Efficient Traceback of DoS Attacks using Small Worlds in MANET




Yongjin Kim, Vishal Sankhla, Ahmed Helmy
Department of Electrical Engineering, University of Southern California, U.S.A
{yogkm, sakhla, helmy}@ceg.usc.edu

Ahmed Helmy was supported by NSF Career, Intel and Pratt & Whitney PWICE Institute.

Abstract

Mobile Ad hoc NETwork (MANET) is an increasingly promising area of research with many practical applications. However, MANET is vulnerable to a number of attacks, including Denial-of-Service (DoS) attacks, due to its autonomous nature. DoS attacker traceback is a challenging issue in MANET since each node works as an autonomous terminal, acting as both host and router. Mobility of nodes in MANET makes the problem even worse, since it is hard to trace back attackers when they are moving around and frequently changing the network topology. We propose to use an efficient on-the-fly search technique to trace back DoS attackers. Our scheme is based on the small world concept and effectively extends Contacts [3] for MANET utilizing location information. In addition, to deal with address spoofing problems in DoS attacks, we use Traffic Pattern Matching (TPM) [5] and propose to use Traffic Volume Matching (TVM) as matching-in-depth to identify an attacker. We also use in-network processing and directional expanded ring search to reduce communication overhead in attacker traceback. We show that our scheme successfully traces back the attacker using both TPM and TVM. In addition, we show that our scheme incurs very low communication overhead.

1 INTRODUCTION

Denial-of-service (DoS) attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. Such attacks are among the most intricate security problems to address because they are easy to implement, difficult to prevent, and very difficult to trace. The most common DoS attacks include attacks similar to SYN Flood, Smurf, and UDP Flood. Determining the source generating attack traffic is especially difficult when using stateless routing protocols (as in the Internet or geographic routing). Attackers routinely disguise their location using an incorrect, or spoofed, source address.

There are many IP traceback schemes proposed for the Internet, such as link testing, packet marking, logging, ICMP traceback, etc. [],[5],[6],[7]. Such traceback schemes are not directly applicable to Mobile Ad Hoc NETwork (MANET) for the following reasons. In MANET, there is no fixed infrastructure. Each node works as an autonomous terminal, acting as both host and router. Each node moves in and out, frequently changing the network topology. Network bandwidth and battery power are limited.

To perform efficient DoS attacker traceback under such a harsh environment in MANET, we propose to use an efficient on-the-fly search technique. For that, we propose to use the small world concept. Establishing a small world reduces the degrees of separation between the attacked node (victim) and the attacker and provides an efficient traceback mechanism. Helmy et al. [3] established the applicability of small world graphs to wireless networks. In this paper, we effectively extend Contacts [3] for MANET utilizing location information. By using location information, we can optimally select Contacts, reducing coverage overlap, and construct a small world to identify and trace attackers with reduced communication overhead. In addition, to deal with address spoofing problems, we use traffic patterns [5] to identify an attacker. We also propose traffic volume matching to complement the traffic pattern matching. We call this matching-in-depth. A traffic pattern is defined by the sequence of the number of packets in a time slot at each node. We also use in-network processing and directional expanded ring search to reduce communication overhead.

Our paper is organized as follows. In section 2, we provide related work on DoS attack traceback in the Internet. In section 3, we introduce our Contact-based DoS traceback architecture. We show simulation results in section 4. In section 5, we conclude our paper and present future work.

-783-85-7/4/$. 4 IEEE 3979 Authorized licensed use limited to: University of Florida. Downloaded on November 8, 8 at 3: from IEEE Xplore. Restrictions apply.

2 RELATED WORKS

There are two existing approaches to the problem of determining the route of a packet flow in the Internet: one can audit [5],[6],[7] the flow as it traverses the network, or one can attempt to infer the route based upon its impact on the state of the network []. Route inference was pioneered by Burch and Cheswick, who considered the restricted problem of large packet flows and proposed a novel technique that systematically floods candidate network links. By watching for variations in the received packet flow due to the restricted link bandwidth, they are able to infer the flow's route. This requires considerable knowledge of network topology and the ability to generate large packet floods on arbitrary network links.

One can categorize auditing techniques into two classes according to the way in which they balance resource requirements across the network components. Some techniques require resources at both the end host and the routing infrastructure; others require resources only within the network itself. Of those that require only infrastructure support, some add packet processing to the forwarding engine of the routers while others offload the computation to the control path of the routers. Neither approach is feasible or efficient in MANET, since they consume significant bandwidth/power and each node moves around, frequently changing the network topology.

3 CONTACT-BASED TRACEBACK ARCHITECTURE

3.1 Design Requirements

The design requirements for efficient traceback in MANET include:

(I) Robustness to mobility: The mechanism should be robust enough to handle frequent mobility. That is, we should be able to trace an attacker despite frequent intermediate node mobility.
(II) Robustness to address spoofing: It is a common attacking technique to spoof addresses. We should be able to trace an attacker in spite of address spoofing.
(III) Scalability: Applications of large-scale ad hoc networks involve military and sensor network environments that may include thousands of nodes. Hence the traceback mechanism should be scalable in terms of communication overhead as network size increases.
(IV) Efficiency: Ad hoc networks include portable devices with limited battery power. The traceback mechanism should be power-efficient.
(V) Decentralized operation: For the network to be rapidly deployable, it should not require any centralized control.

3.2 Architecture and Definitions

Each node maintains information only about its Vicinity using very limited broadcasts within a square from the node. Unlike [3], a node does not need to maintain information about a set of nodes, called Contacts, beyond the vicinity. In our scheme, a Contact is selected using location information, which further reduces communication overhead. Ideal locations of Contacts are selected first. Then, nodes closest to the ideal Contacts are selected as Contacts. For instance, in fig. 1, there are 8 ideal locations of Contacts, and the nodes which are closest to each ideal Contact location in each rectangle are selected as actual Contacts. Contacts of a node are called level-1 Contacts. Contacts of the Contacts are called level-2 Contacts, and so on. During a search for the attack traffic pattern in the wireless network, a node queries its Contacts, and their Contacts, and so on, up to level-D Contacts. D is called the depth-of-search.

When a Contact performs its limited broadcast, it sends queries to neighbor nodes specifying its rectangle region. When neighbor nodes receive the query, they check whether they are in the square region and whether they have already received the same query from other nodes. If they are outside the square region or they have already received the same query, they discard the query. Otherwise, they broadcast the query to their neighbors.

The attack traffic pattern is defined by the variation of packet number over time. For instance, when the number of data is m for a time window, the traffic pattern is expressed as $A = (A_1, A_2, A_3, \ldots, A_m)$. In a DoS attack, a large amount of packets is generated towards the victim. For instance, -5 pps of SYN packets are generated []. However, in the normal case, only one SYN packet is generated per connection. Accordingly, a large amount of SYN packets can be suspected as an attack. The queried nodes are asked to perform a TPM to determine the correlation coefficient between two traffic patterns (A,B). In case the correlation coefficient of (A,B) is high (greater than 0.7), the traffic A is said to match traffic B (fig. 2).

For instance, when the traffic pattern observed at node is given as L (,,, N ), and the traffic pattern observed at node is L (m,m,,m N ), the correlation coefficient is obtained as follows.

r( A, B) S S where, S S A)( L A) B) ( k) B) (Eq.) (Eq.3), and A & B is the average of data, L and L.

[Figure 1] Location-based Contact selection (Contacts 1 to 8 placed at locations (X,Y) around the node)

We propose to use TVM to complement the traffic pattern matching. We define that traffic volume is matching between two points when L and L show similar traffic volume size. Mathematically, we use the following equation (least-squares method) to know the matching level.

a N k N k (Eq.4)

When a is close to 1, the traffic volume is matching. Traffic volume matching is necessary for correct traceback in MANET, since other nodes can show a high correlation coefficient under heavy background traffic. By checking the TVM level as well as the TPM level (we call this matching-in-depth), we can reduce false positives in our traceback. Note that mere traffic volume matching is also not enough, since traffic volume can fluctuate, showing different traffic volume at each node depending on background traffic.

3.3 Mechanism Description

Each node monitors the traffic pattern/volume for a certain time window. The time varies based on the attack type. A node keeps only the variance of packet number over time, which reduces the processing load.

[Figure 2] Traffic pattern based traceback (attacker, victim)

We describe the traceback scheme as follows:

(1) When a victim node, s, detects an attack such as SYN flooding at the application level, it sends a query to nodes within its vicinity and to level-1 Contacts, specifying a depth of search (D) which is large enough to detect an attacker. We use greedy forwarding to send a query to a Contact. In case of a local maximum, perimeter mode [3] is used to take a detour.
(2) In case a traffic pattern/volume matching report is observed by the victim and other nodes, the first step of the trace is completed. For instance, we send a query to 3 level-1 Contacts around the victim (Fig. 3). Then, one level-1 Contact reports that some of its vicinity nodes observed a matching traffic pattern/volume.

[Figure 3] Queries to level- Contacts (Level-1, Level-2, attack route, route of X)

(3) Next, only the Contacts that observe matching traffic patterns in their vicinity send the next level query to level-2 Contacts, with the path from the victim, after reducing D by 1. Other Contacts stop forwarding the query (in-network processing). In doing so, we can perform directional expanded ring search.
(4) When there are no more Contact reports, the last Contact reports the complete attack route to the victim (Fig. 4). Our scheme is based on majority node report. That is, even if some nodes move out from the attack route, we can still find an attack route.

Response after tracing back the attacker may include filtering, rate limiting, re-organizing to preclude the compromised node, or blacklisting.

[Figure 4] Attack route

[Figure 5] Sample traffic pattern comparison between attacker and victim (axes: number of packets vs. time (s); series: attacker traffic, victim traffic)

4 SIMULATION RESULTS

We performed simulation to investigate the design space parameters and evaluate the performance of our protocol. We put nodes in m x m areas and transmission range is taken as 5m. We used greedy forwarding as a routing protocol. Note that our scheme is generally applicable to other ad hoc routing protocols (e.g., DSR, AODV). As attack traffic, we used SYN packets and pps traffic was generated from attacker to victim. Geographic locations of all nodes are randomly chosen inside the region. Background traffic is generated randomly among [,] pps. Since background traffic can impact the correct traceback of the attacker, we varied the number of senders that generate SYN packets in a given time window and evaluated the impact of background traffic on correct traceback.

Figure 5 shows the traffic pattern taken at the attacker and victim node. A random number of background SYN traffic is generated by randomly chosen 5% of total nodes (i.e., 5 nodes) at every second. A traffic sample is taken every second. At second, we can observe a sudden SYN packet increase. We have sampled the traffic pattern when it goes up more than packets (Th up ) per second. When the traffic goes down below (Th up /), we stopped sampling the traffic pattern. In figure 4, we can observe a very similar traffic pattern between victim node and attacker node.

Figure 6 shows the successful traceback rate with small background traffic (e.g., up to 4% of nodes generate background traffic). It shows a 100% traceback success rate with only the TPM method. The correlation coefficient of intermediate nodes located between attacker and victim node shows a high value over 0.9 (fig. 7). In this case, background traffic volume is very low, so we could obtain high correlation between the victim node and intermediate nodes. In addition, no other node vicinities showed a high correlation coefficient (greater than 0.7) except the nodes which the attacker's packets have traversed.

[Figure 6] Success rate with low background traffic

[Figure 7] Correlation coefficient with low background traffic
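The matching-in-depth test of section 3.2, as an added example that is not code from the paper. The paper's equations did not survive on this page, so the Pearson coefficient stands in for the TPM correlation and a through-origin least-squares slope for the TVM value a; those two choices, the 0.5 to 1.5 slope bounds and all sample packet counts are assumptions constructed here.

```python
from math import sqrt

TPM_THRESHOLD = 0.7        # page: patterns match when the correlation exceeds 0.7
TVM_BOUNDS = (0.5, 1.5)    # assumed bounds around a = 1; tune to background volume


def correlation(a, b):
    """Pearson correlation of two equal-length packet-count series (assumed TPM metric)."""
    n = len(a)
    if n != len(b) or n < 2:
        raise ValueError("series must have the same length (at least 2 slots)")
    mean_a, mean_b = sum(a) / n, sum(b) / n
    s_ab = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    s_aa = sum((x - mean_a) ** 2 for x in a)
    s_bb = sum((y - mean_b) ** 2 for y in b)
    if s_aa == 0 or s_bb == 0:
        return 0.0         # a flat series carries no pattern to match
    return s_ab / sqrt(s_aa * s_bb)


def volume_slope(victim, node):
    """Least-squares slope a of node ~= a * victim through the origin (assumed TVM metric)."""
    denom = sum(v * v for v in victim)
    return sum(v * x for v, x in zip(victim, node)) / denom if denom else 0.0


def matching_in_depth(victim, node):
    """Return (tpm_ok, tvm_ok, r, a) for one queried node."""
    r = correlation(victim, node)
    a = volume_slope(victim, node)
    low, high = TVM_BOUNDS
    return r > TPM_THRESHOLD, low < a < high, r, a


def nodes_on_route(victim, observations):
    """Node ids whose observed series pass both TPM and TVM."""
    return sorted(
        node for node, series in observations.items()
        if all(matching_in_depth(victim, series)[:2])
    )


# Constructed sample: SYN packets per one-second slot during the attack window.
VICTIM = [3, 5, 4, 60, 110, 120, 115, 40, 6, 4]
OBSERVED = {
    "on_route":  [2, 6, 5, 58, 112, 118, 117, 42, 5, 3],         # forwards the attack flow
    "busy_node": [40, 45, 50, 150, 260, 280, 270, 130, 55, 48],  # heavy background, same shape
    "quiet":     [4, 2, 6, 3, 5, 4, 2, 6, 3, 5],                 # unrelated light traffic
}

if __name__ == "__main__":
    for name, series in OBSERVED.items():
        tpm, tvm, r, a = matching_in_depth(VICTIM, series)
        print(f"{name:10s} r={r:.3f} a={a:.3f} TPM={tpm} TVM={tvm}")
    print("reported as on the attack route:", nodes_on_route(VICTIM, OBSERVED))
```

The busy node passes TPM on shape alone and is rejected only by the volume check, which is the false positive the paper attributes to heavy background traffic.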
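Steps (1) to (4) of section 3.3 as a pruned level-by-level search, added here as an example and not the paper's simulator. The Contact tree, vicinity sets and node names are constructed; Contact selection by location and greedy forwarding are left out, and overhead is counted as Contacts queried rather than Tx+Rx packets.

```python
from collections import deque


def directional_search(victim, contacts, vicinity, matching, depth, prune=True):
    """Query Contacts level by level; return (reports, queried).

    contacts[x]  -> Contacts selected by node x
    vicinity[c]  -> nodes reached by Contact c's limited broadcast
    matching     -> nodes whose observed traffic passed TPM/TVM
    With prune=True only Contacts that saw a match forward the query
    (in-network processing); prune=False expands every Contact.
    """
    reports, queried, seen = [], [], {victim}
    frontier = deque((c, depth, [victim]) for c in contacts.get(victim, []))
    while frontier:
        contact, d, path = frontier.popleft()
        if d <= 0 or contact in seen:
            continue
        seen.add(contact)
        queried.append(contact)
        hits = sorted(vicinity.get(contact, set()) & matching)
        route = path + [contact]
        if hits:
            reports.append((route, hits))
        if hits or not prune:
            # The next-level query carries the path so far and the depth reduced by 1.
            frontier.extend((nxt, d - 1, route) for nxt in contacts.get(contact, []))
    return reports, queried


def attack_route(reports):
    """Path carried by the deepest reporting Contact (the last report to the victim)."""
    return max((route for route, _ in reports), key=len, default=[])


# Constructed topology: victim V with 3 level-1 Contacts, as in the page's example.
CONTACTS = {
    "V": ["C1", "C2", "C3"],
    "C1": ["C11", "C12"], "C2": ["C21", "C22"], "C3": ["C31", "C32"],
    "C11": ["C111"], "C12": ["C121"], "C21": ["C211"],
    "C22": ["C221", "C222"], "C31": ["C311"], "C32": ["C321"],
}
VICINITY = {
    "C1": {"n1", "n2"}, "C2": {"r1", "n3"}, "C3": {"n4"}, "C21": {"n5"},
    "C22": {"r2", "r3"}, "C221": {"attacker", "n6"}, "C222": {"n7"},
}
MATCHING = {"r1", "r2", "r3", "attacker"}   # nodes that reported a TPM/TVM match

if __name__ == "__main__":
    reports, pruned = directional_search("V", CONTACTS, VICINITY, MATCHING, depth=3)
    _, unpruned = directional_search("V", CONTACTS, VICINITY, MATCHING, depth=3, prune=False)
    print("attack route via Contacts:", " -> ".join(attack_route(reports)))
    print("Contacts queried:", len(pruned), "directional vs", len(unpruned), "unpruned")
```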

Figure 8 shows the traceback success rate when varying a rather high volume of background traffic. In this case, traffic volume matching becomes necessary, since other nodes show high correlation due to heavy background traffic. In case of using only the TPM method, the traceback success rate goes down as background traffic increases.

[Figure 8] Success rate with high background traffic (axes: traceback success rate vs. sender number)

It is because of the clustering effect, as shown in figure 9. Both clusterings show a high correlation coefficient.

[Figure 9] Traffic volume correlation (axes: traffic pattern at intermediate nodes vs. traffic pattern at victim)

We can separate the clustering by traffic volume matching using equation (4). We set .5 < r < .5 (the proper value of the low bound and high bound depends on background traffic volume). Note that this is computationally much lighter compared to clustering algorithms such as the K-means method []. Our simulation showed that by using both TPM and TVM, the traceback success rate becomes 100%.

We compared our proposed scheme to flooding in terms of query overhead. Figure 10 shows the query traffic generated. m x m area, nodes, and 8 meter transmission range was used in the simulation. Overhead includes transmission as well as reception packet number. As we can expect, our query scheme incurs much less overhead, since our scheme performs directional expanded ring search. As network size becomes bigger, the difference becomes significant.

[Figure 10] Overhead comparison (axes: overhead (Tx+Rx pkts) vs. network size (nodes); series: Flooding, Directional expanded ring)

5 CONCLUSIONS AND FUTURE WORK

Our Contact-based DoS attacker traceback mechanism in MANET has the following advantages:

(I) By using Contacts/directional expanded-ring-search/in-network processing, we can effectively reduce communication overhead to trace an attacker.
(II) Using the traffic pattern enables us to find attack routes efficiently with reduced processing load even if the node address is spoofed.
(III) Even under mobility of intermediate nodes, we can trace back by utilizing less mobile nodes along the attack route.

In the future, we will perform simulation with different mobility models to verify the efficiency of our scheme under dynamic topology change.

[REFERENCES]
[1] H. Burch, et al., Tracing Anonymous Packets to Their Approximate Source, Proc. USENIX LISA Conf., pp.39-37, Dec.
[2] V. Guralnik and G. Karypis, Workshop on Data Mining in Bioinformatics () 73-8
[3] A. Helmy, et al., A Contact-based Architecture for Resource Discovery in Ad Hoc Networks, ACM Baltzer MONET Journal, 4
[4] B. Karp, T. Kung, GPSR: Greedy Perimeter Stateless Routing for Wireless Networks, ACM Mobicom, Aug.
[5] G. Mansfield, et al., Towards trapping wily intruders in the large, Computer Networks, Vol.34, pp.65-67,
[6] Alex C. Snoeren, et al., Hash-Based IP Traceback, ACM SIGCOMM,
[7] Stefan Savage, et al., Practical Network Support for IP Traceback, ACM SIGCOMM,