Survey of Techniques for Robust and Secure Communication in Computer Networks*



Maitreya Natu, University of Delaware (natu@cis.udel.edu)

Adarshpal Sethi, University of Delaware (sethi@cis.udel.edu)

Richard Gopaul, U.S. Army Research Laboratory (rgopaul@arl.army.mil)

Rommie Hardy, U.S. Army Research Laboratory (rhardy@arl.army.mil)


Technical Report No. 2007/337

Department of Computer & Information Sciences

University of Delaware

Newark, DE 19716

December 2006


1. Introduction:


Various approaches have been presented in the past for measurement of network performance metrics to detect faults, performance bottlenecks, or malicious behavior. These approaches can be broadly classified into control plane and data plane approaches. Control plane approaches verify the operation of the routing protocol and correctness of protocol messages. Data plane approaches observe violations in the forwarding decisions made by a router.


In a control plane attack, falsely issued routing advertisements can manipulate other routers' view of the network and disrupt network services [KRUU06]. Various attempts have been made to solve this problem, including the development of secure routing protocols [HU00, KENT00, MURP97, SUBR04, GOOD03, PERL88, ZHU02] which ensure that valid routing advertisements correctly identify the links between non-faulty routers. However, even these secure protocols cannot prevent the spread of false information during a collusion type attack. An example of such an attack is the wormhole attack [KRUU06] in which colluding nodes create the illusion that two remote regions of a MANET are directly connected through nodes that appear to be neighbors, but are actually distant from one another. The routing protocol, in this case, will propagate the false wormhole link information allowing the attackers to attract traffic from other parts of the network so it is routed through them and can subsequently be controlled, e.g., to delay, damage, discard, or misroute packets. There have been a variety of efforts [HU98, KENT00, SUBR04, CHEU97] to impart guarantees to existing routing protocols with varying levels of cost and protection. These approaches are based on ensuring authenticity of route updates and detecting inconsistency between route updates.




* Prepared through collaborative participation in the Communications and Networks Consortium sponsored by the U.S. Army Research Laboratory under the Collaborative Technology Alliance Program, Cooperative Agreement DAAD19-01-2-0011. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation thereon.



Because routing protocols do not verify forwarding behavior, availability can still be compromised even in the presence of secure routing protocols. This type of attack presents opportunities for denial of service, as well as packet sniffing, modification, and insertion. To mitigate the risk due to malicious forwarding, secure forwarding protocols [AVRA04a, AWER02, MIZR05] have been proposed. Perlman [PERL99] proposed use of reserved buffers, digital signatures, and source routing for robust routing. Subsequently, other researchers have proposed approaches to probe the path to test consistency of the advertised routes. [SUBR04] compares TCP data and ACK packets to analyze end-to-end connectivity paths. [PADM02] performs traffic monitoring at the intermediate routers. [AVRA06] performs end-to-end probing using source routing and authentication mechanisms. WATCHERS [BRAD98] proposes a distributed monitoring approach based on the concept of conservation of flow. However, the WATCHERS protocol has many limitations, many of which are documented by Hughes et al. [HUGH00]. Herzberg and Kutten in [HERZ00] have proposed the combined use of acknowledgements, timeouts, and fault announcements to detect packet forwarding faults. They present various protocols trading off the communication and time optimality.


In this report, we present a survey of previous research on securing communication against malicious attacks. In Section 2, we discuss different approaches proposed to secure the routing protocols. Section 3 presents the work done in securing the data plane, separated into passive monitoring and probing approaches. We then conclude Section 3 with a survey of work done in Active Networks. Section 4 offers potential directions for future research and in Section 5 we present our conclusions.


2. Secure routing protocols:


Encryption to make data and control traffic indistinguishable was first suggested by Perlman [PERL88, PERL99]. Perlman classifies network failures into simple and Byzantine failures. In the case of a simple failure, a component simply becomes inoperative, whereas in a Byzantine failure, a component becomes faulty, and yet continues to work (incorrectly). The routing protocols proposed by Perlman use reserved buffers, together with digital signatures to ensure that a packet will not be dropped because of congestion at a node by excessive traffic. Digital signatures authenticate the source of each packet, and a buffer should be specifically allocated to accommodate a packet from its intended source. The key idea is to use robust flooding to distribute link-state packets and the public keys of all nodes throughout the network. Robust data routing is then accomplished by having end hosts construct digitally signed source routes using the link-state information they have gathered. However, flooding on a global scale is likely to be infeasible. Secondly, allowing each end host to do source routing would weaken an ISP’s ability to engineer network traffic.


Perlman developed robust flooding, a method to deliver a packet to all good routers. This requires a good path condition, which states that each pair of non-faulty routers is connected by at least one path of non-faulty routers. Robust flooding was designed to be used for public key distribution and broadcasting link state packets. Perlman also developed a novel method for robust routing on top of a link state protocol. In this method, a source router first computes a route based on its local database and then sends a digitally signed route-setup packet along the chosen route. Each intermediate router on the route verifies the signature and allocates the necessary resources for the data packet. If the source router receives an acknowledgment of route-setup from each of the intermediate routers on the chosen route, then it sends the data packet. The destination router sends back another acknowledgment when it receives the data packet. If the source does not receive this acknowledgment for the data packet from the destination, then it detects that the chosen route is not reliable and computes a new route.


Research has been done on securing link state [HAUS97, CHEU97, ZHAN98, GOOD01] and distance vector [SMIT97] routing protocols for wired networks. Researchers have also addressed the security issues in OSPF [MURP96] and BGP [SMIY98]. [WU97, QU97, WU99] address the intrusion detection problem for generic link state and OSPF.


Predominant inter-domain routing protocols in the Internet like BGP include no mechanism for verifying either the authenticity or the accuracy of the distributed routing information. Thus, traffic can be severely disrupted by routers that refuse to serve their advertised routes due to malfunction or malice. To solve this problem, several approaches have been proposed. One approach, Secure BGP [KENT00] requires routing information to be authenticated. In particular, Secure BGP proposes use of public key infrastructure (PKI) and IPSec to enable a BGP speaker to validate the authenticity and data integrity of BGP UPDATE messages that it receives and to verify the identity and authorization of the senders. However, the overhead of authentication could be large and prohibitive. Moreover, authentication can only ensure reliable identification of the information’s origin. It does not solve the problem of identifying the faulty routing information coming from a compromised router. Another approach is proposed in the Router Arbiter [MERI95], where a central registry of plausibility information about routing advertisements is maintained. This allows discarding of blatantly invalid routing information, but it is still vulnerable to false routes that a router can advertise but may not actually serve. [SUBR04] proposes a protection mechanism that uses cryptographic techniques in the BGP protocol (Whisper) and data-packet flow monitors that verify whether the routes obtained by Whisper are operational (Listen). Whisper uses cryptographic functions along with routing redundancy to detect bogus route advertisements in the control plane. Listen passively monitors the data plane and checks whether the underlying routes to different destinations work. The general idea of Listen is to monitor TCP flows and to draw conclusions about the state of a route from this information.


Research has been done in securing distance vector routing protocols. One proposed mechanism uses Message Authentication Codes to secure the protocol. Current proposed approaches, however, cannot withstand node compromise. Smith et al. [SMIT97] analyzed security requirements of distance vector routing protocols. They identified vulnerabilities in these protocols and presented measures to protect route transmissions across the network. They also proposed a protection mechanism based on the use of predecessor information to protect routing updates from subverted routers. Zapata [ZAPA01] proposes SAODV as a security extension to AODV using a one-way hash chain for each Route Discovery. A number of security protocols have also been designed for RIP [MALK94, BAKE97]. These protocols protect packet integrity but are still vulnerable to the case when a node becomes compromised. The use of asymmetric cryptography has been proposed by several researchers [KENT00, ZAPA01, ZHOU99], but the overhead of asymmetric signature verification poses a Denial of Service threat. Symmetric primitives have been used by Cheung [CHEU97], Hauser et al. [HAUS97], and Perrig et al. [PERR01] for secure routing. [AVRA04a, AVRA04b] propose Byzantine detection protocols that are based on efficient symmetric cryptographic primitives and address issues such as replay and denial of service protection. Heffernan [HEFF98] and Basagni et al. [BASA01] have used shared keys to secure routing communication.


As mentioned in [HAUS97], source authentication is more of a concern in routing than confidentiality. Papadimitratos et al. [PAPA02] suggested disabling route caching and using end-to-end authentication to prevent impersonation and replay attacks. Dahill et al. [DAHI01] present security threats against ad hoc routing protocols, specifically examining AODV [PERK00] and DSR [JOHN01]. They propose a protocol, Authenticated Routing for Ad hoc Networks (ARAN), which provides a solution for securing routing in the managed-open environment. It provides authentication and non-repudiation services using predetermined cryptographic certificates that guarantee end-to-end authentication. In doing so, ARAN limits or prevents attacks that can afflict other insecure protocols.


Hu et al. have proposed various approaches [HU02, HU98, HU00] in securing routing protocols. In [HU02] they propose SEAD, a secure ad hoc network routing protocol based on the design of the Destination-Sequenced Distance-Vector routing protocol (DSDV). SEAD uses one-way hash functions instead of asymmetric cryptographic operations to create an efficient, practical approach. In their other work, Hu et al. have designed a secure on-demand routing protocol for ad hoc networks, called Ariadne [HU98]. Ariadne uses end-to-end measures for security and Message Authentication Codes for authentication. SEAD, unlike Ariadne, operates on a hop-by-hop basis and uses elements from a one-way hash chain for authentication.
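
The following Python sketch is an added example, not code from the report or from the SEAD authors. It shows how elements of a one-way hash chain can authenticate a sequence number and put a lower bound on a hop-count metric in a hop-by-hop distance-vector update; the indexing scheme, the use of SHA-256, and all function names and parameters are assumptions of this sketch.

```python
import hashlib
import hmac


def H(value: bytes) -> bytes:
    """One-way function used to build the chain (SHA-256 is this sketch's choice)."""
    return hashlib.sha256(value).digest()


def build_chain(seed: bytes, max_metric: int, num_seq: int) -> list:
    """Return [h_0 .. h_n] with h_0 = seed, h_i = H(h_{i-1}), n = max_metric * num_seq.

    The origin keeps the chain secret and distributes only the anchor h_n
    over an authenticated channel.
    """
    chain = [seed]
    for _ in range(max_metric * num_seq):
        chain.append(H(chain[-1]))
    return chain


def element_index(seq: int, metric: int, max_metric: int, num_seq: int) -> int:
    """Chain position that vouches for (seq, metric).

    Newer sequence numbers map to positions closer to the secret seed, so they
    cannot be derived from anything disclosed earlier. Within one sequence
    number, a larger metric is one hash step further from the seed.
    """
    if not (1 <= seq <= num_seq and 0 <= metric < max_metric):
        raise ValueError("sequence number or metric out of range")
    return (num_seq - seq) * max_metric + metric


def verify(anchor, element, seq, metric, max_metric, num_seq) -> bool:
    """Hash the element forward to the anchor; accept only an exact match."""
    try:
        idx = element_index(seq, metric, max_metric, num_seq)
    except ValueError:
        return False
    value = element
    for _ in range(max_metric * num_seq - idx):
        value = H(value)
    return hmac.compare_digest(value, anchor)


def demo() -> dict:
    max_metric, num_seq = 4, 5                      # constructed parameters
    chain = build_chain(b"constructed-secret-seed", max_metric, num_seq)
    anchor = chain[-1]
    args = (max_metric, num_seq)

    # Origin advertises itself: sequence number 3, metric 0.
    at_origin = chain[element_index(3, 0, *args)]
    # Each honest hop hashes once before re-advertising with metric + 1.
    at_hop1 = H(at_origin)
    at_hop2 = H(at_hop1)

    return {
        "hop1_honest": verify(anchor, at_hop1, 3, 1, *args),
        # A node two hops away claims to be one hop away: it would need to invert H.
        "metric_deflation": verify(anchor, at_hop2, 3, 1, *args),
        # Reusing old material under a newer sequence number fails as well.
        "seq_inflation": verify(anchor, at_origin, 4, 0, *args),
        # Limitation: a node can always hash forward and claim a LARGER metric.
        "metric_inflation": verify(anchor, H(at_hop2), 3, 3, *args),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The chain only bounds the metric from below: a compromised node can still advertise a worse route than it has, which fits the report's remark that hash- and MAC-based schemes do not by themselves withstand node compromise.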


[SAVA00b] proposes a self-organized PKI suitable for mobile ad hoc networks. [MURP97] proposes securing OSPF with digital signatures.


Researchers have worked on providing an effective public key infrastructure in an ad-hoc wireless environment. Hubaux et al. [HUBA01] proposed a completely decentralized public-key distribution system similar to the PGP (Pretty Good Privacy) public-key cryptography software that has become the de facto standard for the encryption of electronic mail and data [ZIMM95]. Brown et al. [BROW00] showed how PGP is a viable option for wireless constrained devices. [YI01] proposes the use of digital signatures and shared key encryption to secure ad hoc routing protocols. Zhou and Haas [ZHOU99] use traditional security mechanisms, such as authentication protocols, digital signatures, and encryption to secure ad hoc networks. Besides that, they further take advantage of redundancies in the network topology (i.e., multiple routes between nodes) to achieve availability. They also propose another principle called distribution of trust. Although no single node is trustworthy in ad hoc networks because of low physical security and availability, trust can be distributed to an aggregation of nodes. Assuming it is unlikely that any set of t+1 nodes will be all compromised, consensus of at least t+1 nodes is trustworthy.


3. Securing the data plane:


IP routing is vulnerable to disruptions caused by malfunctioning or malicious attacks. Although secure routing protocols are an important defense, the data plane must be part of any complete solution. The approaches to secure the data plane can be broadly classified into two categories: passive monitoring and probing.


Passive monitoring does not produce additional traffic. Rather it listens to traffic that transits through a particular point on a network. At its simplest, counts are made of packets; in more sophisticated implementations, analysis is done by inspecting packet headers. Passive measurements are mainly used to measure metrics pertaining to a certain network element, e.g., at-a-point metrics such as link throughput, and packet size statistics. Some passive monitoring schemes are presented in [HUGH00, MIZR05]. The passive monitoring approach presented in [HUGH00] analyzes traffic at various points in the network. Inconsistency in ingress and egress traffic indicates potential problems. While [HUGH00] detects dropping of packets, Fatih [MIZR05] also considers other types of attacks like modification, substitution, reordering, and incorrect forwarding of packets. [LEE06] propose an approach where a subset of packets is sampled by routers and these packets are examined by an external engine.


Probing or active monitoring involves sending traffic onto a network to sample its behavior. This traffic is sent in the form of probes which can vary from simple probes such as pings to complex test transactions [NATU06, BROD02]. Probing is typically used to obtain end-to-end statistics such as latency, loss, and route availability. The main disadvantage of probing is its invasive character. Probes may modify route conditions and perturb the very traffic one is trying to monitor. To minimize these effects, probe streams of low average bandwidth are used. Some examples of probing approaches are secure traceroute and stealth probing. Secure traceroute [PADM02] sends probing packets to detect packet drop, modification, and incorrect forwarding of packets. Stealth probing [AVRA06] sends probing packets through an encrypted channel with normal packets, taking care to make probe packets indistinguishable from normal packets.


Below we look at both of these approaches in more detail. We also present a survey of research done in the field of active networks as a possible defense tool to secure the data plane attacks.



3.1 Passive monitoring:

[LEE06] propose a system to detect malicious routers that identifies suspicious routers when packets do not follow their predicted paths. The system works as part of a traffic measurement platform using packet sampling. Different subsets of packets are sampled over different groups of routers to ensure that an attacker cannot completely evade detection. The sampled packets are then examined by an external measurement engine.


Bradley et al. in the WATCHERS [BRAD98] project exploit the conservation of flow principle to propose a protocol for detecting and avoiding routers that are dropping or misrouting packets. The law of Conservation of Flow states that an input must either be absorbed or sent on as an output (possibly with modification). The conservation of flow is tested by letting routers periodically count and report the number of bytes which enter and leave their interfaces. This approach requires the presence of at least one good neighbor to an adversarial router. [HUGH00] reviews the WATCHERS protocol and discusses several attacks that defeat the protocol, followed with suggestions for improvements to make the use of Conservation of Flow valid. Fatih [MIZR05] considers other types of attacks including packet modification, substitution, mis-forwarding and reordering, by making routers compute hashes of packet content as well as ordering.
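
An added example, not the WATCHERS implementation: a simplified Python audit of one reporting round that first cross-checks the byte counters two neighbors keep for a shared link and then applies the conservation-of-flow test. The four packet classes, the topology, the tolerance parameter, and all counter values are constructed for illustration.

```python
def counters(T=0, S=0, D=0, L=0):
    """Byte counters for one directed link x -> y, by packet class:
    T: transit at both ends, S: sourced at x, D: destined to y, L: x to y only."""
    return {"T": T, "S": S, "D": D, "L": L}


def make_reports(truth, lies=None):
    """Both endpoints of a link keep their own copy of its counters.

    truth: {(x, y): counters}; lies: {(observer, (x, y)): counters} overrides
    what `observer` reports for that link.
    """
    reports = {}
    for (x, y), c in truth.items():
        for observer in (x, y):
            reports.setdefault(observer, {})[(x, y)] = dict(c)
    for (observer, link), c in (lies or {}).items():
        reports[observer][link] = dict(c)
    return reports


def disputed_links(reports):
    """Links whose two endpoints report different counters."""
    disputed = set()
    for observer, links in reports.items():
        for (x, y), c in links.items():
            other = y if observer == x else x
            if reports[other][(x, y)] != c:
                disputed.add((x, y))
    return disputed


def flow_balance(reports, router):
    """(bytes handed to router for forwarding, bytes it forwarded), both taken
    from the NEIGHBOURS' copies so the router under test cannot grade itself."""
    inflow = outflow = 0
    for (x, y) in reports[router]:
        if y == router:                      # link x -> router
            c = reports[x][(x, y)]
            inflow += c["T"] + c["S"]        # traffic not destined to router
        else:                                # link router -> y
            c = reports[y][(x, y)]
            outflow += c["T"] + c["D"]       # traffic not originated by router
    return inflow, outflow


def audit(reports, tolerance=0):
    """Return (disputed links, {router: missing bytes}).

    A disputed link means at least one endpoint misreports, so neither endpoint
    is graded by the flow test; the dispute itself is the finding.
    """
    disputed = disputed_links(reports)
    tainted = {r for link in disputed for r in link}
    violators = {}
    for router in reports:
        if router in tainted:
            continue
        inflow, outflow = flow_balance(reports, router)
        if inflow - outflow > tolerance:     # tolerance absorbs benign loss
            violators[router] = inflow - outflow
    return disputed, violators


# Constructed round: A sends 10000 bytes to D along A -> R -> B -> D; R drops 4000.
TRUTH = {
    ("A", "R"): counters(S=10000),
    ("R", "B"): counters(T=6000),
    ("B", "D"): counters(D=6000),
}


def scenario_honest_counters():
    """R drops traffic but reports what it really sent."""
    return audit(make_reports(TRUTH))


def scenario_forged_counters():
    """R drops traffic and claims it forwarded everything to B."""
    lies = {("R", ("R", "B")): counters(T=10000)}
    return audit(make_reports(TRUTH, lies))


if __name__ == "__main__":
    print("honest counters:", scenario_honest_counters())
    print("forged counters:", scenario_forged_counters())
```

In the forged case the flow test alone would blame both R and B, which is why the cross-check runs first and why the scheme depends on an adversarial router having at least one good neighbor.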


[MIZR05, BRAD98] uses a reliable traffic validation mechanism to build an anomalous behavior detector for compromised routers. The paper presents protocols where each router collects traffic information over some agreed-upon time interval, and then uses consensus to have other non-compromised routers agree upon traffic information. With this information, each router agrees upon which routers might be faulty.


In [MART00], a technique for wireless ad-hoc networks is proposed to enable a node to check if the neighboring node did in fact forward the packet onward without tampering with it. [MART00] proposes the use of promiscuous mode to make trusted nodes monitor their neighbors. The strategy does not work well when a node is not able to listen to its neighbor due to different modulations in multi-rate wireless networks. The method is also vulnerable to collaborating adversaries. This technique makes a strong assumption that nodes can hear the onward transmissions of their neighbors.


3.2 Probing:

[AVRA06] proposes a light-weight data-plane mechanism called stealth probing to monitor the availability of paths in a secure fashion. This approach addresses threats that arise when routers are compromised. Stealth probing creates an encrypted tunnel between two end-routers and diverts both the data and probe traffic into the tunnel. Since data and probe traffic are indistinguishable, the adversary cannot drop the data packets without dropping the probe packets as well, making it difficult to evade detection. Rather than requiring ubiquitous deployment, stealth probing deployment can be need-based to protect critical traffic between selected edge networks.



Secure traceroute [PADM02, MATH04] proposes another approach in which routers and end-hosts adaptively detect poorly performing routers and use a secure traceroute protocol to identify offending routers. The normal traceroute [MALK93] involves the sender simply sending packets with increasing TTL values, and waiting for an ICMP time-exceeded response from the node that receives the packet when the TTL expires. Normally this generates addresses of the nodes on the path to the destination or up to the point where packets are being dropped on a faulty link. However, a malicious router could alter the traceroute traffic to give a misleading impression. For instance, a malicious router can selectively allow only traceroute packets to go through while dropping all other traffic, or can misrepresent a fully functional path, or a path with problems elsewhere. Secure traceroute can prevent such disruptions by verifying the origin of responses, and preventing traceroute packets from being handled differently from ordinary traffic. The key idea behind secure traceroute is to securely trace the path of existing traffic, rather than special traceroute packets, to prevent an adversary from treating the probe traffic and normal traffic differently. Secure traceroute responses are also authenticated, to verify their origin and prevent spoofing and tampering.


Work on IP traceback [SAVA00a] solves a different problem related to the one addressed by secure traceroute. IP traceback determines which routers a specified subset of traffic traverses. The information provided by the routers is trusted. This approach is typically used to identify the attack traffic. Secure traceroute, on the other hand, is used to determine whether the traffic did in fact traverse a router.


Current network protocols do not have the capability to detect the malicious packet dropping attack. Link layer acknowledgments, such as in the IEEE 802.11 MAC protocol, can detect link layer break, but cannot detect forwarding level break. Upper layer acknowledgements, such as TCP ACKs, allow for detecting end-to-end communication break, but they can be inefficient. Also, they cannot detect the failure location. [JUST03] presents a proactive distributed probing technique to detect and mitigate the malicious packet dropping attack. In the proposed approach, every node proactively monitors the forwarding behavior of other nodes to detect if any of them fail to perform the forwarding function. Probes are made indistinguishable from the data traffic to prevent special treatment of probe packets by the malicious nodes.


[BURC00] outlines a technique to trace spoofed packets coming from DoS attackers back to their actual source. The approach is based on mapping the paths from the victim to all possible networks and then working back through the tree, loading lines or routers, observing changes in the rate of invading packets. The technique eventually allows elimination of all but a handful of networks that could be the source of the attacking packet stream.


Herzberg and Kutten in [HERZ00] have proposed the combined use of acknowledgements, timeouts, and fault announcements to detect packet forwarding faults. They present various protocols trading off the communication and time optimality. The protocols presented are in an abstract model. Some of the issues involved in the realization of these protocols are addressed in [AVRA04a, AVRA04b]. Nicephorus [AVRA04c] presents a Byzantine detection protocol and switches between the communication optimal and time optimal protocols based on the degree of penetration of the adversary in the network.


Secure forwarding protocols such as [AVRA04a, MIZR05, AWER02] provide availability monitoring and secure fault localization at the link level. However, such protocols lead to high overhead inappropriate for the general forwarding paradigm. [AVRA04a] proposes protocols that are able to route packets as long as at least one non-faulty path exists between the source and the destination. The protocol uses source routing, destination acknowledgments, timeouts, fault announcements, authentication, reserved buffers, sequence numbers, and round-robin scheduling to provide Byzantine robustness and detection. [AWER02] proposes an on-demand routing protocol for ad hoc wireless networks that provides resilience to Byzantine failures. It presents an adaptive probing technique that detects a malicious link after log n faults have occurred, where n is the path length. These links are then avoided by multiplicatively increasing their weights and by using an on-demand route discovery protocol that finds the least weight path to the destination. While [AWER02] proposes use of MACs and encryption, Nicephorus [AVRA04c] uses MACs and hashes for building Byzantine detection protocols.
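
An added example, not code from [AWER02]: a simplified Python simulation of fault localization that adds one probe point after each fault, followed by multiplicative weight increase and least-weight rerouting. The binary-search placement of probes, the doubling factor, the toy topology, and all names are assumptions of this sketch, and acknowledgments are assumed to be authenticated.

```python
import heapq


def localize_fault(path, link_is_faulty):
    """Narrow a forwarding fault on `path` down to one link.

    The source starts by requiring an acknowledgment only from the destination.
    Every fault (an expected ack that never arrives) adds one probe node halfway
    between the last node that acked and the first that did not, so a path of
    n links needs about log2(n) faults before a single link is isolated.
    Returns (link or None, number of faults observed).
    """
    last = len(path) - 1
    probes = {last}                      # path positions that must acknowledge
    faults = 0
    while True:
        reached = 0                      # furthest position the packet got to
        for i in range(last):
            if link_is_faulty(path[i], path[i + 1]):
                break
            reached = i + 1
        silent = sorted(p for p in probes if p > reached)
        if not silent:
            return None, faults          # every required ack arrived
        faults += 1
        hi = silent[0]
        lo = max((p for p in probes if p <= reached), default=0)
        if hi - lo == 1:
            return (path[lo], path[hi]), faults
        probes.add((lo + hi) // 2)


def least_weight_path(weights, src, dst):
    """Dijkstra over an undirected graph given as {(u, v): weight}."""
    graph = {}
    for (u, v), w in weights.items():
        graph.setdefault(u, []).append((v, w))
        graph.setdefault(v, []).append((u, w))
    heap, done = [(0, [src])], set()
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return path
        if node in done:
            continue
        done.add(node)
        for nxt, w in graph.get(node, []):
            if nxt not in done:
                heapq.heappush(heap, (cost + w, path + [nxt]))
    return None


def reroute(weights, src, dst, bad_link, factor=2, max_rounds=10):
    """Repeat: pick the least-weight path, localize, multiply the bad link's weight."""
    weights = dict(weights)
    history = []
    faulty = lambda u, v: {u, v} == set(bad_link)
    for _ in range(max_rounds):
        path = least_weight_path(weights, src, dst)
        link, faults = localize_fault(path, faulty)
        history.append((path, link, faults))
        if link is None:                 # current route forwards correctly
            break
        key = link if link in weights else (link[1], link[0])
        weights[key] *= factor
    return history


# Constructed topology: a short route through the faulty link b-c (cost 4)
# and a longer clean detour (cost 6).
WEIGHTS = {("S", "a"): 1, ("a", "b"): 1, ("b", "c"): 1, ("c", "D"): 1,
           ("S", "p"): 2, ("p", "q"): 2, ("q", "D"): 2}


def demo():
    return reroute(WEIGHTS, "S", "D", bad_link=("b", "c"))


if __name__ == "__main__":
    for path, link, faults in demo():
        print(" -> ".join(path), "| localized:", link, "| faults:", faults)
```

With these weights the faulty link has to be penalized twice before the detour becomes the least-weight route, which shows how the multiplicative increase trades a few extra faults for not abandoning a link on a single observation.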


3.3 Active networks:

Active networks integrated with probing techniques hold potential to provide effective monitoring solutions. In the past [TENN97], research has been done on active networks to develop an architecture in which network nodes perform customized computations on the messages flowing through them. Two approaches to active networks have been proposed, discrete and integrated. Programmable switches provide a discrete approach where the processing of the messages is architecturally separated from the business of injecting programs into the node. Users would first inject their custom processing routines into the required routers. Then they would send their packets through such programmable nodes. When a packet arrives at a node, its header is examined and the appropriate program is dispatched to operate on its contents. Capsules provide a more extreme view of active networks in which every message is a program. Every message, or capsule, that passes between nodes contains a program fragment that may include embedded data. When a capsule arrives at an active node, its contents are evaluated. Development of this infrastructure suggests development of common models for the program encoding, the built-in primitives available at each node, and the description and allocation of node resources.


Active networks [SCHW00] enable new applications that rely on the network based merging of information, user-aware network protection, and active network management. [WETH98] discusses the potential impact of active network services on applications and how such services can be built and deployed. It presents an architecture that adds extensibility at the network layer and allows for incremental deployment of active nodes within the network. [LEGE98] argues that the ability to introduce active protocols offers important opportunities for end-to-end performance improvement of distributed applications. It presents and analyzes the performance of an active network protocol that uses caching within the network backbone to reduce load on both servers and backbone routers.


4. Promising directions for future research:


Despite all the research done so far, current networks are still vulnerable to a variety of malicious attacks. There are several reasons that account for this network state. The attacks manifest themselves in innovative ways, defeating the mechanisms that defend against a specific attack. Secondly, there is lack of deployment incentive for these defenses. The amount of instrumentation involved and the added overhead also cause a resistance against large scale deployment of the solutions. With increasing usage of wireless networks, attackers are exploiting new vulnerabilities in the network. Thus there is a need to develop more robust solutions to defend against these attacks. In this section, we discuss some potential directions to develop such defenses.



The end-to-end nature and inherent probe selection flexibility of probing techniques provide potentially light-weight yet effective solutions. A possible research direction could be to develop innovative probes that not just detect availability, but also compute various performance metrics. One possible direction is to integrate probing techniques with active networks, where probes could carry instructions to run specific routines at specific nodes. Another approach could be to make probes carry self-executable code with them to run on the destination nodes. Such powerful tools could provide innovative and robust solutions to defend against many intelligent intrusions and DDoS attacks. A specific example of such probing techniques is to use probes that instruct a few selected nodes to probabilistically drop or delay packets for a certain period of time. This technique can help to detect false reporting of statistics by compromised nodes. More research is needed to test the effectiveness of this scheme.


Another avenue of research worth exploring is to prevent compromised nodes from detecting probe traffic, either by explicitly viewing the contents of packets passing through them or through an analysis of traffic patterns. Use of encrypted tunnels can prevent snooping by intermediate nodes, but has high overhead so it may not be desirable to use for all traffic. A promising direction of research is to send probe traffic in the form of ripples through different paths to prevent an attacker from correlating traffic patterns.


Both active probing and passive monitoring techniques have their own strengths and weaknesses. However, the approaches complement each other in certain ways. An integrated active probing and passive monitoring solution can provide a sophisticated solution against many malicious attacks. Passive monitoring techniques could provide fine-grained monitoring of per node performance parameters, while active probing could provide an efficient correlation and analysis of the collected information.


With increasing usage of wireless networks and presence of dynamic environments like MANETs, it is very important to develop solutions that can adapt to changing network conditions [NATU05]. This presents a need to develop an adaptive network monitoring architecture. It would be interesting to explore solutions that could work with less or even no topology information.


5. Conclusion:


In this report, we presented a survey of previous research done on securing communication against malicious attacks. We presented various security measures proposed to secure the routing protocols. We then discussed various passive monitoring and probing approaches proposed to secure the data plane. We then concluded with a discussion of promising directions for future research to develop effective means to secure communication in today's dynamic environment of wireless networks.


The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied of the Army Research Laboratory or the U.S. Government.


References:


[AVRA04
a] I. Avramopoulos, H. Kobayashi, R. Wang, and A. Krishnamurthy,
“Highly Secure and E
fficient Routing”, In Proc. IEEE Infocom, Mar. 2004
.


[AVRA04
b] I. Avramopoulos, H. Kobayashi, R. Wang, and A. Krishnamurthy,
“Amendment to Highly Secure and Efficient Routing,” Feb. 2004. Addendum to
[AVRA04
a]
.


[AVRA04
c] I. Avramopoulos, A. Krishnamurthy
,

H. Kobayashi, and R.
Y. Wang,
“Nicephorus: Striking a Balance between the Recovery Capability and the Overhead
of Byzantine Detection,” Technical Report TR
-
710
-
04, Dept. of Computer Science,
Princeton University,
Princeton, NJ,
Oct. 2004.


[AVRA06] I. Avr
amopoulos and J. Rexford, “Stealth Probing: Efficient Data
-
Plane
Security for IP Routing,” In Proc. USENIX Annual Technical Conference, Boston,
MA, May 2006
.


[AWER02] B. Awerbuch, D. Holmer, C. Nita
-
Rotaru, and H. Rubens, “An On
-
Demand Secure Routing Prot
ocol Resilient to Byzantine Failures”, In Proc. ACM
Workshop on Wireless Security, Sep. 2002
.


[BAKE97] F. Baker and R. Atkinson, “RIP
-
2 MD5 Authentication,” RFC 2082, Jan.
1997.


[BASA01] S. Basagni, K. Herrin, E. Rosti, and D. Bruschi, “Secure Pebblenets
,” In
ACM International Symposium on Mobile Ad Hoc Networking and Comp
uting
(MobiHoc 2001), pages 156
-
163, Long Beach, CA, Oct.

2001.


11

[BRAD98] K. A. Bradley, S. Cheung, N. Puketza, B. Mukherjee, and R. A. Olsson, “Detecting Disruptive Routers: A Distributed Network Monitoring Approach,” In Proc. of the 1998 IEEE Symposium on Security and Privacy, pp. 115-124, May 1998.


[BROD02] M. Brodie, I. Rish, S. Ma, G. Grabarnik, and N. Odintsova. “Active probing,” Technical report, IBM Research Labs, 2002.


[BROW00] M. Brown, D. Cheung, D. Hankerson, J. Hernandez, M. Kirkup, and A. Menezes, “PGP in constrained wireless devices,” in the 9th USENIX Security Symposium, USENIX, Aug. 2000.


[BURC00] H. Burch and B. Cheswick, “Tracing Anonymous Packets to Their Approximate Source”, 2000 Usenix LISA conference, New Orleans.


[CHEU97] S. Cheung, “An Efficient Message Authentication Scheme for Link State
Routing,” In 13th Annual Computer Security Applications Conference, 1997.


[DAHI01] B. Dahill, B. Levine, C. Shields, and E. Royer, “A Secure routing protocol for ad hoc networks,” Technical Report 01-37, Department of Computer Science, University of Massachusetts, Amherst, MA, Aug. 2001.


[GOOD01] M. T. Goodrich, “Efficient and secure network routing algorithms,” Provisional patent filing, Jan. 2001.


[GOOD03] G. Goodell, W. Aiello, T. Griffin, J. Ioannidis, P. McDaniel, and A. Rubin, “Working around BGP: An incremental approach to improving security and accuracy of interdomain routing,” In Proc. Network and Distributed System Security Symposium, NDSS 03, San Diego, CA, Feb. 2003.


[HAUS97] R. Hauser, A. Przygienda, and G. Tsudik, “Reducing the Cost of Security in Link State Routing,” In Symposium on Network and Distributed Systems Security (NDSS 97), pages 93-99, Feb. 1997.


[HEFF98] A. Heffernan, “Protection of BGP Sessions via the TCP MD5 Signature Option,” RFC 2385, Aug. 1998.


[HERZ00] A. Herzberg and S. Kutten, “Early Detection of Message Forwarding Faults,” SIAM Journal on Computing, Vol. 30, No. 4, pages 1169-1196, 2000.


[HU00] Y.-C. Hu, A. Perrig, and M. Sirbu, “SPV: A Secure Path Vector Routing Scheme for Securing BGP,” In Proc. ACM SIGCOMM, Sep. 2004.


[HU02] Y.-C. Hu, A. Perrig, and D. B. Johnson, “SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks,” IEEE WMCSA 2002, June 2002.


[HU98] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Wireless Ad Hoc Networks,” Technical Report TR01-383, Department of Computer Science, Rice University, Dec. 2001.


[HUBA01] J.-P. Hubaux, L. Buttyan, and S. Capkun, “The Quest for Security in Mobile Ad Hoc Networks,” in the 2nd ACM Symposium on Mobile Ad Hoc Networking and Computing, Oct. 2001.


[HUGH00] J. R. Hughes, T. Aura, and M. Bishop, “Using Conservation of Flow as a Security Mechanism in Network Protocols,” 2000 IEEE Symposium on Security and Privacy (S&P 2000), 2000.


[JOHN01] D.B. Johnson, D. A. Maltz, and J. Broch, “DSR: The Dynamic Source Routing Protocol for Multi-Hop Wireless Ad Hoc Networks,” in Ad Hoc Networking, ch. 5, pp. 139-172, Addison-Wesley, 2001.


[JUST03] M. Just, E. Kranakis, and T. Wan, “Resisting malicious packet dropping in wireless ad-hoc networks using distributed probing,” in Proceedings of ADHOC-NOW ’03, Oct. 2003.


[KENT00] S. Kent, C. Lynn, and K. Seo. “Secure Border Gateway Protocol (Secure-BGP)”, IEEE Journal on Selected Areas in Communications, Vol. 18 No. 4, pages 582-592, Apr. 2000.


[KRUU06] P. Kruus, D. Sterne, R. Gopaul, M. Heyman, B. Rivera, P. Budulas, B. Luu, T. Johnson, and N. Ivanic, “In Band Wormholes and Countermeasures in OLSR Networks,” SecureComm2006, Baltimore, MD, Aug. 2006.


[LEE06] S. Lee, T. Wong, and H. Kim, “Secure Split Assignment Trajectory Sampling: A Malicious Router Detection System,” in Proceedings of IEEE Conference on Dependable Systems and Networks (DSN), June 2006.


[LEGE98] U. Legedza, D. Wetherall, and J. Guttag, “Improving the Performance of Distributed Applications Using Active Networks,” In Proceedings of IEEE INFOCOM 1998, pages 590-599, 1998.


[MALK93] G. Malkin, “Traceroute Using an IP Option”, RFC 1393, Jan. 1993.


[MALK94] G. S. Malkin, “RIP Version 2 Protocol Applicability Statement”, RFC 1722, Nov. 1994.


[MART00] S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks”, ACM Mobicom 2000, Aug. 2000.


[MATH04] G. Mathur, V. Padmanabhan, and D. Simon, “Secure Routing in Open Networks Using Secure Traceroute,” Technical Report MSR-TR-2004-66, Microsoft Research, Jul. 2004.


[MERI95] MERIT Network Inc., “Routing Arbiter for the NSFNET and the NREN, First Annual Report,” Apr. 1995.


[MIZR05] A. Mizrak, Y.-C. Cheng, K. Marzullo, and S. Savage, “Fatih: Detecting Malicious Routers,” In Proc. International Conference on Dependable Systems and Networks, Jun. 2005.


[MURP96] S.L. Murphy and M. R. Badger, “Digital signature protection of the OSPF routing protocol,” in Symposium on Networks and Distributed Systems Security, 1996.


[MURP97] S. Murphy, M. Badger, and B. Wellington, “OSPF with digital signatures,” RFC 2154, Jun. 1997.


[NATU05] M. Natu and A.S. Sethi, “Adaptive Fault Localization for Mobile, Ad-Hoc Battlefield Networks.” Proc. Milcom-2005, IEEE Military Communications Conference, Atlantic City, NJ, Oct. 2005.


[NATU06] M. Natu and A.S. Sethi, “Active Probing Approach for Fault Localization in Computer Networks.” Proc. End-to-End Monitoring Workshop, Vancouver, B.C., Canada, Apr. 2006.


[PADM02] V. Padmanabhan and D. Simon, “Secure Traceroute to Detect Faulty or Malicious Routing,” In Proc. ACM SIGCOMM HotNets Workshop, Oct. 2002.


[PAPA02] P. Papadimitratos and Z. Haas, “Secure routing for mobile ad hoc networks,” in SCS Communication Networks and Distributed Modeling and Simulation Conference, pages 27-31, Jan. 2002.


[PERK00] C.E. Perkins and E. M. Royer, “Ad hoc Networking”, In Ad hoc On-Demand Distance Vector Routing. Addison-Wesley, 2000.


[PERL88] R. Perlman, “Network Layer Protocols with Byzantine Robustness,” Ph.D. Thesis, Department of Electrical Engineering and Computer Science, MIT, Aug. 1988.


[PERL99] R. Perlman, “Interconnections: Bridges, Routers, Switches, and Internetworking Protocols”, Addison-Wesley Professional Computing Series, Second edition, 1999.


[PERR01] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, “SPINS: Security Protocols for Sensor Networks,” In Seventh Annual ACM International Conference on Mobile Computing and Networks (MobiCom 2001), Rome, Italy, July 2001.


[QU97] D. Qu, B. M. Vetter, F. Wang, R. Narayan, S.F. Wu, Y. F. Jou, F. Gong, and C. Sargor, “Statistical anomaly detection for link-state routing protocols,” in IEEE Symposium on Security and Privacy (5 Minutes), May 1997.


[SAVA00a] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical Network Support for IP Traceback,” ACM SIGCOMM 2000, Aug. 2000.


[SAVA00b] S. Savage, D. Wetherall, A. Karlin, and T. Anderson. “Practical Network Support for IP Traceback”, ACM SIGCOMM 2000, Aug. 2000.


[SCHW00] B. Schwartz, A.W. Jackson, W.T. Strayer, W. Zhou, R. D. Rockwell, and C. Partridge, “Smart Packets: Applying Active Networks to Network Management,” ACM Transactions on Computer Systems, Vol. 18, No. 1, 2000, pp. 67-88.


[SMIT97] B. Smith, S. Murthy, and J. Garcia-Luna-Aceves, “Securing Distance Vector Routing Protocols,” In Proc. Symposium on Network and Distributed System Security, NDSS '96, San Diego, CA, 1997.


[SMIT98] B. Smith and J. Garcia-Luna-Aceves, “Efficient security mechanisms for the Border Gateway Routing Protocol,” Computer Communications (Elsevier), Vol. 21 No. 3, pages 203-210, 1998.


[SUBR04] L. Subramanian, V. Roth, I. Sanchez, S. Shenker, and R. Katz, “Listen and Whisper: Security mechanisms for BGP,” In Proc. Symposium on Networked System Design and Implementation, Mar. 2004.


[TENN97] D. Tennenhouse, J. Smith, W. Sincoskie, D. Wetherall, and G. Minden, “A survey of active network research,” IEEE Communications Magazine, Vol. 35 No. 1, pages 80-86, Jan. 1997.


[WETH98] D. Wetherall, U. Legedza, and J. Guttag, “Introducing New Internet Services: Why and How,” IEEE Network, July/August 1998.


[WU97] S.F. Wu, F.Y. Wang, B.M. Vetter, W.R. Cleaveland, Y. F. Jou, F. Gong, and C. Sargor, “Intrusion detection for link-state routing protocols,” in IEEE Symposium on Security and Privacy, 1997.


[WU99] S. Wu, H. Chang, D. Qu, F.W. F. Jou, F. Gong, C. Sargor, and R. Cleaveland, “JiNao: Design and implementation of a scalable intrusion detection system for the OSPF routing protocol,” Journal of Computer Networks and ISDN Systems, 1999.


[YI01] S. Yi, P. Naldurg, and R. Kravets, “Security aware ad hoc routing for wireless networks,” in the 2nd ACM Symposium on Mobile Ad Hoc Networking and Computing, Oct. 2001.


[ZAPA01] M. G. Zapata, “Secure Ad hoc On-Demand Distance Vector (SAODV) Routing,” IETF Internet Draft, Aug. 2001.


[ZHAN98] K. Zhang, “Efficient protocols for signing routing messages,” in Symposium on Networks and Distributed Systems Security, 1998.


[ZHOU99] L. Zhou and Z. Haas, “Securing Ad Hoc Networks,” IEEE Network, Vol. 13 No. 6, Nov./Dec. 1999.


[ZHU02] D. Zhu, M. Gritter, and D. Cheriton, “Feedback based routing,” In Proc. ACM SIGCOMM HotNets Workshop, Oct. 2002.


[ZIMM95] P. Zimmermann, “The Official PGP User's Guide,” MIT Press, 1995.