Title: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships
Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships
- Qing Li and Wade Trappe, IEEE Transactions on Information Forensics and Security, Vol. 2, No. 4, December 2007
- Presented by Ryan Yandle
Outline
- Spoofing
- ORBIT
- Family 1: Relationships via Auxiliary Fields
  - Method A: Sequence Number
  - Method B: One-way chains
- Family 2: Relationships via Intrinsic Properties
  - Method A: Interarrival time
  - Method B: Joint Background Traffic and Interarrival time Analysis
- Multilevel Classification
- Conclusion
What is Spoofing?
- The practice of impersonating another entity in order to subvert security.
- Spoofing allows the attacker to remain anonymous and undetected in the network.
More Specifically
- This paper refers to MAC address spoofing.
- The attacker tries to gain access to the WLAN by cloning the MAC address of a legitimate user.
What are Forge-Resistant Relationships?
- Rules that govern the relationship between two distinct entities
- These rules define the relationship such that another entity (an attacker) trying to forge the relationship would be caught
- The paper's focus is to detect spoofing by creating these unique relationships
The ORBIT Wireless Test Bed
- Composed of a 2D grid of wireless nodes
- Jointly run by several schools in the NY/NJ area
Test Bed Setup
(Figure: A = legitimate sender, B = attacker, X = monitor)
Strategy Overview
- Consider that the legitimate sender has a unique identity
- Associated with their identity will be a particular sequence of packets
- From these packets we may observe states
More Strategery
- A Relationship Consistency Check (RCC) is a binary rule that returns 1 if the states obey the rule R with respect to each other.
But
- Simply using a relationship R and checking the corresponding RCC at the monitoring device is not going to provide reliable security
- We need to add forge-resistance requirements to the relationship
- Thus, an RRCC (forge-resistant RCC) is needed
Definition of RRCC
- An $\epsilon$-forge-resistant relationship R is a rule governing the relationship between a set of states from a particular identity, for which there is a small probability of another device being able to forge a set of states such that a monitoring device would evaluate the corresponding RCC as 1.
More
- We will view the output of an RRCC as the result of deciding between two different hypotheses.
  - $H_0$: the null hypothesis, corresponding to non-suspicious activity
  - $H_1$: the alternate hypothesis, corresponding to anomalous behavior
Quantifying Effectiveness
- We will use several measures to quantify the effectiveness of R.
- The probability of a false alarm
  - $P_{FA} = \Pr(H_1 \mid H_0)$
  - Probability that we will decide a set of states is suspicious when it was really legitimate
- The probability of a missed detection
  - $P_{MD} = \Pr(H_0 \mid H_1)$
  - Probability of deciding that a set of states is legitimate when it was not
Quantifying Effectiveness Cont.
- The probability of detection
  - $P_D = 1 - P_{MD}$
- Other symbols
  - $\epsilon = P_{MD}$
  - $\delta = P_{FA}$
- Therefore, we can define an RRCC by $(\epsilon, \delta)$
Two Proposed Families for Relationships
- Using auxiliary fields in the MAC frame to create a monotonic relationship
- Using traffic inter-arrival statistics to detect anomalous traffic
Family I - Forge-Resistant Relationships via Auxiliary Fields
- Method A: Anomaly Detection via Sequence Number Monotonicity
  - Enforce a rule that requires packet sequence numbers to follow a monotonic relationship, denoted as $R_{seq}$
802.11 MAC Frame Structure
- The sequence control field is generally used to re-assemble fragmented frames or detect duplicate packets.
  - Fragment control: 4 bits
  - Sequence number: 12 bits, 4096 possibilities ranging over [0, 4095]
  - Firmware (assigns the sequence numbers)
$R_{seq}$
- It does not matter if the attacker can manipulate its own sequence numbers.
- A cloning attempt would be exposed by duplicate sequence numbers
- Therefore, the forge resistance stems from the fact that the attacker cannot stop the sender from transmitting packets.
Single Source Sequence Numbers
- $t$: the difference in sequence numbers between two consecutive packets
- The possible values for $t$: $[1, 4096]$
  - A value of 4096 is equivalent to a sequence number difference of 0 (duplicate sequence numbers)
- The mean of the distribution of $t$ is $E[t] = 1/(1-p)$, where $p$ is the packet loss rate
- The variance of the distribution of $t$ is $\sigma_t^2 = p/(1-p)^2$
Theoretical Packet Loss
- Using the formulas that we just learned, for a theoretical transmission with a packet loss of 50% ($p = 0.5$):
  - $E[t] = 2$
  - $\sigma_t = 1.41$
- Even for networks with poor connectivity, the difference in sequence numbers between successive packets will be relatively small
Dual Source Sequence Numbers
- Let $y$ be the sequence number from the real source
- Let $x$ be the sequence number from the attacker
- $z = x - y$ gives us a range of $[-4095, 4095]$
- The gap will be defined as $t = z \bmod 4096$
Dual Source Cont.
- If we then map a difference of 0 to 4096, we have a uniform distribution over $[1, 4096]$
  - $E[t] = 2048.5$
  - $\sigma_t = 1182$
Single Source Behavior
- A single node is transmitting packets using a specified MAC address to a receiver
- No anomalous behavior is present in this scenario
Dual Source Behavior
- Two nodes using the same MAC address to transmit packets
- One node is spoofing the other's MAC address
Let's build a detector
- We will define the RRCC detection scheme as follows
- Choose a window of packets coming from a specific MAC address
- We will choose a window with size $L$
- The detector will calculate $L-1$ sequence number gaps
More on the detector
- The detector will determine that there is an anomaly if $\max_{l = 1, \dots, L-1} t_l > \gamma$
- $\gamma$ is determined by solving for a desired false alarm rate
Example: $L = 5$, $\gamma = 3$
(Figure: observed sequence numbers 1, 2, 3, 76, 5, 7, 8, 9, 10, 11; gaps within the highlighted window: 1, 73, 71, 2; MAX = 73 > $\gamma$, RETURN(1))
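An added example (not from the paper or these slides) of the detector described on slides 25 to 27 in Python: modular gaps as defined on slide 21, the windowed MAX test, a threshold chosen from a target false-alarm rate, and the severity measure used later for multilevel classification. The geometric-gap model used to pick gamma is an assumption (it is the i.i.d.-loss model behind the E[t] formula), and the trace is constructed from the slide-27 figure.

```python
"""Sequence-number-gap RRCC detector (slides 19-27 and 43), added example."""

MOD = 4096  # 12-bit 802.11 sequence-number space, values 0..4095

def seq_gap(prev, cur):
    """Gap t = (cur - prev) mod 4096, with a duplicate (0) mapped to 4096."""
    t = (cur - prev) % MOD
    return MOD if t == 0 else t

def window_gaps(seqs):
    """The L-1 gaps of an L-packet window."""
    return [seq_gap(a, b) for a, b in zip(seqs, seqs[1:])]

def rcc_seq(window, gamma):
    """RRCC output: 1 (anomaly) if the MAX gap in the window exceeds gamma."""
    return 1 if max(window_gaps(window)) > gamma else 0

def false_alarm_rate(gamma, p, L):
    """P_FA for one legitimate source with i.i.d. packet-loss rate p.
    Assumption: gaps are geometric (the model behind E[t] = 1/(1-p)),
    so Pr(t > gamma) = p**gamma and the window alarms if any gap does."""
    return 1.0 - (1.0 - p ** gamma) ** (L - 1)

def choose_gamma(p, L, target_pfa):
    """Smallest integer gamma whose theoretical P_FA is at most target_pfa."""
    gamma = 1
    while false_alarm_rate(gamma, p, L) > target_pfa:
        gamma += 1
    return gamma

def severity(window, normal_gap=1):
    """Multilevel classification: sum of (observed gap - normal gap)."""
    return sum(t - normal_gap for t in window_gaps(window))

def scan(seqs, L, gamma):
    """Indices of every L-packet sliding window that raises an alarm."""
    return [i for i in range(len(seqs) - L + 1) if rcc_seq(seqs[i:i + L], gamma)]

if __name__ == "__main__":
    # Constructed trace (slide 27): attacker frame 76 inside A's run 1..11.
    trace = [1, 2, 3, 76, 5, 7, 8, 9, 10, 11]
    print(scan(trace, 5, 3), choose_gamma(0.5, 5, 0.01))  # [0, 1, 2, 3] 9
```

Note that under the slide-21 modular definition the backward step 76 to 5 yields a gap of 4025 rather than the 71 shown in the figure; either way it exceeds gamma.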
Performance of Sequence Number Monotonicity
(Figure: detection performance plot, $L = 2$)
Sequence Number Gap Statistics for a Single Source from ORBIT
When would this not work?
- This method of detection only works in the presence of heterogeneous sources: the legitimate device must be transmitting in order to reveal the anomaly.
Family I - Forge-Resistant Relationships via Auxiliary Fields
- Method B: One-way chain of Temporary Identifiers
  - The sender attaches a TIF (temporary identifier field) to its identity, forcing the adversary to solve a cryptographic puzzle in order to spoof.
Temporary Identifier Fields
- Similar to what was proposed in TESLA
- Compute a one-way chain of numbers, and attach them to the frames in reverse order.
- In order for the attacker to spoof a message, they would need to find the inverse of the function used to compute the one-way chain.
- This method is loss-tolerant
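An added example (not the paper's code) of the TIF scheme on this slide: the sender precomputes a one-way chain and reveals it in reverse, and the monitor accepts a frame only if hashing the new TIF a bounded number of times reaches the last value it accepted, which is what makes the check loss-tolerant. The one-way function (SHA-256 truncated to the TIF length), the chain length, the loss tolerance, and the seed are all assumptions.

```python
"""One-way chain of temporary identifier fields (slide 32), added example. Assumptions
(not from the slides): SHA-256 truncated to TIF_BITS, an 8-value chain, 3-frame loss tolerance."""
import hashlib

TIF_BITS = 16   # field length; slide 33 compares 10- and 16-bit TIFs
MAX_LOSS = 3    # consecutive lost frames the monitor tolerates

def h(x):
    """One-way function, output truncated to TIF_BITS."""
    return hashlib.sha256(x).digest()[:TIF_BITS // 8]

def build_chain(seed, n):
    """chain[0] = h(seed), chain[i+1] = h(chain[i]); sender reveals in reverse."""
    chain = [h(seed)]
    for _ in range(n - 1):
        chain.append(h(chain[-1]))
    return chain

class Sender:
    def __init__(self, seed, n=8):
        self.chain = build_chain(seed, n)
        self.pos = n - 1            # chain[pos] is the last value revealed
    def next_tif(self):
        self.pos -= 1
        return self.chain[self.pos]

class Monitor:
    def __init__(self, anchor):
        self.last = anchor          # last accepted TIF of this identity
    def rcc(self, tif):
        """0 if h^k(tif) == last for some k <= MAX_LOSS + 1, else 1 (anomaly)."""
        v = tif
        for _ in range(MAX_LOSS + 1):
            v = h(v)
            if v == self.last:
                self.last = tif     # advance; older values can no longer replay
                return 0
        return 1

def demo():
    """Legit frame; two lost then a legit one; a guessed TIF; a replay."""
    s = Sender(b"constructed-seed")
    m = Monitor(s.chain[-1])            # chain end shared before transmission
    out = [m.rcc(s.next_tif())]
    s.next_tif(); s.next_tif()          # two frames lost on the air
    out.append(m.rcc(s.next_tif()))
    out.append(m.rcc(b"\x12\x34"))      # attacker guesses a 16-bit TIF
    out.append(m.rcc(s.chain[s.pos]))   # attacker replays the last TIF
    return out                          # -> [0, 0, 1, 1]
```

A guessed TIF succeeds only with probability about (MAX_LOSS + 1) / 2^TIF_BITS per attempt, which is the trade-off the slide-33 ROC curves plot against bit length.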
ROC Curve for one-way chain TIFs
(Figure: ROC curves for bit length 10 and bit length 16)
Family II - Forge-Resistant Relationships via Intrinsic Properties
- Method A: Traffic Arrival Consistency Checks
  - Use a traffic shaping tool to control the interarrival times observed by the monitoring device.
  - These interarrival statistics are then used to determine anomalous behavior
Traffic Arrival Consistency Checks
- Suppose we have our three devices, A, B, X
- A is set to transmit at a fixed interval
- X will take note of this behavior; if B starts transmitting (spoofing to impersonate A), then the detector will notice a change in the distribution of packet arrivals
Resulting Histograms
Experimental Results (200 ms)
Experimental Results cont.
When would this method become unreliable on a wireless network?
- With the presence of high background traffic, this method would become less suitable.
- Background traffic would affect the transmission intervals of the sender, possibly causing false alarms.
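An added example (not from the paper) of the arrival consistency check from slides 35 to 40: monitor X keeps the interarrival histogram for A's MAC address, and the check alarms when too many gaps fall outside A's fixed interval. The 200 ms interval follows the experiments; the tolerance, the outlier threshold, the 130 ms spoofer period and the timelines are constructed assumptions. The last case shows the slide-40 caveat, a false alarm when background traffic jitters A's own transmissions.

```python
"""Traffic-arrival consistency check (slides 35-40), added example."""
import random

INTERVAL = 0.200           # A transmits every 200 ms (as in the experiments)
TOL = 0.040                # assumption: accepted deviation from INTERVAL, seconds
MAX_OUTLIER_FRAC = 0.10    # assumption: alarm when >10% of gaps are outliers

def interarrivals(timestamps):
    """Gaps between consecutive frames seen by monitor X for one MAC address."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def histogram(gaps, bin_width=0.020):
    """Slide-37 style histogram: {bin start in seconds: count}."""
    hist = {}
    for g in gaps:
        b = round(int(g / bin_width) * bin_width, 3)
        hist[b] = hist.get(b, 0) + 1
    return dict(sorted(hist.items()))

def rcc_arrival(timestamps, interval=INTERVAL, tol=TOL, max_frac=MAX_OUTLIER_FRAC):
    """1 if the arrival pattern is inconsistent with A's fixed interval, else 0."""
    gaps = interarrivals(timestamps)
    if not gaps:
        return 0
    outliers = sum(1 for g in gaps if abs(g - interval) > tol)
    return 1 if outliers / len(gaps) > max_frac else 0

def constructed_trace(n=50, jitter=0.010, spoof_from=None, spoof_period=0.130, seed=1):
    """Constructed timeline at X: A every INTERVAL (+/- jitter from medium access);
    if spoof_from is set, B sends under A's MAC from that time with its own period."""
    rng = random.Random(seed)
    ts = [i * INTERVAL + rng.uniform(-jitter, jitter) for i in range(n)]
    if spoof_from is not None:
        t = spoof_from
        while t < n * INTERVAL:
            ts.append(t)
            t += spoof_period
    return ts

if __name__ == "__main__":
    print(rcc_arrival(constructed_trace()))                # 0: only A on the air
    print(rcc_arrival(constructed_trace(spoof_from=5.0)))  # 1: B joins at 5 s
    print(rcc_arrival(constructed_trace(jitter=0.080)))    # 1: heavy background traffic, false alarm
```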
Family II - Forge-Resistant Relationships via Intrinsic Properties
- Method B: Joint Traffic Load and Interarrival Time Detector
  - Jointly examine the interarrival time and the background traffic load
  - Use these two pieces of information to determine anomalous behavior, even under heavy traffic situations
Joint Traffic Load and Interarrival Time Detector
- We can define $t$ to be the observed average interarrival time, and $L$ to be the observed traffic load.
- We then partition this $(L, t)$ space into two regions
  - Region I: non-suspicious behavior
  - Region II: anomalous activity
- This idea is later revisited in the experimental validation section.
Enhanced Detection using Multilevel Classification
- Extremely useful to have a severity analysis
- Plot severity vs. average sequence number gap of a particular window
- Severity is defined as the sum of the differences between a normal gap and the observed gap for all gaps in a window of size $L$
Severity vs. Average Sequence Number Gap
Conclusion
- All methods have their flaws
- There are already mechanisms in place within 802.11 that can help detect spoofing attacks
- Thank you for your time!
Questions / Comments
Sequence Number Gap Statistics for Dual Source from ORBIT