Upload
others
View
11
Download
0
Embed Size (px)
Citation preview
Advances in Wireless and Mobile Communications.
ISSN 0973-6972 Volume 10, Number 5 (2017), pp. 1141-1162
© Research India Publications
http://www.ripublication.com
Context aware Wireless Intrusion Detection System
for IEEE 802.11 based Wireless Sensor Networks
Siva Balaji Yadav.C1 and R.Seshadri, PhD2
1(Computer Science and Engineering, SV University, Tirupati, India)
2(SVU Computer center, SV University, Tirupati, India)
Abstract
In recent decades the launch of cyber attacks against wireless network is more
than the wired networks. This is due to the presence of Layer 2 vulnerabilities
in IEEE 802.11 protocol standards. Most of the attacks against the wireless
networks are targeting layer 2 vulnerabilities which are more susceptible to
DoS, MiTM and replay attacks etc. In this paper, we focus only on the
problem of DDoS against IEEE 802.11 and a novel Intrusion Detection
System is designed to detect such DDoS attacks. The key idea used in the
proposed IDS is to apply Kernel Density Derivative Estimator to study the
steady state probabilities (density) of each Station (clients) in the network.
Then correlation is applied to the steady state probabilities to find the
correlativity of each packet generated from different nodes which in turn gives
the results of malformed packets (Deauthentication-DDoS). The primary focus
of this work is on the particular scenario where the attacker injects the
malformed frames on the target network (Broadcast Spoofed De-
authentication DDoS). A strong analysis is made by experimenting the attacks
in the live testbed. The experiments carried out are in house and purely
deployed in the live testbed using Parrot Operating system. From the
observation it is clearly observed that the proposed IDS is optimal enough
with the good results of more than 94% in detection rate.
Keywords: WIDS, IDS, Parrot Operating system, HMM, markov chain,
Intrusion
1142 Siva Balaji Yadav.C and R.Seshadri
I. INTRODUCTION
Recent advancement in wireless technologies is increasing from last decade. This is
due to increase in usage of pervasive devices, mobile gadgets, cloud connected
components etc. The popularity of the technology leads the operational free lower
cost devices. Due to the popularity and increase in usage leads these wireless
technologies prune to attacks. Existing data frame security standards such as WEP,
WPA, WPA2 etc can provide authentication based security cryptographic standard
[1]. However attacks over data and control plane are still possible in Wi-Fi networks.
The most prominent feature available in IEEE 802.11 network is it can operate in both
adhoc and infrastructure mode. This paper focus on the IEEE 802.11 network which
operates only in infrastructure mode with dedicated access point. The basic working
operation of the AP and Stations in IEEE 802.11 are listed into Authentication,
Association, Disassociation, Disconnection, Deauthentication etc. i) Authentication:
Authentication is the initial step for each sensor node operating in IEEE 802.11
standards. Initially client has to send connect request to the AP using authentication
frame with Initialization vector (IVs) to establish connection with the Access Point for
the successful data exchange. ii) Association: Association is the second step carried
out by the sensor nodes to associate itself with the AP after authentication. Address
allocation, node registration etc are carried out in this phase. iii) Disassociation:
Disassociation is the step carried out by the wireless client to initialize the
disassociation of the client from the AP. Here the client sends disassociation frames to
AP to disassociate itself. Disassociation with all connected clients can happen only if
any firmware level upgradation is carried out in AP. iv) Disconnection: Disconnection
is the process where the AP sends disassociation request to the client to disconnect
from the AP. v) Deauthentication: Deauthentication frame (as shown in Figure 1a -
1c) is initiated from the client if the station needs to leave the network gracefully.
Likewise, the AP also sends deauthentication frame if it needs to disconnect from the
client at the particular time interval [2-10].
Figure. 1a Pre-attack - Deauthentication Attack scenario
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1143
Figure. 1b Deauthentication DDoS attack scenario
Figure. 1c Post-attack - Deauthentication attack scenario
The two major frames known as Deauthentication and Disassociation frames are used
for entire handshake of IEEE 802.11 network. These two frames are responsible to
perform association and connection of AP with Stations (STA)[11]. But the hard fact
is these two frames are not encrypted enough hence the attacker make use of these
frames for successful launch of attacks. Attacker can easily masquerades any of these
frames by tapping layer 2 protocols (DLL)[12]. These masquerades result in MAC
address based spoofing and attacks against AP and clients by initializing n number of
deauthentication and disassociation frames. Once these frames are flooded against
client and AP, based on the level of payload and packet generation, AP and STA
never gets connected. Additionally all the STA needs an reauthentication in order to
connect with AP. Figure 2 shows the attack scenario of how an attacker can easily
1144 Siva Balaji Yadav.C and R.Seshadri
launch a powerful DoS over any IEEE 802.11 network by spoofing disassociation and
deauthentication frames [13-20].
Figure. 2 Deauthentication and Disassociation attack scenario.
Present day methods used to mitigate the deauthentication and disassociation based
DDoS attack includes cryptography and newer standards for protocol by modifying
the entire protocol stack. Cryptography techniques include additional hardware and
softwares for special tasking and computing the keys [13][16][18]. Specific server
should be deployed to monitor the key distribution and management. However
protocol stack level upgradation is very expensive tasks and increases administrative
over heads. Upgradation of firmware in critical application deployment is a harder
task and time consuming [14 -15][17][22][23-25]. From the observation, it is not
feasible to adopt the existing mitigation technique. Hence in this paper, novel
software based Intrusion Detection System has been proposed. The proposed Wireless
IDS does not suffer any critical impact which are listed above. The summary of the
contribution is listed below
A novel Context aware Wireless Intrusion Detection System is proposed and
operable in both legacy standards (cryptography implemented networks) and
non- legacy network
The proposed IDS is purely software based and does not require any additional
hardware or firmware updation and can be easily deployable in both client and
server side.
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1145
The paper is organized as follows: Section II presents the security goal, literature
review and some related works about the security issues and mitigation techniques in
WSNs. Section III gives the brief explanation about the proposed CAWIDS. Section
IV dealt with the experimental results and the performance analysis of the proposed
CAWIDS with the state of the art methods is given in the penultimate section. Finally
the paper is concluded in section V.
II. MOTIVATION
Here, we initially discuss about the basics of Wi-Fi and its operating characteristics
and followed by attacks and its attack definitions.
Basic Terminologies
In general, Wi-Fi network consists of many wireless clients such as mobiles, laptops,
tablets etc and an Access point which might be a wireless router. All the
communication will take place by means of AP where the AP is connected to a
backbone network of any ISP. Initial stage is client needs to authenticate itself with
AP in order to associate with the AP and to join the network. The procedure is same
for all the wireless clients which are seeking to form a network.
Deauthentication Attack
Deauthentication attack is launched over the deauthentication frames due to its plain
text in nature. Hence spoofing of these plain-text frames is easier when compared to
encrypted data frames. These management frames are responsible for fast processing
and to proceed with handshaking mechanism with AP to all connected clients. Due to
its open plain text nature, AP is not liable to verify its authenticity and process the
deauthentication spoofed frames. This leads to initiate deauthentication request
against clients resulting the clients to terminate its connection with AP. Once the
client is targeted and redirected with high number of deauthentication frames then the
client has to initiate reauthentication for its next level association. This makes the
client to lose connectivity at any point of range. As per the existing standards of IEEE
802.11, deauthentication request is just a notification not a request. Figure 1 and
Figure 2 clearly shows the actual working mechanism of deauthentication attack
launched against a wireless network [5-20].
State of the art methods
Many researchers proposes various methods for mitigating the Deauthentication based
1146 Siva Balaji Yadav.C and R.Seshadri
DDoS attack in Wi-Fi network. Some of the state of the art methods have been
reviewed and presented here in this section.
Entropy based WIDS
Kamalanaban et al proposed a novel Wireless Intrusion Detection System using
Entropy based approach. Here the authors concentrate on calculating entropy for all
the frames which is going in and around the network. The key advantage of the stated
method is better but requires high computation. The author also addresses some basics
level channel switching and it detection mechanism where their IDS is capable to
detect Deauthentication DDoS attack at any channel in multiple networks. The only
challenge possessed by the WIDS stated by the author is overhead of processing and
execution time [12].
Cryptography based methods
Bellardo proposed a encryption method to encrypt all the frames which is going in
and around the network. The method proposed by the author is robust enough but
needs special upgradation of firmware and hardware as well in both client and server
[25].
III. PROPOSED IDS
In this paper, a new context aware IDS has been developed to detect Deauthentication
DDoS attacks. The proposed IDS is robust and context aware in nature due to its
learning capabilities of real time live feed of network data and cross correlating it with
the addressed pattern in order to detect the DDoS and wireless anomalies. Robustness
of the behavior model proposed in this paper is initially to learn the network traffic
patterns using KDDE function, where Kernel Density function is used to estimate the
PDF of a complete randomness. Here in KDDE, Parzen–Rosenblatt window method
is used for estimating the density values. The KDDE is a kernel function which works
on basis of neural model which is clearly figured in the equation (1). Each input is
tested with the possible output and the learned data is computed with KDDE values.
Firstly in learning phase all the network parameters are learnt and profiled specifically
with KDDE values and approximate KDDE values are computed. Secondly in
detection phase the KDDE values of the live feed are compared with learnt KDDE
values and correlation is applied in order to detect the intrusions [3].
-------------------- 1
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1147
Fig 3. Architecture of Proposed Context aware WIDS
Here, KDDE values are computed for learning phase using specific network patterns
such as IP, port, Link, interface (ETH#, WLAN#), BOOTIF (MAC) and other system
parameter such as NET CONSOLE, CPU utilization, Memory usage, Memory
utilization, Incoming Packet buffer, Outgoing Packet buffer, Cached Bytes etc.
Network packet analyzers are used to analyze the network packets. Packet capturing
interface is widely used to capture all the packets and network data collector acts as
the serialization interface for all the network inputs.
Learning phase
In this phase, the values have been collected from the network parameters which are
related to the network for each connected host. Each host are profiled into system and
network parameters and each value are utilized to compute KDDE. A detailed process
was illustrated in the algorithm 1 which runs in all hosts for 5 working days with all
network and system credentials
1148 Siva Balaji Yadav.C and R.Seshadri
-------------------------------------------------------------------------------------------------------
Algorithm 1 Learning phase
-------------------------------------------------------------------------------------------------------
Begin
Initiate learning and profiling
Profile each host
Collect network credentials
Do feature selection
Compute KDDE
Compute KDDE parameters with appropriate values
End
-------------------------------------------------------------------------------------------------------
Detection phase
In this phase as off the learning phase is cloned to compute KDDE values for the
hosts of same parameters in several time periods. Then the Comparison process is
carried out for the present KDDE values with the learnt KDDE values.
Hypothesis
According to the hypothesis, the correlation values lies between 0 and 1.KDDE value
computed is always lies between 0 to 1. If the values are nearest circumstance of 1,
then the relationship possessed by the parameters is in strong relationship. If the
threshold value falls<0.5, then it is abnormal frame or Deauthentication frame
Correlation phase
Based on the hypothesis defined above the cross correlation values are computed. The
detection phase is exhibited by considering, analyzing and comparing all the defined
network and system parameters. According to the discussion defined in previous
section’s anomalies are the specific event based, so that the proposed methodology
computed here yields the promising results by utilizing the network parameters for
identification.
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1149
-------------------------------------------------------------------------------------------------------
Algorithm 2 Detection phase
-------------------------------------------------------------------------------------------------------
Use learnt data
Procure the live feed
Do feature selection
Compute KDDE
Use KDDE values of Learnt data and live feed
Check all the frame: include (control, management and data frames)
Apply cross correlation
Compare cross correlation value for each network parameter
If the threshold (correlation) < 0.5 then
Caption: Intrusion detection
Trigger Alarm
End
-------------------------------------------------------------------------------------------------------
IV. EXPERIMENTAL RESULTS
The correlation coefficient values of the two collective samples were linearly
inclusive with +1 or -1 which in term shows the deviation range and the proposed
methodology yields the promising results by detecting intrusions in near real time (Fig
4 - Fig 21). Here the correlation values are compared between kernel density function
values along with the trained values. Then the range of threshold is isolated and
correlativity is computed by correlating various system and network parameters.
Using this method all the attacks performed during certain time periods were
identified/detected and experimentally promising results were achieved. The cross
correlation values of attack sequence are clearly defined in the Table 1 for various
attributes like CPU utilization, RAM utilization, outgoing packets, incoming packets
etc.,.
1150 Siva Balaji Yadav.C and R.Seshadri
Figure.4 Kernel Density Estimation for Incoming bytes (Learning phase)
Figure 5: Kernel Density Estimation for Incoming packets (Learning phase)
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1151
Figure 6: Kernel Density Estimation for Outgoing bytes (Learning phase)
Figure.7: Kernel Density Estimation for Outgoing packets (Learning phase)
1152 Siva Balaji Yadav.C and R.Seshadri
Figure.8 Kernel Density Estimation for RAM Buffered (Learning phase)
Figure.9 Kernel Density Estimation for RAM Used (Learning phase)
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1153
Figure.10 Kernel Density Estimation for Incoming bytes (Detection phase)
Figure.11 Kernel Density Estimation for Incoming Packets (Detection phase)
1154 Siva Balaji Yadav.C and R.Seshadri
Figure.12 Kernel Density Estimation for Outgoing bytes (Detection phase)
Figure.13 Kernel Density Estimation for Outgoing Packets (Detection phase)
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1155
Figure.14 Kernel Density Estimation for RAM buffered (Detection phase)
Figure.15 Kernel Density Estimation for RAM Used (Detection phase)
1156 Siva Balaji Yadav.C and R.Seshadri
Figure.16 Kernel Density Estimation for Incoming bytes (Correlation phase)
Figure.17 Kernel Density Estimation for Incoming Packets (Correlation phase)
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1157
Figure.18 Kernel Density Estimation for Outgoing Bytes (Correlation phase)
Figure.19 Kernel Density Estimation for Outgoing Packets (Correlation phase)
1158 Siva Balaji Yadav.C and R.Seshadri
Figure.20 Kernel Density Estimation for RAM Buffered (Correlation phase)
Figure.21 Kernel Density Estimation for RAM used (Correlation phase)
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1159
Table I: Cross correlation values of attacking sequence
S.No Time CPU RAM Outgoing
packets
Incoming
packets
1 1:16:59 1179339978 892986 896046 636809
2 1:17:10 1179339978 896119 896046 636809
3 1:18:28 1179611728 898952 898952 639716
4 1:19:26 1179791914 898231 901233 641997
5 1:20:27 1179972352 900347 903479 644243
6 1:21:27 1180153141 902466 905726 646491
7 1:22:27 1180376311 904659 908039 648815
8 1:23:11 1211149803 926499 937182 664802
9 1:24:4 1262468314 962392 937182 664802
10 1:25:26 1380740088 1043522 1022047 709688
11 1:26:22 1420838212 1071513 1071466 735810
The proposed model can be deployed in both client and server side to detect any form
of wireless attack. Currently it is tested by deploying in both client and server. The
real time implementation result is also given. A command line console is given to
display the alerts from the proposed model. Figure states the attack detection and alert
scenario where the alert consists of Target MAC address, AP with which the client
is connected and attacker’s MAC.
V. CONCLUSION
This paper is concluded by proposing a novel Wireless Intrusion Detection System.
The proposed Context aware WIDS is evaluated and some of the active time stamps
are estimated and tabulated in Table I. In detection the Cross correlation values for
network and system parameters are estimated along with the time stamp and deviation
range of the values are mentioned in the Figures 4 -15 for network and host
parameters. The experimental results demonstrated in the Figure 16 - 21 shows the
results of correlation which shows the optimality of the proposed algorithm in
detection. In future, the proposed IDS is extended to detect the covert
communications in WSN.
1160 Siva Balaji Yadav.C and R.Seshadri
REFERENCES
[1] M. Agarwal, S. Biswas and S. Nandi, "Detection of De-Authentication DoS
Attacks in Wi-Fi Networks: A Machine Learning Approach," Systems, Man,
and Cybernetics (SMC), 2015 IEEE International Conference on, Kowloon,
2015, pp. 246-251.
[2] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based
defense mechanisms countering the dos and ddos problems,” ACM
Computing Survey, vol. 39, no. 1, 2007.
[3] F.Bin Hamid Ali and Y.Y.Len,”Development of host based intrusion
detection system for log files”, in Business, Engineering and Industrial
Applications,2011 IEEE symposium on,Sep2011,pp:281-285.
[4] Yu-Xin Ding,Min Xiao,Ai-Wu-Liu “Research and implementation on
snort-based hybrid intrusion detection system”, in proceedings of the
Eighth International Conference on
a. Machine Learning and Cybernetics,12-15 July 2009.
[5] Ficco, M., & Romano, L. (2011, June). A generic intrusion detection and
diagnoser system based on complex event processing. In Data Compression,
Communications and Processing (CCP), 2011 First International Conference
on (pp. 275-284). IEEE.
[6] V. S. S. Sriram, G. Sahoo and K. K. Agrawal, "Detecting and eliminating
Rogue Access Points in IEEE-802.11 WLAN - a multi-agent sourcing
Methodology," Advance Computing Conference (IACC), 2010 IEEE 2nd
International, Patiala, 2010, pp. 256-260.
[7] Szott, S., "Selfish insider attacks in IEEE 802.11s wireless mesh networks," in
Communications Magazine, IEEE , vol.52, no.6, pp.227-233, June 2014
[8] Milliken, J.; Selis, V.; KianMeng Yap; Marshall, A., "Impact of Metric
Selection on Wireless DeAuthenticationDoS Attack Performance," in
Wireless Communications Letters, IEEE , vol.2, no.5, pp.571-574, October
2013
[9] El-Khatib, K, "Impact of Feature Reduction on the Efficiency of Wireless
Intrusion Detection Systems," in Parallel and Distributed Systems, IEEE
Transactions on , vol.21, no.8, pp.1143-1149, Aug. 2010
[10] Makanju, A.; LaRoche, P.; Zincir-Heywood, A.N., "A Comparison Between
Signature and GP-Based IDSs for Link Layer Attacks on WiFi Networks," in
Computational Intelligence in Security and Defense Applications, 2007.
CISDA 2007. IEEE Symposium on , vol., no., pp.213-219, 1-5 April 2007
[11] R. Mohan, V. Vaidehi, Ajay Krishna A, Mahalakshmi M and S. S.
Chakkaravarthy, "Complex Event Processing based Hybrid Intrusion
Detection System," 2015 3rd International Conference on Signal Processing,
Communication and Networking (ICSCN), Chennai, 2015, pp. 1-6.
Context aware Wireless Intrusion Detection System for IEEE 802.11… 1161
[12] Ethala, K., Sheshadri, R., & Chakkaravarthy, S. S. (2014). WIDS Real-Time
Intrusion Detection System Using Entrophical Approach. Advances in
Intelligent Systems and Computing Artificial Intelligence and Evolutionary
Algorithms in Engineering Systems, 73-79. doi:10.1007/978-81-322-2126-5_9
[13] S.Sibi Chakkaravarthy, V.Vaidehi; "Behavior based anomaly detection model
for. detecting wireless covert attacks in Wi-Fi", Security and Privacy
Symposium, 2015, IIITD, February 13-14,2015.
[14] N. Baharudin, F. H. M. Ali, M. Y. Darus and N. Awang, "Wireless Intruder
Detection System (WIDS) in Detecting De-Authentication and Disassociation
Attacks in IEEE 802.11," 2015 5th International Conference on IT
Convergence and Security (ICITCS), Kuala Lumpur, 2015, pp. 1-5.
[15] M. M. Hafiz and F. H. Mohd Ali, "Profiling and mitigating brute force attack
in home wireless LAN," 2014 International Conference on Computational
Science and Technology (ICCST), Kota Kinabalu, 2014, pp. 1-6.
[16] J. Milliken, V. Selis, K. M. Yap and A. Marshall, "Impact of Metric Selection
on Wireless DeAuthentication DoS Attack Performance," in IEEE Wireless
Communications Letters, vol. 2, no. 5, pp. 571-574, October 2013.
[17] A. Dovhan and M. Grabar, "Analysis of the implementation characteristics of
DDoS attacks on Wi-Fi networks," 2014 First International Scientific-
Practical Conference Problems of Infocommunications Science and
Technology, Kharkov, 2014, pp. 180-181.
[18] A. Alabdulatif, X. Ma and L. Nolle, "Analysing and attacking the 4-way
handshake of IEEE 802.11i standard," 8th International Conference for
Internet Technology and Secured Transactions (ICITST-2013), London, 2013,
pp. 382-387.
[19] R. Singh and T. Parval Sharma, "Detecting and reducing the denial of Service
attacks in WLANs," 2011 World Congress on Information and
Communication Technologies, Mumbai, 2011, pp. 968-973.
[20] B. Könings, F. Schaub, F. Kargl and S. Dietzel, "Channel switch and quiet
attack: New DoS attacks exploiting the 802.11 standard," 2009 IEEE 34th
Conference on Local Computer Networks, Zurich, 2009, pp. 14-21.
[21] T. D. Nguyen, D. H. M. Nguyen, B. N. Tran, H. Vu and N. Mittal, "A
Lightweight Solution for Defending Against Deauthentication/Disassociation
Attacks on 802.11 Networks," 2008 Proceedings of 17th International
Conference on Computer Communications and Networks, St. Thomas, US
Virgin Islands, 2008, pp. 1-6.
[22] C. Liu and J. Yu, "Rogue Access Point Based DoS Attacks against 802.11
WLANs," 2008 Fourth Advanced International Conference on
Telecommunications, Athens, 2008, pp. 271-276.
[23] Wenzhe Zhou, A. Marshall and Qiang Gu, "A novel classification scheme for
802.11 WLAN active attacking traffic patterns," IEEE Wireless
1162 Siva Balaji Yadav.C and R.Seshadri
Communications and Networking Conference, 2006. WCNC 2006., Las
Vegas, NV, 2006, pp. 623-628.
[24] K. El-Khatib, "Impact of Feature Reduction on the Efficiency of Wireless
Intrusion Detection Systems," in IEEE Transactions on Parallel and
Distributed Systems, vol. 21, no. 8, pp. 1143-1149, Aug. 2010.
[25] J. Bellardo, S. Savage, "802.11 Denial-of-Service Attacks: Real
Vulnerabilities and Practical Solutions", Proceedings of the 12th Conference
on USENIX Security Symposium, vol. 12, pp. 15-28, 2003.