Title: End to End Security and Privacy in Distributed Systems and Cloud
1End to End Security and Privacy in Distributed
Systems and Cloud
- Bharat Bhargava
- CERIAS Security Center
- CWSA Wireless Center
- Department of CS and ECE
- Purdue University
- bb_at_cs.purdue.edu
- Supported by NSF, AFRL, CISCO, Motorola, IBM
2Visions of AF chief scientist ( Werner Dahm)
- U.S Air Force Technology Horizons 2010---2030
- http//www.aviationweek.com/media/pdf/Check6/USAF_
Technology_Horizons_report.pdf - Next-Generation High-Bandwidth Secure
Communications - Trusted, Adaptive, Flexibly-Autonomous Systems
- New technologies for increased cyber resilience
of Air Force networks and systems - Technologies can provide increased trust in
autonomy to enable reduced manpower requirements
via flexibly autonomous systems
3PCA1 Inherently Intrusion-Resilient Cyber
Systems
- There will be an enduring need for technologies
that can enable a wide range of Air Force
capabilities that support missions, including
better multi-level security solutions to
facilitate sharing of information, systems, and
training with international partners. - Command and Control Center (C2C), exploring
solutions to national security problems with
emphasis on improved information
interoperability, systems integration, and cyber
assurance, including net-centric strategies,
complex systems engineering, and information
technologies.
4PCA2 Automated Cyber Vulnerability Assessments
and Reactions
- Ad hoc networks
- Polymorphic networks
- Agile networks
- Complex adaptive distributed networks
- Frequency-agile RF systems
- VV for complex adaptive systems
- Autonomous systems
- Collaborative/cooperative control
- Information fusion and understanding
- Cyber defense
- Cyber resilience
- Social network modeling
5Objective
- A trustworthy, secure, and privacy preserving
network platform must be established for trusted
collaboration in an End to End system. The
fundamental research problems include - Trust management
- Privacy preserved collaborations
- Dealing with a variety of attacks in networks
- Intruder identification in ad hoc networks
- Trust-based privacy preservation for peer-to-peer
data sharing
6Applications
- Security sensitive applications in the next
generation systems - Cloud Computing
- Subscribe/Publish paradigm in DoD
- Data sharing for medical research and treatment
- Collaboration among government agencies for
homeland security - Transportation system (security check during
travel, hazardous material disposal) - Collaboration among government officials, law
enforcement and security personnel, and health
care facilities during bio-terrorism and other
emergencies
7The Oppnet Concept ( Navy STTR)
Oppnets recruit and coordinate the capabilities
of diverse networks, sensors, and computational
resources in a way that optimizes resource
utilization and also ensures improved QoS despite
intermittent link connectivity.
Oppnet links
non-Oppnet UCAS links to Carrier
8Before an Incident
An Incident Occurs
Arrival of Emergency Response Teams
Forming Seed Oppnet Among Emergency Response Teams
Building Expanded Oppnet Discovering Candidate
Helpers,
Expanded Oppnet
Selecting and Integrating Helpers
9Seek Collaboration with Faculty Interested in
- Security/Privacy
- Networking
- Embedded Systems
- Sensors
- Distributed Systems
- Assistive Technologies
10Opportunistic Networks (with Navy)
- Opportunistic Resource Utilization Networks
(Oppnets) for UAV Ad-Hoc Networking - Novel MANET consisting of an initial seed network
that temporarily recruits resources. - Oppnets
- Allow the construction of highly adaptive,
flexible, and maintainable application networks - Utilize and enhance applications, even including
inflexible, stovepiped, legacy applications - Adapt and optimize the use of resources
on-the-fly - Enable and facilitate distributed applications
- Virtualize resources across platforms, allow
scalability, and promote dynamic growth - Oppnets are
- Opportunistic resource/capability utilization
networks - Opportunistic growth networks
- Specialized Ad-Hoc Networks/Systems (SAHNS)
11AFRL BAA Announcement
- To support end to end authenticity, integrity and
confidentiality within the AF, its mission
capabilities must be preceded with strong 2-way
authentication and authorization. - Currently available web browsers lack adequate
support for standard Web Services programming
models or protocols. This limitation presents
the following challenges with the Air Forces
view of the architecture - Authentication and authorization does not take
place across intended end points. Such as between
the requestor and provider. - Termination at intermediate steps of service
execution exposes messages to hostile threats,
for example, Man-in-the-Middle attacks. -
https//www.fbo.gov/index?sopportunitymodeform
tabcoreid9c3333a8b3ee0f6d136e1dc6606ef0df_cvie
w0
12Aspects of Technical Approach ( AFRL Project)
- Designed a policy-driven security architecture
for SOA based across service domains - System provides a secure end-to-end message
origin authentication for web service client
requests and web service providers to ensure
confidentiality and integrity in the presence of
man-in-the-middle attacks. - Investigated adoption of web service WS-
standards (WS-Security, WS-Reliability, WS-Trust,
WS-Interoperability) for enterprise Air Force
systems. - Used Taint Analysis for monitoring security
- A prototype implementation of proposed approaches
based on open source technologies that integrated
into existing government-off-the-shelf (GOTS)
components in an operational environment.
Developed prototype and conducted experiments in
Cloud environment
13Problem Overview (AFRL)
14SOA Reference Scenario
- UDDI Registry request
- Forwarding the service list to Trust Broker and
receive a ranked list - Invoking a selected service
- Second invocation by service in domain A
- Invoking a service in public service domain
- End points (Reply to user)
15Reference Scenario Details
- Steps
- Global UDDI Registry request
- User receives a list of services related to the
requested category - User sends a refined list of services to Trust
Broker module - Trust Broker categorizes the list of services and
returns a classified list - Certified, Trusted, Untrusted services
- Service Request
- User selects a service based on its criteria
(QoS, Trust category of service, Security
preference, etc.) and invokes that service. - User creates a session with Trust Broker and
selected service in Trusted Domain A. (Trust
sessions are shown with dashed lines)
16Reference Scenario Details (Cont.)
- Trusted domain A will invoke another service in
Trusted domain B. - Taint Analysis module will intercept the
communications and reports any illegal external
invocation - Trust session will be extended to this domain (a
new trust link between domain A and trust broker) - Step four is repeated.
- At this moment, an external service invocation to
an public service is detected by Taint Analysis
module - This will be reported to Trust Broker. Trust
Broker will maintain the trustworthiness of this
SOA service orchestration and if needed can stop
it. - Service in service domain B invokes a service in
an public (Maybe untrusted) domain C (Possibility
of deploying Taint Analysis in this domain) - Service end points to user
- The response of SOA invocation can be sent
directly to the user
17SOA Security Solution
18Detecting Service Violation in Internet
- Problem statement
- Detecting service violation in networks is the
procedure of identifying the misbehaviors of
users or operations that do not adhere to network
protocols. - Collaboartion with
- Dr. Albert Legaspi Head, Networks
DivisionSPAWARSYSCEN 55100, NAVY, San Diego
19Topology Used (Internet)
Victim, V
A3 uses reflector H3 to attack V
H5
A1 spoofs H5s address to attack V
20Detecting DoS Attacks in Internet
SPIE Source Path Isolation Engine
21- Research Directions
- Observe misbehavior flows through service level
agreement (SLA) violation detection - Core-based loss
- Stripe based probing
- Overlay based monitoring
22Approach
- Develop low overhead and scalable monitoring
techniques to detect service violations,
bandwidth theft, and attacks. The monitor alerts
against possible DoS attacks in early stage - Policy enforcement and controlling the suspected
flows are needed to maintain confidence in the
security and QoS of networks
23Methods
- Network tomography
- Stripe based probing is used to infer individual
link loss from edge-to-edge measurements - Overlay network is used to identify congested
links by measuring loss of edge-to-edge paths - Transport layer flow characteristics are used to
protect critical packets of a flow - Edge-to-edge mechanism is used to detect and
control unresponsive flows
24Monitoring Network Domains
- Idea
- Excessive traffic changes internal
characteristics inside a domain (high delay
loss, low throughput) - Monitor network domain for unusual patterns
- If traffic is aggregating towards a domain (same
IP prefix), probably an attack is coming - Measure delay, link loss, and throughput achieved
by user inside a network domain - Monitoring by periodic polling or deploying
agents in high speed core routers put non-trivial
overhead on them
25Core-assisted loss measurements
- Core reports to the monitor whenever packet drop
exceeds a local threshold - Monitor computes the total drop for time interval
t - If the total drop exceeds a global threshold
- a. The monitor sends a query to all edge
routers requesting their current rates - b. The monitor computes total incoming rate
from all edge - c. The monitor computes the loss ratio as the
ratio of the dropped packets and the total
incoming rate - d. If the loss ratio exceeds the SLA loss
ratio, a possible SLA violation is reported
26Stripe Unicast Probing Duffield et al., INFOCOM
01Idea from Butler Lampson and Howard Sturgis
(Crash Recovery in a Distributed Data Storage
System)
- Back-to-back packets experience similar
congestion in a queue with a high probability
- Receiver observes the probes to correlate them
for loss inference - Infer internal characteristics using topology
- For general tree? Send stripe from root to every
order-pair of leaves - Develop stripe-based monitoring by extending loss
inference for multiple drop precedence
27Inferring Loss
- Calculate how many packets are received by the
two receivers. Transmission probability Ak -
- where Zi binary variable which takes 1 when
all packets reached their destination and 0
otherwise - Loss is 1 - Ak
- For general tree, send stripe from root to every
order-pair of leaves.
28Overlay-based Monitoring
- Problem statement
- Given topology of a network domain, identify
which links are congested - Solutions Simple and Advanced methods
- Monitor the network for link delay
- If delayi gt Thresholdidelay for path i, then
probe the network for loss - If lossj gt Thresholdjloss for any link j, then
probe the network for throughput - If BWk gt ThresholdkBW, flow k is violating
service agreements by taking excess resources.
Upon detection, we control the flows.
29Probing Simple Method
Congested link
- Each peer probes both of its neighbors
- Detect congested link in both directions
30Experiments Evaluation methodology
- Simulation using ns-2
- Two topologies
- C-C links, 20 Mbps
- E-C links, 10 Mbps
- Parameters
- Number of flows order of thousands
- Change life time of flows
- Simulate attacks by varying traffic intensities
and injecting traffic from multiple entry points - Output Parameters
- delay, loss ratio, throughput
Congested link
Topology 1
31Identified Congested Links
Loss Ratio
Loss Ratio
Time (sec)
Time (sec)
(a) Counter clockwise probing
(b) Clockwise probing
Probe46 in graph (a) and Probe76 in graph (b)
observe high losses, which means link C4 ? E6 is
congested.
32False Positive (theoretical analysis)
- The simple method does not correctly label all
links - The unsolved good links are considered bad
hence false positive happens - Need to refine the solution ? Advanced Method
33- Example
- if 100 links in the network and 20 of them are
congested and 80 are good. The basic probing
method can identify 15 congestion links and 70
good links. The other 15 are labeled as
unknown. If all unknown links are treated as
congested, 10 good link will be falsely labeled
as congested. When the false positive is too
high, the available paths that can be chosen by
the routers are restricted, thus network
performance is impacted.
34Analyzing Simple Method
- Lemma 1. If P and P are probe paths in the first
and the second round of probing respectively,
P P 1 - Theorem 1. If only one probe path P is shown to
be congested in any round of probing, the simple
method successfully identifies status of each
link in P - Performs better if edge-to-edge paths are
congested - The average length of the probe paths in the
Simple method is 4
35Performance Simple Method
- Theorem 2. Let p be the probability of a link
being congested in any arbitrary overlay network.
The simple method determines the status of any
link of the topology with probability at least
2(1-p)4-(1-p)7p(1-p)12
Detection Probability
Frac of actual congested links
36Advanced Method
- AdvancedMethod()
- begin
- Conduct Simple Method. E is the unsolved
equation set - for Each undecided variable Xij of E do
- node1 FindNode(Tree T, vi, IN)
- node2 FindNode(Tree T, vj , OUT)
- if node1 ? NULL AND node2 ? NULL then
- Probe(node1, node2). Update equation set E
- end if
- Stop if no more probe exists
- endfor
- end
37Identifying Links Advanced Method
Loss Ratio
Time (sec)
Link E2 ? C2, C1 ? C3, C3 ? C4, and C4 ? E6 are
congested. Simple method identifies all except E2
? C2. Advanced method finds probe E5?E1 to
identify status of E2 ? C2.
38Analyzing Advanced Method
- Lemma 2. For an arbitrary overlay network with n
edge routers, on the average a link lies on b
edge-to-edge paths - Lemma 3. For an arbitrary overlay network with n
edge routers, the average length of all
edge-to-edge paths is d - Theorem 3. Let p be the probability of a link
being congested. The advanced method can detect
the status of a link with probability at least
(1-(1-(1-p)d)b)
39Bounds on Advanced Method
- Graph shows lower and upper bounds
- When congestion is 20, links are identified
with O(n) probes with probability 0.98 - Does not help if 60 links are congested
Detection Probability
Frac of actual congested links
Advanced method uses output of simple method and
topology to find a probe that can be used to
identify status of an unsolved link in simple
method
40Experiments Delay Measurements
of traffic
Delay (ms)
Cumulative distribution function (cdf)
- Attack changes delay pattern in a network domain
- We need to know the delay pattern when there is
not attack
41Experiments Loss measurements
Loss Ratio
Loss Ratio
Time (sec)
Time (sec)
(b) Stripe-based
(a) Core-assisted
Core-based measurement is more precise than
stripe-based, however, it has high overhead
42Attack Scenarios
Delay (ms)
Loss Ratio
Time (sec)
Time (sec)
(a) Changing delay pattern due to attack
(b) Changing loss pattern due to attack
- Attack 1 violates SLA and causes 15-30 of
packet loss - Attack 2 causes more than 35 of packet loss
43Detecting DoS Attacks
- If many flows aggregate towards a downstream
domain, it might be a DoS attack on the domain - Analyze flows at exit routers of the congested
links to identify misbehaving flows - Activate filters to control the suspected flows
- Flow association with ingress routers
- Egress routers can backtrack paths, and confirm
entry points of suspected flows
44Overhead comparison
Communication overhead in KB
Processing overhead (CPU cycle)
Percentage of misbehaving flow
Percentage of misbehaving flow
(b) Communication overhead
(a) Processing overhead
- Core has relative low processing overhead
- Overlay scheme has an edge over other two schemes
45Observations
- Stripe-based Monitoring
- Stripe-based probing can monitor DiffServ
networks only from the edges - It takes 10 sec to converge the inferred loss
ratio to actual loss ratio with 90 accuracy - 10-15 delay probes and 20-25 loss probes per
second are sufficient for monitoring - Probe is a 3-packet stripe
- 3 shows good correlation, 4 does not add much
46Observations (Contd)
- Overlay-based Monitoring
- Congestion status of individual links can be
inferred from edge-to-edge measurements - When the network is 20 congested
- Status of a link is identified with probability
0.98 - Requires O(n) probes, where n is the number of
edge routers - Worst case is O(n2), whereas stripe-based
requires O(n3) probes to achieve same
functionality
47Observations (Contd)
- Analyze existing techniques to defeat DoS attacks
- Marking has less overhead than Filtering,
however, it is only a forensic method - Monitoring might have less processing overhead
than marking or filtering, however, monitoring
injects packets and others do not - Monitoring can alert against DoS attacks in early
stage
48Observations (Contd)
- Traffic Conditioner
- Using small state table, we can design scalable
traffic conditioner - It can protect critical packets of a flow to
improve application QoS (delay, throughput,
response time, ) - Both Round trip time (RTT) Retransmission
time-out (RTO) are necessary to avoid RTT-bias
among flows
49Observations (Contd)
- Flow Control
- Network tomography is used to design edge-to-edge
mechanism to detect control unresponsive flows - QoS of adaptive flows improves significantly with
flow control mechanism
50Conclusion on Monitoring
- Elegant way to use probability in inferring loss.
3-packets stripe shows good correlation - Monitoring network can detect service violation
and bandwidth theft using measurements - Monitoring can detect DoS attacks in early stage.
Filter can be used to stop the attacks - Overlay-based monitoring requires only O(n)
probing with a very high probability, where n is
the number of edge routers - Overlay-based monitoring has very low
communication and processing overhead - Stripe-based inference is useful to annotate a
topology tree with loss, delay, and bandwidth.
51- Intruder Identification in Ad Hoc Networks
(Cisco, Motorola, AFRL) - Problem Statement
- Intruder identification in ad hoc networks is
the procedure of identifying the user or host
that conducts the inappropriate, incorrect, or
anomalous activities that threaten the
connectivity or reliability of the networks and
the authenticity of the data traffic in the
networks
52Research problem Related work Purdue Research
Identification of Intruder SAODV protocol Robust Reverse Labeling Tree scheme, Trust to minimize suspicion of all, Experiments
Identification of Packet Drops Arizona-React system Deals with multiple attackers coordinating, uses audit, hash functions on path
Identification of Collaboration CSCW Intrusion Detection Systems (IDS) capable of correlating CAs, Fuzzy systems, Learning, Experiments
Privacy In Manets/Cloud/SoA Prime project in Europe Protocols to assure privacy of sender, receiver, routes and packets, Partial hash of handle
Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation Lack of data on effects of Multi-port scanning, Multi-threading, Infection time, Multiple starting points, and Collaboration (MMIMC) Measure the effects of MMIMC on infected hosts, Fibonacci Number Sequence (FNS) to model the effects of infection time
53Introduction to AODV
- Introduced in 97 by Perkins at NOKIA, Royer at
UCSB - 12 versions of IETF draft in 4 years, 4 academic
implementations, 2 simulations - Combines on-demand and distance vector
- Broadcast Route Query, Unicast Route Reply
- Quick adaptation to dynamic link condition and
scalability to large scale network - Support multicast
54Route Discovery in AODV (An Example)
D
S1
S3
S2
S4
S
Route to the source
Route to the destination
55Attacks on AODV
- Route request flooding
- query non-existing host (RREQ will flood
throughout the network) - False distance vector
- reply one hop to destination to every request
and select a large enough sequence number - False destination sequence number
- select a large number (even beat the reply from
the real destination) - Wormhole attacks
- tunnel route request through wormhole and attract
the data traffic to the wormhole - Coordinated attacks
- The malicious hosts establish trust to frame
other hosts, or conduct attacks alternatively to
avoid being identified
56False Destination Sequence Attack
Sequence number 5
RREP(D, 4)
D
S4
S3
S
S1
RREQ(D, 3)
RREP(D, 20)
S2
M
Packets from S to D are sinking at M.
57During Route Rediscovery, False Destination
Sequence Number Attack Is Detected, S needs to
find D again.
Node movement breaks the path from S to M
(trigger route rediscovery).
(1). S broadcasts a request that carries the old
sequence 1 21
(2) D receives the RREQ. Local sequence is 5, but
the sequence in RREQ is 21. D detects the false
desti-nation sequence number attack.
D
S3
RREQ(D, 21)
S
S1
S2
M
S4
Propagation of RREQ
58Reverse Labeling Restriction (RLR)
- Blacklists are updated after an attack is
detected. - Basic Ideas
- Every host maintains a blacklist to record
suspicious hosts who gave wrong route related
information. - The destination host will broadcast an INVALID
packet with its signature. The packet carries the
hosts identification, current sequence, new
sequence, and its own blacklist. - Every host receiving this packet will examine its
route entry to the destination host. The previous
host that provides the false route will be added
into this hosts blacklist.
59BL
D
S3
INVALID ( D, 5, 21, BL, Signature )
BL
S4
S
S1
BL S2
M
S2
S4
Correct destination sequence number is
broadcasted. Blacklist at each host in the path
is determined.
60D1
D2
S3
M
S4
M
M
D4
D3
M
M
S2
S1
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and
S4-D4). When the first two false routes are
detected, D3 and D4 add M into their blacklists.
When later D3 and D4 become victim destinations,
they will broadcast their blacklists, and every
host will get two votes that M is malicious host.
Malicious site is in blacklists of multiple
destination hosts.
61Intruder Identified
- If M is in multiple blacklists, M is classified
as a malicious host based on a certain threshold. - Intruder is approximately identified.
- Trust values can be used for combining knowledge
from other hosts.
62Experimental Studies of RLR
- The experiments are conducted using ns2.
- Various network scenarios are formed by varying
the number of independent attackers, number of
connections, and host mobility. - The examined parameters include
- Packet delivery ratio
- Identification accuracy false positive and false
negative ratio - Communication and computation overhead
63Simulation Parameter
Simulation duration 1000 seconds
Simulation area 1000 1000 m
Number of mobile hosts 30
Transmission range 250 m
Pause time between the host reaches current target and moves to next target 0 60 seconds
Maximum speed 5 m/s
Number of CBR connection 25/50
Packet rate 2 pkt / sec
64Experiment 1 Measure the Changes in Packet
Delivery Ratio
- Purpose investigate the impacts of host
mobility, number of attackers, and number of
connections on the performance improvement
brought by RLR - Input parameters host pause time, number of
independent attackers, number of connections - Output parameters packet delivery ratio
- Observation When only one attacker exists in the
network, RLR brings a 30 increase in the
packet delivery ratio. When multiple attacker
exist in the system, the delivery ratio will not
recover before all attackers are identified.
65Increase in Packet Delivery Ratio Single Attacker
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is delivery ratio. 25
connections and 50 connections are considered.
RLR brings a 30 increase in delivery ratio. 100
delivery is difficult to achieve due to network
partition, route discovery delay and buffer.
66Experiment 2 Measure the Accuracy of Intruder
Identification
- Purpose investigate the impacts of host
mobility, number of attackers ,and connection
scenarios on the detection accuracy of RLR - Input parameters number of independent
attackers, number of connections, host
pause time - Output parameters false positive alarm ratio,
false negative alarm ratio - Observation The increase in connections may
improve the detection accuracy of RLR. When
multiple attackers exist in the network, RLR has
a high false positive ratio.
67Accuracy of RLR Single Attacker
30 hosts, 25 connections 30 hosts, 25 connections 30 hosts, 50 connections 30 hosts, 50 connections
Host Pause time (sec) of normal hosts identify the attacker of normal hosts marked as malicious of normal hosts identify the attacker of normal hosts marked as malicious
0 24 0.22 29 2.2
10 25 0 29 1.4
20 24 0 25 1.1
30 28 0 29 1.1
40 24 0 29 0.6
50 24 0.07 29 1.1
60 24 0.07 24 1.0
The accuracy of RLR when there is only one
attacker in the system
68Experiment 3 Measure the Communication Overhead
- Purpose investigate the impacts of host
mobility and connection scenarios on the
overhead of RLR - Input parameters number of connections, host
pause time - Output parameters control packet overhead
- Observation When no false destination sequence
attacks exist in the network, RLR introduces
small packet overhead into the system.
69Control Packet Overhead
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is normalized overhead
( of control packet / of delivered data
packet). 25 connections and 50 connections are
considered. RLR increases the overhead slightly.
70Research Opportunities Improve Robustness of RLR
- Protect the good hosts from being framed by
malicious hosts - The malicious hosts can frame the good hosts by
putting them into blacklist. - By lowering the trust values of both complainer
and complainee, we can restrict the impacts of
the gossip distributed by the attackers.
71- Avoid putting every host into blacklist
- Combining the host density and movement model, we
can estimate the time ratio that two hosts are
neighbors - The counter for a suspicious host decreases as
time passes - Adjusting the decreasing ratio to control the
average percentage of time that a host stays in
the blacklist of another host
72- Defend against coordinated attacks
- The behaviors of collusive attackers show
Byzantine manners. The malicious hosts may
establish trust to frame other hosts, or conduct
attacks alternatively to avoid being identified. - Look for the effective methods to defend against
such attacks. Possible research directions
include - Apply classification methods to detect the hosts
that have similar behavior patterns - Study the behavior histories of the hosts that
belong to the same group and detect the pattern
of malicious behavior (time-based, order-based)
73Conclusions on Intruder Identification
- False destination sequence attacks can be
detected by the anomaly patterns of the sequence
numbers - Reverse labeling method can reconstruct the false
routing tree - Isolating the attackers brings a sharp increase
in network performance - On going research will improve the robustness of
the mechanism and the accuracy of identification
74Defending against Collaborative Packet Drop
Attacks on MANETs
- Work done with
- Dr. Weichao Wang ( former student now professor
at UNCC) - and
- Dr. Mark Linderman at AFRL
75Organization of Presentation
- Problem Statement
- Related Work
- REAct System and Its Vulnerability
- Our Approach
- Analysis
- Conclusion
76Problem Statement
- Packet drop attacks put severe threats to Ad Hoc
network performance and safety - Directly impact the parameters such as packet
delivery ratio - Will impact security mechanisms such as
distributed node behavior monitoring - Different approaches have been proposed
- Vulnerable to collaborative attacks
- Have strong assumptions of the nodes
77Problem Statement
- Many research efforts focus on individual
attackers - The effectiveness of detection methods will be
weakened under collaborative attacks - E.g., in watchdog, multiple malicious nodes can
provide fake evidences to support each others
innocence - In wormhole and Sybil attacks, malicious nodes
may share keys to hide their real identities
78Problem Statement
- Focus on collaborative packet drop attacks. Why?
- Secure and robust data delivery is a top priority
for many applications - The proposed approach can be achieved as a
reactive method reduce overhead during normal
operations - Can be applied in parallel to secure routing
79Related Work
- Detecting packet drop attacks
- Audit based approaches
- Whether or not the next hop forward the packets
- Use both first hand and second hand evidences
- Problems
- Energy consumption of eavesdropping
- Can be cheated by directional antenna
- Authenticity of the evidence
- Incentive based approaches
- Nuggets and credits
- Multi-hop acknowledgement
80Related Work
- Collaborative attacks and detection
- Classification of the collaborative attacks
- Collusion attack model on secure routing
protocols - Collaborative attacks on key management in MANET
- Detection mechanisms
- Collaborative IDS systems
- Ideas from immune systems
- Byzantine behavior based detection
81REAct system and vulnerability
- REAct system
- Proposed by researchers in Univ of Arizona
- Published in ACM WiSec 2009
- Random audit based detector of packet drop
- A reactive approach will be activated only when
something bad happens - Assumptions
- At least two node disjoint paths b/w any pair of
nodes - Know the identity of the intermediate nodes
- Pair-wise keys b/w the source and the
intermediate nodes
82REAct system and vulnerability
- Working procedure of REAct
- Destination detects the drop in packet arriving
rate and notifies the source - Source randomly selects an intermediate node and
asks it to generate a behavioral proof of the
received packets - Intermediate node constructs a bloom filter using
these packets - Source compares the bloom filter to its own value
- If match the attacker is after the intermediate
node - Otherwise, it is before the intermediate node
- Repeat the procedure until the bad link is located
83REAct system and vulnerability
Example of REAct the source selects n4 to be the
first audited node. N4 generates the correct
bloom filter, so the attacker is between n4 and D.
84Collaborative attacks on REAct
n1 and n4 are collusive attackers. n1 discards
the packets but delivers the bloom filter to n4.
Now the source will think that the attacker is
between n4 and D. Why REAct is vulnerable to this
attack the source can verify the bloom filter,
but not the generator of the filter.
85Proposed approach
- Assumptions
- Source shares a different secret key and a
different random number with every intermediate
node - All nodes in the network agree on a hash function
h() - There are multiple attackers in the network
- They share their secret keys and random numbers
- Attackers have their own communication channel
- An attacker can impersonate other attackers
86Proposed approach
- Hash based approach
- Every node will add a fingerprint into the packet
- S1 sends out the packet to n1
- S ? n1 (S, D, data packet, random number t0)
- Node n1 will combine the received packet and its
random number r1 to calculate the new
fingerprint - t1 h( r1 S D data packet t0 r1
) - n1 ? n2 (S, D, data packet, t1 )
- The audited node will generate the bloom filter
based on the data packets and the fingerprints - The source will generate its own bloom filter
and compare it to the value of the audited node
87Proposed approach
- Why our approach is safe
- The node behavioral proofs in our proposed
approach contain information from both the data
packets and the intermediate nodes. - Theorem 1. If node ni correctly generates the
value ti, then all innocent nodes in the path
before ni (including ni) must have correctly
received the data packet selected by S.
88Proposed approach
- Why our approach is safe
- The ordered hash calculations guarantee that any
update, insertion, and deletion operations to the
sequence of forwarding nodes will be detected. - Therefore, we have
- if the behavioral proof passes the test of S, the
suspicious set will be reduced to ni, ni1, ---,
D - if the behavioral proof fails the test of S, the
suspicious set will be reduced to S, n1, ---,
ni
89Discussion
- Indistinguishable audit packets
- The malicious node should not tell the difference
between the data packets and audited packets - The source will attach a random number to every
data packet - Reducing computation overhead
- A hash function needs 20 machine cycles to
process one byte - We can choose a part of the bytes in the packet
to generate the fingerprint. In this way, we can
balance the overhead and the detection capability.
90Discussion
- Security of the proposed approach
- The hash function is easy to compute very hard
to conduct DoS attacks on our approach - It is hard for attackers to generate fake
fingerprint they have to have a non-negligible
advantage in breaking the hash function - The attackers will adjust their behavior to avoid
detection - The source may choose multiple nodes to be
audited at the same time - The source should adopt a random pattern to
determine the audited nodes
91Conclusion
- Previous approach is vulnerable to collaborative
attacks - Propose a new mechanism for nodes to generate
behavioral proofs - Hash based packet commitment
- Contain both contents of the packets and
information of the forwarding paths - Introduce limited computation and communication
overhead - Extensions
- Investigate other collaborative attacks
- Integrate our detection method with secure
routing protocols
92Another Example of Internal/External Attacks
Collaborative wormhole attacks internal and
external attackers
- To combat joint attacks
- Example
- Node A deceives node S informing it has shortest
path to D - A forwards any packets to X
- X sets up a tunnel to Y
- Any further packet will go through the tunnel
- In tunnel, packets can be selectively dropped or
tampered with
93- Impacts of collaborative wormhole/packet discard
attack on underwater sensor networks
94Ideas on characterizing/classifying CAs
- Identify the key features of combined attacks
- Use signal processing technique and machine
learning technique to characterize/classify
attacks - Wavelet transform for anomaly detection
- Fuzzy logic for decision making process
95 Context based Adaptable Defense against
Collaborative Attacks in Service Oriented
Architecture and Cloud
- Northrop Grumman Cybersecurity Research
Consortium
96Motivations/Objectives
- Unmanned Aircraft Systems (UAS) can revolutionize
militarys ability to monitor and understand the
global environment. The communication is under
constant attacks (both internal and external).
Mobile environments have disconnections and can
not be sure of global information - SoA and Cloud Environment are being used in
Battle field tactical and emergency response
networks . Require end to end security and
privacy - Need to deal with collaborative, multiple,
concurrent attacks of various types on various
targets - Conduct experiments with real attack scenarios
- Develop Cyber Genome ideas for Advanced
Persistent Threats
97Scope of problem
Step1
Step2
Step3
Static scan for attack graph generation
Distributed monitoring
Build tools for inferring, tracing back, and
dealing with new attacks
Information integration
Identify linkage among malicious attacks
Build prototype and evaluation
Collaborative attack detection engine
Propagate warnings, preempt to thwart attack
98Identify intruders, Collaboration, origin type
of attack, potential for future attacks
Identification Tomography, Router monitoring,
SLA agreements
Collaboration Agreements, Intent,Targets,
Communication
Observations Neural nets, Learning, Fuzzy
logic
Predication Extrapolation, Evaluation, Causal
analysis
99Acceleration in Intruder Identification
D3
D2
D1
M2
M3
M1
S2
S1
S3
Coordinated attacks by M1, M2, and M3
Multiple attackers trigger more blacklists to be
broadcasted by D1, D2, D3.
100Ideas on characterizing/classifying CAs
- Identify the key features of Collaborative
attacks - Use signal processing technique and machine
learning technique to characterize/classify
attacks - Wavelet transform for anomaly detection
- Fuzzy logic for decision making process
101Detection and Response at Coordinator Node
- Incoming packets are inspected and the
classification parameters are handed to the fuzzy
engine - Parameters are mapped to the membership functions
- Black list managment is crucial to the efficiency
of the system
102Packet Delivery Ratio (PDR) and Throughput
- Impact of reaction time on performance is high,
implying that coordinator node must get fast
feedback from other nodes and react properly and
quickly - UDP achieves higher PDR, but drops more packets,
resulting in lower throughput
103Hardest Challenges
- Understanding of the impact of multiple attacks
when they run concurrently - Identify collaboration activity in a realistic
attack scenario in DoD and Emergency - Formalize the model for collaboration and will
relate the computer supported cooperative work
(CSCW) paradigm to this problem.
104Future Plans
- Advanced Persistent Threats ( with NGC and Mitre)
- Cyber Genetics ( with DoD)
- Prototype and Experiments
- Privacy in Cloud ( With Dr. Myong Kang, Naval
Research Lab) - End to End security in SoA (with Asher Sinclair,
AFRL) - Context Modeling (with Dr. Mark Linderman, AFRL)
- Cross-domain Information Exchange (with Mike
Mayhew and Yat Fu AFRL)
105Trust-based Privacy Preservation for Peer-to-peer
Data Sharing ( AFRL)
- Problem statement
- Privacy in peer-to-peer systems is different from
the anonymity problem - Preserve privacy of requester
- A mechanism is needed to remove the association
between the identity of the requester and the
data needed
106Proposed solution
- A mechanism is proposed that allows the peers to
acquire data through trusted proxies to preserve
privacy of requester - The data request is handled through the peers
proxies - The proxy can become a supplier later and mask
the original requester
107Related work
- Trust in privacy preservation
- Authorization based on evidence and trust,
Bhargava and Zhong, DaWaK02 - Developing pervasive trust Lilien, CGW03
- Hiding the subject in a crowd
- K-anonymity Sweeney, UFKS02
- Broadcast and multicast Scarlata et al, INCP01
108Related work (2)
- Fixed servers and proxies
- Publius Waldman et al, USENIX00
- Building a multi-hop path to hide the real source
and destination - FreeNet Clarke et al, IC02
- Crowds Reiter and Rubin, ACM TISS98
- Onion routing Goldschlag et al, ACM Commu.99
109Related work (3)
- Sherwood et al, IEEE SSP02
- provides sender-receiver anonymity by
transmitting packets to a broadcast group - Herbivore Goel et al, Cornell Univ Tech
Report03 - Provides provable anonymity in peer-to-peer
communication systems by adopting dining
cryptographer networks
110Privacy measurement
- A tuple ltrequester ID, data handle, data contentgt
is defined to describe a data acquirement. - For each element, 0 means that the peer knows
nothing, while 1 means that it knows
everything. - A state in which the requesters privacy is
compromised can be represented as a vector lt1, 1,
ygt, (y ? 0,1) from which one can link the ID of
the requester to the data that it is interested
in.
111Privacy measurement (2)
For example, line k represents the states that
the requesters privacy is compromised.
112Mitigating collusion
- An operation is defined as
- This operation describes the revealed information
after a collusion of two peers when each peer
knows a part of the secret. - The number of collusions required to compromise
the secret can be used to evaluate the achieved
privacy
113Trust based privacy preservation scheme
- The requester asks one proxy to look up the data
on its behalf. Once the supplier is located, the
proxy will get the data and deliver it to the
requester - Advantage other peers, including the supplier,
do not know the real requester - Disadvantage The privacy solely depends on the
trustworthiness and reliability of the proxy
114Trust based scheme Improvement 1
- To avoid specifying the data handle in plain
text, the requester calculates the hash code and
only reveals a part of it to the proxy. - The proxy sends it to possible suppliers.
- Receiving the partial hash code, the supplier
compares it to the hash codes of the data handles
that it holds. Depending on the revealed part,
multiple matches may be found. - The suppliers then construct a bloom filter based
on the remaining parts of the matched hash codes
and send it back. They also send back their
public key certificates.
115Trust based scheme Improvement 1
- Examining the filters, the requester can
eliminate some candidate suppliers and finds some
who may have the data. - It then encrypts the full data handle and a data
transfer key with the public key. - The supplier sends the data back using
through the proxy - Advantages
- It is difficult to infer the data handle through
the partial hash code - The proxy alone cannot compromise the privacy
- Through adjusting the revealed hash code, the
allowable error of the bloom filter can be
determined
116Data transfer procedure after improvement 1
Requester Proxy of Supplier
Requester
R requester S supplier Step 1, 2 R sends out
the partial hash code of the data handle Step 3,
4 S sends the bloom filter of the handles and
the public key certificates Step 5, 6 R sends
the data handle and encrypted by the
public key Step 7, 8 S sends the required data
encrypted by
117Trust based scheme Improvement 2
- The above scheme does not protect the privacy of
the supplier - To address this problem, the supplier can respond
to a request via its own proxy
118Trust based scheme Improvement 2
Requester Proxy of Proxy
of Supplier Requester
Supplier
119Trustworthiness of peers
- The trust value of a proxy is assessed based on
its behaviors and other peers recommendations - Using Kalman filtering, the trust model can be
built as a multivariate, time-varying state vector
120Conclusion
- A trust based privacy preservation method for
peer-to-peer data sharing is proposed - It adopts the proxy scheme during the data
acquirement - Extensions
- Solid analysis and experiments on large scale
networks are required - A security analysis of the proposed mechanism is
required
121Related Ongoing Research
- Detecting wormhole attacks ( Prof Mario Gerla,
UCLA) - Position-based private routing in ad hoc networks
(Motorola) - Private routing in ad hoc networks
- Privacy Preserving Data Dissemination in
Cross-Domains ( AFRL) - Congestion aware distance vector (CADV) protocol
for ad hoc networks