DISTRIBUTED FLOOD ATTACK DETECTION
MECHANISM USING ARTIFICIAL NEURAL NETWORK IN
WIRELESS MESH NETWORKS
Submitted in partial fulfillment of the requirements for the degree of
DOCTOR OF PHILOSOPHY IN COMPUTER SCIENCE
by
MUHAMMAD ALTAF KHAN
CS420112003
Supervisor-I: Dr. Shafiullah Khan, Institute of Information Technology, KUST, Kohat ................. (Signature)
Supervisor-II: Dr. Amjad Mehmood, Institute of Information Technology, KUST, Kohat ................. (Signature)
Institute of Information Technology
Kohat University of Science & Technology, Kohat-2600,
Khyber- Pakhtunkhwa, Pakistan
April, 2016
Similarity Index Certificate
Ref No.KUST/QEC.QA-1/AP-C/1696
The Thesis/Synopsis: Distributed Flood Attack Detection Mechanism Using Artificial Neural
Network in Wireless Mesh Network
Submitted by: Muhammad Altaf Khan
CS420112003
Through the: Director, Institute of Information Technology
(Chairman/Director)
Institute of Information Technology
(Department/Institute)
was scanned using the software Turnitin. A total of 22256 words (excluding
the table of contents, references, and the other preliminary pages) were scanned and a
similarity of 06% was found against the acceptable limit (19%) set by the
Higher Education Commission of Pakistan. The above titled document is, therefore, declared
Not Plagiarized. This certificate is issued on September 17, 2015
(Plagiarized/Not Plagiarized) (Date)
Prepared by: Hameed Khan ______________________
(Full Name of the QEC official who scanned the document) Signature
Kohat 26000, Khyber Pakhtunkhwa, Pakistan, Tel #0922-52914786, Fax # 0922-554556
Kohat University of Science and Technology
CERTIFICATION FROM THE SUPERVISORS
This thesis entitled Distributed Flood Attack Detection Mechanism Using
Artificial Neural Network in Wireless Mesh Network, submitted by Mr.
Muhammad Altaf Khan to the Kohat University of Science & Technology for the
award of Doctor of Philosophy in Computer Science, presents bonafide research
work carried out under our supervision. This work (in full or in part) has not been
submitted to any other institution for the award of any degree/diploma/certificate.
Supervisor-I: Dr. Shafiullah Khan (Name), Institute of IT, KUST (Affiliation) __________________ (Signature)
Supervisor-II: Dr. Amjad Mehmood (Name), Institute of IT, KUST (Affiliation) __________________ (Signature)
CERTIFICATION FROM THE EXAMINERS
This thesis entitled Distributed Flood Attack Detection Mechanism Using Artificial
Neural Network in Wireless Mesh Network presents a bonafide record of original
research work carried out by Mr. Muhammad Altaf Khan in partial fulfillment of the
degree of Doctor of Philosophy in Computer Science, Kohat University of Science
& Technology, Kohat. We find the work satisfactory for the award of the degree if
other requirements are met. The Viva Voce was held on April 15th, 2016.
Internal Examiner Dr. Abdul Shahid
(Name) (Signature)
Institute of IT, KUST
(Affiliation)
External Examiner Dr. Abdul Wahid
(Name) (Signature)
Dept of Computer Science, COMSATS, IIT, Islamabad
(Affiliation)
Chairman/Director: Dr. ShafiUllah Khan
(Name & Signature)
ACKNOWLEDGMENTS
The achievement and final outcome of this research required a lot of guidance and
assistance from many people and I am extremely fortunate to have got this all along the
completion of my research work. Whatever I have done is only due to such guidance and
assistance and I would not forget to thank them.
I would like to express my sincere gratitude to my Supervisor-I, Dr. ShafiUllah Khan,
Asst. Prof., Institute of Information Technology, KUST, for the continuous support of my
Ph.D. study and related research, and for his patience, motivation, and immense knowledge.
His advice on both research and my career has been priceless. I could not have
imagined having a better supervisor and mentor for my Ph.D. study.
Besides my Supervisor-I, I would like to thank my Supervisor-II, Dr. Amjad
Mehmood, Lecturer, Institute of Information Technology, KUST, for encouraging my
research and for allowing me to grow as a research scientist. I am extremely obliged to
him for providing such nice support and guidance though he had a busy schedule
managing the office affairs.
I would also like to thank Dr. Abdul Shahid, Dr. Asad Habib, Dr. Jawad Ashraf, Mr.
Zeeshan Iqbal, Mr. Noor Mast and Mr. Roman of Institute of Information Technology,
KUST, for letting my defense be an enjoyable moment, and for their brilliant comments
and suggestions.
I am thankful and fortunate to have received constant encouragement, support and
guidance from my elder brother Muhammad Alamgir Khan and all the teaching staff of the
Institute of Information Technology, KUST. Without their precious support, it would not
have been possible to conduct this research. I would also like to extend my sincere regards to all
the non-teaching staff of my Institute of Information Technology, KUST, for their
support.
Muhammad Altaf Khan
Every challenging work needs self-effort as well as the guidance of elders,
especially those who were very close to our heart.
My humble effort I dedicate to my sweet and loving
Father and Mother,
whose affection, love, encouragement and prayers day and night made me able
to get success and honor.
SUMMARY
PhD Thesis (2016), by Muhammad Altaf Khan, Institute of Information Technology, KUST, Kohat, Khyber Pakhtunkhwa, Pakistan
Abstract
With increasing interest in multi-hop wireless communication networks, wireless
mesh networks (WMNs) have emerged as an affordable and scalable solution for providing
broadband packet data communications across wide geographic areas. In a WMN, the mesh
gateway provides integration with other networks so that numerous services can be offered
to the mesh clients. However, due to the open wireless nature of WMNs, mesh
gateways are prone to various security threats. Among them, WMNs are most vulnerable
to Distributed Denial of Service (DDoS) attacks. These attacks utilize the power of
millions of compromised nodes to attack the mesh gateway and break down the whole
network. Consequently, the study of DDoS attacks, and the development of techniques to
precisely and consistently detect and diminish their impact, is an important area of
research. The work presented in this thesis addresses these challenges and contributes a
mechanism for detecting DDoS attacks in WMNs based on the artificial neural network
(ANN) technique.
The proposed mechanism is a multilayer perceptron that uses the back-propagation learning
algorithm to train the system with real traffic. After training, the system is
deployed in a real environment. Due to the adaptive nature of the proposed
mechanism, it adjusts itself to the environment and detects both intermediate
and severe distributed flood attacks. It classifies incoming traffic into one of three
categories: normal traffic, intermediate distributed flood attack traffic, or severe
distributed flood attack traffic.
To demonstrate the efficiency of the proposed mechanism, its performance is
compared with some previously proposed mechanisms for the same purpose using
a network simulator (NS2). Experimental results proved that the proposed mechanism is
more reliable and accurate than these.
Table of Contents
ACKNOWLEDGMENT .......................................................................................................... IV
SUMMARY ............................................................................................................................... VI
ABSTRACT ............................................................................................................................ VII
TABLE OF CONTENTS ........................................................................................................... X
LIST OF FIGURES ................................................................................................................ XII
LIST OF TABLES ................................................................................................................. XIV
LIST OF ACRONYMS .......................................................................................................... XV
CHAPTER # 01
INTRODUCTION
1.1 CONTEXT AND BACKGROUND ................................................................................... 1
1.2 MOTIVATION AND OBJECTIVES ................................................................................ 3
1.3 ORGANIZATION OF THESIS .......................................................................................... 5
CHAPTER # 02
LITERATURE REVIEW
2.1 INTRODUCTION .................................................................................................................. 6
2.2 WIRELESS MESH NETWORKS .............................................................................................. 6
2.2.1 Applications of WMN .................................................................................................. 9
2.3 SECURITY ISSUES IN WMN ............................................................................................... 10
2.3.1 Desired requirements of security .................................................................................. 12
2.3.2 Passive attacks ............................................................................................................ 12
2.3.3 Active attacks ............................................................................................................. 18
2.3.4 Denial of Service (DoS) Attack .................................................................................. 25
2.4 DISTRIBUTED DENIAL OF SERVICE ATTACK (DDOS) ....................................................... 27
2.4.1 Architectures of DDoS attacks: .................................................................................. 28
2.4.2 Discrimination of flash crowd from DDoS attack ...................................................... 36
2.5 ARTIFICIAL INTELLIGENCE ............................................................................................... 37
2.5.1 Fuzzy Logic ................................................................................................................ 38
2.5.2 Artificial Immune System .......................................................................................... 39
2.5.3 Genetic Algorithm ...................................................................................................... 39
2.5.4 Artificial Neural Network .......................................................................................... 41
2.6 CONCLUSION ................................................................................................................ 54
CHAPTER # 03
DISTRIBUTED FLOOD ATTACK DETECTION MECHANISM USING ARTIFICIAL
NEURAL NETWORK IN WIRELESS MESH NETWORKS
3.1. INTRODUCTION ................................................................................................................ 57
3.2. PROPOSED MECHANISM .................................................................................................... 57
3.2.1. Training ...................................................................................................................... 58
3.2.2. Testing ........................................................................................................................ 62
3.3. EXPERIMENTAL RESULTS .................................................................................................. 64
3.3.1. Simulation results ....................................................................................................... 64
3.3.2. Real implementation results ....................................................................................... 70
3.4. CONCLUSION ................................................................................................................ 78
CHAPTER # 04
CONCLUSIONS AND FUTURE WORK
4.1 CONCLUSION ................................................................................................................ 79
4.2 FUTURE WORK ................................................................................................................ 82
BIBLIOGRAPHY
List of Figures
Figure 2.1 Infrastructure-less WMN ................................................................................................ 7
Figure 2.2 Infrastructure-based WMN ............................................................................................. 8
Figure 2.3 Hybrid WMN.................................................................................................................. 8
Figure 2.4 Black hole attack .......................................................................................................... 20
Figure 2.5 Architecture of agent-based DDOS attack ................................................................... 28
Figure 2.6 Architecture of reflectors-based DDOS attack ............................................................. 29
Figure 2.7 Structure of a biological neuron ................................................................................... 41
Figure 2.8 Structure of perceptron ................................................................................................. 43
Figure 2.9 Feed-forward ANN & Feed-back ANN ....................................................................... 45
Figure 2.10 Structure of a node (Processing Unit) ......................................................................... 45
Figure 2.11 Supervised learning .................................................................................................... 47
Figure 2.12 Unsupervised learning ................................................................................................ 49
Figure 3.1 Flowchart of DFAD ...................................................................................................... 56
Figure 3.2 Algorithm of DFAD ..................................................................................................... 57
Figure 3.3 Forward-pass of first input vector ................................................................................ 60
Figure 3.4 Updated weights and biases .......................................................................................... 61
Figure 3.5 Test result of an input vector ........................................................................................ 62
Figure 3.6 UDP Traffic classification by DFAD ........................................................................... 63
Figure 3.7 TCP Traffic classification by DFAD ............................................................................ 64
Figure 3.8 Simulation performed by NS 2.34 ................................................................................ 65
Figure 3.9 Packets receiving rates of UDP traffic ......................................................................... 66
Figure 3.10 Packets receiving rates of TCP traffic ......................................................................... 66
Figure 3.11 Packets dropping rates of UDP traffic ......................................................................... 67
Figure 3.12 Packets dropping rates of TCP traffic .......................................................................... 67
Figure 3.13 Analysis of distributed UDP flood attack ................................................................... 68
Figure 3.14 Analysis of distributed TCP flood attack ................................................................... 68
Figure 3.15 Analysis of distributed UDP flood attack ................................................................... 69
Figure 3.16 Analysis of distributed TCP flood attack .................................................................. 69
Figure 3.17 Comparison of detection rates against throughput ..................................................... 70
Figure 3.18 Distribution of UDP traffic flows at single system .................................................... 71
Figure 3.19 Distribution of TCP traffic flows at single system ..................................................... 71
Figure 3.20 Packets Dropping rates of UDP traffic flows at single system ................................... 72
Figure 3.21 Packets Dropping rates of TCP traffic flows at single system .................................... 72
Figure 3.22 Distribution of UDP traffic flows at server ................................................................ 73
Figure 3.23 Distribution of TCP traffic flows at server ................................................................. 73
Figure 3.24 Packets dropping rates of UDP traffic flows at server ............................................... 74
Figure 3.25 Packets dropping rates of TCP traffic flows at server ................................................ 74
LIST OF TABLES
Table 2.1. Features of WEP, TKIP and WPA ................................................................................ 18
Table 3.1. Input vectors, weights and biases used in training ........................................................ 58
Table 3.2. Comparison of UDP and TCP distributed flood attacks ............................................... 68
Table 3.3: Comparison of UDP distributed flood attack at server ................................................. 69
List of Acronyms
Wireless Mesh Network WMN
Artificial Neural Networks ANN
Denial of Service DOS
Distributed Denial of Service DDoS
Multi Layer Perceptron MLP
Genetic Algorithm GA
Medium Access Control MAC
Time Division Multiple Access TDMA
Mobile Ad hoc Network MANET
Self-Organizing Map SOM
Distance Source Routing DSR
Destination-Sequenced Distance Vector Routing DSDV
Ad hoc on Demand Distance Vector Routing AODV
Wireless Sensor Networks WSNs
Optimal Objective Entropy OOE
Mixture of two multi-layer-perceptron and one k-nearest neighbor models M2KMIX
Flow Statistics Based Detection FSD
Worldwide Inter-operability for Microwave access WIMAX
Secure Key Management Scheme SKeMS
wireless local area networks WLAN
Wireless Fidelity WiFi
Mesh Gateway MG
Mesh Client MC
Mesh Router MR
Back-Propagation BP
Distributed Flood Attack Detector DFAD
Enhanced Distributed Flood Attack Detector EDFAD
Intermediate Distributed Flood Attack Detection IDFAD
Severe Distributed Flood Attack Detection SDFAD
User Datagram Protocol UDP
Transmission Control Protocol TCP
Institute of Electrical and Electronic Engineers IEEE
Message Authentication Code MAC
Access Point AP
Personal Digital Assistant PDA
Internet Protocol IP
Wired Equivalent Privacy WEP
Temporal Key Integrity Protocol TKIP
Wi-Fi Protected Access WPA
Tribe Flood Network TFN2K
CHAPTER # 01
INTRODUCTION
1.1 Context and Background
The world is considered a global village because of wired and wireless networks, which are among the most
notable technological breakthroughs of the recent past. Such networks have evolved remarkably in
technological potential and in worldwide use, letting millions of users connect anywhere, anytime and at a
reasonable cost.
Communication networks are grouped into two main categories. The first is the infrastructure-based
network, where gateways are fixed and both static and mobile nodes communicate with these gateways
through the nearest base stations or access points. Local Area Networks (LAN), Wide Area Networks (WAN),
Personal Area Networks (PAN), Metropolitan Area Networks (MAN), Wireless Local Area Networks
(WLAN) and cellular networks are the most significant examples of this category. The infrastructure-less
network is the second category, in which there is no concept of access points or base stations. Nodes in
such networks possess routing capabilities and form a random topology. Mobile ad-hoc networks (MANET)
and Wireless Mesh Networks (WMN) are examples of such networks.
Cellular networks are considered a revolutionary technology because of their great impact on the daily life
of their users; subsequently, broadband networks like WIMAX, WLAN, mobile broadband and UWB have
been growing swiftly. Multi-hop, multi-radio WMNs have gained the most attention in the research
community and telecom industry because many unresolved challenges must be addressed before WMNs can
be used at large scale. Currently, the high-coverage broadband solutions provided by WMNs facilitate not
only home users but also a number of commodities and industries. Other broadband networks have many
deployment limitations: they need to be controlled and managed centrally, and they incur an expensive
maintenance cost. WMNs overcome these limitations, being decentralized, easily deployable,
self-configuring and self-healing, and needing only low maintenance cost. WMNs are used for many
applications such as building automation, community/metropolitan area networking and broadband
networking. WMNs may also be used to provide backhaul in rescue operations and industrial control.
Through such applications, WMNs have made the lives of users easier.
Despite all these traits, multi-radio, multi-hop WMNs are vulnerable to serious security threats due to
the open wireless medium and the topological changes of WMNs. These security threats not only affect the
confidentiality of end-users but can also bring down the entire network [1,2]. Distributed Denial of
Service (DDoS) is one of the most destructive security attacks, as it can compromise both the integrity
and the availability of WMNs. The main intention of a DDoS attack is either to tie up the victim
completely, known as a resource depletion attack, or to bring down the complete network by flooding the
victim with huge traffic so that valid users cannot access their services, known as a bandwidth depletion
attack. In a distributed flood attack, thousands of compromised nodes called zombies concurrently send a
huge amount of UDP or ICMP traffic to the victim with the aim of congesting its bandwidth or exhausting
its resources [3].
Many mechanisms have been proposed for detecting such attacks [4,5], using different approaches. It has
been observed that the technologies used in these attacks are becoming more and more sophisticated.
Therefore, instead of conventional approaches to securing WMNs, intelligent approaches must be
considered. Detection mechanisms based on artificial intelligence (AI) approaches have provided promising
alternatives. Among all AI approaches, ANN-based approaches are considered more reliable and accurate,
showing high detection rates [6,7,8].
An ANN is a model of information processing motivated by the way biological nervous systems (the brain)
process information. The structure of an ANN consists of a large number of highly interconnected neurons
(processing elements) that work in groups to solve particular problems. A neural network, with its
outstanding ability to derive meaning from complex or vague data, can be used to detect trends and extract
patterns that are very difficult for either humans or conventional computing approaches to notice. Like
human beings, an ANN learns by example. In biological systems, learning involves adjustment of the
synaptic connections between neurons; in an ANN, likewise, the connection weights are adjusted during
training of the network. When an ANN has been trained using a learning algorithm, it can be considered an
expert in the particular class of information it has been assigned to analyze. ANNs can be used in
different applications such as classification, prediction, recognition, data filtering, data association
and planning.
ANNs can be divided into two architectures, feed-forward and feedback ANNs. Both architectures are
organized into three kinds of layers: input, hidden (if any) and output. The main difference between these
architectures is the flow of information signals. A network in which the values of the output layer are
fed back to the neurons in the input layer, creating a loop in the network to obtain the desired output
value, is called a feedback ANN, while in a feed-forward ANN the information signal travels in only one
direction, from the input layer through the hidden layer to the output layer. These ANNs can be trained
with different algorithms, which fall into two main categories: supervised and unsupervised learning
algorithms. In supervised learning, each input vector is provided with its target output. A transfer
function (sigmoid, tangent, etc.) is used in each neuron of the hidden and output layers to compute its
output. The error between the two outputs, i.e. the actual and the target output, is calculated, and the
weights of the network connections are adjusted according to the calculated error. The back-propagation
learning algorithm is one of the simplest and most commonly used feed-forward learning algorithms. In
unsupervised algorithms, only the inputs, along with a guideline for constructing clusters, are provided to
the network. In this type of ANN, the connection weights are modified so that similar input vectors are
assigned to the same cluster. The self-organizing map (SOM) is one of the most common unsupervised
learning algorithms.
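The supervised feed-forward training just described, and the three-class (normal / intermediate / severe) traffic classification that the abstract attributes to the proposed mechanism, as an added worked example that is not part of the thesis: a small multilayer perceptron trained with back-propagation in pure Python. The two input features (received packets normalized by gateway capacity, and drop ratio), the sample windows, the class boundaries and the deterministic initial weights are all constructed for illustration and are not the thesis's Table 3.1 values.

```python
"""Added example: a 2-4-3 multilayer perceptron trained with back-propagation
in pure Python, classifying gateway traffic windows as normal, intermediate
or severe flood.  Features, samples, thresholds and initial weights are
constructed for illustration and are not the thesis's Table 3.1 values."""
import math

CLASSES = ["normal", "intermediate", "severe"]

# Constructed one-second windows observed at a mesh gateway, each described by
# (received packets / gateway capacity, fraction of packets dropped) in [0, 1].
TRAINING_WINDOWS = [
    ((0.05, 0.00), "normal"), ((0.10, 0.01), "normal"),
    ((0.15, 0.02), "normal"), ((0.20, 0.02), "normal"),
    ((0.40, 0.10), "intermediate"), ((0.45, 0.15), "intermediate"),
    ((0.50, 0.20), "intermediate"), ((0.55, 0.25), "intermediate"),
    ((0.80, 0.55), "severe"), ((0.85, 0.65), "severe"),
    ((0.90, 0.75), "severe"), ((0.95, 0.85), "severe"),
]


def sigmoid(z):
    """Transfer function used by every hidden and output neuron."""
    return 1.0 / (1.0 + math.exp(-z))


def one_hot(label):
    """Target output vector for supervised learning: 1.0 for the true class."""
    return [1.0 if c == label else 0.0 for c in CLASSES]


class MLP:
    """Feed-forward network: 2 inputs, one sigmoid hidden layer, 3 sigmoid outputs."""

    def __init__(self, hidden_thresholds, slope=8.0):
        # Constructed deterministic initialisation (instead of random weights):
        # hidden unit j fires when the sum of both features exceeds threshold j.
        self.w_hidden = [[slope, slope] for _ in hidden_thresholds]
        self.b_hidden = [-slope * t for t in hidden_thresholds]
        self.w_out = [[0.0] * len(hidden_thresholds) for _ in CLASSES]
        self.b_out = [0.0] * len(CLASSES)

    def forward(self, x):
        """Forward pass: signals travel input -> hidden -> output only."""
        hidden = [sigmoid(sum(w * xi for w, xi in zip(ws, x)) + b)
                  for ws, b in zip(self.w_hidden, self.b_hidden)]
        out = [sigmoid(sum(w * h for w, h in zip(ws, hidden)) + b)
               for ws, b in zip(self.w_out, self.b_out)]
        return hidden, out

    def train_step(self, x, target, lr):
        """One back-propagation update; returns the squared error before it."""
        hidden, out = self.forward(x)
        # Output deltas: d(error)/d(net input) for squared error and sigmoid.
        d_out = [(o - t) * o * (1.0 - o) for o, t in zip(out, target)]
        # Hidden deltas: output deltas propagated back through w_out.
        d_hidden = [sum(d * ws[j] for d, ws in zip(d_out, self.w_out)) * h * (1.0 - h)
                    for j, h in enumerate(hidden)]
        for k, d in enumerate(d_out):
            for j, h in enumerate(hidden):
                self.w_out[k][j] -= lr * d * h
            self.b_out[k] -= lr * d
        for j, d in enumerate(d_hidden):
            for i, xi in enumerate(x):
                self.w_hidden[j][i] -= lr * d * xi
            self.b_hidden[j] -= lr * d
        return 0.5 * sum((o - t) ** 2 for o, t in zip(out, target))

    def classify(self, x):
        """Class whose output neuron fires most strongly."""
        _, out = self.forward(x)
        return CLASSES[max(range(len(out)), key=out.__getitem__)]


def train(epochs=2000, lr=0.5):
    """Supervised training; returns (network, first-epoch error, last-epoch error)."""
    net = MLP(hidden_thresholds=[0.35, 0.7, 1.1, 1.5])
    first = last = 0.0
    for epoch in range(epochs):
        total = 0.0
        for x, label in TRAINING_WINDOWS:
            total += net.train_step(x, one_hot(label), lr)
        if epoch == 0:
            first = total
        last = total
    return net, first, last


def training_accuracy(net):
    """Fraction of training windows the trained network labels correctly."""
    hits = sum(net.classify(x) == label for x, label in TRAINING_WINDOWS)
    return hits / len(TRAINING_WINDOWS)


if __name__ == "__main__":
    net, first, last = train()
    print(f"total error: first epoch {first:.4f}, last epoch {last:.4f}")
    for window in [(0.08, 0.00), (0.48, 0.18), (0.92, 0.70)]:
        print(window, "->", net.classify(window))
```

The total squared error shrinks from epoch to epoch as the weights are adjusted, and the trained network places unseen windows into the same three categories the thesis uses.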
1.2 Motivation and Objectives
Despite the many services WMNs provide to make the lives of their users comfortable, there are still many
issues concerning the security of WMNs. Security is always a big concern of the users and administrators
of WMNs. Without a satisfactory security mechanism, WMN users are hesitant and lack the motivation to
use the services provided by WMNs. These networks can achieve much wider popularity if strong security
against distributed flood attacks and reliable services are provided to their users. Several motives paved
the ground for establishing new protocols for the detection of distributed flood attacks. Some of the most
important features of our research on WMN security are given below.
i. Due to the multi-hop architecture of WMNs, a much more complex security mechanism is needed.
Currently available security mechanisms are inadequate for reliable and robust WMNs.
ii. Two levels of security are required in a WMN: one when mesh clients access mesh routers, and the
other when mesh router to mesh router communication occurs. As these two security levels differ from
each other, security in WMNs is handled differently from other wireless networks.
iii. Due to the absence of a centralized trusted authority, WMNs are secured through mutual or distributed
trust established among nodes. Therefore, WMNs require security that is dynamic in nature.
iv. In WMN architectures, mesh gateway routers connect the mesh clients with other networks. If these
routers are compromised by attackers, it becomes easy for them to disrupt the services of the WMN or to
bring down the whole network. Therefore, a highly reliable and efficient security mechanism is needed
that can stop such activities of attackers.
The gateway is the most important component of a WMN, as all incoming and outgoing traffic passes
through it. The bandwidth assigned to this gateway is fixed, so the throughput for each client in a WMN is
reduced as the number of clients or the traffic from these clients increases. In addition, the gateway
is the point through which all traffic to the wired Internet and other networks passes, so the security
risk at the gateway is much higher than at any other point in a WMN. Intruders launching distributed flood
attacks will therefore aim either to eavesdrop on the traffic or to bring down the whole network
completely. The main objectives of this research work are:
i. To perform a detailed review of the known literature on DDoS attacks in wireless networks, particularly
WMNs.
ii. To detect both internal and external distributed UDP and TCP SYN flood attacks at the mesh gateway
router.
iii. To differentiate between flash crowd and attack traffic.
iv. To achieve high detection rates with low false positive and false negative rates.
1.3 Organization of Thesis
The chapter-wise organization of the thesis is as follows:
Chapter 2: Discusses existing detection mechanisms for DDoS attacks in wireless networks.
Chapter 3: Explains the proposed mechanism for detecting distributed flood attacks in WMNs using an
artificial neural network.
Chapter 4: Conclusion and future work directions are given in this chapter.
CHAPTER # 02
LITERATURE REVIEW
2.1 Introduction
In this chapter, Section 2.2 describes WMNs, their architectures and applications. In Section 2.3, the
security issues of WMNs and the techniques proposed for their detection are discussed. Section 2.4
describes distributed denial of service attacks and their types. In Section 2.5, intelligent techniques
such as genetic algorithms, fuzzy logic, human-immune-system-inspired mechanisms and ANN-based
mechanisms are explored, and at the end of this chapter a detailed study of ANNs is conducted.
2.2 Wireless Mesh Networks
Multi-hop wireless mesh networks (WMNs) have attracted the interest of the wireless communication
industry and research communities over the last two decades. In WMNs, connectivity among nodes is
established automatically and sustained without any central controlling body; therefore WMNs are called
decentralized and self-organizing networks [9]. WMNs have low installation and maintenance cost and are
easily deployable. These features give WMNs many advantages over existing broadband networks such as
cellular networks, wireless local area networks (WLANs) and worldwide inter-operability for microwave
access (WIMAX).
A typical WMN consists of three main components: mobile or static nodes called mesh clients (MC), mesh
routers (MR) and gateway routers (MG). MCs are often cell phones, laptops or other wireless devices that
access the broadband services provided by the WMN. Sometimes an MC performs a dual role by providing
routing for those MCs whose target nodes are out of their wireless communication range. MRs are fixed, or
in some cases have minimal mobility, and construct the multi-hop backbone of a WMN. MRs forward traffic to
and from MCs and MGs. MRs are equipped with multiple wireless interfaces that may be used for
communication with MCs and other MRs to form the backbone of a WMN. MRs differ from conventional wireless
routers because they provide additional services that support mesh networking. Moreover, MRs can provide
multi-hop communication, which enables them to cover the same area with much lower transmission power.
MGs are mesh routers that are connected to existing networks through a wired link to provide broadband
services to the MCs of the WMN through the MRs. By using MGs, a WMN can easily be integrated into
existing wired and wireless networks, including cellular networks, sensor networks, WLAN and WIMAX. WMN
architectures can be organized into three types [10].
i. Infrastructure-less WMNs: As shown in Figure 2.1, this architecture resembles a mobile ad-hoc network because no dedicated network infrastructure is available. Here, MCs play an active role during communication: they carry the routing overhead of forwarding packets on behalf of MCs that are not within direct wireless range of each other, and they configure themselves.
Figure 2.1 Infrastructure-less WMN
ii. Infrastructure-based WMNs: In this architecture, MRs and MGs provide a wireless backbone infrastructure for multi-hop communication between MCs and other networks, as shown in Figure 2.2. MCs have a passive role because they do not contribute to the mesh infrastructure.
Figure 2.2 Infrastructure-based WMN
iii. Hybrid WMNs: This architecture combines the infrastructure-less and infrastructure-based architectures, as shown in Figure 2.3. MRs and MGs form the wireless backbone of the network, and in addition MCs may also form a mesh by routing and forwarding packets of other MCs.
Figure 2.3 Hybrid WMN
(Legend of Figures 2.2 and 2.3: mesh gateway, mesh router, mesh client; wireless link, wired link; wireless mesh backbone; the gateway connects to the Internet and to external networks such as WiMAX, sensor networks and cellular networks.)
An MR of a WMN may operate in different modes at the physical layer: single-radio, dual-radio and multi-radio wireless mesh [11]. In single-radio mesh mode each MR simply relays the received traffic to other nodes or MRs on the same radio. This mode is considered an economical form of wireless mesh networking, but congestion may occur in a large coverage area under a heavy traffic load. Dual-radio mode improves the scalability of WMNs: each MR is equipped with two radios, one for client access and one for backhaul connectivity. In dual-radio mode, however, medium contention on the backhaul radio may reduce link capacity and increase latency. To overcome this problem, multi-radio mesh networks have been proposed, in which a single radio is used for communication with clients and multiple radios are used for backhaul communication to increase capacity and decrease latency.
2.2.1 Applications of WMN
The research and growth of wireless mesh networking has been driven by its applications, and the market value of most of these deployed applications has been clearly demonstrated. For instance, broadband home networking, enterprise networking, building automation, community and neighborhood networking, metropolitan area networking, transportation systems and health and medical systems [10] are common applications of WMNs.
i. Broadband home networking: Broadband home networking is usually provided through IEEE 802.11 WLANs. In current broadband home networking a wired access point is used to provide Internet service. Because of dead zones in a house, more access points may need to be deployed to increase the coverage, which is costly; moreover, using more access points may reduce the efficiency of communication. These problems can be overcome by substituting mesh routers for the access points. With multiple mesh routers, a robust and wide-range wireless network is provided for data communication in the home.
ii. Community or neighborhood networking: WMNs also provide improved data sharing and connectivity for building a community or neighborhood network. A WMN can likewise offer wireless communication between offices or buildings to provide enterprise networking. WMNs are an efficient alternative for providing broadband networking over large areas, particularly in underdeveloped areas.
iii. Transportation systems: A WMN may also be used to provide instant traffic information to travelers by means of infrastructure deployed on trains, ferries and buses. Moreover, because of the high bandwidth and effortless access of WMNs, they may also be deployed in many health and medical systems.
iv. Building automation: WMNs can also be used in building automation to monitor and control various electrical appliances such as lights, fans and air conditioners. Wired networks are usually used for this purpose, but they are expensive. Substituting mesh routers for the control network decreases the cost and simplifies deployment.
Despite these applications, different security attacks can be launched against WMNs because of the wireless medium, dynamic topology changes and distributed architecture. So far, many security mechanisms have been proposed by the research community for ad-hoc wireless networks that can also be considered for securing WMNs. However, because of the structural differences between the two kinds of network, some solutions proposed for ad-hoc wireless networks cannot perform effectively in WMNs. Therefore, more reliable, secure and robust security mechanisms are needed for WMNs that can detect and prevent all possible active and passive attacks.
2.3 Security issues in WMN
Broadband WMNs face different types of security issues; some of the most important are discussed here.
2.3.1 Desired requirements of security
Wireless communication is a necessity today; therefore its security concerns are becoming prime issues. The major sources of security risk are the wireless infrastructure and the open transmission medium. Unfortunately, none of the existing wireless networks is considered secure, particularly broadband wireless networks, where an extra level of complication and additional security issues are introduced by the Internet connectivity [12].
Because of the decentralized infrastructure, frequent dynamic changes in the network topology and open shared wireless medium, security of WMNs is highly desirable. Moreover, both the data and the resources of the network are precious to users, so it is highly important to protect both. The basic security requirements of any broadband network can be categorized into four main categories: confidentiality, integrity, authentication and availability [13].
i. Confidentiality: requires concealment of network traffic; it guarantees that data is received by the intended destination without being eavesdropped on or disclosed to others. This security property is compromised by many passive attacks in wireless broadband networks.
ii. Integrity: is concerned with protecting the contents of network traffic. It ensures that the packets received by the intended user are in the same form and sequence as sent by the sender. Attacks against this property aim to alter the contents of packets before they reach the actual destination.
iii. Authentication: ensures the reliability of data by identifying its source. An attacker may not only change the data in packets but may also change the whole stream of packets by adding malicious packets. Consequently there is a need to verify that received packets originate from a valid source. In a WMN, authentication plays a vital role in verifying that received packets originate from the claimed sender. To provide authentication, a shared secret key between sender and receiver may be used to calculate a message authentication code (MAC) over each packet.
iv. Availability: is the most significant property when securing wireless networks. It is concerned with keeping resources available to users: there must be reliable communication between sender and receiver. This property is compromised by many DoS attacks, in which intruders try to prevent normal services or make the network unavailable to legitimate users.
Confidentiality and authentication of wireless broadband networks are compromised by passive attacks, while integrity and availability are compromised by active attacks.
2.3.2 Passive attacks
In passive attacks, intruders aim only to obtain sensitive information about the target system by constantly listening to or analyzing the network traffic. In this way intruders are sometimes able to gain access to the target system without disturbing traffic transmission. Passive attacks are considered very hard to detect because during these attacks user data is not destroyed and network operation remains normal [14]. In most passive attacks, intruders measure the duration and frequency of transmissions to obtain information that may pave the way for launching active attacks. Some well-known passive attacks are as follows:
i. Traffic analysis
ii. Eavesdropping
iii. War driving attack
iv. Corrupt access point
v. Brute force attack
i. Traffic analysis: A network-based attack in which ongoing network traffic is intercepted and recorded to collect information about current network activity, the protocols in use, the users in communication and the active access points of the network, or to gather military intelligence [15]. Due to their multi-hop architecture, WMNs are more prone to traffic analysis than single-hop IEEE 802.11 networks. In a WMN, routing overhead and security risk increase with the number of hops between source and destination. Mostly, this attack is launched by an intermediate malicious node, which can easily analyze the traffic passing through it. Traffic analysis may also provide the basis for a homing attack, in which intruders aim to locate the gateway. Later, this information may be used to launch a DoS attack by jamming the gateway and making it unavailable to users [16].
One of the best mechanisms to prevent traffic analysis is multi-path routing, in which multiple routes are established between source and destination to transfer the data. Because of the many possible routes, intruders are unable to capture a complete conversation. However, multi-path routing also increases the routing overhead, as does masking, i.e. the continuous transmission of encrypted signals even when no traffic is being exchanged between source and destination [17].
ii. Eavesdropping: Because of the medium (air) used by broadband wireless networks for data transmission, they are easy to eavesdrop on. An eavesdropping attack is easier to launch in a WMN than in an IEEE 802.11 WLAN. The broadband services provided by IEEE 802.11 are limited to an organization, or to a small group of users, because of the limited transmission range, so to eavesdrop on a wireless link the attacker must be close to the organization's premises. In a multi-hop community-based WMN, by contrast, the broadband services are used by a large number of users over a large geographical area, so it is easy for an attacker acting as an intermediate node to eavesdrop on any wireless link. The eavesdropper may secretly keep a copy of the traffic and forward it towards the destination. Many tools are available with which an eavesdropper can listen to or analyze network traffic.
A sniffer is an example of the most commonly used tools for eavesdropping. It may be either a device or an application that captures network packets efficiently. The SSID of a wireless network may also be detected with such a tool, which may further help in collecting the MAC addresses of users. Eavesdropping is considered less harsh for the wireless network itself, but it is harmful to users when personal information such as credit card numbers or social security numbers is captured. To avoid such attacks, strong encryption is required for network communication [17]. The Secure Key Management Scheme (SKeMS) is a scheme implemented in combination with an intrusion detection system. It provides assignment of encryption keys among all the nodes and is very useful in defeating eavesdropping attacks in WMNs; SKeMS has been shown to be more resilient against harmful eavesdropping attacks [18].
iii. War driving attack: APs and MRs periodically transmit beacon frames, so in a war-driving attack intruders move around a city or organization to capture the beacon frames of active APs or MRs. Intruders may obtain information such as the network SSID, MAC address, WEP status, whether the device is an AP or a peer device, signal strength and the current noise level. If the exposed APs or MRs are not configured securely, the intruder may exploit their bandwidth for free Internet access or steal secret data for illegitimate use. Moreover, the obtained information may also lead to serious active or DoS attacks. A Wi-Fi scanning tool on the Mac OS X platform was used to analyze war driving through different activities in [19]; the experiments concluded that either no security or only weak security protocols were deployed by more than 50% of users in Dubai, UAE.
iv. Corrupt access point: This is the most versatile kind of passive attack, in which the intruder targets an AP or MR of an IEEE 802.11 WMN without modifying its configuration. Because of the large scale of a WMN, it is easier to launch a corrupt AP attack on a WMN than on a WLAN. After compromising the AP or MR, the intruder is able to analyze all network traffic passing through it. Detection of such an attack is very difficult. Periodic erasure and reprogramming of the AP was considered one of the promising mechanisms for dealing with this attack [17]; however, it degrades network performance because the network cannot be accessed by valid users while the AP is being erased and reprogrammed. Through this attack, an intruder may easily launch any active attack by fully or partially dropping received packets. Sometimes these passive attacks create room for DoS attacks by disconnecting the compromised victims from the WMN.
v. Brute force attack: This may be used to find the password of an MR by systematically trying every candidate password from a dictionary. It is recommended to use different strong passwords for different MRs in a WMN; otherwise their passwords may easily be broken by brute force. To prevent brute force attacks, it is good practice to change the passwords of MRs periodically, or to deny a user's requests after a specific number of authentication attempts [17].
Normally, these passive attacks pave the ground for active attacks or DoS attacks. For instance, after gaining illegitimate access to an AP or MR with the help of sniffers or brute-force techniques, an intruder can passively monitor all the ongoing network traffic. The intruder may then select a victim node and partially or fully drop and/or modify the packets received from it, cutting the victim node off from normal network operations. The attack becomes more severe when the intruder targets the AP or MR itself, separating that segment of the WMN.
Passive attacks compromise the confidentiality and authentication of a WMN; therefore strong encryption and authentication techniques are needed. For this purpose WMNs have adopted the following techniques:
i. Wired Equivalent Privacy (WEP)/WEP2
ii. Temporal Key Integrity Protocol (TKIP)
iii. Wi-Fi Protected Access (WPA)/WPA2
i. WEP/WEP2: WEP is a MAC-layer protocol that provides security for wireless networks in two ways, i.e. through a secret key and encryption. The secret key is 5 or 13 characters (40 or 104 bits) long and is shared among all nodes and the AP. The network interface card (NIC) of each node uses this key to encrypt frames before sending them to the AP, and the AP decrypts the received frames for further processing. Frames are encrypted with the RC4 stream cipher, and a CRC-32 checksum, the integrity check value (ICV), is used to detect modification of the data. An initialization vector (IV) is also used in WEP so that two frames are not encrypted with the same keystream: the IV is prepended to the secret key, so that a different RC4 key is produced for each frame. The common configuration is 64-bit encryption, i.e. a 40-bit secret key plus a 24-bit IV, for both nodes and the AP [20]. WEP assumed that an eavesdropper listening to transmissions would be unable to recover the plaintext, but this was not the case. Because the IV is small and is transmitted in plaintext, IVs are reused, and keystream reuse allows an attacker who knows the plaintext of one frame to recover the plaintext of another frame sent with the same IV. Moreover, because the secret key remains constant for a long time, intruders have enough time to analyze the network traffic and break the key by brute force [13]. To overcome these weaknesses an updated version, WEP2, was introduced with 128-bit keys, but it suffers from the same deficiencies as WEP.
ii. Temporal Key Integrity Protocol (TKIP): TKIP is a security protocol that aimed to solve the problems found in WEP, such as the small size of the IV and of the encryption key [20]. TKIP is a collection of algorithms wrapped around WEP to provide more security. TKIP rotates temporal keys so that a different key is used with each packet; therefore it is considered more reliable than WEP. TKIP uses a 48-bit sequence counter that is transmitted with each packet and incremented for every new packet; this sequence number ensures that each packet is encrypted with a different key and allows replayed packets to be rejected. A fresh base key is generated whenever a wireless node associates with an AP or MR. This base key is derived from a session secret key, random numbers generated by the AP and the node, and the MAC addresses of the AP and node. This mixing reduces the chance of intruders breaking the base key, but increases the processing overhead on many APs or MRs. Using a different key with each packet also reduces the key-collision problem. TKIP also provides an integrity check, the Message Integrity Check (MIC), which ensures that intruders cannot inject their own data into captured packets. TKIP still uses the RC4 algorithm, but it avoids the weak-key problem by generating a new key after every 10,000 packets. Moreover, in TKIP the IV is mixed into the per-packet key rather than simply prepended to the secret key as in WEP.
iii. WPA/WPA2: The WPA security protocol was introduced by the Wi-Fi Alliance when the problems of WEP were exposed. It was used as an intermediate standard until the IEEE 802.11 working group released a more reliable and secure protocol (IEEE 802.11i). WPA was also based on WEP, but used the stronger encryption of TKIP, which provides per-packet key mixing and the MIC. A firmware upgrade of existing hardware, or sometimes new hardware, is required to take full advantage of the encryption used in WPA. The WPA pre-shared key is 8 to 63 characters long, which is longer and safer than WEP/WEP2. In WPA, the network shuts down for a specific period if two packets with MIC failures are received within a short interval. Although this feature is designed for safety, attackers use it to shut down WPA-based networks: if the AP or MR detects forged data, WPA is vulnerable to a 60-second DoS attack [13].
WPA2 was developed in 2004 and is currently used as the wireless security standard. WPA2 concentrates on three main security features: authentication, data transfer privacy and key management. The Advanced Encryption Standard (AES) is used for data encryption in WPA2, and WPA2 equipment is backward compatible with WPA. The AES key length may be 128, 192 or 256 bits. In every session a fresh set of keys is derived, so a unique key is used to encrypt the transmitted packets. Like WPA, WPA2 is available in two modes, Personal and Enterprise. In Personal mode WPA2 requires only an AP or MR and a pre-shared key for authentication, while in Enterprise mode a Remote Authentication Dial In User Service (RADIUS) authentication server is required and the Extensible Authentication Protocol (EAP) is used. EAP is available in different flavors, such as Lightweight EAP (LEAP), EAP-MD5, Protected EAP (PEAP) and EAP-Tunneled TLS (EAP-TTLS). In Enterprise mode each AP or MR acts as an EAP authenticator and does not open its network port to a client until the client's authentication is complete [21].
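The two WEP weaknesses named under item i above, keystream reuse through a repeated 24-bit IV and the linear CRC-32 ICV, can be shown end to end. The following Python is an added example written for this chapter, not code from the thesis or from any WEP implementation; the key, IVs and frame contents are constructed for illustration, and the RC4 is a plain textbook implementation.

```python
# Added example (not from the thesis): WEP-style RC4 framing, IV reuse and CRC-32 malleability.
# Key, IVs and plaintexts below are constructed for illustration only.
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA) producing `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP builds it: IV in the clear || RC4(IV||key)(plaintext || CRC-32 ICV)."""
    assert len(iv) == 3 and len(secret_key) in (5, 13)   # 24-bit IV, 40- or 104-bit key
    icv = struct.pack("<I", zlib.crc32(plaintext))
    body = plaintext + icv
    return iv + xor(body, rc4_keystream(iv + secret_key, len(body)))


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok). The receiver only checks the CRC, not a keyed MAC."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + secret_key, len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, struct.pack("<I", zlib.crc32(plaintext)) == icv


def recover_by_iv_reuse(frame_a: bytes, known_plain_a: bytes, frame_b: bytes) -> bytes:
    """Attacker knows the plaintext of frame A (e.g. a predictable header) and captures
    frame B sent under the same IV. C_a xor P_a yields the keystream, which decrypts B
    without the key."""
    assert frame_a[:3] == frame_b[:3], "IV reuse is the precondition"
    keystream = xor(frame_a[3:], known_plain_a)          # as many bytes as are known
    return xor(frame_b[3:], keystream)


def flip_bits_without_key(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted payload and patch the encrypted ICV so it still
    verifies: CRC-32 is linear, crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0)."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return iv + xor(ct[:n], delta) + xor(ct[n:], struct.pack("<I", icv_delta))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` random IVs coincide."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    key = b"Key12"                                   # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"                             # the same IV used twice (the flaw)
    p_a = b"GET /index.html HTTP/1.0"                # plaintext the attacker can guess
    p_b = b"PIN=4242 card=1234567890"                # plaintext the attacker wants
    f_a, f_b = wep_encrypt(key, iv, p_a), wep_encrypt(key, iv, p_b)
    print(recover_by_iv_reuse(f_a, p_a, f_b))        # b'PIN=4242 card=1234567890'
    delta = bytes([ord("G") ^ ord("P"), ord("E") ^ ord("U")]) + bytes(len(p_a) - 2)
    print(wep_decrypt(key, flip_bits_without_key(f_a, delta)))  # (b'PUT /index.html HTTP/1.0', True)
    print(round(iv_collision_probability(5000), 2))  # about 0.52 after only 5000 frames
```

The collision estimate shows why a 24-bit IV is inadequate on a busy mesh backbone: even with random IV selection, a repeat is more likely than not after about five thousand frames, and an MR relaying traffic for many clients sends that many in minutes. The ICV patch succeeds because CRC-32 is not keyed; this is the gap that TKIP's MIC and WPA2's CCMP close.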
The features of WEP, TKIP and WPA discussed above are summarized in Table 2.1. Because of the limitations of the encryption and authentication mechanisms used so far, more secure and reliable security mechanisms are needed for multi-hop WMNs to cope with passive attacks and to protect the confidentiality of data transferred in the WMN.
Characteristics      WEP                     TKIP                         WPA
Encryption method    RC4                     RC4                          RC4, AES
Key size             40 bits                 128 bits                     128, 192 and 256 bits
Data integrity       CRC-32                  MIC                          MIC, CCM
Hash method          ICV                     ICV                          ICV
Authentication       Optional                Required                     Required
Packet key           Concatenated            Mixing function              Mixing function
Replay protection    None                    IV sequence                  IV sequence
Vulnerabilities      Key reuse attack,       Key-stream recovery attack   Differential cryptanalytic attack,
                     weak encryption                                      birthday attack, DoS
Table 2.1 Features of WEP, TKIP and WPA
2.3.3 Active Attacks
Active attacks are considered more disruptive than passive attacks. They may disturb the normal traffic flow between nodes by adding, tampering with or dropping packets. Although the firmware of most wireless network interface cards (WNICs) that follow the 802.11 standards has been protected against such injection, attackers still have many techniques for controlling network flows. With active attacks, an intruder may create jitter in transmission to reduce the overall throughput of the network [22]. Compared to passive attacks, active attacks are more destructive in WMNs; on the other hand, active attacks are easier to detect than passive attacks because of the interactive approach adopted during an active attack. Active attacks may be launched by either internal or external nodes. The most commonly launched active attacks in WMNs are as follows [23]:
i. Black hole attack
ii. Grey hole attack
iii. Worm hole attack
iv. Sink hole attack
v. Sybil attack
i. Black hole attack: A black hole attack aims to degrade network performance by participating in network activities. In this attack, a malicious node abuses the routing protocol to advertise itself to all nodes as the nearest node to every destination, with the shortest and freshest routes. By this claim the malicious node easily intercepts and holds the packets of the victim. Once a forged route between the malicious node and the requesting node is established, it is up to the malicious node either to drop the received packets or to forward them to an arbitrary address in the network [24]. An example of a black hole attack is given in Figure 2.4, where node "A" is the source, node "D" is the destination and node "G" is malicious. Node "G" replies to the RREQ packets of node "A" by claiming that it has the shortest and freshest path towards destination "D". Therefore, after route discovery completes, node "A" starts sending packets to node "D" through node "G", ignoring all other paths discovered during route discovery. Malicious node "G" is called a black hole node because it can drop or consume the received packets [25,26].
Virmani et al. [27] proposed an algorithm that detects malicious nodes with the help of Selective Repeat ARQ in a watchdog, where transmissions between source and destination nodes are monitored by a node X, which is also responsible for informing the source node if any node is found misbehaving during transmission. The method proposed in [28] uses a watchdog mechanism and time of flight to detect both black hole and worm hole attacks. In the watchdog mechanism, each node maintains two extra tables: a pending packet table and a node rating table. The pending packet table records the packet ID, next-hop address, destination address and an expiry time for each sent packet. The node rating table records, for each node within communication range, its address and the number of packets it has dropped and forwarded. A threshold on this record distinguishes a malicious node from a legitimate one. A black hole attack may also be carried out by a number of black hole nodes that cooperatively target the traffic of a victim [29]. Cooperative black hole attack detection is proposed in [30], where a DR1 table keeps track of each node's transmissions with its neighbors, and the reliability of a node is determined from the next-hop-neighbor (NHP) information in the DR1 table.
Figure 2.4 Black hole attack (nodes A to G; A is the source, D the destination and G the black hole node)
ii. Grey hole attack: A grey hole attack, also known as a selective forwarding attack, is one of the serious threats to wireless networks. As in a black hole attack, during route discovery a malicious node presents itself as a legitimate node; it then starts refusing to forward some of the received packets towards the destination, even though there is no congestion. Hence the route discovery process and the performance of the network are degraded by these malicious nodes. It is very hard to detect grey hole nodes in wireless networks because they may not drop packets continuously: after dropping some packets of the intended victim, they may act like normal nodes by forwarding all received packets. Moreover, packet collisions, poor signal quality or deliberate dropping may all increase the packet loss rate [31].
Collaborative selective forwarding attacks are detected in [32] using extended channel-aware detection (CAD). The proposed method has two phases: in the first, malicious nodes are detected through CAD, while in the second, colluding nodes are detected using the information gathered in the first phase. In [33] a fuzzy-logic-based technique is used to detect black hole and grey hole attacks; the system also prevents these attacks by an efficient node-blocking mechanism and ensures security during communication.
In [34] a channel-aware detection mechanism is proposed. A threshold is used to distinguish the normal packet loss rate from a selective forwarding attack, taking into account that packet loss may also occur because of low channel quality or collisions at the MAC layer; the channel is estimated and the traffic monitored, and if the observed loss rate crosses the threshold the corresponding node is declared malicious. The method also detects bad-mouthing and on-off attacks. Another CAD-based mechanism is proposed in [35], which uses two strategies, hop-by-hop loss monitoring and traffic overhearing, to detect malicious grey hole nodes in a WMN. An optimal threshold is derived to analyze the false-alarm and missed-detection probabilities of CAD.
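The watchdog tables of [28] and the threshold test of [34] described above can be combined into a small simulation. The following Python is an added example for this chapter, not code from the thesis or from the cited papers: a watchdog keeps a pending-packet table and a node-rating table, and a constructed relay model drops packets at an assumed rate (about 5% for an honest node on a lossy link, 40% for a grey hole, 100% for a black hole). The drop-ratio threshold, minimum sample size and overhearing timeout are assumptions.

```python
# Added example (not from the thesis or from [28]/[34]): a watchdog with a pending-packet
# table and a node-rating table, run over a constructed relay simulation. Loss rates,
# threshold and timeout are assumptions chosen for illustration.
import random
from collections import defaultdict


class Watchdog:
    """Overhears the next hop's retransmission of each packet handed over to it.

    pending: packet_id -> (next_hop, destination, expiry_tick)
    rating:  node -> {"forwarded": n, "dropped": n}
    A packet not overheard before its expiry counts as dropped by the next hop.
    """

    def __init__(self, threshold: float = 0.20, min_packets: int = 20, timeout: int = 3):
        self.threshold = threshold      # drop ratio above which a node is flagged (assumed)
        self.min_packets = min_packets  # do not judge a node on a handful of packets
        self.timeout = timeout          # ticks a forward may legitimately take
        self.pending = {}
        self.rating = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
        self.tick_no = 0

    def sent(self, packet_id: int, next_hop: str, destination: str) -> None:
        self.pending[packet_id] = (next_hop, destination, self.tick_no + self.timeout)

    def overheard(self, packet_id: int, relayed_by: str) -> None:
        entry = self.pending.get(packet_id)
        if entry is None or entry[0] != relayed_by:
            return                      # late, duplicate, or relayed by someone else
        del self.pending[packet_id]
        self.rating[relayed_by]["forwarded"] += 1

    def tick(self) -> None:
        self.tick_no += 1
        for pid in [p for p, (_, _, exp) in self.pending.items() if exp <= self.tick_no]:
            next_hop = self.pending.pop(pid)[0]
            self.rating[next_hop]["dropped"] += 1

    def drop_ratio(self, node: str) -> float:
        r = self.rating[node]
        total = r["forwarded"] + r["dropped"]
        return r["dropped"] / total if total else 0.0

    def suspicious(self) -> list:
        """Nodes whose drop ratio exceeds the threshold over enough packets."""
        return sorted(n for n, r in self.rating.items()
                      if r["forwarded"] + r["dropped"] >= self.min_packets
                      and self.drop_ratio(n) > self.threshold)


def simulate(relays: dict, packets_per_relay: int = 200, seed: int = 7) -> Watchdog:
    """relays maps next-hop name -> probability that it silently drops a packet.
    About 0.05 stands for ordinary loss (collisions, poor link), 1.0 is a black hole and
    an intermediate value such as 0.4 is a grey hole."""
    rng = random.Random(seed)
    wd = Watchdog()
    packet_id = 0
    for _ in range(packets_per_relay):
        for node, p_drop in relays.items():
            packet_id += 1
            wd.sent(packet_id, node, "D")
            if rng.random() >= p_drop:      # honest relay: the watchdog overhears it
                wd.overheard(packet_id, node)
        wd.tick()
    for _ in range(wd.timeout):             # let the last pending entries expire
        wd.tick()
    return wd


if __name__ == "__main__":
    wd = simulate({"B": 0.05, "F": 0.40, "G": 1.00})
    for node in ("B", "F", "G"):
        print(node, round(wd.drop_ratio(node), 2))
    print("flagged:", wd.suspicious())     # ['F', 'G']
```

Two properties of the threshold test are visible here: the minimum sample size prevents a node from being blacklisted on a few unlucky packets, and an honest node that is merely slow (its forwards arrive after the expiry) is still scored as dropping, which is the kind of false alarm the channel-aware threshold of [34] and [35] is designed to bound.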
iii. Worm hole attack: The worm hole attack is considered one of the most severe active attacks because it completely disrupts the channel without breaking the conventional routing protocol. During this attack, one malicious node receives packets at one location in the network and tunnels them to another malicious node through a direct low-latency communication link known as the worm hole link. This link between the worm hole nodes may be established in many ways, e.g. through an Ethernet cable, an optical link, a high-power wireless transmission or packet encapsulation. After establishing the worm hole link, the worm hole nodes relay received packets to each other and create the illusion that the nodes at both ends of the tunnel are very close to each other, with a small number of hops. Hence a source node that generates a route request (RREQ) for the destination will select the path offered by the worm hole nodes and drop the legitimate multi-hop path [36,37]. Once the worm hole nodes are part of the communication, it is up to these malicious nodes to replay, tamper with, drop or selectively forward the packets [38]. The possibility of a worm hole attack is analyzed in [39], which proposes an architecture that counters such attacks: information is shared among access points with the aim of preventing rogue access points from posing as false neighbors, and neither location information nor clock synchronization is required for protection against the worm hole attack. A method for detecting the Byzantine worm hole attack in WMNs is proposed in [40]. It uses digital signatures to prevent the construction of worm holes during route discovery. The mechanism is specifically designed for on-demand hop-by-hop routing protocols such as the Hybrid Wireless Mesh Protocol (HWMP), but also performs well for source routing protocols such as Dynamic Source Routing (DSR). Detection of malicious nodes in [41] is performed without altering the routing protocol: it analyzes hop count and time delay to discover suspicious routes that could be used in a tunneling attack, since such a tunnel can interfere with the route discovery process without compromising any node in the network.
Detection and prevention of both exposed and hidden worm hole attacks is performed using the Euclidean distance formula in [42]; it requires only the location of the nodes. This mechanism makes communication among the nodes secure and reliable, with high throughput and low packet loss during a worm hole attack. An efficient mechanism for detecting worm hole attacks in WMNs is proposed in [43], where detection efficiency is improved by the worm hole detection based on neighbor's neighbor scheme (WDNN), which uses two-hop neighbor information. Moreover, to keep routes away from worm holes, a simple random walk route scheme (RWR) is proposed that selects the route without preferring the low-latency link created by the worm holes. The algorithm proposed in [44] detects worm hole attacks in WMNs by manipulating the directional neighbor list and the neighbor list of the source node. It provides the approximate location of the nodes and the effect of the ongoing worm hole attack on all nodes, which makes implementing countermeasures easy. The number of attacking worm hole nodes is varied to evaluate the performance of the algorithm.
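The two detection ideas just surveyed, the Euclidean-distance check on claimed neighbors of [42] and the hop-count-versus-delay analysis of [41], reduce to simple plausibility tests. The Python below is an added example for this chapter, not code from the thesis or from those papers; the node coordinates, the claimed neighbor links (including the tunnelled pair B and G), the radio range, the per-hop delay and the slack factor are all constructed assumptions.

```python
# Added example (not from the thesis or from [41]/[42]): two plausibility checks for
# worm hole links, run over constructed node positions and HELLO/route observations.
# Radio range, per-hop delay and the slack factor are assumptions.
import math

RADIO_RANGE_M = 250.0        # assumed maximum single-hop range
PER_HOP_DELAY_MS = 3.0       # assumed typical one-hop latency (queueing + air time)


def distance(p, q) -> float:
    return math.hypot(p[0] - q[0], p[1] - q[1])


def implausible_neighbor_links(positions: dict, claimed_links: set,
                               radio_range: float = RADIO_RANGE_M) -> list:
    """Euclidean-distance check: a claimed one-hop neighbour pair that is farther apart
    than the radio range cannot be hearing each other directly; something is tunnelling."""
    bad = []
    for a, b in claimed_links:
        d = distance(positions[a], positions[b])
        if d > radio_range:
            bad.append((min(a, b), max(a, b), round(d, 1)))
    return sorted(bad)


def suspicious_route(hop_count: int, measured_rtt_ms: float,
                     per_hop_ms: float = PER_HOP_DELAY_MS, slack: float = 2.0) -> bool:
    """Hop-count versus delay check: a route advertised as few hops whose round-trip time
    is far larger than 2 * hop_count * per-hop delay is a candidate tunnelled route."""
    expected_rtt = 2 * hop_count * per_hop_ms
    return measured_rtt_ms > slack * expected_rtt


def analyse(positions: dict, claimed_links: set, routes: list) -> dict:
    """routes: list of (route_id, hop_count, measured_rtt_ms). Returns both findings."""
    return {
        "tunnel_links": implausible_neighbor_links(positions, claimed_links),
        "tunnel_routes": [rid for rid, hops, rtt in routes if suspicious_route(hops, rtt)],
    }


# Constructed topology: a chain A..G, 200 m apart, with nodes B and G (900 m apart)
# both announcing each other as one-hop neighbours because of a worm hole tunnel.
POSITIONS = {"A": (0, 0), "B": (200, 0), "C": (400, 0), "D": (600, 0),
             "E": (800, 0), "F": (1000, 0), "G": (1100, 0)}
CLAIMED = {("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "F"), ("F", "G"), ("B", "G")}
ROUTES = [("A-G via B,G", 2, 55.0),   # advertised as 2 hops, but the tunnel adds latency
          ("A-G honest", 6, 38.0)]    # 6 radio hops, RTT consistent with 2*6*3 = 36 ms

if __name__ == "__main__":
    print(analyse(POSITIONS, CLAIMED, ROUTES))
```

The distance check needs trusted positions (GPS or a secure localization scheme), which is exactly the requirement [42] states; the delay check needs none, but its slack factor must be tuned against the queueing delay of a loaded backbone, or congested honest routes will be reported as tunnels.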
iv. Sink hole attack: The sink hole attack is considered a severe threat to wireless networks. In this attack, the sequence number in the RREQ packet is modified by the sink hole node so that its route appears to be the better route towards the destination. Neighboring nodes therefore update their routing tables and forward the packet to the destination, which generates an RREP in response to the fake RREQ; hence the sink hole becomes part of the communication. Instead of modifying the sequence number, a sink hole may also modify the hop count in the received RREQ to attract the network traffic towards itself. In this way the path offered by the malicious node appears to be the best available route for the communicating nodes [45,46]. Various parameters for detecting a sink hole attack based on discontinuity of sequence numbers are described in [47]; it detects the attack by recognizing requests with abnormally high sequence numbers. A sink hole detection algorithm proposed in [48] uses three types of packets: the sink hole alarm packet (SAP), sink hole detection packet (SDP) and sink hole node packet (SNP). An indicator is used to evaluate each RREQ packet: if the IDs of the source and receiving node in the received RREQ are equal, the sequence number in the RREQ is checked, and if it is greater than the expected sequence number a sink hole node is identified on the path. The algorithm then distributes SAP, SDP and SNP packets to locate the sink hole node. In [49], the sink hole attack is detected through Security-Aware Routing (SAR), in which a received RREQ is forwarded to the next node only after the desired security attributes are verified; otherwise the packet is dropped. SAR also provides routing message protection and routing update protection.
v. Sybil Attack: In a Sybil attack, the intruder generates numerous false identities, each of which is
claimed as a legitimate identity. A malicious node that spoofs the identities of other nodes is known as
the Sybil attacker, and a node whose identity is spoofed by the Sybil attacker is known as a Sybil
identity. Sybil attacks are mostly launched in distributed systems, where multiple identities are used to
exploit the redundancy in the system. In WMN, a number of services including packet forwarding,
collaborative security and routing protocols can be disrupted by an intruder using a Sybil attack. As
the intruder creates multiple fake identities that other nodes assume to be legitimate, all legitimate
nodes update their lists of distinct paths for a particular destination with these fake identities. Hence
malicious nodes take part in all communication of the network, after which any of the attacks discussed
earlier may easily be launched by the intruder. Even if no other attack is launched, a Sybil attack
reduces path diversity, which degrades network performance [50].
A location-based cryptographic keys (LBCK) scheme based on pairing is introduced in [51]. The proposed
scheme binds each node's private key to its geographic location and ID, and pairing is used to generate
the LBCK. The protocol includes a secure LBCK neighborhood authentication method and the
establishment of both immediate and multi-hop pairwise shared keys. Therefore, without an authentic
LBCK a malicious node cannot claim to be a valid node, and it is easily detected when it attempts to
forge the locations and IDs of other valid nodes. The performance of the proposed scheme degrades in a
large-scale network. In [52], lightweight and robust algorithms for detection of Sybil attacks are
compared. The robust Sybil attack detection technique uses directional antennas to determine the
location of nodes, while the lightweight Sybil attack detection technique uses no extra hardware. The
detection rate of Sybil nodes is 80% for the robust algorithm and 90% for the lightweight algorithm.
Time Difference of Arrival (TDOA) between the source node and beacon nodes is considered in [53]. The
proposed method requires at least three beacon nodes, of which one is declared the primary beacon node
and the rest are considered secondary nodes. When a malicious node transmits packets using a Sybil ID,
the arrival time of each packet is recorded by the secondary beacon nodes, and the recorded arrival
times are sent to the primary beacon node. The primary beacon node calculates the ratio of the
differences between the arrival times at the secondary beacon nodes and at itself. If the malicious node
attempts to send packets under a different Sybil ID, the same process is repeated to compute the
arrival-time differences; if the difference between the two calculated ratios is low, a Sybil attack is
declared. A BotMiner detection framework for malicious nodes in a mesh network is proposed in [54].
It prevents many routing attacks such as Distributed Denial of Service, Sink hole, Worm hole, Botnet
and Sybil attacks. In the proposed architecture, the behavior of all nodes is monitored. If the entries
about a particular node reach a predefined threshold value, that node is declared malicious by the
system, and a rootkit analysis of all flows at that node is then performed again in a virtual
environment to detect zero-day exploits.
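The TDOA check described for [53] above, as an added example that is not part of the thesis or of [53]: the beacon coordinates, the ideal propagation model, the choice of the largest arrival-time difference as the reference for the ratios, and the 0.05 tolerance are assumptions made for this illustration.

```python
import math

# Constructed beacon layout in metres: index 0 is the primary beacon, the rest are secondary.
BEACONS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0)]
C = 3.0e8                # propagation speed in m/s (free-space assumption)
RATIO_TOLERANCE = 0.05   # assumed bound on ratio disagreement for "same physical origin"


def record_arrivals(src, send_time):
    """Arrival time of one packet at every beacon, as each beacon would record it.
    The sender's send_time is unknown to the beacons and must cancel out later."""
    return [send_time + math.dist(src, b) / C for b in BEACONS]


def tdoa_ratios(arrivals):
    """Computed by the primary beacon (index 0): the arrival-time difference of each
    secondary beacon relative to the primary, divided by the largest such difference.
    Subtracting the primary's time removes the unknown send time; dividing by the
    largest difference (assumed choice) avoids a zero reference when the source is
    equidistant from the primary and the first secondary."""
    primary = arrivals[0]
    diffs = [t - primary for t in arrivals[1:]]
    ref = max(diffs, key=abs)
    if ref == 0.0:           # source equidistant from all beacons: no usable signature
        return [0.0] * len(diffs)
    return [d / ref for d in diffs]


def same_origin(ratios_a, ratios_b, tol=RATIO_TOLERANCE):
    """Low disagreement between the two ratio vectors means both transmissions
    came from one physical location."""
    return max(abs(x - y) for x, y in zip(ratios_a, ratios_b)) <= tol


def detect_sybil(observations):
    """observations: list of (claimed_id, arrivals). Returns the set of ID pairs whose
    packets share one physical origin, i.e. candidate Sybil identities."""
    sigs = {cid: tdoa_ratios(arr) for cid, arr in observations}
    ids = list(sigs)
    return {(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if same_origin(sigs[a], sigs[b])}


if __name__ == "__main__":
    # One node at (30, 40) claims IDs N7 and N23; an honest node at (80, 20) is N9.
    obs = [("N7", record_arrivals((30.0, 40.0), 0.0)),
           ("N23", record_arrivals((30.0, 40.0), 0.0042)),
           ("N9", record_arrivals((80.0, 20.0), 0.001))]
    print(detect_sybil(obs))   # {('N7', 'N23')}
```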
Passive attacks provide the ground for initiating active attacks, and when the severity of an active
attack increases it becomes a DoS attack.
2.3.4 Denial of Service (DoS) Attack
A DoS attack is considered a serious threat for all types of WMNs, as a WMN is primarily intended for
internet access. In a DoS attack, the intruder aims to exhaust the victim's resources (CPU or network
resources) to make it unavailable to valid users. A DoS attack is said to have occurred if the requested
services of valid users are not fulfilled within the defined maximum waiting time. In a DoS attack, both
availability and integrity are violated by targeting any OSI layer of the WMN [55,56,57]. Radio jamming
of a device is a physical layer DoS attack; the MAC layer is targeted by sending a heavy volume of MAC
control packets towards naive neighbors or by capturing the MAC channel for a long period of time with
needless continuous transmission. Due to multi-hop routing in WMN, most DoS attacks are launched on
the network layer to disrupt the routing mechanism and degrade network performance [58].
The strength and impact of a DoS attack depend on the nature of the attack and the kind of target it is
aimed at. DoS attacks are mostly launched against three main components of a WMN:
i. Single node: A DoS attack launched against a single node of a WMN aims either to drain its battery or
to cut it off from all operation of the network. As this DoS attack has little impact, it is treated as a
low-intensity DoS attack.
ii. Entire network: When a DoS attack is launched against a mesh router or a gateway router, it may
affect the whole network or part of it. This type of DoS attack is considered more brutal in nature
than a DoS attack launched against a single node.
iii. Network resources: In this type of DoS attack, network resources are exhausted to either delay or
prevent the requests of valid users from reaching their destinations [59].
The impact of a DoS attack is more severe if it is launched in a warfare situation, after a natural
disaster, or in any situation where secure communication is extremely essential. DoS attack flows are
detected in [60] by deploying a cache-based defense mechanism on each router of the WMN. The proposed
algorithm is composed of two modules: an active DoS attack detection module, which is responsible for
identifying high-bandwidth flows, and a DoS attack regulator module, which drops the packets of the
identified flows. DoS attacks are detected quickly in a cognitive wireless network using the Cumulative
Sum (CUSUM) algorithm in [61]. CUSUM minimizes the detection delay, and therefore the effects of the
attacks are minimized. In the proposed method, nodes are placed into "bins" on the basis of the
percentage of their appearance in the resulting path, and the CUSUM value for each entry is recorded.
The CUSUM value is then checked to decide whether the traffic is normal or DoS attack traffic.
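An added example, not code from the thesis or from [61], of the one-sided CUSUM detector at the core of the method just described, run per node over constructed per-interval request counts; the allowance k, the threshold h and the 12-interval training window are assumed values.

```python
from statistics import mean

# Constructed per-interval request counts seen at two WMN nodes: node-A goes quiet for
# 12 intervals and is then flooded; node-B stays quiet throughout. Values are made up.
FLOOD_COUNTS = [10, 12, 9, 11, 10, 13, 8, 10, 11, 9, 12, 10, 25, 30, 34, 40, 45, 50]
NORMAL_COUNTS = [10, 12, 9, 11, 10, 13, 8, 10, 11, 9, 12, 10, 11, 9, 10, 12, 8, 11]
TRAIN_INTERVALS = 12   # assumed length of the attack-free training window


def baseline(counts, n=TRAIN_INTERVALS):
    """Mean per-interval count over the training window; this is the CUSUM target mu."""
    return mean(counts[:n])


def cusum_detect(counts, mu, k, h):
    """Upper CUSUM change-point detector.
    S_n = max(0, S_{n-1} + x_n - (mu + k)); an alarm is raised at the first n with S_n > h.
    k is the allowance that absorbs normal fluctuation around mu, h the decision threshold.
    Returns (index of first alarm or None, list of S_n)."""
    s = 0.0
    stats = []
    alarm = None
    for i, x in enumerate(counts):
        s = max(0.0, s + x - (mu + k))
        stats.append(s)
        if alarm is None and s > h:
            alarm = i
    return alarm, stats


def flag_nodes(per_node_counts, k=3.0, h=15.0):
    """Run the detector for each node's bin and return the nodes whose traffic raised an
    alarm, mapped to the interval index at which CUSUM crossed h."""
    flagged = {}
    for node, counts in per_node_counts.items():
        alarm, _ = cusum_detect(counts, baseline(counts), k, h)
        if alarm is not None:
            flagged[node] = alarm
    return flagged


if __name__ == "__main__":
    print(flag_nodes({"node-A": FLOOD_COUNTS, "node-B": NORMAL_COUNTS}))  # {'node-A': 13}
```

With these values the first flood interval (index 12) only lifts S to about 11.6, below h, so the alarm fires one interval later; lowering h trades a faster alarm for more false alarms.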
A comparative study of three techniques extensively used for DoS attack detection, i.e. wavelet analysis,
change-point detection and activity profiling, is performed in [62]. After analyzing each technique, it
is found that change-point detection occupies less space and is computationally inexpensive compared to
the other two techniques. An effective method for detection of DoS attacks in WMN is presented in [63].
An improved priority mechanism is used to preserve the resources of a node. Modification of the IP
address to forge an identity is prevented in the proposed method by using end-to-end authentication.
Moreover, parameters such as distributed voting, two threshold values and cache memory utilization rates
are used to detect DoS attacks in WMN. A cross-layer mechanism for detection of DoS attacks in WMN is
proposed in [64]. Information from different layers is collected in this system to identify DoS attacks
and provide high bandwidth spectral efficiency. In the first level, a monitor is selected which analyzes
the trace files for attackers; in the second level, information is collected from different layers and
the collected information is combined to discover the attack. The monitoring system is initiated when
the sender does not receive an ACK. Monitor nodes are selected randomly by the sender, the algorithms
are applied and a HITLIST of suspected malicious nodes is created. The list is sent to the second level
to determine the cause of the attack. A decision module decides whether the attack is launched by
attackers or not, and on the basis of its conclusion an appropriate alarm is raised by the generator.
A rate-limiting client puzzle scheme is used in [65] to mitigate DoS attacks by proposing a leaky-bucket
rate-limiting queue, which restricts incoming requests when the server is overloaded. At the
application server, a client puzzle defense is deployed that serves as a watcher to avoid server
overloading by preventing DoS attacks efficiently. Incoming requests are fed into the bucket and a
difficulty parameter Q is assigned to the client puzzle; the client needs to finish this puzzle as early
as possible. The total numbers of assigned, submitted and projected puzzle solutions are counted, which
helps in the prevention of DoS attacks. A huge revenue loss can occur if a total breakdown of the WMN
happens due to a severe DoS attack known as a DDoS attack.
2.4 Distributed Denial of Service Attack (DDoS)
A DDoS attack is one of the key security threats in current broadband wireless networks. It is launched
by numerous compromised nodes simultaneously, with the aim of exhausting the communication and
computational power of the victim, rapidly or slowly, by flooding it with a large volume of malicious
traffic [66].
2.4.1 Architectures of DDoS attacks
The architectures of DDoS attacks discussed in [67] are the agent-handler-based, Internet Relay Chat
(IRC)-based and reflector-based architectures. Each architecture aims to strengthen the effect of the
DDoS attack and conceal the existence of the actual attacker. The agent-handler-based architecture
consists of three main components, i.e. the attacker, handlers and agents, as illustrated in Figure 2.5.
In this architecture, the attacker launches the DDoS attack on the victim by sending control information
to the compromised agents through the handlers. The IRC-based architecture follows the same mechanism
as the agent-handler-based architecture, with the difference that the control information is sent by the
attacker to the agents through an IRC communication channel.
The reflector-based architecture, illustrated in Figure 2.6, has an extra layer of reflectors. During the
DDoS attack, the real IP addresses of the agents are replaced with the IP address of the victim when
sending request messages to the reflectors, and the response messages generated by the reflectors are
then delivered to the victim. Consequently, the victim is flooded with a huge volume of traffic. There is
no need for the attacker to compromise the reflectors and control them like agent hosts, because any
host on the network that replies to a received request can serve as a reflector. Moreover, reflectors
may continue to serve their legitimate services while attack traffic is being generated through them [68].
Figure 2.5 Architecture of agent-based DDoS attack [figure not reproduced: attacker, Handler-1 to Handler-4, Agent-1 to Agent-12 and victim, with control messages and attack traffic]
DDoS attacks may also be classified on the basis of attack rate dynamics, i.e. predictable-rate and
non-predictable-rate DDoS attacks [69]. In a predictable-rate attack, the attacker launches the DDoS
attack through agents in a predictable manner. For instance, the packet arrival rate at the victim would
be the same in different intervals of time, because the agents follow the instructions given in their
program until they receive additional instructions from the attacker. Predictable DDoS attack rates can
be grouped into three categories, i.e. constant-rate, increasing-rate and periodic-rate attacks. In a
constant-rate attack, the agents exhaust the victim's resources by sending packets at a constant rate;
for instance, if the victim is flooded with high-rate DDoS traffic, the transmission remains the same
until the victim's resources are fully exhausted. In an increasing-rate attack, the impact of the DDoS
attack increases gradually or dramatically. In a periodic-rate attack, the impact of the DDoS attack may
differ between intervals of time, but the transmission behavior repeats as a regular pattern. In a
non-predictable-rate DDoS attack, the flooding packets are transmitted at different rates and in
different intervals, which resembles a flash crowd [70,71,72]. Hence, this kind of DDoS attack is hard
to detect.
Figure 2.6 Architecture of reflectors-based DDoS attack [figure not reproduced: attacker, Handler-1 and Handler-2, Agent-1 to Agent-6, reflectors Ref-1 to Ref-13 and victim, with control messages and attack traffic]
The DDoS attacks mentioned above may aim either to disrupt the services offered by the victim to
legitimate users by exploiting software and protocol vulnerabilities of the victim, or to send an
enormous quantity of attack traffic towards the victim's network, congesting the bandwidth of the victim
network and disrupting communication between valid users and the victim; the latter is also identified
as a distributed-flooding-based DDoS attack [73]. In WMN, a distributed flooding attack is considered
more destructive due to the unstable wireless links and disturbed utilization of network resources. Some
of the well-known application and network layer distributed flooding attacks are the HTTP (Hyper Text
Transfer Protocol) flood attack, the TCP SYN (synchronize packet in transmission control protocol)
flood attack, the UDP (user datagram protocol) flood attack and the internet control message protocol
(ICMP) flood attack.
i. HTTP flood attack: This is an example of an application layer attack, in which the intruder tries to
saturate the victim's computing resources by sending a large number of GET or POST requests. POST
requests include parameters that typically trigger relatively complex processing on the victim, which is
more expensive for the victim than serving GET requests that include normal links to retrieve images and
information. Hence, POST-based flooding attacks are likely to be more effective than GET-based flooding
attacks at disrupting the victim. There are three main types of HTTP flood attack, i.e. HTTP malformed
attacks, HTTP request attacks and HTTP idle attacks.
In an HTTP malformed attack, the attacker sends a large number of invalid HTTP packets to the web server
with the aim of exhausting its resources. When a large number of HTTP GET and POST requests are sent
by legitimate users to the web server, it is considered an HTTP request attack; it also exhausts the
victim's resources [74]. If incomplete HTTP requests are sent by an attacker and the web server keeps
the HTTP connection open and idle, it is considered an HTTP idle attack. In [75] the author dribbles out
a limited number of bytes in each packet to avoid the connection timing out, so that the requests
remain incomplete.
An offline clustering technique [76] uses entropy-based clustering and the application of
information-theoretical measurements to differentiate over 80% of valid and attacking sequences,
regardless of the approach selected by the HTTP flooding attackers. The current behavior of web users is
captured by analyzing real sequences of web requests that are unknown to the attacker and cannot be
reproduced. Rarely-changing and frequently-changing hosts are the two kinds of attacking hosts targeted
by the proposed technique. Three different scenarios are used in [77] to detect HTTP GET flooding
attacks. In the random flooding App-DoS scenario, HTTP request arrivals are compared against input
threshold values to detect the attack. In the shrew flooding App-DoS scenario, generation of a
legitimate access pattern (LAP) and calculation of pattern disagreement (PD) are used to detect the
attack. In the flash crowd App-DoS scenario, offline analysis of attack datasets is performed by the DSB
detection mechanism.
ii. TCP SYN flood attack: This is a transport layer attack in which the three-way handshake of the TCP
protocol is exploited by zombies sending a huge number of TCP SYN requests with spoofed IP addresses.
The victim sends SYN-ACK packets in response to the spoofed IP addresses. Ultimately the victim runs
out of resources, because it maintains the half-open connections and allocates resources for each
connection requested by the zombies.
A skillful spoofed SYN flood attack is detected by SACK2 in [78], which identifies the victim server and
the attacked TCP port by utilizing the SYN/ACK-CliACK pair behavior. SACK2 exhibits low false positive
and false negative rates, and its detection delay is very short. Active probing is used in DARB [79] for
precise and autonomous detection and filtering of SYN flood attack traffic at the victim; it uses a
TTL-based rate-limiting countermeasure.
iii. UDP flood attack: This is another transport layer attack, in which intruders usually use spoofed
IPs to send a large number of UDP packets towards random ports on the victim system. Consequently, the
victim checks for the application specified in each received packet; as no application is listening on
those ports, the victim replies with an ICMP destination unreachable packet. After receiving such a
large number of UDP packets, the victim reaches its maximum connection bandwidth and becomes unavailable
to its legitimate users. A UDP flood attack is detected in [80] by using a framework consisting of a
victim computer agent (VCA), a timer agent (TA) and a filter agent (FA). Moreover, a history buffer (HB)
is also used that stores a list of illegal IP addresses to assist the FA. In the proposed framework, the
IP address of a received packet is searched in the HB; if no match is found, the packet is considered
valid and forwarded to the TA for additional processing. The TA assigns a time stamp and forwards the
packet to the VCA. If an IP address is matched by the FA, the VCA is informed to temporarily block
communication with that host computer.
iv. ICMP flood attack: This is a network layer attack, occasionally referred to as a "Smurf" attack or
"Ping" flood. It is a ping-based DDoS attack in which a huge number of ICMP packets are transmitted
simultaneously with the aim of crashing the TCP/IP stack on the victim, so that the victim stops
responding to incoming TCP/IP requests. An ICMP flood is launched through hping or a custom Perl script
installed on the zombies. The main purpose of this attack is to consume the available bandwidth of the
victim. Some of the well-known ICMP flood attacks are the ICMP Smurf attack, the ICMP Ping flood attack
and the ICMP nuke attack [81]. Detection of malicious packets that overwhelm the resources is performed
through DDoS-Shield and a DDoS-resilient scheduler [82]. DDoS-Shield observes the requests of UDP, TCP
and ICMP sessions and assigns a suspicion value to each session. The assigned suspicion value is used by
the DDoS-resilient scheduler to decide whether to forward the session; the scheduler also performs rate
limiting. Victim performance is improved by DDoS-Shield, as less memory is required to buffer the
requests and responses.
A DDoS attack is a destructive threat for wireless broadband networks. Despite the research done in
previous decades, early and accurate detection of DDoS attacks remains a challenging task for the
research community and is still considered an active research area. Mechanisms proposed for accurate
and early detection of DDoS attacks can be divided into three main categories, i.e. signature-based,
anomaly-based and hybrid detection of DDoS attacks [83,84].
i. Signature-based: A huge repository containing signatures of malicious activities is used in this
method. The repository is consulted when traffic is received at the victim to recognize the occurrence
of an attack. This kind of detection is more suitable when the victim is intended to detect known
attacks; the performance of signature-based detection techniques degrades when an attack with a new or
unknown signature occurs [85,86]. The key benefit of a signature-based DDoS attack detection mechanism
is its precision: an immediate response is generated if the signature of a specific kind of attack is
matched. Due to this precision, signature-based detection is broadly favored in commercial systems.
Signature-based DDoS attack detection mechanisms proposed for WMNs are limited, because the signature
repository needs to be updated constantly at each node whenever a new attack is revealed. This is a
difficult task in a mesh architecture, and hence such systems result in high false negative rates. A
path signature based (PS) detection system is proposed in [87] to detect DDoS attacks. The proposed
mechanism requires that, for all incoming packets, chosen bits in the IP identification field be
flipped by all the routers. These marking bits help to generate a unique PS for packets originating
from the same source, and a DDoS attack is detected if inconsistent modifications of the received
traffic of a PS are observed; a rate limit value is then set. The signature-based DDoS attack detection
technique in [88] is inspired by immunology and danger theory. Molecular patterns are analogous to
signatures in the proposed system. Two different types of roles are used: stationary agents, analogous
to bone marrow, thymus, local tissue and lymph node, which act like body tissues, and mobile agents,
which serve as the immune cells of the human body. The weighted sum of the total safe and danger
concentration levels and the density of matching molecular patterns is considered during detection.
ii. Anomaly-based: Anomaly-based DDoS attack detection techniques are based on a normal profile, which
is generally created through statistical analysis of training data observed during previous normal
traffic behavior. A significant divergence of traffic from the normal behavior is considered an
anomaly. Hence, the normal profile is used as a benchmark for differentiating normal traffic flows from
attack traffic. Compared to signature-based techniques, anomaly-based techniques are able to detect new
or unknown attacks. However, anomaly-based techniques sometimes result in a high false negative rate,
since a change in traffic behavior is not always malicious; the administrator must therefore
investigate whether an attack has actually been launched. Moreover, detection of anomalies in the
traffic does not identify the type of attack [89,90].
STONE is an online anomaly-based detection system proposed in [66]. The proposed framework is composed
of two modules: a detection control center, responsible for detection of anomalies, and a mitigation
center, responsible for filtering and protecting the network from DDoS attacks. Without separating
traffic flows, properties of the aggregate traffic are used in [91] to detect anomalies in network
traffic by a parametric method called the bivariate parametric detection mechanism (bPDM). It uses
traffic rate and packet size statistics in a probability ratio test and greatly reduces the false
positive rate. The bit-rate signal-to-noise ratio (SNR) is used as a metric for detection of anomalies;
evaluation of bPDM with bit-rate SNR concludes that it is more efficient to detect network traffic
anomalies using bit-rate SNR. An anomaly-based IDS based on RSSI is presented in [92] to detect spoofing
attacks. Raw multi-trust data is used in the system to detect malicious traffic behavior, and the
performance of the system is improved by using multi-trust data from unreliable nodes. A weakness of
the system is that it does not consider the mobility of nodes.
A cross-layer mechanism for detection of probe flooding, black hole and gray hole attacks is proposed
in [93]. The proposed scheme collects the required data from the physical, data-link and network layers
of the stack. A particular machine learning technique, i.e. decision tree, Bayesian network or SVM, is
used as a controlling variable in the experiments. The proposed mechanism results in a higher detection
rate with a lower false alarm rate than the single-layer systems. Host-network based metrics are used
in [94] to find the network anomalies causing DDoS attacks. The proposed method is deployed at
distributed routers for immediate identification and filtering of malicious packets. It improves the
throughput of legitimate traffic and reduces the throughput of attack traffic. To effectively mitigate
the DDoS traffic, interface-based rate limiting (IBRL) is used. After all traffic is collected from the
network, performance metrics such as memory consumption, CPU usage, latency, packet loss rate and
throughput are used to measure the impact of the traffic. The throughput of the edge router at each of
its serial interfaces, i.e. serial-interface1, serial-interface2 and serial-interface3, is tested. If
the throughput at serial-interface1 is found to be greater than at the other interfaces, the link
utilization of serial-interface1 is tested; if the link utilization is greater than 95% of the available
bandwidth, rate-limit rules are applied on serial-interface1 to mitigate the attack.
An online k-means algorithm based detection system is proposed in [95]. The algorithm clusters network
traffic to detect attackers, using a suspect's distance from the biggest cluster as the criterion.
Nominal features such as the wireless access point identifier are used instead of numerical values such
as interval, ratio or ordinal, which confuse the results. The weakness of the proposed system is its
assumption that most network activities are normal and that normal activities cluster tightly. Nodes
which produce packets abnormally in bulk are considered to be the source of probing or DoS attacks.
iii. Hybrid detection: These techniques use both signature-based and anomaly-based detection: the
repository of malicious activities is compared against the incoming traffic and is updated with the
help of anomaly-based detection to detect new or unknown attack traffic. A hybrid detection system for
detection of DDoS and man-in-the-middle attacks using traffic-based collection is proposed in [96]. In
this system both the signature and anomaly detection modules operate in parallel to form the first
stage of the system. If they fail to classify the traffic as normal or attack traffic, the audit data
is reviewed in the probable attack detection module in the next stage. Hence the traffic is classified
into its suitable category.
Moreover, probabilistic approaches are also used to secure wireless networks. They consist of assigning
a threat-level probability to the activities that happen in a network or on a computer. A network
intrusion could, for example, be considered as a two-class classification problem, where a
probabilistic approach assigns a probability to each incoming packet or activity and the probability
value determines the class to which the activity belongs. Probabilistic filter scheduling (PFS) in [97]
efficiently defeats DDoS attacks and satisfies the necessary properties. In PFS, filter routers identify
attack paths using probabilistic packet marking and maintain filters using a scheduling policy chosen
to maximize defense effectiveness. Experimental results show that PFS achieves 44% higher effectiveness
than other filter-based approaches. Hop-count filtering (HCF) is used in [98] to check the probability
of each packet by using its time-to-live (TTL) value, to mitigate the effect of DDoS attacks. In the
proposed method, due to the probabilistic approach, there is no need to calculate the hop count of every
packet, which reduces both memory consumption and computation time.
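An added example, not the thesis's or [98]'s code, of hop-count filtering with a sampling rate so that only a fraction of packets pays for the hop-count computation and table lookup; the set of initial TTLs, the IP-to-hop-count table, the tolerance and the sample packets are constructed assumptions.

```python
import random

# Initial TTL values commonly set by operating systems (assumed set). HCF infers the
# initial TTL of a packet as the smallest of these that is >= the observed TTL.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed IP-to-hop-count (IP2HC) table learned from earlier legitimate traffic.
IP2HC = {"10.0.0.5": 3, "10.0.1.9": 7, "10.0.2.2": 12}

# Constructed sample packets as (claimed source, observed TTL): a legitimate packet,
# two spoofed ones that arrive over the wrong number of hops, and an unseen source.
PACKETS = [("10.0.0.5", 61), ("10.0.0.5", 120), ("10.0.1.9", 57),
           ("10.0.1.9", 250), ("10.0.9.9", 60)]


def infer_hop_count(ttl):
    """Hops travelled = inferred initial TTL - observed TTL. None for a TTL outside 0..255."""
    if not 0 <= ttl <= 255:
        return None
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def classify(src, ttl, table=IP2HC, tolerance=0):
    """Compare the packet's hop count with the one recorded for its claimed source.
    'unknown' means the source has no IP2HC entry, so HCF alone cannot judge it;
    tolerance allows for small route changes (0 here, an assumed setting)."""
    hops = infer_hop_count(ttl)
    if hops is None:
        return "malformed"
    expected = table.get(src)
    if expected is None:
        return "unknown"
    return "legit" if abs(hops - expected) <= tolerance else "spoofed"


def filter_packets(packets, sample_rate=1.0, rng=None, table=IP2HC):
    """Probabilistic HCF: each packet is inspected with probability sample_rate, so the
    hop-count computation is skipped for the rest (the saving described for [98]).
    Uninspected packets pass. Returns the (src, ttl) packets dropped as spoofed."""
    rng = rng or random.Random(0)   # seeded so the sampling is reproducible
    return [(src, ttl) for src, ttl in packets
            if rng.random() < sample_rate and classify(src, ttl, table) == "spoofed"]


if __name__ == "__main__":
    print(filter_packets(PACKETS))   # [('10.0.0.5', 120), ('10.0.1.9', 250)]
```

Lowering sample_rate below 1.0 lets some spoofed packets through in exchange for less per-packet work; the "unknown" outcome is where a second mechanism (or the learning phase that fills IP2HC) has to take over.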
Most of the detection techniques considered in this section concentrate on DDoS detection without
considering the flash crowd (FC), which is generated by valid users. A number of characteristics are
shared between a DDoS attack and an FC. Some of the mechanisms proposed to differentiate DDoS attack
traffic from an FC are discussed in the next section.
2.4.2 Discrimination of flash crowd from DDoS attack
Discrimination of an FC from a DDoS attack is a critical challenge when addressing the problem of DDoS
attack detection. An FC refers to a situation where a huge number of legal users send requests to the
victim concurrently. For instance, due to the occurrence of major events such as elections, sports
events or disasters, a victim may experience a huge amount of incoming traffic from its legal users.
Sometimes this dramatic increase in incoming traffic at the victim may degrade its services. A set of
geographically separated compromised nodes is used in a DDoS attack, whereas an FC is generated by
legal users trying to access the victim's resources. Hence, the problem of differentiating a DDoS
attack from an FC can be mapped onto the problem of differentiating between machines and humans. One
of the most common approaches to prevent an FC is to use graphical puzzles to differentiate machines
from humans. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
puzzle is an efficient approach to prevent application layer DDoS attacks, where a challenge-response
test has to be passed by the client to set up a connection with the server [99]. An overview of the
research conducted in this regard to detect DDoS attacks and differentiate them from FC traffic is
presented here.
An approach for detection and discrimination of DDoS attack traffic from an FC is proposed in [100].
The proposed approach is composed of two steps. Initially, a flash crowd detection algorithm is used to
differentiate normal traffic from an FC. Secondly, the calculated value of the flow correlation
coefficient (FCC) is used in the proposed adaptive discrimination algorithm to discriminate FC events
from DDoS attack traffic. Attack traffic is detected and filtered out more accurately and efficiently by
using sequential detection and packing algorithms. Probability metrics are used in [101] for
discrimination of an FC from DDoS attack traffic. The proposed method performs efficiently with low DDoS
attack and FC traffic, but its performance degrades when huge attack traffic is encountered.
Characteristics of DDoS and FC traffic are analyzed in [102] to discriminate traffic of each type
efficiently in VoIP networks; the proposed approach is validated through simulation. Packet arrival
pattern, flow correlation coefficient, probability metrics and information distance methods for
discrimination of DDoS attack traffic from an FC are surveyed in [72]. The author states that, among all
methods, the FCC-based detection method performs well.
2.5 Artificial Intelligence
Artificial Intelligence (AI) could make the detection of DDoS attacks easier than the methods described
above. AI based detection systems are more fault tolerant because they can handle noisy and
deficient data efficiently. They are capable of handling nonlinear problems, and after training they can
carry out generalization and prediction at high speed. Many AI techniques, such as fuzzy logic, artificial
immune systems, genetic algorithms and artificial neural networks, are available for detecting such
attacks more efficiently and intelligently. These techniques may also be used in combination, i.e. genetic
algorithms may be combined with neural networks, and probabilistic reasoning may be used to build
fuzzy logic.
2.5.1 Fuzzy Logic
In fuzzy logic, human reasoning is represented mathematically in a way that allows in-between values to be
defined among logical estimates like yes-no, on-off and true-false. It is very hard to define the
boundaries that separate normal traffic from abnormal intrusive traffic in a network; therefore
anomaly based intrusion detection systems proposed for this purpose may produce a high false alarm
rate. This problem is overcome to a great extent by using fuzzy logic to detect intrusive traffic. The
primary building blocks of fuzzy logic are fuzzy sets, which enable successful classification in uncertain
situations [103,104].
The method presented in [105] detects flooding attacks in real time and can also assess the intensity
of the attackers based on fuzzy reasoning. Initially, the method analyzes the network traffic time series using
the Schwarz information criterion (SIC) and the discrete wavelet transform (DWT) to find the change point of
the Hurst parameter resulting from a DDoS flood attack. Next, it identifies and assesses the DDoS attack
using an intelligent fuzzy reasoning mechanism. The test results demonstrate that the method can detect
DDoS flood attacks intelligently and effectively. Another method presented in [106] detects DDoS attacks
based on a fuzzy estimator over mean packet inter-arrival times. It detects the suspected host and traces
its IP address to drop its packets within 3 second detection windows. A fuzzy based detection and
prediction system (FBDPS) detects DDoS attacks launched against the IEEE 802.15.4 MAC layer [107].
It discriminates legitimate and attacker sensor nodes by comparing their energy consumption using a
fuzzy Markov chain model. Nodes with a higher rate of energy consumption are considered attacker nodes.
Analysis based on fuzzy logic produces better results for the rapid detection of both high and low
intensity attacks at reduced cost. The problem with this technique is that it is rule based; therefore
constant fine tuning of the rules is required.
2.5.2 Artificial Immune System
An artificial immune system (AIS) comprises proficient techniques, in the manner of biologically inspired
computing, that are used to solve diverse problems in the field of information security. The inspiration
for AIS is provided by the human immune system (HIS). The HIS is an enormously complex assortment
of organs and cells. It has the ability to differentiate the interior cells and molecules of the body, also
known as self-cells, from exterior pathogens (non-self-cells), and defends the human body from diseases.
As discrimination between self and non-self cells is a basic attribute of AIS, it may be used to construct a
proficient anomaly based IDS [108,109]. In the way that the HIS provides protection against foreign
pathogens using innate or adaptive mechanisms, AIS suggests a multi-layered protection structure for
protecting computer networks from DDoS attacks [110]. In AIS, as in other anomaly-based detection
techniques, a predefined activity profile is used to monitor variations of the system's behavior, acting as an
adaptive immune mechanism. In this mechanism, the system learns from a data set containing data for all
desired profiles. Hence, learning data sets play an important role in increasing the proficiency of AIS in
detecting anomalies in the system. So far, considerable research has been carried out on the enhancement
and employment of AIS-based IDS [111,112].
P2P-AIS is proposed to detect DDoS attacks using the AIS approach [113]. In the proposed mechanism,
information regarding intrusion detection is exchanged between peers with the aim of increasing detection
and mitigation of the attack. Peers are organized through a distributed hash table (DHT). A multi-agent
based cooperative AIS employs dynamic association among the AIS agents with the aim of dealing with
the problems found in most anomaly based detection systems [114]. A set of detectors acquired by
negative selection is used by the AIS while training the system. In the proposed mechanism, status
information is exchanged periodically, while detector information is shared on an event-driven basis. A
hybrid approach based on the dendritic cell algorithm (DCA) and Dempster belief theory is used in [115]
for detection of intrusive behavior in the traffic. Moreover, in the proposed approach, classification of the
incoming traffic into normal and attack categories is performed through SVM and DCA to improve the
detection rate.
2.5.3 Genetic Algorithm
The genetic algorithm (GA) is one of the prime approaches of evolutionary computation (EC), motivated
by biological evolution, genetic recombination and natural selection. It is mostly used in optimization,
classification and search techniques. In GA, the generation of an efficient population of candidates
that are closer to a predefined fitness is based on Darwin's theory of evolution and survival of the fittest.
Most GA based detection systems are composed of two modules, i.e. training and detection
modules. In the training module, GAs are employed on received network traffic to generate a set of rules
for classification. These rules are the counterpart of chromosomes within the population. A fitness
function is utilized in GA to measure the quality of each rule as a quantitative depiction of each rule's
adjustment to a certain environment. The population is evolved until the desired evaluation criteria are
met in the training phase. In the detection module, the defined rules are applied to the network traffic in
real time to classify the received traffic with high detection rates [116,104].
A GA based approach is used in [117] to create rules for detection of DoS attacks. The proposed system
is trained on the KDD (knowledge discovery and data mining) Cup 99 datasets. The rules are applied in
the IDS to perform data encryption with the aim of protecting the network traffic. If a rule set is matched,
the attack is declared by the system.
Network destructive activities of different types are efficiently detected by implementing GA [118]. The
standard KDD 99 intrusion detection benchmark dataset is used to measure the competence of the proposed
mechanism, while standard deviation with a distance equation is used by the author to measure the fitness
of chromosomes. Improved rules for the traffic matrix building operation are constructed by implementing
GA [119]. Parameters like matrix size, packet-based window size and threshold values are optimized by
the GA. The training dataset of the proposed system is constructed through GA and testing is carried out
on a traffic matrix of one window size. The traffic matrix is used to calculate the variance; if the obtained
variance falls below the threshold, a DoS attack is declared. Another system proposed for detection of
many attacks like DoS and Probe attacks from the DDCUP data set is also based on GA and correlation
techniques [120]. In the proposed system, GA is used for detection of malicious activities and correlation
techniques are responsible for identifying the features of a network connection. Optimization of the
parameters used in the algorithm reduces the training time required by the system. An efficient
mechanism composed of fuzzy logic and GA is proposed for detection of various kinds of network
intrusions [121]. A fuzzy confusion matrix is used in the proposed mechanism to measure the fitness of
chromosomes. Implementation and performance evaluation of the system, which achieves a high detection
rate, is carried out on the KDDCup99 data set. The proposed system is adaptive in nature because its
repository of rules is updated when new intrusions are detected.
2.5.4 Artificial Neural Network
An artificial neural network is a computational network which attempts to replicate, in a gross way, the
biological network of neurons (nerve cells) of the human nervous system. An ANN is a network modeled
on such biological neurons, in which the concept of neurophysiological information processing of
biological neurons is borrowed. Hence, it diverges from conventional computing machines, which are used
to improve, replace or speed up the computational power of the human brain without considering the
association of computing elements and their networking. Still, it must be emphasized that the replication
provided by neural networks is very gross. A biological neural network is composed of millions of
interconnected neurons (nerve cells). The structure of a biological neuron is depicted in Figure 2.7.
Figure 2.7 Structure of a biological neuron
The nucleus is located in the cell body (soma) of the neuron, which performs most of the neural
computation. Neural activity is passed between neurons in the form of electrical triggers along the axon,
through an electrochemical progression of voltage-gated ion exchange down the axon. The axon can be
considered a connection wire. Moreover, the signal flow between neurons is performed by means of
charge exchange, carried out by the dispersion of ions down the axon and then, via the synaptic
terminals, to the dendrites and/or soma of the other neuron. There may be a number of dendrites per
neuron to receive messages from a number of neurons. It is to be noted that not all interconnections are
equally weighted in the biological neural network. Some of them carry high weights, showing higher
priority than other connections. There may also be some connections whose role is to obstruct
transmission. Differences in the chemistry of these connections, due to the chemical transmitter present,
the axons and the synaptic terminals, may affect these connection weights. The same concept of
interconnections among neurons and weighting of messages is used in the ANN.
An ANN is composed of a number of processing units called neurons, which are interconnected with each
other through weighted connections. Mostly an ANN is adaptive in nature because changes may occur in
its structure due to internal and/or external flows of information while training the system. An ANN may
also be described as a non-linear statistical data modeling tool. Complex associations among inputs and
outputs can be modeled, or desired patterns extracted, through an ANN. Though neural network
approaches are considered complex and mysterious, they are still widely applied in pattern recognition
problems, particularly in intrusion detection. The main purpose of using artificial intelligence techniques,
and specifically ANNs, for developing IDSs is to equip a system with an intelligent agent that may
disclose the concealed patterns in normal and abnormal connection audit records and assign patterns
found in new connection records to similar groups. Moreover, the attractiveness of ANNs for intrusion
detection is due to the fact that no signatures or even rules are required for detection of abnormal
behavior in a system. An ANN is considered to be well suited for picking up new patterns of attacks
efficiently if it is trained properly.
The structure of a typical neuron used as the computational unit in a perceptron, i.e. one of the earliest
ANNs, is depicted in Figure 2.8.
In the given perceptron, the binary inputs of a neuron are represented by X1, X2, ..., Xn and the weight of
the connection of each input unit is given by W1, W2, ..., Wn. The activation function 'f' used in a
perceptron yields the binary value '1' if the sum of the products of the input values and their respective
weights exceeds the threshold value, otherwise '0' is the output of the perceptron. The output signal of a
neuron used in a perceptron is calculated using Equations 1, 2 and 3:
$$WX = W_1X_1 + W_2X_2 + \cdots + W_nX_n \qquad (1)$$
$$\text{Output} = f(WX) = f\left(\sum_{k=1}^{n} W_kX_k\right) \qquad (2)$$
$$\text{Output} = f(WX) = \begin{cases} 1 & \text{if } WX \ge \theta \\ 0 & \text{otherwise} \end{cases} \qquad (3)$$
Figure 2.8 Structure of perceptron
Where WX represents the sum of the scalar products of the inputs and their connected weights, and f(WX)
is the activation function that produces '1' as output if the computed value of WX is greater than or equal
to 'θ', otherwise binary '0' is generated as output [13].
2.5.4.1 Types of ANN
ANNs may be used for different purposes like prediction, classification, association and intrusion
detection. ANNs are categorized into two types, i.e. feed-forward (non-recurrent) neural networks and
feed-back (recurrent) neural networks.
i. Feed-forward neural network
The first and possibly simplest type of ANN is considered to be the feed-forward neural network (FFNN),
also known as the multi-layer perceptron (MLP). As its name suggests, in this type of ANN there is only
one direction available for information to move: forward from the input layer to the output layer via the
hidden layer (if any). There are no backward connections between the layers of a feed-forward ANN, and
no connection may skip a layer. In general, all the layers are fully connected. It is composed of one input
layer, one output layer and a number of hidden layers, where the number of hidden layers depends on the
nature of the problem. Nodes of these layers are connected to each other through weighted connections,
but there is no connection between nodes of the same layer. FFNNs are more suitable for functional
mapping problems, where it is desired to identify how a number of input variables influence the output
variable.
ii. Feed-back neural networks
Feed-back neural networks (FBNN), unlike FFNNs, allow signals to flow in both the forward and
backward directions by introducing loops in the network. Computations obtained from prior inputs are fed
back into the FBNN, which provides a kind of memory to the FBNN. FBNNs are dynamic in nature, as
their states change continuously until they reach an equilibrium point. They remain at this point until the
provided input is changed and a fresh equilibrium point has to be found [122,123]. An FBNN mainly
consists of interconnected self-feedback connection weights, activation functions, delays and
amplification functions. Usually two approaches are adopted to set up competent stability criteria. One
approach is to utilize the information of the FBNN competently under diverse assumptions, and the
second approach is to utilize mathematical techniques to settle these assumptions in the neural network.
FBNNs are considered to be more competent at providing long range predictions even in the presence of
measurement noise.
Fully connected FFNN and FBNN with three input nodes, one hidden layer with four nodes and two
nodes in the output layer are shown in the figure…
Output value of a node, shown in figure.., is computed from received inputs as follows:
$$Net_k = \sum_{n=1}^{m} W_{kn}X_n \qquad (4)$$
$$f_k(Net_k) = \frac{1}{1 + e^{-Net_k}} \qquad (5)$$
$$Out_k = f_k(Net_k) \qquad (6)$$
Where Outk is the output value of Nodek, produced after applying the sigmoid activation function fk on
Nodek; Xn is the nth input to Nodek, and Wkn is the connection weight from the nth input to Nodek.
Figure 2.9. Feed-forward ANN Feed-back ANN
An activation function is used by each node of the hidden and output layers in an ANN to compute the
output corresponding to the inputs it receives. There are a number of useful activation functions available
to the processing units of an ANN. Some of the most commonly used activation functions are the linear
function, the threshold function and the sigmoid function. In the threshold function, the output of a node
is set to one of two desired values, depending on whether the sum of the products of the inputs and their
associated weights is greater or less than a predefined threshold value. In the linear function, the output of
a node is proportional to its net input. In the sigmoid activation function, the output of a node varies
between '0' and '1' continuously, not linearly, as its input value changes. The sigmoid function increases
monotonically. It can be calculated and differentiated easily; therefore it is considered to be the most
common activation function in ANNs. Nodes using the sigmoid activation function resemble real biological
neurons more closely than nodes using the linear or threshold activation function. The same activation
function may be used in all layers of an ANN, or it may differ between layers.
2.5.4.2 Types of ANN
Learning can be defined as the process of acquiring or enhancing knowledge. In an ANN, during the
learning process, the network adapts itself to a stimulus and ultimately, after adjusting its parameters,
generates the preferred outputs. It is an incessant classification process of the input stimuli that appear: as
a stimulus reaches the input layer of a network, the network either identifies it or builds up a new
classification. In response to the inputs, the synaptic weights are adjusted during the learning process.
Fig 2.10 Structure of a node (Processing Unit)
Eventually the produced outputs converge to the desired outputs. The most common learning methods
include supervised learning, unsupervised learning and reinforcement learning algorithms.
i. Supervised Learning
In this method, a neural network learns, or is trained, by being provided with a sequence of input vectors
with associated target outputs from the data source. The input is then processed by the network to
produce outputs. Afterwards the produced outputs are compared with the target outputs to calculate the
error. The weights are then adjusted on the basis of the calculated errors. The process is repeated over and
over until the error between the actual and target output reaches its minimum value. The adjustment of
weights to produce the desired outputs is performed through the learning algorithm used in the network.
The supervised learning (SL) algorithm is depicted in Figure 2.11.
Among the different SL algorithms, back propagation is one of the most commonly used for FFNNs.
Figure 2.11 Supervised learning
Back propagation
Back propagation (B.P) is one of the most common and oldest learning algorithms used by FFNNs. The
mean square error between the actual and target outputs, together with its derivatives, lets B.P calculate
the gradient descent step that determines the required changes in the weights of the connections. Learning
in the B.P algorithm is performed in two passes, i.e. a forward pass and a backward pass [124].
Forward pass: The forward pass starts by initializing the connection weights with random values; the
input vectors are then forwarded from the input layer to the output layer. Afterwards, the error between
the actual output for each input vector and its desired target output is calculated.
Backward pass: The backward pass uses the error calculated in the forward pass to find the gradient
descent of the outputs in the output layer. This is then back propagated to the hidden layer of the network
to update the weights and biases of the hidden-to-output layer. Afterwards, the local gradient for each
node in the hidden layer is calculated and back propagated to the input layer to update the weights and
biases of the input-to-hidden layer. The weights and biases of the network are updated as follows.
$$\Delta w_{ij} = -\eta \cdot E \cdot OutGrad + \alpha\,\Delta w_{ij}(n-1) \qquad (7)$$
Where η is the momentum and α denotes the learning rate, which signifies the gradient descent step
width [125]. Momentum helps the B.P algorithm keep away from situations in which the algorithm
oscillates and does not converge to the desired value. There is no hard and fast rule for selecting the
correct momentum and learning rate values; therefore finding the best values for them is more art than
science.
After updating the weights and biases, the forward pass for an input vector takes place again. The process
of updating weights and biases is repeated until the error between the target output and the actual output
of each input vector at the output layer reaches its minimum value.
Different supervised algorithms are used as benchmarks to compare the performance of B.P algorithms in
[126]. An optimized solution with respect to MSE is proposed by the authors after performing numerous
experiments aimed at detecting the attack. Mainly, they focused on discovering the best B.P algorithm for
training the neural network.
ii. Unsupervised Learning
Unsupervised learning (UL) is also known as a self-organizing learning algorithm, as in training a
sequence of input vectors is provided without any target outputs. The weights are modified by the network
through some sort of contest among the output layer nodes, where the node with the highest value is
declared the successful candidate. In other words, on the basis of the outputs, identical input vectors are
grouped into the same cluster [127]. There is no use of an external source or target outputs; it just requires
a strategy to determine the construction of clusters at the output layer. The structure of UL is shown in
Figure 2.12. Points that lie outside the training grid space cannot be predicted by UL; therefore accurate
outputs cannot be provided by the network when the input is outside the range of the training data.
Among the different UL algorithms, the self-organizing map (SOM) is one of the foremost [128,129].
Figure 2.12 Unsupervised learning
Self-Organizing Map (SOM)
The Self-Organizing Map (SOM) is also known as the Kohonen Self-Organizing Map (KSOM). In a
KSOM, data from a higher dimensional space is transformed onto a regular one or two dimensional array
of neurons [130]. The trained KSOM outputs clusters of data in which similar inputs are placed in the
same region of the output space. KSOMs are considered to be valuable for determining clusters and
associations in the data. The characteristics of the training dataset are used to train the KSOM. KSOMs
are competitive, as only one neuron in the output layer is active at a time; that is why the SOM is also
known as a winner-take-all UL neural network. KSOMs are widely used for visualization and data
analysis [131,132].
The following steps are involved in the learning procedure of the KSOM [133]:
a. Initialize the weights Wij with small random values.
b. Select the desired input pattern.
c. Select the winner node by calculating the Euclidean distance between the input vector X and the weights
Wij of each neuron, using Equation a:
$$O(X) = \arg\min_{j} \lVert X - W_{ij} \rVert, \qquad j = 1, 2, 3, 4, 5, \ldots, K \qquad (a)$$
d. Adjust all neighborhood weights with the aim of accomplishing the topological mapping, using
Equation b:
$$\forall j:\; w_{ij}(t) = w_{ij}(t-1) + \alpha(t)\,\eta(t')\,\bigl(X_i(t) - w_{ij}(t-1)\bigr) \qquad (b)$$
Where α denotes the learning rate used, η describes the neighbor function and t is the time consumed in
the current circumstance. These adjustments depend on the neurons' distances from the winning neuron.
e. Repeat all steps except step a until convergence occurs.
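The KSOM procedure of steps a to e, as an added Python example that is not code from the thesis. The page leaves the neighbor function η and the time course of α(t) unspecified, so this example assumes a Gaussian neighborhood over a one-dimensional neuron grid and a linear decay of both the learning rate and the neighborhood radius; the two-feature traffic windows and the fixed seed are constructed for the example.

```python
# Added example: Kohonen SOM learning (steps a-e, Equations a and b) clustering
# constructed traffic windows into normal and flood regions of a 1-D map.
import math
import random


def euclidean(a, b):
    """||X - W|| as used in Equation a."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class KSOM:
    """One-dimensional Kohonen map: K neurons on a line, each holding a weight vector W_j."""

    def __init__(self, k, dim, seed=1):
        rng = random.Random(seed)                           # fixed seed: reproducible runs
        # step a: initialise the weights with small random values
        self.w = [[rng.uniform(0.0, 0.1) for _ in range(dim)] for _ in range(k)]

    def winner(self, x):
        """Step c, Equation a: the index j whose weight vector is nearest to X."""
        return min(range(len(self.w)), key=lambda j: euclidean(x, self.w[j]))

    def train(self, patterns, epochs=100, alpha0=0.5, radius0=1.0):
        """Steps b, d and e. alpha(t) is the learning rate; eta is the neighbour function,
        here a Gaussian over grid distance (an assumption of this example). Both the
        learning rate and the neighbourhood radius decay linearly with time."""
        for t in range(epochs):
            alpha = alpha0 * (1.0 - t / epochs)
            radius = radius0 * (1.0 - t / epochs)
            for x in patterns:                              # step b: present each pattern
                c = self.winner(x)                          # step c: winning neuron
                for j, wj in enumerate(self.w):             # step d: winner and its neighbours
                    d = j - c                               # distance on the neuron grid
                    eta = math.exp(-(d * d) / (2.0 * radius * radius)) if radius > 0 else float(d == 0)
                    for i in range(len(wj)):                # Equation b
                        wj[i] += alpha * eta * (x[i] - wj[i])
        # step e: the repetition ends when the epoch budget (the convergence criterion here) is spent
        return self.w


# Constructed per-window features: (normalised packet rate, share of SYN-only packets)
NORMAL_WINDOWS = [(0.10, 0.12), (0.12, 0.08), (0.08, 0.10), (0.11, 0.11)]
FLOOD_WINDOWS = [(0.90, 0.88), (0.88, 0.92), (0.92, 0.90), (0.89, 0.91)]


def cluster_traffic_windows():
    """Train a two-neuron map and return (map, winners of normal windows, winners of flood windows)."""
    som = KSOM(k=2, dim=2)
    som.train(NORMAL_WINDOWS + FLOOD_WINDOWS)
    normal = [som.winner(x) for x in NORMAL_WINDOWS]
    flood = [som.winner(x) for x in FLOOD_WINDOWS]
    return som, normal, flood
```

After training, each neuron's weight vector sits near the centre of one cluster, which is what lets the observer described in the text read off which map region a new packet window falls into.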
Consequently, the desired classification of the input data is accomplished through the SOM. The observer
can learn the classes allocated to the observed data and decide on the intrusiveness level of the data
packets. Using a SOM, hidden relations and segments in the data can be seen visually. It provides better
conversion rates and requires minimal expert knowledge compared to other learning algorithms, without
extensive off-line training [134,135].
The correctness of all ANN-based techniques is highly dependent on the values picked for the 'α' and
'η' parameters used in the algorithm. The total number of input classes defines the size of the map in 2D
space. Furthermore, the features involved in the data packets (like source or destination addresses of the
packets, types of the packets, i.e. UDP, TCP etc.) must be selected before the learning phase of the
system is initiated. In the literature, ANN based techniques are widely used for the detection of DDoS
attacks.
2.5.4.3 Applications of ANN for detection of DDoS attack
With the growth of wireless networks and their significance, the types and number of DDoS attacks
have also grown. Distributed flooding attacks are the most hazardous DDoS attacks. In the literature, there
are many techniques in which ANNs are effectively used to detect these attacks.
An ANN based framework is proposed for detection of TCP, UDP and ICMP DDoS attacks in [136]. It is
based on characteristic patterns that play a vital role in separating normal traffic from DDoS attack traffic.
Back-propagation based learning is performed by reproducing a mirror image of the actual traffic. The Java
Neural Network Simulator is used to collect old and up-to-date datasets, to perform preprocessing and to
train the algorithm. The proposed mechanism is integrated with Snort-AI to detect known and unknown
DDoS attacks. Simulation results showed higher detection rates for both known and unknown DDoS
attacks when it was trained with the up-to-date datasets. The status of network traffic is classified in [137].
An ongoing DDoS attack is divided into different phases, and the features of the DDoS attack in each
phase are extracted. Finally, the network status in each phase of the DDoS attack is classified by applying
the K-nearest neighbor (KNN) technique. A maximum likelihood criterion with random neural networks
(RNN) is introduced in [5] for detection of geriatric DoS attacks. Primarily, in offline mode, a set of traffic
features is obtained in this approach with the aim of getting probability density function (pdf) estimates
for evaluating their probability ratios. The features of received traffic are measured, and a decision is
taken according to each feature. At the end, feed-forward and recurrent architectures of RNN are used to
make the final decision about the received traffic.
A Radial Basis Function Neural Network (RBFNN) based detector is utilized for classification and
detection of DoS attacks in [135]. The selection of the sample interval, the number of neurons in each
hidden layer and the training of the proposed system have a considerable impact. In order to achieve
consistent performance of the proposed system, the desired features are selected with the help of a
previously proposed method. Another RBF based neural network is utilized in [138] to analyze the traffic
for detection of DDoS attacks. The proposed method is deployed on the edge routers of the victim network.
The RBF neural network is activated using seven different feature vectors at each time window. The output
of the proposed RBF neural network is either normal or attack traffic. In the case of attack traffic, the
source IP address is forwarded to the filtering and attack alarm modules of the system. Otherwise, the
normal traffic is forwarded to its destination. Detection of DDoS attacks is performed in [139] using an
RBF neural network detector. The behavior of DDoS attacks is described through a small number of
statistical descriptors estimated during a short time window analysis of the received traffic. The RBFNN
provided an efficient classification of the traffic with a detection rate of 98% utilizing three statistical
features. Moreover, classification of real traffic is also performed in the proposed method, with a detection
rate of 100%.
The number of zombies involved in launching a DDoS attack is estimated in [140] using an FFNN. The
proposed method does not depend on the frequency of the attack; therefore it solves the problems of low
detection accuracy and weak detection stability of ANNs, which are normally faced by ANN based
systems when low frequency attacks are estimated. Networks of different sizes are simulated in NS-2,
using MSE to estimate the performance of the proposed FFNN. The detection rate of the proposed
technique is very high. Another BP based neural network is proposed to predict the number of zombies
launching a DDoS attack in [140]. The input of the system is the discrepancies found in the traffic
entropy, and the output of the system is the actual number of zombies involved in launching the DDoS
attack. The proposed system is trained with a dataset having 10 to 100 zombies at a fixed traffic rate of
25 Mbps. Different variations in the entropy are used as input to the system, and the number of zombies
involved in the DDoS attack is its output. The proposed system produced more efficient and promising
results with generalized entropy as the network size increased. Rényi's entropy, Hartley entropy,
generalized entropy, Shannon entropy and Kullback–Leibler are the key information metrics
empirically evaluated in [141] to detect low-rate and high-rate DDoS attacks. The characteristics of
network flows are described using these metrics, and an effective model for detection of such attacks is
built using the most appropriate metric.
An entropy based detection mechanism is proposed in [142] for detection of both low and high rate DDoS
flooding attacks. In the case of low rate DDoS attacks, the entropy value increases compared to its value
under a normal flow of traffic, while in the case of high rate DDoS attacks the entropy value decreases.
Simulation experiments were done in NS-2. The detection rate for both low and high rate DDoS attacks
is considerably high. The performance of the proposed mechanism degraded when mixed rate attacks
occurred, because in the proposed mechanism the attack flows of varying rates canceled out each other's
effect on the entropy value, and the false positive rate increased to 23.7 %.
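The entropy behaviour described for [142], as an added Python example that is neither code from the thesis nor from [142]: Shannon entropy of the source-address distribution in constructed traffic windows, a baseline-deviation rule whose 0.3 bit margin is an assumption of this example, and the mixed-rate case in which the downward shift of a dominating source and the upward shift of many single-packet sources cancel, so the window passes as normal.

```python
# Added example: source-address entropy per traffic window and the cancellation
# effect of mixed-rate attacks. All windows below are constructed.
import math
from collections import Counter


def shannon_entropy(items):
    """Shannon entropy in bits of the empirical distribution of `items`."""
    counts = Counter(items)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


# Each window is a list with one entry per packet: the packet's source address.
def normal_window():
    # 20 regular clients, 5 packets each: a balanced source distribution
    return [f"10.0.0.{i}" for i in range(1, 21) for _ in range(5)]


def high_rate_flood_window():
    # two sources dominate the window, so entropy falls below the baseline
    return normal_window() + ["203.0.113.7"] * 200 + ["203.0.113.8"] * 200


def low_rate_flood_window():
    # one packet each from 100 extra sources, so entropy rises above the baseline
    return normal_window() + [f"198.51.100.{i}" for i in range(1, 101)]


def mixed_rate_window():
    # a dominating source and many single-packet sources together: the two shifts cancel
    return normal_window() + ["203.0.113.7"] * 200 + [f"198.51.100.{i}" for i in range(1, 101)]


def classify_window(window, baseline_entropy, margin_bits=0.3):
    """Baseline-deviation rule (the margin is an assumption of this example):
    flag a fall or a rise of the window's entropy beyond the margin."""
    h = shannon_entropy(window)
    if h < baseline_entropy - margin_bits:
        return "attack:low-entropy"      # high rate flood signature
    if h > baseline_entropy + margin_bits:
        return "attack:high-entropy"     # low rate flood signature
    return "normal"


def run_detector():
    """Classify the four constructed windows against the normal window's entropy."""
    baseline = shannon_entropy(normal_window())
    return {
        "normal": classify_window(normal_window(), baseline),
        "high_rate": classify_window(high_rate_flood_window(), baseline),
        "low_rate": classify_window(low_rate_flood_window(), baseline),
        "mixed_rate": classify_window(mixed_rate_window(), baseline),   # the miss the text describes
    }
```

With these numbers the normal window has entropy log2(20) ≈ 4.32 bits, the high rate window drops to about 2.39 bits and the low rate window rises to about 6.48 bits, while the mixed window lands at about 4.24 bits, inside the margin; a single scalar entropy cannot separate the two superimposed effects, which is the weakness the text reports for mixed rate attacks.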
The mixture of two multi-layer perceptron models and one k-nearest neighbor model (M2KMIX) is an
intelligent technique for high rate flood detection based on a mixture of expert classifiers [143]. This
mechanism is basically designed for infrastructure based network servers and services, for detection of
high rate DDoS attacks only. There is no protection from low rate DDoS attacks, although the impact of a
low rate DDoS attack may be more severe than that of a high rate DDoS attack in some cases, because low
rate attacks are normally launched over a long period of time. Furthermore, different feature sets are
obtained from different datasets using many different classifiers, which may not be a suitable solution for
multi-hop wireless networks. M2KMIX has a good detection rate for SYN floods when a three layer MLP
is used; however, the detection rate for UDP flooding is still low. Surprisingly, the system is not analyzed
in terms of system overheads and response time. In our opinion, the operation of many classifiers may
create considerable system overheads, which need further investigation.
Another ensemble architecture for detection of intrusions in the system is proposed in [144], where SVM,
multivariate adaptive regression splines (MARS) and ANN techniques are utilized. The performance
results of the experiments showed that the proposed system achieves high detection rates. However, due
to the ensemble detection technique, more computational time is required by the proposed system.
Moreover, the proposed system is unable to perform in real time. Another ensemble of classifiers is
proposed in [145], where the resilient back propagation (RBP) neural network classifier performed
outstandingly for detection of DDoS attacks and is therefore selected as the base classifier by the author.
The main focus is to enhance the efficiency of the base classifier.
The output of the ensemble classifiers and a Neyman-Pearson cost minimization approach [146] are combined in the proposed algorithm, i.e. RPPBoost, for the final classification decision. An SOM based approach is utilized in [130] for detection of DoS attacks. In the proposed method, supplementary neurons at upper layers are used to perform clustering of the network traffic, and incoming traffic is classified as normal or abnormal. This approach allows automatic classification of events found in logs and visualization of network traffic. The research in [147] detects DDoS attacks in real time. Training of the proposed mechanism is performed through BP algorithms using a dataset of 20 different samples. The input of the network is the deviation in traffic entropy, and the output of the network is the corresponding strength of the DDoS attack (low or high), with low false positive and false negative rates. Moreover, the proposed system is also tested with a varying number of neurons in the processing layer of the network; more accuracy is achieved as the network size increases. With real traffic, an increase in the network size requires increased training time and cost of implementation.
In [148] different types of DoS attacks are detected using neural networks. A statistical preprocessor is used to extract the desired statistical features in a short time frame from the traffic received at the victim name server. BP, RBF and SOM neural networks are used to detect and classify diverse DoS attacks in the traffic. Simulation results showed that the BP based feed-forward neural network performed well, with an accuracy of 99%.
2.6 Conclusion
From the above discussion and analysis, some key facts regarding WMN are found. A WMN is a large scale, multi-hop, decentralized network consisting of three main components, i.e. a gateway, a backbone of mesh routers and ad-hoc mesh clients. The gateway is connected to the internet by wires. The backbone of mesh routers usually operates on two radio links: one radio link is used to connect the end users and the second radio link is used to connect with the gateway. The end user nodes may be static or mobile in a WMN. Furthermore, the end user nodes may or may not be directly connected with the backbone of mesh routers, as mesh nodes have ad-hoc characteristics and routing capabilities. If a node is not in the direct communication range of the backbone mesh routers, then nearby mesh nodes relay and route the traffic for their neighbor nodes. This kind of arrangement not only increases the coverage area but also reduces the cost of installing mesh routers, and it can be used for a variety of applications, including provision of low cost broadband services, emergency situations, military applications and integration of different networks such as wireless sensor networks, mobile ad-hoc networks, local area networks, personal area networks and cellular networks.
End users can connect to a WMN from anywhere at any time. This is the reason that normal as well as malicious users can connect with WMNs anytime from anywhere, and this kind of freedom may invite a huge number of attackers to conduct malicious activities. Multi-hop wireless networks have security requirements such as confidentiality, integrity and availability. Confidentiality deals with user and data secrecy. Integrity deals with packet sequence and reliable delivery. Availability means that network resources are always available to end users. Malicious activities can be either passive or active in nature. In passive attacks there is no direct harm to network operations or network resources; however, user confidentiality and user data are at risk in case of a successful passive attack. WMNs have some built-in mechanisms such as WEP, WPA etc. to handle most passive attacks; however, these mechanisms have known weaknesses which can be exploited by attackers. Active attacks are usually conducted to harm the network traffic (in the form of packet modification, alteration or redirection) or network resources (bandwidth, memory, processing). If the intensity of an active attack is high enough to result in breakdown or shutdown of network operations, it is termed a Denial of Service (DoS) attack. In other words, active attacks compromise integrity, while DoS attacks compromise the availability of wireless network functions and operations.
WMNs are highly vulnerable to multilayer security threats, especially DDoS. Countering DDoS attacks such as flooding is one of the most important research areas in WMN security. There are many intelligent techniques to detect or deduce the severity of flooding type DDoS attacks. ANN is one of the most important techniques that can detect such attacks with low false negative statistics. However, the design must consider some important factors such as scalability, robustness and adaptive nature, and must take care of both mesh nodes and mesh routers. Designing and implementing a proper, secure and intelligent mechanism for integrated and decentralized WMNs with a high degree of mobile nodes is a very complex task.
3
3.1 Introduction
Due to the discrimination and generalization capabilities of ANN, it has attracted more attention than other intelligent techniques used for classification and detection of flooding attacks. If ANN based systems are designed and implemented properly, they have the potential to tackle many of the problems faced by other intelligent techniques. This chapter describes the contribution of our thesis.
3.2 Proposed Mechanism
The architecture of our proposed mechanism, i.e. the distributed flood attack detector (DFAD), is based on the ANN approach and contains one input layer, one hidden layer and one output layer. This type of ANN is also known as a multi-layer perceptron. The input layer of DFAD is composed of five nodes, where each node's entry represents the number of packets received in one second; so DFAD tests the network traffic after every five seconds. Network traffic could be checked after each second, but that would put an extra processing burden on the system. The hidden layer is composed of three nodes. Different numbers of nodes and layers in the hidden layer were tested during training, but a low false rate was found with four nodes in the hidden layer. The output layer consists of three nodes that produce three different outputs, that is, {1, 0, 0}, {0, 1, 0} and {0, 0, 1} for normal traffic, intermediate attack and high attack traffic, respectively.
The proposed mechanism works in two phases, i.e. training and testing, shown in Figure 3.1 and Figure 3.2. In the first phase, training of the system was performed on the obtained dataset; in the next phase, the trained system was tested with the remaining vectors of the dataset. After using different sizes of datasets in our experiments, we got the optimal results with a dataset of 10,000 input vectors, having 6000 input vectors for training and the remaining 4000 input vectors for testing incoming traffic. The input vectors of this dataset consisted of normal, intermediate and severe distributed flood attack traffic. The total time required to train our proposed system on this dataset was 5 seconds. In the training phase, input vectors were passed to the system with their desired outputs, while in the testing phase, input vectors were provided without required outputs.
Both the training and testing phases were composed of three layers, i.e. input, hidden and output layer. Input to the system was provided through the input layer. The provided input vector was then forwarded to the hidden layer. Each node of the hidden layer performs two tasks: first it calculates the sum of the products of the provided inputs and the weights associated with each connection, and then it produces its output by applying a sigmoid function. The output of each node of the hidden layer was then forwarded to the nodes of the output layer. In each node of the output layer, the same steps carried out by each node of the hidden layer were performed again to produce the output of the system. The final step in training on a provided input vector was to calculate the error between the desired output and the output produced by the system, called the actual output, in the first iteration. The output values were compared with the actual results for different ranges of error values. The ranges were [0.1-0.2], [0.2-0.3], [0.1-0.4], [0.1-0.5], [0.1-0.6], [0.1-0.7], [0.1-0.8], [0.1-0.9], [0-1]. During the experiments performed to identify the optimal error value, it was found that the system produced accurate results when the connection weights and bias values were updated with the error value of 0.25. After updating the weights and bias values, the same steps were repeated to produce the output from the output layer and to calculate the error between the outputs for that particular input vector until this error was reduced to the error value of 0.25. After that, the system was trained with the remaining input vectors of the training dataset using the same steps. After completion of training, the new updated weights and bias values were used in the testing phase for classification of input vectors into their desired categories. Out1, Out2 and Out3 in the testing phase were the outputs of each node in the output layer. Input vectors in the testing phase were provided without desired outputs, and no error calculation was involved in the testing phase.
As DFAD was adaptive in nature, the classification decision on incoming traffic in the testing phase was based on the training phase. ANN based mechanisms produce the best results if they are trained efficiently with all types of data [149]. In ANN, accuracy of classification is also related to the size of the training dataset. A too small training dataset may not result in optimal classification. As the size increases the accuracy increases, but at some stage a further increase in the size of the training dataset does not increase the accuracy significantly and results in a lot of training time without any major benefit [150]. A detailed description of the proposed DFAD is given in the next sections of this chapter.
Figure 3.1 Flow chart of DFAD (training: Input Layer, Hidden Layer, Output Layer, Error Calculation; if Error >= 0.25 then Back-Propagation and Feed-Forward again, otherwise enter new input vector; testing: Input Layer, Hidden Layer, Output Layer, Feed-Forward, enter new test vector, then classification: (Out1 >= Out2) && (Out1 > Out3) gives Normal Traffic, (Out2 >= Out1) && (Out2 > Out3) gives IDFA-Traffic, otherwise SDFA-Traffic)
Training
1. Initialize all weights and biases with small random numbers
2. For each input vector in the training set
3.   Input the current pattern and target output to the network
4.   // Propagate the input forward through the network:
5.   For each node in the hidden layer
       i. Calculate the sum of products of weights and inputs to the node using Eq.2
       ii. Add the bias of the node to the calculated sum
       iii. Calculate the output of the node using Eq.4
6.   Next
7.   For each node in the output layer
       i. Calculate the sum of products of weights and inputs to the node using Eq.2
       ii. Add the bias of the node to the calculated sum
       iii. Calculate the output of the node using Eq.4
8.   Next
9.   Calculate the sum of errors between target and actual output using Eq.5
10.  IF ((number of iterations (epochs) < 100) && (Error >= 0.25))
11.    // Propagate the errors backward through the network
12.    For each node in the output layer
         i. Calculate the gradient value of the node using Eq.6
         ii. Update the node's weights and bias using Eq.7 and Eq.8
13.    Next
14.    For each node in the hidden layer
         i. Calculate the gradient value of the node using Eq.6
         ii. Update the node's weights and bias using Eq.7 and Eq.8
15.    Next
16.    With the updated weights and biases, repeat from Step 5
17.  endif
18. Next // select the next input vector for training

Testing
1. Assign all updated weights and biases obtained from the training phase
2. Input the current pattern to the network
3. // Propagate the input forward through the network:
4. For each node in the hidden layer
     i. Calculate the sum of products of weights and inputs to the node using Eq.2
     ii. Add the bias of the node to the calculated sum
     iii. Calculate the output of the node using Eq.4
5. Next
6. For each node in the output layer
     i. Calculate the sum of products of weights and inputs to the node using Eq.2
     ii. Add the bias of the node to the calculated sum
     iii. Calculate the output of the node using Eq.4
7. Next
8. // Output layer: Node1's output: out1, Node2's output: out2, Node3's output: out3
9. IF (out1 > out2 && out1 > out3)
10.   printf("Normal Traffic");
11. elseif (out2 > out1 && out2 > out3)
12.   printf("IDFA-Traffic");
13. else
14.   printf("SDFA-Traffic");
15. endif
Figure 3.2 Algorithm of DFAD
3.2.1 Training
The purpose of training was to make the system able to learn how to classify the input traffic into the desired category. Training of the proposed system was composed of two steps, i.e. feed-forward and back-propagation.
i. Feed-forward: In feed-forward, a vector of input values and its desired output was passed to the system. In our proposed mechanism the size of the input vector was set to five because we wanted to check the incoming traffic after every five seconds. The format of the input vector was {5,1,6,3,4,0,0,1}, where 5,1,6,3,4 represents the number of packets received in each second and the remaining values of the input vector, i.e. {0,0,1}, represent the desired output for the entered input values. Here {0, 0, 1} was taken as normal traffic, {0, 1, 0} as an intermediate distributed flood attack and {1, 0, 0} as severe distributed flood attack traffic. Some of the input vectors, the initial weights associated with each connection and the biases associated with each node of the hidden and output layers used in training the proposed mechanism are given in Table 3.1.
Input Vectors: 5, 1, 6, 3, 4, 0, 0, 1; 32, 36, 32, 28, 39, 0, 1, 0; 43, 53, 63, 54, 43, 1, 0, 0; 14, 4, 15, 4, 28, 0, 0, 1; 35, 25, 27, 28, 25, 0, 1, 0; 45, 55, 53, 47, 43, 1, 0, 0; 6, 16, 12, 6, 20, 0, 0, 1; 34, 38, 41, 31, 35, 0, 1, 0; 56, 52, 57, 42, 47, 1, 0, 0; ...
Weights and Biases: 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0, 0.1, 0.2, 0.3, 0.4, 0.5, -2.0, -6.0, -1.0, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 2.0, 2.1, -2.5, -5.0, -7.0
Table 3.1 Input vectors, weights and biases used in training
Selection of initial weights and bias values was a real challenge because these values helped us to
generate the desired outputs.
Each input vector in the training phase consisted of 8 values, where the first 5 values depicted the number of received packets and the remaining 3 values showed the desired output for the provided input vector. The sum of the products of the number of received packets at each node of the input layer and their associated weights was calculated at each node of the hidden layer using Equation 4, as shown in Figure 3.3.
$IH_k = \sum_{i=1}^{5} \sum_{j=s}^{t} X_i W_j + b_k$ (4)
where $IH_k$ (local input) is the sum of the scalar products of each input value times its associated weight, plus the bias associated with node k of the hidden layer. Possible values of the variables used in Equation 4 were k = 1, 2, 3; s = 1, 6, 11; t = 5, 10, 15.
The output of each node in the hidden layer was determined by using the sigmoid activation function given in Equation 5.
$OH_k = 1 / (1 + e^{-IH_k})$ (5)
$OH_k$ is the output of each hidden layer node and $IH_k$ is the local input calculated in Equation 4. The calculated outputs of the hidden layer served as input values for each node in the output layer. The procedure used in the hidden layer nodes to calculate the local inputs and outputs was repeated by each node of the output layer using Equations 6 and 7.
$IO_k = \sum_{i=1}^{3} \sum_{j=s}^{t} OH_i W_j + b_k$ (6)
$Out_k = 1 / (1 + e^{-IO_k})$ (7)
where $IO_k$ is the local input of each output layer node and $Out_k$ is the actual output for the entered input values. Possible values of the variables used in Equations 6 and 7 were k = 1, 2, 3; s = 1, 4, 7; t = 3, 6, 9.
The last step in feed-forward of the proposed mechanism was to calculate the error between the actual output (Out) and the target output (TO) using Equation 8.
$E = \frac{1}{2} \sum_{i=1}^{3} (T_i - Out_i)^2$ (8)
The error rate proposed in our mechanism was 0.25. If the error determined in Equation 8 was greater than 0.25, then the calculated error was back-propagated until it satisfied the given error rate. The first feed-forward pass for input vector {5, 1, 6, 3, 4} is described in Figure 3.3.
Figure 3.3 Forward-pass of first input vector
ii. Back-propagation: The error produced in feed-forward was used in back-propagation to calculate the gradient value for each node in the output layer using Equation 9.
$OGrad_i = Out_i (1 - Out_i) \cdot Error$ (9)
The next step in back-propagation was to find the rate of change of the hidden-to-output layer connection weights and of the bias value associated with each output layer node. These rates of change were calculated as
$\Delta w_{ij} = LR \cdot OGrad_j \cdot OH_i$ (10)
$\Delta b_j = LR \cdot OGrad_j$ (11)
Figure 3.3 (values drawn in the figure): input X1=5, X2=1, X3=6, X4=3, X5=4; hidden layer biases b1=-2.0, b2=-6.0, b3=-1.0; output layer biases b1=-2.5, b2=-5.0, b3=-5.7; IH1=3.7, OH1=0.98, IH2=9.2, OH2=1.0, IH3=4.7, OH3=0.99; IO1=1.65, Out1=0.84, IO2=0.05, Out2=0.51, IO3=0.26, Out3=0.56; Error = -0.42. The figure labels each node with $IH_k = \sum_{i=1}^{5} X_i W_j + b_k$ over the k-th block of five weights, $OH_k = 1/(1+e^{-IH_k})$, $IO_k = \sum_{i=1}^{3} OH_i W_j + b_k$ over the k-th block of three weights, $Out_k = 1/(1+e^{-IO_k})$ and $Error = \frac{1}{2}\sum_{i=1}^{3}(T_i - Out_i)^2$.
LR used in Equations 10 and 11 was the learning rate, which controls how fast the back-propagation algorithm learns. Bigger values of LR result in bigger changes in $\Delta w$, with the risk of overshooting a good answer. So the value used for LR in DFAD was 0.03; this value was found by trial and error. After that, the weights and biases associated with the hidden-to-output layer were updated using the obtained $\Delta w_{ij}$ and $\Delta b_j$.
Next we computed the gradient, the rate of change of the input-to-hidden layer connection weights and the bias values for each node in the hidden layer using Equations 12, 13 and 14.
$HGrad_i = OH_i (1 - OH_i) \cdot \left( \sum_{j=1}^{3} OutGrad_j \cdot W_j \right)$ (12)
$\Delta w_{ki} = LR \cdot HGrad_i \cdot X_k$ (13)
$\Delta b_i = LR \cdot HGrad_i$ (14)
Now feed-forward started again. The process of feed-forward and back-propagation for the given vector, i.e. {5, 1, 6, 3, 4}, was repeated until the produced gradient descent error satisfied the required error. Figure 3.4 displays both the initial weights and biases mentioned in Table 3.1 and the updated weights and biases generated after training.
Figure 3.4 Updated weights and biases
After generating the updated weights and biases, training of DFAD was completed. Remaining 4000
input vectors of the dataset were used for testing.
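The feed-forward pass, the error of Equation 8, the back-propagation updates of Equations 9 to 14 and the classification rule of Figure 3.2, as an added Python example that is not part of the thesis. It starts from the initial weights and biases of Table 3.1, so its forward pass reproduces the IH, OH, IO1, IO2, Out1 and Out2 values drawn in Figure 3.3 for the vector {5, 1, 6, 3, 4} (IO3 differs because Table 3.1 gives b3 = -7.0 where Figure 3.3 draws -5.7); the windowing helper, the per-node form of the Error factor in Equation 9 and the constructed packet timestamps are assumptions.

```python
import math

# Initial weights and biases of Table 3.1, arranged per node: hidden node k pairs
# X_i with W_j for j = s..t (s = 1, 6, 11; t = 5, 10, 15), output node k pairs
# OH_i with W_j for j = s..t (s = 1, 4, 7; t = 3, 6, 9).
W_IH = [[0.1, 0.2, 0.3, 0.4, 0.5],   # hidden node 1: W1..W5
        [0.6, 0.7, 0.8, 0.9, 1.0],   # hidden node 2: W6..W10
        [0.1, 0.2, 0.3, 0.4, 0.5]]   # hidden node 3: W11..W15
B_H = [-2.0, -6.0, -1.0]
W_HO = [[1.3, 1.4, 1.5],             # output node 1: W1..W3
        [1.6, 1.7, 1.8],             # output node 2: W4..W6
        [1.9, 2.0, 2.1]]             # output node 3: W7..W9
B_O = [-2.5, -5.0, -7.0]             # Table 3.1 value; Figure 3.3 draws b3 = -5.7
LR = 0.03                            # learning rate found by trial and error
ERROR_THRESHOLD = 0.25               # error rate of the mechanism
MAX_EPOCHS = 100                     # epoch bound of Figure 3.2


def window_vector(packet_times, window_start, seconds=5):
    """Assumed helper: bin packet arrival timestamps (seconds) into packets per
    second over a five-second window, which is the DFAD input vector."""
    counts = [0] * seconds
    for t in packet_times:
        slot = int(t - window_start)
        if 0 <= slot < seconds:
            counts[slot] += 1
    return counts


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def layer_forward(inputs, weights, biases):
    """Local input (Eq. 4 / Eq. 6) and sigmoid output (Eq. 5 / Eq. 7) of one layer."""
    local = [sum(x * w for x, w in zip(inputs, row)) + b
             for row, b in zip(weights, biases)]
    return local, [sigmoid(v) for v in local]


def feed_forward(x, w_ih=W_IH, b_h=B_H, w_ho=W_HO, b_o=B_O):
    """Return (IH, OH, IO, Out) for one five-value input vector."""
    ih, oh = layer_forward(x, w_ih, b_h)
    io, out = layer_forward(oh, w_ho, b_o)
    return ih, oh, io, out


def squared_error(target, out):
    """Eq. 8: E = 1/2 * sum_i (T_i - Out_i)^2."""
    return 0.5 * sum((t - o) ** 2 for t, o in zip(target, out))


def back_propagate(x, target, w_ih, b_h, w_ho, b_o, lr=LR):
    """One back-propagation pass (Eq. 9 to 14); returns updated parameter copies.
    Assumption: the Error factor of Eq. 9 is taken per output node as
    (T_i - Out_i), the standard choice under which the update lowers Eq. 8."""
    _, oh, _, out = feed_forward(x, w_ih, b_h, w_ho, b_o)
    o_grad = [o * (1.0 - o) * (t - o) for o, t in zip(out, target)]       # Eq. 9
    h_grad = [h * (1.0 - h) * sum(g * w_ho[j][i] for j, g in enumerate(o_grad))
              for i, h in enumerate(oh)]                                   # Eq. 12
    new_w_ho = [[w + lr * g * h for w, h in zip(row, oh)]                  # Eq. 10
                for row, g in zip(w_ho, o_grad)]
    new_b_o = [b + lr * g for b, g in zip(b_o, o_grad)]                    # Eq. 11
    new_w_ih = [[w + lr * g * xk for w, xk in zip(row, x)]                 # Eq. 13
                for row, g in zip(w_ih, h_grad)]
    new_b_h = [b + lr * g for b, g in zip(b_h, h_grad)]                    # Eq. 14
    return new_w_ih, new_b_h, new_w_ho, new_b_o


def train_vector(x, target, params=(W_IH, B_H, W_HO, B_O)):
    """Training loop of Figure 3.2 for one vector: repeat feed-forward and
    back-propagation while Error >= 0.25 and fewer than 100 epochs were used.
    Returns (updated params, final error, epochs used)."""
    w_ih, b_h, w_ho, b_o = params
    for epoch in range(MAX_EPOCHS):
        err = squared_error(target, feed_forward(x, w_ih, b_h, w_ho, b_o)[3])
        if err < ERROR_THRESHOLD:
            return (w_ih, b_h, w_ho, b_o), err, epoch
        w_ih, b_h, w_ho, b_o = back_propagate(x, target, w_ih, b_h, w_ho, b_o)
    err = squared_error(target, feed_forward(x, w_ih, b_h, w_ho, b_o)[3])
    return (w_ih, b_h, w_ho, b_o), err, MAX_EPOCHS


def classify(out):
    """Decision rule of the testing part of Figure 3.2."""
    o1, o2, o3 = out
    if o1 > o2 and o1 > o3:
        return "Normal Traffic"
    if o2 > o1 and o2 > o3:
        return "IDFA-Traffic"
    return "SDFA-Traffic"


if __name__ == "__main__":
    # Constructed arrival timestamps that reproduce the first vector of Table 3.1.
    arrivals = [0.1, 0.3, 0.5, 0.7, 0.9, 1.5, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5,
                3.2, 3.5, 3.8, 4.1, 4.4, 4.7, 4.9]
    x = window_vector(arrivals, window_start=0)          # [5, 1, 6, 3, 4]
    ih, oh, io, out = feed_forward(x)
    print("IH", [round(v, 2) for v in ih], "OH", [round(v, 2) for v in oh])
    print("IO", [round(v, 2) for v in io], "Out", [round(v, 2) for v in out])
    print("first pass classified as:", classify(out))
    _, err, epochs = train_vector(x, [0, 0, 1])          # {0,0,1}: normal traffic
    print("error after", epochs, "epochs:", round(err, 3))
```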
3.2.2 Testing
After training the system, the new updated weights and bias values were used by the system to classify the remaining 4000 input vectors of the dataset into their required categories. During testing, the same values of learning rate, momentum, error rate and number of epochs were used. Moreover, the same feed-forward steps used in training the system were followed in testing to generate the outputs from the output layer nodes. Unlike in training, input vectors used for testing were provided without desired output values.
Figure 3.5 shows classification of input data into one of its desired categories. To evaluate the performance of the proposed system we analyzed different parameters such as detection rate, false positive rate and false negative rate.
Figure 3.5 Test result of an input vector
The detection rate was defined as the number of attack input vectors (intermediate and severe attack) detected divided by the total number of attack input vectors present in the test dataset. The false positive rate was defined as the number of normal input vectors declared as attack traffic divided by the total number of normal input vectors. The false negative rate was defined as the number of attack input vectors declared as normal traffic divided by the total number of attack input vectors available in the test dataset.
Besides testing DFAD with the dataset, the proposed mechanism was also evaluated with real traffic, as shown in Figure 3.6 and Figure 3.7. After every five (05) seconds, the UDP and TCP traffic received at the network interface card of a single system was forwarded to DFAD for classification. DFAD classified both UDP and TCP traffic into its desired categories, i.e. normal, intermediate distributed flood attack and severe distributed flood attack traffic.
Figure 3.6 UDP Traffic classification by DFAD
3.3 Experimental results
In this section we present the simulation approach used and the results obtained by DFAD in classifying network traffic into three different categories. Different approaches were used to generate the datasets: some datasets were generated from simulations and the others from real traffic, to perform training and testing of the proposed mechanism. The distribution of normal, intermediate and severe distributed attack traffic input vectors in each dataset was 50%, 25% and 25% respectively.
3.3.1 Simulation results
Simulations were carried out using the NS2 network simulator [151], the best choice for simulating wireless network systems. Our simulated network consisted of 100 nodes placed within a 1000 x 1000 m area. Each node had a transmission range of 250 m. 10 nodes were fixed; among them 09 nodes were considered mesh routers and 01 node was declared the mesh gateway router. The remaining 90 nodes were placed randomly and moved with a speed of 5 m/s. For training, the datasets were generated by transmission of only 30 nodes towards the gateway at different times. Normal traffic was generated at a rate of 10 Kbps and attack traffic was generated at different attack rates from 20 Kbps to 40 Kbps. The simulation performed by the NS2 network simulator is shown in Figure 3.8, where all the traffic for the mesh gateway was transferred through the mesh routers.
Figure 3.7 TCP Traffic classification by DFAD
Extensive simulations were carried out to test the accuracy of the proposed mechanism. For this purpose we generated both UDP and TCP traffic at different rates for a fixed interval of time, i.e. 60 seconds. In the first experiment, 20 nodes with a transmission rate of 10 Kbps were used. In the second experiment we used 25 nodes, where the transmission rate of 20 nodes was the same as in the first experiment while the transmission rate of 05 nodes, which were declared attacker nodes, was increased to 20 Kbps. The last experiment was performed with 30 nodes, where 20 nodes were transmitting data at normal rates, i.e. 10 Kbps, while 10 nodes were sending data at the higher rate of 20 Kbps. The destination node in each experiment was the node declared as mesh gateway.
Figure 3.8 Simulation performed by NS 2.34
DFAD distributed the traffic of each experiment into one of the three desired categories, i.e. normal traffic, intermediate distributed flood attack (IDFA) traffic and severe distributed flood attack (SDFA) traffic. The distribution of traffic generated in each experiment is shown in Figure 3.9 and Figure 3.10. Figure 3.11 and Figure 3.12 demonstrate that as we increased the traffic, the packet dropping rates of both UDP and TCP traffic increased immediately. The largest number of packets was dropped during SDFA.
Figure 3.9 Packets receiving rates of UDP traffic
Figure 3.10 Packets receiving rates of TCP traffic
To evaluate the performance of DFAD we also compared it with the simulation results of the mechanisms already proposed for detection of distributed flood attacks in [143,142]. M2KMIX was proposed to classify both UDP and TCP distributed flood attack traffic and normal traffic using five different classifiers. Among these classifiers, a multi-layer perceptron produced the best results; therefore, we compared the performance of DFAD with the results produced by it. Table 3.2 shows that DFAD performs better than M2KMIX in all respects. The same analysis can be seen in Figure 3.13 and Figure 3.14.
Figure 3.11 Packets dropping rates of UDP traffic
Figure 3.12 Packets dropping rates of TCP traffic
Table 3.2 Comparison of UDP and TCP distributed flood attacks
In Table 3.3 we compared DFAD with flow statistics based detection (FSD) of low and high rate distributed UDP flood attacks implemented on a server. The detection rates of FSD were only slightly different from those of DFAD, but there was a huge difference in the false positive rates while detecting both intermediate and severe distributed UDP flood attacks. The same analysis is given in Figure 3.15 and Figure 3.16.
Traffic Type | Attack Type | Detection-Rate % DFAD | Detection-Rate % M2KMIX | False-Positive % DFAD | False-Positive % M2KMIX | False-Negative % DFAD | False-Negative % M2KMIX
UDP | Severe-Dist-Flood Attack | 99.98% | 93.3% | 3.25% | 6.2% | 2.63% | 7.1%
TCP | Severe-Dist-Flood Attack | 97.65% | 95.30% | 3.56% | 4.7% | 2.10% | 4.6%
Figure 3.13 Analysis of distributed UDP flood attack
Figure 3.14 Analysis of distributed TCP flood attack
Table 3.3 Comparison of UDP distributed flood attack at server
In Figure 3.17, the detection rates against throughput of different methods proposed for detection of distributed flood attacks were compared. It is evident from Figure 3.17 that the performance of DFAD remains almost constant in both intermediate and severe distributed flood attacks, while the optimal objective entropy (OOE) [152] and FSD methods performed well when there was an intermediate distributed flood attack but their performance degraded rapidly as the intensity of the distributed flood attack increased.
Traffic Type | Detection-Rate % DFAD | Detection-Rate % FSD | False-Positive % DFAD | False-Positive % FSD
Inter-Dist-Flood Attack | 99.99% | 99.99% | 0.89% | 2.0%
Severe-Dist-Flood Attack | 99.98% | 99.97% | 3.25% | 23.7%
Figure 3.15 Analysis of distributed UDP flood attack
Figure 3.16 Analysis of distributed TCP flood attack
For further performance evaluation of DFAD, we also tested it with real traffic captured from the network on a single system and on a gateway server.
3.3.2 Real implementation results
The proposed mechanism was implemented on two different systems, where one system was a node having a 2.8 GHz Core 2 Duo processor and 2 GB RAM while the other system was the gateway server having a quad core 2.0 GHz processor with 4 GB RAM. We used the Tribe Flood Network 2000 (TFN2K) tool to launch both UDP and TCP distributed flooding attacks. It has a client-server architecture where the client controls the servers, forwarding the commands received from the attacker on when and how to attack the victim. Primarily, both systems were trained by sending traffic at different rates in the absence and presence of the TFN2K tool. After training, each system was ready to distribute incoming traffic into its desired category. The results of each implementation are discussed below.
Figure 3.17 Comparison of detection rates against throughput (x axis: Throughput, 45 to 195; y axis: Detection Rate %, 91 to 100; series: DFAD, M2KMIX, FSD, OOE)
i. Single system implementation
The distribution of both UDP and TCP traffic received at the victim (laptop) node is given in Figure 3.18 and Figure 3.19. We forwarded traffic towards the victim at different rates for the same interval of time, i.e. 60 sec. Initially there was no attack on the victim, so DFAD classified the received traffic as normal. After that we launched the distributed attack through the TFN2K tool by compromising six (06) nodes, where one (01) node served as a client host (handler) and five (05) nodes served as server hosts (agents). The traffic received in that time was classified as intermediate distributed flood attack by DFAD because UDP packets were received at higher rates. To confirm the results of the proposed mechanism we also extended the effect of the attack by increasing the number of compromised nodes; this time there were two (02) client hosts and ten (10) server hosts. Due to the increase in the number of client and server hosts, the rate of packets received at the victim node increased. As a result, DFAD classified the incoming traffic as severe distributed flood attack.
Figure 3.18 Distribution of UDP traffic flows at single system (x axis: Time (Sec), 0 to 60; y axis: Packets, 0 to 100; series: Normal Traffic, Inter-Dist-Flood Attack, Severe-Dist-Flood Attack)
Figure 3.19 Distribution of TCP traffic flows at single system (x axis: Time (Sec), 0 to 60; y axis: Packets, 0 to 80; series: Normal Traffic, Inter-Dist-Flood Attack, Severe-Dist-Flood Attack)
The dropping rates of packets during traffic flows of different strength are shown in Figure 3.20 and Figure 3.21. They show that with the increase in traffic flows, the rate of dropped packets at the victim system also increased.
Figure 3.20 Packets dropping rates of UDP traffic flows at single system (x axis: Time (Sec), 0 to 60; y axis: Pkt-Drop, 0 to 100; series: Normal Traffic, Inter-Dist-Flood Attack, Severe-Dist-Flood Attack)
Figure 3.21 Packets dropping rates of TCP traffic flows at single system (x axis: Time (Sec), 0 to 60; y axis: Pkt-Drop, 0 to 80; series: Normal Traffic, Inter-Dist-Flood Attack, Severe-Dist-Flood Attack)
ii. Server implementation
To show the consistency and performance of DFAD, we also implemented it on a gateway server. As the gateway plays a vital role in the communication of any network, any attacker would love to target it. To distribute traffic into the desired categories we had to train DFAD accordingly; therefore we trained our system with different rates of UDP and TCP traffic flows. We again used the TFN2K tool to increase the traffic flow at the server (victim). Test results of the proposed mechanism on the gateway server are shown in Figure 3.22 and Figure 3.23, where normal traffic shows the number of packets received by the gateway under normal circumstances. This time, we launched the attack through the TFN2K tool by compromising 20 nodes, having 2 client hosts (handlers) and 18 server hosts (agents). At first, the attack was launched through only 10 server hosts, so DFAD declared the incoming traffic in that interval of time as intermediate distributed flood attack. After some time the remaining eight (08) server hosts were also directed through the clients to launch the attack on the victim server to increase the impact of the attack. The number of packets received by the server in that interval of time was classified as severe distributed flood attack by DFAD.
Figure 3.22 Distribution of UDP traffic flows at server (x axis: Time (Sec), 0 to 60; y axis: Packets, 0 to 250; series: Normal Traffic, Inter-Dist-Flood Attack, Severe-Dist-Flood Attack)
Figure 3.23 Distribution of TCP traffic flows at server (x axis: Time (Sec), 0 to 60; y axis: Packets, 0 to 200; series: Normal Traffic, Inter-Dist-Flood Attack, Severe-Dist-Flood Attack)
Figure 3.24 and Figure 3.25 depict the packet dropping rates of traffic received at the server. The number of packets dropped during normal traffic flows was less than during intermediate and severe distributed flood attack traffic. Most of the requests of its valid users were fulfilled by the server during normal traffic flows, while in the presence of intermediate and severe distributed flood attacks, due to the high packet dropping rates, most of the requests of its users were not fulfilled by the server.
As mentioned earlier, DFAD was adaptive in nature; therefore the distribution of the same traffic in each implementation was performed in a different manner. This is the key to the intelligence of any back-propagation based ANN system: it can adapt itself to any environment by changing the values of parameters such as learning rate, momentum rate, error rate and number of epochs to get the desired weights for classification.
Figure 3.24 Packets dropping rates of UDP traffic flows at server (plot of Pkt-Drop against Time (Sec), 0 to 60 s, Pkt-Drop axis 0 to 160; series: Normal Traffic, Inter-Dist-Flood Attack, Severe-Dist-Flood Attack)
Figure 3.25 Packets dropping rates of TCP traffic flows at server (plot of Pkt-Drop against Time (Sec), 0 to 70 s, Pkt-Drop axis 0 to 140; series: Normal Traffic, Inter-Dist-Flood Attack, Severe-Dist-Flood Attack)
3.4 Conclusion
In this chapter, we discussed our proposed mechanism, DFAD. It was composed of a training and a testing phase. During the training phase, input vectors were presented to the system along with their desired outputs. If the error between the output produced by the system and the desired output was greater than the threshold error, the calculated gradient descent error was used to update all the connection weights and bias values of the system. After that, the same input vector was presented again to the system. The number of iterations for each input vector depended on the calculated gradient descent error between the actual output and the desired output. After training, the updated connection weights and bias values were used to test the proposed system. DFAD was also trained and tested with real traffic. Analysis of the experimental results proved that it was an efficient, intelligent and secure mechanism for the detection of distributed flood attacks in WMN. DFAD was designed to be implemented at the mesh gateway in WMN. The trained DFAD receives traffic and then distributes the incoming UDP and TCP traffic intelligently into its desired categories, namely normal, IDFA and SDFA traffic, by using an ANN. DFAD can detect both low and high rate distributed UDP and TCP flood attacks. Performance comparisons of DFAD with M2KMIX under severe distributed UDP and TCP flood attack proved the efficiency of DFAD. Moreover, the efficiency of DFAD was also compared with the FSD system. The detection rate of both DFAD and FSD remained the same during severe and intermediate distributed flood attacks, but the false positive rate of DFAD was much better than that of FSD. Simulation results and the comparison of the performance analysis of DFAD with M2KMIX, FSD and optimal objective entropy prove that our mechanism was more intelligent, effective and accurate than the other mechanisms.
4 CONCLUSION AND FUTURE WORK
PhD Thesis (2016), by Mr. Muhammad Altaf Khan, Institute of Information Technology, KUST, Kohat, Khyber Pakhtunkhwa, Pakistan
4.1 Conclusion
WMN is a novel wireless network which is used to provide both high-speed wireless internet services and data network access over an extensive area. It uses a decentralized approach to control multi-hop network communication. Flexibility, dynamic self-configuration and self-healing are also favourable features of WMN. Wireless infrastructure networks are being replaced by WMNs in several areas because of their superior flexibility and lower implementation cost. A WMN consists of mesh nodes and mesh routers, connected with one another using a full or partial mesh topology. A mesh node performs a dual job, i.e. it acts as a client and as a relay router. Mesh and conventional nodes can access the services provided by the WMN through mesh nodes and mesh routers. Mesh routers also offer nominal mobility and provide a backbone for the connectivity of mesh nodes. A mesh router is different from a conventional wireless router because it provides additional routing features, multi-hop communication and multiple wireless interfaces. Some of the more powerful mesh routers may also act as gateways, providing internet connectivity to the mesh nodes and integrating the WMN with other networks like wireless local area networks (WLANs), cellular networks and wireless sensor networks (WSNs). WMNs offer attractive features like low implementation cost, scalability, mobility and high data rates. Despite the benefits that can be gained through WMN, it may be susceptible to various security threats.
Because of frequent dynamic changes in the network topology, the open shared wireless medium, the absence of central security control and the provision of multi-hopping in WMN, its security may be exploited through passive and active attacks. Passive attacks are silent by nature, which is why the network is not harmed by them directly. In passive attacks the intruder just listens to and analyzes the network traffic with the aim of gathering significant information about the resources or the users of the network. Nevertheless, by obtaining such information, passive attacks pave the way to more serious attacks, namely active attacks. In active attacks, the intruder may damage either the traffic of the network or the resources of the victim network by adding, tampering with or dropping packets. All the layers of the OSI model can be targeted by active attacks. The most brutal kind of active attacks are DDoS attacks, in which intruders either fully block the network traffic or make the network resources completely unavailable to its users by flooding huge volumes of UDP, TCP/SYN or HTTP request traffic towards the victim through numerous compromised nodes. DDoS attacks may be carried out through different tools, worms or botnets, utilizing diverse strategies for packet transmission to defeat the deployed defense mechanisms. Botnets are collections of compromised nodes, i.e. handlers and zombies. Handlers control and coordinate the attack by forwarding the instructions received from the attacker to the zombies. Zombies are used to attack the victim directly. A group of handlers may be involved in a DDoS attack, where each handler controls a group of zombies to flood the victim. The impact of these distributed flooding attacks depends on the size of the botnet. To launch the most disastrous and severe distributed flooding attacks, larger botnets are required. As both handlers and zombies are compromised by the attacker, the users of these systems unconsciously participate in launching a distributed flooding attack. Many detection systems have been proposed in this regard, but the detection mechanisms based on artificial intelligence are considered to be more promising than the others.
Artificial intelligence has been moving in the direction of new techniques for knowledge representation and computation that are much closer to human reasoning. This powerful characteristic permits artificial intelligence to work in numerous fields effortlessly. It is a novel and rising field in the detection of distributed flooding attacks. That is why a detection system that is based on an artificial intelligence technique can behave like a human. Artificial intelligence techniques like fuzzy logic, artificial immune systems, genetic algorithms and ANNs are available to detect distributed flooding attacks more efficiently and intelligently. These techniques may also be used in combination to develop a robust detection system. Among all AI techniques, ANNs are the most commonly used for the detection of distributed flooding attacks.
ANN uses the concepts of the biological neural networks found in the human brain. With the assistance of this network, the brain uses millions of interconnected neurons to fully control the human body. Following the same concepts, an ANN is a network of interconnected nodes (neurons) that provides the required solution after performing parallel processing. Two types of structures exist in ANN, i.e. feed-forward and feed-back neural networks. The main difference between the two structures is the flow of signals. A number of parameters are involved in these structures, which need some adjustment to carry out particular tasks. These structures are mainly distributed over three main layers: the input layer, the hidden layer and the output layer. Moreover, the hidden layer may be composed of more than one layer. There may be a different number of neurons in each layer. As the number of layers and nodes in the hidden layer increases, the complexity of the ANN increases; on the other hand, the probability of accurate learning also increases. Learning of ANNs can be performed through either supervised or unsupervised learning algorithms. In supervised learning, an output is provided with each input during training, while in unsupervised learning algorithms, target outputs are not provided with the input data during training; hence the ANN performs data compression or clustering to categorize patterns with the same attributes into the same output cluster. The learning problem in ANNs is formulated in terms of minimizing the error in order to produce the desired outputs. In feed-forward ANNs, the most commonly used supervised learning algorithms include the delta rule, the perceptron and back-propagation. For learning a feed-forward ANN, the BP algorithm is the most commonly used of all algorithms, while the self-organizing map is the most well-known unsupervised learning algorithm.
Our proposed mechanism, DFAD, is an intelligent and secure mechanism for the detection of distributed flood attacks at the mesh gateway in WMN. It is a feed-forward neural network consisting of one input, one hidden and one output layer. DFAD trains itself on the incoming traffic by using the back-propagation learning algorithm. The sigmoid function is used as the activation function in each node of the hidden and output layers. The reason for selecting the sigmoid function among other activation functions is that we required the output of each node in the output layer to lie between '0' and '1'. The error between the actual and the target output in each iteration of the training input vector is calculated through the gradient descent error function. During training, if the generated error is found to be greater than the threshold error, the error is back-propagated through the network. The process of back-propagation is repeated for each input vector until it satisfies the threshold error or the number of iterations reaches its maximum value, i.e. 100 iterations. After completion of training, the updated weights and bias values are forwarded to test DFAD with live network traffic, where it extracts the UDP and TCP packets from the received traffic and distributes the traffic accordingly. Because of the adaptive nature of DFAD, it has the ability to detect both low and high rate distributed flood attacks. After testing DFAD, its performance was evaluated by implementing it on a single system as well as on a server system. Moreover, simulations of DFAD were also performed in NS2.34. Simulation results and the comparison of the performance analysis of DFAD with M2KMIX, FSD and OOE proved that DFAD is more effective and accurate than these defense mechanisms proposed for the detection of distributed flood attacks. One of the major challenges faced by DFAD in the detection of distributed flood attacks is the flash-crowd (FC) event.
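The training loop described in the paragraph above and in Section 3.4 (present each input vector with its desired output, back-propagate the gradient-descent error while it exceeds the threshold, stop after 100 iterations, then classify with the updated weights and biases) is shown below as an added worked example in Python; it is not the thesis's DFAD code. The two-feature input vectors, the three-category labelling (normal, IDFA, SDFA), the network size of 2 inputs, 4 hidden nodes and 3 outputs, the learning rate of 0.5 and the error threshold of 0.01 are constructed assumptions.

```python
import math
import random

# Constructed training set: each input vector is (normalized packet rate,
# packet-drop rate) scaled to [0, 1]; the label is the traffic category the
# thesis uses: 0 = normal, 1 = IDFA (intermediate), 2 = SDFA (severe).
TRAINING_SET = [
    ((0.10, 0.05), 0), ((0.15, 0.10), 0), ((0.20, 0.08), 0),
    ((0.50, 0.40), 1), ((0.55, 0.45), 1), ((0.45, 0.50), 1),
    ((0.90, 0.85), 2), ((0.85, 0.90), 2), ((0.95, 0.80), 2),
]
CLASS_NAMES = ("normal", "IDFA", "SDFA")


def sigmoid(x):
    """Activation used in every hidden and output node, so outputs lie in (0, 1)."""
    return 1.0 / (1.0 + math.exp(-x))


class BackPropNet:
    """Feed-forward network with one hidden layer, trained vector by vector."""

    def __init__(self, n_in, n_hidden, n_out, seed=1):
        rng = random.Random(seed)            # fixed seed keeps the run reproducible
        rand = lambda: rng.uniform(-0.5, 0.5)
        self.w_hid = [[rand() for _ in range(n_in)] for _ in range(n_hidden)]
        self.b_hid = [rand() for _ in range(n_hidden)]
        self.w_out = [[rand() for _ in range(n_hidden)] for _ in range(n_out)]
        self.b_out = [rand() for _ in range(n_out)]

    def forward(self, x):
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                  for row, b in zip(self.w_hid, self.b_hid)]
        output = [sigmoid(sum(w * h for w, h in zip(row, hidden)) + b)
                  for row, b in zip(self.w_out, self.b_out)]
        return hidden, output

    def train_vector(self, x, target, lr, threshold, max_iter=100):
        """Present one vector repeatedly: back-propagate while the gradient-descent
        error exceeds the threshold, giving up after max_iter (100 in the thesis).
        Returns the number of weight updates performed."""
        for updates in range(max_iter):
            hidden, output = self.forward(x)
            error = 0.5 * sum((t - o) ** 2 for t, o in zip(target, output))
            if error <= threshold:
                return updates
            # delta terms for sigmoid units (derivative is o * (1 - o))
            d_out = [(t - o) * o * (1 - o) for t, o in zip(target, output)]
            d_hid = [h * (1 - h) * sum(d_out[k] * self.w_out[k][j] for k in range(len(d_out)))
                     for j, h in enumerate(hidden)]
            for k, row in enumerate(self.w_out):          # output-layer weights and biases
                for j in range(len(row)):
                    row[j] += lr * d_out[k] * hidden[j]
                self.b_out[k] += lr * d_out[k]
            for j, row in enumerate(self.w_hid):          # hidden-layer weights and biases
                for i in range(len(row)):
                    row[i] += lr * d_hid[j] * x[i]
                self.b_hid[j] += lr * d_hid[j]
        return max_iter


def train(net, dataset, lr=0.5, threshold=0.01, max_epochs=500):
    """Cycle over the training set until every vector is already within the
    threshold error when presented. Returns the number of epochs used."""
    for epoch in range(1, max_epochs + 1):
        updates = 0
        for x, label in dataset:
            target = [1.0 if k == label else 0.0 for k in range(len(CLASS_NAMES))]
            updates += net.train_vector(x, target, lr, threshold)
        if updates == 0:
            return epoch
    return max_epochs


def classify(net, x):
    """Testing phase: the output node with the largest activation names the category."""
    _, output = net.forward(x)
    return CLASS_NAMES[max(range(len(output)), key=output.__getitem__)]


def build_trained_net():
    net = BackPropNet(n_in=2, n_hidden=4, n_out=3)
    train(net, TRAINING_SET)
    return net


if __name__ == "__main__":
    trained = build_trained_net()
    for vec, lbl in TRAINING_SET:
        print(vec, CLASS_NAMES[lbl], "->", classify(trained, vec))
```

The per-vector loop is what makes the number of iterations depend on the error, as the thesis describes: a vector that is already classified within the threshold costs no updates, while a badly classified one is repeated up to the 100-iteration cap before the next vector is presented.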
4.2 Future Work
The significant part of the future work is to develop an improved version of DFAD that can detect and differentiate between distributed flooding attack traffic and FC traffic. An FC is the occurrence of a huge volume of traffic simultaneously or within a short period of time, forwarded by legitimate users towards the victim. It may be considered as an attack because it dramatically increases the consumption of the victim's resources or results in heavy packet loss and congestion of the victim's network. For instance, when there is a cricket match, the release of the latest version of some software or any other interesting event that demands constant live streaming, the traffic at that particular server or network will be higher than its normal routine. Due to such an FC, the server may not be able to fulfill all the requests of its users efficiently.
Just like a DDoS attack, an FC is also considered to be a network anomaly because it can tear down the quality of the provided services. Unlike a DDoS attack, in an FC event legitimate users generate all the requests to access the offered services. The occurrence of a DDoS attack is a deliberate incident, while a flash crowd event happens unintentionally. Since both share analogous behaviours, it is a huge challenge to develop a system that can competently distinguish distributed flooding attack traffic from FC traffic, and there may be serious consequences if the two are not discriminated efficiently. The enhancement of DFAD is done using a stream mining technique. Stream mining is significant to many applications such as sensor data [153], network traffic data [154] and web-click stream data [155].
A data stream has a non-deterministic and unordered arrival rate, and it has unbounded size. The mining methods used for streaming data must take these observations into account. Because of the unbounded length of the data stream, the mining methods can afford only a single scan of the data. The stream mining methods should keep all the information about the history of the data, because any item or pattern that is not significant at the moment can become significant later on.
Mining over stream data can be performed using three types of window approaches, i.e. the landmark window, the sliding window and the damped sliding window. The landmark window approach allows stream mining over the data values that arrived between the landmark and the present. Following the sliding window approach, stream mining is performed over a fixed number W (the size of the window) of recently arrived data values. The damped sliding window gives more importance to recent data: while performing stream mining using a damped sliding window, higher weights are assigned to the recent data.
The proposed algorithm of our future work, the Enhanced Distributed Flood Attack Detector (EDFAD), given in Figure 5.1, is based on the sliding window approach to detect and discriminate FC from distributed flooding attack. In EDFAD, the incoming packet streams are collected in a buffer. When the buffer becomes full after a particular interval of time 't', it is copied to a table named PS (Packet Stream). The PS table is formulated after every time interval 't'. The algorithm EDFAD is designed to perform detection over the input packet stream PS. The input packet stream is composed of packets. Every packet contains an IP number, a receiving time (RT) and a content type entry. From every PS, maximal packet references (MPR) are extracted by the extractMPR routine. Every MPR entry consists of an IP number, a total packets (TP) entry, the receiving time RT, and a content flag indicating whether or not the incoming traffic contains the same content.
Algorithm: Enhanced distributed flood attack detector (EDFAD)
Input:
N: set of packet streams, N = {PS1, PS2, PS3, ...}
where every PS = {t, P1, P2, P3, ..., Pn} and Pi = (IP, RT, Ctype), ∀ i = 1, 2, 3, ..., n /* packet stream arrived at time t */
TP: total packets
RT: packets receiving time
Output:
A-IP: attacked nodes' IPs
1) foreach PSi ∈ N, where i = 1, 2, 3, ... {
2)     foreach Pj ∈ PSi, where j = 1, 2, 3, ..., n {
3)         ρ(Pj.IP) = ρ(Pj.IP) ∪ Pj    /* maximal IP reference MIR = {IP, RT1, RT2, RT3, ..., RTn, Cflag} */
       } // inner for loop
   } // outer for loop
4) A-IP = ∅
5) foreach MIRi ∈ ρ, where i = 1, 2, 3, ..., n {
6)     TP = |MIRi| – 2
7)     RT = MIRi.RTn – MIRi.RT1
8)     if (TP > φ)
9)         if (RT < σ && Cflag == same)
10)            A-IP = A-IP ∪ MPRi(IP)
11)        if (RT < σ && Cflag == dissimilar)
12)            print flash crowd;
   } // for loop end
13) Return A-IP;
One of the key components of EDFAD is to find those IPs from which the distributed flood attack is initiated. Therefore the extracted MPR and the Attack-IP (A-IP) parameter are passed to the detect abnormal traffic routine. The detect abnormal traffic routine basically performs a check on two types of entries, i.e. the receiving time RT and the total number of packets received from a particular IP. If the total number of packets received in a particular stream chunk is greater than the specified threshold "φ" and the receiving time is less than the specified limit 'σ', then this traffic will be considered abnormal traffic if the content type is also dissimilar.
Figure 5.1 Proposed EDFAD algorithm
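The EDFAD procedure of Figure 5.1 (buffer packets for an interval t, copy the buffer to a PS table, extract maximal packet references per IP, then apply the φ and σ checks together with the content flag) is shown below as an added Python example; it is not the thesis's own implementation. It follows the branch structure of the algorithm listing (more than φ identical-content packets from one IP inside σ seconds are recorded as an attack source, dissimilar content is reported as a flash crowd) and keeps the W most recent PS tables as the sliding window so that a burst straddling a table boundary is still seen whole. The thresholds PHI = 20 and SIGMA = 2.0 s, the window of 3 tables, the 2 s interval, the content types and all packet data are constructed assumptions.

```python
from collections import deque

# Constructed thresholds: φ (packets from one IP that must be exceeded) and
# σ (maximum receiving-time span, seconds) are assumptions, not thesis values.
PHI = 20
SIGMA = 2.0
WINDOW = 3          # W: number of most recent PS tables the sliding window keeps
CONTENT_TYPES = ("html", "css", "js", "png", "json")


def extract_mpr(packet_stream):
    """extractMPR: group (IP, RT, Ctype) packets by source IP into maximal packet
    references {ip, tp, rt, cflag}, mirroring steps 1-3 and 6-7 of the listing."""
    by_ip = {}
    for ip, rt, ctype in packet_stream:
        entry = by_ip.setdefault(ip, {"rts": [], "ctypes": set()})
        entry["rts"].append(rt)
        entry["ctypes"].add(ctype)
    mpr = []
    for ip, entry in by_ip.items():
        mpr.append({
            "ip": ip,
            "tp": len(entry["rts"]),                        # TP = |MIR| - 2
            "rt": max(entry["rts"]) - min(entry["rts"]),    # RT = RTn - RT1
            "cflag": "same" if len(entry["ctypes"]) == 1 else "dissimilar",
        })
    return mpr


def detect_abnormal_traffic(mpr, phi=PHI, sigma=SIGMA):
    """Steps 4-13: a burst of more than φ packets inside σ seconds is an attack
    source when every packet carries the same content, a flash crowd otherwise."""
    attack_ips, flash_crowd_ips = set(), set()
    for ref in mpr:
        if ref["tp"] > phi and ref["rt"] < sigma:
            if ref["cflag"] == "same":
                attack_ips.add(ref["ip"])
            else:
                flash_crowd_ips.add(ref["ip"])
    return attack_ips, flash_crowd_ips


class SlidingWindowDetector:
    """Buffers packets, copies the buffer to a PS table every t seconds and runs
    detection over the W most recent tables plus the current buffer."""

    def __init__(self, interval, window=WINDOW):
        self.interval = interval
        self.next_flush = interval
        self.buffer = []
        self.tables = deque(maxlen=window)   # oldest PS table is evicted automatically

    def feed(self, ip, rt, ctype):
        while rt >= self.next_flush:         # interval 't' elapsed: form a PS table
            self.tables.append(self.buffer)
            self.buffer = []
            self.next_flush += self.interval
        self.buffer.append((ip, rt, ctype))

    def detect(self):
        window_packets = [p for table in self.tables for p in table] + self.buffer
        return detect_abnormal_traffic(extract_mpr(window_packets))


def constructed_traffic():
    """Constructed sample: ten ordinary clients, three zombies replaying one
    request, and one NAT address fronting a flash crowd of varied requests."""
    packets = []
    for n in range(10):                      # legitimate: 5 varied packets over ~5 s
        for k in range(5):
            packets.append(("10.0.1.%d" % n, 0.3 + n * 0.05 + k * 1.2, CONTENT_TYPES[k]))
    for n in range(3):                       # zombies: 30 identical packets in < 1 s
        for k in range(30):
            packets.append(("10.0.9.%d" % n, 1.0 + n * 0.1 + k * 0.03, "html"))
    for k in range(25):                      # flash crowd: 25 varied packets in 1.5 s
        packets.append(("10.0.5.1", 2.0 + k * 0.06, CONTENT_TYPES[k % 5]))
    return sorted(packets, key=lambda p: p[1])


def run_example(interval=2.0):
    """Feed the constructed traffic through the detector and return (A-IP, flash-crowd IPs)."""
    detector = SlidingWindowDetector(interval)
    for ip, rt, ctype in constructed_traffic():
        detector.feed(ip, rt, ctype)
    return detector.detect()


if __name__ == "__main__":
    attack, flash = run_example()
    print("attack sources:", sorted(attack))
    print("flash-crowd sources:", sorted(flash))
```

In the constructed sample the three zombie addresses are returned as A-IP and the NAT address is reported as a flash crowd, while the ten low-rate clients trigger neither branch; with a window of several PS tables the zombie burst that crosses the 2 s table boundary is still counted in full.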
In the future, extensive simulations and experiments on real traffic will be carried out to evaluate EDFAD and compare its performance with different existing methodologies.
BIBLIOGRAPHY
[1] D. Gómez, P. Garrido, C. Rabadan, R. Agüero, and L. Muñoz, "TCP Performance Enhancement
over Wireless Mesh Networks by means of the Combination of Multi-RAT Devices and the
MPTCP Protocol," Network Protocols and Algorithms, vol. 6, no. 3, pp. 56-81, 2014.
[2] R. Lacuesta, J. Lloret, M. Garcia, and L. Peñalver, "Two Secure and Energy-Saving Spontaneous
Ad-Hoc Protocol for Wireless Mesh Client networks," Journal of Network and Computer
Applications, vol. 34, no. 2, pp. 492-505, 2011.
[3] B. Hallaj and M. Masdari, "A comprehensive analysis of DoS attacks and countermeasures in
wireless mesh networks," ACADEMIE ROYALE DES SCIENCES D OUTRE-MER BULLETIN DES
SEANCES, vol. 4, no. 4, pp. 1-10, 2015.
[4] G. Zhang and M. Parashar, "Cooperative Defence Against DDoS Attacks," Journal of Research and
Practice in Information Technology, vol. 38, no. 1, pp. 1-14, 2006.
[5] G. Oke and G. Loukas, "A Denial of Service Detector based on Maximum Likelihood Detection
and the Random Neural Network," Computer Journal, vol. 50, no. 6, pp. 717–727, 2007.
[6] D. Novikov, R. V. Yampolskiy, and L. Reznik, "Artificial Intelligence Approaches For Intrusion,"
in IEEE Long Island Systems, Applications and Technology Conference (LISAT 2006), Long Island,
NY, 2006.
[7] R. Jaggi and J. Sangade, "Detecting and Classifying Attacks using Artificial Neural Network,"
International Journal on Recent and Innovation Trends in Computing and Communication, vol. 2,
no. 5, pp. 1136-1142, 2014.
[8] T. Pandit and A. Dudy, "A Feed Forward Artificial Neural Network Based System To Minimize
Dos Attack In Wireless Network," International Journal of Advances in Engineering &
Technology, vol. 7, no. 3, pp. 938-947, 2014.
[9] S. Khan, K. K. Loo, and Z. Din, "Framework for Intrusion Detection in IEEE 802.11 Wireless
Mesh Networks ," International Arab Journal of Information Technology, vol. 7, no. 4, pp. 435-
439, 2010.
[10] D. Benyamina, A. Hafid, and M. Gendreau, "Wireless Mesh Networks Design — A Survey," IEEE
Communications Surveys & Tutorials, vol. 14, no. 2, pp. 299-310, 2011.
[11] V. A. Siris, E. Z. Tragos, and N. E. Petroulakis, "Experiences with a Metropolitan Multiradio
Wireless Mesh Network: Design, Performance and Application," IEEE Communications Magazine,
vol. 50, no. 7, pp. 128-136, 2012.
[12] P. Yi, Y. Wu, F. Zou, and N. Liu, "A Survey on Security in Wireless Mesh Networks," IETE
Technical Review, vol. 27, no. 1, pp. 6-14, 2010.
[13] F. Xing and W. Wang, "Understanding Dynamic Denial of Service Attack in Mobile Ad hoc
Networks," IEEE Military communication conference (MILCOM), pp. 1-7, 2006.
[14] S. Khan, N. Mast, K. K. Loo, and A. Salahuddin, "Passive Security Threats and Consequences in
IEEE 802.11 Wireless Mesh Networks," International Journal of Digital Content Technology and
its Application, vol. 2, no. 8, pp. 4-8, 2008.
[15] G. A. Marin, "Network Security Basics," IEEE Security and Privacy, vol. 3, pp. 68-72, 2005.
[16] D. R. Raymond and S. F. Midkiff, "Denial-of-Service in wireless sensor networks: attacks and
defences," IEEE Security and Privacy, pp. 74-81, 2008.
[17] N. B. Salem and J. .-P. Hubaux, "Securing Wireless Mesh Networks," IEEE Wireless
Communication, vol. 13, no. 2, pp. 50-55, 2006.
[18] H. Kandavalli and M. V. S. S. NagendraNath, "Minimizing Malicious Eavesdropping Ability in
Wireless Mesh Networks using SKeMS," International Journal of Computer Science and
Information Technologies (IJCSIT), vol. 3, no. 2, pp. 3476-3478, 2012.
[19] H. Said, M. Guimaraes, and M. N. A. Unknown, "Forensics and War Driving on Unsecured
Wireless Network," in Proc. 6th International Conference on Internet Technology and Secured
Transactions, Abu Dhabi, UAE, 2011.
[20] A. M. Al Naamany, A. Al Shidhani, and H. Bourdoucen, "IEEE 802.11 Wireless LAN Security
Overview," International Journal of Computer Science and Network Security (IJCSNS), vol. 6, no.
5, pp. 138-156, 2006.
[21] A. Tsakountakis, G. Kambourakis, and S. Gritzalis, "Towards effective Wireless Intrusion Detection in
IEEE 802.11i," in Proc. Third International Workshop on Security, Privacy and Trust in
Pervasive and Ubiquitous Computing (SecPerU), IEEE, 2007.
[22] J. Bellardo and S. Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical
Solutions," in Proceedings of the USENIX Security Symposium, August 2003, pp. 15–28.
[23] S. Singh and I. kaur, "Security against Active Attacks in Wireless Mesh Networks," International
Journal of Advanced Research in Computer Science and Software Engineering, vol. 2, no. 7, pp.
66-69, 2012.
[24] Usha and Bose, "Understanding Black Hole Attack in Manet," European Journal of Scientific
Research, vol. 83, no. 3, pp. 383-396, 2012.
[25] S. Shrivastava, C. Agrawal, and A. Jain, "Survey of Black Hole Attack and Security Scheme in
MANET," International Journal of Information and Communication Technology Research, vol. 4,
no. 3, 2014.
[26] N. Mohd, S. Annapurna, and H. S. Bhadauria, "Taxonomy on Security Attacks on Self
Configurable Networks," World Applied Sciences Journal, vol. 31, no. 3, pp. 390-398, 2014.
[27] D. Virmani, N. Batra, and A. Soni, "Detection of Malicious nodes using Selective Repeat
Automatic Repeat Request protocol for Wireless Sensor Networks," in Proceedings of the Third
International Conference on Computational Intelligence and Information Technology, 2013, pp. 62-
67.
[28] A. Bhosle, P. Thosar, and S. Mehatre, "Black-Hole and Wormhole Attack in Routing Protocol
AODV in MANET," International Journal of Computer Science, Engineering and Applications
(IJCSEA), vol. 2, no. 1, 2012.
[29] R. Kaur and J. Kalra, "Detection and Prevention of Black Hole Attack with Digital Signature,"
International Journal of Advanced Research in Computer Science and Software Engineering, vol.
4, no. 8, pp. 37-40, 2014.
[30] H. Weerasinghe and H. Fu, "Preventing Cooperative Black Hole Attacks in Mobile Ad Hoc
Networks: Simulation Implementation and Evaluation," International Journal of Software
engineering and Its Applications, vol. 2, no. 3, pp. 39-54, 2008.
[31] K. Geete, P. K. Shukla, and A. J. Deen, "A Survey on Grey Hole Attack in Wireless mesh
Networks," International Journal of Computer Applications (0975 – 8887), vol. 95, no. 23, pp. 23-
29, 2014.
[32] V. V. Vigilkumar and M. A. Rajam, "Detection of Colluding Selective Forwarding Nodes in
Wireless Mesh Networks based on Channel Aware Detection Algorithm," MES Journal of
Technology and Management, vol. 2, no. 1, pp. 62-66, 2011.
[33] E. V. Balan, M. K. Priyan, C. Gokulnath, and G. U. Devi, "Fuzzy Based Intrusion Detection
Systems in MANET," in 2nd International Symposium on Big Data and Cloud Computing
(ISBCC'15), vol. 50, 2015, pp. 109-114.
[34] D. M. Shila, Y. Cheng, and T. Anjali, "Mitigating Selective Forwarding Attacks with a
Channel-Aware Approach in WMN's," IEEE Transactions on Wireless Communications, vol. 9, no. 5,
pp. 1661-1675, 2010.
[35] D. M. Shila, Y. Cheng, and T. Anjali, "Channel-Aware Detection of Gray Hole Attacks in Wireless
Mesh Networks," IEEE Global Telecommunications Conference, pp. 1-6, 2009.
[36] L. Y. Luan, Y. F. Fu, P. Xiao, and L. X. Peng, "Preventing Wormhole Attacks in Wireless Mesh
Networks," Applied Mechanics and Materials, vol. 443, pp. 440-445, 2014.
[37] M. Azer, S. El-Kassas, and M. El-Soudani, "A Full Image of the Wormhole Attacks Towards
Introducing Complex Wormhole Attacks in wireless Ad Hoc Networks," International Journal of
Computer Science and Information Security (IJCSIS), vol. 1, no. 1, pp. 41-52, 2009.
[38] K. Singh and G. Singh, "Review on Wormhole Security and Their Detection Scheme,"
International Journal of Advanced Research in Computer Science and Software Engineering, vol.
4, no. 1, pp. 1166-1174, 2014.
[39] V. S. S. Sriram, A. P. Singh, and G. Sahoo, "Methodology for Securing Wireless LANs Against
Wormhole Attack," International Journal of Recent Trends in Engineering, vol. 1, no. 1, pp. 148-
152, 2009.
[40] P. Subhash and S. Ramachandram, "Preventing Wormholes in Multihop Wireless Mesh Networks,"
in Third International Conference on Advanced Computing & Communication Technologies, 2013,
pp. 293-300.
[41] P. Niranjan, P. Srivastava, R. K. Soni, and R. Pratap, "Detection of Wormhole Attack using Hop-
Count and Time-Delay Analysis," International Journal of Scientific and Research Publications,
vol. 2, no. 4, pp. 2250-5153, 2012.
[42] N. Sharma and U. Singh, "A Location Based Approach to Prevent Wormhole Attack in WSN,"
International Journal of Advanced Research in Computer Science and Software Engineering (IJARCSSE), vol. 4, no. 1, pp. 840-845, 2014.
[43] H. Wen and G. Luo, "Wormhole Attacks Detection and Prevention Based on 2-Hop Neighbour in
Wireless Mesh Networks," Journal of Information & Computational Science, vol.
10, no. 14, pp. 4461–4476, 2013.
[44] P. Gupta and S. Moudgil, "A Novel Scheme to Detect Wormhole Attacks in Wireless Mesh
Network," International Journal of Computer Science and Information
Technologies (IJCSIT), vol. 5, no. 3, pp. 4798-4801, 2014.
[45] S. Khan, N. A. Alrajeh, and K. K. Loo, "Secure Route Selection in Wireless Mesh Networks,"
Elsevier Computer Networks, vol. 56, no. 1, pp. 491-503, 2012.
[46] G. Vennila, D. Arivazhagan, and N. Manickasankari, "A Survey of Sinkhole Attack on DSR in
MANET," International Journal of Computer Science and Mobile Computing, vol. 3, no. 5, pp.
239-244, 2014.
[47] S. R. Jathe and D. M. Dakhane, "Detection of Sinkhole Attack against DSR Protocol MANET,"
International Journal of Advanced Research in Computer Science and Software Engineering, vol.
2, no. 4, pp. 460-464, 2012.
[48] G. Kim, Y. Han, and S. Kim, "A Cooperative-Sinkhole Detection Method for Mobile Adhoc
Networks," AEU-International Journal of Electronics and Communications, vol. 64, no. 5, pp. 390-
397, 2010.
[49] G. Unknown and A. Unknown, "Study on Sinkhole Attacks in Wireless Ad hoc Networks,"
International Journal on Computer Science and Engineering (IJCSE), vol. 4, no. 6, pp. 1078-1085,
2012.
[50] G. M. Jacqueline and M. P. Ponnusamy, "Sybil Attack In High Throughput Multicast Routing In
Wireless Mesh Networks," International Journal of Modern Engineering Research (IJMER), vol. 2,
no. 1, pp. 534-539, 2012.
[51] Y. C. Zhang, W. Liu, W. J. Lou, and Y. G. Fang, "Location Based Compromise-Tolerant Security
Mechanisms for Wireless Sensor Networks," IEEE Journal on Selected Areas in Communications,
vol. 24, no. 2, p. 247–260, 2006.
[52] R. Garg and H. Sharma, "Comparison between Sybil Attack Detection Techniques: Lightweight
and Robust," International Journal of Advanced Research in Electrical, Electronics and
Instrumentation Engineering, vol. 3, no. 2, pp. 7142-7147, 2014.
[53] M. Wen, H. Li, Y. F. Zheng, and K. F. Chen, "TDOA-Based Sybil Attack Detection Scheme for
Wireless Sensor Networks," Journal of Shanghai University (English Edition), vol. 12, no. 1, pp.
66-70, 2008.
[54] A. Rajput, S. Goyal, and R. Agrawal, "Detecting Malicious Traffic in Wireless Mesh Network,"
International Journal of Engineering Research and General Science, vol. 3, no. 2, pp. 767-774,
Mar. 2015.
[55] S. Khan, N. Mast, and K. Loo, "Denial of Service Threats and Mitigation Techniques in IEEE
802.11 Wireless Mesh Networks," INFORMATION-AN INTERNATIONAL INTERDISCIPLINARY
JOURNAL, vol. 12, no. 1, pp. 209-216, 2009.
[56] S. T. Zargar, J. Joshi, and D. Tipper, "A Survey of Defense Mechanisms Against Distributed Denial
of Service (DDoS) Flooding Attacks," IEEE, Communications Surveys & Tutorials, vol. 15, no. 4,
pp. 2046-2069, 2013.
[57] H. Jing and W. Wen, "Research on the Detection and Defense Systems Against DDoS Attacks in
ad-hoc Networks," WIT Transactions on Information and Communication Technologies, vol. 46,
no. 2, pp. 1161-1168, 2014.
[58] Monika, "Denial of Service Attacks in Wireless Mesh Networks," International Journal of
Computer Science and Information Technologies, vol. 3, no. 3, pp. 4516-4522, 2012.
[59] S. Khan, K. K. Loo, T. Naeem, and M. I. Khan, "Denial of Service Attacks and Challenges in
Broadband Wireless Networks," International Journal of Computer Science and Network Security
(IJCSNS), vol. 8, no. 7, pp. 1-6, 2008.
[60] L. Santhanam, D. Nandiraju, N. Nandiraju, and D. Agarwal, "Active Cache based Defense Against
DoS Attacks in Wireless Mesh Network," in 2nd International symposium on Wireless Passive
Computing( ISWPC '07), 2007.
[61] C. Sorrells and L. Qian, "Quickest Detection of Denial-of-Service Attacks in Cognitive Wireless
Networks," International Journal of Network Security, vol. 16, no. 6, pp. 468-476, 2014.
[62] G. Carl, G. Kesidis, R. R. Brooks, and S. Rai, "Denial-of-Service Attack Detection Techniques,"
IEEE Internet Computing, vol. 10, no. 1, pp. 82-89, 2006.
[63] L. Luan, Y. Fu, and P. Xiao, "An Effective Denial of Service Attack Detection Method in Wireless
Mesh Networks," International Conference on Medical Physics and Biomedical Engineering
(ICMPBE2012), vol. 33, pp. 354-360, 2012.
[64] D. Bansal and S. Sofat, "Use of Cross Layer Interactions for Detecting Denial of Service Attacks in
WMN," IEEE, 14th International Telecommunications Network Strategy and Planning Symposium
(NETWORKS), pp. 1-6, 2010.
[65] J. Y. Koh, J. T. C. Ming, and D. Niyato, "Rate limiting client puzzle schemes for Denial-of-Service
mitigation," IEEE Wireless Communications and Networking Conference (WCNC): Networks, pp.
1848-1853, 2013.
[66] V. Gulisano, et al., "STONE: A streaming DDoS defense framework," Expert Systems With
Applications, ELSEVIER, vol. 42, no. 1, pp. 9620-9633, 2015.
[67] C. Douligeris and A. Mitrokotsa, "DDoS Attacks and Defense Mechanisms: Classification and
State-of-the-art," Computer Networks, vol. 44, no. 5, p. 643–666, 2004.
[68] S. M. Speech and R. B. Lee, "Distributed Denial of Service: Taxonomies of Attacks, Tools and
Countermeasures," in Proceedings of the 17th International Conference on Parallel and Distributed
Computing Systems, pp. 543-550, 2004.
[69] F. Yi, S. Yu, W. Zhou, J. Hai, and A. Bonti, "Source-Based Filtering Algorithms against DDoS
Attacks," International Journal of Database Theory and Applications, vol. 1, no. 1, pp. 9-22, 2008.
[70] Y. Chen and K. Hwang, "Spectral Analysis of TCP Flows for Defense against Reduction-of-Quality
Attack," IEEE International Conference on Communications (ICC'07), pp. 1203–1210, 2007.
[71] K. W. M. Ghazali and R. Hassan, "Flooding Distributed Denial of Service Attacks-A Review,"
Journal of Computer Science, vol. 7, no. 8, pp. 1218-1223, 2011.
[72] P. R. Reddy and C. Malathi, "Techniques to Differentiate DDOS Attacks from Flash Crowd,"
International Journal of Advanced Research in Computer Science and Software Engineering, vol.
3, no. 6, pp. 295-299, 2013.
[73] V. Gopinath and C. Anand, "An Efficient Approach to Block DDoS Attacks Using Adaptive
Selective Verification Protocol," International Journal of Computer Science and Information
Technologies (IJCSIT), vol. 5, no. 2, pp. 1349-1351, 2014.
[74] C. Linhart, A. Klein, R. Heled, and S. Orrin, "Http Request Smuggling," Computer Security
Journal, vol. 22, no. 1, pp. 13-26, 2006.
[75] S. Heron, "Denial of Service: Motivations and Trends," Network Security, no. 5, pp. 10-12, 2010.
[76] P. Chwalinski, R. Belavkin, and X. Cheng, "Detection of HTTP-GET Attack with Clustering and
Information Theoretic Measurements," in In Foundations And Practice Of Security, J. Garcia-
Alfaro, et al., Eds. Springer Berlin Heidelberg, 2013, vol. 7743, pp. 45-61.
[77] D. Das, U. Sharma, and D. K. Bhattacharyya, " Detection Of Http Flooding Attacks In Multiple
Scenarios,", Rourkela, Odisha, India, 2011," in International Conference On Communication,
Computing And Security, 2011.
[78] C. Sun, C. Hu, and B. Liu, "SACK2: Effective SYN Flood Detection Against Skillful Spoofs," IET,
Information Security, vol. 6, no. 3, p. 149–156, 2012.
[79] B. Xiaoa, W. Chen, and Y. Hec, "An Autonomous Defense Against SYN Flooding Attacks: Detect
and Throttle Attacks at the Victim Side Independently," Journal of Parallel and Distributed
Computing, vol. 68, no. 1, p. 456–470, 2008.
[80] A. Singh and D. Juneja, "Agent Based Preventive Measure for UDP Flood Attack in DDoS
Attacks," International Journal of Engineering Science and Technology, vol. 2, no. 8, pp. 3405-
3411, 2010.
[81] F. Wong and C. X. Tan, "Survey of Trends in Massive DDoS Attacks and Cloud-Based
Mitigations," International Journal of Network Security & Its Applications (IJNSA), vol. 6, no. 3,
pp. 57-71, 2014.
[82] S. R. Ranjan, M. Uysal, and N. A. Unknown, " Knightly E DDoS-Shield: DDoS-Resilient
scheduling to counter application layer attack ," IEEE/ACM Trans Networking, vol. 17, no. 1, p.
26–39, 2009.
[83] H. J. Liao, C. H. Richard Lin, Y. C. Lin, and K. Y. Tung, "Intrusion Detection System: A
Comprehensive Review," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 16-24,
2013.
[84] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of Network-based Defense Mechanisms
Countering the DoS and DDoS Problems. , 39(1):3, 2007," ACM Computing Surveys, vol. 39, no. 1,
pp. 1-42, 2007.
[85] A. Hussain, J. Heidemann, and C. Papadopoulos, "Identification of repeated denial of service
attacks,," in Preecding of 25th IEEE International Conference on Computer Communications
(INFOCOM), pp. 1-5, 2006.
[86] M. A. Jamshed, et al., "Kargus: A Highly-Scalable Software-based Intrusion Detection System,,"
Proceedings of the 2012 ACM Conference on Computer and Communications Security CCS ’12,
ACM,, p. 317–328, 2012.
[87] Y. Kim, J. Y. Jo, F. Merat, M. Yang, and Y. Jiang, "Mitigating Distributed Denial-of-service Attack
With Deterministic Bit Marking," International Journal of Information Technology, vol. 11, no. 2,
pp. 62-82, 2005.
[88] M. Zamani, M. Movahedi, M. Ebadzadeh, and H. Pedram, "A DDOS-Aware IDS Model Based on
Danger Theory and Mobile Agents," International Conference on Computational Intelligence and
Security, vol. 1, p. 516–520, 2009.
[89] A. Tajbakhsh, M. Rohmati, and A. Mirzaei, "Intrusion Detection using Fuzzy Association Rules,"
Applied Soft Computing, vol. 9, no. 2, p. 462–469, 2009.
[90] K. Lee, J. Kim, K. H. Kwon, y. Han, and S. Kim, "DDoS Attack Detection Method using Cluster
Analysis," Expert Systems with Applications, vol. 34, no. 3, p. 1659–1665, 2008.
[91] G. Thatte, U. Mitra, and J. Heidemann, "Parametric Methods for Anomaly Detection in Aggregate
Traffic," IEEE/ACM Transactions On Networking, vol. 19, no. 2, pp. 512-525, 2011.
[92] R. Mitchell, R. I. Chen, and M. Eltoweissy, "Signalprint-based Intrusion Detection in Wireless
Networks," Security in Emerging Wireless Communication and Networking Systems, pp. 77-88,
2010.
[93] X. Wang, J. Wong, F. Stanly, and S. Basu, "Cross-layer based Anomaly Detection in Wireless
Mesh Networks," 9th Annual International Symposium on Applications and the Internet, pp. 9-15,
2009.
[94] B. S. K. Devi, G. Preetha, and S. M. Shalinie, "DDoS Detection using Host-network based Metrics
and Mitigation in Experimental Testbed," IEEE ,International Conference on Recent Trends In
Information Technology (ICRTIT), pp. 423-427, 2012.
[95] S. Zhong, T. M. Khoshgoftaar, and S. Nath, " A Clustering Approach to Wireless Network
Intrusion Detection," Proceedings of the 17th IEEE International Conference on Tools with
Artificial Intelligence, pp. 190-196, 2005.
[96] F. Haddad and M. Sarram, "Wireless Intrusion Detection System Using a Lightweight Agent,"
International Conference on Computer and Network Technology, vol. 2, p. 84–87], 2010.
[97] H. L. a. A. P. Dongwon Seo, "PFS: Probabilistic Filter Scheduling Against Distributed Denial-of-
Service Attacks," 36th Annual IEEE Conference on Local Computer Networks( LCN), pp. 9-17,
2011.
[98] A. R. Swain and B. Sahoo, "Mitigating DDoS Attack and Saving Computational Time using a
Probabilistic approach and HCF method," in IEEE International Advance Computing Conference
(IACC 2009), 2009, pp. 1170-1172.
[99] M. Aamir and M. Arif, "Study and Performance Evaluation on Recent DDoS Trends of Attack &
Defense," International Journal of Information Technology and Computer Science, vol. 8, pp. 54-
65, 2013.
[100] N. V. Poorrni ma, K. ChandraPrabha, and B. G. Geet ha, "Adaptive Discriminating Detection for
DDoS Attacks from Flash Crowds Usi ng Flow Correlation Coefficient with Collective Feedback,"
International Journal of Innovative Research in Computer and Communication Engineering, vol. 2,
no. 1, 2014.
[101] K. Li, W. Zhou, P. Li, and J. Liu, "Distinguishing DDoS Attacks from Flash Crowds Using
Probability Metrics," 3rd International Conference on Network and System Security (IEEE), pp. 9-
17, 2009.
[102] N. Jeyanthi and N. C. Sriman Narayana Iyengar, "An Entropy based Approach to Detect and
Distinguish DDoS Attacks from Flash Crowds in VoIP Networks," International Journal of
Network Security, vol. 14, no. 5, p. 257–269, 2012.
[103] B. K. Hemanta, "Towards Forming A Field Of Fuzzy Sets," International Journal of Energy,
Information and Communications (IJEIC), vol. 2, no. 1, pp. 1-22, 2011.
[104] M. M. M. Hassan, "Current Studies on Intrusion Detection System, Genetic Algorithm and Fuzzy
Logic," International Journal of Distributed and Parallel Systems, vol. 4, no. 2, pp. 35-47, 2013.
[105] Z. Xia, S. Lu, J. Li, and J. Tang, "Enhancing DDoS Flood Attack Detection via Intelligent Fuzzy
Logic," Informatica, vol. 34, no. 4, p. 497–507, 2010.
[106] S. N. Shiaeles, V. Katos, A. S. Karakos, and B. K. Papadopoulos, "Real Time DDoS Detection
using Fuzzy Estimators," Computers & Security, vol. 31, no. 1, p. 782–790, 2012.
[107] C. Balarengadurai and S. Saraswathi, "Fuzzy Based Detection and Prediction of DDoS Attacks in
IEEE 802.15.4 Low Rate Wireless Personal Area Network," International Journal of Computer
Science (IJCS), vol. 6, no. 1, pp. 293-301, 2013.
[108] F. Sun and G. Guo, "Research of Immunity-based Anomaly Intrusion Detection and Its Application
for Security Evaluation of E-government Affair Systems," International Journal of Digital Content
Technology and its Applications(JDCTA), vol. 6, no. 20, pp. 429-437, 2012.
[109] F. Sun, "Artificial Immune Danger Theory Based Model for Network Security Evaluation," Journal
of Networks, vol. 6, no. 2, pp. 255-272, 2011.
[110] X. Dong, X. Lv, Y. Guan, and J. Yang, "Multi-word-Agent Autonomy Learning Based on Adaptive
Immune Theories," International Journal of Digital Content Technology and its
Applications(JDCTA), vol. 7, no. 3, p. 723–745, 2013.
[111] D. Dal, S. Abraham, A. Abraham, S. Sanyal, and M. Sanglikar, "Evolution Induced
SecondaryImmunity: An Artificial Immune System Based Intrusion Detection System," 7th
ComputerInformation Systems and Industrial Management Applications, p. 65–70, 2008.
[112] F. Hosseinpour, A. Meulenberg, S. Ramadass, P. A. Vahdani, and Z. Moghaddasi, "Distributed
Agent Based Model for Intrusion Detection System Based on Artificial Immune System,"
International Journal of Digital Content Technology and its Applications(JDCTA), vol. 7, no. 9, p.
206–214, 2013.
[113] K. Ali, I. Aib, and R. Boutaba, "P2P-AIS: A P2P Artificial Immune Systems Architecture for
Detecting DDoS Flooding Attacks," Information Infrastructure Symposium, IEEE, pp. 1-4, 2009.
[114] K. Luther, R. Bye, T. Alpcan, A. Muller, and S. Albayrak, "A Cooperative AIS Framework For
Intrusion Detection," IEEE International Conference on Communications (ICC '07), p. 1409–1416,
2007.
[115] S. Singh, P. J. Singh, and G. Shrivastva, "A Hybrid Artificial Immune System or IDS based on
SVM and Belief Function," 4th International Conference on Computing, Communications and
Networking Technologies(ICCCNT), IEEE, 2013.
[116] A. A. Ojugo, A. O. Eboka, O. E. Okonta, R. E. Yoro, and F. O. Aghware, "Genetic Algorithm Rule-
Based Intrusion Detection System (GAIDS)," Journal of Emerging Trends in Computing and
Information Sciences, vol. 3, no. 8, pp. 1182-1194, 2012.
[117] P. Salunkhe and M. Shishupal, "enial-Of -Service Attack Detection Using KDD," International
Journal of Application or Innovation in Engineering & Management (IJAIEM), vol. 4, no. 3, pp. 1-
5, 2015.
[118] M. S. Hoque, A. Mukit, and A. N. Bikas, "An Implementation of Intrusion Detection System using
Genetic Algorithm," International Journal of Network Securityand Its Applications (IJNSA), vol. 4,
no. 2, pp. 109-120, 2012.
[119] J. H. Lee, D. S. Kim, S. M. Lee, and J. S. Park, "DDoS Attacks Detection Using GA based
Optimized Traffic Matrix," IEEE Conference on Innovative Mobile and Internet Services in
Ubiquitous Computing, pp. 216-220, 2011.
[120] B. Upalhaiah, K. Anand, B. Narsimha, S. Swaraj, and T. Bharat, "Genetic Algorithm Approach to
Intrusion Detection System," International Journal of Computer Science and Telecommunications
(IJSCT), vol. 3, no. 1, pp. 156-160, 2012.
[121] M. M. Md and M. Hassan, "Network Intrusion Detection System Using Genetic Algorithm and
Fuzzy Logic," International Journal of Innovative Rresearch in Coputer and communication
engineering, vol. 1, no. 7, pp. 1435-1445, 2013.
[122] A. Panchal and O. Kale, "A Literature Survey on Recurrent Neural Network and Various
Techniques for Speech Recognition," International Journal of Science and Research (IJSR), vol. 3,
no. 12, pp. 1270-1272, 2014.
[123] R. K. Al Seyab and Y. Cao, "Nonlinear System Identification for Predictive Control using
Continuous Time Recurrent Neural Networks and Automatic Differentiation," Journal of Process
Control, vol. 18, no. 6, pp. 568-581, 2008.
[124] I. Ahmad, S. U. Swati, and S. Mohsin, "Intrusion Detection Mechanism by Resilient Back
Propagation (RPROP)," European Journal Of Scientific Research, vol. 17, no. 4, pp. 523-530,
2007.
[125] M. Al Doori and B. Beyrouti, "Credit Scoring Model Based on Back Propagation Neural," IJCSNS
International Journal of Computer Science and Network Security, vol. 14, no. 03, pp. 16-24, 2014.
[126] I. Ahmad, M. A. Ansari, and M. Sajjad, "Performance Comparison between Backpropagation
Algorithms Applied to Intrusion Detection in Computer Network Systems," in 9th WSEAS
International Conference on NEURAL NETWORKS (NN’08), Sofia, Bulgaria, 2008, pp. 231-236.
[127] A. Garg and R. P. Singh, "Voltage Profile Analysis in Power Transmission System based on
STATCOM using Artificial Neural Network in MATLAB/SIMULINK," International Journal of
Applied Information Systems(IJAIS), Foundation of Computer Science, vol. 6, no. 1, 2013.
[128] Ippoliti, Dennis, and X. Zhou, "AGHSOM: An Adaptive Growing Hierarchical Self Organizing
Map for Network Anomaly Detection," Journal of Parallel and Distributed Computing, vol. 72, no.
12, pp. 1576-1590, 2012.
[129] K. Choksi, B. Shah, and O. Kale, "Intrusion Detection System using Self Organizing Map: A
Survey," Internarional Journal of Engineering Research and Applications, vol. 4, no. 12, pp. 11-16,
2014.
[130] V. Pachghare, P. Kulkarni, and D. M. Nikam, "Intrusion Detection System Using self Organizing
Maps," International Conference on Intelligent Agent Multi-Agent Systems (IAMA), pp. 1-5, 2009.
[131] S. Haykin, Neural Networks: A comprehensive Foundation, 2nd ed. New Jersey, USA: Prentice
Hall, 2103.
[132] M. Amini, R. Jalili, and H. R. Shahriari, "RT-UNNID: A Practical Solution to Real-Time Network-
based Intrusion Detection using Unsupervised Neural Networks," Computers & Security, Elsevier,
vol. 25, no. 1, pp. 459-468, 2006.
[133] A. Balaz and L. Vokorokos, "Ntrusion Detection System Using Self Organizing Map," Acta
Electrotechnica et Informatica, vol. 6, no. 1, pp. 1-6, 2006.
[134] A. Mitrokotsa and C. Douligeris, "Detecting Denial of Service Attacks Using Emergent Self-
Organizing Maps," IEEE International Symposium on Signal Processing and Information
Technology, pp. 375-380, 2005.
[135] F. M. Khodaie, M. A. J. Jamali, and A. Farzan, "Intrusion Detection System Using Self Organizing
Map Algorithm," International Journal of Computer Applications Technology and Research, vol. 3,
no. 2, pp. 585-588, 2014.
[136] A. Saied, E. Richard, O. Unknown, and T. Radzik, "Detection of known and unknown DDoS
attacks using Artificial Neural Networks," Neurocomputing, ELSEVIER, vol. 172, no. 1, pp. 385-
393, 2016.
[137] H. V. Nguyen and Y. Choi, "Proactive Detection of DDoS Attacks Utilizing K-NN Classifiers in an
Anti-DDOS Framework," International Journal of Electrical, Conmputer and System Engineering,
vol. 4, no. 1, pp. 247-252, 2010.
[138] R. Karimazad and A. Faraahi, "An Anomaly based Method For DDoS Attacks Detection Using
RBF Neural Networks," Proceedings of the International Conference on Network and Electronics
Engineering, vol. 11, pp. 44-48, 2011.
[139] D. Gavrilis and E. Dermatas, "Real-Time Detection of Distributed Denial-of-Service Attacks using
RBF Networks and Statistical Features," Computer Networks, vol. 48, no. 1, pp. 235-245, 2005.
[140] B. B. Gupta, et al., "Predicting Number of Zombies in a DDoS Attack Using ANN Based Scheme,"
Communications in Computer and Information Science, Springer, vol. 147, no. 1, pp. 117-122,
2011.
[141] M. H. Bhuyan, D. K. Bhattacharyya, and K. J. Kalita, "An empirical evaluation of information
metrics for low-rate and high-rate DDoS attack detection," Pattern Recognition Letters, ELSEVIER,
vol. 51, no. 1, pp. 1-7, 2015.
[142] N. Tewari and A. Bhardwaj, "Flow Statistics Based Detection of Low Rate and High Rate DDoS
Attacks," International Journal of Scientific & Engineering Research, vol. 4, no. 5, pp. 348-353,
2013.
[143] A. R. Kumar and P. S. Selvakumar, "M2KMIX: Identifying the Type of High Rate Flooding
Attacks using a Mixture of Expert Systems," I. J. Computer Network and Information Security, vol.
1, no. 1, pp. 1-16, 2012.
[144] S. Mukkamala, A. H. Sung, and A. Abraham, "Intrusion Detection using an Ensemble of Intelligent
Paradigms," Journal of Network and Computer Applications, vol. 28, no. 2, pp. 167-182, 2005.
[145] P. A. R. Kumar and S. Selvakumar, "Distributed Denial of Service Attack Detection using an
Ensemble of Neural Classifier," Computer Communication, vol. 34, no. 11, p. 1328–1341, 2011.
[146] C. Scott and R. Nowak, "A Neyman Pearson Approach to statistical learning," Technical Report
TREE 0407.
[147] P. K. Agarwal, B. B. Gupta, S. Jain, and M. K. Pattanshetti, "Estimating Strength of a DDoS Attack
in Real Time Using ANN Based Scheme," Communications in Computer and Information Science,
Springer, vol. 157, no. 6, pp. 301-310, 2011.
[148] S. Rastegari, M. I. Saripan, M. Fadlee, and A. Rasid, "Detection of Denial of Service Attacks
against Domain Name System Using Neural Networks," International Journal of Computer Science
Issues (IJCSI), vol. 6, no. 1, pp. 23-27, 2009.
[149] N. A. Alrajeh, S. Khan, J. Lloret, and J. Loo, "Artificial Neural Network based Detection of Energy
Exhaustion Attacks in Wireless Sensor Networks capable of Energy Harvesting,Vol.22, Issue3-4,
2014.," Ad Hoc & Sensor Wireless Networks, vol. 3, no. 4, 2014.
[150] A. Nuchitprasittichai and S. Cremaschi, "Aroonsri Nuchitprasittichai and Selen Cremaschi An
Algorithm to Determine Sample Sizes for Optimization with Artificial Aeural Networks," AIChE
Journal, vol. 59, no. 3, pp. 805-812, 2013.
[151] The Network Simulator -ns-2 web page,"http://nsnam.isi.edu/nsnam/index.php/Main_Page"
[Online]. [Accessed Feb 2014].
[152] P. N. Jadhav and B. M. Patil, "Low-rate DDOS Attack Detection using Optimal Objective Entropy
Method," International Journal of Computer Applications, vol. 78, no. 3, pp. 33-38,, 2013.
[153] P. Bonnet, J. Gehrke, and P. Seshadri, "Towards Sensor Database Systems," 2nd IEEE MDM
International Conference on Mobile Data Management, pp. 3-14, 2001.
[154] E. Demaine, A. L. Opez-Ortiz, and J. Munro, "Frequency Estimation of Internet Packet Streams
with Limited Space," In Proceedings of the 10th ESA Annual European Symposium on Algorithms,
pp. 348-360, 2002.
[155] S. Gunduz and M. Ozsu, "A Web Page Prediction Model Based on Click-Stream Tree
Representation of User Behavior," In Proceedings of the 9th ACM SIGKDD International
Conference on Knowledge Discovery and Data Mining, pp. 535-540, 2003.