
Intrusion Monitoring of Malicious Routing Behavior

Poornima Balasubramanyam

Karl Levitt

Computer Security Laboratory

Department of Computer Science

UC Davis

UC Davis SecLab MURI, October 2002

Security Threats

• Outsider attacks

– infiltrate routing process

– modify routing information

– cause redirection of network traffic, DoS attacks, etc.

– countermeasure: use of strong integrity mechanisms

Security Threats – Contd.

• Insider attacks

– Compromised rogue routers

• legitimately participate in routing protocol

• influence local routing behavior

• actively disrupt global routing behavior

– Integrity mechanisms are in place

• Routers do not masquerade as other routers

– Integrity mechanisms are not in place

• Routers masquerade as other routers.

Intrusion Monitoring of Networks

• Most intrusion monitoring is fine-grained

– E.g., network packet analysis

• Some intrusions require higher level monitoring

– Intrusive behavior may be visible earlier

• Our approach is aimed at multi-grained intrusion monitoring

Sample Network

[Figure: sample network topology inside one AS, divided into Area 1, Area 2 and Area 3, with routers R1 to R13 and hosts H1 and H2.]

Link R4-R5 Is Down

[Figure: the same sample network (Areas 1 to 3, routers R1 to R13, hosts H1 and H2) with link R4-R5 down.]

Newly Isolated Node – R5; Single Point of Connection – R6

[Figure: the same sample network after the R4-R5 link failure; R5 is the newly isolated node and R6 the single point of connection.]

Centrality of R6 greater even if degree of R6 unchanged

[Figure: detail of the AS showing Areas 1, 2 and 3 with routers R4, R5, R6, R10 and R11.]

Isolated Node – R5; Centrality of Routers R10, R11, R12 Increases

[Figure: detail of the AS showing Areas 1, 2 and 3 with routers R4, R5, R6, R10, R11 and R12.]

Subnet Failure

[Figure: the sample network (Areas 1 to 3, routers R1 to R13, hosts H1 and H2) with a subnet failure.]

Link Failure

[Figure: the sample network with a single link failure.]

Second Link Failure – Temporal Failure Correlation

[Figure: the sample network with a second link failure.]

Centrality of R5 Increases Enormously. Result: Large Scale Traffic Redirection

[Figure: the sample network after the link failures, with R5 now carrying the redirected traffic.]

Compromised Routers

Legitimately participate in routing protocol

– Integrity mechanisms are in place

• Routers do not masquerade as other routers

• May place themselves in more routing paths

• Influence local routing behavior

• Actively disrupt global routing behavior

– Suitable response

• Place routers out of legitimate routing process before disruption is too great

Compromised Routers - Contd.

Legitimately participate in routing protocol

– Integrity mechanisms are not in place

• Routers masquerade as other routers

• Spoofing attack on victim routers

• Rogue router remains invisible

– Suitable Response

• Re-route overloaded router traffic and enforce traffic congestion control policies

Centrality Analysis

• Captures structurally central part of a network

• Depends on point of view

– may be nodes with most direct connections to neighbors, or

– nodes that are most connected to network, or

– the nodes that are closest to other points

• Degree Centrality

– Number of nodes to which a node is directly linked

– Reflective of potential communication activity

– Measure of vulnerability of node since high degree nodes will be less vulnerable to attack

– Node of low degree is isolated and cut off from active participation in ongoing network activity

• Degree Centrality of a node is given by:

$$C_D(p_k) = \sum_{i=1}^{n} a(p_i, p_k)$$

where $a(p_i, p_k) = 1$ iff $p_i$ and $p_k$ have an edge connecting them, and $0$ otherwise.

• Betweenness centrality

– Based on frequency with which a node falls between pairs of other points on shortest paths between them

– Overall index determined by summing partial values for all unordered pairs of points

– Betweenness centrality of a node is greater if it lies on a greater number of shortest paths between other node pairs

– Defines potential for control of communication

Betweenness Centrality of a node

Given nodes $p_i$ and $p_j$ with $g_{ij}$ geodesics (shortest paths) between them, the probability of using any one of these paths is given by

$$\frac{1}{g_{ij}}$$

Betweenness Centrality of a Node – Contd.

• Thus, if $g_{ij}(p_k)$ = # of geodesics between $p_i$ and $p_j$ that contain $p_k$, then the probability that $p_k$ falls on a randomly selected geodesic linking $p_i$ and $p_j$ is given by

$$b_{ij}(p_k) = \frac{g_{ij}(p_k)}{g_{ij}}$$

• Betweenness Centrality of a node – contd.

The overall centrality of a node $p_k$ is determined by summing the partial probabilities for all unordered pairs of points. Thus,

$$C_B(p_k) = \sum_{i=1}^{n} \sum_{j=1}^{n} b_{ij}(p_k)$$

where $i \ne j \ne k$ and each unordered pair $\{p_i, p_j\}$ is counted once.

• When a node falls on the only shortest path between a pair of points, the centrality of the point increments by 1

• applicable in straightforward routing

• With alternate geodesics, the centrality index grows in proportion to the frequency of occurrence of that node among the alternatives

• applicable in equal-cost multi-path routing
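As an added example (not code from the slides or the authors), the degree and betweenness definitions above computed over an unweighted router graph, with fractional credit for equal-cost alternatives as the slide describes; link_down lets you replay the link-failure scenarios from the earlier slides and watch a neighbour's centrality rise. The function names and any topology fed to it are assumptions of this example.

```python
from collections import deque
from itertools import combinations

def adjacency(links):
    """Undirected adjacency sets from a list of (a, b) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def degree_centrality(adj):
    """C_D(p_k): number of nodes directly linked to p_k."""
    return {k: len(nbrs) for k, nbrs in adj.items()}

def geodesic_counts(adj, src):
    """BFS from src: hop distance and number of geodesics g_{src,v} to each node."""
    dist, sigma, queue = {src: 0}, {src: 1}, deque([src])
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in dist:                 # first visit: one hop further out
                dist[w], sigma[w] = dist[v] + 1, 0
                queue.append(w)
            if dist[w] == dist[v] + 1:        # v lies on a geodesic src -> w
                sigma[w] += sigma[v]
    return dist, sigma

def betweenness_centrality(adj):
    """Freeman C_B(p_k): sum over unordered pairs {p_i, p_j} of
    b_ij(p_k) = g_ij(p_k) / g_ij, so equal-cost alternatives share the credit."""
    sp = {v: geodesic_counts(adj, v) for v in adj}
    cb = {v: 0.0 for v in adj}
    for i, j in combinations(adj, 2):
        d_i, g_i = sp[i]
        if j not in d_i:                      # no path at all, so no geodesic
            continue
        for k in adj:
            if k in (i, j) or k not in d_i:
                continue
            d_k, g_k = sp[k]
            # p_k is on an i-j geodesic iff d(i,k) + d(k,j) == d(i,j), and then
            # g_ij(p_k) = g_ik * g_kj (each i-k geodesic joins each k-j one)
            if d_i[k] + d_k[j] == d_i[j]:
                cb[k] += g_i[k] * g_k[j] / g_i[j]
    return cb

def link_down(links, a, b):
    """Topology after link a-b fails (the 'Link R4-R5 Is Down' scenario)."""
    return [link for link in links if set(link) != {a, b}]
```

This is the O(n^3)-style all-pairs summation the next slide calls costly; it is meant to make the definition concrete, not to scale.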

• Computation of betweenness centrality

– Traditional summation methods are very costly, requiring O(n^3) time and O(n^2) space for n nodes and e edges

• Approaches to resolve computational issues

• Modified definitions

– egocentric approach

– simplified egocentric approaches

• Heuristics

– Exploit sparsity of connections in large networks

– Exploit correlation between degree centrality and betweenness centrality

• Recent Work in Intra-domain Routing Protocols (Application to OSPF)

– Modified Definition of Betweenness Centrality:

• Centrality of a node is determined with respect to root router of SPF tree

– Advantages

• Each router independently computes betweenness centrality indices of other routers

• Piggyback betweenness centrality computation within Dijkstra SPF algorithm at each router

• Each router can adopt independent response decisions based on this metric
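Added example, not the authors' implementation: one way to piggyback the root-relative betweenness on a single Dijkstra SPF run, as the slide proposes, so that each router computes the indices of the other routers from its own SPF tree with equal-cost paths sharing credit. The adjacency format, the function names and the watch_list threshold are assumptions of this example.

```python
import heapq

def spf_betweenness(adj, root):
    """One Dijkstra SPF run from root, then a reverse sweep over the SPF DAG.
    Returns (dist, cb) with cb[k] = sum over destinations t of
    b_{root,t}(p_k) = g_{root,t}(p_k) / g_{root,t}: betweenness as seen by root.
    adj maps router -> {neighbour: link cost}; costs must be positive."""
    dist, sigma = {root: 0}, {root: 1}    # path cost, number of equal-cost paths
    preds = {v: [] for v in adj}          # SPF DAG: predecessors on geodesics
    settled, order, heap = set(), [], [(0, root)]
    while heap:
        d, v = heapq.heappop(heap)
        if v in settled:
            continue
        settled.add(v)
        order.append(v)                   # settled in non-decreasing cost
        for w, cost in adj[v].items():
            nd = d + cost
            if nd < dist.get(w, float("inf")):       # strictly shorter path
                dist[w], sigma[w], preds[w] = nd, sigma[v], [v]
                heapq.heappush(heap, (nd, w))
            elif nd == dist[w] and w not in settled:  # equal-cost path (ECMP)
                sigma[w] += sigma[v]
                preds[w].append(v)
    # Reverse sweep: each node's share of the root's geodesics to farther
    # destinations is handed back to its predecessors in the SPF DAG, so the
    # root learns how much of its traffic would transit every other router.
    cb = {v: 0.0 for v in adj}
    for w in reversed(order):
        for v in preds[w]:
            cb[v] += sigma[v] / sigma[w] * (1.0 + cb[w])
    cb[root] = 0.0                        # the root is an endpoint, never between
    return dist, cb

def watch_list(adj, root, threshold):
    """Routers whose root-relative betweenness reaches threshold: the ones a
    router would monitor, or re-route around, after a topology change."""
    _, cb = spf_betweenness(adj, root)
    return sorted(k for k, c in cb.items() if c >= threshold)
```

Running it before and after deleting a link shows the single-point-of-connection effect from the earlier slides: the surviving neighbour's index jumps even though its degree does not.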

• Centrality Analysis in Ad hoc Networks

– Points of Interest

• Absence of communication infrastructure

• Each mobile node must also perform the duties of router

• Dynamically establish routing among themselves to form ad hoc network

– Routing Protocols being considered

• Two routing protocols considered for standardization by IETF, namely, DSR and AODV

• Hybrid ad hoc routing protocols that employ clustering and hierarchical techniques

• Ongoing Work

– For each of DSR, AODV, other hybrids:

• Develop functionality that abstracts global centrality information locally

• Study role of heuristics in addressing computational issues

– Ego-centric approaches

– Correlation studies

• Study limits of approach

Ongoing Work – contd.

Simulate intrusive behavior of malicious ad hoc hosts involving

- dense, complex networks

- with high node mobility and

- substantial dynamic topologies

• Specific Tasks

• Modify ns-2 simulator modules to support elements of centrality analysis within ad hoc routing protocols

• Performance analysis of estimates of centrality in presence of both node mobility and dynamic topologies as well as under specific node failure/link failure scenarios

Fundamental Motivation for Monitoring Routing

– Provide a systematic framework for

• developing security specifications/constraints

• establishing bounds for secure network behavior

– Create a more secure enhancement to an existing protocol

– Develop a response mechanism for

• Isolating intrusive behavior of a malicious node

• Use as a QoS metric to prevent traffic congestion

• Aspects to this study

– describe knowledge available to each router

• As a response mechanism, study feasibility of employing this information as a metric for –

• Conclusions

– Abstract global network control behavior locally at a router

– Capture changing topology to detect network wide routing attacks

– Early detection possible

– Subverting such monitoring harder

– Selectively misrouted packets not detected with this approach
