Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University

Published bySusan Sullivan Modified over 9 years ago

Similar presentations

Presentation on theme: "Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University"— Presentation transcript:

1 Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University http://list.cs.northwestern.edu Intrusion Detection and Forensics for Self-defending Wireless Networks

2 Security Challenges in GIG Wireless Networks In addition to sharing similar challenge of wired net –High speed traffic (e.g., WiMAX) –Zero-day threats –Lack of quality info for situational-aware analysis: attack target/strategy, attacker (botnet) size, etc. Wireless networks are more vulnerable –Open media Easy to sniff, spoof and inject packets –Open access Hotspots and potential large user population Attacking is more diverse –On media access (e.g., jamming), but easy to detect –On protocols (our focus)

3 Self-Defending Wireless Networks Network-based adaptive intrusion detection and mitigation systems for emerging threats –Polymorphic zero-day worm signature generation (done) –Automated analysis of large-scale botnet probing events for situation aware info (ongoing) Proactive vulnerability analysis and defense of wireless network protocols at various layers –WiMAX IEEE 802.16e: MAC layer (done) –Mobile IP v4/6: network layer (done) –Authentication layer (generalized to various wireless & cellular networks, ongoing)

4 Outline Overall approach and achievement Accomplishment this year Highlight: Error-message based DoS attacks of wireless networks and the defense

5 Accomplishments on Publications Four conference, one journal papers and two book chapters –“Accurate and Efficient Traffic Monitoring Using Adaptive Non-linear Sampling Method", in the Proc. of IEEE INFOCOM, 2008 –“A Survey of Existing Botnet Defenses “, in Proc. of IEEE IWSSE 2008. –“Honeynet-based Botnet Scan Traffic Analysis", invited book chapter for “Botnet Detection: Countering the Largest Security Threat”, Springer, 2007. –“Integrated Fault and Security Management”, invited book chapter for “Information Assurance: Dependability and Security in Networked Systems”, Morgan Kaufmann Publishers, 2007. –“Reversible Sketches: Enabling Monitoring and Analysis over High-speed Data Streams”, in ACM/IEEE Transaction on Networking, Volume 15, Issue 5, Oct. 2007. –“Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms”, in the Proc. of the IEEE ICNP, 2007. –“Detecting Stealthy Spreaders Using Online Outdegree Histograms”, in the Proc. Of IEEE International Workshop on Quality of Service, 2007. Collaborated publication with Dr. Keesook Han from AFRL Resulted from joint research on botnet. Obtain binary/source from Dr. Han Plan to use the testbed developed at AFRL

6 Accomplishments This Year Automatic zero-day polymorphic worm signature generation systems for high-speed networks –Fast, noise tolerant w/ proved attack resilience –Published in IEEE International Conference on Network Protocols (ICNP) 2007 (14% acceptance rate). –A patent filed through Motorola. –Potential technology transfer thru Motorola

7 Limitations of Exploit Based Signatures 1010101 10111101 11111100 00010111 Our network Traffic Filtering Internet Signature: 10.*01 X X Polymorphic worms might not have exact exploit based signatures. Polymorphism!

8 Vulnerability Signatures Use protocol semantics to express vulnerability Work for all the worms which target the same vulnerability Vulnerability signature traffic filtering Internet X X Our network Vulnerability X X

9 Accomplishments This Year II Automating Analysis of Large-Scale Botnet Probing Events What scanning strategies does the probing employ ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger attack ? Leverage honeynet for bot probe detection Ten /24 honeynet from LBNL, five running honeyd, others dark.

10 Approaches Statistical testing of scan properties: trend, uniformity, coordination, and use of pre-generated “hit lists.” Two approaches for global property extrapolation Use IPID and ephemeral port # continuity Use probe interarrival times

11 11 Extrapolated Properties and Results Evaluated w/ 12 month LBNL traces (220GB) –49% uniform random scan –40% hit list scan, majority of them (94%) also uniform Cross-validation with Dshield dataset –Largest global alert repository –All extrapolated scope within a factor of 1.5

12 12 Error-message Based DoS Attacks of Wireless Networks and the Defense

13 13 Vulnerability and Attack Methodology Processing error messages imprudently –Error messages are in clear text before authentication –Messages are trusted without integrity check Attacking requirements –Sniffing: easy for wireless networks –Spoofing before authenticated Easy for wireless LANs & doable for cellular networks Basic attack ideas Spoof and inject error messages or wrong messages that trigger error messages to clients and/or servers. Maybe a known problem but largely ignored

14 14 Outline Vulnerability and Attack Methodology Attack Case Studies –EAP protocols for wireless and cellular networks –Mobile IPv6 route optimization protocol (skipped) Countermeasures Conclusions

15 15 EAP Authentication on Wireless Networks EAP-FASTPEAPEAP-TTLS EAP Over LAN (EAPOL) Extensible Authentication Protocol (EAP) EAP Layer Data Link Layer 802.11 WLAN EAP-TLS Authentication method layer TLS Authentication primitive GSM UMTS/ CDMA2000 EAP-AKAEAP-SIM Challenge/Response

16 16 TLS Authentication Procedure TLS Handshake Protocol Client and server negotiate a stateful connection using a handshake procedure.

17 17 DoS Attacks on TLS Authentication Sniff to get the client MAC address and IDs –Packet in clear text before authentication Send spoofed error messages –Before authentication is done, attacker spoofs an alert message of level ‘fatal‘, followed by a close notify alert. –Then the handshake protocol fails and needs to be tried again. Complete the DoS attack –The attacker repeats the previous steps to stop all the retries When this attack happens, WPA2,WPA or WEP are all in clear text.

18 18 DoS Attacks on TLS: Illustration Sending Error Alert message of level Fatal Can either attack client or server

19 19 DoS Attack on Challenge/Response over EAP-AKA Simple attack: Sending Error Rejection/ Notification message Client End Server End EAP-Request/Identity EAP-Response/Identity (NAI) AKA-Challenge (RAND, AUTN, MAC) AKA-Response (RES, MAC) EAP-Success AKA-Authentication-Reject AKA-Notification

20 20 DoS Attack Experiment on a WiFi Network with PEAP Protocols Hardware –Wifi cards with Atheros chipsets (e.g., Proxim Orinoco Gold wireless adapter) –MADWifi driver Code implementation –Libraries Sniffing: Libpcap library Spoofing: Lorcon library –Attacking code About 1200 lines of C++ code in Ubuntu linux

21 21 Field Test Results We conducted the EAP-TLS attack experiments at a Cafeteria. 7 mobile hosts and one Attacker We’ve successfully attacked all of them in one of the two channels

22 22 Attack Efficiency Evaluation For example, when attack happens at the second point –Just need to send 156 bytes of message to screw the whole 1049 bytes authentication messages. Attack Point 1 Ratio by # of Messages25.00% [1/4] Ratio by Bytes15.89% [78/491 ] Attack Point 2 Ratio by # of Messages28.57% [2/7] Ratio by Bytes14.87% [156/1049]

23 23 Scalability Evaluation by NS2 Simulations Vary the # of simultaneous sign-on clients up to 100 –All results are based on an average of 100 runs. Shows that the attacker is scalable: very few clients are able to authenticate successfully.

24 24 NS-2 Simulation Results II Even better results when sending error messages more aggressively by reducing the CWMin parameter of the attacker –The back-off time of attacker is reduced.

25 25 Outline Vulnerability and Attack Methodology Attack Case Studies –EAP protocols for wireless and cellular networks –Mobile IPv6 route optimization protocol (skipped) Countermeasures Conclusions

26 26 Countermeasures Enhance the robustness of the authentication protocol for wireless access –Delay decision making process by waiting for a short time for a success message (if any) to arrive; and –Give preference to success messages than the error ones. –Implemented and successfully thwart EAP-TLS attacks

27 27 Conclusions We have designed new methods to launch DoS attacks on security protocols using error messages. We found that any security protocol is vulnerable to such attacks as long as it supports a few error messages before the authentication step. As far as we know, no authentication protocol currently is secure against such attacks. We demonstrated the effect of these attacks on TLS and MIPv6 protocols. We suggest a few guidelines for the protocol designers and implementers to defend such attacks.

28 asdf Proactively secure wireless networks via searching unknown protocol vulnerabilities. Automatically detect and filter zero-day polymorphic worms. Accurate network-based intrusion detection and prevention. Complete protocol vulnerability search and defense Network-based automatic signature generation for polymorphic worms Efficient matching with a large vulnerability signature ruleset Intrusion Detection and Forensics for Self-defending Wireless Networks Yan Chen, Northwestern University Objective Scientific/Technical Approach Accomplishments Find error-message based attacks and propose defense schemes. Design & implement length-based signature generation for zero-day polymorphic worms. Challenges Various and complicated network protocols Large number of vulnerability signatures and high-speed traffic volume. EAP-FASTPEAPEAP-TTLS EAP Over LAN (EAPOL) Extensible Authentication Protocol (EAP) 802.11 WLAN EAP-TLS TLS GSM UMTS/ CDMA2000 EAP-AKAEAP-SIM Challenge/Response Vulnerability analysis of various wireless network protocols.

29 Backup Slides 29

30 The Spread of Sapphire/Slammer Worms

31 The Current Threat Landscape of Wireless Networks Wireless networks, crucial for GIG, face both Internet attacks and their unique attacks –Viruses/worms: e.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices –Botnets: underground army of the Internet, emerging for wireless networks Big security risks for wireless networks –Few formal analysis about wireless network protocol vulnerabilities –Existing (wireless) IDSes only focus on existing attacks Ineffective for unknown attacks or polymorphic worms –Little work on attack forensics E.g., how to identify the command-and-control (C&C) channel of botnets?

32 Evaluation Methodology Fully implemented and deployed to sniff a campus router hosting university Web servers and several labs. Run on a P4 3.8Ghz single core PC w/ 4GB memory. Much smaller memory usage. E.g., http 791 vulnerability sigs from 941 Snort rules: DFA: 5.29 GB vs. NetShield 1.08MB 32

33 33 EAP and TLS Authentication Extensible Authentication Protocol (EAP) is a PPP extension –Provides support for additional authentication methods within PPP. Transport Layer Security (TLS) –Mutual authentication –Integrity-protected cipher suite negotiation –Key exchange Challenge/Response authentication with pre-shared keys –Pre-shared key (Ki) in SIM and AuC –Auc challenges mobile station with RAND –Both sides derive keys based on Ki and RAND

34 34 Practical Experiment For the 33 different tries –All suffered an attack at Attack Point-1 –21% survive from the first attack but failed at the 2 nd Attack Point.

35 35 Simulate one TLS-Server, one TLS-Attacker and range the TLS-Clients between 1 to a maximum of 100. –The number of clients authenticate to the TLS server simultaneously. –It’s extremely rare case Base Station was set up to interface between the wired and wireless networks. The duplex-link between the BS and the TLS- Server was of 100MBps with a 10ms delay.

36 36 Case 2: Mobile IPv6 Routing-Optimization protocol

37 37 Mobile IPv6 Mobile IPv6 is a protocol which allows nodes to remain reachable while moving around in the IPv6 Internet. –Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet. –IPv6 packets addressed to a mobile node's home address are transparently routed to its care-of address. –The protocol enables IPv6 nodes to cache the binding of a mobile node's home address with its care-of address, and to then send any packets destined for the mobile node directly to it at this care-of address

38 38 Return Routability Procedure The procedure begins when the MN sends HoTI message to CN through HA and CoTI message directly to CN. Upon the receipt of the Binding Update, CN adds an entry for the MN in its Binding Cache and optionally sends Binding Acknowledgement. Once this happens, MN and CN will be capable of communicating over a direct route. –This way, the route between MN and CN is optimized.

39 39 Once Return Routability happens, MN and CN will be capable of communicating over a direct route The route between MN and CN is optimized. Return Routability Procedure

40 40 The Vulnerability Binding Error Vulnerability –Used to disable the Routing Optimization procedure. Binding Error message set Status to 2 (unrecognized MH Type value), Then the mobile node SHOULD cease the attempt to use route optimization. The Binding Error message is not protected. Bind Acknowledgement Vulnerability –The Bind Acknowledgement vulnerability affects the Return Routability procedure Binding Acknowledgement with status 136, 137 and 138 is used to indicate an error and not protected in any way Hence, it could be easily spoofed by an external entity

41 41 Bind Error Vulnerability The Vulnerability

42 42 Bind Acknowledgement Vulnerability The Vulnerability

43 43 Experiment Environment

44 44 Evaluation The MIPv6 Experiment is based on a LAN testbed. –Except the Mobile Node, all other components such as Home Agent and Correspondence Node are all connected via wired cable in the Northwestern network. We collected the data through 100 times experiment. Observed via the Wireshark running on the Mobile Node, for one successful attack, the time window is about 5ms in average and the Standard Deviation is 0.108ms for distribution The time consumed by computing the spoofed Error message is 0.0203ms in average. The closer the attack to the Mobile Node, the higher probability we get for launching a successful Error Message attack.

45 45 PEAP Enhancement Original WPA supplicant v0.5.10 –Generate TLS ALERT on unexpected messages –Stop authentication on TLS ALERT Delayed response implementation –Drop unexpected message silently –Wait for 1 second when receiving TLS ALERT to allow multiple responses, and ignore TLS ALERT response if good responses are received. Verification – Redid the attack experiments and prove the effect of the countermeasures

Download ppt "Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University"

Similar presentations

1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.

1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.
Dynamic Tunnel Management Protocol for IPv4 Traversal of IPv6 Mobile Network Jaehoon Jeong Protocol Engineering Center, ETRI

Dynamic Tunnel Management Protocol for IPv4 Traversal of IPv6 Mobile Network Jaehoon Jeong Protocol Engineering Center, ETRI
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
1 Exception Triggered DoS Attacks on Wireless Networks Yao Zhao, Sagar Vemuri, Jiazhen Chen, Yan Chen, Hai Zhou Lab for Internet and Security Technology.

1 Exception Triggered DoS Attacks on Wireless Networks Yao Zhao, Sagar Vemuri, Jiazhen Chen, Yan Chen, Hai Zhou Lab for Internet and Security Technology.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
6/3/2015 1 Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross-Layer Information Awareness CS495 – Spring 2005 Northwestern University.

6/3/ Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross-Layer Information Awareness CS495 – Spring 2005 Northwestern University.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University

Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University.

Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University.
MOBILITY SUPPORT IN IPv6

MOBILITY SUPPORT IN IPv6
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.

Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.

IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
WLAN security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.

WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.

Similar presentations

Ads by Google