Agent Based Intrusion Detection and Response System for Wireless LANs

Wireless LAN technology, despite the numerous advantages it has over competing technologies, has not seen widespread deployment. A primary reason for markets not adopting this technology is its failure to provide adequate security. Data that is sent over wireless links can be compromised with utmost ease. In this project, we propose a distributed agent based intrusion detection and response system for wireless LANs that can detect unauthorized wireless elements like access points, wireless clients that are in promiscuous mode etc. The system reacts to intrusions by either notifying the concerned personnel, in case of rogue access points and promiscuous nodes, or by blocking unauthorized users from accessing the network resources

Detecting And Eliminating Rogue Access Points In Ieee-802.11 Wlan - A Multi-Agent Sourcing Methodology

For the Wireless Networks, presence of unapproved access points is becoming the major security issue. If this kind of network threats are not detected and mitigated on time, those will lead to the serious network damage and data loss. There are many researchers proposed solutions to overcome this security problem of WLAN, but those proposed tools having limitations or maybe they not automated to adopt the frequent changes in WLAN. We are into this research to present the new approach based on Master and Slave agents. This proposed approach not only looking for fast detection of Rogue Access points in the network but also presenting the solution to mitigate the WLAN from them. In short new framework is dealing with detecting as well as eliminating the Rough Access Points in the network. In proposed approach, the Master and slave agents are automatically scanning the networks for any unauthorized access points using the skew intervals. Thi

СЦЕНАРІЙ АТАКИ З ВИКОРИСТАННЯМ НЕСАНКЦІОНОВАНОЇ ТОЧКИ ДОСТУПУ У МЕРЕЖАХ IEEE 802.11

One of the most serious security threats to wireless local area networks (WLANs) in recent years is rogue access points that intruders use to spy on and attack. Due to the open nature of the wireless transmission medium, an attacker can easily detect the MAC addresses of other devices, commonly used as unique identifiers for all nodes in the network, and implement a spoofing attack, creating a rogue access point, the so-called "Evil Twin". The attacker goal is to connect legitimate users to a rogue access point and gain access to confidential information. This article discusses the concept, demonstrates the practical implementation and analysis of the “Evil Twin” attack. The algorithm of the intruder's actions, the scenario of attack on the client, and also procedure for setting up the program-implemented rogue access point is shown. It has been proven that the implementation of the attack is possible due to the existence of several access points with the same service set identifier and MAC address in the same area, allowed by 802.11 standard. The reasons for failure operation of the network and possible interception of information as a result of the attack are identified, methods of detecting rogue access points are analyzed. During the experiment, observations of the 802.11 frames showed that there were deviations in the behavior of beacon frames at the time of the "Evil Twin" attack. First, the number of beacon frames coming from the access point which succumbed to the attack is increasing. Secondly, the traffic analyzer detected significant fluctuations in the values of the received signal level, which simultaneously come from a legitimate and rogue access point, which allows to distinguish two groups of beacon frames. The "Evil Twin" attack was implemented and researched using Aircrack-ng – a package of software for auditing wireless networks, and Wireshark – network traffic analyzer. In the future, the results obtained can be used to improve methods of protection against intrusion into wireless networks, in order to develop effective systems for detecting and preventing intrusions into WLAN.Однією з найсерйозніших загроз безпеці безпроводових локальних мереж (WLAN) в останні роки є шахрайські несанкціоновані точки доступу, які зловмисники використовують для шпигунства і атак. Через відкритий характер середовища передачі безпроводових мереж, зловмисник може легко виявляти МАС-адреси інших пристроїв, що зазвичай використовуються як унікальні ідентифікатори для всіх вузлів в мережі та реалізовуючи спуфінг-атаку, створювати несанкціоновану безпроводову точку доступу, так званий, "Злий двійник" (“Evil Twin”). Зловмисник має на меті перепідключити законних користувачів до шахрайської точки доступу та отримати доступ до конфіденційної інформації. У даній статті розглянуто концепцію, продемонстровано практичну реалізацію та досліджено атаку “Evil Twin”. Показано алгоритм дій зловмисника, сценарій атаки на клієнта, а також процедуру налаштування програмно-реалізованої несанкціонованої точки доступу. Доведено, що реалізація атаки можлива завдяки, дозволеному стандартом 802.11, існуванню кількох точок доступу з однаковими ідентифікатором набору послуг та MAC-адресою в одній і тій же області. Виявлено причини порушення функціонування мережі та можливого перехоплення інформації в результаті атаки, проаналізовано сучасні методи виявлення несанкціонованих точок доступу. В ході експерименту, проведено спостереження за кадрами 802.11 та показано, що існують відхилення в поведінці кадрів-маяків під час атаки "Evil Twin". По-перше кількість кадрів-маяків, які надходять від точки доступу, що піддалась атаці, зростає. По-друге, аналізатором трафіку зафіксовано суттєві флуктуації значень рівня прийнятого сигналу, які одночасно надходять від легітимної та шахрайської точки доступу, що дозволяє виділити дві групи кадрів-маяків.  Реалізація та дослідження даного виду атаки проведено з використанням пакету програм для аудиту безпроводових мереж Aircrack-ng та Wireshark для захоплення і аналізу мережного трафіку. В подальшому отримані результати можуть бути використані для вдосконалення методів захисту від стороннього втручання в безпроводові мережі, з метою розробки ефективних систем виявлення і запобігання вторгнень в WLAN

Rogue access point detection framework on a multivendor access point WLAN

Thesis submitted in partial fulfillment of the requirements for the Degree of Master of Science in Information Technology (MSIT) at Strathmore UniversityWireless internet access has become common throughout the world. IEEE 802.11 Wireless fidelity (Wi-Fi) is now a common internet access standard almost becoming a requirement in homes, offices, universities and public places due to developments in Bring-Your-Own-Device (BYOD), mobile telephony and telecommuting. With the proliferation of Wi-Fi comes a number of information security challenges that have to be addressed. One of the major security threats that comes with Wi-Fi is the presence of rogue access points (APs) on the network. Unsuspecting employees in a company or attackers can introduce rogue APs to a secure wired network. The problem is amplified if the wireless local area network (WLAN) consist of multivendor APs. Malicious people can leverage on rogue APs to perform passive or active attacks on a computer network. Therefore, there is need for network administrators to accurately, with less effort, detect and control presence of rogue APs on multivendor WLANs. In this thesis, a solution that can accurately support detection of rogues APs on a multi-vendor AP WLAN without extra hardware or modification of AP firmware is presented. In the solution, information from beacon frames is compared to a set of approved parameters. Intervention of a network administrator is included to prevent MAC address spoofing. A structured methodology was adopted in developing the model on a Windows operating system. Python programming language was used in coding the system with Scapy and Tkinter as the main modules. SQLite database was used to store required data. The system was tested on a setup WLAN that composed of three different access points in a University lab. It was able to capture beacon frames sent by the access points and extracted MAC address, SSID and capability information as the key parameters used in identifying and classifying the access points. The system uses the captured information to automatically compare it against an existing database of authorized parameters. It is then able to classify an access point as either rogue or authorized. The system issued alerts that described the detected APs to a network administrator. The rest of this document gives details of scholarly works that are pertinent to the study, the research methodology used, implementation and testing of the model followed by discussions of findings and the conclusions and recommendations made by the researcher

Система виявлення аномальних станів комп’ютерної мережі

У роботі досліджуються найпоширеніший різновидів аномалій у бездротових мережах - навмисні атаки на бездротові мережі, а саме : Denial of Service, Eavesdropping, Encryption Cracking, Authentication Attack, Wireless Hijacking, Social Engineering. На основі проведеного дослідження маркерів за якими можна ідентифікувати ці аномалії в роботі представлено теоретичні висновки на підставі яких зроблено практичне дослідження методів моніторингу та виявлення атаки в реальному часу. А саме для атак типу “Session Hijacking” запропоновано використовувати моніторинг отриманої потужності сигналу (RSS). Потужність отриманого сигналу це міра енергії, яка спостерігається на рівні фізичний рівень моделі OSI антеною приймача. У мережах IEEE 802.11 значення індикації RSS (RSSI) використовується, коли виконується CCA та в роумінгових операціях. Потужність радіочастотного сигналу може бути виміряна або в абсолюті (децибел міліват) або відносно (RSSI)

IEEE 802.11 i Security and Vulnerabilities

Despite using a variety of comprehensive preventive security measures, the Robust Secure Networks (RSNs) remain vulnerable to a number of attacks. Failure of preventive measures to address all RSN vulnerabilities dictates the need for enhancing the performance of Wireless Intrusion Detection Systems (WIDSs) to detect all attacks on RSNs with less false positive and false negative rates

User-side wi-fi hotspot spoofing detection on android-based devices

A Dissertation Submitted in Partial Fulfilment of the Requirements for the Degree of Master’s in Wireless and Mobile Computing of the Nelson Mandela African Institution of Science and TechnologyNetwork spoofing is becoming a common attack in wireless networks. Similarly, there is a rapid growth of numbers in mobile devices in the working environments. The trends pose a huge threat to users since they become the prime target of attackers. More unfortunately, mobile devices have weak security measures due to their limited computational powers, making them an easy target for attackers. Current approaches to detect spoofing attacks focus on personal computers and rely on the network hosts’ capacity, leaving users with mobile devices at risk. Furthermore, some approaches on Android-based devices demand root privilege, which is highly discouraged. This research aims to study users' susceptibility to network spoofing attacks and propose a detection solution in Android-based devices. The presented approach considers the difference in security information and signal levels of an access point to determine its legitimacy. On the other hand, it tests the legitimacy of the captive portal with fake login credentials since, usually, fake captive portals do not authenticate users. The detection approaches are presented in three networks: (a) open networks, (b) closed networks and (c) networks with captive portals. As a departure from existing works, this solution does not require root access for detection, and it is developed for portability and better performance. Experimental results show that this approach can detect fake access points with an accuracy of 98% and 99% at an average of 24.64 and 7.78 milliseconds in open and closed networks, respectively. On the other hand, it can detect the existence of a fake captive portal at an accuracy of 88%. Despite achieving this performance, the presented detection approach does not cover APs that do not mimic legitimate APs. As an improvement, future work may focus on pcap files which is rich of information to be used in detection