Relationship -based Detection of Spoofing -related Anomalous Traffic in Ad Hoc Networks

Spoofing is a serious threat for both ad hoc and sensor networks, that can cause adverse effects on a network´s operations. Although cryptographic authentication can assure the identity of a transmitter, authentication is not always desirable or possible as it requires key management and more extensive computations. In this paper we argue that it is desirable to have a functionality complementary to traditional authentication that can detect device spoofing with no dependency on cryptographic material. Towards this objective, we propose using forge-resistant relationships associated with transmitted packets to detect anomalous activity. Our strategy is generic, operates in a 1-hop neighborhood, and thus can locally provide protection in order to defend ad hoc or sensor networks from anomalous intrusions. As two specific constructions, we explore the use of monotonic relationships in the sequence number fields, and the enforcement of statistical characteristics of legitimate traffic. We then provide an example of how these relationships can be used to construct a classifier that provides a multi-level threat assessment. We validate the usefulness of these methods for anomalous traffic scenarios involving multiple sources sharing the same MAC address through experiments conducted on the ORBIT wireless testbed