A Formal Rule-based Scheme for Digital Investigation in Wireless Ad-hoc Networks

Slim Rekhis and Noureddine Boudriga
Communication Networks and Security Research Lab, University of the 7th November at Carthage, Tunisia
http://www.cnas.org.tn
slim.rekhis@gmail.com, nab@supcom.rnu.tn

Abstract

Existing investigation schemes are not suitable to cope with attacks in wireless networks, especially in MANets. We propose in this paper a formal approach for digital investigation of security attacks in wireless networks. We provide a model for describing attack scenarios in a wireless environment, and the system and network evidences generated consequently. We develop an inference system that integrates the two types of evidences, handles incompleteness and duplication of information in them, and allows to generate potential and provable actions and attack scenarios. To exemplify the proposal, we consider a case study dealing with a Denial of Service attack on a web server, where the attacker and the target represent mobile nodes.

Keywords: Digital Investigation, Wireless Networks, Formal Proof, Attack Scenarios Reconstruction, Network of Observation.

I. INTRODUCTION

Digital investigation of security incidents emerged in response to the increasing number and sophistication of security attacks. It is defined as the use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal or helping to anticipate the unauthorized actions shown to be disruptive to planned operations [1].
One important element of digital forensic investigation is the examination of the digital evidences collected from the compromised systems to: a) reconstruct the occurred attack scenario; b) identify the location(s) from which the attacker has remotely executed the actions part of the scenario; c) understand what occurred in order to prevent future similar incidents; and d) support the results with irrefutable proofs.

Few propositions were made in the literature to formalize and automate the reconstruction of potential attack scenarios, provide irrefutable proofs, and alleviate the complexity of their generation. Stephenson took interest [2] in the root cause analysis of digital incidents and used Colored Petri Nets. Stallard and Levitt used [3] an expert system with a decision tree that exploits invariant relationships between existing data redundancies within the investigated system. Gladychev provided in [4] a Finite State Machine (FSM) approach for the construction of potential attack scenarios, discarding the scenarios that disagree with the available evidences.

In spite of their efficiency, all the approaches cited above are unsuitable to cope with attacks in wireless networks, especially in Mobile Ad-hoc Networks (MANets). The following assumptions they make do not fit the characteristics of MANets: a) intermediate routers are assumed to be trusted and do not contribute to the security incident; b) the routing path followed by the malicious traffic is assumed to be, in the great majority of cases, unchangeable during the attack scenario; and c) the network topology is kept static during the attack, making the network security solutions (e.g., IDS) installed to monitor the attacker or the victim network able to capture all the network traffic that conveys the attack.

Therefore, providing a formal investigation scheme which is suitable for the reconstruction of potential attack scenarios in the context of MANets is of major importance.

To the best of our knowledge, the literature contains no paper treating the problem of formal investigation of digital security attacks in the context of wireless networks. A few works have only pointed out the problem. Slay and Turnbul [5], for instance, discussed the forensic issues associated with the 802.11a/b/g wireless technology. They stressed the need for technical solutions to evidence collection that cope with the wireless environment. Some other works have concentrated on a specific issue, which is the traceback of the intruders' source. Huang and Lee [6], for instance, proposed a Hotspot-based traceback approach to reconstruct the attack path in MANets and handle topology variation. They used Tagged Bloom Filters to store information on incoming packets when they cross the network routers. The technique is tolerant to adversaries that try to mislead the investigation by injecting false information. It allows to detect suspicious areas, called Hotspots, where some adversaries may reside. Kim and Helmy [7] used small worlds in MANETs, and base the traceback scheme on traffic pattern and volume matching. Despite its significant results, the proposed scheme is not suitable for a precise tracking of the mobility of intermediate nodes and attack path variation.

2009 Fourth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, 978-0-7695-3792-4/09 $25.00 © 2009 IEEE, DOI 10.1109/SADFE.2009.1662

We provide in this work a framework for formal digital investigation of security attacks in MANets.
We propose a model for describing attack scenarios and characterizing two types of evidences that can be generated consequently, namely network and system evidences. Evidences in the network are generated by a set of nodes, called observers, that we distribute in the MANet in order to monitor the traffic sent to/from nodes within their transmission range. Evidences in the system are generated by the set of installed security solutions. We propose an inference system that integrates the two types of evidences, handles incompleteness and duplication of information in them, and allows to generate potential and provable actions and attack scenarios. We consider a case study dealing with a Denial of Service attack on a Web server, where the attacker and the target represent mobile nodes. To the best of our knowledge, this is the first work that copes with the problem of formal digital investigation in wireless networks.

The paper is organized as follows. The next section describes the set of requirements for digital investigation in MANets and describes the characteristics of the considered MANet. Section III provides a model for describing wireless attack scenarios and characterizes the evidences provided by security solutions and observer nodes. Section IV proposes an inference system to prove attack scenarios in wireless networks. In Section V, we describe a methodology for digital investigation which shows the use of the inference system. In Section VI a case study is proposed. The last section concludes the work.

II. STATEMENTS FOR INVESTIGATION IN WIRELESS ENVIRONMENTS

In this section, we take interest in identifying the requirements to be fulfilled by a digital investigation scheme suitable to support attack scenario reconstruction in wireless networks. After that, we describe the characteristics of an investigation-prone MANet.

A. Requirements for digital investigation in MANets

Defining a framework for digital investigation in wireless networks, especially Ad-Hoc networks, turns out to be more tricky and challenging than in wireline networks. To do so, a set of requirements should be fulfilled.

First, attacks are mobile, meaning that during an attack scenario, the attacker can change its identity, position, location, and point of access. A formal model of digital investigation in wireless networks should integrate such mobility-based information when modeling actions in the attack scenario.

Second, to efficiently collect the mobility-based information, a set of trusted nodes should be distributed over the network and used for that purpose. These nodes, which we call observers, should be equipped with a set of mechanisms and solutions useful to supervise, log, and track events related to node movement, topology variation, roaming and IP handoff, and cluster creation, splitting and merging.

Third, as observer nodes are distributed over the network and under mobility, an occurring event may be: a) detected and reported by all observers in the network; b) detected and reported by a subset of observer nodes, since some of them are out of the communication range of the attacker, the victim, and the intermediate nodes which route the attack traffic; or c) totally unobserved, as the attack propagation zone was not covered by any observer during the attack scenario occurrence. To efficiently investigate an attack scenario, mechanisms for correlating, filtering, and aggregating the collected events should be developed.

Fourth, typically the investigation of an attack requires a secure delivery of observations to a central investigation node. However, due to mobility effects, the establishment of a routing path between an observer and the central investigation node may not be guaranteed.
Therefore, choosing any observer node in the network (based, for instance, on the availability rate of its computational resources, or the degree of its connectivity to other observer nodes that have observed the traffic related to the attack) to be in charge of collecting observations and investigating the attack is of high interest.

Fifth, some malicious events, part of an attack scenario, may target the network layer and therefore do not generate evidences in the system. Conversely, some of the events that compromise the system are invisible to the network security solutions. Providing suitable mechanisms to correlate all types of evidences (network, system, and storage), handle incompleteness in them, and characterize provable system properties is of utmost importance.

Finally, to prove attack scenarios starting from incomplete evidences, a formalism for hypotheses generation should be developed to provide tolerance to missing information.

B. Characteristics of the considered MANet

We consider in this work a MANet composed of two types of nodes which are randomly deployed over the network and under mobility, namely user nodes and observer nodes. A user node can be a malicious or a legitimate node, and may also be the target of the attack scenarios. Typically, user devices can dynamically connect to and disconnect from the network, making their number variable. Observer nodes form a network of observation and are responsible for: a) maintaining a library of known attacks and their patterns; b) generating, for every pair of communicating user nodes, digital evidences containing information on the remotely executed actions and the values of some parameters extracted from the datagrams sent by the attacker; and c) securely sending and forwarding evidences generated by other observers to the node in charge of investigation. The latter can be any observer node which is chosen (based for instance on the distance separating observers from the attacker node) to: a) securely collect observations from the remaining observer nodes and the compromised node; b) correlate and merge collected evidences; c) reconstruct and identify potential attack scenarios satisfying the obtained evidences; and d) generate hypotheses regarding undetected actions.

Depending on the sensitivity of the traffic exchanged between nodes, the observer nodes can be special nodes in charge of observation or any user node endowed with extra investigation and evidence-collection functions. We believe that, for efficiency of observation and investigation, the network of observers is appropriate. Note that if the nodes in the MANet are sufficiently dense in a given area, the size of the observer network would be smaller than the number of nodes in the MANet by a factor of      where    and    are the communication radius of observer nodes and user nodes, respectively.

Two security levels are assumed. The first level is related to mobile devices, which can either be legitimate or malicious. The second level is related to observers and the central investigation node. The latter are assumed to be highly secured, trusted, compromise independent, and able to securely communicate. To do so, a set of key credentials is securely distributed and stored in each node during the system initialization and a set of cryptographic protocols is used. Properties such as authentication, secrecy, non repudiation, and anti-replay are assumed to be guaranteed.

All network links are supposed to be bidirectional, allowing an observer node to continuously monitor the network while delivering its observations to the central investigation nodes. The probability of datagram collisions is reduced to its lowest value. All observer nodes are supposed to overhear traffic within their transmission range.
Their interfaces operate in promiscuous mode to monitor the traffic of neighboring nodes. For every node in the network a list of neighbors is supposed to be available. A secure neighbor discovery protocol could be used for that purpose.

III. MODELING WIRELESS ATTACK SCENARIOS

We describe in this section a model for describing attack scenarios, digital evidences, and the security solutions that generate them.

A. Modeling attack scenarios from the system viewpoint

We consider a system specification    that models the investigated system by a set of variables V and a library of elementary actions A containing suspicious and legitimate actions. A system state    ∈ S is a valuation of all variables in V. It can be written as    = (  1[  ], ...,   [  ]), where ∀   ∈ [1..  ]:    ∈ V and   [  ] is the value of    in state   . A system action    ∈ A denotes the event to be executed on the specified system. It describes, for every variable    in V, the relation between its value in the previous state, say   , and its value in the new state, say   .   (  ,   ) =   , iff action    is enabled in state    and the execution of action    on state    would produce state   .

A wireless attack scenario, say ω, such that ω ∈ Ω, is generated by sequentially executing a series of actions in A, starting from an initial state, say   0, letting the system move to a state, say   , along a series of intermediate states. Formally, we define a system execution ω in the following form ω =   0,   1,   1, ...,   −1,   ,   , where: a) ∀   ∈ [0..  ]: (   ∈ A); and b) ∀ (   ∈ A ∧   ∈ [1..  ]):   (  −1) =   .

An execution ω =   0,   1,   1, ...,     can be written as ω = ω  | ω  where ω  =   0,   1,   1, ...,   ,    and ω  =    +1,   +1, ...,   ,    for   ∈ [1,   −1]. We denote by ω  the series of actions obtained from ω after deleting all system states, and by ω  the series of system states obtained from ω after deleting all executed actions.

Actions part of ω  are locally or remotely executed on the target system. An action can be executed locally if it is triggered by a script which is installed by the attacker on the compromised system. It can also be executed by the attacked system (potentially by the installed security solutions) as a response to a previously executed malicious action in order to cancel or mitigate its effect. We denote by ω  |   the series of remote actions obtained from ω  after deleting local actions, and by ω  |   the series of local actions obtained from ω  after deleting remote actions.

B. Modeling security solutions and system evidences

We consider an observation function   () over states and attack scenarios. It allows to characterize the security solutions used to monitor the investigated system. The output of the   () function represents the evidence generated by the related security solution. Such evidence will only show incomplete information regarding the executed actions and the description of the system states generated consequently.

We define the observable part of a state   , as   (  ) = [  (  1[  ]),   (  2[  ]), ...,   (  [  ])], where   () represents a labeling function that is used to assign to   [  ] a value equal to one of the following three:

•   [  ]: The variable    is visible and its value can be captured by the observer. The variable value is thus kept unchanged.
• A fictive value    such that    ∉   : The variable is visible to the observer but the variation of its value does not bring it any supplementary information (e.g., the observer is monitoring a variable value which is encrypted). The variable value is transformed to a fictive value   .
• An empty value ∅: The variable is invisible, such that no information regarding its value could be determined by the observer.

Note that   (  [  ]) can be defined in a conditional form, letting it depend on the value of an additional predicate.

Given an attack scenario ω =   0,   1,   1, ...,   −1,   ,   , we define the observable part of ω by   (ω).   (ω) is computed in two stages. First, let   (ω ) be the sequence obtained from ω  =   (  0), ...,   (  ) after replacing each state    by   (  ). Then   (ω) is obtained from   (ω ) by replacing any maximal sub-sequence   (  ), ...,   (  ) such that   (  ) = ... =   (  ) by a single state observation, namely   (  ).

The intermediate steps followed to compute   (ω) are based on the fact that: a) the great majority of installed security solutions are able to monitor the system behavior further to the execution of an action and not the executed action itself; and b) if a set of successive states has the same observation, an observer of the execution is not able to distinguish whether the system has progressed from a state to another or not.

Example 1: We consider a system modeled by two variables, namely   1 and   2. Variable   1 represents the state of a service, say   . It can take value 0 or 1 to mean that the service is down or up, respectively. Variable   2 represents the size (in bytes) of the buffer from which the service    reads the user commands. It can take any integer value between 0 and 2, where 2 is the buffer size limit. We consider a library of elementary actions composed of two actions, namely   1 and   2. Action   1 consists in stopping the service. It sets the value of variable   1 to 0. Action   2 consists in typing a specific user command whose size is equal to 1 byte. It is only enabled if the value of variable   2 is less than or equal to 2. If the value of   2 is strictly less than 2, only the value of variable   2 in the new state is set to 1 greater than its value in its old state. If the value of variable   2 is equal to 2, its value is kept unchanged while the value of variable   1 becomes equal to 0 (the buffer is overloaded; consequently   2 remains equal to 2 while the service becomes unexpectedly down). A state   , which is a valuation of the two variables   1 and   2, is represented as (  1[  ],   2[  ]). The initial system state, say   0, which is equal to (1, 0), denotes that the service is running and the buffer is empty. We consider two scenarios. The first, say ω1, which consists in administratively shutting down the service, consists in only executing action   1. The second, say ω2, which represents a buffer overflow attack against the running service, consists in executing action   2 twice. The two scenarios ω1 and ω2 are formally equal to (1, 0), (0, 0) and (1, 0), (1, 1), (0, 2), respectively.

We consider two security solutions deployed on the considered system. The first allows to only monitor variable   1 and is characterized by the observation function   1(), while the second allows to only monitor variable   2 and is characterized by the observation function   2().
The observation function   1() is characterized by a labeling function, say   1(), and we have ∀  :   1(  1[  ]) =   1[  ] and   1(  2[  ]) = ∅. The second is characterized by a labeling function, say   2(), and we have ∀  :   2(  1[  ]) = ∅ and   2(  2[  ]) =   2[  ]. The digital evidences generated by the first security solution if ω1 or ω2 is executed are given, respectively, by:

•   1(ω1) =   1(1, 0),   1(0, 0) = (1, ∅), (0, ∅)
•   1(ω2) =   1(1, 0),   1(1, 1),   1(0, 2) = (1, ∅), (0, ∅)

The digital evidences generated by the second security solution if ω1 or ω2 is executed are given, respectively, by:

•   2(ω1) =   2(1, 0),   2(0, 0) = (∅, 0)
•   2(ω2) =   2(1, 0),   2(1, 1),   2(0, 2) = (∅, 0), (∅, 1), (∅, 2)

According to the obtained observations, the first security solution, which is modeled by observation function   1(), would not differentiate between the two executed scenarios. In other words, an investigator who tries to reconstruct the potential occurred scenarios based on the evidence generated by   1() should consider that both scenarios ω1 and ω2 are potential. This is not the case for the evidence generated by observation function   2().

C. Modeling attack scenarios from the network viewpoint

From the network viewpoint, an attack scenario ω creates a series of network datagrams, say π, sent from the attacker host to the victim host over the MANet, in order to remotely execute the actions in ω  |  .
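Returning to Example 1 of Section III.B: the following Python program is an added example, not code from the paper, that builds the two-variable system, runs the two scenarios, and computes the observable part of each execution in the two stages the paper describes (label every state, then collapse maximal runs of identical observations). The names action_a1, action_a2, observe_with and consistent_scenarios are this example's own. One point to note: with the enabling conditions exactly as the paper states them (a2 increments the buffer while it is strictly below the limit 2 and overloads the service only when the buffer already equals 2), reaching the overloaded state (0, 2) from (1, 0) takes three executions of a2 rather than the two the paper mentions; the code therefore runs a2 three times, and the observations it produces coincide with those the paper lists for ω2. The last function shows the investigator's side of the argument: which candidate scenarios remain consistent with a given piece of evidence.

```python
# Added example (not from the paper): Example 1 of Section III.B as runnable code.
# action_a1, action_a2, observe_with and consistent_scenarios are names chosen here.
from typing import Callable, List, Optional, Sequence, Tuple

EMPTY = None        # stands for the empty label ∅ (variable invisible to the observer)
BUFFER_LIMIT = 2    # buffer size limit of v2, as in the paper's Example 1

State = Tuple[int, int]   # (v1, v2): v1 = service up (1) or down (0); v2 = bytes in the buffer
Action = Callable[[State], Optional[State]]


def action_a1(s: State) -> Optional[State]:
    """a1: administratively stop the service. Always enabled; sets v1 to 0."""
    _, v2 = s
    return (0, v2)


def action_a2(s: State) -> Optional[State]:
    """a2: type a 1-byte user command. Enabled only when v2 <= BUFFER_LIMIT."""
    v1, v2 = s
    if v2 > BUFFER_LIMIT:
        return None                 # not enabled: no successor state
    if v2 < BUFFER_LIMIT:
        return (v1, v2 + 1)         # the buffer grows by one byte
    return (0, v2)                  # buffer overloaded: the service goes down unexpectedly


def execute(s0: State, actions: Sequence[Action]) -> List[State]:
    """Run a scenario from s0 and return the sequence of visited states (the paper's omega_S)."""
    states = [s0]
    for act in actions:
        nxt = act(states[-1])
        if nxt is None:
            raise ValueError(f"{act.__name__} is not enabled in state {states[-1]}")
        states.append(nxt)
    return states


def observe_with(visible: Tuple[bool, ...]) -> Callable[[Sequence[State]], List[tuple]]:
    """Build an observation function O(): label each state (visible variables kept,
    invisible ones replaced by ∅), then collapse maximal runs of identical observations,
    since an observer cannot tell whether the system progressed inside such a run."""
    def label(s: State) -> tuple:
        return tuple(v if vis else EMPTY for v, vis in zip(s, visible))

    def observe(states: Sequence[State]) -> List[tuple]:
        evidence: List[tuple] = []
        for obs in (label(s) for s in states):
            if not evidence or evidence[-1] != obs:
                evidence.append(obs)
        return evidence

    return observe


def consistent_scenarios(observe, evidence: List[tuple], candidates: dict) -> List[str]:
    """Investigator's side: keep the candidate scenarios whose observation equals the evidence."""
    return [name for name, states in candidates.items() if observe(states) == evidence]


O1 = observe_with((True, False))    # first security solution: monitors only v1
O2 = observe_with((False, True))    # second security solution: monitors only v2

S0 = (1, 0)                                                  # service running, buffer empty
OMEGA1 = execute(S0, [action_a1])                            # administrative shutdown
OMEGA2 = execute(S0, [action_a2, action_a2, action_a2])      # buffer overflow: three 1-byte commands
CANDIDATES = {"omega1": OMEGA1, "omega2": OMEGA2}

if __name__ == "__main__":
    for name, obs in (("O1", O1), ("O2", O2)):
        for scen, states in CANDIDATES.items():
            print(f"{name}({scen}) = {obs(states)}")
    print("consistent with O1(omega2):", consistent_scenarios(O1, O1(OMEGA2), CANDIDATES))
    print("consistent with O2(omega2):", consistent_scenarios(O2, O2(OMEGA2), CANDIDATES))
```

Running it reproduces the paper's conclusion: the evidence of the first solution is the same for both scenarios, so both stay potential, whereas the second solution's evidence singles out ω2. The same observe_with construction works for any number of variables and any visibility mask, so it can be reused to compare the discriminating power of differently placed security solutions before deploying them.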
Formally, π =   0,   1, ...,    where every    ∈ π represents a network datagram and is a valuation of six variables, namely   ,   ,   ,   ,   ,   . The first five variables represent the source IP address related to the attacker node, the destination IP address related to the victim node, the routing path which is composed of the ordered set of identities related to the nodes used to forward the packet, the initial Time To Live value of the generated packet, and the location of the node when it sends the datagram, respectively. The last variable    represents a global action as a pair of information, say (  ,   ), representing: a) the action remotely executed by the attacker on the target system, and b) the packet digest computed over the immutable fields of the IP header and a portion of the payload [8], respectively. We denote by   .   and   .   the value of the executed action and the packet digest contained in the global action   , respectively. Since an action may be executed several times within an attack scenario, the packet digest information allows to differentiate between two situations: a) an action is observed in the network by several observers, and b) an action is executed several times by the attacker and leads to the generation of many datagrams. In Ad hoc networks the identity of the attacker may change when it changes its point of attachment. In this work, we suppose that this identity remains unchanged during the occurrence of an attack scenario. In this model, we suppose that every pattern (created by remotely executed actions) in a network datagram is associated with a unique action in the library of elementary system actions. Due to the dynamic topology of the network, datagrams sent by the attacker to remotely execute actions may follow different routing paths.

D. Modeling wireless network evidences

Consider an attack scenario ω and the related series of submitted datagrams π sent by the attacker to execute the actions in ω . Note that observer nodes are mobile and may go out of the transmission range of the intermediate nodes that participated in routing the traffic π related to the executed attack scenario ω, or of the nodes representing the attacker or the victim. Consequently, an observer node will only be able to: a) detect from π a sub-series, say π , containing only the datagrams that went across its coverage; and b) have access to the observable part, say   (π ), which will be provided as a network evidence (the observer is assumed to also mention its location in the network when it captured the packet). Similarly to the observation of an attack scenario,   (π ) is computed based on the observation of candidate datagrams. Given a series of captured network datagrams π  =   0, ..,   , related to the same attack scenario,   (π ) =   (  0), ...,   (  ). ∀   ∈ π , we have   (  ) = [  (  [  ]),   (  [  ]),   (  [  ]),   (  [  ]),   (  [  ]),   (  [  ])]. The computed labels follow these rules:

•   (  [  ]),   (  [  ]) are equal to   [  ],   [  ], respectively, since the IP source and destination addresses of the attacker are supposed to always be interpretable.
•   (  [  ]) is obtained by deleting the identities of the intermediate nodes whose identities cannot be determined.
•   (  [  ]) is equal to   [  ], as the TTL value can always be read from the packet header.
•   (  [  ]) highly depends on the chosen model to represent the location. At best, it is equal to   [  ] if the attacker is in the coverage of the observer node and the latter has the possibility to determine its exact position. At worst, it is equal to ∅.
•   (  [  ]) is equal to (  [  ],   (  )) if the pattern of the executed action in the datagram is readable and can be determined. Otherwise it is set to ∅ (i.e., the traffic is encrypted).

Given a packet   , we denote by    the tuple of information composed of the packet digest and the remotely executed action. Formally    = (  [  ],   [  ]).    is called a global action. We denote by   .   and   .   the action and the packet digest, respectively.

IV. CONDUCTING PROOFS IN THE WIRELESS CONTEXT

We propose a deduction system which is described using a set of inference rules. For the sake of space, we settle for only describing those that have to be inevitably used to generate proofs. An investigator is assumed to have a complete knowledge of the specification of the investigated system (i.e., possible initial system states, variables, and library of elementary actions).

Let O = ∪  {(  ,   ())} be the set of tuples (  ,   ()) where: a)   () represents the observation function that characterizes the    security solution deployed on the system; and b)    represents the system evidence locally generated by that solution further to the execution of an attack scenario ω. In other words, ∀  :   (ω) =   . Π represents the aggregated network evidence, as a sequence of global actions, computed using all available network observations. E = ∪  {  (π )} represents the set of network evidences delivered by the different observer nodes, and related to the execution of the attack scenario ω. Note that    represents the identity of the observer nodes deployed in the network. Other information of interest can be added to the generated observation, such as the observer position in the network or its list of neighbors. All of this information would be useful during the correlation of the collected evidences.

Rules for aggregating network evidences: Rule 2 appends to the aggregated evidence under construction Π the sequence of global actions extracted from a network evidence, say   , which represents the longest evidence in the set of available network evidences in Π. The operator    transforms the sequence of packet observations in a network evidence into a sequence of global actions. Function   () computes the length of a network observation in terms of packet observations.

    Π = ∅,    ∈ E, ∀    ∈ E  .  .    =   :   (  ) ≤   (  )
    ─────────────────────────────────────────────────────────
    Π = Π ∪                                                  (1)
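The datagram model of Section III.C, the labeling rules of Section III.D, and rule (1) above can be exercised together on constructed traffic. The Python program below is an added example written for this page, not code from the paper. It represents a datagram by the six variables of the model, lets each observer keep only the sub-series of datagrams that crossed its coverage and label them (unresolvable path identities dropped, location blanked when the observer cannot determine it, the global action blanked when the pattern is unreadable), then applies rule (1): Π starts empty and receives the global actions of the longest available network evidence. Two simplifications are assumptions of this example rather than statements of the paper: coverage is decided by the distance between the observer and the sender's location at sending time, and the remaining inference rules, which the page does not show, are not implemented. The final function illustrates the point made in Section III.C about packet digests: counting distinct digests per action separates "one execution seen by several observers" from "several executions of the same action". All sample addresses, node identities, digests and positions are constructed.

```python
# Added example (not from the paper): packet observation per observer and rule (1) aggregation.
# Datagram, Observer, covers, label_datagram, network_evidence, global_actions,
# aggregate_rule1 and count_executions are names chosen here.
from dataclasses import dataclass
from math import hypot
from typing import Dict, FrozenSet, List, Optional, Tuple

UNKNOWN = None  # stands for the empty label ∅


@dataclass(frozen=True)
class Datagram:
    """A datagram as a valuation of the six variables of Section III.C."""
    src: str                     # source IP of the attacker node
    dst: str                     # destination IP of the victim node
    path: Tuple[str, ...]        # ordered identities of the forwarding nodes
    ttl: int                     # initial Time To Live
    loc: Tuple[float, float]     # sender location when the datagram was sent
    action: Optional[str]        # pattern of the remote action, None if unreadable (encrypted)
    digest: str                  # digest over immutable IP header fields and part of the payload


@dataclass(frozen=True)
class Observer:
    ident: str
    position: Tuple[float, float]
    radius: float                # assumption of this example: the observer's coverage radius
    known_nodes: FrozenSet[str]  # node identities this observer can resolve
    sees_location: bool          # whether it can determine the sender's exact position


def covers(obs: Observer, p: Datagram) -> bool:
    """Simplifying assumption: a datagram crossed the observer's coverage when the sender
    was within the observer's radius at sending time."""
    (ox, oy), (px, py) = obs.position, p.loc
    return hypot(ox - px, oy - py) <= obs.radius


def label_datagram(obs: Observer, p: Datagram) -> Dict[str, object]:
    """The labeling rules of Section III.D applied to one captured datagram."""
    return {
        "src": p.src,                                              # always interpretable
        "dst": p.dst,                                              # always interpretable
        "path": tuple(n for n in p.path if n in obs.known_nodes),  # unresolved identities dropped
        "ttl": p.ttl,                                              # always readable from the header
        "loc": p.loc if obs.sees_location else UNKNOWN,            # best case vs. worst case
        "action": (p.action, p.digest) if p.action is not None else UNKNOWN,
        "observer": obs.ident,                                     # kept for later correlation
    }


def network_evidence(obs: Observer, pi: List[Datagram]) -> List[Dict[str, object]]:
    """The observer's evidence: observations of the sub-series of pi that crossed its coverage."""
    return [label_datagram(obs, p) for p in pi if covers(obs, p)]


def global_actions(evidence: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Turn a sequence of packet observations into a sequence of global actions (action, digest),
    skipping packets whose action pattern was unreadable."""
    return [o["action"] for o in evidence if o["action"] is not UNKNOWN]


def aggregate_rule1(evidences: List[List[Dict[str, object]]]) -> List[Tuple[str, str]]:
    """Rule (1): Π starts empty and receives the global actions of the longest available evidence."""
    if not evidences:
        return []
    longest = max(evidences, key=len)
    return global_actions(longest)


def count_executions(evidences: List[List[Dict[str, object]]]) -> Dict[str, int]:
    """Distinct executions per action across all observers: the same digest seen by
    several observers counts once, different digests count as separate executions."""
    digests: Dict[str, set] = {}
    for ev in evidences:
        for action, digest in global_actions(ev):
            digests.setdefault(action, set()).add(digest)
    return {action: len(ds) for action, ds in digests.items()}


# Constructed sample traffic: the attacker moves along the x axis while sending four datagrams.
ATTACKER, VICTIM = "10.0.0.7", "10.0.0.42"
PI = [
    Datagram(ATTACKER, VICTIM, ("n1",), 64, (0.0, 0.0), "a2", "h1"),
    Datagram(ATTACKER, VICTIM, ("n1", "n2"), 64, (1.0, 0.0), "a2", "h2"),
    Datagram(ATTACKER, VICTIM, ("n1", "n2", "n3"), 64, (2.0, 0.0), "a2", "h3"),
    Datagram(ATTACKER, VICTIM, ("n3",), 64, (6.0, 0.0), "a1", "h4"),
]
OBS_A = Observer("A", (0.0, 0.0), 3.0, frozenset({"n1", "n2"}), True)
OBS_B = Observer("B", (5.0, 0.0), 3.0, frozenset({"n2", "n3"}), False)


def run_example():
    evidences = [network_evidence(o, PI) for o in (OBS_A, OBS_B)]
    return aggregate_rule1(evidences), count_executions(evidences), evidences


if __name__ == "__main__":
    agg, counts, evs = run_example()
    print("Pi =", agg)
    print("distinct executions per action:", counts)
```

In the sample, observer A captures the first three datagrams and B the last two, so the third datagram appears in both evidences with the same digest h3; rule (1) seeds Π from A's longer evidence, and the digest count reports three executions of a2 and one of a1 rather than four a2 observations. Note also how the same datagram is labelled differently by the two observers: A keeps the path identities n1 and n2 and the sender location, B keeps n2 and n3 and reports the location as ∅.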