A Hybrid Intrusion Detection System Approach for IEEE 802.11 Wireless Networks
This research project explores the development of a hybrid intrusion detection system for IEEE 802.11 wireless networks. The study includes research objectives, background information, experimental results, evaluation, and comparison of existing systems, HWIDS design, conclusions, future work, and references. It delves into the introduction of WLAN, its security history, standards, and security issues, along with main security threats and issues with existing WLAN IDSs.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
A HYBRID INTRUSION DETECTION SYSTEMS APPROACH FOR IEEE 802.11 WIRELESS NETWORKS
Outline Research Objectives Introduction Background Experimental Results Evaluation and Comparison HWIDS Design Conclusion Future work References 2
What is WLAN? It is wireless computer network that connects multiple devices within limited range such as enterprises, small offices and home (SOHO). Economic Price Portability Suitability Easy to install 4
Research Motivation WLAN SECURITY HISTORY: IEEE 802.11 standard released in 1997 WEP for encrypting (RC4 algorithm) WEP is cracked IEEE 802.11i ratified in 2004 (RSN) WEP is replaced with WPA2 (AES algorithm) Today s prevalent standard Unprotected Management & Control frames IEEE 802.11w ratified in 2009 Provides protection to some management frames Incompatible with legacy devices 5
Research Motivation WLAN standards and security issues: WLAN standards are good as a first line of defense. Unfortunately, they are still vulnerable to a number of attacks Unprotected management / control frames Ability to spoof MAC address Broadcast Nature of WLAN Misconfiguring of WLAN settings 6
Research Motivation Main WLAN SECURITY THREATS Attack Name Impact Definition Repeatedly collect weak IVs condition to crack all bytes of the WEP key Brute force method to crack WPA/WPA2 keys at first place. After learning the MAC addresses of both client and AP, the attacker sends de-authentication messages to either client or AP on behalf to cause DoS. It has the same effect as de-authentication but a disconnected client needs longer time to re-connect to AP. Honeypot is an AP created by adversary with attracting ESSID to fool users into connecting to it. Evil Twin is a Honeypot AP created by adversary with known ESSID to fool users into connecting to it instead of the valid one FMS Confidentiality Dictionary Confidentiality Deauthentication Availability Disassociation Availability Honeypot Privacy Evil Twin Privacy 7
Research Motivation Issues with existing WLAN IDSs 1. Need assessment using datasets with full attack types such as Aegean Wi-Fi Intrusion Dataset AWID 2. Need improvement of learning and classification speed 3. Need improvement of classification accuracy With such problems in wireless security, developing and implementing enhanced wireless IDS model is definitely a step in the right direction. 8
Research Methodology Studying the IEEE 802.11 protocol standards and architecture Reviewing different types of WLAN attacks and their behavior. Reviewing recently available IDS techniques in the literature and find their limitations Testing different anomaly classifiers using an up to date dataset (AWID) and select the one that meets the research objectives Proposing a novel algorithm to optimize the performance of the anomaly classifiers in the IDS system To achieve the best accuracy, we developed a hybrid IDS approach that combines the anomaly and signature detection components Finally, we conduct different experiments and compare the results of the developed IDS with the literature 9
BACKGROUND 10
Intrusion Detection System What is Network IDS? A software or hardware system that can monitor network traffic and analyze it to identify anomalies and intrusions. IDS represents the second defense line after firewall. Router Internet Firewall IDS 11
Wired and Wireless IDS Wired and Wireless IDS Wireless IDS analyses data link layers of the WLAN whereas wired IDS analyzes the internet protocol layer and above. 12
Anomaly detection VS signature detection Anomaly-based IDS can detect zero-day (new) attacks by creating profiles of normal behavior to distinguish any later deviations. Signature-based IDS is only capable to detect known attacks which have predefined signatures. 13
Anomaly IDS taxonomy Type Definition Example use statistical properties to create the normal behavior Statistical based Markov process find specific patterns of data or anomalies within large historical datasets Decision tree (C4.5) AODE Data mining based depends on rules generated from the knowledge base to detect the attacks Knowledge-based Expert system Machine learning based depends on previous results and improves its detection performance over time SVM 14
Intrusion Detection Techniques AODE (Averaged one-dependence estimators) Weakens the attribute independence assumption of Na ve Bayes classifier AODE considers probability of PAIRS of features independent, given the class P(Y|xi,xj). Na ve Bayes considers the features (X) independent given the class (Y) (P(y|xi)) C4.5 Generates model as a decision tree it classifies testing instances using the rules induced from tree 15
Aegean Wireless Intrusion Dataset Kolias et al. introduced new 802.11 dataset called Aegean WiFi Intrusion Dataset (AWID). Contains real traces of both normal and intrusive WLAN traffic AWID considers the following three classes of attack Flooding Injection Impersonation Crack the network key Affect the privacy Cause DoS 16
Aegean Wireless Intrusion Dataset Types of AWID datasets Dataset name Description intrusion Class Label AWID-CLS-R-Trn Training set (1,795,575) 3 major classes (flooding, injection and impersonation ) Testing set (575,643) AWID-CLS-R-Tst 3 major classes labels correspond to different attack names AWID-ATK-R-Trn Training set labels correspond to different attack names AWID-ATK-R-Tst Testing set 17
Evaluation Methods of IDS Systems Performance measures are used to evaluate the performance and accuracy of IDS systems To calculate performance measures, we need to compute four main statistical measures as shown next Statistical Measure Definition TP The number of correctly classified instances as attack TN The number of correctly classified instances as normal FP Instances that were incorrectly classified as attack FN Instances that were incorrectly classified as normal 18
Binary classification measures Binary classification measures are shown below Formula for binary classification ?? + ?? ?? + ?? + ?? + ?? ?? ?? + ?? ?? ?? + ?? 2?? ? + ? False Positive Rate (FPR) ?? + ?? Measure Evaluation Purpose Accuracy Classifier's overall effectiveness Precision How accurate the detected positive instances are ? = Recall How complete the true positive instances are ? = F-score Balance between precision and recall How accurate the detected negative instances are ?? ??? = The total time taken to build a classifier model (profile), using given training set - Learning time The total time taken to test a classifier model (profile) on the given testing set - Classification time 19
Noisy Data and Feature Selection Presence of noise may affect the classification algorithms Noise Sources: Feature redundancy Irrelevant features Feature selection: the process of selecting the most relevant attributes in model construction Advantages of Feature selection: increases the detection accuracy shortens the computation times of learning and classification 20
Feature Selection Methods 1. Filters: rank attributes based on their contribution to the predict class using independent measure Computationally efficient and immune to overfitting Example: information gain ratio (IGR) 2. Wrappers: evaluate different combinations of attribute subsets and select the one with highest accuracy Require high amount of computation time Example: best-first search 3. Embedded Methods: select variables during the learning phase using a method similar to wrappers 21
Related Work Work Details (HFW) Results Highprecision 96% Enhanced accuracy 98.5% Training time 1.6h Classification time 0.9h FPR of 4% Authors Guennoun et al Selecting the Best Set of Features for Intrusion Detection in 802.11 Network Title Anomaly Classifier k-means classifier Signature Detection --- -A hybrid approach of filter and wrapper methods (HFW) are used -Subset with highest accuracy is selected Feature Selection M. Guennoun, A. Lbekkouri, and K. El-Khatib, Selecting the Best Set of Features for Efficient Intrusion Detection in 802.11 Networks, in 3rd International Conference on Information and Communication Technologies: From Theory to Applications, 2008. ICTTA 2008, 2008, pp. 1 4 22
Related Work Work Details (G-LDA) Results Enhanced accuracy 98.1% Low precision 87% Training time 1.42h Classification time 0.5h High FPR of 14% Authors Kasliwal et al A hybrid anomaly detection model using G-LDA Title Anomaly Classifier Genetic algorithm Latent Dirichlet Allocation Signature Detection --- 1. Attributes with different mode values for the anomaly and Normal packets 2. Attributes mean is close to their mode value Feature Selection B. Kasliwal, S. Bhatia, S. Saini, I. S. Thaseen, and C. A. Kumar, A hybrid anomaly detection model using G- LDA, in Advance Computing Conference (IACC), 2014 IEEE International, 2014, pp. 288 293. 23
Related Work Work Details (NMI) Results High Recall of 98.75% High accuracy 99.25% FPR 1% Training time 1.6h Classification time 1.25h Having a relatively high classification time would miss some attacks Authors Usha and Kavitha Anomaly based IDS for WLAN optimal features using SVM classifier Title Anomaly Classifier SVM classifier Signature Detection --- 1. Ranks the features first using normalized gain (NG) 2. Selects the optimal features using (PSO). Feature Selection M. Usha and P. Kavitha, Anomaly based intrusion detection for 802.11 networks with optimal features using SVM classifier, Wirel. Netw., pp. 1 16, May 2016. 24
Related Work Issues with existing WLAN IDSs NMI G-LDA HFW Precision 99.25% 87% 96% Accuracy 99.25% 98.1% 98.5% Training time 1.6h 1.42h 1.6h Classification time 0.5h 1.25h 0.9h 25
Related Work Issues with existing WLAN IDSs 1. Need improvement of learning and classification speed 2. Need improvement of classification accuracy 26
Research Questions In the present work an improved hybrid wireless intrusion detection system (HWIDS) is developed to address the following research questions: RQ1: How does HWIDS compare to other published intrusion detection approaches in terms of precision and recall? RQ2: Can HWIDS detect attacks in real-world wireless LANs and how fast is it? RQ3: How does HWIDS compare to other commercial intrusion detection systems? 28
Research Problem Research problem: How to enhance existing WLAN IDS to efficiently identify serious attacks in IEEE 802.11i WLANs with fast learning and classification speed and high detection accuracy? 29
Research Objectives The research objectives are as follows: 1. Review and understand different types of WLAN attacks 2. Study, analyze and compare the current WLAN IDSs and identify their limitations . 3. Propose an effective WLAN IDS that is able to overcome the flaws in the existing solutions and improve its performance. 4. Evaluate and test the proposed solution for performance and efficiency. 30
Research Contributions The contribution of the present work is manifold: 1. Proposed a novel algorithm for feature reduction to reduce 155 features in Aegean dataset to 18 features only 2. Development of a hybrid real-time network-based WLAN intrusion detection system (HWIDS). 3. Improved classification accuracy and classification speed. 31
HWIDS DESIGN 32
HWIDS What is HWIDS? It is a hybrid real-time network-based WLAN intrusion detection system It is a hybrid IDS because: 1. It utilizes a hybrid method for feature selection (filter and wrapper) 2. It employs signature and anomaly detection to detect intrusions 33
HWIDS Architecture HWIDS consists of typical IDS components that model the IDS Anomaly Detection HWIDS first preprocesses captured frames and then profiles and signatures. where to collect the raw an alarm is sent to SSO. Reference Data Stores both classifier configurations include If an intrusion is detected, Configuration Data Alarms & SSO Audit Storage &Datasets to store captured WLAN frames selects the effective The profiles can be captures, when to remove old captured files, control Monitored Entity The data source for IDS. HWIDS can monitor wireless network activity of one or more AP devices classifiers detect deviations Audit Collection HWIDS captures the MAC layer information & physical layer information feature set. Next, updated later by incremental learning the volume of captures 34
HWIDS Flowchart Start Remove old captures Yes Receive captures from APs Storage exceeded ? No Preprocess captured frames and select effective features Store Captures Match frames with known attack signatures Classify frames using anomaly classifiers (AODE and C4.5) Store related attack information Attack signature matched ? No Yes 35 Anomaly detected ? Yes Generate online/ offline alarms No End
Data Preprocessing in HWIDS HWIDS preprocess the captured PCAP files from AP Preprocessing includes 1. Conversion of 48-bit MAC addresses to integer values 2. Conversion of any hexadecimal values to long numbers Several ML systems can only process numbers This makes it computationally efficient 36
Effective Feature Selection (EFS) Algorithm We proposed a novel algorithm for feature selection based on hybrid scheme (filtering and wrapper ). The algorithm consists of three main processes 1. Removing redundant attributes or features with fixed values 2. Univariate filtering method 1. Features are ranked based on IGR measure 2. Remove features with IGR value less than the threshold =0.05 3. Computationally efficient, 4. Not biased toward distinct valued features 3. Wrapper method 1. Include features from WLAN Knowledge Subset (WKS) 2. Evaluate different subset combinations using AODE classifier 3. Choose the subset with highest detection accuracy 37
Effective Feature Selection (EFS) Algorithm Effective Feature Selection Algorithm Input: D{F0 , F1, .. ,Fn-1} // training dataset with n number of features // threshold by which features are discarded M // a Machine Learning model SWKS // significant WLAN features set Output: 01 begin 02 initialize: Sbest = {}; // initialize effective features set 03 SIGR = {}; // initialize the set of ranked features with IGR 04 for i=1 to n do 05 for each feature f SIGR do // discard redundant features 06 If redundant(Di ,f) then 07 continue; 08 end 09 If not(distinct(Di)) OR IGR(Di) < then // discard constant features or below 10 continue; 11 end 12 SIGR = SIGR Di ; 13 end for 14 sort(SIGR); // sort features in descending order based on IGR 38
Effective Feature Selection (EFS) Algorithm Effective Feature Selection Algorithm 15 Sbest = SIGR SWKS; 16 Accbest = accuracy(Sbest , M) ; //wrapper method of effective feature selection 17 Sbest_tmp = Sbest ; 18 for i=1 to n do 19 Sbest_tmp = Sbest_tmp - Sbest[i] ; 20 Accnew = accuracy(Sbest_tmp, M) ; 21 If Accnew Accbest then 22 Accbest = Accnew ; 23 else 24 Sbest_tmp = Sbest_ tmp Sbest[i] ; //return the feature if accuracy dropped 25 end 26 end for 27 Sbest = Sbest_tmp ; 28 return: Sbest 30 end 39
WKS and Effective Features WKS: a subset of significant features ,selected after examining the footprints of WLAN attacks They are embedded to the wrapper process, regardless of the their IGR Effective Feature Set: asubset of attributes that results in highest detection accuracy for a classifier. We selected AODE classifier 40
WKS and Effective Features The Result of the First Process Constant Attributes Deleted (36) frame.interface_id frame.dlt frame.offset_shift frame.marked frame.ignored radiotap.version radiotap.pad radiotap.present.rate radiotap.present.fhss radiotap.present.dbm_antnoise radiotap.present.lock_quality radiotap.present.tx_attenuation radiotap.present.db_tx_attenuation radiotap.present.dbm_tx_power radiotap.channel.type.5ghz radiotap.channel.type.passive radiotap.channel.type.dynamic radiotap.channel.type.gfsk radiotap.present.db_antsignal radiotap.present.db_antnoise radiotap.present.xchannel radiotap.present.mcs radiotap.present.ampdu radiotap.present.vht radiotap.present.reserved radiotap.present.rtap_ns radiotap.present.vendor_ns radiotap.present.ext wlan.fc.version wlan.fc.order radiotap.channel.type.turbo radiotap.channel.type.2ghz radiotap.channel.type.gsm radiotap.channel.type.sturbo radiotap.channel.type.half radiotap.channel.type.quarter Redundant Attributes Deleted (11) frame.time_delta_displayed frame.cap_len radiotap.present.tsft radiotap.present.flags radiotap.present.channel radiotap.present.antenna radiotap.present.rxflags wlan.qos.tid wlan.qos.buf_state_indicated wlan.fc.type wlan.fc.subtype 41
WKS and Effective Features The Result of the Second Process Ranked Attribute Subset wlan.fc.pwrmgt wlan.frag wlan.fc.type_subtype wlan.ta wlan.fc.ds radiotap.channel.type.ofdm wlan.duration frame.time_relative radiotap.mactime wlan.ra wlan.wep.iv wlan.seq wlan.fc.frag frame.len data.len radiotap.datarate radiotap.channel.type.cck wlan.sa wlan.fc.protected frame.time_epoch wlan.wep.icv wlan.da wlan.bssid Features that are filtered out by this process: 84 features Remaining features: 23 features with t >= 0.05 42
WKS and Effective Features The Result of the Third Process (Step 1) Ranked Attribute Subset WLAN Significant Features wlan.fc.pwrmgt wlan.fc.frag wlan.fc.type_subtype wlan.da wlan.frag frame.len wlan_mgt.fixed.reason_code wlan.ra wlan.fc.type_subtype data.len wlan_mgt.fixed.beacon wlan.fc.ds wlan.ta radiotap.datarate radiotap.channel.type. cck wlan.sa U radiotap.dbm_antsignal frame.len wlan.fc.ds radiotap.channel.type.ofdm frame.time_delta wlan_mgt.fixed.listen_ival wlan.duration wlan.fc.protected wlan.seq wlan_mgt.fixed.timestamp frame.time_relative frame.time_epoch wlan.fc.retry wlan.wep.iv radiotap.mactime wlan.wep.icv wlan.ra wlan.da wlan.wep.iv wlan.bssid wlan.seq Union of WKS features and the ranked feature subset 7 features included from WKS, others were repeated . The output of this step: 30 features 43
WKS and Effective Features The Result of the Third Process (Step 2) Effective Features frame.len wlan.da radiotap.datarate wlan.sa radiotap.dbm_antsignal wlan.frag wlan.fc.type_subtype wlan.seq wlan.fc.ds wlan_mgt.fixed.timestamp wlan.fc.frag wlan_mgt.fixed.beacon wlan.fc.retry wlan_mgt.fixed.reason_code wlan.fc.pwrmgt wlan.wep.iv wlan.duration class Apply the wrapper methods to 30 features from the step 1 Output is the 18 effective features 44
Experimental Results Setup Notes HWIDS is developed in Java HWIDS integrates libraries from Weka and Tshark We conducted our experiments on Windows 10 64-bit operating system 1.7 GHz i5 CPU, 12 GB RAM AWID dataset is used 1,795,575 instances for training set (9.04% are positives) 575,643 instances for testing (7.8% are positives) Binary performance measurements to evaluate HWIDS Instances with attack classes as positive examples Normal instances as negative examples 46
Learning time VS effective and full feature sets 1600 1386.68 1400 8.66 times faster 88.46% Learning Time (seconds) 1200 10 times faster 90.02% 1000 800 600 451.1 400 160 200 45 0 HWIDS (C4.5) HWIDS (AODE) HWIDS (C4.5) HWIDS (AODE) effective set full set 47
Classification time VS effective and full feature sets 60 47.85 50 Classification time (seconds) 13.7 times faster 92.70% 30.59 times faster 96.73% 40 30 20 8.32 10 3.493 0.272 0 HWIDS (C4.5) HWIDS (AODE) HWIDS (C4.5) HWIDS (AODE) effective set full set 48
Learning time versus WLAN IDSs 7000 5760 6000 5112 Learning time (seconds) 5000 4000 ? ??2 3000 2000 1000 160 45 0 HWIDS (C4.5) HWIDS (AODE) G-LDA NMI AODE has a linear computational complexity with respect to the number of training instances (t), and square complexity w. r. t. the number of features (n). 49
Classification time versus WLAN IDSs 3000 2448 2500 Classification Time (seconds) 2000 1500 ? ??2 1260 1000 500 3.493 0.272 0 HWIDS (C4.5) HWIDS (AODE) G-LDA NMI AODE has a linear computational complexity with respect to the number classes (k), and square complexity w. r. t. the number of features (n). 50