Selective Forwarding Attack: Detecting Colluding Nodes in Wireless Mesh Networks Shankar Karuppayah National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Network Security Workshop, February 14, 2012

Contents Introduction Problem Statement Related Work Our Proposed Mechanism Result and Analysis Conclusion and Future Work

Wireless mesh networks (WMNs) Introduction Wireless mesh networks (WMNs) Self-organized Self-configured Self-healing Low up front costs Scalable

Overcome last-mile Internet access problems Advantages: Introduction (cont.) Overcome last-mile Internet access problems Advantages: Adapts to dynamic topology changes Distributed cooperation routing WMN applications: Community networking Disaster relief Surveillance and monitoring Vulnerabilities exist in WMNs Shared wireless medium Distributed architecture Rational : Selfish and Greedy bandwidth, QoS, resource Malicious : Deprive rights@

Network Performance Deteriorates!!! Problem Statement Two type of attacks Passive attack Active attack Denial of service (DoS) attacks Preventing legitimate users from accessing information, services or resources Gray Hole attack Also known as selective forwarding attack A variation from Black Hole attack Motivation of the attacks: Rational intentions Malicious intentions Rational : Selfish and Greedy bandwidth, QoS, resource Malicious : Deprive rights@ Network Performance Deteriorates!!!

Problem Statement (cont.) Existing security solutions Cryptographic mechanisms Public/private key exchange Not entirely applicable in WMNs Decentralized network architecture Routers physically tampered or software vulnerabilities exploited The need for non-cryptographic security mechanism arises Rational : Selfish and Greedy bandwidth, QoS, resource Malicious : Deprive rights@

Marti et al. introduce watchdog Related Work Marti et al. introduce watchdog Monitoring principle in “promiscuous” mode S. Banerjee propose an algorithm to detect and remove Black/Gray Hole attackers Splits transmission data into several blocks Introduction of prelude and postlude message Shila et al. introduce Channel Aware Detection (CAD) algorithm to detect Gray Hole attackers Consider normal losses medium access collisions bad channel quality

CAD (Channel Aware Detection) Algorithm Methodology: Channel estimation (Dynamic detection threshold) Hop-by-hop packet loss monitoring Data transmission: Split into several blocks (Ws) S|2|0 0|V0|2|0 0|V1|2|1 0|V2|2|0 1|V3|1 1 2 2 1 2 1 1 1 However… CAD algorithm will not be able to detect an attack in the event of colluding nodes WMN router nodes: Maintain packets count history with corresponding packet sequence number New packet types : PROBE Packet marking with opinion and behavior parameter PROBE-ACK PROBE replies When node forwards a packet: Buffer link layer acknowledgement (MAC-ACK) Overhears downstream traffic Since WMN-R is statically deployed, normal losses cn be estimated Channel Qlty : historical data medm accss colision) : channel busyness ratio Explain colluding situations here!

Routers have no energy constraints and have buffer of infinite size Assumptions Routers have no energy constraints and have buffer of infinite size Packet drop due to: Bad channel quality Medium access collision Presence of attackers Free from general wireless attacks: Sybil attacks Jamming (signal) attacks Colluding nodes are located next to each other Route caching to mitigate overhead Nodes have authentication methods implemented

CAD+ Algorithm Source compares the filtered irregularities with the list of sent packets Source refers the verified irregularities list to conduct final confirmation Packet Seq. No. Hash Value 1 2 … … 14 24 43 … … 46 15 33 16 … … 69 … … Hashed Received Packets Packet Seq. No. Hash Value … 14 … 46 15 50 … 34 47 35 … … … 33 … … … 45 null 46 … … 38 … … 60 17 61 35 Hashed Received Packets Introduction of three new packet types: Prelude Prelude-Notify Prelude-Ack MN monitors data packets received and forwarded by the node being monitored based on the monitoring parameters MN maintains irregularities history Retains existing features of CAD Source and Destination perform hashing on sent and received data packets respectively Destination compares the reported irregularities with the list of received packets and then replies to Source with a modified PROBE-ACK(including filtered irregularities) Destination keeps a list of monitoring nodes (MN) vs monitored nodes When MN overhears a PROBE packet sent to Destination, it forwards the list of irregularities (if applicable) towards Destination. Monitored Node Packet Seq. No. Hash Value Irregularity Type Timestamp v2 15 50 Alteration 14.9 34 47 Injection 22.8 55 35 Dropping 35.6 Irregularities which are monitored by MN2 Packet Seq. No. Hash Value … 14 … 46 15 33 … 34 24 35 … … … 33 … … ... 45 31 46 … … 38 … … 60 17 Hashed Sent Packets Count > COUNT_THRESH ? Interval > INTERVAL_THRESH? Intermediate Node Count Interval Irregularity Type v0 3 2 Alteration 6 1 Injection v2 Dropping v3 4 Verified Irregularities List Packet Seq. No. Hash Value 1 2 … … 14 24 43 … … 46 15 33 16 … … 69 … … Hashed Sent Packets Monitored Node Packet Seq. No. Hash Value Timestamp Irregularity Type v2 15 50 14.9 Alteration 34 47 22.8 45 31 35.0 Dropping 61 35 44.2 Injection Irregularities which are monitored by MN2 MNID Monitored Node MN0 v0 MN1 v1 MN2 v2 MN3 v3 Monitoring Node Vs Monitored Node Pair Source Monitored Node Next Hop Incoming Counter Outgoing Counter Next Monitoring (time) S v2 v3 5 10 34.30 Monitoring Parameters *MNx is not colluding but may not be reliable

Stealthy attacks by colluding nodes!!! Detection of Threats Threats detected (colluding nodes): Gray Hole attack Selectively drops packet Packet Injection Fabricates packet towards Destination node Packet Alteration Node alters a received packet (bit or data manipulation) Bad Mouthing Attack Framing an innocent node Stealthy attacks by colluding nodes!!!

Result and Analysis Packet delivery ratio comparison with colluding selective dropping rate. (no channel loss) Parameters Value Simulator Ns Nodes 60 Simulation Time (seconds) 500 Warm Up Period (seconds) 50 Attacker Nodes (random) 30% Source Pairs 2

Result and Analysis (cont.) Packet delivery ratio comparison with channel loss rate. Colluding selective dropping attacks present. Parameters Value Simulator Ns Nodes 60 Simulation Time (seconds) 500 Warm Up Period (seconds) 50 Channel Error Nodes (random) 30% Attacker Nodes (random) Source Pairs 2

Result and Analysis (cont.) Average detection rate of Gray Hole attackers with respect to simulation time. Parameters Value Simulator Ns Nodes 60 Simulation Time (seconds) 500 Warm Up Period (seconds) 50 Normal Channel Loss Rate 10% Channel Error Nodes (random) 30% Source Pairs 2

Conclusion and Future Work Developed a detection algorithm CAD+ which: Integrates CAD with neighborhood monitoring feature Enables detection and isolation of colluding Gray Hole attackers Detects other variation of colluding attacks: Packet alteration Packet injection Packet dropping Future Work: Investigate possibilities of mobile MN Incentives for MN to encourage cooperation Extend CAD+ to detect other network layer attacks

References Sergio Marti, T. J. Giuli, Kevin Lai, and Mary Baker. Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of the 6th annual international conference on Mobile computing and networking, MobiCom ’00, pages 255–265, New York, NY, USA, 2000. Sukla Banerjee. Detection/Removal of Cooperative Black and Gray Hole Attack in Mobile Ad-Hoc Networks. In Proceedings of the World Congress on Engineering and Computer Science 2008, WCECS ’08, October 22 - 24, 2008, San Francisco, USA, Lecture Notes in Engineering and Computer Science, pages 337–342. Newswood Limited, 2008. D.M. Shila, Yu Cheng, and T. Anjali. Mitigating selective forwarding attacks with a channel-aware approach in WMNS. Wireless Communications, IEEE Transactions on, 9(5):1661 –1675, May 2010.