Selective Forwarding Attack Detecting Colluding Nodes in Wireless

Selective Forwarding Attack: Detecting Colluding Nodes in Wireless Mesh Networks Shankar Karuppayah National Advanced IPv 6 Centre (NAv 6) Universiti Sains Malaysia Network Security Workshop, February 14, 2012

Contents Introduction Problem Statement Related Work Our Proposed Mechanism Result and Analysis Conclusion and Future Work Shankar Karuppayah 2/15

Introduction Wireless mesh networks (WMNs) Self-organized Self-configured Self-healing Low up front costs Scalable Shankar Karuppayah 3/15

Introduction (cont. ) Overcome last-mile Internet access problems Advantages: ¾ Adapts to dynamic topology changes ¾ Distributed cooperation routing WMN applications: ¾ Community networking ¾ Disaster relief ¾ Surveillance and monitoring Vulnerabilities exist in WMNs ¾ Shared wireless medium ¾ Distributed architecture Shankar Karuppayah 4/15

Problem Statement Two type of attacks Passive attack Active attack Denial of service (Do. S) attacks ¾ Preventing legitimate users from accessing information, services or resources Gray Hole attack ¾ Also known as selective forwarding attack ¾ A variation from Black Hole attack Motivation of the attacks: ¾ Rational intentions Network Performance Deteriorates!!! ¾ Malicious intentions Shankar Karuppayah 5/15

Problem Statement (cont. ) Existing security solutions Cryptographic mechanisms ¾ Public/private key exchange Not entirely applicable in WMNs Decentralized network architecture Routers physically tampered or software vulnerabilities exploited The need for non-cryptographic security mechanism arises Shankar Karuppayah 6/15

Related Work Marti et al. introduce watchdog Monitoring principle in “promiscuous” mode S. Banerjee propose an algorithm to detect and remove Black/Gray Hole attackers Splits transmission data into several blocks Introduction of prelude and postlude message Shila et al. introduce Channel Aware Detection (CAD) algorithm to detect Gray Hole attackers Consider normal losses ¾ medium access collisions ¾ bad channel quality Shankar Karuppayah 7/15

CAD (Channel Aware Detection) Algorithm Methodology: S|2|0 • Channel estimation 0|V 0|2|0 0|V 1|2|1 (Dynamic detection threshold) • Hop-by-hop packet loss monitoring 2 0 1 2 Data transmission: 0|Vinto 1|V(W 2|2|0 several blocks 3|1 ) Split s 0 1 2 0 1 However… New packet types : When node forwards a packet: WMN router nodes: • PROBE packets Buffer in link acknowledgement Maintain count history CAD algorithm will notwith be able to detect an • attack thelayer event of colluding nodes Packet marking with opinion (MAC-ACK) corresponding packet sequence number and behavior parameter • Overhears downstream traffic • PROBE-ACK PROBE replies Shankar Karuppayah 8/15

Assumptions Routers have no energy constraints and have buffer of infinite size Packet drop due to: Bad channel quality Medium access collision Presence of attackers Free from general wireless attacks: Sybil attacks Jamming (signal) attacks Colluding nodes are located next to each other Route caching to mitigate overhead Nodes have authentication methods implemented Shankar Karuppayah 9/15

CAD+ Algorithm Packet Seq. No. Hash Packet Hash. Value • Source compares the filtered irregularities with the list of sent packets Retains existing features of CADpacket • Destination keeps a list of monitoring nodes 24 MN monitors data packets received and forwarded byfinal the Destination compares the reported irregularities with the list 1 … Introduction of three new packet types: When MN overhears a PROBE sent Destination, itofforwards the list … • • • Source refers the verified irregularities list totoconduct confirmation 2 43 • node Source and Destination perform hashing on sent (MN) vs monitored nodes being monitored based on the monitoring parameters received packets then replies to Source with a modified 14 46 • Prelude of irregularities (if and applicable) towards Destination. … … and received data packets respectively • PROBE-ACK MN maintains irregularities historyirregularities) • Prelude-Notify (including filtered 50 … 15 … • Prelude-Ack 14 … 46 … Monitored Node Packet Seq. No. Hash Value Irregularity Type Count > COUNT_THRESH ? v 2 15 50 Interval > INTERVAL_THRESH? v 2 34 v 2 Node Intermediate v 0 14. 9 47 Injection 22. 8 35 Dropping Irregularity Type 35. 6 3 2 Alteration Irregularities which are monitored by MN 2 6 1 Injection v 2 1 1 Dropping 1 4 Dropping v 1 2 … Monitored Node… v 14 2 15 Source 16 v 2 Interval Alteration v 0 3 Packet Seq. No. v 2 55 Count … v 2 …S Timestamp Packet Seq. No. Hash Value Verified 24 Irregularities List 43 … Timestamp Packet Seq. Hash No. … Value 15 46 50 14. 9 34 33 Monitored 69 45 Node … 61 v 2… 47 31 35 Irregularity Type Alteration 22. 8 Next Hop v 3 Alteration Incoming Outgoing 35. 0 Counter Dropping Counter 44. 2 Injection 10 5 Hashed Sent Packets which are monitored Irregularities MN 2 Monitoringby Parameters Hash Value 15 33 47 16 69 33 … 35 … … … … Hashed … Received Packets … 34 … 14 … 46 15 33 … … 45 null 34 24 35 … … … 33 … …. . . 46 … … 38 … … 60 17 45 31 61 35 46 … … 38 MNID … … MN 0 60 17 Next Monitoring Hashed Sent Packets (time) Hashed Received Packets v 0 MN 1 v 1 MN 2 v 2 34. 30 MNbe 3 reliable *MNx is not colluding but may not Shankar Karuppayah Monitored Node v 3 Monitoring Node Vs Monitored Node Pair 10/15

Detection of Threats detected (colluding nodes): Gray Hole attack ¾ Selectively drops packet Packet Injection ¾ Fabricates packet towards Destination node Packet Alteration ¾ Node alters a received packet (bit or data manipulation) Bad Mouthing Attack ¾ Framing an innocent node Stealthy attacks by colluding nodes!!! Shankar Karuppayah 11/15

Result and Analysis Packet delivery ratio comparison with colluding selective dropping rate. (no channel loss) Parameters Simulator Ns Nodes 60 Simulation Time (seconds) 500 Warm Up Period (seconds) 50 Attacker Nodes (random) 30% Source Pairs Shankar Karuppayah Value 2 12/15

Result and Analysis (cont. ) Packet delivery ratio comparison with channel loss rate. Colluding selective dropping attacks present. Parameters Simulator Ns Nodes 60 Simulation Time (seconds) 500 Warm Up Period (seconds) 50 Channel Error Nodes (random) 30% Attacker Nodes (random) 30% Source Pairs Shankar Karuppayah Value 2 13/15

Result and Analysis (cont. ) Average detection rate of Gray Hole attackers with respect to simulation time. Parameters Simulator Ns Nodes 60 Simulation Time (seconds) 500 Warm Up Period (seconds) 50 Normal Channel Loss Rate 10% Channel Error Nodes (random) 30% Source Pairs Shankar Karuppayah Value 2 14/15

Conclusion and Future Work Developed a detection algorithm CAD+ which: Integrates CAD with neighborhood monitoring feature Enables detection and isolation of colluding Gray Hole attackers Detects other variation of colluding attacks: ¾ Packet alteration ¾ Packet injection ¾ Packet dropping Future Work: Investigate possibilities of mobile MN Incentives for MN to encourage cooperation Extend CAD+ to detect other network layer attacks Shankar Karuppayah 15/15

References Sergio Marti, T. J. Giuli, Kevin Lai, and Mary Baker. Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of the 6 th annual international conference on Mobile computing and networking, Mobi. Com ’ 00, pages 255– 265, New York, NY, USA, 2000. Sukla Banerjee. Detection/Removal of Cooperative Black and Gray Hole Attack in Mobile Ad-Hoc Networks. In Proceedings of the World Congress on Engineering and Computer Science 2008, WCECS ’ 08, October 22 - 24, 2008, San Francisco, USA, Lecture Notes in Engineering and Computer Science, pages 337– 342. Newswood Limited, 2008. D. M. Shila, Yu Cheng, and T. Anjali. Mitigating selective forwarding attacks with a channel-aware approach in WMNS. Wireless Communications, IEEE Transactions on, 9(5): 1661 – 1675, May 2010. Shankar Karuppayah 16/15