(IJCSIS) International Journal of Computer Science and Information Security, Vol. 1, No. 1, May 2009

A Scalable Wireless Intrusion Detection System

Mouhcine Guennoun
University of Ontario Institute of Technology, 2000 Simcoe Street North, Oshawa, Canada, L1H 7K4
[email protected]

Khalil El-Khatib
University of Ontario Institute of Technology, 2000 Simcoe Street North, Oshawa, Canada, L1H 7K4
[email protected]
Abstract—Wireless Intrusion Detection Systems have recently gained considerable attention in both the research and industry communities due to the widespread use of Wireless Local Area Networks (WLANs). New threats and vulnerabilities specific to these networks call for the development of efficient systems that meet the requirements of wireless networks. In this paper, we present a scalable architecture for wireless intrusion detection. The proposed framework is divided into several modules that collaborate to protect network resources. Sensor agents collect and analyze traffic to detect traces of attack signatures. Controllers are central entities that perform anomaly detection by correlating the data and information sent by the wireless sensors.

Keywords: Wireless Intrusion Detection System; Anomaly Detection; Misuse Detection; Sensors.

I. INTRODUCTION

The prevalence of open networks makes them vulnerable to attacks carried out with tools such as computer viruses, malicious code, and infiltration software. The interconnection of networks, increased by the deployment of wireless technologies, pushes the boundaries of information and communication systems to uncontrolled limits and spreads the risk from the operational level to decision-making levels. In this environment, establishing mechanisms for intrusion detection and prevention is essential for the safe operation of the system.

Intrusion Detection Systems (IDS) are therefore becoming a critical security component. These systems are designed to detect and block attacks, and they operate at several protocol levels. Host Intrusion Detection Systems (HIDS) protect the software resources of a host against threats such as viruses and malware, while Network Intrusion Detection Systems (NIDS) monitor all network traffic to detect signs of damage. IDSs are generally based on statistical classifiers that distinguish between normal and abnormal traffic. Several classification techniques are used by researchers to build anomaly detectors, among them expert systems, neural networks and machine learning.

Vulnerabilities are the result of flaws in the design and implementation of computer systems, operating systems, applications and communication protocols. Statistics [1], shown in Fig. 1, indicate that the number of identified vulnerabilities is growing. Exploiting these vulnerabilities is becoming easier because the knowledge and tools needed to launch attacks are readily available and usable. It has become easy for a novice to find attack programs on the Internet and use them without knowing how they were designed by security specialists.

Figure 1. Number of Vulnerabilities Reported to CERT

The financial impact of intrusions into computer systems is considerable. According to estimates by Computer Economics [2], the global economic impact of Code Red is estimated at 2.62 billion dollars, that of SirCam at 1.15 billion dollars and that of Nimda at 635 million dollars, and these figures are increasing.

The emerging technology of wireless networks has created a new set of problems. Although HIDS and NIDS are able to protect the application and software components of TCP/IP networks against intrusion attempts, the physical and data link layers are exposed to intrusions specific to these communication layers. In addition to the vulnerabilities of wired networks, wireless networks are subject to new types of attacks, ranging from passive eavesdropping to more devastating attacks such as denial of service. These vulnerabilities result from the nature of the transmission medium. Indeed, the absence of physical boundaries for the network being monitored, which means an attack can be perpetrated from anywhere, is a major threat that can be exploited to undermine the integrity and security of the network. It is therefore essential to take these considerations into account when designing and deploying an intrusion detection system.
The organization of the paper is as follows. After the introduction to the problem in the first section, the second section presents the vulnerabilities of wireless local area networks. In the third section, we describe the state of the art of intrusion detection technology. The fourth and fifth sections discuss the challenges and requirements of wireless IDS. The sixth section proposes a distributed and modular architecture that meets the requirements of wireless local area networks. We conclude with a summary and the research directions that seem appropriate to explore in the future.

II. VULNERABILITIES OF WIRELESS LOCAL AREA NETWORKS

The security problems of a system are the result of vulnerabilities. Vulnerabilities are weaknesses of a system that can be exploited in ways that violate network policies [3]. They take different forms; for example, they may occur in the design and implementation of the software and hardware components of a system. The weaknesses of wireless local area networks can be classified into the following categories:

A. Exploration and Network Discovery

Network discovery is part of the 802.11 protocol. It allows a client to discover the available access points and the services offered by the network. Although network discovery is not in itself a security threat, it is the first step an attacker performs before moving on to more serious intrusion attempts. NetStumbler [4] and Wellenreiter [5] are two applications used to locate access points that offer free Internet access. NetStumbler can be paired with a GPS receiver to plot the location of wireless networks on a topographic map.

B. Denial of Service Attack

A Denial of Service (DoS) attack is designed to prevent legitimate access to the network. This includes total outage of the network, degradation of the services offered by the network, and increased network traffic that overloads the network equipment.

1) Network Saturation by Management Frames

This type of attack consists of flooding the access point with 802.11 management frames. This may include authentication or association requests intended to fill the association table of the access point. Flooding the network with other types of management frames, such as probe requests, consumes the processing resources of the access point.

2) Radio Interference

The attacker can transmit radio signals that disrupt communications by decreasing the signal-to-noise ratio. Some tools may use high RF power to damage network equipment.

3) Null Probe Reply

During this attack, a client sending a probe request is answered by a frame containing a null SSID. A number of network cards hang when receiving such a frame because of a design flaw in their firmware.

4) Saturation with EAP Handshake

The Extensible Authentication Protocol (EAP) is a universal authentication framework commonly used in wireless networks and point-to-point connections. It is defined in RFC 3748 [6] and RFC 5247 [7]. Flooding the network with EAP handshake messages is designed to overwhelm the authentication system of a wireless network. The attacker intercepts an EAP authentication sequence and then generates a very high volume of EAPOL messages requesting 802.1X authentication.

C. Fake Access Points

Fake Access Points is a tool originally created to deter attacks by flooding the network with hundreds of beacon frames carrying different addresses, in order to hide the real access point. Although the tool is still used for this purpose, an attack can be performed by flooding the wireless network with fake access points to prevent legitimate users from finding an access point and to increase the processing load on the client's operating system.

D. Eavesdropping

By monitoring an unsecured wireless network, an attacker can capture sensitive data. To reduce the risk of eavesdropping, it is imperative to use an encryption protocol at the link layer, such as WEP or TKIP, or at the network layer, such as IPsec. However, encryption protocols are not completely immune to passive and active listening. For example, the WEP protocol contains a weakness that allows an attacker to crack WEP keys: by capturing enough 802.11 frames with weak initialization vectors, an attack known as the FMS attack can recover the key of a WEP session [8]. We believe it is only a matter of time before other encryption protocols, such as TKIP and WPA, are broken as well.

E. Identity Theft

Identity theft is performed by spoofing the address of a legitimate station or access point in order to access network services. The attacker can obtain the privileges of a valid client and threaten the security of the network. This attack is difficult to detect because the connection is made over a non-physical medium that does not identify the origin of a frame.

1) MAC Spoofing

MAC address spoofing is a typical attack on wireless local area networks. An attacker forges the MAC address of a valid station in an attempt to gain the access privileges of that client.

2) Rogue Access Points

A rogue access point is a clandestine wireless device installed on a secure network without the permission of the network administrator. It is installed to allow an attacker to carry out a man-in-the-middle attack. Rogue access points pose a threat to corporate security because anyone with access to the network can install a wireless router that could give access to unauthorized parties.

Furthermore, an attacker can place an access point with a strong signal outside the premises of the organization and assign it a service set identifier (SSID) similar to that of the legitimate access point. A user, who is usually unable to distinguish a fake access point from a legitimate one, can easily be fooled by this trap.
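The floods and malformed frames of subsections B and C, and the de-authentication and duration attacks described in subsections F and G below, all leave a signature in 802.11 header metadata that a sensor can match without decrypting any payload. The following is an added example and not code from the paper: a sliding-window signature checker over frame records. The frame representation, the thresholds, the station addresses and the sample trace are assumptions constructed for illustration.

```python
"""Sensor-side signature checks over 802.11 frame metadata.

Added example, not code from the paper. Frames are plain dicts holding the
fields a sensor reads from the MAC header, so it runs offline without a
capture library; thresholds and the sample trace are constructed.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_S = 1.0                 # sliding window for the flood counters
THRESHOLDS = {                 # assumed frames per window per BSSID
    "deauth": 10,              # F. broadcast de-authentication flood
    "auth": 30,                # B.1 authentication / association floods
    "assoc_req": 30,
    "probe_req": 100,
    "eapol_start": 20,         # B.4 EAPOL-Start flood
}
NAV_LIMIT_US = 10000           # G. duration attack (15-bit field, max 32767)
FAKE_AP_LIMIT = 20             # C. distinct BSSIDs beaconing in one window


class FrameSensor:
    def __init__(self, window_s=WINDOW_S, thresholds=THRESHOLDS):
        self.window_s = window_s
        self.thresholds = thresholds
        self.seen = defaultdict(deque)   # (signature, bssid) -> timestamps
        self.beacons = deque()           # (timestamp, bssid)

    @staticmethod
    def _signature(frame):
        st = frame.get("subtype")
        if st == "deauth" and frame.get("dst") == BROADCAST:
            return "deauth"
        if st in ("auth", "assoc_req", "probe_req"):
            return st
        if frame.get("eapol") == "start":
            return "eapol_start"
        return None

    def _windowed_count(self, key, ts):
        q = self.seen[key]
        q.append(ts)
        while ts - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def observe(self, frame):
        """Alerts (name, subject) raised by one frame."""
        alerts = []
        ts, bssid = frame["ts"], frame.get("bssid", "?")
        sig = self._signature(frame)
        if sig and self._windowed_count((sig, bssid), ts) > self.thresholds[sig]:
            alerts.append((sig + "_flood", bssid))
        # G. one frame reserving the medium far longer than any real exchange
        if frame.get("duration", 0) > NAV_LIMIT_US:
            alerts.append(("nav_abuse", frame.get("src", "?")))
        # B.3 probe response carrying no SSID
        if frame.get("subtype") == "probe_resp" and frame.get("ssid") is None:
            alerts.append(("null_ssid_probe_resp", bssid))
        # C. many different BSSIDs beaconing at once
        if frame.get("subtype") == "beacon":
            self.beacons.append((ts, bssid))
            while ts - self.beacons[0][0] > self.window_s:
                self.beacons.popleft()
            if len({b for _, b in self.beacons}) > FAKE_AP_LIMIT:
                alerts.append(("fake_ap_flood", "*"))
        return alerts


def detect(frames):
    """Run one sensor over a trace; return distinct alerts in time order."""
    sensor, found = FrameSensor(), []
    for frame in sorted(frames, key=lambda f: f["ts"]):
        for alert in sensor.observe(frame):
            if alert not in found:
                found.append(alert)
    return found


AP, CLIENT, ATTACKER = "02:00:00:00:00:01", "04:00:00:00:00:02", "aa:bb:cc:dd:ee:ff"


def _frame(ts, subtype, src, dst, **extra):
    return {"ts": ts, "subtype": subtype, "src": src, "dst": dst,
            "bssid": extra.pop("bssid", AP), **extra}


# Constructed benign trace: beacons, a client probing, joining, sending data.
BENIGN_FRAMES = (
    [_frame(0.1 * i, "beacon", AP, BROADCAST) for i in range(10)]
    + [_frame(0.05 + 0.1 * i, "probe_req", CLIENT, BROADCAST) for i in range(5)]
    + [_frame(0.6, "probe_resp", AP, CLIENT, ssid="corp"),
       _frame(0.7, "auth", CLIENT, AP), _frame(0.8, "assoc_req", CLIENT, AP)]
    + [_frame(1.0 + 0.1 * i, "data", CLIENT, AP, duration=300) for i in range(5)]
)
# Constructed attack trace: deauth flood, NAV abuse, null-SSID reply, AP flood.
ATTACK_FRAMES = (
    [_frame(2.0 + 0.01 * i, "deauth", AP, BROADCAST) for i in range(15)]
    + [_frame(2.5, "rts", ATTACKER, AP, duration=32767)]
    + [_frame(2.6, "probe_resp", ATTACKER, CLIENT, bssid=ATTACKER)]
    + [_frame(3.0 + 0.01 * i, "beacon", f"06:00:00:00:00:{i:02x}", BROADCAST,
              bssid=f"06:00:00:00:00:{i:02x}") for i in range(25)]
)

if __name__ == "__main__":
    for alert in detect(BENIGN_FRAMES + ATTACK_FRAMES):
        print(alert)
```

The de-authentication check keys on the broadcast destination described in subsection F; a flood aimed at a single client would need a per-destination counter as well. The NAV limit is deliberately far below the 32767 maximum of the duration field, because the attack only needs a value longer than any legitimate reservation, and a sensor that waits for the maximum will miss it.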
3) Man-In-The-Middle

The Man-In-The-Middle (MITM) attack is a form of eavesdropping in which the attacker sits between a station and the access point and relays messages between them. The two parties believe they are communicating directly, while the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages exchanged between the two victims, so the attack can succeed only if the attacker can impersonate each endpoint of the communication. Unfortunately, the 802.11 protocol does not include a form of authentication designed specifically to prevent MITM attacks.

F. De-authentication Attack

The de-authentication attack is an example of an easy-to-mount attack that works on any type of 802.11 network (WEP or WPA). It enables an attacker to terminate the connections of all stations connected to the wireless network. The attacker sends a de-authentication frame with the broadcast destination address FF:FF:FF:FF:FF:FF; the stations that receive this frame automatically disconnect from the network. The operation is repeated continuously to prevent the stations from maintaining their connections to the access point.

G. Duration Attack

The duration attack is another example of a simple attack; it exploits a vulnerability in the CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) access method [9]. CSMA/CA allows stations to reserve the communication channel for a limited period of time specified in the duration field of the frame. The attack is mounted as follows: the attacker sends a frame with a high duration value, which prevents all stations from using the channel until the expiration of a counter, the NAV, initialized from that duration. The attacker then sends a second frame before the timer expires. This process is repeated indefinitely, which prevents legitimate stations from using the communication channel.

Encryption protocol vulnerabilities can also be added to the vulnerabilities mentioned above. For example, the WEP encryption protocol used by 802.11-based networks suffers from several weaknesses that have been exploited to compromise the confidentiality and integrity of wireless communications. Examples are the FMS, ChopChop and Fragmentation attacks [9] [10] [11]. In [9], the authors analyzed numerous attacks specific to the 802.11 protocol and demonstrated that they present a real threat to network availability.

III. INTRUSION DETECTION SYSTEMS

Intrusion detection is the process of monitoring the events that occur in a system or a network, analyzing them to identify signs of security violations, and triggering an alarm when malicious activity is observed. These systems provide surveillance and alarm functions and alert network administrators when a violation, or an imminent threat of violation, of the security policy occurs. Using standard prevention and detection techniques, intrusion detectors provide protection against worms, Trojans, spyware, key loggers, and other malicious programs.

Intrusion detection systems are developed in response to increasingly ubiquitous attacks. The pervasiveness of security problems requires solutions that operate at different protocol levels. The defense strategy should be layered so that an attack that escapes the detection algorithm of one layer is detected by the next. This strategy must combine defense policies defined specifically for networks, devices and host applications. An efficient IDS must respond immediately to any attempt to break into the system, with a low rate of both false alarms and false negatives.

The attacks used by intruders vary widely. Some exploit vulnerabilities in the network while others use programming flaws. It is therefore imperative to detect intrusions at several levels. Thus, there are different types of IDS operating at different protocol levels: host, network and application. These IDS are complementary and can be physically integrated into one system. We describe below the main features of each type.

A. Network Intrusion Detection Systems (NIDS)

NIDS analyze network traffic to identify suspicious activity. They capture all packets passing through the network and process the headers and payloads of the packets to detect signs of intrusion. They are most often deployed at the border between networks, near firewalls, virtual private network (VPN) servers, remote access servers, and wireless networks. NIDS work alongside other security systems such as firewalls; for example, a NIDS can feed the IP addresses of attackers into a firewall's blacklist. A NIDS can exist in two forms, a dedicated device or software, and offers a wide range of security functions. These functions can be classified into four categories: information gathering, event logging, detection and prevention.

Most NIDS use a combination of approaches to detect intrusions: misuse detection, anomaly detection, and protocol analysis. The types of events detected by an intrusion detection system are diverse and include known attacks at all levels of the protocol stack.

1) Application Level

NIDS analyze traffic intended for a specific application. The protocols analyzed include DNS, HTTP, POP3, IMAP, and FTP.

2) Transport Level

NIDS can detect attacks on the transport layer. This layer is known to be the target of multiple attacks, such as port scanning and SYN flooding.

3) Network Level

This layer is known to be vulnerable to a series of attacks. Ping of death is an example of an attack that can cause significant damage to a network. Other attacks, such as IP spoofing and packet fragmentation, are also dangerous and can adversely affect the operation of the network. Detecting these attacks is also a function of the NIDS.

4) Policy Violation

NIDS also monitor the network to discover breaches of network policies, such as the installation of services not
permitted by the administrators. It may use port scanning and data-flow analysis techniques to detect unauthorized services. NIDS generate different alerts depending on the severity of the event detected. For example, if an attacker launches an attack on a service that is not vulnerable to it, the NIDS should generate an alert of low severity.

Detection accuracy is an important factor that distinguishes NIDS solutions. These systems are known to have a high rate of false positives. Most commercial solutions are based on misuse detection, which prevents them from detecting unknown attacks. False negatives and false alarms may decrease if the complexity of the monitored networks is reduced. The NIDS should include details of the network configuration, the types of applications and services, and the communication protocols.

5) Prevention

The prevention techniques used by NIDS are diverse and depend on the type of event detected. They range from terminating the communication session to reconfiguring network equipment. A NIDS can reconfigure a firewall or switches, or generate access control lists to prevent an attack. It can also send a RST packet to both communicating parties to end the session before the attack completes. In special cases, it can replace the contents of a malicious packet with benign content, a technique generally used by antivirus systems upon detecting a virus attached to an email. Finally, it can run administrator scripts responsible for protection against and prevention of the attack.

B. Host Intrusion Detection Systems (HIDS)

A HIDS is installed on a single machine and monitors the activities running on it to ensure that the system is not compromised by malware or viruses. The elements analyzed by a HIDS are the processes running on the machine, system logs, access to and modification of files, and changes to the system configuration and applications. For each item checked, the HIDS stores attributes such as permissions, size, and dates of access and modification in a secure database. It computes an MD5 or SHA-1 checksum to verify that these elements have not been altered by malicious programs. A HIDS also ensures that memory regions such as the Linux system call table and the various vtable structures in Microsoft Windows have not been altered. The general architecture of a HIDS is composed of one or more agents, a management station and a console. Each agent monitors the activities of a station and may implement prevention actions. The agents transmit their information to the management station. Consoles are used for administration and monitoring purposes. Most commercial products encrypt communications between these entities to prevent unauthorized parties from accessing sensitive information.

An agent is generally dedicated to the protection of a server, a station or an application; in the latter case it is also known as an application intrusion detection system. Unlike network-based systems, host-based detectors can analyze encrypted content because of their location in the system.

A HIDS is responsible for protecting resources against intrusions. The activities of a HIDS can be grouped into five main functions: surveillance of system files, code analysis, log analysis, monitoring of network data, and kernel-level intrusion detection.

C. Intrusion Detection Approaches

Three approaches are mainly used by intrusion detection systems: misuse detection, anomaly detection, and protocol analysis.

1) Misuse Detection

The first approach, also called pattern correlation, identifies each attack by a signature. These fingerprints or signatures are rules that describe known attacks and are usually stored in a signature database. The IDS then searches the activity of the monitored element for traces of these signatures. Signature recognition is very efficient at detecting known attacks, but it cannot cope with new or slightly modified attacks. For example, if an attack signature is tied to port 80, the standard port of a web server, it fails to detect the same intrusion against a web server listening on the alternate port 8080. Detection by signature recognition is the simplest type of intrusion detection because it uses pattern matching techniques to compare a unit of activity, such as a frame or packet header, against a list of signatures. However, this approach cannot detect complex intrusions that require a thorough knowledge of the communication protocols. It also suffers from the fact that it does not keep system state, and so cannot detect intrusions that combine several types of events.

2) Anomaly Detection

The second detection approach is based on observing the behavior of the system to generate profiles and data structures that describe its normal state. Any subsequent deviation from normal generates an alert. Beforehand, the IDS must learn the behavior of the network to establish the baseline. This learning phase is critical to building an efficient anomaly detector, and the definition of normal user behavior is the main difficulty. Indeed, if malicious activity takes place during the learning phase, it will be considered normal and will therefore not be detected once the detector is deployed. Another problem affecting a correct definition of the baseline profiles is that activities in a system are often complex. For example, if a backup occurs once a month and involves the transfer of large files, the anomaly detector will generate a false alarm when that activity occurs. Anomaly detection is effective at detecting abnormal behavior, but it is often difficult for administrators to determine the cause of the abnormality.

3) Protocol Analysis

The third method, protocol analysis, compares models of standard protocols with the data flow collected from the activities of the monitored component. This method uses a model of each protocol as specified by the vendor or by the standardization bodies. These profiles define how a protocol should behave and which behaviors are normal. Intrusion detection systems based on this method are able to track the state of an activity, for example an FTP session, and determine whether it complies with the protocol specification. They examine the fields and parameters of suspicious packets to identify a
deviation from the normal. Non-compliance of an activity with these standards is often the result of an intrusion. Protocol analysis is implemented as preprocessors that analyze each layer of the protocol stack (HTTP, FTP, IP). These preprocessors monitor several sessions simultaneously. They also check commands to identify excessively large arguments: if, for example, the maximum size of an argument is 20 bytes, a size of 100 is a sign of malicious activity, and if the argument contains binary code the activity is even more suspicious. A drawback of this approach is that using preprocessors to analyze each layer can severely degrade the overall performance of the IDS.

A major issue with the protocol analysis approach is that vendors do not always follow the standards and may use proprietary extensions. Furthermore, the definition of a protocol can be revised to improve the current version. This can lead to false alarms when the model used by the IDS no longer matches the new definition of the protocol. The code of the IDS must be updated regularly to reflect new protocol versions.

D. Evaluation and Selection

The characteristics to consider when choosing an IDS are many and depend on the network infrastructure to be protected. These criteria make it possible to compare the performance of IDS and their ability to detect and prevent attacks. We describe below some important factors for the evaluation and selection of an IDS.

1) Accuracy

An IDS must be able to detect and prevent attacks precisely and reliably. It must contain a complete database of attacks that is updated frequently. A main problem with existing solutions is the high number of false positives they generate. These false alarms disrupt the normal functioning of the system and affect legitimate traffic. The IDS must include effective detection methods that have proven to provide high detection capability with a minimal false alarm rate. It is also important that the IDS correlates events to minimize the false alarm rate and provides the tools necessary to evaluate the severity of an attack.

2) Anticipation

The development of new attacks to bypass intrusion detection systems is a real threat to IDS. One of the important factors when choosing an IDS is its ability to resist entirely new classes of attacks. An intrusion detection system should have simple and transparent mechanisms for updating attack signatures. It should also include features that respond to certain classes of attacks that are not yet known. The use of expert and intelligent systems that can characterize traffic models using advanced profiling is strongly recommended.

3) Reactivity

Computer security is a dynamic and rapidly evolving field; it therefore requires a rapid response to attacks. The Code Red worm took a day to spread, while its successor, Code Red II, took 12 hours to attack computer systems. Worse, Nimda needed only one hour to cause damage across the Internet. New attacks appear every day with amazing speed and new system vulnerabilities are announced regularly. Responsiveness to these threats is therefore essential and must be achieved quickly and transparently, without user intervention.

4) Speed

Current networks operate at very high rates, from a few megabits per second to many gigabits per second. The IDS must be able to operate in such environments without affecting their availability. A detection system with poor performance can become a bottleneck and cause packet loss. Most of these systems operate in promiscuous mode, where they must collect all packets in transit through the network for deep analysis. As a rule of thumb, a network processor is estimated to require one Hz of processing capacity for every bit per second of traffic. In overloaded networks, decentralizing the detection function becomes a vital necessity.

5) Modularity

The software architecture of an IDS must meet the requirements of component reusability. Administration tools must be separated from the data collection and analysis modules. The hardware architecture should also be modular. Indeed, it is often useful to position the probes of an IDS in different locations to assess the effectiveness of detection, so the positioning of probes must be flexible. For example, one probe may be placed outside the firewall and another within the local network: the first detects intrusion attempts against the monitored network, the second detects attacks that have escaped the firewall. Finally, the modularity of an IDS allows each administrator to create an architecture based on the needs of, and the threats faced by, the organization.

6) Security

The detection system must not itself become the target of an attack. It is therefore imperative that the IDS be equipped with protection and deterrence tools that are out of reach of any attack. For example, an IDS should encrypt communications between its components, such as the agents and the control station, to prevent wiretapping of the traffic between the modules of the intrusion detector. It must also be discreet: like any software or hardware platform, an IDS may contain vulnerabilities, and its stealth helps protect it against exploitation of those vulnerabilities.

7) Interoperability

An IDS solution is not always the product of a single company. It is therefore necessary that the components of an intrusion detection system be able to work with existing or future systems, and the IDS must fit easily into the production environment. To achieve this, adherence to standards is critical for interoperability between systems from different manufacturers. Unfortunately, intrusion detection technology suffers from a lack of standardization; the few attempts to standardize IDS products have failed [12]. The only existing standard was developed by the Intrusion Detection Working Group (IDWG) of the IETF [13]. It proposes a standard format for representing the information exchanged between agents and monitoring stations. A uniform signature format is required to facilitate the exchange and update of signatures. Finally, an IDS should operate in conformance with the overall security solution of the organization, working together with firewalls, VPNs and antivirus systems.
8) Ergonomics

The IDS should be easy to configure and administer. It must have an easy-to-use graphical interface (preferably a web interface) for defining and configuring devices. The interface should provide several features, such as tools for analyzing suspicious incidents. Because of the high volume of alerts generated, it is important to provide dashboards that facilitate the assessment of the risks faced by the organization.

9) Price

Last but not least, price is another important factor to take into consideration when selecting an IDS solution. The price should take into account the size of the network to protect and the budget of the organization.

IV. CHALLENGES OF WIRELESS IDS

The design of a system for detecting intrusions in wireless networks faces difficulties due to the nature of the transmission medium.

A. Absence of Physical Protection

In addition to the challenges of wired systems, designers of wireless IDS face new challenges caused by the lack of physical boundaries of the network to monitor. In a wired network, data streams are controlled by the physical architecture of the network: traffic goes through switches and bridges constantly protected by surveillance systems such as firewalls and intrusion detectors. This physical protection is not available in a wireless network. An attacker can gain access to network equipment without going through the security fortifications.

B. Difficulty of Interrupting Intrusions

Intrusion detection systems in wired networks are installed as intermediate nodes between the communicating parties. This positioning allows them to monitor traffic and suspend it in case of an attack. This capability is not available in a wireless network. Indeed, wireless networks share the air as the communication medium, on which all parties can communicate directly without necessarily passing through intermediate nodes. A wireless IDS in this environment is merely an observer, which makes the task of prevention more difficult.

this information with mapping tools to locate the origin of the attack and take the steps necessary to neutralize it. Adlestein et al. [14] have developed a tracking system using a bidirectional antenna. Their method is based on the triangulation of data, such as the signal strength obtained from two directional antennas located in different places.

E. Interference

Several devices, such as microwave ovens, Bluetooth devices and cordless phones, operate in the same frequency bands as 802.11 networks. The collection of data by an IDS sensor is constrained by these interference sources. Therefore, several probes are required to ensure reliable detection of intrusions.

F. Multiplicity of Communication Channels

The 802.11 protocol dedicates 14 communication channels to wireless local area networks in the 2.4 GHz frequency band. A probe must be able to capture traffic on multiple channels at once, yet most network cards available on the market can only capture traffic on one channel at a time.

G. MAC Spoofing

The open nature of the wireless medium enables attackers to capture the MAC addresses of legitimate stations [15]. These addresses can be used by attackers to identify themselves as legitimate users in order to infiltrate the network. This makes it difficult to use MAC addresses in the formulation of attack signatures. In addition, an IDS must be able to distinguish between two stations using the same MAC address.

H. Location of Probes

The location of the sensors must take into consideration the physical architecture of the network. Positioning probes in inappropriate places limits their ability to listen and collect data, and thus degrades the effectiveness of the wireless IDS. On the other hand, overloading the network with sensors for better coverage increases the price of the solution.

I. Data Fusion

The use of several probes is justified by lower error rates. In addition, it allows the local data of each sensor to be aggregated to build a global map of the wireless network. The fusion of data from multiple sensors is another problem that designers of wireless intrusion detection systems have to overcome. The major difficulty of data fusion is how to synchronize the data, as each observation is stamped according to the clock of its sensor. The authors of [16] propose a method for merging data from multiple sensors; their approach is based on the use of timestamped beacon frames to synchronize the clocks of the sensors.
C. Mobility The mobility of nodes is a major drawback when detecting intrusions. An attacker can target a wireless network from multiple cells. Therefore, data must be collected on all cells and then correlated to identify any threat to the integrity of the network. D. Physical Location of Intruders Identifying the physical location of an attack is an important feature of a wireless intrusion detection system. Most of the attacks on the wireless network are performed for a short duration to avoid detection. When a response to an attempted attack is applied, it is important that it is both logical and physical. In addition to security measures undertaken, human intervention is needed to identify the attacker and should be done as soon as possible. The wireless IDS should provide the response teams the details of the attack. They can then combine
V.
CHARACTERISTICS OF A WIRELESS IDS
The design of an intrusion detection system must take into consideration certain characteristics to enable efficient and accurate detection of threats [17]. A. Distribution Many network attacks are characterized by abnormal behavior in various network elements. The distribution of functionalities of detection over several different entities that
58
monitor the network is therefore necessary to detect these types of attacks.

B. Autonomy
The data rates of wireless networks generate a large amount of information to analyze. The choice of a centralized architecture, in which the processing occurs at a single node, is not suitable for such networks. Indeed, the excessive exchange of information between the sensors and the central station can congest the network. It is therefore important that the elements of the IDS have some autonomy in order to detect local intruders.

C. Delegation
The sensors must be able to perform certain tasks sent by the central station. This enables the IDS to adapt to changes occurring in the monitored network.

D. Cooperation
The complexity of coordinated attacks makes detection by a single sensor a difficult task. In a system where each probe has only a limited local view of the network, it is very difficult to detect distributed and coordinated attacks. The detection of such attacks requires the correlation of the different analyses carried out at various points in the network. The different sensors must communicate their analyses to the control station to effectively detect coordinated attacks.

E. Reactivity
The major objective of intrusion detection is to react quickly when an attack occurs, in order to limit the damage that can be caused to the network.

F. Adaptability
The intrusion detection system must adapt to changes in company policies. A change in the network should be immediately implemented by the system.

VI. EXISTING SYSTEMS
There are currently few solutions that provide detection and prevention against attacks, and none provide adequate protection for wireless networks. Although these systems are capable of detecting illegal access, their intrusion detection capabilities are limited. The existing solutions are limited to functions that monitor network performance and enable auditing of security configurations. Most commercial solutions are based on misuse detection, an effective approach for detecting known attacks, but one that is unable to detect variants of the same attack. The cost of these solutions is another factor preventing their deployment in most wireless networks.

AirDefense [18] is a hardware and software system which consists of several sensors deployed in the network and managed by a control station. The starter kit contains five sensors and can protect up to ten access points. The AirDefense product offers an additional security measure that redirects an attacker to a honeypot. A honeypot is a security system that provides a shadow system in order to trap an attacker. This enables administrators to analyze the attacker's attempts.

AirMagnet [19] is another commercial product that allows the detection of intrusions such as denial of service by saturation. Among the performance analysis functions it offers are the detection of access points with weak signals, excessive packet retransmission, overloaded access points, configuration conflicts, and excessive bandwidth use.

Non-commercial solutions are also available and are often used by researchers to implement prototypes of intrusion detection systems. Fake AP [20] is a Linux program that simulates an access point by transmitting beacon frames. Snortwireless is an open source program that can create custom filters and rules from the header information of the frames. AirSnare [21] is a Windows program that detects unauthorized MAC addresses trying to connect to an access point.

VII. WIRELESS INTRUSION DETECTION SYSTEM ARCHITECTURE
Existing systems for intrusion detection are based either on a distributed architecture using large, expensive sensors, or on a centralized architecture in which the probes forward unprocessed data to the server, which requires high consumption of bandwidth and of the processing resources of the monitored stations. We propose an architecture that offers the flexibility of the first solution and the simplicity of the second. The analysis of data is shared between the sensors and the control station. The sensors filter the data so as to identify and transfer to the controller only the essential information. Bandwidth requirements are minimized, which improves the scalability of the distributed environment. The analysis of events is accurate thanks to the aggregation and correlation of vital information from the sensors; this information is encrypted and securely transmitted to the controller.

The proposed software architecture, figure 1, is modular. This has several advantages, such as the partitioning of components between micro-processors and processes, portability to multiple environments, and code reuse.

A. Sensor
The sensor is a unit for processing 802.11 protocol frames. It handles all network data, analyzes the traffic, and makes decisions regarding transfer, classification, and filtering according to the information provided by the control station. It consists of a set of software and hardware modules whose main characteristics we detail below.

1) Frame Sensor
The frame sensor is a radio hardware abstraction layer. There are two frequency bands on which communications are carried: the 2.4 GHz band, which is divided into 14 channels, and the 5 GHz band, which contains 24 communication channels. To be able to monitor all channels simultaneously, the frame sensor has several radio cards, each of them dedicated to one channel.
[Figure 2. Wireless IDS Architecture. The figure is not reproduced; its blocks are: Management Plane (Web Interface, Command Line, Management Interface), linked to the Controller over a Configuration and Management Channel; Controller (Correlation, Anomaly Detection, Network Profiles, Log, Alerts), linked to the Sensor over a Secure Communication Channel (SSL); Data Plane / Sensor (Application Environment, Socket API, Update, Misuse Detection, Signatures Database, Feature Extraction, Decoder/Classifier, Frame Sensor, 802.11 Interface).]

2) Decoder/Classifier
This module decodes the frames collected on the communication channel. It is also responsible for decrypting the frame payloads in secure networks. The frame classifier creates logical flows of data according to the requests received from the application layer. Data can be classified according to different information contained in the frame, for example the communication channel, the frame type (management, data or control), the MAC address of the transmitter or receiver, the type of encryption protocol (WEP, WPA), and the communication protocol (802.11a, 802.11b, 802.11g).

3) Feature Extraction
This module is responsible for extracting the attributes and characteristics that are most effective for intrusion detection. The attributes selected depend on the type of the frame and on the detection algorithm. This set of characteristics is sent to the local misuse detector and to the central module for detecting anomalies.

4) Misuse Detector
The sensor has a database of signatures where known attack scenarios are stored. It uses pattern matching techniques to find the trace of signatures characterizing an attack. The module is local to each sensor. This choice is motivated by the fact that the detection of signatures is a simple process that requires a lot of processing capacity. Decentralizing the signature recognition process allows, on the one hand, a reduction of the traffic between the probe and the control station and, on the other hand, a reduction of the processing overhead at the controller. It should be noted that one control station can handle a number of sensors that depends on the size of the network to monitor.

Detection of signatures can be extended to the detection of viruses that spread using wireless networks. The current solutions for virus detection are based on the installation of antivirus software on each station of the network. The update should be done regularly to ensure optimal protection from infections. This is difficult to guarantee in an open environment where the wireless stations are not under the administration of a single authority. Our approach is based on a virus scanner that scans the air, the medium for data transmission, to intercept virus signatures. This solution has the advantage of ensuring an up-to-date antivirus database and of saving resources such as electricity, memory and CPU time of the stations. These resources are limited in mobile nodes like mobile phones or embedded systems. It also has the advantage of detecting viruses before they infect their targets.

5) Update
Misuse intrusion detection requires regular updates of the scenario databases in order to detect the latest versions of attacks. The update module regularly downloads the list of signatures from the central station. It is also used to install new versions of the sensor modules.

6) Socket API
The Socket API is a programming interface that provides the application process with an easy way to extract the data received by the sensor. This layer is in direct communication with the frame classifier module to receive the data streams requested by the applications.

7) Application Environment
The application environment is a software platform where user scripts and code can be executed. It allows the extension of the sensor functionalities. An administrator can download code to perform a thorough analysis of frames. The Socket interface facilitates retrieving data according to the criteria specified by the programmer.

B. Controller
The control station operates the sensors deployed in the network. It receives alerts from the sensors and analyzes them to detect attacks not detected in the data plane. It consists of four modules: correlation of events, anomaly detection, logging and alerting.

1) Correlation
Evidence of an attack against wireless network resources can be spread over several nodes. The sensors collect traces of attacks and transmit them to the controller. The correlation module groups alerts into classes; each class contains the warnings of a single attack. For example, all alarms triggered by the same MAC address are classified in one class. This module uses statistical methods to determine whether a group of alarms are related and are the signs of the same intrusion. A similar approach has been observed in [22], where the authors used a probabilistic
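As an added illustration of the sensor-side pipeline described above (classifier, feature extraction and local misuse detector), and not code from the paper or its prototype, the following Python sketch builds a logical flow from constructed 802.11 frame records, extracts per-transmitter features over one analysis window, matches them against a small signature database, and emits alerts carrying the fields the controller's log module stores. The frame record layout, the authorized AP list, the threshold and the sensor identifier are assumptions.

```python
# Authorized access point MACs as pushed by the control station (constructed).
AUTHORIZED_APS = {"00:11:22:33:44:01"}
DEAUTH_THRESHOLD = 5  # assumption: deauth/disassoc frames per window that count as a flood

# Constructed frame records in the form the decoder is assumed to hand to the
# classifier: a legitimate beacon, a beacon from an unknown BSSID, one data
# frame, then a burst of deauthentication frames carrying the AP's own MAC.
SAMPLE_FRAMES = [
    {"t": 10.0, "chan": 6, "type": "management", "subtype": "beacon",
     "src": "00:11:22:33:44:01", "dst": "ff:ff:ff:ff:ff:ff", "ssid": "corp"},
    {"t": 10.1, "chan": 6, "type": "management", "subtype": "beacon",
     "src": "de:ad:be:ef:00:99", "dst": "ff:ff:ff:ff:ff:ff", "ssid": "corp"},
    {"t": 10.2, "chan": 6, "type": "data", "subtype": "data",
     "src": "00:aa:bb:cc:dd:01", "dst": "00:11:22:33:44:01", "ssid": "corp"},
] + [
    {"t": 11.0 + i * 0.05, "chan": 6, "type": "management", "subtype": "deauth",
     "src": "00:11:22:33:44:01", "dst": "00:aa:bb:cc:dd:01", "ssid": "corp"}
    for i in range(8)
]


def select_flow(frames, chan=None, ftype=None, src=None):
    """Classifier: build the logical flow an application asked for, filtering
    on the criteria the paper lists (channel, frame type, transmitter MAC)."""
    return [f for f in frames
            if (chan is None or f["chan"] == chan)
            and (ftype is None or f["type"] == ftype)
            and (src is None or f["src"] == src)]


def extract_features(frames):
    """Feature extraction: per transmitter MAC, counts of the management
    subtypes the signatures below need; the whole batch is assumed to be
    one analysis window."""
    feats = {}
    for f in frames:
        st = feats.setdefault(f["src"], {"deauth": 0, "beacon": 0,
                                          "chan": f["chan"], "ssid": f["ssid"],
                                          "dst": f["dst"], "last": f["t"]})
        if f["subtype"] in ("deauth", "disassoc"):
            st["deauth"] += 1
        elif f["subtype"] == "beacon":
            st["beacon"] += 1
        st["dst"], st["last"] = f["dst"], f["t"]
    return feats


# Signature database: (event type, class, predicate over one station's
# features, preventive action proposed by the sensor). The deauth flood
# carries the AP's own MAC, which may be spoofed (section G), so the sensor
# only reports it and leaves any blacklisting decision to the controller.
SIGNATURES = [
    ("deauth_flood", "dos",
     lambda mac, st: st["deauth"] >= DEAUTH_THRESHOLD, "report"),
    ("rogue_ap_beacon", "rogue_ap",
     lambda mac, st: st["beacon"] > 0 and mac not in AUTHORIZED_APS,
     "locate_and_report"),
]


def run_sensor(frames, sensor_id):
    """Misuse detector: match each station's features against the signature
    database and emit alerts with the fields the controller's log module keeps."""
    alerts = []
    management = select_flow(frames, ftype="management")
    for mac, st in extract_features(management).items():
        for event_type, cls, match, action in SIGNATURES:
            if match(mac, st):
                alerts.append({"timestamp": st["last"], "event_type": event_type,
                               "class": cls, "channel": st["chan"],
                               "ssid": st["ssid"], "src": mac, "dst": st["dst"],
                               "sensor_id": sensor_id, "action": action})
    return alerts


if __name__ == "__main__":
    for alert in run_sensor(SAMPLE_FRAMES, "sensor-1"):
        print(alert)
```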
method to correlate the attributes of alarms from multiple heterogeneous sensors.

2) Anomaly Detector
The anomaly detector is based on a classifier that identifies attacks not detected by the sensors' misuse detection module. This module is a centralized element that has an overview of the network through the alerts and information gathered from the sensors deployed in the network. The detection phase is preceded by a learning phase, during which the classifier constructs profiles of normal network behavior from the history of recorded events. During the detection phase, the classifier compares the statistics of the data flow with the profiles of the network. Any deviation of the analyzed traffic from the normal behavior is often a sign of intrusion. This detection method is complementary to misuse detection. It has the advantage of being able to detect new attacks.

Several classification techniques, such as artificial neural networks (ANN) [23] and machine learning [24] [25], have been used in the literature to automate the detection process in order to minimize human intervention. A comparative study of the performance of four artificial intelligence techniques, namely Support Vector Machines (SVMs), Artificial Neural Networks, Multivariate Adaptive Regression Splines (MARS) and Linear Genetic Programs, performed on a dataset of attacks on wired networks, showed that the accuracy of the Linear Genetic Programs technique surpasses the other techniques [26]. However, this study was conducted on a small sample of four attacks, and the differences between the performances of the four techniques are not statistically significant. No similar study has been done to evaluate the performance of classification techniques in wireless networks. This is due to the fact that there is no dataset for wireless attacks equivalent to the one generated by DARPA [27]. Therefore, choosing a classification method depends more on the cost of development, maintenance and implementation of the technique used.

3) Log
The log module stores detected events. These data are then analyzed to confirm the validity of the alarms, investigate incidents and determine the causes of an intrusion. The relevant information of an intrusion stored by this module is: timestamp (date and time), event type, class, communication channel, SSID, source and destination MAC addresses, identifier of the sensor that captured the event, and preventive action performed.

4) Alert
The controller has a set of active and passive prevention actions to be implemented in the case of intrusion detection. Passive actions include logging the event, sending an SNMP trap to a network manager, and sending an e-mail or an SMS message to an administrator. The active actions are diverse and depend on the nature of the intrusion. In the case of detection of an illegal access point, two measures are necessary. The first is to physically locate the access point and report its position to an administrator. The second action prevents stations from joining the rogue access point by sending disassociation frames. If the intrusion comes from a station, the response module adds its MAC address to a blacklist. The MAC addresses contained in this list are unable to associate with the access points of the network. Drastic preventive measures are proposed in [28], where the authors suggest counterattacking the pirate stations by exploiting the vulnerabilities of the attacking machines. For example, the wireless IDS can send malformed frames to the attacking machine in order to exploit vulnerabilities in its implementation of the 802.11 layer. However, these measures are theoretical, and no prototype has been implemented to confirm the validity of their assumptions.

In addition, the module offers the possibility of executing scripts in case of attack. These scripts represent the policies of the monitored network and specify the appropriate measures to be taken to neutralize threats.

C. Management Plane
The Management Plane provides tools to manage and configure the sensors and control stations. It enables the update of the components of the wireless intrusion detection system and the monitoring of their state. Through the console, administrators can access detailed reports on the distribution of sensors and access points in the network, statistics on attacks, and the actions taken to prevent intrusions. Three types of interface are included in the console: a web interface, a command line and a management interface. The web interface is a GUI that provides a user-friendly way to manage the components of the IDS. It can be accessed remotely through the HTTP protocol. The command line is used to configure the sensors locally through a serial port or USB. The capabilities of the command line are limited, and it is used only in case of a malfunction of the remote management of sensors. The third type of interface is an SNMP management interface. It is a software interface that allows an SNMP manager to collect management variables.

D. Deployment
The sensor may exist in different forms: it can be implemented as a dedicated device that provides the functions of collecting and analyzing data, or it can be grouped with an access point as a coprocessor. Dedicated sensors are passive elements that monitor the network. They form a parallel wireless network and should cover the entire area of the corporate network. This choice has the advantage of performing the detection functions independently of data transmission, and it maximizes the performance and efficiency of the detection system. However, the location of the probes does not allow the interruption of communication in case of an incident. On the other side, clustering the sensor features with the access point minimizes the effort of deployment and maintenance. In this form, the sensor is able to listen to and filter communications. The disadvantage of this choice is that the sensor is vulnerable to the attacks that the access point can undergo.

The location of the probes is crucial for the efficiency and accuracy of the IDS. The positioning of sensors should not be limited to areas where wireless traffic is permitted, but must also take into account areas where the wireless network is not allowed by company policy. Sensors should monitor critical areas to guarantee that no illegal access points are deployed. Administrators should use specialized tools to determine the location of each sensor to ensure full coverage of the network.
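For the controller side (the correlation, anomaly detection and alert modules of the preceding subsections), the following added Python example, which is not from the paper or its prototype, groups constructed sensor alerts by source MAC as the correlation module does, learns a profile of per-interval alert counts for the anomaly detector and tests new intervals against it, and selects the passive and active responses the alert module describes. The alert record layout, the rule that an active response requires agreement of at least two sensors, and the deviation factor k are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed alerts as three sensors would forward them to the controller.
# The same two attacks are heard by sensor-1 and sensor-2, which cover the
# same access point; a third event is reported by a single sensor only.
SAMPLE_ALERTS = [
    {"timestamp": 11.4, "sensor_id": "sensor-1", "src": "00:11:22:33:44:01",
     "event_type": "deauth_flood", "class": "dos", "channel": 6},
    {"timestamp": 11.5, "sensor_id": "sensor-2", "src": "00:11:22:33:44:01",
     "event_type": "deauth_flood", "class": "dos", "channel": 6},
    {"timestamp": 12.0, "sensor_id": "sensor-1", "src": "de:ad:be:ef:00:99",
     "event_type": "rogue_ap_beacon", "class": "rogue_ap", "channel": 6},
    {"timestamp": 12.3, "sensor_id": "sensor-2", "src": "de:ad:be:ef:00:99",
     "event_type": "rogue_ap_beacon", "class": "rogue_ap", "channel": 11},
    {"timestamp": 13.0, "sensor_id": "sensor-3", "src": "00:aa:bb:cc:dd:77",
     "event_type": "unauthorized_assoc", "class": "unauthorized_station",
     "channel": 1},
]

# Constructed learning-phase history: alerts per interval during normal operation.
NORMAL_HISTORY = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]


def correlate(alerts):
    """Correlation module: one group per source MAC, so that each group holds
    the warnings of a single attack, with the sensors and channels that saw it."""
    groups = defaultdict(lambda: {"events": [], "sensors": set(),
                                  "channels": set(), "classes": set()})
    for a in sorted(alerts, key=lambda a: a["timestamp"]):
        g = groups[a["src"]]
        g["events"].append(a["event_type"])
        g["sensors"].add(a["sensor_id"])
        g["channels"].add(a["channel"])
        g["classes"].add(a["class"])
    return dict(groups)


def build_profile(history):
    """Learning phase: summarize per-interval alert counts recorded during
    normal operation as a mean and a (population) standard deviation."""
    return {"mean": statistics.mean(history), "stdev": statistics.pstdev(history)}


def is_anomalous(profile, count, k=3.0):
    """Detection phase: an interval whose count exceeds the learned mean by
    more than k standard deviations deviates from normal behaviour."""
    return count > profile["mean"] + k * profile["stdev"]


def choose_actions(group, min_sensors=2):
    """Alert module: passive actions always; active actions only for the
    classes the paper gives an active response for, and only when at least
    min_sensors independent sensors agree. A "dos" group is kept passive
    because its source MAC is the AP's own and may be spoofed (section G)."""
    actions = ["log", "snmp_trap"]
    if len(group["sensors"]) < min_sensors:
        return actions
    if "rogue_ap" in group["classes"]:
        actions += ["locate_and_report", "send_disassociation"]
    if "unauthorized_station" in group["classes"]:
        actions.append("blacklist_mac")
    return actions


def run_controller(alerts, profile):
    """Return the per-MAC decisions and whether this interval's alert volume
    is anomalous with respect to the learned profile."""
    decisions = {mac: choose_actions(g) for mac, g in correlate(alerts).items()}
    return decisions, is_anomalous(profile, len(alerts))


if __name__ == "__main__":
    print(run_controller(SAMPLE_ALERTS, build_profile(NORMAL_HISTORY)))
```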
The problem of the physical location of sensors depends on their range and on the physical nature of the network. This issue has been widely addressed in the literature, and the solutions are detailed in [29] [30]. A sensor can monitor multiple access points at once. The number of access points monitored depends on the processing capacity of the sensor and its range. It is preferable to cover each access point with at least two sensors, for reliability reasons. This redundancy has a significant impact on the cost of the solution. Wireless sensors should be deployed in areas monitored by cameras to ensure their physical protection.

The management network provides communication between the various components of the IDS. It must be isolated from the intranet of the company. This isolation protects the detection system against attacks from inside or outside the company premises. Moreover, communications between its components, such as the sensors and the control station, are encrypted. This measure aims to prevent the wiretapping of communications between the modules of the intrusion detector.

VIII. CONCLUSION AND FUTURE WORK
The aim of this paper was to design a scalable wireless intrusion detection system. We presented a modular architecture that takes into consideration the requirements of the transmission medium. Misuse detection is carried out by the sensors, while anomaly detection is centralized at the level of the controllers, which have a global view of the activities of the monitored network. The latter is based on classifiers that process features extracted from the traffic in order to identify intrusions.

Feature selection is an interesting area to explore. A major problem that many researchers face is how to select the best set of features to maximize the accuracy and reduce the learning time of the classifier. It is obvious that not all features extracted from the wireless traffic are suitable for the construction of the IDS detector. In some cases, irrelevant and redundant features can introduce noisy data that distracts the learning algorithm and therefore severely degrades the accuracy of the detector and slows down the training and testing process. In the future, we plan to study the impact of feature selection on the performance and learning time of classifiers based on artificial neural networks, machine learning and support vector machines.

REFERENCES
[1] CERT, http://www.cert.org/stats/, accessed on 04/09/2009.
[2] Computer Economics, http://www.computereconomics.com, accessed on 04/09/2009.
[3] Rebecca Gurley Bace, Intrusion Detection, Technology Series, New Riders.
[4] Netstumbler, http://www.netstumbler.com/, accessed on 04/09/2009.
[5] Wellenreiter, http://sourceforge.net/projects/wellenreiter/, accessed on 04/09/2009.
[6] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz, "Extensible Authentication Protocol (EAP)", Request for Comments 3748, June 2004.
[7] B. Aboba, D. Simon, P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework", Request for Comments 5247, August 2008.
[8] S. Fluhrer, I. Mantin, and A. Shamir, "Weaknesses in the key scheduling algorithm of RC4", Eighth Annual Workshop on Selected Areas in Cryptography, August 2001.
[9] J. Bellardo, S. Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", USENIX Security Symposium, pages 15-28, 2003.
[10] Aircrack-ng, http://www.aircrack-ng.org/, accessed on 2007-12-12.
[11] A. Bittau, M. Handley, J. Lackey, "The final nail in WEP's coffin", 2006 IEEE Symposium on Security and Privacy, May 2006.
[12] The Common Intrusion Detection Framework (CIDF), http://gost.isi.edu/cidf/, accessed on 04/09/2009.
[13] Intrusion Detection Working Group, http://www.ietf.org/proceedings/05nov/idwg.html
[14] F. Adelstein, P. Alla, R. Joyce, G. Richard III, "Physically Locating Wireless Intruders", Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'04), 2004.
[15] J. Wright, "Detecting wireless LAN MAC address spoofing", http://home.jwu.edu/jwright/papers/wlan-mac-spoof.pdf
[16] J. Yeo, M. Youssef and A. Agrawala, "A framework for wireless LAN monitoring and its applications", Proceedings of the 2004 ACM Workshop on Wireless Security, Philadelphia, PA, USA, pp. 70-79.
[17] Yu-Xi Lim, Tim Schmoyer, John Levine, Henry L. Owen, "Wireless intrusion detection and response", Proceedings of the 2003 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY, June 2003, pp. 68-75.
[18] Air Defense Inc, "Wireless LAN Security for the Enterprise", Air Defense, http://www.airdefense.net/
[19] AirMagnet, "Air Magnet", http://www.airmagnet.com/
[20] Black Alchemy Enterprises, "Black Alchemy Weapons Lab: Fake AP", Black Alchemy Enterprises, http://www.blackalchemy.to/Projects/fakeap/fakeap.html
[21] J. L. DeBoer, "Digital Matrix - AirSnare", http://home.attbi.com/digitalmatrix/airsnare/
[22] A. Valdes, K. Skinner, "Probabilistic Alert Correlation", Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, RAID 2001.
[23] A. K. Ghosh, "Learning Program Behavior Profiles for Intrusion Detection", Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, 1999.
[24] S. Mukkamala, G. Janoski, A. H. Sung, "Intrusion Detection Using Neural Networks and Support Vector Machines", Proceedings of the IEEE International Joint Conference on Neural Networks, 2002, pp. 1702-1707.
[25] S. J. Stolfo, F. Wei, W. Lee, A. Prodromidis, and P. K. Chan, "Cost-based Modeling and Evaluation for Data Mining with Application to Fraud and Intrusion Detection", Results from the JAM Project, 1999.
[26] S. Mukkamala, A. H. Sung, "A Comparative Study of Techniques for Intrusion Detection", Proceedings of the 15th IEEE International Conference on Tools with Artificial Intelligence (ICTAI'03).
[27] MIT Lincoln Laboratory, DARPA Intrusion Detection Evaluation Data Sets, http://www.ll.mit.edu/IST/ideval/data/data_index.html
[28] Y. Lim, T. Schmoyer, J. Levine, H. L. Owen, "Wireless Intrusion Detection and Response", Proceedings of the 2003 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY, June 2003.
[29] X. Wang, G. Xing, Y. Zhang, C. Lu, R. Pless, C. Gill, "Integrated coverage and connectivity configuration in wireless sensor networks", ACM SenSys'03, 2003.
[30] X. Liu, "Coverage with Connectivity in Wireless Sensor Networks", 3rd International Conference on Broadband Communications, Networks and Systems, BROADNETS 2006, October 2006, San Jose, CA.