Wireless Ad-hoc Network Intrusion Detection System
Applications of Wireless Ad-hoc Networks
Wireless ad-hoc networks are commonly used in military and emergency situations because they are quick and easy to set up and are robust. More typical forms of wireless ad-hoc networks are mobile ad-hoc networks (MANETs), wireless sensor networks and wireless mesh networks. Any collection of mobile devices such as laptops can form a MANET, with a wireless ad-hoc network protocol used to connect all the devices. This self-configuring network builds its routing tables dynamically, updating them proactively or reactively depending on the protocol used; every available protocol has its own benefits and drawbacks. Devices in a wireless sensor network typically run on their own battery and send data to a main repository over wireless connections to other devices; wireless sensor networks that collect temperature and climate readings are common. Wireless mesh networks are called self-healing networks because the network does not disconnect when a single access point goes down; a new route is determined dynamically. Freifunk in Germany, an OLSR wireless mesh network, was set up with approximately 80,000 access points and was used to stream reliable, high-bandwidth video across the city. Wireless mesh networks take advantage of multiple connection channels to send signals at a high rate.

Conventional Intrusion Detection Systems
In a wired network, where connections must pass through a common gateway, an intrusion detection system (IDS) or intrusion prevention system (IPS) is typically implemented network-based at the router. It can also be implemented host-based, but this is less common because of the overhead on each host and the security weaknesses created per host. Wireless intrusion detection systems are implemented with a central device that analyses and restricts access to the network using one or more antennas: the antennas pick up the radio transmissions of devices connecting to the network and pass their MAC addresses to the intrusion detection system. Repeaters can be added to extend the range of the antennas.

Fingerprints
MAC addresses used for authorization by intrusion detection systems can be spoofed to grant intruders access to a wireless network. A newer authorization signature being researched is the radio fingerprint, which is generated by the signal and silicon characteristics of a network device. These fingerprints can be generated in 2 microseconds for authorization. A probabilistic neural network compares the fingerprint against others stored in a central location in the network that the network system administrator has verified as authentic.

Misuse Detection Systems
In an ad-hoc network, encryption and authentication can reduce malicious use of the network but cannot eliminate it. If a node is compromised by an attack or through social engineering, the private keys needed for network access are already stored on it. Once a node has been compromised, false routing tables can be disseminated to cripple the network or to route all traffic through the compromised node. There are also integrity validation methods that check redundant data, but these rely on trustworthy nodes, which could be a weakness against sophisticated attacks. A misuse detection system can alert an administrator to abnormal activities in a session that indicate a compromise. Building an intrusion detection system from the audit data of active sessions gives a way to identify abnormal attacks as they happen. Defining a set of predictive features that accurately capture the representative behaviours of intrusive or normal activities is the most important step in building an effective intrusion detection model, and can be independent of the design of the modeling algorithms [Zhang, Wenke]. A system built on typical use can learn to protect against new types of attacks by recognizing abnormal use of the system.

Data Collection
A system that uses audit data for intrusion detection needs to acquire an accurate set of data that models typical use of the network. A temporary training session is run to collect audit data, which is then used to define the predictive features of normal network activity. After the training data is collected, the system is tested to check that normal activities do not register as abnormal and vice versa. It may take several training sessions to find a good set of accurate data.

Local Detection
When abnormal activities begin, the malicious user's actions signal that abnormal activity is occurring on the host being attacked. Local intrusion prevention will prevent the computer from being compromised. Packets passing through the wireless node are analysed by the data they transfer. When irregular data is found, such as administrative commands for a Unix machine that would not be part of normal usage, the occurrence is put through the probability statistics derived from the audit data. A probability that the activity is a malicious attack is produced, and actions are determined retroactively.

Cooperative Detection
When a host detects local abnormal activities, it communicates with the hosts nearest to it, and possibly those a few hops away, to gather audit data relating to the abnormal activities. The neighbouring hosts then respond with a probability that the activity is abnormal or not. Based on the combined probabilities that the abnormal activity is malicious, a response is issued to prevent the attack.

Local Response
A local host that has identified abnormal activities takes appropriate actions to alert the administrator so that the connection can be terminated, and records data about the attack. Further actions can then be decided by the system administrator, or triggers can automatically take action to prevent unauthorized access. The simplest result is denial of service from the node being attacked, together with blacklisting the MAC address or even the media fingerprint.

Global Response
Globally, the response to an attack on the network is recorded throughout the network, increasing the probability of detecting an attack of the same type and effectively learning to prevent new attacks. Each host directly connected to the host that detected the attack has its audit data updated based on the attack and the decision made to deny or allow service. As a whole, the network becomes stronger, able to determine irregular activities collectively.

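As an added illustration (not code from the original page or from any cited project), a small Python model of the pipeline described from Data Collection through Global Response: each node learns a per-feature baseline from constructed audit records, turns its largest deviation into a probability, polls its neighbours when locally suspicious, blacklists the source on the joint verdict, and pushes the record to its neighbours so the same attack type is recognised immediately next time. The feature names, thresholds, MAC addresses and audit records are assumptions made for the example.

```python
import math
import statistics

class Node:
    def __init__(self, mac):
        self.mac, self.neighbours = mac, []
        self.baseline = {}        # feature -> (mean, stdev) learned in the training session
        self.known_attacks, self.blacklist = [], set()   # records pushed by a global response

    def train(self, audit_records):
        for f in {k for r in audit_records for k in r}:
            vals = [r.get(f, 0) for r in audit_records]
            self.baseline[f] = (statistics.mean(vals), statistics.pstdev(vals) or 1.0)

    @staticmethod
    def _close(a, b, tol=1.0):          # same attack type if feature vectors are within tol
        keys = set(a) | set(b)
        return math.dist([a.get(k, 0) for k in keys], [b.get(k, 0) for k in keys]) <= tol

    def local_probability(self, record):
        """Largest z-score over the features, squashed so that z=3 maps to 0.5."""
        if any(self._close(record, k) for k in self.known_attacks):
            return 1.0                                # learned earlier via global response
        z = max((abs(record.get(f, 0) - m) / s for f, (m, s) in self.baseline.items()), default=0.0)
        return 1 / (1 + math.exp(-(z - 3)))

    def detect(self, record, src_mac, threshold=0.6):
        """Local detection; when suspicious, poll neighbours and act on the joint verdict."""
        votes = [self.local_probability(record)]
        if votes[0] >= threshold:                     # cooperative detection
            votes += [n.local_probability(record) for n in self.neighbours]
        prob = statistics.mean(votes)
        if prob >= threshold:
            self.blacklist.add(src_mac)               # local response
            for n in [self] + self.neighbours:        # global response: neighbours learn it
                n.known_attacks.append(dict(record))
        return prob

# Constructed audit records: per-session counts of routing updates and admin commands.
LOOSE = [{"route_updates": 2, "admin_cmds": 0}, {"route_updates": 8, "admin_cmds": 1},
         {"route_updates": 4, "admin_cmds": 0}, {"route_updates": 6, "admin_cmds": 1}]
TIGHT = [{"route_updates": 5, "admin_cmds": 0}, {"route_updates": 5, "admin_cmds": 0},
         {"route_updates": 4, "admin_cmds": 0}, {"route_updates": 6, "admin_cmds": 0}]
NORMAL = {"route_updates": 5, "admin_cmds": 0}
SUSPECT = {"route_updates": 13, "admin_cmds": 1}    # a burst of false routing updates

def build_network():
    # Node a trained on noisy data, with neighbours b and c that have tight baselines
    a, b, c = (Node(m) for m in ("02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"))
    a.train(LOOSE); b.train(TIGHT); c.train(TIGHT)
    a.neighbours = [b, c]
    return a, b, c
```

Node a alone rates the suspect session at about 0.64, the neighbours' votes lift the joint verdict to about 0.88, and after the global response every node scores that attack type as 1.0.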