Secure Framework for DDoS Attack Detection and Defense in IEEE 802.11 WLAN

Security is one of the most important problems to be considered in Wireless Local Area Networks (WLANs). Several security techniques have been proposed to address the known security weaknesses. In this study, we propose a detection and defense mechanism against DDoS attacks. Initially, the GIDA module is deployed so that a DDoS attack is detected using the game theory decision model in the Access Point (AP). A Master Session Key (MSK) is calculated and a hash function is created for security. For the authentication and association frames, a client puzzle based defense mechanism is used in the AP: the client solves a puzzle that has been sent by the AP. In the next phase, de-authentication or disassociation frames of the AP or client are protected by the random bit authentication mechanism, which inserts the current 3-bit unit into the unused bit positions of each frame and then advances the index to point to the next unit. The respective frames are protected by the hash function and master session key. This framework provides a complete solution for DDoS attacks targeted at both clients and the AP.


BASICS OF GAME THEORY
Game theory is a branch of applied mathematics concerned with the study of environments that involve conflicting interests. It aims to capture behavior in environments in which an individual's success in making choices depends on the choices of others.
In game theory, multiple decision-makers are involved, and the participants or competitors are considered as players. In each game, players can make a sequence of personal moves among several possibilities, or random moves.
A game should terminate with the achievement of the greatest possible utility.
Utility is a measure of the outcomes achieved as a result of using certain choices or strategies. If the strategies are consistent with our intentions, the outcome is said to be a payoff or gain; if they conflict with the desired status, the outcome is said to be a loss.

Classification of Games
(i) Based on players: games with two players and games with multiple players. The number of players can be finite or infinite.
(ii) Based on the sum of payoffs: games with a constant sum and games with a varying sum.
A specific example of a constant sum game is a zero sum game.
(iii) Based on players' interests: antagonistic games and non-antagonistic games. In antagonistic games the main idea is to win at the expense of the opponent. In non-antagonistic games, any positive payoff of the opponent is irrelevant for the choice of a player's strategy.
(iv) Based on the nature of payoffs: cooperative and non-cooperative games. In cooperative games the payoff of both players is maximized in a situation of cooperation; in non-cooperative games the payoff is independent of cooperation.

Game Formulations
In a game, each player chooses an action that optimizes its own objective function, and its success in making decisions depends on the decisions of the other players.
A non-cooperative game G is specified by the tuple (M, S, Ω, J), where Ω is the action space and J : Ω → R^m is the vector of objective functions associated with each of the m players participating in the game. Conventionally, J represents a vector of cost functions to be minimized by the players. A strategy can be regarded as a rule for choosing an action, depending on external conditions.

GAME THEORY BASED DDOS ATTACK DETECTION
The game theory based DDoS attack detection is a decision module [26] that analyzes the incoming flow of a UDP flooding attack and restricts access to the Target Server (TS) based on its computed decisions. These decisions are based on certain properties of the incoming flow.
The game theory model consists of two major components, the game decision system and the firewall. Incoming flows are analyzed by the game decision system, which proposes the appropriate defensive decisions; these are then implemented in the firewall.

Attack detection
Attack detection works by allowing a traffic flow through to the TS, redirecting it to a Honey Pot (HP), or dropping it.
The detector selects two thresholds, T1 and T2, for deciding the action taken on an incoming flow. The total flow rate (x) of a source node is computed from r, the bit-rate per flow, and n, the number of flows per node.
In this approach, the detector observes the total flow rate x and compares it against the thresholds; depending on the result, the flow from the source node is dropped outright by the firewall, or the firewall drops it with one probability and redirects it with another. To make this decision, the detector designs three probabilistic functions, one each for allowing, dropping and redirecting the flow of a source node; at the design point, the probabilities of dropping and redirecting a flow are 0.5 each. Here x denotes the total flow rate, σ the scaling parameter and b the bandwidth consumed per node.

Elliptic Curve Cryptography (ECC)
Elliptic curves are used to construct public key cryptosystems. The private key d is randomly selected from the interval [1, n-1], where n is an integer (the order of the base point). The public key Q is then computed by scalar multiplication of the base point P by d, where P and Q are points on the elliptic curve. Scalar multiplication is used not only for computing the public key but also for signature, encryption and key agreement in an ECC system.
Elliptic curve parameters over the finite field F_p or F_2^m are described by the tuple (q, FR, a, b, G, n, h), where:
q is the prime (or prime power) that defines the field and thereby the form of the curve;
FR denotes the field representation, i.e. the method used to represent the field elements (polynomial basis, normal basis or subfield basis for F_2^m; Montgomery residue for F_p);
a, b are the curve coefficients, chosen according to the security requirement;
G is the base point (Gx, Gy) on the curve, which has the largest order n;
h is the cofactor.
Setting up an elliptic curve cryptosystem requires the following components:
(i) An underlying field F_q, where q = p, q = 2^m or q = p^m, with p prime and greater than 3.
(ii) A representation of the finite field elements.
(iii) Algorithms implementing the operations in the field.
(iv) An appropriate elliptic curve.
(v) Algorithms implementing the elliptic curve operations, i.e. point addition, scalar multiplication and inversion.
(vi) An elliptic curve cryptography protocol (ECDSA, ECDH, etc.).
For a public key scheme, the first step is to generate the public and private key pair. Given the domain parameters (q, FR, a, b, G, n, h), the entity selects a random private key d in [1, n-1] and computes the public key Q as the scalar multiple d·G.

MSK Generation Algorithm
Apart from detecting the DDoS flooding attack, an MSK is generated in order to provide defense against the other DDoS attacks.
The MSK generation proceeds as follows [53].
1. STA sends a probe request (R_p1) to the AP. The AP holds a pre-generated pool of random numbers t_F along with pre-computed private key (K_AP) and public key (PK_AP) pairs generated using ECC. The AP selects one of the public keys (PK_AP) from its pool for the current session.
2. The AP's response to the STA includes R_p2, the selected public key PK_AP, the set of random numbers t_F and the elliptic curve parameters (EC_Param).
3. If the STA wants to join the network, it generates its own key pair, private key (K_STA) and public key (PK_STA). It then uses its private key (K_STA) and the AP's public key (PK_AP) to generate the Master Key (MK).
4. STA selects one number (R1) from the random number set received from the AP, and chooses another random number (R2). R2 together with MK is used to compute the Master Session Key (MSK) with a Pseudo Random Function (PRF):

MSK = PRF{R2, MK} … (3.4)

5. STA computes the hash H of R1 and σ as indicated by (8). This hash is used for AP protection under DoS attacks. STA stores MK, MSK and H for use in the authentication phase.

Hash Function Generation
Next, a hash function is generated using (3.5), where R1 is the random number, x denotes the private key, h is a collision-resistant one-way hash function, G refers to the STA public information generation and l denotes a random number.

CLIENT PUZZLE MECHANISM FOR AUTHENTICATION AND ASSOCIATION ATTACKS
The main idea behind a cryptographic puzzle is to force the recipient of the puzzle to execute a predefined set of computations before extracting a secret of interest. The time required to solve a puzzle depends on its hardness and on the computational ability of the solver [35]. Cryptographic puzzles have been used in defending against junk e-mail, creating digital time capsules and metering web site usage [63]. A client puzzle is a quickly computable cryptographic puzzle that consists of a secret issued by the server, a time value and client request information. While legitimate clients experience only a small degradation in connection time when a server is under attack, an attacker must have access to large computational resources to sustain an attack [33]. One of the main advantages of the client puzzle technique is its robustness in a stronger attack model than the standard techniques. A good client puzzle has the following properties [54]:
o The puzzles should not introduce any new DoS vulnerabilities.
o The difficulty of the puzzle should be easy to adjust.
o The puzzles should require the client to commit adequate computational resources.
o It should not be possible for a client to cheat by precomputing the solutions to puzzles.
o The puzzles should be time-dependent, so that the client has a limited amount of time to compute the solution.
The puzzle based mechanism [30] is used to resist authentication and association attacks. Any party producing authentication and association frames, including an attacker, must first compute a puzzle sent by the AP. The degree of puzzle difficulty is easily adjusted by the AP. The procedure involved in the client puzzle mechanism is illustrated in Figure 3.2; the detailed algorithm is given below.

Algorithm
Step 1: The Station (STA) generates and stores a random number N_STA ∈_R {0,1}^64 and sends it to the AP, embedded in the probe request frame.
Step 2: After receiving the probe request, the AP generates a random number (N_AP), a timestamp (T_AP) and a puzzle whose difficulty depends on the AP's current remaining resources and the attack degree.
The AP then embeds N_AP, T_AP and the puzzle into the probe response and sends it to the STA.

(3.6)
where H = h(R, σ) is a hash function used for protecting the puzzle.
Here the secret is changed periodically. A puzzle can be created with a length of one byte, with values ranging from 0 to 64. The AP can dynamically decide the value of k.
The STA should solve the puzzle and answer with a solution satisfying the following equation.
Step 3: After accepting the probe response frame from the AP, the STA solves the puzzle by a brute force approach. It then embeds the solution to the puzzle, T_AP, N_AP and N_STA into the authentication request frame and sends it to the AP.
Step 4: After receiving the authentication request frame, the AP checks whether N_AP is valid. If validation succeeds, the mechanism continues: the AP generates a new N_AP′, T_AP′ and puzzle′ when the secret is refreshed, embeds N_AP′, T_AP′ and puzzle′ into the authentication response frame and sends it to the STA.
Step 5: After receiving the authentication response from the AP, the STA solves puzzle′, embeds the solution of puzzle′, N_AP′, T_AP′ and N_STA into the association request frame and sends it to the AP.
Step 6: After receiving the association request frame, the AP checks whether N_AP is valid. If validation succeeds, the AP allocates memory space for the STA; before Step 6, the AP does not allocate any memory space for the STA. The AP replies to the STA through the association response frame.

Random Bit Authentication (RBA)
An identical random bit stream is independently generated at both ends. The stream is divided into equal-sized chunks, each having N authentication bits, called "N random bits".
Each chunk is associated with an index number. In the proposed design, 8 chunks are used in 802.11.
In the RBA method, when the AP or STA sends a de-authentication or disassociation frame, RBA inserts the current 3-bit unit, along with the hash key H and the MSK, into the unused bit positions of the frame and then advances the index to point to the next unit. The receiving node checks whether the random authentication bits carried in the incoming frame match the corresponding bit stream unit on the receiver side; if not, the incoming frame is rejected.
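The following is an added, self-contained rendering of the client puzzle exchange (Steps 1 to 6) in Python; it is not the chapter's own code. Because equation (3.6) is not reproduced on the page, the puzzle relation, the HMAC form of H = h(R, σ) and the requirement of k leading zero bits in the digest are assumptions; the AP-side verification is stateless, so no memory is committed to a station until its solution checks out.

```python
import hashlib
import hmac
import secrets
import time

# sigma: the AP's secret, refreshed periodically (constructed here at import time).
AP_SECRET = secrets.token_bytes(32)


def puzzle_tag(n_ap: bytes, t_ap: int, k: int, secret: bytes = AP_SECRET) -> bytes:
    """H = h(R, sigma): keyed hash over the puzzle parameters, so neither N_AP,
    T_AP nor the difficulty k can be altered by the client (assumed form)."""
    r = n_ap + t_ap.to_bytes(8, "big") + bytes([k])
    return hmac.new(secret, r, hashlib.sha256).digest()


def puzzle_digest(h: bytes, n_sta: bytes, solution: int) -> bytes:
    """Assumed puzzle relation, standing in for equation (3.6), which is not on the page."""
    return hashlib.sha256(h + n_sta + solution.to_bytes(4, "big")).digest()


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def ap_issue_puzzle(k: int, now=None) -> dict:
    """Probe response contents: N_AP, T_AP, difficulty k and H.
    The AP stores nothing per STA at this point."""
    n_ap = secrets.token_bytes(8)
    t_ap = int(time.time()) if now is None else now
    return {"n_ap": n_ap, "t_ap": t_ap, "k": k, "h": puzzle_tag(n_ap, t_ap, k)}


def sta_solve(puzzle: dict, n_sta: bytes, max_tries: int = 1 << 20) -> int:
    """STA brute-forces the smallest solution whose digest has at least k leading zero bits."""
    for s in range(max_tries):
        if leading_zero_bits(puzzle_digest(puzzle["h"], n_sta, s)) >= puzzle["k"]:
            return s
    raise ValueError("no solution within the try budget")


def sta_auth_request(puzzle: dict, n_sta: bytes, solution: int) -> dict:
    """Authentication request: the solution together with T_AP, N_AP, k and N_STA."""
    return {"n_ap": puzzle["n_ap"], "t_ap": puzzle["t_ap"], "k": puzzle["k"],
            "n_sta": n_sta, "solution": solution}


def ap_verify(req: dict, secret: bytes = AP_SECRET, min_k: int = 1,
              max_age: int = 30, now=None) -> bool:
    """AP side: reject stale or under-difficulty puzzles, recompute H from its own
    secret and check the solution. Memory for the STA is allocated only if True."""
    now = int(time.time()) if now is None else now
    if req["k"] < min_k or not 0 <= now - req["t_ap"] <= max_age:
        return False
    h = puzzle_tag(req["n_ap"], req["t_ap"], req["k"], secret)
    return leading_zero_bits(puzzle_digest(h, req["n_sta"], req["solution"])) >= req["k"]
```

With k = 8 the station needs about 256 hash evaluations on average, while the AP spends one HMAC and one hash per request regardless of how many requests arrive.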

Figure 3.3 Random bit authentication method
In Figure 3.3, the 5th and 8th units would be matched for legitimate de-authentication and disassociation frames, respectively. Although the attacker does not know the values of those units, it keeps guessing the authentication bits until they match.
The attacker takes a brute force approach and cycles through all possible values of the random bits. With a 3-bit random authentication unit, the attacker can successively substitute the values 0 to 7 as the authentication bits in the attacking frame.
Only one of the 8 spoofed frames passes the authentication test, so the success rate of an attacker in disconnecting the session between the AP and the STA is 1/8 per cycle. If the number of authentication bits is increased, the attacker's success rate for achieving DoS decreases exponentially.
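An added simulation of the RBA check described above, written for this chapter and not taken from the original work: both ends derive the same 8-chunk stream of 3-bit units, the sender stamps a de-authentication frame with the current unit and advances, and the receiver rejects a frame whose bits do not match. Keying the stream on MSK and H with SHA-256, representing the frame's unused bits as a dict field, and leaving the receiver's index in place on rejection are assumptions of this example.

```python
import hashlib

N_BITS = 3   # authentication bits per unit (the 3-bit unit of the text)
CHUNKS = 8   # units per stream (the design uses 8 chunks)


def derive_stream(msk: bytes, h: bytes, n_bits: int = N_BITS, chunks: int = CHUNKS) -> list:
    """Expand MSK and H into CHUNKS units of n_bits each.
    The text only says both sides generate an identical stream; keying the
    expansion on MSK and H with SHA-256 is an assumption of this example."""
    bits = int.from_bytes(hashlib.sha256(msk + h).digest(), "big")
    mask = (1 << n_bits) - 1
    return [(bits >> (i * n_bits)) & mask for i in range(chunks)]


class RbaEndpoint:
    """One side (AP or STA) of the random bit authentication channel."""

    def __init__(self, msk: bytes, h: bytes, n_bits: int = N_BITS):
        self.units = derive_stream(msk, h, n_bits)
        self.index = 0          # points at the next unit to use
        self.n_bits = n_bits

    def current_unit(self) -> int:
        return self.units[self.index % len(self.units)]

    def stamp(self, frame: dict) -> dict:
        """Sender: insert the current unit into the frame's unused bits, then advance."""
        stamped = dict(frame, auth_bits=self.current_unit())
        self.index += 1
        return stamped

    def verify(self, frame: dict) -> bool:
        """Receiver: accept only if the carried bits equal the expected unit.
        A rejected frame does not consume the unit (assumption), so a forged
        frame cannot push the two ends out of step."""
        if frame.get("auth_bits") != self.current_unit():
            return False
        self.index += 1
        return True


def spoof_success_rate(n_bits: int) -> float:
    """Chance that one frame carrying a guessed N-bit value is accepted: 1 / 2^N."""
    return 1.0 / (1 << n_bits)
```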

SIMULATION RESULTS AND DISCUSSION
The proposed Secure Framework for DDoS Attack Detection and Defense (SFDADD) is evaluated through NS-2 [14] simulation. A wired-wireless network is considered and deployed in an area of 500 × 500 m. The number of wireless nodes is fixed at 10 and the number of wired nodes at 2. The simulated traffic is CBR over UDP and FTP over TCP. The transmission rate is 250 Kbps. The simulation topology is given in Figure 3.4 and the simulation parameters are shown in Table 3.1.

Performance Metrics
The performance of SFDADD is compared with the GIDA [26] scheme, mainly according to the following metrics.
• Delay: the average time taken by the packets to reach the destination.
• Average Packet Delivery Ratio: the ratio of the number of packets received successfully to the total number of packets transmitted.
• Packet Drop: the number of packets dropped during the data transmission.

Results
Three sets of attackers are considered: the first performs the DDoS flooding attack, the second performs authentication and association attacks, and the third performs de-authentication and disassociation frame attacks. The DDoS flooding attack is tested with both CBR and TCP traffic flows.

Results for CBR flows
The number of CBR traffic flows is varied as 2, 4, 6, 8 and 10. Table 3.2 shows the performance results of both schemes when the number of flows is varied from 2 to 10. As the number of flows increases, the delivery ratio of SFDADD falls from 0.97 to 0.55 and that of GIDA from 0.88 to 0.28. Since GIDA detects only the flooding attacks, the other DDoS attacks cause more packet drops, which lowers its delivery ratio. Hence the delivery ratio of SFDADD is 37% higher than that of the GIDA approach. Table 3.3 shows the percentage improvement of SFDADD over GIDA for varying CBR flows.

Results for the TCP Flows
The number of TCP traffic flows is varied as 2, 4, 6, 8 and 10. Table 3.4 shows the performance results of both schemes when the number of TCP flows is varied from 2 to 10. Figure 3.9 shows the delivery ratio of the SFDADD and GIDA techniques as the TCP traffic flows are increased. As the number of flows increases, the delivery ratio of SFDADD falls from 0.97 to 0.89 and that of GIDA from 0.92 to 0.84. Since GIDA detects only the flooding attacks, the other DDoS attacks cause more packet drops, which lowers its delivery ratio. Hence the delivery ratio of SFDADD is 4% higher than that of the GIDA approach. Table 3.5 shows the percentage improvement of SFDADD for varying TCP flows.

Detection Accuracy
The detection accuracy of the SFDADD scheme is evaluated for each of its modules, namely the Game theory based DDoS Detection (GDAD), the Client Puzzle based Defense Mechanism (CPDM) for authentication and association attacks, and the Random Bit Authentication (RBA) for de-authentication and disassociation attacks. Figure 3.11 shows the percentage detection accuracy for all three techniques. The figure shows that, among the 3 schemes, CPDM achieves the highest detection accuracy, up to 96%, and GDAD achieves the lowest, up to 78%.

CONCLUSION
In this chapter, a detection and defense mechanism against DDoS attacks is proposed. Initially, the DDoS attack is detected using the game theory decision agent. The GIDA module [26] reduces DoS attacks in TCP-friendly flows; it acts as a defender that combines a game decision agent and a firewall. Since management frames are not authenticated in an 802.11 WLAN, the network is susceptible to DoS attacks. The most common attack is flooding, which saturates the surroundings with huge numbers of de-authentication or disassociation frames, while authentication and association attacks exhaust the resources of wireless APs. GIDA does not provide a complete defense against all these DDoS attacks in a WLAN. In this chapter, a secure framework for DDoS detection and defense in IEEE 802.11 WLAN is therefore proposed. The block diagram of the proposed framework is shown in Figure 3.1. The framework describes the solution for three attacks. The UDP flooding attack is detected using the game theory decision model by analyzing the traffic flows; attacked flows are identified and marked as attackers by the AP. A hash function is generated using a Master Session Key (MSK). For authentication and association attacks, a client puzzle based defense mechanism is used in the AP: the client solves a puzzle sent by the AP, and the puzzle is protected by means of the hash function and easily adjusted by the AP. De-authentication or disassociation attacks on the AP are countered by the random bit authentication mechanism, which inserts the current 3-bit unit into the unused bit positions of each frame and then advances the index to point to the next unit. The respective frames are protected by the hash function and the master session key.

Figure 3.1 Block diagram of the Framework

Figure 3.2 Mechanism of Client-based puzzle

Figure 3.4 Simulation Topology

Figures 3.5 to 3.7 show the graphical representation of the results.
Figure 3.5 Delay for Varying CBR Flows
Figure 3.7 Packet Drop for Varying CBR Flows

Figures 3.8 to 3.10 show the graphical representation of the results.
Figure 3.8 Delay for Varying TCP Flows
Figure 3.10 Packet Drop for Varying TCP Flows

Figure 3.11 Detection Accuracy for all the 3 techniques of SFDADD