
To restrict DoS attacks we must implement the DoS detection table and its associated equations. We use Eq. 4.1 to determine a neighboring node's timeout ratio. As previously mentioned, we use the channel measurement as an offset to distinguish environmental factors from malicious behavior. In Eq. 4.2 and 4.3 we review PIT byte usage and transmission dominance separately. All three equations use an independent threshold variable that can be tuned either by our proposed algorithm or by the node behavior techniques. By observing these thresholds we can declare whether a neighboring node is behaving abnormally and is potentially an attacker. Additionally, depending on which thresholds are exceeded, we can decide what type of attack restriction steps should be taken.

Alg. 4.1 shows our proposed DoS detection and restriction algorithm. This algorithm is executed on each relay node repeatedly, with a predetermined delay period between executions. Each neighboring node, i, is analyzed to determine whether its previous behavior marks it as a potential attacker. Since each network node can only overhear neighboring nodes within communication range, we denote detectionTable as the node's DoS detection table of unbounded space. We make this assumption based on the typical UAN node density, ranging from tens to hundreds of nodes with limited transmission range. Therefore a given node's DoS detection table will have a limited number of entries and can be managed in reasonable time and computational complexity. In our algorithm we break down the sections by their predetermined goal. The FindEntryRatios(i) function provides the current ratios in terms of Eq. 4.1-4.3 for neighboring node i. In lines 3 through 5 we review potential DoS focus attacks and their associated pushback restriction mechanism. In lines 6 and 7 we detect potential DoS spread attacks and implement a throttling phase. Finally, we collect ongoing information on node behavior in lines 9 through 14. This information can then be managed by our three different node behavior techniques. These behavior collections focus on adapting to attacker actions over a longer period of time.

Algorithm 4.1: DoS Detection and Restriction Algorithm
Input: detectionTable

begin
 1   for i := 1 to detectionTable entries do
 2       FindEntryRatios(i)
 3       if α_i * int_i > intT_i and β_i > βT_i
 4           Reduce intT_i and βT_i ;            // Pushback(i)
 5           SendAlertPacket(i)
 6       else if α_i * int_i > intT_i and δ_i > δT_i
 7           Reduce intT_i and δT_i ;            // Throttle(i)
 8       end if
 9       SvmTable ← SvmInput(i)
10       if SvmModelTrained()
11           SvmPredict(i)
12       end if
13       StatisticalTable ← detectionTable_i
14       RulesMiningTable ← detectionTable_i
15   end for
end

When determining whether a node is potentially performing a focus attack we incorporate Eq. 4.1. In this way we can decide whether neighboring node i's timeout ratio exceeds a preset threshold value with the associated channel measurement offset applied. This comparison alone may not be reliable, because network interest spikes can create false positives. Instead we couple this comparison with Eq. 4.2. If both of these equations exceed their specific thresholds, then we begin the pushback phase. In this phase we reduce the timeout and PIT byte usage thresholds for the ith node only. Furthermore, the node currently running this algorithm sends an alert packet about this potential attacker to all neighboring nodes and restricts all incoming interest packets from this attacker's ID for a given period of time. All network nodes that receive this alert packet also reduce their associated thresholds for the questionable node. While this phase will not immediately stop an attacker, it triggers nodes to become more sensitive to the ith node being an attacker. The goal of this pushback is to completely restrict a focus attack, given a short detection delay and assuming the DoS remains consistent, allowing network nodes closer to the attacker to negate the malicious behavior. Additionally, we incorporate threshold resets after a set period of time with no pushback alerts or attacker detection, to reduce inaccuracy in our algorithm.

The proposed DoS detection and restriction algorithm must also target spread attacks. Based on this type of attack's characteristics we use both Eq. 4.1 and 4.3. Therefore, we analyze the timeout ratio for the ith node as well as its transmission dominance. The goal of this type of detection is to stop the malicious source at the point of network injection. Since a spread attacker may constantly vary the targeted routing path when creating malicious packets, we instead measure how many packets originate from each neighboring node. If both the timeout and transmission dominance thresholds in these equations are exceeded, then we begin the throttle phase. Similar to pushback, we reduce both threshold values for the ith node in question, making it more susceptible to future throttling. Additionally, we restrict interest packets generated by this node for a preset period of time. Like the pushback sequence, we use a threshold reset after a given period of time in which no spread attack is detected. This is important in the case of high network mobility and the potential for false positives.
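The per-neighbor decision logic of Alg. 4.1 and the pushback/throttle paragraphs above, as an added Python example (not code from the thesis). It assumes the ratios from Eq. 4.1-4.3 are already computed by FindEntryRatios and supplied per entry, and it assumes its own initial thresholds, reduction factor and reset period, since the page gives no values for them.

```python
from dataclasses import dataclass

# Assumed initial thresholds, reduction factor and reset period (not given on the page).
INIT_T = (0.5, 0.5, 0.5)   # (intT, betaT, deltaT)
REDUCE = 0.8               # each detection shrinks the two relevant thresholds by 20%
RESET_AFTER = 3            # executions with no detection before thresholds reset

@dataclass
class Entry:
    """One neighbor's row of the DoS detection table; the ratios are assumed to be
    produced by FindEntryRatios (Eq. 4.1-4.3, not reproduced here)."""
    alpha: float            # channel measurement offset
    int_ratio: float        # timeout ratio (Eq. 4.1)
    beta: float             # PIT byte usage (Eq. 4.2)
    delta: float            # transmission dominance (Eq. 4.3)
    int_t: float = INIT_T[0]
    beta_t: float = INIT_T[1]
    delta_t: float = INIT_T[2]
    quiet: int = 0          # consecutive executions with no detection for this node

def detect_and_restrict(table: dict) -> dict:
    """One execution of Alg. 4.1 on a relay node; returns {neighbor_id: action}."""
    actions = {}
    for i, e in table.items():
        timeout_exceeded = e.alpha * e.int_ratio > e.int_t
        if timeout_exceeded and e.beta > e.beta_t:        # lines 3-5: focus attack
            e.int_t *= REDUCE; e.beta_t *= REDUCE          # Pushback(i)
            e.quiet = 0
            actions[i] = "pushback"   # caller also sends alert packet, restricts i's interests
        elif timeout_exceeded and e.delta > e.delta_t:    # lines 6-7: spread attack
            e.int_t *= REDUCE; e.delta_t *= REDUCE         # Throttle(i)
            e.quiet = 0
            actions[i] = "throttle"   # caller restricts interests generated by i
        else:
            e.quiet += 1
            if e.quiet >= RESET_AFTER:                     # threshold reset after quiet period
                e.int_t, e.beta_t, e.delta_t = INIT_T
            actions[i] = "none"
    return actions

def apply_alert(table: dict, i) -> None:
    """Handle a neighbor's pushback alert about node i: lower our own thresholds for i."""
    e = table[i]
    e.int_t *= REDUCE; e.beta_t *= REDUCE

# Constructed sample table: a focus attacker, a spread attacker and a benign neighbor.
sample = {
    "n1": Entry(alpha=1.0, int_ratio=0.8, beta=0.9, delta=0.1),
    "n2": Entry(alpha=1.0, int_ratio=0.8, beta=0.1, delta=0.9),
    "n3": Entry(alpha=1.0, int_ratio=0.2, beta=0.2, delta=0.2),
}
```

A low alpha (poor channel) scales the timeout ratio down so that timeouts caused by the environment alone do not trigger either phase.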
