Collaborative Attacks in Wireless Ad Hoc Networks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Collaborative Attacks in Wireless Ad Hoc Networks
  • Prof. Bharat Bhargava
  • Department of Computer Sciences
  • Center for Education and Research in Information
    Assurance and Security (CERIAS)
  • Purdue University
  • www.cs.purdue.edu/people/bb
  • Supported in part by NSF grants IIS 0209059 and
    0242840

2
Outline
  • Characterizing collaborative/coordinated attacks
  • Types of collaborative attacks
  • Open issues
  • Proposed solutions
  • Conclusions and outlook

3
Collaborative Attacks
  • Informal definition
  • Collaborative attacks (CA) occur when more than
    one attacker, or more than one running process,
    synchronize their actions to disturb a target
    network

4
Collaborative Attacks (contd)
  • Forms of collaborative attacks
  • Multiple attacks: a system is disturbed by more
    than one attacker at the same time
  • Attacks in quick sequence: CA perpetrated by
    launching sequential disruptions at short
    intervals
  • Attacks may concentrate on one group of nodes or
    spread across different groups of nodes just to
    confuse the detection/prevention system in place
  • Attacks may be long-lived or short-lived
  • Attacks on routing

5
Collaborative Attacks (contd)
  • Open issues
  • Comprehensive understanding of the coordination
    among attacks and/or the collaboration among
    various attackers
  • Characterization and Modeling of CAs
  • Intrusion Detection Systems (IDS) capable of
    correlating CAs
  • Coordinated prevention/defense mechanisms

6
Collaborative Attacks (contd)
  • From a low-level technical point of view, attacks
    can be categorized into
  • Attacks that may overshadow (cover) each other
  • Attacks that may diminish the effects of others
  • Attacks that interfere with each other
  • Attacks that may expose other attacks
  • Attacks that may be launched in sequence
  • Attacks that may target different areas of the
    network
  • Attacks that are just below the threshold of
    detection but persist in large numbers

7
Examples of Attacks that can Collaborate
  • Denial-of-Messages (DoM) attacks
  • Blackhole attacks
  • Wormhole attacks
  • Replication attacks
  • Sybil attacks
  • Rushing attacks
  • Malicious flooding

  • We are investigating the interactions among these
    forms of attacks
  • Example of probably incompatible attacks: wormhole
    attacks need fast connections, but DoM attacks
    reduce bandwidth!
8
Examples of Attacks that can Collaborate (contd)
  • Denial-of-Messages (DoM) attacks
  • Malicious nodes prevent honest ones from receiving
    broadcast messages by interfering with their radio
  • Blackhole attacks
  • A node broadcasts a false claim that it has the
    shortest and most current path to the
    destination, so that messages are routed through
    it and can be intercepted
  • Wormhole attacks
  • An attacker records packets (or bits) at one
    location in the network, tunnels them to another
    location, and retransmits them into the network
    at that location

9
Examples of Attacks that can Collaborate (contd)
  • Replication attacks
  • Adversaries insert additional replicated hostile
    nodes into the network after obtaining secret
    information from captured nodes or by
    infiltration. The Sybil attack is one form of
    replication attack
  • Sybil attacks
  • A malicious user obtains multiple fake identities
    and pretends to be multiple, distinct nodes in
    the system. This way the malicious node can
    control the decisions of the system, especially
    if the decision process involves voting or any
    other type of collaboration

10
Examples of Attacks that can Collaborate (contd)
  • Rushing attacks
  • An attacker disseminates malicious control
    messages fast enough to block legitimate messages
    that arrive later (exploiting the fact that, to
    prevent loops, a node processes only the first
    copy of a request it receives)
  • Malicious flooding
  • A bad node floods the network or a specific
    target node with data or control messages

11
Current Proposed Solutions
  • Blackhole attack detection
  • Reverse Labeling Restriction (RLR)
  • Wormhole attack defense mechanism
  • E2E detector and Cell-based Open Tunnel Avoidance
    (COTA)
  • Sybil attack detection
  • Light-weight method based on a hierarchical
    architecture [Yi06]
  • Modeling collaborative attacks using a causal
    model

12
Blackhole attack detection: Reverse Labeling
Restriction (RLR)
  • Every host maintains a blacklist recording
    suspicious hosts that gave wrong route-related
    information
  • Blacklists are updated after an attack is
    detected
  • When the destination host finds that its
    destination sequence number is under attack, it
    broadcasts an INVALID packet carrying its
    signature. The packet carries the host's
    identification, the current sequence number, the
    (false) new sequence number, and its own
    blacklist
  • Every host receiving this packet examines its
    route entry to the destination host. The previous
    hop that provided the false route is added to
    this host's blacklist

13
RLR (contd)
Detecting a false destination sequence number
attack at the destination host during route
rediscovery
  • Node movement breaks the path from S to M,
    which triggers route rediscovery: S needs to
    find D again
  • (1) S broadcasts a RREQ(D, 21) that carries the
    old (false) destination sequence number 21
  • (2) D receives the RREQ. Its local sequence
    number is 5, but the sequence number in the RREQ
    is 21, so D detects the false destination
    sequence number attack
[Figure: propagation of RREQ(D, 21) from S via S1, S2, S3, S4 and M to D]
14
RLR (contd)
  • The correct destination sequence number is
    broadcast in INVALID(D, 5, 21, BL, Signature).
    The blacklist (BL) at each host on the path is
    determined
[Figure: D broadcasts INVALID(D, 5, 21, BL, Signature); the hosts S, S1, S2, S3 and S4 on the false route through M update their blacklists (BL)]
15
RLR (contd)
  • The malicious site ends up in the blacklists of
    multiple destination hosts
[Figure: M sits on the four routes S1-D1, S2-D2, S3-D3 and S4-D4]
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and
S4-D4). When the first two false routes are
detected, D3 and D4 add M to their blacklists.
When later D3 and D4 become victim destinations,
they broadcast their blacklists, and every host
gets two votes that M is a malicious host
16
RLR (contd)
  • Acceleration in intruder identification
  • Multiple attackers trigger more blacklists to be
    broadcast by D1, D2, D3
[Figure: coordinated attacks by M1, M2, and M3 on the routes between S1, S2, S3 and D1, D2, D3]
17
RLR (contd)
  • Update blacklists from packets broadcast by
    destinations under attack
  • The next hop on the false route is put into the
    local blacklist, and a counter is increased. The
    time the host stays in the blacklist grows
    exponentially with the counter value
  • When the timer expires, the suspicious host is
    released from the blacklist and routing
    information from it is accepted again

18
RLR: Dealing With Hosts in the Blacklist
  • Packets from hosts in the blacklist
  • Route request: if the request is from a
    suspicious host, ignore it
  • Route reply: if the previous hop is suspicious
    and the queried destination is not the previous
    hop, the reply is ignored
  • Route error: processed as usual. A RERR activates
    route rediscovery, which helps to detect attacks
    on the destination sequence number
  • Broadcast of an INVALID packet: if the sender is
    suspicious, the packet is processed but its
    blacklist is ignored

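The RLR rules of slides 12, 17 and 18 played through end to end, as an added worked example in Python (not code from the presentation): a destination detects a cached sequence number above its own, broadcasts a signed INVALID, every host blacklists the next hop that supplied the false route with an exponentially growing timeout, suspects' requests and replies are ignored, and the blacklists carried by INVALID packets are tallied as votes. The run also exercises attacks 1 and 2 of slides 19 and 20. The HMAC standing in for the signature, the per-node keys, the base duration, the vote threshold of 2 and the host names are assumptions; the false routes are constructed.

```python
"""Toy simulation of Reverse Labeling Restriction (RLR) blacklist handling.
Added example, not code from the presentation.  Assumed (not on the slides):
INVALID packets carry an HMAC under a per-node key every host holds (standing
in for the signature); the base blacklist duration is 1 time unit; a host is
considered identified once VOTE_THRESHOLD signed INVALID packets named it."""
import hashlib
import hmac
from dataclasses import dataclass, field

BASE_DURATION = 1.0   # assumed blacklist time for a first offence
VOTE_THRESHOLD = 2    # assumed number of reports needed to convict a host
# constructed per-node keys; a real deployment would use signatures
KEYS = {n: hashlib.sha256(n.encode()).digest() for n in "S1 S2 S3 S4 D1 D2 M".split()}

def sign(sender, body):
    return hmac.new(KEYS[sender], body.encode(), hashlib.sha256).hexdigest()

@dataclass
class Invalid:            # INVALID(D, current_seq, false_seq, blacklist, sig), slide 14
    dest: str
    current_seq: int
    false_seq: int
    blacklist: tuple
    sig: str = ""

    def body(self):
        return f"{self.dest}|{self.current_seq}|{self.false_seq}|{','.join(self.blacklist)}"

@dataclass
class Host:
    name: str
    seq: int = 5                                   # own destination sequence number
    routes: dict = field(default_factory=dict)     # dest -> (next_hop, dest_seq)
    blacklist: dict = field(default_factory=dict)  # host -> (counter, expiry time)
    votes: dict = field(default_factory=dict)      # host -> INVALID packets naming it

    def suspicious(self, host, now):
        entry = self.blacklist.get(host)
        return entry is not None and entry[1] > now

    def add_to_blacklist(self, host, now):
        counter = self.blacklist.get(host, (0, 0.0))[0] + 1
        # slide 17: the stay in the blacklist grows exponentially with the counter
        self.blacklist[host] = (counter, now + BASE_DURATION * 2 ** counter)

    def on_rrep(self, prev_hop, dest, dest_seq, now):
        # slide 18: a reply relayed by a suspect is ignored unless it concerns itself
        if self.suspicious(prev_hop, now) and dest != prev_hop:
            return False
        self.routes[dest] = (prev_hop, dest_seq)
        return True

    def on_rreq(self, origin, dest, cached_seq, now):
        # slide 13: a cached number above the local one is an attack (suspects ignored)
        if self.suspicious(origin, now) or dest != self.name or cached_seq <= self.seq:
            return None
        bl = tuple(h for h in self.blacklist if self.suspicious(h, now))
        pkt = Invalid(self.name, self.seq, cached_seq, bl)
        pkt.sig = sign(self.name, pkt.body())
        return pkt

    def on_invalid(self, pkt, now):
        # slide 12: blacklist the next hop that supplied the false route; tally the vote
        if not hmac.compare_digest(sign(pkt.dest, pkt.body()), pkt.sig):
            return None                            # forged INVALID: dropped
        culprit, route = None, self.routes.get(pkt.dest)
        if route and route[1] == pkt.false_seq:
            culprit = route[0]
            self.add_to_blacklist(culprit, now)
            del self.routes[pkt.dest]
        if not self.suspicious(pkt.dest, now):     # a suspect's blacklist is ignored
            for h in pkt.blacklist:
                self.votes[h] = self.votes.get(h, 0) + 1
        return culprit

def scenario(now=0.0):
    """M plants false routes (sequence 21, real value 5); three rediscoveries expose
    it, while its framing of S1 (slide 20) and a forged INVALID (slide 19) fail."""
    hosts = {n: Host(n) for n in KEYS}
    for src, dst in [("S1", "D1"), ("S2", "D2"), ("D2", "D1"), ("D1", "D2")]:
        hosts[src].on_rrep("M", dst, 21, now)

    def broadcast(pkt):
        return {h.name: h.on_invalid(pkt, now) for h in hosts.values()}

    step1 = broadcast(hosts["D1"].on_rreq("S1", "D1", 21, now))  # S1 rediscovers D1
    broadcast(hosts["D2"].on_rreq("S2", "D2", 21, now))           # D2 already blacklisted M
    hosts["S3"].on_rrep("M", "D1", 21, now)                       # M tries once more
    broadcast(hosts["D1"].on_rreq("S3", "D1", 21, now))           # D1 now names M too
    frame = Invalid("M", 5, 21, ("S1",))                          # attack 2: framing S1
    frame.sig = sign("M", frame.body())
    broadcast(frame)
    forged = broadcast(Invalid("D1", 5, 21, ("S2",), sig="00" * 32))  # bad signature
    s4 = hosts["S4"]
    return {
        "step1_blacklisted_M": sorted(h for h, c in step1.items() if c == "M"),
        "S1_entry_for_M": hosts["S1"].blacklist["M"],
        "S1_accepts_M_reply": hosts["S1"].on_rrep("M", "D2", 30, now),
        "votes_at_S4": dict(s4.votes),
        "convicted_at_S4": {h for h, n in s4.votes.items() if n >= VOTE_THRESHOLD},
        "forged_dropped": all(c is None for c in forged.values()),
    }
```

In the run, S1 and D2 blacklist M after the first INVALID, the second and third INVALID packets each carry M in their blacklist and give every host two votes against M, and M's own INVALID framing S1 adds only a single vote at hosts that do not yet suspect M (S4 here) while the hosts that already blacklisted M ignore it, which is the threshold argument of slide 20.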
19
Attacks of Malicious Hosts on RLR
  • Attack 1: malicious host M sends a false INVALID
    packet
  • Because INVALID packets are signed, M cannot send
    them in another host's name
  • M sends an INVALID in its own name
  • If the reported sequence number is greater than
    the real sequence number, every host ignores this
    attack
  • If the reported sequence number is less than the
    real sequence number, RLR converges on the
    malicious host: M is included in the blacklists
    of more hosts. M has only accelerated the
    identification of the intruder, directing it
    towards itself

20
Attacks on RLR (contd)
  • Attack 2: malicious host M frames innocent hosts
    by sending a false blacklist
  • If the malicious host has already been
    identified, its blacklist is ignored when
    blacklists are updated
  • If the malicious host has not been identified,
    its false blacklist only brings the framed hosts
    one vote closer to the threshold. If the
    threshold is selected properly, it does not
    affect the identification results
  • Combining trust can further limit the impact of
    this attack

21
Attacks on RLR (contd)
  • Attack 3: malicious host M sends false
    destination sequence numbers only about some
    particular host
  • That host will detect the attack and send INVALID
    packets
  • Other hosts can establish new routes to the
    destination after receiving the INVALID packets

22
Two Attacks in Collaboration: blackhole +
replication
  • The RLR scheme cannot detect the two attacks
    working simultaneously
  • The malicious node M relies on the replicated
    neighboring nodes to avoid the blacklist
[Figure: M surrounded by replicated nodes on the routes S1-D1, S2-D2, S3-D3 and S4-D4; legend: replicated nodes, regular nodes]
23
Wormhole attack defense
  • A pair of attackers can form a tunnel,
    fabricating the false impression that a short
    path between sender and receiver exists, so that
    packets go through the wormhole path and are
    either compromised or dropped
  • In many routing protocols, mobile nodes depend on
    the neighbor discovery procedure to construct the
    local network topology
  • Wormhole attacks can harm such routing protocols
    by inducing a node to believe that a node further
    away is its neighbor

24
Wormhole attacks: proposed defense mechanism
  • This is a preliminary mechanism to classify
    wormhole attacks in their various forms
  • It takes a more generic approach than previous
    work in that it is end-to-end and does not rely
    on trust among neighbors
  • It assumes trust between sender and receiver only
    in order to detect wormhole attacks on a
    multi-hop route
  • Geographic information is used to detect
    anomalies in neighbor relations and node
    movements

25
Wormhole attacks: proposed defense mechanism
(contd)
  • The e2e mechanism can detect
  • Closed wormholes
  • Half-open wormholes
  • Open wormholes

26
Wormhole attacks: proposed defense mechanism
(contd)
  • The approach requires considerable computation
    and storage, since periodic wormhole detection
    packets are transmitted and the responses are
    used to compute node positions, velocities, etc.
  • Because of that, an additional scheme called COTA
    is proposed to manage the detection information.
    It records and compares only a part of the
    <time, position> pairs
  • Using a suitable relaxation, COTA has the same
    detection capability as the end-to-end mechanism

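The kind of geographic consistency check the end-to-end detector of slides 24 to 26 rests on, as an added example in Python (not the presentation's code): given the <time, position> pairs that detection packets bring back to the sender, two consecutive hops further apart than the radio range cannot be neighbours (a closed wormhole shows as an impossible link between two honest hops, an open one as a link between the two attacker nodes), and a node whose reported positions imply an impossible speed has been relayed through a tunnel. The concrete checks, the radio range, the speed bound and the cell-based sample reduction offered as a COTA-style relaxation are assumptions; the routes and the track are constructed.

```python
"""Geographic anomaly checks behind an end-to-end wormhole detector.
Added example, not the presentation's code.  The radio range, speed bound,
the two checks and the cell-based reduction are assumptions."""
import math

RADIO_RANGE = 250.0   # assumed one-hop reach (m)
MAX_SPEED = 30.0      # assumed upper bound on node speed (m/s)


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def neighbor_anomalies(hops):
    """hops: [(node, (x, y))] along a route, from the detection-packet replies.
    Consecutive hops more than RADIO_RANGE apart cannot be real neighbours."""
    return [(a, b, round(dist(pa, pb)))
            for (a, pa), (b, pb) in zip(hops, hops[1:])
            if dist(pa, pb) > RADIO_RANGE]


def movement_anomalies(samples):
    """samples: [(t, (x, y))] for one node in time order.  A jump that would
    need more than MAX_SPEED is reported as (t0, t1, speed)."""
    found = []
    for (t0, p0), (t1, p1) in zip(samples, samples[1:]):
        if t1 > t0 and dist(p0, p1) / (t1 - t0) > MAX_SPEED:
            found.append((t0, t1, round(dist(p0, p1) / (t1 - t0))))
    return found


def cota_reduce(samples, cell=RADIO_RANGE):
    """Assumed COTA-style reduction: keep a <time, position> pair only when the
    node has entered a new cell of side `cell`, so storage grows with distance
    covered rather than with the number of detection packets."""
    kept, last_cell = [], None
    for t, p in samples:
        c = (math.floor(p[0] / cell), math.floor(p[1] / cell))
        if c != last_cell:
            kept.append((t, p))
            last_cell = c
    return kept


# constructed detection-packet replies (node, position) for three routes S -> D
NORMAL = [("S", (0, 0)), ("A", (200, 0)), ("B", (400, 0)), ("C", (600, 0)), ("D", (800, 0))]
CLOSED = [("S", (0, 0)), ("A", (200, 0)), ("B", (1400, 0)), ("D", (1600, 0))]  # tunnel hidden between A and B
OPEN = [("S", (0, 0)), ("X", (220, 0)), ("Y", (1380, 0)), ("D", (1600, 0))]    # attackers X and Y appear as hops
# constructed <time, position> pairs reported for node A over 30 s
A_TRACK = [(0, (200, 0)), (10, (230, 10)), (20, (1400, 0)), (30, (1410, 5))]


def run():
    """All checks over the constructed data; the reduced track still reveals the jump."""
    return {
        "normal": neighbor_anomalies(NORMAL),
        "closed": neighbor_anomalies(CLOSED),
        "open": neighbor_anomalies(OPEN),
        "movement": movement_anomalies(A_TRACK),
        "reduced": cota_reduce(A_TRACK),
        "movement_after_reduce": movement_anomalies(cota_reduce(A_TRACK)),
    }
```

The reduced track keeps two of the four samples and still flags the 1200 m jump, which is the point of recording only part of the pairs: the anomaly that matters spans cells, so dropping intra-cell samples loses nothing for detection. A half-open wormhole, where only one attacker is visible as a hop, is caught by the same neighbour check on the visible attacker's link.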
27
Wormhole attacks: proposed defense mechanism
(contd)
  • Simulation evaluations: false positives with no
    attack

28
Wormhole attacks: proposed defense mechanism
(contd)
  • Simulation evaluations: false positives with
    attack

29
Sybil Attack Detection
  • A hierarchical architecture for Sybil attack
    detection
  • The Sybil attack is a harmful threat to sensor
    networks
  • A Sybil attack can disrupt multi-path routing
    protocols by using a single node to present
    multiple identities, one for each of the multiple
    paths
  • Existing approaches do not take energy
    consumption into account

30
Sybil Attack Detection: Proposed Method
  • Use identity certificates to defend against Sybil
    attacks
  • Each node is assigned some unique information by
    the setup server
  • The server then creates an identity certificate
    for each level-0 node, binding this node's
    identity to the assigned unique information
  • The group leader creates an identity certificate
    for each of its group members (level-1 nodes)
  • To securely demonstrate its identity, a node
    first presents its identity certificate, then
    proves that it possesses the associated unique
    information

31
Sybil Attack Detection: System Assumptions
  • Two types of nodes: level-0 and level-1 nodes
  • The distribution of level-0 nodes is roughly
    uniform
  • All nodes are preloaded with a global initial key
    K_I
  • Each node has a unique ID

32
Identity Certificate Generation for Level-0 Nodes
  • Each level-0 node g uses its key seed K_{g,l} to
    generate N-1 key seeds, e.g. the key seed of node
    g for node f, K^f_{g,l}
  • Node g generates a one-way key chain from each
    seed
  • The setup server first creates the low-level
    Merkle hash tree using the key chain commitments
  • The setup server then creates a high-level Merkle
    hash tree for the level-0 nodes
33
Identity Certificate Generation for Level-0 Nodes
(contd)
  • The setup server then downloads the identity
    certificate IDCert_g and the label C of the
    high-level Merkle tree's root to each level-0
    node g
  • IDCert_g = <v_g, AuthPath_g>
  • Level-0 node g can create a low-level certificate
    for level-0 node f using the low-level Merkle
    hash tree
  • < , AuthPath_{g,f}>

34
An Example of Two Levels of Merkle Hash Trees
IDCert_4 = <v_4, AuthPath_4>, with AuthPath_4 = {v_3, u_3, u_2}
35
Identity Certificate Generation for Level-1 Nodes
  • After deployment, level-0 node g, as the group
    leader, starts the self-organization process
  • After the localized self-organization process,
    the group leader g stores each group member's
    identity i and key seed commitment K_{i,0}

36
Identity Verification
  • After deployment, level-0 node g can prove its
    identity to another level-0 node f on demand
  • node g -> node f: <g, IDCert_g>
  • Indirect identity verification between group
    members of different groups
  • Let node i and node k be neighboring nodes that
    belong to two different groups
  • Node i proves its identity to its group leader g
  • Node k proves its identity to its group leader f
  • Group leaders g and f pass the verification
    results to each other

37
Secure Communication
Intra-group exchanges
  • i and j: nodes in the same group
  • In round 0, the two nodes i and j exchange their
    identities and identity certificates together
    with the hashes of their first messages
  • Then they continue exchanging messages
    authenticated with successive keys of their key
    chains

38
Secure Communication (contd)
Inter-group exchanges
  • g and f: group leaders
  • In round 0, the two nodes i and k prove their
    identities to each other and exchange the hashes
    of their first messages through their group
    leaders
  • Then they continue exchanging messages
    authenticated with successive keys of their key
    chains
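The identity scheme of slides 30 to 38 carried through in one piece, as an added worked example in Python (not the presentation's code): one-way key chains and their commitments, the low-level Merkle tree a node builds over its per-peer commitments, the high-level tree the setup server builds over the v_g with root label C, verification of IDCert_g = <v_g, AuthPath_g>, the low-level certificate a node issues toward a peer, and the successive-key check a peer performs in the later communication rounds. SHA-256 as the one-way function, the chain length, the number of nodes, the key seeds, the binding of identity g to leaf position g-1 of the high-level tree, and the blank first element of the low-level certificate being the chain commitment K^f_{g,0} are assumptions.

```python
"""Two-level Merkle hash tree identity certificates and one-way key chains.
Added example, not the presentation's code.  Assumptions: SHA-256 as the
one-way function, CHAIN_LEN keys per chain, N level-0 nodes, v_g = root of
node g's low-level tree, identity g bound to leaf position g-1 of the
high-level tree, and the low-level certificate's first element being the
chain commitment K^f_{g,0}."""
import hashlib

N = 8           # assumed number of level-0 nodes
CHAIN_LEN = 4   # assumed number of keys per one-way chain


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def key_chain(seed: bytes, n: int = CHAIN_LEN):
    """[K_0, ..., K_n] with K_{j-1} = H(K_j); K_0 is the commitment, K_n the seed."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]


def merkle_tree(leaves):
    """Levels bottom-up; the leaf list is padded to a power of two by repetition."""
    level = list(leaves)
    while len(level) & (len(level) - 1):
        level.append(level[-1])
    levels = [level]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels, index):
    """Sibling labels from the leaf at `index` up to (excluding) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path


def verify(leaf, path, index, root):
    """Recompute the root; the leaf index fixes on which side each sibling sits."""
    node = leaf
    for sibling in path:
        node = H(sibling + node) if index & 1 else H(node + sibling)
        index >>= 1
    return node == root


def node_seed(g, f=None):
    """Constructed seeds: K_{g,l} for node g, K^f_{g,l} for its chain toward peer f."""
    tag = f"node{g}" if f is None else f"node{g}-peer{f}"
    return H(tag.encode())


def low_level_tree(g):
    """Node g keeps one key chain per peer f; the leaves are the chain commitments."""
    peers = [f for f in range(1, N + 1) if f != g]
    return peers, merkle_tree([key_chain(node_seed(g, f))[0] for f in peers])


def setup_server():
    """v_g = root of g's low-level tree; the high-level tree over v_1..v_N has
    root label C.  Each node g is handed IDCert_g = <v_g, AuthPath_g> and C."""
    v = {g: low_level_tree(g)[1][-1][0] for g in range(1, N + 1)}
    levels = merkle_tree([v[g] for g in range(1, N + 1)])
    C = levels[-1][0]
    return C, {g: (v[g], auth_path(levels, g - 1)) for g in range(1, N + 1)}


def verify_identity(C, claimed_id, idcert):
    """Node f checks <g, IDCert_g> against the root label C it was preloaded with."""
    v_g, path = idcert
    return verify(v_g, path, claimed_id - 1, C)


def demo(g=4, f=7):
    C, idcerts = setup_server()
    honest = verify_identity(C, g, idcerts[g])
    sybil = verify_identity(C, 6, idcerts[g])       # node g presenting itself as node 6
    # low-level certificate from g for f: <K^f_{g,0}, AuthPath_{g,f}> checked against v_g
    peers, levels = low_level_tree(g)
    chain = key_chain(node_seed(g, f))
    i = peers.index(f)
    low_ok = verify(chain[0], auth_path(levels, i), i, idcerts[g][0])
    # later rounds disclose K_1, K_2, ...; f accepts K_j only if H(K_j) == K_{j-1}
    successive_ok = all(H(chain[j]) == chain[j - 1] for j in range(1, CHAIN_LEN + 1))
    skipped_key_ok = H(chain[2]) == chain[0]          # K_2 cannot pass as K_1
    return honest, sybil, low_ok, successive_ok, skipped_key_ok
```

A node that reuses another node's certificate under a different identity (the Sybil case) fails because the sibling ordering implied by the leaf position no longer reproduces C, and a disclosed key is accepted only in chain order, which is what ties the unique information to the certificate. Level-1 certificates issued by a group leader (slide 40) use the same functions with the leader in the role of the setup server.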

39
Performance Evaluation
40
Identity Certificate Generation for Level-1 Nodes
(contd)
  • The group leader g first creates a low-level
    Merkle hash tree using the key chain commitments
  • The group leader g then creates a high-level
    Merkle hash tree for its group members
  • The group leader g then downloads the identity
    certificate IDCert_i to each group member i
  • The group leader g downloads the low-level Merkle
    hash tree to each group member i
  • Then the group member i can create a low-level
    certificate for another group member j using the
    low-level Merkle hash tree

41
Modeling Collaborative Attacks
  • Attack graph
  • A general modeling technique used to assess the
    security vulnerabilities of a system and all
    possible sequences of exploits an intruder can
    take to achieve a specific goal
  • We are currently working on a model for
    collaborative attack graphs that identifies not
    only sequences of exploits but also concurrent
    and collaborative exploits. This leads to our
    causal model

42
Causal model
  • Purposes
  • Identify all attack events that occur during the
    launch of individual and collaborative attacks
  • Establish a partial order (or causal
    relationship) among all attack events and produce
    a causal attack graph
  • Verify the security properties of the causal
    attack graph using model checking techniques.
  • Specifically, verify a sequence of events that
    lets the security checker proceed from the
    initial state to the goal state

43
Causal model (contd)
  • Identify the set of events that are critical to
    perform the attacks.
  • Specifically, investigate how to find a minimum
    set of events that, once removed, would disable
    the attacks
  • Determine whether the occurrences of some
    event/state transitions are based on message
    transmission or collaboration
  • Based on this, one can infer the degree of
    collaboration and temporal ordering in the system

44
Causal model (contd)
  • A collaborative attack X can be modeled as a set
    of attacks X_n such that X_n is the local attack
    launched by attacker n
  • Each local attack X_n is modeled by an FSM (finite
    state machine) and has independent state and
    event specifications, such as preconditions,
    postconditions, and state transition rules
  • In simple distributed attacks such as Distributed
    Denial-of-Service attacks, the FSMs of the local
    attacks can all be the same. In sophisticated
    collaborative attacks, however, the FSMs of the
    local attacks are not necessarily homogeneous
  • Each local attack X_n can be formally defined as
  • <S_n, E_n, M_n, L_n>
  • S_n denotes the set of states of the local
    attack, E_n the set of events of the local
    attack, M_n the set of communication messages,
    and L_n the set of local operations on M_n.

45
Causal model (contd)
  • In collaborative attacks, attack events occur in
    certain sequences. Some sequences of attack
    events may cause more damage to the system than
    others
  • There are certain relationships among the events,
    and we model these relationships by causal rules
  • Definition of causal rules
  • A causal rule U consists of
  • <P, Q, A>
  • P and Q are events
  • A is one of the causal relationships (->, ?, -?>)

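The causal model of slides 42 to 45 on a small constructed case, as an added example in Python (not the presentation's model code): events of two local attacks, a replication attacker A and a blackhole node M, with precondition sets from which the causal rules <P, Q, A> are derived; a checker-style search that produces an event sequence from the initial state to the goal state; an exhaustive search for the minimum sets of events whose removal disables the attack (slide 43); and the share of rules that cross attackers, read as the degree of collaboration. The event names, the AND-within/OR-across semantics of the precondition sets, and the two relationship types 'local' and 'msg' are assumptions.

```python
"""Causal attack graph for a collaborative attack.
Added example, not the presentation's model code.  Assumptions: every event
belongs to one local attack X_n (tagged with its attacker); a causal rule
<P, Q, A> is kept as an edge P -> Q whose type A is 'local' (same attacker,
happens-before) or 'msg' (P and Q belong to different attackers, so the
transition needs a message); an event is enabled once every event in one of
its precondition sets has occurred.  The event set is a constructed
blackhole (attacker M) plus replication (attacker A) scenario."""
from itertools import combinations

ATTACKER = {                      # event -> attacker launching it
    "capture": "A", "replica1": "A", "replica2": "A",
    "rreq_seen": "M", "rrep_via_r1": "M", "rrep_via_r2": "M",
    "route_hijacked": "M",
}
PRE = {                           # event -> alternative precondition sets
    "capture": [set()],
    "replica1": [{"capture"}],
    "replica2": [{"capture"}],
    "rreq_seen": [set()],
    "rrep_via_r1": [{"rreq_seen", "replica1"}],
    "rrep_via_r2": [{"rreq_seen", "replica2"}],
    "route_hijacked": [{"rrep_via_r1"}, {"rrep_via_r2"}],
}
GOAL = "route_hijacked"


def causal_rules():
    """The rules <P, Q, A> implied by the preconditions."""
    rules = set()
    for q, alts in PRE.items():
        for alt in alts:
            for p in alt:
                rules.add((p, q, "local" if ATTACKER[p] == ATTACKER[q] else "msg"))
    return sorted(rules)


def witness(removed=frozenset()):
    """Fire enabled events until the goal occurs (a checker's path from the
    initial state to the goal); None when the goal is unreachable."""
    happened, order = set(), []
    progress = True
    while progress and GOAL not in happened:
        progress = False
        for e in PRE:
            if e in happened or e in removed:
                continue
            if any(alt <= happened for alt in PRE[e]):
                happened.add(e)
                order.append(e)
                progress = True
    return order if GOAL in happened else None


def minimum_disabling_sets():
    """Smallest sets of events whose removal leaves the goal unreachable
    (the critical events of slide 43), found by exhaustive search."""
    candidates = [e for e in PRE if e != GOAL]
    for k in range(1, len(candidates) + 1):
        found = [set(c) for c in combinations(candidates, k)
                 if witness(frozenset(c)) is None]
        if found:
            return found
    return []


def degree_of_collaboration(rules):
    """Share of causal rules that cross attackers, i.e. need a message."""
    return sum(1 for _, _, a in rules if a == "msg") / len(rules)
```

Removing one replica is not enough, because the goal has two alternative precondition sets; the minimum disabling sets are the node capture on A's side and the route request on M's side, and the two 'msg' rules (replica -> false reply) are exactly the transitions that need collaboration between the attackers.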
46
Conclusions
  • Exciting area of research
  • Modeling attacks in collaboration is a very
    topical issue
  • The tradeoff between accuracy and computational
    cost is critical

47
Future work
  • A lightweight learning tool is to be applied to
    enhance our current approaches
  • The remaining types of attacks will be addressed
  • Models for detecting attacks in collaboration are
    underway, and the causal model will be evaluated
    in depth
  • General guidelines will be defined to protect ad
    hoc networks from potential attacks
  • More simulations and real-life experiments

48
References (1)
  • [BC03] P. Brutch and C. Ko, "Challenges in
    Intrusion Detection for Ad Hoc Networks," Proc.
    IEEE Workshop on Security and Assurance in Ad Hoc
    Networks, Jan. 2003.
  • [BH83] B. Bhargava and C. Hua, "A Causal Model
    for Analyzing Distributed Concurrency Control
    Algorithms," IEEE Transactions on Software
    Engineering, 1983.
  • [CT04] B. Culpepper and H. Tseng, "Sinkhole
    Intrusion Indicators in DSR MANETs," Proc.
    Broadnet, 2004.
  • [DB05] S. Desilva and R. V. Boppana, "Mitigating
    Malicious Control Packet Floods in Ad Hoc
    Networks," Proc. IEEE Wireless Communications and
    Networking Conference, 2005.
  • [DETER] DETER: A Laboratory for Security
    Research, http://www.isi.edu/deter/.
  • [Do02] J. Douceur, "The Sybil Attack," Proc.
    IPTPS, Feb. 2002.
  • [FQL06] H. Fu, S. Kawamura, and C. Li,
    "Blom-based Q-composite: A Generalized Framework
    of Random Key Pre-distribution Schemes for
    Wireless Sensor Networks," Proc. IEEE
    International Conference on Intelligent Robots
    and Systems, Oct. 2006.
  • [HPJ03] Y.-C. Hu, A. Perrig, and D. B. Johnson,
    "Packet Leashes: A Defense against Wormhole
    Attacks in Wireless Ad Hoc Networks," Proc.
    INFOCOM, Apr. 2003.
  • [HPJ03a] Y.-C. Hu, A. Perrig, and D. B. Johnson,
    "Rushing Attacks and Defense in Wireless Ad Hoc
    Network Routing Protocols," Proc. ACM Workshop on
    Wireless Security (WiSe), Sep. 2003.
  • [HL03] Y. Huang and W. Lee, "A cooperative
    intrusion detection system for ad hoc networks,"
    Proc. SASN, 2003.

49
References (2)
  • [La78] L. Lamport, "Time, clocks, and the
    ordering of events in a distributed system,"
    Communications of the ACM, vol. 21, pp. 558-564,
    July 1978.
  • [MGLB00] S. Marti, T. J. Giuli, K. Lai, and M.
    Baker, "Mitigating routing misbehavior in mobile
    ad hoc networks," Proc. ACM/IEEE International
    Conference on Mobile Computing and Networking,
    2000.
  • [MSPR05] J. M. McCune, E. Shi, A. Perrig, and M.
    K. Reiter, "Detection of Denial-of-Message
    Attacks on Sensor Network Broadcasts," Proc. IEEE
    Symposium on Security and Privacy, May 2005.
  • [MFMG05] K. Mandalas, D. Flitzanis, G. F. Marias,
    and P. Georgiadis, "A Survey of Several
    Cooperation Enforcement Schemes for MANETs,"
    Proc. IEEE ISSPIT 2005, Symposium on Security and
    Privacy in Mobile and Wireless Computing, Dec.
    2005.
  • [NM04] K. Nadkarni and A. Mishra, "A novel
    intrusion detection scheme for wireless ad hoc
    networks," Proc. IEEE WCNC 2004, Mar. 2004.
  • [PPJK05] A. Patwardhan, J. Parker, A. Joshi, A.
    Karygiannis, and M. Iorga, "Secure Routing and
    Intrusion Detection in Ad Hoc Networks," Proc.
    Third IEEE International Conference on Pervasive
    Computing and Communications, Mar. 2005.
  • [PM03] A. Patcha and A. Mishra, "Collaborative
    security architecture for black hole attack
    prevention in mobile ad hoc networks," Proc.
    Radio and Wireless Conference (RAWCON), Aug.
    2003.
  • [QSL05] L. Qian, N. Song, and X. Li, "Detecting
    and locating wormhole attacks in wireless ad hoc
    networks through statistical analysis of
    multi-path," Proc. IEEE Wireless Communications
    and Networking Conference (WCNC), Mar. 2005.

50
References (3)
  • [RB05] R. Oliveira and T. Braun, "A Dynamic
    Adaptive Acknowledgment Strategy for TCP over
    Multihop Wireless Networks," Proc. IEEE INFOCOM,
    Mar. 2005.
  • [RB07] R. Oliveira and T. Braun, "A Smart TCP
    Acknowledgment Approach for Multihop Wireless
    Networks," IEEE Transactions on Mobile Computing,
    vol. 6, no. 2, pp. 192-205, Feb. 2007.
  • [RFKN05] S. Ramaswamy, H. Fu, and K. Nygard,
    "Effect of Cooperative Black Hole Attack on
    Mobile Ad Hoc Networks," Proc. ICWN, Jun. 2005.
  • [SBCW05] D. Sterne et al., "A General Cooperative
    Intrusion Detection Architecture for MANETs,"
    Proc. Third IEEE IWIA 2005, Mar. 2005.
  • [SLDL05] K. Sanzgiri, D. LaFlamme, B. Dahill, B.
    Levine, C. Shields, and E. Belding-Royer,
    "Authenticated Routing for Ad Hoc Networks," IEEE
    Journal on Selected Areas in Communications, pp.
    598-610, 2005.
  • [Yi06] J. Yin, "Problems and Solutions for
    Handling Attacks in Sensor Networks," Ph.D.
    thesis, University of Missouri-Rolla, Dec. 2006.
  • [YML02] H. Yang, X. Meng, and S. Lu,
    "Self-organized network-layer security in mobile
    ad hoc networks," Proc. ACM Workshop on Wireless
    Security (WiSe), 2002.
  • [WBLW06] W. Wang, B. Bhargava, Y. Lu, and X. Wu,
    "Defending against Wormhole Attacks in Mobile Ad
    Hoc Networks," WCMC, vol. 6, issue 4, pp.
    483-503, Jun. 2006.