
Detection and Localization of Spoofing Attackers in Wireless Networks 2017-18

CHAPTER 1

INTRODUCTION
Spoofing is when an attacker pretends to be someone else in order to gain access to
restricted resources or steal information. This type of attack can take a variety of different
forms; for instance, an attacker can impersonate the Internet Protocol (IP) address of a
legitimate user in order to get into their accounts. Also, an attacker may send fraudulent
emails and set up fake websites in order to capture users' login names, passwords, and
account information. Faking an email or website is sometimes called a phishing attack.
Another type of spoofing involves setting up a fake wireless access point and tricking victims
into connecting to it.

IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the
goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not
care about receiving responses to the attack packets. Packets with spoofed addresses are thus
suitable for such attacks. They have additional advantages for this purpose—they are more
difficult to filter since each spoofed packet appears to come from a different address, and they
hide the true source of the attack. Denial of service attacks that use spoofing typically
randomly choose addresses from the entire IP address space, though more sophisticated
spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address
space. The proliferation of large botnets makes spoofing less important in denial of service
attacks, but attackers typically have spoofing available as a tool, if they want to use it, so
defenses against denial-of-service attacks that rely on the validity of the source IP address in
attack packets might have trouble with spoofed packets. Backscatter, a technique used to
observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing
for its effectiveness.

Due to the openness of wireless and sensor networks, they are especially vulnerable to
spoofing attacks where an attacker forges its identity to masquerade as another device, or
even creates multiple illegitimate identities. Spoofing attacks are a serious threat as they
represent a form of identity compromise and can facilitate a variety of traffic injection
attacks, such as evil twin access point attacks. It is thus desirable to detect the presence of
spoofing attackers and eliminate them from the network. In spite of existing 802.11 security techniques
including Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), or 802.11i

Dept of CSE, BIGCE, Solapur Page 1



(WPA2), such methodology can only protect data frames; an attacker can still spoof
management or control frames to cause significant impact on networks. Wireless spoofing
attacks are easy to launch and can significantly impact the performance of networks. In a
large-scale wireless network, multiple adversaries may masquerade as the same identity and
collaborate to launch malicious attacks, such as network resource utilization attacks and
denial-of-service attacks, quickly. The problem is therefore threefold: (1)
detect the presence of spoofing attacks, (2) determine the number of attackers, and (3)
localize multiple adversaries. Determining the number of attackers when multiple
adversaries use the same identity to launch attacks is the basis for further localizing multiple
adversaries after attack detection. Therefore, it is important to
• detect the presence of spoofing attacks,
• determine the number of attackers, and
• localize multiple adversaries and eliminate them.

Most existing approaches employ cryptographic schemes to address potential spoofing
attacks. However, the application of cryptographic schemes requires reliable key distribution,
management, and maintenance mechanisms. It is not always desirable to apply these
cryptographic methods because of their infrastructural, computational, and management
overhead. Further, cryptographic methods are susceptible to node compromise, which is a
serious concern as most wireless nodes are easily accessible, allowing their memory to be
easily scanned.
This method proposes to use RSS-based spatial correlation, a physical property
associated with each wireless node that is hard to falsify and not reliant on cryptography as
the basis for detecting spoofing attacks. Since the concern is on the attackers who have
different locations than legitimate wireless nodes, utilizing spatial information to address
spoofing attacks has the unique power to not only identify the presence of these attacks but
also localize adversaries.
An added advantage of employing spatial correlation to detect spoofing attacks is that
it will not require any additional cost or modification to the wireless devices themselves.
The focus is on static nodes in this work, which are common for spoofing scenarios [7]. The
works that are closely related are [3], [7], [9]. [3] proposed the use of matching rules of signal
prints for spoofing detection, [7] modeled the RSS readings using a Gaussian mixture model,
and [9] used RSS and K-means cluster analysis to detect spoofing attacks. However, none of
these approaches have the ability to determine the number of attackers when multiple
adversaries use the same identity to launch attacks, which is the basis to further localize
multiple adversaries after attack detection.
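
The RSS spatial-correlation idea described above, as an added example (not code from this report or from the cited works): RSS vectors reported for one claimed identity are split with K-means (K = 2), and the distance between the two centroids is the test statistic. The landmark layout, path-loss parameters, sample readings and the 10 dB threshold are all assumptions chosen for illustration.

```python
import math
import random

# Assumed monitor (landmark) positions in metres; not taken from the report.
LANDMARKS = [(0, 0), (50, 0), (0, 50), (50, 50)]


def rss_vector(pos, rng, p0=-40.0, n=3.0, sigma=2.0):
    """Constructed sample: log-distance path loss plus Gaussian shadowing (dBm)."""
    vec = []
    for lx, ly in LANDMARKS:
        d = max(math.hypot(pos[0] - lx, pos[1] - ly), 1.0)
        vec.append(p0 - 10.0 * n * math.log10(d) + rng.gauss(0.0, sigma))
    return vec


def constructed_samples(positions, per_position=100, seed=7):
    """RSS vectors seen for ONE claimed identity, transmitted from each position."""
    rng = random.Random(seed)
    return [rss_vector(p, rng) for p in positions for _ in range(per_position)]


def dist(a, b):
    """Euclidean distance between two RSS vectors (signal space, dB)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def kmeans2(points, max_iter=100):
    """Lloyd's algorithm with K=2 and a deterministic farthest-point start."""
    c1 = list(points[0])
    c2 = list(max(points, key=lambda p: dist(p, c1)))
    for _ in range(max_iter):
        g1 = [p for p in points if dist(p, c1) <= dist(p, c2)]
        g2 = [p for p in points if dist(p, c1) > dist(p, c2)]
        if not g1 or not g2:      # all readings identical: one cluster only
            return c1, c1
        n1, n2 = centroid(g1), centroid(g2)
        if n1 == c1 and n2 == c2:  # assignments stopped changing
            break
        c1, c2 = n1, n2
    return c1, c2


def detect_spoofing(points, threshold_db=10.0):
    """Return (alarm, centroid separation in dB) for one identity's readings.

    One transmitter at one place yields a single tight cloud, so forcing two
    clusters gives centroids only a few dB apart. Two transmitters at
    different places sharing the identity yield two clouds far apart.
    """
    c1, c2 = kmeans2(points)
    separation = dist(c1, c2)
    return separation > threshold_db, separation


if __name__ == "__main__":
    normal = constructed_samples([(10, 10)])            # legitimate node only
    attack = constructed_samples([(10, 10), (40, 35)])  # same identity, two places
    for name, data in (("normal", normal), ("attack", attack)):
        alarm, sep = detect_spoofing(data)
        print(f"{name}: separation={sep:.1f} dB alarm={alarm}")
```

In a deployment the threshold would be calibrated from readings collected under normal conditions rather than fixed in advance.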


CHAPTER 2
LITERATURE SURVEY
Recently, new approaches utilizing physical properties associated with wireless
transmission to combat attacks in wireless networks have been proposed. Based on the fact
that wireless channel response decorrelates quite rapidly in space, a channel-based
authentication scheme was proposed to discriminate between transmitters at different
locations, and thus to detect spoofing attacks in wireless networks [11]. Brik et al. [12]
focused on building fingerprints of 802.11b WLAN NICs by extracting radiometric
signatures, such as frequency magnitude, phase errors, and I/Q origin offset, to defend against
identity attacks. However, there is additional overhead associated with wireless channel
response and radiometric signature extraction in wireless networks. Li and Trappe [4]
introduced a security layer that used forge-resistant relationships based on the packet traffic,
including MAC sequence number and traffic pattern, to detect spoofing attacks.
The MAC sequence number has also been used in [13] to perform spoofing detection.
Both the sequence number and the traffic pattern can be manipulated by an adversary as long
as the adversary learns the traffic pattern under normal conditions. The works [3], [7], [14]
using RSS to defend against spoofing attacks are most closely related to this work. Faria and
Cheriton [3] proposed the use of matching rules of signal prints for spoofing detection. Sheng
et al. [7] modelled the RSS readings using a Gaussian mixture model. Sang and Arora [14]
proposed to use the node's "spatial signature," including Received Signal Strength Indicator
(RSSI) and Link Quality Indicator (LQI), to authenticate messages in wireless networks.
However, none of these approaches are capable of determining the number of attackers when
there are multiple adversaries collaborating to use the same identity to launch malicious
attacks. Further, they do not have the ability to localize the positions of the adversaries after
attack detection.

2.1 Detecting Identity Based Attacks in Wireless Networks Using Signal prints.
Daniel B. Faria, Computer Science Department, Stanford University; David R.
Cheriton, Computer Science Department, Stanford University.
Wireless networks are vulnerable to many identity-based attacks in which a malicious
device uses forged MAC addresses to masquerade as a specific client or to create multiple
illegitimate identities. For example, several link-layer services in IEEE 802.11 networks have
been shown to be vulnerable to such attacks even when 802.11i/1X and other security
mechanisms are deployed. In this paper we show that a transmitting device can be robustly
identified by its signal print, a tuple of signal strength values reported by access points acting
as sensors. We show that, different from MAC addresses or other packet contents, attackers
do not have as much control regarding the signal prints they produce.
Moreover, using measurements in a test bed network, we demonstrate that signal
prints are strongly correlated with the physical location of clients, with similar values found
mostly in close proximity. By tagging suspicious packets with their corresponding signal
prints, the network is able to robustly identify each transmitter independently of packet
contents, allowing detection of a large class of identity-based attacks with high
probability.

2.2 Secure and efficient key management in mobile ad hoc networks.
Bing Wu, Jie Wu, Eduardo B. Fernandez, Mohammad Ilyas, Spyros Magliveras
In mobile ad hoc networks, due to unreliable wireless media, host mobility and lack of
infrastructure, providing secure communications is a big challenge. Usually, cryptographic
techniques are used for secure communications in wired and wireless networks. Symmetric
and asymmetric cryptography have their advantages and disadvantages. In fact, any
cryptographic means is ineffective if its key management is weak. Key management is also a
central aspect for security in mobile ad hoc networks. In mobile ad hoc networks, the
computational load and complexity for key management are strongly subject to restriction by
the node's available resources and the dynamic nature of network topology.
This model proposes a secure and efficient key management (SEKM) framework for mobile
ad hoc networks. SEKM builds a public key infrastructure (PKI) by applying a secret sharing
scheme and using underlying multicast server groups. We give detailed information on
the formation and maintenance of the server groups. In SEKM, each server group creates a
view of the certificate authority (CA) and provides certificate update service for all nodes,
including the servers themselves. A ticket scheme is introduced for efficient certificate
service. In addition, an efficient server group updating scheme is proposed. The performance
of SEKM is evaluated through simulation.


2.3 Lightweight Key Management For IEEE 802.11 Wireless LANs With Key Refresh and Host Revocation.
Avishai Wool, Dept. Electrical Engineering - Systems, Tel Aviv University, Ramat
Aviv 69978, ISRAEL
IEEE 802.11 has been designed with very limited key management capabilities, using
up to 4 static, long-term keys, shared by all the stations on the LAN. This design makes it
quite difficult to fully revoke access from previously-authorized hosts. A host is fully revoked
when it can no longer eavesdrop and decrypt traffic generated by other hosts on the wireless
LAN. This paper proposes WEP, a lightweight solution to the host-revocation problem. The
key management in WEP is in the style of pay-TV systems:
The Access Point periodically generates new keys, and these keys are transferred to
the hosts at authentication time. The fact that the keys are only valid for one re-key period
makes host revocation possible, and scalable: A revoked host will simply not receive the new
keys. Clearly, WEP is not an ideal solution, and does not address all the security problems
that IEEE 802.11 suffers from. However, what makes WEP worthwhile is that it is 100%
compatible with the existing standard. And, unlike other solutions, WEP does not rely on
external authentication servers. Therefore, WEP is suitable for use even in the most basic
IEEE 802.11 LAN configurations, such as those deployed in small or home offices, or built
using free, open-source tools.

2.4 An Authentication Framework for Hierarchical Ad Hoc Sensor Networks.
Mathias Bohge, Wireless Information Network Laboratory (WINLAB), Rutgers,
The State University of New Jersey, 73 Brett Rd. Piscataway, NJ 08854; Wade Trappe,
Wireless Information Network Laboratory (WINLAB), Rutgers, The State University.
Recent results indicate scalability problems for flat ad hoc networks. To address the
issue of scalability, self-organizing hierarchical ad hoc architectures are being investigated. In
this paper, we explore the task of providing data and entity authentication for hierarchical ad
hoc sensor networks. Our sensor network consists of three tiers of devices with varying levels
of computational and communication capabilities. Our lowest tier consists of compute-
constrained sensors that are unable to perform public key cryptography.
To address this resource constraint, we present a new type of certificate, called a
TESLA certificate, that can be used by low powered nodes to perform entity authentication.
Our framework authenticates incoming nodes, maintains trust relationships during topology
changes through an efficient handoff scheme, and provides data origin authentication for
sensor data. Further, our framework assigns authentication tasks to nodes according to their
computational resources, with resource-abundant access points performing digital signatures
and maintaining most of the security parameters. We conclude by providing an initial
performance evaluation and security analysis for our framework.

2.5 Sequence Number-Based MAC Address Spoof Detection


Fanglu Guo and Tzi-cker Chiueh, Computer Science Department, Stony Brook
University.
The exponential growth in the deployment of IEEE 802.11-based wireless LAN
(WLAN) in enterprises and homes makes WLAN an attractive target for attackers. Attacks
that exploit vulnerabilities at the IP layer or above can be readily addressed by intrusion
detection systems designed for wired networks.
However, attacks exploiting link-layer protocol vulnerabilities require a different set
of intrusion detection mechanisms. Most link-layer attacks in WLANs are denial of service
attacks and work by spoofing either access points (APs) or wireless stations. Spoofing is
possible because the IEEE 802.11 standard does not provide per-frame source authentication,
but can be effectively prevented if a proper authentication is added into the standard.
Unfortunately, it is unlikely that commercial WLANs will support link-layer source
authentication that covers both management and control frames in the near future.
Even if it is available in next-generation WLAN equipment, it cannot protect the
large installed base of legacy WLAN devices. This paper proposes an algorithm to detect
spoofing by leveraging the sequence number held in the link-layer header of IEEE 802.11
frames, and demonstrates how it can detect various spoofing without modifying the APs or
wireless stations. The false positive rate of the proposed algorithm is zero, and the false
negative rate is close to zero. In the worst case, the proposed algorithm can detect a spoofing
activity, even though it can only detect some but not all spoofed frames.
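
A simplified monitor-side check of the sequence-number idea summarized above, as an added example (it is not the algorithm from the cited paper and makes no claim about its error rates): 802.11 sequence numbers are 12 bits wide and normally advance by one per frame, so a large forward jump or an apparent step backwards under one source MAC suggests two transmitters with separate counters. The frame tuples, the MAC address and the `max_gap` tolerance are constructed for illustration.

```python
SEQ_MODULUS = 4096  # the 802.11 sequence number field is 12 bits wide

STA = "02:00:00:00:00:01"  # constructed, locally administered MAC address

# Constructed capture: (source MAC, sequence number, retry flag).
FRAMES = [
    (STA, 4094, False),
    (STA, 4095, False),
    (STA, 0, False),     # counter wraps 4095 -> 0: gap 1, normal
    (STA, 0, True),      # retransmission of the same frame: gap 0 with retry set
    (STA, 2, False),     # one frame missed by the monitor: gap 2, tolerated
    (STA, 2713, False),  # second transmitter using the same MAC, own counter
    (STA, 3, False),     # legitimate station continues its own counter
    (STA, 4, False),
    (STA, 2714, False),
    (STA, 5, False),
]


def seq_gap(prev, cur):
    """Forward distance from prev to cur on the 12-bit sequence circle."""
    return (cur - prev) % SEQ_MODULUS


def find_anomalies(frames, max_gap=3):
    """Flag frames whose sequence gap is implausible for a single transmitter.

    max_gap is an assumed tolerance for frames the monitor failed to capture.
    A gap of 0 is accepted only when the retry flag is set. A step backwards
    shows up as a very large forward gap because of the modulo arithmetic.
    Returns a list of (frame index, mac, previous seq, current seq, gap).
    """
    last_seq = {}
    alerts = []
    for idx, (mac, seq, retry) in enumerate(frames):
        if mac in last_seq:
            gap = seq_gap(last_seq[mac], seq)
            is_retransmission = gap == 0 and retry
            if not is_retransmission and (gap == 0 or gap > max_gap):
                alerts.append((idx, mac, last_seq[mac], seq, gap))
        # Track the most recent number even after an alert, so that the
        # legitimate station's next frame is flagged as well: interleaved
        # counters produce alerts in pairs.
        last_seq[mac] = seq
    return alerts


if __name__ == "__main__":
    for idx, mac, prev, cur, gap in find_anomalies(FRAMES):
        print(f"frame {idx}: {mac} seq {prev} -> {cur} (gap {gap})")
```

As the survey notes in Chapter 2, an adversary who learns the traffic pattern can manipulate sequence numbers, so a check of this kind complements rather than replaces the RSS-based approach.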


2.6 Spatial Signatures for Lightweight Security in Wireless Sensor Networks.
Lifeng Sang and Anish Arora, Department of Computer Science and Engineering,
The Ohio State University, Columbus, Ohio
This paper experimentally investigates the feasibility of crypto-free communications
in resource-constrained wireless sensor networks. We exploit the spatial signature induced by
the radio communications of a node on its neighboring nodes. We design a primitive that
robustly and efficiently realizes this concept, even at the level of individual packets and when
the network is relatively sparse. Using this primitive, we design a protocol that robustly and
efficiently validates the authenticity of the source of messages: authentic messages incur no
communication overhead whereas masqueraded communications are detected cooperatively
by the neighboring nodes.
The protocol enables lightweight collusion-resistant methods for broadcast
authentication, unicast authentication, non-repudiation and integrity of communication. We
have implemented our primitive and protocol, and quantified the high-level of accuracy of the
protocol via testbed experiments with CC1000 radio-enabled motes.

2.7 Why Wireless Sensor Networks Are Difficult to Protect.


As mentioned above, wireless sensor nodes are typically small, battery operated devices
with three main subsystems:
• The sensing subsystem consists of one or more sensors or transducers which convert
the monitored physical variable to an electrical, possibly digital, signal.
• The computational subsystem is a small microcontroller with integrated memory; it
controls the operation of the other two subsystems.
• The communication or radio subsystem enables the node to communicate with other
nodes in its vicinity through wireless transmissions.

Three main problems that make wireless sensor networks difficult to protect and
secure against intrusions can be readily identified. The first problem is the very nature of the
wireless communication medium, which makes wireless communication inherently insecure.
Unlike wired networks, where a device has to be physically connected to the medium, the
wireless medium is open and accessible to anyone.
Moreover, the range in which the impact of an intruder can be felt primarily depends
on the characteristics of the intruder's equipment; an intruder with a strong transmitter can easily
produce interference from a distance which makes any physical response infeasible or, in
some applications, plain impossible. The second problem is the absence of any infrastructure:
in particular, there is no central or master controller to monitor the operation of the network
and analyze the data to detect intrusions.
While most such networks have a designated network sink, its role is typically
restricted to data collection and query distribution, and does not include any form of actual
control. As a result, any intrusion detection technique has to be implemented as a
cooperative, distributed effort of many among the nodes in the sensor network, or even all of
them together. An added difficulty stems from the unstable topology of the network, which
may be due to battery exhaustion or (in some cases) node mobility.
Yet other wireless networks exist that have both of these problems: wireless ad hoc
networks. In those networks, a wireless communication medium is used, and they operate with
little infrastructure or none at all. A number of intrusion prevention techniques have been
proposed for such networks [10], and also a few techniques for intrusion detection [5, 17, 28,
29]. Such techniques are a combination of several approaches, including use of cooperating
mobile agents [6, 15], possibly combined with the analysis of audit logs [13], a
game-theoretic approach [1], and a number of others. However, the main problem with wireless
sensor networks lies elsewhere: in their limited computational and communication resources.
Namely, wireless sensor networks need to operate autonomously for prolonged periods of
time, and they have to run on battery power.
To cater to those goals, the energy consumption of sensor nodes has to be minimized;
this necessitates both the power efficiency of the hardware (and its small size) and the
efficiency of communications protocols and the software that implements those protocols.
The processing subsystem is invariably implemented with a small microprocessor with
limited resources, which runs at low clock speeds, and thus offers only modest computational
and memory capabilities. As a result,
• The processing power of such subsystems is generally insufficient to run a full-scale
software agent dedicated to intrusion detection.
Even if sufficient computational capability were available, the low data rate of typical
communication channels (250 kbps for IEEE 802.15.4 networks operating in the ISM band at
2.4 GHz, but only 20 or 40 kbps when operating in other bands [12]) simply does not suffice
for the rather intense communication that those agents need.


By the same token, any substantial computation is infeasible. Moreover, since
memory capacity is of the order of hundreds or, at best, thousands of bytes, an audit log of
realistic size cannot be maintained.
Simple and efficient protocols mean that individual layers which are traditionally
observed in wired networks (but also in other wireless networks) [24] must be integrated;
after all, a wireless sensor network is a highly specialized network for a limited class of
applications, and such integration makes perfect sense in view of the inherent limitations of
wireless sensor networks. The important implication is that existing techniques which focus
on one layer only (for example, routing [3, 18] or media access control (MAC) [26]) cannot
readily be applied. Further problems pertinent to wireless sensor networks include the following.
Sensor networks have a large number of nodes, which may exceed hundreds or even thousands [2].
Security architectures developed for small-scale ad hoc networks are infeasible for
resource-limited large-scale sensor networks.
Sensor networks exhibit comparatively stable communication patterns as opposed to
ad hoc networks. In ad hoc networks, nodes are assumed to communicate among themselves
and traffic patterns are reasonably random. On the contrary, in sensor networks most of the
traffic is created as many-to-one nearly-periodic transmission, as nodes have to report sensor
readings to a central, more capable node.
In ad hoc networks, communications are generally of the point-to-point, and often of
multi-hop, variety. There is no source or destination of packets; instead, roles change over
time. The only exception might be slightly increased traffic to and from nodes which act as
access points to the wired network. In sensor networks, data flow is directional and there is a
single common destination for most, if not all, traffic. Sensor devices are physically
vulnerable: they are susceptible to being damaged, captured and subverted (perhaps through
reprogramming), or simply destroyed by the attacker. The inescapable conclusion is that
existing solutions for intrusion detection cannot be re-used directly; instead, they have to be
adapted to the characteristics of wireless sensor networks [6,14,22]. In particular, intrusion
detection, like other security-related challenges, requires an integrated and comprehensive
approach; if added as an afterthought, it cannot be as effective.
That makes it particularly hard to design an ideal security architecture for all the
layers. In practical applications, we should design our protocols in each layer with security in
mind. Before security considerations, there exist several protocols in every layer. But when it
comes to security, we should incorporate the security method into the already existing
protocols or cooperate with them. The consequence is that the original architecture works
inefficiently or otherwise should be redesigned.

2.8 Security Considerations.


As is well known [4], main aspects of security include the following: Authentication
is necessary to enable sensor nodes to detect maliciously injected or spoofed packets. It
enables a node to verify the origin of a packet and ensure data integrity. Almost all
applications require data authentication. In many applications, military as well as civilian
ones, an adversary has clear incentives to join the network in order to inject false information
such as fake data or routing information.
Although authentication tries to prevent outsiders from injecting or spoofing packets,
it does not solve the problem of compromised nodes. Since an attacker may have access to
the secret keys of a compromised node, it can authenticate itself to the network. However, we
may be able to use intrusion detection techniques to find the compromised nodes and revoke
their cryptographic keys network-wide. Confidentiality or secrecy of data communications
prevents unauthorized users from learning the contents of the messages. To that end, we can
use standard encryption functions which might include secret keys shared among the
communicating parties. (Note that the use of public-private key cryptography, while much
more resilient to attacks, is out of the question on account of limited computational resources
of sensor nodes.)
However, encryption itself is not sufficient for protecting the privacy of data, as an
eavesdropper can perform traffic analysis on the overheard cipher text, and this can release
sensitive information about the data. In addition to encryption, privacy of sensed data also
needs to be enforced through access control policies at the base station to prevent misuse of
information. Availability requires that the sensor network is functional throughout its
lifetime. Denial of Service (DoS) attacks result in a loss of availability [26]. In practice, loss
of availability may have serious impacts: it may cause failure to detect a potential accident and
result in financial loss; in a battlefield surveillance application, loss of availability may open a back
door for enemy invasion. Various attacks can compromise the availability of the sensor
network. When considering availability in sensor networks, it is important to achieve graceful
degradation in the presence of node compromise or benign node failures.
Integrity of services is another security requirement. Above the networking layer, the
sensor network usually implements several application-level services. Data aggregation is
one of the most important sensor network services. In data aggregation, a sensor node collects
readings from neighboring nodes, aggregates them, and sends them to the base station or
another data processing node. The goal of secure data aggregation is to obtain a relatively
accurate estimate of the real-world quantity being measured, and to be able to detect and
reject a reported value that is significantly distorted by corrupted nodes.

2.9 Classifying the Intrusions.


Intrusion attacks can be categorized according to different criteria.
2.9.1 Location of the attacker with respect to the network.
According to this criterion, attacks can be classified into insider and outsider attacks.
In an outsider attack, the attack node is not an authorized participant of the sensor network.
As the sensor network communicates over a wireless channel, a passive attacker can easily
eavesdrop on the used frequency range to steal private or sensitive information.
The adversary can also alter or spoof packets to attack the authenticity of communication or inject
interfering wireless signals to jam the network. Another form of outsider attack is to disable sensor
nodes. An attacker can inject useless packets to drain the receiver's battery, or he can capture and
physically destroy nodes. A failed node is similar to a disabled node. Unlike outsider attacks, insider
attacks are performed by compromised nodes in the WSN. With node compromise, an adversary can
perform an insider attack. In contrast to a disabled node, a compromised node generally seeks to disrupt
or paralyze the network. A compromised node may be a subverted sensor node or a more powerful
device, such as a laptop, with more computational power, memory, and a more powerful radio. It may be running
some malicious code and seek to steal secrets from the sensor network or disrupt its normal functions.
It may have a radio compatible with sensor nodes such that it can communicate with the sensor
network.

2.9.2 Networking layer in which the attack takes place.

Attacks on wireless sensor networks can occur in different networking layers such as
application, data link, network and physical layers, or in two or more of these layers
simultaneously. Attacks on the physical layer are, in fact, the easiest to launch. Since wireless
sensor networks can be deployed in hostile environments or densely populated areas, physical
access to individual nodes is possible. Even casual passers-by may be able to damage,
destroy, or tamper with sensor devices.

Destruction of the node could cause gaps in sensor or communication coverage.
Better equipped attackers can interrogate a device's memory, stealing its data or cryptographic
keys. The code can be replaced with a malicious program which is potentially undetectable to
neighboring nodes. The capability profile of the subverted node becomes that of a fully
authorized insider. Attacks on the
data link layer, including the media access control layer, are also comparatively simple. Many
data link protocols in wireless sensor networks just consider the efficiency and fairness of
utilizing the common channel. In these protocols, all the nodes in the network follow the
same set of rules to access the media. For these reasons, many data link protocols are very
vulnerable. Currently known attacks on the data link layer are mainly focused on the channel
access. That is to say, a malicious node could randomly access the link and transmit messages on,
or eavesdrop on messages from, the channel.

More seriously, this node may inject and alter transmitted data. These attacks can be
organized in three categories: collision attack, unfairness attack, and exhaustion attack.

Collision Attack:
Each node could inform its neighbors that it has some data to send or
receive by exchanging RTS (Request To Send)/CTS (Clear To Send) control packets.
Neighbor nodes could detect that the public channel is busy, and they would back off their
sending even if they have some data packets to send. Using this mechanism, a collision
only happens in the exchanging period of RTS and CTS packets, which means the data
packet sending process is a non-collision process. In addition, each node will check whether
the channel is busy or idle before sending RTS and CTS packets.

That's why the probability of collision is very low. Under this condition, when there is
a packet being transmitted on the channel, adversaries can easily conduct attacks by sending out
some packets to disrupt it (such as data packets or control packets sent by normal nodes).

Unfairness Attack:
For most RTS/CTS-based data link protocols, each node has the same priority to get
the common channel. The rule is that the tried node gets hold of the channel. Besides, all
other nodes have to wait for a random length of time before trying to transmit packets. This rule
could ensure that every node accesses the common channel fairly. Adversaries could utilize these
characteristics to attack the network. They send out packets after waiting for only a very short time
or without waiting. This causes the common channel to be used more by adversaries than by
normal nodes.


2.9.3 Attacks on Network Layer


It is not enough to secure our sensor networks by only using the data link layer
security countermeasures. Those countermeasures can only protect against outsider
attacks. Some insider attacks which cannot be defended against in the link layer involve the
routing protocols in the sensor networks. These attacks can be categorized into the following
kinds: selective forwarding, sinkhole attacks, wormhole attacks, Sybil attacks, and HELLO
attacks:
In sensor networks, each node can act as a router, that is to say, it could forward
messages received. In selective forwarding attacks, once a middle node is captured by a
malicious node, this node may refuse to forward certain messages and simply drop them. This
behaves like a black hole. In practical applications, the malicious nodes use the attack to
modify the packets.
The neighboring nodes will conclude that the compromised node has failed and
decide to seek another route skipping this node. In sinkhole attacks, the malicious node's goal
is to lure all the traffic from a particular area to gain the entire message from the inspected
area. The motivation of a sinkhole attack is that it makes selective forwarding trivial. By
transmitting all traffic to the base station, the adversary can easily modify packets originating
from any node in the area. In wormhole attacks, the powerful adversary is usually close to a
base station. Remote powerful nodes often collude to establish artificial links to
transmit the packets the remote nodes collected. Since these packets are originated the base
station, all the packets may be captured by the adversary.
So the wormhole usually happens with the sinkhole. The sinkhole and wormhole
attacks can be difficult to detect. In a Sybil attack, the adversary presents multiple identities to
other nodes in the network. So if other nodes are fooled, the data will be transmitted through
the adversary and the control of substantial fractions of the network system will be at risk. In
HELLO attacks, since all nodes have to send HELLO packets to neighbor nodes before the
network is established, a powerful adversary could use this characteristic to send HELLO
packets to all nodes and thus destroy the network.
Some or all of these attacks can be combined to attack the current routing
protocols. For example, the TinyOS beaconing protocol constructs the topology through
a broadcast message from the base station and the rebroadcast messages from the nodes that
received the message. An adversary with powerful transmission capability may replace the
base station. If authentication is introduced, another adversary situated near the base station
can launch a wormhole and sinkhole attack.
Also, the adversary can use HELLO to make itself the parent of other nodes in the
network.

Attacks on Application Layer

The most common kind of application level attack is the Denial of Service (DoS) attack.
A DoS attack is any event that diminishes or eliminates a network's capability to perform its
expected functions. It is the general result of any action that prevents any part of a WSN from
functioning correctly or in a timely manner. Hardware failures, software bugs, resource
exhaustion, environmental conditions, or any complicated interaction between these factors
can cause a DoS.

2.10 Intrusion Detection


As noted above, intrusion prevention techniques (which typically use encryption
and authentication) are generally insufficient to ensure security, and must be complemented
with intrusion detection [10]. However, close collaboration of those techniques would allow
the latter to make use of the information provided by the former and vice versa, and thus
improve the efficiency of both of them [11].

Detection technique

An Intrusion Detection System (IDS) may be classified on the basis of its detection
technique [4]. The main techniques include:
A potential intrusion is reported by Misuse or Signature-based detection
if a sequence of events within a system matches a set of known security policy violations. In
order to detect an intrusion with the misuse model, knowledge of potential vulnerabilities of
the system should be available. The intrusion detection system then applies this rule set to the
sequences of data to determine a possible intrusion.
This technique may exhibit low false positives, but does not perform well at detecting
previously unknown attacks. Subhadrabandhu et al. [25] present a robust intrusion detection
using misuse detection techniques. Anjum et al. [3] deal with the ability of various routing
protocols to facilitate intrusion detection techniques when the attack signatures are
completely known in the network.
Anomaly detection uses a set of expected values to compare with the system's behavior.
If the computed statistics do not match the expected values, an anomaly is reported.
Anomaly-based detection defines a profile of normal behavior and classifies any deviation
from that profile as an intrusion. The normal profile is updated as the system learns the
subject's behavior.
This technique may detect previously unknown attacks but may exhibit high false
positives. Zhang et al. [28] present an anomaly detection model. They use trace data which
describes the normal updates of routing information, since the main concern is that false
routing will be used by other nodes. The generated trace data will then bear evidence of
normality or anomaly. High false positive rates are reported based on their simulation results.
Anomaly detection may be used to detect attacks against a network daemon or a SetUID
program by building a normal profile of the system calls made during program execution. If
the process execution deviates significantly from the established profile, an intrusion is
assumed. Okazaki et al. [19] have proposed a lightweight approach using profiles consisting
of the type of system call and its frequency of occurrence, in which speech recognition
methods are used to calculate the optimal match between a normal profile and a sample
profile.
Compared to misuse modeling, specification modeling takes the opposite approach; it
looks for a specification of how a system or program executes and marks a sequence of
instructions as a potential intrusion if it violates the specification. This technique may provide
the capability to detect previously unknown attacks, while exhibiting a low false positive rate.
For example, Snort [23] is an open source network intrusion prevention and detection
system utilizing a rule-driven language, which combines the benefits of signature-based and
anomaly-based detection methods.

Location of the Intrusion Detection System

A second distinction can be made in terms of the placement of the IDS. In this respect IDSs
are usually divided into host-based and network-based systems and, once again, both kinds
of system offer advantages and disadvantages:
Host-based systems are present on each host that requires monitoring, and collect data
concerning the operation of this host, usually log files, network traffic to and from the host, or
information on processes running on the host. Host-based systems are able to determine if an
attempted attack was indeed successful, and can detect local attacks, privilege escalation
attacks and attacks which are encrypted. However, such systems can be difficult to deploy
and manage, especially when the number of hosts needing protection is large. Furthermore,
these systems are unable to detect attacks against multiple targets within the network.
Network-based IDSs monitor the network traffic on the network containing the hosts
to be protected, and are usually run on a separate machine termed a sensor. Network-based
systems are able to monitor a large number of hosts with relatively little deployment costs,
and are able to identify attacks to and from multiple hosts. However, they are unable to detect
whether an attempted attack was indeed successful, and are unable to deal with local or
encrypted attacks. Hybrid systems, which incorporate host- and network-based elements, can
offer the best protective capabilities, and systems to protect against attacks from multiple
sources are also under development.


CHAPTER 3
SYSTEM ANALYSIS
3.1 Existing System
In spite of existing 802.11 security techniques including Wired Equivalent Privacy
(WEP), Wi-Fi Protected Access (WPA), or 802.11i (WPA2), such methodology can only
protect data frames—an attacker can still spoof management or control frames to cause
significant impact on networks. Spoofing attacks can further facilitate a variety of traffic
injection attacks [9],[10], such as attacks on access control lists, rogue access point (AP)
attacks, and eventually Denial-of-Service (DoS) attacks. A broad survey of possible spoofing
attacks can be found in [6],[7]. Moreover, in a large-scale network, multiple adversaries may
masquerade as the same identity and collaborate to launch malicious attacks such as network
resource utilization attack and denial-of-service attack quickly. Therefore, it is important to
• detect the presence of spoofing attacks,
• determine the number of attackers, and
• localize multiple adversaries and eliminate them.
Most existing approaches to address potential spoofing attacks employ cryptographic
schemes. However, the application of cryptographic schemes [8] requires reliable key
distribution, management, and maintenance mechanisms. It is not always desirable to apply
these cryptographic methods because of their infrastructural, computational, and management
overhead. Further, cryptographic methods are susceptible to node compromise, which is a
serious concern as most wireless nodes are easily accessible, and easily scanned.
3.1.1 Disadvantages of existing system
• Among various types of attacks, identity-based spoofing attacks are especially easy to
launch and can cause significant damage to network performance.
• For instance, in an 802.11 network, it is easy for an attacker to gather useful MAC
address information during passive monitoring and then modify its MAC address by
simply issuing an ifconfig command to masquerade as another device.
• Effective only when implemented by a large number of networks.
• Deployment is costly, and the incentive for an ISP is very low.


3.2 PROPOSED SYSTEM


In this work, we propose to use received signal strength (RSS)-based spatial
correlation, a physical property associated with each wireless node that is hard to falsify and
not reliant on cryptography, as the basis for detecting spoofing attacks. Since we are
concerned with attackers who have different locations than legitimate wireless nodes,
utilizing spatial information to address spoofing attacks has the unique power to not only
identify the presence of these attacks but also localize adversaries. An added advantage of
employing spatial correlation to detect spoofing attacks is that it will not require any
additional cost or modification to the wireless devices themselves. We focus on static nodes
in this work, which are common for spoofing scenarios.
We addressed spoofing detection in mobile environments in our other work. Faria and
Cheriton proposed the use of matching rules of signal prints for spoofing detection, Sheng et
al. modeled the RSS readings using a Gaussian mixture model and Chen et al. used RSS and
K-means cluster analysis to detect spoofing attacks. However, none of these approaches have
the ability to determine the number of attackers when multiple adversaries use the same
identity to launch attacks, which is the basis to further localize multiple adversaries after
attack detection.
Although Chen et al. studied how to localize adversaries, their approach can only handle the
case of a single spoofing attacker and cannot localize the attacker if the adversary uses
different transmission power levels.
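The detection idea described above, as an added example that is not part of the original report: RSS vectors that claim one identity are clustered in signal space with K-means, a large distance between the two centroids flags spoofing, and a silhouette score (a technique substituted here, not the report's method) estimates how many transmitters share the identity. The landmark readings, the noise level and the 10 dB threshold are constructed assumptions.

```python
import math
import random

# Constructed mean RSS (dBm) seen at four monitoring landmarks for each
# transmitter position; hypothetical values, not measurements from the report.
LEGIT = (-50.0, -62.0, -70.0, -58.0)
ATTACKER_1 = (-68.0, -55.0, -52.0, -71.0)
ATTACKER_2 = (-60.0, -75.0, -58.0, -48.0)


def simulate(means, n_per_tx, sigma_db=1.5, seed=7):
    """Constructed RSS vectors for one claimed MAC: Gaussian noise around each position."""
    rng = random.Random(seed)
    pts = [tuple(rng.gauss(m, sigma_db) for m in mean)
           for mean in means for _ in range(n_per_tx)]
    rng.shuffle(pts)
    return pts


def kmeans(points, k, iters=100):
    """Lloyd's algorithm with deterministic farthest-first seeding."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(math.dist(p, c) for c in centers)))
    labels = None
    for _ in range(iters):
        new_labels = [min(range(k), key=lambda j: math.dist(p, centers[j])) for p in points]
        if new_labels == labels:
            break  # assignments stable, so the centres are too
        labels = new_labels
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:  # keep the old centre if a cluster empties
                centers[j] = tuple(sum(c) / len(members) for c in zip(*members))
    return labels, centers


def centroid_distance(points):
    """Test statistic: distance in signal space (dB) between the two K-means centroids."""
    _, (c1, c2) = kmeans(points, 2)
    return math.dist(c1, c2)


def spoofing_detected(points, threshold_db=10.0):
    """One position yields two nearby centroids; two positions yield distant ones.
    The threshold is an assumed value; in practice it is set from attack-free data."""
    return centroid_distance(points) > threshold_db


def mean_silhouette(points, labels, k):
    """Average silhouette width of a clustering (higher means cleaner separation)."""
    clusters = [[p for p, l in zip(points, labels) if l == j] for j in range(k)]
    total = 0.0
    for p, l in zip(points, labels):
        own = clusters[l]
        if len(own) < 2:
            continue  # a singleton cluster scores 0
        a = sum(math.dist(p, q) for q in own) / (len(own) - 1)
        b = min((sum(math.dist(p, q) for q in c) / len(c)
                 for j, c in enumerate(clusters) if j != l and c), default=a)
        total += (b - a) / (max(a, b) or 1.0)
    return total / len(points)


def estimate_transmitters(points, k_max=4):
    """Pick the cluster count with the best silhouette; attackers = result - 1."""
    scores = {}
    for k in range(2, k_max + 1):
        labels, _ = kmeans(points, k)
        scores[k] = mean_silhouette(points, labels, k)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    cases = {
        "normal": simulate([LEGIT], 150),
        "one attacker": simulate([LEGIT, ATTACKER_1], 75),
        "two attackers": simulate([LEGIT, ATTACKER_1, ATTACKER_2], 50),
    }
    for name, pts in cases.items():
        dc = centroid_distance(pts)
        if spoofing_detected(pts):
            n = estimate_transmitters(pts) - 1
            print(f"{name}: Dc={dc:.1f} dB -> spoofing, {n} attacker(s)")
        else:
            print(f"{name}: Dc={dc:.1f} dB -> no spoofing")
```

The count is only estimated after detection fires, because a silhouette score cannot distinguish one transmitter from two.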

• The proposed system uses the Inter-Domain Packet Filter (IDPF) architecture, a system
that can be constructed solely based on the locally exchanged BGP updates.
• Each node only selects and propagates to neighbors based on two sets of routing
policies: import and export routing policies.
• The IDPFs use a feasible path from the source node to the destination node, and a packet
can reach the destination through one of its upstream neighbors.
• When training data is available, we explore using the Support Vector Machines (SVM)
method to further improve the accuracy of determining the number of attackers.
• Localization results using a representative set of algorithms provide strong evidence
of high accuracy in localizing multiple adversaries.
• The Cluster Based wireless Sensor Network data received signal strength (RSS) based
spatial correlation of network Strategy.


3.2.1 Advantages of proposed system.


• GADE: a generalized attack detection model (GADE) [5] that can both detect spoofing
attacks and determine the number of adversaries using cluster analysis methods
grounded on RSS-based spatial correlations among normal devices and adversaries.
• IDOL: an integrated detection and localization system [5] that can both detect attacks
and find the positions of multiple adversaries even when the adversaries vary
their transmission power levels.
• Damage reduction under SPM defense is high.
• Client Traffic
• Compared to other methods, SPM offers more benefits.
• SPM is generic because its only goal is to filter spoofed packets.

3.3 Spoofing Attack


A spoofing attack is when a malicious party impersonates another device or user on a
network in order to launch attacks against network hosts, steal data, spread malware, or
bypass access controls. There are several different types of spoofing attacks that malicious
parties can use to accomplish this. Some of the most common methods include IP address
spoofing attacks, ARP spoofing attacks, and DNS server spoofing attacks. In the context of
network security, a spoofing attack is a situation in which one person or program successfully
masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
3.3.1 Spoofing Attack Prevention and Mitigation
There are many tools and practices that organizations can employ to reduce the threat
of spoofing attacks. The attackers in the client-server topology are shown in Figure 2.1.
Common measures that organizations can take for spoofing attack prevention include:
• Packet filtering: Packet filters inspect packets as they are transmitted across a
network. Packet filters are useful in IP address spoofing attack prevention because
they are capable of filtering out and blocking packets with conflicting source address
information (packets from outside the network that show source addresses from inside
the network and vice versa).
• Avoid trust relationships: Organizations should develop protocols that rely on trust
relationships as little as possible. It is significantly easier for attackers to run spoofing
attacks when trust relationships are in place because trust relationships only use IP
addresses for authentication.
• Use spoofing detection software: There are many programs available that help
organizations detect spoofing attacks, particularly ARP spoofing. These programs
work by inspecting and certifying data before it is transmitted and blocking data that
appears to be spoofed.
• Use cryptographic network protocols: Transport Layer Security (TLS), Secure
Shell (SSH), HTTP Secure (HTTPS), and other secure communications protocols bolster
spoofing attack prevention efforts by encrypting data before it is sent and authenticating
data as it is received.

Fig 6.1: client server topology

3.4 Wireless Spoofing:


There are well-known attack techniques known as spoofing in both wired and wireless
networks. The attacker constructs frames by filling selected fields that contain addresses or
identifiers with legitimate looking but non-existent values, or with values that belong to
others. The attacker would have collected these legitimate values through sniffing.


3.4.1 MAC Address Spoofing:


The attacker generally desires to be hidden. But the probing activity injects frames
that are observable by system administrators. The attacker fills the Sender MAC Address
field of the injected frames with a spoofed value so that his equipment is not identified.
Typical APs control access by permitting only those stations with known
MAC addresses. Either the attacker has to compromise a computer system that has a station,
or he spoofs with legitimate MAC addresses in frames that he manufactures. MAC addresses
are assigned at the time of manufacture, but setting the MAC address of a wireless card or AP
to an arbitrarily chosen value is a simple matter of invoking an appropriate software tool that
engages in a dialog with the user and accepts values. Such tools are routinely included when
a station or AP is purchased. The attacker, however, changes the MAC address
programmatically, sends several frames with that address, and repeats this with another MAC
address. In a period of a second, this can happen several thousand times.
When an AP is not filtering MAC addresses, there is no need for the attacker to use
legitimate MAC addresses. However, in certain attacks, the attacker needs a larger
number of MAC addresses than he could collect by sniffing. Random MAC addresses are
generated. However, not every random sequence of six bytes is a MAC address. The IEEE
globally assigns the first three bytes, and the manufacturer chooses the last three bytes. The
officially assigned numbers are publicly available. The attacker generates a random MAC
address by selecting an IEEE-assigned three bytes appended with an additional three random
bytes.

3.5 IP Spoofing:
Replacing the true IP address of the sender with a different address is known as IP
spoofing. This is a necessary operation in many attacks. The IP layer of the OS simply trusts
that the source address, as it appears in an IP packet, is valid. It assumes that the packet it
received indeed was sent by the host officially assigned that source address. Because the IP
layer of the OS normally adds these IP addresses to a data packet, a spoofer must circumvent
the IP layer and talk directly to the raw network device. Note that the attacker's machine
cannot simply be assigned the IP address of another host X using ifconfig or a similar
configuration tool. Other hosts, as well as X, will discover that there are two machines with
the same IP address.
IP spoofing is an integral part of many attacks. For example, an attacker can silence a
host A from sending further packets to B by sending a spoofed packet announcing a window
size of zero to A as though it originated from B.


IP spoofing can also be a method of attack used by network intruders to defeat
network security measures, such as authentication based on IP addresses. This method of
attack on a remote system can be extremely difficult, as it involves modifying thousands of
packets at a time. This type of attack is most effective where trust relationships exist between
machines. For example, it is common on some corporate networks to have internal systems
trust each other, so that users can log in without a username or password provided they are
connecting from another machine on the internal network (and so must already be logged in).
By spoofing a connection from a trusted machine, an attacker may be able to access the target
machine without authentication.
You can prevent spoofing for networks you own by rejecting addresses that come in
on the wrong interface. You can prevent spoofing by those on your network by only allowing
a source address that is in your range. A lack of routing capability for the average end user
prevents most attack scenarios by preventing two-way communication. Nothing stops one of
the "big boys" from grabbing the ability to use an IP address if they're in the announcement
path, however. Many of them can also influence that announcement path.
Since things can change so dynamically, and you can receive packets that have no
path home because of broken routing, there is no simple tell as to whether a packet is
spoofed. There are packet-spoofing detection mechanisms, although they tend to act a little
differently.
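One way to implement the two checks described above and under "Packet filtering" in 3.3.1 (reject a source that arrives on the wrong interface, and allow outbound only sources in your own range), as an added example that is not the report's code: a longest-prefix lookup finds the interface each source address belongs behind and compares it with the arrival interface. The prefixes, interface names and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed routing view of a small site (documentation prefixes; interface
# names are hypothetical). Each prefix maps to the interface it is reached through.
ROUTES = [
    ("192.0.2.0/24", "lan0"),
    ("198.51.100.0/24", "lan1"),
    ("198.51.100.128/25", "dmz0"),   # more specific than the lan1 /24
    ("2001:db8:1::/48", "lan0"),
    ("0.0.0.0/0", "wan0"),           # everything else is behind the uplink
    ("::/0", "wan0"),
]
TABLE = [(ipaddress.ip_network(prefix), iface) for prefix, iface in ROUTES]


def expected_interface(ip):
    """Longest-prefix match: the interface a reply to `ip` would leave through."""
    matches = [(net, iface) for net, iface in TABLE
               if net.version == ip.version and ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def check_source(arrival_iface, src):
    """Return (verdict, reason) for a packet's claimed source address."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "malformed source address"
    want = expected_interface(ip)
    if want is None:
        return "drop", "no route back to source"
    if want != arrival_iface:
        return "drop", f"source belongs behind {want}, arrived on {arrival_iface}"
    return "accept", "source consistent with arrival interface"


# Constructed observations: (arrival interface, claimed source address).
SAMPLE = [
    ("wan0", "203.0.113.5"),      # outside host arriving from outside
    ("wan0", "192.0.2.10"),       # inside address arriving from outside
    ("lan0", "192.0.2.10"),       # inside host on its own segment
    ("lan0", "203.0.113.5"),      # inside host claiming an outside address
    ("lan1", "198.51.100.200"),   # DMZ address claimed from the wrong segment
    ("dmz0", "198.51.100.200"),
    ("wan0", "2001:db8:1::5"),    # IPv6 inside address arriving from outside
    ("lan0", "not-an-ip"),
]


def summarize(packets):
    """Apply the check to each observation and keep the verdict with it."""
    return [(iface, src) + check_source(iface, src) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, verdict, reason in summarize(SAMPLE):
        print(f"{iface:5} {src:18} {verdict:6} {reason}")
```

On multihomed or asymmetrically routed links a strict check like this also drops legitimate packets, which is the "no simple tell" caveat in the paragraph above.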

3.6 TCP-UDP Ports


TCP stands for Transmission Control Protocol. Using this method, the computer
sending the data connects directly to the computer it is sending the data to, and stays
connected for the duration of the transfer. With this method, the two computers can guarantee
that the data has arrived safely and correctly, and then they close the connection.
This method of transferring data tends to be quicker and more reliable, but puts a
higher load on the computer as it has to monitor the connection and the data going across it.
A real life comparison to this method would be to pick up the phone and call a friend. You
have a conversation and when it is over, you both hang up, releasing the connection.
UDP stands for User Datagram Protocol. Using this method, the computer sending the
data packages the information into a nice little package and releases it into the network with
the hopes that it will get to the right place. What this means is that UDP does not connect
directly to the receiving computer like TCP does, but rather sends the data out and relies on
the devices in between the sending computer and the receiving computer to get the data
where it is supposed to go properly.
This method of transmission does not provide any guarantee that the data you send
will ever reach its destination. On the other hand, this method of transmission has a very low
overhead and is therefore very popular to use for services that are not that important to work
on the first try.
A comparison you can use for this method is the plain old US Postal Service. You
place your mail in the mailbox and hope the Postal Service will get it to the proper location.
Most of the time they do, but sometimes it gets lost along the way.
Now that you understand what TCP and UDP are, we can start discussing TCP and
UDP ports in detail. Let's move on to the next section where we can describe the concept of
ports better.
As you know every computer or device on the Internet must have a unique number
assigned to it called the IP address. This IP address is used to recognize your particular
computer out of the millions of other computers connected to the Internet. When information
is sent over the Internet to your computer how does your computer accept that information? It
accepts that information by using TCP or UDP ports.
An easy way to understand ports is to imagine your IP address is a cable box and the
ports are the different channels on that cable box. The cable company knows how to send
cable to your cable box based upon a unique serial number associated with that box (IP
Address), and then you receive the individual shows on different channels (Ports).
Ports work the same way, as shown in Figure 2.2. You have an IP address,
and then many ports on that IP address. When I say many, I mean many. You can have a total
of 65,535 TCP ports and another 65,535 UDP ports.
If it uses the TCP protocol to send and receive the data then it will connect and bind
itself to a TCP port. If it uses the UDP protocol to send and receive data, it will use a UDP
port. Figure 1, below, is a representation of an IP address split into its many TCP and UDP
ports.
0 1 2 3 4 5 ... 65531 65532 65533 65534 65535

Fig 3.6: IP address with Ports


This all probably still feels confusing to you, and there is nothing wrong with that,
as this is a complicated concept to grasp. Therefore, I will give you an example of how
this works in real life so you can have a better understanding. We will use web servers in
our example as you all know that a web server is a computer running an application that
allows other computers to connect to it and retrieve the web pages stored there.
In order for a web server to accept connections from remote computers, such as
yourself, it must bind the web server application to a local port. It will then use this port
to listen for and accept connections from remote computers. Web servers typically bind to
the TCP port 80, which is what the HTTP protocol uses by default, and then will wait and
listen for connections from remote devices. Once a device is connected, it will send the
requested web pages to the remote device, and when done disconnect the connection.
On the other hand, if you are the remote user connecting to a web server it would
work in reverse. Your web browser would pick a random TCP port from a certain range
of port numbers, and attempt to connect to port 80 on the IP address of the web server.
When the connection is established, the web browser will send the request for a particular
web page and receive it from the web server.
Then both computers will close the connection. Now, what if you wanted to
run an FTP server, which is a server that allows you to transfer and receive files from
remote computers, on the same web server? FTP servers use TCP ports 20 and 21 to send
and receive information, so you won't have any conflicts with the web server running on
TCP port 80.


CHAPTER 4
SYSTEM REQUIREMENT AND SPECIFICATION
4.1 Functional Requirements:
The Functional Requirements Specification documents the operations and activities
that a system must be able to perform. A functional requirement defines a function of a
software system or its component. A function is described as a set of inputs, the behavior, and
outputs. Functional requirements may be calculations, technical details, data manipulation
and processing and other specific functionality that define what a system is supposed to
accomplish. Behavioral requirements describing all the cases where the system uses the
functional requirements are captured in use cases.
As defined in requirements engineering, functional requirements specify particular
results of a system. This should be contrasted with non-functional requirements which
specify overall characteristics such as cost and reliability. Functional requirements drive the
application architecture of a system, while non-functional requirements drive the technical
architecture of a system.
Functional requirements of the system are:
• Wireless Network
• Spoofing attack
• Determine the attack
• Calculating number of adversary

4.2 Non-functional requirement:


In systems engineering and requirements engineering, a non-functional requirement is a
requirement that specifies criteria that can be used to judge the operation of a system, rather
than specific behaviors. This should be contrasted with functional requirements that define
specific behavior or functions. The plan for implementing functional requirements is detailed
in the system design. The plan for implementing non-functional requirements is detailed in
the system architecture.
Non-functional requirements are often called qualities of a system. Other terms for
non-functional requirements are "constraints", "quality attributes", "quality goals", "quality of
service requirements" and "non-behavioral requirements". Informally these are sometimes
called the "ilities", from attributes like stability and portability. Qualities, that is,
non-functional requirements, can be divided into two main categories:
• Execution qualities, such as security and usability, which are observable at run time.
• Evolution qualities, such as testability, maintainability, extensibility and scalability,
which are embodied in the static structure of the software system.
Nonfunctional requirements of the system are:
• More reliable than cryptography.
• Securing the wireless network.

4.3 System Requirements:


Requirements analysis is critical to the success of the system or the software project.
The requirements should be documented, actionable, measurable, testable, traceable and
defined to a level of detail sufficient for system design.

Hardware Requirements (minimum):


CPU – Pentium IV 2.4 GHz.
RAM – 512 GB or above.
Hard-Disk – 40 GB or above.

Software Requirements (minimum):


Operating System – Microsoft Windows XP or latest.
Front End – Visual Studio 2010.
Database – SQL Server 2008.
Language – Windows Forms with C#.


4.4. .NET is a Framework.


First and foremost, .NET is a framework that covers all the layers of software
development from the operating system up. It provides the richest level of integration among
presentation technologies, component technologies, and data technologies ever seen on a
Microsoft platform. Secondly, the entire architecture has been created to make it as easy to
develop Internet applications as it is to develop for the desktop environment.
DOT NET actually "wraps" the operating system, insulating software developed with
.NET from most operating system specifics such as file handling and memory allocation, as
shown in Figure 3.1. This prepares for a possible future in which the software developed
for .NET is portable to a wide variety of hardware and operating system foundations. (Beta
one of Visual Studio.NET supports all versions of Windows 2000 plus Windows NT4,
Windows 9x, and Windows Millennium Edition.)

A Common Substrate for all Development
The framework starts all the way down at the memory management and component
loading level, and goes all the way up to multiple ways of rendering user and program
interfaces. In between, there are layers that provide just about any system-level capability that
a developer would need.
At the base is the Common Language Runtime, often abbreviated to CLR. This is the
heart of the .NET framework, the engine that drives key functionality. It includes, for
example, a common system of data types. These common types, plus a standard interface
convention, make cross-language inheritance possible. In addition to allocation and
management of memory, the CLR also does reference counting for objects, and handles
garbage collection.
The middle layer includes the next generation of standard system services such as
ADO.NET and XML. These services are brought under the control of the framework, making
them universally available and standardizing their usage across languages. The top layer
includes user and program interfaces. Windows Forms (often informally referred to as Win
Forms) are a new way to create standard Win32 desktop applications, based on the Windows
Foundation Classes (WFC) produced for J++. Web Forms provide a powerful, forms-based
UI for the web.


Fig 4.4: The .NET Framework Overview.


Web Services, which are perhaps the most revolutionary, provide a mechanism for
programs to communicate over the Internet using SOAP. Web Services provide an analog of
COM and DCOM for object brokering and interfacing, but based on Internet technologies so
that allowance is made for integration even with non-Microsoft platforms. Web Forms and
Web Services comprise the Internet interface portion of .NET, and are implemented through
a section of the .NET Framework referred to as ASP.NET.
All of these are available to any language that is based on the .NET platform. For
completeness, there is also a console interface that allows creation of character-based
applications.

4.5 The Common Language Runtime:


Let's start with a definition. A runtime is an environment in which programs are
executed. The Common Language Runtime is therefore the environment in which we run our
.NET applications that have been compiled to a common language, namely Microsoft
Intermediate Language (MSIL), often referred to simply as IL. Runtimes have been around
even longer than DOS, but the Common Language Runtime (CLR) is as advanced over
traditional runtimes as a light bulb is over a candle. A quick diagrammatic summary of the
major pieces of the CLR is shown in figure 8.2.

Fig 8.2: Common Language Runtime (CLR)


That small part in the middle, called Execution Support, contains most of the
capabilities normally associated with a language runtime (such as the VBRUNxxx.DLL
runtime used with Visual Basic). The rest is new, at least for Microsoft platforms.
Understanding the CLR is key to understanding the rest of .NET; hence, here is a short
introduction.
The design of the CLR is based on the following goals:
• Simpler, faster development.
• Automatic handling of "plumbing" such as memory management and process communication.
• Good tool support.
• Scalability.


4.6 Windows Application Technology:


This is especially true with Windows applications, which have historically required
sophisticated setup programs to copy the correct dynamic link libraries (DLLs) and support
files to the end user's computer and to register the applications appropriately with the
operating system. This first of a two-article series discusses the features provided by the
.NET Framework for deploying Windows applications onto the end user's machine. To this
end, it discusses the different types of deployment options the .NET Framework provides.
It also takes a look at the architecture of the Windows Installer and then goes on to
discuss the differences between XCOPY and Windows Installer. Along the way, it
demonstrates the process of packaging up Windows forms applications using the setup and
deployment project types supported by Visual Studio.NET.
4.6.1 Setup versus Deployment:
Before you can understand the processes involved in setting up and deploying
applications, you need to understand the difference between setup and deployment. A setup is
an application or process that allows you to package up your application into an easy-to-
deploy format, which then can be used to install the application on another machine.
Deployment is the process of taking the application and installing it on another machine,
usually by using a setup application.

4.7 Planning for Deployment:


At one time or another, most computer users have experienced the dark side of installing
Windows programs. For example, in the pre-.NET era, when you installed a new version of
your Windows application, the installation program copied the new version of your DLLs
into the system directory and made all the necessary Registry changes. This installation could
impact other applications running on the machine, especially if an existing application was
using the shared version of the installed component. If the installed component was backward
compatible with the previous versions, then it was fine. In many cases, however, backward
compatibility may be impossible to maintain. If you cannot maintain backward compatibility,
you often end up breaking the existing applications as a result of new installations.
One of the areas Visual Studio .NET was designed to address was the installation
shortcomings of Windows applications that relied heavily on COM components. Visual
Studio .NET can simplify the installation process because Visual Studio .NET applications
rely on .NET assemblies (which are built on a completely different programming model) for
much of their functionality. In addition, Visual Studio .NET applications compile as
assemblies, a deployment unit consisting of one or more files.


To fully understand how Visual Studio .NET simplifies the deployment process, take a
brief look at the structure of the assembly that provides for this simplification. Assemblies
contain four elements:

• MSIL (Microsoft Intermediate Language) code: Language code (C#, VB.NET, and others) is compiled into this intermediate common language that can be understood by the common language runtime (CLR).
• Metadata: Contains information about the types, methods, and other elements defined in the code.
• Manifest: Contains name and version information, a list of included files in the assembly, security information, and so on.
• Non-executable content, such as supporting files and resources.
As you can see, assemblies are so comprehensive and self-describing that Visual Studio .NET
applications don't need to be registered with the Registry. This means that Visual Studio
.NET applications can be installed by simply copying the required files to the target machine
that has the .NET Framework installed. This is called XCOPY installation. However, it is
also possible to automate the setup process by making use of the deployment projects that
Visual Studio .NET provides. The next section examines Visual Studio .NET's various
deployment options.

4.8 .NET Deployment Options:


You can deploy Windows Forms applications using either of the following two
deployment options:
• XCOPY deployment
• Deployment using Visual Studio .NET Installer
The following sections discuss both these deployment options and explain when to use each.

4.9 Using XCOPY for Deploying Applications:


The .NET framework simplifies deployment by enabling XCOPY deployment. Prior
to .NET, installing a component required copying the component to the appropriate
directories and making the appropriate Registry entries. But with XCOPY deployment, all
you have to do to install the component is copy the assembly into the bin directory of the
client application. The application will be able to start using it right away because of the
self-describing nature of the assembly. This is possible because compilers in the .NET
framework embed identifiers or metadata into compiled modules, and the CLR uses this
information to load the appropriate version of the assemblies. The identifiers contain all the
information required to load and run modules and to locate all the other modules referenced
by the assembly.
An XCOPY deployment is also called a zero-impact install because the way you
configure the Registry entries and the component does not impact the machine. This zero-
impact installation also makes it possible to uninstall a component without affecting the
system in any manner.
4.9.1 Using Visual Studio .NET Installer for Deploying Applications:
Even though XCOPY deployment is very easy to use, it does not lend itself well to all
deployment requirements. For example, if your application has more robust setup and
deployment requirements, Visual Studio .NET Installer is a better option. Because Visual
Studio .NET Installer is built on top of Windows Installer technology, it takes advantage of
Windows Installer's features.

4.9.2 Additional Visual Studio .NET Features:


In addition to the Windows Installer, the deployment projects in Visual Studio .NET
also provide the following features:
• Reading or writing of Registry keys.
• Creating directories in the Windows file system.
• A mechanism to register both COM components and .NET components (in the GAC).
• Gathering information from the users during installation.
• Setting launch conditions, such as checking the user name, computer name, current operating system, software application installed, presence of .NET CLR, and so forth.
• Running a custom setup program or script after installation.
You will take an in-depth look at all the above-mentioned features when you create
deployment projects using Visual Studio .NET in an upcoming section of this article.


4.10 The Features of C# Language:



• Simple
• Object-oriented
• Interoperability
• Type safe
Simple
• No pointers.
• Unsafe operations such as direct memory access are not allowed.
• In C# there is no use of the "::" or "->" operator.
• Since it is on .NET, it inherits the feature of automatic memory management.
• Integer values such as 0 and 1 are no longer accepted as Boolean values. Boolean values are pure true or false in C#, so the "=" operator and the "==" operator are not confused: "==" is used for comparison and "=" is used for assignment.
Object-Oriented
• C# supports data encapsulation, polymorphism, interfaces, and inheritance.
• Primitive types (int, float, double) are not objects in Java, but C# has introduced structures (structs), which enable the primitive types to become objects:
    int i = 0;
    string a = i.ToString(); // conversion or boxing
Interoperability
• C# includes native support for COM and Windows-based applications.
• Restricted use of native pointers is allowed.
• Users need not explicitly implement IUnknown and other COM interfaces; those features are built in.
• C# allows users to use pointers in unsafe code blocks to manipulate old code.
Type-safe
• In C# we cannot perform unsafe casts, such as converting to a Boolean.
• Value types are initialized to zeros and reference type objects are initialized to null by the compiler automatically.
• Arrays are zero-based indexed and are bounds checked.
• Overflow of types can be checked.

4.11 SQL Server:


The main unit of data storage is a database, which is a collection of tables with typed
columns. SQL Server supports different data types, including primary types such as integer,
Float, Decimal, Char (including character strings), varchar (variable length character strings),
binary (for unstructured blobs of data), and Text (for textual data), among others. The rounding of
floats to integers uses either Symmetric Arithmetic Rounding or Symmetric Round Down
(Fix) depending on arguments: SELECT Round(2.5,0) gives 3.
SQL Server Management Studio is a GUI tool included with SQL Server 2008 and
later for configuring, managing, and administering all components within Microsoft SQL
Server. The tool includes both script editors and graphical tools that work with objects and
features of the server. SQL Server Management Studio replaces Enterprise Manager as the
primary management interface for Microsoft SQL Server since SQL Server 2008. A version
of SQL Server Management Studio is also available for SQL Server Express Edition, for
which it is known as SQL Server Management Studio Express (SSMSE).
A central feature of SQL Server Management Studio is the Object Explorer, which
allows the user to browse, select, and act upon any of the objects within the server. It can be
used to visually observe and analyze query plans and optimize the database performance,
among others. SQL Server Management Studio can also be used to create a new database,
alter any existing database schema by adding or modifying tables and indexes, or analyze
performance. It includes the query windows, which provide a GUI-based interface to write
and execute queries.
The advantages of SQL Server 2008:
• SQL Server 2008 has reduced application downtime, increased scalability and performance, and tight yet flexible security controls.
• SQL Server 2008 makes it simpler and easier to deploy, manage, and optimize enterprise data and analytical applications.
• It enables you to monitor, manage, and tune all of the databases in an effective way.
• On failure of the primary system, applications can immediately reconnect to the database on the secondary server using Database Mirroring.
• SQL Server 2008 provides a new capability for the partitioning of tables across file groups in a database.


CHAPTER 5
SYSTEM DESIGN
The design and implementation of a system basically deals with the system's control
flow and the interaction of the system with the outside environment.

5.1 System Design


Design is a creative process; a good design is the key to an effective system. System
"design" is defined as "The process of applying various techniques and principles for the
purpose of defining a process or a system in sufficient detail to permit its physical
realization".
Various design features are followed to develop the system. The design specification
describes the features of the system, the components or elements of the system and their
appearance to end-users. In system design, high-end decisions are taken regarding the basic
system architecture, platforms and tools to be used. The system design transforms a logical
representation of what a given system is required to be into the physical specification. Design
starts with the system's requirement specification and converts it into a physical reality
during the development. Important design factors such as reliability, response time,
throughput of the system, maintainability, etc. should be taken into account.

Any design problem must be tackled in three stages:
• Understanding the problem.
• Identifying gross features of at least one possible solution.
• Describing each abstraction that is used in the solution.

5.2 Data Flow Diagram (DFD):


DFD is a means of representing a system at any level of detail with a graphic network of
symbols showing data flows, data stores, data processes, and data sources/destinations. DFD
is also defined as a diagrammatic representation of the information flow within a system,
showing:
• How information enters and leaves the system.
• What changes the information.
• Where information is stored.


5.3 Purpose of DFD:


The purpose of data flow diagrams is to provide a semantic bridge between users and
systems developers. The diagrams are:
• Graphical, eliminating thousands of words,
• Logical representations, modeling what a system does, rather than physical models showing how it does it,
• Hierarchical, showing systems at any level of detail, and
• Jargon-less, allowing user understanding and reviewing.
The goal of data flow diagram is to have a commonly understood model of a system. The
diagrams are the basis of structured system analysis. Data flow diagrams are supported by
other techniques of structured systems analysis such as data structure diagrams, data
dictionaries and procedure-representing techniques such as decision tables, decision trees,
and structured English.

5.4 Description of DFD:


Data Flow Diagrams are composed of the four basic symbols shown in figure 4.1 below.

Fig 4.1: DFD Symbols


• The External Entity symbol represents sources of data to the system or destinations of data from the system.
• The Data Flow symbol represents movement of data.
• The Data Store symbol represents data that is not moving (delayed data at rest).
• The Process symbol represents an activity that transforms or manipulates the data (combines, reorders, converts, etc.).

Any system can be represented at any level of detail by these four symbols.

5.5 Sequence diagram:


A sequence diagram is an interaction diagram that shows how processes operate with
one another and in what order. It is a construct of a Message Sequence Chart. A sequence
diagram shows object interactions arranged in time sequence. It depicts the objects and
classes involved in the scenario and the sequence of messages exchanged between the objects
needed to carry out the functionality of the scenario. Sequence diagrams are typically
associated with use case realizations in the Logical View of the system under development.
Sequence diagrams are sometimes called event diagrams or event scenarios.
A sequence diagram shows, as parallel vertical lines (lifelines), different processes or
objects that live simultaneously, and, as horizontal arrows, the messages exchanged between
them, in the order in which they occur. This allows the specification of simple runtime
scenarios in a graphical manner.

Fig 5.5: Sequence Diagram of attack detection


In figure 5.5, the client, the spoofer and the server are the entities. The client makes a
request to the server after the successful registration process. This is shown by the horizontal
line, and the statement written above the line describes the interaction between client and
server. On receiving the request, the server sets the path of the requested file for the client.
Meanwhile, the key logger is running on the client system and sends the valid user name and
password to the spoofer's account. Next, the client views the server message and responds to it
by opening the connection between server and client. The server selects the request and sends
the requested file to the client through the established channel. During this transaction, the
spoofer tries to update the node IP address to his own IP address and to receive the file through
the established channel. At the same time, however, the analysis of the RSS alerts the server.
The RSS values are sent to GADE and IDOL, which detect the spoofer, and those nodes are
blocked. The file is then sent to the client successfully through other nodes.

5.6 Use Case Diagrams:


Use case diagrams are usually referred to as behavior diagrams used to describe a set
of actions that some system or systems should or can perform in collaboration with one or
more external users of the system. Each use case should provide some observable and
valuable result to the actors or other stakeholders of the system.
Use case diagrams are in fact twofold - they are both behavior diagrams, because
they describe behavior of the system, and they are also structure diagrams - as a special case
of class diagrams where classifiers are restricted to be either actors or use cases related to
each other with associations.

Fig 5.6: Use case of client


In figure 11.6, the client is an actor and the items listed in the rectangular box are his use
cases. The use cases are the set of actions that the client can perform with the system, i.e. the
client can register to the application, log in to the application, send a request to the server,
view requested data, respond to the server and finally receive the requested file.

Fig 5.6.1: Use case of spoofer


In fig 5.6.1, the spoofer is an actor. The spoofer has the following use cases: login,
server and client connection, spoofing not possible, cluster and attacker.


Fig 5.6.2: Use case of server


In figure 5.6.2, the server is an actor. The use cases are shown on the right side of the
server. The server can log in to the application, view the requested details, view the registered
users, carry out the transaction with the client, analyse the RSS values and run GADE and IDOL
to detect the attackers.


CHAPTER 6
MODULES
The design process involves developing several models of the system at different levels
of abstraction. As the design is decomposed, errors and omissions in earlier stages are
discovered, and this feedback helps to improve the earlier design models. Here we have divided
this project into three major modules:
• Server module
• Client module
• Spoofer module

6.1 Server Module:


A server is a computer that provides data to other computers. It may serve data to
systems on a local area network (LAN) or a wide area network (WAN) over the Internet.
While server software is specific to the type of server, the hardware is not as important. In
fact, a regular desktop computer can be turned into a server by adding the appropriate
software. For example, a computer connected to a home network can be designated as a file
server, print server, or both.
Functionalities of server
• The server manages all the client registrations.
• The server maintains a log of client logins.
• The server maintains the list of all client requests.
• Each time, the server checks the record to view and fulfill the client requests.
• The server can respond to a client request only after the client-server connection has been established from the client side.
• After a successful client-server connection, the server starts to browse for the requested file in its database.
• If the requested file is found, then the server sends the file to the client through the established channel. With the help of the GADE and IDOL mechanisms, the server finds out any updates made to the nodes, and those nodes are blocked.
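
The RSS analysis that the attack-detection sequence in section 5.5 and the server functionality list above rely on can be sketched as follows. This is an added example, not code from the project: it assumes the check groups the RSS vectors seen for one client identity into two clusters and compares the distance between the two medoids with a threshold. The three monitoring nodes, the threshold, the enrolled profile and all sample readings are constructed.

```python
import math
from itertools import combinations

# Constructed sample data. Each tuple is one frame claiming the same client
# identity, given as the RSS in dBm seen by three monitoring nodes (landmarks).
GENUINE_ONLY = [
    (-52.0, -67.5, -71.0), (-53.1, -66.8, -70.2), (-51.4, -68.0, -72.1),
    (-52.6, -67.1, -70.8), (-53.4, -66.2, -71.5), (-51.9, -67.9, -70.4),
]
# Same identity, but four frames now come from a second physical location.
WITH_SPOOFER = GENUINE_ONLY + [
    (-74.2, -49.0, -60.3), (-73.5, -50.1, -61.0),
    (-75.0, -48.6, -59.7), (-73.9, -49.5, -60.8),
]
ENROLLED = (-52.5, -67.0, -71.0)  # assumed RSS profile recorded at registration
THRESHOLD_DB = 8.0                # assumed; calibrate on attack-free traffic


def two_medoids(readings):
    """Exact 2-medoid partition: choose the pair of readings that minimises
    the summed distance of every reading to its nearest medoid.
    Exhaustive search is cubic in len(readings), so use short windows."""
    best_cost, best_pair = math.inf, None
    for i, j in combinations(range(len(readings)), 2):
        cost = sum(min(math.dist(r, readings[i]), math.dist(r, readings[j]))
                   for r in readings)
        if cost < best_cost:
            best_cost, best_pair = cost, (readings[i], readings[j])
    return best_pair


def detect_spoofing(readings, enrolled=ENROLLED, threshold_db=THRESHOLD_DB):
    """Flag an identity whose RSS readings split into two distant clusters.

    Returns a dict with the verdict, the distance between the two medoids
    (the test statistic) and the indexes of the frames to block."""
    if len(readings) < 2:
        # Nothing to compare against: one frame cannot form two clusters.
        return {"spoofing": False, "medoid_distance": 0.0, "suspect_frames": []}
    m1, m2 = two_medoids(readings)
    d_m = math.dist(m1, m2)
    if d_m <= threshold_db:
        # One tight cluster: all frames are consistent with a single location.
        return {"spoofing": False, "medoid_distance": d_m, "suspect_frames": []}
    # Two well-separated clusters mean two transmitters share one identity.
    # The cluster farther from the enrolled profile is treated as the spoofer.
    if math.dist(m1, enrolled) >= math.dist(m2, enrolled):
        suspect, genuine = m1, m2
    else:
        suspect, genuine = m2, m1
    suspects = [k for k, r in enumerate(readings)
                if math.dist(r, suspect) < math.dist(r, genuine)]
    return {"spoofing": True, "medoid_distance": d_m, "suspect_frames": suspects}


if __name__ == "__main__":
    for name, data in (("genuine only", GENUINE_ONLY),
                       ("with spoofer", WITH_SPOOFER)):
        verdict = detect_spoofing(data)
        print(f"{name}: spoofing={verdict['spoofing']} "
              f"Dm={verdict['medoid_distance']:.1f} dB "
              f"block={verdict['suspect_frames']}")
```

A changed IP address in a node record does not move the transmitter, which is why the check keys on where the signal physically comes from rather than on the claimed address.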

6.2 Server Login


The system administrator is a person who maintains the server. Each time, he or she
logs in to the server by providing a valid user name and password, as shown in figure 11.2.
After logging in, the administrator can view the requests and provide the requested services
to the client.


Fig 6.1.2: Dataflow diagram of Server

6.3 Server client connection


This form opens once the server views and starts to fulfill the requests of the client. The
destination IP address field is automatically filled with the client IP address. The server can
fulfill the client request only after the client-server connection has been established from the
client side. Once the connection is established, the server is provided with a browsing option to
browse for the requested file and send it to the client by clicking the transfer button.
6.3.1 Client Module:
Functionalities of client
• The client can send a request to the server.
• The client can view the requested data.
• The client can view the response message sent by the server.
• The client can also view and download the files sent by the server.
The Client Receiver form plays an important role in the client module. Here the client needs to
connect with the server. Once connected, the client needs to set the path to receive a file (if the
server is not connected to the client, the client stays in a waiting state). After setting the path,
the client waits to receive the file. Once the server has successfully sent a file to the client
through the port, the client automatically receives the file at the selected path and gets the
notification message "Successfully file has been received". This process is shown in figure 61.2.
6.3.2 Client Signup
The client registers with the application by providing the above details. If all the
information provided by the client is valid, then he/she is registered successfully. The
client is now considered a valid user. The system name and IP address need to be entered by
the client.
6.3.3 Client Login
After the successful registration process, the client logs in to the application by
entering a valid user name and password as shown in the above figure. Now the client can use
the application to get the service from the server. If the user name and password are not valid,
then the client cannot log in to the application and get the service from the server. If all the
information provided by him is proper, then he is considered a valid user by the server.

6.3.4 Client Request


The client has the following options in the Request form as shown above.
6.3.5 File Receiver
By clicking this button, the client gets another form to connect to the server.
6.3.6 Send Request
By clicking this button, the client gets the request form. There the client requests
the services from the server.


6.3.7 View Details


By clicking this button, the client can view the log that maintains the details of all the
received and requested files and the server response messages.

6.4 Spoofer Module:


In this module, the spoofer learns the user name and password of a valid user by using a
key logger mechanism (a computer program that records every keystroke made by a
computer user, especially in order to gain fraudulent access to passwords and other
confidential information). The key logger application runs in the background, unknown
to the client. When the user enters the user name and password in the login form, the spoofer
captures the login credentials from the keystrokes, and the credentials are then automatically
sent to the spoofer by mail. With these, the spoofer logs in to the application and the server
blindly considers him a valid user. Once the communication channel has been established
between client and server, the RSS-based cluster nodes are activated. The spoofer then
updates the nodes of the cluster to the spoofer's IP address in order to receive the file requested
by the client, and also tries to append text to that file so that the client receives a modified
file. The entire module is shown in figure 4.4.


6.4.1 Spoofer Login


The spoofer logs in to the application by providing the user name and password of another
client, which the spoofer obtained illegally by using key logger software. After logging in, the
spoofer tries to get or modify the file requested by the client.
6.4.2 Spoofing attack
The spoofer tries to get or modify the file that is to be sent by the server to the client.
The spoofer tries to get the file by replacing the receiver IP address with his/her IP address in
the transmitting node of the cluster. The spoofer can append text to the file by typing the text
in the append text region.

Fig 6.4.1: Dataflow diagram of Spoofer


CHAPTER 7
Testing and Analysis
Importance of Testing:
Testing is the measurement of software quality and hence one of the most important stages
in software development. It involves executing an implementation of the software and its
operational behavior to check that it is performing as required. One of the main goals of
testing is to have a minimum number of test cases that will find a majority of the
implementation errors.
Some important types of testing are as follows:
• UNIT TESTING
• INTEGRATED TESTING
• SYSTEM TESTING
• BLACK BOX TESTING
• WHITE BOX TESTING
7.1 Unit Testing:
In unit testing, the application developer tests the system. The whole application is made
up of different modules. Unit testing focuses on each sub-module independently of the others
to locate errors. This enables the programmer to detect errors. While testing a module, the
concepts of trace and breakpoints are applied at different stages of testing. In the unit testing
of this project, each and every module was tested with certain test data to
ensure that the program works accurately. The unit testing was carried out successfully.
7.2 Integrated Testing:
Integrated testing tests the system as a whole, that is, when all
the modules and their sub-modules are integrated. This testing is done to ensure that all the
modules, which work correctly when independent, work without any discrepancies when
integrated. System testing ensures that the related modules work together to achieve the main
objective of the application.
The project was tested with all its modules integrated and ensured that there were no
errors. Samples of data were keyed into the application. It has been seen that the application is
working perfectly, to the satisfaction of the user.


7.3 System Testing:


System testing can be defined in many ways, but a simple definition is that the
validation succeeds when the system functions in a manner that is reasonably expected by the
user. Validation testing provides the final assurance that the system meets all the functional,
behavioral and performance requirements.
The project was tested with all its modules and ensured that there were no errors. It
has been seen that the system is working perfectly, to the satisfaction of the user, meeting all
the requirements of the user.
7.4 Black Box Testing:
Black box testing is an approach to testing where the tests are derived from the
program or component specification. The system is a "black box" whose behavior can only
be determined by studying its inputs and the related outputs, as shown in figure 7.4.1. Black
box testing is only concerned with the functionality and not the implementation of the
software. Black box testing attempts to derive sets of inputs that will fully exercise all the
functional requirements of a system.

This type of testing attempts to find errors in the following categories:
• Incorrect or missing functions.
• Errors in data structures or external database access.
• Interface and performance errors.

Fig 7.4.1: Black-box testing


7.5 White Box Testing:


White box testing uses an internal perspective of the system to design test cases based
on internal structure. It requires programming skills to identify all paths through the software.
The tester chooses test case inputs to exercise paths through the code and determines the
appropriate outputs, as shown in figure 12.5. In electrical hardware testing, every
node in a circuit may be probed and measured. Since the tests are based on the actual
implementation, if the implementation changes, the tests probably will need to change, too.

White box testing is an approach to testing where the tests are derived from
knowledge of the software structure and implementation. This testing technique is basically
applied to relatively small program units such as subroutines or operations associated with an
object. The tester can analyze the code and use the knowledge of a component to derive test
data. The analysis of the code can be used to find out how many test cases are needed to
guarantee larger test coverage; that is, all of the statements in the program or component
must be executed at least once during the testing process.

Fig 7.5: White-box testing


7.6 Test Case:

A test case is a set of test inputs, executions, and expected results developed
for a particular objective. An excellent test case satisfies the following criteria:

• Reasonable probability of catching an error
• Does interesting things
• Doesn't do unnecessary things
• Neither too simple nor too complex
• Not redundant with other tests
• Allows isolation and identification of errors

7.7 Testing Phases:

The software testing process has two important phases, namely Component Testing
and Integration Testing.

Component Testing
This refers to the testing of individual components. Each component is tested independently
to ensure that it functions correctly.

Integration Testing
The tested components are integrated into subsystems or a complete system. The
testing focuses on the functionality of the interfaces between the components and on the
performance of the system as a whole. Component testing is normally performed by the
programmers, whereas integration testing is carried out by a team of software testers.


CHAPTER 8
Test Cases, Suites, Scripts and Scenarios:
A test case is a software testing document which consists of an event, action, input, output,
expected result and actual result. Clinically defined (IEEE 829-1998), a test case is an input
and an expected result. This can be as pragmatic as 'for condition x your derived result is y',
whereas other test cases describe in more detail the input scenario and what results
might be expected. It can occasionally be a series of steps (but often steps are contained in a
separate test procedure that can be exercised against multiple test cases, as a matter of
economy) but with one expected result or expected outcome.
The optional fields are the test case ID, test step or order of execution number, related
requirement(s), depth, test category, author, and check boxes for whether the test is
automatable and has been automated. Larger test cases may also contain prerequisite states
or steps, and descriptions. A test case should also contain a place for the actual result. These
steps can be stored in a word processor document, spreadsheet, database or other common
repository. In a database system, you may also be able to see past test results, who
generated the results and the system configuration used to generate those results. These past
results would usually be stored in a separate table.
A test script is the combination of a test case, test procedure and test data.
Initially the term was derived from the byproduct of work created by automated regression
test tools. Today, test scripts can be manual, automated or a combination of both.
The most common term for a collection of test cases is a test suite. The test suite
often also contains more detailed instructions or goals for each collection of test cases. It
definitely contains a section where the tester identifies the system configuration used during
testing.
A group of test cases may also contain prerequisite states or steps, and descriptions
of the following tests. Collections of test cases are sometimes incorrectly termed a test plan.
They might correctly be called a test specification. If a sequence is specified, it can be a test
script, scenario or procedure.

8.1 Unit Testing:


In computer programming, unit testing is a software verification and validation
method in which a programmer tests if individual units of source code are fit for use. A unit
is the smallest testable part of an application. In procedural programming a unit may be an
individual function or procedure.

8.2 Integration Testing:


Integration testing is the phase in software testing in which individual software
modules are combined and tested as a group. It occurs after unit testing and before system
testing.
Integration testing takes as its input modules that have been unit tested, groups them in larger
aggregates, applies tests defined in an integration test plan to those aggregates, and delivers
as its output the integrated system ready for system testing.

8.3 System Testing:


System testing of software or hardware is testing conducted on a complete, integrated
system to evaluate the system's compliance with its specified requirements. System testing
falls within the scope of black box testing, and as such, should require no knowledge of the
inner design of the code or logic.
As a rule, system testing takes, as its input, all of the "integrated" software
components that have successfully passed integration testing and also the software system
itself integrated with any applicable hardware system(s). The purpose of integration testing is
to detect any inconsistencies between the software units that are integrated together (called
assemblages) or between any of the assemblages and the hardware. System testing is a more
limiting type of testing; it seeks to detect defects both within the "inter-assemblages" and also
within the system as a whole.

8.4 User Acceptance Testing:


User acceptance of a system is the key factor for its success. The system
under consideration was tested for user acceptance by keeping in constant touch with the
prospective users of the system at the time of design and development, and making changes
whenever required. This was done with regard to the following:
• Input screen design
• Output design
• Menu driven
• Formats for reports


CHAPTER 9
Snapshots

Snapshot 1: Client’s home page

Snapshot 2: Client’s login with signup window

Snapshot 3: Spoofer’s login window

Snapshot 4: Spoofer’s home page

Snapshot 5: Server’s login window

Snapshot 6: Client sending request message

Snapshot 7: Spoofer attacking cluster 1

Snapshot 8: File receiving window

Conclusion
In this system an approach is used to detect the presence of attacks as well as determine the
number of adversaries spoofing the same node identity, so that we can localize any number
of attackers and eliminate them. Determining the number of adversaries is a particularly
challenging problem. To validate our approach, we conducted experiments and found that our
detection mechanisms are highly effective both in detecting the presence of attacks, with
detection rates over 98 percent, and in determining the number of adversaries, achieving over 90
percent hit rates and precision simultaneously. Further, based on the number of attackers
determined by our mechanisms, our integrated detection and localization system can localize
any number of adversaries even when attackers use different transmission power levels.
The performance of localizing adversaries achieves results similar to those under normal
conditions, thereby providing strong evidence of the effectiveness of our approach in
detecting wireless spoofing attacks, determining the number of attackers and localizing
adversaries.


Future Scope and Enhancements

This project can be enhanced:

• To deploy for 'n' number of clusters
• To serve multiple clients at a time by creating multiple channels
• To detect any kind of attack, whether active or passive
• To find the exact geographical location of the attackers


List of Publications

• Chandrakant M. Jadhav and Sharad S. Shinde, Detection and Localization of
Spoofing in Wireless and Sensor Networks, International Journal of Computer
Science and Information Technologies, Vol. 5(6), 2014, 7545-7552.
• Sharad S. Shinde and Chandrakant M. Jadhav, Research on Wireless Network
Security Awareness of Average Users, IJARCCE, Vol. 5, Issue 03, May 2017.


REFERENCES
[1] A. Agah, S. K. Das, K. Basu, and M. Asadi. A non-cooperative game approach for
intrusion detection in sensor networks. In Third IEEE In- ternational Symposium on Network
Computing and Applications, pages 343{346, 2004.

[2] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci. A survey on sensor


networks. In IEEE Communication Magazine 40 (8)., 2002.

[3] F. Anjum, D. Subhadrabandhu, and S. Sarkar. Signature based intru- sion detection for
wireless ad-hoc networks: A comparative study of various routing protocols. In Vehicular
Technology Conference, Wire- less Security Symposium, Orlando, Florida, 2003.

[4] M. Bishop. Computer Security: Art and Science. Addison Wesley, Pearson Education,
Inc., Boston, 2004.

[5] P. Brutch and C. Ko. Challenges in intrusion detection for wireless ad- hoc networks. In
SAINT: Symposium on Applications and the Internet, pages 368{373, 2003.

[6] A. P. R. da Silva, M. H. T. Martins, B. P. S. Rocha, A. A. F. Loureiro, L. B. Ruiz, and H.


C. Wong. Decentralized intrusion detection in wire-less sensor networks. Proceedings of the
1st ACM international work- shop on Quality of service & security in wireless and mobile
networks, pages 16{23, 2005.

[7] J. R. Douceur. The sybil attack. In International Workshop on Peer-to-Peer Systems,


pages 251{260, 2002.

[8] S. S. Doumit and D. P. Agrawal. Self-organized criticality and stochastic


learning based intrusion detection system for wireless sensor networks.
In MILCOM: IEEE Military Communications Conference, pages 609614, 2003.

[9] W. Du, L. Fang, and P. Ning. Lad: Localization anomaly detection for wireless sensor
networks. In IPDPS: 19th IEEE International Parallel and Distributed Processing
Symposium, 2005.

Dept of CSE, BIGCE, Solapur Page 63


Detection and Localization of Spoofing Attackers in Wireless Networks 2017-18

[10] F. Hu and N. K. Sharma. Security considerations in ad hoc sensor networks. Ad Hoc


Networks, 3(1):69{89, 2005.

[11] Y. Huang and W. Lee. A cooperative intrusion detection system for ad hoc networks. In
SASN: Proceedings of the 1st ACM workshop on Security of ad hoc and sensor networks,
pages 135{147, 2003.

[12] IEEE. Standard for part 15.4: Wireless MAC and PHY speci¯cationsfor low rate WPAN.
IEEE Std 802.15.4, IEEE, New York, NY, Oct. 2003.

[13] O. Kachirski and R. K. Guha. E®ective intrusion detection using multi-ple sensors in
wireless ad hoc networks. In Proceedings of the 36th An-nual Hawaii International
Conference on System Sciences, pages 57{65,2003.

[14] C. Karlof and D. Wagner. Secure routing in wireless sensor networks: Attacks and
countermeasures. In First IEEE International Workshop on Sensor Network Protocols and
Applications, pages 113{127, May 2003.

[15] C. Kruegel. Applying mobile agent technology to intrusion detection.In Distributed


Systems Group, Technical University of Vienna, 2002.

[16] J. Mirkovic, S. Dietrich, D. Dittrich, and P. Reiher. Internet Denial ofService: Attack and
Defense Mechanisms. Prentice Hall, 2005.

[17] A. Mishra, K. Nadkarni, and A. Patcha. Intrusion Detection in Wireless Ad Hoc


Networks. IEEE Wireless Communications, Vol. 11, No. 1, pp. 48{60, February 2004.

Dept of CSE, BIGCE, Solapur Page 64

You might also like