Yan Chen PowerPoint PPT Presentation

1
Adaptive Intrusion Detection and Mitigation
Systems for WiMAX Networks
  • Yan Chen
  • Northwestern Lab for Internet and Security
    Technology (LIST)
  • Dept. of Computer Science
  • Northwestern University
  • http://list.cs.northwestern.edu

Motorola Liaisons: Gregory W. Cox, Z. Judy Fu,
Philip R. Roberts (Motorola Labs)
2
Battling Hackers is a Growth Industry!
--Wall Street Journal (11/10/2004)
  • The past decade has seen an explosion in the
    concern for the security of information
  • Denial of service (DoS) attacks
  • Cost $1.2 billion in 2000
  • Viruses and worms faster and more powerful
  • Cause over $28 billion in economic losses in
    2003, growing to over $75 billion in economic
    losses by 2007.

3
The Current Internet Connectivity and Processing
4
Motivation
  • Viruses/worms moving into the wireless world
  • 6 new viruses, including Cabir and Skulls, with
    30 variants targeting mobile devices
  • IEEE 802.16 WiMAX networks emerging
  • Predicted multi-billion dollar industry
  • No existing research/product tailored towards
    802.16 anomaly/intrusion detection and mitigation
  • 802.16 IDS development can potentially lead to
    critical gain in market share
  • All major WLAN vendors integrated IDS into
    products
  • Strategically important to lead in the WiMAX product
    portfolio with security troubleshooting
    capability
  • Simply buying off-the-shelf IDSes leaves one blind to
    their limitations

5
Existing Intrusion Detection Systems (IDS)
Insufficient
  • Mostly host-based and not scalable to high-speed
    networks
  • Slammer worm infected 75,000 machines in < 10
    mins
  • Host-based schemes inefficient and user dependent
  • Have to install IDS on all user machines !
  • Mostly signature-based
  • Cannot recognize unknown anomalies/intrusions
  • New viruses/worms, polymorphism

6
Current IDS Insufficient (II)
  • Statistical detection
  • Hard to adapt to traffic pattern changes
  • Unscalable for flow-level detection
  • IDS vulnerable to DoS attacks
  • WiMAX runs at up to 134 Mbps; 10 min of traffic may
    take 4 GB of memory
  • Detection based on overall traffic is inaccurate, with
    high false positives
  • Most existing high-speed IDS here
  • Cannot differentiate malicious events from
    unintentional anomalies
  • E.g., signal interference of wireless network

7
Adaptive Intrusion Detection System for Wireless
Networks (WAIDM)
  • Online traffic recording and analysis for
    high-speed WiMAX networks
  • Leverage sketches for data streaming computation
  • Record millions of flows (GB traffic) in a few
    Kilobytes
  • Online flow-level intrusion detection and
    mitigation
  • Leverage statistical learning theory (SLT) to
    adaptively learn traffic pattern changes
  • Flow-level mitigation of attacks
  • Combine with 802.16 specific signature-based
    detection
  • Automatic polymorphic worm signature generation

8
WAIDM Systems (II)
  • Anomaly diagnosis for false positive reduction
  • Use statistics from MIB of base station to
    understand the wireless network status
  • E.g., distinguish packet flooding, signal
    interference, and other intrusions
  • Successfully experimented with 802.11 networks
  • Root cause analysis to diagnose link failures,
    routing misconfiguration, etc.
  • Useful for managing and trouble-shooting the
    WiMAX networks

9
WAIDM Deployment
  • Attached to a switch connecting BS as a black box
  • Enable the early detection and mitigation of
    global scale attacks
  • Highly ranked as "powerful and flexible" by the
    DARPA research agenda

[Figure: deployment. (a) Original configuration: Users - 802.16 BS - Switch/BS controller - Internet. (b) WAIDM deployed: the WAIDM system attached to a scan port of the Switch/BS controller, between the 802.16 BSs and the Internet.]
10
WAIDM Architecture
[Figure: WAIDM architecture. Input: streaming packet data. Part I, sketch-based monitoring & detection (modules on the critical path): reversible k-ary sketch monitoring producing local sketch records (also sent out for aggregation as remote aggregated sketch records), sketch-based statistical anomaly detection (SSAD) yielding keys of suspicious flows and keys of normal flows, and filtering that separates normal flows from suspicious flows. Part II, per-flow monitoring & detection (modules on the non-critical path): per-flow monitoring feeding statistical detection, signature-based detection, network fault detection and traffic profile checking. Output: intrusion or anomaly alarms to fusion centers. The legend distinguishes the data path from the control path.]
11
Intrusion Mitigation
Attacks detected                                | Mitigation
------------------------------------------------|-----------------------------------------------------------
Denial of Service (DoS), e.g., TCP SYN flooding | SYN defender, SYN proxy, or SYN cookie for the victim
Port scan and worms                             | Ingress filtering with the attacker IP
Vertical port scan                              | Quarantine the victim machine
Horizontal port scan                            | Monitor traffic with the same port for compromised machines
Spyware                                         | Warn the end users being spied on
12
Evaluation of Sketch-based Detection
  • Evaluated with NU traces (536M flows, 3.5TB
    traffic)
  • Scalable and efficient traffic monitoring
  • For the worst case traffic, all 40 byte packets
  • 16 Gbps on a single FPGA board
  • 526 Mbps on a Pentium-IV 2.4GHz PC
  • Less than 10 MB of memory used
  • Accurate and fast detection
  • 19 SYN flooding, 1784 horizontal scans and 29
    vertical scans detected in one-day NU traces in
    719 seconds
  • Validation
  • All flooding and vertical scans, and top 10 and
    bottom 10 for horizontal scans
  • Both well-known and new worms found (new
    confirmed in DShield)
  • Patent filed

13
Research methodology
  • Combination of theory, synthetic/real trace
    driven simulation, and real-world implementation
    and deployment

14
Backup Slides
15
Scalable Traffic Monitoring and Analysis -
Challenge
  • Potentially tens of millions of time series !
  • Need to work at very low aggregation level (e.g.,
    IP level)
  • Each access point (AP) can carry 200 Mbps; a
    collection of 10-100 APs can easily go up to 2-20
    Gbps
  • Moore's Law on traffic growth?
  • Per-flow analysis is too slow or too expensive
  • Want to work in near real time

16
Sketch-based Change Detection (ACM SIGCOMM IMC
2003, 2004)
  • Input stream (key, update)
  • Summarize input stream using sketches
  • Build forecast models on top of sketches
  • Report flows with large forecast errors
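Worked example of the four steps above. This is an added illustration written for this page, not code from the WAIDM project or the IMC papers: a plain k-ary sketch summarises (key, update) pairs per epoch, an EWMA over the sketch counters serves as the forecast model, and keys whose estimated forecast error exceeds a threshold are reported. The reversible sketch, which recovers heavy keys from the error sketch itself, is not implemented; the candidate-key shortcut, the EWMA weight, the threshold and the SYN-count stream are all assumptions.

```python
"""Sketch-based change detection: summarise a stream of (key, update) pairs
in a k-ary sketch, forecast the next epoch's sketch, and report keys whose
forecast error is large.  Added example for this page, not WAIDM code; the
EWMA forecast, the threshold and the sample stream are assumptions."""
import hashlib
import random
from statistics import median


class KarySketch:
    """ROWS hash rows x BUCKETS counters; each row uses its own salted hash.
    (The slides use a *reversible* k-ary sketch; this plain one is enough to
    show the update / forecast / error steps.)"""

    def __init__(self, rows=5, buckets=1024, seed=1):
        rng = random.Random(seed)
        self.rows, self.buckets = rows, buckets
        self.salts = [rng.getrandbits(32) for _ in range(rows)]
        self.table = [[0.0] * buckets for _ in range(rows)]

    def _bucket(self, key, row):
        data = f"{self.salts[row]}:{key}".encode()
        digest = hashlib.blake2b(data, digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.buckets

    def update(self, key, value=1.0):
        for r in range(self.rows):
            self.table[r][self._bucket(key, r)] += value

    def estimate(self, key):
        """k-ary estimator: per row (bucket - rowsum/K) / (1 - 1/K), median over rows."""
        k = self.buckets
        ests = []
        for r in range(self.rows):
            row = self.table[r]
            ests.append((row[self._bucket(key, r)] - sum(row) / k) / (1 - 1 / k))
        return median(ests)

    def combine(self, other, a, b):
        """a*self + b*other, computed bucket-wise (sketches are linear)."""
        out = KarySketch(self.rows, self.buckets)
        out.salts = self.salts
        out.table = [[a * x + b * y for x, y in zip(rs, ro)]
                     for rs, ro in zip(self.table, other.table)]
        return out


class ChangeDetector:
    """Keeps an EWMA forecast sketch; flags keys with large forecast error."""

    def __init__(self, alpha=0.5, threshold=1000.0, rows=5, buckets=1024):
        self.alpha, self.threshold = alpha, threshold
        self.rows, self.buckets = rows, buckets
        self.forecast = None

    def process_epoch(self, stream):
        """stream: iterable of (key, update) for one epoch.  Returns (key, error)
        pairs whose forecast error exceeds the threshold, largest error first."""
        observed = KarySketch(self.rows, self.buckets)
        keys = set()
        for key, upd in stream:
            observed.update(key, upd)
            keys.add(key)
        if self.forecast is None:          # first epoch: nothing to forecast from
            self.forecast = observed
            return []
        # error sketch E_t = S_t - F_t; a reversible sketch would recover the
        # heavy keys from E_t itself, here we simply check the keys seen this epoch
        error = observed.combine(self.forecast, 1.0, -1.0)
        alarms = [(key, error.estimate(key)) for key in keys]
        alarms = [(k, e) for k, e in alarms if e > self.threshold]
        # forecast for the next epoch: F_{t+1} = alpha*S_t + (1-alpha)*F_t
        self.forecast = observed.combine(self.forecast, self.alpha, 1 - self.alpha)
        return sorted(alarms, key=lambda kv: -kv[1])


def constructed_epochs():
    """Constructed per-destination SYN counts: three steady destinations for
    four epochs, then a SYN flood at 10.0.0.9 in epoch five."""
    steady = [("10.0.0.1", 100.0), ("10.0.0.2", 80.0), ("10.0.0.3", 120.0)]
    epochs = [list(steady) for _ in range(4)]
    epochs.append(list(steady) + [("10.0.0.9", 5000.0)])
    return epochs


def run_demo():
    det = ChangeDetector()
    return [det.process_epoch(epoch) for epoch in constructed_epochs()]


if __name__ == "__main__":
    for i, alarms in enumerate(run_demo(), 1):
        print(f"epoch {i}: alarms={alarms}")
```

Run it directly to see the per-epoch alarms: epochs 2 to 4 match their forecast and stay silent, and only epoch 5 reports a key, the flooded destination, with an estimated error close to its 5000 extra SYNs. Because the sketch is linear, the forecast and error sketches are formed bucket-wise without ever touching per-flow state, which is what lets the method run at line rate.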

17
GRAID Sensor Architecture
[Figure: sensor architecture diagram, identical to the WAIDM architecture on slide 10: Part I sketch-based monitoring & detection on the critical path, Part II per-flow monitoring & detection on the non-critical path, alarms sent to fusion centers.]
18
Current IDS Insufficient for Wireless Networks
  • Most existing IDS signature-based
  • Especially for wireless networks
  • Detect denial-of-service attacks caused by the
    WEP authentication vulnerability, e.g., Airespace
  • Current statistical IDS has manually set
    parameters
  • Cannot adapt to the traffic pattern changes
  • However, wireless networks often have transient
    connections
  • Hard to differentiate collisions, interference,
    and attacks

19
Statistical Anomaly/Intrusion Detection and
Mitigation for Wireless Networks
  • Use statistics from MIB of BS to understand the
    current wireless network status
  • Interference Detection MIB Group
  • Retry count, FCS err count, Failed count
  • Intrusion Detection MIB Group
  • Duplicate count, Authentication failure count,
    EAP negotiation failure count, Abnormal
    termination percentage
  • DoS Detection MIB Group
  • Auth flood to BS, De-Auth flood to SS
  • Automatically adapt to different learned profiles
    on observing status changes

20
Preliminary Algorithm
[Flowchart: collect MIBs; process the Interference/Collision MIB group, the Intrusion Detection MIB group and the DoS MIB group; outcomes labelled interference, DoS and intrusion.]
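Worked example of the MIB-group scheme on slides 19 and 20. It is added here and is not the WAIDM algorithm: per-interval deltas of the interference, intrusion and DoS counters are scored against a baseline learned from intervals judged normal, so the profile adapts as the network's status changes. The counter names mirror the slide's groups; the z-score rule, the decision order, the thresholds and the constructed polls are assumptions.

```python
"""Classify each polling interval of a base station from MIB counter deltas
into interference / intrusion / DoS / normal, against a baseline learned from
intervals judged normal.  Added example for this page, not the WAIDM code:
the counter names mirror the slide's MIB groups, while the z-score rule,
thresholds, decision order and sample polls are assumptions."""
from statistics import mean, pstdev

MIB_GROUPS = {
    "interference": ["retry_count", "fcs_err_count", "failed_count"],
    "intrusion": ["duplicate_count", "auth_failure_count",
                  "eap_neg_failure_count", "abnormal_term_pct"],
    "dos": ["auth_flood_to_bs", "deauth_flood_to_ss"],
}
GAUGES = {"abnormal_term_pct"}      # reported as a level, not a running counter
PRIORITY = ["dos", "intrusion", "interference"]   # a flood also inflates retries


class MibStatusClassifier:
    def __init__(self, warmup=5, z_threshold=3.0, min_std=1.0):
        self.warmup, self.z_threshold, self.min_std = warmup, z_threshold, min_std
        self.history = {c: [] for cs in MIB_GROUPS.values() for c in cs}
        self.prev_raw = None
        self.learned = 0

    def _interval_values(self, raw):
        """Per-interval values: counter deltas, gauges as reported."""
        prev, self.prev_raw = self.prev_raw, raw
        if prev is None:
            return None
        return {c: raw[c] if c in GAUGES else raw[c] - prev[c] for c in self.history}

    def _zscore(self, counter, value):
        hist = self.history[counter]
        sigma = max(pstdev(hist), self.min_std)   # floor keeps quiet counters sane
        return (value - mean(hist)) / sigma

    def _learn(self, values):
        for c, v in values.items():
            self.history[c].append(v)
        self.learned += 1

    def observe(self, raw):
        """raw: dict of MIB values from one SNMP poll.  Returns the label."""
        values = self._interval_values(raw)
        if values is None:
            return "warmup"
        if self.learned < self.warmup:
            self._learn(values)
            return "warmup"
        scores = {g: max(self._zscore(c, values[c]) for c in cs)
                  for g, cs in MIB_GROUPS.items()}
        for group in PRIORITY:
            if scores[group] > self.z_threshold:
                return group
        self._learn(values)   # normal interval: fold into the profile (adaptation)
        return "normal"


def constructed_polls():
    """Constructed SNMP polls: eight quiet intervals with small jitter, then an
    interference interval, an auth/de-auth flood, and an authentication attack."""
    base = {"retry_count": 20, "fcs_err_count": 5, "failed_count": 2,
            "duplicate_count": 3, "auth_failure_count": 1,
            "eap_neg_failure_count": 0, "abnormal_term_pct": 2,
            "auth_flood_to_bs": 0, "deauth_flood_to_ss": 0}
    deltas = [{c: max(0, v + j) for c, v in base.items()}
              for j in (0, 1, -1, 0, 1, -1, 0, 1)]
    deltas.append({**base, "retry_count": 220, "fcs_err_count": 85, "failed_count": 32})
    deltas.append({**base, "auth_flood_to_bs": 500, "deauth_flood_to_ss": 300,
                   "retry_count": 90})
    deltas.append({**base, "auth_failure_count": 60, "eap_neg_failure_count": 20})
    polls, cum = [], dict.fromkeys(base, 0)
    for d in deltas:                      # turn deltas back into cumulative counters
        for c, v in d.items():
            cum[c] = v if c in GAUGES else cum[c] + v
        polls.append(dict(cum))
    return polls


def run_demo():
    clf = MibStatusClassifier()
    return [clf.observe(poll) for poll in constructed_polls()]


if __name__ == "__main__":
    for i, label in enumerate(run_demo(), 1):
        print(f"poll {i}: {label}")
```

The decision order matters: the flood interval also drives the retry counter up, so checking the DoS group first is what keeps a flood from being reported as interference. Intervals that trigger an alarm are deliberately not folded into the baseline, so an ongoing attack cannot train the profile to accept itself.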
21
Project Review
[Figure: review testbed with the Internet, Client1, an attacker, MIB and SysLog collection, AiroPeek capture, and the IDS.]
22
Info Measurements
  • Info Resources
  • SNMP MIB
  • A collection of objects that can be accessed via
    a network management protocol
  • System Log
  • Event/Trap Captures
  • Wireless Capture

23
Info Measurements
  • Info Collection Tools
  • Hardware
  • Cisco Access Point
  • Cisco Wireless Card
  • Software
  • Visual Studio
  • Net-SNMP
  • AiroPeek
  • Netstumbler

24
MIB Collection Storage
25
SysLog
26
Data Analysis
  • Measurement Based Analysis
  • Correlate Parameters w/ Events
  • Contention Interference
  • RF Interference
  • Wireless Intrusion
  • Wireless DoS Attack

27
Sample Experiments
  • Contention Interference

[Figure: Client1 and Client2 both on channel 9 (Chl 9), with MIB statistics collected.]
28
Contention Interference
  • MIB
  • dot11ACKFailureCount.1
  • dot11FailedCount.1
  • dot11FCSErrorCount.1
  • dot11FrameDuplicateCount.1
  • dot11MulticastTransmittedFrameCount.1
  • dot11MultipleRetryCount.1
  • dot11RTSFailureCount.1
  • dot11TransmittedFrameCount.1

29
Contention Interference
30
Contention Interference
31
Contention Interference
32
Contention Interference
33
802.16 Protocol Layering
34
802.16 MIB Structure
35
802.16 MIB Structure
36
802.16 MIB Structure
37
802.16 MIB Structure
38
Thank You!
  • More Questions?