Selective_Forwarding_Attack

Report
Selective Forwarding Attack:
Detecting Colluding Nodes in
Wireless Mesh Networks
Shankar Karuppayah
National Advanced IPv6 Centre (NAv6)
Universiti Sains Malaysia
Network Security Workshop, February 14, 2012
Contents
 Introduction
 Problem Statement
 Related Work
 Our Proposed Mechanism
 Result and Analysis
 Conclusion and Future Work
Shankar Karuppayah
2/15
Introduction
Wireless mesh networks (WMNs)
IEEE 802.3 Ethernet LAN
 Self-organized
 Self-configured
Internet
 Self-healing
Wireless Mesh Backbone
 Low up front costs
 Scalable
Mesh Router with
Gateway/Bridge
Mesh Router
Wi-Fi Access Point
WiMAX Base Station
Ethernet Switch
IEEE 802.11 Wireless LAN
Shankar Karuppayah
IEEE 802.16 WiMAX
3/15
Introduction (cont.)
 Overcome last-mile Internet access problems
 Advantages:
 Adapts to dynamic topology changes
 Distributed cooperation routing
 WMN applications:
 Community networking
 Disaster relief
 Surveillance and monitoring
 Vulnerabilities exist in WMNs
 Shared wireless medium
 Distributed architecture
Shankar Karuppayah
4/15
Problem Statement
 Two type of attacks
 Passive attack
 Active attack
 Denial of service (DoS) attacks
 Preventing legitimate users from accessing information, services or
resources
 Gray Hole attack
 Also known as selective forwarding attack
 A variation from Black Hole attack
 Motivation of the attacks:
 Rational intentions
Network Performance Deteriorates!!!
 Malicious intentions
Shankar Karuppayah
5/15
Problem Statement (cont.)
 Existing security solutions
 Cryptographic mechanisms
 Public/private key exchange
 Not entirely applicable in WMNs
 Decentralized network architecture
 Routers physically tampered or software vulnerabilities exploited
The need for non-cryptographic security mechanism arises
Shankar Karuppayah
6/15
Related Work
 Marti et al. introduce watchdog
 Monitoring principle in “promiscuous” mode
 S. Banerjee propose an algorithm to detect and remove
Black/Gray Hole attackers
 Splits transmission data into several blocks
 Introduction of prelude and postlude message
 Shila et al. introduce Channel Aware Detection (CAD)
algorithm to detect Gray Hole attackers
 Consider normal losses
 medium access collisions
 bad channel quality
Shankar Karuppayah
7/15
CAD (Channel Aware Detection) Algorithm
Methodology:
S|2|0•Channel estimation
0|V0|2|0
0|V1|2|1
(Dynamic detection threshold)
•Hop-by-hop packet loss monitoring
S
Data transmission:
0|Vinto
1|V(W
2|2|0several blocks
3|1 )
Split
s
2
0
1
0
1
2
0
1
2
0
1
0
1
v0
v1
v2
v3
D
WMN Router Node
(Forwarding Path)
Malicious Node
However…
New
packet
types
:
When node forwards a packet:
WMN router nodes:
•PROBE packets
link
layer
acknowledgement
Maintain
count history
CAD algorithm
will notwith
be able to detect an •Buffer
attack in
the
event
of colluding nodes
Packet marking
with opinion
(MAC-ACK)
corresponding
packet
sequence number
and behavior parameter
•Overhears downstream traffic
•PROBE-ACK
PROBE replies
Shankar Karuppayah
8/15
Assumptions
 Routers have no energy constraints and have buffer of
infinite size
 Packet drop due to:
 Bad channel quality
 Medium access collision
 Presence of attackers
 Free from general wireless attacks:
 Sybil attacks
 Jamming (signal) attacks
 Colluding nodes are located next to each other
 Route caching to mitigate overhead
 Nodes have authentication methods implemented
Shankar Karuppayah
9/15
CAD+ Algorithm
Packet
Seq. Seq.
No. No.
Hash
Packet
HashValue
Value
•Source compares the filtered irregularities with the list of sent packets
•Retains
existing
features
of
CADpacket
•Destination
keeps
a list of monitoring
nodes24
•MN
monitors
data
packets
received
and
forwarded
byfinal
the
•Destination
compares
the
reported
irregularities
with
the
list
1 …
•Introduction
of
three
new
packet
types:
•When
MN
overhears
a PROBE
sent
Destination,
itofforwards
the list
…
•Source
refers
the
verified
irregularities
list
totoconduct
confirmation
2
43
•Source
and
Destination
perform
hashing
on
sent
(MN)
vs
monitored
nodes
node
being
monitored
based
on
the
monitoring
parameters
received
packets
and
then
replies
to
Source
with
a
modified
14
46
•Prelude (if applicable) towards Destination.
of irregularities
…
…
and
received
data
packets
respectively
•MN
maintains
irregularities
historyirregularities)
•Prelude-Notify
PROBE-ACK
(including
filtered
50
… 15
…
•Prelude-Ack
14 …
46
…
Monitored
Node
Packet Seq.
No.
Hash Value
Irregularity
Type
Count > COUNT_THRESH ?
v2
15
50
Interval
> INTERVAL_THRESH?
v2
34
v2 Node
Intermediate
v0
Interval
14.9
47
Alteration
MN1
Injection
35
Dropping
Irregularity
Type
35.6
22.8
3
2
Alteration
Irregularities
which
are monitored
by MN2
v0
v2
55
Count
Timestamp
Packet Seq. No.
S
v
3
Packet Seq.
No.
1
2
…
Monitored
Node…
v 14
2
6
1
Injection
1
v0 1
v1
Dropping
1
4
Dropping
Hash Value
Verified
24 Irregularities List
43
…
Timestamp
Packet Seq.
Hash
MN0
No. …
Value
15 46
50
14.9
v2
…
14
…
46
15
33
…
…
34
24
35
…
…
…
45
Irregularity Type
MN2
Alteration
Hash
Value
46
…
…
v3
33
47
16
69
33
… 35
…
…
…
…
…
…
…
Hashed …
Received Packets
…
33
…
…
...
31
38 MNID
MN3 …
… MN0
15
34
45
null
46
…
D
…
38
…
…
60
17
61
35
Hashed Received Packets
Monitored Node
v0
60
17 MN
v1
34 33
47
22.8
Alteration
1
WMN
Router
Node
WMN
Router
Node
Malicious Hashed
Monitored
Next Hop
Incoming
Outgoing
Next Monitoring
Monitoring
Sent Packets Overhearing
69
45Node
31
35.0Forwarding
Dropping
MN2
v2
(Forwarding
Path)
(Non
Counter Path)
Counter
(time) (MNX)
Node
Node
…
61 v2…
35
44.2
Injection 10
v3
5
34.30
MNbe
v3
3 reliable
*MNx is not colluding but may not
Hashed Sent
Packets which are monitored
Irregularities
MN2
Monitoringby
Parameters
Monitoring Node Vs Monitored Node Pair
v2 15
Source
16
v2
…
v2 …S
Shankar Karuppayah
10/15
Detection of Threats
 Threats detected (colluding nodes):
 Gray Hole attack
 Selectively drops packet
 Packet Injection
 Fabricates packet towards Destination node
 Packet Alteration
 Node alters a received packet (bit or data manipulation)
 Bad Mouthing Attack
 Framing an innocent node
Stealthy attacks by colluding nodes!!!
Shankar Karuppayah
11/15
Result and Analysis
Packet delivery ratio comparison with colluding selective dropping rate. (no channel loss)
Parameters
Simulator
Ns
Nodes
60
Simulation Time
(seconds)
500
Warm Up Period
(seconds)
50
Attacker Nodes
(random)
30%
Source Pairs
Shankar Karuppayah
Value
2
12/15
Result and Analysis (cont.)
Packet delivery ratio comparison with channel loss rate. Colluding selective dropping attacks present.
Parameters
Simulator
Ns
Nodes
60
Simulation Time
(seconds)
500
Warm Up Period
(seconds)
50
Channel Error
Nodes (random)
30%
Attacker Nodes
(random)
30%
Source Pairs
Shankar Karuppayah
Value
2
13/15
Result and Analysis (cont.)
Average detection rate of Gray Hole attackers with respect to simulation time.
Parameters
Simulator
Ns
Nodes
60
Simulation Time
(seconds)
500
Warm Up Period
(seconds)
50
Normal Channel
Loss Rate
10%
Channel Error
Nodes (random)
30%
Source Pairs
Shankar Karuppayah
Value
2
14/15
Conclusion and Future Work
 Developed a detection algorithm CAD+ which:
 Integrates CAD with neighborhood monitoring feature
 Enables detection and isolation of colluding Gray Hole attackers
 Detects other variation of colluding attacks:
 Packet alteration
 Packet injection
 Packet dropping
 Future Work:
 Investigate possibilities of mobile MN
 Incentives for MN to encourage cooperation
 Extend CAD+ to detect other network layer attacks
Shankar Karuppayah
15/15
References
 Sergio Marti, T. J. Giuli, Kevin Lai, and Mary Baker. Mitigating routing
misbehavior in mobile ad hoc networks. In Proceedings of the 6th annual
international conference on Mobile computing and networking, MobiCom ’00,
pages 255–265, New York, NY, USA, 2000.
 Sukla Banerjee. Detection/Removal of Cooperative Black and Gray Hole Attack
in Mobile Ad-Hoc Networks. In Proceedings of the World Congress on
Engineering and Computer Science 2008, WCECS ’08, October 22 - 24, 2008,
San Francisco, USA, Lecture Notes in Engineering and Computer Science,
pages 337–342. Newswood Limited, 2008.
 D.M. Shila, Yu Cheng, and T. Anjali. Mitigating selective forwarding attacks with a
channel-aware approach in WMNS. Wireless Communications, IEEE
Transactions on, 9(5):1661 –1675, May 2010.
Shankar Karuppayah
16/15

similar documents