Publication


Featured research published by Jens Tölle.


local computer networks | 2007

Detecting Black Hole Attacks in Tactical MANETs using Topology Graphs

Elmar Gerhards-Padilla; Nils Aschenbruck; Peter Martini; Marko Jahnke; Jens Tölle

Black hole attacks are a serious threat to communication in tactical MANETs. In this work we present TOGBAD, a new centralised approach using topology graphs to identify nodes attempting to create a black hole. We use well-established techniques to gain knowledge about the network topology and use this knowledge to perform plausibility checks of the routing information propagated by the nodes in the network. We consider a node generating fake routing information as malicious. Therefore, we trigger an alarm if the plausibility check fails. Furthermore, we present promising first simulation results. With our new approach, it is possible to already detect the attempt to create a black hole before the actual impact occurs.


local computer networks | 2004

Human mobility in MANET disaster area simulation - a realistic approach

Nils Aschenbruck; Matthias Frank; Peter Martini; Jens Tölle

Disaster areas have been figured out as a typical usage scenario for mobile wireless ad-hoc networks (MANETs). In contrast to this, there are no specific mobility or traffic models for MANETs. We present a realistic approach to realize mobility in disaster areas based on tactical issues of civil protection. The new model is analyzed and compared to Gauss-Markov and random waypoint mobility models. Furthermore, we present first simulation results. The mobility model analysis as well as the simulation are based on two real disasters that occurred in Germany in 1999 and 2001. We show that disaster area scenarios have specific characteristics. Thus, they should be considered in MANET performance evaluation.


workshop on parallel and distributed simulation | 1997

Tolerant synchronization for distributed simulations of interconnected computer networks

Peter Martini; Markus Rümekasten; Jens Tölle

This paper presents the tolerant, hybrid synchronization schema and its benefits for the parallel and distributed simulation of interconnected computer networks. The hybrid schema combines conservative and optimistic synchronization approaches by using lookahead for scheduling special events and using the flexibility of Time Warp in certain cases. In addition to these classical approaches the introduction of the "tolerance" allows the distributed modules to simulate further ahead than guaranteed by the conservative synchronization schema. This results in significantly smaller simulation runtimes and many other benefits.


2011 Defense Science Research Conference and Expo (DSR) | 2011

From detection to reaction - A holistic approach to cyber defense

Gabriel Klein; Jens Tölle; Peter Martini

The cyber defense context includes various activities that are often investigated and discussed individually. The process from the detection of a threat to its eventual treatment clearly resembles other decision-making paradigms. By aligning the cyber defense process to the well-known OODA loop, in which the activities in one phase of the loop are prerequisites for those in other phases, situational awareness with respect to information assurance can be established.


military communications conference | 2006

Impact of Sanitized Message Flows in a Cooperative Intrusion Warning System

Jens Tölle; Marko Jahnke; Nils gentschen Felde; Peter Martini

This paper discusses the side effects of sanitizing IT security event messages in a cooperative multi-domain intrusion warning system (IWS). To enhance detection capabilities of conventional IT security tools like intrusion detection systems (IDS), virus scanners and packet filters, a centralized, so-called intrusion warning system can be deployed, which collects and analyzes event messages from the different domains. Additionally, the IWS informs the domains about potentially critical situations which might not be covered by the existing tools due to technical limitations, heterogeneous security policies or differences in configuration. The architecture of an IWS relies on centralized storage and analysis components, while the event messages are collected and preprocessed by distributed entities which are under the operational control of the respective domains. In cooperation scenarios like military coalition environments (CEs, e.g. NATO, KFOR, SFOR), potentially confidential or sensitive information still needs to be concealed from the CE partners, as defined by existing information sharing policies. This also holds for the information contained in IDS event messages, since there might be specifications of network addresses and topologies, of products or vendors, of applications and security systems included in the messages. Thus, for enabling a CE wide cooperation of IT security systems, appropriate information sanitizing techniques need to be applied before sharing any security relevant information. This might lead to a negative impact on the centralized analysis capabilities, since potentially important information might be dropped from the messages. In this paper, the impact of sanitizing event message flows in a cooperative IWS is studied by examining the behaviour of an IWS when feeding it with real-life event messages combined with artificial events from an Internet worm spreading simulation. 
The worm detection capabilities of the analysis components are determined in a multi-domain setup for both situations, with and without applying information sanitizing mechanisms on the event message flow.


international conference on detection of intrusions and malware and vulnerability assessment | 2006

A robust SNMP based infrastructure for intrusion detection and response in tactical MANETs

Marko Jahnke; Jens Tölle; Sascha Lettgen; Michael Bussmann; Uwe Weddige

Intrusion Detection Systems (IDS) for adhoc networks need secure, reliable, flexible, and lightweight infrastructures for exchanging available sensor data and security event messages. Cooperation is a major concept of Mobile Adhoc Networks (MANETs). Cooperation of intrusion detection components may also help to protect these networks. The approaches and component infrastructures have to consider bandwidth restrictions and highly dynamic network behaviour. Unfortunately, existing infrastructures and communication protocols have some drawbacks for these kinds of environments. This paper describes a robust SNMPv3 (Simple Network Management Protocol) based implementation of an IDS infrastructure that connects the components of a generic MANET IDS architecture. This implementation is focused on the requirements of a military tactical scenario. For instance, the adherence to the bandwidth constraints has been shown in a traffic simulation, including all relevant protocols and other properties of a specific tactical MANET scenario and its nodes.


DIMVA | 2004

Komponenten für kooperative Intrusion-Detection in dynamischen Koalitionsumgebungen [Components for Cooperative Intrusion Detection in Dynamic Coalition Environments]

Marko Jahnke; Martin Lies; Sven Henkel; Michael Bussmann; Jens Tölle

Coalition environments are meant to give all cooperating members an advantage in pursuing a common goal. This holds for a wide range of application areas, such as cooperating law enforcement agencies, commercial enterprises or armed forces. In detecting security-relevant events in networked computer systems, too, cooperation is expected to yield improved detection capability as well as a fast and coordinated response to intrusion attempts. This paper presents several practice-oriented tools for the coalition-wide interconnection of security tools that produce event messages, which help solve key problems of the application scenario: Early anomaly warning – a graph-based anomaly detector is used as an adaptive early-warning module for large-scale and coordinated attacks, e.g. Internet worms. Information filtering – messages are modified (in particular anonymised or pseudonymised) on leaving the local domain in accordance with the domain-specific information sharing policies. Data reduction – additional filters for data reduction based on predefined dependency rules improve the manageability of the data flow. The functionality of these components is currently being demonstrated in the form of a prototype implementation of a meta-IDS for dynamic coalition environments.


Third IEEE International Workshop on Information Assurance (IWIA'05) | 2005

Meta IDS environments: an event message anomaly detection approach

Jens Tölle; Marko Jahnke; Michael Bussmann; Sven Henkel

This paper presents an anomaly detection approach for application in Meta IDS environments, where locally generated event messages from several domains are centrally processed. The basic approach has been successfully used for detection of abnormal traffic structures in computer networks. It creates directed graphs from address specifications contained within event messages and generates clusterings of the graphs. Large differences between subsequent clusterings indicate anomalies. This anomaly detection approach is part of an intrusion warning system (IWS) for dynamic coalition environments. It is designed to indicate suspicious actions and tendencies and to provide decision support on how to react to anomalies. Real-world data, mixed with data from a simulated Internet worm, is used to analyze the system. The results prove the applicability of our approach.


international conference on communications | 2004

Integration of 3G Protocols into the Linux Kernel to Enable the Use of Generic Bearers

Nils Aschenbruck; Matthias Frank; Wolfgang Hansmann; Peter Martini; Christoph Scholz; Jens Tölle

The General Packet Radio Service (GPRS) is widely deployed in second and third generation mobile cellular networks. Special benefits of GPRS are mobility management as well as support of authentication, authorization, and accounting (AAA). However, the data rates of GPRS are low and the price is high, compared to wired networks or Wireless LAN. Furthermore, Wireless LAN hotspots are starting to sprout. While Wireless LAN in fact offers high data rates, it lacks a standard for billing and roaming. One solution is to combine both technologies, GPRS and Wireless LAN. The resulting system would offer Wireless LAN’s higher bandwidth, while keeping GPRS’ sophisticated billing and roaming support. Wireless inter-system roaming supporting seamless handovers could be a benefit beyond. In this paper we present the first step of combining Wireless LAN and GPRS, by integrating the GPRS protocol stack into the Linux kernel. In addition to the integration we present evaluation results and improvements, concerning the choice of GPRS parameters.


international conference on communications | 2001

Visualization of traffic structures

Oliver Niggemann; Benno Stein; Jens Tölle

An in-depth analysis of traffic data provides valuable insights into network traffic structures. This paper presents both methods for such an in-depth analysis and their implementation within the system STRUCTUREMINER. Moreover, it is shown in which way the analysis performed by STRUCTUREMINER can be used to tackle several administrative network tasks.

Collaboration

Top Co-Authors

Oliver Niggemann

Ostwestfalen-Lippe University of Applied Sciences
