Network-based Intrusion Detection, Prevention and Forensics System - PowerPoint PPT Presentation

Network-based Intrusion Detection, Prevention and Forensics System. Yan Chen, Department of Electrical Engineering and Computer Science, Northwestern University – PowerPoint PPT presentation

Number of Views:145
Avg rating:3.0/5.0
Slides: 29
Provided by: YanC161
Category:

less

Transcript and Presenter's Notes

Title: Network-based Intrusion Detection, Prevention and Forensics System


1
Network-based Intrusion Detection, Prevention and
Forensics System
  • Yan Chen
  • Department of Electrical Engineering and Computer
    Science
  • Northwestern University
  • Lab for Internet Security Technology (LIST)
  • http://list.cs.northwestern.edu

2
The Spread of Sapphire/Slammer Worms
3
Current Intrusion Detection Systems (IDS)
  • Mostly host-based and not scalable to high-speed
    networks
  • Slammer worm infected 75,000 machines in <10 mins
  • Host-based schemes inefficient and user dependent
  • Have to install IDS on all user machines!
  • Mostly simple signature-based
  • Cannot recognize unknown anomalies/intrusions
  • New viruses/worms, polymorphism

4
Current Intrusion Detection Systems (II)
  • Cannot provide quality info for forensics or
    situational-aware analysis
  • Hard to differentiate malicious events from
    unintentional anomalies
  • Anomalies can be caused by network element
    faults, e.g., router misconfiguration, link
    failures, etc., or application (such as P2P)
    misconfiguration
  • Cannot tell the situational-aware info: attack
    scope/target/strategy, attacker (botnet) size,
    etc.

5
Network-based Intrusion Detection, Prevention,
and Forensics System
  • Online traffic recording
  • SIGCOMM IMC 2004, INFOCOM 2006, ToN to appear
  • Reversible sketch for data streaming computation
  • Record millions of flows (GB traffic) in a few
    hundred KB
  • Small number of memory accesses per packet
  • Scalable to large key space size (2^32 or 2^64)
  • Online sketch-based flow-level anomaly detection
  • IEEE ICDCS 2006; IEEE CGA, Security
    Visualization '06
  • Adaptively learn the traffic pattern changes
  • As a first step, detect TCP SYN flooding,
    horizontal and vertical scans even when mixed
  • Online stealthy spreader (botnet scan) detection
  • IWQoS 2007
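
The sketch idea on this slide, as an added Python example that is not the LIST code: a plain k-ary sketch (not the reversible sketch, so it can estimate any key's count in constant memory but cannot list the heavy keys by itself) counting SYNs per destination over two epochs and flagging a heavy change; the destinations, counts and the flooded address are constructed sample data.

```python
import hashlib
import statistics

H, K = 5, 1024  # 5 tables x 1024 counters: a few KB of state whatever the number of flows

def bucket(key, i):
    """Bucket of `key` in table i: the key is salted with the table number before hashing."""
    digest = hashlib.blake2b(f"{i}:{key}".encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % K

class KarySketch:
    """Sum-of-hashes sketch: H counter updates per packet, independent of key-space size."""
    def __init__(self):
        self.tables = [[0] * K for _ in range(H)]
        self.total = 0

    def update(self, key, value=1):
        for i in range(H):
            self.tables[i][bucket(key, i)] += value
        self.total += value

    def estimate(self, key):
        # k-ary estimate: subtract the expected share of the other keys in the bucket,
        # rescale, and take the median over tables to suppress hash collisions
        per_table = [(t[bucket(key, i)] - self.total / K) / (1 - 1 / K)
                     for i, t in enumerate(self.tables)]
        return statistics.median(per_table)

def heavy_changes(prev, curr, keys, threshold):
    """Keys whose estimated SYN count grew by more than `threshold` between two epochs."""
    return {k for k in keys if curr.estimate(k) - prev.estimate(k) > threshold}

def build_epochs():
    """Constructed sample: 200 destinations with the same modest SYN counts in both
    epochs, plus a 500-SYN flood on 10.0.0.99 in the second epoch."""
    baseline = {f"10.0.0.{i}": i % 7 + 1 for i in range(200)}
    prev, curr = KarySketch(), KarySketch()
    for dst, syns in baseline.items():
        prev.update(dst, syns)
        curr.update(dst, syns)
    curr.update("10.0.0.99", 500)
    return prev, curr, set(baseline)

if __name__ == "__main__":
    prev, curr, keys = build_epochs()
    print(heavy_changes(prev, curr, keys, threshold=100))  # {'10.0.0.99'}
```

The query loop over `keys` is exactly what a reversible sketch removes: it recovers the heavy-change keys from the sketch itself instead of needing a candidate list.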

6
Network-based Intrusion Detection, Prevention,
and Forensics System (II)
  • Polymorphic worm signature generation and detection
  • IEEE Symposium on Security and Privacy 2006
  • IEEE ICNP 2007 to appear
  • Accurate network diagnostics
  • ACM SIGCOMM 2006; IEEE INFOCOM 2007
  • Scalable distributed intrusion alert fusion w/
    DHT
  • SIGCOMM Workshop on Large Scale Attack Defense
    2006
  • Large-scale botnet and P2P misconfiguration event
    forensics (work in progress)

7
System Deployment
  • Attached to a router/switch as a black box
  • Edge network detection particularly powerful

[Figure: deployment options: original configuration; monitor each port separately; monitor aggregated traffic from all ports]
8
Vulnerability Analysis for WiMAX Networks
  • Yan Chen, Hai Zhou
  • Dept. of Electrical Engineering and Computer
    Science
  • Northwestern University

  • Z. Judy Fu, Motorola Labs
9
The Current Threat Landscape and Countermeasures
of WiMAX Networks
  • WiMAX: next wireless phenomenon
  • Predicted multi-billion dollar industry
  • WiMAX faces both Internet attacks and wireless
    network attacks
  • E.g., 6 new viruses, including Cabir and Skulls,
    with 30 variants targeting mobile devices
  • Goal: secure WiMAX networks through intrusion
    prevention/detection
  • Big security risks for WiMAX networks
  • No formal analysis about WiMAX security
    vulnerabilities

10
Our Approach
  • Vulnerability analysis of various layers
  • Focus on 802.16e specs (WiMAX standards) and
    mobile IP v4/6 protocols so far
  • Intelligent and complete checking through a combo
    of manual analysis and auto search through formal
    methods
  • First, manual analysis provides hints and the right
    level of abstraction for auto search
  • Then specify the specs and potential capabilities
    of attackers in a formal language TLA (the
    Temporal Logic of Actions)
  • Then model check for any possible attacks

11
Mobile IPv6 (RFC 3775)
  • Provides mobility at IP Layer
  • Enables IP-based communication to continue even
    when the host moves from one network to another
  • Host movement is completely transparent to Layer
    4 and above

12
Mobile IPv6 - Entities
  • Mobile Node (MN): Any IP host which is mobile
  • Correspondent Node (CN): Any IP host
    communicating with the MN
  • Home Agent (HA): A host/router in the Home
    network which
  • Is always aware of MN's current location
  • Forwards any packet destined to MN
  • Assists MN to optimize its route to CN

13
Mobile IPv6 - Process
  • (Initially) MN is in home network and connected
    to CN
  • MN moves to a foreign network
  • Registers new address with HA by sending Binding
    Update (BU) and receiving Binding Ack (BA)
  • Performs Return Routability to optimize route to
    CN by sending HoTI, CoTI and receiving HoT, CoT
  • Registers with CN using BU and BA

14
Mobile IPv6 in Action
[Figure: Mobile Node in the Foreign Network, Home Agent in the Home Network, Correspondent Node across the Internet; messages shown: BU/BA with the Home Agent, HoTI/CoTI and HoT/CoT for Return Routability, then BU/BA with the Correspondent Node]
15
Mobile IPv6 Vulnerability
  • Nullifies the effect of Return Routability
  • BA with status codes 136, 137 and 138 unprotected
  • Man-in-the-middle attack
  • Sniffs BU to CN
  • Injects BA to MN with one of status codes above
  • MN either retries RR or gives up route
    optimization and goes through HA

16
MIPv6 Attack In Action
[Figure: message sequence among MN, HA, AT (attacker) and CN: Start; Return Routability (HoTI, CoTI, HoT, CoT); Bind Update (sniffed by AT along the way); Bind Ack spoofed by AT; Return Routability again; Bind Ack; Bind Ack]
  • Only need a wireless network sniffer and a
    spoofed wired machine (no MAC needs to be
    changed!)
  • Bind ACK often skipped by CN

17
MIPv6 Vulnerability - Effects
  • Performance degradation by forcing communication
    through sub-optimal routes
  • Possible overloading of HA and Home Link
  • DoS attack, when MN repeatedly tries to complete
    the return routability procedure
  • Attack can be launched to a large number of
    machines in their foreign network
  • Small overhead for continuously sending spoofed
    Bind ACK to different machines
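
The weakness on slides 15 to 17 from the mobile node's side, as an added Python example (a hypothetical design, not the authors' code or the MIPL stack): a Binding Ack handler that verifies protected BAs with a simplified Binding Authorization Data MAC, treats an unprotected "nonce expired" BA as suspicious when the RR tokens are younger than RFC 3775's MAX_TOKEN_LIFETIME, and bounds the RR retry loop so a stream of spoofed BAs cannot keep the MN re-running Return Routability; addresses, Kbm and timestamps are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# BA status codes RFC 3775 allows a CN to send without a Binding Authorization Data option
NONCE_EXPIRED = {136, 137, 138}
MAX_TOKEN_LIFETIME = 210  # seconds a keygen token stays usable after HoT/CoT (RFC 3775)

@dataclass
class PendingBU:
    seq: int                   # sequence number used in the Binding Update to this CN
    tokens_received_at: float  # when HoT/CoT delivered the nonce indices and tokens
    kbm: bytes                 # binding management key derived from the RR tokens

@dataclass
class MNBindingMonitor:
    """Mobile-node side checks on Binding Acks from correspondent nodes (hypothetical)."""
    max_unauth: int = 3
    pending: dict = field(default_factory=dict)       # cn -> PendingBU
    unauth_count: dict = field(default_factory=dict)  # cn -> unprotected BAs seen
    alerts: list = field(default_factory=list)

    def send_bu(self, cn, seq, tokens_received_at, kbm):
        self.pending[cn] = PendingBU(seq, tokens_received_at, kbm)

    def auth_data(self, cn, status, seq, kbm):
        # Simplified Binding Authorization Data: first 96 bits of HMAC-SHA1 under Kbm
        msg = f"{cn}|{status}|{seq}".encode()
        return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]

    def handle_ba(self, cn, status, seq, auth, now):
        """Return the MN's decision: 'accept', 'retry_rr', 'fallback_ha' or 'drop'."""
        bu = self.pending.get(cn)
        if bu is None or seq != bu.seq:
            return "drop"                      # no outstanding BU this BA could answer
        if auth is not None:                   # protected BA: the MAC decides
            if not hmac.compare_digest(auth, self.auth_data(cn, status, seq, bu.kbm)):
                self.alerts.append((cn, "bad authorization data"))
                return "drop"
            return "accept" if status == 0 else "retry_rr"
        if status not in NONCE_EXPIRED:
            return "drop"                      # unprotected BA with a status the spec protects
        # Unprotected 'nonce expired' BA: legal per spec, but spoofable (the slide's attack)
        if now - bu.tokens_received_at < MAX_TOKEN_LIFETIME:
            self.alerts.append((cn, "nonce-expired BA while tokens still fresh"))
        n = self.unauth_count[cn] = self.unauth_count.get(cn, 0) + 1
        if n >= self.max_unauth:               # bound the RR retry loop the DoS relies on
            self.alerts.append((cn, "repeated unprotected BAs; falling back to HA"))
            return "fallback_ha"
        return "retry_rr"
```

Falling back to the HA path costs the sub-optimal route the slide describes, but it caps the attacker's per-victim effect at `max_unauth` RR rounds and leaves an alert trail for forensics.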

18
TLA Analysis and Experiments
  • With the spec modeled in TLA, the TLC search
    gives two other similar attacks w/ the same
    vulnerability
  • Complete the search of vulnerabilities w/
    unprotected messages
  • Implemented and tested in our lab
  • Using Mobile IPv6 Implementation for Linux (MIPL)
  • Tunnel IPv6 through IPv4 with Generic Routing
    Encapsulation (GRE) by Cisco
  • When the attack is in action, MN repeatedly tries to
    complete the return routability procedure: DoS
    attack!

19
Extensible Authentication Protocols (EAP)
  • Authentication method layer: EAP-TTLS, EAP-SIM,
    EAP-AKA, EAP-TLS, PEAP, EAP-FAST
  • EAP layer: Extensible Authentication Protocol
    (EAP), EAP over LAN (EAPOL)
  • Data link layer: 802.16, CDMA, PPP, 802.3
    Ethernet, 802.5 Token Ring, 802.11 WLAN, GSM
20
Extensible Authentication Protocols (EAP)
  • EAP is an authentication framework
  • Support about 40 different EAP methods
  • Current targets
  • EAP-SIM for GSM cellular networks
  • EAP-AKA for 3G networks, such as UMTS and
    CDMA2000
  • EAP-FAST (Flexible Authentication via Secure
    Tunneling)
  • Most comprehensive and secure EAP method for WLAN
  • Will compare it w/ EAP-SIM and EAP-AKA

21
Insider Attack Analysis
  • Not hard to become a subscriber
  • Can five subscribers bring down an entire WiMAX
    network?
  • Check vulnerability after authentication
  • Plan to analyze various layers of WiMAX networks
  • IEEE 802.16e MAC layer
  • Mobile IP v4/6 network layer
  • EAP layer

22
802.16e SS Init Flowchart
23
Work Done
24
Future work
25
Outline
  • Overview of Network Intrusion Detection,
    Prevention and Forensics System
  • Case Study Vulnerability analysis of the MIP v6
    system
  • Student recruiting

26
Northwestern Lab for Internet and Security
Technology (LIST)
  • About Northwestern Univ.
  • US News and World Report: overall ranking 14,
    engineering grad school ranking 21
  • On the Michigan lake, close to Chicago downtown
  • Sponsors for LIST
  • Department of Energy (Early CAREER Award)
  • Air Force Office of Scientific Research (Young
    Investigator Award)
  • National Science Foundation
  • Microsoft Research
  • Motorola Inc.

27
Recruiting Ph.D. Students
  • Bachelor in Computer Science or Computer
    Engineering
  • Research experience a big plus
  • TOEFL
  • GRE
  • Strongly motivated in independent research
  • Feel free to talk to me after the talk

28
? ? ?