Self-Measurement of the Information Security Level in a Monitoring System Based on Mobile Ad Hoc Networks

Presenter (報告者): 陳志昇

Posted: 20-Dec-2015

Page 1

Presenter: 陳志昇

Self-Measurement of the Information Security Level in a Monitoring System Based on Mobile Ad Hoc Networks

Page 2

Outline

• Ad-hoc network security overview (background)
• Security Metrics
• Security Measurement
• Self-Measurement of the Information Security Level in a Monitoring System
• Compare with IDS (Intrusion Detection System)
• Conclusions and future work
• References

Page 3

Ad-hoc network security overview (background) (1/4)

Why ad hoc networks need security even more: an ad hoc network is decentralised and relies on mutual cooperation between nodes to achieve connectivity and communication. Precisely because it depends on cooperation, it is prone to the problems brought by selfish nodes, which in turn endanger network security. Information spreads faster with the high churn of an ad hoc network (a consequence of high mobility), so viruses, rumours and the like must be guarded against all the more. The wireless environment uses an open medium for communication; although such a medium is freely available to everyone, it also brings serious threats.

Page 4

Ad-hoc network security overview (background) (2/4)

Why an ad hoc network is harder to secure than a wired network:

• Every node may be valuable and therefore a target (routing, resources).
• There are no trusted nodes (no central administration).
• Network-wide protective equipment such as a firewall cannot be used in a network that can form itself at any time.
• Each node in the network relies on its own intrusion protection, but there will always be one or two nodes whose protection is particularly weak, and they become the hole.
• Sleep and power-saving modes are very important for an ad hoc network, because mobility depends on battery power; this has given rise to a new kind of attack, sleep deprivation.

Page 5

Ad-hoc network security overview (background) (3/4)

Table 1. Types of attacks targeted at MANETs

ATTACK TYPE: EXPLANATION

Passive eavesdropping: Discovery of desired information by listening to routing data. Detection of this type of attack is challenging.

Denial of service: Produced either by unintentional failure or malicious action.

Impersonation: Nodes joining the network undetectably, or sending false routing information (black hole and wormhole attacks).

Energy exhaustion: Sleep deprivation torture is used by attackers.

Disclosure: Disclosure of critical information (data in nodes, routing data).

Page 6

Ad-hoc network security overview (background) (4/4)

MANETs' recent popularity:

• Self-configuration
• Self-maintenance

Page 7

Security Metrics (1/20)

The most widely used of these maturity models is the Systems Security Engineering Capability Maturity Model, SSE-CMM (ISO/IEC Standard 21827). Another well-known model, the Trusted Computer Security Evaluation Criteria (TCSEC, the Orange Book), expresses the security engineering process using classes and divisions as evaluation levels. Technical security metrics can be used to describe, and hence compare, technical objects.

Page 8

Security Metrics (2/20)

Technical security metrics can be used in the following ways:

• Goal establishment;
• Prediction: the security level can be predicted before implementation or in an implemented system;
• Comparison of the security level of technical objects;
• Monitoring or scanning the security level of an object;
• Enabling analysis: for example, in the case of the fault injection method, metrics make the analysis possible.

Page 9

Security Metrics (3/20)

The high-level security metrics will be a composition of a number of security metrics concentrating on different aspects of security.

A technical security metrics model consists of three components:

• The object being measured;
• The security objectives, i.e. the "measuring rod" the object is being measured against;
• The method of measurement.

Page 10

Security Metrics (4/20)

Table 3. An example metrics repository structure

Columns: METRICS CLASS | OBJECTS | METHODS | MEASURING ROD

Metrics classes (one row each; the objects, methods and measuring rod are filled in per class):

• Trust management
• Routing
• Mobility
• Human factors
• Cryptography
• Wireless-ness
• Scale
• Physical protection
• Product quality

Page 11

Security Metrics (5/20)

A compositional approach can be used to define security metrics for MANETs, with the following steps:

• Define security objectives: the security objectives can be defined based on knowledge of the security environment, assumptions and threats. Among other things, they should determine the required security level;
• Select component metrics based on the security objectives;
• Compose integrated security level information: the final composition mainly depends on the method of measurement. The composition can be used for both quantitative and qualitative security metrics.

Page 12

Security Metrics (6/20)

Some critical component metric areas that can be used in estimating the security level in mobile ad hoc networks:

• Critical Control Information Distribution in Network
• Cryptographic Algorithm Metrics
• Human Factors
• Product Quality
• Other Factors

Page 13

Security Metrics (7/20)

Critical Control Information Distribution in Network

• Trust information (e.g. keys, certificates, signatures)
• Routing information
• Mobile entity identity information
• A concept of friends for the establishment of security associations

Page 14

Security Metrics (8/20)

Trust information

The way to distribute trust can vary between two extreme cases:

• Single Certification Authority (CA): there is a single authority domain (a trusted entity) that issues certificates and/or keys.
• Full self-distribution of trust: in this case security does not originally rely on any trusted entity. There is no distinction between a CA and an end user (node).

Page 15

Security Metrics (9/20)

Trust information

Trust management in mobile ad hoc networks is currently the most critical and complex technical security challenge, having a strong impact on the overall security level.

Page 16

Security Metrics (10/20)

Routing information

Malicious nodes can modify routing information to break the functional correctness of the routing protocol, or impersonate other nodes to fabricate false routing information. Selfish nodes deliberately drop data packets, or manipulate routing information so that other nodes cannot use them as intermediate nodes on a forwarding path. The reasoning behind this selfishness is "for them, this consumes fewer resources", the resources being battery power, CPU or network bandwidth.

Page 17

Security Metrics (11/20)

Cryptographic Algorithm Metrics

• Attack steps metric: attack steps is defined as the number of steps required to perform "the best known attack";
• Attack time metric: attack time is defined as the time required to perform the fastest known attack;
• Rounds metric: rounds are important to the strength of some ciphers;

Page 18

Security Metrics (12/20)

Cryptographic Algorithm Metrics

• Key length metric: the security of a symmetric cryptosystem is a function of the length of the key. However, adding an extra bit does not always exactly double the effort required to break public key algorithms;
• Algorithm strength metric: "algorithm strength" can be used as the name of a scale developed for expressing the overall measurement of a cryptographic algorithm's strength.
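An added example (not from the slides) of the attack steps, attack time and key length metrics on slides 17 and 18, showing why one extra bit doubles exhaustive-search effort against a symmetric key but adds far less against an RSA modulus. It assumes the textbook heuristic GNFS cost L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, and an arbitrary attack rate of 10^12 steps per second.

```python
import math


def symmetric_attack_steps(key_bits: int) -> float:
    """Attack steps metric for exhaustive key search: on average half the key space."""
    return 2.0 ** (key_bits - 1)


def gnfs_attack_steps(modulus_bits: int) -> float:
    """Attack steps metric for an RSA modulus of the given size, using the textbook
    heuristic cost of the general number field sieve (o(1) term dropped):
    L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) with c = (64/9)^(1/3)."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return math.exp(c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3))


def attack_time_years(steps: float, steps_per_second: float = 1e12) -> float:
    """Attack time metric: attack steps converted to years at an assumed attack rate."""
    return steps / steps_per_second / (365.25 * 24 * 3600)


def effort_growth_per_bit(steps_metric, bits: int) -> float:
    """Factor by which the attack effort grows when one bit is added to the key."""
    return steps_metric(bits + 1) / steps_metric(bits)


def compare(sym_bits: int, rsa_bits: int) -> dict:
    """Attack steps (as log2), attack time and per-bit growth for both key types."""
    out = {}
    for kind, metric, bits in (("symmetric", symmetric_attack_steps, sym_bits),
                               ("rsa", gnfs_attack_steps, rsa_bits)):
        out[kind] = {"bits": bits,
                     "log2_steps": math.log2(metric(bits)),
                     "years": attack_time_years(metric(bits)),
                     "growth_per_bit": effort_growth_per_bit(metric, bits)}
    return out


if __name__ == "__main__":
    for kind, m in compare(128, 1024).items():
        print(f"{kind:9s} {m['bits']:5d} bits  ~2^{m['log2_steps']:.1f} steps  "
              f"{m['years']:.3g} years  x{m['growth_per_bit']:.3f} per extra bit")
```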

Page 19

Security Metrics (13/20)

Human Factors

• Human factors have an enormous impact on the global security level of mobile ad hoc networks.
• Metrics such as usability metrics and performance metrics form the baseline for metrics representing human factors.
• Performance issues have a strong influence on the usability of mobile ad hoc networks.
• In general, systems with a poor usability design tend to evoke a greater degree of user resistance.

Page 20

Security Metrics (14/20)

Product Quality

It must be noted that there are many situations in which the requirements of the different quality attributes and of security conflict. (In the case of MANETs, the "product" is both a node in the network and the whole network.) Software product quality can be evaluated by measuring internal attributes, by measuring external attributes, or by measuring quality-in-use attributes.

Page 21

Security Metrics (15/20)

Product Quality

• Measuring internal attributes: typically, static measures of intermediate products.
• Measuring external attributes: typically, by measuring the behaviour of the code when executed.

The characteristics of the ISO/IEC 9126 quality model for external and internal quality are depicted in Table 2.

Page 22

Security Metrics (16/20)

Product Quality

Table 2. External and internal quality

CHARACTERISTIC: SUB-CHARACTERISTICS

Functionality: Suitability, accuracy, interoperability, security, functionality compliance

Reliability: Maturity, fault tolerance, recoverability, reliability compliance

Usability: Understandability, learnability, operability, attractiveness, usability compliance

Efficiency: Time behaviour, resource utilization, efficiency compliance

Maintainability: Analysability, changeability, stability, testability, maintainability compliance

Page 23

Security Metrics (17/20)

Product Quality

Quality in use consists of effectiveness, productivity, safety, and satisfaction. The reader is referred to the above-mentioned standards for more information.

Page 24

Security Metrics (18/20)

Other Factors

• The wireless environment uses an open medium for communications. This medium is freely available and is a serious threat.
• The bigger the network, the more tempting it is for attackers.
• The level of protection affects the level of security.

Page 25

Security Metrics (19/20)

Challenges in Metrics Development

• Security measurement technology is immature: in many areas that need attention, the definition and use of metrics are still problematic.
• Lack of contribution from developers: in the early designs of new networking technologies, security questions are often left to be answered at a later date.
• Lack of a common and unambiguous notation: without a common notation for describing security, metrics are unlikely to be widely adopted.
• Use of subjective evaluation: if evaluation is generally subjective, metrics will be hard to use widely; objective evaluation should be used much more.

Page 26

Security Measurement (20/20)

The methods of security measurement can be divided into the following techniques:

• Risk analysis is an estimation of the probability of specific threats and vulnerabilities and of their consequences and costs; it can be thought of as a trade-off against the corresponding costs of protection;
• Certification is the classification of the system into classes based on its design characteristics and security mechanisms;
• Measures of the intrusion process are a statistical measurement of a system based on the effort it takes to make an intrusion.

Page 27

Security Measurement (1/2)

The objectives for the mechanism include the following:

• No central database can be used;
• Local monitoring in each node;
• Statistical knowledge of the security level is utilized;
• Measurement should be independent of the routing mechanism; and
• A decision mechanism to revoke the trust of suspicious nodes based on the observations of more than one node.

Page 28

Security Measurement (2/2)

Clearly, there are two separate goals in the estimation process:

• Estimation of the security level of a node
• Estimation of the security level of the network

Page 29

Self-Measurement of the Information Security Level in a Monitoring System (1/12)

This monitoring system is very similar to an IDS, so the IDS agent architecture shown in the figure on the left can serve as a reference.

Page 30

Self-Measurement of the Information Security Level in a Monitoring System (2/12)

An intrusion detection system (IDS) mainly detects three kinds of network attack behaviour:

1. Network probing and reconnaissance: for example, unauthorized probing for vulnerabilities and weaknesses in systems and services, using software tools such as SATAN, NMAP or NESSUS.
2. Unauthorized access: for example, system intrusion leading to stolen privileges or privilege escalation, using tools such as brute force or exploiting administrator mistakes and protocol weaknesses.
3. Denial of service attacks: making system services or the network unable to provide service normally, or damaging them, for example ping floods, SYN floods or UDP bombs.

Page 31

Self-Measurement of the Information Security Level in a Monitoring System (3/12)

In the estimation approach, the key elements of the architecture are:

• A Measurement Entity (ME) attached to each node, and
• A Voting Entity (VE).

A Countermeasure Entity (CME) is also used for the intrusion detection functionality. The estimation is carried out in a mobile ad hoc network by co-operation between MEs and VEs.

Page 32

Self-Measurement of the Information Security Level in a Monitoring System (4/12)

Each ME in the network maintains a private metrics repository with the following information for each metric:

• Metric objects: a collection of measurable objects to be measured, e.g. a property in routing information messages;
• Metric methods: methods associated with the metrics;
• Metric measuring rod: a database associated with the metrics that consists of reference information classified according to the level of security. The classification in the reference information may be based on quantitative or qualitative (using thresholds) reasoning.
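As an added illustration (not code from the slides or from Savola and Holappa's paper) of the three-component metrics model on slide 9, the compositional approach on slide 11 and the per-ME repository on this slide: each metric pairs a method that measures an object with a threshold-based measuring rod, and the component levels are then composed into one integrated security level. The metric methods, thresholds, weights, the 0..3 level scale and the node records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed security-level scale: 0 = untrusted, 1 = low, 2 = medium, 3 = high
LEVELS = {0: "untrusted", 1: "low", 2: "medium", 3: "high"}


@dataclass
class Metric:
    """One entry of an ME's private metrics repository (constructed model)."""
    name: str
    method: Callable[[dict], float]         # metric method: measures the object, returns a raw value
    measuring_rod: List[Tuple[float, int]]  # qualitative rod: (threshold, level), ascending
    weight: float = 1.0

    def classify(self, node: dict) -> int:
        """Measure the node and map the raw value to a level: the highest rod threshold
        reached wins; below the lowest threshold the object is classified as 0."""
        value = self.method(node)
        level = 0
        for threshold, rod_level in self.measuring_rod:
            if value >= threshold:
                level = rod_level
        return level


# Constructed metric methods over properties observed about a neighbouring node
def routing_consistency(node: dict) -> float:
    """Share of the node's routing advertisements confirmed by a second neighbour."""
    r = node["routing"]
    return r["confirmed"] / r["advertised"] if r["advertised"] else 0.0


def forwarding_ratio(node: dict) -> float:
    """Packets actually forwarded over packets accepted for forwarding (selfish-drop check)."""
    f = node["forwarding"]
    return f["forwarded"] / f["accepted"] if f["accepted"] else 0.0


def key_length(node: dict) -> float:
    """Key length the node negotiates, in bits."""
    return float(node["crypto"]["key_bits"])


# Repository: routing and forwarding carry double weight (assumed); rods are constructed
REPOSITORY = [
    Metric("routing", routing_consistency, [(0.5, 1), (0.8, 2), (0.95, 3)], weight=2.0),
    Metric("forwarding", forwarding_ratio, [(0.5, 1), (0.8, 2), (0.95, 3)], weight=2.0),
    Metric("crypto", key_length, [(80, 1), (112, 2), (128, 3)]),
]


def compose_security_level(node: dict, repo: List[Metric] = REPOSITORY) -> Tuple[int, Dict[str, int]]:
    """Compose component levels into one integrated level: weighted mean, rounded down;
    any component at level 0 pulls the whole object down to 0 (weakest link)."""
    parts = {m.name: m.classify(node) for m in repo}
    if min(parts.values()) == 0:
        return 0, parts
    total = sum(m.weight for m in repo)
    return int(sum(m.weight * parts[m.name] for m in repo) / total), parts


# Constructed observations: a well-behaved node and a selfish one that drops packets
GOOD_NODE = {"routing": {"advertised": 10, "confirmed": 9},
             "forwarding": {"accepted": 100, "forwarded": 97},
             "crypto": {"key_bits": 128}}
SELFISH_NODE = {"routing": {"advertised": 10, "confirmed": 10},
                "forwarding": {"accepted": 100, "forwarded": 40},
                "crypto": {"key_bits": 128}}
```

The selfish node advertises routes perfectly but forwards only 40 percent of accepted packets, so the forwarding metric alone drags its integrated level to "untrusted".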

Page 33

Self-Measurement of the Information Security Level in a Monitoring System (5/12)

The measuring rod database can include security level data that is either generally known or gathered from statistical data.

Downloadable updates for measuring rod information can be arranged. It could also be possible to develop a learning mechanism for the node, making it capable of learning about the security level and updating the measuring rod information itself.

Page 34

Self-Measurement of the Information Security Level in a Monitoring System (6/12)

A Voting Entity (VE) contains the same functionality as an ME. In addition, it has an organizer role in case several MEs are going to make decisions concerning the security level and trustworthiness of a node. In an ad hoc network, certain trusted nodes can act as VEs.

A Countermeasure Entity (CME) acts on the results obtained from the voting process. Certain trusted nodes can act as CMEs.

Because critical information is distributed among MEs, VEs and CMEs, a trust establishment and distribution mechanism is needed to enable the estimation and voting processes.

Page 35

Self-Measurement of the Information Security Level in a Monitoring System (7/12)

Estimation Process

An ME uses the data stored in its security metrics repository and its reputation repository to estimate, from its own point of view, the correct security level. A VE updates its own ME with the key information messages about node changes, so that the ME knows which neighbouring nodes to communicate with. Updates to the information in an ME's main reputation repository can be used to support the estimation of the network security level. A VE can obtain information updates from other VEs located in different parts of the network.

Page 36

Self-Measurement of the Information Security Level in a Monitoring System (8/12)

Page 37

Self-Measurement of the Information Security Level in a Monitoring System (9/12)

Table 4. An example reputation repository

Columns: OBJECT | SEC. LEVEL CLASSIFICATION AND MAPPING TO METRICS

Objects (one row each):

• Node 1 of own VE
• Node 2 of own VE
• Node N of own VE
• Node a of another VE
• Node b of another VE
• Message type c
• Application d
• Application e
• User f
• User g

Page 38

Self-Measurement of the Information Security Level in a Monitoring System (10/12)

Voting Process

A single ME can also report to its VE the security level it has estimated for some object, and the voting process can then be used to compare that opinion with the opinions of other MEs about the same object. The steps of the voting process are:

1. An ME detects suspicious activity by a neighbour;
2. The ME reports the finding to its VE;
3. The VE notifies all of its MEs;
4. Each ME reports its opinion about the suspicious node to the VE;
5. The VE sends the aggregated result to the CME, and also back to all MEs;
6. The CME makes a decision based on the voting result; for example, in the case of a serious threat, the IP address allocated to the suspected node can be revoked in order to isolate it;
7. Each ME's trust level for the suspected node can be updated according to the voting result.
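The seven steps above, simulated as an added example that is not part of the slides or the paper: the ME, VE and CME classes, the plain-mean aggregation, the revocation threshold, the trust update rule, the node ids and the observation scores are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class ME:
    """Measurement Entity of one node (constructed model)."""
    node_id: str
    observations: Dict[str, float] = field(default_factory=dict)  # own suspicion per neighbour, 0..1
    trust: Dict[str, float] = field(default_factory=dict)         # reputation repository, 0..1

    def opinion(self, suspect: str) -> float:
        """Step 4: this ME's own opinion about the suspect, reported to the VE."""
        return self.observations.get(suspect, 0.0)

    def update_trust(self, suspect: str, aggregated: float) -> float:
        """Step 7: move the local trust level (neutral 0.5 at first) halfway toward the vote."""
        self.trust[suspect] = 0.5 * self.trust.get(suspect, 0.5) + 0.5 * (1 - aggregated)
        return self.trust[suspect]

@dataclass
class CME:
    """Countermeasure Entity: acts on the aggregated voting result."""
    revoke_threshold: float = 0.6  # assumed: at or above this the threat counts as serious
    revoked: List[str] = field(default_factory=list)

    def decide(self, suspect: str, aggregated: float) -> str:
        """Step 6: a serious threat is isolated by revoking the node's allocated address."""
        if aggregated >= self.revoke_threshold:
            self.revoked.append(suspect)
            return "revoke_address"
        return "monitor"

@dataclass
class VE:
    """Voting Entity: organises the vote among its member MEs."""
    members: List[ME]
    cme: CME

    def handle_report(self, reporter: str, suspect: str) -> dict:
        """Steps 2-5 and 7: poll every member ME except the suspect, aggregate by plain mean,
        pass the result to the CME and hand it back to every ME."""
        voters = [me for me in self.members if me.node_id != suspect]
        votes = {me.node_id: me.opinion(suspect) for me in voters}
        aggregated = sum(votes.values()) / len(votes)
        decision = self.cme.decide(suspect, aggregated)
        for me in voters:
            me.update_trust(suspect, aggregated)
        return {"reporter": reporter, "suspect": suspect, "votes": votes,
                "aggregated": aggregated, "decision": decision}

def run_round(ve: VE, detect_threshold: float = 0.7) -> List[dict]:
    """Step 1: an ME whose own observation crosses the detection threshold reports the suspect
    to its VE; each suspect is voted on once per round and already revoked nodes are skipped."""
    results, seen = [], set(ve.cme.revoked)
    for me in ve.members:
        for suspect, score in me.observations.items():
            if score >= detect_threshold and suspect not in seen:
                seen.add(suspect)
                results.append(ve.handle_report(me.node_id, suspect))
    return results

def build_scenario() -> VE:
    """Constructed sample: X is seen misbehaving by three MEs, Y is flagged by one ME only."""
    return VE([ME("A", {"X": 0.9, "Y": 0.75}), ME("B", {"X": 0.7, "Y": 0.1}),
               ME("C", {"X": 0.2, "Y": 0.0}), ME("D", {"X": 0.8, "Y": 0.1})], CME())
```

Running `run_round(build_scenario())` isolates X on the combined evidence of three nodes, while Y, reported by a single ME, is only kept under observation, which is the "more than one node" objective from slide 27.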

Page 39

Self-Measurement of the Information Security Level in a Monitoring System (11/12)

Page 40

Self-Measurement of the Information Security Level in a Monitoring System (12/12)

Challenges in Estimation of the Security Level

• Trust management is also needed to enable the communication between the VEs, MEs and CMEs.
• Suitable estimation algorithms should be developed for the metrics framework. This is a challenging task and requires a rigorous analysis of the metrics to be used.
• As a long-term goal, general-level statistical knowledge has to be collected on security algorithms, network products, user behaviour, applications, experiences from virus and worm attacks, etc.

Page 41

Compare with IDS

The communication architecture is very similar to that of an IDS, but there are important differences. The estimation here is based on a set of security metrics and can reflect the overall network security level, whereas a typical IDS concentrates on detecting intrusions. The security level classification information is built from statistical data about different technical objects. Each node mainly performs the security level reasoning by itself; the security level information is obtained from the estimation process and can serve as a reference for the node's own decisions. This differs greatly from an IDS, which performs only intrusion detection and some decision-making. The security level information about different kinds of objects received by each node, together with democratic voting, are both very valuable when deciding whether to let another node join the network and when determining the trustworthiness of a newly joined node, and neither is available in an IDS.

Page 42

Conclusions and future work

Network-level security is increased due to the democratic voting mechanism of independent measurement entities, each independently aiming at a higher security level in the network.

Our future work will include further exploration of component metric areas and identification of the dependencies between them.

Page 43

References

[1] Savola, R.; Holappa, J. Self-measurement of the information security level in a monitoring system based on mobile ad hoc networks. In Proceedings of the 2005 IEEE International Workshop on Measurement Systems for Homeland Security, Contraband Detection and Personal Safety (IMS 2005), 29-30 March 2005, pp. 42-49.

[2] 資安人科技網, http://www.isecutech.com.tw/

[3] Zhang, Y.; Lee, W. Intrusion Detection in Wireless Ad Hoc Networks. In Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (MobiCom), Aug. 2000, pp. 275-283.

[4] Savola, R. Estimation of the Security Level in Wireless E-Commerce Environment based on Ad Hoc Networks. In Proceedings of the 5th European Conference of E-Learning, E-Business, E-Government, E-Work, E-Co-operation (E-COMM-LINE 2004), Bucharest, Romania, 21-22 Oct. 2004, 6 p.
[4] Savola, R. Estimation of the Security Level in Wireless E-Commerce Environment based on Ad Hoc Networks. In Proceedings of the 5 th European Conference of E-Learning, E-Business, E-Government, EWork, E-Co-operation E-COMM-LINE 2004, Bucharest, Romania, 21- 22 Oct. 2004. 6 p.