Outline
• Past Research: Intrusion Prevention for MANET
– Intrusion Detection for MANET
– Automatic Response for MANET
• Current NSC Research
– Intrusion Prevention for VANET
– Botnet Research
– Web application Defense
– Botnet Communication Detection
• Work Experience:
– McAfee IntruShield: Packet and Thread analysis, DDoS Defense
– Cisco IOS OSPF DE: Role of Cisco DE, Major IOS OSPF features
– Telcordia Applied Research: Vehicular Network Application Platform
Intrusion Prevention Overview
• Intrusion Prevention
– Intrusion Detection + Automatic Response
• Intrusion Detection
– Threat and Vulnerability Analysis
– Detection Approach
– Alarm and Recovery
• Automatic Response
– Cooperative Response
– Cost Sensitive Response
Intrusion Prevention for MANETs
• Specification based Intrusion Detection
• DEMEM:
– Distributed Evidence-driven Message Exchanging Model for intrusion detection in MANETs
• Automatic Response System (ARS) for MANETs
– Intrusion Prevention = IDS + ARS
• Three publications in top IDS symposium
– RAID, Recent Advances in Intrusion Detection
Threats in MANET
• Fundamental Assumptions of MANET
– Nodes are cooperative
– Nodes are honest
• Vulnerable characteristics
– Wireless channel
– Mobile dynamic network topology
– Fully distributed environment
MANET Routing Attack Model
• Drop packets
– Limited damage
– Detect by trained statistical profile
• Forge forwarded routing message
– Including forged identity
– Public key based authentication can prevent it
• Forge originated routing message
– Difficult to detect due to mobility
– This is our target
Intrusion Detection Approaches
• Signature based detection
– Known attack patterns
– “0” day detection
• Statistical based detection
– Data mining
– Statistical profile
• Anomaly based detection
– Detection by rules or policies
Specification based Approach
• Describe normal behavior of target protocol
• Point out vulnerable message fields
• Demonstrate potential attack methods
• Develop detection engines to prevent attacks
• Develop distributed message exchange framework
Optimized Link State Routing (OLSR)
• Link state routing: Similar to OSPF
• Multipoint Relays (MPR)
– Subset of 1-hop neighbors reaching all 2-hop neighbors
– Reduce flooding packets
[Figure: MPR example with nodes A, B, C and D. Labels: “MPR of A”; “MPR selector of B, C and D”]
Routing Attack Methods in OLSR
• Attacker is message originator
– Forge 1-hop neighbors in a Hello
– Forge MPRs in a Hello
– Forge MPR selectors in an initiated TC
• Attacker is message forwarder
– Forge MPR selectors in a forwarded TC
Detection Constraints
• First constraint (C1): Neighbors in Hello messages must be reciprocal
• Second constraint (C2): MPRs must reach all 2-hop neighbors
• Third constraint (C3): MPR selectors must match corresponding MPRs
• Fourth constraint (C4): Fidelity of forwarded TC messages must be maintained
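As an added illustration (not code from the slides), the Python checker below applies C1 to C4 to Hello and TC messages collected from a constructed five-node topology; the message layout and node names are assumptions, and the forged case shows a node D that announces a link that does not exist and claims an MPR selector that no Hello supports.

```python
def nbrs_of(hello, m):
    return hello[m]["nbrs"] if m in hello else set()

def two_hop_set(hello, n):
    """2-hop neighbors of n as announced in its 1-hop neighbors' Hellos."""
    nbrs = nbrs_of(hello, n)
    return set().union(*(nbrs_of(hello, m) for m in nbrs)) - nbrs - {n}

def check_c1(hello):
    """C1: every neighbor link announced in a Hello must be announced back."""
    return {(n, m) for n, h in hello.items() for m in h["nbrs"]
            if n not in nbrs_of(hello, m)}

def check_c2(hello):
    """C2: MPRs must be 1-hop neighbors that together cover all 2-hop neighbors."""
    bad = {}
    for n, h in hello.items():
        covered = set().union(*(nbrs_of(hello, m) for m in h["mprs"]))
        missing = (two_hop_set(hello, n) - covered) | (h["mprs"] - h["nbrs"])
        if missing:
            bad[n] = missing
    return bad

def check_c3(hello, tc):
    """C3: selectors claimed in n's TC must equal the nodes whose Hellos list n as MPR."""
    bad = {}
    for n, selectors in tc.items():
        real = {m for m, h in hello.items() if n in h["mprs"]}
        if selectors != real:
            bad[n] = (selectors - real, real - selectors)  # (forged, dropped)
    return bad

def check_c4(originated_tc, forwarded_tc):
    """C4: a forwarded TC must carry the originator's selector set unchanged."""
    return {n: (orig, forwarded_tc[n]) for n, orig in originated_tc.items()
            if n in forwarded_tc and forwarded_tc[n] != orig}

# Constructed honest topology: A-B, A-C, A-D, B-E, C-E.  B, C, D pick A as MPR; A, E pick B.
HONEST_HELLO = {
    "A": {"nbrs": {"B", "C", "D"}, "mprs": {"B"}},
    "B": {"nbrs": {"A", "E"}, "mprs": {"A"}},
    "C": {"nbrs": {"A", "E"}, "mprs": {"A"}},
    "D": {"nbrs": {"A"}, "mprs": {"A"}},
    "E": {"nbrs": {"B", "C"}, "mprs": {"B"}},
}
HONEST_TC = {"A": {"B", "C", "D"}, "B": {"A", "E"}}
# Attacker D forges a link to E in its Hello and claims A as an MPR selector in a TC.
FORGED_HELLO = dict(HONEST_HELLO, D={"nbrs": {"A", "E"}, "mprs": {"A"}})
FORGED_TC = dict(HONEST_TC, D={"A"})
```

The forged Hello trips C1 on the (D, E) link and the forged TC trips C3 with A as a forged selector, while the honest messages pass all four checks.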
DEMEM Architecture (Distributed Evidence-driven Message Exchanging Intrusion detection Model)
[Figure: protocol stack of one node (Routing, Authentication, Intrusion Detection, IP) with ID messages exchanged among nodes S, A, B and C; the detector sees the outgoing message, the incoming message and the ID message for local neighbors]
Detectors validate routing messages from neighbors
Detector acts as intrusion detection layer processing ingoing & outgoing routing messages
ID Messages in OLSR
• ID-Evidence: Supply OLSR Evidence for 2-hop neighbors
• ID-Forward: Trigger selected Forwarders to send ID-Evidence
• ID-Request: Ask to resend ID-Evidence in case of message loss
[Figure: nodes S, A and B, each running an ID layer, exchanging ID-Forward, ID-Evidence and ID-Request messages]
Detection and Recovery
• Exchange routing evidence
• Detect fake routing information
• Remove fake routing info from control messages
• Recalculate correct routing table
Man in the middle Attack
[Figure: topology of nodes 1 to 8. Node 6 announces Hello(6) = {1, 5, 7, 9, 3, 8} and TC(6) = {1, 5, 7, 3, 8}; nodes 1, 5 and 7 correct their tables and send the correct TC(6) = {1, 5, 7}]
Automatic Response Models for MANETs
• Cooperative Automatic Response model
– Distributed agents exchange local alarms and raise global alarm
• Intrusion Alarm Validation
– Temporary coordinator
– An ARS Protocol that gathers local alarms and raises global alarms
– Prevent false/fake alarms
• Cost-Sensitive Intrusion Responses
Response Architecture
[Figure: mobile nodes, each with an IDS and an ARS agent]
Distributed, cooperative: each node has detection and response agents deployed
Intrusion Alarm Validation
• Local Alarm – direct observation
• AREQ (Alarm Request) – handles lost local alarm messages
• Global Alarm – indirect observation
Cost-Sensitive Approach
• Attack Damage
– Attack Damage Index (ADI)
• Response Cost
– Topology Dependency Index (TDI)
• Response Cost < Attack Damage
– Compare TDI and ADI
Adaptive Isolation
• Compare ADI with TDI
– ADI >> TDI: isolate the attacker
– ADI << TDI: relocate first and then isolate
• Adaptive Isolation
– Isolate the attacker only when ADI > 2 * TDI
– When an attacker is isolated, it loses its 2-way connection, while ADI only counts a 1-way connection
Current NSC Projects
• Intrusion Prevention for VANETs
– NCKU: 2 PhD & 2 MS students from Prof. Laih’s team
– IPS of AODV, OLSR, VADD following the work of the RAID papers
– 3 years (Co-PI), new PI will be NCKU Prof. 林輝堂
• May be reduced to 1 year due to changing PI
• Botnet
– Testbed@NCKU: 1 year (3rd year)
– Web application Defense: 1 year
– Botnet Communication Detection (new proposal)
– NTPU: 4 MS, 15 BS students, 14 PCs
Intrusion Detection for VANETs
• New detection model for VANETs
– Apply specification based approach to protect the route establishment process
• Target Protocols
– AODV, OLSR: for urban VANETs
– VADD: Protecting Intersection Mode
VANET Simulation Experiment
• VANET mobility trace generation
– MOVE
• MOVE + ns-2
– VADD: 1 PhD thesis
• MOVE + GloMoSim
– AODV: 1 PhD thesis
– OLSR: Rewriting RAID papers
AODV IPS
• Issues
– Tracing dynamic on-demand request flooding messages
– Deploying in a fully distributed environment
– Message Overhead
– False positives
– Message Delay
• Modeling IPS
– Tracing mechanism
– FSM of AODV IPS algorithm & Deployment Architecture
– Attack model & scenario
– Experiment & Overhead measurement
VADD IPS
• VADD Analysis
– LVADD
– DVADD
– HVADD
• Modeling
– Extended FSM modeling for VADD
– FSM of IPS algorithm
– Attack model scenario
– Experiment & Overhead measurement
Testbed@NCKU
• Emulab from Utah U.
– 200 nodes, freely swap in & out
– Running on the NCHC network, 3rd year project
– Having several good sample research projects
– About 10 professors getting involved
• Issues
– Closed network environment
• cannot connect to real C&C
– Not for regular fixed servers
Our solutions
• Active & passive malware collection
– Collecting latest samples from TANET & HiNet
– Building malware database & fixed testbed
• Botnet replay mechanism for testbed
– Build network replay of botnet malware
– Build test & replay tools for testbed
Passive Malware Collection
• Nepenthes
– Same as NCHC
– Running since this summer
• Current results
– No output from campus network due to IPS
– Installed HiNet DSL since October
– Two samples per day from DSL
Active Malware Collection
• Migration from NCTU NBL
– Lots of samples at NCTU beta site
– Most of them are new and not detected by anti-virus programs at first, until 1-2 weeks later
• Integrating into NTPU NSL Lab
– Spam mail module: rewrote 2/3 of the code to integrate with the NTPU spam mail database
– P2P module: cannot work on campus network due to IPS policy
• Solution: collect malware from DSL link
– Integration work will be done this month; expect lots of results
Replay botnet at Testbed@NCKU
• Build network replay of botnet malware
– Test malware at HiNet
• Build PCAP files for replay
– Differentiate botnet malware
• by active network traffic toward C&C
• Build test & replay tools for testbed
– Replay tools for PCAP files
– Replay traffic between bot & C&C
Web application Defense
• Spec based IPS for web application
– Selecting a target web application
– Dealing with XSS attacks by spec based approach
• Collect Botnet malware against web applications
• Testing Wireless Application Firewall (WAF)
– Deploy spec based IPS as rules at WAF
Botnet Communication Detection
• New NSC proposal
– Survey Guofei Gu & Wenke Lee’s works
• BotHunter, BotSniffer, BotMiner
– Based on botnet collection & analysis testbed
• C&C protocol profiling
– FSM profile of C&C protocols
• IRC botnet
• HTTP botnet
– Hybrid of rule-based and statistical profile
– Detect C&C communication in real traffic
McAfee IntruShield
• IntruVert Networks Inc.
– Invented IntruShield; established in 2000
– McAfee acquired it in 2003 for USD 100M
• Major features
– Network signature based IDS for ISPs
– Supports 4 Gbps traffic; monitors each connection
• Development teams
– Embedded System Team
– Intrusion Detection Team (IDT)
– I was in IDT during 2001.7 – 2002.6
– 2002.7 first release 1.0
Language for Intrusion Detection
• Written in XML
– Define language syntax by DTD
– Define detection behavior by XML
• Protocol Spec FSM in XML
– Define protocol header parsing state machine
– Define field names for data retrieval
• Attack Signature in XML
– Define attack patterns by protocol field names
HTTP Analysis FSM
• HTTP Message fields
– (Protocol)-(Command)-uri-path
• Valid in “In uri” state
– (Protocol)-(Command)-uri-query-params
• Valid in “In param” state
• HTTP Attack Signature
– http-req-uri-path = \.php3$
– http-req-uri-query-params = PHP_AUTH_USER=boogieman
– Whitehats ids206
• Allows login to Phorum 3.0.8 web page w/o password
SNMP Analysis FSM
• Message fields
– (Protocol)-(Command)-(Field Type)-field: Value State
– (Protocol)-(Command)-(Field Type)-length: Length State
• Attack Signature
– snmp-set-varbind-object-id-field = 1.3.6.1.2.1.1.5.0
– snmp-set-varbind-value-field-length > 256
– Buffer overflow attack against data field of SNMP MIB DB: ID = 1.3.6.1.2.1.1.5.0
[Figure: SNMP varbind encoded as Type, Length and Value fields]
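Added example, not IntruShield code: a small Python model of the protocol-spec FSM and field-name signature style described on the HTTP and SNMP slides. The FSM walks an HTTP request line through the “In uri” and “In param” states and fills named fields, and the Whitehats ids206 rule is written as conditions on those field names; the operator semantics are assumed (“=” is a regex search on the field, “>” compares the field’s length, the form the SNMP length rule uses).

```python
import re

# Signature conditions in the slides' style: (field name, operator, value).
# Assumed semantics: "=" is a regex search on the field, ">" compares the
# field's length with the value.
SIGNATURES = {
    "whitehats-ids206": [              # Phorum 3.0.8 login without password
        ("http-req-uri-path", "=", r"\.php3$"),
        ("http-req-uri-query-params", "=", r"PHP_AUTH_USER=boogieman"),
    ],
}

def parse_http_request_line(line):
    """Protocol-spec FSM for an HTTP request line: the 'command', 'in uri',
    'in param' and 'protocol' states each fill one named field."""
    fields, state, buf = {}, "command", ""
    for ch in line.rstrip("\r\n"):
        if ch == " " and state == "command":
            fields["http-req-command"], buf, state = buf, "", "in uri"
        elif ch == "?" and state == "in uri":
            fields["http-req-uri-path"], buf, state = buf, "", "in param"
        elif ch == " " and state == "in uri":
            fields["http-req-uri-path"], buf, state = buf, "", "protocol"
        elif ch == " " and state == "in param":
            fields["http-req-uri-query-params"], buf, state = buf, "", "protocol"
        else:
            buf += ch
    if state == "protocol":
        fields["http-req-protocol"] = buf
    return fields

def matches(fields, conditions):
    """A signature fires only when every condition holds on a present field."""
    for name, op, value in conditions:
        got = fields.get(name)
        if got is None:
            return False
        if op == "=" and not re.search(value, got):
            return False
        if op == ">" and not len(got) > int(value):
            return False
    return True

def scan(line):
    """Return the ids of all signatures matching one request line."""
    fields = parse_http_request_line(line)
    return sorted(sid for sid, conds in SIGNATURES.items() if matches(fields, conds))
```

Because conditions are keyed by field name, a request whose path does not end in .php3 or that carries no query string never reaches the parameter check, which is the field-level precision the XML signature language was designed for.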
Summary
• McAfee IntruShield
– Successful high speed gateway IDS
– Still available in the market
• IDS language
– Based on XML & DTD
– Describes packet header analysis behavior
• Prototype of IDS industry
– Need to improve its Intrusion Response system
Cisco IOS OSPF
• Cisco IOS
– 80% of Cisco products, 60% of high end routers
– Huge embedded system based on FreeBSD
– Pure C, single process and Heap
• OSPF
– Major routing protocol (and BGP)
• IOS OSPF
– Support major Cisco routing features
Major Feature (1)
• High Availability
– Duplicate router in hot standby
– Take over Master router without traffic loss
• Related Features
– Stateful switchover
– Non-Stop Forwarding
– IETF Graceful Restart
– Bidirectional Forwarding Detection
Major Feature (2)
• Virtual Routing Forwarding (VRF)
– Supports several virtual networks
– Separated routing tables and processes (Multi-Topology Routing (MTR))
– Work with BGP/MPLS/LDP
Cisco IOS Debug
• Network debug
– Enable necessary debugs
• Memory debug
– Single process, single heap
• Regression test
– Ensure quality of original features
• Reproduce bugs
– Difficult for customers’ bugs
Telcordia Research
• Former Bellcore
– Created from the Bell System in 1984
– 1800 US patents: caller ID, DSL, ATM, 3G
• Applied Research
– Service provider contracts
– Government projects
– Cooperate with III and ITRI
Rudolph: Telematics Application Solution
Context Aware Application Service (CAAS): CAAS provides personal tracking services to children and elders for safety reasons, such as real-time monitoring, personal mobility analysis, geo-fence protection, and behavior reports.
Core Telematics Platform (CTP): CTP is the core communication center of the Telematics system. It offers GUIs for administrators and coordinates the communications between administrators, service modules, and data sensors.
Fleet Management Application Service (FMAS): FMAS is a complete fleet management solution. It provides task management services and a communication interface. Managers can trace drivers, vehicles, and task schedules in real time.
Metro Transit Telematics Application Platform
[Figure: platform architecture. Blocks: Bus Fleet Management (Bus Tracing, Bus Arrangement, Statistics & Audit), Joint Service Agent, Bus Telematics Service Interface, 3rd Party Data Exchange, Bus Data Input, Bus Schedule Search, Service Management]
• OBD II
– Standard interface of a vehicle's self-diagnostic system
– Access state-of-health information for various vehicle sub-systems
• Implementation
– ELM 327
– Diagnosis software
• Application
– Remote vehicle health monitoring and management