
Attack Mitigation in Gateways of Pervasive Systems

Erol Gelenbe, Mohammed Nasereddin

TL;DR

This work addresses UDP Flood Attacks against Gateways in pervasive systems by integrating traffic shaping (SQF) with an adaptive attack mitigation (AAM) framework that jointly optimizes AD workload and packet loss. The approach uses a quasi-deterministic policy to cap backlog, a windowed attack detector to trigger selective packet drops, and a mathematically derived $m^*$ that minimizes a combined cost of AD testing and reprocessing dropped packets. Experimental results on a Raspberry Pi–to–Server testbed show dramatic reductions in server queue lengths and maintain high attack-detection accuracy ($TPR \approx 99.71\%$, $TNR \approx 98.48\%$) while keeping AD processing overhead manageable. The findings demonstrate practical viability for real-time defense on resource-constrained Gateways and open avenues for extending the framework to networks with multiple Gateways and dynamic AD policies.

Abstract

In pervasive systems, mobile devices and other sensors access Gateways, which are Servers that communicate with the devices, provide low latency services, connect them with each other, and connect them to the Internet and backbone networks. Gateway Servers are often equipped with Attack Detection (AD) software that analyzes the incoming traffic to protect the system against Cyberattacks, which can overwhelm the Gateway and the system as a whole. This paper describes a traffic shaping, attack detection and an optimum attack mitigation scheme to protect the Gateway and the system as a whole from Cyberattacks. The approach is described and evaluated in an experimental testbed. The key parameter of the optimum mitigation technique is chosen based on an analytical model whose predictions are validated through detailed experiments.
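As an added illustration of the isolation effect the TL;DR and Figure 5 describe (this is a constructed toy, not the paper's testbed, analytical model or SQF implementation), the following 1 ms-step simulation contrasts the Server queue on the direct Gateway-to-Server path with a shaper that releases at most one packet every D = 3 ms, with and without a backlog cap. The traffic rates, the Server service rate, the cap value and the release rule are all my assumptions.

```python
from dataclasses import dataclass

@dataclass
class Result:
    max_server_queue: int  # peak backlog at the Server
    max_shaper_queue: int  # peak backlog held back by the shaper (0 when D is None)
    shaper_drops: int      # packets refused by the shaper once its cap is full

def simulate(total_ms, flood_start_ms, flood_ms, normal_every_ms,
             flood_per_ms, service_per_ms, D=None, shaper_cap=None):
    """Advance the system in 1 ms steps (assumed model, not the paper's).

    Normal Gateway traffic is one packet every `normal_every_ms` ms; a UDP
    flood adds `flood_per_ms` packets per ms for `flood_ms` ms.  The Server
    drains `service_per_ms` packets per ms.  With D set, a shaper in front of
    the Server releases at most one packet every D ms and holds the rest
    (up to `shaper_cap`, if given); D=None is the unshaped direct path.
    """
    server_q = shaper_q = drops = max_server = max_shaper = 0
    for t in range(total_ms):
        arrivals = 1 if t % normal_every_ms == 0 else 0
        if flood_start_ms <= t < flood_start_ms + flood_ms:
            arrivals += flood_per_ms
        if D is None:
            server_q += arrivals
        else:
            admit = arrivals if shaper_cap is None else min(arrivals, shaper_cap - shaper_q)
            drops += arrivals - admit          # excess over the cap is refused
            shaper_q += admit
            if t % D == 0 and shaper_q > 0:    # fixed-spacing release toward the Server
                shaper_q -= 1
                server_q += 1
        server_q = max(0, server_q - service_per_ms)
        max_server = max(max_server, server_q)
        max_shaper = max(max_shaper, shaper_q)
    return Result(max_server, max_shaper, drops)

# Constructed scenario: 200 pkt/s of normal traffic, a 4000 pkt/s flood lasting
# 10 s, a Server that handles 1000 pkt/s, and a shaper spacing of D = 3 ms.
SCENARIO = dict(total_ms=20_000, flood_start_ms=5_000, flood_ms=10_000,
                normal_every_ms=5, flood_per_ms=4, service_per_ms=1)

def compare():
    """Return (direct path, shaped, shaped with a 1000-packet cap) results."""
    return (simulate(**SCENARIO),
            simulate(**SCENARIO, D=3),
            simulate(**SCENARIO, D=3, shaper_cap=1_000))

if __name__ == "__main__":
    for label, r in zip(("no shaper", "shaper D=3 ms", "shaper D=3 ms, cap 1000"), compare()):
        print(f"{label:24s} server peak={r.max_server_queue:6d} "
              f"shaper peak={r.max_shaper_queue:6d} drops={r.shaper_drops}")
```

The Server's peak backlog collapses from tens of thousands of packets to zero once the shaper sits in front of it; the flood's burden moves into the shaper's buffer, and the cap turns that buffer growth into counted drops rather than unbounded backlog.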

Paper Structure

This paper contains 11 sections, 11 equations, 7 figures.

Figures (7)

  • Figure 1: The experimental test bed consists of Gateway devices connected directly to the Server via a switch using Ethernet (above). In the modified architecture, the SQF is placed between the Server and the Gateway devices, isolating the Server and acting as a traffic-shaping interface (below).
  • Figure 2: The performance of the AADRNN attack detector that was evaluated on the test-bed LCN23.
  • Figure 3: Theoretical graph of the optimum value $m^*$, which minimizes $C(AAM)$, as a function of $E[X]$ for $W=20$ and different values of $\frac{\beta}{\alpha}$.
  • Figure 4: Schematic representation of the Server's software organization, featuring the simple network management processor (SNMP), the AD or Intrusion Detection System (labelled IDS in the figure), followed by the processing software for incoming data.
  • Figure 5: The Server queue length, measured experimentally and displayed on a logarithmic scale, is shown for a UDP Flood Attack lasting $10$ seconds (above) and $60$ seconds (below). The red curves represent the queue lengths without SQF, while the blue curves show the impact of SQF in reducing the queue length for both attack durations, with $D = 3$ ms.