Post on 24-Feb-2016
description
Insider Attacker Detection
Presented by Fang Liu
fliu@gwu.edu
04/22/23 2
Outline Introduction Detection of Faulty Sensors Detection of Routing Misbehaviors A General Solution
– Insider Attacker Detection in Wireless Sensor Networks
04/22/23 3
Secure the Sensor Networks Protecting confidentiality, integrity, and availability of the
communications and computations Sensor networks are vulnerable to security attacks due to
the broadcast nature of transmission Jamming, eavesdropping, etc.
Sensor nodes can be physically captured or destroyed All information will be released if not tamper-resistant.
04/22/23 4
Compromised Sensors Sensors are vulnerable.
Subject to physical attacks Not tamper-resistant
Compromised nodes can launch insider attacks. False information
False readings, Data alteration, etc Routing misbehaviors
Message negligence, selective forwarding, jamming, etc.
04/22/23 5
Challenges in Detecting Insider Attackers Compromised nodes know all the information!
Cannot be detected with classical cryptographic security mechanisms Authentication, Integrity protection, etc
Difficult to study the normal/abnormal node activities Dynamic attacks
No centralized server to perform analysis and correlation
04/22/23 6
Existent Solutions
Detection of False Information Detection of Routing Misbehaviors Our Work –
A General Solution to Insider Attacker Detection in Wireless Sensor Networks
04/22/23 7
Detection of False Information Detecting and tolerating false information inserted by
Faulty sensors Compromised sensors
Methods: Centralized solution: The base station collects the data and
checks the correctness [Shen ICC’01, Koushanfar et al. Sensors’03]
Secure data aggregation [Cao et al Mobihoc’06] Fault-tolerant event detection: Disambiguate events from noise-
related error, faulty sensors 0/1 predicate Comparison with neighborhood activities [Cheng et al. Infocom’05]
04/22/23 8
Detection of Routing Misbehaviors Routing misbehaviors:
Selective forwarding, packet dropping, etc.
One contemporary solution: Forward packets only through nodes that share a priori
trust relationship. But, It requires key distribution. Trusted nodes may be still overloaded, broken or
compromised Untrusted nodes may be well behaved.
04/22/23 9
Detection of Routing Misbehaviors
Method: Detect with the help of base station
“Location-centric Isolation of Misbehavior and Trust Routing in Energy-constrained Sensor Networks”
Detect by monitoring the neighborhood “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks”
04/22/23 10
Location-centric Isolation of Misbehavior and Trust Routing in Energy-constrained Sensor Networks Misbehavior model
Dropping of queries and data packets
Assume the availability of location information and the ability to perform geographic routing
Main procedure Base stations send marked packets to probe sensors, and
rely on the responses to identify and isolate insecure location Sensors route packets to trusted neighbors
04/22/23 11
TRANS Components
Authentication
Periodic beaconing
04/22/23 12
Trust Routing Protocol Send packets only toward trusted neighbors Trust table based security mechanism
04/22/23 13
TRANS Scenario
04/22/23 14
TRANS Scenario
04/22/23 15
Isolating Insecure Location(1/2) Finding Malicious Node
(Probing) E-TTL
Send probe packet with increasing hop-count
Binary Send probe packet in a
binary search fashion One-Shot
Send probe packet along the path and each node replies its location
04/22/23 16
Isolating Insecure Location(2/2) Isolating Method
Sink finds misbehaving node and generate Black List
Black List Geocast Broadcast black list Remove isolated node from neighbor list Broadcasting overhead
Embedded Black List Embedded black list in packet header Detour point using geographic routing
04/22/23 17
Summary: Location-centric Isolation of Misbehavior and Trust Routing in Energy-constrained Sensor Networks
Routing misbehaviors detection and isolation Centralized detection Isolating Misbehavior node using black list
Trust routing protocol design Trust evaluation may be not working for insider
attackers Based on authentication
04/22/23 18
Mitigating Routing Misbehavior in Mobile Ad Hoc Networks
Ad hoc networks maximize total network throughput by using all available nodes for routing and forwarding.
A node may misbehave by agreeing to forward the packet and then failing to do so because it is Overloaded, Selfish, Malicious or Broken
Few misbehaving nodes can have a severe impact
04/22/23 19
Proposed Solutions Install extra facilities in the network to detect and
mitigate routing misbehavior. Make only minimal changes to the underlying
routing algorithm.
Two extensions to DSR - “Watchdog” and “Pathrater” Watchdog identifies misbehaving nodes by overhearing
transmissions Pathrater avoids routing packets through these nodes
04/22/23 20
Assumptions
Some assumptions are Links between the nodes are bi-directional Nodes are in promiscuous mode operation Malicious node does not work in groups
AB
C
04/22/23 21
Watchdog The watchdog is implemented by maintaining a buffer of recently Each overheard packet is matched with the packet in the buffer In case of a match, the packet in the buffer in removed By overhearing, tampering of payload or header can also be
detected If the packet, however, has remained in the buffer for longer than a
certain timeout The watchdog increases the failure tally for the node responsible for
forwarding on the packet If the tally exceeds the threshold value, it determines that the node is
misbehaving
04/22/23 22
Watchdog (Contd) Advantages
It can detect misbehavior at the forwarding level
Disadvantages are Might not detect packet drops due to collisions
Ambiguous collisions Receiver collisions Limited transmission power Others
04/22/23 23
Ambiguous Collisions
BA
SPacket # 1
Packet # 1
C
D
IH
F
G
Packet # 1
The ambiguous problem prevents node A from overhearing transmission from B
A cannot overhead B
04/22/23 24
Limited transmission Power
BA
SPacket # 1
Packet # 1
D
EH
F
G
Packet # 1
Misbehaving node can control its transmission power to circumvent the watchdog
A cannot overhead B
04/22/23 25
False Misbehavior
BA
SPacket # 1
Packet # 1
D
FH
C
GFailure Tally ++;If (Failure Tally > Threshold) notify source;
A reports that B is not forwarding packets when in fact it is.
When nodes falsely report other nodes as misbehaving
04/22/23 26
Collusion
BA
SPacket # 1
Packet # 1
D
FH
C
G
A forwards to B, but doesn’t report when B drops the packet.
Multiple nodes in collusion can mount a more sophisticated attack
04/22/23 27
Partial Dropping
BAS
Packet # 1Packet # 1
D
FH
CG
Packet # 2
Failure Tally ++;If (Failure Tally > Threshold) notify source;
B drops packets at a lower rate than the misbehavior detection threshold.
A node can circumvent the watchdog by dropping packets at a lower rate than the watchdog’s configured minimum misbehavior threshold
04/22/23 28
Pathrater Each nodes maintain a rating for every other node
it knows about in the network A path metric is the Average of the Node ratings
along the path. The metric gives a comparison of the overall
reliability of different paths If there are multiple paths to the same destination,
the path with the highest metric is chosen
04/22/23 29
Summary: Mitigating Routing Misbehavior in Mobile Ad Hoc Networks
Enable nodes to avoid malicious nodes (overloaded, malicious, selfish, broken) in their routes Watchdog – identifies misbehavior nodes by listening to the next
node’s transmission Pathrater – helps routing protocols avoid these nodes
Allows nodes to use better paths and thus to increase their throughput
The watchdog determines a malicious through threshold comparison. How the threshold value is calculated ? - it is one of the important
factor in detecting malicious nodes
04/22/23 30
A Framework for Identifying Compromised Nodes in Sensor Networks
Identifying compromised nodes? Use the alert information!
But, compromised nodes may … Raise false alerts Form a local majority and collude Behave arbitrarily
An application-independent framework to identify compromised node based on alert reasoning
04/22/23 31
Assumptions Application-specific detection mechanisms
Beacon probing, watchdog …
Static sensor networks Fixed observability relationship
Message confidentiality and integrity Secure comm. with base stations
Trustable base stations Centralized
04/22/23 32
An Example
The base station should: Have the monitoring relationship Consider the possibility of false alerts Probe beacon nodes regularly
The sensor network The observability graphBeacon
Sensor
04/22/23 33
The Framework Sensor behavior model:
Reliability rm: the percentage of normal activities conducted by an
uncompromised node.
Observer model: Observability rate rb: s1 may not observe each activity of s2
Positive accuracy rp: s1 may not detect the abnormal activity of s2
Negative accuracy rn: s1 raise alert against s2, but s2 is normal.
Security estimation K The max # of compromised nodes that the network can work
04/22/23 34
Identification of compromised nodes Step 1: Label abnormal/normal alerts
Observe the alert pattern Get the expected #Alerts raised by s1 against s2
Compare with the actual #Alerts > expected#: abnormal; o.w. normal
Observability rate
Positive accuracyNegative accuracyReliability
fj(x): the distribution fo #events that can be sensed by j
Pb(alert: i against j)
Rij(t): expected # of alerts raised by i against j, when i, j are uncompromised
04/22/23 35
Identification of compromised nodes Step 2: Derive suspicious node pairs
Labelled observability graph G’(V,Ea+En) Node si and sj are a suspicious pair if:
(si,sj) or (sj,si) is in Ea, or s’ exists
(si,s’) in Ea & (sj,s’) in En, or, (si,s’) in En & (sj,s’) in Ea.
normal
abnormal
At least one of the suspicious pair is compromised!
04/22/23 36
Identification of compromised nodes Step 3: Find the compromised nodes
Definition: valid assignment
To identify the common nodes in all possible assignments: CompromisedCore
The largest number of truly compromised nodes, no false alarms
04/22/23 37
Alert reasoning algorithm Lemma 3.1: Given an inferred graph I(V;E), let VI be
a minimum vertex cover of I. Then the number of compromised nodes is no less than |VI|.
Theorem 3.1 Given an inferred graph I and a security estimation K, for any node s in I, s in CompromisedCore(I;K) if and only if |Ns|+CI’s > K. NP-complete Min vertex cover
04/22/23 38
Alert reasoning algorithm Corollary 3.1: Given an inferred graph I and a
security estimation K, for any node s in I, if |Ns|+MI’s > K, then s in CompromisedCore(I;K). Maximal matching: MG ≤ CG ≤ 2MG
|Ns|+CI’s > |Ns|+MI’s > K Polynomial
04/22/23 39
Simulation General+mm:
The general AppCompromisedCore algorithm + maximum matching
EigenRep PeerTrust
Reputation-based trust functions for P2P Majority Voting
04/22/23 40
Impact of the concentration of compromised nodes
04/22/23 41
Summary: A Framework for Identifying Compromised Nodes in Sensor Networks
Detection algorithm with maximum accuracy without false alarms
Effective with local majority
However, A priori knowledge about:
sensor behavior model observer model: the accuracy of the alert
Observability rate, positive accuracy, negative accuracy, etc. Centralized: the base station does the detection!
04/22/23 42
The Common Methodology
Suspicious Behavior Detection
Information Collection
Diagnosis and notification of the detection result
Watchdog-based,0/1 predicate
Reputation evaluation, threshold comparison, etc.
Requires application-specific knowledge!
Localized/centralized
04/22/23 43
Our Work – A General Solution to Insider Attacker Detection Insider attackers
Compromised nodes under the control of the adversary Data alteration, Message negligence, Selective forwarding,
etc
Challenges: The insider attacker knows all the secret information! The detection scheme must be efficient, flexible, and
localized
Cannot use cryptography-based techniques Localized statistical analysis?
04/22/23 44
The Basic Idea Observation: Similar networking behaviors in close
neighborhood.
Detection of insider attackers with a light, flexible and localized algorithm? Measure the networking behaviors of neighboring
nodes E.g. packet dropping rate, packet sending rate, forwarding
delay time, etc. Detect if any abnormal activities exist Exploiting the spatial correlation among neighboring sensors!
04/22/23 45
The Basic Algorithm Information Collection
Node x gets f (xi) for each neighbor xi in N(x)
Outlier Detection Assume f (xi) ~ Nq(μ,Σ), then the Mahalanobis squared
distance d2(xi) = (f (xi) -μ)TΣ-1(f (xi) -μ) ~ χ2q. Thus,
Prob(d2(xi)> χ2q(α)) = α.
xi could be an outlier if d2(xi) is sufficiently large.
Majority Vote
04/22/23 46
Two Extensions Estimate (µ,Σ) from the data set {f(xi)} with the
existence of outliers? If f(xi) ~ Nq(μ,Σ), d2(xi) = (f(xi) -μ)TΣ-1(f(xi) -μ) ~ χ2
q
(µ,Σ) is about the population of normal sensors Cannot use sample mean, sample covariance-
covariance to estimate (µ,Σ)
Robust statistics: Orthogonalized Gnanadesikan-Ketterring (OGK)
04/22/23 47
Two Extensions For a sparse network, information is collected from
multi-hop neighborhood, which may be inserted with false data.
Trust-based false information filtering
AB
C D
FE
B: (21,42,39)
B: (18,31,37)
B: (20,30,39)
04/22/23 48
Trust-based false information filtering
AB
C D
FE
C: (19,32,40)D: (22,11,42)E: (21,29,38)F: (19,31,39)
C: (0.83,0.63,0.15)D: (1.17,1.49,1.31)E: (0.50,0.33,1.02)F: (0.83,0.53,0.44)
C: 0.83D: 1.49E: 1.02F: 0.83
C: 1D: 0.56E: 0.81F: 1
max min/xstandardize
Sensor (A) should select a reliable relay node (D or F?) based on its own observation.
A’s monitoring results Trust value
standardize(y-μ)/σ
04/22/23 49
Performance Evaluation (1/3)
Evaluation metrics Detection accuracy:
False alarm:
Simulation settings Sparse or Dense networks Compromised relay nodes:
D: Identified outliersO: Real outliers
04/22/23 50
Performance Evaluation (2/3) Dense networks
04/22/23 51
Performance Evaluation (3/3) Sparse networks
04/22/23 52
Conclusion Achieves high detection accuracy, with low
false alarm rate Works well with 25% misbehaving sensors Requires no a priori knowledge about
network activities Relies on localized information exchange
only