
A Wireless Intrusion Detection System and a new attack model
Project Guide: Mr.S.P.Vijayanand M.E

by,
R.Berlin Mano
M.Gokul Raj
Abstract
§ Denial-of-Service attacks, and jamming in
particular, are a threat to wireless
networks because they are easy to mount
and difficult to detect and stop.
§ We propose a distributed intrusion
detection system in which each node
monitors the traffic flow on the network
and collects relevant statistics about it.
§ By combining each node’s view we
are able to tell if an attack happened
or if the channel is just saturated.
§ We propose here an attack detection
mechanism based on shared
monitoring of the network by all
nodes.
SYSTEM ANALYSIS:
Existing System:
§ Traditional systems in place for intrusion detection
primarily use a method known as “Finger Printing”
to identify malicious users. They are complex.
§ They are rule dependent. If the behavior of packets
flowing in the network is new, the system
cannot take any decision, so they work purely on the
basis of the initial rules provided.
§ It cannot create its own rule depending on the
current situation.
§ It requires manual effort to monitor the inflowing
packets and analyze their behavior.
§ It cannot take decisions at runtime.
§ If the pattern of the packet is new and not
present in the records, then it allows the
packets to flow without analyzing whether
it is an intruder or not.
§ The packet with a new behavior can easily
pass without being filtered.
PROPOSED SYSTEM:
§ It uses a matching algorithm, which is an
artificial intelligence problem-solving model.
§ The IDS compares learned user characteristics from
an empirical to all users of a system.
§ It includes temporal and spatial information of
the network traffic.
§ It is both a network-based and a host-based
system.
§ It can take decisions at runtime.
Advantages
§ It eliminates the need for an attack to be
previously known to be detected because
malicious behavior is different from normal
behavior by nature.
§ Using a generalized behavioral model is
theoretically more accurate, efficient and easier
to maintain than a finger printing system.
§ It uses a constant amount of computer resources
per user, drastically reducing the possibility of
depleting available resources.
System Specification

Software Requirements:
Operating System : Windows 2000 and Above.
Programming Package used : Java 1.4 and Above, Swings.

Hardware Specification:
Hard Disk : 40GB and Above.
RAM : 128MB and Above.
Processor : Pentium III and Above.
System Description

The modules in this system are:

1. Multicasting the Packets to Detect Intruder
2. Matching the List of Events
3. Multicasting the Intruder to the Neighboring nodes
4. Sending Data to the destination
Module Description
Multicasting the packet to Detect the Intruder:
§ The basic idea is to set up a monitor at each node
in the network to produce evidence and to share
it among all the nodes.
§ A piece of evidence is a set of relevant information about
the network state.
§ The initial process is the training process, where
the source sends the packet with events to all the
nodes in the network to detect the intruder.
§ This process is known as multicasting.
§ Before sending the packets to all nodes, the source
node initiates the timestamp for the packets.
§ This training process is stored as initial event list
#1 in the source node.
§ Receivers receive the packets, which contain the
timestamp, and send appropriate ACK replies.
Receivers store the received packets in their event
list.
Matching the List of Events:

The basic algorithm to match two lists of events is as follows:
§ The matching algorithm is invoked after
receiving reply events from the network.
§ We start from the first list and, for every
event, try to find a matching event on the
second list; that is, given a packet, we look for it
on the second list.
§ As we do this process of matching the events on
the sending and receiving lists, if we find unmatched
events on the second list at the end, it means that
the sending and receiving events are not the same
and the particular node is an intruder.
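The matching step described above, as an added Java example (not the project's own code): each event on the second list can be marked only once, so a duplicated or altered event is left over at the end. The Event fields (packetId, timestamp) and all sample values are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class EventListMatcher {
    // Hypothetical event record: the slides only say packets carry a timestamp.
    static final class Event {
        final String packetId;
        final long timestamp;
        Event(String packetId, long timestamp) {
            this.packetId = packetId;
            this.timestamp = timestamp;
        }
        boolean matches(Event other) {
            return packetId.equals(other.packetId) && timestamp == other.timestamp;
        }
        @Override public String toString() { return packetId + "@" + timestamp; }
    }

    // Walk the first (sent) list, mark the first unused match on the second
    // (received) list, and return whatever stays unmarked on the second list.
    static List<Event> unmatchedOnSecond(List<Event> sent, List<Event> received) {
        boolean[] used = new boolean[received.size()];
        for (Event s : sent) {
            for (int i = 0; i < received.size(); i++) {
                if (!used[i] && s.matches(received.get(i))) {
                    used[i] = true; // each received event is consumed once
                    break;
                }
            }
        }
        List<Event> leftover = new ArrayList<>();
        for (int i = 0; i < received.size(); i++) {
            if (!used[i]) leftover.add(received.get(i));
        }
        return leftover;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the project.
        List<Event> sent = Arrays.asList(new Event("p1", 1000L), new Event("p2", 1010L));
        List<Event> honest = Arrays.asList(new Event("p2", 1010L), new Event("p1", 1000L));
        List<Event> suspect = Arrays.asList(new Event("p1", 1000L),
                new Event("p1", 1000L), new Event("p2", 1999L));
        System.out.println("honest leftover:  " + unmatchedOnSecond(sent, honest));
        System.out.println("suspect leftover: " + unmatchedOnSecond(sent, suspect));
        System.out.println("suspect flagged:  " + !unmatchedOnSecond(sent, suspect).isEmpty());
    }
}
```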
Multicasting the Intruder to the neighboring nodes:

§ If any one of the received ACK packets is not
matched, then that particular node is the
intruder to be found.
§ Now that the intruder is detected, the address of
the intruder is sent to the entire network by
multicasting.
§ Neighbor nodes receive the IP address of the
intruder and store it in the event lists to prevent
future attacks from that node in the network.
§ The multicasting of the intruder address is done
by the source.
Sending the data to the destination:
§ The data send process is done by splitting the chosen
text file into packets for transmission.
§ The data send process is invoked after the source finds
an intruder-free path.
§ In the case of jamming or network malfunction, the
source waits until the network is restored, starts the
training process to find the intruders and, if any are
detected, selects a path free from intrusion.
§ The source sends the data directly to the destination
through the ‘safe’ path. The destination receives the data
in the form of packets and checks for anomalies to
detect any loss of data due to intrusion.
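Coding: (Multicast)
try
{
    // Build the hello message "Hello:<hostname>=<distance>:Hello Protocol"
    s1 = "Hello";
    s2 = InetAddress.getLocalHost().getHostName()
            + "=" + Operations.getPropInt("settings.txt", "distance");
    j = "Hello Protocol";
    s = s1 + ":" + s2 + ":" + j;
    b = s.getBytes();
    // t, like the other variables here, is declared elsewhere in the class
    t.start();
}
catch (Exception e)
{
    e.printStackTrace();
}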
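Coding: (Hello Receiver)
// Needs java.net.* and java.util.StringTokenizer; variables are declared elsewhere in the class
try
{
    ia = InetAddress.getByName(Operations.getProperty("settings.txt", "addres"));
    port = Integer.parseInt(Operations.getProperty("settings.txt", "port"));
    ms = new MulticastSocket(port);
    ms.joinGroup(ia);
    b = new byte[byt];
    dp = new DatagramPacket(b, b.length);
    ms.receive(dp); // blocks until one hello datagram arrives
    ms.close();
    // Decode only the bytes actually received, not the whole buffer
    s = new String(dp.getData(), 0, dp.getLength());
    StringTokenizer st = new StringTokenizer(s.trim(), ":");
    // Accept only the three-field hello format; ignore malformed datagrams
    if (st.countTokens() == 3)
    {
        String s1 = st.nextToken();
        String s2 = st.nextToken();
        String s3 = st.nextToken();
        if (s3.equals("Hello Protocol"))
        {
            neighbornode.add(s2);
        }
    }
}
catch (Exception e)
{
    e.printStackTrace();
}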
Basic GUI Of IDS-Monitor
Conclusion
§ The Distributed Intrusion detection system
proposed here detects intrusion by distributed
collection of relevant information from the nodes
and is also capable of detecting jamming attacks.
§ We achieve two goals: we detect more attacks and
force the operator to give a decent service.
§ We allow cheaters to come into play, but their
impact is self-limiting as a working network is
needed for them to play.
Strengths of IDS:
§ Similar to a security "camera" or a "burglar
alarm"
§ Alerts security personnel that someone is
picking the "lock"
§ Alerts security personnel that a Network
Invasion may be in progress
§ When well configured, provides a certain
"peace" of mind
§ Part of a Total Defense Strategy
infrastructure
THANK U…
