Detection and Localization of Multiple Spoofing Attackers in Wireless Networks
ABSTRACT:
Wireless spoofing attacks are easy to launch and can significantly impact the
performance of networks. Although the identity of a node can be verified through
cryptographic authentication, conventional security approaches are not always
desirable because of their overhead requirements. In this paper, we propose to use
spatial information, a physical property associated with each node, hard to falsify,
and not reliant on cryptography, as the basis for 1) detecting spoofing attacks; 2)
determining the number of attackers when multiple adversaries are masquerading as
the same node identity; and 3) localizing multiple adversaries. We propose to use
the spatial correlation of received signal strength (RSS) inherited from wireless
nodes to detect the spoofing attacks. We then formulate the problem of determining
the number of attackers as a multiclass detection problem. Cluster-based
mechanisms are developed to determine the number of attackers. When the training
data are available, we explore using the Support Vector Machines (SVM) method
to further improve the accuracy of determining the number of attackers. In
addition, we developed an integrated detection and localization system that can
localize the positions of multiple attackers. We evaluated our techniques through
two test beds using both an 802.11 (WiFi) network and an 802.15.4 (ZigBee)
network in two real office buildings. Our experimental results show that our
proposed methods can achieve over 90 percent Hit Rate and Precision when
determining the number of attackers. Our localization results using a representative
set of algorithms provide strong evidence of high accuracy of localizing multiple
adversaries.
EXISTING SYSTEM:
In spite of existing 802.11 security techniques including Wired Equivalent Privacy
(WEP), WiFi Protected Access (WPA), or 802.11i (WPA2), such methodology can
only protect data frames; an attacker can still spoof management or control frames
to cause significant impact on networks. Spoofing attacks can further facilitate a
variety of traffic injection attacks, such as attacks on access control lists, rogue
access point (AP) attacks, and eventually Denial-of-Service (DoS) attacks. A broad
survey of possible spoofing attacks can be found. Moreover, in a large-scale
network, multiple adversaries may masquerade as the same identity and collaborate
to launch malicious attacks such as network resource utilization attacks and
denial-of-service attacks quickly. Therefore, it is important to 1) detect the presence of
spoofing attacks, 2) determine the number of attackers, and 3) localize multiple
adversaries and eliminate them. Most existing approaches to address potential
spoofing attacks employ cryptographic schemes. However, the application of
cryptographic schemes requires reliable key distribution, management, and
maintenance mechanisms. It is not always desirable to apply these cryptographic
methods because of their infrastructural, computational, and management overhead.
Further, cryptographic methods are susceptible to node compromise, which is a
serious concern as most wireless nodes are easily accessible, allowing their
memory to be easily scanned.
DISADVANTAGES OF EXISTING SYSTEM:
Among various types of attacks, identity-based spoofing attacks are
especially easy to launch and can cause significant damage to network
performance.
PROPOSED SYSTEM:
In this work, we propose to use received signal strength (RSS)-based spatial
correlation, a physical property associated with each wireless node that is hard to
falsify and not reliant on cryptography as the basis for detecting spoofing attacks.
Since we are concerned with attackers who have different locations than legitimate
wireless nodes, utilizing spatial information to address spoofing attacks has the
unique power to not only identify the presence of these attacks but also localize
adversaries. An added advantage of employing spatial correlation to detect
spoofing attacks is that it will not require any additional cost or modification to the
wireless devices themselves. We focus on static nodes in this work, which are
common for spoofing scenarios. We addressed spoofing detection in mobile
environments in our other work. Faria and Cheriton proposed the use of matching
rules of signal prints for spoofing detection, Sheng et al. modeled the RSS readings
using a Gaussian mixture model and Chen et al. used RSS and K-means cluster
analysis to detect spoofing attacks. However, none of these approaches have the
ability to determine the number of attackers when multiple adversaries use the
same identity to launch attacks, which is the basis to further localize multiple
adversaries after attack detection. Although Chen et al. studied how to localize
adversaries, it can only handle the case of a single spoofing attacker and cannot
localize the attacker if the adversary uses different transmission power levels.
The proposed system uses the Inter-Domain Packet Filter (IDPF) architecture,
a system that can be constructed solely based on the locally exchanged BGP
updates.
Each node only selects and propagates to neighbors based on two sets of
routing policies: import and export routing policies.
The IDPFs use a feasible path from the source node to the destination node,
and a packet can reach the destination through one of its upstream
neighbors.
When training data is available, we explore using the Support Vector Machines
(SVM) method to further improve the accuracy of determining the number
of attackers.
Localization results using a representative set of algorithms provide strong
evidence of high accuracy in localizing multiple adversaries.
The Cluster Based wireless Sensor Network data received signal strength
(RSS) based spatial correlation of network Strategy.
A physical property associated with each wireless device that is hard to
falsify and not reliant on cryptography as the basis for detecting spoofing
attacks in wireless networks.
MODULES:
MODULES DESCRIPTION
Blind & Non-Blind Spoofing:
RSS-based spatial correlation is used to find the distance in signal space and
further detect the presence of spoofing attackers in physical space.
Constructing Routing Table:
The channel frequency response is sensitive to each multipath. An impulse
in the time domain is a constant in the frequency domain, and thus a change
to a single path may change the entire multiple tone link of Network.
In wireless networks classes that provide automatic reconfiguration of APs,
adjusting power levels and channel assignments to optimize coverage while
minimizing contention between neighbors.
The RSS readings over time from the same physical location will belong to
the same cluster points in the n-dimensional signal space.
Converting the large dataset into medium format for the computation
purpose.
In this medium, the rows consist of HTTP requests and the columns consist of
the time for a particular user (IP address).
Received Signal Strength Indicator Formula,
The RSS stream of a node identity may be mixed with RSS readings of
both the original node as well as spoofing nodes from different physical
locations.
Constructing Inter-Domain Packet Filters:
The clustering algorithms cannot tell the difference between real RSS
clusters formed by attackers at different positions and fake RSS clusters
caused by outliers and variations of the signal strength.
The minimum distance between two clusters is large indicating that the
clusters are from different physical locations.
The minimum distance between the returned clusters to make sure the
clusters are produced by attackers instead of RSS variations and outliers.
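The cluster-distance check described above (readings from one location form one cluster in signal space; a large distance between two clusters indicates two locations), as an added example that is not code from the original project. It assumes four landmarks, K-means with k=2 as the clustering step, a 10 dB threshold, and constructed RSS values; all function names are hypothetical.

```python
import math
import random
from itertools import combinations

def dist(a, b):
    """Euclidean distance between two RSS vectors in n-dimensional signal space."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def mean(points):
    return tuple(sum(c) / len(points) for c in zip(*points))

def two_means(readings, iterations=20):
    """Split the RSS stream of ONE node identity into two clusters (k=2)."""
    # Seed with the two readings farthest apart so the split is deterministic.
    c1, c2 = max(combinations(readings, 2), key=lambda p: dist(*p))
    for _ in range(iterations):
        g1 = [r for r in readings if dist(r, c1) <= dist(r, c2)]
        g2 = [r for r in readings if dist(r, c1) > dist(r, c2)]
        # Keep the old centroid if a cluster ends up empty.
        n1, n2 = (mean(g1) if g1 else c1), (mean(g2) if g2 else c2)
        if (n1, n2) == (c1, c2):
            break
        c1, c2 = n1, n2
    return c1, c2

def detect_spoofing(readings, threshold_db=10.0):
    """Flag the identity when the two cluster centres are far apart.

    A small distance means the split only reflects RSS variation and outliers;
    a large one means the readings come from different physical locations.
    threshold_db is an assumed value that must be calibrated per deployment.
    """
    c1, c2 = two_means(readings)
    d = dist(c1, c2)
    return d > threshold_db, d

def constructed_stream(center, count, rng, jitter_db=2.0):
    """Constructed sample data: RSS (dBm) at 4 landmarks with bounded jitter."""
    return [tuple(c + rng.uniform(-jitter_db, jitter_db) for c in center)
            for _ in range(count)]

rng = random.Random(7)
LEGIT = (-50.0, -62.0, -71.0, -58.0)      # constructed: original node
ATTACKER = (-68.0, -49.0, -60.0, -75.0)   # constructed: spoofer elsewhere
clean = constructed_stream(LEGIT, 40, rng)
mixed = clean + constructed_stream(ATTACKER, 40, rng)

if __name__ == "__main__":
    for name, stream in (("clean", clean), ("mixed", mixed)):
        flagged, d = detect_spoofing(stream)
        print(f"{name}: centre distance {d:.1f} dB, spoofing={flagged}")
```

The threshold is what separates real attacker clusters from fake clusters caused by signal variation, so it has to be set from the RSS spread observed at a single location in the deployment.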
Receiving different Transmission Power:
The transmission power levels when performing spoofing attacks so that the
localization system cannot estimate its location accurately.
The CDF of localization error of RADAR-Gridded and ABP when
adversaries using different transmission power levels.
The detection mechanisms are highly effective in both detecting the presence
of attacks with detection rates over 98% and determining the number of
network.
Processor : Pentium III
Speed : 1.1 GHz
RAM : 256 MB (min)
Hard Disk : 20 GB
Floppy Drive : 1.44 MB
Key Board
Mouse
Monitor : SVGA
SOFTWARE REQUIREMENTS:-
Operating System : WINDOWS XP
Front End : C#.NET
TOOL
Database
REFERENCE:
Jie Yang, Student Member, IEEE, Yingying (Jennifer) Chen, Senior Member, IEEE,
Wade Trappe, Member, IEEE, and Jerry Cheng, "Detection and Localization of
Multiple Spoofing Attackers in Wireless Networks," IEEE TRANSACTIONS