Adding WiFi sensors to the infrastructure - PowerPoint PPT Presentation

Provided by: csr2
SNBench Case Studies: Wireless Network Security and
Floor-Plan Flow Analysis
Michael Ocean, Azer Bestavros and Assaf Kfoury
The SNBench is designed to promote research,
intrinsic (within the snBench) and extrinsic
(running on the snBench)
  • 1. New sensing hardware, modalities (e.g., data
    types) or functional abilities require a simple
    Java class (interface) implementation.
      • A wireless network intrusion detection (WNID)
        system is just a specialized instance of a
        Sensor Network, so we added WNID to the snBench.
      • snBench with WNID enables features beyond other
        WNID systems, specifically multi-modal detection
        and response (e.g., use both WiFi sensors and
        video sensors).
  • 2. We have used the snBench within a graduate
    Software Engineering class for the last two
    years.
      • A group of graduate students has implemented
        motion detection and motion vector tracking
        functionalities to facilitate floor plan flow
        analysis.

Image Processing on the SNBench
Adding Network Intrusion Detection
WNID in SNAFU
  • As part of a Software Engineering class, a group
    of Masters students in the Image and Video
    Computing group added new operations (STEP
    functions) to the SXE core library.
  • BlobDetect(snImage)
      • Find differences between the current image and
        the image it was previously run with, and return
        the number of blobs detected in the image.
  • BlobDraw(snImage)
      • Find differences between the current image and
        the image it was previously run with, and draw
        bounding boxes around the blobs detected in the
        image.
  • PeopleDetect(snImage, MotionVector)
      • Every blob moving in the same direction as the
        MotionVector increases value by 1.
      • Every blob moving against the MotionVector
        decreases value by 1.
  • MakeTable(snPair(timestamp,value))
      • Create (or update) an image of a line graph to
        include a value with height value at time
        timestamp.
  • Adding WiFi sensors to the infrastructure
      • Linksys Access Points run as Kismet drones,
        passively monitoring all 802.11 and reporting
        wireless frames over Ethernet.
      • Added new GenericSensor instance to the SXE to
        provide KismetSensor as a first class sensor
        device.
      • Kismet server process interprets the drones'
        results and detects ALERT events (DEAUTHFLOOD,
        DISASSOCTRAFFIC, etc.) via a (published) UDP
        protocol.
      • Packet analysis can be run on the AP, but
        performance (and extensibility) improves when
        it is processed elsewhere.
      • New functionalities added to read KismetSensor as
        a snStruct.
      • Other processors can be plugged in and customized
        to detect different attacks/events (flag any
        traffic from sender X, etc.).
  • Experiment environment: CS Graduate Research Lab
      • Linksys Access Points imaged with OpenAP Linux
        and Kismet
      • Axis Pan-Tilt-Zoom on a dedicated gigabit network
      • Crossbow motes, servers, compute node, 750GB SQL
        server, etc.

E-mail notification on detected intrusion
    letonce WIFIPKT DetectWifiAlertEvent(Sensor) in
    leteach SRC WIFIPKT.getfield(MAC) in
    level_trigger(
      not(isnil(WIFIPKT)),
      email(mocean_at_cs.bu.edu,
            concat(NOW, Found banned MAC, SRC, at,
                   WIFIPKT.getfield(time))))

Build a MAC blacklist on detected intrusion
    level_trigger(
      not(contains(SQL.get(BLACKLIST), SRC)),
      SQL.put(BLACKLIST, SRC))

Take a picture when a wireless intruder is detected
    level_trigger(
      contains(SQL.get(BLACKLIST), SRC),
      SQL.put(wifi_intrusion_EVAL_COUNT,
              drawstring(concat(MAC, SRC),
                         snapshot(findadjacentsensor(Image,
                                    WIFIPKT.getfield(SOURCE_AP))))))

Forcibly Disassociate a Blacklisted User Whenever Detected
    level_trigger(
      not(isnil(WIFIPKT)),
      SendDisassociate(WIFIPKT.getfield(BASESTATION), SRC))
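
Added example (not code from the original poster or from the snBench project): a Python version of the kind of pluggable processor described above, raising a DEAUTHFLOOD alert from per-sender deauthentication counts and then applying the e-mail, blacklist and snapshot rules of the STEP programs. The threshold, window, camera map and frame records are constructed assumptions; the field names MAC, time and SOURCE_AP follow the page.

```python
from collections import defaultdict, deque

# Hypothetical AP -> nearest camera map, standing in for findadjacentsensor().
ADJACENT_CAMERA = {"ap-lab-1": "cam-lab-east", "ap-lab-2": "cam-lab-west"}

# Constructed frame summaries (times in ms), not real captures.
FRAMES = sorted(
    [{"time": 10000 + 100 * i, "MAC": "02:00:00:aa:bb:01",
      "SOURCE_AP": "ap-lab-1", "subtype": "deauth"} for i in range(6)]
    + [{"time": 10050, "MAC": "02:00:00:aa:bb:02", "SOURCE_AP": "ap-lab-2", "subtype": "data"},
       {"time": 12000, "MAC": "02:00:00:aa:bb:03", "SOURCE_AP": "ap-lab-2", "subtype": "deauth"},
       {"time": 40000, "MAC": "02:00:00:aa:bb:03", "SOURCE_AP": "ap-lab-2", "subtype": "deauth"}],
    key=lambda f: f["time"])


def detect_deauth_flood(frames, threshold=5, window_ms=1000):
    """Yield a DEAUTHFLOOD alert when one sender emits `threshold`
    deauthentication frames within `window_ms` (both values are assumptions)."""
    recent = defaultdict(deque)
    for f in frames:
        if f["subtype"] != "deauth":
            continue
        q = recent[f["MAC"]]
        q.append(f["time"])
        while f["time"] - q[0] > window_ms:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            yield {"alert": "DEAUTHFLOOD", "MAC": f["MAC"],
                   "time": f["time"], "SOURCE_AP": f["SOURCE_AP"]}
            q.clear()                          # re-arm so one burst raises one alert


def respond(alerts, blacklist=None):
    """Apply the three response rules; return (blacklist, planned actions)."""
    blacklist = set() if blacklist is None else blacklist
    actions = []
    for a in alerts:
        src = a["MAC"]
        actions.append(("email", f"{a['time']} Found banned MAC {src}"))
        if src not in blacklist:               # add each sender only once
            blacklist.add(src)
            actions.append(("blacklist", src))
        camera = ADJACENT_CAMERA.get(a["SOURCE_AP"])
        if src in blacklist and camera:        # photograph near the reporting AP
            actions.append(("snapshot", camera, src))
    return blacklist, actions
```

802.11 management frames sent without 802.11w protection are unauthenticated, so the MAC on a deauthentication frame can be forged; a blacklist keyed on it may list the victim rather than the attacker, which matters before wiring it to an automatic disassociation.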
Results and Future Work
  • Simulated attacks with open-source tools
    (AirJack, Netstumbler) were detected and
    responses processed in an average of 2.8 seconds
    in polling mode on un-optimized code (e.g., debug
    mode).
  • Quick optimizations reduced processing time to
    550ms.
  • Anything under 30 seconds is likely acceptable
    for intrusion response time ("I did it, now
    run!"?)
  • findadjacentsensor does not move the PTZ cameras.
  • Use signal strength to improve the captured image by
    moving the cameras to the best vantage point and
    taking an image from all applicable sensors.
  • Implement SendDisassociate() and
    DetectWifiCommEvent() to take defensive action
    against an attacker.

Results Demo
  • STEP Graph (image from STEP IDE)
  • Results (images from live run)