ABSTRACT
Wireless mesh networks (WMNs) are being used to provide Internet access in a cost-efficient manner. Typically, consumer-level wireless access points with modified software are used to route traffic to potentially multiple back-haul points. Malware-infected computers generate malicious traffic, which consumes valuable network resources and puts other systems at risk. Intrusion detection systems can be used to detect such activity. Cost constraints and the decentralised nature of WMNs make performing intrusion detection on the mesh devices themselves desirable. However, these devices are typically resource constrained. This paper describes the results of examining their ability to perform intrusion detection. Our experimental study shows that commonly-used deep packet inspection approaches are unreliable on such hardware. We implement a set of lightweight anomaly detection mechanisms as part of an intrusion detection system, called OpenLIDS. We show that even with the limited hardware resources of a mesh device, it can detect current malware behaviour in an efficient way.
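To make concrete the contrast the abstract draws between deep packet inspection and lightweight anomaly detection, the following Python example (added here; it is not OpenLIDS's code and does not reproduce the paper's own mechanisms) flags hosts whose outbound connection fan-out over a sliding window resembles mass-mailing or scanning behaviour. It works only on per-flow metadata of the kind a connection tracker already keeps, never on payload, which is what keeps it cheap on a resource-constrained node. The record format, the thresholds and the sample flows are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection record: the metadata a connection tracker keeps, no payload."""
    ts: float   # start time, seconds
    src: str    # client address inside the mesh
    dst: str    # remote address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


def parse_flow(line: str) -> Flow:
    """Parse one record in the (assumed, constructed) format 'ts src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(dport))


def distinct_dst_per_src(flows: Iterable[Flow], now: float, window: float,
                         proto: Optional[str] = None,
                         dport: Optional[int] = None) -> Dict[str, Set[str]]:
    """Distinct remote hosts each source contacted within the last `window` seconds,
    optionally restricted to one protocol/port. A set of addresses per source is
    far cheaper than payload inspection, which is the point on a mesh node."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.ts < now - window or f.ts > now:
            continue  # outside the sliding window
        if proto is not None and f.proto != proto:
            continue
        if dport is not None and f.dport != dport:
            continue
        seen[f.src].add(f.dst)
    return seen


def smtp_fanout_alerts(flows: Iterable[Flow], now: float,
                       window: float = 60.0, threshold: int = 10) -> List[str]:
    """Sources opening SMTP (tcp/25) sessions to many distinct mail servers within
    the window: the fan-out signature of a mass-mailing worm or spam bot.
    The threshold is an assumed value, not one taken from the paper."""
    seen = distinct_dst_per_src(flows, now, window, proto="tcp", dport=25)
    return sorted(src for src, dsts in seen.items() if len(dsts) >= threshold)


def scan_alerts(flows: Iterable[Flow], now: float,
                window: float = 60.0, threshold: int = 20) -> List[Tuple[str, int]]:
    """(source, port) pairs where one host contacted many distinct hosts on the same
    port: a horizontal scan, typical of a worm looking for new victims.
    The threshold is an assumed value."""
    per_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if now - window <= f.ts <= now:
            per_port[(f.src, f.dport)].add(f.dst)
    return sorted(key for key, dsts in per_port.items() if len(dsts) >= threshold)


def build_sample_flows() -> List[Flow]:
    """Constructed sample records using RFC 5737 documentation addresses; not captured data."""
    lines = ["10 10.0.0.5 198.51.100.200 tcp 25"]  # old record, outside a 60 s window at t=130
    for i, dst in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        lines.append(f"{100 + i} 10.0.0.5 {dst} tcp 80")                  # benign browsing
    for i in range(15):
        lines.append(f"{100 + 2 * i} 10.0.0.7 198.51.100.{i + 1} tcp 25")  # mass mailer
    for i in range(25):
        lines.append(f"{105 + i} 10.0.0.9 192.0.2.{i + 1} tcp 445")        # scanner
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    flows = build_sample_flows()
    print("SMTP fan-out alerts:", smtp_fanout_alerts(flows, now=130.0))
    print("scan alerts:", scan_alerts(flows, now=130.0))
```

The detector holds one small set per (source, port) and can drop records that age out of the window, so its memory is bounded by the number of active local hosts rather than by traffic volume; the thresholds and window length would need tuning against a network's normal fan-out before the alerts are trusted.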
OpenLIDS: a lightweight intrusion detection system for wireless mesh networks