
1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis

Upload: tony-surridge, 14-Dec-2015

Page 1

Intrusion Monitoring of Malicious Routing Behavior

Poornima Balasubramanyam

Karl Levitt

Computer Security Laboratory

Department of Computer Science

UCDavis

Page 2

UCDavis SecLab MURI, October 2002

Security Threats

• Outsider attacks
  – infiltrate routing process
  – modify routing information
  – cause redirection of network traffic, DoS attacks, etc.
  – countermeasure: use of strong integrity mechanisms

Page 3

Security Threats – Contd.

• Insider attacks
  – Compromised rogue routers
    • legitimately participate in routing protocol
    • influence local routing behavior
    • actively disrupt global routing behavior
  – Integrity mechanisms are in place
    • Routers do not masquerade as other routers
  – Integrity mechanisms are not in place
    • Routers masquerade as other routers.

Page 4

Intrusion Monitoring of Networks

• Most intrusion monitoring is fine-grained
  – E.g., network packet analysis
• Some intrusions require higher level monitoring
  – Intrusive behavior may be visible earlier
• Our approach is aimed at multi-grained intrusion monitoring

Page 5

Sample Network [figure: one AS containing Area 1, Area 2 and Area 3; routers R1 to R13; hosts H1 and H2]

Page 6

Link R4-R5 Is Down [figure: the sample network (Areas 1 to 3, R1 to R13, H1, H2) with link R4-R5 marked down]

Page 7

Newly Isolated Node – R5; Single Point of Connection – R6 [figure: the sample network, Areas 1 to 3, R1 to R13, H1, H2]

Page 8

Centrality of R6 greater even if degree of R6 unchanged [figure: AS with R4, R5, R6, R10, R11 across Areas 1 to 3]

Page 9

Isolated Node – R5; Centrality of Routers R10, R11, R12 Increases [figure: AS with R4, R5, R6, R10, R11, R12 across Areas 1 to 3]

Page 10

Subnet Failure [figure: the sample network, Areas 1 to 3, R1 to R13, H1, H2]

Page 11

Link Failure [figure: the sample network, Areas 1 to 3, R1 to R13, H1, H2]

Page 12

Second Link Failure – Temporal Failure Correlation [figure: the sample network, Areas 1 to 3, R1 to R13, H1, H2]

Page 13

Centrality of R5 Increases Enormously. Result: Large Scale Traffic Redirection [figure: the sample network, Areas 1 to 3, R1 to R13, H1, H2]

Page 14

Compromised Routers

• Legitimately participate in routing protocol
  – Integrity mechanisms are in place
    • Routers do not masquerade as other routers
    • May place themselves in more routing paths
    • Influence local routing behavior
    • Actively disrupt global routing behavior
  – Suitable response
    • Place routers out of legitimate routing process before disruption is too great

Page 15

Compromised Routers - Contd.

• Legitimately participate in routing protocol
  – Integrity mechanisms are not in place
    • Routers masquerade as other routers
    • Spoofing attack on victim routers
    • Rogue router remains invisible
  – Suitable Response
    • Re-route overloaded router traffic and enforce traffic congestion control policies

Page 16

Centrality Analysis

• Captures structurally central part of a network
• Depends on point of view
  – may be nodes with most direct connections to neighbors, or
  – nodes that are most connected to network, or
  – the nodes that are closest to other points

Page 17

• Degree Centrality
  – Number of nodes to which a node is directly linked
  – Reflective of potential communication activity
  – A measure of a node's vulnerability, since high-degree nodes are less vulnerable to attack
  – A node of low degree is isolated and cut off from active participation in ongoing network activity

Page 18

• Degree Centrality of a node $p_k$ is given by:

  $C_D(p_k) = \sum_{i=1}^{n} a(p_i, p_k)$

  where $a(p_i, p_k) = 1$ iff $p_i$ and $p_k$ have an edge connecting them, and $0$ otherwise.

Page 19

• Betweenness centrality

– Based on frequency with which a node falls between pairs of other points on shortest paths between them

– Overall index determined by summing partial values for all unordered pairs of points

– Betweenness centrality of a node is greater if it lies on a greater number of shortest paths between other node pairs

– Defines potential for control of communication

Page 20

Betweenness Centrality of a node

Given nodes $p_i$ and $p_j$ with $g_{ij}$ geodesics (shortest paths) between them, the probability of using any one of these paths is given by $1 / g_{ij}$.

Page 21

Betweenness Centrality of a Node – Contd.

• Thus, if $g_{ij}(p_k)$ = # of geodesics between $p_i$ and $p_j$ that contain $p_k$, then the probability that $p_k$ falls on a randomly selected geodesic linking $p_i$ and $p_j$ is given by

  $b_{ij}(p_k) = \dfrac{g_{ij}(p_k)}{g_{ij}}$

Page 22

• Betweenness Centrality of a node – contd.

The overall centrality of a node $p_k$ is determined by summing the partial probabilities for all unordered pairs of points. Thus,

  $C_B(p_k) = \sum_{i=1}^{n} \sum_{j=1}^{n} b_{ij}(p_k)$, where $i \ne j \ne k$

• When a node falls on the only shortest path between a pair of points, the centrality of the point increments by 1
  • applicable in straightforward routing
• With alternate geodesics, the centrality index grows in proportion to the frequency of occurrence of that node among the alternatives
  • applicable in equal-cost multi-path routing
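The two indices defined on the preceding slides, worked through as an added example (Python; not code from the slides or the UC Davis project): $C_D$ by neighbour count, and $C_B$ by summing $b_{ij}(p_k) = g_{ij}(p_k)/g_{ij}$ over unordered pairs, with the fractional shares that equal-cost multi-path produces kept exact. It then replays the "Link R4-R5 Is Down" scenario to show a router whose betweenness rises while its degree stays the same. The transcript does not give the sample network's actual links, so the edge list below is constructed from the slides' router names; the function names and the unit-cost (minimum-hop) assumption are likewise mine.

```python
"""Degree and betweenness centrality (Freeman's definitions, as on the
slides) and a before/after comparison for a link failure.

Added example; not code from the slides or the UC Davis MURI project.
The topology below is CONSTRUCTED from the slides' router names: the
transcript does not give the sample network's real links.  Links are
treated as unit cost, so geodesics are minimum-hop paths."""
from collections import deque
from fractions import Fraction


def build_graph(edges):
    """Undirected adjacency sets from a list of (u, v) links."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def degree_centrality(adj):
    """C_D(p_k) = sum_i a(p_i, p_k): the number of directly linked nodes."""
    return {k: len(nbrs) for k, nbrs in adj.items()}


def geodesic_counts(adj, src):
    """BFS from src.  dist[v] is the hop distance and sigma[v] the number
    of distinct geodesics (shortest paths) from src to v."""
    dist, sigma = {src: 0}, {src: 1}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:            # first time seen: one hop further
                dist[v], sigma[v] = dist[u] + 1, 0
                queue.append(v)
            if dist[v] == dist[u] + 1:   # u lies on a shortest path to v
                sigma[v] += sigma[u]
    return dist, sigma


def betweenness_centrality(adj):
    """C_B(p_k) = sum over unordered pairs {p_i, p_j}, i != j != k, of
    b_ij(p_k) = g_ij(p_k) / g_ij.  p_k lies on a geodesic between p_i and
    p_j exactly when d(i,k) + d(k,j) == d(i,j); then the number of such
    geodesics is g_ij(p_k) = sigma_i(k) * sigma_k(j).  Fractions keep
    the equal-cost multi-path shares exact (no float drift)."""
    nodes = list(adj)
    sp = {n: geodesic_counts(adj, n) for n in nodes}
    cb = {n: Fraction(0) for n in nodes}
    for a, i in enumerate(nodes):
        dist_i, sigma_i = sp[i]
        for j in nodes[a + 1:]:
            if j not in dist_i:          # no path at all: nothing to share
                continue
            for k in nodes:
                if k == i or k == j or k not in dist_i:
                    continue
                dist_k, sigma_k = sp[k]
                if dist_i[k] + dist_k[j] == dist_i[j]:
                    cb[k] += Fraction(sigma_i[k] * sigma_k[j], sigma_i[j])
    return cb


def link_failure_shift(adj, u, v):
    """Recompute both indices with link u-v removed.  Returns the routers
    whose betweenness rose, as {router: (before, after)}, plus the degree
    maps before and after, so a monitor can spot a router that became
    more central without its degree changing (the slides' R6 case)."""
    pruned = {n: set(nbrs) for n, nbrs in adj.items()}
    pruned[u].discard(v)
    pruned[v].discard(u)
    before, after = betweenness_centrality(adj), betweenness_centrality(pruned)
    risen = {n: (before[n], after[n]) for n in adj if after[n] > before[n]}
    return risen, degree_centrality(adj), degree_centrality(pruned)


# Constructed topology (assumption): Area 1 = R1..R4, Area 3 = R5, R6,
# Area 2 = R10..R12.  Area 1 reaches Area 2 either through R5 or R6.
SAMPLE_EDGES = [
    ("R1", "R2"), ("R1", "R3"), ("R2", "R4"), ("R3", "R4"),   # Area 1
    ("R4", "R5"), ("R4", "R6"), ("R5", "R6"),                 # into Area 3
    ("R5", "R10"), ("R6", "R11"),                             # Area 3 to Area 2
    ("R10", "R11"), ("R10", "R12"), ("R11", "R12"),           # Area 2
]
SAMPLE = build_graph(SAMPLE_EDGES)

if __name__ == "__main__":
    risen, deg_before, deg_after = link_failure_shift(SAMPLE, "R4", "R5")
    for router, (b, a) in sorted(risen.items()):
        print(f"{router}: C_B {b} -> {a}, "
              f"degree {deg_before[router]} -> {deg_after[router]}")
```

On the constructed topology, withdrawing R4-R5 leaves R6 as the only crossing between Area 1 and the rest of the AS, so its betweenness jumps while its degree stays at 3; that is the signal the "degree of R6 unchanged" slide points at, and it is invisible to a degree-only monitor.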

Page 23

• Computation of betweenness centrality

– Traditional summation methods are very costly, requiring O(n^3) time and O(n^2) space for n nodes and e edges

Page 24

• Approaches to resolve computational issues

• Modified definitions

– egocentric approach

– simplified egocentric approaches

• Heuristics

– Exploit sparsity of connections in large networks

– Exploit correlation between degree centrality and betweenness centrality

Page 25

• Recent Work in Intra-domain Routing Protocols (Application to OSPF)
  – Modified Definition of Betweenness Centrality:
    • Centrality of a node is determined with respect to root router of SPF tree
  – Advantages
    • Each router independently computes betweenness centrality indices of other routers
    • Piggyback betweenness centrality computation within Dijkstra SPF algorithm at each router
    • Each router can adopt independent response decisions based on this metric
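One way to do the piggybacking described above, as an added example (Python; not the project's implementation, which the slides do not show): a single Dijkstra run from the root router that, while building the SPF tree, also counts equal-cost shortest paths and then accumulates each router's root-relative betweenness, i.e. the share of the root's shortest paths to every destination that pass through that router. The accumulation step is Brandes' single-source dependency rule, chosen here as a standard technique for getting this quantity out of one SPF pass. The link-state database, its costs, the alert threshold and the function names are all constructed for the example.

```python
"""Root-relative betweenness piggybacked on Dijkstra SPF.

Added example, not code from the slides or the UC Davis project.  The
router runs SPF from itself; during the run it counts equal-cost
shortest paths (sigma) and records predecessors, then walks the settled
nodes in reverse distance order accumulating, for every router v, the
sum over destinations t of (fraction of the root's shortest paths to t
that pass through v).  That accumulation is Brandes' single-source
dependency rule, one standard way to obtain the quantity from one SPF.
Link costs are positive, as OSPF requires; the topology is constructed."""
import heapq


def spf_with_centrality(links, root):
    """links: {router: {neighbour: cost}}.  Returns (dist, cb) where
    dist[v] is the SPF distance from root and cb[v] is the root-relative
    betweenness of v (the root itself is excluded from cb)."""
    dist, sigma, preds = {root: 0}, {root: 1}, {root: []}
    settled, order = set(), []
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in settled:                 # stale heap entry
            continue
        settled.add(u)
        order.append(u)                  # settled in nondecreasing distance
        for v, cost in links[u].items():
            nd = d + cost
            if v not in dist or nd < dist[v]:      # strictly better path
                dist[v], sigma[v], preds[v] = nd, sigma[u], [u]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:                    # equal-cost alternative
                sigma[v] += sigma[u]
                preds[v].append(u)
    # Dependency accumulation: each settled node hands its own share,
    # plus one for itself as a destination, back to its predecessors in
    # proportion to how many of its shortest paths run through each.
    cb = {v: 0.0 for v in order}
    for w in reversed(order):
        for v in preds[w]:
            cb[v] += sigma[v] / sigma[w] * (1 + cb[w])
    cb.pop(root)
    return dist, cb


def without_link(links, a, b):
    """Copy of the link-state database with link a-b withdrawn."""
    pruned = {u: dict(nbrs) for u, nbrs in links.items()}
    pruned[a].pop(b, None)
    pruned[b].pop(a, None)
    return pruned


def centrality_jumps(links_before, links_after, root, factor=2.0):
    """Rerun SPF after a topology change and return {router: ratio} for
    routers whose root-relative betweenness grew by at least `factor`
    (a constructed alerting rule, not one taken from the slides)."""
    _, before = spf_with_centrality(links_before, root)
    _, after = spf_with_centrality(links_after, root)
    jumps = {}
    for v, new in after.items():
        old = before.get(v, 0.0)
        ratio = float("inf") if old == 0 else new / old
        if new > 0 and ratio >= factor:
            jumps[v] = ratio
    return jumps


# Constructed link-state database (costs are assumptions) using the
# slides' router names: R4 is the root; R5 and R6 lead to Area 2.
LSDB = {
    "R4": {"R5": 1, "R6": 1},
    "R5": {"R4": 1, "R6": 1, "R10": 1},
    "R6": {"R4": 1, "R5": 1, "R11": 1},
    "R10": {"R5": 1, "R11": 1, "R12": 1},
    "R11": {"R6": 1, "R10": 1, "R12": 1},
    "R12": {"R10": 1, "R11": 1},
}

if __name__ == "__main__":
    _, cb = spf_with_centrality(LSDB, "R4")
    print("root-relative betweenness seen from R4:", cb)
    print("jumps after R4-R5 fails:",
          centrality_jumps(LSDB, without_link(LSDB, "R4", "R5"), "R4"))
```

Because every router already runs SPF on each topology change, the extra cost is the predecessor lists and one reverse pass over the settled order, so the index is refreshed at the same moment the routing table is, which is what lets a router decide its own response without waiting on a global computation.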

Page 26

• Centrality Analysis in Ad hoc Networks
  – Points of Interest
    • Absence of communication infrastructure
    • Each mobile node must also perform the duties of router
    • Dynamically establish routing among themselves to form ad hoc network
  – Routing Protocols being considered
    • Two routing protocols considered for standardization by IETF, namely, DSR and AODV
    • Hybrid ad hoc routing protocols that employ clustering and hierarchical techniques

Page 27

• Ongoing Work
  – For each of DSR, AODV, other hybrids:
    • Develop functionality that abstracts global centrality information locally
    • Study role of heuristics in addressing computational issues
      – Ego-centric approaches
      – Correlation studies
    • Study limits of approach

Page 28

Ongoing Work – contd.

Simulate intrusive behavior of malicious ad hoc hosts involving

- dense, complex networks

- with high node mobility and

- substantial dynamic topologies

Page 29

• Specific Tasks

• Modify ns-2 simulator modules to support elements of centrality analysis within ad hoc routing protocols

• Performance analysis of estimates of centrality in presence of both node mobility and dynamic topologies as well as under specific node failure/link failure scenarios

Page 30

Fundamental Motivation for Monitoring Routing

– Provide a systematic framework for
  • developing security specifications/constraints
  • establishing bounds for secure network behavior
– Create a more secure enhancement to an existing protocol
– Develop a response mechanism for
  • Isolating intrusive behavior of a malicious node
  • Use as a QoS metric to prevent traffic congestion

• Aspects to this study
  – describe knowledge available to each router
  • As a response mechanism, study feasibility of employing this information as a metric for –

Page 31

• Conclusions

– Abstract global network control behavior locally at a router

– Capture changing topology to detect network wide routing attacks

– Early detection possible

– Subverting such monitoring harder

– Selectively misrouted packets not detected with this approach