A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK

Nowadays Wireless local area networks (WLANs) are growing very rapidly. Due to the popularity of 802.11 networks, possibilities of various attacks to the wireless network have also increased. In this paper, a special type of attack De-Authentication/disassociation attack has been investigated. In a normal scenario, a wireless client or user sends a de-authentication frame when it wants to terminate the connection. These frames are in plain text and are not encrypted. These are not authenticated by the access point. Attackers take advantage of this, and spoof these packets and disable the communication between the connected client and access point. In this paper, an algorithm based on radio-tap header information is suggested to identify whether there is a De-Authentication attack on the client or not

Performance analysis of wireless intrusion detection systems

Wireless intrusion detection system (WIDS) has become a matter of increasing concern in recent years as a crucial element in wireless network security. WIDS monitors 802.11 traffic to identify the intrusive activities, and then alerts the complementary prevention part to combat the attacks. Selecting a reliable WIDS system necessitates inevitably taking into account a credible evaluation of WIDSs performance. WIDS effectiveness is considered the basic factor in evaluating the WIDS performance, thus it receives great attention in this thesis. Most previous experimental evaluations of intrusion detection systems (IDSs) were concerned with the wired IDSs, with an apparent lack of evaluating the wireless IDSs (WIDSs). In this thesis, we try to manipulate three main critiques of most pervious evaluations; lack of comprehensive evaluation methodology, holistic attack classification, and expressive evaluation metrics. In this thesis, we introduce a comprehensive evaluation methodology that covers all the essential dimensions for a credible evaluation of WIDSs performance. The main pivotal dimensions in our methodology are characterizing and generating the evaluation dataset, defining reliable and expressive evaluation metrics, and overcoming the evaluation limitations. Basically, evaluation dataset consists of two main parts; normal traffic (as a background) and malicious traffic. The background traffic, which comprises normal and benign activities in the absence of attacks, was generated in our experimental evaluation tests as real controlled traffic. The second and important part of the dataset is the malicious traffic which is composed of intrusive activities. Comprehensive and credible evaluation of WIDSs necessitates taking into account all possible attacks. While this is operationally impossible, it is necessary to select representative attack test cases that are extracted mainly from a comprehensive classification of wireless attacks. Dealing with this challenge, we have developed a holistic taxonomy of wireless security attacks from the perspective of the WIDS evaluator. The second pivotal dimension in our methodology is defining reliable evaluation metrics. We introduce a new evaluation metric EID (intrusion detection effectiveness) that manipulates the drawbacks of the previously proposed metrics, especially the common drawback of their main notion that leads to measuring a relative effectiveness. The notion of our developed metric EID helps in measuring the actual effectiveness. We also introduce another metric RR (attack recognition rate) to evaluate the ability of WIDS to recognize the attack type. The third important dimension in our methodology is overcoming the evaluation limitations. The great challenge that we have faced in the experimental evaluation of WIDSs is the uncontrolled traffic over the open wireless medium. This uncontrolled traffic affects the accuracy of the measurements. We overcame this problem by constructing an RF shielded testbed to take all the measurements under our control without any interfering from any adjacent stations. Finally, we followed our methodology and conducted experimental evaluation tests of two popular WIDSs (Kismet and AirSnare), and demonstrated the utility of our proposed solutions

Analyse de performance des systèmes de détection d’intrusion sans-fil

La sécurité des réseaux sans fil fait l’objet d’une attention considérable ces dernières années. Toutefois, les communications sans fil sont confrontées à plusieurs types de menaces et d’attaques. Par conséquent, d’importants efforts, visant à sécuriser davantage les réseaux sans fil, ont dû être fournis pour en vue de lutter contre les attaques sans fil. Seulement, croire qu’une prévention intégrale des attaques peut s’effectuer au niveau de la première ligne de défense d’un système (pare-feux, chiffrement, …) n’est malheureusement qu’illusion. Ainsi, l’accent est de plus en plus porté sur la détection des attaques sans fil au travers d’une seconde ligne de défense, matérialisée par les systèmes de détection d’intrusions sans fil (WIDS). Les WIDS inspectent le trafic sans fil, respectant la norme 802.11, ainsi que les activités du système dans le but de détecter des activités malicieuses. Une alerte est ensuite envoyée aux briques chargées de la prévention pour contrer l’attaque. Sélectionner un WIDS fiable dépend principalement de l’évaluation méticuleuse de ses performances. L’efficacité du WIDS est considérée comme le facteur fondamental lors de l’évaluation de ses performances, nous lui accordons donc un grand intérêt dans ces travaux de thèse. La majeure partie des études expérimentales visant l’évaluation des systèmes de détection d’intrusions (IDS) s’intéressait aux IDS filaires, reflétant ainsi une carence claire en matière d’évaluation des IDS sans fil (WIDS). Au cours de cette thèse, nous avons mis l’accent sur trois principales critiques visant la plupart des précédentes évaluations : le manque de méthodologie d’évaluation globale, de classification d’attaque et de métriques d’évaluation fiables. Au cours de cette thèse, nous sommes parvenus à développer une méthodologie complète d’évaluation couvrant toutes les dimensions nécessaires pour une évaluation crédible des performances des WIDSs. Les axes principaux de notre méthodologie sont la caractérisation et la génération des données d’évaluation, la définition de métriques d’évaluation fiables tout en évitant les limitations de l’évaluation. Fondamentalement, les données d’évaluation sont constituées de deux principales composantes à savoir: un trafic normal et un trafic malveillant. Le trafic normal que nous avons généré au cours de nos tests d’évaluation était un trafic réel que nous contrôlions. La deuxième composante des données, qui se trouve être la plus importante, est le trafic malveillant consistant en des activités intrusives. Une évaluation complète et crédible des WIDSs impose la prise en compte de tous les scénarios et types d’attaques éventuels. Cela étant impossible à réaliser, il est nécessaire de sélectionner certains cas d’attaque représentatifs, principalement extraits d’une classification complète des attaques sans fil. Pour relever ce défi, nous avons développé une taxinomie globale des attaques visant la sécurité des réseaux sans fil, d’un point de vue de l’évaluateur des WIDS. Le deuxième axe de notre méthodologie est la définition de métriques fiables d’évaluation. Nous avons introduit une nouvelle métrique d’évaluation, EID (Efficacité de la détection d’intrusion), visant à pallier les limitations des précédentes métriques proposées. Nous avons démontré l’utilité de la métrique EID par rapport aux autres métriques proposées précédemment et comment elle parvenait à mesurer l’efficacité réelle tandis que les précédentes métriques ne mesuraient qu’une efficacité relative. L’EID peut tout aussi bien être utilisé pour l’évaluation de l’efficacité des IDS filaires et sans fil. Nous avons aussi introduit une autre métrique notée RR (Taux de Reconnaissance), pour mesurer l’attribut de reconnaissance d’attaque. Un important problème se pose lorsque des tests d’évaluation des WIDS sont menés, il s’agit des données de trafics incontrôlés sur le support ouvert de transmission. Ce trafic incontrôlé affecte sérieusement la pertinence des mesures. Pour outrepasser ce problème, nous avons construit un banc d’essai RF blindé, ce qui nous a permis de prendre des mesures nettes sans aucune interférence avec quelconque source de trafic incontrôlé. Pour finir, nous avons appliqué notre méthodologie et effectué des évaluations expérimentales relatives à deux WIDSs populaires (Kismet et AirSnare); nous avons démontré à l’issue de ces évaluations pratiques et l’utilité de nos solutions proposées. ABSTRACT : Wireless intrusion detection system (WIDS) has become a matter of increasing concern in recent years as a crucial element in wireless network security. WIDS monitors 802.11 traffic to identify the intrusive activities, and then alerts the complementary prevention part to combat the attacks. Selecting a reliable WIDS system necessitates inevitably taking into account a credible evaluation of WIDSs performance. WIDS effectiveness is considered the basic factor in evaluating the WIDS performance, thus it receives great attention in this thesis. Most previous experimental evaluations of intrusion detection systems (IDSs) were concerned with the wired IDSs, with an apparent lack of evaluating the wireless IDSs (WIDSs). In this thesis, we try to manipulate three main critiques of most pervious evaluations; lack of comprehensive evaluation methodology, holistic attack classification, and expressive evaluation metrics. In this thesis, we introduce a comprehensive evaluation methodology that covers all the essential dimensions for a credible evaluation of WIDSs performance. The main pivotal dimensions in our methodology are characterizing and generating the evaluation dataset, defining reliable and expressive evaluation metrics, and overcoming the evaluation limitations. Basically, evaluation dataset consists of two main parts; normal traffic (as a background) and malicious traffic. The background traffic, which comprises normal and benign activities in the absence of attacks, was generated in our experimental evaluation tests as real controlled traffic. The second and important part of the dataset is the malicious traffic which is composed of intrusive activities. Comprehensive and credible evaluation of WIDSs necessitates taking into account all possible attacks. While this is operationally impossible, it is necessary to select representative attack test cases that are extracted mainly from a comprehensive classification of wireless attacks. Dealing with this challenge, we have developed a holistic taxonomy of wireless security attacks from the perspective of the WIDS evaluator. The second pivotal dimension in our methodology is defining reliable evaluation metrics. We introduce a new evaluation metric EID (intrusion detection effectiveness) that manipulates the drawbacks of the previously proposed metrics, especially the common drawback of their main notion that leads to measuring a relative effectiveness. The notion of our developed metric EID helps in measuring the actual effectiveness. We also introduce another metric RR (attack recognition rate) to evaluate the ability of WIDS to recognize the attack type. The third important dimension in our methodology is overcoming the evaluation limitations. The great challenge that we have faced in the experimental evaluation of WIDSs is the uncontrolled traffic over the open wireless medium. This uncontrolled traffic affects the accuracy of the measurements. We overcame this problem by constructing an RF shielded testbed to take all the measurements under our control without any interfering from any adjacent stations. Finally, we followed our methodology and conducted experimental evaluation tests of two popular WIDSs (Kismet and AirSnare), and demonstrated the utility of our proposed solutions

Empirical Techniques To Detect Rogue Wireless Devices

Media Access Control (MAC) addresses in wireless networks can be trivially spoofed using off-the-shelf devices. We proposed a solution to detect MAC address spoofing in wireless networks using a hard-to-spoof measurement that is correlated to the location of the wireless device, namely the Received Signal Strength (RSS). We developed a passive solution that does not require modification for standards or protocols. The solution was tested in a live test-bed (i.e., a Wireless Local Area Network with the aid of two air monitors acting as sensors) and achieved 99.77%, 93.16%, and 88.38% accuracy when the attacker is 8–13 m, 4–8 m, and less than 4 m away from the victim device, respectively. We implemented three previous methods on the same test-bed and found that our solution outperforms existing solutions. Our solution is based on an ensemble method known as Random Forests. We also proposed an anomaly detection solution to deal with situations where it is impossible to cover the whole intended area. The solution is totally passive and unsupervised (using unlabeled data points) to build the profile of the legitimate device. It only requires the training of one location which is the location of the legitimate device (unlike the misuse detection solution that train and simulate the existing of the attacker in every possible spot in the network diameter). The solution was tested in the same test-bed and yield about 79% overall accuracy. We build a misuseWireless Local Area Network Intrusion Detection System (WIDS) and discover some important fields in WLAN MAC-layer frame to differentiate the attackers from the legitimate devices. We tested several machine learning algorithms and found some promising ones to improve the accuracy and computation time on a public dataset. The best performing algorithms that we found are Extra Trees, Random Forests, and Bagging. We then used a majority voting technique to vote on these algorithms. Bagging classifier and our customized voting technique have good results (about 96.25 % and 96.32 %respectively) when tested on all the features. We also used a data mining technique based on Extra Trees ensemble method to find the most important features on AWID public dataset. After selecting the most 20 important features, Extra Trees and our voting technique are the best performing classifiers in term of accuracy (96.31 % and 96.32 % respectively)

NeuDetect: A neural network data mining system for wireless network intrusion detection

This thesis proposes an Intrusion Detection System, NeuDetect, which applies Neural Network technique to wireless network packets captured through hardware sensors for purposes of real time detection of anomalous packets. To address the problem of high false alarm rate confronted by the current wireless intrusion detection systems, this thesis presents a method of applying the artificial neural networks technique to the wireless network intrusion detection system. The proposed system solution approach is to find normal and anomalous patterns on preprocessed wireless packet records by comparing them with training data using Back-propagation algorithm. An anomaly score is assigned to each packet by calculating the difference between the output error and threshold. If the anomaly score is positive then the wireless packet is flagged as anomalous and is negative then the packet is flagged as normal. If the anomaly score is zero or close to zero it will be flagged as an unknown attack and will be sent back to training process for re-evaluation

Darma: Defeating And Reconnaissance Manna-Karma Attacks In 802.11 With Multiple Detections And Prevention

The vast growing usage of mobile phones increases Wi-Fi technology. At present, the pattern of human interaction with the internet is not a desktop or laptop anymore. The assimilation of tools for surfing, working, and communication is now shifting to mobile phones. Thus, this is the motivation to expand Wi-Fi technology so that it will be the primary medium for internet connectivity. Hence, increasing the security risk for it attracts attackers despite its popularity among users. The DOS attack in 802.11 management frames is widely known as an initial process before Man-in-the-middle (MiTM) attacks in 802.11 takes part. Karma and Manna's attacks are an unprecedented attack in the 802.11 management frames. This paper proposed a mechanism called Defeating and Reconnaissance Manna-karma Attack (DARMA), which is client-side multiple detection techniques to defeat and prevent karma-manna attack. The proposed mechanism consisted of 4 layers of processes inclusive of monitors, detection, confirmation, and preventions. The effectiveness of the detection is base of the current real-time behaviour of the packets

Planning and realization of a WiFi 6 network to replace wired connections in an enterprise environment

WiFi (Wireless Fidelity) is a popular wireless LAN technology. It provides broadband wireless connectivity to all the users in the unlicensed 2.4 GHz and 5 GHz frequency bands. Given the fact that the WiFi technology is much easier and cost-efficient to deploy, it is rapidly gaining acceptance as an alternative to a wired local area network. Nowadays the Wireless access to data is a necessity for everyone in the daily life. Considering the last 30 years, the unlimited access to information has transformed entire industries, fueling growth, productivity and profits.The WiFi technology, which is governed by the IEEE 802.11 standards body, has played a key role in this transformation. In fact, thanks to WiFi, users can benefit of low cost access to high data rate wireless connectivity. The first version of the IEEE 802.11 protocol was released in 1997. IEEE 802.11 has been improved with different versions in order to enhance the throughput and support new technologies. WiFi networks are now experiencing the bandwidth-demanding media content as well as multiple WiFi devices for each user. As a consequence of this, WiFi 6, which is based on the IEEE 802.11ax standard, is focused on improving the efficiency of the radio link. However, there is a relatively modest increase in peak data rate too. In this thesis we have planned and realized a WiFi 6 network to replace wired connections in an enterprise environment. To do this the optimal access point placement problem has been taken into account, resulting in an improvement of the coverage. Subsequently, after the configuration from the controller, the performance of the new network has been tested in order to study if WiFi 6 can be used instead of wired connections.WiFi (Wireless Fidelity) is a popular wireless LAN technology. It provides broadband wireless connectivity to all the users in the unlicensed 2.4 GHz and 5 GHz frequency bands. Given the fact that the WiFi technology is much easier and cost-efficient to deploy, it is rapidly gaining acceptance as an alternative to a wired local area network. Nowadays the Wireless access to data is a necessity for everyone in the daily life. Considering the last 30 years, the unlimited access to information has transformed entire industries, fueling growth, productivity and profits.The WiFi technology, which is governed by the IEEE 802.11 standards body, has played a key role in this transformation. In fact, thanks to WiFi, users can benefit of low cost access to high data rate wireless connectivity. The first version of the IEEE 802.11 protocol was released in 1997. IEEE 802.11 has been improved with different versions in order to enhance the throughput and support new technologies. WiFi networks are now experiencing the bandwidth-demanding media content as well as multiple WiFi devices for each user. As a consequence of this, WiFi 6, which is based on the IEEE 802.11ax standard, is focused on improving the efficiency of the radio link. However, there is a relatively modest increase in peak data rate too. In this thesis we have planned and realized a WiFi 6 network to replace wired connections in an enterprise environment. To do this the optimal access point placement problem has been taken into account, resulting in an improvement of the coverage. Subsequently, after the configuration from the controller, the performance of the new network has been tested in order to study if WiFi 6 can be used instead of wired connections

Kooperative Angriffserkennung in drahtlosen Ad-hoc- und Infrastrukturnetzen: Anforderungsanalyse, Systementwurf und Umsetzung

Mit der zunehmenden Verbreitung mobiler Endgeräte und Dienste ergeben sich auch neue Herausforderungen für ihre Sicherheit. Diese lassen sich nur teilweise mit herkömmlichen Sicherheitsparadigmen und -mechanismen meistern. Die Gründe hierfür sind in den veränderten Voraussetzungen durch die inhärenten Eigenschaften mobiler Systeme zu suchen. Die vorliegende Arbeit thematisiert am Beispiel von Wireless LANs die Entwicklung von Sicherheitsmechanismen für drahtlose Ad-hoc- und Infrastrukturnetze. Sie stellt dabei den umfassenden Schutz der einzelnen Endgeräte in den Vordergrund, die zur Kompensation fehlender infrastruktureller Sicherheitsmaßnahmen miteinander kooperieren. Den Ausgangspunkt der Arbeit bildet eine Analyse der Charakteristika mobiler Umgebungen, um grundlegende Anforderungen an eine Sicherheitslösung zu identifizieren. Anhand dieser werden existierende Lösungen bewertet und miteinander verglichen. Der so gewonnene Einblick in die Vor- und Nachteile präventiver, reaktiver und angriffstoleranter Mechanismen führt zu der Konzeption einer hybriden universellen Rahmenarchitektur zur Integration beliebiger Sicherheitsmechanismen in einem kooperativen Verbund. Die Validierung des Systementwurfs erfolgt anhand einer zweigeteilten prototypischen Implementierung. Den ersten Teil bildet die Realisierung eines verteilten Network Intrusion Detection Systems als Beispiel für einen Sicherheitsmechanismus. Hierzu wird eine Methodik beschrieben, um anomalie- und missbrauchserkennende Strategien auf beliebige Netzprotokolle anzuwenden. Die Machbarkeit des geschilderten Ansatzes wird am Beispiel von infrastrukturellem WLAN nach IEEE 802.11 demonstriert. Den zweiten Teil der Validierung bildet der Prototyp einer Kooperations-Middleware auf Basis von Peer-to-Peer-Technologien für die gemeinsame Angriffserkennung lose gekoppelter Endgeräte. Dieser kompensiert bisher fehlende Mechanismen zur optimierten Abbildung des Overlay-Netzes auf die physische Struktur drahtloser Netze, indem er nachträglich die räumliche Position mobiler Knoten in die Auswahl eines Kooperationspartners einbezieht. Die zusätzlich definierte Schnittstelle zu einem Vertrauensmanagementsystem ermöglicht die Etablierung von Vertrauensbeziehungen auf Kooperationsebene als wichtige Voraussetzung für den Einsatz in realen Umgebungen. Als Beispiel für ein Vertrauensmanagementsystem wird der Einsatz von Reputationssystemen zur Bewertung der Verlässlichkeit eines mobilen Knotens diskutiert. Neben einem kurzen Abriss zum Stand der Forschung in diesem Gebiet werden dazu zwei Vorschläge für die Gestaltung eines solchen Systems für mobile Ad-hoc-Netze gemacht.The increasing deployment of mobile devices and accompanying services leads to new security challenges. Due to the changed premises caused by particular features of mobile systems, these obstacles cannot be solved solely by traditional security paradigms and mechanisms. Drawing on the example of wireless LANs, this thesis examines the development of security mechanisms for wireless ad hoc and infrastructural networks. It places special emphasis on the comprehensive protection of each single device as well as compensating missing infrastructural security means by cooperation. As a starting point this thesis analyses the characteristics of mobile environments to identify basic requirements for a security solution. Based on these requirements existing preventive, reactive and intrusion tolerant approaches are evaluated. This leads to the conception of a hybrid and universal framework to integrate arbitrary security mechanisms within cooperative formations. The resulting system design is then validated by a twofold prototype implementation. The first part consists of a distributed network intrusion detection system as an example for a security mechanism. After describing a methodology for applying anomaly- as well as misuse-based detection strategies to arbitrary network protocols, the feasibility of this approach is demonstrated for IEEE 802.11 infrastructural wireless LAN. The second part of the validation is represented by the prototype of a P2P-based cooperation middleware for collaborative intrusion detection by loosely coupled devices. Missing mechanisms for the improved mapping of overlay and physical network structures are compensated by subsequently considering the spatial position of a mobile node when choosing a cooperation partner. Furthermore, an additional interface to an external trust management system enables the establishment of trust relationships as a prerequisite for a deployment in real world scenarios. Reputation systems serve as an example of such a trust management system that can be used to estimate the reliability of a mobile node. After outlining the state of the art, two design patterns of a reputation system for mobile ad hoc networks are presented

Intrusion Detection: Embedded Software Machine Learning and Hardware Rules Based Co-Designs

Security of innovative technologies in future generation networks such as (Cyber Physical Systems (CPS) and Wi-Fi has become a critical universal issue for individuals, economy, enterprises, organizations and governments. The rate of cyber-attacks has increased dramatically, and the tactics used by the attackers are continuing to evolve and have become ingenious during the attacks. Intrusion Detection is one of the solutions against these attacks. One approach in designing an intrusion detection system (IDS) is software-based machine learning. Such approach can predict and detect threats before they result in major security incidents. Moreover, despite the considerable research in machine learning based designs, there is still a relatively small body of literature that is concerned with imbalanced class distributions from the intrusion detection system perspective. In addition, it is necessary to have an effective performance metric that can compare multiple multi-class as well as binary-class systems with respect to class distribution. Furthermore, the expectant detection techniques must have the ability to identify real attacks from random defects, ingrained defects in the design, misconfigurations of the system devices, system faults, human errors, and software implementation errors. Moreover, a lightweight IDS that is small, real-time, flexible and reconfigurable enough to be used as permanent elements of the system's security infrastructure is essential. The main goal of the current study is to design an effective and accurate intrusion detection framework with minimum features that are more discriminative and representative. Three publicly available datasets representing variant networking environments are adopted which also reflect realistic imbalanced class distributions as well as updated attack patterns. The presented intrusion detection framework is composed of three main modules: feature selection and dimensionality reduction, handling imbalanced class distributions, and classification. The feature selection mechanism utilizes searching algorithms and correlation based subset evaluation techniques, whereas the feature dimensionality reduction part utilizes principal component analysis and auto-encoder as an instance of deep learning. Various classifiers, including eight single-learning classifiers, four ensemble classifiers, one stacked classifier, and five imbalanced class handling approaches are evaluated to identify the most efficient and accurate one(s) for the proposed intrusion detection framework. A hardware-based approach to detect malicious behaviors of sensors and actuators embedded in medical devices, in which the safety of the patient is critical and of utmost importance, is additionally proposed. The idea is based on a methodology that transforms a device's behavior rules into a state machine to build a Behavior Specification Rules Monitoring (BSRM) tool for four medical devices. Simulation and synthesis results demonstrate that the BSRM tool can effectively identify the expected normal behavior of the device and detect any deviation from its normal behavior. The performance of the BSRM approach has also been compared with a machine learning based approach for the same problem. The FPGA module of the BSRM can be embedded in medical devices as an IDS and can be further integrated with the machine learning based approach. The reconfigurable nature of the FPGA chip adds an extra advantage to the designed model in which the behavior rules can be easily updated and tailored according to the requirements of the device, patient, treatment algorithm, and/or pervasive healthcare application