Integrated security architecture for wireless mesh networks

Wireless Mesh Networks (WMNs) have revolutionized the provisioning of economical broadband wireless Internet service to entire communities of users. The self-configuring and self-healing ability of WMNs has encouraged their rapid proliferation, as adding a mesh router (MR) is as simple as plugging it in and turning it on. The plug-and-play architecture of WMNs, however, also opens the door to malicious intruders. An attacker can raise several security concerns, such as rogue routers, selfishness, and denial-of-service (DoS) attacks. Unfortunately, the current thrust of research in WMNs is focused primarily on developing multi-path routing protocols, and security is very much in its infancy. Owing to the hierarchical architecture of WMNs, security issues are multi-dimensional. As mesh routers form the backbone of the network, it is critical to secure them from various attacks. In this dissertation we develop an integrated security architecture to protect the mesh backbone. It is equally important to provide end-to-end security for mesh clients, and hence we design a novel authentication protocol for mutually authenticating mesh clients and mesh routers. The aim of this dissertation is to explore the various issues that affect the performance and security of WMNs. We first examine the threat of an active attack, such as a DoS attack on MRs, and design a cache-based throttle mechanism to control it. Next, we develop a MAC-identifier-based trace table to determine the precise source of a DoS attacker. We then evaluate the vulnerability of WMNs to passive attacks such as selfishness, and propose an adaptive mechanism to penalize selfish MRs that discreetly drop others' packets. In order to handle route-disruption attacks such as malicious route discovery, we design an intelligent intrusion detection system. Through extensive simulations, we evaluate the effectiveness of our proposed solutions in mitigating these attacks.
Finally, we design a lightweight authentication protocol for mesh clients that uses inexpensive hash operations, enables authentication of important control messages, and performs auto-refresh of authentication tokens.
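As an added illustration of the hash-based direction the abstract describes (this is not the dissertation's own protocol, whose details are not given here): a mesh client authenticates control messages to its mesh router with a one-way hash chain of tokens, costing the router one hash per message, and automatically refreshes the chain by announcing a new anchor together with the last token of the old one. CHAIN_LEN, the message format and all class and function names are assumptions of this example.

```python
import hashlib, os
CHAIN_LEN = 4  # constructed: tiny chain so a refresh happens within the demo

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_chain(seed: bytes, length: int) -> list:
    # chain[i] = H^i(seed); chain[-1] is the anchor the router learns at login
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain

class MeshClient:
    def __init__(self):
        self.chain = build_chain(os.urandom(32), CHAIN_LEN)
        self.pos = CHAIN_LEN - 1  # tokens are revealed in reverse chain order

    def send(self, msg: bytes) -> tuple:
        token = self.chain[self.pos]  # next unused token; router checks it with one hash
        self.pos -= 1
        new_anchor = b""
        if self.pos < 0:  # auto-refresh: start a fresh chain, announce its anchor
            self.chain = build_chain(os.urandom(32), CHAIN_LEN)
            self.pos = CHAIN_LEN - 1
            new_anchor = self.chain[-1]
        tag = H(token + msg + new_anchor)  # ties the payload to this token
        return msg, tag, token, new_anchor

class MeshRouter:
    def __init__(self, anchor: bytes):
        self.anchor = anchor  # last accepted token, or the committed anchor

    def verify(self, msg: bytes, tag: bytes, token: bytes, new_anchor: bytes) -> bool:
        if H(token) != self.anchor:  # stale or replayed token
            return False
        if H(token + msg + new_anchor) != tag:  # altered payload
            return False
        self.anchor = new_anchor or token  # switch chains on refresh
        return True

def demo() -> list:
    client = MeshClient()
    router = MeshRouter(client.chain[-1])
    results = []
    for i in range(CHAIN_LEN + 1):  # crosses one chain refresh
        packet = client.send(b"ROUTE-UPDATE %d" % i)
        results.append(router.verify(*packet))
    results.append(router.verify(*packet))  # replay: token no longer hashes to anchor
    return results
```

The token travels in the clear, so the scheme gives the router cheap source authentication and replay rejection; an on-path attacker who captures a token before the router processes it could re-tag a different payload, so payload integrity against such an adversary needs an additional keyed mechanism.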
