Spyware on Internet. Sybil Attacks on Sensor Networks.
  • csci599 Spring 2004
  • Siddharth Thakkar

Presentation Outline
  • Spyware
  • Introduction
  • Spyware basics and Classes
  • Study in the Paper Gator, eZula, SaveNow, Cydoor
  • Analysis
  • Results - details
  • Spyware Vulnerabilities
  • Scaling on to the Internet
  • Conclusions
  • Sybil Attacks
  • Introduction Basics
  • Taxonomy
  • Attacks
  • Defenses Especially Random Key Distribution
  • Summary
  • In P2P networks

Reference: Measurement and Analysis of Spyware in a
University Environment, Saroiu et al.
Introduction: Stealth/Parasite Programs
  • Stealth and Parasite Programs
  • CIAC Technical Report (Nov 2002)
  • Distributed and installed along with a known
    program; get onto a system by piggybacking on its
    installer
  • Not viruses! Viruses attach themselves to other
    programs in order to steal a ride onto another
    person's system
  • Parasite programs are intentionally attached to
    the programs they ride on.
  • Classes
  • Adware: advertisements, web pages, pop-ups or
    cookies from browsers, triggered when you access
    a web page that contains an ad from the adware
    server.
  • Spyware: intelligently spies on all your browsing
    activity, looking into browser temp
    files/cookies/histories; all collected
    information is sent back to the spyware server
    for future misuse.
  • Stealth Networks: networks of computers, usually
    P2P, used to store files on and queue jobs for
    execution on someone else's system (needs a
    program installed there)
  • Browser Helper Objects: BHOs are essentially
    add-in programs/executable code for IE;
    difficult to detect, have to clean the Registry.

Spyware Basics
  • Definition (user's perspective)
  • Software that gathers information about the
    computer's use (with or without the user's
    consent) and relays it back to a 3rd party.
  • Risks
  • User's privacy is compromised
  • Affects usability/stability of the user's
    computer
  • Can self-update: may introduce new security risks
  • Can put millions of computers at risk
  • Why do they exist?
  • Because information is valuable and can be
    capitalized upon.
  • How can I get it?
  • Your behavior
  • Popular software with embedded spyware
  • Websites prompting to install browser extensions
  • Cookies to track behavior across cooperating
    websites
  • Usability vs. Security: O.S.s are meant to be
    usable

Classes of Spyware (characteristics, working and
threats) - 1
  • Cookies and Web Bugs
  • Passive form of spyware (no code of their own)
  • Cookies
  • State stored in the client's web browser
  • The website/advertisement provider that stored
    them can retrieve them.
  • Can track a user's behavior across various sites
  • Web Bugs
  • Invisible images embedded in a page, placed by
    advertisement networks
  • Browser Hijackers
  • Try to change browser settings (start page,
    search) via
  • BHOs (helper objects), the Windows registry,
    browser preference files

Classes of Spyware (characteristics, working and
threats) - 2
  • Keyloggers
  • Record all keystrokes
  • Passwords, credit card numbers, etc.
  • Newer ones also capture logs of visited sites,
    chat sessions, windows and programs opened.
  • Tracks
  • Applications record info about users' actions
    (e.g. recently visited websites)
  • The O.S. does it too. Such tracks can be mined by
    malicious programs.
  • Malware
  • Viruses, worms, trojan horses, automatic phone
    dialers

Classes of Spyware (characteristics, working and
threats) - 3
  • Spybots
  • Prototypical example of spyware
  • Monitor the user's behavior, collect activity
    logs, transmit them to a 3rd party
  • Info like web form data, email addresses for
    spam, URL lists, etc.
  • Installed as a BHO, or a DLL, or a separate
    process started at O.S. boot!
  • Adware
  • Benign variety of spybots.
  • Display advertisements tuned to the user's
    activity, reporting browsing behavior.

Show me a reason to worry!
  • The extent, denoted by
  • Results of this paper (we'll see soon)
  • Spyware signatures
  • E.g. the Spybot S&D program has 790 signatures as
    of Jan 27th, 2004.
  • The spread
  • Freeware/Shareware
  • Authors downloaded 10 famous titles (reporting
    872 million downloads) from http://download.com
  • Kazaa, iMesh, Morpheus, Download Accelerator had
    spyware bundled
  • 12 spyware programs in free Kazaa (moral: there's
    no free lunch!)
  • Kazaa's paid version doesn't have spyware!!

Spyware studied by this paper
  • Aim
  • First academic attempt to understand the nature
    and extent of spyware, and to bring it to the
    attention of the research community
  • Studied software versions between Aug '03 and
    Jan '04
  • Network signatures to detect spyware. Traces
    of traffic between the Univ. of Washington and
    the Internet
  • Focused on 4 spyware programs: Gator, Cydoor,
    SaveNow, eZula
  • All are from the Spybot or Adware class
  • Affect approx. 5.1% of active university hosts.
  • Can easily get into a user's system via free
    software
  • Easy to derive signatures by sniffing network
    traffic (they use HTTP with their servers)
  • Spyware servers identified via name/IP lists in
    the ARIN and RIPE registries

Gator - 1
  • An Adware, AKA OfferCompanion, Trickler, GAIN
  • Collects/transmits the user's web activity info
    (URLs visited), demographic info (name, zip
    code), computer configuration info.
  • Generates a profile of the user's interests and
    targets ads accordingly
  • Installed by
  • Free software from Claria Corporation
  • P2P clients
  • Websites prompting pop-ups to install
  • Runs as
  • DLL linked with the free software
  • Own processes: gain.exe, cmesys.exe
  • Capable of self-updating!!

Gator - 2
  • Smartness
  • Usually spyware can be de-fanged:
  • the hosts file can be edited to remap the DNS
    names of spyware servers by adding entries that
    point them elsewhere
  • Gator, on the other hand
  • Comments out entries referring to gator.com
  • Caches IP addresses of gator.com DNS names.
  • You are a luser!

Cydoor
  • About
  • Made by Cydoor Technologies
  • Client prefetches targeted pop-up advertisements
    from servers when the containing app is run
  • Shown online or offline!
  • Gets the user's demographic info from a
    questionnaire filled in while installing the
    containing application!
  • Inside scoop
  • Company also offers a free SDK
  • Used to embed the Cydoor DLL in any Windows
    program and generate revenue for its author.
  • Removal of the DLL causes the program to crash!
  • Don't spread the word!

SaveNow
  • About
  • save.exe image
  • Shows advertisements triggered by what the user
    appears to be doing
  • Doesn't transmit information to servers
  • But still collects such info to target ads
  • Contacts server to update its advertisement cache
  • Comes with free P2P software (Kazaa)

eZula
  • About
  • ezulamain.exe process
  • AKA TopText, ContextPro, HotText
  • Attached to the browser; modifies incoming HTML to
    create links to ads on keywords
  • Artificial links are highlighted to redirect
    away from the original legitimate advertisers to
    its own
  • Bundled with free P2P software (Kazaa, LimeWire)
    or as a standalone tool.
  • Can self-update!

Analysis: Goals & Methodology
  • To understand how widespread spyware is within
    the Univ. of Washington, at
  • Individual-client granularity
  • Academic-department granularity
  • Gain insight into the kinds of user behavior that
    are correlated with spyware.
  • Monitoring host traces
  • Relevant info on HTTP activity from
    reconstructed TCP/HTTP request/response streams
    is logged at the monitoring host.
  • Sensitive information (IP) is anonymized using
    1-way hashing.

Analysis - Environment
  • Univ. of Washington infrastructure (figure)

Aside: some USC network facts
  • Network as presented in June '03 (James Pepin,
    HPC Consortium Meeting)

Analysis: Limitations/Assumptions
  • Anonymization
  • 2 bits of the IP are lost; can't uniquely find
    the IP of an infected client
  • DHCP effect
  • No fixed client IP, so dial-up is excluded.
  • But even with all this, Gator-infected clients
    could be counted!
  • Gator happens to provide a unique identifier in
    its request packets
  • Signature analysis
  • Might miss some spyware traffic because of
    pattern-matching errors
  • But the result would then be an underestimate;
    the threat might be higher!

Results: Spread of Spyware - 1
  • Traces summary (Table 3)

Results: Spread of Spyware - 2
  • Gator: 3.4% of clients that communicated during
    the study (week-long trace)
  • Cydoor: 1.3%
  • SaveNow: 1.3%
  • eZula: 0.2%
  • Bad news
  • In total, 1587 clients (5.1% of total hosts)
    infected with one or more spyware programs!
  • And this is for just the 4 programs studied!
  • Gator
  • Only 52 new installations found over the week, by
    studying Gator client registration packets, whose
    timestamp gives the date of installation.
  • Means many Gators were installed months/years in
    the past!

Results: Spread of Spyware - 3
  • Installation dates discovered for 872 of the
    1077 Gator clients (graph; values are percentages
    of the 872)
Results: Modem vs. Non-Modem
  • Modem pool IPs
  • Though DHCP made the authors exclude dial-up IPs,
  • Gator timestamps can be used to identify clients
    uniquely within the modem pool
  • 942 Gator installations out of 12,435 accounts
    using the modem pool (7.6%)
  • Note that 872 were already in the 31,303-host
    non-modem-pool network (2.8%)
  • Which means
  • Spyware is prevalent on personally-owned
    (dial-up) computers
  • But also a significant presence even on
    university computers!!

Results: Cross-Infection Rates - 1 (table)

Results: Cross-Infection Rates - 2
  • Once infected, forever vulnerable!
  • eZula
  • Only 28.6% of eZula-infected hosts are infected
    with ONLY eZula
  • Whatever's causing eZula infections also causes
    infections by other spyware programs!
  • Spyware opens new vulnerabilities!
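The counting the study does (signature matching over reconstructed HTTP requests, one-way hashed client addresses, per-program host counts, distinct Gator installs via the identifier in its requests, and the "only eZula" cross-infection figure) as an added example; this is not code from the Saroiu et al. paper or from this deck. The trace lines, the per-install identifier field, the salt and every hostname except gator.com are constructed for illustration.

```python
"""Spyware prevalence from HTTP traces: an added example, not code from the
Saroiu et al. study.  Matches network signatures against reconstructed HTTP
requests, anonymizes client IPs with a one-way hash, counts infected hosts per
program and computes cross-infection.  Log lines, the Gator identifier field,
the salt and every hostname except gator.com are constructed assumptions."""
import hashlib
import re
from collections import defaultdict

# A program is "seen" when a client's request goes to a matching Host.
# gator.com is named in the deck; the other three hosts are made up here.
SIGNATURES = {
    "Gator":   re.compile(r"(^|\.)gator\.com$"),
    "Cydoor":  re.compile(r"(^|\.)cydoor\.example$"),
    "SaveNow": re.compile(r"(^|\.)savenow\.example$"),
    "eZula":   re.compile(r"(^|\.)ezula\.example$"),
}

# Constructed trace, one request per line: "<client_ip> <host> <path>".
TRACE = """\
10.1.2.3 ads.gator.com /GetUpdates?id=G-0001
10.1.2.3 www.cydoor.example /fetch_ads
10.1.2.4 ads.gator.com /GetUpdates?id=G-0002
10.1.2.5 www.ezula.example /keywords
10.1.2.5 www.savenow.example /cache
10.1.2.6 www.ezula.example /keywords
10.1.2.7 www.washington.edu /index.html
10.1.2.8 ads.gator.com /GetUpdates?id=G-0001
"""

# Assumed per-installation identifier carried in Gator requests.
GATOR_ID = re.compile(r"[?&]id=([^&\s]+)")


def anonymize(ip: str, salt: bytes = b"trace-salt") -> str:
    """One-way hash of the client address, applied before any analysis."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()[:12]


def parse_trace(text: str):
    """Yield (anonymized_client, host, path) per well-formed line."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            ip, host, path = parts
            yield anonymize(ip), host.lower(), path


def infections(text: str) -> dict:
    """Anonymized client -> set of spyware programs it contacted."""
    infected = defaultdict(set)
    for client, host, _ in parse_trace(text):
        for name, sig in SIGNATURES.items():
            if sig.search(host):
                infected[client].add(name)
    return dict(infected)


def gator_installs(text: str) -> set:
    """Distinct Gator installations keyed on the identifier in the request;
    unlike the IP, this survives DHCP churn (same id from two IPs = one install)."""
    ids = set()
    for _, host, path in parse_trace(text):
        m = GATOR_ID.search(path)
        if m and SIGNATURES["Gator"].search(host):
            ids.add(m.group(1))
    return ids


def cross_infection(text: str, program: str) -> float:
    """Fraction of hosts carrying `program` that carry ONLY that program."""
    hosts = [p for p in infections(text).values() if program in p]
    return sum(1 for p in hosts if p == {program}) / len(hosts) if hosts else 0.0


def summary(text: str, total_hosts: int) -> dict:
    """Per-program host counts, overall infection rate and Gator install count."""
    inf = infections(text)
    return {
        "per_program": {n: sum(1 for p in inf.values() if n in p) for n in SIGNATURES},
        "infected_hosts": len(inf),
        "infected_pct": 100.0 * len(inf) / total_hosts,
        "gator_installs": len(gator_installs(text)),
    }


if __name__ == "__main__":
    print(summary(TRACE, total_hosts=8))
    print("eZula-only:", cross_infection(TRACE, "eZula"))
```

Against the constructed trace this reports 5 of 8 hosts infected (62.5%), two distinct Gator installs behind three Gator-talking clients, and an eZula-only fraction of 0.5. Because pattern matching can only undercount, the rates are a floor, which is the point the Limitations slide makes.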

Results: Web Activity - 1
  • Usual causes
  • P2P client software
  • Downloading/installing executables off the web
  • Software bundled with spyware.
  • Correlation with such activity can be derived
    (graphs on the following slides)

Results: Web Activity - 2
  • Servers contacted by infected clients vs.
    servers contacted by ALL clients (graph)

Results: Web Activity - 3
  • Web requests issued by infected clients vs.
    web requests issued by ALL clients (graph)

Results: Downloading Executables (graph)

Results: Using P2P File Sharing
  • Analysis revealed that
  • 38% of clients issuing at least one Kazaa request
    were infected by spyware!
  • Mainly with Cydoor and Gator (28.2% and 17%)
  • Compared to the previous table (web
    clients/requests)
  • These values are almost 22 times higher!
  • Implies file-sharing programs expose clients to
    spyware
  • And Kazaa is not the only one!

Results: Today's Security Infrastructure
  • Spyware bypasses it!
  • The Univ. of Washington core is centrally managed
  • Each department is responsible for managing its
    own systems/security policies.
  • Independent trust domains, each with its own set
    of policies
  • Still, 69% of organizations are infected with at
    least one variety of spyware!
  • 64% have Gator!
  • Perimeter protection mechanisms such as firewalls
    are not helpful!
  • Spyware needs cooperation from the user (willing
    or not)
  • An exploit could leave a major network vulnerable!
  • 47% of the most popular web servers in the Univ.
    share a subnet with a Gator client
  • A backdoor in spyware can easily lead an attacker
    inside a major trust boundary!

Bugs in Spyware?!
  • Gator/eZula
  • The client software downloads its own updates
  • Doesn't verify authenticity or integrity of the
    downloaded archive before extracting files from
    it
  • Attacker can cause his/her OWN file to be
    extracted by hijacking/spoofing gator.com (or
    eZula's update server)
  • Authors reported this vulnerability, to make the
    spyware stronger and more secure (!)
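The missing check, as an added example that is not code from the paper, from Gator or from eZula: a naive updater that unpacks whatever the update server returns, beside one that refuses an archive whose digest is not covered by an authenticated manifest and rejects entries that would escape the install directory. Assumptions: a manifest MAC key baked into the client stands in for the public-key signature a real updater should verify, archives are zip files, and every input is built in memory.

```python
"""Update verification: an added example, not code from the paper or from
either product.  `naive_extract` mirrors the behaviour the deck describes;
`check_update` refuses an archive unless an authenticated manifest vouches for
its SHA-256 and every entry stays inside the install directory.  The MAC key
is an assumption standing in for a vendor signing key; inputs are constructed."""
import hashlib
import hmac
import io
import os
import zipfile

MANIFEST_KEY = b"vendor-manifest-key"   # assumed; a real client would hold a public key


def build_archive(files: dict) -> bytes:
    """Construct an update archive in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def sign_manifest(archive: bytes, key: bytes = MANIFEST_KEY) -> dict:
    """Vendor side: publish the archive digest and a MAC over it."""
    digest = hashlib.sha256(archive).hexdigest()
    return {"sha256": digest, "mac": hmac.new(key, digest.encode(), "sha256").hexdigest()}


def naive_extract(archive: bytes) -> list:
    """The pattern from the deck: trust and unpack whatever arrived.  Anyone
    who spoofs the update host (DNS hijack) chooses what gets installed."""
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return [i.filename for i in z.infolist()]


def check_update(archive: bytes, manifest: dict, install_dir: str,
                 key: bytes = MANIFEST_KEY) -> list:
    """Return the entries that are safe to extract, or raise ValueError.
    Order matters: authenticate the manifest, then bind the archive to it,
    then inspect paths; nothing is written before all three checks pass."""
    expected = hmac.new(key, manifest["sha256"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise ValueError("manifest is not authentic")
    if not hmac.compare_digest(hashlib.sha256(archive).hexdigest(), manifest["sha256"]):
        raise ValueError("archive digest does not match manifest")
    root = os.path.realpath(install_dir)
    safe = []
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for info in z.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # Absolute names and ../ sequences resolve outside root: reject.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry escapes install dir: {info.filename}")
            safe.append(info.filename)
    return safe


def demo() -> dict:
    """Genuine archive passes; a substituted one and a traversal one do not."""
    genuine = build_archive({"gain.dll": b"vendor code", "data/ads.txt": b"ads"})
    manifest = sign_manifest(genuine)
    spoofed = build_archive({"gain.dll": b"attacker code"})
    traversal = build_archive({"../../etc/crontab": b"* * * * * /tmp/x"})
    result = {"naive_accepts_spoofed": naive_extract(spoofed) == ["gain.dll"],
              "genuine": check_update(genuine, manifest, "/opt/app")}
    for label, arc, man in (("spoofed", spoofed, manifest),
                            ("traversal", traversal, sign_manifest(traversal))):
        try:
            check_update(arc, man, "/opt/app")
            result[label] = "accepted"
        except ValueError as e:
            result[label] = str(e)
    return result
```

The traversal case is signed with a valid manifest on purpose: authenticity of the archive does not make its paths safe, so the path check has to run regardless, and it runs before anything is written.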

Finally, Scaling it on to the Internet
  • Kazaa as an example
  • Kazaa user counters on websites report 4 million
    concurrent clients.
  • Using this paper's 38% infection rate, estimate
  • 1.5 million spyware-infected hosts active on the
    Kazaa network!!
  • Estimate based on external Kazaa hosts contacting
    Univ. of Washington hosts is
  • 2.6 million spyware-infected Kazaa hosts!
  • Research at UC Berkeley estimates this to be 3.4
    million

Spyware: Conclusions/Comments
  • This paper
  • Authors present a very well-justified argument
    about the spread of spyware in a controlled
    environment such as the Univ. of Washington
  • Results serve as an alert to the research
    community
  • Active monitoring of network traffic avoids
  • Spyware
  • Significant local and global security threat
  • The next trend after annoying banners?
  • Signatures can ease detection
  • Free software is the most harmful carrier
  • Widespread presence makes spyware a potential
    entry point for any system-wide vulnerability
    break-down!
  • Need alert system administration for regular
    monitoring
  • Social aspects: train the users to avoid
    clicking OK without reading!

Sybil Attacks
Reference: The Sybil Attack in Sensor Networks:
Analysis and Defenses, by Newsome et al.
Sybil Attacks - Introduction
  • The term "Sybil attack"
  • Sybil Dorsett, a survivor of child abuse who was
    the first person diagnosed with multiple
    personality disorder, revealed that she played
    host to sixteen separate and distinct
    personalities before making the long journey to
    recovery.
  • Definition
  • In networks,
  • An attack where the attacker possesses multiple
    identities: a malicious node behaves as if it
    were a larger number of nodes, by impersonating
    other nodes or simply by claiming false
    identities
  • First identified for P2P networks by John Douceur.

Sybil Attacks and Sensor Networks
  • Motivation
  • Sensor networks may monitor critical information.
  • Sybil attacks may exploit, confuse or overwhelm
    the sensor network.
  • Need to identify and classify such attacks
  • Need to choose the best defense mechanism for
    sensor networks.
  • This paper
  • Is the first study of Sybil attacks on sensor
    networks
  • Authors attempt to identify attacks, classify
    them and then evaluate various defense mechanisms!

Sybil Attacks: Taxonomy - 1
  • For sensor networks (figure)

Sybil Attacks: Taxonomy - 2
  • Direct communication
  • Sybil nodes talk to legitimate nodes directly; a
    malicious node listens to the radio messages
    legitimate nodes send to its Sybil identities!
  • Indirect communication
  • Messages to a Sybil node are routed through one
    of the malicious nodes!
  • Fabricated identities
  • E.g. if each node is identified by a 32-bit
    integer, the attacker assigns each Sybil node a
    random 32-bit value
  • Stolen identities
  • If a mechanism can identify legitimate node
    identities, the attacker must assign other
    legitimate nodes' identities to its Sybil nodes,
    destroying or temporarily disabling the
    impersonated nodes
  • Simultaneous
  • All Sybil identities participate in the network
    at once (the attacker may cycle through them)
  • Non-simultaneous
  • The attacker has a large number of identities
    over time, but acts as a smaller number at any
    given time; may leave and join multiple times
    with separate identities!

List of Sybil Attacks - 1
  • Known attacks
  • Distributed storage
  • Can defeat replication and fragmentation
  • Easily defeats DHTs based on Geographic Hash
    Tables
  • System designed to replicate data on several
    nodes
  • But it might be storing on Sybil identities
    generated by a malicious node!
  • Routing
  • Multipath or dispersity routing
  • Seemingly disjoint paths could in fact go through
    a single malicious node presenting several Sybil
    identities
  • Geographic routing
  • A Sybil node could appear at multiple locations.
  • Attempts to detect routing attacks like black
    holes
  • A Sybil attack could confuse the detection
    mechanism!

List of Sybil Attacks - 2
  • New attacks
  • Data aggregation
  • One malicious node could contribute to the
    computed aggregate of readings many times.
  • May completely alter the aggregate reading!
  • Voting
  • Wireless sensor networks use voting for many
    purposes
  • Sybil attack: false ballots or ballot-stuffing!
  • May be able to determine/influence the outcome of
    any vote, e.g. declare a legitimate node as
    misbehaving!
  • May save a misbehaving node by favoring votes!

List of Sybil Attacks - 3
  • Fair resource allocation
  • Sybil identities allow a malicious node to obtain
    an unfair share of a shared resource (like the
    radio channel)
  • Denial of service to legitimate nodes
  • Gives the attacker more resources to perform MORE
    attacks!
  • Misbehavior detection
  • Usually, because of false-positive considerations,
    any misbehavior detection system delays action.
  • An attacker with Sybil identities could spread
    the blame and pass unnoticed with only a small
    amount of misbehavior per identity!
  • If action is taken to revoke an identity, the
    attacker can create new identities and continue
    misbehaving without itself getting revoked!

Vulnerable protocols (table)
Sybil Attack: Identity Validation
  • Identity validation
  • Types
  • DIRECT VALIDATION: a node directly tests another
    node's identity
  • INDIRECT VALIDATION: nodes that have already been
    verified are allowed to vouch for or refute other
    nodes
  • Note
  • Paper focuses on direct validation schemes only.

Defenses
  • Previous defenses
  • Resource testing
  • Assumption: limited resources per physical entity
  • Verify that each identity has as much of the
    tested resource as a physical device.
  • More implies multiple identities!
  • Communication as a critical resource for sensor
    nodes
  • One method: broadcast a request for identities
    and accept replies that occur within a given time
  • Unsuitable for wireless sensor networks because
    of network congestion from all the replies!
  • New defenses
  • New approaches suggested by the authors
  • Topics to follow ->

Radio Resource Testing - 1
  • Assumption
  • A physical device has only 1 radio and can't
    send/receive on more than 1 channel at a time
  • Working
  • A verifier assigns each of its n neighbors a
    different channel to transmit on
  • Listens on a randomly chosen channel.
  • If the neighbor that was assigned that channel is
    legitimate, the verifier should hear its message.
  • Choosing a channel to listen on which isn't being
    transmitted on is a Sybil node detection!
  • Probability of detection in one round: s/n, where
    s of the n neighbors are Sybil identities
  • Probability of NOT detecting a Sybil node: (n-s)/n
  • If repeated for r rounds, it is ((n-s)/n)^r
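A small simulation of this test as an added example, not code from the Newsome et al. paper: it checks the closed-form miss probability ((n-s)/n)^r against a Monte Carlo run of the channel assignment and reports how many rounds push the miss probability under a target. One modelling assumption is ours, not the paper's: the malicious device keeps its single radio on the channel assigned to its own real identity, so its s Sybil identities are silent in every round.

```python
"""Radio resource testing: an added example, not the paper's code.  A
verifier with n neighbour identities, s of them Sybil identities backed by one
single-radio device, assigns every neighbour a distinct channel each round and
listens on one at random.  Assumption (ours): the device transmits on the
channel of its own real identity, so every Sybil identity is silent."""
import random


def p_miss_analytic(n: int, s: int, r: int) -> float:
    """Probability that r rounds all fail to catch a Sybil identity."""
    if n <= 0 or not 0 <= s <= n:
        raise ValueError("need n > 0 and 0 <= s <= n")
    return ((n - s) / n) ** r


def run_round(n: int, sybil: set, rng: random.Random) -> bool:
    """One round: True if the verifier catches a Sybil identity."""
    channels = list(range(n))
    rng.shuffle(channels)                  # identity i transmits on channels[i]
    listen = rng.randrange(n)              # verifier's listening channel
    owner = channels.index(listen)         # identity assigned that channel
    # A Sybil identity cannot transmit (the single radio is busy elsewhere),
    # so silence on a channel assigned to it exposes the attack.
    return owner in sybil


def p_miss_simulated(n: int, s: int, r: int, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same miss probability."""
    rng = random.Random(seed)
    sybil = set(range(s))                  # identities 0..s-1 are the Sybils
    misses = sum(
        1 for _ in range(trials)
        if not any(run_round(n, sybil, rng) for _ in range(r))
    )
    return misses / trials


def rounds_needed(n: int, s: int, target_miss: float) -> int:
    """Smallest r with ((n-s)/n)^r <= target_miss."""
    if s == 0:
        raise ValueError("no Sybil identities: the miss probability never drops")
    r = 0
    while p_miss_analytic(n, s, r) > target_miss:
        r += 1
    return r


if __name__ == "__main__":
    n, s = 10, 3
    for r in (1, 3, 5, 10):
        print(f"r={r:2d}  analytic={p_miss_analytic(n, s, r):.4f}  "
              f"simulated={p_miss_simulated(n, s, r, trials=5000):.4f}")
    print("rounds for <= 1% miss:", rounds_needed(n, s, 0.01))
```

With n = 10 and s = 3 the miss probability after five rounds is 0.7^5, about 0.17, and thirteen rounds are needed to get under 1%; the simulation only matches because of the single-radio assumption, which is exactly what a software-defined radio breaks.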

Radio Resource Testing - 2
  • Case: not enough channels
  • to assign one to each neighbor
  • Can test c neighbors at a time, over r rounds
  • There are S Sybil nodes, M malicious nodes and G
    good nodes
  • More channels means easier/faster detection (see
    next graph)

Radio Resource Testing - 3
  • Advantages
  • Effective defense against the simultaneous,
    direct-communication variant of Sybil attacks.
  • Disadvantages
  • Assumes that a device can't send on multiple
    channels simultaneously!
  • Software radio negates this assumption!

Random Key Predistribution - 1
  • Basic idea
  • Assign a random set of keys or key-related info
    to each node
  • Key-setup phase
  • Each node can compute the common keys it shares
    with its neighbors
  • Shared secret session key for node-to-node
    communication
  • Key validation
  • Network is able to verify part or all of the keys
    that an identity claims to have!
  • Bad guy might've been able to capture only a
    limited set of keys.
  • Little probability that an arbitrarily generated
    identity will work!

Random Key Predistribution - 2
  • Validation
  • 2 ways
  • Direct: each node challenges an identity using
    its own limited knowledge
  • May not reach a globally consistent decision
  • Indirect: nodes collaborate
  • Effective, since each sensor node on its own has
    only limited knowledge
  • Costly: communication overhead
  • Random key predistribution approaches
  • (modified by the authors for use as Sybil
    defenses)
  • Key pool
  • Single-space pairwise key distribution
  • Multi-space pairwise key distribution

Key Pool - 1
  • Core scheme
  • A set of keys is assigned to each node
  • If two nodes share q common keys, they can
    establish a secure link.
  • Which keys from the pool a node gets is
    determined by a one-way pseudo-random function
    (PRF) of the node's ID.
  • Attacker can't just gather a bunch of keys and
    claim an identity: the PRF is one-way!
  • Validation
  • Challenge the identity
  • If a key Ki should be in Omega(ID) but isn't
    in the compromised key set S, ID is cheating!

Key Pool - 2
  • Analysis - 1
  • Full validation case
  • Partial validation: challenged by d nodes
  • Pr(t = |Omega(ID) ∩ S|)
    × Pr(ID passes validation with all d verifiers
    | t = |Omega(ID) ∩ S|)
  • Detailed mathematical steps in the paper.

Key Pool - 3
  • Analysis - 2
  • If the tolerance threshold is Pr(a random Sybil
    ID is usable) = 2^-64
  • The attacker needs to compromise only 30 nodes in
    the partial-validation case!
  • 150 in the full-validation case!
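The key-pool validation from these three slides as an added example; it is not the paper's code. Key indices come from a public one-way function of the ID (SHA-256 here, an assumed stand-in for the paper's PRF), the pool size and keys-per-node are assumed parameters, and the attacker's set S is the union of the key sets of the nodes it captured. `usable_fraction` estimates how often a randomly generated Sybil ID survives full validation versus partial validation by d verifiers, the two cases the slides compare.

```python
"""Key-pool Sybil validation: an added example, not the paper's code.
Omega(ID) is derived from the ID by a public one-way function (SHA-256 here,
an assumption); an attacker holding compromised key set S can only answer
challenges for keys in S.  Pool size P and keys-per-node K are assumed."""
import hashlib
import random

P = 1000   # key pool size (assumed)
K = 20     # keys per node (assumed)


def omega(node_id: str, pool: int = P, k: int = K) -> set:
    """Key indices of node_id: index i = SHA-256(node_id || i) mod pool.
    Anyone can compute it; nobody can pick an ID that lands on chosen keys
    except by trial, which is what makes fabricated IDs expensive."""
    idx = set()
    for i in range(k):
        h = hashlib.sha256(f"{node_id}|{i}".encode()).digest()
        idx.add(int.from_bytes(h[:8], "big") % pool)
    return idx


def passes_challenge(challenged: set, holder_keys: set) -> bool:
    """A prover answers correctly iff it really holds every challenged key
    (a real protocol would prove possession with a MAC under each key)."""
    return challenged <= holder_keys


def full_validation(claimed_id: str, holder_keys: set) -> bool:
    """Every key in Omega(ID) must be demonstrated (network-wide check)."""
    return passes_challenge(omega(claimed_id), holder_keys)


def partial_validation(claimed_id: str, holder_keys: set, verifier_keys: list) -> bool:
    """Each of d verifiers challenges only Omega(ID) intersected with its own
    key set; a verifier sharing no key with the ID cannot challenge at all."""
    om = omega(claimed_id)
    return all(passes_challenge(om & vk, holder_keys) for vk in verifier_keys)


def compromised_keys(captured_ids: list) -> set:
    """Attacker's S: union of the key sets of the captured nodes."""
    s = set()
    for nid in captured_ids:
        s |= omega(nid)
    return s


def usable_fraction(captured: int, d: int, trials: int = 1000, seed: int = 7) -> tuple:
    """(full, partial): fraction of random Sybil IDs accepted when `captured`
    legitimate nodes are compromised and partial validation uses d verifiers."""
    rng = random.Random(seed)
    legit = [f"node-{i}" for i in range(400)]
    S = compromised_keys(legit[:captured])
    verifier_keys = [omega(v) for v in legit[captured:captured + d]]
    full = partial = 0
    for _ in range(trials):
        sybil = f"sybil-{rng.getrandbits(32):08x}"
        full += full_validation(sybil, S)
        partial += partial_validation(sybil, S, verifier_keys)
    return full / trials, partial / trials


if __name__ == "__main__":
    for c in (0, 50, 100, 150, 200):
        full, partial = usable_fraction(c, d=5)
        print(f"captured={c:3d}  full={full:.3f}  partial={partial:.3f}")
```

Two things show up in the output that the slides state without numbers: full validation stays near zero until the attacker holds most of the pool, while partial validation with a handful of verifiers accepts a sizeable fraction of random IDs even with nothing captured, simply because verifiers that share no key with the claimed ID have nothing to challenge.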

Single-Space Pairwise Key Distribution
  • Scheme
  • Assign a unique key to each pair
  • Blom's scheme / polynomial-based scheme
  • Node i stores unique public information Ui and
    private information Vi.
  • Node i computes its key with node j as f(Vi, Uj).
  • Lambda-secure property
  • Secure against direct/indirect Sybil attacks until
    Lambda nodes are compromised (c < Lambda)
  • Validation
  • A node validates an identity provided the identity
    has the pairwise key between it and the verifier!
  • No need to consult OTHER nodes!
  • Validation is nonetheless globally consistent.

Multi-space Pairwise Key Distribution - 1
  • Scheme
  • Each sensor node is assigned k out of the m key
    spaces generated by the setup server.
  • If 2 neighbors have at least one key space in
    common,
  • they compute a pairwise secret key as in the
    single-space scheme!
  • Preventing Sybil attacks
  • Without validation
  • Direct-communication Sybil attacks
  • Attacker needs to capture enough nodes that at
    least 1 key space is compromised!
  • Indirect-communication Sybil attacks need more:
    validation! (next slide)

Multi-space Pairwise Key Distribution - 2
  • With validation
  • Indirect validation is needed to challenge an
    adversary who claims to have key spaces Ti.
  • For a globally consistent decision
  • Full validation
  • Adversary has to compromise all k key spaces!
  • Probability calculation
  • Si: event that space i is compromised
  • m: number of key spaces
  • If S1 is compromised, it is less likely that S2
    is too!

Multi-space Pairwise Key Distribution - 3
  • (graph) Note: a different kind of probability on
    the Y-axis compared to Fig. 3 before

Other Defenses
  • Registration
  • A trusted central authority managing the network
    could poll the network and compare against the
    known list of deployed nodes
  • Sensor networks, unlike P2P, may have a central
    authority
  • The registration list of known identities has to
    be protected
  • Position verification
  • Sybil nodes will appear to be at exactly the same
    position
  • Assuming sensor nodes are immobile, the attack
    can be detected
  • For a mobile attacker: need to verify ALL nodes'
    positions simultaneously!
  • Code attestation
  • Validate a node by verifying its memory contents!
  • Not yet applicable to wireless sensor networks
  • Trusted hardware with security guarantees for
    attestation
  • Future
  • Costly and high energy consumption!

Sybil Attacks on Sensor Networks - Summary
  • Current defenses can't fight every type of Sybil
    attack (table before)
  • Each defense has different costs and assumptions
  • Random key predistribution
  • Sounds most promising, given the cost and
    assumptions of the other defenses
  • Basic pool
  • Maps a node's identity to the indices of its
    keys using a 1-way function
  • Single-space
  • Good as long as Lambda nodes are not captured!
  • Direct validation ensures a globally consistent
    decision
  • Multi-space
  • Attacker needs Lambda instances of EACH key space
    to attack!
  • Has to compromise at least k key spaces to
    succeed!
  • Paper presents a detailed analytical first take
    on Sybil attacks on sensor networks! (for P2P see
    next slides!)
  • Area needs to explore a lot more options!
  • A way to AVOID the creation of multiple
    identities?
  • Associate a node with an owner? Then an attacker
    can't misuse an existing node for Sybil
    identities!
  • Who does this?

Appendix: Sybil Attacks in P2P
  • Systems and attacks
  • P2P systems are heterogeneous, WITH unlimited
    computing power!
  • Attackers can create Sybil identities, and these
    need to be validated concurrently
  • Infrastructure
  • Identities communicate via messages over a cloud
    through pipes!
  • Intentional replication for redundancy,
    reliability, etc. can be misused as multiple
    identities
  • Existing relied-upon mechanisms
  • Certification: Verisign
  • CFS: identify node by hash of IP address
  • SFS: append host path to a DNS name
  • EMBASSY: bind machine to cryptographic keys in
    hardware
  • Such mechanisms might become obsolete (e.g. with
    IPv6)
  • New ideas?
  • Resource-demanding challenges to identities!
  • Not administrable on a large distributed network!

References
  • Measurement and Analysis of Spyware in a
    University Environment. Stefan Saroiu, Steven
    Gribble, Henry Levy. Proceedings of the First
    Symposium on Networked Systems Design and
    Implementation (NSDI '04), March 2004.
  • The Sybil Attack in Sensor Networks: Analysis and
    Defenses. James Newsome, Elaine Shi, Dawn Song,
    Adrian Perrig. Proceedings of the 3rd
    International Symposium on Information Processing
    in Sensor Networks (IPSN '04), April 2004.
  • The Sybil Attack. John R. Douceur. First
    International Workshop on Peer-to-Peer Systems
    (IPTPS '02), March 2002.
  • Leveraging the High Performance Computing.
    Michael Pierce, Jim Pepin. HPC (High Performance
    Computing) Consortium Meeting, June 2003.
  • Parasite Programs: Adware, Spyware, and Stealth
    Networks. CIAC Tech02-004 Technical Bulletin,
    revised November 2002.
    http://www.ciac.org/ciac/techbull/CIACTech02-004.s