1. Research Progress Report
Advisor: Professor Frank Y.S. Lin
Present by Hubert J.W. Wang

2. 無線網狀網路中考量惡意與多重干擾器攻擊下最大化系統 存活度之高效網路規劃與防禦策略
Effective Network Planning and Defending Strategies to Maximize System Survivability of Wireless Mesh Networks under Malicious and Jamming Attacks
無線網狀網路中考量惡意與多重干擾器攻擊下最大化系統 存活度之高效網路規劃與防禦策略

3. 2011/5/16
Outline
Problem Description

4. Problem Description

5. Problem Description Problem Environment Role
2011/5/16
Problem Description
Problem
Topology information gathering
Jamming attack
Environment
Infrastructure/Backbone WMNs
Role
Attacker
Defender(Service provider)

6. Problem Description(cont’)
2011/5/16
Problem Description(cont’)

7. Scenario – Network Architecture
2011/5/16
Scenario – Network Architecture
Base Station
Mesh router

8. Scenario – Defender’s Planning Phase
2011/5/16
Scenario – Defender’s Planning Phase
Base Station
Mesh router
Honeynode
Attacker
Nodes with more defense resource
Why didn’t the defender protect all the nodes with high population?
Budget limited.
The effectiveness of doing so may not be the best.
There are other ways to deploy resources. A B C D E F G

9. Scenario – Attacker’s Preparing Phase
Signal Strength 20 90
Initially, the attacker has following info:
(Communication channel)
Defense Resource
Traffic Amount A B C D E F G
Defense strength
Traffic amount
2011/5/16
Scenario – Attacker’s Preparing Phase
Signal Strength

10. Scenario – Attacker’s Preparing Phase(cont’)
Signal Strength 20 90
The honeynode:
If the real channel is compromised, the attacker will be able to identify this target in Attacking Phase A B C D E F G
2011/5/16
Scenario – Attacker’s Preparing Phase(cont’)

11. Scenario – Attacker’s Preparing Phase(cont’)
2011/5/16
Scenario – Attacker’s Preparing Phase(cont’)
The attacker’s goal:
Maximize attack effectiveness.
Maximize jammed range 20 F 20 D
The node with the strongest signal power
(Easiest fo find)
The next hop selecting criteria would be.. 90 A 90 C E 20
The node with highest defense resource(Aggressive) 20 G 90 B
Signal Strength

12. Scenario – Attacker’s Preparing Phase(cont’)
2011/5/16
Scenario – Attacker’s Preparing Phase(cont’) G L B I D E A H K F J 20 90
After compromise a mesh router, the attacker has following info:
(Communication channel)
Defense Resource
Signal Strength
Traffic Amount
And… 90 20
Being compromised, and obtained:
(Routing channel)
Traffic Source
Traffic Amount
User number 90 90 20 90 20 20 90
Signal Strength

13. Scenario –Population Re-allocation
2011/5/16
Scenario –Population Re-allocation
Reallocate population on D’s neighbor 20 6 G 90 22 P
Intrusion detected 20 8 O 90 3 Q 20 E 90 5 A 20 4 R 90 15 C 20 8 D
Re-allocation strategy might be: 90 2 B
Signal Strength

14. Scenario –Population Re-allocation(cont’)
2011/5/16
Scenario –Population Re-allocation(cont’)
Reallocate population on D’s neighbor 20 9 G 90 9 P
Re-allocation strategy:
Average Population
Capable of attack detection 20 9 O 90 10 Q 20 9 E 90 9 A 20 10 R 90 9 C 20 9 D
Average the QoS impact caused by jamming 90 10 B
Signal Strength

15. Scenario –Population Re-allocation(cont’)
2011/5/16
Scenario –Population Re-allocation(cont’)
Real population on D’s neighbor 20 6 G 90 22 P
Re-allocation strategy:
Average Traffic
Capable of attack detection 20 8 O 90 3 Q 20 E 90 5 A 20 4 R 90 15 C 20 8 D
Minimize the QoS impact caused by jamming B 2 90
Signal Strength

16. Scenario – Fake Traffic Generation
Signal Strength 90 30 B 21 A 20 6 G
112 C 28 E D 27 K 24 L 25 M 18 N
Relatively low traffic sources on important nodes.
High traffic sources on unimportant nodes.
Select node C as next hop
2011/5/16
Scenario – Fake Traffic Generation
Fake Traffic Generation

17. Scenario – Attacker’s Preparing Phase(cont’)
2011/5/16
Scenario – Attacker’s Preparing Phase(cont’)
Base Station
Mesh router
Honeynode
Compromised mesh router
Attacker
Nodes with more defense resource A B C D E F G H I J K L M N O P Q R S T U V W X
Succeed
Failed

18. Scenario – Attacker’s Attacking Phase
2011/5/16
Scenario – Attacker’s Attacking Phase A B C D E F G H I J K L M N O P Q R S T U V W X
Base Station
Mesh router
Honeynode
Compromised mesh router
Jammed mesh router
Jammer
Attacker
Nodes with more defense resource
1) Jammed honeynode B
2) Jammed node V with high population
3) Jammed node P(not fake channel)
4) Jammed normal node F
5) Jammed honeynode U

19. Scenario – Defender’s Defending Phase - Channel Surfing
2011/5/16
Scenario – Defender’s Defending Phase - Channel Surfing
The function of channel surfing function:
Mitigate the impact of jamming
Time
Effectiveness
Reduce difficulty to remove jammer
Base Station
Mesh router
Honeynode
Compromised mesh router
Jammed mesh router
Jammer
Attacker
Nodes with more defense resource
Range overlapped. If the mesh router switch to other channel:
Jammed time shotened.
Jammers are not able to know which channel is the origin channel unless it’s compromised. H I T U V S W F J G X K L E R A D M N B C P Q O

20. Scenario – Defender’s Defending Phase - Localization
2011/5/16
Scenario – Defender’s Defending Phase - Localization
Reference point 1
(useless)
Reference point 2
Multiple jammers
Reference point 3
Reference point 4
One of the jammers removed
Static locator
Mobile locator
Jammer
Mobile locator

21. Defender Nodes Base Station Mesh router(with 2 NICs)
2011/5/16
Defender
Nodes
Base Station
Mesh router(with 2 NICs)
Routing channel
Communication channel
Honeynode(with 3 NICs)[1]
Fake communication channel
Locator
[1] S. Misra, et al., "Using honeynodes for defense against jamming attacks in wireless infrastructure-based networks," Computers & Electrical Engineering, vol. 36, pp , 2010.

22. Defender(cont’) Planning phase Defending phase Build Topology
2011/5/16
Defender(cont’)
Planning phase
Build Topology
Deploy non-deception based defense resources
General defense resource (ex. Firewall, Antivirus, etc.)
Localization resource (routers with minimum capability)
Deploy deception based defense resources
Honeynode
Defending phase
Jamming mitigation
Jammer localization

23. Defender(cont’) Defense Mechanisms False target (Honeynodes)
2011/5/16
Defender(cont’)
Defense Mechanisms
False target (Honeynodes)
Fake traffic generation (Honeynodes)
Channel surfing (BSs、Mesh Routers、Honeynodes)
Population re-allocation (BSs、Mesh Routers、Honeynodes)
Jammer localization (BSs、Mesh Routers、Honeynodes、Locators)

24. Defender(cont’) Honeynode[1] as false target Effect: Tradeoff
2011/5/16
Defender(cont’)
Honeynode[1] as false target
Effect:
Preparing Phase
Act as a false target to attract attack and consume attacker’s budget.
Provide fake routing table information when compromised.
Attacking Phase
Prevent true channel from being jammed.
Tradeoff
Occupying available communication channels. (indirectly affects QoS)

25. Defender(cont’) Honeynode[1] as fake traffic generator Effect:
2011/5/16
Defender(cont’)
Honeynode[1] as fake traffic generator
Effect:
Send fake traffic to neighbors to deceive attackers into believing that this node is important.
Tradeoff
Channel capacity
Triggers when node compromising actions are detected by the nodes in the topology and the defender think it helps to turn on this function.

26. Defender(cont’) Channel Surfing[1] Population re-allocation Effect:
2011/5/16
Defender(cont’)
Channel Surfing[1]
Effect:
Change frequency to another free channel to prevent from being jammed(with the help of honeynode) or reduce jamming effect.
Tradeoff
Availability
Triggers when jamming attacks are detected by the nodes in the topology.
Population re-allocation
Reduce jamming effectiveness by re-allocating users.
Strategies
Average population
Average traffic
QoS
Triggers when node compromising actions are detected by the nodes in the topology and the defender think it helps to turn on this function.

27. Defender(cont’) Jammer localization[2] Effect: Strategies Tradeoff
2011/5/16
Defender(cont’)
Jammer localization[2]
Effect:
Localize jammer by exploiting hearing ranges of boundary nodes to permanently remove jammer from the topology.
Strategies
Importance oriented
Difficulty oriented
Tradeoff
Budget
QoS
Triggers QoS constraints has not been met.
[2] Z. Liu, et al., "Wireless Jamming Localization by Exploiting Nodes’ Hearing Ranges," in Distributed Computing in Sensor Systems. vol. 6131, R. Rajaraman, et al., Eds., ed: Springer Berlin / Heidelberg, 2010, pp

28. 2011/5/16
[3] F. Cohen. Managing Network Security: Attack and Defense Strategies. Available:
Total Attackers

29. Attacker’s Next Hop Selecting Criteria
2011/5/16
Attacker’s Next Hop Selecting Criteria

30. Preferences Next Hop Selecting Criteria of Strategies
2011/5/16
Preferences Next Hop Selecting Criteria of Strategies
Aggressive
Least resistance
Easiest to find
Stealthy
Topology extending
Random
Defense Resource
High ↑ ↓ - X
Low ○
Traffic Amount
Signal Strength
PS:
↑: Prefer when certain factor has high value ○: Purely prefer high - : No preference
↓: Prefer when certain factor has low value X : Purely prefer low

31. Attacker’s Attributes
2011/5/16
Attacker’s Attributes
Budget
General Distribution
Preparing phase
Node compromising
Defending phase
Buy jammers
(Quality of jammer will affect the effectiveness of jamming.)
Effects:
Goal of attacker
Capability
Probability of:
compromising nodes
seeing through false target
seeing through fake routing table information

32. Attacker’s Attributes(cont’)
2011/5/16
Attacker’s Attributes(cont’)
Mentality
General Distribution
Effects:
Next hop criteria selection
Preference of success probability of compromising nodes
Preference of using fake routing table information

33. Attacker’s Goal and Corresponding Strategies
2011/5/16
Attacker’s Goal and Corresponding Strategies
Maximize effectiveness
Aggressive
Easiest to find
Random
Maximize jammed range
Least resistance
Stealthy
Topology extending

34. Attacker’s Next Hop Selecting Criteria
2011/5/16
Attacker’s Next Hop Selecting Criteria
From Surface Information (communication channel)
Defense Resource
Signal Strength
Traffic Amount
From Depth Information (routing channel)
Traffic Source

35. Attacker’s Strategy transition rule
2011/5/16
Attacker’s Strategy transition rule
Probability to choose strategy i :
Strategyi’s success rate:

36. Attacker’s Next Hop Selecting Criteria Transition Rule
2011/5/16
Attacker’s Next Hop Selecting Criteria Transition Rule
Probability of strategy i to choose criteria j :
Criteraj’s success rate:

37. Attacker’s Next Hop Selecting Criteria Transition Rule(cont’)
2011/5/16
Attacker’s Next Hop Selecting Criteria Transition Rule(cont’)
Value of pref(i,j)
Aggressive
Least resistance
Easiest to find
Stealthy
Topology extending
Random
Defense Resource
High 1
0.5
Low
1.5
Traffic Amount
Signal Strength
PS:
↑: Prefer when certain factor has high value ○: Purely prefer high - : No preference
↓: Prefer when certain factor has low value X : Purely prefer low

38. Contest Success Function
2011/5/16
Contest Success Function
Determine the success probability of the attacker.
Attackers will set a probability of success according to its mentality.
: Function of attacker’s attack effectiveness.
: Function of defender’s defense effectiveness.

39. Risk Level For fake traffic generator
2011/5/16
Risk Level
For fake traffic generator
Vij computes when node i compromising action are detected.
Vij is the risk level of honeynode j with fake traffic generating function.
Vij determines whether to turn on fake traffic generating function or not.
Factor of defense strength of path from nodes being attacked to nodes equipped with the function：
Factor of link degree of nodes equipped with the function：
Factor of distance between nodes being attacked and nodes equipped with the function：
Factor of distance between nodes equipped with the function and nearest BS：

40. Risk Level(cont’) For population re-allocation
2011/5/16
Risk Level(cont’)
For population re-allocation
Vij computes when node i compromising action are detected.
Vij is the risk level of node j with population re-allocation function.
Vij determines whether to turn on population re-allocation function or not.
Factor of user numbers of nodes being attacked and its neighbor
Factor of defense strength of path from nodes being attacked to nodes equipped with the function：
Factor of link degree of nodes equipped with the function：
Factor of distance between nodes being attacked and nodes equipped with the function：

41. 2011/5/16
The End
Thanks for your attention.

42. Mathematical Formulation

43. 2011/5/16
Assumptions
The communications between mesh routers and between mesh routers and mesh clients use different communication protocol.
All the packets are encrypted. Thus, the attacker can’t directly obtain information in the communication channels.
The defender has complete information of the network which is attacked by a single attacker with different strategies.
The attacker is not aware of the topology of the network. Namely, it doesn’t know that there are honeynodes in the network and which nodes are important, i.e., the attacker only has incomplete information of the network.

44. 2011/5/16
Assumptions(cont’)
There are two kinds of defense resources, the non-deception based resources and the deception based resources.
There are multiple jammers in the network, and their jamming ranges might overlap.
There is only constructive interference between jamming signals.

45. Given parameters Notation Description N The index set of all nodes H
2011/5/16
Given parameters
Notation
Description N
The index set of all nodes H
The index set of all honeynodes P
The index set of the nodes with channel surfing technique Q
The index set of the nodes with precise localization technique R
The index set of the nodes with detection technique

46. Given parameters Notation Description B The defender’s total budget Z
2011/5/16
Given parameters
Notation
Description B
The defender’s total budget Z
All possible attack configuration, including attacker’s attributes and corresponding strategies. E
All possible defense configuration, including defense resources allocation and defending strategies F
Total attacking times of all attackers
An attack configuration, including the attributes and corresponding strategies , where 1≤ i ≤ F
1 if the attacker can achieve his goal successfully, and 0 otherwise, where 1≤ i ≤ F

47. Given parameters Notation Description m(ρi)
2011/5/16
Given parameters
Notation
Description
m(ρi)
The cost of constructing a node with the quality with quality ρi, where i∈N ni
The non-deception based defense resources allocated to node i, where i∈N
h(εi)
The cost of constructing a honeynode with the interactive capability εi, where i∈H
a(φ)
The cost of constructing static locators with the density φ b
The cost of constructing a channel surfing function to one node c
The cost of constructing a precise localization technique to one node d
The cost of constructing a detection technique to one node
t(ρi)
The maximum traffic of node i with quality ρi, where i∈N

48. Decision variables Notation Description
2011/5/16
Decision variables
Notation
Description
The information regarding resources allocating and defending wi
1 if node i is equipped with honeynode function, and 0 otherwise, where i∈N xi
1 if node i is equipped with channel surfing function, and 0 otherwise, where i∈N yi
1 if node i is implemented with precise localization technique
, and 0 otherwise, where i∈N zi
1 if node i is implemented with the detection technique, and 0 otherwise, where i∈N εi
The interactive capability of honeypot i, where i∈N ρi
The quality of node i, where i∈N φ
The density of static locator

49. 2011/5/16
Objective function
(IP 1)

50. 2011/5/16
Constraints
Defender’s budget constraints
(IP 1.1)
(IP 1.2)

51. 2011/5/16
Constraints
Defender’s budget constraints
(IP 1.3)

52. Constraints Defender’s budget constraints (IP 1.4) (IP 1.5) (IP 1.6)
2011/5/16
Constraints
Defender’s budget constraints
(IP 1.4)
(IP 1.5)
(IP 1.6)
(IP 1.7)

53. Constraints Defender’s budget constraints (IP 1.8) (IP 1.9) (IP 1.10)
2011/5/16
Constraints
Defender’s budget constraints
(IP 1.8)
(IP 1.9)
(IP 1.10)

54. Constraints QoS constraints QoS is a function of: BS loading
2011/5/16
Constraints
QoS constraints
QoS is a function of:
BS loading
Utilization of mesh routers on the path to BS
Hops to core node
Fake traffic effect,
Population re-allocation effect
Channel surfing effect
Jammer removal
(IP 1.11)

55. Constraints QoS constraints
2011/5/16
Constraints
QoS constraints
The performance reduction cause by the jammed node should not violate IP1.11.
The performance reduction cause by the channel surfing should not violate IP1.11.
(IP 1.12)
(IP 1.13)
(IP 1.14)

56. Constraints Channel surfing constraints
2011/5/16
Constraints
Channel surfing constraints
The mesh router must equipped with channel surfing technique.
The next channel to be selected must not be in use.
Channel surfing function triggers only if the jammed channel is not a fake channel.
Population re-allocation constraints
The mesh clients to be re-allocated must be in the transmission range of the mesh routers other than current mesh router.
The total traffic of the mesh router i after re-allocation must not exceed the maximum traffic limit t(ρi), where i∈N.
(IP 1.15)
(IP 1.16)
(IP 1.17)
(IP 1.18)
(IP 1.19)

57. Constraints Approximate localization
2011/5/16
Constraints
Approximate localization
There must be at least three available reference points which is under the effect of jamming attack in the jammed channel.
Precise localization
There must be at least one mobile locator in the network.
Fake traffic
The fake traffic sent to mesh router i from the honeynodes must not make it exceed the maximum traffic limit t(ρi), where i∈N
(IP 1.20)
(IP 1.21)
(IP 1.22)

58. Constraints Integer constraints (IP 1.23) (IP 1.24) (IP 1.25)
2011/5/16
Constraints
Integer constraints
(IP 1.23)
(IP 1.24)
(IP 1.25)
(IP 1.26)