20110516_Research Di..

Download Report

Transcript 20110516_Research Di..

Research Progress Report
Advisor: Professor Frank Y.S. Lin
Present by Hubert J.W. Wang
Effective Network Planning and Defending Strategies to
Maximize System Survivability of Wireless Mesh
Networks under Malicious and Jamming Attacks
無線網狀網路中考量惡意與多重干擾器攻擊下最大化系統
存活度之高效網路規劃與防禦策略
2011/5/16
Outline
• Problem Description
Problem Description
2011/5/16
Problem Description
• Problem
▫ Topology information gathering
▫ Jamming attack
• Environment
▫ Infrastructure/Backbone WMNs
• Role
▫ Attacker
▫ Defender(Service provider)
2011/5/16
Problem Description(cont’)
2011/5/16
Scenario – Network Architecture
Base Station
Mesh router
2011/5/16
Scenario – Defender’s Planning Phase
Why didn’t the defender protect
all the nodes with high
population?
Base Station
Mesh router
1.
2.
Nodes with
more defense
resource
Honeynode
3.
Attacker
F
G
E
A
D
B
C
Budget limited.
The effectiveness of doing so
may not be the best.
There are other ways to deploy
resources.
2011/5/16
Scenario – Attacker’s Preparing Phase
Initially, the attacker has
following info:
(Communication channel)
F
D
20
1.
2.
3.
Defense Resource
Signal Strength
Traffic Amount
20
A
C
E
90
20
90
B
G
Traffic amount
20
Signal Strength
90
Defense strength
Signal Strength
2011/5/16
Scenario – Attacker’s Preparing Phase(cont’)
The honeynode:
F
If the real channel is
compromised, the attacker
will be able to identify this
target in Attacking Phase
D
20
20
A
C
E
90
20
90
B
G
20
90
Signal Strength
2011/5/16
Scenario – Attacker’s Preparing Phase(cont’)
The attacker’s goal:
Maximize attack effectiveness.
Maximize jammed range
F
D
20
The node with the strongest
signal power
(Easiest fo find)
20
The next hop
selecting
criteria would
be..
A
C
E
90
20
90
The node with highest
defense resource(Aggressive)
B
G
20
90
Signal Strength
2011/5/16
Scenario – Attacker’s Preparing Phase(cont’)
I
E
After compromise a mesh router,
the attacker has following info:
(Communication channel)
20
K
J
Being compromised, and obtained:
(Routing channel)
1. Traffic Source20
2. Traffic Amount
3. User number
H
90
1.
2.
3.
90
Defense Resource
Signal Strength
Traffic Amount
And…
L
90
G
90
B
F
D
20
20
90
20
A
90
Signal Strength
2011/5/16
Scenario –Population Re-allocation
Reallocate population
on D’s neighbor
6
G
22
P
20
Intrusion detected
E
90
8
O
20
20
C
8
20
Re-allocation
strategy might
be:
90
15
90
20
90
B
4
R
5
A
20
D
3
Q
2
90
Signal Strength
2011/5/16
Scenario –Population Re-allocation(cont’)
Reallocate population
on D’s neighbor
9
G
9
P
20
Capable of attack
detection
E
90
9
O
20
Average the QoS
impact caused by
jamming
90
9
90
R
9
A
C
9
10
Q
20
9
20
D
Re-allocation strategy:
 Average Population
20
90
B
10
10
90
Signal Strength
2011/5/16
Scenario –Population Re-allocation(cont’)
Real population on
D’s neighbor
6
G
22
P
20
Capable of attack
detection
E
90
8
O
20
Minimize the QoS
impact caused by
jamming
90
15
90
20
90
B
4
R
5
A
C
8
3
Q
20
20
20
D
Re-allocation strategy:
 Average Traffic
2
90
Signal Strength
2011/5/16
Scenario – Fake Traffic Generation
Fake Traffic Generation
L
28
E
Relatively low
traffic sources on
important nodes.
24
27
K
20
D
90
90
90
18
N
M
25
G
20
B
90
90
30
20
C
90
6
A
21
90
High traffic
sources on
unimportant
nodes.
112
90
Select node C
as next hop
Signal Strength
2011/5/16
Scenario – Attacker’s Preparing Phase(cont’)
Base Station
Mesh router
Nodes with
more defense
resource
Compromised
mesh router
Honeynode
Attacker
H I
V
Succeed
Failed
W
X
T U
S
F
G
J
K L
E
R
MN
A
D
B
C
PQ
O
2011/5/16
Scenario – Attacker’s Attacking Phase
Base Station
4) Jammed
normal node F
Mesh router
Nodes with
more defense
resource
2) Jammed node V
with high population
5) Jammed
honeynode U
Compromised
mesh router
Jammed mesh
router
Honeynode
H I
V
Jammer
Attacker1) Jammed
honeynode B
W
X
T U
S
F
G
J
K L
E
R
MN
A
D
B
C
PQ
O
3) Jammed
node P(not
fake channel)
2011/5/16
Scenario – Defender’s Defending Phase - Channel Surfing
The function of channel surfing
function:
Base Station
1.


2.
Mesh router
Range overlapped. If the mesh
Nodes with
router switch to other channel:
more defense
1. Jammed time shotened.
resource
Compromised
mesh router
Jammed mesh
router
Honeynode
2.
Jammers are not able to know
which channel is the origin
channel unless it’s compromised.
H I
V
Jammer
Attacker
Mitigate the impact of jamming
Time
Effectiveness
Reduce difficulty to remove
jammer
W
X
T U
S
F
G
J
K L
E
R
MN
A
D
B
C
PQ
O
2011/5/16
Scenario – Defender’s Defending Phase - Localization
Mobile locator
Static locator
Mobile locator
300
Jammer
Reference point 1
(useless)
Multiple jammers
200
Reference point 2
100
0
One of the jammers
0
removed
100
200
meter
Reference point 4
300
Reference point 3
2011/5/16
Defender
• Nodes
▫ Base Station
▫ Mesh router(with 2 NICs)
 Routing channel
 Communication channel
▫ Honeynode(with 3 NICs)[1]
 Routing channel
 Communication channel
 Fake communication channel
▫ Locator
[1]
S. Misra, et al., "Using honeynodes for defense against jamming attacks in wireless infrastructure-based
networks," Computers & Electrical Engineering, vol. 36, pp. 367-382, 2010.
2011/5/16
Defender(cont’)
• Planning phase
▫ Build Topology
▫ Deploy non-deception based defense resources
 General defense resource (ex. Firewall, Antivirus, etc.)
 Localization resource (routers with minimum capability)
▫ Deploy deception based defense resources
 Honeynode
• Defending phase
▫ Jamming mitigation
▫ Jammer localization
2011/5/16
Defender(cont’)
• Defense Mechanisms
▫
▫
▫
▫
▫
False target (Honeynodes)
Fake traffic generation (Honeynodes)
Channel surfing (BSs、Mesh Routers、Honeynodes)
Population re-allocation (BSs、Mesh Routers、Honeynodes)
Jammer localization (BSs、Mesh Routers、Honeynodes、Locators)
2011/5/16
Defender(cont’)
• Honeynode[1] as false target
▫ Effect:
 Preparing Phase
 Act as a false target to attract attack
and consume attacker’s budget.
 Provide fake routing table
information when compromised.
 Attacking Phase
 Prevent true channel from being
jammed.
▫ Tradeoff
 Occupying available
communication channels.
(indirectly affects QoS)
2011/5/16
Defender(cont’)
• Honeynode[1] as fake traffic
generator
▫ Effect:
 Send fake traffic to neighbors to
deceive attackers into believing that
this node is important.
▫ Tradeoff
 Channel capacity
▫ Triggers when node compromising
actions are detected by the nodes in
the topology and the defender think
it helps to turn on this function.
2011/5/16
Defender(cont’)
• Channel Surfing[1]
▫ Effect:
 Change frequency to another free channel to prevent from being jammed(with the
help of honeynode) or reduce jamming effect.
▫ Tradeoff
 Availability
▫ Triggers when jamming attacks are detected by the nodes in the topology.
• Population re-allocation
▫ Effect:
 Reduce jamming effectiveness by re-allocating users.
▫ Strategies
 Average population
 Average traffic
▫ Tradeoff
 QoS
▫ Triggers when node compromising actions are detected by the nodes in the
topology and the defender think it helps to turn on this function.
2011/5/16
Defender(cont’)
• Jammer localization[2]
▫ Effect:
 Localize jammer by exploiting hearing
ranges of boundary nodes to permanently
remove jammer from the topology.
▫ Strategies
 Importance oriented
 Difficulty oriented
▫ Tradeoff
 Budget
 QoS
▫ Triggers QoS constraints has not been met.
[2]
Z. Liu, et al., "Wireless Jamming Localization by Exploiting Nodes’ Hearing Ranges," in Distributed Computing
in Sensor Systems. vol. 6131, R. Rajaraman, et al., Eds., ed: Springer Berlin / Heidelberg, 2010, pp. 348-361.
2011/5/16
[3]
Total Attackers
F. Cohen. Managing Network Security: Attack
and Defense Strategies. Available:
http://www.blacksheepnetworks.com/security/info/misc/9907
.html
2011/5/16
Attacker’s Next Hop Selecting Criteria
2011/5/16
Preferences Next Hop Selecting Criteria of
Strategies
Aggressive
Least
resistance
High
↑
↓
Low
↓
High
Easiest to
find
Stealthy
Topology
extending
-
X
-
↑
-
○
-
-
-
○
X
-
Low
-
-
X
○
-
High
-
-
○
-
X
Low
-
-
X
-
○
Defense Resource
Traffic Amount
Signal Strength
PS: ↑: Prefer when certain factor has high value
↓: Prefer when certain factor has low value
○: Purely prefer high
X : Purely prefer low
- : No preference
Random
2011/5/16
Attacker’s Attributes
• Budget
▫ General Distribution
▫ Preparing phase
 Node compromising
▫ Defending phase
 Buy jammers
(Quality of jammer will affect the effectiveness of jamming.)
▫ Effects:
 Goal of attacker
• Capability
▫ General Distribution
▫ Effects:
 Goal of attacker
 Probability of:
 compromising nodes
 seeing through false target
 seeing through fake routing table information
2011/5/16
Attacker’s Attributes(cont’)
• Mentality
▫ General Distribution
▫ Effects:
 Next hop criteria selection
 Preference of success probability of compromising nodes
 Preference of using fake routing table information
2011/5/16
Attacker’s Goal and Corresponding Strategies
• Maximize effectiveness
▫ Aggressive
▫ Easiest to find
▫ Random
• Maximize jammed range
▫
▫
▫
▫
Least resistance
Stealthy
Topology extending
Random
2011/5/16
Attacker’s Next Hop Selecting Criteria
• From Surface Information (communication channel)
▫ Defense Resource
▫ Signal Strength
▫ Traffic Amount
• From Depth Information (routing channel)
▫ Traffic Source
▫ Traffic Amount
2011/5/16
Attacker’s Strategy transition rule
n
vi  BaseValueConstFactori 
 TotalSuccessTimes
ij
j 1
n
 TotalAttackTimes
ij
j 1
ContFactori  ci   k
ci is the continus success times for strategy i
 k is the level of risk avoidance for attacker k
• Probability to choose strategy i :
n
• Strategyi’s success rate:
vi
n
v
i 1
i
 TotalSuccessTimes
ij
j 1
n
 TotalAttackTimes
j 1
ij
1
1
1
1
2011/5/16
Attacker’s Next Hop Selecting Criteria
Transition Rule
v j  BaseValue
ConstFactorj

TotalSuccessTimes j  1
TotalAttackTimes j  1
 pref (i, j )  diff ( j )
ContFactorj  c j   k
 MaxOfCriteria j  MinOfCriteria j

1

,
when
the
criteria
is
from
deep
information


MaxOfCriteria j
diff ( j )  

0

, otherwise


ci is the continus success times for next hop selecting criteria j
 k is the level of risk avoidance for attacker k
pref (i, j ) is the preference of strategy i of criteria j
vj
n
• Probability of strategy i to choose criteria j :  v j
j 1
• Criteraj’s success rate:
TotalSuccessTimes j  1
TotalAttackTimes j  1
2011/5/16
Attacker’s Next Hop Selecting Criteria
Transition Rule(cont’)
Value of pref(i,j)
Least
resistance
Aggressive
High
Defense Resource
 CurrentBudget 

 TotalBudget 
1.5  
k
Easiest
to find
Stealthy
Topology
extending



1
0.5
1
 CurrentBudget 

 TotalBudget 
1
1.5
1


0.5   1 
CurrentBudget
TotalBudget
k
k
k
Low


0.5   1 
CurrentBudget
TotalBudget
k
k



1.5  
k
k
High
1
1
1.5
0.5
1
Low
1
1
0.5
1.5
1
High
1
1
1.5
1
0.5
Low
1
1
0.5
1
1.5
Traffic Amount
Signal Strength
PS: ↑: Prefer when certain factor has high value
↓: Prefer when certain factor has low value
○: Purely prefer high
X : Purely prefer low
- : No preference
Random
2011/5/16
Contest Success Function
WAm (T )
WAm (T )  WDm (t )
WAm (T )  T  (1  Capability ) 
m
WDm (t )  t m
•
•
•
•
Determine the success probability of the attacker.
Attackers will set a probability of success according to its mentality.
WAm (T ) : Function of attacker’s attack effectiveness.
WDm (t ) : Function of defender’s defense effectiveness.
2011/5/16
Risk Level
• For fake traffic generator
pathDefenseResourceij
maxLinkDegree  linkDegree j
pathToNode j
pathToCoreNode j

 w2 
 w3 
+w4 
, when i 
 w1 
Vij  
maxPathDefenseResource
maxLinkDegree
maxPathToNode
maxPathToCoreNode
1, otherwise

• Vij computes when node i compromising action are detected.
• Vij is the risk level of honeynode j with fake traffic generating function.
• Vij determines whether to turn on fake traffic generating function or not.
•
Factor of defense strength of path from nodes being attacked to nodes equipped with the function:
pathDefenseResourceij
maxPathDefenseResource
•
Factor of link degree of nodes equipped with the function:
maxLinkDegree  linkDegree j
maxLinkDegree
pathToNode j
•
Factor of distance between nodes being attacked and nodes equipped with the function:maxPathToNode
•
Factor of distance between nodes equipped with the function and nearest BS: maxPathToCoreNode
pathToCoreNode j

j



2011/5/16
Risk Level(cont’)
• For population re-allocation
pathDefenseResourceij
maxLinkDegree  linkDegree j
pathToNode j

maxUserNum  maxNeighborUserNumi
 w2 
 w3 
 w4 
, when i 
 w1 
Vij  
maxUserNum
maxPathDefenseResource
maxLinkDegree
maxPathToNode
0, otherwise


j



• Vij computes when node i compromising action are detected.
• Vij is the risk level of node j with population re-allocation function.
• Vij determines whether to turn on population re-allocation function or not.
•
•
Factor of user numbers of nodes being attacked and its neighbor
Factor of defense strength of path from nodes being attacked to nodes equipped with the function:
maxLinkDegree  linkDegree j
maxLinkDegree
• Factor of link degree of nodes equipped with the function:
pathToNode j
maxPathToNode
pathToCoreNode j
• Factor of distance between nodes being attacked and nodes equipped with the function:maxPathToCoreNode
2011/5/16
The End
• Thanks for your attention.
Mathematical Formulation
2011/5/16
Assumptions
1.
The communications between mesh routers and between mesh routers and
mesh clients use different communication protocol.
2.
All the packets are encrypted. Thus, the attacker can’t directly obtain
information in the communication channels.
3.
The defender has complete information of the network which is attacked by a
single attacker with different strategies.
4.
The attacker is not aware of the topology of the network. Namely, it doesn’t
know that there are honeynodes in the network and which nodes are
important, i.e., the attacker only has incomplete information of the network.
2011/5/16
Assumptions(cont’)
5.
There are two kinds of defense resources, the non-deception based resources
and the deception based resources.
6.
There are multiple jammers in the network, and their jamming ranges might
overlap.
7.
There is only constructive interference between jamming signals.
2011/5/16
Given parameters
Notation
Description
N
The index set of all nodes
H
The index set of all honeynodes
P
The index set of the nodes with channel surfing technique
Q
The index set of the nodes with precise localization technique
R
The index set of the nodes with detection technique
2011/5/16
Given parameters
Notation
Description
B
The defender’s total budget
Z
All possible attack configuration, including attacker’s attributes and
corresponding strategies.
E
All possible defense configuration, including defense resources
allocation and defending strategies
F
Total attacking times of all attackers
Ai
An attack configuration, including the attributes and corresponding
strategies , where 1≤ i ≤ F
1 if the attacker can achieve his goal successfully, and 0 otherwise,
Ti ( D, Ai ) where 1≤ i ≤ F
2011/5/16
Given parameters
Notation
Description
m(ρi)
The cost of constructing a node with the quality with quality ρi, where
i∈N
ni
The non-deception based defense resources allocated to node i, where
i∈N
h(εi)
The cost of constructing a honeynode with the interactive capability εi,
where i∈H
a(φ)
The cost of constructing static locators with the density φ
b
The cost of constructing a channel surfing function to one node
c
The cost of constructing a precise localization technique to one node
d
The cost of constructing a detection technique to one node
t(ρi)
The maximum traffic of node i with quality ρi, where i∈N
2011/5/16
Decision variables
Notation
Description
D
The information regarding resources allocating and defending
wi
1 if node i is equipped with honeynode function, and 0 otherwise,
where i∈N
xi
1 if node i is equipped with channel surfing function, and 0 otherwise,
where i∈N
yi
1 if node i is implemented with precise localization technique
, and 0 otherwise, where i∈N
zi
1 if node i is implemented with the detection technique, and 0
otherwise, where i∈N
εi
The interactive capability of honeypot i, where i∈N
ρi
The quality of node i, where i∈N
φ
The density of static locator
2011/5/16
Objective function
F
 T ( D, A )
min
D
i 1
i
i
F
(IP 1)
2011/5/16
Constraints
• Defender’s budget constraints
DE
Ai  Z
(IP 1.1)
(IP 1.2)
2011/5/16
Constraints
• Defender’s budget constraints
N
N
H
P
 m(  )   n   w  h( )  a( )   x  b
i 1
i
i 1
Q
R
i 1
i 1
i
i 1
i
  yi  c   zi  d  B
i
i 1
i
(IP 1.3)
2011/5/16
Constraints
• Defender’s budget constraints
N
 m(  )  B
(IP 1.4)
i
i 1
N
 ni  B
(IP 1.5)
i 1
H
 w  h( )  B
(IP 1.6)
a( )  B
(IP 1.7)
i 1
i
i
2011/5/16
Constraints
• Defender’s budget constraints
P
 x b  B
i 1
(IP 1.8)
i
Q
 yi  c  B
(IP 1.9)
i 1
R
zi  d  B

i 1
(IP 1.10)
2011/5/16
Constraints
• QoS constraints
▫ QoS is a function of:
1.
2.
3.
4.
5.
6.
7.

BS loading
Utilization of mesh routers on the path to BS
Hops to core node
Fake traffic effect,
Population re-allocation effect
Channel surfing effect
Jammer removal
Y
y 1
Q( LBS ,U link , H tocore , Feffect , Peffect , I effect , J effect )dy
Y
 Qthreshold
(IP 1.11)
2011/5/16
Constraints
• QoS constraints
▫ QoS after population re-allocation  Qthreshold
(IP 1.12)
▫ The performance reduction cause by the jammed node should not
violate IP1.11.
(IP 1.13)
▫ The performance reduction cause by the channel surfing should
(IP 1.14)
not violate IP1.11.
2011/5/16
Constraints
• Channel surfing constraints
▫ The mesh router must equipped with channel surfing technique.(IP 1.15)
▫ The next channel to be selected must not be in use.
(IP 1.16)
▫ Channel surfing function triggers only if the jammed channel is(IP 1.17)
not a fake channel.
• Population re-allocation constraints
▫ The mesh clients to be re-allocated must be in the transmission (IP 1.18)
range of the mesh routers other than current mesh router.
▫ The total traffic of the mesh router i after re-allocation must not
(IP 1.19)
exceed the maximum traffic limit t(ρi), where i∈N.
2011/5/16
Constraints
• Approximate localization
▫ There must be at least three available reference points which is
(IP 1.20)
under the effect of jamming attack in the jammed channel.
• Precise localization
▫ There must be at least one mobile locator in the network.
(IP 1.21)
• Fake traffic
▫ The fake traffic sent to mesh router i from the honeynodes must not
make it exceed the maximum traffic limit t(ρi), where i∈N
(IP 1.22)
2011/5/16
Constraints
• Integer constraints
wi  0 or 1
i  N
(IP 1.23)
xi  0 or 1
yi  0 or 1
zi  0 or 1
i  N
(IP 1.24)
i  N
(IP 1.25)
i  N
(IP 1.26)