detection of spoofing attack in wireless networks...

International Journal of Mechatronics, Electrical and Computer Technology

Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543

http://www.aeuso.orgAvailable online at:

© Austrian E-Journals of Universal Scientific Organization

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1366

Detection of Spoofing Attack in Wireless Networks

Using Fuzzy Logic

Seyedeh Zahra Rajabi1*

, Seyed Javad Mirabedini Shirazani2, Ali Haronabadi

3

1 M.A. student of Computer, Khuzestan Science and Research Branch, Islamic Azad University,

Ahvaz, Iran

2 Department of Computer, Central Tehran Branch, Islamic Azad University, Tehran, Iran.

3 Department of Computer, Central Tehran Branch, Islamic Azad University, Tehran, Iran.

[email protected] mail:-Corresponding Author's E *

Abstract

Using air as shared medium of wireless networks, attackers easily penetrate the

networks. Of most important attacks in wireless networks is spoofing attacks that disrupt

or reduce the efficiency of the network. In this paper, using fuzzy logic, a novel method is

presented for detection of spoofing attacks in wireless networks on the basis of received

signal strength (RSS); it is related to node physical characteristics that cannot simply be

spoofed. It is used fuzzy logic due to the fact that behavior of nodes and attackers is

different and variable in wireless networks and also RSS is affected by environmental

impacts, such as signal loss, shadowing and nodes’ movement, resulting in system

uncertainty. In this method, by collecting the values of nodes’ RSS using 4 access points

in 802.11 wireless networks, various levels of signals are evaluated, it is estimated

through fuzzy rules nodes’ location and they are distinguished through fuzzy rules of

attacks. The results of proposed detection method show that detection rate increase, false

detection rate and running time decrease comparing other methods.

Keywords: Spoofing attack, fuzzy logic, RSS

1. Introduction

Increasing use of wireless networks, security issues have become important. Since air

is common as transition medium in wireless networks, intrusion and attack to these

networks are readily performed. Spoofing is regarded as one of the most important

mailto:[email protected]


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1367

attacks in wireless networks in which attacker can penetrate, eavesdrop and disrupts the

network and leads to other attacks, including DOS and Man-In-Middle attack [1]. Thus,

detection of identity spoofing attacks is one of the most important issues in security and

intrusion detection in wireless networks. Among most important spoofing attacks in

interior wireless networks, like 802.11, it can be pointed to MAC address spoofing in

which the attacker attempts to send packets and network attack via MAC address

spoofing instead of an allowed node in the network [1]. There are primary techniques,

including encryption of WPA and WPA2, SSDI method and MAC address filtering

preventing intrusion. However, attackers can simply pass through the security barriers.

Using various encryption methods, like spoofing attacks is among most general and

traditional methods for attack prevention in wireless networks. But encrypting techniques

have always complicated calculation with data overhead and hence using this technique is

not appropriate in all networks. Moreover, encryption techniques protect data frames and

an attacker can spoof administrative and control frames and penetrate the network [1]-[2].

Recently, it has been used received signal strength (RSS) for detecting spoofing attacks.

RSS is one of the physical characteristics of wireless nodes and stations which are unique

for each device and it can be regarded asreceived energy value of signal from received

frame measured by received antenna. RSS is a measurement value which can hardly be

spoofed and it has correlation with the location of message sender. Since a wireless

device cannot usually change its sending power, strong and severe changes in RSS

measurements of a MAC address sending frames might indicate a spoofing attack [1]-[3].

RSS has a relationship with sending power, the distance between receiver and sender

and radio environment and thereby it is affected by environmental conditions, including

signal loss, absorption impact, fading and shadowing [1]-[4]. Due to the fact that

environmental conditions affect RSS values and it has some changes and also nodes and

attackers’ behaviors are different and variable in wireless networks, it is used fuzzy logic

for issues with vague and indecisive information. The most important advantage of using

fuzzy logic is its strength in dealing with indecisive issues [4]-[5].


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1368

In this paper, a new technique is presented for detection of spoofing attacks in wireless

networks using fuzzy logic on the basis of RSS feature. In the technique, attack detections

are explained by analysis of different levels of nodereceived energy in several access

points and estimation of nodes location using fuzzy logic. Of most important advantages

of the technique is detection of nodes and attackers movement, because if nodes and

attackers are mobile which is contributed to signal level change, the attack detection and

location will become more difficult. Using fuzzy logic based on RSS features of nodes for

detecting spoofing attacks has led to detection rate increase, reduction of detection false

rate and running time comparing other methods.

2. Literature Review

Using various encryption methods, like spoofing attacks is among most general and

old methods for attack prevention in wireless networks. The presented technique in [6] of

data and messages using DUAL RSA algorithm is encrypted and it is transferred via a

random port. DUAL RSA algorithm is a more advanced sample of RSA algorithm which

produces two components; it has reduced sufficient storage memory of buttons by

reduction of their size.

A technique is simultaneously presented for encryption and identity authentication.

Through VPN, an encrypted session is launched for traffic exchange between server and

client. VPN confirms the identified authentication and only registered users are allowed

to exchange information with the access points. In this technique, clients use 802.11B

standards in access points and all users should be identified at MAC level to be connected

to access points [7].

A combined encryption method with MAC filtering method and periodical identity

authentication is presented after sending every specific number of data frames. In the

method, the process of identity authentication has two parts; in the first part, the unique

information of each client, like computer name, CPU username and current time, is

encrypted as a value through hash method and it is added to header of data frame. In the


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1369

second part, access points make some changes in control lists by adding this unique

information for each data frame of clients in which its MAC address is available in MAC

filtering list. Therefore, when a data frame is received from each client, MAC address of

the node is checked and after verification, the encrypted button value which is based on

node information and the time of frame creation is recalculated and compared to the value

of encrypted button stored in available list [8].

One of the most popular and traditional methods for prevention of attacks in the

wireless networks are encryption methods but these methods are not always desirable to

apply because of its computational cost, and data overhead.moreover most of them only

protect data frames so an attacker can spoof administrative and control frames to impose

fundamental impacts. Hence, other methods, like sequence number (SN) analysis, finger

print of sender and RSS are presented for MAC spoofing attack detection [1]- [3]. SN

analysis method is on the basis of frame header of MAC layer. Consider the assumption

that a legitimate device produces a linear succession of set of numbers and attacker

cannot manipulate numbers’ sequence, because it is among available firmware in network

cards. When attacker’s SN counter is different from victim’s card, an abnormal SN gap is

appeared in frame sequence of MAC address which demonstrates a spoofing attack. But

there is possibility of SN frame manipulation and also spoofing of all MAC layers [6].

Range frequency patterns of radio frequency (RF) signal is used as finger print for

sender identity detection. In the method, it has used RF samples for comparison rate

based on RF operating frequency and it needs measurement device for indicating both

devices efficiency, like RF spectrum analysis and analysis device. These supplies and

requirements result in removal of this application [7]. Another recently presented method

uses RSS for distinguishing and spoofing detection attacks. Many 802.11 chipsets

provide pre-frame of RSS. There is a relationship between RSS value and sending power,

distance of receiver and sender and radio environment [8]- [10]. In [1], based on Gaussian

distribution model, creating RSS profiles is presented for spoofing attack detection. By

analysis and evaluation of RSS pattern using several access points for collecting RSS


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1370

values, it considers providing a template for creating RSS profiles based on distribution

function of combined Gaussian. If attackers are away from victims, their RSS is so

different and it is readily detectable. Despite the high number of access points, even if an

attacker change and manipulate its sending power and strength in order to imitate the

pattern of victim node, there will be a possibility to detect attacks.

In more conducted studies [2], Yang et al. using GADM model with nodes and

attackers localization deal with spoofing attack detection via RSS. Given that the

environmental factors impact RSS values and it is associated with fluctuations, clustering

analysis with PAM algorithms has been used to enhance accuracy. If RSS value is for a

node, it shows the node presence in a cluster and if it is in two different locations, thus

they will be placed in two clusters. During the attack, the victim and the attacker have an

identical ID for sending packets and read received signal is a combination of attacker

node and victim for each ID.In the detection of each signal vector from the identified

point, it is divided to two clusters. During the attack, a confirmed identity is in more than

one physical location in two different clusters which indicates an attack. Also if the

attacker with different energy levels intends to send the packet, it would be placed in two

different clusters in spite of cluster model and the attack is detected. It is worth noting

that nodes location is assumed as fixed.

A method is presented for spoofing attack detection in mobile wireless networks

which is improved version of Demote system [3]. The main idea of demote technique is

using the connection between RSS and physical location of a mobile device. Through

determining a threshold value for clustering, the values of RSS and restoring consider

attack detection. In normal condition that there is no attack, RSS value of a node has an

identity for a physical location. If a spoofing attack occurs, the impact of attacker node

RSS is a combination of victim node RSS and attacker node’s RSS. These two impacts

are addressed two physical locations not related much to each other. Attack detection is

occurred based on RSS and nodes’ localization. There are also other techniques for

wireless nodes’ localization in a network [2].Another localization method is using GPS,


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1371

but it is used more for open environments and it is not precise for closed areas or inside

buildings [4]- [5]. Method presented [4] deals with Wi-Fi localization on the basis of

fuzzy techniques with the least localization errors and measurement management of

uncertain signals. For improving the location system in Wi-Fi, it is important to consider

the environmental variables which affect the signal level, such as situation impacts, signal

loss due to large distance, movement and displacement of nodes, resulting in system’s

indecision. In this technique, signal levels are divided by membership functions and they

are estimated based on designed fuzzy rules of node location. Fuzzy rules of this

technique are on the basis of two movement models of node; it can be horizontal, vertical

and centric.

Using fuzzy logic, it has been considered nodes location in wireless sensor networks.

When the signal is emitted, signal attenuation is occurred because of the moving distance

and thereby the nodes distance can be achieved [5]. For location estimation of a device,

RSS level of each access point is measured. Signal level depends on the distance of two

nodes and the barriers between access point and sender.The new offered method deals

with spoofing attack detection and localization of nodes and attackers using fuzzy logic

and based on nodes’ RSS with the least calculations.

3. proposed technique of spoofing attack detection

In this section, suggested technique is explained and designed fuzzy system is

presented. The technique considers two conditions:

- If a node RSS is fixed and level difference is low with not much change, the node

is fixed and static and then node location is estimated using fuzzy rules. And an

attack is detected, if calculated condition is outside the desired range.

- If the received energy level of nodes is variable, this node can be regarded as a

suspicious one or energy change is due to location change and node’s mobility.

Thus, node condition is estimated as [4] method.

- If the attacker is intended to spoof its condition, the suggested technique can

detect the attack; since in each time interval, localization and the analysis of


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1372

received signal level are occurred in several access points. Other access points

can detect this location spoofing. So that after localization and status of each

node, access points send information for an access point which is selected as the

server; for another comparison occurs according to condition and signal level in

time intervals of all access points and thus detection rate increases and error rate

decreases.

Proposed fuzzy logic system of figure 1 includes two blocks: RSS values of nodes are

available with their MAC address and after obtaining the set of signal values from each

access point, they are divided based on membership functions. These values are then

analyzed and evaluated according to block fuzzy rules. After implementing fuzzy rules,

the output of the block detects the nodes which signal level is variable and is not in

defined interval or the energy level frequencies of node is so variable, as a suspicious or

mobile one and it is reported to block 2.

In block 2, the fuzzy system of nodes’ location is estimated. The localization method

used in the block is an improved technique of method [4] designed in two phases.

It is worth noting that blocks 1 and 2 are paralleled conducted in order to reduce

implementation time and increase detection speed. Also, access points are fixed and their

location and distance of each other are specified. In block 1, the nodes that have too

weak/strong signal level as attacker are removedfrom the network. In block 2, each access

pointcalculates the location of all nodes and the points outside of environment interval is

detected as attacker and they are removed from the network.


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1373

Figure1: Suggested fuzzy system

4. Simulation

The simulation is performed through MATLAB 2010 software via a Core i7 processor

laptop. Tested data of [11] include sent packets of 330 nodes with 13 access points in a

wireless network and the Standard of 802.11. In the simulation, four access points are

selected for analysis and location calculation and 15 nodes out of 330 ones are considered

as attacker node. In block 1 (figure 2), the value of received signal level is categorized in

[-90, -40] interval and 7 membership functions of {VH, H, HM, M, LM, L, VL}.

According to designed fuzzy rules (table 1), the signal differences are evaluated and the

output is placed in [0, 1] in four groups of {High, Medium1, Medium2, Low}.

Since the data are so outspread and it is difficult to determine a defined interval for

received signals, it is used the mean and standard deviation of signals for determining

membership function intervals and their grouping. Regarding block 1 output, if there is a

node with signal level less or more than [-90, -40], it is out of network and should be

removed. If it has different levels of signals, there is the possibility for mobility or

attacking reported to block 2.


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1374

Table1: Fuzzy rules of block 1

Figure2 (a): The membership functions of block1 Figure2 (b): Output of block1

In block 2, localization and detection is taken place in two phases. As it can be seen in

figure 3, in first phase, it is used 7 membership functions of {VH, H, MH, M, LM, L,

VL} for categorization of signal level and distance determination. The output of node

AP4 AP3 AP2 AP2

VH VH H VH High

H H HM H

HM HM M HM Medium1

M H M H

H M M M Medium2

LM LM LM LM

L L L L Low

VL VL VL VL

OUT OUT OUT OUT OUT


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1375

estimated distance from access points are in [0-35] divided into five-meter distances. In

second phase, it is used localization technique of [2] for localization and positioning and

if the node is mobile, the next location is recognized.

Table2: Fuzzy rules of block 2

OUT 30-35 25-30 20-25 15-20 10-15 5-10 0-5

OUT H H HM HM L VL VL AP1

OUT H H HM HM L VL VL AP2

OUT H H HM HM L VL VL Ap3

OUT H H HM HM L VL VL Ap4

Figure3 (a): The membership functions of block 2 Figure3 (b): Output of block 2

5. Results

According to table 3, considering 4 access points, detection rate over than 99% and

erroneous detection are of 0.009 were obtained and also the duration of attack detection

time was 18 seconds. As the number of Access Points increase, the detection rate of

attack increases and the rate of false detection decrease. Presented attack detection rate is


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1376

improved compared to GADE algorithm in [2] and false detection rate is decreased.

Furthermore, since fuzzy logic has low calculations, the implementation time of

suggested method has significantly reduced.

Table3: Attack detection rate and failure rate in suggested technique

Table4: The comparison of suggested method results regarding [2]

Conclusion

In the suggested method, for determining the attack detection of identity spoofing in

wireless networks,it is used RSS which can hardly be spoofed. And because this feature is

affected by environmental factors, detection failure can be reduced and detection rate is

increased through fuzzy logic. Also, due to the fact that comparing other methods this

method has low calculations, attack detection time of these systems are very short. The

method can determine the attack detection of identity spoofing, node’s mobility or

fixation and its localization.

4 3 2 1 Access points

0.99 0.918 0.848 0.80 Attack detection rate

0.008 0.053 0.103 0.25 False detection rate

Detection time

(sec)

Failure detection

rate

Attack detection

rate Method

18 0.008 0.990 Suggested method

34 0.10 0.985 GADE


Vol. 4(12), Jul, 2014, pp. 1366-1377, ISSN: 2305-0543



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1377

References

[1] Y.Sheng,K.Tan,G.Chen,D.Kotz And A.Campbell, "Detecting 802.11 Mac Layer Spoofing Using

Received Signal Strength",Proc.IEEEInfocom,(2008), pp. 2441-2449.

[2] J.Yang ,Y.Chen, "Detection And Localization Of Multiple Spoofing Attackers In Wireless Networks

",Ieee , Vol.24 ,No.1,(2013), pp. 44-57.

[3] J.Yang,Y.Chen And W.Trappe, "Detecting Spoofing Attacks In Mobile Wireless Environments",(2009)

proc.IEEE SECON.

[4] N.Hernandez And F.Hernanz,"Wifi Localization System Based On Fuzzy Logic To Deal With Signal

Variations", IEEE Conference on Emerging Technologies & Factory Automation (2009), pp. 1-6.

[5] S.Kianush and A.Dana, "Self Localization in Sensor Networks Using Fuzzy Logic", The scientific-

specific journal of Electricity Engineering,(2007),pp. 39-46.

[6] J.wright,"Detection Wireless Lan Mac Address Spoofing ",technical document (2003) .[online]Available:

http://home.jwu.edu/jwright/papers/wlan-mac-spoof.pdf .

[7] J.Hall and M.bareau,"Using transceiver prints for anomaly based instrusiondetection”, in processing of

3rd IASTED,CIIT (2004),pp. 22-24.

[8] P. Jinesh ,S.FeshlinAnish Mon And Dr. TahsinUgurulu, " Security Enhancement For Wi-Fi Through

Multiple Encryptions", ICWN (2010), pp.182-177.

[9] A.Rashid, M. Saleem Khan and F.Zafar,” A New Approach of Wireless Network Traffic on VPN”, World

Academy Of Science, Engineering And Technology 77, (2011)pp. 376-371.

[10] S.Bhaya and A.AlAsady, "Prevention of spoofing Attack in the Infrastructure wireless Network”, Journal

of computer science 8 (2012),pp. 1769-1779.

[11] "CRAWDAD: Acommunity resource for archiving wireless data at Dartmouth", available At

http://crawdad.org/mannheim/compass/online.

detection of spoofing attack in wireless networks...

Documents