
Forensics and Management Challenges in Wireless and Mobile Network Environments

Forensics and Management Challenges in Wireless and Mobile Network Environments. A dissertation outline presented by Sookhyun Yang. Advisor: Jim Kurose. Wireless and Mobile Network Trends: proliferation of smartphones, laptops, tablets, and M2M devices.


Presentation Transcript


  1. Forensics and Management Challenges in Wireless and Mobile Network Environments. A dissertation outline presented by Sookhyun Yang. Advisor: Jim Kurose.

  2. Wireless and Mobile Network Trends • Proliferation of smartphones, laptops, tablets, and M2M devices. • # of broadband wireless/devices > # of wired PCs and servers. • By 2016, wireless/mobile devices will account for 61% of IP traffic. • Profoundly changing many characteristics of network applications, protocols, and operation.

  3. Wireless and Mobile Characteristics. The broadcast nature of wireless communication enables nearby nodes to overhear; the openness of wireless communication exposes it to misuse; and mobility management becomes more complicated as users employ multiple devices and multiple networks.

  4. Thesis Contributions • Wireless and mobile forensics • Detecting forwarding misbehavior in a wireless ad hoc network • Disambiguating wired and wireless access in a forensic setting • Mobility management • User transitioning among networks – a measurement and modeling study • Communication-efficient group mobility via indirection: approach and analysis

  5. Wireless and Mobile Forensics. Problem: identifying a malicious node during data forwarding in a wireless ad hoc network. [Figure: a wireless ad hoc network, illustrating (1) the broadcast nature of wireless communication.]

  6. Wireless and Mobile Forensics. Problem: remotely and legally determining the geographic location of a network misuser from the perspective of law enforcement. [Figure: law enforcement facing (1) the broadcast nature of wireless communication in a wireless ad hoc network and (2) the openness of an AP.]

  7. Mobility Management. Problem: measurement and modeling study of the user location tracking workload. [Figure: a multihomed or multi-device-carrying user transitioning among networks (UMass → Verizon): the laptop is connected to UMass, then the smartphone is connected to Verizon, and the UMass, Verizon and AT&T networks must track the user's location.]

  8. Mobility Management. Problem: handling group mobility via indirection. [Figure: MobilityFirst architecture (routing, location tracking, mobility management) over the UMass, Verizon and AT&T networks, with single-homed users, multihomed or multi-device-carrying users transitioning among networks, and (3) group mobility; what is the workload model?]

  9. Outline • Introduction • Wireless/Mobile forensics • Detection of forwarding misbehavior in a wireless ad hoc network • Disambiguation of wired and wireless access in a forensic setting • Mobility management • User transitioning among networks – a measurement and modeling study • Communication-efficient group mobility indirection • Conclusions and Future Work

  10. Problem Statement. Reliable hop-by-hop data forwarding in a wireless ad hoc network: on the path S-A-B-C-D (S = source, D = destination) each hop sends data and returns an ack. Question: how can we verify that node B correctly forwards the frame to C on the S-A-B-C-D path?

  11. Neighborhood Watch [Marti00]. A witness node W within node B's transmission range overhears the data B forwards to C. Decision accuracy can be low due to link reliability, or evidence faking!

  12. Data-path-based Detection [Huan05]. Node A judges B from the ACKs returned along the data path A-B-C. Decision accuracy is also low, for the same reasons!

  13. Our Work: Witness-based Detection. Node A knows “what” message B should forward to “whom.” Tamper-proof evidence is produced by a witness node W (within B's and C's transmission ranges) and by C, and is returned to A via reliable transmission over multiple paths by multiple witness nodes, including node C.

  14. Tamper-proof Evidence. Using public key cryptography: Claim #1, signed with B's private key: “I (node B) sent data to C.” Claim #2, signed with W's or C's private key: “I (W or C) overheard or received that B sent data to C.” B transmits the data together with B's claim; C returns the ACK with C's claim and B's claim; W returns B's claim + W's claim to A.

  15. Example of B's Forwarding Misbehavior. Suppose that “only” node B is compromised. B's claim says “I (node B) sent data to C,” but B actually sends the data + B's claim to X. Witness W reports: “But I (node W) overheard that B sent data to X!” Node A receives W's claim together with B's claim: inconsistent evidence.

  16. What if Node W or C is Compromised? A compromised witness W1 badmouths B and produces evidence inconsistent with B's claim, while W2 and C produce consistent evidence. If there is at least one uncompromised node, node A can distinguish who is bad (assuming no collusion).

  17. Other Threat Scenarios Considered • Forwarding misbehavior attacks • Packet drop, packet reorder, message corruption, power control, fake forwarding, and route deviation • Multiple nodes (B, C, or W) without collusion are compromised. • If there is at least one uncompromised node (C or W), node A can distinguish who is bad. • Multiple compromised nodes (B, C, or W) collude. • If there is at least one uncompromised node (C or W), node A cannot distinguish who is bad but can expose the existence of compromised nodes.
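As an added illustration (not code from the dissertation), the following Go program models slides 14 to 17: each claim is an ed25519-signed statement, and node A's decision is the rule assumed here (trust the receiver named by the most verifiable W/C claims, since non-colluding compromised nodes cannot agree on a false one; a tie is reported as inconclusive). Keys derived from node names stand in for pre-distributed public keys.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Claim: "Signer asserts that B forwarded frame Seq to Receiver". MakeClaim signs it with
// the signer's ed25519 key (the tamper-proof part); verify checks it with the public key.
type Claim struct{ Signer, Receiver string; Seq uint32; Sig []byte }
func (c Claim) payload() []byte { return []byte(fmt.Sprintf("%s: B sent #%d to %s", c.Signer, c.Seq, c.Receiver)) }
// KeyFor stands in for pre-distributed keys: a constructed pair derived from the node name (demo only).
func KeyFor(name string) ed25519.PrivateKey { return ed25519.NewKeyFromSeed([]byte(fmt.Sprintf("%-32s", name))) }
func MakeClaim(signer, receiver string, seq uint32) Claim {
	c := Claim{Signer: signer, Receiver: receiver, Seq: seq}
	c.Sig = ed25519.Sign(KeyFor(signer), c.payload())
	return c
}
func verify(c Claim) bool { return ed25519.Verify(KeyFor(c.Signer).Public().(ed25519.PublicKey), c.payload(), c.Sig) }

// Judge is node A's rule as assumed here: drop claims that fail verification, then trust the
// receiver named by the most W/C claims (non-colluding compromised nodes cannot agree on a
// false one). A tie, or no verifiable W/C claim at all, is reported as inconclusive.
func Judge(b Claim, others []Claim) (suspects []string, conclusive bool) {
	votes := map[string][]string{} // receiver -> signers asserting it
	for _, c := range others {
		if c.Seq == b.Seq && verify(c) {
			votes[c.Receiver] = append(votes[c.Receiver], c.Signer)
		}
	}
	best, n := "", 0
	for r, s := range votes {
		if len(s) > n {
			best, n = r, len(s)
		} else if len(s) == n {
			best = "" // tie between receivers
		}
	}
	if !verify(b) || (best != "" && best != b.Receiver) {
		return []string{"B"}, true // B's claim forged, or contradicted by W (slide 15)
	}
	if best == "" {
		return nil, false
	}
	for r, s := range votes {
		if r != best {
			suspects = append(suspects, s...) // slide 16: a badmouthing W or C
		}
	}
	return suspects, true
}
```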

  18. Detection Accuracy in Lossy Links. Our analytic model uses: ploss, the loss probability that a node fails to receive or overhear a packet from its one-hop neighbor; pc, the probability that a node is compromised (= 0.5); Λ, the expected number of witness nodes, based on a 2D Poisson distribution.

  19. Numerical Results. As the density of witness nodes grows, detection accuracy improves.

  20. Conclusions and Future Work • Conclusions • Witness-based detection supports error-free detection under various threat scenarios in reliable links. • Using an analytical model, we showed that our scheme can support low FPP and low FNP even in lossy wireless links. • This work appeared in IEEE Workshop on Wireless Mesh Networks 2010.

  21. Outline • Introduction • Wireless/Mobile forensics • Detecting forwarding misbehavior in a wireless ad hoc network • Disambiguating wired and wireless access in a forensic setting • Mobility management • User transitioning among networks – a measurement and modeling study • Communication-efficient group mobility indirection • Conclusions and Future Work

  22. Illegal content distributed via P2P from a known location. Step 1: a law enforcement peer in the P2P network obtains the public IP address of the illegal content distributor (e.g., CP). Step 2: a subpoena yields the sender's known location, but the resident says “Someone used my open Wi-Fi!” Wired or wireless access? Challenge: “Can we legally determine that a suspect used wired access, thus making the resident user more likely to be a responsible party?”

  23. Can We Intercept Data at Intermediate Nodes? (Data interception via a sniffer at a router between the illegal content distributor's wireless router and the peer.) No, law enforcement cannot legally take traces at intermediate nodes without a warrant: there is a reasonable expectation of privacy (REP) for the sources of data, under the Wiretap Act, the Pen Register statute and US 4th Amendment protections.

  24. Can We Intercept Data as a Peer? (Law enforcement joins the P2P network as a peer of the illegal content distributor.) Yes, measurements taken at a peer, before a warrant, are legal! Users of P2P file sharing networks have no “reasonable expectation of privacy”; law enforcement software that monitors P2P activity does not violate US 4th Amendment protections.

  25. Our Problem Setting. Challenge: can we classify the access network type of a target sender using remotely measured P2P traces? [Figure: law enforcement peer, P2P network over the Internet, cable network, cable modem, then either Ethernet or a Wi-Fi AP to the target: wired access?] Complexities in this forensic setting: hidden and unknown residential factors can affect classification results.

  26. Investigating Diverse Factors in P2P Traces in Controlled Settings. We remotely collect pairs of wired and wireless datasets at UMass and Purdue servers, over the Internet, from a target device in houses near UMass (behind a Wi-Fi AP and a cable modem). Factors investigated: host side vs. cable network; single full-rate TCP flow vs. multiple TCP flows; 802.11g vs. 1 Gbps Ethernet; Linux vs. Windows XP, …; cable network effect (different times and houses). A wired sniffer less than 1 m from the target device (the worst case) takes measurements to help us explain/understand classification, but we do NOT use them in classification.

  27. Classification Procedures • Classification features investigated: • 25th, 50th and 75th percentiles and entropy of the packet inter-arrival time distribution of each dataset. • We train and cross-validate decision tree, logistic regression, SVM, and EM classifiers. • Classification performance metrics: • TPR (True Positive Rate). • FPR (False Positive Rate). • FPR≤0.10 and 0.90≤TPR are acceptable classification results.
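An added example, not the authors' classifier code: the feature extraction slide 27 describes, computed in Go from packet arrival timestamps. The nearest-rank percentile definition and the histogram bin width used for the entropy are assumptions, since the slides do not state them.

```go
package main

import (
	"math"
	"sort"
)

// Features of one flow's packet inter-arrival time (IAT) distribution, as listed on
// slide 27: three percentiles plus the entropy of the IAT histogram.
type Features struct{ P25, P50, P75, Entropy float64 }
// InterArrivals turns packet arrival timestamps into the IAT sequence (same unit).
func InterArrivals(ts []float64) []float64 {
	iat := make([]float64, 0, len(ts))
	for i := 1; i < len(ts); i++ {
		iat = append(iat, ts[i]-ts[i-1])
	}
	return iat
}
// percentile uses the nearest-rank method on an ascending slice (an assumption).
func percentile(sorted []float64, p float64) float64 {
	rank := int(math.Ceil(p * float64(len(sorted))))
	if rank < 1 {
		rank = 1
	}
	return sorted[rank-1]
}

// Extract computes the four features; bin is the histogram bin width (same unit as
// the timestamps) used for the entropy, also an assumption of this example.
func Extract(iat []float64, bin float64) Features {
	if len(iat) == 0 {
		return Features{}
	}
	sorted := append([]float64(nil), iat...)
	sort.Float64s(sorted)
	hist := map[int]int{}
	for _, v := range iat {
		hist[int(math.Floor(v/bin))]++
	}
	h := 0.0
	for _, c := range hist {
		p := float64(c) / float64(len(iat))
		h -= p * math.Log2(p) // Shannon entropy in bits
	}
	return Features{percentile(sorted, .25), percentile(sorted, .5), percentile(sorted, .75), h}
}

// Acceptable applies slide 27's threshold to a classifier's measured TPR and FPR.
func Acceptable(tpr, fpr float64) bool { return fpr <= 0.10 && tpr >= 0.90 }
```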

  28. Multiple Flows Classification Results. Multiple-flow cases can show acceptable results, but in single-flow cases accurate classification is difficult. • Key insight: in the acceptable results, packet inter-arrival times were not significantly changed by the cable network access protocol or the network. • (In [1], we have a model to explain why and how the classifier works reliably.) [1] Tech. Rep. UM-CS-2013-001, Dept. of CS, UMass Amherst.

  29. Conclusions and Open Questions • Conclusions • Trace-gathering method based on current US law. • Through extensive experimentation, we determined scenarios where our classifier works reliably. • Open questions • Other hidden or unknown residential factors such as 802.11n, Mac OS, and multiple flows across multiple sites • Long-term traces • This work recently appeared in INFOCOM mini-conference 2013.

  30. Outline • Introduction • Wireless/Mobile forensics • Detecting forwarding misbehavior in a wireless ad hoc network • Disambiguating wired and wireless access in a forensic setting • Mobility management • User transitioning among networks – a measurement and modeling study • Communication-efficient group mobility indirection • Conclusions and Future Work

  31. Problem Statement • Motivation: new user mobility model • User uses multiple networks with multiple devices (or NICs). • User transitions among networks across different ISPs. • Mobility in network (i.e., user’s network transitioning) differs from physical human mobility. • Our problem • We characterize user’s transitioning among networks via a measurement and modeling study. • We thus give insight into user-location tracking workload model for new name/location resolution protocols.

  32. Our Traces • IMAP servers in UMass CS • IMAP access log: a user's account ID, timestamp, and a client-side IP address • Conservative estimate of a user's network access • Monitors a user's multiple devices across different ISPs • 3 months (April-to-July 2013) • 70 users, mostly consisting of UMass CS faculty and staff members • 398 unique IP prefixes, 183 unique ASes

  33. User Location Tracking Workload • User characteristics of interest: • Network residency time • Degree of multihoming • Network transitioning rate

  34. Network Residency Time (over all users). Users spend 70% to 90% of their time in a small number of ASes. From a network-level point of view, the workload of updating new inter-domain-level routing paths (vs. the resident-network update rate) might not be that heavy. AS categories: Home (Comcast Cable, Verizon Online, Charter Communications, Hughes Network ASes); Work (Five College AS, including UMass networks); Mobile access (Verizon Wireless, AT&T Wireless, Sprint Wireless ASes); MISC.

  35. Network Residency Time (individual). Approx. 75% of users spend between 90 and 100% of their time in their top three ASes. [Figure: user distribution.]

  36. Contemporaneous Connectivity. From a network-level point of view, multiple locations need to be tracked simultaneously for a user's location tracking. 80% of users were connected to more than one AS within 15 mins, and 98% of these multiple-AS connections consisted of “two” ASes. [Figure: user distribution of the fraction of multiple-AS-connection time to network usage time.]

  37. Contemporaneous connectivity: which networks? • Case #1: physically different location or VPN access (22%). • Comcast cable ASes and Five College AS • Case #2: transitions in the same ISP (8%). • Free Mobile SAS ASes • Case #3: a user carrying multiple devices or NICs (46%). • Comcast cable AS and Verizon Wireless AS, Five College AS and AT&T AS, Charter AS and AT&T AS, etc.

  38. Network Transition Rate (over all users). Users change their networks at least once a day, and 50% of transitions happen within 15 mins. [Figure: distribution of the time between transitions, marked at 15 mins and 16 hours.]

  39. User Network Transition Model. Discrete-time Markov model of an individual user whose state is (# of currently connected networks, # of new networks), with states such as (0,0), (1,0), (1,1), (2,0), (2,1), (2,2), …. Example: the networks observed in consecutive time slots t-1: A, A, A; t: A, B; t+1: A, B, A, A; t+2: C, A, B (the figure labels the states (1,0), (2,0) and (3,1) for the slots A, A, A; A, B, A, A; and C, A, B). Goal: characterize location tracking signaling overhead using a parsimonious Markov chain model of an individual user.
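An added example (not from the dissertation) that turns per-slot network observations into the Markov states described above and counts the state transitions. Reading the state as (networks connected in the slot, networks not seen in the previous slot) is inferred from the slide's example and is an assumption.

```go
package main

// State of the discrete-time Markov model on slide 39, read here as (number of networks
// the user is connected to in a time slot, number of those not seen in the previous slot).
type State struct{ Connected, New int }

// SlotState derives a slot's state from its networks and the previous slot's networks;
// a network observed several times within one slot counts once.
func SlotState(prev, cur []string) State {
	old, seen := map[string]bool{}, map[string]bool{}
	for _, n := range prev {
		old[n] = true
	}
	var s State
	for _, n := range cur {
		if !seen[n] {
			seen[n] = true
			s.Connected++
			if !old[n] {
				s.New++
			}
		}
	}
	return s
}

// StateSequence maps per-slot observations (e.g. the networks behind the client IPs in
// the IMAP log) to states; the first slot has no predecessor, so all its networks are new.
func StateSequence(slots [][]string) []State {
	var prev []string
	out := make([]State, 0, len(slots))
	for _, cur := range slots {
		out = append(out, SlotState(prev, cur))
		prev = cur
	}
	return out
}

// Transitions counts state-to-state moves; count / row total is the empirical probability.
func Transitions(states []State) map[State]map[State]int {
	t := map[State]map[State]int{}
	for i := 1; i < len(states); i++ {
		if t[states[i-1]] == nil {
			t[states[i-1]] = map[State]int{}
		}
		t[states[i-1]][states[i]]++
	}
	return t
}
```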

  40. Location Tracking Workload. Our model is a good fit to the empirical distribution (based on the Chi-square goodness-of-fit test at the 5% significance level). [Figure: number of location tracking messages generated by 70 users.]

  41. Conclusions We performed a measurement study of user transitioning among networks. We discussed insights and implications of the measurements. This work is submitted to IEEE INFOCOM 2014.

  42. Outline • Introduction • Wireless/Mobile forensics • Detecting forwarding misbehavior in a wireless ad hoc network • Disambiguating wired and wireless access in a forensic setting • Mobility management • User transitioning among networks – a measurement and modeling study • Communication-efficient group mobility indirection • Conclusions and Future Work

  43. Overview of MobilityFirst Architecture. 1. User or content: globally unique and flat (location-independent) ID (GUID). 2. Global name and location resolution service (GNRS): logically centralized but geographically distributed GUID-to-network-address translation. 3. Hierarchical structure: routing, location tracking, mobility management.

  44. Location Tracking in MobilityFirst. When a GUID moves from network T1 to network T2, the GNRS entry changes from GUID -> T1 (“GUID is connected to T1.”) to GUID -> T2 (“GUID is connected to T2.”). Hierarchical mobility management: the GNRS only keeps track of the GUID's transitioning among networks.

  45. Problem Statement: Group Mobility. Group mobility: a group of GUIDs move to a network simultaneously, e.g., a social group such as a family or faculty, a group of users in the same transportation, or a multiple-device-carrying user. Each member then updates the GNRS separately (“GUID1 is connected to T2.” “GUID2 is connected to T2.” “GUID3 is connected to T2.” …). Question: how can we efficiently handle such group mobility?

  46. Group Mobility Indirection. The GNRS stores an aggregate GUID for the group, aGUID -> {GUID1, GUID2, …}, and a single location entry, aGUID -> T2 (“aGUID is connected to T2.”), instead of one entry per member.

  47. Group Splitting and Joining. aGUID -> {GUID1, GUID2, …, GUID5, …}, but GUID5 says “But I am at T1!” while GUID1 and GUID2 say “We are at T2!”: aGUID -> ???

  48. Should all the networks be tracked? aGUID -> {GUID1, GUID2, …, GUID5, …}; aGUID -> T1 and T2? A sender wants to send data to GUID5. Tradeoff between data and control communication overhead: aGUID is communication-efficient if “only one” network is tracked.

  49. What group member should be tracked to maximize aGUID performance? • Random algorithm • N-step look-ahead algorithm • Follow-the-largest algorithm

  50. Follow-the-Largest Algorithm. aGUID -> {GUID1, GUID2, …, GUID5, …}. [Figure: the aGUID entry follows the leader (the largest sub-group), changing from aGUID -> T2 to aGUID -> T3, alongside individual entries GUID5 -> T1 and GUID1 -> T2.]
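An added example, not MobilityFirst or the dissertation's code, of the follow-the-largest rule from slides 46 to 50 in Go: the aGUID entry follows the largest sub-group and members elsewhere keep individual entries. That representation, and the name-based tie-break, are assumptions.

```go
package main

// GroupMapping is the GNRS state for an aggregate GUID under follow-the-largest, in the
// form assumed here: aGUID points at the network holding the largest sub-group, and
// members elsewhere keep an individual GUID -> network entry (slide 50's GUID5 -> T1).
type GroupMapping struct {
	Tracked    string            // network the aGUID entry points at
	Exceptions map[string]string // member GUID -> network, for members not at Tracked
}

// FollowTheLargest picks the tracked network from the members' current networks.
// Ties are broken by network name so the choice is deterministic (an assumption).
func FollowTheLargest(members map[string]string) GroupMapping {
	count := map[string]int{}
	for _, n := range members {
		count[n]++
	}
	best := ""
	for n, c := range count {
		if best == "" || c > count[best] || (c == count[best] && n < best) {
			best = n
		}
	}
	gm := GroupMapping{Tracked: best, Exceptions: map[string]string{}}
	for g, n := range members {
		if n != best {
			gm.Exceptions[g] = n
		}
	}
	return gm
}

// Resolve answers a sender's lookup for a member GUID (slide 48): the member's own
// entry if it has one, otherwise the group's tracked network.
func (gm GroupMapping) Resolve(guid string) string {
	if n, ok := gm.Exceptions[guid]; ok {
		return n
	}
	return gm.Tracked
}

// ControlEntries compares GNRS state: one entry per member without indirection
// (slide 45) versus one aGUID entry plus the exceptions (slides 46 to 48).
func ControlEntries(members map[string]string) (perGUID, withAGUID int) {
	return len(members), 1 + len(FollowTheLargest(members).Exceptions)
}
```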
