Using honeynodes for defense against jamming attacks in wireless infrastructure-based networks
Sudip Misra, Sanjay K. Dhurandher, Avanish Rayankula, Deepansh Agrawal
Advisor: Professor Frank Y.S. Lin
Presented by J.W. Wang
NTU OPLab

About this paper
• Authors: Sudip Misra, Sanjay K. Dhurandher, Avanish Rayankula, Deepansh Agrawal
• Title: Using honeynodes for defense against jamming attacks in wireless infrastructure-based networks
• Provenance: Computers & Electrical Engineering, Volume 36, Issue 2, March 2010, Pages 367-382
2010/5/11

Agenda
• Introduction
• Existing techniques
• Proposed solution
• Simulation
• Conclusions
• Comments

Introduction
• New medium, new attack
• Jamming
  ▫ Blocking of a communication channel
  ▫ A subclass of the Denial-of-Service (DoS) attacks
  ▫ One of the most feared forms of attacks in wireless networks

Introduction (cont’)
• Research topic:
  ▫ Mitigation
  ▫ Prevention
• Categories of wireless network:
  ▫ Wireless infrastructure-based networks (i.e., WLANs and cellular networks)
  ▫ Infrastructure-less networks (i.e., ad hoc networks)

Wireless infrastructure-based networks
• Components:
  ▫ Base-stations (or access points)
  ▫ Mobile nodes
• This work is restricted to jamming attacks in wireless infrastructure-based networks.

Objective of this work
• Propose an efficient algorithm to mitigate jamming attacks in wireless infrastructure-based networks.
• Provide an efficient solution that can be easily incorporated in the existing network architecture.
• Achieve better robustness than the widely used Channel Surfing Algorithm by using honeynodes along with dynamic channel prediction in wireless infrastructure networks.

Jamming-based DoS attacks
• Prevent networked nodes from communicating.
• Carried out with a “jammer”.
• Classifications of jamming attacks:
  ▫ Physical layer jamming
  ▫ By ignoring MAC layer rules

Jamming methods
• Constant: Continuously sends random bits of data onto a channel.
• Deceptive: Sends out valid packets at a very fast rate to the nearby nodes. Authentic nodes are thus deceived into believing that the jammer is also a legitimate node.
• Random: This kind of jammer alternates between sleeping and jamming the channel of operation.
• Reactive: This kind of jammer attacks only when it hears communication over the channel it is currently scanning.

Parameters in attack detection
• Signal-to-Noise Ratio (SNR):
  ▫ SNR refers to the ratio of signal power to the power of noise present in the received signal.
• Packet Delivery Ratio (PDR):
  ▫ The ratio of the number of packets that were successfully delivered to their respective destination to the total number of packets sent out by the node.
• Carrier Sense Time

Steps of tackling jamming attacks
• Attack detection:
  ▫ The physical layer
  ▫ The MAC layer
• Attack mitigation:
  ▫ Overcome the effects of the attack.
• Attack prevention (seldom included):
  ▫ Prevent the occurrence of an attack on the network.

Existing techniques
• Channel Surfing
• Spatial Retreats
• Using Wormholes
• Jammed region mapping
• Spread Spectrum Techniques

Channel Surfing
• A spectral evasion mechanism:
  ▫ Move to a different channel of operation.
• On detection of an attack, the nodes:
  ▫ Change the channel of operation based on a pre-defined pseudorandom sequence.
• An access point frequently sends beacons to all its associated nodes to check if they are still with it or not.

Spatial Retreats
• Based on spatial evasion:
  ▫ APs are immobile components.
  ▫ Nodes move from the region of their current AP, which is currently being jammed, to the region of an emergency AP.
• While moving away:
  ▫ The node tries to connect to its jammed AP.

Using Wormholes
• Two or more attackers act as a single attacker through a coordinated attack mechanism.
• With the help of a special communication link (wormhole).
• A similar mechanism: when some nodes in a network are jammed, they:
  ▫ Communicate through an un-jammed medium.
  ▫ Afterward, attack mitigation follows.

Jammed region mapping
• Mapping out the jammed region with a protocol.
• Based on the responses received by the nodes which lie on the boundary of the jammed region.
• Mitigate the impact of a jammer by identifying and isolating the jammed region, and then trying to determine alternate routing paths for the data packets.

Spread Spectrum Techniques
• Traditional techniques:
  ▫ Push maximum traffic into the minimum amount of bandwidth.
• Spread Spectrum:
  ▫ Spreads the signal over a range of bandwidth in the widest possible manner.
  ▫ Makes the communication very hard to detect and jam.

Limitations of the existing techniques
• Attack detection.
• Most of the jamming attacks detected are false alarms.
• Some of the solutions allow a portion of the network to become inoperable.
  ▫ These are not very popular, as they affect the connectivity of the jammed nodes.

Limitations of the existing techniques (cont’)
• Spatial Retreats
  ▫ Involves physically moving
  ▫ Restricts the mobility of the nodes
• Wormholes
  ▫ Requires an additional secure channel between all node pairs
• Spread spectrum
  ▫ Extra costs for small quantity of information
  ▫ High complexity

Limitations of the existing techniques (cont’)
• A missing aspect:
  ▫ No prevention mechanisms.

Proposed solution
• Providing a mechanism for attack prevention
• Can be easily integrated into the existing network architecture

Network Architecture
• Involves the following components:
  ▫ Base-station
  ▫ Mobile nodes
  ▫ Honeynodes
• The honeynode is the only new component added to the existing infrastructure.

Honeynodes
• Secondary interfaces on base-stations
• Guard the frequency of operation by:
  ▫ Sending out fake signals on a nearby frequency
  ▫ Preventing attacks by deceiving the attacking entity into attacking the honeynode.
[Figure labels: Base Station 2405 MHz; Honeynode 2400 MHz; Jammer scans the channel]

Algorithm for proposed mechanism
• If a mobile node or base-station detects an attack, it:
  ▫ Changes its frequency of operation based on a pseudorandom sequence.
• If the honeynode detects an attack, it:
  ▫ Continues to send signals on that channel
  ▫ Informs the base-station of the impending attack
• Then the base-station issues a frequency change command to all its associated nodes.
• Later on, the honeynode switches its frequency of operation to the new guard frequency.

Contributions
• Introduced honeynodes into the network architecture
• Eliminates the possibility of base station jamming
• Base station jamming can occur only when:
  ▫ base stations move from one frequency of operation to another.
[Figure labels: Base Station 2405 MHz; Honeynode 2400 MHz; Jammer 1; Base Station 2430 MHz; Hop; Run; Jamming; Jammer 2]

Contributions (cont’)
• Secondly, they used a hybrid proactive and reactive frequency selection algorithm.
• Proactive mechanisms:
  ▫ Based on a pre-defined pseudorandom sequence
• Reactive mechanisms:
  ▫ Determine the next frequency of operation dynamically
• While proactive mechanisms are fast, reactive mechanisms give better performance.

Contributions (cont’)
• A major constraint on a reactive mechanism:
  ▫ Requires an un-jammed communication link between all participating nodes
• We employ a hybrid technique which follows the
  ▫ proactive approach when mobile nodes or base stations are jammed
  ▫ reactive mechanism in case the honeynode detects an attack.

[Figure: Attacker’s behavior]

Hybrid frequency selection algorithm
• When normal nodes, i.e., mobile nodes and base-stations, detect an attack,
  ▫ They use a pre-defined pseudorandom sequence for the selection of the next frequency.
  ▫ This sequence is known to every “legal” node that is present on the network.
  ▫ A reactive approach cannot be used in such a case because the regular communication channel would be under attack.

Hybrid frequency selection algorithm (cont’)
• When a honeynode detects an attack,
  ▫ it alerts the base-station it is attached to about the imminent attack.
• The base station
  ▫ Maintains a “blacklist” of all frequencies recently jammed.
  ▫ On receiving an alert from the honeynode, it selects a frequency that is farthest away from any blacklisted frequency amongst the list of available frequencies.

Hybrid frequency selection algorithm (cont’)
• When an attack is detected on a frequency
  ▫ It is added to the “blacklist” of jammed frequencies for a time equal to risk_time.
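
The hybrid selection described on the preceding slides, as an added Python sketch (not code from the paper or the presenter). The class and method names, the HMAC-derived hop sequence standing in for the "pre-defined pseudorandom sequence", the tie-break rule and the 5 MHz channel plan are assumptions made for illustration.

```python
import hashlib
import hmac

class HybridSelector:
    """Hybrid proactive/reactive channel selection (added sketch, names assumed)."""

    def __init__(self, channels, shared_key, risk_time):
        self.channels = sorted(channels)   # available frequencies, MHz
        self.key = shared_key              # secret known to every legal node
        self.risk_time = risk_time         # seconds a jammed frequency stays blacklisted
        self.blacklist = {}                # frequency -> time it was reported jammed
        self.hops = 0                      # hop counter, assumed in step on all nodes

    def proactive_next(self, current):
        # Mobile node or base station jammed: no link to coordinate over, so
        # each legal node derives the same next channel from the shared sequence.
        self.hops += 1
        mac = hmac.new(self.key, self.hops.to_bytes(4, "big"), hashlib.sha256)
        idx = int.from_bytes(mac.digest()[:4], "big") % len(self.channels)
        if self.channels[idx] == current:  # never "hop" onto the jammed channel
            idx = (idx + 1) % len(self.channels)
        return self.channels[idx]

    def reactive_next(self, current, jammed, now):
        # Honeynode alert: the data channel still works, so the base station
        # chooses dynamically and then commands its nodes to follow.
        self.blacklist[jammed] = now
        # Entries older than risk_time drop off the blacklist.
        self.blacklist = {f: t for f, t in self.blacklist.items()
                          if now - t < self.risk_time}
        candidates = [f for f in self.channels
                      if f not in self.blacklist and f != current]
        if not candidates:                 # nothing safe left: fall back to the sequence
            return self.proactive_next(current)
        # Farthest from the nearest blacklisted frequency; ties go to the lower one.
        return max(candidates,
                   key=lambda f: (min(abs(f - b) for b in self.blacklist), -f))

def demo():
    chans = range(2405, 2485, 5)           # constructed channel plan, 2405..2480 MHz
    bs = HybridSelector(chans, b"constructed-key", risk_time=30)
    first = bs.reactive_next(current=2405, jammed=2400, now=0)
    second = bs.reactive_next(current=first, jammed=2475, now=10)
    third = bs.reactive_next(current=second, jammed=2430, now=45)  # older entries expired
    return first, second, third
```

In `demo()` the third alert arrives after `risk_time` has passed for the first two reports, so only 2430 MHz is still blacklisted when the next frequency is chosen.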

Attack scenarios and respective defence strategies
• Scenario 1: Only communicating mobile nodes are jammed.
• Scenario 2: Mobile nodes and base-station are jammed.
• Scenario 3: Honeynode is jammed.

[Figure: Only communicating mobile nodes are jammed]
[Figure: Both mobile nodes and base-station are jammed]
[Figure: Honeynode is jammed]

Simulation
• To determine how effective the proposed algorithm is, this work simulated it along with the Channel Surfing Algorithm, to compare their respective performance under similar conditions.

Simulation topology
• Four BSs
• Each BS has seven associated nodes.
• The BSs are connected to each other through a wired distribution system.
• During the simulations, communications were set up randomly between various nodes.
• Jammers were introduced into the scene and the performance metrics measured for various attack intensities.

Simulation topology (cont’)
• Simulations were performed with 1 to 3 jammers.
• To vary the attack intensity,
  ▫ they positioned jammers around one of the base-stations (base-station 1 in the figure).
• Performance of the algorithm was tested on how effectively the nodes could communicate (e.g. PDR).

Assumptions
• The following assumptions were made about the jammer:
  ▫ Jamming was carried out by sending large packets at a very fast rate.
  ▫ When a jammer transmits the signal on a given frequency channel, no other communication can take place on that channel till the attack ceases to exist.
  ▫ The jammer scans frequencies in a linear fashion.
  ▫ Mobility of a jammer is restricted to the region of the first base station (the one shown to be jammed in Fig. 14).

Assumptions (cont’)
• The following assumptions were made about honeynodes, mobile nodes and base station:
  ▫ The honeynode interface is assumed to be capable of communicating with the associated base-station, irrespective of the jam status of either (both of them are interfaces of the same node).
  ▫ All channel hops are assumed to be made instantaneously.
  ▫ Mobile nodes were kept stationary, in order to prevent packet loss due to disassociation of nodes from the access point (due to the node moving out of range of the access point) affecting the performance analysis of the jamming attack mitigation algorithm.

System Parameters
Parameter                      Description
Simulation area (m²)           Physical dimensions of the network topology
Transmission range (m)         Of BSs
Packet rate (kbps)             Of MNs
Packet size (bytes)            Of MNs
Frequency hop time (ms)        Time taken to change the channel of operation
Number of base stations        More BSs, more honeynodes
Number of attackers            To achieve different attack intensities
Jammer configuration           Including jam packet rate, jam packet size, transmission power
Channel sense time (ms)        The time the jammer takes to listen to the current channel
Number of available channels
Overall simulation time

Results and discussion
• The following metrics were considered for analyzing the performance of the proposed scheme:
  ▫ Packet delivery ratio.
  ▫ Jammed duration versus the simulation time.
  ▫ Jammed duration versus the number of jammers.
  ▫ Control message overhead.
  ▫ Number of channel reconfigurations.

Packet delivery ratio
• Channel Surfing algorithm:
  ▫ A decrease in the packet delivery ratio up to a certain point at the beginning, after which it was nearly constant.
• Proposed algorithm:
  ▫ Consistently better and nearly constant performance

Jammed duration vs. the simulation time
• Channel Surfing algorithm:
  ▫ Jammed duration grows with simulation time
• Proposed algorithm:
  ▫ Independent of simulation time

Jammed duration vs. the number of jammers
• Note: Simulation time: 100 s
• Channel Surfing algorithm:
  ▫ Performance decreases, till the point where it is nearly the same as that of Channel Surfing algorithm, as the number of jammers increases.
• Proposed algorithm:

Control message overhead
• Channel Surfing algorithm:
  ▫ Reduces network performance marginally, over Channel Surfing Algorithm, as simulation time is increased.
• Proposed algorithm:
  ▫ Less overhead

Number of channel reconfigurations
• Channel Surfing algorithm:
  ▫ A marginal increase can be observed in the number of frequency hops as simulation time increases.
• Proposed algorithm:
  ▫ Fewer frequency hops

Conclusions
• The proposed algorithm performed consistently better than the Channel Surfing Algorithm, with the worst case performance being the same as that of Channel Surfing.
• However, as the attack intensity increases, the performance of the proposed strategy declines gradually till it converges to the same performance level as that of Channel Surfing.
• They explored the feasibility of implementing pre-emptive channel hopping within 802.11 to protect legitimate communication from jamming.

Comments
Limited attacker-defender scenario
• Position of BSs
• Number of normal nodes
• Number of jammers (intensity)
• Mobility:
  ▫ Attacker’s mobility is limited to the range of the 1st BS
  ▫ Mobile nodes are stationary
• Attack approach:
  ▫ Reactive method
  ▫ Keep jamming till there are no communications on the channel.
  ▫ Linear channel search

Limited attacker-defender scenario (cont’)
[Figure labels: Base Station 2405 MHz; Honeynode 2400 MHz; Jammer; Jamming; Base Station 2425 MHz; Honeynode 2420 MHz; Jammer; Jamming; Random Scan]

The End
• Thanks for your attention.