TCP FIN Flood Attack Pattern Recognition on Internet of Things with Rule Based Signature Analysis

The focus of this research is Transmission Control Protocol (TCP) FIN flood attack pattern recognition in an Internet of Things network using a rule-based signature analysis method. The dataset is created using three traffic scenarios: normal, attack, and normal-attack. TCP FIN flood attack patterns are identified and recognized by observing and analyzing packet attributes from raw data (pcap format) through feature extraction and feature selection processes. Further experiments were conducted using Snort as the intrusion detection system (IDS). The confusion-matrix evaluation of the detection rate of Snort as IDS shows the average percentage of the precision level. Keywords—Internet of Things (IoT), TCP FIN flood attacks, Denial of Service, rule-based, signature analysis, confusion matrix.


Introduction
The Internet of Things (IoT) is a network that integrates various identification, sensing and communication technology devices, such as Radio Frequency Identification (RFID) tags, sensors, actuators, cameras, mobile phones, and various wired/wireless devices, via a unique addressing scheme based on standard communication protocols [1]. Each object in the IoT network is capable of interacting, working together, and processing and delivering information autonomously to produce services such as statistical information, monitoring and control systems [2]. IoT is classified into three layers: the Application Layer, the Network Layer and the Perception Layer [3], [4]. The main challenge in implementing IoT is security, including privacy, authorization, verification, system configuration, access control, storage and information management [5]. Denial of Service (DoS) attacks are one of the security threats on IoT networks. DoS is defined as an attacking method by which an attacker consumes resources such as bandwidth and increases energy consumption, so that the energy source of the device is quickly exhausted [6], [7]. The research in [8] explains that DoS attacks can be grouped into two main categories: (i) a DoS flooding attack, defined as an attack that sends many packets to the target with the aim of keeping the CPU, memory and network resources from functioning optimally, and (ii) a logic attack, defined as an attack that takes advantage of existing weaknesses to cause system malfunction.
The TCP connection model uses two control flags, SYN and FIN. Normally both are not set in the same TCP segment header (see Figure 1). The SYN flag synchronizes sequence numbers to initiate a TCP connection. The FIN flag indicates the end of data transmission to finish a TCP connection. Their purposes are mutually exclusive. A TCP header with both the SYN and FIN flags set is anomalous TCP behavior, causing various responses from the recipient depending on the operating system (OS). A FIN scan is a type of scan whose usual aim is network reconnaissance. What is attractive about a FIN scan from the attacker's point of view is that the attacker sends a special signal (a TCP packet with only the FIN flag set) that tends to get past many firewalls. To address this casualty of the DoS attack, this paper attempts to come up with a strategy to detect TCP FIN-based DoS flooding attacks in IoT. It answers how to identify the patterns of the attack using rule-based signature analysis on WiFi communications. The main contribution of this paper is a strategy to analyze the TCP FIN DoS attack by characterizing the attack patterns through threshold deployment on an IoT dataset and varying the attacks on the IoT network traffic, in contrast to previous works that focus on the TCP SYN message to analyze TCP flood DoS attacks. Thus, this work is the first to characterize and analyze the patterns of TCP FIN DoS attacks and to use the characteristics to generate rules for detection.
The paper is arranged into five sections as follows. Section 2 discusses related works on overlay gaps of IoT threats and the assignment problem along with their current uses. Section 3 presents the experimental scenario. The results and discussion are described in Section 4. The paper ends with a conclusion and future works delivered in Section 5.

Related Work
The research works in [5] and [9] discuss security issues on nodes (sensors or controllers) that use Radio Frequency (RF) communication protocols such as WiFi, RFID, IEEE 802.15.4/ZigBee and Bluetooth, which generally apply a broadcast mechanism to communicate with each other. This mechanism is difficult to protect from attack. A node in IoT is susceptible to various types of threats and attacks, including capturing, eavesdropping and tampering. The limited resources of a node are exploited by performing DoS attacks, such as DoS flooding, which makes the node perform at its maximum ability and consumes its energy as well as bandwidth.
The authors in [10] discuss three types of DoS attacks on IoT nodes: ICMP flood, SYN flood and TCP flood. They compare the three types of attacks by considering the parameters CPU utilization, memory utilization, delay time and packet loss rate.
There are many research works on TCP SYN flood attacks, such as [11], [12], [13], but very few on TCP FIN flood attacks. Yoon et al. [14] discuss defense against general TCP flooding attacks, including TCP FIN attacks. The authors describe the TCP FIN attacks in detail using a state transition diagram. After a TCP session connection is created, a FIN packet or a Reset (RST) packet is instantly transmitted while no data packet is transmitted, so that the session is terminated, thereby adding to the load of the server. The connection flooding attack can be detected when the number of sessions in which the FIN packet or the RST packet is received in the session state "waiting for FIN packet" or "waiting for RST packet" is equal to or larger than a threshold.
The works in [6] and [15] then discuss the implementation of a rule-based attack detection mechanism in an Intrusion Detection System (IDS) on an IoT network. In these works the IDS is distributed among a group of nodes in the network to avoid problems related to the limited resources of IoT devices.

Experiment Scenario
This research uses a rule-based signature analysis method to identify and recognize the type of DoS attack patterns in the form of TCP FIN flood attacks on an IoT network. Several stages are involved in the experiments:
• The design of a testbed system for the IoT network
• Running experiments on the testbed network with a normal scenario, an attack scenario, and a normal-attack scenario for the purpose of dataset creation
• Feature extraction
• Identification of TCP FIN flood attack patterns

Testbed network design stage
The testbed network is developed in the following steps: designing the topology, identifying the hardware requirements, identifying the software requirements, installing and configuring the system, and then running several scenarios to create the dataset.
The testbed network consists of several hardware components, including a DHT22 sensor, an MQ2 sensor, a soil moisture sensor, a water level sensor, and a WeMos D1 microcontroller equipped with an ESP8266 WiFi module. In addition, the testbed uses supporting software such as a MySQL database, the DoS tool Hping3, the Apache web server and Snort as IDS. Hping3 injects the TCP FIN flood attacks into the testbed network. Figure 2 illustrates the topology of the testbed network.
As shown in Figure 2, the testbed network topology consists of four sensor nodes, one server, and two laptops acting as sniffer and attacker.
The topology is a star topology, in which each sensor node and the server are connected in one network via a wireless router that assigns IP addresses with the Dynamic Host Configuration Protocol (DHCP).

Dataset creation stage
Dataset creation in this research was done by running three scenarios:
• Normal traffic
• TCP FIN flood attack traffic
• Normal data and TCP FIN flood attack traffic
Each scenario of the dataset creation was conducted for five minutes on sensor node 1 to sensor node 4 and the server. Sniffer modules capture the traffic packets and save them as raw data in pcap format. In the next stage, feature extraction is conducted with the aim of getting detailed information from the generated dataset. This stage is one part of the process of identifying the TCP FIN flood attack pattern, based on observation and analysis of packet attributes from the raw data (pcap format).

Feature extraction stage
Figure 3 shows the flowchart of the feature extraction process. The attributes used in this process are frame.number, frame.time, frame.len, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.ack, tcp.hdr_len, tcp.window_size_value, ip.protocol, ip.flags, ip.len and ip.TTL. A converter module changes the pcap file into CSV (Comma Separated Values) format.
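As an added illustration of the feature extraction step (this code is not the paper's converter, which the page does not reproduce), the following Python walks a classic libpcap capture and emits one record per TCP frame keyed by the attribute names listed above, plus tcp.flags, which the FIN-pattern rules need. The sample capture is constructed inside the block; its hosts, ports and timestamps are assumed values.

```python
import struct

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10   # bits of the 9-bit TCP flags field


def extract_features(pcap: bytes) -> list[dict]:
    """Walk a classic libpcap file (Ethernet link type) and return one row per
    IPv4/TCP frame, keyed by the attribute names used in the paper, plus
    tcp.flags (added here, since the FIN pattern cannot be seen without it)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # KeyError on a non-pcap file
    rows, off, number = [], 24, 0                          # skip the 24-byte global header
    while off + 16 <= len(pcap):                           # 16-byte per-packet record header
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame, off, number = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len, number + 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # need Ethernet + IPv4 headers
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        ip_len, _, frag = struct.unpack("!HHH", ip[2:8])
        ttl, proto = ip[8], ip[9]
        if proto != 6 or len(ip) < ihl + 20:                  # keep TCP frames only
            continue
        sport, dport, _, ack, off_flags, win = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
        rows.append({
            "frame.number": number, "frame.time": ts_sec + ts_usec / 1e6, "frame.len": incl_len,
            "ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20])),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.ack": ack,
            "tcp.hdr_len": (off_flags >> 12) * 4, "tcp.window_size_value": win,
            "ip.protocol": proto, "ip.flags": frag >> 13, "ip.len": ip_len, "ip.TTL": ttl,
            "tcp.flags": off_flags & 0x1FF,
        })
    return rows


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int, ttl: int = 64) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (no payload, zero checksums) for the sample capture."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def build_pcap(frames: list[bytes]) -> bytes:
    """Constructed little-endian libpcap file wrapping the frames 1 ms apart."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 1_500_000_000, i * 1000, len(f), len(f)) + f
                             for i, f in enumerate(frames))


# Constructed sample: a normal SYN and FIN/ACK from one host, then a FIN-only segment from another.
SAMPLE_PCAP = build_pcap([build_frame("192.168.1.10", "192.168.1.2", 40000, 80, TCP_SYN),
                          build_frame("192.168.1.10", "192.168.1.2", 40000, 80, TCP_FIN | TCP_ACK),
                          build_frame("192.168.1.99", "192.168.1.2", 12345, 80, TCP_FIN)])
```

Feeding the rows to csv.DictWriter gives the CSV form the converter module produces.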

TCP FIN Flood attack pattern detection stage
Attack pattern identification is conducted to recognize patterns that are already known (as a signature) through the following steps: analysis of the raw data (pcap) comparing normal packets with attack packets, testing the dataset with Snort as IDS, and analysis of the correlation between the Snort alert logs from the raw data (pcap format) and the feature extraction results from the CSV file. The TCP FIN attack detection engine uses the recognized patterns as the basis for its rule base.

Performance evaluation
The IDS is expected to maximize the detection accuracy of existing attacks (true positive) and at the same time to reduce false detections, where normal network traffic is indicated as an attack (false positive). Sometimes the IDS fails to give an alert for an attack that occurred (false negative), or an attack occurs and the system's detection alarm does not appear (true negative).
There are seven performance indicators of an IDS. They measure the level of accuracy, detection rate, false alarm rate, and precision, as represented in (1) to (7). This work uses these indicators.

Experiment Results and Discussion
Running the testbed network topology in Figure 2 creates six datasets with two different types of data packets, normal data packets and TCP FIN flood attack data packets, as shown in Table 1. The experimental results are categorized based on the attack object, either the server or the sensor nodes. The results in Table 1 show significant size changes in each experiment category. In the category of attacks with the server as the target object, the size changes happened in experiment #2 and experiment #3, whereas for the attacks with the sensor nodes as the target objects, the size changes happened in

Dataset analysis
The number of packets in the dataset is calculated per protocol category. The experimental results show that the number of TCP data packets is significantly larger than that of the other packets. Table 2 shows the calculation results for the number of data packets. The highest percentage of packets is TCP with 98.32%, followed by Address Resolution Protocol (ARP) with 1.07%, Internet Control Message Protocol (ICMP) with 0.72%, User Datagram Protocol (UDP) with 0.52%, and unknown protocols with 0.02%. Table 3 shows the highest numbers of packets for sensor nodes 1 to 4 as follows: TCP with 98.39%, followed by ARP with 1.07%, UDP with 0.52%, and unknown protocols with 0.02%. The breakdown of the captured packets by protocol category shows that TCP packets dominate in each experiment, with the server as the target object as well as with the sensor nodes as the target objects, reaching up to 98%. The huge number of TCP packets is an initial observation indicating that packets from TCP FIN flood attacks are already present on the testbed network in experiment scenarios #2, #3, #5 and #6. After this initial observation, the next stage is data correlation analysis, comparing the raw data (pcap) with the feature extraction results while considering the attributes produced by the flowchart in Figure 3. The feature extraction results are at the bottom of Figure 4 and the information from the pcap file as displayed by Snort is at the top of the figure. The finding of this analysis is that the information from the feature extraction process and the information in the pcap file are consistent. For example, the timestamp of a packet from the feature extraction process is the same as in the pcap file (indicated in yellow, point 2). The standard rules in the Snort IDS are not accurate enough to detect the TCP FIN attacks.
Thus, the rules in the Snort IDS are customized by incorporating the rules produced by detection engine in Section 3.4.

Attack pattern analysis
The running dataset shown in Table 1 is now used to conduct experiments with Snort as the Intrusion Detection System (IDS). Snort generates an alert log, which is subsequently identified as the attack pattern, and correlation analysis is performed to validate the generated alerts. Table 4 shows the results. In Snort, a priority tag assigns a severity level to rules. A classtype rule assigns a default priority (defined by the configuration classification option) that may be overridden with a priority rule. Thus, in this work alerts with priority=2 are more severe than alerts with priority=3. Figure 5 depicts the priorities as severity levels. Table 4 shows that the modified Snort IDS is able to detect the TCP FIN flood attacks and displays the Scan FIN alerts accurately in running experiments #2, #3, #5, and #6. Table 5.
The attack patterns in Table 5 are defined as rules that form the knowledge base of attacks, patterns and filtered data for the modified Snort intrusion detection engine.
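As an added worked example of the rule-based detection stage (Section 3.4 and the paragraph above), not the paper's detection engine or one of its Snort rules, the following Python applies a threshold rule for FIN-only segments, the anomaly behind the Scan FIN alerts, to feature-extraction records. The records, the threshold of 20 segments within one second, the re-arm policy and the priority value are constructed assumptions.

```python
from collections import defaultdict, deque

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def is_fin_only(flags: int) -> bool:
    """A segment with FIN set but none of SYN/RST/ACK never occurs in a normal
    close (a real connection ends with FIN/ACK), so it is the flood signature."""
    return flags & (TCP_FIN | TCP_SYN | TCP_RST | TCP_ACK) == TCP_FIN


def detect_fin_flood(rows: list[dict], threshold: int, window: float, priority: int = 2) -> list[dict]:
    """Threshold rule over feature-extraction records (frame.number, frame.time,
    ip.src, ip.dst, tcp.flags): alert when one source sends `threshold` or more
    FIN-only segments to one destination within `window` seconds. After an alert
    the counter is re-armed, so a sustained burst yields one alert per `threshold`
    segments rather than one per packet (an assumed policy, not Snort's)."""
    recent = defaultdict(deque)    # (src, dst) -> timestamps of recent FIN-only segments
    alerts = []
    for row in rows:
        if not is_fin_only(row["tcp.flags"]):
            continue
        key = (row["ip.src"], row["ip.dst"])
        times = recent[key]
        times.append(row["frame.time"])
        while times[0] < row["frame.time"] - window:   # drop segments outside the window
            times.popleft()
        if len(times) >= threshold:
            alerts.append({"frame.number": row["frame.number"], "time": row["frame.time"],
                           "src": key[0], "dst": key[1], "count": len(times),
                           "msg": "SCAN FIN flood", "priority": priority})
            times.clear()
    return alerts


def make_rows() -> list[dict]:
    """Constructed records: one normal session, a stray FIN-only segment, and a
    40-segment FIN-only burst from one host at 1 ms spacing (assumed values)."""
    rows = []

    def add(t: float, src: str, flags: int) -> None:
        rows.append({"frame.number": len(rows) + 1, "frame.time": t, "ip.src": src,
                     "ip.dst": "192.168.1.2", "tcp.flags": flags})

    add(0.000, "192.168.1.10", TCP_SYN)
    add(0.010, "192.168.1.10", TCP_ACK)
    add(0.500, "192.168.1.10", TCP_FIN | TCP_ACK)   # orderly close, not a signature hit
    add(1.000, "192.168.1.11", TCP_FIN)             # single stray FIN-only, below threshold
    for i in range(40):
        add(2.0 + i * 0.001, "192.168.1.99", TCP_FIN)
    return rows
```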

Results analysis
After running the experiments on the Snort-based IDS, an assessment is conducted on the total alerts (TP, FP, TN, and FN) using a confusion matrix. The assessment results are in the form of binary classification, detection rate and the level of detection accuracy.
Based on the information in Table 6, the binary classification in running 2 shows that the number of successfully detected attacks (TP) is 540,408 (0.173%), the number of normal packets classified as attacks (False Positive) is 9 packets (0.l %), the number of alarms/alerts that did not appear when attacks happened is 2,578,383 packets (0.8253%), and the number of alerts that appeared when no attack happened is 5,436 packets (0.0017%). The confusion matrix calculations for the running Snort-based IDS are shown in Table 6. The calculation involves the total alerts resulting from the running dataset as follows.
• Server attack dataset (running 2): 540,408 out of 3,124,236 packets are indicated as alerts, or 0.1730%
• Normal-attack server dataset (running 3): 251,561 out of 3,696,730 packets are indicated as alerts, or 0.0680%
• Wi-Fi sensor node attack dataset (running 5): 517,041 out of 2,239,432 packets are indicated as alerts, or 0.2309%
• Normal-attack Wi-Fi sensor nodes dataset (running 6): 555,779 out of 2,278,444 packets are indicated as alerts, or 0.2439%
Furthermore, from the information in Table 6, the binary classification in running 2 shows that the number of successfully detected attacks (TP) is 540,408 (0.173%), the number of normal packets classified as attacks (FP) is 9 packets (0.0000%), alarms/alerts that did not appear when attacks happened (FN) are 2,578,383 packets (0.8235%), and alerts that appeared when no attack happened (TN) are 5,436 packets (0.0017%).
Hence, the TP average is 17.8958%, the FP average 0.0004%, the FN average 78.6513% and the TN average 3.4524%. Figure 7 shows the binary classification comparison chart, in which the False Negative (FN) parameter has the highest average percentage, 78.6513%. From the four measurements, the performance of the Snort-based detection with default rules relies mainly on two aspects: the True Positive and False Positive numbers. The following is an example of the steps of the confusion matrix calculation used to measure the accuracy level of the IDS against the TCP FIN flood attack, using experimental data #2 of Table 6. From the data in Table 6, for the four running experiments we obtain the following. The comparison of detection rates is visualized in Figure 8 (the data is truncated to 3 decimal places). Overall, the experimental results show that TCP flood attack detection using the TCP FIN feature provides relatively better accuracy than detection using TCP SYN, because this work has successfully characterized the TCP FIN attacks and then used the characteristics to develop better rules.
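The confusion-matrix steps the text refers to for experiment #2 are not reproduced on the page, so here is an added worked calculation (not the paper's own code) using the run 2 counts quoted above from Table 6. The indicator formulas are the standard definitions of accuracy, detection rate (TPR), false alarm rate (FPR), TNR, FNR and precision, assumed to match the paper's equations (1) to (7); the per-cell percentages the text reports are each cell divided by all packets, which shares() reproduces.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class ConfusionMatrix:
    """Alert counts of one IDS run: attack packets alerted (tp), normal packets
    alerted (fp), attack packets missed (fn) and normal packets left silent (tn)."""
    tp: int
    fp: int
    fn: int
    tn: int

    @property
    def total(self) -> int:
        return self.tp + self.fp + self.fn + self.tn

    def shares(self) -> dict:
        """Each cell as a fraction of all packets (the 'binary classification' figures
        the text reports, e.g. TP 540,408 of 3,124,236 = 0.173)."""
        return {cell: count / self.total for cell, count in asdict(self).items()}

    def indicators(self) -> dict:
        """Standard indicator definitions, assumed to be the paper's (1) to (7)."""
        def ratio(num: int, den: int) -> float:
            return num / den if den else 0.0       # guard: a run with no packets of one class
        return {
            "accuracy": ratio(self.tp + self.tn, self.total),
            "detection_rate_tpr": ratio(self.tp, self.tp + self.fn),
            "false_alarm_rate_fpr": ratio(self.fp, self.fp + self.tn),
            "tnr": ratio(self.tn, self.fp + self.tn),
            "fnr": ratio(self.fn, self.tp + self.fn),
            "precision": ratio(self.tp, self.tp + self.fp),
        }


def average_indicators(runs: list[ConfusionMatrix]) -> dict:
    """Mean of every indicator over several runs, the form in which the paper
    reports its final TPR/FPR/TNR/FNR/precision/accuracy figures."""
    per_run = [run.indicators() for run in runs]
    return {name: sum(r[name] for r in per_run) / len(per_run) for name in per_run[0]}


# Run 2 (server attack dataset) counts as reported in Table 6 of the paper.
RUN2 = ConfusionMatrix(tp=540_408, fp=9, fn=2_578_383, tn=5_436)
```

Note that the TPR and accuracy of run 2 alone (about 17.3% and 17.5%) are below the four-run averages reported in the conclusion, which is expected since those averages also include runs 3, 5 and 6.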
Conclusion
The confusion-matrix evaluation of the detection rate against the Snort IDS running results shows that the average True Positive Rate (TPR) is 18.7632%, the False Positive Rate (FPR) is 0.0646%, the True Negative Rate (TNR) is 99.9353%, the False Negative Rate (FNR) is 81.2367%, the level of precision is 99.9977%, the non-precision level is 4.5124% and the accuracy level is 21.3482%. The results show that TCP DoS attack detection using the TCP FIN message provides better accuracy than detection using the TCP SYN message. For further research, the authors consider making the running dataset have more varied scenarios to generate a variety of attack patterns, with the aim of finding more complicated attack patterns.