Research Direction Introduction Advisor: Professor Frank Y.S. Lin Present by Hubert J.W. Wang

Outline Problem Description Mathematical Formulation 2010/12/16 2 NTU OPLab

Problem Description

Problem ▫ Topology information gathering ▫ Jamming attack Environment ▫ Infrastructure/Backbone WMNs Role ▫ Attacker ▫ Defender(Service provider) 2010/12/16 4 NTU OPLab

Defender Attributes ▫ Nodes  Base Station  Mesh router(with 2 NICs)  Mesh client  Honeynode(with 3 NICs)  Locator  Static  Mobile 2010/12/16 5 NTU OPLab

Defender(cont’) Attributes ▫ Budget  Planning phase  Topology planning  Non-deception based ▫ General defense resource ▫ Detection resource ▫ Localization resource  Deception based  Defending phase  Jamming mitigation  Localization ▫ Approximate ▫ Precise 2010/12/16 6 NTU OPLab

Defender(cont’) Strategies ▫ Planning phase  Deterrence  Deception ▫ Goal  Protect BS  Protect Nodes with high population  Protect with high traffic  Protect valuable information(ex. routing table, traffic) 2010/12/16 7 NTU OPLab

Defender(cont’) Strategies ▫ Defending phase  Population re-allocation  Average population  Average traffic  Priority of jammer removing  Importance oriented  Difficulty oriented 2010/12/16 8 NTU OPLab

Attacker Attributes ▫ Budget  Preparing phase  Node compromising  Jammer choosing ▫ High quality jammers ▫ Normal jammers ▫ Capability  Capability of compromising nodes  Capability of recognizing fake info. 2010/12/16 9 NTU OPLab

Attacker(cont’) Strategies ▫ Preparing phase  Node compromising  Be aggressive  Least resistance  Be stealthy  Easiest to find  Topology extending  Random 2010/12/16 10 NTU OPLab

Attacker(cont’) Strategies ▫ Preparing phase(cont’)  Jammer selection  Maximize attack effectiveness  Maximize jammed range 2010/12/16 11 NTU OPLab

Attacker(cont’) Strategies ▫ Attacking phase  Maximize jammed users  Maximize affected traffic 2010/12/16 12 NTU OPLab

Scenario 2010/12/16 13 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource

Scenario(cont’) For attacker ▫ Objective:  Service disruption ▫ Incomplete information of the network ▫ Budget limited For defender ▫ Objective:  Maintain the quality of service ▫ Budget limited 2010/12/16 14 NTU OPLab

Scenario – Network Architecture 2010/12/16 15 NTU OPLab Base Station Mesh router

I must protect Core Nodes Scenario – Defender’s Planning Phase 2010/12/16 16 NTU OPLab BS Node with high population Base Station Mesh router

Scenario – Defender’s Planning Phase(cont’) 2010/12/16 17 NTU OPLab Base Station Mesh router Honeynode Attacker Nodes with more defense resource I must protect Core Nodes A B C D E F G Why didn’t the defender protect all the nodes with high population? 1.Budget limited. 2.The effectiveness of doing so may not be the best. 3.There are other ways to deploy resources.

Scenario – Defender’s Planning Phase(cont’) 2010/12/16 18 NTU OPLab Base Station Mesh router Honeynode Attacker Nodes with more defense resource I must protect Core Nodes Effect of the defense resource may be: 1.Reduce the probability of being compromised

Scenario – Defender’s Planning Phase(cont’) 2010/12/16 19 NTU OPLab Base Station Mesh router Honeynode Attacker Nodes with more defense resource I must protect Core Nodes Effect of the defense resource may be: 2.Prevent the attacker from getting closer to the important nodes.

Scenario – Defender’s Planning Phase(cont’) 2010/12/16 20 NTU OPLab Base Station Mesh router Honeynode Attacker Nodes with more defense resource I must protect Core Nodes Effect of the defense resource may be: 3.Attract attacks to prevent it from getting close to the important nodes.

Scenario – Defender’s Planning Phase(cont’) 2010/12/16 21 NTU OPLab Base Station Mesh router Honeynode Attacker Nodes with more defense resource I must protect Core Nodes A B C D E F G Effect of the defense resource may be: 4.Avoid attacks to prevent it from getting close to the important nodes.

Scenario – Attacker’s Preparing Phase 2010/12/16 22 NTU OPLab Signal Strength Initially, the attacker has following info: 1.Number of channels. 2.Signal power of each channel. 3.Traffic amount of each channel. 4.Defense strength of each mesh node A B C D E F G

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 23 NTU OPLab Signal Strength The honeynode: If the real channel is compromised, the attacker will be able to identify this target in attacking phase A B C D E F G

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 24 NTU OPLab Signal Strength The attacker’s strategies: Maximize attack effectiveness. Maximize jammed users The initial node will be.. The node with the strongest signal power 90 A B C 20 D E F G

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 25 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Attacker Nodes with more defense resource A B C D E F G H I J K L

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 26 NTU OPLab Signal Strength After compromise a mesh router, the attacker has following info: 1.Number of channels. 2.Signal power of each channel. 3.Traffic amount of each channel. 4.Defense strength of each mesh node. And… G L B I D E A H K F J Being compromised, and obtained: 1.routing table info 2.Location info of the mesh router. 3.Traffic info 4.Number of users

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 27 NTU OPLab Signal Strength After compromise a mesh router, the attacker has following info: 1.Number of channels. 2.Signal power of each channel. 3.Traffic amount of each channel. 4.Defense strength of each mesh node. 5.Number of traffic sources Number of users G L B I D E A H K F J

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 28 NTU OPLab Signal Strength The attacker selects next hop with obtained info from compromised mesh routers if available. The node with the highest number of traffic sources 20 6 G L B I 20 D 28 E A H K F J 90 88

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 29 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Attacker Nodes with more defense resource The action of compromising a honeynode will has following results: 1.Succeed Aware of the fact that it’s a honeynode. Not aware of 2.Failed A B C D E F G HI J K L M N

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 30 NTU OPLab Signal Strength The attacker selects next hop with obtained info from compromised mesh routers if available B A 20 6 G C E D 27 K L M N

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 31 NTU OPLab Signal Strength B A 20 6 G 28 E K L M N However, the node which was compromised by attacker was a honeynode. Thus, it obtained following fake info: 1.Population 2.Traffic of the neighbors The defender will lead the attacker to: 1.Unimportant area 2.Nodes with greater defense strength C D

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 32 NTU OPLab Signal Strength B A 20 6 G 28 E K L M N Relatively low traffic sources on important nodes. High traffic sources on unimportant nodes C D Select node C as next hop

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 33 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Attacker Nodes with more defense resource A B C D E F G HI J K L M N Failed to compromise

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 34 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Attacker Nodes with more defense resource Compromised 2 nd choice node D A B C D E F G HI J K L M N O PQ R

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 35 NTU OPLab Signal Strength B A 20 6 G 28 E O R Q C 20 8 D P Select node N as next hop. But what will the attacker do if he compromised a honeynode? When the attacker compromised a honeynode, he may obtain: 1.Only fake info 2.Mixture of fake and true info. What should I do ? Just ignore it? Or attack the node they try to protect? Attackers with high capacity have greater probability to distinguish between true and fake.

Scenario – Attacker’s Preparing Phase – Attack Detection 2010/12/16 36 NTU OPLab Signal Strength B A 20 6 G 28 E O R Q C 20 8 D P Being attacked? What should I do to protect QoS? Capable of attack detection

Scenario – Attacker’s Preparing Phase – Attack Detection(cont’) 2010/12/16 37 NTU OPLab Signal Strength B A 20 6 G 28 E O R Q C 20 8 D P Re-allocate the population on its neighbors. Capable of attack detection

Scenario – Attacker’s Preparing Phase – Attack Detection(cont’) 2010/12/16 38 NTU OPLab Signal Strength 90 2 B 5 A 20 6 G E 8 O 4 R 90 3 Q 15 C 20 8 D P Capable of attack detection Real population on D’s neighbor Re-allocation strategy might be:

Scenario – Attacker’s Preparing Phase – Attack Detection(cont’) 2010/12/16 39 NTU OPLab Signal Strength B 90 9 A 20 9 G 9 E 9 O 10 R Q 90 9 C 20 9 D 90 9 P Capable of attack detection Real population on D’s neighbor Re-allocation strategy: Average Population Average the QoS impact caused by jamming

2010/12/16NTU OPLab 40 Scenario – Attacker’s Preparing Phase – Attack Detection(cont’)

2010/12/16NTU OPLab 41 Scenario – Attacker’s Preparing Phase – Attack Detection(cont’)

2010/12/16 42 NTU OPLab Signal Strength 90 2 B 5 A 20 6 G E 8 O 4 R 90 3 Q 15 C 20 8 D P Capable of attack detection Real population on D’s neighbor Re-allocation strategy: Average Traffic Minimize the QoS impact caused by jamming

Scenario – Attacker’s Preparing Phase(cont’) 2010/12/16 43 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Attacker Nodes with more defense resource A B C D E F G HI J K L M N O PQ R S TU V W X

Scenario – Attacker’s Attacking Phase 2010/12/16 44 NTU OPLab A B C D E F G HI J K L M N O PQ R S TU V W X Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource Jammed honeynode B Jammed node V with high population Jammed node P(not fake channel) Jammed normal node F Jammed honeynode U

Scenario – Attacker’s Attacking Phase(cont’) 2010/12/16 45 NTU OPLab A B C D E F G HI J K L M N O PQ R S TU V W X Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource Range overlapped, the fake channel jammed. Although they seems overlapped, but the jammers attacked two different channel

Scenario – Defender’s Defending Phase 2010/12/16 46 NTU OPLab A B C D E F G HI J K L M N O PQ R S TU V W X Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource To minimize the total effectiveness of jamming, the defender will tend to remove these nodes first: 1.High population 2.Not fake channel Their sequence will be… 1)Jammed node V with high population 2)Jammed normal node F 3)Jammed node P(not fake channel) 5)Jammed honeynode U 4)Jammed honeynode B

Scenario – Defender’s Defending Phase - Channel Surfing 2010/12/16 47 NTU OPLab A B C D E F G HI J K L M N O PQ R S TU V W X Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource The function of channel surfing function: 1.Mitigate the impact of jamming Time Effectiveness Range overlapped. If the mesh router switch to other channel: 1.Jammed time shotened. 2.Jammers are not able to know which channel is the origin channel unless it’s compromised.

Scenario – Defender’s Defending Phase - Localization 2010/12/16 48 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource Two types of locator: 1.Static 2.Mobile

Scenario – Defender’s Defending Phase - Localization 2010/12/16 49 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource Static locator: 1.Mesh routers

Scenario – Defender’s Defending Phase - Localization 2010/12/16 50 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource Static locator: 2.Reference points Deployed in the topology with the given density The density is defined as locater per length unit. In this case, the unit is 10 meter

Scenario – Defender’s Defending Phase - Localization 2010/12/16 51 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource Mobile locator Capable of precise localization function Jammer which is not able to be approximately localized

Scenario – Defender’s Defending Phase - Localization 2010/12/16 52 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource Mobile locator Reference point 1 Reference point 2

Scenario – Defender’s Defending Phase - Localization 2010/12/16 53 NTU OPLab Base Station Mesh router Honeynode Compromised mesh router Jammed mesh router Jammer Attacker Nodes with more defense resource Mobile locator Reference point 1 (useless) Reference point 2Multiple jammers Reference point 3 Reference point 4 One of the jammers removed

Mathematical Formulation

Assumptions 1.The communications between mesh routers and between mesh routers and mesh clients use different communication protocol. 2.All the packets are encrypted. Thus, the attacker can’t directly obtain information in the communication channels. 3.The defender has complete information of the network which is attacked by a single attacker with different strategies. 4.The attacker is not aware of the topology of the network. Namely, it doesn’t know that there are honeynodes in the network and which nodes are important, i.e., the attacker only has incomplete information of the network. 2010/12/16 55 NTU OPLab

Assumptions(cont’) 5.There are two kinds of defense resources, the non-deception based resources and the deception based resources. 6.There are multiple jammers in the network, and their jamming ranges might be overlapped. 7.There is only constructive interference between jamming signals. 2010/12/16 56 NTU OPLab

Given parameters 2010/12/16NTU OPLab 57 NotationDescription NThe index set of all nodes HThe index set of all honeynodes PThe index set of the nodes with channel surfing technique QThe index set of the nodes with precise localization technique RThe index set of the nodes with detection technique

Given parameters 2010/12/16NTU OPLab 58 NotationDescription BThe defender’s total budget Z All possible attack configuration, including attacker’s attributes and corresponding strategies. E All possible defense configuration, including defense resources allocation and defending strategies FTotal attacking times of all attackers An attack configuration, including the attributes and corresponding strategies, where 1≤ i ≤ F 1 if the attacker can achieve his goal successfully, and 0 otherwise, where 1≤ i ≤ F

Given parameters 2010/12/16NTU OPLab 59 NotationDescription m(ρi)m(ρi) The cost of constructing a node with the quality with quality ρ i, where i ∈ N nini The non-deception based defense resources allocated to node i, where i ∈ N h(εi)h(εi) The cost of constructing a honeynode with the interactive capability ε i, where i ∈ H a(φ)a(φ) The cost of constructing static locators with the density φ b The cost of constructing a channel surfing function to one node c The cost of constructing a precise localization technique to one node d The cost of constructing a detection technique to one node t(ρi)t(ρi) The maximum traffic of node i with quality ρ i, where i ∈ N

Decision variables 2010/12/16NTU OPLab 60 NotationDescription The information regarding resources allocating and defending wiwi 1 if node i is equipped with honeynode function, and 0 otherwise, where i ∈ N xixi 1 if node i is equipped with channel surfing function, and 0 otherwise, where i ∈ N yiyi 1 if node i is implemented with precise localization technique, and 0 otherwise, where i ∈ N zizi 1 if node i is implemented with the detection technique, and 0 otherwise, where i ∈ N εiεi The interactive capability of honeypot i, where i ∈ N ρiρi The quality of node i, where i ∈ N φThe density of static locator

Objective function 2010/12/16NTU OPLab 61 (IP 1)

Constraints Defender’s budget constraints 2010/12/16NTU OPLab 62 (IP 1.1) (IP 1.2)

Constraints Defender’s budget constraints 2010/12/16NTU OPLab 63 (IP 1.3)

Constraints Defender’s budget constraints 2010/12/16NTU OPLab 64 (IP 1.6) (IP 1.7) (IP 1.5) (IP 1.4)

Constraints Defender’s budget constraints 2010/12/16NTU OPLab 65 (IP 1.10) (IP 1.9) (IP 1.8)

Constraints QoS constraints ▫ QoS is a function of: 1.BS loading 2.Utilization of mesh routers on the path to BS 3.Hops to core node 4.Fake traffic effect, 5.Population re-allocation effect 6.Channel surfing effect 7.Jammer removal 2010/12/16NTU OPLab 66 (IP 1.11)

Constraints QoS constraints ▫ ▫ The performance reduction cause by the jammed node should not violate IP1.11. ▫ The performance reduction cause by the channel surfing should not violate IP /12/16NTU OPLab 67 (IP 1.12) (IP 1.13) (IP 1.14)

Constraints Channel surfing constraints ▫ The mesh router must equipped with channel surfing technique. ▫ The next channel to be selected must not be in use. ▫ Channel surfing function triggers only if the jammed channel is not a fake channel. Population re-allocation constraints ▫ The mesh clients to be re-allocated must be in the transmission range of the mesh routers other than current mesh router. ▫ The total traffic of the mesh router i after re-allocation must not exceed the maximum traffic limit t(ρ i ), where i ∈ N. 2010/12/16NTU OPLab 68 (IP 1.15) (IP 1.16) (IP 1.17) (IP 1.18) (IP 1.19)

Constraints Approximate localization ▫ There must be at least three available reference points which is under the effect of jamming attack in the jammed channel. Precise localization ▫ There must be at least one mobile locator in the network. Fake traffic ▫ The fake traffic sent to mesh router i from the honeynodes must not make it exceed the maximum traffic limit t(ρ i ), where i ∈ N 2010/12/16NTU OPLab 69 (IP 1.21) (IP 1.22) (IP 1.20)

Constraints 2010/12/16NTU OPLab 70 (IP 1.25) (IP 1.24) (IP 1.23) (IP 1.26) Integer constraints

The End Thanks for your attention. 2010/12/16 71 NTU OPLab