20100511_Using Honeynodes for Defense Against Jamming Attacks in Wireless Infrastructure-based Networks

7/30/2019 20100511_Using Honeynodes for Defense Against Jamming Attacks in Wireless Infrastructure-based Networks

1/73


2/73

About this paper

Authors:Sudip Misra, Sanjay K. Dhurandher, Avanish Rayankula, Deepansh

Agrawal

Title:Using honeynodes for defense against jamming attacks in wireless

infrastructure-based networks,

Provenance:Computers & Electrical Engineering, Volume 36, Issue 2, March 2010,

Pages 367-382,

2010/5/11

2

NTU OPLab


3/73

Agenda

Introduction

Existing techniques

Proposed solution

Simulation

Conclusions

Comments

2010/5/11

3

NTU OPLab


4/73

Introduction


5/73

Introduction

New medium, new attack

Jamming Blocking of a communication channel

A subclass of the Denial-of-Service(DoS) attacks

One of the most feared forms of attacks in wireless networks

2010/5/11

5

NTU OPLab


6/73

Introduction(cont)

Research topic:

Mitigation

Prevention

Categories of wireless network:

Wireless infrastructure-based networks(i.e., WLANs and cellular

networks) Infrastructure-less networks(i.e., ad hoc networks).

2010/5/11

6

NTU OPLab


7/73

Wireless infrastructure-based networks

Components:

Base-stations(or access

points) Mobile nodes

This work is restricted to jamming

attacks in wireless infrastructure-

based networks.

2010/5/11

7

NTU OPLab


8/73

Objective of this work

Propose an efficient algorithm to mitigate jamming attacks in

wireless infrastructure-based networks.

Provide an efficient solution that can be easily incorporated in

the existing network architecture

Achieve better robustness than the widely used ChannelSurfing Algorithm by using honeynodes along with dynamic

channel prediction in wireless infrastructure networks

2010/5/11

8

NTU OPLab


9/73

Jamming-based DoS attacks Prevent networked nodes from

communicating.

Carry out with a jammer

Classifications of jamming

attacks:

Physical layer jamming By ignoring MAC layer rules

2010/5/11

9

NTU OPLab


10/73

Jamming methods

Constant:

Continuously sends random bits of data onto a channel.

Deceptive:Sends out valid packets at a very fast rate to the nearby nodes.

Authentic nodes are thus deceived into believing that the jammer is

also a legitimate node.

Random:

This kind of jammer alternates between sleeping and jamming the

channel of operation.

Reactive:

This kind of jammer attacks only when it hears communication over

the channel it is currently scanning.

2010/5/11

10

NTU OPLab


11/73

Jamming methods(cont)

2010/5/11

11

NTU OPLab


12/73

Parameters in attack detection

Signal-to-Noise Ratio (SNR):

SNR refers to the ratio of signal power to the power of noise present in

the received signal.

Packet Delivery Ratio (PDR):

The ratio of number of packets that were successfully delivered to their

respective destination to the total number of packets sent out by the

node.

Carrier Sense Time

2010/5/11

12

NTU OPLab


13/73

Parameters in attack detection(cont)

2010/5/11

13

NTU OPLab


14/73

Parameters in attack detection(cont)

2010/5/11

14

NTU OPLab


15/73

Steps of tackling jamming attacks

Attack detection:

The Physical-layer.

The MAC-layer

Attack mitigation:

Overcome the effects of the attack.

Attack prevention(seldom included):

Prevent the occurrence of an attack on the network.

2010/5/11

15

NTU OPLab


16/73

Existing techniques


17/73

Existing techniques

Channel Surfing

Spatial Retreats

Using Wormholes

Jammed region mapping

Spread Spectrum Techniques

2010/5/11

17

NTU OPLab

8


18/73

Channel Surfing

A spectral evasion mechanism:

Move to a different channel of operation.

On detection of an attack, the nodes:

Change the channel of operation based on a pre-defined pseudorandom

sequence.

An access point frequently sends beacons to all its associated

nodes to check if they are still with it or not.

2010/5/11

18

NTU OPLab


19/73

Channel Surfing(cont)

2010/5/11

19

NTU OPLab

20


20/73

Spatial Retreats

Based on spatial evasion:

AP are immobile components

Move from the region of their current AP which is currently beingjammedto the region of an emergency AP.

While moving away:

The nodes tries to connect to its jammed AP.

2010/5/11

20

NTU OPLab

21


21/73

Using Wormholes

Two or more attackers act as a single attacker through a

coordinated attack mechanism.

With the help of a special communication link(worm hole).

A similar mechanism, when there are some nodes are jammed

in a network, they: Communicates through an un-jammed medium

Afterward, an attack mitigation followed.

2010/5/11

21

NTU OPLab

22


22/73

Jammed region mapping

Mapping out the jammed region with a protocol.

Based on the responses received by the nodes which lie on theboundary of the jammed region.

Mitigate the impact of a jammer by identifying and isolatingthe

jammed region, and then trying to determine alternate routing pathsfor the data packets.

2010/5/11

22

NTU OPLab

23


23/73

Spread Spectrum Techniques

Traditional techniques:

Push maximum traffic into the minimum amount of bandwidth

Spread Spectrum:

Spreads the signal over a range of bandwidth in the widest

possible manner.

Makes the communication very hard to be detected and jammed.

2010/5/11

23

NTU OPLab

24


24/73

Limitations of the existing techniques

Attack detection.

Most of the jamming attacks detected arefalse alarms

Some of the solutions allows a portion of the network to

become inoperable.

These are not very popular, as they affect the connectivity of the jammed nodes

2010/5/11

24

NTU OPLab

25


25/73

Limitations of the existing techniques(cont)

Spatial Retreats

Involvesphysically moving

Restricts the mobility of the nodes.

Wormholes

Requires an additional secure channel between all node pairs

Spread spectrum

Extra costs for small quantity of information

High complexity

2010/5/11

25

NTU OPLab

26


26/73

Limitations of the existing techniques(cont)

A missing aspect:

No prevention mechanisms.

2010/5/11

26

NTU OPLab


27/73

Proposed solution

28


28/73

Proposed solution

Providing a mechanism for attack prevention

Can be easily integrated into the existing network architecture

2010/5/11

28

NTU OPLab

29


29/73

Network Architecture Involve following components:

Base-station

Mobile nodes

Honeynodes

Honeynode is the only new

component added to the existing

infrastructure.

2010/5/11

29

NTU OPLab

30


30/73

Honeynodes Secondary interfaces on base-

stations

Guard the frequency of

operation by:

Send out fake signals on a nearby

frequency

Prevent the attacks by deceivingthe attacking entity to attack the

honeynode.

2010/5/11

30

2405MHzBase Station

2400 MHzHoneynode

Jammer scansthe channel

NTU OPLab

31


31/73

Algorithm for proposed mechanism

If the mobile nodes or base-stations detects an attack, it:

changes its frequency of operation based on a pseudorandom

sequence.

If the honeynode detects an attack, it:

Continues to send signals on that channel

Informs the base-station of the impending attack Then the base-station issues afrequency change commandto

all its associated nodes.

Later on, the honeynode switches its frequency of operation to

the new guard frequency.

2010/5/11

31

NTU OPLab

32


32/73

Algorithm for proposed mechanism(cont)

2010/5/11

32

NTU OPLab

33


33/73

Algorithm for proposed mechanism(cont)

2010/5/11

33

NTU OPLab

34


34/73

Contributions

Introduced honeynodes into

the network architecture

Eliminates the possibility

of base station jamming

Base station jamming canoccur only when:

base stations move from

one frequency of operation

to another.

2010/5/11

34

NTU OPLab

2405MHzBase Station

2400 MHzHoneynode

Jammer 1

2430 MHzBase Station

Hop

Run

Jamming

Jammer 2

35


35/73

Contributions(cont) Secondly, they have used a hybridproactive and reactive

frequency selection algorithm for frequency selection.

Proactive mechanisms:

Based on a pre-defined pseudorandom sequence

Reactive mechanisms:

Determine the next frequency of operation dynamically

Whileproactive mechanisms arefast, reactive mechanisms

give better performance.

2010/5/11

35

NTU OPLab

36


36/73

Contributions(cont) A major constraint on a reactive mechanism:

requires an un-jammed communication linkbetween all

participating nodes

We employ a hybrid technique which follows the

proactive approach when mobile nodes or base stations are

jammed

reactive mechanism in case the honeynode detects an attack.

2010/5/11

3

NTU OPLab

37


37/73

Attackers behavior

2010/5/11

37

NTU OPLab

38


38/73

Hybrid frequency selection algorithm When normal nodes, i.e., mobile nodes and base-stations,

detect an attack,

They use a pre-defined pseudorandom sequence for the selectionof the next frequency.

This sequence is known to every legal node that is present on

the network.

A reactive approach cannot be used in such a case because

the regular communication channel would be under attack.

2010/5/11

3

NTU OPLab

39


39/73

Hybrid frequency selection algorithm(cont)

2010/5/11NTU OPLab

When a honeynode detects an attack,

it alerts the base-station it is attached to about the imminent

attack.

The base station

Maintains a blacklist of all frequencies recently jammed.

On receiving an alert from the honeynode, it selects a frequency

that isfarthest away from any blacklisted frequency amongst the

list of available frequencies.

40


40/73


When an attack is detected on a frequency

It is added to the blacklist of jammed frequencies

For time equal to risk_time.

2010/5/11NTU OPLab

41


41/73


2010/5/11NTU OPLab

42


42/73


2010/5/11NTU OPLab

43


43/73


2010/5/11NTU OPLab

44


44/73

Attack scenarios and respective defence

strategies Scenario 1: Only communicating mobile nodes are jammed.

Scenario 2: Mobile nodes and base-station are jammed.

Scenario 3: Honeynode is jammed.

2010/5/11NTU OPLab

45


45/73

Only communicating mobile nodes are

jammed

2010/5/11NTU OPLab

46


46/73

Both mobile nodes and base-station are

jammed

2010/5/11NTU OPLab

47


47/73

Honeynode is jammed

2010/5/11NTU OPLab


48/73

Simulation

49


49/73

Simulation In order to determine how effective our proposed algorithm is,

this work simulated the proposed algorithm along with the

Channel Surfing Algorithm, to compare their respectiveperformance under similar conditions.

2010/5/11NTU OPLab

50


50/73

Simulation topology Four BSs

Each BS having seven associated nodes.

The BSs connected to each other through a wired distributionsystem.

During the simulations, communications had been set up

randomly between various nodes.

Introduce jammers into the scene and measure theperformance metrics for various attack intensities.

2010/5/11NTU OPLab

51


51/73

Simulation topology(cont)

2010/5/11NTU OPLab

52


52/73

Simulation topology(cont) Simulations were performed with 1 to 3 jammers.

To achieved the purpose ofvarying attack intensities, they position jammers around one of the base-stations (base-

station 1 in the figure).

Performance of the algorithm was tested on how effectivelythe nodes could communicate(e.g. PDR).

2010/5/11NTU OPLab

53


53/73

Simulation topology(cont)

2010/5/11NTU OPLab

54


54/73

Assumptions The following assumptions were made about the Jammer:

Jamming was carried out by sending large packets at a very fast

rate. When a jammer transmits the signal on a given frequency channel,

no other communication can take place on that channel till the

attack ceases to exist.

Jammer scans frequencies in a linear fashion.

Mobility of a jammer is restricted to the region of the first base

station (the one shown to be jammed in Fig. 14)

2010/5/11NTU OPLab

55


55/73

Assumptions(cont) The following assumptions were made about honeynodes,

mobile nodes and base station:

The honeynode interface is assumed to be capable ofcommunicating with the associated base-station, irrespective of

the jam status of either (both of them are interfaces of the same

node).

All channel hops are assumed to be made instantaneously.

Mobile nodes were kept stationary, in order to prevent packet lossdue to disassociation of nodes from the access point (due to the

node moving out of range of the access point) affecting the

performance analysis of the jamming attack mitigation algorithm.

2010/5/11NTU OPLab

56


56/73

System ParametersDescription

Simulation area(m2) Physical dimensions of the network topology

Transmission range(m) Of BSs

Packet rate(kbps) Of MNs

Packet size(bytes) Of MNs

Frequency hop time(ms) Time taken to change the channel of operation

Number of base stations More BSs, more honeynodes

Number of attackers To achieve different attack intensities

Jammer configuration Including jam packet rate, jam packet size, transmission

power

Channel sense time(ms) The time jammer takes to listen to the current channel

Number of available channel

Over all simulation time

2010/5/11NTU OPLab

57


57/73

Results and discussion The following metrics were considered for analyzing the

performance of the proposed scheme:

Packet delivery ratio. Jammed duration versus the simulation time.

Jammed duration versus the number of jammers.

Control message overhead.

Number of channel reconfigurations.

2010/5/11NTU OPLab

58


58/73

Packet delivery ratio

2010/5/11NTU OPLab

59


59/73

Packet delivery ratio(cont) Channel Surfing algorithm:

A decrease in the packet delivery ratio up to a certain point at the

beginning, after which it was nearly constant.

Proposed algorithm:

Consistently better and nearly constant performance

2010/5/11NTU OPLab


60/73

61


61/73

Jammed duration vs. the simulation

time(cont) Channel Surfing algorithm:

Jammed duration grows with simulation time

Proposed algorithm:

Independent of simulation time

2010/5/11NTU OPLab

62


62/73

Jammed duration vs. the number of

jammers

2010/5/11NTU OPLab

63


63/73

Jammed duration vs. the number of

jammers(cont) Note: Simulation time: 100s

Channel Surfing algorithm:

Performance decreases, till the point where it is nearly the same as thatof Channel Surfing algorithm, as the number of jammers increased.

Proposed algorithm:

2010/5/11NTU OPLab

64


64/73

Control message overhead

2010/5/11NTU OPLab

65


65/73

Control message overhead(cont) Channel Surfing algorithm:

reduces network performance marginally, over Channel Surfing

Algorithm, as simulation time is increased.

Proposed algorithm:

Less overhead

2010/5/11NTU OPLab

66


66/73

Number of channel reconfigurations

2010/5/11NTU OPLab

67


67/73

Number of channel reconfigurations(cont)

Channel Surfing algorithm:

A marginal increase can be observed in the number of frequency as

simulation time increased.

Proposed algorithm:

Less frequency hops

2010/5/11NTU OPLab


68/73

Conclusions

69


69/73

Conclusions Proposed algorithm performed consistently better than the Channel

Surfing Algorithm, with the worst case performance being same as

that of Channel Surfing.

However, as the attack intensity increases, the performance of the

proposed strategy declines gradually till it converges to the same

performance level as that of Channel Surfing.

They explored thefeasibility of implementingpre-emptive channel

hopping within 802.11 to protect legitimate communication fromjamming.

2010/5/11NTU OPLab


70/73

Comments

71


71/73

Limited attacker-defender scenario Position of BSs

Number of normal nodes

Number of Jammers(intensity)

Mobility:

Attackers mobility is limited to the range of the 1st BS

Mobile nodes is stationary

Attack approach: Reactive method

Keep jamming till there are no communications on the channel.

Linear channel search

2010/5/11NTU OPLab

72


72/73

Limited attacker-defender scenario(cont)

2010/5/11NTU OPLab


2400 MHzHoneynode

Jammer

Jamming


2420 MHzHoneynode

Jammer

Jamming

Random

Scan

73


73/73

The End Thanks for your attention.

2010/5/11NTU OPLab

Documents

20100511_Using Honeynodes for Defense Against Jamming Attacks in Wireless Infrastructure-based Networks