WLAN Intrusion Detection System Ms. Sushama Shirke 1, Mr. S.B.Vanjale 2

Similar documents
ON FAST AND ACCURATE DETECTION OF UNAUTHORIZED WIRELESS ACCESS POINTS USING CLOCK SKEWS

On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews

On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews

Wireless Protocols. Training materials for wireless trainers

Detecting & Eliminating Rogue Access Point in IEEE WLAN

A Passive Approach to Wireless NIC Identification

EVIL TWIN ACCESS POINT DETECTION AND PREVENTION IN WIRELESS NETWORK Sandip S. Thite Bharati Vidyapeeth s College of Engineering for Women, Pune, India

CSMC 417. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala. Fall 2018 CMSC417 Set 1 1

Table of Contents 1 WLAN Service Configuration 1-1

Wireless technology Principles of Security

WIRELESS EVIL TWIN ATTACK

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

Wireless Router at Home

Data Communications. Data Link Layer Protocols Wireless LANs

WIDS Technology White Paper

Wireless Security Protocol Analysis and Design. Artoré & Bizollon : Wireless Security Protocol Analysis and Design

CWAP-402.exam. Number: CWAP-402 Passing Score: 800 Time Limit: 120 min File Version: CWAP-402

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Wireless Attacks and Countermeasures

PRODUCT GUIDE Wireless Intrusion Prevention Systems

Guide to Wireless Communications, Third Edition. Objectives

NETWORK SECURITY. Ch. 3: Network Attacks

Lure10: Exploiting Windows Automatic Wireless Association Algorithm

Mobile Communications Chapter 7: Wireless LANs

CSNT 180 Wireless Networking. Chapter 7 WLAN Terminology and Technology

What is a Wireless LAN? The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in Ne

@IJMTER-2016, All rights Reserved ,2 Department of Computer Science, G.H. Raisoni College of Engineering Nagpur, India

Requirements from the

IEEE WLANs (WiFi) Part II/III System Overview and MAC Layer

Wireless Network Security

5 Tips to Fortify your Wireless Network

Engineering Swarm- Services CS

CCNA 3 (v v6.0) Chapter 4 Exam Answers % Full

WL-5420AP. User s Guide

On the Reliability of Wireless Fingerprinting using Clock Skews

6.9 Summary. 11/20/2013 Wireless and Mobile Networks (SSL) 6-1. Characteristics of selected wireless link standards a, g point-to-point

3.1. Introduction to WLAN IEEE

Standard For IIUM Wireless Networking

Improving Channel Scanning Procedures for WLAN Handoffs 1

Content. Chapter 1 Product Introduction Package Contents Product Features Product Usage... 2

Clock-Skew-Based Computer Identification: Traps and Pitfalls

Institute of Electrical and Electronics Engineers (IEEE) IEEE standards

Complexity. An introduction to protocol chaos. Andrés Blanco. CC License - Swtiruty Rgbytw

CWNP PW Certified Wireless Network Administrator (CWNA) Download Full Version :

Applications and Performance Analysis of Bridging with L3 Forwarding on Wireless LANs

Detection and Removal of Black Hole Attack in Mobile Ad hoc Network

Viewing Status and Statistics

Computer Networks. Wireless LANs

Wireless# Guide to Wireless Communications. Objectives

Wireless LANs. ITS 413 Internet Technologies and Applications

System-Level Failures in Security

User s Guide AIR-USB112NH November, VRTL8191SU

Wednesday, May 16, 2018

CompTIA E2C Security+ (2008 Edition) Exam Exam.

Wireless Networks. Lecture 4: Wireless Networking Devices. Assistant Teacher Samraa Adnan Al-Asadi 1

Managing Rogue Devices

IEEE Technical Tutorial. Introduction. IEEE Architecture

Securing MANETs using Cluster-based Certificate Revocation Method: An Overview

ECE442 Communications Lecture 3. Wireless Local Area Networks

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Supporting Service Differentiation for Real-Time and Best-Effort Traffic in Stateless Wireless Ad-Hoc Networks (SWAN)

Wireless and Mobile Networks 7-2

VLANs and Association Redirection. Jon Ellch

Basic processes in IEEE networks

packet-switched networks. For example, multimedia applications which process

PMS 138 C Moto Black spine width spine width 100% 100%

ABHELSINKI UNIVERSITY OF TECHNOLOGY

Reliable Multicast Scheme Based on Busy Signal in Wireless LANs

Mobile Security Fall 2013

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Optional Point Coordination Function (PCF)

Chapter 7. Basic Wireless Concepts and Configuration. Part I

Wireless Networks. CSE 3461: Introduction to Computer Networking Reading: , Kurose and Ross

Dolphin-M. User s Manual

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Managing Rogue Devices

Wireless LAN Security (RM12/2002)

Security in Mobile Ad-hoc Networks. Wormhole Attacks

An Implementation of Cross Layer Approach to Improve TCP Performance in MANET

Topic 2b Wireless MAC. Chapter 7. Wireless and Mobile Networks. Computer Networking: A Top Down Approach

Obstacle Avoiding Wireless Surveillance Bot

Challenges in Mobile Ad Hoc Network

Wireless# Guide to Wireless Communications. Objectives

Improving the latency of Hand-offs using Sentinel based Architecture

Information extraction from WLAN traffic traces in multi-network scenarios

DOMINO: A System to Detect Greedy Behavior in IEEE Hotspots

CWNP PW Certified Wireless Analysis Professional. Download Full Version :

Ekahau RTLS Interop Note & Configuration Guide

AWUS036NHR Long-Range Indoor IEEE n USB Adapter User Manual

Security Challenges Facing the Future Wireless World (aka.. Alice and Bob in the Wireless Wonderland) Wade Trappe

Rogue Access Point Detection using Challenge-Response Mechanism

Networking Basics. Crystal Printer Network Installation Guidelines

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

BYOD: BRING YOUR OWN DEVICE.

Multipot: A More Potent Variant of Evil Twin

Configuring Layer2 Security

Implementation of Wireless Sensor Hub to Support Protocols Interoperability

Enterprise Data Communication Products. Feature Description - WLAN. Issue 02 Date HUAWEI TECHNOLOGIES CO., LTD.

CIT 380: Securing Computer Systems. Network Security Concepts

Transcription:

International Journal of Computer Science and Management Studies, Vol. 11, Issue 02, Aug 2011 25 WLAN Intrusion Detection System Ms. Sushama Shirke 1, Mr. S.B.Vanjale 2 1 B.V.D.U. Pune (India) Susha_1720@rediffmail.com 2 B.V.D.U. Pune (India) svanjale@rediffmail.com Abstract This is an implementation of the Wireless LAN Intrusion Detection System (WIDS ) using clock-skews as a fingerprinting property as suggested by Jana-Kasera [1]. Our objective is to detect the presence of a fake access point (AP) in a Wireless LAN (WLAN). Use of clock -skew enables us to effectively detect Medium Access Control (MAC) Address spoofing. The principle used in this project is that clock s k e w s remain consistent over time for the same AP but vary significantly across AP s. We have also tried to explore probable points of failure and implemented algorithms to overcome these problems. Advantage of this implementation is that fake AP can be detected very quickly as WLAN Intrusion Detection System needs only 100-200 packets in most cases. Keywords: IEEE 802.11, fake access point, fingerprint, M AC Address spoofing, timestamp s. I. INTRODUCTION WIRELESS LAN is a broadcast service. As a result, it is quite vulnerable to the various attacks. Different encryption techniques have been devised to provide securit y to the Wireless Networks. Yet, it s e em s to be inadequate. Consider an organization X. It has a wireless broadcast t router which provides service to its employees. A malicious attacker can set up a fake Access Point (AP) which emulates this authorized AP. Now, the attacker can lure the clients of this authorized AP and the clients get connected to the fake AP believing that they are connected to the authorized one. Now, the attacker can easily launch various types of attacks on the connected clients. Some security mechanisms like new wireless security enhancement 802.11i RSNA (Robust Security Network association) can be used to provide strong mutual authentication between the authorized AP and its clients, But its disadvantage is that it becomes very difficult to manage and verify the digital certificates over the network across different domains. Also, practical limitations to this cryptographic encryption technique can introduce vulnerabilities in the wireless networks using 802.11i RSNA cryptographic encryption techniques. However, the system becomes robust and secure if this technique is combined with validations using the fingerprint of the authorized AP calculated by the clock- skew of the AP with respect to the fingerprinting node. Fig.1. Structure of WLAN Intrusion Detection System II. WIRELESS LAN a. Basic Information Wireless Communication is one of the fastest growing technologies. IEEE 802.11 is a standard defined by IEEE for specifications of Wireless LAN. This specification over physical and data link layers. b. Architecture IEEE 802.11 defines two types of services Basic Service Set (BSS) and Extended Service Set (ESS). BSS is a building block of wireless s L A N. It contains wireless clients and an optional Access Point (AP). BSS without A P i s ad-hoc architecture while BSS with AP is called as an infrastructure network. Two o r more B S S connected with a distribution system form an ESS. Fig.2. Architecture of t he Wireless LAN IEEE 802.11 s specifies three types of frames for communication:

International Journal of Computer Science and Management Studies, Vol. 11, Issue 02, Aug 2011 26 i. Data Frame: This frame is used for s ending receiving data ii. Control Frame: This type includes various frames such as Request-To-Send (RTS), Clear-To-Send (CTS), ACK, etc. iii. Management Frame: These frames are used for maintenance of WLAN. Frames such as probe request, probe response, beacon are covered in this type of frames. In our project, we extensively make us e of beacon frame for extracting Times tamp information. Fig.3. Frame structure of t he captured beacon frame c. Radio Tap Headers Radio tap Header is also specified by the IEEE 802.11 protocol. It is 32 byte in length. Wireless driver (in this case, Mad Wi-Fi driver for Linux) writes time of arrival of the beacon frame in 8 byte Time interval field in Radio tap header. We extract this field to get the hardware times tamp [ii]. Once this fake AP is set up, users of authorized AP think that fake AP is the real one and connect to it. Now, the attacker can launch various attacks on these clients [iv]. Fake APs are dangerous than a direct attack on the network. This is due to following reasons. i. When different clients try to connect to the authorized AP, they use election algorithms that are purely based on signal strength. If the attacker manages to increase its signal strength, he can easily lure the clients into using fake AP instead of authorized one. Once connected, attacker can make sure that client never uses authorized AP again by keeping its signal strength at constant level. Thus, client is now virtually quarantined from the result of the network of authorized AP and he has no way of knowing this fact. ii. Beacons sent by fake AP have their fields copied from beacons of authorized AP. As a result, security system can also be fooled as it thinks that packets are coming from authorized AP itself. Thus, fake AP evades its detection. It is difficult to detect the presence of fake AP in a wireless network. It is more difficult to exactly identify the device and block it. iii. These fake access points can be easily created using beacon snuffers and packet injectors which only need a wireless Network Interface Card (NIC) which can work in monitor mode [iii]. iv. This is why clock-skews come into picture for detection of fake APs. They are discussed in-depth in section V. v. IV. THREAT MODEL Fig. 4 Structure of Radio taps of Header III. FAKE ACCESS POINT A wireless network can be attacked by many ways. One such way is by creation of unauthorized fake Access Point (AP) in the network. A malicious attacker can sniff the beacon frames of authorized AP. He then extracts Medium Access Control (MAC) Address, SSID and BSSID of the authorized AP and puts it into his own frame [iv]. Thus, newly created AP now acts as a duplicate AP of the authorized AP. a. Scenarios There are two scenarios in which a fake AP can operate. i. Authorized AP and fake AP are both active in the network. A client can receive beacons from both the APs. The attacker can keep the signal strength of fake AP above that of authorized AP s o that user will be forced to connect with the fake AP.

International Journal of Computer Science and Management Studies, Vol. 11, Issue 02, Aug 2011 27 t i = TSF Time Stamp of 1 beacon Figure 5 ii. Only fake AP is active and authorized AP cannot be reached by the client. This can happen in some situations like failure of authorized AP due to internal reasons or due to attack by the adversary. The attacker can also follow the client beyond the field of influence of authorized AP. Fig.6. Threat scenario 2 For c a l c u l a t i o n of clock-skew, w e n e e d t o gather time measured by two difference devices. We have made use of types of times tamps in this project as suggested by Kohno and co-authors and verified its usefulness by Jana -Kasera [1]. Source Times tamp Whenever a beacon is sent from an access point, the device driver of the AP writes the time of s ending in the times tamp field of Beacon Header. This is called source times tamp. TSF Times tamp Whenever a client receives a frame, the device driver on the client side writes time of arrival as indicated by the client s clock into the times tamp field of Radio tap Header. It is called as Time Synchronization Function (TSF) times tamps. These times tamps help us in determining the exact clock skew between the clock of client / WIDS node and that of an Access Point. b. Calculation Of Clock Skew We have used the method explained by Jana -Kasera [1] for the calculation of clock skews. This method can be explained as follows. Let, Implementation of the Passive online scheme that can detect fake APs can handle both these situations effectively. Ti = Source Times tamp of i th beacon We calibrate our system before actual work in the network. As a result we have accurate clock-skew of the authorized AP with which we can compare with detected APs. If more than one AP is detected with same MAC Address, SSID and BSSID but with different clock-skews, we can determine that attack des cried in scenario 1 is taking place. If an AP is found with same MAC Address, SSID and BSSID but having different frame clock-skew than pre-calibrated value, we can determine that attack explained in scenario 2 is taking place. xi = Time difference between arrival of 1 fingerprinting node and I frame at us O i = Estimated offset of i th xi = ti t1 oi = (Ti T1) (ti t1) V. CLOCK SKEW i. Definition Clock Skew can be defined as the difference in time shown by the clocks at different nodes in the network. It can act as an identifying property for a network device. Thus, using clock- skews, we can uniquely fingerprint up to 512 different APs. Clock-skew arises in a network due to difference between the physical properties of clocks present in different devices connected to network. An electronic clock consists of two parts Oscillator Oscillator is controlled by a crystal and it ticks at a fixed frequency Counter It keeps track of number of ticks produced by the oscillator. Oscillator frequency depends on type of crystal and angle at which the crystal was cut relative to its axes. Practically, no two crystals can have exactly equal frequency of oscillation. This introduces skew in the time measured by different nodes Ẉe plot the graph of (o i) vs (xi) which is approximately linear. Slope of this line represents the clock-skew between the AP and WIDS node. To estimate the value of clock-skew, we can us e different methods. a. Linear Programming Method (LPM) In this method, we have to minimize the function two

International Journal of Computer Science and Management Studies, Vol. 11, Issue 02, Aug 2011 28 VI. IMPLEMENTATION Where δ is the estimated clock skew. Limitation of this method is that it has high tolerance towards the outliers. Even if a point lies outside of the line, it treats it as a point on the line. In our calculations, value of clock-skew is calculated at microsecond precision and there is high possibility that LPM will be unable to distinguish between the two APs with closely located clock-skews. As a result, we us e Leas t Square Fitting b. Least Square Fit(LSF) In this method, we have to minimize the function This method allows low tolerance towards outliers. As a result it can distinguish between two APs even if their clock skew values are very closely located. Thus, it helps us in identifying fake APs that have engineered the clock skew very close to the clock skew of authorized AP[i]. Implementation of LSF: We have already defined a function which we have to minimize. Applying standard procedure to find minima, we differentiate it partially with respect to δ and ϕ and equate it to zero. f/ δ = 0 and f / ϕ = 0 Solving them simultaneously, we get estimated value of δ as Approximately 200 beacon frames are sufficient to determine the clock-skew accurately. When these beacons are captured, we estimate the value of δ (clock - skew) using the result obtained in previous section. That is, we apply Leas t Square Fitting. PHASE I: Calibration of the System The process is described below: i. This step must be carried out before a wireless network is deployed s o that there is guaranty that no fake AP is active. ii. System gathers beacon packets from s elected AP. iii. Maximum value of the s lope of line between various points is determined. This is the threshold of clockskew for differentiating between frames from different APs. PHASE II: Detection of Fake AP Values of threshold and clock -skew are written to the file for us e in Phase II. The process is described below. i. Capture desired number of packets. Again, 150-200 packets from each source are sufficient to determine accurate clock-skew. ii. Now, based on threshold value, we separate the packets into various data sets. iii. We apply Leas t Square Fitting (LSF) on each of the datasets and calculate its estimated clock skew. iv. If we get beacons having same MAC Address, SSID and BSSID but lying in different ranges of clock skew, we can determine that Fake AP is present in the network. a. Algorithm WLAN Intrusion Detection System follows a t step process.in the first phase, system is calibrated for the desired AP. In the second phase, system searches for available beacons which are coming from the authorized AP or which seem to come from the authorized AP and then tries to establish whether a fake AP is active or not. b. Hardware Requirement Thus, we get the clock skew using this result. TREND net TEW -651BR Wireless Router, HP Pavilion dv4 Laptop having AR9285 wireless network adapter with Atheros Chips

International Journal of Computer Science and Management Studies, Vol. 11, Issue 02, Aug 2011 29 c. Software Requirement Platform: Ubuntu Linux 10.04 Lucid Lynx, Environment: Java 6, Additional Libraries: net.sourceforge.jp cap package with native libpcap library support,customized Mad Wifi device drivers which write TSF times tamps in microsecond precision instead of usual millisecond precision, IDE: Eclipse. VII. PROBLEM POINTS OF FAILURE AND ITS SOLUTIONS tolerance towards outliers. Hence, a slight deviation from desired clock-skew can be detected instantaneously. VIII. RESULTS a. Calibration Result for TRENDnet651BR Packets available: 228, clock skew = 5.248028109901964E-5 Calibration Success fully Performed. TABLE 1 EXPERIMENTAL RESULT Clock-skew of a d e v i c e w i t h r e s p e c t to another device remains constant under same external working conditions. But this skew may change due to change in external factors, resulting in failure of WIDS Scheme. As a result, we have to make changes in our implementation s o that the system is immune to these changes. a. Temperature Variations Temperature of the core of the AP can change due to various factors. The change can be due to change in atmospheric temperature or it can be due to varying loads on the CPU. The changes in clock-skew because of change in temperature are consistent and gradual. As a result, we implement a rolling signature scheme in which we update the value of clock-skew[i]. TABLE 2 OBSERVATION b. Virtualization A virtual AP is an s ingle hardware AP used to simulate multiple APs with different MAC Addresses, SSIDs and BSSIDs. As all virtual APs are simulated on the same hardware, there clock-skew is in the same range as that of the real AP. Hence, even if the authorized AP is using virtualization to implement various APs, our system can detect Fake APs [i]. Engineered Clock skew which imitate that of authorized access point: Fake AP can copy the value of times tamp from the source beacon. As a result, Fake AP that exhibits clockskew nearly same as that of authorized AP can be constructed. But when such beacon frame is reconstructed, there is delay of few microseconds between the retransmission of the frame from fake AP. Thus, client will get duplicate frames having different sequence numbers and system will be able to detect the Fake AP. Also, we have implemented Leas t Square Fitting Technique which has very low b. WIDS in working conditions Total no. of packets: 218, Set one: 218, Unique AP found! Network does not contain any fake AP. Number of AP's detected: 1, their clock Skews are as follows: AP No. 0, clock Skew = 5.182813495610108E-5 The clock skew of original AP is: 5.248028109901964E-5 IX. FURTHER IMPROVEMENTS In this implementation, we can only detect the presence of Fake AP and get its clock-skew. But we cannot identify the device physically and take corrective

International Journal of Computer Science and Management Studies, Vol. 11, Issue 02, Aug 2011 30 measures to block this device. This facility can be incorporated in the WLAN intrusion Detection System. [8] Wire Shark Net work Analyzer, ht t p://www.wireshark.org [9] Java Packet Sniffer lib REFERENCES [1] S. Jana and S. Kasera, On Fast and Accurate Detect ion of Unauthorized Wireless Access Point s Using Clock Skewsϕ, IEEE Transactions on Mobile Computing, vol. 9, no. 3,March 2010 [2] T. Kohno, A. Broido, and K.C. Claffy, Remote Physical Device Fingerprinting IEEE Trans. Dependable Secure Computing, vol.2, no. 2, pp. 93-108, Apr.-June 2005 [3] B. Forouzan, Data Communication and Net working, McGraw Hill, Fourt h Edit ion [4] IEEE Standard 802.11 Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, T he IEEE, Inc., 1999. [5] ht t p://www.madwifi-project.org [6] ht t p://www.rfakeap.t uxfamily.org [7] B.V. Ramana, Higher Engineering Mathematics, T at a McGraw Hill

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback