1.
SEINIT Security for Heterogenous Mobile Network Services John Ronan, Miguel Ponce de Leon, Jimmy McGibney TSSG, Waterford Institute of Technology Ireland

2.
Threats in Mobile/Wireless Networks <ul><li>Eavesdropping by a third party </li></ul><ul><ul><li>The medium is shared, public </li></ul></ul><ul><ul><li>Hard to precisely control transmission range </li></ul></ul><ul><ul><li>Often weak encryption </li></ul></ul><ul><ul><li>Sometimes no encryption </li></ul></ul><ul><li>Bogus user </li></ul><ul><ul><li>Masquerading as genuine customer to gain illegitimate access or perpetrate fraud (e.g. free calls on telecoms networks) </li></ul></ul><ul><ul><li>WiFi often has no authentication </li></ul></ul><ul><ul><li>Cloning of Subscriber Identity Module (SIM) </li></ul></ul><ul><ul><li>Stolen phones </li></ul></ul><ul><li>Bogus network </li></ul><ul><ul><li>Base station presenting itself as network to the user, for example to collect user data (not a major problem for GSM/UMTS at the moment) </li></ul></ul><ul><li>Denial of service </li></ul><ul><ul><li>e.g. by signal jamming </li></ul></ul>

3.
The Need for a smart access point <ul><li>WLAN: An open medium far more vulnerable than its “wired cousin” </li></ul><ul><li>It needs powerful security functions: </li></ul><ul><li>Authentication,Firewall, IDS, Honeypot, … </li></ul>

4.
What is an intrusion? <ul><li>“ Any attempt to compromise the confidentiality, integrity, or availability of a computer or network” </li></ul><ul><li>“ Any attempt to bypass the security mechanisms of a computer or network” </li></ul>

5.
Intrusion Detection Systems <ul><li>“ Burglar alarm” within the network (or host) </li></ul>Protected Network Firewall Internet IDS <ul><li>Network-based Intrusion Detection System </li></ul>

6.
Honeypots <ul><li>Definition: </li></ul><ul><ul><li>“ A resource whose value lies in being probed, attacked or compromised” </li></ul></ul><ul><ul><li>System or component with no real-world value, set up to lure attackers </li></ul></ul><ul><ul><li>By definition, all activity on a honeypot is highly suspect </li></ul></ul><ul><li>Advantages </li></ul><ul><ul><li>Collect small data sets of high value </li></ul></ul><ul><ul><li>Reduce false positives </li></ul></ul><ul><ul><li>Catch new attacks, false negatives </li></ul></ul><ul><ul><li>Work in encrypted or IPv6 environments </li></ul></ul><ul><ul><li>Simple concept requiring minimal resources </li></ul></ul><ul><li>Disadvantages </li></ul><ul><ul><li>Limited field of view </li></ul></ul><ul><ul><li>Fingerprinting allows attackers to spot honeypots </li></ul></ul><ul><ul><li>May introduce risk </li></ul></ul>

7.
Outline <ul><li>Major ideas </li></ul><ul><ul><li>The need for a smart access point </li></ul></ul><ul><ul><li>Combining IDS and Honeypot </li></ul></ul><ul><ul><li>Collaboration and “Reputation” </li></ul></ul><ul><li>Architecture </li></ul><ul><ul><li>Generic architecture </li></ul></ul><ul><ul><li>5 main components </li></ul></ul><ul><ul><ul><li>Sensor, Alert analysis, Action engine, Data control, Collaboration </li></ul></ul></ul><ul><ul><li>IDMEF </li></ul></ul><ul><li>Implementation </li></ul><ul><ul><li>Prototype architecture </li></ul></ul><ul><ul><li>Hardware </li></ul></ul><ul><ul><li>CqureAP </li></ul></ul><ul><ul><li>Prelude-IDS </li></ul></ul><ul><ul><li>Snort </li></ul></ul><ul><ul><li>Honeyd </li></ul></ul>

8.
Combining IDS and Honeypots <ul><li>Common components </li></ul><ul><ul><li>Data collection </li></ul></ul><ul><ul><li>Analysis and decision algorithm </li></ul></ul><ul><ul><li>Action module </li></ul></ul><ul><li>Main differences </li></ul><ul><ul><li>Honeypot must be used to be effective </li></ul></ul><ul><ul><li>IDS operate continuously on the data flow </li></ul></ul><ul><li>Both are necessary: </li></ul><ul><ul><li>IDS can provide information even if the honeypot is not the target of attacks . </li></ul></ul><ul><ul><li>When used the honeypot provides more accurate and valuable information . </li></ul></ul>

9.
Major O utcomes /Results <ul><li>A network of collaborative access points </li></ul><ul><li>Exchange security information through a common vehicle </li></ul><ul><li>Compute a “level of trust” for each host </li></ul><ul><li>5 Main components </li></ul><ul><ul><li>Sensors </li></ul></ul><ul><ul><li>Alert Analysis </li></ul></ul><ul><ul><li>Action engine </li></ul></ul><ul><ul><li>Collaboration </li></ul></ul><ul><ul><li>Data control </li></ul></ul>

10.
Implementation - Use available components <ul><li>CqureAP </li></ul><ul><ul><li>Linux based a 802.11 wireless AP </li></ul></ul><ul><li>Prelude-IDS </li></ul><ul><ul><li>Our core framework: an hybrid IDS </li></ul></ul><ul><li>Snort </li></ul><ul><ul><li>Used as a nids and a wireless sensor </li></ul></ul><ul><li>Honeyd </li></ul><ul><ul><li>Used to provide various honeypot services </li></ul></ul>

11.
Implementation - Prelude IDS <ul><li>An hybrid, modular intrusion detection system, under GPL </li></ul><ul><li>Reason for choice: </li></ul><ul><ul><li>Hybrid IDS, means multilayered intrusion detection </li></ul></ul><ul><ul><li>Modularity: convenient plugin framework to add and remove module </li></ul></ul><ul><ul><li>Extensibility: easy integration of existing or new application in the framework thanks to the libprelude library </li></ul></ul><ul><ul><li>IDMEF compliant </li></ul></ul><ul><li>Main components : </li></ul><ul><ul><li>Libprelude, prelude-manager, sensors </li></ul></ul>

12.
Conclusion and outlook <ul><li>Ideal is a system that: </li></ul><ul><li>Does not entirely rely on predetermined definitions such as signatures (so it can catch new attacks) </li></ul><ul><li>Can keep running in the event of an attack </li></ul><ul><li>Can learn to adapt to changing attack scenarios </li></ul><ul><li>Generates few false alerts </li></ul>