International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 12 - Mar 2014
Detection and Localization of Multiple Spoofers in
Wireless Networks
R. Ramakrishnan#1, Vankayala Chethan Prakash*2, R.S.Raghav#3, Logesh R*4
1
2,3,,4
Associate Professor, MCA, Sri Manakula Vinayagar Engg College, Puducherry
PG Scholar, M.Tech, Networking, Sri Manakula Vinayagar Engg College, Puducherry
Abstract— Spoofing bouts are one of the imminent threats in
open cradle network where the attacks are yonder the
scrutinizing range. Spoofing bouts can be localized and grounded
upon on localization; it can be eradicated such that the spoofer is
flabbergasted in a particular network coverage region. The
preceding methodologies are based on frequency face a squall
when the amount of data ecstatic from source to destination is
not constant. The TOA fails in probing the meticulous location of
the spoofer. The novel approach of DALD (Distance based
Attack Localization and Detection) is a pawn measure to the
spoofing and a methodology to overcome the drawbacks of the
existing frequency based approaches.
Keywords— Time of Arrival, DALD, Spoofing.
I. INTRODUCTION
The traditional approach to prevent spoofing
attacks is to use cryptographic-based authentication
have introduced a secure and efficient key
management
(SEKM)
framework.
SEKM
physiques a Public Key Infrastructure (PKI) by
smearing a surreptitious partaking scheme and an
underlying multicast server group. [1] Wool
implemented a key management mechanism with
periodic key refresh and host revocation to prevent
the compromise of authentication keys. An
authentication framework for hierarchical, ad hoc
sensor networks was proposed. However, the
cryptographic authentication may not be always
applicable because of the limited resources on
wireless devices and lacking of a fixed key
management infrastructure in the wireless network.
Recently, new approaches utilizing physical
properties associated with wireless transmission to
combat attacks in wireless networks have been
proposed. Based on the fact that wireless channel
response de-correlates quite rapidly in space, a
channel-based authentication scheme was proposed
ISSN: 2231-5381
to discriminate between transmitters at different
locations, and thus to detect spoofing attacks in
wireless networks. Another approach focused on
building fingerprints of 802.11b WLAN NICs by
extracting radiometric signatures, such as frequency
magnitude, phase errors, and I/Q origin offset, to
defend against identity attacks. However, there is
additional overhead associated with wireless
channel response and radiometric signature
extraction in wireless networks. [2] Another
approach was introduced a security layer that used
forge resistant relationships based on the packet
traffic, including MAC sequence number and traffic
pattern, to detect spoofing attacks. The MAC
sequence number has also been used to perform
spoofing detection. Both the sequence number and
the traffic pattern can be manipulated by an
adversary as long as the adversary learns the traffic
pattern under normal conditions.
A. RSSI and LQI
This method was proposed to use the node’s
“spatial signature,” including Received Signal
Strength Indicator (RSSI) and Link Quality
Indicator (LQI) to authenticate messages in wireless
networks. However, none of these approaches are
capable of determining the number of attackers
when there are multiple adversaries collaborating to
use the same identity to launch malicious attacks.
Further, they do not have the ability to localize the
positions of the adversaries after attack detection.
Turning to studying localization techniques, in spite
of its several meter-level accuracy, using RSS is an
attractive approach because it can reuse the existing
wireless infrastructure and is highly correlated with
physical locations. [4] Dealing with ranging
methodology, range-based algorithms involve
http://www.ijettjournal.org
Page 594
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 12 - Mar 2014
distance estimation to landmarks using the
measurement of various physical properties such as
RSS, Time Of Arrival (TOA), Time Difference Of
Arrival (TDOA), and direction of arrival (DoA).
Whereas range-free algorithms use coarser metrics
to place bounds on candidate positions. Another
method of classification describes the strategy used
to map a node to a location. [5] Lateration
approaches use distances to landmarks, while
angulation uses the angles from landmarks. Scene
matching strategies use a function that maps
observed radio properties to locations on a preconstructed signal map or database. Further, Chen
et al. proposed to perform detection of attacks on
wireless localization and Yang et al. proposed to
use the direction of arrival and received signal
strength of the signals to localize adversary’s sensor
nodes. In this work, we choose a group of
algorithms employing RSS to perform the task of
localizing multiple attackers and evaluate their
performance in terms of localization accuracy.
B. Attack Detection Using Cluster Analysis
The above analysis provides the theoretical
support of using the RSS-based spatial correlation
inherited from wireless nodes to perform spoofing
attack detection. It also showed that the RSS
readings from a wireless node may fluctuate and
should cluster together. In particular, the RSS
readings over time from the same physical location
will belong to the same cluster points in the ndimensional signal space, while the RSS readings
from different locations over time should form
different clusters in signal space. We illustrated this
important observation, which presents RSS reading
vectors of three landmarks (i.e., n ¼ 3) from two
different physical locations. Under the spoofing
attack, the victim and the attacker are using the
same ID to transmit data packets, and the RSS
readings of that ID is the mixture readings
measured from each individual node (i.e., spoofing
node or victim node). Since under a spoofing attack,
the RSS readings from the victim node and the
spoofing attackers are mixed together, this
observation suggests that we may conduct cluster
analysis on top of RSS-based spatial correlation to
ISSN: 2231-5381
find out the distance in signal space and further
detect the presence of spoofing attackers in physical
space. We utilize the Partitioning Around Medoids
Method to perform clustering analysis in RSS. [10]
The PAM Method is a popular iterative descent
clustering algorithm. Compared to the popular Kmeans method, the PAM method is more robust in
the presence of noise and outliers. Thus, the PAM
method is more suitable in determining clusters
from RSS streams, which can be unreliable and
fluctuating over time due to random noise and
environmental bias.
C. Support Vector Machines-Based Mechanism
Provided the training data collected during
the offline training phase, we can further improve
the performance of determining the number of
spoofing attackers. In addition, given several
statistic methods available to detect the number of
attackers, such as System Evolution and SILENCE,
[7] we can combine the characteristics of these
methods to achieve a higher detection rate. In this
section, we explore using Support Vector Machines
to classify the number of the spoofing attackers.
The advantage of using SVM is that it can combine
the intermediate results (i.e., features) from
different statistic methods to build a model based
on training data to accurately predict the number of
attackers.
D. The SILENCE Mechanism
The advantage of Silhouette Plot is that it is
suitable for estimating the best partition. [6]
Whereas the System Evolution method performs
well under difficult cases such as when there exists
slightly overlapping between clusters and there are
smaller clusters near larger clusters. However, we
observed that for both Silhouette Plot and System
Evolution methods, the Hit Rate decreases as the
number of attackers increases, although the
Precision increases. This is because the clustering
algorithms cannot tell the difference between real
RSS clusters formed by attackers at different
positions and fake RSS clusters caused by outliers
and variations of the signal strength.
http://www.ijettjournal.org
Page 595
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 12 - Mar 2014
II.EXISTING SYSTEM
A. RSS based Attack Detection
The challenge in spoofing detection is to
devise strategies that use the uniqueness of spatial
information, but not using location directly as the
attackers’ positions are unknown. [4] We propose
to study RSS; a property closely correlated with
location in physical space and is readily available in
the existing wireless networks. Although affected
by random noise, environmental bias, and multipath
effects, the RSS measured at a set of landmarks (i.e.,
reference points with known locations) is closely
related to the transmitter’s physical location and is
governed by the distance to the landmarks. The
RSS readings at the same physical location are
similar, whereas the RSS readings at different
locations in physical space are distinctive. Thus, the
RSS readings present strong spatial correlation
characteristics.
two distinct RSS clusters in signal space (i.e., Dm
will be large). We varied transmission power for an
attacker from 30 mW (15 dBm) to 1 mW (0 dBm).
We found that in all cases Dm is larger than normal
conditions. [9] When the spoofing attacker used
transmission power of 10 dB to send packets,
whereas the original node used 15 dB transmission
power levels. We observed that the curve of Dm
under the different transmission power level shifts
to the right indicating larger Dm values. Thus,
spoofing attacks launched by using different
transmission power levels will be detected
effectively in GADE.
C. Attacker Number Determination
The System Evolution is a new method to
analyze cluster structures and estimate the number
of clusters. [14] The System Evolution method uses
the twin-cluster model, which are the two closest
clusters (e.g., clusters a and b) among K potential
clusters of a data set. The twin-cluster model is
The detection power of the existing used for energy calculation.
approach is by using the RSS-based spatial
correlation. There are four landmarks deployed at
the four corners of the square area. The physical D. IDOL: Integrated Detection And Localization Framework
distance between two wireless devices is 16, 20,
The traditional localization approaches are
and 25 feet, respectively. The path loss exponent _
based on averaged RSS from each node identity
is set to 2.5 and the standard deviation of
inputs to estimate the position of a node. However,
shadowing is 2 dB. The ROC curves shift to the
in wireless spoofing attacks, [6] the RSS stream of
upper left when increasing the distance between
a node identity may be mixed with RSS readings of
two devices. [11] This indicates that the farther
both the original node as well as spoofing nodes
away the two nodes are separated, the better
from different physical locations. The traditional
detection performance that our method can achieve.
method of averaging RSS readings cannot
This is because the detection performance is
differentiate RSS readings from different locations
proportional to the no centrality parameter, which is
and thus is not feasible for localizing adversaries.
represented by the distance between two wireless
nodes together with the landmarks. A larger
Different from traditional localization
standard deviation of shadowing causes the two
approaches, our integrated detection and
distributions, i.e., no central chi-square and central
localization system utilize the RSS medoids
chi-square, to get closer to one another.
returned from SILENCE as inputs to localization
algorithms to estimate the positions of adversaries.
The return positions from our system include the
B. Handling Different Transmission Power Levels
location estimate of the original node and the
If a spoofing attacker sends packets at a attackers in the physical space. Handling
different transmission power level from the original adversaries using different transmission power
node, based on our cluster analysis there will be levels. An adversary may vary the transmission
ISSN: 2231-5381
http://www.ijettjournal.org
Page 596
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 12 - Mar 2014
power levels when performing spoofing attacks so A. DALD (Distance based Attack Localization and
that the localization system cannot estimate its Detection)
location accurately.
The DALD approach is based on the
distance of each data that travels from source to
E. Algorithms
destination. For one cycle of data transmission, the
In order to evaluate the generality of IDOL distance is calculated based on the TOA and the
for localizing adversaries, we have chosen a set of sender node’s position. The frequency parameter is
representative localization algorithms ranging from excluded from the scenario. It means the node can
nearest neighbour matching in signal space operate in any frequency or 2 or more nodes can
(RADAR), to probability-based (Area-Based exist in a same frequency or in a same frequency
Probability (ABP)), and to multi-lateration region. The difference is that each node has
(Bayesian Networks (BN)), RADAR-gridded. The different physical locations despite they even share
RADAR-Gridded algorithm is a scene-matching the common frequency or exist in the same
localization algorithm extended from. [11] frequency region.
RADAR-Gridded uses an interpolated signal map,
which is built from a set of averaged RSS readings A. The DALD works as follows:
with known locations. Given an observed RSS
 Compute the sender node’s location with
reading with an unknown location, RADAR returns
respect to the co-ordinates.
the x, y of the nearest neighbour in the signal map
to the one to localize, where “nearest” is defined as
 Compute the location of the receiver (Self
the Euclidean distance of RSS points in an NKnown)
dimensional signal space, where N is the number of
landmarks.
 Calculate the distance between source and
F. Area-based probability
destination using the co-ordinate positions
of both the source and destination.
ABP also utilizes an interpolated signal map.
Further, the experimental area is divided into a
 Store the difference in distance of the
regular grid of equal-sized tiles. ABP assumes the
request packet in a localization table.
distribution of RSS for each landmark.[13]
 For every “i” in “n” cycle of data transfer,
check if the data is arriving from the same
II. PROPOSED SYSTEM
destination (based on distance).
We propose an algorithm based on the
distance by using received signal strength the
attackers can be found easily. The DALD
Algorithm will provide the location of the attackers
easily by the difference in distance or frequency
since the packet flow from source will be at some
frequency whereas the attacker will have some
other frequency so the frequency mismatch will
provide the difference between the source and the
attacker
ISSN: 2231-5381

If any of the data is occurring from a
different localization value then drop the
packet and terminate the connection.
B. IDS
An intrusion detection system (IDS)
scrutinizes all inbound and outbound network
bustle and ascertains chary patterns that may
indicate a network or system attack from someone
endeavouring to break into or conciliate a system.[3]
There are numerous techniques to catalogue IDS:
http://www.ijettjournal.org
Page 597
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 12 - Mar 2014
Misuse detection vs. anomaly detection: in misuse
detection, the IDS scrutinize the information it
wrinkles and parallels it to hefty databases of spasm
monikers. Basically, the IDS miens for a
unambiguous attack that has previously been
renowned. Like a virus detection system, misuse
detection software is merely as virtuous as the
database of attack signatures that it routines to
match packets against. In anomaly detection, the
system administrator delineates the baseline, or
normal, state of the networks traffic load,
breakdown, protocol, and typical packet size. The
anomaly detector monitors network slices to
associate their state to the customary baseline and
guise for anomalies.

IV.
EXPERIMENTAL RESULTS
Nodes changes their location often so stale routes
are generated which leads to unnecessary routing
overhead so packet filtering is used to control the
flow of packets. If a packet is sent on a local
segment of the devices if it is not acceptable by
other devices then those packets are discarded. But
our proposed algorithm provides the advancement
of preventing the attackers and their location can be
identified easily.
Network-based vs. host-based systems: in a
network-based system, or NIDS, the distinct
packets flowing through a network are
scrutinized. The NIDS can spot malevolent
packets that are premeditated to be
unheeded by firewalls simplistic filtering
procedures. [8] In a host-based system, the
IDS inspects at the bustle on each discrete
computer or host.
Fig 1 Results of DALD algorithm for routing overhead

Passive system vs. reactive system: in a
passive system, the IDS identify a potential
security breach, log the information and
gesture an alert. In a reactive system, the
IDS retort to the apprehensive activity by
logging off a user or by reprogramming the
firewall to hunk network traffic from the
alleged malevolent source.
Due to RSS based detections, the routing faces
deprecation at the intermediate nodes as each node
operate at different frequencies. From Fig 1
DALD work upon the distance and then proceed
with routing such the overhead is lessening by few
percent.
However they both transmit to network security, ID
fluctuates from a firewall in that a firewall looks out
for incursions in order to sojourn them from
happening. The firewall restricts the access amongst
networks in order to foil incursion and does not
gesture an attack from privileged network. An IDS
gauges a distrusted intrusion once it has taken place
and gestures an alarm. An IDS also watches for
bouts that instigates since within a system.
Fig 2 Delay advancement using DALD Algorithm
As the number of requests increases the servicing
time for each request increases. Thereby the overall
ISSN: 2231-5381
http://www.ijettjournal.org
Page 598
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 12 - Mar 2014
delay increases. From Fig 2 the DALD method
provides less delay when compared to RSS scheme
where the delay is based on the receiving frequency
and the data rate.
[6] A. Wool, “Lightweight Key Management for
IEEE 802.11 Wireless Lans With Key Refresh and
Host Revocation,” ACM/Springer Wireless
Networks, vol. 11, no. 6, pp. 677-686, 2005.
V.CONCLUSION
[7] Y. Sheng, K. Tan, G. Chen, D. Kotz, and A.
Campbell, 泥etecting 802.11 MAC Layer Spoofing
Attacker detection and localization using RSS faces
storm when the attacker is operating at the same Using Received Signal Strength, ・ Proc. IEEE
frequency as the host. It fails when the distance INFOCOM, Apr. 2008.
between source and destination decreases. The
location based attacker localization computes the [8] J. Yang, Y. Chen, and W. Trappe, “Detecting
Attacks
in
Mobile
Wireless
exact position of the attacker with correspondence Spoofing
Environments,”
Proc.
Ann.
IEEE
Comm.
Soc.
Conf.
to the geological positions and thus measures the
Sensor,
Mesh
and
Ad
Hoc
Comm.
and
Networks
physical distance based on the locations. Hence a
client can inspect if a packet travels from the same (SECON), 2009.
distance as the source in the following approaches.
This reduces the possibility of attack and attack [9] Y. Chen, W. Trappe, and R.P. Martin, Detecting
and Localizing Wireless Spoofing Attacks,・ Proc.
detection.
VI.REFERENCES
Ann. IEEE Comm. Soc. Conf. Sensor, Mesh and
Ad Hoc Comm. and Networks (SECON), May
2007.
[1] J. Bellardo and S. Savage, ・802.11 Denial-ofService Attacks: Real Vulnerabilities and Practical
Solutions,・ Proc. USENIX Security Symp., pp. 15- [10] M. Bohge and W. Trappe, “An Authentication
28, 2003.
Framework for Hierarchical Ad Hoc Sensor
Networks,” Proc. ACM Workshop Wireless
[2] F. Ferreri, M. Bernaschi, and L. Valcamonici, Security (WiSe), pp. 79-87, 2003.
“Access Points Vulnerabilities to Dos Attacks in
802.11 Networks,” Proc. IEEE Wireless Comm. [11] L. Xiao, L.J. Greenstein, N.B. Mandayam, and
and Networking Conf., 2004.
W. Trappe, Fingerprints in the Ether: Using the
Physical Layer for Wireless Authentication,・ Proc.
[3] D. Faria and D. Cheriton, 泥etecting Identity- IEEE Int値 Conf. Comm. (ICC), pp. 4646-4651,
Based Attacks in Wireless Networks Using June 2007.
Signalprints, ・ Proc. ACM Workshop Wireless
Security (WiSe), Sept. 2006.
[12] V. Brik, S. Banerjee, M. Gruteser, and S. Oh,
“Wireless Device Identification with Radiometric
[4] Q. Li and W. Trappe, “Relationship-Based Signatures,” Proc. 14th ACM Int’l Conf. Mobile
Detection of Spoofing-Related Anomalous Traffic Computing and Networking, pp. 116-127, 2008.
in Ad Hoc Networks,” Proc. Ann. IEEE Comm.
Soc. on IEEE and Sensor and Ad Hoc Comm. and [13] F. Guo and T. Chiueh, 鉄equence NumberNetworks (SECON), 2006.
Based MAC Address Spoof Detection, ・ Proc.
Eighth Int Conf. Recent Advances in Intrusion
[5] B. Wu, J. Wu, E. Fernandez, and S. Magliveras, Detection, pp. 309-329, 2006.
鉄ecure and Efficient Key Management in Mobile
Ad Hoc Networks,・ Proc. IEEE Int値 Parallel and [14] L. Sang and A. Arora, 鉄patial Signatures for
Distributed Processing Symp. (IPDPS), 2005.
Lightweight Security
ISSN: 2231-5381
http://www.ijettjournal.org
Page 599