Moving Target Defense for IP-based Control


Moving Target Defense for IP-based Control Vahid Heydari University of Alabama in Huntsville vahid.heydari@uah.edu

Outline
- IP-based control
- Remote attacks and zero-day vulnerabilities
- Moving target defense
- Related work
- Mobile IPv6 and route optimization
- MTM6D
- Implementation of MTM6D

Why use IP for Remote Control?
- Faster communication
- Scalability
- Large number of off-the-shelf test and simulation applications
- Remote connection capability through satellites using the Internet

IP-based Control

Boeing Uninterruptible Autopilot
- Takes control of an aircraft away from the pilot or flight crew in the event of a hijacking, through a wireless connection between the aircraft and a ground station.
- Intended to prevent tragic events such as the 9/11 attack, the Malaysia Airlines flight 370 crash, or the Germanwings flight 9525 crash.
- Problem: the technology would allow cyberterrorists to hack into an airliner's controls.

Remote Attacks
- Attack from unlimited distance
- Two main categories:
  - Denial-of-Service (DoS) attacks
  - Remote exploits: take advantage of a bug or vulnerability
- Countermeasures:
  - IPsec
  - Intrusion Detection and Prevention Systems (IDPS)
  - Firewall
  - Vulnerability scanner (Nessus)
  - Penetration testing (Metasploit)

Zero-Day Vulnerability
- An undisclosed and uncorrected vulnerability in a computer application that could be exploited.
- Zero-day exploits can defeat the best firewalls and IDPSs.
- Knowing the IP address of a victim is enough to attack.

Moving Target Defense
- The first step of a cyber-attack is finding information about the attack surface: IP scanning, port scanning, etc.
- Solution: randomly change some of the features of the attack surface.
- Static IP addresses are easily discoverable and give an attacker long-term access.
- A mechanism to change IP addresses randomly and dynamically is Moving Target Defense (MTD).

MT6D (Related Work)
- Proactive network-layer MTD
- Rapidly changes the IPv6 address mid-session without dropping sessions.
- Peers use the same algorithm with a pre-shared symmetric key:
  - Generate a random IPv6 address for each time interval, using the MAC address as input.
  - Use the peer's MAC address as input to find the peer's IP during the current time interval.
- Packets are encapsulated in UDP.

Limitations of MT6D
- Possibility of packet loss because of address collision. For example, losing access to an aircraft that is in uninterruptible autopilot for 10 seconds could cause a disaster.
- Key management limitation
- Relatively tight time synchronization is needed
- Static address rotation interval

Our Approach
- A static IP is needed to be transparent to the upper layers. It should not be accessible through the Internet.
- A dynamic IP is needed for connecting to other nodes. Changing the dynamic IP should not cause any delay or packet loss in the network. A mechanism is needed to update peer nodes with the new IP.
- Add the capability of a dynamic address rotation interval.
- A combination of standard protocols should be used instead of creating a new protocol, because:
  - A new protocol can add new vulnerabilities to the system.
  - New protocols may have security or scalability problems.
- Avoid adding new requirements like time synchronization.

Mobile IPv6 Overview (RFC 6275)
- Mobile Node (MN)
- Home Agent (HA): acts on behalf of the MN (like a proxy)
- Home address (HoA): permanent IP of the MN, typically attached to the HA
- Care-of address (CoA): actual IP that the MN uses while in a foreign network
- Correspondent Node (CN): a node that the MN is communicating with
- Binding Update (BU) message: updates the HA and correspondent nodes with the MN's current CoA
Image source: Q. Li, T. Jinmei and K. Shima, IPv6 Advanced Protocols Implementation. Amsterdam: Elsevier/Morgan Kaufmann Publishers, 2007.

Route Optimization (RFC 6275)
- Routing packets between an MN and a CN using the shortest possible path
- Return routability procedure:
  - Home Test: verifies the "right" of the MN to use a specific HoA
  - Care-of Test: verifies the validity of the claimed CoA
Image source: Q. Li, T. Jinmei and K. Shima, IPv6 Advanced Protocols Implementation. Amsterdam: Elsevier/Morgan Kaufmann Publishers, 2007.

Route Optimization (RFC 4449)
- Static shared key method: uses a shared symmetric key to omit all messages relating to the return routability tests.
- Pros:
  - The HA is not needed in this process.
  - Low signaling overhead for route optimization.
- Cons:
  - The CN should have a good reason to trust the actions of the MN (trust the peer or use the Care-of Test).
  - Shared symmetric keys between an MN and each CN are needed (solved by IPsec + IKEv2).
  - Cannot resist replay attacks (solved by IPsec + IKEv2).

Moving Target Mobile IPv6 Defense (MTM6D)
- Uses a permanent IP (HoA) to avoid disrupting TCP sessions and a temporary IP (CoA) for connecting to other nodes, as in Mobile IPv6.
- Each peer acts like a mobile node of Mobile IPv6.
- MTM6D dynamically changes the CoA to create moving targets.
- The permanent home address is not accessible through the Internet because there is no HA in the network.

IP Address Rotator Script
- Randomly generates a new IP address as the CoA of the MN:
  - Create a random 64-bit address.
  - Combine it with the most significant 64 bits of the current CoA to generate the new CoA.
- The new CoA is checked to be unoccupied by sending a neighbor solicitation message before registering it.
- Regenerate a new CoA if an address collision occurs.
- Remove the previous CoA after registering the new CoA.
- According to Mobile IPv6, each MN sends a BU message to the other MN to inform it of its new CoA.
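As an added illustration of the rotator logic above (example code, not the authors' script), the following Python models the CoA generation: a random 64-bit interface identifier is combined with the top 64 bits of the current CoA, and a candidate is regenerated when the collision check fails. The `is_occupied` callback and the retry bound `MAX_TRIES` are assumptions standing in for the neighbor-solicitation check, which the real script performs on the link.

```python
import ipaddress
import secrets

MAX_TRIES = 8             # assumed retry bound; the slides do not state one
IID_MASK = (1 << 64) - 1  # low 64 bits of the address: the interface identifier


def random_iid():
    """Random 64-bit interface identifier for a candidate CoA."""
    return secrets.randbits(64)


def derive_coa(current_coa, iid):
    """Keep the most significant 64 bits (the prefix) of the current CoA and
    replace the low 64 bits with iid."""
    prefix = int(ipaddress.IPv6Address(current_coa)) & ~IID_MASK
    return str(ipaddress.IPv6Address(prefix | (iid & IID_MASK)))


def rotate_coa(current_coa, is_occupied, iid_source=random_iid, max_tries=MAX_TRIES):
    """Return a fresh, unoccupied CoA on the same /64, or raise if none is found.

    is_occupied(candidate) is an assumed callback standing in for the
    neighbor-solicitation check the real script performs on the link; it
    returns True when some neighbor already answers for the address.
    """
    for _ in range(max_tries):
        candidate = derive_coa(current_coa, iid_source())
        if candidate == current_coa or is_occupied(candidate):
            continue  # collision (or unchanged address): regenerate
        return candidate
    # Do not leave the node unreachable: the caller keeps the current CoA registered.
    raise RuntimeError("no unoccupied CoA found; keep the current CoA")


if __name__ == "__main__":
    # Constructed sample: one address on the link is already taken.
    taken = {"2001:db8:0:1::2"}
    print(rotate_coa("2001:db8:0:1::1", lambda addr: addr in taken))
```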

Peer-to-Peer Lossless MTM6D
- Dynamic IPs on both peers (MN-to-MN communication).
- Binding Updates are sent directly to the peer node's CoA.
- Solution for IP-based control:
  - Dynamic IPs on both peers
  - Zero packet loss by multiple CoAs
  - Security by IPsec
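As an added example (not part of the original slides) of how the multiple-CoA scheme avoids packet loss, this Python models the correspondent's binding cache for one peer: a BU with a fresh sequence number adds the new CoA while the old one stays accepted until the rotating node removes it, and a BU with a stale or repeated sequence number is ignored. The class and method names are mine, and the 16-bit sequence-window rule is an assumed implementation of the modulo-2^16 comparison; the slides only state the behaviour.

```python
class PeerBindingCache:
    """Correspondent-side binding cache for one MTM6D peer (constructed example).

    Keeps every CoA the peer has registered and not yet removed, so packets
    from the old CoA are still accepted while the new CoA is being registered.
    """

    def __init__(self, peer_hoa, initial_coa):
        self.peer_hoa = peer_hoa          # the peer's permanent home address
        self.active_coas = {initial_coa}  # CoAs currently bound to peer_hoa
        self.last_seq = None              # sequence number of the last accepted BU

    def seq_is_newer(self, seq):
        # 16-bit sequence numbers compared modulo 2**16; a value counts as newer
        # if it lies less than half the space ahead of the last accepted one.
        if self.last_seq is None:
            return True
        return 0 < (seq - self.last_seq) % 65536 < 32768

    def on_binding_update(self, hoa, new_coa, seq):
        """Handle a BU sent directly to this node. Returns True if accepted."""
        if hoa != self.peer_hoa or not self.seq_is_newer(seq):
            return False               # unknown peer, or stale/replayed BU
        self.last_seq = seq
        self.active_coas.add(new_coa)  # old CoA stays valid: nothing is dropped yet
        return True

    def on_binding_remove(self, hoa, old_coa):
        """The peer has registered its new CoA and now retires the old one."""
        if hoa != self.peer_hoa or old_coa not in self.active_coas:
            return False
        if len(self.active_coas) == 1:
            return False               # never drop the only reachable CoA
        self.active_coas.discard(old_coa)
        return True

    def accepts(self, src_coa):
        """Is a packet from src_coa currently accepted for this peer?"""
        return src_coa in self.active_coas
```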

Implementation

Implementation (cont'd)

Conclusion
- A novel Mobile IPv6 based moving target defense strategy is designed to continuously change IP addresses so that attackers have difficulty finding them.
- Zero extra network delay
- Zero packet loss
- Overhead:
  - Signaling overhead: each round of changing IP needs two message transmissions at each MN (BU and BA messages), each of 158 bytes (using IPsec).
  - Transmission overhead: each data packet carries 24 bytes of overhead due to the use of IPsec (ESP).

References
- P. K. Manadhata and J. M. Wing, "An Attack Surface Metric," IEEE Trans. Softw. Eng., vol. 37, no. 3, pp. 371-386, May 2011.
- M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: A Moving Target IPv6 Defense," in Proceedings of Military Communications Conference (MILCOM 2011), 2011, pp. 1321-1326.
- E. D. Brown, D. C. Cameron, K. R. Krothapalli, W. v. K. Jr, and T. M. Williams, "System and method for automatically controlling a path of travel of a vehicle," U.S. Patent US7142971 B2, Nov. 2006. [Online]. Available: http://www.google.com.au/patents/us7142971
- V. Heydari and S. M. Yoo, "Securing Critical Infrastructure by Moving Target Defense," 11th International Conference on Cyber Warfare and Security (ICCWS 2016).
- V. Heydari, S. Kim, and S. M. Yoo, "Anti-Censorship Framework using Mobile IPv6 based Moving Target Defense," in Proceedings of ACM 11th Annual Cyber and Information Security Research (CISR 2016).
- V. Heydari, S. Kim, and S. M. Yoo, "Secure VPN using Mobile IPv6 based Moving Target Defense," submitted to IEEE GLOBECOM 2016.
- V. Heydari and S. M. Yoo, "Preventing Remote Cyber Attacks against Aircraft Avionics Systems," submitted to IEEE MILCOM 2016.

Thank you! QUESTIONS?