Detection and Elimination of Unauthorized Hosts
using MA based WIPS
Hitesh Thawani1, Vivek Waykule2, Geetsagar Pagare3, Saket Raut4, Shashi Athawale5
Computer Department,
AISSMS, College of Engineering,
Pune, Maharashtra, India
progrp@ymail.com1
Abstract— The incredible rise in the deployment of WLANs has been observed in commercial, military and various other domains in the past few years. But there are still many loopholes in present-day wireless network security of which adversaries can easily take advantage. Unauthorized hosts, which may be either intruders or Rogue Access Points, continue to be a major threat to this security. The common practice of intrusion is observed with the intent of accessing free Internet, while Rogue Access Points may exist with the intent of spoofing data from somebody's private network. The adversaries take advantage of common vulnerabilities which are found in almost every network. Taking into account the existing network security standards, this paper proposes an approach to detect such intrusions and eliminate them. The main premise of our approach is to distinguish between authorized users and adversaries by making use of Intelligent Mobile Agents (MA) together with traditional parameters like IP and MAC address, and then to eliminate these adversaries. We take into account various QoS parameters like network payload, time complexity and latency in order to make sure that the performance of the network is not compromised to a large extent.

Keywords— Intrusion, Intelligent Mobile Agents (MA), Rogue Access Point, Unauthorized Host, Wireless LAN (WLAN).

I. INTRODUCTION

We are living in an era of convergence. Convergence is the synergistic integration of various technologies of different domains and discrete Information Technology (IT) systems. Wireless Local Area Network (WLAN) is the most rapidly growing networking technology in this era due to its immense advantages [9]. Access to the WLAN is made using hotspots or Access Points. Low cost, high data rates, easy installation, mobility, productivity, flexibility, handiness, constant connections and easy extension are some of the plus points of WLAN technology. Transmission and reception of data is done through high-frequency radio waves over a range of a few hundred meters. The network looks pretty good with no wires and increased flexibility. A WLAN also has the capability to connect to wired local area networks (LAN) or other WLAN workstations. All these factors helped the booming of this technology. WLANs have been criticized a lot concerning their ability to provide security equivalent to wired LANs. Moreover, security in wireless networks has been considered sparse ever since its introduction. Wired Equivalent Privacy (WEP), the first security protocol, which was created by IEEE, proved to be inadequate [6, 7]. It has been proved from time to time that WEP has failed to meet security goals like data confidentiality, access control and data integrity up to the expected level [6, 7]. A new class of attacks is said to have emerged in the past few years. The abundance of wireless technologies has enabled attackers to enter networks. Using simple, free software, a new breed of adversaries is able to locate wireless networks, eavesdrop on ongoing communications, and reach resources in the network. With the proper antenna, the attack can come from far away. Thus detection and identification of the intruder presents unique challenges which render many conventional intrusion detection techniques ineffective. Data security is the biggest concern for network administrators while implementing a WLAN. In a WLAN it is impossible for the Access Point to detect the location of an intruder. Considering the college situation, the intruder could be in the lobby, in a classroom, in a laboratory, in the library, or in a car parked just outside the college gate. Data passing across an unreliable radio link could lead to spoofing. According to a study, rogue APs are present on about 40% of all enterprise networks. The key reason is that advancements in hardware and software have made AP installation, AP discovery and AP compromise an effortless task for intruders. It is easy to obtain an AP and plug it into a network without being discovered for some time. Moreover, Wi-Fi network cards have the capability to capture all 802.11 transmissions. This has led to an increase in the practice of driving around looking for vulnerable APs (war-driving). Intrusion Detection Systems (IDSs) are a key line of defence for protecting network resources from illegal penetrations [5]. The shortcomings in the current security standards have led to a new breed of security products known as Intrusion Prevention Systems (IPS). An Intrusion Prevention System is a network device or software that goes deeper than a firewall to identify and block network threats. So the main theme of our paper is to provide an efficient and reliable approach to detect and eliminate unauthorized communication links which compromise the security and confidentiality of wireless networks, and to tackle all the above problems.

II. BACKGROUND & RELATED WORK

A WIPS with an intelligent plan recognition and pre-decision engine that makes use of honeypots to detect and prevent potential intrusions has been put forth, but it failed to recognize unknown wireless attacks [1]. A system consisting of a detector that monitors wireless data in a timely manner, an intrusion detection system (IDS) that collects the data coming from the detector and determines the rogue device, and network management software that communicates with the wired network, determines the switch port to which the rogue device is attached and disconnects that port was proposed in [4]. A novel lightweight user-side evil twin attack detection technique using the TMM (Trained Mean Matching) and HDT (Hop Differentiating Technique) algorithms has been proposed [2]. A system that detects the illegal behaviour of corrupted machines based on policies indicating allowed communications was presented, but this system relied on a third party to check violations of policies and to notify the network administrator [3]. Research has indicated that even a 128-bit WEP key of a wireless transmission can be quickly cracked using the BackTrack or Aircrack-ng tools [1]. An attacker can even potentially recover the WPA/WPA2 key using the Cowpatty tool [1].
III. PROPOSED SYSTEM
To deal with different kinds of unauthorized hosts we make use of intelligent Mobile Agents (MA). Mobile agents [8] perform a task by migrating to and executing on several computers connected to the network.
A. Initial Setup of Network
In this scheme a Mobile Agent System (MAS) is deployed on every computer in the network. We make use of two MA programs which communicate with each other. The first program is deployed on the centralized host(s) (the host that is supposed to detect unauthorized hosts) and the second program is deployed on the other trusted computers in the network. The MA on each host in the network is given a set of Agent IDs (AIDs) which are in encrypted form. These AIDs are mapped to the MAC, SSID and IP of that particular computer. The information (MAC, SSID, IP and AIDs, in decrypted form) about each computer in the network is stored in the database file at the centralized system(s). Every time a new computer needs to be brought into the network it should be authorized first by installing MAS on it, deploying the second MA program on it and then updating the information of the corresponding computer in the database at the centralized system.
B. Basic Detection and prevention Methodology
Referring to Fig. 1, an MA from centralized system 2 will randomly select one of the active computers connected to Access Point (A) and visit it, while an MA from centralized system 1 will randomly select one of the active computers in the network and visit it. If the selected computer contains MAS then the MA gets executed on that system and returns to the centralized system. The selected computer gets authenticated if the information supplied by it matches the corresponding information present in the database at the centralized system. If the selected computer does not contain MAS then that computer is considered unauthorized and is not allowed to get authenticated. It is the responsibility of centralized system 2 to prevent any type of unauthorized host from connecting to Access Point (A). Similarly it is the responsibility of centralized system 1 to prevent any type of unauthorized host from connecting to the network. In general it is the responsibility of a centralized system to prevent any type of intrusion in the network to which it is directly connected.
Fig. 1 Working of our proposed system in real world scenario
C. Detection and prevention Methodology in Different Cases
Case 1: Suppose an intruder tries to connect his laptop directly to Access Point A. There is no MAS installed on his laptop.
Prevention Technique: The MA from centralized system 2 will migrate to the intruder's laptop. As there is no MAS on this laptop, the MA will not be able to execute itself. This will be noticed at centralized system 2 and the intruder's laptop is not allowed to get authenticated.
Case 2: In the figure above, Access Point (B) is brought up in the network by an intruder. Next he connects his laptop to this Access Point (i.e. Access Point B) and assigns it the MAC, SSID and IP of one of the trusted computers in the network in order to accomplish his goals. Assume that there is no MAS on his laptop.
Prevention Technique:
1) The MA from centralized system 1 will randomly select one of the active computers in the network and visit it.
2) Suppose the MA from centralized system 1 selects Trusted Host (A); it will visit it. This MA will get all the information needed for authentication from the MA program present on this host and return to centralized system 1, and as this information is correct, this host is authenticated.
3) The above step will be repeated for each trusted host.
4) When the MA reaches the intruder's laptop it will not be able to execute itself on that laptop. Hence the intrusion is confirmed and the Access Point at which this intrusion takes place is considered a Rogue Access Point.
5) Once the Rogue Access Point is confirmed it can be eliminated by making use of the switch.
6) An SNMP command is given to the switch to block the port to which the RAP is connected.
7) In this way a RAP can be eliminated.
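The initial setup of section III.A and the visit-and-verify round of section III.B, applied to the three cases of section III.C, as an added example that is not part of the paper: it builds the centralized database of authorized hosts (MAC, SSID and IP mapped to an Agent ID), simulates a mobile agent visiting each active host, and derives the verdict for the host and, for a rogue AP, the switch action. All hosts, addresses, AP names, switch ports and the deployment secret are constructed for the example. The paper only says AIDs are stored in encrypted form, so deriving the AID as an HMAC over (MAC, SSID, IP) under a deployment secret is an assumption; the SNMP SET against the standard IF-MIB ifAdminStatus object is built as a data structure and not sent.

```python
"""
Added example, not the paper's code: a small model of the MA-based WIPS of
sections III.A-III.C.  Hosts, APs, ports and the secret are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: the paper keeps AIDs "in encrypted form" without fixing a scheme.
# Here an AID is an HMAC-SHA256 of (MAC, SSID, IP) under a deployment secret, so
# a host that knows the tuple but not the secret cannot produce a valid AID.
DEPLOYMENT_SECRET = b"constructed-secret-for-example-only"

# IF-MIB ifAdminStatus column; a SET to 2 (down) disables the switch port.
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"
TRUSTED_APS = {"AP-A"}          # constructed: AP A from Fig. 1 is legitimate


def derive_aid(mac: str, ssid: str, ip: str, secret: bytes = DEPLOYMENT_SECRET) -> str:
    msg = f"{mac.lower()}|{ssid}|{ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


@dataclass
class Host:
    name: str          # label used only for reporting
    mac: str
    ssid: str
    ip: str
    ap: str            # access point the host is associated with
    ap_port: int       # switch port that AP is plugged into
    has_mas: bool = True        # Mobile Agent System installed?
    aid: Optional[str] = None   # AID the host's MA program hands to the visitor


class CentralizedSystem:
    """Trusted-host database plus the MA round of section III.B."""

    def __init__(self) -> None:
        self.db = {}   # (mac, ssid, ip) -> expected AID

    def register(self, host: Host) -> None:
        """Section III.A: authorize a host by recording its info and AID."""
        self.db[(host.mac.lower(), host.ssid, host.ip)] = derive_aid(
            host.mac, host.ssid, host.ip)

    def visit(self, host: Host) -> tuple:
        """One MA visit; returns (verdict, reason)."""
        if not host.has_mas:
            return "unauthorized", "MA could not execute: no MAS on host"
        expected = self.db.get((host.mac.lower(), host.ssid, host.ip))
        if expected is None:
            return "unauthorized", "host not present in database"
        if not hmac.compare_digest(expected, host.aid or ""):
            return "unauthorized", "supplied AID does not match database"
        return "authenticated", "supplied information matches database"

    def sweep(self, active_hosts: list) -> dict:
        """Visit every active host.  A host behind a trusted AP is only denied
        authentication (Case 1); an unauthorized host behind an unknown AP
        marks that AP rogue and yields one SNMP SET per rogue port (Cases 2, 3)."""
        verdicts, rogue_ports = {}, []
        for h in active_hosts:
            verdict, reason = self.visit(h)
            verdicts[h.name] = (verdict, reason)
            if (verdict == "unauthorized" and h.ap not in TRUSTED_APS
                    and h.ap_port not in rogue_ports):
                rogue_ports.append(h.ap_port)
        actions = [{"oid": f"{IF_ADMIN_STATUS}.{p}", "value": 2} for p in rogue_ports]
        return {"verdicts": verdicts, "actions": actions}


def run_example() -> dict:
    """Constructed scenario reproducing Cases 1-3 of section III.C."""
    central = CentralizedSystem()
    trusted_a = Host("trusted_a", "AA:BB:CC:00:00:01", "CampusNet", "10.0.0.11", "AP-A", 3)
    trusted_b = Host("trusted_b", "AA:BB:CC:00:00:02", "CampusNet", "10.0.0.12", "AP-A", 3)
    for h in (trusted_a, trusted_b):
        central.register(h)
        h.aid = derive_aid(h.mac, h.ssid, h.ip)   # the host's own MA program knows its AID
    # Case 1: laptop without MAS joins the legitimate AP A
    case1 = Host("case1_no_mas_on_ap_a", "DE:AD:BE:EF:00:01", "CampusNet", "10.0.0.99",
                 "AP-A", 3, has_mas=False)
    # Case 2: rogue AP B on switch port 7; laptop clones trusted_a's MAC/SSID/IP, no MAS
    case2 = Host("case2_clone_no_mas", trusted_a.mac, trusted_a.ssid, trusted_a.ip,
                 "AP-B", 7, has_mas=False)
    # Case 3: as Case 2 but with MAS and an MA program installed; the AID it supplies is wrong
    case3 = Host("case3_clone_bad_aid", trusted_a.mac, trusted_a.ssid, trusted_a.ip,
                 "AP-B", 7, aid="0" * 64)
    return central.sweep([trusted_a, trusted_b, case1, case2, case3])


if __name__ == "__main__":
    result = run_example()
    for name, (verdict, reason) in result["verdicts"].items():
        print(f"{name:24s} {verdict:14s} {reason}")
    print("SNMP block actions:", result["actions"])
```

The sweep separates hosts only by whether the MA can run on them and whether they present the AID recorded in the database, which is why the scheme depends on the AIDs staying secret (the paper keeps them encrypted on the hosts). Two cloned hosts behind the same rogue AP produce a single port action, matching the paper's one-SNMP-command-per-RAP elimination.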
Case 3: Let us make minor changes to the above case and assume that the intruder now installs the MAS on his laptop and again connects it to Access Point B. Assume that he also deploys the MA program which will provide information to the MA of centralized system 1.
Prevention Technique:
1) The MA from centralized system 1 will randomly select one of the active computers in the network and visit it.
2) Suppose the MA from centralized system 1 selects the intruder's laptop; it will visit it. This MA will get all the information needed for authentication from the MA program present on this host and return to centralized system 1, and as this information is incorrect, this computer is considered unauthorized and the Access Point to which it is connected is considered Rogue.
3) Once the Rogue Access Point is confirmed it can be eliminated by making use of the switch.
4) An SNMP command is given to the switch to block the port to which the RAP is connected.
5) In this way a RAP can be eliminated.
IV. ADVANTAGES OF USING MA BASED APPROACH
Most of the existing strategies make use of underlying network protocols to detect any untrusted host (conventional intruder or RAP). This in turn increases network traffic and hence decreases the performance of the network. To tackle the above drawbacks and increase the level of security we make use of Mobile Agents. Mobile Agents can take advantage of the natural parallelism of large networks to offer performance improvements over usual centralized security monitoring by distributing the workload over the network. MAs can be used in any type of network, i.e. wired, wireless or both. Moreover it is difficult for an intruder to disturb the working of a Mobile Agent based system. The feature of fault tolerance also gets added with the introduction of MAs, meaning that the network is no longer susceptible to a single point of failure.
V. CONCLUSIONS
In the beginning of this paper we first analysed the threats to wireless LANs, then gave an overview of existing intrusion prevention systems and RAP detection systems in WLANs. To detect and respond to these wireless attacks, we designed an intelligent MA based WIPS. This system is believed to be more reliable and efficient than most of the existing systems.
REFERENCES
[1] Zebing Wang, "Research of Wireless Intrusion Prevention Systems based on Plan Recognition and Honeypot," IEEE, 2009.
[2] Chao Yang, "Active User-Side Evil Twin Access Point Detection Using Statistical Techniques," IEEE Transactions on Information Forensics and Security, vol. 7, no. 5, October 2012.
[3] Kenichi Takahashi, "Intrusion Detection using Third-Parties Support," in 12th IEEE International Workshop on Future Trends of Distributed Computing Systems, 2008.
[4] R. E. Sorace, V. S. Reinhardt, and S. A. Vaughn, "The Intrusion Detection System design in WLAN based on rogue AP," IEEE Computer Engineering and Technology (ICCET), 2010 2nd International Conference, vol. 7, April 2010.
[5] Khalil El-Khatib, "Impact of Feature Reduction on the Efficiency of Wireless Intrusion Detection Systems," IEEE Transactions on Parallel and Distributed Systems, vol. 21, no. 8, August 2010.
[6] M. Ossmann, "WEP: Dead Again, Part 1," http://securityfocus.com/infocus/1814
[7] M. Ossmann, "WEP: Dead Again, Part 2," http://securityfocus.com/infocus/1824
[8] Danny B. Lange and Daniel T. Chang, "IBM Aglets Workbench White Paper," http://www.trl.ibm.co.jp/aglets/whitepaper.html
[9] Arun Koshal, "Mitigating Wireless Security Attacks," White Paper, Tech Mahindra IT Services & Telecom Solutions.