1
Intrusion Detection and Forensics for
Self-defending Wireless Networks
  • Yan Chen
  • Lab for Internet and Security Technology (LIST)
  • Dept. of Electrical Engineering and Computer
    Science
  • Northwestern University
  • http://list.cs.northwestern.edu

2
The Spread of Sapphire/Slammer Worms
3
The Current Threat Landscape of Wireless Networks
  • Wireless networks, crucial for the GIG, face both
    Internet attacks and their own unique attacks
  • Viruses/worms: e.g., 6 new viruses, including
    Cabir and Skulls, with 30 variants targeting
    mobile devices
  • Botnets: the underground army of the Internet,
    now emerging for wireless networks
  • Big security risks for wireless networks
  • Little formal analysis of wireless network
    protocol vulnerabilities
  • Existing (wireless) IDSes focus only on known
    attacks
  • Ineffective against unknown attacks or polymorphic
    worms
  • Little work on attack forensics
  • E.g., how to identify the command-and-control
    (C&C) channel of botnets?

4
Self-Defending Wireless Networks
  • Proactive search for vulnerabilities in wireless
    network protocols
  • Intelligent and thorough checking through a
    combination of manual analysis and automated
    search with formal methods
  • First, manual analysis provides hints and the right
    level of abstraction for the automated search
  • Then specify the protocol and the potential
    capabilities of attackers in a formal language,
    TLA (the Temporal Logic of Actions)
  • Then model check for any possible attacks
  • Defend against emerging threats
  • Worms: network-based polymorphic worm signature
    generation
  • Botnets: IRC (Internet Relay Chat) based C&C
    detection and mitigation

5
Outline
  • Threat landscape and motivation
  • Our approach
  • Accomplishment of this year
  • Vulnerability analysis of Mobile IPv6 protocols
  • Polymorphic worm signature generation
  • Plan for the next year

6
Accomplishments This Year (I)
  • Intelligent vulnerability analysis
  • Focused on outsider attacks, i.e., with unprotected
    messages
  • Checked the complete spec of 802.16e before
    authentication
  • Found some vulnerabilities, e.g., in ranging (but
    these require changing the MAC address)
  • Checked Mobile IPv4/v6
  • Found an easy attack that disables the route
    optimization of MIPv6!
  • Partnered with Motorola, which is very interested in
    the vulnerability found
  • Automatic polymorphic worm signature generation
    systems for high-speed networks
  • Fast, noise tolerant, with proven attack resilience
  • Talking with the Cisco IPS group about tech transfer
  • Patent filed

7
Accomplishments This Year (II)
  • Six conference papers, one journal paper and a book
    chapter
  • Honeynet-based Botnet Scan Traffic Analysis,
    invited book chapter for Botnet Detection:
    Countering the Largest Security Threat
  • Detecting Stealthy Spreaders Using Online
    Outdegree Histograms, in Proc. of the 15th
    IEEE International Workshop on Quality of Service
    (IWQoS), 2007 (26.6).
  • Hamsa: Fast Signature Generation for Zero-day
    Polymorphic Worms with Provable Attack
    Resilience, to appear in IEEE Symposium on
    Security and Privacy, 2006 (9).
  • Towards Scalable and Robust Distributed Intrusion
    Alert Fusion with Good Load Balancing, in Proc.
    of ACM SIGCOMM Workshop on Large-Scale Attack
    Defense, 2006 (33).
  • Automatic Vulnerability Checking of IEEE 802.16
    WiMAX Protocols through TLA, in Proc. of the
    Second Workshop on Secure Network Protocols
    (NPSec) (33).
  • A DoS Resilient Flow-level Intrusion Detection
    Approach for High-speed Networks, to appear in
    IEEE International Conference on Distributed
    Computing Systems (ICDCS), 2006 (14).
  • Reverse Hashing for High-speed Network
    Monitoring: Algorithms, Evaluation, and
    Applications, Proc. of IEEE INFOCOM, 2006 (18).
    Full version to appear in IEEE/ACM Transactions on
    Networking.

8
Mobile IPv6 (RFC 3775)
  • Provides mobility at the IP layer
  • Enables IP-based communication to continue even
    when the host moves from one network to another
  • Host movement is completely transparent to Layer
    4 and above

9
Mobile IPv6 - Entities
  • Mobile Node (MN): any IP host which is mobile
  • Correspondent Node (CN): any IP host
    communicating with the MN
  • Home Agent (HA): a host/router in the home
    network which
  • Is always aware of the MN's current location
  • Forwards any packet destined to the MN
  • Assists the MN to optimize its route to the CN

10
Mobile IPv6 - Process
  • (Initially) MN is in its home network and
    connected to the CN
  • MN moves to a foreign network
  • Registers its new address with the HA by sending a
    Binding Update (BU) and receiving a Binding Ack (BA)
  • Performs Return Routability to optimize the route to
    the CN by sending HoTI and CoTI and receiving HoT
    and CoT
  • Registers with the CN using BU and BA

11
Mobile IPv6 in Action
[Figure: Home Network with the Home Agent, Foreign Network with the Mobile
Node, and the Correspondent Node across the Internet. Messages shown: BU and BA
between MN and HA and between MN and CN; HoTI/HoT relayed via the HA and
CoTI/CoT sent directly to the CN.]
12
Mobile IPv6 Vulnerability
  • Nullifies the effect of Return Routability
  • BAs with status codes 136, 137 and 138 are unprotected
  • Man-in-the-middle attack:
  • Sniffs the BU sent to the CN
  • Injects a BA to the MN with one of the status codes above
  • MN either retries RR or gives up route
    optimization and goes through the HA

13
MIPv6 Attack In Action
[Figure: message sequence chart with columns MN, HA, AT (the attacker) and CN.
Start: Return Routability (HoTI and CoTI from the MN, HoT and CoT back).
Bind Update (sniffed by AT along the way). Bind Ack spoofed by AT.
Return Routability again, then Bind Ack, Bind Ack.]
  • Only need a wireless network sniffer and a
    spoofing wired machine (no MAC address needs to be
    changed!)
  • Bind ACK is often skipped by the CN

14
MIPv6 Vulnerability - Effects
  • Performance degradation by forcing communication
    through sub-optimal routes
  • Possible overloading of the HA and the home link
  • DoS attack when the MN repeatedly tries to complete
    the return routability procedure
  • Attack can be launched against a large number of
    machines in their foreign network
  • Small overhead for continuously sending spoofed
    Bind ACKs to different machines

15
TLA Analysis and Experiments
  • With the spec modeled in TLA, the TLC search
    gives two other similar attacks with the same
    vulnerability
  • Completed the search of vulnerabilities with
    unprotected messages
  • Implemented and tested in our lab
  • Using Mobile IPv6 Implementation for Linux (MIPL)
  • Tunnel IPv6 through IPv4 with Generic Routing
    Encapsulation (GRE) by Cisco
  • With the attack in action, the MN repeatedly tried
    to complete the return routability procedure: a
    DoS attack!
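A defender-side illustration of slides 12 through 15, added here and not part of the talk or its lab setup: a passive monitor that parses Mobile IPv6 Mobility Headers, keeps only Binding Acks carrying the unprotected status codes 136, 137 and 138, and raises an alert when one mobile node receives a burst of them, which is the repeated-Return-Routability symptom the experiments observed. The window and threshold values, the addresses and the packets are constructed for the example.

```python
# Added example, not from the talk: passive detection of a mobile node receiving
# a burst of Binding Acks with the unprotected status codes 136/137/138. Mobility
# Header layout follows RFC 3775; window/threshold values and packets are assumed.
import struct
from collections import defaultdict, deque

MH_TYPE_BA = 6                      # Mobility Header type: Binding Acknowledgement
SUSPECT_STATUS = {136, 137, 138}    # unprotected error status codes from the slide
WINDOW_SECONDS = 10.0               # assumed sliding observation window
MAX_PER_WINDOW = 3                  # assumed tolerated error BAs per MN per window

def parse_binding_ack(mh: bytes):
    """Return (status, sequence, lifetime) if mh carries a BA, else None."""
    if len(mh) < 12:
        return None
    _next, _hlen, mh_type, _rsv, _csum = struct.unpack("!BBBBH", mh[:6])
    if mh_type != MH_TYPE_BA:
        return None
    status, _flags, seq, lifetime = struct.unpack("!BBHH", mh[6:12])
    return status, seq, lifetime

def build_ba(status: int, seq: int, lifetime: int = 0) -> bytes:
    """Construct a 16-byte BA Mobility Header (checksum zeroed, PadN option)."""
    fixed = struct.pack("!BBBBH", 59, 1, MH_TYPE_BA, 0, 0)  # 59 = no next header
    return fixed + struct.pack("!BBHH", status, 0, seq, lifetime) + b"\x01\x02\x00\x00"

class SpoofedBaDetector:
    """Counts error BAs per destination MN inside a sliding time window."""
    def __init__(self):
        self.arrivals = defaultdict(deque)   # MN address -> arrival timestamps

    def observe(self, ts: float, src: str, dst: str, mh: bytes):
        ba = parse_binding_ack(mh)
        if ba is None or ba[0] not in SUSPECT_STATUS:
            return None                      # other MH type or a normal BA
        q = self.arrivals[dst]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()                      # drop arrivals outside the window
        if len(q) > MAX_PER_WINDOW:
            return f"{dst}: {len(q)} error BAs (status {ba[0]}) from {src} within {WINDOW_SECONDS}s"
        return None

def run_demo():
    """Constructed trace: one accepted BA, then five status-136 BAs one second apart."""
    det = SpoofedBaDetector()
    mn, cn = "2001:db8:1::10", "2001:db8:2::20"
    trace = [(0.0, build_ba(0, 1, 600))] + [(float(i), build_ba(136, 1 + i)) for i in range(1, 6)]
    return [alert for ts, mh in trace if (alert := det.observe(ts, cn, mn, mh))]
```

A real deployment would take the timestamps and addresses from the enclosing IPv6 packets; the detector only needs the Mobility Header bytes and the destination address.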

16
Outline
  • Threat landscape and motivation
  • Our approach
  • Accomplishment of this year
  • Vulnerability analysis of Mobile IPv6 protocols
  • Polymorphic worm signature generation
  • Plan for the next year

17
Deployment of SDWN
  • Attached to a switch connecting the BSs as a black
    box
  • Enables the early detection and mitigation of
    global-scale attacks
  • Significantly more challenging compared with
    host-based IDS/IPS
  • Huge data volume and lack of host-level
    information

[Figure: (a) Original configuration: Users, 802.1x BSs, Switch/BS controller,
Router/switch, Gateway, Internet. (b) SDWN deployed: the same topology with the
SDWN system attached to the switch scan port and a Honeynet behind the Gateway.]
18
Automatic Length Based Worm Signature Generation
  • The majority of worms exploit buffer overflow
    vulnerabilities
  • Worm packets have a particular field that is longer
    than normal
  • Length signature generation:
  • Parse the traffic into its different fields
  • Find the abnormally long field
  • Apply a three-step algorithm to determine a
    length signature
  • A length-based signature is hard to evade if the
    attacker has to overflow the buffer

19
Length Based Signature Generator
20
Evaluation of Signature Quality
  • Seven polymorphic worms based on real-world
    vulnerabilities and exploits from
    securityfocus.com
  • Real traffic collected at two gigabit links of
    campus edge routers in 2006 (40GB for evaluation)
  • Another 123GB SPAM dataset

21
Outline
  • Threat landscape and motivation
  • Our approach
  • Accomplishments
  • Achievement highlight: a Mobile IPv6
    vulnerability
  • Plan for the next year
  • Insider attack analysis
  • Complete the polymorphic worm signature
    generation
  • Intrusion forensics for botnet command and
    control channel detection

22
Insider Attack Analysis
  • Not hard to become a subscriber
  • Can five subscribers bring down an entire
    wireless network (e.g., WiMAX)?
  • Check vulnerabilities after authentication
  • Plan to analyze various layers of WiMAX networks:
  • IEEE 802.16e MAC layer
  • Mobile IP v4/6 network layer
  • EAP layer

23
802.16e SS Init Flowchart
24
Work Done
25
Future work
26
Intrusion Detection and Forensics for
Self-defending Wireless Networks
Yan Chen, Northwestern University
Tel. (847) 491-4946, E-Mail ychen_at_northwestern.edu

Objective
  • Proactively secure the wireless networks
  • Search for network protocol vulnerabilities
  • Automatically detect and filter unknown
    and/or polymorphic worms
  • Intrusion forensics and mitigation for
    botnet-based attacks

[Figure: SDWN deployment. Users, 802.1x BS, Switch/BS controller, Gateway and
Internet, with the SDWN system attached to the switch scan port and a Honeynet.]

Accomplishments
  • Successfully checked for outsider attack
    vulnerabilities of MIP v4/6 and 802.16e (WiMAX)
    protocols
  • Network-based automatic signature generation

Challenges
  • State space explosion for vulnerability search
    with formal methods
  • Large amount of traffic to monitor on high-speed
    links

Scientific/Technical Approach
  • Intelligent and complete vulnerability search
    through the combination of manual analysis and
    verification via formal methods
  • Network-based automatic signature generation
    for polymorphic worms
  • Botnet command-and-control channel detection
    and mitigation
27
Conclusions
  • Vulnerability analysis of wireless network
    protocols 802.16e and mobile IP specs
  • Network-based polymorphic worm signature
    generation for self-defending wireless networks

Thank You !