Evaluating the Vulnerability of Network Traffic Using Joint Security and Routing Analysis
Patrick Tague, David Slater, and Radha Poovendran
Network Security Lab, Dept. of Electrical Engineering, University of Washington, Seattle, WA
In collaboration with: Jason Rogers, Naval Research Laboratory
Outline
• Impact of Routing on Security in Ad Hoc Networks
• Identifying Cross-Layer Vulnerabilities
• Quantifying Cross-Layer Vulnerabilities
• Examples/Applications
NSA Protocol eXchange Meeting – January 24, 2008, Navy Postgraduate School, Monterey, CA
Securing Network Assets
• Denial of Service Attacks
• Resource Depletion Attacks
• Performance Degradation Attacks
• Crypto Attacks
How do we understand the impact of these attacks?
Challenges in Establishing Ad Hoc Network Security
• Ad hoc networks consist of resource-constrained nodes with no global network view
• Network protocols rely on local information and peer cooperation
• Security is established per-hop (i.e. link security) between neighboring nodes
Impact of Locality Constraints
• Per-hop security properties may not extend globally
• Data routed over multiple hops may traverse links that are vulnerable to attack
• How to evaluate confidentiality and/or integrity (C/I) of data traversing numerous links with differing security properties?
• Does the global exchange of data in networks using per-hop security weaken C/I? What vulnerabilities are introduced?
Goals of this Work
• Investigate the impact of routing on data security built on per-hop security
• Characterize and quantify the strength (or weakness) of data security in multi-hop networks
• Provide a basis for joint evaluation of security and routing protocols with respect to cross-layer network vulnerabilities
Impact of Routing on Security
• Example 1: Fixed single-path routing
• Binary characterization of data security, i.e. either secure or insecure
[Figure: s-d flow carried over a single path]
Compromise of a single link leads to recovery of all data.
Impact of Routing on Security
• Example 2: Fixed multi-path routing
• M-ary (fractional) metric for data security
• 2^M possible values for data security
[Figure: s-d flow split over two paths, carrying fraction f and fraction (1-f) of the data]
Compromise of a single link leads to recovery of a fraction of data.
Impact of Routing on Security
• Example 3: Fixed multi-path routing with dependent packets (threshold sharing, network coding, etc.)
[Figure: s-d flow split over multiple paths carrying dependent packets]
Compromise of a single link leads to no data recovery.
How to model routing/security interactions and provide a unified characterization of data security for arbitrary topologies and routing protocols?
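The three routing examples above differ only in how much of the s-d data an adversary recovers from a given set of compromised links. The following toy model, added here as an illustration and not part of the original slides, makes that difference concrete: it evaluates one constructed topology (three edge-disjoint two-hop paths) under single-path routing, fractional multi-path routing, and 2-of-3 threshold sharing for the same compromised-link sets. Path and link names, the data split, and the threshold parameters are all assumptions of this example.

```python
"""Toy data-recovery model for the three routing examples on the slides.

Added example, not code from the original presentation.  A flow from s to d
is described by its paths; each path is a tuple of link identifiers.  An
adversary who has compromised a set of links can read whatever travels over
any path containing one of those links.  The topology below (three
edge-disjoint two-hop paths e1-e2, e3-e4, e5-e6) is constructed for this
example.
"""
from fractions import Fraction
from typing import Dict, Sequence, Set, Tuple

Path = Tuple[str, ...]

# Constructed sample topology: three disjoint paths from s to d.
PATHS: Tuple[Path, ...] = (("e1", "e2"), ("e3", "e4"), ("e5", "e6"))


def path_hit(path: Path, compromised: Set[str]) -> bool:
    """True if any link on the path is in the compromised set."""
    return any(link in compromised for link in path)


def single_path_recovery(path: Path, compromised: Set[str]) -> Fraction:
    """Example 1 (fixed single-path routing): binary outcome.  All data
    rides one path, so a single compromised link on it exposes everything."""
    return Fraction(1) if path_hit(path, compromised) else Fraction(0)


def multi_path_recovery(shares: Dict[Path, Fraction], compromised: Set[str]) -> Fraction:
    """Example 2 (fixed multi-path routing): fractional outcome.  Each path
    carries an independent fraction of the data; the adversary recovers the
    sum of the fractions on the paths it has hit."""
    return sum((f for p, f in shares.items() if path_hit(p, compromised)), Fraction(0))


def threshold_recovery(paths: Sequence[Path], k: int, compromised: Set[str]) -> Fraction:
    """Example 3 (dependent packets, k-of-n threshold sharing): nothing is
    recoverable until at least k of the n share-carrying paths are hit."""
    hits = sum(1 for p in paths if path_hit(p, compromised))
    return Fraction(1) if hits >= k else Fraction(0)


def evaluate(compromised: Set[str]) -> Dict[str, Fraction]:
    """Recovered fraction of the s-d data under each routing strategy for
    one compromised-link set (data split 1/2, 1/4, 1/4 in example 2; 2-of-3
    threshold sharing in example 3)."""
    shares = {PATHS[0]: Fraction(1, 2), PATHS[1]: Fraction(1, 4), PATHS[2]: Fraction(1, 4)}
    return {
        "single_path": single_path_recovery(PATHS[0], compromised),
        "multi_path": multi_path_recovery(shares, compromised),
        "threshold_2_of_3": threshold_recovery(PATHS, 2, compromised),
    }


if __name__ == "__main__":
    for links in ({"e2"}, {"e5"}, {"e1", "e5"}):
        print(sorted(links), {k: str(v) for k, v in evaluate(links).items()})
```

Running it shows the three characterizations side by side: losing link e2 exposes all of the single-path data, half of the fractional multi-path data, and none of the threshold-shared data; only after two of the three paths are hit does the threshold scheme fail, and then it fails completely.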
Modeling Interactions between Routing and Security
• Gsd – labeled, directed graph representing data flow from s to d
• LSi – level of security provided by link i
  • Function of node capabilities, crypto protocol, etc.
  • Varies between links
  • Varies over time (e.g. decreases with attack)
[Figure: Gsd, the s-d flow graph with its links labeled LS1 … LS8]
Route Vulnerability Metric
• Characterize data (in)security
• V(Gsd) – the route vulnerability of the s-d flow
• Relative to a reference state G0sd (e.g. prior to attack)
• Varies continuously from V(G0sd) = 0 to V(Gsd) = 1 as the attack progresses
Defining Route Vulnerability
• Compose the labeled graph Gsd into an overall measure of data security
  • Metric units are the same as the link labels
  • Ex: if link labels represent the number of shared keys securing the link, data security is an equivalent number of shared keys
• Transform the data security measure to satisfy the requirements of route vulnerability
How do we define a composition rule for overall data security as a function of Gsd?
Composition: Step I
[Figure: s-d flow graph with an edge cut separating s from d]
Claim: All data in an s-d flow is compromised if and only if an edge cut of links in the s-d flow is compromised.
Composition - Step I: Map the routing topology to a collection of edge cuts (noting forward- vs. reverse-flow edges).
Composition: Step II
[Figure: edge cut of the s-d flow graph mapped to a current path]
Analogy: Security measures resistance to attack, just as electric resistance measures resistance to current.
Composition - Step II: Map each edge cut to a (directed) resistive current path with zero resistance (unrestricted flow) along reverse-flow edges.
Composition: Step III
• Circuit elements combine using the principle of superposition, but…
• We have directional current path constraints which cannot be combined using superposition.
• Solution: Construct directed resistors!
[Figure: a directed resistor, i.e. a resistor of R Ω combined with an ideal diode (0 Ω in the forward direction)]
Composition - Step III: Replace each directed current path with a path of directed resistors and combine into an electric circuit E using superposition.
Composition: Evaluation
[Figure: example s-d flow graph with integer link labels (1, 2, 3) and the corresponding resistor circuit]
Composition Rule: The equivalent security of the data is the equivalent resistance R(Gsd) of the circuit E, referred to as the route resistance.
The edge-to-resistor mapping is one-to-one.
Mapping to Electric Circuit
• Circuit construction
  • Efficient: edge cut decomposition not required
  • For planar graphs, the electric circuit is related to the planar dual of the graph Gsd
  • For non-planar graphs, circuit duality properties give an alternate construction using Gsd
• Properties
  • “Weakest link” property of sequential links is maintained (i.e. parallel): R1 || R2 ≤ min{R1, R2}
  • Additive security for disjoint paths (i.e. series)
Circuit Theoretic Metric
• To compute V(Gsd):
  • Construct the equivalent circuit E
  • Compute the equivalent resistance R(Gsd)
  • Define V(Gsd) proportional to R(Gsd)^-1
  • A linear (affine) transformation maps it to [0,1] as a function of R(G0sd)
Application of Route Vulnerability Metric
• Example: node capture attacks
  • Active adversary eavesdrops, analyzes network traffic, participates in protocols
• Data flow graph Gsd = Gsd(C)
  • C = set of captured nodes
  • G0sd = Gsd(∅)
• Link labels indicate the number of shared keys providing C/I for the link
Node Capture Attacks using Route Vulnerability
• Optimal node capture attack:
  • Compute the set of nodes C s.t.
    • V(Gsd(C)) = 1 for all target s-d data flows
    • cost(C) is minimized
• Iterative heuristic:
  • Given C captured, choose n s.t.
    • the aggregate increase in vulnerability per unit cost over all target flows is maximized
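The composition rule (weakest-link links in parallel, disjoint paths in series), the normalization of route resistance into a route vulnerability V(Gsd), and the per-unit-cost selection step of the iterative heuristic can all be exercised on a small instance. The code below is an added example, not the authors' implementation. It covers only the series-parallel case, where the s-d flow is a set of edge-disjoint paths; the general directed-resistor circuit for routes that share links is not built. Its other assumptions: link labels are counts of shared keys (as in the node capture application), capturing a node drops the label of every link touching it to 0, and the affine map used for V is 1 - R/R0, which is one choice satisfying V(G0sd) = 0 and V = 1 when route resistance reaches 0 (the slides state only that V is an affine transformation tied to R(G0sd)). The topology, labels and costs are constructed. The selection step is written from the defender's side, as a way to find which single relay's loss would raise vulnerability most and so deserves hardening first.

```python
"""Route resistance R(Gsd), route vulnerability V(Gsd) and the greedy
node-selection step, for flows made of edge-disjoint paths.

Added example, not the authors' code.  Assumptions: a link label is the
number of shared keys securing that hop; capturing a node drops the label
of every link touching it to 0; the flow is a set of edge-disjoint paths
(series-parallel case of the composition rule; the general directed-resistor
circuit is not built here); and V is normalized as 1 - R/R0, so that V = 0
in the reference state and V = 1 when route resistance reaches 0.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

Link = Tuple[str, str]      # one hop (u, v) of a path
Flow = List[List[Link]]     # edge-disjoint paths from s to d


def parallel(values: Iterable[float]) -> float:
    """Links along one path combine like parallel resistors: the result is
    at most the smallest label, which is the weakest-link property."""
    vals = list(values)
    if any(v <= 0 for v in vals):
        return 0.0
    return 1.0 / sum(1.0 / v for v in vals)


def route_resistance(flow: Flow, labels: Dict[Link, float], captured: Set[str]) -> float:
    """Composition rule (series-parallel case): each path's links combine in
    parallel, and the edge-disjoint paths then add in series."""
    total = 0.0
    for path in flow:
        effective = [0.0 if (u in captured or v in captured) else labels[(u, v)]
                     for (u, v) in path]
        total += parallel(effective)
    return total


def route_vulnerability(flow: Flow, labels: Dict[Link, float], captured: Set[str]) -> float:
    """V(Gsd(C)) relative to the reference state Gsd(empty set): 0 before any
    capture, 1 once no resistance to the attack remains."""
    r0 = route_resistance(flow, labels, set())
    if r0 == 0.0:
        return 1.0
    return 1.0 - route_resistance(flow, labels, captured) / r0


def most_critical_node(flows: Dict[str, Flow], labels: Dict[Link, float],
                       costs: Dict[str, float], captured: Set[str],
                       candidates: Iterable[str]) -> Tuple[Optional[str], float]:
    """One step of the slides' iterative heuristic, read here as a hardening
    priority: the node whose loss gives the largest aggregate increase in
    vulnerability per unit cost across all target flows."""
    baseline = {name: route_vulnerability(f, labels, captured) for name, f in flows.items()}
    best, best_score = None, float("-inf")
    for n in candidates:
        if n in captured:
            continue
        trial = captured | {n}
        gain = sum(route_vulnerability(f, labels, trial) - baseline[name]
                   for name, f in flows.items())
        score = gain / costs[n]
        if score > best_score:
            best, best_score = n, score
    return best, best_score


# Constructed sample: two edge-disjoint 2-hop paths s-a-d and s-b-d.
LABELS: Dict[Link, float] = {("s", "a"): 2, ("a", "d"): 3, ("s", "b"): 1, ("b", "d"): 4}
FLOW: Flow = [[("s", "a"), ("a", "d")], [("s", "b"), ("b", "d")]]
FLOWS = {"s->d": FLOW}
COSTS = {"a": 1.0, "b": 1.0}   # relays only; s and d are not candidates here


if __name__ == "__main__":
    print("R0 =", route_resistance(FLOW, LABELS, set()))
    print("V after losing a =", route_vulnerability(FLOW, LABELS, {"a"}))
    print("most critical relay:", most_critical_node(FLOWS, LABELS, COSTS, set(), COSTS))
```

On the sample, path s-a-d contributes 1/(1/2 + 1/3) = 1.2 and path s-b-d contributes 1/(1/1 + 1/4) = 0.8, so R0 = 2.0; the parallel combination never exceeds the weakest hop on a path, which is the "weakest link" property the slides require. Losing relay a removes the larger contribution, so V rises to 0.6, against 0.4 for relay b, and the scoring step therefore ranks a as the relay to protect first; losing both drives R to 0 and V to 1.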
Examples to Illustrate Route Vulnerability Evaluation
• An adversary can use the route vulnerability metric to improve attacks
  • Allows a cross-layer adversary to perform a near-optimal attack
• Examples:
  • Compromise of data integrity in target tracking
  • Compromise of data confidentiality in distributed content dissemination using network coding
• Simulation:
  • Compromise of data confidentiality in a large-scale ad hoc network using random key assignment
Example: Target Tracking Application
• Goal:
  • Compromise integrity of alarm data
  • Modify/erase alarm signals to base nodes
• Attack:
  • Use V(Gsd) for single-path routes to identify vulnerabilities
  • Heuristic algorithm
  • Compromise link integrity using recovered keys
Example: Data Dissemination using Network Coding
• Goal of attack:
  • Compromise confidentiality of data
  • E.g. violation of user privacy
• Attack:
  • Use V(Gsd) for dependent data flow to identify vulnerabilities
  • Heuristic algorithm
  • Compromise link integrity using recovered keys
Large-Scale Simulation Results
• Comparison: node capture attacks using
  • Random capture
  • #Recovered keys
  • #Compromised links
  • Total traffic through captured nodes
  • Route vulnerability
• For
  • Single-path routing
  • Dependent multi-path routing
Summary of Contributions
• Impact of routing on security
• Route vulnerability metric
  • Provides insight into the impact of cross-layer adversaries
  • Allows for joint evaluation of security and routing protocols
  • Exposes cross-layer vulnerabilities
  • Can help determine suitable protocols for a given application/deployment
Thank you for your time & attention!
Questions?