Chapter 15. Counterintelligence: Wireless IDS Systems

"Assess opponents conditions, observe what they do, and you can find out their plans and measures. "

—Meng Shi

Intrusion detection systems (IDSs) are divided into two major categories: signature-based and knowledge-based.

Signature-based IDSs are the most common and easy to implement, but they are also the easiest to bypass and lack the capability to detect novel attacks. These IDSs compare events on the network to signs of known attacks called attack signatures. If a hacking tool is modified to alter some part of its attack signature, the attack is likely to go unmentioned. Besides, the attack signatures database has to be well secured and frequently updated.

Knowledge-based IDSs monitor the network, collect statistics about standard network behavior, detect possible deviations, and flag them as suspicious. For these reasons, knowledge-based IDSs are also called behavior-based or statistical. Proper network baselining is essential for efficient statistical IDS operations. Although knowledge-based IDSs are not easily fooled, their main problems are false positives and difficulties detecting some covert channel communications. The possibility of false-alarm generation is particularly worrisome on wireless networks due to the unreliable nature of the Layer 1 medium. Also, attacks launched at the early stage of the baselining period can severely interfere with the IDS learning process, making deployment of a knowledge-based IDS on a production network a somewhat risky task. What if the "normal" behavior of the network is already altered by a cracker at the moment of IDS deployment?

We believe that a proper wireless IDS should belong to both categories simultaneously. Few wireless attack tools have specific attack signatures, as discussed in this chapter. The signatures that do exist can be matched against the database of known attack traces to trigger the alarm. However, many wireless attacks do not generate specific signatures, but instead cause a deviation from the standard network operation on lower network layers. This deviation can be as subtle as few wireless frames coming out of sequence or as straightforward as tripled bandwidth consumption on the WLAN. Detecting wireless network behavior abnormalities is not an easy task, because no two wireless networks are the same. A similar principle applies to the wired LANs, but wired networks do not suffer from radio interference, signal refraction, reflection, and scattering issues. They do not have roaming users and stretch CAT 5 cables out of the office window to give access to the potential attackers on streets. Thus, the key to efficient intrusion detection on WLANs is detailed network baselining over a significant time period.

Only by collecting a large number of statistics about the particular WLAN behavior is it possible to determine what constitutes abnormal behavior and what doesn't, and to distinguish connectivity problems, user errors, and malicious attacks. Multiple 802.1x/LEAP authentication requests might constitute a brute-forcing attempt. At the same time, it could be a user guessing his or her forgotten password, or a badly written supplicant application that attempts to log in until the correct password is entered. An increased number of beacon frames per second might signal a DoS attack or rogue access point presence, but it could also be a faulty or misconfigured access point. Higher layer IDS alarm-triggering events, such as a large number of fragmented packets or abundant TCP SYN requests, can indicate a possible portscan or DoS attack, but might also be a result of a Layer 1 connectivity problem on a WLAN. Fire up your Ethereal or similar protocol analyzer on a wireless interface and subject the network to a high level of RF interference; you will see all kinds of damaged and incomplete packets identified as various obscure protocols by your sniffer (Banyan Vines, anyone?). It is not surprising that some of these malformed packets can accidentally trigger an IDS alarm. After some investigation, the "evil cracker" can turn out to be a Bluetooth dongle or microwave oven creating RF interference in the network area.