International Journal of Engineering Trends and Technology (IJETT) – Volume 7 Number 4- Jan 2014
Detect, Localize and Estimate the number of Spoofing
Attackers in Wireless Network
Deepthy Mary Mathai#1
T. K Parani*2
#
Student, M.E Communication Systems engineering, Anna University
DSCE Coimbatore, India
*Assistant professor, dept. Electronics &Communication Engineering
DSCE Coimbatore, India
Abstract— Wireless Networks collect and disseminate data from
the fields where ordinary networks are unreachable.Wireless
network system is prone to various types of attacks. Various
attacks are Eavesdropping, DoS, Spoofing, etc. Among the common
attacks, spoofing attacks has large impact on system’s security.
Conventional methods using cryptography introduces overhead
problems. Spoofing Attacks can be launched with little effort as the
wireless medium is shared. Spoofing attack affect the system
performance. Spoofing attack on mobile wireless devices may
inflict security and privacy damages on social life of Spoofing are
also called IP address Forgery. In the context of network security, a
spoofing Attack is a situation which one person or program
successfully masquerades as another by falsifying data and thereby
gaining an illegitimate advantage. In this project SILENCE
mechanism is used to find number of attackers. GADE technique is
used to find presence of attacker in wireless network. IDOL system
is to localize attackers. Simulation is performed in Network
Simulator.
Keywords--- wireless networks, Spoofing Attacks, GADE,
SILENCE, IDOL, IP address Forgery, cryptography
I.
INTRODUCTION
A wireless network uses wireless network
connection. It eliminates the costly process of laying cables
into any building like homes, telecommunication network.
Wireless network uses Radio waves to connect devices
such as laptops to the internet. Wireless medium is open.A
wireless network is a system for connecting a computer to
a network without the use of cabling. In its simplest form it
consists of a computer with a wireless card and a wireless
router [1].Wireless Network enables computers to be
connected without the use of cabling to a server, hub or
switch. Various types of attacks can affect wireless
networks.
Wireless Networks are prone to many types of attacks
and exploitation. Spoofing attacks are common types of
attacks. Spoofing Attacks can be launched with little effort
as the wireless medium is shared. Spoofing attack occurs
when a malicious party impersonates another device or
user on a network in order to launch attacks against
ISSN: 2231-5381
network hosts, steal data, spread malware, or bypass access
controls.
Many conventional techniques were used to prevent
spoofing attack. Conventional methods were used also to
determine which node is being affected. Main disadvantage
of conventional method is overhead requirement & it
doesn’t have ability to localize the positions of the
adversaries after attack detection. Spatial information is a
physical property associated with each node. This spatial
information is used for:
1) Determining spoofing attack
2) Determining number of attackers
3) Localize Multiple Adversaries
Various spoofing attack detection methods are
used.Existing methods for detecting spoofing attacks
involves cryptographic schemes. Application of
cryptographic schemes requires reliable key distribution,
management, and maintenance mechanisms. Cryptographic
methods cannot be applied because of it’s infrastructural,
computational, and management overhead. Cryptographic
methods are susceptible to node compromise, which is a
serious concern as most wireless nodes are easily accessible,
allowing their memory to be easily scanned. Spatial
correlation is used to detect spoofing attacks and it will not
require any additional cost or modification to the wireless
devices themselves [12].
II.
METHOD USED
Three main methods are used:
1) GADE
2) SILENCE
3) IDOL
GADE is a generalized attack detection model. GADE can
both detect spoofing attacks using cluster analysis methods
grounded on RSS-based spatial correlations among normal
devices and adversaries. In this method it is possible to use
http://www.ijettjournal.org
Page 173
International Journal of Engineering Trends and Technology (IJETT) – Volume 7 Number 4- Jan 2014
the uniqueness of spatial information, but cannot use
location directly as the attackers’ positions are unknown.
Received signal strength (RSS) is a property closely
correlated with location in physical space and is readily
available in the existing wireless networks. This property is
not based on cryptography. RSS is used as the basis for
detecting spoofing attack. Although affected by random
noise, environmental bias, and multipath effects, the RSS
measured at a set of landmarks (i.e., reference points with
known locations) is closely related to the transmitter’s
physical location and is governed by the distance to the
landmarks.
The RSS readings at the same physical location are
similar, whereas the RSS readings at different locations in
physical space are distinctive. Thus, the RSS readings
present strong spatial correlation characteristics. RSS value
vector is defined as s= {s1,s2,....sn }where n is the number
of landmarks/access points that are monitoring the RSS of
the wireless nodes and know their locations. Generally, the
RSS at the ith landmark from wireless node is log normally
distributed,
si(dj) [dBm] =p(d0 )[dBm] – 10γlog(di/dj) + Xi
Where p(d0 )represents the transmitting power of the node
at the reference distance,
d0,djis the distance between the wireless node j and the ith
landmark.
Xi is the shadow fading which follows zero mean Gaussian
distribution.
ROC curves shift to the upper left when
increasing the distance between two devices. This indicates
that the farther away the two nodes are separated, the better
detection performance that this method can achieve. This is
because the detection performance is proportional to the
non centrality parameterλ,which is represented by the
distance between two wireless nodes together with the
landmarks.
Detection performance of the approach is investigated
under RSS variations. The distance is fixed between two
wireless devices as 25 feet. The obtained ROC curves
when the standard deviation of shadowing is set to 2, 3,
and 4 dB, respectively. Better detection performance is
obtained with lower standard deviation of shadowing. A
larger standard deviation of shadowing causes the two
distributions, i.e., non-central chi-square and central chisquare, to get closer to one another. The smaller standard
deviation of shadowing results in a better detection
performance.
SILENCE testing is SILhouette Plot and System EvolutioN
with of cluster, which evaluates the minimum distance
between clusters on top of the pure cluster analysis to
improve the accuracy of determining the number of
attackers. The number of attackers K in SILENCE is thus
determined by
K= Ksp if Ksp= Ksec
K= Ksp if min ( Dm) Ksp> min (Dm)Ksec
K= Ksec if min ( Dm)Ksp< min (Dm)Ksec.
ISSN: 2231-5381
K is the observed value of Dm between two clusters.
SILENCE takes the advantage of both Silhouette Plot
and System Evolution and further makes the judgment
by checking the minimum distance between the
returned clusters to make sure the clusters are
produced by attackers instead of RSS variations and
outliers. Hence, when applying SILENCE to the case
SILENCE returns K = 3 as the number of attackers,
which is the true positive in this example.
Inaccurate estimation of the number of attackers will
cause failure in localizing the multiple adversaries. It’s
not known that how many adversaries will use the
same node identity to launch attacks, determining the
number of attackers becomes a multiclass detection
problem and is similar to determining how many
clusters exist in the RSS readings. If C is the set of all
classes, i.e., all possible combination of number of
attackers. For instance, C={ 1,2,3,4}. For a class of
specific number of attackers ci, e.g., ci= 3, Pi as the
positive class of ci and all other classes (i.e., all other
number of attackers) as negative class Ni,
Pi=ci
IDOL: Integrated Detection and Localization
Framework is used localize multiple adversaries. The
experimental results are presented to evaluate the
effectiveness of our approach, especially when
attackers using different transmission power levels.
The traditional localization approaches are based on
averaged RSS from each node identity inputs to
estimate the position of a node.
In wireless spoofing attacks, the RSS stream of
a node identity may be mixed with RSS readings of
both the original node as well as spoofing nodes from
different physical locations [3]. The traditional method
of averaging RSS readings cannot differentiate RSS
readings from different locations and thus is not
feasible for localizing adversaries. Different from
traditional localization approaches,
integrated
detection and localization system utilizes the RSS
medoids returned from SILENCE as inputs to
localization algorithms to estimate the positions of
adversaries. The return positions from our system
include the location estimate of the original node and
the attackers in the physical space.
RADAR-gridded algorithm is used. The RADARGridded algorithm is a scene-matching localization
algorithm. RADAR-Gridded uses an interpolated
signal map, which is built from a set of averaged RSS
readings with known (x,y) locations. Given an
observed RSS reading with an unknown location,
RADAR returns the x, y of the nearest neighbour in
the signal map to the one to localize, where “nearest”
is defined as the euclidean distance of RSS points in
an N-dimensional signal space, where N is the number
of landmarks[3].
http://www.ijettjournal.org
Page 174
International Journal of Engineering Trends and Technology (IJETT) – Volume 7 Number 4- Jan 2014
III.
RESULTS
After simulation results can be shown in network animator
window.
Figure 3 : Graph shows that number of attackers increases with
time.
In any network number of attackers increases with time and it
will be difficult to prevent the attack. The Precision of the case
of three attackers is lower than the cases of two and four
attackers. This is because the cases of two attackers and four
attackers are likely to be mistakenly determined as the case of
three attackers.
Figure 1 : Network Animator window showing different
Nodes.
Figure 4: Comparison of Localization Errors using Medoids
from Cluster Analysis and using Averaged RSS
Figure 2 : Network Animator window showing malacious
node
ISSN: 2231-5381
Conduct cluster analysis on top of RSS-based spatial
correlation to find out the distance in signal space and further
detect the presence of spoofing attackers in physical space.
Under normal conditions, the test statistic Dm should be small
since there is basically only one cluster from a single physical
location. However, under a spoofing attack, there is more than
one node at different physical locations claiming the same
node identity. As a result, more than one cluster will be formed
in the signal space and Dm will be large as the medoids are
http://www.ijettjournal.org
Page 175
International Journal of Engineering Trends and Technology (IJETT) – Volume 7 Number 4- Jan 2014
derived from the different RSS clusters associated with
different locations in physical space [1].
operation throughout the completion of the paper. I deeply
express my gratitude to all the ECE department staffs for
their valuable advice and co-operation.
REFERENCES
Figure 5: Dm for the 802.11 network when the spoofing
attacker used transmission power of 10dB to send packets
If a spoofing attacker sends packets at a different
transmission power level from the original node, based on
cluster analysis there will be two distinct RSS clusters in
signal space (i.e., Dm will be large).Transmission power for
an attacker is varied from 30 mW (15 dBm) to 1 mW (0
dBm). It is found that in all cases Dm is larger than normal
conditions. Figure presents an example of the Cumulative
Distribution Function of the Dm for the 802.11 network
when the spoofing attacker used transmission power of
10dB to send packets,. Whereas the original node used 15
dB transmission power level. From the curve of D m under
the different transmission power level shifts to the right
indicating larger Dm values.
IV.
CONCLUSION
Received signal strength based spatial correlation is used to
detect attack. It is a physical property associated with each
wireless device that is hard to falsify and not reliant on
cryptography as the basis for detecting spoofing attacks in
wireless networks.
Theoretical analysis is provided of using the spatial correlation
of RSS inherited from wireless nodes or attack detection. The
test statistics based on the cluster analysis of RSS readings.
This approach can detect the presence of attacks as well as
determine the number of adversaries, spoofing the same node
identity, so that it is possible to localize any number of
attackers and eliminate them.
[1]Chandrasekaran.G,Francisco.J,Ganapathy.
V,Gruteser.M,
Trappe.W(2009),‘Detecting Identity Spoofs in IEEE 802.11e
Wireless Network’
IEEE GLOBECOM.
[2] Chen.Y, Trappe.W, and Martin.R.P, (2007), “Attack Detection
in Wireless Localization,” Proc.IEEE INFOCOM, Apr.
2007.(SECON)
[3]Chen.Y, Trappe.W, and Martin. R.P, ‘Detecting and Localizing
Wireless Spoofing Attacks,’Proc. Ann.IEEE Comm. Soc.Conf.
Sensor,(2006)Mesh and Network..
[4] Faria.D and Cheriton.D,(2006), ‘ Detecting Identity-Based
Attacks in Networks Using Signa lprints’ Proc.ACM Workshop
Wireless Security
[5]Ferreri.F, Bernasch.M, and Valcamonic.L,(2004), ‘Access Points
Vulnerabilities to Dos Attacks in 802.11 Networks ,’Proc .IEEE
Wireless Comm. and Networking Conf.
[6]Li.Q and Trapp.W, (2006), ‘Relationship-Based Detection of
Spoofing-Related Anomalous Traffic in Ad Hoc Networks,’Proc.
Ann. IEEE Comm. Soc. on IEEE Conf.
[7]
Li.Q and Trappe.W, (2007),‘ Detecting Spoofing and
Anomalous Traffic in Wireless Network via Forge Resistant
Relationships ’IEEE transactionson information and security, Vol.
2.
[8] Madigan.D, Elnahrawy.E , R. Martin, Ju.W, Krishnan.P, and
Krishnakumar (2005), ‘Bayesian Indoor Positioning Systems’, Proc.
IEEE INFOCOM, pp.324-331.
[9]
Sheng.Y, Tanand .K ,Campbell.A,(2008), ‘Detecting
802.11MAC
Layer Spoofing Using Received
Signal
Strength’,Proc. IEEE Infocom.
[10] Wang.K ,(2007), ‘Estimating the Number of Clusters via
System Evolution
forCluster Analysis of Gene Expression Data’, Technical Report
NO. 2007-258,Computer Science Dept., Xidian Univ., P.R. China.
[11] Xiao.L, Greenstein L.J, Mandayam N.B, and W. Trappe,
(2007), ‘Fingerprints in the Ether: Using the Physical Layer for
Wireless Authentication,’ Proc. IEEE Int
Conf.Comm. (ICC), pp. 4646-4651.
[12] Yang.J, Chen.Y, and Trappe.W, (2009), ‘Detecting Spoofing
Attacks in Mobile Wireless Environments,’ Proc. Ann. IEEE
Comm. Soc. Conf. Sensor, Mes and Ad Hoc Comm. and Networks
(SECON).
[13] Yang.z,Ekici.E, and Xuan.D,(2007), ‘A Localization-Based
Anti-Sensor Network System’, Proc. IEEE INFOCOM, pp. 23962400.
[14] Z. Yang, E. Ekici, and D. Xuan, (2007), ‘A Localization-Based
Anti-Senso Network System’, Proc. IEEE INFOCOM, pp. 23962400.
[15] Zhou.G , He.T, Krishnamurthy.S , and Stankovic.J.A (2006) ,
‘Modelsand Solutions for Radio Irregularity in Wireless Sensor
Networks’, ACM Trans. Sensor Networks, Vol. 2, pp. 221-262.
ACKNOWLEDGMENT
I,DEEPTHY MARY MATHAI, student of M.E
COMMUNICATION SYSTEMS, Dept. of ECE,
Dhanalakshmi Srinivasan College of Engineering,
Coimbatore. I would like to thank Asst. Prof.
Ms.T.K..PARANI for her encouragement and constant co-
ISSN: 2231-5381
http://www.ijettjournal.org
Page 176