Anil Mehta

Performance analysis of beacon-enabled IEEE 802.15.4 MAC for emergency response applications

IEEE 802.15.4 standard provides a viable MAC and PHY specification for wireless sensor networks. Performance evaluation of these networks has been reported in literature. Previous works focus largely on analyzing the CSMA/CA traffic and frame delay due to Guaranteed Time Slots (GTS) allocations. In this work, we propose a analytical model to understand and characterize the performance of GTS traffic in IEEE 802.15.4 networks for emergency response situations.We study two crucial performance metrics, latency and frame drop rate, for GTS frames. The results from our analysis closely match with those from simulations of IEEE 802.15.4 MAC reported earlier.

Statistical Analysis of Self-Similar Session Initiation Protocol (SIP) Messages for Anomaly Detection

The Session Initiation Protocol (SIP) is an important multimedia session establishment protocol used on the Internet. Due to the nature and deployment realities of the protocol (ASCII message representation, widespread usage over UDP, limited use of encryption), it becomes relatively easy to attack the protocol at the message level to launch denial of service attacks. To mitigate this, self- learning systems have been proposed to detect anomalous SIP messages and filter them. However, previous works use datasets with large differences between the normal and anomalous message. This gives high performance for existing classification systems, including those based on Euclidean distances. We present our analysis on a new dataset that has minimal difference between normal and anomalous messages. Our findings indicate that existing classification schemes behave unsatisfactorily on our dataset. We demonstrate why this is the case by statistical analysis of our dataset, and furthermore, present feature reduction techniques to enhance the classification performance of existing classification schemes on our dataset.

On the inefficacy of Euclidean classifiers for detecting self-similar Session Initiation Protocol (SIP) messages

The Session Initiation Protocol (SIP) is an important multimedia session establishment protocol used on the Internet. Due to the nature and deployment realities of the protocol (ASCII message representation, most deployments over UDP, limited use of message encryption), it becomes relatively easy to attack the protocol at the message level. To mitigate this, self-learning systems have been proposed to counteract new threats. However the efficacy of existing machine learning algorithms must be studied on varied data sets before they can be successfully used. Existing literature indicates that Euclidean distance based classifiers work well to detect anomalous messages. Our work suggests that such classifiers do not produce adequate results for well-crafted malicious messages that differ very slightly from normal messages. To demonstrate this, we gather SIP traffic and minimally perturb it using 13 generic transforms to create malicious SIP messages. We use the Levenshtein distance, L, as a measure of similarity between normal and malicious SIP messages. We subject our dataset — consisting of malicious and normal SIP messages — to Euclidean distance-based classifiers as well as four standard classifiers. Our results show vast differences for Euclidean distance-based classifiers on our dataset than reported in current literature. We further see that the standard classifiers are better able to classify an anomalous message when L is small.

A modified beacon-enabled IEEE 802.15.4 MAC emergency response applications

IEEE 802.15.4 specification for MAC and PHY offers a standard for general purpose wireless sensor networks. The TG4e of IEEE 802.15 is currently engaged in defining a specification particularly suitable for industrial and commercial applications, which impose severe constraints of low latency and high reliability. In this work, we present a simple MAC scheme to address these requirements of emergency response sensing applications for wireless sensor networks. We evaluate the proposed scheme for varying channel and traffic load conditions using simulations. Our results show that the latency and packet loss rate performance of emergency response traffic, consisting of guaranteed time slot (GTS) frames, significantly improves in comparison with the performance of original IEEE 802.15.4 MAC. The proposed MAC was also evaluated for potential adverse impact on the non-critical traffic, which consists of frames that use contention access period (CAP) of the superframe. It is shown that under realistic load conditions, the impact on the CAP traffic is minimal.

Throughput performance of an adaptive ARQ scheme in Rayleigh fading channels

Using a simulation study we analyze the throughput performance of Yaos adaptive ARQ scheme in time-varying channels. The simulation takes into account the Rayleigh amplitude and the fast or the slow fading characteristics of a wireless channel, under a representative M-FSK modulation and Reed-Solomon coding scheme. We show that, for a specific set of design parameters, Yaos adaptive procedure works well for all channel fading rates, except for moderately slow rates. By observing variations of packet error rates at a specified SNR we provide an explanation for these varied behaviors under different channel fading rates.

Mitigating Mimicry Attacks Against the Session Initiation Protocol

The U.S. National Academies of Sciences Board on Science, Technology and Economic Policy estimates that the Internet and voice-over-IP (VoIP) communications infrastructure generates 10% of U.S. economic growth. As market forces move increasingly towards Internet and VoIP communications, there is proportional increase in telephony denial of service (TDoS) attacks. Like denial of service (DoS) attacks, TDoS attacks seek to disrupt business and commerce by directing a flood of anomalous traffic towards key communication servers. In this work, we focus on a new class of anomalous traffic that exhibits a mimicry TDoS attack. Such an attack can be launched by crafting malformed messages with small changes from normal ones. We show that such malicious messages easily bypass intrusion detection systems (IDS) and degrade the goodput of the server drastically by forcing it to parse the message looking for the needed token. Our approach is not to parse at all; instead, we use multiple classifier systems (MCS) to exploit the strength of multiple learners to predict the true class of a message with high probability (98.50% ≤ p ≤ 99.12%). We proceed systematically by first formulating an optimization problem of picking the minimum number of classifiers such that their combination yields the optimal classification performance. Next, we analytically bound the maximum performance of such a system and empirically demonstrate that it is possible to attain close to the maximum theoretical performance across varied datasets. Finally, guided by our analysis we construct an MCS appliance that demonstrates superior classification accuracy with O(1) runtime complexity across varied datasets.

On using multiple classifier systems for Session Initiation Protocol (SIP) anomaly detection

The Session Initiation Protocol (SIP) is an important multimedia session establishment protocol used on the Internet. It is a text-based protocol, which is complex to parse due to the wide variability in representing the information elements. Building a parser for SIP may appear straight-forward; however, writing an efficient, robust, and scalable parser that is immune to low-effort attacks using malformed messages is surprisingly difficult. To mitigate this, self-learning systems based on Euclidean distance classifiers have been proposed to determine whether a message is well-formed or not. The efficacy of such machine learning algorithms must be studied on varied data sets before they can be successfully used. Our previous work has shown that Euclidean distance-based classifiers and standard classifiers used for self-learning problems are unable to detect malformed self-similar SIP messages (i.e., invalid SIP messages that differ by only a few bytes from normal SIP messages). This paper proposes using multiple classifier systems to detect malformed self-similar SIP messages. Our results show that a judiciously constructed multiple classifier system yields classification performance as high as 97.56% of the messages being classified correctly. We further show that for self-similar SIP messages, feature reduction measures based on the first moment are insufficient for improving classification accuracy.