1 Yan Chen, Lab for Internet and Security Technology (LIST), Northwestern University

2 Introduction
Work on network security, measurement and monitoring
Five Ph.D. students and two M.S. students
Collaborate widely
–NU colleagues: Peter Dinda, Ming-Yang Kao, Aleksandar Kuzmanovic, Gokhan Memik, and Hai Zhou (and their students)
–Other industry & academia researchers, e.g., Judy Fu, Phil Robert and Pete McCann at Motorola

3 Automatic Vulnerability Checking of Wireless Protocols through TLA+
Published in Workshop of Network Protocol Security 2006

4 TLA+ Vulnerability Checking Flow
Avoid state space explosion in property checking
Model attackers’ capabilities for finding realistic attacks

5 Case Studies
Initial ranging
Authentication process
Choices based on the criticality of the function and the probability of vulnerability

6 Initial Ranging Process
Initial ranging is the first step in which a subscriber station (SS) communicates with a base station (BS), via message exchanges
The SS acquires the correct timing offset and power adjustments
The request-response exchange repeats until the BS is satisfied with the ranging parameters
“Actual” data communication can happen only if initial ranging succeeds

7 Property to Check
The SS can get service (reach the “Done” state) infinitely often: []<>(SSstate = “Done”)
–Need to make sure that the property holds even without an attacker (weakest attacker model); otherwise a violation points to a flaw in the specification or the model rather than to an attack

8 DoS during Initial Ranging (found by TLC model checking)
[Figure: DL subframe; UL subframe with the contention-based initial ranging slots; the SS’s ranging REQ]

9 Conclusions
First step towards automatic vulnerability checking of the WiMAX protocol with completeness and correctness guarantees
Use TLA+/TLC to model malfunction DoS attacks
–Avoid state space explosion in property checking
–Model attackers’ capabilities for finding realistic attacks
Analyzed the initial ranging and authentication processes in the protocol

10 Ongoing Work
Development of a rigorous process for protocol specification using TLA+
Check vulnerabilities in other parts of the standard, such as mobility support and handoff procedures
Examination of WiMAX upper-layer protocols: Proxy Mobile IPv4, Mobile IPv6, etc.

Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
Published in IEEE Symposium on Security and Privacy, ACM SIGCOMM, IEEE/ACM Transactions on Networking, IEEE INFOCOM, ACM SIGCOMM IMC, IEEE ICDCS

12 The Spread of Sapphire/Slammer Worms

13 How can it affect cell phones?
The Cabir worm can infect a cell phone
–Infects phones running Symbian OS
–Started in the Philippines at the end of 2004; surfaced in Asia, Latin America, Europe, and the US
–Poses as a security management utility
–Once a phone is infected, propagates itself to other phones via Bluetooth wireless connections
–Symbian officials said security was a high priority of the latest software, Symbian OS Version 9
With ubiquitous Internet connections, more severe viruses/worms for mobile devices will happen soon …

Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
Attached to a switch connecting BSs, as a black box
Enables early detection and mitigation of global-scale attacks
Could be a differentiator for Motorola’s products
[Figure: (a) original configuration: Users – BS – Switch/BS controller – Internet; (b) WAIDM deployed: the WAIDM system attached to the scan port of the Switch/BS controller]

Features of WAIDM
Scalability (ready for field testing)
–Online traffic recording
»Reversible sketch for data streaming computation
»Record millions of flows (GB of traffic) in a few hundred KB
»Infer the key characteristics (e.g., source IP) of culprit flows for mitigation
–Online sketch-based flow-level anomaly detection
»Adaptively learn changes in the traffic pattern
Accuracy (initial design & evaluation done)
–Integrated approach for false positive reduction
»Automatic polymorphic worm signature generation (Hamsa)
»Network element fault diagnostics

WAIDM Architecture
[Figure: architecture diagram; data path and control path are drawn separately]
Part I, sketch-based monitoring & detection (modules on the critical path): streaming packet data → reversible sketch monitoring → filtering → sketch-based statistical anomaly detection (SSAD); local sketch records are sent out for aggregation and remote aggregated sketch records are received; outputs are normal flows, suspicious flows, and intrusion or anomaly alarms
Part II, per-flow monitoring & detection (modules on the non-critical path): per-flow monitoring driven by the keys of suspicious flows (keys of normal flows fed back to the filter); signature-based detection, polymorphic worm detection (Hamsa), network fault diagnosis (ODD)
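The "reversible sketch" on the features slide is what lets WAIDM keep counters for millions of flows in a few hundred KB and still name the source IP behind a heavy change. The block below is an added example written for this page, not the LIST group's implementation: it keeps the core idea (modular hashing, i.e. hashing the 32-bit key one byte at a time through small random maps so that a heavy bucket can be run backwards), but the table sizes, the per-byte maps, the "last epoch" forecast, the constructed traffic and the 10.3.7.42 / 192.0.2.99 flood sources are all simplifications assumed here.

```python
"""Reversible-sketch style change detection over a stream of flow keys (added example)."""
import random
from itertools import product

WORDS, WORD_BITS, OUT_BITS = 4, 8, 3   # 32-bit key = 4 bytes, each hashed to 3 bits
TABLES = 5                             # independent hash tables
BUCKETS = 1 << (WORDS * OUT_BITS)      # 4096 counters per table

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

class ReversibleSketch:
    def __init__(self, seed=1):
        rng = random.Random(seed)   # both epochs must share the seed, i.e. the same hash maps
        # modular hashing: table j maps byte i through its own random table, 256 -> 8 values
        self.maps = [[[rng.randrange(1 << OUT_BITS) for _ in range(1 << WORD_BITS)]
                      for _ in range(WORDS)] for _ in range(TABLES)]
        self.counts = [[0] * BUCKETS for _ in range(TABLES)]

    @staticmethod
    def words(key):
        return [(key >> (WORD_BITS * (WORDS - 1 - i))) & 0xFF for i in range(WORDS)]

    def index(self, table, key):
        idx = 0
        for i, w in enumerate(self.words(key)):
            idx = (idx << OUT_BITS) | self.maps[table][i][w]
        return idx

    def update(self, key, value=1):
        for j in range(TABLES):
            self.counts[j][self.index(j, key)] += value

    def estimate(self, key):
        return min(self.counts[j][self.index(j, key)] for j in range(TABLES))

def change_sketch(prev, cur):
    """Per-bucket forecast error with the simplest forecast: last epoch's count."""
    return [[c - p for c, p in zip(cur.counts[j], prev.counts[j])] for j in range(TABLES)]

def reverse_heavy_changes(sketch, change, threshold):
    """Recover the keys whose change exceeds threshold from the heavy buckets alone."""
    heavy = [[b for b in range(BUCKETS) if change[j][b] > threshold] for j in range(TABLES)]
    if any(not h for h in heavy):
        return {}                       # a real culprit is heavy in every table
    mask = (1 << OUT_BITS) - 1
    cands = []                          # per byte position: values consistent with every table
    for i in range(WORDS):
        shift = OUT_BITS * (WORDS - 1 - i)
        per_table = []
        for j in range(TABLES):
            wanted = {(b >> shift) & mask for b in heavy[j]}
            per_table.append({v for v in range(256) if sketch.maps[j][i][v] in wanted})
        cands.append(set.intersection(*per_table))
    found = {}
    for bytes_ in product(*cands):      # normally a handful of candidates; verify each one
        key = 0
        for w in bytes_:
            key = (key << 8) | w
        est = min(change[j][sketch.index(j, key)] for j in range(TABLES))
        if est > threshold:
            found[int_to_ip(key)] = est
    return found

def simulate(threshold=100):
    """Constructed traffic: 300 ordinary sources in both epochs, two floods in the second."""
    rng = random.Random(7)
    background = [rng.getrandbits(32) for _ in range(300)]
    prev, cur = ReversibleSketch(), ReversibleSketch()
    for k in background:
        prev.update(k, rng.randint(1, 3))
    for k in background:
        cur.update(k, rng.randint(1, 3))
    cur.update(ip_to_int("10.3.7.42"), 500)    # sudden flood from one source
    cur.update(ip_to_int("192.0.2.99"), 250)   # and a smaller one
    return reverse_heavy_changes(cur, change_sketch(prev, cur), threshold)

if __name__ == "__main__":
    print(simulate())   # the two flooding sources with their estimated change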

Hamsa: First Network-based Zero-day Polymorphic Worm Signature Generation System
Fast: on the order of seconds
Noise tolerant and attack resilient
Detects multiple worms in one protocol
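To make the "noise tolerant" bullet concrete, here is an added example (not Hamsa's own code) of the greedy idea behind this class of signature generators: extract the substrings that most suspicious samples share, then add tokens one at a time, admitting only those that keep the false-positive rate on the normal pool under a bound that tightens with each step. Hamsa extracts tokens with a suffix array and scores multiset signatures; here tokens are plain substrings and a signature is a set of tokens that must all appear. The pools, the two invariants (a request path and a return address), the bound schedule u(i) = u1 · k^(i−1) and the thresholds are all constructed for this example.

```python
"""Hamsa-style greedy signature generation for a polymorphic worm (added example)."""
import random

RET = "\x12\x34\xff\xbf"               # invariant: overwritten return address
PATH = "GET /app.cgi?id="              # invariant: vulnerable request (also used benignly)

def make_worm(rng):
    hexs = lambda n: "".join(rng.choice("0123456789abcdef") for _ in range(n))
    return PATH + hexs(8) + RET + hexs(6)      # polymorphic: everything else varies

_rng = random.Random(3)
# constructed suspicious pool: 12 worm instances plus 3 benign requests misclassified as suspicious
SUSPICIOUS = [make_worm(_rng) for _ in range(12)] + \
             ["GET /index.html?q=" + format(i, "04x") for i in range(3)]
# constructed normal pool: each invariant appears on its own in benign traffic, never both together
NORMAL = ([f"GET /app.cgi?id={i:04x} HTTP/1.1" for i in range(6)]
          + ["GET /img/" + n + ".png" + RET + "\x89PNG" for n in ("logo", "icon")]
          + ["GET /index.html?q=" + w for w in "abcdef"]
          + ["POST /login user=" + w + "&pw=x" for w in ("amy", "bob", "cid", "dee", "eve", "fay")])

def extract_tokens(pool, min_len=3, max_len=16, min_frac=0.5):
    """Substrings present in at least min_frac of the pool, keeping only maximal ones."""
    cover = {}
    for idx, s in enumerate(pool):
        for t in {s[i:i + L] for L in range(min_len, max_len + 1) for i in range(len(s) - L + 1)}:
            cover.setdefault(t, set()).add(idx)
    common = {t: c for t, c in cover.items() if len(c) >= min_frac * len(pool)}
    # drop a token if a longer common token contains it and matches exactly the same samples
    return {t: c for t, c in common.items()
            if not any(len(u) > len(t) and t in u and common[u] == c for u in common)}

def match_rate(sig, pool):
    """Fraction of the pool matched by the signature (all tokens present)."""
    return sum(all(t in s for t in sig) for s in pool) / len(pool)

def generate_signature(suspicious, normal, u1=0.15, k=0.5, cov_min=0.6, max_tokens=5):
    """Greedy: at step i admit only tokens keeping FP <= u(i); prefer coverage, then lower FP.
    cov_min is the noise tolerance: the signature need not match every suspicious sample."""
    tokens = extract_tokens(suspicious)
    sig = []
    for i in range(1, max_tokens + 1):
        bound = u1 * k ** (i - 1)
        best = None
        for t in tokens:
            if t in sig:
                continue
            cov, fp = match_rate(sig + [t], suspicious), match_rate(sig + [t], normal)
            if fp <= bound and cov >= cov_min and (best is None or (cov, -fp) > (best[1], -best[2])):
                best = (t, cov, fp)
        if best is None:
            break
        if sig and best[1] <= match_rate(sig, suspicious) and best[2] >= match_rate(sig, normal):
            break                                   # adding it neither covers more nor cuts FP
        sig.append(best[0])
        if best[2] == 0.0:
            break
    return sig

if __name__ == "__main__":
    sig = generate_signature(SUSPICIOUS, NORMAL)
    print([repr(t) for t in sig], match_rate(sig, SUSPICIOUS), match_rate(sig, NORMAL))
```

With these pools the protocol framing "GET /" is rejected at step 1 because benign traffic is full of it, the return address alone is admitted (10% FP on the normal pool), and the path is added at step 2 because the pair has 0% FP; the three noise samples stay uncovered, which is exactly the behaviour the cov_min threshold is meant to allow.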

18 Thanks

19 TLA+ Protocol Specification
Protocol specification in TLA+ can be easy or difficult
–FSMs translate easily to TLA+
–Tricky from an English description to a TLA+ spec: ambiguity, re-design, etc.
Process of protocol specification:
–Identify the principals
–Modularize each principal’s behaviour using TLA+
–Combine the principal specs to form a protocol spec

20 TLA+ Protocol Specification Challenges
Challenge: vagueness in the English specification, and the correctness of its translation to TLA+; a common problem for all approaches
Solutions:
–No easy solution exists!
–Best to design protocols in TLA+ from the start
–Consult the standards committee and product implementation teams, among other things

21 Attacker Modelling
Attacker capability model similar to the Dolev-Yao model; basically, attackers can:
–Eavesdrop on and store messages
–Replay old messages
–Inject or spoof unprotected messages
–Corrupt messages on the channel by causing collisions
Assume ideal cryptography: unforgeable signatures, safe encryption, and safe digests

22 Attacker Modelling Challenges
Challenge: how to find all realistic attacks?
–Model too strong: unrealistic attacks hide the stealthy ones
–Model too weak: vulnerabilities are missed
Our solution:
–Start with a relatively strong attacker model
»TLC model checks may yield unrealistic attacks
–Then weaken the attacker model
»E.g., the attacker can continuously corrupt every response from the BS
»Add restrictions on the attacker to exclude such attacks
This dynamic modification of the attacker model will end up with
–a complete robustness proof, OR
–a report of all attacks

23 Property Spec
Focus on malfunction DoS attacks currently
–Client needs to reach a termination state: <>[](\A i \in PartySet: Party[i].state = ObjState)
–Client may not terminate, so it must keep reaching the objective state: []<>(\A i \in PartySet: Party[i].state = ObjState)

24 Property Spec Challenges
Challenge: TLC cannot check all properties expressible in TLA+
Our solution: specify properties in a restricted format

25 Model Checking by TLC
TLC is a model checker for TLA+
Has both a simulation mode and a model checking mode
–We run simulations before a complete model check
Terminates without violation: robustness proved (for the finite model and the attacker model that were checked)
Produces a violation sequence: attack trace

26 Model Checking Challenges
Challenge: state space explosion
Our solutions
–Combine similar states into one state, without loss of functionality
–Identify symmetry in the system, so that symmetric states are treated as one common state
–Replace some random numbers with constants having additional properties, to simulate the effects of randomness
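The initial ranging case study (slides 6 to 8) and the backup slides on attacker modelling, property spec and TLC (slides 21 to 26) describe one workflow: enumerate the protocol's states with an attacker interleaved, check a liveness property, and either get a robustness proof or an attack trace. The block below is an added example written for this page, not the talk's TLA+ specification: it imitates that workflow in Python on a deliberately tiny model of initial ranging. The protocol model (three power levels, timeout-and-retry, re-ranging after Done), the collision-only attacker step and the "corruption budget" restriction are simplifications assumed here; a violation of []<>(SSstate = "Done") is found as a reachable cycle that never visits Done, which is how a finite-state checker reports a liveness counterexample (a prefix plus a repeating lasso).

```python
"""Toy explicit-state liveness check of WiMAX initial ranging under an attacker (added example)."""
from collections import deque

MAX_POWER = 2  # assumed: the BS accepts the ranging parameters at power level 2

# State tuple: (ss_state, ss_power, channel, attacker_budget)
#   ss_state: "Idle" | "WaitRsp" | "Done"
#   channel : None | "REQ" | "RSP_ADJUST" | "RSP_DONE" | "JAMMED"
#   attacker_budget: None (unlimited) or the number of collisions still allowed
def initial_state(budget=None):
    return ("Idle", 0, None, budget)

def next_states(state, can_corrupt):
    """All successor states: honest SS/BS moves plus, where allowed, an attacker move."""
    ss, power, chan, budget = state
    succ = set()
    if ss == "Idle":                                    # SS sends RNG-REQ in a contention slot
        succ.add(("WaitRsp", power, "REQ", budget))
    elif ss == "WaitRsp":
        if chan == "REQ":                               # BS receives the request and answers
            rsp = "RSP_DONE" if power >= MAX_POWER else "RSP_ADJUST"
            succ.add(("WaitRsp", power, rsp, budget))
        elif chan == "RSP_ADJUST":                      # SS applies the adjustment and retries
            succ.add(("Idle", power + 1, None, budget))
        elif chan == "RSP_DONE":                        # ranging complete
            succ.add(("Done", power, None, budget))
        elif chan == "JAMMED":                          # timeout, retry from scratch
            succ.add(("Idle", power, None, budget))
    elif ss == "Done":                                  # SS re-ranges later (assumed periodic)
        succ.add(("Idle", 0, None, budget))
    # Attacker (Dolev-Yao-like, ideal crypto): corrupt the message in the air by a collision
    if chan in ("REQ", "RSP_ADJUST", "RSP_DONE") and can_corrupt(chan, budget):
        succ.add((ss, power, "JAMMED", None if budget is None else budget - 1))
    return succ

def explore(init, can_corrupt):
    """BFS over the reachable state graph; returns the successor map and BFS parents."""
    edges, parent, queue = {}, {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        edges[s] = next_states(s, can_corrupt)
        for t in edges[s]:
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return edges, parent

def path_to(parent, target):
    path = []
    while target is not None:
        path.append(target)
        target = parent[target]
    return path[::-1]

def check_done_infinitely_often(init, can_corrupt):
    """Check []<>(ss = "Done"). Returns None if it holds, else (prefix, cycle): a reachable
    cycle of non-Done states, i.e. the counterexample / attack trace."""
    edges, parent = explore(init, can_corrupt)
    for s in edges:
        if s[0] == "Done":
            continue
        par, queue = {s: None}, deque([s])       # look for a way back to s that avoids Done
        while queue:
            u = queue.popleft()
            for v in edges[u]:
                if v == s:
                    return path_to(parent, s), path_to(par, u) + [s]
                if v[0] != "Done" and v not in par:
                    par[v] = u
                    queue.append(v)
    return None

NO_ATTACKER = lambda chan, budget: False       # weakest model: sanity-check the spec itself
UNRESTRICTED = lambda chan, budget: True       # may collide with every message, forever
BUDGETED = lambda chan, budget: budget > 0     # restriction: only a bounded number of collisions

if __name__ == "__main__":
    print("no attacker:", check_done_infinitely_often(initial_state(), NO_ATTACKER))
    prefix, cycle = check_done_infinitely_often(initial_state(), UNRESTRICTED)
    print("unrestricted attacker, lasso cycle:")
    for st in cycle:
        print("  ", st)
    print("budget of 3 collisions:", check_done_infinitely_often(initial_state(3), BUDGETED))
```

The three runs mirror the slides' procedure: the property holds with no attacker (so a later violation is not a modelling bug), the unrestricted attacker produces the trace Idle → REQ sent → REQ jammed → Idle, repeated forever, and once the attacker is restricted the checker finds no non-Done cycle and reports robustness for that model. The restriction is the step that needs the most judgement: a budget makes the check pass, but whether it is realistic for the contention slots in question is a question about the radio, not about the checker.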

27 Outline
Motivation
Our approach
Background on TLA+
General methods and challenges
Results on WiMAX initial ranging and authentication
Conclusions and future work

28 PKMv2 Authentication Process
The SS and BS mutually authenticate each other and exchange keys for data encryption (PKMv2: Privacy Key Management protocol, version 2)
PKMv2 is directed by two state machines in the SS
–Authentication State Machine
–TEK (Traffic Encryption Key) State Machine
PKMv2 employs the SA-TEK three-way handshake for the BS and the SS to exchange security capabilities

29 Authentication – TLA Model
Each key has a lifetime, so the SS needs to get re-authorized from time to time
–The SS will reach the “Authorized” state infinitely many times: []<>(SSstate = “Authorized”)
TLC encounters the state space explosion problem
–We restrict the SS to reaching the “Authorized” state at most a given number of times
With our attacker model, TLC model checking completed without violation
Hence, the authentication process is resistant to any attempt under the given attacker model (within the bounded model that was checked)