communication systems group
Detection of Attacks on Application and Routing Layer in Tactical MANETs
Elmar Gerhards-Padilla, Nils Aschenbruck

Structure
- Mobile Ad-hoc Network (MANET)
- Tactical MANET
- Reference scenario
- Routing in MANETs
- Security risks
- Routing attacks
- Topology Graph based Anomaly Detection (TOGBAD)
- Summary

Vision of Mobile Ad-hoc Networks
- Ad hoc networks aim for
  - ubiquitous communication
    - communication everywhere
  - self-configuration
    - No manual interaction
  - small devices
    - such as mobile phones, wrist watches...
  - low cost
  - efficient

Characteristics of Mobile Ad-hoc Networks
- No Infrastructure
  - every station is potentially a router
  - small devices have limited: power, memory, CPU
- Stations are (potentially) mobile
  - topology is highly dynamic
  - networks may split and (re-)merge
  - route lifetimes are potentially very short
- Capacity is limited
  - frequent exchange of routing information may lead to severe capacity degradation

Tactical MANETs
- Specialised for
  - military scenarios
  - disaster area scenarios
- Command structure
  - supervising nodes
    - Stay in the background
    - Have access to power supply
    - More powerful hardware
  - supervised nodes
- High probability of enemies
  - Hostile units
  - Terrorists

Reference Scenario
Figure: http://www.streitkraeftebasis.de/

Routing in MANETs
- Wired networks
  - Central router
  - Difficult access
  - Well secured
- In MANETs
  - (potentially) every station router
  - Easy access
  - Badly secured
- Network nodes can easily influence routing

Routing in MANETs
Example: Optimized Link State Routing
[Figure: nodes A, B and C exchanging Hello messages; labels "Hello", "Neighbor: A", "Neighbor: B", "2-Hop: A"]
- Nodes transmit special routing messages
- Nodes learn about available routes by routing messages
Figure source: http://www.streitkraeftebasis.de/

Security risks
- Routing layer (MANETs)
  - Routing attacks
  - TOGBAD
- Application layer (known from wired networks)
  - Denial of Service
  - Worms
  - Viruses
  - CBAD
- Lower layers (wireless networks)
  - Jamming
  - Open Medium

Routing attacks
- Approach
  - Attacker sends falsified routing messages
  - Gains control over routes
  - Gains control of traffic between nodes
- Goals
  - Eavesdropping messages
  - Selectively dropping data
  - Manipulating data
  - Launching a Denial of Service attack

Routing attacks: Black Hole
[Figure: Hello message labelled "Neighbor: A, B, C, D, E, F, G"]
Figure: http://www.streitkraeftebasis.de/

TOGBAD
- Topology graph
  - nodes monitor traffic
  - send traffic statistics to central TOGBAD instance
  - creation of topology graph at TOGBAD instance
- Hello messages
  - nodes extract number of neighbors from Hello messages
  - send number of neighbors to central TOGBAD instance
- Plausibility check
  - Compare number of neighbors from Hello messages to number of neighbors in topology graph

TOGBAD
[Figure: processing flow, input "Messages (Data+Routing) of all nodes"]
- (1) Send statistics to central TOGBAD instance
- (2) Topology-Graph
- (3) Graph analysis: number of neighbours in Topology-Graph
- (4) Extraction of number of neighbours in Hello message
- (5) Send to central TOGBAD instance: received number of neighbours in message
- (6) Plausibility check

TOGBAD
[Figure: nodes A, B, C and the TOGBAD instance; two Hello messages labelled "Neighbor: A"; report labelled "Statistics: Connection A-B, A-C" and "Neighbors advertised: B 1, C 1"]
Figure: http://www.streitkraeftebasis.de/

Evaluation TOGBAD
- Scenario:
  - 25 nodes on 1000m x 1000m
  - 200m transmission range
  - Movement according to Random Waypoint Model
  - Black Hole sends Hello-Messages with 24 neighbors
- Black Hole diff-values bigger than Maximum of diff-values over all other nodes

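
The plausibility check and the diff-values from the TOGBAD slides, as an added example that is not taken from the slides or from the TOGBAD implementation. Assumptions: the report format, taking diff as advertised neighbor count minus degree in the topology graph, keeping the largest claim per node, and the threshold value; the sample reports are constructed.

```python
from collections import defaultdict

# Constructed sample: what four nodes might send to the central instance.
# "links" = connections seen in monitored traffic, "hello" = neighbor counts
# read from overheard Hello messages. X is in range of D only but claims 5.
# The real link B-C carried no traffic, so it is missing from the statistics.
REPORTS = [
    {"links": [("A", "B"), ("A", "C")], "hello": {"B": 2, "C": 3}},
    {"links": [("C", "A"), ("C", "D")], "hello": {"A": 2, "B": 2, "D": 3}},
    {"links": [("D", "C"), ("D", "E"), ("D", "X")], "hello": {"C": 3, "E": 1, "X": 5}},
    {"links": [("E", "D")], "hello": {"D": 3}},
]

def build_topology(reports):
    """Undirected topology graph from the reported traffic statistics."""
    graph = defaultdict(set)
    for report in reports:
        for a, b in report["links"]:
            if a != b:
                graph[a].add(b)
                graph[b].add(a)
    return graph

def diff_values(reports):
    """Assumed metric: advertised neighbor count minus degree in the graph."""
    graph = build_topology(reports)
    advertised = {}
    for report in reports:
        for node, count in report["hello"].items():
            # Keep the largest claim seen for a node across all reporters.
            advertised[node] = max(count, advertised.get(node, 0))
    return {node: count - len(graph.get(node, ()))
            for node, count in advertised.items()}

def suspects(diffs, threshold):
    """Nodes whose Hello claims exceed the observed topology by more than threshold."""
    return sorted(node for node, d in diffs.items() if d > threshold)

if __name__ == "__main__":
    diffs = diff_values(REPORTS)
    for node in sorted(diffs):
        print(node, diffs[node])
    print("suspects:", suspects(diffs, threshold=2))
```

Honest nodes B and C get a small positive diff because a quiet link is absent from the traffic statistics, which is why the check needs a threshold rather than flagging every nonzero diff.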
Summary
- MANETs
  - Different attacks possible
  - Especially routing attacks
  - Different sensors needed
- TOGBAD
  - Uses topology graphs
  - Performs plausibility checks for routing messages
  - Identifies attackers sending falsified routing messages
- Future work
  - Further evaluation needed
  - Overhead introduced by TOGBAD
  - Attacks against TOGBAD
  - Influence of Black Hole on TOGBAD messages