Noureddine Boucif,Frederik Golchert,Alexander Siemer,Patrick Felke,Frederik Gosewehr

DOI: https://doi.org/10.48550/arXiv.2001.08497

2020-01-23

Abstract:This paper describes two denial of service attacks against the Z-Wave protocol and their effects on smart home gateways. Both utilize modified unencrypted packets, which are used in the inclusion phase and during normal operation. These are the commands Nonce Get/S2 Nonce Get and Find Nodes In Range. This paper shows how both can be manipulated and used to block a Z-Wave gateway's communication processing which in turn disables the whole Z-Wave network connected to it

Cryptography and Security

Wenyuan Xu,Ke Ma,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1109/mnet.2006.1637931

IF: 10.294

2006-01-01

IEEE Network

Abstract:Wireless sensor networks are built upon a shared medium that makes it easy for adversaries to conduct radio interference, or jamming, attacks that effectively cause a denial of service of either transmission or reception functionalities. These attacks can easily be accomplished by an adversary by either bypassing MAC-layer protocols or emitting a radio signal targeted at jamming a particular channel. In this article we survey different jamming attacks that may be employed against a sensor network. In order to cope with the problem of jamming, we discuss a two-phase strategy involving the diagnosis of the attack, followed by a suitable defense strategy. We highlight the challenges associated with detecting jamming. To cope with jamming, we propose two different but complementary approaches. One approach is to simply retreat from the interferer which may be accomplished by either spectral evasion (channel surfing) or spatial evasion (spatial retreats). The second approach aims to compete more actively with the interferer by adjusting resources, such as power levels and communication coding, to achieve communication in the presence of the jammer.

Zhiguo Shi,Rongxing Lu,Jian Qiao,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/wcnc.2013.6555338

2013-01-01

Abstract:In this paper, we propose a wormhole attack resistant secure neighbor discovery scheme, named SND, for 60 GHz directional wireless network with a centralized network controller (NC). In specific, the proposed SND scheme consists of three phases: the NC broadcasting phase, the network node response/authentication phase and the NC time-delay analysis phase. In the broadcasting phase and response/authentication phase, local time information and antenna direction information are elegantly exchanged with signature based authentication techniques between the NC and legislate network nodes, which can prevent most of the wormhole attacks. In the NC time-delay analysis phase, the NC can further detect the possible attack by using the time-delay information from the network node. To solve the transmission collision problem in the response/authentication phase, an RD-TDMA protocol is also proposed. Both simulation results and security analysis demonstrate that the proposed SND scheme can effectively resist wormhole attack for the 60 GHz communication network with directional antenna.

Hongyan Liu,Xiang Chen,Yi Shen,Qun Huang,Zhengyan Zhou,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iwqos57198.2023.10188714

2023-01-01

Abstract:In programmable networks, some networking systems coordinate data plane switches to realize in-network functions (e.g., in-band network telemetry). However, the vulnerabilities of inter-device coordination are still largely unknown and neglected, which is highly concerning given the increasing popularity of this paradigm. In this paper, we identify three attack scenarios built upon such vulnerabilities, where attackers mislead the behaviors of networking systems that exploit inter-device coordination to execute in-network functions. We implement 20 existing networking systems on Tofino-based switches and a simulator, and attack these systems with the identified attacks. The experimental results indicate that our attacks significantly interfere with the normal operations of the selected networking systems, e.g., the cache hit rate of NetCache drops 38%. Our analysis also demonstrates that none of existing methods can fully mitigate our attacks since they fail to verify the packets for inter-device coordination.

Haiding Tang,Zhouzheng Lu,Lifu Zhang,Yang Chen,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/etfa.2015.7301498

2015-01-01

Abstract:Recently, the industrial wireless protocols have been widely used around the world. However, the unreliable communication media between the sensors and the central controller renders the wireless signal channel vulnerable to many attacks. Various efforts have been devoted to study the influence of specific malicious attacks from the aspect of theoretical investigation based on different assumptions. This paper focuses on verifying the optimal Denial-of-Service (DoS) jamming attack strategy on a class of wireless industrial control system from the view of experiments. We first introduce typical control system model and DoS attack model, and an optimal DoS attack schedule against LQG control based on these models. Then, we establish a semi-physical security testbed which consists of virtual plant, physical controller and communication process. We also realize wireless DoS attacks by exploiting the USRP device. Through extensive experiments and analysis, we investigate the performance of different DoS attack strategies on the LQG control system over an inverted pendulum.

Xianghui Cao,Devu Manikantan Shila,Yu Cheng,Zequ Yang,Yang Zhou,Jiming Chen

DOI: https://doi.org/10.1109/jiot.2016.2516102

IF: 10.6

2016-01-01

IEEE Internet of Things Journal

Abstract:ZigBee has been widely recognized as an important enabling technique for Internet of Things (IoT). However, the ZigBee nodes are normally resource-limited, making the network susceptible to a variety of security threats. This paper closely investigates a severe attack on ZigBee networks termed as ghost, which leverages the underlying vulnerabilities of the IEEE 802.15.4 security suites to deplete the energy of the nodes. We show that the impact of ghost is very large and that it can facilitate a variety of threats including denial of service and replay attacks. We highlight that merely deploying a standard suite of advanced security techniques does not necessarily guarantee improved security, but instead might be leveraged by adversaries to cause severe disruption in the network. We propose several recommendations on how to localize and withstand the ghost and other related attacks in ZigBee networks. Extensive simulations are provided to show the impact of the ghost and the performance of the proposed recommendations. Moreover, physical experiments also have been conducted and the observations confirm the severity of the impact by the ghost attack. We believe that the presented work will aid the researchers to improve the security of ZigBee further.

Wade Trappe,Wenyuan Xu

DOI: https://doi.org/10.7282/t3rj4jw7

2007-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to conduct radio interference, or jamming attacks, which effectively cause a denial of service (DoS) of either transmission or reception functionalities. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this thesis, we examine the issue of jamming wireless networks, and sensor networks in particular, by studying both the attack and defense side of the problem. On the attack side, we present four different jamming attack models that can be used by an adversary to disable the operation of a wireless network, and evaluate their effectiveness in terms of how each method affects the ability of a wireless node to send and receive packets. In order to cope with the problem of jamming, we discuss a two-phase strategy involving the diagnosis of the attack, followed by a suitable defense strategy. For detection, we show that single measurement statistics are not enough to reliably classify the presence of a jamming attack, and propose multimodal detection methods. To cope with jamming, we propose a technique, channel surfing, which involves evading the interferer in the spectral domain. Several different channel surfing models are presented, and we evaluate their effectiveness using a testbed of MICA2 motes. Beyond channel surfing, we overview a second defense strategy whereby it is possible to establish a low data rate jamming resistant communication channel by modulating the interarrival times between jammed packets.

Zhiguo Shi,Ruixue Sun,Rongxing Lu,Jian Qiao,Jiming Chen,Xuemin Shen

DOI: https://doi.org/10.1109/TETC.2013.2273220

2013-01-01

Abstract:In this paper, we propose a wormhole attack resistant secure neighbor discovery (SND) scheme for a centralized 60-GHz directional wireless network. Specifically, the proposed SND scheme consists of three phases: the network controller (NC) broadcasting phase, the network nodes response/authentication phase, and the NC time analysis phase. In the broadcasting phase and the response/authentication phase, local time information and antenna direction information are elegantly exchanged with signature-based authentication techniques between the NC and the legislate network nodes, which can prevent most of the wormhole attacks. In the NC time analysis phase, the NC can further detect the possible attack using the time-delay information from the network nodes. To solve the transmission collision problem in the response/authentication phase, we also introduce a novel random delay multiple access (RDMA) protocol to divide the RA phase into M periods, within which the unsuccessfully transmitting nodes randomly select a time slot to transmit. The optimal parameter setting of the RDMA protocol and the optional strategies of the NC are discussed. Both neighbor discovery time analysis and security analysis demonstrate the efficiency and effectiveness of the proposed SND scheme in conjunction with the RDMA protocol.

Zhenhua Liu,Wenyuan Xu

DOI: https://doi.org/10.1007/s11276-011-0403-2

IF: 2.701

2011-01-01

Wireless Networks

Abstract:The viability and success of wireless sensor networks critically hinge on the ability of a small number of sinks to glean sensor data throughout the networks. Thus, the locations of sinks are critically important. In this paper, we examine the sink location privacy problem from both the attack and defense perspectives. First, we examine resource-constrained adversaries who can only eavesdrop the network at their vicinities. To determine the sink location, they can launch a Zeroing-In attack by leveraging the fact that several network metrics are 2-dimensional functions in the plane of the network, and their values minimize at the sink. Thus, determining the sink location is equivalent to finding the minima of those functions. We demonstrate that by obtaining the hop counts or the arrival time of a broadcast packet at a few spots in the network, the adversaries are able to determine the sink location with the accuracy of one radio range, which is sufficient to disable the sink by launching jamming attacks, for example. To cope with the Zeroing-In attacks, we present a directed-walk-based routing scheme and show that the defense strategy is effective in deceiving adversaries at little energy costs.

Christopher Vattheuer,Charlie Liu,Ali Abedi,Omid Abari

DOI: https://doi.org/10.48550/arXiv.2301.07202

2023-01-18

Abstract:Home security systems have become increasingly popular since they provide an additional layer of protection and peace of mind. These systems typically include battery-powered motion sensors, contact sensors, and smart locks. Z-Wave is a very popular wireless communication technology for these low-power systems. In this paper, we demonstrate two new attacks targeting Z-Wave devices. First, we show how an attacker can remotely attack Z-Wave security devices to increase their power consumption by three orders of magnitude, reducing their battery life from a few years to just a few hours. Second, we show multiple Denial of Service (DoS) attacks which enables an attacker to interrupt the operation of security systems in just a few seconds. Our experiments show that these attacks are effective even when the attacker device is in a car 100 meters away from the targeted house.

Cryptography and Security,Networking and Internet Architecture

Yong Xu,Mei Fang,Zheng-Guang Wu,Ya-Jun Pan,Mohammed Chadli,Tingwen Huang

DOI: https://doi.org/10.1109/tsmc.2018.2875250

2020-01-01

Abstract:This paper applies an input-based triggering approach to investigate the secure consensus problem in multiagent systems under denial-of-service (DoS) attacks. The DoS attacks are based on the time-sequence fashion and occur aperiodically in an unknown attack strategy, which can usually damage the control channels executed by an intelligent adversary. A novel event-triggered control scheme on the basis of the relative interagent state is developed under the DoS attacks, by designing a link-based estimator to estimate the relative interagent state between intermitted communication instead of the absolute state. Compared with most of the existing work on the design of the triggering condition related to the state measurement error, the proposed triggering condition is designed based on the control input signal from the view of privacy protection, which can avoid continuous sampling for every agent. Besides, the attack frequency and attack duration of DoS attacks are analyzed and the secure consensus is reachable provided that the attack frequency and attack duration satisfy some certain conditions under the proposed control algorithm. "Zeno phenomenon" does not exhibit by proving that there exist different positive lower bounds corresponding to different link-based triggering conditions. Finally, the effectiveness of the proposed algorithm is verified by a numerical example.

Nataša Trkulja,David Starobinski,Randall A. Berry

DOI: https://doi.org/10.48550/arXiv.2010.13725

2020-10-27

Abstract:Cellular Vehicle-to-Everything (C-V2X) networks are increasingly adopted by automotive original equipment manufacturers (OEMs). C-V2X, as defined in 3GPP Release 14 Mode 4, allows vehicles to self-manage the network in absence of a cellular base-station. Since C-V2X networks convey safety-critical messages, it is crucial to assess their security posture. This work contributes a novel set of Denial-of-Service (DoS) attacks on C-V2X networks operating in Mode 4. The attacks are caused by adversarial resource block selection and vary in sophistication and efficiency. In particular, we consider "oblivious" adversaries that ignore recent transmission activity on resource blocks, "smart" adversaries that do monitor activity on each resource block, and "cooperative" adversaries that work together to ensure they attack different targets. We analyze and simulate these attacks to showcase their effectiveness. Assuming a fixed number of attackers, we show that at low vehicle density, smart and cooperative attacks can significantly impact network performance, while at high vehicle density, oblivious attacks are almost as effective as the more sophisticated attacks.

Cryptography and Security,Networking and Internet Architecture

Weiwei Zhan,Zhiqiang Miao,Yanjie Chen,Zheng-Guang Wu,Yaonan Wang

DOI: https://doi.org/10.1109/tnse.2023.3273205

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:This article studies the finite-time formation control problem for networked nonholonomic mobile robots (NMRs) under denial-of-service (DoS) attacks. The communication signals are transmitted among topology-connected NMRs by threatened networks, which might be disconnected or recovered at any time due to DoS attacks. Under DoS attacks, the received discontinuous date packets resulting from the directed graph might make the formation error escape to an unknown boundary. In addition, it is demonstrated that the frequency of DoS attacks directly affects the convergence time of controllers. A novel distributed observer is developed for each follower to narrow the unknown boundary, in which a projection operation is used to restrain the estimation of state with a known bounded set. An event-triggered mechanism is developed for each follower to identify the intermittent DoS attacks by verifying the time stamps of the received data packets. To reduce the effects of the attacker on the closed-loop system, a finite-time formation controller is proposed to guarantee formation convergence to the desired position in every duration of DoS attack-shut, preventing formation error accumulation. The Lyapunov tools are utilized to derive the conditions for guaranteeing the finite-time formation convergence under DoS attacks subject to a certain frequency. It is proved that the state estimation errors and formation errors can be regulated to the neighborhoods of origin in every duration of DoS attacks shut. The DoS attack and distributed DoS attack examples are provided to illustrate the correctness and performance of the proposed method for networked NMRs through numerical simulation comparisons.

Zeming Xu,Wangli He

DOI: https://doi.org/10.1109/iecon43393.2020.9255247

2020-10-18

Abstract:Quantized synchronization of master-slave neural networks with an event-triggered scheme under denial-of-service (DoS) attacks is studied in this paper. A kind of DoS attacks with constraints on attack frequency and duration is considered. Firstly, a quantized output feedback control scheme based on event-triggered strategy is proposed. Then a sufficient condition for secure event-triggered feedback control based on quantized output measurements is derived, from which the attack frequency and duration that the system can render is given. It is shown that the slave system is able to synchronize with the master system meanwhile the Zeno behavior can be excluded. The controller design is also included. Finally, an example is given to verify the theoretical results.

Jingyu Hua,Zidong Zhou,Sheng Zhong

DOI: https://doi.org/10.1109/tifs.2020.3013093

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Link Layer Discovery Protocol (LLDP), which is widely used by the controller in Software-Defined Networking to discover the network topology, has been demonstrated to be unable to guarantee the integrity of its messages. Attackers could exploit this vulnerability to fabricate LLDP packets to declare a false link connecting two distant switches to the controller. By doing so, the controller would be misled to route flows to the false links, which leads to further DoS, eavesdropping and even hijacking attacks. This attack seems very similar to the well-known Worm-Hole Attack in wireless sensor networking (WSN). Nevertheless, in WSN, attackers are assumed to leverage an out-of-band wired channel to achieve the true packet transmission between the two cheating sensor nodes. Unfortunately, in SDN, there usually does not exist any out-of-band channels between the distant cheating switches. Flows misguided to the fake link will cause 100% packet loss, and thus be detected soon. In this article, we address this problem and propose the first True worm-hole attack in SDN, which could achieve packet transmission over the forged link without using any out-of-band channels. Instead, it introduces a relay host in the networks to build a completely in-band covert channel between the two cheating switches. Unlike the existing studies, a relay host is not required to be directly linked to them. Moreover, attackers are only assumed to poss the remote read and write privileges of the flow tables of the both cheating switches and do not have to alter any of their software or hardware. Our extensive experiments demonstrate the high feasibility of this attack. Both the increases of transmission delays and packet loss rates are within a reasonable range. We finally present and evaluate the countermeasures against the proposed attack.

Qian Wang,Timothy Dunlap,Youngho Cho,Gang Qu

DOI: https://doi.org/10.1109/wocc.2017.7928974

2017-01-01

Abstract:Denial of service (DoS) attacks have been one of the major network security problems over the last decades. DoS attacks can usually be mounted on hardware devices such as routers and firewalls to send spoofing messages to the target network. Thus, methods for defeating such DoS attacks are highly related to the vulnerabilities in the hardware devices. In this paper, we investigate the potential attacks specific to the hardware infrastructure of the network and also categorize the countermeasures against DoS attacks that can be implemented on hardware devices. Moreover, we analyze the advantages of the emerging silicon physical unclonable functions and discuss the potential of integrating them into authentication methods in order to defend against DoS attacks.

Gustavo A. Nunez Segura,Sotiris Skaperas,Arsenia Chorti,Lefteris Mamatas,Cintia Borges Margi

DOI: https://doi.org/10.48550/arXiv.2003.12027

2020-03-27

Abstract:Software-defined networking (SDN) is a promising technology to overcome many challenges in wireless sensor networks (WSN), particularly with respect to flexibility and reuse. Conversely, the centralization and the planes' separation turn SDNs vulnerable to new security threats in the general context of distributed denial of service (DDoS) attacks. State-of-the-art approaches to identify DDoS do not always take into consideration restrictions in typical WSNs e.g., computational complexity and power constraints, while further performance improvement is always a target. The objective of this work is to propose a lightweight but very efficient DDoS attack detection approach using change point analysis. Our approach has a high detection rate and linear complexity, so that it is suitable for WSNs. We demonstrate the performance of our detector in software-defined WSNs of 36 and 100 nodes with varying attack intensity (the number of attackers ranges from 5% to 20% of nodes). We use change point detectors to monitor anomalies in two metrics: the data packets delivery rate and the control packets overhead. Our results show that with increasing intensity of attack, our approach can achieve a detection rate close to100% and that the type of attack can also be inferred.

Cryptography and Security,Networking and Internet Architecture

Kaigui Bian,Jung-Min Park,Ruiliang Chen

DOI: https://doi.org/10.1109/glocom.2006.266

2006-01-01

Abstract:Denial-of-Service (DoS) attacks pose a major threat to the availability of wireless ad hoc networks. Fault tolerant operation of wireless ad hoc networks will depend on the placement of DoS countermeasures in sufficiently robust form. In this paper, we describe a novel type of DoS attack called the Stasis Trap attack, and propose a technique for detecting such an attack. Stasis Trap attack has two distinguishing characteristics-it has a cross-layer design, and is stealthy. The Stasis Trap attack has a cross-layer design in that it is launched from the MAC layer but its aim is to degrade the end-to-end throughput of flows at the transport layer by exploiting TCP's congestion-control mechanism. Specifically, an adversary launches a Stasis Trap attack against neighboring nodes by periodically preempting the wireless channel in order to cause large variations in the round trip time (RTT) of TCP flows. Channel preemptions are carried out by manipulating the back-off mechanism of the Distributed Coordinating Function of the 802.11 MAC protocol. The periodic preemptions induce large RTT variations in the TCP flows that are within the transmission range of the adversary. This in turn causes a significant drop in the throughput of those flows, thereby creating a "stasis trap" around the adversary that entangles TCP flows. The aforementioned attack severely degrades end-to-end throughput but has very little effect on MAC-layer throughput, and hence it is very hard to detect at the MAC layer, which is its point of attack. In this sense, this attack is stealthy. To detect the Stasis Trap attack, we propose a minimax robust decentralized detection framework with robust hypothesis testing.

Yinghong Zhao,Xiao He,Donghua Zhou

DOI: https://doi.org/10.1049/iet-cta.2016.0601

IF: 2.67

2017-01-01

IET Control Theory and Applications

Abstract:This study is concerned with the optimal control and scheduling problem for linear networked control systems with communication constraints and security issues. The communication channel, which connects remote sensors with a controller, has limited transmission capability and may suffer denial of service attacks from an external attacker. Unlike most existing cyber-attack-related literature which presumed a prior well-designed control or estimating strategy on which triggering and jamming strategies were established, in the present work, optimal strategies of the controller, the trigger as well as the external attacker are considered simultaneously under the renowned linear quadratic criteria. A designer, who can jointly devise the controller and the trigger, aims to improve the system's performance while the attacker's goal is just the opposite. With the assumption that the trigger and the attacker have limited opportunities to send or attack, a zero-sum static game of complete information is first utilised to investigate the optimal strategies for both players, i.e. the designer and the attacker. The existence of Nash equilibrium (NE) point, i.e. the combination of optimal strategy for each player, is proven afterwards. Finally, the property of none pure-strategy NE in a special case is provided with rigorous proofs. A numerical example is employed to demonstrate how to derive the optimal strategies for the designer and the attacker.

Xin Jin,Yaoxue Zhang,Yi Pan,Yuezhi Zhou

DOI: https://doi.org/10.1155/wcn/2006/96157

2006-01-01

EURASIP Journal on Wireless Communications and Networking

Abstract:Denial of service (DoS) attack is a major class of security threats today. They consume resources of remote hosts or network and make them deny or degrade services for legitimate users. Compared with traditional Internet, the resources, such as bandwidth, memory, and battery power, of each node are more limited in mobile ad hoc networks (MANETs). Therefore, nodes in MANETs are more vulnerable to DoS attacks. Moreover, attackers in MANETs cannot only use IP spoofing to conceal their real identities but also move arbitrarily, which makes it a challenging task to trace a remote attacker in MANETs. In this paper, we proposed a zone sampling-based traceback (ZSBT) algorithm for tracing DoS attackers in MANETs. In our algorithm, when a node forwards a packet, the node writes its zone ID into the packet with a probability. After receiving these packets, the victim can reconstruct the path between the attacker and itself. Simulations were carried out to illustrate the validity of the algorithm; even with a little communication overhead.