
Congestion control in wireless network

A report submitted in partial fulfillment of the requirements for


approximate design assignment

M.Tech.
in
ADVANCE NETWORK
by
Ashish Kumar (2015-AN-05)

ABV INDIAN INSTITUTE OF INFORMATION


TECHNOLOGY AND MANAGEMENT
GWALIOR-474 010
2016

ABSTRACT

People increasingly depend on mobile browsers to perform transaction-sensitive operations as well as important data exchange. Browsers must therefore be secure enough to guarantee the protection of very sensitive data when it is transmitted over an insecure network. The browser acts as the end entity on the user's side. It should have some sort of signals or indications, here called security indicators, for indicating the credibility of the website that the user is visiting. A mobile browser is as capable as a desktop browser, but due to the reduced size of the mobile browser these security indicators are not properly implemented as guided by W3C. This gives attackers an easy way to attack mobile users. According to 2011 records, mobile users access phishing websites three times more than desktop browser users. Security indicators must be implemented in the same way as the guidelines provided by W3C for the UI.
Key words: web browser, phishing attack, security indicators, SSL and EV-SSL certificate

Contents
1 INTRODUCTION
2 MOTIVATION
3 OBJECTIVES
4 METHODOLOGY 10
5 IMPLEMENTATION DETAILS AND RESULTS 12
6 CONCLUSION 21

List of Figures
1 Architecture of sensor node 5
2 Component of sensor node 6
3 Congestion due to Buffer overflows 6
4 Congestion due to Link collision 7
5 Possible phishing attacks 17
6 Work Flow of WebFish 19
7 Architecture for tackling XSS 20

List of Tables

INTRODUCTION

A wireless sensor network (WSN) is a collection of different sensor nodes, which are used to sense environmental or physical conditions such as vibration, temperature, pressure, sound, motion and pollutants in the environment. It is also known as a wireless sensor and actuator network (WSAN). A WSN is made of several nodes, or hundreds or thousands of nodes, where every node is associated with one (or sometimes many) sensors. Each sensor node is a self-governing device which contains a communication device (transceiver), sensor devices and storage devices, and exchanges data with the other sensor nodes. WSNs employ a medium access control (MAC) protocol to coordinate signal broadcast over the shared wireless channel. Otherwise, several nodes may attempt to access the transmission channel concurrently, which leads to signal collision, data loss, retransmission, depletion of energy, delay in packet transmission and so on.
A WSN has limited resources for computation, communication bandwidth and energy supply. These resources directly affect quality-of-service parameters such as packet delivery, end-to-end delivery and energy consumption of a sensor node. The event-driven nature of a WSN, resource constraints, many-to-one communication, the topology of the sensor nodes and high traffic from sensor nodes create congestion in the network.

Figure 1: Architecture of sensor node

Mainly there are two types of congestion in a WSN, known as buffer overflow and link collision. Buffer overflow occurs when a node receives data at a higher rate than its transmission rate; in this case packets will be dropped. Link collision occurs when multiple nodes send data simultaneously, so that at some point in time a collision occurs between the nodes. Fig. 3 and Fig. 4 illustrate these types of congestion.

Figure 2: Component of sensor node.

Figure 3: Congestion due to Buffer overflows.

Figure 4: Congestion due to Link collision.
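The buffer-overflow case above, as an added example that is not part of the report: a discrete-time model of one sensor node's transmit buffer. Packets arrive each time slot, the radio forwards at most tx_rate of them, and anything that does not fit in the buffer is dropped. The buffer size, transmission rate and arrival pattern are constructed values chosen for illustration.

```python
# Added example, not from the report: a discrete-time model of a sensor node's
# transmit buffer that shows congestion by buffer overflow. The buffer size,
# transmission rate and arrival pattern are constructed values for illustration.
from dataclasses import dataclass


@dataclass
class NodeQueue:
    capacity: int      # packets the buffer can hold
    tx_rate: int       # packets the radio can forward per time slot
    buffered: int = 0
    dropped: int = 0
    sent: int = 0

    def step(self, arrivals: int) -> None:
        """One time slot: accept incoming packets, then transmit up to tx_rate."""
        free = self.capacity - self.buffered
        accepted = min(arrivals, free)
        self.dropped += arrivals - accepted      # overflow: excess packets are lost
        self.buffered += accepted
        out = min(self.buffered, self.tx_rate)
        self.buffered -= out
        self.sent += out


def simulate(arrivals_per_slot, capacity, tx_rate):
    """Run the node over a sequence of per-slot arrival counts and report totals."""
    node = NodeQueue(capacity=capacity, tx_rate=tx_rate)
    for arrivals in arrivals_per_slot:
        node.step(arrivals)
    return {"sent": node.sent, "dropped": node.dropped, "buffered": node.buffered}


if __name__ == "__main__":
    # Arrival rate above the transmission rate: the buffer fills and drops begin.
    print("overloaded:", simulate([5] * 10, capacity=8, tx_rate=3))
    # Arrival rate below the transmission rate: nothing is dropped.
    print("underloaded:", simulate([2] * 10, capacity=8, tx_rate=3))
```

With five arrivals per slot against a forwarding rate of three, the eight-packet buffer is full after three slots and every later slot loses two packets; with two arrivals per slot the buffer never holds anything across a slot boundary.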


More recent networks are bi-directional, also enabling control of sensor activity. The development of wireless sensor networks was motivated by military applications such as battlefield surveillance; today such networks are used in many industrial and consumer applications, such as industrial process monitoring and control, machine health monitoring, and many others.

MOTIVATION

Wireless sensor networks have limited resources such as power, bandwidth, computing capability and storage space. Energy is very important in a WSN because once battery power is consumed it is difficult to replace or charge exhausted batteries.
The bandwidth in a wireless sensor network is low compared to wired networks such as fiber optic networks.
A wireless sensor network uses the wireless channel as the transmission medium for data transmission, which suffers signal distortion and loss due to attenuation, duplication, diffusion and scattering.
In the hidden terminal problem, if a collision occurs then the node on the other side cannot detect the collision because of the wireless medium, so it may fail to avoid the collision. This collision can result in channel wastage in wireless networking.
When two or more sender nodes send data to other nodes concurrently on the same transmission channel, there is a chance of collision between multiple signals at some point in time. To ensure reliable data transmission, retransmission of data occurs to recover from the collision. A collision results in wastage of energy and bandwidth, and larger data loss occurs. In wired networking a collision can be detected easily by comparing the sent signal to the received signal at the sender side. But in a wireless sensor network, the signal sent from the sender is not the same as the signal received at the receiver due to signal loss or obstacles.

OBJECTIVES

There are some objectives that I try to cover in this report. They are as follows:
To understand the guidelines provided by W3C for the user interface in mobile browsers.
To study the different security indicators in mobile browsers.
To check the credibility of websites.
To see how indicators are actually implemented.
To access websites while ensuring security with the help of SSL indicators.
To discuss various attacks possible on browsers due to improper implementation of the guidelines provided by W3C.

METHODOLOGY

Ten mobile and two tablet browsers are evaluated against the W3C recommended guidelines for security indicators. Furthermore, some desktop browsers are assessed. The W3C recommendations for the UI of mobile browsers are as follows:
W3C RECOMMENDATIONS
1. Identity signal: availability
The security indicators showing the identity of a website MUST be available to the user either through the primary or the secondary interface at all times.
2. Certificates: required content
In addition to the identity signal, web browsers MUST make the following security context information available through information sources (certificates): the web page's domain name and the reason why the displayed information is trusted (or not).
3. TLS indicators
a) Significance of presence
Any UI indicator (such as the padlock) MUST NOT signal the presence of a certificate unless all parts of the web page are loaded from servers presenting at least validated certificates over strongly TLS-protected connections.
b) Content and Indicator Proximity
Content MUST NOT be displayed in a manner that confuses hosted content and browser chrome indicators, by allowing that content to mimic chrome indicators in a position close to them.
c) Availability
The TLS indicators MUST be available to the user through the primary or the secondary interface at all times.
4. Robustness: visibility of indicators
Web content MUST NOT obscure the security UI.
5. Error messages
a) Interruption:
Both warning/caution and danger messages MUST interrupt the user's current task, such that the user has to acknowledge the message.
b) Proceeding options:
Warning/caution messages MUST provide the user with distinct options for how to proceed (i.e., these messages MUST NOT lead to a situation in which the only option presented to the user is to dismiss the warning and continue).
c) Inhibit interaction:
The interactions for danger messages MUST be presented in a way that makes it impossible for the user to go to or interact with the destination web site that caused the danger situation to occur, without first explicitly interacting with the danger message.


IMPLEMENTATION DETAILS AND RESULTS

Empirical Observations
Ten mobile and two tablet browsers are evaluated against the W3C recommended guidelines for security indicators.
1. Identity Signal: Availability; Certificates: Required Content
The identity signal includes information about the owner of a website and the corresponding certificate issuer. Before issuing a certificate, the certificate provider requests the contact email address for the website from a public domain name registrar, and checks that published address against the email address supplied in the certificate request. Hence, the owner of a website is someone in contact with the person who registered the domain name. Popular browsers present the owner information of a website using various fields including owner, name, location and company. The results are shown in the tables given below against these guidelines.

This table shows the results of the experiment carried out on all mobile browsers listed above against the first and second W3C guidelines given above.

This table shows the results of the experiment carried out on all browsers listed above against the first and second W3C guidelines given above.

2. Certificates: Required Content

A certificate from a website must provide the same website's domain name and the reason why the shown information is trusted (or not). Trust reasons include whether or not a certificate was accepted interactively, whether a self-signed certificate was used, whether the self-signed certificate was pinned to the site that the user interacts with, and whether trust-relevant settings of the user agent were otherwise overridden by user action. We believe that information such as whether a certificate is inherently trusted and whether the certificate chain is trusted/valid also conveys the reason behind a browser trusting or not trusting a particular website. The results are shown in the table given above against these guidelines.
3. TLS indicators
These include the https prefix, the padlock icon, information regarding the ciphers used in the connection, and URL coloring (or a site identity button) to distinguish between EV-SSL and SSL certified web pages.
a) Significance of presence
If a web browser shows a TLS indicator for the presence of a certificate for a web page consisting of content obtained over both http and https connections (mixed content), this guideline is not followed. We created a simple web page that uses a strong TLS connection to retrieve the top-level resource and embedded a map obtained from a third party over an unsecured http connection. We examined the browsers while rendering this page for two basic TLS security indicators: the https URL prefix and the lock icon. If a browser shows either of these two indicators on a mixed-content web page, it does not follow the W3C guideline. We also observed whether a browser displays a warning to the user indicating the presence of mixed content on the web page. The results are shown in the table given below against this guideline.
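The decision a browser has to make under guideline 3a, as an added Python example that is not from the report: collect every sub-resource a page references, resolve it against the page URL, and allow the padlock only when the page and all of its parts are served over https. The test page mirrors the experiment above (a TLS page embedding a third-party map over plain http); the page URL, host names and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch a sub-resource while rendering.
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src", "embed": "src",
    "object": "data",
}


class ResourceCollector(HTMLParser):
    """Collects the absolute URL of every sub-resource the page references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # Relative references inherit the page's scheme, so only an
                # explicit http:// reference can make a TLS page mixed content.
                self.resources.append(urljoin(self.page_url, value.strip()))


def indicator_decision(page_url, html):
    """Which TLS indicators guideline 3a permits for this page.

    Returns whether the https prefix applies, whether the padlock may be shown,
    whether a mixed-content warning is due, and the offending resource URLs.
    """
    page_https = urlsplit(page_url).scheme == "https"
    collector = ResourceCollector(page_url)
    collector.feed(html)
    insecure = [u for u in collector.resources if urlsplit(u).scheme == "http"]
    return {
        "https_prefix": page_https,
        "padlock": page_https and not insecure,       # 3a: every part must be protected
        "mixed_content_warning": page_https and bool(insecure),
        "insecure_resources": insecure,
    }


# Constructed test page (not from the report): a TLS top-level resource that
# embeds a third-party map image over plain http, as in the experiment above.
PAGE_URL = "https://bank.example.test/login"
MIXED_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="icon" href="https://cdn.example.test/favicon.ico">
</head><body>
<img src="http://maps.third-party.test/branch-map.png" alt="branch map">
<script src="scripts/app.js"></script>
</body></html>"""
CLEAN_PAGE = MIXED_PAGE.replace("http://maps.third-party.test",
                                "https://maps.third-party.test")

if __name__ == "__main__":
    for name, page in (("mixed", MIXED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, indicator_decision(PAGE_URL, page))
```

The https prefix depends only on the top-level URL, which is why a browser can legitimately show it on the mixed page while withholding the padlock; showing the padlock there is the violation the experiment looks for.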
b) Content and Indicator Proximity
The padlock icon used as a security indicator and the favicon used as an identity element of a website are two common components that use a browser's chrome. If a browser allows a favicon to be placed next to the padlock, an attacker can fake a secure site by mimicking the favicon as a security indicator.
This table shows the results of the experiment carried out on all mobile browsers listed above against the third W3C guideline given above.
This table shows the results of the experiment carried out on all desktop browsers listed above against the third W3C guideline given above.
c) Availability
We focused on the presence of the lock icon, the https URL prefix and details of the cipher used in a TLS connection by visiting a TLS-secured page using all candidate browsers. The padlock icon and the https URL prefix are primary interface indicators and cipher information is a secondary interface indicator on desktop browsers.
4. Robustness: Visibility of indicators
The TLS indicators generally found on the primary interface are the lock icon, the https URL prefix, URL coloring and the site identity button. Typically, the address bar in a web browser holds these indicators. Therefore, we examined whether web content overwrites or pushes the address bar containing security indicators out of a user's view during browsing.
5. Error messages
We created example scenarios that require the warning/caution and danger messages, given the definitions in the W3C document. The W3C document gives examples of scenarios that require a danger alert. However, as the document does not specify any scenarios that should trigger warnings, we performed our tests using the following scenario. We defined the scenario of a browser rendering a mixed-content web page as one that should trigger a warning. This is because on a page with both insecure and secure content, the user could potentially interact with the insecure content on the page.
a) Interruption:
We examined whether the mobile and tablet browsers show a warning or danger message in our test scenarios. We then further observed the nature of the messages to confirm that they actually interrupt the user's actions as specified by the W3C guidelines and are not displayed at a position on the screen which a user can ignore while continuing to interact with the site.
b) Proceeding options:
This table shows the results of the experiment carried out on all mobile browsers listed above against the fourth and fifth W3C guidelines given above.
c) Inhibit interaction:
This guideline requires a browser to prevent a user from interacting with a site that triggers a danger message, before the user interacts with the danger message. We visited a site presenting an untrusted self-signed certificate from each of the browsers.
Possible Attacks
W3C has provided guidelines for the UI of mobile browsers to alert the user to security issues. If these guidelines are not implemented correctly and fully, an attacker can take advantage of the flaw to mislead the user. A number of attacks are possible due to inappropriate implementation of the W3C guidelines. Some of these are as follows:
1. Phishing without SSL:
An attacker masquerades as a trustworthy entity in a phishing attack. By closely imitating a legitimate site's identity information in combination with lock icon spoofing, a malicious site can launch a phishing attack without SSL on a browser violating W3C guidelines 1, 2 and 3b as follows. An attacker buys a domain name that closely resembles the domain name of the legitimate site. For instance, to spoof www.bankofmaharashtra.com, the attacker buys the domain name www.bankofmaharashtraa.com. The attacker then imitates the content of the targeted legitimate website.
Rather than spending money on buying an SSL certificate to increase the false credibility of the malicious site, the attacker instead makes the favicon of the malicious site a lock image. Thus, the closely imitated domain name gives an impression of the correct identity of the intended site and the spoofed lock gives an illusion of strong encryption. When this malicious site is rendered in a browser that makes viewing the URL of the site difficult, places the favicon next to the padlock icon and does not offer a UI to view identity information such as the site owner's name, even an advanced user may be subjected to phishing.
2. Phishing with SSL

Figure 5: Possible phishing attacks.


Phishing using a compromised CA
A compromised CA permits an attacker to obtain rogue certificates for legitimate sites. There have been several such attacks recently. If a user's browser trusts a CA, the browser will accept all certificates signed by the CA without showing any warning to the user. This behaviour persists even when the same CA is compromised and the necessary update to remove the trusted CA from the browser has not been installed. An expert user who is informed of a CA compromise can verify each certificate issuer's organization in the certificate chain, thereby refusing to interact with a malicious site presenting a rogue certificate. If a browser fails to meet guidelines 1 and 2, thereby not showing a UI to enable certificate viewing, even an expert user could be exposed to a phishing attack.
Industrial espionage / eavesdropping
A man-in-the-middle (network) attacker can use any of the cipher downgrade, substituting http for https, or inserting mixed content techniques for user deception to launch an eavesdropping attack on a user's session as follows:
a) SSLstrip attack
When the attacker detects a request to an encrypted https site, he substitutes a duplicate of the intended destination as an unencrypted http site. This switching strips away the security that prevents a third party from stealing or modifying data, while deceiving the server into believing that an encrypted page has been sent to the client. The network attacker can also fake a secure icon in the stripped http page, by replacing the favicon with a lock icon. If the https prefix is not available to a user persistently, he may not be able to recognize that he is using an unsecured connection by noting the change from https to http in the address bar. A browser not showing the https prefix persistently does not follow requirement 3c.
b) Cipher downgrade attack

A man-in-the-middle (network attacker) can tamper with the initial messages sent by a client browser to set up an SSL connection with a web server. Before a TLS connection is established, a client and server exchange a list of ciphers that they support. A network attacker can modify the list of supported ciphers sent by the client to a list containing only weak ciphers, and then forward the client's request/response to the server. On receiving a list of only weak ciphers (e.g., DES-CBC-SHA), the server can either drop the connection because no ciphers are mutually supported, or provide support for that cipher and start an encrypted session with the weak cipher. When a connection using the weak cipher is started, all of the data in transit is secured using the weak cipher's encryption scheme. This allows a network attacker to capture the stream of data and break the weak encryption offline.
c) Mixed content attack
A man-in-the-middle attacker can tamper with (e.g., code injection) the unencrypted content present on a page consisting of mixed content and replace the original content with any malicious content of his choice. If a web browser shows SSL indicators for a web page containing mixed content (a violation of guideline 3a), even an expert user may be unable to detect a network attack exploiting the mixed content on a page.
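The server's two possible responses in the cipher downgrade scenario, as an added Python example that is not from the report: a toy suite selection that plays through an honest ClientHello and a tampered one against a strict server and a permissive server, plus the real server-side control, an ssl.SSLContext whose cipher string excludes DES, 3DES and RC4 so that a ClientHello reduced to weak suites can only end in an aborted handshake. The suite lists are constructed samples using standard IANA names.

```python
import ssl

# Constructed preference lists (standard IANA suite names). STRONG_SUITES stands
# in for a server policy; TLS_RSA_WITH_DES_CBC_SHA is the weak suite named above.
STRONG_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
WEAK_SUITES = ["TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]

# A legacy client that still advertises weak suites after the strong ones,
# and the same ClientHello after a man-in-the-middle removed everything but DES.
HONEST_HELLO = STRONG_SUITES + WEAK_SUITES
TAMPERED_HELLO = ["TLS_RSA_WITH_DES_CBC_SHA"]


def negotiate(client_offered, server_allowed):
    """Server-side selection: the first suite in the server's preference order
    that the client also offered, or None when the server drops the connection."""
    offered = set(client_offered)
    for suite in server_allowed:
        if suite in offered:
            return suite
    return None


def outcome(client_hello, server_allowed):
    """Label the handshake result: 'aborted', 'strong' or 'weak' session."""
    chosen = negotiate(client_hello, server_allowed)
    if chosen is None:
        return "aborted"
    return "weak" if chosen in WEAK_SUITES else "strong"


def hardened_context():
    """The real control: an OpenSSL server context whose cipher string keeps
    ECDHE+AES-GCM only and explicitly excludes DES, 3DES and RC4, so the
    'provide support for that cipher' branch cannot be taken."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5:!DES:!3DES:!RC4")
    return ctx


def offers_weak_cipher(ctx):
    """True if the context would still negotiate any DES- or RC4-based suite."""
    return any("DES" in c["name"] or "RC4" in c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("honest client, strict server:   ", outcome(HONEST_HELLO, STRONG_SUITES))
    print("tampered hello, strict server:  ", outcome(TAMPERED_HELLO, STRONG_SUITES))
    print("tampered hello, permissive server:",
          outcome(TAMPERED_HELLO, STRONG_SUITES + WEAK_SUITES))
    print("hardened context still offers weak suites:",
          offers_weak_cipher(hardened_context()))
```

The permissive server is the one the text warns about: because it lists the weak suite at all, the attacker's edit to the ClientHello turns into a DES-protected session that can be recorded and broken offline, and nothing in the handshake tells the client that its original offer was changed.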
MobiFish Scheme: Anti-phishing
This scheme consists of two independent components, WebFish and AppFish, designed for mobile web pages and mobile applications respectively.
1) WebFish Scheme:
When a browser attempts to load a web page, WebFish first scans its URL to see whether the domain name is an IP address. Legitimate sites always use domain names as proof of their identities, while phishers are likely to put IP addresses in URLs to disguise their fake identities. Next, WebFish acquires the HTML source code of the loading page and checks if there is any form in that page. The presence of a form is crucial since phishers also require a form with input tags which allows the user to enter (confidential) information and then submit it.
2) AppFish Scheme:
It maintains a database called SAS (suspicious app set). Users can add the applications they suspect into SAS, and only applications listed in SAS are under the monitoring of AppFish.
If a login interface is found, the logging procedure starts, in which AppFish takes a screenshot of the login interface and extracts the text with the OCR tool. Then the text, along with the application Uid and launch time, is logged into the profile of that application. After the user has entered the credentials and taps the sign-in button, the verification stage starts. Legitimate applications (like Facebook and Twitter) normally send the user's credentials to a remote server for verification via HttpGet/HttpPost.

Figure 6: Work Flow of WebFish.
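The two WebFish pre-checks described above, as an added Python example that is not part of the report or of MobiFish: test whether the URL's host is an IP literal (IPv4 or IPv6) and whether the fetched HTML contains a form with input fields. The URLs, the 203.0.113.7 address and the HTML pages are constructed samples, and the verdict labels are assumptions of this example; the text comparison WebFish performs after these checks is not modelled here.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_is_ip_literal(url):
    """True when the URL addresses the site by IP (v4 or bracketed v6) instead of a name."""
    host = urlsplit(url).hostname      # strips port, userinfo and IPv6 brackets
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class FormFinder(HTMLParser):
    """Counts forms and the input fields inside them (the credential-entry signal)."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.forms = 0
        self.inputs = 0
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms += 1
            self.in_form = True
        elif tag == "input" and self.in_form:
            self.inputs += 1
            if (attrs.get("type") or "").lower() == "password":
                self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def webfish_prefilter(url, html):
    """WebFish's first two steps: IP-literal host => phishing; a form present =>
    hand the page to the later content checks; otherwise nothing to examine."""
    finder = FormFinder()
    finder.feed(html)
    ip_host = host_is_ip_literal(url)
    if ip_host:
        verdict = "phishing"
    elif finder.forms:
        verdict = "needs_further_check"
    else:
        verdict = "benign"
    return {
        "ip_literal_host": ip_host,
        "has_form": finder.forms > 0,
        "input_fields": finder.inputs,
        "password_fields": finder.password_inputs,
        "verdict": verdict,
    }


# Constructed sample pages (not from the report).
LOGIN_PAGE = """<html><body><h1>Sign in</h1>
<form method="post" action="/login">
<input type="text" name="user"><input type="password" name="pass">
<input type="submit" value="Sign in"></form></body></html>"""
ARTICLE_PAGE = "<html><body><p>Daily news, no form here.</p></body></html>"

if __name__ == "__main__":
    print(webfish_prefilter("http://203.0.113.7/login.html", LOGIN_PAGE))
    print(webfish_prefilter("https://bank.example.test/login", LOGIN_PAGE))
    print(webfish_prefilter("https://news.example.test/", ARTICLE_PAGE))
```

Using urlsplit().hostname rather than a regular expression matters for the first check: it handles ports, userinfo and bracketed IPv6 literals, all of which a plain dotted-quad pattern would miss.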
Other attacks:
1. Cross-site scripting (XSS) attacks:
Cross-site scripting is a string-based code injection attack targeted at web applications. An attacker typically inserts malicious scripts into the web application's code, and when these are parsed and rendered by a user's mobile browser they can cause a variety of things to happen depending on how the script was written by the attacker. It may give them access to confidential information, allow attackers to take control of connected devices such as a web cam, or enable other sorts of malicious activities. XSS is typically divided into two different types: reflected XSS and stored XSS.
An example of reflected XSS is when an attacker can trick a user into clicking a malicious link which they believed to be something else, which then activates the malicious script. Stored XSS is where attackers inject malicious script into a web application's storage, which then causes the script to be executed for each user that page is served to.
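The two XSS variants above on a tiny search handler and comment store, as an added Python example that is not from the report: the vulnerable rendering interpolates untrusted input into HTML as-is, the hardened one passes it through html.escape so the same input is shown as text. The URL, host name, comment text and the classic script-tag test string are constructed samples.

```python
import html
from urllib.parse import parse_qs, urlsplit


def render_search_vulnerable(query):
    """Reflected XSS: the query string is placed into the page unchanged."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    """Hardened form: HTML-escape untrusted input before it enters the markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflected_from_url(url, renderer):
    """Model the link-click: the 'q' parameter of the URL is what gets rendered."""
    query = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return renderer(query)


class CommentStore:
    """Stored XSS: a comment is persisted once and served to every later visitor."""

    def __init__(self):
        self.comments = []

    def add(self, text):
        self.comments.append(text)

    def render(self, escape=True):
        items = [html.escape(c) if escape else c for c in self.comments]
        return "<ul>" + "".join(f"<li>{item}</li>" for item in items) + "</ul>"


def contains_script_tag(markup):
    """Detection helper: does the rendered markup carry an executable script tag?"""
    return "<script" in markup.lower()


# Constructed sample link and comment (not from the report): the standard
# script-tag test string, URL-encoded into the search parameter.
SAMPLE_URL = "https://shop.example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
SAMPLE_COMMENT = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(reflected_from_url(SAMPLE_URL, render_search_vulnerable))
    print(reflected_from_url(SAMPLE_URL, render_search_safe))
    store = CommentStore()
    store.add("nice shop")
    store.add(SAMPLE_COMMENT)
    print(store.render(escape=False))
    print(store.render())
```

The distinction the text draws is visible in where the payload lives: in the reflected case it exists only in one crafted URL and affects whoever follows it, in the stored case one submission affects every visitor until the stored comment is removed; output escaping at render time neutralises both.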

Figure 7: Architecture for tackling XSS.


CONCLUSION

Mobiles are used to perform many sensitive operations over SSL/TLS connections. Mobile browsers provide similar functionality to desktop browsers, yet due to the reduced screen size the availability and presentation of security indicators are affected. It is found that the W3C guidelines for the UI of mobile browsers are not implemented appropriately, and there is also no consistency in security indicators across browsers. Since the security indicators are not implemented correctly, even an expert user can be misled by an attacker. Some attacks are also possible due to the problems I have discussed above. Attackers take advantage of the absence or wrong implementation of security indicators.

