  - The mechanisms these depend on might become obsolete (IPv6 and CFS!).
- New ideas?
  - Resource-demanding challenges to identities!
  - (-) Not administrable on a large distributed network!
Slide 61: References
- Stefan Saroiu, Steven D. Gribble and Henry M. Levy. "Measurement and Analysis of Spyware in a University Environment." Proceedings of the First Symposium on Networked Systems Design and Implementation (NSDI '04), March 2004.
- James Newsome, Elaine Shi, Dawn Song and Adrian Perrig. "The Sybil Attack in Sensor Networks: Analysis and Defenses." Proceedings of the 3rd International Symposium on Information Processing in Sensor Networks (IPSN '04), April 2004.
- John R. Douceur. "The Sybil Attack." First International Workshop on Peer-to-Peer Systems (IPTPS '02), March 2002.
- Michael Pierce and Jim Pepin. "Leveraging the High Performance Computing Environment." HPC (High Performance Computing) Consortium Meeting, June 2003.
- "Parasite Programs: Adware, Spyware, and Stealth Networks." CIAC Tech02-004 Technical Bulletin, revised November 2002. http://www.ciac.org/ciac/techbull/CIACTech02-004.shtml