Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University.

Presentation transcript:

Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks
Yan Chen, Hai Zhou
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science, Northwestern University
Motorola Liaisons: Greg W. Cox, Z. Judy Fu, Peter McCann, and Philip R. Roberts, Motorola Labs

The Current Threat Landscape and Countermeasures of WiMAX Networks
WiMAX: the next wireless phenomenon
–Predicted multi-billion dollar industry
WiMAX faces both Internet attacks and wireless network attacks
–E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
Goal of this project: secure WiMAX networks
Big security risks for WiMAX networks
–No formal analysis of WiMAX security vulnerabilities
–No intrusion detection/mitigation product or research tailored to WiMAX networks

Security Challenges in Wireless Networks
Wireless networks are more vulnerable than wired networks
–Open media
»Easy to sniff, spoof and inject packets
–Open access
»Hotspots and a potentially large user population
Attacks are more diverse
–On media access (e.g., jamming), but easy to detect
–On protocols (our focus)

Our Approach
Vulnerability analysis of WiMAX networks at various layers
–IEEE e: MAC layer (done in year 2)
–Mobile IP v4/6: network layer (started in year 2)
–EAP layer
Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
–Could be a differentiator for Motorola's products
–Focus on the emerging threats: polymorphic zero-day worms and botnets

Outline
Threat Landscape and Motivation
Our approach
Accomplishments
Network-based zero-day polymorphic worm signature generation
DoS attacks on wireless networks with error messages on EAP-TLS protocols

Accomplishments This Year (I)
Most achieved with close interaction with Motorola liaisons
Automatic polymorphic worm signature generation systems for high-speed networks
–Fast, noise tolerant, with proven attack resilience
–Resulted in a joint paper with Motorola Labs, "Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms", published in the IEEE International Conference on Network Protocols (ICNP) 2007 (14% acceptance rate)
–Patent filed through Motorola
»"Method and Apparatus to Facilitate Generating Worm-Detection Signatures Using Data Packet Field Lengths", U.S. Patent Application No. 11/985,760. Filed on Dec. 18,
–A journal paper submitted to IEEE/ACM Trans. on Net.

Accomplishments This Year (II)
Vulnerability analysis of wireless network protocols
–IP layer and authentication layer
Found a general class of "error-message" based attacks
Attack requirements
–Sniffing
–Spoofing before authentication completes
Basic ideas
–Spoof and inject error messages, or wrong messages that trigger error messages
–Clients' requests fail, leading to DoS attacks
Examples of vulnerable protocols
–EAP-TLS protocol
–Mobile IPv6 route optimization

Accomplishments on Publications
Three conference papers, one journal paper and two book chapters
–"Accurate and Efficient Traffic Monitoring Using Adaptive Non-linear Sampling Method", to appear in the Proc. of IEEE INFOCOM, 2008
–"Honeynet-based Botnet Scan Traffic Analysis", invited book chapter for "Botnet Detection: Countering the Largest Security Threat", Springer
–"Integrated Fault and Security Management", invited book chapter for "Information Assurance: Dependability and Security in Networked Systems", Morgan Kaufmann Publishers
–"Reversible Sketches: Enabling Monitoring and Analysis over High-speed Data Streams", in ACM/IEEE Transactions on Networking, Volume 15, Issue 5, Oct
–"Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms", in the Proc. of the 15th IEEE International Conference on Network Protocols (ICNP), 2007
–"Detecting Stealthy Spreaders Using Online Outdegree Histograms", in the Proc. of the 15th IEEE International Workshop on Quality of Service (IWQoS), 2007

Students Involved
PhD students:
–Zhichun Li, Yao Zhao (both in their 4th year)
–Lanjia Wang, Yanmei Zhang (visiting PhD students)
MS students:
–Sagar Vemuri (1st year)
–Jiazhen Chen (2nd year)

Outline
Threat Landscape and Motivation
Our approach
Accomplishments
Network-based zero-day polymorphic worm signature generation
DoS attacks on wireless networks with error messages on EAP-TLS protocols

Limitations of Exploit-Based Signatures
[Figure: traffic filtering at the boundary between the Internet and our network with an exploit-based signature "10.*01"; the polymorphic variants pass through]
Polymorphic worms may not have any exact exploit-based signature. Polymorphism!

Vulnerability Signature
Works for polymorphic worms
Works for all the worms which target the same vulnerability
[Figure: vulnerability-signature traffic filtering between the Internet and our network; the vulnerability itself may be unknown]

Benefits of Network-Based Detection
At the early stage of a worm there are only limited worm samples.
Host-based sensors can cover only limited IP space, which may raise scalability issues.
[Figure: gateway routers between the Internet and our network versus host-based detection. Early detection!]

Basic Ideas
At least 75% of vulnerabilities are due to buffer overflow
Field length is intrinsic to a buffer overflow vulnerability and hard to evade
However, there could be thousands of fields, so selecting the optimal field set is hard
[Figure: a protocol message field overflowing a vulnerable buffer]

Framework (ICDCS06, INFOCOM06, TON 07)

LESG Signature Generator

Evaluation Methodology
Worm workload
–Eight polymorphic worms created based on real-world vulnerabilities, including the CodeRed II and Lion worms
–Protocols: DNS, SNMP, FTP, SMTP
Normal traffic data
–27GB from a university gateway and a 123GB log

Results
Single/multiple worms with noise
–Noise ratio: 0~80%
–False negative: 0~1% (mostly 0)
–False positive: 0~0.01% (mostly 0)
Pool size requirement
–10 or 20 flows are enough even with 20% noise
Speed results
–With 500 samples in the suspicious pool and 320K samples in the normal pool, for DNS: parsing 58 secs, LESG 18 secs

In Summary
A novel network-based automated worm signature generation approach
–Works for zero-day polymorphic worms with unknown vulnerabilities
–First work which is both vulnerability-based and network-based, using length signatures for buffer overflow vulnerabilities
–Provable attack resilience
–Fast and accurate, as shown in experiments
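The Basic Ideas, LESG Signature Generator and Results slides describe the length-signature approach only at the level of a diagram and its evaluation numbers. The following is an added illustration written for this page, not the authors' LESG implementation: a deliberately simplified greedy generator that picks (field, length threshold) terms from a suspicious pool and a normal pool, then a matcher and an evaluator that report the false-negative and false-positive rates the Results slide talks about. The field names, the pool contents (including two benign "noise" flows planted in the suspicious pool) and the thresholds `max_fp` and `min_term_coverage` are all constructed assumptions:

```python
"""Simplified length-signature generation and matching for buffer-overflow
worms. Added illustration of the idea on the slides; not the authors' LESG
code. Field names, thresholds and all flows below are constructed."""
from math import ceil

# Constructed sample pools. Each flow is a dict mapping a protocol field name
# to that field's length in bytes; a real system would get these lengths from
# a protocol parser (the slides evaluate DNS, SNMP, FTP and SMTP).
WORM_FLOWS = [{"qname": 600 + 7 * i, "ttl": 4} for i in range(10)]  # oversized field
NOISE_FLOWS = [{"qname": 20, "ttl": 4}, {"qname": 35, "ttl": 4}]  # benign flows that leaked into the suspicious pool
SUSPICIOUS_POOL = WORM_FLOWS + NOISE_FLOWS
NORMAL_POOL = [{"qname": 5 + (i % 56), "ttl": 4} for i in range(300)]  # qname 5..60 bytes


def _fraction_at_least(pool, field, threshold):
    """Fraction of flows in `pool` whose `field` is at least `threshold` bytes long."""
    if not pool:
        return 0.0
    return sum(1 for flow in pool if flow.get(field, 0) >= threshold) / len(pool)


def generate_length_signature(suspicious, normal, max_fp=0.001, min_term_coverage=0.2):
    """Greedily build a signature: a list of (field, threshold) terms.

    A candidate term "len(field) >= threshold" is acceptable only if it fires on
    at most `max_fp` of the normal pool and covers at least `min_term_coverage`
    of the suspicious pool. Each round keeps the acceptable term that covers
    the most still-uncovered suspicious flows (ties: larger threshold, i.e.
    the more conservative one). Suspicious flows that no acceptable term
    covers (typically noise) are left uncovered rather than forcing a term
    that would match normal traffic; that is what lets the generator
    tolerate a noisy suspicious pool.
    """
    remaining = list(suspicious)
    min_count = ceil(min_term_coverage * len(suspicious))
    signature = []
    while remaining:
        best = None  # (covered_count, threshold, field)
        fields = {name for flow in remaining for name in flow}
        for field in sorted(fields):
            # Only lengths that actually occur in the suspicious pool are tried
            # as thresholds, which keeps the search linear in the pool size.
            for threshold in sorted({flow.get(field, 0) for flow in remaining}):
                if threshold == 0 or _fraction_at_least(normal, field, threshold) > max_fp:
                    continue
                covered = sum(1 for flow in remaining if flow.get(field, 0) >= threshold)
                if covered >= min_count and (best is None or (covered, threshold) > best[:2]):
                    best = (covered, threshold, field)
        if best is None:
            break
        _, threshold, field = best
        signature.append((field, threshold))
        remaining = [flow for flow in remaining if flow.get(field, 0) < threshold]
    return signature


def matches(flow, signature):
    """A flow matches when any term fires: the field is at least threshold bytes."""
    return any(flow.get(field, 0) >= threshold for field, threshold in signature)


def evaluate(signature, worm_flows, normal_flows):
    """Return (false_negative_rate, false_positive_rate) for a signature."""
    fn = sum(1 for flow in worm_flows if not matches(flow, signature)) / len(worm_flows)
    fp = sum(1 for flow in normal_flows if matches(flow, signature)) / len(normal_flows)
    return fn, fp


if __name__ == "__main__":
    sig = generate_length_signature(SUSPICIOUS_POOL, NORMAL_POOL)
    print("signature:", sig)  # [('qname', 600)]
    print("(fn, fp):", evaluate(sig, WORM_FLOWS, NORMAL_POOL))  # (0.0, 0.0)
```

Run stand-alone, the generator selects the single term `qname >= 600`: the `ttl` field is rejected because every normal flow would trigger it, and the two noise flows are left uncovered because any threshold low enough to cover them would also match normal traffic. The "Pool size requirement" and "noise ratio" numbers on the Results slide are exactly the parameters that decide whether such a term can be found: too few suspicious flows, or too many noise flows, and `min_count` is never reached.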

Outline
Threat Landscape and Motivation
Our approach
Accomplishments
Network-based zero-day polymorphic worm signature generation
DoS attacks on wireless networks with error messages on EAP-TLS protocols

EAP Authentication on Wireless Networks
[Figure: protocol layering. Data link layer: WLAN, EAP over LAN (EAPOL). EAP layer: Extensible Authentication Protocol (EAP). Authentication method layer: EAP-FAST, PEAP, EAP-TTLS, EAP-TLS. Authentication primitive: Transport Layer Security (TLS)]
TLS provides mutual authentication and key exchange.

TLS Conversation (Successful)
[Figure: TLS handshake protocol message flow]
A TLS client and server negotiate a stateful connection using a handshake procedure.

TLS Conversation (Failed)
On transmission or receipt of a fatal alert message, both parties immediately close the connection.

EAP-TLS - Vulnerability
Sniffing to learn the client MAC address and IDs
–Packets are in clear text before authentication
–Regardless of whether WEP, WPA, or WPA2 is used
Spoofing error messages
–Before authentication is done, the attacker spoofs an alert message of level 'fatal', followed by a close_notify alert
–The handshake protocol then fails and needs to be tried again
Complete DoS attack
–The attacker repeats the previous steps to stop all the retries
Experiments with the Northwestern wireless network are in progress.

Conclusions
Network-based zero-day polymorphic worm signature generation
Vulnerability analysis of wireless network protocols: Mobile IP and EAP-TLS
Close work with Motorola liaisons
–Joint conference paper published, a journal paper submitted and a patent filed
Completed prototype/implementation code accessible to Motorola under the agreement
Thank You!

Deployment of WAIDM
Attached to a switch connecting BSs as a black box
Enables the early detection and mitigation of global-scale attacks
Could be a differentiator for Motorola's products
[Figure: (a) original configuration: Internet, switch/BS controller, BSs and users; (b) WAIDM deployed: the WAIDM system attached to a scan port of the switch/BS controller]

Experiment in Lab
We conducted a real-world experiment demonstrating the practicality of the attack on TLS by performing a DoS attack on Northwestern University's wireless network.
Northwestern Wireless requires users to authenticate using PEAP (Protected EAP), which internally uses TLS 1.0 as the security method for authentication. The user provides his ID (NetID) and password, which are then verified at a back-end authentication server.
We used:
–the libpcap library to sniff the channel
–the lorcon library to set the different parameters of the wireless network card and send spoofed messages
–a Proxim Orinoco Gold wireless network adapter
–MADWifi (madwifi-ng) drivers

EAP-TLS - Attack in Action
Simple attack: error alert message of level 'fatal' followed by a close_notify alert

Potential Solutions
Enhance the robustness of authentication protocols for wireless access
–Delayed response
»Wait for a short time to allow multiple responses
–Trust the good response
»An attacker cannot ultimately pass authentication by always spoofing good responses
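The failed-conversation slide states the TLS rule the attack leans on (a fatal alert closes the connection at once), and this slide proposes the fix: hold the error for a short window and prefer a good response if one arrives. The following is an added illustration written for this page, not the authors' prototype. It parses TLS records and alerts using the layout and values of TLS 1.0 (RFC 2246: content type 21 for alert, 22 for handshake, level 2 for fatal, description 0 for close_notify and 40 for handshake_failure), then compares the standard "abort on first fatal alert" policy with a supplicant-side delayed-response policy. The policy functions, the 0.5 s hold window, the constructed handshake bytes and the use of event timestamps in place of a real timer are all assumptions:

```python
"""TLS alert parsing plus the "delayed response / trust the good response"
handling sketched on the Potential Solutions slide. Added illustration, not
the authors' code; timing is simulated with event timestamps rather than a
real timer, and the handshake bytes below are constructed."""
import struct
from dataclasses import dataclass

# TLS 1.0 (RFC 2246) record content types and alert values.
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
ALERT_WARNING, ALERT_FATAL = 1, 2
CLOSE_NOTIFY, HANDSHAKE_FAILURE = 0, 40
HS_SERVER_HELLO = 2


@dataclass
class Record:
    content_type: int
    version: tuple
    payload: bytes


def parse_records(data):
    """Split a byte string into TLS records: 5-byte header (type, version, length) + payload."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append(Record(ctype, (major, minor), payload))
        offset += 5 + length
    if offset != len(data):
        raise ValueError("trailing bytes after last TLS record")
    return records


def is_fatal_alert(record):
    """True for an alert record whose level byte is 'fatal'."""
    return (record.content_type == CONTENT_ALERT
            and len(record.payload) == 2
            and record.payload[0] == ALERT_FATAL)


def build_alert(level, description, version=(3, 1)):
    """Encode one alert record (used here only to construct sample traffic)."""
    return struct.pack("!BBBH", CONTENT_ALERT, *version, 2) + bytes([level, description])


def build_handshake(hs_type, body, version=(3, 1)):
    """Encode one handshake record: 1-byte type, 3-byte length, body."""
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, *version, len(msg)) + msg


def immediate_policy(events):
    """Standard TLS behaviour: the first fatal alert tears the handshake down."""
    for _, raw in sorted(events):
        for record in parse_records(raw):
            if is_fatal_alert(record):
                return "aborted"
            if record.content_type == CONTENT_HANDSHAKE:
                return "continued"
    return "no_decision"


def delayed_policy(events, hold_window=0.5):
    """Hold a fatal alert for `hold_window` seconds instead of acting on it at once;
    if a handshake record arrives inside the window, prefer it and drop the alert."""
    held_since = None
    for t, raw in sorted(events):
        if held_since is not None and t - held_since > hold_window:
            return "aborted"  # window expired with no good response
        for record in parse_records(raw):
            if record.content_type == CONTENT_HANDSHAKE:
                return "continued"  # the good response wins over the held alert
            if is_fatal_alert(record) and held_since is None:
                held_since = t
    return "aborted" if held_since is not None else "no_decision"


# Constructed scenarios: (seconds after ClientHello, bytes received by the supplicant).
FATAL_ALERT = build_alert(ALERT_FATAL, HANDSHAKE_FAILURE)
CLOSE_ALERT = build_alert(ALERT_WARNING, CLOSE_NOTIFY)
SERVER_HELLO = build_handshake(HS_SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
SPOOFED = [(0.010, FATAL_ALERT), (0.012, CLOSE_ALERT), (0.150, SERVER_HELLO)]  # injected alerts, then the real ServerHello
GENUINE_FAILURE = [(0.010, FATAL_ALERT)]  # the server really refused; nothing else arrives
CLEAN = [(0.150, SERVER_HELLO)]

if __name__ == "__main__":
    for name, events in (("spoofed", SPOOFED), ("genuine failure", GENUINE_FAILURE), ("clean", CLEAN)):
        print(f"{name}: immediate={immediate_policy(events)} delayed={delayed_policy(events)}")
```

The alert bytes in the spoofed and genuine-failure scenarios are identical, which is the whole problem: before the handshake completes nothing authenticates an alert, so a record-level check cannot tell them apart. What separates them is what follows. With the delayed policy the spoofed case continues because the authentic ServerHello arrives inside the window, while the genuine refusal still aborts once the window passes, so a real server error is not masked, only postponed by the hold time.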