
SYSTEM ARCHITECTURE AND DESIGN

Fig. 19 proactive wireless IPS architecture

As shown in the system framework (Fig. 18), the proposed WIPS protects the network from Wardriving and WEP-cracking attacks. For each type of attack, a dedicated response mechanism prevents further damage to protected users on the intranet. The system consists of five modules: packet capture, session analysis, intrusion reaction, honeypot and alarm. The packet capture module collects and stores wireless packets for later analysis and reference. The session analysis module sorts packets into logical order according to their protocol and session. The intrusion reaction module monitors traffic and responds to offensive behaviour. The honeypot module redirects the intruder to a fake AP so that the risk is shifted to a non-production network. The alarm module informs the network administrator through the GSM message service when an attack occurs.

5.1.1. Packet Capture Module

This module collects wireless frames using the Airjack library and, if requested, stores them in an audit file. Airjack is an open-source library that supports Prism 2 chipset network cards and provides frame capture and injection interfaces. The gathered frames are then used by the session analysis module or the intrusion reaction module.

5.1.2. TCP Session Analysis Module

A traditional packet analyzer focuses solely on the structure and characteristics of each packet. Consequently, the result is usually a list of raw packets sorted by capture time, with no relationship established between them, so the network administrator cannot use this information efficiently. To overcome this obstacle, an algorithm is needed to rearrange the packets into individual session groups; the TCP session analysis module is designed for that purpose. As defined in the IEEE 802.11 standard, three types of frames must be recognized in a WLAN:

- Management frames: the WLAN uses these frames to perform authorization and establish connections between the AP and clients.

- Control frames: they are responsible for medium access control.

- Data frames: they are used to deliver data.
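The following added example (not code from the paper or its WIPS) shows the classification step the session analysis module performs: it reads the type and subtype from the 802.11 Frame Control octet and groups frames by the pair of stations that exchanged them instead of leaving a flat, time-ordered list. The frames, addresses and the build_frame helper are constructed for illustration.

```python
from collections import defaultdict

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

def parse_frame(frame: bytes):
    """Return (type_name, subtype, addr1, addr2) from an 802.11 MAC header.
    Frame Control octet 0: bits 2-3 hold the type, bits 4-7 the subtype."""
    if len(frame) < 10:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    addr1 = frame[4:10].hex("-")                                  # receiver
    addr2 = frame[10:16].hex("-") if len(frame) >= 16 else None   # absent in ACK/CTS
    return FRAME_TYPES.get(ftype, "reserved"), subtype, addr1, addr2

def group_sessions(frames):
    """Group frames by the (unordered) pair of stations that exchanged them,
    so the administrator sees the beacon/probe/data exchange per session."""
    sessions = defaultdict(list)
    for frame in frames:
        type_name, subtype, a1, a2 = parse_frame(frame)
        key = tuple(sorted((a1, a2))) if a2 else (a1,)
        sessions[key].append((type_name, subtype))
    return dict(sessions)

def build_frame(fc0: int, addr1: bytes, addr2: bytes = b"") -> bytes:
    """Constructed sample header: FC(2) + duration(2) + addr1 [+ addr2 + addr3 + seq]."""
    hdr = bytes([fc0, 0x00]) + b"\x00\x00" + addr1
    if addr2:
        hdr += addr2 + b"\x00" * 6 + b"\x00\x00"
    return hdr

# Constructed sample addresses and frames (not captured data).
AP = bytes.fromhex("00029c112233")
STA = bytes.fromhex("10203044aabb")
BCAST = b"\xff" * 6
SAMPLE = [
    build_frame(0x80, BCAST, AP),   # beacon: management, subtype 8
    build_frame(0x40, BCAST, STA),  # probe request: management, subtype 4
    build_frame(0x50, STA, AP),     # probe response: management, subtype 5
    build_frame(0x08, AP, STA),     # data frame: type 2, subtype 0
    build_frame(0xD4, STA),         # ACK: control, subtype 13, addr1 only
]

if __name__ == "__main__":
    for key, exchange in group_sessions(SAMPLE).items():
        print(key, exchange)
```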

5.1.3. Intrusion Reaction Module

It is crucial to respond to offensive activities immediately after the system detects them. The intrusion reaction module handles the procedures that prevent further damage. The services and functions provided by this module include:

5.1.3.1 Anti-Wardriving

Before connecting to a WLAN, a client device must first find an AP, either by listening for the AP's beacon or by broadcasting probe requests repeatedly. As stated in 802.11, the AP must reply with a probe response, announcing its existence, to any client that issues a probe request in order to establish a connection. War-Driving takes advantage of this behaviour to discover every AP within reach by broadcasting probe request frames.

Two indicators are used in War-Driving detection:

- NetStumbler signature: NetStumbler is the most popular War-Driving tool. It can be detected because it always sends out a special packet whenever an AP is found; this packet contains a unique value that identifies NetStumbler.

- Probe response traffic: War-Driving forces the AP to generate probe response frames and is likely to increase the volume of such frames. Such an abnormal increase can be revealed by monitoring probe response frames. However, legitimate users also request AP responses, so detailed analysis is required to determine the real cause of the increased traffic.
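The probe-response indicator, as an added example that is not the paper's code: it counts the probe responses each AP sends inside a sliding window and raises one alert when the count first exceeds a multiple of the administrator's expected baseline rate. The window, baseline and factor are assumed tuning values, and the records (timestamp, frame name, BSSID) are constructed as the session analysis module would hand them over.

```python
from collections import deque

def detect_probe_bursts(records, window=5.0, baseline_rate=2.0, factor=5.0):
    """Scan (timestamp_s, frame_name, bssid) records and return one alert
    (timestamp, bssid, count) each time the number of probe responses an AP
    sent in the last `window` seconds first exceeds factor*baseline_rate*window.
    baseline_rate is the responses-per-second the administrator expects normally;
    an alert is a cue for the detailed analysis the text calls for, not proof."""
    limit = factor * baseline_rate * window
    recent = {}         # bssid -> timestamps of probe responses inside the window
    alerting = set()    # BSSIDs already reported for the current burst
    alerts = []
    for ts, name, bssid in sorted(records):
        if name != "probe_response":
            continue
        q = recent.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop responses older than the window
            q.popleft()
        if len(q) > limit:
            if bssid not in alerting:     # report once per burst, not per frame
                alerting.add(bssid)
                alerts.append((ts, bssid, len(q)))
        else:
            alerting.discard(bssid)
    return alerts

AP = "00-02-9c-11-22-33"   # constructed BSSID
# Constructed records: 20 s of normal traffic (one response per second), beacons,
# then a War-Driving style burst of 60 probe responses inside 1.8 s.
NORMAL = [(float(t), "probe_response", AP) for t in range(20)]
BEACONS = [(t + 0.5, "beacon", AP) for t in range(40)]
BURST = [(30.0 + i * 0.03, "probe_response", AP) for i in range(60)]

if __name__ == "__main__":
    print(detect_probe_bursts(NORMAL + BEACONS))            # []
    print(detect_probe_bursts(NORMAL + BEACONS + BURST))    # one alert for AP
```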

5.1.3.2 Anti-WEPcracking

The core of WEP is the RC4 stream cipher, which XORs a key-stream with the plaintext to produce the ciphertext. To crack WEP, the attacker reverses the encryption procedure to retrieve the key. The WEP key vulnerability was first described in research by Fluhrer, Martin and Shamir [1], who showed that the IV, transmitted in the clear, may divulge the WEP key. The major flaw that makes WEP vulnerable is therefore that an attacker can extract the key from gathered frames. Statistics are usually used to pick the real key value from the candidates: the real key value often has the highest occurrence among them. The resulting key therefore depends on the amount and quality of the collected frames.

That is, the attacker is unlikely to obtain the correct key if traffic is scarce, or if more frames point to false key values than to the right ones. WIPS adopts an interference-based mechanism that poisons the traffic with frames deliberately crafted to produce false results, preventing the attacker from obtaining the correct key value.

5.1.3.3 MAC Authentication

This function determines whether a fake MAC address is being used in the WLAN. Any user with a fake MAC address is redirected to the honeypot. A rule binds each network card manufacturer to a specific MAC pattern. As shown in Table 1, the first 3 bytes of the MAC address of network cards from one manufacturer are always the same. In other words, a potential attacker can be identified by checking its MAC address pattern.

Table 2 MAC address rule

Wireless NIC Manufacturer | First 3 bytes of MAC
--------------------------|---------------------
3COM                      | 00-02-9C
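An added example (not the paper's code) of applying the Table 2 rule: a client's first three bytes must match a manufacturer in the rule table, otherwise the client is marked for the honeypot. Only the 3COM row comes from the paper; the second table row, the client addresses and the function names are constructed, and the locally-administered-bit test is an extra check beyond the table.

```python
import re

# Rule table (Table 2): first 3 bytes (OUI) -> manufacturer. The 3COM row is the
# paper's; "10-20-30" is a constructed placeholder, not a real OUI assignment.
OUI_RULES = {
    "00-02-9C": "3COM",
    "10-20-30": "PLACEHOLDER-VENDOR",
}
_MAC_RE = re.compile(r"^[0-9A-F]{2}([-:])(?:[0-9A-F]{2}\1){4}[0-9A-F]{2}$")

def normalize_mac(mac: str) -> str:
    """Canonical upper-case, dash-separated form; raise on malformed input."""
    m = mac.strip().upper()
    if not _MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m.replace(":", "-")

def check_mac(mac: str):
    """Return ('allow', vendor) or ('honeypot', reason) for one client MAC."""
    m = normalize_mac(mac)
    # Extra check beyond Table 2: bit 1 of the first octet is the IEEE
    # locally-administered flag, so such an address was not burned in by a vendor.
    if int(m[:2], 16) & 0x02:
        return "honeypot", "locally administered address"
    vendor = OUI_RULES.get(m[:8])
    if vendor is None:
        return "honeypot", "OUI not in rule table"
    return "allow", vendor

def triage(client_macs):
    """Apply the rule to every associated client; returns mac -> decision."""
    return {mac: check_mac(mac) for mac in client_macs}

# Constructed sample clients (not captured data).
CLIENTS = ["00:02:9c:11:22:33", "10-20-30-44-aa-bb",
           "02-02-9C-00-00-01", "00-ff-ee-dd-cc-bb"]

if __name__ == "__main__":
    for mac, decision in triage(CLIENTS).items():
        print(mac, decision)
```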

5.1.4 Honeypot Module

A honeypot is a security resource whose value lies in being probed, attacked or compromised. That is, a honeypot is expected to be probed, attacked and potentially exploited. In return, the honeypot provides additional and valuable information about the hacker.

WIPS incorporates a basic honeypot feature, which diverts the attacker to a fake AP (the honeypot) where he or she is quarantined from the actual WLAN. Once the target has been deceived, the honeypot records every move it makes. These records can then serve as learning material and reference.

5.1.5 GSM Alarm Module

Although an IDS should be designed to handle attacks automatically, there are times when manual procedures or decisions by the administrator are required. Therefore, as with any IDS, severe attacks must be reported to the administrator efficiently.

Traditionally, alarms are delivered through e-mail or other network message services. To be more efficient, WIPS employs SMS (Short Message Service) as a means of immediate reporting.
