An Efficient Defense Method against UDP Spoofed Flooding Traffic of Denial of Service (DoS) Attacks in VANET

Karan Verma, Halabi Hasbullah
Dept. of Computer & Information Sciences, Universiti Teknologi PETRONAS, Malaysia

Ashok Kumar
Dept. of Electronics & Communication Engg., Government Women Engineering College, Ajmer

Abstract— Vehicular Ad hoc Networks (VANET) have emerged as a subset of the Mobile Ad hoc Network (MANET) application; it is considered to be a substantial approach to the Intelligent Transportation System (ITS). VANETs were introduced to support drivers and improve safety issues and driving comfort, as a step towards constructing a safer, cleaner and more intelligent environment. At the present time, vehicles are exposed to many security threats. One of them is the User Datagram Protocol (UDP)-based flooding which is a common form of Denial of Service (DoS) attacks, in which a malicious node forges a large number of fake identities, i.e., spoofed Internet Protocol (IP) addresses, in order to disrupt the proper functions of the fair data transfer between two fast moving vehicles. Incorporating IP spoofing in the DoS attacks makes it even more difficult to defend against such attacks. In this paper, an efficient method is proposed to detect and defend against UDP flooding attacks under different IP spoofing types. The method makes use of a storage-efficient data structure and a Bloom filter based IPCHOCKREFERENCE detection method. This lightweight approach makes it relatively easy to deploy as its resource requirement is reasonably low. Simulation results consistently showed that the method is both efficient and effective in defending against UDP flooding attacks under different IP spoofing types. Specifically, the method outperformed others in achieving a higher detection rate yet with lower storage and computational costs.

Keywords— Internet Protocol (IP), Bloom Filter, Hash Function, User Datagram Protocol (UDP), Vehicular Ad hoc Network (VANET), Mobile Ad hoc Network (MANET).

978-1-4673-4529-3/12/$31.00 ©2012 IEEE

I. INTRODUCTION

Traffic congestion caused by vehicle crashes is considered to be an issue of great importance on the roads. Therefore, safety applications are the focus of most researchers working in the area of VANET systems. As a consequence, increasing the efficiency of these applications has a vital impact on their contribution to limiting the number of fatalities and providing safer, cleaner and more comfortable travelling on roads. Vehicle drivers have no ability to predict the conditions on the road ahead [1]. However, with the aid of sensors, computer equipment and wireless communication devices, as well as a combination of technologically equipped devices, it is possible to provide methods by which vehicles on the roads can foresee the speed of other vehicles and assess possible risk [2]. Through use of such methods, warning messages could be sent periodically to predict vehicle speed in order to eliminate the occurrence of accidents [3].

The unique characteristics of VANET are the high mobility and rapidly changing network topology caused by the high travelling speed of the nodes, the constrained movement pattern due to the restricted roads, limitations of bandwidth due to the absence of a central coordinator that controls and manages communications between nodes, disconnection problems owing to the frequent fragmentation of the network, and signal fading caused by objects that form obstacles between the communicating nodes. The rapid growth and increasing utility of VANET have made security issues increasingly important. Denial-of-service (DoS) attacks are one of the most serious problems, and a means of preventing such attacks must be devised as soon as possible. DoS attacks are even more difficult to fight against if IP spoofing is incorporated into such attacks. IP spoofing, or vehicle IP spoofing, refers to the technique of lying about the return address (i.e., the vehicle request address) of a message; with IP spoofing, attackers can gain unauthorized access to a vehicle or a network by making it appear that a message has come from a certain trusted vehicle by "spoofing" the IP address of that vehicle [4]. As Figure 1 shows, the technique has been used by attackers for years and is commonly used in DoS attacks launched against commercial servers. Since the attackers are mainly concerned with consuming network bandwidth and resources, they usually do not care about properly completing communications and transactions. Rather, they simply want to flood the victim vehicle with as many messages as possible within a short period of time. In order to prolong the effects of an attack, they spoof the request IP addresses to make tracing and stopping the DoS as difficult as possible [1]. In real life a router is faced with many types of flooding attacks. One algorithm may not be able to detect all the attack types [5].

There is, therefore, a need to combine detection systems that use different methods for detection in order to build a more effective detection system in VANET [5]. Spoofing techniques can be categorized into different types according to what spoofed request addresses are used in the attacking message. In random spoofing, the attacker randomly generates 32-bit numbers for use as request addresses for the attacking message [6].

Figure 1: DoS attacks on a VANET infrastructure.

Most existing defense schemes against IP spoofing focus on random spoofing. One example is to limit the chances of random IP spoofing by filtering at the routers. Implementing ingress and egress filtering at the border router is one specific realization of the approach. At the upstream interface, the ingress filter should only allow request vehicle addresses within a valid range, thus preventing spoofed traffic from reaching the VANET [7]. Unfortunately, this method does not work for subnet spoofing. Implementing encryption and authentication can also reduce the spoofing threats. In fact, both measures are already included in IPv6 to eliminate spoofing threats [5].

The three major aims of this paper are summarized below:
i) Increasing the message delivery ratio, by increasing the stability of the link route message and decreasing the generated overhead, by reducing the retransmission of messages caused by drops.
ii) Increasing the vehicle system's reliability and connectivity, by decreasing the link breakage between two communicating nodes and providing the forwarding node with up-to-date information about the circumstances of the neighbouring nodes, to be utilized in the process of selecting the next-hop node.
iii) Reducing the overhead that results from sending beacon messages between nodes by finding a new technique to organize the broadcasting of those messages in the network, which promises not to be unnecessary.

To defend against spoofed flooding traffic, especially that with subnet spoofing, a scheme is proposed that is based on a storage-efficient data structure and a Bloom filter based IPCHOCKREFERENCE detection method in VANET. The storage-efficient data structure, which is a variant of the Bloom filter (Bloom 1990), is used to generate a hash digest of the traffic. The IPCHOCKREFERENCE detection method is based on the CUSUM algorithm (Brodsky 1993), which is used in nonparametric methods [8]. CUSUM works for random and nonparametric tests and its computational requirements are quite low. After some information about the traffic is extracted and stored in the Bloom filter, CUSUM is then applied to detect abnormal changes in the digested traffic [5]. Table 1 summarizes the security and certificate revocation schemes and classifies them according to whether a scheme uses (i) High mobility, (ii) Flexibility, (iii) Dynamic, (iv) Link-ability, and (v) Traceability [9].

Table 1: Taxonomy of Security and Certificate Revocation Schemes.
Columns: High Mobility, Flexibility, Dynamic, Linkability, Traceability.
Revocation schemes: Theodore et al. (2009), Yang et al. (2011), Krishna et al. (2007), Chun et al. (2008), David et al. (2012), Amadeo et al. (2012), Hsiao et al. (2011), Isaac et al. (2012), Rongxing et al. (2012), Yi et al. (2008).
[The per-scheme marks of the table body are not recoverable from the extracted text.]

II. RELATED WORK
A. Denial of Service attacks (DoS)

A Denial of Service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service [10]. The Distributed Denial of Service attack (DDoS) is even worse than the DoS attack. A DDoS attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted vehicle.

i) Flooding Attacks. These attacks overwhelm the victim's vehicle with a huge amount of network traffic and end up saturating network links, queues and processors with workload [3]. Examples of such attacks include:

Smurf attack: This relies on misconfigured network devices that allow messages to be sent to all the vehicle hosts on a particular network via the broadcast address of the network, rather than to a specific vehicle. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP messages with the response address faked to appear to be the address of the victim's vehicle.

Ping floods: This is based on sending the victim's vehicle an overwhelming number of ping messages. It is very simple to launch, the primary requirement being access to greater bandwidth than the victim's vehicle.

UDP floods: An example of UDP floods is the "Fraggle attack". In a fraggle attack an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having fake source vehicle addresses. It is a simple rewrite of the smurf attack code.

Table 2 summarizes the DoS attack protection schemes and classifies them according to whether a scheme uses (i) Sybil attack protection, (ii) Message suspension protection, (iii) Replay attack protection, or (iv) Alteration attack protection.

Table 2: Taxonomy of DoS attack protection schemes.
Scheme | Sybil attack protection | Message suspension protection | Replay attack protection | Alteration attack protection
Gilles et al. (2007) | No | Yes | No | No
Ali et al. (2009) | No | No | No | Yes
Jyoti et al. (2010) | Yes | Yes | Yes | No
Irshad et al. (2011) | Yes | Yes | Yes | No
Nicole et al. (2012) | Yes | No | No | Yes

2013 3rd IEEE International Advance Computing Conference (IACC)

III. PRELIMINARIES
A. Data Access in VANET

There are two different approaches for vehicles to access data in VANETs. The first approach is dependent on the road side infrastructure. Each vehicle communicates indirectly with servers or other vehicles via base stations (e.g., WiMax) or via access points (WiFi/802.11a, b, g, DSRC/802.11p). The second approach is based on vehicle-to-vehicle communications, by which vehicles can communicate with their router or multi-router neighbouring vehicles, exchanging and sharing information. Many studies have shown that the first approach is expensive and not convenient due to the high cost as well as the low bandwidth of cellular communication, and also the limited access opportunity and the infrastructure deployment constraint of access point based communication. The vehicle-to-vehicle approach, however, is more flexible and cost effective in VANETs, particularly in rural or highway areas [11].

B. Hash Function with Bloom filter-based IPCHOCKREFERENCE (BFICR)

The hash function with the Bloom filter-based IPCHOCKREFERENCE (BFICR) is an important tool in the field of vehicle sensors and database checking of IP addresses due to its efficiency with regard to computational costs, and it is suitable for resource-constrained devices [4]. In addition, the security of a hash function is based on the hardness of inverting the inputs from the outputs; that is, given and , it is easy to compute . However, given only , it is hard to find satisfying .

A Bloom filter is a simple space-efficient randomized data structure for representing a set in order to support membership queries [12]. The space efficiency is achieved at the cost of a small probability of false positives. Here the Bloom filter theory is briefly introduced. A Bloom filter for representing a set of n elements is described by an array of m bits, initially all set to 0. It uses k independent hash functions with range 1 to m. Here, it is assumed that the hash functions are , i.e. the bits are perfectly random. For each element , the bits are set to 1 for . For a membership query, it is checked to see if . Then the false positive rate is:

In this paper, the focus has been on the design of independent hash functions that have a low probability of collision, using the 32-bit IP address IP as the key of the hash functions. The hash functions are defined as follows: Now the condition that makes two different keys collide in all k hash functions is discussed, i.e., for . Then we have . This condition is strict for two keys to satisfy for all hash functions. Thus it can be concluded that the false positive rate should be very low.

C. System Model

Before presenting the details of the Bloom filter-based IPCHOCKREFERENCE (BFICR), called the Master Node, a brief introduction of some background is needed about the Random Deterministic Message Marking (IP-CHOCK) [11] and the Mark-Aided Distributed Filtering (MADF) [10]. There is no discussion here as to how to gather intelligence and set router signatures in order to drop attack messages, which
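As an added illustration of the Bloom filter described above (this is example code written for this edit, not the paper's own implementation), the following Python block builds a Bloom filter keyed on the 32-bit IPv4 address, queries membership, and compares the standard false positive estimate (1 - e^(-kn/m))^k with a measured rate. The k hash functions are derived from salted SHA-256 digests, and the address lists are constructed for the demonstration; neither choice comes from the paper.

```python
"""Bloom filter over IPv4 source addresses (added example, not the paper's code).

Assumptions (not in the paper): the k hash functions are salted SHA-256 slices,
m and k are chosen freely, and the address lists in demo() are constructed.
"""
import hashlib
import ipaddress
import math
import random


def ip_to_key(ip: str) -> bytes:
    """Use the 32-bit IP address as the key of the hash functions."""
    return int(ipaddress.IPv4Address(ip)).to_bytes(4, "big")


def hash_positions(key: bytes, k: int, m: int) -> list:
    """k bit positions in [0, m), one per salted SHA-256 of the key."""
    positions = []
    for i in range(k):
        digest = hashlib.sha256(i.to_bytes(2, "big") + key).digest()
        positions.append(int.from_bytes(digest[:8], "big") % m)
    return positions


class BloomFilter:
    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray(m)   # m bits, all 0 initially (one byte per bit for clarity)
        self.n = 0                 # number of elements inserted so far

    def add(self, ip: str) -> None:
        for pos in hash_positions(ip_to_key(ip), self.k, self.m):
            self.bits[pos] = 1
        self.n += 1

    def __contains__(self, ip: str) -> bool:
        # Reported as a member only if all k bits are set; may be a false positive.
        return all(self.bits[pos] for pos in hash_positions(ip_to_key(ip), self.k, self.m))

    def false_positive_rate(self) -> float:
        """Standard estimate (1 - e^{-kn/m})^k for a filter holding n elements."""
        return (1.0 - math.exp(-self.k * self.n / self.m)) ** self.k


def measure_false_positives(bf: BloomFilter, probes: list) -> float:
    """Fraction of never-inserted addresses that the filter wrongly reports."""
    hits = sum(1 for ip in probes if ip in bf)
    return hits / len(probes)


def demo() -> dict:
    rng = random.Random(7)
    # Constructed sample: legitimate sources in 10.0.0.0/16, probes from 172.16.0.0/16
    legit = [str(ipaddress.IPv4Address(0x0A000000 + rng.randrange(1 << 16))) for _ in range(1000)]
    probes = [str(ipaddress.IPv4Address(0xAC100000 + rng.randrange(1 << 16))) for _ in range(5000)]
    bf = BloomFilter(m=8192, k=4)
    for ip in set(legit):
        bf.add(ip)
    return {
        "all_members_found": all(ip in bf for ip in legit),   # no false negatives
        "estimated_fp_rate": bf.false_positive_rate(),          # about 0.02 here
        "measured_fp_rate": measure_false_positives(bf, probes),
    }


if __name__ == "__main__":
    print(demo())
```

With m = 8192 bits and k = 4 the filter digests about a thousand addresses in one kilobyte, which is the storage property the paper relies on; raising n without raising m drives the false positive rate up according to the estimate above, so m has to be sized for the expected number of distinct sources.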
is mainly MADF's work. Instead, in this paper, the discussion is on message classification based on known IPCHOCKREFERENCE signatures. As shown in Figure 2, the MADF system has an Offline Training System (OTS) and an Online Filtering System (OFS) and is deployed between the source end (one hop behind the IP-CHOCK encoding module) and the victim's vehicle end. The IP-CHOCK encoding modules are deployed at the edge routers that are close to the vehicle attack request source end. When messages enter the VANET network, they are dynamically (IP-CHOCK) marked by the encoding modules.

Figure 2: System Model.

The real vehicle request source IP addresses of the entry points (on-board unit) are stored in the marking fields. When the messages reach the victim's vehicle response end, the vehicle request source IP addresses of the entry points can be reconstructed. Messages are tapped into both OTS and OFS. OTS is a lightweight neural network with a back-propagation algorithm [11], which consists of three parts: a data collecting part, a training part and a rule generating part. It is usually deployed close to the victim's vehicle response end, in order to obtain better training results. The trained neural networks are transferred back to OFS for testing. Once the messages are identified as attack messages, they will be filtered out by the Master Node (the Bloom filter-based IPCHOCKREFERENCE (BFICR)). In DoS vehicle message filtering problems, message classification becomes a two-category classification process on VANET. While the Bloom filter provides good space and speed efficiencies with low false positives, it also offers a fast decision making function to filter the vehicle attack messages. The OFS can be deployed at any point in the protected V2V communication network. If it is deployed close to the vehicle attack request source end, it can protect even better the rest of the network from there to the victim, because the attack traffic has been removed before it travels to the victim, without causing overall vehicle congestion in the network.

IV. IPCHOCKREFERENCE DETECTION MECHANISM

Suppose the observations of a random process (with discrete or continuous time) are received sequentially. At a certain moment (random or not, but unknown), some probabilistic property of this process changes. An observer must decide as quickly as possible whether an IP-Chock has happened or not, while keeping the false alarm rate as low as possible. Suppose that a sequence of independent random variables is observed. For each , consider the hypothesis that have the same density function and have another density function . The hypothesis of stochastic homogeneity of the sample is denoted by . Then the likelihood ratio statistic for testing the composite hypothesis against is , where . The method statistic can be written in the following recurrent form:

where for some , and is the characteristic function of the set A. The mathematical expectation of this statistic is easy to understand: the mathematical expectation of is negative before and positive after the change-point. The stopping rule for BFICR detection is:

where is the alarm threshold. There is a nonparametric version of the method statistic: and the corresponding decision rule is

where is the indicator function and is the threshold. is the decision at time r, which gives a value of 1 to indicate an attack and 0 to indicate a normal condition. In general, a parameter a is chosen as the upper bound of c, i.e., a > c. Then, is defined so that it has a negative value during normal operation. When an attack takes place, the increased rate will suddenly become large and the value will be positive.
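The nonparametric CUSUM rule described in this section, as an added worked example (written for this edit, not taken from the paper): the detector accumulates Z_n = X_n - a, clamps the sum at zero so it stays near zero while traffic is normal, and raises the decision to 1 once the accumulated statistic exceeds the threshold. The choice of the per-interval observation X_n (the number of source addresses first seen in that interval) and the sample counts are assumptions for the demonstration.

```python
"""Nonparametric CUSUM change-point detector (added example, not the paper's code).

Notation follows the paper: X_n is the per-interval observation, c its normal
mean, a > c an upper bound on c, Z_n = X_n - a, and an alarm fires when the
accumulated statistic exceeds the threshold. Using "new source addresses per
interval" as X_n is an assumption; the counts in demo() are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NonparametricCusum:
    a: float                       # upper bound on the normal mean c (a > c)
    threshold: float               # alarm threshold
    y: float = 0.0                 # accumulated statistic y_n, starts at 0
    history: List[float] = field(default_factory=list)

    def update(self, x: float) -> int:
        """Feed one observation X_n; return the decision d_n (1 = attack, 0 = normal)."""
        # y_n = max(0, y_{n-1} + Z_n) with Z_n = X_n - a: negative increments are
        # absorbed at zero during normal operation, so a sustained positive shift
        # after the change-point accumulates quickly instead of climbing from -inf.
        self.y = max(0.0, self.y + (x - self.a))
        self.history.append(self.y)
        return 1 if self.y > self.threshold else 0


def first_alarm(counts: List[float], a: float, threshold: float) -> Optional[int]:
    """Index of the first interval whose decision is 1, or None if no alarm."""
    det = NonparametricCusum(a=a, threshold=threshold)
    for i, x in enumerate(counts):
        if det.update(x) == 1:
            return i
    return None


def demo() -> dict:
    # Constructed sample: about 20 new sources per interval normally (c ~ 20);
    # from interval 30 a spoofed UDP flood brings hundreds of never-seen
    # addresses per interval.
    normal = [18, 22, 19, 21, 20, 23, 17, 20, 22, 19] * 3
    flood = [400, 550, 620, 700, 680]
    counts = normal + flood
    a = 30.0            # a > c = 20: a single noisy normal interval stays below a
    threshold = 500.0   # must be exceeded by accumulated excess, not one sample
    return {
        "alarm_interval": first_alarm(counts, a, threshold),           # 31
        "no_alarm_on_normal_traffic": first_alarm(normal, a, threshold) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The two tunables match the text: a is set above the normal mean so that ordinary fluctuation never accumulates, and the threshold controls the trade-off between detection delay and false alarms (here the alarm comes one interval after the flood begins, because the first flood interval alone does not exceed the threshold).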
V. PERFORMANCE EVALUATION

A simulation is conducted to verify the efficiency of the proposed secure IP address communication for the IVC application with NS-2.34 [4]. In order to get a proper estimate, a real world road system is considered. In the real world, vehicles move within a fixed region of E19 (Ipoh Lumut Highway) from Tronoh to Batu Gajah in a suburb of Universiti Teknologi PETRONAS (UTP). It is a two way highway and has two lanes in each direction. As shown in Figure 3, there are five exits through which vehicles may leave the highway. To have a fixed number of vehicles in the simulation, it is assumed that exiting vehicles will re-enter the highway at the nearest highway end (A or B) and immediately start to send messages. Each vehicle in the simulation can initiate queries for the data it is interested in. A simulation has been carried out to evaluate the performance of the proposed method. Each vehicle is first randomly scattered at one intersection along the paths in Figure 3. Each vehicle is driven at a randomly fluctuating speed within a range of 5 mi/h centred at the road speed limit, which ranges from 40 to 80 mi/h along different streets. In this case, an RSU is allocated every 700 m along each road, which sends messages every 400 ms; the other simulation parameters are listed in Table 4.

Figure 3: Simulation Setup (an 8km highway section of E19 in the UTP area).

The simulation results are displayed in the NAM file and the routing parameters are obtained from the trace file. To evaluate the performance of the routing protocols, some parameters have been used in the TCL file for measuring the efficiency of vehicle-to-vehicle communication. These parameters are analyzed from the NS-2.34 trace file; therefore Agent Trace ON and Route Trace ON are activated in the TCL file. The speed of the vehicles is assumed to be constant, between 5 m/sec and 25 m/sec. An IEEE working group has defined a new PHY/MAC layer amendment, 802.11p, which is designed for vehicle-to-vehicle and vehicle-to-infrastructure communication only.

Table 4: Simulation Configuration
Parameter | Default Value
Simulation Time | 100 minutes
Number of Vehicles | 80, 30
Simulation Area | 8km highway on E19
Communication Range | 400m
Data Size | 1.5 MB, 2.5MB
Data Transmission Rate | 24 Mbps
Vehicles Speed Model | Our proposed without using cluster concepts in simple highway mobility model (SHWM)
Traffic Volume | 1000 vehicle/hour/street
Node Speed | 60 km/hr
Node Density | 100 vehicles/street
Traffic Type | CBR
Visualization Tools | NAM
MAC layer | IEEE 802.11p

where ε is the detection performance in the simulation, z is the number of malicious clients detected and Z is the total number of malicious clients in the network. (5.2) where γ is the false positive ratio in the simulation, y is the number of legitimate clients detected and Y is the total number of legitimate clients in the network.

A. Impact of Detection efficiency and false positive ratio

The density of the vehicles on the road is the main factor that has a major impact on the system performance, since it is related to the total number of messages received by each vehicle. Previous studies considered the effect brought by the actual vehicle density on the road, such as vehicles per kilometre or vehicles per square kilometre, which failed to capture the varying relationship between the communication range (IP addresses) and the actual vehicle density. In the simulations, there are 30 vehicle nodes. Vehicle nodes are randomly selected as the victim. The vehicle nodes randomly select one or more vehicle nodes as destinations for establishing connections. Regardless of what spoofing type is used, it is observed that the flooding traffic can trigger one counter in each row of the table to have an abnormally large value. To classify the spoofing into one of the two types, the counter values in the table have to be monitored. Under random spoofing, the counters in one row have relatively small values which are distributed somewhat uniformly across the different counters, because the spoofed IPs are generated randomly. Subnet spoofing, in contrast, is much easier to identify, since only a few counters have nonzero values and they are heavy counters with extremely high values.
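The counter-table classification just described, as an added example (written for this edit, not the paper's code, and going slightly beyond the text by also separating the fixed-spoofing case named in the conclusion): the paper does not specify how the rows of its table are keyed, so this block assumes each row is keyed on a different prefix length of the source address (/8, /16, /24, /32) and hashed into w counters. Random spoofing then spreads every row roughly uniformly, subnet spoofing concentrates the prefix rows in one heavy counter while the /32 row stays spread, and a single forged address concentrates every row. The packet traces are constructed.

```python
"""Counter table for classifying spoofed flooding traffic by source-IP structure
(added example, not the paper's code).

Assumption (the paper does not specify the table layout): row r is keyed on the
top PREFIX_BITS[r] bits of the 32-bit source address, hashed into w counters
with a salted SHA-256. The traces produced by constructed_trace() are
constructed for the demonstration.
"""
import hashlib
import ipaddress
import random
from typing import List

PREFIX_BITS = (8, 16, 24, 32)


def prefix_key(ip: str, bits: int) -> int:
    """Top `bits` bits of the address as an integer."""
    return int(ipaddress.IPv4Address(ip)) >> (32 - bits)


def bucket(row: int, key: int, w: int) -> int:
    """Counter index for `key` in row `row`; the row number salts the hash."""
    digest = hashlib.sha256(bytes([row]) + key.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:8], "big") % w


class CounterTable:
    def __init__(self, w: int = 64):
        self.w = w
        self.rows = [[0] * w for _ in PREFIX_BITS]

    def record(self, src_ip: str) -> None:
        """Count one packet from src_ip in every row of the table."""
        for r, bits in enumerate(PREFIX_BITS):
            self.rows[r][bucket(r, prefix_key(src_ip, bits), self.w)] += 1

    def heavy_fraction(self, r: int) -> float:
        """Share of all packets that landed in the single heaviest counter of row r."""
        total = sum(self.rows[r])
        return max(self.rows[r]) / total if total else 0.0

    def classify(self, heavy: float = 0.5) -> str:
        """'fixed' if even the /32 row is dominated by one counter, 'subnet' if the
        /24 row is dominated but the /32 row is spread, otherwise 'random'."""
        if self.heavy_fraction(3) >= heavy:
            return "fixed"
        if self.heavy_fraction(2) >= heavy:
            return "subnet"
        return "random"


def classify_trace(src_ips: List[str], w: int = 64) -> str:
    table = CounterTable(w)
    for ip in src_ips:
        table.record(ip)
    return table.classify()


def constructed_trace(kind: str, n: int = 2000, seed: int = 1) -> List[str]:
    """Constructed flooding traces for the three spoofing types."""
    rng = random.Random(seed)
    if kind == "random":      # random 32-bit source addresses, as in [6]
        return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(n)]
    if kind == "subnet":      # random hosts inside one /24 (documentation range)
        return [f"192.0.2.{rng.randrange(256)}" for _ in range(n)]
    if kind == "fixed":       # one forged address repeated
        return ["198.51.100.7"] * n
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("random", "subnet", "fixed"):
        print(kind, "->", classify_trace(constructed_trace(kind)))
```

The table is fixed-length regardless of how many distinct addresses the flood uses, which is the storage property the paper asks for; the heavy-counter share in a row is the quantity a defender would watch, since a spread row under random spoofing and a single dominant counter under subnet spoofing look very different even at the same packet rate.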
Figure 4: Detection efficiency & false positive

Figure 5: Detection efficiency & false positive

Simulation results are shown in Figures 4 and 5. It can be seen that, with the increase of traffic load (i.e., the number of vehicles within the communication range), the detection efficiency does not vary a lot and is smaller than the maximum allowable message end-to-end transmission latency of 100 ms. However, the message false positive ratio increases when the traffic load is increased. It is notable that the detection ratio reaches as high as 60% when the detection load is up to 100%. However, such traffic can only be simulated when there is a severe traffic jam, according to the relationship between the communication range and the inter-vehicle distance or attacker vehicles. In this situation, it is acceptable if a large number of messages are lost, because most of the messages are repeatedly sent by the attacker vehicles. Normal traffic load happens when the traffic load is below 50, where a 35% false positive ratio is achieved.

VI. CONCLUSION

IP spoofing is a problem without any easy solution because it is inherent to the design of the VANETs on the UDP suite. Although IP spoofing is not an attack in itself, it is commonly used with real UDP-based attacks by exploiting the characteristics of UDP/IP. To defend against spoofed flooding attacks, this paper proposes an efficient method that can detect two types of spoofing: random and subnet spoofing. Based on the Bloom filter, a storage-efficient data structure is proposed which only requires a fixed-length table for recording relevant traffic information. A Bloom filter based IPCHOCKREFERENCE (BFICR) method, CUSUM, is then applied to detect abrupt changes in the traffic characteristics which correspond to the occurrence of flooding attacks. When malicious events are detected, they can further be classified into random spoofing, subnet spoofing or fixed spoofing types by analyzing a hash table for the source IP characteristics. Simulation experiments show that the proposed method yields very accurate detection and classification results yet with low computational cost.

ACKNOWLEDGMENT

This work is funded by the Universiti Teknologi PETRONAS Postgraduate Assistantship Scheme.

REFERENCES

[1] Amadeo, M., C. Campolo, and A. Molinaro, Enhancing IEEE 802.11p/WAVE to provide infotainment applications in VANETs. Ad Hoc Networks, 2012. 10(2): p. 253-269.
[2] Blum, J.J., A. Eskandarian, and L.J. Hoffman, Challenges of intervehicle ad hoc networks. IEEE Transactions on Intelligent Transportation Systems, 2004. 5(4): p. 347-351.
[3] Raymond, D.R. and S.F. Midkiff, Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses. IEEE Pervasive Computing, 2008. 7(1): p. 74-81.
[4] Sampigethaya, K., et al., AMOEBA: Robust Location Privacy Scheme for VANET. IEEE Journal on Selected Areas in Communications, 2007. 25(8): p. 1569-1589.
[5] Rongxing, L., et al., SPARK: A New VANET-Based Smart Parking Scheme for Large Parking Lots. In INFOCOM 2009, IEEE. 2009.
[6] Li, C.-T., M.-S. Hwang, and Y.-P. Chu, A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks. Computer Communications, 2008. 31(12): p. 2803-2814.
[7] Grover, J., M.S. Gaur, and V. Laxmi, A novel defense mechanism against sybil attacks in VANET. In Proceedings of the 3rd International Conference on Security of Information and Networks. 2010, ACM: Taganrog, Rostov-on-Don, Russian Federation. p. 249-255.
[8] Igure, V. and R. Williams, Taxonomies of attacks and vulnerabilities in computer systems. IEEE Communications Surveys & Tutorials, 2008. 10(1): p. 6-19.
[9] Studer, A., M. Luk, and A. Perrig, Efficient mechanisms to provide convoy member and vehicle sequence authentication in VANETs. In Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007. Third International Conference on. 2007.
[10] Willke, T.L., P. Tientrakool, and N.F. Maxemchuk, A survey of inter-vehicle communication protocols and their applications. IEEE Communications Surveys & Tutorials, 2009. 11(2): p. 3-20.
[11] van der Merwe, J., D.S. Dawoud, and R. Peplow, Vulnerability windows in vehicular communications. In Wireless Communication, Vehicular Technology, Information Theory and Aerospace & Electronic Systems Technology, 2009. Wireless VITAE 2009. 1st International Conference on. 2009.
[12] Antolino Rivas, D., et al., Security on VANETs: Privacy, misbehaving nodes, false information and secure data aggregation. Journal of Network and Computer Applications, 2011. 34(6): p. 1942-1955.