Which of the following security protections is used to prevent passive attacks?

Active OS Fingerprinting

Nmap can scan a system and identify the OS based on various findings. In Figure 10.16, we see the result of an OS scan against the target 192.168.1.100. Nmap has identified the OS as Linux 2.6 and gives us a range of versions to work with.

Another tool we can use is xprobe2, which performs similar tasks as Nmap. In Figure 10.17, we can see a portion of the scan results using xprobe2 when given the command: xprobe2 –p tcp:80:open 192.168.1.100. The results are confirmed as before – it seems the target is using a version of Linux 2.6.

An additional method of identifying a host OS is to look at the applications running on the host itself. We will see an example of an application providing OS information later in this chapter.

Passive OS Fingerprinting

Identifying a target system's OS passively requires a lot of patience. The objective behind passive OS fingerprinting is to capture TCP packets stealthfully, which contain window's size and Time to Live (TTL) information, and then analyze the packets to guess the OS manually. The problem is passive attacks on a network are sometimes difficult – unless the target system needs to communicate with the attack system directly (which pushes the attack out of the definition of “passive”) or the attacking system is able to collect all packets traveling across the network, there is no easy way to obtain the data needed.

Are You Owned?

If we are lucky enough to obtain access to TCP packets (by having access to a router or another system), we would see the results found in Figure 10.18 using the p0f application.

Another technique we could use is Address Resolution Protocol (ARP) poisoning to force the target system to talk with us. Repeating the above scenario, we will use an additional tool – arpspoof. In Figure 10.19, we make arpspoof announce to our target (192.168.1.100) that our attack system is the network gateway (192.168.1.1). We would let arpspoof run until p0f confirmed the OS; in Figure 10.19, we see what happens when arpspoof is terminated – the ARP table of the target system is given the correct Media Access Control (MAC) address of the gateway (as seen in Figure 10.5), clearing the target's ARP cache.

To verify that the ARP poisoning actually works, we can look at the target system's ARP cache, as seen in Figure 10.20. We see that our target system believes that the attack system and the gateway have the same MAC address. The result is that any time our target wants to send data through the default gateway, it will instead send data to our attack system and then the attack system will send it out to the correct gateway system acting as a man-in-middle to avoid detection.

Given enough time, we will gather enough packets that we will get similar results as those found in Figure 10.18. Until then, we are unfortunately creating a denial of service attack against the target system. Unless we establish a communication tunnel with the actual gateway, effectively creating a Man-in-the-Middle (MITM) attack, we increase our chances of discovery.

Warning

Depending on the criticality of the target system, ARP cache poisoning may be unacceptable. ARP poisoning is an aggressive method of intercepting data and can easily cause denial of services. If the objective is to simply identify the OS, ARP poisoning may be too aggressive unless you use it as a man-in-middle scenario.

3.1 Privacy Breach

Privacy breach deals with identifying nodes and learns the edge relations among them. Passive attack is to observe the released anonymized social network without interfering and is undetectable. Active attack creates some new nodes (e.g., new email accounts) and (patterned) edges among new nodes and to victim nodes. It is hard to detect.

3.2 Passive Attack

A network is studied carefully for loose points or points which can be captured under control easily. The information is gathered about a target node such that except for collecting the information no changes are made in their value or structure. Similar nodes form a group H in a network and an intruder can involve itself as a member in the community which is small and can be identified easily. The intruder can come to a secret understanding with the other k − 1 nodes so that it becomes easier to know about other nodes which are in contact with the nodes in H. Of course, in order that such an attack can be fruitful, all the nodes in H should be aware of themselves and the connectivity inside H such that the members of H know the identity of the nodes outside their group.

3.3 Active Attack

In active attack, before releasing the anonymized network G of n − k nodes an attacker does the following:

selects a set of b-targeted users

creates a subgraph H containing k nodes

attaches H to the targeted nodes

Creating such a subgraph H is called structural steganography.

After the anonymized network is released it performs:

Find the subgraph H in the graph G

Follow edges from H to locate b target nodes and their true location in G

Now, it is determined that all edges among these b nodes lead to the breach of privacy.

Finding a subgraph H should have the following characteristics:

Subgraph H must be uniquely and efficiently identifiable regardless of G

No other subgraph S ≠ H in G such that S and H are isomorphic

Subgraph H has no automorphism

3.3.1 Broad Category of Active Attacks

There are two types of active attacks proposed in Ref. [3]. These attacks are concerned with anonymizing social networks using privacy of edges. These attacks are conceived on the notion that the structure and size of the social network can be changed by the adversaries before the network is published. The set of nodes for which the intruder wants to violate their privacy is identified and by creating a few factious accounts it connects to all of the target nodes in such a manner that after the publication of the anonymized version, this structure can be easily identified. The intruder creates Sybil nodes (that is nodes which claim multiple identities in a social network), whose outgoing edges help reidentify nodes. The two categories of active attacks are as follows (Fig. 1):

Fig. 1. Scenario

•

walk-based attack

•

cut-based attack

In walk-based attack, the steps are:

•

Generate subgraph H = {x1, x2, …xk} with k = θ(logn)

•

Link each targeted node wi to distinct subset of nodes in H

•

Create each edge within H with a probability of 0.5

•

Number of compromised nodes b = θ((logn)2)

Construction of H can be carried out such that

•

H = set of nodes X size k = (2 + δ) log n (δ > 0)

•

W = set of targeted users size b = O((logn)2)

•

External degree for node xi is Di, where Di ∈ [d0, d1] such that d0 ≤ d1 = O(logn)

•

Each wi connects to a set of nodesNi ⊆ X.

•

Set Nj must be of size at most c = 3 and are distinct across all nodes wj.

Add arbitrary edges from H to G − H to make it Di for all xi.

Add internal edges in H: edge {xi, xi + 1}.

Add additional internal edges connecting {xi, xj} with probability 0.5.

Therefore, each node xi has total degrees of Di' = Di + # (internal edges).

In cut-based attack, the steps are:

Theoretical asymptotic lower bound for #new nodes: Ωlogn.

Randomly generate subgraph H = {x1, x2, …xk} with k=Ologn.

Number of compromised nodes b=θlogn .

Construction of H can be carried out as follows:

For W = {w1, w2, …wb} is the set of targeted users,

Create X = {x1, x2, …xk} where k = 3b + 3 nodes.

Create links between each pair {xi, xj} with probability = 0.5.

Choose arbitrary b nodes {x1, x2, …xb}.

Connect xi to wi.

A comparison between active and passive attack is shown in Table 1.

Table 1. Comparison Between Active and Passive Attack

Passive Attack	Active attack
Attackers may not be able to identify themselves after seeing the released anonymized network	More effective. Work with high probability in any network
The victims are only those linked to the attackers	Can choose the victims
Harder to detect	Risk of being detected

The applicability of active attack is limited to small-sized networks and cannot be applied to offline networks.

The intruder has control over the edges coming out of the nodes and has no control over other types of edges. In fact, the legal nodes are not likely to connect these Sybil nodes. So, it provides an indication to the network administrator about something fishy and hence he may anticipate about a Sybil attack [3].

The next limitation in these attacks is related to the link structure. The social networks which are online work on the principle that the connections between nodes should be both ways so that the information can be available. But, the connections from the added nodes to the existing nodes do not show up in the published network. If the size of active attacks increases, the number of Sybil nodes also increases in a huge way, which makes the process infeasible practically.

Again, the passive attacks were also considered in Ref. [3] so that a small group of nodes form an alliance among themselves so that the nodes around them (in a small neighborhood) can be identified by using the existing knowledge and structure of the nodes in the anonymized network. Again, the size of the network to which such attacks can be applied should be very small.

The algorithm proposed in Ref. [3] can be applied to larger sized networks and does not have the assumptions made above and requires a few Sybil nodes to be added.

The privacy protection techniques proposed so far are not that efficient as either they have some heavy assumptions like the intruders have restricted efficiency or the networks used for testing are small or synthetic ones which are different from the story when it comes to real social networks. One can take for instance the anonymization algorithm proposed in Ref. [4]. It does not take into consideration the background knowledge of the intruder. However, somewhat better architectural approaches are used in Refs. [5, 6], an idea which depends on a more sound architecture based on the server-side Facebook application.

For privacy, perhaps the most popular technique used is anonymity. In Ref. [7], the users represented by tokens drawn randomly are taken into consideration instead of the users themselves. Similarly, the approach in Ref. [2], unidentifiable graphs are generated from the information hold by the respondents and used in instead of them so that the information of social network will not be disclosed during the analysis process.

An idea where a group of p nodes are treated to be equivalent through an automated procedure such that a heavy requirement like the graph generated maps the nodes into one another is used in Ref. [5]. This heavy requirement is used in the case of very strong invaders. The concept of edge addition is used in Ref. [8] so that groups of p 1-neighborhoods are made to be similar through isomorphism to p − 1 other 1-neighborhoods and are anonymized as a group. Here a liberal assumption is made that the attacker knows only the 1-neighborhood information of the nodes. The disadvantage in this case is that the process of addition of edges requires a high amount of nodes being used and it varies directly with the degrees of the nodes sharply.

Several conclusions are derived in Ref. [3]. We present them below.

It may be noted that k-anonymity criteria even when it is satisfied we cannot guarantee anonymity of the network as it is a syntactic property.

Another problem with these algorithms is that a lot of restrictions are imposed on the properties of the social network and also the knowledge of the attackers is supposed to be limited to a certain extent. This is a heavy restriction and in reality cannot be satisfied.

Moreover, the restriction that the information available with the intruders is to only 1-neighborhood is very strong and in most of real life situations it is much wider than this assumption.

The above observations encouraged the authors in [1] to develop an algorithm, which uses the background knowledge of the intruders to de-anonymize or reidentify the nodes after the anonymization is done by using any algorithm to this extent. This is a cyclic process as once some of the nodes are identified, more information gets available and this is added to the background knowledge of the adversaries to identify further nodes.

Isolating Vulnerabilities

From the abstract model, the major vulnerable-to-attacks network components are: (1) data sources; (2) agents (more generally called service logic); and (3) signaling messages. By exploiting each of these vulnerabilities, data items that are crucial to the correct working of a cellular network can be corrupted, leading to ultimate service disruption through cascading effects.

In addition, the effect of corrupt signaling messages is different from the effect of corrupt data sources. By corrupting data items in a data source of a service node, all the subscribers attached to this service node may be affected. However, by corrupting a signaling message, only the subscribers (such as the caller and called party in case of call delivery service) associated with the message are affected. Likewise, corrupting the agent in the service node can affect all subscribers using the agent in the service node. Hence, in the three-dimensional taxonomy, a vulnerability exploited is considered as an attack dimension, since the effect on each vulnerability is different.

Likewise, the adversary’s physical access to a cellular network also affects how the vulnerability is exploited and how the attack cascades. For example, consider the case when a subscriber has access to the air interface. The adversary can only affect messages on the air interface. Similarly, if the adversary has access to a service node, the data sources and service logic may be corrupted. Hence, in the three-dimensional taxonomy, the physical access is considered a category as it affects how the vulnerability is exploited and its ultimate effect on the subscriber.

Finally, the way the adversary chooses to launch an attack ultimately affects the service in a different way. Consider a passive attack such as interception. Here the service is not affected, but it can have a later effect on the subscriber, such as identity theft or loss of privacy. An active attack such as interruption can cause complete service disruption. Hence, in the three-dimensional taxonomy, the attack means are considered a category due the ultimate effect on service. In the next part of the chapter, we detail the cellular network specific three-dimensional taxonomy and the way the previously mentioned dimensions are incorporated (see checklist: “An Agenda For Action When Incorporating The Cellular Network Specific Three-Dimensional Attack Taxonomy”).

An Agenda for Action when Incorporating the Cellular Network Specific Three-Dimensional Attack Taxonomy

The three dimensions in the taxonomy include Dimension I: Physical Access to the Network, Dimension II: Attack Categories and Dimension III: Vulnerability Exploited. In the following, we outline each dimension (check all tasks completed):

Dimension I–Physical Access to the Network: In this dimension, attacks are classified based on the adversary’s level of physical access to a cellular network. Dimension I may be further classified into single infrastructure attacks (Level I–III) and cross-infrastructure cyber-attacks (Level IV–V):

Level I: Access to air interface with physical device. Here the adversary launches attacks via access to the radio access network using standard inexpensive “off-the-shelf” equipment [26]. Attacks include false base station attacks, eavesdropping, and man-in-the-middle attacks and correspond to attacks previously mentioned.

Level II: Access to links connecting core service nodes. Here the adversary has access to links connecting to core service nodes. Attacks include disrupting normal transmission of signaling messages and correspond to message corruption attacks previously mentioned.

Level III: Access core service nodes. In this case, the adversary could be an insider who managed to gain physical access to core service nodes. Attacks include editing the service logic or modifying data sources, such as subscriber data (profile, security and services) stored in the service node and corresponding to corrupt service logic, data source, and node impersonation attacks previously mentioned.

Level IV: Access to links connecting the Internet and the core network service nodes. This is a cross-infrastructure cyber-attack. Here the adversary has access to links connecting the core network and Internet service nodes. Attacks include editing and deleting signaling messages between the two networks. This level of attack is easier to achieve than Level II.

Level V: Access to Internet servers or cross-network servers: This is a cross-infrastructure cyber-attack. Here the adversary can cause damage by editing the service logic or modifying subscriber data (profile, security and services) stored in the cross-network servers. Such an attack was previously outlined earlier in the chapter. This level of attack is easier to achieve than Level III.

Dimension II–Attack Type: In this dimension, attacks are classified based on the type of attack. The attack categories are based on Stallings [27] work in this area:

Interception. The adversary intercepts signaling messages on a cable (Level II access) but does not modify or delete them. This is a passive attack. This affects the privacy of the subscriber and the network operator. The adversary may use the data obtained from interception to analyze traffic and eliminate the competition provided by the network operator.

Fabrication or replay. In this case, the adversary inserts spurious messages, data, or service logic into the system, depending on the level of physical access. For example, via a Level II access, the adversary inserts fake signaling messages; and via a Level III access, the adversary inserts fake service logic or fake subscriber data into this system.

Modification of resources. Here the adversary modifies data, messages, or service logic. For example, via a Level II access, the adversary modifies signaling messages on the link; and via a Level III access, the adversary modifies service logic or data.

Modification of resources. Here the adversary modifies data, messages, or service logic. For example, via a Level II access, the adversary modifies signaling messages on the link; and via a Level III access, the adversary modifies service logic or data.

Denial of service. In this case, the adversary takes actions to overload a network results in legitimate subscribers not receiving service.

Interruption. Here the adversary causes an interruption by destroying data, messages, or service logic.

Dimension III–Vulnerability Exploited: In this dimension, attacks are classified based on the vulnerability exploited to cause the attack. Vulnerabilities exploited are explained as follows:

Data. The adversary attacks the data stored in the system. Damage is inflicted by modifying, inserting, and deleting the data stored in the system.

Messages. The adversary adds, modifies, deletes, or replays signaling messages.

Service logic. Here the adversary inflicts damage by attacking the service logic running in the various cellular core network service nodes.

Attack classification. In classifying attacks, we can group them according to Case 1: Dimension I versus Dimension II, and Case 2: Dimension II versus Dimension III. Note that the Dimension I versus Dimension III case can be transitively inferred from Case 1 and Case 2.

Table 11.1 shows a sample tabulation of Level I attacks grouped in Case 1. For example, with Level I access an adversary causes interception attacks by observing traffic and eavesdropping. Likewise, fabrication attacks due to Level I access include sending spurious registration messages. Modification of resources due to Level I access includes modifying conversations in the radio access network. DoS due to Level I access occurs when a large number of fake registration messages are sent to keep the network busy so as to not provide service to legitimate subscribers. Finally, interruption attacks due to Level I access occur when adversaries jam the radio access channel so that legitimate subscribers cannot access the network. For further details on attack categories, refer to [22].

Table 11.1. Sample Case 1 Classification.