
STUDY OF INTRUSION DETECTION SYSTEM IN WIRELESS NETWORK

By
Jitender Singh Chauhan (B00722078)

Submitted in partial fulfilment of the requirements for the degree of


MASTER OF ENGINEERING
Major Subject: Internetworking
At
DALHOUSIE UNIVERSITY
Halifax, Nova Scotia
Month, 2016

Copyright by Jitender Singh Chauhan, 2016

Dalhousie University
Faculty of Engineering
Internetworking

The undersigned hereby certify that they have read and award a pass in INWK 6800 for
the seminar project entitled "Study of Intrusion Detection System in Wireless Network" by
JITENDER SINGH CHAUHAN in partial fulfilment of the requirements for the degree
of Master of Engineering.

___________________________
Instructor's name here under the line


DALHOUSIE UNIVERSITY
INTERNETWORKING PROGRAM

AUTHORITY TO DISTRIBUTE REPORT

Study of Intrusion Detection System in Wireless Network

The Internetworking Program may make available, or authorize others to make available,
individual photo/microfilm or soft copies of this report without restriction after
November 2017.
The author attests that permission has been obtained for the use of any copyrighted
material appearing in this report (other than brief excerpts requiring only proper
acknowledgement in scholarly writing) and that all such use is clearly acknowledged.

Full Name of Author: JITENDER SINGH CHAUHAN


Signature of Author:

_________________________

Date:

________________________


TABLE OF CONTENTS

LIST OF FIGURES
LIST OF ABBREVIATIONS
ACKNOWLEDGEMENTS
EXECUTIVE SUMMARY
1 INTRODUCTION
2 LITERATURE REVIEW
2.1 VULNERABILITIES IN WIRELESS NETWORKS
2.2 VARIOUS TYPES OF INTRUSION IN WIRELESS NETWORKS
2.3 CLASSIFICATION OF INTRUSION DETECTION SYSTEMS
2.4 PROCESS MODEL FOR INTRUSION DETECTION
2.5 BASED ON DATA COLLECTION MECHANISM
2.6 NIDS
2.7 HOST-BASED IDS
2.8 HYBRID IDS
2.9 BASED ON DETECTION TECHNIQUES
3 CONTRIBUTION AND METHODOLOGY
3.1 CONTRIBUTION
3.2 METHODOLOGY
4 OUTCOME
5 CONCLUSIONS AND RECOMMENDATIONS


LIST OF FIGURES

Figure 2.1 : Architecture of IDS
Figure 3.1 : SURVEY OF KISMET
Figure 3.2 : RESULT OF NETSTUMBLER PROCESSING WLAN
Figure 3.3 : SEARCHING FOR ALL SUBNET
Figure 3.4 : SYSTEM UNDER SAME IP

LIST OF ABBREVIATIONS

IDS : Intrusion Detection System
HIDS : Host-based Intrusion Detection System
NIDS : Network-based Intrusion Detection System
WSN : Wireless Sensor Network


ACKNOWLEDGEMENTS

I would like to express my


EXECUTIVE SUMMARY

Network security is the specialized field of computer networking concerned with
securing a computer network infrastructure; put another way, it is the set of
measures taken to protect our data while it is transmitted over the medium.
Protecting the Internet means protecting information as it crosses the many
interconnected networks that make up the network of networks. Network security is
handled by an administrator, such as a network or system administrator, who deploys
firewalls, security policy and related software.

Security means protection against the loss of data. A network security system
depends on a number of layers of protection and includes network monitoring and a
mix of software and hardware. An intruder tries to pose as a host on the network,
obtain information from it, and then alter or destroy that information. This
manipulation of information is what we call an attack, so a number of measures must
be taken to protect data from intruders.

Network security is the most important issue in the vast field of wireless networks.
A number of products on the market improve network security by packet filtering. For
a network administrator, packet filtering is an effective security tool, but the
administrator must know its capabilities in depth. Our firewall software contains a
set of protocols to which the filters are applied; we have devised a packet-filtering
firewall called Netkapp for Microsoft Windows operating systems.

The field of networks and their security is vast. The structure of the Internet
itself allows many threats and security problems to occur, and modifying the
Internet's architecture can reduce the attacks that can be sent across it. Knowing
the attack methods allows the appropriate security to emerge. Many businesses secure
themselves from the Internet by means of firewalls and encryption mechanisms. The
entire field of network security is vast and still evolving, so Internet and security
technology should be reviewed first, as a prerequisite for understanding this research.


1 INTRODUCTION
Intrusion detection systems (IDSs) are software or hardware systems that automate the
process of monitoring the events occurring in a computer system or network and
analyzing them for signs of security problems. As network attacks have increased in
number and severity over the past few years, intrusion detection systems have become a
necessary addition to the security infrastructure of most organizations. This report
is intended as a primer on intrusion detection for those who need to understand what
security goals intrusion detection mechanisms serve, how to select and configure
intrusion detection systems for their specific system and network environments, how
to manage the output of intrusion detection systems, and how to integrate intrusion
detection with the rest of the organizational security infrastructure. References to
other sources are provided for readers who require more specialized or detailed
advice on specific intrusion detection issues.

What is an Intrusion Detection System?

Intrusion detection is the process of monitoring the events occurring in a computer
system or network and analyzing them for signs of intrusions, defined as attempts to
compromise the confidentiality, integrity or availability of a computer or network, or
to bypass its security mechanisms. Intrusions are caused by attackers accessing the
systems from the Internet, by authorized users who attempt to gain additional
privileges for which they are not authorized, and by authorized users who misuse the
privileges given to them. Intrusion detection systems (IDSs) are software or hardware
products that automate this monitoring and analysis process.

2 LITERATURE REVIEW
Today almost everything runs over wireless networks. They are popular with many kinds
of software and applications because they let a number of systems exchange
information and data with no predetermined infrastructure. This flexibility has also
introduced new security risks [1]. Wireless networks are dynamic in nature, which
creates many difficulties and challenges in maintaining their security, so there is a
strong requirement for flexible intrusion detection and prevention systems.

Wireless network security is a complicated subject, and because the field is so broad
it can only be protected properly by trained and experienced experts. When discussing
intrusion detection we must also consider firewalls and network threats, since network
security includes every measure a company deploys to protect its data and functions.
An intrusion is a process or activity on a system that violates the system's security
policy. Where intrusion prevention fails, the intrusion detection system takes over.

Intrusion detection is the term for processing and detecting such threats and
intrusions on a network, and for recording and reporting them. It is used to recognize
attacks against wireless or any other networks, and the intrusion detection system
collects all the relevant data. A detection system involves three main components:
prevention, detection and mitigation, that is, defending against an attack, becoming
aware of the attack, and reacting to the attack with an optimal response [2].
Detecting policy violations and unauthorized activity on a system, and monitoring such
activity on wireless networks, are the main functions of an IDS. Wireless networks
offer many opportunities for attack because of their dynamic topology, so this report
focuses on the different types of wireless attacks, the various detection techniques,
and a comparison of them.

2.1 Vulnerabilities in Wireless Networks

In a wired network, packets travel over a given physical wire that is protected because
it is a private line. In a wireless network, data travels through a space shared with
many other systems and is not private. This is why wireless networks are more
vulnerable, and more likely to be affected by threats, than wired networks. Wireless
networks also lack centralized administration, offer low protection for their nodes,
and, because of their dynamic topology, have no fixed boundary, so perimeter methods
such as a firewall are of little use as security. The main vulnerabilities of wireless
networks are therefore:

- Lack of infrastructure
- Vulnerability of the channel
- Dynamic topology
- Vulnerability of the nodes

2.2 Various Types of Intrusion in Wireless Networks

An intrusion is an active sequence of related events that deliberately tries to cause
harm, such as rendering a system unusable, accessing unauthorized information or
manipulating information [3]. Attacks on wireless networks are unwanted activity that
either gathers information or forwards harmful packets. They fall into the following
groups:

(A) Packet-dropping attacks: black hole and gray hole attacks (a gray hole drops only a
selected subset of the packets it should forward), routing loops, delayed packet
forwarding and fabricated route messages.
(B) Other routing and availability attacks: wormhole attacks, denial of service and
access attacks.
(C) Trojan horse programs.

2.3 Classification of Intrusion Detection Systems

Intrusion detection systems fall into several categories, but here we consider the two
main ones: network-based intrusion detection systems (NIDS) and host-based intrusion
detection systems (HIDS). A NIDS works by capturing and analyzing the traffic on the
network, and its detection process relies on one of two methods, anomaly detection or
pattern (signature) detection. A HIDS works the other way round: it examines the
operating system of the host it runs on, through audit trails and system logs, rather
than the traffic on the wire.

2.4 Process Model for Intrusion Detection

Many IDSs can be described in terms of three fundamental functional components:

Information sources: the different sources of event information used to determine
whether an intrusion has taken place. These sources can be drawn from different levels
of the system, with network, host and application monitoring the most common.

Analysis: the part of the intrusion detection system that organizes and makes sense of
the events derived from the information sources, deciding when those events indicate
that intrusions are occurring or have already taken place. The most common analysis
approaches are misuse detection and anomaly detection.

Response: the set of actions the system takes once it detects an intrusion. These are
typically grouped into active and passive measures, with active measures involving
some automated intervention by the system, and passive measures involving reporting
the IDS findings to humans, who are then expected to act on those reports.

2.5 Based on Data Collection Mechanism

By data collection mechanism, intrusion detection systems can be divided into three
types: network-based (NIDS), host-based (HIDS) and hybrid intrusion detection systems.
A brief description of each is given below.

2.6 NIDS
A NIDS runs as a process on dedicated hardware. It places the system's network
interface card (NIC) into promiscuous mode, so that all traffic arriving at the NIC is
passed to the NIDS process, where it is checked against a set of rules and analyzed.
(On a wireless link the equivalent is placing the card in monitor mode, as the
listeners in section 3.2 do.) Attack analysis uses four basic techniques:

- Pattern or byte-code matching
- Frequency or threshold crossing
- Correlation of lesser events
- Statistical anomaly detection
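The four techniques above are easiest to tell apart when they run side by side on the same traffic. The following is an added example and not code from this report: it applies each technique to a constructed list of 802.11 frame records (timestamp, frame subtype, source and destination MAC, payload). The MAC addresses, the byte signature, the thresholds and the baseline frame rates are all assumed for the example. The correlation step also shows how the active probing of a tool such as NetStumbler, discussed in section 4, is detected by combining individually harmless probe requests.

```python
"""Four NIDS analysis techniques applied to constructed 802.11 frame records.

Added example, not code from the report.  The frame records, MAC addresses,
signature bytes, thresholds and baseline rates are all constructed here.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

AP = "00:11:22:33:44:00"          # access point (constructed)
CLIENT = "00:11:22:33:44:01"      # ordinary client
HEAVY = "00:11:22:33:44:02"       # client with an abnormal data-frame rate
SCANNER = "00:11:22:33:44:03"     # active scanner probing many SSIDs
FLOODER = "00:11:22:33:44:04"     # station sending a burst of deauth frames
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed byte signature that a pattern matcher looks for in payloads.
SIGNATURES = {"constructed-sig": b"CONSTRUCTED-SIG"}
# Constructed baseline: data frames per second seen from normal clients.
BASELINE_RATES = [0.4, 0.5, 0.6, 0.5, 0.45]


def build_frames():
    """Return constructed (ts, subtype, src, dst, payload) records, time-sorted."""
    frames = [(t, "data", CLIENT, AP, b"ordinary traffic") for t in (0, 2, 4, 6)]
    frames.append((8, "data", CLIENT, AP, b"\x90\x90CONSTRUCTED-SIG"))
    frames.append((1, "probe_req", CLIENT, BROADCAST, b"homenet"))
    frames += [(i / 6.0, "data", HEAVY, AP, b"bulk") for i in range(60)]
    frames += [(1 + n, "probe_req", SCANNER, BROADCAST, b"net%d" % n) for n in range(6)]
    frames += [(20 + i * 0.08, "deauth", FLOODER, BROADCAST, b"") for i in range(25)]
    return sorted(frames, key=lambda f: f[0])


def pattern_match(frames, signatures=SIGNATURES):
    """Technique 1: byte-pattern matching against every payload."""
    return [(name, src) for _, _, src, _, payload in frames
            for name, sig in signatures.items() if sig in payload]


def threshold_crossing(frames, subtype="deauth", limit=10, window=2.0):
    """Technique 2: alert when one source sends more than `limit` frames of
    `subtype` inside any `window`-second sliding window."""
    times = defaultdict(list)
    for ts, sub, src, _, _ in frames:
        if sub == subtype:
            times[src].append(ts)
    alerts = []
    for src, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while stamps[start] < ts - window:
                start += 1
            if end - start + 1 > limit:
                alerts.append(src)
                break
    return alerts


def correlate_probes(frames, min_ssids=5, window=10.0):
    """Technique 3: one probe request is harmless; a source probing for many
    distinct SSIDs within `window` seconds is an active scanner."""
    first_seen, ssids = {}, defaultdict(set)
    for ts, sub, src, _, payload in sorted(frames, key=lambda f: f[0]):
        if sub != "probe_req":
            continue
        first_seen.setdefault(src, ts)
        if ts - first_seen[src] <= window:
            ssids[src].add(payload)
    return [src for src, seen in ssids.items() if len(seen) >= min_ssids]


def statistical_anomaly(frames, baseline=BASELINE_RATES, window_seconds=10.0, z_limit=3.0):
    """Technique 4: compare each source's data-frame rate over the observation
    window with the baseline and flag sources more than `z_limit` standard
    deviations above the mean."""
    counts = Counter(src for _, sub, src, _, _ in frames if sub == "data")
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return []
    return [src for src, n in counts.items() if (n / window_seconds - mu) / sigma > z_limit]


def analyze(frames=None):
    """Run all four techniques and return the sources each one flags."""
    frames = build_frames() if frames is None else frames
    return {"signature": pattern_match(frames),
            "threshold": threshold_crossing(frames),
            "correlation": correlate_probes(frames),
            "anomaly": statistical_anomaly(frames)}


if __name__ == "__main__":
    for technique, hits in analyze().items():
        print(f"{technique:12s} {hits}")
```

Each technique flags exactly one of the constructed stations and none of the others: the signature matches one payload, the sliding window catches only the deauthentication burst, the probe correlation catches the scanner but not the client that probed for a single SSID, and the z-score catches the high-rate client. The thresholds and the baseline would have to be tuned to the real WLAN being monitored.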

Advantages of network-based IDSs:

- A few well-placed network-based IDSs can monitor a large network.
- Network-based IDSs can be made very secure against attack, and even invisible to
many attackers.

Figure 2.1 : NETWORK BASED IDS

2.7 Host-based IDS

As the name says, a host-based detection system is installed as a software package on
the host system. All the logs for specific data pass through it and are examined. The
process runs periodically: new log entries are picked up and compared with the
preconfigured ones. Host-based IDSs normally use two types of information source:
operating system audit trails and system logs. Operating system audit trails are
usually generated at the innermost (kernel) level of the operating system, and are
therefore more detailed and better protected than system logs. System logs, however,
are much less obtuse and much smaller than audit trails, and are far easier to
comprehend. Some host-based IDSs are designed to support a centralized IDS.

Advantages:

- Host-based IDSs, with their ability to monitor events local to a host, can detect
attacks that cannot be seen by a network-based IDS.
- Host-based IDSs are unaffected by switched networks.

Figure 2.2 : Host Based IDS

2.8 Hybrid IDS

A hybrid IDS combines the functionality of a NIDS and a HIDS: it analyzes both the
host's own logs and the network traffic that reaches the particular host on which the
IDS application is installed.

2.9 Based on Detection Techniques

IDSs can also be categorized by detection technique, as signature-based or
anomaly-based intrusion detection.

3 CONTRIBUTION AND METHODOLOGY

3.1 Contribution
The main aim of this project is the security of wireless networks. It describes the
system's purpose and how it works, that is, the collection of methodologies, the
mechanisms required and the architecture on which intrusion detection is based, and
how it can be used to improve the security of wireless network systems.

Detection in a wireless network starts with one important step: identifying the
intruders who are trying to cause problems for network security. That step is only one
part of the goal, since building an overall security system requires a number of
technical components combined with sound policy to form a complete package.

Our main goal is to give the administrator a view of the system, so that the
administrator knows what is happening on the network; an informed administrator is
better placed to make the decisions that improve network security.

Our main contribution is an improved version of an intrusion detection system that
works for a wireless network. The traditional network security model relies heavily
on perimeter protection; here we are building a system that produces complete reports
on the intruders.

3.2 Methodology
The architecture of the intrusion detection system consists of four modules:

- Listeners
- Correlation
- Notification
- Interface

Listener

A listener is a collection point for the wireless data passing by: these machines
actively monitor the flow of 802.11b traffic within their range. Our listeners are
standard PCs and laptops with any wireless card capable of running in monitor mode.
The operating system installed on these devices is Red Hat Linux 7.0 (Linux 2.4
kernel).
In addition, two software components are used:

- Kismet
- Snort

Kismet

Kismet is a software package for monitoring, or sniffing, the packets on the 802.11b
channels to gather the data passing in the flow of traffic. Unlike general packet
sniffers such as Ethereal or tcpdump, Kismet monitors the wireless traffic at layer 2,
which makes it more useful here: it records packets by placing the wireless card in
monitor mode. The data Kismet collects is analyzed in real time to see whether there
is any suspicious activity. The TCP/IP traffic is then passed through Snort, an IDS in
its own right, to check whether there is any malicious activity on the wireless
network being monitored. If there is, it is processed further to fix the problem and
to provide prevention for the future.
Snort

Snort is a free and open source software package used to sniff packets in order to
monitor network traffic in real time. The important thing about Snort is that it works
very closely with each packet, inspecting it deeply to detect any dangerous or
suspicious activity. Put simply, Snort is a free, open source, lightweight network
intrusion detection system in its own right, available for UNIX and Windows.

Once the packets to be monitored have been collected, we move on to the other
components of the detection system, beginning with the correlation module.

Correlation

This module takes its input from the previous module, the listeners: it receives the
data they have collected. That data is then processed into a series of MySQL tables
for later use. If there are multiple listeners, PHP or Perl scripts compare all the
alerts so that no duplicates are sent on.

Our correlation module runs on a PC server running Red Hat Linux 7.0. A few additional
software packages have to be installed on this Linux system:

Packages installed:

- MySQL, for the database
- Apache web server
- OpenSSL, for certificate management
- GPSMap

All of the above packages are open source and freely available on the Internet.

Development

Either PHP or Perl scripts can be used to start the sniffer and collect the data. We
are writing a script that watches for suspicious activity and reports it in real time;
its main purpose is to refine the packet data and upload it to the correlation module.
In the correlation module a second script correlates the alerts; its main purpose is
to insert each event into the database.

Notification

This module and the correlation module are separate, but technically each needs the
other. The notification scripts gather the alert data produced by the process above
and deliver it to an administrator. If the administrator does not care about real-time
notification, this module can be disabled. The module can also be configured to enable
or disable Nmap scans. Administrator notification requires access to an SMTP mail
gateway for delivery of emailed alerts.
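The correlation and notification modules described above can be shown end to end with a small pipeline. This is an added example and not the report's own scripts: Python and an SQLite table stand in for the PHP or Perl scripts and MySQL tables the report describes, the Snort alert lines (in Snort's "fast" alert format), the listener names and the mail addresses are constructed, and the deduplication key (same rule, source, destination and minute) is an assumption about how duplicates from two listeners should be merged.

```python
"""Correlation and notification modules of the architecture above, as an added
example.  It is not the report's code: Python and SQLite stand in for the
PHP/Perl scripts and MySQL tables it describes, and the Snort alert lines,
listener names and mail addresses are constructed."""
import re
import smtplib
import sqlite3
from email.message import EmailMessage

# Snort "fast" alert line: ts [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: n] {PROTO} src:port -> dst:port   (IPv4 only in this example)
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

# Constructed uploads from two listeners; B saw A's two events seconds later
# (the duplicates the correlation module must merge) plus one of its own.
LISTENER_A = """\
08/15-14:03:22.120000  [**] [1:1000001:1] CONSTRUCTED probe sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1234 -> 10.0.0.1:53
08/15-14:03:40.500000  [**] [1:1000002:1] CONSTRUCTED rogue DHCP offer [**] [Priority: 1] {UDP} 10.0.0.9:67 -> 255.255.255.255:68
"""
LISTENER_B = """\
08/15-14:03:25.000000  [**] [1:1000001:1] CONSTRUCTED probe sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1234 -> 10.0.0.1:53
08/15-14:03:41.900000  [**] [1:1000002:1] CONSTRUCTED rogue DHCP offer [**] [Priority: 1] {UDP} 10.0.0.9:67 -> 255.255.255.255:68
08/15-14:05:02.000000  [**] [1:1000003:1] CONSTRUCTED ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.12
"""


def parse_alerts(text):
    """Parse fast-format lines; anything else (banners, blank lines) is skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            a = m.groupdict()
            a["minute"] = a["ts"][:11]  # "MM/DD-HH:MM" bucket used to merge duplicates
            alerts.append(a)
    return alerts


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS event (
            id INTEGER PRIMARY KEY, sid INTEGER, src TEXT, dst TEXT, minute TEXT,
            msg TEXT, priority INTEGER, proto TEXT, first_ts TEXT,
            UNIQUE (sid, src, dst, minute));
        CREATE TABLE IF NOT EXISTS sighting (
            event_id INTEGER NOT NULL REFERENCES event(id), listener TEXT NOT NULL,
            ts TEXT NOT NULL, UNIQUE (event_id, listener));""")
    return db


def correlate(db, listener, text):
    """Store one listener's alerts.  The same sid/src/dst within the same minute
    is a single event however many listeners report it; returns new event ids."""
    new_ids = []
    for a in parse_alerts(text):
        key = (int(a["sid"]), a["src"], a["dst"], a["minute"])
        cur = db.execute(
            "INSERT OR IGNORE INTO event (sid, src, dst, minute, msg, priority, proto, first_ts)"
            " VALUES (?, ?, ?, ?, ?, ?, ?, ?)", key + (a["msg"], int(a["pri"]), a["proto"], a["ts"]))
        if cur.rowcount == 1:           # first listener to report this event
            event_id = cur.lastrowid
            new_ids.append(event_id)
        else:                           # duplicate: attach a sighting to the existing row
            event_id = db.execute("SELECT id FROM event WHERE sid=? AND src=? AND dst=? AND minute=?",
                                  key).fetchone()[0]
        db.execute("INSERT OR IGNORE INTO sighting VALUES (?, ?, ?)", (event_id, listener, a["ts"]))
    db.commit()
    return new_ids


def build_notification(db, event_ids, max_priority=2,
                       sender="wids@example.invalid", rcpt="admin@example.invalid"):
    """One e-mail for the new events at or above max_priority (Snort priority 1
    is the most severe); None when nothing qualifies, so nothing is sent."""
    if not event_ids:
        return None
    marks = ",".join("?" * len(event_ids))
    rows = db.execute(
        "SELECT e.priority, e.first_ts, e.proto, e.src, e.dst, e.msg,"
        " (SELECT COUNT(*) FROM sighting s WHERE s.event_id = e.id)"
        f" FROM event e WHERE e.id IN ({marks}) AND e.priority <= ? ORDER BY e.priority",
        tuple(event_ids) + (max_priority,)).fetchall()
    if not rows:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"[WIDS] {len(rows)} new alert(s)"
    msg["From"], msg["To"] = sender, rcpt
    msg.set_content("\n".join(f"P{p} {ts} {proto} {src} -> {dst}  {text}  (seen by {n} listener(s))"
                              for p, ts, proto, src, dst, text, n in rows))
    return msg


def send(msg, smtp_host):
    """Deliver through the SMTP gateway the notification module requires."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


def run_demo():
    """Push both constructed listeners through correlation and notification."""
    db = open_db()
    a_ids = correlate(db, "listener-a", LISTENER_A)
    b_ids = correlate(db, "listener-b", LISTENER_B)
    return {"new_from_a": len(a_ids), "new_from_b": len(b_ids),
            "events": db.execute("SELECT COUNT(*) FROM event").fetchone()[0],
            "sightings": db.execute("SELECT COUNT(*) FROM sighting").fetchone()[0],
            "mail": build_notification(db, a_ids + b_ids),
            "quiet": build_notification(db, b_ids)}
```

Running `run_demo()` stores three distinct events from five uploaded alerts, records which listener saw each one, and produces a single e-mail covering the two events at priority 2 or better; the priority-3 sweep is stored but produces no mail, which is how the "disabled or quiet" case of the notification module behaves. `send()` is the only part that touches the network and is deliberately not called by the demo. The UNIQUE constraint on the event table is what makes the deduplication safe when several listener uploads are processed at once.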


Module        Physical component                             Software components
Listener      Laptop or PC with an 802.11b wireless card     Red Hat 7.0, Kismet (sniffer), Snort (IDS)
              and an Ethernet card
Correlation   PC server                                      Red Hat 7.0 (MySQL, Apache, OpenSSL, GPSMap)
Notification  Server portion                                 E-mail via SMTP server
Interface     Server portion                                 Web browser (Mozilla, Chrome or IE)


Figure 3.1 : Architecture of IDS

Interface

This is the last module of the architecture. It is a web-based console for viewing
alerts, IDS incidents, and the clients and access points that have been recorded.
Access to the console is secured by an OpenSSL certificate (HTTPS) connection and
requires a username and password to log in.


4 OUTCOME

A wireless intrusion detection system monitors a WLAN using a mixture of hardware and
software called intrusion detection sensors. The sensors capture and examine all 802.11
traffic within their range. From the information gathered by sniffing the wireless
network with the open source tool Kismet, we can easily build up a picture of what the
WLAN looks like, where the access points are located and who uses them.

We tested some of the open source tools used for sniffing packets in a wireless
network and for examining access points.

Kismet

Kismet can be used to carry out site surveys, and to detect wireless networks, access
points and signal strength. It is a network detector, packet sniffer and intrusion
detection system for 802.11 wireless LANs. Kismet works with any wireless card that
supports raw monitoring mode and can sniff 802.11a, 802.11b, 802.11g and 802.11n
traffic.


Figure 3.1 : SURVEY OF KISMET

Netstumbler

Netstumbler is one of the most popular scanners on Windows and the easiest to set up.
It works actively: it sends out 802.11 probe requests every second and reports on the
responses it receives.


Figure 3.2 : RESULT OF NETSTUMBLER PROCESSING WLAN


Access points respond to probes by default, but they can be configured to stay silent,
in which case an active scanner such as Netstumbler will not list them. A passive
monitor such as Kismet is not affected by this, because it does not depend on a
response to its own probes. The image shows a basic Netstumbler examination of the
network.

CAIN

Cain allows network sniffing, which gives the ability to monitor all traffic from the
hosts in your subnet. In the following example two laptops were used on the same
subnet:

Attacker: laptop
Victim: laptop

Figure 3.3 : SEARCHING FOR ALL SUBNET


Figure 3.4 : SYSTEM UNDER SAME IP
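Cain obtains the subnet-wide visibility shown above by ARP poisoning: it answers ARP requests for other hosts' addresses with its own MAC, so the switch delivers their traffic to the attacker's laptop and the attacker forwards it on. The symptom a listener can detect on the wire is therefore an IP address that is answered for by more than one MAC, which is the condition Figure 3.4 illustrates from the attacker's side. The detector below is an added example and not code from the report; the hosts, MAC addresses and ARP replies are constructed, and treating the first binding seen as the trusted one is an assumption that a real deployment would replace with a configured list for critical addresses such as the gateway.

```python
"""ARP-level detection of the condition Cain creates, as an added example.

Not code from the report.  Cain's sniffer sees other hosts' traffic on a
switched subnet through ARP poisoning, so the observable symptom on the wire
is an IP address answered for by more than one MAC address.  The hosts and
ARP replies below are constructed.
"""
from collections import defaultdict

GATEWAY = "192.168.1.1"
REAL_GW_MAC = "00:11:22:33:44:01"
VICTIM_MAC = "00:11:22:33:44:10"
ATTACKER_MAC = "00:11:22:33:44:99"

# Constructed ARP replies seen by a listener: (ts, sender_ip, sender_mac).
ARP_REPLIES = [
    (0.0, GATEWAY, REAL_GW_MAC),
    (1.0, "192.168.1.10", VICTIM_MAC),
    (2.0, "192.168.1.11", "00:11:22:33:44:11"),
    (5.0, GATEWAY, ATTACKER_MAC),          # attacker claims the gateway
    (5.1, "192.168.1.10", ATTACKER_MAC),   # and the victim, to relay both ways
    (6.0, GATEWAY, ATTACKER_MAC),          # poison is repeated to keep caches stale
]


def detect_arp_spoof(replies, known=None):
    """Return alerts for (a) an IP whose sender MAC differs from the first or the
    configured binding and (b) a MAC that answers for more than one IP.
    `known` is an optional dict of trusted ip -> mac bindings (e.g. the gateway);
    without it the first reply seen for an IP is trusted (an assumption)."""
    bindings = dict(known or {})
    claims = defaultdict(set)
    reported = set()
    alerts = []
    for ts, ip, mac in sorted(replies):
        claims[mac].add(ip)
        expected = bindings.setdefault(ip, mac)
        if expected != mac and (ip, mac) not in reported:
            reported.add((ip, mac))          # repeated poison replies alert once
            alerts.append(("binding-change", ts, ip, expected, mac))
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(("multi-ip-mac", None, mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(ARP_REPLIES, known={GATEWAY: REAL_GW_MAC}):
        print(alert)
```

On the constructed replies the detector raises one binding-change alert for the gateway, one for the victim, and one multi-IP alert for the attacker's MAC, and stays silent on the first three legitimate replies. Two caveats for real use: addresses handed out by DHCP legitimately change their MAC binding over time, so a production detector ages its bindings instead of trusting the first reply forever, and a host that uses several virtual interfaces can legitimately answer for more than one IP, so the multi-IP rule needs a list of known exceptions.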


5 CONCLUSIONS AND RECOMMENDATIONS

Wireless networking provides numerous opportunities to increase productivity and cut
costs. It also alters an organization's overall computer security risk profile, and it
is impossible to eliminate all the risk associated with wireless. IDSs are here to stay
and support the development of wireless security products. This report has discussed
the different types of vulnerabilities in wireless networks and the major types of IDS
that can be used to protect them.

As security incidents become more numerous, IDS tools are becoming increasingly
necessary. They round out the security arsenal, working in conjunction with other
information security tools such as firewalls, and allow complete supervision of all
network activity. It is clear that an intrusion detection system is an important and
necessary security tool.


REFERENCES

[1] Ismail Butun, Salvatore D. Morgera and Ravi Sankar, "A Survey of Intrusion Detection
Systems in Wireless Networks".

[2] Opinder Singh and Jatinder Singh, "Competitive Study of Various Intrusion Detection
Systems for Wireless LAN".

[3] Madge, "Wireless Intrusion Detection Systems Evolve to 3rd Generation Proactive
Protection Systems".

[4] Balaji Venkatraman (2008), EE284: Network Security.

[5] SANS (editor), "Wireless Networking Concepts", Network Security, Security Essentials
V2.2, ISBN 0-9724273-6-8.

[10] Victor R. Garza, "Wireless IDSs Help Network Admins Keep an Ear to the Air",
InfoWorld, May 2004, http://www.infoworld.com/article/04/05/14/20TCwids_1.html
(accessed 2004-09-17).

[11] Internet Security Systems, Wireless Products [PDF file].

