Networks: Detection and Countermeasure Issa Khalil, Saurabh Bagchi - - PowerPoint PPT Presentation



SLIDE 1

Stealthy Attacks in Wireless Ad Hoc Networks: Detection and Countermeasure

Issa Khalil, Saurabh Bagchi, IEEE Transactions on Mobile Computing, 2011. Presented by Yang Chen

CS6204 – Mobile Computing 1

SLIDE 2

Khalil-TMC11

Outline

- Background and Foundations
- Stealthy Dropping Attack: Description and Mitigation
- Model Analysis
- Simulation Results
- Conclusion

SLIDE 3

Background

- Wireless Ad Hoc and Sensor Networks (WASN) are becoming an important platform
- WASN are vulnerable to attacks
  - Control traffic: wormhole, rushing, Sybil
  - Data traffic: blackhole, selective forwarding, delaying
- Cryptographic mechanisms alone cannot prevent these attacks
- Local Monitoring
  - Behavior-based detection

SLIDE 4

Background

- Baseline Local Monitoring (BLM)
  - Guard nodes perform local monitoring with the objective of detecting security attacks
  - Monitored properties: non-modification, acceptable delay, appropriate next hop
- Stealthy packet dropping
  - Malicious behavior that prevents the packet from reaching the destination
  - The action looks correct to the attacker's neighbors
  - Four different modes

SLIDE 5

Attack Model & System Assumptions

- The attacker can control an external node or an internal node
  - External node: does not possess the cryptographic keys
  - Internal node: possesses the keys, but is compromised
- A malicious node can perform packet dropping
  - By itself or by colluding with other nodes
- A malicious node can have high-powered, controllable transmission capability
- Communication is bidirectional
- Every node knows both its first-hop and second-hop neighbors
- A key management protocol exists

SLIDE 6

Local Monitoring

- Collaborative detection strategy
- Guard node
  - A node able to watch another node; it must be a neighbor of that node and of the previous hop
  - G(N1, N2) = R(N1) ∩ R(N2) − N2, where R(N) is the radio range of N

SLIDE 7

Local Monitoring

- A malicious counter is maintained at each guard node
  - MalC(i, j), kept over a time window Twin, increases for each malicious activity observed
- If MalC(i, j) exceeds the threshold
  - node i revokes j from its neighbor list (direct isolation) and sends an alert
  - the neighbors of node i verify the alert; once they have received enough alerts, they revoke j (indirect isolation)
- Detection confidence index γ

SLIDE 8

Stealthy Dropping Attack

- Objective: dropping a packet
- Four modes
  - Packet misrouting
  - Power control
  - Colluding collision
  - Identity delegation
- Side effect
  - A legitimate node is accused of packet dropping

SLIDE 9

Packet Misrouting

- The malicious node relays the packet to the wrong next hop
- A node that receives a packet to relay without being on the route to the destination will drop the packet
- Route A–M–B: node M relays the packet to E
  - E will drop the packet
- Result
  - M drops the packet without being detected (guard regions I & II)
  - E is accused by the guards over the M–E link (guard regions II & III)

SLIDE 10

Power Control

- The malicious node controls its power to reduce its transmission range so that the next-hop node is excluded
- The next hop cannot receive the packet
- Route S–M–T: M reduces its range r
- Guards in region I will accuse M; guards in region II will not
- If the number of region-I guards is greater than the detection confidence index γ − 1, M will refrain from lowering its power

SLIDE 11

Colluding Collision

- The malicious node coordinates its transmission with a transmission from its colluding partner to the next-hop node
- The two packets collide at T, so T does not receive the packet from M
- Result
  - M1 drops the packet
  - T is accused by the region-I guards

SLIDE 12

Identity Delegation

- This attack involves two malicious nodes
  - One is the next hop of the sender, M2
  - One is spatially close to the sender, M1, which is allowed to use M2's identity to transmit
- T does not receive the packet, since T is out of range of M1
- Result
  - M2 drops the packet
  - The region-I guards are satisfied
  - T is accused by the region-II guards

SLIDE 13

Mitigation

- The four modes of the stealthy dropping attack can be categorized into two subsets
  - Misrouting
  - Power control, colluding collision, identity delegation
- Key observation: the attacker makes sure the number of unsatisfied guards stays below the detection index γ
- Two mechanisms augment traditional local monitoring to detect the stealthy dropping attack
- Stealthy Attacks in Wireless Ad Hoc Networks: Detection and Countermeasure: SADEC

SLIDE 14

Mitigating Packet Misrouting

- Basic idea: extend the knowledge of each guard to include the identity of the next hop for the packet being relayed
- Proactive protocols and some reactive protocols: each packet carries the route information in its header
  - No extra information is needed
- Some other reactive protocols: need to flood REQs and REPs to establish the route
  - Add the previous two hops to the header of the REQ packet
  - Guards collect the information during the route establishment phase
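The guard set of slide 6, the misrouting scenario of slide 9 and the SADEC next-hop check of this slide, as an added Python example that is not code from the paper or the presentation. The node positions, radio range and guard names are constructed assumptions; the model keeps one MalC counter per guard and compares what a BLM guard and a SADEC guard conclude about the same relay.

```python
import math
from collections import defaultdict

# Constructed topology (an assumption, not the paper's figure): coordinates in metres.
POS = {"A": (0, 0), "M": (80, 0), "B": (160, 0), "E": (80, 90), "G1": (40, 60), "G2": (120, -50)}
RADIO_RANGE = 100.0

def R(n):
    """Radio range R(N) as a node set; includes N itself."""
    return {m for m in POS if math.dist(POS[n], POS[m]) <= RADIO_RANGE}

def guards(n1, n2):
    """G(N1, N2) = R(N1) ∩ R(N2) - N2: nodes that hear N1's send to N2 and N2's relay."""
    return (R(n1) & R(n2)) - {n2}

class Guard:
    def __init__(self, name, sadec):
        self.name, self.sadec = name, sadec
        self.malc = defaultdict(int)   # MalC(guard, j) for each watched node j

    def watch_relay(self, prev_hop, relay, expected_next, actual_next):
        """Check how `relay` handled a packet received from `prev_hop`.
        expected_next: next hop named in the route after `relay`, or None when `relay`
        is not on the route (only SADEC guards carry this route knowledge).
        actual_next: node `relay` was heard sending to, or None if it stayed silent.
        Returns the node whose MalC was incremented, or None when the guard is satisfied."""
        if self.name not in guards(prev_hop, relay):
            return None                       # cannot hear both transmissions
        if self.sadec and expected_next is None:
            return None                       # misrouted packet: relay's silence is correct
        if actual_next is None:
            self.malc[relay] += 1             # dropped (both BLM and SADEC see this)
            return relay
        if self.sadec and actual_next != expected_next:
            self.malc[relay] += 1             # misrouting: SADEC guard knows the real next hop
            return relay
        return None                           # BLM guard: forwarded to some neighbour, satisfied

def misrouting_scenario(sadec):
    """Route A -> M -> B. M relays to E instead; E is off-route and drops the packet."""
    accused = defaultdict(set)
    for g in guards("A", "M"):                # guards over the A-M hop expected M -> B
        bad = Guard(g, sadec).watch_relay("A", "M", "B", "E")
        if bad:
            accused[bad].add(g)
    for g in guards("M", "E"):                # guards over the M-E hop see E stay silent
        bad = Guard(g, sadec).watch_relay("M", "E", None, None)
        if bad:
            accused[bad].add(g)
    return {node: sorted(gs) for node, gs in accused.items()}
```

With BLM the guards over M–E frame the innocent E, while SADEC's guards over A–M charge M and nobody accuses E.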

SLIDE 15

Mitigating the Other Three Attacks

- Key observation: the attacker reduces the number of unsatisfied guards below the detection index γ
- Basic idea: expand the guard nodes to all the neighbors of the node being monitored
- Additional tasks of nodes
  - Each node X keeps a count of the number of messages each of its neighbors Y has forwarded (FC(X, Y)) over a predefined time interval
  - Each node has to announce the number of packets it has forwarded over some period of time

SLIDE 16

Mitigating the Other Three Attacks

- Comparator, C(N)
  - A neighbor of a node N that collects the number of packets forwarded by N and compares the result with the count announced by N
  - All nodes in the radio range R(N)
- If a comparator's count is not within the acceptable range of the announced forward count, the comparator's MalC for N increases
- When a node overhears a packet from a non-neighbor node, it requests the three-hop node to announce its count

SLIDE 17

Analysis

- Assumptions
  - Homogeneous network
  - Nodes are uniformly distributed with density d
  - No edge effects
- Attacker model
  - Reduced transmission range of M is y
- Output parameters
  - Probability of detection
  - Probability of isolation
  - Probability of false detection or isolation
  - Probability of framing detection or isolation

SLIDE 18

Analysis of Misrouting

- Misrouting stealthy packet dropping
- Four different possibilities for the guard G
  - G misses both Pin and Pmr → missed detection
  - G misses Pin but gets Pmr → detection as fabrication
  - G gets Pin but misses Pmr → detection as drop
  - G gets both Pin and Pmr → successful misrouting detection for SADEC and missed detection for BLM
- Natural channel error is Pc
- ω packets are relayed by M in Twin
- M misroutes with probability Pmal
- MalC threshold is γ

SLIDE 19

BLM To Misrouting

- Scenario analysis
  - Case 1: missed detection
  - Case 4: normal
  - Cases 2 & 3: detection of malicious nodes and false detection of good nodes
- The probability of cases 2 & 3
- Under a binomial distribution, the probability of detecting a malicious node
  - requires ν > γ; otherwise Pdetect = 0

SLIDE 20

BLM To Misrouting

- A node is isolated when it is detected by at least δ neighbors (when its number of neighbors is ≥ δ); if it has fewer than δ neighbors, it must be detected by all of them
- Framing
  - Framing detection
  - Framing isolation

SLIDE 21

SADEC To Misrouting

- Differences and similarities
  - Case 4: correct detection at a guard with SADEC
  - Cases 2 & 3 are the same
- Probability of cases 2, 3, 4
- Probability of detection
- Probability of isolation

SLIDE 22

SADEC To Misrouting

- The probability of false detection and isolation is the same as for BLM
- The probability of framing detection and isolation is 0

SLIDE 23

Analysis of Misrouting

- With high enough density, both can completely isolate the malicious node, but SADEC does so already at low d

SLIDE 24

Analysis of Misrouting

- As d increases, BLM quickly reaches 1, but SADEC does not

SLIDE 25

BLM To Power Control

- g_h: happy guards, in region (c)
- g_f: fooled guards, in region (d)
- Assume the distances S–M and M–T are the same
- g_h = g_f = Area(c) × d
- The number of nodes that detect the attack is g_d = g − g_h

SLIDE 26

BLM To Power Control

- Pdetect is the same as for misrouting
- Pisolate is the same, but replacing g by g_d
- The probability of false detection and isolation is the same as for misrouting
- The probability of framing detection is the same as for misrouting
- The probability of framing isolation is the same after replacing g with g_f

SLIDE 27

SADEC To Power Control

- Plus comparators Cp; minus comparators Cm
- The malicious node will announce 0 or ν
- Cp could be in one of three states
  - it overhears at least ν + 1 − FC_th packets: it matches the ν count
  - it overhears fewer than FC_th packets: it matches the 0 count
  - it overhears ≥ FC_th and < ν + 1 − FC_th packets: it matches neither

SLIDE 28

SADEC To Power Control

- The actual number of plus comparators: C_pa
- The actual number of minus comparators: C_ma
- A malicious node can launch the power control attack if min(C_pa, C_ma) < δ. The probability of isolation is:
- Smart part!

SLIDE 29

SADEC To Power Control

- Isolation is deterministic: if the number of comparators in the smaller class (C_ma or C_pa) exceeds δ, isolation happens

SLIDE 30

SADEC To Power Control

- False detection
  - Node X is falsely detected by its neighbor Y if FC(X, X) − FC(Y, X) ≥ FC_th, i.e. when Y misses FC_th or more of X's packets
  - Probability of false detection
  - Probability of false isolation
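The comparator mechanism of slide 16 and the plus/minus comparator analysis of slides 27 to 30, as an added Python example that is not code from the paper or the presentation. The overheard counts, the FC_th value and the neighbor names are constructed assumptions; δ = 3 is the testbed value quoted later in the deck. The example goes one step beyond the slides by also running the honest-node case, to show how the same FC_th rule produces the false detections of slide 30.

```python
FC_TH = 2   # FC_th: tolerated gap between a comparator's count and the announced count (assumed value)
DELTA = 3   # δ: number of detecting neighbours needed for isolation (the value used in the testbed)

def unsatisfied_comparators(overheard, announced, fc_th=FC_TH):
    """Comparators Y whose own count FC(Y, N) is not within fc_th of N's announced count.
    Each such comparator increments its MalC for N (slide 16)."""
    return sorted(y for y, c in overheard.items() if abs(c - announced) >= fc_th)

def comparator_classes(overheard, nu, fc_th=FC_TH):
    """Slide-27 states, given that N really relayed nu packets: 'plus' comparators would
    accept an announcement of nu, 'minus' ones would accept 0, 'none' accept neither."""
    cls = {}
    for y, c in overheard.items():
        if c >= nu + 1 - fc_th:
            cls[y] = "plus"
        elif c < fc_th:
            cls[y] = "minus"
        else:
            cls[y] = "none"
    return cls

def power_control_outcome(overheard, nu, delta=DELTA, fc_th=FC_TH):
    """A power-controlling node really relayed nu packets (heard only by nearby comparators)
    and announces 0 or nu, whichever leaves fewer unsatisfied comparators.
    Returns (chosen announcement, number of unsatisfied comparators, isolated?)."""
    counts = {a: len(unsatisfied_comparators(overheard, a, fc_th)) for a in (0, nu)}
    best = min(counts, key=counts.get)
    return best, counts[best], counts[best] >= delta     # isolation needs >= delta detectors

def false_detection(overheard, nu, delta=DELTA, fc_th=FC_TH):
    """Honest node announces its true count nu; neighbours that missed fc_th or more of its
    packets to channel error falsely detect it (slide 30). Returns (detectors, isolated?)."""
    bad = unsatisfied_comparators(overheard, nu, fc_th)
    return bad, len(bad) >= delta

# Constructed counts FC(Y, M) overheard by each neighbour Y in one T_win; M really relayed 10.
DENSE = {"S": 10, "G1": 9, "G2": 10, "T": 0, "G3": 1, "G4": 5}   # six comparators around M
SPARSE = {"S": 10, "G1": 10, "G2": 9, "T": 0, "G3": 1}            # five comparators around M
HONEST = {"Y1": 10, "Y2": 8, "Y3": 9, "Y4": 10}                   # Y2 missed two packets
```

In the dense case the smaller comparator class still reaches δ, so M is isolated whatever it announces; in the sparse case it stays below δ and the attack goes unpunished, which is the density dependence the analysis slides describe.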

SLIDE 31

SADEC To Power Control

- The probability of framing detection and isolation is 0
- The figure shows false isolation

SLIDE 32

Overhead Analysis

- The energy spent by the CPU running
- The energy spent in sending/receiving packets
- The energy spent in idle listening
- The additions of SADEC
  - State maintenance: next-hop information, forward counters
  - Broadcast of the forward counters
  - Two node identifiers in each REQ and REP
- Testbed
  - δ = 3
  - Twin = 0.2 s

SLIDE 33

Overhead Analysis

- Average total computational energy consumed per node

SLIDE 34

Overhead Analysis

- Average total overhead energy per node due to monitoring, for both BLM and SADEC, over an experiment time of one hour

SLIDE 35

Simulation Results

- ns-2 simulation environment
- Nodes over a square field (1500 m × 1500 m)
- NM: number of malicious nodes
- N: total number of nodes

SLIDE 36

Misrouting Attack

- Effect of the number of malicious nodes on delivery ratio
  - The packets dropped before isolation
  - BLM decreases faster: a) it fails to detect malicious nodes, b) good nodes get framed

SLIDE 37

Misrouting Attack

- Effect of the number of malicious nodes on isolation probability and false isolation probability

SLIDE 38

Misrouting Attack

- Effect of the number of malicious nodes on end-to-end delay and framing ratio

SLIDE 39

Power Control Attack

- Effect of the number of malicious nodes on delivery ratio and isolation probability

SLIDE 40

Power Control Attack

- Effect of the number of malicious nodes on framing ratio and average isolation time

SLIDE 41

Effect of δ

SLIDE 42

Conclusion

- Stealthy packet dropping
  - Misrouting, power control, identity delegation, colluding collision
- The SADEC protocol remedies each attack type with minimal addition to the resource consumption and node responsibility over BLM
- SADEC effectively improves performance in terms of an increase in the probability of isolation of malicious nodes and a decrease in the probability of isolation of legitimate nodes

SLIDE 43

Thank you. Q&A