Protecting enterprise wireless networks from increasingly sophisticated attacks is the focus of a research project from the Dept. of Homeland Security Advanced Research Projects Agency (HSARPA), a pilot of which is just wrapping up at Dartmouth College.
Researchers from Dartmouth and Aruba Networks are developing a battery of algorithms and a software architecture running over radio frequency sensors to measure and analyze traffic and then react to wireless LAN (WLAN) attacks, especially to the spoofing and evasion that are ever more common today.
There are commercial wireless intrusion-detection systems (IDS) today from AirDefense, AirTight Networks, Network Chemistry, and Aruba itself. But Project MAP -- the acronym stands for measure, analyze and protect -- has two ambitious, distinguishing goals. First, it is an IDS that's far more intelligent in what and how it measures and analyzes wireless traffic. Second, it is an IDS that can handle not only the traffic from thousands of access points and clients, but also the flood of measurement data that its own RF sensors, or sniffers, will create.
Smarter software is needed because attacks are becoming smarter and sneakier.
"The IDS [today] may not see certain frames, or the attacker may be doing radio frequency jamming, causing the attack to be invisible," says Josh Wright, senior security researcher with Aruba. "Attackers are using evasion techniques, and these are not being addressed by today's [IDS] products."
Scalability is essential to the project's design because the RF sensors will continuously track, collect, and combine a lot of real-time data about a site's entire radio environment.
Launched in summer of 2005, Project MAP is funded by the Department of Homeland Security through DARPA. The researchers are starting to analyze the results of a test MAP deployment at one building on the Dartmouth campus. Those results will guide changes, tweaks, and refinements to the software through the first half of 2007. By the end of 2007, researchers plan to have deployed a full-production MAP system over a major part of Dartmouth's sprawling wireless network.
The pilot consists of off-the-shelf Aruba RF sniffers, which basically are 802.11a/b/g access points that listen only for radio signals. The MAP software listens to the traffic on all channels, measures a range of statistics, aggregates that information to create an accurate picture of what's happening in the air, and then scans for evidence of attacks, says David Kotz, a Dartmouth professor of computer science and one of the lead MAP researchers.