A Mobile Device Classification Mechanism for Efficient Prevention of Wireless Intrusion

Transcription

1 A obile Device Classification echanism for Efficient Prevention of Wireless Intrusion Hyeokchan Kwon 1, Sin-Hyo Kim 1, 1 Electronics and Telecommunications Research Institue, 218 Gajeong-ro, Yuseong-gu, Daejeon, KOREA {hckwon, shykim}@etri.re.kr Abstract. In this paper, we present mobile classification mechanism for preventing wireless intrusion efficiently. Current wireless intrusion prevention system classifying the mobile s into three or four categories: authorized, unauthorized, guest and external. By contrast, the proposed mechanism classified mobile s into 9 categories. For a variety of classification, the proposed mechanism utilizes the -related real-time events from mobile management system and authorization system. This mechanism also provides the security policy generation steps for controlling mobile s access to s in the managed wireless network. The advantage of this mechanism against traditional approach is to identify and take countermeasure against -related potential security threats in advance. Keywords: wireless intrusion prevention, mobile management, mobile classification, wireless access control 1 Introduction Currently, there exist several Wireless Intrusion Prevention System (WIPS) product to detect and prevent wireless intrusion such as IT, DoS attack, rogue (access point)-based attack, unauthorized network access by the mobile and so on. WIPS consist of wireless threat management server that manages overall WLAN threat/security and wireless sensors that monitors radio frequency signals for the presence of rogue access point, unauthorized, unauthorized association, malicious traffic and so forth. Current WIPS classifying the mobile s into three or four categories: authorized, unauthorized, guest and external for preventing wireless intrusion. In case of AirTight [1], a representative wireless intrusion prevention system, classifying the mobile s into three categories: authorized, unauthorized and neighbor. In case of, they classified into three categories: authorized, rogue and external. Previous works on classification for preventing wireless intrusion have difficulty to subtle control the wireless access between mobile s to s because of its simple classification mechanism. And it cannot identify potential threats because its classification mechanism does not reflect the vulnerable state of the such as jailbreaking, rooting and so on. ISI 2013, ASTL Vol. 25, pp , 2013 SERSC

2 Proceedings, The 2nd International Conference on Information Science for Industry In this paper, we present mobile classification mechanism for preventing wireless intrusion efficiently. The proposed mechanism classified mobile s into 9 categories. Each category can be combined, and the category (or combined category) will be mapped into security level which is defined in this mechanism to set-up the security policy for control accesses to managed. In order to make a variety of classification, we utilize the -related events from mobile management system (called D) and authorization system (called AS). The -related events include status of such as authentication, jailbroken, rooted, lost, misplaced, acting role (tethering/hot-spot), deletion of D agent illegally and so on. Currently, WIPS and D are individual products and each is independently deployed and operated. The related research on the WIPS mechanism by utilizing additional -related events from the D has also not yet been investigated. The contents organized as follows. In section 2, we present mobile classification mechanism. Finally, conclusion is given in section 3. 2 obile Device Classification echanism In this section, we present mobile classification mechanism in WIPS system. Fig. 1 shows the system architecture for classifying the mobile. In Fig. 1, wireless intrusion prevention server utilizes the -related events from mobile management system (called D) and authorization system (called AS). In this mechanism, D server provide WIPS with information such as jailbreaking/rooting, lost, misplaced, acting role (tethering/hot-spot), deletion of D agent illegally and so on. And the authentication server provides WIPS with the list of authorized. Policy DB Event DB classification Device classification Access policy Classification policy. Events from AS Events from D server I/F I/F Authorization Server (AS) WIPS Server D Server : D agent Fig. 1. The system architecture for classifying the mobile 318

3 A obile Device Classification echanism for Efficient Prevention of Wireless Intrusion The received events are stored in the event database in Fig. 1, and WIPS server classifying the mobile by analyzing the information in the event database, and the classification information is stored in the policy database. The Table 1 shows the list of -related event from authorization server and D server. Table 1. Device-related event from authorization server (AS) and D server Interface AS WIPS D Server WIPS Server Event List of authorized by the authorization server List of authorized by the D server (i.e., list of with D agent) Jailbroken/rooted, Lost/misplaced, Deletion of D agent illegally Act as a wireless access point by using wi-fi tethering or hotspot application Fig. 2 shows the classification of access point and mobile in this mechanism. We classified the mobile into 9 categories and access point into 5 categories. The detailed classification criteria are described in the Table 2. The classification criteria could be determined by the security policy. The WIPS server classifying the mobile by analyzing the information of the event database which contains the received -related information from authorized server and D server. This paper focuses on the classification of mobile only. From the 9 classification in Table 2, the classification of authorized (AS), authorized (D), risky and tethering can only be classified through the interworking with authentication server and/or D server. classification obile classification (AS) Tethering Rogue Tethering/Soft (anual) (D) External Black-list External Uncategorized Guest risky Uncategorized Fig. 2. Classification of obile and Access Point () Each category can be combined, and the category (or combined category) will be mapped into security level which is defined to set-up the security policy for control accesses to managed. The mapping with security level can be done by wireless network administrator. The higher number of security level means the higher security risk. 319

4 Proceedings, The 2nd International Conference on Information Science for Industry The follows is an example of security policy using combined category mapped with security level. The symbol &, means and, or respectively. (D) & Risky Tethering Security level 2 : A that is classified as authorized (D) and classified as risky or tethering is mapped into the security level 2. Table 2. The classification criteria of mobile Classification Classification Criteria (AS) by the authorization server (anual) The classified as authorized by the WIPS server itself manually beforehand (D) Guest Risky by D server (i.e., with valid D agent) The classified as guest by the WIPS server itself manually beforehand Jailbroken/rooted or Lost In case that, D agent installed in the is deleted illegally Tethering The act as a wireless access point by using wi-fi tethering or hotspot application External The not allowed by the wireless network administrator, but located on the outside of the managed physical domain (e.g., campus, building) and/or not connected with network segment to be protected. Black-list The listed in the blacklist Uncategorized Uncategorized WIPS self-detected information Device related event (from AS and D server) Classify mobile using classification algorithm Device classification ap the classification onto security level Security level Create an access control policy classification Fig. 3. Set-up an Access Control Policy In this mechanism, we defined four levels of access control: Permit (permit access), Prohibit (prohibit access), Inform (inform network administrator of connectivity information), Ignore (ignore the connectivity). The fundamental step to set up an access control policy is shown in Fig. 3. The access control policy in Fig.3 is created by network administrator, and it defines access control between security level and 320

5 A obile Device Classification echanism for Efficient Prevention of Wireless Intrusion classification. For example, the access control policy permit level_2 s to access authorized and prohibit level_3 s to access rogue and so on. 3 Conclusion In this paper, we present mobile classification mechanism for preventing wireless intrusion efficiently. Previous works on classification for preventing wireless intrusion have difficulty to subtle control the wireless communication between mobile s to s, because of its simple classification mechanism. And it cannot identify potential threats because its classification mechanism does not reflect the vulnerable state of itself such as jailbreaking, rooting and loss. In our mechanism, for a variety of classification, we utilize the related events from D and authorization system (called AS). In this approach, we can classify the mobile into 9 categories. To make security policy for preventing wireless intrusion the following steps are presented: (1) Classify mobile using classification algorithm (2) aps classification to security level (3) Create an access control policy using the security level and access point classification. The advantage of this approach is to identify and take countermeasure against -related potential security threats in advance. Such security threats could be arising from the which is jailbroken, rooted, loss and so on. Currently, we are planning to extend the classification mechanism to consider additional mobile related information such as -activity. Acknowledgement This research funded by the ISP (inistry of Science, ICT & Future Planning), Korea in the ICT R&D Program 2013 References 1. AirTight: ethod and system for monitoring a selected region of an airspace associated with local area networks of computer s, Patent, AirTight, US 7,002,943 (2006) 2. R. Beyah, A. Venkataramen: Rogue-Access-Point Detection Challenges, Solutions, and Future Directions, IEEE Security & Privacy, vol. 9, issue 5, pp , IEEE (2011) 3. Tarek S. Sobh, Wired and wireless intrusion detection system: Classifications, good characteristics and state-of-the-art, vol. 28, issue 6, pp , Computer Standards & Interfaces, Elsevier (2006) 4. Anyclick AIR, UNETsystem 321