A protocol framework for attacker traceback in wireless multi-hop networks (USC Thesis Other)
A PROTOCOL FRAMEWORK FOR ATTACKER TRACEBACK IN WIRELESS MULTI-HOP NETWORKS

by Yongjin Kim

A Dissertation Presented to the FACULTY OF THE GRADUATE SCHOOL, UNIVERSITY OF SOUTHERN CALIFORNIA, In Partial Fulfillment of the Requirements for the Degree DOCTOR OF PHILOSOPHY (COMPUTER ENGINEERING)

December 2006

Copyright 2006 Yongjin Kim

Dedication

To my lovely family Hyeweon, Jiyae and Eunjae for their everlasting love and support

Acknowledgements

I would like to express my deepest appreciation and gratefulness to my advisor, Ahmed Helmy. Not even a single accomplishment in this dissertation would have been possible without Dr. Helmy's advice. He has encouraged me not only in research, but also in life and career, which made me overcome many obstacles during my PhD program. My wife Hyeweon supported me in every aspect of life with her everlasting love. I want to thank my daughter, Esther, for her lovable support in my life. My second son, Evan, who was born during my PhD program, is another great accomplishment during my PhD program. I also would like to thank the members of my defense and qualifying exam committee, including Prof. Bhaskar Krishnamachari, Prof. Ramesh Govindan, Prof. C.-C. Jay Kuo, and Prof. Antonio Ortega. They have offered much useful feedback that finally brought the completion of this thesis. I feel so lucky because I could meet very good and considerate colleagues at Nomads Lab, at USC. They stimulated my research and also made my PhD student life much more enjoyable. They will be my friends forever. My thesis is in part supported by grants from the National Science Foundation (NSF) Career Award, and the NSF ACQUIRE project.

Table of Contents

Dedication ... ii
Acknowledgements ... iii
List of Tables ... vii
List of Figures ... viii
Abstract ... xi
Chapter 1 Introduction ... 1
1.1 Characteristics of Wireless Multi-hop Networks ... 1
1.2 Security Issues in Wireless Multi-hop Networks ... 4
1.3 Attacker Traceback in Wireless Multi-hop Networks ... 7
1.4 Contributions of the Dissertation ... 10
1.5 Organization of the Dissertation ... 13
Chapter 2 Related Work ... 14
2.1 Overview of Previous Work on Attacker Traceback ... 14
2.2 ICMP Traceback Messages ... 15
2.3 Packet Marking ... 18
2.4 Logging-based Traceback ... 20
2.5 Controlled Flooding ... 22
2.6 Design Requirements ... 23
Chapter 3 Abnormality Detection ... 27
3.1 Overview ... 27
3.2 Definition of Abnormality ... 28
3.3 Abnormality Detection with FDM ... 34
3.4 Abnormality Detection with Pivot Method ... 34
3.5 Abnormality Detection with EWMA ... 37
3.6 Coarse-grained vs. Fine-grained Abnormality Detection ... 38
3.7 Important Parameters ... 41
3.8 Performance Analysis ... 42
Chapter 4 Abnormality Characterization ... 49
4.1 Overview ... 49
4.2 Abnormality Characterization with Traffic Pattern ... 49
4.3 Abnormality Characterization with Distribution Function ... 50
4.4 Coarse-grained vs. Fine-grained Abnormality Characterization ... 52
4.5 Important Parameters for Abnormality Characterization ... 53
Chapter 5 Abnormality Matching ... 54
5.1 Overview ... 54
5.2 Traffic Pattern/Volume Matching ... 54
5.3 Kolmogorov-Smirnov Fitness Test ... 57
5.4 Coarse-grained vs. Fine-grained Abnormality Matching ... 59
5.5 Performance Analysis ... 68
Chapter 6 Abnormality Searching ... 75
6.1 Overview ... 75
6.2 Small World-based Extended Contact Architecture ... 75
6.3 Relay Node-based Searching vs. Majority Voting-based Searching ... 79
6.4 Performance Analysis ... 80
Chapter 7 Countermeasure ... 84
7.1 Overview ... 84
7.2 Packet Filtering vs. Rate-Limiting ... 84
7.3 Traceback-assisted Countermeasure ... 85
7.4 Performance Analysis ... 88
Chapter 8 Overall Traceback Protocol ... 92
8.1 Overview ... 92
8.2 Relay Node-based Protocol ... 92
8.3 Majority Voting-based Protocol ... 97
8.4 Performance Analysis ... 100
Chapter 9 Risk Analysis in Mobile Network ... 103
9.1 Overview ... 103
9.2 Dimensions in Mobile Networks ... 105
9.2.1 Temporal Transition Dimension (T-dimension) ... 105
9.2.2 Spatial Transition Dimension (S-dimension) ... 106
9.2.3 Address Dimension (Addr-dimension) ... 108
9.2.4 Area Dimension (A-dimension) ... 108
9.2.5 Node Coordination Dimension (N-dimension) ... 108
9.3 Combinational Set-based Risk Analysis ... 108
9.3.1 Simple Mobility Misuse (SMM) Attack ... 109
9.3.2 Mobility and Address Misuse (MAM) Attack ... 110
9.3.3 False Mobility Generation (FMG) Attack ... 111
9.3.4 Distributed Blinking (DB) Attack ... 111
9.3.5 Disabling Targeted Area (DTA) Attack ... 112
9.3.6 Disabling Targeted Address (DTAddr) Attack ... 113
9.4 Risk Analysis of Intermediate/Victim Node Mobility ... 114
9.4.1 Risk Classification ... 114
9.4.2 Risk Analysis Methodology ... 115
9.5 Impact of Mobility Model on Traceback ... 118
9.5.1 Atomic Mobility Metrics ... 118
9.5.2 Mobility Dependency ... 119
9.6 Simulation-based Risk Analysis ... 120
Chapter 10 Multi-dimensional Information Fusion Architecture ... 126
10.1 Overview ... 126
10.2 Information Gathering ... 127
10.3 Multi-dimensional Information Fusion ... 127
10.4 Mobile Attack Detection and Classification ... 130
10.5 Performance Analysis ... 134
Chapter 11 Conclusion and Future Research Direction ... 135
11.1 Conclusion ... 135
11.2 Future Research Direction ... 136
References ... 137

List of Tables

Table 2.1: Protocol requirement for attacker traceback in wireless multi-hop networks ... 26
Table 4.1: Abnormality table using cross-layer information ... 52
Table 10.1: Attack classification using SRF and TRF metrics ... 134

List of Figures

Figure 2.2: Main building blocks of attacker traceback ... 24
Figure 3.1: Protocol layer abnormality ... 30
Figure 3.2: Variance of abnormality information ... 31
Figure 3.3: Dependency of protocol activity on attack ... 33
Figure 3.4: Illustration of forward noise reduction ... 39
Figure 3.5: Illustration of backward noise reduction ... 40
Figure 3.6: Illustration of forward/backward noise reduction using CLM ... 41
Figure 3.7: Detection success rate under stable background traffic ... 43
Figure 3.8: Detection success rate under fluctuating background traffic ... 44
Figure 3.9: Detection success rate under increasing background traffic ... 45
Figure 3.10: Detection success rate under decreasing background traffic ... 46
Figure 3.11: Detection improvement with F-MLM ... 47
Figure 3.12: Detection improvement with F-NLM ... 48
Figure 3.13: Detection improvement with CM ... 48
Figure 4.1: Abnormality characterization with traffic pattern ... 50
Figure 4.2: Abnormality characterization with distribution function ... 51
Figure 5.1: Traffic pattern/volume matching ... 56
Figure 5.2: Kolmogorov-Smirnov fitness test ... 58
Figure 5.3: Noise reduction rate with F-NLM ... 61
Figure 5.4: Noise rate with F-NLM ... 62
Figure 5.5: Noise reduction rate with F-MLM ... 64
Figure 5.6: Noise rate with F-MLM ... 65
Figure 5.7: Noise reduction rate with CLM ... 67
Figure 5.8: Noise rate with CLM ... 67
Figure 5.9: Impact of time asynchrony on matching test ... 69
Figure 5.10: Impact of time asynchrony on matching test (with KS fitness test) ... 69
Figure 5.11: Impact of unit monitoring window on matching test (with pattern matching) ... 70
Figure 5.12: Impact of unit monitoring window on matching test (with KS fitness test) ... 71
Figure 5.13: Impact of background traffic on matching test (with pattern matching) ... 72
Figure 5.14: Impact of background traffic on matching test (with KS fitness test) ... 72
Figure 5.15: False positive by background traffic (with KS fitness test) ... 74
Figure 6.1: Contact-based small world construction ... 76
Figure 6.2: Small world construction with multi-level contacts ... 77
Figure 6.3: Communication overhead in DoS attacker traceback ... 81
Figure 6.4: Communication overhead in DDoS attacker traceback ... 82
Figure 6.5: Robustness against node compromise ... 83
Figure 7.1: CI-based countermeasure ... 86
Figure 7.2: Comparison of attack traffic dropping efficiency ... 88
Figure 7.3: Comparison of legitimate traffic survival rate ... 89
Figure 7.4: SDP improvement with F-MLM ... 90
Figure 7.5: SDP improvement with F-NLM ... 90
Figure 7.6: SDP improvement with CLM ... 91
Figure 8.1: DoS attacker traceback with relay node-based protocol ... 94
Figure 8.2: DDoS attacker traceback with relay node-based protocol ... 96
Figure 8.3: Logical view of DDoS attackers ... 96
Figure 8.4: DoS attacker traceback with majority voting ... 97
Figure 8.5: DDoS attacker traceback with majority voting ... 99
Figure 8.6: Comparison of DoS attacker traceback success rate ... 101
Figure 8.7: Comparison of DDoS attacker traceback success rate-1 ... 102
Figure 8.8: Comparison of DDoS attacker traceback success rate-2 ... 102
Figure 9.1: Vulnerability analysis using mobile network dimensions and attributes ... 105
Figure 9.2: Three attributes of T-dimension ... 106
Figure 9.3: Spatial continuity of mobile DoS attack. Attacker ... 107
Figure 9.4: Spatial discontinuity of mobile DDoS attack ... 107
Figure 9.5: Illustration of local signature energy strength without mobility ... 117
Figure 9.6: Illustration of local signature energy strength with active mobility ... 117
Figure 9.5: Relative energy in 1 group RPGM with speed variance ... 122
Figure 9.6: Relative energy in 4 group RPGM with angle variance ... 122
Figure 9.7: Relative energy in 1 group RPGM model and 4 group RPGM model ... 123
Figure 9.8: Relative energy in freeway model (attacker and victim on the same lane) ... 124
Figure 9.9: Relative energy in freeway model (attacker and victim on the opposite lane) ... 125
Figure 10.1: SMM attack detection example ... 130
Figure 10.2: Illustration of information fusion process ... 131
Figure 10.3: Overall algorithm to detect mobile attack ... 133

Abstract

Denial-of-Service (DoS) and Distributed DoS (DDoS) attacks can cause serious problems in wireless networks due to their limited network/host resources. Attacker traceback is a promising solution to take a proper countermeasure near the attack origin, for forensics, and to discourage attackers from launching attacks. However, attacker traceback in wireless multi-hop networks is a challenging problem, and existing IP traceback schemes developed for the Internet cannot be directly applied to wireless multi-hop networks due to the peculiar characteristics of wireless multi-hop networks, i.e., dynamic network topology, limited network resources, and mobility. We introduce a protocol framework for attacker traceback that is geared towards wireless multi-hop networks and robust against address spoofing, node compromise, and node mobility. The basic building block of our protocol framework consists of abnormality characterization, abnormality searching, and abnormality matching.
Abnormality characterization is further divided into network-layer abnormality monitoring, MAC-layer abnormality monitoring, and hybrid abnormality monitoring. For efficient abnormality searching, we propose directional searching based on the small-world model. We use the correlation coefficient, the least-square method, and the K-S fitness test for abnormality matching. In addition, our protocol framework includes a spatio-temporal fusion architecture to detect mobile attacks. Traceback of mobile attacks is a challenging problem that we identified and solved in this dissertation. In mobile wireless multi-hop networks, it is important to detect and track down mobile attackers to prevent false traceback results and to find the current location of the attacker. It is especially challenging in the context of mobile DDoS attacks. Lastly, we analyze how the mobility model affects traceback performance. We find that traceback performance varies drastically depending on the mobility model. We show that our hybrid protocol successfully tracks down attackers under diverse network environments (e.g., high background traffic, DDoS attack, and partial node compromise) with low communication, computation, and memory overhead.

Chapter 1 Introduction

Wireless multi-hop networks include Mobile Ad-hoc NETworks (MANET) [8][17][24], wireless mesh networks, and wireless sensor networks [5][13], among others. Wireless multi-hop networks have been an active research area recently due to their numerous promising applications, and practical deployment is near. However, security issues are not properly addressed in the design of these networks. It is very important to consider the security aspects of a network in the initial design stage. As we can see in the history of the Internet, one of the major issues in the provisioning of security assurance in the Internet is how security mechanisms can be deployed on already existing infrastructure. Learning this lesson from the history of the Internet, we aim to develop security assurance mechanisms in the initial stage of wireless multi-hop network design.

1.1 Characteristics of Wireless Multi-hop Networks

We introduce the two most popular types of wireless multi-hop networks: ad hoc networks and sensor networks. There are many commonalities between them (both are multi-hop networks of wireless nodes without an infrastructure), and sometimes the boundaries are not clear.

Ad hoc networks are multi-hop wireless networks where all nodes cooperatively maintain network connectivity. In areas in which there is little or no communication infrastructure, or the existing infrastructure is expensive or inconvenient to use, wireless mobile users may still be able to communicate through the formation of an ad hoc network. In such a network, each mobile node operates not only as a host but also as a router, forwarding packets for other mobile nodes in the network that may not be within direct wireless transmission range of each other. Each node participates in an ad hoc routing protocol that allows it to discover “multi-hop” paths through the network to any other node. The idea of ad hoc networking is sometimes also called infrastructureless networking, since the mobile nodes in the network dynamically establish routing among themselves to form their own network “on the fly.” Some examples of the possible uses of ad hoc networking include students using laptop computers to participate in an interactive lecture, business associates sharing information during a meeting, soldiers relaying information for situational awareness on the battlefield, and emergency disaster relief personnel coordinating efforts after a hurricane or earthquake. Building such ad hoc networks poses a significant technical challenge because of the many constraints imposed by the environment. Thus, the devices used in the field must be lightweight. Furthermore, since they are battery operated, they need to be energy conserving so that battery life is maximized. Several technologies are being developed to achieve these goals by targeting specific components of the computer and optimizing their energy consumption. For instance, low-power displays, algorithms to reduce the power consumption of disk drives, low-power I/O devices such as cameras, etc. all contribute to overall energy savings.

Recent advances in wireless communications and electronics have enabled the development of low-cost, low-power, multifunctional sensor nodes that are small in size and communicate untethered over short distances. These tiny sensor nodes, which consist of sensing, data processing, and communicating components, leverage the idea of sensor networks. Sensor networks represent a significant improvement over traditional sensors. A sensor network is composed of a large number of sensor nodes that are densely deployed either inside the phenomenon or very close to it. The position of sensor nodes need not be engineered or predetermined. This allows random deployment in inaccessible terrains or disaster relief operations. On the other hand, this also means that sensor network protocols and algorithms must possess self-organizing capabilities. Another unique feature of sensor networks is the cooperative effort of sensor nodes. Sensor nodes are fitted with an onboard processor. Instead of sending the raw data to the nodes responsible for the fusion, they use their processing abilities to locally carry out simple computations and transmit only the required and partially processed data. The above-described features ensure a wide range of applications for sensor networks. Some of the application areas are health, military, and home.
In the military, for example, the rapid deployment, self-organization, and fault tolerance characteristics of sensor networks make them a very promising sensing technique for military command, control, communications, computing, intelligence, surveillance, reconnaissance, and targeting systems. In health, sensor nodes can also be deployed to monitor patients and assist disabled patients. Some other commercial applications include managing inventory, monitoring product quality, and monitoring disaster areas. Realization of these and other sensor network applications requires wireless ad hoc networking techniques.

We can find some commonality among the different types of wireless multi-hop networks as follows:

• In wireless multi-hop networks, there is little or no fixed infrastructure. Each node works as an autonomous terminal, acting as both a host and a router.
• Each node can move in and out of the network, frequently changing the network topology.
• In general, network bandwidth and battery power are severely limited in wireless networks compared to wired networks.
• It may be difficult to physically secure a mobile node, which could be captured, compromised, and later rejoin the network as a Byzantine node.

1.2 Security Issues in Wireless Multi-hop Networks

Security is an important issue for ad hoc networks, especially for security-sensitive applications. To secure a wireless multi-hop network, we can consider the following attributes: availability, confidentiality, integrity, authentication, and non-repudiation [25][31].

Availability ensures the survivability of network services despite denial of service attacks. A denial of service attack could be launched at any layer of an ad hoc network. On the physical and medium access control layers, an adversary could employ jamming to interfere with communication on physical channels. On the network layer, an adversary could disrupt the routing protocol and disconnect the network. On the higher layers, an adversary could bring down high-level services. One such target is the key management service, an essential service for any security framework.

Confidentiality ensures that certain information is never disclosed to unauthorized entities. Network transmission of sensitive information, such as strategic or tactical military information, requires confidentiality. Leakage of such information to enemies could have devastating consequences. Routing information must also remain confidential in certain cases, because the information might be valuable for enemies to identify and locate their targets in a battlefield.

Integrity protection guarantees that a message being transferred is never corrupted. A message could be corrupted because of benign failures, such as radio propagation impairment, or malicious attacks on the network.

Authentication enables a node to ensure the identity of the peer node it is communicating with. Without authentication, an adversary could masquerade as a node, thus gaining unauthorized access to resources and sensitive information and interfering with the operation of other nodes.

Non-repudiation ensures that the origin of a message cannot deny having sent the message. Non-repudiation is useful for the detection and isolation of compromised nodes. When a node A receives an erroneous message from a node B, non-repudiation allows A to accuse B using this message and to convince other nodes that B is compromised.

Bogus information detection is a security mechanism to detect false information reports from malicious nodes. Sensor networks are mainly applied to environment, battlefield, or structure monitoring. Under these scenarios, if an attacker sends false information (e.g., a fire alarm), the entire network can be thrown into confusion and network functionality becomes useless. Even if a first-level security wall such as authentication can help to alleviate these risks, it cannot completely remove the risk (e.g., an insider attacker). Intrusion detection is a second-level security wall after intrusion prevention (e.g., authentication, authorization, etc.). The history of security research has taught us a valuable lesson: no matter how many intrusion prevention measures are inserted in a network, there are always some weak links that one could exploit to break in. Intrusion detection presents a second wall of defense, and it is a necessity in any high-survivability network.

In this dissertation, we focus on the availability issue, especially high protocol layer DoS/DDoS attacks, which are among the most critical security issues in resource-constrained wireless multi-hop networks. High protocol-layer DoS (Denial of Service) and DDoS attacks can cause serious problems in wireless multi-hop networks since (1) they are easy to perform using popular tools and (2) wireless multi-hop networks are severely limited in network resources (e.g., bandwidth) and host resources (e.g., battery, memory, etc.). The different types of high protocol layer denial of service attacks can be broadly classified into software exploits and flooding attacks. In software exploits (e.g., Land attack, teardrop attack [1], [32]), the attacker sends a few packets or even a single packet to exercise specific software bugs within the target’s OS or application, disabling or harming the victim. On the other hand, in flooding attacks, one or more attackers send incessant streams of packets aimed at overwhelming link bandwidth or computing resources at the victim. We mainly focus on flooding-type DoS/DDoS attacks, since they cannot be fixed with software debugging, and propose a protocol framework for attacker traceback. In a flooding-type DoS/DDoS attack, an attacker transmits a large number of packets toward the victim with spoofed source addresses.
For instance, in SYN Flood [2], at least 200-500 pps (packet per second) of SYN packets are transmitted to a single victim. UDP Echo- Chargen [4] and Smurf [3] also attacks victim using a large amount of packets with spoofed address. It is reported that DoS attack occurs more than 4,000 times per week and more than 600,000 pps of attack packets are used for attack in some cases [12] in the Internet. In general, we can say that the following are some characteristics of flooding-type DoS/DDoS attacks: (I) Traffic volume is abnormally increased during attack period. (II) Attackers routinely disguise their location using incorrect/spoofed addresses. (III) Such attacks may persist for tens of minutes and in some case for several days [1]. 7 1.3 Attacker Traceback in Wireless Multi-hop Networks The goal of attacker traceback is to identify the machines or the neighbors of the machine that directly generate attack traffic and the network path this traffic subsequently follows [7]. Attacker traceback is a useful technique not only for forensics, but also to take a proper countermeasure near attack origin and discourage attackers from launching attacks. There are several attacker traceback schemes proposed for the Internet such as packet marking [28,29], logging [26,27], ICMP traceback [10][30], etc [7]. Such traceback schemes developed for the fixed networks are not directly applicable to wireless multi-hop networks due to the following peculiar characteristics of wireless multi-hop networks as explained in chapter 1.1. To perform efficient DoS and DDoS attacker traceback under such a harsh environment in wireless multi-hop networks, we propose a protocol framework for attacker traceback. The building block of our framework consists of (I) abnormality detection (II) abnormality characterization, (III) abnormality searching, (V) abnormality matching and (VI) countermeasure. 
For efficient traceback, we divide abnormality monitoring into two classes: coarse-grained and fine-grained. With coarse-grained abnormality, we track down the attacker without using content-level details of packets or frames. Traceback with coarse-grained abnormality is further divided into two classes: Coarse-grained Network Layer Monitoring (C-NLM) and Coarse-grained MAC Layer Monitoring (C-MLM). With fine-grained abnormality, on the other hand, we track down the attacker by analyzing content-level details of packets or frames. Fine-grained abnormality monitoring is further divided into three classes: Fine-grained Network Layer Monitoring (F-NLM), Fine-grained MAC Layer Monitoring (F-MLM) and Cross Layer Monitoring (CLM), which includes both network layer and MAC layer monitoring. Obviously, there is a tradeoff between the two mechanisms. In coarse-grained traceback, computational/storage overhead is minimized by sacrificing content-level analysis. It is effective in many cases where attack traffic shows abnormality and background traffic is moderate. In fine-grained traceback, packet/frame-level information is considered and analyzed to trace back attackers. Even though fine-grained traceback traces back the attacker more accurately, it requires more computation/storage overhead because detailed information about the attack traffic has to be stored and analyzed. A challenging issue in abnormality-monitoring-based traceback is reduced abnormality combined with high background traffic. Especially in DDoS attacks, reduced abnormality is observed near the edges of the attack route. In addition, high background traffic lowers the abnormality matching level. We show that traceback accuracy under low abnormality (i.e., DDoS attacks) and high background traffic can be increased by using cross-layer monitoring, since it removes a lot of noise traffic (i.e., background traffic).
The cross-layer information is utilized in abnormality detection, characterization, matching, and countermeasure. We briefly explain each atomic component of our protocol framework.

Abnormality detection: Each node monitors for abnormality, and if the abnormality is above a certain threshold, it is captured as an abnormality and characterized/logged for traceback. We provide several classes of abnormality detection schemes, each with advantages and disadvantages depending on the environment.

Abnormality characterization and matching: Once an abnormality is detected, it needs to be characterized for traceback. The characterized abnormality at the victim is called the attack signature, and the characterized abnormality at an intermediate node is called a candidate attack signature. Abnormality matching is performed between the attack signature and a candidate attack signature. If the matching test passes, we can infer that attack traffic passed through the nodes that observed the candidate attack signature. Abnormality characterization and matching are closely correlated: the matching test depends on efficient abnormality characterization. We propose a set of matching tests (KS fitness test, pattern matching, etc.). We perform a wide set of analyses to find the optimal characterization method (e.g., optimal unit window size, total window size, etc.). Cross-layer information is used efficiently for abnormality characterization and matching.

Abnormality searching: To perform abnormality matching, we need to find the nodes that observed the candidate abnormality. To provide energy efficiency and robustness against misdirection by false reports, we use majority voting. Majority voting is performed by the multiple nodes that observe or overhear an abnormality in a region. We extend the contact-based architecture, which is based on the small-world model, to increase searching efficiency.

Countermeasure: After we identify the region close to the attack origin, we take a countermeasure.
Existing countermeasures (e.g., packet filtering, rate limiting) have drawbacks: packet filtering drops legitimate packets, and rate limiting has no reasonable mechanism to set the optimal rate. We take a hybrid approach between packet filtering and rate limiting. We use the matching level, which we call the confidence index, to find the optimal rate for limiting. As the matching level increases, our scheme turns into packet filtering. In addition, cross-layer information increases the attack-packet dropping efficiency and decreases the negative impact on legitimate traffic. We also propose a scheme to track down mobile attackers and analyze how mobility affects traceback performance. One of the most serious obstacles to attacker traceback in mobile wireless networks is the mobility of nodes. Existing IP traceback schemes cannot be applied directly in the presence of node mobility in wireless networks. We classify mobility into two classes: (I) intentional malicious mobility by the attacker and (II) legitimate mobility by intermediate nodes or the victim. Intentional malicious mobility of the attacker can cause a number of problems. We provide a systematic analysis of how mobility can be exploited by an attacker, using a network domain/attribute combination-based analysis. Even innocent mobility by intermediate nodes or the victim can have a negative impact on traceback performance. To track down mobile attacks effectively, we introduce a multi-dimensional information fusion architecture, in which the location of the attacker is estimated using various information that contains the spatial and temporal information of attack signature movement. In addition, we systematically analyze how the mobility model and various parameters of the mobility pattern affect traceback performance. We also identify the limitations of attacker traceback in the presence of sophisticated attackers, who exploit a diverse set of network domains/attributes.
1.4 Contributions of the Dissertation

In this dissertation, we first identify the attacker traceback problem in wireless multi-hop networks and analyze the applicability of existing attacker traceback schemes to wireless multi-hop networks. We provide design requirements for robust and efficient attacker traceback in wireless multi-hop networks. To the best of our knowledge, this is the first systematic research work on attacker traceback in wireless multi-hop networks. We propose several classes of traceback protocol framework. In the Network Layer Monitoring-based (NLM-based) traceback architecture, we pay attention to the network layer abnormality observed during flooding-type DoS/DDoS attacks. In the coarse-grained NLM scheme, aggregate-level traffic information is used as the attack signature. It shows successful traceback results under low/medium background traffic and DoS attack with minimal overhead. In the fine-grained NLM scheme, minimal packet-content information (i.e., the destination address) is used for attack signature characterization. The fine-grained traceback mechanism provides robustness against high background traffic and DDoS attack with reduced overhead. We also propose an efficient searching technique (directional search) to track down the attacker with reduced communication overhead. Through simulation, we confirmed that our coarse-grained scheme successfully tracks down the DoS attacker (75% success rate in DoS attacker traceback). The fine-grained scheme shows a 95% success rate in DoS attacker traceback and a 92% success rate in DDoS attacker traceback. The reduction in communication overhead compared with flooding (78% in DoS and 44% in DDoS) is significant, especially when the network size is large. We propose a MAC Layer Monitoring-based (MLM-based) traceback architecture.
We characterize the MAC layer abnormality (e.g., increased busy time/collisions/frame count) observed during DoS/DDoS attacks and use the MAC layer abnormality as the attack signature for traceback. The attack signature is consistently observed on the attack path from attacker to victim, which enables us to track down the attacker. The merits of MAC layer abnormality-based attacker traceback are manifold. First, we can track down the attacker in spite of address spoofing by using a MAC abnormality-based attack signature. Second, the attack signature is observed by many neighbor nodes sharing the medium, through overhearing. This overhearing can be used efficiently (i.e., majority voting) to prevent false/malicious reporting by compromised nodes or inside attackers. In addition, overhearing can be used for attacker traceback under node mobility. In multi-hop wireless networks, nodes frequently move in and out, changing the network topology. When a node that relayed attack traffic moves out, it is hard to trace back the attack origin. In such a case, we can use information from the nodes that overheard the traffic and stayed in the region around the attack path. The MLM-based scheme also consists of a coarse-grained scheme and a fine-grained scheme. In the coarse-grained MLM scheme, regional abnormality characteristics are used for the attack signature. In the fine-grained MLM scheme, minimal frame information (the previous MAC address) is used for attack signature characterization. Our simulation analysis shows a 79% traceback success rate in DoS attacker traceback with the coarse-grained attack signature. With the fine-grained attack signature, it shows a 94% success rate in DoS attacker traceback and an 89% success rate in DDoS attacker traceback. We provide a Cross Layer Monitoring-based (CLM-based) traceback architecture, which utilizes the advantages of both the NLM-based and the MLM-based scheme.
We show that the CLM-based scheme removes much of the noise (i.e., background) traffic (98%), and consequently the negative impact of background traffic, with a marginal increase in overhead. We also propose a multi-dimensional information fusion architecture to track down mobile attacks. The mobility problem in attacker traceback is first identified and systematically analyzed in this dissertation. We provide a proper traceback mechanism and countermeasure to provide robustness against mobile attacks. Our analysis shows that the multi-dimensional information fusion architecture effectively detects mobile attacks. We also systematically analyze how the mobility model and various parameters of the mobility pattern affect traceback performance, which is also the first such work in the traceback literature. We show that traceback performance varies drastically depending on the mobility model.

1.5 Organization of the Dissertation

The dissertation is organized as follows. In chapter 2, we briefly describe existing traceback schemes and the design requirements for robust attacker traceback in wireless multi-hop networks. In chapter 3, we propose the abnormality detection scheme, which is the first component of our traceback protocol framework. In chapter 4, we provide abnormality characterization methods. We provide abnormality matching and searching schemes in chapters 5 and 6 respectively. In chapter 7, we propose a traceback-assisted countermeasure scheme. Then, we perform an overall protocol performance analysis in chapter 8. In chapter 9, we analyze the risks caused by the mobile environment. In chapter 10, we provide the multi-dimensional information fusion architecture for mobile attacker traceback. Lastly, we conclude the thesis and present future research directions in chapter 11.

Chapter 2 Related Work

2.1 Overview

An attacker traceback scheme is a method to help the victim reveal the true identity of an attacker even under address spoofing.
It can help restore normal network functionality by blocking the attack near the origin of the attack packet generator, and prevent recurrences. In addition, it holds attackers accountable for their crime. Current attacker traceback schemes developed for the Internet can be classified from several different points of view.

• Preventative vs. reactive: Ingress filtering is an example of a preventative scheme; it checks the IP address at the router and blocks packets if the address does not belong to the proper subnet address space. In a reactive scheme, traceback is performed after an attack is detected by an intrusion detection system. Link testing, logging, ICMP traceback, and packet marking are classified as reactive schemes.

• Post-mortem vs. on-going: In an on-going scheme, traceback must be completed while the attack is in progress; it is useless once the attack is over. It could be effective for a small controlled network. An example is link testing, which is explained in detail later. In a post-mortem capable scheme, traceback can be performed after the attack is complete. It basically records tracing information as packets are routed through the network. Then the information is pieced together to form the attack path, resulting in attacker identification. Examples of such schemes are logging, ICMP traceback, and packet marking.

• End-host storage vs. infrastructure storage: In end-host storage, some kind of information for tracing back the attacker is delivered to the end host, which takes responsibility for reconstructing the path from the attacker to the victim. Examples of end-host storage are packet marking and ICMP traceback. In an infrastructure-storage scheme, on the other hand, information for traceback is stored in the network and the victim requests the information to reconstruct the attack path. Examples are logging-based traceback and traffic-pattern-based traceback.
In this chapter, we describe existing attacker traceback schemes in the following subsections. Then we identify the design requirements for efficient attacker traceback in wireless multi-hop networks and point out the reasons that existing attacker traceback schemes cannot be directly applied to wireless multi-hop networks.

2.2 ICMP Traceback Messages

The basic idea of the ICMP traceback (iTrace) message, defined in the IETF drafts [10][30], is very simple. Each router generates ICMP traceback messages for every 20,000 packets (recommended) and sends them to the victim. On the receiver side, if enough traceback messages arrive from enough routers along the path, the attack path can be identified. The traceback message contains the following fields:
• Identity of the router generating the traceback message.
• Destination address that will receive the traceback message.
• Timestamp: used to identify the actual path of the attack.
• As many bytes of the traced packet as possible, copied into the payload of the ICMP traceback message.
The receiver uses the information included in the messages to infer the attack path. For instance, suppose the victim received traceback messages from routers R12 (TTL 4), R1 (TTL 6), R3 (TTL 12) and R6 (TTL 15). Then, by using the TTL and router identity, we can reconstruct the attack path as R12 → R1 → R3 → R6. A security consideration of the pure ICMP traceback scheme is that an attacker can generate false traceback messages to conceal the real source of the attack. To address this problem, [10] left some hooks to authenticate the message using HMAC authentication or digital signatures. However, they did not elaborate on the authentication issue. One important drawback of the iTrace scheme is that it is hard to provide useful information for DDoS attacks, especially if the attacker orchestrates the DDoS attack so as to conceal it by reducing the volume of packets generated at each slave. In that case, it is hard for the victim to infer the attack route using a small number of ICMP packets.
Another disadvantage is that many possible receivers receive iTrace messages without any use for them. That is, even if there is no DoS/DDoS attack, a lot of routers have to generate iTrace packets. To address these problems, [30] proposed "intention-driven ICMP traceback". Intention is associated with the interest in receiving iTrace packets. There are two cases: first, if the receiver is not under attack, it is not interested in receiving iTrace packets; second, even if an attack is under way, if the victim is not interested in tracking the attacker, the packets are useless. Through the victim's indication of intention to the router, only useful/valuable ICMP traceback messages are generated. A message expressing the intention is sent to the BGP router when a particular network is under DDoS attack and the intrusion detection system detects it. The intention-driven iTrace scheme is composed of two different modules: (1) a decision module and (2) an iTrace generation module. The decision module determines which entry in the packet-forwarding table should be the target for iTrace generation. Based on this decision, one special bit in the packet-forwarding table (the iTrace generation bit) is set to 1. Then the chosen packet is processed by the iTrace generation module, and a new iTrace message is sent. One fundamental problem is how to propagate the intention bit. They propose to use BGP messages to propagate intention bits throughout the Internet; specifically, they utilize the "community attribute" of the BGP message. Their claim for the usefulness of BGP messages is threefold. First, the intention bit is propagated with the BGP update message, and the update is limited by the BGP keepalive interval; consequently, their scheme does not introduce extra traffic while the intention bit is propagated throughout the Internet. Second, they can utilize BGP route aggregation, which reduces overhead. Third, it is practical since it does not require too many changes to all the routers.
The advantages of the ICMP traceback scheme are as follows: (1) It does not require ISP cooperation; that is, once the ICMP traceback message is implemented in each router, attack path reconstruction is done by the end host. (2) It allows post-attack analysis with the accumulated ICMP packets. (3) It supports incremental implementation; that is, even if the ICMP traceback message is implemented in only part of the network, the attack path can be inferred with an Internet topology map to approximate the origin of the attackers. The disadvantages of the scheme are as follows: (1) It generates high traffic even at a low message generation rate. (2) If the message generation frequency becomes low, the convergence time becomes long. (3) An attacker can inject false ICMP messages. (4) It requires high processing power to reconstruct the attack path.

2.3 Packet Marking

This scheme [28][29] is based on packet marking by intermediate routers, which is then used by the victim to infer the attack route. Probabilistic packet marking (PPM) has two components: (1) a probabilistic marking procedure executed by routers in the network and (2) a path reconstruction procedure implemented by the victim. A router "marks" one or more packets by augmenting them with additional information about the path they are traveling, such as the address of the router. The victim attempts to reconstruct the attack path using only the information in these marked packets. The convergence time of an algorithm is the number of packets that the victim must observe to reconstruct the attack path. Marking algorithms can be classified as follows.

Node append: This is the simplest algorithm, where each router appends its own IP address to every packet that traverses it. Consequently, convergence is very quick, and it is possible to trace back an attacker with only one packet. However, it is impractical due to the infeasibly high router overhead incurred by appending data to packets in flight.
In addition, it is impossible to ensure that there is sufficient unused space in the packet for the complete list, since the length of the path is not known a priori.

Node sampling: To solve the problems of node append, a single static "node" field is reserved in the packet header in node sampling. That is, only one router's information can be inserted. If enough packets are received from the intermediate routers, it is possible to reconstruct the attack path. Although it might seem impossible to reconstruct an ordered path given only an unordered collection of node samples, it turns out that with a sufficient number of trials the order can be deduced from the relative number of samples per node. Since routers are arranged serially, the probability that a packet will be marked by a router and then left unmolested by all downstream routers is a strictly decreasing function of the distance to the victim. The problem is the slow convergence time to infer the total router order. In addition, if there are multiple attackers, multiple routers may exist at the same distance and hence be sampled with the same probability.

Edge sampling: To address the problems of node sampling, edge sampling is proposed. When a router decides to mark a packet, it writes its own address into the start field and writes a zero into the distance field. Otherwise, if the distance field is already zero, this indicates that the packet was marked by the previous router; in this case, the router writes its own address into the end field, thereby representing the edge between itself and the previous router, and increments the distance field to one. Finally, if the router does not mark the packet, it always increments the distance field.
The number of data packets, X, required for the victim to reconstruct an attack path of length d then has the following bounded expectation:

$E(X) < \frac{\ln(d)}{p(1-p)^{d-1}}$ (Eq. 2-1)

where p is the probability of marking a packet at an intermediate router. However, the significant practical limitation of this approach is that it requires additional space in the IP packet header. Therefore, the Compressed Edge Fragment Sampling approach is proposed, which stores fragments of the edge id for the edge between two routers in the identification field of the IP packet header. Of the 16-bit identification field, only 8 bits are used for encoding the edge-id fragment, while the others are used for encoding the fragment offset and distance. The advantages of this scheme are that (1) cooperation among ISPs is not required, for the same reason as in ICMP traceback, (2) incremental deployment is effective with a network topology map, and (3) it allows post-attack analysis. The disadvantages are as follows: (1) it requires modification of the existing IP protocol for marking, (2) it increases packet size, (3) convergence is slow with probabilistic packet marking, and (4) it requires high processing power at the end host to reconstruct the attack path.

2.4 Logging-based Traceback

The logging-based scheme [26][27] is based on logging information stored in routers throughout the Internet to trace an attacker. Since storing the raw information requires a huge amount of storage (on a fast network link, traffic could consume 750 Gbytes in just 10 minutes), [22,23] proposed hash-based traceback, called SPIE (Source Path Isolation Engine). In SPIE, traffic auditing is accomplished by computing and storing packet digests rather than storing the packets themselves. In addition to reducing storage requirements, storing packet digests instead of the actual packet contents preserves traffic confidentiality by preventing SPIE from being used as a tool for eavesdropping.
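The edge-sampling marking procedure and the victim-side reconstruction described above, simulated end to end, as an added example that is not code from the dissertation or from the PPM authors. The router names, the marking probability p and the random seed are constructed for the example; the marking rules (start/end/distance fields, incrementing distance at every non-marking hop) follow the text, and Eq. 2-1 is evaluated so the number of packets actually observed can be compared with the bound on its expectation.

```python
"""Probabilistic packet marking with edge sampling, simulated end to end.

Added example, not code from the dissertation or from the PPM authors.  A
constructed path of routers marks packets with probability p exactly as the
text describes (start/end/distance fields); the victim then reconstructs
the ordered path from the marks it receives.  Eq. 2-1 is evaluated
alongside so the observed packet count can be compared with the bound.
"""
import math
import random


def marking_procedure(path, p, rng):
    """Edge-sampling marking of one packet traversing `path`.

    `path` lists routers from the one nearest the attacker to the one
    nearest the victim.  The fields start out as an attacker might leave
    them (empty start/end, distance 0).  Returns (start, end, distance) as
    seen by the victim.
    """
    start, end, distance = None, None, 0
    for router in path:
        if rng.random() < p:
            # This router marks: begin a new edge sample at itself.
            start, end, distance = router, None, 0
        else:
            if distance == 0:
                # The previous hop marked, so this router closes the edge.
                end = router
            # A non-marking router always increments the distance.
            distance += 1
    return start, end, distance


def reconstruct_path(marks, victim="victim"):
    """Victim side: keep one edge per observed distance and chain them.

    Returns the router list from the farthest sampled router down to the
    victim's neighbour, or [] if the sampled edges do not yet form a
    consistent chain from the largest distance down to 0.
    """
    edges = {}
    for start, end, distance in marks:
        if start is None:
            continue  # no router marked this packet: it carries no edge
        edges[distance] = (start, victim if distance == 0 else end)
    if not edges:
        return []
    farthest = max(edges)
    if set(edges) != set(range(farthest + 1)):
        return []  # some distance has not been sampled yet
    path = []
    for k in range(farthest, -1, -1):
        start, end = edges[k]
        # The edge at distance k must end where the edge at k-1 starts.
        if k > 0 and end != edges[k - 1][0]:
            return []
        path.append(start)
    return path


def expected_packets_bound(d, p):
    """Eq. 2-1: E[X] < ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def simulate_convergence(path, p, seed=1, max_packets=100_000):
    """Send packets until the victim's reconstruction equals the real path.

    Returns (packets_needed, reconstructed_path).  Comparing against the
    true path is how convergence time is measured in a simulation; a real
    victim does not know the path length a priori.
    """
    rng = random.Random(seed)
    marks = []
    for sent in range(1, max_packets + 1):
        marks.append(marking_procedure(path, p, rng))
        recovered = reconstruct_path(marks)
        if recovered == list(path):
            return sent, recovered
    return max_packets, reconstruct_path(marks)


# Constructed five-router attack path, attacker side first.
PATH = ["R1", "R2", "R3", "R4", "R5"]

if __name__ == "__main__":
    needed, recovered = simulate_convergence(PATH, p=0.04, seed=7)
    print("reconstructed:", " -> ".join(recovered))
    print(f"packets observed: {needed}, Eq. 2-1 bound on the mean: "
          f"{expected_packets_bound(len(PATH), 0.04):.1f}")
```

Packets that no router marked arrive with an empty start field and a distance of at least the path length, which is why the victim can discard them; an attacker cannot forge a mark with a smaller distance than the true one because every router on the path increments the field.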
SPIE is composed of three functional units: the STM (SPIE Traceback Manager), SCARs (SPIE Collection and Reduction Agents), and DGAs (Data Generation Agents). The DGA is implemented in the routers and captures partial information about every packet that passes through the router, so that it can later determine whether that packet passed through it. The digested fields of a packet are the IP header and the first 8 bytes of the payload. Digests are stored in a space-efficient data structure called a Bloom filter, which reduces storage requirements by several orders of magnitude. When a given Bloom filter is about 70 percent full, it is archived for later querying. The duration for which a single Bloom filter is used is called a time period. A SCAR is implemented in every region of the network and is connected to the DGAs to query them for the necessary information; the network is logically divided into regions in order to place the SCARs. The STM is the functional unit that communicates with the IDSs of the victims and with the SCARs. An example of traceback utilizing DGA, SCAR, and STM follows:
1. The victim's IDS sends a notification of the attack to the STM.
2. The STM sends a request to trace back the attacker to the SCAR.
3. The SCAR obtains packet digest information from the DGAs and performs analysis to correlate the information given by the STM with that from the DGAs.
4. If the SCAR determines that the attack packet traversed a certain logical region, it reports this to the STM.
5. Finally, the STM reconstructs the path through the network.
One problem of packet logging is that a packet might be modified during the forwarding process, for example due to NAT or IPsec. To reconstruct the path under such transformations, SPIE stores the type of transformation and the data necessary to invert it in a TLT (Transform Lookup Table). Each Bloom filter for a given time period has its own TLT associated with it. When the DGA sends digest information to the SCAR, it returns copies of the digests and the TLT for analyzing and correlating the tables.
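The DGA side of the scheme just described, as an added example written for this page rather than SPIE's own code: packets are digested over the IP header plus the first 8 payload bytes, inserted into a Bloom filter that is archived as one time period once it is about 70 percent full, and a SCAR-style query asks in which time periods a given packet may have passed. The filter size, the number of hash functions, the constructed IPv4 header and the zeroing of TTL and header checksum before digesting (so that the same packet digests identically at every hop) are assumptions made here, not details taken from the page.

```python
"""Hash-based packet logging in the style of SPIE's Data Generation Agent.

Added example, not SPIE's code.  Each packet is digested over its IP header
plus the first 8 bytes of payload and inserted into a Bloom filter; when
the filter is about 70 percent full it is archived as one time period and a
fresh filter is started.  A query answers "may this packet have passed
here, and in which time periods?"  Filter size, hash count and the masking
of mutable header fields are assumptions made for this example.
"""
import hashlib
import struct

DIGEST_PAYLOAD_BYTES = 8


def digest_input(ip_header: bytes, payload: bytes) -> bytes:
    """Bytes that get digested: IP header + first 8 payload bytes.

    TTL (byte 8) and header checksum (bytes 10-11) change at every hop, so
    they are zeroed to keep the digest identical along the path (assumed
    here; IP options and other mutable fields are ignored for brevity).
    """
    hdr = bytearray(ip_header[:20])
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr) + payload[:DIGEST_PAYLOAD_BYTES]


class BloomFilter:
    """Fixed-size bit array; k indexes are sliced from one SHA-256 digest."""

    def __init__(self, m_bits: int = 4096, k: int = 3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)
        self.set_bits = 0  # tracked so the fill ratio is O(1)

    def _indexes(self, data: bytes):
        h = hashlib.sha256(data).digest()
        for i in range(self.k):
            yield int.from_bytes(h[4 * i:4 * i + 4], "big") % self.m

    def insert(self, data: bytes) -> None:
        for idx in self._indexes(data):
            byte, bit = divmod(idx, 8)
            if not self.bits[byte] & (1 << bit):
                self.bits[byte] |= 1 << bit
                self.set_bits += 1

    def may_contain(self, data: bytes) -> bool:
        # False positives are possible, false negatives are not.
        return all(self.bits[i // 8] & (1 << (i % 8)) for i in self._indexes(data))

    def fill_ratio(self) -> float:
        return self.set_bits / self.m


class DataGenerationAgent:
    """Router-side DGA: one current filter plus archived filters (time periods)."""

    ARCHIVE_AT = 0.70

    def __init__(self, m_bits: int = 4096, k: int = 3):
        self.m_bits, self.k = m_bits, k
        self.archived = []
        self.current = BloomFilter(m_bits, k)

    def observe(self, ip_header: bytes, payload: bytes) -> None:
        self.current.insert(digest_input(ip_header, payload))
        if self.current.fill_ratio() >= self.ARCHIVE_AT:
            self.archived.append(self.current)
            self.current = BloomFilter(self.m_bits, self.k)

    def query(self, ip_header: bytes, payload: bytes) -> list:
        """SCAR-style query: indexes of the time periods that may hold the packet."""
        d = digest_input(ip_header, payload)
        hits = [i for i, f in enumerate(self.archived) if f.may_contain(d)]
        if self.current.may_contain(d):
            hits.append(len(self.archived))
        return hits


def make_ipv4_header(src: str, dst: str, ident: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header (UDP, no options) for the example."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, 0, ttl, 17, 0,
                       addr(src), addr(dst))


if __name__ == "__main__":
    dga = DataGenerationAgent()
    seen = make_ipv4_header("10.0.0.1", "10.0.0.2", ident=1)
    dga.observe(seen, b"attack-payload")
    # The same packet one hop later (TTL decremented) still matches.
    later = make_ipv4_header("10.0.0.1", "10.0.0.2", ident=1, ttl=63)
    print("time periods that may hold the packet:", dga.query(later, b"attack-payload"))
```

Because only the first 8 payload bytes are digested, two packets that share header and payload prefix are indistinguishable to the filter, and a full filter answers "maybe" more often; both are the storage-for-certainty trade the text describes, and the 70 percent archiving rule is what keeps the false positive rate of each time period bounded.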
The advantages of the logging-based scheme are as follows: (1) It allows tracing of a single packet. While distributed denial-of-service attacks, typically conducted by flooding network links with large amounts of traffic, are the most widely reported, there are other forms of network attacks, many of which require significantly smaller packet flows. In fact, there are a number of widely deployed operating systems and routers that can be disabled by a single well-targeted packet, such as the teardrop attack. To institute accountability for these attacks, the source of individual packets must be identified. (2) It incurs only insignificant network traffic overhead since it is "logging-based" traceback. (3) It allows post-attack analysis. (4) It does not require any change in existing protocols. On the other hand, there are several disadvantages: (1) It requires intensive storage and processing resources in the routers and dedicated machines for the STM and SCARs, even if the hash-based scheme can somewhat reduce the requirements. The authors propose to use probabilistic logging, similar to probabilistic packet marking, to reduce the required amount of storage. That is, they claim that they can extend the length of time over which queries can be conducted without linearly increasing the memory requirements by relaxing the set of packets that can be traced: rather than discarding packet digests as they expire, they discard them probabilistically as they age. However, they did not elaborate on the efficiency and effectiveness of this proposal. (2) It requires sharing of logged information between ISPs, which leads to privacy issues.

2.5 Controlled Flooding

In controlled flooding [11], a downstream router intentionally sends a burst of network traffic to the upstream network segments. At the same time, the victim checks the incoming attack traffic for any change.
From the changes in frequency of the incoming attack traffic, the victim can learn which upstream router the traffic is coming from. The same process is continued one level higher until finally reaching the attacker. The links are suggested to be loaded using the chargen service on the routers. The originator of the chargen service opens a connection to a device on TCP or UDP port 19; in response, this device generates a large amount of data back to the originator. This outcome is not desirable, since the task here is to load only a single link. To avoid this, the source address of the equipment is spoofed as the next-hop address of this router. In order to load the link between A and B, the controlled flooding equipment spoofs its source address as the interface of B connecting to A and starts the chargen service on A. The packets generated are then directed to B, loading the link between these two routers. The advantages of this scheme are that (1) it does not require changes to existing routers and (2) it does not require per-packet processing at a router. The obvious disadvantages are as follows: (1) it is itself another kind of DoS, (2) traceback must be accomplished during the attack, and (3) the approach assumes access to routers in the ISP network.

2.6 Design Requirements for Attacker Traceback in Wireless Multi-hop Networks

To identify the protocol requirements for a traceback mechanism in wireless multi-hop networks, we classify the main building blocks of attacker traceback schemes as follows: (I) information searching and gathering, (II) information storage, and (III) information analysis. Information gathering is the process of putting or seeking clues on the attack packets. Information storage is the process of storing the gathered clues in some device for post-analysis. Information analysis is the process of reconstructing the attack path based on the clues obtained through the information storing process or on real-time data provided by the information gathering process.
The overall architecture is depicted in Fig. 2.2. Based on the building blocks classified above, we identify the traceback protocol requirements in wireless multi-hop networks. In addition, we identify the limitations of existing IP traceback schemes when applied to wireless multi-hop networks.

[Figure 2.1] Main building blocks of attacker traceback: DoS/DDoS attack detection, information searching and gathering, information storage, and information analysis (attacker traceback architecture)

(I) Information searching and gathering: For robust and efficient information gathering in wireless multi-hop networks, the following protocol requirements must be satisfied. First, nodes move in and out frequently and autonomously, which results in topology changes; hence we need a traceback scheme that is robust against route instability. Second, it may be difficult to physically secure nodes, which could be captured, compromised and later rejoin the network as Byzantine nodes; hence we need robustness against node compromise. Third, wireless multi-hop networks are in general severely limited in network resources (i.e., bandwidth), and energy conservation is one of the major concerns; hence we need to reduce communication overhead and energy consumption, which calls for an efficient searching scheme (as opposed to flooding-type searching). Existing schemes essentially rely on hop-by-hop traceback. Hence, when one intermediate node moves out or is powered down, traceback is stopped or confused in the middle. In addition, when several nodes are compromised by the attacker, the traceback process cannot continue at the compromised nodes and can easily be broken. Consequently, a majority-based scheme is required in wireless multi-hop networks. In addition, an efficient searching scheme optimized for wireless multi-hop networks needs to be developed.

(II) Information storage: Clue information obtained through the information gathering process needs to be stored for traceback.
Information can be stored at the end host or inside the network. However, in general, nodes in a wireless multi-hop network have limited storage space; hence it is important to reduce the storage requirement. iTrace and PPM are end-host storage schemes: ICMP or marked packets are stored at the end host and used for path reconstruction. The logging scheme is a network-storage scheme, where clue information is stored inside the network. The obvious drawback of these schemes is that a large amount of data needs to be stored at either the end host or inside the network, since they require per-packet information. Controlled flooding, on the other hand, does not require information storage; however, it consumes network bandwidth, which is highly undesirable in resource-constrained wireless networks.

(III) Information analysis: For energy-efficient information analysis and to reduce the delay in attack route reconstruction, we need to reduce the computational overhead at both the intermediate nodes and the victim. In iTrace and PPM, the path is reconstructed by the end host, so the burden on the end host is increased. For instance, in iTrace, the end host first searches the database that stores packet information; then, based on the packet information, the end host has to reconstruct the attack path. In the case of logging and controlled flooding, on the other hand, the analysis burden is put on the network. Information analysis in existing schemes requires a lot of computation power at either the end host or the network to reconstruct the attack path from the accumulated large amount of per-packet information. In addition, controlled flooding consumes a lot of bandwidth, even if only for a short term. We summarize the requirements for IP traceback in wireless multi-hop networks in Table 2.1.
[Table 2.1] Protocol requirements for attacker traceback in wireless multi-hop networks

Protocol building block | Design requirement
Information gathering   | Robustness against node collusion; robustness against route instability; low communication overhead; low energy consumption
Information storage     | Low storage requirement for intermediate nodes; low storage requirement for the victim
Information analysis    | Low computational overhead for intermediate nodes; low computational overhead for the victim

Chapter 3 Abnormality Detection

3.1 Overview

Abnormality detection is the first stage of our traceback protocol framework. It is the process of detecting protocol-layer abnormality and starting to log the abnormality information. Each node monitors protocol-layer activity (e.g., packet count in the network layer, or busy time, collision count, or frame count in the MAC layer); if an abnormality is observed, the node logs the abnormality information as a candidate attack signature. When the abnormality is detected at the victim's intrusion detection system, we call it the attack signature. The candidate attack signatures are compared with the attack signature to find the nodes that have relayed attack traffic.

Note the distinction between attack detection and abnormality detection for traceback. In attack detection, reducing false positives is critical for an intrusion detection system to detect attacks accurately. In abnormality detection for traceback, however, false positives are not critical, since they are filtered out in the abnormality matching process between candidate attack signatures and the attack signature. Our goal is to reduce false negatives with moderate memory consumption for abnormality logging.
In this chapter we provide a set of abnormality detection methods, namely FDM (Fractional Deviation from the Mean), the Pivot method, and EWMA (Exponentially Weighted Moving Average), and we compare the performance of each.

3.2 Definition of Abnormality

Once a flooding-type DoS/DDoS attack is launched, a large volume of traffic is generated towards a victim to exhaust network bandwidth or host resources. The flooding-type attack causes protocol-layer (network layer and MAC layer) abnormality. In addition, the MAC-layer abnormality is observed by neighbor nodes around the attack route through the overhearing capability of the MAC layer. In this dissertation we use the 802.11 MAC, which is widely used in MANETs; our scheme can be applied to other MAC protocols as well. We analyze in the following how flooding-type attack traffic causes abnormality in the network and MAC layers.

Increased packet count in the network layer. A flooding-type DoS/DDoS attack causes an abnormally increased packet count both at the relay nodes of the attack traffic and at the victim. The increase can be detected statistically as an abnormality.

Increased collisions in the MAC layer. Increased collisions can be inferred from several symptoms. (I) Increased retry count due to a missing ACK or CTS: each frame or fragment has a single retry counter associated with it. Frames shorter than the RTS threshold use the short retry count; frames longer than the threshold are considered long frames and use the long retry count. Retry counts begin at 0 and are incremented each time a frame transmission fails. (II) Large contention window (CW): after each unsuccessful transmission, CW is doubled up to a maximum value $CW_{max} = 2^m \cdot CW_{min}$, where m is the number of attempts. (III) Long lifetime: when the first fragment is transmitted, the lifetime counter is started; when the lifetime limit is reached, the frame is discarded and no attempt is made to transmit any remaining fragments.
Increased busy time in the MAC layer. A node monitors the channel to check whether it is idle. If the channel has not been idle for the required interval, the node cannot enter the backoff stage and must defer. Frequent busy periods, and the resulting transitions from the backoff state to the defer state, are a symptom of heavy traffic.

Increased frames in the MAC layer. As attack packets increase, the number of corresponding data frames and ACKs increases; in addition, the number of RTS and CTS frames used to access the channel also increases.

We performed simulations to verify the abnormal behavior of the network and MAC layers under DoS attack, using ns-2 with 50 nodes in a 670 m x 670 m area and DSDV as the underlying routing protocol. The average distance between attacker and victim is 4 hops. In Fig.3.1, we vary the number of nodes that generate background traffic from 1 to 25 and measure the increase rate, defined as the ratio between abnormal and normal behavior: for instance, if the collision count under attack is η and under normal background traffic is η', the increase rate is η/η'. In the simulation, the attack traffic is ten times the size of the normal traffic. As Fig.3.1 shows, frame count, packet count, and busy time have a high increase rate when background traffic is low, and the increase rate falls as background traffic grows, because with heavier background traffic the attack traffic no longer stands out as drastically. Collisions behave differently: their increase rate is low when background traffic is low, because collisions rarely occur when only attack traffic is present; it rises gradually as background traffic grows and falls again beyond a certain point. Fig.3.2 shows the relative variance of the abnormality information, defined as (variance of abnormality observation)/(mean of abnormality observation).
The collision rate shows the highest variance, because collision occurrence varies randomly with the temporal and spatial traffic distribution. Consequently, we mainly use the packet count in the network layer and the frame count in the MAC layer as abnormality information.

[Figure 3.1] Protocol layer abnormality (x-axis: number of nodes that generate background traffic, 1 to 25; y-axis: increase rate, 0 to 12; series: increased packets, increased frames, increased busy time, increased collisions)

[Figure 3.2] Variance of abnormality information (x-axis: number of nodes that generate background traffic, 0 to 40; y-axis: relative variance, 0 to 1.8; series: packet count, frame count, busy time, collision)

To find the optimal indicator for the attack signature, we use a statistical test (categorical data analysis) [19]. The optimal indicator should have the property that the majority of neighbor nodes around the attack path observe abnormal activity. We use a two-way contingency table to evaluate the dependency of protocol-layer activity on attack traffic. In a two-way contingency table, data is classified along two directions (row and column) according to two qualitative variables. In our test, the rows are normal/abnormal and the columns are non-attack region/attack region, as in Table 3.1. The attack region is the area around the attack path where nodes can overhear the attack traffic. Each cell holds the number of nodes that observe the corresponding protocol-layer abnormality; N is the total number of nodes in the network.

[Table 3.1] Two-way contingency table

             Non-attack region   Attack region   Totals
Normal       $n_{11}$            $n_{12}$        $n_{1.}$
Abnormal     $n_{21}$            $n_{22}$        $n_{2.}$
Totals       $n_{.1}$            $n_{.2}$        N

We then set the following null and alternative hypotheses to test the dependency of the two classifications.
$H_0$: the two classifications are independent.
$H_a$: the two classifications are dependent.

Test statistic:

$$\chi^2 = \sum_{i=1}^{r}\sum_{j=1}^{c} \frac{[\,n_{ij} - \hat{E}(n_{ij})\,]^2}{\hat{E}(n_{ij})}$$ (Eq.3.1)

where $\hat{E}(n_{ij}) = \dfrac{n_{i.}\, n_{.j}}{N}$, $n_{i.}$ is the total of row i and $n_{.j}$ is the total of column j. The rejection region, in which we conclude that the two classifications are dependent, is

$$\chi^2 > \chi^2_{\alpha}$$ (Eq.3.2)

where $\chi^2_{\alpha}$ is the critical value of the chi-square distribution with (r-1)(c-1) degrees of freedom and α is the probability of a type I error (rejecting $H_0$ when $H_0$ is true). Intuitively, χ² grows as the percentage of nodes that observe the abnormality in the attack region increases.

In Fig.3.3, we show the χ² value of each abnormality component. The threshold $\chi^2_{\alpha}$ is 5.02 for α = 0.025 (97.5% confidence) with one degree of freedom. If the χ² value is above the threshold, there is dependency (we reject the null hypothesis $H_0$). As shown in Fig.3.3, when the number of nodes that generate background traffic is low (less than 10% of the network nodes), the dependency of frame count and busy time on the attack is high. As background traffic increases, the dependency decreases, since there is little difference between attack traffic and background traffic. The dependency of collisions on the attack is low when background traffic is low, since there is only a small amount of background traffic to collide with the attack traffic, and it is low again when background traffic is high (above 30 nodes), again because attack traffic and background traffic differ little. In between, χ² stays consistently above $\chi^2_{\alpha}$, which means the attack traffic has a clear impact (dependency) on the overhearing nodes around the attack route. Packet count shows low dependency because it is network-layer information, which cannot exploit the overhearing capability.
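A worked instance of the test in Eq.3.1 and Eq.3.2, written in Python. This is an added example, not code from the dissertation. The two 2x2 tables are constructed node counts that imitate the frame-count and collision cases of Fig.3.3; they are not simulation results. The critical value 5.024 is the 0.975 quantile of the chi-square distribution with one degree of freedom, i.e. the page's threshold of 5.02. The example also reports whether any expected count falls below 5, the usual rule of thumb beyond which the chi-square approximation is unreliable, because small contingency tables from a 50-node network can easily hit that limit.

```python
"""Chi-square test of independence for the two-way contingency table of
Table 3.1, following Eq. 3.1 and Eq. 3.2.  Added example, not code from the
dissertation; the node counts below are constructed, not simulation output."""

# Upper critical values chi^2_alpha for one degree of freedom
# ((r-1)(c-1) = 1 for a 2x2 table).
CHI2_CRITICAL_1DF = {0.05: 3.841, 0.025: 5.024, 0.01: 6.635}


def expected_counts(table):
    """E(n_ij) = n_i. * n_.j / N for a table given as a list of rows."""
    total = sum(sum(row) for row in table)
    row_totals = [sum(row) for row in table]
    col_totals = [sum(col) for col in zip(*table)]
    return [[r * c / total for c in col_totals] for r in row_totals]


def chi_square(table):
    """Eq. 3.1: sum over all cells of (n_ij - E(n_ij))^2 / E(n_ij)."""
    return sum((n - e) ** 2 / e
               for row, exp_row in zip(table, expected_counts(table))
               for n, e in zip(row, exp_row))


def has_small_expected(table, minimum=5.0):
    """Rule of thumb: the chi-square approximation is unreliable if any
    expected cell count is below 5."""
    return any(e < minimum for row in expected_counts(table) for e in row)


def is_dependent(table, alpha=0.025):
    """Eq. 3.2: reject H_0 (independence) when chi^2 exceeds chi^2_alpha."""
    dof = (len(table) - 1) * (len(table[0]) - 1)
    if dof != 1:
        raise ValueError("critical values are tabulated for 2x2 tables only")
    return chi_square(table) > CHI2_CRITICAL_1DF[alpha]


# Constructed 2x2 tables for a 50-node network, laid out as in Table 3.1:
# rows are normal / abnormal, columns are non-attack region / attack region.
FRAME_COUNT_TABLE = [[30, 2],    # normal:   30 non-attack-region nodes,  2 attack-region nodes
                     [5, 13]]    # abnormal:  5 non-attack-region nodes, 13 attack-region nodes
COLLISION_TABLE = [[28, 9],      # collisions are only weakly tied to the attack region
                   [7, 6]]


def summarize(table, alpha=0.025):
    """Test result plus the small-expected-count warning for one table."""
    return {"chi2": round(chi_square(table), 3),
            "dependent": is_dependent(table, alpha),
            "small_expected": has_small_expected(table)}


if __name__ == "__main__":
    print("frame count:", summarize(FRAME_COUNT_TABLE))
    print("collision:  ", summarize(COLLISION_TABLE))
```

The frame-count table gives χ² ≈ 23.9, far above 5.024, so the abnormality is concentrated in the attack region; the collision table gives χ² ≈ 2.2 and is not rejected, but its expected count for the abnormal/attack-region cell is 3.9, so that verdict rests on an approximation the test itself flags as shaky.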
[Figure 3.3] Dependency of protocol activity on attack (x-axis: number of nodes that generate background traffic, 0 to 40; y-axis: chi-square value, 0 to 45; series: packet count, frame count, busy time, collision; threshold line at 5.02)

Based on these observations, we use the MAC-layer frame count as the major abnormality information and use the packet count to complement it (i.e., cross-layer abnormality) in this dissertation.

3.3 Abnormality Detection with FDM

Let $A_S$ be the number of packets or frames in a given time slot and $A_R$ the average number of packets or frames of the long-term reference model. The distance of the fractional-deviation-from-the-mean statistic is

$$Dist = \frac{A_S - A_R}{A_R}$$ (Eq.3.3)

The distance Dist is defined as the abnormality level. If the abnormality level exceeds a threshold (e.g., 0.5), the slot is considered suspicious and the traffic signature is logged. The obvious advantage of FDM is the simplicity of defining the threshold; its drawback is that it does not take the variance of the background traffic into account.

3.4 Abnormality Detection with the Pivot Method

To take the background traffic variance into account, we use the pivotal method [28]. We calculate the normal interval at confidence level 100(1-α)% as

$$\bar{x}_n \pm z_{\alpha/2}\frac{\sigma}{\sqrt{n}} \approx \bar{x}_n \pm z_{\alpha/2}\frac{s_n}{\sqrt{n}}$$ (Eq.3.4)

where $\bar{x}_n$ is the sample mean and σ is the standard deviation. Since σ is unknown, the sample standard deviation $s_n$ is used. The mean and variance are calculated and updated as follows. The average $\bar{x}_n$ of the time series given n points is

$$\bar{x}_n = \frac{1}{n}\sum_{i=1}^{n} x_i$$ (Eq.3.5)

If a new point $x_{n+1}$ is measured and it lies within the normal range, we can recompute $\bar{x}_n$ from scratch, but it is more efficient to keep the old value of $\bar{x}_n$ and apply a small correction using $x_{n+1}$.
The correction is easy to derive, since

$$\bar{x}_{n+1} = \frac{1}{n+1}\sum_{i=1}^{n+1} x_i = \frac{1}{n+1}\Big(\sum_{i=1}^{n} x_i + x_{n+1}\Big) = \frac{n}{n+1}\,\bar{x}_n + \frac{1}{n+1}\,x_{n+1}$$ (Eq.3.6)

and so $\bar{x}_{n+1}$ can be written as

$$\bar{x}_{n+1} = \frac{n}{n+1}\,\bar{x}_n + \frac{1}{n+1}\,x_{n+1} = \bar{x}_n + K\,(x_{n+1} - \bar{x}_n)$$ (Eq.3.7)

where K = 1/(n+1) is the gain factor. The gain K sets how large the correction is. We can also recompute the quadratic standard deviation (variance) of the time series recursively. Given n points, the variance is

$$s_n^2 = \frac{1}{n}\sum_{i=1}^{n}(x_i - \bar{x}_n)^2$$ (Eq.3.8)

If a new point $x_{n+1}$ is measured, the new variance is

$$s_{n+1}^2 = \frac{1}{n+1}\sum_{i=1}^{n+1}(x_i - \bar{x}_{n+1})^2 = \frac{1}{n+1}\sum_{i=1}^{n+1}\big(x_i - \bar{x}_n - K(x_{n+1} - \bar{x}_n)\big)^2$$ (Eq.3.9)

The whole expression reduces to

$$s_{n+1}^2 = \frac{n}{n+1}\big(s_n^2 + K(x_{n+1} - \bar{x}_n)^2\big) = (1 - K)\big(s_n^2 + K(x_{n+1} - \bar{x}_n)^2\big)$$ (Eq.3.10)

The whole process can now be cast as a series of steps to be followed iteratively. Given the first n points and our values of $\bar{x}_n$ and $s_n$:

(1) When a new point $x_{n+1}$ is measured, compute the gain factor K = 1/(n+1).

(2) Compute the new estimate of the average:
$$\bar{x}_{n+1} = \bar{x}_n + K\,(x_{n+1} - \bar{x}_n)$$ (Eq.3.11)

(3) Compute a provisional estimate of the new variance:
$$s'^2_{n} = s_n^2 + K\,(x_{n+1} - \bar{x}_n)^2$$ (Eq.3.12)

(4) Obtain the correct $s_{n+1}$ with the correction
$$s_{n+1}^2 = (1 - K)\, s'^2_{n}$$ (Eq.3.13)

(5) Finally, compute the normal range
$$\Big(\bar{x}_n - z_{\alpha/2}\frac{s_n}{\sqrt{n}},\;\; \bar{x}_n + z_{\alpha/2}\frac{s_n}{\sqrt{n}}\Big)$$ (Eq.3.14)

The iterative computation is used to update the average, the standard deviation, and consequently the normal range. When a new value falls outside the normal range, we define it as an abnormality. Each node monitors protocol-layer activity to detect abnormality; once an abnormality is observed, the node characterizes it (Chapter 4) as an attack signature and logs it for traceback. Abnormal values are excluded from the calculation of the normal range.
The advantage of the Pivot method is more accurate abnormality detection; its cost is higher computational overhead.

3.5 Abnormality Detection with EWMA

To define the normal profile ($A_R$ and $\bar{x}_n$), protocol-layer activity must be monitored over a time window. A short window reflects more recent activity, while a long window accommodates more history. There is a tradeoff between the two: a short window follows short-term traffic fluctuation, but can erroneously capture a short-term burst as the normal profile; a long window eliminates short-term bursts, but takes longer to compute the normal profile and fails to follow short-term fluctuation. To overcome the disadvantages of both extremes, we use an EWMA (Exponentially Weighted Moving Average) that considers both short-term and long-term protocol activity. The EWMA at time k+1 is calculated as

$$Norm(k+1) = \beta \cdot a(k) + (1 - \beta)\cdot a(k+1)$$ (Eq.3.15)

where a(k) is the abnormality observed at time k and a(k+1) is the abnormality observed at time k+1. Through the value of β, more weight can be put on the short-term or on the long-term observation. We investigate how this parameter affects detection accuracy in the analysis section.

3.6 Coarse-grained vs. Fine-grained Abnormality Detection

We define coarse-grained and fine-grained detection. In coarse-grained detection, abnormality is detected at the aggregate traffic level without payload inspection. Its advantage is computational simplicity. Its problem is that low abnormality, which occurs in the presence of high background traffic, is hard to detect; in addition, low abnormality is what is observed near the distributed attack origins.
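The three detectors of Sections 3.3 to 3.5, run in Python over one constructed series of per-slot frame counts so that their behaviour on a small and a large burst can be compared. This is an added example and not the dissertation's code. It assumes $z_{\alpha/2}$ = 1.96 (a 95% interval), a warm-up of eight slots to seed the profile, and the FDM threshold of 0.5 from Section 3.3. The EWMA is applied in its usual recursive form, Norm(k+1) = β·Norm(k) + (1-β)·a(k+1), which is what makes the weighting exponential; the page writes the one-step form with a(k) in place of Norm(k). Flagged slots are left out of the profile, as Section 3.4 prescribes, and only upward deviations are flagged, since a flooding attack can only add traffic.

```python
"""FDM (Eq. 3.3), the recursive Pivot method (Eq. 3.11 to 3.14) and an EWMA
normal profile (Section 3.5), run over one constructed series of per-slot
frame counts.  Added example, not code from the dissertation."""
from math import sqrt

Z_ALPHA_2 = 1.96   # z_{alpha/2} for a 95% normal interval (assumed)


class PivotProfile:
    """Running mean and variance updated with the gain K = 1/(n+1)."""

    def __init__(self, z=Z_ALPHA_2):
        self.n, self.mean, self.var, self.z = 0, 0.0, 0.0, z

    def update(self, x):
        k = 1.0 / (self.n + 1)                       # step (1)
        delta = x - self.mean
        self.mean += k * delta                       # step (2), Eq. 3.11
        provisional = self.var + k * delta * delta   # step (3), Eq. 3.12
        self.var = (1.0 - k) * provisional           # step (4), Eq. 3.13
        self.n += 1

    def normal_range(self):
        """Step (5), Eq. 3.14: mean +/- z * s_n / sqrt(n)."""
        half = self.z * sqrt(self.var) / sqrt(self.n)
        return self.mean - half, self.mean + half


def fdm_level(a_s, a_r):
    """Eq. 3.3: fractional deviation of slot count a_s from the reference a_r."""
    return (a_s - a_r) / a_r


def ewma(norm_k, a_k1, beta):
    """Recursive EWMA: beta weights the running profile, 1 - beta the new slot."""
    return beta * norm_k + (1.0 - beta) * a_k1


def detect(series, method, warmup=8, threshold=0.5, beta=0.7):
    """Return the indices of slots flagged abnormal.  method is 'fdm' (uniform
    average, fixed threshold), 'mfdm' (EWMA average, fixed threshold) or
    'pivot' (adaptive range).  Flagged slots are kept out of every profile and
    only upward deviations are flagged (a flooding attack only adds traffic)."""
    pivot = PivotProfile()
    total, count, profile = 0.0, 0, None
    flagged = []
    for i, x in enumerate(series):
        if i >= warmup:
            if method == "pivot":
                abnormal = x > pivot.normal_range()[1]
            else:
                a_r = profile if method == "mfdm" else total / count
                abnormal = fdm_level(x, a_r) > threshold
            if abnormal:
                flagged.append(i)
                continue
        # normal slot (or warm-up): fold it into every profile
        pivot.update(x)
        total, count = total + x, count + 1
        profile = x if profile is None else ewma(profile, x, beta)
    return flagged


# Constructed per-slot frame counts: 8 warm-up slots of background traffic,
# a +40% burst at slots 12-14 and a +100% burst at slots 17-19.
SERIES = [20, 22, 19, 21, 20, 23, 18, 21,
          20, 21, 20, 21,
          29, 30, 28,
          20, 21,
          41, 42, 40,
          20]


def compare_all(series=SERIES):
    """Flagged slots per detector, for the comparison of Section 3.8."""
    return {m: detect(series, m) for m in ("fdm", "mfdm", "pivot")}


if __name__ == "__main__":
    for method, slots in compare_all().items():
        print(f"{method:>5}: abnormal slots {slots}")
```

On this series FDM and MFDM miss the +40% burst entirely (it stays below the fixed 0.5 threshold) and catch only the +100% burst, while the Pivot range catches both; this is the effect behind Fig.3.7. Note that Eq.3.14 is the confidence interval of the mean, not a prediction interval for a single slot, so the band narrows as n grows and ordinary background fluctuation will be flagged more often as the profile ages. The page accepts this because false positives are removed at the matching stage; a deployment that logs every flagged slot should budget storage for it.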
Low abnormality is not detected because it lies under the threshold. If we lower the threshold, there is a high chance of erroneously capturing normal traffic as abnormality, which decreases logging efficiency. To address this problem, we define fine-grained abnormality detection, which uses minimal fine-grained information (i.e., destination address and previous-hop MAC address) to drastically reduce the noise traffic (i.e., background traffic from non-attacker nodes) mixed with the attack traffic. In Fine-grained Network Layer Monitoring (F-NLM), the attack signature is captured per destination (i.e., we keep an abnormality table indexed by destination address). We can rely on the destination address because the attacker does not spoof it: the attack traffic must reach the victim to achieve its goal. As shown in Fig.3.4, a monitoring node (inside the dotted circle) can remove noise traffic destined to non-victim nodes; we call this noise traffic forward noise.

[Figure 3.4] Illustration of forward noise reduction: attack traffic flows from the attacker through intermediate nodes to the victim; the monitoring node discards forward noise (traffic to other destinations).

In addition, with Fine-grained MAC Layer Monitoring (F-MLM), noise traffic mixed with the attack traffic can be reduced drastically. As shown in Fig.3.5, a monitoring node (inside the dotted circle; the solid circle is its overhearing range) can remove noise traffic that does not come from the same previous-hop MAC address as the attack traffic; we call this noise traffic backward noise.

[Figure 3.5] Illustration of backward noise reduction: the monitoring node discards backward noise (traffic from previous hops other than the one relaying the attack traffic).

By using the fine-grained information of both the network layer and the MAC layer (i.e., destination address and previous-hop MAC address), which we call Cross Layer Monitoring (CLM), both forward and backward noise can be reduced, as shown in Fig.3.6.
This cross-layer monitoring is used throughout this dissertation, i.e., in abnormality characterization, abnormality matching, and countermeasures.

[Figure 3.6] Illustration of forward/backward noise reduction using CLM: both forward noise (other destinations) and backward noise (other previous hops) are discarded at the monitoring node.

3.7 Important Parameters

For accurate abnormality detection, several parameters must be designed carefully. We identify them here and analyze their impact in the analysis section.

Monitoring window. The monitoring window (N) is the time duration during which protocol-layer activity is monitored and the normal profile is calculated. How long must protocol activity be monitored to compute the normal profile (e.g., the average)? What are the advantages of a long versus a short monitoring duration? What is the optimal monitoring duration under different background traffic? We answer these questions in the analysis section.

Normal profile calculation method. How do we calculate the normal profile? The simplest way is to weight all observations equally regardless of time. Alternatively, observations can be weighted by time using EWMA (e.g., more weight on recent values). We identify the advantages and disadvantages of each method.

Threshold calculation. To detect and define abnormality, we need a detection threshold. It can be a reasonable fixed value, or it can adapt to the variance of the background traffic. For the fixed threshold we use FDM (Fractional Deviation from the Mean); for the adaptive threshold we use the Pivot method. We analyze the advantages and disadvantages of each scheme.

3.8 Performance Analysis

We use several abnormality detection mechanisms and compare them.
For normal profile calculation we use EWMA and the uniform-weight average. EWMA puts more weight on recent data; the uniform-weight average weights all history data equally. For threshold setting we use FDM and the Pivot method. Overall we compare four schemes: FDM, MFDM (FDM with EWMA), Pivot, and MPivot (Pivot method with EWMA).

Fig.3.7 shows the detection success rate under stable background traffic. We call the background traffic "stable" when its variance lies within [0%, 10%] of the average background traffic. Attack percentage is the size of the average attack traffic relative to the average normal traffic. FDM and MFDM use a fixed average calculation and a fixed threshold of 0.5; Pivot and MPivot use an adaptive threshold based on the standard deviation. As Fig.3.7 shows, FDM and MFDM (with threshold 0.5) have a low detection success rate when the relative attack size is low: with a fixed threshold, a small attack falls below the threshold and the abnormality is missed. There is little difference between the plain average and the moving average, because the background traffic is stable across the monitoring period in these experiments.

[Figure 3.7] Detection success rate under stable background traffic (x-axis: attack percentage, 10% to 190%; y-axis: detection success rate, 0 to 1; series: FDM, MFDM, Pivot, MPivot)

Fig.3.8 shows the detection success rate under highly fluctuating background traffic, where the background traffic per time slot is randomly distributed in [1, MAX], MAX being the maximum background traffic. Pivot and MPivot again perform better than FDM and MFDM, similar to Fig.3.7. However, EWMA gives slightly lower performance, which is counter-intuitive.
That is, putting more weight on recent data has a negative impact on the detection success rate, because a short-term (i.e., recent) average can be high and lead to false negatives, while a short-term low average does not increase the detection success rate, since attack traffic is captured only when it is above the average.

[Figure 3.8] Detection success rate under fluctuating background traffic (x-axis: attack percentage, 10% to 190%; y-axis: detection success rate, 0 to 1; series: FDM, MFDM, Pivot, MPivot)

Fig.3.9 shows the detection success rate under increasing background traffic, where the background traffic increases constantly with a variance within [1, 10%]. The trend is similar to Fig.3.8, but performance is worse when more weight is put on recent data, because the average of the recent data is then higher than the long-term average, so the abnormality is hardly captured when the attack percentage is low.

[Figure 3.9] Detection success rate under increasing background traffic (x-axis: attack percentage, 0.1 to 1.9; y-axis: detection success rate, 0 to 1; series: FDM, MFDM, Pivot, MPivot)

Fig.3.10 shows a different trend from Fig.3.7, Fig.3.8, and Fig.3.9. When background traffic is constantly decreasing, EWMA has a high success rate, because it captures the recent low average and therefore captures the abnormality, whereas the long-term average stays high and yields a low detection success rate.

[Figure 3.10] Detection success rate under decreasing background traffic (x-axis: attack percentage, 0.1 to 1.9; y-axis: detection success rate, 0 to 1; series: FDM, MFDM, Pivot, MPivot)

Fig.3.11, Fig.3.12, and Fig.3.13 show the detection success rate using fine-grained information (MAC information in Fig.3.11, network information in Fig.3.12, cross-layer information in Fig.3.13).
Fig.3.11 shows the improvement when only MAC-layer information is used, and Fig.3.12 when only network-layer information is used. Using both MAC and network-layer information drastically increases the success rate, as is evident in Fig.3.13, because noise traffic is removed and the average background traffic is reduced, so abnormality is detected in a more fine-grained manner. The high detection success rate does not increase false positives in our traceback, because the matching test eliminates them; we illustrate this by example in a later section.

[Figure 3.11] Detection improvement with F-MLM (x-axis: attack percentage, 0.1 to 1.9; y-axis: detection success rate, 0 to 1; series: FDM, MFDM, Pivot, MPivot)

[Figure 3.12] Detection improvement with F-NLM (same axes and series)

[Figure 3.13] Detection improvement with CLM (same axes and series)

Chapter 4 Abnormality Characterization

4.1 Overview

Once an attack is detected by the abnormality detection process, we start characterizing the abnormality. The characterized abnormality at the victim is called the attack signature, and the characterized abnormality at an intermediate node is called a candidate attack signature. Candidate attack signatures and the attack signature are used in the abnormality matching test. We provide two classes of abnormality characterization methods, namely (I) traffic pattern-based abnormality characterization and (II) cumulative distribution function-based abnormality characterization. We compare the advantages and disadvantages of each in the following subsections.
4.2 Abnormality Characterization with Traffic Pattern

With the traffic pattern method, abnormality is characterized by the time series of the abnormality information (e.g., packet count, frame count, collision rate). More specifically, when the abnormality information observed at node A in time slot i is defined as $a_i$, the abnormality over time slots [1, n] is characterized as the pattern

$$\text{Characterized abnormality} = (a_1, a_2, \ldots, a_n)$$ (Eq.4.1)

Fig.4.1 shows the graphical representation of the characterized abnormality information. The sampling window D is

$$D = n \cdot d$$ (Eq.4.2)

where d is the time slot length. The $V_a$ factor captures the time-series fluctuation of the abnormality information and the $H_a$ factor captures the increase in abnormality volume.

[Figure 4.1] Abnormality characterization with traffic pattern (packet count over time from t to t+D; sampling window D, slot size d; $V_a$ and $H_a$ factors marked)

4.3 Abnormality Characterization with Distribution Function

The second scheme characterizes the abnormality by its cumulative distribution function [20]. When the time-series abnormality data (e.g., number of frames per unit time slot) over a window of n unit slots, $(a_1, a_2, \ldots, a_n)$, is observed, the distribution function is given in terms of the order statistics. Let $y_1 < y_2 < \cdots < y_n$ be the observed values of the order statistics of the sample $a_1, a_2, \ldots, a_n$ of size n. Then the distribution function is defined as

$$F_n(x) = \begin{cases} 0, & x < y_1 \\ k/n, & y_k \le x < y_{k+1},\quad k = 1, 2, \ldots, n-1 \\ 1, & y_n \le x \end{cases}$$ (Eq.4.3)

We use $F_n(x)$ as the characterized attack signature. Fig.4.2 shows its graphical representation. Traceback performance varies with the characterization process; for efficient characterization, parameters such as the unit time window and the total time window must be designed carefully.

[Figure 4.2] Abnormality characterization using distribution function ($F_n(x)$ versus x, rising from 0 to 1; $A_m$ and $A_s$ marked on the x-axis)

4.4 Coarse-grained vs. Fine-grained Abnormality Characterization

In coarse-grained abnormality characterization, the abnormality information is captured from the aggregate traffic (e.g., aggregate packet count, aggregate frame count) observed at each node, without considering packet or frame content such as the destination address or the MAC address. In fine-grained characterization with cross-layer information, the destination address and the previous-hop MAC address are used for characterization (Table 4.1).

[Table 4.1] Abnormality table using cross-layer information

Destination_addr | Source_MAC_addr | Abnormality
1                | 2               | Ξ(1,2)
1                | 3               | Ξ(1,3)
...              | ...             | ...

There is an obvious tradeoff between coarse-grained and fine-grained characterization. With coarse-grained characterization, the space complexity of abnormality logging is O(1), but abnormality matching, and consequently traceback performance, is poor. With fine-grained characterization, the space complexity becomes O(N*M), where N is the number of destination addresses and M the number of source MAC addresses, but traceback performance improves because the background traffic is reduced.

4.5 Important Parameters for Abnormality Characterization

Several parameters affect the abnormality characterization process and the matching test performed on the characterized abnormality. We identify some of them below.

Unit time window. The unit time slot is the atomic interval during which abnormality is observed. A short unit time slot has the merit that abnormality detection becomes fast. On the other hand, a short unit time slot can suffer from time asynchrony in the matching process, since matching is performed between nodes that are geographically separated.
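An added Python example of the cross-layer abnormality table of Table 4.1 and of the forward/backward noise split of Section 3.6; it is not code from the dissertation. The frame log is constructed: each record is what one monitoring node overhears in one slot, and the victim address and the previous-hop MAC of the attack traffic are assumed values. The "Source_MAC_addr" column of Table 4.1 is taken here to be the transmitter address of the previous hop, which is what a node can read from an overheard 802.11 frame. The example also applies the noise reduction rate of Eq.5.9 to frame counts rather than connection counts, which is an assumption made here to show the quantity on the same data.

```python
"""Cross-layer abnormality table (Table 4.1) built from frames overheard at
one monitoring node, with the forward/backward noise split of Section 3.6
and the noise reduction rate of Eq. 5.9 applied to frame counts.  Added
example, not code from the dissertation; the frame log is constructed."""
from collections import defaultdict

VICTIM = "10.0.0.9"                      # assumed victim address
ATTACK_PREV_HOP = "aa:bb:cc:00:00:01"    # assumed previous-hop MAC of the attack traffic
SLOTS = 4

# Constructed log of overheard frames: (slot, previous-hop MAC, destination IP, frame count)
FRAMES = []
for _slot in range(SLOTS):
    FRAMES += [
        (_slot, "aa:bb:cc:00:00:01", "10.0.0.9", 6),  # attack traffic
        (_slot, "aa:bb:cc:00:00:01", "10.0.0.5", 2),  # forward noise: same prev hop, other destination
        (_slot, "aa:bb:cc:00:00:02", "10.0.0.7", 3),  # forward noise
        (_slot, "aa:bb:cc:00:00:02", "10.0.0.9", 2),  # backward noise: victim-bound, other prev hop
        (_slot, "aa:bb:cc:00:00:03", "10.0.0.9", 1),  # backward noise
    ]


def abnormality_table(frames, slots=SLOTS):
    """Xi(dst, prev_mac): per-slot frame counts keyed by (destination, previous-hop MAC)."""
    table = defaultdict(lambda: [0] * slots)
    for slot, mac, dst, n in frames:
        table[(dst, mac)][slot] += n
    return dict(table)


def monitored_series(frames, victim, attack_mac, slots=SLOTS):
    """Per-slot counts as seen at each monitoring granularity."""
    coarse, f_nlm, f_mlm, clm = ([0] * slots for _ in range(4))
    for slot, mac, dst, n in frames:
        coarse[slot] += n                         # aggregate, no content inspected
        if dst == victim:
            f_nlm[slot] += n                      # F-NLM: destination filter
        if mac == attack_mac:
            f_mlm[slot] += n                      # F-MLM: previous-hop filter
        if dst == victim and mac == attack_mac:
            clm[slot] += n                        # CLM: both filters
    return {"coarse": coarse, "F-NLM": f_nlm, "F-MLM": f_mlm, "CLM": clm}


def noise_split(frames, victim, attack_mac):
    """Eq. 5.8 on frame counts: N_D = frames to other destinations (forward noise),
    N_S = victim-bound frames from other previous hops (backward noise)."""
    n_d = sum(n for _, mac, dst, n in frames if dst != victim)
    n_s = sum(n for _, mac, dst, n in frames if dst == victim and mac != attack_mac)
    return n_d, n_s


def noise_reduction_rate(frames, victim, attack_mac):
    """Eq. 5.9: 1 - N_S / N_TN, the share of noise that destination filtering alone removes."""
    n_d, n_s = noise_split(frames, victim, attack_mac)
    total = n_d + n_s
    return 1.0 - n_s / total if total else 1.0


def strongest_entry(table):
    """The (dst, prev_mac) key with the largest total count: the row a node
    would log as its candidate attack signature."""
    return max(table, key=lambda key: sum(table[key]))


if __name__ == "__main__":
    for name, series in monitored_series(FRAMES, VICTIM, ATTACK_PREV_HOP).items():
        print(f"{name:>6}: {series}")
    print("forward/backward noise:", noise_split(FRAMES, VICTIM, ATTACK_PREV_HOP))
    print("F-NLM noise reduction:", noise_reduction_rate(FRAMES, VICTIM, ATTACK_PREV_HOP))
    print("strongest entry:", strongest_entry(abnormality_table(FRAMES)))
```

On this log the coarse count is 14 frames per slot, of which only 6 are attack traffic; F-NLM leaves 9, F-MLM leaves 8, and CLM isolates the 6. The destination filter alone removes 62.5% of the noise, and what it cannot remove is exactly the backward noise that the previous-hop MAC filter is for. The table keyed by (destination, previous-hop MAC) is the O(N*M) structure of Section 4.4; a node that cannot afford it can fall back to the two one-dimensional tables at the cost of the noise shown here.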
When attack traffic traverses multiple geographically separated nodes, the attack signature data shows a time shift. A longer unit time slot alleviates the time asynchrony problem; its disadvantage is that it delays abnormality characterization.

Total signature window. The total signature window is the sum of all unit time slots during which abnormality is observed and logged. Like the unit time slot, the total signature window affects traceback performance: depending on its size, false positives and false negatives increase or decrease. We analyze these aspects in detail in the analysis section. Since the performance of abnormality characterization is closely tied to abnormality matching, we analyze characterization and matching together in Chapter 5.

Chapter 5 Abnormality Matching

5.1 Overview

An abnormality matching technique is needed to compare the attack signature with the candidate attack signatures produced by the abnormality characterization process. When a high matching level is observed, we infer that the attack traffic traversed the region where the high match was observed. We provide two classes of abnormality matching techniques, namely traffic pattern matching and the Kolmogorov-Smirnov (K-S) fitness test. We compare the advantages and disadvantages of each scheme in the performance analysis section.

5.2 Traffic Pattern/Volume Matching

Traffic Pattern Matching (TPM) defines the correlation coefficient between the attack signature at node A (the victim) and the candidate attack signature at node B (an intermediate node). TPM captures the variation of traffic volume, $V_a$ in Fig.5.1. When the abnormality observed at node A is $(a_1, a_2, \ldots, a_n)$ and the abnormality observed at node B is $(b_1, b_2, \ldots, b_n)$, the correlation coefficient is
$$r(A,B) = \frac{1}{n\, S_A\, S_B}\sum_{i=1}^{n}(a_i - \bar{A})(b_i - \bar{B})$$ (Eq.5.1)

where

$$S_A = \sqrt{\frac{1}{n}\sum_{i=1}^{n}(a_i - \bar{A})^2}$$ (Eq.5.2)

$$S_B = \sqrt{\frac{1}{n}\sum_{i=1}^{n}(b_i - \bar{B})^2}$$ (Eq.5.3)

and $\bar{A}$ and $\bar{B}$ are the averages of $(a_1, \ldots, a_n)$ and $(b_1, \ldots, b_n)$. If the correlation coefficient r(A,B) is high (greater than 0.7), the abnormality at A is said to match the abnormality at B.

We also use Traffic Volume Matching (TVM) to reflect the $H_a$ factor in Fig.5.1 and complement TPM. The traffic volume at two points A and B matches when the two show a similar volume size. Mathematically, we use the following least-squares scale factor as the matching level:

$$c = \frac{\sum_{i=1}^{n} a_i\, b_i}{\sum_{i=1}^{n} a_i^2}$$ (Eq.5.4)

When c is close to 1 (e.g., greater than 0.7), the traffic volumes at nodes A and B match. Fig.5.1 shows the graphical representation of TPM and TVM between an attack signature and a candidate attack signature.

[Figure 5.1] Traffic pattern/volume matching (packet count over time: attack signature and candidate attack signature)

The matching test in DoS attacker traceback is straightforward, since there is only one attack signature and one candidate attack signature at a time. A DDoS attack, however, is performed from multiple nodes, and the abnormality matching test becomes more complicated: partial attack traffic is merged at the victim or at an intermediate node, so combinations of partial traffic from multiple nodes must be compared with the merged traffic to find the distributed attack routes. There are two possible scenarios in the merging of partial attack traffic: (i) the partial attack traffic shows a traffic pattern different from the merged traffic, i.e., $r(P_i, M)$ is low, where $P_i$ is a partial attack signature and M is the merged attack signature; or (ii) the partial attack signature shows a traffic pattern similar to the merged attack traffic, i.e., $r(P_i, M)$ is high. In the second scenario, TVM is especially important for detecting multiple attack routes.
With a TPM-only scheme, many false negatives are inevitable, since each partial attack traffic may show a high TPM with the merged attack traffic. When the correlation coefficient $r(\sum_{i=1}^{L} p_i, M)$, where L is the total number of partial attack signatures and M is the merged attack signature, is high, we can say that the sum of the partial attack signatures p_i matches the merged attack signature. There are S possible combinations of the K candidate (L ≤ K) partial attack traffic, as follows.
$S = \sum_{i=1}^{K} C_i^{K}$ (Eq.5.5)
In our scheme, the combination that shows the highest TPM/TVM level is selected as the path of the distributed DDoS attack traffic.

5.3 Kolmogorov-Smirnov Fitness Test
We use the Kolmogorov-Smirnov (KS) statistic D_n [28] to test the hypothesis that two abnormalities, F_n(x) and F_0(x), match. F_0(x) corresponds to the reference abnormality, which is included in the query message, and F_n(x) is the candidate abnormality observed by the vicinity nodes.
$D_n = \sup_x \left[ |F_n(x) - F_0(x)| \right]$ (Eq.5.6)
$H_0: F_n(x) = F_0(x)$, $H_a: F_n(x) \neq F_0(x)$ (Eq.5.7)
[Figure 5.2] Kolmogorov-Smirnov fitness test (cumulative distributions F_n(x) of the attack signature and the candidate attack signature, and the distance between them)
We accept H_0 if the distribution function F_n(x) is sufficiently close to F_0(x), that is, if the value of D_n is sufficiently small. The hypothesis H_0 is rejected if the observed value of D_n is greater than the selected critical value, which depends on the desired significance level and the sample size. When H_0 is accepted (sufficiently similar), we can infer that the abnormality matches, meaning that the attack traffic traversed the region where the similar abnormality is observed. In DDoS attacker traceback, multiple candidate attack signatures are observed by multiple abnormality observers. Unlike DoS attacker traceback, a combinational matching test needs to be done.
That is, abnormality matching should be performed between the attack signature and all of the candidate attack signatures. Then, the contacts that show the highest matching level are selected as branch attack routes. Unlike TPM/TVM, the K-S fitness test considers both pattern and volume information simultaneously.

5.4 Coarse-grained vs. Fine-grained Abnormality Matching
As with detection and characterization, we use coarse-grained and fine-grained matching. By reducing noise with fine-grained information, we can increase matching accuracy. The noise can be reduced with MAC (previous-hop MAC address) and network address (destination) information. In this section, we analyze in more detail how much noise can be reduced.

• Fine-grained matching with network address information
To investigate how much noise traffic can be removed using fine-grained network-layer information, we perform a simple connection-level analysis. We first define the total noise as follows.
$N_{TN}^n = N_D^n + N_S^n$ (Eq.5.8)
where
N_D^n: noise traffic (number of connections) heading to destinations other than the victim
N_S^n: noise traffic (number of connections) heading to the same destination (the victim) but not coming from the attacker
The noise reduction rate that can be achieved through our fine-grained traceback scheme is calculated as follows.
$N_{RN}^n = \frac{N_D^n}{N_D^n + N_S^n} = \frac{N_{TN}^n - N_S^n}{N_{TN}^n} = 1 - \frac{N_S^n}{N_{TN}^n}$ (Eq.5.9)
The noise reduction rate depends on the congestion factor and the destination diversity. Basically, if there is much traffic (high congestion) coming into a node, there is a high chance that normal traffic heading to the victim exists. In addition, if the destinations of the traffic are not uniformly distributed (e.g., traffic goes to only a few server nodes, i.e., low destination diversity), the chance of sharing the same destination as the attack traffic becomes high.
Taking the congestion and destination diversity factors into account, we performed a simple analysis to show how much noise traffic can be reduced, as follows.
$N_S^n \approx E(N_S^n) = \sum_{i=0}^{N_C^n} i \cdot \Pr\{N_S^n = i\}$ (Eq.5.10)
where
$\Pr\{N_S^n = i\} = C_i^{N_{TN}} (1/M)^i (1 - 1/M)^{N_{TN} - i}$ (Eq.5.11)
M: destination diversity factor
N_C^n: congestion factor
Hence, the noise reduction rate is calculated as follows.
$N_{RN}^n = 1 - \frac{\sum_{i=0}^{N_C^n} i \cdot C_i^{N_C^n} (1/M)^i (1 - 1/M)^{N_C^n - i}}{N_{TN}^n}$ (Eq.5.12)
In addition, the actual noise rate included in the attack traffic is calculated as follows.
$\text{Noise rate} = \frac{N_{RN}^n}{1 + N_{RN}^n}$ (Eq.5.13)
There is a difference between the noise reduction rate and the noise rate. Even if we can drastically reduce the relative noise rate (i.e., the noise reduction rate) with the fine-grained scheme compared to the coarse-grained scheme, noise may still exist in the attack traffic (noise rate > 0). As we can see in Fig.5.3, we can drastically reduce the noise rate (the Congestion Factor (CF) represents how many connections are coming into a node, and the Destination Diversity (DD) represents how many destinations exist). The reduction rate shows a constant value regardless of the congestion factor, because more noise is reduced as more traffic comes into a node. However, noise still exists, as shown in Fig.5.4, and the noise rate is high when destination diversity is low.
[Figure 5.3] Noise reduction rate with F-NLM (x-axis: Congestion Factor, 5 CF to 20 CF; y-axis: Noise reduction rate; series: 5 DD to 35 DD)
[Figure 5.4] Noise rate with F-NLM (x-axis: Destination diversity, 5 to 95; y-axis: Noise rate; series: 5 CF to 20 CF)

• Fine-grained matching with MAC address information
The noise reduction rate that can be achieved through our fine-grained traceback scheme is calculated as follows.
$N_{RN}^m = \frac{N_D^m}{N_D^m + N_{SD}^m + N_{DD}^m} = \frac{N_{TN}^m - (N_{SD}^m + N_{DD}^m)}{N_{TN}^m} = 1 - \left( \frac{N_{SD}^m}{N_{TN}^m} + \frac{N_{DD}^m}{N_{TN}^m} \right)$ (Eq.5.14)
The noise reduction rate depends on how many previous-hop nodes exist. If there are many previous-hop nodes that generate background traffic to a node, we can reduce the background traffic noise by keeping a separate traffic signature per previous-hop node. The actual noise reduction rate and noise rate are calculated as follows.
$N_{SD}^m + N_{DD}^m \approx E(N_{SD}^m + N_{DD}^m) = \sum_{i=0}^{N_C^m} i \cdot \Pr\{N_{SD}^m + N_{DD}^m = i\}$ (Eq.5.15)
where
$\Pr\{N_{SD}^m + N_{DD}^m = i\} = C_i^{N_{TN}} (1/P)^i (1 - 1/P)^{N_{TN} - i}$ (Eq.5.16)
P: number of one-hop neighbors
N_C^m: congestion factor
Hence, the noise reduction rate with NLM-FT is calculated as follows.
$N_{RN}^m = 1 - \frac{\sum_{i=0}^{N_C^m} i \cdot C_i^{N_C^m} (1/P)^i (1 - 1/P)^{N_C^m - i}}{N_{TN}^m}$ (Eq.5.17)
The noise rate is defined as follows.
$\text{Noise rate} = \frac{N_{RN}^m}{1 + N_{RN}^m}$ (Eq.5.18)
There is a difference between the noise reduction rate and the noise rate. Even if we can drastically reduce the relative noise rate (i.e., the noise reduction rate) compared to the coarse-grained scheme, noise is still included in the attack traffic (noise rate > 0). As we can see in Fig.5.5, we can drastically reduce the noise rate (the Congestion Factor (CF) represents how many connections are coming into a node, and N represents how many one-hop neighbors a monitoring node has). The reduction rate shows a constant value regardless of CF, because more noise is reduced as more traffic comes into a node. However, noise still exists, as shown in Fig.5.6, and the noise rate is high when the number of one-hop neighbors is small.
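The binomial noise model shared by the network-address analysis (Eq.5.10 to 5.12, M destination classes) and the MAC-address analysis (Eq.5.15 to 5.17, P previous-hop classes), as an added example that is not code from the dissertation. It assumes each of the N_TN background connections falls into one of the classes uniformly and independently, and that N_TN equals the congestion factor N_C, which is what makes the reduction rate constant across CF as the text reports for Fig.5.3 and Fig.5.5.

```python
# Added example (not from the dissertation): connection-level noise analysis of
# Eqs.5.10-5.12 (classes = M destinations) and Eqs.5.15-5.17 (classes = P previous hops).
# Assumptions: uniform, independent class choice per background connection; N_TN = N_C.
from math import comb


def prob_same_class(n_tn, i, classes):
    """Eq.5.11 / Eq.5.16: Pr{exactly i of n_tn background connections share the attack
    traffic's class (same destination, or same previous-hop neighbor)}."""
    p = 1.0 / classes
    return comb(n_tn, i) * p ** i * (1 - p) ** (n_tn - i)


def expected_same_class(n_c, n_tn, classes):
    """Eq.5.10 / Eq.5.15: E[N_S] = sum_{i=0}^{N_C} i * Pr{N_S = i}."""
    return sum(i * prob_same_class(n_tn, i, classes) for i in range(n_c + 1))


def noise_reduction_rate(n_c, classes, n_tn=None):
    """Eq.5.12 / Eq.5.17: N_RN = 1 - E[N_S] / N_TN, with N_TN defaulting to N_C."""
    n_tn = n_c if n_tn is None else n_tn
    return 1.0 - expected_same_class(n_c, n_tn, classes) / n_tn


def reduction_table(congestion_factors, class_counts):
    """Rows of Fig.5.3 / Fig.5.5: {classes: [reduction rate at each CF]}."""
    return {k: [noise_reduction_rate(cf, k) for cf in congestion_factors]
            for k in class_counts}


if __name__ == "__main__":
    cfs = (5, 10, 15, 20)
    print("network-layer (M destinations):")
    for m, row in reduction_table(cfs, (5, 10, 20, 35)).items():
        print(f"  M={m:2d}: " + "  ".join(f"CF={cf}: {r:.3f}" for cf, r in zip(cfs, row)))
    print("MAC-layer (P one-hop neighbors):")
    for p, row in reduction_table(cfs, (5, 8, 10)).items():
        print(f"  P={p:2d}: " + "  ".join(f"CF={cf}: {r:.3f}" for cf, r in zip(cfs, row)))
```

Under these assumptions the sum in Eq.5.12 collapses to N_C / M, so the reduction rate is 1 - 1/M (or 1 - 1/P) whatever the congestion factor; the residual noise rate of Eq.5.13 and Eq.5.18 is deliberately left out, since it is a separate quantity.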
[Figure 5.5] Noise reduction rate using F-MLM (x-axis: Congestion Factor, 5 CF to 20 CF; y-axis: Noise reduction rate; series: N=5 to N=10)
[Figure 5.6] Noise rate of F-MLM (x-axis: Number of one-hop neighbors, 5 to 10; y-axis: Noise rate; series: 5 CF to 20 CF)

• Fine-grained matching with MAC/network address information
To investigate how much noise traffic can be removed using F-MLM, we perform a connection-level analysis. We define the total noise as follows.
$N_{TN}^m = N_D^m + N_{SD}^m + N_{DD}^m$ (Eq.5.19)
where
N_D^m: noise traffic coming from a neighbor node that does not relay attack traffic
N_SD^m: noise traffic coming from a neighbor that relays attack traffic and heading to the victim (but not attack traffic)
N_DD^m: noise traffic coming from a neighbor that relays attack traffic but not heading to the victim
The noise reduction rate that can be achieved through our fine-grained traceback scheme is calculated as follows.
$N_{RN}^m = \frac{N_D^m}{N_D^m + N_{SD}^m + N_{DD}^m} = \frac{N_{TN}^m - (N_{SD}^m + N_{DD}^m)}{N_{TN}^m} = 1 - \left( \frac{N_{SD}^m}{N_{TN}^m} + \frac{N_{DD}^m}{N_{TN}^m} \right)$ (Eq.5.20)
The actual noise rate included in the attack traffic (noise rate) is calculated as follows.
$\text{Noise rate} = \frac{N_{RN}^h}{1 + N_{RN}^h}$ (Eq.5.21)
There is a difference between the noise reduction rate and the noise rate. Even if we can drastically reduce the relative noise rate (i.e., the noise reduction rate) compared to the coarse-grained scheme, noise is still included in the attack traffic (noise rate > 0). As shown in Fig.5.7, the noise reduction rate is very high with MAC/network information. In addition, the actual noise rate included in the attack traffic is also very low, as shown in Fig.5.8.
[Figure 5.7] Noise reduction rate with CLM (x-axis: Congestion Factor, 5 CF to 20 CF; y-axis: Noise reduction rate; series: 5 DD to 35 DD)
[Figure 5.8] Noise rate with CLM (x-axis: Destination diversity, 5 to 95; y-axis: Noise rate; series: 5 CF to 20 CF)

5.5 Performance Analysis
We investigate the impact of abnormality characterization and matching on traceback performance. Abnormality characterization can affect traceback performance through the following factors: (1) the unit monitoring time window; (2) the total monitoring time window. We investigate the optimal window size for efficient traceback. On the other hand, abnormality matching can affect performance through the following factors: (1) the KS fitness test; (2) traffic pattern matching (with the correlation coefficient); (3) traffic volume matching (with the least-squares method). Abnormality characterization and matching are closely correlated. For instance, a short unit time window can affect matching test accuracy. Fig.5.9 and Fig.5.10 show the impact of time asynchrony on the matching test. Time asynchrony represents the attack signature shift among nodes, which is caused by geographically spread nodes observing the traversing attack signature. We compare the impact of time asynchrony on matching performance between the traffic pattern matching-based approach and the KS fitness test. In Fig.5.9 and Fig.5.10, N represents the percentage of time asynchrony in the attack signature. For example, when N is 0, the two abnormalities (i.e., the attack signature and the candidate attack signature) are observed in exactly the same time slot, which is unrealistic due to propagation/transmission/queueing delay. The ST size represents the total number of unit monitoring windows. In Fig.5.9, as N becomes bigger, the matching level (i.e., the correlation coefficient) becomes lower, which may result in high false negatives.
Obviously, this is because time asynchrony distorts the traffic pattern between different observing nodes. On the other hand, the KS fitness test in Fig.5.10 shows less negative impact from time asynchrony. All the distances are below the threshold (the threshold is set with a significance level of 0.1%), which represents a high matching level. This is because the KS fitness test checks the abnormality distribution function instead of the time-series traffic pattern.
[Figure 5.9] Impact of time asynchrony on matching test (with pattern matching) (x-axis: Signature Timeframe (ST) Size, 10 to 190; y-axis: Matching Level; series: N=0 to N=0.5)
[Figure 5.10] Impact of time asynchrony on matching test (with KS fitness test) (x-axis: Signature Timeframe (ST) Size, 10 to 190; y-axis: Distance; series: N=0 to N=0.5, Threshold(a=0.1))
In Fig.5.11 and Fig.5.12, we analyze the impact of the unit monitoring window size (10 seconds, 20 seconds, 40 seconds and 60 seconds) together with time asynchrony. The negative impact of time asynchrony increases when the unit monitoring window is small in pattern matching (Fig.5.11), because with a small unit window a small distortion of the traffic pattern can result in an overall pattern mismatch. On the other hand, a long unit monitoring window delays abnormality characterization. The KS fitness test (Fig.5.12) shows stable performance across different unit window sizes, for the same reason as in Fig.5.10.
[Figure 5.11] Impact of unit monitoring window on matching test (with pattern matching) (x-axis: Signature Timeframe (ST) Size, 10 to 190; y-axis: Matching Level; series: N=10, N=20, N=40, N=60)
[Figure 5.12] Impact of unit monitoring window on matching test (with KS fitness test) (x-axis: Signature Timeframe (ST) Size, 10 to 190; y-axis: Distance; series: Threshold(a=0.1), N=10, N=20, N=40, N=60)
Fig.5.13 shows the impact of various background traffic on the traffic pattern-based matching test. Contrary to our initial expectation, a larger ST size shows a lower matching level. That is, when highly bursty traffic exists with a larger ST size, the traffic matching level drastically decreases, because as the ST size increases there is more chance that the burstiness affects the traffic pattern. Fig.5.14 shows the impact of total background traffic on the KS fitness test-based matching level. We observe a high matching level (low distance) regardless of the ST window. This is because, in the KS fitness test, the abnormality distribution of the candidate attack signature is not affected by a small deviation from the reference profile (i.e., the attack signature).
[Figure 5.13] Impact of background traffic on matching test (with pattern matching) (x-axis: Signature Timeframe (ST) Size, 10 to 190; y-axis: Matching Level; series: High, Medium, Low Burstiness)
[Figure 5.14] Impact of background traffic on matching test (with KS fitness test) (x-axis: Signature Timeframe (ST) Size, 10 to 190; y-axis: Distance; series: High, Medium, Low Burstiness, Threshold(a=0.1))
Fig.5.15 shows the abnormality matching level between an attack signature and random bursty background traffic, where N is the number of unit monitoring windows. A high matching level (low distance) represents a false positive.
Originally, we expected that the KS fitness test would show a high false positive rate. However, the KS fitness test shows a low false positive rate, with a high distance across most ST sizes. Consequently, we conclude that the KS fitness test-based scheme outperforms traffic pattern-based traceback in terms of false positives and negatives. There is one exceptional case in which the KS test shows low performance: when both the attack signature and the candidate attack signature show the same statistical characteristics (i.e., the same average, variance, etc.) with different time-series traffic patterns, the KS test can cause false positives. However, this is considered a very rare case. In addition, there is no reason for an attacker to launch this kind of attack, since it leads to traceback success anyway.
[Figure 5.15] False positive by background traffic (with KS fitness test) (x-axis: Signature Timeframe (ST) Size, 10 to 190; y-axis: Distance, -0.4 to 1; series: N=10, N=20, N=30, N=40)

Chapter 6 Abnormality Searching

6.1 Overview
Abnormality searching is the process of finding the candidate attack signatures that show a high matching level with the attack signature. For efficient and robust attacker searching in wireless multi-hop networks, we use the small world model. Helmy [11] found that the path length in wireless networks is drastically reduced by adding a few random links (resembling a small world). These random links need not be totally random; in fact, they may be confined to a small fraction of the network diameter, which reduces the overhead of creating such a network. The random links can be established using contacts [12]. Contact nodes are a set of nodes outside the vicinity that are used as short cuts (random links) to build the small world. We extend the contact architecture to build a small world in wireless networks and to increase attacker searching efficiency with increased robustness against node compromise.
We describe the detailed small world construction scheme in the following.

6.2 Small World-based Extended Contact Architecture
Each node in the ad hoc network keeps track of a number of nodes in its vicinity, within R hops away. This defines the vicinity of a node. The vicinity information is obtained through the underlying routing protocol. Each node chooses its vicinity independently, and hence no major re-configuration is needed when a node moves or fails. There is no notion of a cluster head, and no elections that require consensus among nodes. As shown in Fig.6.1, the victim node, V, sends queries with the attack signature to its vicinity nodes (nodes within radius R) and to its contacts (C1, C2, and C3). To reach the contacts, the victim node chooses three borders, B1, B2 and B3, to which it sends the queries. The borders in turn choose three contacts r hops away, to which the borders forward the queries.
[Figure 6.1] Contact-based small world construction (legend: V: victim node; C: contact node; B: border node; R: vicinity radius; shown: V, C1 to C3, B1 to B3, r)
On demand, a victim node selects a set of contacts outside its vicinity. The main purpose of contact nodes is to act as short cuts. Hence, it is important for contacts to have vicinities that do not overlap significantly with that of the victim node, V, or with those of the other contacts of V. The first kind of overlap (vicinity overlap) occurs between the contact's vicinity and the victim's vicinity.
To reduce this overlap, the victim node attempts to push the request as far out from the victim's vicinity as possible. Let the borders of victim V be B (Fig.6.2). V sends a query to a number (NoC) of its borders B. B constructs a topology view up to R hops away using its own vicinity information, and chooses a border in its vicinity that has the maximum distance to V. The second type of overlap, route overlap, occurs between the vicinities of contacts. To reduce this overlap, V selects NoC borders with maximum separation. This is done using vicinity information.
[Figure 6.2] Small world construction with multi-level contacts (legend: V: victim; C_L1: level-1 contact; C_L2: level-2 contact; B: border node; R: vicinity radius; r: contact distance)
The above contact selection scheme provides a mechanism to select NoC contacts that are up to R+r hops away from V. We call these contacts level-1 contacts. To select farther contacts (contacts of contacts), this process is repeated as needed at the level-1 contacts, level-2 contacts and so on, up to a number of levels called maxDepth, D. Based on the contact architecture, the query that includes the attack signature is propagated to the vicinity nodes and the first-level contacts. If no node observed (relayed or overheard) the attack signature, the contact suppresses the query. Otherwise, it sends the next-level query to its contacts of contacts.
In doing so, we can perform a directional search for DoS attacker traceback and a multi-directional search for DDoS attacker traceback, where the search process has directionality towards the attacker(s). Directional and multi-directional search significantly reduce communication overhead. We verify the reduction in the analysis section. To provide robustness against node compromise, we take a majority voting approach. That is, we take a region as an attack route region when the majority of its nodes observe the abnormality. A majority of nodes can be found in a region since a contact region consists of multiple hops. More importantly, by using MAC layer information, we can drastically increase the number of abnormality observers through MAC layer overhearing. Our contact selection and search policy have the following important distinctions from [12]: (1) Contacts are randomly selected each time a search is launched, to prevent divulgence of contact information to attackers. That is, if the contact nodes for a victim were fixed, an attacker would try to compromise those fixed contact nodes to prevent traceback. To reduce this risk, we select contacts randomly. (2) Contacts in our protocol perform in-network processing (the TPM/TVM test or the KS fitness test) to check whether attack traffic traversed their vicinity nodes. (3) We perform (multi-)directional search, where the search is directed towards the attacker(s) to reduce communication overhead. (Multi-)directional search becomes possible through query suppression, where contacts that do not have an attack route in their vicinity suppress further queries. (4) To increase robustness against node compromise and topology change, we take a majority-voting approach. That is, we try to find abnormality observers within each contact vicinity, which is a multi-hop region around the contact. In addition, we can drastically increase the number of abnormality observers by using the MAC layer overhearing capability of the nodes around the attack route.
(5) Our contact selection is performed on top of the underlying ad hoc routing protocol and is independent of any specific ad hoc routing protocol.

6.3 Relay Node-based Searching vs. Majority Voting-based Searching
We introduce two classes of searching scheme: relay node-based searching and majority voting-based searching. In relay node-based searching, we try to find the intermediate nodes that relayed the attack traffic. A relay node shows a high abnormality matching level with the attack signature. Depending on the parameter selection in the contact architecture, each contact region can include multiple relay nodes. In the majority voting-based architecture, we utilize the MAC layer overhearing capability. That is, nodes around relay nodes can also observe the abnormality by overhearing MAC layer activity. For instance, overhearing nodes can observe increased busy time, collision rate, and frame count. Both relay node-based searching and majority voting-based searching have advantages and disadvantages. Relay node-based searching relies only on the relay nodes that observe the abnormality. Under high mobility or high background traffic, there is a high chance of false negatives, because nodes can move out of the attack route or some nodes can show a low abnormality matching level. Majority voting-based searching is more robust than relay node-based searching, since more nodes can observe the abnormality. However, the communication overhead increases, since more nodes need to report the abnormality to the contacts or the victim.

6.4 Performance Analysis
We compared the communication overhead (the number of transmitted/received packets) of our protocol framework in Fig.6.3 and Fig.6.4. We varied the number of nodes: 480 (area of 1680m x 1680m), 1089 (area of 2560m x 2560m), 1936 (area of 3440m x 3440m), and 3025 (area of 4320m x 4320m). The victim is located at the center of the network and the attacker is located at a random position (17 hops away in DoS and 10 hops away in DDoS) on the edge of the network.
In flooding, a query message with the attack signature is flooded to the entire network. Consequently, the communication overhead grows exponentially as the network size increases. Majority voting-based searching shows very low communication overhead (24% in the case of a 3025-node network) compared to flooding, since it deploys directional search and query suppression to reduce communication overhead. Note that the energy saving becomes significant, especially as the network size increases. The majority voting scheme shows slightly higher communication overhead than the relay node-based scheme, since the overhearing nodes around the attack route also report the attack signature. However, the overhead increase is not significant (less than 8%).
[Figure 6-3] Communication overhead in DoS attacker traceback (x-axis: Number of nodes, 484 to 3025; y-axis: Communication overhead; series: flooding, relay node-based, majority voting)
As in the DoS case, our protocol incurs low communication overhead in DDoS attacker traceback. As the number of attackers increases, the communication overhead to search for the distributed attackers also increases. However, compared with the flooding mechanism, the majority voting-based scheme incurs very low communication overhead, as shown in Fig.6.4. The improvement (40% reduction in the 4-attacker case) becomes significant as the network size increases. As in the DoS case, the overhead is slightly higher in the majority voting-based scheme than in the relay node-based scheme.
[Figure 6-4] Communication overhead in DDoS attacker traceback (x-axis: Number of nodes, 484 to 3025; y-axis: Communication overhead; series: flooding, 4 attackers (relay node-based), 6 attackers (relay node-based), 4 attackers (majority voting), 6 attackers (majority voting))
Fig.6.5 compares the robustness against node compromise of the relay node-based scheme and the majority voting scheme. N represents the number of distributed attackers.
To disable traceback, an attacker needs to compromise the nodes that observe the abnormality and prevent them from reporting the candidate attack signature. Majority voting shows higher robustness than the relay node-based scheme, which relies only on relay nodes for traceback. This is because we utilize the overhearing witness nodes around the attack route.
[Figure 6-5] Robustness against node compromise (x-axis: Hop count between attacker and victim, 5 to 25; y-axis: Necessary compromise count; series: relay node-based (N=4 or N=8), majority voting (N=4), majority voting (N=8))

Chapter 7 Countermeasure

7.1 Overview
In this chapter, we present an efficient countermeasure technique against flooding-type DoS/DDoS attacks. The countermeasure is taken once the attack origin is identified through the traceback process. We take advantage of the information obtained from the traceback process to maximize countermeasure efficiency against attack traffic and to minimize the negative impact on legitimate traffic. In this chapter, we describe existing countermeasure schemes and explain their limitations. Then, we present our traceback-assisted countermeasure, which overcomes the limitations of the existing countermeasure schemes.

7.2 Packet Filtering vs. Rate Limiting
Existing countermeasures against DoS/DDoS attacks can be broadly classified into packet filtering and rate limiting. Current packet filtering and rate limiting techniques against DoS/DDoS attacks have the following drawbacks: (1) They are taken at the nodes where the attack is detected, for instance at the ingress point of the victim's network. This is inefficient, since the attack traffic exhausts the valuable network/host resources of the intermediate nodes. (2) Packet filtering is challenging, since it is hard to distinguish between bad and good traffic. Legitimate traffic experiences sudden QoS degradation due to packet filtering.
(3) In rate limiting, it is hard to know by how much the rate should be limited to reduce the negative impact on legitimate traffic while increasing the rate-limiting efficiency against attack traffic.

7.3 Traceback-assisted Countermeasure
Our traceback protocol can find the closest point to the attack origin. Once the attack origin is identified, we apply a countermeasure using the information obtained through the traceback process, i.e., the abnormality matching level. We also use cross-layer information (i.e., the destination address and the previous-hop MAC address) to increase countermeasure efficiency. That is, using cross-layer information, we can distinguish between attack traffic and legitimate traffic. Thus, we can reduce the negative impact on legitimate traffic and increase the packet drop/rate-limiting efficiency against attack traffic. Our scheme can be considered a hybrid of packet filtering and rate limiting, driven by the abnormality matching level and fine-grained protocol information. That is, when the abnormality matching level is highest, we apply packet filtering. On the other hand, when the abnormality matching level is moderate, we apply rate limiting based on the abnormality matching level. To determine the optimal rate-limiting level under a medium matching level, we define and use the Confidence Index (CI). CI is the inverse of the distance in the KS fitness test, normalized to [0,1]. The rate-limiting level (P) is determined with the following equation (refer to Fig.7.1):
$P = MaxP \cdot \frac{CI - MinCIThresh}{MaxCIThresh - MinCIThresh}$ (Eq.7.1)
As shown in Fig.7.1, when CI is very high the scheme reduces to packet filtering, since a very high CI implies that there is no background traffic. On the other hand, when CI is medium, it becomes rate limiting based on the CI level, to reduce the negative impact on legitimate traffic.
The advantages of using a CI-based countermeasure over applying a fixed drop rate are multifold: (1) When CI is low, only a small number of packets (either attack or legitimate packets) are dropped. Even if we cannot drop more attack packets, this does not cause a serious problem, since only a small amount of attack traffic exists. (2) On the other hand, the negative impact on legitimate traffic is largely reduced. When CI is high, more packets are dropped. Even if a higher percentage of legitimate packets is also dropped, the negative impact is not significant, since only a small amount of legitimate traffic exists. We compare our CI-based countermeasure with the fixed rate-limiting scheme in detail in the analysis section.
[Figure 7.1] CI-based countermeasure (x-axis: CI, marked at MinCIThresh and MaxCIThresh; y-axis: P(drop), rising to MaxP in the rate-limiting region and to 1.0 in the packet-filtering region)
To further reduce the QoS degradation of legitimate traffic under this countermeasure, we use cross-layer information (e.g., MAC and network-layer information). Traffic is classified based on fine-grained information (i.e., destination address, previous-hop MAC address). When one class of traffic is identified as highly matching the attack signature, we apply CI-based rate limiting to that class of traffic only. To measure countermeasure efficiency formally, we define SDP as follows:
SDP = Survived legitimate traffic × Dropped attack traffic (Eq.7-2)
We show the efficiency of our traceback-assisted countermeasure using SDP in the following analysis section.

7.4 Performance Analysis
In this section, we investigate the efficiency of our traceback-assisted countermeasure and compare it with existing countermeasures (e.g., rate limiting, packet filtering). We measured dropped attack packets (Fig.7.2), survived legitimate packets (Fig.7.3), and SDP. As shown in Fig.7.2, attack packet filtering efficiency increases drastically as the attack percentage increases.
This is because the abnormality matching level (CI) increases as the attack percentage increases; consequently, more attack packets are dropped. Fig.7.3 shows the survived legitimate packets. When the attack percentage is low, more legitimate packets survive, because the matching level is low and consequently only a small number of packets are dropped. On the other hand, only a few legitimate packets survive when the attack percentage is high, since more packets are dropped due to the high abnormality matching level. However, the difference from the existing scheme (i.e., fixed packet filtering) is not significant, since there is only a small amount of legitimate traffic when the attack percentage is high. Overall, we can say that the positive impact dominates the low negative impact.
[Figure 7.2] Comparison of attack traffic dropping efficiency (x-axis: Attack Percentage, 10% to 90%; y-axis: Dropped Packet Count; series: Fixed, CI-based)
[Figure 7.3] Comparison of legitimate traffic survival rate (x-axis: Attack Percentage, 10% to 90%; y-axis: Survived Legitimate Packets; series: Fixed, CI-based)
We measured SDP with fine-grained information. SDP increases drastically when MAC (Fig.7.4), network (Fig.7.5), and cross-layer (Fig.7.6) information are considered. The SDP rate shows a 400% increase with cross-layer information in Fig.7.6, because we can differentiate between legitimate traffic and attack traffic more accurately with cross-layer information.
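The CI-driven drop probability of Eq.7.1 and Fig.7.1, applied per fine-grained traffic class as Section 7.3 describes, with SDP of Eq.7-2 computed against a fixed-rate baseline, as an added example that is not code from the dissertation. Assumptions: CI is taken as 1 - D_n (the page defines CI in words only), nothing is dropped below MinCIThresh and packet filtering (P = 1.0) applies at and above MaxCIThresh as drawn in Fig.7.1, and the threshold values, class keys and packet counts are constructed.

```python
# Added example (not from the dissertation): CI-based countermeasure of Eq.7.1 / Fig.7.1
# applied per (destination, previous-hop MAC) class, scored with SDP (Eq.7-2) and compared
# with a coarse fixed drop rate. Thresholds, class keys and counts are constructed.


def confidence_index(ks_distance):
    """Assumption: CI = 1 - D_n, clipped to [0,1]; a smaller KS distance means higher CI."""
    return 1.0 - min(max(ks_distance, 0.0), 1.0)


def drop_probability(ci, min_thresh=0.3, max_thresh=0.8, max_p=0.9):
    """Eq.7.1 inside the rate-limiting band, no drop below it, packet filtering above it."""
    if ci < min_thresh:
        return 0.0
    if ci >= max_thresh:
        return 1.0
    return max_p * (ci - min_thresh) / (max_thresh - min_thresh)


def sdp(survived_legit, dropped_attack):
    """Eq.7-2: SDP = survived legitimate traffic * dropped attack traffic."""
    return survived_legit * dropped_attack


# Constructed traffic classes: (destination, previous-hop MAC, attack pkts, legit pkts, D_n),
# where D_n is the KS distance the class's abnormality showed against the attack signature.
# Expected counts are used instead of random sampling, so drops = count * P.
CLASSES = [
    ("victim", "02:00:00:00:00:aa", 800, 50, 0.05),    # relays the flood
    ("victim", "02:00:00:00:00:bb", 0, 300, 0.80),     # same destination, clean
    ("server", "02:00:00:00:00:aa", 0, 200, 0.90),     # same previous hop, other dest
]


def ci_based(classes):
    """Rate-limit each class by its own CI (fine-grained, cross-layer);
    return (survived_legit, dropped_attack, SDP)."""
    survived = dropped = 0.0
    for _dest, _mac, attack, legit, d in classes:
        p = drop_probability(confidence_index(d))
        dropped += attack * p
        survived += legit * (1 - p)
    return survived, dropped, sdp(survived, dropped)


def fixed_rate(classes, victim="victim", rate=0.5):
    """Coarse-grained baseline: drop a fixed fraction of everything addressed to the victim."""
    survived = dropped = 0.0
    for dest, _mac, attack, legit, _d in classes:
        p = rate if dest == victim else 0.0
        dropped += attack * p
        survived += legit * (1 - p)
    return survived, dropped, sdp(survived, dropped)


if __name__ == "__main__":
    for name, scheme in (("CI-based", ci_based), ("fixed 50%", fixed_rate)):
        s, d, v = scheme(CLASSES)
        print(f"{name:10s} survived legit={s:6.1f} dropped attack={d:6.1f} SDP={v:,.0f}")
```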
[Figure 7.4] SDP improvement with F-MLM (x-axis: Attack Percentage, 10% to 90%; y-axis: SDP, 0 to 10000; series: Fixed, 5 to 10 Neighbors)

[Figure 7.5] SDP improvement with F-NLM (x-axis: Attack Percentage, 10% to 90%; y-axis labelled LPP, 0 to 16000; series: Fixed, 5 to 9 Neighbors)

[Figure 7.6] SDP improvement with CLM (x-axis: Attack Percentage, 10% to 90%; y-axis: SDP, 0 to 25000; series: Fixed, 5 to 9 Neighbors)

Chapter 8 Overall Traceback Protocol

8.1 Overview

In this chapter, we provide the overall protocol mechanism, which integrates all the components of our traceback protocol framework, i.e., abnormality detection, abnormality characterization, abnormality matching, abnormality searching, and countermeasure. We first describe the overall protocol mechanism. Then, we perform a simulation-based analysis to verify the traceback success rate.

8.2 Relay Node-based Protocol

In the relay node-based protocol, we describe a protocol mechanism that uses only the intermediate nodes that relayed attack traffic. In addition, we use TPM and TVM for abnormality matching.

DoS Attacker Traceback

We describe the DoS attack traceback scheme as follows:

(1) When a victim node, V, detects an attack such as SYN flooding, it first extracts the attack traffic signature, described by the traffic pattern and volume. It then sends a query to nodes within its vicinity and to its level-1 contacts, specifying a depth of search (D) large enough to detect an attacker. The query contains a sequence number (SN) and the attack traffic signature.

(2) As the query is forwarded, each node traversed records the SN and V. If a node receives a request with the same SN and V, it drops the query. This provides loop prevention and avoids re-visits to the already covered parts of the network.
(3) In case high TPM and TVM reports are observed by vicinity nodes and contacts, the first step of the trace is completed. For instance, we send a query to the vicinity nodes and to 2 level-1 contacts (CL_1a and CL_1b) around the victim in Fig.8.1 (transmission arrows from each contact to its vicinity nodes are omitted in the figures). Then, one level-1 contact (CL_1b) reports to the victim that some of its vicinity nodes observed a matching traffic pattern/volume. To reduce the risk of false matching reports from vicinity nodes, the contact requests the traffic signature observed at the vicinity nodes at given time slots, instead of distributing the attack traffic signature to all vicinity nodes and waiting for TPM and TVM responses. TPM and TVM calculations are done at each contact. Although this cannot completely remove the risk of false matching reports, it can reduce such risk.

(4) Next, only the contact, CL_1b, that observes traffic signature matching in its vicinity sends the next-level query to the level-2 contacts (CL_2c and CL_2d), with the partial attack path appended to the query. It also reduces D by 1. This processing by contacts is called in-network processing. Other contacts that do not have relay nodes of attack traffic in their vicinities suppress forwarding of the query (query suppression). This results in a directional search towards the attacker.

(5) When there are no more contact reports or no other nodes outside the vicinity, the last contact (CL_2c) reports the complete attack route to the victim.

(6) Our scheme is based on majority node reporting. That is, even if some nodes move out of the attack route or are compromised by attackers, we can still find an attack route using the available information from good nodes in the vicinity.
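The six steps above, run as an added example (not the dissertation's code) on a constructed contact hierarchy shaped like Figure 8.1: the victim issues a query carrying SN, V, the signature and D; each contact records (SN, V) and drops duplicates, pulls the signatures its vicinity nodes observed, runs the matching test itself, suppresses the query when its vicinity does not match, and otherwise appends itself to the partial path and forwards with D reduced by 1. The same skeleton serves the majority voting variant of section 8.3 once the matching test is swapped. The TPM and TVM functions are simplified stand-ins for the tests defined earlier in the thesis, the 0.8 thresholds and the majority rule are assumptions, and all packet counts are invented sample data.

```python
"""Added example (not the dissertation's code): relay node-based DoS traceback query
(section 8.2) on a constructed topology. TPM/TVM are stand-ins; thresholds assumed."""
from dataclasses import dataclass, field

MATCH_THRESHOLD = 0.8   # assumed: TPM and TVM must both exceed this for a node to match


def tpm(sig_a, sig_b) -> float:
    """Stand-in traffic pattern match: 1 minus half the L1 distance between the
    per-slot shares of two signatures (1.0 = identical shape, 0.0 = disjoint)."""
    ta, tb = sum(sig_a), sum(sig_b)
    return 1.0 - 0.5 * sum(abs(a / ta - b / tb) for a, b in zip(sig_a, sig_b))


def tvm(sig_a, sig_b) -> float:
    """Stand-in traffic volume match: smaller total divided by larger total."""
    ta, tb = sum(sig_a), sum(sig_b)
    return min(ta, tb) / max(ta, tb)


@dataclass
class Query:
    sn: int                 # sequence number chosen by the victim
    victim: str             # V
    signature: tuple        # per-time-slot packet counts observed at V
    depth: int              # D, reduced by 1 at every forwarding contact
    path: tuple = ()        # partial attack path appended by matching contacts


@dataclass
class Contact:
    name: str
    vicinity: dict                           # node name -> per-slot counts it observed
    next_contacts: list = field(default_factory=list)
    seen: set = field(default_factory=set)   # (SN, V) pairs already handled
    received: int = 0                        # every delivery, duplicates included

    def vicinity_matches(self, signature) -> bool:
        """Step (3): the contact pulls what its vicinity nodes observed and runs
        TPM/TVM itself. Step (6): a majority of vicinity nodes must match, so a
        few moved or compromised nodes do not change the verdict."""
        hits = sum(1 for sig in self.vicinity.values()
                   if tpm(sig, signature) > MATCH_THRESHOLD
                   and tvm(sig, signature) > MATCH_THRESHOLD)
        return hits * 2 > len(self.vicinity)

    def handle(self, q: Query) -> list:
        """Returns the complete attack routes reported back toward the victim."""
        self.received += 1
        key = (q.sn, q.victim)
        if key in self.seen:                 # step (2): loop prevention, no re-visits
            return []
        self.seen.add(key)
        if not self.vicinity_matches(q.signature):
            return []                        # step (4): query suppression
        path = q.path + (self.name,)
        if q.depth <= 1:
            return [path]
        routes = []
        for nxt in self.next_contacts:       # step (4): in-network processing, D - 1
            routes.extend(nxt.handle(Query(q.sn, q.victim, q.signature, q.depth - 1, path)))
        return routes if routes else [path]  # step (5): last contact reports the route


def build_figure_8_1():
    """Constructed topology: V queries CL_1a and CL_1b; the attack is relayed through
    the vicinities of CL_1b and CL_2c. All counts are invented sample data."""
    relay = (99, 97, 101, 100)       # a node on the attack route sees almost V's signature
    background = (40, 40, 40, 40)    # same shape as the attack but much lower volume
    noise = (10, 3, 25, 2)
    cl_2c = Contact("CL_2c", {"n7": relay, "n8": relay, "n9": noise})
    cl_2d = Contact("CL_2d", {"n10": background, "n11": noise})
    cl_2c.next_contacts = [cl_2d]    # extra link so that CL_2d receives the query twice
    cl_1b = Contact("CL_1b", {"n4": relay, "n5": relay, "n6": background}, [cl_2c, cl_2d])
    cl_1a = Contact("CL_1a", {"n1": noise, "n2": background, "n3": noise}, [cl_2c])
    return cl_1a, cl_1b, cl_2c, cl_2d


def trace_dos_example():
    """Returns (reported routes, deliveries to CL_2d, distinct queries CL_2d handled)."""
    cl_1a, cl_1b, cl_2c, cl_2d = build_figure_8_1()
    victim_sig = (100, 98, 102, 100)
    routes = []
    for c in (cl_1a, cl_1b):             # step (1): query the level-1 contacts
        routes.extend(c.handle(Query(sn=1, victim="V", signature=victim_sig, depth=3)))
    return routes, cl_2d.received, len(cl_2d.seen)


if __name__ == "__main__":
    print(trace_dos_example())
```

The background node illustrates why both tests are needed: its traffic has the same shape as the attack (high TPM) but a fraction of the volume (low TVM), so it does not count as a witness. CL_2d is delivered the query twice, once via CL_2c and once directly from CL_1b, and handles it only once.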
[Figure 8.1] DoS attacker traceback with relay node-based protocol (legend: V: Victim; A: Attacker; CL_1: Level-1 contact; CL_2: Level-2 contact; dashed arrow: Query; solid arrow: Attack route; contacts shown: CL_1a, CL_1b, CL_2a, CL_2b, CL_2c, CL_2d)

DDoS Attacker Traceback

In this section, we describe the DDoS attacker traceback scheme. DDoS attacks involve a sufficient number of compromised nodes sending useless packets toward a victim around the same time. The magnitude of the combined traffic is significant enough to jam, or even crash, the victim or the connection links. Similar to the DoS case, a victim node sends a traffic pattern/volume matching query to its vicinity and level-1 contacts with its characterized attack traffic signature. In DDoS attacker traceback, multiple candidate attack signatures are observed and returned from multiple contacts. For instance, in Fig. 6, three responses are returned from level-1 contacts (CL_1a, CL_1b, and CL_1c) and the victim calculates the TPM and TVM level for all possible combinations. In this example, TPM and TVM show the highest value between the summation of two traffic signatures (CL_1a and CL_1b) and the attack traffic at the victim. As a result, the victim concludes that attack traffic comes from the vicinity nodes of CL_1a and CL_1b. Note that TPM between partial attack traffic (either from CL_1a or CL_1b) and the merged attack traffic at the victim may show a high TPM level. We need the TVM test to decide whether it is distributed attack traffic or single attack traffic.
In case the TPM level is high and the TVM level is low (less than 0.5), we conclude that it is partial attack traffic and seek the other partial traffic which forms the DDoS attack traffic. Contacts that are determined to be on the attack route by the victim node perform the next-level query in a recursive manner. Each level-1 contact finds two other branches of the attack route in two level-2 contacts (CL_2a, CL_2b, CL_2c, and CL_2d). The final attack route is reported to the victim by the last contact nodes. Fig.8.3 illustrates a logical view of the DDoS attacker traceback tree, from the victim (root) to the distributed attackers (leaves). Intermediate contacts have child contacts from which partial attack traffic is coming. DDoS attacker search is slightly different from DoS attacker traceback. To track down distributed attack routes, the TPM and TVM test should be done at lower-level contacts with all possible combinations of partial attack traffic coming from higher-level contacts. That is, if higher-level contacts receive a TPM/TVM test request from lower-level contacts and find vicinity nodes that observe an abnormal traffic increase with a small TVM level (<1), the contacts send the traffic signature to the lower-level contacts. Then, the lower-level contacts or the victim compare it with all possible combinations of partial attack traffic reported from higher-level contacts and decide the distributed attack route.
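The combinational test described above, as an added example that is not part of the dissertation: the victim (or a lower-level contact) sums every non-empty subset of the candidate signatures its contacts returned, scores each sum against its own attack signature, and applies the rule that high TPM with TVM below 0.5 marks partial traffic whose complementary branches must still be found. This instance goes slightly beyond Figure 8.2 by using three attack branches plus one unrelated contact, as in the three-branch case of Figure 8.5. TPM and TVM are the same simplified stand-ins as in the DoS example, the 0.8 "high" threshold is an assumption, and the contact name CL_1d and all counts are constructed.

```python
"""Added example (not the dissertation's code): combinational TPM/TVM matching for
DDoS traceback (section 8.2). Stand-in TPM/TVM; thresholds and data are assumed."""
from itertools import combinations

TPM_HIGH = 0.8   # assumed threshold for a "high" pattern match
TVM_LOW = 0.5    # from the text: high TPM with TVM below 0.5 means partial attack traffic


def tpm(sig_a, sig_b) -> float:
    """Stand-in traffic pattern match on per-slot shares (1.0 = identical shape)."""
    ta, tb = sum(sig_a), sum(sig_b)
    return 1.0 - 0.5 * sum(abs(a / ta - b / tb) for a, b in zip(sig_a, sig_b))


def tvm(sig_a, sig_b) -> float:
    """Stand-in traffic volume match: smaller total over larger total."""
    ta, tb = sum(sig_a), sum(sig_b)
    return min(ta, tb) / max(ta, tb)


def classify(tpm_level: float, tvm_level: float) -> str:
    """Decision rule from the text for one candidate against the merged attack traffic."""
    if tpm_level < TPM_HIGH:
        return "no match"
    if tvm_level < TVM_LOW:
        return "partial"      # seek the other branches that add up to the attack
    return "single"


def sum_signatures(sigs):
    """Per-slot sum of several partial signatures."""
    return tuple(sum(slot) for slot in zip(*sigs))


def best_combination(victim_sig, candidates: dict):
    """Try every non-empty subset of contacts, sum their partial signatures and keep the
    subset whose sum matches the victim's signature best (score TPM * TVM, both high)."""
    best = None
    for k in range(1, len(candidates) + 1):
        for subset in combinations(sorted(candidates), k):
            merged = sum_signatures([candidates[c] for c in subset])
            p, v = tpm(merged, victim_sig), tvm(merged, victim_sig)
            if p > TPM_HIGH and v > TPM_HIGH and (best is None or p * v > best[1]):
                best = (subset, p * v)
    return best


def ddos_example():
    """Constructed sample: three branches that add up exactly to the victim's signature
    plus one unrelated contact. Returns (best subset, per-contact verdicts)."""
    victim_sig = (100, 98, 102, 100)
    candidates = {
        "CL_1a": (30, 29, 31, 30),    # attack branch
        "CL_1b": (35, 34, 36, 35),    # attack branch
        "CL_1c": (35, 35, 35, 35),    # attack branch
        "CL_1d": (5, 30, 2, 20),      # constructed unrelated bursty traffic
    }
    verdicts = {c: classify(tpm(s, victim_sig), tvm(s, victim_sig))
                for c, s in candidates.items()}
    return best_combination(victim_sig, candidates), verdicts


if __name__ == "__main__":
    print(ddos_example())
```

Each true branch alone scores high on TPM but low on TVM and is therefore flagged as partial, while only the subset of all three branches reproduces both the shape and the volume of the merged attack traffic. The subset search is exponential in the number of candidates, which is why the text pushes the test down to contacts that each see only a few higher-level reports.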
[Figure 8.2] DDoS attacker traceback with relay node-based protocol (legend: V: Victim; A: Attacker; CL_1: Level-1 contact; CL_2: Level-2 contact; dashed arrow: Query; solid arrow: Attack route; contacts shown: CL_1a, CL_1b, CL_1c, CL_2a, CL_2b, CL_2c, CL_2d)

[Figure 8.3] Logical view of DDoS attackers (tree from V at the root through Level-1 and Level-2 contacts to the attackers at the leaves; legend: A: Attacker; C: Contacts; V: Victim)

8.3 Majority Voting-based Protocol

In the majority voting-based protocol, the overhearing capability of the nodes around relay nodes is effectively used. In addition, we use the K-S fitness test for the matching test.

DoS Attacker Traceback

We describe the overall DoS attack traceback scheme as follows:

(1) When a victim node, V, detects an attack such as SYN flooding, it first extracts the attack signature. It then sends a query to the nodes within its vicinity and to its level-1 contacts, specifying a depth of search (D) large enough to detect an attacker. The query contains a sequence number (SN) and an attack traffic signature.

(2) As the query is forwarded, each traversed node records the SN and V. If a node receives a request with the same SN and V, it drops the query. This provides loop prevention and avoids re-visits to the already covered parts of the network.

[Figure 8.4] DoS attacker traceback with majority voting (grid of cells H1 to H7 by V1 to V6 with V and A marked). Victim (V) sends queries with the attack traffic signature to its neighbor region {(H3,V1), (H3,V2), (H4,V2), (H5,V1), (H5,V2)}.
Only the (H4,V2) region, which observed the highest RE, sends next-level queries to its own neighbor region. (Each cell corresponds to a contact region, and the intensity of color represents RE.)

(3) In case a high RE is observed by the vicinity of the victim and by contacts, the first step of the trace is completed. For instance, the victim (V) sends a query to the vicinity nodes and to 5 level-1 contacts in regions {(H3,V1), (H3,V2), (H4,V2), (H5,V1), (H5,V2)} around the victim in Fig. 8.4. Then, one level-1 contact in region (H4,V2) reports to the victim that some of its vicinity nodes have observed a high RE. To reduce the risk of false matching reports from vicinity nodes, the contact requests the traffic signature observed at the vicinity nodes during given time slots, instead of distributing the attack traffic signature to all vicinity nodes and waiting for individual attack signature energy responses. The matching test is done at each contact. Although this cannot completely eliminate the risk of false matching reports, it can reduce such risk.

(4) Next, only the contact in region (H4,V2) that observes attack signature matching in its vicinity sends the next-level query to the level-2 contacts, with the partial attack path appended to the query. It also reduces D by 1. This processing by contacts is called in-network processing. Other contacts that do not have nodes that observe the attack signature suppress forwarding of the query (query suppression). This results in a directional search towards the attacker.

(5) When there are no more contact reports or no other nodes outside the vicinity, the last contact reports the complete attack route to the victim.

(6) Our scheme drastically increases robustness against node compromise and topology change, since the number of abnormality observers is drastically increased by using MAC activity overhearing nodes.

DDoS Attacker Traceback

In this section, we describe the overall DDoS attacker traceback scheme.
DDoS attacks involve a sufficient number of compromised nodes sending useless packets toward a victim around the same time. The magnitude of the combined traffic is significant enough to jam, or even crash, the victim or the connection links.

[Figure 8.5] DDoS attacker traceback with majority voting (grid of cells H1 to H7 by V1 to V6 with V and several A marked)

Similar to the DoS case, a victim node sends a query to its vicinity and level-1 contacts with its characterized attack traffic signature. In DDoS attacker traceback, multiple candidate attack signatures are observed and returned from multiple contacts. Unlike DoS attacker traceback, a combinational matching test needs to be done by the victim or a lower-level contact to find the branch attack routes. That is, abnormality matching should be performed between the attack signature and all combinations of the multiple candidate attack signatures. Then, the contacts that show the highest matching level are selected as branch attack routes. For instance, in Fig.8.5, three responses are returned from level-1 contacts in regions {(H3,V2), (H4,V2), (H5,V2)}. In this example, the highest abnormality matching is observed between the summation of the three candidate attack signatures from regions {(H3,V2), (H4,V2), (H5,V2)} and the attack signature at the victim. As a result, the victim concludes that branch attack traffic comes from regions {(H3,V2), (H4,V2), (H5,V2)}. Contacts that are determined to be on the attack route by the victim node perform the next-level query in a recursive manner.

8.4 Performance Analysis

• Overall Traceback Success Rate

We performed a simulation and measured the overall traceback success rate with the proposed traceback. The number of nodes is set at 1089 in a network of size 2560m x 2560m. The DoS attack is performed 17 hops away from the victim, and the DDoS attack is performed 10 hops away from the victim.
Background traffic is generated with a volume of 7.5% of the attack traffic (i.e., if attack traffic=500pps, then background traffic=(7.5*500pps)/100≈38pps) from random nodes to random destinations. Note that the background traffic is generated in the same time slots as the attack traffic. Consequently, it represents high (i.e., bursty) background traffic within short time slots. Attacker(s) and victim are randomly selected for every simulation. Fig.8.6 shows the DoS attacker traceback success rate with MAC-layer monitoring, network-layer monitoring and cross-layer monitoring. Cross-layer monitoring shows perfect traceback success even under a high volume of background traffic.

[Figure 8.6] Comparison of DoS attacker traceback success rate (x-axis: Percentage of nodes that generate background traffic, 10% to 50%; y-axis: Traceback success rate, 0 to 1; series: MAC-layer, Network-layer, Cross-layer)

Fig.8.7 shows the DDoS attacker traceback success rate with various destination diversity. In this simulation, we set the number of one-hop neighbors at 6. The percentage of nodes that generate background traffic is set to 50%. When destination diversity is low (<20), the traceback success rate is low with network-layer information. However, traceback with cross-layer information shows a high success rate (>80%) across different diversity levels. This is because MAC-layer information complements network-layer information, which further reduces noise traffic. Fig.8.8 shows the success rate with various numbers of one-hop neighbors. Traceback with cross-layer information shows greater improvement compared with traceback with MAC-layer information only.
[Figure 8.7] Comparison of DDoS attacker traceback success rate (x-axis: Destination diversity, 20 to 100; y-axis: Traceback success rate, 0 to 1; series: Cross-layer, Network-layer)

[Figure 8.8] Comparison of DDoS attacker traceback success rate (x-axis: Average number of one-hop neighbors, 4 to 12; y-axis: Traceback success rate, 0 to 1; series: Cross-layer, MAC-layer)

Chapter 9 Risk Analysis in Mobile Networks

9.1 Overview

Mobility can pose significant challenges in attacker traceback. First, an attacker can maliciously use mobility to attack a victim, avoid traceback, and increase attack efficiency. Second, the mobility of intermediate and victim nodes can decrease traceback performance even if they have no malicious intention. In this chapter, we analyze how an attacker's mobility can affect traceback and identify possible mobile attacks. In addition, we analyze traceback performance under intermediate/victim mobility.

To systematically analyze how an attacker's mobility can affect traceback, we classify the mobile network dimensions into the temporal transition dimension, spatial transition dimension, address dimension, area dimension, and node coordination dimension. Each dimension includes multiple attributes. Then, we take a combinational set-based approach to identify possible risks under attacker mobility. Before we describe the dimensions and attributes in detail, we explain the important parameters for performing risk analysis on attacker mobility.

I. Attack Efficiency

Attack efficiency represents how effectively an attack can be performed. Attack efficiency is increased (1) when attack intensity is increased and (2) when the attack is performed with temporal continuity.

II. Traceback Avoidability

An attacker can move away from the attack region or perform an intermittent attack to avoid traceback. Mobility can be maliciously used to increase traceback avoidability. However, there exists a tradeoff between attack efficiency and traceback avoidability.
That is, when traceback avoidability is increased, attack efficiency can be reduced, and vice versa.

III. Attack Sophistication

Attack sophistication represents the level of attack skill of the attacker. When the attack sophistication level is high, it increases attack efficiency and traceback avoidability. On the other hand, when the attack sophistication level is low, attack efficiency is decreased and avoidability is also decreased. Attack sophistication can be measured with the following metrics: (1) the number of compromised nodes, (2) temporal coordination of compromised nodes, (3) spatial coordination of compromised nodes.

To analyze the impact of intermediate and victim node mobility on traceback performance, we use several classes of mobility model. Traceback performance varies drastically depending on the mobility model.

[Figure 9.1] Vulnerability analysis using mobile network dimensions and attributes (Mobile network dimension: I. Spatial transition dimension: Continuity, Discontinuity, Randomness; II. Temporal transition dimension: Continuity, Discontinuity, Random, Overlap; III. Address dimension: Single address, Multiple addresses, Targeted address, Random address; IV. Coordination dimension: Spatial coordination, Temporal coordination, Spatio-temporal coordination; V. Area dimension: Single area, Multiple areas, Targeted area, Random area)

9.2 Dimensions in Mobile Networks

9.2.1 Temporal Transition Dimension (T-dimension)

The T-dimension defines the temporal relation of attack duration. The T-dimension consists of three attributes: temporal continuity (T_c), temporal discontinuity (T_d), and temporal overlap (T_o), as in Fig.9.2. T0, T1, and T2 are the time slots at which the attack is observed. In Fig.9.2 (a), the attack signature (ξ) is observed at time slots T0, T1, and T2 continuously (temporal continuity). On the other hand, temporal discontinuity is defined as in Fig.9.2 (b): the attack signature (ξ) is observed at the discontinuous time slots T0 and T2. Temporal overlap (Fig. 9.2 (c)) implies that the attack is occurring simultaneously from different nodes.
[Figure 9.2] Three attributes of the T-dimension: (a) Temporal continuity (attribute T_c): ξ observed at T0, T1 and T2; (b) Temporal discontinuity (attribute T_d): ξ observed at T0 and T2; (c) Temporal overlap (attribute T_o): two ξ observed in the same slot

9.2.2 Spatial Transition Dimension (S-dimension)

The S-dimension defines the spatial relation of attack occurrence. The S-dimension has three attributes: (1) spatial continuity (S_c), (2) spatial discontinuity (S_d), (3) spatial randomness (S_r). For instance, in a mobile DoS attack, the attack signature (ξ) is observed in a spatially continuous manner (Fig.9.3 (a)). In general, spatial discontinuity is observed in a DDoS attack, as in Fig. 9.3 (b). Note that a DDoS attack can also show spatial continuity. In that case, we can distinguish a DDoS attack from a mobile DoS attack using the temporal relation. Note that each cell logically corresponds to a contact vicinity in our traceback architecture (Fig.9.3).

[Figure 9.3] Spatial continuity of mobile DoS attack (attacker A moving across adjacent cells toward victim V)

[Figure 9.4] Spatial discontinuity of DDoS attack (attackers A1, A2, A3 in separate cells, victim V)

9.2.3 Address domain (Addr-dimension)

An attacker can try to perform malicious activity using the address dimension. The attributes under the address dimension are (1) single address (Addr_s), (2) multiple addresses (Addr_m), (3) targeted address (Addr_t), (4) random address (Addr_r). Unlike a fixed network, the address dimension is not fixed in mobile networks. An attacker can generate a false node with a false address. In addition, an attacker may try to disguise its address to intentionally impose a negative impact on a specific address.
9.2.4 Area dimension (A-dimension)

An attacker can utilize area in the network, because the attacker can choose its location freely. The attributes of the area dimension are as follows: (1) single area (A_s), (2) multiple areas (A_m), (3) random area (A_r), (4) targeted area (A_t).

9.2.5 Node coordination dimension (N-dimension)

An attacker can try to orchestrate multiple compromised nodes to generate confusion/illusion for the victim or the network. Coordination of nodes can pose serious confusion to the victim or network. We classify the attributes of the node coordination dimension as follows: (1) temporal coordination of compromised nodes (N_t), (2) spatial coordination of compromised nodes (N_s), (3) spatio-temporal coordination of compromised nodes (N_s,t).

9.3 Combinational Set-based Risk Analysis

Combinations and sequences of mobile network dimensions/attributes can create unique attack scenarios. We take a combinational set-based approach to identify a subset of the possible attacks. Note that this is not an exhaustive set of attacks, and more attacks exist with different combinations/sequences. We identify the attack scenarios from easy attacks to the most sophisticated attack. An easy attack represents an attack with a low attack sophistication level.

9.3.1 Simple Mobility Misuse (SMM) Attack

• Attack Strategy

In the SMM attack, the attacker sends attack traffic continuously to a victim. To avoid traceback, the attacker constantly changes its location. Consequently, the SMM attack has the following set requirement.

Attribute Set Requirement = {T_c, S_c}

• Attack Impact

As a result of the SMM attack, a victim will confuse a DDoS attack with a mobile attack. Without considering the attacker's mobility, an existing traceback scheme will infer that attack traffic is coming from distributed locations.

• Attack Analysis

Attack efficiency is high in the SMM attack, since the attack has temporal continuity. In addition, attack intensity can be increased by performing a distributed SMM attack.
However, traceback avoidability is limited, since the attack shows regularity in terms of spatial transition and temporal transition. We will prove how the SMM attack can be easily detected. The attack sophistication level is low, since it does not require temporal/spatial coordination or local/global coordination of multiple nodes.

9.3.2 Mobility and Address Misuse (MAM) Attack

• Attack Strategy

In the MAM attack, the attacker sends attack traffic continuously to a victim. To avoid traceback, the attacker changes not only its location but also its address. Consequently, the MAM attack has the following set requirement.

Attribute Set Requirement = {T_c, S_c, Addr_m}

• Attack Impact

Similar to the SMM attack, a victim will confuse a DDoS attack with a mobile attack. In addition, since the attacker can change its address, some preventive techniques such as ingress filtering will be useless (if applicable) in this type of attack.

• Attack Analysis

Attack efficiency is high in the MAM attack, since the attack has temporal continuity. In addition, attack intensity can be increased by performing a distributed MAM attack. However, traceback avoidability is medium, since it shows regularity in terms of spatial transition and temporal transition. However, it can avoid preventive measures such as ingress filtering if used in wireless multi-hop networks. We will prove how the MAM attack can be easily detected in chapter 10. The attack sophistication level is low, since it does not require temporal/spatial coordination or local/global coordination of multiple nodes.

9.3.3 False Mobility Generation (FMG) Attack

• Attack Strategy

In the FMG attack, the attacker intentionally generates illusive mobility of a node. That is, the attack is performed from multiple nodes at continuous times. Consequently, the attribute set requirement is as follows:

Attribute Set Requirement = {T_d, S_c, Addr_m, N_s,t}

• Attack Impact

A traceback mechanism that is capable of detecting mobile attacks (e.g., the SMM attack) can be fooled by the FMG attack.
That is, even if the attack is launched from distributed nodes, a victim might conclude that the attacker is moving and performing the attack.

• Attack Analysis

Attack efficiency is low in the FMG attack, since the attack has temporal discontinuity. However, traceback avoidability is increased, since it creates an illusive spatial transition. The attack sophistication level is high, since it does require temporal/spatial coordination with multiple node compromise.

9.3.4 Distributed Blinking (DB) Attack

• Attack Strategy

The drawback of the SMM attack and the FMG attack is that there is a tradeoff between increasing attack efficiency and decreasing avoidability. To overcome this, the DB attack can be performed by an attacker with a high attack sophistication level. In the DB attack, the attacker compromises multiple nodes and performs the attack from distributed random nodes at random times. The attack is launched with spatial/temporal transition randomness.

Attribute Set Requirement = {T_r, S_r, N_s,t}

• Attack Impact

From the victim's view, attack traffic is coming from random locations. However, attack traffic is coming continuously, since multiple nodes are compromised.

• Attack Analysis

Attack efficiency is high in the DB attack, since the attack has temporal continuity. In addition, traceback avoidability is increased, since each node moves its location with temporal/spatial randomness. The attack sophistication level is medium, since it needs multiple nodes to be compromised. However, it does require temporal/spatial coordination with multiple node compromise.

9.3.5 Disabling Targeted Area (DTA) Attack

• Attack Strategy

In the DTA attack, the attacker is aware of the countermeasure which is taken after traceback. The attacker intentionally generates attack traffic near a certain area that the attacker wants to disable through the countermeasure (e.g., packet filtering, rate limiting). The attacker launches the attack with randomly spoofed addresses.
Attribute Set Requirement = {T_c, A_t}

• Attack Impact

Once the traceback mechanism identifies the attack origin area, the countermeasure is taken near the attack origin. However, since the attacker intentionally chooses the attack area, innocent packets are negatively affected by the countermeasure.

• Attack Analysis

Attack efficiency is medium in the DTA attack, since a certain area is negatively affected by the countermeasure. However, traceback avoidability is increased, since it has temporal/spatial discontinuity. The attack sophistication level is low, since it does not require temporal/spatial coordination or local/global coordination of multiple nodes.

9.3.6 Disabling Targeted Address (DTAddr) Attack

• Attack Strategy

In the DTAddr attack, the attacker intentionally generates an attack with a targeted address. If the attacker is close enough to the node that has the same spoofed address, it can cause confusion.

Attribute Set Requirement = {T_c, Addr_t}

• Attack Impact

Unlike fixed networks, the attacker can move close to a node that the attacker wants to disable. Then, the attacker performs the attack with the targeted victim's address. If the countermeasure is taken against the spoofed address, the victim's traffic can be blocked by the countermeasure.

• Attack Analysis

Attack efficiency is medium in the DTAddr attack, since a certain node with a specific address is negatively affected by the countermeasure. However, traceback avoidability is increased, since it has temporal/spatial discontinuity. The attack sophistication level is low, since it does not require temporal/spatial coordination or local/global coordination of multiple nodes.

9.4 Risk Analysis of Intermediate/Victim Node Mobility

Mobility of intermediate and victim nodes can affect traceback performance. We classify the negative impact of node mobility into three classes as follows.

9.4.1 Risk Classification

1) Reduction of witness nodes

Intermediate nodes that observe the abnormality can move away from the attack route, which results in traceback failure.
The problem becomes worse when we rely only on the intermediate nodes that relayed the attack traffic (NLM-based scheme), because once the relay nodes move out of the attack route, the traceback cannot be continued past that point. By using the MLM-based scheme, we can reduce the negative impact of intermediate node mobility, since there are more nodes that have observed the attack signature through their overhearing capability, and we can use the overhearing nodes even if some relay nodes move out of the attack route.

2) Abnormality mismatching

For attack signature matching, contact nodes need to find intermediate nodes that observed a similar attack signature (i.e., a high signature matching level). However, during the attack period, new nodes can move into the attack route, or nodes can move out of the attack route in the middle of the attack, which can lower the signature matching level.

3) Dispersion of witness nodes

Under high mobility, it is possible that nodes that observe a high attack signature matching level are found far from the attack route. This can cause traceback confusion.

9.4.2 Risk Analysis Methodology

To systematically analyze how mobility affects traceback performance, we use the Global attack signature Energy (GE). GE is defined as follows.

$GE(t) = \sum_{i=1}^{n} E_i(t)$ (Eq.9.1)

where $E_i(t)$ is the individual signature energy of node i defined in the previous chapter. GE(t) provides a useful value for analyzing how mobility affects traceback performance. As shown in Fig.9.4 (a) (in this example, we only considered intermediate node mobility for simplicity of illustration), when an attack occurs, high signature energy is observed around the attack route and the energy level decreases as the distance from the attack route increases (the intensity of color represents the signature matching level). However, under intermediate node mobility in t, the attack signature energy is dispersed as shown in Fig.9.4 (b).
This is because of the components mentioned above (i.e., reduction of witness nodes, abnormality mismatching, dispersion of witness nodes). High local energy along the attack path leads to high global energy.

For analysis purposes we also define Relative Energy (RE) as follows.

$RE(t) = \dfrac{GE_{dynamic}(t)}{GE_{static}(t)}$ (Eq.9.2)

$GE_{static}(t)$ represents GE(t) under no mobility, and $GE_{dynamic}(t)$ represents GE(t) under mobility. RE(t) is affected by the mobility model. When RE(t) becomes low, attacker traceback becomes difficult, since the attack energy is reduced by node mobility. That is, when intermediate nodes that observed the attack signature move actively, the energy level can go down over time, which prevents successful traceback. In addition, attacker mobility and victim mobility can make RE(t) even lower.

[Figure 9.4] Illustration of local signature energy strength without mobility (panel (a): grid of cells H1 to H7 by V1 to V6 with A and V marked)

[Figure 9.5] Illustration of local signature energy strength with active mobility (panel (b): grid of cells H1 to H7 by V1 to V6 with A and V marked)

In the following, we define mobility metrics to systematically analyze how mobility affects traceback performance. Some of the metrics are borrowed from the existing literature [6].

9.5 Impact of Mobility Model on Traceback

We analyze how intermediate and victim mobility can affect traceback performance. To systematically analyze the impact, we use atomic mobility metrics and the mobility dependence between intermediate nodes and the victim.

9.5.1 Atomic mobility metrics

1) Directional Correlation (DC): DC is defined as follows.

$DC(i,j,t) = \dfrac{\vec{v}_i(t) \cdot \vec{v}_j(t)}{|\vec{v}_i(t)|\,|\vec{v}_j(t)|}$ (Eq.9.3)

where $\vec{v}_i(t)$ and $\vec{v}_j(t)$ are the velocity vectors of node i and node j at time t. High DC implies that the two nodes i and j are moving in a similar direction. On the contrary, low DC implies that the two nodes i and j are moving in opposite directions.

2) Speed Correlation (SC): SC is defined as follows.
$SC(i,j,t) = \dfrac{\min(|\vec{v}_i(t)|, |\vec{v}_j(t)|)}{\max(|\vec{v}_i(t)|, |\vec{v}_j(t)|)}$ (Eq.9.4)

High SC implies that the two nodes i and j are moving with similar speed. On the contrary, low SC implies that the two nodes i and j are moving at different speeds.

3) Geographic Restriction (GR): Geographic restriction represents the degree of freedom of points on a map on which a node can move. That is, the degree of freedom of a point is the number of directions a node can go after reaching that point.

4) Reference Restriction (RR): Reference restriction represents the degree of freedom of the reference points nodes are heading to. When all the nodes are going to the same reference point, high RR is observed.

Each component (DC, SC, GR, and RR) affects the performance of the traceback protocol. We also define mobility dependence, which consists of the atomic mobility metrics.

9.5.2 Mobility dependency

By using the atomic mobility metrics, we can express the mobility dependence between nodes or between groups of nodes as follows.

1) Mobility Dependence between attacker and victim

We define the mobility dependence between attacker and victim as follows.

$MD(a,v,t) = DC(a,v,t) \cdot SC(a,v,t)$ (Eq.9.5)

When the attacker and victim have high directional correlation and speed correlation, the mobility dependence becomes high.

2) Mobility Dependence between intermediate nodes

The mobility dependence between intermediate nodes is defined as follows.

$MD(i,i',t) = DC(i,i',t) \cdot SC(i,i',t)$ (Eq.9.6)

When intermediate nodes move in a similar direction with similar speed, the correlation becomes high. The mean mobility dependence is also defined as follows:

$\overline{MD}(i) = \dfrac{\sum_{t=1}^{T} \sum_{i=1}^{N} \sum_{i'=1}^{N} MD(i,i',t)}{P}$ (Eq.9.7)

3) Mobility Dependence among attacker, intermediate nodes, and victim

$MD(a,v,i,t) = MD(a,v,t) \cdot \overline{MD}(i)$ (Eq.9.8)

When the attacker, victim and intermediate nodes are moving in a similar direction with similar speed, the dependence becomes high.
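The metrics of sections 9.4.2 and 9.5 evaluated on constructed data, as an added example that is not the dissertation's code: DC (Eq.9.3), SC (Eq.9.4), MD (Eq.9.5 and 9.6), the mean intermediate dependence (Eq.9.7), the combined MD(a,v,i,t) (Eq.9.8), and the GE/RE ratio (Eq.9.1 and 9.2). Two assumptions are ours: DC is taken as 0 when a node is stationary (the formula divides by zero there), and P in Eq.9.7 is taken as the number of (t, i, i') terms summed with i ≠ i'. The velocity traces and signature energies are invented sample data chosen to contrast a group moving together (as in the single-group RPGM case of section 9.6) with an attacker and victim moving in opposite directions.

```python
"""Added example (not the dissertation's code): mobility metrics DC, SC, MD and the
GE/RE energy ratio of chapter 9 on constructed velocity traces. Velocities are 2-D
(vx, vy) tuples in m/s; signature energies are dimensionless sample values."""
import math


def norm(v):
    return math.hypot(v[0], v[1])


def directional_correlation(vi, vj):
    """DC(i,j,t) = v_i . v_j / (|v_i| |v_j|), Eq. 9.3. Assumed 0 if a node is stationary."""
    ni, nj = norm(vi), norm(vj)
    if ni == 0 or nj == 0:
        return 0.0
    return (vi[0] * vj[0] + vi[1] * vj[1]) / (ni * nj)


def speed_correlation(vi, vj):
    """SC(i,j,t) = min(|v_i|,|v_j|) / max(|v_i|,|v_j|), Eq. 9.4."""
    si, sj = norm(vi), norm(vj)
    if max(si, sj) == 0:
        return 0.0
    return min(si, sj) / max(si, sj)


def mobility_dependence(vi, vj):
    """MD = DC * SC (Eq. 9.5 for attacker/victim, Eq. 9.6 for two intermediates)."""
    return directional_correlation(vi, vj) * speed_correlation(vi, vj)


def mean_intermediate_dependence(traces):
    """Mean MD over all ordered pairs of distinct intermediate nodes and all time steps
    (Eq. 9.7). traces maps node name -> list of velocities, one per time step.
    Assumption: P is the number of (t, i, i') terms summed."""
    names = list(traces)
    steps = len(traces[names[0]])
    total, count = 0.0, 0
    for t in range(steps):
        for i in names:
            for j in names:
                if i != j:
                    total += mobility_dependence(traces[i][t], traces[j][t])
                    count += 1
    return total / count if count else 0.0


def overall_dependence(va, vv, traces, t):
    """MD(a,v,i,t) = MD(a,v,t) * mean MD(i), Eq. 9.8."""
    return mobility_dependence(va[t], vv[t]) * mean_intermediate_dependence(traces)


def global_energy(energies):
    """GE(t) = sum of the individual signature energies E_i(t), Eq. 9.1."""
    return sum(energies)


def relative_energy(static_energies, dynamic_energies):
    """RE(t) = GE_dynamic(t) / GE_static(t), Eq. 9.2."""
    return global_energy(dynamic_energies) / global_energy(static_energies)


def example_scenarios():
    """Constructed sample: a group moving east together (high DC, SC and RR) versus an
    attacker and victim driving in opposite directions (DC = -1)."""
    intermediates = {"i1": [(5.0, 0.0)], "i2": [(4.0, 0.0)]}
    group = overall_dependence([(5.0, 0.0)], [(5.0, 0.0)], intermediates, 0)
    opposite = overall_dependence([(10.0, 0.0)], [(-10.0, 0.0)], intermediates, 0)
    # Signature energies observed by the same witness nodes without and with mobility
    static = [4.0, 4.0, 4.0]
    dynamic = [2.0, 1.0, 3.0]
    return {"group_md": group, "opposite_md": opposite, "re": relative_energy(static, dynamic)}


if __name__ == "__main__":
    print(example_scenarios())
```

With the group trace the mean intermediate dependence is 0.8 (same heading, speeds 4 and 5 m/s), so MD(a,v,i,t) is 0.8 for the co-moving pair and -0.8 for the opposing pair; the RE of 0.5 means mobility halved the global signature energy available to the traceback.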
We perform simulations to see how each mobility metric and dependence affects the performance of attacker traceback.

9.6 Simulation-based Risk Analysis

Different mobility models show different characteristics (i.e., high/low DC, SC, GR, RR). We performed simulations with the RPGM model and the freeway model, which include the different characteristics of DC, SC, GR and RR. The transmission range of each node is set to 50 m and the network size is 670 m x 670 m. We repeated each simulation 10 times in random topologies and calculated the average value. The DoS attacker is 4 hops away from the victim. To focus on the mobility problem, we do not generate background traffic in this simulation.

RPGM model

[13] introduced this model. Each group has a logical center (group leader) that determines the group's motion behavior. Initially, each member of the group is uniformly distributed in the neighborhood of the group leader. Subsequently, at each instant, every node has a speed and direction (angle) that is derived by randomly deviating from that of the group leader. The RPGM model can be used in military battlefield communications where the commander and soldiers form a logical group. More applications are mentioned in [13].

Fig. 9.5 shows the relative energy of the RPGM model with a single group (angle deviation of 20). It shows a high relative energy rate, which implies that high attack signature energy is observed on the attack route even under mobility. Consequently, the negative impact of mobility is negligible in RPGM (single group). It is because the RPGM model with a single group has high mobility dependency (i.e., high MD(a,v,i,t) among attacker, victim and intermediate nodes). As the Signature Timeframe (ST) is increased, relative energy is slightly reduced. It is because there is a higher chance that some nodes move out of or into the attack route during a longer timeframe. It shows a lower relative energy rate when speed is high. It is because a few intermediate nodes can move out of overhearing range, deviating from the reference point (group leader). However, angle deviation (Fig. 9.6) does not affect the relative energy rate as speed does. It is because angle does not cause deviation of witness nodes from the contact region unless speed is fast. High RR of RPGM (with 1 group) leads to high RE and consequently a high traceback success rate.

[Figure 9.5] Relative energy in 1 group RPGM with speed variance (x-axis: Max. Speed (m/sec), 10-50; y-axis: Relative energy rate, 0.5-1; series: 10 ST, 20 ST, 30 ST, 40 ST, 50 ST)

[Figure 9.6] Relative energy in 1 group RPGM with angle variance (x-axis: Angle deviation, 20-100; y-axis: Relative energy rate, 0.5-1; series: 10 ST, 20 ST, 30 ST, 40 ST, 50 ST)

Fig. 9.7 shows the RPGM model with multiple groups. It shows a lower relative energy rate than the single group since there is low DC and SC between groups and RR is loose between groups. In the RPGM model, GR does not exist. The RPGM model with multiple groups also shows a low relative energy rate when speed is high, for the same reason as in the 1 group case.

[Figure 9.7] Relative energy in 1 group RPGM model and 4 group RPGM model (x-axis: Max. Speed (m/sec), 10-50; y-axis: Relative energy rate, 0.5-1; series: RPGM(1Group), RPGM(4Group))

Freeway model

Fig. 9.8 shows Relative Energy (RE) in the freeway model (attacker and victim on the same lane) and Fig. 9.9 shows the relative energy rate in the freeway model (attacker and victim on opposite lanes). RE shows a medium value and consequently traceback performance is relatively high in the freeway model when attacker and victim exist on the same lane. It is because there exists high MD among attacker, intermediate nodes and victim on the same lane due to high SC, DC, and GR. However, the relative energy rate is not as high as in the RPGM model since high DC and SC are observed only among the nodes on the same lane.
On the other hand, traceback performance is drastically reduced when the attacker and victim move in opposite directions (i.e., low MD). High GR in the freeway model leads to a constant remaining energy rate regardless of signature timeframe.

[Figure 9.8] Relative energy in freeway model (attacker and victim on the same lane) (x-axis: Max. Speed (m/sec), 10-50; y-axis: Relative energy rate, 0-1; series: 10 ST, 20 ST, 30 ST, 40 ST, 50 ST)

[Figure 9.9] Relative energy in freeway model (attacker and victim on the opposite lane) (x-axis: Max. Speed (m/sec), 10-50; y-axis: Relative energy rate, 0-1; series: 10 ST, 20 ST, 30 ST, 40 ST, 50 ST)

Chapter 10

Multi-Dimensional Information Fusion Architectures

10.1 Overview

In wireless multi-hop networks, many risks exist due to mobility, as described in Chapter 9. DoS/DDoS attacker traceback under such mobile scenarios can cause several problems/illusions. For example, an SMM attack can easily be launched when the attacker changes its location and performs a DoS attack. The victim might confuse the SMM attack with a DDoS attack, which leads to a false traceback result. To counter mobile attacks under diverse mobility scenarios, we propose a multi-dimensional information fusion architecture. Basically, we gather multi-dimensional information (spatial, temporal, address, area, and coordination information) from the network and analyze/correlate the information to infer the attack type. To gather the multi-dimensional information, we define a multi-dimensional attack signature, which includes age information, spatial location information, and abnormality information. Age is defined as the first and last (or most recent) time (t_S, t_L) the abnormality is observed. We propose a multi-dimensional information fusion architecture, which consists of an information gathering process and an information fusion process.
10.2 Information Gathering

In the information gathering stage, abnormality information plus age information and location information is gathered by contacts from their vicinity nodes. More formally, the multi-dimensional attack signature consists of (ξ, t_S, t_L, S). ξ is the attack signature, which is either coarse-grained or fine-grained. S is the relative position of the attacker (e.g., 2 hops away from level-1 contact i). t_S is the start time of the abnormality and t_L is the last time the abnormality was observed. This tuple space (ξ, t_S, t_L, S) is effectively used to classify the attack type (e.g., DDoS attack, mobile attack, etc.). Similar to static attacker traceback, contacts that observe the attack signature expand the queries to next-level contacts and other contacts suppress the query, which results in (multi-)directional information gathering. The difference between the multi-dimensional information fusion architecture and static attacker traceback is that all the attack information from every level of contact is returned to the victim, and the victim analyzes the multi-dimensional abnormality information.

10.3 Multi-dimensional Information Fusion

Information fusion is the process of correlating and analyzing the multi-dimensional information obtained through the information gathering process. In this chapter, we present an example of detecting an SMM attack using two of the multi-dimensional information types: spatial information and temporal information. To quantitatively formulate the spatial relation, we define the Spatial Relation Factor (SRF) as follows.

$SRF = \alpha \cdot \frac{1}{P}\sum_{\eta_{c_1}=1}^{N_{c_1}}\sum_{\eta_{c_2}=1}^{N_{c_2}} \frac{1}{D_S(\eta_{c_1}, \eta_{c_2}, \xi)}$ (Eq. 10.1)

where

$\alpha = \frac{n_S}{N_{c_1} + N_{c_2}}$ (Eq. 10.2)

$N_{c_1}$ is the total number of vicinity nodes of contact c_1 and $N_{c_2}$ is the total number of vicinity nodes of contact c_2. $n_S$ is the number of nodes that observe a similar attack signature, ξ, in the vicinity of contact c_1 and the vicinity of contact c_2.
$\eta_{c_1}$ is a vicinity node of contact c_1 and $\eta_{c_2}$ is a vicinity node of contact c_2. $D_S(\eta_{c_1}, \eta_{c_2}, \xi)$ is the hop count between nodes $\eta_{c_1}$ and $\eta_{c_2}$ that observe the attack signature ξ. The hop count information is obtained using the underlying routing table or through an explicit query. $D_S(\eta_{c_1}, \eta_{c_2}, \xi) = 0$ if nodes $\eta_{c_1}$ and $\eta_{c_2}$ do not observe the similar attack signature ξ. P is the total number of tuples where $D_S(\eta_{c_1}, \eta_{c_2}, \xi) > 0$, i.e., the tuples that enter the sum. From a high α value, we can infer that the attacker is operating near the central region of c_1's vicinity and c_2's vicinity. It is because more neighbors can overhear the abnormality when the attacker passes near the central region of the contact's vicinity. When α is small, we can infer that the attacker is not passing through the central region of the contact's vicinity or that the matching report is not reliable (false reporting). In addition, when the attacker moves from the vicinity of c_1 to the vicinity of c_2, we observe small $D_S(\eta_{c_1}, \eta_{c_2}, \xi)$. Consequently, when c_1 and c_2 are not adjacent contacts and $\eta_{c_1}$ and $\eta_{c_2}$ are far apart, large $D_S(\eta_{c_1}, \eta_{c_2}, \xi)$ is obtained, which leads to low SRF.

We quantitatively formulate the temporal relation as the Temporal Relation Factor (TRF).

$TRF = \alpha \cdot \frac{1}{P}\sum_{\eta_{c_1}=1}^{N_{c_1}}\sum_{\eta_{c_2}=1}^{N_{c_2}} \frac{1}{D_T(t_L(\eta_{c_1}), t_S(\eta_{c_2}), \xi)}$ (Eq. 10.3)

where $D_T(t_L(\eta_{c_1}), t_S(\eta_{c_2}), \xi)$ is the difference between the start time (i.e., $t_S(\eta_{c_2})$) when the attack signature is observed at node $\eta_{c_2}$ and the last (or most recent) time (i.e., $t_L(\eta_{c_1})$) when the attack signature is observed at $\eta_{c_1}$, where $t_S(\eta_{c_2}) \ge t_S(\eta_{c_1})$. Under a mobile attack, temporal continuity is observed and TRF becomes large since $D_T(t_L(\eta_{c_1}), t_S(\eta_{c_2}), \xi)$ becomes small. On the other hand, under a DDoS attack, temporal overlap is observed and TRF becomes negative since $t_L(\eta_{c_1}) > t_S(\eta_{c_2})$.
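As an added worked example (not the dissertation's code), the following Python computes α, SRF and TRF of Eq. 10.1-10.3 from constructed vicinity reports of two level-1 contacts and then applies the six-way SRF/TRF rule that this section gives next. The report times, the hop-count table, the thresholds that separate "high" from "low", and the clamp used when the time gap D_T is exactly zero are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Sequence, Tuple


@dataclass(frozen=True)
class Report:
    """One vicinity node's report of attack signature xi: the node id and the
    age (t_S, t_L) = first and last time the abnormality was observed."""
    node: str
    t_s: float
    t_l: float


Hops = Callable[[str, str], int]


def alpha(c1: Sequence[Report], c2: Sequence[Report], n_c1: int, n_c2: int) -> float:
    """Eq. 10.2: alpha = n_S / (N_c1 + N_c2), the share of both vicinities that saw xi."""
    return (len(c1) + len(c2)) / (n_c1 + n_c2)


def srf(c1: Sequence[Report], c2: Sequence[Report], n_c1: int, n_c2: int, hops: Hops) -> float:
    """Eq. 10.1: SRF = alpha * (1/P) * sum 1/D_S over reporting pairs (eta_c1, eta_c2).
    D_S is the hop count between the two reporting nodes; pairs with D_S == 0
    (no common signature) do not enter the sum, and P counts the pairs that do."""
    inv = [1.0 / hops(r1.node, r2.node)
           for r1, r2 in product(c1, c2) if hops(r1.node, r2.node) > 0]
    if not inv:
        return 0.0
    return alpha(c1, c2, n_c1, n_c2) * sum(inv) / len(inv)


def trf(c1: Sequence[Report], c2: Sequence[Report], n_c1: int, n_c2: int,
        min_gap: float = 0.1) -> float:
    """Eq. 10.3: TRF = alpha * (1/P) * sum 1/D_T with D_T = t_S(eta_c2) - t_L(eta_c1),
    over pairs with t_S(eta_c2) >= t_S(eta_c1) (the c_1 -> c_2 direction).
    A perfectly contiguous hand-off (D_T == 0) would divide by zero; this example
    clamps |D_T| to min_gap (an assumption, not from the dissertation). Temporal
    overlap (t_L(eta_c1) > t_S(eta_c2)) gives negative terms, hence negative TRF."""
    inv = []
    for r1, r2 in product(c1, c2):
        if r2.t_s < r1.t_s:
            continue
        d_t = r2.t_s - r1.t_l
        if abs(d_t) < min_gap:
            d_t = min_gap if d_t >= 0 else -min_gap
        inv.append(1.0 / d_t)
    if not inv:
        return 0.0
    return alpha(c1, c2, n_c1, n_c2) * sum(inv) / len(inv)


def classify(srf_value: float, trf_value: float,
             srf_high: float = 0.1, trf_high: float = 0.2) -> str:
    """Six-way rule of Section 10.3 / Figure 10.1. The thresholds separating
    'high' from 'low' are assumptions of this example (the text leaves them open)."""
    spatial = "clustered" if srf_value >= srf_high else "spread"
    if trf_value < 0:
        temporal = "negative"
    elif trf_value >= trf_high:
        temporal = "high"
    else:
        temporal = "low"
    rule = {
        ("clustered", "high"): "mobile attack",
        ("clustered", "low"): "intermittent clustered attack",
        ("clustered", "negative"): "clustered DDoS attack",
        ("spread", "high"): "geographically spread attack",
        ("spread", "low"): "geographically spread intermittent attack",
        ("spread", "negative"): "spread DDoS attack",
    }
    return rule[(spatial, temporal)]


def table_hops(table: Dict[Tuple[str, str], int], default: int = 0) -> Hops:
    """Symmetric hop-count lookup over a constructed routing table (stands in for
    the underlying routing table or explicit query named in the text)."""
    def hops(a: str, b: str) -> int:
        return table.get((a, b), table.get((b, a), default))
    return hops


def run_examples() -> Dict[str, Tuple[float, float, str]]:
    """Constructed reports for two level-1 contacts c_1 and c_2, 6 vicinity nodes each."""
    n_c1 = n_c2 = 6
    c1 = [Report("n1", 0.0, 10.0), Report("n2", 2.0, 10.5)]
    # Mobile attacker: c_2's nodes start seeing xi just after c_1's nodes stop.
    c2_mobile = [Report("n7", 11.0, 20.0), Report("n8", 11.5, 21.0)]
    # DDoS: c_2's nodes saw xi over the same interval as c_1's (temporal overlap).
    c2_ddos = [Report("n7", 1.0, 12.0), Report("n8", 0.5, 11.0)]
    near = table_hops({("n1", "n7"): 2, ("n1", "n8"): 3, ("n2", "n7"): 1, ("n2", "n8"): 2})
    far = table_hops({}, default=7)  # every reporting pair is 7 hops apart

    out = {}
    for name, c2, hops in (("mobile", c2_mobile, near),
                           ("clustered_ddos", c2_ddos, near),
                           ("spread", c2_mobile, far)):
        s = srf(c1, c2, n_c1, n_c2, hops)
        t = trf(c1, c2, n_c1, n_c2)
        out[name] = (s, t, classify(s, t))
    return out


if __name__ == "__main__":
    for name, (s, t, verdict) in run_examples().items():
        print(f"{name:15s} SRF={s:.3f} TRF={t:+.3f} -> {verdict}")
```

With the same hop table the mobile and clustered-DDoS inputs produce the same SRF and are separated only by the sign of TRF, which is the point Table 10.1 makes; moving every reporting pair seven hops apart drops SRF below the threshold and shifts the verdict to the geographically spread column.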
We use the SRF and TRF metrics to infer the attack type as follows (Fig. 10.1):

(I) When high SRF and high TRF are observed, we can infer that a mobile attack has occurred.
(II) When high SRF and low TRF are observed, we can infer that an intermittent attack has occurred from clustered attackers.
(III) When high SRF and negative TRF are observed, we can infer that a DDoS attack has occurred from geographically clustered attackers (clustered DDoS attack).
(IV) When low SRF and high TRF are observed, we can infer that an attack has occurred from geographically spread attackers with temporal continuity.
(V) When low SRF and low TRF are observed, we can infer that an intermittent attack has occurred from geographically spread attackers.
(VI) When low SRF and negative TRF are observed, we can infer that a DDoS attack from geographically spread attackers has occurred (spread DDoS attack).

We provide an algorithm to track down mobile attacks based on the above classification in the following.

[Figure 10.1] SMM attack detection example. The figure arranges the six cases by SRF (Low/High) and TRF (High/Low/Negative):
  SRF Low,  TRF High:      Geographically spread attack
  SRF Low,  TRF Low:       Geographically spread intermittent attack
  SRF Low,  TRF Negative:  Geographically spread DDoS attack
  SRF High, TRF High:      Mobile attack
  SRF High, TRF Low:       Intermittent clustered attack
  SRF High, TRF Negative:  Clustered DDoS attack

10.4 Mobile Attack Detection and Classification

Mobile DoS attack

Fig. 10-2(a) shows an example of mobile DoS attack detection using the TRF and SRF metrics. In the figure, the attacker moved from region 10→9→8→7.

[Figure 10.2] Illustration of the information fusion process for mobile DoS/DDoS attack detection: (a) Mobile DoS attack (regions 1-10 and victim V); (b) Crossing mobile DDoS attack (regions 1-11 and victim V)

The attack path from each cell is as follows: (10→6→4→2→1→v), (9→6→3→2→1→v), (8→5→3→2→1→v), (7→5→3→2→1→v). The victim finds the first-level temporal/spatial relation of the attack at regions 3 and 4.
In region 3 and region 4, high TRF and high SRF (4→3) are observed. At this point, we can infer that a mobile attack is occurring. Similarly, in regions 5 and 6, high TRF and high SRF are observed. Lastly, in regions 7, 8, 9 and 10, high TRF and SRF are observed, which leads us to conclude that the attacker is moving and is currently located in region 7. The relative location of the attacker is inferred from the information gathered at region 7. Vertical or diagonal movement of the attacker can be detected similarly.

Mobile DDoS attack

Basically, a mobile DDoS attack can be detected and traced through separate paths with the same mechanism as mobile DoS attacker traceback. The difficult problem in mobile DDoS attack occurs when two attackers cross each other, as in Fig. 10-2(b). The crossing mobile DDoS attack can be detected by using the TRF and SRF metrics plus the detection of an attack signature surge. An attack signature surge is observed since the two attack traffic streams are merged when they cross each other. For instance, in Fig. 10-2(b), the first attacker is moving from 7→8→9 and the second attacker is moving from 11→10→9, and the attack traffic is merged on the path 9→6→3→2→1. Regions 4 and 5 observe high SRF and high TRF with attack signature ξ_1. Regions 5 and 6 also observe high SRF and high TRF with attack signature ξ_2. The relation enables us to infer that a mobile attack has occurred in regions 4, 5, and 6. In addition, region 5 observes the surge of attack traffic (≈ ξ_1 + ξ_2), which enables us to infer the crossing of mobile attack traffic. Similarly, regions 7, 8 and 9 observe high SRF and high TRF. Regions 11, 10, and 9 observe high SRF and high TRF. Region 9 observes the surge of the attack signature. The relative location of the attackers is inferred from the information gathered at contact region 9. The overall algorithm to detect and trace mobile DDoS attack is summarized in Fig. 10-3.

Procedure at victim v
STEP 1: Detect flooding-type DoS/DDoS attack.
STEP 2: Send attack signature query to level-1 contacts.
STEP 3: If there are multiple signature reports from contacts, calculate SRF and TRF.
STEP 4: If SRF > SRF_thresh and TRF > TRF_thresh between contacts c_1a and c_1b, infer that the attacker is moving from region c_1a to region c_1b.
STEP 5: Check for signature surging. If surging exists, infer that multiple attackers are crossing.
STEP 6: Wait for matching reports from higher-level contacts and perform the SRF and TRF calculation.
STEP 7: If there is no more report after receiving the level-N contact report, infer the current relative position of the attack at the level-i contact which has the largest age.

Procedure at intermediate contact c_i
STEP 1: Receive attack signature query from contact c_(i-1) or the victim.
STEP 2: Gather abnormality information from its vicinity nodes.
STEP 3: If abnormality exists, report the candidate attack signature to the victim.
STEP 4: If there exists a contact of contact (c_(i+1)) and abnormality is observed, send a next-level query to c_(i+1). Otherwise, suppress the query.

[Figure 10-3] Overall algorithm to detect mobile attack

10.1 Performance Analysis

We compared SRF and TRF values between DDoS attack and mobile DoS attack. The DDoS attack is performed from 6 randomly selected nodes. In the mobile DoS attack, the attacker and 5% of the intermediate nodes are moving with the random waypoint mobility model (V_max = 2 m/s, pause time = 2.5 s). Average SRF and TRF values are calculated where mobility is detected. We excluded the regions where α (Eq. 10.1) is small (< 0.1) since it implies that the nodes that report the attack signature moved out of the original attack path. As shown in Table 10.1, SRF is high in both the mobile attack and the clustered DDoS attack since the attack is observed in a close region. SRF shows a low value when the DDoS attack is performed from geographically spread locations. TRF can differentiate between the mobile attack and the clustered DDoS attack since the DDoS attack is launched around the same time regardless of observation region.
Consequently, we can effectively differentiate between DDoS attack and mobile attack using the combination of the SRF and TRF metrics (high TRF in mobile DoS attack and low TRF in clustered DDoS attack).

[Table 10.1] Attack classification using SRF and TRF metrics
                  SRF      TRF
  Mobile DoS      0.17     28.1
  Clustered DDoS  0.18     5.12x10^-3
  Spread DDoS     0.032    5.38x10^-3

Chapter 11

Conclusion and Future Research Direction

11.1 Conclusion

In this dissertation, we proposed a protocol framework for efficient attacker traceback geared toward wireless multi-hop networks. We first systematically analyzed the traceback protocol design requirements for wireless multi-hop networks. Then, we identified each protocol component needed to satisfy the design requirements. We paid special attention to cross-layer information (i.e., network layer and MAC layer) to increase traceback accuracy, and we use the overhearing capability of the MAC layer, which drastically increases robustness against node compromise, high background traffic, and DDoS attack. In addition, we proposed a traceback-assisted countermeasure, which increases dropping efficiency against attack traffic and decreases the negative impact on legitimate traffic. The efficacy of our traceback architecture is verified through extensive simulation in this dissertation.

We analyzed how mobility affects traceback performance and proposed a scheme to track down mobile attackers. One of the most serious obstacles to attacker traceback in mobile wireless networks is the mobility of nodes. Existing attacker traceback schemes cannot be directly applied in the presence of node mobility in wireless networks. We classify mobility into two classes: (I) intentional malicious mobility by the attacker, and (II) legitimate mobility by intermediate nodes or the victim. Intentional malicious mobility of the attacker can cause a number of problems. We provide a systematic analysis of how mobility can be exploited by an attacker, using network combinational set-based multi-dimensional analysis.
We also identify possible attacks exploiting mobility. Even innocent mobility by intermediate nodes or the victim can have a negative impact on traceback performance. To track down mobile attacks effectively, we introduce the multi-dimensional information fusion architecture. In the multi-dimensional information fusion architecture, the location of the attacker is estimated using various correlated information that includes spatial and temporal information of attack signature movement. In addition, we systematically analyzed how the mobility model and various parameters of the mobility pattern can affect traceback performance.

11.2 Future Research Direction

As future work, we can consider a preventive attacker traceback scheme in wireless multi-hop networks. The traceback protocol proposed in this dissertation is a reactive attacker traceback scheme, which is performed after the attack is launched. However, we can take an approach from a new network design aspect. For instance, ingress filtering is a preventive traceback and prevention scheme, which can be effectively used in the Internet. However, since wireless multi-hop networks do not have the subnet concept, ingress filtering cannot be directly applied. In the initial stage of wireless multi-hop network design, we need to include security issues. Such security-aware network design can provide a much easier and stronger way of security assurance compared with reactive mechanisms.

References

[1] CERT Advisory CA-97.28, “IP Denial-of-Service Attacks,” May 26, 1996.
[2] CERT Advisory CA-96.21, “TCP SYN Flooding and IP Spoofing Attacks,” Sept. 24, 1996.
[3] CERT Advisory CA-98.01, “Smurf IP Denial-of-Service Attacks,” Jan. 5, 1998.
[4] CERT Advisory CA-96.01, “UDP Port Denial-of-Service Attack,” Feb. 8, 1996.
[5] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cayirci, “A Survey on Sensor Networks,” IEEE Communications Magazine, August 2002.
[6] F. Bai, N. Sadagopan, A. Helmy, “The IMPORTANT Framework for Analyzing the Impact of Mobility on Performance of Routing for Ad Hoc Networks,” Ad Hoc Networks Journal (Elsevier), Vol. 1, Issue 4, 2003.
[7] A. Belenky and N. Ansari, “On IP Traceback,” IEEE Communications Magazine, July 2003.
[8] J. Broch, D.A. Maltz, D.B. Johnson, Y.-C. Hu, and J. Jetcheva, “A Performance Comparison of Multi-hop Wireless Ad Hoc Network Routing Protocols,” in Proceedings of the Fourth Annual ACM/IEEE International Conference on Mobile Computing and Networking, ACM, October 1998.
[9] L. Breslau, D. Estrin, K. Fall, S. Floyd, J. Heidemann, A. Helmy, P. Huang, S. McCanne, K. Varadhan, Y. Xu, and H. Yu, “Advances in network simulation,” IEEE Computer, Vol. 33, No. 5, May 2000.
[10] S.M. Bellovin, “ICMP Traceback Messages,” IETF draft, 2000; http://www.research.att.com/smb/papers/draft-bellovin-itrace-00.txt.
[11] H. Burch, et al., “Tracing Anonymous Packets to Their Approximate Source,” Proceedings of the 2000 USENIX LISA Conf., pp. 319-327, Dec. 2000.
[12] R.K.C. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” IEEE Communications Magazine, Oct. 2002.
[13] D. Estrin, R. Govindan, J. Heidemann, S. Kumar, “Next Century Challenges: Scalable Coordination in Sensor Networks,” International Conference on Mobile Computing and Networking, 1999.
[14] A. Helmy, “Small World in Wireless Networks,” IEEE Communications Letters, 2001.
[15] A. Helmy, et al., “A Contact-based Architecture for Resource Discovery in Ad Hoc Networks,” ACM Baltzer MONET Journal, 2004.
[16] X. Hong, M. Gerla, G. Pei, and C.-C. Chiang, “A group mobility model for ad hoc wireless networks,” ACM/IEEE MSWiM, Aug. 1999.
[17] D.B. Johnson, D.A. Maltz, and J. Broch, “DSR: The Dynamic Source Routing Protocol for Multi-hop Wireless Ad Hoc Networks,” in Ad Hoc Networking, C. Perkins, Ed., Addison-Wesley, 2001, pp. 139-172.
[18] Y. Kim, A. Helmy, “SWAT: Small World-based Attacker Traceback in Ad-hoc Networks,” IEEE INFOCOM 2005, Poster/Demo session.
[19] Y. Kim, A. Helmy, “SWAT: Small World-based Attacker Traceback in Ad-hoc Networks,” IEEE/ACM MobiQuitous, July 2005.
[20] Y. Kim, A. Helmy, “ATTENTION: Attacker Traceback using MAC Layer Abnormality Detection,” USC Technical Report, 2005.
[21] Y. Kim, V. Sankhla, A. Helmy, “Efficient Traceback of DoS Attack with Small World in MANET,” Proceedings of IEEE VTC (Vehicular Technology Conference), Los Angeles, U.S.A., Sep. 2004.
[22] G. Mansfield, et al., “Towards trapping wily intruders in the large,” Computer Networks, Vol. 34, pp. 650-670, 2000.
[23] S. Milgram, “The small world problem,” Psychology Today 1, 61 (1967).
[24] C.E. Perkins and P. Bhagwat, “Highly dynamic destination sequenced distance vector routing (DSDV) for mobile computers,” ACM SIGCOMM, 1994, pp. 234-244.
[25] A. Perrig, et al., “SPINS: Security Protocols for Sensor Networks,” ACM MOBICOM, 2001.
[26] A.C. Snoeren, et al., “Hash-Based IP Traceback,” ACM SIGCOMM, 2001.
[27] A.C. Snoeren, et al., “Single-Packet IP Traceback,” IEEE/ACM Trans. on Networking, Dec. 2002.
[28] S. Savage, et al., “Practical Network Support for IP Traceback,” ACM SIGCOMM, 2000.
[29] S. Savage, et al., “Network Support for IP Traceback,” IEEE/ACM Trans. on Networking, June 2001.
[30] A.D. Wu et al., “On Design and Evaluation of Intention-driven ICMP Traceback,” Proceedings of the 10th Int'l Conf. on Computer Communications and Networks, 2001.
[31] L. Zhou and Z.J. Haas, “Securing Ad Hoc Networks,” IEEE Network, Special Issue on Network Security, November/December 1999.
[32] Microsoft Corporation, “Stop 0A in tcpip.sys when receiving out of band (OOB) data,” http://support.microsoft.com/support/kb/articles/Q143/4/78.asp
[33] Hogg and Tanis, Probability and Statistical Inference, Prentice Hall, 2001.
[34] W. Mendenhall, T. Sincich, Statistics for Engineering and the Sciences, Prentice Hall.
Asset Metadata
Creator: Kim, Yongjin (author)
Core Title: A protocol framework for attacker traceback in wireless multi-hop networks
School: Viterbi School of Engineering
Degree: Doctor of Philosophy
Degree Program: Computer Engineering
Publication Date: 09/27/2006
Defense Date: 07/24/2006
Publisher: University of Southern California (original), University of Southern California. Libraries (digital)
Tags: attacker traceback, denial of service, network security, OAI-PMH Harvest
Language: English
Advisor: Helmy, Ahmed (committee chair), Govindan, Ramesh (committee member), Krishnamachari, Bhaskar (committee member)
Creator Email: v2yjkim@gmail.com
Permanent Link (DOI): https://doi.org/10.25549/usctheses-m44
Unique identifier: UC150857
Identifier: etd-Kim-20060927 (filename), usctheses-m40 (legacy collection record id), usctheses-c127-11064 (legacy record id), usctheses-m44 (legacy record id)
Legacy Identifier: etd-Kim-20060927-0.pdf
Dmrecord: 11064
Document Type: Dissertation
Rights: Kim, Yongjin
Type: texts
Source: University of Southern California (contributing entity), University of Southern California Dissertations and Theses (collection)
Repository Name: Libraries, University of Southern California
Repository Location: Los Angeles, California
Repository Email: cisadmin@lib.usc.edu