1 / 1

Adding WiFi sensors to the infrastructure

SN Bench Case Studies : Wireless Network Security & Floor-Plan Flow Analysis Michael Ocean, Azer Bestavros and Assaf Kfoury. The SN Bench is designed promote research; intrinsic (within the snBench) and extrinsic (running on the snBench).

fai
Télécharger la présentation

Adding WiFi sensors to the infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SNBench Case Studies : Wireless Network Security & Floor-Plan Flow Analysis Michael Ocean, Azer Bestavros and Assaf Kfoury The SNBench is designed promote research; intrinsic (within the snBench) and extrinsic (running on the snBench) 1. New sensing hardware, modalities (e.g., data types) or functional abilities require simple Java class (interface) implementation • A wireless network intrusion detection (WNID) system is a just a specialized instance of a Sensor Network, so we added WNID to the snBench. • snBench with WNID enables features beyond other WNID systems, specifically multi-modal detection and response (e.g., use both wifi sensors and video sensors). 2. We have used the snBench within a graduate Software Engineering Class for the last two years. • A group of graduate students have implemented motion detection and motion vector tracking functionalities to facilitate floor plan flow analysis. Image Processing on the SNBench Adding Network Intrusion Detection WNID in SNAFU • As part of a Software Engineering class, a group of Masters students in the Image and Video Computing group added new operations (STEP functions) to the SXE core library. • BlobDetect(snImage) • Find differences between the current image and the image that was run with previously and return the number of blobs detected in the image. • BlobDraw(snImage) • Find differences between the current image and the image that was run with previously and draw bounding boxes around the blobs detected in the image. • PeopleDetect(snImage, MotionVector) • Every blob moving in the same direction as the MotionVector increases value by 1 • Every blob moving against the MotionVector decreases value by 1 • MakeTable(snPair(timestamp,value)) • Create (or update) an image of a line graph to include a value with height “value” at time “timestamp” • Adding WiFi sensors to the infrastructure • Linksys Access Points run as “Kismet drones” passively monitoring all 802.11 and report wireless frames over Ethernet. • Added new GenericSensor instance to the SXE to provide KismetSensor as a “first class” sensor device. • Kismet server process interprets drone’s results and detects “ALERT” events via (published) UDP protocol, • DEAUTHFLOOD, DISASSOCTRAFFIC, etc. • Packet analysis can be run on the AP but performance (and extensibility) improves when processed elsewhere. • New functionalities added to read KismetSensor as a snStruct. • Other processors can be plugged in and customized to detect different attacks/events (flag “any traffic from sender X”, etc). • Experiment environment:CS Graduate Research Lab • Linksys Access Points imaged with OpenAP Linux and Kismet • Axis Pan-Tilt-Zoom on a dedicated gigabit network • Crossbow motes, servers, compute node, 750GB SQL server, etc. E-mail notification on detected intrusion letonce WIFIPKT = DetectWifiAlertEvent(Sensor) in leteach SRC = WIFIPKT.getfield(“MAC”) in level_trigger( not(isnil(WIFIPKT)) email(“mocean@cs.bu.edu”, concat($NOW$,“:Found banned MAC”, SRC,“ at”, WIFIPKT.getfield(“time”) )) Build a MAC blacklist on detected intrusion level_trigger( not(contains(SQL.get(“BLACKLIST”),SRC)), SQL.put(“BLACKLIST”,SRC) ) Take a picture when a wireless intruder is detected level_trigger( contains(SQL.get(“BLACKLIST”),SRC), SQL.put(“wifi_intrusion_$EVAL_COUNT$”, drawstring(concat(“MAC ”, SRC), snapshot( findadjacentsensor(“Image”, WIFIPKT.getfield(“SOURCE_AP”))))) Forcibly Disassociate a Blacklisted User Whenever Detected level_trigger( not(isnll(WIFIPKT)), SendDisassociate( WIFIPKT.getfield(“BASESTATION”),SRC)) Results & Future Work • Simulated attacks with open-source tools (AirJack, Netstumbler) were detected and responses processed on an average of 2.8 seconds in polling mode on un-optimized code (e.g., debug mode). • Quick optimizations reduced processing time to 550ms • Anything under 30 seconds is likely acceptable for intrusion response time – “I did it, now run!” ? • findadjacentsensor does not move the PTZ cameras • Use signal strength to improve captured image by moving the cameras to the best vantage point and take an image from all applicable sensors • Implement SendDisassociate() and DetectWifiCommEvent() take defensive action against an attacker. Results & Demo • STEP Graph:(image from STEP IDE)Results: (images from live run)

More Related