International Journal of Recent Trends in Electrical & Electronics Engg., Feb. 2014. IJRTE ISSN: 2231-6612



Similar documents
Detection of Tricking Attack and Localization Of Deceivers In Multiple Wireless Networks

Detection and Localization of Multiple Spoofing Attackers in Wireless Networks

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 9, March 2014

Mitigating Spoofing Attacks through Received Signal Strength in Wireless Networks

DETECTION AND LOCALIZATION OF MULTIPLE SPOOFING ATTACKERS FOR MOBILE WIRELESS NETWORKS

How To Detect Spoofing Attacks On Wireless Networks

AS MORE WIRELESS and sensor networks are deployed,

Sensing vulnerabilities and multiple spoofing adversaries in wireless LAN

GMFAD and CDAL-M Models for Identification of Adversary Attacks in Wireless Sensor Network using RSS

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Thwarting Selective Insider Jamming Attacks in Wireless Network by Delaying Real Time Packet Classification

Security in Ad Hoc Network

Using Received Signal Strength Indicator to Detect Node Replacement and Replication Attacks in Wireless Sensor Networks

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

Efficient Detection of Ddos Attacks by Entropy Variation

1. discovery phase 2. authentication and association phase 3. EAP/802.1x/RADIUS authentication 4. 4-way handshake 5. group key handshake 6.

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

CHAPTER 1 INTRODUCTION

Prediction of DDoS Attack Scheme

Preventing DDOS attack in Mobile Ad-hoc Network using a Secure Intrusion Detection System

Wireless Sensor Networks Chapter 14: Security in WSNs

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Ashok Kumar Gonela MTech Department of CSE Miracle Educational Group Of Institutions Bhogapuram.

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Intrusion Detection for Mobile Ad Hoc Networks

International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback

COSC 472 Network Security

Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks

Analysis of IP Spoofed DDoS Attack by Cryptography

An Efficient Hybrid Data Gathering Scheme in Wireless Sensor Networks

How To Write A Transport Layer Protocol For Wireless Networks

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Security and Privacy Issues in Wireless Ad Hoc, Mesh, and Sensor Networks

Own your LAN with Arp Poison Routing

Impact of Feature Selection on the Performance of Wireless Intrusion Detection Systems

Wireless Sensor Network Security. Seth A. Hellbusch CMPE 257

Defense in Cyber Space Beating Cyber Threats that Target Mesh Networks

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

Single Sign-On Secure Authentication Password Mechanism

A Novel Approach for Evaluating and Detecting Low Rate SIP Flooding Attack

Enterprise A Closer Look at Wireless Intrusion Detection:

SECURE DATA TRANSMISSION USING INDISCRIMINATE DATA PATHS FOR STAGNANT DESTINATION IN MANET

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Customized Data Exchange Gateway (DEG) for Automated File Exchange across Networks

CS5008: Internet Computing

How To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme

Comparison of Various Passive Distributed Denial of Service Attack in Mobile Adhoc Networks

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

IY2760/CS3760: Part 6. IY2760: Part 6

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model

Ebonyi State University Abakaliki 2 Department of Computer Science. Our Saviour Institute of Science and Technology 3 Department of Computer Science

Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

Securing Ad Hoc Wireless Networks Against Data Injection Attacks Using Firewalls

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS

Link Layer and Network Layer Security for Wireless Networks

Link Layer and Network Layer Security for Wireless Networks

Wireless Security: Secure and Public Networks Kory Kirk

United States Trustee Program s Wireless LAN Security Checklist

Multimodal Biometric Recognition Security System

A Catechistic Method for Traffic Pattern Discovery in MANET

ENHANCED GREEN FIREWALL FOR EFFICIENT DETECTION AND PREVENTION OF MOBILE INTRUDER USING GREYLISTING METHOD

Prevention, Detection and Mitigation of DDoS Attacks. Randall Lewis MS Cybersecurity

Detecting Multiple Selfish Attack Nodes Using Replica Allocation in Cognitive Radio Ad-Hoc Networks

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

An Implementation of Secure Wireless Network for Avoiding Black hole Attack

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

REVIEW ON RISING RISKS AND THREATS IN NETWORK SECURITY

SECURE SIGNATURE BASED CEDAR ROUTING IN MOBILE ADHOC NETWORKS

Preventing Resource Exhaustion Attacks in Ad Hoc Networks

SIMULATION STUDY OF BLACKHOLE ATTACK IN THE MOBILE AD HOC NETWORKS

Keywords: Location Distinction, measurements, Deficiency, Spoofed, WSN Secure wireless networks

Tema 5.- Seguridad. Problemas Soluciones

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Security vulnerabilities in the Internet and possible solutions

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA

AN EFFICIENT STRATEGY OF AGGREGATE SECURE DATA TRANSMISSION

Firewalls, Tunnels, and Network Intrusion Detection

Packet Level Authentication Overview

Intrusion Detection Systems vs. Intrusion Prevention Systems. Sohkyoung (Michelle) Cho ACC 626


Bandwidth based Distributed Denial of Service Attack Detection using Artificial Immune System

The Trivial Cisco IP Phones Compromise

All You Wanted to Know About WiFi Rogue Access Points

A Novel Technique to Isolate and Detect Jamming Attack in MANET

Study of Different Types of Attacks on Multicast in Mobile Ad Hoc Networks

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

Adaptive Anomaly Detection for Network Security

Protecting Privacy Secure Mechanism for Data Reporting In Wireless Sensor Networks

DETECTING AND PREVENTING IP SPOOFED ATTACK BY HASHED ENCRYPTION

A Protocol Based Packet Sniffer

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Transcription:

Spoofing Attack Detection and Localization of Multiple Adversaries in Wireless Networks S. Bhava Dharani, P. Kumar Department of Computer Science and Engineering, Nandha College of Technology, Erode, Tamilnadu, India ABSTRACT In wireless networks, Spoofing attacks are easy to launch but it degrades the performance of the networks. To identity an attacker node, it can be verified through cryptographic authentication, authentication is always not possible because it requires key management and additional infrastructural overhead. The proposed approach is used for 1) Detecting spoofing attacks 2) Determining the number of attackers when multiple adversaries masquerading the same node identity and 3) Localizing multiple adversaries. The proposed system uses spatial correlation of received signal strength (RSS) to detect the spoofing attacks. Cluster-based mechanisms are introduced to determine the number of attackers. In this paper, K-Nearest-Neighbor classifier (KNN) is proposed to improve the performance of determining the number of attacks. Finally, An Integrated Detection and Localization system is used to localize the positions of multiple attackers. KEYWORDS: Wireless network security, Spoofing attack, KNN, Localization I. INTRODUCTION Spoofing attacks are a serious threat as they represent a form of identity compromise and can facilitate a variety of traffic injection attacks, such as evil twin access point attacks. Spoofing is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. In a large-scale network, multiple adversaries may masquerade as the same identity and collaborate to launch malicious attacks such as network resource utilization attack and denial-of-service attack quickly. Among various types of attacks, spoofing attacks are especially easy to launch but it degrades its network performance. Due to the openness of wireless networks, they are especially vulnerable to spoofing attacks where an attacker forges its identity to masquerade as another device and creates multiple illegitimate identities. Spoofing is when an attacker pretends to be someone else in order gain access to restricted resources or steal information. An attacker can impersonate the Internet Protocol (IP) address of a legitimate user in order to get into their accounts. Spoofing attacker may send fraudulent emails and set up fake websites in order to capture user s login names, passwords, and account information. Another type of spoofing involves setting up a fake wireless access point and tricking victims into connecting to them through the illegitimate connection. Different spoofing attacks such as IP spoofing, E-mail spoofing and ARP spoofing, used to leverage. Man-in-the middle attacks against hosts on a computer network. For example IP spoofing is shown in Fig 1. Attacks which take advantage of TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet inspection or by taking measures to verify the identity of the sender or recipient of a message. The header of each IP packet contains the numerical source and destination address of the packet. The address where the packet was sent from is the source address. The header which can be forged, contains a different address, an attacker can make it appear that the packet was sent by a different machine. The traditional approaches to address spoofing attacks are to apply cryptographic authentication. However, cryptographic authentication requires additional infrastructural overhead and computational power associated with distributing, and maintaining cryptographic keys. Due to the limited power and resources available to the wireless devices, it is not Volume 3, Issue 2, pg: 133-134 133

always possible to deploy authentication. Thus, it is desirable to detect the presence of spoofing attacks and eliminate them from the network. In this paper, we take different approaches by using the physical properties associated with wireless transmissions to detect spoofing. Detecting spoofing attacks and as well as localizing the positions of the adversaries performing the attacks, different schemes are used. In exiting system, matching rules of signal prints are used for spoofing detection. K-means cluster analysis to detect spoofing attacks. However, none of these schemes have the ability to determine the number of attackers when multiple adversaries use the same identity to launch attacks, which is the basis to localize multiple adversaries after attack detection. Existing approaches can only handle the case of a single spoofing attacker and cannot localize the attacker if the adversary uses different transmission power levels. Target Spoofed Host Attack Packet with Spoofed source IP Response is observed by Attacker via network sniffing software. Attacker Figure 1. IP Spoofing Our approach utilizes the Received Signal Strength (RSS) measured across a set of access points to perform spoofing detection and localization. Our scheme does not add any overhead to the wireless devices. Employing Received Signal Strength (RSS) as a means to detect spoofing attacker will not require any additional cost to the wireless devices. They will merely use their existing communication methods, while the wireless network will use a collection of base stations to monitor received signal strength for the potential of spoofing. Since we are concerned with attackers who have different locations than legitimate wireless nodes, that utilizing spatial information to address spoofing attacks has the unique power to not only identify the presence of these attacks but also localize adversaries. After detecting the spoofing attack we have to determine the number of attackers. To improve the performance of determining the number of attacks K-Nearest-neighbor classifier (KNN) are proposed. In exiting system Support Vector Machines (SVM) method are used. Compared to SVM, KNN is very simple and well understood. KNN classifiers can achieve good overall performance and are much faster than SVM to use. Indeed, the cost to train SVM for large-scale network is a clear drawback. Hence we are using KNN classifiers to improve the performance of determining the number of attacks If the spoofing attacks are determined to be present by the spoofing attack detector, we want to localize the multiple adversaries and further to eliminate the spoofing attackers from the network. Simulations are conducted to evaluate the performance of proposed work in terms of entropy variation and strength of attacks. Evaluate the effectiveness and efficiency of the proposed K-Nearest-Neighbor classifiers Attacks Detection and SVM. Based on the comparison and the results from the experiment shows that the proposed approach works better than the existing systems. The rest of the paper is organized as follows. We place our work in the context of related research in Section 2.We describe the proposed system model in Section 3. We evaluate the performance analysis in Section 4. Finally, we conclude our work in Section 5. II. RELATED WORK Sheng et al (2008) presented approach, received signal strength (RSS) to distinguish wireless devices for spoofing detection. Initially, the signal strength of a received frame is measured at the receiver s Volume 3, Issue 2, pg: 133-134 134

antenna. The attacker is from its victim, their RSS patterns differ significantly. It is difficult to detect spoofing attack. Since an attacker can manipulate its transmission power with a dense array of AMs, to mimic the RSS pattern of the victim to one AM and also it is inherently difficult to fool the majority of these AMs which have different radio environment. It represents the readings of received Signal Strength for any given transmitter/am pair as a Gaussian Mixture Models (GMM). A RSS profiling algorithm based on the Expectation-Maximization (EM) learning algorithm for GMMs. The RSS profile is once established for a transmitter in normal conditions, any significant differences in the RSS patterns is considered as a potential spoofing attack. MAC spoofing is using air monitors (AMs) and these devices are used to passively sniff wireless traffic, without cooperation from access points (APs) or client stations. Wu et al (2005) presented a secure and efficient key management (SEKM) framework. It builds a Public Key Infrastructure (PKI) by applying a secret sharing approach and an underlying multicast server group. In SEKM, the server cluster creates a certification authority (CA) view and it provides certificate update service for all nodes, together with the servers themselves. A ticket based scheme is introduced for efficient certificate service. Additionally, an efficient server cluster updating scheme is introduced. In fact, any cryptologic means that is ineffective if the key management is weak. Key management could be a central side for security in networks. Arora et al (2008) proposed to use the node s spatial signature, together with Received Signal Strength Indicator (RSSI) and Link Quality Indicator (LQI) to authenticate messages in wireless networks. However, none of these techniques are capable of determining the number of attackers when there are multiple adversaries collaborating to use the same identity to launch malicious attacks and also does not have the ability to localize the positions of the adversaries after attack detection. Li et al (2006) introduced a security layer which used forge-resistant relationships for detecting spoofing attacks based on the packet traffic together with traffic pattern. The MAC sequence number has also been used to perform spoofing detection. The sequence number and the traffic pattern, these both can be manipulated by an adversary as long as the adversary learns the traffic pattern under normal conditions. Brik et al (2008) focused on building fingerprints of Wireless LAN by extracting radiometric signatures like frequency magnitude; I/Q origin offset and phase errors, to defend against attacks. Further there is overhead associated with wireless channel response and radiometric signature extraction in wireless networks. Xiao (2007) proposed approaches which utilized physical properties associated with wireless transmission to combat attacks in wireless networks. Based on the fact that, in space, wireless channel response decorrelates quite rapidly, a channel-based authentication scheme was proposed to discriminate between transmitters at different locations and thus to detect spoofing attacks in wireless networks. Jie Yang et al (2013) proposed Support Vector Machines (SVM) to classify the number of the spoofing attackers. Using SVM is that it can combine the intermediate results (i.e., features) from different statistic methods to build a model based on training data to predict the number of adversaries. Particularly, SVM is a set of kernel-based learning methods for data classification that involves a training phase and a testing phase. Each data instance in the training set consists of a target value (i.e., class label) and several attributes (i.e., features). But when we used SVM method to classify the number of the spoofing attackers, the performance is not good and also it requires additional cost for large-scale network. III. SYSTEM MODEL 3.1 Received signal strength based spatial correlation Spoofing detection is to devise strategies that use the uniqueness of spatial information, but not using the location directly because the attacker s positions are unknown. RSS is a property closely correlated with location in physical space and is readily available in the wireless network. Even though it was affected by random noise, multipath effects, and environmental bias, received signal strength measured at a set of landmarks reference points with known locations is closely associated with the transmitter s physical location and is governed by the distance to the landmarks. The RSS readings at the different physical location are distinctive, whereas the RSS readings at same locations Volume 3, Issue 2, pg: 133-134 135

in physical space are similar. Thus, the RSS readings present strong spatial correlation characteristics. The RSS value vector as S = {S1, S2..Sn} where n is the number of landmarks/access points that monitors the RSS of the wireless nodes and know their locations. 3.2 Spoofing Attack Detection and Determining the number of Attackers To perform spoofing attack detection, the RSS-based spatial correlation inherited from wireless nodes is used. And also the RSS readings from a wireless node may fluctuate and should cluster together. Especially, the RSS readings over time from the same physical location will belong to the same cluster points in the n-dimensional signal space, where as the RSS readings from different locations over time should form different clusters in signal space. The PAM technique is a popular iterative descent clustering algorithm. The PAM technique is more robust in the presence of noise and outliers. Hence the PAM method is more suitable in determining clusters from RSS streams, which may be unreliable and fluctuating over time due to random noise and environmental bias. The number of attackers will cause failure in localizing the multiple adversaries. Since we do not know how many adversaries will use the same node identity to launch spoofing attacks and determining the number of attackers becomes a multiclass detection problem and is similar to determining how many clusters exist in the RSS readings. The minimum distance between two clusters is large indicating that the clusters are from different physical locations. The minimum distance between the returned clusters to make sure the clusters are produced by attackers instead of RSS variations and outliers. Cluster analysis Received signal strength value Attack Detection KNN Mechanism Number of attackers Exact number of attackers and its location Localize and eliminate identified attackers Integrated Detection and Localization 3.3 K- Nearest-Neighbor classifiers Figure 2. System Model To improve the performance of determining the number of attackers, K- Nearest Neighbor classifiers (KNN) are used, that are based on learning by analogy. That is, by comparing a given new node with known node that is similar to it. The known node is described by N attributes. Each node represents a point in an N-dimensional space. In this way, the entire known node is stored in an N-dimensional pattern space. When given an unknown node, a k-nearest-neighbor classifier searches the pattern space for the k known node that are closest to the unknown node. This k known node are the k nearest neighbor of the unknown node. For k-nearest-neighbor Classification, the unknown node is assigned the most common class among its k nearest neighbors. 3.4 Integrated Detection and Localization Framework Volume 3, Issue 2, pg: 133-134 136

Integrated systems that can detect spoofing attackers, determine the number of attackers, and localize the multiple adversaries. Especially when attackers using different transmission power levels, traditional localization techniques are based on averaged RSS from each node identity inputs to estimate the position of a node. In wireless spoofing attacks, the RSS stream of a node identity may be mixed with RSS readings of both the original node as well as spoofing nodes from different physical location. The traditional technique of averaging RSS readings cannot totally differentiate RSS readings from different locations and therefore it is not feasible for localizing adversaries. Different from traditional localization techniques, our integrated detection and localization system utilize the RSS medoids as inputs to localization algorithms to estimate the positions of adversaries. The return positions from our system include the location for estimation of the original node and also the attackers with in the physical space. IV. PERFORMANCE ANALYSIS Finally the proposed approaches are illustrated and evaluated to compare the performance of all the approaches. Simulations are conducted to analyze the performance of proposed work in terms of entropy variation and strength of attacks. We evaluate the effectiveness and efficiency of the proposed K- Nearest-Neighbor classifiers and SVM. Based on the comparison and the results from the experiment shows that the proposed approach works better than the existing systems. V. CONCLUSION In this work, Received Signal Strength (RSS) can be used to detect the spoofing attack. After detecting the spoofing attack, we have to determine the number of adversaries. Since multiple adversaries can use the same identity node to launch the attack, determining the number of adversaries could be a significantly difficult drawback. We proposed a mechanism K-Nearest-Neighbor classifier that employs the minimum distance testing in addition to cluster analysis to achieve higher accuracy of determining the number of attackers than other methods. Simulations are conducted to analyze the performance of proposed work in terms of entropy variation and strength of attacks. By evaluating the effectiveness and efficiency of the proposed K-Nearest-Neighbor classifiers (KNN) and existing SVM method, based on the comparison and the results from the experiment shows that our proposed approach works better than the existing systems. If the spoofing attacks are determined to be present by the spoofing attack detector, we want to localize the multiple adversaries and further to eliminate the spoofing attackers from the network. Finally, we localized the positions of multiple attackers by using an Integrated Detection and Localization system. REFERENCES [1] Brik V, Banerjee S, Gruteser M and Oh S,(2008) Wireless Device Identification with Radiometric Signatures, Proceedings of International Conference on Mobile Computing and Networking, pp.116-127. [2] Chen Y, Trappe W and Martin R,(2007) Attack Detection in Wireless Localization, Proceedings of IEEE INFOCOM. [3] Fabrice Colas and Pavel Brazdi,(2006) Comparison of SVM and Some Older Classification Algorithms in Text Classification Tasks, ACM/Springer Wireless Networks, Volume 217, pp.169-178. [4] Jie Yang, Yingying Chen, Wade Trappe and Jerry Cheng,(2013) Detection and Localization of Multiple Spoofing Attackers in Wireless Networks, IEEE Transactions on Parallel and Distributed systems, Volume. 24. [5] Li Q and Trappe W,(2006) Relationship-Based Detection of Spoofing - Related Anomalous Traffic in Ad Hoc Networks, IEEE Communication Social Conference on Sensor, Mesh and Ad Hoc Communication and Networks (SECON). [6] Sang L and Arora A,(2008) Spatial Signatures for Lightweight Security in Wireless Sensor Networks, Proceedings of IEEE INFOCOM, pp. 2137-2145, 2008. [7] Sheng Y, Chen G, Kotz D and Campbell A,(2008) Detecting 802.11 MAC Layer Spoofing Using Received Signal Strength, Proceedings of IEEE INFOCOM. [8] Wool A,(2005) Lightweight Key Management for IEEE 802.11 Wireless Lan with Key Refresh and Host Revocation, Springer Wireless Networks, volume 11, no. 6, pp. 677-686. [9] Wu B, Fernandez E and Magliveras S,(2005) Secure and Efficient Key Management in Mobile Ad Hoc Networks, IEEE International Parallel and Distributed Processing Symposium (IPDPS). Volume 3, Issue 2, pg: 133-134 137

[10] Xiao L and Trappe W, (2007) Fingerprints in the Ether: Using the Physical Layer for Wireless Authentication, Proceedings of IEEE International Conference on Communications (ICC), pp. 4646-4651. [11] Yang J, Chen Y and Trappe W, (2009) Detecting Spoofing Attacks in Mobile Wireless Environment, Proceedings of IEEE Communication Social Conference on Sensor, Mesh and Ad Hoc Communication and Networks (SECON). Volume 3, Issue 2, pg: 133-134 138

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information