research progress report
DESCRIPTION
Research Progress Report. Advisor: Professor Frank Y.S. Lin Present by Hubert J.W. Wang. Effective Network Planning and Defending Strategies to Maximize System Survivability of Wireless Mesh Networks under Malicious and Jamming Attacks. 無線網狀網路中考量惡意與多重干擾器攻擊下最大化系統存活度之高效網路規劃與防禦策略. Outline. - PowerPoint PPT PresentationTRANSCRIPT
Research Progress Report
Advisor: Professor Frank Y.S. LinPresent by Hubert J.W. Wang
Effective Network Planning and Defending Strategies to Maximize System Survivability of Wireless Mesh Networks under Malicious and Jamming Attacks
無線網狀網路中考量惡意與多重干擾器攻擊下最大化系統存活度之高效網路規劃與防禦策略
Outline•Problem Description
2011/5/16
Problem Description
Problem Description• Problem
▫ Topology information gathering▫ Jamming attack
• Environment▫ Infrastructure/Backbone WMNs
• Role▫ Attacker▫ Defender(Service provider)
2011/5/16
Problem Description(cont’)
2011/5/16
Scenario – Network Architecture2011/5/16
Base Station
Mesh router
Scenario – Defender’s Planning Phase2011/5/16
AB
C
D
E
FG
Base Station
Mesh router
HoneynodeAttacker
Nodes with more defense resource
Why didn’t the defender protect all the nodes with high population?1. Budget limited.2. The effectiveness of doing so
may not be the best.3. There are other ways to deploy
resources.
Scenario – Attacker’s Preparing Phase2011/5/16
Signal Strength
20
20
90
20
90
Initially, the attacker has following info:(Communication channel)1. Defense Resource2. Signal Strength3. Traffic Amount
20
90
A
B
C
D
E
F
G
Defense strength
Traffic amount
Signal Strength
Scenario – Attacker’s Preparing Phase(cont’)2011/5/16
Signal Strength
20
20
90
20
90
The honeynode: If the real channel is compromised, the attacker will be able to identify this target in Attacking Phase
20
90
A
B
C
D
E
F
G
Scenario – Attacker’s Preparing Phase(cont’)2011/5/16
Signal Strength
90
20
The attacker’s goal:Maximize attack effectiveness.Maximize jammed range
The next hop selecting criteria would be..
90
A
B
90
C
20
D
E
20
F
20
G
The node with the strongest signal power
(Easiest fo find)
The node with highest defense
resource(Aggressive)
Scenario – Attacker’s Preparing Phase(cont’)2011/5/16
Signal Strength
After compromise a mesh router, the attacker has following info:(Communication channel)1. Defense Resource2. Signal Strength3. Traffic AmountAnd…
90
9020
9020
20
90
20
90
90
20
G
L
B
I
D
E
A
H
K
F
JBeing compromised, and obtained:(Routing channel)1. Traffic Source2. Traffic Amount3. User number
Scenario –Population Re-allocation2011/5/16
Signal Strength90
2B
90
5A
20
6G
20
20E20
8O
20
4R
90
3Q
90
15C
20
8D
90
22P
Intrusion detected
Reallocate population on D’s neighbor
Re-allocation strategy might be:
Scenario –Population Re-allocation(cont’)2011/5/16
Signal Strength90
10B
90
9A
20
9G
20
9E20
9O
20
10R
90
10Q
90
9C
20
9D
90
9P
Capable of attack detection
Reallocate population on D’s neighbor
Re-allocation strategy: Average Population
Average the QoS impact caused by jamming
Scenario –Population Re-allocation(cont’)2011/5/16
Signal Strength90
2B
90
5A
20
6G
20
20E20
8O
20
4R
90
3Q
90
15C
20
8D
90
22P
Capable of attack detection
Real population on D’s neighbor
Re-allocation strategy: Average Traffic
Minimize the QoS impact caused by jamming
Scenario – Fake Traffic Generation2011/5/16
Signal Strength
90
30B
90
21A
20
6G
90
112C
20
28E
20
90D
90
27K
90
24L
90
25M
90
18N
Relatively low traffic sources on important nodes.
High traffic sources on unimportant nodes.
Select node C as next hop
Fake Traffic Generation
Scenario – Attacker’s Preparing Phase(cont’)2011/5/16
Base Station
Mesh router
Honeynode
Compromised mesh router
Attacker
Nodes with more defense resource
AB
C
D
E
FG
H I
J
K L
M N
OP Q
R
ST UV
WXSucceed
Failed
Scenario – Attacker’s Attacking Phase2011/5/16
AB
C
D
E
FG
H I
J
K L
M N
OP Q
R
ST UV
WX
Base Station
Mesh router
Honeynode
Compromised mesh routerJammed mesh router
Jammer
Attacker
Nodes with more defense resource
1) Jammed honeynode B
2) Jammed node V with high population
3) Jammed node P(not fake channel)
4) Jammed normal node F
5) Jammed honeynode U
Scenario – Defender’s Defending Phase - Channel Surfing2011/5/16
AB
C
D
E
FG
H I
J
K L
M N
OP Q
R
ST UV
WX
Base Station
Mesh router
Honeynode
Compromised mesh routerJammed mesh router
Jammer
Attacker
Nodes with more defense resource
The function of channel surfing function:1. Mitigate the impact of jamming Time Effectiveness2. Reduce difficulty to remove
jammer
Range overlapped. If the mesh router switch to other channel:1. Jammed time shotened.2. Jammers are not able to know
which channel is the origin channel unless it’s compromised.
Scenario – Defender’s Defending Phase - Localization2011/5/16
Mobile locator
0 100 200 3000
100
200
300
meter
Reference point 1(useless)
Reference point 2
Multiple jammers
Reference point 3
Reference point 4
One of the jammers removed
Static locator
Mobile locator
Jammer
Defender• Nodes
▫ Base Station▫ Mesh router(with 2 NICs) Routing channel Communication channel
▫ Honeynode(with 3 NICs)[1] Routing channel Communication channel Fake communication channel
▫ Locator
2011/5/16
[1] S. Misra, et al., "Using honeynodes for defense against jamming attacks in wireless infrastructure-based networks," Computers & Electrical Engineering, vol. 36, pp. 367-382, 2010.
Defender(cont’)• Planning phase
▫ Build Topology▫ Deploy non-deception based defense resources General defense resource (ex. Firewall, Antivirus, etc.) Localization resource (routers with minimum capability)
▫ Deploy deception based defense resources Honeynode
• Defending phase▫ Jamming mitigation▫ Jammer localization
2011/5/16
Defender(cont’)• Defense Mechanisms
▫ False target (Honeynodes)▫ Fake traffic generation (Honeynodes)▫ Channel surfing (BSs 、 Mesh Routers 、 Honeynodes)▫ Population re-allocation (BSs 、 Mesh Routers 、 Honeynodes)▫ Jammer localization (BSs 、 Mesh
Routers 、 Honeynodes 、 Locators)
2011/5/16
Defender(cont’)• Honeynode[1] as false target
▫ Effect: Preparing Phase Act as a false target to attract attack
and consume attacker’s budget. Provide fake routing table information
when compromised. Attacking Phase Prevent true channel from being
jammed.
▫ Tradeoff Occupying available communication
channels. (indirectly affects QoS)
2011/5/16
Defender(cont’)• Honeynode[1] as fake traffic generator
▫ Effect: Send fake traffic to neighbors to deceive
attackers into believing that this node is important.
▫ Tradeoff Channel capacity
▫ Triggers when node compromising actions are detected by the nodes in the topology and the defender think it helps to turn on this function.
2011/5/16
Defender(cont’)• Channel Surfing[1]
▫ Effect: Change frequency to another free channel to prevent from being jammed(with the help of
honeynode) or reduce jamming effect.▫ Tradeoff Availability
▫ Triggers when jamming attacks are detected by the nodes in the topology.• Population re-allocation
▫ Effect: Reduce jamming effectiveness by re-allocating users.
▫ Strategies Average population Average traffic
▫ Tradeoff QoS
▫ Triggers when node compromising actions are detected by the nodes in the topology and the defender think it helps to turn on this function.
2011/5/16
Defender(cont’)• Jammer localization[2]
▫ Effect: Localize jammer by exploiting hearing
ranges of boundary nodes to permanently remove jammer from the topology.
▫ Strategies Importance oriented Difficulty oriented
▫ Tradeoff Budget QoS
▫ Triggers QoS constraints has not been met.
2011/5/16
[2] Z. Liu, et al., "Wireless Jamming Localization by Exploiting Nodes’ Hearing Ranges," in Distributed Computing in Sensor Systems. vol. 6131, R. Rajaraman, et al., Eds., ed: Springer Berlin / Heidelberg, 2010, pp. 348-361.
Total Attackers
2011/5/16
[3] F. Cohen. Managing Network Security: Attack and Defense Strategies. Available: http
://www.blacksheepnetworks.com/security/info/misc/9907.html
Attacker’s Next Hop Selecting Criteria
2011/5/16
Preferences Next Hop Selecting Criteria of Strategies
Aggressive Least resistance
Easiest to find Stealthy Topology
extending Random
Defense ResourceHigh ↑ ↓ - X -
Low ↓ ↑ - ○ -
Traffic AmountHigh - - ○ X -
Low - - X ○ -
Signal StrengthHigh - - ○ - X
Low - - X - ○
2011/5/16
PS: ↑: Prefer when certain factor has high value ○: Purely prefer high - : No preference↓: Prefer when certain factor has low value X : Purely prefer low
Attacker’s Attributes• Budget
▫ General Distribution▫ Preparing phase
Node compromising▫ Defending phase
Buy jammers(Quality of jammer will affect the effectiveness of jamming.)
▫ Effects: Goal of attacker
• Capability▫ General Distribution▫ Effects:
Goal of attacker Probability of:
compromising nodes seeing through false target seeing through fake routing table information
2011/5/16
Attacker’s Attributes(cont’)• Mentality
▫ General Distribution▫ Effects: Next hop criteria selection Preference of success probability of compromising nodes Preference of using fake routing table information
2011/5/16
Attacker’s Goal and Corresponding Strategies
• Maximize effectiveness▫ Aggressive▫ Easiest to find▫ Random
• Maximize jammed range▫ Least resistance▫ Stealthy▫ Topology extending▫ Random
2011/5/16
Attacker’s Next Hop Selecting Criteria• From Surface Information (communication channel)
▫ Defense Resource▫ Signal Strength▫ Traffic Amount
• From Depth Information (routing channel)▫ Traffic Source▫ Traffic Amount
2011/5/16
Attacker’s Strategy transition rule
• Probability to choose strategy i :
• Strategyi’s success rate:
2011/5/16
1
1
1
1
is the continus success times for strategy is the level of risk avoidance for attacker
i
i
n
ijjConstFactor
n
ijj
i i k
i
k
TotalSuccessTimesv BaseValue
TotalAttackTimes
ContFactor cc i
k
1
in
ii
v
v
1
1
1
1
n
ijj
n
ijj
TotalSuccessTimes
TotalAttackTimes
Attacker’s Next Hop Selecting Criteria Transition Rule
• Probability of strategy i to choose criteria j :
• Criteraj’s success rate:
2011/5/16
1( , ) ( )
1
1 , when the criteria is from deep information( )
0
j
j
ConstFactor j
j
j j k
j j
j
TotalSuccessTimesv BaseValue pref i j diff j
TotalAttackTimes
ContFactor c
MaxOfCriteria MinOfCriteriaMaxOfCriteriadiff j
, otherwise is the continus success times for next hop selecting criteria is the level of risk avoidance for attacker
( , ) is the preferen
i
k
c jk
pref i j
ce of strategy of criteria i j
1
jn
jj
v
v
11
j
j
TotalSuccessTimesTotalAttackTimes
Attacker’s Next Hop Selecting Criteria Transition Rule(cont’)
2011/5/16
Value of pref(i,j) Aggressive Least resistance
Easiest to find Stealthy Topology
extending Random
Defense ResourceHigh 1 0.5 1
Low 1 1.5 1
Traffic AmountHigh 1 1 1.5 0.5 1
Low 1 1 0.5 1.5 1
Signal StrengthHigh 1 1 1.5 1 0.5
Low 1 1 0.5 1 1.5
PS: ↑: Prefer when certain factor has high value ○: Purely prefer high - : No preference↓: Prefer when certain factor has low value X : Purely prefer low
1.5 k
k
CurrentBudget
TotalBudget
0.5 1 k
k
CurrentBudget
TotalBudget
0.5 1 k
k
CurrentBudget
TotalBudget
1.5 k
k
CurrentBudget
TotalBudget
Contest Success Function
• Determine the success probability of the attacker.• Attackers will set a probability of success according to its mentality.• : Function of attacker’s attack effectiveness.• : Function of defender’s defense effectiveness.
2011/5/16
( )mAW T
( )mDW t
( )( ) ( )
( ) (1 )
( )
mA
m mA D
mmA
m mD
W TW T W t
W T T Capability
W t t
Risk Level• For fake traffic generator
• Vij computes when node i compromising action are detected.• Vij is the risk level of honeynode j with fake traffic generating function.• Vij determines whether to turn on fake traffic generating function or not.• Factor of defense strength of path from nodes being attacked to nodes equipped with the function :
• Factor of link degree of nodes equipped with the function :• Factor of distance between nodes being attacked and nodes equipped with the function : • Factor of distance between nodes equipped with the function and nearest BS :
2011/5/16
1 2 3 4+ , when
1, otherwise
ij j j j
ij
pathDefenseResource maxLinkDegree linkDegree pathToNode pathToCoreNodew w w w i j
V maxPathDefenseResource maxLinkDegree maxPathToNode maxPathToCoreNode
jmaxLinkDegree linkDegreemaxLinkDegree
ijpathDefenseResourcemaxPathDefenseResource
jpathToNodemaxPathToNode
jpathToCoreNodemaxPathToCoreNode
Risk Level(cont’)• For population re-allocation
• Vij computes when node i compromising action are detected.• Vij is the risk level of node j with population re-allocation function.• Vij determines whether to turn on population re-allocation function or not.• Factor of user numbers of nodes being attacked and its neighbor• Factor of defense strength of path from nodes being attacked to nodes equipped with the function :
• Factor of link degree of nodes equipped with the function :• Factor of distance between nodes being attacked and nodes equipped with the function :
2011/5/16
1 2 3 4 , when
0, otherwise
ij j ji
ij
pathDefenseResource maxLinkDegree linkDegree pathToNodemaxUserNum maxNeighborUserNumw w w w i j
V maxUserNum maxPathDefenseResource maxLinkDegree maxPathToNode
jpathToCoreNodemaxPathToCoreNode
jpathToNodemaxPathToNode
jmaxLinkDegree linkDegreemaxLinkDegree
The End•Thanks for your attention.
2011/5/16
Mathematical Formulation
Assumptions
1. The communications between mesh routers and between mesh routers and
mesh clients use different communication protocol.
2. All the packets are encrypted. Thus, the attacker can’t directly obtain
information in the communication channels.
3. The defender has complete information of the network which is attacked by
a single attacker with different strategies.
4. The attacker is not aware of the topology of the network. Namely, it doesn’t
know that there are honeynodes in the network and which nodes are
important, i.e., the attacker only has incomplete information of the network.
2011/5/16
Assumptions(cont’)
5. There are two kinds of defense resources, the non-deception based resources
and the deception based resources.
6. There are multiple jammers in the network, and their jamming ranges might
overlap.
7. There is only constructive interference between jamming signals.
2011/5/16
Given parameters
2011/5/16
Notation DescriptionN The index set of all nodesH The index set of all honeynodesP The index set of the nodes with channel surfing techniqueQ The index set of the nodes with precise localization techniqueR The index set of the nodes with detection technique
Given parameters
2011/5/16
Notation DescriptionB The defender’s total budget
Z All possible attack configuration, including attacker’s attributes and corresponding strategies.
E All possible defense configuration, including defense resources allocation and defending strategies
F Total attacking times of all attackersAn attack configuration, including the attributes and corresponding strategies , where 1≤ i ≤ F1 if the attacker can achieve his goal successfully, and 0 otherwise, where 1≤ i ≤ F( , )i iT D A
iA
Given parameters
2011/5/16
Notation Description
m(ρi)The cost of constructing a node with the quality with quality ρi, where i∈N
ni
The non-deception based defense resources allocated to node i, where i∈N
h(εi)The cost of constructing a honeynode with the interactive capability εi, where i∈H
a(φ) The cost of constructing static locators with the density φ
b The cost of constructing a channel surfing function to one node
c The cost of constructing a precise localization technique to one node
d The cost of constructing a detection technique to one nodet(ρi) The maximum traffic of node i with quality ρi, where i∈N
Decision variables
2011/5/16
Notation DescriptionThe information regarding resources allocating and defending
wi1 if node i is equipped with honeynode function, and 0 otherwise, where i∈N
xi1 if node i is equipped with channel surfing function, and 0 otherwise, where i∈N
yi1 if node i is implemented with precise localization technique, and 0 otherwise, where i∈N
zi1 if node i is implemented with the detection technique, and 0 otherwise, where i∈N
εi The interactive capability of honeypot i, where i∈N
ρi The quality of node i, where i∈N
φ The density of static locator
D
Objective function
2011/5/16
1
( , )F
i ii
D
T D Amin
F
(IP 1)
Constraints•Defender’s budget constraints
2011/5/16
(IP 1.1)
D E
(IP 1.2)iA Z
Constraints•Defender’s budget constraints
2011/5/16
1 1 1 1
1 1
( ) ( ) ( )N N H P
i i i i ii i i i
Q R
i ii i
m n w h a x b
y c z d B
(IP 1.3)
Constraints•Defender’s budget constraints
2011/5/16
1
( )N
ii
m B
1
N
ii
n B
1
( )H
i ii
w h B
( )a B
(IP 1.6)
(IP 1.7)
(IP 1.5)
(IP 1.4)
Constraints•Defender’s budget constraints
2011/5/16
1
R
ii
z d B
(IP 1.10)
(IP 1.9)
1
Q
ii
y c B
1
P
ii
x b B
(IP 1.8)
Constraints• QoS constraints
▫ QoS is a function of:1. BS loading2. Utilization of mesh routers on the path to BS3. Hops to core node4. Fake traffic effect, 5. Population re-allocation effect6. Channel surfing effect7. Jammer removal
2011/5/16
(IP 1.11)
1 ( , , , , , , )threshold
Yy BS link tocore effect effect effect effectQ L U H F P I J dy
QY
Constraints• QoS constraints
▫ ▫ The performance reduction cause by the jammed node should not
violate IP1.11.▫ The performance reduction cause by the channel surfing should
not violate IP1.11.
2011/5/16
(IP 1.12)
(IP 1.13)
QoS after population re-allocationthreshold
Q
(IP 1.14)
Constraints• Channel surfing constraints
▫ The mesh router must equipped with channel surfing technique.▫ The next channel to be selected must not be in use.▫ Channel surfing function triggers only if the jammed channel is
not a fake channel.• Population re-allocation constraints
▫ The mesh clients to be re-allocated must be in the transmission range of the mesh routers other than current mesh router.
▫ The total traffic of the mesh router i after re-allocation must not exceed the maximum traffic limit t(ρi), where i∈N.
2011/5/16
(IP 1.15)(IP 1.16)(IP 1.17)
(IP 1.18)
(IP 1.19)
Constraints• Approximate localization
▫ There must be at least three available reference points which is under the effect of jamming attack in the jammed channel.
• Precise localization▫ There must be at least one mobile locator in the network.
• Fake traffic▫ The fake traffic sent to mesh router i from the honeynodes must not
make it exceed the maximum traffic limit t(ρi), where i∈N
2011/5/16
(IP 1.21)
(IP 1.22)
(IP 1.20)
Constraints
2011/5/16
(IP 1.25)
(IP 1.24)
i N (IP 1.23)
(IP 1.26)
i N
i N
i N
0 1iw or
0 1ix or0 1iy or0 1iz or
• Integer constraints