The proliferation of wireless networks during the last decade has been remarkable: the license-free nature of the ISM band and the rapid spread of Wi-Fi compatible devices, especially smartphones, have offered ubiquitous broadband wireless internet access to millions of users worldwide. However, because the medium is open, wireless networks are susceptible to a number of attacks. Adversaries can exploit vulnerabilities in the medium access and physical layers and heavily disrupt network operation (e.g., see [1–5]). Traditional protection methods such as firewalls and encryption are not sufficient against such attacks, and for this reason several intrusion detection algorithms have been proposed by the research community to address them.
In general, intrusion detection techniques fall into two main categories: misuse (or signature-based) detection and anomaly-based detection. The former matches observed activity against the signatures of known attacks; it has low false alarm rates (FARs) but cannot detect new types of attacks. The latter may have higher FARs but has the potential to detect unknown types of attacks. In this article, we study the performance of anomaly-based intrusion detection.
In our previous studies [6, 7], we investigated the performance of several algorithms for the detection of physical-layer jamming attacks. This type of attack can be launched by adversaries through the generation of interference in neighbouring channels. We proposed intrusion detection algorithms that considered several metrics using two types of algorithms: simple threshold and cumulative sum (Cusum). The performance evaluation, in terms of the detection probability (DP), the FAR, and the robustness to different detection thresholds, showed that Cusum Max-Min, a Cusum-type algorithm, had the best performance among all algorithms. The attack model we considered was a modified IEEE 802.11 node that violated several mechanisms (backoff, spectrum sensing, etc.) and emitted energy on a channel neighbouring the one legitimate nodes used for communication.
In this article, we extend our previous contribution in order to detect attackers (jammers) who follow different attack strategies. Such an attacker can, for example, emit energy on the same channel legitimate nodes use. For the detection of this type of attack, we consider a metric based on the ratio of corrupted packets to correctly decoded packets.
Furthermore, more powerful jammers based on software defined radio can completely block a wireless network's operation. In this case, neither SINR-based nor error-based metrics are useful, as no packets are transmitted at all. We detect this type of attack, which we call a blocking attack, using a metric based on the number of beacon packets transmitted by the access point (AP) in a pre-defined time window.
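The two detector families (simple threshold and Cusum) and the two metrics described above (beacons per window for the blocking attack, corrupted-to-correct packet ratio for the same-channel jammer), as an added Python illustration that is not the paper's prototype code. The Cusum used here is the standard one-sided Page recursion with a reset after each alarm; the paper's Cusum Max-Min variant is defined in Section 4 and is not reproduced. The 1 s window, the expected 9–10 beacons per window (the default 802.11 beacon interval is 102.4 ms), the thresholds, the episode-level DP/FAR definitions and all metric values are constructed assumptions.

```python
"""Per-window anomaly detectors for two jamming metrics (added illustration).

simple threshold: alarm when one window crosses a fixed value.
one-sided Cusum (Page): S_n = max(0, S_{n-1} + dev_n - drift); alarm if S_n > h,
then reset S so later alarms reflect fresh evidence.
All constants and sample values are constructed assumptions, not measurements.
"""


def simple_threshold(values, threshold, low_is_bad):
    """Alarm for every window whose metric crosses `threshold`.

    low_is_bad=True  -> alarm when value < threshold (too few beacons)
    low_is_bad=False -> alarm when value > threshold (too many corrupted packets)
    """
    return [(v < threshold) if low_is_bad else (v > threshold) for v in values]


def cusum(values, mean, drift, h, low_is_bad):
    """One-sided Cusum over a metric stream; returns one alarm flag per window.

    dev_n = mean - x_n when a drop is suspicious, x_n - mean when a rise is.
    `drift` is the per-window deviation tolerated without accumulating
    evidence, so isolated benign dips/bursts decay instead of triggering.
    """
    s, alarms = 0.0, []
    for x in values:
        dev = (mean - x) if low_is_bad else (x - mean)
        s = max(0.0, s + dev - drift)
        fired = s > h
        alarms.append(fired)
        if fired:
            s = 0.0  # reset after alarm (assumed convention)
    return alarms


def attack_episodes(labels):
    """Contiguous runs of True in `labels`, as [start, end) index pairs."""
    episodes, start = [], None
    for i, flag in enumerate(list(labels) + [False]):
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            episodes.append((start, i))
            start = None
    return episodes


def evaluate(alarms, labels):
    """Return (DP, FAR) under assumed definitions:
    DP  = fraction of attack episodes with at least one alarm inside them;
    FAR = fraction of attack-free windows that raised an alarm."""
    episodes = attack_episodes(labels)
    dp = sum(any(alarms[a:b]) for a, b in episodes) / len(episodes)
    normal = [al for al, lab in zip(alarms, labels) if not lab]
    far = sum(normal) / len(normal)
    return dp, far


def sweep(detect, thresholds, values, labels):
    """[(threshold, DP, FAR)] per threshold: how stable (robust) is a detector?"""
    return [(t, *evaluate(detect(values, t), labels)) for t in thresholds]


# Constructed 1 s windows. A default 802.11 AP beacons every 102.4 ms, so a
# window normally holds 9-10 beacons; the dips to 6 and 7 model benign loss
# (contention, missed capture). The blocking jammer leaves nothing decodable.
BEACONS = ([10, 9, 10, 10, 6, 10, 9, 10, 10, 7, 10, 10]  # normal operation
           + [0] * 8                                     # blocking attack
           + [10, 9, 10, 10, 9, 10])                     # normal again
BEACON_LABELS = [False] * 12 + [True] * 8 + [False] * 6

# Constructed corrupted/correct ratios: low, one benign error burst (0.30),
# then a same-channel jammer raising the ratio for six windows.
RATIOS = ([0.03, 0.05, 0.02, 0.06, 0.30, 0.04, 0.03, 0.05]
          + [0.35, 0.40, 0.30, 0.45, 0.38, 0.42]
          + [0.04, 0.03, 0.05])
RATIO_LABELS = [False] * 8 + [True] * 6 + [False] * 3


if __name__ == "__main__":
    configs = [
        ("threshold / beacons", lambda v, t: simple_threshold(v, t, True), [5, 7, 8, 10], BEACONS, BEACON_LABELS),
        ("cusum / beacons", lambda v, t: cusum(v, 10, 1, t, True), [2, 4, 6, 8], BEACONS, BEACON_LABELS),
        ("threshold / ratio", lambda v, t: simple_threshold(v, t, False), [0.1, 0.2, 0.33], RATIOS, RATIO_LABELS),
        ("cusum / ratio", lambda v, t: cusum(v, 0.05, 0.05, t, False), [0.15, 0.3, 0.5], RATIOS, RATIO_LABELS),
    ]
    for name, det, ths, vals, labs in configs:
        for t, dp, far in sweep(det, ths, vals, labs):
            print(f"{name:20s} h={t:<5} DP={dp:.2f} FAR={far:.3f}")
```

On these constructed streams both detectors reach DP = 1, but the simple threshold flags the benign dips and the benign error burst as soon as its threshold is tightened, whereas the Cusum detector keeps FAR = 0 across a wide band of h because isolated deviations are absorbed by the drift term; that threshold-stability is what the robustness comparison in the paper measures. The price is latency: Cusum on the ratio metric needs two jammed windows before its first alarm.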
Based on these metrics we implemented anomaly-based intrusion detection algorithms running on a real resource-constrained prototype. This work presents in detail the functional blocks of the prototype and shows its operation in a real infrastructure-based IEEE 802.11 wireless network. We evaluate the performance of the algorithms in terms of the DP, the FAR, and their robustness to different detection thresholds. Our main contributions are listed below:
- we consider anomaly-based intrusion detection algorithms for the detection of different types of attacks,
- we develop a real lightweight prototype that executes the intrusion detection algorithms and evaluates them under realistic conditions,
- we show that even with limited hardware resources, the prototype achieves high detection rates and low FARs,
- we introduce the term robustness to describe the stability of an algorithm's performance under different detection threshold values.
The evaluation shows that all types of the attacks can be detected with a high DP and low FARs.
The remainder of this article is organised as follows. In Section 2, we describe the related work. In Section 3, we present the network layout for testing our prototype and the attack models used. The intrusion detection algorithms and their associated metrics are analysed in Section 4. The structure of the prototype and its functionalities are given in Section 5. In Section 6, we describe the evaluation methodology and then we present the performance results. Finally, conclusions appear in Section 7.
2 Related work
There are several significant contributions by the research community in the area of intrusion detection in communication networks. The work presented in [8] evaluates two types of algorithms for the detection of SYN flooding attacks. The evaluation shows that the simple algorithm performs satisfactorily against high-intensity attacks but deteriorates for low-intensity ones, whereas the Cusum algorithm performs robustly across attack intensities. This is consistent with the findings of this work; however, we perform measurements at the physical and medium access layers.
The authors of [9] describe and evaluate methods for anomaly detection and distributed intrusion detection in mobile ad hoc networks, focusing on two routing protocols. They use a two-layer hierarchical system in which anomaly indexes are combined using either an averaging or a median scheme, with the averaging scheme performing better.
Peng et al. [10] present an information sharing model for distributed intrusion detection. A Cusum algorithm is used to collect statistics at local systems, while a learning algorithm decides when information has to be shared among the nodes, in order to minimise detection delay and reduce the communication overhead. Data are fused using the sum rule.
In [11], the authors describe a distributed change-point detection scheme for the detection of DDoS attacks across multiple network domains. A Cusum algorithm executes at each router, raising alerts that are sent to a central server; the server then builds a subtree giving a spatiotemporal view of the attack. At a second hierarchy level, a global picture of the attack is created by merging all subtrees.
The contributions described so far focus on local, distributed or collaborative schemes for attack detection at higher network layers (e.g. IP, TCP), whereas this work focuses on detecting jammers at the physical and medium access layers.
A similar work studying jamming at the physical layer appears in [12], where the authors describe several types of jammers and propose two types of detection algorithms, considering metrics such as the packet delivery ratio, the bad packet ratio and the amount of energy consumed. The basic algorithm tries to detect jamming using multiple if-else statements on the aforementioned metrics, while the advanced algorithm uses a distributed scheme in which information is collected from neighbouring nodes. The evaluation shows high detection rates, but the trade-off between the FAR and the DP, and the robustness of the algorithms, are not presented.
In [13], techniques that detect anomalies at all layers of a wireless sensor network are proposed. The authors show how the DP increases as the number of nodes running the proposed procedure increases, but they do not show the trade-off with the FAR.
The authors of [14] show how errors at the physical layer propagate up the network stack and present a distributed anomaly detection system based on simple thresholds. A method for combining measurements using Pearson's product-moment correlation coefficient is also presented. A disadvantage of this method is that "raw" RSSI measurements from several sniffers are needed, which could generate a high volume of traffic from the sniffers to the main node where the algorithm executes. In contrast, our proposal is based on passive monitoring performed by a single node.
Several adversarial models are presented in [15], all focusing on RF jamming attacks. One of the proposed algorithms applies higher-order crossings, a spectral discrimination mechanism, to distinguish normal scenarios from two of the defined jammer types. The authors also introduce two threshold-based detection algorithms that use signal strength and location information as a consistency check to avoid false alarms.
The authors of [16] present a cross-layer approach to detecting jamming attacks. Jamming is performed at the physical layer using RF signals, and at the MAC layer by targeting the RTS/CTS and NAV mechanisms of the IEEE 802.11 protocol. Detection is split into two phases. In the first phase, simple threshold algorithms are applied to metrics such as the physical carrier sensing time, the number of RTS/CTS frames, the duration of channel idle periods and the average number of retransmissions. The second phase is triggered if these thresholds are violated.
The authors of [17] describe ARES, an anti-jamming reinforcement system for 802.11 networks which tunes the parameters of rate adaptation and power control to improve performance in the presence of jammers. However, ARES must be present in every wireless node in order to regulate rate and power, whereas our system is a prototype based on passive measurements that requires no modification of the wireless clients. Furthermore, they consider a jammer that creates interference from neighbouring channels, while our prototype can also detect jammers emitting energy on the same channel, as well as blocking attacks performed by powerful jammers that completely block communication within their transmission range.
Cardenas et al. [5] use the sequential probability ratio test; however, their work concerns the detection of MAC-layer misbehaviour rather than jamming attacks.
Wood et al. [18] propose DEEJAM, a MAC-layer protocol for defending against stealthy jammers using IEEE 802.15.4-based hardware. Nevertheless, as the authors note, DEEJAM cannot effectively defend the wireless network against a powerful and more sophisticated jammer.
The authors of [19] propose a lightweight intrusion detection system, but it targets sensor networks and their related attacks (e.g. the sinkhole attack), while our prototype is for infrastructure networks and different attack types.
Finally, in [20], the authors describe a lightweight intrusion detection system for wireless mesh networks. Nevertheless, they study attacks (port scanning, consumption attacks, spam, etc.) that, unlike those we study in this article, are not wireless-specific.