Using honeynodes for defense against jamming attacks in wireless infrastructure-based networks
Sudip Misra, Sanjay K. Dhurandher, Avanish Rayankula, Deepansh Agrawal
Advisor: Professor Frank Y.S. Lin
Presented by J.W. Wang


NTU OPLab

About this paper
• Authors: Sudip Misra, Sanjay K. Dhurandher, Avanish Rayankula, Deepansh Agrawal
• Title: Using honeynodes for defense against jamming attacks in wireless infrastructure-based networks
• Provenance: Computers & Electrical Engineering, Volume 36, Issue 2, March 2010, Pages 367-382

2010/5/11

Agenda
• Introduction
• Existing techniques
• Proposed solution
• Simulation
• Conclusions
• Comments


Introduction

• New medium, new attack
• Jamming
  ▫ Blocking of a communication channel
  ▫ A subclass of Denial-of-Service (DoS) attacks
  ▫ One of the most feared forms of attack in wireless networks

Introduction (cont'd)
• Research topic:
  ▫ Mitigation
  ▫ Prevention
• Categories of wireless network:
  ▫ Wireless infrastructure-based networks (i.e., WLANs and cellular networks)
  ▫ Infrastructure-less networks (i.e., ad hoc networks)

Wireless infrastructure-based networks
• Components:
  ▫ Base-stations (or access points)
  ▫ Mobile nodes
• This work is restricted to jamming attacks in wireless infrastructure-based networks.

Objective of this work
• Propose an efficient algorithm to mitigate jamming attacks in wireless infrastructure-based networks.
• Provide an efficient solution that can be easily incorporated into the existing network architecture.
• Achieve better robustness than the widely used Channel Surfing Algorithm by using honeynodes along with dynamic channel prediction in wireless infrastructure networks.

Jamming-based DoS attacks
• Prevent networked nodes from communicating.
• Carried out with a "jammer".
• Classifications of jamming attacks:
  ▫ Physical layer jamming
  ▫ By ignoring MAC layer rules

Jamming methods
• Constant: Continuously sends random bits of data onto a channel.
• Deceptive: Sends out valid packets at a very fast rate to the nearby nodes. Authentic nodes are thus deceived into believing that the jammer is also a legitimate node.
• Random: This kind of jammer alternates between sleeping and jamming the channel of operation.
• Reactive: This kind of jammer attacks only when it hears communication over the channel it is currently scanning.


Parameters in attack detection
• Signal-to-Noise Ratio (SNR):
  ▫ SNR refers to the ratio of signal power to the power of noise present in the received signal.
• Packet Delivery Ratio (PDR):
  ▫ The ratio of the number of packets that were successfully delivered to their respective destinations to the total number of packets sent out by the node.
• Carrier Sense Time


Steps of tackling jamming attacks
• Attack detection:
  ▫ The physical layer
  ▫ The MAC layer
• Attack mitigation:
  ▫ Overcome the effects of the attack.
• Attack prevention (seldom included):
  ▫ Prevent the occurrence of an attack on the network.


Existing techniques

• Channel Surfing
• Spatial Retreats
• Using Wormholes
• Jammed region mapping
• Spread Spectrum Techniques

Channel Surfing
• A spectral evasion mechanism:
  ▫ Move to a different channel of operation.
• On detection of an attack, the nodes:
  ▫ Change the channel of operation based on a pre-defined pseudorandom sequence.
• An access point frequently sends beacons to all its associated nodes to check whether they are still with it.


Spatial Retreats
• Based on spatial evasion:
  ▫ APs are immobile components.
  ▫ Nodes move from the region of their current AP, which is currently being jammed, to the region of an emergency AP.
• While moving away:
  ▫ The node tries to connect to its jammed AP.

Using Wormholes
• Two or more attackers act as a single attacker through a coordinated attack mechanism.
• With the help of a special communication link (wormhole).
• A similar mechanism: when some nodes in a network are jammed, they:
  ▫ Communicate through an un-jammed medium.
  ▫ Afterward, attack mitigation follows.

Jammed region mapping
• Mapping out the jammed region with a protocol.
• Based on the responses received by the nodes which lie on the boundary of the jammed region.
• Mitigate the impact of a jammer by identifying and isolating the jammed region, and then trying to determine alternate routing paths for the data packets.

Spread Spectrum Techniques
• Traditional techniques:
  ▫ Push maximum traffic into the minimum amount of bandwidth
• Spread Spectrum:
  ▫ Spreads the signal over a range of bandwidth in the widest possible manner.
  ▫ Makes the communication very hard to detect and jam.

Limitations of the existing techniques
• Attack detection.
• Most of the jamming attacks detected are false alarms.
• Some of the solutions allow a portion of the network to become inoperable.
  ▫ These are not very popular, as they affect the connectivity of the jammed nodes.

Limitations of the existing techniques (cont'd)
• Spatial Retreats
  ▫ Involves physically moving
  ▫ Restricts the mobility of the nodes.
• Wormholes
  ▫ Requires an additional secure channel between all node pairs
• Spread spectrum
  ▫ Extra costs for small quantity of information
  ▫ High complexity

Limitations of the existing techniques (cont'd)
• A missing aspect:
  ▫ No prevention mechanisms.


Proposed solution

• Providing a mechanism for attack prevention
• Can be easily integrated into the existing network architecture

Network Architecture
• Involves the following components:
  ▫ Base-station
  ▫ Mobile nodes
  ▫ Honeynodes
• Honeynode is the only new component added to the existing infrastructure.

Honeynodes
• Secondary interfaces on base-stations
• Guard the frequency of operation by:
  ▫ Sending out fake signals on a nearby frequency
  ▫ Preventing attacks by deceiving the attacking entity into attacking the honeynode.
[Figure labels: Base Station, 2405 MHz; Honeynode, 2400 MHz; Jammer scans the channel]

Algorithm for proposed mechanism
• If a mobile node or base-station detects an attack, it:
  ▫ Changes its frequency of operation based on a pseudorandom sequence.
• If the honeynode detects an attack, it:
  ▫ Continues to send signals on that channel
  ▫ Informs the base-station of the impending attack
• Then the base-station issues a frequency change command to all its associated nodes.
• Later on, the honeynode switches its frequency of operation to the new guard frequency.


Contributions
• Introduced honeynodes into the network architecture
• Eliminates the possibility of base station jamming
• Base station jamming can occur only when:
  ▫ base stations move from one frequency of operation to another.
[Figure labels: Base Station, 2405 MHz; Honeynode, 2400 MHz; Jammer 1; Base Station, 2430 MHz; Jammer 2; Hop; Run; Jamming]

Contributions (cont'd)
• Secondly, they have used a hybrid proactive and reactive algorithm for frequency selection.
• Proactive mechanisms:
  ▫ Based on a pre-defined pseudorandom sequence
• Reactive mechanisms:
  ▫ Determine the next frequency of operation dynamically
• While proactive mechanisms are fast, reactive mechanisms give better performance.

Contributions (cont'd)
• A major constraint on a reactive mechanism:
  ▫ Requires an un-jammed communication link between all participating nodes
• We employ a hybrid technique which follows the
  ▫ proactive approach when mobile nodes or base stations are jammed
  ▫ reactive mechanism in case the honeynode detects an attack.


Attacker’s behavior

Hybrid frequency selection algorithm
• When normal nodes, i.e., mobile nodes and base-stations, detect an attack,
  ▫ They use a pre-defined pseudorandom sequence for the selection of the next frequency.
  ▫ This sequence is known to every "legal" node that is present on the network.
  ▫ A reactive approach cannot be used in such a case because the regular communication channel would be under attack.

Hybrid frequency selection algorithm (cont'd)
• When a honeynode detects an attack,
  ▫ it alerts the base-station it is attached to about the imminent attack.
• The base station
  ▫ Maintains a "blacklist" of all frequencies recently jammed.
  ▫ On receiving an alert from the honeynode, it selects, from the list of available frequencies, the frequency that is farthest away from any blacklisted frequency.

Hybrid frequency selection algorithm (cont'd)
• When an attack is detected on a frequency
  ▫ It is added to the "blacklist" of jammed frequencies
  ▫ For time equal to risk_time.
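
An added sketch of the base-station side of the hybrid frequency selection described above; it is not code from the paper or from this presentation. The slides specify only "a pre-defined pseudorandom sequence", so the HMAC-SHA256 counter construction, the shared key, the channel list and the timings are assumptions constructed for the example.

```python
import hashlib
import hmac


class BaseStation:
    """Proactive hop when the station itself is jammed; reactive,
    blacklist-based hop when its honeynode raises an alert."""

    def __init__(self, channels, current, shared_key, risk_time):
        if len(channels) < 2:
            raise ValueError("need at least two channels to hop")
        self.channels = sorted(channels)  # available frequencies (MHz)
        self.current = current            # frequency of operation
        self.shared_key = shared_key      # assumed pre-shared with every legal node
        self.risk_time = risk_time        # seconds a jammed frequency stays blacklisted
        self.blacklist = {}               # frequency -> expiry time
        self.hop_index = 0                # position in the pseudorandom sequence

    def _live_blacklist(self, now):
        # Entries older than risk_time are dropped before every decision.
        self.blacklist = {f: t for f, t in self.blacklist.items() if t > now}
        return set(self.blacklist)

    def proactive_hop(self, now):
        """Operating channel is jammed, so nothing can be announced: every
        legal node derives the same next frequency from the shared key."""
        self.blacklist[self.current] = now + self.risk_time
        while True:
            self.hop_index += 1
            mac = hmac.new(self.shared_key, self.hop_index.to_bytes(4, "big"),
                           hashlib.sha256).digest()
            nxt = self.channels[int.from_bytes(mac[:4], "big") % len(self.channels)]
            if nxt != self.current:
                self.current = nxt
                return nxt

    def reactive_hop(self, honeynode_freq, now):
        """Honeynode reports an attack on its guard frequency while the
        operating channel still works, so the choice can be made dynamically
        and sent to the associated nodes in a frequency change command."""
        self.blacklist[honeynode_freq] = now + self.risk_time
        banned = self._live_blacklist(now)
        candidates = [f for f in self.channels
                      if f not in banned and f != self.current]
        if not candidates:
            return self.proactive_hop(now)  # every alternative is blacklisted
        # Farthest from the nearest blacklisted frequency; ties go to the lower one.
        best = max(candidates,
                   key=lambda f: (min(abs(f - b) for b in banned), -f))
        self.current = best
        return best


def demo():
    # Constructed scenario: 17 channels, honeynode alerts at t=0, 10 and 35 s.
    bs = BaseStation(range(2400, 2485, 5), 2405, b"constructed-key", risk_time=30)
    return [bs.reactive_hop(2400, 0), bs.reactive_hop(2475, 10),
            bs.reactive_hop(2430, 35)]


if __name__ == "__main__":
    print(demo())
```

In the constructed run the third hop returns to 2400 MHz because that entry's risk_time has expired by t=35 s, while 2475 MHz is still blacklisted.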


Attack scenarios and respective defence strategies
• Scenario 1: Only communicating mobile nodes are jammed.
• Scenario 2: Mobile nodes and base-station are jammed.
• Scenario 3: Honeynode is jammed.


Only communicating mobile nodes are jammed


Both mobile nodes and base-station are jammed


Honeynode is jammed


Simulation

• In order to determine how effective the proposed algorithm is, this work simulated the proposed algorithm along with the Channel Surfing Algorithm, to compare their respective performance under similar conditions.

Simulation topology
• Four BSs
• Each BS has seven associated nodes.
• The BSs are connected to each other through a wired distribution system.
• During the simulations, communications were set up randomly between various nodes.
• Jammers are introduced into the scene and the performance metrics are measured for various attack intensities.


Simulation topology (cont'd)
• Simulations were performed with 1 to 3 jammers.
• To achieve varying attack intensities,
  ▫ they positioned jammers around one of the base-stations (base-station 1 in the figure).
• Performance of the algorithm was tested on how effectively the nodes could communicate (e.g. PDR).


Assumptions
• The following assumptions were made about the jammer:
  ▫ Jamming was carried out by sending large packets at a very fast rate.
  ▫ When a jammer transmits the signal on a given frequency channel, no other communication can take place on that channel until the attack ceases.
  ▫ The jammer scans frequencies in a linear fashion.
  ▫ Mobility of a jammer is restricted to the region of the first base station (the one shown to be jammed in Fig. 14).

Assumptions (cont'd)
• The following assumptions were made about honeynodes, mobile nodes and base stations:
  ▫ The honeynode interface is assumed to be capable of communicating with the associated base-station, irrespective of the jam status of either (both of them are interfaces of the same node).
  ▫ All channel hops are assumed to be made instantaneously.
  ▫ Mobile nodes were kept stationary, so that packet loss due to disassociation of nodes from the access point (a node moving out of range of the access point) would not affect the performance analysis of the jamming attack mitigation algorithm.

System Parameters (parameter: description)
• Simulation area (m²): Physical dimensions of the network topology
• Transmission range (m): Of BSs
• Packet rate (kbps): Of MNs
• Packet size (bytes): Of MNs
• Frequency hop time (ms): Time taken to change the channel of operation
• Number of base stations: More BSs, more honeynodes
• Number of attackers: To achieve different attack intensities
• Jammer configuration: Including jam packet rate, jam packet size, transmission power
• Channel sense time (ms): The time the jammer takes to listen to the current channel
• Number of available channels
• Overall simulation time

Results and discussion
• The following metrics were considered for analyzing the performance of the proposed scheme:
  ▫ Packet delivery ratio.
  ▫ Jammed duration versus the simulation time.
  ▫ Jammed duration versus the number of jammers.
  ▫ Control message overhead.
  ▫ Number of channel reconfigurations.


Packet delivery ratio

Packet delivery ratio (cont'd)
• Channel Surfing algorithm:
  ▫ A decrease in the packet delivery ratio up to a certain point at the beginning, after which it was nearly constant.
• Proposed algorithm:
  ▫ Consistently better and nearly constant performance


Jammed duration vs. the simulation time

Jammed duration vs. the simulation time (cont'd)
• Channel Surfing algorithm:
  ▫ Jammed duration grows with simulation time
• Proposed algorithm:
  ▫ Independent of simulation time


Jammed duration vs. the number of jammers

Jammed duration vs. the number of jammers (cont'd)
• Note: Simulation time: 100s
• Channel Surfing algorithm:
  ▫ Performance decreases, till the point where it is nearly the same as that of Channel Surfing algorithm, as the number of jammers increased.
• Proposed algorithm:


Control message overhead

Control message overhead (cont'd)
• Channel Surfing algorithm:
  ▫ reduces network performance marginally, over Channel Surfing Algorithm, as simulation time is increased.
• Proposed algorithm:
  ▫ Less overhead


Number of channel reconfigurations

Number of channel reconfigurations (cont'd)
• Channel Surfing algorithm:
  ▫ A marginal increase can be observed in the number of frequency hops as simulation time increases.
• Proposed algorithm:
  ▫ Fewer frequency hops


Conclusions

• The proposed algorithm performed consistently better than the Channel Surfing Algorithm, with the worst-case performance being the same as that of Channel Surfing.
• However, as the attack intensity increases, the performance of the proposed strategy declines gradually till it converges to the same performance level as that of Channel Surfing.
• They explored the feasibility of implementing pre-emptive channel hopping within 802.11 to protect legitimate communication from jamming.


Comments

Limited attacker-defender scenario
• Position of BSs
• Number of normal nodes
• Number of jammers (intensity)
• Mobility:
  ▫ Attacker's mobility is limited to the range of the 1st BS
  ▫ Mobile nodes are stationary
• Attack approach:
  ▫ Reactive method
  ▫ Keep jamming till there are no communications on the channel.
  ▫ Linear channel search

Limited attacker-defender scenario (cont'd)
[Figure labels: Base Station, 2405 MHz; Honeynode, 2400 MHz; Jammer; Jamming; Base Station, 2425 MHz; Honeynode, 2420 MHz; Jammer; Jamming; Random Scan]

The End
• Thanks for your attention.