ARSENAL: a cross layer ARchitecture for SEcure resilieNt tacticAL mobile ad hoc networks

Faculty: David Tipper and Prashant Krishnamurthy
Students: Thaier Hayajneh, Tae-Hoon Kim, Siriluck Tipmongkonsilp, Razvi Doouman, and Korporn Panyim
University of Pittsburgh

Background
"Ad-Hoc" – Latin "for this purpose only"
Tactical Ad-Hoc Networks
– A collection of communicating nodes that self-configure
– Nodes are mobile, having differing capabilities
– Communicate over wireless links in multi-hop peer-to-peer fashion (no fixed infrastructure)


Post on 03-Oct-2021


Participants
UC-Davis (lead), UC-Riverside, UC-Santa Barbara, UC-Irvine, BYU

Network: Proactive, Reactive
MAC: Contention-free, contention-based
Physical: 802.11, Proprietary
ARSENAL Project
Critical Research Issue
How can one increase the security and resilience of tactical mobile ad hoc networks (MANETs)?
Why Important?
– Tactical MANETs are an important part of military communications infrastructure
– Operate in an open, un-trusted environment
– Face a set of unique challenges: wireless channel characteristics, node mobility, and attacks
– Performing measurements via real deployments to enhance our understanding of layer dependencies and vulnerabilities in MANETs
– Build analytical models to characterize the behavioral nuances of these networks and applications
– Design new cross layer protocols that will protect against vulnerabilities and provide the desired robustness, security, and fault-tolerance
/critical points
– Developing cross layer approaches to strengthen critical points or reduce their importance (Joint with UC Irvine)
Security
– Detecting & mitigating the effects of cryptographic resistant attacks
  » Wormholes
  » Packet Dropping/Jamming
Analysis Techniques for MANETs
– Verifying/improving with UC Davis test-bed data

Alternate routes with spare capacity between communication partners
In MANETs, robustness is a challenge
Connectivity in MANETs
Topological connectivity is a prerequisite to applying many robustness techniques (e.g., hot standby connection)
Want highly connected network
– k-connectivity: every pair of nodes has k node-disjoint paths
– The probability that the network is k-connected is less than or equal to the probability that the minimum node degree is greater than or equal to k

$$P(\text{network is } k\text{-connected}) \le P(d_{\min} \ge k)$$

Many papers examine the effects of power level, node density, etc., on connectivity
– Asymptotic results under idealized assumptions (e.g., identical nodes with UDG propagation, etc.)
  » Typically use P(dmin > k) as a proxy for k-connectivity
Minimum node degree does not guarantee k-connectivity, especially in sparse networks
– Necessary condition, not sufficient
Example
– 1000 random connected topologies with 75, 100, 125, 150, and 175 nodes in 1500x1500 m², identical nodes each with 250 m range, 95% confidence intervals on results
k = 3
connectivity due to existence of critical points in topology
Critical points: bridge links and articulation nodes
– Bridge link D-E
– Articulation node D
• Can we develop an algorithm to identify these critical/weak points in the topology?
• How one defines critical points depends on number of disjoint paths desired
Critical Point Identification Algorithm
Use results from algebraic graph theory to develop critical point identification algorithm
– Multiplicity of the zero eigenvalue of the Laplacian matrix of a graph is equivalent to the number of connected components in the graph [C. Godsil and G. Royle, Algebraic Graph Theory, 2001]
– Laplacian is L(t) = D(t) – A(t), where D(t) is the diagonal matrix of node degrees and A(t) is the adjacency matrix
Steps of Algorithm
1. Test point is chosen to check its critical status
2. Eliminate test point i from the adjacency matrix A and recompute the nodal degrees in D. If i is a node then remove row i and column i from A and adjust D; if i is a link then set the appropriate link values in A to zero and adjust the nodal degrees in D
3. Compute the eigenvalues of the Laplacian matrix L
4. If there exists more than one zero among the Laplacian eigenvalues then i is a critical point; otherwise i is not critical and the network is still connected
5. Choose next test point and go back to step 2
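The five steps above as an added example (not code from the slides or the ARSENAL project). The function names and the six-node topology are constructed for illustration, and the count of zero eigenvalues is obtained as n − rank(L) by exact Gaussian elimination instead of a numerical eigen-solver, which gives the same number for the symmetric Laplacian.

```python
from fractions import Fraction

# Constructed topology (not from the slides): triangles A-B-D and E-F-G joined by link D-E.
NODES = list("ABDEFG")
EDGES = [("A", "B"), ("A", "D"), ("B", "D"), ("D", "E"),
         ("E", "F"), ("E", "G"), ("F", "G")]

def laplacian(nodes, edges):
    """L = D - A for an undirected graph."""
    idx = {v: i for i, v in enumerate(nodes)}
    L = [[Fraction(0)] * len(nodes) for _ in nodes]
    for u, v in edges:
        i, j = idx[u], idx[v]
        L[i][j] -= 1
        L[j][i] -= 1
        L[i][i] += 1
        L[j][j] += 1
    return L

def zero_eigenvalue_count(L):
    """Multiplicity of eigenvalue 0, computed as n - rank(L) (valid for symmetric L)."""
    M, n, rank = [row[:] for row in L], len(L), 0
    for col in range(n):
        pivot = next((r for r in range(rank, n) if M[r][col] != 0), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        for r in range(rank + 1, n):
            f = M[r][col] / M[rank][col]
            M[r] = [a - f * b for a, b in zip(M[r], M[rank])]
        rank += 1
    return n - rank

def critical_points(nodes, edges):
    """Steps 1-5: drop each node or link in turn; more than one zero eigenvalue = critical."""
    crit_nodes = [v for v in nodes if zero_eigenvalue_count(
        laplacian([x for x in nodes if x != v], [e for e in edges if v not in e])) > 1]
    crit_links = [e for e in edges if zero_eigenvalue_count(
        laplacian(nodes, [x for x in edges if x != e])) > 1]
    return crit_nodes, crit_links

if __name__ == "__main__":
    print(critical_points(NODES, EDGES))
```

In this topology every node has degree at least 2, yet D and E are articulation nodes and D-E is a bridge, which is the gap between minimum node degree and k-connectivity that the slides point out.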
Numerical Results
100 connected uniformly distributed network topologies with different number of nodes in 1500x1500 m² for Figure 1
Average number of single critical points decreases when the network is denser, while average node degree and the number of disjoint paths increase
Figure 1. Average number of critical points
Mobility effects
– 3 different scenarios over 1000 seconds of simulation time using RWP
– 125 nodes over 1500x1500 m²
– Snapshots every 100 seconds
– Count number of critical points in each snapshot
– Figure shows number of critical points varies over time
Numerical Results
Effect of limited information
– Use H hop local information to determine critical point
– Algorithm same, reduced L matrix
Example
– Node A is a critical node when H is 3 (false positive)
– Node A is not a critical node when global information is used
100 connected topologies examined for k = 3, 4, 5, and 6 in 50, 65, 75, 85, 100, and 125 nodes in 1500x1500 m²
False positive decreases as H value increases
Current/Planned Robustness Work
– Adaptive/incremental computation
– Extending approach to asymmetric links
– Incorporation of cross layer info into critical point detection, like ETX, signal strength, etc.
– Developing techniques to strengthen critical points or reduce their importance
  » increase/decrease power
  » reposition nodes to provide alternate path
point, etc
Security Work
A physical wormhole is a connection between two physical locations in the network controlled by an adversary
– Attracts traffic flow due to appearance of short route
S: sender node, D: destination; M1 and M2 are the transceivers of the wormhole link
Initial Accomplishments in Security
Wormhole Attack
– Developed "DeWorm", a simple protocol to effectively detect physical wormhole attacks
  » Does not need any special hardware, location or synchronization requirements
  » Extensive simulations showing effectiveness, overhead, etc.
Overhead Idea
Step 1
– Node S wants to communicate with node D, and the shortest path provided by some standard routing protocol is (S-A-B-C-E-D)
Step 2
– The sender will discover all its one-hop neighbors by broadcasting a "hello" message
Step 3
– The one-hop neighbors (A, 1, 2, 3) of the sender will hear the hello message and will reply to the sender
Step 4
– S will ask nodes 1, 2, and 3 to find a route to the target node, in this case node B, which does not go through any node from the one-hop neighbors
– The neighbors will reply with their route length (4, 2, and 2). The sender will pick the longest route as the selected route
Step 5
– If the number of hops of the selected route minus 2 hops is greater than the sensitivity parameter (chosen as 2 in this example) then the sender will assume that a wormhole is detected. In this example the selected route minus 2 will be 4 - 2 = 2, which is not greater than the sensitivity parameter. Thus, no wormhole is detected
Step 6
– The next hop, node A, will become the new "sender" (there is now a new target as well: C)
Step 7
– Steps numbered 2 to 6 will be repeated by the new sender until either a wormhole is detected or the destination node is reached (i.e., the sender node becomes the last node on the route before the destination)

Node A will pick nodes 3 and 4. The length of the routes will be 4 and 2. Again the wormhole is not yet detected
Node B (which is within the transmission range of M1) becomes the new sender; the new target now is node E
Node B will ask its neighbors, nodes 4, 6, 7, 8, 9, 10, to find a route to node E. The selected route will be from node 4; the length of the route is 11. Thus we have 11 – 2 = 9 > 2: wormhole is detected
Why did DeWorm work?
Nodes at M2 side were all avoided; wormhole link will never be used
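A simplified simulation of Steps 2 to 7, added here as an example (it is not the DeWorm implementation or code from the slides). Assumptions: the ladder topology and node names are constructed, the wormhole is modelled as a single link that makes T1 and T6 appear adjacent, route length is counted in hops from the queried neighbor to the target, and alternate routes avoid the sender and its other one-hop neighbors.

```python
from collections import deque

def shortest_hops(adj, src, dst, banned):
    """BFS hop count from src to dst without entering a banned node; None if no route."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            return hops
        for nxt in adj[node] - banned - seen:
            seen.add(nxt)
            queue.append((nxt, hops + 1))
    return None

def deworm(adj, route, sensitivity=2):
    """Walk the route (Steps 2-7); return the sender that flags a wormhole, else None."""
    for i in range(len(route) - 2):
        sender, next_hop, target = route[i], route[i + 1], route[i + 2]
        one_hop = set(adj[sender])                       # Steps 2-3: hello and replies
        lengths = []
        for helper in one_hop - {next_hop, target}:      # Step 4: ask the other neighbors
            banned = (one_hop | {sender}) - {helper, target}
            hops = shortest_hops(adj, helper, target, banned)
            if hops is not None:
                lengths.append(hops)
        if lengths and max(lengths) - 2 > sensitivity:   # Step 5: longest route minus 2
            return sender
    return None                                          # Step 7: end of route reached

def ladder(n, wormhole=None):
    """Constructed topology: rows T0..Tn-1 and B0..Bn-1 joined by rungs, optional wormhole."""
    adj = {f"{r}{i}": set() for r in "TB" for i in range(n)}
    links = [(f"T{i}", f"B{i}") for i in range(n)]
    links += [(f"{r}{i}", f"{r}{i + 1}") for r in "TB" for i in range(n - 1)]
    if wormhole:
        links.append(wormhole)
    for u, v in links:
        adj[u].add(v)
        adj[v].add(u)
    return adj

WORMHOLE = ("T1", "T6")                         # constructed wormhole endpoints
CLEAN_ROUTE = [f"T{i}" for i in range(8)]       # route without the wormhole
WORMHOLE_ROUTE = ["T0", "T1", "T6", "T7"]       # "short" route the wormhole advertises

if __name__ == "__main__":
    print(deworm(ladder(8), CLEAN_ROUTE), deworm(ladder(8, WORMHOLE), WORMHOLE_ROUTE))
```

On the clean ladder every alternate route is 3 hops, so 3 - 2 = 1 stays below the sensitivity parameter; with the wormhole, T0's neighbor B0 needs 7 hops to reach T6 and 7 - 2 = 5 > 2 flags the route.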
Initial Accomplishments in Security
Malicious Packet Drops/Jamming
– Developed model to diagnose causes of packet loss in 802.11 networks
  » Distinguishes between collisions, channel error and malicious behavior
  » Ongoing work extending this to include buffer overflows
  » Simulations to evaluate the effectiveness
  » Paper to appear in Proceedings of ICC 2009
– Collected preliminary measurements on jamming 802.11 with signal generator
Causes of Packet Loss in Ad Hoc Networks
– Collisions
– Channel Error
– Buffer overflow
– Malicious dropping
"Modeling Dynamic Behavior for Mobile Ad-Hoc Networks"
Performance of MANETs normally relies on standard simulators using steady-state statistical analysis
Issues of accuracy and scalability on standard simulation tools (ns2, Qualnet, etc)
New approach: Analytical based performance model
– Focus on both time-varying and steady state behavior
model (i.e., mobility model, traffic patterns, etc)
( )( ) ( ) ( ) 1 ( )


,

• Fluid flow model to represent network queues
• Analytical approach is accurate in comparison to simulation model and enables the scalable study of the dynamics of MANET behavior
• Currently trying to validate with measurements from UC-Davis
– Actively encouraging collaboration across the universities (hosting group meeting at Pitt in April)
Pitt focus
– Robustness
  » Topological connectivity
– Security
– Modeling
  » Network Layer performance
Dynamic Data Driven Defense Mechanisms for Cybersecurity
NSF exploratory project with J. Joshi and P. Krishnamurthy
Problem
– How to defend against large scale distributed DOS attacks and intrusions
Technical Approach
– Collaborative adaptive defense infrastructure
  » Place Sentinels throughout network
  » Sentinels watch traffic (probabilistic inspection of packets) for anomalies
  » Sentinels collaborate to deploy packet filtering firewalls based on observed data
  » Dynamically redeploy Sentinels based on data
MiMANSaS: Metrics, Models and Analysis of Network Security and Survivability, NSF CT-ER Grant
NSF Cybertrust Exploratory Grant with Kishor Trivedi - Duke University and Deep Medhi - University of Missouri
Problem
– How to measure and model Information Security/Assurance levels?
– Can one evaluate tradeoffs between levels of IA, performance and cost?
Technical Approach
– Develop a unified set of dependability and security metrics and associated modeling framework
– Unify attack graphs and fault trees into a common scalable framework with a well defined set of metrics and application scenarios
– Extend the basic model to include state information, stochastic properties and rewards via Markov chain models
Other Research Interests
1. Network Design and Survivability
– Multi-layer survivable network design
– Risk based approaches to survivable design
– Resilient Infrastructure Protection
2. Network Control and Traffic Engineering
– Signaling overload control
– Traffic restoration protocols
4. Information Assurance