Yan Chen, Northwestern Lab for Internet and Security Technology (LIST), Dept. of Computer Science, Northwestern University


Slide 1: Adaptive Intrusion Detection and Mitigation Systems for WiMAX Networks
Yan Chen, Northwestern Lab for Internet and Security Technology (LIST), Dept. of Computer Science, Northwestern University, http://list.cs.northwestern.edu
Motorola Liaisons: Gregory W. Cox, Z. Judy Fu, Philip R. Roberts (Motorola Labs)

Slide 2: Battling Hackers is a Growth Industry!
- The past decade has seen an explosion in the concern for the security of information
- Denial of service (DoS) attacks
  – Cost $1.2 billion in 2000
- Viruses and worms faster and more powerful
  – Cause over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by 2007. -- Wall Street Journal (11/10/2004)

Slide 3: The Current Internet: Connectivity and Processing
(Diagram of access networks and core networks: transit net, private peering, public peering at a NAP, PSTN, regional wireline, regional voice, cell, cable modem, LAN, premises-based WLAN, operator-based WLAN, DSLAM, analog RAS, H.323 data)

Slide 4: Motivation
- Viruses/worms are moving into the wireless world …
  – 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
- IEEE 802.16 WiMAX networks emerging
  – Predicted multi-billion dollar industry
  – No existing research/product tailored towards 802.16 anomaly/intrusion detection and mitigation
- 802.16 IDS development can potentially lead to a critical gain in market share
  – All major WLAN vendors have integrated IDS into their products
- Strategically important to lead the WiMAX product portfolio with security & troubleshooting capability
  – Simply buying off-the-shelf IDSes leaves one blind to their limitations

Slide 5: Existing Intrusion Detection Systems (IDS) Insufficient
- Mostly host-based and not scalable to high-speed networks
  – Slammer worm infected 75,000 machines in < 10 mins
  – Host-based schemes inefficient and user dependent
    » Have to install IDS on all user machines!
- Mostly signature-based
  – Cannot recognize unknown anomalies/intrusions
  – New viruses/worms, polymorphism

Slide 6: Current IDS Insufficient (II)
- Statistical detection
  – Hard to adapt to traffic pattern changes
  – Unscalable for flow-level detection
    » IDS vulnerable to DoS attacks
    » WiMAX, up to 134 Mbps: 10 minutes of traffic may take 4 GB of memory
  – Overall-traffic based: inaccurate, high false positives
    » Most existing high-speed IDS are here
- Cannot differentiate malicious events from unintentional anomalies
  – E.g., signal interference in a wireless network

Slide 7: Adaptive Intrusion Detection System for Wireless Networks (WAIDM)
- Online traffic recording and analysis for high-speed WiMAX networks
  – Leverage sketches for data streaming computation
  – Record millions of flows (GB of traffic) in a few kilobytes
- Online flow-level intrusion detection & mitigation
  – Leverage statistical learning theory (SLT) to adaptively learn traffic pattern changes
  – Flow-level mitigation of attacks
  – Combine with 802.16-specific signature-based detection
    » Automatic polymorphic worm signature generation

Slide 8: WAIDM Systems (II)
- Anomaly diagnosis for false positive reduction
  – Use statistics from the MIB of the base station to understand the wireless network status
    » E.g., distinguish packet flooding, signal interference, and other intrusions
    » Successfully experimented with 802.11 networks
  – Root cause analysis to diagnose link failures, routing misconfiguration, etc.
  – Useful for managing and troubleshooting WiMAX networks

Slide 9: WAIDM Deployment
- Attached as a black box to the switch connecting the BSs
- Enables the early detection and mitigation of global-scale attacks
- Highly ranked as "powerful and flexible" by the DARPA research agenda
(Diagram: (a) original configuration: Internet, switch/BS controller, 802.16 BSs, users; (b) WAIDM deployed: the WAIDM system attached to the scan port of the switch/BS controller)

Slide 10: WAIDM Architecture
(Architecture diagram. Streaming packet data enters Part I, sketch-based monitoring & detection: reversible k-ary sketch monitoring, filtering, and sketch-based statistical anomaly detection (SSAD); local sketch records are sent out for aggregation and remote aggregated sketch records come back. Keys of suspicious flows and keys of normal flows go to Part II, per-flow monitoring & detection: signature-based detection, traffic profile checking, and statistical detection, which separate normal flows from suspicious flows and send intrusion or anomaly alarms to fusion centers. The diagram distinguishes the data path from the control path and the modules on the critical path from those on the non-critical path, such as network fault detection.)

Slide 11: Intrusion Mitigation

Attacks detected                                  Mitigation
Denial of Service (DoS), e.g., TCP SYN flooding   SYN defender, SYN proxy, or SYN cookie for the victim
Port scan and worms                               Ingress filtering with attacker IP
Vertical port scan                                Quarantine the victim machine
Horizontal port scan                              Monitor traffic with the same port # for compromised machines
Spyware                                           Warn the end users being spied on

Slide 12: Evaluation of Sketch-based Detection
- Evaluated with NU traces (536M flows, 3.5 TB of traffic)
- Scalable and efficient traffic monitoring
  – For the worst-case traffic, all 40-byte packets:
    » 16 Gbps on a single FPGA board
    » 526 Mbps on a Pentium-IV 2.4 GHz PC
  – Less than 10 MB of memory used
- Accurate and fast detection
  – 19 SYN flooding attacks, 1784 horizontal scans and 29 vertical scans detected in one-day NU traces in 719 seconds
  – Validation
    » All flooding attacks and vertical scans, and the top 10 and bottom 10 horizontal scans
    » Both well-known and new worms found (new ones confirmed in DShield)
- Patent filed

Slide 13: Research methodology
- Combination of theory, synthetic/real trace-driven simulation, and real-world implementation and deployment

Slide 14: Backup Slides

Slide 15: Scalable Traffic Monitoring and Analysis - Challenge
- Potentially tens of millions of time series!
  – Need to work at a very low aggregation level (e.g., IP level)
  – Each access point (AP) can have 200 Mbps; a collection of 10-100 APs can easily go up to 2-20 Gbps
  – Moore's Law on traffic growth …
- → Per-flow analysis is too slow or too expensive
  – Want to work in near real time

Slide 16: Sketch-based Change Detection (ACM SIGCOMM IMC 2003, 2004)
(Diagram: input stream of (key, update) pairs (k, u) … → sketch module → sketches → forecast module(s) → error sketch → change detection module → alarms)
- Summarize the input stream using sketches
- Build forecast models on top of the sketches
- Report flows with large forecast errors
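The sketch → forecast → error-sketch → alarm pipeline of this slide, as an added Python example that is not code from the deck or from the LIST project: a k-ary sketch with an EWMA forecast per bucket, where keys whose estimated forecast error exceeds a threshold are reported. The row/bucket counts, smoothing factor, threshold and the per-source SYN counts are constructed assumptions, and the reversible-sketch key recovery of slide 10 is not implemented, so the candidate keys are supplied to the detector.

```python
import hashlib, statistics

H, K = 5, 1024   # hash rows and buckets per row (constructed sizes)
ALPHA = 0.5      # EWMA smoothing factor of the per-bucket forecast (assumption)

def _bucket(row, key):
    d = hashlib.sha256(f"{row}:{key}".encode()).digest()   # one hash per row
    return int.from_bytes(d[:8], "big") % K

class KarySketch:
    """Sums the (key, update) pairs of one interval into H x K counters;
    estimate() is the k-ary estimate: row value minus row mean, median over rows."""
    def __init__(self):
        self.t = [[0.0] * K for _ in range(H)]
    def update(self, key, u):
        for i in range(H):
            self.t[i][_bucket(i, key)] += u
    def estimate(self, key):
        est = []
        for i in range(H):
            total = sum(self.t[i])
            est.append((self.t[i][_bucket(i, key)] - total / K) / (1 - 1 / K))
        return statistics.median(est)

class ChangeDetector:
    """Forecast module + change detection: error sketch = observed - forecast,
    and keys whose estimated error exceeds the threshold raise an alarm."""
    def __init__(self):
        self.forecast = None
    def run_interval(self, observed, candidates, threshold):
        if self.forecast is None:      # first interval only seeds the forecast
            self.forecast = observed
            return []
        err = KarySketch()
        for i in range(H):
            for j in range(K):
                err.t[i][j] = observed.t[i][j] - self.forecast.t[i][j]
                self.forecast.t[i][j] += ALPHA * err.t[i][j]   # EWMA update
        return sorted(k for k in candidates if err.estimate(k) > threshold)

def demo():
    """Constructed per-source SYN counts: steady for 3 intervals, then one bursts."""
    det, alarms = ChangeDetector(), []
    for interval in range(4):
        counts = {f"10.0.0.{i}": 100 for i in range(1, 51)}
        if interval == 3:
            counts["10.0.0.7"] = 5000   # constructed burst resembling a SYN flood
        sk = KarySketch()
        for key, u in counts.items():
            sk.update(key, u)
        alarms = det.run_interval(sk, counts, threshold=1000)
    return alarms                       # ["10.0.0.7"]
```

Steady sources produce a zero error sketch, so only the bursting source is reported; with a real reversible sketch the candidate list would be recovered from the error sketch itself instead of being passed in.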

Slide 17: GRAID Sensor Architecture
(Same architecture diagram as the WAIDM Architecture slide: sketch-based monitoring & detection in Part I feeding per-flow monitoring & detection in Part II, with critical-path and non-critical-path modules, data and control paths, and alarms to fusion centers)

Slide 18: Current IDS Insufficient for Wireless Networks
- Most existing IDS are signature-based
  – Especially for wireless networks
  – Detect denial-of-service attacks caused by the WEP authentication vulnerability, e.g., Airespace
- Current statistical IDS have manually set parameters
  – Cannot adapt to traffic pattern changes
- However, wireless networks often have transient connections
  – Hard to differentiate collisions, interference, and attacks

Slide 19: Statistical Anomaly/Intrusion Detection and Mitigation for Wireless Networks
- Use statistics from the MIB of the BS to understand the current wireless network status
  – Interference Detection MIB Group
    » Retry count, FCS error count, Failed count …
  – Intrusion Detection MIB Group
    » Duplicate count, Authentication failure count, EAP negotiation failure count, Abnormal termination percentage …
  – DoS Detection MIB Group
    » Auth flood to BS, De-Auth flood to SS
- Automatically adapt to different learned profiles on observing status changes

Slide 20: Preliminary Algorithm
(Flowchart, shown twice on the slide: Collect MIBs → Process Interference/Collision MIB Group, Process Intrusion Detection MIB Group, Process DoS MIB Group; branches labelled Interference H → Interference, DoS Attack H → DoS Attack, and Intru H with Inter L → Intrusion)
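The MIB-group diagnosis of slides 19 and 20, as an added Python example that is not code from the deck or the project: counter deltas per group are turned into rates, a profile is learned from a baseline window, and the high/low outcome of each group is mapped to Interference, DoS Attack, Intrusion or Normal following the flowchart labels. The interference objects are the dot11 counters named on slide 28 of this deck; the intrusion and DoS object names, the Counter32 wrap-around, the mean + 3σ profile rule and all sample values are constructed assumptions.

```python
from statistics import mean, pstdev

WRAP = 1 << 32   # assumption: the counters are SNMP Counter32 objects and wrap at 2^32
# MIB groups as on slide 19; dot11 names are from slide 28, the rest are constructed.
GROUPS = {
    "interference": ["dot11FailedCount", "dot11FCSErrorCount", "dot11MultipleRetryCount"],
    "intrusion": ["dot11FrameDuplicateCount", "authFailureCount", "eapNegotiationFailureCount"],
    "dos": ["authFloodCount", "deauthFloodCount"],
}

def delta(prev, cur):
    """Increment between two Counter32 samples, tolerating one wrap-around."""
    return (cur - prev) % WRAP

def group_rates(prev, cur, seconds):
    """Per-group increments per second between two SNMP polls."""
    return {g: sum(delta(prev[o], cur[o]) for o in objs) / seconds
            for g, objs in GROUPS.items()}

def learn_profile(history, k=3.0):
    """Threshold per group = mean + k*stddev over a baseline window (assumed rule)."""
    return {g: mean(r[g] for r in history) + k * pstdev(r[g] for r in history)
            for g in GROUPS}

def diagnose(rates, profile):
    """Reading of the slide-20 flowchart: a high interference group masks intrusion."""
    high = {g: rates[g] > profile[g] for g in GROUPS}
    if high["dos"]:
        return "DoS Attack"
    if high["interference"]:
        return "Interference"          # Inter H: retries/FCS errors, not an attacker
    if high["intrusion"]:
        return "Intrusion"             # Intru H with Inter L
    return "Normal"

def demo():
    """Constructed baseline rates and one poll pair during which a deauth flood starts."""
    baseline = [{"interference": i, "intrusion": j, "dos": d} for i, j, d in
                [(2.0, 0.5, 0.0), (3.0, 0.0, 0.1), (2.5, 0.5, 0.0),
                 (2.0, 1.0, 0.1), (3.5, 0.5, 0.0)]]
    profile = learn_profile(baseline)
    prev = {"dot11FailedCount": WRAP - 6, "dot11FCSErrorCount": 1000,
            "dot11MultipleRetryCount": 500, "dot11FrameDuplicateCount": 40,
            "authFailureCount": 3, "eapNegotiationFailureCount": 1,
            "authFloodCount": 0, "deauthFloodCount": 2}
    cur = dict(prev, dot11FailedCount=4, dot11FCSErrorCount=1010,   # FailedCount wrapped
               dot11MultipleRetryCount=505, dot11FrameDuplicateCount=42,
               deauthFloodCount=400)
    return diagnose(group_rates(prev, cur, seconds=10), profile)   # "DoS Attack"
```

Without the modulo in delta(), the wrapped dot11FailedCount would yield a negative interference rate and silently hide a real interference episode in the same poll.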

Slide 21: Project Review testbed
(Diagram: Internet, CS AP, Client1, an attacker and an attacker AP on 2.4 GHz, AiroPeek capture, and an IDS collecting MIB and SysLog data)

Slide 22: Info Measurements - Info Resources
- SNMP MIB
  » A collection of objects that can be accessed via a network management protocol
- System Log
  » Event/Trap Captures
- Wireless Capture

Slide 23: Info Measurements - Info Collection Tools
- Hardware
  » Cisco Access Point
  » Cisco Wireless Card
- Software
  » Visual Studio
  » Net-SNMP
  » AiroPeek
  » NetStumbler

Slide 24: MIB Collection & Storage (figure)

Slide 25: SysLog (figure)

Slide 26: Data Analysis
- Measurement-based analysis
- Correlate parameters with events
  – Contention interference
  – RF interference
  – Wireless intrusion
  – Wireless DoS attack

Slide 27: Sample Experiments - Contention Interference
(Diagram: CS AP with Client1 and a Test AP with Client2, both on channel 9, with MIB data collected from the CS AP)

Slide 28: Contention Interference MIB
- dot11ACKFailureCount.1
- dot11FailedCount.1
- dot11FCSErrorCount.1
- dot11FrameDuplicateCount.1
- dot11MulticastTransmittedFrameCount.1
- dot11MultipleRetryCount.1
- dot11RTSFailureCount.1
- dot11TransmittedFrameCount.1

Slides 29-32: Contention Interference (measurement plots)

Slide 33: 802.16 Protocol Layering (figure)

Slides 34-37: 802.16 MIB Structure (figures)

Slide 38: Thank You! More Questions?
