
4 SECURITY PRACTICES FOR THE ATN SAM

4.4 Network Security

MANET security evaluations within current literature primarily focus on a single evaluation approach and limit their analysis through restricted operational assumptions. While the attack possibilities discovered by the simulatability model [21,45,54] were followed by visual inspection to find scenarios where attacks were possible, visual inspection itself was not used as an independent analysis technique. We contend that the analysis techniques currently being used to evaluate security in MANET routing protocols have different, yet often complementary properties.

The visual inspection process benefits from unrestricted human intuition, offering a useful approach to discover protocol attacks. However, the visual inspection iterative cycle illustrated in Figure 5 on page 14 cannot prove security properties exist for all cases, as new attacks are routinely discovered.

Network simulation packages are primarily used to project average case performance, based on statistical analysis over independent runs. While it is critical we understand the performance characteristics resulting from implemented security mechanisms, network simulation cannot identify undiscovered attacks nor can it be used to guarantee any posed security property. Attacks utilized in any network simulation must be known a priori in order to code the attacker actions into the simulation package. Network simulation cannot be used to answer binary type questions since an attack possibility is not statistical in nature. Binary type questions result in a simple yes or no answer. The answer must be exhaustive for the given scenario. For instance, does the given security property hold, yes or no? Statistical network simulations that indicate an attack is not likely or do not identify an attack do not ensure a protocol is secure against the attack. Furthermore, the resulting performance effects may also be misleading due to variations between simulation packages and improper statistical analysis procedures [46].

Analytical proofs, simulatability models, and formal methods can determine whether stated security properties can be met for a given scenario, determined by the attacker strength and network topology. When a security property is shown to fail, one can infer that an attack exists, which gives the analysis approach the ability to discover unknown attacks. In the formal methods approaches utilizing model checking, security failures produce a protocol counterexample illustrating the respective attack.

Based on these security analysis approach descriptions, we propose combining techniques to provide a comprehensive security analysis capability for MANET routing protocols. Since the route discovery and the data communication phases must be individually secured, as illustrated in Figure 4 on page 10, a comprehensive analysis framework must cover both phases. However, researchers commonly target only one individual phase. In Table 4 we propose a comprehensive security analysis framework to analyze security over a complete MANET routing solution. The framework can also be used to target an individual phase being specified by a given protocol development.

Table 4. Comprehensive Security Analysis Framework

| Targeted Phase  | Security Analysis Technique |
|-----------------|-----------------------------|
| Route Discovery | Visual Inspection           |
|                 | Formal Methods              |
| Data Forwarding | Visual Inspection           |
|                 | Network Simulation          |

Evaluating data forwarding. We first look at the security analysis techniques for the data forwarding phase used once a route has been discovered. The goal in the data forwarding phase is to deliver data packets over an established route. Security mechanisms in this phase must first identify when packet delivery is not being maintained and mitigate the failure by choosing an alternative available path, notifying the route discovery phase to initiate a new route discovery process, or identifying malicious nodes to avoid in future paths. Packet deliverability thresholds attempt to differentiate between non-malicious and malicious failures. Since the attacks against this phase are not binary in nature, formal analysis techniques cannot be used to guarantee that a security property exists. Security mechanisms designed for the data communication phase are generally evaluated using network simulation and focus on performance criteria.

Network simulation, as it is currently being used, provides an avenue to study the operation and performance of the mechanisms being designed to secure the data forwarding phase. The question becomes, does the security enhancement provide a higher deliverability ratio than without any enhancement? However, the results are only applicable to the given attacker and network topology scenario simulated. According to the comprehensive security analysis framework in Table 4, we complement network simulation with the intuitive power inherent in the visual inspection technique to find attacks that reduce the security enhancement's effectiveness against the data forwarding phase. For example, consider a protocol such as ODSBR [22], which attempts to eliminate malicious nodes by blacklisting them. What effects would a malicious node simply relaying data have within the network? What effect would a malicious insider node have that operates maliciously only against data forwarding packets and fully cooperates during probing activity attempting to identify the malicious nodes?

Evaluating route discovery. Analyzing security properties provided in the route discovery phase can benefit from combining visual inspection and formal methods, as indicated by the comprehensive security analysis framework in Table 4. The power inherent in the visual inspection approach provides an unrestricted look at route discovery. Many simple attacks, such as the invisible node attack [44,94] and the Sybil [56] attack, can be easily identified through visual inspection.

Complementing visual inspection with formal methods techniques allows us to search for attacks that actively corrupt the route discovery process. Since visual inspection cannot provide property guarantees, a formal approach must also be used. If a binary security property can be stated, a formal approach can evaluate if the property holds or not. For instance, if we evaluate route discovery over a static network for an instance in time, returned routes either exist or do not exist in the current network topology. However, analysis is currently limited by restricting attacker capabilities and by the specific network topology investigated.
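The binary question above ("does every returned route exist in the current topology?") can be answered exhaustively for a small static scenario. The following is an added example, not code from the original work: the flooding model, the node names, and the functions `explore` and `check` are assumptions made for illustration. It enumerates every run of a toy route discovery in which one designated node may relay a request without appending its identifier, and reports a counterexample when the property fails.

```python
# Constructed static topology (undirected links); node names are illustrative.
LINKS = {("S", "A"), ("A", "M"), ("M", "B"), ("B", "D")}

def neighbors(links, node):
    return sorted({b for a, b in links if a == node} |
                  {a for a, b in links if b == node})

def explore(links, src, dst, attacker=None):
    """Enumerate every (returned_route, actual_relay_trace) pair reachable in
    the model. Assumed model: requests are flooded, each relay appends its ID,
    and a node handles a given request copy only once."""
    returned = []
    stack = [(src, (src,), (src,))]          # (holder, claimed path, real trace)
    while stack:
        node, path, trace = stack.pop()
        for nxt in neighbors(links, node):
            if nxt in trace:
                continue
            if nxt == dst:
                returned.append((path + (dst,), trace + (dst,)))
                continue
            choices = [path + (nxt,)]        # honest relay appends its ID
            if nxt == attacker:
                choices.append(path)         # modelled attacker may relay silently
            for claimed in choices:
                stack.append((nxt, claimed, trace + (nxt,)))
    return returned

def route_exists(links, route):
    """Binary property: every hop of the returned route is a real link."""
    return all((a, b) in links or (b, a) in links
               for a, b in zip(route, route[1:]))

def check(links, src, dst, attacker=None):
    """Return None if the property holds on every run, else a counterexample."""
    for route, trace in explore(links, src, dst, attacker):
        if not route_exists(links, route):
            return {"returned_route": route, "actual_relay_trace": trace}
    return None

if __name__ == "__main__":
    print(check(LINKS, "S", "D"))                    # all relays honest
    print(check(LINKS, "S", "D", attacker="M"))      # M may omit its ID
    print(check(LINKS | {("A", "B")}, "S", "D", attacker="M"))  # other topology
```

The third call adds a direct A-B link, and the same attacker capability no longer violates the property, which shows why a verdict applies only to the attacker strength and topology that were analyzed.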

We choose formal methods to complement the visual inspection technique to evaluate the route discovery process, since the analytical proof and simulatability exhaustive analysis techniques are not automated. Formal methods using model checking can provide automated analysis. However, model checking techniques must be adapted to evaluate MANET route discovery security properties before they can complete Table 4’s comprehensive security analysis framework. Chapter 6 provides research into automated model checking procedures to evaluate security in the MANET route discovery process.
