STUDY OF INTRUSION DETECTION SYSTEM IN WIRELESS NETWORK
By
Jitender Singh Chauhan (B00722078)
Dalhousie University
Faculty of Engineering
Internetworking
The undersigned hereby certify that they have read and award a pass in INWK 6800 for the seminar project entitled "Study of Intrusion Detection System in Wireless Network" by JITENDER SINGH CHAUHAN in partial fulfilment of the requirements for the degree of Master of Engineering.
___________________________
Instructors name here under the line
DALHOUSIE UNIVERSITY
INTERNETWORKING PROGRAM
The Internetworking Program may make available or authorize others to make available
individual photo/microfilm or soft copies of this report without restrictions after
November 2017
The author attests that permission has been obtained for the use of any copyrighted
material appearing in this report (other than brief excerpts requiring only proper
acknowledgement in scholarly writing) and that all such use is clearly acknowledged.
_________________________
Date:
________________________
TABLE OF CONTENTS
INTRODUCTION ...............................................................................................................................1
CONTRIBUTION ..................................................................................................................................7
METHODOLOGY .................................................................................................................................7
OUTCOME ........................................................................................................................................12
LIST OF FIGURES
ACKNOWLEDGEMENTS
EXECUTIVE SUMMARY
1 INTRODUCTION
Intrusion detection systems (IDS) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network and analyzing them for signs of security problems. As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. This guidance document is intended as a primer in intrusion detection, developed for those who need to understand what security goals intrusion detection mechanisms serve, how to select and configure intrusion detection systems for their specific system and network environments, how to manage the output of intrusion detection systems, and how to integrate intrusion detection functions with the rest of the organizational security infrastructure. References to other information sources are also provided for the reader who requires specialized or more detailed advice on specific intrusion detection issues.
2 LITERATURE REVIEW
In today's world everything runs on wireless networks, and they are popular for many kinds of software and applications because they provide a flow of information and data, that is, communication between a number of systems with no predetermined infrastructure. These changes and this flexibility in wireless networks have introduced new security risks [1]. Wireless networks are dynamic in nature, so they face a number of difficulties and challenges in maintaining their security; hence there is a strong requirement for a flexible intrusion detection and prevention system.
Wireless network security is a complicated subject and, because of its vastness, can only be protected by trained and well-experienced experts in the field; when talking about intrusion detection we should also consider firewalls and network threats, since network security includes every measure companies deploy to protect their data and functionality. An intrusion is basically a process or activity that uses a system in a way that violates the security policies of that system. In network security, if intrusion prevention does not work, then the intrusion detection system comes into play.
The term used for processing and detecting these kinds of threats and intrusions, and maintaining a record or report of these issues in a network, is Intrusion Detection. It is used to recognize attacks against wireless or any other networks. The intrusion detection system collects all the data. A detection system mainly involves three components: Prevention, Detection and Mitigation; that is, the first concern is defense against an attack, the second is being aware of the attack, and the third is reacting to the attack with an optimal solution [2]. Detection of policy violations and unauthorized activities on the system, as well as monitoring these activities for wireless networks, are the main characteristics of an IDS (Intrusion Detection System). There are many chances of attacks on a wireless network due to its dynamic topology, so this report will focus on different types of wireless attacks, various detection techniques, and their comparison.
In a wired network, packets move from place to place over a given physical wire that is protected because it is a private line; in a wireless network, by comparison, data travels over a space shared with a number of other systems and is not private. This is why wireless networks are more vulnerable and have more chance of being affected by threats than wired networks. Wireless networks lack various things, such as centralized administration, and have low protection of nodes; because of the dynamic topology in wireless there is no boundary, so methods like firewalls are not useful as security.
A number of vulnerabilities in wireless networks are as follows:
Analysis: the part of intrusion detection systems that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection and anomaly detection.
Response: the set of actions that the system takes once it detects intrusions. These are typically grouped into active and passive measures, with active measures involving some automated intervention on the part of the system, and passive measures involving reporting IDS findings to humans, who are then expected to take action based on those reports.
2.6 NIDS
It works as a process on a given piece of hardware. It places the NIC on the system into promiscuous mode, that is, all the traffic arriving at the NIC is passed through the NIDS process; the traffic is then checked against a set of rules and analyzed. Attack analysis basically uses four techniques:
Frequency crossing
obtuse and much smaller than audit trails, and are furthermore far easier to comprehend.
Some host-based IDSs are designed to support a centralized IDS
Advantages:
Host-based IDSs, with their ability to monitor events local to a host, can detect attacks that cannot be seen by a network-based IDS.
3.1 Contribution
The main approach in this project is the security of wireless networks. It describes the system's purpose and how it works, including a collection of methodologies, the mechanisms required, the architecture on which intrusion detection is based, and how we can use it to improve the security of wireless network systems.
To start with, the main idea behind detection in a wireless network system rests on an important first step: identifying the intruders who are trying to cause problems for network security; this is the most important step toward the goal. As we all know, building an overall security system involves a number of technical components combined with sound policy to create a complete package.
Our main goal, or main approach, is to provide an administrative point of view of the system, that is, to let an administrator know what is happening on their network. Giving the administrator this view is the better way to support the decisions needed to improve network security.
The main contribution from our side is creating an improved version of an intrusion detection system that works for a wireless network. Traditionally, the network security model relies heavily on perimeter protections; in this project we are creating a system that generates a complete report regarding the intruders.
3.2 Methodology
The main architecture of the intrusion detection system consists of four modules:
- Listeners
- Correlation
- Notification
- Interface
Listener
A listener is basically a collection point for the wireless data being passed; these machines actively monitor the flow of 802.11b traffic that comes within their range.
Our listeners consist of standard PCs and laptops using any card capable of running in monitor mode. The operating system installation is based on Red Hat 7.0, that is, a Linux 2.4 kernel, installed on the devices we are using, such as PCs and laptops.
In addition, we are using two software components:
- Kismet
- Snort
Kismet
Kismet is a software package used for monitoring, or sniffing, the packets on 802.11b channels to gather the data being passed in the flow of traffic. Unlike standard packet sniffers such as Ethereal or tcpdump, Kismet is more useful because it can monitor layer 2 wireless traffic. It monitors and records packets by placing the wireless card in monitor mode. The data collected by Kismet is then analyzed in real time to see whether there is any kind of suspicious activity.
The TCP/IP traffic is then passed through Snort, which is an IDS in its own right, to watch for any malicious activity on the wireless network being monitored. If there is, it is processed with different methods to fix it and to provide prevention for the future.
Snort
Snort is an open-source and free software package used for sniffing packets for the purpose of monitoring network traffic in real time. The important thing about Snort is that it works very closely with each packet; that is, it inspects deeply to detect whether any dangerous or suspicious activity is running. Put simply, Snort is an open-source, free and lightweight network intrusion detection system in its own right for UNIX and Windows.
Once the packets that have to be monitored have been collected, we move on to the other components of the detection system; here comes the role of the Correlation module.
Correlation
This module of our intrusion detection system takes its input from the previous module, the Listener: it receives the data that has been collected by the listeners. The data is then processed into a series of MySQL tables for use. If there are multiple listeners, we can use either PHP or Perl scripts to compare all the alerts; this is done to ensure that no duplicates are found.
Our correlation module is implemented on a PC server running Red Hat Linux 7.0. Here we are using a few different software packages that have to be installed on the Linux-based system, such as:
Packages installed:
GPSMap
All the above-mentioned packages are open source and easily available on the internet.
Development
Either a PHP or a Perl script can be used to start the sniffer and collect the data. We are creating a script that watches for suspicious activity and reports it in real time; the main purpose of the script is to refine the packet data and upload it to the correlation module.
In the correlation module we are again running a script for the purpose of correlating alerts; the main purpose of the script in the correlation module is to insert the events into the database.
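The correlation step described above, as an added example that is not part of the report: the report uses PHP or Perl scripts writing to MySQL, whereas this Python version uses SQLite and constructed Snort fast-format alert lines from two listeners (listener names, signature ids and addresses are made up). Alerts that more than one listener reported within a short window are merged into one event rather than stored twice.

```python
# Added example, not the report's own PHP/Perl scripts; SQLite stands in for MySQL.
import re
import sqlite3
from datetime import datetime

ALERT_RE = re.compile(  # one Snort "fast" alert line
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$")

# Constructed sample input: two listeners whose radio ranges overlap both saw the same probe.
LISTENER_ALERTS = {
    "listener-1": [
        "01/17-12:34:56.100000  [**] [1:1000001:1] WLAN PROBE FLOOD [**] [Priority: 2] {UDP} 10.0.0.5:5353 -> 10.0.0.9:5353",
        "01/17-12:35:10.000000  [**] [1:1000002:1] SUSPICIOUS SCAN [**] [Priority: 1] {TCP} 10.0.0.7:40000 -> 10.0.0.1:22",
    ],
    "listener-2": [
        "01/17-12:34:57.400000  [**] [1:1000001:1] WLAN PROBE FLOOD [**] [Priority: 2] {UDP} 10.0.0.5:5353 -> 10.0.0.9:5353",
    ],
}

def parse_alert(line):
    """Fields of one fast-format line as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line)  # the line carries no year, so strptime defaults it
    return m and dict(m.groupdict(), time=datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"))

def correlate(listener_alerts, window_s=5):
    """Same signature, source and destination within window_s seconds of a kept event = duplicate."""
    parsed = sorted((dict(r, listener=name) for name, lines in listener_alerts.items()
                     for r in map(parse_alert, lines) if r), key=lambda r: r["time"])
    events = []
    for rec in parsed:
        key = (rec["sid"], rec["src"], rec["dst"])
        for ev in events:
            if ev["key"] == key and (rec["time"] - ev["time"]).total_seconds() <= window_s:
                ev["seen_by"].add(rec["listener"])  # duplicate: only note the extra listener
                break
        else:
            events.append({"key": key, "time": rec["time"], "rec": rec, "seen_by": {rec["listener"]}})
    return events

def store(events, db_path=":memory:"):
    """Insert the events into the events table; returns (rows inserted, rows now in the table)."""
    rows = [(e["rec"]["ts"], e["rec"]["sid"], e["rec"]["msg"], e["rec"]["proto"],
             e["rec"]["src"], e["rec"]["dst"], ",".join(sorted(e["seen_by"]))) for e in events]
    with sqlite3.connect(db_path) as conn:  # the with-block commits the inserts
        conn.execute("CREATE TABLE IF NOT EXISTS events (ts TEXT, sid TEXT, msg TEXT, proto TEXT,"
                     " src TEXT, dst TEXT, seen_by TEXT)")
        conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?)", rows)
        return len(rows), conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]
```

With the default 5-second window the two listeners' copies of the probe collapse into one event tagged with both listener names; with a 1-second window they are stored as separate events.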
Notification
This module and the correlation module are different from each other, but in technical terms the working of one needs the other. The main function of this part of our project is the notification scripts, which gather alert data from the process defined above; after gathering these alerts, they have to be delivered to an administrator.
Now comes the administrator's part: if the administrator does not care about real-time alerts, then this module is disabled.
We can configure the module by either enabling or disabling the Nmap scans. Administrator notification requires access to an SMTP mail gateway for delivery of emailed alerts.
Module         Physical component                                          Software components
Listener       Laptop or PC with an 802.11b wireless card and Ethernet card  RedHat 7.0, Kismet sniffer, Snort IDS
Correlation    PC server                                                   RedHat
Notification   Server portion                                              E-mail: SMTP server
Interface      Server portion                                              Browser (Mozilla, Chrome or IE)
Interface
This is the last module of the architecture of our project. It is basically a web-based console to view alerts, IDS incidents, and the client and access point entries that have been created. Access to this system is secured by an OpenSSL certificate connection, and login uses a username and password.
4 OUTCOME
A wireless intrusion detection system monitors a WLAN using a mixture of hardware and software called intrusion detection sensors. These sensors handle the 802.11 traffic and examine the whole network.
Based on the information gathered by sniffing the wireless network using Kismet, the open-source software, we can easily build up a picture of what the WLAN looks like, where the APs are located and who uses them.
Here we have done testing using some of the open-source software used for sniffing packets in the wireless network and at the access point.
Kismet
It can be used to carry out site surveys, for detecting wireless networks, access points and signal strength.
Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.
Netstumbler
It is one of the most popular scanners used on Windows. NetStumbler is the easiest to set up; it works by sending 802.11 probe requests, actively scanning by sending out a request every second and reporting on the responses received.
[Figures: test setup showing the attacker (laptop) and the victim (laptop)]
REFERENCES
[1] Ismail Butun, Salvatore D. Morgera, and Ravi Sankar, A Survey of Intrusion Detection Systems in Wireless Networks
[2] Opinder Singh and Jatinder Singh, Competitive Study of Various Intrusion Detection System for Wireless LAN
[3] Madge, Wireless Intrusion Detection Systems Evolve to 3rd Generation Proactive Protection Systems