30-05-2013, 04:37 PM
Stealthy Attacks in Wireless Ad Hoc Networks: Detection and Countermeasure
Abstract
Stealthy packet dropping is a suite of four attacks—misrouting, power control, identity delegation, and colluding
collision—that can be easily launched against multihop wireless ad hoc networks. Stealthy packet dropping disrupts the packet from
reaching the destination through malicious behavior at an intermediate node. However, the malicious node gives the impression to its
neighbors that it performs the legitimate forwarding action. Moreover, a legitimate node comes under suspicion. A popular method for
detecting attacks in wireless networks is behavior-based detection performed by normal network nodes through overhearing the
communication in their neighborhood. This leverages the open broadcast nature of wireless communication. An instantiation of this
technology is local monitoring. We show that local monitoring, and the wider class of overhearing-based detection, cannot detect
stealthy packet dropping attacks. Additionally, it mistakenly detects and isolates a legitimate node. We present a protocol called SADEC
that can detect and isolate stealthy packet dropping attack efficiently. SADEC presents two techniques that can be overlaid on baseline
local monitoring: having the neighbors maintain additional information about the routing path, and adding some checking responsibility
to each neighbor. Additionally, SADEC provides an innovative mechanism to better utilize local monitoring by considerably increasing the
number of nodes in a neighborhood that can do monitoring. We show through analysis and simulation experiments that baseline local
monitoring fails to efficiently mitigate most of the presented attacks while SADEC successfully mitigates them.
INTRODUCTION
WIRELESS Ad hoc and Sensor Networks (WASN) are
becoming an important platform in several domains,
including military warfare and command and control of
civilian critical infrastructure [33], [34]. They are especially
attractive in scenarios where it is infeasible or expensive to
deploy significant networking infrastructure. Examples in
the military domain include monitoring of friendly and
enemy forces, equipment and ammunition monitoring,
targeting, and nuclear, biological, and chemical attack
detection [33], [34]. Consider a military network scenario
where more powerful and less energy-constrained ad hoc
nodes may be carried by soldiers or in vehicles, while a
large number of low cost and low-energy sensor nodes with
limited energy resources may be distributed over the
battlefield. This network setup can guide a troop of soldiers
to move through the battlefield by detecting and locating
enemy tanks and troops. The soldiers can use information
collected by the sensor nodes to strategically position to
minimize any possible casualty. Examples in the civilian
domain include habitat monitoring, animal tracking, forest-fire
detection, disaster relief and rescue, oil industry
management, and traffic control and monitoring [33], [35].
RELATED WORK
In the last few years, researchers have been actively
exploring many mechanisms to ensure the security of
control and data traffic in wireless networks. These
mechanisms can be broadly categorized into the following
classes—authentication and integrity services, protocols
that rely on path diversity, protocols that use specialized
hardware, protocols that require explicit acknowledgments
or use statistical methods, and protocols that overhear
neighbor communication.
The path diversity techniques increase route robustness
by first discovering multipath routes [9], [13] and then using
these paths to provide redundancy in the data transmission
between a source and a destination. The data are encoded
and divided into multiple shares sent to the destination via
different routes. The method is effective in well-connected
networks, but does not provide enough path diversity in
sparse networks. Moreover, many of these schemes are
expensive for resource-constrained networks due to the
data redundancy. Additionally, these protocols could be
vulnerable to route discovery attacks, such as the Sybil
attack, that prevent the discovery of nonadversarial paths.
Examples of protection mechanisms that require specialized
hardware include [5] and [11]. The authors in [5]
introduce a scheme called packet leashes that uses either tight
time synchronization or location awareness through GPS
hardware. The work in [11] relies on hardware threshold
signature implementations to prevent one node from
propagating errors or attacks in the whole network.
FOUNDATIONS
Attack Model and System Assumptions
Attack Model
An attacker can control an external node or an internal
node, which, since it possesses the keys, can be authenticated
by other nodes in the network. An insider node may
be created, for example, by compromising a legitimate
node. A malicious node can perform packet dropping by
itself or by colluding with other nodes. The collusion may
happen through out-of-band channels (e.g., a wireline
channel). However, we do not consider the denial of service
attacks through physical-layer jamming [22], or through
identity spoofing and Sybil attacks [10]. There exist several
approaches to mitigate these attacks—[22] for jamming and
[10] for the Sybil attack. A malicious node can be more
powerful than a legitimate node and can have high-powered
controllable transmission capability but is limited
to omnidirectional antennas. The attacks do not affect only
a specific routing protocol; rather, they apply to a wide class
where an intermediate node determines the next-hop node
toward the final destination. This includes routing protocols
specific to WSNs such as the beacon routing protocol.
Drop through Power Control
In this type of attack, a malicious node relays the packet by
carefully reducing its transmission power, thereby reducing
the range and excluding the legitimate next-hop node. This
kind of transmission power control is available in today’s
commercial wireless nodes, such as the Crossbow Mica
family of nodes.
Consider the scenario shown in Fig. 3. A node S sends a
packet to a malicious node M to be relayed to node T. Node
M drops the packet by sending it over a range that does not
reach T (the dotted circle centered at M). Fig. 3a shows the
guards of M that are satisfied by the controlled transmission
of M (region II) and the set of guards that detect M (region I)
as dropping the packet since they did not overhear M.
Fig. 3b shows all the guards of M over S → M. Fig. 3d
shows the set of guards of T over M → T that wrongly
accuse T of dropping the packet. The farther T is from M,
the better it is for the attacker since more guards can be
satisfied and therefore, the stealthier the attack.
Drop through Identity Delegation
In this form of the attack, the attacker uses two malicious
nodes to drop the packet. One node is spatially close to the
sender. The other node is the next hop from the sender. The
first malicious node could be an external or an internally
compromised node while the latter has to be an internally
compromised node. Consider the scenario shown in Fig. 5:
node S sends a packet to a malicious next-hop node M2 to
be relayed to node T. The attacker delegates the identity
and the credentials of the compromised node M2 to a
colluding node M1 close to S. After S sends the packet to
M2, M1 uses the delegated identity of M2 and transmits the
packet. The intended next hop T does not hear the message
since T ∉ R(M1). The guards of M2 over S → M2 are the
nodes in the shaded areas I and II and they are all satisfied
since they are in R(M1). Again, the consequences of this
attack are twofold: 1) the packet has been successfully
dropped without detection, and 2) the set of nodes in the
shaded area II overhear a packet transmission (purportedly)
from M2 to T. These nodes are included in G(M2, T) and
will subsequently accuse T of dropping the packet.
Mitigating Other Stealthy Drop Attacks
The key observation behind the other types of the stealthy
packet dropping attack is that the attack defeats local
monitoring-based detection by reducing the number of
guards that overhear a packet to zero or to a number that is
less than the confidence index . In the power control attack
shown in Fig. 3a, the attacker narrows the guards that can
detect the packet drop into the lightly shaded area (region I in
Fig. 3a) while the majority of the guards (region II in Fig. 3a)
are satisfied. In the colluding collision attack (Fig. 4) and
identity delegation attack (Fig. 5), the attacker completely
evades detection by satisfying all the guards (the nodes in
region I of Figs. 4 and 5).
The countermeasure we propose against these attacks is
based on the observation that an adversary evades
detection by allowing only a subset of guards to overhear
the message being forwarded. Therefore, we expand the set
of nodes that can guard a node from only the common
neighbors of the node being monitored and its previous-hop
node to include all the neighbors of the node being
monitored. Since the number of guards involved in
monitoring a node (all the node’s neighbors) increases,
the probability of detecting the stealthy packet drop
increases. SADEC’s detection technique makes use of the
fact that, under the stealthy packet dropping attacks,
neighbors have differing views of a node in terms of the
volume of traffic it has forwarded and all the neighbors
cannot be convinced by a single broadcast.
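The guard-set argument above can be checked on a small geometric model. The following is an added example, not code from the paper or from SADEC: it assumes unit-disk radio propagation, a constructed topology, a constructed confidence index, and that any monitoring node which fails to overhear the expected relay counts toward detection (how neighbors learn what M should have forwarded is outside this model).

```python
import math

R = 10.0     # nominal radio range (constructed value)
GAMMA = 3    # confidence index: guards that must agree (constructed value)

# Constructed topology: the route is S -> M -> T, the rest are bystanders.
NODES = {
    "S": (0, 0), "M": (8, 0), "T": (17, 0),
    "a": (4, 3), "b": (5, -4), "c": (7, 5),      # hear both S and M
    "d": (12, 6), "e": (13, -5),                 # hear M and T, close to M
    "f": (15, 3), "g": (16, -2),                 # hear M and T, close to T
}

def dist(u, v):
    (x1, y1), (x2, y2) = NODES[u], NODES[v]
    return math.hypot(x1 - x2, y1 - y2)

def in_range(center, r):
    """Nodes that hear a transmission sent by `center` with range r."""
    return {n for n in NODES if n != center and dist(center, n) <= r}

def guards(prev_hop, node):
    """G(prev_hop, node): baseline guards of `node` over prev_hop -> node,
    i.e. the previous hop plus the common neighbors of both ends."""
    return (in_range(prev_hop, R) & in_range(node, R)) | {prev_hop}

def analyse(tx_range):
    """Views of M's relay of one packet when M transmits with `tx_range`."""
    heard = in_range("M", tx_range)           # nodes that overhear the relay
    baseline = guards("S", "M")               # baseline local monitoring
    expanded = in_range("M", R)               # all neighbors of M
    # Guards of T that overheard M expect T to forward a packet it never got.
    accusers = set() if "T" in heard else guards("M", "T") & heard
    return {
        "T_received": "T" in heard,
        "baseline_detect": sorted(baseline - heard),
        "expanded_detect": sorted(expanded - heard),
        "accuse_T": sorted(accusers),
    }

def flagged(detecting_nodes):
    """M is flagged only if at least GAMMA monitoring nodes missed the relay."""
    return len(detecting_nodes) >= GAMMA

if __name__ == "__main__":
    for label, rng in (("normal relay", R), ("reduced power", 7.5)):
        view = analyse(rng)
        print(label, view,
              "baseline flags M:", flagged(view["baseline_detect"]),
              "expanded flags M:", flagged(view["expanded_detect"]))
```

With the reduced range only S among the baseline guards misses the relay, which is below the confidence index, while four of M's neighbors miss it once every neighbor monitors; the two guards of T that did overhear M are the ones that would wrongly accuse T.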
CONCLUSION
We have introduced a new class of attacks called stealthy
packet dropping which disrupts a packet from reaching the
destination by malicious behavior at an intermediate node.
This can be achieved through misrouting, controlling
transmission power, malicious jamming at an opportune
time, or identity sharing among malicious nodes. However,
the malicious behavior cannot be detected by any behavior-based
detection scheme presented to date. Specifically, we
showed that BLM-based detection cannot detect these
attacks. Additionally, it will cause a legitimate node to be
accused. We then presented a protocol called SADEC that
successfully mitigates all the presented attacks. SADEC
builds on local monitoring and requires nodes to maintain
additional routing path information and adds some checking
responsibility to each neighbor.