
Chapter 6 Case Studies

We validate our network security assessment methods by case studies. For assessing network security from the viewpoint of external attacks, we demonstrate the effectiveness and feasibility of our wireless risk assessment method with two examples. In Example I, we assess the risks of two different networks and then launch a practical eavesdropping attack against them; the measured risk values are consistent with the actual attack results. Example II illustrates how our method handles wireless dynamics by introducing configuration snapshots of a wireless network taken at different points in time. For assessing network security against internal attacks, Example III and Example IV explain how our framework formalizes and evaluates a control-flow obfuscating transformation; the capability and the overhead of such a transformation can be effectively estimated by our framework.

The symbols used in this chapter are the same as those defined in Section 3.1, Section 4.1 and Section 5.1.

6.1 Case Study of Wireless Risk Assessment

This section describes two examples that validate our wireless risk assessment method. In these examples, we first build a risk analytic hierarchy and then develop the experience mapping tables that determine the risk levels of configurations, the probabilities of acquiring device configurations, and so on. With the hierarchy and the tables, our assessment algorithm derives the risk values.

6.1.1 Establish Risk Model

To build a four-layer risk hierarchy, an administrator needs to select and analyze the attacks possible in a wireless network. In the following two examples, we consider 12 known wireless attacks when establishing the hierarchy: war driving, eavesdropping, active scan, evil twin, MAC spoofing, IP spoofing, TCP hijacking, beacon flood, association flood, de-authentication flood, key cracking attacks and penetration attacks [74, 75, 76, 77]. These attacks are first classified by type. Then we analyze their impacts and prerequisite configurations, as listed in Table 6.1. From these analyses we finally construct the four-layer risk model.

Type I: The war driving, eavesdropping and active scan attacks fall into this category.

1. War driving aims at exposing and locating accessible wireless networks while driving around a city, without a priori information about the target network. With the exposed locations, illicit users can abuse the networks and interfere with the services of legitimate users.

2. Eavesdropping imperils traffic confidentiality. Moreover, the attacker may replay or decipher the captured packets to inflict further damage on network security.

3. After an illicit user actively sends a probe request to a target AP, the user may receive a probe response from the AP. The response reveals specific configurations, such as the SSID, MAC address and channel, which can be used to inflict additional and more severe damage on the network's security requirements.

Type II: The evil twin, MAC spoofing, IP spoofing and TCP hijacking attacks are classified as Type II attacks.

1. Masquerading as a legitimate AP is referred to as an evil twin attack. An attacker sets its SSID to that of an AP at a local hotspot. A user may accidentally connect to this malicious AP (the evil twin), allowing the attacker to intercept all packets that should have been transmitted to the victim AP. Traffic confidentiality, packet integrity and service availability are all jeopardized.

2. An illicit STA can access a network by replacing its MAC address with a permitted one. The MAC spoofing attack violates granted access rights and can disrupt the AP's service availability.

3. An attacker who alters the source IP address in packet headers can trick a router into forwarding the modified packets. Hence the attacker gains access to the network.

4. An attacker exploits the predictability of the sequence (SEQ) and acknowledgement (ACK) numbers of a TCP session and then hijacks the session to eavesdrop on the secrets exchanged between the two communicating parties.

Type III: Flooding attacks, such as beacon flood, association flood and de-authentication flood, are classified as DoS attacks.

1. In a beacon flood attack, a large number of counterfeit 802.11 beacons are generated to consume wireless resources and make it difficult for legitimate users to access the network. The impact severity hence stems from the network unavailability caused by the attack.

2. In 802.11, the association requests from STAs are kept in the association table of an AP. Since the memory of the association table is limited, the AP cannot handle further association requests once the table is full. By exploiting this limited storage capacity, a large number of forged association requests again cause network unavailability, which determines the impact severity.

3. An attacker floods a victim STA with forged de-authentication or disassociation frames so as to repeatedly disconnect the STA from its associated AP. This attack denies network availability.
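As an added illustration of the three Type III attacks above (this script is not part of the original case study), the following Python code parses raw 802.11 management frames and flags each flood over one capture window: de-authentication and disassociation frames are counted per victim (destination) address, association requests per BSSID, and a beacon flood is inferred from the number of distinct BSSIDs announcing beacons. The frame layout follows IEEE 802.11 (2-byte little-endian Frame Control, then Duration and three 6-byte addresses); the capture, the MAC addresses, the thresholds and the function names are constructed assumptions for the example.

```python
import struct
from collections import defaultdict

# Frame Control bit layout (IEEE 802.11, little-endian 16-bit field):
# bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
TYPE_MGMT = 0
SUBTYPE_ASSOC_REQ = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
MGMT_HDR_LEN = 24  # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)

# Constructed addresses for the sample capture (assumptions, not from the thesis).
AP_MAC = bytes.fromhex("020000000001")    # legitimate access point
STA_MAC = bytes.fromhex("020000000002")   # victim station
BCAST = b"\xff" * 6


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def build_mgmt_frame(subtype, da, sa, bssid, seq=0, body=b""):
    """Assemble a management frame; used only to construct sample input."""
    fc = (TYPE_MGMT << 2) | (subtype << 4)  # protocol version 0, type 0
    hdr = struct.pack("<HH", fc, 0) + da + sa + bssid + struct.pack("<H", seq << 4)
    return hdr + body


def parse_mgmt_frame(frame):
    """Return (subtype, DA, SA, BSSID) for a management frame, else None."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc & 0x3) != 0 or ((fc >> 2) & 0x3) != TYPE_MGMT:
        return None  # not a version-0 management frame (e.g. data frame)
    subtype = (fc >> 4) & 0xF
    return subtype, frame[4:10], frame[10:16], frame[16:22]


def detect_floods(frames, deauth_threshold=10, assoc_threshold=10,
                  beacon_threshold=50):
    """Flag the three Type III floods over one capture window.

    Thresholds are illustrative assumptions; tune them to the window length
    and the normal management-frame rate of the monitored network.
    """
    deauth_per_victim = defaultdict(int)   # deauth/disassoc frames keyed by DA
    assoc_per_bssid = defaultdict(int)     # association requests keyed by BSSID
    beacon_sources = set()                 # distinct BSSIDs sending beacons
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        subtype, da, sa, bssid = parsed
        if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            deauth_per_victim[da] += 1     # SA is forged, so key on the victim
        elif subtype == SUBTYPE_ASSOC_REQ:
            assoc_per_bssid[bssid] += 1
        elif subtype == SUBTYPE_BEACON:
            beacon_sources.add(bssid)
    alerts = []
    for victim, n in deauth_per_victim.items():
        if n >= deauth_threshold:
            alerts.append(("deauth_flood", mac_str(victim), n))
    for bssid, n in assoc_per_bssid.items():
        if n >= assoc_threshold:
            alerts.append(("association_flood", mac_str(bssid), n))
    if len(beacon_sources) >= beacon_threshold:
        alerts.append(("beacon_flood", "distinct BSSIDs", len(beacon_sources)))
    return alerts


def sample_capture():
    """Constructed capture: normal traffic, a deauth flood spoofing the AP as
    sender, and a beacon flood advertising 60 fake networks."""
    frames = []
    for i in range(3):   # legitimate beacons from the real AP
        frames.append(build_mgmt_frame(SUBTYPE_BEACON, BCAST, AP_MAC, AP_MAC, seq=i))
    for i in range(2):   # legitimate association requests from the STA
        frames.append(build_mgmt_frame(SUBTYPE_ASSOC_REQ, AP_MAC, STA_MAC, AP_MAC, seq=i))
    for i in range(25):  # forged deauths to the STA, reason code 7 in the body
        frames.append(build_mgmt_frame(SUBTYPE_DEAUTH, STA_MAC, AP_MAC, AP_MAC,
                                       seq=i, body=struct.pack("<H", 7)))
    for i in range(60):  # beacon flood: one fake BSSID per beacon
        fake = bytes.fromhex("0600000000") + bytes([i])
        frames.append(build_mgmt_frame(SUBTYPE_BEACON, BCAST, fake, fake))
    # A data frame (type 2) and a truncated frame, both ignored by the parser.
    frames.append(struct.pack("<HH", 0x0008, 0) + STA_MAC + AP_MAC + AP_MAC + b"\x00\x00")
    frames.append(b"\xc0\x00\x00")
    return frames


def run_sample():
    return detect_floods(sample_capture())


if __name__ == "__main__":
    for kind, subject, count in run_sample():
        print(f"{kind}: {subject} ({count})")
```

The de-authentication counter is keyed on the destination address because the sender address in this attack is forged to look like the AP; counting by sender would credit the flood to the legitimate AP. A production monitor would apply the thresholds per sliding time window rather than per capture file.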

Type IV: Key cracking attacks attempt to recover WEP or WPA keys, which were introduced to protect data confidentiality and data integrity and to prevent unauthorized access to APs.

Type V: The penetration attack exploits existing security flaws and vulnerabilities in software, such as internet browsers, drivers or media players. In general, an attacker should possess prerequisite knowledge of the target machine, such as its IP address, OS version, software version and running services, before launching this kind of attack against a selected software program.

[Figure 6.1: the drawing itself is not recoverable; node labels recovered from the figure:
(a) 4-RAH of an access point. Root: Impact severity. Requirement-layer labels not recovered. Attack layer: War driving (Aap1), Active scan (Aap2), MAC spoofing (Aap3), IP spoofing (Aap4), Association flood (Aap5), Key cracking (Aap6). Configuration layer: SSID (Conf1), AP MAC (Conf2), AP IP (Conf3), STA MAC (Conf4), STA IP (Conf5), Open port (Conf6), Channel (Conf7), Running services (Conf8).
(b) 4-RAH of a station. Root: Impact severity. Requirement layer: Confidentiality (R1), Integrity (R2), Availability (R3). Attack layer: Eavesdropping (Asta1), Evil twin (Asta2), TCP hijacking (Asta3), Beacon flood (Asta4), Deauth. flood (Asta5), Key cracking (Asta6), Penetration attack (Asta7). Configuration layer: the same eight configurations Conf1 to Conf8 as in (a).]

Figure 6.1: Example of four-layer risk analytic hierarchies (4-RAH): (a) 4-RAH of an access point, (b) 4-RAH of a station

Next, we further analyze the above attacks and list their victim devices, where Aapi denotes the ith attack targeting an access point and Astai denotes the ith attack aiming at a wireless station. Table 6.1 states the analysis results. We then construct the 4-RAH for each type of device according to Table 6.1. Figure 6.1 shows the 4-RAH for an AP and that for a station.

Table 6.1: Attack Analysis

[Only a fragment of Table 6.1 survives extraction: one row lists the prerequisite configurations open port (Conf6) and running services (Conf8) with impact on C, I, A. Legend: C: confidentiality, I: integrity, A: availability.]