![Page 1: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/1.jpg)
Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships
Qing Li and Wade Trappe
IEEE Transactions on Information Forensics and Security, Vol. 2, No. 4, December 2007
Presented by: Ryan Yandle
![Page 2: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/2.jpg)
Outline
Spoofing
ORBIT
Family 1 – Relationships via Auxiliary Fields
    Method A – Sequence Number
    Method B – One-way chains
Family 2 – Relationships via Intrinsic Properties
    Method A – Interarrival time
    Method B – Joint Background Traffic and Interarrival time
Analysis
Multilevel Classification
Conclusion
![Page 3: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/3.jpg)
What is Spoofing?
The practice of impersonating another entity in order to subvert security.
Spoofing allows the attacker to remain anonymous and undetected in the network.
![Page 4: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/4.jpg)
More Specifically
This paper refers to MAC address spoofing: the attacker tries to gain access to the WLAN by cloning the MAC address of a legitimate user.
![Page 5: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/5.jpg)
What are Forge-Resistant Relationships?
Rules that govern the relationship between two distinct entities.
These rules define the relationship such that another entity (the attacker) trying to forge the relationship would be caught.
The paper's focus is to detect spoofing by constructing such relationships.
![Page 6: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/6.jpg)
The ORBIT Wireless Test Bed
Composed of a 2D grid of wireless nodes.
Jointly run by several schools in the NY/NJ area.
![Page 7: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/7.jpg)
Test Bed Setup
A – Legitimate Sender
B – Attacker
X – Monitor
![Page 8: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/8.jpg)
Strategy Overview
Consider that the legitimate sender has a unique identity.
Associated with that identity will be a particular sequence of packets.
From these packets we may observe states.
![Page 9: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/9.jpg)
More Strategery…
A Relationship Consistency Check (RCC) is a binary rule that returns 1 if the states obey the rule R with respect to each other.
![Page 10: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/10.jpg)
But…
Simply using a relationship R and checking the corresponding RCC at the monitoring device is not going to provide reliable security.
We need to add requirements on forgeability to the relationship.
Thus, an RRCC (forge-resistant RCC) is needed.
![Page 11: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/11.jpg)
Definition of RRCC
An ε-forge-resistant relationship R is a rule governing the relationship between a set of states from a particular identity, for which there is only a small probability (ε) of another device being able to forge a set of states such that a monitoring device would evaluate the corresponding RCC as 1.
![Page 12: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/12.jpg)
More…
We will view the output of an RRCC as the result of deciding between two different hypotheses:
H0 – the null hypothesis, corresponding to non-suspicious activity
H1 – the alternate hypothesis, corresponding to anomalous behavior
![Page 13: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/13.jpg)
Quantifying Effectiveness
We will use several measures to quantify the effectiveness of R.
The probability of a false alarm, PFA = Pr(H1; H0): the probability that we decide a set of states is suspicious when it was really legitimate.
The probability of a missed detection, PMD = Pr(H0; H1): the probability of deciding that a set of states is legitimate when it was not.
![Page 14: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/14.jpg)
Quantifying Effectiveness Cont.
The probability of detection: PD = 1 − PMD
Other symbols: ε = PMD, δ = PFA
Therefore, we can characterize an RRCC by the pair (ε, δ).
![Page 15: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/15.jpg)
Two Proposed Families for Relationships
1. Using auxiliary fields in the MAC frame to create a monotonic relationship
2. Using traffic inter-arrival statistics to detect anomalous traffic
![Page 16: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/16.jpg)
Family I - Forge-Resistant Relationships via Auxiliary Fields, Method A
Anomaly Detection via Sequence Number Monotonicity
Enforce a rule that requires packet sequence numbers to follow a monotonic relationship, denoted as Rseq.
![Page 17: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/17.jpg)
802.11 MAC Frame Structure
The sequence number is generally used to re-assemble fragmented frames or to detect duplicate packets.
Fragment control – 4 bits
Sequence number – 12 bits = 4096 possibilities, ranging over [0, 4095]
[Figure label: Firmware]
![Page 18: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/18.jpg)
Rseq
It does not matter if the attacker can manipulate its own sequence numbers.
A cloning attempt would be exposed by duplicate sequence numbers.
Therefore, the forge resistance stems from the fact that the attacker cannot stop the legitimate sender from transmitting packets.
![Page 19: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/19.jpg)
Single Source Sequence Numbers
Let τ be the difference in sequence numbers between two consecutive packets.
The possible values for τ are [1, 4096]; a value of 4096 is equivalent to a sequence number difference of 0 (duplicate sequence numbers).
The mean of the distribution of τ is E[τ] = 1/(1 − p), where p is the packet loss rate.
The variance of the distribution of τ is σ_τ² = p/(1 − p)².
![Page 20: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/20.jpg)
Theoretical Packet Loss
Using the formulas we just learned, for a theoretical transmission with a packet loss of 50%: E[τ] = 2, σ_τ = 1.41.
Even for networks with poor connectivity, the difference in sequence numbers between successive packets will be relatively small.
![Page 21: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/21.jpg)
Dual Source Sequence Numbers
Let y be the sequence number from the real source and x the sequence number from the attacker.
z = x − y gives a range of [−4095, 4095]; the gap is then defined as z mod 4096.
![Page 22: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/22.jpg)
Dual Source Cont.
If we then map a difference of 0 to 4096, we have a uniform distribution over [1, 4096], with mean 2048.5 and standard deviation σ = 1182.
![Page 23: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/23.jpg)
Single Source Behavior
A single node is transmitting packets using a specified MAC address to a receiver.
No anomalous behavior is present in this scenario.
![Page 24: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/24.jpg)
Dual Source Behavior
Two nodes using the same MAC address to transmit packets; one node is spoofing the other's MAC address.
![Page 25: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/25.jpg)
Let's build a detector…
We define the RRCC detection scheme as follows:
Choose a window of packets coming from a specific MAC address, with window size L.
The detector calculates the L − 1 sequence number gaps within the window.
![Page 26: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/26.jpg)
More on the detector
The detector declares an anomaly if the largest of the L − 1 gaps, max over l = 1, …, L − 1 of τ_l, exceeds a threshold.
The threshold is determined by solving for a desired false alarm rate.
![Page 27: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/27.jpg)
Example: L = 5, threshold = 3
Observed sequence numbers: 1 2 3 76 5 7 8 9 10 11
Gaps in the window: 1 73 71 2
MAX{ } = 73; 73 > 3, so RETURN(1)
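An added example (not the paper's or the presenter's code) implementing the Rseq window detector described on the preceding slides. It uses the forward gap mod 4096, so the backward step 76 → 5 in the slide's constructed capture shows up as a gap of 4025 rather than 71; the detection outcome is the same. The threshold function assumes that single-source gaps are independent and geometric with loss rate p, which is the model behind E[τ] = 1/(1 − p).

```python
"""Sequence-number monotonicity detector (rule Rseq), written for this page.
Assumes 12-bit 802.11 sequence numbers and, for the threshold calculation,
that single-source gaps are independent and geometric with loss rate p."""
from typing import List, Optional

SEQ_SPACE = 4096  # 12-bit sequence number field: values 0..4095


def seq_gap(prev: int, cur: int) -> int:
    """Forward gap between two consecutive frames seen under one MAC address,
    mapped into [1, 4096]. A wrapped difference of 0 (a duplicate sequence
    number) maps to 4096, as on the slides."""
    gap = (cur - prev) % SEQ_SPACE
    return SEQ_SPACE if gap == 0 else gap


def window_gaps(window: List[int]) -> List[int]:
    """The L-1 gaps inside a window of L sequence numbers."""
    return [seq_gap(a, b) for a, b in zip(window, window[1:])]


def rcc_seq(window: List[int], threshold: int) -> int:
    """Detector output for one window: 1 = anomaly (max gap exceeds the
    threshold), 0 = consistent with a single monotonic sender."""
    return 1 if max(window_gaps(window)) > threshold else 0


def first_anomaly(seqs: List[int], L: int, threshold: int) -> Optional[int]:
    """Slide a window of size L over a capture; return the start index of the
    first window flagged, or None if every window passes."""
    for i in range(len(seqs) - L + 1):
        if rcc_seq(seqs[i:i + L], threshold):
            return i
    return None


def threshold_for_false_alarm(p: float, L: int, delta: float) -> int:
    """Smallest threshold t such that a window of L-1 legitimate gaps exceeds t
    with probability at most delta. With geometric gaps P(gap > t) = p**t, so
    P_FA(t) = 1 - (1 - p**t) ** (L - 1)."""
    for t in range(1, SEQ_SPACE):
        if 1.0 - (1.0 - p ** t) ** (L - 1) <= delta:
            return t
    return SEQ_SPACE


if __name__ == "__main__":
    # Constructed capture from the worked slide: a second sender injects 76.
    capture = [1, 2, 3, 76, 5, 7, 8, 9, 10, 11]
    print(window_gaps(capture[:5]))                    # [1, 1, 73, 4025]
    print(first_anomaly(capture, L=5, threshold=3))    # 0
    print(threshold_for_false_alarm(0.5, 5, 0.01))     # 9
```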
![Page 28: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/28.jpg)
Performance of Sequence Number Monotonicity
L = 2
![Page 29: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/29.jpg)
Sequence Number Gap Statistics for a Single Source from ORBIT
![Page 30: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/30.jpg)
When would this not work?
This method of detection only works in the presence of heterogeneous sources: the legitimate device must be transmitting in order to reveal the anomaly.
![Page 31: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/31.jpg)
Family I - Forge-Resistant Relationships via Auxiliary Fields, Method B
One-way chain of Temporary Identifiers
The sender attaches a TIF (temporary identifier field) to its identity, forcing the adversary to solve a cryptographic puzzle in order to spoof.
![Page 32: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/32.jpg)
Temporary Identifier Fields
Similar to what was proposed in TESLA: compute a one-way chain of numbers, and attach them to the frames in reverse order.
In order for the attacker to spoof a message, they would need to find the inverse of the function used to compute the one-way chain.
This method is loss-tolerant.
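An added example (not the paper's or the presenter's code) of the one-way chain of TIFs and the monitor-side check described above, including the loss tolerance. The slides do not fix the one-way function or the loss window, so this assumes SHA-256 truncated to `bits` bits (the slides' ROC curves use 10- and 16-bit TIFs) and a monitor that tolerates up to `max_loss` consecutive lost frames.

```python
"""One-way chain of temporary identifier fields (TIFs), written for this page.
Assumptions not fixed by the slides: the one-way function is SHA-256 truncated
to `bits` bits, and the monitor tolerates at most `max_loss` lost frames."""
import hashlib
from typing import List


def h(value: int, bits: int) -> int:
    """One-way function on a `bits`-bit value: SHA-256 truncated to `bits` bits.
    Short outputs (10 or 16 bits) make blind guessing feasible, which is what
    the ROC curves for different bit lengths measure."""
    digest = hashlib.sha256(value.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def make_chain(seed: int, n: int, bits: int) -> List[int]:
    """Compute v_n = seed, v_i = h(v_{i+1}) and return [v_0, v_1, ..., v_n].
    v_0 is the anchor handed to the monitor; the sender then attaches
    v_1, v_2, ... to successive frames, i.e. in reverse order of computation."""
    chain = [seed & ((1 << bits) - 1)]
    for _ in range(n):
        chain.append(h(chain[-1], bits))
    chain.reverse()
    return chain


class TifMonitor:
    """Monitor-side consistency check for the TIF attached to each frame."""

    def __init__(self, anchor: int, bits: int, max_loss: int = 8) -> None:
        self.last = anchor        # most recently accepted chain value
        self.bits = bits
        self.max_loss = max_loss  # lost frames tolerated between two accepts

    def accept(self, tif: int) -> bool:
        """True if hashing `tif` at most max_loss+1 times reaches the last
        accepted value; the chain head then advances to `tif`.
        A forger must invert h to produce an acceptable tif, and a replayed
        (older) tif hashes past the head without ever matching it."""
        x = tif
        for _ in range(self.max_loss + 1):
            x = h(x, self.bits)
            if x == self.last:
                self.last = tif
                return True
        return False


if __name__ == "__main__":
    chain = make_chain(seed=0xC0FFEE, n=6, bits=64)   # constructed seed
    monitor = TifMonitor(anchor=chain[0], bits=64)
    print(monitor.accept(chain[1]), monitor.accept(chain[2]))  # True True
    print(monitor.accept(chain[5]))  # True: frames 3 and 4 were lost
    print(monitor.accept(chain[2]))  # False: replay of an old TIF
```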
![Page 33: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/33.jpg)
ROC Curve for one-way chain TIF’s
Bit Length = 10 Bit Length = 16
![Page 34: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/34.jpg)
Outline
Spoofing
ORBIT
Family 1 – Relationships via Auxiliary Fields
    Method A – Sequence Number
    Method B – One-way chains
Family 2 – Relationships via Intrinsic Properties
    Method A – Interarrival time
    Method B – Joint Background Traffic and Interarrival time
Analysis
Multilevel Classification
Conclusion
![Page 35: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/35.jpg)
Family II - Forge-Resistant Relationships via Intrinsic Properties, Method A) Traffic Arrival Consistency Checks
Use a traffic shaping tool to control the interarrival times observed by the monitoring device.
These interarrival statistics are then used to determine anomalous behavior.
![Page 36: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/36.jpg)
Traffic Arrival Consistency Checks
Suppose we have our three devices, A, B and X.
A is set to transmit at a fixed interval, and X takes note of this behavior.
If B starts transmitting (spoofing to impersonate A), the detector will notice a change in the distribution of packet arrivals.
![Page 37: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/37.jpg)
Resulting Histograms
![Page 38: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/38.jpg)
Experimental Results: 200ms
![Page 39: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/39.jpg)
Experimental Results cont.
![Page 40: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/40.jpg)
When would this method become unreliable on a wireless network?
With the presence of high background traffic, this method would become less suitable.
Background traffic would affect the transmission intervals of the sender, possibly causing false alarms.
![Page 41: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/41.jpg)
Family II - Forge-Resistant Relationships via Intrinsic Properties, Method B) Joint Traffic Load and Interarrival Time Detector
Jointly examine the interarrival time and the background traffic load.
Use these two pieces of information to determine anomalous behavior, even under heavy traffic.
![Page 42: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/42.jpg)
Joint Traffic Load and Interarrival Time Detector
Take the observed average interarrival time and the observed traffic load as the two coordinates.
We then partition this (interarrival time, traffic load) space into two regions:
Region I – non-suspicious behavior
Region II – anomalous activity
This idea is later revisited in the experimental validation section.
![Page 43: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/43.jpg)
Enhanced Detection using Multilevel Classification
It is extremely useful to have a severity analysis: plot severity vs. the average sequence number gap of a particular window.
Severity is defined as the sum of the differences between a normal gap and the observed gap, over all gaps in a window of size L.
![Page 44: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/44.jpg)
Severity vs. Average Sequence Number Gap
![Page 45: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/45.jpg)
Conclusion
All methods have their flaws.
There are already mechanisms in place within 802.11 that can help detect spoofing attacks.
Thank you for your time!
![Page 46: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/46.jpg)
Questions / Comments
![Page 47: Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships](https://reader035.vdocuments.us/reader035/viewer/2022070500/56816837550346895dddf997/html5/thumbnails/47.jpg)
Sequence Number Gap Statistics for Dual Source from ORBIT