Wireless Intrusion Detection Method



The Wireless Intrusion Detection Method (WIDS) proposes a new architecture-based solution for Wireless Intrusion Detection Systems for IEEE 802.11 wireless networks. It aims to provide specific protection against Man-In-The-Middle attacks in wireless networks by analyzing channel gaps, and against TCP SYN Flooding attacks in wired networks by protecting Access Points.
This Wireless Intrusion Detection System is based on the Snort Wireless project. Snort Wireless is an open-source intrusion detection system that currently detects rogue APs, ad hoc networks and NetStumbler scans. WIDS attempts to extend the capabilities of the Snort Wireless project with channel-by-channel detection of rogue APs and protection against SYN Flood attacks. For the purposes of this paper, only the portion involving wireless protection against Man-In-The-Middle attacks is discussed.

WIDS Framework


The WIDS framework is divided into six modules; the packet capture modules, protocol analysis module, intrusion detection module, storage module and response module are shown in Figure 1 below. The packet capture modules capture data on the network, the protocol analysis module accesses the defined types of frames, and the storage module stores those frames. The intrusion detection module watches for unusual behavior according to a pre-determined set of rules and triggers a response through the response module. The system provides two intrusion detection modules, one for defense against Man-In-The-Middle attacks and one for SYN Flood attack protection.

Man-In-The-Middle Defense Framework


Three modules make up the Man-In-The-Middle Intrusion Detection module: the monitoring module, the beacon frame processing module, and the re-request frame processing module. The monitoring module monitors network packets and sends each one to the appropriate frame processing module; a beacon frame, for example, is sent to the beacon frame processing module. If the packet matches the characteristics of a Man-In-The-Middle attack, the rogue Access Point control list is updated. If the packet is a re-association request frame, it is forwarded to the re-request frame processing module. If that packet matches the characteristics of a Man-In-The-Middle attack and its Access Point's BSSID is not on the rogue Access Point control list, a warning message is returned and the Access Point is added to the control list. It is then up to the network administrators to process the warning messages and carry out preventive measures against the attack.

Performance Validation


Experiments on a prototype were carried out in order to validate this wireless intrusion detection system framework. The prototype implemented the rogue Access Point as the host Access Point on a machine with two wireless network adapters running Red Hat Enterprise Linux 5. One adapter was used to counterfeit a legitimate STA in order to obtain a link request to the Access Point, while the other adapter was used to counterfeit a legitimate Access Point and transmit its beacon frames and other frames. The rogue Access Point was located at least five channels away from the legitimate Access Point and attempted to intercept the STA's connection with the original Access Point. The re-association request initiated by the STA was then detected.

The MAC address of the Re-association request frame’s destination was then compared against the rogue Access Point control list in order to confirm whether a Man-In-The-Middle-Attack was attempted against the STA site.
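The following is an added example, written for this summary and not code from the paper or from Snort Wireless, that models the Man-In-The-Middle detection module described above: a monitoring function dispatches beacon and re-association request frames to their processing functions, beacons that advertise a trusted SSID from the wrong BSSID (or a trusted BSSID beaconing at least five channels from its registered channel) populate a rogue Access Point control list, and a re-association request whose destination is on that list confirms an attempt against the requesting station. The simplified `Frame` fields, the `CHANNEL_GAP` constant, the decision to key the control list by (BSSID, channel) rather than BSSID alone, and all MAC addresses and SSIDs in the sample capture are assumptions constructed for this example; the paper's actual rule set is not published here.

```python
"""Toy model of the WIDS Man-In-The-Middle detection module.

Frames are simplified Python objects, not real 802.11 captures, and the
matching rules are assumptions for this example, not the paper's rules.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed heuristic taken from the validation setup, where the rogue AP sat
# at least five channels away from the legitimate one.
CHANNEL_GAP = 5


@dataclass
class Frame:
    kind: str                      # "beacon" or "reassoc_req"
    src: str                       # transmitter MAC (the BSSID for a beacon)
    dst: str                       # receiver MAC (target AP for a reassoc request)
    ssid: Optional[str] = None     # SSID element carried by both frame types
    channel: Optional[int] = None  # channel the monitor captured the frame on


@dataclass
class MitmDetector:
    trusted: Dict[str, Tuple[str, int]]               # SSID -> (BSSID, channel)
    rogue_acl: Set[Tuple[str, Optional[int]]] = field(default_factory=set)
    warnings: List[str] = field(default_factory=list)

    def monitor(self, frame: Frame) -> Optional[str]:
        """Monitoring module: route each frame to its processing module."""
        if frame.kind == "beacon":
            return self.process_beacon(frame)
        if frame.kind == "reassoc_req":
            return self.process_reassoc(frame)
        return None  # other frame types are outside this module's scope

    def process_beacon(self, frame: Frame) -> Optional[str]:
        """Beacon module: flag an AP advertising a trusted SSID from the wrong place."""
        expected = self.trusted.get(frame.ssid)
        if expected is None:
            return None  # not impersonating a trusted network
        bssid, channel = expected
        if frame.src != bssid:
            return self._flag(frame.src, frame.channel,
                              f"BSSID {frame.src} advertises trusted SSID {frame.ssid!r} "
                              f"(expected {bssid})")
        if frame.channel is not None and abs(frame.channel - channel) >= CHANNEL_GAP:
            return self._flag(frame.src, frame.channel,
                              f"trusted BSSID {bssid} beaconing on channel {frame.channel}, "
                              f"{CHANNEL_GAP}+ channels from its registered channel {channel}")
        return None

    def process_reassoc(self, frame: Frame) -> Optional[str]:
        """Re-request module: check the request's destination against the rogue list."""
        if (frame.dst, frame.channel) in self.rogue_acl:
            return self._warn(f"station {frame.src} re-associating to known rogue AP "
                              f"{frame.dst} on channel {frame.channel}: MITM attempt confirmed")
        expected = self.trusted.get(frame.ssid)
        if expected is not None and frame.dst != expected[0]:
            # Matches MITM characteristics but the AP is not listed yet: warn and add it.
            return self._flag(frame.dst, frame.channel,
                              f"station {frame.src} re-associating to unlisted AP {frame.dst} "
                              f"claiming SSID {frame.ssid!r}")
        return None

    def _flag(self, bssid: str, channel: Optional[int], reason: str) -> str:
        self.rogue_acl.add((bssid, channel))
        return self._warn(reason)

    def _warn(self, message: str) -> str:
        self.warnings.append(message)  # left for the administrator to act on
        return message


def run_sample() -> MitmDetector:
    """Feed a constructed capture through the detector (all values made up)."""
    det = MitmDetector(trusted={"corp-wifi": ("00:11:22:33:44:55", 1)})
    capture = [
        Frame("beacon", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "corp-wifi", 1),  # legitimate AP
        Frame("beacon", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff", "corp-wifi", 6),  # clone, 5 channels away
        Frame("beacon", "cc:dd:ee:ff:00:11", "ff:ff:ff:ff:ff:ff", "guest-net", 11), # unrelated network
        Frame("reassoc_req", "de:ad:be:ef:00:01", "66:77:88:99:aa:bb", "corp-wifi", 6),  # STA pulled to clone
        Frame("reassoc_req", "de:ad:be:ef:00:02", "00:11:22:33:44:55", "corp-wifi", 1),  # normal roaming
    ]
    for frame in capture:
        det.monitor(frame)
    return det


if __name__ == "__main__":
    for line in run_sample().warnings:
        print(line)
```

Keying the control list by (BSSID, channel) instead of BSSID alone is what lets the detector handle the case the paper's validation set up: an attacker who copies the legitimate BSSID can still be told apart by the channel gap, and the genuine AP on its registered channel is never blacklisted by its own clone.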

The reported results claim that the proposed rogue Access Point detection framework is accurate and can detect an attempted Man-In-The-Middle attack. Furthermore, the approach is believed to collect information about the victim host so that network administrators can mount a manual defense against the attack. While this provides a method of defense against the Man-In-The-Middle attack, the manual nature of the method is considered a weakness. Future plans for this project include applying machine learning in order to defend against the Man-In-The-Middle attack automatically.
