Jin Tang

Sketch-Based SIP Flooding Detection Using Hellinger Distance

The Voice over IP (VoIP) application utilizes the Internet to provide voice service; thus it is susceptible to various security issues common on the IP networks, such as the flooding attack. Moreover, VoIP uses the Session Initiation Protocol (SIP) for session control and management. The transactional nature of SIP makes flooding attack an even severer threat, which can consequentially lead to denial of service (DoS). In this paper, we develop an efficient online SIP flooding detection scheme by integrating the sketch technique with Hellinger distance (HD) based detection. The sketch data structure can summarize the SIP call generating process into a fixed set of data for developing a probability model. The HD technique, combined with on-line traffic estimation, can efficiently identify attacks by monitoring the distance between current traffic distribution and the estimated distribution based on history information. Compared to the original HD detection system, our technique achieves the advantages of higher accuracy, flexibility to deal with multi-attribute attacks and DDoS attacks, and the ability to track the period of attack. Computer simulation results are presented to demonstrate the performance of the proposed technique.

Real-Time Misbehavior Detection in IEEE 802.11-Based Wireless Networks: An Analytical Approach

The distributed nature of the CSMA/CA-based wireless protocols, for example, the IEEE 802.11 distributed coordinated function (DCF), allows malicious nodes to deliberately manipulate their backoff parameters and, thus, unfairly gain a large share of the network throughput. In this paper, we first design a real-time backoff misbehavior detector, termed as the fair share detector (FS detector), which exploits the nonparametric cumulative sum (CUSUM) test to quickly find a selfish malicious node without any a priori knowledge of the statistics of the selfish misbehavior. While most of the existing schemes for selfish misbehavior detection depend on heuristic parameter configuration and experimental performance evaluation, we develop a Markov chain-based analytical model to systematically study the performance of the FS detector in real-time backoff misbehavior detection. Based on the analytical model, we can quantitatively compute the system configuration parameters for guaranteed performance in terms of average false positive rate, average detection delay, and missed detection ratio under a detection delay constraint. We present thorough simulation results to confirm the accuracy of our theoretical analysis as well as demonstrate the performance of the developed FS detector.

Quick Detection of Stealthy SIP Flooding Attacks in VoIP Networks

Denial of Service (DoS) attacks such as the SIP flooding pose great threats to normal operations of VoIP networks, and can bear various forms to elude detection. In this paper, we address the stealthy SIP flooding attack, where intelligent attackers deliberately increase the flooding rates in a slow pace. As the attack only gradually influences the traffic, it can effectively be disguised from previous SIP flooding detection methods. In order to identify the stealthy attack in its early stage for timely response, we propose a detection scheme based on the signal processing technique wavelet, which is able to quickly expose the changes induced by the attack. In particular, we monitor the percentage of energy corresponding to the detail signal obtained from the wavelet analysis as an indication of the attack. Also, considering the scalability of the proposed scheme, we resort to the sketch technique, which can summarize the traffic observations to a fixed-size hash table to provide raw traffic signals for the wavelet analysis regardless how many users exist in the VoIP network. We validate the performance of the proposed scheme through computer simulation and demonstrate its ability to quickly and accurately detect the attacks.

An analytical approach to real-time misbehavior detection in IEEE 802.11 based wireless networks

The distributed nature of the CSMA/CA based wireless protocols, e.g., the IEEE 802.11 distributed coordinated function (DCF), allows malicious nodes to deliberately manipulate their backoff parameters and thus unfairly gain a large share of the network throughput. The non-parametric cumulative sum (CUSUM) test is a promising method for real-time misbehavior detection due to its ability to quickly find abrupt changes in a process without any a priori knowledge of the statistics of the change occurrences. While most of the existing schemes for selfish behavior detection depend on heuristic parameter configuration and experimental performance evaluation, we develop a Markov chain based analytical model to systematically study the CUSUM based scheme for real-time detection of the backoff misbehavior. Based on the analytical model, we can quantitatively compute the system configuration parameters for guaranteed performance in terms of average false positive rate, average detection delay and missed detection ratio under a detection delay constraint. Moreover, we find that the short-term fairness issue of the 802.11 DCF impacts the transition probabilities of the Markov model and thus the detection accuracy. We develop a shuffle scheme to mitigate the short-term fairness impact on the sample series, and investigate the proper shuffle period (in terms of observation windows) that can maintain the randomness in each nodes backoff behavior while resolving the short-term fairness issue. We present simulation results to confirm the accuracy of our theoretical analysis as well as demonstrate the performance of the developed real-time detection scheme.

Detection and prevention of SIP flooding attacks in voice over IP networks

As voice over IP (VoIP) increasingly gains popularity, traffic anomalies such as the SIP flooding attacks are also emerging and becoming into a major threat to the technology. Thus, detecting and preventing such anomalies is critical to ensure an effective VoIP system. The existing flooding detection schemes are inefficient in detecting low-rate flooding from dynamic background traffic, or may even totally fail when flooding is launched in a multi-attribute manner by simultaneously manipulating different types of SIP messages. In this paper, we develop an online scheme to detect and subsequently prevent the flooding attacks, by integrating a novel three-dimensional sketch design with the Hellinger distance (HD) detection technique. The sketch data structure summarizes the incoming SIP messages into a compact and constant-size data set based on which a separate probability distribution can be established for each SIP attribute. The HD monitors the evolution of the probability distributions and detects flooding attacks when abnormal variations are observed. The three-dimensional design equips our scheme with the advantages of high detection accuracy even for low-rate flooding, robust performance under multi-attribute flooding, and the capability of selectively discarding the offending SIP messages to prevent the attacks. Moreover, we develop an estimation freeze mechanism to protect the detection threshold from being polluted by attacks. Not only do we theoretically analyze the performance of the proposed detection and prevention techniques, but also resort to extensive simulations to thoroughly examine the performance.

Real-Time Detection of False Data Injection in Smart Grid Networks: An Adaptive CUSUM Method and Analysis

A smart grid is delay sensitive and requires the techniques that can identify and react on the abnormal changes (i.e., system fault, attacker, shortcut, etc.) in a timely manner. In this paper, we propose a real-time detection scheme against false data injection attack in smart grid networks. Unlike the classical detection test, the proposed algorithm is able to tackle the unknown parameters with low complexity and process multiple measurements at once, leading to a shorter decision time and a better detection accuracy. The objective is to detect the adversary as quickly as possible while satisfying certain detection error constraints. A Markov-chain-based analytical model is constructed to systematically analyze the proposed scheme. With the analytical model, we are able to configure the system parameters for guaranteed performance in terms of false alarm rate, average detection delay, and missed detection ratio under a detection delay constraint. The simulations are conducted with MATPOWER 4.0 package for different IEEE test systems.

Real-Time Detection of Selfish Behavior in IEEE 802.11 Wireless Networks

The open and distributed nature of the IEEE 802.11 based wireless network makes it easy for selfish nodes to gain unfair share on the networks by manipulating the protocol parameters. In this paper, we address the detection of such selfish behavior. The two main challenges associated with the detection problem are the unknown selfish behavior strategy and real-time detection of the behavior. While the two challenges are correlated for efficient detection, existing solutions can not address both of them well at the same time. In our work, we propose a new observation method monitoring the number of successful transmissions of the tagged node. This enables us to capture the short-term dynamic of the traffic behavior which is crucial for real-time detection. Integrating our the observation method with the CUSUM test, we develop a detection scheme to deal with both the challenges without any modification to the existing protocols. Moreover, we utilize a discrete Markov chain based model to characterize the behavior of the CUSUM test statistic, which enables us to quantitatively analyze the tunable parameters in the scheme for guaranteed detection performance. The performance of the proposed scheme is validated through ns-2 simulation. We show that the scheme is capable of quickly and accurately detecting the selfish behavior without knowledge of the selfish strategy.

Selfish misbehavior detection in 802.11 based wireless networks: An adaptive approach based on Markov decision process

The open and distributed nature of the IEEE 802.11 based wireless networks provides selfish users the opportunity to to gain an unfair share of the network throughput by manipulating the protocol parameters, say, using a smaller contention window. In this paper, we propose an adaptive approach for real-time detection of such selfish misbehavior. An adaptive detector is necessary in practice, as it needs to deal with different misbehaving scenarios where the number of selfish users and the contention windows exploited by each selfish user are different. In this paper, we first design a basic misbehavior detector based on the non-parametric cumulative sum (CUSUM) test. While the basic detector can be modeled with a Markov chain, we further resort to the Markov decision process (MDP) technique to enhance the basic detector to an adaptive design. In particular, we develop a novel reward function based on which the optimal policy of the MDP can be determined. The optimal policy indicates how the adaptive detector should operate at each state. Another important feature of our detector is that it enables an effective iterative method to detect multiple misbehaving nodes. We present thorough simulation results to confirm the accuracy of our analysis, and demonstrate the efficiency of the adaptive detector compared to a static solution.

Intrusion Detection for IP-Based Multimedia Communications over Wireless Networks

In this chapter, we address the selfish misbehavior in the IEEE 802.11TM based wireless network. After a brief description on selfish misbehavior in 802.11TM, we first design a real-time backoff misbehavior detector, termed as the fair share detector (FS detector), which exploits the non-parametric cumulative sum (CUSUM) test to quickly find a selfish malicious node without any a priori knowledge of the statistics of the selfish misbehavior. We then develop a Markov chain based analytical model to systematically study the performance of the FS detector. Based on the analytical model, we can quantitatively compute the system configuration parameters for guaranteed performance in terms of average false positive rate, average detection delay and missed detection ratio under a detection delay constraint. We present simulation results to confirm the accuracy of our theoretical analysis as well as demonstrate the performance of the FS detector. 2.1 Selfish Misbehavior in 802.11TM 2.1.1 IEEE 802.11TM DCF There are two major functions in the IEEE 802.11TM protocols: the point coordination function (PCF) and the distributed coordination function (DCF). The PCF is a centralized function and is an optional feature in 802.11TM. In this book, our concentration is the more widely used DCF which operates in a distributed manner. In the DCF, every node contends for access to the wireless medium following the CSMA/CA function [1]. When a node attempts to transmit a packet, it needs to sense the medium idle for a specified time. The time is divided into slots, and a node can only transmit at the beginning of a slot time. If the medium is not idle, the node will enter a backoff stage and defer the transmission according to a timer before attempting the next transmission. This backoff timer is a random value uniformly selected from a set {0,1, . . . ,CWmin − 1}, where CWmin is called the minimum conJ. Tang and Y. Cheng, Intrusion Detection for IP-Based Multimedia Communications over Wireless Networks, SpringerBriefs in Computer Science, DOI 10.1007/978-1-4614-8996-2 2,