
Wireless Pers Commun, DOI 10.1007/s11277-013-1161-5

Prevention of DoS Attacks in VANET

Karan Verma · Halabi Hasbullah · Ashok Kumar

© Springer Science+Business Media New York 2013

Abstract Privacy and Security have become an indispensable matter of attention in the Vehicular Ad-Hoc Network, which is vulnerable to many security threats these days. One of them is the Denial of Service (DoS) attacks, where a malicious node forges a large number of fake identities, i.e., Internet Protocol (IP) addresses in order to disrupt the proper functioning of fair data transfer between two fast-moving vehicles. In this paper, a distributed and robust approach is presented to defend against DoS attacks. In this proposed scheme, the fake identities of malicious vehicles are analyzed with the help of consistent existing IP address information. Beacon packets are exchanged periodically by all the vehicles to announce their presence and to become aware of the next node. Each node periodically keeps a record of its database by exchanging the information in its environment. If some nodes observe that they have similar IP addresses in the database, these similar IP addresses are identified as DoS attacks. However, it can be expected that security attacks are likely to increase in the coming future due to more and more wireless applications being developed onto the well-known exposed nature of the wireless medium. In this respect, the network availability is exposed to many types of attacks. A DoS attack on the network availability is being elaborated in this paper. A model of a product interaction for DoS prevention has been developed called “IP-CHOCK” that will lead to the prevention of DoS attacks. The proposed approach will be able to locate malicious nodes without the requirement of any secret information exchange and special hardware support. Simulation results demonstrate that the detection rate increases when optimal numbers of nodes are forged by the attackers.

K. Verma (B) · H. Hasbullah
Department of Computer & Information Sciences, Universiti Teknologi PETRONAS, Seri Iskandar, Malaysia
e-mail: [email protected]

H. Hasbullah
e-mail: [email protected]

A. Kumar
Electronics and Communication Engineering, Government Women Engineering College, Ajmer, India
e-mail: [email protected]

123

K. Verma et al.

Keywords Vehicular ad hoc network · Security · Denial of Service (DoS) · Attacks · IP addresses · Bloom filter · Hash function

1 Introduction

The growth of population is leading to an increase in the growth of transportation. These days the advancement of technology provides an intelligent transportation system. These transportation facilities are equipped with communication devices and internet facilities. Such facilities are based on fixed wired networks, mobile wireless networks and hybrid networks. The fixed wired infrastructural network faces a lot of problems such as access points, cell sites and a lot of digital equipment and cables. On the other hand a wireless network is easy to install and maintain [1,2,5,16,19,28]. A wireless network is divided into two sections; one section is with infrastructure and another is without infrastructure. Such networks are called Mobile Ad Hoc Networks (MANETs). MANETs applied in intelligent transportation systems are called Vehicular Ad Hoc Networks (VANETs). VANET provides great flexibility, an efficient transportation service and also an efficient management of the transportation service. Traffic safety is one of the most important problems in the intelligent VANET [1,9,15,25]. The generation of VANET is significant to traffic management and roadside safety. Unfortunately, VANET also comes with its own set of challenges, especially in the aspects of security and privacy. As a special implementation of Mobile Ad Hoc Networks (MANETs), VANET can be subjected to many security threats which may lead to increased malicious attacks and service abuses [2,25,29]. Figure 1 describes the communication of VANET.

VANET has been suffering some serious attacks and threats. Such attacks cause the service of the network to break and are called Denial of Service attacks (DoS). A service distributor applies various attack patterns for a DoS attack such as a Sybil attack, Fabrication attack, Alteration attack or a Replay attack. Due to the mobility and motion of VANET, it is easy for an attacker to access the threat and destroy the service of VANET. Some attackers are insiders and some attackers are outsiders of the network [3,7,4,19,21,23].

Fig. 1 Communication in VANET


Prevention of DoS Attacks

The general aim of the research work is to develop a communication link between all mobile nodes and IP addresses “IP-CHOCK” through which we maintain the service abilities for the prevention of DoS attacks in VANET. Based on these improvements, this paper has two objectives.

• To develop a secure communication network.
• To develop a hybrid method of packet filtering (IP address) that combines Clock Synchronization (between nodes) and a Reference Broadcast Method.

The growth of technology and facilities of the transportation industry need a secure VANET for proper communication and data transmission. However, due to the node mobility and dynamic infrastructure, the network is not secured. Various attackers attack with different approaches, perform some illegal task and interrupt the service of VANET [3,9,13]. The proper management of VANET is a challenging task due to the mobility and velocity of vehicle nodes. All devices work in an open channel area which makes security a challenging task for the vehicles. Due to the mobility in an open channel area, the possibility of threats and attacks is very high. On the basis of related work and found data, DoS attacks are serious attacks on the environment of VANET. Various methods and applications are used for the prevention of DoS attacks but all these methods and processes are not up to the mark [4,7,17,26,40,44].

Due to the high mobility of vehicles, the distribution of nodes within the network changes very rapidly and unexpectedly. Moreover the wireless links initialize and break down frequently and even unpredictably. Impersonation is an attempt by a node to send a modified version of a message received from the real originator for the wrong purpose, while claiming that the message has come from the same originator. To overcome this problem, a unique identifier (IP address) is assigned to each vehicle node in a VANET, which is used to verify the real message originator [5]. It is important to protect this identifier so that it is not misused by the attacker [4,7,18,19].

The attacker attacks the communication medium to jam the channels or to create some problem for the nodes (IP addresses) to access the network. A malicious user sends on high frequency channels and jams the communication in various nodes, and thus the nodes cannot send or receive messages. If the malicious user sends a warning message, every node receives this message. However, by sending the same messages repeatedly, the receiver’s side becomes busy. The Road Side Unit (RSU) continuously becomes busy in trying to verify the IP address message sent by IP-CHOCK. Because of this any other IP address (node) communicating with the RSU will not be able to get any response from it. This causes the unavailability of the service for all IP address nodes by IP-CHOCK [1,5,17,25].
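The abstract describes the detection idea behind the scheme: every vehicle beacons periodically, each node keeps a database of the identities it has heard, nodes exchange these databases, and an IP address that shows up with conflicting origins is treated as forged. The following is an added illustration of that bookkeeping, not code from the paper. It assumes that a receiving node can tell which link-layer origin (`link_id`, an assumed field) a beacon physically arrived from, and it flags two things the abstract mentions: one IP address claimed by more than one origin, and one origin claiming many IP addresses.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One periodic beacon as received by a neighbour (field names are assumptions)."""
    ip: str        # identity the sender claims in the beacon
    link_id: str   # link-layer origin the beacon physically arrived from
    t: float       # local receive time in seconds


class NeighbourDatabase:
    """Per-node record of which origin has claimed which IP address, and when."""

    def __init__(self, window: float = 5.0):
        self.window = window                      # seconds an entry stays alive
        self.seen = defaultdict(dict)             # ip -> {link_id -> last time seen}

    def observe(self, b: Beacon) -> None:
        prev = self.seen[b.ip].get(b.link_id, b.t)
        self.seen[b.ip][b.link_id] = max(prev, b.t)

    def expire(self, now: float) -> None:
        """Drop origins not heard within the window; drop IPs left without origins."""
        for ip in list(self.seen):
            fresh = {l: t for l, t in self.seen[ip].items() if now - t <= self.window}
            if fresh:
                self.seen[ip] = fresh
            else:
                del self.seen[ip]

    def merge(self, other: "NeighbourDatabase") -> None:
        """The periodic database exchange between neighbouring nodes."""
        for ip, origins in other.seen.items():
            for link_id, t in origins.items():
                self.seen[ip][link_id] = max(t, self.seen[ip].get(link_id, t))

    def duplicated_ips(self) -> dict:
        """IP addresses claimed by more than one origin: the 'similar IP' case."""
        return {ip: set(o) for ip, o in self.seen.items() if len(o) > 1}

    def prolific_origins(self, max_ips: int = 1) -> dict:
        """Origins claiming more IP addresses than a single vehicle should own."""
        by_link = defaultdict(set)
        for ip, origins in self.seen.items():
            for link_id in origins:
                by_link[link_id].add(ip)
        return {l: ips for l, ips in by_link.items() if len(ips) > max_ips}


def run_scenario():
    """Constructed traffic: two honest vehicles and one forger claiming several IPs."""
    node_a, node_b = NeighbourDatabase(), NeighbourDatabase()
    honest = [Beacon("10.0.0.5", "lnk-a", 1.0), Beacon("10.0.0.6", "lnk-b", 1.1)]
    forged = [Beacon(ip, "lnk-x", 1.2 + i * 0.01)
              for i, ip in enumerate(["10.0.0.5", "10.0.0.40", "10.0.0.41"])]
    for b in honest:
        node_a.observe(b)
    for b in forged:
        node_b.observe(b)          # node B only hears the forger directly
    node_a.merge(node_b)           # the exchange lets node A see the conflict
    return node_a.duplicated_ips(), node_a.prolific_origins()


if __name__ == "__main__":
    dup, prolific = run_scenario()
    print("IPs with conflicting origins:", dup)
    print("origins claiming several IPs:", prolific)
```

The window-based expiry matters in a vehicular setting: a legitimately re-assigned address would otherwise look like a conflict long after the previous owner has driven out of range.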

We provide a security analysis on our schemes and on the effectiveness of using a Bloom filter having a Hash Function in the vehicles detected. Through the analysis and simulation result we want to show that our scheme increases the detection rate and reduces the bandwidth consumed by the attacker. The detection rate is 90 % when compared with the existing Bloom filter [10,35,37].

The remainder of this paper is organized as follows: Sect. 2 reviews some related works, Sect. 3 describes the overview of the system architecture, Sect. 4 proposes the DoS defense model and the idea of the proposed schemes, Sect. 5 describes the mathematical analysis of filtering mechanisms, Sect. 6 shows the performance evaluation and finally the paper concludes in Sect. 7.


Fig. 2 Classification of DoS attacks

2 Related Work

In this section, we first describe the security threats in VANET, then briefly explain traffic detection filtering management for VANET, and finally describe the detection monitoring table (Bloom Filter with Hash Function).

2.1 Security Threats in VANET

These days the most common destructive attack found in VANET regarding communication networks is the DoS attack. Such an attack denies all services provided by the VANET. Figure 2 describes the classification of DoS attacks. DoS attacks can be carried out in two different modes [39]:

• Network Mode

The Network Mode of the DoS attack creates a serious problem in the VANET. In this attack the provided bandwidth is blocked by the attacker and the communication network becomes as if it is jammed [32].

• Application Mode

The Application Mode attack broadcasts a wrong message to mobile vehicle drivers and diverts them to another path [42].

(1) Sybil Attack

This attack happens when an attacker creates a large number of pseudonyms and claims or acts like more than a hundred vehicles in order to tell other vehicles that there is a jam ahead and forces them to take an alternate route. A Sybil attack depends on, firstly, how cheaply identities can be generated, secondly the degree to which the system accepts inputs from entities that do not have a chain of trust linking them to a trusted entity, and thirdly whether the system treats all entities identically. For instance an attacker can act like a hundred vehicles to convince the other vehicles on the road that there is congestion and instruct them to go to another route, so that the road will be clear for him/her [15,20].


(2) Message Suspension Attack

An attacker selectively drops packets from the network. These packets may hold critical information for the receiver. The attacker suppresses these packets and can use them again at another time. The goal of such an attacker would be to prevent registration and insurance authorities from learning about collisions involving his/her vehicle and/or to avoid delivering collision reports to roadside access points. For instance, an attacker may suppress a congestion warning and use it at another time so that vehicles do not receive the warning and can be forced to wait in the traffic [7,15].

(3) Fabrication Attack

An attacker can make this attack by transmitting false information into the network. This information can be false or the transmitter can claim that it is someone else. This attack includes fabricated messages, warnings, certificates and identities [13,26].

(4) Alteration Attack

This attack happens when an attacker alters the existing data. It includes delaying the transmission of information, replaying earlier transmissions or altering the actual entry of the data transmitted. For instance, an attacker can alter a message telling other vehicles that the current road is clear while the road is really congested [6,12].

(5) Replay Attack

This attack happens when an attacker replays the transmission of earlier information to take advantage of the situation of the message at the time of sending [8]. Basic 802.11 security has no protection against replay. It does not contain sequence numbers or timestamps. As keys can be reused, it is possible to replay stored messages with the same keys to insert bogus messages into the system without any detection. Individual packets must be authenticated, not just encrypted. Packets must have timestamps. The goal of such an attack can be to confuse the authorities and possibly to prevent identification of vehicles in hit-and-run incidents [15,28].

2.2 Traffic Detection Filtering Management for VANETs

A study of various research papers and journals found the problems of VANET and their related solutions. Some existing mechanisms for filtering the IP-spoofed packet problem and its solutions are discussed here in the form of a summary.

C. Yuh-Shyan, H. Chih-Shun and Y. Wei-Han “An IP passing protocol for vehicular ad hoc networks with network fragmentation”. According to the authors, the IP addresses protocol may be able to reduce the handoff delay and maintain the connectivity of the vehicle to the internet when the entire vehicle is connected. When network fragmentation occurs, a vehicle cannot pass an IP address to the intended vehicle through existing IP passing protocols and thus incurs longer handoff latency and a higher packet loss rate. This lowers the throughput of the network. To improve IP addresses, passing protocols can postpone the time to release IP addresses to the DHCP server and select a faster way to get the vehicle a new IP address [3].

L. Nai-Wei and T. Hsiao-Chien “Illusion Attack on VANET Applications—A Message Plausibility Problem”. In this title, the author deals with an illusion attack which is similar to a DoS attack. This attack also jams the network. Such an attack is described as follows: based on the current condition of the road, the adversary broadcasts scene-aligned traffic warning messages which produce an illusion to cars in its neighborhood. In consequence, the illusion can largely manipulate other drivers’ behaviors in their responses. The illusion attack can easily cause car accidents, traffic jams and a decrease of VANET performance in terms of bandwidth utilization. The authors explain why traditional authentication mechanisms cannot resolve this security threat effectively and propose a new model, called Plausibility Validation Network (PVN), to remedy the illusion attack [13].

T. W. Chim, S. M. Yiu, C. K. Lucas and L. O. K. Victor “SPECS—secure and privacy enhancing communication schemes for VANETs.” Messages should be signed and verified before they are trusted. The real identity of vehicles should not be revealed, but must be traceable by the authorized party. We provide a software-based solution which makes use of only two shared secrets to satisfy the privacy requirements (with security analysis) and gives lower message overhead. It provides a 45 % higher success rate than previous solutions in the message verification phase using the Bloom filter and the binary search techniques [11]. The computation power of an OBU is not strong enough to handle all verifications in a short time, especially in places where the traffic density is high. To verify a message from an unknown vehicle involves the transmission of a public key certificate which causes heavy message overhead [14].

C. Jianmin and W. Jie “Cooperative Anonymity Authentication in Vehicular Networks” deals with the field of data privacy in Vehicular Ad hoc NETworks (VANET), a practical issue currently under research and development. Privacy preserving anonymity authentication in a network is a challenging topic combining anonymity, authentication, data privacy and the network. Existing anonymity authentication in VANET is based on the k-anonymity model, but k-anonymity model group selection may leak information due to the absence of diversity in the sensitive attribute etc., and thus group selection is a problem left unresolved. This paper addresses anonymity authentication attack issues, how to improve efficiency and sustain the anonymity service using cooperation instead of a zero trust model, and the flexibility of vehicular side group selection to adapt to changing privacy-preserving concerns [31].

K. Sampigethaya, L. Mingyan, H. Leping and R. Poovendran “AMOEBA: Robust Location Privacy Scheme for VANET”. Ensuring the safety rendered by the V2V communications tests the VANET connectivity and the authenticity and integrity of the communication. The unique requirement of maintaining the liability of vehicles when accidents occur necessitates that vehicles be identifiable at any given time, hence giving rise to privacy concerns. Communication messages in vehicular ad hoc networks (VANET) can be used to locate and track vehicles. While tracking can be beneficial for vehicle navigation, it can also lead to threats on the location privacy of the vehicle user. In this paper, we address the problem of mitigating unauthorized tracking of vehicles based on their broadcast communications, to enhance the user location privacy in VANET. Compared to other mobile networks, VANET exhibits unique characteristics in terms of vehicular mobility constraints, application requirements such as a safety message broadcast period, and vehicular network connectivity [17].

J. T. Isaac, S. Zeadally and J. S. Camara “Security attacks and solutions for vehicular ad hoc networks.” In this title the author describes improved road safety and enables a wide variety of value added services. Many forms of attacks against VANET have emerged recently which attempt to compromise the security of such networks. Such security attacks on VANET may lead to catastrophic results such as the loss of lives or of revenue for those value added services. This paper presents some of the main security threats and attacks that can be exploited in VANET and corresponding security solutions that can be implemented [2].

A. Baber, P. Soyoung and C. Z. Cliff “Secure Traffic Data Propagation in Vehicular Ad Hoc Networks”. Vehicles can share traffic/emergency information. The information should not be modified/manipulated during transmission without detection. There are two novel approaches providing reliable traffic information propagation: two directional data verification and time based data verification. A recipient vehicle verifies the message integrity by checking whether the data received from both channels are comparable with the IP address security system [11].

Table 1 Taxonomy of security and certificate revocation schemes

Revocation schemes | High mobility | Flexibility | Dynamic | Link-ability | Traceability

Yuh-Shyan et al. [3] x x x x

Nai-We and Hsiao-Chien [13] x x x

Chim et al. [14] x x x

Jianmin and Jie [31] x x x

Sampigethaya et al. [17] x x x

Isaac et al. [2] x x x x

Baber et al. [11] x x x

Table 1 summarizes the security schemes and classifies them according to whether a scheme uses (i) High mobility (ii) Flexibility (iii) Dynamic (iv) Link-ability (v) Traceability [9].

Table 2 summarizes the difference between related work and the proposed work.

2.3 Detection Monitoring Table (Bloom Filter with Hash Function)

In order to capture an abnormal connection on the request of the vehicle side, the traffic is analyzed and recorded. Considering the volume of traffic on the internet, significant memory and computational resources to record the behavior of each packet are required. Therefore, based on the Bloom Filter, a space-efficient hash data structure is used to record the behavior of each packet. An introduction to the original Bloom Filter is given below, followed by the introduction to the Modified Bloom Filter [15,19,23,29,30].

(1) Bloom Filter

The Bloom Filter was first described in 1970 by Burton Bloom [15] and is widely used in many applications such as databases, peer to peer networks, resource allocation and packet routing in order to reduce the disk accesses to differential files, and in other applications, e.g., spell checkers [5,9,15,34,40].

A Bloom Filter is a space-efficient data structure which is used to test whether an element is a member of a set or not. It is an array of m bits {b1, b2, . . . , bm}, initialized to zero, and is used to represent the set of n elements, S = {x1, x2, . . . , xn}. The filter uses k independent and uniform hash functions, {h1, h2, . . . , hk}, each returning a value between 1 and m. To add an element xi ∈ {x1, x2, . . . , xn} to the filter, the k hash functions are applied on the input xi and the corresponding bits in the filter are set (Fig. 3). The following is the pseudo code for adding an element x to the filter [15,17,23,29,39].


Table 2 Difference between related work and the proposed work

Columns: Related work | Strengths | Weakness | Proposed work

Related work: Yuh-Shyan et al. [3]
Strengths: Describes an effective reduction of the handoff delay and maintains the connectivity of a vehicle with the internet, using a DHCP server and selecting a faster way to get IP addresses. During the extended IP lifetime, a vehicle can acquire an IP address through multi-hop relays from other vehicles.
Weakness: Verifying a message from an unknown vehicle involves transmissions across a network fragmentation, which causes heavy message overhead.
Proposed work: Find the attacker’s broken intermittent node, so that an un-authenticated message is sent to IP-CHOCK, which finds its real node. Find node authentication.

Related work: Nai-Wei and Hsiao-Chien [13]
Strengths: The attack description is based on the current condition on the road: the adversary broadcasts scene-aligned traffic warning messages, which produce an illusion to cars in its neighborhood.
Weakness: Verifying a message from an unknown vehicle involves the transmission of a public key certificate, which causes heavy message overhead.
Proposed work: Find the attacker’s broken intermittent node, so that an un-authenticated message is sent to IP-CHOCK, which finds its real node. Find node authentication.

Related work: Chim et al. [14]
Strengths: In this title the author describes location based privacy in VANET using group communication. Proposes a group communication protocol to allow known vehicles to form a group for secure communication.
Weakness: The computation power of an OBU is not strong enough to handle all verifications in a short time, especially in places where the traffic density is high. Individual vehicles cannot communicate.
Proposed work: Find the attacker who has sent so many fake node requests, then filter at the Master Node by connecting all mobility nodes, check the IP address and send it to IP-CHOCK. Vehicles in the same group can still communicate without the RSU.

Related work: Jianmin and Jie [31]
Strengths: Deals with DoS attack and prevention; uses a cryptography technique and a puzzle for the prevention of DoS attack. The cooperative design also relaxes restraints and supports anonymity, accommodating various anonymity models.
Weakness: The work is only for the RSU unit.
Proposed work: Find the attackers that send so many packets at the network level. Use a filter design, send packets by RBS (Reference Broadcast) and reduce frequency jamming.

Related work: Sampigethaya et al. [17] (2009, Globecom’09)
Strengths: Vehicular groups for anonymous access to location based service applications in VANET. The robustness of the user privacy is considered under various attacks.
Weakness: Mitigation of unauthorized location tracking of vehicles. All information goes to the location server.
Proposed work: Find the location of one node relative to another in VANET, given the unauthorized tracking of vehicles based on their broadcasts.

Related work: Isaac et al. [2] (International Journal of Ad Hoc & Ubiquitous Computing)
Strengths: Behavior of the attacker and some new possible attacks. Deals with attacks in the vehicular ad hoc network and poses a behavior model of the attacker for prevention of the attack.
Weakness: That model works only at the primary level and every time verifies data and time based data, so message passing is slow and costly.
Proposed work: Find an approach that sends the IP to a verification IP scanning process, then sends it to the next level, so connection time is less and bandwidth depletion is avoided.

Related work: Baber et al. [11] (2011, Elsevier)
Strengths: The author measures the strength of frequency for the prevention of DoS attack.
Weakness: Only data access cost, considering various vehicle splits.
Proposed work: Reference node synchronization.

It should be noted that when a bit is already set to “1”, additional settings do not change it. The existing “1” is just overwritten, which is a simple operation for all the hash values. To test the membership of an element y, the k hash functions are applied to y and the corresponding bits are checked. If all the bits are equal to “1” then we can say that the element belongs to the set. The following pseudo-code checks if y is an element of the set [15,17,19,34,41].

If an element z has all the corresponding bits equal to “1” without the element itself belonging to the set then we get a false positive. The false positive rate can be calculated as follows [17,24,29,34].

Fig. 3 Modified Bloom filter uses independent hash functions to map input into corresponding bits

When a given hash function hi is applied to an input xi, the result is a value between 1 and m. Since the hash functions are uniform, the probability that this result is equal to a particular number b is 1/m. Therefore, the probability of the bit at position b being 1 after one hash function is 1/m and the probability that it is 0 is 1 − 1/m. The probability that it is 0 after all k hash functions are applied is (1 − 1/m)^k. Since there are n elements in the set, the probability that bit b is equal to 0 after we process all n elements is (1 − 1/m)^{kn}. Hence, 1 − (1 − 1/m)^{kn} is the probability that a given bit b is set to 1 after all input elements {x1, x2, . . . , xn} are processed. Since we want the false positive rate, we need the probability that for an arbitrary input y, the corresponding k bits are 1 without y belonging to the set. This probability is:

$$f_n = \left(1 - \left(1 - \frac{1}{m}\right)^{kn}\right)^{k} \qquad (1)$$

Similarly, we can express equation (2) as:

$$f_n \approx \left(1 - e^{-kn/m}\right)^{k} = \exp\!\left(k \ln\left(1 - e^{-kn/m}\right)\right) \qquad (2)$$

Finally, Eqs. (1) and (2) combine; differentiating the exponent y = k ln(1 − e^{−kn/m}) with respect to k gives:

$$\frac{dy}{dk} = \ln\left(1 - e^{-kn/m}\right) + \frac{kn}{m}\,\frac{e^{-kn/m}}{1 - e^{-kn/m}} \qquad (3)$$

It is easy to show that the expression (1 − e^{−nk/m})^k is minimized when k = ln 2 · (m/n) ≈ 0.7 m/n, giving a false positive probability f of:

$$f = \left(1 - e^{-nk/m}\right)^{k} = \left(\tfrac{1}{2}\right)^{k} \approx (0.6185)^{m/n} \qquad (4)$$

From the above Eq. (4), we can say that the false positive rate depends on k and the ratio m/k [12,23,31,40]. Now, the Bloom filter with hash functions has been extended to defend against DoS attacks [23,24,26]. We propose a modified Bloom filter in order to construct a hash table that can record UDP control packets at a limited storage cost. The modified structure of the hash table makes it possible to capture abnormal connections even where the volume of traffic is large and also avoids hash collisions with a fixed space-efficient data structure [2,7].
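The add and membership-test procedures described above (whose pseudo-code did not survive extraction) and the false-positive analysis of Eqs. (1), (2) and (4) are illustrated together in the following added example. It is not code from the paper: the k hash functions are derived from SHA-256 with the function index as a salt (an assumption; the paper does not fix a hash family), positions are 0-based rather than 1..m, and the member set is a constructed list of random IPv4 strings. The empirical rate it measures can be compared directly with the two formulas.

```python
import hashlib
import math
import random


class BloomFilter:
    """m-bit array with k hash functions; h_i(x) lands in [0, m)."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray(m)          # all bits start at 0

    def _positions(self, x: str):
        # k positions from SHA-256 salted with the function index (assumption of
        # this example; any k independent uniform hashes would do).
        data = x.encode()
        return [int.from_bytes(hashlib.sha256(bytes([i]) + data).digest()[:8], "big") % self.m
                for i in range(self.k)]

    def add(self, x: str) -> None:
        for p in self._positions(x):
            self.bits[p] = 1              # setting an already-set bit changes nothing

    def contains(self, y: str) -> bool:
        # all k bits set -> "probably in the set"; any bit clear -> definitely not
        return all(self.bits[p] for p in self._positions(y))


def fp_exact(m: int, k: float, n: int) -> float:
    """Eq. (1): (1 - (1 - 1/m)^(kn))^k."""
    return (1 - (1 - 1 / m) ** (k * n)) ** k


def fp_approx(m: int, k: float, n: int) -> float:
    """Eq. (2): (1 - e^(-kn/m))^k."""
    return (1 - math.exp(-k * n / m)) ** k


def optimal_k(m: int, n: int) -> float:
    """k = ln 2 * (m/n) minimises Eq. (2)."""
    return math.log(2) * m / n


def fp_at_optimal_k(m: int, n: int) -> float:
    """Eq. (4): (1/2)^k at the optimal k equals 0.6185^(m/n)."""
    return 0.6185 ** (m / n)


def random_ipv4(rng: random.Random) -> str:
    return ".".join(str(rng.randrange(256)) for _ in range(4))


def measure_false_positive_rate(m: int, k: int, n: int, probes: int = 20000, seed: int = 1) -> float:
    """Insert n constructed random IPs, then probe addresses known not to be members."""
    rng = random.Random(seed)
    bf = BloomFilter(m, k)
    members = set()
    while len(members) < n:
        members.add(random_ipv4(rng))
    for ip in members:
        bf.add(ip)
    hits = tested = 0
    while tested < probes:
        ip = random_ipv4(rng)
        if ip in members:
            continue                      # only non-members can be false positives
        tested += 1
        hits += bf.contains(ip)
    return hits / tested


if __name__ == "__main__":
    m, k, n = 1024, 4, 100
    print("Eq.(1) exact   :", fp_exact(m, k, n))
    print("Eq.(2) approx  :", fp_approx(m, k, n))
    print("measured       :", measure_false_positive_rate(m, k, n))
    print("optimal k      :", optimal_k(m, n))
    print("Eq.(4) at opt k:", fp_at_optimal_k(m, n))
```

With m = 1024, k = 4 and n = 100 both formulas give roughly 1.1 %, and the measured rate lands close to that; raising k toward the optimum of about 7 lowers the rate to about 0.7 %, which is the trade-off Eq. (4) captures.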


Fig. 4 Communication vehicle node and IP addresses

3 Preliminaries

In this section we will first describe the system architecture, then briefly explain the modified monitoring table used in the Bloom Filter and finally the vehicle detection schemes.

3.1 System Architecture

The defense system architecture of our scheme is as shown in Fig. 4. The proposed scheme is designed for VANETs with a communication network on a highway with two lanes in each direction. We assume that there are base stations (WiMAX, 3G, GPRS/UMTS) scattered along the roadside [43]. In this system HA is our master node and it records and scans the vehicle’s request and generates the reference link. Each vehicle, regarded as an IP address, is equipped with two communication interfaces: one for communication with the Master node and a second for communication with the base station. Each vehicle can connect to the internet via the WiMAX (WiMAX, 3G, and GPRS/UMTS) interface and can communicate with the other vehicles via the IEEE 802.11p interface.

3.2 Basic Idea and Challenges

The scheme must be able to differentiate between legitimate and attack traffic. In a simple attack, the traffic is generally somewhat differentiable from legitimate traffic. But in most of the cases there is a need to gather enough information before the attack can be detected. This makes the response to and prevention of the attack almost impossible. We must strike a balance between gathering enough information to characterize the attack and not overloading the logging and analysis capabilities. Moreover, responding to the attack requires faster detection and accurate characterization of the attack streams so that they can be filtered or their rate can be limited. A DoS attack exhausts host resources or the network bandwidth. It is consequently important to detect resource usage changes and reduce the detection time. Choosing a set of parameters to monitor for anomalies directly affects detection and prevention, accuracy and time. A properly chosen set of parameters does not generate too many false positives but on the other hand detects the majority of attacks early [30,34,38,40].

A Bloom filter based detection scheme (presented here) incorporates the methods for filtering with independent hash functions. The main goals of this scheme are to [15,19,25,30,33,39]:

• Make a space-efficient data structure
• Distinguish the IP spoofed packets from the legitimate packets
• Reduce hash collisions

Each edge router filters the incoming packets and forwards them to the downstream router. The basic aim of this scheme is to defend against DoS attacks, for which the features of the detection and filtering mechanisms are combined into a single mechanism. This kind of methodology has not been attempted in earlier reported works [29,36,39,41].

4 Proposed DoS Defense Model

In this section, efforts have first been made to show the flowchart of the proposed schemes, and then the algorithm for the request and response detection scheme is described.

Design Monitoring Table

As shown in Fig. 5, considering the numerous IP addresses in network traffic, using a limited m bit array to record IP addresses is not sufficient and may bring high false positives. For this, first use a large array of hash tables to substitute the m bit array; secondly, split the IP address into several segments and hash them separately into hash tables in which counts are initialized to 0. It is split up into segments because this keeps track of the recent arrival rates of the packets of different destination IP addresses passing through the router. After using a count table to replace the m bit array, all the counts are initially 0. When a key is inserted or deleted, the value of the count is incremented or decremented by 1, accordingly. When the count changes from 0 to 1, the corresponding bit is turned on. When a count changes from 1 to 0 the corresponding bit is turned off. The value in the count indicates the statistical results of the traffic, as shown in Fig. 5. The original Bloom filter uses independent hash functions to map into corresponding bits. The advantage of the modified Bloom filter is that it reduces the space by using a counter for each of the possible destination IP addresses [11,19,21,29,34].

The IP address is split into k segments, with k = 4. Each segment is an octet of the IP address, which is more convenient to process. Since the value range of each octet is from 0 to 255, m is set to 256, i.e., each table contains 256 counts. If the IP address is directly hashed into a monitoring table [26], there will be more hash collisions, because the number of counts is relatively limited compared to the numerous values of IP addresses on the Internet. When the IP address is separated into several segments, the value range becomes small for each segment. This may reduce collisions and also gives low false positive rates [5,7,9,12,19,34]. In the proposed scheme, both the source IP and the destination IP are recorded in the hash table. In the Bloom filter, k tables of m bins with k independent hash functions are used to record the IP addresses of the UDP handshake. Although it is possible that some segments of two IP addresses are mapped into the same count in one table, that probability is rather low compared with the segments of two different IP addresses being mapped to the same count in all k tables [2,8,13,19,21].

(1) Detection Scheme


Fig. 5 Original Bloom filter uses independent hash functions to map into corresponding bits

To detect a DoS attack at an early stage, a cooperation scheme is proposed which consists of a request detector and a response detector. The request detector, deployed at the edge router of the innocent hosts, checks the UDP control packets flowing through the edge router. When it captures suspicious events, it notifies the protected response detector of a potential DoS attack. The response detector, deployed by the protected Chock detector, detects attacks not only by passively listening for warnings from the request detector to confirm alarms. So the attacks are not only detected on the request side; the cooperation of the IP-CHOCK is also needed to warn of DoS attacks.

• The Request Detector

The request detector is deployed at the edge router on the innocent request side. One of its main tasks is to monitor the UDP control packets entering and leaving the domain. The detector scheme was developed from a modified hash table, whose design is based on the Bloom filter method. Each state of a UDP connection is recorded in the hash table, and an abnormal asymmetric connection is recorded and seen inside the request detector. After the accumulation of suspicious alarms, once the threshold score is reached the request detector issues a DoS attack warning that is then sent to all the response nodes.

As shown in Fig. 6, to detect attacking traffic with a spoofed source (request) IP, the destination (response) IP is recorded in the monitoring table. When a SYN packet of the first round is captured in the outgoing traffic, the destination IP (the response's IP) is split into several segments and then hashed into the monitoring table. If the corresponding count is 0, the corresponding bit is turned on; if the bit is already on, the count is incremented by 1. If the corresponding ACK/SYN packet of the second round of the Bloom filter is captured in the incoming traffic, the source IP (the response's IP) is hashed into the hash table again, but this time the corresponding count is decremented by 1. When a count changes from 1 to 0, the corresponding bit is turned off, i.e., space is made for other packets. The count will remain unchanged if the first two rounds of the UDP connection are completely captured at the request and response detectors on the source side. These counts are reset to 0 and the monitoring process is restarted for every period t.

If no ACK/SYN packet is sent back in response to the previous SYN, the count has no chance to be decremented by 1 for this connection. The value in the count will grow larger because it is increased by 1 for each spoofed SYN packet. When a DoS attack happens, an exceptionally heavy volume of packets is sent towards the victim IP addresses. If there is at least one count in the table containing a suspicious value, it is recorded in the database for further analysis. So, when the value of a count exceeds the predefined threshold during period t, this value is regarded as suspicious and the DoS attack alarm will be sent.
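The monitoring table and the SYN/ACK-SYN counting rule described above (the k = 4 octet tables of 256 counts, insert on the first-round SYN, delete on the second-round ACK/SYN, alarm when a count passes the threshold within period t), as an added example that is not the paper's code; the packet trace, threshold and addresses are constructed for the demonstration.

```python
"""Request detector monitoring table: k = 4 octet tables of m = 256 counts.

Added example (not the paper's code): an outgoing first-round SYN inserts the
destination (response) IP, the matching incoming ACK/SYN deletes it again, and
counts left over during the period t expose destinations that never answered.
The packet tuples, threshold and addresses below are constructed.
"""
import ipaddress

K_SEGMENTS = 4      # one table per IPv4 octet
M_COUNTS = 256      # an octet ranges over 0..255, so each table holds 256 counts


class MonitoringTable:
    def __init__(self, threshold):
        self.threshold = threshold
        self.reset()

    def reset(self):
        """Start of a new period t: every count is 0 and every bit is off."""
        self.counts = [[0] * M_COUNTS for _ in range(K_SEGMENTS)]
        self.bits = [[False] * M_COUNTS for _ in range(K_SEGMENTS)]

    @staticmethod
    def segments(ip):
        """Split the 32-bit address into its k = 4 octets (one index per table)."""
        return list(int(ipaddress.IPv4Address(ip)).to_bytes(4, "big"))

    def insert(self, ip):
        for table, seg in enumerate(self.segments(ip)):
            self.counts[table][seg] += 1
            if self.counts[table][seg] == 1:      # 0 -> 1: turn the bit on
                self.bits[table][seg] = True

    def delete(self, ip):
        for table, seg in enumerate(self.segments(ip)):
            if self.counts[table][seg] == 0:      # nothing outstanding for this segment
                continue
            self.counts[table][seg] -= 1
            if self.counts[table][seg] == 0:      # 1 -> 0: turn the bit off
                self.bits[table][seg] = False

    def outstanding(self, ip):
        """Upper bound on unanswered SYNs toward ip: the minimum of its k counts.
        Other addresses sharing octets can inflate it (the aliasing the text warns of)."""
        return min(self.counts[t][s] for t, s in enumerate(self.segments(ip)))

    def over_threshold(self):
        """The alarm condition of the text: any count above the threshold in period t."""
        return [(t, v, c) for t in range(K_SEGMENTS)
                for v, c in enumerate(self.counts[t]) if c > self.threshold]


def process_packet(table, direction, flags, src, dst):
    """Apply the request detector's rule to one control packet seen at the edge router."""
    if direction == "out" and flags == "SYN":
        table.insert(dst)        # first round: record the response (destination) IP
    elif direction == "in" and flags == "SYN/ACK":
        table.delete(src)        # second round: the response IP answered, release the count
    # every other packet leaves the table untouched


def constructed_trace():
    """Constructed edge-router trace of (direction, flags, src, dst) tuples."""
    trace = []
    for peer in ("10.0.0.5", "172.16.4.20", "10.0.0.5"):        # completed handshakes
        trace.append(("out", "SYN", "192.168.1.2", peer))
        trace.append(("in", "SYN/ACK", peer, "192.168.1.2"))
    trace.append(("out", "SYN", "192.168.1.3", "198.51.100.7"))  # legitimate, still pending
    for i in range(50):                                          # spoofed SYNs, never answered
        trace.append(("out", "SYN", f"203.0.113.{i % 256}", "10.0.0.9"))
    return trace


def run_period(trace, threshold):
    """Feed one period's packets through a fresh table and return it for inspection."""
    table = MonitoringTable(threshold)
    for pkt in trace:
        process_packet(table, *pkt)
    return table


if __name__ == "__main__":
    table = run_period(constructed_trace(), threshold=10)
    print("counts above threshold:", table.over_threshold())
    print("outstanding toward 10.0.0.9:", table.outstanding("10.0.0.9"))
    print("outstanding toward 10.0.0.7 (aliasing):", table.outstanding("10.0.0.7"))
```

Each entry returned by over_threshold is (table index, octet value, count); the four entries for the victim show why the text records the whole address for further analysis rather than alarming on one table alone.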

As shown in Algorithm 1, the detection scheme requires only simple hash operations and addition and subtraction operations. These operations bring little overhead to the computers. When a new Suspicious Alarm (SA) is reported, the request detector analyzes the source IP distribution of the SAs in the database. During a DoS attack, the request detector searches for irregularities of SAs in its database of ACK/SYN packets sent from victim vehicles. When SAs are reported from packets with the same vehicle request IP within a short period, there is probably a DoS attack targeting the host. However, each SA may come from a different vehicle request IP. To evaluate the distribution of the vehicle request IPs of the SAs, a score is calculated as follows:

$$S = \sum_{s \in \text{IPlist}} (|X_s| - 1)^2 \qquad (5)$$


Fig. 6 Flow chart showing detection scheme using Bloom filter

where X_s stands for the subset of the IP list containing the reported SAs with source IP s, and S is the score value. All elements in X_s have the same IP value, s, within a certain period. The score increases when the number of SAs containing the same source vehicle IP increases. On the other hand, if each of the SAs has a different source vehicle IP, the score will be 0. This score value can be an indicator of a DoS attack. To save computation when a new SA comes, the following expression is used to calculate the score value:

$$S_c = \begin{cases} S_P, & s \text{ not in the history IP list} \\ S_P + 2 \times |X_s| - 1, & s \text{ in the history IP list} \end{cases} \qquad (6)$$

where S_c is the current score value and S_P is the previous score value. The equation states that upon the arrival of an SA whose source IP is not in the history IP list, the score remains unchanged, while if it is in the history list we have a new, increased score. Because the score is the sum of (|X_s| − 1)^2, the new score is equal to the previous score plus the current (|X_s| − 1)^2. When the score exceeds a predefined threshold, the reported SAs with the IP of the victim are sent to the vehicle detector address. On the other hand, whenever a query is received from a vehicle detector, the number of SAs with the IP of the server in the database of the client vehicle's detector is sent back.
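The score of Eqs. (5) and (6) maintained incrementally and cross-checked against the direct sum, as an added example that is not the paper's code; it takes |X_s| in Eq. (6) to be the number of alarms already recorded for s when the new one arrives (an assumption about the notation), and the alarm traces are constructed.

```python
"""Suspicious-alarm score of Eqs. (5) and (6) at the request detector.

Added example, not the paper's code. The history IP list is a count per
source IP s (that count is |X_s|); the score is both recomputed directly as
the sum of (|X_s| - 1)^2 and updated incrementally with Eq. (6), where |X_s|
is the number of alarms already recorded for s before the new one is added
(an assumption about the paper's notation). The alarm traces are constructed.
"""
from collections import Counter


class AlarmScore:
    def __init__(self, threshold):
        self.threshold = threshold
        self.history = Counter()   # history IP list: source IP s -> |X_s|
        self.score = 0             # S_P, the score before the next SA arrives

    def report(self, source_ip):
        """Record one SA and return the current score S_c per Eq. (6)."""
        xs = self.history[source_ip]
        if xs > 0:
            # s already in the history IP list: |X_s|^2 - (|X_s| - 1)^2 = 2|X_s| - 1
            self.score += 2 * xs - 1
        # s not in the list: its first alarm adds (1 - 1)^2 = 0, so S_c = S_P
        self.history[source_ip] += 1
        return self.score

    def direct_score(self):
        """Eq. (5) evaluated from scratch, used to cross-check the incremental value."""
        return sum((n - 1) ** 2 for n in self.history.values())

    def alarm(self):
        """True once the score exceeds the predefined threshold."""
        return self.score > self.threshold

    def new_period(self):
        """Scores are kept per period; clear the list when a new one starts."""
        self.history.clear()
        self.score = 0


def score_trace(source_ips, threshold):
    """Feed a sequence of SA source IPs; return (score after each SA, alarm raised?)."""
    detector = AlarmScore(threshold)
    scores = []
    for ip in source_ips:
        scores.append(detector.report(ip))
        assert detector.score == detector.direct_score()   # Eq. (6) agrees with Eq. (5)
    return scores, detector.alarm()


# Constructed traces: alarms concentrated on a few sources versus spread over many.
CONCENTRATED = ["10.0.0.9", "10.0.0.9", "10.0.0.4", "10.0.0.9", "10.0.0.2", "10.0.0.4"]
SPREAD = [f"10.0.1.{i}" for i in range(6)]

if __name__ == "__main__":
    print("concentrated:", score_trace(CONCENTRATED, threshold=3))
    print("spread:      ", score_trace(SPREAD, threshold=3))
```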

• The Response Detector

The response detector is deployed at the protected master node. With the assistance of the vehicle request detector, a master node (as response detector) can detect a forthcoming DoS attack at an early stage. As shown in Algorithm 2, the two parts operate independently and concurrently, and together they issue a confirmed DoS attack alarm. Since this confirmation has no negative effect on the protected master node, the master node can perform a query as soon as any suspicious vehicle request connections are observed.

This is a distinct advantage over many other DoS detection methods, which must wait to capture sufficient DoS attack evidence before taking any further action, a requirement which delays DoS attack detection and prevention. In our scheme, cooperation between the vehicle request and vehicle response detectors ensures that the vehicle response detector launches DoS alarms at a very early stage. The response detector scheme is composed of two parts. In part one, the master node passively waits for potential DoS alarms from the vehicle request detector; a confirmed DoS attack alarm is sent to the master node after enough potential DoS attack alarms arrive. In part two, the master node also performs more active detection by sending queries to the vehicle request detector when too many vehicle requests are observed. However, it is possible that the requested IPs of the spoofed packets are widely distributed, with the result that the number of SAs (suspicious alarms) at a request detector is insufficient to provoke the sending of an SA to the master node. In this scheme, the master node therefore selects several cooperative request detectors to query about their number of SAs. The selection of request detectors depends on the requested vehicle IP address connections reserved by the master node. A query is first sent to the request detector in the routing domain containing the most pending connections. After receiving the replies, the master node decides whether the connections are caused by spoofed DoS packets, in which case an alarm is raised, or by something else, in which case no action is required.

The DoS attack can be detected based on the updated monitoring table. Since the list maintains the distance, energy, number of hops, packet delivery rate and acceptance rate of every optimal node taken, a random validation between the current node and the listed path is matched for any distance or energy variation from the threshold. If the error falls within the expected threshold, the nodes along the route are assumed to be legitimate; otherwise the entire route is penalized for a time instant of t seconds. The random validation ensures the longevity of routes and resources. If real emergency vehicles are found, their request information is sent to the master node. If the master node finds an emergency vehicle, it provides a new IP address and stores it in the BF; but if a DoS attack by an emergency vehicle is found, the master node generates the same reference link for all malicious emergency vehicles.


5 Analysis of Filtering Mechanisms

In this section, the analysis of the hash table approach is described first, followed by a brief analysis of the Bloom filter approach.

5.1 Analysis on Hash Table Approach

The hash function h(·) in the Bloom filter based IP-CHOCK is an important tool in the field of vehicle sensors and database checking of IP addresses due to its efficiency with regard to computational cost, and it is suitable for resource-constrained devices [4]. In addition, the security of a hash function is based on the hardness of inverting the outputs to recover the inputs: that is, for a given x and h(·), it is easy to compute h(x) = y; however, if only y is given, it is hard to find an x satisfying h(x) = y.

A Bloom filter is a simple space-efficient randomized data structure for representing a set in order to support membership queries [12]. The space efficiency is achieved at the cost of a small probability of false positives. Here, a brief introduction to the BF theory is required. A BF for representing a set S = {x_1, ..., x_n} of n elements is described by an array of m bits, initially all set to 0. It uses k independent hash functions h_1, ..., h_k with range from 1 to m. Here, it is assumed that the hash functions are perfectly random. For each element x ∈ S, the bits h_i(x) are set to 1 for 1 ≤ i ≤ k. To check whether y ∈ S, it is tested whether

$$\forall i,\ h_i(y) = 1; \qquad \text{if } \exists i,\ h_i(y) \neq 1, \text{ then } y \notin S.$$

In this paper, the focus is on the design of independent hash functions that have a low probability of collision, using the 32-bit IP address IP as the key of the hash functions. The hash functions are defined as follows:

$$h_i(IP_{ads}) = (IP_i + IP \bmod p_i) \bmod m, \quad 1 \le i \le k, \qquad (7)$$

Next, consider the condition that makes two different keys collide in all k hash functions, i.e., for $IP_1 \neq IP_2$,

$$h_i(IP_1) = h_i(IP_2), \quad 1 \le i \le k.$$

If $h_i(IP_1) = h_i(IP_2)$ and $h_j(IP_1) = h_j(IP_2)$ for $i \neq j$, that means

$$IP_1 + IP_1 \bmod p_i = IP_2 + IP_2 \bmod p_i + mk,$$

$$IP_1 + IP_1 \bmod p_j = IP_2 + IP_2 \bmod p_j + ml,$$

for some integers $k$ and $l$ (integer multiples of $m$ here, not the number of hash functions). Then we have

$$IP_1 \bmod p_i - IP_2 \bmod p_i = IP_1 \bmod p_j - IP_2 \bmod p_j + m(k - l) \qquad (8)$$

This is a strict condition for two keys $IP_1 \neq IP_2$ to satisfy $h_i(IP_1) = h_i(IP_2)$ for all k hash functions. Thus it can be concluded that the false positive rate should be very low.

5.2 Analysis on Bloom Filter Approach

Assume that a BF with m bits and k hash functions is used to store a set S with n elements. Denote the number of zeros in the bitmap as b and the number of ones as z, so that m = b + z. Now suppose this BF is used for detection on S in the following way.


To determine whether a given vehicle request query is a member of the table set S, the different hash functions {h_1, h_2, ..., h_k} are calculated sequentially for this vehicle request query. Each hash function selects one bit from the bitmap {b_1, b_2, ..., b_n}. The hash functions are calculated randomly, starting from the bit selected by h_1. If a hash function selects a bit with value zero and the vehicle request query is claimed to be a member of the set, then only the response reference link is allowed to communicate; otherwise, the next hash function is calculated. On the other hand, if the selected bit has value one and the vehicle request query is a non-member, then the IP-CHOCK generates a reference link and immediately discards the request. However, a non-member may also be identified as a member (i.e., a false positive). A false positive vehicle request query definitely requires k hash operations. However, for a false positive vehicle request query, the decision can be made earlier (as discussed above). The expected number of hash functions required for a false positive vehicle request query can be calculated as follows. The number of bits with value zero selected after k hash operations follows the binomial distribution with parameters k and b/m, and the expected number of bits with value zero after k hash operations is

$$H_k[0] = \frac{bk}{m} \qquad (9)$$

Similarly, the expected number of bits with value one after k hash operations is

$$H_k[1] = \frac{zk}{m} \qquad (10)$$

Let θ ≤ k denote the index of the hash function that selects a bit with value zero, written h_φ. Then the probability that θ = φ is

$$P_\theta(\phi) = \begin{cases} \displaystyle\sum_{i=0}^{n-1} \left(\frac{H_k[0] - i}{k - i}\right) \cdot \frac{H_k[1] - i}{k - \phi + i}, & \text{if } \phi \le H_k[1] - 1 \\ 1, & \text{otherwise} \end{cases} \qquad (11)$$

As a result, the expected number of hash operations required to discard a non-member vehicle request query is equal to the expected φ and can be given as

$$H[k] = H[\theta] = \sum_{i=0}^{k} i \times P_\theta(i) \qquad (12)$$

For an optimal BF, b ≈ z ≈ m/2, so in the optimal case H_k[i] = k/2 for i = 0, 1, and from Eq. (11):

$$P_{\theta_{opt}}(\phi) = \begin{cases} \displaystyle\sum_{i=0}^{n-1} \left(\frac{k/2 - i}{k - i}\right) \cdot \frac{k/2 - i}{k - \phi + i}, & \text{if } \phi \le k/2 - 1 \\ 1, & \text{otherwise} \end{cases} \qquad (13)$$

A monitoring table of the Bloom filter is built according to the dynamics of the request IP addresses, in this case the hop count between known and unknown vehicles. Given an IP address, divide it into n segments S_0, S_1, ..., S_n, where 1 ≤ n − 1 ≤ 32 and the segment range is 0 to n − 1. Let M_b denote the length of the vector V used in the Bloom filter, and let N flows be stored in V; then φ, the fraction of entries of V with value 0, is

$$\phi = \left(1 - \frac{k}{M_b}\right)^{n} \qquad (14)$$

where k is the number of hash functions; assuming k ≪ M_b, this gives

$$\phi = \exp\left(\frac{-kn}{M_b}\right) \qquad (15)$$


Bloom filter detection(V, s) identifies s as stored in V if and only if all k hash functions point to bits with value 1, which is known as a collision. ϕ_N is the collision probability under the condition that N flows have been recorded. Then

$$\varphi_N = (1 - \phi)^k = \left[1 - \exp\left(\frac{-kn}{M_b}\right)\right]^k \qquad (16)$$

Therefore, the average collision probability is

$$\varphi = \sum_{n=0}^{R'} \varphi_n \Pr[N = n] = \frac{1}{R' + 1} \sum_{n=0}^{R'} \left[1 - \exp\left(\frac{-kn}{M_b}\right)\right]^k \qquad (17)$$

where N is uniformly distributed. Compare |f(s)| with a given threshold δ. If the following holds, then it is an attack packet:

$$|f(s)| \ge \delta \cdot b \qquad (18)$$

The probability that a given bit is still 0 after one bit-setting operation is (1 − 1/m). Using k hash functions and inserting n elements into the BF sets bits of the m-bit array to 1 kn times. So, after n elements are stored, the probability P_0 that a bit is still 0 is as follows:

$$P_0 = \left(1 - \frac{1}{m}\right)^{kn} \approx e^{-kn/m} \qquad (19)$$

And then,

$$P_1 = (kn)\,(1 - 1/m)\,(1 - 1/m)^{kn-1} \qquad (20)$$

Then, the probability that the k/m bit region is collision free is given by (1 − P_c). Finally, for m ≥ k and n ≥ k, this gives the probability of an element being detectable.
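The quantities derived in this subsection evaluated numerically and checked against a small filter, as an added example that is not the paper's code: P_0 of Eq. (19), the zero fraction of Eq. (15), the collision probability of Eq. (16), its average over a uniform flow count per Eq. (17), and the expected number of hash functions evaluated before a non-member is discarded (the cost Eq. (12) estimates, computed here directly from a per-probe zero probability rather than from Eq. (11)). The filter's k hash functions are SHA-256 with an index salt, an assumption and not the hash family of Eq. (7); the paper's M_b is written m, and the inserted and probed keys are constructed.

```python
"""Bloom filter false-positive and probe-cost analysis of Sect. 5.2.

Added example, not the paper's code. Evaluates Eqs. (15), (16), (17) and (19)
and the expected number of hash functions evaluated before a non-member is
discarded, then compares them with a small filter whose k hash functions are
SHA-256 with an index salt (an assumption, not the family of Eq. (7)). The
paper's M_b is written m; the member and probe keys are constructed.
"""
import hashlib
import math


def p_zero(k, n, m):
    """Eq. (19): probability a bit is still 0 after n insertions with k hashes (exact, approx)."""
    return (1 - 1 / m) ** (k * n), math.exp(-k * n / m)


def collision_prob(k, n, m):
    """Eq. (16): probability that all k probes of a non-member land on 1 bits."""
    phi = math.exp(-k * n / m)          # Eq. (15): fraction of zero entries
    return (1 - phi) ** k


def average_collision_prob(k, r, m):
    """Eq. (17): collision probability averaged over N uniform on 0..r."""
    return sum(collision_prob(k, n, m) for n in range(r + 1)) / (r + 1)


def expected_probes_to_reject(k, zero_fraction):
    """Expected hash functions evaluated for a non-member when the k probes are
    checked in order and the scan stops at the first 0 bit; if all k bits are 1
    (a false positive) the query costs all k probes. Probes assumed independent."""
    hit_one = 1 - zero_fraction
    expected = sum(j * hit_one ** (j - 1) * zero_fraction for j in range(1, k + 1))
    return expected + k * hit_one ** k


class BloomFilter:
    def __init__(self, m, k):
        self.m, self.k = m, k
        self.bits = [False] * m

    def _positions(self, key):
        # k hash functions derived from SHA-256 with an index salt (assumption)
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, key):
        for pos in self._positions(key):
            self.bits[pos] = True

    def query(self, key):
        """Return (claimed member?, number of hash functions evaluated)."""
        for probes, pos in enumerate(self._positions(key), start=1):
            if not self.bits[pos]:
                return False, probes    # a 0 bit settles it: not a member
        return True, self.k             # every probe hit a 1: member or false positive


def measure(m, k, n, queries):
    """Insert n constructed member keys and probe `queries` constructed non-members.
    Returns (false positive rate, mean probes per query, fraction of zero bits)."""
    bf = BloomFilter(m, k)
    for i in range(n):
        bf.add(f"member-{i}")
    false_positives = probes_total = 0
    for j in range(queries):
        claimed, probes = bf.query(f"probe-{j}")
        false_positives += claimed
        probes_total += probes
    zero_fraction = bf.bits.count(False) / m
    return false_positives / queries, probes_total / queries, zero_fraction


if __name__ == "__main__":
    m, k, n = 1024, 3, 200
    print("P_0 exact/approx:", p_zero(k, n, m))
    print("collision probability, Eq. (16):", collision_prob(k, n, m))
    print("average over N <= 200, Eq. (17):", average_collision_prob(k, n, m))
    print("optimal BF (half the bits 0), k=3, probes to reject:", expected_probes_to_reject(k, 0.5))
    print("measured (fp rate, mean probes, zero fraction):", measure(m, k, n, 2000))
```

For the optimal filter with b ≈ z ≈ m/2 and k = 3, a non-member is rejected after 1.75 hash evaluations on average, which is the early-decision saving the text describes.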

As found in Fig. 7, as the detection time and rate at the vehicle request increase, the attack detection rate also increases and the collision rate decreases (refer to Fig. 7 for a more detailed analysis).

6 Simulation Model

To investigate the effectiveness of the proposed scheme in defending against VANET DoS attacks, the simulation on a topology was carried out using Network Simulator version 2.34 (NS-2.34).

6.1 System Components

The system consists of the following components:

(1) Vehicle Clients

Two types of clients are considered for the system: (i) legitimate clients and (ii) attacker vehicles. The legitimate clients are modeled by CBR applications running on UDP NewReno (a flavor of UCP). They obey the constraints imposed by the UCP protocol.

(2) Response Server (IP chock)


Fig. 7 Detection rate v/s number of vehicles

The service provided by the responding server is a generic TCP/UDP-based service. The responding server is modeled by a simple Sink which sends out ACK packets for the packets it receives. The legitimate clients connect to the responding server with the aim of downloading files, whereas the attackers aim at clogging the bottleneck link leading to the responding server in order to make the service unavailable to the legitimate clients.

(3) Agents on Edge Routers

One new agent (Bloom-Filter) is created in order to provide the functionality of the proposed scheme. The agents are deployed at the edge routers.

(4) Bloom-Filter based Hash Function

The agent is deployed on the routers located at a certain pre-determined distance from the client vehicles and the responding server. The packets these agents receive from the clients (legitimate and attackers) are actually destined for the server; the agents store them in the monitoring table before sending them on to the responding server.

6.2 System Topology

The simulation scenario is designed according to the normal state of a car running on a road, as shown in Fig. 1. The position and the movement of the nodes are given in the scenario generator file shown in Table 3. A simulation is conducted to verify the efficiency of the proposed secure IP address communication for the IVC application with NS-2.34 [4]. In order to get a proper estimate, a real world road system is considered. In the real world, vehicles move within a fixed region of the E19 (Ipoh Lumut Highway) from Tronoh to Batu Gajah, in a suburb of Universiti Teknologi PETRONAS (UTP). It is a two-way highway and has two lanes in each direction. As shown in Fig. 8, there are five exits through which vehicles may leave the highway. To keep a fixed number of vehicles in the simulation, it is assumed that exiting vehicles re-enter the highway at the nearest highway end (A or B) and immediately start to send messages. Each vehicle in the simulation can initiate queries for the data it is interested in. A simulation has been carried out to evaluate the performance of the proposed method. Each vehicle is first randomly scattered on one intersection along the paths in Fig. 8.

Table 3 Simulation environment

  Parameter                 Value
  Network area              1,500 × 1,500 m
  Radio range               200 m
  Traffic type              CBR
  Visualization tools       NAM, tracing
  Duration                  80 s
  MAC layer                 IEEE 802.11p
  Mobility                  Our proposed, without using clustering, simple highway mobility model (SHWM)
  No. of nodes              25, 50, 75, 100, 125, and 150
  Speed                     5, 10, 15, 20, and 25 m/s
  Node speed                60 km/h
  Node density              100 vehicles/hour/street
  Data transmission range   3.0 MB

The simulation results are displayed in the NAM file and the routing parameters were obtained from the trace file. To evaluate the performance of the routing protocols, some parameters have been set in the TCL file for measuring the efficiency of vehicle-to-vehicle communication. These parameters are analyzed from the NS-2 trace file; therefore Agent Trace ON and Route Trace ON are activated in the TCL file. The speed of the vehicles is assumed to be constant, between 5 and 25 m/s. An IEEE working group has invented a new PHY/MAC layer amendment to the 802.11p standard, which is designed for vehicle-to-vehicle and vehicle-to-infrastructure communication only.

6.3 Simulation Parameters

Table 4 lists the simulation parameters, their values and a description of the parameters used in the simulation.

6.4 Performance Evaluation Metrics

For comparing the performance of our scheme with the existing scheme, the following performance metrics have been used.

(1) Packet Acceptance Ratio (PA_r)

This is defined as the ratio of the number of vehicle requests for packets that are accepted, which is calculated according to the number of attackers at different thresholds. The acceptance ratio is calculated in terms of the percentage of vehicle requests for packets accepted as legitimate and spoofed when the filtering scheme is applied on the edge router under different magnitudes of attack. As the number of attackers increases, there is a slight decrease in the acceptance ratio of legitimate packets due to heavy congestion, as some of the legitimate packets are dropped. While the legitimate packet acceptance ratio decreases a little with the increasing number of attackers, the spoofed packet acceptance ratio stays at a very low level.

Fig. 8 Simulation setup (highway section of 5 in the UTP area) [figure: highway section with labels Exit 1, Exit 2, Enters 1, Enters 2]

Table 4 Simulation parameters

  Parameter          Value                        Description
  Set Val (chan)     Channel/WirelessChannel      Channel type
  Set Val (prop)     Propagation/TwoRayGround     Radio propagation model
  Set Val (netif)    Phy/WirelessPhy              Network interface type
  Set Val (mac)      Mac/802.11p                  MAC type
  Set Val (ifq)      Queue/DropTail/PriQueue      Interface queue type
  Set Val (ll)       LL                           Link layer type
  Set Val (ant)      Antenna/OmniAntenna          Antenna model
  Set Val (ifqlen)   50                           Max. packets in ifq
  Set Val (nn)       100                          Number of mobile nodes
  Set Val (rp)       AODV                         Routing protocol
  Set Val (X)        1,500 m                      X dimension of topography
  Set Val (Y)        1,500 m                      Y dimension of topography
  Set Val (seed)     0.0 s                        Time of simulation start
  Set Val (stop)     80 s                         Time of simulation end

$$PA_r = \frac{R_{PA}}{F_{PA}} \qquad (21)$$

where R_PA is the percentage of vehicle requests for packets accepted as legitimate and spoofed, and F_PA is the filtering scheme applied on the edge router under different magnitudes of attack.

(2) Mean False Positive Ratio (R_p)

A false positive occurs when a benign event is declared as an attack, and is observed as:

$$R_p = \frac{\text{Number of false positives}}{\text{Total number of attacks}} \qquad (22)$$

(3) Detection Efficiency for Density of the Traffic and Density of Request Detector

The performance metrics considered here are the detection efficiency for the density of the traffic and the density of the request detector, and the false positive ratio, which are denoted as ρ and ϑ, respectively, and are expressed as follows:

$$\rho = \frac{\alpha}{\beta} \qquad (23)$$

where ρ is the detection performance in the simulation, α is the number of malicious clients detected and β is the total number of malicious clients in the network.

$$\vartheta = \frac{\sigma}{\omega} \qquad (24)$$

where ϑ is the density of the request detector in the simulation, σ is the number of legitimate clients detected and ω is the total number of legitimate clients in the network.

7 Result and Analysis

To evaluate the detection performance, three scenarios are designed: no attacking traffic, total traffic containing 1 % attacking traffic, and total traffic containing 5 % attacking traffic. The network delay from the source vehicles to the victim vehicle is set to 100 ms and the bottleneck bandwidth for the victim vehicles is 10 Mb. The attacking traffic begins at simulation time 20 s and the whole simulation lasts 80 s. The results shown in Figs. 9, 10 and 11 are the counter values in the hash table. When this value goes beyond a threshold, an attack is detected. The threshold chosen was based on the number of nodes and the size of the hash table.

As shown in Fig. 9, the value of the count fluctuates between 0 and the threshold when there is no attack traffic, as well as with an attack.

As shown in Fig. 10, the counter value increases when the attack starts and crosses the threshold. With a 1 % increase in traffic, the detection rate is 30 %.

In case of an attack, the counter value increases rapidly when the attack starts and crosses the threshold. As shown in Figs. 10 and 11, the 5 % attacking traffic experiences a much larger increase in the counter values than the 1 % attacking traffic. This shows that our method can accurately detect DoS attacks with a fixed-length monitoring table.

Fig. 9 No attacking traffic [plot: counter values vs. time (sec), 0 to 80 s; the changes in the counter with no attack traffic]

Fig. 10 The total traffic contains 1 % attacking traffic [plot: counter values vs. time (sec), 0 to 80 s; 1 % of total traffic is attacking traffic, attack begins at 20 s]

Fig. 11 The total traffic contains 5 % attacking traffic [plot: counter values vs. time (sec), 0 to 80 s; 5 % of total traffic is attacking traffic, attack begins at 20 s]

In the next set of experiments, the effect of the change in the number of attackers was studied for different threshold values. Each time, the percentage of legitimate packets accepted and the percentage of spoofed packets accepted were observed, and the results were plotted in Figs. 12, 13 and 14. The values plotted are the mean values from 20 independent simulation runs. The results of the adopted method have also been compared with the IP CHOCK method.

Fig. 12 Acceptance ratio of packet v/s number of attacks with threshold 1 [plot: acceptance ratio of packets (%) vs. number of attackers, 0 to 5; series: Legitimate packets, Legitimate packets (IPCHOCK), Spoofed packets, Spoofed packets (IPCHOCK); attack begins at 20 s]

Figure 12 shows the percentage of the legitimate and spoofed packets accepted under different magnitudes of attack. Here we observed that around 25 % of the legitimate packets from an innocent host were dropped and around 6 % of the spoofed packets passed through the filter, after which the values of the counters in the hash table were incremented.

When the counter values go above the threshold value, some of the legitimate packets are dropped and some of the spoofed packets are accepted. As the number of attackers increased, a slight decrease in the acceptance ratio of the legitimate packets was found. The solid lines in Fig. 12 show the acceptance ratio of the packets of our proposed scheme and the dashed lines show the acceptance ratio of the packets of the IP CHOCK method [27].

Figure 13 shows the ratio of packets accepted under different magnitudes of attack when the threshold value is 2. Here we observed that around 20 % of the legitimate packets were dropped and the acceptance ratio of the spoofed packets was 7 %, which was only 1 % more than the spoofed packets accepted with the threshold at 1. It was also observed that there was an increase in the number of legitimate packets accepted.

According to Fig. 14, the acceptance ratio of packets under different magnitudes of attack for threshold value 3 was observed. Only around 9 % of the legitimate packets were dropped and the acceptance ratio of the spoofed packets was 9 %, which was only 2 % more than the spoofed packets accepted at threshold 2. These experiments show that as the threshold value increases, the acceptance ratio of the legitimate packets also increases.

Figure 15 shows the mean false positive rate of our proposed scheme under different magnitudes of attack for different threshold values of the counter. A false positive occurs when a benign event is declared as an attack. By observing Fig. 13, it can be said that the false positive rate of the filtering procedure decreases with an increase in the threshold values.

A BF is an array b of l addresses, each of which is w bits long. The total number m of bits is l × w. To encode a member e during the filter setup, first obtain a number of hash bits from e, and use log_2 l hash bits to map e to an address in b. This is called the membership vehicle of e in b. Then use k log_2 w hash bits to further map e to k membership bits in the address and set them to ones. The total number of hash bits needed is log_2 l + k log_2 w. Suppose m = 2^20, k = 3, w = 2^6, and l = 2^14. Only 32 hash bits are needed, smaller than the 60 hash bits required in the previous BF example under similar parameters. To check if an element e is a member of the set encoded in b, first perform hash operations on e to obtain log_2 l + k log_2 w hash bits. Use the log_2 l bits to locate its membership vehicle in b, and then use the k log_2 w bits to identify the membership vehicle request bits in the table. If all membership vehicle bits are zero, it is considered to be a member. Otherwise, it is not.

Fig. 13 Acceptance ratio of packet v/s number of attacks with threshold 2 [plot: acceptance ratio of packets (%) vs. number of attackers, 0 to 5; series: Legitimate packets, Legitimate packets (IPCHOCK), Spoofed packets, Spoofed packets (IPCHOCK)]

Fig. 14 Acceptance ratio of packet v/s number of attacks with threshold 3 [plot: acceptance ratio of packets (%) vs. number of attackers, 0 to 5; series: Legitimate packets, Legitimate packets (IPCHOCK), Spoofed packets, Spoofed packets (IPCHOCK)]

Figure 16 shows the false positive rate for the BF under different traffic. From the above, it can be concluded that for a higher percentage of traffic load the false positive rate is high, which results in a high detection time compared to the theoretical traffic.

Fig. 15 Mean false positive rate v/s number of attacks for different threshold [plot: mean false positive rate, 0 to 0.7, vs. number of attackers, 1 to 5; series: Threshold 1, Threshold 2, Threshold 3]

Fig. 16 False positive rate for Bloom filter under different traffic [plot: false positive rate vs. load factor k/m; series: Street, Highway, Theoretical traffic]

The simulation results are shown in Figs. 17 and 18. It can be seen that, with the increase of traffic load (i.e., the number of vehicles within the communication range), the detection efficiency does not vary a lot and is smaller than the maximum allowable message end-to-end transmission latency of 100 ms. However, the false positive ratio increases when the traffic load is increased.

It is notable that the detection ratio reaches as high as 60 % when the detection load is up to 100 %. However, such traffic can only be simulated when there is a severe traffic jam, according to the relationship between the communication range and the inter-vehicle distance or attacker vehicles. In this situation, it is acceptable if a large number of messages are lost, because most of the messages are repeatedly sent by the attacker vehicles. Normal traffic load occurs when the traffic load is below 50, where a 35 % false positive ratio is achieved.

Figure 19 shows the comparison of the proposed scheme with the Bloom filter and the modified Bloom filter.

The gap in detection rate between the proposed and improved Bloom filter is 9.0 ≈ 39 %, and the gap in detection rate between the proposed and improved Bloom filter is 3.9 ≈ 28 %.


Fig. 17 Detection efficiency for density of the traffic and false positive

Fig. 18 Detection of response detector and false positive

8 Conclusion and Future Work

Safety is the primary concern for many road users. The safety requirements can be powerfully supported by many safety applications, such as traffic reports and accident notifications. A VANET application has the opportunity to provide such safety requirements. However, life-critical messages must be transmitted from node to node in the VANET in a reliable and timely manner. To achieve this, secure communication and network availability must be obtained in the VANET set-up. An efficient method that can detect all malicious IP addresses is proposed in this paper. Based on the Bloom filter, a storage-efficient data structure which only requires a fixed-length table for recording relevant vehicle traffic information is proposed. An IP CHOCK method is then applied to detect abrupt changes in the vehicle traffic characteristics which correspond to the occurrence of flooding attacks. The adopted method, which uses the Bloom filter for the filtering process, is best suited for small scale as well as large scale DoS attacks. Table 5 shows the comparison between the proposed methods and the existing mechanisms based on different parameters. The following are the different parameters which have been used to compare the proposed and existing mechanisms.

Fig. 19 Comparison between proposed and modified Bloom filter

Table 5 Comparison between the proposed methods and existing mechanisms

  Method                                                      I            II           III          IV           V
  Loop free [16]                                              Yes          Yes          Yes          Yes          Yes
  Multicast routes [17]                                       Yes          No           No           Yes          No
  Distributed [18]                                            Yes          Yes          Yes          No           No
  Uni-direction link support [19,20]                          Yes          No           No           Yes          Yes
  Multicast [12]                                              No           No           No           Yes          No
  Periodic broadcast [25]                                     No           Yes          Yes          No           No
  QoS support [23]                                            No           No           No           Yes          Yes
  Routes maintained [27]                                      Route cache  Route table  Route table  Route table  Route table
  Reactive [15]                                               Yes          No           Yes          No           Yes
  Proposed scheme using Bloom filter with hash function [22]  Yes          No           Yes          Yes          Yes

• Support for filtering
• Support for trace back
• Small scale DoS attacks prevention
• Large scale DoS attacks prevention
• Work fine for any path length of routers

When malicious IP addresses are detected, the hash table for the requesting IP addresses is analyzed. Some parameters are used in this method; currently, these parameters are set manually based on the simulation. A further extension is to devise an automated scheme for setting or adapting these parameters. Another interesting direction is to design an adaptive hash function mechanism which maximizes the utilization of the hash table entries and hence further reduces the false positive rate. Moreover, another plan is to evaluate this method in a reasonably large real network.
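The Bloom-filter record of beacon source addresses and the abrupt-change check described in this section, as an added Python illustration that is not the paper's code: a fixed-length bit table records every source IP heard in beacons, the number of previously unseen addresses per beacon interval is counted, and an interval whose count jumps well above the running mean of earlier intervals is flagged as a flood. The table size, hash construction, thresholds and the beacon trace are assumptions; the standard false-positive estimate shows why the false positive ratio rises with traffic load, as Figs. 17 and 18 report.

```python
import hashlib
import math

class IPBloomFilter:
    """Fixed-length bit table recording source IPs heard in beacons (m and k assumed)."""
    def __init__(self, m_bits=8192, k_hashes=4):
        self.m, self.k, self.n = m_bits, k_hashes, 0
        self.bits = bytearray((m_bits + 7) // 8)
    def _positions(self, ip):
        # Double hashing: derive the k table positions from one SHA-256 digest.
        d = hashlib.sha256(ip.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]
    def contains(self, ip):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(ip))
    def add(self, ip):
        for p in self._positions(ip):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.n += 1

def estimated_fp_rate(n, m_bits, k_hashes):
    # Standard Bloom-filter estimate; it rises with the number n of recorded addresses.
    return (1 - math.exp(-k_hashes * n / m_bits)) ** k_hashes

def new_addresses_per_interval(intervals, m_bits=8192, k_hashes=4):
    """Per beacon interval, count source IPs not already recorded in the filter."""
    bf = IPBloomFilter(m_bits, k_hashes)
    counts = []
    for interval in intervals:
        fresh = 0
        for ip in interval:
            if not bf.contains(ip):  # a filter false positive would hide a new address
                bf.add(ip)
                fresh += 1
        counts.append(fresh)
    return counts

def flag_flood_intervals(counts, factor=4, min_new=10):
    """Flag intervals whose new-address count jumps abruptly above the running mean."""
    return [i for i, c in enumerate(counts)  # factor and min_new are assumed thresholds
            if i > 0 and c >= min_new and c > factor * max(sum(counts[:i]) / i, 1)]

# Constructed beacon trace: six legitimate vehicles, a burst of 40 forged source addresses in the third interval, then normal traffic again.
LEGIT = [f"10.0.0.{i}" for i in range(1, 7)]
FORGED = [f"192.168.77.{i}" for i in range(1, 41)]
INTERVALS = [LEGIT[:5], LEGIT, LEGIT + FORGED, LEGIT]
NEW_COUNTS = new_addresses_per_interval(INTERVALS)   # [5, 1, 40, 0]
FLOOD_INTERVALS = flag_flood_intervals(NEW_COUNTS)  # [2]
```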

Acknowledgments This work is funded by Universiti Teknologi PETRONAS Postgraduate Assistantship Scheme.

References

1. Rivas, D. A., Barcelo-ordinas, J. M., Zapata, M. G., & Morillo-pozo, J. D. (2011). Security on VANETs: Privacy, misbehaving nodes, false information and secure aggregation. Elsevier Journal of Network and Computer Applications, 34(6), 1942–1955.

2. Isaac, J. T., Zeadally, S., & Camara, J. S. (2010). Security attack and solutions for vehicular ad hoc networks. IET Communications Journal, 4(7), 894–903.

3. Yuh-Shyan, C., Chih-Shun, H., & Wei-Han, Y. (2012). An IP passing protocol for vehicular ad hoc networks with network fragmentation. Elsevier Computer and Mathematics with Applications, 63(2), 407–426.

4. Wu, B., Chen, J., Wu, J., & Cardei, M. (2007). A survey on attacks and countermeasures in mobile ad hoc networks. Springer Journal of Wireless Network Security, 2, 103–135.

5. Yousefi, S., Mousavi, M. S., & Fathy, M. (2006). Vehicular ad hoc networks (VANET): Challenges and perspectives. In 6th ITS telecommunications conference (pp. 761–766), June 21–23.

6. Muraleedharan, R., & Osadciw, L. A. (2009). Cognitive security protocol for sensor based VANET using swarm intelligence. In 43rd IEEE Asilomar signals, systems and computers conference (pp. 288–290), July 1–4.

7. Hamieh, A., Ben-Othman, J., & Mokdad, L. (2009). Detection of radio interference attacks in VANET. In IEEE global telecommunications conference, GLOBECOM (pp. 1–5), Nov. 30–Dec. 4, 2009.

8. Albert, W., Rongxing, L., Xiaodong, L., & Xuemin, S. (2010). Complementing public key infrastructure to secure vehicular ad hoc networks. IEEE Wireless Communication, 17(5), 22–28.

9. Yang, Z., & Guohong, C. (2011). V-PADA: Vehicle-Platoon-aware data access in VANETs. IEEE Transactions on Vehicular Technology, 60(5), 2326–2339.

10. Chun-Ta, L., Min-Shiang, H., & Yen-Ping, C. (2008). A secure and efficient communication scheme with authenticated key establishment & privacy preserve for vehicular ad hoc network. ELSEVIER Journal of Computer Communications, 31(12), 2803–2814.

11. Baber, A., Soyoung, P., & Cliff, Z. C. (2010). Secure traffic data propagation in vehicular ad hoc networks. International Journal Ad Hoc and Ubiquitous Computing, 6(1), 24–39.

12. Soyoung, P., & Cliff, Z. C. (2008). Reliable traffic information propagation in vehicular ad hoc networks. IEEE Sarnoff Symposium Conference (pp. 1–6), April 28–30, 2008.

13. Nai-Wei, L., & Hsiao-Chien, T. (2007). Illusion attack on VANET applications—A message plausibility problem. IEEE Globecom workshops (pp. 1–8), Nov. 26–30, 2007.

14. Chim, T. W., Yiu, S. M., Hui, L. C. K., & Li, V. O. K. (2011). SPECS: Secure & privacy enhancing communications schemes for VANETs. ELSEVIER Ad Hoc Networks, 9(2), 189–203.

15. Sichitiu, M. L., & Kini, M. (2008). Inter-vehicle communication system: A survey. IEEE Communications Surveys and Tutorials, 10(2), 88–105.

16. Nzouonta, J., Rajgure, N., Guiling, W., & Borcea, C. (2009). VANET routing on city roads using real-time vehicular traffic information. IEEE Transactions on Vehicular Technology, 58(7), 234–245.

17. Sampigethaya, K., Mingyan, L., Lepin, H., & Poovendran, R. (2007). AMOEBA: Robust location privacy scheme for VANET. IEEE Journal on Selected Areas in Communications, 25(8), 1569–1589.

18. Mohandas, B. K., & Liscano, R. (2008). IP address configuration in VANET using centralized DHCP. In 33rd IEEE local computer networks conference, LCN (pp. 608–613), Oct. 14–17, 2008.

19. Wu, M., Yang, L., Li, C., & Jiang, H. (2008). Capacity, collision and interference of VANET with IEEE 802.11 MAC. In 1st Intelligent networks and intelligent systems conference, ICINIS (pp. 251–254), Nov. 1–3, 2008.

20. Willke, T. L., Tientrakool, P., & Maxemchuk, N. F. (2009). A survey of inter-vehicle communication protocols & their applications. IEEE Communications Surveys & Tutorials, 11(2), 3–20.

21. Jingxuan, W., & Wei, Y. (2009). RBM: A role based mobility model for VANET. In Communications and mobile computing conference (pp. 437–443), Jan. 6–8, 2009.

22. Abedi, O., Barangi, R., & Azgomi, M. A. (2009). Improving route stability and overhead of the AODV routing protocol and make it usable for VANETs. In 29th IEEE distributed computing systems workshops (pp. 464–467), June 22–26, 2009.

23. Khaled, Y., Tsukada, M., & Ernst, T. (2009). Geographical information extension for IPv6: application to VANET. In 9th Intelligent transport systems telecommunications conference, ITST (pp. 304–308), Oct. 20–22, 2009.

24. Raja, M., & Hubaux, J. P. (2007). Securing vehicular ad hoc networks. Journal of Computer Security (Computer & Communication Science), 15(1), 39–68.

25. Tiecheng, W., & Gang, W. (2010). TIBCRPH: Traffic infrastructure based cluster routing protocol with handoff in VANET. In 19th IEEE wireless & optical communication conference, WOCC (pp. 1–5), July 14–15, 2010.

26. Ohta, T., Ogasawara, K., & Kakuda, Y. (2010). End-to-end transfer rate adjustment mechanism for VANET. In 3rd Dependability conference, DEPEND (pp. 1–6), July 18–25, 2010.

27. Hao, J., Siyue, C., Yangg, Y., Zhizhong, J., Henry, L., Xu, J., & Wang L. (2010). Estimation of packet loss rate at wireless link of Vanerple. In 6th IEEE wireless communications networks & mobile computing conference, WICOM (pp. 1–5), Sept. 23–25, 2010.

28. Mishra, T., Garg, D., & Gore, M. M. (2011). A publish/subscribe communication infrastructure for VANET applications. In IEEE advanced information networking and applications (WAINA) workshops (pp. 442–446), March 22–25, 2011.

29. Hamieh, A., Ben-Othman, J., & Mokdad, L. (2009). Detection of radio interference attacks in VANET. In IEEE global telecommunications conference (pp. 1–5), Nov. 30–Dec. 4, 2009.

30. Wasef, A., & Rongxing, L. (2010). Complementing public key infrastructure to secure vehicular ad hoc networks. IEEE Wireless Communications (Security & Privacy in Emerging), 17(5), 22–28.

31. Jianmin, C., & Jie, W. (2009). Cooperative anonymity authentication in vehicular networks. In 6th IEEE mobile ad hoc & sensor system conference, Mass (pp. 1018–1023), Oct. 12–15, 2009.

32. Xiaodong, L., Xiaohui, L., & Xuemin, S. (2010). FLIP: An efficient privacy-preserving protocol for finding like-minded vehicles on the road. In IEEE global telecommunications conference, GLOBECOM (pp. 1–5), Dec. 6–10, 2010.

33. Ramakrishnan, B., Rajesh, R. S., & Shaji, R. S. (2011). Analysis of routing protocols for highway model without using and cluster. International Journal of Scientific & Engineering Research, 2(1), 1–9.

34. Ramakrishnan, B., Rajesh, R. S., & Shaji, R. S. (2010). Performance analysis of 802.11 and 802.11p in cluster based simple highway model. International Journal of Scientific & Engineering Research, 1(5), 420–426.

35. Jing, Z., & Guonong, C. (2008, April). VADD: Vehicle-assisted data delivery in vehicular ad hoc networks. In IEEE transactions on vehicular technology (Vol. 57, no. 3, pp. 1910–1922).

36. Kui-Ten, F., Chung-Hsien, H., & Tse-En, L. (2008). Velocity assisted predictive mobility and location aware routing protocols for mobile ad hoc networks. IEEE Transactions on Vehicular Technology, 57(1), 448–464.

37. Xiaoping, X., & Jia, D. (2011). LPA: A new location-based privacy-preserving authentication protocol in VANET. WILEY Journal of Security and Communication, Networks, 5(1), 69–78.

38. Rongxing, L., Xuemin, S., Xiaodong, L., & Haojin, Z. (2009). Security in service oriented vehicular ad hoc networks. IEEE Wireless Communications, 16(4), 16–22.

39. Kargl, F., Papadimitrators, P., Buttyan, L., Muter, M., Schoch, E., Wiedersheim, B., et al. (2008). Secure vehicular communication systems: Implementation, performance, and research challenges. IEEE Communications Magazine, 46(11), 110–118.

40. Choffnes, D. R., & Bustamante, F. E. (2005, Sept.). An integrated mobility and traffic model for vehicular wireless networks. In 2nd Vehicular ad hoc networks (VANET), workshop (pp. 69–78).

41. Grover, J., Gaur, M. S., & Laxmi, V. (2011). A sybil attack detection approach using neighboring vehicles in VANET. In 4th Security of information and networks conference (pp. 151–158), Nov. 14–19, 2011.

42. Grover, J., Gaur, M. S., & Laxmi, V. (2010, Nov.). A novel defense mechanism against sybil attacks in VANET. In 3rd Security of information and networks conference, SIN (pp. 249–255).

43. Khaleel, M., Hassan, A., & Mario, G. (2012). ROAMER: Roadside units as message router in VANETs. Elsevier, Ad Hoc Networks, 10(3), 479–496.

44. Congyi, L., & Chunxiao, C. (2012). RPB-MD: Providing robust message dissemination for vehicular ad hoc networks. Elsevier, Ad Hoc Networks, 10(3), 497–511.


Author Biographies

Karan Verma received his B.E and M. Tech degrees in Information Technology and Computer Science & Engineering, respectively, from the University of Rajasthan in 2008, and Indian Institute of Technology, Roorkee in 2010. He is currently reading for his Ph.D. degree in the Department of Computer and Information Science at the Universiti Teknologi PETRONAS, Malaysia. His research interests include information security and VANET.

Halabi Hasbullah was born in Muar, Johor, Malaysia. He received his Ph.D. degree in Electrical, Electronics and System Engineering from National University of Malaysia (Universiti Kebangsaan Malaysia) in 2007. He started his academic career in 1994; prior to that he had worked in the IT field for IT companies and government IT departments. He joined the Department of Computer and Information Sciences, Universiti Teknologi PETRONAS (UTP), Malaysia as a Senior Lecturer in 1999. In recent years, he has been involved in a number of research projects, including VANET and Cloud Computing. His current research interests include wireless sensor networks, Bluetooth radio networks, ad hoc wireless networks, mobile computing, network security, and traffic analysis.

Ashok Kumar received his B.E degree in electronics and communication engineering from University of Rajasthan, Jaipur (2008) and M. Tech degree in communication stream from Malaviya National Institute of Technology, Jaipur (2011). His research interests include design and applications of microwave planar antennas, wireless communication and vehicular ad-hoc networks (VANETs). He is currently working as Assistant Professor in the Department of Electronics and Communication Engineering at Government Women Engineering College, Ajmer, India.
