Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships - PowerPoint PPT Presentation

1
Detecting Spoofing and Anomalous Traffic in
Wireless Networks via Forge-Resistant
Relationships
  • Qing Li and Wade TrappeIEEE Transactions on
    Information Forensics and Security, VOL. 2, No.
    4, December 2007
  • Presented by Ryan Yandle

2
Outline
  • Spoofing
  • ORBIT
  • Family 1 Relationships via Auxiliary Fields
  • Method A Sequence Number
  • Method B One-way chains
  • Family 2 Relationships via Intrinsic Properties
  • Method A Interarrival time
  • Method B Joint Background Traffic and
    Interarrival time Analysis
  • Multilevel Classification
  • Conclusion

3
What is Spoofing?
  • The practice of impersonating another entity in
    order to subvert security.
  • Spoofing allows the attacker to remain anonymous
    and undetected in the network.

4
More Specifically
  • This paper refers to MAC address spoofing.
  • The attacker tries to gain access to the WLAN by
    cloning the MAC address of a legitimate user.

5
What are Forge-Resistant Relationships?
  • Rules that govern the relationship between the
    states observed from one identity (for example,
    successive frames sent under one MAC address)
  • The rules are chosen so that another entity (the
    attacker) trying to forge the relationship would be
    caught
  • The paper's focus is to detect spoofing by creating
    and checking such relationships

6
The ORBIT Wireless Test Bed
  • Composed of a 2-D grid of wireless nodes
  • Jointly run by several schools in the NY/NJ area

7
Test Bed Setup
  • Figure: A = legitimate sender, B = attacker, X =
    monitor
8
Strategy Overview
  • Consider that the legitimate sender has a unique
    identity (its MAC address)
  • Associated with that identity is a particular
    sequence of packets
  • From these packets we may observe states (for
    example, sequence numbers or arrival times)

9
More Strategery
  • A Relationship Consistency Check (RCC) is a
    binary rule that returns 1 if the observed states
    obey the rule R with respect to each other, and 0
    otherwise.

10
But
  • Simply using a relationship R and checking the
    corresponding RCC at the monitoring device is not
    going to provide reliable security: an attacker who
    can reproduce the relationship passes the check
  • We need to add a forge-resistance requirement to
    the relationship
  • Thus, an RRCC (forge-resistant RCC) is needed

11
Definition of RRCC
  • An $\epsilon$-forge-resistant relationship R is a
    rule governing the relationship between a set of
    states from a particular identity, for which
    there is only a small probability of another device
    being able to forge a set of states such that a
    monitoring device would evaluate the
    corresponding RCC as 1.

12
More
  • We will view the output of an RRCC as the result
    of deciding between two different hypotheses.
  • $H_0$: the null hypothesis, corresponding to
    non-suspicious activity
  • $H_1$: the alternate hypothesis, corresponding to
    anomalous behavior

13
Quantifying Effectiveness
  • We will use several measures to quantify the
    effectiveness of R.
  • The probability of a false alarm,
    $P_{FA} = \Pr(H_1 \mid H_0)$: the probability that
    we decide a set of states is suspicious when it was
    really legitimate
  • The probability of a missed detection,
    $P_{MD} = \Pr(H_0 \mid H_1)$: the probability of
    deciding that a set of states is legitimate when it
    was not

14
Quantifying Effectiveness Cont.
  • The probability of detection, $P_D = 1 - P_{MD}$
  • Other symbols: $\epsilon = P_{MD}$ and
    $\delta = P_{FA}$
  • Therefore, we can characterize an RRCC by the pair
    $(\epsilon, \delta)$

15
Two Proposed Families for Relationships
  1. Using auxiliary fields in the MAC frame to create
    a monotonic relationship
  2. Using traffic inter-arrival statistics to detect
    anomalous traffic

16
Family I - Forge-Resistant Relationships via
Auxiliary Fields
  • Method A
  • Anomaly Detection via Sequence Number
    Monotonicity
  • Enforce a rule that requires packet sequence
    numbers to follow a monotonic relationship,
    denoted as Rseq

17
802.11 MAC Frame Structure: the Sequence Control Field
  • Generally used to re-assemble fragmented frames
    or to detect duplicate frames.
  • Fragment number: 4 bits
  • Sequence number: 12 bits, 4096 possible values
    ranging over 0..4095
  • The sequence number is assigned by the card
    firmware, so the sending host's software does not
    normally choose it

18
Rseq
  • It does not matter if the attacker can manipulate
    its own sequence numbers.
  • A cloning attempt would be exposed by duplicate or
    inconsistent sequence numbers appearing under the
    same MAC address
  • Therefore, the forge resistance stems from the
    fact that the attacker cannot stop the legitimate
    sender from transmitting packets.

19
Single Source Sequence Numbers
  • Let $t$ be the difference in sequence numbers
    between two consecutive observed packets
  • The possible values for $t$ are $1, \ldots, 4096$
  • A value of 4096 is equivalent to a sequence
    number difference of 0 (duplicate sequence
    numbers)
  • With packet loss rate $p$, $t$ is geometrically
    distributed: $\Pr(t = k) = p^{k-1}(1-p)$ ($k-1$
    lost packets followed by one received)
  • The mean of $t$ is $E[t] = 1/(1-p)$
  • The variance of $t$ is $\sigma_t^2 = p/(1-p)^2$
20
Theoretical Packet Loss
  • Using the formulas that we just learned, a
    theoretical transmission with a packet loss rate of
    50% ($p = 0.5$) gives
  • $E[t] = 2$
  • $\sigma_t^2 = 2$, so $\sigma_t = 1.41$
  • Even for networks with poor connectivity, the
    difference in sequence numbers between successive
    packets will be relatively small

21
Dual Source Sequence Numbers
  • Let $y$ be the sequence number from the real source
  • Let $x$ be the sequence number from the attacker
  • $z = x - y$ ranges over $[-4095, 4095]$
  • The gap is defined as $t = z \bmod 4096$

22
Dual Source Cont.
  • If we then map a difference of 0 to 4096, $t$ is
    uniformly distributed over $1, \ldots, 4096$
  • $E[t] = 2048.5$
  • $\sigma_t = 1182$

23
Single Source Behavior
  • A single node is transmitting packets using a
    specified MAC address to a receiver
  • No anomalous behavior is present in this scenario

24
Dual Source Behavior
  • Two nodes using the same MAC address to transmit
    packets
  • One node is spoofing the others MAC address

25
Let's build a detector
  • We will define the RRCC detection scheme as
    follows
  • Choose a window of packets coming from a specific
    MAC address
  • We will choose a window of size $L$
  • The detector will calculate the $L-1$ sequence
    number gaps between consecutive packets in the
    window

26
More on the detector
  • The detector declares an anomaly if
    $\max_{l = 1, \ldots, L-1} t_l > g$
  • $g$ is determined by solving for a desired false
    alarm rate

27
Example: $L = 5$, $g = 3$
  • Observed sequence numbers under one MAC address:
    1, 2, 3, 76, 5, 7, 8, 9, 10, 11
  • Gaps within one window of 5 packets: 1, 73, 71, 2
  • MAX = 73 > g, so RETURN(1)
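
The detector of slides 25 to 27, the Sequence Control parsing of slide 17, the threshold choice of slide 26 and the severity measure of slide 43, written out as an added example (this is not code from the paper or the presenter). The header layout (Sequence Control at byte offset 22, fragment number in the low 4 bits) is the 802.11 standard; the frames and the sequence-number trace are constructed, with placeholder addresses. Gaps use the modular definition of slide 21, so the wrap-around step 76 -> 5 gives 4025 rather than the 71 shown on slide 27; both exceed g. The false-alarm formula assumes the L-1 gaps under H0 are independent and geometric with loss rate p, which is this example's model, not a claim of the paper.

```python
import struct

SEQ_MOD = 4096  # the 12-bit 802.11 sequence number wraps at 4096


def parse_sequence_control(frame: bytes) -> tuple:
    """Return (sequence_number, fragment_number) from an 802.11 frame.

    The Sequence Control field is the 16-bit little-endian word at byte
    offset 22 of a data or management frame (after Frame Control,
    Duration/ID and Address 1-3).  Its low 4 bits carry the fragment
    number and its high 12 bits the sequence number.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 MAC header")
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    return seq_ctrl >> 4, seq_ctrl & 0x0F


def seq_gap(prev: int, cur: int) -> int:
    """Gap t = (cur - prev) mod 4096, with 0 (a duplicate) mapped to 4096."""
    g = (cur - prev) % SEQ_MOD
    return SEQ_MOD if g == 0 else g


def window_gaps(seqs):
    """The L-1 gaps between L consecutive sequence numbers of one MAC address."""
    return [seq_gap(a, b) for a, b in zip(seqs, seqs[1:])]


def rseq_detector(seqs, g: int) -> int:
    """Rseq check on one window: 1 (anomaly, decide H1) if max gap > g, else 0."""
    gaps = window_gaps(seqs)
    return 1 if gaps and max(gaps) > g else 0


def sliding_detect(seqs, L: int, g: int):
    """Run the window detector over every run of L consecutive frames."""
    return [rseq_detector(seqs[i:i + L], g) for i in range(len(seqs) - L + 1)]


def severity(seqs, normal_gap: int = 1) -> int:
    """Severity of a window: sum of (observed gap - normal gap) over its gaps."""
    return sum(t - normal_gap for t in window_gaps(seqs))


def false_alarm_rate(p: float, L: int, g: int) -> float:
    """P_FA for threshold g under H0, modelling the L-1 gaps as i.i.d.
    geometric with loss rate p (an assumption of this example):
    Pr(t > g) = p**g, so P_FA = 1 - (1 - p**g)**(L-1)."""
    return 1.0 - (1.0 - p ** g) ** (L - 1)


def choose_threshold(p: float, L: int, delta: float) -> int:
    """Smallest g whose false-alarm rate is at most delta (slide 26)."""
    g = 1
    while false_alarm_rate(p, L, g) > delta:
        g += 1
    return g


def build_frame(seq: int, frag: int = 0) -> bytes:
    """Constructed 24-byte data-frame header carrying the given Sequence
    Control value; the addresses are placeholders, not a captured frame."""
    frame_control = b"\x08\x00"            # type=data, subtype=0
    duration = b"\x00\x00"
    addr1 = bytes.fromhex("ffffffffffff")  # placeholder destination
    addr2 = bytes.fromhex("00112233aabb")  # placeholder (spoofed) source
    addr3 = bytes.fromhex("001122334455")  # placeholder BSSID
    seq_ctrl = struct.pack("<H", (seq << 4) | (frag & 0x0F))
    return frame_control + duration + addr1 + addr2 + addr3 + seq_ctrl


if __name__ == "__main__":
    # Constructed trace matching slide 27: one spoofer frame (76) lands
    # between the legitimate sender's 3 and 5.
    trace = [1, 2, 3, 76, 5, 7, 8, 9, 10, 11]
    seqs = [parse_sequence_control(build_frame(s))[0] for s in trace]
    print("window decisions:", sliding_detect(seqs, L=5, g=3))
    print("severity of first window:", severity(seqs[:5]))
    print("g for p=0.5, L=5, delta=0.01:", choose_threshold(0.5, 5, 0.01))
```

Every window that contains the 76 is flagged and the two windows after it are not, which is the behaviour slide 30 warns about: the check only fires while both the legitimate frames and the spoofer's frames fall inside the same window. The threshold search also shows why g matters: at 50% loss and L = 5 a 1% false-alarm budget already needs g = 9, still far below the gaps a second source produces.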
28
Performance of Sequence Number Monotonicity
  • Figure: detector performance for $L = 2$
29
Sequence Number Gap Statistics for a Single
Source from ORBIT
30
When would this not work?
  • This method of detection only works when both
    sources are transmitting within the observation
    window: the legitimate device must be sending in
    order for the spoofer's frames to reveal the
    anomaly. A spoofer that is alone on the channel
    (for example, while the victim is idle) is not
    caught by Rseq.

31
Family I - Forge-Resistant Relationships via
Auxiliary Fields
  • Method B
  • One-way chain of Temporary Identifiers
  • The sender attaches a TIF (temporary identifier
    field) to each frame sent under its identity,
    forcing the adversary to solve a cryptographic
    puzzle in order to spoof.

32
Temporary Identifier Fields
  • Similar to what was proposed in TESLA
  • Compute a one-way chain of values and attach them
    to successive frames in the reverse order of
    computation.
  • In order for the attacker to spoof a message, they
    would need to invert the one-way function used to
    compute the chain.
  • This method is loss-tolerant: the monitor can
    verify a received TIF against the last one it
    accepted by applying the one-way function more
    than once.
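
The one-way chain of TIFs from slides 31 to 33, as an added example rather than the paper's or the presenter's code. The one-way function is SHA-256 truncated to the TIF bit length (10 and 16 bits are the lengths on the ROC curve of slide 33; the seed, chain length and the 8-byte input encoding are this example's choices). The monitor keeps the last accepted TIF and hashes a new one forward up to `max_hops` times, which is what makes the check loss-tolerant; a replayed or stale TIF fails because it never hashes forward to the last accepted value. The brute-force function shows the practical caveat behind the ROC curve: a 10-bit TIF is forged in at most 1024 hash evaluations.

```python
import hashlib


def h_bits(value: int, bits: int) -> int:
    """The one-way function H: SHA-256 of the value's 8-byte big-endian
    encoding, truncated to `bits` bits (the TIF length)."""
    digest = hashlib.sha256(value.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


def make_chain(seed: int, length: int, bits: int) -> list:
    """Compute the chain backwards from a secret seed so that
    chain[i] == H(chain[i + 1]); the sender reveals chain[0], chain[1], ...
    one per frame, i.e. in the reverse order of computation (TESLA-style).
    chain[0] is the commitment the monitor must learn authentically."""
    chain = [0] * length
    x = seed
    for i in range(length - 1, -1, -1):
        x = h_bits(x, bits)
        chain[i] = x
    return chain


class TifMonitor:
    """Holds the last accepted TIF and checks that each new one chains to it."""

    def __init__(self, commitment: int, bits: int, max_hops: int = 3):
        self.last = commitment
        self.bits = bits
        self.max_hops = max_hops  # tolerate up to max_hops - 1 lost frames

    def rcc(self, tif: int) -> int:
        """Relationship consistency check: 1 if H^k(tif) == last for some
        1 <= k <= max_hops (k - 1 frames were lost), else 0.  A replayed or
        out-of-order TIF fails because it does not hash forward to `last`."""
        x = tif
        for _ in range(self.max_hops):
            x = h_bits(x, self.bits)
            if x == self.last:
                self.last = tif
                return 1
        return 0


def brute_force_preimage(target: int, bits: int) -> int:
    """What an attacker does against a short TIF: try every `bits`-bit value
    until one hashes to the last TIF seen on the air.  The genuine next
    chain value is among the candidates, so the search always succeeds."""
    for candidate in range(1 << bits):
        if h_bits(candidate, bits) == target:
            return candidate
    raise AssertionError("unreachable: the genuine next TIF is a preimage")


if __name__ == "__main__":
    chain = make_chain(seed=0xC0FFEE, length=8, bits=16)
    mon = TifMonitor(chain[0], bits=16)
    # in order, then chain[2] lost, then a replay of chain[3]
    print(mon.rcc(chain[1]), mon.rcc(chain[3]), mon.rcc(chain[3]))
    weak = make_chain(seed=0xC0FFEE, length=8, bits=10)
    victim = TifMonitor(weak[1], bits=10)
    forged = brute_force_preimage(weak[1], bits=10)  # at most 1024 hashes
    print("forged 10-bit TIF accepted:", victim.rcc(forged))
```

Two points a practitioner should take from this: the monitor must obtain chain[0] over a trusted path (otherwise the attacker commits to a chain of its own), and the loss tolerance `max_hops` is also the attacker's budget, since any value hashing to the last TIF within that many steps is accepted, which is why the bit length dominates the ROC curve on slide 33.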

33
ROC Curve for one-way chain TIFs
  • Figure: ROC curves for TIF bit length 10 and bit
    length 16
34
Outline
  • Spoofing
  • ORBIT
  • Family 1 Relationships via Auxiliary Fields
  • Method A Sequence Number
  • Method B One-way chains
  • Family 2 Relationships via Intrinsic Properties
  • Method A Interarrival time
  • Method B Joint Background Traffic and
    Interarrival time Analysis
  • Multilevel Classification
  • Conclusion

35
Family II - Forge-Resistant Relationships via
Intrinsic Properties
  • Method A) Traffic Arrival Consistency Checks
  • Use a traffic-shaping tool at the sender to control
    the interarrival times of its packets as observed
    by the monitoring device.
  • These interarrival statistics are then used to
    detect anomalous behavior

36
Traffic Arrival Consistency Checks
  • Suppose we have our three devices, A, B, X
  • A is set to transmit at a fixed interval
  • X takes note of this behavior; if B starts
    transmitting (spoofing to impersonate A), then the
    detector will notice a change in the distribution
    of packet interarrival times for A's address

37
Resulting Histograms
38
Experimental Results (200 ms transmission interval)
39
Experimental Results cont.
40
When would this method become unreliable on a
wireless network?
  • In the presence of high background traffic, this
    method becomes less suitable.
  • Background traffic affects the transmission
    intervals of the sender (contention delays stretch
    the interarrival times), possibly causing false
    alarms.

41
Family II - Forge-Resistant Relationships via
Intrinsic Properties
  • Method B) Joint Traffic Load and Interarrival
    Time Detector
  • Jointly examine the interarrival time and the
    background traffic load
  • Use these two pieces of information to determine
    anomalous behavior, even under heavy traffic
    situations

42
Joint Traffic Load and Interarrival Time Detector
  • We define $t$ to be the observed average
    interarrival time and $L$ to be the observed
    traffic load (this $L$ is the load, not the window
    size of slide 25).
  • We then partition the $(L, t)$ space into two
    regions
  • Region I: non-suspicious behavior
  • Region II: anomalous activity
  • This idea is revisited in the experimental
    validation section of the paper.
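
The arrival consistency check of slides 35 to 36 and the joint load/interarrival detector of slides 41 to 42, as an added example (not code from the paper or the presenter). Method A compares a window's mean interarrival time with the traffic-shaped nominal interval of 200 ms (the interval of slide 38) under a fixed tolerance; Method B lets the tolerance grow with the observed load, which is one simple way to draw the region I / region II boundary in (L, t) space. The linear form of that boundary, the tolerance values and the load figures are this example's assumptions, and the three traces are constructed, not ORBIT measurements: a quiet channel, a busy channel that stretches the legitimate sender's intervals by about 20%, and an attacker B that also sends every 200 ms, offset by 100 ms.

```python
def interarrival_times(timestamps):
    """Differences between consecutive arrival timestamps (seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def mean_interarrival(timestamps) -> float:
    gaps = interarrival_times(timestamps)
    return sum(gaps) / len(gaps)


def arrival_consistency_check(timestamps, nominal: float, tol: float) -> int:
    """Method A: 1 (anomaly) if the window's mean interarrival time deviates
    from the traffic-shaped nominal interval by more than tol * nominal."""
    t = mean_interarrival(timestamps)
    return 1 if abs(t - nominal) > tol * nominal else 0


def joint_load_check(timestamps, load: float, nominal: float,
                     base_tol: float = 0.10, load_slope: float = 0.50) -> int:
    """Method B: the same test with a tolerance that grows with the observed
    traffic load (0..1), i.e. a boundary in (L, t) space that widens
    region I under heavy background traffic.  The linear form of the
    boundary is this example's assumption, not the paper's."""
    t = mean_interarrival(timestamps)
    tol = base_tol + load_slope * load
    return 1 if abs(t - nominal) > tol * nominal else 0


def timestamps_from_intervals(start: float, intervals) -> list:
    """Turn a list of interarrival intervals into arrival timestamps."""
    ts = [start]
    for d in intervals:
        ts.append(ts[-1] + d)
    return ts


def merge_streams(*streams) -> list:
    """What monitor X sees: frames from every sender using the MAC, by time."""
    return sorted(t for s in streams for t in s)


NOMINAL = 0.200  # A is traffic-shaped to one frame every 200 ms (slide 38)

# Constructed traces, not measurements.
QUIET_INTERVALS = [0.200, 0.203, 0.198, 0.201, 0.199,
                   0.202, 0.200, 0.198, 0.201, 0.200]
BUSY_INTERVALS = [0.210, 0.290, 0.205, 0.260, 0.240,
                  0.215, 0.275, 0.230, 0.250, 0.225]  # mean 0.240 s
A_QUIET = timestamps_from_intervals(0.0, QUIET_INTERVALS)
A_BUSY = timestamps_from_intervals(0.0, BUSY_INTERVALS)
B_SPOOF = [0.1 + 0.2 * i for i in range(11)]  # attacker B, offset 100 ms
SPOOFED_QUIET = merge_streams(A_QUIET, B_SPOOF)
SPOOFED_BUSY = merge_streams(A_BUSY, B_SPOOF)


def scenario_results() -> dict:
    """(Method A, Method B) decisions, 1 = anomaly, per constructed scenario.
    Loads 0.05 and 0.40 stand for a quiet and a busy channel."""
    return {
        "legit_quiet": (arrival_consistency_check(A_QUIET, NOMINAL, 0.10),
                        joint_load_check(A_QUIET, 0.05, NOMINAL)),
        "legit_busy": (arrival_consistency_check(A_BUSY, NOMINAL, 0.10),
                       joint_load_check(A_BUSY, 0.40, NOMINAL)),
        "spoofed_quiet": (arrival_consistency_check(SPOOFED_QUIET, NOMINAL, 0.10),
                          joint_load_check(SPOOFED_QUIET, 0.05, NOMINAL)),
        "spoofed_busy": (arrival_consistency_check(SPOOFED_BUSY, NOMINAL, 0.10),
                         joint_load_check(SPOOFED_BUSY, 0.40, NOMINAL)),
    }


if __name__ == "__main__":
    for name, decision in scenario_results().items():
        print(f"{name:14s} method A={decision[0]} method B={decision[1]}")
```

On the busy channel the fixed-tolerance check raises the false alarm slide 40 describes, while the load-aware boundary stays in region I; with the spoofer present the merged stream arrives at roughly twice the rate, so the mean interarrival time halves and both detectors flag it regardless of load.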

43
Enhanced Detection using Multilevel Classification
  • It is useful to have a severity analysis rather
    than only a binary decision
  • Plot severity vs. the average sequence number gap
    of a particular window
  • Severity is defined as the sum of the differences
    between the normal gap and the observed gap, taken
    over all gaps in a window of size $L$

44
Severity vs. Average Sequence Number Gap
45
Conclusion
  • All of the methods have their flaws
  • There are already mechanisms in place within
    802.11 (such as the sequence number field) that
    can help detect spoofing attacks
  • Thank you for your time!

46
Questions / Comments
47
Sequence Number Gap Statistics for Dual Source
from ORBIT