Cross-layer Analysis for detecting Wireless Misbehavior
Anand Patwardhan
Ph.D Candidate, eBiquity Group
Computer Science and Electrical Engineering Department
October 19, 2005

Securing MANETs
• Security for resources
  – Malicious behavior (Activity monitoring)
  – Misuse (Resource protection)
  – Response/recourse (Accountability)
• Trust in other resources
  – Dependence on recommendations (Identities and Reputations)
  – Reliability of information

Security Issues
• Wireless communication
  – Short range (802.11, Bluetooth etc.)
  – Open medium
• Identification and Authentication
  – PKI based solutions infeasible
  – No prior trust relationships
• Routing
  – Based on dynamic cooperative peer relations
  – Key to survival of MANET
• Device constraints
  – Power Conservation
  – Finite Storage
  – Computation power

Intrusion Detection Challenges
• Identity
  – Use SUCVs
• Mobility, congestion, radio interference
  – False positives
• Scalability
  – Large radio-ranges or dense networks
• Aggregation of data
  – Communicate intrusion data to warn others

Packet Forwarding
[Figure: nodes A, B and C, with datagrams dgram_in and dgram_out]

Datagram dgram_in has:
• Source IPv6 address, x ∈ U – {B,C}
• Destination IPv6 address, y ∈ U – {B,C}
• MAC source, mac(u), u ∈ U – {B,C}
• MAC destination, mac(B)

Corresponding dgram_out must have:
• Source IPv6 address, x
• Destination IPv6 address, y
• MAC source, mac(B)
• MAC destination, mac(u), u ∈ U – {B,C}

Stateful Packet Monitoring
[Figure: packets from the packet capture library (pcap) are decoded as Ethernet frame, then IPv6, then AODV { RREQ, RREP, RERR } or TCP { TCP sequence no., TCP checksum }. Box labels: "Build and maintain neighbor table: (mac, ipv6) pairs and route status"; "Update in-memory hash table"; "Packets that should be forwarded".]
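
Added example, not from the slides or the authors' implementation: the forwarding check from the Packet Forwarding and Stateful Packet Monitoring slides written as Python, where a monitor overhearing B records each dgram_in in a hash table and matches it against dgram_out by source address, destination address, TCP sequence number and TCP checksum. The `Frame` tuple, the `ForwardingMonitor` class, the 2-second timeout and all addresses are assumptions; frames are taken as already decoded from pcap.

```python
from collections import namedtuple

# Decoded fields of one overheard frame (constructed type, not a pcap API).
Frame = namedtuple("Frame", "mac_src mac_dst ip_src ip_dst tcp_seq tcp_csum")

class ForwardingMonitor:
    """Hypothetical watchdog on a node that overhears neighbour B's traffic."""

    def __init__(self, b_mac, excluded_ips, timeout=2.0):
        self.b_mac = b_mac
        self.excluded = set(excluded_ips)  # IPv6 addresses of B and C
        self.timeout = timeout             # assumed forwarding deadline (seconds)
        self.pending = {}                  # (src, dst, seq) -> (checksum, time seen)
        self.counts = {"forwarded": 0, "mangled": 0, "dropped": 0}

    def observe(self, f, now):
        if f.ip_src in self.excluded or f.ip_dst in self.excluded:
            return                         # x or y is B or C: not transit traffic
        key = (f.ip_src, f.ip_dst, f.tcp_seq)
        if f.mac_dst == self.b_mac and f.mac_src != self.b_mac:
            self.pending[key] = (f.tcp_csum, now)           # dgram_in
        elif f.mac_src == self.b_mac and key in self.pending:
            csum, _ = self.pending.pop(key)                 # matching dgram_out
            self.counts["forwarded" if csum == f.tcp_csum else "mangled"] += 1

    def expire(self, now):
        """Count every dgram_in that B did not retransmit within the timeout."""
        late = [k for k, (_, t) in self.pending.items() if now - t > self.timeout]
        for k in late:
            del self.pending[k]
            self.counts["dropped"] += 1
        return dict(self.counts)

def demo():
    """Constructed trace: B forwards one segment, mangles one and drops one."""
    a, b, d = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0d"
    src, dst = "2001:db8::a", "2001:db8::d"
    mon = ForwardingMonitor(b, {"2001:db8::b", "2001:db8::c"})
    trace = [
        (0.0, Frame(a, b, src, dst, 100, 0x1111)),
        (0.1, Frame(b, d, src, dst, 100, 0x1111)),  # forwarded intact
        (0.2, Frame(a, b, src, dst, 200, 0x2222)),
        (0.3, Frame(b, d, src, dst, 200, 0xBEEF)),  # checksum differs: mangled
        (0.4, Frame(a, b, src, dst, 300, 0x3333)),  # never retransmitted
    ]
    for ts, frame in trace:
        mon.observe(frame, ts)
    return mon.expire(now=5.0)
```

The TCP checksum is usable as a match key because it covers the IPv6 pseudo-header and the segment but not the hop limit, so an honest forwarder leaves it unchanged.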

Threats
• MAC/PHY level attacks
  – RTS, CTS attacks: gain unfair share of bandwidth, disruption
• Routing attacks
  – gray holes, black holes, worm holes …
• Attacks on data traffic
  – Dropping, mangling or injecting data packets
• Trustworthiness of resources, reliability of information
  – Identities, reputations, trust evolution

MAC vulnerabilities
• Wireless Misbehavior
  – MAC protocols have no inbuilt mechanism to prevent unfair contention resolution
  – Adversaries can:
      • gain unfair share of bandwidth
      • temporarily stall parts of the network, affect the routing process
• Prevention
  – Misbehavior-resilient backoff for contention resolution
• Challenges and shortcomings
  – Require core MAC protocol to be changed
  – Colluding adversaries can still subvert the scheme

Related Work
• Proposed approaches
  – Game theoretic models
  – Incentives for fair-sharing
  – Misbehavior resistant MAC contention
• Drawbacks
  – Colluding adversaries can subvert these schemes
  – Require changing core MAC protocol
  – Inefficient
  – Cannot prevent jamming

Sophisticated attacks
• Classical attacks are easy to detect using thresholds
  – Packet dropping, mangling, misrouting etc.
  – To evade detection attacker must stay under the detection threshold (insignificant disruption)
• However more sophisticated attacks are possible
  – Launching attacks at multiple levels, e.g. combining RTS attacks and packet drops
  – Any single attack signature might not suffice for detection
  – Observations on a single layer in isolation will be inconclusive

Intrusion Detection challenges
• Classifying intrusions
  – Threshold based
  – False positives: mobility, environmental conditions, limited radio range, short period of observations
• Increase accuracy and efficiency by
  – Incorporating factors like mobility, congestion and distance in classifying intrusions
  – Using signal strengths, response times to judge distance
  – Monitoring media contention and incoming traffic to judge congestion

Cross-layer Analysis
[Figure: layers Application, Transport, Link, MAC/PHY; boxes Intrusion Detection and Response. Labels: "Trust evolution, reputation management, recourse"; "Packet dropping, mangling, injection"; "Routing attacks, disruptions"; "Unfair contention, jamming"; "Commendations, Accusations (to other devices)".]

[Figure: Neighbor table size]
[Figure: True positives (no RTS attack)]
[Figure: True positives (RTS attack)]
[Figure: Goodput with RTS attacks]

References
• Jim Parker et al., "Cross Layer Analysis for Detecting Wireless Misbehavior", Proceedings of CCNC 2006
• Anand Patwardhan et al., "Active Collaborations for Trustworthy Data Management in Ad Hoc Networks", Proceedings of the 2nd IEEE International Conference on Mobile Ad-Hoc and Sensor Systems, November 2005
• Anand Patwardhan et al., "Secure Routing and Intrusion Detection in Ad Hoc Networks", Proceedings of the 3rd International Conference on Pervasive Computing and Communications, March 2005
• Jim Parker et al., "On Intrusion Detection in Mobile Ad Hoc Networks", 23rd IEEE International Performance Computing and Communications Conference, Workshop on Information Assurance, April 2004