Information Technology Reference
In-Depth Information
5.2 Signals
The DCA uses the four different types of input signals discussed in Section 5.1. In the
following, we introduce various input signals that can be collected from a sensor
network environment in order to detect an interest cache poisoning attack. Signals are
categorised into the four groups: (i) Danger Signals (
DS
), (ii) Safe Signals (
SS
), (iii)
PAMP signals (
PS
) and (iv) Inflammatory Cytokines (
IC
). A detailed explanation on
how these four categories are defined is presented in [5].
•
DS1
- Generated from the interest cache insertion rate
This is the first Danger Signal collected from abnormal interest cache insertion rates.
DS1
signals are aimed at indicating that bogus interest packets have corrupted the
interest cache of a node. In order to calculate this rate, a sliding time window is used
to track the number of interest cache insertions per given time unit (such as 10 sec)
and a total count is calculated by summing the window counts. After a minimum
training period, the mean (
) of the total count are
calculated.
DS1
is generated with the concentration given by (
X
i
-
μ
) and standard deviation (
σ
μ
) /
σ
, where
X
i
is
the count of in window
i
.
•
DS2
- Generated from the interest cache entry expiration
There are two ways for an entry to be removed from the interest cache: (i) When its
expiration time (a predefined time interval set by the sink node) has passed, or (ii)
when the cache is already full and it is replaced by a new entry. Though a sink is able
to overwrite its own entries in a cache by carelessly sending a large number of
different interests during a short time interval, within in a well-behaved network, we
do not expect this behaviour to be the norm. Therefore, the overwriting of entries long
before their expiration time can indicate the presence of an attack. In order to identify
such an event, the expiration field is checked whenever an entry is inserted. The
concentration of a
DS2
signal is the time difference between the expiration time and
the entry overwriting time. Overwriting a very recent entry will lead to a much
stronger signal than overwriting a nearly expired entry.
•
SS
-
Generated from the arrival of data packets
This measurement shows that the data requested by the sink node has been forwarded
to a given node. The nature of the Safe Signal is to indicate normal data flow. The
absence of a Safe Signal does not necessarily indicate the existence of an attack, but a
Safe Signal can be used to suppress a false detection alert. The entry of a data cache,
which records the data packet forwarded, would serve this purpose. Whenever a data
packet that matches an interest in the interest cache arrives, it will be forwarded and
recorded in the data cache. Therefore, whenever a new entry is inserted into the data
cache, an
SS
is generated and the concentration of the
SS
is 1.0.
•
PS - Generated from the data delivery failure at the sink node
A PAMP signal is a strong indicator of a pathogenic presence. For an interest cache
poisoning attack, the failure of data delivery to the sink node strongly indicates the
possibility of an attack. Though delivery failures may result from many factors such
as node failures on the established path or the absence of sensor nodes generating the
requested data - the PAMP signal definitively establishes that what was expected did
not happen and can be used to launch further investigation. This relative difference of
confidence in abnormal behaviour makes the PAMP signal stronger than a Danger
