Network Traffic and Intrusion Simulations II

Academic year: 2021

(1)

The European Social Fund

Prague & EU: We Invest in Your Future

Network Traffic and Intrusion

Simulations II

Network Security

Department of Computer Systems

Faculty of Information Technologies

Czech Technical University in Prague

© Rudolf Blažek 2010-2011

Mgr. Rudolf B. Blažek, Ph.D.

(2)

(Czech-language title slide, translated)

Network Traffic and Intrusion Simulations II

Network Security

Department of Computer Systems

Faculty of Information Technology

Czech Technical University in Prague

© Rudolf Blažek 2010-2011

Mgr. Rudolf B. Blažek, Ph.D.

(3)

Network Security MI-SIB, ZS 2011/12, Lecture 7

Rudolf Blažek, Ph.D. (FIT ČVUT)

WLAN Intrusion Simulation and Detection

Complex Network Simulation Continued

802.11 Deauthentication Attack

Network Simulation / Intrusion Detection

(4)

WLAN Intrusion Simulation and Detection – 802.11 Deauthentication Attack

802.11 Handshake between an 802.11 client and an 802.11 access point (AP):

  Client → AP:   Probe Request
  AP → Client:   Probe Response
  Client → AP:   Authentication Request
  AP → Client:   Authentication Challenge
  Client → AP:   Authentication Response
  AP → Client:   Authentication Success
  Client → AP:   Association Request
  AP → Client:   Association Response
  Client ⇄ AP:   Data
  Client ⇄ AP:   Data

(The challenge/response pair belongs to Shared Key authentication; Open System authentication exchanges only the request and the success/failure frame. Data frames flow only after the association succeeds.)

(5)


WLAN Intrusion Simulation and Detection – 802.11 Deauthentication Attack

Deauthentication Attack

  Client ⇄ AP:        Data
  Intruder → Client:  Deauthentication (forged in the name of the AP)
  Intruder → AP:      Deauthentication (forged in the name of the client)
  Client ⇄ AP:        Data (only after the client has authenticated and associated again)

In networks without 802.11w (Management Frame Protection) the deauthentication frame is an unauthenticated management frame, so the intruder needs nothing but the MAC addresses of the AP and the client to forge it; every forged frame tears down the association and forces the client through the whole handshake again.

(6)

WLAN Intrusion Simulation and Detection – Simulation Experiment

Tools Used

Tools created for the simulations:
- A random number generator (rg) that can be called from the shell; it returns its new seed information, so the next call continues the same random stream and the whole experiment is reproducible from the initial seed
- A microsleep command to wait for fractions of a second in the shell

Tools created for detection:
- A program in C that observes WiFi deauthentication frames

(7)


WLAN Intrusion Simulation and Detection – Simulation Experiment

Background HTTP traffic

[Figure: simulated HTTP traffic generated over an 802.11g WLAN]

(8)

WLAN Intrusion Simulation and Detection – Simulation Experiment

Unix shell script generating the background HTTP traffic (flowchart):

1. Initial random generator seed → random generator rg (developed in-house)
2. rg returns a random file size: a random Pareto value with k = 81 KB, β = 1.1 → new random generator seed
3. Traffic generator tg (from USC ISI) transfers a file of that size from the simulated web server to the web client (simulated HTTP traffic); the script waits until tg has finished, i.e. the transmission is complete
4. rg returns a random wait time: random exponential value with μ = E[X] = 5 → new random generator seed
5. Delay using microsleep (precision ~300 μs, developed in-house), then repeat from step 2

(9)


WLAN Intrusion Simulation and Detection – Simulation Experiment

Mobile user arrival and departure simulation

[Figure: simulated user arrivals and departures on an 802.11g WLAN; each departure is signalled by a deauthentication frame]

(10)

WLAN Intrusion Simulation and Detection – Simulation Experiment

Unix shell script simulating customer arrivals and departures (flowchart):

1. Initial random generator seed → random generator rg (developed in-house)
2. rg returns random interarrival and connected times with E[I] = 5, E[C] = 3 → new random generator seed; the connected times give the disconnect times
3. Deauthentication packets are built and sent with Scapy at the disconnect times (simulated deauthentications = simulated customer departures)
4. Delay using microsleep (precision ~300 μs)
5. Additional data? Yes → repeat from step 2; No → stop
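The two script flows above (Pareto file sizes and exponential waits for the background HTTP traffic; interarrival and connected times for the arrivals and departures that trigger deauthentications) can be reproduced offline in plain Python. The block below is an added example, not the lecture's scripts: the in-house rg and microsleep tools and the USC ISI tg are not available, so random.Random stands in for rg and its seed chaining, and only the schedules (file sizes, waits, disconnect times) are computed, not executed. The interarrival and connected times are assumed exponential with the means E[I] = 5 and E[C] = 3 from the slide, which names only the means; the time unit is taken to be seconds.

```python
"""Seed-chained schedules for the two simulation scripts.

Added example, not the lecture's shell scripts. The in-house rg and microsleep
tools and the USC ISI tg are not available here; random.Random stands in for rg
and its seed chaining, and only the schedules are computed, not executed.
"""
import random

KB = 1024
PARETO_K = 81 * KB        # slide: k = 81 KB (scale, i.e. the minimum file size)
PARETO_BETA = 1.1         # slide: beta = 1.1 (shape; the mean exists, the variance does not)
HTTP_MEAN_WAIT = 5.0      # slide: mu = E[X] = 5, exponential wait between requests
MEAN_INTERARRIVAL = 5.0   # slide: E[I] = 5
MEAN_CONNECTED = 3.0      # slide: E[C] = 3 (exponential is an assumption; the slide gives only the means)


def _draw(seed, sampler):
    """Emulate rg: seed a generator, draw one value, return (value, new_seed).

    The new seed plays the role of the seed information rg hands back to the
    shell script, so the next call continues the same reproducible stream.
    """
    rng = random.Random(seed)
    value = sampler(rng)
    return value, rng.getrandbits(63)


def pareto_file_size(seed, k=PARETO_K, beta=PARETO_BETA):
    """Heavy-tailed file size: random.paretovariate has minimum 1, so scale by k."""
    return _draw(seed, lambda r: int(k * r.paretovariate(beta)))


def exponential_time(seed, mean):
    return _draw(seed, lambda r: r.expovariate(1.0 / mean))


def http_schedule(seed, n_requests):
    """The HTTP flowchart: per request a Pareto file size, then an exponential wait.
    Returns ([(file_size_bytes, wait_seconds), ...], final_seed)."""
    events = []
    for _ in range(n_requests):
        size, seed = pareto_file_size(seed)                    # tg would transfer this many bytes
        wait, seed = exponential_time(seed, HTTP_MEAN_WAIT)    # then microsleep(wait)
        events.append((size, wait))
    return events, seed


def deauth_schedule(seed, n_users):
    """The arrivals/departures flowchart: users arrive after an interarrival time and
    stay for a connected time; each departure is the moment a deauthentication frame
    would be sent with Scapy. Returns (sorted departure times, final_seed)."""
    now = 0.0
    departures = []
    for _ in range(n_users):
        gap, seed = exponential_time(seed, MEAN_INTERARRIVAL)
        stay, seed = exponential_time(seed, MEAN_CONNECTED)
        now += gap                      # arrival time of this user
        departures.append(now + stay)   # its disconnect time
    return sorted(departures), seed


if __name__ == "__main__":
    events, _ = http_schedule(2011, 5)
    for size, wait in events:
        print(f"transfer {size:>10d} bytes, then sleep {wait:6.3f} s")
    times, _ = deauth_schedule(2011, 5)
    print("deauth frames at t =", [round(t, 2) for t in times])
```

Because every draw re-seeds from the seed returned by the previous one, two runs from the same initial seed produce the same schedule, which is what makes a simulation run repeatable when comparing detector settings. The shape β = 1.1 puts the Pareto sizes just inside the regime with a finite mean (k·β/(β − 1) ≈ 891 KB) but infinite variance, so a few very large transfers dominate the background traffic.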

(11)


WLAN Intrusion Simulation and Detection – Intrusion Detection

Detection of the Intrusion

(12)

WLAN Intrusion Simulation and Detection – Intrusion Detection

Ad-hoc detection of the WiFi attack

Snort wireless detection rule:
- Count the number of WiFi deauthentication frames per second
- Detect the intrusion if the observed number exceeds a chosen threshold

Non-statistical features of network intrusions:
- Network protocols are deterministic and well understood
- Protocol anomalies can be detected by stateful analysis

(13)


WLAN Intrusion Simulation and Detection – Intrusion Detection

Ad-hoc detection of the WiFi attack

Snort: signature-based detection
- Only detects selected sets of attacks
- Tremendous false alarm rates
- Frequently missed detections, especially of unknown attacks

Questions:
- How do you decide what thresholds to use?
- What about false alerts?

(14)

WLAN Intrusion Simulation and Detection – Intrusion Detection

Statistical Aspects of Intrusion Detection

Statistical features of network intrusions:
- Network intrusions occur randomly
- Intrusions occur at unknown points in time
- Intrusions lead to changes of the statistical properties of some observable characteristics

Attack detection viewed as change-point detection (CPD):
- Detect changes in the distributions (models, parameters)

(15)


WLAN Intrusion Simulation and Detection – Intrusion Detection

How to Measure Intrusion Detection System Performance?

- Probability of false alarm and probability of successful detection?
- Over how long a period are these measured?
- False alarms will occur for sure when we monitor the network for a long period
- Attacks that stop quickly are harder to detect than long-term intrusions
- Even very weak attacks should be detected if they last long enough

(16)

WLAN Intrusion Simulation and Detection – Sequential Statistical Detection

A network characteristic $X_n$ observed in the $n$-th time interval:
- Number of UDP packets in a size bin
- Number of packets of a particular type (WiFi Deauthentication, TCP SYN, …)

Sequential NP-CUSUM statistic:

$$S_n = \max\{0,\; S_{n-1} + X_n - \mu - \varepsilon\,\hat\theta_n\}, \qquad S_0 = 0$$

where $\mu$ is the historical estimate of $E(X_n)$, $\hat\theta_n$ is an estimate of $E(X_n)$ under attack (sequential statistical learning), and $\varepsilon$ is a tuning parameter.

(17)


WLAN Intrusion Simulation and Detection – Sequential Statistical Detection

Sequential ID Algorithm with Reflection

[Figure: the statistic $S_k$ plotted against time, reflected at zero, with the threshold drawn as a horizontal line. Each observation updates the information carried by $S_k$. Crossings of the threshold before the attack begins are possible false alarms; after the attack begins the statistic climbs, and the time between the start of the attack and the crossing that marks the detected attack is the detection delay.]

(18)

WLAN Intrusion Simulation and Detection – Intrusion Detection

Experimental Detection of the attack

[Figure: experimental setup on the 802.11g WLAN]

(19)


WLAN Intrusion Simulation and Detection – Intrusion Detection

WIND – WLAN Intrusion Detection System

Process No. 1 (packet capture):
- WiFi network traffic is received by a WiFi card in monitor mode
- libpcap, function pcap_loop(): monitor all packets
- Function processPacket: filter packets and count packets of interest; every new packet yields an updated packet count

Process No. 2 (periodic detection step):
- A Unix alarm signal fires at a prescribed interval, e.g. 1 sec, starting a new time period
- Reset the packet count
- Function updateStatistics: calculate the sequential statistics from the count of the period that just ended
- Threshold exceeded? Yes: issue an alert

(20)

WLAN Intrusion Simulation and Detection – Intrusion Detection

Detector – based on libpcap

/** Purpose:
 *   - Be able to sniff WiFi frames
 *   - Identify the frame type: distinguish Management frames (Probe Request, Probe
 *     Response, Beacon) from Control frames and Data frames
 *   - Count the number of Probe Request frames or Deauthentication frames
 *   - Analyze the statistics
 */
#include <math.h>
#include <ctype.h>
#include <pcap.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <netinet/if_ether.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <signal.h>
#include <time.h>
#include <pthread.h>

(21)


WLAN Intrusion Simulation and Detection – Intrusion Detection

Detector – packet monitoring parameters

....
#define MAXBYTES2CAPTURE 2048

// Byte offsets and masks used to decode the captured frames. The offsets
// match a 144-byte Prism monitoring header (libpcap DLT_PRISM_HEADER) in
// front of the 802.11 frame; the channel value sits at offset 56 inside it.
#define START        144   // first byte of the 802.11 frame control field
#define START_SSID   160   // START + 16: addr3, the BSSID of a management frame
#define TYPE          12   // mask 0b00001100: frame type bits of the frame control byte
#define SUBTYPE      240   // mask 0b11110000: frame subtype bits
#define MANAG          0   // frame types, already shifted into place
#define CONTROL        4
#define DATA           8
#define RESERVED      12
#define REQUEST       64   // management subtypes: Probe Request (4 << 4)
#define RESPONSE      80   // Probe Response (5 << 4)
#define BEACON       128   // Beacon (8 << 4)
#define DEAUTH       192   // Deauthentication (12 << 4)
#define BSSID_LENGTH   6
#define CHANNEL       56   // offset of the channel value inside the Prism header

(22)

WLAN Intrusion Simulation and Detection – Intrusion Detection

Detector – monitoring initialization

    // Open the device; the promiscuous flag alone does not deliver raw 802.11
    // frames, the WiFi card must already be in monitor mode (see the WIND diagram)
    descr = pcap_open_live(iface, MAXBYTES2CAPTURE, 1, 512, errbuf);
    if (descr == NULL) {
        fprintf(stderr, "pcap_open_live(%s): %s\n", iface, errbuf);
        return EXIT_FAILURE;
    }

    // Enumerate the data link types and display human-readable names and
    // descriptions for them
    num = pcap_list_datalinks(descr, &dlt_buf);
    for (ii = 0; ii < num; ii++) {
        printf("%d - %s - %s\n\n", dlt_buf[ii],
               pcap_datalink_val_to_name(dlt_buf[ii]),
               pcap_datalink_val_to_description(dlt_buf[ii]));
    }
    pcap_free_datalinks(dlt_buf);

    // The offsets START and CHANNEL assume the 144-byte Prism header; with any
    // other link type the frames would be decoded at the wrong offsets
    if (pcap_datalink(descr) != DLT_PRISM_HEADER) {
        fprintf(stderr, "warning: link type is not DLT_PRISM_HEADER\n");
    }

    // Signals declared in the sa_mask field are blocked during
    // execution of the signal handler
    setmasks(&ALRMsig);
    ALRMsig.sa_handler = actALRMsig;

    // Launch the detector thread
    pthread_create(&th, NULL, process_signal, (void *) "1");

    // Start infinite packet processing loop

(23)


WLAN Intrusion Simulation and Detection – Intrusion Detection

Detector – monitoring initialization

    ...
    // Start infinite packet processing loop
    pcap_loop(descr, -1, processPacket, (u_char *) &count);

    // Wait for the end of the thread
    // (not reached in practice: pcap_loop only returns on error or after
    // pcap_breakloop, so the detector normally runs until it is killed)
    pthread_join(th, &ret);

    // Close the descriptor of the opened device
    pcap_close(descr);
    return EXIT_SUCCESS;

(24)

WLAN Intrusion Simulation and Detection – Intrusion Detection

Detector – processing of arrived packets

/** Filter packets and count those of interest (called by pcap_loop for every frame) */
void processPacket(u_char *arg, const struct pcap_pkthdr *hdr, const u_char *packet) {
    (void) arg;                           // the count is kept in the global counter
    if (hdr->caplen < START + 24) {       // need the Prism header plus a full 802.11 header
        return;                           // before reading the fixed offsets below
    }
    u_char type_sub = packet[START];      // frame control byte: frame type and subtype bits
    u_char ch = packet[CHANNEL];          // channel reported in the Prism header
    printf("Channel = %d\n", ch);

    // Filter by channel (0 = any channel), by BSSID and by frame type/subtype
    if (((channel == 0) || (channel == ch)) &&
        filter_bssid(packet) && filter_type(type_sub)) {
        counter++;                        // also read and reset by the SIGALRM handler actALRMsig
    }
}
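processPacket reads the frame control byte and the channel at fixed offsets and counts the frames that pass three filters. The block below is an added example, not the lecture's detector: it reproduces that filter in Python over a handful of captures constructed inline (a 144-byte Prism header followed by an 802.11 management frame), using the same offsets and masks as the #define table. filter_bssid and filter_type are not shown on the slides, so the BSSID filter is assumed here to compare addr3 of the management frame and the type filter to require a management frame with the wanted subtype; the MAC addresses in the sample are made up.

```python
"""802.11 frame filter as in processPacket, over constructed Prism-header captures.

Added example, not the lecture's detector. Offsets and masks are the ones from
the #define table (START = 144, CHANNEL = 56, TYPE = 12, SUBTYPE = 240, ...).
"""
import struct

PRISM_HDR_LEN = 144              # START: the 802.11 frame follows the 144-byte Prism header
PRISM_CHANNEL_OFF = 56           # CHANNEL: data field of the Prism "channel" item
BSSID_OFF = PRISM_HDR_LEN + 16   # START_SSID = 160: addr3 of a management frame
TYPE_MASK, SUBTYPE_MASK = 0x0C, 0xF0                               # TYPE = 12, SUBTYPE = 240
MANAGEMENT, CONTROL, DATA = 0x00, 0x04, 0x08                       # MANAG, CONTROL, DATA
PROBE_REQ, PROBE_RESP, BEACON, DEAUTH = 0x40, 0x50, 0x80, 0xC0     # REQUEST, RESPONSE, BEACON, DEAUTH


def build_capture(fc_byte, addr1, addr2, addr3, channel, body=b""):
    """Constructed test data: Prism header + 802.11 header (FC, duration, 3 addresses, seq)."""
    prism = bytearray(PRISM_HDR_LEN)
    struct.pack_into("<I", prism, PRISM_CHANNEL_OFF, channel)
    dot11 = bytes([fc_byte, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    return bytes(prism) + dot11 + body


def classify(capture):
    """What processPacket reads: (channel, type bits, subtype bits, BSSID)."""
    fc = capture[PRISM_HDR_LEN]
    return (capture[PRISM_CHANNEL_OFF], fc & TYPE_MASK, fc & SUBTYPE_MASK,
            capture[BSSID_OFF:BSSID_OFF + 6])


def count_frames_of_interest(captures, channel=0, bssid=None, subtype=DEAUTH):
    """The filter of processPacket: channel 0 means any channel, bssid None any BSSID.
    filter_bssid/filter_type are not shown in the slides; assumed here to compare addr3
    and to require a management frame with the wanted subtype."""
    n = 0
    for cap in captures:
        if len(cap) < PRISM_HDR_LEN + 24:     # the C code reads fixed offsets; guard them
            continue
        ch, ftype, fsub, fbssid = classify(cap)
        if channel not in (0, ch):
            continue
        if bssid is not None and fbssid != bssid:
            continue
        # Check the type bits too: QoS Null data frames (0xC8) share the subtype
        # bits 0xC0 with Deauthentication and would otherwise be counted.
        if ftype == MANAGEMENT and fsub == subtype:
            n += 1
    return n


# Constructed sample (made-up MAC addresses)
AP = bytes.fromhex("001122aabbcc")
OTHER_AP = bytes.fromhex("001122ddeeff")
STA = bytes.fromhex("665544332211")
BCAST = b"\xff" * 6
SAMPLE = [
    build_capture(DEAUTH, STA, AP, AP, 6, b"\x07\x00"),              # AP -> client, reason 7
    build_capture(DEAUTH, AP, STA, AP, 6, b"\x03\x00"),              # "client" -> AP, as an intruder forges it
    build_capture(BEACON, BCAST, AP, AP, 6),
    build_capture(PROBE_REQ, BCAST, STA, BCAST, 6),
    build_capture(DEAUTH, STA, OTHER_AP, OTHER_AP, 11, b"\x07\x00"), # another network, channel 11
    b"\x00" * 20,                                                    # truncated capture
    build_capture(0xC8, AP, STA, AP, 6),                             # QoS Null data frame, not a deauth
]

if __name__ == "__main__":
    print("deauth, any channel/BSSID:", count_frames_of_interest(SAMPLE))
    print("deauth, channel 6, our AP:", count_frames_of_interest(SAMPLE, channel=6, bssid=AP))
    print("probe requests:", count_frames_of_interest(SAMPLE, subtype=PROBE_REQ))
```

Two details matter for the detector's counts: matching only the subtype bits would also count QoS Null frames (type Data, subtype 12), which a busy WLAN emits constantly, and a capture shorter than the Prism header plus the 802.11 header must be skipped rather than read at fixed offsets.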

(25)


WLAN Intrusion Simulation and Detection – Intrusion Detection

A network characteristic $X_n$ observed in the $n$-th time interval: the number of observed WiFi deauthentication frames.

Sequential NP-CUSUM statistic:

$$S_n = \max\{0,\; S_{n-1} + X_n - \mu - \varepsilon\,\hat\theta_n\}, \qquad S_0 = 0$$

where $\mu$ is the historical estimate of $E(X_n)$, $\hat\theta_n$ is an estimate of $E(X_n)$ under attack (sequential statistical learning), and $\varepsilon$ is a tuning parameter.

(26)

WLAN Intrusion Simulation and Detection – Intrusion Detection

Detector – periodical detection step

/** Handler for the SIGALRM signal, called once per observation interval (e.g. every second) */
/** It reads and resets the observed packet count and performs the detection step */
void actALRMsig(int sig) {
    (void) sig;
    double SnNew;                    // new value of Sn
    long lastCounter = counter;      // X_n: frames counted in the interval that just ended
    counter = 0;                     // start counting the next interval
    // counter is also incremented by processPacket in the capture thread;
    // declare it volatile sig_atomic_t or guard it with a mutex in production

    // S_n = max{0, S_{n-1} + X_n - mu - epsilon * theta}
    SnNew = Sn + lastCounter - mu - epsilon * theta;
    if (SnNew < 0) {
        SnNew = 0;                   // reflection at zero
    }
    Sn = SnNew;

    if (SnNew > threshold) {
        printf("HELP!! I am under ATTACK!!!!\n");
    }
    printf("Xn = %ld\t SnNew=%g\n", lastCounter, SnNew);
    printf("Counter = %ld\n", (long) counter);
    // printf() is not async-signal-safe; a production handler should only record
    // the sample and leave the printing to the detector thread
}
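The detection step in actALRMsig, the NP-CUSUM statistic from the slides above, and the per-second threshold rule from the Snort slides can be exercised offline on a sequence of per-interval deauthentication counts. The block below is an added example and not the lecture's code: the parameter values μ = 1, θ̂ = 20 (held constant, as in actALRMsig), ε = 0.5 and both thresholds are assumed, and the count sequence is constructed by hand: thirty background intervals containing one legitimate burst of twelve departures, followed by a flood of forty frames per interval.

```python
"""NP-CUSUM detection step over per-interval deauthentication counts.

Added example (not the lecture's code). It implements the statistic
S_n = max{0, S_{n-1} + X_n - mu - epsilon * theta}, S_0 = 0 exactly as
actALRMsig does, and puts the per-interval threshold rule of the Snort
slides next to it. All parameter values are assumed.
"""

MU = 1.0               # assumed historical estimate of E[X_n]: ~1 legitimate deauth per interval
THETA = 20.0           # assumed estimate of E[X_n] under attack (constant, as in actALRMsig)
EPSILON = 0.5          # tuning parameter, 0 < epsilon < 1
THRESHOLD = 100.0      # assumed CUSUM alarm threshold
ADHOC_THRESHOLD = 10   # assumed per-interval limit for the ad-hoc rule


def np_cusum(counts, mu=MU, theta=THETA, epsilon=EPSILON):
    """Return [S_1, ..., S_N] for the observed counts X_1..X_N."""
    drift = mu + epsilon * theta       # the statistic only grows when X_n exceeds this
    s, trajectory = 0.0, []
    for x in counts:
        s = max(0.0, s + x - drift)    # reflection at zero
        trajectory.append(s)
    return trajectory


def cusum_first_alarm(counts, threshold=THRESHOLD, **params):
    """Index of the first interval in which S_n exceeds the threshold, or None."""
    for n, s in enumerate(np_cusum(counts, **params)):
        if s > threshold:
            return n
    return None


def adhoc_first_alarm(counts, threshold=ADHOC_THRESHOLD):
    """The Snort-style rule: alarm as soon as one interval's count exceeds the threshold."""
    for n, x in enumerate(counts):
        if x > threshold:
            return n
    return None


# Constructed input: 30 quiet intervals (user departures, 0-3 deauths each) with one
# legitimate burst of 12 departures at interval 15, then an attack of 40 frames/interval.
BACKGROUND = [0, 1, 0, 2, 0, 1, 0, 0, 3, 1] * 3
BACKGROUND[15] = 12
ATTACK_START = len(BACKGROUND)
COUNTS = BACKGROUND + [40] * 10


if __name__ == "__main__":
    for n, (x, s) in enumerate(zip(COUNTS, np_cusum(COUNTS))):
        flag = "  <-- alarm" if s > THRESHOLD else ""
        print(f"n={n:2d}  Xn={x:3d}  Sn={s:6.1f}{flag}")
    print("ad-hoc rule alarm at interval:", adhoc_first_alarm(COUNTS))
    print("NP-CUSUM alarm at interval:  ", cusum_first_alarm(COUNTS))
```

On this input the ad-hoc rule fires on the legitimate burst at interval 15 (a false alarm) and would fire again as soon as the flood starts; the CUSUM absorbs the burst (S rises to 1 and is reflected back to 0 in the next interval) and alarms at interval 33, three intervals after the attack begins at interval 30. Raising the CUSUM threshold lengthens that delay roughly linearly while the mean time between false alarms grows roughly exponentially, which is why the performance slide plots the average detection delay against −log(FAR).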


(28)

WLAN Intrusion Simulation and Detection – Intrusion Detection

Sequential Detection of 802.11 Deauthentication Attack

[Figure: two plots titled "Sequential Detection of an 802.11 Deauthentication Attack", each showing the sequential statistic S(k) against k (one over 0 to 300, one over 0 to 180)]

(29)


WLAN Intrusion Simulation and Detection – Intrusion Detection

Performance of the Detection

[Figure: "Sequential Detection of an 802.11 Deauthentication Attack", average detection delay (ADD, 0 to 160) plotted against −Log(FAR) (2 to 9) for the not optimized statistic]
