Intrusion Monitoring of Malicious Routing Behavior
Poornima Balasubramanyam
Karl Levitt
Computer Security Laboratory
Department of Computer Science
UC Davis
UC Davis SecLab MURI October 2002
Security Threats
• Outsider attacks
– infiltrate routing process
– modify routing information
– cause redirection of network traffic, DoS attacks, etc.
– countermeasure: use of strong integrity mechanisms
Security Threats – Contd.
• Insider attacks
– Compromised rogue routers
• legitimately participate in routing protocol
• influence local routing behavior
• actively disrupt global routing behavior
– Integrity mechanisms are in place
• Routers do not masquerade as other routers
– Integrity mechanisms are not in place
• Routers masquerade as other routers
Intrusion Monitoring of Networks
• Most intrusion monitoring is fine-grained
– E.g., network packet analysis
• Some intrusions require higher level monitoring
– Intrusive behavior may be visible earlier
• Our approach is aimed at multi-grained intrusion monitoring
Sample Network (diagram: an AS containing Areas 1, 2 and 3; routers R1 through R13; hosts H1 and H2)
Link R4-R5 Is Down (diagram: the sample network with the link between R4 and R5 removed)
Newly Isolated Node – R5; Single Point of Connection – R6 (diagram: the sample network after the R4-R5 link failure)
Centrality of R6 greater even if degree of R6 unchanged (diagram: detail of Areas 1, 2 and 3 showing R4, R5, R6, R10 and R11)
Isolated Node – R5; Centrality of Routers R10, R11, R12 Increases (diagram: detail of Areas 1, 2 and 3 showing R4, R5, R6, R10, R11 and R12)
Subnet Failure (diagram: the sample network)
Link Failure (diagram: the sample network)
Second Link Failure – Temporal Failure Correlation (diagram: the sample network)
Centrality of R5 Increases Enormously; Result: Large Scale Traffic Redirection (diagram: the sample network)
Compromised Routers
Legitimately participate in routing protocol
– Integrity mechanisms are in place
• Routers do not masquerade as other routers
• May place themselves in more routing paths
• Influence local routing behavior
• Actively disrupt global routing behavior
– Suitable response
• Place routers out of legitimate routing process before disruption is too great
Compromised Routers - Contd.
Legitimately participate in routing protocol
– Integrity mechanisms are not in place
• Routers masquerade as other routers
• Spoofing attack on victim routers
• Rogue router remains invisible
– Suitable Response
• Re-route overloaded router traffic and enforce traffic congestion control policies
Centrality Analysis
• Captures structurally central part of a network
• Depends on point of view
– may be nodes with most direct connections to neighbors, or
– nodes that are most connected to network, or
– the nodes that are closest to other points
• Degree Centrality
– Number of nodes to which a node is directly linked
– Reflective of potential communication activity
– Measure of vulnerability of node since high degree nodes will be less vulnerable to attack
– Node of low degree is isolated and cut off from active participation in ongoing network activity
• Degree Centrality of a node is given by:
C_D(p_k) = \sum_{i=1}^{n} a(p_i, p_k),
where a(p_i, p_k) = 1 iff p_i and p_k have an edge connecting them, and 0 otherwise
• Betweenness centrality
– Based on frequency with which a node falls between pairs of other points on shortest paths between them
– Overall index determined by summing partial values for all unordered pairs of points
– Betweenness centrality of a node is greater if it lies on a greater number of shortest paths between other node pairs
– Defines potential for control of communication
Betweenness Centrality of a node
Given nodes p_i and p_j with g_{ij} geodesics (shortest paths) between them, the probability of using any one of these paths is given by 1 / g_{ij}
Betweenness Centrality of a Node – Contd.
• Thus, if g_{ij}(p_k) = # of geodesics between p_i and p_j that contain p_k, then the probability that p_k falls on a randomly selected geodesic linking p_i and p_j is given by
b_{ij}(p_k) = g_{ij}(p_k) / g_{ij}
• Betweenness Centrality of a node – contd.
The overall centrality of a node p_k is determined by summing the partial probabilities for all unordered pairs of points. Thus,
C_B(p_k) = \sum_{i=1}^{n} \sum_{j=1}^{n} b_{ij}(p_k), summed over unordered pairs (i < j), where i ≠ j ≠ k
• When a node falls on the only shortest path between a pair of points, the centrality of the point increments by 1
• applicable in straightforward routing
• With alternate geodesics, the centrality index grows in proportion to the frequency of occurrence of that node among the alternatives
• applicable in equal-cost multi-path routing
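As an added worked example (not code from the slides or the authors), the degree and betweenness definitions above computed in Python over a small constructed topology, followed by the link-failure comparison the earlier slides describe: the link R4-R5 is removed and the routers whose betweenness jumps are reported, which shows R6's betweenness rising while its degree stays unchanged. The topology, the router names, the failed link and the alert threshold are all constructed for illustration and are not the slides' network.

```python
from collections import deque
from itertools import combinations

# Constructed example topology (not the slides' diagram): undirected router
# links. R4 joins the R1-R2-R3 chain to the 4-cycle R4-R5-R7-R6; R8 hangs off R7.
SAMPLE_LINKS = [
    ("R1", "R2"), ("R2", "R3"), ("R3", "R4"),
    ("R4", "R5"), ("R4", "R6"), ("R5", "R7"), ("R6", "R7"),
    ("R7", "R8"),
]


def build_graph(links):
    """Adjacency sets for an undirected graph."""
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def degree_centrality(adj):
    """C_D(p_k) = sum_i a(p_i, p_k): the number of nodes directly linked to p_k."""
    return {node: len(neigh) for node, neigh in adj.items()}


def geodesic_counts(adj, source):
    """BFS from source returning, for every reachable node v, its distance and
    the number of geodesics g_{source,v} (equal-length shortest paths)."""
    dist = {source: 0}
    sigma = {source: 1}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in dist:               # first time seen: one hop further
                dist[w] = dist[u] + 1
                sigma[w] = 0
                queue.append(w)
            if dist[w] == dist[u] + 1:      # u lies on a shortest path to w
                sigma[w] += sigma[u]
    return dist, sigma


def betweenness_centrality(adj):
    """Freeman's C_B(p_k) = sum over unordered pairs {p_i, p_j}, i != j != k,
    of b_ij(p_k) = g_ij(p_k) / g_ij. Node p_k lies on a geodesic between p_i
    and p_j exactly when d(i,k) + d(k,j) == d(i,j); the number of such
    geodesics is then g_ij(p_k) = g_ik * g_kj."""
    dist, sigma = {}, {}
    for s in adj:
        dist[s], sigma[s] = geodesic_counts(adj, s)
    cb = {k: 0.0 for k in adj}
    for i, j in combinations(adj, 2):
        if j not in dist[i]:
            continue                        # disconnected pair: no geodesics
        for k in adj:
            if k in (i, j) or k not in dist[i]:
                continue
            if dist[i][k] + dist[k][j] == dist[i][j]:
                cb[k] += sigma[i][k] * sigma[k][j] / sigma[i][j]
    return cb


def centrality_shift(adj, failed_link):
    """Per-node change in betweenness when one link fails: the topology-change
    signal a centrality monitor would watch."""
    before = betweenness_centrality(adj)
    u, v = failed_link
    after_adj = {n: set(nb) for n, nb in adj.items()}
    after_adj[u].discard(v)
    after_adj[v].discard(u)
    after = betweenness_centrality(after_adj)
    return {n: after[n] - before[n] for n in adj}


def flag_redirection(shift, threshold):
    """Routers whose betweenness grew by at least `threshold` (a constructed
    alert threshold) now carry a much larger share of shortest paths."""
    return sorted(n for n, delta in shift.items() if delta >= threshold)


if __name__ == "__main__":
    adj = build_graph(SAMPLE_LINKS)
    print("degree:", degree_centrality(adj))
    print("betweenness:", betweenness_centrality(adj))
    shift = centrality_shift(adj, ("R4", "R5"))
    print("shift after R4-R5 failure:", shift)
    print("flagged:", flag_redirection(shift, 4.0))
```

On this constructed graph R4 starts with the highest betweenness (12.5); after R4-R5 fails, R6 gains 8 and R7 gains 4.5 while R6's degree stays at 2, so a monitor keyed on betweenness change sees the redirection that a degree-only view misses.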
• Computation of betweenness centrality
– Traditional summation methods are very costly, requiring O(n^3) time and O(n^2) space for n nodes and e edges
• Approaches to resolve computational issues
• Modified definitions
– egocentric approach
– simplified egocentric approaches
• Heuristics
– Exploit sparsity of connections in large networks
– Exploit correlation between degree centrality and betweenness centrality
• Recent Work in Intra-domain Routing Protocols (Application to OSPF)
– Modified Definition of Betweenness Centrality:
• Centrality of a node is determined with respect to root router of SPF tree
– Advantages
• Each router independently computes betweenness centrality indices of other routers
• Piggyback betweenness centrality computation within Dijkstra SPF algorithm at each router
• Each router can adopt independent response decisions based on this metric
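As an added example (not the authors' implementation), one way to piggyback a root-relative betweenness on the Dijkstra SPF run: the SPF loop additionally counts equal-cost shortest paths and records predecessors, and a backward pass over the settled order yields, for each other router, the number of destinations whose traffic from this root transits it (split fractionally under equal-cost multi-path). The slides do not spell out their modified definition, so this root-relative reading, which is Brandes' single-source dependency accumulation, is an assumption; the topology and link costs are constructed.

```python
import heapq

# Constructed OSPF-style topology with link costs (not the slides' diagram).
# Links are bidirectional with a symmetric cost; R3-R4 costs 2, the rest 1.
SAMPLE_COSTS = {
    ("R1", "R2"): 1, ("R2", "R3"): 1, ("R3", "R4"): 2,
    ("R4", "R5"): 1, ("R4", "R6"): 1, ("R5", "R7"): 1, ("R6", "R7"): 1,
    ("R7", "R8"): 1,
}


def build_weighted_graph(costs):
    """Adjacency map node -> {neighbor: cost} for an undirected weighted graph."""
    adj = {}
    for (u, v), c in costs.items():
        adj.setdefault(u, {})[v] = c
        adj.setdefault(v, {})[u] = c
    return adj


def spf_with_centrality(adj, root):
    """Dijkstra SPF rooted at `root`, extended to count equal-cost shortest
    paths (sigma) and record SPF predecessors. A backward pass over the
    settled order then gives, for each other node k, the number of
    destinations whose root-originated shortest-path traffic transits k
    (fractional when equal-cost paths split). Assumes positive link costs."""
    dist = {root: 0}
    sigma = {root: 1}
    preds = {n: [] for n in adj}
    settled = []
    done = set()
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        settled.append(u)
        for w, cost in adj[u].items():
            nd = d + cost
            if w not in dist or nd < dist[w]:     # strictly better path via u
                dist[w] = nd
                sigma[w] = sigma[u]
                preds[w] = [u]
                heapq.heappush(heap, (nd, w))
            elif nd == dist[w]:                   # equal-cost path via u
                sigma[w] += sigma[u]
                preds[w].append(u)
    # Backward pass: delta[v] = sum over successors w of sigma[v]/sigma[w] * (1 + delta[w]).
    delta = {n: 0.0 for n in adj}
    for w in reversed(settled):
        for v in preds[w]:
            delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
    centrality = {n: delta[n] for n in settled if n != root}
    return dist, centrality


def rank_from_root(adj, root):
    """Routers ordered by how much of this root's traffic they would carry,
    the view each router can compute independently from its own SPF run."""
    _, centrality = spf_with_centrality(adj, root)
    return sorted(centrality, key=lambda n: (-centrality[n], n))


if __name__ == "__main__":
    adj = build_weighted_graph(SAMPLE_COSTS)
    for root in ("R1", "R8"):
        dist, cent = spf_with_centrality(adj, root)
        print(root, "distances:", dist)
        print(root, "root-relative betweenness:", cent)
        print(root, "ranking:", rank_from_root(adj, root))
```

Because the metric is relative to the root, two routers rank the network differently: from R1 the chain R2, R3, R4 dominates, while from R8 it is R7 and then R4, with R5 and R6 each credited half of the equal-cost traffic towards Area-side destinations. That per-router view is what lets each router take its own response decision without a global computation.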
• Centrality Analysis in Ad hoc Networks
– Points of Interest
• Absence of communication infrastructure
• Each mobile node must also perform the duties of router
• Dynamically establish routing among themselves to form ad hoc network
– Routing Protocols being considered
• Two routing protocols considered for standardization by IETF, namely, DSR and AODV
• Hybrid ad hoc routing protocols that employ clustering and hierarchical techniques
• Ongoing Work
– For each of DSR, AODV, other hybrids:
• Develop functionality that abstracts global centrality information locally
• Study role of heuristics in addressing computational issues
– Ego-centric approaches
– Correlation studies
• Study limits of approach
Ongoing Work – contd.
Simulate intrusive behavior of malicious ad hoc hosts involving
- dense, complex networks
- with high node mobility and
- substantial dynamic topologies
• Specific Tasks
• Modify ns-2 simulator modules to support elements of centrality analysis within ad hoc routing protocols
• Performance analysis of estimates of centrality in presence of both node mobility and dynamic topologies as well as under specific node failure/link failure scenarios
Fundamental Motivation for Monitoring Routing
– Provide a systematic framework for
• developing security specifications/constraints
• establishing bounds for secure network behavior
– Create a more secure enhancement to an existing protocol
– Develop a response mechanism for
• Isolating intrusive behavior of a malicious node
• Use as a QoS metric to prevent traffic congestion
• Aspects to this study
– describe knowledge available to each router
• As a response mechanism, study feasibility of employing this information as a metric for –
• Conclusions
– Abstract global network control behavior locally at a router
– Capture changing topology to detect network wide routing attacks
– Early detection possible
– Subverting such monitoring harder
– Selectively misrouted packets not detected with this approach