Title :
Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant Relationships
Author :
Li, Qing ; Trappe, Wade
Author_Institution :
Rutgers Univ., Piscataway
Abstract :
Many wireless networks are susceptible to spoofing attacks. Conventionally, ensuring the identity of the communicator and detecting an adversarial presence are performed via device authentication. Unfortunately, full-scale authentication is not always desirable as it requires key management and more extensive computations. In this paper, we propose noncryptographic mechanisms that are complementary to authentication and can detect device spoofing with little or no dependency on cryptographic keys. We introduce forge-resistant relationships associated with transmitted packets, and forge-resistant consistency checks, which allow other network entities to detect anomalous activity. We then provide several practical examples of forge-resistant relationships for detecting anomalous network activity. We explore the use of monotonic relationships in the sequence number fields, the use of a supplemental identifier field that evolves in time according to a reverse one-way function chain, and the use of traffic statistics to differentiate between anomalous traffic and congestion. We then show how these relationships can be used to construct classifiers that provide a multilevel threat assessment. We validate these methods through experiments conducted on the ORBIT wireless testbed.
Keywords :
message authentication; statistical analysis; telecommunication security; telecommunication traffic; wireless LAN; IEEE 802.11; anomalous network traffic; device authentication; forge-resistant consistency check; forge-resistant relationship; multilevel threat assessment; noncryptographic mechanism; reverse one-way function chain; spoofing attack detection; statistics; wireless network; Authentication; Communication system security; Computer crime; Cryptography; Intrusion detection; Media Access Protocol; Statistics; Telecommunication traffic; Testing; Wireless networks; intrusion detection; security; spoofing attacks
Journal_Title :
Information Forensics and Security, IEEE Transactions on
DOI :
10.1109/TIFS.2007.910236