Building the Classifier
The dataset was formatted into the WEKA (Hall, et al., 2009) data-mining toolset file format and the REPTree algorithm was used to generate the classifiers. A subset of the parameters was used as training attributes to predict hijackability (parameter 8). Initially, parameters 1−7 were used (called the partial set) and then parameters 9−20 were added (called the all set).
As described earlier, the dataset used for evaluation consists of all combinations of the following configurations:
- Routing Protocols: OSPFv3MDR, OLSR
- Topologies: chain, connected_grid, cycle, star, tree, two-centroid, and wheel
- Attacks: forwarding, spoofing
Additionally, there are 10 nodes with 3 outgoing connections (2 UDP and 1 TCP). Each emulation instance contains one attacking node selected using a round-robin approach. In very few cases, a malfunction in CORE caused some nodes to stop capturing data and as a result, the dataset contains a small amount of noise.
Four REPTree classifiers were generated (OLSR forwarding, OLSR spoofing, OSPF forwarding, OSPF spoofing); performance was evaluated using 10 fold cross-validation. Table 3 and Table 4 contain the results for OLSR and OSPF respectively.
Table 3 Classification of hijackability with OLSR
| Attack | Parameters Used | True Positive Rate | False Positive Rate | F-Measure |
|---|---|---|---|---|
| Forwarding | Partial | 0.998 | 0.018 | 0.998 |
| All | 0.998 | 0.018 | 0.998 | |
| Spoofing | Partial | 0.975 | 0.161 | 0.975 |
| All | 0.983 | 0.103 | 0.983 |
Table 4 Classification of hijackability with OSPFv3MDR
| Attack | Parameters Used | True Positive Rate | False Positive Rate | F-Measure |
|---|---|---|---|---|
| Forwarding | Partial | 1 | 0 | 1 |
| All | 1 | 0 | 1 | |
| Spoofing | Partial | 0.997 | 0.248 | 0.991 |
The results show that the classifiers perform well when the all parameters are used. To assess risk associated with traffic hijacking, these models are used in conjunction with attack graph generation software.
Attack Graphs
Attack graphs enable system stakeholders to understand the stepping stones or exploitation procedures that an adversary could potentially execute to impact the confidentiality, integrity, and availability of a network system. These graphs are used to assess risk and to determine components that, when hardened, contribute most to risk reduction. Attack graphs work by reading a system topology and a vulnerability scan of the nodes in a network. Vulnerability database information is used to determine the outcome of exploitation. Until now, attack graphs were incapable of representing traffic hijacking attacks. Success or failure of these attacks depends on specific implementations of routing protocols and on the operating environment. Through a collaborative effort, ARL has partnered with the University of Texas at El Paso (UTEP), Abilene Christian University (ACU), and University of South Florida (USF) to tackle this issue by leveraging impact prediction models and state of the art attack graph software.