Yan Chen

1
Intrusion Detection and Forensics for
Self-defending Wireless Networks

• Yan Chen
• Dept. of Electrical Engineering and Computer
  Science
• Northwestern University
• Spring Review 2008
• Award  FA9550-07-1-0074

2
Technical Approach Self-Defending Wireless
Networks

• Proactively search of vulnerability for wireless
  network protocols
• Intelligent and thorough checking through combo
  of manual analysis auto search with formal
  methods
• First, manual analysis provide hints and right
  level of abstraction for auto search
• Then specify the specs and potential capabilities
  of attackers in a formal language TLA
• Then model check for any possible attacks
• Defend against emerging threat
• Worm network-based polymorphic worm signature
  generations
• Botnet IRC (Internet relay chat) based CC
  detection and mitigation

3
Technical Breakthroughs (I)

• Intelligent vulnerability analysis
• Focused on outsider attacks, i.e., w/ unprotected
  error msgs
• Checked the complete spec of 802.16e before
  authentication
• Found some vulnerability, e.g., for ranging (but
  needs to change MAC)
• Checked the mobile IPv4/v6
• Find an easy attack to disable the route
  optimization of MIPv6 !
• Checked the WiFi 802.11
• Find an easy attack to DoS any new clients from
  joining the
• Partnered with Motorola, very interested in the
  vulnerability found

4
Technical Breakthroughs (II)

• Automatic polymorphic worm signature generation
  systems for high-speed networks
• Fast, noise tolerant w/ proved attack resilience
• Work for any worms target the same vulnerability
• Patent filed

Vulnerability signature traffic filtering
Internet
X
X
Our network
X
X
Vulnerability
5
Accomplishments of 2007

• Four conference papers, one journal paper and two
  book chapters
• Accurate and Efficient Traffic Monitoring Using
  Adaptive Non-linear Sampling Method", to appear
  in the Proc. of IEEE INFOCOM, 2008
• Honeynet-based Botnet Scan Traffic Analysis,
  invited book chapter for Botnet Detection
  Countering the Largest Security Threat, Springer,
  2007.
• Reversible Sketches Enabling Monitoring and
  Analysis over High-speed Data Streams, in
  ACM/IEEE Transaction on Networking, Volume 15,
  Issue 5, Oct. 2007.
• Network-based and Attack-resilient Length
  Signature Generation for Zero-day Polymorphic
  Worms, in the Proc. of the 15th IEEE
  International Conference on Network Protocols
  (ICNP), 2007.
• Integrated Fault and Security Management, invited
  book chapter for Information Assurance
  Dependability and Security in Networked Systems,
  Morgan Kaufmann Publishers, 2007.
• Detecting Stealthy Spreaders Using Online
  Outdegree Histograms, in the Proc. of the 15th
  IEEE International Workshop on Quality of Service
  (IWQoS), 2007.
• A Suite of Schemes for User-level Network
  Diagnosis without Infrastructure, in the Proc. of
  IEEE INFOCOM, 2007

6
Why AFOSR Support Important

• Wireless networks prevalent and mission critical
  for AF GIG
• Security particularly important for defense
• AFOSR support opens door for collaboration with
  AFRL researchers
• Annual PI meeting is a great venue for fostering
  collaboration
• Currently working with Dr. Keesook Han for
  analyzing the next generation CC of botnet
• Obtain binary/source from Dr. Han
• Plan to use the testbed developed at AFRL
• Enable technology transfer to better secure AF
  wireless networks

7
Collaborations for Real Impact

• Dr. Keesook Han from AFRL
• Dr. Judy Fu from Motorola Labs
• Talk to real product group on system
  implementations
• Potential tech transfer to make more secure
  wireless network products