OpenLIDS: a lightweight intrusion detection system for wireless mesh networks

Wireless mesh networks (WMNs) are being used to provide Internet access in a cost-efficient manner. Typically, consumer-level wireless access points running modified software are used to route traffic to potentially multiple back-haul points. Malware-infected computers generate malicious traffic, which consumes valuable network resources and puts other systems at risk. Intrusion detection systems can be used to detect such activity. Cost constraints and the decentralised nature of WMNs make performing intrusion detection on the mesh devices themselves desirable. However, these devices are typically resource constrained. This paper describes the results of examining their ability to perform intrusion detection. Our experimental study shows that commonly used deep packet inspection approaches are unreliable on such hardware. We implement a set of lightweight anomaly detection mechanisms as part of an intrusion detection system called OpenLIDS. We show that, even with the limited hardware resources of a mesh device, OpenLIDS can detect current malware behaviour in an efficient way.
