
Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships


Presentation Transcript


  1. Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships
  Qing Li and Wade Trappe, IEEE Transactions on Information Forensics and Security, VOL. 2, No. 4, December 2007
  Presented by: Ryan Yandle

  2. Outline
  • Spoofing
  • ORBIT
  • Family 1 – Relationships via Auxiliary Fields
    • Method A – Sequence Number
    • Method B – One-way chains
  • Family 2 – Relationships via Intrinsic Properties
    • Method A – Interarrival time
    • Method B – Joint Background Traffic and Interarrival time Analysis
  • Multilevel Classification
  • Conclusion

  3. What is Spoofing?
  • The practice of impersonating another entity in order to subvert security.
  • Spoofing allows the attacker to remain anonymous and undetected in the network.

  4. More Specifically
  • This paper refers to MAC address spoofing.
  • The attacker tries to gain access to the WLAN by cloning the MAC address of a legitimate user.

  5. What are Forge-Resistant Relationships?
  • Rules that govern the relationship between two distinct entities
  • These rules define the relationship such that another entity (an attacker) trying to forge the relationship would be caught
  • The paper’s focus is to detect spoofing by creating these unique relationships

  6. The ORBIT Wireless Test Bed
  • Composed of a 2D grid of wireless nodes
  • Jointly run by several schools in the NY/NJ area

  7. Test Bed Setup
  • A – Legitimate Sender
  • B – Attacker
  • X – Monitor

  8. Strategy Overview
  • Consider that the legitimate sender has a unique identity
  • Associated with their identity will be a particular sequence of packets
  • From these packets we may observe states

  9. More Strategery… • A Relationship Consistency Check (RCC) is a binary rule that returns 1 if the states obey the rule R with respect to each other.

  10. But…
  • Simply using a relationship R and checking the corresponding RCC at the monitoring device is not going to provide reliable security
  • We need to add forgeability requirements to the relationship
  • Thus, an RRCC (forge-resistant RCC) is needed

  11. Definition of RRCC
  • An ε-forge-resistant relationship R is a rule governing the relationship between a set of states from a particular identity, for which there is only a small probability of another device being able to forge a set of states such that a monitoring device would evaluate the corresponding RCC as 1.

  12. More…
  • We will view the output of an RRCC as the result of deciding between two different hypotheses.
  • H0 – the null hypothesis, which corresponds to non-suspicious activity
  • H1 – the alternate hypothesis, which corresponds to anomalous behavior

  13. Quantifying Effectiveness
  • We will use several measures to quantify the effectiveness of R.
  • The probability of a false alarm
    • PFA = Pr(H1; H0)
    • The probability that we decide a set of states is suspicious when it was really legitimate
  • The probability of a missed detection
    • PMD = Pr(H0; H1)
    • The probability of deciding that a set of states is legitimate when it was not

  14. Quantifying Effectiveness Cont.
  • The probability of detection
    • PD = 1 – PMD
  • Other Symbols:
    • ε = PMD
    • δ = PFA
  • Therefore, we can characterize an RRCC by the pair (ε, δ)

  15. Two Proposed Families for Relationships
  • Using auxiliary fields in the MAC frame to create a monotonic relationship
  • Using traffic inter-arrival statistics to detect anomalous traffic

  16. Family I - Forge-Resistant Relationships via Auxiliary Fields
  • Method A: Anomaly Detection via Sequence Number Monotonicity
  • Enforce a rule that requires packet sequence numbers to follow a monotonic relationship, denoted as Rseq

  17. 802.11 MAC Frame Structure
  • Generally used to re-assemble fragmented frames or detect duplicate packets.
  • Fragment control – 4 bits
  • Sequence number – 12 bits = 4096 possibilities, ranging over [0, 4095]
  • Firmware

  18. Rseq
  • It does not matter if the attacker can manipulate its own sequence numbers.
  • A cloning attempt would be exposed by the resulting duplicate sequence numbers
  • Therefore, the forge resistance stems from the fact that the attacker cannot stop the sender from transmitting packets.

  19. Single Source Sequence Numbers
  • τ: the difference in sequence numbers between two consecutive packets
  • The possible values for τ: [1, 4096]
  • A value of 4096 is equivalent to a sequence number difference of 0 (duplicate sequence numbers)
  • The mean of the distribution of τ is E[τ] = 1/(1−p), where p is the packet loss rate
  • The variance of the distribution of τ is σ_τ² = p/(1−p)²

  20. Theoretical Packet Loss
  • Using the formulas we just learned, for a theoretical transmission with a packet loss rate of 50%:
    • E[τ] = 1/(1−0.5) = 2
    • σ_τ² = 0.5/(1−0.5)² = 2, so σ_τ = 1.41
  • Even for networks with poor connectivity, the difference in sequence numbers between successive packets will be relatively small

  21. Dual Source Sequence Numbers
  • Let y be the sequence number from the real source
  • Let x be the sequence number from the attacker
  • z = x − y gives us a range of [−4095, 4095]
  • This gap will be defined as τ = z mod 4096

  22. Dual Source Cont.
  • If we then map a difference of 0 to 4096, we have a uniform distribution over [1, 4096]
  • E[τ] = 2048.5
  • σ_τ = 1182

  23. Single Source Behavior
  • A single node is transmitting packets using a specified MAC address to a receiver
  • No anomalous behavior is present in this scenario

  24. Dual Source Behavior
  • Two nodes using the same MAC address to transmit packets
  • One node is spoofing the other’s MAC address

  25. Let’s build a detector…
  • We will define the RRCC detection scheme as follows:
  • Choose a window of packets coming from a specific MAC address
  • We will choose a window of size L
  • The detector will calculate the L−1 sequence number gaps inside the window

  26. More on the detector
  • The detector will determine that there is an anomaly if MAX over l = 1, …, L−1 of {τ_l} > g
  • g is determined by solving for a desired false alarm rate

  27. Example: L = 5 and g = 3
  [Figure: observed sequence numbers 1 2 3 76 5 7 8 9 10 11; the gaps shown inside the window are 1, 73, 71, 2]
  MAX{1, 73, 71, 2} = 73 > g, so RETURN(1)
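The window detector of slides 25 to 27, using the gap definition of slides 19 and 21, as an added Python example; this is not code from the presentation or from the paper. The threshold routine rests on a modelling assumption of ours, not a statement on the slides: under H0 the L−1 gaps in a window are independent and geometrically distributed, P(τ = k) = (1−p)p^(k−1), which is the distribution whose mean 1/(1−p) and variance p/(1−p)² slide 19 quotes. Function names are ours; the sample sequence numbers are those of slide 27.

```python
from typing import List, Sequence

SEQ_MODULUS = 4096  # the 12-bit 802.11 sequence number field wraps at 4096


def seq_gap(prev: int, cur: int) -> int:
    """Gap tau between two consecutive sequence numbers (slides 19 and 21):
    (cur - prev) mod 4096, with a difference of 0 (a duplicate) mapped to 4096,
    so tau always lies in [1, 4096]."""
    gap = (cur - prev) % SEQ_MODULUS
    return SEQ_MODULUS if gap == 0 else gap


def window_gaps(window: Sequence[int]) -> List[int]:
    """The L-1 gaps inside a window of L sequence numbers seen for one MAC address."""
    return [seq_gap(a, b) for a, b in zip(window, window[1:])]


def rcc_seq(window: Sequence[int], g: int) -> int:
    """Sequence-number monotonicity RCC (slide 26): 1 = anomaly if the largest gap exceeds g, else 0."""
    return 1 if max(window_gaps(window)) > g else 0


def scan(seq_numbers: Sequence[int], L: int, g: int) -> List[int]:
    """Slide a window of L frames over the capture; return the start index of every window that alarms."""
    return [i for i in range(len(seq_numbers) - L + 1) if rcc_seq(seq_numbers[i:i + L], g) == 1]


def false_alarm_rate(p: float, L: int, g: int) -> float:
    """P_FA = Pr(alarm | H0) for threshold g.

    Modelling assumption (ours, not the slides'): under H0 the L-1 gaps are independent and
    geometric, P(tau = k) = (1-p) p^(k-1), so P(tau > g) = p^g and a window stays below the
    threshold with probability (1 - p^g)^(L-1)."""
    if not 0.0 <= p < 1.0:
        raise ValueError("packet loss rate p must satisfy 0 <= p < 1")
    return 1.0 - (1.0 - p ** g) ** (L - 1)


def threshold_for(p: float, L: int, delta: float) -> int:
    """Smallest integer g whose false alarm rate is at most the target delta
    (slide 26: 'g is determined by solving for a desired false alarm rate')."""
    g = 1
    while false_alarm_rate(p, L, g) > delta:
        g += 1
    return g


if __name__ == "__main__":
    observed = [1, 2, 3, 76, 5, 7, 8, 9, 10, 11]  # sequence numbers from slide 27
    print("gaps in the first window:", window_gaps(observed[:5]))
    print("alarming window start indices:", scan(observed, L=5, g=3))
    print("g for p=0.5, L=5, delta=0.01:", threshold_for(0.5, 5, 0.01))
```

Note that the code applies slide 21's modular definition strictly, so the backward step from 76 to 5 produces a gap of 4025 rather than the 71 printed on the slide; either way the window's maximum exceeds g = 3 and the check returns 1. Under the geometric model, a 50% loss rate with L = 5 and δ = 0.01 yields g = 9, which is still far below the gaps a second transmitter produces.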

  28. Performance of Sequence Number Monotonicity L = 2

  29. Sequence Number Gap Statistics for a Single Source from ORBIT

  30. When would this not work?
  • This method of detection only works when both sources are present (heterogeneous sources); the legitimate device must be transmitting in order to reveal the anomaly.

  31. Family I - Forge-Resistant Relationships via Auxiliary Fields
  • Method B: One-way chain of Temporary Identifiers
  • The sender attaches a TIF (temporary identifier field) to its identity, forcing the adversary to solve a cryptographic puzzle in order to spoof.

  32. Temporary Identifier Fields
  • Similar to what was proposed in TESLA
  • Compute a one-way chain of numbers, and attach them to the frames in reverse order.
  • In order for the attacker to spoof a message, they would need to invert the one-way function used to compute the chain.
  • This method is loss-tolerant
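The one-way chain of slide 32 on the monitor's side, as an added Python example that is not code from the presentation or the paper. The one-way function is our choice (SHA-256 truncated to the TIF bit length; the slides report 10- and 16-bit TIFs but do not name the function), the monitor is assumed to already hold the chain head for the identity it watches, and loss tolerance is implemented by letting the monitor hash a received TIF up to `max_loss + 1` times to reach its last accepted value. Class and function names are ours.

```python
import hashlib
from typing import List


def one_way(value: bytes, bits: int) -> bytes:
    """One-way function for the chain: SHA-256 truncated to `bits` bits (our choice of function)."""
    digest = hashlib.sha256(value).digest()
    nbytes = (bits + 7) // 8
    truncated = int.from_bytes(digest[:nbytes], "big") & ((1 << bits) - 1)
    return truncated.to_bytes(nbytes, "big")


def make_chain(seed: bytes, n: int, bits: int) -> List[bytes]:
    """x_0 = H(seed), x_i = H(x_{i-1}); returns [x_0, ..., x_n]. Frames reveal x_n first, then x_{n-1}, ..."""
    chain = [one_way(seed, bits)]
    for _ in range(n):
        chain.append(one_way(chain[-1], bits))
    return chain


class TifSender:
    """The legitimate sender A: walks its precomputed chain backwards, one TIF per frame."""

    def __init__(self, seed: bytes, n: int, bits: int) -> None:
        self.chain = make_chain(seed, n, bits)
        self.next_index = n

    def head(self) -> bytes:
        """Chain head x_n; assumed to be known to the monitor before the first TIF is checked."""
        return self.chain[-1]

    def next_tif(self) -> bytes:
        if self.next_index == 0:
            raise RuntimeError("chain exhausted; the sender must set up a fresh chain")
        self.next_index -= 1
        return self.chain[self.next_index]


class TifMonitor:
    """The monitor X: accepts a TIF only if hashing it (at most max_loss + 1 times, to absorb lost
    frames) reaches the last TIF it accepted for this identity."""

    def __init__(self, head: bytes, bits: int, max_loss: int = 3) -> None:
        self.last = head
        self.bits = bits
        self.max_loss = max_loss

    def check(self, tif: bytes) -> int:
        """RCC output: 0 if the TIF chains back to the last accepted value, 1 (anomaly) otherwise."""
        value = tif
        for _ in range(self.max_loss + 1):
            value = one_way(value, self.bits)
            if value == self.last:
                self.last = tif  # advance the anchor; an old TIF can never be accepted again
                return 0
        return 1


if __name__ == "__main__":
    sender = TifSender(b"constructed example seed", n=20, bits=16)
    monitor = TifMonitor(sender.head(), bits=16)
    print([monitor.check(sender.next_tif()) for _ in range(5)])  # five clean frames
```

The check is forge-resistant only to the extent that guessing a TIF is hard: the monitor accepts any value that hashes to its anchor within `max_loss + 1` steps, so shorter TIFs and a larger loss allowance both raise the chance that a random value is accepted, which is the trade-off the ROC curves on the next slide show.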

  33. ROC Curve for one-way chain TIFs (Bit Length = 10 and Bit Length = 16)

  34. Outline
  • Spoofing
  • ORBIT
  • Family 1 – Relationships via Auxiliary Fields
    • Method A – Sequence Number
    • Method B – One-way chains
  • Family 2 – Relationships via Intrinsic Properties
    • Method A – Interarrival time
    • Method B – Joint Background Traffic and Interarrival time Analysis
  • Multilevel Classification
  • Conclusion

  35. Family II - Forge-Resistant Relationships via Intrinsic Properties
  • Method A) Traffic Arrival Consistency Checks
  • Use a traffic shaping tool to control the interarrival times observed by the monitoring device.
  • These interarrival statistics are then used to determine anomalous behavior

  36. Traffic Arrival Consistency Checks
  • Suppose we have our three devices, A, B, X
  • A is set to transmit at a fixed interval
  • X will take note of this behavior; if B starts transmitting (spoofing to impersonate A), the detector will notice a change in the distribution of packet arrivals
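The arrival consistency check of slides 35 and 36 on a constructed capture, as an added Python example; it is not code from the presentation or the paper. The decision rule (flag the window when more than a chosen fraction of interarrival times fall outside the shaped period plus or minus a tolerance), the tolerance values, and the constructed timestamps are all ours; the 200 ms period is the one used in the experiments on slide 38.

```python
from typing import List, Sequence


def interarrival_times(timestamps: Sequence[float]) -> List[float]:
    """Seconds between consecutive frames the monitor sees carrying the watched MAC address."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def fraction_off_schedule(gaps: Sequence[float], period: float, tolerance: float) -> float:
    """Share of interarrival times that fall outside period +/- tolerance."""
    if not gaps:
        return 0.0
    return sum(1 for gap in gaps if abs(gap - period) > tolerance) / len(gaps)


def rcc_arrival(timestamps: Sequence[float], period: float, tolerance: float,
                max_off_fraction: float) -> int:
    """Traffic arrival consistency check: 1 (anomaly) when the arrival pattern no longer matches the
    fixed interval A was shaped to, 0 otherwise. Tolerance and fraction are our tunables."""
    gaps = interarrival_times(timestamps)
    return 1 if fraction_off_schedule(gaps, period, tolerance) > max_off_fraction else 0


def average_interarrival(timestamps: Sequence[float]) -> float:
    """Observed average interarrival time for the watched MAC address."""
    gaps = interarrival_times(timestamps)
    return sum(gaps) / len(gaps) if gaps else 0.0


def constructed_sender(start: float, period: float, n: int, jitter: float) -> List[float]:
    """Constructed capture: n frames every `period` seconds with a small deterministic jitter
    (cycling through -jitter, 0, +jitter) standing in for channel access delay."""
    return [start + i * period + jitter * ((i * 7) % 3 - 1) for i in range(n)]


def merged_capture(a: Sequence[float], b: Sequence[float]) -> List[float]:
    """What X sees when two radios transmit with the same MAC address: both streams interleaved."""
    return sorted(list(a) + list(b))


if __name__ == "__main__":
    a_only = constructed_sender(0.0, 0.2, 50, 0.004)           # A shaped to 200 ms
    b_clone = constructed_sender(1.07, 0.2, 25, 0.004)         # B appears at t = 1.07 s using A's address
    for label, capture in (("A alone", a_only), ("A and B", merged_capture(a_only, b_clone))):
        print(label, "avg gap = %.3f s" % average_interarrival(capture),
              "RCC =", rcc_arrival(capture, 0.2, 0.02, 0.1))
```

With A alone, every gap sits within a few milliseconds of 200 ms and the check returns 0; once B's frames interleave, the gaps split into roughly 70 ms and 130 ms values, the observed average drops, and the check returns 1. The same jitter that the tolerance absorbs here grows with background traffic, which is the weakness slide 40 raises.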

  37. Resulting Histograms

  38. Experimental Results: 200ms

  39. Experimental Results cont.

  40. When would this method become unreliable on a wireless network?
  • With the presence of high background traffic, this method would become less suitable.
  • Background traffic would affect the transmission intervals of the sender, possibly causing false alarms.

  41. Family II - Forge-Resistant Relationships via Intrinsic Properties
  • Method B) Joint Traffic Load and Interarrival Time Detector
  • Jointly examine the interarrival time and the background traffic load
  • Use these two pieces of information to determine anomalous behavior, even under heavy traffic situations

  42. Joint Traffic Load and Interarrival Time Detector
  • We can define t to be the observed average interarrival time, and L to be the observed traffic load.
  • We then partition this (L, t) space into two regions
    • Region I – non-suspicious behavior
    • Region II – anomalous activity
  • This idea is later revisited in the experimental validation section.

  43. Enhanced Detection using Multilevel Classification
  • Extremely useful to have a severity analysis
  • Plot severity vs. average sequence number gap of a particular window
  • Severity is defined as the sum of the differences between a normal gap and the observed gap for all gaps in a window of size L
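The two coordinates of the severity plot on slide 43 computed for every window of a capture, as an added Python example that is not code from the presentation or the paper. The slide does not say what "a normal gap" is numerically; the code takes it as a parameter with a default of 1, the gap of a lossless single source per slide 19, and that default is our assumption. Function names are ours.

```python
from typing import List, Sequence, Tuple

SEQ_MODULUS = 4096  # 12-bit 802.11 sequence number field


def seq_gap(prev: int, cur: int) -> int:
    """Gap between consecutive sequence numbers per slides 19/21: (cur - prev) mod 4096, 0 mapped to 4096."""
    gap = (cur - prev) % SEQ_MODULUS
    return SEQ_MODULUS if gap == 0 else gap


def window_features(seq_numbers: Sequence[int], L: int,
                    normal_gap: int = 1) -> List[Tuple[float, int]]:
    """For each window of L frames return (average gap, severity), the axes of the slide-43 plot.

    severity = sum over the L-1 gaps of (observed gap - normal_gap); normal_gap = 1 is our assumed
    default for a lossless single source, not a value stated on the slides."""
    features = []
    for i in range(len(seq_numbers) - L + 1):
        window = seq_numbers[i:i + L]
        gaps = [seq_gap(a, b) for a, b in zip(window, window[1:])]
        average = sum(gaps) / len(gaps)
        severity = sum(gap - normal_gap for gap in gaps)
        features.append((average, severity))
    return features


def most_severe_window(seq_numbers: Sequence[int], L: int, normal_gap: int = 1) -> int:
    """Start index of the window with the largest severity, the first place an analyst would look."""
    feats = window_features(seq_numbers, L, normal_gap)
    return max(range(len(feats)), key=lambda i: feats[i][1])


if __name__ == "__main__":
    # Constructed capture: a clean run of frames, then a second radio interleaving its own counter.
    capture = [10, 11, 12, 13, 14, 15, 3000, 16, 3001, 17, 3002, 18]
    for start, (avg, sev) in enumerate(window_features(capture, L=5)):
        print("window %2d: average gap %8.2f severity %6d" % (start, avg, sev))
    print("most severe window starts at index", most_severe_window(capture, L=5))
```

A single source with occasional loss keeps both coordinates small, while a second transmitter with its own counter drives the average gap toward the dual-source mean of slide 22 and the severity up by thousands per window; the distance from the origin on the plot is what the multilevel classification grades.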

  44. Severity vs. Average Sequence Number Gap

  45. Conclusion
  • All methods have their flaws
  • There are already mechanisms in place within 802.11 that can help detect spoofing attacks
  • Thank you for your time!

  46. Questions / Comments

  47. Sequence Number Gap Statistics for Dual Source from ORBIT
