Thursday, February 2, 2017

Wireless Intrusion Detection Model

The figure below shows the model of how a WIDS detects a threat in a wireless network.
An attacker tries to attack a wireless user with a wireless attack tool (for example, aireplay-ng, used to break the connection between a wireless station and the WLAN), but an attack of this kind reveals certain symptoms on the network (for example, a large number of deauthentication packets from a certain wireless client). Based on these symptoms, the IDS categorizes the attack as a certain type of threat.

The main concepts presented in the figure below are:

  • Wireless Attack Tool – a program or device designed to investigate, distract from, disrupt or use a wireless service. Examples of wireless attack tools include the aircrack-ng suite, mdk3 and the wireless component of Metasploit. A single tool can produce more than one threat. For example, aircrack-ng contains many different components for discovering wireless networks, cracking encryption protocols and executing denial of service attacks.
  • Threat – the actual harm that a tool generates. A single threat can be generated by many different tools. For example, several implementations of the Chop-chop attack on the WEP key stream are available.
  • Threat Category – threats are categorized based on common attributes. This paper describes the categories used by the Extreme Networks Wireless WIDS implementation. Most threats belong to a single category, but some can belong to more than one.
  • Symptoms – every threat has at least one effect. Each effect can be considered a symptom that signals the potential presence of the threat. Some attacks have a single symptom (such as a drastic increase in the volume of a specific layer 2 message type) while others have many. Like medical symptoms, a single symptom can be an indicator of more than one type of problem, and some symptoms can occur naturally without the presence of a threat.
  • Detector – a mechanism for detecting a symptom. A wireless intrusion detection system will implement numerous detectors.



There are two main approaches to wireless intrusion detection:
  • Anomaly detection
  • Signature detection
Signature detection involves matching wireless traffic against a database of threat patterns or signatures. Anomaly detection systems monitor wireless traffic for unusual deviations from the local “normal” behavior.
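As an added example (not code from the post or from the Extreme Networks product), here is a signature-style detector for the symptom named above, a burst of deauthentication frames from one transmitter: it counts deauth frames per source MAC in a sliding time window and raises an alert, tagged with the threat category, when the count exceeds the signature's threshold. The frame records, MAC addresses, threshold and window length are constructed for the demonstration.

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 0x0C  # 802.11 management frame subtype: Deauthentication
BEACON_SUBTYPE = 0x08  # 802.11 management frame subtype: Beacon

class DeauthFloodDetector:
    """Detector for one symptom from the model above: a burst of deauthentication
    frames from a single transmitter. A per-source sliding window of deauth
    timestamps is kept; exceeding the signature threshold inside it raises an alert."""

    def __init__(self, threshold=10, window=1.0):
        self.threshold = threshold         # deauths per window that count as a flood
        self.window = window               # window length in seconds
        self._recent = defaultdict(deque)  # src MAC -> timestamps of recent deauths
        self._last_alert = {}              # src MAC -> time of last alert (rate limit)
        self.alerts = []

    def observe(self, ts, subtype, src):
        """Feed one management frame (timestamp, subtype, source MAC); return an alert or None."""
        if subtype != DEAUTH_SUBTYPE:
            return None
        recent = self._recent[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # drop frames outside the window
            recent.popleft()
        if len(recent) <= self.threshold:
            return None
        if src in self._last_alert and ts - self._last_alert[src] < self.window:
            return None  # one alert per source per window
        self._last_alert[src] = ts
        alert = {"symptom": "deauth flood", "category": "Denial of Service",
                 "src": src, "count": len(recent), "ts": ts}
        self.alerts.append(alert)
        return alert

def run_detector(frames, threshold=10, window=1.0):
    """Run the detector over time-ordered (ts, subtype, src) records; return the alerts."""
    det = DeauthFloodDetector(threshold, window)
    for ts, subtype, src in frames:
        det.observe(ts, subtype, src)
    return det.alerts

# Constructed sample frames (not a real capture): a legitimate station disconnecting
# twice over several seconds, then a hypothetical attacker MAC sending 30 deauths in 0.3 s.
LEGIT = "00:11:22:33:44:55"
ATTACKER = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = (
    [(0.0, BEACON_SUBTYPE, LEGIT), (5.0, DEAUTH_SUBTYPE, LEGIT), (12.0, DEAUTH_SUBTYPE, LEGIT)]
    + [(20.0 + i * 0.01, DEAUTH_SUBTYPE, ATTACKER) for i in range(30)]
)
```

Running `run_detector(SAMPLE_FRAMES)` yields a single alert for the attacker MAC and none for the legitimate station, whose two deauths fall well outside any one-second window; an anomaly-based variant would replace the fixed threshold with one learned from the local baseline rate.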

The table below shows the advantages and disadvantages of signature-based and anomaly-based IDS systems.

Neither approach alone is perfect. The Extreme Networks WIDS (Radar) is primarily a signature-based detection system. Future releases are likely to include aspects of anomaly detection to permit easier customization to the needs of specific deployments.

The ultimate goal of a WIPS is to achieve the security goals of Confidentiality, Integrity, and Availability.
