International Journal of Electronics and JOURNAL Communication Engineering & Technology (IJECET), ISSN 0976 INTERNATIONAL OF ELECTRONICS AND

D 6464(Print), ISSN 0976 6472(Online), Volume 5, Issue 2, February (2014), pp. 01-09 IAEME

COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

ISSN 0976 6464(Print) ISSN 0976 6472(Online) Volume 5, Issue 2, February (2014), pp. 01-09 IAEME: www.iaeme.com/ijecet.asp Journal Impact Factor (2014): 3.7215 (Calculated by GISI) www.jifactor.com

IJECET
IAEME

PERFORMANCE EVALUATION OF BYZANTINE FLOOD RUSHING ATTACK IN AD HOC NETWORK

Sharada Valiveti,
1 2

Swati R Sharma,

Dr. K Kotecha

Nirma University, Ahmedabad, India Darshan Engineering College, Rajkot 3 Director, Institute of Technology, Nirma University

ABSTRACT Ad hoc network provides decentralized infrastructure-less environment, where nodes cooperate with each other for the purpose of communication, thus susceptible to compromise. This characteristic of ad hoc network leads to security threats. The networks are particularly vulnerable to denial of service (DoS) attacks that launched through colluding nodes. This paper focus on Byzantine Flood Rushing attack that threatens the security of system, and studying its effect on ad hoc network. The objective of work is to implement Flood Rushing attack in AODV enabled ad hoc network. Paper presents approach to implement and analyze the effect of Byzantine Flood Rushing attack and implementation results are plotted. Keywords: Ad hoc network, security services, mechanisms and attacks, Flood Rushing, Intrusion Detection Systems, denial of service attacks I. INTRODUCTION

Ad hoc networks are self-organized multi-hop networks where nodes contribute in the process of data packet forwarding and communication among nodes. The most essential part of security system is Distributed Intrusion Detection System (DIDS), which also present challenges due to lack of central organization, dynamic nature and their highly constrained nodes of ad hoc networks. Intrusion Detection System (IDS) is required to provide protection against internal attacks. The goal is to implement an effective protocol to detect adversarial behavior and avoid it. Assuming that an intermediate node can demonstrate such behavior either alone or in collusion with other nodes. The main goal of Flood Rushing Byzantine attack is distraction or degradation of the routing service. An adversarial node or group of adversarial nodes can change, capture, or fabricate packets,
1

International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print), ISSN 0976 6472(Online), Volume 5, Issue 2, February (2014), pp. 01-09 IAEME

which can form routing self-loops, drop packets selectively, artificially delay packets, route packets along non-optimal paths, or make a path look either longer or shorter than actual version [1]. The paper focuses on several types of byzantine attacks and narrow down the scope towards flood rushing attack. Focus is to develop flood rushing attack involving multiple nodes of an ad hoc network, colluding to perform an effective damage to the network. The results were then analyzed based on the suggested evaluation metrics in order to evaluate damage due to attack and to verify effectiveness of detection and recovery system using network simulator (NS-2.34). II. RELATED WORK

The following Distributed Intrusion Detection System apparently consists of more than just detector. To rationale Sys-tem characteristics, the taxonomy has been shown as follows. In this paper, the Distributed IDS is divided based on their approach of detecting an Intrusion. Attack can be defined as an attempt that takes place against a target with the intention of doing damage. Passive Attack are the attack that attempts to learn or make use of information from the system but does not affect system resources. Active attacks are the attacks that attempt to alter system resources or affect their operation [2]. An internal attack is initiated by an authorized entity that make use of system resource in such a manner which is not approved by an administration [2]. An external attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system [2]. The adversarial behavior initiated by the nodes in the network can be classified under the Network Layer Attack. When Adversaries have full control over the legitimate device and act arbitrarily to disrupt the network is known as Byzantine Attack [1]. Flood rushing attack that exploits the flood duplicate stifle technique which is used by many routing protocols. Byzantine wormhole attack are the attack in which two adversaries collude by tunneling packets between each other in order to create a shortcut (or wormhole) in the network [3] Super Worm-hole Attack is the generalized form of Byzantine wormhole attack, in which several nodes are compromised and form an overlay network [1]. When an adversarial node is selected during the route discovery by the routing protocol, it prevents communication on that route can be defined as Byzantine blackhole attack [1]. We have not found related papers on the effect of Byzantine Flood Rushing attack in AODV enabled ad hoc networks by far. Many of the papers relate the work towards, way to defend flooding attack and present some ways to recover flooding attack. In these papers, research work only relate to defining the approach for Flood Rushing attack and Implementation for the same, Evaluation of experimental analysis of Flood Rushing attack with and without the effect of colluding nodes which represents the byzantine behavior in AODV enabled ad hoc network. 2.1 Classification of IDS 2.1.1 DIDS-Distributed Intrusion Detection System Distributed Intrusion Detection System (DIDS) generalizes the target environment in order to monitor multiple hosts connected via a network and the network itself [4]. This architecture provides the capability to aggregate information from numerous different sources. 2.1.2 DPEM-Distributed Program Execution Monitoring The authors have designed a prototype-the distributed program execution monitor (DPEM) that reads the security specifications of acceptable behavior of privileged UNIX programs, and checks audit trails for violations of these security specifications [5]. The DPEM prototype, monitors programs executed in a distributed system.

International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print), ISSN 0976 6472(Online), Volume 5, Issue 2, February (2014), pp. 01-09 IAEME

2.1.3 GrIDS-Graph based IDS for large networks GrIDS accumulates data related to activity on nodes and network traffic between them. It aggregates this information into activity graphs which reveal the structure of network actions. This allows huge range of automated or co-ordinated intrusion to be detected in real-time [6]. 2.1.4 CSM- Co-operating Security Managers The basic idea behind CSM is to have each host on a network (or internetwork) run a copy of CSM as a background process [7]. The authors of co-operating security managers note that as networks grow larger, centralized intrusion detection will not scale up well. 2.1.5 JiNao-Scalable IDS for Emerging Network Infrastructure This Intrusion Detection System doesnt protect individual host but rather entire network infrastructure [8]. The prototype assumes that the routers communicate via the OSPF protocol. JiNao is operated using three different paradigms: misuse based detection, anomaly based detection, and protocol based (misuse) detection. 2.1.6 EMERALD-Event Monitoring Enabling Responses to Anomalous Live Disturbances EMERALD is proposed as a framework for scalable, distributed, inter-operable computer and network intrusion detection [9]. These large computing resources typically contain Commercial OffThe-Shelf (COTS) components, as well as non-COTS components and legacy systems integrated with current technology. 2.2 Classification of Byzantine Attack The following classification includes the study of several byzantine attack such as black hole attack, flood rushing attack, worm-hole attack, super worm-hole attack. Moreover, it also inculdes attack goal, working, constraint and result shown in Table-I. TABLE I: Classification of the surveyed Byzantine Attack and their characteristics [1]

III.

THE MODEL FOR FLOOD RUSHING ATTACK

3.1 The model for IDS In this paper approach can be abstractly classified into three categories as follows: 1.1.1 Implementation of Byzantine attack(i.e. Flood Rushing Attack) 1.1.2 Analyze the effect of Attack on ad hoc network
3

International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print), ISSN 0976 6472(Online), Volume 5, Issue 2, February (2014), pp. 01-09 IAEME

1.1.3 Adoption of an Efficient recovery techniques This section explains the approach adopted to implement, analyze and mitigate Flood Rushing attacks. The approach is narrow down towards one of the type of Byzantine attack known as Flood Rushing Attack (Flood Propagation Attack). Paper introduces this attack, which is an efficient denial-of-service attack against all the recovery techniques designed. Flood Rushing Attack exploits the flood duplicate stifle technique which is used by many routing protocols. The attack takes place during the propagation of legitimate flow and can be seen as a race between the legitimate flow and the adversarial version of it. If an adversary fruitfully reaches some of its neighbors with its own version of the flood data packet before they get a version through a legitimate route, then those nodes will disregard the legitimate one and will relay the adversarial version. This may result into a persistent inability to establish a valid route, even when end-to-end or path authentication techniques are used. If an adversary is present on multipath route, it may cause more distraction. Thus any additional attack that selects the nodes in multipath route can increase the impact of attack on ad hoc network. 1.2 Implementation of Flood Rushing Implementation of Flood Rushing can be classified into three categories:

Fig. 1 Approach to Implement Byzantine Flood Rushing Attack 3.2.1 Flood Rushing Attack on Route discovery When a node wants to join a forwarding set or find a route to a destination, the attacker pretend to be the member and sends a route packet to next forwarding set. In this attack, an adversarial node respond to the message with the goal of misleading the node by believing that, it has found the optimal path to reach destination. 3.2.2 Flood Rushing Attack on route establishment Adopt typical method of routing metric in any path routing. During the route establishment the adversarial node is added which may eventually outcome more cost of the link compared to legitimate node. 3.2.3 Flood Rushing Attacks on route maintenance In this attack, the adversaries send false information to its neighbors, which makes them a part of a forwarding set. Moreover the adversarial node drops the packets it receives rather than to deliver the packets to the destination.

International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print), ISSN 0976 6472(Online), Volume 5, Issue 2, February (2014), pp. 01-09 IAEME

3.3 Overview of AODV Proposed protocol in this paper is AODV (Ad-Hoc On-demand Distance Vector) routing protocol. It is Reactive on-demand routing protocol, where route updates are carried out when requested. Reactive protocol eliminate periodic updates and adaptive to the dynamics of network. Unlike DSR( Dynamic Source Routing) AODV hop by hop routing protocol is capable of handling congestion, lower memory overhead, prevent self-loops as contains sequence number for each packets, support both multicast and unicast, uniform packet size and each route contains lifetime. Protocol maintain only one route to destination so it needs to initiate route discovery for every change. In this protocol node discovers path with Route Request (RREQ)-Route Reply (RREP) cycles as shown in Fig. 2.

Fig. 2 AODV Protocol Flow for Request-Reply Node request a path to destination by broadcasting RREQ message to their neighbors. When a node receives RREQ message, and doesnt have path to the requested destination, it will rebroadcast RREQ message. AODV also remember reverse-path through the intermediate nodes until reaches to original requesting source node. This process is repeated till the RREQ reaches a node which is destined through a valid route. Protocol will respond to valid route with RREP message. RREQ broadcasted, while RREP is unicasted to reverse-path till it reaches to original requesting source node. Thus, at the end of RREQ-RREP cycle, a bidirectional route is established between original requesting source node and destination. When any node within network loses the connectivity to its next hop, it invalidates the path by sending Route Error (RERR) to all the nodes that receives its RREP. 3.3 Proposed approach for implementation of Flood Rushing Attack In this paper, the proposed approach for implementing an adversarial behavior, which can gain advantage in forwarding speed which keep transmission of interface queues of neighbor nodes full. (Ad Hoc On Demand Distance Vector) is chosen as a routing protocol to illustrate the scope of IDS security in ad hoc network. Here, the colluding adversarial node floods mass Route Request (RREQ) messages for a particular IP address. The adversary sends mass RREQ without considering ROUTE REQUEST RATE LIMIT per second and successively send RREQ without waiting for Route Reply (RREP). In flood rushing attack, the whole network will be flooded with RREQ packets that originates from adversarial node. As a result communication bandwidth, node resource and
5

International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print), ISSN 0976 6472(Online), Volume 5, Issue 2, February (2014), pp. 01-09 IAEME

router queue get exhausted, as the storage capacity of routing table is limited. In other words, if the mass RREQs are flooded within very short interval, the storage of router get exhaust and node will not be capable of receiving new RREQ packets. Due to such adversarial behavior legitimate nodes may not be able to set up the path. Thus, flooding RREQ may consume lot of resource in the network and will get succeed by setting the path through non-legitimate node. This attack exploits the duplicate flooding technique used in many routing protocol. Here, the source node initiates a route discovery for the target node. If the route request forwarded by an adversarial node reach to the neighbor of target node earlier than any other legitimate version then, that route will include route through adversarial node. If the legitimate request arrives later, the neighbor nodes will discard those legitimate requests. Approach for attack implementation is represented in form of flowchart as shown in Fig. 3.

Fig. 3 Flowchart for Implementation of Flood Rushing Attack IV. SIMULATION OUTCOME AND RESULT ANALYSIS 4.1 Experimental setup Experimental work carried out to study the outcome of Flood Rushing attack in AODV enable ad hoc network with following parameters. The work includes, implementation of Flood Rushing attack in network simulator (NS-2.34), and had carried out successive experiments to evaluate attack effectiveness. NS-2.34 includes simulation of wireless ad hoc network, and wireless ad hoc protocols. Simulation area taken is 500 by 500 meter flat space. Total number of nodes are 25. The MAC layer used is IEEE 802.11, included in NS-2.34. The propagation model used is TwoRayGround. User Datagram Protocol (UDP) is used as Transport Layer Protocol. Each data packet is 1000 bytes long. Routing protocol used for simulation is AODV. Traffic type is CBR. Simulation time is 150 second.
6

International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print), ISSN 0976 6472(Online), Volume 5, Issue 2, February (2014), pp. 01-09 IAEME

4.2 Evaluation matrices The work carried out uses following metrics to evaluate the effectiveness of Flood Rushing attack. 1. Throughput: The average rate of successful data packet delivery over a communication channel. 2. Latency: Latency or End-to-End delay is a measure of the time delay experienced by a system. 3. Packet Delivery Ratio (PDR): The percentage of the number of packets that are received by destination to the number of packets sent by source. 4.3 Experimental Evaluation of Flood Rushing Attack Figure 4 shows Throughput where x-axis defines different systems with number of adversaries present in the network, and y-axis defines throughput in kilo-bits per second(kbps). The larger this metric, the more efficient network will be.

Fig. 4 Throughput Analysis As shown in Figure 5 for Latency, x-axis defines different systems with number of adversary present in the network, and y-axis defines latency in milli seconds (ms). The smaller this metric, more efficient the network will be.

Fig. 5 Latency Analysis

7

International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print), ISSN 0976 6472(Online), Volume 5, Issue 2, February (2014), pp. 01-09 IAEME

Figure 6 shows Packet Delivery Ratio (PDR) where x-axis defines different systems with number of adversary present in the network, and y-axis defines PDR. The larger this metric, the more efficient network will be.

Fig. 6: Packet Delivery Ratio (PDR) Analysis V. CONCLUSION In this paper, we had evaluated Flood Rushing attack on entire network performance, in the presence of different number of adversarial nodes. From the simulation outcome and result analysis we can conclude that, with ascending increase in number of adversarial node, throughput decreases, latency increases and PDR decreases. Moreover, the experimental evaluation of Byzantine attack having colluding nodes is comparatively more efficient that former. The paper concludes that Flood Rushing attack is most significant factor for an efficient attack against insecure on-demand protocols, mainly when adversaries collude. The most effective property of flood rushing attack is it amplifies any attack that merge with it, as it permit adversaries to have control over route discovery and overall network. VI. FUTURE WORK Implementation of an efficient IDS (Intrusion Detection System) for Flood Rushing attack and Byzantine Flood Rushing attack may be considered as future work. The way in which network should behave once any node is identified as malicious may be considered as future scope. Moreover future scope of research on security protocol will incline approach towards MANET security. Another scope is to determine the allocation of bandwidth in MANET environment with limited resource. Moreover, future work also includes the optimal way over the constraints on the resource and power of adversaries. REFERENCES [1] [2] [3] B. A. David Holmer, Reza Curtmola, Mitigating byzantine attacks in ad hocwireless networks, Technical Report Version 1, March 2004. http://en.wikipedia.org/wiki/Attack(computing), August 2012. C. X. Lujie Zhong, Byzantine attack with anypath routing in wireless mesh networks, IEEE Proceedings of IC-BNMT, vol. 1.0, pp. 711715, 26-28 Oct 2010. 3rd IEEE International Conference.
8

International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print), ISSN 0976 6472(Online), Volume 5, Issue 2, February (2014), pp. 01-09 IAEME

[4] [5]

[6]

[7] [8]

[9]

[10]

[11]

[12]

[13]

[14]

[15] [16]

[17]

[18]

[19]

S. E. S. Steven R Snapp, The distributed intrusion detection system prototype, In Proceedings of the Summer USENIX Conference, pp. 227 233, June 1992. G. F. Calvin Ko, Automated detection of vulnerabilities in privileged programs by execution monitoring, In Proceedings of the 10th Annual Computer Security Applications Conference, IEEE Computer Society Press, vol. xiii, pp. 134144, May 1994. S. C. S. Stani ford Chen, Grids-a graph based intrusion detection system for large networks, In Proceedings of the 19th National Information Systems Security Conference, 1996. G. White and V. Pooch, Cooperating security managers: Distributed intrusion detection systems, Computers & Security, Elsevier Science Ltd., 1996. F. G. Y. Frank Jou, Architecture design of a scalable intrusion detection system for the emerging network infrastructure, Department of Com-puter Science, North Carolina State University, Releigh, N.C, USA, April 1997. P. A. Porras and P. G. Neumann, Automated detection of vulnerabilities in privileged programs by execution monitoring, In Proceedings of the 10th Annual Computer Security Applications Conference, IEEE Computer Society Press, October 1997. Cabrera, Gutierrez, and Mehra, Infrastructures and algorithms for dis-tributed anomalybased intrusion detection in mobile ad-hoc networks, Military Communications Conference, 2005. MILCOM 2005,IEEE, vol. 3, pp. 18311837, October 2005. S. Marano, V. Matta, and L. Tong, Distributed detection in the presence of byzantine attack in large wireless sensor networks, Military Com-munications Conference, 2006. MILCOM 2006, IEEE, pp. 14, October 2006. A. R. Sangi, J. Liu, and L. Zou, A performance analysis of aodv routing protocol under combined byzantine attacks in manets, Computational Intelligence and Software Engineering, 2009. CiSE 2009, IEEE, vol. 3, pp. 15, December 2009. P. Yi, Y. Wu, and J. Ma, Experimental evaluation of flooding attacks in mobile ad hoc networks, Communications Workshops, 2009. ICC Workshops 2009. IEEE International Conference, pp. 14 ISBN:9781 424434374, 2009. A. S. ALshahrani, Rushing attack in mobile ad hoc networks, Third International Conference on Intelligent Networking and Collaborative Systems, pp. 752758 ISBN: 978 1457719080, 2011. M. H. Rehmani, S. Doria, and M. R. Senouci, A Tutorial on the Implementation of Ad-hoc On Demand Distance Vector Protocol in Network Simulator. June 2009. Prof. S.B. Javheri and Shwetambari Ramesh Patil, Attacks Classification in Network, International Journal of Information Technology and Management Information Systems (IJITMIS), Volume 4, Issue 3, 2013, pp. 1 - 11, ISSN Print: 0976 6405, ISSN Online: 0976 6413. Nada M. Badr and Noureldien A. Noureldien, Review of Mobile Ad Hoc Networks Security Attacks and Countermeasures, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 6, 2013, pp. 145 - 155, ISSN Print: 0976 6367, ISSN Online: 0976 6375. Neha Kaushik and Ajay Dureja, A Comparative Study of Black Hole Attack in Manet, International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 4, Issue 2, 2013, pp. 93 - 102, ISSN Print: 0976- 6464, ISSN Online: 0976 6472. Sharada Valiveti, Hetuk Upadhyay and Dr. K Kotecha, Analyzing The Performance of Bandwidth Starvation Attack in Lan, International Journal of Advanced Research in Engineering & Technology (IJARET), Volume 5, Issue 1, 2013, pp. 145 - 153, ISSN Print: 0976-6480, ISSN Online: 0976-6499.
9