160 research outputs found

    Mitigation of topology control traffic attacks in OLSR networks

    The core of the Optimized Link State Routing (OLSR) protocol is the selection of Multipoint Relays (MPRs) as a flooding mechanism for distributing control traffic messages. A node in an OLSR network selects its MPR set such that all two-hop neighbors are reachable through at least one MPR. However, if an MPR misbehaves during the execution of the protocol, the connectivity of the network is compromised. Additional coverage in the selection of the MPRs helps to mitigate the effect of control traffic attacks. RFC3626 defines the selection of MPRs with additional coverage. Nevertheless, the overhead of the network increases due to the added number of control traffic messages. In this paper, we propose an improved MPR selection with additional coverage. Every node selects, if it is possible, k + 1 disjoint MPR sets. The union of those sets is a k-robust-MPR set. Thus, given a node, alternative paths are created to reach any destination two-hops away. We test both approaches against two kinds of adversaries misbehaving during the execution of the protocol. Our proposed MPR selection with additional coverage mitigates the effect of control traffic attacks by offering equivalent protectio

    Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures

    Software-Defined Networking (SDN) is a new networking paradigm that grants a controller and its applications an omnipotent power to have holistic network visibility and flexible network programmability, thus enabling new innovations in network protocols and applications. One of the core advantages of SDN is its logically centralized control plane to provide the entire network visibility, on which many SDN applications rely. For the first time in the literature, we propose new attack vectors unique to SDN that seriously challenge this foundation. Our new attacks are somewhat similar in spirit to spoofing attacks in legacy networks (e.g., ARP poisoning attack), however with significant differences in exploiting unique vulnerabilities how current SDN operates differently from legacy networks. The successful attacks can effectively poison the network topology information, a fundamental building block for core SDN components and topology-aware SDN applications. With the poisoned network visibility, the upper-layer OpenFlow controller services/apps may be totally misled, leading to serious hijacking, denial of service or man-in-the-middle attacks. According to our study, all current major SDN controllers we find in the market (e.g., Floodlight, OpenDaylight, Beacon, and POX) are affected, i.e., they are subject to the Network Topology Poisoning Attacks. We then investigate the mitigation methods against the Network Topology Poisoning Attacks and present TopoGuard, a new security extension to SDN controllers, which provides automatic and real-time detection of Network Topology Poisoning Attacks. Our evaluation on a prototype implementation of TopoGuard in the Floodlight controller shows that the defense solution can effectively secure network topology while introducing only a minor impact on normal operations of OpenFlow controllers.

    Security and Energy Efficiency in Resource-Constrained Wireless Multi-hop Networks

    In recent decades, there has been a huge improvement and interest from the research community in wireless multi-hop networks. Such networks have widespread applications in civil, commercial and military applications. Paradigms of this type of networks that are critical for many aspects of human lives are mobile ad-hoc networks, sensor networks, which are used for monitoring buildings and large agricultural areas, and vehicular networks with applications in traffic monitoring and regulation. Internet of Things (IoT) is also envisioned as a multi-hop network consisting of small interconnected devices, called "things", such as smart meters, smart traffic lights, thermostats etc. Wireless multi-hop networks suffer from resource constraints, because all the devices have limited battery, computational power and memory. Battery level of these devices should be preserved in order to ensure reliability and communication across the network. In addition, these devices are not a priori designed to defend against sophisticated adversaries, which may be deployed across the network in order to disrupt network operation. In addition, the distributed nature of this type of networks introduces another limitation to protocol performance in the presence of adversaries. Hence, the inherent nature of this type of networks poses severe limitations on designing and optimizing protocols and network operations. In this dissertation, we focus on proposing novel techniques for designing more resilient protocols to attackers and more energy efficient protocols. In the first part of the dissertation, we investigate the scenario of multiple adversaries deployed across the network, which reduce significantly the network performance. We adopt a component-based and a cross-layer view of network protocols to make protocols secure and resilient to attacks and to utilize our techniques across existing network protocols.
We use the notion of trust between network entities to propose lightweight defense mechanisms, which also satisfy performance requirements. Using cryptographic primitives in our network scenario can introduce significant computational overhead. In addition, behavioral aspects of entities are not captured by cryptographic primitives. Hence, trust metrics provide an efficient security metric in these scenarios, which can be utilized to introduce lightweight defense mechanisms applicable to deployed network protocols. In the second part of the dissertation, we focus on energy efficiency considerations in this type of networks. Our motivation for this work is to extend network lifetime, but at the same time maintain critical performance requirements. We propose a distributed sleep management framework for heterogeneous machine-to-machine networks and two novel energy efficient metrics. This framework and the routing metrics are integrated into existing routing protocols for machine-to-machine networks. We demonstrate the efficiency of our approach in terms of increasing network lifetime and maintaining packet delivery ratio. Furthermore, we propose a novel multi-metric energy efficient routing protocol for dynamic networks (i.e. mobile ad-hoc networks) and illustrate its performance in terms of network lifetime. Finally, we investigate the energy-aware sensor coverage problem and we propose a novel game theoretic approach to capture the tradeoff between sensor coverage efficiency and energy consumption

    MITIGATING NODE ISOLATION ATTACK IN OLSR PROTOCOL USING DCFM TECHNIQUE

    A Mobile Ad Hoc Network (MANET) is a collection of mobile devices which are connected by wireless links without the use of any fixed infrastructures or centralized access points. The Optimized Link State Routing (OLSR) protocol is an important proactive routing protocol designed for mobile ad hoc networks. It employs periodic exchange of messages to maintain topology information of the network at each node. Based on topology information, each node is able to calculate the optimal route to a destination. One major DoS attack against the Optimized Link State Routing protocol (OLSR) known as the node isolation attack occurs when topological knowledge of the network is exploited by an attacker who is able to isolate the victim from the rest of the network and subsequently deny communication services to the victim. The proposed method named Denial Contradictions with Fictitious Node Mechanism (DCFM) relies on the internal knowledge acquired by each node during routine routing, and augmentation of virtual (fictitious) nodes. Moreover, DCFM utilizes the same techniques used by the attack in order to prevent it. DCFM successfully prevents the attack, specifically in the realistic scenario in which all nodes in the network are mobile

    A Novel Method of Enhancing Security Solutions and Energy Efficiency of IoT Protocols

    Mobile Ad-hoc Networks (MANETs) are wireless networks that are capable of operating without any fixed infrastructure. MANET routing protocols must adhere to strict secrecy, integrity, availability and non-repudiation criteria. In MANETs, attacks are roughly categorised into two types: active and passive. An active attack attempts to modify or remove data being transferred across a network. On the other hand, a passive attack does not modify or erase the data being sent over the network. The majority of routing protocols for MANETs were built with little regard for security and are therefore susceptible to a variety of assaults. Routing technologies such as AODV and dynamic source routing are quite common. Both, however, are susceptible to a variety of network layer attacks, including black holes, wormholes, rushing, byzantine, and information disclosure. The mobility of the nodes and the open architecture in which the nodes are free to join or leave the network keep changing the topology of the network. The routing in such scenarios becomes a challenging task since it has to take into account the constraints of resources of mobile devices. An analysis of these protocols indicates that, though proactive routing protocols maintain a route to every destination and have low latency, they suffer from high routing overheads and inability to keep up with the dynamic topology in a large sized network. The reactive routing protocols in contrast have low routing overheads, better throughput and higher packet delivery ratio. AODVACO-PSO-DHKE Methodology boosts throughput by 10% while reducing routing overhead by 7%, latency by 8% and energy consumption by 5%. To avoid nodes always being on, a duty cycle procedure that's also paired with the hybrid method is used. ACO-FDR PSO is applied to a 100-node network and NS-3 is used to measure various metrics such as throughput, latency, overhead, energy consumption and packet delivery ratio