Research Direction Introduction

Post on 22-Feb-2016


Advisor: Professor Frank Y.S. Lin
Presented by Hubert J.W. Wang

NTU OPLab

Outline

• Problem Description
• Mathematical Formulation

2010/12/16

Problem Description

• Problem
▫ Topology information gathering
▫ Jamming attack

• Environment
▫ Infrastructure/Backbone WMNs

• Role
▫ Attacker
▫ Defender (service provider)

Defender

• Attributes
▫ Nodes
  Base Station
  Mesh router (with 2 NICs)
  Mesh client
  Honeynode (with 3 NICs)
  Locator: Static, Mobile

Defender (cont’)

• Attributes
▫ Budget
  Planning phase
    Topology planning
    Non-deception based: General defense resource, Detection resource, Localization resource
    Deception based
  Defending phase
    Jamming mitigation
    Localization: Approximate, Precise

Defender (cont’)

• Strategies
▫ Planning phase
  Deterrence
  Deception
▫ Goal
  Protect BS
  Protect nodes with high population
  Protect nodes with high traffic
  Protect valuable information (e.g. routing table, traffic)

Defender (cont’)

• Strategies
▫ Defending phase
  Population re-allocation: Average population, Average traffic
  Priority of jammer removing: Importance oriented, Difficulty oriented

Attacker

• Attributes
▫ Budget
  Preparing phase
    Node compromising
    Jammer choosing: High quality jammers, Normal jammers
▫ Capability
  Capability of compromising nodes
  Capability of recognizing fake info.

Attacker (cont’)

• Strategies
▫ Preparing phase
  Node compromising
    Be aggressive
    Least resistance
    Be stealthy
    Easiest to find
    Topology extending
    Random

Attacker (cont’)

• Strategies
▫ Preparing phase (cont’)
  Jammer selection
    Maximize attack effectiveness
    Maximize jammed range

Attacker (cont’)

• Strategies
▫ Attacking phase
  Maximize jammed users
  Maximize affected traffic

Scenario

[Figure: network scenario. Legend: Base Station, Mesh router, Honeynode, Compromised mesh router, Jammed mesh router, Jammer, Attacker, Nodes with more defense resource]

Scenario (cont’)

• For attacker
▫ Objective: Service disruption
▫ Incomplete information of the network
▫ Budget limited

• For defender
▫ Objective: Maintain the quality of service
▫ Budget limited

Scenario – Network Architecture

[Figure: network architecture. Legend: Base Station, Mesh router]

Scenario – Defender’s Planning Phase

[Figure: network topology with the BS and a node with high population marked. Legend: Base Station, Mesh router. Defender’s callout: "I must protect Core Nodes"]

Scenario – Defender’s Planning Phase (cont’)

[Figure: network topology with nodes A to G. Legend: Base Station, Mesh router, Honeynode, Attacker, Nodes with more defense resource. Defender’s callout: "I must protect Core Nodes"]

Why didn’t the defender protect all the nodes with high population?
1. Budget limited.
2. The effectiveness of doing so may not be the best.
3. There are other ways to deploy resources.

Effect of the defense resource may be:
1. Reduce the probability of being compromised
2. Prevent the attacker from getting closer to the important nodes.
3. Attract attacks to prevent it from getting close to the important nodes.
4. Avoid attacks to prevent it from getting close to the important nodes.

Scenario – Attacker’s Preparing Phase

[Figure: signal strength (values of 20 or 90) observed around nodes A to G]

Initially, the attacker has the following info:
1. Number of channels.
2. Signal power of each channel.
3. Traffic amount of each channel.
4. Defense strength of each mesh node.

Scenario – Attacker’s Preparing Phase (cont’)

The honeynode: If the real channel is compromised, the attacker will be able to identify this target in the attacking phase.

Scenario – Attacker’s Preparing Phase (cont’)

The attacker’s strategies:
Maximize attack effectiveness.
Maximize jammed users

The initial node will be the node with the strongest signal power.

Scenario – Attacker’s Preparing Phase (cont’)

[Figure: network topology with nodes A to L. Legend: Base Station, Mesh router, Honeynode, Compromised mesh router, Attacker, Nodes with more defense resource]

Scenario – Attacker’s Preparing Phase (cont’)

[Figure: signal strength (values of 20 or 90) observed around nodes A, B, D, E, F, G, H, I, J, K, L]

After compromising a mesh router, the attacker has the following info:
1. Number of channels.
2. Signal power of each channel.
3. Traffic amount of each channel.
4. Defense strength of each mesh node.
And…

From the compromised mesh router, the attacker obtained:
1. Routing table info
2. Location info of the mesh router.
3. Traffic info
4. Number of users

Scenario – Attacker’s Preparing Phase (cont’)

[Figure: signal strength and number of users shown for nodes A, B, D, E, F, G, H, I, J, K, L]

After compromising a mesh router, the attacker has the following info:
1. Number of channels.
2. Signal power of each channel.
3. Traffic amount of each channel.
4. Defense strength of each mesh node.
5. Number of traffic sources

Scenario – Attacker’s Preparing Phase (cont’)

The attacker selects the next hop with the info obtained from compromised mesh routers, if available: the node with the highest number of traffic sources.

Scenario – Attacker’s Preparing Phase (cont’)

[Figure: network topology with nodes A to N. Legend: Base Station, Mesh router, Honeynode, Compromised mesh router, Attacker, Nodes with more defense resource]

The action of compromising a honeynode will have the following results:
1. Succeed
  • Aware of the fact that it’s a honeynode.
  • Not aware of
2. Failed

Scenario – Attacker’s Preparing Phase (cont’)

The attacker selects the next hop with the info obtained from compromised mesh routers, if available.

[Figure: per-node labels (signal strength, number of users): B (90, 30); A (90, 21); G (20, 6); C (90, 112); E (20, 28); D (20, 90); K (90, 27); L (90, 24); M (90, 25); N (90, 18)]

However, the node which was compromised by the attacker was a honeynode. Thus, it obtained the following fake info:
1. Population
2. Traffic of the neighbors

The defender will lead the attacker to:
1. Unimportant area
2. Nodes with greater defense strength.

Relatively low traffic sources on important nodes.
High traffic sources on unimportant nodes.

Select node C as next hop

Scenario – Attacker’s Preparing Phase (cont’)

[Figure: network topology with nodes A to N. Legend: Base Station, Mesh router, Honeynode, Compromised mesh router, Attacker, Nodes with more defense resource. Annotation: "Failed to compromise"]

Scenario – Attacker’s Preparing Phase (cont’)

[Figure: network topology with nodes A to R, same legend. Annotation: "Compromised 2nd choice node D"]

Scenario – Attacker’s Preparing Phase (cont’)

[Figure: per-node labels (signal strength, number of users): B (90, 30); A (90, 21); G (20, 6); E (20, 28); O (20, 29); R (20, 22); Q (90, 98); C (90, 32); D (20, 8); P (90, 35)]

Select node N as next hop.

But what will the attacker do if he compromised a honeynode?

When the attacker has compromised a honeynode, he may obtain:
1. Only fake info
2. Mixture of fake and true info.

Attacker’s callout: "What should I do? Just ignore it? Or attack the node they try to protect?"

Attackers with high capacity have a greater probability of distinguishing between true and fake.

Scenario – Attacker’s Preparing Phase – Attack Detection

[Figure: per-node labels (signal strength, number of users): B (90, 30); A (90, 21); G (20, 6); E (20, 28); O (20, 29); R (20, 22); Q (90, 98); C (90, 32); D (20, 8); P (90, 35). One node is marked "Capable of attack detection"]

Defender’s callout: "Being attacked? What should I do to protect QoS?"

Scenario – Attacker’s Preparing Phase – Attack Detection (cont’)

Re-allocate the population on its neighbors.

Scenario – Attacker’s Preparing Phase – Attack Detection (cont’)

Real population on D’s neighbor

[Figure: per-node labels (signal strength, real population): B (90, 2); A (90, 5); G (20, 6); E (20, 20); O (20, 8); R (20, 4); Q (90, 3); C (90, 15); D (20, 8); P (90, 22)]

Re-allocation strategy might be:

Scenario – Attacker’s Preparing Phase – Attack Detection (cont’)

Re-allocation strategy: Average Population

[Figure: per-node labels (signal strength, population after re-allocation): B (90, 10); A (90, 9); G (20, 9); E (20, 9); O (20, 9); R (20, 10); Q (90, 10); C (90, 9); D (20, 9); P (90, 9)]

Average the QoS impact caused by jamming

Scenario – Attacker’s Preparing Phase – Attack Detection (cont’)

[Chart: Normal vs. Jammed, axis from 70 to 90. Origin: 93; Maximum: 91; Average: 84; Minimum: 71]

Scenario – Attacker’s Preparing Phase – Attack Detection (cont’)

[Chart: Normal vs. Jammed, axis from 75% to 95%. Origin: 100%; Maximum: 97.8%; Average: 90.3%; Minimum: 76.3%]
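The "Average Population" strategy and the two charts above can be reproduced from the real populations on D and its neighbours. This is an added example, not part of the original slides. It assumes that the chart values are the population still served when no node, the least-populated node, an average node, or the most-populated node is jammed, that every client can reach every listed node, and that the optional `capacity` is a hypothetical per-node client cap standing in for the limit t(ρi).

```python
from typing import Dict, Optional

# Real population on D and its neighbours, copied from the slide.
REAL_POPULATION = {"B": 2, "A": 5, "G": 6, "E": 20, "O": 8,
                   "R": 4, "Q": 3, "C": 15, "D": 8, "P": 22}


def average_population(population: Dict[str, int],
                       capacity: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Re-allocate clients as evenly as possible across the nodes.

    capacity is a hypothetical per-node client cap (assumption: the slides
    state the limit t(rho_i) in traffic, not in clients). None means no cap.
    """
    total = sum(population.values())
    cap = dict(capacity) if capacity else {n: total for n in population}
    if sum(cap[n] for n in population) < total:
        raise ValueError("caps too small to hold every client")
    result = {n: 0 for n in population}
    for _ in range(total):
        # The next client goes to the least-loaded node that still has room;
        # ties are broken by node name so the result is deterministic.
        node = min((n for n in result if result[n] < cap[n]),
                   key=lambda n: (result[n], n))
        result[node] += 1
    return result


def served_after_one_jam(population: Dict[str, int]) -> Dict[str, float]:
    """Clients still served when a single node is jammed (assumed chart metric)."""
    total = sum(population.values())
    return {
        "origin": total,                              # nothing jammed
        "maximum": total - min(population.values()),  # least-populated node jammed
        "average": total - total / len(population),   # mean over all nodes
        "minimum": total - max(population.values()),  # most-populated node jammed
    }


if __name__ == "__main__":
    before = served_after_one_jam(REAL_POPULATION)
    after = served_after_one_jam(average_population(REAL_POPULATION))
    for name, row in (("real", before), ("averaged", after)):
        print(name, {k: round(v) for k, v in row.items()})
```

On the slide's values the mean case is the same before and after re-allocation, while the worst case rises from 71 to 83 served clients, which is the sense in which the strategy averages the QoS impact.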

Scenario – Attacker’s Preparing Phase – Attack Detection (cont’)

Real population on D’s neighbor

[Figure: per-node labels (signal strength, real population): B (90, 2); A (90, 5); G (20, 6); E (20, 20); O (20, 8); R (20, 4); Q (90, 3); C (90, 15); D (20, 8); P (90, 22). One node is marked "Capable of attack detection"]

Re-allocation strategy: Average Traffic

Minimize the QoS impact caused by jamming

Scenario – Attacker’s Preparing Phase (cont’)

[Figure: network topology with nodes A to X. Legend: Base Station, Mesh router, Honeynode, Compromised mesh router, Attacker, Nodes with more defense resource]

Scenario – Attacker’s Attacking Phase

[Figure: network topology with nodes A to X and jammers. Legend: Base Station, Mesh router, Honeynode, Compromised mesh router, Jammed mesh router, Jammer, Attacker, Nodes with more defense resource]

Annotations in the figure:
Jammed honeynode B
Jammed node V with high population
Jammed node P (not fake channel)
Jammed normal node F
Jammed honeynode U

Scenario – Attacker’s Attacking Phase (cont’)

[Figure: same topology and legend as the previous slide]

Range overlapped, the fake channel jammed.

Although the ranges seem to overlap, the jammers attacked two different channels.

Scenario – Defender’s Defending Phase

[Figure: network topology with nodes A to X and jammers. Legend: Base Station, Mesh router, Honeynode, Compromised mesh router, Jammed mesh router, Jammer, Attacker, Nodes with more defense resource]

To minimize the total effectiveness of jamming, the defender will tend to remove these nodes first:
1. High population
2. Not fake channel

Their sequence will be…
1) Jammed node V with high population
2) Jammed normal node F
3) Jammed node P (not fake channel)
4) Jammed honeynode B
5) Jammed honeynode U

Scenario – Defender’s Defending Phase – Channel Surfing

[Figure: same topology and legend as the previous slide]

The function of channel surfing:
1. Mitigate the impact of jamming
  Time
  Effectiveness

Range overlapped. If the mesh router switches to another channel:
1. Jammed time shortened.
2. Jammers are not able to know which channel is the original channel unless it’s compromised.

Scenario – Defender’s Defending Phase – Localization

[Figure: network topology. Legend: Base Station, Mesh router, Honeynode, Compromised mesh router, Jammed mesh router, Jammer, Attacker, Nodes with more defense resource]

Two types of locator:
1. Static
2. Mobile

Scenario – Defender’s Defending Phase – Localization

Static locator:
1. Mesh routers

Scenario – Defender’s Defending Phase – Localization

Static locator:
2. Reference points

[Figure: topology on a grid from 0 to 30 meters on both axes]

Deployed in the topology with the given density.

The density is defined as locators per length unit. In this case, the unit is 10 meters.

Scenario – Defender’s Defending Phase – Localization

[Figure: topology on a grid from 0 to 30 meters on both axes, with a mobile locator]

Mobile locator: Capable of precise localization function

Annotation: Jammer which is not able to be approximately localized

Scenario – Defender’s Defending Phase – Localization

[Figure: same grid with the mobile locator, Reference point 1 and Reference point 2]

Scenario – Defender’s Defending Phase – Localization

[Figure: same grid with the mobile locator and multiple jammers. Annotations: Reference point 1 (useless), Reference point 2, Reference point 3, Reference point 4, Multiple jammers, One of the jammers removed]

Mathematical Formulation

Assumptions

1. The communications between mesh routers and between mesh routers and mesh clients use different communication protocols.
2. All the packets are encrypted. Thus, the attacker can’t directly obtain information in the communication channels.
3. The defender has complete information of the network, which is attacked by a single attacker with different strategies.
4. The attacker is not aware of the topology of the network. Namely, it doesn’t know that there are honeynodes in the network and which nodes are important, i.e., the attacker only has incomplete information of the network.

Assumptions (cont’)

5. There are two kinds of defense resources, the non-deception based resources and the deception based resources.
6. There are multiple jammers in the network, and their jamming ranges might overlap.
7. There is only constructive interference between jamming signals.

Given parameters

Notation        Description
$N$             The index set of all nodes
$H$             The index set of all honeynodes
$P$             The index set of the nodes with channel surfing technique
$Q$             The index set of the nodes with precise localization technique
$R$             The index set of the nodes with detection technique
$B$             The defender’s total budget
$Z$             All possible attack configurations, including attacker’s attributes and corresponding strategies
$E$             All possible defense configurations, including defense resources allocation and defending strategies
$F$             Total attacking times of all attackers
$A_i$           An attack configuration, including the attributes and corresponding strategies, where $1 \le i \le F$
$T_i(D, A_i)$   1 if the attacker can achieve his goal successfully, and 0 otherwise, where $1 \le i \le F$
$m(\rho_i)$     The cost of constructing a node with quality $\rho_i$, where $i \in N$
$n_i$           The non-deception based defense resources allocated to node $i$, where $i \in N$
$h(\varepsilon_i)$  The cost of constructing a honeynode with the interactive capability $\varepsilon_i$, where $i \in H$
$a(\varphi)$    The cost of constructing static locators with the density $\varphi$
$b$             The cost of constructing a channel surfing function to one node
$c$             The cost of constructing a precise localization technique to one node
$d$             The cost of constructing a detection technique to one node
$t(\rho_i)$     The maximum traffic of node $i$ with quality $\rho_i$, where $i \in N$

Decision variables

Notation        Description
$D$             The information regarding resources allocating and defending
$w_i$           1 if node $i$ is equipped with honeynode function, and 0 otherwise, where $i \in N$
$x_i$           1 if node $i$ is equipped with channel surfing function, and 0 otherwise, where $i \in N$
$y_i$           1 if node $i$ is implemented with precise localization technique, and 0 otherwise, where $i \in N$
$z_i$           1 if node $i$ is implemented with the detection technique, and 0 otherwise, where $i \in N$
$\varepsilon_i$ The interactive capability of honeypot $i$, where $i \in N$
$\rho_i$        The quality of node $i$, where $i \in N$
$\varphi$       The density of static locator

Objective function

$$\min_{D} \frac{\sum_{i=1}^{F} T_i(D, A_i)}{F} \tag{IP 1}$$

Constraints

• Defender’s budget constraints

$$D \in E \tag{IP 1.1}$$

$$A_i \in Z \tag{IP 1.2}$$

$$\sum_{i=1}^{N} m(\rho_i) + \sum_{i=1}^{N} n_i + \sum_{i=1}^{H} w_i h(\varepsilon_i) + a(\varphi) + \sum_{i=1}^{P} x_i b + \sum_{i=1}^{Q} y_i c + \sum_{i=1}^{R} z_i d \le B \tag{IP 1.3}$$

$$\sum_{i=1}^{N} m(\rho_i) \le B \tag{IP 1.4}$$

$$\sum_{i=1}^{N} n_i \le B \tag{IP 1.5}$$

$$\sum_{i=1}^{H} w_i h(\varepsilon_i) \le B \tag{IP 1.6}$$

$$a(\varphi) \le B \tag{IP 1.7}$$

$$\sum_{i=1}^{P} x_i b \le B \tag{IP 1.8}$$

$$\sum_{i=1}^{Q} y_i c \le B \tag{IP 1.9}$$

$$\sum_{i=1}^{R} z_i d \le B \tag{IP 1.10}$$

Constraints

• QoS constraints
▫ QoS is a function of:
  1. BS loading
  2. Utilization of mesh routers on the path to BS
  3. Hops to core node
  4. Fake traffic effect
  5. Population re-allocation effect
  6. Channel surfing effect
  7. Jammer removal

$$\frac{\int_{1}^{Y} Q_y(L_{BS}, U_{link}, H_{tocore}, F_{effect}, P_{effect}, C_{effect}, J_{effect})\,dy}{Y} \ge Q_{threshold} \tag{IP 1.11}$$

• QoS constraints (cont’)
▫ QoS after population re-allocation $\ge Q_{threshold}$
▫ The performance reduction caused by the jammed node should not violate IP 1.11.
▫ The performance reduction caused by the channel surfing should not violate IP 1.11.
(IP 1.12) (IP 1.13) (IP 1.14)

• Channel surfing constraints
▫ The mesh router must be equipped with channel surfing technique. (IP 1.15)
▫ The next channel to be selected must not be in use. (IP 1.16)
▫ Channel surfing function triggers only if the jammed channel is not a fake channel. (IP 1.17)

• Population re-allocation constraints
▫ The mesh clients to be re-allocated must be in the transmission range of the mesh routers other than the current mesh router. (IP 1.18)
▫ The total traffic of the mesh router $i$ after re-allocation must not exceed the maximum traffic limit $t(\rho_i)$, where $i \in N$. (IP 1.19)

• Approximate localization
▫ There must be at least three available reference points which are under the effect of the jamming attack in the jammed channel. (IP 1.20)

• Precise localization
▫ There must be at least one mobile locator in the network. (IP 1.21)

• Fake traffic
▫ The fake traffic sent to mesh router $i$ from the honeynodes must not make it exceed the maximum traffic limit $t(\rho_i)$, where $i \in N$. (IP 1.22)

• Integer constraints

$$w_i = 0 \text{ or } 1, \quad i \in N \tag{IP 1.23}$$

$$x_i = 0 \text{ or } 1, \quad i \in N \tag{IP 1.24}$$

$$y_i = 0 \text{ or } 1, \quad i \in N \tag{IP 1.25}$$

$$z_i = 0 \text{ or } 1, \quad i \in N \tag{IP 1.26}$$

The End

• Thanks for your attention.