End to End Security and Privacy in Distributed Systems and Cloud

About This Presentation

Title:

End to End Security and Privacy in Distributed Systems and Cloud

Description:

... processing technique and machine learning technique to characterize/classify attacks Wavelet transform for anomaly detection ... Manets /Cloud/SoA Prime ... – PowerPoint PPT presentation

Number of Views:568

Avg rating:3.0/5.0

Slides: 122

Provided by: yil8

Learn more at: https://www.cs.purdue.edu

Category:

more less

Transcript and Presenter's Notes

Title: End to End Security and Privacy in Distributed Systems and Cloud

1
End to End Security and Privacy in Distributed
Systems and Cloud

Bharat Bhargava
CERIAS Security Center
CWSA Wireless Center
Department of CS and ECE
Purdue University
bb_at_cs.purdue.edu
Supported by NSF, AFRL, CISCO, Motorola, IBM

2
Visions of AF chief scientist ( Werner Dahm)

U.S Air Force Technology Horizons 2010---2030
http//www.aviationweek.com/media/pdf/Check6/USAF_
Technology_Horizons_report.pdf
Next-Generation High-Bandwidth Secure
Communications
Trusted, Adaptive, Flexibly-Autonomous Systems
New technologies for increased cyber resilience
of Air Force networks and systems
Technologies can provide increased trust in
autonomy to enable reduced manpower requirements
via flexibly autonomous systems

3
PCA1 Inherently Intrusion-Resilient Cyber
Systems

There will be an enduring need for technologies
that can enable a wide range of Air Force
capabilities that support missions, including
better multi-level security solutions to
facilitate sharing of information, systems, and
training with international partners.
Command and Control Center (C2C), exploring
solutions to national security problems with
emphasis on improved information
interoperability, systems integration, and cyber
assurance, including net-centric strategies,
complex systems engineering, and information
technologies.

4
PCA2 Automated Cyber Vulnerability Assessments
and Reactions

Ad hoc networks
Polymorphic networks
Agile networks
Complex adaptive distributed networks
Frequency-agile RF systems
VV for complex adaptive systems
Autonomous systems
Collaborative/cooperative control
Information fusion and understanding
Cyber defense
Cyber resilience
Social network modeling

5
Objective

A trustworthy, secure, and privacy preserving
network platform must be established for trusted
collaboration in an End to End system. The
fundamental research problems include
Trust management
Privacy preserved collaborations
Dealing with a variety of attacks in networks
Intruder identification in ad hoc networks
Trust-based privacy preservation for peer-to-peer
data sharing

6
Applications

Security sensitive applications in the next
generation systems
Cloud Computing
Subscribe/Publish paradigm in DoD
Data sharing for medical research and treatment
Collaboration among government agencies for
homeland security
Transportation system (security check during
travel, hazardous material disposal)
Collaboration among government officials, law
enforcement and security personnel, and health
care facilities during bio-terrorism and other
emergencies

7
The Oppnet Concept ( Navy STTR)
Oppnets recruit and coordinate the capabilities
of diverse networks, sensors, and computational
resources in a way that optimizes resource
utilization and also ensures improved QoS despite
intermittent link connectivity.
Oppnet links
non-Oppnet UCAS links to Carrier
8
Before an Incident
An Incident Occurs
Arrival of Emergency Response Teams
Forming Seed Oppnet Among Emergency Response Teams
Building Expanded Oppnet Discovering Candidate
Helpers,
Expanded Oppnet
Selecting and Integrating Helpers
9
Seek Collaboration with Faculty Interested in

Security/Privacy
Networking
Embedded Systems
Sensors
Distributed Systems
Assistive Technologies

10
Opportunistic Networks (with Navy)

Opportunistic Resource Utilization Networks
(Oppnets) for UAV Ad-Hoc Networking
Novel MANET consisting of an initial seed network
that temporarily recruits resources.
Oppnets
Allow the construction of highly adaptive,
flexible, and maintainable application networks
Utilize and enhance applications, even including
inflexible, stovepiped, legacy applications
Adapt and optimize the use of resources
on-the-fly
Enable and facilitate distributed applications
Virtualize resources across platforms, allow
scalability, and promote dynamic growth
Oppnets are
Opportunistic resource/capability utilization
networks
Opportunistic growth networks
Specialized Ad-Hoc Networks/Systems (SAHNS)

11
AFRL BAA Announcement

To support end to end authenticity, integrity and
confidentiality within the AF, its mission
capabilities must be preceded with strong 2-way
authentication and authorization.
Currently available web browsers lack adequate
support for standard Web Services programming
models or protocols. This limitation presents
the following challenges with the Air Forces
view of the architecture
Authentication and authorization does not take
place across intended end points. Such as between
the requestor and provider.
Termination at intermediate steps of service
execution exposes messages to hostile threats,
for example, Man-in-the-Middle attacks.

https//www.fbo.gov/index?sopportunitymodeform
tabcoreid9c3333a8b3ee0f6d136e1dc6606ef0df_cvie
w0
12
Aspects of Technical Approach ( AFRL Project)

Designed a policy-driven security architecture
for SOA based across service domains
System provides a secure end-to-end message
origin authentication for web service client
requests and web service providers to ensure
confidentiality and integrity in the presence of
man-in-the-middle attacks.
Investigated adoption of web service WS-
standards (WS-Security, WS-Reliability, WS-Trust,
WS-Interoperability) for enterprise Air Force
systems.
Used Taint Analysis for monitoring security
A prototype implementation of proposed approaches
based on open source technologies that integrated
into existing government-off-the-shelf (GOTS)
components in an operational environment.
Developed prototype and conducted experiments in
Cloud environment

13
Problem Overview (AFRL)
14
SOA Reference Scenario

UDDI Registry request
Forwarding the service list to Trust Broker and
receive a ranked list
Invoking a selected service
Second invocation by service in domain A
Invoking a service in public service domain
End points (Reply to user)

15
Reference Scenario Details

Steps
Global UDDI Registry request
User receives a list of services related to the
requested category
User sends a refined list of services to Trust
Broker module
Trust Broker categorizes the list of services and
returns a classified list
Certified, Trusted, Untrusted services
Service Request
User selects a service based on its criteria
(QoS, Trust category of service, Security
preference, etc.) and invokes that service.
User creates a session with Trust Broker and
selected service in Trusted Domain A. (Trust
sessions are shown with dashed lines)

16
Reference Scenario Details (Cont.)

Trusted domain A will invoke another service in
Trusted domain B.
Taint Analysis module will intercept the
communications and reports any illegal external
invocation
Trust session will be extended to this domain (a
new trust link between domain A and trust broker)
Step four is repeated.
At this moment, an external service invocation to
an public service is detected by Taint Analysis
module
This will be reported to Trust Broker. Trust
Broker will maintain the trustworthiness of this
SOA service orchestration and if needed can stop
it.
Service in service domain B invokes a service in
an public (Maybe untrusted) domain C (Possibility
of deploying Taint Analysis in this domain)
Service end points to user
The response of SOA invocation can be sent
directly to the user

17
SOA Security Solution
18
Detecting Service Violation in Internet

Problem statement
Detecting service violation in networks is the
procedure of identifying the misbehaviors of
users or operations that do not adhere to network
protocols.
Collaboartion with
Dr. Albert Legaspi Head, Networks
DivisionSPAWARSYSCEN 55100, NAVY, San Diego

19
Topology Used (Internet)
Victim, V
A3 uses reflector H3 to attack V
H5
A1 spoofs H5s address to attack V
20
Detecting DoS Attacks in Internet
SPIE Source Path Isolation Engine
21

Research Directions
Observe misbehavior flows through service level
agreement (SLA) violation detection
Core-based loss
Stripe based probing
Overlay based monitoring

22
Approach

Develop low overhead and scalable monitoring
techniques to detect service violations,
bandwidth theft, and attacks. The monitor alerts
against possible DoS attacks in early stage
Policy enforcement and controlling the suspected
flows are needed to maintain confidence in the
security and QoS of networks

23
Methods

Network tomography
Stripe based probing is used to infer individual
link loss from edge-to-edge measurements
Overlay network is used to identify congested
links by measuring loss of edge-to-edge paths
Transport layer flow characteristics are used to
protect critical packets of a flow
Edge-to-edge mechanism is used to detect and
control unresponsive flows

24
Monitoring Network Domains

Idea
Excessive traffic changes internal
characteristics inside a domain (high delay
loss, low throughput)
Monitor network domain for unusual patterns
If traffic is aggregating towards a domain (same
IP prefix), probably an attack is coming
Measure delay, link loss, and throughput achieved
by user inside a network domain
Monitoring by periodic polling or deploying
agents in high speed core routers put non-trivial
overhead on them

25
Core-assisted loss measurements

Core reports to the monitor whenever packet drop
exceeds a local threshold
Monitor computes the total drop for time interval
t
If the total drop exceeds a global threshold
a. The monitor sends a query to all edge
routers requesting their current rates
b. The monitor computes total incoming rate
from all edge
c. The monitor computes the loss ratio as the
ratio of the dropped packets and the total
incoming rate
d. If the loss ratio exceeds the SLA loss
ratio, a possible SLA violation is reported

26
Stripe Unicast Probing Duffield et al., INFOCOM
01Idea from Butler Lampson and Howard Sturgis
(Crash Recovery in a Distributed Data Storage
System)

Back-to-back packets experience similar
congestion in a queue with a high probability

Receiver observes the probes to correlate them
for loss inference
Infer internal characteristics using topology
For general tree? Send stripe from root to every
order-pair of leaves
Develop stripe-based monitoring by extending loss
inference for multiple drop precedence

27
Inferring Loss

Calculate how many packets are received by the
two receivers. Transmission probability Ak
where Zi binary variable which takes 1 when
all packets reached their destination and 0
otherwise
Loss is 1 - Ak
For general tree, send stripe from root to every
order-pair of leaves.

28
Overlay-based Monitoring

Problem statement
Given topology of a network domain, identify
which links are congested
Solutions Simple and Advanced methods
Monitor the network for link delay
If delayi gt Thresholdidelay for path i, then
probe the network for loss
If lossj gt Thresholdjloss for any link j, then
probe the network for throughput
If BWk gt ThresholdkBW, flow k is violating
service agreements by taking excess resources.
Upon detection, we control the flows.

29
Probing Simple Method
Congested link

Each peer probes both of its neighbors
Detect congested link in both directions

30
Experiments Evaluation methodology

Simulation using ns-2
Two topologies
C-C links, 20 Mbps
E-C links, 10 Mbps
Parameters
Number of flows order of thousands
Change life time of flows
Simulate attacks by varying traffic intensities
and injecting traffic from multiple entry points
Output Parameters
delay, loss ratio, throughput

Congested link
Topology 1
31
Identified Congested Links
Loss Ratio
Loss Ratio
Time (sec)
Time (sec)
(a) Counter clockwise probing
(b) Clockwise probing
Probe46 in graph (a) and Probe76 in graph (b)
observe high losses, which means link C4 ? E6 is
congested.
32
False Positive (theoretical analysis)

The simple method does not correctly label all
links
The unsolved good links are considered bad
hence false positive happens
Need to refine the solution ? Advanced Method

Example
if 100 links in the network and 20 of them are
congested and 80 are good. The basic probing
method can identify 15 congestion links and 70
good links. The other 15 are labeled as
unknown. If all unknown links are treated as
congested, 10 good link will be falsely labeled
as congested. When the false positive is too
high, the available paths that can be chosen by
the routers are restricted, thus network
performance is impacted.

34
Analyzing Simple Method

Lemma 1. If P and P are probe paths in the first
and the second round of probing respectively,
P P 1
Theorem 1. If only one probe path P is shown to
be congested in any round of probing, the simple
method successfully identifies status of each
link in P
Performs better if edge-to-edge paths are
congested
The average length of the probe paths in the
Simple method is 4

35
Performance Simple Method

Theorem 2. Let p be the probability of a link
being congested in any arbitrary overlay network.
The simple method determines the status of any
link of the topology with probability at least
2(1-p)4-(1-p)7p(1-p)12

Detection Probability
Frac of actual congested links
36
Advanced Method

AdvancedMethod()
begin
Conduct Simple Method. E is the unsolved
equation set
for Each undecided variable Xij of E do
node1 FindNode(Tree T, vi, IN)
node2 FindNode(Tree T, vj , OUT)
if node1 ? NULL AND node2 ? NULL then
Probe(node1, node2). Update equation set E
end if
Stop if no more probe exists
endfor
end

37
Identifying Links Advanced Method
Loss Ratio
Time (sec)
Link E2 ? C2, C1 ? C3, C3 ? C4, and C4 ? E6 are
congested. Simple method identifies all except E2
? C2. Advanced method finds probe E5?E1 to
identify status of E2 ? C2.
38
Analyzing Advanced Method

Lemma 2. For an arbitrary overlay network with n
edge routers, on the average a link lies on b
edge-to-edge paths
Lemma 3. For an arbitrary overlay network with n
edge routers, the average length of all
edge-to-edge paths is d
Theorem 3. Let p be the probability of a link
being congested. The advanced method can detect
the status of a link with probability at least
(1-(1-(1-p)d)b)

39
Bounds on Advanced Method

Graph shows lower and upper bounds
When congestion is 20, links are identified
with O(n) probes with probability 0.98
Does not help if 60 links are congested

Detection Probability
Frac of actual congested links
Advanced method uses output of simple method and
topology to find a probe that can be used to
identify status of an unsolved link in simple
method
40
Experiments Delay Measurements
of traffic
Delay (ms)
Cumulative distribution function (cdf)

Attack changes delay pattern in a network domain
We need to know the delay pattern when there is
not attack

41
Experiments Loss measurements
Loss Ratio
Loss Ratio
Time (sec)
Time (sec)
(b) Stripe-based
(a) Core-assisted
Core-based measurement is more precise than
stripe-based, however, it has high overhead
42
Attack Scenarios
Delay (ms)
Loss Ratio
Time (sec)
Time (sec)
(a) Changing delay pattern due to attack
(b) Changing loss pattern due to attack

Attack 1 violates SLA and causes 15-30 of
packet loss
Attack 2 causes more than 35 of packet loss

43
Detecting DoS Attacks

If many flows aggregate towards a downstream
domain, it might be a DoS attack on the domain
Analyze flows at exit routers of the congested
links to identify misbehaving flows
Activate filters to control the suspected flows
Flow association with ingress routers
Egress routers can backtrack paths, and confirm
entry points of suspected flows

44
Overhead comparison
Communication overhead in KB
Processing overhead (CPU cycle)
Percentage of misbehaving flow
Percentage of misbehaving flow
(b) Communication overhead
(a) Processing overhead

Core has relative low processing overhead
Overlay scheme has an edge over other two schemes

45
Observations

Stripe-based Monitoring
Stripe-based probing can monitor DiffServ
networks only from the edges
It takes 10 sec to converge the inferred loss
ratio to actual loss ratio with 90 accuracy
10-15 delay probes and 20-25 loss probes per
second are sufficient for monitoring
Probe is a 3-packet stripe
3 shows good correlation, 4 does not add much

46
Observations (Contd)

Overlay-based Monitoring
Congestion status of individual links can be
inferred from edge-to-edge measurements
When the network is 20 congested
Status of a link is identified with probability
0.98
Requires O(n) probes, where n is the number of
edge routers
Worst case is O(n2), whereas stripe-based
requires O(n3) probes to achieve same
functionality

47
Observations (Contd)

Analyze existing techniques to defeat DoS attacks
Marking has less overhead than Filtering,
however, it is only a forensic method
Monitoring might have less processing overhead
than marking or filtering, however, monitoring
injects packets and others do not
Monitoring can alert against DoS attacks in early
stage

48
Observations (Contd)

Traffic Conditioner
Using small state table, we can design scalable
traffic conditioner
It can protect critical packets of a flow to
improve application QoS (delay, throughput,
response time, )
Both Round trip time (RTT) Retransmission
time-out (RTO) are necessary to avoid RTT-bias
among flows

49
Observations (Contd)

Flow Control
Network tomography is used to design edge-to-edge
mechanism to detect control unresponsive flows
QoS of adaptive flows improves significantly with
flow control mechanism

50
Conclusion on Monitoring

Elegant way to use probability in inferring loss.
3-packets stripe shows good correlation
Monitoring network can detect service violation
and bandwidth theft using measurements
Monitoring can detect DoS attacks in early stage.
Filter can be used to stop the attacks
Overlay-based monitoring requires only O(n)
probing with a very high probability, where n is
the number of edge routers
Overlay-based monitoring has very low
communication and processing overhead
Stripe-based inference is useful to annotate a
topology tree with loss, delay, and bandwidth.

Intruder Identification in Ad Hoc Networks
(Cisco, Motorola, AFRL)
Problem Statement
Intruder identification in ad hoc networks is
the procedure of identifying the user or host
that conducts the inappropriate, incorrect, or
anomalous activities that threaten the
connectivity or reliability of the networks and
the authenticity of the data traffic in the
networks

52
Research problem Related work Purdue Research

Identification of Intruder SAODV protocol Robust Reverse Labeling Tree scheme, Trust to minimize suspicion of all, Experiments
Identification of Packet Drops Arizona-React system Deals with multiple attackers coordinating, uses audit, hash functions on path
Identification of Collaboration CSCW Intrusion Detection Systems (IDS) capable of correlating CAs, Fuzzy systems, Learning, Experiments

Privacy In Manets/Cloud/SoA Prime project in Europe Protocols to assure privacy of sender, receiver, routes and packets, Partial hash of handle

Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation Lack of data on effects of Multi-port scanning, Multi-threading, Infection time, Multiple starting points, and Collaboration (MMIMC) Measure the effects of MMIMC on infected hosts, Fibonacci Number Sequence (FNS) to model the effects of infection time
53
Introduction to AODV

Introduced in 97 by Perkins at NOKIA, Royer at
UCSB
12 versions of IETF draft in 4 years, 4 academic
implementations, 2 simulations
Combines on-demand and distance vector
Broadcast Route Query, Unicast Route Reply
Quick adaptation to dynamic link condition and
scalability to large scale network
Support multicast

54
Route Discovery in AODV (An Example)
D
S1
S3
S2
S4
S
Route to the source
Route to the destination
55
Attacks on AODV

Route request flooding
query non-existing host (RREQ will flood
throughout the network)
False distance vector
reply one hop to destination to every request
and select a large enough sequence number
False destination sequence number
select a large number (even beat the reply from
the real destination)
Wormhole attacks
tunnel route request through wormhole and attract
the data traffic to the wormhole
Coordinated attacks
The malicious hosts establish trust to frame
other hosts, or conduct attacks alternatively to
avoid being identified

56
False Destination Sequence Attack
Sequence number 5
RREP(D, 4)
D
S4
S3
S
S1
RREQ(D, 3)
RREP(D, 20)
S2
M
Packets from S to D are sinking at M.
57
During Route Rediscovery, False Destination
Sequence Number Attack Is Detected, S needs to
find D again.
Node movement breaks the path from S to M
(trigger route rediscovery).
(1). S broadcasts a request that carries the old
sequence 1 21
(2) D receives the RREQ. Local sequence is 5, but
the sequence in RREQ is 21. D detects the false
desti-nation sequence number attack.
D
S3
RREQ(D, 21)
S
S1
S2
M
S4
Propagation of RREQ
58
Reverse Labeling Restriction (RLR)

Blacklists are updated after an attack is
detected.
Basic Ideas
Every host maintains a blacklist to record
suspicious hosts who gave wrong route related
information.
The destination host will broadcast an INVALID
packet with its signature. The packet carries the
hosts identification, current sequence, new
sequence, and its own blacklist.
Every host receiving this packet will examine its
route entry to the destination host. The previous
host that provides the false route will be added
into this hosts blacklist.

59
BL
D
S3
INVALID ( D, 5, 21, BL, Signature )
BL
S4
S
S1
BL S2
M
S2
S4
Correct destination sequence number is
broadcasted. Blacklist at each host in the path
is determined.
60
D1
D2
S3
M
S4
M
M
D4
D3
M
M
S2
S1
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and
S4-D4). When the first two false routes are
detected, D3 and D4 add M into their blacklists.
When later D3 and D4 become victim destinations,
they will broadcast their blacklists, and every
host will get two votes that M is malicious host.
Malicious site is in blacklists of multiple
destination hosts.
61
Intruder Identified

If M is in multiple blacklists, M is classified
as a malicious host based on a certain threshold.
Intruder is approximately identified.
Trust values can be used for combining knowledge
from other hosts.

62
Experimental Studies of RLR

The experiments are conducted using ns2.
Various network scenarios are formed by varying
the number of independent attackers, number of
connections, and host mobility.
The examined parameters include
Packet delivery ratio
Identification accuracy false positive and false
negative ratio
Communication and computation overhead

63
Simulation Parameter
Simulation duration 1000 seconds
Simulation area 1000 1000 m
Number of mobile hosts 30
Transmission range 250 m
Pause time between the host reaches current target and moves to next target 0 60 seconds
Maximum speed 5 m/s
Number of CBR connection 25/50
Packet rate 2 pkt / sec
64
Experiment 1 Measure the Changes in Packet
Delivery Ratio

Purpose investigate the impacts of host
mobility, number of attackers, and number of
connections on the performance improvement
brought by RLR
Input parameters host pause time, number of
independent attackers, number of connections
Output parameters packet delivery ratio
Observation When only one attacker exists in the
network, RLR brings a 30 increase in the
packet delivery ratio. When multiple attacker
exist in the system, the delivery ratio will not
recover before all attackers are identified.

65
Increase in Packet Delivery Ratio Single Attacker
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is delivery ratio. 25
connections and 50 connections are considered.
RLR brings a 30 increase in delivery ratio. 100
delivery is difficult to achieve due to network
partition, route discovery delay and buffer.
66
Experiment 2 Measure the Accuracy of Intruder
Identification

Purpose investigate the impacts of host
mobility, number of attackers ,and connection
scenarios on the detection accuracy of RLR
Input parameters number of independent
attackers, number of connections, host
pause time
Output parameters false positive alarm ratio,
false negative alarm ratio
Observation The increase in connections may
improve the detection accuracy of RLR. When
multiple attackers exist in the network, RLR has
a high false positive ratio.

67
Accuracy of RLR Single Attacker
30 hosts, 25 connections 30 hosts, 25 connections 30 hosts, 50 connections 30 hosts, 50 connections
Host Pause time (sec) of normal hosts identify the attacker of normal hosts marked as malicious of normal hosts identify the attacker of normal hosts marked as malicious
0 24 0.22 29 2.2
10 25 0 29 1.4
20 24 0 25 1.1
30 28 0 29 1.1
40 24 0 29 0.6
50 24 0.07 29 1.1
60 24 0.07 24 1.0
The accuracy of RLR when there is only one
attacker in the system
68
Experiment 3 Measure the Communication Overhead

Purpose investigate the impacts of host
mobility and connection scenarios on the
overhead of RLR
Input parameters number of connections, host
pause time
Output parameters control packet overhead
Observation When no false destination sequence
attacks exist in the network, RLR introduces
small packet overhead into the system.

69
Control Packet Overhead
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is normalized overhead
( of control packet / of delivered data
packet). 25 connections and 50 connections are
considered. RLR increases the overhead slightly.
70
Research Opportunities Improve Robustness of RLR

Protect the good hosts from being framed by
malicious hosts
The malicious hosts can frame the good hosts by
putting them into blacklist.
By lowering the trust values of both complainer
and complainee, we can restrict the impacts of
the gossip distributed by the attackers.

Avoid putting every host into blacklist
Combining the host density and movement model, we
can estimate the time ratio that two hosts are
neighbors
The counter for a suspicious host decreases as
time passes
Adjusting the decreasing ratio to control the
average percentage of time that a host stays in
the blacklist of another host

Defend against coordinated attacks
The behaviors of collusive attackers show
Byzantine manners. The malicious hosts may
establish trust to frame other hosts, or conduct
attacks alternatively to avoid being identified.
Look for the effective methods to defend against
such attacks. Possible research directions
include
Apply classification methods to detect the hosts
that have similar behavior patterns
Study the behavior histories of the hosts that
belong to the same group and detect the pattern
of malicious behavior (time-based, order-based)

73
Conclusions on Intruder Identification

False destination sequence attacks can be
detected by the anomaly patterns of the sequence
numbers
Reverse labeling method can reconstruct the false
routing tree
Isolating the attackers brings a sharp increase
in network performance
On going research will improve the robustness of
the mechanism and the accuracy of identification

74
Defending against Collaborative Packet Drop
Attacks on MANETs

Work done with
Dr. Weichao Wang ( former student now professor
at UNCC)
and
Dr. Mark Linderman at AFRL

75
Organization of Presentation

Problem Statement
Related Work
REAct System and Its Vulnerability
Our Approach
Analysis
Conclusion

76
Problem Statement

Packet drop attacks put severe threats to Ad Hoc
network performance and safety
Directly impact the parameters such as packet
delivery ratio
Will impact security mechanisms such as
distributed node behavior monitoring
Different approaches have been proposed
Vulnerable to collaborative attacks
Have strong assumptions of the nodes

77
Problem Statement

Many research efforts focus on individual
attackers
The effectiveness of detection methods will be
weakened under collaborative attacks
E.g., in watchdog, multiple malicious nodes can
provide fake evidences to support each others
innocence
In wormhole and Sybil attacks, malicious nodes
may share keys to hide their real identities

78
Problem Statement

Focus on collaborative packet drop attacks. Why?
Secure and robust data delivery is a top priority
for many applications
The proposed approach can be achieved as a
reactive method reduce overhead during normal
operations
Can be applied in parallel to secure routing

79
Related Work

Detecting packet drop attacks
Audit based approaches
Whether or not the next hop forward the packets
Use both first hand and second hand evidences
Problems
Energy consumption of eavesdropping
Can be cheated by directional antenna
Authenticity of the evidence
Incentive based approaches
Nuggets and credits
Multi-hop acknowledgement

80
Related Work

Collaborative attacks and detection
Classification of the collaborative attacks
Collusion attack model on secure routing
protocols
Collaborative attacks on key management in MANET
Detection mechanisms
Collaborative IDS systems
Ideas from immune systems
Byzantine behavior based detection

81
REAct system and vulnerability

REAct system
Proposed by researchers in Univ of Arizona
Published in ACM WiSec 2009
Random audit based detector of packet drop
A reactive approach will be activated only when
something bad happens
Assumptions
At least two node disjoint paths b/w any pair of
nodes
Know the identity of the intermediate nodes
Pair-wise keys b/w the source and the
intermediate nodes

82
REAct system and vulnerability

Working procedure of REAct
Destination detects the drop in packet arriving
rate and notifies the source
Source randomly selects an intermediate node and
asks it to generate a behavioral proof of the
received packets
Intermediate node constructs a bloom filter using
these packets
Source compares the bloom filter to its own value
If match the attacker is after the intermediate
node
Otherwise, it is before the intermediate node
Repeat the procedure until the bad link is located

83
REAct system and vulnerability
Example of REAct the source selects n4 to be the
first audited node. N4 generates the correct
bloom filter, so the attacker is between n4 and D.
84
Collaborative attacks on REAct
n1 and n4 are collusive attackers. n1 discards
the packets but delivers the bloom filter to n4.
Now the source will think that the attacker is
between n4 and D. Why REAct is vulnerable to this
attack the source can verify the bloom filter,
but not the generator of the filter.
85
Proposed approach

Assumptions
Source shares a different secret key and a
different random number with every intermediate
node
All nodes in the network agree on a hash function
h()
There are multiple attackers in the network
They share their secret keys and random numbers
Attackers have their own communication channel
An attacker can impersonate other attackers

86
Proposed approach

Hash based approach
Every node will add a fingerprint into the packet
S1 sends out the packet to n1
S ? n1 (S, D, data packet, random number t0)
Node n1 will combine the received packet and its
random number r1 to calculate the new
fingerprint
t1 h( r1 S D data packet t0 r1
)
n1 ? n2 (S, D, data packet, t1 )
The audited node will generate the bloom filter
based on the data packets and the fingerprints
The source will generate its own bloom filter
and compare it to the value of the audited node

87
Proposed approach

Why our approach is safe
The node behavioral proofs in our proposed
approach contain information from both the data
packets and the intermediate nodes.
Theorem 1. If node ni correctly generates the
value ti, then all innocent nodes in the path
before ni (including ni) must have correctly
received the data packet selected by S.

88
Proposed approach

Why our approach is safe
The ordered hash calculations guarantee that any
update, insertion, and deletion operations to the
sequence of forwarding nodes will be detected.
Therefore, we have
if the behavioral proof passes the test of S, the
suspicious set will be reduced to ni, ni1, ---,
D
if the behavioral proof fails the test of S, the
suspicious set will be reduced to S, n1, ---,
ni

89
Discussion

Indistinguishable audit packets
The malicious node should not tell the difference
between the data packets and audited packets
The source will attach a random number to every
data packet
Reducing computation overhead
A hash function needs 20 machine cycles to
process one byte
We can choose a part of the bytes in the packet
to generate the fingerprint. In this way, we can
balance the overhead and the detection capability.

90
Discussion

Security of the proposed approach
The hash function is easy to compute very hard
to conduct DoS attacks on our approach
It is hard for attackers to generate fake
fingerprint they have to have a non-negligible
advantage in breaking the hash function
The attackers will adjust their behavior to avoid
detection
The source may choose multiple nodes to be
audited at the same time
The source should adopt a random pattern to
determine the audited nodes

91
Conclusion

Previous approach is vulnerable to collaborative
attacks
Propose a new mechanism for nodes to generate
behavioral proofs
Hash based packet commitment
Contain both contents of the packets and
information of the forwarding paths
Introduce limited computation and communication
overhead
Extensions
Investigate other collaborative attacks
Integrate our detection method with secure
routing protocols

92
Another Example of Internal/External Attacks
Collaborative wormhole attacks internal and
external attackers

To combat joint attacks
Example
Node A deceives node S informing it has shortest
path to D
A forwards any packets to X
X sets up a tunnel to Y
Any further packet will go through the tunnel
In tunnel, packets can be selectively dropped or
tampered with

Impacts of collaborative wormhole/packet discard
attack on underwater sensor networks

94
Ideas on characterizing/classifying CAs

Identify the key features of combined attacks
Use signal processing technique and machine
learning technique to characterize/classify
attacks
Wavelet transform for anomaly detection
Fuzzy logic for decision making process

95
Context based Adaptable Defense against
Collaborative Attacks in Service Oriented
Architecture and Cloud

Northrop Grumman Cybersecurity Research
Consortium

96
Motivations/Objectives

Unmanned Aircraft Systems (UAS) can revolutionize
militarys ability to monitor and understand the
global environment. The communication is under
constant attacks (both internal and external).
Mobile environments have disconnections and can
not be sure of global information
SoA and Cloud Environment are being used in
Battle field tactical and emergency response
networks . Require end to end security and
privacy
Need to deal with collaborative, multiple,
concurrent attacks of various types on various
targets
Conduct experiments with real attack scenarios
Develop Cyber Genome ideas for Advanced
Persistent Threats

97
Scope of problem
Step1
Step2
Step3
Static scan for attack graph generation
Distributed monitoring
Build tools for inferring, tracing back, and
dealing with new attacks
Information integration
Identify linkage among malicious attacks
Build prototype and evaluation
Collaborative attack detection engine
Propagate warnings, preempt to thwart attack
98
Identify intruders, Collaboration, origin type
of attack, potential for future attacks
Identification Tomography, Router monitoring,
SLA agreements
Collaboration Agreements, Intent,Targets,
Communication
Observations Neural nets, Learning, Fuzzy
logic
Predication Extrapolation, Evaluation, Causal
analysis
99
Acceleration in Intruder Identification
D3
D2
D1
M2
M3
M1
S2
S1
S3
Coordinated attacks by M1, M2, and M3
Multiple attackers trigger more blacklists to be
broadcasted by D1, D2, D3.
100
Ideas on characterizing/classifying CAs

Identify the key features of Collaborative
attacks
Use signal processing technique and machine
learning technique to characterize/classify
attacks
Wavelet transform for anomaly detection
Fuzzy logic for decision making process

101
Detection and Response at Coordinator Node

Incoming packets are inspected and the
classification parameters are handed to the fuzzy
engine
Parameters are mapped to the membership functions
Black list managment is crucial to the efficiency
of the system

102
Packet Delivery Ratio (PDR) and Throughput

Impact of reaction time on performance is high,
implying that coordinator node must get fast
feedback from other nodes and react properly and
quickly
UDP achieves higher PDR, but drops more packets,
resulting in lower throughput

103
Hardest Challenges

Understanding of the impact of multiple attacks
when they run concurrently
Identify collaboration activity in a realistic
attack scenario in DoD and Emergency
Formalize the model for collaboration and will
relate the computer supported cooperative work
(CSCW) paradigm to this problem.

104
Future Plans

Advanced Persistent Threats ( with NGC and Mitre)
Cyber Genetics ( with DoD)
Prototype and Experiments
Privacy in Cloud ( With Dr. Myong Kang, Naval
Research Lab)
End to End security in SoA (with Asher Sinclair,
AFRL)
Context Modeling (with Dr. Mark Linderman, AFRL)
Cross-domain Information Exchange (with Mike
Mayhew and Yat Fu AFRL)

105
Trust-based Privacy Preservation for Peer-to-peer
Data Sharing ( AFRL)

Problem statement
Privacy in peer-to-peer systems is different from
the anonymity problem
Preserve privacy of requester
A mechanism is needed to remove the association
between the identity of the requester and the
data needed

106
Proposed solution

A mechanism is proposed that allows the peers to
acquire data through trusted proxies to preserve
privacy of requester
The data request is handled through the peers
proxies
The proxy can become a supplier later and mask
the original requester

107
Related work

Trust in privacy preservation
Authorization based on evidence and trust,
Bhargava and Zhong, DaWaK02
Developing pervasive trust Lilien, CGW03
Hiding the subject in a crowd
K-anonymity Sweeney, UFKS02
Broadcast and multicast Scarlata et al, INCP01

108
Related work (2)

Fixed servers and proxies
Publius Waldman et al, USENIX00
Building a multi-hop path to hide the real source
and destination
FreeNet Clarke et al, IC02
Crowds Reiter and Rubin, ACM TISS98
Onion routing Goldschlag et al, ACM Commu.99

109
Related work (3)

Sherwood et al, IEEE SSP02
provides sender-receiver anonymity by
transmitting packets to a broadcast group
Herbivore Goel et al, Cornell Univ Tech
Report03
Provides provable anonymity in peer-to-peer
communication systems by adopting dining
cryptographer networks

110
Privacy measurement

A tuple ltrequester ID, data handle, data contentgt
is defined to describe a data acquirement.
For each element, 0 means that the peer knows
nothing, while 1 means that it knows
everything.
A state in which the requesters privacy is
compromised can be represented as a vector lt1, 1,
ygt, (y ? 0,1) from which one can link the ID of
the requester to the data that it is interested
in.

111
Privacy measurement (2)
For example, line k represents the states that
the requesters privacy is compromised.
112
Mitigating collusion

An operation is defined as
This operation describes the revealed information
after a collusion of two peers when each peer
knows a part of the secret.
The number of collusions required to compromise
the secret can be used to evaluate the achieved
privacy

113
Trust based privacy preservation scheme

The requester asks one proxy to look up the data
on its behalf. Once the supplier is located, the
proxy will get the data and deliver it to the
requester
Advantage other peers, including the supplier,
do not know the real requester
Disadvantage The privacy solely depends on the
trustworthiness and reliability of the proxy

114
Trust based scheme Improvement 1

To avoid specifying the data handle in plain
text, the requester calculates the hash code and
only reveals a part of it to the proxy.
The proxy sends it to possible suppliers.
Receiving the partial hash code, the supplier
compares it to the hash codes of the data handles
that it holds. Depending on the revealed part,
multiple matches may be found.
The suppliers then construct a bloom filter based
on the remaining parts of the matched hash codes
and send it back. They also send back their
public key certificates.

115
Trust based scheme Improvement 1

Examining the filters, the requester can
eliminate some candidate suppliers and finds some
who may have the data.
It then encrypts the full data handle and a data
transfer key with the public key.
The supplier sends the data back using
through the proxy
Advantages
It is difficult to infer the data handle through
the partial hash code
The proxy alone cannot compromise the privacy
Through adjusting the revealed hash code, the
allowable error of the bloom filter can be
determined

116
Data transfer procedure after improvement 1
Requester Proxy of Supplier
Requester
R requester S supplier Step 1, 2 R sends out
the partial hash code of the data handle Step 3,
4 S sends the bloom filter of the handles and
the public key certificates Step 5, 6 R sends
the data handle and encrypted by the
public key Step 7, 8 S sends the required data
encrypted by
117
Trust based scheme Improvement 2

The above scheme does not protect the privacy of
the supplier
To address this problem, the supplier can respond
to a request via its own proxy

118
Trust based scheme Improvement 2
Requester Proxy of Proxy
of Supplier Requester
Supplier
119
Trustworthiness of peers

The trust value of a proxy is assessed based on
its behaviors and other peers recommendations
Using Kalman filtering, the trust model can be
built as a multivariate, time-varying state vector

120
Conclusion

A trust based privacy preservation method for
peer-to-peer data sharing is proposed
It adopts the proxy scheme during the data
acquirement
Extensions
Solid analysis and experiments on large scale
networks are required
A security analysis of the proposed mechanism is
required

121
Related Ongoing Research