A Wireless Intrusion Detection
System and a new attack model
Project Guide: Mr. S.P. Vijayanand, M.E.
by
R. Berlin Mano
M. Gokul Raj
Abstract

Denial-of-Service attacks, and jamming in particular, are a threat to wireless networks because they are easy to mount and difficult to detect and stop.

We propose a distributed intrusion detection system in which each node monitors the traffic flow on the network and collects relevant statistics about it. By combining each node's view we are able to tell whether an attack happened or whether the channel is just saturated. The attack detection mechanism proposed here is therefore based on shared monitoring of the network by all nodes.
SYSTEM ANALYSIS:
Existing System:
• Traditional intrusion detection systems primarily use a method known as "finger printing" (matching traffic against known signatures) to identify malicious users. They are complex.
• They are rule dependent: if the behavior of the packets flowing in the network is new, the system cannot take any decision, so it works purely on the basis of the initial rules it was given.
• It cannot create its own rules depending on the current situation.
• It requires manual effort to monitor the inflowing packets and analyze their behavior.
• It cannot take decisions at runtime.
• If the pattern of a packet is new and not present in the records, the packets are allowed to flow without analyzing whether they come from an intruder or not; a packet with new behavior can therefore pass without being filtered.
PROPOSED SYSTEM:
• It uses a matching algorithm, a problem-solving model drawn from artificial intelligence.
• The IDS compares learned user characteristics, derived empirically, against all users of the system.
• It includes temporal and spatial information about the network traffic.
• It is both a network-based and a host-based system.
• It can take decisions at runtime.
Advantages
• An attack does not need to be previously known in order to be detected, because malicious behavior differs from normal behavior by nature (the usual cost of such an anomaly-based approach is a higher false-positive rate than a signature system).
• A generalized behavioral model is theoretically more accurate, more efficient and easier to maintain than a finger-printing system.
• It uses a constant amount of computing resources per user, drastically reducing the possibility of depleting the available resources.
System Specification
Software Requirements:
Operating System         : Windows 2000 and above
Programming Package used : Java 1.4 and above, Swing
Hardware Specification:
Hard Disk                : 40 GB and above
RAM                      : 128 MB and above
Processor                : Pentium III and above
System Description
The modules in this system are:
1. Multicasting the packets to detect the intruder
2. Matching the list of events
3. Multicasting the intruder to the neighboring nodes
4. Sending data to the destination
Module Description
Multicasting the packet to detect the intruder:
• The basic idea is to set up a monitor at each node in the network that produces evidence and shares it among all the nodes.
• Evidence is a set of relevant information about the network state.
• The initial process is the training process: the source sends packets carrying events to all the nodes in the network in order to detect the intruder. This process is known as multicasting.
• Before sending the packets to all nodes, the source node stamps each packet with a timestamp.
• The events sent during this training process are stored as the initial event list #1 in the source node.
• Receivers receive the packets, which contain the timestamp, and send the appropriate ACK replies. Receivers store the received packets in their own event list.
Matching the List of Events:
The basic algorithm to match two lists of events is as follows:
• The matching algorithm is invoked after the reply events have been received from the network.
• Starting from the first list (the events the source sent), for every event we try to find a matching event on the second list (the events the receiver acknowledged); that is, given a packet, we look for it on the second list.
• This matching is carried out between the sending list and the receiving list.
• If unmatched events remain on the second list at the end, the sending and receiving events are not the same, and the node that produced that list is treated as an intruder.
Multicasting the Intruder to the neighboring nodes:
• If any of the received ACK packets does not match, the node that sent it is the intruder being looked for.
• Once the intruder is detected, its address is sent to the entire network by multicasting.
• Neighbor nodes receive the IP address of the intruder and store it in their event lists to prevent future attacks from that node in the network.
• The multicasting of the intruder's address is done by the source.
• Note that this report is itself an unauthenticated multicast datagram, so the scheme relies on the source being honest: a node that forges such a report can get an honest neighbor blacklisted.
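The training round and the event-list matching of modules 1 to 3, as an added example in Python; this is not the project's Java code. The layout of an event as (sequence number, timestamp, SHA-256 of the payload), the ACK structure, the node addresses and the rule that a round in which no node answers at all is classified as jamming or channel saturation rather than as intrusion are assumptions made for illustration.

```python
"""Training round and event-list matching for the distributed IDS (added example,
not the project's code).  Assumed for illustration: an event is
(seq, timestamp, sha256(payload)); each receiver returns the events it saw as its
ACK; a round in which no node answers at all is classified as jamming or channel
saturation rather than as the fault of one node."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    seq: int          # packet sequence number
    timestamp: float  # stamped by the source before the multicast
    digest: str       # SHA-256 of the packet payload


def _digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def make_event_list(payloads: List[bytes], t0: float, interval: float = 0.01) -> List[Event]:
    """Source side: event list #1, one timestamped event per training packet."""
    return [Event(i, t0 + i * interval, _digest(p)) for i, p in enumerate(payloads)]


def receiver_ack(packets: List[Tuple[int, float, bytes]]) -> List[Event]:
    """Receiver side: the events a node derives from the packets it actually got."""
    return [Event(seq, ts, _digest(p)) for seq, ts, p in packets]


def match_event_lists(sent: List[Event], received: List[Event]) -> Tuple[List[Event], List[Event]]:
    """The matching step: for every event on the first list, look for the same
    event on the second.  Returns the events left unmatched on each side."""
    sent_set, recv_set = set(sent), set(received)
    missing = [e for e in sent if e not in recv_set]          # sent but never acknowledged
    unexpected = [e for e in received if e not in sent_set]   # acknowledged but never sent: altered, replayed or forged
    return missing, unexpected


def classify_round(sent: List[Event], acks: Dict[str, Optional[List[Event]]]) -> Dict:
    """acks maps a node address to its ACK list, or None if the node stayed silent."""
    if acks and all(a is None for a in acks.values()):
        # Nobody answered: the channel is jammed or saturated, not one misbehaving node.
        return {"verdict": "jamming_or_saturation", "intruders": [], "details": {}}
    intruders, details = [], {}
    for node, ack in acks.items():
        missing, unexpected = match_event_lists(sent, ack or [])
        if missing or unexpected:
            intruders.append(node)
            details[node] = {"missing": [e.seq for e in missing],
                             "unexpected": [e.seq for e in unexpected]}
    return {"verdict": "intrusion" if intruders else "clean",
            "intruders": sorted(intruders), "details": details}


def demo() -> Tuple[Dict, Dict]:
    """Constructed sample round: one honest node, one that tampers, one that replays."""
    payloads = [b"train-0", b"train-1", b"train-2"]
    sent = make_event_list(payloads, t0=1000.0)
    honest = receiver_ack([(e.seq, e.timestamp, p) for e, p in zip(sent, payloads)])
    # 10.0.0.3 altered packet 1 in transit and never saw packet 2
    tampered = receiver_ack([(sent[0].seq, sent[0].timestamp, payloads[0]),
                             (sent[1].seq, sent[1].timestamp, b"train-1-MODIFIED")])
    # 10.0.0.4 replays an ACK list from an earlier round: every timestamp is stale
    replayed = receiver_ack([(e.seq, e.timestamp - 60.0, p) for e, p in zip(sent, payloads)])
    attack_round = classify_round(sent, {"10.0.0.2": honest, "10.0.0.3": tampered, "10.0.0.4": replayed})
    jammed_round = classify_round(sent, {"10.0.0.2": None, "10.0.0.3": None, "10.0.0.4": None})
    return attack_round, jammed_round


if __name__ == "__main__":
    for r in demo():
        print(r["verdict"], r["intruders"], r["details"])
```

Because the timestamp is part of the event, a replayed ACK list from an earlier round fails to match even though every payload digest is correct; and because a silent node is only flagged when other nodes did answer, a jammed channel is reported as such instead of as a long list of intruders.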
Sending the data to the destination:
• The data is sent by splitting the chosen text file into packets for transmission.
• The send process is invoked after the source has found an intruder-free path.
• In the case of jamming or a network malfunction, the source waits until the network is restored, then runs the training process to find intruders and, if any are detected, selects a path free of intrusion.
• The source sends the data directly to the destination through the 'safe' path. The destination receives the data in the form of packets and checks for anomalies in order to detect any data lost due to intrusion.
Coding: (Multicast sender)

// Builds the message "Hello:<hostname>=<distance>:Hello Protocol" and multicasts it
// to the group/port read from settings.txt (the same keys the receiver uses).
// Requires: import java.io.IOException; import java.net.*;
// Note: the hostname and distance are self-reported; nothing authenticates them.
try {
    String s1 = "Hello";
    String s2 = InetAddress.getLocalHost().getHostName() + "="
              + Operations.getPropInt("settings.txt", "distance");
    String j = "Hello Protocol";
    String s = s1 + ":" + s2 + ":" + j;
    byte[] b = s.getBytes("UTF-8");
    InetAddress ia = InetAddress.getByName(Operations.getProperty("settings.txt", "addres"));
    int port = Integer.parseInt(Operations.getProperty("settings.txt", "port"));
    MulticastSocket ms = new MulticastSocket();
    ms.send(new DatagramPacket(b, b.length, ia, port));   // the original hands b to a sender thread
    ms.close();
} catch (IOException e) {
    e.printStackTrace();
}
Coding: (Hello receiver)

// Joins the multicast group, reads one datagram and records the sender as a
// neighbor if the message carries the "Hello Protocol" marker.
// Requires: import java.io.IOException; import java.net.*; import java.util.StringTokenizer;
try {
    InetAddress ia = InetAddress.getByName(Operations.getProperty("settings.txt", "addres"));
    int port = Integer.parseInt(Operations.getProperty("settings.txt", "port"));
    MulticastSocket ms = new MulticastSocket(port);
    ms.joinGroup(ia);
    byte[] b = new byte[byt];                    // byt: receive buffer size, defined elsewhere in the project
    DatagramPacket dp = new DatagramPacket(b, b.length);
    ms.receive(dp);
    ms.close();
    // Use the received length, not the whole buffer, so trailing zero bytes do not end up in the string.
    String s = new String(dp.getData(), 0, dp.getLength(), "UTF-8");
    StringTokenizer st = new StringTokenizer(s.trim(), ":");
    if (st.countTokens() == 3) {                 // a malformed datagram would otherwise throw NoSuchElementException
        String s1 = st.nextToken();              // "Hello"
        String s2 = st.nextToken();              // "<hostname>=<distance>", as claimed by the sender
        String s3 = st.nextToken();              // "Hello Protocol"
        if (s1.equals("Hello") && s3.equals("Hello Protocol")) {
            neighbornode.add(s2);                // nothing ties s2 to dp.getAddress(), so any node can claim any name
        }
    }
} catch (IOException e) {
    e.printStackTrace();
}
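A parser for the Hello datagram that the two snippets exchange, as an added example in Python; it is not the project's code. The wire format "Hello:<hostname>=<distance>:Hello Protocol" is the one the Java snippets build; the size limit, the validation rules and the NeighborTable that ties the claimed hostname to the address the datagram came from are assumptions.

```python
"""Encoding and parsing of the Hello neighbour-discovery datagram (added
example, not the project's code).  The wire format
"Hello:<hostname>=<distance>:Hello Protocol" is the one the Java snippets
build; the size limit, the validation rules and the NeighborTable are
assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAGIC = "Hello"
PROTOCOL = "Hello Protocol"
MAX_LEN = 256            # assumed upper bound for a Hello datagram


@dataclass(frozen=True)
class Hello:
    host: str
    distance: int


def encode_hello(host: str, distance: int) -> bytes:
    """Sender side: refuse names that would collide with the field separators."""
    if not host or ":" in host or "=" in host:
        raise ValueError("host must be non-empty and must not contain ':' or '='")
    return f"{MAGIC}:{host}={distance}:{PROTOCOL}".encode("utf-8")


def parse_hello(datagram: bytes) -> Optional[Hello]:
    """Receiver side: return a Hello, or None for anything malformed.
    Unlike the tokenizer-based receiver, this rejects extra or empty fields,
    non-numeric distances, oversized datagrams and non-UTF-8 bytes."""
    if len(datagram) > MAX_LEN:
        return None
    try:
        # a fixed-size receive buffer (as in the Java receiver) is NUL-padded
        text = datagram.decode("utf-8").rstrip("\x00").strip()
    except UnicodeDecodeError:
        return None
    parts = text.split(":")
    if len(parts) != 3 or parts[0] != MAGIC or parts[2] != PROTOCOL:
        return None
    host, sep, dist = parts[1].partition("=")
    if not sep or not host or not dist.isdigit():
        return None
    return Hello(host, int(dist))


class NeighborTable:
    """The receiver's neighbour list, with the claimed hostname tied to the
    address the datagram actually came from."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[int, str]] = {}   # host -> (distance, source address)

    def learn(self, datagram: bytes, source_addr: str) -> bool:
        hello = parse_hello(datagram)
        if hello is None:
            return False
        known = self.entries.get(hello.host)
        if known is not None and known[1] != source_addr:
            return False   # same name from another address: do not let it be overwritten
        self.entries[hello.host] = (hello.distance, source_addr)
        return True


if __name__ == "__main__":
    table = NeighborTable()
    print(table.learn(encode_hello("node-a", 3), "10.0.0.2"))   # constructed sample
    print(table.learn(encode_hello("node-a", 1), "10.0.0.9"))   # same name, other address
    print(table.entries)
```

Binding the name to the source address does not make the table trustworthy (the address itself can be spoofed on a wireless link), but it stops the cheapest trick, a node simply announcing a neighbour's name to displace its entry.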
Basic GUI Of IDS-Monitor
Conclusion

The distributed intrusion detection system proposed here detects intrusion through the distributed collection of relevant information from the nodes, and is also capable of detecting jamming attacks.

We achieve two goals: we detect more attacks, and we force the operator to provide a decent service. We allow cheaters to come into play, but their impact is self-limiting, because a working network is needed for them to play.
Strengths of IDS:
• Similar to a security "camera" or a "burglar alarm"
• Alerts security personnel that someone is picking the "lock"
• Alerts security personnel that a network invasion may be in progress
• When well configured, provides a certain "peace of mind"
• Part of a total defense strategy infrastructure