SEcure resilieNt tacticAL mobile ad hoc networks
Faculty: David Tipper and Prashant Krishnamurthy
Students: Thaier Hayajneh, Tae-Hoon Kim, Siriluck Tipmongkonsilp, Razvi Doouman, and Korporn Panyim
A collection of communicating nodes – that self-configure
Nodes are mobile – having differing capabilities
Communicate over wireless links in multi-hop peer to peer fashion (no fixed infrastructure)
Participants: UC-Davis (lead), UC-Riverside, UC-Santa Barbara, UC-Irvine, BYU
Network: Proactive, Reactive
MAC: Contention-free, contention-based
Physical: 802.11, Proprietary
ARSENAL Project
Critical Research Issue: How can one increase the security and resilience of tactical mobile ad hoc networks (MANETs)?
Why Important?
– Tactical MANETs are an important part of military communications infrastructure
– Operate in an open, un-trusted environment
– Face a set of unique challenges: wireless channel characteristics, node mobility, and attacks
– Performing measurements via real deployments to enhance our understanding of layer dependencies and vulnerabilities in MANETs.
– Build analytical models to characterize the behavioral nuances of these networks and applications
– Design new cross layer protocols that will protect against vulnerabilities and provide the desired robustness, security, and fault-tolerance
/critical points – Developing cross layer approaches to strengthen critical points or reduce their importance (Joint with UC Irvine)
Security – Detecting & mitigating the effects of cryptographic resistant attacks
» Wormholes
» Packet Dropping/Jamming
Analysis Techniques for MANETs – Verifying/improving with UC Davis test-bed data
Alternate routes with spare capacity between communication
partners
In MANETs, robustness is a challenge
Connectivity in MANETs
Topological connectivity is a prerequisite to applying many robustness techniques (e.g., hot standby connection)
Want highly connected network
– k-connectivity: every pair of nodes has k node disjoint paths
– The probability that the network is k-connected is less than or equal to the probability that the minimum node degree is greater than or equal to k

$$P(\text{network is } k\text{-connected}) \le P(d_{\min} \ge k)$$
Many papers on examining power level, node density, etc., effects on connectivity
– Asymptotic results under idealized assumptions (e.g., identical nodes with UDG propagation, etc.)
» Typically use P(dmin > k) as a proxy for k-connectivity
Minimum node degree does not guarantee k-connectivity, especially in sparse networks
– Necessary condition, not sufficient
Example
– 1000 random connected topologies with 75, 100, 125, 150, and 175 nodes in 1500x1500 m², identical nodes each with 250 m range, 95% confidence intervals on results
k = 3
connectivity due to existence of critical points in topology
Critical points: bridge links and articulation nodes
Bridge link D-E
Articulation node D
• Can we develop an algorithm to identify these critical/weak
points in the topology?
• How one defines critical points depends on number of disjoint
paths desired
Critical Point Identification Algorithm
Use results from algebraic graph theory to develop critical point identification algorithm
– Multiplicity of the zero eigenvalue of the Laplacian matrix of a graph is equivalent to the number of connected components in the graph [C. Godsil and G. Royle, Algebraic Graph Theory, 2001]
– Laplacian is L(t) = D(t) – A(t) where D(t) is the diagonal matrix of node degrees and A(t) is the adjacency matrix
Steps of Algorithm
1. Test point is chosen to check its critical status
2. Eliminate test point i from the adjacency matrix A and recompute the nodal degrees in D. If i is a node then remove row i and column i from A and adjust D; if i is a link then set the appropriate link values in A to zero and adjust the nodal degrees in D
3. Compute the eigenvalues of the Laplacian matrix L.
4. If there exists more than one zero among the Laplacian eigenvalues then i is a critical point, otherwise i is not critical and the network is still connected
5. Choose next test point and go back to step 2
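The steps above as an added Python example (not code from the slides): every node and every link is removed in turn and the zero eigenvalues of L = D – A are counted. The Jacobi eigenvalue routine, the function names and the 7-node topology are assumptions made for this illustration.

```python
import math

def sym_eigenvalues(M, sweeps=60):
    """Eigenvalues of a symmetric matrix by cyclic Jacobi rotations (pure Python)."""
    A, n = [row[:] for row in M], len(M)
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(i)) < 1e-24:
            break
        for p in range(n):
            for q in range(p + 1, n):
                b, d = A[p][q], A[q][q] - A[p][p]
                if abs(b) < 1e-15:
                    continue
                t = math.pi / 4 if d == 0 else 0.5 * math.atan(2 * b / d)
                c, s = math.cos(t), math.sin(t)
                for k in range(n):     # A <- A J   (columns p, q)
                    x, y = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * x - s * y, s * x + c * y
                for k in range(n):     # A <- J^T A (rows p, q)
                    x, y = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * x - s * y, s * x + c * y
    return sorted(A[i][i] for i in range(n))

def components(adj):
    """Steps 3-4: multiplicity of eigenvalue 0 of L = D - A = number of components."""
    L = [[sum(r) if i == j else -v for j, v in enumerate(r)] for i, r in enumerate(adj)]
    return sum(1 for ev in sym_eigenvalues(L) if abs(ev) < 1e-8)

def drop_node(adj, i):                 # step 2, node case: remove row i and column i
    return [[v for c, v in enumerate(r) if c != i] for k, r in enumerate(adj) if k != i]

def drop_link(adj, i, j):              # step 2, link case: zero both entries of A
    cut = [row[:] for row in adj]
    cut[i][j] = cut[j][i] = 0
    return cut

def critical_points(links):
    """Steps 1-5 over every node and link; returns (articulation nodes, bridge links)."""
    names = sorted({n for link in links for n in link})
    idx = {name: k for k, name in enumerate(names)}
    adj = [[0] * len(names) for _ in names]
    for a, b in links:
        adj[idx[a]][idx[b]] = adj[idx[b]][idx[a]] = 1
    nodes = [n for n in names if components(drop_node(adj, idx[n])) > 1]
    bridges = [(a, b) for a, b in links if components(drop_link(adj, idx[a], idx[b])) > 1]
    return nodes, bridges

# Constructed topology (not the slide's figure): triangles A-B-C and E-F-G joined via D.
LINKS = [("A", "B"), ("A", "C"), ("B", "C"), ("B", "D"), ("C", "D"),
         ("D", "E"), ("E", "F"), ("E", "G"), ("F", "G")]
```

On this topology `critical_points(LINKS)` reports D and E as articulation nodes and D-E as the only bridge link.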
Numerical Results
100 connected uniformly distributed network topologies with different number of nodes in 1500x1500 m² for Figure 1
Average number of single critical points decreases when the network is denser, while average node degree and the number of disjoint paths increase
Mobility effects
– 3 different scenarios over 1000 seconds of simulation time using RWP
– 125 nodes over 1500x1500 m²
– Snapshots every 100 seconds
– Count number of critical points in each snapshot
– Figure shows number of critical points varies over time
Figure 1. Average number of critical points
Numerical Results
Effect of limited information
– Use H hop local information to determine critical point
– Algorithm same – reduced L matrix
Example
– Node A is a critical node when H is 3 (false positive)
– Node A is not a critical node when global information is used
100 connected topologies examined for k = 3, 4, 5, and 6 in 50, 65, 75, 85, 100, and 125 nodes in 1500x1500 m²
False Positive decreases as H value increases
Current/Planned Robustness Work
– Adaptive/incremental computation
– Extending approach to asymmetric links
– Incorporation of cross layer info into critical point detection – like ETX, signal strength, etc.
– Developing techniques to strengthen critical points or reduce their importance – increase/decrease power – reposition nodes to provide alternate path
point, etc
Security Work
A physical wormhole is a connection between two physical locations in the network controlled by an adversary
– Attracts traffic flow due to appearance of short route
S: sender node; D: destination; M1 and M2 are the transceivers of the wormhole link
Initial Accomplishments in Security
Wormhole Attack
– Developed “DeWorm”, a simple protocol to effectively detect physical wormhole attacks.
» Does not need any special hardware, location or synchronization requirements.
» Extensive simulations showing effectiveness, overhead, etc.
Overhead Idea
Step 1 – Node S wants to communicate with node D and the shortest path provided by some standard routing protocol is (S-A-B-C-E-D)
Step 2 – The sender will discover all his one-hop neighbors by broadcasting a "hello" message.
Step 3 – The one-hop neighbors (A, 1, 2, 3) of the sender will hear the hello message and will reply to the sender
Step 4 – S will ask nodes 1, 2, and 3 to find a route to the target node, in this case node B, which does not go through any node from the one-hop neighbors
– The neighbors will reply with their route length (4, 2, and 2). The sender will pick the longest route as the selected route.
Step 5 – If the number of hops of the selected route minus 2 hops is greater than the sensitivity parameter (chosen as 2 in this example) then the sender will assume that a wormhole is detected. In this example the selected route minus 2 will be 4 - 2 = 2, which is not greater than the sensitivity parameter. Thus, no wormhole is detected.
Step 6 – The next hop, node A, will become the new "sender" (there is now a new target as well: C)
Step 7 – Steps numbered 2 to 6 will be repeated by the new sender until either a wormhole is detected or the destination node is reached (i.e., the sender node becomes the last node on the route before the destination D)
Node A will pick nodes 3 and 4. The length of the routes will be 4 and 2. Again the wormhole is not yet detected
Node B (which is within the transmission range of M1) becomes the new sender; the new target now is node E.
Node B will ask its neighbors, nodes 4, 6, 7, 8, 9, 10, to find a route to node E. The selected route will be from node 4; the length of the route is 11. Thus we have 11 – 2 = 9 > 2: wormhole is detected
Why did DeWorm work?
Nodes at M2 side were all avoided – wormhole link will never be used
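Steps 2 to 7 as an added Python example (not the DeWorm authors' code), run over a constructed topology in which a wormhole makes B and 4 appear to be one-hop neighbors of C and 5. The node layout, the function names and the handling of a neighbor that finds no qualifying route (it sends no reply) are assumptions of this sketch.

```python
from collections import deque

def hops(adj, src, dst, banned):
    """BFS hop count from src to dst that never enters a banned node (None if no route)."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in adj[node]:
            if nxt not in seen and nxt not in banned:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def deworm(adj, route, sensitivity=2):
    """Steps 2-7 along the route; returns [(sender, target, selected, detected), ...]."""
    trace = []
    for i in range(len(route) - 2):            # stop at the last node before D
        sender, next_hop, target = route[i:i + 3]
        one_hop = adj[sender]                  # steps 2-3: hello and replies
        lengths = []
        for nb in one_hop - {next_hop}:        # step 4: ask the other neighbours
            d = hops(adj, nb, target, (one_hop | {sender}) - {nb})
            if d is not None:                  # assumption: no reply when no such route exists
                lengths.append(d)
        selected = max(lengths, default=None)  # sender keeps the longest reply
        detected = selected is not None and selected - 2 > sensitivity   # step 5
        trace.append((sender, target, selected, detected))
        if detected:
            break
    return trace

def build(links):
    """Adjacency sets from a string of 'X-Y' pairs."""
    adj = {}
    for a, b in (pair.split("-") for pair in links.split()):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

# Constructed topology: two clusters whose only real connection is the chain p1..p6.
REAL = ("S-A S-1 S-2 A-B A-3 1-3 2-3 2-4 3-B 3-4 B-4 2-p1 4-p1 "
        "p1-p2 p2-p3 p3-p4 p4-p5 p5-p6 p6-6 6-E 6-D 5-C 5-E C-E E-D")
WORMHOLE = "B-C B-5 4-C 4-5"    # M1 is heard by B and 4, M2 by C and 5
ROUTE = ["S", "A", "B", "C", "E", "D"]
```

Calling `deworm(build(REAL + " " + WORMHOLE), ROUTE)` finds nothing at senders S and A and flags the wormhole at sender B, where the longest alternate route has to cross the real chain.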
Initial Accomplishments in Security
Malicious Packet Drops/Jamming
– Developed model to diagnose causes of packet loss in 802.11 networks
» Distinguishes between collisions, channel error and malicious behavior
» Ongoing work extending this to include buffer overflows
» Simulations to evaluate the effectiveness
» Paper to appear in Proceedings of ICC 2009
– Collected preliminary measurements on jamming 802.11 with signal generator
Causes of Packet Loss in Ad Hoc Networks
– Collisions
– Channel Error
– Buffer overflow
– Malicious dropping
“Modeling Dynamic Behavior for Mobile Ad-Hoc Networks”
Performance of MANETs normally relies on standard simulators using steady-state statistical analysis
Issues of accuracy and scalability on standard simulation tools (ns2, Qualnet, etc)
New approach: Analytical based performance model
– Focus on both time-varying and steady state behavior
model (i.e., mobility model, traffic patterns, etc)
( )( ) ( ) ( ) 1 ( )
,
• Fluid flow model to represent network queues
• Analytical approach accurate in comparison to simulation model and enables the scalable study of the dynamics of MANET behavior
• Currently trying to validate with measurements from UC-Davis
– Actively encouraging collaboration across the universities (hosting group meeting at Pitt in April)
Pitt focus
– Robustness
» Topological connectivity
– Security
– Modeling
» Network Layer performance
Dynamic Data Driven Defense Mechanisms for Cybersecurity
NSF exploratory project with J. Joshi and P. Krishnamurthy
Problem
– How to defend against large scale distributed DOS attacks and intrusions
Technical Approach
– Collaborative adaptive defense infrastructure
» Place Sentinels throughout network
» Sentinels watch traffic (probabilistic inspection of packets) for anomalies
» Sentinels collaborate to deploy packet filtering firewalls based on observed data
» Dynamically redeploy Sentinels based on data
MiMANSaS: Metrics, Models and Analysis of Network Security and Survivability, NSF CT-ER Grant
NSF Cybertrust Exploratory Grant with Kishor Trivedi - Duke University and Deep Medhi - University of Missouri
Problem
– How to measure and model Information Security/Assurance levels?
– Can one evaluate tradeoffs between levels of IA, performance and cost
Technical Approach
– Develop a unified set of dependability and security metrics and associated modeling framework.
– Unify attack graphs and fault trees into a common scalable framework with a well defined set of metrics and application scenarios.
– Extend the basic model to include state information, stochastic properties and rewards via Markov chain models
Other Research Interests
1. Network Design and Survivability
– Multi-layer survivable network design
– Risk based approaches to survivable design
– Resilient Infrastructure Protection
2. Network Control and Traffic Engineering
– Signaling overload control
– Traffic restoration protocols
4. Information Assurance