Selective Forwarding Attack:
Detecting Colluding Nodes in
Wireless Mesh Networks
Shankar Karuppayah
National Advanced IPv6 Centre (NAv6)
Universiti Sains Malaysia
Network Security Workshop, February 14, 2012
Contents
Introduction
Problem Statement
Related Work
Our Proposed Mechanism
Result and Analysis
Conclusion and Future Work
Shankar Karuppayah
2/15
Introduction
Wireless mesh networks (WMNs)
Self-organized
Self-configured
Self-healing
Low up-front costs
Scalable
[Figure: WMN architecture. Mesh routers form a wireless mesh backbone, one of them acting as gateway/bridge to the Internet. Edge networks hang off the backbone: an IEEE 802.3 Ethernet LAN behind an Ethernet switch, an IEEE 802.11 wireless LAN behind a Wi-Fi access point, and an IEEE 802.16 WiMAX network behind a WiMAX base station.]
Introduction (cont.)
Overcomes last-mile Internet access problems
Advantages:
Adapts to dynamic topology changes
Distributed, cooperative routing
WMN applications:
Community networking
Disaster relief
Surveillance and monitoring
Vulnerabilities exist in WMNs because of:
Shared wireless medium
Distributed architecture
Problem Statement
Two types of attacks:
Passive attack
Active attack
Denial of service (DoS) attacks
Preventing legitimate users from accessing information, services or resources
Gray Hole attack
Also known as selective forwarding attack
A variation of the Black Hole attack: the attacker drops only some of the packets it should forward rather than all of them, which makes the loss look like ordinary wireless loss
Motivation of the attacks:
Rational (selfish) intentions
Malicious intentions
Either way, network performance deteriorates!
Problem Statement (cont.)
Existing security solutions
Cryptographic mechanisms
Public/private key exchange
Not entirely applicable in WMNs
Decentralized network architecture
Routers may be physically tampered with, or their software vulnerabilities exploited: a compromised router then holds valid keys and is still free to drop packets
The need for a non-cryptographic security mechanism arises
Related Work
Marti et al. introduce the watchdog
Monitoring principle: a node listens in "promiscuous" mode to check that its next hop actually forwards the packet
S. Banerjee proposes an algorithm to detect and remove Black/Gray Hole attackers
Splits transmission data into several blocks
Introduces prelude and postlude messages
Shila et al. introduce the Channel Aware Detection (CAD) algorithm to detect Gray Hole attackers
Considers normal losses:
Medium access collisions
Bad channel quality
CAD (Channel Aware Detection) Algorithm
Methodology:
Channel estimation (dynamic detection threshold)
Hop-by-hop packet loss monitoring
Data transmission: split into several blocks
New packet types:
PROBE packets
PROBE-ACK (PROBE replies)
When a node forwards a packet, WMN router nodes:
Maintain a count history
Buffer the link-layer acknowledgement (MAC-ACK) with the corresponding packet sequence number and behavior parameter
Overhear downstream traffic
Mark packets with an opinion
[Figure: forwarding path S -> v0 -> v1 -> v2 -> v3 -> D of WMN router nodes, with a malicious node on the path; per-node counters for the packets of one block are shown at each hop.]
However, the CAD algorithm will not be able to detect an attack in the event of colluding nodes.
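A toy monitor for the two CAD ingredients named above, channel estimation feeding a dynamic threshold and hop-by-hop loss counting, added here as an example. It is not Shila et al.'s code: the EWMA estimator, the ALPHA and MARGIN constants, the per-block decision rule, the hop names and all counters are assumptions constructed for the demo.

```python
"""Toy hop-by-hop loss monitor with a channel-aware (dynamic) threshold.

Added example for this transcript, not Shila et al.'s CAD implementation: the
EWMA estimator, MARGIN and the per-block decision rule are assumptions.
"""

ALPHA = 0.3    # assumed EWMA weight for the channel-loss estimate
MARGIN = 0.15  # assumed tolerance above the estimated normal loss


class HopMonitor:
    """State for one forwarding hop u -> v.

    Two counters feed it: packets u was seen (MAC-ACK / overhearing) to send
    towards v, and packets v reports having received.  PROBE / PROBE-ACK rounds
    give the channel estimate that raises the threshold on a genuinely bad link,
    so collision and fading losses are not mistaken for dropping.
    """

    def __init__(self, hop):
        self.hop = hop
        self.est_loss = None  # normal-loss estimate; None until the first PROBE round

    def update_channel(self, probes_sent, probes_acked):
        """Channel estimation from one PROBE round (assumed not dropped selectively)."""
        sample = 1.0 - probes_acked / probes_sent
        if self.est_loss is None:
            self.est_loss = sample
        else:
            self.est_loss = ALPHA * sample + (1 - ALPHA) * self.est_loss

    def threshold(self):
        """Dynamic detection threshold: estimated channel loss plus a fixed margin."""
        base = 0.0 if self.est_loss is None else self.est_loss
        return min(1.0, base + MARGIN)

    def check_block(self, data_sent, data_received):
        """Decision for one data block: (suspicious, observed_loss, threshold)."""
        loss = 1.0 - data_received / data_sent
        thr = self.threshold()
        return loss > thr, round(loss, 3), round(thr, 3)


def monitor_path(hops, probe_rounds, block):
    """Evaluate every hop of a path for one data block.

    hops: hop names in path order.
    probe_rounds: {hop: [(probes_sent, probes_acked), ...]}; a hop with no PROBE
                  history gets the bare MARGIN as its threshold.
    block: {hop: (data_sent, data_received)} counters for the block.
    Returns {hop: (suspicious, loss, threshold)}.
    """
    verdicts = {}
    for hop in hops:
        mon = HopMonitor(hop)
        for sent, acked in probe_rounds.get(hop, []):
            mon.update_channel(sent, acked)
        verdicts[hop] = mon.check_block(*block[hop])
    return verdicts


def demo():
    """Constructed counters for the path S -> v0 -> v1 -> v2 -> v3 -> D."""
    hops = ["S-v0", "v0-v1", "v1-v2", "v2-v3", "v3-D"]
    probe_rounds = {
        "v0-v1": [(10, 8), (10, 8), (10, 8)],  # honest but noisy link, ~20% channel loss
        "v2-v3": [(10, 10), (10, 10)],         # clean link; v2 forwards PROBEs faithfully
    }
    block = {
        "S-v0": (100, 99),
        "v0-v1": (99, 74),   # 25% loss, below the raised threshold of a 20% channel
        "v1-v2": (74, 73),
        "v2-v3": (73, 44),   # ~40% loss on a clean link: selective dropping at this hop
        "v3-D": (44, 44),
    }
    return monitor_path(hops, probe_rounds, block)


if __name__ == "__main__":
    for hop, (suspicious, loss, thr) in demo().items():
        print(f"{hop:6s} loss={loss:.3f} thr={thr:.3f} {'SUSPICIOUS' if suspicious else 'ok'}")
```

Run it and v2-v3 is the only hop over threshold, while the noisy v0-v1 hop stays clear because its PROBE history lifted the threshold. Note what the verdict cannot say: it names a hop, not an endpoint. Whether v2 dropped or v3 under-reported has to come from the neighbours' opinions, and two colluding neighbours can agree on a false one; that is the gap the following slides address.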
Assumptions
Routers have no energy constraints and have buffers of infinite size
Packet drops are due to:
Bad channel quality
Medium access collision
Presence of attackers
Free from general wireless attacks:
Sybil attacks
Jamming (signal) attacks
Colluding nodes are located next to each other
Route caching is used to mitigate overhead
Nodes have authentication methods implemented
CAD+ Algorithm
Retains existing features of CAD
Introduction of three new packet types:
Prelude
Prelude-Notify
Prelude-Ack
Destination keeps a list of monitoring nodes (MN)
MN monitors data packets received and forwarded by the node being monitored, based on the monitoring parameters
MN maintains an irregularities history
Source and Destination perform hashing on sent and received data packets respectively
Prelude (if applicable) towards Destination
When MN overhears a PROBE sent to Destination, it forwards the list of irregularities
Destination compares the reported irregularities with the list of hashed received packets and then replies to Source with a modified PROBE-ACK (including the filtered irregularities)
Source compares the filtered irregularities with the list of sent packets
Source refers to the verified irregularities list to conduct confirmation:
Count > COUNT_THRESH?
Interval > INTERVAL_THRESH?
[Figure: forwarding path S -> v0 -> v1 -> v2 -> v3 -> D of WMN router nodes; v2 is the malicious node. Each router vi on the path is watched by a monitoring node MNi that sits off the forwarding path and overhears vi's incoming and outgoing packets. The irregularities shown (dropping, alteration, injection) are those monitored by MN2 against v2. Data structures in the figure:
Monitoring Parameters (per monitoring node vs monitored node pair): Monitored Node, Next Hop, Incoming Counter, Outgoing Counter, Next Monitoring Node (MNx)
Hashed Sent Packets (at Source): Packet Seq. No., Hash Value
Hashed Received Packets (at Destination): Packet Seq. No., Hash Value, MNID
Irregularities (history kept by each MN): Monitored Node, Packet Seq. No., Hash Value, Irregularity Type, Timestamp
Verified Irregularities List (at Source): Monitored Node, Packet Seq. No., Hash Value, Irregularity Type, Timestamp, Interval (time), Count
*MNx is not colluding but may not be reliable]
Detection of Threats
Threats detected (colluding nodes):
Gray Hole attack
Selectively drops packets
Packet Injection
Fabricates packets towards the Destination node
Packet Alteration
Node alters a received packet (bit or data manipulation)
Bad Mouthing Attack
Framing an innocent node (a monitoring node reports irregularities that did not happen)
All of these can be carried out stealthily by colluding nodes!
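A toy run of the CAD+ chain on the previous two slides, from a monitoring node recording irregularities through the Destination's filtering, the Source's verification against its sent list, and the COUNT/INTERVAL confirmation, covering all four threat types listed above. Added example for this transcript, not the author's code or simulator: hashing packets as (seq, payload), the consistency rules the Destination and Source apply, the reading of the two threshold checks, the threshold values and the constructed traffic are all assumptions.

```python
"""Toy model of the CAD+ report / filter / verify / confirm chain (slides 10-11).

Added example, not the author's code: data structures, consistency rules,
COUNT_THRESH / INTERVAL_THRESH values and semantics are assumptions.
"""
import hashlib

COUNT_THRESH = 2       # assumed: more than this many verified irregularities confirms a node
INTERVAL_THRESH = 5.0  # assumed: a gap longer than this between irregularities resets the count


def packet_hash(seq, payload):
    """Digest Source stores on send and Destination stores on receipt."""
    return hashlib.sha256(f"{seq}|{payload}".encode()).hexdigest()[:12]


class MonitoringNode:
    """MN overhears both sides of the monitored node and keeps an irregularities history."""

    def __init__(self, name, monitored):
        self.name, self.monitored = name, monitored
        self.irregularities = []  # rows: monitored, seq, hash, type, t, mn

    def overhear(self, seq, incoming, outgoing, t):
        """One sequence number as heard entering / leaving the monitored node (None = not heard)."""
        if incoming is not None and outgoing is None:
            self._record(seq, packet_hash(seq, incoming), "dropping", t)
        elif incoming is not None and outgoing != incoming:
            self._record(seq, packet_hash(seq, outgoing), "alteration", t)
        elif incoming is None and outgoing is not None:
            self._record(seq, packet_hash(seq, outgoing), "injection", t)

    def _record(self, seq, h, kind, t):
        self.irregularities.append({"monitored": self.monitored, "seq": seq, "hash": h,
                                    "type": kind, "t": t, "mn": self.name})


def destination_filter(reports, received):
    """Destination keeps only reports consistent with its hashed-received-packets list.
    A 'dropping' report for a packet that did arrive, or an alteration/injection whose
    hash is not what arrived, is discarded: the MN may be unreliable or bad-mouthing."""
    kept = []
    for r in reports:
        got = received.get(r["seq"])
        if r["type"] == "dropping" and got is None:
            kept.append(r)
        elif r["type"] in ("alteration", "injection") and got == r["hash"]:
            kept.append(r)
    return kept


def source_verify(filtered, sent):
    """Source checks the filtered list against its hashed-sent-packets list."""
    verified = []
    for r in filtered:
        h = sent.get(r["seq"])
        if r["type"] == "dropping" and h is not None:
            verified.append(r)   # we sent it and it never arrived
        elif r["type"] == "alteration" and h is not None and h != r["hash"]:
            verified.append(r)   # what arrived differs from what we sent
        elif r["type"] == "injection" and h is None:
            verified.append(r)   # we never sent this sequence number
    return verified


def confirm_attackers(verified):
    """Irregularities closer together than INTERVAL_THRESH accumulate per monitored
    node; more than COUNT_THRESH stacked up confirms it (assumed reading of the checks)."""
    times = {}
    for r in sorted(verified, key=lambda r: r["t"]):
        times.setdefault(r["monitored"], []).append(r["t"])
    confirmed = set()
    for node, ts in times.items():
        count, last = 0, None
        for t in ts:
            if last is not None and t - last > INTERVAL_THRESH:
                count = 0
            count, last = count + 1, t
            if count > COUNT_THRESH:
                confirmed.add(node)
    return confirmed


def run_scenario():
    """Constructed run on S -> v0 -> v1 -> v2 -> v3 -> D: v2 malicious, MN2 honest, MN1 unreliable."""
    payloads = {s: f"data{s}" for s in range(1, 9)}
    sent = {s: packet_hash(s, p) for s, p in payloads.items()}  # Source's hashed sent packets
    received = {}                                               # Destination's hashed received packets
    mn2 = MonitoringNode("MN2", "v2")
    for s, p in payloads.items():
        out = None if s in (2, 5) else ("data4-tampered" if s == 4 else p)  # v2 drops 2, 5; alters 4
        mn2.overhear(s, p, out, float(s))
        if out is not None:
            received[s] = packet_hash(s, out)   # v3 and the last hop are honest
    mn2.overhear(10, None, "forged", 8.5)       # v2 fabricates seq 10 towards D
    received[10] = packet_hash(10, "forged")
    mn1 = MonitoringNode("MN1", "v1")
    mn1.overhear(3, payloads[3], None, 3.0)     # bad mouthing: seq 3 actually reached D
    reports = mn2.irregularities + mn1.irregularities  # sent when the MNs overhear the PROBE
    filtered = destination_filter(reports, received)   # carried back in the PROBE-ACK
    verified = source_verify(filtered, sent)
    return {"reported": len(reports), "filtered": len(filtered),
            "verified": [(r["monitored"], r["seq"], r["type"]) for r in verified],
            "confirmed": confirm_attackers(verified)}
```

Of the five reports, the Destination discards MN1's claim about seq 3 because that packet is in its received list, the Source confirms the remaining four against its sent list, and v2 crosses COUNT_THRESH within one interval. The hash comparison is what lets an honest endpoint judge a report it did not witness; the thresholds are there so that a single irregularity, which channel loss can also produce, does not convict a node.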
Result and Analysis
[Figure: packet delivery ratio vs. colluding selective dropping rate (no channel loss).]
Parameters                   Value
Simulator                    Ns
Nodes                        60
Simulation Time (seconds)    500
Warm Up Period (seconds)     50
Attacker Nodes (random)      30%
Source Pairs                 2
Result and Analysis (cont.)
[Figure: packet delivery ratio vs. channel loss rate, with colluding selective dropping attacks present.]
Parameters                   Value
Simulator                    Ns
Nodes                        60
Simulation Time (seconds)    500
Warm Up Period (seconds)     50
Channel Error Nodes (random) 30%
Attacker Nodes (random)      30%
Source Pairs                 2
Result and Analysis (cont.)
[Figure: average detection rate of Gray Hole attackers vs. simulation time.]
Parameters                   Value
Simulator                    Ns
Nodes                        60
Simulation Time (seconds)    500
Warm Up Period (seconds)     50
Normal Channel Loss Rate     10%
Channel Error Nodes (random) 30%
Source Pairs                 2
Conclusion and Future Work
Developed a detection algorithm, CAD+, which:
Integrates CAD with a neighborhood monitoring feature
Enables detection and isolation of colluding Gray Hole attackers
Detects other variations of colluding attacks:
Packet alteration
Packet injection
Packet dropping
Future Work:
Investigate possibilities of mobile MNs
Incentives for MNs to encourage cooperation
Extend CAD+ to detect other network layer attacks
References
Sergio Marti, T. J. Giuli, Kevin Lai, and Mary Baker. Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, MobiCom '00, pages 255–265, New York, NY, USA, 2000.
Sukla Banerjee. Detection/Removal of Cooperative Black and Gray Hole Attack in Mobile Ad-Hoc Networks. In Proceedings of the World Congress on Engineering and Computer Science 2008, WCECS '08, October 22–24, 2008, San Francisco, USA, Lecture Notes in Engineering and Computer Science, pages 337–342. Newswood Limited, 2008.
D. M. Shila, Yu Cheng, and T. Anjali. Mitigating selective forwarding attacks with a channel-aware approach in WMNs. IEEE Transactions on Wireless Communications, 9(5):1661–1675, May 2010.