Poten&al Denial- of- Service Threat Assessment for Cogni&ve Radios

Transcription

1 oten&al Denial- of- Service Threat Assessment for Cogni&ve Radios Timothy X Brown*, Amita Sethi + *, + Interdisciplinary Telecommunica&ons *Electrical, Computer, and Energy Engineering University of Colorado, Boulder *Visi&ng rofessor Carnegie Mellon University, Rwanda resented at the ICT School on Applica&ons of Open Spectrum and White Spaces Technologies March 10,

2 Cogni&ve vs. Tradi&onal Radios User Interaction Via Operating System olicy Input Cognitive Engine Geo locator Sensor Radio A CR does more than a traditional radio 2

3 Cogni&ve Radios a Secure aradigm? Wireless Mobile Remotely Reconfigurable Opportunis&c Transmission based on Spectrum Availability Device s Spectrum Access Control via Spectrum olicies 3

4 Research Ques&on Which poten&al denial- of- service (DoS) awacks are cogni&ve radios suscep&ble to, what are the risks they represent, which security mechanisms can be employed to forestall the high- priority risk awacks, and which cogni&ve radio (CR) designs are the most suscep&ble to these cri&cal risks? 4

5 Denial- of- Service (DoS) AWacks DoS is the preven&on of authorized access to a system resource or the delaying of system opera&ons and func&ons [RFC2828]. 5

6 Tradi&onal DoS AWack Transmitter Receiver Communications Receiver Jamming 6

7 DoS AWack Categories Denial / Induce Deny Communication When Could Immediate DoS Induce Communication When Should Not Long term DoS 7

8 Example Denial AWacks Sensor Failures Scenario1: AWacker Emulates rimary User CR Attacker CR Detect Range Attacker Denies Access 8

9 Example Induce AWacks Sensor Failures Scenario 2: AWacker Masks rimary User`s Signals. U CR Attacker Attacker Induces CR to Interfere with rimary User 9

10 Example Denial/Induce AWacks olicy Failure in Beaconing System Spoofs Beacon Jams Beacon Intercepts CR Transmitter Range Misuses Operational Frequency Information to launch Denial/Induce attacks 10

11 CR Avenues of AWack Victim CR CR Detection Range Jam Received Signal Replay/Spoof/Relay acket Spoof Signal CR Jamming Range CR Receive Range CR Detect Range 11

12 AWack Analysis Methodology Hypothesize the AWack Scenario Iden&fy the Associated Threats Organize the Associated Threats in a Hammer Model framework Assign a Quan&ta&ve Risk Value to the AWack based on its Likelihood and Impact (Risk Assessment) 12

13 AWack Analysis: Threat Categoriza&on Ini&a&ng (Triggering Event) Associated (Other Causal Events) Contributory rimary (Outcome) 13

14 AWack Analysis: Hammer Model Framework Modeling tool to represent an awack scenario into a sequence of ini&a&ng and contributory threats that result in one of more primary threats. rimarily Used for Qualita&ve Scenario based AWack Analysis. Example Applica&on in System Safety Hazard Analysis in Federal Avia&on Administra&on. 14

15 Threats from Attackers Outside the CR system Threats from Within the Example Fuel Tank Rupture Scenario CR system DoS Outcomes 15

16 AWack Analysis: Risk Assessment (1/3) 1. Assess the Technical Likelihood of the AWack Rationale: Technical roblems to Attacker Likelihood Case Rank Insolvable Impossible 0 Strong Low 1 Solvable Medium 2 None High 3 16

17 AWack Analysis: Risk Assessment (2/3) Assess the Impact of the Attack Rationale: Impact on Victim Denial Attacks Induce Attacks Impact Case Rank None None None 0 erceptible but insignificant degradation in CR communication. Significant degradation but still operational CR communication. Non-operational CR communication erceptible but infrequent interference to active primary users erceptible frequent interference to active primary users Continuous interference to active primary users Low 1 Medium 2 High 3

18 AWack Analysis: Risk Assessment (3/3) 3. Risk Level = Likelihood Rank Х Impact Rank High MINOR MAJOR CRIT. CRIT. Medium Low Likelihood MINOR MINOR MAJOR CRIT. MINOR MINOR MINOR MAJOR None MINOR MINOR MINOR MINOR None Impact Low Medium High Risk Case Minor Major Critical Risk Mitigation Action No Countermeasures Required Threat cannot be Ignored Mandates High riority Handling 18

19 Research Methodology Define Acceptable Risk Levels System Description DoS Attack Identification: Identify DoS Attacks and Consequences Risk Analysis: Analyze Attacks and Identify Risks Risk Assessment: Consolidate and rioritize Risks Risk Management Risks Above Acceptable Risk Levels? Yes Risk Mitigation: Identify Countermeasures for high priority risks Modify System No Recommend System Design 19

20 Acceptable Risk Levels Every Cri&cal or Major Threats should be countered in the CR System. Any Major Threats with high likelihood but low impact, or low likelihood but high impact need to be countered but are ul&mately acceptable. Minor Threats can be ignored. 20

21 Research Outline Define Acceptable Risk Levels System Description DoS Attack Identification: Identify DoS Attacks and Consequences Risk Analysis: Analyze Attacks and Identify Risks Risk Assessment: Consolidate and rioritize Risks Risk Management Risks Above Acceptable Risk Levels? Yes Risk Mitigation: Identify Countermeasures for high priority risks Modify System No Recommend System Design 21

22 System Descrip&on Target System: Cogni&ve Radios Key Challenge: Mul&- Dimensional CR Configura&ons 22

23 Mul&- Dimensional CR Configura&ons Underlay Spectrum Access Method Overlay NoncooperativeCooperative Centralized Distributed Cooperative Spectrum Awareness Method Detection/ Sensing CR Network Architecture Beacon/ Control Signal Geo-locate/ Access DB 23

24 CR Network Architectures CR N/w Architectures Non- coopera&ve Non-Cooperative Cooperative Centralized Distributed Attacker Emulates rimary User CR Detect Range Victim CR Attacker Successfully Denies Access 24

25 CR Network Architectures CR N/w Architectures Distributed Coopera&ve Non-Cooperative Cooperative Centralized Distributed Attacker Emulates rimary User (Spoofs Sensor Input) Cooperative CR Network Collated Sensor Network Measurements make the attack less effective. 25

26 CR Network Architectures CR N/w Architectures Centralized Coopera&ve Non-Cooperative Cooperative Centralized Distributed Attacker Emulates rimary User Sensor Node Central Authority Active rimary Users Database CR Attack is Ineffective due to ossible Verification of Collated Network Measurement against Active rimary User s DB 26

27 Spectrum Access Methods Spectrum Access Methods Overlay Underlay Overlay Underlay CR CR Spoof Spoof CR CR does not React to rimary User Emulation CR is Denied Access Time CR Or Induced to Interfere 27

28 Spectrum Awareness Methods Spectrum Awareness Geo-locate/ Access DB Beacon/ Control Signal Detection/ Sensing rone to Location/ DB Spoof, Jam, Replay Geo-locate/ Access DB Detection/ Sensing rone to Sensing Spoof, Jam, Replay TV Database olicy Database Cellular Database Radar Database rimary Users Database Beacon/ Control Signal rone to Beacon/Control Signal Spoof, Jam, Relay RF Environment 28

29 Research Outline Define Acceptable Risk Levels System Description DoS Attack Identification: Identify DoS Attacks and Consequences Risk Analysis: Analyze Attacks and Identify Risks Risk Assessment: Consolidate and rioritize Risks Risk Management Risks Above Acceptable Risk Levels? Yes Risk Mitigation: Identify Countermeasures for high priority risks Modify System No Recommend System Design 29

30 DoS AWack Iden&fica&on ossible AWack Methods Considered Constant or Direct Jamming Intelligent Jamming Intercept or Eavesdropping Spoofing Replay Relay Cryptanalysis 30

31 DoS AWacks Iden&fied Against.. olicy, Sensor, Geo- loca&on and Other Networked Informa&on exchanged Between CR Elements in a Distributed CR. Among CRs in a Distributed Coopera&ve Setup. Between CRs and Central En&ty in a Centralized Coopera&ve Setup. From Central En&ty to Non- coopera&ve CRs. 31

32 DoS AWacks Iden&fied Against.. Networked CR Network En&&es such as Elements in a Distributed CR. Networked CRs in a Distributed Coopera&ve Setup. En&&es in a Centralized Coopera&ve Setup. Spectrum Informa&on Sensed by CR CR Transmission/Recep&on 32

33 Research Outline Define Acceptable Risk Levels System Description DoS Attack Identification: Identify DoS Attacks and Consequences Risk Analysis: Analyze Attacks and Identify Risks Risk Assessment: Consolidate and rioritize Risks Risk Management Risks Above Acceptable Risk Levels? Yes Risk Mitigation: Identify Countermeasures for high priority risks Modify System No Recommend System Design 33

34 Example AWack Analysis: rimary User Emula&on AWack in Non- Coopera&ve Architecture Attack reconditions Main Initiating Threat INITIATING THREATS Spoofed Signal is detected by Victim, factors to consider: Attacker s Signal ower and Distance > Victim s signal detection threshold. Frequency of Victim Sensing. Spoofed Signal is relevant to the Victim, factors to consider: olicy requires CR to vacate licensed bands on detecting the presence of primary users. Attacker Spoofs or Replays Licensed User Transmissions on Target Channel (S) Attacker Spoofs/Replays Licensed User Transmissions On Every ossible Licensed Channel (S) AND asses Energybased rimary User Detection Technique AND CONTRIBUTORY THREATS SECTRUM AVAILABILITY DATA VALIDATION ACROSS CO-OERATIVE GROU MEMBERS AND No Other On Device Spectrum Availability Data Validation Method Accessible (S) No Spectrum Availability Data Accessible From Co-operative Group Members (NC) AND SECTRUM AVAILABILITY DATA VALIDATION ACROSS MULTILE ON-DEVICE METHODS AND RIMARY THREATS revents CR Communication on Target Channel Induces Spectrum Handoff if CR is Operating on Target Channel Denies CR Communication 34

35 Example AWack Analysis: rimary User Emula&on AWack in Coopera&ve Architectures INITIATING THREATS Attacker Spoofs/Replays Licensed User Transmissions in Multiple Cooperative Group Members ((DC) OR (CC)) Attacker Injects Spoofed Spectrum Availability Information in Multiple Cooperative Group Members ((DC) OR (CC)) Attacker Blocks Access to Networked Spectrum Availability Information In Multiple Cooperative Group Members ((DC) OR (CC)) Spoofed Signal is detected by Victim, factors to consider: Attacker s Signal ower and Distance > Victim s signal detection threshold. Frequency of Victim Sensing. Spoofed Signal is relevant to the Victim, factors to consider: olicy requires CR to vacate licensed bands on detecting the presence of primary users. Attacker Spoofs or Replays Licensed User Transmissions on Target Channel (S) Attacker Spoofs or Replays Licensed User Transmissions On Every ossible Licensed Channel (S) AND asses Energybased rimary User Detection Technique AND CONTRIBUTORY THREATS asses Spectrum Availability Data Validation With Co-operative Group Members (CC) OR (DC) AND OR SECTRUM AVAILABILITY DATA VALIDATION ACROSS CO-OERATIVE GROU MEMBERS No Other On Device Spectrum Availability Data Validation Method Accessible (S) OR AND SECTRUM AVAILABILITY DATA VALIDATION ACROSS MULTILE ON-DEVICE METHODS No Spectrum Availability Data Validation ossible With Co-operative Group Members (CC) OR (DC) AND RIMARY THREATS revents CR Communication on Target Channel Induces Spectrum Handoff if CR is Operating on Target Channel Denies CR Communication 35

36 Example AWack Analysis: General Hammer Model for rimary User Emula&on AWack INITIATING THREATS Attacker Spoofs/Replays Licensed User Transmissions in Multiple Cooperative Group Members ((DC) OR (CC)) Attacker Injects Spoofed Spectrum Availability Information in Multiple Cooperative Group Members ((DC) OR (CC)) Attacker Blocks Access to Networked Spectrum Availability Information In Multiple Cooperative Group Members ((DC) OR (CC)) Spoofed Signal is detected by Victim, factors to consider: Attacker s Signal ower and Distance > Victim s signal detection threshold. Frequency of Victim Sensing. Spoofed Signal is relevant to the Victim, factors to consider: olicy requires CR to vacate licensed bands on detecting the presence of primary users. Attacker Spoofs or Replays Licensed User Transmissions on Target Channel (S) OR (S AND B) OR (S AND G) OR (S AND G AND B) Attacker Injects Spoofed Spectrum Availability Information through Multiple Methods employed by the victim (S AND B) OR (S AND G) OR (S AND G AND B) Attacker Blocks Spectrum Availability Information Access through Multiple Methods employed by the victim (S AND B) OR (S AND G) OR (S AND G AND B) Attacker Spoofs/Replays Licensed User Transmissions On Every ossible Licensed Channel (S) OR (S AND B) OR (S AND G) OR (S AND G AND B) AND asses Energybased rimary User Detection Technique AND asses Spectrum Availability Data Validation With On Device Methods (S AND B) OR (S AND G) OR (S AND G AND B) CONTRIBUTORY THREATS asses Spectrum Availability Data Validation With Cooperative Group Members (CC) OR (DC) AND OR No Other On Device Spectrum Availability Data Validation Method Accessible (S) SECTRUM AVAILABILITY DATA VALIDATION ACROSS MULTILE ON- DEVICE METHODS SECTRUM AVAILABILITY DATA VALIDATION ACROSS CO-OERATIVE GROU MEMBERS No Spectrum Availability Data Accessible From Co-operative Group Members (NC) OR ((CC OR DC) AND (No Sharing)) OR AND No Spectrum Availability Data Accessible from any other of Multiple Methods (S AND B) OR (S AND G) OR (S AND G AND B) No Spectrum Availability Data Validation ossible With Cooperative Group Members (CC) OR (DC) AND RIMARY THREATS revents CR Communication on Target Channel Induces Spectrum Handoff if CR is Operating on Target Channel Denies CR Communication 36

37 Example Risk Assessment Likely ossible Low Likelihood Spectrum Access Method: Overlay OR Underlay Spectrum Awareness Method: Detection/Sensing Impact Low Medium High Attack.. The Attacker Emulates rimary User Non- Cooperative Centralized Cooperative Distributed Cooperative On all Licensed Channels CRITICAL MAJOR MAJOR On Specific Licensed Channel MAJOR MINOR MINOR 37

38 Research Outline Define Acceptable Risk Levels System Description DoS Attack Identification: Identify DoS Attacks and Consequences Risk Analysis: Analyze Attacks and Identify Risks Risk Assessment: Consolidate and rioritize Risks Risk Management Risks Above Acceptable Risk Levels? Yes Risk Mitigation: Identify Countermeasures for high priority risks Modify System No Recommend System Design 38

39 Risk Management: hase I Risk Assessment Results (1/2) 39

40 Risk Management: hase I Risk Assessment Results (2/2) Cumulative CRITICAL Risk Value Non- Cooperative Centralized Cooperative Distributed Cooperative Total Risk Value Total CRITICAL + MAJOR Risk Value Beacon Cumulative MAJOR Risk Value Overlay Underlay Total Geo-locate Detection Beacon Geo-locate Detection Risk Database Sensing Database Sensing Value 18, 4 42, 6 12, 6 6, 8 30, 6 6, , 4 39, 6 9, 10 6, 8 27, 6 6, , 4 6, 9 6, 10 6, 8 6, 3 0,

41 Risk Management: Next Steps Devise Countermeasure for Above Acceptable Risk Level AWacks. Example: rimary User Emula&on AWack Mi&ga&on CR uses Feature based rimary User Detec&on Technique Modify CR System: Harden with Countermeasures 41

42 Research Outline Define Acceptable Risk Levels System Description DoS Attack Identification: Identify DoS Attacks and Consequences Risk Analysis: Analyze Attacks and Identify Risks Risk Assessment: Consolidate and rioritize Risks Risk Management Risks Above Acceptable Risk Levels? Yes Risk Mitigation: Identify Countermeasures for high priority risks Modify System No Finalize System Design 42

43 hase II Risk Analysis Re- analyze High- riority AWacks for Modified CR System Re- assess Risk Level based on Likelihood and Impact 43

44 Research Outline Define Acceptable Risk Levels System Description DoS Attack Identification: Identify DoS Attacks and Consequences Risk Analysis: Analyze Attacks and Identify Risks Risk Assessment: Consolidate and rioritize Risks Risk Management Risks Above Acceptable Risk Levels? Yes Risk Mitigation: Identify Countermeasures for high priority risks Modify System No Recommend System Design 44

45 Risk Management: hase II Risk Assessment Results CR Configuration used in Non- Cooperative Centralized Cooperative Distributed Cooperative Total Risk Value Beacon Overlay Underlay Total Geo-locate Detection Beacon Geo-locate Detection Risk Database Sensing Database Sensing Value 6, 6 0, 9 0, 6 0, 7 0, 3 0, , 9 0, 9 0, 9 0, 3 0, 3 0, , 9 0, 9 0, 6 0, 3 0, 3 0, Least Vulnerable CR Configurations 45

46 Research Outline Define Acceptable Risk Levels System Description DoS Attack Identification: Identify DoS Attacks and Consequences Risk Analysis: Analyze Attacks and Identify Risks Risk Assessment: Consolidate and rioritize Risks Risk Management Risks Above Acceptable Risk Levels? Yes Risk Mitigation: Identify Countermeasures for high priority risks Modify System No Recommend System Design 46

47 CR Design Recommenda&ons Underlay Spectrum Access Method Overlay NoncooperativeCooperative Centralized Distributed Cooperative Spectrum Awareness Method Beacon/ Control Signal Detection/ Sensing CR Network Architecture Geo-locate/ Access DB 47

48 Conclusion CRs are suscep&ble to awacks. CRs open new avenues of awack. A Formal Risk Analysis and Assessment rocess can help guide the least vulnerable CR Design aradigm NOW is the best &me to devise countermeasures to reduce CR- specific vulnerabili&es. 48

49 References T. X Brown, A. Sethi, oten&al Cogni&ve Radio Denial- of- Service Vulnerabili&es and rotec&on Countermeasures: a Mul&- dimensional Analysis and Assessment, Journal Mobile Networks and Applica6ons, v. 13, n. 5, October 2008, pp , 17 p. A. Sethi, T. X Brown, Hammer Model Threat Assessment of Cogni&ve Radio Denial of Service AWacks, IEEE Dynamic Spectrum Access Networks (DySpAN), Chicago, Oct , T. X Brown, A. Sethi, oten&al Cogni&ve Radio Denial- of- Service Vulnerabili&es And rotec&on Countermeasures: A Mul&- dimensional Analysis/Assessment, roc. Second Int. Conf. on Cogni6ve Radio Oriented Wireless Networks and Communica6ons (CrownCom), Orlando, FL, Aug 1-3, pp. T. X Brown, A. Sethi, oten&al Cogni&ve Radio Denial- of- Service Vulnerabili&es and Countermeasures, in roc. Int. Symposium on Advanced Radio Technologies (ISART), Boulder, Feb February 25, 2008 Thesis Defense resentation 49