Towards Wireless Overlay Network Architectures


Network-based Intrusion Detection, Prevention and Forensics System
Yan Chen
Department of Electrical Engineering and Computer Science
Northwestern University
Lab for Internet & Security Technology (LIST)
http://list.cs.northwestern.edu
The Spread of Sapphire/Slammer Worms
Current Intrusion Detection Systems (IDS)
• Mostly host-based and not scalable to high-speed networks
– Slammer worm infected 75,000 machines in <10 mins
– Host-based schemes inefficient and user dependent
» Have to install IDS on all user machines!
• Mostly simple signature-based
– Cannot recognize unknown anomalies/intrusions
– New viruses/worms, polymorphism
Current Intrusion Detection Systems (II)
• Cannot provide quality info for forensics or situational-aware analysis
– Hard to differentiate malicious events from unintentional anomalies
» Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration
– Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.
Network-based Intrusion Detection, Prevention, and Forensics System
• Online traffic recording [SIGCOMM IMC 2004, INFOCOM 2006, ToN to appear]
– Reversible sketch for data streaming computation
– Record millions of flows (GB traffic) in a few hundred KB
– Small # of memory accesses per packet
– Scalable to large key space size (2^32 or 2^64)
• Online sketch-based flow-level anomaly detection [IEEE ICDCS 2006] [IEEE CG&A, Security Visualization 06]
– Adaptively learn the traffic pattern changes
– As a first step, detect TCP SYN flooding, horizontal and vertical scans even when mixed
• Online stealthy spreader (botnet scan) detection [IWQoS 2007]
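An added illustration of the sketch-based recording and change-detection idea above (example code written for this transcript, not the authors' reversible sketch implementation): a count-min sketch that summarises per-destination SYN counts with a fixed number of counter accesses per packet, an EWMA forecast that adapts to the traffic pattern, and a pass that flags destinations whose SYN count jumps far above the forecast. It generalises the slide's SYN-flooding case to any per-interval change; the traffic records, addresses, and threshold are constructed.

```python
import hashlib

class CountMinSketch:
    """`rows` hash rows of `width` counters: each update touches exactly `rows`
    counters however large the key space is (e.g. 2^32 IPv4 addresses)."""
    def __init__(self, rows=4, width=256):
        self.rows, self.width = rows, width
        self.table = [[0] * width for _ in range(rows)]
    def _col(self, key, row):
        h = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=4).digest()
        return int.from_bytes(h, "big") % self.width
    def update(self, key, delta=1):
        for r in range(self.rows):
            self.table[r][self._col(key, r)] += delta
    def estimate(self, key):  # collisions only inflate, so the row minimum is tightest
        return min(self.table[r][self._col(key, r)] for r in range(self.rows))

def ewma(old, new, alpha):
    """Counter-wise forecast update; sound because both sketches share hash functions."""
    out = CountMinSketch(old.rows, old.width)
    out.table = [[(1 - alpha) * o + alpha * n for o, n in zip(orow, nrow)]
                 for orow, nrow in zip(old.table, new.table)]
    return out

def syn_sketch(flows, rows=4, width=256):
    """One interval of (src, dst, tcp_flags) records -> sketch of SYNs per destination."""
    s = CountMinSketch(rows, width)
    for _src, dst, flags in flows:
        if flags == "S":  # pure SYN (no ACK): a new connection attempt
            s.update(dst)
    return s

def detect_syn_flood(intervals, candidates, alpha=0.5, threshold=50):
    """Flag (interval, dst) whose SYN count exceeds the learned forecast by > threshold.
    A plain count-min sketch cannot be reversed into keys, so `candidates` lists the
    destinations to check (removing that limitation is what the reversible sketch does)."""
    forecast, alerts = None, []
    for t, flows in enumerate(intervals):
        cur = syn_sketch(flows)
        if forecast is not None:
            alerts += [(t, d) for d in candidates
                       if cur.estimate(d) - forecast.estimate(d) > threshold]
        forecast = cur if forecast is None else ewma(forecast, cur, alpha)
    return alerts

def constructed_intervals():
    """Constructed sample: interval 0 is baseline; interval 1 adds 200 SYNs to 10.0.0.1."""
    base = [(f"192.0.2.{i}", d, "S") for d in ("10.0.0.1", "10.0.0.2") for i in range(1, 6)]
    flood = [(f"203.0.113.{i % 250}", "10.0.0.1", "S") for i in range(200)]
    return [base, base + flood]
```

Running `detect_syn_flood(constructed_intervals(), ["10.0.0.1", "10.0.0.2"])` flags only the flooded destination in the second interval; the baseline destination stays within its forecast.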
Network-based Intrusion Detection, Prevention, and Forensics System (II)
• Polymorphic worm signature generation & detection [IEEE Symposium on Security and Privacy 2006] [IEEE ICNP 2007 to appear]
• Accurate network diagnostics [ACM SIGCOMM 2006] [IEEE INFOCOM 2007]
• Scalable distributed intrusion alert fusion w/ DHT [SIGCOMM Workshop on Large Scale Attack Defense 2006]
• Large-scale botnet and P2P misconfiguration event forensics [work in progress]
System Deployment
• Attached to a router/switch as a black box
• Edge network detection particularly powerful
[Figure: three deployment configurations of the RAND/HPNAIDM system among the Internet, router, switches and LANs, using switch scan ports and a splitter: (a) original configuration; (b) monitor each port separately; (c) monitor aggregated traffic from all ports.]
Vulnerability Analysis for WiMAX Networks
Yan Chen, Hai Zhou
Dept. of Electrical Engineering and Computer Science
Northwestern University
Z. Judy Fu
Motorola Labs
The Current Threat Landscape and Countermeasures of WiMAX Networks
• WiMAX: next wireless phenomenon
– Predicted multi-billion dollar industry
• WiMAX faces both Internet attacks and wireless network attacks
– E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
• Goal: secure WiMAX networks through intrusion prevention/detection
• Big security risks for WiMAX networks
– No formal analysis of WiMAX security vulnerabilities
Our Approach
• Vulnerability analysis of various layers
– Focus on 802.16e specs (WiMAX standards) and Mobile IP v4/6 protocols so far
– Intelligent and complete checking through a combination of manual analysis and automatic search through formal methods
– First, manual analysis provides hints and the right level of abstraction for the automatic search
– Then specify the specs and the potential capabilities of attackers in a formal language, TLA+ (the Temporal Logic of Actions)
– Then model check for any possible attacks
Mobile IPv6 (RFC 3775)
• Provides mobility at IP layer
• Enables IP-based communication to continue even when the host moves from one network to another
• Host movement is completely transparent to Layer 4 and above
Mobile IPv6 - Entities
• Mobile Node (MN) – Any IP host which is mobile
• Correspondent Node (CN) – Any IP host communicating with the MN
• Home Agent (HA) – A host/router in the Home network which:
– Is always aware of MN’s current location
– Forwards any packet destined to MN
– Assists MN to optimize its route to CN
Mobile IPv6 - Process
• (Initially) MN is in home network and connected to CN
• MN moves to a foreign network:
– Registers new address with HA by sending Binding Update (BU) and receiving Binding Ack (BA)
– Performs Return Routability to optimize route to CN by sending HoTI, CoTI and receiving HoT, CoT
– Registers with CN using BU and BA
Mobile IPv6 in Action
[Figure: the Mobile Node moves from the Home Network (where the Home Agent sits) to a Foreign Network; it exchanges BU/BA with the HA over the HA–MN tunnel, sends HoTI via the HA and CoTI directly across the Internet to the Correspondent Node, receives HoT and CoT, and then exchanges BU/BA with the CN.]
Mobile IPv6 Vulnerability
• Nullifies the effect of Return Routability
• BA with status codes 136, 137 and 138 unprotected
• Man-in-the-middle attack
– Sniffs BU to CN
– Injects BA to MN with one of the status codes above
• MN either retries RR or gives up route optimization and goes through HA
MIPv6 Attack In Action
[Figure: message sequence among MN, HA, AT (attacker) and CN, labelled "Start Return Routability", "Restart Return Routability" and "Silently Discard Bind Ack".]
• Only need a wireless network sniffer and a spoofed wired machine (no MAC needs to be changed!)
• Bind ACK often skipped by CN
MIPv6 Vulnerability - Effects
• Performance degradation by forcing communication through sub-optimal routes
• Possible overloading of HA and Home Link
• DoS attack, when MN repeatedly tries to complete the return routability procedure
• Attack can be launched against a large number of machines in their foreign network
– Small overhead for continuously sending spoofed Bind ACKs to different machines
TLA Analysis and Experiments
• With the spec modeled in TLA, the TLC search gives two other similar attacks w/ the same vulnerability
– Complete the search of vulnerabilities w/ unprotected messages
• Implemented and tested in our lab
– Using Mobile IPv6 Implementation for Linux (MIPL)
– Tunnel IPv6 through IPv4 with Generic Routing Encapsulation (GRE) by Cisco
– When the attack is in action, MN repeatedly tries to complete the return routability procedure – DoS attack!
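To show what the "model the spec plus attacker capabilities, then search" approach of the talk looks like in miniature, here is an added example (written for this transcript; it is not the authors' TLA+ spec and uses a tiny breadth-first search in place of TLC): the MN, CN and attacker are abstracted to a few transitions, the unprotected BA status codes 136/137/138 are the ones the slides name, and the search either returns the shortest trace in which the MN loses route optimization because of a BA the CN never sent, or reports none when the attacker cannot inject. State names and labels are the example's own.

```python
from collections import deque

UNPROTECTED = (136, 137, 138)  # BA status codes the CN may send without authorization data

def transitions(state, attacker_can_inject):
    """Yield (label, next_state). state = (mn_phase, cn_answered, msgs, cause), where
    cause records who originated the BA that last made the MN restart or abandon RR."""
    mn, cn_answered, msgs, cause = state
    if mn == "rr":                            # MN finished HoTI/CoTI and HoT/CoT: send BU
        yield "MN: send BU to CN", ("wait_ba", cn_answered, msgs | {("BU",)}, cause)
    if ("BU",) in msgs and not cn_answered:   # honest CN answers once, with a protected BA
        yield "CN: send BA(status 0)", (mn, True, msgs | {("BA", 0, "cn")}, cause)
    if attacker_can_inject and mn == "wait_ba":   # attacker saw the BU, forges an unprotected BA
        for code in UNPROTECTED:
            yield f"AT: inject BA(status {code})", (mn, cn_answered, msgs | {("BA", code, "at")}, cause)
    for m in msgs:
        if m[0] == "BA" and mn == "wait_ba":
            rest = msgs - {m}
            if m[1] == 0:
                yield "MN: accept BA(0), route optimization done", ("ro_done", cn_answered, rest, cause)
            else:  # "nonces expired": per spec the MN restarts RR, or gives up and uses the HA
                yield f"MN: BA({m[1]}) -> restart RR", ("rr", cn_answered, rest, m[2])
                yield f"MN: BA({m[1]}) -> give up RO, tunnel via HA", ("via_ha", cn_answered, rest, m[2])

def find_attack(attacker_can_inject):
    """Breadth-first search over reachable states. Returns the shortest trace to a state
    violating "the MN only restarts/abandons RR because of a BA the CN sent", else None."""
    init = ("rr", False, frozenset(), None)
    queue, seen = deque([(init, [])]), {init}
    while queue:
        state, trace = queue.popleft()
        if state[3] == "at":
            return trace
        for label, nxt in transitions(state, attacker_can_inject):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None
```

The state space is finite (at most five distinct messages, four MN phases), so the search always terminates; removing the injection capability is the check that the property holds for the honest protocol alone.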
Extensible Authentication Protocols (EAP)
[Figure: EAP protocol stack. Authentication method layer: EAP-TLS, EAP-TTLS, PEAP, EAP-SIM, EAP-AKA, EAP-FAST. EAP layer: Extensible Authentication Protocol (EAP). Data link layer: EAP over LAN (EAPOL) and PPP over 802.16, 802.3 Ethernet, 802.5 Token Ring, 802.11 WLAN, GSM, CDMA.]
Extensible Authentication Protocols (EAP)
• EAP is an authentication framework
– Supports about 40 different EAP methods
• Current targets
– EAP-SIM for GSM cellular networks
– EAP-AKA for 3G networks, such as UMTS and CDMA2000
– EAP-FAST (Flexible Authentication via Secure Tunneling)
» Most comprehensive and secure EAP method for WLAN
» Will compare it w/ EAP-SIM and EAP-AKA
Insider Attack Analysis
• Not hard to become a subscriber
• Can five subscribers bring down an entire WiMAX network?
• Check vulnerability after authentication
• Plan to analyze various layers of WiMAX networks
– IEEE 802.16e: MAC layer
– Mobile IP v4/6: network layer
– EAP layer
802.16e SS Init Flowchart
[Figure: 802.16e SS initialization flowchart, annotated with the work done and future work.]
Outline
• Overview of Network Intrusion Detection,
Prevention and Forensics System
• Case Study: Vulnerability analysis of the
MIP v6 system
• Student recruiting
Northwestern Lab for Internet and Security Technology (LIST)
• About Northwestern Univ.
– US News and World Report, overall ranking #14, the Engineering grad school ranking #21.
– On Lake Michigan, close to Chicago downtown
• Sponsors for LIST:
– Department of Energy (Early CAREER Award)
– Air Force Office of Scientific Research (Young Investigator Award)
– National Science Foundation
– Microsoft Research
– Motorola Inc.
Recruiting Ph.D. Students
• Bachelor in Computer Science or Computer Engineering
• Research experience a big plus
• TOEFL
• GRE
• Strongly motivated in independent research
• Feel free to talk to me after the talk