Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks

Yan Chen, Hai Zhou
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science, Northwestern University
http://list.cs.northwestern.edu

Motorola Liaisons: Greg W. Cox, Z. Judy Fu, Peter McCann, and Philip R. Roberts
Motorola Labs

The Current Threat Landscape and Countermeasures of WiMAX Networks
• WiMAX: the next wireless phenomenon
 – Predicted multi-billion dollar industry
• WiMAX faces both Internet attacks and wireless network attacks
 – E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
• Goal of this project: secure WiMAX networks
• Big security risks for WiMAX networks
 – No formal analysis of WiMAX security vulnerabilities
 – No intrusion detection/mitigation product or research tailored to WiMAX networks

Security Challenges in Wireless Networks
• Wireless networks are more vulnerable than wired networks
 – Open medium
 » Easy to sniff, spoof and inject packets
 – Open access
 » Hotspots and a potentially large user population
• Attacks are more diverse
 – On media access (e.g., jamming), but easy to detect
 – On protocols (our focus)

Our Approach
• Vulnerability analysis of WiMAX networks at various layers
 – IEEE 802.16e: MAC layer (done in year 2)
 – Mobile IPv4/v6: network layer (started in year 2)
 – EAP layer
• Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
 – Could be a differentiator for Motorola's 802.16 products
 – Focus on the emerging threats: polymorphic zero-day worms and botnets

Outline
• Threat Landscape and Motivation
• Our Approach
• Accomplishments
• Network-based zero-day polymorphic worm signature generation
• DoS attacks on wireless networks with error messages in the EAP-TLS protocol

Accomplishments This Year (I)
• Most achieved with close interaction with Motorola liaisons
• Automatic polymorphic worm signature generation system for high-speed networks
 – Fast, noise tolerant, with proven attack resilience
 – Resulted in a joint paper with Motorola Labs, "Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms", published at the IEEE International Conference on Network Protocols (ICNP) 2007 (14% acceptance rate)
 – Patent filed through Motorola
 » "Method and Apparatus to Facilitate Generating Worm-Detection Signatures Using Data Packet Field Lengths", U.S. Patent Application No. 11/985,760, filed Dec. 18, 2007
 – A journal paper submitted to IEEE/ACM Transactions on Networking

Accomplishments This Year (II)
• Vulnerability analysis of wireless network protocols
 – IP layer and authentication layer
• Found a general class of "error-message" based attacks
• Attack requirements
 – Sniffing
 – Spoofing before authentication completes
• Basic idea
 – Spoof and inject error messages, or wrong messages that trigger error messages
 – Clients' requests fail, leading to DoS attacks
• Examples of vulnerable protocols
 – EAP-TLS
 – Mobile IPv6 route optimization

Accomplishments on Publications
• Three conference papers, one journal paper and two book chapters
 – "Accurate and Efficient Traffic Monitoring Using Adaptive Nonlinear Sampling Method", to appear in the Proc. of IEEE INFOCOM, 2008
 – "Honeynet-based Botnet Scan Traffic Analysis", invited book chapter for "Botnet Detection: Countering the Largest Security Threat", Springer, 2007
 – "Integrated Fault and Security Management", invited book chapter for "Information Assurance: Dependability and Security in Networked Systems", Morgan Kaufmann Publishers, 2007
 – "Reversible Sketches: Enabling Monitoring and Analysis over High-speed Data Streams", in ACM/IEEE Transactions on Networking, Volume 15, Issue 5, Oct. 2007
 – "Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms", in the Proc. of the 15th IEEE International Conference on Network Protocols (ICNP), 2007
 – "Detecting Stealthy Spreaders Using Online Outdegree Histograms", in the Proc. of the 15th IEEE International Workshop on Quality of Service (IWQoS), 2007

Students Involved
• PhD students:
 – Zhichun Li, Yao Zhao (both in their 4th year)
 – Lanjia Wang, Yanmei Zhang (visiting PhD students)
• MS students:
 – Sagar Vemuri (1st year)
 – Jiazhen Chen (2nd year)

Limitations of Exploit-Based Signatures
[Figure: an exploit-based signature (10.*01) applied as a traffic filter between the Internet and our network; variants matching the pattern (1010101, 10111101) are blocked, while polymorphic variants (11111100, 00010111) pass through]
• Polymorphism! Polymorphic worms may not have any exact exploit-based signature.

Vulnerability Signature
[Figure: vulnerability-signature traffic filtering between the Internet and our network blocks every variant, including one exploiting an unknown vulnerability]
• Works for polymorphic worms
• Works for all worms that target the same vulnerability

Benefits of Network-Based Detection
[Figure: gateway routers between the Internet and our network, contrasted with host-based detection inside the network]
• In the early stage of a worm there are only limited worm samples.
• Host-based sensors can only cover limited IP space, which may have scalability issues.
• Early detection!

Basic Ideas
• At least 75% of vulnerabilities are due to buffer overflow
• Field length is intrinsic to a buffer overflow vulnerability and hard to evade
• However, there could be thousands of fields, so selecting the optimal field set is hard
[Figure: a protocol message whose over-long field overflows the vulnerable buffer]

Framework
[Figure: network tap → known worm filter → worm flow classifier → protocol classifier (TCP 25, TCP 53, TCP 80, ..., TCP 137, UDP 1434) → suspicious traffic pool → LESG → signatures; a real-time normal traffic reservoir (ICDCS06, INFOCOM06, TON 07) feeds a policy-driven normal traffic pool]

LESG Signature Generator
[Figure: internal structure of the LESG signature generator]

Evaluation Methodology
• Worm workload
 – Eight polymorphic worms created based on real-world vulnerabilities, including the CodeRed II and Lion worms
 – DNS, SNMP, FTP, SMTP
• Normal traffic data
 – 27GB from a university gateway and a 123GB email log

Results
• Single/multiple worms with noise
 – Noise ratio: 0~80%
 – False negative: 0~1% (mostly 0)
 – False positive: 0~0.01% (mostly 0)
• Pool size requirement
 – 10 or 20 flows are enough even with 20% noise
• Speed results
 – With 500 samples in the suspicious pool and 320K samples in the normal pool, for DNS: parsing 58 secs, LESG 18 secs

In Summary
• A novel network-based automated worm signature generation approach
 – Works for zero-day polymorphic worms with unknown vulnerabilities
 – First work that is both vulnerability-based and network-based, using length signatures for buffer overflow vulnerabilities
 – Provable attack resilience
 – Fast and accurate in experiments

EAP Authentication on Wireless Networks
• TLS provides mutual authentication and key exchange.
[Figure: protocol stack]
 Authentication primitive: Transport Layer Security (TLS)
 Authentication method layer: EAP-TLS, EAP-TTLS, PEAP, EAP-FAST
 EAP layer: Extensible Authentication Protocol (EAP)
 Data link layer: EAP over LAN (EAPOL), 802.11 WLAN

TLS Conversation (Successful)
• A TLS client and server negotiate a stateful connection using a handshake procedure.
[Figure: TLS handshake protocol between Server End and Client End]
 Server → Client: Hello Request
 Client → Server: Client Hello
 Server → Client: Server Hello, Server Certificate, Server Key-exchange message, Server Hello Done
 Client → Server: Client Key-exchange message, Change Cipher Spec, TLS Finished
 Server → Client: Change Cipher Spec, TLS Finished
 Encrypted conversation over TLS

TLS Conversation (Failed)
• On transmission or receipt of a fatal alert message, both parties immediately close the connection.
[Figure: failed TLS handshake between Server End and Client End]
 Server → Client: Hello Request
 Client → Server: Client Hello
 Server → Client: Server Hello, Server Certificate, Server Key-exchange message, Server Hello Done
 Client → Server: Client Key-exchange message, Change Cipher Spec, TLS Finished
 Error Alert (fatal level)
 Close_notify (from each side)

EAP-TLS - Vulnerability
• Sniffing to learn the client MAC address and IDs
 – Packets are in clear text before authentication
 – Regardless of whether WEP, WPA, or WPA2 is used
• Spoofing error messages
 – Before authentication is done, the attacker spoofs an alert message of level 'fatal', followed by a close_notify alert
 – The handshake protocol then fails and must be tried again
• Complete DoS attack
 – The attacker repeats the previous steps to stop all the retries
• Experiments with the Northwestern wireless network are in progress.

Conclusions
• Network-based zero-day polymorphic worm signature generation
• Vulnerability analysis of wireless network protocols: Mobile IP and EAP-TLS
• Close work with Motorola liaisons
 – Joint conference paper published, a journal paper submitted and a patent filed
• Completed prototype/implementation code accessible to Motorola under the agreement

Thank You!

Deployment of WAIDM
[Figure: (a) original configuration: users → 802.16 BS → switch/BS controller → Internet; (b) WAIDM deployed: the WAIDM system attached to the scan port of the switch/BS controller]
• Attached as a black box to a switch connecting the BSs
• Enables early detection and mitigation of global-scale attacks
• Could be a differentiator for Motorola's 802.16 products

Experiment in Lab
[Figure: Attacker positioned between Client End and Server End]
• We conducted a real-world experiment demonstrating the practicality of the attack on TLS by performing a DoS attack on Northwestern University's wireless network.
• Northwestern Wireless requires users to authenticate using PEAP (Protected EAP), which internally uses TLS 1.0 as the security method for authentication.
• The user provides his ID (NetID) and password, which are then verified at a backend Authentication Server.
• We used:
 – the libpcap library to sniff the channel
 – the lorcon library to set the parameters of the wireless network card and send spoofed messages
 – a Proxim Orinoco Gold wireless network adapter
 – MADWifi (madwifi-ng) drivers

EAP-TLS - Attack in Action
[Figure: message sequence among Attacker, Client End and Server End]
 Server → Client: Hello Request
 Client → Server: Client Hello
 Attacker → Client: Error Alert (fatal), Close_Notify
 Server → Client: Server Hello, Server Certificate, Server Key-exchange message, Certificate Request, Server Hello Done (arrives after the spoofed alerts)
• Simple attack: an error alert message of level 'fatal' followed by a close_notify alert

Potential Solutions
• Enhance the robustness of authentication protocols for wireless access
 – Delayed response
 » Wait a short time to allow multiple responses
 – Trust the good response
 » The attacker cannot ultimately pass authentication by always spoofing good responses
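The length-signature idea behind LESG (the "Basic Ideas", "Framework" and "In Summary" slides above), as an added worked example. This is not the authors' LESG code; it demonstrates the core mechanism in a reduced form: a buffer-overflow exploit must carry an over-long protocol field, so a clause of the form "length(field) > threshold" holds across polymorphic payloads, and thresholds taken from a pool of normal traffic give zero false positives on that pool even when the suspicious pool contains noise. The HTTP field parser, the field names, the greedy coverage cutoff and all sample requests (including the CodeRed-style worm variants) are assumptions constructed for this example.

```python
"""Length-based worm signature generation over HTTP request fields.

Added example, not the authors' LESG implementation. The parser, field
names, sample traffic and coverage cutoff are assumptions made here.
"""
from collections import defaultdict


def http_field_lengths(msg):
    """Parse one HTTP request into named fields and return {field: length}."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    fields = {}
    start = lines[0].split(b" ", 2)
    if len(start) == 3:
        fields["request.method"] = len(start[0])
        fields["request.uri"] = len(start[1])
        fields["request.version"] = len(start[2])
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            key = "header." + name.strip().lower().decode("ascii", "replace")
            fields[key] = len(value.strip())
    fields["body"] = len(body)
    return fields


def generate_length_signatures(suspicious, normal, min_coverage=0.2):
    """Greedy length-signature generation.

    suspicious / normal are lists of {field: length} dicts.  A clause
    (field, threshold) matches a flow whose field is longer than threshold.
    The threshold is the longest value of that field in the normal pool, so a
    clause can never match a flow from that pool; only fields that occur in
    normal traffic are candidates, so every clause has a baseline.  Clauses
    are picked by how much of the suspicious pool they cover, which tolerates
    noise: a normal flow mixed into the suspicious pool never exceeds the
    normal maximum and so never produces a clause.
    """
    normal_max = defaultdict(int)
    for flow in normal:
        for name, length in flow.items():
            normal_max[name] = max(normal_max[name], length)

    remaining = set(range(len(suspicious)))
    signature = []
    while remaining:
        best = None
        for name in sorted(normal_max):           # sorted: deterministic tie-break
            threshold = normal_max[name]
            covered = {i for i in remaining if suspicious[i].get(name, 0) > threshold}
            coverage = len(covered) / len(suspicious)
            if coverage >= min_coverage and (best is None or coverage > best[2]):
                best = (name, threshold, coverage, covered)
        if best is None:
            break                                  # leftover flows are noise
        signature.append((best[0], best[1]))
        remaining -= best[3]
    return signature


def matches(fields, signature):
    """A flow matches the signature if any clause's field is over-long."""
    return any(fields.get(name, 0) > threshold for name, threshold in signature)


# Constructed normal traffic (assumption): longest URI is 26 bytes.
NORMAL_REQUESTS = [
    b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /cgi-bin/login.pl HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 26\r\n\r\n"
    b"user=alice&password=secret",
    b"GET /docs/manual/section3.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

# Constructed polymorphic variants (assumption): same overflowing URI field,
# different filler bytes and lengths, modelled loosely on CodeRed's .ida request.
WORM_VARIANTS = [
    b"GET /default.ida?" + bytes([0x41 + i]) * (200 + 7 * i)
    + b"%u9090=a HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    for i in range(8)
]


def demo_signature():
    """Build the signature from a suspicious pool with 20% normal-flow noise."""
    normal = [http_field_lengths(m) for m in NORMAL_REQUESTS]
    suspicious = [http_field_lengths(m) for m in WORM_VARIANTS + NORMAL_REQUESTS[:2]]
    return generate_length_signatures(suspicious, normal)


if __name__ == "__main__":
    sig = demo_signature()
    print("signature:", sig)
    print("worm hits:", sum(matches(http_field_lengths(m), sig) for m in WORM_VARIANTS))
    print("normal hits:", sum(matches(http_field_lengths(m), sig) for m in NORMAL_REQUESTS))
```

The single clause it produces, `("request.uri", 26)`, matches all eight variants and an unseen ninth one with entirely different filler, because the overflow length, not the payload bytes, is what the clause keys on. The zero-false-positive property is relative to the normal pool: a legitimate field length that the pool never sampled can still be flagged, which is why the slides tie the normal pool to a continuously refreshed, policy-driven reservoir.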
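The spoofed-alert DoS from the "EAP-TLS - Vulnerability" and "Attack in Action" slides, together with the "delayed response / trust the good response" mitigation from "Potential Solutions", as an added example that is not the authors' experiment code. It builds the two TLS 1.0 alert records the attacker injects (fatal handshake_failure, then close_notify; record and alert values are the RFC 2246 ones) and feeds a constructed arrival trace to two client policies: the standard one, which tears the handshake down on the first fatal alert, and a deferred-alert policy that holds an unauthenticated alert for a short grace window and discards it if the server's real flight arrives in time. The trace timings, the grace window and the exact form of the deferral policy are assumptions made here; the slides only sketch the idea.

```python
"""Spoofed TLS alert during an EAP-TLS/PEAP handshake: standard vs. deferred-alert client.

Added example, not the authors' code.  Record layout and numeric values follow
TLS 1.0 (RFC 2246); the trace, grace window and deferral policy are assumptions.
"""
ALERT, HANDSHAKE = 21, 22                 # TLS ContentType
WARNING, FATAL = 1, 2                     # AlertLevel
CLOSE_NOTIFY, HANDSHAKE_FAILURE = 0, 40   # AlertDescription
SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE = 2, 11, 12
CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 13, 14
# Server flight the client expects after its ClientHello (as drawn on the slide).
SERVER_FLIGHT = (SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE,
                 CERTIFICATE_REQUEST, SERVER_HELLO_DONE)


def tls_record(content_type, body, version=(3, 1)):
    """TLSPlaintext: type(1) | version(2) | length(2) | body."""
    return bytes([content_type, *version]) + len(body).to_bytes(2, "big") + body


def alert_record(level, description):
    return tls_record(ALERT, bytes([level, description]))


def handshake_record(hs_type, payload=b""):
    """Handshake: msg_type(1) | length(3) | body.  Bodies are left empty here."""
    return tls_record(HANDSHAKE, bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload)


def parse_record(raw):
    """Return (content_type, body); raise ValueError on a malformed record."""
    if len(raw) < 5:
        raise ValueError("short record")
    ctype, length = raw[0], int.from_bytes(raw[3:5], "big")
    body = raw[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return ctype, body


def run_client(trace, defer_alerts=False, grace_ms=100):
    """Feed (arrival_ms, record) pairs to a client that has just sent ClientHello.

    Nothing in the trace identifies the sender: before the Finished messages the
    alert is neither encrypted nor authenticated, which is exactly what the
    attacker relies on.  defer_alerts=False is RFC 2246 behaviour: a fatal
    alert (or close_notify) ends the connection at once.  defer_alerts=True
    holds such an alert for grace_ms; if a message of the expected server
    flight arrives inside the window the good response is trusted and the
    alert dropped, otherwise the client aborts as it normally would.
    """
    progress = 0          # index of the next expected SERVER_FLIGHT message
    pending = None        # (arrival_ms, description) of a deferred alert
    for t_ms, raw in trace:
        if pending is not None and t_ms - pending[0] > grace_ms:
            return ("aborted", f"alert {pending[1]} unanswered after {grace_ms} ms")
        ctype, body = parse_record(raw)
        if ctype == ALERT:
            level, desc = body[0], body[1]
            if level != FATAL and desc != CLOSE_NOTIFY:
                continue                       # other warnings do not end the connection
            if not defer_alerts:
                return ("aborted", f"alert {desc} at {t_ms} ms")
            if pending is None:
                pending = (t_ms, desc)
        elif (ctype == HANDSHAKE and progress < len(SERVER_FLIGHT)
              and body[0] == SERVER_FLIGHT[progress]):
            progress += 1
            pending = None                     # good response in time: trust it
            if progress == len(SERVER_FLIGHT):
                return ("server_flight_complete", t_ms)
        # out-of-order handshake types and other content types are ignored here
    if pending is not None:
        return ("aborted", f"alert {pending[1]} unanswered")
    return ("waiting", progress)


# What the attacker sends on the slide: fatal alert, then close_notify.
SPOOFED_ALERTS = [alert_record(FATAL, HANDSHAKE_FAILURE), alert_record(WARNING, CLOSE_NOTIFY)]


def attack_trace():
    """Constructed timeline (assumption): spoofed alerts at 5 and 6 ms, real server flight from 40 ms."""
    trace = [(5, SPOOFED_ALERTS[0]), (6, SPOOFED_ALERTS[1])]
    trace += [(40 + 10 * i, handshake_record(h)) for i, h in enumerate(SERVER_FLIGHT)]
    return trace


if __name__ == "__main__":
    print("spoofed fatal alert bytes:", SPOOFED_ALERTS[0].hex())
    print("standard client:", run_client(attack_trace()))
    print("deferred-alert client:", run_client(attack_trace(), defer_alerts=True))
    print("deferred, window too short:", run_client(attack_trace(), defer_alerts=True, grace_ms=20))
```

The standard client dies on the 7-byte alert `15 03 01 00 02 02 28` before the real ServerHello even arrives, which is the whole attack. The deferred client completes the server flight, and a genuine server-originated fatal alert with no follow-up still aborts once the window expires, so the mitigation delays legitimate error handling rather than removing it. The price is the window itself: set it shorter than the server's round trip (the 20 ms case) and the client aborts anyway, so the value has to be tuned to the access network's latency.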