SLIDE 1

Fusing Beliefs of Multi-Layer Metrics for Detecting Security Attacks

Konstantinos Kyriakopoulos Francisco J. Aparicio Navarro David Parish

Cosener’s House - July 2011

Wednesday, 6 July 2011

SLIDE 2

Overview

✴ Introduction
✴ Aims
✴ Metrics - Methodology
✴ Data Fusion: D-S
✴ Examined Attacks
✴ Detection Results
✴ Conclusions - Future Work

SLIDE 3

Introduction

✴ Wireless networks are increasingly at risk.
✴ Current IDS tools focus on a single layer, or do not use the available metrics intelligently.
✴ The performance of a single metric can be poor.
✴ A multi-layer approach may give higher detection accuracy.

SLIDE 4

Aims

✴ Collect metrics from multiple layers
✴ Combine the metrics using data fusion
✴ Achieve better accuracy than conventional methods
✴ Concept:

  • low cost
  • scalable
  • applicable to other wireless technologies

SLIDE 5

(Image-only slide; no text was extracted.)

SLIDE 6

Metrics

(Figure: metrics from three layers feed the Data Fusion stage, which makes the final decision about an attack.)

  • Physical Layer: RSSI, Inj. Rate
  • MAC Layer: NAV, Seq #
  • Network Layer: TTL

✴ MAC Seq #: counter of frames sent by a node
✴ NAV: can be used as a signature for a node

SLIDE 7

Methodology

(Flowchart, reconstructed as steps:)

  1. Capture packets
  2. Get the metrics: RSSI, Rate, TTL per flow, NAV, Seq #
  3. Construct statistics for each metric (mode / average)
  4. Measure the distance of each new metric value from the mode/average of that metric
  5. Assign a belief in attack for each metric from that distance
  6. Fuse the per-metric beliefs with Dempster-Shafer

Metrics ordered from most volatile to least volatile: RSSI, Rate, TTL (per flow), NAV, Seq #

SLIDE 8

Data Fusion

✴ Dempster-Shafer because:

  • Deals with uncertainty
  • No a priori knowledge

(Figure: the same layer diagram as slide 6. Physical Layer: RSSI, Inj. Rate; MAC Layer: NAV, Seq #; Network Layer: TTL; all feed Data Fusion, which gives the final decision about an attack.)
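The pipeline of slides 7 and 8 carried through in code, as an added example that is not the authors' implementation: each metric's belief in attack grows with the distance of the observed value from the mode of the node's history, and Dempster's rule fuses the per-metric beliefs. Everything below the docstring is an assumption constructed for illustration: the function and constant names (`metric_bpa`, `combine`, `fuse`, `classify`, `METRICS`, `HISTORY`), the per-metric scales and reliabilities (ordered by the volatility ranking on slide 7), the frames, and the choice to feed Seq # as the increment over the previous frame from the same node. Two cases are run: a frame injected by an attacker, where RSSI, rate, NAV and Seq # all deviate, and a frame after a legitimate Seq # reset (slide 16), where Seq # alone would flag an attack but the fused result does not.

```python
"""Dempster-Shafer fusion of per-metric attack beliefs.

Added example illustrating the method on slides 7-8; it is not the authors'
code. The metric scales, reliabilities and sample frames are assumptions.
"""
from collections import Counter
from typing import Dict, List, Sequence

# Frame of discernment {attack, normal}; THETA is the whole frame, i.e. the
# mass a metric cannot commit either way (its uncertainty).
ATTACK, NORMAL, THETA = "attack", "normal", "theta"
Bpa = Dict[str, float]

# Assumed per-metric parameters. `scale` is the distance from the mode at which
# the metric is treated as fully anomalous; `reliability` caps how much mass a
# metric may commit, lowest for the most volatile metric (RSSI) and highest
# for the least volatile (Seq #), following the ordering on slide 7. Seq # is
# fed as the increment over the previous frame from the node (healthy mode 1).
METRICS = {
    "rssi": {"scale": 10.0, "reliability": 0.60},   # dBm
    "rate": {"scale": 20.0, "reliability": 0.70},   # Mbit/s
    "ttl":  {"scale": 16.0, "reliability": 0.80},   # hops
    "nav":  {"scale": 100.0, "reliability": 0.85},  # microseconds
    "seq":  {"scale": 5.0, "reliability": 0.90},    # Seq # increment
}


def metric_bpa(name: str, value: float, history: Sequence[float]) -> Bpa:
    """Basic probability assignment for one metric (slide 7, step 5).

    Mass on 'attack' is proportional to the distance from the mode of the
    history, the rest of the metric's reliability goes to 'normal', and
    1 - reliability stays on THETA.
    """
    params = METRICS[name]
    mode = Counter(history).most_common(1)[0][0]
    distance = min(abs(value - mode) / params["scale"], 1.0)
    attack = params["reliability"] * distance
    return {ATTACK: attack, NORMAL: params["reliability"] - attack,
            THETA: 1.0 - params["reliability"]}


def combine(m1: Bpa, m2: Bpa) -> Bpa:
    """Dempster's rule of combination for two BPAs over {attack, normal}."""
    conflict = m1[ATTACK] * m2[NORMAL] + m1[NORMAL] * m2[ATTACK]
    if conflict >= 1.0:
        raise ValueError("total conflict: the two sources cannot be combined")
    norm = 1.0 - conflict  # conflicting mass is discarded and the rest renormalised
    return {
        ATTACK: (m1[ATTACK] * m2[ATTACK] + m1[ATTACK] * m2[THETA] + m1[THETA] * m2[ATTACK]) / norm,
        NORMAL: (m1[NORMAL] * m2[NORMAL] + m1[NORMAL] * m2[THETA] + m1[THETA] * m2[NORMAL]) / norm,
        THETA: m1[THETA] * m2[THETA] / norm,
    }


def fuse(bpas: List[Bpa]) -> Bpa:
    """Fold Dempster's rule over any number of metrics (the rule is associative)."""
    result = bpas[0]
    for m in bpas[1:]:
        result = combine(result, m)
    return result


def classify(frame: Dict[str, float], history: Dict[str, Sequence[float]],
             metrics: Sequence[str]) -> Bpa:
    """Fuse the chosen metrics for one frame and return the combined BPA."""
    return fuse([metric_bpa(m, frame[m], history[m]) for m in metrics])


def is_attack(m: Bpa) -> bool:
    return m[ATTACK] > m[NORMAL]


# Constructed history of a legitimate AP as seen by the monitor.
HISTORY = {
    "rssi": [-44, -45, -45, -46, -45, -45],
    "rate": [54, 54, 48, 54, 54, 54],
    "ttl":  [64, 64, 64, 64, 64, 64],
    "nav":  [44, 44, 44, 44, 44, 44],
    "seq":  [1, 1, 1, 1, 1, 1],
}
# Constructed frame forged from another position at 1 Mbit/s with the
# attacker's own counter: RSSI, rate, NAV and Seq # deviate, TTL does not.
INJECTED = {"rssi": -70, "rate": 1, "ttl": 64, "nav": 300, "seq": -1500}
# Constructed frame after the real AP reset its counter (slide 16): only Seq # deviates.
SEQ_RESET = {"rssi": -45, "rate": 54, "ttl": 64, "nav": 44, "seq": -3000}

if __name__ == "__main__":
    for label, frame in (("injected", INJECTED), ("seq reset", SEQ_RESET)):
        for chosen in (["seq"], ["nav", "seq"], list(METRICS)):
            m = classify(frame, HISTORY, chosen)
            print(f"{label:9s} {'+'.join(chosen):24s} attack={m[ATTACK]:.3f} "
                  f"normal={m[NORMAL]:.3f} uncertainty={m[THETA]:.3f} "
                  f"-> {'ATTACK' if is_attack(m) else 'normal'}")
```

For the injected frame, NAV + Seq # alone already give 0.985 belief in attack and all five metrics 0.991, with the uncertainty mass shrinking at each step, which is the effect tabulated on slide 15. For the legitimate Seq # reset, Seq # on its own reports 0.9 attack, but fused with the four metrics that still look normal the result is 0.965 normal. The caveat is visible in `combine`: Dempster's rule discards the conflicting mass and renormalises, so when sources disagree strongly the outcome is decided by whatever agreement remains; the reliabilities (mass left on THETA) are what keep a single volatile metric from dominating.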

SLIDE 9

Test-bed

(Figure: wireless test-bed.)

  • Monitor: BackTrack 4, Atheros card
  • Attacker: BackTrack 4, Atheros card
  • Client: Atheros card
  • Access Point (AP), connected to the Internet

SLIDE 10

MitM Attack @ PHY

✴ Man in the Middle (MitM)
✴ Takes advantage of lag time
✴ Injects its own content

(Figure: the test-bed of slide 9, with the attacker between the client and the AP.)

  1. Intercepts traffic
  2. Analyses it
  3. Injects forged frames

SLIDE 11

Results: MitM Attack

Metrics             Type   Result   %
NAV + SEQ           FN
NAV + SEQ           FP     7/63     11.1
RSSI + NAV + SEQ    FN
RSSI + NAV + SEQ    FP     8/63     12.7
RSSI + TTL + RATE   FN
RSSI + TTL + RATE   FP
All metrics         FN
All metrics         FP

(FN = false negatives, FP = false positives. Cells left blank were not recoverable from the slide.)

SLIDE 12

Rogue AP attack

(Figure: the test-bed of slide 9, with the attacker acting as a rogue AP.)

  1. Disassociates the client
  2. Responds to Probe Requests

SLIDE 13

Rogue AP: Tools

Method       Rate              ESSID Spoof
Airbase      Fixed at 1 Mbps   No
Airbase -a   Fixed at 1 Mbps   Yes
Host AP      Normal rate       No

SLIDE 14

Results: Rogue AP

Metrics             Type        Airbase   Airbase ESSID Spoof   HostAP
NAV + SEQ           Detected?   Yes       Yes                   Yes
NAV + SEQ           FP          0/405     0/246                 0/57
RSSI + NAV + SEQ    Detected?   Yes       Yes                   Yes
RSSI + NAV + SEQ    FP          35/405    2/246                 3/57
RSSI + TTL + RATE   Detected?   No        Yes                   No
RSSI + TTL + RATE   FP          100%      0/246                 100%
All metrics         Detected?   Yes       Yes                   Yes
All metrics         FP          0/405     0/246                 0/57

SLIDE 15

Benefit of extra metrics

Beliefs after fusion:

No. of metrics       Attack   No Attack   Uncertainty
NAV - SEQ            0.569    0.314       0.118
RSSI - NAV - SEQ     0.664    0.263       0.073
RSSI - TTL - Rate    0.575    0.329       0.096
5 metrics            0.710    0.272       0.018

SLIDE 16

Benefit of extra metrics

✴ Benefit: the fused decision can adapt when the AP resets its Seq # for a valid reason, because the other metrics still indicate normal traffic and outweigh the Seq # metric on its own.

SLIDE 17

Things to consider:

✴ Assume that normal traffic outnumbers attack traffic
✴ The algorithm removes polluted metrics from the history when several conditions apply:

  • if NAV indicates an attack and Seq # indicates an attack,
    then remove the last metric values from the statistics
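One way to implement the history-cleaning rule above, as an added example rather than the authors' code. It replaces the Dempster-Shafer beliefs of the talk with a plain distance-from-mode threshold per metric (an assumed simplification so that the cleaning rule itself is the focus), tracks the expected Seq # as a 12-bit counter, and replays a constructed capture in which forged frames outnumber the AP's own beacons within the window, once with cleaning and once without. The class and function names (`NodeHistory`, `seq_gap`, `make_stream`, `run`), the thresholds, the window size and the frames are all assumptions.

```python
"""Keeping forged frames out of a node's baseline statistics (slide 17).

Added example, not the authors' code. Thresholds, window size and the
capture below are assumptions constructed for illustration.
"""
from collections import Counter, deque
from typing import Deque, Dict, List, Tuple

SEQ_MODULUS = 4096                        # 802.11 sequence numbers are 12 bits
THRESHOLDS = {"nav": 50.0, "rssi": 10.0}  # assumed max distance from the window mode
SEQ_TOLERANCE = 5                         # assumed max gap from the expected counter value


def seq_gap(seen: int, expected: int) -> int:
    """Signed distance from the expected sequence number, modulo 4096, so a
    frame numbered 2 after an expected 4094 is a gap of +4, not -4092."""
    half = SEQ_MODULUS // 2
    return (seen - expected + half) % SEQ_MODULUS - half


class NodeHistory:
    """Bounded per-metric sample windows plus the expected Seq # for one transmitter."""

    def __init__(self, window: int = 20, clean: bool = True) -> None:
        self.windows: Dict[str, Deque[float]] = {m: deque(maxlen=window) for m in THRESHOLDS}
        self.expected_seq = None  # unknown until the first frame is accepted
        self.clean = clean
        self.rejected = 0

    def mode(self, metric: str) -> float:
        return Counter(self.windows[metric]).most_common(1)[0][0]

    def flags(self, frame: Dict[str, int]) -> Dict[str, bool]:
        """Per-metric attack indications, computed against the current baseline."""
        result = {m: bool(self.windows[m]) and abs(frame[m] - self.mode(m)) > limit
                  for m, limit in THRESHOLDS.items()}
        result["seq"] = (self.expected_seq is not None
                         and abs(seq_gap(frame["seq"], self.expected_seq)) > SEQ_TOLERANCE)
        return result

    def observe(self, frame: Dict[str, int]) -> bool:
        """Judge one frame and update the baseline; return True if judged an attack.

        Slide 17's rule: when NAV and Seq # both indicate an attack, the frame's
        metrics are kept out of the statistics (the same effect as appending them
        and removing them again), so forged frames can neither shift the mode
        nor hijack the expected counter.
        """
        f = self.flags(frame)
        attack = f["nav"] and f["seq"]
        if attack and self.clean:
            self.rejected += 1
            return True
        for m in THRESHOLDS:
            self.windows[m].append(frame[m])
        self.expected_seq = (frame["seq"] + 1) % SEQ_MODULUS
        return attack


def make_stream() -> List[Dict[str, int]]:
    """Constructed capture: 8 beacons from the real AP, then 15 frames forged with
    the AP's address at 1 Mbit/s (longer NAV, weaker RSSI, the attacker's own
    counter), then one more beacon from the real AP."""
    frames = [{"nav": 44, "rssi": -45, "seq": 100 + i} for i in range(8)]
    frames += [{"nav": 300, "rssi": -70, "seq": 3000 + i} for i in range(15)]
    frames.append({"nav": 44, "rssi": -45, "seq": 108})
    return frames


def run(clean: bool) -> Tuple[NodeHistory, List[bool]]:
    """Replay the capture through a fresh history and return it with the verdicts."""
    history = NodeHistory(clean=clean)
    verdicts = [history.observe(frame) for frame in make_stream()]
    return history, verdicts


if __name__ == "__main__":
    for clean in (True, False):
        history, verdicts = run(clean)
        print(f"clean={clean}: rejected={history.rejected} nav mode={history.mode('nav')} "
              f"last real beacon judged attack={verdicts[-1]}")
```

With cleaning on, all 15 forged frames are flagged and rejected, the NAV mode stays at the AP's value and the AP's next beacon is accepted. With cleaning off, only the first forged frame is flagged: once it enters the baseline the attacker's counter becomes the expected one, the subsequent forged frames pass, and after enough of them the NAV mode flips, so the AP's own beacon is the frame that gets judged an attack. That inversion is why the rule assumes normal traffic outnumbers attack traffic: the baseline is only as trustworthy as the frames allowed into it.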

SLIDE 18

Conclusions

✴ Single metrics:

  • Inefficient, Inaccurate, Misleading

✴ Multi-metrics:

  • Synergistic Approach, More Accurate

✴ Data Fusion: Dempster-Shafer

SLIDE 19

Current and Future Work

✴ Automate the assignment of beliefs
✴ Dynamic selection of metrics

SLIDE 20

Thank You ...
