Forensics Application in Parallel Agent based Wireless IDS Architecture
Hafiz Gulfam Ahmad (1), Chuandong Li (2) and Zeeshan Ahmad (3)
(1) College of Computer Science, Chongqing University
(2) College of Computer and Information Science, Southwest University
(3) School of Communication Engineering, Chongqing University
Abstract
Wireless networking has escalated in popularity since its inauguration. Wireless network signals are normally omnidirectional and emanate beyond the projected coverage area. Such properties make WLAN security impractical. Many intrusion detection systems are used to monitor network and system activities for malicious behavior. These IDS systems detect the intrusion and generate log alerts, but there is no proper mechanism to know the behavior of the attack and to save the evidence of the attack. The main focus of our proposed architecture is to design a system that is capable of providing an adequate forensics solution for wireless network traffic. In addition, the collected evidence will provide details of what kind of attack was conducted, and digital evidence to aid in a digital forensic investigation. The proposed system architecture of our model consists of two components: an IDS system and a forensic server.
Keywords: Intrusion Detection System, Wireless Networks Forensics.
1. Introduction
This article consists of an overlap of three Information Technology (IT) areas: firstly intrusion detection, secondly wireless network technologies, and thirdly digital forensics. Network forensics is a branch of digital forensics that focuses on the monitoring and analysis of dynamic and volatile network traffic [1]. The ideas of intrusion detection and forensic analysis are often not considered together, because the intrusion detection system (IDS) is mostly deployed for gathering information useful in tracing and analyzing a network-based computer security incident [2]. An extension to forensic analysis is essential for events going outside the parameters of most intrusion detection systems [3]. Existing network forensics techniques emphasize network traffic capture and traffic replay, which mostly result in performance bottlenecks or forensic analysis difficulties [4].
Fig. 1: Real time detection and analyses
Fig. 1 describes how the IDS system detects and logs alerts and refers these alerts for forensic analysis. In our proposed architecture, we use a signature-based agent approach for information gathering, such as the log and audit system, including IP address and MAC address. These agents contain small databases that update automatically. The attacked traffic is identified and analyzed by the forensic server, which utilizes a sinkhole security tool; this can accelerate the investigation of the incident and improve the ability of quick response [5]. The goal of the framework is dumping the misbehaving packet traffic on the basis of an adaptive filter setting, analyzing the overall log data and traffic data to discover the potential misbehavior, and launching the investigation at the intrusion time. The working of a WLAN IDS is different compared to a traditional LAN IDS [6]. It monitors the radio spectrum to detect unauthorized access points and other wireless attacking tools, and the WIDS immediately generates alerts whenever unencrypted wireless data traffic has been detected. To date, miscellaneous soft computing and machine learning techniques in terms of computational intelligence have been utilized to create intrusion detection. Still, the literature does not report any state-of-the-art reviews investigating the performance and consequences of such techniques in solving wireless environment intrusion recognition issues [9]. The paper is organized as follows: in Section II, the concept of forensic WIDS and related work are discussed. This is followed by risks and vulnerabilities in wireless networks in Section III. Section IV describes the proposed framework. Finally, the conclusion and future work are presented in Section V.
2. Parallel agent base architecture WNIDS
With increasing threats of intrusion or vulnerabilities, networks require flexible and efficient security systems. An intrusion detection system (IDS) is the basic component of any network defense scheme. An IDS can be defined as "hardware or software systems that mechanize the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems". MCI techniques based on multi-agent systems enhance the performance of detection and response against any intrusion in a network system [8]. Different IDSs use several techniques for intrusion detection. Signature-based detection techniques are widely used in networks for fast response in detecting threats. Regarding the intrusion detection technique, one of the main challenges is to control the huge traffic volume, where each packet needs to be compared with the known signature database, and to reduce the signature comparison time. Fig. 2 describes the basic functionality of our proposed signature-based IDS system, which plays a fundamental role in forensic analysis.
Fig. 2: Agent base architecture
We analyzed different techniques and propose a new architecture that can handle attacks by using multiple agents with small databases at a high success rate, dynamically updating the signature database. The proposed method reduces the IDS processing time and improves its efficiency.
3. Proposed Architecture
The goals of the proposed wireless IDS forensic system are to discover the attacking behavior, to perform efficient forensic analysis, and to be able to respond swiftly to any wireless vulnerability. Fig. 3 shows our proposed system, where we use a wireless access point, a firewall and a WIDS based on the parallel agent architecture to generate the alerts. The forensic server has two databases and a traffic monitoring module. The log database holds the required information received from the traffic monitor and the WIDS. After analysis, it generates a statistical report about malicious activities on the basis of this data, and thereby our proposed goals are achieved.
Fig. 3: Proposed Architecture Diagram
4. Results and Discussions
The wireless intrusion detection and forensic system utilizes Ubuntu 10.10 Server and the wireless traffic capturing tool Kismet, which is a trace information tool. It collects information such as the MAC address, SSID and related clients of wireless networks in range, which may contain vital clues for future forensic investigations. In order to evaluate the proposed system design we use Aireplay-ng as the attacking tool against the existing WLAN to collect evidentiary trails and measure the ability of the WFM. The IDS system will also provide additional log evidence of the attacks conducted. Our parallel agent based IDS uses a signature-based database that is updated automatically. In order to analyze the packet capture log files, the Wireshark application is used. Specific wireless network traffic filters that are built into Wireshark are used to filter the entire packet capture log files and identify the wireless network traffic that has been generated using the various attacks. In a real WAN, the traffic size will be huge and it becomes difficult to capture and compare all data.

Table 1: WLAN packet analysis

| Run | Generated packets | Logged packets | Log % | Duration | Packets / second |
|---|---|---|---|---|---|
| 1 | 213000 | 212050 | 98.6150235 | 58.7614 | 3574.626 |
| 2 | 220000 | 199969 | 90.8950002 | 59.7513 | 3346.689 |
| 3 | 243000 | 230020 | 94.6584362 | 60.8659 | 3779.128 |
| 4 | 212000 | 211680 | 99.8490566 | 59.8246 | 3538.344 |
| Average | 222000 | 212929.8 | 96.0043791 | 59.8008 | 3559.696 |
Table 2: Attack findings by proposed Forensic system

| Fake Access Point attack: Frame Gen | Accourd by FS | % Accourd by FS | Denial of Service Attack: Frame Gen | Accourd by FS | % Accourd by FS | WIDS Alerts |
|---|---|---|---|---|---|---|
| 63216 | 62216 | 98.4181220 | 20133 | 19901 | 98.84766 | 118 |
| 60126 | 59120 | 98.3268471 | 20145 | 19540 | 96.99677 | 109 |
| 63216 | 62266 | 98.4972159 | 20226 | 20160 | 99.67369 | 110 |
| 61315 | 60268 | 98.2924244 | 20128 | 19315 | 95.96085 | 117 |
| 61968 | 60967 | 98.3836523 | 20158 | 19729 | 97.86974 | 113 |
We extract only the header parts to overcome the size issue and filter the data that we want to store in the evidence database. Table 1 shows the number of logged packets with the logging percentage, duration and packets per second. Fig. 4 is a graphical illustration of Table 1.

Table 3: Forensic Analytical Report

| Date & Time | DA | SA | Udpsp | DIP | UIP |
|---|---|---|---|---|---|
| 2014-02-10 7:40 | 00:0c:0e:30:e3:52 | 00:0b:1b:42:92 | 54988 | 192.168.129.3 | 192.168.129.89 |
| 2014-02-10 7:40 | 00:0c:0e:30:e3:52 | 00:0b:1b:42:92 | 54988 | 192.168.129.3 | 192.168.129.89 |
| 2014-02-10 7:40 | 00:0c:0e:30:e3:52 | 00:0b:1b:42:92 | 54989 | 192.168.129.3 | 192.168.129.89 |
| 2014-02-10 7:40 | 00:0c:0e:30:e3:52 | 00:0b:1b:42:92 | 54990 | 192.168.129.3 | 192.168.129.89 |
Table 2 presents the efficiency of the proposed system by analyzing two types of attacks (FAP and DSA), and Table 3 is the generated forensic analytical report.

Fig. 4: Packet log graph (generated and logged packets for each run of Table 1, plotted against duration: 58.7614, 59.7513, 60.8659, 59.8246)
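As an added example (not code from the paper or its system), a header-only extractor of the kind the evidence database described above needs: it walks the 802.11, LLC/SNAP, IPv4 and UDP headers of one captured data frame and keeps only the fields a Table 3 row carries (destination and source MAC, UDP source port, source and destination IP), never the payload. The frame bytes, MAC addresses and record field names are constructed for illustration; the address mapping follows the 802.11 To DS / From DS rules, and frames whose body is encrypted (Protected flag) are skipped because their LLC header is not readable.

```python
import struct
from collections import namedtuple
from typing import Optional

LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header announcing IPv4
# One row of the forensic report: addresses and ports only, never payload (field names assumed)
EvidenceRecord = namedtuple("EvidenceRecord", "da sa udp_sport src_ip dst_ip")

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def extract_record(frame: bytes) -> Optional[EvidenceRecord]:
    """Walk 802.11 -> LLC/SNAP -> IPv4 -> UDP headers; returns None for anything else."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2 or frame[1] & 0x40:
        return None                   # too short, not a data frame, or body encrypted
    fc, flags = frame[0], frame[1]
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:         # STA -> AP: a1=BSSID a2=SA a3=DA
        da, sa = a3, a2
    elif from_ds and not to_ds:       # AP -> STA: a1=DA a2=BSSID a3=SA
        da, sa = a1, a3
    elif not to_ds and not from_ds:   # ad hoc:    a1=DA a2=SA a3=BSSID
        da, sa = a1, a2
    else:
        return None                   # 4-address WDS frames are out of scope
    off = 24 + (2 if (fc >> 4) & 0x8 else 0)   # QoS data adds a 2-byte QoS control field
    if frame[off:off + 8] != LLC_SNAP_IPV4:
        return None
    ip = frame[off + 8:off + 28]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:   # need IPv4 carrying UDP
        return None
    ihl = (ip[0] & 0xF) * 4
    udp = frame[off + 8 + ihl:off + 8 + ihl + 8]
    if len(udp) < 8:
        return None
    return EvidenceRecord(_mac(da), _mac(sa), struct.unpack("!H", udp[:2])[0],
                          ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])))

# Constructed sample: one STA -> AP data frame carrying a UDP datagram (not real capture data)
SAMPLE_FRAME = (
    bytes([0x08, 0x01]) + b"\x00\x00"                   # FC: data, subtype 0; flags ToDS=1; duration
    + bytes.fromhex("001122334455" "020000000001" "020000000002")   # addr1=BSSID addr2=SA addr3=DA
    + b"\x00\x00" + LLC_SNAP_IPV4                       # sequence control, LLC/SNAP
    + bytes.fromhex("4500001c0001000040110000c0a88159c0a88103")  # IPv4: 192.168.129.89 -> .129.3
    + struct.pack("!HHHH", 54988, 53, 8, 0)             # UDP: sport 54988, dport 53, len, cksum
)
```

Running `extract_record` over every frame of a capture and storing only the returned records is what keeps the evidence database small enough for the traffic volumes in Table 1.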
5. Conclusion
In this paper we interlinked the forensics application with the parallel agent based wireless IDS architecture. The WLAN forensic server is the control and storage center of the system. The information obtained from the IDS and forensic analysis is used to know the attacking behavior of the intrusion and as evidence. The collected evidence information will provide details of the type of attacks and digital evidence to aid in digital forensic investigation, which can be used as evidence against any criminal activity. The WLAN forensic approach is a positive step to enhance security, and the future scope of forensics is very bright in the field of computer science. Further investigation in the particular field of digital forensics in wireless networks is crucial.
References
[1] Mc Grath, K.P.; Nelson, J., "A Wireless Network Forensic System," Irish Signals and Systems Conference, 2006. IET, pp. 93-98, 28-30 June 2006.
[2] Wei Ren; Hai Jin, "Distributed agent-based real time network intrusion forensics system architecture design," Advanced Information Networking and Applications, 2005. AINA 2005. 19th International Conference on, vol. 1, pp. 177-182, 28-30 March 2005.
[3] Gary, P., "A Road Map for Digital Forensic Research, Technical Report", DTRT0010-01, DFRWS, 2001.
[4] Srinivas Mukkamala & Andrew H. Sung, "Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques", International Journal of Digital Evidence, Volume 1, Issue 4, 2003.
[5] Azzedine Boukerche et al., "An agent based and biological inspired real-time intrusion detection and security model for computer network operations", Computer Communications, Volume 30, Issue 13, 26 September 2007, Science Direct.
[6] Donghyuk Yim; Jae-Yoon Lim; Seunghwan Yun; Sun-Hee Lim; Okyeon Yi; Jongin Lim, "The Evidence Collection of DoS Attack in WLAN by Using WLAN Forensic Profiling System," Information Science and Security, 2008. ICISS. International Conference on, pp. 197-204, 10-12 Jan. 2008.
[7] Yu-Xi Lim; Yer, T.S.; Levine, J.; Owen, Henry L., "Wireless intrusion detection and response," Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society, pp. 68-75, 18-20 June 2003.
[8] Alpaydin, E., 2010. Introduction to Machine Learning. MIT Press.
[9] Shahaboddin Shamshirband et al., "An appraisal and design of a multiagent system based cooperative wireless intrusion detection computational intelligence technique". Engineering Applications of Artificial Intelligence 26 (2013) 2105-2127.