Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks. Yan Chen, Hai Zhou, Northwestern Lab for Internet and Security Technology (LIST), Dept. of Electrical Engineering and Computer Science, Northwestern University.


1 Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks
Yan Chen, Hai Zhou
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science, Northwestern University
http://list.cs.northwestern.edu
Motorola Liaisons: Greg W. Cox, Z. Judy Fu, Peter McCann, and Philip R. Roberts, Motorola Labs

2 The Current Threat Landscape and Countermeasures of WiMAX Networks
WiMAX: next wireless phenomenon
–Predicted multi-billion dollar industry
WiMAX faces both Internet attacks and wireless network attacks
–E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
Goal of this project: secure WiMAX networks
Big security risks for WiMAX networks
–No formal analysis of WiMAX security vulnerabilities
–No intrusion detection/mitigation product or research tailored to WiMAX networks

3 Security Challenges in Wireless Networks
Wireless networks are more vulnerable than wired networks
–Open media
»Easy to sniff, spoof and inject packets
–Open access
»Hotspots and a potentially large user population
Attacks are more diverse
–On media access (e.g., jamming), but easy to detect
–On protocols (our focus)

4 Our Approach
Vulnerability analysis of WiMAX networks at various layers
–IEEE 802.16e: MAC layer (done in year 2)
–Mobile IPv4/v6: network layer (started in year 2)
–EAP layer
Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
–Could be a differentiator for Motorola's 802.16 products
–Focus on the emerging threats: polymorphic zero-day worms and botnets

5 Outline
Threat Landscape and Motivation
Our Approach
Accomplishments
Network-based zero-day polymorphic worm signature generation
DoS attacks on wireless networks with error messages in the EAP-TLS protocol

6 Accomplishments This Year (I)
Most achieved with close interaction with Motorola liaisons
Automatic polymorphic worm signature generation systems for high-speed networks
–Fast, noise tolerant, with proven attack resilience
–Resulted in a joint paper with Motorola Labs: "Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms", published in the IEEE International Conference on Network Protocols (ICNP) 2007 (14% acceptance rate)
–Patent filed through Motorola
»"Method and Apparatus to Facilitate Generating Worm-Detection Signatures Using Data Packet Field Lengths", U.S. Patent Application No. 11/985,760, filed Dec. 18, 2007
–A journal paper submitted to IEEE/ACM Transactions on Networking

7 Accomplishments This Year (II)
Vulnerability analysis of wireless network protocols
–IP layer and authentication layer
Found a general class of error-message based attacks
Attack requirements
–Sniffing
–Spoofing before authentication completes
Basic ideas
–Spoof and inject error messages, or wrong messages that trigger error messages
–Clients' requests fail, leading to DoS
Examples of vulnerable protocols
–EAP-TLS protocol
–Mobile IPv6 route optimization

8 Accomplishments on Publications
Three conference papers, one journal paper and two book chapters
–"Accurate and Efficient Traffic Monitoring Using Adaptive Non-linear Sampling Method", to appear in the Proc. of IEEE INFOCOM, 2008
–"Honeynet-based Botnet Scan Traffic Analysis", invited book chapter for "Botnet Detection: Countering the Largest Security Threat", Springer, 2007
–"Integrated Fault and Security Management", invited book chapter for "Information Assurance: Dependability and Security in Networked Systems", Morgan Kaufmann Publishers, 2007
–"Reversible Sketches: Enabling Monitoring and Analysis over High-speed Data Streams", in IEEE/ACM Transactions on Networking, Volume 15, Issue 5, Oct. 2007
–"Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms", in the Proc. of the 15th IEEE International Conference on Network Protocols (ICNP), 2007
–"Detecting Stealthy Spreaders Using Online Outdegree Histograms", in the Proc. of the 15th IEEE International Workshop on Quality of Service (IWQoS), 2007

9 Students Involved
PhD students:
–Zhichun Li, Yao Zhao (both in their 4th year)
–Lanjia Wang, Yanmei Zhang (visiting PhD students)
MS students:
–Sagar Vemuri (1st year)
–Jiazhen Chen (2nd year)

10 Outline
Threat Landscape and Motivation
Our Approach
Accomplishments
Network-based zero-day polymorphic worm signature generation
DoS attacks on wireless networks with error messages in the EAP-TLS protocol

11 Limitations of Exploit-Based Signatures
[Figure: traffic filtering at the gateway between the Internet and our network with an exploit-based signature "10.*01"; polymorphic variants of the worm slip past it]
Polymorphic worms may not have any exact exploit-based signature. Polymorphism!

12 Vulnerability Signature
Works for polymorphic worms
Works for all the worms which target the same vulnerability
[Figure: vulnerability-signature traffic filtering between the Internet and our network blocks every variant that targets the unknown vulnerability]

13 Benefits of Network-Based Detection
At the early stage of a worm, only limited worm samples are available.
Host-based sensors can only cover limited IP space, which raises scalability issues.
[Figure: host-based detection at individual hosts versus detection at the gateway routers between the Internet and our network. Early detection!]

14 Basic Ideas
At least 75% of vulnerabilities are due to buffer overflow
The over-long field is intrinsic to a buffer overflow vulnerability and hard to evade, so field length is the signature
However, there could be thousands of fields, so selecting the optimal field set is hard
[Figure: a protocol message whose over-long field overflows the vulnerable buffer]
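As an added example (not the LESG code from the page or the paper), the following Python sketch shows the length-signature idea in working form: a small parser turns each flow of a constructed HTTP-like protocol into per-field lengths, and a greedy generator picks, per field, the smallest threshold that the normal pool (almost) never exceeds while covering the suspicious pool, stopping when no field adds enough coverage so that benign "noise" flows mixed into the suspicious pool do not yield rules. The protocol, the two pools, the `max_fp` and `min_gain` parameters and every function name are assumptions made for the illustration.

```python
"""Length-based signature generation for buffer-overflow worms (added example).

Not the page's LESG implementation: a constructed HTTP-like protocol stands in
for the DNS/SNMP/FTP/SMTP parsers, and the pools are built inline.
"""


def field_lengths(msg: bytes) -> dict:
    """Parse an HTTP-like request into {field name: field length in bytes}."""
    lines = msg.split(b"\r\n")
    request = lines[0].split(b" ")
    lengths = {"method": len(request[0]),
               "uri": len(request[1]) if len(request) > 1 else 0}
    for line in lines[1:]:
        if b":" not in line:
            continue                      # blank line or malformed header
        name, value = line.split(b":", 1)
        lengths["hdr:" + name.strip().lower().decode("ascii", "replace")] = len(value.strip())
    return lengths


def length_threshold(field: str, normal: list, max_fp: float) -> int:
    """Smallest L such that the rule "len(field) > L" matches at most a max_fp
    fraction of the normal pool. A field missing from a flow counts as length 0."""
    lens = sorted((f.get(field, 0) for f in normal), reverse=True)
    allowed = int(max_fp * len(lens))     # normal flows the rule may hit
    return lens[allowed] if allowed < len(lens) else 0


def coverage(signature: list, pool: list) -> float:
    """Fraction of flows in pool matched by an OR of (field, L) length rules."""
    if not pool:
        return 0.0
    hits = sum(1 for f in pool if any(f.get(field, 0) > L for field, L in signature))
    return hits / len(pool)


def generate_length_signature(suspicious: list, normal: list,
                              max_fp: float = 0.01, min_gain: float = 0.1) -> list:
    """Greedy generation: repeatedly add the (field, L) rule that covers the most
    not-yet-covered suspicious flows, each rule bounded to max_fp false positives
    on the normal pool. Noise in the suspicious pool is tolerated because the
    loop stops once the best remaining rule adds less than min_gain coverage."""
    fields = {name for f in suspicious for name in f}
    remaining = list(suspicious)
    signature = []
    while remaining:
        best = None
        for field in sorted(fields):
            L = length_threshold(field, normal, max_fp)
            gain = sum(1 for f in remaining if f.get(field, 0) > L) / len(suspicious)
            if best is None or gain > best[0]:
                best = (gain, field, L)
        gain, field, L = best
        if gain < min_gain:
            break
        signature.append((field, L))
        remaining = [f for f in remaining if f.get(field, 0) <= L]
    return signature


def matches(signature: list, msg: bytes) -> bool:
    """Gateway filter check for one flow: does any length rule fire?"""
    f = field_lengths(msg)
    return any(f.get(field, 0) > L for field, L in signature)


def http_request(uri: bytes, user_agent: bytes = b"Mozilla/5.0 (constructed)") -> bytes:
    """Build a constructed request for the sample pools."""
    return (b"GET " + uri + b" HTTP/1.0\r\nHost: www.example.org\r\n"
            b"User-Agent: " + user_agent + b"\r\n\r\n")


# Constructed normal pool: 50 benign requests whose URI lengths run 8..57.
NORMAL = [field_lengths(http_request(b"/static/" + b"x" * i)) for i in range(50)]

# Constructed suspicious pool: 10 polymorphic variants that overflow a fixed-size
# URI buffer (different filler bytes and lengths, same vulnerability) plus 2
# benign flows as noise, as a real suspicious pool would contain.
WORMS = [http_request(b"/" + bytes([0x41 + i]) * (200 + 17 * i)) for i in range(10)]
NOISE = [http_request(b"/index.html"), http_request(b"/static/logo.png")]
SUSPICIOUS = [field_lengths(m) for m in WORMS + NOISE]

SIGNATURE = generate_length_signature(SUSPICIOUS, NORMAL)

if __name__ == "__main__":
    print("signature:", SIGNATURE)
    print("coverage on suspicious pool: %.2f" % coverage(SIGNATURE, SUSPICIOUS))
    print("false positives on normal pool: %.2f" % coverage(SIGNATURE, NORMAL))
```

The generated signature is a single rule on the `uri` field with the threshold set just above the longest benign URI, and the two noise flows are left uncovered rather than forcing a second rule; a polymorphic variant with different filler bytes still matches because only the length is tested. The field-selection problem the slide mentions shows up here as the greedy loop over every parsed field.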

15 Framework
[Figure: system framework; ICDCS06, INFOCOM06, TON 07]

16 LESG Signature Generator
[Figure: LESG signature generator]

17 Evaluation Methodology
Worm workload
–Eight polymorphic worms created based on real-world vulnerabilities, including those of CodeRed II and the Lion worm
–Protocols: DNS, SNMP, FTP, SMTP
Normal traffic data
–27GB from a university gateway and a 123GB email log

18 Results
Single/multiple worms with noise
–Noise ratio: 0~80%
–False negatives: 0~1% (mostly 0)
–False positives: 0~0.01% (mostly 0)
Pool size requirement
–10 or 20 flows are enough, even with 20% noise
Speed results
–With 500 samples in the suspicious pool and 320K samples in the normal pool, for DNS: parsing 58 secs, LESG 18 secs

19 In Summary
A novel network-based automated worm signature generation approach
–Works for zero-day polymorphic worms with unknown vulnerabilities
–First work which is both vulnerability-based and network-based, using length signatures for buffer overflow vulnerabilities
–Provable attack resilience
–Fast and accurate in experiments

20 Outline
Threat Landscape and Motivation
Our Approach
Accomplishments
Network-based zero-day polymorphic worm signature generation
DoS attacks on wireless networks with error messages in the EAP-TLS protocol

21 EAP Authentication on Wireless Networks
[Figure: protocol stack. Authentication primitive: Transport Layer Security (TLS). Authentication method layer: EAP-TLS, EAP-FAST, PEAP, EAP-TTLS. EAP layer: Extensible Authentication Protocol (EAP). Data link layer: EAP over LAN (EAPOL) on 802.11 WLAN]
TLS provides mutual authentication and key exchange.

22 TLS Conversation (Successful)
[Figure: TLS handshake protocol message flow]
A TLS client and server negotiate a stateful connection using a handshake procedure.

23 TLS Conversation (Failed)
[Figure: TLS handshake aborted by a fatal alert]
On transmission or receipt of a fatal alert message, both parties immediately close the connection.

24 EAP-TLS Vulnerability
Sniffing to learn the client MAC address and identities
–Packets are in clear text before authentication
–Regardless of whether WEP, WPA, or WPA2 is used
Spoofing error messages
–Before authentication completes, the attacker spoofs an alert message of level 'fatal', followed by a close_notify alert
–The handshake then fails and must be retried
Complete DoS attack
–The attacker repeats the previous steps to defeat every retry
Experiments on the Northwestern wireless network are in progress.

25 Conclusions
Network-based zero-day polymorphic worm signature generation
Vulnerability analysis of wireless network protocols: Mobile IP and EAP-TLS
Close work with Motorola liaisons
–Joint conference paper published, a journal paper submitted and a patent filed
Completed prototype/implementation code accessible to Motorola under the agreement
Thank You!

26 Deployment of WAIDM
Attached as a black box to the switch connecting the base stations (BSs)
Enables early detection and mitigation of global-scale attacks
Could be a differentiator for Motorola's 802.16 products
[Figure: (a) original configuration: 802.16 BSs and their users connected through a switch/BS controller to the Internet; (b) WAIDM deployed: the WAIDM system attached to a scan port on the switch/BS controller]

27 Experiment in Lab
We conducted a real-world experiment demonstrating the practicality of the attack on TLS by performing a DoS attack on Northwestern University's wireless network.
Northwestern Wireless requires users to authenticate using PEAP (Protected EAP), which internally uses TLS 1.0 as the security method for authentication. The user provides his ID (NetID) and password, which are then verified at a back-end Authentication Server.
We used:
–the libpcap library to sniff the channel
–the lorcon library to set the parameters of the wireless network card and send spoofed messages
–a Proxim Orinoco Gold wireless network adapter
–MADWifi (madwifi-ng) drivers

28 EAP-TLS Attack in Action
Simple attack: error alert message of level 'fatal', followed by a close_notify alert

29 Potential Solutions
Enhance the robustness of authentication protocols for wireless access
–Delayed response
»Wait for a short time to allow multiple responses to arrive
–Trust the good response
»The attacker cannot ultimately pass authentication by always spoofing good responses
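The attack of slide 24 and the delayed-response mitigation of slide 29, as an added Python example that is neither the authors' libpcap/lorcon tool nor a real TLS implementation: it builds the TLS 1.0 alert records an attacker injects (a fatal alert, then close_notify), a constructed stand-in for the server's handshake flight, and a minimal client that either tears the handshake down on the first fatal alert, as RFC 2246 section 7.2 requires, or holds the alert for a short window and trusts a complete server flight that arrives within it. The `Client` class, the policy names, the `window_expired` hook and the handshake payloads are assumptions made for the illustration.

```python
"""TLS alert-injection DoS and a delayed-response client (added example).

Models only the TLS record layer as carried inside EAP-TLS before any keys
exist: every record is in the clear, so an attacker who can sniff and inject
frames can forge alerts. Not the page's attack tool and not a TLS stack.
"""
import struct

CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
TLS10 = b"\x03\x01"                       # record-layer version for TLS 1.0
LEVEL_WARNING, LEVEL_FATAL = 1, 2
ALERT_CLOSE_NOTIFY, ALERT_HANDSHAKE_FAILURE = 0, 40
HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_HELLO_DONE = 2, 11, 14


def tls_record(content_type: int, body: bytes) -> bytes:
    """TLS record: type(1) | version(2) | length(2) | body."""
    return bytes([content_type]) + TLS10 + struct.pack("!H", len(body)) + body


def alert_record(level: int, description: int) -> bytes:
    """Alert protocol body is exactly two bytes: level, description."""
    return tls_record(CONTENT_ALERT, bytes([level, description]))


def handshake_record(hs_type: int, payload: bytes = b"") -> bytes:
    """Handshake body: msg_type(1) | length(3) | payload (payload constructed)."""
    return tls_record(CONTENT_HANDSHAKE,
                      bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload)


def parse_records(data: bytes) -> list:
    """Split a byte stream into (content_type, body) tuples; stop at a truncated record."""
    out, i = [], 0
    while i + 5 <= len(data):
        ctype = data[i]
        length = struct.unpack("!H", data[i + 3:i + 5])[0]
        body = data[i + 5:i + 5 + length]
        if len(body) < length:
            break
        out.append((ctype, body))
        i += 5 + length
    return out


class Client:
    """EAP-TLS client that has sent ClientHello and awaits the server flight.

    policy "immediate": close on the first fatal alert or close_notify
                        (RFC 2246 behaviour; what the spoofing attack exploits).
    policy "delayed":   hold such an alert until the response window expires;
                        a complete server flight seen meanwhile is trusted and
                        the alert is discarded (slide 29's two ideas combined).
    """

    def __init__(self, policy: str):
        if policy not in ("immediate", "delayed"):
            raise ValueError("policy must be 'immediate' or 'delayed'")
        self.policy = policy
        self.state = "WAIT_SERVER_FLIGHT"
        self.pending_alert = None

    def receive(self, data: bytes) -> str:
        """Process every record that arrived in the current response window."""
        for ctype, body in parse_records(data):
            if self.state == "CLOSED":
                break                                  # nothing is accepted after close
            if ctype == CONTENT_ALERT and len(body) == 2:
                level, desc = body
                if level == LEVEL_FATAL or desc == ALERT_CLOSE_NOTIFY:
                    if self.policy == "immediate":
                        self.state = "CLOSED"
                    else:
                        self.pending_alert = desc      # defer the decision
            elif ctype == CONTENT_HANDSHAKE and body and body[0] == HS_SERVER_HELLO_DONE:
                # A complete server flight: continue the handshake. An attacker can
                # forge this too, but cannot finish authentication without the
                # server's private key, so trusting it costs nothing.
                self.state = "SEND_CLIENT_FLIGHT"
                self.pending_alert = None
        return self.state

    def window_expired(self) -> str:
        """End of the short wait: a still-pending alert with no good response wins."""
        if self.pending_alert is not None and self.state == "WAIT_SERVER_FLIGHT":
            self.state = "CLOSED"
        return self.state


def handshake_outcome(policy: str, records_in_window: bytes) -> str:
    """Run one response window for a fresh client and return its state."""
    client = Client(policy)
    client.receive(records_in_window)
    return client.window_expired()


# Constructed wire data. The attacker, being local, beats the real server.
SPOOFED_ALERTS = (alert_record(LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE)
                  + alert_record(LEVEL_WARNING, ALERT_CLOSE_NOTIFY))
SERVER_FLIGHT = (handshake_record(HS_SERVER_HELLO, TLS10 + b"\x00" * 32)
                 + handshake_record(HS_CERTIFICATE, b"<constructed certificate chain>")
                 + handshake_record(HS_SERVER_HELLO_DONE))
ATTACK_WINDOW = SPOOFED_ALERTS + SERVER_FLIGHT       # spoofed alerts, then the real flight
GENUINE_FAILURE = alert_record(LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE)  # server really refused

if __name__ == "__main__":
    for policy in ("immediate", "delayed"):
        print(policy, "under attack:", handshake_outcome(policy, ATTACK_WINDOW))
        print(policy, "genuine failure:", handshake_outcome(policy, GENUINE_FAILURE))
```

The delayed client still closes when the server genuinely refuses, so correctness of the failure path is preserved; the price is one response window of extra latency on every failed handshake, and the scheme does not help against an attacker who also suppresses the server's frames (jamming) or who simply floods, which the page lists as easier to detect.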

