
Publication


Featured research published by Randy C. Marchany.


military communications conference | 2011

MT6D: A Moving Target IPv6 Defense

Matthew Dunlop; Stephen Groat; William Urbanski; Randy C. Marchany; Joseph G. Tront

The Internet Protocol version 6 (IPv6) brings with it a seemingly endless supply of network addresses. It does not, however, solve many of the vulnerabilities that existed in Internet Protocol version 4 (IPv4). In fact, privacy-related crimes in IPv6 are made easier due to the way IPv6 addresses are formed. We developed a Moving Target IPv6 Defense (MT6D) that leverages the immense address space of IPv6. The two goals of MT6D are maintaining user privacy and protecting against targeted network attacks. These goals are achieved by repeatedly rotating the addresses of both the sender and receiver. Address rotation occurs, regardless of the state of ongoing sessions, to prevent an attacker from discovering the identities of the two communicating hosts. Rotating addresses mid-session prevents an attacker from even determining that the same two hosts are communicating. The continuously changing addresses also force an attacker to repeatedly reacquire the target node before he or she can launch a successful network attack. Our proof of concept demonstrates the feasibility of MT6D and its ability to seamlessly bind new IPv6 addresses. We also demonstrate MT6D's ability to rotate addresses mid-session without dropping or renegotiating sessions. Since MT6D operates at the network layer of the protocol stack, it provides a powerful moving target solution that is both platform and application independent.


hawaii international conference on system sciences | 2008

Mobile Device Profiling and Intrusion Detection Using Smart Batteries

Timothy K. Buennemeyer; Theresa M. Nelson; Lee M. Clagett; John Paul Dunning; Randy C. Marchany; Joseph G. Tront

This paper introduces capabilities developed for a battery-sensing intrusion protection system (B-SIPS) for mobile computers, which alerts when abnormal current changes are detected. The intrusion detection system's (IDS's) IEEE 802.15.1 (Bluetooth) and 802.11 (Wi-Fi) capabilities are enhanced with iterative safe process checking, wireless connection determination, and an automated intrusion protection disconnect ability. The correlation intrusion detection engine (CIDE) provides power profiling for mobile devices and a correlated view of B-SIPS and Snort alerts. An examination of smart battery drain times was conducted to ascertain the optimal transmission rate for the B-SIPS client. A 10 second reporting rate was used to assess 9 device types, which were then compared with their corresponding baseline battery lifetime. Lastly, an extensive usability study was conducted to improve the B-SIPS client and CIDE features. The 31 expert participants provided feedback and data useful for validating the system's viability as a complementary IDS for mobile devices.


2007 IEEE International Conference on Portable Information Devices | 2007

Battery Exhaustion Attack Detection with Small Handheld Mobile Computers

Timothy K. Buennemeyer; Michael A. Gora; Randy C. Marchany; Joseph G. Tront

This paper describes a unique battery-sensing intrusion protection system (B-SIPS) for mobile computers, which alerts on power changes detected on small wireless devices, using an innovative Dynamic Threshold Calculation algorithm. B-SIPS enabled hosts are employed as sensors in a wireless network and form the basis of the intrusion detection system (IDS). B-SIPS implementation correlates device power consumption with IEEE 802.11 Wi-Fi and 802.15.1 Bluetooth communication activity. This battery exhaustion, Wi-Fi, and Bluetooth attack detection capability is scalable and complementary with existing commercial and open system network IDSs. Irregular and attack activity is detected and reported to an intrusion detection engine for correlation with existing trace signatures in a database and for forensic investigation by a security manager.


Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004. | 2004

Battery-based intrusion detection a first line of defense

Grant A. Jacoby; Randy C. Marchany; Nathaniel J. Davis

This paper proposes a first line of defense early warning system via a host-based form of intrusion detection that can alert security administrators to protect their corporate network(s). This innovative technique operates through the implementation of battery-based intrusion detection (B-bid) on mobile devices by correlating attacks with their impact on device power consumption using a rule-based host intrusion detection engine (HIDE). HIDE monitors power behavior to detect potential intrusions by noting irregularities of power consumption and works in conjunction with a host analysis signature trace engine (HASTE) to provide protection to both mobile hosts and, by extension, their affiliated network.


ieee symposium on security and privacy | 2006

Using Battery Constraints within Mobile Hosts to Improve Network Security

Grant A. Jacoby; Randy C. Marchany; Nathaniel J. Davis

Distributed battery-based intrusion detection (B-BID) is an efficacious early-warning system that can complement existing intrusion detection systems (IDSs) by alerting users to protect their mobile devices as well as network administrators to protect their corporate networks by correlating device power consumption with application and attack activity data.


ieee pes innovative smart grid technologies conference | 2012

Using an IPv6 moving target defense to protect the Smart Grid

Stephen Groat; Matthew Dunlop; William Urbanski; Randy C. Marchany; Joseph G. Tront

As advanced Internet Protocol (IP)-based communication systems are proposed for the Smart Grid, security solutions must be developed which address not only the security of the communications, but also the security of the communicating systems. To support the large number of hosts required for the Smart Grid on an IP network, the new Internet Protocol version 6 (IPv6) must be leveraged. Unfortunately, IPv6 inherits the majority of Internet Protocol version 4 (IPv4) vulnerabilities as well as adds new address-based exploits. The embedded systems necessary for Smart Grid deployments using IP communications will be especially vulnerable to attacks due to their limited system resources. A moving target defense not only secures the communications between peers, but also prevents the peers from being located for attack. Implementing security at the network layer mitigates most IP-specific exploits and allows for solutions to be integrated with minimal impact to existing Smart Grid systems, thus reducing costs and increasing reliability. By using a network layer moving target defense, hosts cannot be located for exploitation and secure connectivity is maintained with trusted peers. A robust Smart Grid network must be capable of proactive defense so that components are not consumed with defending incoming attacks. A solution which implements a proactive network layer defense called the Moving Target IPv6 Defense (MT6D) is offered as a potential solution for secure Smart Grid communications.


hawaii international conference on system sciences | 2007

Battery-Sensing Intrusion Protection for Wireless Handheld Computers Using a Dynamic Threshold Calculation Algorithm for Attack Detection

Timothy K. Buennemeyer; Faiz Munshi; Randy C. Marchany; Joseph G. Tront

This paper proposes a pioneering battery-sensing intrusion protection system (B-SIPS) for mobile computers, which alerts on power changes detected on small wireless devices, using an innovative dynamic threshold calculation algorithm. B-SIPS enabled hosts are employed as sensors in a wireless network and form the basis of the intrusion detection system (IDS). This detection capability is scalable and complementary with existing commercial and open system network IDSs. B-SIPS implementation correlates device power consumption with IEEE 802.11 Wi-Fi and 802.15.1 Bluetooth communication activity. Irregular and attack activity is detected and reported to the intrusion detection engine for correlation with existing signatures in a database and for forensic investigation by a security manager.


cyber security and information intelligence research workshop | 2010

The privacy implications of stateless IPv6 addressing

Stephen Groat; Matthew Dunlop; Randy C. Marchany; Joseph G. Tront

Current implementations of the Internet Protocol version 6 (IPv6) use a static value determined from the Media Access Control (MAC) address as the host portion, or interface identifier (IID), of the IPv6 address. Some implementations create the IID using the MAC unobscured, while others compute a one-time hash value involving the MAC. As a result of this deterministic address assignment, the IID of the address is the same, regardless of the network the node accesses. This IID assignment provides interested parties (whether malicious or not) with the ability to easily track a node's physical location using simple tools such as ping and traceroute. Additionally, a static IID provides a means to correlate network traffic with a specific user. This is accomplished through a combination of filtering of the static IID and traffic analysis. The serious breaches in privacy caused by a static IID should be addressed before deployment of IPv6 becomes widespread.


international conference for internet technology and secured transactions | 2014

Scaling IPv6 address bindings in support of a moving target defense

Christopher Morrell; J. Scot Ransbottom; Randy C. Marchany; Joseph G. Tront

Moving target defense is an area of network security research in which machines are moved logically around a network in order to avoid detection. This is done by leveraging the immense size of the IPv6 address space and the statistical improbability of two machines selecting the same IPv6 address. This defensive technique forces a malicious actor to focus on the reconnaissance phase of their attack rather than focusing only on finding holes in a machine's static defenses. We have a current implementation of an IPv6 moving target defense entitled MT6D, which works well, although it is limited to functioning in a peer-to-peer scenario. As we push our research forward into client-server networks, we must discover what the limits are in reference to the client-server ratio. In our current implementation of a simple UDP echo server that binds large numbers of IPv6 addresses to the Ethernet interface, we discover limits in both the number of addresses that we can successfully bind to an interface and the speed at which UDP requests can be successfully handled across a large number of bound interfaces.


information assurance and security | 2007

Battery Polling and Trace Determination for Bluetooth Attack Detection in Mobile Devices

Timothy K. Buennemeyer; Theresa M. Nelson; Michael A. Gora; Randy C. Marchany; Joseph G. Tront

This paper introduces a supporting model for a unique battery-sensing intrusion protection system (B-SIPS) for mobile computers, which alerts when power changes are detected on small wireless devices. An analytical model is employed to examine the smart battery characteristics to support the theoretical intrusion detection limits and capabilities of B-SIPS. This research explores the modification of the smart battery polling rates in conjunction with the variance of malicious network activity. Using the results from a previous study of optimized static polling rates to create minimum and maximum thresholds, a dynamic polling rate algorithm was devised. This algorithm allowed the smart battery to gauge the network's illicit attack density and adjust its polling rate to efficiently detect attacks, while conserving battery charge life. Lastly, a trace signature methodology is presented that characterizes unique activity for IEEE 802.15.1 (Bluetooth) attack identification.
