Context aware Wireless Intrusion Detection System for IEEE ... · Context aware Wireless Intrusion...

Advances in Wireless and Mobile Communications.

ISSN 0973-6972 Volume 10, Number 5 (2017), pp. 1141-1162

© Research India Publications

http://www.ripublication.com

Context aware Wireless Intrusion Detection System

for IEEE 802.11 based Wireless Sensor Networks

Siva Balaji Yadav.C1 and R.Seshadri, PhD2

1(Computer Science and Engineering, SV University, Tirupati, India)

2(SVU Computer center, SV University, Tirupati, India)

Abstract

In recent decades the launch of cyber attacks against wireless network is more

than the wired networks. This is due to the presence of Layer 2 vulnerabilities

in IEEE 802.11 protocol standards. Most of the attacks against the wireless

networks are targeting layer 2 vulnerabilities which are more susceptible to

DoS, MiTM and replay attacks etc. In this paper, we focus only on the

problem of DDoS against IEEE 802.11 and a novel Intrusion Detection

System is designed to detect such DDoS attacks. The key idea used in the

proposed IDS is to apply Kernel Density Derivative Estimator to study the

steady state probabilities (density) of each Station (clients) in the network.

Then correlation is applied to the steady state probabilities to find the

correlativity of each packet generated from different nodes which in turn gives

the results of malformed packets (Deauthentication-DDoS). The primary focus

of this work is on the particular scenario where the attacker injects the

malformed frames on the target network (Broadcast Spoofed De-

authentication DDoS). A strong analysis is made by experimenting the attacks

in the live testbed. The experiments carried out are in house and purely

deployed in the live testbed using Parrot Operating system. From the

observation it is clearly observed that the proposed IDS is optimal enough

with the good results of more than 94% in detection rate.

Keywords: WIDS, IDS, Parrot Operating system, HMM, markov chain,

Intrusion

1142 Siva Balaji Yadav.C and R.Seshadri

I. INTRODUCTION

Recent advancement in wireless technologies is increasing from last decade. This is

due to increase in usage of pervasive devices, mobile gadgets, cloud connected

components etc. The popularity of the technology leads the operational free lower

cost devices. Due to the popularity and increase in usage leads these wireless

technologies prune to attacks. Existing data frame security standards such as WEP,

WPA, WPA2 etc can provide authentication based security cryptographic standard

[1]. However attacks over data and control plane are still possible in Wi-Fi networks.

The most prominent feature available in IEEE 802.11 network is it can operate in both

adhoc and infrastructure mode. This paper focus on the IEEE 802.11 network which

operates only in infrastructure mode with dedicated access point. The basic working

operation of the AP and Stations in IEEE 802.11 are listed into Authentication,

Association, Disassociation, Disconnection, Deauthentication etc. i) Authentication:

Authentication is the initial step for each sensor node operating in IEEE 802.11

standards. Initially client has to send connect request to the AP using authentication

frame with Initialization vector (IVs) to establish connection with the Access Point for

the successful data exchange. ii) Association: Association is the second step carried

out by the sensor nodes to associate itself with the AP after authentication. Address

allocation, node registration etc are carried out in this phase. iii) Disassociation:

Disassociation is the step carried out by the wireless client to initialize the

disassociation of the client from the AP. Here the client sends disassociation frames to

AP to disassociate itself. Disassociation with all connected clients can happen only if

any firmware level upgradation is carried out in AP. iv) Disconnection: Disconnection

is the process where the AP sends disassociation request to the client to disconnect

from the AP. v) Deauthentication: Deauthentication frame (as shown in Figure 1a -

1c) is initiated from the client if the station needs to leave the network gracefully.

Likewise, the AP also sends deauthentication frame if it needs to disconnect from the

client at the particular time interval [2-10].

Figure. 1a Pre-attack - Deauthentication Attack scenario

Context aware Wireless Intrusion Detection System for IEEE 802.11… 1143

Figure. 1b Deauthentication DDoS attack scenario

Figure. 1c Post-attack - Deauthentication attack scenario

The two major frames known as Deauthentication and Disassociation frames are used

for entire handshake of IEEE 802.11 network. These two frames are responsible to

perform association and connection of AP with Stations (STA)[11]. But the hard fact

is these two frames are not encrypted enough hence the attacker make use of these

frames for successful launch of attacks. Attacker can easily masquerades any of these

frames by tapping layer 2 protocols (DLL)[12]. These masquerades result in MAC

address based spoofing and attacks against AP and clients by initializing n number of

deauthentication and disassociation frames. Once these frames are flooded against

client and AP, based on the level of payload and packet generation, AP and STA

never gets connected. Additionally all the STA needs an reauthentication in order to

connect with AP. Figure 2 shows the attack scenario of how an attacker can easily


launch a powerful DoS over any IEEE 802.11 network by spoofing disassociation and

deauthentication frames [13-20].

Figure. 2 Deauthentication and Disassociation attack scenario.

Present day methods used to mitigate the deauthentication and disassociation based

DDoS attack includes cryptography and newer standards for protocol by modifying

the entire protocol stack. Cryptography techniques include additional hardware and

softwares for special tasking and computing the keys [13][16][18]. Specific server

should be deployed to monitor the key distribution and management. However

protocol stack level upgradation is very expensive tasks and increases administrative

over heads. Upgradation of firmware in critical application deployment is a harder

task and time consuming [14 -15][17][22][23-25]. From the observation, it is not

feasible to adopt the existing mitigation technique. Hence in this paper, novel

software based Intrusion Detection System has been proposed. The proposed Wireless

IDS does not suffer any critical impact which are listed above. The summary of the

contribution is listed below

A novel Context aware Wireless Intrusion Detection System is proposed and

operable in both legacy standards (cryptography implemented networks) and

non- legacy network

The proposed IDS is purely software based and does not require any additional

hardware or firmware updation and can be easily deployable in both client and

server side.


The paper is organized as follows: Section II presents the security goal, literature

review and some related works about the security issues and mitigation techniques in

WSNs. Section III gives the brief explanation about the proposed CAWIDS. Section

IV dealt with the experimental results and the performance analysis of the proposed

CAWIDS with the state of the art methods is given in the penultimate section. Finally

the paper is concluded in section V.

II. MOTIVATION

Here, we initially discuss about the basics of Wi-Fi and its operating characteristics

and followed by attacks and its attack definitions.

Basic Terminologies

In general, Wi-Fi network consists of many wireless clients such as mobiles, laptops,

tablets etc and an Access point which might be a wireless router. All the

communication will take place by means of AP where the AP is connected to a

backbone network of any ISP. Initial stage is client needs to authenticate itself with

AP in order to associate with the AP and to join the network. The procedure is same

for all the wireless clients which are seeking to form a network.

Deauthentication Attack

Deauthentication attack is launched over the deauthentication frames due to its plain

text in nature. Hence spoofing of these plain-text frames is easier when compared to

encrypted data frames. These management frames are responsible for fast processing

and to proceed with handshaking mechanism with AP to all connected clients. Due to

its open plain text nature, AP is not liable to verify its authenticity and process the

deauthentication spoofed frames. This leads to initiate deauthentication request

against clients resulting the clients to terminate its connection with AP. Once the

client is targeted and redirected with high number of deauthentication frames then the

client has to initiate reauthentication for its next level association. This makes the

client to lose connectivity at any point of range. As per the existing standards of IEEE

802.11, deauthentication request is just a notification not a request. Figure 1 and

Figure 2 clearly shows the actual working mechanism of deauthentication attack

launched against a wireless network [5-20].

State of the art methods

Many researchers proposes various methods for mitigating the Deauthentication based


DDoS attack in Wi-Fi network. Some of the state of the art methods have been

reviewed and presented here in this section.

Entropy based WIDS

Kamalanaban et al proposed a novel Wireless Intrusion Detection System using

Entropy based approach. Here the authors concentrate on calculating entropy for all

the frames which is going in and around the network. The key advantage of the stated

method is better but requires high computation. The author also addresses some basics

level channel switching and it detection mechanism where their IDS is capable to

detect Deauthentication DDoS attack at any channel in multiple networks. The only

challenge possessed by the WIDS stated by the author is overhead of processing and

execution time [12].

Cryptography based methods

Bellardo proposed a encryption method to encrypt all the frames which is going in

and around the network. The method proposed by the author is robust enough but

needs special upgradation of firmware and hardware as well in both client and server

[25].

III. PROPOSED IDS

In this paper, a new context aware IDS has been developed to detect Deauthentication

DDoS attacks. The proposed IDS is robust and context aware in nature due to its

learning capabilities of real time live feed of network data and cross correlating it with

the addressed pattern in order to detect the DDoS and wireless anomalies. Robustness

of the behavior model proposed in this paper is initially to learn the network traffic

patterns using KDDE function, where Kernel Density function is used to estimate the

PDF of a complete randomness. Here in KDDE, Parzen–Rosenblatt window method

is used for estimating the density values. The KDDE is a kernel function which works

on basis of neural model which is clearly figured in the equation (1). Each input is

tested with the possible output and the learned data is computed with KDDE values.

Firstly in learning phase all the network parameters are learnt and profiled specifically

with KDDE values and approximate KDDE values are computed. Secondly in

detection phase the KDDE values of the live feed are compared with learnt KDDE

values and correlation is applied in order to detect the intrusions [3].

-------------------- 1


Fig 3. Architecture of Proposed Context aware WIDS

Here, KDDE values are computed for learning phase using specific network patterns

such as IP, port, Link, interface (ETH#, WLAN#), BOOTIF (MAC) and other system

parameter such as NET CONSOLE, CPU utilization, Memory usage, Memory

utilization, Incoming Packet buffer, Outgoing Packet buffer, Cached Bytes etc.

Network packet analyzers are used to analyze the network packets. Packet capturing

interface is widely used to capture all the packets and network data collector acts as

the serialization interface for all the network inputs.

Learning phase

In this phase, the values have been collected from the network parameters which are

related to the network for each connected host. Each host are profiled into system and

network parameters and each value are utilized to compute KDDE. A detailed process

was illustrated in the algorithm 1 which runs in all hosts for 5 working days with all

network and system credentials


-------------------------------------------------------------------------------------------------------

Algorithm 1 Learning phase

-------------------------------------------------------------------------------------------------------

Begin

Initiate learning and profiling

Profile each host

Collect network credentials

Do feature selection

Compute KDDE

Compute KDDE parameters with appropriate values

End

-------------------------------------------------------------------------------------------------------

Detection phase

In this phase as off the learning phase is cloned to compute KDDE values for the

hosts of same parameters in several time periods. Then the Comparison process is

carried out for the present KDDE values with the learnt KDDE values.

Hypothesis

According to the hypothesis, the correlation values lies between 0 and 1.KDDE value

computed is always lies between 0 to 1. If the values are nearest circumstance of 1,

then the relationship possessed by the parameters is in strong relationship. If the

threshold value falls<0.5, then it is abnormal frame or Deauthentication frame

Correlation phase

Based on the hypothesis defined above the cross correlation values are computed. The

detection phase is exhibited by considering, analyzing and comparing all the defined

network and system parameters. According to the discussion defined in previous

section’s anomalies are the specific event based, so that the proposed methodology

computed here yields the promising results by utilizing the network parameters for

identification.


-------------------------------------------------------------------------------------------------------

Algorithm 2 Detection phase

-------------------------------------------------------------------------------------------------------

Use learnt data

Procure the live feed

Do feature selection

Compute KDDE

Use KDDE values of Learnt data and live feed

Check all the frame: include (control, management and data frames)

Apply cross correlation

Compare cross correlation value for each network parameter

If the threshold (correlation) < 0.5 then

Caption: Intrusion detection

Trigger Alarm

End

-------------------------------------------------------------------------------------------------------

IV. EXPERIMENTAL RESULTS

The correlation coefficient values of the two collective samples were linearly

inclusive with +1 or -1 which in term shows the deviation range and the proposed

methodology yields the promising results by detecting intrusions in near real time (Fig

4 - Fig 21). Here the correlation values are compared between kernel density function

values along with the trained values. Then the range of threshold is isolated and

correlativity is computed by correlating various system and network parameters.

Using this method all the attacks performed during certain time periods were

identified/detected and experimentally promising results were achieved. The cross

correlation values of attack sequence are clearly defined in the Table 1 for various

attributes like CPU utilization, RAM utilization, outgoing packets, incoming packets

etc.,.


Figure.4 Kernel Density Estimation for Incoming bytes (Learning phase)

Figure 5: Kernel Density Estimation for Incoming packets (Learning phase)


Figure 6: Kernel Density Estimation for Outgoing bytes (Learning phase)

Figure.7: Kernel Density Estimation for Outgoing packets (Learning phase)


Figure.8 Kernel Density Estimation for RAM Buffered (Learning phase)

Figure.9 Kernel Density Estimation for RAM Used (Learning phase)


Figure.10 Kernel Density Estimation for Incoming bytes (Detection phase)

Figure.11 Kernel Density Estimation for Incoming Packets (Detection phase)


Figure.12 Kernel Density Estimation for Outgoing bytes (Detection phase)

Figure.13 Kernel Density Estimation for Outgoing Packets (Detection phase)


Figure.14 Kernel Density Estimation for RAM buffered (Detection phase)

Figure.15 Kernel Density Estimation for RAM Used (Detection phase)


Figure.16 Kernel Density Estimation for Incoming bytes (Correlation phase)

Figure.17 Kernel Density Estimation for Incoming Packets (Correlation phase)


Figure.18 Kernel Density Estimation for Outgoing Bytes (Correlation phase)

Figure.19 Kernel Density Estimation for Outgoing Packets (Correlation phase)


Figure.20 Kernel Density Estimation for RAM Buffered (Correlation phase)

Figure.21 Kernel Density Estimation for RAM used (Correlation phase)


Table I: Cross correlation values of attacking sequence

S.No Time CPU RAM Outgoing

packets

Incoming

packets

1 1:16:59 1179339978 892986 896046 636809

2 1:17:10 1179339978 896119 896046 636809

3 1:18:28 1179611728 898952 898952 639716

4 1:19:26 1179791914 898231 901233 641997

5 1:20:27 1179972352 900347 903479 644243

6 1:21:27 1180153141 902466 905726 646491

7 1:22:27 1180376311 904659 908039 648815

8 1:23:11 1211149803 926499 937182 664802

9 1:24:4 1262468314 962392 937182 664802

10 1:25:26 1380740088 1043522 1022047 709688

11 1:26:22 1420838212 1071513 1071466 735810

The proposed model can be deployed in both client and server side to detect any form

of wireless attack. Currently it is tested by deploying in both client and server. The

real time implementation result is also given. A command line console is given to

display the alerts from the proposed model. Figure states the attack detection and alert

scenario where the alert consists of Target MAC address, AP with which the client

is connected and attacker’s MAC.

V. CONCLUSION

This paper is concluded by proposing a novel Wireless Intrusion Detection System.

The proposed Context aware WIDS is evaluated and some of the active time stamps

are estimated and tabulated in Table I. In detection the Cross correlation values for

network and system parameters are estimated along with the time stamp and deviation

range of the values are mentioned in the Figures 4 -15 for network and host

parameters. The experimental results demonstrated in the Figure 16 - 21 shows the

results of correlation which shows the optimality of the proposed algorithm in

detection. In future, the proposed IDS is extended to detect the covert

communications in WSN.


REFERENCES

[1] M. Agarwal, S. Biswas and S. Nandi, "Detection of De-Authentication DoS

Attacks in Wi-Fi Networks: A Machine Learning Approach," Systems, Man,

and Cybernetics (SMC), 2015 IEEE International Conference on, Kowloon,

2015, pp. 246-251.

[2] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based

defense mechanisms countering the dos and ddos problems,” ACM

Computing Survey, vol. 39, no. 1, 2007.

[3] F.Bin Hamid Ali and Y.Y.Len,”Development of host based intrusion

detection system for log files”, in Business, Engineering and Industrial

Applications,2011 IEEE symposium on,Sep2011,pp:281-285.

[4] Yu-Xin Ding,Min Xiao,Ai-Wu-Liu “Research and implementation on

snort-based hybrid intrusion detection system”, in proceedings of the

Eighth International Conference on

a. Machine Learning and Cybernetics,12-15 July 2009.

[5] Ficco, M., & Romano, L. (2011, June). A generic intrusion detection and

diagnoser system based on complex event processing. In Data Compression,

Communications and Processing (CCP), 2011 First International Conference

on (pp. 275-284). IEEE.

[6] V. S. S. Sriram, G. Sahoo and K. K. Agrawal, "Detecting and eliminating

Rogue Access Points in IEEE-802.11 WLAN - a multi-agent sourcing

Methodology," Advance Computing Conference (IACC), 2010 IEEE 2nd

International, Patiala, 2010, pp. 256-260.

[7] Szott, S., "Selfish insider attacks in IEEE 802.11s wireless mesh networks," in

Communications Magazine, IEEE , vol.52, no.6, pp.227-233, June 2014

[8] Milliken, J.; Selis, V.; KianMeng Yap; Marshall, A., "Impact of Metric

Selection on Wireless DeAuthenticationDoS Attack Performance," in

Wireless Communications Letters, IEEE , vol.2, no.5, pp.571-574, October

2013

[9] El-Khatib, K, "Impact of Feature Reduction on the Efficiency of Wireless

Intrusion Detection Systems," in Parallel and Distributed Systems, IEEE

Transactions on , vol.21, no.8, pp.1143-1149, Aug. 2010

[10] Makanju, A.; LaRoche, P.; Zincir-Heywood, A.N., "A Comparison Between

Signature and GP-Based IDSs for Link Layer Attacks on WiFi Networks," in

Computational Intelligence in Security and Defense Applications, 2007.

CISDA 2007. IEEE Symposium on , vol., no., pp.213-219, 1-5 April 2007

[11] R. Mohan, V. Vaidehi, Ajay Krishna A, Mahalakshmi M and S. S.

Chakkaravarthy, "Complex Event Processing based Hybrid Intrusion

Detection System," 2015 3rd International Conference on Signal Processing,

Communication and Networking (ICSCN), Chennai, 2015, pp. 1-6.


[12] Ethala, K., Sheshadri, R., & Chakkaravarthy, S. S. (2014). WIDS Real-Time

Intrusion Detection System Using Entrophical Approach. Advances in

Intelligent Systems and Computing Artificial Intelligence and Evolutionary

Algorithms in Engineering Systems, 73-79. doi:10.1007/978-81-322-2126-5_9

[13] S.Sibi Chakkaravarthy, V.Vaidehi; "Behavior based anomaly detection model

for. detecting wireless covert attacks in Wi-Fi", Security and Privacy

Symposium, 2015, IIITD, February 13-14,2015.

[14] N. Baharudin, F. H. M. Ali, M. Y. Darus and N. Awang, "Wireless Intruder

Detection System (WIDS) in Detecting De-Authentication and Disassociation

Attacks in IEEE 802.11," 2015 5th International Conference on IT

Convergence and Security (ICITCS), Kuala Lumpur, 2015, pp. 1-5.

[15] M. M. Hafiz and F. H. Mohd Ali, "Profiling and mitigating brute force attack

in home wireless LAN," 2014 International Conference on Computational

Science and Technology (ICCST), Kota Kinabalu, 2014, pp. 1-6.

[16] J. Milliken, V. Selis, K. M. Yap and A. Marshall, "Impact of Metric Selection

on Wireless DeAuthentication DoS Attack Performance," in IEEE Wireless

Communications Letters, vol. 2, no. 5, pp. 571-574, October 2013.

[17] A. Dovhan and M. Grabar, "Analysis of the implementation characteristics of

DDoS attacks on Wi-Fi networks," 2014 First International Scientific-

Practical Conference Problems of Infocommunications Science and

Technology, Kharkov, 2014, pp. 180-181.

[18] A. Alabdulatif, X. Ma and L. Nolle, "Analysing and attacking the 4-way

handshake of IEEE 802.11i standard," 8th International Conference for

Internet Technology and Secured Transactions (ICITST-2013), London, 2013,

pp. 382-387.

[19] R. Singh and T. Parval Sharma, "Detecting and reducing the denial of Service

attacks in WLANs," 2011 World Congress on Information and

Communication Technologies, Mumbai, 2011, pp. 968-973.

[20] B. Könings, F. Schaub, F. Kargl and S. Dietzel, "Channel switch and quiet

attack: New DoS attacks exploiting the 802.11 standard," 2009 IEEE 34th

Conference on Local Computer Networks, Zurich, 2009, pp. 14-21.

[21] T. D. Nguyen, D. H. M. Nguyen, B. N. Tran, H. Vu and N. Mittal, "A

Lightweight Solution for Defending Against Deauthentication/Disassociation

Attacks on 802.11 Networks," 2008 Proceedings of 17th International

Conference on Computer Communications and Networks, St. Thomas, US

Virgin Islands, 2008, pp. 1-6.

[22] C. Liu and J. Yu, "Rogue Access Point Based DoS Attacks against 802.11

WLANs," 2008 Fourth Advanced International Conference on

Telecommunications, Athens, 2008, pp. 271-276.

[23] Wenzhe Zhou, A. Marshall and Qiang Gu, "A novel classification scheme for

802.11 WLAN active attacking traffic patterns," IEEE Wireless


Communications and Networking Conference, 2006. WCNC 2006., Las

Vegas, NV, 2006, pp. 623-628.

[24] K. El-Khatib, "Impact of Feature Reduction on the Efficiency of Wireless

Intrusion Detection Systems," in IEEE Transactions on Parallel and

Distributed Systems, vol. 21, no. 8, pp. 1143-1149, Aug. 2010.

[25] J. Bellardo, S. Savage, "802.11 Denial-of-Service Attacks: Real

Vulnerabilities and Practical Solutions", Proceedings of the 12th Conference

on USENIX Security Symposium, vol. 12, pp. 15-28, 2003.

Context aware Wireless Intrusion Detection System for IEEE ... · Context aware Wireless Intrusion...

Documents

Transcript of Context aware Wireless Intrusion Detection System for IEEE ... · Context aware Wireless Intrusion...