AFOSR-review-June07 - Computer Science Division
Download
Report
Transcript AFOSR-review-June07 - Computer Science Division
Intrusion Detection and
Forensics for Self-defending
Wireless Networks
Yan Chen
Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science
Northwestern University
http://list.cs.northwestern.edu
The Spread of Sapphire/Slammer Worms
The Current Threat Landscape of
Wireless Networks
• Wireless networks, crucial for GIG, face both
Internet attacks and their unique attacks
– Viruses/worms: e.g., 6 new viruses, including Cabir and
Skulls, with 30 variants targeting mobile devices
– Botnets: underground army of the Internet, emerging for
wireless networks
• Big security risks for wireless networks
– Few formal analysis about wireless network protocol
vulnerabilities
– Existing (wireless) IDSes only focus on existing attacks
» Ineffective for unknown attacks or polymorphic worms
– Little work on attack forensics
» E.g., how to identify the command-and-control (C&C) channel of
botnets?
Self-Defending Wireless Networks
• Proactively search of vulnerability for wireless
network protocols
– Intelligent and thorough checking through combo of
manual analysis + auto search with formal methods
– First, manual analysis provide hints and right level of
abstraction for auto search
– Then specify the specs and potential capabilities of
attackers in a formal language TLA+ (the Temporal Logic
of Actions)
– Then model check for any possible attacks
• Defend against emerging threat
– Worm: network-based polymorphic worm signature
generations
– Botnet: IRC (Internet relay chat) based C&C detection
and mitigation
Outline
• Threat landscape and motivation
• Our approach
• Accomplishment of this year
– Vulnerability analysis of Mobile IPv6
protocols
– Polymorphic worm signature generation
• Plan for the next year
Accomplishments This Year (I)
• Intelligent vulnerability analysis
– Focused on outsider attacks, i.e., w/ unprotected msgs
– Checked the complete spec of 802.16e before
authentication
» Found some vulnerability, e.g., for ranging (but needs to change
MAC)
– Checked the mobile IPv4/v6
» Find an easy attack to disable the route optimization of MIPv6 !
– Partnered with Motorola, very interested in the
vulnerability found
• Automatic polymorphic worm signature generation
systems for high-speed networks
– Fast, noise tolerant w/ proved attack resilience
– Talking with Cisco IPS group for tech transfer
– Patent filed
Accomplishments This Year (II)
• Six conference, one journal papers and a book chap
– Honeynet-based Botnet Scan Traffic Analysis, invited book chapter
for Botnet Detection: Countering the Largest Security Threat
– Detecting Stealthy Spreaders Using Online Outdegree Histograms,
in the Proc. of the 15th IEEE International Workshop on Quality of
Service (IWQoS), 2007 (26.6%).
– Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms
with Provable Attack Resilience, to appear in IEEE Symposium on
Security and Privacy, 2006 (9%).
– Towards Scalable and Robust Distributed Intrusion Alert Fusion with
Good Load Balancing, in Proc. of ACM SIGCOMM Workshop on LargeScale Attack Defense 2006(33%).
– Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols
through TLA+, in Proc. of the Second Workshop on Secure Network
Protocols (NPSec) (33%).
– A DoS Resilient Flow-level Intrusion Detection Approach for Highspeed Networks, to appear in IEEE International Conference on
Distributed Computing Systems (ICDCS), 2006 (14%).
– Reverse Hashing for High-speed Network Monitoring: Algorithms,
Evaluation, and Applications, Proc. of IEEE INFOCOM, 2006 (18%).
Full version to appear in ACM/IEEE Transaction on Networking.
Mobile IPv6 (RFC 3775)
• Provides mobility at IP Layer
• Enables IP-based communication to
continue even when the host moves
from one network to another
• Host movement is completely
transparent to Layer 4 and above
Mobile IPv6 - Entities
• Mobile Node (MN) – Any IP host which is mobile
• Correspondent Node (CN) – Any IP host
communicating with the MN
• Home Agent (HA) – A host/router in the Home
network which:
– Is always aware of MN’s current location
– Forwards any packet destined to MN
– Assists MN to optimize its route to CN
Mobile IPv6 - Process
• (Initially) MN is in home network and connected to
CN
• MN moves to a foreign network:
– Registers new address with HA by sending Binding Update
(BU) and receiving Binding Ack (BA)
– Performs Return Routability to optimize route to CN by
sending HoTI, CoTI and receiving HoT, CoT
– Registers with CN using BU and BA
Mobile IPv6 in Action
Home Network
HoT
Mobile
Mobile
Node
Node
Correspondent
Node
Home Agent
HoTI
HA
BA
HoTI
–M
N
n
Tu
ne
HoT
BU
CoT
BA
l
Foreign Network
CoTI
BU
Internet
Mobile IPv6 Vulnerability
• Nullifies the effect of Return Routability
• BA with status codes 136, 137 and 138
unprotected
• Man-in-the-middle attack
– Sniffs BU to CN
– Injects BA to MN with one of status codes above
• MN either retries RR or gives up route
optimization and goes through HA
MIPv6
Attack
In
Action
MN
HA
AT
CN
Start
Return
Routability
Restart
Return
Routability
Silently
Discard
Bind Ack
• Only need a wireless network sniffer and a spoofed
wired machine (No MAC needs to be changed !)
• Bind ACK often skipped by CN
MIPv6 Vulnerability - Effects
• Performance degradation by forcing
communication through sub-optimal routes
• Possible overloading of HA and Home Link
• DoS attack, when MN repeatedly tried to
complete the return routability procedure
• Attack can be launched to a large number of
machines in their foreign network
– Small overhead for continuously sending spoofed
Bind ACK to different machines
TLA Analysis and Experiments
• With the spec modeled in TLA, the TLC search
gives two other similar attacks w/ the same
vulnerability
– Complete the search of vulnerabilities w/ unprotected
messages
• Implemented and tested in our lab
– Using Mobile IPv6 Implementation for Linux (MIPL)
– Tunnel IPv6 through IPv4 with Generic Routing
Encapsulation (GRE) by Cisco
– When attack in action, MN repeatedly tried to complete
the return routability procedure – DOS attack !
Outline
• Threat landscape and motivation
• Our approach
• Accomplishment of this year
– Vulnerability analysis of Mobile IPv6
protocols
– Polymorphic worm signature generation
• Plan for the next year
Deployment of SDWN
• Attached to a switch connecting BS as a black box
• Enable the early detection and mitigation of global scale
attacks
• Significantly more challenging compared w/ host-based
IDS/IPS
– Huge data volume and lack of host-level information
Inter
net
802.1x
BS
802.1x
BS
Internet
Users
scan
port SDWN
system
User
s
802.1x
BS
Switch/
BS controller
Router/
switch
802.1x
BS
Gateway
User
s
Users
(a)
Original configuration
SDWN
system
Hone
ynet
(b) SDWN
deployed
Automatic Length Based Worm
Signature Generation
• Majority of worms exploit buffer overflow
vulnerabilities
• Worm packets have a particular field longer
than normal
• Length signature generation
– Parse the traffic to different fields
– Find abnormally long field
– Apply a three-step algorithm to determine a length
signature
– Length based signature is hard to evade if the
attacker has to overflow the buffer.
Length Based Signature Generator
Protocol
Specification
Normal
Traffic Pool
Protocol
Parser
Parsed
Normal
LESG
Core
Signatures
Parsed
Suspicious
Suspicious
Traffic Pool
NO
Pool size
too small?
Quit
YES
Filter
Evaluation of Signature Quality
• Seven polymorphic worms based on real-world
vulnerabilities and exploits from securityfocus.com
• Real traffic collected at two gigabit links of a
campus edge routers in 2006 (40GB for evaluation)
• Another 123GB SPAM dataset
Outline
•
•
•
•
Threat landscape and motivation
Our approach
Accomplishment
Achievement highlight: a Mobile IPv6
vulnerability
• Plan for the next year
– Insider attack analysis
– Complete the polymorphic worm signature
generation
– Intrusion forensics for botnet command and
control channel detection
Insider Attack Analysis
• Not hard to become a subscriber
• Can five subscribers bring down an entire
wireless network (e.g., WiMAX) ?
• Check vulnerability after authentication
• Plan to analyze various layers of WiMAX
networks
– IEEE 802.16e: MAC layer
– Mobile IP v4/6: network layer
– EAP layer
802.16e SS Init Flowchart
Work Done
Future work
Intrusion Detection and Forensics for
Self-defending Wireless Networks
Yan Chen, Northwestern University
Tel. (847) 491-4946, E-Mail: [email protected]
Internet
Users
scan
port SDWN
system
Objective
•Proactively secure the wireless networks
• Search of network protocol vulnerabilities
• Automatically detect and filter unknown
and/or polymorphic worms
• Intrusion forensics and mitigation for
botnet-based attacks
802.1x
BS
Switch/
BS controller
802.1x
BS
Gateway
Users
Hone
ynet
SDWN
system
Accomplishments
Scientific/Technical Approach
• Intelligent and complete vulnerability
search through the combo of manual
analysis & verification via formal methods
• Network-based automatic signature
generation for polymorphic worms
• Botnet command-and-control channel
detection and mitigation
• Successfully check for outsider attack
vulnerabilities of MIP v4/6 and 802.16e
(WiMAX) protocols
• Network-based automatic signature
generations
Challenges
• State space explosion for vulnerability
search w/ formal methods
• Large amount of traffic to monitor on
high-speed links
Conclusions
• Vulnerability analysis of wireless network protocols:
802.16e and mobile IP specs
• Network-based polymorphic worm signature
generation for self-defending wireless networks
Thank You !