Research Direction Introduction Advisor: Professor Frank Y.S. Lin Present by Hubert J.W. Wang

Research Direction Introduction

Advisor: Professor Frank Y.S. LinPresent by Hubert J.W. Wang

NTU OPLab

2

Outline

•Problem Description•Mathematical Formulation

2010/12/16

Problem Description

NTU OPLab

4

Problem Description

• Problem▫Topology information gathering▫ Jamming attack

• Environment▫ Infrastructure/Backbone WMNs

• Role▫Attacker▫Defender(Service provider)

2010/12/16

NTU OPLab

5

Defender

• Attributes▫Nodes

Base Station Mesh router(with 2 NICs) Mesh client Honeynode(with 3 NICs) Locator

Static Mobile

2010/12/16

NTU OPLab

6

Defender(cont’)

• Attributes▫Budget

Planning phase Topology planning Non-deception based

▫ General defense resource▫ Detection resource▫ Localization resource

Deception based

Defending phase Jamming mitigation Localization

▫Approximate▫Precise

2010/12/16

NTU OPLab

7

Defender(cont’)

• Strategies▫Planning phase

Deterrence Deception

▫Goal Protect BS Protect Nodes with high population Protect with high traffic Protect valuable information(ex. routing table, traffic)

2010/12/16

NTU OPLab

8

Defender(cont’)

• Strategies▫Defending phase

Population re-allocation Average population Average traffic

Priority of jammer removing Importance oriented Difficulty oriented

2010/12/16

NTU OPLab

9

Attacker

• Attributes▫Budget

Preparing phase Node compromising Jammer choosing

▫High quality jammers▫Normal jammers

▫Capability Capability of compromising nodes Capability of recognizing fake info.

2010/12/16

NTU OPLab

10

Attacker(cont’)

• Strategies▫Preparing phase

Node compromising Be aggressive Least resistance Be stealthy Easiest to find Topology extending Random

2010/12/16

NTU OPLab

11

Attacker(cont’)

• Strategies▫Preparing phase(cont’)

Jammer selection Maximize attack effectiveness Maximize jammed range

2010/12/16

NTU OPLab

12

Attacker(cont’)

• Strategies▫Attacking phase

Maximize jammed users Maximize affected traffic

2010/12/16

NTU OPLab

13

Scenario2010/12/16

Base Station

Mesh router

Honeynode

Compromised mesh routerJammed mesh router

Jammer

Attacker

Nodes with more defense resource

NTU OPLab

14

Scenario(cont’)

• For attacker▫Objective:

Service disruption▫ Incomplete information of the network▫Budget limited

• For defender▫Objective:

Maintain the quality of service▫Budget limited

2010/12/16

NTU OPLab

15

Scenario – Network Architecture2010/12/16

Base Station

Mesh router

NTU OPLab

16

I must protect Core Nodes

Scenario – Defender’s Planning Phase2010/12/16

BS

Node with high population

Base Station

Mesh router

NTU OPLab

17

Scenario – Defender’s Planning Phase(cont’)2010/12/16

Base Station

Mesh router

Honeynode

Attacker



AB

C

D

E

FG

Why didn’t the defender protect all the nodes with high population?1. Budget limited.2. The effectiveness of doing so

may not be the best.3. There are other ways to deploy

resources.

NTU OPLab

18


Base Station

Mesh router

Honeynode

Attacker



Effect of the defense resource may be:

1. Reduce the probability of being compromised

NTU OPLab

19


Base Station

Mesh router

Honeynode

Attacker




2. Prevent the attacker from getting closer to the important nodes.

NTU OPLab

20


Base Station

Mesh router

Honeynode

Attacker




3. Attract attacks to prevent it from getting close to the important nodes.

NTU OPLab

21


Base Station

Mesh router

Honeynode

Attacker



AB

C

D

E

FG


4. Avoid attacks to prevent it from getting close to the important nodes.

NTU OPLab

22

Scenario – Attacker’s Preparing Phase2010/12/16

Signal Strength

20

20

90

20

90

Initially, the attacker has following info:1. Number of channels.2. Signal power of each channel.3. Traffic amount of each channel.4. Defense strength of each mesh

node.

20

90

A

B

C

D

E

F

G

NTU OPLab

23

Scenario – Attacker’s Preparing Phase(cont’)2010/12/16

Signal Strength

20

20

90

20

90

The honeynode: If the real channel is compromised, the attacker will be able to identify this target in attacking phase

20

90

A

B

C

D

E

F

G

NTU OPLab

24


Signal Strength

90

20

The attacker’s strategies:Maximize attack effectiveness.Maximize jammed users

The initial node will be..

The node with the strongest signal power

90

A

B

90

C

20

D

E

20

F

20

G

NTU OPLab

25


Base Station

Mesh router

Honeynode

Compromised mesh router

Attacker


AB

C

D

E

FG

H I

J

K L

NTU OPLab

26


Signal Strength

After compromise a mesh router, the attacker has following info:1. Number of channels.2. Signal power of each channel.3. Traffic amount of each channel.4. Defense strength of each mesh

node.

And…

90

9020

9020

20

90

20

90

90

20

G

L

B

I

D

E

A

H

K

F

JBeing compromised, and obtained:1. routing table info2. Location info of the mesh router.3. Traffic info4. Number of users

NTU OPLab

27


Signal Strength

After compromise a mesh router, the attacker has following info:1. Number of channels.2. Signal power of each channel.3. Traffic amount of each channel.4. Defense strength of each mesh

node.5. Number of traffic sources

90

21

20

35

90

31

20

3520

28

90

28

20

6

Number of users

90

95 90

21

90

88

20

G

L

B

I

D

E

A

H

K

F

J

NTU OPLab

28


Signal Strength

The attacker selects next hop with obtained info from compromised mesh routers if available.

The node with the highest number of traffic sources

20

6G90

21L

90

95B

I

20

D

20

28E

90

21A

90

28H

90

31K

20

35F

20

35J90

88

NTU OPLab

29


Base Station

Mesh router

Honeynode


Attacker


The action of compromising a honeynode will has following results:1. Succeed• Aware of the fact that it’s a

honeynode.• Not aware of

2. Failed

AB

C

D

E

FG

H I

J

K L

M N

NTU OPLab

30


Signal Strength

The attacker selects next hop with obtained info from compromised mesh routers if available.

90

30B

90

21A

20

6G

90

112C

20

28E

20

90D

90

27K

90

24L

90

25M

90

18N

NTU OPLab

31


Signal Strength

90

30B

90

21A

20

6G

20

28E

90

27K

90

24L

90

25M

90

18N

However, the node which was compromised by attacker was a honeynode. Thus, it obtained following fake info:1. Population2. Traffic of the neighbors

The defender will lead the attacker to:1. Unimportant area2. Nodes with greater defense strength.

90

112C

20

90D

NTU OPLab

32


Signal Strength

90

30B

90

21A

20

6G

20

28E

90

27K

90

24L

90

25M

90

18N

Relatively low traffic sources on important nodes.

High traffic sources on unimportant nodes.

90

112C

20

90D

Select node C as next hop

NTU OPLab

33


Base Station

Mesh router

Honeynode


Attacker


AB

C

D

E

FG

H I

J

K L

M N

Failed to compromise

NTU OPLab

34


Base Station

Mesh router

Honeynode


Attacker


Compromised 2nd choice node D

AB

C

D

E

FG

H I

J

K L

M N

OP Q

R

NTU OPLab

35


Signal Strength90

30B

90

21A

20

6G

20

28E20

29O

20

22R

90

98Q

90

32C

20

8D

90

35P

Select node N as next hop.

But what will the attacker do if he compromised a honeynode?

When the attacker compromised a honeynode, he may obtain:1. Only fake info2. Mixture of fake

and true info.

What should I do ? Just ignore it?Or attack the node they try to protect?

Attackers with high capacity have greater probability to distinguish between true and fake.

NTU OPLab

36

Scenario – Attacker’s Preparing Phase – Attack Detection2010/12/16

Signal Strength90

30B

90

21A

20

6G

20

28E20

29O

20

22R

90

98Q

90

32C

20

8D

90

35P

Being attacked? What should I do to protect QoS?

Capable of attack detection

NTU OPLab

37

Scenario – Attacker’s Preparing Phase – Attack Detection(cont’)2010/12/16

Signal Strength90

30B

90

21A

20

6G

20

28E20

29O

20

22R

90

98Q

90

32C

20

8D

90

35P

Re-allocate the population on its neighbors.


NTU OPLab

38


Signal Strength90

2B

90

5A

20

6G

20

20E20

8O

20

4R

90

3Q

90

15C

20

8D

90

22P


Real population on D’s neighbor

Re-allocation strategy might be:

NTU OPLab

39


Signal Strength90

10B

90

9A

20

9G

20

9E20

9O

20

10R

90

10Q

90

9C

20

9D

90

9P



Re-allocation strategy: Average Population

Average the QoS impact caused by jamming

NTU OPLab

40

Normal Jammed70

75

80

85

90

OriginMaximumAverageMinimum

93

91

84

71

2010/12/16

Scenario – Attacker’s Preparing Phase – Attack Detection(cont’)

NTU OPLab

41

Normal Jammed75%

80%

85%

90%

95%

OriginMaximumAverageMinimum

100%

97.8%

90.3%

76.3%

2010/12/16

Scenario – Attacker’s Preparing Phase – Attack Detection(cont’)

NTU OPLab

42


Signal Strength90

2B

90

5A

20

6G

20

20E20

8O

20

4R

90

3Q

90

15C

20

8D

90

22P



Re-allocation strategy: Average Traffic

Minimize the QoS impact caused by jamming

NTU OPLab

43


Base Station

Mesh router

Honeynode


Attacker


AB

C

D

E

FG

H I

J

K L

M N

OP Q

R

ST U

V

WX

NTU OPLab

44

Scenario – Attacker’s Attacking Phase2010/12/16

AB

C

D

E

FG

H I

J

K L

M N

OP Q

R

ST U

V

WX

Base Station

Mesh router

Honeynode


Jammer

Attacker


Jammed honeynode B

Jammed node V with high population

Jammed node P(not fake channel)

Jammed normal node F

Jammed honeynode U

NTU OPLab

45

Scenario – Attacker’s Attacking Phase(cont’)2010/12/16

AB

C

D

E

FG

H I

J

K L

M N

OP Q

R

ST U

V

WX

Base Station

Mesh router

Honeynode


Jammer

Attacker


Range overlapped, the fake channel jammed.

Although they seems overlapped, but the jammers attacked two different channel

NTU OPLab

46

Scenario – Defender’s Defending Phase2010/12/16

AB

C

D

E

FG

H I

J

K L

M N

OP Q

R

ST U

V

WX

Base Station

Mesh router

Honeynode


Jammer

Attacker


To minimize the total effectiveness of jamming, the defender will tend to remove these nodes first:1. High population2. Not fake channel

Their sequence will be…1)Jammed node V with high population

2)Jammed normal node F

3)Jammed node P(not fake channel)

5)Jammed honeynode U

4)Jammed honeynode B

NTU OPLab

47

Scenario – Defender’s Defending Phase - Channel Surfing2010/12/16

AB

C

D

E

FG

H I

J

K L

M N

OP Q

R

ST U

V

WX

Base Station

Mesh router

Honeynode


Jammer

Attacker


The function of channel surfing function:1. Mitigate the impact of jamming Time EffectivenessRange overlapped. If the mesh

router switch to other channel:1. Jammed time shotened.2. Jammers are not able to know

which channel is the origin channel unless it’s compromised.

NTU OPLab

48

Scenario – Defender’s Defending Phase - Localization2010/12/16

Base Station

Mesh router

Honeynode


Jammer

Attacker


Two types of locator:1. Static2. Mobile

NTU OPLab

49


Base Station

Mesh router

Honeynode


Jammer

Attacker


Static locator:1. Mesh routers

NTU OPLab

50


Base Station

Mesh router

Honeynode


Jammer

Attacker


Static locator:2. Reference points

0 10 20 300

10

20

30

meter

Deployed in the topology with the given density

The density is defined as locater per length unit. In this case, the unit is 10 meter

NTU OPLab

51

0 10 20 300

10

20

30

meter


Base Station

Mesh router

Honeynode


Jammer

Attacker


Mobile locatorCapable of precise localization function

Jammer which is not able to be approximately localized

NTU OPLab

52

0 10 20 300

10

20

30

meter


Base Station

Mesh router

Honeynode


Jammer

Attacker


Mobile locator

Reference point 1

Reference point 2

NTU OPLab

53

0 10 20 300

10

20

30

meter


Base Station

Mesh router

Honeynode


Jammer

Attacker


Mobile locator

Reference point 1(useless)

Reference point 2

Multiple jammers

Reference point 3

Reference point 4

One of the jammers removed

Mathematical Formulation

NTU OPLab

55

Assumptions

1. The communications between mesh routers and between mesh routers and

mesh clients use different communication protocol.

2. All the packets are encrypted. Thus, the attacker can’t directly obtain

information in the communication channels.

3. The defender has complete information of the network which is attacked by

a single attacker with different strategies.

4. The attacker is not aware of the topology of the network. Namely, it doesn’t

know that there are honeynodes in the network and which nodes are

important, i.e., the attacker only has incomplete information of the network.

2010/12/16

NTU OPLab

56

Assumptions(cont’)

5. There are two kinds of defense resources, the non-deception based resources

and the deception based resources.

6. There are multiple jammers in the network, and their jamming ranges might

be overlapped.

7. There is only constructive interference between jamming signals.

2010/12/16

NTU OPLab

57

Given parameters

2010/12/16

Notation Description

N The index set of all nodes

H The index set of all honeynodes

P The index set of the nodes with channel surfing technique

Q The index set of the nodes with precise localization technique

R The index set of the nodes with detection technique

NTU OPLab

58

Given parameters

2010/12/16


B The defender’s total budget

ZAll possible attack configuration, including attacker’s attributes and corresponding strategies.

EAll possible defense configuration, including defense resources allocation and defending strategies

F Total attacking times of all attackers

An attack configuration, including the attributes and corresponding strategies , where 1≤ i ≤ F

1 if the attacker can achieve his goal successfully, and 0 otherwise, where 1≤ i ≤ F( , )i iT D A

��

iA��

NTU OPLab

59

Given parameters

2010/12/16


m(ρi)The cost of constructing a node with the quality with quality ρi, where i∈N

ni

The non-deception based defense resources allocated to node i, where i∈N

h(εi)The cost of constructing a honeynode with the interactive capability εi, where i∈H

a(φ)The cost of constructing static locators with the density φ

bThe cost of constructing a channel surfing function to one node

cThe cost of constructing a precise localization technique to one node

d The cost of constructing a detection technique to one node

t(ρi) The maximum traffic of node i with quality ρi, where i∈N

NTU OPLab

60

Decision variables

2010/12/16


The information regarding resources allocating and defending

wi

1 if node i is equipped with honeynode function, and 0 otherwise, where i∈N

xi

1 if node i is equipped with channel surfing function, and 0 otherwise, where i∈N

yi

1 if node i is implemented with precise localization technique, and 0 otherwise, where i∈N

zi

1 if node i is implemented with the detection technique, and 0 otherwise, where i∈N

εi The interactive capability of honeypot i, where i∈N

ρi The quality of node i, where i∈N

φ The density of static locator

D��

NTU OPLab

61

Objective function

2010/12/16

1

( , )F

i ii

D

T D Amin

F

��

��(IP 1)

NTU OPLab

62

Constraints

•Defender’s budget constraints

2010/12/16

(IP 1.1)

D E��

(IP 1.2)iA Z

��

NTU OPLab

63

Constraints


2010/12/16

1 1 1 1

1 1

( ) ( ) ( )N N H P

i i i i ii i i i

Q R

i ii i

m n w h a x b

y c z d B

(IP 1.3)

NTU OPLab

64

Constraints


2010/12/16

1

( )N

ii

m B

1

N

ii

n B

1

( )H

i ii

w h B

( )a B

(IP 1.6)

(IP 1.7)

(IP 1.5)

(IP 1.4)

NTU OPLab

65

Constraints


2010/12/16

1

R

ii

z d B

(IP 1.10)

(IP 1.9)

1

Q

ii

y c B

1

P

ii

x b B

(IP 1.8)

NTU OPLab

66

Constraints

• QoS constraints▫ QoS is a function of:

1. BS loading2. Utilization of mesh routers on the path to BS3. Hops to core node4. Fake traffic effect, 5. Population re-allocation effect6. Channel surfing effect7. Jammer removal

2010/12/16

(IP 1.11)

1 ( , , , , , , )threshold

Yy BS link tocore effect effect effect effectQ L U H F P C J dy

QY

NTU OPLab

67

Constraints

• QoS constraints▫ ▫ The performance reduction cause by the jammed node should not

violate IP1.11.▫ The performance reduction cause by the channel surfing should

not violate IP1.11.

2010/12/16

(IP 1.12)

(IP 1.13)

QoS after population re-allocationthreshold

Q

(IP 1.14)

NTU OPLab

68

Constraints• Channel surfing constraints

▫ The mesh router must equipped with channel surfing technique.▫ The next channel to be selected must not be in use.▫ Channel surfing function triggers only if the jammed channel is

not a fake channel.• Population re-allocation constraints

▫ The mesh clients to be re-allocated must be in the transmission range of the mesh routers other than current mesh router.

▫ The total traffic of the mesh router i after re-allocation must not exceed the maximum traffic limit t(ρi), where i∈N.

2010/12/16

(IP 1.15)(IP 1.16)(IP 1.17)

(IP 1.18)

(IP 1.19)

NTU OPLab

69

Constraints• Approximate localization

▫ There must be at least three available reference points which is under the effect of jamming attack in the jammed channel.

• Precise localization▫ There must be at least one mobile locator in the network.

• Fake traffic▫ The fake traffic sent to mesh router i from the honeynodes must not

make it exceed the maximum traffic limit t(ρi), where i∈N

2010/12/16

(IP 1.21)

(IP 1.22)

(IP 1.20)

NTU OPLab

70

Constraints

2010/12/16

(IP 1.25)

(IP 1.24)

i N (IP 1.23)

(IP 1.26)

i N

i N

i N

0 1iw or

0 1ix or0 1iy or0 1iz or

• Integer constraints

NTU OPLab

71

The End

•Thanks for your attention.

2010/12/16

Documents

Research Direction Introduction Advisor: Professor Frank Y.S. Lin Present by Hubert J.W. Wang