Adding WiFi sensors to the infrastructure
Linksys Access Points run as “Kismet drones”, passively monitoring all 802.11 traffic and reporting wireless frames over Ethernet.
Added a new GenericSensor instance to the SXE to provide KismetSensor as a “first class” sensor device.
The Kismet server process interprets the drones’ results and detects “ALERT” events (DEAUTHFLOOD, DISASSOCTRAFFIC, etc.) via its published UDP protocol. Packet analysis can be run on the AP, but performance (and extensibility) improves when it is processed elsewhere. New functionality was added to read a KismetSensor as a snStruct.
Other processors can be plugged in and customized to detect different attacks/events (flag “any traffic from sender X”, etc.).
Experiment environment: CS Graduate Research Lab
Linksys Access Points imaged with OpenAP Linux and Kismet; Axis Pan-Tilt-Zoom cameras on a dedicated gigabit network; Crossbow motes, servers, compute node, 750GB SQL server, etc.
Adding Network Intrusion Detection
Simulated attacks with open-source tools (AirJack, Netstumbler) were detected and responses processed in an average of 2.8 seconds in polling mode on un-optimized code (e.g., debug mode).
Quick optimizations reduced processing time to 550ms. Anything under 30 seconds is likely acceptable for intrusion response time – “I did it, now run!”
findadjacentsensor does not yet move the PTZ cameras.
Use signal strength to improve the captured image by moving the cameras to the best vantage point, and take an image from all applicable sensors.
Implement SendDisassociate() and DetectWifiCommEvent() to take defensive action against an attacker.
Results & Future Work
E-mail notification on detected intrusion

    letonce WIFIPKT = DetectWifiAlertEvent(Sensor) in
    leteach SRC = WIFIPKT.getfield("MAC") in
      level_trigger(
        not(isnil(WIFIPKT)),
        email("[email protected]",
          concat($NOW$, ":Found banned MAC",
            SRC, " at",
            WIFIPKT.getfield("time"))))

Build a MAC blacklist on detected intrusion

      level_trigger(
        not(contains(SQL.get("BLACKLIST"), SRC)),
        SQL.put("BLACKLIST", SRC))

Take a picture when a wireless intruder is detected

      level_trigger(
        contains(SQL.get("BLACKLIST"), SRC),
        SQL.put("wifi_intrusion_$EVAL_COUNT$",
          drawstring(concat("MAC ", SRC),
            snapshot(
              findadjacentsensor("Image",
                WIFIPKT.getfield("SOURCE_AP"))))))
Forcibly Disassociate a Blacklisted User Whenever Detected

      level_trigger(
        not(isnil(WIFIPKT)),
        SendDisassociate(
          WIFIPKT.getfield("BASESTATION"), SRC))
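The response plan in the SNAFU snippets above (detect, notify, blacklist, photograph), as an added Python simulation that is not snBench or SNAFU code: a level_trigger evaluator run over constructed alert records. The Alert fields, the AP-to-camera map and the evaluation counter standing in for $NOW$ are assumptions; the disassociation trigger is left out because SendDisassociate() is listed above as future work.

```python
from collections import namedtuple

# WIFIPKT as DetectWifiAlertEvent would yield it; field names are assumptions.
Alert = namedtuple("Alert", "mac time source_ap")
SAMPLE_ALERTS = [  # constructed sample events, not captured data
    Alert("00:11:22:33:44:55", "12:00:01", "ap-lab-1"),
    Alert("00:11:22:33:44:55", "12:00:04", "ap-lab-2"),
    Alert("66:77:88:99:aa:bb", "12:00:09", "ap-lab-1"),
]
# Assumed AP -> camera map, standing in for findadjacentsensor("Image", ap).
ADJACENT_CAMERA = {"ap-lab-1": "ptz-cam-1", "ap-lab-2": "ptz-cam-2"}

class Store:
    """Stand-in for SQL.get/SQL.put plus a log of the responses taken."""
    def __init__(self):
        self.blacklist = set()  # the SQL "BLACKLIST" table
        self.emails = []        # messages handed to email(...)
        self.snapshots = []     # (camera, label) handed to snapshot/drawstring

def level_trigger(cond, action):
    """A level trigger runs its action on every evaluation in which cond holds."""
    return (cond, action)

# The three triggers in poster order; each sees (store, pkt, src, now).
PLAN = [
    level_trigger(lambda st, pkt, src, now: pkt is not None,
                  lambda st, pkt, src, now: st.emails.append(
                      f"{now}:Found banned MAC {src} at {pkt.time}")),
    level_trigger(lambda st, pkt, src, now: src not in st.blacklist,
                  lambda st, pkt, src, now: st.blacklist.add(src)),
    level_trigger(lambda st, pkt, src, now: src in st.blacklist,
                  lambda st, pkt, src, now: st.snapshots.append(
                      (ADJACENT_CAMERA[pkt.source_ap], f"MAC {src}"))),
]

def evaluate(store, pkt, now):
    """One round: leteach binds SRC, then every trigger whose condition holds fires."""
    if pkt is None:  # isnil(WIFIPKT): SRC cannot be bound, so nothing fires
        return store
    src = pkt.mac
    for cond, action in PLAN:
        if cond(store, pkt, src, now):
            action(store, pkt, src, now)
    return store

def run(alerts):
    """Feed each alert through the plan; the round number stands in for $NOW$."""
    store = Store()
    for n, pkt in enumerate(alerts):
        evaluate(store, pkt, f"eval{n}")
    return store
```

Because the triggers are evaluated in order within one round, a newly seen MAC is blacklisted by the second trigger and photographed by the third in the same round.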
WNID in SNAFU
SNBench Case Studies: Wireless Network Security & Floor-Plan Flow Analysis
Michael Ocean, Azer Bestavros and Assaf Kfoury
The snBench is designed to promote research, both intrinsic (within the snBench) and extrinsic (running on the snBench).
1. New sensing hardware, modalities (e.g., data types) or functional abilities require only a simple Java class (interface) implementation.
A wireless network intrusion detection (WNID) system is just a specialized instance of a Sensor Network, so we added WNID to the snBench. snBench with WNID enables features beyond other WNID systems, specifically multi-modal detection and response (e.g., using both wifi sensors and video sensors).
2. We have used the snBench within a graduate Software Engineering class for the last two years. A group of graduate students implemented motion detection and motion vector tracking functionality to facilitate floor plan flow analysis.
Image Processing on the SNBench
As part of a Software Engineering class, a group of Masters students in the Image and Video Computing group added new operations (STEP functions) to the SXE core library.
BlobDetect(snImage): Find differences between the current image and the image it was previously run with, and return the number of blobs detected in the image.
BlobDraw(snImage): Find differences between the current image and the image it was previously run with, and draw bounding boxes around the blobs detected in the image.
PeopleDetect(snImage, MotionVector): Every blob moving in the same direction as the MotionVector increases the value by 1; every blob moving against the MotionVector decreases the value by 1.
MakeTable(snPair(timestamp, value)): Create (or update) an image of a line graph to include a point of height “value” at time “timestamp”.
Results & Demo
STEP Graph:
(image from STEP IDE)
Results: (images from live run)