DAPV: Diagnosing Anomalies in MANETs Routing With Provenance and Verification

Routing security plays an important role in mobile ad hoc networks (MANETs). Despite many attempts to improve its security, the routing mechanism of MANETs remains vulnerable to attacks. Unlike most existing solutions, which prevent specific problems, our approach aims to detect misbehavior and identify the anomalous nodes in MANETs automatically. Existing approaches offer support for detecting attacks or debugging in different routing phases, but many of them cannot explain the absence of an event. Moreover, these methods do not consider the privacy of the nodes and depend on a central control program or a third party to supervise the whole network. In this paper, we present a system called DAPV that can find single or collaborative malicious nodes as well as paralyzed nodes that behave abnormally. DAPV can detect both direct and indirect attacks launched during the routing phase. To detect malicious or abnormal nodes, DAPV relies on two main techniques. First, provenance tracking enables hosts to deduce the expected log information of their peers from the known log entries. Second, privacy-preserving verification uses a Merkle Hash Tree to verify the logs without revealing any private information of the nodes. We demonstrate the effectiveness of our approach by applying DAPV to three scenarios: 1) detecting injected malicious intermediate routers that commit active and passive attacks in MANETs; 2) resisting the collaborative black-hole attack on the AODV protocol; and 3) detecting paralyzed routers in university campus networks. Our experimental results show that our approach can detect the malicious and paralyzed nodes, and that the overhead of DAPV is moderate.
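The Merkle Hash Tree verification mentioned in the abstract can be illustrated with a generic construction, added here as an example and not taken from DAPV: a node commits to its routing log with a single root hash, then proves that one entry is in the log by revealing only that entry and its sibling hashes. The log line format, the per-entry salts and the padding scheme are assumptions.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: str, salt: bytes) -> bytes:
    # 0x00/0x01 prefixes keep leaves and inner nodes in separate domains.
    # The salt stops a verifier from guessing low-entropy log lines
    # from the sibling hashes it receives.
    return _h(b"\x00" + salt + entry.encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

PAD = _h(b"\x02pad")  # fixed filler leaf so every level has even length

def build_levels(leaves):
    """Return all tree levels, leaves first; levels[-1][0] is the root."""
    n = 1
    while n < len(leaves):
        n *= 2
    level = list(leaves) + [PAD] * (n - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def prove(levels, index):
    """Inclusion proof: list of (sibling_hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify(root, entry, salt, proof):
    """Recompute the root from one disclosed entry and its proof."""
    acc = leaf_hash(entry, salt)
    for sibling, is_left in proof:
        acc = node_hash(sibling, acc) if is_left else node_hash(acc, sibling)
    return acc == root

# Constructed sample log of one router (format is hypothetical).
LOG = ["t=10 RREQ recv src=A dst=D from=A",
       "t=11 RREQ fwd src=A dst=D to=C",
       "t=14 RREP recv src=D dst=A from=C"]
# Constructed fixed salts for reproducibility; use random salts in practice.
SALTS = [bytes([i]) * 16 for i in range(len(LOG))]
```

A peer that expects the forwarding entry at index 1 checks it with `verify(root, LOG[1], SALTS[1], prove(levels, 1))`; the other two entries stay hidden behind their hashes.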
