
A protocol framework for attacker traceback in wireless multi-hop networks

Posted on: 2007-06-18
Degree: Ph.D
Type: Dissertation
University: University of Southern California
Candidate: Kim, Yongjin
Full Text: PDF
GTID: 1448390005465874
Subject: Computer Science
Abstract/Summary:
Denial-of-Service (DoS) and Distributed DoS (DDoS) attacks can cause serious problems in wireless networks because of their limited network and host resources. Attacker traceback is a promising solution: it allows a proper countermeasure to be taken near the attack origin, supports forensics, and discourages attackers from launching attacks. However, attacker traceback in wireless multi-hop networks is a challenging problem, and existing IP traceback schemes developed for the Internet cannot be directly applied because of the peculiar characteristics of wireless multi-hop networks, i.e., dynamic network topology, limited network resources, and mobility. We introduce a protocol framework for attacker traceback that is geared towards wireless multi-hop networks and is robust against address spoofing, node compromise, and node mobility. The basic building blocks of our protocol framework are abnormality characterization, abnormality searching, and abnormality matching. Abnormality characterization is further divided into network-layer abnormality monitoring, MAC-layer abnormality monitoring, and hybrid abnormality monitoring. For efficient abnormality searching, we propose directional searching based on the small-world model. We use the correlation coefficient, the least-squares method, and the K-S fitness test for abnormality matching. In addition, our protocol framework includes a spatio-temporal fusion architecture to detect mobile attacks. Traceback of mobile attacks is a challenging problem that we identified and solved in this dissertation. In mobile wireless multi-hop networks, it is important to detect and track down mobile attackers to prevent false traceback results and to find the current location of the attacker. This is especially challenging in the context of mobile DDoS attacks. Lastly, we analyze how the mobility model affects traceback performance. We find that traceback performance varies drastically depending on the mobility model.
We show that our hybrid protocol successfully tracks down attackers under diverse network environments (e.g., high background traffic, DDoS attack, and partial node compromise) with low communication, computation, and memory overhead.
Keywords/Search Tags: Attack, Wireless multi-hop networks, Protocol framework, DDoS, Abnormality