IP-CHOCK (filter)-Based Detection Scheme for Denial of Service (DoS) attacks in VANET
Karan Verma, Halabi Hasbullah
Dept. of Computer & Information Sciences, Universiti Teknologi PETRONAS, Malaysia
Bandar Seri Iskandar, 31750, Tronoh, Perak
Abstract—The vehicular ad-hoc network (VANET) has drawn increasing attention in recent years due to its wide range of applications. At present, a vehicle's communication is exposed to many security threats such as Denial of Service (DoS) attacks, in which a malicious node forges a large number of fake identities; Internet Protocol (IP) address spoofing is initiated to disrupt the proper functioning of fair data transfer between two fast-moving vehicles. In this paper, a Bloom-filter-based detection method, which preserves the availability of a service for the legitimate vehicles in the VANET, is used to detect and defend against the IP address spoofing of DoS attacks. The IP address spoofing in DoS attacks committed by fraudulent and malicious nodes has been investigated. This method provides secure communication and also frees bandwidth. The proposed approach requires fewer resources and is easy to deploy. Simulation results have shown that this method is efficient and effective in detecting and defending against DoS attacks. Specifically, it provides a faster detection time, lower storage capacity and lower computational cost.
Keywords: Internet Protocol (IP), Bloom-Filter (BF), Hash Function, User Datagram Protocol (UDP), MANET

I. INTRODUCTION

The mass production of internet-enabled personal mobile phones and the unprecedented growth in the number of internet service providers (ISPs) have made internet access commonly available to everyone. This can enhance a criminal's ability to perform unlawful or unethical activities, including attacks on vehicles and other personal mobile applications. The most common DoS attacks are the UDP SYN flood attack and the IP address spoofing attack [1, 3, and 10]. Vehicle drivers have no ability to predict the conditions ahead on the road, such as the speed of the other vehicles, traffic congestion and other possible risks. Therefore, vehicles crash on the roads due to traffic congestion and other possible risks [4, 7, 10 and 11]. This is an important issue. These crashes can be reduced with the aid of sensors, computer equipment, wireless communication devices and other technological equipment on the vehicles. By using this equipment, vehicle drivers can foresee the speed of the other vehicles, traffic congestion and other possible risks. So, researchers working in the area of VANET systems can provide safe, clean and comfortable travelling on the roads, secure communication between fast-moving vehicles and a lower number of fatalities [2, 3, 8, and 11]. The unique characteristics of VANET systems are high mobility, a rapidly changing network topology caused by the high travelling speed of the nodes, the constrained movement pattern due to the restricted roads, bandwidth limitations due to the absence of a central coordinator that controls the nodes, disconnection problems owing to frequent fragmentation of the network, and signal fading caused by obstacles between the communicating nodes [4, 6, 8, and 9].
978-1-4799-0059-6/13/$31.00 ©2014 IEEE
Figure 1: DoS attacks on a VANET infrastructure
An attempt to make a mobile resource or a service unavailable to its intended users is called a Denial of Service (DoS) attack [5, 7, and 10]. Firstly, the attacker gains control of a large number of vulnerable hosts on the internet by compromising them, as shown in Figure 1. The attacker can then use these hosts to send a huge number of packets to the victim vehicles simultaneously. During DoS attacks, massive amounts of traffic arrive at the target, which is either the vehicle's network service or the vehicles themselves. The victim's services are disrupted by the huge amount of traffic. The computational overhead is increased by the lack of infrastructure and by the difficulty of providing comprehensive coverage for all roads, given the high cost of installation. This research concentrates on the V2V communication type rather than the V2I communication type [1, 2, 5, and 7]. A Bloom-filter-based detection method which can detect and defend against IP address spoofing in DoS attacks on a VANET system is presented in this paper. It focuses on increasing the system's connectivity and reliability, on reducing bandwidth consumption and the packet detection time in a sparse environment, leading towards an efficient mechanism, and on strengthening the VANET safety infrastructure [4, 9, 10, and 11]. The remainder of this paper is organised as follows: Section II reviews related work, Section III describes the filtering detection mechanism, Section IV presents the performance evaluation and Section V concludes the paper.

II. RELATED WORK
This section explains the Bloom-filter and traffic-capacity-based DoS detection schemes and compares the different DoS detection schemes in the related work [1, 5, and 9].

A. Bloom-filter-based DoS detection scheme

In recent years, the EU, the USA and Japan have concentrated on inter-vehicle communication (IVC), owing to its ability to widen the driver's view, which leads to enhanced safety, addresses security issues relating to road traffic and increases the efficiency of vehicle systems [7, 8, and 10]. In this type of communication, vehicles are managed in a decentralised manner, which allows vehicles to initiate direct communication with other vehicles without traffic congestion or any support from infrastructure [2, 6, 8, and 9]. The Bloom-filter-based DoS detection scheme is a class that combines reactive and proactive approaches: the proactive approach is used to maintain the new IP addresses (nodes) and the reactive approach is used to determine all of the connected vehicles (nodes) [5, 7, and 10]. In this type of detection scheme, network scalability is increased by forming a near zone of the closer vehicles, which reduces bandwidth use, collisions and computational overhead. The Bloom-filter is a compact and space-efficient probabilistic data structure for high-speed online membership checks against large data sets. It consists of an array of $m$ bits, initialised to zero. Each member of a data set is mapped to $k$ bits that are randomly selected from the array through $k$ hash functions $h_1, \dots, h_k$, whose range is $\{0, \dots, m-1\}$ [21, 5, and 8]. The false positive ratio $f$ is the probability of mistakenly treating a non-member as a member. After $n$ members have been inserted, the probability that a particular bit is still zero is

$$p = \left(1 - \frac{1}{m}\right)^{kn} \qquad (1)$$

where $n$ is the number of members in the data set. The false positive ratio decreases as $m$ increases. For large $m$,

$$p \approx e^{-kn/m} \qquad (2)$$

hence, the probability of a false positive (the probability that all $k$ bits have been previously set) is given by

$$f = \left(1 - \left(1 - \frac{1}{m}\right)^{kn}\right)^{k} \approx \left(1 - e^{-kn/m}\right)^{k} \qquad (3)$$
Equation (3) is minimised for $k = (m/n)\ln 2 \approx 0.7\,m/n$ hash functions, for which $f \approx 0.6185^{m/n}$ [2, 3, and 7].

B. Traffic-capacity-based DoS detection scheme

Most of the detection schemes developed for VANET assume that a high number of traffic nodes are available in the network and that these nodes act as intermediate nodes [9, and 10]. The traffic-capacity-based DoS detection scheme is the process of accurately identifying which of the flows aimed at the victim are attack flows and which are legitimate. Raya et al. [9] extended the traffic capacity model to the detection and prevention of IP-spoofed DoS attacks by using the packet detection mechanism: when a packet reaches the destination it carries the marks of all of the RSUs on the path it traversed, so packets that traverse the same path contain the same mark. Based on this information, the Bloom filter filters out the packets, learns signatures from the dropped packets and identifies the list of upstream hosts at which to rate-limit the traffic before it reaches the victim [3, 5, 9, and 11]. Table I shows the similarities and differences among the detection schemes of different researchers, which support the development of DoS attack detection schemes: (i) traffic analysis attack detection, (ii) position attack detection, (iii) misbehaving and faulty node detection, (iv) DoS attack detection [9, and 10].

TABLE I. MISBEHAVIOUR DETECTION SCHEMES
Columns: Related Work; Traffic analysis attack detection; Position attack detection; Misbehaving and faulty node detection; DoS attack detection.
Rows: K. Bicakci et al. (2008); X. Hu et al. (2012); M. Raya et al. (2006); K. Ren et al. (2006); M. E. Mathew et al. (2013); B. Mishra et al. (2011). (The cell marks (X) of the original table are not recoverable from the extracted text.)

III. IP-CHOCK (FILTERING) DETECTION ALGORITHM
Due to the high mobility and unreliable nature of the VANET system, detection of DoS attacks is more difficult. The IP-chock detection scheme depends on storing and checking abnormal traffic. It relies on the process of forwarding incoming traffic from the moving source to the moving destination while deciding on the mobility of the vehicles, which is restricted by the traffic pattern and road layout. The IP-Chock DoS attack detection module perceives abnormal traffic by using IP-chock algorithms. Assume that many vehicles are travelling on a highway and that each vehicle maintains its speed within a fixed range; the process then comprises the three main phases shown in Figure 2: the Detection Engine phase 1, the Detection Engine phase 2 and the Bloom Filter phase. The first stage senses changes through the sensors mounted on the vehicle. In the second stage, the sensor values are processed to decide whether they indicate a possible effect on the network. Once the decision has been taken, the third stage detects DoS attacks in the infrastructure.

Figure 2: Detection Mechanism (flowchart; the boxes recovered from the extracted text, in the order the text describes them: Start; Detection Engine 1: checking entity abnormal traffic volume (IP addresses); Detection Engine 2: checking new IP addresses; Bloom filter: active BF with hash function; DoS attacks detected / no attacks detected; Update: if the IP addresses do not exist, ...; otherwise generate a reference link for communication with the vehicles; Stop; End)

Let ..., ..., ... be an independent and randomly distributed {0, 1} variable, and let ..., ..., ... be an independent and randomly distributed {..., 1} variable, where n is the unknown random sequence and (·) indicates the random density function. For the Decision Engine:

(4)

(the terms of equation (4), a sum, a product and a logarithm, are not legible in the extracted text). Equation (4) is implemented in the Decision Engine.

The Detection Engine phase 1 (DE-1) is responsible for gathering the data (IP addresses) to be processed in the next phase; its main function is checking all incoming traffic information. The Detection Engine phase 2 (DE-2) processes the information collected by DE-1: if this stage finds no malicious IP addresses, the information is stored in a database; otherwise, it is sent to the Decision Engine (DE). The last phase is the active Bloom-Filter with a hash function. If the information collected at the Decision Engine stage contains malicious IP addresses, it generates an alarm and sends a reference link to all of the connected vehicles, and does not send it to the VANET infrastructure. The successful detection process from the incoming traffic, ..., to the outgoing traffic, ..., depends significantly on the DE. At the DE stage, the outgoing traffic, ..., is at the boundaries of the threshold's limitations, then

(5)

so

(6)

If the threshold value is max(..., ...), then the formula

(7)

can be presented as

(8)

(9)

then min(..., ...) ..., so

(10)

(11)

(the symbols of equations (5) to (11), which involve sums over the flow sequence and min/max operations against the threshold, are not legible in the extracted text). The recursive formula of ... can be represented as ... = max(0, ...), ... = 1, 2, ..., where an alarm is set ... for the traffic. For sequence i, where ... indicates the different thresholds of different flow sequences, if an anomaly is not detected in the (... 1) time period, the sufficient and necessary conditions of the detected abnormality are

(12)

(13)

where (·) is the ... function and ... is the threshold. ... is the decision at time ..., which gives a value of 1 to indicate an attack and 0 to indicate a normal condition.

IV. PERFORMANCE EVALUATION
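The Bloom-filter arithmetic of Section II (equations (1) to (3) and the optimal k) together with the DE-1 / DE-2 / Decision Engine flow of Figure 2, as an added Python example that is not the paper's own code: the hash construction (double hashing of one SHA-256 digest), m = 1024 bits, the per-slot threshold on unknown source addresses and the constructed traffic windows are assumptions of this example.

```python
import hashlib
import math
from collections import Counter


def optimal_k(m, n):
    """Number of hash functions that minimises equation (3): k = (m/n) ln 2 (about 0.7 m/n)."""
    return (m / n) * math.log(2)


def fp_at_optimal_k(m, n):
    """False positive ratio at the optimal k: (1/2)^k = 0.6185^(m/n)."""
    return 0.5 ** optimal_k(m, n)


class BloomFilter:
    """Bloom filter over IP-address strings: m bits, k hash functions, all bits start at zero."""

    def __init__(self, m, expected_n):
        self.m = m
        self.k = max(1, round(optimal_k(m, expected_n)))
        self.bits = bytearray(m)   # one byte per bit for clarity, initialised to zero
        self.n = 0                 # number of members inserted so far

    def _positions(self, ip):
        # The paper does not name its hash functions; here the k indices are derived
        # from a single SHA-256 digest by double hashing (an assumption of this example).
        d = hashlib.sha256(ip.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, ip):
        for p in self._positions(ip):
            self.bits[p] = 1
        self.n += 1

    def __contains__(self, ip):
        return all(self.bits[p] for p in self._positions(ip))

    def false_positive_rate(self):
        """Equation (3) for the current load: (1 - e^(-kn/m))^k."""
        return (1.0 - math.exp(-self.k * self.n / self.m)) ** self.k


def decision_engine(packets, bf, threshold):
    """One time slot of the detection mechanism.
    DE-1 gathers the source IPs of the incoming traffic, DE-2 checks which of them are
    unknown to the filter, and the decision is 1 (attack) when the number of unknown
    sources exceeds the threshold, else 0 (normal); in the normal case the newcomers
    are stored in the filter, as the paper stores non-malicious addresses."""
    sources = Counter(p["src"] for p in packets)        # DE-1: collect source addresses
    unknown = [ip for ip in sources if ip not in bf]    # DE-2: membership check in the BF
    decision = 1 if len(unknown) > threshold else 0
    if decision == 0:
        for ip in unknown:
            bf.add(ip)
    return decision, len(unknown)


def run_demo(threshold=10):
    # Constructed scenario: 40 registered vehicles, then a slot with two new
    # neighbours, then a slot flooded from 500 spoofed source addresses.
    bf = BloomFilter(m=1024, expected_n=64)
    for i in range(1, 41):
        bf.add(f"10.0.0.{i}")
    normal = [{"src": f"10.0.0.{(i % 42) + 1}"} for i in range(200)]
    flood = [{"src": f"192.168.{i // 256}.{i % 256}"} for i in range(500)]
    d_normal, new_normal = decision_engine(normal, bf, threshold)
    d_flood, new_flood = decision_engine(flood, bf, threshold)
    return {"normal": (d_normal, new_normal), "flood": (d_flood, new_flood),
            "fp_rate": bf.false_positive_rate(), "k": bf.k}


if __name__ == "__main__":
    print(run_demo())
```

With m/n = 16 the filter uses k = 11 hash functions, and the flood slot trips the alarm while the two genuine newcomers are simply learned.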
A simulation was carried out on NS 2.34 [4] to verify the efficiency of the proposed secure IP address communication for the IVC application. In order to get a proper estimate, a real-world road system was considered: vehicles move within a fixed region of the E19 (Ipoh - Lumut Highway) from Ipoh to Lumut, in a suburb of Universiti Teknologi PETRONAS (UTP) [8]. It is a two-way highway with two lanes in each direction. As shown in Figure 3, there are four exits through which vehicles may leave the highway. To have a random number of vehicles in the simulation, it was assumed that exiting vehicles would re-enter the highway at the nearest highway end (A or B) and immediately start to send messages. Each vehicle in the simulation could initiate queries for the data it was interested in [3, 5]. In the simulation model, the number of mobile vehicles ranged from 10 to 100, placed randomly within the boundaries of the simulation area. They were restricted to travel in only two directions, so as to represent the two opposite directions of the road. Each simulation was executed for 200 seconds of simulation time. The deployed area for each simulation was a 5000 m x 4200 m rectangle, representing a street.
A. Performance Evaluation Metrics

The simulation results have been analysed and compared using two metrics for the evaluation of the performance of DoS attack detection. These metrics are as follows.

Detection Time: Detection time represents the number of data packets (IP addresses) detected during the processing rather than completed:

(14)

where ... was the detection time performance in the simulation, ... was the number of malicious nodes correctly identified as attacks and ... was the number of malicious nodes incorrectly identified as legitimate nodes in the network (the symbols of equation (14) are not legible in the extracted text).

Detection Probability: Detection probability represents the time delay required to transfer a data packet from a source to its destination, including the time consumed by buffering and retransmission operations:

(15)

where ... was the detection probability in the simulation, ... was the number of legitimate clients detected, ... was the total number of legitimate clients in the network and ... was the probability (the symbols of equation (15), which involve factorial terms, are not legible in the extracted text).

Figure 3: Simulation Setup (an 8km highway section of E19 in the UTP area)

The Constant Bit Rate (CBR) was set to vary from 0.1 to 1.0 bits as the network traffic model. The communication pattern used in the simulation was peer-to-peer. The speed of the vehicles varied from 27.78-33.33 m/sec; all the settings given above were intended to reflect a near-realistic road layout in an authentic scenario. The performance of the protocol was evaluated using a set of metrics: data delivery ratio, generated traffic, detection time and detection probability. All parameters are shown in Table II.

TABLE II. SIMULATION PARAMETERS
Parameter: Default Value
No. of Nodes: 10, 100
Max. Vehicle Speed: 27.78-33.33 m/sec
Simulation Time: 200 sec
Network Space: 5000 x 4200 meter
Data Size: 1.0 MB, 2.0 MB
Data Transmission Range: 24 Mbps
Vehicles Speed Model: Our proposed scheme without using cluster concepts in the simple highway mobility model (SHWM)
Volume Beacon Interval: 0.2 sec
Antenna Model: Omni-directional Antenna
Traffic Type: CBR
Visualization Tools: NAM
MAC layer: IEEE 802.11p

B. Results

The efficiency of the data packet detection ratio for the IP-Chock scheme has been measured against three parameters: the number of attacks, detection time and detection probability. The measured efficiency was compared with the theoretical values. The performance of the protocol was evaluated using a set of parameters.

1) Detection Time: Figures 4 and 5 show the efficiency of the data packet detection time versus the number of attacks at 27.78 m/sec, on the highway and on the street respectively. From Figures 4 and 5, it is observed that the efficiency of the data packet detection ratio increased slightly when the number of attacks increased, owing to the impact of the attacks and bandwidth consumption: bandwidth is limited in VANET systems and causes contention for the wireless channels. In addition, Figures 4 and 5 show a significant improvement in the IP-chock performance in terms of the efficiency of the data packet detection ratio over the theoretical scenario.
Figure 4: Detection Time v/s Percentage of attacks (27.78 m/sec) in highway
Figure 4 shows the detection time v/s the number of attacks for typical normal traffic at 27.78 m/sec. This implies that with an increase in the number of vehicles attacked per lane (highway), the Bloom-filter detection time automatically decreased to as low as 0.79 sec. It is notable that the number of attacks reached as high as 80% for the random traffic and the Bloom-filter detection time was found to be 0.79 sec.
Figure 5: Detection Time v/s Percentage of attacks (27.78 m/sec) on Street (series in Figures 4 to 7: Normal traffic (27.78 m/sec), Normal traffic (33.33 m/sec), Random traffic (27.78 m/sec), Random traffic (33.33 m/sec), IP-trackback (27.78 m/sec), IP-trackback (33.33 m/sec); y-axis: detection time (secs))

For the random traffic, as shown in Figure 5, the detection time reached 0.49 sec when the number of attacks was 80%. Comparatively, a detection time of 0.49 sec was observed for the theoretical traffic at as high as 80% attacks. For 27.78 m/sec with the normal traffic, the detection time was 0.49 sec on the highway, and for 27.78 m/sec with the random traffic, a detection time of 0.96 sec was achieved on the street.

2) Detection Probability: Figures 6 and 7 show the efficiency of the data packet detection probability versus an increase in the periodic interval of the number of attacks. From Figures 6 and 7, it is observed that the efficiency of the data packet detection delay time decreased significantly at first when the number of attacks increased, and then started to settle because of the increasing detection probability in the normal and random traffic relative to the number of attacks per lane. In addition, Figures 6 and 7 show a significant improvement in the IP-chock performance in terms of the efficiency of the data packet detection probability over the theoretical scenario. Figures 6 and 7 depict the impact of the different traffic types (normal and random traffic) on the detection delay time for different numbers of attacks. For the IP-trackback and simulated traffic scenarios, the normal and random traffic were considered at 27.78 m/sec and 33.33 m/sec, respectively. It is observed that the detection probability value was 0.17% on the highway and 0.20% on the street.

Figure 6: Detection Delay time v/s Percentage of attacks per lane (highway) (x-axis: number of attacks per lane, 0 to 120; y-axis: detection delay time (%))

Figure 7: Detection Delay time v/s Percentage of attacks (street) (x-axis: number of attacks per lane, 0 to 120; y-axis: detection delay time (%))

Figure 8 shows the IP-Chock DoS attack detection probability versus the number of attacks. From Figure 8, a low detection time delay is observed when the number of attacks is increased. Moreover, the performance was very sensitive to the parameter setting and the scheme was relatively easy to deploy.

Figure 8: Detection Time v/s Number of attacks (different types of traffic) (series: IP-trackback (highway), Simulated (highway), IP-trackback (street), Simulated (street); x-axis: number of attacks, 0 to 100)
Figure 9 shows that the counters in the proposed scheme have values close to zero when the UDP traffic is mostly symmetric and there is no attack. From Figure 9, it is observed that the detection probability decreased when the number of attacks increased, as compared to the theoretical value on the street and highway. The proposed scheme was able to detect DoS attacks accurately even with a small threshold value.
Figure 9: Detection Probability v/s Number of attacks (different types of traffic) (series: IP-trackback (street), IP-trackback (highway), Simulated (street), Simulated (highway); x-axis: number of attacks, 0 to 100; y-axis: detection probability (%))

From Figures 8 and 9, it can be concluded that when the number of attacks increased, the detection probability decreased. For higher percentages of attacks, the detection probability is low, which results in a high detection time. Table III shows the comparison of the proposed scheme with the IP-trackback scheme and the RT-VTI scheme.

TABLE III. COMPARISON OF DOS DEFENSE SCHEMES
Parameter: Proposed Scheme / IP-trackback (PPM) [7] / RT-VTI [3]
Detection accuracy: High / Middle / Middle
Response accuracy: High / Low / Middle
False positive rate: Low / Middle-Low / Middle
Complexity: Middle / Middle-Low / Low
Attack source information: High / Low / Middle
Capability: High / Middle / Middle

Figure 10 shows the comparison result of the proposed scheme with the IP-trackback and RT-VTI schemes. The gaps in the detection rate between the proposed scheme and IP-trackback, at 9.4 ~ 41.0%, and between the proposed scheme and RT-VTI, at 3.8 ~ 35.6%, were analysed.

Figure 10: Comparison of detection rate (series: Proposed Work, IP-trackback (PPM), RT-VTI; x-axis: number of attacks, 0 to 100; y-axis: detection rate (%))

V. CONCLUSION

Efficiency and scalability are the key requirements in the design of immunity against DoS attacks in a VANET system. This scheme provides an end-to-end solution for immunity against DoS attacks. It is a novel scheme for detecting DoS attacks which is based on the Bloom-filter. The Bloom-filter-based detection method preserves the availability of a service for the legitimate vehicles in the VANET and can detect and defend against IP address spoofing in DoS attacks. The proposed scheme is simple and highly efficient in terms of computational cost as well as storage space. It works well for high attack rates and can be used to trace back the source of the attacks.

ACKNOWLEDGMENT
This work has been funded by the Universiti Teknologi PETRONAS Postgraduate Assistantship Scheme (GA).

VI. REFERENCES

[1] X. Hu, J. Hu, T. Yang, W. Xin, and Z. Chen, "Efficient privacy-preserving authentication protocol for vehicular communications with trustworthy," Wiley Journal of Security and Communication Networks, vol. 5, issue 12, pp. 1441-1451, Dec. 2012.
[2] M. Raya, I. Aad, J. P. Hubaux, and A. El Fawal, "DOMINO: detecting MAC layer greedy behavior in 802.11 hotspots," IEEE Transactions on Mobile Computing, vol. 5, issue 12, pp. 1691-1705, Dec. 2006.
[3] K. Ren, W. Lou, R. H. Deng, and K. Kim, "A novel privacy preserving authentication and access control scheme in pervasive computing environment," IEEE Transactions on Vehicular Technology, vol. 55, issue 4, pp. 1373-1384, July 2006.
[4] B. Mishra, S. K. Panigrahy, T. C. Tripathy, D. Jena, and S. K. Jena, "A secure & efficient message authentication protocol for VANETs with privacy preservation," in Proceedings of the World Congress on Information and Communication Technology, pp. 884-889, Dec. 2011.
[5] B. H. Bloom, "Space/Time trade-offs in hash coding with allowable errors," Communications of the ACM, vol. 13, issue 7, pp. 422-426, July 1970.
[6] S. Biswas, J. Misic, and V. Misic, "DDoS attack on WAVE-enabled VANET through synchronization," in Proceedings of the Communication & Information System Security Symposium, Globecom, pp. 1097-1102, July 2012.
[7] M. E. Mathew and A. Raj Kumar P., "Threat analysis & defense mechanisms in VANET," International Journal of Advanced Research in Computer Science and Software Engineering, vol. 3, issue 1, pp. 47-53, Jan. 2013.
[8] K. Bicakci and B. Tavli, "Denial-of-service attacks and countermeasures in IEEE 802.11 wireless networks," Elsevier Journal of Computer Standards & Interfaces, vol. 31, pp. 931-941, Nov. 2008.
[9] M. Raya, P. Papadimitratos, I. Aad, D. Jungels, and J. Hubaux, "Eviction of misbehaving and faulty nodes in vehicular networks," IEEE Journal on Selected Areas in Communications, vol. 25, issue 8, pp. 1557-1568, July 2007.
[10] J. T. Isaac, S. Zeadally, and J. S. Ca'Mara, "Security attacks and solutions for vehicular ad hoc networks," IET Communications, vol. 4, issue 7, pp. 894-903, April 2010.
[11] W. Haining, Z. Danlu, and K. G. Shin, "Change-point monitoring for detection of DoS attacks," IEEE Transactions on Dependable and Secure Computing, vol. 1, issue 4, pp. 193-204, Dec. 2004.