
Using honeynodes for defense against jamming attacks in wireless infrastructure-based networks

Sudip Misra, Sanjay K. Dhurandher, Avanish Rayankula, Deepansh Agrawal

Advisor: Professor Frank Y.S. Lin
Presented by J.W. Wang

NTU OPLab 2010/5/11

About this paper


Authors:
Sudip Misra, Sanjay K. Dhurandher, Avanish Rayankula, Deepansh Agrawal

Title:
Using honeynodes for defense against jamming attacks in wireless infrastructure-based networks

Provenance:
Computers & Electrical Engineering, Volume 36, Issue 2, March 2010, Pages 367-382


Agenda
Introduction
Existing techniques
Proposed solution
Simulation
Conclusions
Comments

Introduction


Introduction
New medium, new attack
Jamming
  Blocking of a communication channel
  A subclass of the Denial-of-Service (DoS) attacks
  One of the most feared forms of attacks in wireless networks


Introduction(cont)
Research topic:
  Mitigation
  Prevention

Categories of wireless network:
  Wireless infrastructure-based networks (i.e., WLANs and cellular networks)
  Infrastructure-less networks (i.e., ad hoc networks)


Wireless infrastructure-based networks


Components:
  Base-stations (or access points)
  Mobile nodes
This work is restricted to jamming attacks in wireless infrastructure-based networks.


Objective of this work


Propose an efficient algorithm to mitigate jamming attacks in wireless infrastructure-based networks.

Provide an efficient solution that can be easily incorporated in the existing network architecture
Achieve better robustness than the widely used Channel Surfing Algorithm by using honeynodes along with dynamic channel prediction in wireless infrastructure networks


Jamming-based DoS attacks


Prevent networked nodes from communicating.
Carried out with a jammer.
Classifications of jamming attacks:
  Physical layer jamming
  By ignoring MAC layer rules


Jamming methods
Constant:
Continuously sends random bits of data onto a channel.

Deceptive:
Sends out valid packets at a very fast rate to the nearby nodes. Authentic nodes are thus deceived into believing that the jammer is also a legitimate node.

Random:
This kind of jammer alternates between sleeping and jamming the channel of operation.

Reactive:
This kind of jammer attacks only when it hears communication over the channel it is currently scanning.


Parameters in attack detection


Signal-to-Noise Ratio (SNR):
SNR refers to the ratio of signal power to the power of noise present in the received signal.

Packet Delivery Ratio (PDR):


The ratio of number of packets that were successfully delivered to their respective destination to the total number of packets sent out by the node.

Carrier Sense Time


Steps of tackling jamming attacks


Attack detection:
  The physical layer
  The MAC layer

Attack mitigation:
  Overcome the effects of the attack.

Attack prevention (seldom included):
  Prevent the occurrence of an attack on the network.

Existing techniques


Existing techniques
Channel Surfing
Spatial Retreats
Using Wormholes
Jammed region mapping
Spread Spectrum Techniques


Channel Surfing
A spectral evasion mechanism:
Move to a different channel of operation.

On detection of an attack, the nodes:


Change the channel of operation based on a pre-defined pseudorandom sequence.

An access point frequently sends beacons to all its associated nodes to check if they are still with it or not.


Spatial Retreats
Based on spatial evasion:
  APs are immobile components.
  Nodes move from the region of their current AP, which is being jammed, to the region of an emergency AP.

While moving away:
  The nodes try to connect to their jammed AP.

21
NTU OPLab 2010/5/11

Using Wormholes
Two or more attackers act as a single attacker through a coordinated attack mechanism,
  with the help of a special communication link (wormhole).

A similar mechanism is used when some nodes in a network are jammed. They:
  Communicate through an un-jammed medium.
  Attack mitigation follows afterward.

22
NTU OPLab 2010/5/11

Jammed region mapping


Mapping out the jammed region with a protocol.
Based on the responses received by the nodes which lie on the boundary of the jammed region.
Mitigate the impact of a jammer by identifying and isolating the jammed region, and then trying to determine alternate routing paths for the data packets.

23
NTU OPLab 2010/5/11

Spread Spectrum Techniques


Traditional techniques:
Push maximum traffic into the minimum amount of bandwidth

Spread Spectrum:
Spreads the signal over a range of bandwidth in the widest possible manner.
Makes the communication very hard to detect and jam.

24
NTU OPLab 2010/5/11

Limitations of the existing techniques


Attack detection:
  Most of the jamming attacks detected are false alarms.
Some of the solutions allow a portion of the network to become inoperable.
  These are not very popular, as they affect the connectivity of the jammed nodes.

25
NTU OPLab 2010/5/11

Limitations of the existing techniques(cont)


Spatial Retreats
  Involves physically moving
  Restricts the mobility of the nodes

Wormholes
  Requires an additional secure channel between all node pairs

Spread spectrum
  Extra costs for small quantity of information
  High complexity

26
NTU OPLab 2010/5/11

Limitations of the existing techniques(cont)


A missing aspect:
No prevention mechanisms.

Proposed solution

28
NTU OPLab 2010/5/11

Proposed solution
Providing a mechanism for attack prevention
Can be easily integrated into the existing network architecture

29
NTU OPLab 2010/5/11

Network Architecture
Involves the following components:
  Base-station
  Mobile nodes
  Honeynodes

The honeynode is the only new component added to the existing infrastructure.

30
NTU OPLab 2010/5/11

Honeynodes
Secondary interfaces on base-stations

Guard the frequency of operation by:
  Sending out fake signals on a nearby frequency
  Preventing attacks by deceiving the attacking entity into attacking the honeynode

[Figure labels: Jammer scans the channel; Honeynode at 2400 MHz; Base Station at 2405 MHz]

31
NTU OPLab 2010/5/11

Algorithm for proposed mechanism


If a mobile node or base-station detects an attack, it:
  changes its frequency of operation based on a pseudorandom sequence.

If the honeynode detects an attack, it:
  Continues to send signals on that channel
  Informs the base-station of the impending attack

Then the base-station issues a frequency change command to all its associated nodes.
Later on, the honeynode switches its frequency of operation to the new guard frequency.


Contributions
Introduced honeynodes into the network architecture
  Eliminates the possibility of base station jamming
  Base station jamming can occur only when:
    base stations move from one frequency of operation to another.

[Figure labels: Jammer 1, Jammer 2, Jamming, Run, Hop; Honeynode at 2400 MHz; Base Station at 2405 MHz; Base Station at 2430 MHz]

35
NTU OPLab 2010/5/11

Contributions(cont)
Secondly, they have used a hybrid proactive and reactive frequency selection algorithm for frequency selection.

Proactive mechanisms:
Based on a pre-defined pseudorandom sequence

Reactive mechanisms:
Determine the next frequency of operation dynamically

While proactive mechanisms are fast, reactive mechanisms give better performance.

36
NTU OPLab 2010/5/11

Contributions(cont)
A major constraint on a reactive mechanism:
requires an un-jammed communication link between all participating nodes

We employ a hybrid technique which follows the:
  proactive approach when mobile nodes or base stations are jammed
  reactive mechanism in case the honeynode detects an attack.

37
NTU OPLab 2010/5/11

Attackers behavior

38
NTU OPLab 2010/5/11

Hybrid frequency selection algorithm


When normal nodes, i.e., mobile nodes and base-stations, detect an attack,
  they use a pre-defined pseudorandom sequence for the selection of the next frequency.
  This sequence is known to every legal node that is present on the network.

A reactive approach cannot be used in such a case because the regular communication channel would be under attack.

39
NTU OPLab 2010/5/11

Hybrid frequency selection algorithm(cont)


When a honeynode detects an attack,
it alerts the base-station it is attached to about the imminent attack.

The base station
  Maintains a blacklist of all frequencies recently jammed.
  On receiving an alert from the honeynode, it selects a frequency that is farthest away from any blacklisted frequency amongst the list of available frequencies.

40
NTU OPLab 2010/5/11

Hybrid frequency selection algorithm(cont)


When an attack is detected on a frequency,
  it is added to the blacklist of jammed frequencies
  for a time equal to risk_time.
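The hybrid selection described on the "Algorithm for proposed mechanism" and "Hybrid frequency selection algorithm" slides, as an added sketch that is not code from the paper or the presentation. The channel plan, the RISK_TIME value, the seeded generator standing in for the pre-defined pseudorandom sequence, and all class and method names are assumptions; the honeynode retunes immediately here, whereas the slides say it moves "later on".

```python
import random

CHANNELS_MHZ = list(range(2400, 2485, 5))  # assumed channel plan (constructed)
RISK_TIME = 30.0   # assumed value, in seconds, for the slides' risk_time
GUARD_OFFSET = 5   # honeynode offset in MHz, as in the 2400/2405 MHz figure

class BaseStation:  # hypothetical name, for illustration only
    def __init__(self, shared_seed, freq=2405):
        self.freq = freq
        self.honeynode_freq = freq - GUARD_OFFSET
        self.blacklist = {}  # jammed frequency -> time its entry expires
        # Stand-in for the pre-defined pseudorandom sequence: every legal
        # node seeds the same generator, so all of them hop identically.
        self.sequence = random.Random(shared_seed)

    def _retune(self, freq):
        self.freq = freq
        guard = freq - GUARD_OFFSET  # keep the decoy on a nearby channel
        in_plan = guard in CHANNELS_MHZ
        self.honeynode_freq = guard if in_plan else freq + GUARD_OFFSET
        return freq

    def _blacklisted(self, jammed, now):
        self.blacklist[jammed] = now + RISK_TIME  # risky for RISK_TIME
        self.blacklist = {f: t for f, t in self.blacklist.items() if t > now}
        return set(self.blacklist)

    def on_node_or_bs_jammed(self, now):
        """Proactive hop: the data channel is jammed, so nothing can be
        negotiated; every node just follows the shared sequence."""
        self._blacklisted(self.freq, now)
        options = [f for f in CHANNELS_MHZ if f != self.freq]
        return self._retune(self.sequence.choice(options))

    def on_honeynode_alert(self, now):
        """Reactive hop: only the decoy is jammed and the data channel still
        works, so pick the channel farthest from every blacklisted one."""
        black = self._blacklisted(self.honeynode_freq, now)
        free = [f for f in CHANNELS_MHZ if f not in black and f != self.freq]
        best = max(free, key=lambda f: min(abs(f - b) for b in black))
        return self._retune(best)

def demo():
    # Three honeynode alerts; the 2400 MHz entry has expired by t=35.
    bs = BaseStation(shared_seed=7)
    return [bs.on_honeynode_alert(t) for t in (0, 10, 35)]
```

The third hop in `demo()` returns to 2400 MHz because its blacklist entry has aged out, which shows how risk_time bounds how long a jammed channel is avoided.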


Attack scenarios and respective defence strategies


Scenario 1: Only communicating mobile nodes are jammed.
Scenario 2: Mobile nodes and base-station are jammed.
Scenario 3: Honeynode is jammed.


Only communicating mobile nodes are jammed


Both mobile nodes and base-station are jammed


Honeynode is jammed

Simulation


Simulation
In order to determine how effective our proposed algorithm is, this work simulated the proposed algorithm along with the Channel Surfing Algorithm, to compare their respective performance under similar conditions.


Simulation topology
Four BSs
Each BS has seven associated nodes.
The BSs are connected to each other through a wired distribution system.
During the simulations, communications were set up randomly between various nodes.
Jammers are introduced into the scene and the performance metrics are measured for various attack intensities.


Simulation topology(cont)
Simulations were performed with 1 to 3 jammers.
To achieve varying attack intensities,
  they positioned jammers around one of the base-stations (base-station 1 in the figure).

Performance of the algorithm was tested on how effectively the nodes could communicate (e.g. PDR).


Assumptions
The following assumptions were made about the Jammer:
  Jamming was carried out by sending large packets at a very fast rate.
  When a jammer transmits the signal on a given frequency channel, no other communication can take place on that channel till the attack ceases to exist.
  Jammer scans frequencies in a linear fashion.
  Mobility of a jammer is restricted to the region of the first base station (the one shown to be jammed in Fig. 14).


Assumptions(cont)
The following assumptions were made about honeynodes, mobile nodes and base station:
  The honeynode interface is assumed to be capable of communicating with the associated base-station, irrespective of the jam status of either (both of them are interfaces of the same node).
  All channel hops are assumed to be made instantaneously.
  Mobile nodes were kept stationary, in order to prevent packet loss due to disassociation of nodes from the access point (due to the node moving out of range of the access point) affecting the performance analysis of the jamming attack mitigation algorithm.


System Parameters
Parameter: Description
Simulation area (m2): Physical dimensions of the network topology
Transmission range (m): Of BSs
Packet rate (kbps): Of MNs
Packet size (bytes): Of MNs
Frequency hop time (ms): Time taken to change the channel of operation
Number of base stations: More BSs, more honeynodes
Number of attackers: To achieve different attack intensities
Jammer configuration: Including jam packet rate, jam packet size, transmission power
Channel sense time (ms): The time jammer takes to listen to the current channel
Number of available channel
Over all simulation time


Results and discussion


The following metrics were considered for analyzing the performance of the proposed scheme:
  Packet delivery ratio.
  Jammed duration versus the simulation time.
  Jammed duration versus the number of jammers.
  Control message overhead.
  Number of channel reconfigurations.


Packet delivery ratio


Packet delivery ratio(cont)


Channel Surfing algorithm:
A decrease in the packet delivery ratio up to a certain point at the beginning, after which it was nearly constant.

Proposed algorithm:
Consistently better and nearly constant performance


Jammed duration vs. the simulation time


Jammed duration vs. the simulation time(cont)


Channel Surfing algorithm:
Jammed duration grows with simulation time

Proposed algorithm:
Independent of simulation time


Jammed duration vs. the number of jammers


Jammed duration vs. the number of jammers(cont)


Note: Simulation time: 100s

Channel Surfing algorithm:

Proposed algorithm:
Performance decreases as the number of jammers increases, till the point where it is nearly the same as that of the Channel Surfing algorithm.


Control message overhead


Control message overhead(cont)


Channel Surfing algorithm:
reduces network performance marginally, over Channel Surfing Algorithm, as simulation time is increased.

Proposed algorithm:
Less overhead


Number of channel reconfigurations


Number of channel reconfigurations(cont)


Channel Surfing algorithm:
A marginal increase can be observed in the number of frequency hops as simulation time increases.

Proposed algorithm:
Fewer frequency hops

Conclusions


Conclusions
The proposed algorithm performed consistently better than the Channel Surfing Algorithm, with the worst case performance being the same as that of Channel Surfing.
However, as the attack intensity increases, the performance of the proposed strategy declines gradually till it converges to the same performance level as that of Channel Surfing.
They explored the feasibility of implementing pre-emptive channel hopping within 802.11 to protect legitimate communication from jamming.

Comments


Limited attacker-defender scenario


Position of BSs
Number of normal nodes
Number of jammers (intensity)
Mobility:
  Attacker mobility is limited to the range of the 1st BS
  Mobile nodes are stationary

Attack approach:
  Reactive method
  Keeps jamming till there are no communications on the channel
  Linear channel search


Limited attacker-defender scenario(cont)

[Figure labels: Jammer, Random Scan, Jamming; Honeynode at 2400 MHz, Base Station at 2405 MHz; Honeynode at 2420 MHz, Base Station at 2425 MHz]


The End
Thanks for your attention.
