Intruder Identification in Ad Hoc Networks

1
Intruder Identification in Ad Hoc Networks
2
Problem Statement

• Intruder identification in ad hoc networks is the
  procedure of identifying the user or host that
  conducts the inappropriate, incorrect, or
  anomalous activities that threaten the
  connectivity or reliability of the networks and
  the authenticity of the data traffic in the
  networks.

Papers On Security Study of Two Distance
Vector Routing Protocols for Mobile Ad Hoc
Networks, in Proceedings of IEEE International
Conference on Pervasive Computing and
Communications (PerCom), 2003. On Vulnerability
and Protection of Ad Hoc On-demand Distance
Vector Protocol, in Proceedings of 10th IEEE
International Conference on Telecommunication
(ICT), 2003.
3
Research Motivation

• More than ten routing protocols for Ad Hoc
  networks have been proposed (AODV, DSR, DSDV,
  TORA, ZRP, etc.)
• Research focus has been on performance comparison
  and optimizations such as multicast and multiple
  path detection
• Research is needed on the security of Ad Hoc
  networks.
• Applications Battlefields, Disaster recovery.

4
Research Motivation

• Two types of attacks target Ad Hoc network
• External attacks
• MAC layer jamming
• Traffic analysis
• Internal attacks
• Compromised host sending false routing
  information
• Fake authentication and authorization
• Traffic flooding

5
Research Motivation

• Protection of Ad Hoc networks
• Intrusion Prevention
• Traffic encryption
• Sending data through multiple paths
• Authentication and authorization
• Intrusion Detection
• Anomaly pattern examination
• Protocol analytical study

6
Research Motivation

• Deficiencies of intrusion prevention
• Increases the overhead during normal operations
  of Ad Hoc networks
• Restriction on power consumption and computation
  capability prevent the usage of complex
  encryption algorithms
• Flat infrastructure increases the difficulty for
  the key management and distribution
• Cannot guard against internal attacks

7
Research Motivation

• Why intrusion detection itself is not enough
• Detecting intrusion without removing the
  malicious host leaves the protection in a passive
  mode
• Identifying the source of the attack may
  accelerate the detection of other attacks

8
Research Motivation

• Research problem Intruder Identification
• Research challenges
• How to locate the source of an attack ?
• How to safely combine the information from
  multiple hosts and enable individual host to make
  decision by itself ?
• How to achieve consistency among the conclusions
  of a group of hosts ?

9
Related Work in wired Networks

• Secure routing / intrusion detection in wired
  networks
• Routers have more bandwidth and CPU power
• Steady network topology enables the use of static
  routing and default routers
• Large storage and history of operations enable
  the system to collect enough information to
  extract traffic patterns
• Easier to establish trust relation in the
  hierarchical infrastructure

10
Related Work in wired networks

• Attack on RIP (Distance Vector)
• False distance vector
• Solution (Bellovin 89)
• Static routing
• Listen to specific IP address
• Default router
• Cannot apply in Ad Hoc networks

11
Related Work in wired networks

• Attack on OSPF (Link State)
• False connectivity
• Attack on Sequence Number
• Attack on lifetime
• Solution
• JiNAONCSU and MCNC
• Encryption and digital signature

12
Related Work in Ad Hoc Networks

• Lee at GaTech summarizes the difficulties in
  building IDS in Ad Hoc networks and raises
  questions
• what is a good architecture and response system?
• what are the appropriated audit data sources?
• what is the good model to separate normal and
  anomaly patterns?
• Haas at Cornell lists the 2 challenges in
  securing Ad Hoc networks
• secure routing
• key management service

13
Related Work in Ad Hoc Networks

• Agrawal at University of Cincinnati presents the
  general security schemes for the secure routing
  in Ad Hoc networks
• Nikander at Helsinki discusses the
  authentication, authorization, and accounting in
  Ad Hoc networks
• Bhargavan at UIUC presents the method to enhance
  security by dynamic virtual infrastructure
• Vaidya at UIUC presents the idea of securing Ad
  Hoc networks with directional antennas

14
Related Work ongoing projects

• TIARA Techniques for Intrusion Resistant Ad-Hoc
  Routing Algorithm (DARPA)
• develop general design techniques
• focus on DoS attack
• sustain continued network operations
• Secure Communication for Ad Hoc Networking (NSF)
• Two main principles
• redundancy in networking topology, route
  discovery and maintenance
• distribution of trust, quorum for trust

15
Related Work ongoing projects

• On Robust and Secure Mobile Ad Hoc and Sensor
  Network (NSF)
• local route repair
• performance analysis
• malicious traffic profile extraction
• distributed IDs
• proposed a scalable routing protocol
• Adaptive Intrusion Detection System (NSF)
• enable data mining approach
• proactive intrusion detection
• establish algorithms for auditing data

16
Problem Statement

• Intruder identification in ad hoc networks is the
  procedure of identifying the user or host that
  conducts the inappropriate, incorrect, or
  anomalous activities that threaten the
  connectivity or reliability of the networks and
  the authenticity of the data traffic in the
  networks.

17
Evaluation Criteria

• Accuracy
• False coverage Number of normal hosts that are
  incorrectly marked as suspected.
• False exclusion Number of malicious hosts that
  are not identified as such.
• Overhead
• Overhead measures the increases in control
  packets and computation costs for identifying the
  attackers (e.g. verifying signed packets,
  updating blacklists).
• Workload of identifying the malicious hosts in
  multiple rounds

18
Evaluation Criteria

• Effectiveness
• Effectiveness Increase in the performance of ad
  hoc networks after the malicious hosts are
  identified and isolated. Metrics include the
  increase of the packet delivery ratio, the
  decrease of average delay, or the decrease of
  normalized protocol overhead (control
  packets/delivered packets).
• Robustness
• Robustness of the algorithm Its ability to
  resist different kinds of attacks.

19
Assumptions

• A1. Every host can be uniquely identified and its
  ID cannot be changed throughout the lifetime of
  the ad hoc network. The ID is used in the
  identification procedure.
• A2. A malicious host has total control on the
  time, the target and the mechanism of an attack.
  The malicious hosts continue attacking the
  network.
• A3. Digital signature and verification keys of
  the hosts have been distributed to every host.
  The key distribution in ad hoc networks is a
  tough problem and deserves further research.
  Several solutions have been proposed. We assume
  that the distribution procedure is finished, so
  that all hosts can examine the genuineness of the
  signed packets.
• A4. Every host has a local blacklist to record
  the hosts it suspects. The host has total control
  on adding and deleting elements from its list.
  For the clarity of the remainder of this paper,
  we call the real attacker as malicious host,
  while the hosts in blacklists are called
  suspected hosts.

20
Applying Reverse Labeling Restriction to Protect
AODV

• Introduction to AODV
• Attacks on AODV and their impacts
• Detecting False Destination Sequence Attack
• Reverse Labeling Restriction Protocol
• Simulation results

21
Introduction to AODV

• Introduced in 97 by Perkins at NOKIA, Royer at
  UCSB
• 12 versions of IETF draft in 3 years, 4 academic
  implementations, 2 simulations
• Combines on-demand and distance vector
• Broadcast Route Query, Unicast Route Reply
• Quick adaptation to dynamic link condition and
  scalability to large scale network
• Support Multicast

22
Security Considerations for AODV

• AODV does not specify any special security
  measures. Route protocols, however, are prime
  targets for impersonation attacks. If there is
  danger of such attacks, AODV control messages
  must be protected by use of authentication
  techniques, such as those involving generation of
  unforgeable and cryptographically strong message
  digests or digital signatures.
• - http//www.ietf.org/internet-drafts/draft-ietf
  -manet-aodv-11.txt

23
Message Types in AODV

• RREQ route request
• RREP route reply
• RERR route error

24
Route Discovery in AODV
D
Establish path to the destination
Establish path to the source
S1
S3
Establish path to the source
Establish path to the destination
S2
S4
Establish path to the destination
Establish path to the source
S
25
Introduction to AODV (cond)

• Security Features of AODV
• Combination of Broadcast and Unicast
• Route reply is sent out along a single path,
  prevent the disclosure of routing information
• Fast Expiration of Reverse Route Entry
• Route entry created by un-replied route request
  will expire in a short time
• Freshness of Routing Information
• Unique, monotonic destination sequence for every
  host, could only be updated by destination/request
  initiator

26
Attacks on AODV

• Malicious route request
• query non-existing host (RREQ will flood
  throughout the network)
• False route error
• route broken message sent back to source (route
  discovery is re-initiated)
• False distance vector
• reply one hop to destination to every request
  and select a large enough sequence number
• False destination sequence
• select a large number (even beat the reply from
  real destination)

27
Impacts of Attacks on AODV
28
False Destination Sequence Attack
D
S3
S
S1
S2
M
29
Attacks on AODV and Simulation Results

• Simulation of Attacks
• A module called AODV Attack added into ns2
• Four attacks have been implemented
• malicious route request
• silently discard
• false distance vector
• false destination sequence

30
Attacks to AODV and Simulation Results

• Simulation parameters

31
Attacks to AODV and Simulation Results
X-axis is max moving speed, which evaluates the
mobility of host. Y-axis is delivery ratio. Two
attacks false distance vector and false
destination sequence, are considered. They lead
to about 30 and 50 of packets to be dropped.
32
Detecting false destination sequence attackby
destination host during route rediscovery
(1). S broadcasts a request that carries the old
sequence 1 21
(2) D receives the RREQ. Local sequence is 5, but
the sequence in RREQ is 21. D detects the false
desti-nation sequence attack.
D
S3
RREQ(D, 21)
S
S1
S2
M
S4
Propagation of RREQ
33
Reverse Labeling Restriction (RLR)

• Basic Ideas
• Every host maintains a blacklist to record
  suspicious hosts. Suspicious hosts can be
  released from the blacklist or put there
  permanently.
• The destination host will broadcast an INVALID
  packet with its signature when it finds that the
  system is under attack on sequence. The packet
  carries the hosts identification, current
  sequence, new sequence, and its own blacklist.
• Every host receiving this packet will examine its
  route entry to the destination host. If the
  sequence number is larger than the current
  sequence in INVALID packet, the presence of an
  attack is noted. The next hop to the destination
  will be added into this hosts blacklist.

34
Reverse Labeling Restriction (RLR)

• All routing information or intruder
  identification packets from hosts in blacklist
  will be ignored, unless the information is about
  themselves.
• After a host is released from the blacklist, the
  routing information or identification results
  from it will be processed.

35
Example to illustrate RLR
D
S3
INVALID ( D, 5, 21, , SIGN )
S
S1
S2
M
S4
D sends INVALID packet with current sequence 5,
new sequence 21. S3 examines its route table,
the entry to D is not false. S3 forward packet to
S1. S1 finds that its route entry to D has
sequence 20, which is gt 5. It knows that the
route is false. The hop which provides this false
route to S1 was S2. S2 will be put into S1s
blacklist. S1 forward packet to S2 and S. S2 adds
M into its blacklist. S adds S1 into its
blacklist. S forward packet to S4. S4 does not
change its blacklist since it is not involved in
this route.
36
Reverse Labeling Restriction (cond)

• Update Blacklist by INVALID Packet
• Next hop on the invalid route will be put into
  local blacklist, a timer starts, a counter
• Labeling process will be done in the reverse
  direction of route
• When timer expires, the suspicious host will be
  released from the blacklist and routing
  information from it will be accepted
• If counter gt threshold, the suspicious host will
  be permanently put into blacklist

37
RLR creates suspicion trees. If a host is the
root of a quorum of suspicion trees, it is
labeled as the attacker.
38
Reverse Labeling Restriction (cond)

• Update local blacklist by other hosts blacklist
• Attach local blacklist to INVALID packet with
  digital signature to prevent impersonation
• Every host will count the hosts involved in
  different routes that say a specific host is
  suspicious. If the number gt threshold, it will be
  permanently added into local blacklist and
  identified as an attacker.
• Threshold can be dynamically changed or can be
  different on various hosts

39
Reverse Labeling Restriction (cond)

• Two other effects of INVALID packets
• Establish routes to the destination host when
  the host sends out INVALID packet with digital
  signature, every host receiving this packet can
  update its route to the destination host through
  the path it gets the INVALID packet.
• Enable new sequence When the destination
  sequence reaches its max number (0x7fffffff) and
  needs to round back to 0, the host sends an
  INVALID packet with current sequence
  0x7fffffff, new sequence 0.

40
Reverse Labeling Restriction (cond)

• Packets from suspicious hosts
• Route request If the request is from suspicious
  hosts, ignore it.
• Route reply If the previous hop is suspicious
  and the query destination is not the previous
  hop, the reply will be ignored.
• Route error will be processed as usual. RERR
  will activate re-discovery, which will help to
  detect attacks on destination sequence.
• INVALID if the sender is suspicious, the packet
  will be processed but the blacklist will be
  ignored.

41
Simulation parameter
42
Reverse Labeling Restriction (cond)Simulation
results

• The following metrics are chosen
• Delivery ratio (evaluate effectiveness of RLR)
• Number of normal hosts that identify the attacker
  (evaluate accuracy of RLR)
• Number of normal hosts that are marked as
  attacker by mistake (evaluate accuracy of RLR)
• Normalized overhead (evaluate communication
  overhead of RLR)
• Number of packets to be signed (evaluate
  computation overhead of RLR)

43
Reverse Labeling Restriction (cond)
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is delivery ratio. 25
connections and 50 connections are considered.
RLR brings a 30 increase in delivery ratio. 100
delivery is difficult to achieve due to network
partition, route discovery delay and buffer.
44
Reverse Labeling Restriction (cond)
X-axis is number of attackers. Y-axis is delivery
ratio. 25 connections and 50 connections are
considered. RLR brings a 20 to 30 increase in
delivery ratio.
45
Reverse Labeling Restriction (cond)
The accuracy of RLR when there is only one
attacker in the system
46
Reverse Labeling Restriction (cond)
The accuracy of RLR when there are multiple
attackers
47
Reverse Labeling Restriction (cond)
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is normalized overhead
( of control packet / of delivered data
packet). 25 connections and 50 connections are
considered. RLR increases the overhead slightly.
48
Reverse Labeling Restriction (cond)
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is the number of signed
packets processed by every host. 25 connections
and 50 connections are considered. RLR does not
severely increase the computation overhead to
mobile host.
49
Reverse Labeling Restriction (cond)
X-axis is number of attackers. Y-axis is number
of signed packets processed by every host. 25
connections and 50 connections are considered.
RLR does not severely increase the computation
overhead of mobile host.
50
Robustness of RLR

• If the malicious host sends false INVALID packet
• Because the INVALID packets are signed, it cannot
  send the packets in other hosts name
• If it sends INVALID in its own name, the reverse
  labeling procedure will converge on the malicious
  host and identify the attacker. The normal hosts
  will put it into their blacklists.

51
Robustness of RLR

• If the malicious host frames other innocent hosts
  by sending false Blacklist
• If the malicious host has been identified, the
  blacklist will be ignored
• If the malicious host has not been identified,
  this operation can only lower the threshold by
  one. If the threshold is selected properly, it
  will not impact the identification results.

52
Robustness of RLR

• If the malicious host only sends false
  destination sequence about some special host
• The special host will detect the attack and send
  INVALID packets.
• Other hosts can establish new routes to the
  destination by receiving the INVALID packets.

53
Securing Ad Hoc networks -- Establish trust
relationship in open area

• Evaluate known knowledge
• Known knowledge
• Interpretations of observations
• Recommendations
• An algorithm that evaluates trust among hosts is
  being developed
• A hosts trustworthiness affects the trust toward
  the hosts on the route
• Predict of trustworthiness of a host
• Current approach uses the result of evaluation as
  prediction.

54
Securing Ad Hoc networks -- Establish trust
relationship in open area

• What trust information is needed when adding/
  removing suspicious host from blacklist?
• The trust opinion of S1 towards an entity S2 in a
  certain context R
• What characteristics of trust need to be included
  in the model?
• Dependability combination of competence,
  benevolence, and integrity
• Predictability

55
Securing Ad Hoc networks -- Establish trust
relationship in open area

• What is the suitable representation of trust?
• A random variable is used to represent trust so
  that the inherent uncertainty of deriving trust
  from behaviors can be accommodated.
• How to represent the interpretation of an
  observation?
• A trust distribution function

56
Further Work

• Design a set of formalized criteria to evaluate
  identification algorithms
• Study more features of Ad Hoc networks and
  exploit their vulnerability
• Simulate attacks on RLR, examine its robustness
• Integrate with research on trust
• Methods to identify the non-attackers and release
  them from blacklist
• Mechanisms to release hosts from the permanent
  blacklist

57

• More information may be found at
• http//raidlab.cs.purdue.edu
• Our papers and tech reports
• W. Wang, Y. Lu, B. Bhargava, On vulnerability and
  protection of AODV, CERIAS Tech Report TR-02-18.
• B. Bhargava, Y. Zhong, Authorization based on
  Evidence and Trust, in Proceedings of Data
  Warehouse and Knowledge Management Conference
  (DaWak), 2002
• Y. Lu, B. Bhargava and M. Hefeeda, An
  Architecture for Secure Wireless Networking, IEEE
  Workshop on Reliable and Secure Application in
  Mobile Environment, 2001
• W. Wang, Y. Lu, B. Bharagav, On vulnerability
  and protection of AODV, in proceedings of ICT
  2003.
• W. Wang, Y. Lu, B. Bhargava, On security study
  of two distance vector routing protocols for two
  mobile ad hoc networks, in proceedings of PerCOm
  2003.

58
Selected References

• 1 C. Perkins and E. Royer, Ad-hoc on-demand
  distance vector routing, in Proceedings of the
  2nd IEEE Workshop on Mobile Computing Systems and
  Applications, 1999.
• 2 C. Perkins, Highly dynamic
  destination-sequenced distancevector routing
  (DSDV) for mobile computers, in Proceedings of
  SIGCOMM, 1994.
• 3 Z. Haas and M. Pearlman, The zone routing
  protocol (ZRP) for ad hoc networks, IETF
  Internet Draft, Version 4, July, 2002.
• 4 T. Camp, J. Boleng, B. Williams, L. Wilcox,
  and W. Navidi, Performance comparison of two
  location based routing protocols for ad hoc
  networks, in Proceedings of the IEEE INFOCOM,
  2002.
• 5 Z. Haas, J. Halpern, and L. Li, Gossip-based
  ad hoc routing, in Proceedings of the IEEE
  INFOCOM, 2002.
• 6 C. Perkins, E. Royer, and S. Das,
  Performance comparison of two on-demand routing
  protocols for ad hoc networks, in Proceedings of
  IEEE INFOCOM, 2000.
• 7 S. Das and R. Sengupta, Comparative
  performance evaluation of routing protocol for
  mobile, ad hoc networks, in Proceedings of IEEE
  the Seventh International Conference on Computer
  Communications and Networks, 1998.
• 8 L. Venkatraman and D. Agrawal,
  Authentication in ad hoc networks, in
  Proceedings of the 2nd IEEE Wireless
  Communications and Networking Conference, 2000.

59
Selected References

• 9 Y. Zhang and W. Lee, Intrusion detection in
  wireless ad-hoc networks, in Proceedings of ACM
  MobiCom, 2000.
• 10 Z. Zhou and Z. Haas, Secure ad hoc
  networks, IEEE Networks, vol. 13, no. 6, pp.
  2430, 1999.
• 11 V. Bharghavan, Secure wireless LANs, in
  Proceedings of the ACM Conference on Computers
  and Communications Security, 1994.
• 12 P. Sinha, R. Sivakumar, and V. Bharghavan,
  Enhancing ad-hoc routing with dynamic virtual
  infrastructures., in Proceedings of IEEE
  INFOCOM, 2001.
• 13 S. Bhargava and D. Agrawal, Security
  enhancements in AODV protocol for wireless ad hoc
  networks, in Proceedings of Vehicular Technology
  Conference, 2001.
• 14 P. Papadimitratos and Z. Haas, Secure
  routing for mobile ad hoc networks, in
  Proceedings of SCS Communication Networks and
  Distributed Systems Modeling and Simulation
  Conference (CNDS), 2002.
• 15 P. Albers and O. Camp, Security in ad hoc
  network A general id architecture enhancing
  trust based approaches, in Proceedings of
  International Conference on Enterprise
  Information Systems (ICEIS), 2002.