
A wireless Intrusion detection system and a new attack model

The rapid proliferation of wireless networks and mobile computing applications has changed the landscape of network security. Mobility creates new vulnerabilities that do not exist in a fixed wired network, and many of the proven security measures turn out to be ineffective against them. The traditional way of protecting networks with firewalls and encryption software is therefore no longer sufficient; new architectures and mechanisms are needed to protect wireless networks and mobile computing applications.

Vulnerabilities of Mobile Wireless Networks

The nature of the mobile computing environment makes it very vulnerable to an adversary's malicious attacks. First of all, the use of wireless links renders the network susceptible to attacks ranging from passive eavesdropping to active interfering. Unlike wired networks, where an adversary must gain physical access to the network wires or pass through several lines of defense at firewalls and gateways, attacks on a wireless network can come from all directions and target any node. Damages can include leaking secret information, message contamination, and node impersonation. All this means that a wireless ad-hoc network has no clear line of defense, and every node must be prepared to encounter an adversary directly or indirectly. Second, mobile nodes are autonomous units that are capable of roaming independently. Nodes with inadequate physical protection are therefore liable to be captured, compromised, and hijacked. Since tracking down a particular mobile node in a global-scale network cannot be done easily, attacks by a compromised node from within the network are far more damaging and much harder to detect. Mobile nodes and the infrastructure must therefore be prepared to operate in a mode that trusts no peer. Third, decision-making in a mobile computing environment is sometimes decentralized, and some wireless network algorithms rely on the cooperative participation of all nodes and the infrastructure. The lack of a centralized authority means that the

adversaries can exploit this vulnerability for new types of attacks designed to break the cooperative algorithms. To summarize, a mobile wireless network is vulnerable because of its open medium, dynamically changing network topology, cooperative algorithms, lack of a centralized monitoring and management point, and lack of a clear line of defense.

The Need for Intrusion Detection

Intrusion prevention measures, such as encryption and authentication, can be used in ad-hoc networks to reduce intrusions, but cannot eliminate them. For example, encryption and authentication cannot defend against compromised mobile nodes, which often carry the private keys. Integrity validation using redundant information (from different nodes), such as that used in secure routing, also relies on the trustworthiness of other nodes, which could likewise be a weak link for sophisticated attacks. To secure mobile computing applications, we need to deploy intrusion detection and response techniques, and further research is necessary to adapt these techniques from their original applications in fixed wired networks to the new environment. In this paper, we focus on a particular type of mobile computing environment called mobile ad-hoc networks and propose a new model for intrusion detection and response for this environment. We will first give a background on intrusion detection, and then present our new architecture.

REQUIREMENT SPECIFICATION

Hardware Specifications
Hard Disk : 40 GB and above
RAM : 128 MB and above
Processor : Pentium III and above

Software Specifications
Operating System : Windows 2000 and above
Programming Package used : Java 1.4 and above, Swing

MODULE DESCRIPTION

The modules contained in this project are as follows:
Distributed detection
a) Multicast the packet to detect the intruder.
b) Matching the list of events.
c) Multicast the intruder to the neighboring nodes.
d) Sending data to the destination.

DISTRIBUTED DETECTION

The basic idea is to set up a monitor at each node in the network to produce evidence and to share it among all the nodes. An evidence is a set of relevant information about the network state. A monitor can be thought of as an instance of the Ethereal network packet sniffer: it captures the traffic and displays detailed information about it. For each captured packet, Ethereal displays a complete view of the packet headers (i.e. from Ethernet up to the application level) and payload, and adds some general statistics such as the timestamp, frame number and length in bytes. For our purposes we look at the Ethernet-level header, and as we are focusing on 802.11 frames we consider the source, destination and BSSId addresses, the sequence number, the frame type and subtype and the Retry flag. Together with the captured packets, we add relevant statistics collected by the device driver, such as counters for transmission retries and for frames received with a wrong FCS (other papers use different statistics, such as signal strength and carrier sensing time), and the packet transmission time. In this way we build a list of events at each node. Events are either a single transmitted packet or the times in which the channel is idle, which can be inferred from the timestamps of the packets and the packet transmission times.

Combining the different lists of events leads to a better understanding of what happened in the network, in particular in distinguishing jamming attacks from channel failures, where packets are sent by one peer and never received by the other. Both a channel failure and a jamming attack make the FCS check of the packet fail, so the packet in transit is incorrectly received and dropped, incrementing the "dropped frames" counter in the device driver at the receiver. The difference between the 2 cases is the number of incorrectly received frames at the receiver. Suppose the receiving station is under jamming, so that the packets which pass through the jammed area get scrambled. The monitor placed at the sender's side will see the number of frames sent on the channel, while the monitor at the receiver's end won't see anything received correctly and will keep incrementing the incorrectly-received-frames counter. The sender will retry the transmission a number of times and all these retransmissions will be dropped as well, incrementing the counter further. We are able to detect the attack by combining what both monitors saw; a single monitor is not able to do so: the receiver's evidence (no packets received and counter updated) is in fact not enough to distinguish the attack. For the receiver, receiving incorrect frames can happen for various reasons: frames from stations at the limit of the radio range, frames from neighboring networks or a noisy channel are all examples. If the counter is not updated, then staying idle without any transmission aimed at it, or experiencing a device failure, is indistinguishable from being under attack. On the other side, the transmitter cannot tell from the retransmissions alone whether the other peer is simply out of range.

DETECT THE INTRUDER

The initial process is the training process, in which the source sends the packet with events to all the nodes in the network to detect the intruder. This process is known as multicasting. Before sending the packets to all nodes, the source node initiates the

timestamp for the packets. This training process is stored as an initial event list L1 in the source node. Receivers receive the packets, which contain the timestamp, and send appropriate ACK replies. Receivers store the received packets in their event list. After receiving all the packets from the source/initiator, each receiver sends the ACK reply using the multicast method. Intruder detection is done by checking the received ACK packets for anomalies. This is done by the matching algorithm.

MATCHING THE LIST OF EVENTS

The basic algorithm to match two lists of events is as follows: we start from the first list and for every event (packet or channel idle) we try to find a matching event on the second list; that is, given a packet we look for it on the second list. As we don't have cheaters in play for now, what we find is that every packet on the first list is found on the second one if the network worked fine, whereas we find a channel idle event if some problem (jamming or malfunctioning) happened. Continuing the example above, we would have transmitted packets on the first event list and channel idle (together with a high number of dropped packets) on the second one. We can find unmatched events on the second list at the end (for example if the first node was jammed), so we swap the 2 lists and run the matching algorithm again. The final output is a single list of events which combines the two. Jamming and channel failure have the same basic signature (packets transmitted and never received), but differ in their position in the event list. A few packets disappearing here and there indicate channel failures, while a sequence of disappearing packets is considered jamming. A large number of non-consecutive channel failures indicate bad QoS. Since all nodes participate in the detection process, we extend the algorithm to match multiple lists. The idea is to merge one list at a time with the result of the previous merge.
In other words, we merge lists L1 and L2, and then match the result with list L3, until every list has been processed. We obtain in this way an aggregated list of all events which happened in the network in a given time frame. We have to note here that a node might not overhear the traffic of every other node because of range. We assumed that each node has relevant information to offer, but this is not always true.
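The following Python is an added illustration of the matching described in the DISTRIBUTED DETECTION and MATCHING THE LIST OF EVENTS sections; it is not code from the paper or from its Java project. It models each monitor's event list (captured 802.11 frames and idle-channel intervals), matches two lists in both directions (the "swap and run again" step), folds further lists into the running merge, and then classifies lost packets per flow into jamming, channel failure or bad QoS by the position of the losses. The node names, timestamps, and the run-length thresholds (jam_run, qos_runs) are constructed assumptions; a verdict of "received" means that some other monitor captured the frame, exactly as in the matching above.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

PacketKey = Tuple[str, str, int]   # (source addr, destination addr, 802.11 sequence number)


@dataclass(frozen=True)
class Event:
    """One monitor event: a captured 802.11 frame or an interval of idle channel."""
    kind: str                 # "packet" or "idle"
    ts: float                 # capture time (packet) or interval start (idle), seconds
    src: str = ""             # source address, packets only
    dst: str = ""             # destination address, packets only
    seq: int = -1             # 802.11 sequence number, packets only
    duration: float = 0.0     # idle interval length, idle events only


def packet_key(e: Event) -> PacketKey:
    return (e.src, e.dst, e.seq)


def idle_covers(events: List[Event], ts: float) -> bool:
    """True if the list contains an idle-channel interval spanning timestamp ts."""
    return any(e.kind == "idle" and e.ts <= ts <= e.ts + e.duration for e in events)


def match_lists(first: List[Event], second: List[Event]) -> Dict[PacketKey, str]:
    """One pass of the matching: look up every packet of `first` in `second`.
    "received": `second` captured it; "lost": `second` only shows an idle channel
    at that time; "unknown": `second` has no information (e.g. out of range)."""
    captured = {packet_key(e) for e in second if e.kind == "packet"}
    status: Dict[PacketKey, str] = {}
    for e in first:
        if e.kind != "packet":
            continue
        key = packet_key(e)
        if key in captured:
            status[key] = "received"
        elif idle_covers(second, e.ts):
            status[key] = "lost"
        else:
            status[key] = "unknown"
    return status


RANK = {"unknown": 0, "lost": 1, "received": 2}   # more informative verdict wins


def combine_events(a: List[Event], b: List[Event]) -> List[Event]:
    """Single list from two: packets deduplicated by key, idle intervals all kept."""
    seen, merged = set(), []
    for e in a + b:
        if e.kind == "packet":
            if packet_key(e) in seen:
                continue
            seen.add(packet_key(e))
        merged.append(e)
    return merged


def aggregate(lists: List[List[Event]]) -> Dict[PacketKey, str]:
    """Merge one list at a time with the result of the previous merge, matching
    in both directions each time and keeping the best verdict per packet."""
    combined = list(lists[0])
    status: Dict[PacketKey, str] = {}
    for nxt in lists[1:]:
        for direction in (match_lists(combined, nxt), match_lists(nxt, combined)):
            for key, verdict in direction.items():
                status[key] = max(status.get(key, "unknown"), verdict, key=RANK.get)
        combined = combine_events(combined, nxt)
    return status


def classify(status: Dict[PacketKey, str], jam_run: int = 3, qos_runs: int = 3) -> Dict[Tuple[str, str], str]:
    """Per (src, dst) flow, walk packets in sequence order: a run of >= jam_run
    consecutive losses is jamming, >= qos_runs separate losses is bad QoS, fewer
    isolated losses are channel failure. Thresholds are constructed assumptions."""
    flows: Dict[Tuple[str, str], List[Tuple[int, str]]] = {}
    for (src, dst, seq), verdict in status.items():
        flows.setdefault((src, dst), []).append((seq, verdict))
    verdicts: Dict[Tuple[str, str], str] = {}
    for flow, items in flows.items():
        runs, run = [], 0
        for _, verdict in sorted(items):
            if verdict == "lost":
                run += 1
            elif run:
                runs.append(run)
                run = 0
        if run:
            runs.append(run)
        if any(r >= jam_run for r in runs):
            verdicts[flow] = "jamming"
        elif len(runs) >= qos_runs:
            verdicts[flow] = "bad QoS"
        else:
            verdicts[flow] = "channel failure" if runs else "ok"
    return verdicts


def demo() -> Tuple[Dict[PacketKey, str], Dict[Tuple[str, str], str]]:
    """Constructed sample: A sends seq 1-6 to B (B jammed from seq 3 on) and
    seq 7-10 to C (C misses only seq 9); B and C are out of each other's range."""
    def pkt(ts, src, dst, seq):
        return Event("packet", ts, src, dst, seq)
    list_a = [pkt(0.1 * i, "A", "B", i) for i in range(1, 7)] + \
             [pkt(1.0 + 0.1 * (i - 7), "A", "C", i) for i in range(7, 11)]
    list_b = [pkt(0.1, "A", "B", 1), pkt(0.2, "A", "B", 2), Event("idle", 0.25, duration=0.5)]
    list_c = [pkt(1.0, "A", "C", 7), pkt(1.1, "A", "C", 8), Event("idle", 1.15, duration=0.1),
              pkt(1.3, "A", "C", 10)]
    status = aggregate([list_a, list_b, list_c])
    return status, classify(status)


if __name__ == "__main__":
    print(demo()[1])
```

Note that the sender's list alone marks nothing as lost and the receiver's list alone shows only an idle channel; the verdicts appear only once the two are matched, which is the point made in the text about a single monitor being unable to tell jamming from silence.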

The key feature here is that the monitoring system is distributed. A single station alone cannot tell whether it is experiencing an attack or just a temporary network failure, and cooperation among all nodes is required for the nodes to understand what is going on. The event lists are shared among all nodes in the network: all nodes send their evidence to every other node in the network as part of the protocol. Every node executes the matching algorithm to generate the aggregated event list and so obtain a clear view of what happened in the network in the given time frame.

MULTICAST THE INTRUDER TO THE NEIGHBOURING NODES

The matching algorithm is invoked after receiving reply events from the network. It compares the events from the other nodes with those of the initiator. If any of the received ACK packets does not match, then that particular node is the intruder to be found. Now that the intruder is detected, the address of the intruder is sent to the entire network by multicasting. Neighbor nodes receive the IP address of the intruder and store it in their event lists to prevent future attacks from that node in the network. The multicasting of the intruder address is done by the source.

SENDING DATA TO THE DESTINATION

The data send process is done by splitting the chosen text file into packets for transmission. The data send process is invoked after the source finds an intruder-free path. In the case of jamming/network malfunction, the source waits until the network is restored, starts the training process to find the intruders and, if any are detected, selects a path free from intrusion. The path selection is done by the Dynamic Source Routing Protocol (DSR). The source sends the data directly to the destination through the 'safe' path. The destination receives the data in the form of packets and checks for anomalies to detect any loss of data due to intrusion.
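As an added example covering the DETECT THE INTRUDER, MULTICAST THE INTRUDER and SENDING DATA steps together (illustrative Python, not the project's Java code), the block below simulates the training multicast with a timestamped event list, the ACK comparison that flags a node whose reply does not match the initiator's list, the multicast of that address to every node, route selection that avoids flagged nodes, and the destination-side check for lost or altered packets. The node addresses, the adjacency, the misbehaving node and the per-packet SHA-256 digest are constructed assumptions; breadth-first search over the constructed adjacency stands in for DSR route discovery, which the project itself uses.

```python
import hashlib
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Node:
    addr: str                       # constructed address, e.g. "10.0.0.1"
    neighbors: Set[str]             # constructed radio adjacency
    honest: bool = True             # constructed flag: a dishonest node corrupts its ACK
    event_list: Dict[str, Tuple[float, List[int]]] = field(default_factory=dict)
    blacklist: Set[str] = field(default_factory=set)

    def on_training(self, initiator: str, ts: float, events: List[int]) -> dict:
        """Store the multicast training record and answer with an ACK echoing it."""
        self.event_list[initiator] = (ts, list(events))
        ack = {"from": self.addr, "ts": ts, "events": list(events)}
        if not self.honest:
            ack["events"] = ack["events"][:-1]    # constructed anomaly: one event dropped
        return ack

    def on_intruder_notice(self, intruder: str) -> None:
        self.blacklist.add(intruder)              # remembered for later path selection


class Network:
    def __init__(self, nodes: List[Node]) -> None:
        self.nodes = {n.addr: n for n in nodes}

    def training(self, src: str, ts: float, events: List[int]) -> List[str]:
        """Multicast the stamped event list L1, collect every ACK, flag the senders
        whose ACK does not match L1, then multicast the flagged addresses to all nodes."""
        self.nodes[src].event_list[src] = (ts, list(events))
        intruders: List[str] = []
        for addr, node in self.nodes.items():
            if addr == src:
                continue
            ack = node.on_training(src, ts, events)
            if ack != {"from": addr, "ts": ts, "events": events}:
                intruders.append(addr)
        for bad in intruders:
            for node in self.nodes.values():
                node.on_intruder_notice(bad)
        return intruders

    def safe_path(self, src: str, dst: str) -> Optional[List[str]]:
        """Shortest route that avoids blacklisted nodes (BFS as a stand-in for DSR)."""
        banned = self.nodes[src].blacklist
        queue, seen = deque([[src]]), {src}
        while queue:
            path = queue.popleft()
            if path[-1] == dst:
                return path
            for hop in sorted(self.nodes[path[-1]].neighbors):
                if hop not in seen and hop not in banned:
                    seen.add(hop)
                    queue.append(path + [hop])
        return None


def split_into_packets(data: bytes, size: int) -> List[dict]:
    """Source side: chunk the file, numbering each packet and digesting its payload."""
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    return [{"seq": i, "total": len(chunks), "payload": c,
             "digest": hashlib.sha256(c).hexdigest()} for i, c in enumerate(chunks)]


def receive(packets: List[dict]) -> Tuple[Optional[bytes], List[str]]:
    """Destination side: report missing or altered packets; reassemble only if clean."""
    if not packets:
        return None, ["no packets received"]
    total = packets[0]["total"]
    by_seq = {p["seq"]: p for p in packets}
    anomalies = [f"missing seq {i}" for i in range(total) if i not in by_seq]
    anomalies += [f"bad digest seq {s}" for s, p in by_seq.items()
                  if hashlib.sha256(p["payload"]).hexdigest() != p["digest"]]
    if anomalies:
        return None, anomalies
    return b"".join(by_seq[i]["payload"] for i in range(total)), []


def demo() -> dict:
    """Constructed 4-node network; node 10.0.0.2 misbehaves during training."""
    net = Network([
        Node("10.0.0.1", {"10.0.0.2", "10.0.0.3"}),
        Node("10.0.0.2", {"10.0.0.1", "10.0.0.4"}, honest=False),
        Node("10.0.0.3", {"10.0.0.1", "10.0.0.4"}),
        Node("10.0.0.4", {"10.0.0.2", "10.0.0.3"}),
    ])
    intruders = net.training("10.0.0.1", ts=1.0, events=[101, 102, 103])
    path = net.safe_path("10.0.0.1", "10.0.0.4")
    packets = split_into_packets(b"text file contents to deliver", 8)
    clean, _ = receive(packets)
    _, anomalies = receive(packets[:1] + packets[2:])    # constructed loss of one packet
    return {"intruders": intruders, "path": path, "delivered": clean, "anomalies": anomalies}


if __name__ == "__main__":
    print(demo())
```

The flagged address is stored by every node, not only the source, so a later route discovery from any node skips it; the destination's check reports both a missing sequence number and a payload whose digest no longer matches.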

The control flow and sequence of events of the project are described in the diagram below.

Fig. Intrusion Detection System flow chart
