PPT FINAL


Page 1: PPT FINAL

A Wireless Intrusion Detection System and a new attack model

Project Guide: Mr. S.P. Vijayanand, M.E.

by,

R. Berlin Mano

M. Gokul Raj

Page 2: PPT FINAL

Abstract

Denial-of-Service attacks, and jamming in particular, are a threat to wireless networks because they are easy to mount and difficult to detect and stop.

We propose a distributed intrusion detection system in which each node monitors the traffic flow on the network and collects relevant statistics about it.

Page 3: PPT FINAL

By combining each node's view we are able to tell if an attack happened or if the channel is just saturated.

We propose here an attack detection mechanism based on shared monitoring of the network by all nodes.

Page 4: PPT FINAL

SYSTEM ANALYSIS:

Existing System:

Traditional systems in place for intrusion detection primarily use a method known as "Finger Printing" to identify malicious users. They are complex.

They are rule dependent. If the behavior of the packets flowing in the network is new, the system cannot take any decision, so they work purely on the basis of the initial rules provided.

They cannot create their own rules depending on the current situation.

They require manual effort to monitor the incoming packets and analyze their behavior.

Page 5: PPT FINAL

They cannot take decisions at runtime.

If the pattern of a packet is new and not present in the records, the system allows the packet to flow without analyzing whether it comes from an intruder or not.

A packet with new behavior can easily pass without being filtered.

Page 6: PPT FINAL

PROPOSED SYSTEM:

It uses a matching algorithm, which is an artificial-intelligence problem-solving model.

The IDS compares user characteristics learned empirically against all users of the system.

It includes temporal and spatial information about the network traffic.

It is both a network-based and a host-based system.

It can take decisions at runtime.

Page 7: PPT FINAL

Advantages

It eliminates the need for an attack to be previously known in order to be detected, because malicious behavior is by nature different from normal behavior.

Using a generalized behavioral model is theoretically more accurate, more efficient and easier to maintain than a finger-printing system.

It uses a constant amount of computer resources per user, drastically reducing the possibility of depleting the available resources.

Page 8: PPT FINAL

System Specification

Software Requirements:

Operating System : Windows 2000 and above.

Programming Package used : Java 1.4 and above, Swing.

Page 9: PPT FINAL

Hardware Specification:

Hard Disk : 40GB and above.

RAM : 128MB and above.

Processor : Pentium III and above.

Page 10: PPT FINAL

System Description

The modules in this system are:

1. Multicasting the Packets to Detect the Intruder

2. Matching the List of Events

3. Multicasting the Intruder to the Neighboring Nodes

4. Sending Data to the Destination

Page 11: PPT FINAL
Page 12: PPT FINAL

Module Description

Multicasting the packet to Detect the Intruder:

The basic idea is to set up a monitor at each node in the network to produce evidence and to share it among all the nodes.

An evidence is a set of relevant information about the network state.

The initial process is the training process, where the source sends the packet with events to all the nodes in the network to detect the intruder.

Page 13: PPT FINAL

This process is known as multicasting. Before sending the packets to all nodes, the source node initiates the timestamp for the packets.

This training process is stored as an initial event list (#1) in the source node.

Receivers receive the packets, which contain the timestamp, and send appropriate ACK replies. Receivers store the received packets in their event list.

Page 14: PPT FINAL
Page 15: PPT FINAL
Page 16: PPT FINAL

Matching the List of Events:

The basic algorithm to match two lists of events is as follows:

The matching algorithm is invoked after receiving the reply events from the network.

First we start from the first list and for every event we try to find a matching event on the second list; that is, given a packet, we look for it on the second list.

We do this process of matching for the events on the sending and receiving lists.

If we find unmatched events on the second list at the end, it means that the sending and receiving events are not the same and the particular node is an intruder.
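The list-matching step described above, written out as an added example (this is not the project's own code; the Event fields, the node addresses and the "every node disagrees" heuristic are constructed assumptions). The source's event list is compared against the event list each node echoed back in its ACKs; a node whose list has unmatched entries, in either direction, is reported together with the entries that did not match.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

// One entry of an event list: a packet the source multicast, identified by the
// sequence number, the timestamp the source stamped on it and its payload.
// (Assumed structure; the deck does not specify the event fields.)
final class Event {
    final int seq;
    final long timestamp;
    final String payload;

    Event(int seq, long timestamp, String payload) {
        this.seq = seq;
        this.timestamp = timestamp;
        this.payload = payload;
    }

    @Override public boolean equals(Object o) {
        if (!(o instanceof Event)) return false;
        Event e = (Event) o;
        return seq == e.seq && timestamp == e.timestamp && payload.equals(e.payload);
    }

    @Override public int hashCode() { return Objects.hash(seq, timestamp, payload); }

    @Override public String toString() { return "Event(" + seq + "," + timestamp + "," + payload + ")"; }
}

public class EventListMatcher {

    // Walk the sending list (first list) and, for every event, look for an identical
    // event in the receiving list (second list). Returns everything that never matched:
    // sent events with no counterpart, plus received events no sent event claimed.
    static List<Event> unmatched(List<Event> sending, List<Event> receiving) {
        List<Event> remaining = new ArrayList<>(receiving);
        List<Event> result = new ArrayList<>();
        for (Event sent : sending) {
            // remove(Object) drops the first equal element, so duplicated ACKs are consumed one at a time
            if (!remaining.remove(sent)) {
                result.add(sent);
            }
        }
        result.addAll(remaining);
        return result;
    }

    // Run the matching against every node's reply list. Nodes whose ACKed list
    // differs from the source's list are returned with the entries that differed.
    static Map<String, List<Event>> suspects(List<Event> sourceList, Map<String, List<Event>> repliesByNode) {
        Map<String, List<Event>> verdict = new HashMap<>();
        for (Map.Entry<String, List<Event>> e : repliesByNode.entrySet()) {
            List<Event> diff = unmatched(sourceList, e.getValue());
            if (!diff.isEmpty()) verdict.put(e.getKey(), diff);
        }
        return verdict;
    }

    // Assumed heuristic, not the deck's criterion: when every node fails to match,
    // the disagreement is with the channel itself (jamming or saturation), not one node.
    static boolean channelWideProblem(Map<String, List<Event>> flagged, int nodeCount) {
        return nodeCount > 0 && flagged.size() == nodeCount;
    }

    public static void main(String[] args) {
        // Constructed sample data: three events multicast by the source.
        List<Event> sourceList = Arrays.asList(
            new Event(1, 1000L, "Hello"),
            new Event(2, 1001L, "Hello"),
            new Event(3, 1002L, "Data"));

        Map<String, List<Event>> replies = new HashMap<>();
        // node A echoes everything it received unchanged
        replies.put("192.0.2.10", new ArrayList<>(sourceList));
        // node B's ACK for event 3 carries a different payload than the source sent
        replies.put("192.0.2.11", Arrays.asList(
            new Event(1, 1000L, "Hello"),
            new Event(2, 1001L, "Hello"),
            new Event(3, 1002L, "Dat@")));
        // node C never acknowledged event 2 (dropped, or lost to jamming)
        replies.put("192.0.2.12", Arrays.asList(
            new Event(1, 1000L, "Hello"),
            new Event(3, 1002L, "Data")));

        Map<String, List<Event>> flagged = suspects(sourceList, replies);
        flagged.forEach((node, diff) -> System.out.println("unmatched at " + node + ": " + diff));
        System.out.println("channel-wide problem: " + channelWideProblem(flagged, replies.size()));
    }
}
```

Matching is done on the full (seq, timestamp, payload) tuple, so a reply that arrives with the right sequence number but an altered payload is reported as two unmatched entries (the sent one and the received one), which is the "not the same" case the slide describes; a missing ACK shows up as a single unmatched sent entry.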

Page 17: PPT FINAL

Multicasting the Intruder to the neighboring nodes:

If any of the received ACK packets is not matched, then that particular node is the intruder to be found.

Now that the intruder is detected, the address of the intruder is sent to the entire network by multicasting.

Neighbor nodes receive the IP address of the intruder and store it in their event lists to prevent future attacks from that node in the network.

The multicasting of the intruder address is done by the source.

Page 18: PPT FINAL

Sending the data to the destination:

The data send process is done by splitting the chosen text file into packets for transmission.

The data send process is invoked after the source finds an intruder-free path.

In the case of jamming or network malfunction, the source waits till the network is restored, starts the training process to find the intruders and, if any are detected, selects a path free from intrusion.

The source sends the data directly to the destination through the 'safe' path. The destination receives the data in the form of packets and checks for anomalies to detect any loss of data due to intrusion.

Page 19: PPT FINAL
Page 20: PPT FINAL

Coding: (Multicast)

    try
    {
        s1 = "Hello";
        // local hostname plus the configured distance, read from settings.txt
        s2 = InetAddress.getLocalHost().getHostName() + "=" + Operations.getPropInt("settings.txt", "distance");
        j = "Hello Protocol";
        // hello message layout: "Hello:<host>=<distance>:Hello Protocol"
        s = s1 + ":" + s2 + ":" + j;
        b = s.getBytes();
        t.start();  // t: the sending thread, defined elsewhere in the project
    }
    catch (Exception e)  // getLocalHost() can throw UnknownHostException
    {
        e.printStackTrace();
    }

Page 21: PPT FINAL

Coding: (Hello Receiver)

    ia = InetAddress.getByName(Operations.getProperty("settings.txt", "addres"));
    port = Integer.parseInt(Operations.getProperty("settings.txt", "port"));
    ms = new MulticastSocket(port);
    ms.joinGroup(ia);
    b = new byte[byt];
    dp = new DatagramPacket(b, b.length);
    ms.receive(dp);
    ms.close();
    // decode only the bytes actually received, not the whole buffer
    s = new String(dp.getData(), 0, dp.getLength());
    StringTokenizer st = new StringTokenizer(s.trim(), ":");
    String s1 = st.nextToken(":");
    String s2 = st.nextToken(":");
    String s3 = st.nextToken(":");
    if (s3.equals("Hello Protocol"))
    {
        neighbornode.add(s2);  // remember "<host>=<distance>" as a neighbor
    }
    }  // closes a block begun before this fragment
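An added example, not the project's code, that puts both sides of the hello exchange from the two coding slides in one place: the sender's encoding of "Hello:<host>=<distance>:Hello Protocol" and a receiver-side decoder that accepts only well-formed datagrams. The class name, the 256-byte size bound, the hostname pattern and the sample values are assumptions. The decoder reads only the dp.getLength() bytes of the receive buffer and returns empty instead of throwing when a datagram has too few tokens or a non-numeric distance, the two inputs on which the slide's three nextToken() calls would fail.

```java
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import java.util.StringTokenizer;

// The hello message exchanged during the training/multicast phase.
public class HelloMessage {
    static final String TAG = "Hello";
    static final String PROTOCOL = "Hello Protocol";
    static final int MAX_LEN = 256;  // assumed upper bound for a hello datagram

    final String host;
    final int distance;

    HelloMessage(String host, int distance) {
        this.host = host;
        this.distance = distance;
    }

    // Sender side: same layout as the slide's s = s1 + ":" + s2 + ":" + j.
    byte[] encode() {
        String s = TAG + ":" + host + "=" + distance + ":" + PROTOCOL;
        return s.getBytes(StandardCharsets.UTF_8);
    }

    // Receiver side: decode exactly the bytes the datagram carried, data[0..length),
    // and reject anything that is not a well-formed hello.
    static Optional<HelloMessage> decode(byte[] data, int length) {
        if (data == null || length <= 0 || length > Math.min(MAX_LEN, data.length)) {
            return Optional.empty();
        }
        String s = new String(data, 0, length, StandardCharsets.UTF_8).trim();
        StringTokenizer st = new StringTokenizer(s, ":");
        // StringTokenizer skips empty tokens, so "Hello::Hello Protocol" counts 2 and is rejected
        if (st.countTokens() != 3) return Optional.empty();
        String tag = st.nextToken();
        String hostAndDistance = st.nextToken();
        String protocol = st.nextToken();
        if (!TAG.equals(tag) || !PROTOCOL.equals(protocol)) return Optional.empty();

        int eq = hostAndDistance.indexOf('=');
        if (eq <= 0 || eq == hostAndDistance.length() - 1) return Optional.empty();
        String host = hostAndDistance.substring(0, eq);
        int distance;
        try {
            distance = Integer.parseInt(hostAndDistance.substring(eq + 1));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        // assumed constraints: non-negative distance, hostname-like characters only
        if (distance < 0 || !host.matches("[A-Za-z0-9.-]{1,253}")) return Optional.empty();
        return Optional.of(new HelloMessage(host, distance));
    }

    public static void main(String[] args) {
        // Constructed sample: what the sender puts on the wire for host "node-7" at distance 3.
        byte[] wire = new HelloMessage("node-7", 3).encode();

        // Simulate the receiver's fixed-size buffer: the datagram fills only the first wire.length bytes,
        // the rest stays zero, which is why decode() takes the received length separately.
        byte[] buf = new byte[1024];
        System.arraycopy(wire, 0, buf, 0, wire.length);
        Optional<HelloMessage> ok = decode(buf, wire.length);
        System.out.println(ok.map(m -> "neighbor " + m.host + " at distance " + m.distance).orElse("rejected"));

        // A constructed malformed datagram with a single token.
        byte[] bad = "Hello".getBytes(StandardCharsets.UTF_8);
        System.out.println(decode(bad, bad.length).isPresent() ? "accepted" : "rejected");
    }
}
```

A receiver built on this decoder would add the decoded host (or the original "<host>=<distance>" string, as the slide's neighbornode list does) only when decode() returns a value, so a stray or truncated datagram on the multicast group cannot stop the receiving thread.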

Page 22: PPT FINAL

Basic GUI of IDS-Monitor

Page 23: PPT FINAL
Page 24: PPT FINAL
Page 25: PPT FINAL

Conclusion

The distributed intrusion detection system proposed here detects intrusion by distributed collection of relevant information from the nodes and is also capable of detecting jamming attacks.

We achieve two goals: we detect more attacks and force the operator to give a decent service.

We allow cheaters to come into play, but their impact is self-limiting, as a working network is needed for them to play.

Page 26: PPT FINAL

Strengths of IDS:

Similar to a security "camera" or a "burglar alarm"

Alerts security personnel that someone is picking the "lock"

Alerts security personnel that a network invasion may be in progress

When well configured, provides a certain "peace" of mind

Part of a total defense strategy infrastructure

Page 27: PPT FINAL


Page 28: PPT FINAL

Thank you.