research-article

OpenLIDS: a lightweight intrusion detection system for wireless mesh networks

Authors:
Fabian Hugelshofer

Lancaster University, Lancaster, United Kingdom

Lancaster University, Lancaster, United Kingdom
View Profile

,
Paul Smith

Lancaster University, Lancaster, United Kingdom

Lancaster University, Lancaster, United Kingdom
View Profile

,
David Hutchison

Lancaster University, Lancaster, United Kingdom

Lancaster University, Lancaster, United Kingdom
View Profile

,
Nicholas J.P. Race

Lancaster University, Lancaster, United Kingdom

Lancaster University, Lancaster, United Kingdom
View Profile

MobiCom '09: Proceedings of the 15th annual international conference on Mobile computing and networkingSeptember 2009Pages 309–320https://doi.org/10.1145/1614320.1614355

Published:20 September 2009Publication History

MobiCom '09: Proceedings of the 15th annual international conference on Mobile computing and networking

Pages 309–320

ABSTRACT

Wireless mesh networks are being used to provide Internet access in a cost efficient manner. Typically, consumer-level wireless access points with modified software are used to route traffic to potentially multiple back-haul points. Malware infected computers generate malicious traffic, which uses valuable network resources and puts other systems at risk. Intrusion detection systems can be used to detect such activity. Cost constraints and the decentralised nature of WMNs make performing intrusion detection on mesh devices desirable. However, these devices are typically resource constrained. This paper describes the results of examining their ability to perform intrusion detection. Our experimental study shows that commonly-used deep packet inspection approaches are unreliable on such hardware. We implement a set of lightweight anomaly detection mechanisms as part of an intrusion detection system, called OpenLIDS. We show that even with the limited hardware resources of a mesh device, it can detect current malware behaviour in an efficient way.

References

aMule. http://www.amule.org, August 2008.Google Scholar
P. Ayuso. Netfilter's connection tracking system. LOGIN;, The USENIX magazine, 32(3):34--39, 2006.Google Scholar
I. Charitakis, K. Anagnostakis, and E. Markatos. An Active Traffic Splitter Architecture for Intrusion Detection. In MASCOTS 2003. 11th IEEE/ACM International Symposium on Modeling, Analysis and Simulation of Computer Telecommunications Systems, pages 238--241, 2003.Google Scholar
T. Chen, G. Kuo, Z. Li, and G. Zhu. Intrusion Detection in Wireless Mesh Networks. Security in Wireless Mesh Networks, page 145, 2008.Google ScholarCross Ref
Conficker Worm. http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99, December 2008.Google Scholar
A. Decker, D. Sancho, L. Kharouni, M. Goncharov, and R. McArdle. Pushdo / Cutwail Botnet. http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf, July 2009.Google Scholar
L. Deri. Improving Passive Packet Capture: Beyond Device Polling. Proceedings of SANE, 2004, 2004.Google Scholar
H. Dreger, A. Feldmann, V. Paxson, and R. Sommer. Operational Experiences with High-Volume Network Intrusion Detection. Proceedings of the 11th ACM conference on Computer and communications security, pages 2--11, 2004. Google ScholarDigital Library
J. Ishmael, S. Bury, D. Pezaros, and N. Race. Deploying Rural Community Wireless Mesh Networks. IEEE Internet Computing, 12(4):22--29, 2008. Google ScholarDigital Library
O. Kachirski and R. Guha. Effective Intrusion Detection Using Multiple Sensors in Wireless Ad Hoc Networks. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences, 2003. Google ScholarDigital Library
C. Kruegel, F. Valeur, G. Vigna, and R. Kemmerer. Stateful Intrusion Detection for High-Speed Networks. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 285--293, 2002. Google ScholarDigital Library
W. Lee, J. Cabrera, A. Thomas, N. Balwalli, S. Saluja, and Y. Zhang. Performance Adaptation in Real-Time Intrusion Detection Systems. Lecture Notes in Computer Science, pages 252--273, 2002.Google Scholar
libpcap: Packet Capture Library. http://www.tcpdump.org, April 2008.Google Scholar
Madwifi. http://www.madwifi.org, May 2008.Google Scholar
S. McCanne and V. Jacobson. The BSD packet Filter: A new architecture for user-level packet capture. Proc. Winter'93 USENIX Conference, 1993. Google ScholarDigital Library
Y. Musashi, R. Matsuba, and K. Sugitani. Indirect Detection of Mass Mailing Worm-Infected PC terminals for Learners. Proc. ICETA2004, 2004.Google Scholar
Netfilter Project. http://www.netfilter.org, May 2008.Google Scholar
Open Wireless. http://www.openwireless.ch, April 2008.Google Scholar
OpenWRT. http://www.openwrt.org, April 2008.Google Scholar
V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23):2435--2463, 1999. Google ScholarDigital Library
V. Paxson. Bro Intrusion Detection System Hands-On Workshop: Bro Overwiew. Technical report, Lawrence Berkeley National Laboratory, 2007.Google Scholar
Procps - The /proc File system utilities. http://procps.sourceforge.net, May 2008.Google Scholar
A. Ramachandran and N. Feamster. Understanding the Network-Level Behavior of Spammers. In Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, volume 36, pages 291--302. ACM New York, NY, USA, 2006. Google ScholarDigital Library
M. Roesch. Snort-Lightweight Intrusion Detection for Networks. Proceedings of the 1999 USENIX LISA Systems Administration Conference, 1999. Google ScholarDigital Library
H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobso. RFC 3350: RTP: A Transport Protocol for Real-Time Applications, 2003.Google Scholar
Seattle Wireless. http://www.seattlewireless.net, April 2008.Google Scholar
S. Shalunov. Thrulay - Network capacity tester. http://shlang.com/thrulay/, August 2008.Google Scholar
S. Sinha, F. Jahanian, and J. Patel. Wind: Workload-aware intrusion detection. In Symposium on Recent Advances in Intrusion Detection (RAID'06), Hamburg, Germany, September 2006. Google ScholarDigital Library
Smurf Attack. http://www.cert.org/advisories/CA-1998-01.html, February 2007.Google Scholar
D. Sterne, P. Balasubramanyam, D. Carman, B. Wilson, R. Talpade, C. Ko, R. Balupari, C. Tseng, T. Bowen, M. Res, et al. A General Cooperative Intrusion Detection Architecture for MANETs. In Third IEEE International Workshop on Information Assurance, pages 57--70, 2005. Google ScholarDigital Library
J. Stewart. Storm Worm DDoS Attack. http://www.secureworks.com/research/threats/storm-worm, February 2007.Google Scholar
B. Stone-Gross, C. Wilson, K. Almeroth, E. Belding, H. Zheng, and K. Papagiannaki. Malware in IEEE 802.11 Wireless Networks. In Proceedings of the Passive and Active Measurement Conference (PAM), 2008. Google ScholarDigital Library
Tcpreplay: Pcap editing and replay tools for *NIX. http://tcpreplay.synfin.net, April 2008.Google Scholar
Transmission. http://www.transmissionbt.com, August 2008.Google Scholar
A. Wagner, T. Dübendorfer, R. Hiestand, C. Göldi, and B. Plattner. A Fast Worm Scan Detection Tool for VPN Congestion Avoidance. Lecture Notes in Computer Science, 4064:181, 2006. Google ScholarDigital Library
C. Wong, S. Bielski, J. McCune, and C. Wang. A Study of Mass-mailing Worms. Proceedings of the 2004 ACM workshop on Rapid malcode, pages 1--10, 2004. Google ScholarDigital Library
P. Wood. libpcap-mmap: Memory Mapped Packet Capture Library. http://public.lanl.gov/cpw/, April 2008.Google Scholar
Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov. Spamming Botnets: Signatures and Characteristics. 2008.Google Scholar
A. Yoshioka, S. Shaikot, and M. Kim. Rule Hashing for Efficient Packet Classiffication in Network Intrusion Detection. In Proceedings of 17th International Conference on Computer Communications and Networks. ICCCN 2008, pages 1--6, August 2008.Google Scholar
Y. Zhang and W. Lee. Intrusion Detection in Wireless Ad-Hoc Networks. Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking (MobiCom'2000), 2000.Google ScholarDigital Library

Index Terms

OpenLIDS: a lightweight intrusion detection system for wireless mesh networks
1. Networks
  1. Network types
    1. Mobile networks
    2. Wireless access networks

Recommendations

Detecting, validating and characterizing computer infections in the wild
IMC '11: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference

Although network intrusion detection systems (IDSs) have been studied for several years, their operators are still overwhelmed by a large number of false-positive alerts. In this work we study the following problem: from a large archive of intrusion ...
Read More
CloudRPS: a cloud analysis based enhanced ransomware prevention system

Recently, indiscriminate ransomware attacks targeting a wide range of victims for monetary gains have become a worldwide social issue. In the early years, ransomware has used e-mails as attack method. The most common spreading method was through spam ...
Read More
Detecting botnet by anomalous traffic

Botnets can cause significant security threat and huge loss to organizations, and are difficult to discover their existence. Therefore they have become one of the most severe threats on the Internet. The core component of botnets is their command and ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
MobiCom '09: Proceedings of the 15th annual international conference on Mobile computing and networking
September 2009
368 pages
ISBN:9781605587028
DOI:10.1145/1614320
General Chairs:
Kang G. Shin
University of Michigan, USA
,
Yongguang Zhang
Microsoft Research Asia, China
,
Program Chairs:
Rajive Bagrodia
University of California, Los Angeles, USA
,
Ramesh Govindan
University of Southern California, USA
Copyright © 2009 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 20 September 2009
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
intrusion detection
performance
resource constrained devices
wireless mesh network
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate440of2,972submissions,15%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 35
  Total Citations
  View Citations
- 933
  Total Downloads
- Downloads (Last 12 months)11
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

OpenLIDS: a lightweight intrusion detection system for wireless mesh networks

MobiCom '09: Proceedings of the 15th annual international conference on Mobile computing and networking

ABSTRACT

References

Cited By

Index Terms

Recommendations

Detecting, validating and characterizing computer infections in the wild

CloudRPS: a cloud analysis based enhanced ransomware prevention system

Detecting botnet by anomalous traffic