A Wireless Intrusion Detection System and a new attack model

Project Guide: Mr.S.P.Vijayanand M.E

by, R.Berlin Mano M.Gokul Raj

Abstract

Denial-of-Service attacks, and jamming in particular, are a threat to wireless networks because they are easy to mount and difficult to detect and stop. We propose a distributed intrusion detection system in which each node monitors the traffic flow on the network and collects relevant statistics about it.

By combining each nodes view we are able to tell if an attack happened or if the channel is just saturated. We propose here an attack detection mechanism based on shared monitoring of the network by all nodes.

SYSTEM ANALYSIS:
Existing System: Traditional systems in place for intrusion detection primarily use a method known as Finger Printing to identify malicious users. They are complex. They are rule dependent. The behavior of packets flowing in the network is new, then the system cannot take any decision. So they purely work in the basis of initial rules provided. It cannot create its own rule depending on the current situation. It requires manual energy to monitor the inflowing packets and analyze their behavior.

It cannot take decision in runtime. If the pattern of the packet is new and not present in the records, then it allows the packets to flow without analyzing whether it is an intruder or not. The packet with a new behavior can easily pass without being filtered.

PROPOSED SYSTEM:

It uses matching algorithm, which is an artificial intelligence problem-solving model. IDS compare learned user characteristics from an empirical to all users of a system. It includes temporal and spatial information of the network traffic. It is both network based and host based system. It can take decision in runtime.

Advantages

It eliminates the need for an attack to be previously known to be detected because malicious behavior is different from normal behavior by nature. Using a generalized behavioral model is theoretically more accurate, efficient and easier to maintain than a finger printing system. It uses constant amount of computer resources per user, drastically reducing the possibility of depleting available resources.

System Specification
Software Requirements:
Operating System : Windows 2000 and Above. Programming Package used : Java 1.4 and Above, Swings.

Hardware Specification : Hard Disk RAM Processor : 40GB and Above. : 128MB and Above. : Pentium III and Above.

System Description
The modules in this system are, 1. Multicasting the Packets to Detect Intruder 2. Matching the List of Events 3. Multicasting the Intruder to the Neighboring nodes 4. Sending Data to the destination

Module Description
Multicasting the packet to Detect the Intruder: The basic idea is to set up a monitor at each node in the network to produce evidences and to share them among all the nodes . An evidence is a set of relevant information about the network state The initial process is the training process where the source sends the packet with events to all the nodes in the network to detect the intruder

This process is known as multicasting. Before sending the packets to all nodes, the source node initiates the timestamp for the packets . This training process is stored as an initial event list #1 in the source node. Receivers receive the packets which contain the timestamp and send appropriate ACK replies. Receivers store the received packets in their event list.

Matching the List of Events:

The basic algorithm to match two lists of events is as follows:

The matching algorithm will invoke after receiving reply events from the network. First we start from the first list and for every event we try to find a matching event on the second list that is, given a packet we look for it on the second list. As we do this process of matching the events on the sending and receiving list . if we find unmatched events on the second list at the end ,it means that the sending and receiving events are not same and the particular node is a intruder.

Multicasting the Intruder to the neighboring nodes:

If anyone from the received ACK packets is not matched, then that particular node is the intruder to be found. Now that the intruder is detected the address of the intruder is sent to the entire network by multicasting. Neighbor nodes receive the IP address of the intruder and store it in the event lists to prevent future attacks from that node in the network . The multicasting of the intruder address is done source.

Sending the data destination:

The data send process is done by splitting the chosen text file into packets for transmission. The data send process is invoked after the source finds out an intruder free path. In the case of jamming/network malfunction, the source waits till the network is restored, starts the training process to find the intruders and if any detected, selects a path free from intrusion. The source sends the data directly to the destination through the safe path. Destination receives the data in the form of packets and checks for anomalies to detect any loss of data in the data due to intrusion.

Coding: (Multicast)
try {

s1 = "Hello"; s2= InetAddress.getLocalHost().getHostName()+"=" +Operations.getPropInt("settings.txt","distance");; j = "Hello Protocol"; s = s1 + ":" + s2 +":" + j; b = s.getBytes(); t.start();
}

Coding:( Hello Receiver)

ia = InetAddress.getByName(Operations.getProperty("settings.txt","addres")); port =Integer.parseInt(Operations.getProperty("settings.txt","port")); ms = new MulticastSocket(port); ms.joinGroup(ia); b = new byte[byt]; dp = new DatagramPacket(b,b.length); ms.receive(dp); ms.close(); s = new String(dp.getData()); StringTokenizer st = new StringTokenizer(s.trim(),":"); String s1 = st.nextToken(":"); String s2 = st.nextToken(":"); String s3 = st.nextToken(":"); if(s3.equals("Hello Protocol")) { neighbornode.add(s2); } }

Basic GUI Of IDS-Monitor

Conclusion

The Distributed Intrusion detection system proposed here detects intrusion by distributed collection of relevant information from the nodes and is also capable of detecting jamming attacks. We achieve two goals: we detect more attacks and force the operator to give a decent service. We allow cheaters to come into play, but their impact is self-limiting as a working network is needed for them to play.

Strengths of IDS:

Similar to a security "camera" or a "burglar alarm" Alert security personnel that someone is picking the "lock" Alerts security personnel that a Network Invasion maybe in progress When well configured, provides a certain "peace" of mind Part of a Total Defense Strategy infrastructure

References
1. Aime M and Calandriello G (2005). Distributed monitoring of WiFi Channel. 2. Bellardo J and Savage S (2003). 802.11 denial of service attacks:realVulnerabilities and practical solutions. In proceedings of the 11th USENIX security symposium, pages15-18, Washington D.C, USA. 3. Herbert Schildt Java 2 the Complete Reference. 4. Raya M and Jacobson M . Reputation based WiFi deployment. SIGMOBILE Mob.comput.commun. 5. Shannon C.E. and W. Weaver A system to Detect greedy behavior In IEEE 802.11. 6. Steven Holzner The Java 2 Black Book. 7. Zhang Y, Lee W and Huang Y. Intrusion detection techniques for Mobile wireless networks. Web resources: www.ethereal.org

THANK U