Download Detecting Spoofing and Anomalous Traffic in Wireless

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
Document related concepts
no text concepts found
Transcript 
Detecting Spoofing and
Anomalous Traffic in Wireless
Networks via Forge-Resistant
Relationships
Qing Li and Wade Trappe
IEEE Transactions on Information Forensics and Security, VOL. 2, No. 4, December 2007
Presented by: Ryan Yandle
Outline



Spoofing
ORBIT
Family 1 – Relationships via Auxiliary Fields



Family 2 – Relationships via Intrinsic Properties




Method A – Sequence Number
Method B – One-way chains
Method A – Interarrival time
Method B – Joint Background Traffic and Interarrival time
Analysis
Multilevel Classification
Conclusion
What is Spoofing?


The practice of
impersonating another
entity in order to
subvert security.
Spoofing allows the
attacker to remain
anonymous and
undetected in the
network.
More Specifically


This paper refers to MAC address spoofing.
The attacker tries to gain access to the
WLAN by cloning the MAC address of a
legitimate user.
What are Forge-Resistant
Relationships?



Rules that govern the relationship between
two distinct entities
These rules define the relationship such that
another entity (attacker) trying to forge the
relationship would be caught
Paper’s focus is to detect spoofing by
creating these unique relationships
The ORBIT Wireless Test Bed


Composed of a 2d
grid of wireless
nodes
Jointly run by
several schools in
the NY/NJ area
Test Bed Setup
A – Legitimate Sender
B – Attacker
X – Monitor
Strategy Overview



Consider that the
legitimate sender has a
unique identity
Associated with their
identity will be a particular
sequence of packets
From these packets we
may we may observe
states
More Strategery…

A Relationship
Consistency Check
(RCC) is a binary rule
that returns 1 if the
states obey the rule R
with respect to each
other.
But…



Simply using a relationship R and checking
the corresponding RCC at the monitoring
device is not going to provide reliable security
We need to add forgeability requirements to
the relationship
Thus, a RRCC (forge-resistant RCC) is
needed
Definition of RRCC

A ε-forge-resistant relationship R is a rule
governing the relationship between a set of
states from a particular identity, for which
there is a small probability of another device
being able to forge a set of states such that a
monitoring device would evaluate the
corresponding RCC as 1.
More…

We will view the output of an RRCC as the
result of deciding between two different
hypotheses.


H0 – the null hypothesis that corresponds to nonsuspicious activity
H1 – the alternate hypothesis that corresponds to
anomalous behavior
Quantifying Effectiveness

We will use several measures to quantify the
effectiveness of R.

The probability of a false alarm



PFA = Pr(H1;H0)
Probability that we will decide a set of states is
suspicious when it was really legitimate
The probability of a missed detection


PMD = Pr(H0;H1)
Probability of deciding that a set of states are
legitimate when they were not
Quantifying Effectiveness
Cont.

The probability of detection


Other Symbols:



PD = 1 – PMD
ε = PMD
δ = PFA
Therefore, we can define an RRCC by (ε,δ)
Two Proposed Families for
Relationships
1.
2.
Using auxiliary fields in the MAC frame to
create a monotonic relationship
Using traffic inter-arrival statistics to detect
anomalous traffic
Family I - Forge-Resistant
Relationships via Auxiliary Fields

Method A

Anomaly Detection via
Sequence Number
Monotonicity

Enforce a rule that requires
packet sequence numbers to
follow a monotonic
relationship, denoted as Rseq
802.11 MAC Frame Structure




Generally used to re-assemble fragmented frames
or detect duplicate packets.
Fragment control – 4bits
Sequence number – 12bits = 4096 possibilities
ranging from [0,4095]
Firmware
Rseq



It does not matter if the attacker can
manipulate its own sequence numbers.
Cloning attempt would be exposed due to
duplicate sequence numbers
Therefore, the forge resistance stems from
the fact that the attacker cannot stop the
sender from transmitting packets.
Single Source Sequence
Numbers


t: the difference in sequence numbers
between two consecutive packets
The possible values for t : [1, 4096]



A value of 4096 is equivalent to a sequence number
difference of 0 (duplicate sequence numbers)
The mean distribution for t is E[t] = 1/(1-p)2
where p is the packet loss rate
The variance for the distribution of t is
σt2 = p/(1-p)2
Theoretical Packet Loss

Using the formula’s that we just learned, a
theoretical transmission with packet loss of
50%:



E[τ] = 2
στ2= 1.41
Even for networks with poor connectivity, the
difference in sequence numbers between
successive packets will be relatively small
Dual Source Sequence
Numbers




Let y be the sequence number from the real
source
Let x be the sequence number from the
attacker
z = x-y gives us a range of [-4095,4095]
This gap will be defined as t = z % 4096
Dual Source Cont.

If we then map a difference of 0 to 4096, we
have a uniform distribution over [1,4096]


E[t] = 2048.5
σt = 1182
Single Source Behavior

A single node is transmitting packets using a
specified MAC address to a receiver

No anomalous behavior is present in this scenario
Dual Source Behavior

Two nodes using the same MAC address to
transmit packets

One node is spoofing the other’s MAC address
Lets build a detector…




We will define the RRCC detection scheme as
follows:
Choose a window of packets coming from a
specific MAC address
We will choose a window with size L
The detector will calculate L-1 sequence number
gaps
More on the detector


The detector will determine that there is an
anomaly if MAXl=1 to L-1 {tl} > g
g is determined by solving for a desired false
alarm rate
Example: L = 5 & g = 3
1
MAX{
2
3
1
76
73
71
73
5
7
2
8
9
10
11
}
73 > g , RETURN(1)
Performance of Sequence
Number Monotonicity
L=2
Sequence Number Gap Statistics
for a Single Source from ORBIT
When would this not work?

This method of detection could only work with
a presence of heterogeneous sources; the
legitimate device must be transmitting in
order to reveal the anomaly.
Family I - Forge-Resistant
Relationships via Auxiliary Fields

Method B

One-way chain of
Temporary Identifiers

The sender attaches a TIF
(temporary identifier field) to
its identity, forcing the
adversary to solve a
cryptographic puzzle in order
to spoof.
Temporary Identifier Fields




Similar to what was proposed in TESLA
Compute a one-way chain of numbers, and
attach them to the frames in reverse order.
In order for the attacker to spoof a message,
they would need to find the inverse of the
function used to compute the one-way chain.
This method is loss-tolerant
ROC Curve for one-way chain
TIF’s
Bit Length = 10
Bit Length = 16
Outline



Spoofing
ORBIT
Family 1 – Relationships via Auxiliary Fields



Family 2 – Relationships via Intrinsic Properties




Method A – Sequence Number
Method B – One-way chains
Method A – Interarrival time
Method B – Joint Background Traffic and Interarrival time
Analysis
Multilevel Classification
Conclusion
Family II - Forge-Resistant
Relationships via Intrinsic
Properties

Method A) Traffic Arrival
Consistency Checks


Use a traffic shaping tool to
control the interarrival times
observed by the monitoring
device.
These interarrival statistics
are then used to determine
anomalous behavior
Traffic Arrival Consistency
Checks

Suppose we have our three devices, A, B, X


A is set to transmit at a fixed interval
X will take note of this behavior, if B starts
transmitting (spoofing to impersonate A) then the
detector will notice a change in the distribution of
packet arrivals
Resulting Histograms
Experimental Results: 200ms
Experimental Results cont.
When would this method become
unreliable on a wireless network?


With the presence of high background traffic,
this method would become less suitable.
Background traffic would affect the
transmission intervals of the sender, possibly
causing false alarms.
Family II - Forge-Resistant
Relationships via Intrinsic
Properties

Method B) Joint Traffic
Load and Interarrival Time
Detector


Jointly examine the
interarrvial time and the
background traffic load
Use these two pieces of
information to determine
anomalous behavior, even
under heavy traffic
situations
Joint Traffic Load and
Interarrival Time Detector


We can define t to be the observed average
interarrival time, and L to be the observed
traffic load.
We then partition this (L, t) space into two
regions



Region I – non-suspicious behavior
Region II – anomalous activity
This idea is later revisited in the experimental
validation section.
Enhanced Detection using
Multilevel Classification


Extremely useful to have a severity analysis
Plot severity vs. average sequence number
gap of a particular window

Severity is defined as the sum of the differences
between a normal gap and the observed gap for
all gaps in a window size L
Severity vs. Average Sequence
Number Gap
Conclusion



All methods have their flaws
There are already mechanisms in place
within 802.11 that can help detect spoofing
attacks
Thank you for your time!
Questions / Comments
Sequence Number Gap Statistics
for Dual Source from ORBIT
Related documents
ip spoofing ppt pdf
ip spoofing ppt pdf
BUNDLE PROTOCOL
BUNDLE PROTOCOL
Forms of Network Attacks
Forms of Network Attacks
Joshua White - Everis Inc.
Joshua White - Everis Inc.
The Need for Security
The Need for Security
Sniffing/Spoofing - Dr. Stephen C. Hayne
Sniffing/Spoofing - Dr. Stephen C. Hayne
PUBLIC CHARACTER OF THE SCHOOL
PUBLIC CHARACTER OF THE SCHOOL
9-0 Internet Protocol Attacks and some Defenses
9-0 Internet Protocol Attacks and some Defenses
1. Application layer, Transport layer, Internet layer, Link layer 2
1. Application layer, Transport layer, Internet layer, Link layer 2
The Internet and Security
The Internet and Security
common network terms - Amazon Web Services
common network terms - Amazon Web Services
Chap11 Spoofing Attack
Chap11 Spoofing Attack
OSI Model Layers
OSI Model Layers
pptx
pptx
Df-pn - Imai Laboratory
Df-pn - Imai Laboratory
Spoofing Attacks
Spoofing Attacks
Chapter8 Phase3: Gaining Access Using Network Attacks
Chapter8 Phase3: Gaining Access Using Network Attacks