86 research outputs found

    A Novel WLAN Client Puzzle against DoS Attack Based on Pattern Matching

    Despite the popularity of 802.11 based networks, they suffer several types of DoS attack, launched by an attacker whose aim is to make an access point (AP) unavailable to legitimate users. One of the most common DoS attacks on 802.11 based networks is to deplete the resources of the AP. A serious situation like this can occur when the AP receives a burst of connection requests. This paper addresses this common DoS attack and proposes a lightweight puzzle, based on pattern-matching. Using a pattern-matching technique, this model adequately resists resource-depletion attacks in terms of both puzzle generation and solution verification. Using a sensible series of contextual comparisons, the outcomes were modelled by a simulator, and the security definition and proofs are verified, among other results

    A Survey on Wireless Sensor Network Security

    Wireless sensor networks (WSNs) have recently attracted a lot of interest in the research community due to their wide range of applications. Due to the distributed nature of these networks and their deployment in remote areas, these networks are vulnerable to numerous security threats that can adversely affect their proper functioning. This problem is more critical if the network is deployed for some mission-critical applications such as in a tactical battlefield. Random failure of nodes is also very likely in real-life deployment scenarios. Due to resource constraints in the sensor nodes, traditional security mechanisms with large overhead of computation and communication are infeasible in WSNs. Security in sensor networks is, therefore, a particularly challenging task. This paper discusses the current state of the art in security mechanisms for WSNs. Various types of attacks are discussed and their countermeasures presented. A brief discussion on the future direction of research in WSN security is also included. Comment: 24 pages, 4 figures, 2 tables

    DNA-based client puzzle for WLAN association protocol against connection request flooding

    In the recent past, Wireless Local Area Network (WLAN) has become more popular because of its flexibility. However, WLANs are subjected to different types of vulnerabilities. To strengthen WLAN security, many high security protocols have been developed. But those solutions are found to be ineffective in preventing Denial of Service (DoS) attacks. A ‘Connection Request Flooding’ DoS (CRF-DoS) attack is launched when an access point (AP) encounters a sudden explosion of connection requests. Among other existing anti CRF-DoS methods, a client puzzle protocol has been noted as a promising and secure potential solution. Nonetheless, so far none of the proposed puzzles satisfy the security requirement of resource-limited and highly heterogeneous WLANs. The CPU disparity, imposing unbearable loads on legitimate users, inefficient puzzle generation and verification algorithms; the susceptibility of puzzle to secondary attacks on legitimate users by embedding fake puzzle parameters; and a notable delay in modifying the puzzle difficulty – these are some drawbacks of currently existing puzzles. To deal with such problems, a secure model of puzzle based on DNA and queuing theory is proposed, which eliminates the above defects while satisfying the Chen puzzle security model. The proposed puzzle (OROD puzzle) is a multifaceted technology that incorporates five main components, including a DoS detector, queue manager, puzzle generation, puzzle verification, and puzzle solver. To test and evaluate the security and performance, OROD puzzle is developed and implemented in a real-world environment. The experimental results showed that the solution verification time of OROD puzzle is up to 289, 160, 9, 3.2, and 2.3 times faster than the Karame-Capkun puzzle, the Rivest time-lock puzzle, the Rangasamy puzzle, the Kuppusamy DLPuz puzzle, and Chen's efficient hash-based puzzle respectively. The results also showed a substantial reduction in puzzle generation time, making the OROD puzzle from 3.7 to 24 times faster than the above puzzles. Moreover, by asking to solve an easy and cost-effective puzzle in OROD puzzle, legitimate users do not suffer from resource exhaustion during puzzle solving, even when under severe DoS attack (high puzzle difficulty).

    Achieving network resiliency using sound theoretical and practical methods

    Computer networks have revolutionized the life of every citizen in our modern interconnected society. The impact of networked systems spans every aspect of our lives, from financial transactions to healthcare and critical services, making these systems an attractive target for malicious entities that aim to make financial or political profit. Specifically, the past decade has witnessed an astounding increase in the number and complexity of sophisticated and targeted attacks, known as advanced persistent threats (APT). Those attacks led to a paradigm shift in the security and reliability communities’ perspective on system design; researchers and government agencies accepted the inevitability of incidents and malicious attacks, and marshaled their efforts into the design of resilient systems. Rather than focusing solely on preventing failures and attacks, resilient systems are able to maintain an acceptable level of operation in the presence of such incidents, and then recover gracefully into normal operation. Alongside prevention, resilient system design focuses on incident detection as well as timely response. Unfortunately, the resiliency efforts of research and industry experts have been hindered by an apparent schism between theory and practice, which allows attackers to maintain the upper hand advantage. This lack of compatibility between the theory and practice of system design is attributed to the following challenges. First, theoreticians often make impractical and unjustifiable assumptions that allow for mathematical tractability while sacrificing accuracy. Second, the security and reliability communities often lack clear definitions of success criteria when comparing different system models and designs. Third, system designers often make implicit or unstated assumptions to favor practicality and ease of design. Finally, resilient systems are tested in private and isolated environments where validation and reproducibility of the results are not publicly accessible. In this thesis, we set about showing that the proper synergy between theoretical analysis and practical design can enhance the resiliency of networked systems. We illustrate the benefits of this synergy by presenting resiliency approaches that target the inter- and intra-networking levels. At the inter-networking level, we present CPuzzle as a means to protect the transport control protocol (TCP) connection establishment channel from state-exhaustion distributed denial of service attacks (DDoS). CPuzzle leverages client puzzles to limit the rate at which misbehaving users can establish TCP connections. We modeled the problem of determining the puzzle difficulty as a Stackelberg game and solve for the equilibrium strategy that balances the users’ utilities against CPuzzle’s resilience capabilities. Furthermore, to handle volumetric DDoS attacks, we extend CPuzzle and implement Midgard, a cooperative approach that involves end-users in the process of tolerating and neutralizing DDoS attacks. Midgard is a middlebox that resides at the edge of an Internet service provider’s network and uses client puzzles at the IP level to allocate bandwidth to its users. At the intra-networking level, we present sShield, a game-theoretic network response engine that manipulates a network’s connectivity in response to an attacker who is moving laterally to compromise a high-value asset. To implement such decision making algorithms, we leverage the recent advances in software-defined networking (SDN) to collect logs and security alerts about the network and implement response actions. However, the programmability offered by SDN comes with an increased chance for design-time bugs that can have drastic consequences on the reliability and security of a networked system. We therefore introduce BiFrost, an open-source tool that aims to verify safety and security properties about data-plane programs. BiFrost translates data-plane programs into functionally equivalent sequential circuits, and then uses well-established hardware reduction, abstraction, and verification techniques to establish correctness proofs about data-plane programs. By focusing on those four key efforts, CPuzzle, Midgard, sShield, and BiFrost, we believe that this work illustrates the benefits that the synergy between theory and practice can bring into the world of resilient system design. This thesis is an attempt to pave the way for further cooperation and coordination between theoreticians and practitioners, in the hope of designing resilient networked systems.

    Security wireless sensor networks: prospects, challenges, and future

    With the advancements of networking technologies and miniaturization of electronic devices, wireless sensor network (WSN) has become an emerging area of research in academic, industrial, and defense sectors. Different types of sensing technologies combined with processing power and wireless communication capability make sensor networks very lucrative for their abundant use in near future. However, many issues are yet to be solved before their full-scale practical implementations. Among all the research issues in WSN, security is one of the most challenging topics to deal with. The major hurdle of securing a WSN is imposed by the limited resources of the sensors participating in the network. Again, the reliance on wireless communication technology opens the door for various types of security threats and attacks. Considering the special features of this type of network, in this chapter we address the critical security issues in wireless sensor networks. We talk about cryptography, steganography, and other basics of network security and their applicability in WSN. We explore various types of threats and attacks against wireless sensor networks, possible countermeasures, mentionable works done so far, other research issues, etc. We also introduce the view of holistic security and future trends towards research in wireless sensor network security