Computer Laboratory

Technical reports

Cooperative attack and defense in distributed networks

Tyler Moore

June 2008, 172 pages

This technical report is based on a dissertation submitted March 2008 by the author for the degree of Doctor of Philosophy to the University of Cambridge, St. John’s College.

Abstract

The advance of computer networking has made cooperation essential to both attackers and defenders. Increased decentralization of network ownership requires devices to interact with entities beyond their own realm of control. The distribution of intelligence forces decisions to be taken at the edge. The exposure of devices makes multiple, simultaneous attacker-chosen compromise a credible threat. Motivation for this thesis derives from the observation that it is often easier for attackers to cooperate than for defenders to do so. I describe a number of attacks which exploit cooperation to devastating effect. I also propose and evaluate defensive strategies which require cooperation.

I first investigate the security of decentralized, or ‘ad-hoc’, wireless networks. Many have proposed pre-loading symmetric keys onto devices. I describe two practical attacks on these schemes. First, attackers may compromise several devices and share the pre-loaded secrets to impersonate legitimate users. Second, whenever some keys are not pre-assigned but exchanged upon deployment, a revoked attacker can rejoin the network.

I next consider defensive strategies where devices collectively decide to remove a malicious device from the network. Existing voting-based protocols are made resilient to the attacks I have developed, and I propose alternative strategies that can be more efficient and secure. First, I describe a reelection protocol which relies on positive affirmation from peers to continue participation. Then I describe a more radical alternative called suicide: a good device removes a bad one unilaterally by declaring both devices dead. Suicide offers significant improvements in speed and efficiency compared to voting-based decision mechanisms. I then apply suicide and voting to revocation in vehicular networks.

Next, I empirically investigate attack and defense in another context: phishing attacks on the Internet. I have found evidence that one group responsible for half of all phishing, the rock-phish gang, cooperates by pooling hosting resources and by targeting many banks simultaneously. These cooperative attacks are shown to be far more effective.

I also study the behavior of defenders – banks and Internet service providers – who must cooperate to remove malicious sites. I find that phishing-website lifetimes follow a long-tailed lognormal distribution. While many sites are removed quickly, others remain much longer. I examine several feeds from professional ‘take-down’ companies and find that a lack of data sharing helps many phishing sites evade removal for long time periods.

One anti-phishing organization has relied on volunteers to submit and verify suspected phishing sites. I find its voting-based decision mechanism to be slower and less comprehensive than unilateral verification performed by companies. I also note that the distribution of user participation is highly skewed, leaving the scheme vulnerable to manipulation.

Full text

PDF (1.7 MB)

BibTeX record

@TechReport{UCAM-CL-TR-718,
  author =	 {Moore, Tyler},
  title = 	 {{Cooperative attack and defense in distributed networks}},
  year = 	 2008,
  month = 	 jun,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-718.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-718}
}