The document presents a taxonomy for classifying wireless network attacks. It proposes an 8 category taxonomy covering: (1) the stage of the attack, (2) effects on power consumption, (3) the OSI layer targeted, (4) security attributes utilized, (5) vulnerabilities exploited, (6) effects of the attacks, (7) precautions for each attack, and (8) the network type. The taxonomy aims to provide a simple classification system for end users to understand wireless network security requirements and emerging threats. It analyzes common wireless attacks and categorizes them according to the proposed taxonomy.
Abstract:
Even if networks have evolved from wired to wireless, network security objectives remain the same for both. Previous taxonomies classify attacks according to categories or dimensions that apply to both wired and wireless networks, but these categories cannot be applied specifically to wireless network attacks. Some aspects that are particularly important for wireless networks, for example power consumption and the stage at which an attack occurs, are not covered in previous work. This research focuses on the classification of wireless network attacks, providing a taxonomy that covers both general and specific aspects of wireless networks. This will help end users combat emerging wireless attacks and improve wireless network security. The proposed taxonomy consists of eight categories for classifying attacks. The first category classifies attacks according to the stage at which they occur. The second category covers the effects of an attack on power consumption, a concern that is more inherent in wireless networks. The third category classifies attacks according to the layers of the OSI model. The fourth category explains the security attribute utilized by each attack. The fifth category classifies attacks according to the vulnerabilities they exploit. Effects of attacks are classified in the sixth category. The seventh category is about precautions for each attack. In the last category, attacks are classified according to network type. The taxonomy is very beneficial for end users with little knowledge about wireless networks and their security measures.
Acknowledgements:
We would like to express our deep and sincere gratitude to our honourable supervisors Sir Azhar Mushtaq and Sir Ahmad Fareed, our advisors, for their support and advisory work during the course of this project. They inspired us greatly to work on this project, and their willingness to motivate us contributed tremendously to it.
Also, we would like to credit the CS & I.T. department for providing us with resources, for which we are very grateful. Lastly, we would like to thank our families and friends for all their love and encouragement, and our parents, who raised us with love and supported us in all our pursuits.
Contents:
1 Introduction
2 Computer and network attacks
2.1 What is a computer and network attack?
2.2 Wired and wireless attacks
2.2.1 Attack Method
2.2.2 Viruses
2.2.2.1 Types of Viruses
2.2.2.2 Macroviruses
2.2.3 Worm
2.2.3.1 Mass Mailing Worm
2.2.3.2 Network-Aware Worms
2.2.4 Trojan
2.2.5 Replay Attacks
2.2.6 War Driving
2.2.7 Rogue Access Point
2.2.8 Denial of service attacks
2.2.8.1 Host Based
2.2.8.2 Network Based
2.2.8.3 Distributed
2.2.9 Power Consumption Attacks
2.2.9.1 Sleep Deprivation Attacks
2.2.9.2 Barrage Attack
2.2.10 Man In The Middle Attack
2.2.11 Forced Deauthentication/Deassociation Request
2.2.11.1 Deauthentication Attack
2.2.11.2 Deassociation Attack
2.2.12 Wormhole Attacks
2.2.13 Spoofing
2.2.14 Physical Attacks
3 Related Work
3.1 Requirements of taxonomy
3.2 Previous taxonomies
3.2.1 Landwehr's Taxonomy
3.2.2 Howard's Taxonomy
3.2.3 Lough's Taxonomy
3.2.4 Hansman Taxonomy
3.3 Critical Review
4 Taxonomy
4.1 The Proposed Taxonomy
4.2 Classification
4.2.1 Stage
4.2.1.1 Discovery
4.2.1.2 Authentication
4.2.1.3 Association
4.2.2 Power Consumption
4.2.3 Layers
4.2.3.1 Physical Layer
4.2.3.2 Data Link Layer
4.2.3.3 Network Layer
4.2.3.4 Transport Layer
4.2.3.5 Application Layer
4.2.3.6 Multi-Layer
4.2.4 Attributes Utilized
4.2.4.1 Integrity
4.2.4.2 Confidentiality
4.2.4.3 Access Control
4.2.4.4 Availability
4.2.5 Flaw Utilization
4.2.5.1 Design Flaws
4.2.5.2 Implementation Flaws
4.2.5.3 Configuration Flaws
4.2.5.4 Exposed Medium
4.2.6 Effects
4.2.6.1 Disclosure of information
4.2.6.2 Theft of resources
4.2.6.3 Denial of service
4.2.6.4 Corruption of information
4.2.7 Precautions
4.2.8 Network Type
4.2.8.1 Adhoc Network
4.2.8.2 Infrastructure Network
5 Evaluation Of Proposed Taxonomy
5.1 Wireless Attacks Categorization
5.2 Table
6 Conclusion
7 References
Chapter 1
Introduction
The field of wireless networks has witnessed tremendous growth in recent years and has become one of the fastest growing segments of the telecommunication industry. Wireless communication systems have found widespread use and have become an essential tool for many people in everyday life. The popularity of wireless networks is so great that we will soon reach the point where the number of worldwide wireless subscribers is higher than the number of wireline subscribers. This popularity of wireless communication is due to its advantages compared to wired systems. The most important of these advantages is the freedom from cables, which enables communication with anyone, anywhere and at any time. However, wireless network security is still a major issue in the deployment of wireless networks.
This paper focuses on the security of wireless networks. Apart from their extensive use, wireless networks are much more vulnerable to attacks than wired networks. An attack is an attempt on a computer or network that damages, discloses information, subverts, or denies or steals services. When it comes to wireless networks, there is no physical security in the wired sense, because wireless networks use radio waves, which have the ability to penetrate physical barriers while carrying data.
A taxonomy is a method of classifying attacks. In this paper, wireless attacks have been classified according to categories. The classification is done to provide simplicity of language so that an end user can understand the security requirements of his wireless network.
Chapter 2 covers attacks on both wired and wireless networks in order to provide the user with comprehensive knowledge of attacks. Chapter 3 describes the requirements of a taxonomy and previous work on taxonomies. Previous security taxonomies are critically reviewed so as to point out their advantages and disadvantages. In chapter 4, the need for the proposed taxonomy is discussed along with its features. In chapter 5, the proposed taxonomy is evaluated in detail.
Chapter 2
Computer And Network Attacks
2.1 What is a computer and network attack?
It is necessary to know about computer and network attacks in order to combat them. A computer attack is an attack on a computer that results in degraded performance of the computer system, disruption of data or theft of information. A network attack is mostly an attack on a computer in a network that may destroy some part of the network or the whole network. For example, a worm is a network attack that propagates across the network. Some network attacks do not attack a single computer in a network but rather the whole network.
2.2 Wired And Wireless Attacks
Wired networks use a physical medium for the transmission of data, while in wireless networks there is no physical medium. Instead of wires and cables, electromagnetic radiation such as radio waves is used to transmit data from one end of the wireless network to the other. Because of the openness of the medium, wireless networks are more susceptible to attacks than wired networks.
2.2.1 Attack Methodology
There are several distinct stages that make up an attack on a computer or network. In general there are four main stages:
1. Attacker Motivation and Objectives
2. Information Gathering/Target Selection
3. Attack Selection
4. Attack Execution
Howard has a detailed taxonomy built on attack processes, similar to the above stages.
An attacker may have many different reasons for launching an attack. Some attackers may simply want to test their skills, others may want to prove a point. Each attacker has his own motivation for launching an attack. Before launching the attack, the attacker must select a target and gather information. These two activities take place either concurrently or consecutively, depending on what the attacker wishes to achieve. Information gathering involves extracting useful information from the target network or host, while target selection is the choosing of a target. During these stages, the attacker will usually use tools such as packet sniffers and port scanners to gather information on potential targets. Once the attacker has a target and some information on the potential weaknesses of the target, they can select an appropriate attack. The final stage is the execution of the attack, in which the attacker proceeds to launch the attack against the target[19].
2.2.2 Viruses
A virus is a piece of software that can infect other programs by modifying them: viruses attach themselves to a program and propagate copies of themselves to other programs[31]. Once a virus is executing, it can perform any function, such as erasing files and programs. Usually viruses attach themselves to a file and run when the file is opened. There are several main types of viruses, which are described below[22].
2.2.2.1 Types of Viruses
The following categories are the most significant types of viruses.
Parasitic Virus: It attaches itself to an executable file and copies itself to other executable files when the infected program is executed.
Memory-resident Virus: It resides in main memory (random access memory) and infects every program that executes.
Boot Sector Virus: It installs itself into the master boot record on the hard disk. The virus can run every time the computer is booted up.
Stealth Virus: A stealth virus is designed to hide itself from detection by antivirus software; for example, it uses compression so that the infected program is of the same length as the uninfected version of the same program.
Polymorphic Virus: A virus that has the ability to change itself as time goes by, or when it replicates, is called a polymorphic virus.
Metamorphic Virus: It changes itself with every infection. The difference between a polymorphic and a metamorphic virus is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection, while a polymorphic virus only changes its signature.
2.2.2.2 Macro Viruses
Macro viruses infect Microsoft Word documents. For example, they may delete information from a document or insert phrases into it. Propagation is usually through infected files. If a user opens a document that is infected, the virus may install itself so that any subsequent documents are also infected. Some macro viruses propagate via email, such as the Melissa virus.
The Melissa virus is the best known macro virus. It targeted Microsoft Word 97 and 2000. The virus worked by emailing a victim with an email that appeared to come from a known contact. The email contained a Microsoft Word document as an attachment that, if opened, would infect Microsoft Word, and if the victim used the Microsoft Outlook 97 or 98 email client, the virus would be forwarded to the first 50 contacts in the victim's address book.
2.2.3 Worms
Worms are special types of viruses that can replicate themselves and use memory but cannot attach themselves to other programs. Unlike viruses, worms do not require human interaction and can spread automatically from one computer to another across the network[32]. Worms are not always malicious; they can occur as a result of a logic error in a well-intentioned program[33]. The two main types of worms are described below.
2.2.3.1 Mass-Mailing Worms
Mass-mailing worms can be classified as a worm, virus or both. A mass-mailing worm is a worm
that spreads through email. Once the email has reached its target it may have a payload in the form
of a virus or trojan.
2.2.3.2 Network-Aware Worms
Network-aware worms are a major problem for the Internet. Network-aware worms need four stages for propagation. The first step is target selection: the compromised host (an attacked computer) targets a host. The compromised host then attempts to gain access to the target host by exploitation. Once the worm has access to the target host, it can infect it. Infection may include loading Trojans onto the target host, creating back doors or modifying files. Once infection is complete, the target host is now compromised and can be used by the worm to continue propagation.
2.2.4 Trojan
Trojan horses are one of the serious threats. The name is derived from the Greek story in which the Greeks won the Trojan war by hiding in a huge hollow wooden horse to get into the fortified city of Troy. A Trojan horse is a malicious, security breaking program that seems to be beneficial to the user, for example in the form of a screen saver or a game. Many Trojan horses permit password crackers (people who crack passwords) to control a person's computer remotely in order to use the computer for denial of service attacks. Moreover, Trojans can be designed to destroy data, software and hardware, or to transfer a computer virus or worm.
2.2.4.1 Logic Bombs
Logic bombs are a special form of Trojan that only release their payload once a certain condition is met. A logic bomb involves installing a hidden program that is designed to activate after a predefined date and time[34].
2.2.5 Replay Attacks
A replay attack is a kind of active attack (one that involves modification, redirection, blockage or destruction of data, devices or communication links) where the attacker records a communication session (a period devoted to a specific activity), or a part of it, and later replays the entire session or a portion of the recorded session to take advantage of it[35]. Replay attacks are used to gain access to the network with the authorizations of the target, but the actual session is not altered. This attack is not a real-time attack, i.e. the attacker accesses the network after the original session. The attacker captures the authentication of a session and then replays the authenticated session at a later time[36].
2.2.6 War Driving
War driving is the process of driving around an area searching for wireless networks. It is mostly performed by hackers looking for unsecured networks[6]. The attacker searches for a wireless network by listening to beacon frames (the beacon frame advertises the existence and basic configuration of a network at periodic intervals; described in detail in section 4.3.1.1) or by sending probe requests (the probe request is sent by a client looking for a specific SSID or any SSID within its area; details in section 4.3.1.2) to the access point. The attacker uses wardriving software such as netstumbler and airodump in order to obtain the following information:
The basic service set identifier (BSSID; the MAC address of the access point (AP))[37]
The service set identifier (SSID) or network name, which identifies the network to users.
The channel number: the channel used by the access point or independent basic service set (IBSS: an ad hoc network, where stations or nodes communicate directly with each other without an access point).
2.2.7 Rogue Access Point
After obtaining probe responses by sending probe requests, or by sniffing (listening to) beacon frames (the beacon frame advertises the existence and basic configuration of a network at periodic intervals; described in detail in section 4.3.1.1), the attacker sets up his own access point with the same MAC address and service set identifier (SSID; the name of the network) as the legitimate access point (AP), but with stronger signals; that access point is called a rogue access point. When a station configured for the legitimate AP enters the coverage area of the rogue access point, the default configuration of the network will make the station automatically associate with the rogue access point. The rogue access point can perform illegal acts; for example, it can direct fake traffic to the associated station or drop the disassociation request made by the station[38]. A rogue access point can also pose a significant threat to wireless networks by creating a backdoor (software that allows access to a system without normal authentication[39]).
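The defender's counterpart to this is a rogue AP check that compares the beacons a wireless sensor observes against an inventory of authorised access points, flagging both a foreign BSSID advertising the organisation's SSID and an authorised BSSID seen on the wrong channel or with a signal far stronger than its baseline (the clone described above). The Python below is an added example, not code from the paper; the beacon observations, the inventory, the field names and the 15 dB tolerance are constructed assumptions.

```python
"""Rogue access point detection from beacon observations (added example).

A monitoring sensor records beacon frames (BSSID, SSID, channel, signal
strength). Each observation is compared with an inventory of authorised APs.
Two patterns are flagged:
  * a BSSID not in the inventory advertising one of our SSIDs;
  * an authorised BSSID whose SSID, channel or signal strength departs from
    its recorded baseline (a clone using our MAC and SSID, but closer/stronger).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int  # received signal strength at the sensor, in dBm


# Constructed inventory (not real data): BSSID -> (SSID, channel, baseline RSSI at sensor)
AUTHORISED = {
    "00:11:22:33:44:55": ("corp-wifi", 6, -60),
    "00:11:22:33:44:66": ("corp-wifi", 11, -72),
}
RSSI_TOLERANCE_DB = 15  # assumption: deviation above baseline beyond this is anomalous

# Constructed beacon observations (not a real capture).
OBSERVED = [
    Beacon("00:11:22:33:44:55", "corp-wifi", 6, -61),    # legitimate AP
    Beacon("00:11:22:33:44:66", "corp-wifi", 11, -70),   # legitimate AP
    Beacon("de:ad:be:ef:00:01", "corp-wifi", 1, -40),    # foreign BSSID using our SSID
    Beacon("00:11:22:33:44:55", "corp-wifi", 1, -35),    # cloned BSSID: wrong channel, too strong
    Beacon("66:77:88:99:aa:bb", "coffee-shop", 3, -80),  # neighbouring network, not ours
]


def classify(beacon, inventory=AUTHORISED, tolerance=RSSI_TOLERANCE_DB):
    """Return None for a benign beacon, or a short reason string for an alert."""
    known = inventory.get(beacon.bssid)
    our_ssids = {ssid for ssid, _, _ in inventory.values()}
    if known is None:
        if beacon.ssid in our_ssids:
            return "foreign BSSID advertising authorised SSID"
        return None  # unrelated network; outside our estate
    ssid, channel, baseline_rssi = known
    reasons = []
    if beacon.ssid != ssid:
        reasons.append("SSID mismatch")
    if beacon.channel != channel:
        reasons.append("channel mismatch")
    if beacon.rssi_dbm - baseline_rssi > tolerance:
        reasons.append("signal far stronger than baseline")
    return "authorised BSSID seen with " + ", ".join(reasons) if reasons else None


def find_rogues(beacons, inventory=AUTHORISED):
    """Map each alerting BSSID to the set of reasons, de-duplicating repeated beacons."""
    alerts = {}
    for b in beacons:
        reason = classify(b, inventory)
        if reason:
            alerts.setdefault(b.bssid, set()).add(reason)
    return alerts


if __name__ == "__main__":
    for bssid, reasons in find_rogues(OBSERVED).items():
        print(bssid, "->", "; ".join(sorted(reasons)))
```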
2.2.8 Denial of service attacks
Denial of Service (DoS) attacks, sometimes known as nuke attacks, are designed to deny
legitimate users of a system from accessing or using the system in a satisfactory manner. DoS
attacks usually disrupt the service of a network or a computer, so that it is either impossible to use,
or its performance is seriously degraded. There are three main types of DoS attacks: host based,
network based and distributed[22].
2.2.8.1 Host Based
Host based DoS attacks aim at attacking computers. Either a vulnerability in the operating system, in application software or in the configuration of the host is targeted. Crashers are a form of host based DoS that are simply designed to crash the host system so that it must be restarted. Crashers usually target a vulnerability in the host's operating system. Many crashers work by exploiting the implementation of network protocols by various operating systems. Some operating systems cannot handle certain packets, which, if received, cause the operating system to hang or crash.
2.2.8.2 Network Based
Network based DoS attacks target network resources in an attempt to disrupt legitimate use.
Network based DoS usually flood the network and the target with packets. To succeed in flooding,
more packets than the target can handle must be sent, or if the attacker is attacking the network,
enough packets must be flooded so that the bandwidth left for legitimate users is severely reduced.
Three main methods of flooding have been identified:
TCP Floods: TCP packets are streamed to the target.
ICMP Echo Request/Reply: ICMP packets are streamed to the target.
UDP Floods: UDP(User Datagram Protocol) packets are streamed to the target.
2.2.8.3 Distributed
The last type of DoS attack is perhaps the most interesting. Distributed DoS (DDoS) attacks are a recent development in computer and network attack methodologies. DDoS attacks are effective enough to disrupt a website's operation for several hours. DDoS attacks work by using a large number of attack hosts to direct a simultaneous attack on a target or targets.
2.2.9 Power Consumption attacks
Power consumption attacks occur in wireless sensor networks (WSNs; a network that consists of a number of low cost and resource limited sensor nodes that sense important data and transmit information[41]). When an attack occurs, it may consume the power of the wireless device or wireless network under attack. Sensor nodes are mostly equipped with a limited power supply. There are two types of power consumption attacks in WSNs.
2.2.9.1 Sleep Deprivation Attack
A sleep deprivation attack is a severe attack in WSNs because recharging or replacing the batteries of nodes may be impossible. In the sleep deprivation attack, the malicious node makes requests to sensor nodes to keep them awake[25]. This attack causes a large amount of power consumption, so that the limited power sensor nodes stop working, ultimately causing denial of service through denial of sleep[41]. In the case of a densely populated area, this attack may also lead to more energy consumption due to congestion and contention at the data link layer.
2.2.9.2 Barrage Attack
The barrage attack bombards victim nodes with legitimate requests. Compared to the sleep deprivation attack, it causes its victims to spend slightly more energy, but it is more easily detected and requires more effort on behalf of the attacker. The purpose of these requests is to waste the victim's limited power supply by causing it to stay out of its sleep mode and perform energy intensive operations. The main difference between the sleep deprivation attack and the barrage attack is that in sleep deprivation attacks victim nodes are kept awake but are not made to perform energy intensive operations, as is the case in the barrage attack[25].
2.2.10 Man In The Middle Attack
A man-in-the-middle attack occurs when an attacker is able to place itself between two communicating hosts. The attacker can observe all traffic before relaying it to the intended recipient, or modify or block traffic, thus violating the integrity of a session. This is a real-time attack, meaning that the attack occurs during the target machine's session. To the target host, it appears that all communication is taking place normally, since all expected replies are being received. In the case of encrypted traffic, the attacker will gain limited information, but sensitive information may still be obtained, since knowing what communication is being conducted between which individuals may itself provide valuable information[40].
There are multiple ways to implement this attack. One example is when the target has an authenticated session underway. In step one, the attacker breaks the session and does not allow the target to re-associate with the access point. In step two, the target machine attempts to re-associate with the wireless network through the access point and is only able to associate with the attacker's machine, which is mimicking the access point. Also in step two, the attacker associates and authenticates with the access point on behalf of the target[36].
2.2.11 Forced deauthentication/disassociation request Attack
Disassociation and deauthentication attacks exploit the unauthenticated nature of management frames in wireless networks. When a station wants to connect to an access point, it first exchanges authentication frames and then association frames. Any station can spoof a disassociate or deauthenticate message, pretending to be another station. As a result, the access point disassociates the targeted station, which cannot send traffic until it is associated again[45]. By repeating the attack persistently, a client may be kept from transmitting or receiving data. To accomplish this attack, the attacker must promiscuously monitor the channel and send deauthentication messages only when a new authentication has successfully taken place[24].
802.11w allows the receiving station to refuse disassociation and deauthentication when management frame protection (MFP) is on and the message integrity check fails[46]. (The message integrity check adds two new fields inside an encrypted frame: the sequence number and the integrity check. The sequence number checks the order of the packets, and unordered packets are discarded.) This attack occurs at Layer 2, i.e. the MAC layer.
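Both behaviours described above are visible to a passive monitor: a deauthentication that lands right after a station's successful authentication, and the repeated-attack variant, which shows up as a burst of disconnect frames. The Python below is an added example, not code from the paper; the frame log, field names, window size and thresholds are constructed assumptions, and because pre-802.11w management frames are unauthenticated the sender address cannot be trusted, so both rules are behavioural rather than address based.

```python
"""Behavioural detection of forced deauthentication/disassociation (added example).

Without 802.11w management frame protection the source address of a deauth
frame may be spoofed, so detection relies on timing rather than on who the
frame claims to come from:
  rule 1: a burst of disconnect frames from one sender inside a short window;
  rule 2: a disconnect that follows a station's successful authentication
          within a couple of seconds (the pattern described in the text).
"""
from collections import defaultdict, deque

# Constructed monitor log (not a real capture). Keys:
#   t: seconds; subtype: "auth" (authentication response), "deauth", "disassoc";
#   src/dst: MAC addresses; status: authentication status code, 0 = success.
AP = "00:11:22:33:44:55"
STA1 = "aa:bb:cc:dd:ee:01"
STA2 = "aa:bb:cc:dd:ee:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [
    {"t": 0.00, "subtype": "auth", "src": AP, "dst": STA1, "status": 0},
    {"t": 0.30, "subtype": "deauth", "src": AP, "dst": STA1},     # STA1 kicked off
    {"t": 4.00, "subtype": "auth", "src": AP, "dst": STA1, "status": 0},
    {"t": 4.25, "subtype": "deauth", "src": AP, "dst": STA1},     # ... and again
    {"t": 9.00, "subtype": "auth", "src": AP, "dst": STA2, "status": 0},
    {"t": 3600.0, "subtype": "disassoc", "src": STA2, "dst": AP},  # benign: STA2 leaves an hour later
]
# Burst of 15 broadcast deauths within 0.7 s, all claiming to come from the AP (rule 1).
SAMPLE_FRAMES += [
    {"t": 20.0 + i / 20, "subtype": "deauth", "src": AP, "dst": BROADCAST}
    for i in range(15)
]

DISCONNECT = {"deauth", "disassoc"}


def detect_flood(frames, window_s=1.0, threshold=10):
    """Return {sender: time} for senders whose disconnect frames exceed
    `threshold` inside any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)
    flagged = {}
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["subtype"] not in DISCONNECT:
            continue
        q = recent[f["src"]]
        q.append(f["t"])
        while q and f["t"] - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and f["src"] not in flagged:
            flagged[f["src"]] = f["t"]           # first time the threshold was crossed
    return flagged


def detect_post_auth_disconnect(frames, max_gap_s=2.0):
    """Return (station, auth_time, disconnect_time) tuples for disconnect frames
    involving a station that authenticated successfully no more than `max_gap_s`
    earlier. Repeated hits for one station show a client being held off the network."""
    last_auth = {}
    hits = []
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["subtype"] == "auth" and f.get("status") == 0:
            last_auth[f["dst"]] = f["t"]
        elif f["subtype"] in DISCONNECT:
            # the spoofed frame may be addressed to the station or claim to come from it
            for station in (f["dst"], f["src"]):
                if station in last_auth and f["t"] - last_auth[station] <= max_gap_s:
                    hits.append((station, last_auth[station], f["t"]))
                    break
    return hits


def main():
    print("flood senders:", detect_flood(SAMPLE_FRAMES))
    for station, auth_t, dc_t in detect_post_auth_disconnect(SAMPLE_FRAMES):
        print(f"{station} disconnected {dc_t - auth_t:.2f}s after authenticating")


if __name__ == "__main__":
    main()
```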
2.2.12 Wormhole Attacks
During this attack, a malicious node captures packets at one location in the network and transfers them to another malicious node at a distant point, which replays them locally. The wormhole link can be established by an Ethernet cable, an optical link or long range wireless transmission antennas. This link makes the packets arrive either sooner or with fewer hops compared to packets transmitted over normal multihop routes. As a result, the two end points of a wormhole link appear to be close to each other. This can disrupt network routing protocols and clustering protocols, prevent critical messages from being received by their intended recipients and disrupt location based wireless security systems[47].
A wormhole attack is possible even if the attacker has not compromised any hosts and even if all communication provides authenticity and confidentiality.
Prevention: A wormhole attack can be prevented by a security policy designed such that a group A only trusts connections to group B. Because this is an asymmetric trust, a wormhole attack from B to A is not possible. This is an important step in preventing a wormhole attack that seeks to skip a sensor or group of sensors in a sequence by generating a wormhole around it[47].
2.2.13 Spoofing
Spoofing is a type of attack in which a hacker modifies the source address of a network packet (a piece of information sent on a network containing data along with header information; the header contains the source and destination address of the packet[43]). In this type of attack, the attacker can convince any computer or network that he is a legitimate user[42].
There are three major types of spoofing.
MAC Spoofing
MAC spoofing occurs when the hacker modifies the source MAC address of the packet. The MAC address is the address at the data-link layer that identifies each physical network connection[44]. MAC addresses are also called burned-in addresses because the address is burned into read only memory (ROM) and copied into random access memory (RAM). MAC address spoofing is only useful to an attacker if their target is on the same subnet as they are. MAC operates at the data-link layer, and so is only used locally. To spoof beyond the local subnet, an attacker must spoof at a higher layer, for example the network layer.
IP Spoofing
The attacker uses the IP address of another computer to acquire information or gain access to network resources. The attacker alters the source IP address of the packet. IP spoofing occurs at the network layer. Further information is provided in [48].
Email Spoofing
Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords)[50].
Examples of spoofed email that could affect the security of your site include:
Email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this.
Email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information.
2.2.14 Physical Attacks
A physical attack disrupts the reliability of computer equipment and the availability of data. A physical attack is carried out either through the use of conventional weapons, creating heat, blast and fragmentation, or through direct manipulation of wiring or equipment, usually after gaining unauthorized physical access.
In 1991, during Operation Desert Storm, the U.S. military reportedly disrupted Iraqi communications and computer centers by sending cruise missiles to scatter carbon filaments that short circuited power supply lines. Also, the Al Qaeda attacks directed against the World Trade Center and the Pentagon on September 11, 2001, destroyed many important computer databases and disrupted civilian and military financial and communications systems that were linked globally. The temporary loss of communications links and important data added to the effects of the physical attack by closing financial markets for up to a week[49].
Chapter 3
Related Work
3.1 Requirements of taxonomy
Developing a taxonomy for computer and network attacks is not a straightforward or easy task. Attacks can be classified in many ways, mostly depending on the environment one works in. Scientifically speaking, a taxonomy is an approximation of reality that is used to gain greater understanding of a field of study. As such, a taxonomy should have classification categories with the following characteristics:
1. Accepted
The taxonomy should be structured so that it can become generally approved.
2. Comprehensible
A comprehensible taxonomy will be able to be understood by those who are in the security field, as
well as those who only have an interest in it.
3. Completeness/exhaustive
For a taxonomy to be complete/exhaustive, it should account for all possible attacks and provide categories for them. While it is hard to prove that a taxonomy is complete or exhaustive, it can be justified through the successful categorization of actual attacks.
4. Determinism
The procedure of classifying must be clearly determined.
5. Mutually exclusive
A mutually exclusive taxonomy will categorize each attack into, at most, one category.
6. Repeatable
Classifications should be repeatable.
7. Terminology complying with established security terminology
Existing terminology should be used in the taxonomy so as to avoid confusion.
8. Terms well defined
There should be no confusion as to what a term means.
9. Unambiguous
Each category of the taxonomy must be clearly defined so that there is no ambiguity as to where an
attack should be classified.
10. Useful
A useful taxonomy will be able to be used in the security industry.
3.2 Previous taxonomies
3.2.1 Landwehr's Taxonomy
The taxonomy is based on computer program security flaws. A security flaw is a part of a program that can cause the system to violate its security requirements. First, we should know what the security requirements of our system are and then identify flaws. The taxonomy proposed here classifies flaws according to how, when and where they were introduced into the system.
Classification of Flaws
Landwehr made the following categories in order to classify flaws:
1. By Genesis
This (the "how" of error introduction) is the most important part of the taxonomy for this dissertation. How does a security flaw find its way into a program? It may be introduced intentionally or inadvertently.
Sub-Categories are:
1. Malicious Flaws
2. Intentional, Non-Malicious Flaws
3. Inadvertent Flaws
2. By Time of Introduction
Classifying identified security flaws, both intentional and inadvertent, according to the phase of the system life cycle in which they were introduced can help us understand where to look for more errors and where to focus efforts to prevent their introduction.
Sub-Categories are:
1. during Development
2. during Maintenance
3. during Operation
3. By Location
A security flaw can be classified according to where in the system it is introduced or found. Most computer security flaws occur in software, but flaws affecting security may occur in hardware as well.
3.2.2 Howard's Taxonomy
Howard provides an incident taxonomy that classifies attacks by events, where an event is an attack directed at a specific target intended to result in a changed state. The event involves the action and the target. He highlights all the steps that make up an attack and how an attack develops. The attack consists of five logical steps which an attacker performs to achieve an unauthorized result. Those steps are: tools, vulnerability, action, target, and unauthorized result.
The tool refers to the mechanism used to perform the attack.
The vulnerability is the type of exploit used to perform the attack.
The action refers to the method used by the attacker to perform the attack (i.e. probe, scan, authenticate, etc.).
The target is the entity the attack is attempting to compromise.
The unauthorized result is the changed state caused by the attack.
Although Howard presents a useful taxonomy that provides an informative baseline for cyber intrusions, it lacks the details needed for thorough insight into the attack.
3.2.3 Lough's Taxonomy
Lough proposed an attack-centric taxonomy called VERDICT (Validation Exposure Randomness Deallocation Improper Conditions Taxonomy). Lough focuses on four major causes of security errors: Improper Validation, Improper Exposure, Improper Randomness and Improper Deallocation. He labels these four characteristics with the prefix "Improper", with attacks being thought of as improper conditions.
Validation refers to improperly validated or unconstrained data, which also includes physical security.
Exposure involves the improper exposure of information that could be used directly or indirectly for the exploitation of a vulnerability.
Randomness deals with the fundamentals of cryptography and the improper usage of randomness.
Deallocation is the improper destruction of information, or residuals of data, which also includes dumpster diving.
He uses one or more of the above characteristics to describe a vulnerability within a system.
3.2.4 Hansman Taxonomy
Hansman and Hunt aim to develop a "pragmatic taxonomy that is useful to those dealing with
attacks on a regular basis." They also analyze a few of the existing taxonomies.
They conclude that it is difficult to develop an effective tree-structured taxonomy of attacks. Instead
they propose four taxonomies of attacks based on four different
dimensions of classification.
Dimensions
This taxonomy works by using the concept of dimensions. Dimensions are a way of allowing the
classification of an attack to take a more holistic view of the attack. The taxonomy proposes four
dimensions for attack classification.
The First Dimension
Classification in the first dimension consists of two options:
If the attack uses an attack vector, categorize by the vector.
Otherwise find the most appropriate category.
The attack vector of an attack is the main means by which the attack reaches its target. For example,
the Melissa "virus" uses email as its main form of propagation, and therefore is, in the first
dimension, a mass-mailing worm.
The Second Dimension
The second dimension covers the target(s) of the attack. As an attack may have multiple targets,
there may be multiple entries in this dimension. Targets are refined hierarchically: a target can be
hardware, within hardware it can be a computer, and within a computer the main target can be the
hard disks. For example, if Code Red attacked Server A,
the target would not be Server A, but the IIS server that Server A was running.
The Third Dimension
The third dimension covers the vulnerabilities and exploits that the attack uses. An attack may
exploit multiple vulnerabilities, so there may be more than one entry in the third dimension.
Entries in the third dimension are usually a Common Vulnerabilities and Exposures (CVE) entry.
Howard suggests three general types of vulnerabilities:
Vulnerability in implementation
Vulnerability in design
Vulnerability in configuration
If no CVE entry exists, then one of Howard’s types of vulnerabilities should be selected, and a
description of the vulnerability should be created.
The Fourth Dimension
The fourth dimension deals with attacks having payloads or effects beyond themselves. For
example, a worm may have a Trojan payload, or it may simply destroy some files. The payload
may be another attack itself and so the first dimension can be used to classify the payload if this is
the case. The fourth dimension consists of five categories:
1. First Dimension Attack Payload
2. Corruption of Information
3. Disclosure of Information
4. Theft of Service
5. Subversion
A number of further dimensions could be added to enhance the taxonomy, such as damage and cost
of recovery.
3.3 Critical Review
Landwehr's taxonomy is most useful when it classifies threats in a scope that corresponds to
potential defenses. This taxonomy differs from previous taxonomies, as it helps not only to
identify attacks, but also provides measures to mitigate attack vulnerabilities. One approach to
gaining insight into an attacker's target is to consider the attack paths, or combinations of
exploits. The authors did not limit their taxonomy to operating systems but provided a more general
taxonomy of flaws in computer programs.
Howard criticizes Landwehr's taxonomy because it uses terms like "Trojan horse, trapdoor,
logic/time bomb for which there are no accepted definitions". Although
Landwehr gives fairly standard definitions in his paper, they are a little vague. The authors state
that "a time-bomb might be placed within either a replicating or nonreplicating Trojan horse."
However, "Trojan Horse" and "Logic/Time Bomb" are on the same level. The authors recognized
the limitations of their taxonomy. They know it is "...an approach for evaluating problems in
systems as they have been built." They also realize that "the assignment of a flaw to a category may
rest on relatively fine distinctions." Their 50 documented flaws are just a small data set, and
statistically valid conclusions cannot be drawn from such a set. Although the taxonomy may not
meet the stringent standards of taxonomies, it does give the system user an idea of how, when, and
where errors come from. This is precisely what they intended to show.
Although Howard presents a useful taxonomy that provides an informative baseline for cyber intrusions, it
lacks the details needed for thorough insight into the attack. In such a taxonomy the classes are not
mutually exclusive, but it is useful for understanding the nature of attacks.
Lough’s taxonomy directly includes the cause of the attack as a category; it is useful for a security
assessment process. However, Lough’s taxonomy has many limitations. First, Lough’s taxonomy
is not application-specific. Lough combines information from a wide variety of attacks and
vulnerabilities, including operating system flaws and network attacks. This makes his taxonomy
very general. Second, Lough uses both attack and vulnerability taxonomies to derive his new
taxonomy. He compares attack classes with vulnerability classes and even equates many of them.
From a security assessment perspective this has two side effects. First, it mixes cause and effects.
Vulnerability is the cause for an attack. Therefore, it is beneficial to the assessment process to
organize information such that these causes and effects are properly separated. Second, as we have
seen so far, the number of attack classes is limited, and the number of vulnerabilities can be very
high. Therefore, equating attacks and vulnerabilities has the effect of hiding many of the
vulnerabilities under a single class of attacks. This leads to the third limitation in using Lough’s
work for security assessment: Lough has a single-level taxonomy. This implies that many types of
vulnerabilities are abstracted under a single category. All attacks are put into four categories, and
there is no refinement of the upper-level categories into lower-level details. Such a taxonomy is not
ideally suited for security assessments.
Hansman and Hunt aim to develop a "pragmatic taxonomy that is useful to those dealing with
attacks on a regular basis." They also analyze a few of the existing taxonomies.
They conclude that it is difficult to develop an effective tree-structured taxonomy of attacks. Instead
they propose four taxonomies of attacks based on four different dimensions of classification. The
four dimensions are:
• Attack vector
• Attack target
• Vulnerabilities and exploits
• Attacks with payloads
Each of the four taxonomies is hierarchical, with subsequent layers providing greater detail about the
attack. The four taxonomies taken together provide useful information and meet the goal of
developing a "pragmatic taxonomy." It might be true, as argued by Hansman and Hunt, that
developing a single tree-structured taxonomy incorporating all these dimensions would be
cumbersome. However, if the taxonomy were application-specific instead of trying to incorporate
all possible kinds of attacks, it might not be very difficult to develop a single tree-structured
taxonomy of attacks. A tree structure in the taxonomy provides the basis for the systematic process
of security assessment. The assessment must cover the breadth of attacks while simultaneously
exploring the depth of the system’s functional blocks to unearth vulnerable features.
Chapter 4
Taxonomy
4.1 The Proposed Taxonomy
Security is a key service for both wired and wireless communications. The previous taxonomies
focus mostly upon wired networks, while there is limited work corresponding to the security of
wireless networks. The evolution in the variety and application of wireless networks has vastly
increased the urgency of identifying security threats and countermeasures to combat these threats.
Maintaining a secure wireless network is an ongoing process that requires greater effort than that
required for other networks and systems.
Our taxonomy actively addresses risks inherent in wireless networks to protect these networks before
deployment. We have proposed the necessary and sufficient categories to create a satisfactory
taxonomy of wireless network attacks. Basically these categories can be extracted from the
conception of attack generation. Taxonomies such as Howard's give a good overview of the attack
process, but avoid examining the categories of attacks that face computers and networks each day.
The taxonomy may have two types of structure:
Tree-Like Structure
List-Based Structure
The taxonomy resulting from a tree-like structure will have more general categories at the top, and
specific categories at the leaves. However, while such a taxonomy is certainly desirable, in
practice it is not possible to do so in an acceptable manner. The first problem with such a taxonomy
is how to deal with attacks that cause other attacks. To allow for attacks to contain other attacks
there are two possible solutions. One is to allow for cross-tree references, that is when one leaf
node points to another leaf node somewhere else in the taxonomy. This approach leads to a messy
tree and would be hard to use in classifying. The second is to have recursive trees, so that each leaf
on the base tree may have another tree (or more) under it. This again leads to a messy structure and
would be of limited use.
The second problem is that attacks, unlike animals, often do not have many common traits. This
makes the creation of broad categories hard. While worms and viruses can be related, there is little
in common between them and a buffer-overflow. This means that the taxonomy tree would have to
branch out immediately into a number of categories that are unrelated. The benefits of the tree-like
structure are therefore lost. With these two problems, the tree-like taxonomy was discarded.
Another way taxonomies are sometimes created is through lists. A list-based taxonomy contains a
flat list of categories. There are two approaches that could have been taken in the proposed
taxonomy. Firstly, a flat list with general categories could be suggested, or secondly, a flat list
with very specific categories could be proposed. We have utilized both of these approaches for the
proposed taxonomy. Our classification consists of general and specific categories so as to give a
detailed classification of each attack, leading towards a specific taxonomy.
4.2 Classification
4.3.1 Stage
In wireless networks, there are three stages that need to be passed before transmission of data. These
stages are:
• Discovery
• Authentication
• Association
In the proposed taxonomy, the attacks have first been categorized according to the stage at which they occur,
as each attack occurs during one of these stages or after passing through all three of them.
According to Lough[2], when a station wishes to join a Basic Service Set (BSS) (a collection of
stations communicating with each other through an access point), it first has to "authenticate" to the BSS
by a challenge-response protocol (challenge-response authentication is a family of protocols in which one
party presents a question ("challenge") and another party must provide a valid answer ("response") to be
authenticated). After authentication, the station then "associates" with the BSS. When a station wants to
leave a BSS, it "disassociates" from the BSS.
4.3.1.1 Discovery/Probing/Scanning:
In the wireless world, a station must identify a compatible network before joining it. Discovery is the stage where a
station or access point (AP) discovers the presence of other stations or access points. Access points (and
their equivalent stations in ad hoc networks) send management packets at periodic intervals, for example
beacon frames and probe requests[27].
Beacon Frames:
The beacon frame is a management frame for synchronization, power management and delivering
parameters. The beacon frame advertises the existence and basic configuration of a network. The access point
of a basic service set sends beacon frames and clients listen to them. In an ad hoc network (where
stations or nodes communicate directly with each other without an access point), clients themselves transmit
beacon frames[29]. The MAC (medium access control) layer is responsible for generating beacon
frames[30]. Beacon frames are generated at regular intervals called the target beacon transmission
time (TBTT). Beacon frames include the following:
Time Stamp: Each beacon contains a timestamp which is used by stations to keep their clocks
synchronized with the access point.
Channel information: The channel used by the AP or independent basic service set (IBSS: ad hoc
network).
Data Rates: Supported data transfer rates.
Service Set Identifier (SSID): The name of the wireless network. All devices in a wireless network
must use the same SSID to communicate with each other.
Probe Requests/Probe Responses:
The probe request is sent by a client looking for a specific SSID (directed probe request) or any SSID
within its area (null probe request). After the probe request is sent, all APs in the area with the same SSID
will reply with a probe response. The probe response frame contains the same information that was contained in
the beacon frame[29].
Active probing (use of probe requests) involves the attacker actively sending probe requests
containing the desired identity in order to obtain a probe response from an AP whose identity matches the
probe request. Active probing cannot detect access points that are cloaked (configured not to respond to
probe requests with no SSID set) or that are out of the attacker's wireless transmission range.
When an attacker engages in passive probing (use of beacon frames), he listens on all
channels for all wireless packets without sending even a single packet. Cloaked APs with no wireless
activity are not detected. Passive scanning is used when stations want to conserve power.
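As an added example that is not part of the thesis, the following Python code shows what a passive scanner sees: it builds a few constructed beacon frames, verifies the CRC-32 frame check sequence that the data link layer (section 4.3.3.2) appends, and extracts the timestamp, channel, supported rates, SSID and privacy flag, marking an AP as cloaked when its beacon carries an empty SSID. The BSSIDs, SSIDs and the inventory_access_points helper are constructed for illustration.

```python
import struct
import zlib

# Information element (tag) numbers used in a beacon body
TAG_SSID = 0
TAG_SUPPORTED_RATES = 1
TAG_DS_PARAMETER_SET = 3      # carries the channel number
BEACON_SUBTYPE = 8            # frame control: type 0 (management), subtype 8 (beacon)
CAP_ESS = 0x0001              # capability bit: infrastructure BSS
CAP_PRIVACY = 0x0010          # capability bit: encryption (WEP) required


def build_beacon(bssid, ssid, channel, rates_mbps, privacy=False, timestamp=0):
    """Assemble a constructed beacon frame: 24-byte header, body, CRC-32 FCS.

    An empty ssid models a cloaked access point that hides its network name.
    """
    frame_control = struct.pack("<H", BEACON_SUBTYPE << 4)
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6                      # beacons are sent to everyone
    seq_ctrl = b"\x00\x00"
    header = frame_control + duration + broadcast + bssid + bssid + seq_ctrl
    capability = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    body = struct.pack("<QHH", timestamp, 100, capability)   # interval: 100 TUs
    ssid_bytes = ssid.encode()
    body += bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    rates = bytes(int(r * 2) for r in rates_mbps)             # units of 500 kbit/s
    body += bytes([TAG_SUPPORTED_RATES, len(rates)]) + rates
    body += bytes([TAG_DS_PARAMETER_SET, 1, channel])
    frame = header + body
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def parse_beacon(frame):
    """Check the FCS and return the parameters a beacon advertises.

    Raises ValueError for a corrupt (bad CRC), truncated or non-beacon frame.
    """
    if len(frame) < 24 + 12 + 4:
        raise ValueError("frame too short")
    payload, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(payload) & 0xFFFFFFFF != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    fc = struct.unpack("<H", payload[:2])[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != BEACON_SUBTYPE:
        raise ValueError("not a beacon frame")
    timestamp, interval, capability = struct.unpack("<QHH", payload[24:36])
    info = {
        "bssid": payload[16:22].hex(":"),       # address 3 of a beacon is the BSSID
        "timestamp": timestamp,
        "beacon_interval": interval,
        "privacy": bool(capability & CAP_PRIVACY),
        "ssid": None, "cloaked": False, "channel": None, "rates_mbps": [],
    }
    pos = 36
    while pos + 2 <= len(payload):
        tag, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == TAG_SSID:
            info["ssid"] = value.decode(errors="replace")
            info["cloaked"] = length == 0
        elif tag == TAG_SUPPORTED_RATES:
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in value]   # bit 7 = basic rate
        elif tag == TAG_DS_PARAMETER_SET and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def inventory_access_points(frames):
    """Build a BSSID -> parameters table from passively captured beacons.

    Corrupt frames are skipped. A defender compares this table against the
    list of sanctioned APs to spot an unknown BSSID or a changed SSID.
    """
    seen = {}
    for frame in frames:
        try:
            beacon = parse_beacon(frame)
        except ValueError:
            continue
        seen[beacon["bssid"]] = beacon
    return seen


# Constructed capture: an encrypted AP, a cloaked AP and one frame damaged in transit
_good = build_beacon(bytes.fromhex("00111122223c"), "Guest", 1, [1, 2])
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("00111122223a"), "CorpNet", 6, [1, 2, 5.5, 11], privacy=True),
    build_beacon(bytes.fromhex("00111122223b"), "", 11, [6, 12, 24]),
    _good[:30] + bytes([_good[30] ^ 0xFF]) + _good[31:],   # one timestamp byte flipped
]

if __name__ == "__main__":
    for bssid, ap in inventory_access_points(SAMPLE_FRAMES).items():
        print(bssid, ap["ssid"] or "<cloaked>", "ch", ap["channel"], "privacy", ap["privacy"])
```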
4.3.1.2 Authentication
Authentication is used by an AP or a station to verify the identity of another station. This security service is critical
for preventing unauthorized access to network resources. In an infrastructure wireless network,
authentication provides protection against unauthorized users, since the AP is the entry point into the
Extended Service Set. Improper authentication can undermine all security measures in an enterprise.
Mutual authentication also allows the wireless network to prove its identity to the STA, which allows the
STA to positively validate that it is communicating with a legitimate wireless network, as opposed to an
unauthorized or "rogue" WLAN. The station sends an authentication request to the access point. The
access point authenticates the station.
The IEEE 802.11 standard defines two types of WEP authentication:
• Open System Authentication allows any device to join the network, assuming that the device SSID
matches the access point SSID. Alternatively, the device can use the "ANY" SSID option to associate with
any available access point within range, regardless of its SSID.
• Shared Key Authentication requires that the station and the access point have the same key to
authenticate. Shared Key authentication is made possible by a challenge-response protocol.
Challenge-response protocol:
In a challenge-response protocol, one node selects a random number, encrypts it with a shared key and sends
the ciphertext (encrypted text), which is called the challenge, to the other node. If the node that has received the
challenge can decrypt it and return the original random number, the identity of the challenged
node is proved because it has the correct key[28].
4.3.1.3 Association
The station sends an association request to the access point. The access point associates with the station.
According to Mathew Gast[4]:
"Association is a recordkeeping process that allows the distribution system to track the location of each
mobile station, so that frames destined for the mobile station can be forwarded to the correct access point"
After association completes, the station is registered on the access point. Association is restricted to
infrastructure networks. The association process is a three-step process:
1- After a station has authenticated, it can issue an association request frame. Stations that have not yet
authenticated receive a deauthentication frame from the access point in response.
2- The access point then processes the association request. 802.11 does not specify how to determine
whether an association should be granted; this is specific to the access point implementation.
A- When the association request is granted, the access point responds with status code 0 and an association ID
used to logically identify the station to which buffered frames need to be transmitted.
B- Unsuccessful association requests include only a status code and the procedure ends.
3- After successful association, the access point begins processing frames for the mobile station.
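As an added example, not from the thesis or any 802.11 implementation, the following Python code models the access point side of the three stages above as a per-station state machine: an association request from a station that skipped authentication is answered with a deauthentication frame, a granted request returns status code 0 and an association ID, and only associated stations have their frames forwarded. The admission policy, which 802.11 leaves to the implementation, is a hypothetical MAC allow-list; the MAC addresses are constructed.

```python
from enum import Enum


class State(Enum):
    """Per-station state; each value corresponds to a stage of section 4.3.1."""
    UNAUTHENTICATED = 1     # discovered the BSS, nothing else yet
    AUTHENTICATED = 2       # passed the authentication stage
    ASSOCIATED = 3          # passed the association stage; data frames flow


STATUS_SUCCESS = 0          # 802.11 status code carried by a granted request
STATUS_REFUSED = 1          # 802.11 "unspecified failure", used here for a policy denial


class AccessPoint:
    """Tracks the authentication/association state of every station by MAC."""

    def __init__(self, allowed_macs=None):
        self.state = {}             # mac -> State
        self.aid_of = {}            # mac -> association ID
        self.next_aid = 1
        # hypothetical admission policy: None means "associate anyone authenticated"
        self.allowed = set(allowed_macs) if allowed_macs is not None else None

    def state_of(self, mac):
        return self.state.get(mac, State.UNAUTHENTICATED)

    def handle_auth_request(self, mac):
        # Open System authentication: the request is simply accepted
        self.state[mac] = State.AUTHENTICATED
        return {"frame": "authentication", "status": STATUS_SUCCESS}

    def handle_assoc_request(self, mac):
        if self.state_of(mac) is State.UNAUTHENTICATED:
            # step 1: a station that has not authenticated gets a deauthentication frame
            return {"frame": "deauthentication"}
        if self.allowed is not None and mac not in self.allowed:
            # step 2B: an unsuccessful response carries only a status code
            return {"frame": "association_response", "status": STATUS_REFUSED}
        # step 2A: success carries status 0 and an AID that labels buffered frames
        if mac not in self.aid_of:
            self.aid_of[mac] = self.next_aid
            self.next_aid += 1
        self.state[mac] = State.ASSOCIATED
        return {"frame": "association_response", "status": STATUS_SUCCESS,
                "aid": self.aid_of[mac]}

    def handle_disassociation(self, mac):
        # Leaving the BSS undoes association only; the station stays authenticated
        if self.state_of(mac) is State.ASSOCIATED:
            self.state[mac] = State.AUTHENTICATED
            self.aid_of.pop(mac, None)

    def handle_deauthentication(self, mac):
        # Deauthentication drops the station all the way back to the first stage
        self.state[mac] = State.UNAUTHENTICATED
        self.aid_of.pop(mac, None)

    def forwards_frames_for(self, mac):
        # step 3: frames are processed only for associated stations
        return self.state_of(mac) is State.ASSOCIATED


def walk_through():
    """Run a constructed session and return the AP plus its sequence of responses."""
    ap = AccessPoint(allowed_macs={"00:11:22:33:44:55"})
    trace = []
    trace.append(ap.handle_assoc_request("00:11:22:33:44:55"))   # skipped authentication
    trace.append(ap.handle_auth_request("00:11:22:33:44:55"))
    trace.append(ap.handle_assoc_request("00:11:22:33:44:55"))   # granted, AID 1
    ap.handle_auth_request("66:77:88:99:aa:bb")
    trace.append(ap.handle_assoc_request("66:77:88:99:aa:bb"))   # not on the allow-list
    return ap, trace


if __name__ == "__main__":
    ap, trace = walk_through()
    for response in trace:
        print(response)
    print("forwarding for 00:11:22:33:44:55:", ap.forwards_frames_for("00:11:22:33:44:55"))
```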
4.3.2 Power Consumption
Most ad hoc nodes have a limited power supply and no capability to generate their own power. When
an attack occurs, it may consume the power of the wireless device or wireless network under attack. We
have added this category in order to distinguish attacks that consume much power. Some attacks
do not consume power; instead they consume other resources, as in
eavesdropping, where information leakage occurs. Attacks like sleep deprivation attacks[25] aim to
consume as much of the wireless network's power as possible, causing a denial of service. Such
power consumption attacks mostly occur on battery-powered wireless devices or sensor nodes. Physical
and network level power conservation is an important security design consideration to extend
battery life[54].
Sleep deprivation attacks are a form of denial of service attack whereby an attacker renders a
computing device inoperable by draining the battery more quickly than it would be drained under
normal usage[26]. Moreover, there are specific attacks that aim only at the power of a
wireless node. For example:
(1) Service request power attacks, where repeated requests are made to the victim for services,
typically over a network; even if the service is not provided, the victim must expend energy
deciding whether or not to honor the request;
(2) Benign power attacks, where the victim is made to execute a valid but energy-hungry task
repeatedly; and
(3) Malignant power attacks, where the attacker modifies or creates an executable to make the
system consume more energy than it would otherwise.
In order to save energy, wireless clients are allowed to enter a sleep mode in which they cannot
transmit or receive messages. The client and the access point agree on a schedule of sleep and
wakeup periods ahead of time. The access point buffers packets destined for a station that is in sleep
mode. When the client wakes up, it polls the access point for the buffered messages. An attacker can
desynchronize the client and the access point to make the client wake up at the wrong interval. The
polling frame can also be spoofed by an attacker, causing the AP to send the collected packets and flush
its internal buffers. An attacker can repeat these polling messages so that when the legitimate
station periodically awakens and polls, the AP will report that there are no pending packets.
4.3.3 Layers
The attacks can be further classified according to the layers of the Open Systems Interconnection (OSI)
model. All kinds of networks, including wireless networks, are organized in a layering
hierarchy. The OSI model is the widely used layering model. It comprises seven layers[52]. Each
layer is made up of many protocols and serves some specific functions. Attacks may be launched at one
layer of the OSI model, while some attacks can be launched at more than one layer.
We will consider only those layers that are involved in wireless networks. Wireless networks
mostly function at the lowest two layers of the OSI model, i.e. the physical layer and the data link layer; however,
to some extent layer 3, i.e. the network layer, plays some role in launching attacks[53].
4.3.3.1 Physical Layer
As the name suggests, the physical layer defines the physical media or hardware that carries signals
between the end points of a network connection. In wired networks the physical layer might be a coaxial cable, twisted
pair cable or fibre optic cable, while in the wireless case radio frequency waves are the
component of the physical layer, which is responsible for specifying the frequency range and type of
modulation. For example, jamming and eavesdropping occur at the physical layer.
4.3.3.2 Data Link Layer
The data link layer handles transmission of data across the link defined by the physical layer. It
ensures that data is transferred correctly between adjacent nodes. This layer detects and possibly
corrects those errors that occur at the physical layer. The link layer is responsible for sending
frames (collections of bits). Frames contain a cyclic redundancy check (CRC), a checksum for error
detection. When a frame is received, the CRC is computed and compared to the value in the frame. If the
values do not match, the receiver requests that the message be retransmitted. The frame has a source
address and a destination address. It uses the MAC (medium access control) address, a 6-byte address
uniquely assigned to the hardware. This layer has the responsibility of flow control, i.e. it regulates the
rate at which endpoints send data so that all nodes get a fair chance. Attacks at this layer are
focused on trying to hijack a user's network connection, intercept traffic or spoof a device's
identity[51].
Examples:
Traffic analysis, man-in-the-middle attack or session hijacking, and spoofing
4.3.3.3 Network Layer
The fundamental unit of communication at this layer is the IP (Internet Protocol) packet. An IP packet
contains an IP header, which specifies the source and destination IP addresses (an IP address is defined as a
numerical identifier or logical address assigned to a network device), along with
some amount of data[51]. This layer is also responsible for the routing of data.
Examples:
Wormhole, black hole, Byzantine, flooding, spoofing, data alteration, replays of routing
information, HELLO flood attacks
4.3.3.4 Multi-Layer
Many attacks can target multiple layers, for example DoS, impersonation and man-in-the-middle
attacks. The countermeasures for these attacks need to be implemented at different layers.
We have used a similar categorization. The main reason for categorizing attacks according to layers
is that it makes it easy to search for vulnerabilities at each layer.
4.3.4 Attributes Utilized
There are five main attributes of security for wireless networks that should be met in order to
ensure security. Violation of any one of these attributes leads to an insecure network. According to Yan
Xiao:
"Security is a combination of processes, procedures and systems used to ensure
integrity, confidentiality, authentication, availability, access control and non-repudiation"
Every attack violates one or more security attributes; that is why we have categorized each
attack according to the attribute it disrupts.
Each security attribute is explained below:
4.3.4.1 Integrity
Data integrity addresses the threat of unauthorized manipulation of data. Data integrity is also
linked to authentication, since any modification can be seen as a result of modification of the origin of the
data[17]. For example, if packet fragmentation and aggregation cannot be performed securely, the
end-to-end security mechanisms assuring data integrity could fail[18].
4.3.4.2 Confidentiality
The goal of confidentiality is to keep information sent unreadable to unauthorized users or nodes,
or to keep data secret for a defined set of recipients during transmission while the transmission
channel can be unprotected[17]. Attacks like eavesdropping destroy the confidential transmission of
data.
4.3.4.3 Access Control
The goal of access control is to prevent unauthorized use of network services and system
resources. Access control is tied to authentication; it is the ability to restrict access to resources
to privileged entities.
4.3.4.4 Availability
The goal of availability is to keep the network services or resources available to legitimate users. It
ensures that network services are available when required by the various entities in the network.
4.3.5 Flaw Utilization
A vulnerability is a weakness or fault in system security procedures, design, implementation or
communication medium that could be accidentally triggered or intentionally exploited and result in a
security breakdown[11]. There are two main categories of wireless vulnerabilities:
1. Physical Vulnerabilities
2. Logical Vulnerabilities
Physical vulnerabilities are exploited by tampering and vandalism attacks. Our major focus is on
logical vulnerabilities, which exist in network services, protocols and applications and can be
exploited by logical attacks. Logical vulnerabilities are classified into four main categories[11]:
4.3.5.1 Design Flaws
Design flaws refer to using a protocol to violate the assumptions of normal behaviour in the
network while conforming to the protocol specification[11]. For example, an attacker can
exploit a vulnerability in the TCP protocol design to carry out a TCP SYN flooding attack. The
attacker violates the three-way handshake of the TCP connection, creating half-open
connections that tie up the server's allocated resources.
Denial of service attacks at the MAC layer are due to protocol vulnerabilities. There are a number of
network management frame types that are required for connection and discovery in wireless
networks. Because this management information and the MAC address of every device are
broadcast, there is no security and no means of sender verification. Among the various management
sub-frames, the deauthentication and disassociation sub-frames are targeted for misuse in
wireless networks[13]; these two frames will disconnect clients[14]. The deauthentication
sub-frame is sent by a client to an AP or to another client to inform it that the sender wants to terminate the
current connection. The problem or flaw associated with this type of frame is that there is no
verification of the sender; the receiver will trust that the source MAC address is valid. The attacker can
spoof the MAC address and send deauthentication and disassociation packets, causing denial of
service to the victim[13].
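As an added example, not from the thesis, the following Python code covers both the PS-Poll spoofing described in section 4.3.2 and the deauthentication/disassociation flooding described here. Because neither frame type carries sender verification, a monitor cannot tell a spoofed frame from a genuine one by its source address alone, but it can flag bursts that no legitimate AP or sleeping station would produce. The log format, MAC addresses, window and per-subtype thresholds are constructed.

```python
from collections import defaultdict, deque

# Constructed monitor log (not a real capture): seconds, source MAC, frame subtype.
# 00:11:22:33:44:01 is the AP's BSSID; the deauth burst carries that address
# because the sender spoofs it, so the address alone reveals nothing.
SAMPLE_LOG = """\
0.000 00:11:22:33:44:01 beacon
0.102 00:11:22:33:44:01 beacon
0.150 66:77:88:99:aa:01 ps-poll
0.204 00:11:22:33:44:01 beacon
0.900 66:77:88:99:aa:02 disassoc
2.000 00:11:22:33:44:01 deauth
2.010 00:11:22:33:44:01 deauth
2.020 00:11:22:33:44:01 deauth
2.030 00:11:22:33:44:01 deauth
2.040 00:11:22:33:44:01 deauth
2.050 00:11:22:33:44:01 deauth
3.000 66:77:88:99:aa:01 ps-poll
3.050 66:77:88:99:aa:01 ps-poll
3.100 66:77:88:99:aa:01 ps-poll
3.150 66:77:88:99:aa:01 ps-poll
3.200 66:77:88:99:aa:01 ps-poll
3.250 66:77:88:99:aa:01 ps-poll
3.300 66:77:88:99:aa:01 ps-poll
5.200 66:77:88:99:aa:03 ps-poll
"""

WINDOW_SECONDS = 1.0
# More frames than this from one source inside the window raises an alert.
# A sleeping station polls about once per listen interval (around a second
# here) and an AP has no reason to deauthenticate or disassociate clients
# several times a second.
THRESHOLDS = {"deauth": 3, "disassoc": 3, "ps-poll": 5}


def parse_log(text):
    """Turn the whitespace-separated log into (time, src, subtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, subtype = line.split()
        records.append((float(t), src, subtype))
    return records


def detect_bursts(records, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
    """Sliding-window rate check per (source, subtype).

    Returns one alert per offending (source, subtype) pair, raised at the
    first frame that pushes the count inside the window past the threshold.
    """
    recent = defaultdict(deque)     # (src, subtype) -> timestamps inside the window
    alerted = set()
    alerts = []
    for t, src, subtype in sorted(records):
        if subtype not in thresholds:
            continue
        key = (src, subtype)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > thresholds[subtype] and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "subtype": subtype, "count": len(q), "at": t})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_log(SAMPLE_LOG)):
        print(f"{alert['at']:.3f}s {alert['subtype']} burst from {alert['src']}: "
              f"{alert['count']} frames within {WINDOW_SECONDS:.0f}s")
```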
4.3.5.2 Implementation Flaws
Implementation flaws refer to errors in hardware construction or software coding due to unfamiliarity with the
programming language or ignorance of security issues, for example inadequate boundary
checking, which may result in a buffer overflowing with attacker-controlled contents[11].
Moreover, some access points produce initialization vectors using only 18 bits of the 24-bit space, which
increases the probability of collisions. Random IV selection also results in random reuse of
IVs (collisions), which enables further attacks. Some manufacturers select IVs simply
sequentially[16].
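As an added example that is not part of the thesis, the following Python code quantifies the IV collision claim above: it computes the exact probability that randomly chosen IVs repeat after a given number of frames for the full 24-bit space and for the 18-bit space that some access points actually use, finds the frame count at which a collision becomes more likely than not, and counts reuse for a simulated random-IV device and for a device that restarts a sequential counter on every reset. The seed and frame counts are constructed.

```python
import math
import random


def collision_probability(iv_bits, frames):
    """Exact probability that at least two of `frames` uniformly random IVs
    are equal when each IV is drawn from a space of 2**iv_bits values.

    The no-collision product is accumulated in log space with log1p so it
    stays accurate for the tiny per-frame probabilities involved.
    """
    space = 2 ** iv_bits
    if frames > space:
        return 1.0                  # pigeonhole: a repeat is certain
    log_no_collision = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_no_collision)


def frames_until_collision_likely(iv_bits, target=0.5):
    """Smallest number of frames after which P(collision) >= target."""
    space = 2 ** iv_bits
    log_no_collision = 0.0
    frames = 1
    while True:
        # the next IV must avoid all `frames` IVs already used
        log_no_collision += math.log1p(-frames / space)
        frames += 1
        if 1.0 - math.exp(log_no_collision) >= target:
            return frames


def simulate_random_iv_reuse(iv_bits, frames, seed=1):
    """Count frames that reuse an earlier IV when a device picks IVs at random.

    Constructed simulation; the seed only makes the run reproducible.
    """
    rng = random.Random(seed)
    seen = set()
    reused = 0
    for _ in range(frames):
        iv = rng.randrange(2 ** iv_bits)
        if iv in seen:
            reused += 1
        seen.add(iv)
    return reused


def sequential_iv_reuse(iv_bits, frames_per_session, sessions):
    """Frames that repeat an IV when a device restarts its IV counter at zero on
    every reset: each session after the first replays the earlier sequence."""
    if sessions <= 0:
        return 0
    wrapped_in_first = max(0, frames_per_session - 2 ** iv_bits)
    return wrapped_in_first + (sessions - 1) * frames_per_session


if __name__ == "__main__":
    for bits in (24, 18):
        print(f"{bits}-bit IV space: P(collision after 5000 frames) = "
              f"{collision_probability(bits, 5000):.3f}, "
              f"50% reached after {frames_until_collision_likely(bits)} frames, "
              f"simulated reuses in 5000 frames = {simulate_random_iv_reuse(bits, 5000)}")
    print("sequential IVs, 3 sessions of 1000 frames:", sequential_iv_reuse(24, 1000, 3))
```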
4.3.5.3 Configuration Flaws
Configuration errors are the result of improper settings for a particular environment or threat model,
programs/utilities that are installed in an incorrect place, or incorrect installation of program/utility
parameters[12], such as having system accounts with default passwords, having "world write"
permission for new files, or having vulnerable services enabled[19].
4.3.5.4 Exposed Medium
Due to the openness of the exposed wireless medium, the attacker can easily access a wireless
network with poor authentication. Moreover, most wireless networks are not configured securely,
and usually only MAC address spoofing is required to gain full access.
4.3.6 Effects
This category is similar to the category "Results" in [19]. According to Howard and Longstaff[19]:
"the logical end of a successful attack is an unauthorized result. At this point, an attacker has used
a tool to exploit a vulnerability in order to cause an event to take place"
We divide the unauthorized result into the following categories:
4.3.6.1 Disclosure of information
Exposure of information to anyone who is not authorized to access that information.
4.3.6.2 Theft of resources
Unauthorized use of computer or network resources.
4.3.6.3 Denial of service
Intentional degradation or blocking of computer or network resources.
4.3.6.4 Corruption of information
Unauthorized alteration of data on a computer or network.
4.3.7 Precautions
The best way to prevent an attack on your wireless network is to be secure from the start. This
means designing a secure installation, maintaining firewalls and server logs, and continually
patrolling your network for possible points of attack. A secure wireless network is one which takes
as many precautions as possible[23]. We have added precautions for every attack.
4.3.8 Network Type
A wireless network operates in one of two modes:
4.3.8.1 Ad hoc mode
In the ad hoc mode, each station has a peer to peer connection with the other stations and
communicates directly with other stations within the network. No access point is involved in this
type of network. All stations can send Beacon and Probe frames. The stations in ad hoc mode form
an Independent Basic Service Set (IBSS).
4.3.8.2 Infrastructure mode
A station in the infrastructure mode communicates only with an AP. Basic Service Set (BSS) is a
set of stations that are logically associated with each other and controlled by a single AP. Together
they operate as a fully connected wireless network. The BSSID is a 48-bit number of the same
format as a MAC address. This field uniquely identifies each BSS. The value of this field is the
MAC address of the AP.
5 Evaluation Of Proposed Taxonomy
5.1 Wireless Attacks Categorization
5.1.1 War Driving
War driving is the act of traveling around public areas and randomly accessing 802.11 wireless
access points that have weak security.
5.1.1.1 Stage
War driving belongs to the Discovery/probing stage because the attacker sends probe requests or sniffs packets
to obtain the SSID (Service Set Identifier). Once the attacker has the SSID, other
attacks may be launched, for example by behaving as a rogue access point. Discovery is described in detail in section
4.3.1.1.
5.1.1.2 Power consumption
In this attack, the attacker merely discovers the existence of a wireless network. This attack does not affect the
power consumption of the wireless network it discovers.
5.1.1.3 Layers
This attack occurs on both the physical and the data link layer. All communication ultimately takes place at the
physical layer, and frames are created and sent at the data link layer. War drivers sniff these frames and
make the attack possible. This attack is a prime example of a vulnerability with both layer one and layer two
elements involved[4].
5.1.1.4 Attributes Utilized
After sending a probe request the attacker may receive a probe response. After discovering a wireless LAN, the
attacker may authenticate with the access point. Once authenticated as a station or an
access point, it may launch other attacks, i.e. a rogue access point attack, where the attacker violates
the access control security attribute[5].
5.1.1.5 Flaw Utilization
War driving utilizes the flaw of openness of the medium, which may include broadcasting of the SSID
(through beacon frames), keeping the factory default SSID (Service Set Identifier), unencrypted
communication, and not filtering the MAC addresses that are allowed to connect to a specific AP. Moreover,
the attacker makes use of the fact that management frames are completely unauthenticated.
5.1.1.6 Effects
By this attack the attacker comes to know the basic service set ID, whether WEP is enabled or not,
along with the MAC address of the wireless device[2]. Many attacks can be carried out based on war driving, for
example rogue access point and denial of service attacks.
5.1.1.7 Precautions
For controlling war driving, the following precautionary steps are to be taken:
Change the default Admin password on your Access Point.
Check if the firmware for your Wireless Access Point and drivers for your Wireless
Adapter(s) are up to date. Update if necessary. Keep checking for new releases in the
future.
Use a high level of encryption
Use WLAN security tools for securing the wireless network.
Use a proxy (In computer networks, a proxy server is a server that acts as an intermediary
for requests from clients seeking resources from other servers) with access control for
outgoing requests.
Regularly test the security of your wireless network, using the latest war driving tools (the
same tools the attacker will use). Don't use these tools on other networks, and always check
local laws and regulations before using any war driving tools[6].
5.1.1.8 Network-Type
This attack can occur on all types of wireless network, whether the network is in ad hoc or
infrastructure mode.
5.1.2 Rogue Access Point
5.1.2.1 Stage
The stage at which it occurs is the "Discovery/probing" state, i.e. unassociated and unauthenticated,
because the rogue access point masquerades as an authenticated access point by using the MAC address
and SSID of the authenticated access point, which it obtains by sending probe requests to the open
wireless network.
5.1.2.2 Power consumption
In this attack an unauthorized access point sends probe requests in order to pose as an authorized access point. In
doing so, it can degrade the power of the original access point.
5.1.2.3 Layers
This attack uses vulnerabilities of the physical layer and the data link layer. At the physical layer, the
transmission medium is air, which is open for anyone to access. This is the reason wireless
networks are harder to secure, and why link layer protection, which is responsible for data encryption
and user authentication, needs to be strong. This attack starts by sending probe requests to obtain the
SSID and MAC address of the authenticated access point, and then acts as a legitimate access
point after authentication, owing to missing or weak security at the data link layer.
5.1.2.4 Attributes Utilized
It violates the access control attribute: access control means preventing unauthorized use of
services, and when this attack occurs it may lead to unauthorized access of resources [7].
5.1.2.5 Flaw Utilization
This attack uses the flaw of the exposed medium, in which the attacker can easily access the medium owing to poor
authentication methods. The MAC addresses of the A.Ps can be forged, since by sending probe requests the attacker can
obtain the BSSID and MAC address [2]. WEP is vulnerable to attack (Wired Equivalent Privacy (WEP) is part of
the 802.11 specification, in which keys are used to encrypt data between the A.P and the station). With
WEP encryption, sniffing is eliminated, but when a weak WEP encryption technique is used it
becomes possible [9].
5.1.2.6 Effects
The result of this attack is data leakage: when it masquerades as a legitimate access point it can
communicate with any other station in the network and take whatever data it requires for its
purpose. When the rogue access point acts as a client, it can obtain free internet access. A rogue access point
attack can also lead to denial of service, man in the middle and evil twin A.P
attacks.
5.1.2.7 Precautions
To prevent this attack, newly joining access points should be validated according to their MAC
addresses; this technique is called distributed management access point. In this technique, every
access point in the network holds a list of all access points with their MAC addresses, so
whenever a rogue access point tries to join, its MAC address is first checked and only then is it allowed
to join [8].
Public secure packet forwarding (PSPF) is a feature that can be enabled on WLAN access points to
block wireless clients from communicating with other wireless clients on the same wireless segment; in
this way, when a rogue access point tries to communicate with other clients in the same network, it
will be blocked [23].
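The MAC address validation described above, as an added example that is not code from the thesis: an allowlist of registered BSSIDs (the "distributed management access point" list) is compared against observed beacons, and any beacon that advertises one of our SSIDs from an unregistered BSSID is flagged. All BSSIDs, SSIDs and channel numbers below are constructed sample values.

```python
"""Rogue access point check against an allowlist of known APs.

Added example, not code from the thesis. Every legitimate AP is known by
its BSSID (MAC address); a beacon whose BSSID is not registered, or that
carries one of our SSIDs from an unknown BSSID, is reported for review.
Beacon records are constructed sample data.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str      # MAC address the AP advertises (the BSSID)
    ssid: str       # network name carried in the beacon frame
    channel: int
    rssi: int       # signal strength in dBm, higher is stronger

# Constructed allowlist: the BSSIDs the administrator registered per SSID.
KNOWN_APS = {
    "00:11:22:33:44:01": {"ssid": "corp-wlan", "channel": 6},
    "00:11:22:33:44:02": {"ssid": "corp-wlan", "channel": 11},
}

def classify_beacon(beacon, known_aps=KNOWN_APS):
    """Return a verdict for one observed beacon.

    'known'        BSSID registered, SSID and channel as registered
    'known-moved'  registered BSSID seen on another channel (either a
                   reconfigured AP or someone reusing its address)
    'evil-twin'    one of our SSIDs, or a registered BSSID, used by an AP
                   that does not match the registration
    'foreign'      unregistered BSSID with a foreign SSID (a neighbour)
    """
    bssid = beacon.bssid.lower()
    our_ssids = {ap["ssid"] for ap in known_aps.values()}
    if bssid in known_aps:
        expected = known_aps[bssid]
        if beacon.ssid != expected["ssid"]:
            return "evil-twin"       # registered address cloned onto another SSID
        if beacon.channel != expected["channel"]:
            return "known-moved"
        return "known"
    if beacon.ssid in our_ssids:
        return "evil-twin"           # our network name from an unknown radio
    return "foreign"

def rogue_report(beacons, known_aps=KNOWN_APS):
    """Group observed BSSIDs by verdict so an operator can review them."""
    report = {}
    for b in beacons:
        report.setdefault(classify_beacon(b, known_aps), []).append(b.bssid)
    return report

# Constructed scan: two registered APs, a rogue that copies our SSID and
# transmits with a stronger signal, and a neighbour's network.
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:01", "corp-wlan", 6, -50),
    Beacon("00:11:22:33:44:02", "corp-wlan", 11, -62),
    Beacon("de:ad:be:ef:00:01", "corp-wlan", 6, -35),   # rogue, stronger signal
    Beacon("aa:bb:cc:dd:ee:ff", "coffee-shop", 1, -70),
]

if __name__ == "__main__":
    for verdict, bssids in rogue_report(SAMPLE_BEACONS).items():
        print(f"{verdict}: {', '.join(bssids)}")
```

A rogue that copies both the BSSID and the SSID of a registered AP on the same channel is reported as "known" by this list alone, which is why section 5.1.5.7 advises against relying on MAC addresses as the only check.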
5.1.2.8 Network-Type
It is possible on all types of wireless network. In infrastructure mode it acts as an access point
with the MAC address of the original access point but with a stronger signal, and in this mode all stations of
the network associate with it because of the stronger signal. In ad hoc mode, where peer-to-peer
communication takes place, a rogue access point acts as a client that can communicate directly with
other stations in the same network segment.
5.1.3 Probe Request Flood attack
Probe request frames are used by stations to actively scan an area in order to discover existing
wireless networks. Any AP receiving a probe request frame must respond with a proper probe
response frame that contains information about the network, to allow the station to associate. Probe
requests are further explained in section 4.3.1.1. Probe request flooding occurs when an attacker
sends a burst of probe request frames very quickly, each request with a different MAC address, to
simulate the presence of a large number of scanning stations in the area. This results in a heavy
workload on the A.P.
5.1.3.1 Stage
The probe request flood attack occurs at the discovery stage, because it makes use of probe
frames, which are exchanged at the discovery stage.
5.1.3.2 Power consumption
This attack causes considerable power consumption, as the A.P (in infrastructure mode) or a station (in ad hoc
mode) is continuously engaged in answering probe request frames with probe response
frames.
5.1.3.3 Layers
The probe request flood attack makes use of vulnerabilities of the MAC layer (explained further in
5.1.5.6), as the transmission of frames occurs at this layer. In this attack, an attacker transmits probe
request frames with different MAC addresses in quick succession.
5.1.3.4 Attributes Utilized
The probe request flooding attack leads to a failure of availability. The goal of this attack is to keep
network services or resources unavailable to authorized users.
5.1.3.5 Flaw Utilization
In this attack, the attacker utilizes a design flaw. Design flaws use a protocol to violate the assumptions
of the normal behaviour of the network, while the protocol specification itself remains the same [11].
Likewise, in this attack the normal operation of probe frames is disturbed.
By identifying message sequences that could lead to an attack on the AP, the attacker comes to
know that the management frames of the 802.11 protocol look the most suitable for
flooding, because any management frame sent to an AP triggers processing with consequent
consumption of computational resources. The scheme is quite simple: each request message sent
by a station must be answered with a response message sent by the AP.
5.1.3.6 Effects
The aim of the probe request flood attack is to largely reduce or completely deny the normal services
provided by a network or a host. This attack causes denial of service, as it uses up all of the
network's resources and forces it to shut down. In this attack, the workload on the A.P increases, resulting
in wasted computing power and memory resources.
5.1.3.7 Precautions
The most fundamental protection against DoS is developing and maintaining strong security
practices. Actions such as implementing and updating firewalls, maintaining updated virus
protection, installing up-to-date security patches, ensuring strong passwords, and turning off
network devices when they are not needed should be routine practices for all companies. In
addition, deploy DoS detection tools such as AirDefense and AirMagnet.
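The detection logic such tools apply to the flood described in this section, as an added example that is not code from the thesis: a sliding window counts probe request frames and the number of distinct source MAC addresses, and a window with far more distinct scanners than a real area could hold is raised as an alert. The thresholds and the frame records are constructed sample values.

```python
"""Probe request flood detector: sliding window over probe request frames.

Added example, not code from the thesis. A flood is a burst of probe
requests in a short time, each from a different source MAC. A normal scan
shows a handful of distinct stations per window; the detector alerts when
the distinct-source count or the frame rate in the window exceeds a
threshold. Frame records are constructed sample data.
"""
from collections import deque

class ProbeFloodDetector:
    def __init__(self, window_s=1.0, max_sources=20, max_frames=100):
        self.window_s = window_s          # length of the sliding window, seconds
        self.max_sources = max_sources    # distinct scanners tolerated per window
        self.max_frames = max_frames      # total probe requests tolerated per window
        self._events = deque()            # (timestamp, source_mac), oldest first

    def observe(self, timestamp, source_mac):
        """Record one probe request; return an alert dict or None."""
        self._events.append((timestamp, source_mac))
        cutoff = timestamp - self.window_s
        while self._events and self._events[0][0] < cutoff:
            self._events.popleft()        # drop frames that left the window
        distinct = {mac for _, mac in self._events}
        if len(distinct) > self.max_sources or len(self._events) > self.max_frames:
            return {"at": timestamp, "frames": len(self._events),
                    "distinct_sources": len(distinct)}
        return None

def scan_probe_log(frames, **thresholds):
    """Run the detector over (timestamp, source_mac) records; return all alerts."""
    det = ProbeFloodDetector(**thresholds)
    alerts = []
    for ts, mac in frames:
        alert = det.observe(ts, mac)
        if alert:
            alerts.append(alert)
    return alerts

def constructed_frames():
    """Constructed capture: 5 real stations scanning, then a flood of 200
    probe requests with distinct MACs starting at t = 10 s."""
    frames = [(0.2 * i, f"02:00:00:00:00:{i:02x}") for i in range(5)]
    frames += [(10.0 + i * 0.002, f"06:00:00:00:{i:02x}:00") for i in range(200)]
    return frames

if __name__ == "__main__":
    alerts = scan_probe_log(constructed_frames())
    first = alerts[0]
    print(f"first alert at t={first['at']:.3f}s: {first['frames']} frames "
          f"from {first['distinct_sources']} distinct sources in 1 s")
```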
5.1.3.8 Network-Type
This attack occurs in both ad hoc and infrastructure modes of wireless networks. In ad hoc mode, any
station floods any other station with bursts of probe request frames, while in infrastructure
mode an attacker sends successive probe requests to an A.P.
5.1.4 Forced deauthentication/disassociation attack
5.1.4.1 Stage
This attack occurs when a station has already passed through the stages of authentication and
association, as depicted in the figure.
5.1.4.2 Power consumption
Power is consumed because after this attack reauthentication and reassociation are required, which
take energy.
5.1.4.3 Layer
This attack occurs at the data link layer of the OSI model, as the transmission of frames occurs at this
layer. In a deauthentication/disassociation attack, an attacker transmits spoofed frames with the
source address of the access point. When the recipient receives the frames, it will be
disconnected from the network and will try to reconnect [55]. Another way to leave the network
is for a wireless station to send a deauthentication or disassociation frame to the access point.
Figure: A deauthentication attack on an open wireless network
5.1.4.4 Attributes Utilized
The attacker destroys the integrity of the victim's station, as data integrity addresses the threat of
unauthorized manipulation of data (details in section 4.3.4.1). The message that is meant to
originate from the victim's station is actually altered by the attacker, keeping the MAC address of
the victim the same. In other words, the attacker makes an unauthorized manipulation of the
victim's message. The access point will interpret the message as having originated from the client, but
actually the message originated from the attacker. Thus this attack leads to an integrity failure.
5.1.4.5 Flaw Utilization
The attacker utilizes a design flaw here. Two frames are involved in this attack, i.e. deauthentication and
disassociation frames. These two frames, however, are sent unencrypted and are not
authenticated by the access point. This vulnerability allows an attacker to launch this type of
attack by spoofing the frames involved [56]. The attacker does not even need to break the
authentication protocol or to obtain the shared secret keys between the stations and the AP.
5.1.4.6 Effects
After the deauthentication and disassociation attack, communication between wireless devices
and their access points is disabled. To communicate again, the devices will have to reconnect to the
access point, which causes a delay in communication and also consumes power. If this attack
continues for a long time, it can lead to a permanent denial of service. If the attacker sends a
disassociation frame, the victim clients must set up a new association session with the AP. Even
though the deauthentication frame and the disassociation frame are similar, spoofing the
deauthentication frame is more effective, since it requires that the stations and the access point
perform the authentication again in order to resume connectivity.
5.1.4.7 Precautions
A number of ideas have been proposed to defend against this attack [56], but each
has some drawbacks, which are covered in detail in [56]. Some of the important solutions are
discussed below:
• eliminating the deauthentication and disassociation frames, or allowing them only for a fixed
interval of time;
• detecting spoofed frames based on the frame sequence number;
• developing a lightweight authentication protocol for management frames, such as using 1 bit
for authentication;
• modifying the current authentication framework to authenticate deauthentication and
disassociation frames.
5.1.4.8 Network-Type
This attack mostly occurs in infrastructure networks, because association is restricted to
infrastructure networks only (Section 4.3.1.3). After authentication and association, if a station
(STA) wants to disassociate from an AP, it sends a disassociation frame to that AP. In case the
station wants to leave the network gracefully, it sends a deauthentication frame to the AP.
Similarly, when the AP wants to disconnect a client, it sends a disassociation frame to that client.
In case the AP wants to disassociate from all the STAs, it broadcasts the disassociation frame to
all clients.
5.1.5 MAC Address Spoofing
A MAC address (also called a physical or link address) is the address by which a node is identified on its
Local Area Network (LAN). It is included in the frame by the data link layer [61]. The MAC address
of a station is used as an authentication mechanism for granting various levels of network or
system privilege or access to a user. This method of client authentication through MAC addresses
is also employed in 802.11 wireless networks. Attackers targeting wireless LANs have the ability
to change their MAC address to pass through network security measures [60]. The original MAC
address is burnt into the network card and cannot be changed. However, the operating
system can spoof a different MAC address for the network interface card. After
sniffing the legitimate MAC addresses out of the air where MAC address filtering is in use, the attacker will
spoof the MAC address of the authorized user.
5.1.5.1 Stage
As far as the stage is concerned, MAC address spoofing can occur at any stage. If an attacker is
not authenticated and associated, he can launch this attack in order to gain access to system
resources that are used by an authenticated and authorized user. If the attacker is authenticated
and associated, it can launch the attack in order to gain sensitive information that is intended for
the victim station.
5.1.5.2 Power consumption
When an attacker spoofs the MAC address of an authorized user, he can use up the power of
the targeted node. Thus, in this attack power is consumed.
5.1.5.3 Layers
MAC address spoofing, as the name indicates, makes use of attributes of the MAC layer, i.e. MAC
addressing at the MAC layer. This attack also has effects on other layers; for example, it disturbs
the network layer's routing mechanism (explained further in 5.1.5.6).
5.1.5.4 Attributes Utilized
Spoofing destroys access control mechanisms as it provides access to unauthorized users.
5.1.5.5 Flaw Utilization
In this attack, the attacker makes use of a design flaw. Nearly all 802.11 cards in use permit their MAC
addresses to be altered, often with full support and drivers from the manufacturer. Using Linux
open-source drivers, a user can change their MAC address with the ifconfig tool, or with a short
C program [60].
5.1.5.6 Effects
This attack is used for any of the following effects, depending on the intent of the attacker [60].
Hiding the presence of the attacker's station
An attacker might choose to change their MAC address in an attempt to pass through network
intrusion detection systems (NIDS). A common example is an attacker executing a brute-force
attack script with a random MAC address for each successive connection attempt.
Bypassing access control lists
Administrators typically have the option to configure access points or neighbouring routers to
permit only registered MAC addresses to communicate on the network. An attacker could
circumvent this form of access control by passively monitoring the network and generating a list of
MAC addresses that are authorized to communicate. With the list of authorized MAC addresses
in hand, an attacker is free to set their MAC address to any of the authorized addresses, bypassing
the intended security mechanism.
Impersonation of an authenticated user
Certain hardware WLAN security authentication devices rely on matching user authentication
credentials to the source MAC address of a client. After a user has successfully authenticated, the
security gateway permits traffic based on a dynamic list of authorized MAC addresses. An
attacker wishing to circumvent the security of the device only needs to monitor network activity
for an authorized client MAC address and then alter their MAC address to match the
authenticated client before communicating on the network.
Launching denial of service attacks
MAC spoofing can also trigger a denial of service (DoS) attack by causing routing
problems through duplicating MAC addresses that exist in the network. In particular, duplicating
MAC addresses that belong to the gateway or to an access point's BSSID (Basic Service Set
Identifier) will lead to routing problems.
5.1.5.7 Precautions
The attack can be prevented by using encryption and wireless intrusion prevention
systems. Another way to prevent this attack is by comparing the unique signatures exhibited by
the signals emitted by each wireless device against the known signatures of pre-authorized
devices [62]. Moreover, MAC-based authentication should not be used alone; rather,
it should be used together with EAP.
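The sequence number check listed as a precaution for forced deauthentication (5.1.4.7) and applicable to the MAC spoofing discussed here, as an added example that is not code from the thesis: an 802.11 transmitter increments a 12-bit sequence number once per frame (wrapping at 4096), so a deauthentication or disassociation frame that copies a legitimate address but comes from a different radio usually carries a sequence number far from the stream seen for that address. The frames below are constructed sample data; the subtype codes are the real 802.11 management subtypes.

```python
"""Sequence number check for spoofed management frames.

Added example, not code from the thesis. The detector keeps the last
sequence number seen per transmitter address. A deauthentication or
disassociation frame whose sequence number jumps far from that value is
reported as a suspected spoof; the jump tolerance covers ordinary loss
and retries. Frame records are constructed sample data.
"""

SEQ_MODULO = 4096              # 12-bit sequence number field
DEAUTH, DISASSOC = 12, 10      # 802.11 management frame subtypes
BEACON = 8

def seq_gap(previous, current):
    """Forward distance from previous to current modulo 4096 (0..4095)."""
    return (current - previous) % SEQ_MODULO

class SeqSpoofDetector:
    """Track the last sequence number per transmitter address."""
    def __init__(self, max_gap=8):
        self.max_gap = max_gap     # allowed jump: lost frames, retransmissions
        self.last_seq = {}

    def check(self, src, subtype, seq):
        """Return 'new-source', 'ok' or 'suspect-spoof' for one frame.

        Only out-of-sequence deauthentication/disassociation frames are
        labelled as suspected spoofs; any other out-of-sequence frame just
        resynchronises the tracker (lost frames, a station that roamed),
        which keeps the false positive rate manageable.
        """
        prev = self.last_seq.get(src)
        self.last_seq[src] = seq
        if prev is None:
            return "new-source"
        gap = seq_gap(prev, seq)
        if gap <= self.max_gap:
            return "ok"
        if subtype in (DEAUTH, DISASSOC):
            # Do not let the suspect frame move the expectation for this
            # address: the real transmitter continues from prev.
            self.last_seq[src] = prev
            return "suspect-spoof"
        return "ok"

def audit_frames(frames, max_gap=8):
    """Run the detector over (src, subtype, seq) tuples; return the verdicts."""
    det = SeqSpoofDetector(max_gap)
    return [det.check(*frame) for frame in frames]

# Constructed capture: the AP sends beacons with sequence numbers 4090..4094
# and wraps to 0..2. In between, a frame with the AP's address carries a
# deauthentication with sequence number 1500, far from the AP's counter.
AP = "00:11:22:33:44:01"
SAMPLE_FRAMES = [
    (AP, BEACON, 4090), (AP, BEACON, 4091), (AP, BEACON, 4092),
    (AP, DEAUTH, 1500),                 # spoofed: far from 4093
    (AP, BEACON, 4093), (AP, BEACON, 4094), (AP, BEACON, 0), (AP, BEACON, 1),
    (AP, DEAUTH, 2),                    # genuine deauth from the AP itself
]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, audit_frames(SAMPLE_FRAMES)):
        print(frame, "->", verdict)
```

The check is a heuristic with the drawbacks noted in [56]; the stronger remedy in the list above is to authenticate management frames themselves.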
5.1.5.8 Network-Type
MAC address spoofing occurs in both infrastructure and ad hoc mode wireless networks, as this
attack makes use of MAC addresses, which are present in both.
5.1.6 Man In The Middle attack
A man in the middle attack is a form of active eavesdropping (in active eavesdropping the attacker
not only listens to the transmission but can also modify the data packets), in which the attacker makes
independent connections with the target nodes and relays messages between them, making them
believe that they are talking directly to each other over a private connection when in fact the
entire conversation is controlled by the attacker.
5.1.6.1 Stage
The stage at which this attack occurs depends on the intent of the attacker and the scenario
involved. The attacker can be authenticated or unauthenticated.
5.1.6.2 Power consumption
In this attack the attacker does not force hosts to consume their power, so the power of the network is not
affected by this attack.
5.1.6.3 Layers
It is a multi-layer attack [5]. If the packets being transmitted are encrypted only at the network
layer (layer 3), then the attacker can obtain the header information (sender's and receiver's
addresses) from the data link layer and information about the encryption technique from the network
layer [14]. As a result, the attacker breaks the session between the sender and the receiver and places himself in
the middle of them.
5.1.6.4 Attributes Utilized
In a man in the middle attack, confidentiality is exploited, as the attacker can read data that is
transmitted between any two wireless devices. Also, the attacker can modify the messages it has
captured, thus violating the integrity of the session between authorized users, as integrity is violated
by unauthorized manipulation of data, which can happen in a man in the middle attack [14].
5.1.6.5 Flaw Utilization
In this attack the attacker can exploit vulnerabilities of management frames. First, the attacker finds
a client that is associated with an access point in the wireless network and obtains the
channel information and MAC address of this client; then he forces the client to
disassociate from the access point by sending disassociation and deauthentication frames to the
client station. After this he uses the SSID and MAC address of the original access point, obtained by sniffing
beacon frames. The attacker now broadcasts the SSID of the original access point with a strong signal, and
all clients in the same network segment associate with the attacker.
5.1.6.6 Effects
A man in the middle (MITM) attack is carried out in order to hijack a connection or to sniff traffic. It
may steal required information, and it can read or modify data for some purpose. Other consequences include
replay attacks, fake access points and 802.11 protocol manipulation.
5.1.6.7 Precautions
In recent years the threat of man in the middle attacks on wireless networks has increased. Because
it is no longer necessary to connect to the wire, a malicious rogue can be outside the building
intercepting packets, altering them and sending them on. A common solution to this problem is to
enforce mutual authentication and wired equivalent privacy (WEP) across the wireless network.
5.1.6.8 Network-Type
In infrastructure mode, this attack occurs by spoofing an access point after deauthenticating and
disassociating a client. The attacker then forces the client to reauthenticate with the A.P that is
controlled by the attacker.
5.1.7 Sleep deprivation attack
The idea behind this attack is to request the services a certain node offers over and over again,
so that it cannot go into an idle or power-saving state. This results in depriving the target node of
its sleep [64]. This attack can be carried out by requesting excessive route discovery, or by forwarding
unnecessary packets to the victim node. A malicious user may interact with a node in an
otherwise legitimate way, but for no other purpose than to consume its battery energy.
5.1.7.1 Stage
This attack mostly occurs when the intruder is authenticated and able to send legitimate requests
to the target node. However, the requests are sent only to exhaust the power of the target node.
5.1.7.2 Power consumption
All the power of the victim device is ultimately exhausted in this attack, leading to denial of
service. This attack aims to maximize power consumption. Battery life is the critical parameter for
many portable devices, and many techniques are used to maximize it; sensor nodes, in particular, try to
spend most of their time in sleep mode to save energy. In this environment, energy
exhaustion attacks are a real threat, and are much more powerful than better known denial of
service threats such as CPU exhaustion: once the battery runs out, the attacker can stop and walk
away, leaving the victim disabled.
5.1.7.3 Layers
As the attacker sends packets or frames in this attack, it occurs at the MAC layer. The attacker can
also send route discovery requests to consume energy, in which case the attack occurs at the network or routing
layer.
5.1.7.4 Attributes Utilized
Availability is disrupted by the attacker in a sleep deprivation attack. The attacker makes the
services given by sensor nodes unavailable. Availability is discussed further in section 4.3.4.4.
5.1.7.5 Flaw Utilization
Wireless sensor nodes have limited battery power. If an attacker engages sensor nodes in
excessive operation by sending packets or requests, the nodes will not be able to perform their
work; rather, they will respond to the requests sent by the malicious user. The unattended nature of
wireless sensor networks makes them more susceptible to this attack than wireless ad
hoc networks, which can be under user control [58].
5.1.7.6 Effects
The effects of this attack are to maximize the power consumption of the target node, ultimately
decreasing the battery life of that node. This attack also leads to denial of service, as the sensor
nodes stop working due to high consumption of energy [11]. Once the battery power of the target
node is exhausted and the node is disabled, the attacker looks for another victim. For example, in
telemedicine, if a sensor is out of order due to low power, patient data can no longer be read and the
network will not receive vital information.
5.1.7.7 Precautions
Measures to prevent such attacks are hard to take, but the effects can be minimized by prioritizing the
functions of the targeted node, so that constant requests for low-priority services do not block
high-priority requests. Furthermore, resources can be shared unequally between different types of
services. Emphasis has been put on making it as hard as possible to intrude into a network. As we have
seen, many attacks are only possible or only effective if the malicious party is a participant of the
network, so it is highly important to implement secure mechanisms to authenticate entities entering
the network [64].
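The prioritization and unequal sharing described above, as an added example that is not code from the thesis: a node serves each wake period's requests by priority class, each class has its own energy budget, and requests within a class are taken round-robin by requester, so a stream of low-priority requests from one source can neither starve high-priority work nor push the node's energy spend past the sum of the budgets. Service names, costs and budgets are constructed sample values.

```python
"""Priority-aware request scheduler for a battery-powered node.

Added example, not code from the thesis. Each service has an energy cost
and a priority class; each class has a per-period budget. High classes are
served first, budgets are not carried over between classes, and within a
class requesters are served round-robin, so no single requester can use up
a class. All values are constructed sample data.
"""
from collections import defaultdict

# Constructed service table: energy cost per request (arbitrary units)
# and priority class (0 is the most important).
SERVICES = {
    "alarm":     {"cost": 2, "priority": 0},
    "report":    {"cost": 3, "priority": 1},
    "route_req": {"cost": 1, "priority": 2},
    "echo":      {"cost": 1, "priority": 2},
}

# Unequal sharing: per-period energy budget for each priority class.
BUDGETS = {0: 20, 1: 12, 2: 6}

def _round_robin(reqs):
    """Interleave requests by requester so one source cannot monopolise a class."""
    queues = defaultdict(list)
    for r in reqs:
        queues[r[0]].append(r)
    order = list(queues)            # requesters in first-seen order
    out = []
    while any(queues.values()):
        for who in order:
            if queues[who]:
                out.append(queues[who].pop(0))
    return out

def schedule_period(requests, services=SERVICES, budgets=BUDGETS):
    """Serve one wake period's (requester, service) requests.

    Returns (served, dropped, energy_used). Total energy per period is
    bounded by sum(budgets) however many requests arrive, so the node can
    still return to sleep under a flood.
    """
    by_class = defaultdict(list)
    for req in requests:
        svc = services.get(req[1])
        if svc is None:
            continue                # unknown service: ignored, costs nothing
        by_class[svc["priority"]].append(req)
    served, dropped, energy = [], [], 0
    for prio in sorted(by_class):
        remaining = budgets.get(prio, 0)
        for req in _round_robin(by_class[prio]):
            cost = services[req[1]]["cost"]
            if cost <= remaining:
                remaining -= cost
                energy += cost
                served.append(req)
            else:
                dropped.append(req)
    return served, dropped, energy

def flood_sample():
    """Constructed period: one alarm, two reports, 50 echo requests from a
    single requester trying to keep the node awake, then two echoes from a
    legitimate neighbour."""
    reqs = [("n7", "alarm"), ("n3", "report"), ("n4", "report")]
    reqs += [("attacker", "echo")] * 50
    reqs += [("n5", "echo")] * 2
    return reqs

if __name__ == "__main__":
    served, dropped, energy = schedule_period(flood_sample())
    print(f"served {len(served)}, dropped {len(dropped)}, energy {energy}")
```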
5.1.7.8 Network-Type
Sleep deprivation attacks mostly occur in wireless ad hoc sensor networks, but may be encountered
in conventional or wired networks as well. As this attack can be very harmful to nodes that have
limited resources, for example battery power, it mostly targets ad hoc sensor networks [64].
5.1.8 Wormhole Attack
In this attack, an attacker captures packets at one location in the network and tunnels them to
another location. The tunnel is created between two or more compromised malicious nodes that
are linked through a hidden network connection. This hidden connection is created by using long-range
directional antennas [18]. The tunnelled packets are then replayed at another point in the
network.
5.1.8.1 Stage
In this attack, the attacker might be unauthenticated and unassociated. Some malicious nodes involved
in this attack enter the network during its establishment or operation phase, while others
originate by compromising an existing node. The attacker uses the discovery stage only to discover
networks in order to select the target for the attack. The compromised nodes that are used to transfer
traffic from one location to another may be authenticated, because they can only receive packets
from other nodes if they are authenticated in the network. If, however, mutual authentication is
absent in the network, then the nodes have no need to be authenticated. Moreover, MAC spoofing
can be used by an attacker to pretend to be an authenticated user.
5.1.8.2 Power consumption
Wormhole attacks also increase the time in which data is transmitted to the destination. As a
result, power consumption is increased by imposing extra node-to-node data transmissions when one
wormhole node attracts packets near the base station and replays them at the other end, which is far
from the base station [65].
5.1.8.3 Layers
The wormhole attack acts against ad hoc routing algorithms. As routing is done by the network layer, the
attacker in a wormhole attack disrupts the attributes of this layer. If the attacker is spoofing the MAC
address of an authenticated user, then both the MAC layer and the network layer are involved in this
attack.
5.1.8.4 Attributes Utilized
The severity of the wormhole attack comes from the fact that it is difficult to detect, and is
effective even in a network where confidentiality, integrity, authentication, and non-repudiation
are preserved.
5.1.8.5 Flaw Utilization
The wormhole attack occurs due to the broadcast nature of radio waves. Ad hoc network routing
protocols are particularly vulnerable to wormhole attacks. For example, launching the wormhole
against a routing protocol allows the attacker to tunnel each route request packet, which is
transmitted during the route discovery phase, straight to the target destination node. As a result,
no routes other than the one through the wormhole can be discovered. The attacker creates the
appearance of knowing the shortest path to the desired destination node. This gives the attacker an
exceptionally high probability of being chosen to forward packets. The attacker can also discard all packets,
leading to a denial of service attack [18]. Due to the nature of wireless transmission, the
attacker can create a wormhole even for packets not addressed to itself, since it can overhear
them in wireless transmission and tunnel them to the colluding attacker at the opposite end of the
wormhole.
5.1.8.6 Effects
The wormhole attack allows an adversary to create paths with lower hop counts that appear
more desirable than legitimate routes. Wormholes can be used either to analyze the traffic passing
through the network, i.e. eavesdropping, or to drop packets selectively or completely. When an
attacker discards all packets, this leads to a denial of service attack.
5.1.8.7 Precautions
A wormhole attack can be implemented with few resources and is difficult to detect. Several
techniques, such as localization schemes and packet leashes, can possibly
prevent wormhole attacks. Localization systems verify the relative locations of nodes in
a wireless network. Packet leashes restrict the packet's maximum allowed distance of
transmission.
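The packet leash check described above, as an added example that is not code from the thesis: following the two leashes of reference 11 (Hu, Perrig and Johnson), a geographical leash bounds how far a packet could have travelled from the sender's claimed position and a temporal leash bounds how long it could have been in flight, and a receiver drops any packet that violates either bound. The radio range, speed, clock and location error parameters and the packets are constructed sample values.

```python
"""Packet leash checks against wormhole tunnelling.

Added example, not code from the thesis. Units: metres, seconds, m/s.
The sender puts its position p_s and send time t_s in the packet; the
receiver, knowing its own position p_r and receive time t_r, checks that
the packet could have arrived over a single radio hop. A packet tunnelled
to a distant point of the network fails the bound. Parameter values are
constructed sample data.
"""
import math

SPEED_OF_LIGHT = 299_792_458.0   # m/s, used by the temporal leash

def geo_leash_ok(p_s, t_s, p_r, t_r, *, max_range, v_max, clock_err, loc_err):
    """Geographical leash: accept only if the sender can be within radio range.

    Upper bound on the true sender-receiver distance:
        d_sr <= ||p_s - p_r|| + 2 * v_max * (t_r - t_s + clock_err) + loc_err
    (the sender may have moved since t_s, clocks may differ by clock_err,
    and positions are only accurate to loc_err). If even this bound exceeds
    the radio range, the packet did not arrive over one hop.
    """
    bound = math.dist(p_s, p_r) + 2 * v_max * (t_r - t_s + clock_err) + loc_err
    return bound <= max_range

def temporal_leash_ok(t_s, t_r, *, max_range, clock_err):
    """Temporal leash: the packet must not be older than one radio hop allows.

    The packet expires at t_s + max_range / c - clock_err; anything received
    after that has been in flight too long for a single hop. This needs clock
    synchronisation much tighter than max_range / c (about 0.8 us for 250 m).
    """
    expiry = t_s + max_range / SPEED_OF_LIGHT - clock_err
    return t_r <= expiry

def accept_packet(pkt, receiver_pos, t_r, *, max_range=250.0, v_max=20.0,
                  clock_err=1e-7, loc_err=5.0):
    """Apply both leashes to one packet {'pos': (x, y), 'ts': t_s}."""
    geo = geo_leash_ok(pkt["pos"], pkt["ts"], receiver_pos, t_r,
                       max_range=max_range, v_max=v_max,
                       clock_err=clock_err, loc_err=loc_err)
    tmp = temporal_leash_ok(pkt["ts"], t_r,
                            max_range=max_range, clock_err=clock_err)
    return geo and tmp

if __name__ == "__main__":
    # Constructed packet from a sender at the origin, sent at t = 100 s.
    pkt = {"pos": (0.0, 0.0), "ts": 100.0}
    # Genuine neighbour 112 m away, packet arrives 0.5 us later: accepted.
    print("one hop  :", accept_packet(pkt, (100.0, 50.0), 100.0 + 5e-7))
    # Same packet replayed 1500 m away, 20 us later, by a wormhole: rejected.
    print("wormholed:", accept_packet(pkt, (1500.0, 0.0), 100.0 + 20e-6))
```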
5.1.8.8 Network-Type
The wormhole attack is particularly dangerous against many ad hoc network routing
protocols. In all ad hoc networks, neighbour discovery is an important phenomenon, which is why the
wormhole attack is successful in these types of wireless networks.
5.1.9 Traffic Analysis
Traffic analysis means making use of the traffic data of a communication to extract
information. There are many techniques for traffic analysis; for example, an attacker can
manipulate routing tables on a network, forcing traffic to pass through a specific device that will
analyze the traffic.
5.1.9.1 Stage
A traffic analysis attack is possible at the discovery/probing stage, when an access point
broadcasts its service set identifier (SSID) to identify itself to wireless nodes desiring access to
the network. The attacker masquerades as a node desiring access and associates itself with the access point.
Once the attacker has placed itself in the network, it can analyze traffic and can also manipulate routing
tables.
5.1.9.2 Power consumption
In this attack the attacker only analyzes traffic, so this attack does not consume power.
5.1.9.3 Layers
This attack occurs at the data link layer and the network layer. From the data link layer the attacker gains the
header information (source and destination addresses), and the network layer header gives him the IP
addresses of hosts [63].
5.1.9.4 Attributes Utilized
Loss of confidentiality occurs in a traffic analysis attack. After authentication, the attacker analyzes the
traffic of the network and manipulates the routing tables.
5.1.9.5 Flaw Utilization
Due to the openness of the exposed wireless medium, the attacker can easily access a wireless
network with poor authentication.
5.1.9.6 Effects
From the data link layer the attacker gains the header information (source and destination addresses), and
the network layer header gives the IP addresses of hosts [63]. So here disclosure of information takes place.
The attacker can redirect the traffic after association with the access point.
5.1.9.7 Precautions
Using a wireless intrusion detection system (IDS) and monitoring the network with products
such as AirDefense, we can prevent man in the middle attacks. Further measures are using directional antennas,
lowering the AP's broadcast range, or explicitly turning off broadcasting of the SSID. A
strong encryption mechanism is also the best countermeasure against man in the middle attacks.
5.1.9.8 Network-Type
Traffic analysis can occur in both infrastructure and ad hoc mode.
5.2 Table
Chapter 6
Conclusion
Since the invention of wireless networks, attackers have found various ways to attack them. This
research has focused on wireless network attacks and on providing a taxonomy of them to help
combat new attacks. In chapter one, a brief introduction to our taxonomy along with attack
descriptions is provided.
In Chapter 2, a wide range of wired and wireless attacks were discussed in order to lay down a
foundation for the proposed taxonomy. Taxonomy requires knowledge of the area being
classified, thus examining the attacks was crucial.
In chapter 3, existing taxonomies were examined and critically evaluated. Requirements for the
taxonomy were also defined with the help of past research. In chapter 4, the proposed taxonomy is
explained. The proposed taxonomy consists of eight categories in order to classify attacks. These
categories are both general and specific. Moreover, each category is divided further into
sub-categories. The first category covers the stage at which an attack occurs. The "stage" category
is further divided into three sub-categories: discovery, authentication and association. The second
category is the category most specific to wireless networks, being particularly important for
attacks on battery-powered ad hoc wireless devices. The third category explains the layers that are
specific to wireless networks, i.e. physical, MAC and routing/network layer. Attacks are further
classified according to the attributes that are disrupted by the attacker. The fifth category
classifies attacks according to the flaws that are utilized by the attacker to make the attack possible. In
the sixth category, the effects of the attacks are explained. The seventh category explains the attack's
precautionary measures. The last category classifies attacks according to the type of network that
is attacked.
In Chapter 5, the evaluation of the proposed taxonomy is done by classifying wireless attacks
according to the given categories.
A taxonomy allows for better understanding of attacks, and better understanding allows for better
defence.The proposed taxonomy will benefit the security of networks and computers as it
provides a more systematic way of understanding attacks.
Chapter 7
References
1. Wireless Networks: Security Problems and Solutions, Jonathan Weiss.
2. Taxonomies of Attacks and Vulnerabilities in Computer Systems, Vinay M. Igure and Ronald D. Williams, University of Virginia.
3. Study of the Impact of Wormhole Attacks on DV-Hop Positioning in Wireless Sensor Networks.
4. Security in Ad hoc Networks, Refik Molva and Pietro Michiardi.
5. A Survey of 802.11a Wireless Security Threats and Security Mechanisms, A Technical Report to the Army G6 Investigators, Colonel Donald J. Welch, Ph.D. and Major Scott D. Lathrop.
6. Securing Wireless Networks from ARP Cache Poisoning, Roney Philip, May 2007.
7. Denial-of-Service Attacks in Wireless Sensor Networks, Anthony D. Wood and John A. Stankovic.
8. Modeling of Man-in-the-Middle Attack in the Wireless Networks, Zhe Chen, Shize Guo, Kangfeng Zheng and Yixian Yang.
9. Wireless Hacking - A WiFi Hack By Cracking WEP, S. Vinjosh Reddy, K. Rijutha, K. SaiRaman and Sk. Mohammad Ali.
10. An Examination of Security Algorithm Flaws in Wireless Networks, Erica Simcoe, Hirsh Goldberg and Mehmet Ucal; advisor: Dr. Sennur Ulukus.
11. Wormhole Attacks in Wireless Networks, Yih-Chun Hu, Adrian Perrig and David B. Johnson, IEEE.
12. Jamming Attack Detection and Countermeasures in Wireless Sensor Network Using Ant System, Rajani Muraleedharan and Lisa Ann Osadciw.
13. Estimating the Effects of Jammers via Conservation of Flow in Wireless Ad Hoc Networks, Usman Yaseen, Ali Zahir, Faraz Ahsan and Sajjad Mohsin, Department of Computer Science, COMSATS Institute of Information Technology, Islamabad, Pakistan.
14. Grouped Black Hole Attacks Security Model for Wireless Ad Hoc Networks, S. Bajvah and K. Khan.
15. Protecting Your Daily In-Home Activity Information from a Wireless Snooping Attack, Vijay Srinivasan, John Stankovic and Kamin Whitehouse, Department of Computer Science, University of Virginia.
16. Denial-of-Service Attacks on Battery-powered Mobile Computers, Thomas Martin, Michael Hsiao, Dong Ha and Jayan Krishnaswami, Dept. of ECE, Virginia Tech.
17. The Sleep Deprivation Attack in Sensor Networks: Analysis and Methods of Defense, Matthew Pirretti, Sencun Zhu, Vijaykrishnan Narayanan, Patrick McDaniel and Mahmut Kandemir, The Pennsylvania State University, University Park, PA 16801; Richard Brooks, Clemson University, Clemson, SC 29634.
18. Packet Loss in TCP Hybrid Wireless Networks, Paolo Barsocchi, Gabriele Oligeri and Francesco Potortì.
19. A Solution to WLAN Authentication and Association DoS Attacks, Chibiao Liu and James Yu, IEEE.
20. Vulnerability Analysis of Extensible Authentication Protocol (EAP) DoS Attack over Wireless Networks, Mina Malekzadeh, Abdul Azim Abdul Ghani, Jalil Desa and Shamala Subramaniam, Department of Communication Technology and Networks, Faculty of Computer Science and Information Technology, University of Putra Malaysia.
21. Using Wireless Technology Securely, US-CERT.
22. An Analysis of the Computer and Network Attack Taxonomy, Thesis, Richard C. Daigle, Captain, USAF, AFIT/GIR/ENV/01M-04, Department of the Air Force