Wireless Network Security Spring 2015


Wireless Network Security, Spring 2015
Patrick Tague
Class #5: Jamming, Physical Layer Security
2015 Patrick Tague

Class #5
- Jamming attacks and defenses
- Secrecy using physical layer properties
- Authentication using physical layer properties

Let's focus on Jamming

Jamming
- Conceptually, jamming is a physical layer denial-of-service attack that aims to prevent wireless communication between parties
[Figure: Alice sends messages to Bob; Mallory emits interference]

How Does Jamming Work?
[Figure labels: Sender, Path Loss, Interference, Jamming + Noise, Receiver]
- Receiver can decode message if SINR
- Jamming decreases SINR, causes decoding failure and packet loss
- But, it's much more complicated than that...

Geometry Matters
[Figure annotations, three attacker positions: "Attacker can be MUCH quieter"; "Attacker has to be louder than speaker"; "Attacker would have to be VERY loud"]
- SINR metric captures effects of geometry
- SINR = (Rx signal power) / (noise power + Rx jamming power)
  - Rx signal power: often modeled as $P_{tr} = k_t P_t d_{tr}^{-a}$
  - Noise power: typically random variable $N_0$
  - Rx jamming power: often modeled as $P_{jr} = k_j P_j d_{jr}^{-a}$

Timing Matters
[Figure labels: HIT!, hit?, hit...]
- Can be modeled as a (random) multiplier in the I term of the SINR metric

Orthogonality Matters
[Figure labels: Channel k, Channel m k, fail; DSSS encoded, narrowband, fail?]

Generalized Jamming
- A jammer allocates energy/signal to diverse time, freq, etc. resources according to an attack strategy S
  - Effect E(S) of the attack
  - Cost C(S) of the attack
  - Risk R(S) of being detected / punished
- With other metrics, an optimization emerges
[Figure axes: Time, Frequency]

Jamming Strategies: Time Domain
[Figure: link traffic packets over time against four jamming patterns: Constant, Random, Periodic, Reactive]
[Xu et al., 2006; Mpitziopoulos et al., 2009]

Jamming Strategies: Frequency Domain
[Figure: link traffic on Ch. 1, Ch. 2, Ch. 3, Ch. k against four jamming patterns: Broadband, Single Ch., Single Sub-Ch., Multiple Sub-Ch.]

How can we protect against jamming?

Jamming Detection & Defense [Xu et al., IEEE Network 2006]
- Goal: detect and localize jamming attacks, then evade them or otherwise respond to them
- Challenge: distinguish between adversarial and natural behaviors (poor connectivity, battery depletion, congestion, node failure, etc.)
- Certain level of detection error is going to occur
- Appropriate for deployment in sensor networks
- Approach: coarse detection based on packet observation

Basic Detection Statistics
- Received signal strength (RSSI)
  - Jamming signal will affect RSSI measurements
  - Very difficult to distinguish between jamming/natural
- Carrier sensing time
  - Helps to detect jamming as MAC misbehavior
  - Doesn't help for random or reactive cases
- Packet delivery ratio (PDR)
  - Jamming significantly reduces PDR (to ~0)
  - Robust to congestion, but other dynamics (node failure, outside comm range) also cause PDR ~0

Advanced Detection
- Combining multiple statistics in detection can help
  - High PDR + High RSSI: OK
  - Low PDR + Low RSSI: Poor connectivity
  - Low PDR + High RSSI? Jamming attack?
- Caveat: this assumes RSSI can be accurately measured
  - See [DeBruhl & Tague, SECON 2013]
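The PDR/RSSI consistency check from the two detection slides, as an added example that is not code from the lecture or from the cited paper. The thresholds, the `Window` record, the rule of alarming only after `k` consecutive suspicious windows, and the sample observations are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import List

# Thresholds are assumptions for this example, not values from the lecture.
PDR_LOW = 0.65          # below this the link is treated as failing
RSSI_HIGH_DBM = -75.0   # at or above this the channel carries strong energy

@dataclass
class Window:
    seen: int              # frames whose preamble was detected in the window
    decoded: int           # frames that also passed the checksum
    rssi_dbm: List[float]  # RSSI samples taken during the window

def pdr(w: Window) -> float:
    # Assumption: a window in which no frame was seen counts as PDR 0.
    return w.decoded / w.seen if w.seen else 0.0

def classify(w: Window) -> str:
    mean_rssi = sum(w.rssi_dbm) / len(w.rssi_dbm)  # dB-domain mean, a simplification
    if pdr(w) >= PDR_LOW:
        return "ok"
    return "suspected-jamming" if mean_rssi >= RSSI_HIGH_DBM else "poor-connectivity"

def detect(windows, k=3):
    """Indices at which k consecutive windows were classified as suspected jamming.
    Requiring a streak trades detection delay for fewer false alarms."""
    alarms, streak = [], 0
    for i, w in enumerate(windows):
        streak = streak + 1 if classify(w) == "suspected-jamming" else 0
        if streak == k:
            alarms.append(i)
    return alarms

# Constructed observations for one link (not measurements from the lecture).
SAMPLE = [
    Window(100, 97, [-60, -62, -61]),   # healthy link
    Window(100, 20, [-92, -90, -94]),   # weak signal, most frames lost
    Window(100, 3, [-55, -58, -54]),    # strong energy, almost nothing decodes
    Window(0, 0, [-52, -53, -55]),      # strong energy, no frame seen at all
    Window(40, 1, [-57, -56, -58]),
    Window(100, 95, [-61, -60, -63]),   # link recovers
]

if __name__ == "__main__":
    for w in SAMPLE:
        print(f"PDR={pdr(w):.2f} -> {classify(w)}")
    print("alarm at windows:", detect(SAMPLE))
```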

Jammed Area Mapping
- Based on advanced detection technique, nodes can figure out when they are jammed
- At the boundary of the jammed area, nodes can get messages out to free nodes
- Free nodes can collaborate to perform boundary detection using location information

Evading Jamming
- Nodes in the jammed region can evade the attack, either spectrally or spatially
  - Spectral evasion: channel surfing to find open spectrum and talk with free nodes
  - Spatial evasion: mobile retreat out of jammed area
- Need to compensate for mobile jammers' ability to partition the network (see figure in paper)

What about dynamic attack and defense strategies?

Optimal Jamming & Detection [Li et al., Infocom 2007]
- Problem setup: each of the network and the jammer have control over random jamming and transmission probabilities
  - Network parameter g is probability each node will transmit in a time slot
  - Attack parameter q is probability the jammer will transmit in a time slot
- Opponents can learn about goals through observation and optimize for min-max/max-min

Jamming Games [DeBruhl & Tague, PMC 2014]
- What if both the attacker and defender are freely adapting in response to each other?

How can the properties of the wireless medium actually help to achieve secure communication?

Snooping on the Party

Wiretapping
- In 1975, A. D. Wyner defined the wiretap channel to formalize eavesdropping
[Figure: Alice sends M through an Encoder and a Channel to Bob's Decoder, which outputs M; a second Channel leads to Eve]
- In Wyner's model, the wiretap channel is degraded, meaning Eve only sees a noisier signal than Bob sees

Secrecy Capacity
- Since the Alice-Eve channel is noisier than the Alice-Bob channel:
  - Eve can't decode everything that Bob can decode
  - i.e., there exists an encoding such that Alice can encode messages that Bob can decode but Eve can't
- There's a really nice Information Theory formalization of the concept of secrecy capacity, namely the amount of secret information Alice can send to Bob without Eve being able to decode
  - I'll leave the details for you to explore

Degraded Eavesdropper?
- In a practical scenario, is it reasonable to assume the eavesdropper's signal is more degraded than the receiver's?
  - Probably not.
- What else can we do to tip the scales in the favor of the Alice-Bob channel?

Diversity of Receivers
- The signal emitted by a transmitter looks different to receivers in distinct locations

Measurement + Feedback
- Channel State Information (CSI): CSI is the term used to describe measurements of the channel condition
- If Alice knows the CSI to Bob and to Eve, she can find an appropriate encoding using the measurements
- If Alice and Bob interact repeatedly, the measurement and feedback actually increase the secrecy capacity
  - This can allow for secrecy capacity > 0 even if Eve's channel is less noisy than Bob's channel

Jamming for Good
- If Alice has diversity in the form of multiple radios or some collaborators:
  - Alice & friends can use a jamming attack to prevent Eve from eavesdropping
  - As long as they don't jam Bob at the same time
- Ex: if the deployment geometry is known, Alice can adjust power, antenna config, etc. so Bob's SINR is high but Eve's is low
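How geometry decides whether a cooperating jammer helps or hurts secrecy, as an added example that is not from the lecture. It reuses the path-loss and SINR model from the "Geometry Matters" slide and goes beyond the slides by using the Gaussian wiretap secrecy rate, max(0, log2(1 + SINR_Bob) - log2(1 + SINR_Eve)), with jamming treated as extra Gaussian noise. The positions, powers, path-loss exponent and noise level are assumptions.

```python
import math

K, A, N0 = 1.0, 3.0, 1e-4   # path-loss gain k, exponent a, noise power (assumed)

def rx_power(p_tx, d):
    """Received power under the slide's model P_r = k * P_t * d^(-a)."""
    return K * p_tx * d ** (-A)

def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def sinr_at(rx, alice, p_alice, helper=None, p_helper=0.0):
    """SINR of Alice's signal at rx, with an optional cooperating jammer."""
    signal = rx_power(p_alice, dist(alice, rx))
    jam = rx_power(p_helper, dist(helper, rx)) if helper is not None else 0.0
    return signal / (N0 + jam)

def secrecy_rate(alice, bob, eve, p_alice, helper=None, p_helper=0.0):
    """Gaussian wiretap secrecy rate in bits per channel use (never negative)."""
    c_bob = math.log2(1 + sinr_at(bob, alice, p_alice, helper, p_helper))
    c_eve = math.log2(1 + sinr_at(eve, alice, p_alice, helper, p_helper))
    return max(0.0, c_bob - c_eve)

# Constructed layout: Eve is closer to Alice than Bob is, so she is NOT degraded.
ALICE, BOB, EVE = (0.0, 0.0), (10.0, 0.0), (0.0, 5.0)
P_ALICE, P_HELPER = 1.0, 0.1
NEAR_EVE, NEAR_BOB = (0.0, 7.0), (9.0, 0.0)   # two candidate helper positions

if __name__ == "__main__":
    print("no helper       :", secrecy_rate(ALICE, BOB, EVE, P_ALICE))
    print("helper near Eve :", secrecy_rate(ALICE, BOB, EVE, P_ALICE, NEAR_EVE, P_HELPER))
    print("helper near Bob :", secrecy_rate(ALICE, BOB, EVE, P_ALICE, NEAR_BOB, P_HELPER))
```

With the helper next to Eve the rate becomes positive even though Eve hears Alice better than Bob does; the same helper placed next to Bob drives it back to zero.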

Secure Array Transmission [Li, Hwu, & Ratazzi, ICASSP 2006]
- Antenna control can be used for transmission with low probability of interception

Application
- Building on secrecy capacity:
  - If two devices can communicate with a high probability guarantee that eavesdroppers cannot hear them, whatever they say is secret
  - Secret messages -> keys!
- Secret key generation is now possible using inherent properties of the wireless medium

Further Reading
- For a really good summary of secrecy capacity, the formalization, secret key generation, and lots of excellent details:
  - Physical Layer Security by Bloch and Barros
  - Available as e-book through CMU library
  - I have a hard copy if anyone wants to borrow it

More Benefit for the Party?

Physical layer properties can help with authentication!

Diversity of Senders
- Signals captured by a receiver from senders in distinct locations look different

Signalprints [Faria & Cheriton, WISE 2006]
- In a WLAN with multiple APs, each AP sees different characteristics of packets from each sender
- Each AP can measure various packet features, some of which are relatively static over packets: e.g., received signal strength
- A back-end server can collect measurements and keep history of packets from different senders

Verification & Matching
- Requirements for verification:
  - Robust to transmission power control, random fluctuations, and error
  - High correlation among signals from same sender
  - Distinct signalprints between different senders
- A matching rule based on matches and mis-matches is used to declare packets from the same or different source (similar to any IDS)
[Figure: example signalprints with differential analysis
  Sender 1 (dBm): -50 -95 -80 -73 -88 -95 -60; differential: 0 -30 -23 -38 -10
  Sender 2 (dBm): -63 -80 -95 -85 -80 -73 -75; differential: 0 -17 -22 -17 -10 -12
  Annotations: "AP 1 measured RSSI = -50 dBm on this packet"; "AP 2 didn't hear this packet, sensitivity power = -95 dBm"; "Match within a tolerance"; "Mis-match beyond tolerance"]

Signalprint Properties
- Difficult to spoof
  - Spoofing node would require control of medium
  - Transmission power control creates lower RSS at every AP; differential analysis reveals power control
- Correlated with physical location
  - Attacker needs to be physically near target device
- Sequential packets have similar signalprints
  - RSSI values are highly correlated for stationary sender and receiver
  - Note: not highly correlated with distance, but very highly correlated with subsequent transmissions
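Differential signalprint matching as described on the two slides above, written here as an added example and not taken from the lecture or from Faria & Cheriton's implementation. `S1` and `S2` are the Sender 1 and Sender 2 values legible in the slide's figure; `S1_LOW` (the same sender at roughly 10 dB lower power), the tolerances, the matching thresholds and the choice to skip APs that did not hear a packet are assumptions.

```python
SENSITIVITY_DBM = -95  # reading recorded when an AP did not hear the packet

def differential(signalprint):
    """Subtract the strongest reading so a uniform power change cancels out.
    APs that did not hear the packet yield None (assumption: they are skipped)."""
    heard = [v for v in signalprint if v > SENSITIVITY_DBM]
    if not heard:
        return [None] * len(signalprint)
    peak = max(heard)
    return [v - peak if v > SENSITIVITY_DBM else None for v in signalprint]

def compare(a, b, match_tol=5, mismatch_tol=10):
    """Count per-AP matches and mis-matches between two differential signalprints."""
    matches = mismatches = 0
    for x, y in zip(differential(a), differential(b)):
        if x is None or y is None:
            continue                      # one side has no measurement at this AP
        gap = abs(x - y)
        if gap <= match_tol:
            matches += 1
        elif gap >= mismatch_tol:
            mismatches += 1
    return matches, mismatches

def same_source(a, b, min_matches=4, max_mismatches=0):
    """Matching rule: enough matches and no more than the allowed mis-matches."""
    matches, mismatches = compare(a, b)
    return matches >= min_matches and mismatches <= max_mismatches

S1 = [-50, -95, -80, -73, -88, -95, -60]      # Sender 1, one reading per AP (dBm)
S2 = [-63, -80, -95, -85, -80, -73, -75]      # Sender 2
S1_LOW = [-61, -95, -89, -84, -95, -95, -70]  # constructed: Sender 1 at lower power

if __name__ == "__main__":
    print("differential(S1):", differential(S1))
    print("S1 vs S1_LOW:", compare(S1, S1_LOW), same_source(S1, S1_LOW))
    print("S1 vs S2    :", compare(S1, S2), same_source(S1, S2))
```

Lowering transmit power shifts every raw reading by about 10 dB, yet the differential prints still match; Sender 2 produces a mis-match and too few matches, so it is declared a different source.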

Limitations
- Signalprints with any reasonable matching rule cannot differentiate between nearby devices
  - Masquerading/spoofing attacks are possible if physical proximity is easily achieved
- Low-rate attacks cannot be detected
  - But, low-rate attacks have limited effects
- Multi-antenna attackers can cheat
- Highly mobile devices can't be printed

Summary
- Interference and eavesdropping are two of the most fundamental yet least understood vulnerabilities in wireless.
- There's still a lot of work to be done.

Assignment #2
- Assignment #2 will be posted later today
- Due date is February 12, 11:59pm PST
- We're asking you to do a lot of things with OMNET++ and INET that we didn't cover in the tutorial. Use the other examples and resources before asking us how to do something.

January 29: Link Layer Threats; WiFi Security