A Novel WLAN Client Puzzle against DoS Attack Based on Pattern Matching

Despite the popularity of 802.11 based networks, they suffer several types of DoS attack, launched by an attacker whose aim is to make an access point (AP) unavailable to legitimate users. One of the most common DoS attacks on 802.11 based networks is to deplete the resources of the AP. A serious situation like this can occur when the AP receives a burst of connection requests. This paper addresses this common DoS attack and proposes a lightweight puzzle, based on pattern-matching. Using a pattern-matching technique, this model adequately resists resource-depletion attacks in terms of both puzzle generation and solution verification. Using a sensible series of contextual comparisons, the outcomes were modelled by a simulator, and the security definition and proofs are verified, among other results.


Introduction
Despite an unprecedented growth in popularity, using an open shared transmission medium makes wireless LANs (WLAN) extremely vulnerable to many attacks [1].A series of security extensions to 802.11 have already been ratified to fix some of these vulnerabilities.However, these extensions primarily deal with vulnerabilities related to unauthorized access and confidentiality breaches.As our dependence on wireless access increases, it also becomes essential to consider the issue of availability as another important security requirement [2].Denial-of-service (DoS) attacks strike against availability, attempting to prevent legitimate users from accessing the network.There are many 802.11-specificDoS vulnerabilities, which have been experimentally demonstrated in the literature of recent years.
Denial-of-service (DoS) attacks are a growing concern to networked services like the Internet.A DoS attack intends to deny access to shared services or resources by legitimate users [3].A common form of WLAN DoS attack is a resource depletion attack, in which an attacker tries to overload the Access Point's (AP) resources, such as its memoryhosted association table, rendering the AP unable to service honest clients.A potential way to deal with this problem is for a defending server to identify and segregate malicious traffic as quickly as possible.Other forms of DoS attack are jamming attacks, semantic attacks, and implementation specific attacks.
To deal with DoS attack, a number of methods have been proposed by researchers.Particularly for resource depletion or connection request flooding attack, in [4] a number of countermeasures both in the physical and MAC layers have been discussed.These solutions are cryptographic protection, security protocol repair, intrusion detection systems (IDS), decreasing the retry limit, identifying with signal strength info, and identifying through RF fingerprint.
Client puzzles, also known as proofs of work, have been shown to be a promising tool to thwart DoS attacks on network protocols, particularly on authentication protocols.A puzzle is issued by the server in reply to each request when the server is under attack.After receiving a puzzle, the client has to solve it in order to convince the server to grant 2 Mathematical Problems in Engineering access to its resources.The main idea is that puzzle generation and solution verification should be easy for the server, while computing the puzzle solution should be somewhat hard, computationally speaking, for the client.
Many client puzzles have been proposed since they were first introduced by Dwork and Naor in 1992 [5].An important recent development has been the analysis of client puzzles within the provable security framework [6,7].The main contribution of our paper is proposing a faster puzzle in verification and generation phases.Compared to other hash based puzzles, our work consumes at least 30% less resources in both generation and verification phases, all without the need for additional hardware.It also addresses the security definition of Chen et al. [6] and proves that our proposed puzzle is secure.
To emphasize the importance of CRF DoS attacks and to show how they are launched, we shall highlight parts of the 802.11 standard which present malicious users with opportunities to breach secure, fair, and efficient protocol operations.
The following section will describe how connectionrequest flooding attacks and spoofed disconnect attacks on 802.11 based networks occur.Section 3 will review the methods and approaches proposed by other researchers in the literature.However, more information related to other attacks and issues of network security can be found in .More information related to patterns can be found in [33][34][35][36].In Section 4, the details of the proposed puzzle will be discussed.The experimental results will be demonstrated in Section 5. Using security definition of Chen et al. [6] alongside the client puzzle protocol security properties, a security analysis of the proposed approach will be provided prior to the conclusion.

CRF DoS Attack on WLANs
Fundamentally, 802.11-based networks operate in two modes: Ad-hoc and Infrastructure.In addition, WLANs are deployed in three architectural models: Independent Basic Service Set (IBSS), Infrastructure BSS, and Extended BSS [37].This paper will pay special attention to CRF DoS attacks on WLAN in Infrastructure mode, where a Basic Service Set (BSS) is orchestrated by the AP.
To get access eligibility, STAs must initially authenticate themselves to the AP.This is the same sort of operation as connecting a PC to a certain wired network outlet.In order to simplify the attachment of wireless stations (STA) to a network, the connection procedure in wireless networks has been designed without providing an authentication mechanism on MAC frame header fields, [38], particularly in open authentication mode.This security hole makes forging the source address of an MAC frame so easy that identifying the source of traffic is virtually impossible.Sending false connection requests is much cheaper than validating those requests.If the authentication server does not protect the limitedresource AP against false requests (whose aim is to exhaust available resources), the solution becomes challenging.
In addition, the authentication and association procedure has been designed as a stateful process.This means that AP is required to allocate a certain amount of resources-normally memory capacity-for every connection request in order to track the current state, as shown in Figure 1.
Despite the significant benefits of the authentication and association procedure, there is a clear sign that this procedure could easily become a simple route to deny service [39].An attacker can effortlessly launch a CRF DoS attack by forwarding a burst of bogus connection requests-whether probe, authentication, or association request frame-over a relatively short time, towards an unprotected AP.Consequently, the victimized AP runs out of resources (i.e.association table) quickly, so that legitimate requests remain unanswered [3,40].In addition, after making a wireless network disappear, a fake system belonging to an attacker may pose as the legitimate wireless infrastructure, which enables the attacker to launch a man-in-the-middle attack [41].
Even though a number of anti-CRF DoS schemes have already been proposed for wired networks, they are unsuitable to protect resource-limited wireless infrastructure [42].

Related Works
Over the past decades, a whole bunch of countermeasures have been proposed by researchers to mitigate or even eliminate the harmful effects of CRF DoS attacks on computer networks.In this section, we review the relevant literature on client puzzles, with an emphasis on hash-based puzzles.
Client Puzzle.The idea of client puzzle protocol is quite simple [43].When server is not under attack, it follows its normal activity and accepts connection requests.When a server comes under attack, the server forwards a unique puzzle to each client wishing to attach to the network.Solving these puzzles imposes a certain amount of computation and storage cost on clients.If a client submits the valid solution to the server, the server will allocate the required resources to that client.As it turns out, a legitimate client has to undergo an insignificant computational cost when a server comes under attack, while an attacker needs large computational resources to make a noticeable interruption in the network service.The use of puzzles in cryptography was pioneered by Merkle [44], who used puzzles to establish a secret key between parties over an insecure channel.Client puzzles were first proposed by Dwork and Naor [5] as a countermeasure for email spam.The computational problems underlying most puzzles are either number-theoretic [5,45,46] or based on hash inversions [6,47,48].Hash-based puzzles are very efficient-generation and verification typically requires only one or two hash function calls-but concrete realizations to date have been shown to be secure only in the random oracle model.Number-theoretic puzzles, on the other hand, have been shown to be secure in the standard model but have tended to be relatively inefficient, typically requiring the server to perform a large-integer modular exponentiation, making it unsuitable for resource-limited WLANs.Hence, some researchers focused on other payment schemes than CPU cycles, for example, memory-bound puzzles [49][50][51], knapsack puzzles [52], NST puzzles [53], bandwidth puzzles [54,55], or human interaction with so-called CAPTCHAs [56].
Hash-Based Puzzle.Juels and Brainard (see [57]) employed a cryptographic client puzzle protocol to protect servers against CRF DoS attack.Aura et al. [48] employed the client puzzle in an authentication protocol.They proposed a CPU-bound puzzle based on partial collision in a one-way hash function, protected by digital signature.The client solves  from the following equation by brute force and sends the signed solution  back to the server: The  first bits of the hash ⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞ 000 ⋅ ⋅ ⋅ 000 . ( The authors claimed that their method is a lightweight puzzle and consumes as little CPU-cycle as possible.However, using a public-key signature may increase significantly the likelihood of resource-exhaustion on the authenticator's side (AP or server), particularly when the network environment is WLAN [58].Moreover, when using hash-based puzzles, some issues have to be taken into consideration, including the following: (i) The puzzle difficulty is not fine-grain controlled [59].
In other words, the difficulty grows exponentially while the number of bits needed for partial collision increases.
(ii) Like other CPU-bound puzzles, this puzzle suffers from the CPU-power disparity issue [59].CPUpower disparity issues occur where a puzzle depends on computational power.In such circumstances, clients equipped with high resources are able to solve puzzles in a shorter time than others.Attackers take full advantage of this security hole.
(iii) This method is recognized as a parallelizable puzzle, so the attacker can solve the puzzle in a parallel manner using a number of employed clients.
To mitigate the overloading of Aura's puzzle on APs, Shi and Ma [60] designed a lightweight anti-DoS attack wireless authentication scheme on the basis of a hash function.They put a signature computation only after the puzzle verification.
Still, the AP has to generate a puzzle for every client's request and to store it.To handle a burst of connection requests containing spoofed or unauthenticated MAC addresses, the AP has to exhaust more resources to generate more puzzles.This may lead to memory exhaustion.Moreover, this puzzle still suffers from the hash reversal puzzle issues mentioned above.
To eliminate the Aura puzzle defect, Dong et al. [58] proposed a hash based puzzle to handle two key problems: avoiding the possible memory-exhaustion in the earlier puzzle and combating the CRF attack.They took advantage of beacon frames to distribute the puzzle parameters.This protects the AP against a second DoS attack on puzzle generation where AP faces a sudden burst of puzzle requests.However, this scheme does not provide a solution to the problems raised by hash-based puzzles.The authors in [61] proposed a CPU-bound client puzzle based on extracting square roots.Table 1 exposes the proposed client puzzle in detail.
By using beacon frames as the puzzle carrier, this puzzle keeps the AP away from a puzzle request flooding attack.Moreover, it is claimed that by choosing two large prime numbers  and  along with Δ, it is ensured that forging multiple solutions in a short time is impossible.Despite these valuable achievements, a number of drawbacks should be taken into consideration: (i) Using quadratic residue problems imposes a large computational load on an STA, which in the case of a PDA, tablet, or other limited-resource device can be a problem.
(ii) Allocating 77 bytes of management frame to a puzzle wastes wireless bandwidth.
(iii) Even though the verification is low cost, sending too many fake solutions can overburden the AP.
(iv) The results show the puzzle difficulty of this puzzle is poorly granular.
(v) Like other CPU-bound puzzles, this puzzle suffers from CPU-power disparity issue.
As the granularity of hash-based reversal puzzles is too coarse, Feng et al. [62] proposed the idea of a hint-based hash reversal puzzle to allow the granularity to be linear.The behind idea of the proposed puzzle is that the server gives  the client a hint about the range within which the solution lies.For example, suppose a randomly generated number  is used as the input to the hash ℎ().To generate a puzzle with () difficulty, the server passes the client the hash and a hint,  − (0, ).Where (0, ) is a randomly chosen number uniformly distributed between 0 and .Instead of checking every possible solution, the client starts at the hint and searches the range linearly for the answer.Apart from the last process, all remaining processes are similar to Jules and Brainard's puzzle.Hence, the simple puzzle generation and verification, as well as the linear granularity for fine grained control are the strengths of this solution.However, it is still susceptible to parallel processing attacks.Also it is suspicious of DoS puzzle attacks on the AP during puzzlegeneration, where an attacker sends a burst of puzzle requests and the AP has to produce a unique puzzle for every request.Moreover, like other CPU-bound puzzle, a hint-based hashreversal puzzle suffers from CPU speed disparity issue.
Similarly, Lei et al. [63] introduced the quasi-partial collision concept to provide a granularity of puzzle difficulty in a more controlled way.The results show a marked improvement on earlier puzzles; however, the hash-based CPU-bound problems still remain.
Number-Theoretic Puzzle.Rivest et al. [64] proposed a nonparallelizable time-lock puzzle based on repeated-squaring to enable time-release cryptography.The idea behind it is that a client has to allocate a certain amount of computational resource time to execute repeated squaring.First, a server calculates roughly how many squaring operations a client is able to run per second: .Then it specifies the time required by a client to find the puzzle's solution: .Considering this information, server computes how many times a client must run the squaring function to find the solution:  =  × .Finally, the server encrypts a message  into a cipher text  as follows:  =  +    mod , given an integer , an exponent , a large integer , and an appropriate semiprime modulus .To acquire  from , the client needs to compute    mod  given , , , and  in log (  ) ≈  modular multiplications.This computation can be performed efficiently using the trapdoor offered by Euler's function:    mod  ≡    mod () mod .Surprisingly, time-lock puzzles are able to provide a precise and fixed amount of work.To verify the puzzle, the server checks the solution through the trapdoor offered by Euler's function in  (log()) modular multiplications.
Although this nonparallelizable puzzle eliminates the CPU-power disparity problem, there are some fundamental drawbacks which make this puzzle impractical in the real world.
(i) Generating and storing big prime numbers may be resource-exhausting on the server side.As a result, time-lock puzzles meet the inefficiency threshold in puzzle generation in the order of microseconds [65].
(ii) To verify the puzzle, the server has to allocate a significant amount of resources to compute  =   (mod()) and  =   (mod) for every received puzzle solution, which is undesirable in WLANs.
(iii) The server has to find out some information, such as CPU-power, from the clients in order to calculate the precise puzzle parameters.Attaining this information from a heterogeneous environment of clients, such as in WLANs, is almost impossible.
To reduce the costs of puzzle verification of Rivest's puzzle, Karame and Čapkun [45] adapted Rivest's puzzle by employing an RSA key pair with small private exponent.This puzzle is based on the assumption that it is computationally intractable to compute a small private exponent  when the public exponent  is larger by several orders of magnitude than the modulus .The server must still perform a modular exponentiation but, given a semiprime modulus , the number of multiplications is decreased by a factor of ||/ where  is a security parameter.For example, a factor 12.8 for a 1024 bit modulus results in 120 modular multiplications instead of 1536.In spite of this significant reduction in the verification and generation cost, still the verification costs remain too high to provide viable DoS protection for WLANs where resources are much limited [66].In particular, the puzzle setup is extremely costly.Also, this method suffers from difficult granularity issues.Furthermore, this puzzle wastes the network's bandwidth due to employing large numbers.
Recently, Rangasamy et al. [67] proposed a modular exponentiation-based client puzzle which can be seen as an efficient alternative to Rivest et al. 's time-lock puzzle.Unlike the Rivest et al. and Karame-Čapkun puzzle, Rangasamy et al. 's puzzle does not require the server to perform any online exponentiations.In fact, the server has to perform a total of two hash operations and a few modular multiplications for the puzzle generation and verification.Although it is a significant improvement over the Karame-Ĉapkun puzzle construction, the security of the puzzle does not rely on the standard security assumptions.
Kuppusamy et al. [68] also proposed a DLPuz puzzle based on the interval-discrete logarithm problem.This puzzle is claimed to be efficient while remaining secure in the standard model.Among other number theoretic puzzles, DLPuz puzzles demonstrate an extremely efficient verification algorithm, although the results show a costly puzzle generation which is prone to DoS attack.

PatPuz: A Superfast Hash-Based WLAN Puzzle
This section describes our new client puzzle construction PatPuz, which is based on finding a pattern key through reversing a one-way hash function.First, we will review the definition of a client puzzle and then present our construction.The PatPuz will be able to manage connection requests so that they lose their importance as a valuable target for launching a DoS attack.Furthermore, this puzzle resists bogus puzzle solution flood attack where attackers strive to overload an AP during the puzzle verification stage.
Notation.If  is an integer, then we use || to denote the length in bits of .The puzzle makes use of a family of keyed hash function H := {  } ∈ , where each   is a function mapping  to {0, 1} ℓ and  is security parameter.We let ←   denote an uniformly random choosing of  from  where  is a set.We write  ← A() to assign the output of algorithm A to  when run with the input .If  is a security parameter, then () denotes a function that is negligible in , namely asymptotically smaller than the inverse of any polynomial in .Let  , () be a pattern function and (  ) denotes the  th bit of , then the following patterns are applied on : (i) Extract  values of length ℓ from ℎ() as shown in Figure 4.

The PatPuz
Puzzle.This scheme aims to provide a unique puzzle for every connection request received by an AP.The task of an STA is to find a pattern key through inversing a one-way hash function and to use that pattern key to create a unique pattern as the puzzle solution.Then, the AP only verifies those patterns.In many scenarios, it is essential that the GenPuz, VerAuth, and VerSoln algorithms be extremely efficient.In a denial-of-service setting, these algorithms are run online by the AP many times, and if they were expensive, then an attacker could induce a second resource depletion attack by asking for many puzzles to be generated or verified.
FindSoln(, ).One typical method for a legitimate client to implement the FindSoln algorithm is a brute-force search.While this algorithm is within the allowed number of clock cycles of execution, it randomly samples elements from the set of possible solutions without replacement and for each potential   ∈ X computes   ← (  ,   , ).If   =  then it computes   ← P   , () output   then halts and otherwise continues with random sampling.If this algorithm reaches the last clock cycle of execution then it outputs an   computed from a random element of the remaining unsampled preimage space.
VerSoln(  ,   ).Given a potential solution   this checks if   ∈ P  and if so outputs are true and otherwise output is false.
Remark 2. In PatPuz, the AP has to store the short-term secrets  and   in order to speed up the verification phases.These secrets are expired when a cycle times out and the new values are replaced.
When the pattern sent by the STA passes the verification step, the AP will send an authentication response frame back to the STA and allocates the required resources.

Performance Experiment of PatPuz
NS2 simulates our scheme over a core i5 2.27 GHz/4G Ubuntu system.Since our goal is to balance the resource consumption between AP and STA, we focus on the time consumed on the puzzle generation and verification on the one hand and puzzle solving on the other.We will consider the puzzle difficulty  to be less than 22 for simplicity reasons.The difficulty of a client puzzle gives a measure of the likelihood of an adversary finding a solution to a given puzzle within a given number of clock cycles of execution.Intuitively, the difficulty of solving a puzzle is ensured by the hardness of inverting the one-way function.
Figure 2 demonstrates the link between difficulties and time-consumption in both puzzle generation and solution verification.The obtained results are important for two  reasons.First of all, the time the AP spends to generate and verify a new puzzle is considerably shorter.It is less than 0.6 and 0.3 milliseconds in generation and verification procedure, respectively.Secondly, the fluctuation in generation and verification time is almost constant when the difficulty degree goes up or down.Therefore, increasing or decreasing the difficulty degree does not affect the time needed by the CPU for generating and verifying the puzzle.Consequently, the proposed scheme eliminates any chance for an attacker to make puzzle generation and verification phases into a valuable target to launch DoS attacks by using fake solutions.
The most important impact of our scheme is to force STAs to cost their resources for every connection request.Therefore, the chance of attacker exhausting AP's resources by sending a burst of fake connection requests is very small.As shown in Figure 3, the solving time increases considerably, by nearly exponential growth, when difficulty of degree goes up.

Security Analysis of PatPuz
In this section, we analyse the PatPuz puzzle using the security model of Chen et al. [6].Chen et al. introduced two security properties that a client puzzle should satisfy: unforgeability and difficulty.We shall give a brief description of these two properties.Intuitively, the unforgeability of PatPuz is ensured by the use of a pseudo-random function and the difficulty of solving PatPuz puzzles is ensured by difficulty of inverting the one-way function.
6.1.Unforgeability.This experiment measures the ability of an adversary to produce a valid client puzzle and force a server to accept it as one that was not originally generated by a server in a probabilistic way.In general, unforgeability can easily be provided by using a message authentication code (MAC) or pseudo-random function to tag puzzles generated by the server, and this is what is done in PatPuz.First we review the formal definition of puzzle unforgeability in the next section.The results show that PatPuz is indeed unforgeable.We shall make use of a sequence of games [69] to prove the security properties.
Return  to A. (b) CheckPuz(): if puz was not an output for any of the CreatePuz() query made previously and VerAuth(, ) = true then stop the experiment and output 1.Otherwise, return false to A.
We say that A wins the game if  UF A, () = 1 and loses otherwise.The advantage of A is defined as: A puzzle is said to be unforgeable if this advantage is negligible in  for probabilistic algorithms A running in time polynomial in .
In this unforgeability experiment, the adversary is allowed to query the CreatePuz oracle by choosing puzzle difficulty level  at will.This is to ensure that even after seeing puzzles with different difficulty levels, the adversary cannot create a valid looking puzzle.

Theorem 4 (unforgeability of PatPuz puzzle). The PatPuz puzzle is unforgeable.
Proof.We prove the theorem using a sequence of games.Let A be a probabilistic algorithm with running time .Let   be the event that A wins in game   .
Game  0 .Let  0 be the original unforgeability game  UF A,PatPuz ().Then Game  1 .In this game, we modify game  0 by replacing the   with a truly random function R to compute the pattern key .This change has a negligible effect on adversary A because of the pseudo-randomness of   .Hence,     Pr ( 0 ) − Pr ( 1 )     ≤ V where B is an algorithm running in time (), and the second inequality follows whenever   is a pseudo-random function.
Since the function R in game 1 is truly random, the probability that an adversary without access to R can guess an output is negligible: Combining ( 3) through (5), we obtain the final result that the adversary's success in forging a puzzle is negligible.

Difficulty.
To prove our puzzle difficulty, we shall mainly focus on generating a valid pattern without having to find.Like the previous property, we shall first define the formal form of the puzzle difficulty presented by Chen et al., then we will show that our puzzle is a difficult puzzle.
Definition 5 (puzzle difficulty).Let  be a security parameter and let  be a difficulty parameter which is kept fixed through the experiment.Let A be a probabilistic algorithm and  be a client puzzle.The game  , A, () is defined for each hardness parameter  ∈ N as follows: (1) (, ) ←  (1  ) (2) Run A() with oracle access to CreatePuzSoln(⋅) and Test(⋅), which are answered as follows: (a) CreatePuzSoln():  ← (, , ).We say that A wins the game if  , A, () = 1 and loses otherwise.We define the success of an adversary A against  as Let  , () be a family of functions monotonically increasing in .A puzzle is  , (⋅)- if, for all probabilistic algorithm A running in time at most ,  , , () ≤  , () .
Theorem 6 (difficulty of PatPuz puzzle).Let  be a security parameter and let  be a difficulty parameter.Let H := {  } ∈ be a family function of keyed hash function, where each   is a function mapping {0, 1} ℓ 1 to {0, 1} ℓ 2 , and let F be a pseudo-random function.Then PatPuz puzzle is  , ()- for all probabilistic algorithms A running in time at most .
Proof.Like previous properties, we shall employ a sequence of games to prove our theorem.In game  0 the adversary tries to break our construction whereas in game  1 the adversary works against an idealized version of our construction, where random function F has been replaced with a truly random function.Let A be a probabilistic algorithm with running time .Let   be the event that A wins the game   .
Game  0 .This game represents the original difficulty game  , A,PatPuz ().For clarity, we shall write the full definition of this game:   (2) The adversary A will then start to ask CreatePuz-Soln() queries.C answers to queries as follows: (a) CreatePuzSoln(): as in game  1 except replacing  † to compute .
(3) At any time during the game, A is allowed to issue a Test() query for which C do the same as  1 except replacing  † to compute .
(4) The adversary A may continue to ask CreatePuz-Soln() queries which the challenger C answers as before.
(5) Eventually, after  clock cycles A outputs a potential solution  * =  * .If VerSoln( * ,  * ) = true, the adversary A wins and then the challenger C outputs 1 and terminates and otherwise outputs 0 and terminates.
In the above game, a truly random function R is input to the function  † to compute .As a result the only way A could find a correct solution   would be for A to invert the function  † .Hence we have where  2 is the event that A wins the game  2 ,  is the number of pattern points, ℓ is the length of pattern points such that 2 ℓ = |ℎ()|, and V OWF , is defined as below.The second inequality follows the fact that the only way a protected (by our scheme) AP may be attacked is to reveal the pattern.An attacker can reach the correct pattern either through solving the puzzle or guessing the pattern.If he or she chooses the first way, the main goal of our scheme is satisfied.The probability of finding a correct   is 1/2 ×ℓ×|| in which in case of  = 6, ℓ = 7, and || = 2 the result would be 1/2 43 which is negligible.
Definition 7.For an adversary A we define its advantage against a function  : X  → Y, where X is fixed and finite, in terms of OWF as Let   : N  → [0, 1] be a monotonically increasing function.Then the function  is an   (⋅)-OWF if for all adversaries A it holds that V OWF A, ≤   ().
We also claim that     Pr ( 1 ) − Pr ( 2 )     =  ℎ () , where  ℎ is the h-advantage of some efficient algorithm (which is negligible assuming H is entropy smoothing).
To prove this claim, any difference between Pr( 1 ) and Pr( 2 ) can be parlayed into a corresponding h-advantage.The following algorithm  interpolates between game  1 and game  2 and so has h-advantage equal to | Pr( 1 ) − Pr( 2 )|.

Security Properties.
In [70,71], some general criteria are listed to specify the properties a puzzle must meet to be considered as an effective and efficient anti-DoS approach.Simply put, these criteria prove how secure and powerful the proposed client puzzle protocol is.Here we review these properties with an emphasis on PatPuz puzzle.
Computation Guarantee.Since the hash function is considered to resist preimage and collision attack, the only way to solve a puzzle is to use a brute force method.Hence, STAs have to look up a range of 2  possible solutions to find out the right pattern.Even though this range may be reduced to 2 /2 possible solutions due to a birthday attack [72], the client (and also attacker) still has to spend enough time to find the puzzle's solution.
Adjustability of Difficulty.In our scheme, the AP adjusts the difficulty degree by increasing or decreasing .Note that these variations have no effect on the time spent to generate or verify the puzzle.
Efficiency.Since the puzzle verification is done only by looking for a correct pattern in a puzzle solution   -a significantly low computational process-the proposed client puzzle protocol resists a puzzle verification attack where an attacker forwards too many bogus puzzle solutions.In addition, a protected AP is required to store only a long-term secret value , to verify the received solutions.To make the verification phase more efficient, a short-term value, which is a -bit length, can be stored by AP.
Correlation Free.The PatPuz puzzle is correlation-free.That means knowing all previous puzzle solutions does not help to solve the current puzzle in any way.This property is provided by the unpredictability feature of the random numbers generated in puzzle generation stage () and puzzle solving ().
Stateless.The proposed client puzzle protocol does not require storing any client's or puzzle related information, except , and .Moreover, the memory allocated to  is cleared after changing the puzzle, meaning that the algorithm utilizes a fixed-size memory to handle the puzzle.Hence, a protected AP in our scheme will face no memory shortage in a relatively short time.
Tamper-Resistance.No STA (attacker) is able to learn  by examining the other STAs' solutions.Every STA, in our scheme, is required to apply the produced pattern over its own  which is basically random.

Conclusion and Future Work
The main consideration for implementing any security protocol in 802.11 based networks is how much cost the proposed algorithm imposes on both the CPU and memory to complete its tasks.This paper proposes a novel puzzle to meet the AP's constraints and protect wireless network against CRF DoS attacks.
The following items are satisfied by the proposed scheme: (i) Low-cost generation.The CPU load in our proposed scheme is very low during initial setup and puzzle generation.The simulation output shows that this phase takes less than 6 milliseconds.
(ii) Low-cost verification.Like the generation phase, our proposed verification load is very low on the AP's CPU.Hence, the simulation output shows that the time an AP has to spend to accomplish the verification phase is less than 0.4 milliseconds.
(iii) Antireassign DoS attack.Since both generation and verification in our scheme are very cost-effective, the proposed scheme eliminates a second DoS attack on the AP which can be posed by attack-prone security puzzles.
(iv) The memory usage of PatPaz puzzle is fixed and very small, so much so as to be almost negligible.Therefore, the proposed puzzle will never suffer from memory exhaustion.
(v) The proposed scheme also defines  exp to limit the puzzle's solution life.Before  exp expires, all received puzzle solutions are discarded.Hence, launching an effective DoS attack becomes more challenging.
7.1.Future Work.This paper proposes a lightweight method based on a cryptographic client puzzle.Cryptographic puzzles are very low-cost in puzzle generation and verification; however, they pose some problems.First of all, they are naturally solved within a probabilistic time.Secondly, the puzzle may be solved through parallelization.Thirdly, varying the difficulty level in this approach is too coarse.That means the difficulty of solving an  − 1 bit puzzle is two times less than solving an  bit puzzle.Thus it is very troublesome to design and implement an appropriate difficulty degree which increases efficiency as much as possible.
Future work can be focused on designing a new puzzle which mitigates (or even eliminates) the aforementioned problems of cryptographic client puzzles.A future study can also focus on finding a smarter mechanism to perceive and apprehend DoS attacks, in order to adjust the puzzle difficulty efficiently.

Figure 1 :
Figure 1: Authentication and association states.

Figure 2 :
Figure 2: The curve relationship between difficulties and timeconsuming on generating and verifying the puzzle.

Figure 3 :
Figure 3: The curve relationship between difficulty degree and timeconsuming on solving the puzzle.

Figure 4 :
Figure 4: Extracting the values from ℎ() to calculate the correct positions for applying the pattern accordingly.

( 3 )
Find a solution  such as VerSoln(, ) = true.Return (, ) to A. (b) Test( * ): This query may ask once, at any point during the game.The challenger generates a puzzle  * ← (, , ) and returns  * to A. Then A may continue to ask Cre-atePuzSoln queries.A output a potential solution  * .(4) Output 1 if VerSoln( * ,  * ) = true and 0 otherwise.

( 3 )( 5 )
At any time during the game, A is allowed to issue a Test() query for which C generates a puzzle  * = (, ,  *  ,  * ) and returns  * to A. (4) The adversary A may continue to ask CreatePuz-Soln() queries which the challenger C answers as before.Eventually, after  clock cycles A outputs a potential solution  * =  * .If VerSoln( * ,  * ) = true, the adversary A wins and then the challenger C outputs 1 and terminates and otherwise outputs 0 and terminates.Hence, Pr ( , A, () = 1) = Pr ( 0 ) .

Table 1 :
DoS-resistant authentication based on extracting square roots.
[6].Client Puzzle Formal Definition.In[6], Chen et al. defines a client puzzle formally as follows.Definition 1 (client puzzle).A client puzzle Puz is a tuple consisting of the following algorithms:(i) Setup(1  ): a p.p.t.setup algorithm that generates and returns a set of public parameters  and a secret key , the former of which includes a puzzle difficulty parameter space .(ii)GenPuz(,, ): a p.p.t.puzzle generation algorithm which accepts a secret key , difficulty parameter , and a session string  and returns a puzzle .(iii)FindSoln(, ): a probabilistic puzzle solving algorithm that returns a potential solution  for puzzle  after running time at most .

)
Game  1 .Now we transform game  0 into game  1 , replacing the pseudo-random function  with a truly random function R.This change is indistinguishable due to the pseudo-randomness of , so     Pr ( 0 ) − Pr ( 1 )     ≤  () .Game  2 .We now transform game  1 into game  2 , replacing the hash function (⋅) with a randomly chosen one, .We assume that the family function of hash function H is entropy smoothing.This means that it is hard to distinguish (,   ()) from (, ℎ), where  is a random element of ,  is a random element of , and ℎ is a random element of {0, 1} ℓ .Algorithmically, game  2 looks like this:(1) The challenger C first runs the Setup on 1  and $ ← {0, 1} ℓ