A Flow-Based Network Monitoring Framework for Wireless Mesh Networks

1
A Flow-Based Network Monitoring Framework for
Wireless Mesh Networks

• Authors
• Feiyi Huang, Yang Yang, University College London
  Liwen He, British Telecom Group CTO
• Presented by
• Sheetal Gupta
• CMSC 681 Fall 2007

2
Agenda

• Wireless Mesh Networks
• Vulnerabilities and Security Challenges
• Proposed MeshFlow Framework
• MeshFlow Record Structure
• Record Creation
• Record Management
• Record Analysis
• Implementation Issues
• Conclusion

3
Wireless Mesh Networks (WMN)

• Are an extension of wireless ad hoc and sensor
  networks.
• Has a hybrid network infrastructure with a
  backbone and an access network.
• It is a group of self-organized and
  self-configured mesh clients and routers
  interconnected via wireless links.
• Applications digital home, community and
  neighborhood networking, enterprise networking,
  emergency and disaster networking.

4
Wireless Mesh Networks (WMN)

• Mesh clients can be user devices with wireless
  network card, like PCs laptop, PDAs and mobile
  phones. They have limited energy, computing power
  and radio range.
• Mesh routers are usually more powerful in terms
  of computation and communication capabilities and
  have continuous power supply.
• They normally are static and provide access
  points to supply internet connections for
  clients.
• User traffic from client is transmitted through a
  multihop, wireless path to its destination
  client-to-client (CC), client-to-router (CR) and
  router-to-router(RR).

5
Wireless Mesh Networks (WMN)

• Wireless mesh backbone network is formed by ad
  hoc mode interconnections of mesh routers.
• When new or existing router joins or leaves the
  backbone, the network self-organizes and
  self-configures accordingly.
• In WMN, usually there is one static mesh router
  and a number of mesh clients that are either
  static or mobile.

6
Vulnerabilities and Challenges

• Security attacks can be in the physical, MAC and
  network layers.
• Physical layer Radio frequency jamming
  Attackers can generate jamming signals to
  interfere with communications on wireless
  channels.
• MAC layer attack In contention based MAC
  protocols, a small back-off interval gives the
  user the advantage of gaining access to the
  wireless channel quickly. Another attack is
  continuously broadcasting busy tone signals
  causing other users to be in waiting status for a
  long period.
• Network layer For reactive routing protocols
  like AODV, the node list in the route request
  (RREQ) and route reply (RREP) can be fabricated,
  replaced or deleted. For proactive routing
  protocols like OLSR, attacker can advertise a
  modified routing table, leading all traffic
  towards an intended address or to generate loops.
  Attacker can steal all packets, produce a
  sink-hole by selectively discarding packets.

7
Vulnerabilities and Challenges(cont.)

• Denial of Service (DoS) attack Handshake
  messages, other access control packets in the MAC
  layer, routing tables and route discovery packets
  in the network layer can be easily falsified to
  exclude vital fields, include a non-existing
  source or destination or replace by malformed
  information.
• MAC message exchange and route discovery
  procedures will be suspended by these unreadable
  packets and tables.
• As a result, additional requests from other
  devices will not be responded to by these
  terminals which are struggling to resolve these
  packets and tables.
• DoS attack can be achieved more easily by
  flooding attacks ICMP flooding, synchronize
  packet in TCP flooding and UDP flooding. In WMN
  flooding is more damaging because of weaker
  network devices.

8
MeshFlow Framework

• All these performance degradations will be
  reflected in the network traffic change.
• By monitoring the traffic change situation, an
  attack can be actively monitored.
• In a WMN the concept of network traffic flow is
  extended and defined as MeshFlow.
• The MeshFlow framework is designed to generate,
  transmit and analyze MeshFlow records.

9
MeshFlow Framework(cont.)

• MeshFlow record is a special kind of packet and
  contains a summary of the properties of packets
  passing through a mesh router.
• Fields included are source and destination
  addresses, next-hop address, number of bytes,
  packets, transport protocols and previous
  transmission delay summation.
• MeshFlow Creation - On each mesh router, part of
  the memory is separated to construct a MeshFlow
  cache dedicated to MeshFlow record creation and
  maintenance.
• When a packet travels through the router, its
  transmission information is extracted and
  comprises a MeshFlow record.
• If 2 packets have the same source, destination,
  next-hop address and the same transport protocol,
  their transmission information is aggregated into
  one record by aggregating the number of packets,
  bytes and delay duration.

10
MeshFlow Framework (cont.)

• MeshFlow Management - When a MeshFlow record is
  created it is stamped to indicate starting time
  of the record.
• An aging mechanism is implemented to calculate
  the overall active duration of the record.
• The records are then exported to a dedicated
  collector and analyzer and permanently deleted
  from the MeshFlow cache.

11
MeshFlow Framework (cont.)

• MeshFlow analysis After exporting the records
  from all routers to the collector, an entire
  network picture can be constructed.
• User monitoring When a packet travels through a
  multi-hop path consisting of mesh routers,
  records are created on each router. On
  aggregating records, the complete transportation
  path of a packet can be derived, including
  source, destination and all intermediate routers.
  So a comprehensive investigation of each traffic
  flow is achieved.
• Router monitoring When records are aggregated
  based on mesh routers, traffic transported on
  each of its channels can be illustrated clearly.

12
MeshFlow Framework (cont.)

• MeshFlow analysis (cont.)
• Security Protection An attack scenario leads to
  abnormal traffic. These can be detected by
  analyzing the MeshFlow records and matching with
  attack signatures. For example, in a flooding
  attack there is burst traffic toward the same
  destination. In MAC abuse there will be no
  successful transmissions for that access network.
  Protection can be achieved by further action like
  letting the flood-generating router block the
  corresponding attack traffic.
• Application and Service Monitoring Different
  network applications usually are performed by
  separate transport protocols. MeshFlow records
  can be aggregated for each application at each
  router. Inappropriate resource utilization is
  reallocated to balance different applications
  performed on each router.

13
Implementation Issues

• Unavoidably the MeshFlow framework induces extra
  overhead on the network.
• Careful designing to suit specific network
  scenarios is required.
• Two static parameters must be determined.
• MeshFlow record structure Different fields are
  used for different monitoring and analysis. It is
  not necessary to generate a complete record for
  every scenario.
• Collection method Three methods possible.
• Dedicated cable line Each router had a
  dedicated cable line
• Distributed antenna The MeshFlow collector has
  antennas deployed around the entire backbone
  network.
• Multi-hop relaying Records are exported as
  normal packet transmissions via multi-hop
  router-to-router wireless links, finally reaching
  the collector.

14
Implementation Issues (cont.)

• Two dynamic parameters must be determined
• Packet sampling rate For each incoming packet
  at a router, information is either extracted
  immediately or ignored, depending on sampling
  rate.
• Time-based Extract information from packets at
  some time intervals
• Packet-based Sample one packet after ignoring a
  certain number
• Terminal-based More frequent sampling for
  packets from terminals having a bad history.
• Exportation time interval
• Idle Export if a record is idle for a certain
  period.
• Active if a record if active for too long
• Oldest record exported when Mesh cache is
  heavily loaded.

15
Conclusion

• We reviewed security challenges, attacks in the
  physical, MAC and network layers of Wireless Mesh
  backbone and access Networks.
• We defined a new concept of MeshFlow and proposed
  a flow-based network monitoring framework to
  tackle the security issues in WMNs.

16
Reference

• A Flow-Based Network Monitoring Framework For
  Wireless Mesh Networks, Feiyi Huang, Yang Yang,
  University College London, Liwen He, British
  Telecom Group CTO

17
Thank you!

• Questions?