Transcript Proposal Presentation

Wireless Intrusion Detection &
Response
ECE 4006 Group 2:
Seng Ooh Toh
Varun Kanotra
Nitin Namjoshi
Yu-Xi Lim
Contents






Project Description & Demo
Competitors & Market
Building Blocks & Project Timeline
Challenges, Risks and Difficulty Level
Product Testing
Hardware and Software Requirements
Project Description
What is the product?




An access point which can detect
intruders and take counter measures
Detection of Netstumbler
Blocking / Jamming Netstumbler
without affecting network performance
Product will be open source and will
integrate several available technologies
Project Demo



Several computers on a wireless
network
Wireless network intruder using
Netstumbler
Three Phases



Network setup
Netstumbler and intrusion
Intrusion detection and counter measures
Phase I – Network Setup



2-3 Linux machines setup with an
access point to form a 802.11b network
Data (packets) routed from linux
machines to each other through AP
Access point monitor used to detect
source and destination of packets
passing through the access point
Phase II – Intrusion



Intrusion detection and jamming turned
off
Netstumbler used to access information
on the wireless network
Netstumbler captured packet
information shown
Phase III – Intrusion
Detection & Counter Measures



Netstumbler packet detection
Blocking of Netstumbler packets, RF
jamming or fake AP barrage
Data rate on wireless network
measured w/ and w/o counter
measures
User Interface



Focus on proving the concept
Open source allows end users to
develop UI according to their needs
Basic text-based user interface for
testing, debugging and demo
Competitors & Market
Competitors




Fake AP – Product developed by Black
Alchemy.
Used for flooding the wireless network
with false AP beacon packets.
Netstumbler gets overwhelmed with
thousands of access points.
Open Source, supported by linux.
Competitors (contd.)



Air Defense – Enterprise/Military wireless
intrusion detection system.
Sold as a complete system which includes
AirDefense sensors, server appliance.
Does not take action against intruder, just
monitors the network, and informs the
administrator of any suspicious activity.
Price


Fake AP is a freeware. Available at:
http://www.blackalchemy.to/Projects/fa
keap/fake-ap.html
AirDefense system costs between
$19,000 to $25,000.
Our Product



No product in the market today
combines both Intrusion detection and
response.
Our product shall be freely available.
This makes product unique and
attractive to potential users.
Building Blocks


Setup – Installing network cards on two
linux machines, installing HostAP
drivers, installing wireless sniffers,
packet sniffer libraries.
Detect NetStumbler – recognize
netstumbler signature, UI design for
reporting malicious activity.
Building Blocks (contd.)
Counter-measures –
- Logging event information (MAC, time,
physical location)
- Sending bogus AP information.
- DoS


Port to Open AP – combine detection and
countermeasure and run it on an AP.
Building Blocks (contd.)


OpenAP PC interface – write a TCP
sockets client-server program.
Allow network administrator to remotely
configure and acquire information from
Access Point.
Projected Timeline

12 weeks to complete.
Task Assignments
Challenges, Risks and
Difficulty Level
Initial Setup – Challenges and
Difficulty



Lack of resources for experimental
drivers
Recompilation of kernel and other
support packages
Compatibility and interoperability of
hardware
Initial Setup - Risk


Project could be severely delayed if we
are plagued with compatibility issues
Incompatible hardware might require
extra expenses to get different cards
Wardriving Detection –
Challenges and Difficulty



Limited storage memory
Libpcap vs. low-level syscalls
Development of algorithm for heuristic
Wardriving detection
Wardriving Detection – Risks


Inability to differentiate between
Wardriver and legitimate client renders
module useless
Forced to resort to low-level syscalls
without availability of experimental
driver documentation
Countermeasure – Challenges
and Difficulty



Limited storage memory
Countermeasures without affecting
normal network performance
Discovering new denial-of-service
attacks attains Wardriving client
Porting to Access Point



Different development framework
Inaccessibility of access point
Limited debug tools
Product Testing
Stage 1 : Wardriver Detection



Reliable Wardriver detection
Does not pick up legitimate traffic from
a variety of wireless cards
Logging
Stage 2 : Countermeasure




Executed in parallel with Stage 1
Sufficiently confuses Wardriver
Disables Wardriver
Does not affect normal network traffic
Stage 3 : Access Point



Remote deployment
Durability (uptime)
Status monitored remotely
Hardware and Software
Requirements
Hardware Required





2x Linksys Wireless PC Card
1x Orinoco Gold Wireless Card
2x PCI-PC Card adapter
USR 2450 Access Point
Pretec 4MB Linear Mapped Card
Software Required






Host AP
Open AP
Net Stumbler
Ethereal
Other scanners
Other sniffers
Parts Designed and Adapted
Parts Adapted or Reused



Host AP
Open AP
Fake AP
Parts Designed



Intrusion detection algorithm
Integration on Host AP
Integration on Open AP