The European Social Fund
Prague & EU: We Invest in Your Future
Network Traffic and Intrusion
Simulations II
Network Security
Department of Computer Systems
Faculty of Information Technologies
Czech Technical University in Prague
© Rudolf Blažek 2010-2011
Mgr. Rudolf B. Blažek, Ph.D.
Network Traffic and Attack Simulation II
Network Security
Department of Computer Systems
Faculty of Information Technology
Czech Technical University in Prague
© Rudolf Blažek 2010-2011
Mgr. Rudolf B. Blažek, Ph.D.
Network Security MI-SIB, ZS 2011/12, Lecture 7
Rudolf Blažek, Ph.D. (FIT ČVUT)
WLAN Intrusion Simulation and Detection
Complex Network Simulation Continued
802.11 Deauthentication Attack
Network Simulation / Intrusion Detection
802.11 Handshake
(Figure: message sequence between an 802.11 Client and an 802.11 Access Point.)
Client → Access Point: Probe Request
Access Point → Client: Probe Response
Client → Access Point: Authentication Request
Access Point → Client: Authentication Challenge
Client → Access Point: Authentication Response
Access Point → Client: Authentication Success
Client → Access Point: Association Request
Access Point → Client: Association Response
Client ↔ Access Point: Data
Client ↔ Access Point: Data
Deauthentication Attack
(Figure: 802.11 Client, 802.11 Access Point and an Intruder.)
Client ↔ Access Point: Data
Intruder → Client: Deauthentication
Intruder → Access Point: Deauthentication
Client ↔ Access Point: Data
Simulation Experiment
Tools Used
Tools created for Simulations
• A random number generator that can be called from shell
• The seed information is returned to the generator
• Micro sleep command to wait for decimal parts of seconds in shell
Tools created for Detection
• Program in C that observes WiFi deauthentication frames
Background HTTP traffic
(Figure: simulated HTTP traffic carried over an 802.11g WLAN.)
Unix Shell Script for the Background HTTP Traffic (flow chart)
1. An initial random generator seed is passed to the random generator rg (developed in-house).
2. rg draws a random file size from a Pareto distribution with k = 81KB, β = 1.1, and returns a new random generator seed.
3. The traffic generator tg (from USC ISI) transfers a file of that size from the simulated web server to the web client: this is the simulated HTTP traffic.
4. When tg has finished (Transmission Finished? Yes), rg draws a random wait time from an exponential distribution with μ = EX = 5 and returns a new random generator seed.
5. The wait is implemented with microsleep (developed in-house, precision ~300 μs); then the script returns to step 2.
Mobile user arrival and departure simulation
(Figure: simulated deauthentication frames sent over an 802.11g WLAN.)
Unix Shell Script for Simulated Customer Arrivals and Departures (flow chart)
1. An initial random generator seed is passed to the random generator rg (developed in-house).
2. rg draws random interarrival and connected times, EI = 5, EC = 3, which give the disconnect times; a new random generator seed is returned.
3. At each disconnect time, deauthentication packets (11) are sent with Scapy: the simulated deauthentications.
4. The delay between events is implemented with microsleep (precision ~300 μs).
5. Additional data? Yes: return to step 2. No: stop.
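The two shell-script flow charts above draw file sizes, wait times, and user arrival and departure times from seeded random generators. The following Python example is added here as an illustration and is not the lecture's rg/tg/microsleep tooling: it reproduces the same sampling in one place (Pareto file sizes with k = 81 KB and β = 1.1, exponential waits with mean 5 s, exponential interarrival and connected times with EI = 5 and EC = 3) with an explicit seed, and turns the departures into the per-second deauthentication count that the detector later observes. The reading of "(11)" as 11 deauthentication frames per departure is an assumption.

```python
import random

# Parameters taken from the flow charts
PARETO_K_BYTES = 81 * 1024
PARETO_BETA = 1.1
MEAN_WAIT_S = 5.0            # mu = EX = 5
MEAN_INTERARRIVAL_S = 5.0    # EI = 5
MEAN_CONNECTED_S = 3.0       # EC = 3
# Assumption: "(11)" on the slide is read as 11 deauthentication frames per departure
DEAUTH_FRAMES_PER_DEPARTURE = 11


def pareto_file_size(rng, k=PARETO_K_BYTES, beta=PARETO_BETA):
    """Pareto(k, beta) sample by inverse transform: k / U**(1/beta), U ~ Uniform(0, 1)."""
    u = rng.random()
    while u == 0.0:          # U = 0 would divide by zero
        u = rng.random()
    return k / u ** (1.0 / beta)


def http_session_plan(seed, n_requests):
    """Plan one background-traffic run as (file_size_bytes, wait_seconds) per request.
    Passing the seed explicitly mirrors rg returning the seed information to the caller."""
    rng = random.Random(seed)
    plan = []
    for _ in range(n_requests):
        size = pareto_file_size(rng)
        wait = rng.expovariate(1.0 / MEAN_WAIT_S)
        plan.append((size, wait))
    return plan


def simulate_departures(seed, horizon_s):
    """Mobile users arrive with exponential interarrival times (mean EI) and stay for an
    exponential connected time (mean EC); return the sorted disconnect instants < horizon_s."""
    rng = random.Random(seed)
    t = 0.0
    departures = []
    while True:
        t += rng.expovariate(1.0 / MEAN_INTERARRIVAL_S)
        if t >= horizon_s:
            break
        leave = t + rng.expovariate(1.0 / MEAN_CONNECTED_S)
        if leave < horizon_s:
            departures.append(leave)
    departures.sort()
    return departures


def deauth_counts_per_second(departures, horizon_s,
                             frames_per_departure=DEAUTH_FRAMES_PER_DEPARTURE):
    """The observable X_n: deauthentication frames falling into each 1 s interval."""
    counts = [0] * int(horizon_s)
    for d in departures:
        counts[int(d)] += frames_per_departure
    return counts


if __name__ == "__main__":
    plan = http_session_plan(seed=7, n_requests=5)
    for size, wait in plan:
        print(f"transfer {size / 1024:.0f} KB, then wait {wait:.2f} s")
    deps = simulate_departures(seed=3, horizon_s=60.0)
    print("departures:", [round(d, 1) for d in deps])
    print("deauth frames per second:", deauth_counts_per_second(deps, 60.0))
```

Because every draw comes from one seeded generator, a run can be replayed exactly from its seed, which is what makes a simulated attack reproducible when the detector is tuned later.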
Intrusion Detection
Detection of the Intrusion
Ad-hoc detection of the WiFi attack
Snort wireless detection rule:
• Count number of WiFi deauthentication frames per second
• Detect the intrusion if the observed number exceeds a chosen threshold
Non-statistical features of network intrusions:
• Network protocols are deterministic and well understood
• Protocol anomalies can be detected by stateful analysis
Ad-hoc detection of the WiFi attack
Snort: Signature based detection
• Only detects selected sets of attacks
• Tremendous false alarm rates
• Frequently missed detections, especially of unknown attacks
Questions:
• How do you decide what thresholds to use?
• What about false alerts?
Statistical Aspects of Intrusion Detection
Statistical features of network intrusions:
• Network intrusions occur randomly
• Intrusions occur at unknown points in time
• Intrusions lead to changes of statistical properties of some observable characteristics
Attack detection viewed as a change-point detection (CPD):
• Detect changes in the distributions (models, parameters)
How to Measure Intrusion Detection System Performance?
Probability of false alarm and probability of successful detection?
• How long a period are we considering?
• False alarms will occur for sure when we monitor the network for a long period
• Attacks that stop quickly are harder to detect than long-term intrusions
• Even very weak attacks should be detected if they last long enough
Sequential Statistical Detection
A network characteristic observed in the n-th time interval:
• Number of UDP packets in a size bin
• Number of packets of a particular type (WiFi Deauthentication, TCP SYN,
Sequential NP-CUSUM statistic (sequential statistical learning):
$$S_n = \max\left\{0,\; S_{n-1} + X_n - \mu - \varepsilon\,\hat{\theta}_n\right\}, \qquad S_0 = 0$$
where μ is a historical estimate of E(X_n), θ̂_n is an estimate of E(X_n) under attack, and ε is a tuning parameter.
Sequential ID Algorithm with Reflection
(Figure: the statistic S_k plotted against time with a horizontal threshold line; labelled points: update information, attack begins, detected attack, detection delay, possible false alarms.)
Experimental Detection of the attack
(Figure: the 802.11g WLAN testbed.)
WIND – WLAN Intrusion Detection System
(Architecture figure, two processes.)
Process No. 1 (packet monitoring):
• WiFi card in Monitor Mode captures the WiFi network traffic
• libpcap library, function pcap_loop(): monitor all packets
• Function processPacket: filter packets and count packets of interest; every new packet yields an updated packet count
Process No. 2 (periodic detection step):
• Unix alarm signal fires at a prescribed interval, e.g. 1 sec, starting a new time period
• Function updateStatistics: calculate the sequential statistics from the packet count, then reset the packet count
• Threshold exceeded? Yes: issue an alert
Detector – based on libpcap

/** Purpose:
 *   - Be able to sniff wifi frames
 *   - Identify the frame type: distinguish Management frames (Probe Request, Probe
 *     Response, Beacon) from Control Frames and Data Frames
 *   - Count the number of Probe Request Frames or Deauthentication Frames
 *   - Analyze the statistics
 */
#include <math.h>
#include <ctype.h>
#include <pcap.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <netinet/if_ether.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <signal.h>
#include <time.h>
#include <pthread.h>
Detector – packet monitoring parameters

....
#define MAXBYTES2CAPTURE 2048

// setting parameters
// Byte offsets into the captured packet (specific to the radiotap header of this capture setup)
#define START        144   // offset of the 802.11 frame-control byte (type/subtype)
#define START_SSID   160   // offset of the SSID element
#define CHANNEL      56    // offset of the channel byte in the radiotap header
// Bit masks applied to the frame-control byte
#define TYPE         12    // 0x0C: frame type bits
#define SUBTYPE      240   // 0xF0: frame subtype bits
// Frame types (value of the type bits)
#define MANAG        0
#define CONTROL      4
#define DATA         8
#define RESERVED     12
// Management frame subtypes (value of the subtype bits)
#define REQUEST      64    // Probe Request
#define RESPONSE     80    // Probe Response
#define BEACON       128
#define DEAUTH       192   // Deauthentication
#define BSSID_LENGTH 6
Detector – monitoring initialization

// Open the device in promiscuous mode
descr = pcap_open_live(iface, MAXBYTES2CAPTURE, 1, 512, errbuf);
if (descr == NULL) {
    fprintf(stderr, "pcap_open_live(%s): %s\n", iface, errbuf);
    return EXIT_FAILURE;
}

// Enumerate the data link types, and display
// human-readable names and descriptions for them
num = pcap_list_datalinks(descr, &dlt_buf);
for (ii = 0; ii < num; ii++) {
    printf("%d - %s - %s\n\n", dlt_buf[ii],
           pcap_datalink_val_to_name(dlt_buf[ii]),
           pcap_datalink_val_to_description(dlt_buf[ii]));
}

// Signals declared in sa_mask field ignored during
// execution of the signal handler
setmasks(&ALRMsig);
ALRMsig.sa_handler = actALRMsig;

// Launch the detector thread
pthread_create(&th, NULL, process_signal, (void *) "1");

// Start infinite packet processing loop
Detector – monitoring initialization (continued)

...
// Start infinite packet processing loop
pcap_loop(descr, -1, processPacket, (u_char *) &count);

// Wait for the end of the thread
// But we really do not get here
pthread_join(th, &ret);

// Close the descriptor of the opened device
pcap_close(descr);
return EXIT_SUCCESS;
Detector – processing of arrived packets

/** Filter packets and print some characteristics of each packet */
void processPacket(u_char *arg, const struct pcap_pkthdr *hdr, const u_char *packet) {
    // Only look at bytes that were actually captured
    if (hdr->caplen <= START) {
        return;
    }
    u_char type_sub = packet[START];   // Get the interesting byte to analyze the frame type
    u_char ch = packet[CHANNEL];
    printf("Channel = %d\n", ch);

    // Filter by channel (channel == 0 means any channel), by BSSID and by frame type;
    // channel, counter, filter_bssid() and filter_type() are defined elsewhere in the detector
    if (((channel == 0) || (channel == ch)) &&
        filter_bssid(packet) && filter_type(type_sub)) {
        counter++;
    }
}
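processPacket above reads one frame-control byte at a fixed offset, masks out the type and subtype bits, and counts the frames that pass the BSSID and type filters. The Python example below is added here to show that classification on constructed frames; it is not the lecture's detector. Instead of the fixed START and CHANNEL offsets it reads the radiotap header length from the header itself (radiotap: version byte, pad byte, 16-bit little-endian length), which is how the offset of the 802.11 header is found in general; the masks and subtype values are the same as the detector's #defines. The sample frames are constructed for the example, not captured traffic.

```python
import struct

# Frame-control masks and values, matching the detector's #defines
TYPE_MASK = 0x0C          # TYPE 12
SUBTYPE_MASK = 0xF0       # SUBTYPE 240
TYPE_MANAGEMENT = 0x00    # MANAG 0
TYPE_DATA = 0x08          # DATA 8
SUBTYPE_PROBE_REQ = 0x40  # REQUEST 64
SUBTYPE_BEACON = 0x80     # BEACON 128
SUBTYPE_DEAUTH = 0xC0     # DEAUTH 192


def radiotap_length(packet):
    """Radiotap header layout: version (1 byte, always 0), pad (1), length (2, little endian)."""
    if len(packet) < 4 or packet[0] != 0:
        raise ValueError("not a radiotap-encapsulated frame")
    length = struct.unpack_from("<H", packet, 2)[0]
    if len(packet) < length + 1:
        raise ValueError("truncated capture: no frame-control byte")
    return length


def frame_type_subtype(packet):
    """Return (type, subtype) of the 802.11 frame, as the masked frame-control byte values."""
    fc = packet[radiotap_length(packet)]
    return fc & TYPE_MASK, fc & SUBTYPE_MASK


def bssid_of(packet):
    """For management frames Address 3 is the BSSID: FC (2) + duration (2) + addr1 (6) + addr2 (6)."""
    off = radiotap_length(packet) + 16
    if len(packet) < off + 6:
        raise ValueError("truncated capture: no Address 3")
    return packet[off:off + 6]


def is_deauth_for_bssid(packet, bssid):
    """The detector's filter_type() and filter_bssid() combined for deauthentication frames."""
    ftype, subtype = frame_type_subtype(packet)
    return ftype == TYPE_MANAGEMENT and subtype == SUBTYPE_DEAUTH and bssid_of(packet) == bssid


def count_deauth(packets, bssid):
    """The per-interval counter: number of deauthentication frames belonging to one BSS."""
    return sum(1 for p in packets if is_deauth_for_bssid(p, bssid))


def make_frame(fc_byte, addr1, addr2, addr3):
    """Construct a minimal radiotap + 802.11 MAC header for the example (constructed, not captured)."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)   # 8-byte header, no present fields
    mac = bytes([fc_byte, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    return radiotap + mac


# Constructed sample traffic (addresses are made up for the example)
BSSID = bytes.fromhex("02aabbccddee")
OTHER_BSSID = bytes.fromhex("02ffeeddccbb")
CLIENT = bytes.fromhex("021122334455")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    make_frame(SUBTYPE_DEAUTH, CLIENT, BSSID, BSSID),         # deauth sent to the client
    make_frame(SUBTYPE_BEACON, BROADCAST, BSSID, BSSID),      # beacon from the AP
    make_frame(TYPE_DATA, BSSID, CLIENT, BSSID),              # data frame
    make_frame(SUBTYPE_DEAUTH, BSSID, CLIENT, BSSID),         # deauth sent to the AP
    make_frame(SUBTYPE_DEAUTH, CLIENT, OTHER_BSSID, OTHER_BSSID),  # deauth on another BSS
]


def sample_deauth_count():
    """Deauthentication frames of the monitored BSS in the sample: 2."""
    return count_deauth(SAMPLE_FRAMES, BSSID)


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print("type/subtype:", [hex(v) for v in frame_type_subtype(frame)])
    print("deauth frames for monitored BSSID:", sample_deauth_count())
```

The two length checks matter in the real detector as well: pcap hands the callback only hdr->caplen bytes, so a fixed offset such as START must be compared against caplen before the byte is read.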
A network characteristic observed in the n-th time interval:
• Number of observed WiFi Deauthentication frames
Sequential NP-CUSUM statistic (sequential statistical learning):
$$S_n = \max\left\{0,\; S_{n-1} + X_n - \mu - \varepsilon\,\hat{\theta}_n\right\}, \qquad S_0 = 0$$
where μ is a historical estimate of E(X_n), θ̂_n is an estimate of E(X_n) under attack, and ε is a tuning parameter.
Detector – periodical detection step

/** Function processing the SIGALRM signal.
 *  It is used to process and reset the observed packet counts.
 *  The intrusion detection is done here. */
void actALRMsig(int sig) {
    double SnNew;                  // new value of Sn
    long lastCounter = counter;    // former value of counter
    counter = 0;

    // Sn, mu, epsilon, theta and threshold are globals defined elsewhere in the detector
    SnNew = Sn + lastCounter - mu - epsilon * theta;
    // Maximum between 0 and SnNew (reflection at zero)
    if (SnNew < 0) {
        SnNew = 0;
    }
    Sn = SnNew;
    if (SnNew > threshold) {
        printf("HELP!! I am under ATTACK!!!!\n");
    }
    // Note: printf is not async-signal-safe; a hardened detector would set a flag
    // here and report from the thread's normal loop
    printf("Xn = %ld\t SnNew=%g\n", lastCounter, SnNew);
    printf("Counter = %ld\n", (long) counter);
}
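The NP-CUSUM slides define the statistic and actALRMsig computes one step of it per alarm interval. The Python example below is added to run the whole recursion over a constructed count sequence; it is not the lecture's detector. It learns μ from an attack-free training window, uses a fixed assumed attack rate as θ̂ (the lecture's θ̂_n is estimated sequentially; a constant is used here for clarity), reports the detection delay, and contrasts the result with the ad-hoc per-second threshold rule from the Snort slide. The sample stream (11 frames every 5 s from departing users, then 100 frames/s during the attack) is constructed for the example, and all parameter values are assumptions.

```python
def baseline_counts(seconds=60, frames_per_departure=11, period=5):
    """Constructed attack-free observable X_n: one user departure every `period` seconds,
    each producing `frames_per_departure` deauthentication frames (assumed values)."""
    return [frames_per_departure if n % period == 0 else 0 for n in range(seconds)]


def attack_scenario(attack_start=60, attack_len=40, attack_rate=100):
    """Constructed stream: the baseline, then an attack producing `attack_rate` frames/s.
    Returns the stream and the 0-based index at which the attack begins."""
    xs = baseline_counts(attack_start) + [attack_rate] * attack_len
    return xs, attack_start


def estimate_mu(training_counts):
    """Historical estimate of E(X_n) from an attack-free training window."""
    return sum(training_counts) / len(training_counts)


def np_cusum(xs, mu, theta_hat, epsilon, threshold):
    """S_n = max(0, S_{n-1} + X_n - mu - epsilon * theta_hat), S_0 = 0.
    theta_hat: estimate of E(X_n) under attack; epsilon: tuning parameter in (0, 1).
    Returns the trajectory and the 0-based indices at which S_n exceeded the threshold;
    the statistic restarts from 0 after each alarm."""
    s, traj, alarms = 0.0, [], []
    for n, x in enumerate(xs):
        s = max(0.0, s + x - mu - epsilon * theta_hat)   # reflection at zero
        traj.append(s)
        if s > threshold:
            alarms.append(n)
            s = 0.0
    return traj, alarms


def count_threshold_alarms(xs, per_second_threshold):
    """The ad-hoc rule: alarm whenever the raw per-second count exceeds a fixed threshold."""
    return sum(1 for x in xs if x > per_second_threshold)


def detection_delay(alarms, attack_start):
    """Intervals from the attack start to the first alarm at or after it (None if never)."""
    first = next((a for a in alarms if a >= attack_start), None)
    return None if first is None else first - attack_start


if __name__ == "__main__":
    train = baseline_counts()
    mu = estimate_mu(train)
    xs, start = attack_scenario()
    traj, alarms = np_cusum(xs, mu, theta_hat=100.0, epsilon=0.5, threshold=200.0)
    print("mu =", mu, " first alarm at n =", alarms[0],
          " detection delay =", detection_delay(alarms, start))
    print("ad-hoc rule (count > 10) alarms on the attack-free window:",
          count_threshold_alarms(train, 10))
```

With these values each attack-free interval contributes 11 - 2.2 - 50 < 0, so the statistic stays at zero and produces no false alarm, while the fixed per-second rule fires on every departure burst. Under attack the drift is 100 - 2.2 - 50 = 47.8 per second, so the threshold of 200 is crossed at the fifth attack interval; raising the threshold lengthens the mean time between false alarms at the cost of a longer detection delay, which is the trade-off behind the "what thresholds?" question on the Snort slide.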
Sequential Detection of 802.11 Deauthentication Attack
(Figure: two plots titled "Sequential Detection of an 802.11 Deauthentication Attack", each showing the sequential statistic S(k) against time; y-axis "Sequential Statistics S(k)", x-axis ticks 50–300 in the first plot and 20–180 in the second.)
Performance of the Detection