wireless ids & new attack model-report (1)
TRANSCRIPT
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
1/47
CHAPTER 1
INTRODUCTION
The rapid proliferation of wireless networks and mobile computing
applications has changed the landscape of network security. The nature of mobility
creates new vulnerabilities that do not exist in a fixed wired network, and yet many
of the proven security measures turn out to be ineffective. Therefore, the traditional
way of protecting networks with firewalls and encryption software is no longer
sufficient. We need to develop new architecture and mechanisms to protect the
wireless networks and mobile computing applications.
1.1. Vulnerabilities of Mobile Wireless Networs
The nature of mobile computing environment makes it very vulnerable to an
adversary's malicious attacks. First of all, the use of wireless links renders the
network susceptible to attacks ranging from passive eavesdropping to active
interfering. Unlike wired networks where adversary must gain physical access to the
network wires or pass through several lines of defense at firewalls and gateways,
attacks on a wireless network can come from all directions and target at any node.
amages can include leaking secret information, message contamination, and node
impersonation. !ll these mean that a wireless ad"hoc network will not have a clear
line of defense, and every node must be prepared for encounters with an adversary
directly or indirectly.
#econd, mobile nodes are autonomous units that are capable of roaming
independently. This means that nodes with inade$uate physical protection are
receptive to being captured, compromised, and hi%acked. #ince tracking down a
particular mobile node in a global scale network cannot be done easily, attacks by a
compromised node from within the network are far more damaging and much harder
to detect. Therefore, mobile nodes and the infrastructure must be prepared to
operate in a mode that trusts no peer. Third, decision"making in mobile computing environment is sometimes
decentrali&ed and some wireless network algorithms rely on the cooperative
participation of all nodes and the infrastructure. The lack of centrali&ed authority
means that the adversaries can exploit this vulnerability for new types of attacks
designed to break the cooperative algorithms.
1
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
2/47
To summari&e, a mobile wireless network is vulnerable due to its features of
open medium, dynamic changing network topology, cooperative algorithms, lack of
centrali&ed monitoring and management point, and lack of a clear line of defense.
1.!. T"e Nee# for Intrusion Dete$tion
ntrusion prevention measures, such as encryption and authentication, can
be used in ad"hoc networks to reduce intrusions, but cannot eliminate them. For
example, encryption and authentication cannot defend against compromised mobile
nodes, which often carry the private keys. ntegrity validation using redundant
information (from different nodes), such as those being used in secure routing, also
relies on the trustworthiness of other nodes, which could likewise be a weak link for
sophisticated attacks. To secure mobile computing applications, we need to deploy
intrusion detection and response techni$ues, and further research is necessary to
adapt these techni$ues to the new environment, from their original applications in
fixed wired network. n this paper, we focus on a particular type of mobile computing
environment called mobile ad"hoc networks and propose a new model for intrusion
detection and response for this environment. We will first give a background on
intrusion detection, and then present our new architecture.
2
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
3/47
CHAPTER !
RE%UIREMENT &PECI'ICATION
Har#ware &(e$ifi$ations
*ard isk + -/ or !bove.
0!1 + 2341/ or !bove.
5rocessor + 5entium 6 or !bove.
&oftware &(e$ifi$ations
7perating #ystem + Windows 3--- or !bove.
5rogramming 5ackage used + 8ava 2. or !bove, #wings.
3
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
4/47
CHAPTER )
&O'TWARE RE%UIREMENT& &PECI'ICATION
).1 E*ternal Interfa$e Re+uire,ents
UserInterfa$es
The user can interact with the system through the user interface. There are
different screens are available for the users to enter the details. 9rror messages are
also generated.
Har#ware Interfa$es
:etwork cable, :etwork interface ;ard.
&oftware Interfa$es
The operating system used Windows 3---. ! can be viewed as a tool to help
generate knowledge for the 0ule /ased #ystem (0/#).
Co,,uni$ations Interfa$es
The 5rotocol to be used is T;5
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
5/47
).!.) &oftware %ualit- Attributes
Using genetic algorithm at run time the set of new rules will be generated.
nitially, there are only fifty rules. =ater, there will be more than thousand rules. The
set of rules will be reused. #o it is flexible, reliable, secure and maintainable
5
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
6/47
CHAPTER
/ITERATURE &URVE0
.1 RE%UIREMENT ANA/0&I&
! mobile !d"hoc network is a collection of nodes that is connected through
a wireless medium forming rapidly changing topologies. The ynamic topology of
wireless !d"*oc network allows the node to %oin and leave the network at any point
of time. This generic characteristic of wireless !d"hoc network has rendered it
vulnerable to security attacks. !ttackers maybe of any type. dentifying the attack
type and providing the solution to the real time attacks can be done in real"time, by
forming multiple numbers of wireless nodes in the cluster, cluster head, and
implementing the ynamic #ource 0outing (#0) protocol, detection of attack types,
prevention of attacks, etc.
There are several ways to categori&e #
Misuse #ete$tion vs. ano,al- #ete$tion+ in misuse detection, the #
analy&e the information it gathers and compares it to large databases of
attack signatures. 9ssentially, the # look for a specific attack that has
already been documented. =ike a virusdetection system, misuse detection
software is only as good as the database of attack signatures that it uses tocompare packets against. n anomaly detection, the system administrator
defines the baseline, or normal, state of the network>s traffic load,
breakdown, protocol, and typical packet si&e. The anomaly detector monitors
network segments to compare their state to the normal baseline and look for
anomalies.
Networbase# vs. "ostbase# s-ste,s+ in a network"based system, or
:#, the individual packets flowing through a network are analy&ed. The
:# can detect malicious packets that are designed to be overlooked by a
firewall>s simplistic filtering rules. n a host"based system, the # examines
at the activity on each individual computer or host.
Passi2e s-ste,vs. rea$ti2e s-ste,+ in a passive system, the # detect a
potential security breach, log the information and signal an alert. n a reactive
system, the # respond to the suspicious activity by logging off a user or by
6
http://www.webopedia.com/TERM/I/intrusion_detection_system.html#%23http://www.webopedia.com/TERM/I/intrusion_detection_system.html#%23 -
8/13/2019 Wireless IDS & New Attack Model-Report (1)
7/47
reprogramming the firewall to block network traffic from the suspected
malicious source.
.! ATTAC3& IN ADHOC NETWOR3&
From the point of view of intrusion detection and response, we need to
observe and analy&e the anomalies due to both the conse$uence and techni$ue of an
attack. While the conse$uence gives evidence that an attack has succeeded or is
unfolding, the techni$ue can often help identify the attack type and even the identity
of the attacker.
!ttacks in 1!:9T can be categori&ed according to their conse$uences as the
following+
4la$"ole+ !ll traffic are redirected to a specific node, which may not forward anytraffic at all.
Routin5/oo(+ ! loop is introduced in a route path.
Networ Partition+ ! connected network is partitioned into k (k ?@ 3) sub
networks where nodes in different sub networks cannot communicate even though a
route between them actually does exist.
&elfis"ness+ ! node is not serving as a relay to other nodes.
&lee(De(ri2ation+ ! node is forced to exhaust its battery power.
Denial-of-&er2i$e:! node is prevented from receiving and sending data
packets to its destinations
#ome of the common attacking techni$ues are+
Ca$"ePoisonin5+ nformation stored in routing tables is either modified, deleted or
in%ected with false information.
'abri$ate# Route Messa5es+ 0oute messages (route re$uests, route replies,
route errors, etc.) with malicious contents are in%ected into the network.
#pecific methods include+
a) False #ource 0oute+ !n incorrect route is advertised into the network, e.g.,
setting the route length to be 2 regardless where the destination is.
b) 1aximum #e$uence+ 1odify the se$uence held in control messages to the
maximal allowed value. ue to some implementation issues, a few protocol
implementations cannot effectively detect and purge these ApollutedB messages
timely so that they can invalidate all legitimate messages with a se$uence number
falling into normal ranges for a fairly long time
7
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
8/47
Rus"in5: This can be used to improve Fabricated 0oute 1essages. n several
routing protocols, some route message types have the property that only the
message that arrives first is accepted by a recipient. The attacker simply
disseminates a malicious control message $uickly to block legitimate messages that
arrive later.
Wor,"ole:! tunnel is created between two nodes that can be utili&ed to secretly
transmit packets.
Pa$et#ro((in56! node drops data packets (conditionally or randomly) that it is
supposed to forward.
&(oofin5+ n%ect data or control packets with modified source addresses.
Mali$ious'loo#in5+ eliver unusually large amount of data or control packets to
the whole network or some target nodes.
.!.1 IDENTI'0IN7 THE ATTAC3&
For each attack, we call the node that runs the corresponding detection rule
the AmonitoringB node, and the node whose behavior is being analy&ed (i.e., the
possible attacking or misbehaving node) the AmonitoredB node. For attacks related to
5acket ropping, the monitoring node is a 2"hop
:eighborhood of the AmonitoredB node. /oth the attack type and the attacker can be
identified because the monitoring node can overhear traffic within its 2"hop
neighborhood. For /lackhole attacks, the monitoring node is also the monitored node
because the detection rule relies on information that is available only on the node
(obviously, if an attacker has full control of the node, then the detection modules can
be disabled unless they run on some tamper"resistant device). For Flooding and
1aximum #e$uence attacks, only the attack type, but not the attacker, can be
identified by a monitoring node. We now describe some notations of statistics
(features) used in these rules. We use 1 to represent the monitoring node and m the
monitored node.
C(DEm)+ the number of incoming packets on the monitored
node m.
C(mED)+ the number of outgoing packets from the monitored
node m.
8
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
9/47
C(mGED)+ the number of outgoing packets of which the
monitored node m is the source.
C(DEmG)+ the number of incoming packets of which the
monitored node m is the destination.
C(sGEm)+ the number of incoming packets on m of
which node s is the source.
C(mEdG)+ the number of outgoing packets from m of
which node d is the destination.
C(mEn)+ the number of outgoing packets from m of
which n is the next hop.
C(sGE1Em), the number of packets that are originated
from s and transmitted from 1 to m.
C(sGE1EmG), the number of packets that are originated
from s and transmitted from 1 to m, of which m is
the final destination.
C(sGEdG), the number of packets received on the monitored
node (m) which is originated from s and destined
to d.
These statistics are computed over a feature sampling interval, denoted as =s. n
addition, we often need the same set of statistics that are computed over a longer
period. These longer"term statistics can be computed directly from basic features by
aggregating them in multiple feature sampling intervals. We use F9!TU09= to denotethe aggregated F9!TU09 over a long period =. We always assume that time interval
= is multiples of =s, for simplicity. For example, the notion,
C=(DEm) are computed by summing up all C(DEm) in =@=s rounds of feature
sampling intervals.
9
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
10/47
We also need finer"grained statistics on specific types of packets, e.g., the
number of certain route control messages. These specific statistics are denoted by
appending a predicate to the corresponding feature. For instance, C(DEm)
(TH59@009I) represents the number of incoming 009I (route re$uest) packets on
the monitored node m.
The other common problem with this systemis one where the operator or the users
start cheating. n either way, the misuse of the system cannot be detected by the
system proposed so far. The system misuse problem is clearly discussed below.
.!.) &0&TEM MI&U&E
The system presented so far works as long as cheaters stay out of the game.
Why should a user cheatJ The main reason is to get an advantage over other users.!s stated in before, nodes can alter their network card random back off times and
get an advantage over unmodified ones. n detail, a modified node will win the
contention for the channel more often, getting a higher bandwidth share. 7ther
techni$ues to do so are to launch o# attacks against other nodes, like %amming or
eauthentication. !nother possible reason would be to get the fee from the operator
when the Io# is good in the commercial scenario we outlined above. For the
following, we>ll consider this later case. ;heaters modify their lists of events to
pretend to have bad Io# while it is good to get the fee from the operator. We>ll
explain how to treat the other case later on .;heaters will make the matching of the
event list fail. n fact, a cheater will provide a list which is (at least in part)
incompatible with the correct ones provided by the other honest nodes.
For example, let>s imagine that a node receives a packet K and claims not to
have received it. The sender will of course report that it sent the packet. The receiver
will alter his event list by marking packet KL2 from the sender as K, packet KL3 as
KL2 and so on. When the matching will take place, it will show this difference. We
modify then our algorithm, and for every event we keep track of which nodereported it and of clashing and incompatible events. n the example above, assuming
! as the sender and / as the receiver, the list will report Achannel free (reported by
node /) !: packet K from ! to / (reported by node !)M Mpacket K from ! to / (/)
!: packet KL2 from ! to / (!)M,Mpacket KL2 from ! to / (/) !: packet KL3 from
! to / (!)M. Under the hypotheses that all nodes are in range of each other, and that
10
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
11/47
each node is either honest or cheater, when we try to build an aggregated list of
events we>ll end up with all honest users agreeing on a list, and cheaters disagreeing
from it (eventually agreeing among themselves). What we are doing is building
clusters from the different lists of events. Under an optimistic assumption that most
nodes are honest we>ll end up with a big cluster of honest nodes and a small number
of outliers, representing the cheaters.
*owever, if we don>t assume the general goodwill of the users, cheaters can
coordinate their attack and become the bigger cluster. n this case, since there are
no trust mechanisms we cannot decide which cluster represents the honest users
and which one the cheaters. !s we note that each node can trust only itself, we
modify the matching algorithm+ each node runs the basic 3"list matching algorithm
between its own event list and each of the other nodes> lists. For each event, we
mark if it>s shared among the two nodes or not. !t the end, the number of matched
events will be a measure of similarity between the two lists. When all the matching
will be done, each node will know how many other nodes share the same opinion as
itself and thus how many other nodes are honest users or cheaters. This system will
%ust tell how many nodes agree or disagree with a given node.
To make every node know the opinion of all the other nodes, each node
repeats the matching algorithm using the list of events of another node (instead of
its own) as starting point, and iterates on all nodes. This modified algorithm will
re$uire n 2 iterations to match a list of events with all the other ones. To match
every list with all the other ones, if we do not repeat the already made matching (for
example, when matching node C2 with every other one we match C2 with C3, CN
etc.
.) E8I&TIN7 &0&TEM
Traditional systems in place for intrusion detection primarily use a method
known as AFinger 5rintingM to identify malicious users. They are complex.
They are rule dependent. The behavior of packets flowing in the network is
new, then the system cannot take any decision. #o they purely work in the
basis of initial rules provided.
11
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
12/47
The rules in the database are static unless the network administrator
manually enters the rules. t does not provide any option for generating
dynamic rule set.
t cannot create its own rule depending on the current situation.
t re$uires manual energy to monitor the inflowing packets and analy&e their
behavior.
t cannot take decision in runtime.
f the pattern of the packet is new and not present in the records, then it
allows the packets to flow without analy&ing whether it is an intruder or not.
The packet with a new behavior can easily pass without being filtered.
. PROPO&ED &0&TEM
t uses matching algorithm, which is an artificial intelligence problem"solving
model.
# compare learned user characteristics from an empirical to all users of a
system.
t includes temporal and spatial information of the network traffic.
t is both network based and host based system.
t can take decision in runtime.
.9 ADVANTA7E&
t eliminates the need for an attack to be previously known to be detected
because malicious behavior is different from normal behavior by nature.
12
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
13/47
Using a generali&ed behavioral model is theoretically more accurate, efficient
and easier to maintain than a finger printing system.
t uses constant amount of computer resources per user, drastically reducing
the possibility of depleting available resources.
7nce installed, there is no need for any manual energy to monitor the
system.
t promotes high detection rate of malicious behavior and a low false positive
rate of normal behavior classified as malicious.
13
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
14/47
CHAPTER 9
&0&TEM DE&I7N
9.1 NETWOR3 MODE/
The rapid growth of WiFi networks over the past years is due primarily to the fact
that they solve several of the intrinsic drawbacks of cellular data services such as
#1
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
15/47
ndeed, without an appropriate scheme, only large stakeholders would be
able to operate their network in a profitable way, and would impose a market
organi&ation very similar to the one observed today for cellular networksE one of the
greatest opportunities to fuel innovation in wireless communications would bemissed. The second problem is the lack of a good $uality of service guarantee for the
users.
9.1.1 A##in5 a new no#e to t"e networ
:ode addition to the network can best be explained by use of an example.
;onsider a building with an existing wireless network maintained by an already
present maintenance team. uring an intervention, a rescue team enters a building,
and, to maintain connectivity, regularly deploys new nodes. /ecause of the nature of
this procedure, the network will have a relaying character. We assume that each
node has a maximum of two wireless interfaces. /ased on this scenario, the dynamic
channel selection algorithm, assigns channels to each link, in such way that, for each
node the uplink and downlink connections are configured at different channels.
15
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
16/47
Fig.O.3. !dding a node to the network
To reduce interference between non"ad%acent links, each newly deployed
node will scan the environment and will assign a channel that is not yet in use, to
one of its interfaces. The other interface is set to the default channel, as seen in
Figure 2. While the underlying character of the network is a mesh topology, due to
channel assignment, a relaying network is created. To dynamically assign the
channels when a new node is deployed, several messages are exchanged
16
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
17/47
'i59.) Pa$et 'low
9.! MODU/E DE&CRIPTION
The modules contained in this pro%ect are as follows+
istributed detection.
a) 1ulticast the packet to detect the intruder.
1atching the =ist of events.
17
PREVIOUS NEW LAST
New Node New Node
ACK ACK
SWITCH TO CHANNEL X
Channel SwitchChannel Switch
ACK
Resue OLSR Resue OLSR
ACKACK
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
18/47
1ulticast the intruder to the neighboring nodes.
#ending data to destination.
9.!.1 DI&TRI4UTED DETECTION
The basic idea is to set up a monitor at each node in the network to produce
e2i#en$esand to share them among all the nodes .!n evidence is a set of relevant
information about the network state
! monitor can be thought of as an instance of the ethereal network packet
sniffer+ t captures the traffic and displays the detailed information on it.For each
captured packet 9thereal displays a complete view of packet headers (i.e. from
9thernet to the application level) and payload and add some general statistics as the
timestamp, frame number and length in bytes. For our purposes we>ll look at the
9thernet level header, and as we>re focusing on 4-3.22 frames we>ll consider source,
destination and /##d addresses, se$uence number, frame type and subtype and the
0etry flag. Together with the captured packets, we add relevant statistics collected
by the device driver, like counters for transmission retries and for frames received
with wrong F;# (other papersPG use different statistics as signal strength and
carrier sensing time), and packet transmission time. We built in this way a list of
eventsat each node. 9ventsare the single transmitted packet or the times in which
the channel is idle, which can be inferred from the timestamp of the packets and the
packet transmission times.
The combination of different list of events leads to the better understanding of
what happened in the network, in particular in distinguishing the %amming attacks
and channel failures, where packets are sent by one peer and never received by
other peer. /oth the channel failure and a %amming attack make the F;# check of
the packet fail, thus the packet in transit will be incorrectly received and dropped,
incrementing the AdroppedframesM counter in the device driver at the receiver.
The difference between the 3 cases is the amount of incorrectly received
frames at the receiver. #uppose if the receiving station is under %amming network,
where the packets which pass through the %amming area get scrambled. The monitor
placed at the sender>s side will see the number of frames sent on the channel and
the monitor at the receiver end won>t see anything received correctly, and will keep
on increasing the incorrectly received frames counter. The sender will retry the
18
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
19/47
transmission a number of times and all these retransmissions will be dropped as
well, incrementing the counter.
We are able to detect the attack by combining what both monitors saw, as a
single one is not able to do the same+ the receiver>s evidences (no packets received
and counter updated) are in fact not enough to distinguish the attack. For the
receiver, receiving incorrect frames can happen for various reasons+ frames from
stations at the limit of the radio range, frames from neighbor networks or noisy
channel are all examples of this. f the counter is not updated, then staying idle
without having transmissions aimed at it or experiencing a device failure is
undistinguished from being under attack. 7n the other side, the transmitter cannot
tell if the other peer is out of range given the retransmissions only.
9.!.! DETECT THE INTRUDER
The initial process is the training process where the source sends the packet
with events to all the nodes in the network to detect the intruder. This process is
known as multicasting. /efore sending the packets to all nodes, the source node
initiates the timestamp for the packets. This training process is stored as an initial
event list C2 in the source node. 0eceivers receive the packets which contain the
timestamp and send appropriate !;Q replies. 0eceivers store the received packets in
their event list. !fter receiving all the packets from source
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
20/47
first node was %ammed), so we swap the 3 lists and run the matching algorithm
again.
The final output is a single list of events which combines the two. 8amming
and channel failure have the same basic signature (which is packets transmitted and
never received), but differentiate on their position in the event list. ! few packets
disappearing here and there are index of channel failures, while a se$uence of
disappearing packets is considered as %amming. ! large number of non"consecutive
channel failures are index of bad Io#.
#ince all nodes participate in the detection process, we extend it in order to
match multiple lists. The idea is to merge one list at a time with the result of the
previous merge. n other words, we merge lists C2 and C3, and then we match the
result with list CN, until we processed every list. We obtain in this way an
aggregated list of all events which happened in the network in a given time frame.
We have to notice here that a node might not overhear the traffic of every other
node because of range. We supposed that each node has relevant information to
offer, but this is not always true.
The key feature here is that the monitoring system is distributed. ! single
station alone cannot tell if it is experiencing an attack or %ust a temporary network
failure, and cooperation among all nodes is re$uired for the nodes to understand
what is going on. The event lists are shared among all nodes in the network.
!ll nodes send their evidences to every other node in the network. 5art in the
protocol. 9very node executes the matching algorithm to generate the aggregated
event list to have a clear view of what happened in the network in the given time
frame.
9.!. MU/TICA&T THE INTRUDER TO THE NEI7H4OURIN7 NODE&
The matching algorithm will invoke after receiving reply events from the
network. t compares events from the other nodes with that of the initiator. f
anyone from the received !;Q packets is not matched, then that particular node is
the intruder to be found. :ow that the intruder is detected the address of theintruder is sent to the entire network by multicasting. :eighbor nodes receive the 5
address of the intruder and store it in the event lists to prevent future attacks from
that node in the network. The multicasting of the intruder address is done source.
20
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
21/47
9.!.9 &ENDIN7 DATA TO THE DE&TINATION
The data send process is done by splitting the chosen text file into packets for
transmission. The data send process is invoked after the source finds out an intruder
free path. n the case of %amming path. estination receives the data in the form of
packets and checks for anomalies to detect any loss of data in the data due to
intrusion.
The control flow and se$uence of events of the pro%ect is described in the
diagram below.
'i59.Intrusion Detection System flow chart
21
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
22/47
9.) PROTOCO/& U&ED
9.).1 D0NAMIC &OURCE ROUTIN7 :D&R; PROTOCO/
ynamic #ource 0outing 5rotocol is a simple and efficient, reactive
7n"demand routing protocol used in multihop wireless adhoc network. #0 makes
the network self"organi&ing and self configuring. Two important mechanisms in #0
are 0oute discovery and 0oute maintenance. :odes discover and maintain routes
through the net work using these mechanisms. #0 uses source routing, which
allows routing of packets to be loop free and allows caching of routes in nodes for
future use.
0oute discovery is the mechanism by which a node # wishing to send a
packet to destination node obtains a source route to . 0oute discovery is used
only when # attempts to send a packet to and does not already know a route to .
0oute maintenance is the mechanism by which node # is able to detect, while
using a source route to , if the network topology has changed such that it can no
longer use its route to because a link along the route no longer works. When route
maintenance indicates a source route is broken # can attempt to use any other route
it happens to know to , or can invoke route discovery again to find a new route.
0oute maintenance is used only when # is actually sending packets to .
22
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
23/47
CHAPTER 'ail $riteria The buttons should navigate to the correct pages and should
produce the correct results.
In#i2i#ual test
$ases
Test $ase 16
Test $ase i#entifier+ 0esort /utton
In(ut ?16 User enters a valid *ost :ame and clicks
resort to start the training packet process.
E*(e$te# out(ut1+ 0outing table initiali&ation with
display of role played by coherent nodes in network.
29
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
30/47
E*(e$te# out(ut"!E 0esort button ;hanges to #end
/utton
In(ut!+ User enters an invalid *ost name or leaves
the *ost name field blank.
E*(e$te# out(ut!6 isplay an error message and ask
for reentry.
En2iron,ent6 8ava, Windows 5latform.
Pre$e#en$e an# #e(en#en$ies6 This test case has to
perform at first itself. This test case has no
dependencies.
Test $ase !6
Test Case I#entifier+ /rowse /utton
In(ut ?16 User enters valid *ost name of node in
network.
E*(e$te# out(ut16 ;licking on /rowse button, opens
a file selection dialog box.
E*(e$te# out(ut1.16 #elected file is of text type and
is displayed in #endata field before sending it.
In(ut?!6 User enters the invalid *ost name and selects
invalid file.
E*(e$te# out(ut!6isplay an error message and ask
for reentry.
En2iron,ent
o 8ava, Windows 5latform.
Pre$e#en$e an# #e(en#en$ies
o This test case has to perform at first itself. This
test case has no dependencies.
Test $ase )6
Test Case I#entifier+ #end /utton
In(ut6 User selects the specified button.
30
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
31/47
E*(e$te# out(ut
o The data is split as packets and sent to the
destination node. :o. of 5ackets and destination
node>s receipt of those packets is shown in the
routing table.
En2iron,ent
o 8ava, Windows 5latform
Pre$e#en$e an# #e(en#en$ies
o This test case has to perform at first itself. This
test case has no dependencies.
Test $ase )6
Test Case I#entifier+ ;lear /utton
In(ut6 User selects the specified button.
E*(e$te# out(ut
o !ll data in the #endata and *ost name fields
are deleted and cleared.
En2iron,ent
o 8ava, Windows 5latform
Pre$e#en$e an# #e(en#en$ies
This test case has to perform at first itself. This test
case has no dependencies
Table =.1 User Interfa$e testin5
=.!.! Mo#ule Testin5
Test $ase 5rou(
i#entifi$ation1atching !lgorithm and 1ulticasting of ata packets.
'un$tions to beFunctions Tested nclude the main functions for
31
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
32/47
teste#o 1ulticast#ocket
o ;omparator
Testin5
a((roa$"
Testing whether the packets are multicast to all the nodes.
;omparing and detection of packets received to find anomaly by use
of matching algorithm.
Pass>'ail
$riteria
The matching algorithm should detect anomaly in packets received.
!ll nodes should receive training packets and destination node
should receive re$uest packets from source in 0eceivedata text
box.
In#i2i#ual test
$ases
Test $ase i#entifier+ ;omparator
In(ut16 0eceive the packets and compare with initial event
list.
E*(e$te# out(ut 1
o The 5rogram should display coherent nodes and their
role as source or destination or intermediate in the
routing table.
In(ut!6 0eceive reduced packet number from unassigned
node.
E*(e$te# out(ut !6
o The 5rogram should display unassigned node as
intruder and show intruder free path in 5ath table.
En2iron,ent
o 8ava, Windows 5latform.
Pre$e#en$e an# #e(en#en$ies6 This test can be done
after the training process.
Table =.! Mo#ule testin5
32
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
33/47
CHAPTER @
CONC/U&ION AND 'UTURE WOR3
@.1 CONC/U&ION
The istributed ntrusion detection system proposed here detects intrusion by
distributed collection of relevant information from the nodes and is also capable of
detecting %amming attacks. We also suggested a commercial use of the system, in
order to provide a better service to customers+ however, this use allows cheaters to
come into play. !nyway, their impact is limited+ we showed that the operator cannot
lower the $uality of service under a certain threshold (as without such a system),
otherwise unhappy users will take over and get a pay back. We also showed that
cheating users cannot push too muchE otherwise the system will go towards the total
shutdown. We achieve two goals+ we detect more attacks and force the operator to
give a decent service. We allow cheaters to come into play, but their impact is self"
limiting as a working network is needed for them to play. 7ne interesting scenario to
analy&e would be with cheaters who don>t care about the service, thus don>t stop
cheating when Io# gets too low. This might be a sabotage attack from a rival
provider to get more market shares. t would also be interesting to add trust and
user reputation mechanisms to the system, to improve the matching algorithm
@.! 'UTURE WOR3
To,orrows ID&
ue to the inability of :# to see all the traffic on switched 9thernet, many
companies are now turning to *ost"based # (second generation). These products
can use far more efficient intrusion detection techni$ues such as heuristic rules and
analysis. epending on the sophistication of the sensor, it may also learn andestablish user profiles as part of its behavioral database. ;harting what is normal
behavior on the network would be accomplished over a period of time.
#trength
! strong # #ecurity 5olicy is the *9!0T of commercial #
5rovides worthwhile information about malicious network traffic
33
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
34/47
;an be programmed to minimi&e damage
! useful tool for ones :etwork #ecurity !rmory
*elp identify the source of the incoming probes or attacks
;an collect forensic evidence, which could be used to identify intruders
#imilar to a security BcameraB or a Bburglar alarmB
!lert security personnel that someone is picking the BlockB
!lerts security personnel that a :etwork nvasion maybe in progress
When well configured, provides a certain BpeaceB of mind
5art of a Total efense #trategy infrastructure
APPENDI8 1
&/E CODE
package com.gts.src.UE
import com.gts.src.=ogic.*ello0eceiverEimport com.gts.src.=ogic.1ulticstE
import com.gts.src.=ogic.7perationsEimport com.gts.src.=ogic.0eceiverE
import com.gts.src.=ogic.0e$uestEimport com.gts.src.=ogic.#enderE
import com.gts.src.=ogic.TimerEimport %ava.io.DE
import %ava.util.6ectorE
import %avax.swing.DEimport %avax.swing.table.!bstractTable1odelE
import %avax.swing.table.efaultTable1odelEimport %avax.swing.table.Table;olumnE
import %avax.swing.table.Table1odelEimport %ava.awt.DE
import %ava.awt.event.!ction9ventE
import %ava.awt.event.!ction=istenerE
public class esign extends 8Frame implements !ction=istener
0eceiver receiverE
Timer timerEpublic static 8TextField destinationE
public static Text!rea data,recievedata,msgEpublic static 8=abel
msgl,destinationVl,senddataVl,recievedataVl,intrudVl,pathVlEpublic static 8/utton send,browse,close,clears,cleardE
34
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
35/47
public static 8Table tableEpublic static efaultTable1odel data1odelE
public static #tring receivetext@BBE public static #tring se@B#endataB,re@B0eceivedataBE
8#croll5ane scrollpaneEpublic static =ist pathE
public static #tring destnode@BBE
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
36/47
senddataVl @ new 8=abel(BataB)E senddataVl.set/ounds(N-,X-,2--,2O)E
panel.add(senddataVl)E
data@ new Text!rea(O,N-)Edata.set/ounds(N-,23-,NN-,2P-)E
panel.add(data)E
recievedataVl @ new 8=abel(B;oherent :odesB)E
recievedataVl.set/ounds(N-,N2O,2S-,2O)E
panel.add(recievedataVl)E
recievedata@ new Text!rea(O,N-)E recievedata.set/ounds(N-,NNO,32-,2-)E
panel.add(recievedata)E
send@new 8/utton(B0esortB)E
send.set/ounds(2O,O--,4-,3P)E
panel.add(send)E send.add!ction=istener(this)E
browse@new 8/utton(B/rowseB)E browse.set/ounds(2-X,O--,4-,3P)E
panel.add(browse)E
browse.add!ction=istener(this)E
close@new 8/utton(B;loseB)E close.set/ounds(3-3,O--,4-,3P)E
panel.add(close)E
close.add!ction=istener(this)E
clears@new 8/utton(B;learB)E clears.set/ounds(3XP,O--,4-,3P)E
panel.add(clears)E clears.add!ction=istener(this)E
return panelE
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
37/47
table @ new 8Table(data1odel)E data1odel.add;olumn(B#ourceB)E
data1odel.add;olumn(BestinationB)E data1odel.add;olumn(B5B)E
data1odel.add;olumn(B75B)E data1odel.add;olumn(B0oleB)E
data1odel.set;olumn;ount(O)E
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
38/47
if(return6al @@ 8File;hooser.!550769V75T7:)
try
#tring op@BBE int d@-E
Filenput#tream cont@new Filenput#tream(newFile(chooser.get#electedFile().get!bsolute5ath()))E
while(([email protected]())Z@"2)
op@opL(char)dE
data.setText(data.getText()Lop)E cont.close()E
catch(9xception e2)
e2.print#tackTrace()E
data.set9ditable(false)E
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
39/47
msg.setText(msg.getText()LBYnBLmesg)E
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
40/47
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
41/47
new *ello0eceiver()Enew 1ulticst()E
41
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
42/47
APPENDI8 !
&CREEN &HOT&
T"e basi$ 7UI of ID&Monitor
42
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
43/47
Multi$astin5 to #ete$t intru#er
43
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
44/47
Intru#er #ete$te# b- t"e sen#er
44
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
45/47
Intru#er #ete$te# b- t"e re$ei2er
45
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
46/47
&en#in5 #ata to t"e #estination
46
-
8/13/2019 Wireless IDS & New Attack Model-Report (1)
47/47
RE'ERENCE&
2. !ime 1 and ;alandriello (3--O). Aistributed monitoring of WiFi ;hannelM.
3. /ellardo 8 and #avage # (3--N). A4-3.22 denial of service
attacks+real6ulnerabilities and practical solutionsM. n proceedings of the 22th
U#9:K security symposium, pages2O"24, Washington .;, U#!.
N. *erbert #childt A8ava 3 the ;omplete 0eferenceM.
. 0aya 1 and 8acobson 1 . A0eputation based WiFi deploymentM.
O. #17/=9 1ob.comput.commun.
S. #hannon ;.9. and W. Weaver A! system to etect greedy behavior
P. n 999 4-3.22M.
4. #teven *ol&ner AThe 8ava 3 /lack /ookM.
X. \hang H, =ee W and *uang H. Antrusion detection techni$ues for
2-.1obile wireless networksM.
Web resour$es6
www.ethereal.org