Custom Rules for Route Hijacking
One of the existing rules, principalCompromised, was overloaded to account for weak or null authentication in dynamic routing protocols (see Figure 6). This rule can be read as follows: the principal is compromised if it has an account, it has an active connection to a login service on a node, and OLSR is misconfigured. It is important to note that route hijacking does not require the attacker to be located in the victim’s subnet.
The impact prediction models are used to determine if a flow is susceptible to hijacking. This information is then used to generate the MulVAL attack graph input file that uses the custom rules to represent the hijacking behavior. Alternatively, instead of using the impact prediction models, a user may indicate hijacking susceptibility using different sources, e.g., theoretical models such as (Santiraveewan & Permpoontanalarp, 2004).
principalCompromised(Victim) :-
    /* The victim has a user account on the remote host */
    hasAccount(Victim, RemoteHost, User),
    /* nrlolsr is being used */
    networkServiceInfo(H, nrlolsr, olsr, _no_port, _user),
    /* nrlolsr is misconfigured allowing traffic hijacking */
    vulExists(H, nrlolsrVul, nrlolsr, remoteExploit, nrlolsrHijack),
    /* The User has an account on a login service on the remote host */
    logInService(RemoteHost, Protocol, Port),
    /* There is an active connection from the host to the remote machine */
    flowExists(H, RemoteHost, Protocol, Port, User).
Figure 6 Custom Rule for Null or Weak Authentication in OLSR
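The following Python is an added example, not code from the paper or from MulVAL: it turns per-flow susceptibility verdicts into input facts shaped like the body literals of the Figure 6 rule and evaluates the same join to preview which principals would be derived. All hosts, accounts, flows and the noPort/noUser constants are constructed, and how these facts map onto a particular MulVAL installation's input predicates is an assumption.

```python
# Added example: every host, account and flow below is constructed sample data.
ACCOUNTS = [("alice", "node4", "aliceAcct"),   # hasAccount(Victim, RemoteHost, User)
            ("bob", "node4", "bobAcct"),
            ("carol", "node5", "carolAcct")]
LOGIN_SERVICES = [("node4", "tcp", 22),        # logInService(RemoteHost, Protocol, Port)
                  ("node5", "tcp", 22)]
# (H, RemoteHost, Protocol, Port, User, susceptible): the last field is the
# per-flow verdict from an impact prediction model or another source.
FLOWS = [("node1", "node4", "tcp", 22, "aliceAcct", True),
         ("node1", "node5", "tcp", 22, "carolAcct", False),
         ("node2", "node4", "tcp", 22, "bobAcct", False)]


def build_facts(accounts, services, flows):
    """Return input facts shaped like the body literals of principalCompromised."""
    facts = [f"hasAccount({v}, {r}, {u})." for v, r, u in accounts]
    facts += [f"logInService({r}, {p}, {port})." for r, p, port in services]
    for h in sorted({f[0] for f in flows}):
        # Assumption: every flow source runs nrlolsr; the rule ignores the
        # port and user slots, so placeholder constants are used for them.
        facts.append(f"networkServiceInfo({h}, nrlolsr, olsr, noPort, noUser).")
    for h in sorted({f[0] for f in flows if f[5]}):
        # The rule keys the vulnerability on the source host H, not on one flow.
        facts.append(
            f"vulExists({h}, nrlolsrVul, nrlolsr, remoteExploit, nrlolsrHijack).")
    facts += [f"flowExists({h}, {r}, {p}, {port}, {u})."
              for h, r, p, port, u, _ in flows]
    return facts


def derived_victims(accounts, services, flows):
    """Evaluate the rule's join in Python to preview what it would derive."""
    vulnerable_hosts = {f[0] for f in flows if f[5]}   # hosts with vulExists
    victims = set()
    for h, r, p, port, u, _ in flows:
        # networkServiceInfo holds for every flow source (see build_facts).
        if h in vulnerable_hosts and (r, p, port) in services:
            victims |= {v for v, host, user in accounts if (host, user) == (r, u)}
    return victims


if __name__ == "__main__":
    print("\n".join(build_facts(ACCOUNTS, LOGIN_SERVICES, FLOWS)))
    print(sorted(derived_victims(ACCOUNTS, LOGIN_SERVICES, FLOWS)))
```

In this sample, carol is derived as compromised although her own flow was not flagged, because the rule attaches the vulnerability to the source host H rather than to an individual flow. Anyone feeding per-flow verdicts into the rule should check whether that host-level coarsening is intended.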