Transcript of Proposal Presentation
Wireless Intrusion Detection & Response
ECE 4006 Group 2: Seng Ooh Toh, Varun Kanotra, Nitin Namjoshi, Yu-Xi Lim

Contents
- Project Description & Demo
- Competitors & Market
- Building Blocks & Project Timeline
- Challenges, Risks and Difficulty Level
- Product Testing
- Hardware and Software Requirements

Project Description
What is the product?
- An access point which can detect intruders and take counter measures
- Detection of Netstumbler
- Blocking / jamming Netstumbler without affecting network performance
- Product will be open source and will integrate several available technologies

Project Demo
- Several computers on a wireless network
- Wireless network intruder using Netstumbler
- Three phases: network setup; Netstumbler and intrusion; intrusion detection and counter measures

Phase I – Network Setup
- 2-3 Linux machines set up with an access point to form an 802.11b network
- Data (packets) routed from the Linux machines to each other through the AP
- Access point monitor used to detect source and destination of packets passing through the access point

Phase II – Intrusion
- Intrusion detection and jamming turned off
- Netstumbler used to access information on the wireless network
- Netstumbler's captured packet information shown

Phase III – Intrusion Detection & Counter Measures
- Netstumbler packet detection
- Blocking of Netstumbler packets, RF jamming or fake AP barrage
- Data rate on the wireless network measured with and without counter measures

User Interface
- Focus on proving the concept
- Open source allows end users to develop a UI according to their needs
- Basic text-based user interface for testing, debugging and demo

Competitors & Market
Competitors
- Fake AP – Product developed by Black Alchemy. Used for flooding the wireless network with false AP beacon packets.
- Netstumbler gets overwhelmed with thousands of access points.
- Open source, supported on Linux.

Competitors (contd.)
- AirDefense – Enterprise/military wireless intrusion detection system.
- Sold as a complete system which includes AirDefense sensors and a server appliance.
- Does not take action against the intruder; just monitors the network and informs the administrator of any suspicious activity.

Price
- Fake AP is freeware. Available at: http://www.blackalchemy.to/Projects/fakeap/fake-ap.html
- AirDefense system costs between $19,000 and $25,000.

Our Product
- No product in the market today combines both intrusion detection and response.
- Our product shall be freely available.
- This makes the product unique and attractive to potential users.

Building Blocks
- Setup – Installing network cards on two Linux machines, installing HostAP drivers, installing wireless sniffers and packet sniffer libraries.
- Detect NetStumbler – recognize the NetStumbler signature; UI design for reporting malicious activity.

Building Blocks (contd.)
- Counter-measures:
  - Logging event information (MAC, time, physical location)
  - Sending bogus AP information
  - DoS
- Port to OpenAP – combine detection and countermeasure and run it on an AP.

Building Blocks (contd.)
- OpenAP PC interface – write a TCP sockets client-server program.
- Allow the network administrator to remotely configure and acquire information from the access point.

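The OpenAP PC interface slide describes a TCP client-server program through which the administrator configures the access point and pulls information from it. The following is an added example written for this transcript, not code from the ECE 4006 project: the AP-side agent answers one newline-terminated command per line, and the PC-side client sends commands and reads one reply each. The command set (STATUS, EVENTS, SET detection on|off, QUIT), the reply format and the APAgent name are assumptions; the real deployment would listen on a TCP port, whereas here a socketpair stands in for the connection so the example runs offline.

```python
"""Admin interface for the access point: a line-oriented TCP command protocol.

Added example, not the project's code. The AP-side agent answers one command
per line; the PC-side client sends commands and reads one reply per line.
The command set (STATUS, EVENTS, SET detection on|off, QUIT) is an assumption.
"""
import socket
import threading


class APAgent:
    """State that lives on the access point and is exposed to the admin client."""

    def __init__(self):
        self.detection_enabled = True
        self.events = []  # (mac, timestamp) pairs recorded by the detector

    def handle(self, line: str) -> str:
        parts = line.strip().split()
        if not parts:
            return "ERR empty command"
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "STATUS":
            state = "on" if self.detection_enabled else "off"
            return f"OK detection={state} events={len(self.events)}"
        if cmd == "EVENTS":
            if not self.events:
                return "OK none"
            return "OK " + " ".join(f"{mac}@{ts}" for mac, ts in self.events)
        if (cmd == "SET" and len(args) == 2 and args[0].lower() == "detection"
                and args[1].lower() in ("on", "off")):
            self.detection_enabled = args[1].lower() == "on"
            return "OK detection=" + args[1].lower()
        return "ERR unknown command"


def serve_connection(agent: APAgent, conn: socket.socket) -> None:
    """AP side: read newline-terminated commands until QUIT or EOF, reply per line."""
    with conn, conn.makefile("r", encoding="ascii") as rx:
        for line in rx:
            if line.strip().upper() == "QUIT":
                conn.sendall(b"OK bye\n")
                break
            conn.sendall((agent.handle(line) + "\n").encode("ascii"))


def run_session(agent: APAgent, commands) -> list:
    """PC side: send each command over a connected socket and collect the replies.

    A socketpair stands in for the TCP connection so the example runs offline;
    a real client would socket.connect() to the AP's listening port instead.
    """
    ap_end, pc_end = socket.socketpair()
    server = threading.Thread(target=serve_connection, args=(agent, ap_end))
    server.start()
    replies = []
    with pc_end, pc_end.makefile("r", encoding="ascii") as rx:
        for cmd in commands:
            pc_end.sendall((cmd + "\n").encode("ascii"))
            replies.append(rx.readline().rstrip("\n"))
    server.join()
    return replies


if __name__ == "__main__":
    agent = APAgent()
    agent.events.append(("00:11:22:33:44:55", 4.5))  # constructed sample event
    for reply in run_session(agent, ["STATUS", "EVENTS", "SET detection off",
                                     "STATUS", "QUIT"]):
        print(reply)
```

A protocol this simple has no authentication; an interface that can switch detection off should only be reachable from the wired management side of the AP, and the remote-monitoring goal of the Stage 3 test (status monitored remotely) is served by the STATUS and EVENTS replies alone.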
Projected Timeline
- 12 weeks to complete.

Task Assignments
Challenges, Risks and Difficulty Level
Initial Setup – Challenges and Difficulty
- Lack of resources for experimental drivers
- Recompilation of kernel and other support packages
- Compatibility and interoperability of hardware

Initial Setup – Risk
- Project could be severely delayed if we are plagued with compatibility issues
- Incompatible hardware might require extra expenses to get different cards

Wardriving Detection – Challenges and Difficulty
- Limited storage memory
- Libpcap vs. low-level syscalls
- Development of an algorithm for heuristic wardriving detection

Wardriving Detection – Risks
- Inability to differentiate between a wardriver and a legitimate client renders the module useless
- Forced to resort to low-level syscalls without availability of experimental driver documentation

Countermeasure – Challenges and Difficulty
- Limited storage memory
- Countermeasures without affecting normal network performance
- Discovering new denial-of-service attacks against the wardriving client

Porting to Access Point
- Different development framework
- Inaccessibility of access point
- Limited debug tools

Product Testing
Stage 1: Wardriver Detection
- Reliable wardriver detection
- Does not pick up legitimate traffic from a variety of wireless cards
- Logging

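The Building Blocks slides ask for a module that recognizes the scanner, logs the event (MAC and time), and, per the Wardriving Detection risks slide, still tells a wardriver apart from a legitimate client; the Stage 1 test above restates that as "does not pick up legitimate traffic". The following is an added example written for this transcript, not the project's detection algorithm. The heuristic it uses is an assumption: a station that keeps sending wildcard (empty-SSID) probe requests within a short window and never associates or sends data is treated as a scanner, while any MAC that associates or sends data is exempt. The window and threshold values, the Frame fields and the MAC addresses in the sample capture are all constructed for the example.

```python
"""Heuristic wardriver detection over a constructed 802.11 frame log.

Added example, not the project's code. The signal used here is an assumption:
a station that keeps sending wildcard (empty-SSID) probe requests inside a
short window without ever associating or sending data is treated as a scanner.
Associated clients are exempt, which is what keeps normal rescans off the log.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Frame:
    ts: float   # seconds since capture start
    kind: str   # "probe_req", "assoc_req" or "data"
    src: str    # transmitter MAC address
    ssid: str   # SSID carried by a probe request; "" means wildcard/broadcast


@dataclass
class Event:
    mac: str
    ts: float
    reason: str


class WardriverDetector:
    def __init__(self, window_s: float = 10.0, probe_threshold: int = 5):
        self.window_s = window_s              # assumed sliding-window length
        self.probe_threshold = probe_threshold  # assumed probes-per-window limit
        self.probes = defaultdict(deque)  # MAC -> timestamps of recent wildcard probes
        self.known_clients = set()        # MACs that associated or sent data
        self.flagged = {}                 # MAC -> Event, logged once per MAC

    def observe(self, f: Frame):
        """Feed one frame; returns an Event when a MAC first crosses the threshold."""
        if f.kind in ("assoc_req", "data"):
            self.known_clients.add(f.src)   # real client: never flag, even if it rescans
            return None
        if f.kind != "probe_req" or f.ssid != "":
            return None                     # directed probe for a named SSID is normal
        recent = self.probes[f.src]
        recent.append(f.ts)
        while recent and f.ts - recent[0] > self.window_s:
            recent.popleft()                # slide the window forward
        if (len(recent) >= self.probe_threshold
                and f.src not in self.known_clients
                and f.src not in self.flagged):
            ev = Event(f.src, f.ts,
                       f"{len(recent)} wildcard probe requests within "
                       f"{self.window_s:g}s and never associated")
            self.flagged[f.src] = ev
            return ev
        return None


def detect(frames, **kw):
    """Run the detector over time-ordered frames; returns the list of logged events."""
    det = WardriverDetector(**kw)
    return [ev for ev in (det.observe(f) for f in frames) if ev is not None]


def format_log_line(ev: Event) -> str:
    """Log record in the form the slides ask for: MAC and time, plus the reason."""
    return f"t={ev.ts:.1f}s mac={ev.mac} {ev.reason}"


# Constructed sample capture: MACs and timings are made up for this example.
WARDRIVER = "00:11:22:33:44:55"
CLIENT_JOINING = "aa:bb:cc:00:00:01"     # probes briefly, then associates
CLIENT_ASSOCIATED = "aa:bb:cc:00:00:02"  # already on the network, rescans later

SAMPLE_FRAMES = sorted([
    Frame(0.0, "probe_req", CLIENT_JOINING, ""),
    Frame(0.2, "probe_req", CLIENT_JOINING, ""),
    Frame(0.5, "probe_req", CLIENT_JOINING, "corpnet"),
    Frame(1.0, "assoc_req", CLIENT_JOINING, ""),
    Frame(2.0, "data", CLIENT_JOINING, ""),
    Frame(0.1, "data", CLIENT_ASSOCIATED, ""),
    *[Frame(3.0 + 0.1 * i, "probe_req", CLIENT_ASSOCIATED, "") for i in range(6)],
    *[Frame(0.5 + i, "probe_req", WARDRIVER, "") for i in range(8)],
], key=lambda f: f.ts)

if __name__ == "__main__":
    for ev in detect(SAMPLE_FRAMES):
        print(format_log_line(ev))
```

On the sample capture only the scanner MAC is logged, at its fifth wildcard probe; the joining client stops probing after two wildcard probes and associates, and the already-associated client's burst of six rescans is ignored because it has sent data. Exempting known clients is the cheap part of the Stage 1 requirement; the harder residual risk the slides name, a legitimate card that probes heavily before ever associating, is what the threshold and window have to be tuned against on real hardware.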
Stage 2: Countermeasure
- Executed in parallel with Stage 1
- Sufficiently confuses the wardriver
- Disables the wardriver
- Does not affect normal network traffic

Stage 3: Access Point
- Remote deployment
- Durability (uptime)
- Status monitored remotely

Hardware and Software Requirements
Hardware Required
- 2x Linksys Wireless PC Card
- 1x Orinoco Gold Wireless Card
- 2x PCI-PC Card adapter
- USR 2450 Access Point
- Pretec 4MB Linear Mapped Card

Software Required
- HostAP
- OpenAP
- NetStumbler
- Ethereal
- Other scanners
- Other sniffers

Parts Designed and Adapted
Parts Adapted or Reused
- HostAP
- OpenAP
- Fake AP

Parts Designed
- Intrusion detection algorithm
- Integration on HostAP
- Integration on OpenAP