Unique Challenges in WiFi Intrusion Detection

Dr. Jonny Milliken

Queens University Belfast


Abstract

The IDS (Intrusion Detection System) is a common means of protecting networked systems from attack or malicious misuse. WIDSs (Wireless Intrusion Detection Systems) perform the same function for WiFi networks but must also compensate for data exchange through an open and contended wireless medium. Usage of the wireless medium requires fundamental changes to operating protocols at the Physical and MAC layers. WIDS need to be considered in more detail at these lower layers than their wired counterparts, as they face unique challenges there. The remainder of this chapter will investigate three of these challenges where WiFi deviates significantly from its wired counterparts:

·  Attacks Specific to WiFi Networks: Outlining the additional threats which WIDS must account for: Denial of Service, Encryption Bypass and AP Masquerading attacks.

·  The Effect of Deployment Architecture on WIDS Performance: Demonstrating that the deployment environment of a network protected by a WIDS should influence the prioritisation of attacks.

·  The Importance of Live Data in WiFi Research: Investigating the different choices for research data sources with an emphasis on encouraging live network data collection for future WiFi research.

1. WiFi Security

WLAN networks are increasingly common in public, private and commercial environments. As proliferation of these networks increases, the opportunity for exploitation of their vulnerabilities also increases. Perpetration of attacks on WLAN networks is increasingly frequent in real-life environments. The 2012 Verizon Breach Report [1] summarises cyber-security breaches reported to the national security agencies of Australia, The Netherlands, Ireland, The United Kingdom and The United States of America. This report estimates that 174 million compromised records were stolen through cyber-attacks in 2011. These attacks represent a global problem, as shown by the distribution of attack locations reported in Figure 1. In the same report it is estimated that 81% of attacks incorporated some form of hacking and 69% contained malware.

Figure 1: Countries in which a Successful Cyber Security Breach was Recorded (In Black) for 2011. (From Verizon 2012 Data Breach Investigations Report. With Permission.)

The UK insurance group CPP has produced a white paper [2] which specifically deals with the threat and danger of attacks on WiFi. The report states that, “Wireless device users […] should think about what they may be forfeiting by continuing to utilise wireless network technology without thinking about their online security”. This was backed up by the actions of an ethical hacker who was hired to carry out wireless attacks on public WiFi hotspots in September 2010 in 6 cities across the UK. The findings note that the majority of users mistakenly believe their networks are secure, despite well-known examples of WiFi insecurity. This false assumption of security is also exposed when 20% of respondents admit to having logged onto unsecured wireless networks without permission. Reasons for this included:

·  Because it was available,

·  Because it was convenient,

·  Because it was easy to do,

·  Because they were having access problems of their own,

·  By accident.

The CPP investigation also uncovered that 1 in 6 wireless users say they regularly use public networks. When directly investigating public, open-access networks the report uncovered that passwords and usernames could be gathered from these networks at a rate of more than 350 per hour in a typical town centre. Furthermore, when a Rogue Access Point was deployed at the same location, more than 200 users unsuspectingly connected, putting themselves at risk from fraudsters. This is particularly dangerous given that over 60% of respondents use these networks for online banking and shopping, potentially exposing their identity and credit card information to malicious hackers.

These threats in WiFi networks are an area of increasing concern for businesses as well as the public. The anti-virus company Symantec has released commentaries [3] on how municipal WiFi poses threats to businesses through employees using these networks ahead of corporate options and thus potentially revealing internal information to hackers through a backdoor. One of the largest and most expensive examples of WiFi attacks on businesses was carried out against TJX, a large American department store, in 2007. The attackers carried out their attack whilst sitting in a car near the head office and pointing a directional antenna at the building. Within a short timeframe sufficient packets were collected to allow bypass of the WEP security on the internal company WiFi. Once this access was achieved the attackers set up a back door into the system and employed a home PC to harvest nearly 46 million credit card details from the database.

2. Attacks Specific to WiFi Networks

WiFi fundamentally differs from Ethernet at the Physical (Layer 1) and Medium Access (Layer 2) OSI layers. The shift from a wired medium to an open, contended wireless medium required significant changes to the protocols at these layers. These changes expose WiFi connected machines to unique attacks. This means that WIDS have a unique 802.11 threat burden which is additional to that of their wired counterparts.

The basic catalogue of WiFi attacks can be distilled into three rudimentary attack types: DoS (Denial of Service), Encryption Bypass and AP (Access Point) Masquerading. Each of these attacks allows the hacker a different level of control over the network; control of the access medium, control of data confidentiality or control over network access.

2.1 WiFi Denial of Service (DoS)

The vulnerabilities which allow DoS attacks in wireless networks come from two sources. The first is the trust placed in the fidelity of source MAC addresses. MAC addresses are expected to be unique identifiers used to distinguish one device from another; however, there is no mechanism for validating these addresses. An attacker can spoof the address of any client.

Figure 2: Deauthentication DoS Attack.

The second vulnerability is the lack of authentication on Deauthentication frames. This means that any attacker armed with knowledge of a Client’s MAC address can deauthenticate the Client by sending forged Deauthentication frames, known as a DeAuth attack, as shown in Figure 2 and discussed in [4]. Although the Client will soon attempt to reconnect, if the attack is continued then the victim remains disconnected indefinitely.

It is possible to perform the same attack using Disassociation frames; however, because disassociation retracts only one state rather than two (see Figure 3), the victim needs less work and time to reconnect. The attacker must therefore expend more effort to maintain the loss of connection.

While this situation deals with a DoS attack on a single client, the same method can be used to broadcast the attack to all users connected to the AP. The principle is the same, except that only the AP MAC address is needed. The attacker forges a Deauthentication frame that appears to come from the AP and is addressed to the broadcast address, telling all Clients that they have been disconnected.

A second DoS attack category for WLANs is the Frame Flood attack. The goal of this attack is to overload the victim AP with frames (usually either Probe or Association requests). This ensures either that no more Clients can connect or that the AP processor is overloaded and crashes. The key difference between the two DoS methods is that the Deauthentication attack exploits the authentication state machine (Figure 3) while the Flooding attack exploits the limited resources available to APs.

Figure 3: 802.11 Authentication State Machine.

Now that the method of perpetrating these attacks is clear, why would an attacker wish to carry out such an attack? There can be many motives for a DoS attack:

·  Nuisance,

·  Attacking adjacent networks,

·  Forcing a re-authentication to capture a Client authentication handshake,

·  Tricking a client to re-authenticate to a Masquerading AP,

·  Tricking a client to re-authenticate for a MITM (Man In The Middle) attack,

·  Buffer overflow attack,

·  Blanket spamming the network to perform other attacks.

Deauthentication Attack Detection

Current approaches to DeAuth DoS attacks have attempted to develop algorithms to detect these attacks [5] [6]. The effectiveness of these algorithms is highly dependent on the data which is used to fuel them [7]. As a result there has been a trend in more recent publications towards identifying and classifying the features or metrics which are optimal for DeAuth DoS detection [7] [8]. These investigations have shown that there are subsets of features which are optimal for attack detection. In some cases using a reduced feature set can improve detection performance, as there are fewer confounding factors or less noise for an algorithm to filter [9].

Much of the work on feature selection has concentrated on the effects seen in the application and network layers [5] [8]. Work in [7] has identified a set of features that are applicable to WiFi, since Layer 2 is an area of limited investigation in current research. What is lacking from each of these works is information on the parameters or bounds of these metrics. Some research has prioritised the features under consideration, but there is no identification of what values the metrics or features would take in order to detect an attack [8] [7] [9].

Underpinning the importance of parameter bound selection for DoS metrics is the appreciation of the effect that thresholds and windowing factors can have on performance [5]. The effect of thresholds is investigated in [10], showing that the choice of value for this parameter must be both dynamic and unique to each deployment. Windowing refers to the selection of the data an algorithm considers at one time, usually defined as the number of packets in a given timeframe. Varying this window is considered to influence the outcome of a detection algorithm [5] [11]; however, it is not always taken into account in WLAN experiments, as demonstrated by [6] [8] [12].

The effect of varying the parameter bounds of these values on detection outcome has been investigated in higher layers. If threshold values and metric parameters are set too high then valid detections can be missed, while if they are set too low then a larger number of false alerts can be generated, which obscures the real security concerns [10]. The same effect is observed for windowing: if the window of data under consideration is too small then longer attack chains may be missed, while too large a window size wastes computational resources and can hide attacks in a large pool of normal data [13].

Flooding DoS Attack Detection

Probe and association flooding attacks are considered trivial to carry out [14] [15] but are much more difficult to detect as high levels of these frames can be legitimately present in a congested environment. The effect of increased levels of authentication or probe requests has been experimentally shown in [15] and [16] to have an impact on network performance, which is attributed to the overwhelming consumption of AP resources. Association request floods are equally effective as many practical 802.11 implementations are flawed and allow the AP to respond to these requests without having first gone through authentication [14].

Despite the danger that these attacks pose, the authors in [16] lament the scarcity of studies which investigate the impact of, and propose solutions to, DoS Flooding attacks. In order to address this deficit the authors suggest several mitigation techniques for a VoIP application but consider them to be insufficient in practice. MAC address filtering can mitigate the effects; however, this does not scale as the whitelist grows. Furthermore, it is only appropriate for SOHO (Single Office / Home Office) environments, since enterprise and open access deployments can have legitimately large numbers of unknown MAC addresses connecting to the AP. Another suggested defence technique employs a threshold for accepted requests, estimated at 5 per second. However, this threshold is acknowledged as having to vary with time as traffic loads increase, which poses similar problems to those alluded to above.

Threshold and feature selection remains a problem for Flooding attacks, as observed in [17], where a subset of features is determined as relevant for attack detection but the values those features should take are not developed. Work in [18] has established that threshold selection is an integral part of detection which is sometimes overlooked due to the time and effort required to tune the correct values. Even in cases where this is done, the first step is for a human to arbitrarily guess the correct level and then tune it based on traffic. Nonetheless these factors are not always taken into consideration in Flooding investigations, as observed in [19].
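The threshold and windowing trade-offs described above for DeAuth detection, and the 5-requests-per-second flood threshold just discussed, are illustrated by the following sliding-window detector. It is an added example rather than code from the chapter or any of the cited works; the trace it runs on is constructed (the AP address and client addresses are made up), and the window sizes and thresholds are chosen only to expose the false-alert and missed-chain failure modes.

```python
"""Sliding-window rate detector for 802.11 management-frame DoS (added example)."""
from collections import deque
from typing import Iterable, List, Tuple

Frame = Tuple[float, str, str]  # (timestamp in seconds, frame subtype, source MAC)
AP_MAC = "02:aa:bb:cc:dd:ee"      # constructed address of the protected AP


def build_trace() -> List[Frame]:
    """Constructed capture: benign background plus one Probe flood and one DeAuth chain."""
    frames: List[Frame] = []
    # Four legitimate clients scanning: one Probe Request each every 1.4 s (~2.9 frames/s).
    for i in range(4):
        for k in range(7):
            frames.append((i * 0.35 + k * 1.4, "probe_req", f"02:00:00:00:00:{i:02x}"))
    # One legitimate Deauthentication: a client leaving the network.
    frames.append((5.0, "deauth", "02:00:00:00:00:01"))
    # Probe Request Flood: 40 frames in 2 s (20 frames/s) from never-repeating spoofed MACs.
    for n in range(40):
        frames.append((12.0 + n * 0.05, "probe_req", f"06:00:00:00:00:{n:02x}"))
    # Sustained DeAuth chain: a forged broadcast Deauthentication "from" the AP every 2 s
    # for 40 s. Enough to keep a victim off the air, yet only 0.5 frames/s on average.
    for n in range(20):
        frames.append((20.0 + n * 2.0, "deauth", AP_MAC))
    return sorted(frames)


def detect_rate(frames: Iterable[Frame], subtype: str,
                window_s: float, threshold: int) -> List[float]:
    """Return the timestamp at which each burst of `subtype` frames first exceeds
    `threshold` frames within any `window_s` seconds (one alert per burst)."""
    window: deque = deque()
    alerts: List[float] = []
    alerting = False
    for ts, sub, _src in sorted(frames):
        if sub != subtype:
            continue
        window.append(ts)
        while ts - window[0] > window_s:   # drop frames that fell out of the window
            window.popleft()
        if len(window) > threshold:
            if not alerting:
                alerts.append(round(ts, 3))
            alerting = True
        else:
            alerting = False
    return alerts


if __name__ == "__main__":
    trace = build_trace()
    print("probes, 1 s window, threshold 5:", detect_rate(trace, "probe_req", 1.0, 5))   # flood only
    print("probes, 1 s window, threshold 1:", detect_rate(trace, "probe_req", 1.0, 1))   # false alert
    print("deauth, 1 s window, threshold 1:", detect_rate(trace, "deauth", 1.0, 1))      # chain missed
    print("deauth, 10 s window, threshold 3:", detect_rate(trace, "deauth", 10.0, 3))    # chain caught
```

Lowering the probe threshold to 1 per second fires on the benign background at t = 0.35 s, while a 1 s window never sees more than one Deauthentication of the slow chain; only the wider 10 s window with a threshold of 3 catches it, at t = 26 s.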

Factors which impact on the performance of a DoS attack are listed in [12] as attack duration, attack rate and average processing time for a frame. Research carried out in [14] [15] and [12], however, suggests that these are not the only relevant factors in causing a DoS condition; parameters set within the AP can contribute too. In [15] it has been proposed that the main vulnerability actually lies in unacknowledged frame retransmission, which causes memory buffer exhaustion and freezes AP functionality. An AP requires a certain amount of memory and computing time to store and retransmit frames that have not been replied to, and if the limit of frames scheduled for retry is reached then other received frames can be discarded and the AP can hang.

If the AP retry limit is set too high, then many packets can be held in the buffer and make the AP more likely to fall victim to a flooding attack. In both [14] and [15] it is remarked that this retry limit is difficult to set via software or even at the firmware level. To compound this threat the retry level has been observed as having different sizes for different frame types handled by a given AP and between different APs [15].

Even if a DoS condition is not caused, the response time of an AP can be affected by the size of this limit. This decreases the efficiency of the AP by increasing response time by up to 60-80% versus the base value, as seen in [15] for PRF (Probe Request Flood), ASRF (Association Request Flood) and ARF (Authentication Request Flood). If an AP is also loaded with a high level of legitimate traffic processing requirements, the rate of frames required to cause resource exhaustion drops, making the attack easier to perform and more difficult to detect. Research carried out in [12] observed that as few as 3 requests generated 21 responses from a real AP, consuming more resources than would be expected. Thus the practical environment for DoS Flooding does not necessarily follow the strict 802.11 protocol in all cases.