Secure Wireless Network System Against Malicious Rogue Threats
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 77
1 Head of the Department, 2 Research Scholar, 3 Lecturer
Department of Computer Science & Engineering
Samrat Ashok Technological Institute
Vidisha (M. P.) 464001 India.
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151‐9617
by a manual mechanism of spreading such as through email. Worms, however, are self-propagating and may infect a system without depending on some action to be taken by a user of the victim system. The effects of a worm or virus infection can vary greatly as the infection is essentially a program executing on the victim system. The malicious program can engage in activities such as erasing files, copying data, forwarding the infection to other systems, or consuming resources such as memory, storage, and CPU [2] and [3].

Denial-of-Service (DoS) attacks may be very costly to a company in terms of lost time and money. The purpose of a DoS attack is to somehow render the victim network useless, typically by overwhelming the network or systems on the network, resulting in congestion levels which prevent the efficient flow of data through the network. Distributed DoS (DDoS) attacks are an extremely potent form of the attack because in this scenario the attack is launched from a large number of locations, making identification of the source of the attack very difficult. While the attack is being executed employees may be unable to perform their duties and customers may be unable to utilize services. In terms of lost time and revenue, and the degradation of customer satisfaction, the negative impact can be dramatic.

An individual computer hacker gaining access to a corporate system is a very targeted and dangerous attack. The motive behind such a targeted attack is typically to obtain some kind of confidential information. Financial information, private customer or employee data, and trade secrets are all valuable pieces of information to an attacker. The loss of such information may have a significant negative impact on the finances of the company as well as the reputation of the company. Protecting a computer network requires the implementation of a variety of devices and procedures. Firewalls, virus scanners, and intrusion detection systems (IDS) are commonly used devices which are designed to protect a network from outside attack. Network resources are typically password protected to prevent access by unauthorized parties. Highly trained and knowledgeable individuals are crucial in order to administer the network protection plan. A plan which utilizes knowledgeable personnel and state-of-the-art security devices may provide an effective defense against network attacks; however, attacks evolve and new attacks are created, leaving even highly protected networks vulnerable to compromise.

Rogue Systems-
The figure is an example of a rogue wireless access point which is discussed in detail in future chapters. In this scenario a standard consumer grade wireless access point has been configured and installed within a corporate network. Network administrators typically focus on protecting the gateway to the Internet in order to prevent outsiders from entering the network. However, in this case an outsider may be able to associate with the rogue wireless access point to gain access to the network. Thus, in order to fully secure the network, administrators must not only protect the gateway, but must defend against rogue devices which may potentially exist in the network. Rogue systems are not limited to wireless access points as any network device could potentially be configured to be a rogue system. This fact makes detecting rogue systems very difficult as rogue systems can infiltrate a network in many ways and engage in a variety of malicious activities. Thus, network administrators and end users must not only know what types of rogue systems may exist, but must also know how to detect or defend against these systems. This dissertation addresses the rogue system problem within a cooperative distributed network environment and within various types of wireless environments.

Background

Unknown Rogue System-
Unknown rogue systems pose a significant threat to a wide range of networks. Large corporate networks are susceptible due to the vastness of the network and the difficulty of constantly monitoring all attached devices and connection points. Wireless networks make even small home networks vulnerable as the physical boundaries of the network are expanded and wireless data can be gathered from remote locations. In order to properly secure electronic data it is imperative to defend against rogue systems, thereby protecting users, administrators, and associated communication data. From the outset it may seem that installing a rogue device in a network would be a difficult task, especially in a tightly managed network such as in a large corporation [2] and [4].

Wired Network Rogue System-
In a corporate network there is typically a significant barrier-to-entry from being able to install a rogue device close to the core of the network. This is a physical barrier as access to core network hardware is not possible except by authorized personnel. A rogue device deep within the routing infrastructure of a network would be in position to do a significant amount of damage in terms of data and system compromise. However, it is not required that a rogue device be installed in this manner in order to attack network resources. The easiest access to a network is obtained at the edge. Throughout corporate offices
there are Ethernet jacks which are used to connect desktop machines for employee use. These jacks may be very easy to access and are an easy target for a rogue device to be connected. It is possible that unused Ethernet ports are not active and cannot be used without the authorization of network administrators. However, if this is the case an authorized system can simply be disconnected from the Ethernet jack and be replaced by the rogue device. Various security mechanisms may be in place which identify the system connected to each Ethernet port and would prevent a rogue device, without modification, from being properly configured in the network. A common method of doing this is MAC address filtering, which depends on the MAC address of the client machine for identifying network systems. This information, however, is easily spoofed, and a rogue system can be configured to mimic the settings of the authorized system. A rogue device can launch a variety of attacks by injecting traffic into the network or by mimicking the authorized system and attempting to penetrate deep into the network infrastructure [1], [2] and [4].

Wireless Network Rogue System-
Wireless rogue systems are very similar to wired systems installed at the edge of a network. However, an advantage of wireless attacks, from the attacker's perspective, is that a wireless rogue system may be even easier to establish as physical access to the network hardware is not required. As shown in Figure, the attacker must only be within reach of the wireless signal in order to attempt an attack. Similar to wired spoofing, a wireless rogue device can spoof certain settings which enable the ability to connect to the wireless network. In addition, however, many wireless networks require an encryption key or some other type of authentication mechanism in order to gain access to the network. If the encryption key can be discovered, or if the network does not require such authentication, then the rogue system can associate with the network. Without connecting to an existing wireless network other wireless attacks are still possible. Mimicking an authorized network may trick users into associating with a malicious wireless network rather than the intended one. Passively monitoring the wireless medium is another attack which may result in the malicious device discovering sensitive information [6].

Attack Environment and Problem Statement-
Computer security is a critical component of business operations for companies ranging from small businesses to international conglomerates. Corporate networks can be extremely large and complex, making the task of securing the network extremely challenging, even to a team of highly qualified individuals. A key part of successfully defending a network is the vigilant deployment of security devices such as firewalls, virus scanners and intrusion detection systems, and the ability of those devices to quickly and accurately identify malicious intruders. These security devices are most commonly deployed in the network at the gateway, the point which connects the corporate network with the outside Internet. In terms of security, this is the most important point of the network to protect as any outside attack must pass through this pipe. However, with the advent of inexpensive consumer grade wireless access points a new entryway into the network may be opened, without network administrators knowing the door even exists. The motives behind installing a Rogue Wireless Access Point (RWAP) range from the purely benign to the extremely vicious. From the benign perspective, an employee may simply desire to use a personal wireless device, such as a notebook computer or PDA, on the corporate network. This would provide a greater freedom of movement and allow the employee to continue to receive email and access other network resources. An attacker with malicious intent, however, may seek to install the RWAP specifically to enable remote access to network data and resources. From the point of view of the network administrator either case is just as dangerous, as both put network resources at risk. Installing an RWAP is not a highly technical task as the configuration steps are simple and are in fact designed for the average home user to be able to create a wireless network at home. Therefore, even an employee with only basic computer skills can easily purchase an
inexpensive WAP and quickly configure and install it in a corporate network. Basic protection provided by MAC filtering can be easily subverted by MAC spoofing, a common feature of WAPs, enabling simple integration into the wired network. Once the device has been properly configured and installed, a backdoor has been opened for any malicious party within reach of the wireless signal. Of course, the most significant problem is the fact that system administrators may be totally unaware that the vulnerability even exists. The ability to quickly and accurately detect the existence of an RWAP device is vital to protecting the integrity of the network [1] and [5].

Proposed Techniques and Algorithm

Our thesis work is on the Rogue Identifying Packet Payload Slicer (RIPPS) system, which is designed to quickly and accurately detect RWAPs using a novel technique that overcomes the limitations discussed previously. The system combines an active network traffic conditioning technique with a packet timing analysis to effectively detect when a new RWAP has been activated on the network. The wireless medium detection technique is based on a statistical analysis of the local round-trip time (LRTT) of network communication. The LRTT metric identifies invariant characteristics of wired and wireless media, enabling the identification of the connection type of a host. While the LRTT metric is based on purely passive network observation, it suffers from the limited number of optimally sized packets available for analysis. Therefore, a packet payload slicing technique is implemented which performs network traffic conditioning to significantly enhance the effectiveness of LRTT measurements. This conditioning technique manipulates existing traffic and requires neither modifications to client systems nor the ability to communicate directly with these systems. RIPPS operates as a pass-through device which works transparently to both clients and servers. It conditions traffic by taking individual large TCP packets and slicing them into many smaller packets. This action enables the LRTT metric to quickly amplify the invariant physical characteristics of the wireless medium while negating the influence of transmission speed capabilities. Through this process, RIPPS is able to quickly and efficiently identify unauthorized WAPs with minimal false alarms. Furthermore, RIPPS incorporates intelligent dynamic triggers to selectively monitor hosts, resulting in a minimal impact on the overall performance of monitored systems and the network in general [2] and [4].

Metric Description-
Latency of network-based communication can be viewed as the result of either WAN-side or LAN-side effects. WAN-side latency is the result of many factors which can vary significantly between communication sessions and especially between differing communication host pairings. On the other hand, LAN-side latency, while not constant, is the result of a more controlled and consistent environment. Therefore, the metric is limited to the RTT associated only with LAN-side traffic in order to remove WAN-side jitter effects and emphasize the connectivity medium of hosts in the LAN. Local round-trip time is a measurement of the time delay between a message to and the response from a specific host in the LAN. A sensor placed at the edge of the
LAN collects data in a passive manner. The metric is obtained by categorizing packets based on source/destination pairing and storing both a timestamp and an expected acknowledgment (ACK) number based on the sequence number in the packet, as described in Algorithm 1. The timestamp associated with the messages is calculated solely by the sensor; hence the relative time between messages is consistent and free from time synchronization problems. Outbound packets are similarly classified by source/destination pairs and the ACK number from the TCP header is compared to the expected ACK numbers calculated previously, as described in Algorithm 2. The LRTT is the time difference between incoming packets and corresponding ACK packets as observed by the monitor.

    for each packet arrival do
        identify source host host
        if monitoring host
            if ACK flag set
                match ACK = ACKEXP
                get stored time stamp TSold
                calculate LRTT = TSnew − TSold
            end if
        end if
        forward packet to destination
    end for
    for each packet do
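The two algorithms described above, written out as an added example rather than the paper's own code: a passive sensor records, per source/destination pair, the expected ACK (SEQ plus payload length) and a sensor-local timestamp for each inbound data packet to a monitored host, then matches the host's outbound ACK against that table and reports LRTT = TSnew − TSold. The Packet fields, host addresses and the trace are constructed for illustration, and the clean-up of entries covered by a cumulative ACK is an assumption of this example, not something the page specifies.

```python
# Added example (not the paper's code): passive LRTT sensor following the
# two algorithms in the text. Timestamps are taken by the sensor itself, so
# no clock synchronisation with the hosts is needed. Values are constructed.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float          # sensor-local timestamp, seconds
    src: str
    dst: str
    seq: int           # TCP sequence number
    ack: int           # TCP acknowledgment number (meaningful if ack_flag)
    ack_flag: bool
    payload_len: int   # TCP payload bytes


class LRTTSensor:
    def __init__(self, monitored_hosts):
        self.monitored = set(monitored_hosts)
        # (monitored host, peer) -> {expected ACK number: timestamp}
        self.pending = defaultdict(dict)
        self.samples = defaultdict(list)   # monitored host -> LRTT samples

    def observe(self, pkt):
        """Algorithm 1/2 for one packet; returns an LRTT sample or None."""
        # Algorithm 1: inbound data to a monitored host -> store ACKEXP and TS.
        if pkt.dst in self.monitored and pkt.payload_len > 0:
            table = self.pending[(pkt.dst, pkt.src)]
            table.setdefault(pkt.seq + pkt.payload_len, pkt.ts)  # first sighting
            return None
        # Algorithm 2: outbound ACK from a monitored host -> match ACK == ACKEXP.
        if pkt.src in self.monitored and pkt.ack_flag:
            table = self.pending[(pkt.src, pkt.dst)]
            ts_old = table.pop(pkt.ack, None)
            # Assumption: a cumulative ACK also covers earlier segments, so drop
            # their entries to keep the table bounded.
            for ack_exp in [a for a in table if a <= pkt.ack]:
                del table[ack_exp]
            if ts_old is None:
                return None      # ACK for data the sensor never recorded
            lrtt = pkt.ts - ts_old
            self.samples[pkt.src].append(lrtt)
            return lrtt
        return None              # everything else is simply forwarded

    def summary(self, host):
        """Sample count, mean and std-dev of LRTT for a host, or None."""
        s = self.samples.get(host)
        if not s:
            return None
        return {"n": len(s), "mean": mean(s), "stdev": pstdev(s)}


def run_trace(trace, monitored):
    """Feed a packet list through a fresh sensor and return the sensor."""
    sensor = LRTTSensor(monitored)
    for pkt in trace:
        sensor.observe(pkt)
    return sensor


# Constructed trace: server 10.0.0.5 sends one segment each to a wired host
# (.20) and a wireless host (.30); the wireless host's ACK comes back later.
TRACE = [
    Packet(0.0000, "10.0.0.5", "10.0.0.20", 1000, 0, False, 1460),
    Packet(0.0004, "10.0.0.20", "10.0.0.5", 5000, 2460, True, 0),
    Packet(0.0100, "10.0.0.5", "10.0.0.30", 7000, 0, False, 1460),
    Packet(0.0125, "10.0.0.30", "10.0.0.5", 9000, 8460, True, 0),
]
```

With a single sample per host the std-dev is zero; the statistical separation of wired from wireless hosts that the paper describes needs many samples, which is exactly what payload slicing is meant to supply.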
notes the source host, sequence (SEQ) number, and the port number. B responds with a SYN/ACK, followed by an ACK from A, completing the handshake. Once communication is established, RIPPS monitors incoming traffic for packets with the appropriate destination address and port number. Based on a size threshold, s, RIPPS filters the identified packets. Packets which are smaller than s are forwarded on as normal. Larger packets are queued for slicing. Packet payload slicing essentially spreads a single payload over multiple packets, attaching each payload slice to an appropriate header. The headers from the original packet are used to easily create valid headers for each new packet. The Ethernet header is unchanged from the original, and the IP and TCP headers are modified slightly to validate the newly created packet.

systems which are being monitored, and on the overall network is minimal.

Results

The overall performance of the system can be determined by measuring the packet loss on the server while varying the number of clients and the speed of the input data. The packet loss rate of the system with only a single client logging packets. The input speed is the average speed over the trace file replay. Peak bandwidth during the replay is approximately 50% higher than the average speed. A single client is able to avoid packet loss at approximately an average bandwidth of 85Mb/s. At higher rates the storage buffer of the server reaches maximum capacity and packets are lost. As the average bandwidth rate increases, the system reaches a threshold where the buffer loses all effectiveness and extreme packet loss occurs. This can be seen in each case where a dramatic increase in packet loss occurs. At an average data rate of approximately 375Mb/s the number of dropped packets for the five client system is non-zero, although somewhat negligible (0.6%).
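The payload slicing step described before the Results, as an added example that is not RIPPS code: one large TCP segment is cut into slices of at most s payload bytes, the Ethernet header is copied unchanged, and the IPv4 and TCP headers are rebuilt with corrected length, sequence number and checksum so that each slice is a valid packet on its own. The threshold value, addresses and payload are constructed, and giving each slice its own IP identification is an assumption of this example.

```python
# Added example (not the RIPPS implementation): slice a TCP segment whose
# payload exceeds s into valid smaller packets. Headers are hand-packed with
# struct; sample addresses, ports and payload are constructed.
import struct
from ipaddress import IPv4Address

S_THRESHOLD = 256  # assumed slicing threshold s in bytes (constructed value)

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, ident, tcp_len):
    """20-byte IPv4 header (proto TCP, DF set, TTL 64) with checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ident, 0x4000, 64,
                      6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]

def build_tcp(src, dst, sport, dport, seq, ack, flags, payload):
    """20-byte TCP header plus payload, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(hdr) + len(payload)))
    csum = ones_complement_sum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def slice_segment(seg, s=S_THRESHOLD):
    """Forward the frame unchanged if payload <= s, else emit one frame per slice.

    seg keys: eth (14 raw bytes), src, dst, sport, dport, seq, ack, flags,
    ident, payload. Every slice keeps the original ports, ACK number and flags;
    its SEQ is advanced by the slice offset and (assumption of this example)
    it gets a fresh IP identification so the slices are distinct datagrams."""
    payload = seg["payload"]
    if len(payload) <= s:
        chunks = [payload]
    else:
        chunks = [payload[i:i + s] for i in range(0, len(payload), s)]
    frames, off = [], 0
    for n, chunk in enumerate(chunks):
        tcp = build_tcp(seg["src"], seg["dst"], seg["sport"], seg["dport"],
                        seg["seq"] + off, seg["ack"], seg["flags"], chunk)
        ip = build_ipv4(seg["src"], seg["dst"], (seg["ident"] + n) & 0xFFFF, len(tcp))
        frames.append(seg["eth"] + ip + tcp)  # Ethernet header reused as-is
        off += len(chunk)
    return frames

def parse_frame(frame):
    """Decode a frame into (seq, payload length, ip checksum ok, tcp checksum ok)."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    seq = struct.unpack("!I", tcp[4:8])[0]
    return (seq, len(tcp) - 20,
            ones_complement_sum(ip) == 0,        # a valid header sums to zero
            ones_complement_sum(pseudo + tcp) == 0)

# Constructed sample: a 1000-byte PSH/ACK segment from a LAN server to a client.
SAMPLE = {"eth": bytes(14), "src": "10.0.0.5", "dst": "10.0.0.20",
          "sport": 80, "dport": 51000, "seq": 1000, "ack": 5000,
          "flags": 0x18, "ident": 7, "payload": bytes(range(256)) * 3 + bytes(232)}
```

parse_frame re-verifies both checksums, which is the check the receiving host (and any IDS in the path) applies to the sliced packets; a slice that failed it would be dropped rather than acknowledged, and the LRTT sample would be lost.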
Conclusion and Future Work

The importance of computer security continues to grow as the reach of the Internet spreads and the dependence on networks for daily business increases. A system or network which has been compromised by a successful attack can result in an extremely high amount of lost time and money. Individuals and organizations must protect valuable information and resources by building defenses against attacks and establishing means of identifying currently active or already successful attacks. Many types of attacks can stem from the presence of a rogue system within a network. Rogue systems are devices which are unknown to system administrators and users, and are engaged in malicious behavior. This dissertation has presented new approaches to aid in the defense against rogue systems in order to protect individuals and organizations.

The weaknesses in communication standards will be investigated on a per-environment basis in order to provide increased overall protection for users. Perhaps the most challenging future work will be in addressing detection techniques for current and newly discovered attack techniques.

[6] Bharath Madhusudan, John Lockwood, "Design of a System for Real-Time Worm Detection", 12th Annual IEEE Symposium on High Performance Interconnects, pp. 77–83, 2004.

[7] Atul Adya, Paramvir Bahl, Ranveer Chandra, and Lili Qiu, "Architecture and techniques for diagnosing faults in IEEE 802.11 infrastructure networks", 10th annual ACM international conference on Mobile computing and networking, MobiCom'04, pp. 30–44, September 2004.

[8] IEEE Std 802.11: IEEE Standard for Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specification, June 1997.

[9] Broadcom radically simplifies the Wi-Fi setup experience. Press Release, Broadcom Corporation, May 2004.

[10] Giuseppe Ateniese, Michael Steiner, and Gene Tsudik, "New multiparty authentication services and key agreement protocols", IEEE Journal on Selected Areas in Communications, vol. 18, no. 4, pp. 628–639, 2000.

[11] Steven M. Bellovin, "Spamming, phishing, authentication, and privacy", Communications of the ACM, vol. 47, no. 12, p. 144, Dec. 2004.