Detecting and Localizing Wireless Spoofing attacks using Frequency Domain Link Signature
Sathish Kumar V *1, Prabu M *2, Dr. Shanmugalakshmi R #3
*1 PG Scholar, Department of Computer Science, Adhiyamaan College of Engineering, Hosur, Tamilnadu, India.
*2 Lecturer, Department of Computer Science, Adhiyamaan College of Engineering, Hosur, Tamilnadu, India.
#3 Assistant Professor, Department of Computer Science, Government College of Technology, Coimbatore, Tamilnadu, India.
Abstract
Temporal link signatures have traditionally raised a number of issues in wireless sensor networks, especially with respect to false alarm rate and moment detection. Here we focus on the frequency domain link signature, an alternative to the temporal link signature. In general, we use wider bandwidths and longer path lengths to generate a richer link signature space and to make the quality measurements on link signatures more unique as a function of transmitter (TX) and receiver (RX) locations. The temporal link signature used a 40 MHz chip rate on a DS-SS system and covered relatively short path lengths (an average path length of 7.7 m). This is the major deficiency of the temporal link signature. In this article, we investigate using a frequency domain link signature to uniquely identify the link between a transmitter (TX) and a receiver (RX). When the TX changes location, or if an attacker at a different location assumes the identity of the TX, the proposed location distinction algorithm used to physical channel. The very high reliability of frequency domain link signature location distinction enables location distinction systems to detect the change in position of a transmitter even when using a single or multiple receivers. Hence, the methods are susceptible to node compromise. A good location distinction technique that can distinguish the location of spoofed nodes from the authentic nodes can prevent these attacks, increase the moment detection and reduce the false alarm rate.
Index Terms: Location Distinction, Measurements, Deficiency, Spoofed, WSN.
1. INTRODUCTION
1.1. Wireless Sensor Networks
Wireless Local Area Networks (WLANs) have become increasingly viable for many reasons: the same wireless technology that erases the physical limitations of wired communications also increases user flexibility, improves employee productivity, and lowers the cost of wireless network ownership. Wireless frequencies are designed so that a wireless receiver can connect to any wireless network in the same way that it can tune into a radio station. A WLAN is a flexible data communications system that can use either infrared or radio frequency technology to transmit and receive information over the air. In 1997, 802.11 was implemented as the first WLAN standard. It is based on radio technology operating in the 2.4 GHz frequency and has a maximum throughput of 1 to 2 Mbps [5]. The currently most widespread and deployed standard, IEEE 802.11b, was introduced in late 1999. It still operates in the same frequency range, but with a maximum speed of 11 Mbps [11]. Sensor location must be associated with measured sensor data and is needed for geographic location-based routing methods. Location estimation must be done in an energy-efficient manner, especially for networks of sensors with small batteries that must last for years. The energy required to estimate location must be expended when a sensor node moves; however, energy-efficient localization systems should not re-estimate location unless movement actually occurs. This implies that for energy efficiency in location estimation, sensor nodes must detect motion or a change in location.
International Journal of Research and Reviews in Applicable Mathematics & Computer Science, Vol. 1, No.6, 2011, December Issue
Most assets should be stationary; focus resources on rare moving assets; detect change in object location; sensitive to object movement (~1 m).
We propose a robust location distinction mechanism that uses a physical layer characteristic of the radio channel between TX and RX, which we call a frequency domain link signature. The frequency domain link signature is the sum of the effects of the multiple paths from the TX to the RX, each with its own time delay and complex amplitude. Such a signature changes when the TX or RX changes position because the multipath components in the link [15] change with the positions of the endpoints of that radio link.
2. METHODOLOGY
In this section, we first define the frequency domain link signature and highlight the strong dependence of the link signature on the multipath radio channel. We describe a real-time location distinction algorithm and then the multiple channel data gathered to evaluate it. We also describe link signatures, which are used to identify the state of the multipath channel at a given time, and the metrics used to determine the difference between recent link signatures and the link signature history.
Under use case (1) the algorithm should detect a new location with each transmission, while under use case (2) the algorithm should decide the new transmission is from a different location.
Fig. 1. Location Distinction Process
Here we evaluate the performance of the general location distinction algorithm shown in Figure 1, in which channel impulse response measurements, called link signatures, are measured over time for a given link, and each new link signature is compared to those in a history of previous measurements in order to detect changes in position. To the authors' knowledge, no implementation and experimental evaluation of MIMO-based location distinction has been performed. We present the following work in order to characterize the performance of temporal signature-based location distinction in the context of a MIMO channel:
1) We introduce MIMO temporal link signatures for quantifying the state of the MIMO channel.
2) We perform two measurement experiments with two different experimental test beds in order to evaluate location distinction under two distinct use cases.
3) We evaluate spatially dense channel measurements in order to study the spatial evolution of temporal link signatures.
4) We evaluate several trade-offs between system design parameters and performance, including link signature history size, bandwidth, complex vs. magnitude-only signatures, use of delay between measurements, and number of antenna elements.
A real-time location distinction algorithm [18] is defined by the following steps:
1) Measure the current link signature.
2) Calculate the minimum distance E between the current link signature and the link signatures in the FIFO history H.
3) Compare the minimum distance E to a threshold. If E is greater than the threshold, raise an alarm to indicate that the receiver has moved since the last link signature was measured. If E is less than the threshold, do not raise an alarm, thereby indicating that the receiver has not moved since the last link signature was measured.
4) Add the current link signature to a FIFO delay buffer and add the oldest link signature in the delay buffer to the FIFO history H.
5) Return to step 1.
The FDLS channel data used in this paper is collected using an 8 x 8 channel sounder [7]. For this data set, a multi-tone baseband signal is mixed with a carrier frequency of 2.55 GHz and transmitted to a stationary and a moving receiver. The transmitter is stationary for these measurements. The multi-tone signal is constructed as follows:
$$x_{CB}(t) = \sum_{i=0}^{39} e^{j(2\pi f_i t + \phi_i)} \quad (1)$$
Here $\phi_i$ is a fixed random phase shift between 0 and $2\pi$ included for each tone in order to spread the signal energy in time [3]. The signal $x_{CB}(t)$ is multiplied by a Gaussian window to combat artifacts generated by switching the signals on and off.
Fig. 2. Diagram of antenna array. The transmitter and receiver use identical arrays.
The transmitter and receiver use uniform circular antenna arrays, as in Figure 2. These arrays have a nominal element spacing of half a wavelength and are well synchronized in both carrier frequency and phase. The wideband channel frequency response $H(f_i)$ for each antenna pair is computed by dividing the Fourier transform of the measured signal by the Fourier transform of the known transmit signal and separating the results into bins which correspond to the tones in the transmitted signal. The wideband channel impulse response is calculated as
$$h(t) = \mathcal{F}^{-1}\{H(f)\} \quad (3)$$
Channel measurements are collected at 8 different receiver locations on a single floor of an office building. In the cases where the receiver is moving, it moves with a speed of 31.75 cm/sec. In the measurements made with a moving receiver, the multi-tone probe is sent every 3.2 ms, or, given the receiver speed of 31.75 cm/sec, every 1.016 mm. This provides the opportunity to study very dense (in time and space) link signatures. With such dense measurements it is beneficial to add a delay to simulate the case when the most recent link signature in the history was measured further in the past.
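The real-time loop from the numbered steps earlier in this section (minimum distance E to the FIFO history H, threshold test, FIFO delay buffer), run over frequency-domain signatures of a simulated multipath channel; this is an added example, not code from the paper. The tone spacing, the magnitude-only distance metric, the threshold of 0.1, the path amplitudes and delays, and the `enroll_alarmed` switch are all assumptions made for the illustration.

```python
import cmath
import math
import random
from collections import deque

N_TONES = 40              # the probe on this page has 40 tones (i = 0..39)
TONE_SPACING_HZ = 1e6     # assumption: the tone frequencies f_i are not given on the page

def frequency_signature(paths):
    """Frequency-domain link signature H(f_i) of a multipath channel.

    paths: list of (complex amplitude, delay in seconds). Each tone sees the sum
    of all paths; the result is scaled to unit norm (an assumption) so that a
    change in transmit power alone does not move the signature.
    """
    H = [sum(a * cmath.exp(-2j * math.pi * i * TONE_SPACING_HZ * tau) for a, tau in paths)
         for i in range(N_TONES)]
    norm = math.sqrt(sum(abs(h) ** 2 for h in H))
    return [h / norm for h in H]

def distance(sig_a, sig_b):
    """Assumed metric: Euclidean distance between magnitude-only signatures."""
    return math.sqrt(sum((abs(a) - abs(b)) ** 2 for a, b in zip(sig_a, sig_b)))

class LocationDistinction:
    """Steps 1-5 of the algorithm: FIFO history H fed through a FIFO delay buffer."""

    def __init__(self, threshold, history_size=10, delay=2, enroll_alarmed=True):
        self.threshold = threshold
        self.history = deque(maxlen=history_size)
        self.delay_buffer = deque()
        self.delay = delay
        # enroll_alarmed=False is an added variation, not part of the page's
        # algorithm: signatures that raised an alarm are kept out of H.
        self.enroll_alarmed = enroll_alarmed

    def observe(self, signature):
        """Process one measured signature; returns (E, alarm)."""
        # Step 2: minimum distance to the history (None until H has an entry).
        E = min((distance(signature, h) for h in self.history), default=None)
        # Step 3: threshold test.
        alarm = E is not None and E > self.threshold
        # Step 4: the current signature enters the delay buffer; the oldest
        # delayed signature moves into H once the buffer exceeds `delay` items.
        if self.enroll_alarmed or not alarm:
            self.delay_buffer.append(signature)
            if len(self.delay_buffer) > self.delay:
                self.history.append(self.delay_buffer.popleft())
        return E, alarm

# Constructed channels: (amplitude, delay) per path for two transmitter positions.
LEGIT_PATHS = [(1.0, 50e-9), (0.6, 120e-9), (0.3, 310e-9)]
OTHER_PATHS = [(1.0, 80e-9), (0.7, 200e-9), (0.4, 450e-9)]

def measure(paths, rng, jitter=0.005):
    """One noisy measurement: bounded complex jitter on every path amplitude."""
    noisy = [(a + complex(rng.uniform(-jitter, jitter), rng.uniform(-jitter, jitter)), tau)
             for a, tau in paths]
    return frequency_signature(noisy)

def simulate(enroll_alarmed, threshold=0.1):
    """8 measurements from the enrolled position, then 5 from another position."""
    rng = random.Random(2011)
    detector = LocationDistinction(threshold, enroll_alarmed=enroll_alarmed)
    stream = [LEGIT_PATHS] * 8 + [OTHER_PATHS] * 5
    return [detector.observe(measure(p, rng))[1] for p in stream]

if __name__ == "__main__":
    print("page algorithm  :", simulate(enroll_alarmed=True))
    print("alarmed kept out:", simulate(enroll_alarmed=False))
```

With step 4 applied to every measurement, the alarm lasts only until the first signature from the new position leaves the delay buffer and enters H, so the delay length bounds the detection window.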
2.2 Spoofing Attacks
Due to the open nature of the wireless medium, it is easy for adversaries to monitor communications to find the layer-2 Media Access Control (MAC) addresses of the other entities. Recall that the MAC address is typically used as a unique identifier for all the nodes on the network. Further, for most commodity wireless devices, attackers can easily forge their MAC address in order to masquerade as another transmitter. As a result, these attackers appear to the network as if they are a different device. Such spoofing attacks can have a serious impact on network performance as well as facilitate many forms of security weaknesses, such as attacks on access control mechanisms in access points [16], and denial-of-service through a deauthentication attack [17]. A broad survey of possible spoofing attacks can be found in [7], [2]. To address potential spoofing attacks, the conventional approach uses authentication. However, the application of authentication requires reliable key distribution, management, and maintenance mechanisms.
2.1.1 Formulation of Spoofing Attack Detection
It is not always desirable to apply authentication because of its infrastructural, computational, and management overhead. Further, cryptographic methods are susceptible to node compromise, a serious concern as most wireless nodes are easily accessible, allowing their memory to be easily scanned. It is desirable to use properties that cannot be undermined even when nodes are compromised. We propose the Received Signal Strength (RSS), a property associated with the transmission and reception of communication (and hence not reliant on cryptography), as the basis for detecting spoofing. Employing RSS [7] as a means to detect spoofing will not require any additional cost to the wireless devices themselves: they will merely use their existing communication methods, while the wireless network will use a collection of base stations to monitor received signal strength [6] for the potential of spoofing. In addition, we built a real-time localization system to estimate the positions of both the original nodes and the spoofing nodes. We randomly selected points out of the above locations as the training data for use by the localization algorithms. For the 802.11 network, the size of the training data is 115 locations, while for the 802.15.4 network, the size of the training data is 70 locations. To test our approach's ability to detect spoofing, we randomly chose a point pair on the floor and treated one point as the position of the original node, and the other as the position of the spoofing node. We ran the spoofing test through all the possible combinations of point pairs on the floor using all the testing locations in both networks. There are a total of 14535 pairs for the 802.11 network and 4371 pairs for the 802.15.4 network. The focus of this Frequency Domain Link Signature [14] is to further develop these two security objectives at the PHY-layer. Towards this end, we discuss the following.
2.2.2 Channel-based Authentication
Rather than employ a shared cryptographic authentication key between Alice and Bob, we instead exploit the uniqueness of the Alice-Bob channel relative to the Eve-Bob channel. We outline techniques to distinguish between legitimate transmissions from Alice and anomalous traffic from an adversary Eve. Realizing channel-based authentication in a time-varying radio environment involves two aspects. One is the authenticator signalling technique for a fixed instantiation of the channel, and the other is the necessary measures for ensuring the continuity of such an authentication procedure when the channel changes in subsequent epochs. We first discuss approaches for authenticator signalling and then techniques for maintenance of such authentication. We seek to exploit the uniqueness of the Alice-Bob channel as an authenticator to distinguish between a legitimate transmitter and an illegitimate transmitter. The ability to distinguish between different transmitters would be particularly valuable for preventing spoofing attacks, in which one wireless device claims to be another wireless device. Currently, spoofing attacks are very easy to launch in many wireless networks. For example, in commodity networks, such as 802.11 networks, it is easy for a device to alter its MAC address by simply issuing an ifconfig command. This weakness is a serious threat, and there are numerous attacks, ranging from session hijacking [14] to attacks on access control lists [2], that are facilitated by the fact that an adversarial device may masquerade as another device. We describe two strategies for authenticator signalling, but note that other forms of channel sounding, such as those used for multiple-input multiple-output (MIMO) channels [18], [8], are also appropriate.
2.2.3 Secret Key Establishment via Multipath Channel
Confidentiality is traditionally achieved through encryption using a shared key between Alice and Bob that is unknown to Eve.
In multipath environments, the unique characteristics [15], [16] of the channel between Alice and Bob can provide parameters that create a unique private key between them, a key that cannot be created from any other location. Finally, note that the two security objectives that have been focused on are a fraction of what can be accomplished at the physical layer of the protocol stack. For example, a non-repudiation service can exploit the broadcast nature of the wireless medium by introducing witnesses, making it harder for wireless entities to deny carriage of information. An availability service can use spreading and power control to maintain network connectivity in the presence of RF interference attacks. Overall, we envision that it will be possible to develop a suite of lower-layer enforcement strategies that can complement traditional methods, and ultimately lead to more secure wireless systems.
3. PHY-ENHANCED CONFIDENTIALITY
Confidentiality services, like encryption and key management, are the workhorses of many security protocols. A fundamental belief held by the security community is that, when designing confidentiality services, one should not replace traditional ciphers, such as AES, with new ciphers, as existing ciphers are very thoroughly cryptanalyzed and designed for bulk-data processing [12], [13]. Hence, our approach to achieving confidentiality focuses on the issue of establishing keys between wireless entities. In one sense, the methods that we describe are analogous to Diffie-Hellman key establishment, and can be considered as building blocks rather than complete security solutions. Bob receives a signal that is a result of the Alice-Bob channel, while Eve receives a signal that follows from the Alice-Eve channel. Alice's objective is to maximize the rate at which she communicates with Bob (i.e. the key establishment rate), while simultaneously minimizing the information that Eve learns. There are two different extremes to using the wireless channel to establish keys: Extraction and Dissemination. In Extraction, Alice's signal may be a probing signal that Bob uses to estimate channel state information $h_{AB}$ [12], [13], from which keys are extracted. In Dissemination, however, Alice transmits a signal that is an appropriately coded version of the information Alice wishes to give to Bob. We present several constructions that represent a variety of methods ranging between these two extremes. For all of the methods we describe, we assume as a starting point that Alice and Bob each have estimates of their shared channel [15], e.g. by probing in a TDD fashion. We denote by $h_{AB}$ Bob's estimate of the Alice-Bob channel, and by $h_{BA}$ Alice's estimate of the Bob-Alice channel. Similarly, we denote by $h_{AE}$ Eve's estimate of the Alice-Eve channel [13]. The channel estimates may correspond to scalar or vector channel estimates.
4. ATTACK DETECTOR
In this section we propose our spoofing attack detector. We first formulate the spoofing attack detection problem as one using classical statistical testing. Next, we describe the test statistic for spoofing detection. We then introduce the metrics to evaluate the effectiveness of our approach. Finally, we present our experimental results.
space, while the RSS readings from different locations in the physical space should form different clusters in signal space. This observation suggests that we may conduct K-means cluster analysis [13] on the RSS readings from each MAC address in order to identify spoofing. If there are $M$ RSS sample readings for a MAC address, the K-means clustering algorithm partitions the $M$ sample points into $K$ disjoint subsets $S_j$ containing $M_j$ sample points so as to minimize the sum-of-squares criterion:
$$J_{min} = \sum_{j=1}^{K} \sum_{s_m \in S_j} \| s_m - \mu_j \|^2 \quad (1)$$
where $s_m$ is an RSS vector representing the $m$th sample point and $\mu_j$ is the geometric centroid of the sample points for $S_j$ in signal space. Under normal conditions, the centroids should be close to each other since there is basically only one cluster. Under a spoofing attack, however, the distance between the centroids is larger, as the centroids are derived from the different RSS clusters associated with different locations in physical space. We thus choose the distance between two centroids as the test statistic T for spoofing detection,
$$D_c = \| \mu_i - \mu_j \| \quad (2)$$
with $i, j \in \{1, 2, \ldots, K\}$. Next, we will use empirical methodologies from the collected data set to determine thresholds for defining the critical region for the significance testing. To illustrate, we use the following definitions: an original node $P_{org}$ is the wireless device with the legitimate MAC address, while a spoofing node $P_{spoof}$ is the wireless device that is forging its identity and masquerading as another device. There can be multiple spoofing nodes with the same MAC address. Note that our K-means spoofing detector can handle packets from different transmission power levels. If an attacker sends packets at a different transmission power level from the original node with the same MAC address, there will be two distinct RSS clusters in signal space. Thus, the spoofing attack will be detected based on the distance between the two centroids obtained from the RSS clusters.
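The K-means test statistic described above, applied per MAC address with K = 2, as an added example that is not code from the paper. The RSS values, the four monitoring stations, the MAC addresses, the seeding rule and the 8 dB threshold are constructed for the illustration; the paper derives its threshold empirically from collected data.

```python
import math
import random

THRESHOLD_DB = 8.0   # assumed value; the page determines its threshold empirically

def dist(a, b):
    """Euclidean distance between two RSS vectors (one entry per monitor)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(points):
    return [sum(col) / len(points) for col in zip(*points)]

def kmeans2(samples, max_iter=50):
    """Lloyd's K-means with K = 2.

    Seeding (an assumption, chosen to be deterministic): the reading farthest
    from the first reading, and the reading farthest from that one.
    """
    seed_a = max(samples, key=lambda s: dist(s, samples[0]))
    seed_b = max(samples, key=lambda s: dist(s, seed_a))
    centroids = [list(seed_a), list(seed_b)]
    for _ in range(max_iter):
        clusters = [[], []]
        for s in samples:
            nearest = 0 if dist(s, centroids[0]) <= dist(s, centroids[1]) else 1
            clusters[nearest].append(s)
        # An empty cluster keeps its previous centroid.
        updated = [centroid(c) if c else centroids[j] for j, c in enumerate(clusters)]
        if updated == centroids:
            break
        centroids = updated
    return centroids, clusters

def spoofing_test(samples, threshold_db=THRESHOLD_DB):
    """Returns (D_c, flagged) for the RSS readings observed under one MAC address."""
    centroids, _ = kmeans2(samples)
    d_c = dist(centroids[0], centroids[1])
    return d_c, d_c > threshold_db

def readings(mean_rss, n, rng, jitter_db=1.5):
    """Constructed RSS readings: bounded jitter around a per-monitor mean (dBm)."""
    return [[m + rng.uniform(-jitter_db, jitter_db) for m in mean_rss] for _ in range(n)]

def build_dataset():
    """Three constructed MAC addresses observed by four monitors."""
    rng = random.Random(802)
    home = [-50.0, -62.0, -71.0, -58.0]      # original node's position
    away = [-66.0, -48.0, -60.0, -75.0]      # a second transmitter elsewhere
    low_power = [m - 10.0 for m in home]     # same position, 10 dB less transmit power
    return {
        "02:00:00:00:00:01": readings(home, 40, rng),
        "02:00:00:00:00:02": readings(home, 40, rng) + readings(away, 15, rng),
        "02:00:00:00:00:03": readings(home, 40, rng) + readings(low_power, 15, rng),
    }

def scan(dataset):
    """Run the test for every MAC address; returns {mac: (D_c, flagged)}."""
    return {mac: spoofing_test(samples) for mac, samples in dataset.items()}

if __name__ == "__main__":
    for mac, (d_c, flagged) in scan(build_dataset()).items():
        print(f"{mac}  D_c = {d_c:5.1f} dB  {'SPOOFING SUSPECTED' if flagged else 'ok'}")
```

For a single transmitter K-means still splits the one cluster in two, so D_c is never zero; the threshold has to sit above that baseline spread.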
5. RELATED WORKS
There are three potential applications for location distinction mentioned in Section 1, and this section presents the related work and existing methods used in these areas.
2. Device-Based Authentication: Manufacturing variation may make one device's transmitted signal measurably different from another [21]. If such device characteristics can be measured at an access point, they could also be measured (and recreated) by a capable eavesdropper. Link signatures cannot be eavesdropped by an eavesdropper at a different location than the RX, and cannot be arbitrarily recreated except at the identical TX location.
3. GPS-Based Authentication: In [10], signals from GPS receivers are used to form signatures unique to each location. Each node and access point must have a GPS receiver, which limits the method to outdoor and cost-insensitive applications.
In comparison to our past work [29], this paper presents a method to estimate the MI between a link and its measured link signature, which quantifies the amount of uncertainty about the link removed by measurement of a link signature. We investigate the distribution of the measured data set, and then apply the Edgeworth approximation, which does not assume a particular distributional model, to estimate the required differential entropies. This paper also compares narrowband and wideband implementations of the RSS signal print method and shows the superior performance of the wideband implementation of methods.
6. Discussion
Our results, based on our experimental data, show that measuring a link signature removes about 66 bits of uncertainty about the mean link signature. If the mean link signature for each link is known (from past measurements) and unique, then a link signature measurement removes 66 bits of uncertainty about which link was measured. These estimates are not obtained by assuming a known distribution, but rather by the Edgeworth approximation, which uses the third-order cumulants in addition to the covariance, and thus is a higher-order approximation than would be obtained by a multivariate Gaussian assumption. Finally, the two security objectives that have been focused on are a fraction of what can be accomplished at the physical layer of the protocol stack. For example, a non-repudiation service can exploit the broadcast nature of the wireless medium by introducing witnesses, making it harder for wireless entities to deny carriage of information.
7. Conclusion
We investigated using the Frequency Domain Link Signature to uniquely identify the link between a transmitter (TX) and a receiver (RX). When the TX changes location, or if an attacker at a different location assumes the identity of the TX, the proposed location distinction algorithm used to physical channel. The high reliability of Frequency Domain Link Signature location distinction enables a location distinction system to detect the change in position of a transmitter even when using a single or multiple receivers. Hence the methods are susceptible to node compromise. Good location distinction techniques have distinguished the location of spoofed nodes from the authentic nodes to prevent these attacks, increase the moment detection and reduce the false alarm rate.
REFERENCES
[1] G. Chandrasekaran, M. Ergin, M. Gruteser, R. Martin, J. Yang, and Y. Chen, "DECODE: Detecting Co-Moving Wireless Devices," Proc. Fifth IEEE Int'l Conf. Mobile Ad Hoc and Sensor Systems (MASS '08), pp. 315-320, 2008.
[2] Y. Chen, W. Trappe, and R.P. Martin, "Detecting and Localizing Wireless Spoofing Attacks," Proc. IEEE Comm. Soc. Conf. Sensor Mesh and Ad Hoc Comm. and Networks (SECON '07), pp. 193-202, 2007.
[3] T. Burchfield and S. Venkatesan, "Accelerometer-Based Human Abnormal Movement Detection in Wireless Sensor Networks," Proc. First ACM Int'l Workshop Systems and Networking Support for Healthcare and Assisted Living Environments, pp. 67-69, 2007.
[4] D.E. Denning and P.F. MacDoran, "Location-Based Authentication: Grounding Cyberspace for Better Security," Computer Fraud and Security, pp. 12-16, Feb. 1996.
[5] N. Patwari and S.K. Kasera, "Robust Location Distinction Using Temporal Link Signatures," Proc. ACM MobiCom, Sept. 2007.
[6] M.M. Van Hulle, "Edgeworth Approximation of Multivariate Differential Entropy," Neural Computation, vol. 17, no. 9, pp. 1903-1910, 2005.
[7] K. Woyach, D. Puccinelli, and M. Haenggi, "Sensorless Sensing in Wireless Networks: Implementation and Measurements," Proc. Int'l Symp. Modelling and Optimization in Mobile Ad Hoc and Wireless Networks, Apr. 2006.
[8] L. Xiao, L. Greenstein, N. Mandayam, and W. Trappe, "MIMO Assisted Channel-Based Authentication in Wireless Networks," Proc. Conf. Information Sciences and Systems (CISS '08), pp. 642-646, Mar. 2008.
[9] H. Hashemi, "The Indoor Radio Propagation Channel," Proceedings of IEE, 81(7):943-968, July 1993.
[10] T. S. Rappaport, Wireless Communications: Principles and Practice, Prentice Hall PTR, 2nd edition, Jan. 2002.
[11] K. J. Ellis and N. Serinken, "Characteristics of Radio Transmitter Fingerprints."
[12] Liang Xiao, Larry J. Greenstein, Narayan B. Mandayam, "Using the Physical Layer for Wireless Authentication in Time-Variant Channels."
[13] "Attacks on Physical-layer Identification."
[14] James F. Plusquellic, Donald M. Chiarulli, and Steven P. Levitan, "Time and Frequency Domain Transient Signal Analysis for Defect Detection in CMOS Digital ICs."
[15] "Advances in Wireless Security Using Unique Link and Device Characteristics" (July 2009 - August 2010), Sneha Kumar Kasera.
[16] "Advancing Wireless Link Signatures for Location Distinction," Junxing Zhang, Mohammad H. Firooz, Neal Patwari, Sneha K. Kasera.
[17] D.B. Faria and D.R. Cheriton, "Radio-Layer Security: Detecting Identity-Based Attacks in Wireless Networks Using Signalprints," Proc. Workshop Wireless Security (WiSe '06), pp. 43-52, Sept. 2006.
[18] Dustin Maas, Neal Patwari, Junxing Zhang, Sneha K. Kasera, and Michael A. Jensen, "Location Distinction in a MIMO Channel."
[19] "Two frequency coherence measurements on a 55 GHz mobile radio link," R. S. Cole, H. J. Thomas, and G. L. Siqueira, Electronics.
Authors Profile
V. Sathish Kumar received his B.E. degree in Computer Science and Engineering from Paavai Engineering College in the year 2008. He is currently a postgraduate student in the Computer Science and Engineering Department of Adhiyamaan College of Engineering, Hosur, Tamil Nadu. His areas of interest are Network Security, Cryptography and Mobile Computing. This paper is the work of his academic project.
M. Prabu is working as a Lecturer in the Department of Computer Science and Engineering at Adhiyamaan College of Engineering, Hosur, Tamil Nadu, India. He has published in more than 15 international/national journals and presented at 15 international/national conferences. He is presently doing his Ph.D. at Anna University, Coimbatore, India. His areas of interest are Computer Networks, Information Security and Cryptography. He is a life member of ISTE.
Dr. R. Shanmugalakshmi is working as an Assistant Professor in the Department of Computer Science and Engineering at Government College of Technology, Coimbatore, India. She has published in more than 50 international/national journals. Her research areas include Image Processing, Neural Networks, Information Security and Cryptography. She received the Vijya Ratna Award from the India International Friendship Society in 1996, the Mahila Jyothi Award from the Integrated Council for Socio-Economic Progress in 2001, and the Eminent Educationalist Award from the International Institute of Management, New Delhi, in 2008. She is a member of the Computer Society of India, ISTE and FIE.