User manual - Shtrikh17/ZigBee-attacks-model GitHub Wiki

This manual contains a brief description of how the model should be used.

Model structure

The model, like any other model in the OMNeT++ simulator, consists of three main parts:

  1. NED files;
  2. C++ files;
  3. Configuration files.

NED files describe nodes and networks in OMNeT++'s built-in NEtwork Description language. Such a file exists for every object in the network (in our case, ZigBee modules), and there are also network descriptions for the various types of attacks on the ZigBee protocol stack.

C++ files implement the behavior of the nodes. An end user does not need to read or modify these files.

Configuration files (omnetpp.ini) specify the parameters of the networks and are used by the simulation environment to start simulations.

The model contains implementations of two types of network:

  1. Cluster tree;
  2. Mesh network.

At present these two networks have separate implementations; they are to be merged later to simplify the code and make development easier. All files are stored in the corresponding folders.

For every network there are several node types, each implementing a certain kind of malicious behavior. A list of such nodes is given in the section describing the reviewed attacks.

There is also a node of a special type, the collector node. It collects statistical information according to the [feature set](https://github.com/Shtrikh17/ZigBee-attacks-model/blob/master/Feature%20set.pdf).

On modelling assumptions

Several assumptions are used in this work:

The Medium Access Layer

This layer is not actually simulated. The model is used to study attacks on wireless sensor networks, and such attacks may last up to several minutes, whereas MAC-layer processes run in milliseconds and microseconds. A simplification is therefore required, and the following approach is used. Transmission delays were precalculated for several types of MAC-layer specifications. When a node is about to transfer a packet, it waits for that delay and then immediately transfers the packet to the next node in the route. The probability of collisions is treated as negligible (again: the subject of the research is attacks, not the stability of the ZigBee network protocol or IEEE 802.15.4).

Network topology is stable

No new nodes enter the network and no nodes leave it. The reason is simple: a change of topology (like a change of frequency characteristics) changes the statistical information, which prevents the data mining methods from working accurately. Such behavior may be added to the model in further research, but that would require a mathematical rationale for the model's steadiness, or even a modification of the feature set.

Stochastics in network modelling

The following stochastic parameters are used in this model:

  1. All addresses (by default) are chosen from a uniform distribution (an exception is described later);
  2. The packet generation period of every node is drawn from a normal distribution (the expectation and standard deviation are set by the modeller);
  3. The number of frames in a packet is drawn from a geometric distribution (its parameter is set by the modeller).

Types of networks

Two types of network are possible: stochastic and determined. The stochastic network is the default, and normal network nodes behave this way: they periodically send packets to random addresses as described in the previous section.

The second possible type is a determined network. Among the attacking nodes there is a node with a fixed destination address (the denial-of-sleep node). It has a destination address parameter, and all packets generated by the node are sent to that exact address. In practice such behavior is actually the most common today, yet in the model such a node is classified as an attacking node.

Types of behavior (in a stochastic network)

  1. dos - denial of sleep: a node sends packets to one specific node;
  2. flood - the packet frequency is higher than in a normal network;
  3. normal;
  4. repeated_transmission - some packets are chosen and later transferred again;
  5. repeated_transmission_dest - the same, but only packets to an exact destination are counted;
  6. repeated_transmission_src - the same, but only packets from an exact source are counted;
  7. selective_forward - some packets are dropped instead of being forwarded;
  8. selective_forward_dest - the same, but only packets to an exact destination are counted;
  9. selective_forward_src - the same, but only packets from an exact source are counted;
  10. sinkhole - no special nodes are specified; the attack is demonstrated through the topology;
  11. spoof - a foreign address is given as the source of a generated packet;
  12. spoof_dest - the same, but only packets to an exact destination are counted;
  13. spoof_src - the same, but only packets from an exact source are counted;
  14. sybil - no special nodes are specified; the attack is demonstrated through the topology;
  15. wormhole - two nodes are connected by a high-rate channel and duplicate some packets.

Model usage

There are multiple pre-defined attack models. For every attack listed above there are NED files for both topologies and for various numbers of nodes, so to use the model it is enough to modify the omnetpp.ini files.

Common features

  1. `**.delay` - the delay before a packet is transferred;
  2. `**.node_name.address` - addresses of nodes; these should not be modified!
  3. `**.packet_generation_period` - expectation of the normal distribution;
  4. `**.dev_packet_generation_period` - standard deviation of the normal distribution;
  5. `**.packet_size_parametr_geometric` - parameter of the geometric distribution (which defines the packet size in frames);
  6. `**.numRFDs` - number of RFDs in a PAN: each node actually represents a PAN consisting of a router and several RFDs; up to 10 RFDs are possible inside such a PAN;
  7. `**.numNodes` - number of nodes in the network; it HAS to be correct, otherwise the model will fail;
  8. `**.collector.period` - period of package generation by the collector.

Denial of sleep

  1. `**.attack_address` - address for the attack;
  2. `**.attack_pan` - PAN address for the attack.

Selective forward and repeated transmission

  1. `**.select_period` - period for packet selection;
  2. `**.select_address` - address for selection;
  3. `**.select_pan` - PAN for selection;
  4. `**.repeat_period` - period for repetition.

Spoofing

  1. `**.spoof_period` - period of spoofed packets;
  2. `**.spoof_address` - address for the attack;
  3. `**.spoof_pan` - PAN address for the attack.

Wormhole

  1. `**.wormhole_period` - period for packet duplication;
  2. `**.wormhole_node.my_num` - system variable; it has to be 1 for one wormhole node and 2 for the other.
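As an added example (not a file from the repository), the following omnetpp.ini shows how the common parameters listed above are combined with the attack-specific ones into named configurations, one per attack, that all inherit the common settings from `[General]`. The network name, the simulation time limit, the numeric values, the node addresses and the wormhole node names (`wh1`, `wh2`) are assumptions chosen for illustration: the real network and node names come from the NED file of the chosen attack and topology, and the existing `**.node_name.address` lines must be kept as they are.

```ini
[General]
# Placeholder: use the network module name from the NED file of the chosen
# attack and topology (this name is not from the repository).
network = NETWORK_NAME_FROM_NED_FILE
# Attacks on sensor networks last minutes, so simulate long enough to observe them.
sim-time-limit = 600s
# Several runs with different seeds give the collector more than one sample of
# the statistics for each scenario.
repeat = 5
seed-set = ${repetition}

# Common features (values assumed for illustration)
**.numNodes = 10                          # HAS to match the NED network, otherwise the model fails
**.numRFDs = 4                            # each node is a PAN: a router plus up to 10 RFDs
**.delay = 0.01                           # precalculated MAC-layer transfer delay
**.packet_generation_period = 5.0         # expectation of the normal distribution
**.dev_packet_generation_period = 0.5     # its standard deviation
**.packet_size_parametr_geometric = 0.3   # geometric parameter: packet size in frames
**.collector.period = 60                  # period of package generation by the collector
# **.node_name.address lines are left exactly as in the existing configuration.

[Config DenialOfSleep]
# All packets of the denial-of-sleep node go to one fixed address in one PAN
# (address and PAN values constructed for illustration).
**.attack_address = 7
**.attack_pan = 2

[Config SelectiveForwardDest]
# Only packets to the selected destination are considered for dropping.
**.select_period = 2.0
**.select_address = 7
**.select_pan = 2

[Config RepeatedTransmissionSrc]
# Only packets from the selected source are chosen and transferred again.
**.select_period = 2.0
**.select_address = 3
**.select_pan = 1
**.repeat_period = 4.0

[Config Spoof]
# Spoofed packets carry a foreign source address.
**.spoof_period = 3.0
**.spoof_address = 5
**.spoof_pan = 1

[Config Wormhole]
# The two wormhole endpoints (assumed node names wh1 and wh2) must be numbered 1 and 2.
**.wormhole_period = 2.0
**.wh1.my_num = 1
**.wh2.my_num = 2
```

Select the scenario by configuration name when launching the simulation (for example `-c DenialOfSleep`); each `[Config ...]` section only adds its own attack parameters on top of `[General]`, so the normal-node settings stay identical across attacks and the collector's statistics differ only because of the attacking node.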