THE EFFECT OF PROBE INTERVAL ESTIMATION ON ATTACK DETECTION PERFORMANCE OF A WLAN INDEPENDENT INTRUSION DETECTION SYSTEM

J. Milliken (1), V. Selis (1), K.M. Yap (2), A. Marshall (1,2)

(1) Department of Electrical & Electronic Engineering, Queens University Belfast, Northern Ireland, UK. {mmilliken02,v.selis,a.marshall}@qub.ac.uk
(2) Department of Computer Science and Networked Systems, Sunway University, Kuala Lumpur, Malaysia.

Keywords: WLAN, MAC, Probe, Frames, Intrusion.

Abstract

A new niche of densely populated, unprotected networks is becoming more prevalent in public areas such as shopping malls. These are defined here as independent open-access networks, and they have attributes that make attack detection more challenging than in typical enterprise networks. To address these challenges, new detection systems which do not rely on knowledge of internal device state are investigated here. This paper shows that the lack of state information requires an additional metric (the exchange timeout window) for detection of WLAN Denial of Service Probe Flood attacks. Variability in this metric has a significant influence on the ability of a detection system to reliably detect the presence of attacks. A parameter selection method is proposed which is shown to provide reliability and repeatability in attack detection in WLANs. Results obtained from ongoing live trials are presented that demonstrate the importance of accurately estimating probe request and probe response timeouts in future Independent Intrusion Detection Systems.

1 Introduction

WiFi networks have created opportunities for businesses and the public to expand Internet availability to the point where it has become almost universal in large metropolitan areas. One attractive way of providing this service is through open-access WiFi hotspots which do not require any encryption credentials [9]. These hotspots are distinct from the "open" services provided by companies such as The Cloud [17] in that they require no subscription or prepayment to gain Internet access. However, as the barrier to gaining connectivity is lowered, the security implications become more prevalent. With increased use of these insecure networks the geographical attack area expands with every new deployment, leaving network users at risk [5].

One method of protecting these networks is deployment of an Intrusion Detection System (IDS) [10]. Typically, however, such defence systems are deployed in corporate environments to protect business devices from intrusions [4] and are not targeted at or adapted to public, open-access networks. Public, open-access networks are generally unsuited to this type of IDS for three reasons: low equipment availability, limited security budget, and limited technical expertise. Techniques to overcome these challenges can be envisioned with cooperation between participating networks. The current focus of IDS technology on corporate and enterprise networks means that a large number of vulnerable WiFi points remain unprotected. To better protect these networks, an adapted approach needs to be developed for different environments [6]. One approach, advocated by the authors in previous work [15], is to design systems which make use of unencrypted Layer 2 traffic for intrusion detection. Monitoring this freely available data source gives a legal and practical basis on which to develop a public, open-access security system, so attack detection can be provided for networks without the need to divulge critical infrastructure information or files.

Questions remain about such a system, however, particularly where information about device state is required. The lack of this information requires assumptions to be made about device state, specifically about packet reception success in this instance. Currently these parameters are estimated from human "expert knowledge" or best guess. As these values are not chosen systematically, a different choice of best guess can alter detection or traffic collection performance.

1.1 Background

WiFi is known to be an insecure protocol, vulnerable to Denial of Service (DoS) and Rogue Access Point attacks. DoS attacks compromise the availability of a network through either resource exhaustion or protocol abuse. DoS attacks based on floods of Probe and Association frames are considered the most dangerous WLAN DoS attacks, as they are trivial to carry out [2,3] but difficult to detect. The reason for this difficulty is that high levels of these frames can be legitimately present in a congested environment. An increase in the level of association frames, authentication frames or probe requests in a network has been experimentally shown in [2] and [12] to degrade network performance, but their effect on attack detection is not considered. In [2] it is proposed that the vulnerability lies in unacknowledged frame retransmission, which causes memory exhaustion and freezes AP functionality. Despite the danger posed by these attacks, [12] laments the scarcity of studies that investigate the impact of DoS flooding attacks or propose solutions. Threshold and feature selection remains a problem for detecting flooding attacks: in [7] a subset of features is deemed relevant for detection but their values are not developed, and [8] has established that threshold selection is an integral part of detection that can be overlooked because of the time and effort required to tune the correct values. The most notable modern Layer 2 IDS in current use is Kismet [11], which detects attacks using detection thresholds; however the algorithms in use are basic and few works have evaluated their successful use [16].

To ensure that research results are backed by real network behaviour, experiments in WiFi networks need to be carried out on real WLAN equipment with real network drivers and software, rather than in laboratories or simulations [8, 11]. Very little detailed information on live network data and its collection is available in published research [14], even though the subject is of great interest. To capture the influence of operational complexities, wireless-side collection is necessary [13]. One reason for the lack of information and datasets collected in this fashion is the fear of violating user privacy, but also the perceived difficulty of collecting and sanitising the information [1]. The authors' previous work on this subject has demonstrated methods which can overcome these barriers [15]. WiFi intrusion detection solutions have been deployed in previous research, but very few have examined publicly accessible live network data from public WiFi environments [3, 15]. Research in real-life environments is thus of great importance to the field.

2 Independent Networks

Two frame types in 802.11 are exploited to carry out a flood DoS attack: Association and Probe. In legitimate connections both frame types are accepted and processed by the AP; however the practical handling of frame processing presents a problem. Should the victim AP become overloaded with processing requests then resource exhaustion can cause it to malfunction.

2.1 802.11 MAC Frames in Theory and in Practice

In 802.11 the MAC layer is designed to provide availability and addressing to all devices within the vicinity of the AP. The normal use of the two frame types in question is:

Probe: To determine the existence of devices within the network, specifically clients detecting APs. These frames should be processed, replied to and dropped.

Association: To advance the connecting client through the 802.11 access state machine. These frames should be processed, replied to and dropped.

The problem in this scenario is that in practice it is not a matter of a single packet being sent and a single packet sent in response. There are many legitimate reasons why a packet may not be received correctly, such as collisions, multipath effects, link degradation or processing error. As a result retries are employed, which allow multiple transmissions of the same request or response frame. The key problem here is that the sender has to wait a certain amount of time before it concludes that a frame has not been received and must be sent again. The AP has the same problem with replies. The delay in responding can be caused by processing time or environmental factors and is regulated by a response timeout attribute in both the client and the AP. Regarding the retry timeout on the AP, if the limit is set too high, many packets can be held in the buffer waiting to be processed, making the AP more prone to resource exhaustion. In both [2] and [3], however, it is remarked that this retry limit is difficult to set via software or even at the firmware level. To compound this threat, the timeout limit has been observed to differ between frame types handled by a given AP and between different APs [2]. Even if a DoS is not caused, the response time of an AP can be affected by the size of this limit, increasing it by up to 60-80%. If an AP is loaded with a high level of legitimate traffic then the rate of frames required to cause resource exhaustion drops, making the attack easier to perform and more difficult to detect. Research in [13] also observed that as few as 3 requests generated 21 responses from a real AP, consuming more resources than would be expected. Thus the environment in which DoS flooding occurs does not strictly follow the 802.11 protocol.

2.2 Independent Intrusion Detection Systems (IIDS)

The challenges in implementing an Independent Intrusion Detection System (IIDS) are rooted in the lack of state information for monitored APs. Where an IDS can be connected to the monitored network, all information about what has or has not been received and processed (i.e. probe request or response acceptance) is available through direct query or analysis of encrypted traffic. This information is not available to an outside entity, so an IIDS must infer the same data from the unencrypted packets observed over the wireless medium, which can lead to errors. This error has an as yet undetermined effect on the performance of the attack detection algorithm employed. One impact of this obscured state on detection algorithms is that additional parameters need to be considered in order to perform optimally. These parameters constitute the estimation of successful packet reception timeout values, termed here the exchange timeout window. The extent to which IIDS detection ability is influenced by this additional parameter is of prime concern. Thus it is paramount that a systematic method is developed to test and ascertain reasonable and repeatable selection of values. Such a method would allow more accurate and effective attack alert algorithm development. It also ensures that this timeout effect is taken into account when comparing algorithmic performance in research. The effect of these parameters on attack detection performance for frame flood DoS attacks has not been broached in current research to date.

3 Data Collection System

An example of independent open-access WLAN networks can be found in shopping malls. In these environments a significant number of the open-access deployments are small-scale, fragmented, independent networks which cannot be serviced by a single, common security system. The reasons for this can be a lack of co-ordination between administrators or privacy risks regarding potential leakage of corporate information. Thus many conventional IDSs used for enterprises are not suitable for these environments. In WLANs many networks can be monitored at the same time, even if they are totally disconnected from each other, as all traffic is available to devices within reception distance. Using this collection method it is possible to detect intrusions without active co-operation or access to the internal information of networks. This work proposes that a single security system, monitoring the traffic to the systems around it but not physically connected to them, can provide security for multiple independent network installations with minimal threat to the private data of users or network administrators.

3.1 Data Acquisition

To investigate the use of WLAN MAC-layer data in providing security for independent networks, a dedicated system was designed and deployed in the Sunway Pyramid Shopping Mall in Kuala Lumpur, Malaysia. This installation was used to assess the impact of frame estimation on security algorithm performance. A system similar to the one used here is briefly outlined in [15], as are the motivations and challenges associated with design and deployment. Nonetheless, some brief information on the system and a network diagram is given in Figure 1.

Fig 1. Layout of monitoring equipment.

In Figure 1, Monitoring Stations MS#1 and MS#2 operate on channel 8 and MS#3 and MS#4 operate on channel 11. Data collection is restricted to 802.11 Layer 2 MAC frames, as this alleviates many of the confidentiality and user privacy issues that can act as barriers to working with live network data. In many cases these are the primary concerns for network owners and administrators. All monitored data is truncated to a maximum frame size of 115 bytes in order to allow the MAC header to be dissected whilst ensuring that all other payload data is obfuscated.

3.2 Data Processing

WLAN activity in the Pyramid centre was monitored from October 21 2011 until January 8 2012, from which the first 3 weeks were extracted as a subset. This data was then analysed to examine the effect of timeout values on the probe requests and responses observed by each MS. The timeout operates by invoking a frame window of size equal to "x" consecutive frames of any type, where "x" is to be varied. This frame window is established after the reception of a request or response frame between a client-AP pair and then decrements on reception of every subsequent frame that is not a probe request or response. If an additional request or response frame is received for the client-AP pair before the frame window expires then the window is reset to its maximum value, as described in Figure 2. If the window expires then the interval between the logged request and the logged response is the calculated interval for that exchange.

Fig 2. Description of Req. – Rsp. Timeout Operation.

In this analysis the two frame timeout windows are varied in discrete intervals: 1-14 frames for probe requests and 1-18 frames for probe responses. The time between the last observed request and the last observed response after both windows have timed out is taken as the conversation time. This is then expressed as an average percentage increase relative to the conversation time had no windows existed (i.e. both window sizes = 1 packet). This analysis was performed for each MS indicated in Figure 1. A similar approach was briefly discussed in previous work [15]; however that analysis only established that an effect is present, and was performed on a different dataset that varied only one of the windows, not both.

4 Probe Frame Estimation

Table 1 gives an overview of the variability in conversation time for each MS in the analysis. The values in the table show a large percentage increase in the conversation time even for minimum window values. It can be observed that varying these timeout values has a significant effect on the conversation time estimation.

Table 1. Overview of the Average Increase (Av. Inc.) in conversation time. Each increase is followed by the Request and Response window sizes (in frames) at which the increase was observed.

MS   Minimum Av. Inc.   Req   Rsp   Maximum Av. Inc.   Req   Rsp
1    73.27%             14    1     2963.98%           1     18
2    102.96%            14    1     1191.11%           1     18
3    89.20%             14    1     1532.84%           1     18
4    85.46%             14    1     1353.41%           1     18

The relationship between the time increases and the Request-Response values in Table 1 indicates that the minimum and maximum values occur at opposite ends of the Req-Rsp spectrum. Hence a gradual increase in conversation time is expected as the window sizes move from Req=14, Rsp=1 to Req=1, Rsp=18. Figures 3 and 4 show this trend for increasing Request and Response values respectively. As the request window increases in Figure 3, the percentage increase in probe exchange time converges towards a smaller value, and similar behaviour is observed in Figure 4: for responses, an increase in the timeout window produces a growth in the exchange percentage which appears to plateau at higher values, implying convergence there too. Hence there is a convergence point to be found where both Request and Response timeout values have a reduced impact on the exchange.

Fig 3. Exchange time, dependent on Request Timeout.

Fig 4. Exchange time, dependent on Response Timeout.

The difference in maximum and minimum results between each MS in Table 1 shows that location and orientation play a strong part in frame estimation. Even though the physical separation between MSs is small, a significant difference in the average estimation is reported. This difference is considered to be primarily due to variation in the reception characteristics. Nonetheless, the data for all MSs exhibit a similar trend. The important factor now is establishing a commonality between them.

4.1 Influence on Detection Performance

Algorithms of varying complexity have been applied in previous research to detect attacks in WLANs; however few have been applied directly to Probe Flood attacks. In this work a series of simple flood detection algorithms are constructed and their performance is assessed as the request and response timeout windows are varied. The algorithms are not designed to be perfect detectors; their use here is to show the variability in performance depending on frame window estimation. The two algorithms under consideration are:

1. Probe chains: Tracks the number of times that a request-response chain is extended by accepting a new packet within the window. Each time a chain is extended the AP continues to hold the connection in its memory buffer, consuming resources. If the chain lasts longer than a threshold amount then an attack is reported.

2. Probe conversations per minute: Tracks the number of times a matching response is found for an open request per minute. Each time a request is sent and a response is observed, the AP has consumed resources in processing that request. If there are more than a threshold number of matching responses per minute then an attack is reported.

Each algorithm detects Probe Flood attacks by tracking the number of successful request-response exchanges between clients and APs. Both algorithms were tested with a threshold value of 4. Whilst threshold selection is an important aspect of successful intrusion detection, the impact of this threshold choice in isolation is not the focus of this work.

Fig 5. Exchange time, dependent on Response Timeout for Probe Chain IDS Algorithm.

The performance of the probe chains algorithm is assessed by counting the total number of attacks reported within the timeframe under consideration. The performance of the probe conversations algorithm is assessed by accumulating the severity of threshold violations (i.e. count per minute / threshold) for each minute. Figures 5-8 show the effect of Request and Response timeout selection on these algorithms. The trends observed in Figures 5-8 show a marked increase in the number of detections as the Request or Response timeout value increases. Each presents a convergence, or settling point, which differs from graph to graph. This shows that there is no single value that is applicable to both algorithms and both timeout windows. In each case, when assessed visually, there can be disagreement about where this convergence point lies. A better means is required to determine these points automatically so that comparisons between locations and across repetitions are accurate.
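The window rule of Section 3.2 and the two detectors of Section 4.1 can be made concrete in a few dozen lines. The Python below is an added example, not code from the paper or from the Sunway Pyramid monitoring system; it runs over a constructed list of frames (timestamp, frame kind, client and AP address) rather than the real capture, and it fills in three points the text leaves open, each marked as an assumption: only frames that are neither probe request nor probe response decrement a window; the conversation time of a closed exchange is the absolute gap between the last request and the last response logged for the client-AP pair; and the probe-chain detector raises one alert per chain when the number of extensions exceeds the threshold (4, as in the paper). The names ExchangeTracker, run and percent_increase are this example's own.

```python
"""Exchange timeout windows for 802.11 probe request/response tracking.

Added example, not the paper's code. Assumptions (see lead-in): only non-probe
frames decrement a window; conversation time = |last response - last request|;
one probe-chain alert per chain once its extension count exceeds the threshold.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class Frame:
    t: float            # capture timestamp in seconds
    kind: str           # "req" (probe request), "rsp" (probe response) or "other"
    client: str = ""    # client address, empty for "other" frames
    ap: str = ""        # AP address, empty for "other" frames


@dataclass
class PairState:
    last_req: Optional[float] = None
    last_rsp: Optional[float] = None
    req_left: int = 0   # request window, counts down on non-probe frames
    rsp_left: int = 0   # response window, counts down on non-probe frames
    chain: int = 0      # times this exchange was extended by a new req/rsp
    reported: bool = False


class ExchangeTracker:
    def __init__(self, req_window: int, rsp_window: int, threshold: int = 4):
        self.req_window, self.rsp_window, self.threshold = req_window, rsp_window, threshold
        self.pairs: dict = {}
        self.intervals: list = []                    # conversation time of each closed exchange
        self.chain_alerts = 0                        # "probe chains" detector output
        self.matches_per_minute = defaultdict(int)   # "probe conversations per minute" input

    def feed(self, frame: Frame) -> None:
        if frame.kind == "other":
            self._tick()
            return
        key = (frame.client, frame.ap)
        st = self.pairs.get(key)
        if st is None:
            st = self.pairs[key] = PairState()       # window established by a req or rsp
        else:
            st.chain += 1                             # accepted inside an open window: extension
            if st.chain > self.threshold and not st.reported:
                st.reported = True
                self.chain_alerts += 1
        if frame.kind == "req":
            st.last_req, st.req_left = frame.t, self.req_window   # reset to maximum
        else:
            st.last_rsp, st.rsp_left = frame.t, self.rsp_window
            if st.last_req is not None:               # response matching an open request
                self.matches_per_minute[int(frame.t // 60)] += 1

    def _tick(self) -> None:
        """Non-probe frame: decrement both windows of every open pair, close expired ones."""
        for key, st in list(self.pairs.items()):
            st.req_left = max(0, st.req_left - 1)
            st.rsp_left = max(0, st.rsp_left - 1)
            if st.req_left == 0 and st.rsp_left == 0:
                self._close(st)
                del self.pairs[key]

    def _close(self, st: PairState) -> None:
        if st.last_req is not None and st.last_rsp is not None:
            self.intervals.append(abs(st.last_rsp - st.last_req))

    def flush(self) -> None:
        """End of capture: close exchanges whose windows never expired."""
        for st in self.pairs.values():
            self._close(st)
        self.pairs.clear()

    def mean_interval(self) -> float:
        return mean(self.intervals) if self.intervals else 0.0

    def severity(self) -> float:
        """Accumulated count/threshold over the minutes that violated the threshold."""
        return sum(c / self.threshold for c in self.matches_per_minute.values() if c > self.threshold)


def run(frames, req_window, rsp_window, threshold=4) -> ExchangeTracker:
    tr = ExchangeTracker(req_window, rsp_window, threshold)
    for f in frames:
        tr.feed(f)
    tr.flush()
    return tr


def percent_increase(frames, req_window, rsp_window) -> float:
    """Average conversation time relative to the no-window baseline (1, 1), in percent."""
    base = run(frames, 1, 1).mean_interval()
    return (run(frames, req_window, rsp_window).mean_interval() - base) / base * 100.0


# Constructed capture (not real data): c1 makes one clean exchange; c2 sends a single
# request that the AP keeps answering with retried responses, the pattern behind
# the "3 requests, 21 responses" observation cited in Section 2.1.
SAMPLE = [
    Frame(0.000, "req", "c1", "ap1"), Frame(0.002, "rsp", "c1", "ap1"),
    Frame(0.010, "other"), Frame(0.020, "other"),
    Frame(1.000, "req", "c2", "ap1"), Frame(1.002, "rsp", "c2", "ap1"),
    Frame(1.004, "rsp", "c2", "ap1"), Frame(1.010, "other"),
    Frame(1.020, "rsp", "c2", "ap1"), Frame(1.030, "other"), Frame(1.040, "other"),
    Frame(1.050, "rsp", "c2", "ap1"), Frame(1.060, "other"),
    Frame(1.070, "rsp", "c2", "ap1"), Frame(1.080, "other"), Frame(1.090, "other"),
    Frame(1.100, "other"),
]

if __name__ == "__main__":
    for req_w, rsp_w in [(1, 1), (2, 2), (3, 3)]:
        tr = run(SAMPLE, req_w, rsp_w)
        print(f"req={req_w} rsp={rsp_w}: +{percent_increase(SAMPLE, req_w, rsp_w):.0f}% "
              f"chain alerts={tr.chain_alerts} severity={tr.severity():.2f}")
```

On the constructed capture, moving both windows from 1 to 3 frames lifts the average conversation time by 1100% and turns the same traffic from zero alerts into one chain alert and a conversations-per-minute severity of 1.5. That is the sensitivity to window choice that Table 1 and Figures 5-8 report on the real data: neither detector's output means anything until the windows are fixed.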

Fig 6. Exchange time, dependent on Request Timeout for Probe Chain IDS Algorithm.

Fig 7. Exchange time, dependent on Response Timeout for Probe Conv. IDS Algorithm.

Fig 8. Exchange time, dependent on Request Timeout for Probe Conv. IDS Algorithm.

5 Parameter Selection Algorithms

The selection of request and response timeout window size has been shown to influence the conversation time, so the next step is to establish a method of selecting these values. An effective means of selection would be one which provides reasonably stable values across time. The obvious choice would be the convergence point in the case of requests (14) and the settling point for responses (18), i.e. the top of each range examined; however an increase in this timeout allows a greater number of attacks to be perpetrated, so a lower value is desirable. This implies a balance between a value low enough to cover attack scenarios and high enough to reduce instability in the conversation time.

5.1 Determining Parameter Values

Another means of viewing the data, which removes variance, is to plot the values in a percentage graph showing the current value relative to the maximum achieved for that MS. These graphs are given in Figures 9 and 10, showing convergence for request and response values; this removes much of the variance between values. They differ from Figures 3 and 4 in that all request values converge to a single point, 100%, whilst the response values continue to converge on their own local convergence point. Again this indicates that for both values there exists a settling point beyond which deviation in values becomes smaller and smaller.

Fig 9. Exchange time dependent on Response Timeout.

Fig 10. Exchange time dependent on Request Timeout.

The plateaus observed in the previous graphs allow possible settling points to be determined from empirical data. Thus the sizes of both windows can be determined rather than guessed, by creating an algorithm to find this settling point. The algorithm employed here to calculate the parameter bound takes the following steps:

1. Calculate the standard deviation of each of the percentage graph values and remove outliers,
2. If the minimum of the standard deviations is less than 1x10^-8 then the settling point is 0.1. Otherwise the settling point is the minimum + (minimum * 0.1),
3. The window size is the matching variable value for the largest standard deviation nearest the settling point.

The automatic selection system described here generates the recommended window values listed in Table 2. This produces more informed and stable results, and also allows independent researchers to arrive at the same results for the same data set; parameters are no longer guessed or attributed to "expert knowledge" but are based on repeatable processes. This complements the threshold level rather than replacing it. The threshold level determines how sensitive the detection algorithm is to possible attacks. Appropriate selection of timeout parameters determines how accurate and replicable the results are.
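The three steps can be implemented directly once the percentage-graph data is available. The Python below is an added example rather than the authors' code; its input is a constructed set of request-window series (each a list of conversation-time values, as a percentage of the MS maximum, across the response-window sizes), not the data behind Table 2. Two details the steps leave unspecified are filled in as assumptions and marked as such in the code: outliers are removed with a median-absolute-deviation rule, and "largest standard deviation nearest the settling point" is read as the largest deviation that does not exceed the settling point, with ties going to the smaller window because Section 5 prefers the lower value. The helper names (series_from_grid, window_stds, settling_point, select_window) are this example's own.

```python
"""Settling-point selection for probe timeout windows (the three steps of Section 5.1).

Added example, not the paper's code. Assumptions: outliers are removed with a
median-absolute-deviation rule, and the selected window is the one whose standard
deviation is the largest that does not exceed the settling point (ties go to the
smaller window).
"""
from statistics import median, pstdev

MAD_SCALE = 1.4826   # scales the MAD to a standard deviation for normal data
OUTLIER_K = 3.0      # assumption: points beyond 3 scaled MADs from the median are outliers
EPS = 1e-8           # step 2 threshold from the paper


def series_from_grid(grid, axis="req"):
    """Build the percentage-graph series from a {(req, rsp): mean conversation time} grid:
    each value is expressed relative to the maximum for that MS and grouped by request
    window (axis="req") or response window (axis="rsp")."""
    top = max(grid.values())
    series = {}
    for (req, rsp), value in sorted(grid.items()):
        series.setdefault(req if axis == "req" else rsp, []).append(100.0 * value / top)
    return series


def drop_outliers(values):
    """Step 1, outlier removal (assumed rule): keep points within OUTLIER_K scaled MADs."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:                      # more than half the points are identical; nothing to drop
        return list(values)
    return [v for v in values if abs(v - med) <= OUTLIER_K * MAD_SCALE * mad]


def window_stds(series):
    """Step 1: population standard deviation of each window size's series."""
    return {size: pstdev(drop_outliers(vals)) for size, vals in series.items()}


def settling_point(stds):
    """Step 2: 0.1 if the smallest deviation is effectively zero, otherwise min + 10%."""
    low = min(stds.values())
    return 0.1 if low < EPS else low + low * 0.1


def select_window(series):
    """Step 3: the window size whose deviation is the largest at or below the settling point."""
    stds = window_stds(series)
    sp = settling_point(stds)
    settled = {size: s for size, s in stds.items() if s <= sp}   # never empty: the minimum qualifies
    return min(settled, key=lambda size: (-settled[size], size))


# Constructed request-window series (percent of the MS maximum across response windows),
# not measured data. The spread shrinks as the window grows; size 3 carries one spurious reading.
SAMPLE_REQUEST_SERIES = {
    1: [20, 20, 100, 100],
    2: [60, 60, 100, 100],
    3: [80, 80, 96, 96, 2],
    4: [92, 92, 98, 98],
    5: [96, 96, 100, 100],
    6: [97, 97, 99.1, 99.1],
    7: [98, 98, 100, 100],
    8: [98, 98, 100, 100],
}

if __name__ == "__main__":
    stds = window_stds(SAMPLE_REQUEST_SERIES)
    print("std dev per request window:", {k: round(v, 3) for k, v in stds.items()})
    print("settling point:", round(settling_point(stds), 3))
    print("selected request window:", select_window(SAMPLE_REQUEST_SERIES))
```

With the constructed series the deviations fall 40, 20, 8, 3, 2, 1.05, 1, 1 for windows 1 to 8, the settling point is 1.1, and the selected request window is 6: the first size inside the settling band, not the end of the plateau. Two people running the same procedure on the same series get the same answer, which is the repeatability the section is after.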


Table 2. Recommended Estimation Algorithm Timeouts (window sizes in frames).

MS   Request   Response
1    3         16
2    3         18
3    11        18
4    8         16

6 Conclusion

In WiFi networks the selection of attack detection parameters plays an important role in ensuring reliable and accurate intrusion detection. In networks where access to internal device state is not available, some parameters must be estimated. The estimation of two such parameters, the probe request and probe response timeouts, is shown to significantly affect the traffic characteristics gathered from the network. Varying these timeout parameters has been shown to have a serious impact on the performance of two flood detection algorithms. Thus use of the developed algorithm to ensure repeatability and accuracy of parameter selection is an important step in WLAN attack detection. To ensure reliable and repeatable parameter selection for this important metric, a selection algorithm has been developed which strikes a balance between result reliability and attack susceptibility. The selection algorithm is not concerned with increasing the detection ability of the detectors. It ensures that detection results are repeatable and replicable, which was not previously the case when "best guess" human estimation was employed.

6.1 Future Work

Future work on this subject will investigate other Layer 2 threats not currently considered by intrusion detection systems in live environments. This will include the spectrum of WLAN threats, such as Deauthentication DoS and Rogue AP attacks.


Acknowledgements

The authors gratefully acknowledge the assistance of EPSRC under grant number EP/H004793/1, Sunway University under grant number INT-SCT-0111-03, the Queens University Belfast First Trust Travel Grant and Sunway Pyramid management.


References

[1] M. Afanasyev, et al. "Usage Patterns in an Urban WiFi Network", IEEE/ACM Transactions on Networking, vol 18, pp. 1359-1372, (2010).
[2] M. Bernaschi, F. Ferreri, L. Valcamonici. "Access points vulnerabilities to DoS attacks in 802.11 networks", Journal of Wireless Networks, vol 14, pp. 159-169, (2008).
[3] K. Bicacki, B. Tavli. "Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks", Journal of Computer Standards and Interfaces, vol 1, pp. 931-941, (2009).
[4] Y.C. Cheng, et al. "Jigsaw: solving the puzzle of enterprise 802.11 analysis", Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, pp. 39-50, (2006).
[5] CPP. "UK Wireless Network Hijacking, A CPP White Paper" [online]. Available at: http://blog.cpp.co.uk/files/uploads/cppresearch/UK_Wireless_Network_Hijacking_2010.pdf (2010).
[6] B. Crainicu. "Wireless LAN Security Mechanisms at the Enterprise and Home Level", Novel Algorithms and Techniques in Telecommunications, Automation and Industrial Electronics, pp. 306-310, Springer Netherlands, (2008).
[7] S. Fayssal, S. Hariri, Y. Al-Nashif. "Anomaly-Based Behavior Analysis of Wireless Network Security", Proceedings of the International Conference on Mobile and Ubiquitous Systems: Networking and Services, pp. 1-8, (2007).
[8] R. Gill, J. Smith, A. Clark. "Experiences in passively detecting session hijacking attacks in IEEE 802.11 networks", Proceedings of the 2006 Australasian workshop on Grid computing and e-research, vol 54, pp. 221-230, (2006).
[9] JiWire. "JiWire Mobile Audience Insights Report" [online]. Available at: http://www.jiwire.com/downloads/pdf/JiWire_MobileAudienceInsights_1H09.pdf (2011).
[10] W. Junqi, H. Zhenbing. "Study of Intrusion Detection Systems (IDSs) in Network Security", Proceedings of the 4th International Conference on Wireless Communications, Networking and Mobile Computing, pp. 1-4, (2009).
[11] Kismet. Available at: http://www.kismetwireless.net/ [online] (2012).
[12] C. Liu, J. Yu. "A Solution to WLAN Authentication and Association DoS Attacks", IAENG International Journal of Computer Science, vol 34, pp. 31-36, (2007).
[13] C. Liu, J. Yu, G. Brewster. "Empirical studies and queuing modeling of denial of service attacks against 802.11 WLANs", Proceedings of the 2010 International Symposium on a World of Wireless, Mobile and Multimedia Networks, pp. 1-9, (2010).
[14] R. Mahajan, et al. "Analyzing the MAC-level behavior of wireless networks in the wild", Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, pp. 75-86, (2006).
[15] J. Milliken, A. Marshall. "Design and Analysis of an Independent, Layer 2, Open-Access WiFi Monitoring Infrastructure in the Wild", Proceedings of the 2012 International Conference on Wireless Networks, (2012).
[16] J. Milliken, A. Marshall. "The Threat-Victim Table: A security prioritisation framework for diverse WLAN network topographies", Proceedings of the 2010 International Conference on Security and Cryptography, pp. 1-6, (2010).
[17] The Cloud. Available at: http://thecloud.net/ [online] (2012).
