Intrusion Monitoring of Malicious Routing Behavior
Poornima Balasubramanyam, Karl Levitt
Computer Security Laboratory, Department of Computer Science, UC Davis
Security Threats
• Outsider attacks
  • infiltrate routing process
  • modify routing information
  • cause redirection of network traffic, DoS attacks, etc.
• Countermeasure: use of strong integrity mechanisms
UCDavis SecLab MURI October 2002
Security Threats – Contd.
• Insider attacks
  • Compromised rogue routers
    • legitimately participate in routing protocol
    • influence local routing behavior
    • actively disrupt global routing behavior
• Integrity mechanisms are in place
  • Routers do not masquerade as other routers
• Integrity mechanisms are not in place
  • Routers masquerade as other routers
Intrusion Monitoring of Networks
• Most intrusion monitoring is fine-grained
  • E.g., network packet analysis
• Some intrusions require higher-level monitoring
  • Intrusive behavior may be visible earlier at that level
• Our approach is aimed at multi-grained intrusion monitoring
Sample Network
[Diagram: routers R1–R13 and hosts H1, H2 in Area 1, Area 2 and Area 3 of one AS]
Link R4-R5 Is Down
[Diagram: the sample network with link R4-R5 removed]
Newly Isolated Node – R5; Single Point of Connection – R6
[Diagram: the sample network after the link failure]
Centrality of R6 greater even if degree of R6 unchanged
[Diagram: Areas 1–3 showing R4, R5, R6, R10, R11]
Isolated Node – R5; Centrality of Routers R10, R11, R12 Increases
[Diagram: Areas 1–3 showing R4, R5, R6, R10, R11, R12]
Subnet Failure
[Diagram: the sample network with a failed subnet]
Link Failure
[Diagram: the sample network with a failed link]
Second Link Failure – Temporal Failure Correlation
[Diagram: the sample network with a second failed link]
Centrality of R5 Increases Enormously; Result: Large-Scale Traffic Redirection
[Diagram: the sample network after both link failures]
Compromised Routers
Legitimately participate in routing protocol
• Integrity mechanisms are in place
  • Routers do not masquerade as other routers
  • May place themselves in more routing paths
  • Influence local routing behavior
  • Actively disrupt global routing behavior
• Suitable response
  • Take such routers out of the legitimate routing process before the disruption becomes too great
Compromised Routers – Contd.
Legitimately participate in routing protocol
• Integrity mechanisms are not in place
  • Routers masquerade as other routers
  • Spoofing attack on victim routers
  • Rogue router remains invisible
• Suitable response
  • Re-route overloaded router traffic and enforce traffic congestion control policies
Centrality Analysis
• Captures the structurally central part of a network
• Depends on point of view; the central nodes may be
  • the nodes with the most direct connections to neighbors, or
  • the nodes that are most connected to the network, or
  • the nodes that are closest to other points
Degree Centrality
• Number of nodes to which a node is directly linked
• Reflective of potential communication activity
• A measure of the vulnerability of a node, since high-degree nodes will be less vulnerable to attack
• A node of low degree is isolated and cut off from active participation in ongoing network activity
Degree Centrality of a node is given by:
Betweenness Centrality
• Based on the frequency with which a node falls between pairs of other points on the shortest paths between them
• Overall index determined by summing partial values for all unordered pairs of points
• The betweenness centrality of a node is greater if it lies on a greater number of shortest paths between other node pairs
• Defines potential for control of communication
Betweenness Centrality of a Node
Given a pair of nodes with geodesics (shortest paths) between them, the probability of using any one of these paths is given by
Betweenness Centrality of a Node – Contd.
• Thus, if we take the number of geodesics between the pair that contain a given third node, then the probability that this node falls on a randomly selected geodesic linking the pair is given by the ratio of that count to the total number of geodesics between the pair
Betweenness Centrality of a Node – Contd.
The overall centrality of a node k is determined by summing the partial probabilities for all unordered pairs of points i, j, where i ≠ j ≠ k.
• When a node falls on the only shortest path between a pair of points, the centrality of the point increments by 1
  • applicable in straightforward routing
• With alternate geodesics, the centrality index grows in proportion to the frequency of occurrence of that node among the alternatives
  • applicable in equal-cost multi-path routing
Computation of Betweenness Centrality
• Traditional summation methods are very costly, requiring O(n^3) time and O(n^2) space for n nodes and e edges
Approaches to Resolve Computational Issues
• Modified definitions
  • egocentric approach
  • simplified egocentric approaches
• Heuristics
  • Exploit sparsity of connections in large networks
  • Exploit correlation between degree centrality and betweenness centrality
Recent Work in Intra-domain Routing Protocols (Application to OSPF)
• Modified definition of betweenness centrality:
  • The centrality of a node is determined with respect to the root router of the SPF tree
• Advantages
  • Each router independently computes the betweenness centrality indices of the other routers
  • The betweenness centrality computation is piggybacked on the Dijkstra SPF algorithm at each router
  • Each router can adopt independent response decisions based on this metric
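As an added example (not code from the slide deck or the UC Davis project), the following implements both the betweenness definition above (fractional geodesic shares summed over unordered pairs) and the rooted, per-router variant that a router can fold into its own SPF run, using Brandes' single-source accumulation on a constructed five-router topology whose links are an assumption. It then recomputes the indices for the deck's "link R4-R5 is down" scenario.

```python
from collections import defaultdict, deque

# Constructed 5-router topology (router names follow the deck; the links are
# an assumption, since the diagram did not survive extraction). Cost 1 per link.
LINKS = [("R1", "R4"), ("R4", "R5"), ("R4", "R6"), ("R5", "R10"), ("R6", "R10")]

def adjacency(links):
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b); adj[b].add(a)
    return adj

def rooted_dependency(adj, root):
    """Single-source pass (Brandes): for each node v, the sum over destinations t of
    (# shortest root->t paths via v) / (# shortest root->t paths), i.e. rooted betweenness."""
    dist, sigma = {root: 0}, defaultdict(int, {root: 1})
    preds, order, queue = defaultdict(list), [], deque([root])
    while queue:                              # BFS = SPF for unit link costs
        v = queue.popleft()
        order.append(v)
        for w in adj[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
            if dist[w] == dist[v] + 1:        # v is a predecessor of w on a geodesic
                sigma[w] += sigma[v]
                preds[w].append(v)
    delta = {v: 0.0 for v in dist}
    for w in reversed(order):                 # accumulate from the leaves inward
        for v in preds[w]:
            delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
    return {v: d for v, d in delta.items() if v != root}

def betweenness(links):
    """Freeman betweenness over unordered pairs; equal-cost geodesics count fractionally."""
    adj = adjacency(links)
    total = defaultdict(float)
    for s in adj:
        for v, d in rooted_dependency(adj, s).items():
            total[v] += d
    return {v: total[v] / 2.0 for v in adj}   # each unordered pair was seen twice

def link_down(links, a, b):
    """Topology after link a-b fails (the deck's 'link R4-R5 is down' scenario)."""
    return [l for l in links if set(l) != {a, b}]

if __name__ == "__main__":
    before, after = betweenness(LINKS), betweenness(link_down(LINKS, "R4", "R5"))
    for r in sorted(before):                  # R6 rises 1.0 -> 4.0 with degree unchanged
        print(f"{r}: {before[r]:.1f} -> {after[r]:.1f}")
```

In this constructed topology the failure leaves R6 with the same degree (two links) while its betweenness quadruples, which is exactly the signal the degree-only measure would miss.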
Centrality Analysis in Ad hoc Networks
• Points of interest
  • Absence of communication infrastructure
  • Each mobile node must also perform the duties of a router
  • Nodes dynamically establish routing among themselves to form the ad hoc network
• Routing protocols being considered
  • Two routing protocols considered for standardization by the IETF, namely DSR and AODV
  • Hybrid ad hoc routing protocols that employ clustering and hierarchical techniques
Ongoing Work
• For each of DSR, AODV, and other hybrids:
  • Develop functionality that abstracts global centrality information locally
  • Study the role of heuristics in addressing computational issues
    • Ego-centric approaches
    • Correlation studies
  • Study limits of the approach
Ongoing Work – Contd.
• Simulate intrusive behavior of malicious ad hoc hosts involving
  • dense, complex networks
  • high node mobility, and
  • substantial dynamic topologies
Specific Tasks
• Modify ns-2 simulator modules to support elements of centrality analysis within ad hoc routing protocols
• Performance analysis of centrality estimates in the presence of both node mobility and dynamic topologies, as well as under specific node-failure/link-failure scenarios
Fundamental Motivation for Monitoring Routing
• Provide a systematic framework for
  • developing security specifications/constraints
  • establishing bounds for secure network behavior
• Create a more secure enhancement to an existing protocol
• Develop a response mechanism for
  • Isolating intrusive behavior of a malicious node
  • Use as a QoS metric to prevent traffic congestion
• Aspects to this study
  • describe knowledge available to each router
  • As a response mechanism, study feasibility of employing this information as a metric for
Conclusions
• Abstract global network control behavior locally at a router
• Capture changing topology to detect network-wide routing attacks
• Early detection possible
• Subverting such monitoring is harder
• Selectively misrouted packets are not detected with this approach