
ABSTRACT

Kaniganti, MadhaviLatha. Master of Science. The University of Memphis. December. An Agent-Based Intrusion Detection System for Wireless LANs. Major professor: Dr. Dipankar Dasgupta.

This thesis focuses on the detection of attacks in wireless networks (802.11b). Because the wireless LAN (WLAN) has some inherent flaws, it is prone to a variety of attacks, and the widespread deployment of WLANs makes detection of attacks on these networks essential. This work takes an agent-based system called the Cougaar Intrusion Detection System (CIDS), developed at the ISSRL lab and earlier used for detecting attacks in wired networks, and applies it to wireless LANs. Presented here are some specific features of CIDS along with a modified Monitor agent that captures WLAN traffic. CIDS uses intelligent techniques such as a fuzzy decision system to detect different attacks in the network. To test the effectiveness of the system, three of the most common attacks on a WLAN are implemented and detected using the modified CIDS. Two of these attacks are launched in a real environment and the remaining one is performed in the network simulator NS2. Some of the attacks are launched in an ad-hoc network and the others in an infrastructure network. For each attack, data are collected and preprocessed, and fuzzy rules are generated for its detection. The results indicate that in all three cases CIDS was able to detect the attacks with a good detection rate.

Table of Contents

1 INTRODUCTION
   1.1 Purpose of the Study
   1.2 Description of the Problem
   1.3 Limitation of the Study
   1.4 Literature Review
       1.4.1 General Security Issues
       1.4.2 Agent Technology
       1.4.3 Wireless LAN and WLAN Security Issues
       1.4.4 Network Simulator
       1.4.5 Fuzzy Logic
       1.4.6 Genetic Algorithms
2 TECHNIQUES AND TOOLS USED
   2.1 Intrusion Detection System
   2.2 Wireless LAN Attacks
       2.2.1 Type of Attacks
       2.2.2 Attack Generation and Tools Used
3 EXPERIMENTS AND RESULTS
   3.1 Attack I
       3.1.1 Experiment Settings
       3.1.2 Data Collection and Preprocessing
       3.1.3 Results and Analysis
   3.2 Attack II
       3.2.1 Experiment Settings
       3.2.2 Data Collection and Preprocessing
       3.2.3 Results and Analysis
   3.3 Attack III
       3.3.1 Experiment Settings
       3.3.2 Data Collection and Preprocessing
       3.3.3 Results and Analysis
4 CONCLUSIONS AND FUTURE WORK
   4.1 Conclusions
   4.2 Future Work
REFERENCES
APPENDIX

List of Figures

Figure 1: A network of six mobile agents...5
Figure 2: Mobile agent architecture (Dasgupta and Brian 2001)...11
Figure 3: Architecture of the IDS proposed in (Helmer et al. 1998)...12
Figure 4: CIDS Architecture with four Agents...17
Figure 5: Manager Agent...19
Figure 6: Monitor Agent...20
Figure 7: Decision Agent...21
Figure 8: Action Agent...22
Figure 9: IEEE 802.11 WLAN Standard...24
Figure 10: Extended Service Set with two Basic Service Sets and a Distribution System...25
Figure 11: Physical layer frames...26
Figure 12: MAC Frame Format...28
Figure 13: Hidden Node Problem...29
Figure 14: Ad-Hoc Network with 3 mobile stations...31
Figure 15: Infrastructure Network with 10 mobile stations and 3 access points communicating with the wired network...33
Figure 16: Challenge-Response Mechanism in WEP...36
Figure 17(a): Encryption Mechanism at the sender...37
Figure 17(b): Decryption Mechanism at the receiver...38
Figure 18: Security Threats in Wireless LAN...39
Figure 19: Membership function with three sets (A, B and C)...52
Figure 20: Possibility distribution of a fuzzy set...54
Figure 21: Chromosome with n genes...57
Figure 22: Binary encoding of Chromosome X...59
Figure 23: Permutation encoding of Chromosome X...59
Figure 24: Value encoding of Chromosome X...60
Figure 25: Tree Representation of a chromosome...60
Figure 26: Flowchart of a Basic Genetic Algorithm...62
Figure 27: Roulette Wheel for Four Chromosomes...63
Figure 28: Mutation operation on the last bit of a chromosome...66
Figure 29: Snapshot of an Airsnort interface while capturing packets to hack the WEP key...70
Figure 30: Snapshot of the Ethereal interface during the MAC Spoofing Attack...72
Figure 31: Wellenreiter snapshot displaying a list of wireless networks in reachable range...74
Figure 32: Snapshot from Orinoco Client Manager and SMAC before attack generation...75
Figure 33: MAC authorization list assigned by the access point...77
Figure 34: Experimental Environment illustrating four authorized wireless machines associated with the access point (AP) and the machine launching the attack...78
Figure 35: A Snapshot of Ethereal interface displaying a sequence number of 86 for a machine with MAC address 00:02:2d:2a:aa:ad...80
Figure 36: A Snapshot of Ethereal interface displaying a sequence number of 2084 for a machine with the same MAC address as in Figure
Figure 37: Snapshot from Orinoco Client Manager and SMAC after the MAC address is spoofed
Figure 38: The sequence number of the entire Training set plotted against time...84
Figure 39: The sequence number of the entire Testing set plotted against time...84
Figure 40: Deviation level produced by Fuzzy Classifier during testing phase indicating the abnormality in sequence number for the entire testing data set...85
Figure 41a: Observed change in sequence number in wireless traffic during testing phase between 300 and 700 seconds...86
Figure 41b: Deviation level produced by Fuzzy Classifier during testing phase indicating the abnormality in sequence number between 300 and 700 seconds...87
Figure 42: Ping Flood DoS in Ad-Hoc Network...88
Figure 43: Difference in ICMP Sequence Numbers plotted against Time for the entire training data set...92
Figure 44: Difference in ICMP Sequence Numbers plotted against Time for the entire test data set...92
Figure 45: Deviation level produced by Fuzzy System for the test data set indicating the abnormality in ICMP sequence number...93
Figure 46: Difference in ICMP sequence numbers against Time for the attack period between 1 and 200 seconds...94
Figure 47: Deviation level produced by the Fuzzy System for the test data set between 13 and 200 seconds...95
Figure 48: DoS attack by a compromised node in the WLAN...96
Figure 49: Difference in Sequence Numbers against Time for the Training data set...99
Figure 50: Difference in Sequence Numbers against Time for the Test data set
Figure 51: Detection level provided by the fuzzy system for the test data set shown in Figure
Figure 52: Difference in sequence numbers against time for a certain portion of the test data set (between 1 and 100 seconds)
Figure 53: Detection level provided by the fuzzy system for the test data set shown in Figure

Chapter 1

1 INTRODUCTION

1.1 Purpose of the Study

The purpose of this thesis is to study different security problems or flaws in 802.11b wireless networks and to detect some of the resulting attacks using the intrusion detection system proposed in (Dasgupta et al. 2002). 802.11b wireless networks are exposed to more attacks than wired networks because an attacker needs no physical access to the network. Thus the main aim is to study some of the vulnerabilities and possible attacks on 802.11b networks, to implement some of these attacks, and to determine the effectiveness of the intrusion detection system (Dasgupta et al. 2002) in detecting them.

1.2 Description of the Problem

This thesis reports the implementation of three familiar attacks occurring in present-day 802.11b wireless networks and their detection using the IDS. The three attacks implemented are a MAC spoofing attack, a denial of service attack from an attacker machine outside the wireless network, and a denial of service attack from a compromised machine inside the wireless network. The first two attacks were launched in a real environment consisting of several wireless stations and an access point, while the third one is implemented using a network simulator tool called NS2. These attacks are described in more detail in later sections.

1.3 Limitation of the Study

The study is limited to 802.11b networks only. Although other kinds of wireless networks exist, such as 802.11a, they are far less widely used than 802.11b networks. Moreover, the literature review reports the more common attacks occurring on wireless networks; further attacks on 802.11b networks may be possible. Three of the reported attacks are implemented and detected with the IDS (Dasgupta et al. 2002) to test its detection level.

1.4 Literature Review

1.4.1 General Security Issues

Securing information held on computers has always been a major problem in the field of computer security. The weakest point is deemed to be the most serious vulnerability, since an intruder can use any available means of penetration; strengthening one weak point may simply make other means more appealing to the intruder. The intruder may try to infringe the confidentiality and integrity of the system (Pfleeger 2003).

1.4.2 Agent Technology

Types of Agents

A software agent can be considered a program or a process that performs tasks on behalf of a user. Such agents are autonomous; they can learn as well as communicate. Agents can be classified into static agents and mobile agents. Static agents, as the name implies, stay in place in the network; their focus is co-operation among several such static agents. Mobile agents have the capability to move around the network; their focus is mostly on achieving security in the network. The two can be better differentiated with an understanding of how an agent works (Agents). A client using the Post Office Protocol (POP) and communicating with the server using the Simple Mail Transfer Protocol (SMTP) can be considered an example of a static agent. The POP client collects mail from the server at regular intervals, and the server stores the incoming mail at a particular place for each client. This type of communication involves agents that are static; the network is used only for data transfer. The same kind of transaction can be implemented using mobile agents. In this case, one mobile agent collects the new mail messages and goes round the network, handing over the corresponding messages at each node to the respective agents.

Mobile Agents

Software agents can be treated as mobile agents when they are able to migrate from one computer to another. Even if the host machine that launched the agents is removed from the network, the agents can still work. Thus mobile agents are very powerful programs that can act even in the absence of the machine that initiated them. After completion of their assigned tasks, the mobile agents return to the host machine to report the results, or else they simply terminate. Figure 1 shows the interaction among different agents in the network. This network model has three domains, Domain 1, Domain 2 and Domain 3, each with two agents. Agent 1 communicates (sends and receives data, executes specific tasks, etc.) with Agent 4. Agent 4, depending on its tasks, may have to migrate to a different domain, as shown in Figure 1. When an agent migrates, its code, data and context move along with it. The dashed lines in Figure 1 represent the communication among the agents and the solid lines represent an agent in transit.

Figure 1: A network of six mobile agents (Domain 1: Agent 1, Agent 2; Domain 2: Agent 3, Agent 4; Domain 3: Agent 5, Agent 6; Agent 4 shown in transit, carrying its code, data and context)

The evolution of mobile agents is clearly explained in (Neeran 1998). That work traces the evolution from Remote Procedure Calls (RPC) through Remote Evaluation (REV) to mobile agents, and states the advantages of carrying the entire context with the mobile agent while in transit to another node. The communication provided by mobile agents is more efficient than the communication mechanisms used in RPC and REV. Mobile agents currently find potential usage in several areas: in industry, for example in telecommunication systems, on-line transactions and personal digital assistants, and in educational institutions in simulation tools.

Applications of Mobile Agents

Mobile agents have potential applications in several areas (Java World). A few are mentioned below:

1. They can be used in backup routines, where a mobile agent goes around the network sequentially and performs the backup.
2. Mobile agents can help in searching for particular information in a huge collection of databases. Based on the search criterion specified by the user, a mobile agent can search many sites and build an index of relevant links for the user, thus helping to search for and filter the required information.
3. They are also helpful in performing monitoring activities on behalf of the user. Mobile agents can monitor various sources and fetch the relevant information the user needs, and in doing so they operate asynchronously.
4. Mobile agents have wide application in disseminating information such as advertisements and news to the concerned parties.
5. They can also act as negotiating agents, obtaining information from other agents and negotiating a meeting based on the user's schedule.
6. They also find potential application in bartering, as in electronic commerce, where they can shop on behalf of the client or user and place orders.
7. A few more applications of mobile agents include parallel processing of jobs and serving as entertainment media.

Intrusion Detection using Agents

Related Work

Many intrusion detection systems have been developed so far, some using agent technology and others without agents. My review below first discusses the limitations of IDS that do not use agents, then presents reports on some IDS that use agent technology, and finally lists the advantages and disadvantages of using mobile agents. It is interesting to see how agents can be applied to intrusion detection: some IDS use autonomous agents, some intelligent agents, some mobile agents and others a combination of these. It is also interesting to note that mobile-agent technology is combined with fields like Artificial Intelligence, Neural Networks, Fuzzy Logic and Genetic Algorithms to make the agents intelligent.

Limitations of IDS that do not use Agent Technology

The main aim in employing mobile agents was to overcome some of the problems encountered by current IDS. The desirable characteristics of an IDS are the following. Most importantly, an IDS should be able to run continuously with minimal human interaction. It must also be able to withstand crashes, whether intentional or accidental, and should constantly monitor for malicious modifications. One of the most desired features of an IDS is to place little overhead on the machine on which it runs. It should be adaptable to new changes in the system, and, considering that networks grow day by day, it should scale well to monitor huge networks without compromising timely results. Other characteristics include the capability to keep monitoring the network even when some machines in the IDS fail, provision for runtime configuration, end-to-end encryption and high-speed communications. However, IDS that do not employ mobile agents have the following drawbacks:

Central Controller: Most IDS use a central controller in which all control rests. This central controller is a single point of failure: an intruder who discovers it by some means can try to crash it.

Custom Made: Some IDS are developed with a particular situation in mind and might not scale well to large networks. Some process all data at a single point, which limits the size of the network that can be monitored.

Reconfiguration Problems: Some IDS do not allow the system to be reconfigured at run time. Where it is achievable, it involves the tedious task of editing a configuration file, which requires special knowledge, and sometimes the IDS has to be restarted to incorporate the changes.

High False Positive Rate: The rate of false alarms is high in current IDS because they detect attacks based on information from a single host or a single application.

Different types of hierarchical IDS that are vulnerable to attacks are described in (Mell et al. 2000). More detailed information on the drawbacks of traditional IDS is given in (Jansen et al. 1999).

IDS using Agent Technology

Much research has been conducted on applying mobile agents to intrusion detection systems. Most of it describes the drawbacks of traditional intrusion detection systems (those that do not employ agent technology) and highlights the advantages obtained by using mobile agents. The following discussion covers some of these intrusion detection systems (IDS).

Intrusion detection using autonomous agents is proposed in (Jai et al. 1998). The authors propose a new hierarchical architecture called AAFID for developing IDS. Agents, transceivers and monitors constitute the major components. Agents form the lowest level and perform data collection and analysis; each host has an agent performing the monitoring activity and reporting any abnormality to the transceivers. Transceivers control these agents and report the results to the monitors, which then perform high-level correlation across several hosts and thus across the entire network. The paper also discusses the importance of the communication mechanism among the network entities, so as to make sure that the network is not overloaded. The AAFID architecture collects data from several sources and allows building an IDS that is more capable of detecting intrusions than centralized systems.

An extension to the above work (Jai et al. 1998) is reported in (Roque 2003). That work uses intelligent agents, which draw their intelligence from artificial intelligence techniques. An intelligent agent is defined as an agent capable of detecting attacks in a timely manner and also able to detect unknown intrusions; the system is trained on known attacks with Neural Networks. Apart from this, an intelligent agent should also communicate its knowledge to other agents. Thus this work extends AAFID with intelligence added to the system. The work reported in (Jai et al. 1998) and (Roque 2003) did not incorporate mobile agents.

Some applications of mobile agents for detecting intrusions are presented in (Aslam et al. 2001). Here D'Agents, an infrastructure used for developing the IDS, is proposed. These D'Agents are used in Serval, a scalable information retrieval server. The agents are given the capability to move around the network and search for information on any server, and are provided with a document index to connect to the server. The Serval agent operates in several phases. In the incident handling phase, all the operations performed by the attacker can be identified. In the forensic analysis phase, it provides correlation among logs from different machines. In the response phase, it is possible to stop the intrusion at an early stage.

Work reported in (Dasgupta and Brian 2001) applies mobile agents to network traffic analysis. It describes the mobile agent architecture used in a project called SANTA. Here the application of agents can be seen at several levels down the hierarchy, with each agent performing an individual task. The IDS works by learning and detecting different kinds of attacks. It also describes the application of ART-2 Neural Networks in the decision support modules needed to make appropriate decisions. One of the mobile agents collects the data from the network, which SANTA uses to analyze the network traffic. Figure 2 gives the architecture of a mobile agent.

Figure 2: Mobile agent architecture (Dasgupta and Brian 2001)

Applying data mining concepts together with mobile agents, an IDS has been developed and reported in (Helmer et al. 1998). That work is mostly an extension of an existing IDS that uses intelligence modules but does not make use of mobile agents. The authors proposed an IDS architecture and were able to classify NFS and rlogin attacks by monitoring system call sequences. Their work showed that employing intelligent mobile agents results in more efficient attack detection than a conventional IDS. Figure 3 shows the architecture of the system.

Figure 3: Architecture of the IDS proposed in (Helmer et al. 1998)

Mobile agents have also found their way into wireless networks. The use of mobile agents for detecting intrusions in dynamic mobile networks is discussed in (Kruegel and Toth 2002). The report presents Sparta, a mobile-agent-based IDS that detects intrusions even in a changing, dynamic environment. The main feature of Sparta is that the agents do not need a global view of the network topology and hence are naturally suited to operating in a dynamic environment. Because sensors can be managed remotely, updated automatically and integrated with new devices, Sparta can overcome the challenges faced by traditional IDS when used in a mobile environment.

The IDS architecture reported in (Mell et al. 2000) thwarts attempts by an attacker to locate the IDS through passive sniffing or active probing. It employs a strategy in which the critical IDS hosts are invisible to the attacker. The architecture is based on mobile agent technology, which provides communication between the different types of IDS components.

An important work on mobile agents is reported in (Kruegel and Toth 2001). AAFID, discussed above, used autonomous agents where mobility is given the least importance; this work focuses on using mobile agent technology. It provides a new taxonomy for IDS covering the agent tasks, the description of attack scenarios, how to relate information from different sources, and the persistence of agents. Based on the new taxonomy the authors incorporated a mobile-agent-based IDS into Sparta (the existing IDS discussed above). They also used Public Key Infrastructure (PKI) authentication to provide secure communication among mobile agents. The advantages of mobile agents in general and their application to IDS in particular are listed elsewhere (Kruegel and Toth 2001). It is a nice piece of work that highlights the advantages and disadvantages obtained by using mobile agents and also reports several IDS that use mobile agents.

Advantages and Disadvantages of using Mobile Agents in Intrusion Detection

Several advantages of mobile agent usage are listed in the literature (Jansen et al. 1999, Lange and Oshima 1998, Smith 1988). Some of them are listed here:

Delay caused by Networks: When hierarchical IDS are used in a network, the response to an attack is slower, because the central controller has to send the information about the attack and the response to be taken to the particular host through the network. This may not always result in an immediate response against the attack, as the time taken for the information to reach the destination host might be too long, so traditional hierarchical IDS may not achieve timely detection of attacks. If mobile agents are used, on the other hand, they can respond faster, as they are dispatched directly from the central controller to the target host.

Minimizing the Network Traffic: Traditional IDS employ different data collection mechanisms to collect data at both the host and the network level, and this data is later used to track intrusions. Generally the collected data is very large, and for an intrusion to be detected, data from different hosts have to be collected and processed by the central controller, which increases the network traffic and creates an overhead on the network. By employing mobile agents the load on the network can be reduced, as mobile agents use efficient search mechanisms that reduce the need for data traffic among several hosts.

Persistency: As mobile agents operate autonomously and asynchronously, they do not fail even if the machine that hosted them fails. This is an added advantage of employing mobile agents in an IDS. In the case of centralized systems, when the central controller fails the entire IDS is down, as there is no communication among the other hosts.

Structure and Platform Independence: Mobile agents can be used in an IDS with a flexible structure. For example, one agent can be designated to collect the data in the network, another can be used to detect and report anomalies, while the rest take appropriate action. Due to this structure, mobile agents find tremendous application in IDS. Mobile agents from different vendors can also be used to build an IDS, and it is possible to write one's own mobile code to suit the existing environment.

Dynamic Nature: The dynamic nature of mobile agents enables them to be moved around the network. This makes it possible to reconfigure the system at runtime as well. Mobile agents can be cloned, dispatched or put to sleep when the network configuration has to be changed. They can also sense their execution environment and dynamically adapt to the situation.

Heterogeneous Environment: Mobile agents can be interoperable on multiple platforms. This is possible because of the virtual interpreter installed on the host machine. Mobile agents are generally computer- and transport-layer independent and depend only on the execution environment. This feature enables mobile agents to be used on several different platforms without compatibility problems.

Robust in Nature: Even if one of the agents fails, the other agents in the IDS can take up the tasks of the failed agent and continue the detection. This robust behavior makes mobile agents more applicable in large environments where several agents and their interaction are needed for proper monitoring of the network.

Scalability: With a distributed mobile-agent IDS, however large the network grows it can be easily handled. Agents have the capability to clone and distribute themselves to new machines when these are added to the network.

Drawbacks in using mobile agents:

1. The main problem in using mobile agents is security. Mobile agents require administrative rights, as they initiate a response when an intrusion is identified. By granting a mobile agent all permissions on the host it is operating on, an intruder who subverts the agent can easily introduce any virus. These security problems are the main hindrance to the wide growth of mobile agent technology. Some preliminary measures can be taken to alleviate them, including limiting access control to important resources and applying cryptographic methods to exchange information.

2. Another potential problem arises when the mobile agent carries private information such as a user's credit card details. Some hosts might try to extract this private information from the mobile agents that contain client details.

3. Observing the manner in which network attacks are increasing, it becomes obligatory for an IDS to detect attacks immediately and report them promptly. If mobile agents are used to accomplish this, the result is reduced performance of the entire network.

4. One more disadvantage arises when the code size of the IDS is large. This slows the network, because whenever the mobile agent has to go round the network the entire code has to be moved along with it.

Though there are drawbacks associated with using mobile agents, they still find potential application in industry, academia and research institutes. A paper discussing the advantages and disadvantages of mobile agents (Harrison et al. 1995) states that "While none of the individual advantages of mobile agents...is overwhelmingly strong, we believe that the aggregate advantages of mobile agents is overwhelmingly strong."

Application of a Security Agent System

This thesis uses an intrusion detection system based on intelligent mobile agents presented in (Dasgupta et al. 2002). This IDS is called CIDS (Cougaar-Based Intrusion Detection System) and uses intelligent decision support modules for intrusion detection. The architecture of CIDS is shown in Figure 4. It has four different agents, each performing a unique task. However, not all four agents are used in this work: only the Monitor and Decision agents, the main components of CIDS, are used. Since CIDS is applied to a WLAN, the Monitor agent can be loaded on any machine within radio range to capture the network traffic, unlike a wired LAN, where the Monitor agent has to be loaded on the machine to be monitored. The Decision agent is the same one used in CIDS.

Figure 4: CIDS Architecture with four Agents

Cougaar, the Cognitive Agent Architecture, was initially developed under DARPA sponsorship for military logistics and is available as open source (Cougaar). Cougaar is a component-based, distributed agent architecture. Each agent is composed of two major components: the Blackboard and PlugIns. Tasks and assets are the elements of the Blackboard. PlugIns are self-contained software components that can be loaded dynamically into agents and provide the agents' functionality. Agents can also have special PlugIns called Plan Service PlugIns (PSPs), which can be accessed through user program interfaces. A detailed description of the agents is given in the following sections.

Manager Agent

The Manager agent assigns tasks to its subordinate agents and coordinates their work. The PlugIns used in this agent provide the functionality indicated by their names. The Manager agent is shown diagrammatically in Figure 5.

Figure 5: Manager Agent (Plan; PSP PlugIn; Information Consumer PlugIn; Coordinator PlugIn; Sender Messenger PlugIn)

Monitor Agent

The Monitor agent is responsible for collecting data at different levels in the system. The monitoring system collects data through the Data Collector PlugIn, as shown in Figure 6. This PlugIn in turn contains a JMonitor system, which collects data at different levels: User, System, Process and Network. For this thesis an additional MAC layer is added to the original Monitor agent in order to capture the WLAN traffic.

Figure 6: Monitor Agent (BlackBoard; PSP_Monitor Plan Server; Messenger PlugIn; Data Collector PlugIn (JMonitor); Anomaly Detection PlugIn; Monitoring System)

Decision Agent

This agent is the heart of CIDS. It determines whether an intrusion has occurred with the help of a fuzzy inference controller and a knowledge base. The Fuzzy Controller Decision Engine applies fuzzy logic to the evolved fuzzy rules, and on the basis of these rules decides whether an attack has occurred. Information on fuzzy logic is reported in the Fuzzy Logic section of the literature review. Figure 7 shows the Decision agent. It has three PlugIns: the Classifier Decision PlugIn, the Immune System Decision PlugIn and the Fuzzy Controller Decision PlugIn. The Classifier PlugIn is used to classify the type of attack; the present work does not report the attack type. The Immune Decision and Fuzzy Controller PlugIns analyze the data and determine the abnormality if it occurs. The classes needed to implement the fuzzy controller are packaged as a library called jml (developed by Jonatan Gomez).

Figure 7: Decision Agent (Plan; PSP PlugIn; Classifier Decision PlugIn; Immune System Decision PlugIn; Fuzzy Controller Decision PlugIn)

Action Agent

The main purpose of the Action agent is to raise alarms when an intrusion is noticed. These alarms or alerts are specified in IDMEF (Intrusion Detection Message Exchange Format), which is used because it is a common language any IDS can understand. The Action agent should also be capable of sending responses to other Manager agents, which is not yet implemented in the current model. Figure 8 shows the Action agent.

[Figure 8: Action Agent, with its Plan, Receiver Messenger, Action PlugIn and PSP PlugIn]

Sequence of Operations: CIDS monitoring and detection starts with user interaction with the Manager agent. The Manager agent sends a signal to the Monitor agent, which then starts collecting data on the machine to be monitored. The Monitor agent also tries to detect deviations from normal behaviour. If a deviation is noticed, information about the deviating parameters is sent to the Decision agent, which determines the type of anomaly based on the fuzzy rules. Once the anomaly is classified, a report is sent to the Action agent, which raises an alert to the security administrator with status information.

1.4.3 Wireless LAN and WLAN Security Issues

The IEEE 802.11 standard defines the wireless LAN (WLAN). Details about this standard can be obtained from (802.11 LAN/MAN 1999). IEEE 802.11 covers the Physical and Medium Access Control (MAC) layers of the WLAN. The 802.11 standard is designed to support mobility, provide fault tolerance, and allow all network protocols to run over the WLAN. The layering of the WLAN standard is shown in Figure 9.

[Figure 9: IEEE 802.11 WLAN Standard. The figure places the 802.11 specification beneath the Logical Link Control layer: the Physical layer options are Frequency Hopping Spread Spectrum, Direct Sequence Spread Spectrum and Baseband Infrared, with data rates from 1 to 54 Mbps in the 2.4 GHz to 5.8 GHz bands; the Medium Access Control layer provides Carrier Sense Multiple Access, the Distributed Coordination Function with an optional Point Coordination Function, and error correction and access control. The Network, Transport, Session, Presentation and Application layers sit above.]

The major component of the standard is the Basic Service Set (BSS). A BSS consists of several stations communicating among themselves. The stations in a BSS can be isolated or connected to a backbone with the help of an Access Point (AP). Thus a BSS can be operated in two modes:

1. Independent Basic Service Set, or Ad-Hoc Network
2. Using a backbone, or Infrastructure Network

Ad-Hoc and Infrastructure Networks are discussed in the section of that name below. Two or more BSSs can be connected together with the help of a Distribution System (DS). Such an interconnection of BSSs is called an Extended Service Set (ESS). Figure 10 illustrates the BSS, DS and ESS.

[Figure 10: Extended Service Set with two Basic Service Sets and a Distribution System. BSS1 (AP, STA 1, STA 2) and BSS2 (AP, STA 1, STA 2, STA 3) are joined through the DS to form one ESS.]

Several services are provided by the stations and by the distribution system; some of them are mentioned here. Each station has to authenticate and associate before it can communicate through the access point (the security mechanisms are described in the Security Mechanisms section below). The process has three stages. In the first stage, the station is in the unauthenticated and unassociated state. In the second stage, after successful authentication, it enters the authenticated and unassociated state. After successful association with the AP, the station is in the authenticated and associated state, and only then can it exchange data through the AP.

This work concentrates on attacks generated in 802.11b networks. Hence, the subsequent sections concentrate on the 802.11b WLAN.

IEEE 802.11b Physical Layer

The 802.11b physical layer uses direct sequence spread spectrum (DSSS) technology. It supports data rates up to 11 Mbps in the 2.4 GHz band. Figure 11 shows the physical layer structure.

[Figure 11: Physical layer frames. The PHY sub-layer is made up of the PLCP sub-layer and the PMD sub-layer, alongside the PHY Management Entity.]

The 802.11b standard for the physical layer defines two sub-layers, the Physical Layer Convergence Procedure (PLCP) and the Physical Medium Dependent (PMD) sub-layer. The frames needed for transmission are constructed by the PLCP sub-layer and are then transmitted by the PMD sub-layer. The frame prepared by the PLCP complies with the 802.11 standard and is called the PLCP protocol data unit (PPDU). A detailed description of the fields of the PPDU can be obtained from (802.11b LAN/MAN 1999). APs should be set to specific channels in order to avoid overlap; in the United States the channels considered to be non-overlapping are 1, 6 and 11.

IEEE 802.11b Medium Access Control Layer

The IEEE 802.11 MAC layer is common to all three physical layers. It can be considered an interface between the physical layer and the device. The MAC frame format is shown in Figure 12. A detailed description of each field is provided in (802.11b LAN/MAN 1999); a brief description follows.

Frame Control: Gives the protocol version, the frame type and subtype, and flag bits such as ToDS, FromDS, Retry and the WEP (protected frame) bit.

Duration/ID: This field has two meanings. In a PS-Poll frame sent by a station in power-save mode it carries the station's association identifier; otherwise it carries a duration value, which is used for the Network Allocation Vector (NAV) calculation.

Address Fields: There can be up to four address fields, and their meaning (destination, source, BSSID, receiver, transmitter) depends on the ToDS and FromDS flag values in the Frame Control field.

Sequence Control: This is divided into two subfields, Fragment Number and Sequence Number. The 12-bit Sequence Number identifies the frame (the MSDU it belongs to) and the 4-bit Fragment Number identifies each fragment of that frame.

CRC: This is a 32-bit Cyclic Redundancy Check (the frame check sequence) computed over the header and body.

[Figure 12: MAC Frame Format. MAC header (Frame Control, Duration/ID, Address 1, Address 2, Address 3, Sequence Control, Address 4) followed by the Frame Body and the CRC.]

IEEE 802.11b uses Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), which is also referred to as the Distributed Coordination Function (DCF). Frames are transmitted according to the CSMA/CA back-off algorithm using four different inter-frame spaces (IFS): Short IFS (SIFS), Point Coordination IFS (PIFS), Distributed IFS (DIFS) and Extended IFS (EIFS) (802.11b LAN/MAN 1999). When a station is ready to transmit a frame, it first has to sense the channel. If the channel is idle, the station can transmit the frame; if not, the station has to back off for a random time period. When the channel becomes idle again (for example after the ACK for the previous frame), the station waits for a DIFS plus a random

number of back-off slots and then transmits. Sometimes the Point Coordination Function (PCF) is also used, with the AP acting as point coordinator.

Physical carrier sensing can give rise to two problems in a WLAN: the Hidden Node Problem and the Exposed Station Problem. The Hidden Node Problem arises when two stations A and B, which are not within each other's radio range, try to communicate simultaneously with a third station C that is reachable from both A and B. This is shown in Figure 13.

[Figure 13: Hidden Node Problem. A barrier separates Station A and Station B, both of which can reach Station C.]

Similarly, in the Exposed Station Problem, suppose that stations A and B are in radio range of each other, and that A and C, and B and D, are also in radio range. Now, when A is communicating with C, B senses the channel as busy and stops communicating

with D, even though its transmission to D would not interfere at C. In order to avoid these problems, virtual carrier sensing is introduced, which uses the Request To Send/Clear To Send (RTS/CTS) four-way handshake (RTS, CTS, data, ACK) to avoid collisions.

Ad-Hoc and Infrastructure Networks

Ad-Hoc or Independent BSS Network

Description and Example of an Ad-Hoc Network

Ad-Hoc Networks are wireless networks in which the mobile nodes dynamically form a network without the aid of any infrastructure. Each wireless node has a radio range, which defines the area within which the mobile nodes can communicate with each other directly. Establishing a connection between mobile nodes that are not in the same radio range can be explained with an example. Suppose mobile node MN1, which is in radio range R1, wishes to communicate with mobile node MN2, which is in a different radio range R2. In such a case, MN1 has to find an intermediate mobile node that falls within the radio range of both MN1 and MN2. Figure 14 shows a simple Ad-Hoc network of four mobile stations communicating with each other.
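Returning to the MAC frame format of Figure 12, the header layout described above can be made concrete by decoding one. The following Python program is an added example written for this edition of the text; it is not part of CIDS or of the thesis, and the frame it decodes is constructed by hand rather than captured from a network. It decodes the Frame Control bits, the Duration/ID field, the address fields according to the ToDS/FromDS combination (including the four-address case used between APs over the distribution system), the Sequence Control subfields and the trailing CRC-32. Every one of these fields, including the source address, travels in the clear and is not authenticated, which is what makes the MAC spoofing attack discussed later possible: a spoofed frame parses exactly like a legitimate one.

```python
"""Parse the fixed fields of an IEEE 802.11 MAC header (Figure 12).

Added example for this thesis; it is not part of CIDS. The sample frame
below is constructed by hand, not captured. Only data and management
frames (24- or 30-byte header) are handled; control frames are rejected.
"""
import zlib
from dataclasses import dataclass
from typing import Optional

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class MacHeader:
    version: int
    frame_type: str
    subtype: int
    to_ds: bool
    from_ds: bool
    retry: bool
    protected: bool          # the WEP / "protected frame" bit of Frame Control
    duration_id: int
    fragment_number: int
    sequence_number: int
    destination: str
    source: str
    bssid: Optional[str]     # None in the four-address (AP-to-AP) case
    header_len: int


def parse_header(frame: bytes) -> MacHeader:
    """Decode Frame Control, Duration/ID, the address fields and Sequence Control."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the minimum 24-byte header")
    fc = int.from_bytes(frame[0:2], "little")      # Frame Control is sent little-endian
    version = fc & 0x3
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    retry, protected = bool(flags & 0x08), bool(flags & 0x40)
    if ftype == 1:
        raise ValueError("control frames carry only one or two addresses; not handled here")
    duration_id = int.from_bytes(frame[2:4], "little")
    a1, a2, a3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    seq_ctrl = int.from_bytes(frame[22:24], "little")
    fragment, sequence = seq_ctrl & 0xF, seq_ctrl >> 4   # 4-bit fragment, 12-bit sequence number
    header_len = 24
    # The meaning of Address 1..4 depends on the ToDS/FromDS bits.
    if not to_ds and not from_ds:          # ad-hoc (IBSS) data or a management frame
        dst, src, bssid = a1, a2, a3
    elif from_ds and not to_ds:            # AP -> station
        dst, bssid, src = a1, a2, a3
    elif to_ds and not from_ds:            # station -> AP
        bssid, src, dst = a1, a2, a3
    else:                                  # AP -> AP across the distribution system
        if len(frame) < 30:
            raise ValueError("ToDS and FromDS set but no fourth address present")
        dst, src, bssid, header_len = a3, _mac(frame[24:30]), None, 30
    return MacHeader(version, TYPE_NAMES[ftype], subtype, to_ds, from_ds, retry,
                     protected, duration_id, fragment, sequence, dst, src, bssid, header_len)


def fcs_ok(frame: bytes) -> bool:
    """The trailing CRC-32 only catches transmission errors: anyone can recompute it."""
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")


def build_data_frame(src: bytes, dst: bytes, bssid: bytes, seq: int, body: bytes,
                     protected: bool = True) -> bytes:
    """Construct a station-to-AP (ToDS=1) data frame with a valid CRC (test input, not a capture)."""
    flags = 0x01 | (0x40 if protected else 0x00)        # ToDS, optionally the WEP bit
    fc = bytes([0x08, flags])                            # type = data (2 << 2), subtype 0
    duration = (44).to_bytes(2, "little")
    # ToDS=1, FromDS=0: Address 1 = BSSID, Address 2 = SA, Address 3 = DA
    header = fc + duration + bssid + src + dst + (seq << 4).to_bytes(2, "little")
    frame = header + body
    return frame + zlib.crc32(frame).to_bytes(4, "little")


# Constructed addresses and frame (not real devices)
STA = bytes.fromhex("aabbccddee01")
AP = bytes.fromhex("001122334455")
DST = bytes.fromhex("001122334466")
SAMPLE = build_data_frame(STA, DST, AP, seq=291, body=b"constructed payload")

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    print("CRC valid:", fcs_ok(SAMPLE))
```

Feeding the parser frames taken from a monitor-mode capture is the natural next step; note that a valid CRC says nothing about who actually transmitted the frame, only that it was not corrupted in the air.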

[Figure 14: Ad-Hoc Network with four mobile stations (Stations A, B, C and D)]

Advantages of an Ad-Hoc Network

- Does not need any additional infrastructure, as the communication is directly among the nodes.
- Stations can join or leave the network at any time, because the network does not depend on any predefined topology.

Disadvantages of an Ad-Hoc Network

- Mobility of the nodes requires the routing tables in all the mobile nodes to be updated constantly.

- Due to lack of power control, the signals transmitted by the mobile stations might overlap.
- As there is no central controller, there could be collisions when accessing the medium.

Infrastructure Network

Description and Example of an Infrastructure Network

In an infrastructure network, the mobile stations communicate with each other through a central controller called an Access Point (AP). The AP in turn can be connected to a wired network, thus establishing a connection between the wired network and the wireless network. Each AP has a Service Set ID (SSID) associated with it. An AP continuously sends beacon frames, which contain its SSID. The mobile stations that are in the radio range of this AP receive the beacon frames and try to establish a connection with it. Figure 15 shows an example of an infrastructure network. It has ten mobile stations and three APs. It can be seen in the diagram that some mobile stations fall in the radio range of one AP, while others fall in the radio range of a different AP. Figure 15 also shows a wired LAN with six wired machines. Two of the access points are connected to the wired LAN, thus establishing communication between the wired LAN and the wireless LAN.

[Figure 15: Infrastructure Network with 10 mobile stations and 3 access points communicating with the wired network]

Advantages of an Infrastructure Network

- The AP is the central controller and hence provides coordination among the stations.
- It is simple to design, as only the AP needs to be configured.
- This type of configuration is useful when quality of service requirements have to be met: the AP can allocate different bandwidths to different stations.

Disadvantages of an Infrastructure Network

- This type of configuration may not always provide disaster recovery, since the AP is a single point of failure.
- Collisions may result if the medium access of a mobile station is not coordinated with that of the AP.

Security Mechanisms

Wired vs. Wireless LAN security: The threats posed to a wired LAN also apply to a wireless LAN. These threats include unauthorized access, eavesdropping, and attacks from within the network's user community (WLANA security white paper). An additional security concern in a wireless LAN pertains to the physical layer. The physical medium of the wireless LAN (radio signals) differs from the wired medium: radio signals can easily be intercepted by anyone within range, and hence need additional protection. That is why the security of a wireless LAN is of more concern than that of a wired LAN. The following sections describe the security issues related to 802.11b networks.

Security in 802.11b networks is provided by the Wired Equivalent Privacy (WEP) protocol, which protects link-level data transmission. WEP is designed to provide the basic security features of authentication, confidentiality and integrity. Wireless clients wishing to communicate must provide the proper form of authentication, which in WEP means proving possession of the right key. A taxonomy of 802.11b

authentication techniques is presented in (Karygiannis and Owens 2002). There are two means of authentication: cryptographic and non-cryptographic. Non-cryptographic authentication requires only an identity from the clients trying to communicate with the access point (AP). It can be divided into two categories: Open System Authentication, where even a null SSID is accepted, and Closed System Authentication, where a mobile station is allowed access only if it provides the valid SSID. Cryptographic authentication, on the other hand, uses a challenge-response exchange in which both participating entities share a common secret key. This form of authentication is shown in Figure 16, which shows the mobile station and the AP. When the station requests access, the AP sends it a challenge. The station encrypts the challenge using the WEP key and sends the resulting response to the AP. The AP decrypts the response, compares it to the original challenge, and permits access to the station only if they match.

[Figure 16: Challenge-Response Mechanism in WEP. Station to AP: Request to connect; AP to station: Challenge; station to AP: Response; AP to station: Success.]

WEP provides confidentiality by using the RC4 symmetric-key stream cipher. The RC4 key sizes generally used are 40 bits and 104 bits. The secret key is combined with a 24-bit Initialization Vector (IV): the IV is prepended to the shared secret key to produce a different RC4 per-packet key for each packet. The plaintext is XORed with the RC4 keystream to produce the ciphertext. At the receiving end, the ciphertext is XORed with the same keystream to recover the original plaintext.

WEP also attempts to provide integrity, by trying to ensure that messages are not modified in transit. This is done with a Cyclic Redundancy Check (CRC): a CRC-32 is computed over the payload of each packet, and the CRC (the Integrity Check Value, ICV) is appended to the payload and encrypted along with it.

At the receiving end the CRC is recalculated and compared to the received one. If the CRCs do not match, it is concluded that the message was modified, either intentionally or accidentally. The encryption of messages in 802.11b takes place as shown in Figure 17 (a and b).

[Figure 17(a): Encryption Mechanism at the sender. The IV is appended to the RC4 secret key to form the per-packet key; the plaintext together with its Integrity Check value is XORed with the RC4 keystream; the transmitted frame carries the IV in the clear, followed by the cipher text and the encrypted ICV.]

[Figure 17(b): Decryption Mechanism at the receiver. The received IV is appended to the RC4 secret key; the cipher text and ICV are XORed with the keystream to recover the plaintext and the ICV; the integrity check is recomputed over the plaintext and the two ICVs are compared.]

Thus, mathematically, the generation of the cipher text is represented as

    C = P XOR RC4(IV, k)

where C is the cipher text, P is the plaintext (with its ICV appended), IV is the initialization vector and k is the RC4 secret key.

Security Threats in 802.11b Networks

There are several vulnerabilities associated with the use of WEP (Borisov et al. 2001; Stubblefield et al. 2002). Details about these weaknesses are given in (Karygiannis and Owens 2002). The following list gives a brief overview of some of these vulnerabilities.

- WEP's use of static, shared keys makes it vulnerable to attacks: the same key is used by every station and is rarely changed.
- As seen in Figure 17(a), the 24-bit IV is transmitted in plaintext during communication between the wireless clients and the AP, which gives the intruder easy access to the IV. Moreover, the IV does not guarantee that the keystream will not be repeated: with only 2^24 values, the keystream generated from a given IV repeats on a busy network, and two packets encrypted with the same keystream leak the XOR of their plaintexts.
- Another major weakness of WEP is that it provides no cryptographic integrity protection. The ICV is a CRC-32, and a CRC is a linear function of the data: an attacker who flips bits in the ciphertext can compute the corresponding change to the encrypted ICV without knowing the key, so the modified frame still passes the integrity check.

The security threats associated with WLANs can be classified as shown in Figure 18.

[Figure 18: Security Threats in Wireless LAN. Eavesdropping (Passive, Active), Traffic Analysis, Spoofing, Man-In-The-Middle, DoS and Session Hijacking.]
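To make Figures 16 and 17 and the WEP weaknesses listed above concrete, the following Python program is given as an added example; it is not code from this thesis or from CIDS, and the secret key, IVs and messages in it are made up. It implements RC4 and WEP encryption and decryption exactly as drawn in Figure 17 (IV prepended to the secret key, CRC-32 ICV appended to the plaintext, both XORed with the keystream, IV sent in the clear), and then demonstrates the two weaknesses: two frames that share an IV leak the XOR of their plaintexts, and payload bits can be flipped and the encrypted ICV corrected without any knowledge of the key, so the forged frame still passes the receiver's integrity check.

```python
"""WEP as drawn in Figure 17, plus the IV-reuse and CRC-linearity weaknesses.

Added example, not code from this thesis. The secret key, IVs and
messages are made up; WEP is implemented here only to show its flaws.
"""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by the pseudo-random generation algorithm."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian as WEP transmits it."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Figure 17(a): per-packet key = IV || secret; frame = IV || (P || ICV) XOR keystream."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit secret key")
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Figure 17(b): take the clear-text IV, XOR with the keystream, recompute and compare the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, rc4_keystream(iv + secret, len(body)))
    plaintext, received_icv = plain[:-4], plain[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch: frame modified in transit or wrong key")
    return plaintext


def xor_of_plaintexts(frame1: bytes, frame2: bytes) -> bytes:
    """Weakness 1: frames that reuse an IV share a keystream, so C1 XOR C2 = P1 XOR P2 (no key needed)."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("the IVs differ, so the keystreams differ and the XOR reveals nothing")
    n = min(len(frame1), len(frame2)) - 3 - 4      # payload bytes common to both, excluding the ICVs
    return xor_bytes(frame1[3:3 + n], frame2[3:3 + n])


def flip_bits(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Weakness 2: CRC-32 is linear, crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0), so an attacker
    can XOR `delta` into the ciphertext at `offset` and fix the encrypted ICV without the key."""
    iv, body = frame[:3], bytearray(frame[3:])
    n = len(body) - 4                               # payload length, excluding the ICV
    d = bytearray(n)
    d[offset:offset + len(delta)] = delta
    icv_delta = zlib.crc32(bytes(d)) ^ zlib.crc32(bytes(n))
    for k in range(n):
        body[k] ^= d[k]
    for k in range(4):                              # same little-endian layout as icv()
        body[n + k] ^= (icv_delta >> (8 * k)) & 0xFF
    return iv + bytes(body)


# Constructed demonstration data (not captured traffic)
SECRET = bytes.fromhex("0102030405")       # a 40-bit key
IV = bytes.fromhex("000001")               # one of only 2^24 possible IVs
P1 = b"GET /index.html HTTP/1.0"
P2 = b"GET /secret.txt HTTP/1.0"
FRAME1 = wep_encrypt(SECRET, IV, P1)
FRAME2 = wep_encrypt(SECRET, IV, P2)       # IV reused: identical keystream

if __name__ == "__main__":
    print(wep_decrypt(SECRET, FRAME1))
    print(xor_of_plaintexts(FRAME1, FRAME2) == xor_bytes(P1, P2))
    forged = flip_bits(FRAME1, 5, xor_bytes(b"index", b"admin"))
    print(wep_decrypt(SECRET, forged))     # the receiver accepts the altered request
```

The bit-flipping function needs only the ciphertext and the position of the bytes to change; the attacker never learns the keystream or the key, which is exactly why a CRC is not a substitute for a keyed message integrity code.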

Passive Eavesdropping: This occurs when the intruder has access to the transmission medium. When WEP is not enabled, analysing the packets to obtain information such as source address, destination address and message length is not difficult. Even when WEP is enabled, passive eavesdropping is still not difficult because of the flaws associated with WEP: the MAC headers are never encrypted, and the payload can be recovered by exploiting the weaknesses listed above. It has been shown that in 10 minutes it is possible to capture 11,362 packets from the WLAN cloud. Although passively listening to the traffic might not in itself cause great damage to the WLAN, the traffic thus obtained can be used by the intruder to perform some other attack. This thesis relies on the same observation: the WLAN traffic is passively sniffed, and the monitored traffic is used by the intruder to determine the MAC address of a legitimate node before the attack is generated.

Active Eavesdropping: Active eavesdropping is similar to passive eavesdropping, except that the attacker not only listens but also injects traffic into the network. IP spoofing can be considered an example of active eavesdropping: the IP address in a captured packet is changed so that the communication passes through a host of the attacker's choosing. The attacker machine keeps relaying packets between the hosts and the AP, which makes the attack hard to notice.

Traffic Analysis: Analysing the traffic is useful to determine the number of packets going through the WLAN and the size of each packet. By analysing the traffic, the attacker learns that there is an AP, and can also find the location of the AP if a Global Positioning System (GPS) receiver is used. With this knowledge the intruder can determine the type of protocols being used for the communication.

Spoofing: This kind of attack forges the IP address or the MAC address of a legitimate wireless client. The attacker alters the mapping between MAC address and IP address in order to reroute network traffic. This attack is generally used to bypass the authorization mechanism employed in the AP (for example a MAC address filter). This thesis performs a MAC spoofing attack, details of which are given in the attack sections of Chapter 2 and in Section 3.1.

Man-In-The-Middle: This attack violates the integrity of the session. The attacker first tries to break the communication between the AP and the wireless client. Once this is accomplished, the attacker machine acts as a legitimate wireless client and associates with the AP; similarly, it acts as an AP towards the client and gains its association. Thus it obtains the traffic from both the AP and the client.

Denial of Service (DoS): The attacker might gain access to the network (because of the inherent flaws in WEP) and perform a DoS attack. This is one of the attacks used in this thesis.

Session Hijacking: This is an attack in which one of the target machines in the WLAN cloud is made to terminate its session, while the target assumes that the session ended because of some normal malfunction in the network. The attacker then authenticates as the target machine and gains access to the WLAN.

Use of IDSs to Overcome the WLAN Threats

Considering the weaknesses inherent in WEP, several measures have been suggested. Some are security advice on what kind of communication to employ; some involve

improvement of the RC4-based algorithm currently used in WEP. A different type of encryption employing the Advanced Encryption Standard (AES) is being developed to replace the current use of RC4 in WEP. Another technique, the Temporal Key Integrity Protocol (TKIP), which derives a fresh key for every packet and adds a message integrity check, has also been developed. But 802.11b deployments are so widespread that changing to a different encryption scheme is not simple. In order to overcome the WEP problems, others have developed IDSs, and this thesis is based on a similar approach. I have generated a WLAN attack (MAC spoofing) and tried to detect it with an IDS developed in the Intelligent Security Systems Research Lab (Univ. of Memphis) and reported in (Dasgupta et al. 2002).

The following is a list of some measures to be considered while using a WLAN:

- The Access Control List (MAC filtering) should be enabled on the AP. This ensures that only the MAC addresses of authorized clients are permitted (although, as the spoofing attack above shows, a MAC address can be forged).
- The default broadcasting of the SSID should be disabled on the AP. By doing so, the presence of the AP is not obvious to an intruder.
- IPsec or a Virtual Private Network (VPN) should be used to give wireless clients access to the network.
- Wireless LAN and wired LAN should not be connected, even if WEP is enabled on the AP.

The following are some IDSs that were designed to secure WLANs. An IDS used to detect abnormalities in Ad-Hoc networks is described in (Zhang and Lee 2000). It argues that the current IDSs used for wired networks are not sufficient for wireless networks. The proposed IDS detects intrusions such as abnormal routing table updates and attacks at the MAC layer. It also provides multi-layer integrated intrusion

detection and response. On similar grounds, another IDS is reported in (Lim et al. 2003). They propose a new IDS for WLANs that encompasses components such as data collection, intrusion detection and an additional secure database used to log the anomaly signatures detected so far. Another IDS, reported in (Smith 2001), tries to detect the hacking tools deployed against the network. For example, several such tools are available, like NetStumbler (used to detect the presence of APs) (Slavin). This IDS helps in detecting the use of such tools on the WLAN and also provides statistics such as the length of the attack session to the administrator.

1.4.4 Network Simulator

Network Simulator (NS) is a discrete event simulator mainly used for simulating wired and wireless networks. It supports several protocols, such as the Transmission Control Protocol (TCP), routing protocols and multicast protocols. Detailed information about NS can be obtained from (VINT Group). The simulator is written in C++ and Object-oriented Tcl (OTcl). The actual protocols are implemented in C++, and OTcl is used as the configuration interface for running the simulations. This study mainly focuses on the simulation of a wireless LAN using NS. The details of how an attack is implemented using NS are given in Section 3.3. A brief explanation of a simple Ad-Hoc wireless network in NS is given here. Before implementation, the number of mobile nodes operating in the WLAN should be

considered. The following example shows how to create an Ad-Hoc mobile network with two nodes.

Example of configuring a simple Ad-Hoc network using NS:

    set val(chan)   Channel/WirelessChannel    ;# channel type
    set val(prop)   Propagation/TwoRayGround   ;# radio propagation model
    set val(ant)    Antenna/OmniAntenna        ;# antenna model
    set val(ll)     LL                         ;# link layer type
    set val(ifq)    Queue/DropTail/PriQueue    ;# interface queue type
    set val(ifqlen) 50                         ;# maximum packets in the interface queue
    set val(netif)  Phy/WirelessPhy            ;# network interface type
    set val(mac)    Mac/802_11                 ;# MAC type
    set val(rp)     DSDV                       ;# ad-hoc routing protocol
    set val(nn)     2                          ;# number of mobile nodes
    set val(x)      800                        ;# topography width
    set val(y)      600                        ;# topography height

The parameters that are set indicate that this is a simulation of a wireless network. The language used is Tcl. The chan parameter is set to WirelessChannel. The propagation model used is TwoRayGround, which is a radio propagation model. The other parameters are set in the same way. One

interesting point to consider is the routing protocol used. Currently, the simulator supports four different routing protocols for WLANs: Destination Sequenced Distance Vector (DSDV), Dynamic Source Routing (DSR), Temporally Ordered Routing Algorithm (TORA) and Ad-hoc On-demand Distance Vector (AODV). Having set the parameter values, the next step is to create an instance of the Simulator class (details about this class can be obtained from (VINT Group)) as follows:

    set ns_ [new Simulator]

NS helps to collect data while the simulation is running by writing a trace file (.tr file). It also writes a network animator file (.nam file); when opened with the nam command, the animator displays the node topology and the traffic between the nodes. At the time of writing, node movement in wireless simulations was not yet displayed by the animator. The trace and nam files are created by calling trace-all and namtrace-all-wireless as shown below; the tracefd and namtrace variables refer to the corresponding files, which are opened in write mode:

    set tracefd  [open file1.tr w]
    set namtrace [open file1.nam w]
    $ns_ trace-all $tracefd
    $ns_ namtrace-all-wireless $namtrace $val(x) $val(y)

The next step is to create a topography object and define it from the given parameter values:

    set topo [new Topography]
    $topo load_flatgrid $val(x) $val(y)

The topography is represented as a grid, a flat grid in this case; the default grid resolution is one. The next step is to store global information about the environment. This is achieved by creating a General Operations Director (GOD) object in NS. The total number of mobile nodes and a table of the smallest number of hops required to reach one node from another are stored in the GOD object. Before the simulation starts, the next-hop information is loaded into the GOD object from the movement pattern files; this reduces the time needed to calculate the next-hop information on the fly. The GOD object is created by calling the create-god procedure:

    set god_ [create-god $val(nn)]

The next task is to configure the mobile nodes with the help of the node-config procedure, which configures the mobile nodes according to the given parameter values:

    $ns_ node-config -adhocRouting $val(rp) \

        -llType $val(ll) \
        -macType $val(mac) \
        -ifqType $val(ifq) \
        -ifqLen $val(ifqlen) \
        -antType $val(ant) \
        -propType $val(prop) \
        -phyType $val(netif) \
        -topoInstance $topo \
        -channelType $val(chan) \
        -agentTrace ON \
        -routerTrace ON \
        -macTrace OFF \
        -movementTrace OFF

Having configured the mobile nodes, the next step is to create them. The node procedure of the Simulator class is used to create each mobile node object, as follows:

    for {set i 0} {$i < $val(nn) } {incr i} {
        set node_($i) [$ns_ node]
        $node_($i) random-motion 0    ;# no random motion; positions are set explicitly below
    }

Now the initial positions of the two nodes have to be defined:

    $node_(0) set X_ 80.0
    $node_(0) set Y_ 60.0
    $node_(0) set Z_ 0.0
    $node_(1) set X_ 200.0
    $node_(1) set Y_ 350.0
    $node_(1) set Z_ 0.0

In this case, node 0 is at position (80, 60) and node 1 is at (200, 350). The nodes can also be given a destination and the time at which the movement has to start, as shown below (the destination coordinates and speeds are missing from the original text and are left as placeholders):

    $ns_ at 10.0 "$node_(1) setdest <x> <y> <speed>"
    $ns_ at 20.0 "$node_(0) setdest <x> <y> <speed>"

The traffic flow between the nodes has to be defined. This can be specified in a separate connection pattern file, which is then included to represent the flow of traffic between the nodes. An example of File Transfer Protocol (FTP) traffic over a TCP connection between the two nodes is shown below:

    set tcp [new Agent/TCP]
    $tcp set class_ 2

    set sink [new Agent/TCPSink]
    $ns_ attach-agent $node_(0) $tcp
    $ns_ attach-agent $node_(1) $sink
    $ns_ connect $tcp $sink
    set ftp [new Application/FTP]
    $ftp attach-agent $tcp
    $ns_ at 10.0 "$ftp start"

Each node is attached to an agent. The variable tcp holds the TCP agent and the variable sink holds the TCP sink agent. Node 0 is attached to the TCP agent and node 1 to the TCP sink agent. FTP traffic is defined between the agents attached to node 0 and node 1, and is made to start 10 seconds after the start of the simulation. The final task is to tell the nodes that the simulation has reached its end, reset them, and stop the simulator, as shown below (the original gives the reset time as 300 seconds; the exact instants of the stop and halt events are missing from the text, and are assumed here to follow the reset by a fraction of a second):

    for {set i 0} {$i < $val(nn) } {incr i} {
        $ns_ at 300.0 "$node_($i) reset";
    }
    $ns_ at 300.0001 "stop"
    $ns_ at 300.0002 "puts \"NS EXITING...\" ; $ns_ halt"

    proc stop {} {

        global ns_ tracefd
        close $tracefd
    }

The above code tells the two nodes to reset at 300 seconds. The simulation is stopped at around the same time. The procedure stop is then called to close the open trace file. A new trace format is defined for the wireless network.

1.4.5 Fuzzy Logic

Fuzzy logic is used for concepts that classical set theory can only approximate by an interval, i.e. concepts that do not have a well-defined boundary (Yen and Langari 1998). Fuzzy logic does not require precise, noise-free inputs, which makes it robust. Also, since it is based on user-defined rules governing the target system, the rules can be modified to improve the system's performance (Kaehler). Fuzzy logic uses the notion of degree of membership in a set. Fuzzy logic is composed of four basic concepts: fuzzy sets, linguistic variables, possibility distributions and fuzzy if-then rules (Yen and Langari 1998).

Differences Between Fuzzy Sets and Crisp Sets

In crisp sets an element either belongs to a set completely or does not belong to it at all, whereas fuzzy sets allow elements to be partially in a set. A few differences are shown in Table 1.

Table 1: Differences between Fuzzy sets and Classic sets

    FUZZY SETS                                        | CLASSIC SETS
    --------------------------------------------------|--------------------------------------------------
    An object can partially be in a set.              | An object is entirely in a set or is not.
    The membership degree takes values between 0      | The membership degree takes only two values:
    and 1: 1 means entirely in the set, 0 means       | 0 or 1. 1 means entirely in the set, 0 means
    entirely outside the set, and other values mean   | entirely outside the set. Other values are not
    partially in the set.                             | allowed.

Fuzzy Sets

Fuzzy sets have smooth boundaries, unlike classical sets, which always have sharp boundaries. In classical sets, membership is a black-and-white concept: an object either completely belongs to the set or does not belong to it at all. Fuzzy set theory allows membership in a set to be a matter of degree. The degree of membership is expressed as a number between 0 and 1: 0 indicates that the object does not

belong to the set, 1 indicates that the object belongs to the set entirely, and any number in between indicates partial membership. A fuzzy set is defined by a membership function that maps objects of the domain to their membership values in the set. The membership function should provide a gradual transition from regions completely outside the set to regions completely inside it. Triangular membership functions are the most commonly used. Figure 19 shows an example of triangular membership functions.

[Figure 19: Membership functions with three sets (A, B and C). Degree of membership is plotted against the objects; each set is a triangle peaking at its centre, and the overlapping regions are marked A&B and B&C.]

Figure 19 shows the triangular membership functions of a certain system. The system is represented using three different fuzzy sets (A, B and C). As can be seen, unlike classical sets, fuzzy sets allow an object to belong partially to two different sets at the same time; an object in the overlap region belongs partially to both A and B.

Linguistic Variables

A linguistic variable is a symbol representing the name of a fuzzy set. It gives a qualitative and quantitative description to a corresponding membership function (Yen and Langari 1998). Linguistic variables represent general terms like small, medium and large, which are used to capture a range of numerical values (Pacific Northwest Lab).

Possibility Distributions

Possibility distributions over fuzzy sets make it possible to assign graded values to linguistic variables. This is not achievable with crisp sets because of their interval-valued assignment constraints. For example, if the age of a person is considered, in crisp sets it can only be defined by an interval such as (20, 33). In the case of fuzzy sets, it is defined by a possibility distribution (a degree of membership for each age). A fuzzy set with a possibility distribution is shown in Figure

20.

[Figure 20: Possibility distribution of a fuzzy set. Possibility (0 to 1) is plotted against Age.]

From Figure 20 it is clear that the possibility degree that the person has age 19 is 0.8, and so on. Hence, unlike crisp sets, fuzzy sets allow membership degrees to be defined, which is at times very desirable (Yen and Langari 1998).

Fuzzy Rules

Structure of Fuzzy Rules

Fuzzy logic relies on the basic unit of the fuzzy rule. Rules are used for capturing knowledge in fuzzy systems. A fuzzy rule is made up of two components, an if-part and a then-part. The if-part is called the antecedent and the then-part is called the consequent. Thus a fuzzy rule can be represented as:

    IF <antecedent> THEN <consequent>
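The remainder of this section works through a fuzzy inference by hand. The following Python program is an added example, not the jml library or any other code from CIDS; it implements the same three pieces in running form: triangular membership functions of the kind shown in Figure 19, rules in the IF <antecedent> THEN <consequent> form, and the inference that evaluates each antecedent (taking the minimum over its clauses), picks the rule with the largest truth value and returns its consequent. The rule set and membership degrees in RULES and DEGREES are those of the worked example that follows; the LOW/MEDIUM/HIGH partition of a normalised parameter and the alarm rules built on it are constructed for illustration and are not from the thesis.

```python
"""Fuzzy sets, fuzzy rules and max-of-min inference (added example, not the jml library).

The RULES/DEGREES data reproduce the worked example in this section; the
LOW/MEDIUM/HIGH partition and ALARM_RULES are constructed for illustration.
"""
from typing import Dict, List, Tuple

FuzzySet = Tuple[float, float, float]            # (left foot, centre, right foot)
Rule = Tuple[str, List[Tuple[str, str]], str]   # (name, [(variable, set), ...], action)


def triangular(x: float, a: float, b: float, c: float) -> float:
    """Degree of membership in a triangular fuzzy set with feet a, c and centre b (Figure 19)."""
    if x <= a or x >= c:
        return 0.0
    if x <= b:
        return (x - a) / (b - a)
    return (c - x) / (c - b)


def fuzzify(value: float, sets: Dict[str, FuzzySet]) -> Dict[str, float]:
    """Membership of one crisp value in every set of a linguistic variable."""
    return {name: triangular(value, *feet) for name, feet in sets.items()}


def rule_truth(rule: Rule, degrees: Dict[str, Dict[str, float]]) -> float:
    """Step 1: the antecedent's truth is the AND (minimum) of its clause memberships."""
    _, antecedent, _ = rule
    return min(degrees[var][fset] for var, fset in antecedent)


def infer(rules: List[Rule], degrees: Dict[str, Dict[str, float]]) -> Tuple[str, str, float]:
    """Steps 2 and 3: choose the rule with the largest antecedent truth; its consequent is the action."""
    truths = {r[0]: rule_truth(r, degrees) for r in rules}
    best = max(truths, key=truths.get)
    action = next(r[2] for r in rules if r[0] == best)
    return best, action, truths[best]


# The worked example of this section, expressed as data
RULES: List[Rule] = [
    ("Rule1", [("x", "HIGH"), ("y", "LOW")], "action3"),
    ("Rule2", [("x", "MEDIUM HIGH"), ("y", "MEDIUM")], "action3"),
    ("Rule3", [("x", "MEDIUM"), ("y", "MEDIUM LOW")], "action1"),
]
DEGREES = {
    "x": {"HIGH": 0.2, "MEDIUM HIGH": 0.7, "MEDIUM": 0.3},
    "y": {"LOW": 0.4, "MEDIUM LOW": 0.8, "MEDIUM": 0.4},
}

# A constructed partition of a parameter normalised to [0, 1] into three overlapping sets
PARTITION: Dict[str, FuzzySet] = {
    "LOW": (-0.5, 0.0, 0.5),
    "MEDIUM": (0.0, 0.5, 1.0),
    "HIGH": (0.5, 1.0, 1.5),
}
ALARM_RULES: List[Rule] = [
    ("R1", [("x", "HIGH"), ("y", "LOW")], "alarm"),
    ("R2", [("x", "LOW"), ("y", "LOW")], "normal"),
    ("R3", [("x", "MEDIUM"), ("y", "MEDIUM")], "watch"),
]


def classify(x: float, y: float) -> Tuple[str, str, float]:
    """Fuzzify two crisp parameter values and run the alarm rules over them."""
    degrees = {"x": fuzzify(x, PARTITION), "y": fuzzify(y, PARTITION)}
    return infer(ALARM_RULES, degrees)


if __name__ == "__main__":
    print(infer(RULES, DEGREES))   # the section's example: Rule2 wins with truth 0.4, action3
    print(classify(0.9, 0.1))
```

In CIDS the parameter values fed to the rules are the monitored deviations from normal, and the rule base is generated rather than written by hand, but the inference step is the same one shown here.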

Antecedent and Consequent of Fuzzy Rules

The antecedent of a fuzzy rule describes the condition. The consequent of a fuzzy rule describes the conclusion that is drawn when the condition is satisfied.

Examples of Fuzzy Rules

A simple fuzzy rule can be written as follows:

    IF x is HIGH and y is LOW THEN alarm

where x and y are parameters and HIGH and LOW are fuzzy sets. The rule says that if the value of x falls under HIGH and the value of y falls under LOW, then the corresponding action to be taken is alarm. An algorithm is used to draw inferences from fuzzy rules. It can be explained in three steps. First, the antecedent of each rule is evaluated over the (deviations of the) parameter values, the truth value of a conjunction being the minimum of the memberships of its clauses. Second, the rule with the largest antecedent truth value is selected. Finally, the action to be taken is the consequent of that rule. An example of how to draw an inference is shown below (Gomez and Dasgupta 2002). Consider the following rules:

    Rule1: IF x is HIGH and y is LOW THEN action3
    Rule2: IF x is MEDIUM HIGH and y is MEDIUM THEN action3
    Rule3: IF x is MEDIUM and y is MEDIUM LOW THEN action1

Let the variable values be: x is 0.7 and y is

The degrees of membership are:

x in HIGH is 0.2, x in MEDIUM HIGH is 0.7, and x in MEDIUM is 0.3
y in LOW is 0.4, y in MEDIUM LOW is 0.8, and y in MEDIUM is 0.4

The truth values for the rules are: for Rule1 = 0.2, for Rule2 = 0.4, and for Rule3 = 0.3. Hence the chosen rule is Rule2, which has the highest truth value, and thus the conclusion is that action3 has to be taken.

Genetic Algorithms

John Holland invented genetic algorithms, which mimic some of the processes involved in natural evolution. They are part of evolutionary computation. Genetic algorithms are search algorithms based on the concept of natural selection. They combine survival of the fittest with structured, randomized information exchange to form a search algorithm. New sets of strings are created in each generation from pieces obtained from the fittest individuals. Genetic algorithms have their origin in biology.

Differences between Genetic Algorithms and Traditional Methods

Genetic algorithms work with the coded parameter set of the optimization problem; they do not work with the parameters themselves. For example, to maximize a certain function f(x), x first has to be coded as a finite-length string. The next difference between the two methods is that a genetic algorithm searches from a population of points, whereas traditional methods search from a single point in the decision space and use some transition rule to determine the next point. This could be dangerous, as it might result in locating false peaks in the search space. This problem is not encountered with genetic algorithms, as they search from a rich database of points. Another major difference is that genetic algorithms, unlike traditional methods, do not need any auxiliary information to work properly. Some traditional methods like gradient techniques require derivative information to climb the current peak, whereas genetic algorithms just need some payoff values to perform an effective search over the population. The last difference listed here is that genetic algorithms use probabilistic transition rules, not deterministic ones, to guide their search (Goldberg 1953).

Genetic Algorithm Concepts

Genetic algorithms use biological concepts like chromosomal representation, reproduction and survival of the fittest individuals. Chromosomes consist of genes (shown in Figure 21), which are blocks of DNA. The entire set of genetic material, or all chromosomes, is termed the genome. A set of genes in the genome is called a genotype.

Figure 21: Chromosome with n genes (figure content: G1 G2 ... Gn-1 Gn)
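The three-step inference procedure worked in the Fuzzy Rules section above (evaluate each antecedent, select the rule with the largest truth value, take its consequent), as an added Python example that is not code from the thesis or from CIDS. The rules and membership degrees are the ones listed on the page; the triangular membership function and the fuzzify helper are assumptions added so that crisp parameter values can be mapped to degrees.

```python
"""Fuzzy rule inference in the style of the thesis example.

Added example, not code from the thesis or from CIDS. The AND of two fuzzy
memberships is taken as the minimum, which reproduces the truth values the
page lists (0.2, 0.4 and 0.3). The triangular membership function and the
fuzzify() helper are constructed assumptions, not something the page defines.
"""


def triangular(x, a, b, c):
    """Triangular membership (assumed shape): 0 at a and c, 1 at the peak b."""
    if x <= a or x >= c:
        return 0.0
    if x == b:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (c - x) / (c - b)


def fuzzify(value, sets):
    """Map a crisp value to membership degrees over named triangular sets."""
    return {name: triangular(value, *abc) for name, abc in sets.items()}


# Rules exactly as in the thesis example: (name, x-set, y-set, consequent).
RULES = [
    ("Rule1", "HIGH", "LOW", "action3"),
    ("Rule2", "MEDIUM HIGH", "MEDIUM", "action3"),
    ("Rule3", "MEDIUM", "MEDIUM LOW", "action1"),
]

# Membership degrees listed in the thesis for x = 0.7 and the chosen y.
X_DEGREES = {"HIGH": 0.2, "MEDIUM HIGH": 0.7, "MEDIUM": 0.3}
Y_DEGREES = {"LOW": 0.4, "MEDIUM LOW": 0.8, "MEDIUM": 0.4}


def antecedent_truth(rule, x_degrees, y_degrees):
    """Step 1: truth value of 'x is A and y is B' as min of the two degrees."""
    _, x_set, y_set, _ = rule
    return min(x_degrees.get(x_set, 0.0), y_degrees.get(y_set, 0.0))


def infer(rules, x_degrees, y_degrees):
    """Steps 2 and 3: pick the rule with the largest truth value and return
    (rule name, truth value, consequent); None when no rule fires at all."""
    scored = [(antecedent_truth(r, x_degrees, y_degrees), r) for r in rules]
    truth, best = max(scored, key=lambda pair: pair[0])
    if truth == 0.0:
        return None
    return best[0], truth, best[3]


def page_example():
    """The worked example from the page: Rule2 wins with truth value 0.4."""
    return infer(RULES, X_DEGREES, Y_DEGREES)


if __name__ == "__main__":
    print(page_example())  # ('Rule2', 0.4, 'action3')
```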

During reproduction, crossover occurs first. In crossover, genes from two parents combine to form a new chromosome. After crossover, mutation takes place. In mutation, elements or genes of a chromosome can be flipped (randomly) to generate variability in the chromosome.

A genetic algorithm can be viewed as a two-stage process. Selection is applied to the current population, which results in an intermediate population. Then recombination and mutation are applied to the intermediate population to generate the next population. This process of selection and recombination is called one generation of a genetic algorithm (Whitley 1993). In a steady-state GA, however, only a portion of the population is replaced in each iteration, so that parents and offspring compete with each other.

Representation of Chromosomes

A genetic algorithm optimizes a given function by encoding the chromosomes, or the individuals in the population. Different methods can be used to encode the chromosome.

Binary encoding

Binary encoding is the most commonly used form of encoding. In this type of encoding, the genes in the chromosome are represented as binary bits. An example of a chromosome represented using binary encoding is shown in Figure 22.

Figure 22: Binary encoding of Chromosome X

Permutation Encoding

In this type of encoding, the genes in the chromosome represent a certain order. This order provides a certain direction for the problem being solved. This type of encoding is generally used for ordering problems. Figure 23 shows an example of permutation encoding.

Figure 23: Permutation encoding of Chromosome X

Value Encoding

As the name implies, in value encoding the genes in the chromosome are assigned a sequence of values. These values are somehow related to the problem being solved. Figure 24 gives an example of value encoding.

Figure 24: Value encoding of Chromosome X

Tree Encoding

This type of encoding is generally used for representing programs or expressions. A tree is used to represent the genes in the chromosome. Figure 25 shows a chromosome represented using tree encoding for the expression (6-(y+2)).

Figure 25: Tree representation of a chromosome (figure content: tree nodes 6, +, y and 2 for the expression (6-(y+2)))

Search Space

As mentioned earlier, the genetic algorithm searches from a database of initial chromosomes. This space of all feasible solutions is called the search space. Each point in the search space is a possible solution. Fitness represents the value of each solution, which is marked for each solution on the space. The genetic algorithm searches for the best solution among all possible solutions. At the beginning the search space may be small; as the evolution proceeds, the search space could become large.

Simple Genetic Algorithm

The implementation of a single process of selection and recombination is termed a Simple Genetic Algorithm. It is composed of Reproduction (Selection), Crossover and Mutation. Figure 26 shows the flowchart of a genetic algorithm. It starts with a random population and continues to evolve new individuals in the population based on their fitness values. It uses crossover and mutation operators as needed. Finally, the algorithm halts when the specified final condition is encountered.

Figure 26: Flowchart of a Basic Genetic Algorithm (figure content: generate random population; evaluate fitness; generate new population by applying selection, crossover and mutation; replace the population; if the stop condition is not satisfied, repeat; otherwise stop and give the result)

Reproduction

In reproduction, individual chromosomes are copied to the next generation based on their objective function. This implies that chromosomes with a higher fitness value have a higher probability of being in the next generation. The reproduction operator can be implemented in different ways. Some of them are Roulette Wheel Selection, Rank Selection, Steady-State Selection and Elitism.

Roulette Wheel Selection

Each chromosome in the population has a roulette wheel slot. Each slot is sized in proportion to the chromosome's fitness value. The better the fitness value of the string, the greater the chance of the chromosome being selected.

Figure 27: Roulette Wheel for Four Chromosomes (figure content: four slots of 50%, 20%, 15% and 15%)

Figure 27 shows a roulette wheel for a population of four individuals. Each individual chromosome has a fitness value which is the product of its respective percentage and the total fitness value. To reproduce, the weighted roulette wheel is rotated and the chromosome where it stops is selected. Obviously, the chromosome with the larger fitness value has more chance of getting selected. Whenever a new offspring is required, a spin of the weighted roulette wheel yields the reproductive offspring.

Rank Selection

In roulette wheel selection, individuals with a higher fitness function have a higher probability of getting selected. This may not always be an efficient selection criterion. Hence rank-based selection is used instead of roulette wheel selection. In this method, the chromosomes are ranked based on a certain criterion. Then the chromosomes are selected based on their obtained ranks. This method may result in slower convergence, as the best chromosomes do not differ much from the other chromosomes.

Steady-State Selection

In this selection, a few good chromosomes are selected to create new offspring. Then the bad chromosomes in the current population are replaced with these new offspring, thus eliminating bad chromosomes.

Elitism

In this selection, the best chromosomes are first copied to the population to participate in the later generations. This type of selection enables good chromosomes to be retained in the population for later generations. The rest of the population is selected using any of the selection methods discussed so far. This selection strategy improves the performance of the genetic algorithm, as the best chromosomes are always retained in the population.

Crossover

One of the major operators of a genetic algorithm is crossover. In crossover, two chromosomes are randomly chosen and mated to produce a new chromosome, which is fitter than at least one of the parent chromosomes. There are four different types of crossover operations: single point crossover, two-point crossover, uniform crossover and arithmetic crossover.

Mutation

Mutation is the next important operator in genetic algorithms. In mutation, the bits are simply flipped to produce a new chromosome. Figure 28 shows an example of a chromosome whose last bit is mutated. Mutation helps in exploring the search space, as new individuals are always being generated.

Figure 28: Mutation operation on the last bit of a chromosome
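The simple genetic algorithm described above (binary encoding, roulette wheel selection sized as in Figure 27, single point crossover, bit-flip mutation as in Figure 28, elitism, and the generation loop of Figure 26), as an added Python example that is not the thesis's own code. The fitness function (the integer value of the bit string), the population size and the crossover and mutation rates are constructed assumptions.

```python
"""Simple genetic algorithm with the operators described in the text.

Added example, not code from the thesis. Chromosomes are binary strings;
fitness, population size, rates and the random seed are constructed
assumptions so the block runs stand-alone and deterministically.
"""
import random


def decode(chromosome):
    """Binary encoding: read the bit string as an unsigned integer."""
    return int(chromosome, 2)


def fitness(chromosome):
    """Constructed objective: a larger encoded value is fitter (max is all ones)."""
    return decode(chromosome)


def roulette_pick(fitnesses, spin):
    """Roulette wheel selection for an explicit spin in [0, 1).

    Slot i covers a fraction fitnesses[i] / total of the wheel, so for the
    Figure 27 wheel [50, 20, 15, 15] the first slot is [0, 0.5), the second
    [0.5, 0.7), and so on. Returns the index of the selected chromosome."""
    total = float(sum(fitnesses))
    if total <= 0:
        raise ValueError("roulette selection needs a positive total fitness")
    cumulative = 0.0
    for i, f in enumerate(fitnesses):
        cumulative += f / total
        if spin < cumulative:
            return i
    return len(fitnesses) - 1  # guard against rounding at the end of the wheel


def single_point_crossover(parent_a, parent_b, point):
    """Swap the tails of two parents after bit position `point`."""
    return (parent_a[:point] + parent_b[point:],
            parent_b[:point] + parent_a[point:])


def mutate(chromosome, position):
    """Flip one bit; position -1 flips the last bit as in Figure 28."""
    bits = list(chromosome)
    bits[position] = "0" if bits[position] == "1" else "1"
    return "".join(bits)


def random_mutation(chromosome, rate, rng):
    """Flip each bit independently with probability `rate`."""
    return "".join(("0" if b == "1" else "1") if rng.random() < rate else b
                   for b in chromosome)


def next_generation(population, rng, crossover_rate=0.8, mutation_rate=0.05):
    """One generation: elitism, then roulette selection, crossover and mutation."""
    fits = [fitness(c) for c in population]
    new_pop = [max(population, key=fitness)]  # elitism: best survives unchanged
    while len(new_pop) < len(population):
        a = population[roulette_pick(fits, rng.random())]
        b = population[roulette_pick(fits, rng.random())]
        if rng.random() < crossover_rate:
            a, b = single_point_crossover(a, b, rng.randrange(1, len(a)))
        for child in (a, b):
            if len(new_pop) < len(population):
                new_pop.append(random_mutation(child, mutation_rate, rng))
    return new_pop


def run_ga(length=8, size=20, generations=40, seed=1):
    """Figure 26 loop: random population, evolve for a fixed number of
    generations (the stop condition), return the fittest chromosome."""
    rng = random.Random(seed)
    population = ["".join(rng.choice("01") for _ in range(length))
                  for _ in range(size)]
    for _ in range(generations):
        population = next_generation(population, rng)
    return max(population, key=fitness)


if __name__ == "__main__":
    print(run_ga())
```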

Chapter 2

2 TECHNIQUES AND TOOLS USED

2.1 Intrusion Detection System

The thesis uses an Intrusion Detection System reported in (Dasgupta et al. 2002). The details about these attacks are mentioned in section . It has a Fuzzy decision engine used to detect the type of abnormalities based on the fuzzy rules generated.

2.2 Wireless LAN Attacks

Type of Attacks

This thesis reports the generation of two kinds of attacks on wireless networks and tests the ability of the Intrusion Detection System to detect these attacks. One attack is performed on an Infrastructure network (BSS) while the other is performed on an Ad-Hoc network (IBSS).

MAC Address Spoofing and Bypassing ACL: This attack is performed on an Infrastructure network. Most access points are provided with the feature of rejecting connections from unauthorized wireless cards. This feature is provided with the help of a MAC authorization list (Access Control List). The user may wish to enable or disable this service depending on the level of security needed. Only the MAC addresses of the desired wireless cards should be provided in the access list. Research has shown (Wright 2003) that it is possible to bypass the ACL. This is because it is possible to change the MAC address of a wireless card. Section 3.1 gives more details about how the attack is launched and the detection rate provided by the IDS.

Denial of Service Attack: This attack is performed on an Ad-Hoc network. It is possible for an intruder to easily connect to a wireless network with just the help of a wireless card. Thus wireless networks are easily prone to many attacks. One such attack is the Denial of Service (DoS), which is also commonly known in wired networks. But launching such an attack in a WLAN is much easier than in a wired network, because the intruder need not have physical contact (a cable) to get connected to the network. DoS can take several forms. Some drop the connection of the wireless machine from its AP; others flood the network with a huge number of packets, rendering the wireless cloud inaccessible to the wireless machines. Also, when a signal greater than the frequency range of 802.11b WLAN (2.4GHz) is present, DoS may occur. This work performs DoS on the WLAN cloud by flooding the network with a large number of packets. The details of this attack are given in Section .

Attack Generation and Tools Used

Some wireless tools, which are freely available, are used to perform the experiments. These include Airsnort, Ethereal, Wellenreiter and SMAC. Experiments are conducted in the Intelligent Security Systems Research Lab (Univ. of Memphis), with four machines having Orinoco (silver) wireless cards and an Access Point (Linksys). Two of the four machines are Linux machines with Debian installed on them. The other two are Windows XP machines. The details of each of these tools are given in the following sections.

Airsnort

Airsnort is a tool used for determining the encryption key used in WEP. It passively monitors the network for packets and discovers the key when sufficient packets are captured. A detailed description of Airsnort is given in (Shmoo Group). Here, Airsnort version is used on a Linux machine. Figure 29 shows a snapshot of the Airsnort interface when the key is being recovered. The highlighted portion shows our AP. The description of each of these fields follows:

BSSID: The Basic Service Set ID. This is unique for each AP.
Name: The name given to the AP. In our experiments, we named the AP seclabtest.
WEP: Indicates whether the WEP key is enabled or not on the AP.
Last IV: This gives the IV associated with the communication between the wireless stations and the APs.
Chan: The channel on which the AP is currently operating.
Packets: The number of packets captured so far for each AP.
Encrypted: The total number of encrypted packets captured.
Interesting: These are the packets from which some useful information can be derived to hack the WEP key.

Figure 29: Snapshot of an Airsnort interface while capturing packets to hack the WEP key

Ethereal

Ethereal is a tool used for capturing data from the network. The data so collected can later be used for analysis. Details about this tool can be obtained from (Combs). The Ethereal stable version is used here to conduct the experiment. Figure 30 shows a snapshot of the Ethereal interface while the first attack experiment was running. The highlighted portion shows the information about a packet. It displays the frame number, the time at which the packet was captured, the source address from which the packet originated, the destination address to which the packet was intended to be delivered, the protocol (here 802.11) and the info field. The info field lists the different frames like management frames, beacon frames and data frames. The middle region of the interface shows the details of each collected packet. It not only includes the time duration for the packet to be transmitted but also lists other information like source MAC address, destination MAC address, fragment number and the sequence number. Each wireless client has a sequence number assigned to it by the access point, which keeps increasing. Whatever the application or service between the AP and the client, they follow a particular sequence. The bottom region of the interface displays the information about the packet in binary format.

Figure 30: Snapshot of the Ethereal interface during the MAC Spoofing Attack

Wellenreiter

Wellenreiter is a tool used for discovering wireless networks. It lists all the Ad-Hoc and Infrastructure networks which are reachable by it. It sends probe packets to determine the existing networks. If there are networks in the reachable range, then the networks respond with beacon frames. Wellenreiter version 1.8 is used for the experiment. A screenshot of the Wellenreiter interface while capturing the network traffic is shown in Figure 31. The highlighted line shows our AP. The software gives the following information about the networks:

State: Determines whether the network broadcasts its MAC address (in the form of beacon frames) or not. A green light represents that the network broadcasts its presence to the wireless nodes and a red light indicates a non-broadcasting network.
Channel: The channel the network is operating on.
Network ESSID: The extended service set identification name given to the network.
MAC-address: As the name suggests, it displays the MAC address of the network or the AP.
WEP: Indicates whether Wired Equivalent Privacy is enabled or not.
Manufactor: Gives the manufacturer.
Network type: This indicates whether it is an Ad-Hoc network or an Infrastructure network. If it is an Infrastructure network it is represented as IBSS, which means Infrastructure Basic Service Set, or else it is represented as BSS.
Pkt: This indicates whether there is any communication going on in the network.

Figure 31: Wellenreiter snapshot displaying a list of wireless networks in reachable range

Spoof MAC

Spoof MAC (SMAC) is a tool used for changing the MAC addresses of the network cards on a machine (KLC Consulting Inc.). Currently this tool is capable of performing such changes only on Windows machines. This thesis employs version 1.1 of SMAC to change the MAC address of a wireless card on a Windows XP machine (the attacker machine). An interface showing the ORiNOCO Client Manager (the manager used to configure the wireless card) and the SMAC interface before spoofing is shown in Figure 32. The client manager displays the station's name and the MAC address of a wireless card. This machine is used as the attacker machine. Also shown is the SMAC snapshot. It lists the network cards available on the machine and provides the capability to change the MAC address of these displayed cards. It can be seen from the SMAC interface of Figure 32 that the original or active MAC address of the wireless machine is 00:02:2D:51:7F:3C and the new address to spoof is 00:02:2D:2A:AA:AD. Among the several fields shown, the Spoofed field shows whether the card is spoofed or not. Currently, it shows that no spoofing has been done, but Figure 37 (Section 3.1.2) shows the interface when spoofing is done.

Figure 32: Snapshot from Orinoco Client Manager and SMAC before attack generation

Chapter 3

3 EXPERIMENTS AND RESULTS

3.1 Attack I

Experiment Settings

The experimental environment consists of a Linksys access point (model WAP11). All the security features described in the introduction section (such as WEP, MAC filtering, and disabling SSID) are enabled on the access point during the experiments. Four legitimate mobile nodes are assigned to communicate with the access point. The MAC addresses of these four mobile nodes are specified in the MAC filtering list of the access point (as shown in Figure 33). Thus the access point allows only these four clients to communicate in the network, provided they supply the correct encryption key (i.e., they are authorized).

Figure 33: MAC authorization list assigned by the access point

The MAC spoofing attack is generated as follows: the attacker machine (Windows XP) obtains the WEP key by running the Airsnort software (Shmoo Group). The attacker also needs to know the MAC address of one of the legitimate nodes, obtained by passively sniffing the network. Here, the Ethereal tool is used for sniffing. The attack is launched against a legitimate node with the MAC address 00:02:2D:2A:AA:AD. The attacker machine uses a tool called Spoof MAC (SMAC) to change its MAC address to 00:02:2D:2A:AA:AD and gains access to the network. The wireless network environment used in the experiments and the sequence of steps used to launch the MAC spoofing attack are shown in Figure 34.

Figure 34: Experimental Environment illustrating four authorized wireless machines associated with the access point (AP) and the machine launching the attack (figure content: attacker machine 00:02:2D:65:8B:5D; AP; wireless nodes 00:02:2D:2A:AB:5C, 00:02:2D:2A:AB:6D, 00:02:2D:2A:AA:AD and 00:02:2D:51:7F:3C; monitoring steps: run Wellenreiter and Ethereal to monitor the network, capture the traffic of each wireless node, and monitor the sequence numbers obtained from the captured packets; attack steps: run Airsnort to get the key from the wireless LAN, sniff the wireless cloud with Ethereal or Wellenreiter to get the MAC address of one of the legitimate nodes, and use the SMAC tool to change the attacker's own MAC address to that legitimate node's MAC address)

Data Collection and Preprocessing

In order to test the efficiency of the IDS in detecting this attack, the wireless network is monitored by collecting data on one of the nodes. This is performed with the help of the Wellenreiter (Lauer) and Ethereal (Combs) tools. The data thus captured is processed to extract the traffic going to and from the victim machine. The sequence number field of the captured packets is monitored for the experiment. This showed an interesting pattern. Normally, each wireless node connected to the AP should have its sequence numbers in increasing order. But here an uncommon instance, with two sets of sequence numbers between a single machine and the AP, was observed.

The attack is launched twice to collect two different data sets; one is used as the training data to train the detection system and the other as the testing data, to see how far the fuzzy classifier is able to detect such attacks. A Java program is written to preprocess the collected data sets. The training and testing sets are created using a window size of four consecutive values to capture temporal behavior. The training data set contains 2800 records and the testing data set is made up of 1000 records. These records are normalized, labeled and given to the Decision Agent, and the results of detection are shown in section . Figure 35 and Figure 36 show two instances when the attack was generated. A change in the sequence number from 86 to 2084 can be observed, the source addresses being the same, which is an indication of attack.
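A defender's version of the sequence number check described above, as an added Python example that is not the thesis's Java preprocessor or CIDS code. It parses constructed Ethereal-style records, builds the page's window of four consecutive sequence numbers per source MAC, and flags an address whose counter runs as two interleaved streams (the 86 versus 2084 pattern). The record format, the capture and the max_gap threshold are assumptions.

```python
"""Sequence number anomaly detection for the MAC spoofing experiment.

Added example, not code from the thesis or CIDS. Records are constructed in a
simplified Ethereal-like format: frame number, time, source MAC, sequence
number. Sequence numbers are treated as the 12-bit wrapping counter of 802.11,
so a legitimate wrap from 4095 to 0 is not mistaken for a second counter.
"""
from collections import defaultdict

SEQ_MODULO = 4096  # 802.11 sequence numbers are 12 bits and wrap around
WINDOW = 4         # window size the thesis uses to capture temporal behaviour

# Constructed capture: the legitimate node 00:02:2d:2a:aa:ad counts 86, 87, ...
# while a second counter (2084, 2085, ...) appears under the same address.
CAPTURE = """\
1 0.000 00:02:2d:2a:ab:5c 311
2 0.012 00:02:2d:2a:aa:ad 86
3 0.020 00:02:2d:2a:ab:5c 312
4 0.031 00:02:2d:2a:aa:ad 87
5 0.040 00:02:2d:2a:aa:ad 2084
6 0.052 00:02:2d:2a:aa:ad 88
7 0.060 00:02:2d:2a:aa:ad 2085
8 0.071 00:02:2d:2a:ab:5c 313
9 0.080 00:02:2d:2a:aa:ad 89
10 0.091 00:02:2d:2a:aa:ad 2086
"""


def parse_capture(text):
    """Yield (frame, time, src_mac, seq) tuples from the constructed records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, t, mac, seq = line.split()
        yield int(frame), float(t), mac.lower(), int(seq)


def windows_by_source(records, size=WINDOW):
    """Group sequence numbers per source MAC and cut them into sliding windows
    of `size` consecutive values (the preprocessing step on the page)."""
    per_mac = defaultdict(list)
    for _, _, mac, seq in records:
        per_mac[mac].append(seq)
    return {mac: [seqs[i:i + size] for i in range(len(seqs) - size + 1)]
            for mac, seqs in per_mac.items()}


def forward_gap(prev, cur, modulo=SEQ_MODULO):
    """Forward distance from prev to cur on the wrapping counter."""
    return (cur - prev) % modulo


def window_features(window, modulo=SEQ_MODULO):
    """Feature vector for a window: the forward gaps between its values."""
    return [forward_gap(a, b, modulo) for a, b in zip(window, window[1:])]


def is_anomalous(window, max_gap=64, modulo=SEQ_MODULO):
    """A single legitimate counter only moves forward in small steps.

    A gap above max_gap (a backward step wraps to a huge forward gap) inside
    one window means a second counter is sharing the source address."""
    return any(g > max_gap for g in window_features(window, modulo))


def detect_spoofed_sources(text, max_gap=64):
    """Return {mac: fraction of anomalous windows} for sources that trigger."""
    result = {}
    for mac, wins in windows_by_source(parse_capture(text)).items():
        if not wins:
            continue  # fewer than WINDOW frames seen: nothing to judge yet
        hits = sum(is_anomalous(w, max_gap) for w in wins)
        if hits:
            result[mac] = hits / len(wins)
    return result


if __name__ == "__main__":
    print(detect_spoofed_sources(CAPTURE))  # {'00:02:2d:2a:aa:ad': 1.0}
```

Retransmissions repeat a sequence number (gap 0) and a wrap from 4095 to 0 gives gap 1, so neither trips the check; the max_gap value is an assumed tuning point, not one the thesis gives.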

Figure 35: A snapshot of the Ethereal interface displaying a sequence number of 86 for a machine with MAC address 00:02:2d:2a:aa:ad

Figure 36: A snapshot of the Ethereal interface displaying a sequence number of 2084 for a machine with the same MAC address as in Figure 35

Figure 37 shows the MAC address on the attacker machine when the attack is generated. When compared to Figure 32, it is clear that the Spoofed field changed to Yes, indicating that the card is spoofed. Also the MAC address is changed from 00:02:2D:51:7F:3C to 00:02:2D:2A:AA:AD (victim machine). Though this may not be interesting or accessible to the user, it is shown here to illustrate how this attack is generated.


CS 356 Lecture 29 Wireless Security. Spring 2013 CS 356 Lecture 29 Wireless Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

CS6956: Wireless and Mobile Networks Lecture Notes: 2/11/2015. IEEE 802.11 Wireless Local Area Networks (WLANs)

CS6956: Wireless and Mobile Networks Lecture Notes: 2/11/2015. IEEE 802.11 Wireless Local Area Networks (WLANs) CS6956: Wireless and Mobile Networks Lecture Notes: //05 IEEE 80. Wireless Local Area Networks (WLANs) CSMA/CD Carrier Sense Multi Access/Collision Detection detects collision and retransmits, no acknowledgement,

More information

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd. Wireless LAN Attacks and Protection Tools (Section 3 contd.) WLAN Attacks Passive Attack unauthorised party gains access to a network and does not modify any resources on the network Active Attack unauthorised

More information

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012 Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret

More information

Security Requirements for Wireless Networks and their Satisfaction in IEEE 802.11b and Bluetooth

Security Requirements for Wireless Networks and their Satisfaction in IEEE 802.11b and Bluetooth Security Requirements for Wireless Networks and their Satisfaction in IEEE 802.11b and Bluetooth Henrich C. Poehls Master s Thesis M.Sc. in Information Security Information Security Group Royal Holloway,

More information

WiFi. Is for Wireless Fidelity Or IEEE 802.11 Standard By Greg Goldman. WiFi 1

WiFi. Is for Wireless Fidelity Or IEEE 802.11 Standard By Greg Goldman. WiFi 1 WiFi Is for Wireless Fidelity Or IEEE 802.11 Standard By Greg Goldman WiFi 1 What is the goal of 802.11 standard? To develop a Medium Access Control (MAC) and Physical Layer (PHY) specification for wireless

More information

IEEE 802.11 Technical Tutorial. Introduction. IEEE 802.11 Architecture

IEEE 802.11 Technical Tutorial. Introduction. IEEE 802.11 Architecture IEEE 802.11 Technical Tutorial Introduction The purpose of this document is to give technical readers a basic overview of the new 802.11 Standard, enabling them to understand the basic concepts, principle

More information

Recommended 802.11 Wireless Local Area Network Architecture

Recommended 802.11 Wireless Local Area Network Architecture NATIONAL SECURITY AGENCY Ft. George G. Meade, MD I332-008R-2005 Dated: 23 September 2005 Network Hardware Analysis and Evaluation Division Systems and Network Attack Center Recommended 802.11 Wireless

More information

Local Area Networks transmission system private speedy and secure kilometres shared transmission medium hardware & software

Local Area Networks transmission system private speedy and secure kilometres shared transmission medium hardware & software Local Area What s a LAN? A transmission system, usually private owned, very speedy and secure, covering a geographical area in the range of kilometres, comprising a shared transmission medium and a set

More information

Adaptive DCF of MAC for VoIP services using IEEE 802.11 networks

Adaptive DCF of MAC for VoIP services using IEEE 802.11 networks Adaptive DCF of MAC for VoIP services using IEEE 802.11 networks 1 Mr. Praveen S Patil, 2 Mr. Rabinarayan Panda, 3 Mr. Sunil Kumar R D 1,2,3 Asst. Professor, Department of MCA, The Oxford College of Engineering,

More information

Wireless Sensor Networks Chapter 14: Security in WSNs

Wireless Sensor Networks Chapter 14: Security in WSNs Wireless Sensor Networks Chapter 14: Security in WSNs António Grilo Courtesy: see reading list Goals of this chapter To give an understanding of the security vulnerabilities of Wireless Sensor Networks

More information

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK AN OVERVIEW OF MOBILE ADHOC NETWORK: INTRUSION DETECTION, TYPES OF ATTACKS AND

More information

STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS

STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS SACHIN MALVIYA Student, Department of Information Technology, Medicaps Institute of Science & Technology, INDORE (M.P.)

More information

An Evaluation of Security Services schemes For IEEE 802.11 Wireless LAN s Using Qualnet

An Evaluation of Security Services schemes For IEEE 802.11 Wireless LAN s Using Qualnet An Evaluation of Security Services schemes For IEEE 802.11 Wireless LAN s Using Qualnet Richa Gupta 1, Hamid Ali 2, munendra kumar das 3, Shalini Chaudhary 4 P.G. Student, Department of Electronics and

More information

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper Rev 1.0 HIPAA Security Considerations for Broadband Fixed Wireless Access Systems This white paper will investigate

More information

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security fs@wpi.edu

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security fs@wpi.edu Introduction to WiFi Security Frank Sweetser WPI Network Operations and Security fs@wpi.edu Why should I care? Or, more formally what are the risks? Unauthorized connections Stealing bandwidth Attacks

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An

More information

SECURITY ASPECTS IN MOBILE AD HOC NETWORK (MANETS)

SECURITY ASPECTS IN MOBILE AD HOC NETWORK (MANETS) SECURITY ASPECTS IN MOBILE AD HOC NETWORK (MANETS) Neha Maurya, ASM S IBMR ABSTRACT: Mobile Ad hoc networks (MANETs) are a new paradigm of wireless network, offering unrestricted mobility without any underlying

More information

Basic processes in IEEE802.11 networks

Basic processes in IEEE802.11 networks Module contents IEEE 802.11 Terminology IEEE 802.11 MAC Frames Basic processes in IEEE802.11 networks Configuration parameters.11 Architect. 1 IEEE 802.11 Terminology Station (STA) Architecture: Device

More information

IEEE 802 Protocol Layers. IEEE 802.11 Wireless LAN Standard. Protocol Architecture. Protocol Architecture. Separation of LLC and MAC.

IEEE 802 Protocol Layers. IEEE 802.11 Wireless LAN Standard. Protocol Architecture. Protocol Architecture. Separation of LLC and MAC. IEEE 802.11 Wireless LAN Standard IEEE 802 Protocol Layers Chapter 14 Protocol Architecture Functions of physical layer: Encoding/decoding of signals Preamble generation/removal (for synchronization) Bit

More information

Wireless Networks. Welcome to Wireless

Wireless Networks. Welcome to Wireless Wireless Networks 11/1/2010 Wireless Networks 1 Welcome to Wireless Radio waves No need to be physically plugged into the network Remote access Coverage Personal Area Network (PAN) Local Area Network (LAN)

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

HANDBOOK 8 NETWORK SECURITY Version 1.0

HANDBOOK 8 NETWORK SECURITY Version 1.0 Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives

More information

WLAN and IEEE 802.11 Security

WLAN and IEEE 802.11 Security WLAN and IEEE 802.11 Security Agenda Intro to WLAN Security mechanisms in IEEE 802.11 Attacks on 802.11 Summary Wireless LAN Technologies WLAN technologies are becoming increasingly popular, and promise

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Agenda. Wireless LAN Security. TCP/IP Protocol Suite (Internet Model) Security for TCP/IP. Agenda. Car Security Story

Agenda. Wireless LAN Security. TCP/IP Protocol Suite (Internet Model) Security for TCP/IP. Agenda. Car Security Story Wireless s June September 00 Agenda Wireless Security ผศ. ดร. อน นต ผลเพ ม Asst. Prof. Anan Phonphoem, Ph.D. anan@cpe.ku.ac.th http://www.cpe.ku.ac.th/~anan Computer Engineering Department Kasetsart University,

More information

Analysis of Security Issues and Their Solutions in Wireless LAN 1 Shenam Chugh, 2 Dr.Kamal

Analysis of Security Issues and Their Solutions in Wireless LAN 1 Shenam Chugh, 2 Dr.Kamal Analysis of Security Issues and Their Solutions in Wireless LAN 1 Shenam Chugh, 2 Dr.Kamal 1,2 Department of CSE 1,2,3 BRCM Bahal, Bhiwani 1 shenam91@gmail.com, 2 dkamal@brcm.edu.in Abstract This paper

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

TOWARDS STUDYING THE WLAN SECURITY ISSUES SUMMARY

TOWARDS STUDYING THE WLAN SECURITY ISSUES SUMMARY TOWARDS STUDYING THE WLAN SECURITY ISSUES SUMMARY SUBMITTED TO THE KUMAUN UNIVERSITY, NAINITAL BY MANOJ CHANDRA LOHANI FOR THE AWARD OF THE DEGREE OF DOCTOR OF PHILOSOPHY IN COMPUTER SCIENCE UNDER THE

More information

WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network

WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Executive Summary Wireless

More information

ITL BULLETIN FOR JANUARY 2011

ITL BULLETIN FOR JANUARY 2011 ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division

More information

Journal of Mobile, Embedded and Distributed Systems, vol. I, no. 1, 2009 ISSN 2067 4074

Journal of Mobile, Embedded and Distributed Systems, vol. I, no. 1, 2009 ISSN 2067 4074 Issues in WiFi Networks Nicolae TOMAI Faculty of Economic Informatics Department of IT&C Technologies Babes Bolyai Cluj-Napoca University, Romania tomai@econ.ubbcluj.ro Abstract: The paper has four sections.

More information

Mobile Office Security Requirements for the Mobile Office

Mobile Office Security Requirements for the Mobile Office Mobile Office Security Requirements for the Mobile Office S.Rupp@alcatel.de Alcatel SEL AG 20./21.06.2001 Overview Security Concepts in Mobile Networks Applications in Mobile Networks Mobile Terminal used

More information

Wireless LAN Security: Securing Your Access Point

Wireless LAN Security: Securing Your Access Point IJCSNS International Journal of Computer Science and Network Security, VOL.6 No.5B, May 2006 173 Wireless LAN Security: Securing Your Access Point Sia Sie Tung, Nurul Nadia Ahmad, Tan Kim Geok Faculty

More information

Wireless LAN Security Mechanisms

Wireless LAN Security Mechanisms Wireless LAN Security Mechanisms Jingan Xu, Andreas Mitschele-Thiel Technical University of Ilmenau, Integrated Hard- and Software Systems Group jingan.xu@tu-ilmenau.de, mitsch@tu-ilmenau.de Abstract.

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices Wireless Security All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices Portability Tamper-proof devices? Intrusion and interception of poorly

More information

The next generation of knowledge and expertise Wireless Security Basics

The next generation of knowledge and expertise Wireless Security Basics The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

IEEE 802.11 Wireless LAN Standard. Updated: 5/10/2011

IEEE 802.11 Wireless LAN Standard. Updated: 5/10/2011 IEEE 802.11 Wireless LAN Standard Updated: 5/10/2011 IEEE 802.11 History and Enhancements o 802.11 is dedicated to WLAN o The group started in 1990 o First standard that received industry support was 802.11b

More information

Name. Description. Rationale

Name. Description. Rationale Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

Security design for a new local area Network AULWLAN

Security design for a new local area Network AULWLAN International Conference on Computer Systems and Technologies CompSysTech 2003 Security design for a new local area Network AULWLAN Ahmed Abdo Ali ABSTRACT : This paper presents a security scheme for a

More information

Overview of 802.11 Networks and Standards

Overview of 802.11 Networks and Standards Overview of 802.11 Networks and Standards Mauri Kangas, Helsinki University of Technology, 17.02.2004 Mauri Kangas 17.2.2004 Page 1 (34) Family of 802.xx Standards ISO/IEC 8802-xx = IEEE 802.xx IEEE 802.1

More information

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection WHITE PAPER WEP Cloaking for Legacy TM Encryption Protection Introduction Wired Equivalent Privacy (WEP) is the encryption protocol defined in the original IEEE 802.11 standard for Wireless Local Area

More information

Wireless security (WEP) 802.11b Overview

Wireless security (WEP) 802.11b Overview Wireless security (WEP) 9/01/10 EJ Jung 802.11b Overview! Standard for wireless networks Approved by IEEE in 1999! Two modes: infrastructure and ad hoc IBSS (ad hoc) mode Independent Basic Service Set

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶 Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course

More information

How To Secure Wireless Networks

How To Secure Wireless Networks Lecture 24 Wireless Network Security modified from slides of Lawrie Brown Wireless Security Overview concerns for wireless security are similar to those found in a wired environment security requirements

More information

Wireless Intrusion Detection Systems (WIDS)

Wireless Intrusion Detection Systems (WIDS) Systems (WIDS) Dragan Pleskonjic CONWEX Dragan_Pleskonjic@conwex.net dragan@empowerproduction.com Motivation & idea Wireless networks are forecasted to expand rapidly (Wi-Fi IEEE 802.11a/b/g ) WLANs offer

More information

Wireless security. Any station within range of the RF receives data Two security mechanism

Wireless security. Any station within range of the RF receives data Two security mechanism 802.11 Security Wireless security Any station within range of the RF receives data Two security mechanism A means to decide who or what can use a WLAN authentication A means to provide privacy for the

More information

CS263: Wireless Communications and Sensor Networks

CS263: Wireless Communications and Sensor Networks CS263: Wireless Communications and Sensor Networks Matt Welsh Lecture 4: Medium Access Control October 5, 2004 2004 Matt Welsh Harvard University 1 Today's Lecture Medium Access Control Schemes: FDMA TDMA

More information

NXC5500/2500. Application Note. 802.11w Management Frame Protection. ZyXEL NXC Application Notes. Version 4.20 Edition 2, 02/2015

NXC5500/2500. Application Note. 802.11w Management Frame Protection. ZyXEL NXC Application Notes. Version 4.20 Edition 2, 02/2015 NXC5500/2500 Version 4.20 Edition 2, 02/2015 Application Note 802.11w Management Frame Protection Copyright 2015 ZyXEL Communications Corporation 802.11w Management Frame Protection Introduction IEEE 802.11w

More information

802.11 Wireless LAN Protocol CS 571 Fall 2006. 2006 Kenneth L. Calvert All rights reserved

802.11 Wireless LAN Protocol CS 571 Fall 2006. 2006 Kenneth L. Calvert All rights reserved 802.11 Wireless LAN Protocol CS 571 Fall 2006 2006 Kenneth L. Calvert All rights reserved Wireless Channel Considerations Stations may move Changing propagation delays, signal strengths, etc. "Non-transitive"

More information

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2003): 15 Wireless LAN Security 1. Dr.-Ing G.

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2003): 15 Wireless LAN Security 1. Dr.-Ing G. Network Security Chapter 15 Security of Wireless Local Area Networks Network Security (WS 2003: 15 Wireless LAN Security 1 IEEE 802.11 IEEE 802.11 standardizes medium access control (MAC and physical characteristics

More information

Network & Agent Based Intrusion Detection Systems

Network & Agent Based Intrusion Detection Systems Network & Agent Based Intrusion Detection Systems Hakan Albag TU Munich, Dep. of Computer Science Exchange Student Istanbul Tech. Uni., Dep. Of Comp. Engineering Abstract. The following document is focused

More information

DOS ATTACKS IN INTRUSION DETECTION AND INHIBITION TECHNOLOGY FOR WIRELESS COMPUTER NETWORK

DOS ATTACKS IN INTRUSION DETECTION AND INHIBITION TECHNOLOGY FOR WIRELESS COMPUTER NETWORK DOS ATTACKS IN INTRUSION DETECTION AND INHIBITION TECHNOLOGY FOR WIRELESS COMPUTER NETWORK ABSTRACT Dr. Sanjeev Dhull Associate Professor, RPIIT Karnal, Dept of Computer Science The DoS attack is the most

More information

Wireless LAN Security I: WEP Overview and Tools

Wireless LAN Security I: WEP Overview and Tools Wireless LAN Security I: WEP Overview and Tools Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

Network Based Intrusion Detection Using Honey pot Deception

Network Based Intrusion Detection Using Honey pot Deception Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.

More information

Computer Network. Interconnected collection of autonomous computers that are able to exchange information

Computer Network. Interconnected collection of autonomous computers that are able to exchange information Introduction Computer Network. Interconnected collection of autonomous computers that are able to exchange information No master/slave relationship between the computers in the network Data Communications.

More information

Computer Networks - CS132/EECS148 - Spring 2013 --------------------------------------------------------------------------

Computer Networks - CS132/EECS148 - Spring 2013 -------------------------------------------------------------------------- Computer Networks - CS132/EECS148 - Spring 2013 Instructor: Karim El Defrawy Assignment 5 Deadline : May 30th 9:30pm (hard and soft copies required) --------------------------------------------------------------------------

More information

LAN Switching. 15-441 Computer Networking. Switched Network Advantages. Hubs (more) Hubs. Bridges/Switches, 802.11, PPP. Interconnecting LANs

LAN Switching. 15-441 Computer Networking. Switched Network Advantages. Hubs (more) Hubs. Bridges/Switches, 802.11, PPP. Interconnecting LANs LAN Switching 15-441 Computer Networking Bridges/Switches, 802.11, PPP Extend reach of a single shared medium Connect two or more segments by copying data frames between them Switches only copy data when

More information

APPENDIX 1 USER LEVEL IMPLEMENTATION OF PPATPAN IN LINUX SYSTEM

APPENDIX 1 USER LEVEL IMPLEMENTATION OF PPATPAN IN LINUX SYSTEM 152 APPENDIX 1 USER LEVEL IMPLEMENTATION OF PPATPAN IN LINUX SYSTEM A1.1 INTRODUCTION PPATPAN is implemented in a test bed with five Linux system arranged in a multihop topology. The system is implemented

More information

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002 INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before

More information