“Method and Apparatus to Facilitate Generating Worm-Detection Signatures Using Data Packet Field Lengths”, U.S. Patent Application No. 11/985,760. Filed on Dec. 18, 2007.
EAP-AKA for UMTS; EAP-SIM for GSM
“Hello request” is a simple notification that the client should begin the negotiation process by sending a client hello message. Hello request will be ignored by the client if the client is currently negotiating a session.
NAI: network access identifier; RAND: random number; AUTN: authentication token, to authenticate the server; MAC: message authentication code
Encrypt and authenticate messages for secure wireless channel. High layer protocols remain the same.
In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. As we will detail later, most of these infections actually occurred within 10 minutes. This graphic is more for effect than for technical detail: We couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread. We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate.
The measured links experience a sustained traffic rate of roughly 20Mbps with bursts of up to 106Mbps.
AuC: the authentication center
NAV: network allocation vector
Yan Chen, Lab for Internet and Security Technology (LIST), Dept. of Electrical Engineering and Computer Science, Northwestern University, http://list.cs.northwestern.edu. Intrusion Detection and Forensics for Self-defending Wireless Networks
Automatic zero-day polymorphic worm signature generation systems for high-speed networks
Fast, noise tolerant, with proved attack resilience
Published in IEEE International Conference on Network Protocols (ICNP) 2007 (14% acceptance rate).
A patent filed through Motorola.
Potential technology transfer through Motorola
Limitations of Exploit Based Signatures: Polymorphic worms might not have exact exploit based signatures. [Figure: Internet, traffic filtering, our network; signature: 10.*01; polymorphism]
Mobile IPv6 is a protocol which allows nodes to remain reachable while moving around in the IPv6 Internet.
Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet.
IPv6 packets addressed to a mobile node's home address are transparently routed to its care-of address.
The protocol enables IPv6 nodes to cache the binding of a mobile node's home address with its care-of address, and to then send any packets destined for the mobile node directly to it at this care-of address.
Except for the Mobile Node, all other components, such as the Home Agent and Correspondent Node, are connected by wired cable in the Northwestern network.
We collected the data over 100 runs of the experiment. As observed with Wireshark running on the Mobile Node, the time window for one successful attack is about 5ms on average, with a standard deviation of 0.108ms.
Computing the spoofed Error message takes 0.0203ms on average. The closer the attack is to the Mobile Node, the higher the probability of launching a successful Error Message attack.