07-01-2013, 04:11 PM
A Mechanism for Detecting Session Hijacks in
Wireless Networks
A Mechanism for Detecting Session.pdf (Size: 409.09 KB / Downloads: 28)
Abstract—
This paper proposes a mechanism for detecting
session hijacking attacks in wireless networks. The proposed
scheme is based on using a wavelet based analysis of the received
signal strength. We first develop a model to describe the changes
in the received signal strength of a wireless station during a
session hijack, while the received signal is embedded in colored
noise caused by fading wireless channels. An optimal filter is
then designed for the purpose of detection. We show that using
a Wavelet Transform (WT), the colored noise with complex
Power Spectral Density (PSD) in our case can be approximately
whitened. Since a larger Signal to Noise Ratio (SNR) increases
the detection rate and decreases the false alarm rate, the SNR is
maximized by analyzing the signal at specific frequency ranges.
The detection mechanism is validated using both simulation
and experimental results. The detector is shown to be reliable,
computationally inexpensive and have minimal impact on the
network performance.
INTRODUCTION
AMONG the variety of threats and risks that wireless
LANs are facing, session hijacking attacks are common
and serious ones. When a session hijacking attack occurs, an
attacker forces a normal user to terminate its connection to
an access point (AP) by first masquerading the AP’s MAC
address. The attacker then associates with the AP by masquerading
the user’s MAC address and takes over its session.
Current techniques for detecting session hijacking attacks
are mainly based on spoofable and predictable parameters
such as sequence numbers, which can be guessed by the
attackers. To enhance the reliability of intrusion detection
systems, mechanisms that utilize the unspoofable PHY layer
characteristics are needed.
The authors of [1] propose a session hijacking attack
detection mechanism by periodically monitoring the received
signal strength values for a particular MAC address at a
monitor. The idea is that if an attacker B spoofs the MAC
address of a normal user A and takes its session, the monitor
will observe a sudden change in the signal strength profile of
A’s MAC address and raise an alarm. In [1],
RELATED WORK
Most work in WLAN intrusion detection concentrates on
overall Wireless Intrusion Detection System (WIDS) architectures.
Authors in [2] and [3] employ a distributed architecture
where every node uses a WIDS agent and communicates with
each other to act collectively when an intrusion is suspected.
Such methods require modification to the client stations and
inject traffic to the network. For detecting session hijacking
attacks, most existing approaches are based on the monitoring
of MAC frame sequence numbers [2], [4], where any dramatic
change in sequence numbers indicates an intrusion. However,
The sequence numbers are predictable and can be easily
eavesdropped. Our work aims to develop a more robust session
hijacking detection mechanism while minimizing the client
cost and the network cost.
COMPARISON WITH OTHER METHODS
In literature, there exist many algorithms for the purpose of
abrupt change detection such as autoregressive (AR) models,
AR moving average (ARMA) models, generalized likelihood
ratio (GLR), cumulative sum (CUSUM) etc. The prototype of
these detection schemes is the following: given a time series
of the signal , . . . , , decide which of the two hypotheses
ℋ0 and ℋ1 defined below is true: