Ph.D. Thesis Progress Report
Wireless Network Intrusion Detection System: implementation and architectural issues
Gianluca Papaleo
Dipartimento di Informatica e Scienze dell'Informazione, Università degli Studi di Genova
Supervisors: Dott. Maurizio Aiello (CNR - IEIIT) Prof. Giovanni Chiola (DISI)
1 Introduction
The nature of the mobile computing environment makes it very vulnerable to an adversary's malicious attacks. First of all, the use of wireless links renders the network susceptible to attacks ranging from passive eavesdropping to active interfering. Unlike wired networks, where an adversary must gain physical access to the network wires or pass through several lines of defense at firewalls and gateways, attacks on a wireless network can come from all directions and target any node. Damages can include leaking secret information, message contamination, and node impersonation. All this means that a wireless network will not have a clear line of defense, and every node must be prepared for encounters with an adversary, directly or indirectly.

The problem of detecting anomalies, intrusions, and other forms of computer abuse can be viewed as finding non-permitted deviations (or security violations) from the characteristic properties of the monitored (network) systems. This assumption is based on the fact that intruders' activities must be different (in some ways) from normal users' activities. However, in most situations it is very difficult to realize or detect such differences before any damage occurs during break-ins. A data mining approach to network intrusion detection [1] provides an opportunity to learn the behaviors of network users by mining the data trails of their activities. While recent research has investigated data mining for intrusion detection, considerable challenges remain unexplored, including intrusion detection models for wireless networks and intrusion detection without prior knowledge of relationships between attack types and attributes of network audit data.

The aim is to develop and implement an efficient WIDS (Wireless Intrusion Detection System) in an infrastructure-based wireless network and to use anomaly-detection techniques to detect different types of attacks within the wireless network. To do this we investigate recent evolutions in intrusion detection using data mining approaches and use the intrusion detection skills developed during this year. The main difficulty is to take the intrusion detection techniques known in wired networks and adapt them to a wireless environment.
2 Activity Report
During this year many activities have been carried out and good results have been obtained with respect to the goal already mentioned and the work plan outlined in the thesis proposal. Many problems have also been encountered and overcome to achieve our goals. In the following subsections an overview of these activities and results is presented.
2.1 Security Wireless State of Art
We investigated new attack methods and security threats concerning 802.11. We distinguished these parts:
• WEP cracking PTW attack [2] [3]
• Fragmentation attack [4] [5]
• ChopChop attack [6]
• WPA-PSK hash tables [7]
• DoS attacks [8] [9]
2.1.1 Obtained Results
The research activity at this stage is concerned with the study of prominent papers in the field and with practical experiments. For all the items of the security wireless state of the art, these are the results:
• Through the PTW attack we are able to crack a wireless network with WEP encryption using fewer data packets than the old FMS attack [10]. The cracking success rate is about 50% using just 40,000 packets; with 65,000 packets the cracking success rate rises to about 90%. To crack WEP encryption with the FMS attack [11] we needed about 2,000,000 data packets. At this moment this method works only with ARP packets.
• To be able to carry out the WEP cracking attack quickly, we need to inject several small data packets in a short period of time; ARP packets are ideal for this goal. Through the fragmentation attack we are able to recover a keystream and to reuse the keystream to send arbitrary data.
• The ChopChop attack uses a previously captured valid packet and starts the decryption process. It truncates the last data byte, calculates a "Value" based upon the guessed byte, XORs this "Value" with the captured packet to create a new packet, rebuilds the packet, and then injects it into the wireless network. This byte is recorded, along with the PRGA value that would be used to encrypt the byte, and then this whole routine is repeated with the new valid captured packet until the entire PRGA has been deduced. Once the entire PRGA is deduced we are able to inject a valid packet to collect enough data packets to decrypt WEP.
• It has been known for a while that WPA-PSK is vulnerable to brute force attacks [12]. To exploit this weakness we need a way to test keys against dictionaries. The problem is that such a process is very slow. Each passphrase is hashed 4096 times with SHA-1 and 256 bits of the output is the resulting hash. This is then compared to the hash generated in the initial key exchange. A lot of computing power is required for this operation. To complicate matters, the key hash can be different depending on the network it is implemented on: the SSID and the SSID length are seeded into the passphrase hash. This means that the passphrase 'password' will be hashed differently on a network with the SSID 'linksys' than on a network with the SSID 'default'. To overcome this constraint, pre-computed hash tables for the most used SSIDs have been created. This method is a way to speed up WPA-PSK cracking.
• Despite recent 802.11 security advances, WLANs remain very vulnerable to denial-of-service (DoS) attacks. We achieved DoS attacks through these methods:
– Deauth Flood
– Associate Flood
– 802.1X EAP Logoff Flood
– EAP Start Flood
– EAP-of-Death attacks
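The passphrase-to-key mapping described in the WPA-PSK item above, written out as an added example (not code from the thesis): the standard 802.11i derivation, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output. The two SSIDs are the ones named in the text; the function and constant names are this example's own.

```python
import hashlib

ITERATIONS = 4096   # fixed by the 802.11i passphrase-to-PSK mapping
PMK_LEN = 32        # 256-bit output, the Pairwise Master Key (PMK)


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID bytes (and therefore the SSID length) are the salt, so the
    same passphrase yields a different PMK on each network. This is the
    value a supplicant derives before the 4-way handshake and the reason
    any pre-computed table has to be built per SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, dklen=PMK_LEN)


def pmks_by_ssid(passphrase: str, ssids) -> dict:
    """Derive one passphrase on several SSIDs to show the SSID dependence."""
    return {ssid: wpa_psk_pmk(passphrase, ssid).hex() for ssid in ssids}


if __name__ == "__main__":
    # The example from the text: 'password' on 'linksys' versus 'default'.
    for ssid, pmk in pmks_by_ssid("password", ["linksys", "default"]).items():
        print(f"SSID {ssid!r}: PMK {pmk}")
```

The expected value for the IEEE 802.11i reference vector (passphrase "password", SSID "IEEE") is checked by the accompanying test, so the derivation can be verified against the standard rather than against this page.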
2.2 Anomaly Intrusion Detection Techniques
In our study of anomaly intrusion detection techniques, instead of searching for a general method that tries to detect all the attacks, we focus our attention on single attacks, using a different technique for each different attack.
2.2.1 Obtained Results
These techniques use different metrics to detect attacks [13] [14] [17]. For each method we used, we list the relevant metric:
• WEP cracking (number of ARP packets)
• DoS attacks (management frame distribution)
• War driving (probe request analysis)
• MAC spoofing (MAC address distribution)
• Rogue AP (beacon frame analysis)
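Two of the metrics listed above (management frame distribution for deauthentication floods, ARP packet count for WEP cracking) applied to per-window counts, as an added example that is not the thesis's own detector. The frames are a constructed sample, not a real capture; the threshold rule (a window is flagged when its count exceeds a multiple of the mean over attack-free baseline windows) and all names are this example's assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample frames (not a real capture): (timestamp_s, type, subtype, source).
# type is "mgmt" or "data"; mgmt subtypes "beacon"/"deauth", data subtypes "ip"/"arp".
SAMPLE_FRAMES = (
    [(t, "mgmt", "beacon", "ap") for t in range(60)]                  # one beacon per second
    + [(t, "data", "ip", "sta1") for t in range(0, 60, 2)]             # normal data traffic
    + [(5, "data", "arp", "sta1"), (30, "data", "arp", "sta2")]        # occasional ARP
    + [(45 + i / 100, "mgmt", "deauth", "ap") for i in range(300)]     # deauth flood, window 4
    + [(50 + i / 10, "data", "arp", "sta3") for i in range(100)]       # ARP replay, window 5
)

WINDOW_S = 10  # metrics are counted per 10-second window

METRICS = {
    "mgmt:deauth": "deauthentication flood (DoS)",
    "data:arp": "ARP injection (WEP cracking)",
}


def bucket(frames, window_s=WINDOW_S):
    """Count frames per window keyed by type:subtype, e.g. counts[4]["mgmt:deauth"]."""
    counts = defaultdict(Counter)
    for ts, ftype, sub, _src in frames:
        counts[int(ts // window_s)][f"{ftype}:{sub}"] += 1
    return counts


def detect(frames, baseline_windows, factor=5.0, min_count=20, window_s=WINDOW_S):
    """Flag windows whose metric count exceeds factor * mean of the baseline windows.

    baseline_windows: indices of windows assumed attack-free (training data).
    min_count avoids alerting on tiny absolute counts when the baseline is
    near zero. Returns a list of (window, label, count)."""
    counts = bucket(frames, window_s)
    baseline = {m: sum(counts[w][m] for w in baseline_windows) / len(baseline_windows)
                for m in METRICS}
    alerts = []
    for w in sorted(counts):
        for m, label in METRICS.items():
            c = counts[w][m]
            if c >= min_count and c > factor * max(baseline[m], 1.0):
                alerts.append((w, label, c))
    return alerts


if __name__ == "__main__":
    for w, label, c in detect(SAMPLE_FRAMES, baseline_windows=[0, 1, 2, 3]):
        print(f"window {w}: {label}, {c} frames")
```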
2.3 Implementation of our system
During this year we used intrusion detection techniques to implement our wireless intrusion detection system. The implementation work has two main parts:
• Sensor deployment and wireless monitoring
• Traffic analysis
2.3.1 Obtained Results
To implement our system we set up a wireless card to monitor an access point using WEP encryption. We made this choice to allow more kinds of attacks to be performed. In this phase we encountered problems with the driver implementation when putting the wireless card into monitor mode. We identified bugs in the monitor mode implementation and alerted the driver's programmer to fix these bugs [15]. We monitored the AP for about five months. During this period we tried to perform various attacks. Afterwards we analyzed the captured traffic and used the intrusion detection techniques explained above to detect the attacks we performed [16]. So far we have correctly identified WEP attacks and deauthentication flood attacks. In the first months of next year we will try to identify other attack types and implement the system for online detection.
3 Thesis Structure
The thesis is structured in three different parts:
• Investigation of the security wireless state of the art
• Study of anomaly intrusion detection techniques
• Implementation of our system
The three steps are strictly related: in fact, the first point makes us aware of current attack techniques and security threats. Through the first point we can develop new intrusion detection techniques that take into account the characterization of attacks. Finally, through the new techniques we are able to improve our prototype wireless intrusion detection system.
4 Work Plan
This is the work plan for the next year. During this year we have brought forward the experimental setup activity and delayed the implementation of the system with respect to the work plan presented last year in the thesis proposal. The up-to-date work plan sketch follows.
Figure 1: Work Plan.
References
[1] S. V. Nath, S. Zhong, and T. Khoshgoftaar. Wireless network intrusion detection: A data mining approach.
[2] Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin. Breaking 104 bit WEP in less than 60 seconds.
[3] Andreas Klein. Attacks on the RC4 stream cipher.
[4] Andrea Bittau, Mark Handley, and Joshua Lackey. The final nail in WEP's coffin.
[5] Andrea Bittau. The Fragmentation Attack in Practice.
[6] KoreK. chopchop (experimental WEP attacks).
[7] RenderMan, Joshua Wright. Church of Wifi WPA-PSK Rainbow Tables.
[8] John Bellardo and Stefan Savage. 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions.
[9] AusCERT. Denial of Service Vulnerability in IEEE 802.11 Wireless Devices.
[10] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4.
[11] A. Stubblefield, J. Ioannidis, and A. Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP.
[12] Takehiro Takahashi. WPA Passive Dictionary Attack Overview.
[13] J. Wright. Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection.
[14] Wenzhe Zhou, Alan Marshall and Qiang Gu. A Novel Classification Scheme for 802.11 WLAN Active Attacking Traffic Patterns.
[15] Aspj. RaLink RT73 USB Enhanced Driver.
[16] The Aircrack-NG team. Aircrack-ng suite.
[17] Shi Zhong, Taghi M. Khoshgoftaar and Shyarn V. Nath. A Clustering Approach to Wireless Network Intrusion Detection.