Detecting Spoofing and Anomalous Traffic in Wireless Networks via
Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships
Qing Li and Wade Trappe
IEEE Transactions on Information Forensics and Security, VOL. 2, No. 4, December 2007
Presented by: Ryan Yandle
Outline
Spoofing
ORBIT
Family 1 – Relationships via Auxiliary Fields
  Method A – Sequence Number
  Method B – One-way chains
Family 2 – Relationships via Intrinsic Properties
  Method A – Interarrival time
  Method B – Joint Background Traffic and Interarrival time
Analysis
Multilevel Classification
Conclusion
What is Spoofing?
The practice of impersonating another entity in order to subvert security.
Spoofing allows the attacker to remain anonymous and undetected in the network.
More Specifically
This paper refers to MAC address spoofing.
The attacker tries to gain access to the WLAN by cloning the MAC address of a legitimate user.
What are Forge-Resistant Relationships?
Rules that govern the relationship between two distinct entities.
These rules define the relationship such that another entity (an attacker) trying to forge the relationship would be caught.
The paper's focus is to detect spoofing by creating these unique relationships.
The ORBIT Wireless Test Bed
Composed of a 2D grid of wireless nodes.
Jointly run by several schools in the NY/NJ area.
Test Bed Setup
A – Legitimate Sender
B – Attacker
X – Monitor
Strategy Overview
Consider that the legitimate sender has a unique identity.
Associated with that identity will be a particular sequence of packets.
From these packets we may observe states.
More Strategery…
A Relationship Consistency Check (RCC) is a binary rule that returns 1 if the states obey the rule R with respect to each other.
But…
Simply using a relationship R and checking the corresponding RCC at the monitoring device is not going to provide reliable security.
We need to add forgeability requirements to the relationship.
Thus, an RRCC (forge-resistant RCC) is needed.
Definition of RRCC
An ε-forge-resistant relationship R is a rule governing the relationship between a set of states from a particular identity, for which there is a small probability of another device being able to forge a set of states such that a monitoring device would evaluate the corresponding RCC as 1.
More…
We will view the output of an RRCC as the result of deciding between two different hypotheses.
H0 – the null hypothesis, corresponding to non-suspicious activity
H1 – the alternate hypothesis, corresponding to anomalous behavior
Quantifying Effectiveness
We will use several measures to quantify the effectiveness of R.
The probability of a false alarm: P_FA = Pr(H1; H0)
Probability that we will decide a set of states is suspicious when it was really legitimate
The probability of a missed detection: P_MD = Pr(H0; H1)
Probability of deciding that a set of states is legitimate when it was not
Quantifying Effectiveness Cont.
The probability of detection: P_D = 1 – P_MD
Other symbols:
ε = P_MD
δ = P_FA
Therefore, we can define an RRCC by the pair (ε, δ).
Two Proposed Families for Relationships
1. Using auxiliary fields in the MAC frame to create a monotonic relationship
2. Using traffic inter-arrival statistics to detect anomalous traffic
Family I - Forge-Resistant Relationships via Auxiliary Fields
Method A: Anomaly Detection via Sequence Number Monotonicity
Enforce a rule that requires packet sequence numbers to follow a monotonic relationship, denoted as Rseq.
802.11 MAC Frame Structure
Generally used to re-assemble fragmented frames or detect duplicate packets.
Fragment control – 4 bits
Sequence number – 12 bits = 4096 possibilities, ranging over [0, 4095]
Firmware
Rseq
It does not matter if the attacker can manipulate its own sequence numbers.
A cloning attempt would be exposed due to duplicate sequence numbers.
Therefore, the forge resistance stems from the fact that the attacker cannot stop the sender from transmitting packets.
Single Source Sequence Numbers
τ: the difference in sequence numbers between two consecutive packets
The possible values for τ: [1, 4096]
A value of 4096 is equivalent to a sequence number difference of 0 (duplicate sequence numbers)
The mean of the distribution of τ is E[τ] = 1/(1 – p), where p is the packet loss rate
The variance of the distribution of τ is σ_τ² = p/(1 – p)²
Theoretical Packet Loss
Using the formulas that we just learned, for a theoretical transmission with a packet loss of 50%:
E[τ] = 2
σ_τ² = 2, so σ_τ ≈ 1.41
Even for networks with poor connectivity, the difference in sequence numbers between successive packets will be relatively small.
Dual Source Sequence Numbers
Let y be the sequence number from the real source.
Let x be the sequence number from the attacker.
z = x – y gives us a range of [-4095, 4095].
This gap will be defined as τ = z mod 4096.
Dual Source Cont.
If we then map a difference of 0 to 4096, we have a uniform distribution over [1, 4096].
E[τ] = 2048.5
σ_τ = 1182
Single Source Behavior
A single node is transmitting packets using a specified MAC address to a receiver.
No anomalous behavior is present in this scenario.
Dual Source Behavior
Two nodes use the same MAC address to transmit packets.
One node is spoofing the other's MAC address.
Let's build a detector…
We will define the RRCC detection scheme as follows:
Choose a window of packets coming from a specific MAC address.
We will choose a window with size L.
The detector will calculate the L – 1 sequence number gaps.
More on the detector
The detector will determine that there is an anomaly if max_{l = 1..L–1} τ_l > g.
g is determined by solving for a desired false alarm rate.
Example: L = 5 and g = 3
(Figure: a stream of sequence numbers shown as 1, 2, 3, 1, 76, 73, 71, 73, 5, 7, 2, 8, 9, 10, 11, with MAX{ } taken over the gaps in the window; the largest gap is 73.)
73 > g, RETURN(1)
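The Rseq window detector from the preceding slides, written out as an added Python example (not code from the paper or this presentation). The window size L, the threshold g, the independent-loss model for the single-source trace and the interleaved dual-source trace are assumptions; the 4096 modulus is the 12-bit sequence number space.

```python
import random

SEQ_MOD = 4096  # 12-bit 802.11 sequence number space, values 0..4095


def seq_gap(prev, cur):
    """Gap tau between two consecutive observed sequence numbers, taken mod 4096.
    A difference of 0 (a duplicate) is mapped to 4096, so tau lies in [1, 4096]."""
    gap = (cur - prev) % SEQ_MOD
    return SEQ_MOD if gap == 0 else gap


def window_gaps(seqs):
    """The L-1 gaps for a window of L sequence numbers seen from one MAC address."""
    return [seq_gap(a, b) for a, b in zip(seqs, seqs[1:])]


def rcc_seq(seqs, g):
    """Rseq consistency check: 1 (anomaly) if the largest gap in the window exceeds g."""
    return 1 if max(window_gaps(seqs)) > g else 0


def expected_gap_stats(p):
    """Single-source theory: with independent loss rate p the gap is geometric,
    so E[tau] = 1/(1-p) and Var[tau] = p/(1-p)^2."""
    return 1.0 / (1 - p), p / (1 - p) ** 2


def simulate_single_source(n, p, seed):
    """Constructed trace: one sender, each of n frames lost independently with prob p."""
    rng = random.Random(seed)
    return [s % SEQ_MOD for s in range(n) if rng.random() >= p]


def simulate_dual_source(n, seed):
    """Constructed trace: attacker B (own counter, arbitrary start) interleaves its
    frames with those of legitimate sender A under the same MAC address."""
    rng = random.Random(seed)
    a, b, out = 0, rng.randrange(SEQ_MOD), []
    for _ in range(n):
        if rng.random() < 0.5:
            out.append(a % SEQ_MOD)
            a += 1
        else:
            out.append(b % SEQ_MOD)
            b += 1
    return out


def alarm_rate(seqs, L, g):
    """Fraction of non-overlapping windows of L packets on which rcc_seq fires."""
    windows = [seqs[i:i + L] for i in range(0, len(seqs) - L + 1, L)]
    return sum(rcc_seq(w, g) for w in windows) / len(windows)
```

On the constructed traces the single-source alarm rate stays near zero even at 50% loss, while almost every dual-source window fires, which is the separation the slides' ORBIT histograms show.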
Performance of Sequence Number Monotonicity (L = 2)
(Figure: Sequence Number Gap Statistics for a Single Source from ORBIT)
When would this not work?
This method of detection only works in the presence of heterogeneous sources; the legitimate device must be transmitting in order to reveal the anomaly.
Family I - Forge-Resistant Relationships via Auxiliary Fields
Method B: One-way chain of Temporary Identifiers
The sender attaches a TIF (temporary identifier field) to its identity, forcing the adversary to solve a cryptographic puzzle in order to spoof.
Temporary Identifier Fields
Similar to what was proposed in TESLA.
Compute a one-way chain of numbers, and attach them to the frames in reverse order.
In order for the attacker to spoof a message, they would need to find the inverse of the function used to compute the one-way chain.
This method is loss-tolerant.
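The one-way chain of temporary identifiers, as an added Python example (not the paper's or the presenter's code): the sender reveals the chain in reverse order and the monitor, holding only the anchor, re-hashes each TIF to reach its last accepted value, which is what makes the check loss-tolerant. The choice of truncated SHA-256 as the one-way function, the 8-byte encoding of chain values and the max_loss bound are assumptions; the TIF bit length is a parameter because the slides compare 10- and 16-bit fields.

```python
import hashlib


def f(v, bits):
    """One-way function for the chain: SHA-256 of v, truncated to the TIF bit length.
    Chain values are encoded in 8 bytes, so bits must be at most 64 (assumption)."""
    d = hashlib.sha256(v.to_bytes(8, "big")).digest()
    return int.from_bytes(d, "big") & ((1 << bits) - 1)


def build_chain(seed, n, bits):
    """v_0 = seed, v_i = f(v_{i-1}); the sender keeps the whole chain and publishes v_n."""
    chain = [seed]
    for _ in range(n):
        chain.append(f(chain[-1], bits))
    return chain


def sender_tifs(chain):
    """TIFs attached to successive frames: the chain in reverse order, starting just
    below the anchor v_n, so each TIF is a preimage of the one sent before it."""
    return chain[-2::-1]


class TifVerifier:
    """Monitor side. Knows only the anchor v_n; a TIF is accepted if hashing it
    1..max_loss+1 times reaches the last accepted value, so up to max_loss lost
    frames are tolerated. Accepting advances the state, which rejects replays."""

    def __init__(self, anchor, bits, max_loss=8):
        self.last, self.bits, self.max_loss = anchor, bits, max_loss

    def accept(self, tif):
        v = tif
        for _ in range(self.max_loss + 1):
            v = f(v, self.bits)
            if v == self.last:
                self.last = tif
                return True
        return False
```

With a short field an attacker who guesses a TIF succeeds with probability about (max_loss + 1) / 2^bits per attempt, which is the false-acceptance side of the ROC curves on the next slide.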
(Figure: ROC Curve for one-way chain TIFs, Bit Length = 10 and Bit Length = 16)
Outline
Spoofing
ORBIT
Family 1 – Relationships via Auxiliary Fields
  Method A – Sequence Number
  Method B – One-way chains
Family 2 – Relationships via Intrinsic Properties
  Method A – Interarrival time
  Method B – Joint Background Traffic and Interarrival time
Analysis
Multilevel Classification
Conclusion
Family II - Forge-Resistant Relationships via Intrinsic Properties
Method A) Traffic Arrival Consistency Checks
Use a traffic shaping tool to control the interarrival times observed by the monitoring device.
These interarrival statistics are then used to determine anomalous behavior.
Traffic Arrival Consistency Checks
Suppose we have our three devices, A, B, X.
A is set to transmit at a fixed interval.
X will take note of this behavior; if B starts transmitting (spoofing to impersonate A), then the detector will notice a change in the distribution of packet arrivals.
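The A/B/X scenario above, as an added Python example (not code from the paper or the presentation): monitor X checks the interarrival times seen for A's MAC address against the fixed interval A was shaped to. The tolerance band, the fraction threshold and the jittered timestamps are constructed assumptions, not the paper's detector parameters.

```python
import random


def interarrivals(timestamps):
    """Interarrival times (seconds) between consecutive frames seen for one MAC address."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def arrival_rcc(timestamps, period, tol=0.25, max_off_fraction=0.1):
    """Traffic-arrival consistency check for a sender shaped to one frame every
    `period` seconds: return 1 (anomalous) if more than max_off_fraction of the
    observed interarrival times fall outside period*(1 +/- tol).
    The tolerance and fraction thresholds are assumptions, not the paper's values."""
    gaps = interarrivals(timestamps)
    lo, hi = period * (1 - tol), period * (1 + tol)
    off = sum(1 for g in gaps if not lo <= g <= hi)
    return 1 if off / len(gaps) > max_off_fraction else 0


def constructed_trace(period, n, jitter, seed, spoof_period=None, spoof_start=0.0):
    """Constructed timestamps as monitor X would see them: sender A transmits n frames,
    one every `period` s with uniform +/- jitter; optionally attacker B, cloning A's
    MAC address, transmits every spoof_period s from spoof_start until A stops.
    Returns the merged, time-ordered list."""
    rng = random.Random(seed)
    a = [i * period + rng.uniform(-jitter, jitter) for i in range(n)]
    if spoof_period is None:
        return a
    b_count = int((n * period - spoof_start) / spoof_period)
    b = [spoof_start + j * spoof_period + rng.uniform(-jitter, jitter)
         for j in range(b_count)]
    return sorted(a + b)
```

With A shaped to 200 ms, B's interleaved frames halve the observed gaps and the check fires; heavy background traffic that delays A's own frames would push gaps out of the band too, which is the false-alarm caveat raised on the following slides.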
(Figures: Resulting Histograms; Experimental Results: 200 ms; Experimental Results cont.)
When would this method become unreliable on a wireless network?
With the presence of high background traffic, this method would become less suitable.
Background traffic would affect the transmission intervals of the sender, possibly causing false alarms.
Family II - Forge-Resistant Relationships via Intrinsic Properties
Method B) Joint Traffic Load and Interarrival Time Detector
Jointly examine the interarrival time and the background traffic load.
Use these two pieces of information to determine anomalous behavior, even under heavy traffic situations.
Joint Traffic Load and Interarrival Time Detector
We can define t to be the observed average interarrival time, and L to be the observed traffic load.
We then partition this (L, t) space into two regions:
Region I – non-suspicious behavior
Region II – anomalous activity
This idea is later revisited in the experimental validation section.
Enhanced Detection using Multilevel Classification
Extremely useful to have a severity analysis.
Plot severity vs. average sequence number gap of a particular window.
Severity is defined as the sum of the differences between a normal gap and the observed gap for all gaps in a window of size L.
(Figure: Severity vs. Average Sequence Number Gap)
Conclusion
All methods have their flaws.
There are already mechanisms in place within 802.11 that can help detect spoofing attacks.
Thank you for your time!
Questions / Comments
(Figure: Sequence Number Gap Statistics for Dual Source from ORBIT)