Yan Chen - PowerPoint PPT Presentation

Loading...

PPT – Yan Chen PowerPoint presentation | free to download - id: 7c02b9-ODU0M



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Yan Chen

Description:

Intrusion Detection and Forensics for Self-defending Wireless Networks Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and ... – PowerPoint PPT presentation

Number of Views:41
Avg rating:3.0/5.0
Slides: 46
Provided by: Yao83
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Yan Chen


1
Intrusion Detection and Forensics for
Self-defending Wireless Networks
  • Yan Chen
  • Lab for Internet and Security Technology (LIST)
  • Dept. of Electrical Engineering and Computer
    Science
  • Northwestern University
  • http//list.cs.northwestern.edu

2
Security Challenges in GIG Wireless Networks
  • In addition to sharing similar challenge of wired
    net
  • High speed traffic (e.g., WiMAX)
  • Zero-day threats
  • Lack of quality info for situational-aware
    analysis attack target/strategy, attacker
    (botnet) size, etc.
  • Wireless networks are more vulnerable
  • Open media
  • Easy to sniff, spoof and inject packets
  • Open access
  • Hotspots and potential large user population
  • Attacking is more diverse
  • On media access (e.g., jamming), but easy to
    detect
  • On protocols (our focus)

3
Self-Defending Wireless Networks
  • Network-based adaptive intrusion detection and
    mitigation systems for emerging threats
  • Polymorphic zero-day worm signature generation
    (done)
  • Automated analysis of large-scale botnet probing
    events for situation aware info (ongoing)
  • Proactive vulnerability analysis and defense of
    wireless network protocols at various layers
  • WiMAX IEEE 802.16e MAC layer (done)
  • Mobile IP v4/6 network layer (done)
  • Authentication layer (generalized to various
    wireless cellular networks, ongoing)

4
Outline
  • Overall approach and achievement
  • Accomplishment this year
  • Highlight Error-message based DoS attacks of
    wireless networks and the defense

5
Accomplishments on Publications
  • Four conference, one journal papers and two book
    chapters
  • Accurate and Efficient Traffic Monitoring Using
    Adaptive Non-linear Sampling Method", in the
    Proc. of IEEE INFOCOM, 2008
  • A Survey of Existing Botnet Defenses , in Proc.
    of IEEE IWSSE 2008.
  • Honeynet-based Botnet Scan Traffic Analysis",
    invited book chapter for Botnet Detection
    Countering the Largest Security Threat,
    Springer, 2007.
  • Integrated Fault and Security Management,
    invited book chapter for Information Assurance
    Dependability and Security in Networked Systems,
    Morgan Kaufmann Publishers, 2007.
  • Reversible Sketches Enabling Monitoring and
    Analysis over High-speed Data Streams, in
    ACM/IEEE Transaction on Networking, Volume 15,
    Issue 5, Oct. 2007.
  • Network-based and Attack-resilient Length
    Signature Generation for Zero-day Polymorphic
    Worms, in the Proc. of the IEEE ICNP, 2007.
  • Detecting Stealthy Spreaders Using Online
    Outdegree Histograms, in the Proc. Of IEEE
    International Workshop on Quality of Service,
    2007.
  • Collaborated publication with Dr. Keesook Han
    from AFRL
  • Resulted from joint research on botnet.
  • Obtain binary/source from Dr. Han
  • Plan to use the testbed developed at AFRL

6
Accomplishments This Year
  • Automatic zero-day polymorphic worm signature
    generation systems for high-speed networks
  • Fast, noise tolerant w/ proved attack resilience
  • Published in IEEE International Conference on
    Network Protocols (ICNP) 2007 (14 acceptance
    rate).
  • A patent filed through Motorola.
  • Potential technology transfer thru Motorola

7
Limitations of Exploit Based Signatures
Signature 10.01
Traffic Filtering
Internet
Our network
X
X
Polymorphism!
Polymorphic worms might not have exact exploit
based signatures.
8
Vulnerability Signatures
Vulnerability signature traffic filtering
Internet
X
X
Our network
X
X
Vulnerability
  • Use protocol semantics to express vulnerability
  • Work for all the worms which target the same
    vulnerability

9
Accomplishments This Year II
  • Automating Analysis of Large-Scale Botnet
    Probing Events
  • What scanning strategies does the probing employ
    ?
  • Is this an attack that specifically targets the
    site, or is the site only incidentally probed as
    part of a larger attack ?
  • Leverage honeynet for bot probe detection
  • Ten /24 honeynet from LBNL, five running honeyd,
    others dark.

10
Approaches
  • Statistical testing of scan properties trend,
    uniformity, coordination, and use of
    pre-generated hit lists.
  • Two approaches for global property extrapolation
  • Use IPID and ephemeral port continuity
  • Use probe interarrival times

11
Extrapolated Properties and Results
  • Evaluated w/ 12 month LBNL traces (220GB)
  • 49 uniform random scan
  • 40 hit list scan, majority of them (94) also
    uniform
  • Cross-validation with Dshield dataset
  • Largest global alert repository
  • All extrapolated scope within a factor of 1.5

12
Error-message Based DoS Attacks of Wireless
Networks and the Defense
13
Vulnerability and Attack Methodology
  • Processing error messages imprudently
  • Error messages are in clear text before
    authentication
  • Messages are trusted without integrity check
  • Attacking requirements
  • Sniffing easy for wireless networks
  • Spoofing before authenticated
  • Easy for wireless LANs doable for cellular
    networks
  • Basic attack ideas
  • Spoof and inject error messages or wrong messages
    that trigger error messages to clients and/or
    servers.
  • Maybe a known problem but largely ignored

14
Outline
  • Vulnerability and Attack Methodology
  • Attack Case Studies
  • EAP protocols for wireless and cellular networks
  • Mobile IPv6 route optimization protocol (skipped)
  • Countermeasures
  • Conclusions

15
EAP Authentication on Wireless Networks
Challenge/Response
TLS
Authentication primitive
EAP-FAST
PEAP
EAP-TTLS
EAP-AKA
EAP-SIM
EAP-TLS
Authentication method layer
Extensible Authentication Protocol (EAP)
EAP Layer
EAP Over LAN (EAPOL)
802.11 WLAN
GSM
UMTS/ CDMA2000
Data Link Layer
16
TLS Authentication Procedure
TLS Handshake Protocol Client and server
negotiate a stateful connection using a handshake
procedure.
17
DoS Attacks on TLS Authentication
  • Sniff to get the client MAC address and IDs
  • Packet in clear text before authentication
  • Send spoofed error messages
  • Before authentication is done, attacker spoofs an
    alert message of level fatal, followed by a
    close notify alert.
  • Then the handshake protocol fails and needs to be
    tried again.
  • Complete the DoS attack
  • The attacker repeats the previous steps to stop
    all the retries
  • When this attack happens, WPA2,WPA or WEP are all
    in clear text.

18
DoS Attacks on TLS Illustration
  • Sending Error Alert message of level Fatal
  • Can either attack client or server

19
DoS Attack on Challenge/Response over EAP-AKA
Server End
Client End
EAP-Request/Identity
EAP-Response/Identity (NAI)
AKA-Challenge (RAND, AUTN, MAC)
AKA-Response (RES, MAC)
EAP-Success
Simple attack Sending Error Rejection/
Notification message
20
DoS Attack Experiment on a WiFi Network with PEAP
Protocols
  • Hardware
  • Wifi cards with Atheros chipsets (e.g., Proxim
    Orinoco Gold wireless adapter)
  • MADWifi driver
  • Code implementation
  • Libraries
  • Sniffing Libpcap library
  • Spoofing Lorcon library
  • Attacking code
  • About 1200 lines of C code in Ubuntu linux

21
Field Test Results
  • We conducted the EAP-TLS attack experiments at a
    Cafeteria.
  • 7 mobile hosts and one Attacker
  • Weve successfully attacked all of them in one
    of the two channels

22
Attack Efficiency Evaluation
Attack Point 1 Attack Point 1
Ratio by of Messages 25.00 1/4
Ratio by Bytes 15.89 78/491
Attack Point 2 Attack Point 2
Ratio by of Messages 28.57 2/7
Ratio by Bytes 14.87 156/1049
  • For example, when attack happens at the second
    point
  • Just need to send 156 bytes of message to screw
    the whole 1049 bytes authentication messages.

23
Scalability Evaluation by NS2 Simulations
  • Vary the of simultaneous sign-on clients up to
    100
  • All results are based on an average of 100 runs.
  • Shows that the attacker is scalable very few
    clients are able to authenticate successfully.

24
NS-2 Simulation Results II
  • Even better results when sending error messages
    more aggressively by reducing the CWMin parameter
    of the attacker
  • The back-off time of attacker is reduced.

25
Outline
  • Vulnerability and Attack Methodology
  • Attack Case Studies
  • EAP protocols for wireless and cellular networks
  • Mobile IPv6 route optimization protocol (skipped)
  • Countermeasures
  • Conclusions

26
Countermeasures
  • Enhance the robustness of the authentication
    protocol for wireless access
  • Delay decision making process by waiting for a
    short time for a success message (if any) to
    arrive and
  • Give preference to success messages than the
    error ones.
  • Implemented and successfully thwart EAP-TLS
    attacks

27
Conclusions
  • We have designed new methods to launch DoS
    attacks on security protocols using error
    messages.
  • We found that any security protocol is vulnerable
    to such attacks as long as it supports a few
    error messages before the authentication step.
  • As far as we know, no authentication protocol
    currently is secure against such attacks.
  • We demonstrated the effect of these attacks on
    TLS and MIPv6 protocols.
  • We suggest a few guidelines for the protocol
    designers and implementers to defend such
    attacks.

28
Intrusion Detection and Forensics for
Self-defending Wireless Networks Yan Chen,
Northwestern University
asdf
  • Proactively secure wireless networks via
  • searching unknown protocol vulnerabilities.
  • Automatically detect and filter zero-day
  • polymorphic worms.
  • Accurate network-based intrusion
  • detection and prevention.

Objective
Vulnerability analysis of various wireless
network protocols.
  • Accomplishments
  • Find error-message based attacks and propose
    defense schemes.
  • Design implement length-based signature
    generation for zero-day polymorphic worms.
  • Challenges
  • Various and complicated network protocols
  • Large number of vulnerability signatures and
    high-speed traffic volume.
  • Complete protocol vulnerability
  • search and defense
  • Network-based automatic signature
  • generation for polymorphic worms
  • Efficient matching with a large vulnerability
  • signature ruleset

Scientific/Technical Approach
29
Backup Slides
30
The Spread of Sapphire/Slammer Worms
31
The Current Threat Landscape of Wireless Networks
  • Wireless networks, crucial for GIG, face both
    Internet attacks and their unique attacks
  • Viruses/worms e.g., 6 new viruses, including
    Cabir and Skulls, with 30 variants targeting
    mobile devices
  • Botnets underground army of the Internet,
    emerging for wireless networks
  • Big security risks for wireless networks
  • Few formal analysis about wireless network
    protocol vulnerabilities
  • Existing (wireless) IDSes only focus on existing
    attacks
  • Ineffective for unknown attacks or polymorphic
    worms
  • Little work on attack forensics
  • E.g., how to identify the command-and-control
    (CC) channel of botnets?

32
Evaluation Methodology
  • Fully implemented and deployed to sniff a campus
    router hosting university Web servers and several
    labs.
  • Run on a P4 3.8Ghz single core PC w/ 4GB memory.
  • Much smaller memory usage. E.g., http 791
    vulnerability sigs from 941 Snort rules
  • DFA 5.29 GB vs. NetShield 1.08MB

33
EAP and TLS Authentication
  • Extensible Authentication Protocol (EAP) is a PPP
    extension
  • Provides support for additional authentication
    methods within PPP.
  • Transport Layer Security (TLS)
  • Mutual authentication
  • Integrity-protected cipher suite negotiation
  • Key exchange
  • Challenge/Response authentication with pre-shared
    keys
  • Pre-shared key (Ki) in SIM and AuC
  • Auc challenges mobile station with RAND
  • Both sides derive keys based on Ki and RAND

34
Practical Experiment
  • For the 33 different tries
  • All suffered an attack at Attack Point-1
  • 21 survive from the first attack but failed at
    the 2nd Attack Point.

35
  • Simulate one TLS-Server, one TLS-Attacker and
    range the TLS-Clients between 1 to a maximum of
    100.
  • The number of clients authenticate to the TLS
    server simultaneously.
  • Its extremely rare case
  • Base Station was set up to interface between the
    wired and wireless networks.
  • The duplex-link between the BS and the TLS-Server
    was of 100MBps with a 10ms delay.

36
Case 2 Mobile IPv6 Routing-Optimization
protocol
37
Mobile IPv6
  • Mobile IPv6 is a protocol which allows nodes to
    remain reachable while moving around in the IPv6
    Internet.
  • Each mobile node is always identified by its home
    address, regardless of its current point of
    attachment to the Internet.
  • IPv6 packets addressed to a mobile node's home
    address are transparently routed to its care-of
    address.
  • The protocol enables IPv6 nodes to cache the
    binding of a mobile node's home address with its
    care-of address, and to then send any packets
    destined for the mobile node directly to it at
    this care-of address

38
Return Routability Procedure
  • The procedure begins when the MN sends HoTI
    message to CN through HA and CoTI message
    directly to CN.
  • Upon the receipt of the Binding Update, CN adds
    an entry for the MN in its Binding Cache and
    optionally sends Binding Acknowledgement.
  • Once this happens, MN and CN will be capable of
    communicating over a direct route.
  • This way, the route between MN and CN is
    optimized.

39
Return Routability Procedure
  • Once Return Routability happens, MN and CN will
    be capable of communicating over a direct route
  • The route between MN and CN is optimized.

40
The Vulnerability
  • Binding Error Vulnerability
  • Used to disable the Routing Optimization
    procedure.
  • Binding Error message set Status to 2
    (unrecognized MH Type value), Then the mobile
    node SHOULD cease the attempt to use route
    optimization.
  • The Binding Error message is not protected.
  • Bind Acknowledgement Vulnerability
  • The Bind Acknowledgement vulnerability affects
    the Return Routability procedure
  • Binding Acknowledgement with status 136, 137 and
    138 is used to indicate an error and not
    protected in any way
  • Hence, it could be easily spoofed by an external
    entity

41
The Vulnerability
  • Bind Error Vulnerability

42
The Vulnerability
  • Bind Acknowledgement Vulnerability

43
Experiment Environment
44
Evaluation
  • The MIPv6 Experiment is based on a LAN testbed.
  • Except the Mobile Node, all other components such
    as Home Agent and Correspondence Node are all
    connected via wired cable in the Northwestern
    network.
  • We collected the data through 100 times
    experiment. Observed via the Wireshark running on
    the Mobile Node, for one successful attack, the
    time window is about 5ms in average and the
    Standard Deviation is 0.108ms for distribution
  • The time consumed by computing the spoofed Error
    message is 0.0203ms in average. The closer the
    attack to the Mobile Node, the higher probability
    we get for launching a successful Error Message
    attack.

45
PEAP Enhancement
  • Original WPA supplicant v0.5.10
  • Generate TLS ALERT on unexpected messages
  • Stop authentication on TLS ALERT
  • Delayed response implementation
  • Drop unexpected message silently
  • Wait for 1 second when receiving TLS ALERT to
    allow multiple responses, and ignore TLS ALERT
    response if good responses are received.
  • Verification
  • Redid the attack experiments and prove the
    effect of the countermeasures
About PowerShow.com