catch: a protocol framework for cross-layer attacker traceback...

Ad Hoc Networks 8 (2010) 193–213

Contents lists available at ScienceDirect

Ad Hoc Networks

journal homepage: www.elsevier .com/locate /adhoc

CATCH: A protocol framework for cross-layer attackertraceback in mobile multi-hop networks

Yongjin Kim a,*, Ahmed Helmy b

a Qualcomm, 5775 Morehouse Drive, San Diego, CA, USAb Computer and Information Science and Engineering (CISE) Department, University of Florida, Gainesville, FL, USA

a r t i c l e i n f o a b s t r a c t

Article history:Received 30 July 2008Received in revised form 29 March 2009Accepted 13 July 2009Available online 17 July 2009

Keywords:Attacker tracebackMobile multi-hop networksDenial of Service (DoS) attackDistributed DoS (DDoS) attack

1570-8705/$ - see front matter � 2009 Elsevier B.Vdoi:10.1016/j.adhoc.2009.07.002

* Corresponding author. Tel.: +1 858 740 4505.E-mail addresses: [email protected], v2

Kim), [email protected] (A. Helmy).

Flooding-type Denial-of-Service (DoS) and Distributed DoS (DDoS) attacks can cause seri-ous problems in mobile multi-hop networks due to its limited network/host resources.Attacker traceback is a promising solution to take a proper countermeasure near attack ori-gins, for forensics and to discourage attackers from launching the attacks. However,attacker traceback in mobile multi-hop networks is a challenging problem. Existing IPtraceback schemes developed for the fixed networks cannot be directly applied to mobilemulti-hop networks due to the peculiar characteristics of the mobile multi-hop networks(e.g., dynamic/autonomous network topology, limited network/host resources such asmemory, bandwidth and battery life). We introduce a protocol framework for attackertraceback, CATCH, geared towards mobile multi-hop networks utilizing MAC and networkcross-layer approach. We also perform systematic risk analysis on mobile multi-hop net-works. Based on the risk analysis, we extend CATCH for a mobile attacker tracebackscheme. We show that CATCH successfully tracks down attacker under diverse mobilemulti-hop network environment with low communication, computation, and memoryoverhead. We provide comprehensive evaluation of our proposed protocols through exten-sive simulations.

� 2009 Elsevier B.V. All rights reserved.

1. Introduction

Mobile multi-hop networks include Mobile Ad-hocNETworks (MANET), wireless mesh networks, and wirelesssensor networks, among others. Various types of mobilemulti-hop networks have been under active researchrecently due to its numerous promising applications andpractical deployment is near. However, in general, securityissues are not properly addressed in the design of suchnetworks. DoS/DDoS attack can cause serious problems inmobile multi-hop networks since (1) it is easy to performattack using existing tools, and (2) in general, mobile mul-ti-hop networks are severely limited in network resources

. All rights reserved.

[email protected] (Y.

(e.g., bandwidth) and host resources (e.g., battery, memory,etc).

Different types of DoS/DDoS attacks can be broadly clas-sified into software exploits and flooding-type attacks. Insoftware exploits (e.g., Course of silence attack [8]), attack-er sends a few packets or even single packet to exercisespecific software bugs within the target’s OS or applicationdisabling or harming the victim. On the other hand, inflooding-type attack [7], one or more attackers send inces-sant streams of packets aimed at overwhelming link band-width or computing resources at the victim. We focus onflooding-type DoS/DDoS attack since it cannot be fixedwith software debugging. In flooding-type DoS/DDoS at-tack, an attacker transmits a large number of packets to-wards a victim with spoofed source address. For instance,in SYN Flood [18], at least 200–500 pps (packet per second)of SYN packets are transmitted to a single victim. DNSamplification attack [16] also attacks victim using a large

http://dx.doi.org/10.1016/j.adhoc.2009.07.002

mailto:[email protected]



http://www.sciencedirect.com/science/journal/15708705

http://www.elsevier.com/locate/adhoc

194 Y. Kim, A. Helmy / Ad Hoc Networks 8 (2010) 193–213

amount of packets with spoofed DNS server address. Ingeneral, we can say that the following are some character-istics of flooding-type DoS/DDoS attacks: (I) Traffic volumeis abnormally increased during attack period. (II) Attackersroutinely disguise their location using incorrect/spoofedaddresses. (III) Such attacks may persist for tens of minutesand in some case for several days.

We define our goal of attacker traceback as the ability toidentify the machines that directly generate attack trafficand the network path this traffic subsequently follows[4], or at least identify their neighborhood (e.g., location,neighboring nodes) if not identity. There are several at-tacker traceback schemes proposed for the Internet suchas packet marking, logging, and ICMP traceback [4]. Suchtraceback schemes were developed for the fixed networksand are not directly applicable to mobile multi-hop net-works due to the following particular characteristics ofmobile multi-hop networks. (1) In mobile multi-hopnetworks, there is no fixed infrastructure, gateways or fire-walls. Each node works as an autonomous terminal, actingas both host and a router. (2) Each node can move in andout of the network, frequently changing network topology.(3) In general, network bandwidth and battery power areseverely limited. (4) It may be difficult to physically securea mobile node that could be captured, compromised tolater rejoin the networks as a Byzantine node.

To perform efficient DoS/DDoS attacker traceback undersuch a harsh environment in mobile multi-hop networks,we propose an efficient protocol framework, called CATCH.The building blocks of our framework consist of (I) abnor-mality detection, (II) abnormality characterization, (III)abnormality searching, (V) countermeasures. We validateand evaluate our framework through extensive simula-tion-based analysis and comparison. We utilize cross-layertraffic monitoring and filtering to dramatically improve thesuccess and accuracy of our proposed protocol.

We also systematically analyze mobility-induced risks.One of the most serious obstacles in attacker traceback un-der mobile multi-hop networks is dynamic topology. Exist-ing attacker traceback schemes cannot be directly usedunder the presence of node mobility. Node mobility canbe classified into two classes; intentional/malicious attack-er’s mobility and legitimate mobility of intermediate/vic-tim nodes. Intentional/malicious attacker’s mobility cancause numerous problems and illusions in traceback. Toidentify various risks caused by attacker’s mobility, wepropose multi-dimensional set-based risk analysis method.In addition, we analyze how various innocent mobility ofintermediate and victim can affect traceback performance.

In sum, we make the following contributions in thispaper:

� We provide a complete set of attacker traceback proto-col framework for mobile multi-hop networks. In eachcomponent of the framework (i.e., abnormality detec-tion, characterization, and searching), we compare vari-ous possible sets of schemes and identify the mostoptimal scheme among those sets.

� We use cross-layer (i.e., network and MAC layer) infor-mation to increase traceback efficiency and decreasethe associated overhead. We also effectively utilize

overhearing capability of the wireless MAC layer, todrastically increase robustness against node compro-mise and mobility and to reduce false positive and neg-ative rates.

� We propose traceback-assisted countermeasure, whichprovides an effective defense strategy.

� We propose systematic risk analysis methodology basedon multi-dimensional set-based approach. The risk anal-ysis methodology provides an effective way to analyzehow attackers can exploit mobility and associated risks.We also propose mobile attacker traceback scheme, sys-tematically analyze how legitimate mobility can affectthe traceback performance, and use various mobilitymodels to evaluate the traceback performance.

The rest of the paper is organized as follows. In Section2, we discuss design requirements for robust attackertraceback in mobile multi-hop networks and provide com-parison of existing schemes. In Section 3, we provide anoverview of our traceback protocol framework. We de-scribe abnormality detection, characterization, searching,and the overall traceback algorithm in Sections 4–7,respectively. In Section 8, we provide the traceback-as-sisted countermeasure scheme. In Section 9, we performsystematic risk analysis of sophisticated mobile attacks.Then, we describe how legitimate mobility can affect trace-back performance in Section 10 and provide mobile attack-er traceback scheme in Section 11. Finally, we conclude ourpaper in Section 12.

2. Design requirements

To analyze and identify design requirements for trace-back protocol in mobile multi-hop networks, we classifythe main building blocks of the attacker traceback protocolas follows: (I) information searching and gathering, (II)information storage, and (III) information analysis. Infor-mation searching and gathering are the processes to puttogether or seek clues on the attack traffic. Informationstorage is the process to store the gathered clue in somestorage for analysis. Information analysis is the process toreconstruct the attack path based on the clue obtainedthrough information storing process or real-time data pro-vided by information searching and gathering processes.Based on the classified building blocks, we identify the de-sign requirements (Table 1) for our traceback protocol inmobile multi-hop networks.

2.1. Information gathering

For robust and efficient information searching and gath-ering in mobile multi-hop networks, we need to satisfy thefollowing protocol requirements: First, the tracebackscheme should be robust against route instability due tonode mobility and topology change. Second, it may be dif-ficult to physically secure nodes that could be captured,compromised and later rejoin the networks as Byzantinenode. Hence, we need robustness against node compro-mise. Third, in general, mobile multi-hop networks areseverely limited in networks resource (i.e., bandwidth). In

Table 1Design requirements for attacker traceback in mobile multi-hop networks.

Protocol buildingblock

Design requirement

Informationgathering

� Robustness against topology change and mobility� Robustness against node collusion� Low communication overhead and energy

consumption

Informationstorage

� Low storage consumption

Informationanalysis

� Low computational overhead� Low delay

Y. Kim, A. Helmy / Ad Hoc Networks 8 (2010) 193–213 195

addition, energy conservation is one of major concern.Hence, we need to reduce communication overhead andenergy consumption.

Existing attacker traceback schemes (e.g., packet mark-ing [13], iTrace [4]) rely on hop-by-hop traceback. Hence,when one intermediate node moves out or powered down,the traceback process fails. In addition, when several nodesare compromised, the traceback process stops at the com-promised nodes. Consequently, a majority-based scheme isrequired in mobile multi-hop networks, which is robustagainst multiple node compromises and failures. Huangand Lee [11] provides dynamic topology reconstructionmechanism using TTL and neighbor node information totraceback attacker. However, it still suffers form informa-tion storage/analysis problem as will be mentioned in thefollowing.

2.2. Information storage

Clue information, obtained through information search-ing and gathering processes, needs to be stored for trace-back. Information can be stored at the end-host or insidethe network. However, in general, nodes in mobile multi-hop network have limited storage space. Hence, it isimportant to reduce storage requirement.

iTrace [5] or FIT [17] is end-host storage scheme. ICMPor marked packets are stored at the end-host and used forpath reconstruction. The logging scheme in [11,13] is anetwork-storage scheme, where clue information is storedin inside networks. An obvious drawback of theseschemes is that large amount of data needs to be storedat either the end-host or inside the network since per-packet information is required. Sy and Bao [15] tries tosolve the storage problem by gradual refreshing of mem-ory. Sung et al. [14] also tries to solve storage problem bystoring small percentage of packets and using sophisti-cated scheme to reconstruct the attack path. However,those schemes still suffer form information gatheringproblem under dynamic topology change. Al-Duwair andGoyindarasu [1] proposes hybrid scheme between packetmarking and logging to reduce amount of data to bestored. However, it does not resolve information gather-ing/analysis issue.

On the other hand, controlled flooding [6] does not re-quire information storage. However, it consumes networkbandwidth, which is highly undesirable in resource con-strained mobile multi-hop networks.

2.3. Information analysis

Information analysis in existing schemes (e.g., iTrace [5],FIT [17], logging [13]) incurs high processing overhead anddelay since it takes per-packet analysis approach. Forinstance, in iTrace, end host first searches the database,which stores packet information. Then, based on the packetinformation, end-host should reconstruct the attack path.

3. Overview of the CATCH protocol framework

Our CATCH traceback protocol consists of the followingfour components: (1) abnormality detection, (2) abnormal-ity characterization, (3) abnormality searching, and (4)countermeasures.

Abnormality is monitored by all nodes in the network.Each node monitors network and MAC layer activity (e.g.,number of packet, busy time in MAC layer). Once abnormal-ity is detected, the information is captured and logged. Weintroduce several classes of detection technique to accu-rately detect attack with low overhead. We classify abnor-mality into two classes: coarse-grained abnormality andfine-grained abnormality. Basically, with coarse-grainedabnormality, we trace-back attackers using only packetcounters, without using payload-level details. Coarse-grained abnormality monitoring is further divided intothe following two classes: Coarse-grained Network LayerMonitoring (C-NLM) and Coarse-grained MAC Layer Moni-toring (C-MLM). On the other hand, with fine-grained trace-back, we trace-back attackers by analyzing payload-leveldetails. Fine-grained abnormality monitoring is further di-vided into the following three classes: Fine-grained Net-work Layer Monitoring (F-NLM), Fine-grained MAC LayerMonitoring (F-MLM) and Fine-grained Cross-layer Moni-toring (F-CM) that includes both network layer and MAClayer monitoring. There exists a clear tradeoff betweenthe two above mechanisms. In coarse-grained abnormal-ity-based traceback, computational/storage overhead isminimized by sacrificing payload level analysis for trace-back. It is an effective way of traceback in many cases whenattack traffic shows obvious abnormality and backgroundtraffic is low or moderate, as we shall show. In fine-grainedabnormality-based traceback, payload-level information isconsidered and analyzed to trace back attackers. It requiresmore computation/storage overhead because we need tostore and analyze more detailed information, but it canmore accurately trace back attackers. Fine-grained abnor-mality-based traceback becomes essential in the followingcases: (1) In DDoS attacks only reduced abnormality is ob-served near the edges of the attack route. Hence, we need todifferentiate between attack traffic and background trafficaccurately. (2) Under high background traffic, abnormalitybecomes less obvious. We show that we can increasetraceback accuracy even under low abnormality and highbackground traffic by using fine-grained abnormalitymonitoring by filtering much of the noise traffic (i.e., back-ground traffic). The fine-grained cross-layer informationcan further filter out background traffic. With the variousclasses of abnormalities defined above, we perform the fol-lowing traceback process.


Once abnormality is detected, the abnormality needs tobe characterized for traceback. Characterized abnormalityat the victim is called the ‘attack signature’ and abnormal-ity characterized at an intermediate node is called ‘candi-date attack signature’.

We need to find nodes that observe candidate attack sig-nature which is sufficiently similar to attack signature. Byprogressively finding nodes that observe similar attack sig-nature from nodes near victim to attack origin, we can findattack route. To provide energy efficiency and robustnessagainst false reports, we use majority voting. Majority vot-ing is performed by multiple nodes that observe or over-hear abnormality in a certain region. We also utilize thesmall world model [9,10] to increase the search efficiency.

After we identify the attack origin(s), we carry outcountermeasures (Section 9) to ameliorate the intensityof (or stop) the attack. Existing countermeasures (e.g.,packet filtering, rate limiting) suffer from several draw-backs. A packet filtering scheme drops a large volume oflegitimate packets. While in a rate limiting scheme it ishard to find the optimal limiting rate. We take a hybrid ap-proach of packet filtering and rate limiting. We use match-ing level – that we call ‘confidence index’ – to find areasonable limiting rate.

We also analyze how mobility affects traceback perfor-mance (Sections 10 and 11) and propose a scheme to trackdown mobile attackers (Section 12). We first systematicallyanalyze how mobility can be exploited by attacker(s). Legit-imate mobility of intermediate/victim can also bring aboutnegative impact on traceback performance and is also ana-lyzed. To track down mobile attackers effectively, we utilizespatio-temporal relation of attack signature. In addition, wesystematically evaluate how various parameters of themobility pattern can affect the traceback performance.

4. Abnormality detection

The first component of our framework is the abnormal-ity or attack detection by the victim node and intermediatenodes. Based on this scheme the victim node may trigger atraceback search, and intermediate nodes log informationto be used during the search as needed.

4.1. Definition of abnormality

Once flooding-type DoS/DDoS attack is launched, alarge volume of traffic is generated towards a victim. Theflooding-type attack causes protocol layer (i.e., networklayer and MAC layer) abnormality. MAC layer abnormalityis observed by neighboring nodes around the attack routeby the overhearing capability of MAC layer activity. In thispaper, we use 802.11 MAC mechanism, which is widelyused as MAC layer for wireless devices. However, note thatour scheme can be generally applied to other MAC proto-cols. We analyze how the flooding-type attack trafficcauses abnormality in network and MAC layer as follows:

4.1.1. Increased packets at network layerFlooding-type DoS/DDoS attack causes abnormally in-

creased packets both in relay nodes of attack traffic and

the victim. The increase can be statistically detected andidentified as abnormality.

4.1.2. Increased collisions at MAC layerIncreased collision can be inferred by several symp-

toms. (I) Increased retry count due to lack of ACK or CTS:frame or fragment has a single retry counter associatedwith it. Frames that are shorter than the RTS thresholdhave short retry count. Frames that are longer than thethreshold are considered long frames and have long retrycount. Frame retry counts begin at 0 and are incrementedwhen a frame transmission fails. (II) Large contention win-dow (CW). After each unsuccessful transmission, CW isdoubled up to a maximum value CWmax ¼ 2m � CWmin,where m is the number of attempt. (III) Long lifetime:when the first fragment is transmitted, the lifetime counteris started. When the lifetime limit is reached, the frame isdiscarded and no attempt is made to transmit any remain-ing fragments.

4.1.3. Increased busy time at MAC layerA node monitors the channel to check whether it is idle

or not. If it is busy for a certain time interval, it cannot gointo backoff stage and should defer. Frequent busy timeand consequent transition from backoff state to defer stageare considered as symptom of abnormal traffic.

4.1.4. Increased frames at MAC layerAs attack packets are increased, the number of corre-

sponding data frames and ACK frames are increased. Inaddition, to access channel, the number of RTS and CTSframes are also increased.

We perform simulations to investigate the abnormalbehavior of network and MAC layer under DoS attack,and to address the following question: what is the bestinformation to use as indicator of the attack signature? Weuse ns-2 for simulation with 50 nodes. The network sizeis 670 m � 670 m and DSDV is used for underlying routingprotocol. Average distance between attacker and victim isfour hops. In Figs. 1 and 2, we varied the number of nodesthat generate background traffic from 1 to 25 and mea-sured increased rate. Increased rate is defined as the ratiobetween abnormal behavior and normal behavior. For in-stance, when collision count under attack is g and collisioncount under normal background traffic is g0, the increasedrate is calculated as g=g0. In the simulation, attack traffic isgenerated as ten times of normal traffic size. As shown inthe Fig. 2, frame count, packet counts and busy time showhigh increased rate when background traffic is low, and theincreased rate decrease as background traffic increases. Itis because as background traffic increases the attack trafficdoes not show drastic abnormality. On the other hand, in-creased rate in collision is low even when background traf-fic is low. It is because collision rarely occurs when thereexists only attack traffic. The increased rate of collisiongradually goes up as background traffic increases and de-creases after certain point.

Fig. 3 show relative variance of abnormality informa-tion. Relative variance is defined as (variance of abnormalityinformation)/(mean of abnormality information). Collisionrate shows the highest variance. It is because collision

Abnormality Detection

Abnormality Characterization

Abnormality Searching

Countermeasure

Fig. 1. Attacker traceback protocol framework.

0

2

4

6

8

10

12

1 5 10 15 20 25

Number of nodes that generate

background traffic

Incr

ease

d ra

te

Increased packets

Increased frames

Increased busy time

Increased collision

Fig. 2. Network and MAC layer abnormality.

0

0.5

1

1.5

2

0 5 10 15 20 25Number of nodes that generate background traffic

Rel

ativ

e va

rianc

e

Packet count

Frame count

Busy time

Collision

Fig. 3. Variance of network/MAC layer abnormality.

0

10

20

30

40

50

0 10 20 30 40

Number of nodes that generate background traffic

Chi

-squ

are

valu

e

Packet count

Frame count

Busy time

Collision

Threshold (5.02)

Fig. 4. Relation between attack traffic and protocol layer activity.


occurrence varies depending on temporal and spatial traf-fic distribution, which is not desirable as our abnormalityinformation.

We use a two-way contingency table to evaluate thedependency of protocol layer activity on attack traffic. Intwo-way contingency table, data is classified according tothe directions (row and column) of classification, basedon two qualitative variables. In our test, the row is the nor-mal/abnormal and the column is attack region/non-attackregion. Attack region is the area around the attack pathwhere nodes can observe attack traffic activity. In the con-tents of table, the number of nodes that observes corre-sponding protocol layer abnormality is used. Here, wedefine abnormality as traffic with increased rate greater

than 2. More formal definition of abnormality follows inthe next section. Then, we set the following null and alter-native hypotheses to test the dependency of the twoclassifications.

H0: The two classifications are independent.Ha: The two classifications are dependent.

Test statistic : v2 ¼Xc

j�1

Xr

i�1

½nij � EðnijÞ�2

EðnijÞ; ð1Þ

where EðnijÞ ¼ni:n:j

n ;ni is total for row i and nj is total for col-umn j. The rejection region where we can conclude thattwo classifications are dependent is as follow.

v2 > v2a ð2Þ

where v2 is chi-square probability distribution with(r � 1)(c � 1) degree of freedom and a is the probabilityof a type I error (a type I error is made if H0 is rejectedwhen H0 is true). Intuitively, v2 is high when more the per-centage of nodes observe abnormality.

In Fig. 4, we show v2 value of each abnormality compo-nent. The threshold v2

a is 5.02 with 97.5% confidence inter-val. We can infer that if the v2 value is above the threshold,there exists dependency (reject the null hypothesis H0Þ. Asshown in the Fig. 4, We can constantly observe high v2

value ðv2 > v2aÞ with frame count and busy time informa-

tion, which means that attack traffic have clear impact(dependency) on the overhearing nodes around the attackroute. On the other hand, packet count shows low depen-dency. It is because packet count is based on network layerinformation that cannot use overhearing capability. Conse-quently, we can say that frame count and busy time arebetter candidates as abnormality information to be robustagainst node collusion.

Based on all the observation above, we can conclude thatthe frame count information is the best candidate as attacksignature. We will use the frame count as our main abnor-mality indicator. In addition, we will utilize network layerinformation (i.e., packet-header information) to comple-ment MAC layer information.

Each node monitors protocol layer activity. Once abnor-mality is detected, the node logs the abnormality informa-tion as candidate attack signature. Later, during the search

Attacktraffic

Backwardnoise

Forward noise

Attacker

Victim

Relay nodes

Fig. 5. Illustration of forward/backward noise reduction using cross-layermonitoring.


phase the candidate attack signature is compared with theattack signature which is characterized by a victim. To de-tect abnormality, we need to define a threshold. If the ob-served value exceeds the threshold, it is defined asabnormality. Threshold can be set either as fixed value oradaptive value. For fixed threshold, we use the FractionalDeviation from the Mean (FDM), and we use the Pivotmethod for the adaptive threshold. Both methods will beconsidered and compared in our study.

4.2. FDM-based detection

Let AS be the number of frames in a given time slot andAR be the average number of frames in the long-term refer-ence model. Then the distance of the Fractional Deviationfrom the Mean (FDM) statistic is given as follows:

Dist ¼ AS � AR

AR: ð3Þ

The distance, Dist, is defined as the abnormality level. Ifthe abnormality level is over the threshold (e.g., 0.5), it isconsidered suspicious and the (candidate) attack signatureis characterized and logged. The obvious advantage of FDMis its simplicity in defining the threshold. However, it doesnot consider the variance of background traffic to detectabnormality.

4.3. Pivot-based detection

To consider the background traffic variance, we use thepivotal method. We calculate the normal interval with theconfidence interval of 100(1 � aÞ% as follows:

�xn � za=2rffiffiffinp� �

� �xn � za=2snffiffiffi

np� �

; ð4Þ

where �xn is the sample mean of xi and r is the standarddeviation of xi. Since the value of r is unknown, the samplestandard deviation sn is used.

When the new value of xi is outside the normal range,we define it as abnormality. The abnormal values are ex-cluded from calculating normal range. The advantage ofusing the Pivotal method is accurate abnormality detec-tion. The computational complexity of Pivot-based methodis O(1) in each detection.

In both FDM-based and Pivot-based detection, we caneither use simple average or leverage ExponentiallyWeighted Moving Average (EWMA) to calculate normalprofile (i.e., AR. or �xnÞ. In EWMA, normal profile at timenþ 1 (i.e., �xnþ1Þ is calculated as follows:

�xnþ1 ¼ b � �xn þ ð1� bÞ � xnþ1; ð5Þ

where xnþ1 is abnormality observed at time nþ 1 and �xn isnormal abnormality profile up to time n. Based on thevalue of b, we can put more weight on short-term observa-tion or long-term observation. In performance analysissection, we compare performance difference based onselection of b. In addition, to accommodate spatial trafficvariation in mobile network, we recommend obtainingnew normal profile whenever movement is detected (e.g.,using GPS or routing table change). In addition, to accom-

modate temporal traffic variance, we recommend updatingnormal profile every hour.

4.4. Coarse-grained vs. fine-grained detection

In coarse-grained detection, abnormality is detected bythe aggregate traffic level using total counts, without keep-ing track of individual flow statistics. The advantage ofcoarse-grained detection is its computational efficiency.However, the problem of aggregate (or coarse-grained)traffic-based abnormality detection is that it is hard to de-tect small abnormalities accurately under the presence oflarge/bursty background traffic, which will prove neces-sary, especially for DDoS attacks. To address this problem,we define fine-grained abnormality detection, which usesminimal fine-grained cross-layer information (i.e., destina-tion address, previous-hop MAC address).

Fine-grained cross-layer information provides the fol-lowing advantages: First, we can reduce noise traffic usingminimal network-layer (i.e., destination address) informa-tion. We call this Fine-grained Network layer Monitoring(F-NLM) scheme compared to Coarse-grained NLM(C-NLM) where only aggregate network layer informationis used. In F-NLM, the attack signature is captured basedon the traffic destined to each destination (i.e., we makean abnormality table indexed by destination address).We can rely on the destination address since attackers donot spoof destination address to achieve their goal. Asshown in Fig. 5, a monitoring node (inside the dotted cir-cle) can remove noise traffic that is destined to non-victimnodes. We call the noise traffic as forward noise.

Secondly, by using minimal information from MAC layer(i.e., previous hop MAC address), we can also drasticallyreduce noise traffic. As shown in Fig. 5, a monitoring node(inside dotted circle) can remove noise traffic that is notcoming from the same previous-hop MAC address as attacktraffic. We call the noise traffic as backward noise. We alsocall it Fine-grained MAC Layer Monitoring (F-MLM) schemecompared to Coarse-grained MLM (C-MLM) where onlyaggregate MAC layer information is used.

By using fine-grained information of both network andMAC layer (i.e., destination address, previous hop MAC

00.10.20.30.40.50.60.70.80.9

1

10% 50% 90% 130% 170%

Attack Percentage

Det

ectio

n Su

cces

s R

ate

FDM

MFDM

Pivot

Mpivot

Fig. 7. Detection success rate under fluctuating background traffic.

00.10.20.30.40.50.60.70.80.9

1

10% 50% 90% 130% 170%

Attack Percentage

Det

ectio

n Su

cces

s R

ate F D M

M F D M

P i v o t

M P i v o t

Fig. 8. Improvement in detection success rate with F-CM.


address), we can drastically reduce noise. We call this Fine-grained Cross-layer Monitoring (F-CM) scheme.

4.5. Performance analysis

In this section, we evaluate the performance of the pro-posed abnormality detection schemes. We use the follow-ing simulation environment. This simulation setting isused throughout this paper, unless otherwise noted. Wehave performed simulations using ns-2 and C code. Trans-mission range of each node is set at 150 m. We repeatedeach simulation 10 times using various random topologiesand calculated the average value. We set NoC (Number ofContacts) = 6, R (vicinity radius) = 3, r (contact distance) =3, d (search depth) = 5 for contact selection (refer toSection 7). DSDV is used as underlying routing protocol.Network size is 2750 m � 2750 m. The number of nodesis 1500 and the nodes are static (except in the mobilitysimulation section). Average node degree is 14. Attacktraffic is generated from random positions (in some casesclustered or spread as noted).

The performance of abnormality detection depends onthe following several factors: (1) Underlying backgroundtraffic. (2) Normal profile calculation method. (3) Thresholdvalue to detect abnormality. We varied each of the abovefactors and investigated its impact on the performance.

We say that the background traffic is ‘‘stable” if the var-iance of the background traffic is between 0% and 10% ofthe average background traffic. The attack percentage rep-resents the ratio of average attack traffic to the averagenormal traffic. FDM and MFDM use fixed normal profile cal-culation and fixed threshold of 0.5. MPivot varies thethreshold based on the standard deviation of the normaltraffic. Fig. 6 shows the detection success rate under stablebackground traffic, with the use of the F-MLM as abnormal-ity monitoring method. The Pivot and MPivot schemesshow 100% success rate consistently. On the other hand,FDM, and MFDM show low detection success rate when at-tack percentage is low. It is because of the use of fixedthresholds. More specifically, when the attack traffic vol-ume is small, it fails to capture the abnormality becausethe abnormality goes below the fixed threshold. There isnot much performance difference between using average

00.10.20.30.40.50.60.70.80.9

1

10% 50% 90% 130% 170%Attack Percentage

Det

ectio

n Su

cces

s R

ate

FDM

MFDM

Pivot

Mpivot

Fig. 6. Detection success rate under stable background traffic with F-MLM.

and moving average (i.e., EWMA) when the backgroundtraffic is stable.

Fig. 7 shows detection success rate under highly fluctu-ating background traffic. In fluctuating background traffic,the variance of background traffic is between 0% and100% of average background traffic. Pivot and MPivot showbetter performance than FDM and MFDM. The result issimilar to Fig. 6. However, EWMA ðb ¼ 0:8Þ causes approx-imately 10% lower performance, which is counterintuitive.It means that putting more weight on the recent data re-duces detection success rate. After careful investigation,we found that it is because recent short-term bursty trafficleads to high average normal profile, which leads to detec-tion failure with small abnormality.

Fig. 8 shows the detection success rate with F-CM underfluctuating background traffic. As expected, the detectionsuccess rate is largely improved by using F-CM since it fil-ters out a lot of noise traffic. More detailed evaluation of F-CM is given in the next section where the results consis-tently show the superiority of the cross-layer monitoringwith fine-grained information.

5. Abnormality characterization

Once abnormality is detected, the abnormality needs tobe characterized. We characterize the abnormality as time

Table 2Abnormality table using cross-layer information.

Destination_addr Sourse_MAC_addr Abnormality

1 2 nð1;2Þ1 3 nð1;3Þ


series data. That is, attack signature is defined by thesequence of number of frames in n. time slots, ða1; a2; . . . ;

anÞ, where aið1 6 i 6 nÞ is the number of frames at time sloti. Sampling window, D, is expressed as:

D ¼ n d; ð6Þ

where d is the time slot length.For fine-grained characterization, destination address,

and previous hop MAC address are used (Table 2). Thereis obvious tradeoff between coarse-grained and fine-grained characterization. When coarse-grained character-ization is used, space complexity for abnormality loggingbecomes O(1). However, abnormality matching and subse-quent traceback result becomes less accurate. On the otherhand, when fine-grained characterization is used, spacecomplexity becomes ðON �MÞ, where N is the number ofdestination network addresses and M is the number ofprevious hop source MAC addresses. N can grow to thenumber of nodes in the network, and M is the average nodedegree (number of direct neighbors). However, tracebackaccuracy is improved since we can reduce noise traffic, aswe shall show later in this section.

6. Abnormality searching

Once abnormality is characterized, abnormality match-ing is done between candidate attack signature and attacksignature. If the two signatures are closely matching, wecan infer the attack route. Following, we examine andcompare two techniques for signature matching: 1. trafficpattern matching and 2. KS-fitness test.

6.1. Traffic pattern matching

Traffic Pattern Matching (TPM) is defined in [12]. It usesthe correlation coefficient between two signatures at nodeA and B. When a signature observed at node A is given asða1; a2; . . . ; anÞ, and a signature observed at node B is givenas ðb1; b2; . . . ; bnÞ, the correlation coefficient is obtained asfollows:

rðA;BÞ ¼ 1nSASB

Xn

i¼1

ðai � AÞðbi � BÞ; ð7Þ

where

SA ¼

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi1n

Xn

i¼1

ðai � AÞ2vuut ; ð8Þ

SB ¼

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi1n

Xn

i¼1

ðbi � BÞ2vuut ð9Þ

and A and B are the averages of ða1; a2; . . . ; anÞ, andðb1; b2; . . . ; bnÞ, respectively. In case the correlation coeffi-cient rðA;BÞ is high (greater than 0.7), the signature at nodeA is said to match the signature at node B. Computationalcomplexity of TPM is O(n), where n is the number of obser-vation time slots.

6.2. KS-fitness test

We use the Kolmogorov–Smirnov (KS) statistic Dn totest the hypothesis that the two attack signature, FnðxÞ,and F0ðxÞ are matching. F0ðxÞ corresponds to the attack sig-nature, which is characterized by a victim and FnðxÞ is thecandidate attack signature, which is characterized by theintermediate nodes.

Dn ¼ supx½jFnðxÞ � F0ðxÞj�; ð10Þ

H0 : FnðxÞ ¼ F0ðxÞ;Ha : FnðxÞ–F0ðxÞ:

ð11Þ

We accept H0 if the distribution function FnðxÞ is suffi-ciently close to F0ðxÞ, i.e., if the value of Dn is sufficientlysmall. The hypothesis H0 is rejected if the observed valueof Dn is greater than the selected critical value that de-pends on the desired significance level and sample size.When the H0 is accepted (sufficiently similar), we can inferthat the abnormality is matching, meaning that the attacktraffic has traversed the region, where candidate attack sig-nature is observed. Computational complexity of KS-fitnesstest is O(nlogn) and it is not considered significant since wecan achieve good matching performance with reasonablesmall n (observation time slots). We will verify this inthe analysis section. In addition, traceback is initiated on-demand only when a device detects attack. Hence, theshort-term matching process should not affect scalability.

In case of DDoS attack, there is a subtle problem inusing KS-fitness test or TPM. DDoS attack is performedfrom multiple nodes. Partial attack traffic is merged atthe victim or intermediate nodes. Consequently, combina-tion of partial candidate attack signature from multipleincoming interfaces should be compared with the attacksignature to find the distributed attack routes. There canbe S number of combinations from K candidate ðL 6 KÞ par-tial attack signatures as follows:

S ¼Xi¼1

KK Ci: ð12Þ

In our scheme, the combination that shows the highestmatching level is selected as the branch paths of distrib-uted DDoS attack traffic.

Similar to abnormality detection and characterization,we use coarse-grained and fine-grained matching. Byreducing the noise with fine-grained information, we canincrease the matching accuracy. The noise can be reducedwith MAC address (previous-hop MAC address) and net-work address (destination) information.

For efficient and robust attacker searching, we use thesmall world model. Helmy [9] found that path length inwireless networks is drastically reduced by adding a fewrandom links (resembling a small world). These randomlinks need not be totally random, but in fact may be

V i c t i mL e v e l -1 c o n t a c tL e v e l -2 c o n t a c t

B o r d e r n o d eV i c i n i t y r a d i u sC o n t a c t d i s t a n c e

Fig. 9. Small world construction with multi-level contacts. Victim, v,selects level-1 contacts. Level-1 contacts select its level-2 contacts, and soon.


confined to small fraction of the network diameter, thusreducing the overhead of creating such network. Therandom links can be established using contacts [10]. Weextend the contact architecture to build a small world inwireless networks, to increase attacker searching effi-ciency, and to increase robustness against node compro-mise. Contact nodes are a set of nodes outside thevicinity, which are used as short-cut (random links) tobuild small world. Following, we describe small worldconstruction scheme.

Each node in the networks keeps track of a number ofnodes in its ‘vicinity’ within R hops away. This definesthe vicinity of a node. The vicinity information is obtainedthrough underlying routing protocol. Each node chooses itsvicinity independently, and hence no major re-configura-tion is needed when a node moves or fails. There is nonotion of cluster head, and no elections that require con-sensus among nodes.

On-demand, a victim node selects a set of contacts out-side its vicinity. The main purpose of contact nodes is to actas a short cut. Hence, it is important for contacts to havevicinity that does not overlap significantly with that ofthe victim node, V, or the other contacts of V. The vicinityoverlap occurs between the contact’s vicinity and the vic-tim’s vicinity. To reduce this overlap, victim node attemptsto push the request as far out from the victim’s vicinity aspossible. Let the borders of victim V be B (Fig. 9). V sends aquery to the number of contacts (NoC) through its bordernodes (denoted by B in Fig. 9). B constructs a topology viewup to R hops away using its own vicinity information, andchooses a border in its vicinity that has maximum distanceto V. V also selects NoC borders with maximum separationto reduce route overlap. This is done using vicinity infor-mation [10].

The above contact selection scheme provides a mecha-nism to select NoC contacts that have distances up toRþ r hops away from V. We call these contacts level-1contacts. To select farther contacts (contact of contact), thisprocess is further repeated as needed at the level-1 con-tacts, level-2 contacts and so on, up to a number of levels

called maxDepth, D. Detailed evaluation of this generalarchitecture is given in [10].

Our contact selection and search policy have the follow-ing important distinctions from [10]: (1) Contacts are ran-domly selected every time it launches search to preventthe divulgence of contact information to attackers. Thatis, if contact nodes for a victim are fixed, an attacker mayattempt to compromise the fixed contact nodes to disabletraceback. To reduce this risk, we select the contactsrandomly. (2) The contacts in our protocol perform in-net-work processing to check whether attack traffic istraversed through vicinity nodes or not. (3) We performdirectional search in which the searching process is direc-ted towards only the attacker(s) to reduce communicationoverhead. Directional search becomes possible throughquery suppression, in which contacts that do not observematching abnormality in their vicinity suppress furtherqueries. (4) Our contact selection is independent of anyspecific routing protocols.

The attack traffic may not have traversed the contactsthemselves but may have traversed nodes in their vicinity.To find region through which attack traffic has traversed,we define attack signature energy. Attack signature energyincorporates abnormality matching level, geographiccloseness, and majority voting factor, as we shall show inour evaluation section. Use of attack signature energy pro-vides robustness against node compromise, accurate attackroute selection, and robustness against bursty backgroundtraffic. Basically, we choose the region that shows high at-tack signature energy as attack path. Attack signature en-ergy is divided into three classes: individual signatureenergy, local signature energy, and global signature energy.

6.2.1. Individual attack signature energyEach contact gathers individual attack signature energy

from nodes in its vicinity. The individual attack signatureenergy is defined as follows.

EiðDtÞ ¼ 1DiðDtÞ ; ð13Þ

where DiðDtÞ is the inverse of abnormality matching levelbetween candidate attack signature and attack signature.Hence, DnðDtÞ becomes small when there is high abnor-mality matching between attack signature and candidateattack signature during timeframe Dt. Individual signatureenergy is affected by noise traffic (i.e., background traffic).

The individual attack signature energy concept can bedirectly applied to DoS attacker traceback. However, incase of DDoS attack, the individual attack signature energycan not be directly applied since multiple partial attacksignatures are merged at either victim or intermediatenodes. Hence, the protocol first identifies branch attacksignature and applies the individual attack signature en-ergy concept. As was mentioned in Section 6.2, branch at-tack signature is identified by finding a combination ofcandidate attack signatures which shows the highestmatching level with the attack signature or branch attacksignature. For instance, when there are multiple candidateattack signatures, ðw1;w2;w3; . . . ;wNÞ in multiple contactregions, we select k out of N candidate attack signaturewhich shows the highest matching level with v. Then those

00.10.20.30.40.50.60.70.80.9

1

10 30 50 70 90 110 130 150 170 190Signature Timeframe (ST) Size

Mat

chin

g Le

vel

N=0N=0.1N=0.2N=0.3N=0.4N=0.5

Fig. 10. Impact of time asynchronization on abnormality matching test(with TPM).


k candidate attack signature become a branch attack signa-ture. Then, traceback process proceeds like DoS attackertraceback case with each branch attack signature.

6.2.2. Local attack signature energyGiven individual attack signature energy, a contact cal-

culates the local attack signature energy as follows:

LEðDtÞ ¼Eu

1=2ðDtÞl1=2

; ð14Þ

where Eui ðDtÞ is the median of the individual attack signa-

ture energy observed by the vicinity nodes of contact u.l1=2 is the median distance (in hops) between contactand the nodes that observe similar abnormality. The rea-son that we use median value instead of average is to pre-vent negative impact of false report from malicious orcompromised node on LEðtDtÞ. In addition, LEðtDtÞ shouldsatisfy the following condition.

a ¼ nN> d; ð15Þ

where a is the voting factor, N is the total number of vicin-ity nodes of the contact, and n. is the number of nodes thatobserve abnormality. When a is extremely low, we can in-fer that there is high chance of false reporting. The regionsaround the victim and relay nodes of the attack trafficshould show high LEðtDtÞ. The local signature energy is af-fected by the percentage of nodes observing the signatureenergy, median distance from contact, and median individ-ual signature energy in the contact region. Intuitively, wecan infer the attacker origin or attack traffic route wherehigh local attack signature energy is observed.

If we use only network layer information, a becomeslow. It is because only intermediate nodes that relay attacktraffic observe abnormality. Consequently, it has weaknessagainst node compromise and mobility. On the other hand,if we use MAC layer information or cross layer information,a becomes high since neighbor of relay nodes can alsooverhear the abnormality, which drastically increasesrobustness against node compromise and mobility.

Attacker may try to maliciously use the searching pro-cess to launch DoS attack which we are aiming to protect.However, since we are taking directional searching, querysuppression, and majority voting, attacker’s malicioussearching query will be confined in local area. To furtherprotect searching query/response messages, we can con-sider authentication of the messages. However, theauthentication process is out of the scope of this paper.

6.2.3. Global attack signature energyTo systematically analyze how mobility affects trace-

back performance, we define the global attack signatureenergy. Global attack signature Energy (GE) is defined asfollows:

GEðDtÞ ¼Xn

i¼1

EiðDtÞ; ð16Þ

where n is the total number of nodes that observe highabnormality matching around the attack route(s). This

metric provides useful information to analyze mobilityeffects on traceback performance, but is not used in ourprotocol per se because it is centralized.

6.3. Performance analysis

We evaluate the previous two schemes for signaturematching to assess their abnormality detection ability.Abnormality characterization has the following twoparameters: (1) unit monitoring window: this is the atom-ic time window during which abnormality is monitored,and (2) total monitoring time window. This is the aggrega-tion of unit monitoring windows. We use Signature Time-frame (ST) size to denote total number of unit monitoringwindows.

Fig. 10 shows the impact of time asynchronization be-tween attack signature and candidate attack signature onmatching test with TPM. Asynchronization occurs since at-tack signatures are monitored from geographically spreadlocations on the attack route. N represents the degree oftime asynchronization. For instance with N = 0.5%, 50% ofattack signatures are asynchronized. As time asynchroni-zation degree becomes larger, the matching level becomeslower in TPM (in general, it is considered ‘‘closely match-ing” if correlation coefficient (i.e., matching level) is at orabove 0.7).

Unlike TPM-based matching test, KS-fitness test doesnot show negative impact by time asynchronization asshown in Fig. 11. That is, the distance in KS-fitness test isalways below threshold. It is because KS-fitness test usesstatistical abnormality distribution instead of time-seriesabnormality data.

Fig. 12 shows correlation between unit monitoringwindow and time asynchronization. We used N ¼ 0:5 torepresent the worst time asynchronization case. L repre-sents the size of unit monitoring window. The negativeimpact of time asynchronization is reduced when the unitmonitoring window is larger. It is because short-termabnormality outlier can be smoothed out with larger unitmonitoring window. However, the obvious disadvantageof larger unit monitoring window is its delay in abnormal-ity characterization.

0

0. 1

0. 2

0. 3

0. 4

0. 5

0. 6

0. 7

0. 8

0. 9

1

10 40 70 100 130 160 190

Signature Time fram e (ST) Size

Mat

chin

g Le

vel

N=10 N=20

N=40 N=60

Fig. 12. Impact of unit monitoring window on matching test (with TPM).

0

0. 05

0. 1

0. 15

0. 2

0. 25

0. 3

0. 35

0. 4

10 30 50 70 90 110 130 150 170 190

Signature Timeframe (ST) Size

Dis

tanc

e

Threshold (a=0.1)

N= 10

N= 20

N= 40

N= 60

Fig. 13. Impact of unit monitoring window on matching test (with K–Stest).

00. 10. 20. 30. 40. 50. 60. 70. 80. 9

1


Mat

chin

g Le

vel

High BurstinessMedium BurstinessLow Burstiness

Fig. 14. Impact of background traffic on abnormality matching test (withTPM).

0

0. 05

0. 1

0. 15

0. 2

0. 25

0. 3

0. 35

0. 4


Dis

tanc

e

N=0N=0.1N=0.2N=0.3N=0.4N=0.5Threshold(a=0.1)

Fig. 11. Impact of time asynchronization on abnormality matching test(with K–S test).

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4


Dis

tanc

e

High BurstinessMedium BurstinessLow BurstinessThreshold(a=0.1)

Fig. 15. Impact of background traffic on abnormality matching test (withK–S test).


Under the same situation as Fig. 12, KS fitness test inFig. 13 constantly shows good performance (i.e., belowthreshold of 0.1), regardless of unit monitoring windowsize. It is because K–S test uses statistical abnormality

distribution instead of time-series data. Hence, delay inabnormality characterization can be avoided.

Fig. 14 shows the impact of various background trafficon the TPM level. Unlike our initial expectation, larger STsize showed lower performance. More specifically, whenhigh bursty traffic exists under large ST size, traffic match-ing level drastically goes down (0.32 with ST size of 190). Itis because there is more chance that the short-term bursti-ness is included in the attack signature as ST size isincreased.

Fig. 15 shows the impact of various background trafficon KS fitness test. We observed high matching level (i.e.,below threshold of 0.1) regardless of ST size. It is becauseabnormality distribution statistics is not affected by smallamount of deviation from the reference profile.

Fig. 16 shows the false positive in abnormality match-ing test with KS test. We compare the distance between(1) attack signature and candidate attack signature withMLM, (2) attack signature and normal traffic with MLM,(3) attack signature and normal traffic with F-MLM, (4)attack signature and normal traffic with F-NLM, and (5)attack signature and normal traffic with F-CM. Originally,we expected that KS-fitness test would show high false

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

10% 60% 110% 160%

Attack Percentage

Dis

tanc

e

Thresho ld

no rmal(M LM )

no rmal(F-M LM )

no rmal(F-N LM )

no rmal(F-C M )

Fig. 16. False positive by normal bursy traffic.

0

2000

4000

6000

8000

10000

12000

14000

484 1089 1936 3025

Number of nodes

Com

mun

icat

ion

over

head

Flooding

DirectionalSearch

Fig. 17. Comparison of communication overhead in DoS attack.

0

2000

4000

6000

8000

10000

12000

14000

484 1089 1936 3025

Number of nodes

Com

mun

icatio

n ov

erhe

ad

flooding

4 attackers (Relay node-based)

6 attackers (Relay node-based)

4 attackers (Majority voting)

6 attackers (Majority voting

Fig. 18. Comparison of communication overhead in DDoS attack (DS:Directional Search).

0

20

40

60

80

100

120

140

160

5 10 15 20 25

Hop count between attacker and victim

Nec

essa

ry c

ompr

omis

e co

unt

Relay node-based(N=4 orN=8)

Majority voting(D=4)

Majority voting (D=8)

Fig. 19. Robustness against node compromise.


positive rate since it shows low false negative rate. How-ever, KS-fitness shows low false positive rate, i.e., most ofbursty normal traffic is far above threshold.

Based on the analysis, we can conclude that KS fitnesstest far outperforms TPM for abnormality matching test.There is one exceptional case where KS fitness test canshow low performance. It when both signatures (i.e., attacksignature, and candidate attack signature) show the samestatistical characteristics (i.e., same average, variance,etc.) even if its time-series characteristics is different. Un-der such scenario, we cannot differentiate between attacktraffic and normal bursty traffic, which may lead to falsepositive. However, this is extremely rare case as we can in-fer from Fig. 16.

We estimates communication overhead (the number oftransmitted/received packets) to trace back an attacker inFig. 17. A victim is located at the center of network andan attacker is located at random positions (17 hops away)on the edge of the network. In flooding, query messagewith attack signature is flooded to the entire network. Con-sequently, communication overhead drastically increasesas network size increases. On the other hand, our schemeshows very low communication overhead (22% with net-work size of 3025 nodes) compared to flooding since it de-ploys directional search and query suppression to reducecommunication overhead. Note that the energy savingbecomes more significant as the network size increases.

Similar to the DoS case, our scheme incurs low commu-nication overhead in DDoS traceback. In the simulations, avictim is located at the center of the network and attackersare located at random positions at the edges of the network(average of 10 hops away). As the number of attackersincrease, communication overhead to search distributedattackers also increases. However, compared with flood-ing-type query, our scheme incurs lower communicationoverhead (52% reduction with 4 attackers and 3025 nodes)than flooding as shown in Fig. 18. Note that the number ofattacker does not affect flooding-type query overheadsince it is flooded to the entire network anyway. Theimprovement becomes significant as the network sizeincreases.

Fig. 19 shows the number of nodes around the attackroute(s) that observes attack signature. To avoid traceback,attacker needs to compromise the observers. Generaltraceback schemes (e.g., PPM, iTrace, logging, etc) rely onlyon the intermediate nodes that relay the attack traffic fortraceback. On the other hand, our scheme (e.g., MLM,F-CM) tracks down attackers by utilizing the informationfrom overhearing nodes around the attack route(s). Whennode density (D: average number of nodes within trans-mission range) increases, more nodes (approximately

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

10% 20% 30% 40% 50%

Percentage of nodes that generate backgroundtraffic

Trac

ebac

k su

cces

s ra

te

F-MLMF-CM

Fig. 21. DoS attacker traceback success rate comparison between F-MLMand F-CM.

00.10.20.30.40.50.60.70.80.9

4 6 8 10 12Average numberof one-hop neighbor

Trac

ebac

k su

cces

s ra

te

C-MLMF-MLM

Fig. 22. DDoS Attacker traceback success rate comparison between C-MLM and F-MLM.


700% increase with D = 8 and 5 hop distance) are able tooverhear the attack signature, which drastically increasesthe robustness against node compromise.

7. Overall attacker traceback

We compare traceback success rate for DoS and DDoSattacker traceback. Traceback success is defined as theevent of identifying all the attack origins that generatedthe attack traffic. We use the Kolmogorov–Smirnov (K–S)fitness test for abnormality matching.

We set up a simulation network size of 2750 m �2750 m with transmission range of each node set to150 m and about 20 hops network diameter. We repeateach simulation 10 times in random topology with 1000–3000 static nodes and calculate the average value. We alsoset NoC (Number of Contacts) = 6, R (vicinity radius) = 3, r(contact distance) = 3, d (search depth) = 5 for contactselection. DSDV is used as underlying routing protocol.DoS attacker is 17 hops away from a victim, and DDoSattackers are 10 hops away from a victim.

Fig. 20 shows success rate for DoS attacker tracebackwith C-MLM and F-MLM. F-MLM shows higher success rate(Average 20% higher than C-MLM). The improvement be-comes significant as background traffic is increased. It isbecause F-MLM uses fine-grained information (i.e., previ-ous-hop MAC address). Fig. 21. shows further improve-ment (100% success rate) when we use F-CM since weuse network layer information to filter out more back-ground noise traffic. Figs. 22 and 23 show success ratefor DDoS attacker traceback with 25% of background traf-fic. C-MLM shows low performance since branch attacktraffic has low abnormality. F-MLM shows high successrate when average number of one-hop neighbor is large.However, when average number of one-hop neighbor issmall (<4), traceback success goes down in even F-MLM.It is because more noise (i.e., background traffic) is carriedover the link where the attack traffic passes.

In Fig. 23, the success rate drastically increases (Average51%) by using fine-grained network-layer information (i.e.,destination address) in addition to fine-grained MAC-layer

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

10% 20% 30% 40% 50%Percentage of nodes that generate background

traffic

Trac

ebac

k su

cces

s ra

te

C-MLMF-MLM

Fig. 20. DoS attacker traceback success rate comparison between C-MLMand F-MLM.

information. It is because network layer information canfilter out most of the noise traffic.

8. Traceback-aided countermeasures

Existing countermeasures against DoS/DDoS attack canbe broadly classified into two classes: packet filtering, andrate limiting. Current techniques against DoS/DDoS attackhave the following drawbacks: (1) The countermeasure istaken at the nodes where the attack is detected. For in-stance, it is taken at the ingress points of the victim net-work. However, it is inefficient since the attack trafficexhausts valuable network/host resources of intermediatenodes. (2) Packet filtering is challenging since it is hardto distinguish between bad and good traffic. Legitimatetraffic can experience sudden QoS degradation due topacket filtering. (3) In rate limiting, it is hard to knowhow much the applied rate limit should be to strike a bal-ance between dropping attack traffic and saving legitimatetraffic.

We propose a countermeasure which effectively makesuse of traceback information. Basically, our countermea-sure finds the closest node where the attack occurred

00.10.20.30.40.50.60.70.80.9

1

4 6 8 10 12Average number of one-hop neighbors

Trac

e ba

ck s

ucce

ss ra

te

F-CMF-MLM

Fig. 23. DDoS attacker traceback success rate comparison between F-MLM and F-CM.

MinCIThresh MaxCIThresh

MaxP

1.0

P(drop)

CI

Rate limiting

Packet filtering

Fig. 24. Hybrid countermeasure.

0

50

100

150

200

250

10% 30% 50% 70% 90%

Attack Percentage

Dro

pped

Pac

ket C

ount

Fixed

CI-based

Fig. 25. Dropping efficiency of attack traffic.


and takes countermeasure based on abnormality matchinglevel. We also use cross-layer information (i.e., destinationaddress, previous MAC address), to increase countermea-sure efficiency. More specifically, using cross-layer infor-mation, we reduce negative impact on legitimate trafficand increase packet-dropping efficiency on attack traffic.Basically, our scheme can be considered as a hybridscheme between packet filtering and rate limiting. Thatis, when abnormality matching level is high, we applypacket filtering. On the other hand, when abnormalitymatching is medium/low level, we apply rate limiting. Todetermine a reasonable rate limiting level under med-ium/low matching level, we use a Confidence Index (CI).CI is the inverse of normalized matching level as follows:

CI ¼ 1normðDnÞ

: ð17Þ

The rate limiting level (P is determined through the follow-ing equation:

P ¼ MaxP CI �MinCIThreshMaxCIThresh�MinCIThresh

ð18Þ

MaxP, MinCIThresh, and MinCIThresh are parameters se-lected based on the design policy (see Fig. 24). For instance,high MaxP(>0.7) shall be selected to sharply increase therate limiting effect between MinCIThresh and MaxCIThresh.When CI is very high it reduces to packet filtering since itimplies that there is no background traffic. On the otherhand, when CI is medium/low, it becomes rate limitingbased on CI level to reduce negative impact on the legiti-mate traffic. The advantage of using CI-based rate limitingover fixed rate limiting is multifold: (1) When CI is low,only small amount of traffic (both attack and legitimatepacket) are dropped. Even if we cannot drop much attacktraffic in such case, it does not decrease countermeasureefficiency since there exist only small amounts of attacktraffic (perhaps part of DDoS attack). On the other hand,when CI is high, many packets are dropped. Even if morelegitimate packets are also dropped, its negative impactis not significant since, there exists only small amount oflegitimate traffic. We shall investigate our insight furtherthrough simulations later in this section.

To further alleviate QoS degradation of legitimate trafficunder the countermeasure, we use cross-layer information.That is, traffic is classified into several classes based on thefine-grained information. When one class (e.g., previousMAC address X, and destination network address Y) of traf-fic is identified as highly matching candidate attack traffic,we apply rate limiting to the class based on the CI value.

To measure countermeasure efficiency, we define theLPP as follows.

LPP ¼ ðSurvived legitimate trafficÞ� ðDropped attack trafficÞ: ð19Þ

A high LPP value indicates that a large amount of attackpackets are blocked and small amount of legitimate pack-ets are dropped. On the other hand, a low LPP value indi-cates that a large amount of legitimate packets aredropped and small amount of attack packets are blocked.

We evaluate the performance of our traceback-assistedcountermeasure scheme. We measure the dropped packetcount (Fig. 25), survived legitimate packet count (Fig. 26),and LPP (Eq. (19)). We compare our scheme with fixed-rate(i.e.,0.5) packet filtering countermeasure scheme, in whichpackets are dropped with a given rate under DoS/DDoSattack. As shown in Fig. 25, our scheme shows drasticincrease in the attack packet dropping as attack percentageincreases (400% higher than fixed scheme). It is becauseabnormality matching level (i.e., confidence index, CI)

0

50

100

150

200

250

300

10% 20% 30% 40% 50% 60% 70% 80% 90%

Attack Percentage

Surv

ived

Leg

itim

ate

Pack

ets

Fixed

CI-based

Fig. 26. Comparison of legitimate traffic survival rate.

0

5000

10000

15000

20000

25000

10% 30% 50% 70% 90%Attack Percentage

LPP

Fixed

5 Neighbors

6 Neighbors

7 Neighbors

8 Neighbors

9 Neighbors

10 Neighbors

Fig. 27. LPP improvement.

T2T1T0

2 1

0

(a) Temporal continuity (Attribute Tc)

T2T1T0

2

1

(b) Temporal discontinuity (Attribute Td)

Fig. 28. Three attributes of the temporal T-domain.


increases as attack percentage increases. Consequently,more attack packets can be dropped. Fig. 26 shows thenumber of survived legitimate packets. When attack per-centage is low, more legitimate packets survive becausematching level is low. On the other hand, only a smallnumber of legitimate packets survive when attack percent-age is high, since more packets are dropped due to highabnormality matching level. However, the negative impactis not significant (1.4% less survival rate than fixed schemeat 90% attack percentage) because there is only smallamount of legitimate traffic when abnormality matchinglevel is high. Overall, we can say that the positive impactfar exceeds the negative impact with our scheme.

In Fig. 27, we measured LPP with fine-grained informa-tion (i.e., F-CM) with varying number of one-hopneighbors. LPP shows drastic increase with CI-based coun-termeasure scheme. More specifically, LPP increasesapproximately 110% with CI-based countermeasure com-pared to the scheme without using CI information (i.e., fixedscheme). It is because we can drop attack traffic moreaggressively when there is more attack traffic.

9. Systematic RISK analysis of mobile attacks

Mobility poses several challenges for attacker trace-back. First, the attacker(s) can maliciously exploit mobility

to avoid traceback, and increase attack efficiency. Second,mobility of intermediate and victim nodes can degradetraceback performance even without malicious intention.To systematically analyze how mobility can affect trace-back performance, we take a multi-dimensional approach.In this approach, mobile multi-hop network domains areclassified into multiple dimensions: (1) temporal transitiondomain, (2) spatial transition domain, (3) address domain,(4) area domain, and (5) the node coordination domain.These domains were selected after a careful process. Weshow that the combination of each domain attributes canidentify a class of attack scenarios with a unique risk inmobile multi-hop networks.

9.1. Mobile multi-hop network domains

9.1.1. Temporal transition domain (T-domain)The T domain defines the temporal relation among at-

tack traffic observed at different location. T domain con-sists of three attributes: temporal continuity ðTcÞ,temporal discontinuity ðTdÞ, and temporal randomnessðTrÞ as described in Fig. 28. T0, T1, and T2 are the time slotsduring which the attack is observed. In Fig. 28a, attack sig-natures n1; n2, and n3 are observed at T0; T1, and T2 timeslots continuously (Temporal continuity). On the otherhand, temporal discontinuity is observed in Fig. 29b. Theattack signatures (n1, and n2) are observed at discontinu-ous time slots at T0 and T2.

9.1.2. Spatial transition domain (S-domain)S-domain defines spatial relation among attack occur-

rence. S-domain has three attributes: (1) spatial continuityðScÞ (2) spatial discontinuity ðSdÞ (3) spatial randomnessðSrÞ. For instance, in mobile DoS attack, the attack signatureis observed in a spatially continuous manner (Fig. 29a). Ingeneral, spatial discontinuity is observed in DDoS attack asin Fig. 29b. Note that DDoS attack can also show spatialcontinuity. In that case, we can distinguish between DDoSattack and mobile DoS attack using temporal relation (i.e.,T-domain).

9.1.3. Address domain (AD-domain)An attacker can perform malicious attack by spoofing,

sometimes using multiple addresses. Some possible attackscenarios include (1) single random address ðADsrÞ (2) mul-tiple random addresses ðADmrÞ (3) targeted single address

Fig. 29. (a) Spatial continuity of mobile DoS attack. Attacker, A, is movingfrom right to left attacking victim V. (b) Spatial discontinuity of DDoSattack. Attackers, A1, A2, and A3 are launching attacks towards victim V.Each cell logically corresponds to a contact vicinity.


ðADstÞ, and (4) targeted multiple addresses ðADmtÞ. Unlikefixed networks, the address is not fixed in mobile multi-hop networks. An attacker can easily use false, changingaddresses.

9.1.4. Area domain (A-domain)In mobile multi-hop networks, an attacker can choose

its location freely, where an attacker can choose: (1) singlerandom area ðAsrÞ (2) multiple random area ðAmrÞ (3) tar-geted single area ðAstÞ (4) targeted multiple areas ðAmtÞ.

9.1.5. Node coordination domain (N-domain)Coordination of multiple nodes can lead to serious con-

fusion to a victim. Coordination maybe: (1) temporal coor-dination of compromised nodes ðNtÞ, or (2) spatialcoordination of compromised nodes ðNsÞ.

9.2. Mobile attack identification

Using various combinations of domain assignments wecan identify numerous attack scenarios and assess theirrisks. We define the combinational set as the set of minimalnecessary entities in mobile network domains/attributes toperform certain attack. We identify some of the attack sce-narios in this section. Note that these are five example at-tacks to show the usefulness of the combinational-setbased approach and not exhaustive set of all attackscenarios.

9.2.1. Mobility misuse (MM) attackMM is the simplest form of attack exploiting mobility.

In the MM attack, attacker sends attack traffic continu-ously to a victim. To avoid traceback, the attacker con-stantly changes its location. The MM attack has thefollowing domain setting:

MM Domain Setting ¼ fTc; Sc;Amrg:

As a result of the MM attack, a victim can be confused be-tween DDoS attack and mobile attack. Without consideringattacker’s mobility, existing traceback schemes will inferthat attack traffic is coming from distributed locations,which leads to false positive in distributed nodes.

9.2.2. Mobility and address misuse (MAM) attackIn MAM attack, an attacker sends attack traffic continu-

ously to a victim. To avoid traceback, attacker changes notonly its location but also it address.

MAM Domain Setting ¼ fTc; Sc;ADmr;Amrg:

Similar to MM attack, a victim will be confused betweenDDoS attack and mobile attack. In addition, since the at-tacker changes its address, some preventive techniquessuch as firewalls or filtering become useless.

9.2.3. False mobility generation (FMG) attackIn FMG attack, the attackers intentionally generate false

mobility. That is, the attack is performed from multiplenodes with spatial and temporal continuity.

FMG Domain Setting ¼ fTd; Sc;Ns;Ntg

A traceback mechanism capable of detecting mobile attack(e.g., MM attack) may be misled by FMG attack. That is,even if the attack is launched from distributed nodes, a vic-tim might conclude that attacker is moving and perform-ing MM attack.

9.2.4. Distributed blinking (DB) attackThe drawback of FMG attack is that the continuity of the

attack is detectable. To overcome this, DB attack can beperformed by an attacker. In DB attack, the attackercompromises multiple nodes and performs the attack fromdistributed random nodes at random times. Attack islaunched with spatial/temporal transition randomness.

DB Domain Setting ¼ fTr; Sr;Ns;Ntg:

From victim’s point of view, attack traffic comes from ran-dom location for short period of time. However, bulk attacktraffic comes continuously to a victim since multiple nodesare compromised.

9.2.5. Disabling targeted area (DTA) attackIn DTA attack, the attacker is aware of the countermea-

sure after traceback process. The attacker intentionallygenerates attack traffic near targeted area where attackerwants to disable or harm networking through expectedcountermeasure (e.g., packet filtering, or rate limiting).Attacker launches attack at targeted area.

DTA Domain Setting ¼ fTc;Astg:

Once the traceback mechanism identifies the attack ori-gin(s), countermeasures are taken near those origin(s).However, since the attacker may intentionally choose theattack origin, legitimate traffic may also be dropped bythe countermeasure.

10. Impact of legitimate mobility on traceback

Legitimate mobility of nodes can affect traceback per-formance. The negative impact of legitimate node mobilityoccurs due to the following factors:

� Reduction of witness nodesIntermediate nodes thatobserve abnormality (i.e., witness nodes) can moveaway from the attack route(s). The problem can becomeworse when we rely only on intermediate nodes thatrelayed the attack traffic. Once the relay nodes moveaway from the attack route, the traceback cannotproceed after that point. By using MAC or cross-layer


monitoring, we can reduce the negative impact by inter-mediate node mobility since we can use multiple nodesaround the attack route that stay and overhear theabnormality.

� Abnormality mismatchingFor traceback, we need to findintermediate nodes that observe similar attack signature(i.e., high signature matching level). However, duringattack period, new nodes can move into the attack route,which can reduce signature matching level due to insuf-ficient abnormality monitoring.

To systematically analyze how mobility affects trace-back performance, we use the Global signature Energy(GE). GE is defined in Eq. (16), and provides useful informa-tion in analyzing how mobility affects traceback perfor-mance. We further define Relative attack signatureEnergy (RE) as follows:

REðDtÞ ¼ GEdynamicðDtÞGEstaticðDtÞ

: ð20Þ

GEstaticðDtÞ represents GEðDtÞ without mobility, andGEdynamicðDtÞ represents GEðDtÞ with mobility during giventime duration, Dt. REðDtÞ is affected by the mobility model.When REðDtÞ is low, attacker traceback becomes difficultsince attack signature energy around attack route is re-duced due to high node mobility.

In the following sections, we define mobility metrics tosystematically analyze how mobility affects traceback per-formance. Some of metrics are borrowed from our group’searlier work [2].

10.1. Mobility metrics10.1.1. Directional correlation (DC)

DC is defined as follows:

DCði; j; tÞ ¼~v iðtÞ ~v jðtÞj~v ij � j~v jj

; ð21Þ

where ~v iðtÞ and ~v jðtÞ are the velocity vectors of nodes i andj at time t. High DC implies, two nodes i and j are moving inthe same direction. One the contrary, low DC implies twonodes i and j are moving in opposite directions.

10.1.2. Speed correlation (SC)SC is defined as follows:

SCði; j; tÞ ¼ minðj~v iðtÞj; j~v jðtÞjÞmaxðj~v iðtÞj; j~v jðtÞjÞ

: ð22Þ

High SC implies that two nodes i and j are moving withsimilar speed. One the contrary, low DC implies two nodesi and j are moving at different speed.

10.1.3. Geographic restriction (GR)Geographic restriction represents the degree of freedom

of node movement on a map. More specifically, the degree offreedom represents the number of directions a node can go.

10.1.4. Reference restriction (RR)Reference restriction represents the degree of freedom

of reference point nodes. When all the nodes are going tothe same reference point, high RR is observed.

10.2. Mobility dependence

By using the mobility metrics defined above, we canfurther define mobility dependence among nodes oramong groups of nodes as follows:

10.2.1. Mobility dependence between attacker and victimWe define mobility dependence between attacker and

victim as follows:

MDða; v; tÞ ¼ DCða;v ; tÞ � SCða;v ; tÞ: ð23Þ

When attacker ðaÞ and victim ðvÞ have high directional cor-relation and speed correlation, mobility dependence be-comes high.

10.2.2. Mobility dependence among intermediate nodesMobility dependence between intermediate nodes is

defined as follows:

MDði; i0; tÞ ¼ DCði; i0; tÞ � SCði; i0; tÞ: ð24Þ

When intermediate nodes (i and i0Þmove in a similar direc-tion with similar speed, the mobility dependence becomeshigh. Mean mobility dependence among nodes N duringtime duration T is also defined as follows:

MDðiÞ ¼PN

i¼1

PTt¼1

PTt0¼1MDði; i0; tÞP

: ð25Þ

10.2.3. Mobility dependence among attacker, intermediate,and victim

MDða; v; i; tÞ ¼ MDða;v ; tÞ �MDðiÞ: ð26Þ

When attacker, victim and intermediate nodes are movingin a similar direction with similar speed, the dependencebecomes high.

We note that mobility can affect traceback performance.Different mobility models have different characteristics(i.e., high/low DC, SC, GR, RR). To analyze the impact ofmobility on traceback performance, we perform numeroussimulations with the group and freeway mobility models[2] that encompass various mobility characteristics of DC,SC, GR and RR. To focus on the mobility related effects, wedo not generate background traffic in these simulations.

10.2.4. Reference point group mobility (RPGM) modelThe RPGM model is defined in [2,3]. Each group has a

logical center (group leader) that determines the group’smotion behavior. Initially, each member of the group isuniformly distributed in the neighborhood of the groupleader. Subsequently, at each instant, every node has aspeed and direction (angle) that is derived by randomlydeviating from that of the group leader. RPGM model canbe used in military battlefield communications where thecommander and soldiers form a logical group.

Fig. 30 shows REðDtÞ (Eq. (20)) of RPGM model with sin-gle group (angle deviation of 20). It shows high REðDtÞ(0.99 with 10 ST), which implies that high attack signatureenergy is observed on the attack route even under highmobility. Consequently, negative impact of mobility is neg-ligible in RPGM with single group. It is because RPGM

00.10.20.30.40.50.60.70.80.9

1

10 20 30 40 50

Max.Speed (m/sec)

Rel

ativ

e en

ergy

rate

10 S T

20 S T

30 S T

40 S T

50 S T

Fig. 32. Relative attack signature energy rate with the freeway model(attacker and victim on the same lane).

0.6

0.7

0.8

0.9

1

ergy

rat

e

10 S T

20 S T


model with single group has high mobility dependency(i.e., high MD(a,v,i,t)) among attacker, victim and interme-diate nodes. As Signature Timeframe (ST) increases, REðDtÞis slightly decreased. It is because there is a higher chancethat some nodes move out/in from attack route during alonger timeframe. In addition, it shows lower REðDtÞ whenspeed is high. It is because a few intermediate nodes canmove out from overhearing range deviating from the refer-ence points (group leader).

Fig. 31 shows RPGM model with single and multiple(i.e., 4) groups with 10 ST. RPGM with 4 group shows lowerREðDtÞ (Avg. 32% reduction) than single group case. It is be-cause DC and SC among groups are low and RR is looseamong groups. In RPGM model, there is no geographicrestriction (GR). RPGM model with 4 groups also showslower relative energy rate when speed is high due to thesame reason as single group case.

10.2.5. Freeway modelThe freeway model is introduced in [2]. Fig. 32 shows

REðDtÞ in freeway model when attacker and victim are onthe same lane. Relative energy rate shows medium value(�Average 0.5) and consequently traceback performanceis relatively good in freeway model when attacker and

0.50.550.6

0.650.7

0.750.8

0.850.9

0.951

10 20 30 40 50Max.Speed (m/sec)

Rel

ativ

e en

ergy

rate

10 ST20 ST30 ST40 ST50 ST

Fig. 30. Relative attack signature energy rate with various SignatureTimeframe (ST) size for the RPGM (single group) mobility model.

0.5

0.55

0.6

0.65

0.7

0.75

0.8

0.85

0.9

0.95

1

10 20 30 40 50

Max. Speed (m/sec)

Rel

ativ

e en

ergy

rat

e RPGM(1Group)

RPGM(4Group)

Fig. 31. Relative attack signature energy rate with 1 group RPGM modeland 4 group RPGM model.

0

0.1

0.2

0.3

0.4

0.5

10 20 30 40 50

Max.Speed (m/sec)

Rel

ativ

e en 30 S T

40 S T

50 S T

Fig. 33. Relative attack signature energy rate with freeway model(attacker and victim on the opposite lane).

victim exist on the same lane. It is because of high mobilitydependency (MD) among attacker, intermediate and vic-tim on the same lane. However, the relative energy rateis not as high as RPGM model since high DC and SC are ob-served only in the intermediate nodes on the same lane. Onthe other hand, traceback performance is drastically de-graded (�Average 0.18 of REðDtÞ when attacker and victimare on the opposite direction (i.e., low MD) as shown inFig. 33. High GR in freeway model leads to constantREðDtÞ across diverse ST size.

11. Mobile attacker traceback

In this section, we propose a mobile attacker tracebackscheme. Our scheme consists of: (1) information gathering,and (2) information fusion processes.

11.1. Information gathering

Information gathering in mobile attacker traceback hasthe following features: (1) In addition to traceback infor-mation used in static attacker traceback, age informationis gathered by contact nodes. More specifically, spatio-temporal attack signatures ðn; tS; tL;SÞ are gathered. n is


candidate attack signature, S is the relative position of at-tacker (e.g., 2 hops away from level-1 contact i), tS is thestart time of (or time since) abnormality and tL is the last(or most recent) time when abnormality is observed. Thisspatio-temporal attack signature is effectively used to clas-sify attack type (e.g., DDoS attack, mobile attack, etc). (2)All the attack signature information (i.e., spatio-temporalattack signature) from every level of contact needs to bereturned to the victim for network-wide analysis.

11.2. Information fusion

Information fusion is the process to correlate and ana-lyze the spatio-temporal signature information obtainedthrough the information gathering process.

To quantitatively represent spatial relation among can-didate attack signatures, we define Spatial Relation Factor(SRF) as follows:

SRF ¼ a PPNC 1gC 1¼1

PNC 2gC 2¼1DSðgC 1;gC 2; nC 1; nC 2Þ

; ð27Þ

where

a ¼ nS

NC 1 þ NC 2: ð28Þ

Nc�1 is the total number of vicinity nodes of contact c_1and Nc�2 is the total number of vicinity nodes of contactc_2. nS is the number of nodes that observe attack signa-ture, nc�1 and nc�2 in the vicinity of contacts c_1 and c_2I,respectively. gc�1 is a vicinity node of contact c_1and gc�2

is a vicinity node of contact c 2:DSðgc�1;gc�2; nc�1; nc�2Þ isthe hop count between node gc�1 and gc�2 that observethe attack signature nc�1, and nc�2, respectively. The hopcount information can be obtained using underlying rout-ing table or through explicit query. DSðgc�1;gc�2; ;nc�1;

nc�2Þ ¼ 0 if node gc�1 and gc�2 do not observe any candi-date attack signature. P is the total number of pairs ofðgc�1;gc�2Þ, where DSðgc�1;gc�2; nc�1; nc�2Þ > 0. a is majorityvoting factor. For a high value of a, we can infer that attackis occurring near the central region of c_1’s vicinity andc_2’s vicinity. It is because more vicinity nodes can over-hear the abnormality when attack traffic passes throughthe central region of the contact’s vicinity. When a is small,we can infer that the attack traffic is not passing throughthe central region of the contact’s vicinity or the candidateattack signature report is not reliable (false reporting).When attacker moves from vicinity of c_1 to vicinity ofc_2, we can observe small DSðgc�1;gc�2; nc�1; nc�2Þ and highSRF. When c_1 and c_2 is not adjacent contacts and gc�1

and gc�2 are far away, large DSðgc�1;gc�2; nÞ is obtained,which leads to low SRF.

We also quantitatively formulate temporal relation ofcandidate attack signatures as Temporal Relation Factor(TRF).

TRF ¼ a PPNC 1gC 1¼1

PNC 2gC 2¼1DTðtLðgC 1Þ; tSðgC 2Þ; nC 1; nC 2Þ

; ð29Þ

where DTðtLðgc�1Þ; tSðgc�2Þ; nc�1; nc�2Þ is the time differencebetween the start time (i.e., tSðgc�2Þ) when attack signa-tures nc�2 is observed by node gc�2 and the last (or most

recent) time (i.e., tLðgc�1Þ) when the attack signaturenc�1is observed by gc�1 where tSðgc�2ÞP tSðgc�1Þ. Undermobile attack, temporal continuity is observed and TRF be-comes large since DTðtLðgc�1Þ; tSðgc�2Þ; nc�1; nc�2Þ becomessmall.

We use SRF and TRF metrics to infer attack type as fol-lows: (I) When high SRF and high TRF is observed, we caninfer that mobile attack has occurred. (II) When high SRFand low TRF are observed, we can infer that attack traffichas been intermittently generated from geographicallyclustered attackers. (III) When high SRF and negative TRFare observed, we can infer that DDoS attack has occurredfrom clustered attackers (clustered DDoS attack) (IV)When low SRF and high TRF are observed, we can infer thatattack has occurred from geographically spread attackerswith temporal continuity. (V) When low SRF and low TRFare observed, we can infer that attack traffic has been gen-erated from geographically spread attackers. (VI) Whenlow SRF and negative TRF are observed, we can infer thatDDoS attack from geographically spread attackers has beengenerated (spread DDoS attack). These results have beenvalidated via extensive simulations.

11.3. Examples for mobile attacker traceback

11.3.1. Mobile DoS attacker tracebackFig. 34a shows the example of mobile DoS attacker

traceback using the TRF and SRF metrics. In the figure, at-tacker moved from region 10! 9! 8! 7. Attack pathsfrom each attack origin are as follows: 10! 6! 4!2! 1! v, ð9! 6! 3! 2! 1! vÞ, ð8! 5! 3! 2!1! vÞ, ð7! 5! 3! 2! 1! vÞ. A victim will find thefirst level temporal/spatial relation in regions 3 and 4. Inregion 3 and region 4, high TRF and high SRF are observed.At this point, we can infer that mobile attack is occurring.Similarly, in region 5 and 6, high TRF and high SRF areobserved. Lastly, in region 7, 8, 9, 10, high TRF and SRFare observed, which leads us to conclude that attacker ismoving and currently located in the region 7. Vertical ordiagonal movement of attacker can be detected similarly.

11.3.2. Mobile DDoS attacker tracebackBasically, mobile DDoS attacker can be detected and

tracked down using the same mechanism mentionedabove with separate threads for each branch attack route.A difficult problem in mobile DDoS attack occurs whenmultiple attackers are crossing each other as in Fig. 34b.The crossing mobile DDoS attack can be detected by usingTRF and SRF metrics plus attack signature surge detection.For instance, in Fig. 34b, the first attacker is moving 7! 8! 9 and the second attacker is moving 11! 10!9. Attacktraffic is merged on the path 9! 6! 3! 2! 1. Region 4,and 5 observe high SRF and high TRF. In addition, region 5,and 6 also observe high SRF and high TRF. The relations en-able us to infer mobile attack has occurred in (4,5) regionsand (5, 6) regions. In addition, region 5 observes attacktraffic surge, which allows us to infer the crossing of mo-bile attack traffic. Similarly, region 7, 8 and 9 observe highSRF and high TRF. In addition, region 11, 10, and 9 observehigh SRF and high TRF. Region 9 will also observe attacksignature surge. Consequently, relative location of an

109 8

6

4

V

1

2

3

5

7 11109 7

6

V

1

2

3

5 4

8

(a) MobileDoS attack (b) CrossingmobileDDoS

attack

Fig. 34. Illustration of mobile attacks.

Fig. 35. Algorithm for mobile DDoS attack trace-back.

Table 3Attack classification using SRF and TRF metrics.

SRF ðm�1Þ TRF ðs�1Þ

Mobile DoS 0.17 28.1Clustered DDoS 0.18 5.12 � 10�3

Spread DDoS 0.032 5.38 � 10�3


attacker can be inferred from gathered information atcontact region 9. The overall algorithm to detect and tracemobile DDoS attack is outlined in Fig. 35.

11.4. Performance analysis for mobile attacks

To evaluate and show the effectiveness of our mobileattacker traceback scheme, we compare the SRF and TRFvalues in DDoS attacks and mobile DoS attacks. DDoS at-tacks are performed from six randomly selected nodes. Inmobile DoS attacks, the attacker and 5% of intermediatenodes move with random waypoint mobility model(Vmax ¼ 2 m=s, pause time = 2.5 s). Average SRF and TRFvalues are calculated where mobility is detected. We ex-clude the regions where a (Eq. (28)) is small (<0.1) since

it implies that the nodes that report the attack signaturemoved out from original attack path. As shown in Table3, SRF is high (>0.1) in both in mobile attack and clusteredDDoS the attack since attack is observed in a close region.SRF shows low value (<0.1) when DDoS attacks are per-formed from geographically spread locations. TRF can dif-ferentiate between mobile attacks and clustered DDoSattacks since DDoS attacks are launched at around thesame time regardless of the observation region. Conse-quently, we can effectively differentiate between DDoS at-tacks and mobile attacks using combination SRF and TRFmetrics.

12. Conclusions

In this paper, we propose the CATCH framework with acomprehensive set of attacker traceback protocols for mo-bile multi-hop networks. We use cross-layer (i.e., networkand MAC layer) information to increase traceback effi-ciency and decrease associated overhead. We also effec-tively utilize overhearing capability of MAC layer, whichdrastically increases robustness against node compromiseand mobility. In addition, it reduces false positive and neg-ative rates. We also proposed traceback-assisted counter-measure, which provides an effective defense strategyutilizing cross-layer information.

We propose a systematic attack risk analysis using amulti-dimensional approach. This risk analysis providesinsight to how mobility can be exploited for wireless at-tacks. We also propose a mobile attacker tracebackscheme. We further analyze how mobility, legitimate orotherwise, can affect the traceback performance.

Through extensive simulation-based performance anal-ysis, we showed that our proposed scheme satisfy all thedesign requirements (Table 1) for attacker traceback inmobile multi-hop networks.

References

[1] B. Al-Duwair, M. Goyindarasu, Novel hybrid schemes employingpacket marking and logging for IP traceback, IEEE Transactions onParallel and Distributed Systems 17 (5) (2006) 403–418. May.

[2] F. Bai, N. Sadagopan, A. Helmy, The IMPORTANT framework foranalyzing the impact of mobility on performance of routing foradhoc networks, Ad Hoc Networks Journal 1 (4) (2003).

[3] F. Bai, N. Sadagopan, B. Krishnamachari, A. Helmy, Modeling pathduration distributions in MANETs and their impact on routingperformance, IEEE Journal on Selected Areas of Communications(JSAC) 22 (7) (2004) 1357–1373. September.

[4] A. Belenky, Nirwan Ansari, On IP traceback, IEEE CommunicationMagazine (2003). July.

[5] S.M. Bellovin, M. Leech, T. Taylor, ICMP Traceback Messages, October2001. <draft-ietf-itrace-01.txt>.

[6] H. Burch et al., Tracing anonymous packets to their approximatesource, in: Proceedings of 2000 USENIX LISA Conference, December2000, pp. 319–327.

http://draft-ietf-itrace-01.txt

Y. Kim, A. Helmy / Ad Hoc Netw

[7] R.K.C. Chang, Defending against flooding-based distributed denial-of-service attacks: a tutorial, IEEE Communication Magazine (2002).October.

[8] T. Engel, Course of Silence Attack, Chaos Communication Congress,Berlin, 2008. <http://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt>.

[9] A. Helmy, Small world in wireless networks, IEEE CommunicationLetters (2001).

[10] A. Helmy et al., A contact-based architecture for resource discoveryin ad hoc networks, ACM Baltzer MONET Journal (2004).

[11] Yi-an Huang, Wenke Lee, Hotspot-based traceback for mobile ad hocnetworks, in: Proceedings of the 4th ACM Workshop on WirelessSecurity, WiSe ’05.

[12] G. Mansfield et al., Towards trapping wily intruders in the large,Computer Networks 34 (2000) 650–670.

[13] A.C. Snoeren et al., Hash-based IP traceback, ACM SIGCOMM (2001).[14] Minho Sung, Jun Xu, Jun Li, Li Li, Large-scale IP traceback in high-

speed internet: practical techniques and information-theoreticfoundation, IEEE/ACM Transactions on Networking 26 (6) (2008)1253–1266. December.

[15] Denh Sy, Lichun Bao, CAPTRA: coordinated packet traceback, in:Proceedings of the 5th International Conference on InformationProcessing in Sensor Networks, IEEE/ACM IPSN 06.

[16] R. Vaughn, G. Evron, DNS Amplification Attack, 2006. <http://www.isotf.org/news/DNS-Amplification-Attack.pdf>.

[17] A. Yaar, A. Perrig, D. Song, FIT: fast internet traceback, in:Proceedings of IEEE INFOCOM, Miami, USA, March 2005.

[18] CERT Advisory CA-96.21, TCP SYN Flooding and IP Spoofing Attacks,September 24, 1996.

Yongjin Kim received his B.S. degree fromElectronics Engineering Department at YonseiUniversity in South Korean, M.S. degree fromInformation Science Department at Tohokuuniversity in Japan, and Ph.D. degree fromComputer Engineering Department at Uni-versity of Southern California, USA in 2006.His research interest lies in attacker trace-back, risk analysis of various mobile wirelesssystem and software security. He has beenalso working on QoS provisioning in wirelessand wired networks. He is current working at

Qualcomm on various security issues for wireless system.

Ahmed Helmy received his Ph.D. in ComputerScience (1999), M.S. in Electrical Engineering
(EE) (1995) from the University of SouthernCalifornia (USC), M.S. Eng. Math. (1994) andB.S. in EE (1992) with highest honors fromCairo University, Egypt. He is an AssociateProfessor and the founder and director of thewireless networking lab at the Computer andInformation Science and Engineering (CISE)Department, University of Florida, Gainesville.
From 1999 to 2006, he was an AssistantProfessor of Electrical Engineering (EE) at USC.

He was also the founder and director of the wireless networking labo-ratory at USC. He was a key researcher in the network simulator (NS-2)and the protocol independent multicast (PIM-SM) projects in the Infor-

orks 8 (2010) 193–213 213

mation Sciences Institute (ISI), USC. He is leading (or has led) the STRESS,MARS, ACQUIRE and Aware NSF-funded projects. His research interests liein the areas of network protocol design and analysis for mobile ad hocand sensor networks, mobility modeling, multicast protocols, IP micro-mobility, and network simulation. In 2002, he received the National Sci-ence Foundation (NSF) CAREER Award. In 2000, he received the USCZumberge Research Award, and in 2002, he received the best paper awardfrom the IEEE/IFIP International Conference on Management of Multi-media and Mobile Networks and Services (MMNS). In 2003, he was the EEnominee for the USC Engineering Jr. Faculty Research Award and anominee for the Sloan Fellowship. In 2004 and 2005, he got the best meritranking in the EE-USC faculty. In 2007, he was a winner in the ACMMobiCom SRC research competition, and a finalist in 2008. His projectshave been funded by NSF, DARPA, NASA, Cisco, Intel, Nortel, P&W andSilicon Graphics.

He is an Area editor of the Adhoc Networks Journal - Elsevier since2004. He served as co-chair for the IFIP/IEEE MMNS 2006 and IEEEINFOCOM Global Internet (GI) Workshop 2008, local chair for IEEE ICNP2008, poster and area chair for ICNP 2009, vice-chair for IEEE ICPADS2006, and IEEE HiPC 2007. He has been the ACM SIGMOBILE workshopcoordination chair (for ACM MobiCom, MobiHoc, MobiSys, and SenSys)since 2006. He served on the program committees for numerous IEEE andACM conferences in the areas of computer and wireless networks. URL:http://www.cise.ufl.edu/~helmy.

http://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt

http://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt

http://www.isotf.org/news/DNS-Amplification-Attack.pdf

http://www.isotf.org/news/DNS-Amplification-Attack.pdf

http://www.cise.ufl.edu/~helmy

catch: a protocol framework for cross-layer attacker traceback...

Documents