AUTHOR : Anushka Linge
Aim : To view and understand how Intrusion Detection Systems are used in different types of networks and devices.
Abstract: This research paper aims to view and understand how Intrusion Detection Systems (IDSs) are used in different types of networks and devices, and the techniques employed for improved detection of security attacks. Different types of networks are susceptible to different kinds of attacks. This research paper views how IDSs could be implemented for Android smartphones and for 802.11 wireless networks.
Keywords: classifiers, algorithm, training data, testing data, de-authentication attack, evil twin attack, machine learning
The main function of Intrusion Detection Systems (IDSs) is to detect intrusive activity in a host or a network. The network could be of any type, wired, wireless etc. Intrusive activity is any unauthorized access to information or unauthorized alteration of information resources, compromising the confidentiality or the integrity of the system respectively. IDSs can be host-based or network-based. A host-based IDS only monitors the activity of the host on which it is installed and reports to the user when it detects an intrusion. On the other hand, a network-based IDS monitors the entire network for unusual or anomalous activity and reports it to a central administrator on detecting it. An IDS can use various methods for doing its work of detection. It could be either anomaly-based or signature-based. An anomaly-based IDS establishes a baseline of normal activity and stores it in a database. When it detects any activity not present in the database, it raises an alarm and reports the intrusion to the concerned authority. Thus, an anomaly-based IDS is highly susceptible to false positives. A signature-based IDS stores the signatures of known attacks in a database and uses these signatures to detect an attack. Thus, a signature-based IDS is highly susceptible to false negatives, i.e. the IDS is not able to detect an attack if it does not have that attack's signature in its database. In the first part of this paper, we will review the Protego IDS designed for Android smartphones. In the second part, we will review the WIDS IDS designed for 802.11 wireless networks. The Protego IDS has been implemented and works using machine learning. The WIDS IDS has not been implemented, but the mechanisms for detecting two common attacks in wireless networks have been proposed.
Study of Protego IDS:
With the increase in the usage of smartphones in recent times, an IDS is required to protect users against security threats. Protego is a host-based, behavior-based passive IDS designed for the Android platform. There are two versions of Protego – static and dynamic. The dynamic version is capable of analyzing live traffic and reporting intrusions. The static version uses machine learning and applies feature reduction to improve the accuracy of the classifiers. The Protego system can identify DoS attacks as well as probing. The following points had to be considered while designing this IDS for smartphones:
- Smartphones have low computation power compared to everyday computers, hence they are restricted in the amount of processing they can do for the classification and monitoring of the network
- Intrusions should be detected and reported as soon as they occur. The existing host-based IDSs fail to do so
- There has been a rise in the number and kinds of attacks launched on smartphones, hence it becomes an uphill task to identify and report all of them
- An appropriate dataset has to be selected to train the classifiers in Protego to reduce the number of false positives and false negatives
The paper describes the different IDSs that have been studied and analyzed to decide the right architecture for Protego. It talks about AndroIDS, which is an open source, network-based IDS/IPS that works in real time. Its architecture consists of a sensor component and a server component. The sensor is installed on the host system; it analyzes the host's traffic and sends alerts to the user when it detects an intrusion. It can also command the remote server to drop certain packets. Andromaly is a host-based IDS for Android smartphones. Since it is host-based, it can also monitor system parameters such as the battery usage of the device, CPU consumption etc., in addition to network traffic, to detect security attacks.
The server component in AndroIDS sends attack signatures to the remote devices using which the sensors on these remote devices detect attacks. Multi Level Anomaly Detector for Android Malware (MADAM) uses machine learning techniques such as decision trees, clustering etc. to distinguish between malicious activity and normal activity. Thus, it was learned that the machine learning approach used by MADAM is more efficient and flexible than the signature-based approach used by AndroIDS. Protego, therefore, uses the machine learning approach too.
The existing behavior-based IDSs for Android smartphones were studied to identify the techniques used to improve the accuracy of classifiers. Andromaly and SwarmDroid both use feature selection and reduction methods to optimize the dataset used for training the classifiers. This helps to reduce the running time of the classifier and also to improve its accuracy.
We will be focusing on the static version of Protego.
Overview of Protego:
Protego is a host-based, behavior-based passive IDS for Android smartphones. There are two versions of this IDS – static and dynamic. The dynamic version is capable of detecting and reporting intrusions in real time. In the static version, the packets travelling in the network, for the duration of time specified by the user, are captured in a packet capture file. This packet capture file is later given as input to the classifier, which then classifies the data into the correct category. The architecture of Protego consists of 3 modules:
1. Classifier Training
2. Packet Capture and Analysis
3. Packet Classification
Classifier Training
We use the concept of supervised learning here. In supervised learning, an algorithm called the classification algorithm is given data, called the training data, which is already classified into different categories. The classification algorithm learns from this data and generates rules which it uses to classify non-categorized data into the correct categories. We use the publicly available NSL-KDD dataset to train the classifier. This dataset has been modified to suit the needs of smartphones.
a) Classifier Algorithm:
We have used an ensemble approach for classification since accuracy is of utmost importance in IDSs. The classifier here is a composite model made up of many classifiers. These classifiers vote, and a class label prediction is returned on the basis of these votes. Thus, the label is decided by the votes of all classifiers. Multiple classification algorithms were evaluated and AdaBoost was chosen because it gives the maximum accuracy with the modified NSL-KDD dataset. AdaBoost uses boosting, which improves the performance of the base algorithm.
b) Feature Reduction:
This method is used to reduce the number of dimensions of the dataset, since all dimensions are often not required to classify test data correctly. It consists of feature selection and feature extraction. Feature selection means selecting a small set of features which are representative of the entire information in the dataset, have a high information gain and are useful for our purposes. In the static version of Protego, we have used Principal Component Analysis (PCA) for feature reduction.
c) Training data set:
The publicly available NSL-KDD dataset is used, which consists of 41 features and a class label of either 'normal' or 'attack'. Out of these 41 features, 13 do not apply to smartphones and hence they are manually removed from the dataset.
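To make the boosted, voting classifier of the Classifier Training section concrete, here is a small from-scratch AdaBoost over decision stumps. This is an added example, not Protego's code: the ten training records and their four fields (loosely modelled on NSL-KDD's duration, src_bytes, count and serror_rate) are constructed, the real dataset and the PCA step are not reproduced, and the round count is an assumption.

```python
import math

# Constructed training records, loosely modelled on four NSL-KDD-style fields:
# (duration, src_bytes, count, serror_rate) -> label, +1 = attack, -1 = normal.
TRAIN = [
    ((0, 200, 3, 0.0), -1), ((1, 450, 5, 0.0), -1), ((2, 300, 2, 0.1), -1),
    ((0, 120, 4, 0.0), -1), ((3, 800, 6, 0.0), -1),
    ((0, 0, 120, 0.9), 1), ((0, 0, 250, 1.0), 1), ((0, 0, 90, 0.8), 1),
    ((1, 40, 300, 0.95), 1), ((0, 0, 60, 0.7), 1),
]

def stump_predict(stump, x):
    """A decision stump: one feature, one threshold, one direction."""
    feat, thr, polarity = stump
    return polarity if x[feat] > thr else -polarity

def best_stump(data, weights):
    """Return the (feature, threshold, polarity) with the lowest weighted error."""
    best, best_err = None, float("inf")
    for f in range(len(data[0][0])):
        for thr in sorted({x[f] for x, _ in data}):
            for pol in (1, -1):
                err = sum(w for (x, y), w in zip(data, weights)
                          if stump_predict((f, thr, pol), x) != y)
                if err < best_err:
                    best, best_err = (f, thr, pol), err
    return best, best_err

def train_adaboost(data, rounds=5):
    """AdaBoost: each round fits a stump on re-weighted data and earns a vote alpha."""
    n = len(data)
    weights = [1.0 / n] * n
    ensemble = []  # list of (alpha, stump)
    for _ in range(rounds):
        stump, err = best_stump(data, weights)
        if err >= 0.5:          # no better than chance: stop boosting
            break
        err = max(err, 1e-10)   # avoid log(0) when a stump is perfect on this data
        alpha = 0.5 * math.log((1 - err) / err)
        ensemble.append((alpha, stump))
        # Misclassified records gain weight so the next stump concentrates on them.
        weights = [w * math.exp(-alpha * y * stump_predict(stump, x))
                   for (x, y), w in zip(data, weights)]
        total = sum(weights)
        weights = [w / total for w in weights]
    return ensemble

def classify(ensemble, x):
    """Weighted vote of all stumps, the composite-classifier idea Protego uses."""
    score = sum(alpha * stump_predict(stump, x) for alpha, stump in ensemble)
    return "attack" if score > 0 else "normal"
```

On this toy data a single stump already separates the classes, so later rounds mostly re-elect it; on real NSL-KDD-style data the weighted votes of differing stumps are what lift accuracy.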
Packet Capture and Analysis
There are two different structures of this module for the static and the dynamic versions of Protego:
a) Structure for static version
The network packet data is captured and stored in a packet capture file. The 13 features are extracted from this data and the file is converted to a .csv file. The next step of feature reduction using Principal Component Analysis is carried out on this .csv file.
b) Structure for dynamic version
The data from the packets is extracted and reduced to the 28 features in real time. This data is then passed as input to the classifier.
Packet Classification:
The classification model which was trained with the training data is saved and loaded. It is then run with the test data, which consists of 3 categories: normal, attack and torrent. Since the torrent category was not originally present in the NSL-KDD dataset, a torrent client was installed on a smartphone and torrent data was generated and added to the test data.
Study of WIDS:
Wireless networks are used on a large scale nowadays, especially in homes and public places such as cafes, restaurants, hospitals etc. These networks are susceptible to several attacks related to identity spoofing due to vulnerabilities in the 802.11 standard. This research paper studies two attacks called the de-authentication attack and the evil twin attack and proposes mechanisms to detect these attacks.
Confidentiality, integrity, and availability (CIA) are the three main pillars of security. Confidentiality and integrity are ensured by the security protocols operating in wireless networks such as Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and WPA2. However, availability has been ignored to some extent. There are three kinds of frames travelling in a wireless network, namely the data frames, the management frames and the control frames. The data frames carry the data, whereas the management frames are used to maintain connectivity between the Access Point (AP) and the clients connected to it. The control frames perform several functions to ensure the smooth functioning of the network. Security protocols such as WEP protect only the data frames. Thus, the management and the control frames are unprotected, i.e. they are not encrypted before transmission. The fields present in these frames, such as the source and the destination MAC addresses, can be read and spoofed by an attacker using several easily available tools. The attacker can use identity spoofing to gain unauthorized access and also to ensure that the intrusion is not traced back to him/her. The attacker can launch DoS attacks to disrupt the wireless network. DoS attacks can be carried out at all layers of the OSI model, but the attacks at the lower layers 1 and 2 are of more importance in wireless networks. IDSs and firewalls are the main tools for enforcing security in networks, but these tools focus on the upper layers of the OSI model. The proposed WIDS works in wireless networks operating in infrastructure mode (i.e. with an access point).
A comparative study of IDSs developed for wireless networks has been performed by the authors of this research paper. Not many have been developed for wireless networks. Many of these IDSs are limited in their capacities and hence cannot be used in a real network.
Two attacks that WIDS detects:
a) De-authentication attack
De-authentication frames are a subtype of management frames. These frames are used to gracefully terminate an existing authentication in an 802.11 wireless network operating in infrastructure mode. In a de-authentication attack, an attacker sits between a client station and the access point (AP) to which the client is connected. The attacker waits for the client to authenticate itself to the AP and then injects spoofed (source/destination MAC address) de-authentication frames into the network destined to either party. Once stations receive such frames, they follow the standard and stop the ongoing communication by resetting their connection states.
The test bed in the above figure consists of a wireless network with an AP and two clients. The AP is connected to the internet and provides the service to all the authenticated clients. The attacker machine operates on Kali Linux v1.0.6. This machine is used to launch the de-authentication attack using the aircrack-ng tool in the manner defined by its documentation. After a successful attack, the client stations are disconnected from the network and are not able to connect back until the attack is stopped.
b) Evil twin attack
An evil twin attack consists of an attacker-controlled AP which is used to draw clients toward it. The attack is named evil twin because the attacker configures an AP to use the same Service Set Identifier (SSID) in beacon frames as some other active legitimate AP nearby. The reason behind using the same SSID is to fool clients. Unsuspecting clients may mistake this evil twin AP for the original AP and connect to it. If clients are tricked into connecting to such an evil twin AP, then different malicious activities can be performed because the attacker is now essentially a man-in-the-middle.
The above figure shows the test bed used to implement the evil twin attack. First, a new AP is started using the airbase-ng module of the aircrack-ng tool. This AP assumes the role of the legitimate AP in the testing. Once this AP was up and running, a client (Windows machine) was connected to it (displayed as blue lines). Later, a new AP with the same SSID was configured and started to emulate an evil twin of the legitimate AP. The attacker can simply wait for the client to connect to the evil twin AP, or alternatively can launch a de-authentication attack to break the authentication between the client and the legitimate AP (displayed as red lines). The client will immediately try to reconnect and instead connect to the evil twin AP. A key observation during the implementation was that for the attack to be successful, the evil twin AP always needs to have a higher transmit power level compared to the legitimate AP's power level. The notion behind this is that given two resembling APs (same SSID, etc.), a client always prefers the AP with the higher transmit power level.
After a successful evil twin attack, the evil AP becomes a man-in-the-middle and can eavesdrop on or modify the traffic.
The Proposed WIDS:
Components of the proposed WIDS are:
1. Collection module
This module collects the wireless traffic using a wireless network card operating in monitor mode, which allows it to sniff every packet. It then passes this traffic to the logging module.
2. Logging module
This module logs the traffic for further analysis. It ensures that the size of the log file remains constant by discarding the old data from time to time.
3. Analysis and detection module
This is the core module. It is responsible for reading the captured traffic, parsing it into an understandable form and examining it using the logic discussed in the forthcoming sections to detect attacks.
Detection of the De-authentication attack:
Indicators used by the detection and analysis module are:
1. Number of De-authentication frames (threshold):
This is a typical indicator that involves identifying and counting the number of de-authentication frames within a time frame and comparing the count with a threshold value. The threshold value is the maximum acceptable number of de-authentication frames.
2. Time span or duration:
The time window the analysis is performed on.
3. Number of duplicates (same src MAC to same dst MAC):
The number of duplicate de-authentication frames can further help in filtering the attack de-authentication frames from the benign ones. Under normal conditions, duplicate de-authentication frames are uncommon in a network during a sampling time. Therefore, the hypothesis that many duplicate de-authentication frames in one snapshot (10 seconds) indicate a flood de-authentication attack is logical.
4. Reason for de-authentication:
The IEEE 802.11 standard defines different reason codes to identify the reason for which a station was disconnected. During the attack implementation, it was observed that most attack tools use a constant reason code, e.g. code 7, in all the de-authentication frames. This observation of a consistent reason code can be used as an attack indicator.
5. Data frames after de-authentication:
This test is based on the 802.11 standard specification that de-authentication frames are notifications which stop all communication. No data frames should be sent by the communicating parties after these frames. However, in an attack scenario, since the de-authentication frames are spoofed and injected by an attacker, the detected de-authentication frames do not necessarily mean that stations have already terminated the communication. In fact, the stations could be unaware of these frames and might still be sending regular data frames.
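The five indicators above, applied together to one 10-second snapshot of captured frames. This is an added example and not the WIDS authors' code: the frame records are constructed and simplified (a real collection module would parse these fields out of 802.11 headers), and the threshold values and the final decision rule are assumptions.

```python
from collections import Counter

WINDOW_SECONDS = 10       # snapshot length named in the indicators above
DEAUTH_THRESHOLD = 5      # assumed maximum acceptable deauth frames per window
DUPLICATE_THRESHOLD = 3   # assumed tolerated duplicates per (src, dst) pair

# Constructed snapshot: six spoofed deauth frames "from" the AP (AA:AA) to a
# client (CC:CC) with one fixed reason code, while the client keeps sending
# data, plus one genuine single deauth between two unrelated stations.
FRAMES = [
    {"t": 0.00, "type": "deauth", "src": "AA:AA", "dst": "CC:CC", "reason": 7},
    {"t": 0.10, "type": "deauth", "src": "AA:AA", "dst": "CC:CC", "reason": 7},
    {"t": 0.20, "type": "deauth", "src": "AA:AA", "dst": "CC:CC", "reason": 7},
    {"t": 0.25, "type": "data",   "src": "CC:CC", "dst": "AA:AA"},
    {"t": 0.30, "type": "deauth", "src": "AA:AA", "dst": "CC:CC", "reason": 7},
    {"t": 0.40, "type": "deauth", "src": "AA:AA", "dst": "CC:CC", "reason": 7},
    {"t": 0.50, "type": "deauth", "src": "AA:AA", "dst": "CC:CC", "reason": 7},
    {"t": 0.55, "type": "data",   "src": "CC:CC", "dst": "AA:AA"},
    {"t": 4.00, "type": "deauth", "src": "BB:BB", "dst": "DD:DD", "reason": 3},
]

def analyze_window(frames, window=WINDOW_SECONDS):
    """Evaluate the de-authentication indicators over one snapshot."""
    frames = sorted((f for f in frames if f["t"] < window), key=lambda f: f["t"])
    deauths = [f for f in frames if f["type"] == "deauth"]
    result = {"deauth_count": len(deauths)}
    # Indicators 1 and 2: deauth count inside the time window against the threshold.
    result["over_threshold"] = len(deauths) > DEAUTH_THRESHOLD
    # Indicator 3: duplicates with the same source and destination MAC.
    pairs = Counter((f["src"], f["dst"]) for f in deauths)
    result["max_duplicates"] = max(pairs.values(), default=0)
    result["duplicate_flood"] = result["max_duplicates"] > DUPLICATE_THRESHOLD
    # Indicator 4: one reason code dominating the window (constant-code tool behaviour).
    reasons = Counter(f["reason"] for f in deauths)
    result["constant_reason"] = max(reasons.values(), default=0) > DUPLICATE_THRESHOLD
    # Indicator 5: a station still sending data after a deauth it was party to.
    first_deauth = {}
    for f in deauths:
        for mac in (f["src"], f["dst"]):
            first_deauth.setdefault(mac, f["t"])
    result["data_after_deauth"] = any(
        f["type"] == "data" and f["src"] in first_deauth
        and f["t"] > first_deauth[f["src"]] for f in frames)
    # Assumed decision rule: the count must exceed the threshold and at least
    # two of the corroborating indicators must agree.
    corroborating = (result["duplicate_flood"], result["constant_reason"],
                     result["data_after_deauth"])
    result["alert"] = result["over_threshold"] and sum(corroborating) >= 2
    return result
```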
Detection of the Evil twin attack:
Indicators used by the detection and analysis module are:
1. Number of beacon frames:
The evil twin attack involves an AP which broadcasts beacon frames to advertise its existence to clients. These beacon frames are counted and compared against a threshold. The threshold is set to almost twice the average number of beacon frames in normal conditions.
2. SSID:
Part of the beacon frame is also a name, which is the SSID of the AP broadcasting the beacon frames. This SSID is identical to that of a legitimate AP in the case of an evil twin attack. The SSID of every beacon frame is recorded.
3. Power:
Beacon frames also carry a Received Signal Strength (RSS) value. This RSS value correlates directly with the transmit power of an AP and can be used to keep track of the transmit power level of an AP. This RSS value is recorded.
4. Timestamp:
This is a typical indicator which relies on the observation that beacon frames include a timestamp that should increase incrementally with every transmitted beacon frame. However, in an attack scenario, the timestamps are often set to a constant value.
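The four beacon indicators above combined over one window of captured beacon frames. This is an added example and not the WIDS authors' code: the beacon records (BSSID, SSID, RSS, timestamp) are constructed, the baseline beacon count, the 100 TU beacon interval used to synthesise timestamps and the decision rule are assumptions.

```python
from collections import defaultdict

BEACON_BASELINE = 100                   # assumed average beacons per window, normal conditions
BEACON_THRESHOLD = 2 * BEACON_BASELINE  # "almost twice the average", per indicator 1
BEACON_INTERVAL_US = 102400             # default 802.11 beacon interval (100 TU) in microseconds

def make_beacons():
    """Constructed window: a legitimate AP, an evil twin of it, and an unrelated AP."""
    beacons = [{"bssid": "AP-1", "ssid": "CafeWiFi", "rssi": -60,
                "timestamp": 1_000 + i * BEACON_INTERVAL_US} for i in range(100)]
    # Same SSID from a second BSSID, stronger signal, timestamp that never advances.
    beacons += [{"bssid": "AP-2", "ssid": "CafeWiFi", "rssi": -35,
                 "timestamp": 5_000} for _ in range(100)]
    beacons += [{"bssid": "AP-3", "ssid": "OtherNet", "rssi": -75,
                 "timestamp": 9_000 + i * BEACON_INTERVAL_US} for i in range(10)]
    return beacons

def analyze_beacons(beacons):
    """Evaluate the evil twin indicators over one window of beacon frames."""
    result = {"beacon_count": len(beacons)}
    # Indicator 1: beacon volume against the threshold.
    result["beacon_flood"] = len(beacons) > BEACON_THRESHOLD
    # Indicators 2 to 4: per-BSSID SSID, strongest RSS and timestamp sequence.
    per_ap = defaultdict(lambda: {"ssid": None, "rssi": -999, "timestamps": []})
    for b in beacons:
        ap = per_ap[b["bssid"]]
        ap["ssid"] = b["ssid"]
        ap["rssi"] = max(ap["rssi"], b["rssi"])
        ap["timestamps"].append(b["timestamp"])
    by_ssid = defaultdict(list)
    for bssid, ap in per_ap.items():
        by_ssid[ap["ssid"]].append(bssid)
    result["duplicate_ssids"] = {s: b for s, b in by_ssid.items() if len(b) > 1}
    suspects = {}
    for ssid, bssids in result["duplicate_ssids"].items():
        strongest = max(bssids, key=lambda x: per_ap[x]["rssi"])
        for bssid in bssids:
            ts = per_ap[bssid]["timestamps"]
            reasons = []
            if len(ts) > 1 and len(set(ts)) == 1:   # timestamp never increments
                reasons.append("constant_timestamp")
            if bssid == strongest:                  # the twin clients would prefer
                reasons.append("strongest_twin")
            if reasons:
                suspects[bssid] = reasons
    result["suspects"] = suspects
    # Assumed decision rule: a duplicated SSID alerts when one twin shows a
    # constant timestamp, or when it coincides with a beacon flood.
    frozen = any("constant_timestamp" in r for r in suspects.values())
    result["alert"] = bool(result["duplicate_ssids"]) and (frozen or result["beacon_flood"])
    return result
```

A legitimate multi-AP network also advertises one SSID from several BSSIDs, so the duplicate-SSID and strongest-twin signals only point at a candidate; the constant timestamp and the beacon flood are what separate the twin from a normal roaming deployment here.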
Analysis
Both IDSs offer satisfactory detection rates as per the tests carried out in the research papers. Both IDSs offer features which have not been implemented in any IDS previously. The numbers of false positives and false negatives have been reduced too, as demonstrated in their tests. The Protego IDS is the first host-based, behaviour-based passive intrusion detection system for the Android platform. The WIDS is the first intrusion detection system for 802.11 wireless networks which operates effectively to detect two common attacks that wireless networks are prone to. The WIDS targets attacks at the lower layers of the OSI model.
Conclusion
We have studied and understood the working of both IDSs.
Future enhancements
Future work could improve the detection rates for these attacks further and also target other attacks.