
Detection of Stealthy Denial of Service (S-DoS) Attacks in Wireless Sensor Networks


Academic year: 2021


Ram Pradheep Manohar (1), E. Baburaj (2)

(1) Research Scholar, St.Peter’s University, Chennai
(2) Professor, Narayanaguru College of Engineering, Nagercoil

Abstract—Wireless sensor networks (WSNs) support and are involved in various security applications such as industrial automation, medical monitoring, homeland security and a variety of military applications. A growing body of research highlights the need for better security in these networks. New networking protocols account for the limited resources available on WSN platforms, but they must also tailor security mechanisms to those resource constraints. Existing denial of service (DoS) attacks aim at denying service to targeted legitimate node(s). In particular, this paper addresses the stealthy denial-of-service (S-DoS) attack, which aims at minimizing its visibility while being as harmful as other attacks in terms of resource usage in the wireless sensor network. The impact of Stealthy Denial of Service (S-DoS) attacks involves not only the denial of the service, but also the resource maintenance costs in terms of resource usage. Specifically, the longer the detection latency, the higher the costs incurred. Therefore, particular attention has to be paid to stealthy DoS attacks in WSNs. In this paper, we propose a new attack strategy, namely the Slowly Increasing and Decreasing under Constraint DoS Attack Strategy (SIDCAS), that leverages application vulnerabilities in order to degrade the performance of the base station in a WSN. Finally, we analyse the characteristics of the S-DoS attack against the existing Intrusion Detection System (IDS) running in the base station.

Index Terms— resource constraints, denial-of-service attack, Intrusion Detection System


I Introduction

Wireless sensor network (WSN) is a fast-growing technology that is currently attracting considerable research interest. Recent advances in this field have enabled the development of low-cost, low-power and multi-functional sensors for wireless communications and electronics that are small in size and communicate over short distances. Cheap and smart sensors, networked through wireless links and deployed in large numbers, provide extraordinary opportunities for monitoring and controlling homes, cities, and the environment. Moreover, sensor networks have a wide range of applications in the areas of defense and surveillance, generating new capabilities for reconnaissance and for other tactical applications.

Threats to a WSN can come from outside the network and from within it. An attack on a WSN is much more harmful when it originates from inside the network, and a malicious or compromised node within the network is also difficult to detect. Attacks can be classified into two types: active attacks and passive attacks. Passive attacks do not alter or modify the data, whereas active attacks do.

WSN attacks can also be classified into two broad categories: invasive and non-invasive. The targets of non-invasive attacks are timing, power and channel frequency, whereas the targets of invasive attacks are the availability of service, the transit of information, routing, etc. A Denial of Service (DoS) attack tries to make a system or service inaccessible. However, during the transmission of information, more common attacks are also encountered. Routing attacks are generally insider attacks that occur within the network.

DoS and Distributed DoS (DDoS) attacks aim at reducing service availability and performance by exhausting the resources of the base station (the service’s host system) [1]. Such attacks have particular effects in a WSN. The delay incurred by the service in diagnosing the cause of a degradation (i.e., whether it is due to an attack or to an overload) can be considered a security vulnerability. It can be exploited by attackers that aim at exhausting the base station resources and seriously degrading the Quality of Service (QoS).

A variety of conditions can trigger DoS in a WSN, and these conditions disturb the WSN nodes and the network functionality. Such conditions lead to resource exhaustion, software bugs, or other complications created in the application during its interaction with the infrastructure, and hence the normal routines of the network are disturbed. Conditions that hinder the network functionality are called DoS, as they affect the availability or the entire functionality of a service; when they are caused intentionally by an adversary, they are called DoS attacks.

Many techniques have been proposed for the detection of DDoS attacks in distributed environments. Security prevention mechanisms usually use approaches based on rate-controlling, time-window, worst-case threshold, and pattern-matching methods to discriminate between nominal system operation and malicious behaviors [2]. But attackers are aware of the presence of such protection mechanisms. Hence they attempt to perform their activities in a stealthy manner, by planning and coordinating the attack, in order to escape the security mechanisms. Timing attack patterns leverage specific weaknesses of the target systems [3]. They are carried out by directing flows of legitimate service requests against a specific base station at such a low rate that they evade the DDoS detection mechanisms and elongate the attack latency, i.e., the amount of time during which the intruder attacking the system remains undetected.

The proposed attack strategy, namely the Slowly Increasing and Decreasing under Constraint DoS Attack Strategy (SIDCAS), leverages application vulnerabilities in order to degrade the performance of the base station in a WSN. The term under constraint is inspired by attacks that change their message sequence at every successive infection, to evade detection mechanisms [9], by using the inter-arrival rate of the messages. Even if the victim detects the SIDCAS attack, the attack strategy can be re-initiated by using a different volume of message sequences.

The rest of the paper is organized as follows. Related work is presented in Section 2. Section 3 explains the stealthy attack model in detail. The attack approach is presented in Section 4. The evaluation of the proposed stealthy attack method is given in Section 5. The conclusion is given in Section 6.

II Related work

Sophisticated DDoS attacks are defined as the attacks, which are adapted to the target system, in order to carry out denial of service or just to significantly degrade the performance of the target system [5], [8]. The term stealthy has been used in [9] to identify sophisticated attacks that are purposely designed to keep the malicious behaviors almost invisible to the detection mechanisms. These attacks can be significantly harder to detect compared with the brute-force and flooding style attacks [3].

DoS attacks can seriously degrade network performance by interrupting the routing mechanism and thus exhausting network resources. Network layer DoS attacks in WSNs fall into different categories: the Blackhole attack, in which the malicious or compromised node absorbs all the traffic going toward the target node [10]; the Greyhole attack, in which the compromised node forwards packets to the destination node only selectively; the Wormhole attack, which produces routing disruptions [11]; and the Flooding attack, in which the compromised node transmits a flood of packets to the target node in order to congest the network and degrade its performance. Flooding DoS attacks are difficult to handle, and hence an active cache based defense against flooding-style DoS attacks is proposed in [12]; however, this mechanism does not effectively handle Distributed DoS attacks. All these DoS attacks are observed in WSNs due to their multi-hop nature. A distributed flooding DoS attack is a huge challenge for all wireless sensor networks because this type of attack greatly reduces network performance by consuming network bandwidth to a large extent. This kind of denial of service attack is first launched by compromising a large number of innocent nodes in the wireless network, termed Zombies [13], which are programmed by highly trained programmers. These zombies send data to selected attack targets such that the aggregate traffic congests the network. In most cases, DDoS is difficult to prevent and it has the ability to flood and overflow the network [16]. In recent years, variants of DoS attacks that use low-rate traffic have been proposed; some of them are Reduction of Quality attacks (RoQ), Shrew attacks (LDoS), and Low-Rate DoS attacks against application servers (LoRDAS).

Therefore, several works have proposed techniques to detect the different forms of the above-mentioned denial of service attacks, which monitor anomalies in the fluctuation of the incoming traffic through either a time-domain or a frequency-domain analysis [14], [15], [16]. They assume that the main anomaly incurred during a low-rate attack is that the incoming service requests fluctuate in a more extreme manner during an attack. Two different types of behavior combine to form the abnormal fluctuation: (i) a periodic and impulsive trend in the attack pattern, and (ii) a fast decline in the incoming traffic volume (the legitimate requests are continually discarded).

To the best of our knowledge, none of the works proposed in the literature focus on stealthy attacks against applications that run in the WSN.

III Stealthy attack model

III.1. Base Station under Attack Model

We suppose that the system consists of a set of sensor nodes as clients or users and a set of services provided by the Base Station (BS), on the basis of which application instances run. Moreover, we assume that a load balancing mechanism dispatches the user service requests among the instances. Specifically, we model the system under attack with a comprehensive capability, which represents the global amount of work the system is able to perform in order to process the service requests.

Fig. 1. Base Station Queue Capacity.

Such capability is affected by several parameters, such as the number of processes assigned to the application, the base station performance, the memory capability, etc. Each service request consumes a certain amount of the capability on the basis of the payload of the service request. The BS Queue Capacity is shown in Fig. 1, with parameters: 0 – no queue, – manageable queue and – maximum queue capacity (bottleneck).

III.2. Stealthy Attack Objectives

We define the characteristics that a DDoS attack against an application running in the wireless sensor network should have to be stealthy. Regarding the quality of service of the system, we assume that the system performance under a DDoS attack is more degraded the higher the average time to process the user service requests is compared to normal operation.

The stealthy attack aims are those that a sophisticated attacker would like to achieve, together with the requirements the attack pattern has to satisfy to be stealthy. The purpose of the attack against wireless sensor applications is not necessarily to deny the service, but rather to impose a significant degradation in some aspect of the service (e.g., service response time), namely the benefit of attack, in order to maximize the base station computation cost to process malicious requests. Therefore, in order to perform the attack in a stealthy fashion with respect to the proposed detection techniques, an attacker has to inject low-rate message flows;

, , , , … , , (1)

where 1, 2, … , is the number of Attackers and 1, 2, … , is the number of messages. The stealthy DoS attack pattern in the WSN denotes the number of attack flows; considering a time window , the DoS attack is successful in the WSN if it maximizes the following functions of Benefit of Attack ( ) and Computation Cost ( ):

∑ ∑ , (2)

where is the benefit of the malicious request , , which expresses the service degradation (e.g., in terms of the increment of the average service time to process the user requests with respect to normal operation);

∑ ∑ , (3)

where is the computation cost in terms of the base station resources necessary to process the request.

III.3. Creating Service Degradation

Consider a base station with a comprehensive capability to process service requests , and a queue with size that represents the bottleneck shared by the customer’s flows and the DoS flows . The base station works under the safe condition (not in the bottleneck stage) when;

∑ ∑ (4)

where is the normal nodes’ message flow, is the attacker nodes’ message flow and is the base station safe stage threshold. When the number of message flows in time satisfies

∑ ∑

the base station is in the service degradation stage.

III.4. Minimize Attack Visibility

According to the stealthy attack definition, in order to reduce the attack visibility the attacker exhibits a pattern that is neither periodic nor impulsive, and that shows a slowly increasing intensity in the attack rate. Therefore, through analysis of both the attacker system and the normal service requests, the total does not exceed the base station safe stage threshold . In this way the attacker system maintains the stealthy attack by balancing the message flows.

Fig. 2. Increment of stealthy attack intensity.

To implement an attack pattern that maximizes and , as well as satisfying the stealthy condition, without knowing in advance the target system characteristics, we propose an attack strategy which is an iterative and incremental process. At the first iteration only a limited number of flows are injected. The value p is increased by one unit at each iteration , until the desired service degradation is achieved.

During each iteration, the flows exhibit the attack intensity shown in Fig. 2. Specifically, each flow consists of bursts of messages, in which the parameter denotes the initial attack intensity at the iteration (which can be orchestrated by varying the number and type of injected requests), is the length of the burst period, and is the increment of the attack intensity each time a specific condition is false. The condition is tested at the end of each period . The satisfaction of the condition identifies the achievement of the desired service degradation.
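As an added example that is not part of the paper, the script below models the per-window load at the base station and runs two detectors over constructed traffic: a worst-case-threshold detector of the kind Section II describes, which alerts only when the load crosses the bottleneck, and a one-sided CUSUM trend detector, a technique chosen here and not discussed by the paper. The capacity values, per-window request counts and the slow-ramp flow are constructed assumptions (the paper’s symbols were lost in extraction) that illustrate the safe-stage condition of III.3 and the slowly increasing pattern of III.4: the ramp pushes the queue past the safe threshold without crossing the bottleneck, so the threshold detector never fires, while the trend detector does.

```python
"""Window-based load detectors for the S-DoS queue model (added example, not the paper's code)."""
from typing import Callable, List, Optional

# Assumed capacity parameters in requests per time window (the paper's symbols were lost).
SAFE_THRESHOLD = 100   # above this the queue leaves the safe stage: service time rises
MAX_CAPACITY = 160     # bottleneck; a worst-case-threshold IDS alerts only beyond this

# Constructed sample traffic: requests seen by the base station in each of 16 windows.
NORMAL = [70, 74, 68, 72, 71, 69, 73, 70, 72, 71, 70, 69, 74, 72, 70, 71]
# Flooding-style flow: an impulsive burst that drives the queue past the bottleneck.
FLOOD_FLOW = [0, 0, 0, 0, 0, 0, 150, 160, 170, 180, 0, 0, 0, 0, 0, 0]
# SIDCAS-style flow: no impulse or period; intensity grows by a fixed increment each
# window and stops growing once the degradation stage is reached (total < MAX_CAPACITY).
SLOW_FLOW = [0, 0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 40, 40, 40, 40]


def total_load(normal: List[int], attack: List[int]) -> List[int]:
    """Per-window sum of legitimate and attack requests (the two terms of condition (4))."""
    return [n + a for n, a in zip(normal, attack)]


def worst_case_threshold_detector(load: List[int], limit: int = MAX_CAPACITY) -> Optional[int]:
    """Rate-threshold IDS: index of the first window whose load exceeds the bottleneck, else None."""
    for t, x in enumerate(load):
        if x > limit:
            return t
    return None


def cusum_detector(load: List[int], baseline_windows: int = 4,
                   slack: float = 2.0, h: float = 30.0) -> Optional[int]:
    """One-sided CUSUM on positive deviations from a baseline mean learned on the first
    windows; alerts when the accumulated drift exceeds h. Catches slow ramps that never
    cross the worst-case limit, at the price of needing a clean baseline."""
    mean = sum(load[:baseline_windows]) / baseline_windows
    s = 0.0
    for t, x in enumerate(load):
        s = max(0.0, s + (x - mean) - slack)
        if s > h:
            return t
    return None


def degradation_windows(load: List[int], safe: int = SAFE_THRESHOLD,
                        cap: int = MAX_CAPACITY) -> List[int]:
    """Windows in which the queue is past the safe stage but still below the bottleneck:
    the attacker's benefit accrues here while a threshold-only IDS sees nothing."""
    return [t for t, x in enumerate(load) if safe < x <= cap]


def detection_latency(load: List[int],
                      detector: Callable[[List[int]], Optional[int]]) -> Optional[int]:
    """Windows between the first degradation window and the detector's first alert;
    negative means the alert preceded degradation, None means never detected."""
    alert = detector(load)
    degraded = degradation_windows(load)
    if alert is None or not degraded:
        return None
    return alert - degraded[0]


if __name__ == "__main__":
    for name, flow in (("flood", FLOOD_FLOW), ("slow (SIDCAS-style)", SLOW_FLOW)):
        load = total_load(NORMAL, flow)
        print(f"{name}: threshold alert={worst_case_threshold_detector(load)}, "
              f"cusum alert={cusum_detector(load)}, degraded={degradation_windows(load)}")
```

The trend detector's baseline must be learned on traffic known to be clean; a ramp that starts before the baseline window is absorbed into the mean, which is exactly the detection-latency cost the abstract warns about.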

IV Attack approach

In order to implement SIDCAS-based attacks, the following components are involved:

• a Master that coordinates the attack;

• Agents that perform the attack; each Agent injects a single flow of messages; and

• a Meter that evaluates the attack effects.

Algorithm 1 describes the approach implemented by each Agent to perform stealthy service degradation in the WSN. Specifically, the attack is performed by injecting polymorphic bursts of length with an increasing intensity until the attack is either successful or detected, and is the inter-arrival time between two consecutive requests. Each burst is formatted in such a way as to inflict a certain average level of load . In particular, we assume that is proportional to the attack intensity of the flow during the period . Therefore, denote as the initial intensity of the attack.

Algorithm 1: Working Algorithm of SIDCAS-based Attack

Fig. 3. Resultant Attack Strategy: (a) Existing methods, (b) Proposed Stealthy Attack.

The attack intensity in the case of the normal attack strategy and the stealthy attack strategy is shown in Fig. 3. In the case of the normal existing attack strategy in Fig. 3(a), the attack intensity increases linearly towards a high value, and hence the intensity of the message requests increases beyond the maximum intensity of the queue. This dramatic increase in the request intensity allows the server to detect the presence of the attacker, and prevention measures will be taken by the server. But in the case of the stealthy attack pattern in Fig. 3(b), the attack intensity increases iteratively and incrementally. Also, the attack intensity stops growing once the maximum attack intensity is reached and does not exceed it, and hence the server will not be able to determine the presence of the attacker.

V. Performance evaluation

The effectiveness of the proposed stealthy attack can be evaluated with the Attack Detection Ratio (ADR) and the Resource Usability (RU). The ADR is the detection rate of attacker requests by the base station and is given by Equation (4):

. . (4)

The ADR of the DoS attack and the stealthy attack is shown in Fig. 4. From the comparison plot it can be seen that the detection rate of the DoS attack increases as the number of attackers increases, but the ADR value remains lower for the stealthy attack pattern even if the number of attackers increases.

Fig. 4. Attack Detection Ratio.

The stealthy attack pattern concentrates mainly on resource usability rather than on denial of service. Hence the RU of the base station in the case of the DoS attack and of the proposed stealthy attack is shown in Fig. 5.

Fig. 5. Resource Usability.

From the plot it can be seen clearly that the stealthy attack pattern utilizes more resources as the number of attackers increases, because as the number of attackers is increased in the stealthy manner the base station cannot detect the presence of the attacker, and this leads to more resource usability even if the number of authorized nodes in the queue is low.

The RU also depends on the time required by the base station to process a request. That is, in the case of the DoS attack, if the number of attackers increases the presence of the attacker will be detected by the IDS, and hence the processing time spent on attack requests will be reduced. But in the case of the stealthy attack pattern, even if the number of attackers is larger the presence of the attacker will not be detected by the IDS, and hence more resources will be used for processing the attacker’s requests.

VI. Conclusion

In this paper, we propose a new strategy to implement stealthy attack patterns in WSNs, which exhibit a stealthy behavior that is largely unrecognizable by the techniques proposed in existing intrusion detection systems against DoS attacks. To exploit a vulnerability of the target base station or access point in the WSN, an intelligent attacker can organize customized or dynamic access flows, indistinguishable from legitimate access requests. In particular, the proposed attack pattern, instead of aiming at making the access unavailable, aims at making use of the resources, forcing the system to consume more resources than needed, and affecting the entire network more on the resource aspect than on access availability. In future work, we aim at developing an approach that is able to detect stealthy attacks in the wireless sensor network environment.

References

[1] K. Lu, D. Wu, J. Fan, S. Todorovic, and A. Nucci, “Robust and efficient detection of DDoS attacks for large-scale internet,” Comput. Netw., vol. 51, no. 18, pp. 5036–5056, 2007.

[2] H. Sun, J. C. S. Lui, and D. K. Yau, “Defending against low-rate TCP attacks: Dynamic detection and protection,” in Proc. 12th IEEE Int. Conf. Netw. Protocol., 2004, pp. 196-205.

[3] A. Kuzmanovic and E. W. Knightly, “Low-rate TCP-Targeted denial of service attacks: The shrew vs. the mice and elephants,” in Proc. Int. Conf. Appl., Technol., Archit., Protocols Comput. Commun., 2003, pp. 75–86.

[4] M. Guirguis, A. Bestavros, I. Matta, and Y. Zhang, “Reduction of quality (RoQ) attacks on internet end-systems,” in Proc. IEEE Int. Conf. Comput. Commun., Mar. 2005, pp. 1362–1372.

[5] X. Xu, X. Guo, and S. Zhu, “A queuing analysis for low-rate DoS attacks against application servers,” in Proc. IEEE Int. Conf. Wireless Commun., Netw. Inf. Security, 2010, pp. 500–504.

[6] L. Wang, Z. Li, Y. Chen, Z. Fu, and X. Li, “Thwarting zero-day polymorphic worms with network-level length-based signature generation,” IEEE/ACM Trans. Netw., vol. 18, no. 1, pp. 53–66, Feb. 2010.

[7] U. Ben-Porat, A. Bremler-Barr, and H. Levy, “Evaluating the vulnerability of network mechanisms to sophisticated DDoS attacks,” in Proc. IEEE Int. Conf. Comput. Commun., 2008, pp. 2297–2305.

[8] S. Antonatos, M. Locasto, S. Sidiroglou, A. D. Keromytis, and E. Markatos, “Defending against next generation through network/ endpoint collaboration and interaction,” in Proc. IEEE 3rd Eur. Int. Conf. Comput. Netw. Defense, 2008, vol. 30, pp. 131–141.

[9] H.-M. Deng, W. Li, and D. P. Agrawal, “Routing security in wireless ad hoc networks,” IEEE Commun. Mag., vol. 40, pp. 70–75, Oct. 2002.

[10] F.N. Abdesselam, B. Bensaou and T. Taleb, “Detecting and avoiding wormhole attacks in wireless Ad hoc networks,” IEEE Communication Magazine, Vol.46, Issue 4, pp. 127-133, April 2008.

[11] L. Santhanam, D. Nandiraju, N. Nandiraju, and D. P. Agrawal, “Active cache based defence against DoS attacks in wireless mesh network,” in Proc. 2nd IEEE Int. Symp. Wireless Pervasive Computing (ISWPC 2007), 2007.

[12] G. A. Marin, “Network security basics,” IEEE Security and Privacy, vol. 3, pp. 68–72, Nov. 2005.

[13] A. Kuzmanovic and E. W. Knightly, “Low-rate TCP-targeted denial of service attacks and counter strategies,” IEEE/ACM Trans. Netw., vol. 14, no. 4, pp. 683–696, Aug. 2006.

[14] X. Luo and R. K. Chang, “On a new class of pulsing denial-of-service attacks and the defense,” in Proc. Netw. Distrib. Syst. Security Symp., Feb. 2005, pp. 61–79.

[15] Y. Chen and K. Hwang, “Collaborative detection and filtering of shrew DDoS attacks using spectral analysis,” J. Parallel Distrib. Comput., vol. 66, no. 9, pp. 1137–1151, Sep. 2006.

[16] P. Dasgupta, T. Boyd, “Wireless Network Security,” Annual Review of Communications, Vol.57, International Engineering Consortium, 2004.

 
