
International Journal of Computer Application

Available online on http://www.rspublication.com/ijca/ijca_index.htm

Issue 3, Volume 1 (February 2013)


ISSN: 2250-1797

Detection and Elimination of Unauthorized Hosts using MA based WIPS
Hitesh Thawani, Vivek Waykule, Geetsagar Pagare, Saket Raut, Shashi Athawale
Computer Department,
AISSMS, College of Engineering,
Pune, Maharashtra, India
__________________________________________________________________________________________
Abstract - An incredible rise in the deployment of WLANs has been observed in commercial, military and various other domains in the past few years. Still, there are many loopholes in present-day wireless network security of which adversaries can easily take advantage. Unauthorized hosts, which may be either intruders or Rogue Access Points (i.e. access points set up without the knowledge or permission of the network admin), continue to be a major threat to this security. Intrusion is commonly observed with the intent of accessing free internet, while Rogue Access Points may exist with the intent of spoofing data from somebody's private network. Adversaries take advantage of common vulnerabilities found in almost every network in order to make an intrusion attempt into the network. Taking into account all the existing network security standards, we propose in this paper an approach to detect such unauthorized hosts and eliminate them. The main premise of our approach is to distinguish authorized WLAN hosts from unauthorized WLAN hosts by making use of Intelligent Mobile Agents (MA) and other traditional parameters like IP, MAC address and SSID, and then to eliminate the unauthorized hosts. We take into account various QoS parameters like network payload, time complexity and latency in order to make sure that the performance of the network is not compromised to a large extent.
Keywords - Intrusion, Intelligent Mobile Agents (MA), Rogue Access Point, Unauthorized Host, Wireless LAN (WLAN).

__________________________________________________________________________________________
I. INTRODUCTION
We are living in an era of convergence. Convergence is the synergistic integration of various technologies of different domains and discrete Information Technology (IT) systems. Wireless Local Area Network (WLAN) is the most rapidly growing networking technology in this era due to its immense advantages. Access to the WLAN is made using hotspots or Access Points. Low cost, high data rates, easy installation, mobility, productivity, flexibility, handiness, constant connections and easy extension are some of the plus points of WLAN technology. Data is transmitted and received through high-frequency radio waves over a range of a few hundred meters. A network without wires looks tidy and is more flexible too. WLANs can also connect to wired local area networks (LANs) or other WLAN workstations. All these factors have helped this technology boom.
WLANs have been criticized a lot concerning their ability to provide security equivalent to wired LANs. Moreover, security in wireless networks has been considered sparse ever since their introduction. Wired Equivalent Privacy (WEP), the first security protocol, which was created by IEEE, proved to be inadequate. It has been proved from time to time that WEP fails to meet security goals like data confidentiality, access control and data integrity up to the expected level. A new class of attacks is said to have emerged in the past few years. The abundance of wireless technologies has enabled attackers to enter networks. Using simple, free software, a new breed of adversaries is able to locate wireless networks, eavesdrop on ongoing communications, and resources in the Network. With the proper antenna, the attack can come from far away. Thus detection and identification of the intruder presents exclusive challenges which render many conventional intrusion detection techniques ineffective.
Data security is the biggest concern for network administrators while implementing a WLAN. In a WLAN it is impossible for the Access Point to detect the location of an intruder. Considering a college, the intruder could be in the lobby, in a classroom, in a laboratory, in the library, or in a car parked just outside the college gate. Data passing across an unreliable radio link could lead to spoofing. According to a study, rogue APs are present on about 40% of all enterprise networks. The key reason is that advancements in hardware and software have made AP installation, AP discovery and AP compromise an effortless task for intruders. It is easy to obtain an AP and plug it into a network without being discovered for some time. Moreover, Wi-Fi network cards have the capability to capture all 802.11 transmissions. This has led to an increase in driving around and looking for vulnerable APs (war-driving activities).
The shortcomings in the current security standards have led to a new breed of security products known as Intrusion Prevention Systems (IPS). An Intrusion Prevention System is a network device or software that goes deeper than a firewall to identify and block network threats. So the main theme of our paper is to provide an efficient and reliable approach to detect and eliminate unauthorized hosts which compromise the security and confidentiality of wireless networks, and to tackle all the above problems.


II. RELATED WORK


A WIPS with an intelligent plan recognition and pre-decision engine that makes use of honeypots to detect and prevent potential intrusions has been put forth, but it failed to recognize unknown wireless attacks [1]. A system was proposed in [4] that consists of a detector, which monitors wireless data in a timely manner; an intrusion detection system (IDS), which collects the data coming from the detector and determines the rogue device; and network management software, which communicates with the wired network, determines the switch port to which the rogue device is connected and disconnects that port. A novel lightweight user-side evil twin attack detection technique using the TMM (Trained Mean Matching) and HDT (Hop Differentiating Technique) algorithms has been proposed [2]. A system that detects the illegal behaviour of corrupted machines based on policies indicating allowed communications was presented, but this system relied on a third party to check for violations of policies and to notify the network admin [3].
III. PROPOSED SYSTEM
To deal with different kinds of unauthorized hosts we make use of intelligent Mobile Agents (MA). Mobile agents perform a task by migrating to and executing on several computers connected to the network.
A. Initial Setup of Network
In this step a Mobile Agent System (MAS) is deployed on every computer in the network. We make use of two MA programs which communicate with each other. The first program is deployed on the centralized host(s) (the host(s) that are supposed to detect unauthorized hosts) and the second program is deployed on the other trusted computers in the network. The MA on each host in the network is given a set of Agent IDs (AIDs) which are in encrypted form. These AIDs are mapped to the MAC, SSID and IP of that particular computer. The information (MAC, SSID, IP and AIDs in decrypted form) about each computer in the network is stored in the database file at the centralized system(s). Whenever a new computer system needs to be brought into the network, it should first be authorized by installing MAS, deploying the second MA program on it and then updating the information of the corresponding computer in the database at the centralized system.
B. Basic Detection and Prevention Methodology
Refer to Fig. 1. An MA from centralized system 2 will randomly select one of the active computers from those which are connected to Access Point (A) and visit it, while an MA from centralized system 1 will randomly select one of the active computers from the network and visit it. If the selected computer contains MAS, the MA gets executed on that system and returns to the centralized system. The selected computer gets authenticated if the information supplied by it matches the corresponding information present in the database at the centralized system. If the selected computer doesn't contain MAS, that computer is considered unauthorized and is not allowed to get authenticated. It is the responsibility of centralized system 2 to prevent any type of unauthorized host from getting connected to Access Point (A). Similarly, it is the responsibility of centralized system 1 to prevent any type of unauthorized host from getting connected to the network. In general, it is the responsibility of a centralized system to prevent any type of intrusion in the network to which it is directly connected.
C. Detection and Prevention Methodology in Different Cases
Case 1: Suppose an intruder tries to connect his laptop directly to Access Point A. There is no MAS installed on his laptop.
Prevention Technique: The MA from centralized system 2 will migrate to the intruder's laptop. As there is no MAS on this laptop, the MA won't be able to execute itself. This will be noticed at centralized system 2, and the intruder's laptop is not allowed to get authenticated.
Case 2: In Fig. 1, Access Point (B) is brought up in the network by an intruder. Next he connects his laptop to this Access Point (i.e. Access Point B) and assigns it the MAC, SSID and IP of one of the trusted computers in the network to accomplish his desires. Assume that there is no MAS on his laptop.
Prevention Technique:

- The MA from centralized system 1 will randomly select one of the active computers in the network and visit it.
- Suppose the MA from centralized system 1 selects Trusted Host (A); it will visit it. This MA will get all the information needed for authentication from the MA program present on this host and return to centralized system 1, and as this information is correct, this host is authenticated.
- The above step will be repeated for each trusted host.


Fig. 1 Working of our proposed system in real world scenario

- When the MA reaches the intruder's laptop, it won't be able to execute itself on that laptop. Hence the intrusion is confirmed and the Access Point at which this intrusion takes place is considered a Rogue Access Point (RAP).
- Once the Rogue Access Point is confirmed, it can be eliminated by making use of the switch.
- An SNMP command is given to the switch to block the port to which the RAP is connected.
- In this way a RAP can be eliminated.

Case 3: Let's make minor changes to the above case and assume that the intruder now installs the MAS on his laptop and again connects it to Access Point B. Assume that he also deploys the MA program which will provide information to the MA of centralized system 1.
Prevention Technique:

- The MA from centralized system 1 will randomly select one of the active computers in the network and visit it.
- Suppose the MA from centralized system 1 selects the intruder's laptop; it will visit it. This MA will get all the information needed for authentication from the MA program present on this host and return to centralized system 1, and as this information is incorrect, this computer is considered unauthorized and the Access Point to which it is connected is considered rogue.
- Once the Rogue Access Point is confirmed, it can be eliminated by making use of the switch.
- An SNMP command is given to the switch to block the port to which the RAP is connected.
- In this way a RAP can be eliminated.
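
The decision logic of Sections III.A to III.C, as an added Python example that is not code from the paper: the centralized system's database, one MA visit, and a sweep over hosts built to match Cases 1 to 3. The names `Host`, `DATABASE`, `SANCTIONED_APS`, `visit` and `sweep`, all sample values, and the list of sanctioned access points used to decide which AP is rogue are assumptions; agent migration and AID decryption are abstracted away, and the SNMP port block appears only as the returned set of access points.

```python
import random
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    name: str
    mac: str
    ssid: str
    ip: str
    access_point: str
    aids: Optional[frozenset]  # None = no MAS installed, the MA cannot execute

# Constructed database at the centralized system: MAC -> (SSID, IP, decrypted AIDs)
DATABASE = {
    "00:11:22:33:44:0a": ("CAMPUS", "10.0.0.10", frozenset({"AID-17", "AID-42"})),
    "00:11:22:33:44:0b": ("CAMPUS", "10.0.0.11", frozenset({"AID-08", "AID-23"})),
}
SANCTIONED_APS = {"A"}  # assumption: the admin's list of approved access points

def visit(host: Host) -> str:
    """One MA visit: returns 'authenticated', 'no-mas' or 'mismatch'."""
    if host.aids is None:
        return "no-mas"  # Cases 1 and 2: the MA fails to execute on the host
    if DATABASE.get(host.mac) != (host.ssid, host.ip, host.aids):
        return "mismatch"  # Case 3: the supplied information is incorrect
    return "authenticated"

def sweep(active_hosts, rng=random):
    """Visit every active host in random order; return verdicts and APs to block."""
    verdicts, rogue_aps = {}, set()
    for host in rng.sample(active_hosts, len(active_hosts)):
        verdict = verdicts[host.name] = visit(host)
        if verdict != "authenticated" and host.access_point not in SANCTIONED_APS:
            rogue_aps.add(host.access_point)  # the switch port of this AP gets blocked
    return verdicts, rogue_aps

ACTIVE = [  # constructed hosts: one trusted host plus one per case in the paper
    Host("trusted-a", "00:11:22:33:44:0a", "CAMPUS", "10.0.0.10", "A",
         frozenset({"AID-17", "AID-42"})),
    Host("case1", "de:ad:be:ef:00:01", "CAMPUS", "10.0.0.50", "A", None),
    Host("case2", "00:11:22:33:44:0b", "CAMPUS", "10.0.0.11", "B", None),
    Host("case3", "00:11:22:33:44:0b", "CAMPUS", "10.0.0.11", "B",
         frozenset({"AID-99"})),
]

if __name__ == "__main__":
    print(sweep(ACTIVE))
```

In Cases 2 and 3 the cloned MAC, SSID and IP match a database row, so only the missing MAS or the wrong AIDs separate the intruder from the trusted host.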


IV. ADVANTAGES OF USING MA BASED APPROACH


Most of the existing strategies make use of underlying network protocols to detect any untrusted host (conventional intruder or RAP). This in turn increases network traffic and hence decreases the performance of the network. To tackle the above drawbacks and increase the level of security we make use of Mobile Agents. Mobile Agents can take advantage of the natural parallelism of large networks to offer performance improvements over usual centralized security monitoring by distributing the workload over the network. MAs can be used in any type of network, i.e. wired, wireless or both. Moreover, it is difficult for an intruder to disturb the working of a Mobile Agent based system. Fault tolerance is also added with the introduction of MAs, which means that the network is no longer susceptible to a single point of failure.
V. CONCLUSIONS
At the beginning of this paper we first analyse the threats to wireless LANs, then give an overview of existing intrusion prevention systems and RAP detection systems in WLANs. To detect and respond to these wireless attacks, we design an intelligent MA based WIPS. This system is believed to be more reliable and efficient than most of the existing systems.
REFERENCES
[1] Zebing Wang, "Research of Wireless Intrusion Prevention Systems based on Plan Recognition and Honeypot," IEEE, 2009.
[2] Chao Yang, "Active User-Side Evil Twin Access Point Detection Using Statistical Techniques," IEEE Transactions on Information Forensics and Security, Vol. 7, No. 5, October 2012.
[3] Kenichi Takahashi, "Intrusion Detection using Third-Parties Support," in 12th IEEE International Workshop on Future Trends of Distributed Computing Systems, 2008.
[4] R. E. Sorace, V. S. Reinhardt, and S. A. Vaughn, "The Intrusion Detection System design in WLAN based on rogue AP," IEEE Computer Engineering and Technology (ICCET), 2010 2nd International Conference, Vol. 7, April 2010.
