Researchers crafting intelligent, scaleable WLAN defense

Protecting enterprise wireless networks from increasingly sophisticated attacks is the focus of a research project from the Dept. of Homeland Security Advanced Research Projects Agency, a pilot of which is just wrapping up at Dartmouth College.

Protecting enterprise wireless networks from increasingly sophisticated attacks is the focus of a research project from the Dept. of Homeland Security Advanced Research Projects Agency (HSARPA), a pilot of which is just wrapping up at Dartmouth College.

Researchers from Dartmouth and Aruba Networks are developing a battery of algorithms and a software architecture running over radio frequency sensors to measure and analyze traffic and then react to wireless LAN (WLAN) attacks, especially to the spoofing and evasion that are ever more common today.

There are commercial wireless intrusion-detection systems (IDS) today from AirDefense, AirTight Networks, Network Chemistry, and Aruba itself. But Project MAP -- the acronym stands for measure, analyze and protect -- has two ambitious, distinguishing goals. First, it is an IDS that's far more intelligent in what and how it measures and analyzes wireless traffic. Second, it is an IDS that can handle not only the traffic from thousands of access points and clients, but also the flood of measurement data that its own RF sensors, or sniffers, will create.

Smarter is better

Smarter software is needed because attacks are becoming smarter and sneakier.

"The IDS [today] may not see certain frames, or the attacker may be doing radio frequency jamming, causing the attack to be invisible," says Josh Wright, senior security researcher with Aruba. "Attackers are using evasion techniques, and these are not being addressed by today's [IDS] products."

Scalability is essential to the project's design because the RF sensors will continuously track, collect, and combine a lot of real-time data about a site's entire radio environment.

Launched in summer of 2005, Project MAP is funded by the Department of Homeland Security through DARPA. The researchers are starting to analyze the results of a test MAP deployment at one building on the Dartmouth campus. Those results will guide changes, tweaks, and refinements to the software through the first half of 2007. By the end of 2007, researcher plan to have deployed a full-production MAP system over a major part of Dartmouth's sprawling wireless network.

The pilot consists of off-the-shelf Aruba RF sniffers, which basically are 802.11a/b/g access points that listen only for radio signals. The MAP software listens to the traffic on all channels, measuring a range of statistics, aggregates that information to create an accurate picture of what's happening in the air, and then scans for evidence of attacks, says David Kotz, a Dartmouth professor of computer science and one of the lead MAP researchers.

Lots of RF sniffers

Instead of trying to minimize the number of sniffers, MAP will do the opposite, deploying lots of them to provide effective coverage of all the access points, authorized clients, and attacking clients. "All three devices are involved in an attack," Kotz says. "An attacker may present itself as an access point and tell an authorized client to disassociate [from a legitimate access point]. You may need more than one sniffer to collect the needed data from all three of these parties, which may be separated by some considerable distance."

"We're trying to get as high a resolution 'snapshot' of the net as we can with lots of sniffers and data aggregation," Kotz says.

MAP is intended to be resilient enough to work successfully in the face of the numerous variables and glitches that exist in WLANs. "Sniffers might not be able to collect all the needed packets because of things like packet collisions, RF reflections, or misaligned antennas," says Tristan Henderson, assistant professor of computer science and a MAP researcher. "So we're building algorithms on the assumption that we won't be able to collect everything."

Higher-level stats, and accuracy

Some commercial IDS systems require that every single frame be checked to see if it matches known attack signatures, Henderson says. By contrast, MAP analyzes higher-level statistics. "We can look at statistics about the proportion of control traffic to data traffic in various type of attacks," he says, revealing a pattern that may signal malicious activity. "We can be more certain about an attack than other techniques that rely on capturing every frame."

MAP will also monitor aggressively all 802.11 channels for activity. "Most other products configure their sniffers to listen to only one channel all the time, or to rotate through all the channels, spending the same amount of time listening to each one," Kotz says. MAP adds intelligence; it cycles through all the channels, but spends more time on the busiest ones. In addition, the MAP sensors can be refocused quickly on a channel with suspicious activity. "The software says 'this client appears to be under attack' and it tells the MAP measurement system to get more information," Kotz says. "The measurement system [software] refocuses and spends more time listening to that client."

MAP is intended to be effective against denial-of-service attacks, as well as against a new category of attacks called "reduction of quality (RoQ)." An RoQ attack doesn't deny service completely. Instead, it degrades the quality of the connection or the available bandwidth, either to disrupt communications for others or to get better service for the attacker. A wireless VoIP call, for example, might stay connected but be so plagued with dropped packets or other problems as to be useless.

"It's hard to detect who's doing it, or even whether it's being done at all," Henderson says. "You need much more sophisticated techniques to detect these attacks."

Countering evasive tactics

A higher level of sophistication also is needed to counter the evasive techniques that attackers are starting to exploit, Aruba's Wright says. For example, an access point legitimately can direct a client to deauthenticate in certain cases, so deauthentication traffic is normal on a WLAN. The problem, Wright says, is that an attacker also can use deauthentication traffic to enable, and mask, a denial-of-service attack. More recently, he says, it's being used to trigger software flaws in WLAN driver code.

As part of developing this greater sophistication, MAP researchers are working to improve the accuracy of attack identification, thereby eliminating false alarms (false positives) as well as false negatives -- real attacks that the IDS doesn't recognize.

If successful, MAP could create the foundation of a dynamic WLAN security system that can monitor continuously for, and adapt to, constantly changing attacks.

Learn more about this topic

Project MAP Web site

Best practices for Wi-Fi Rogue containment10/18/06Will we see wireless driver exploits in the wild?11/27/06

WVE: the online Wireless Vulnerabilities and Exploits index

Siemens software protects WLANs04/17/06
From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies