25-08-2017, 09:32 PM
[b]MULTIVECTOR PORTABLE INTRUSION DETECTION SYSTEM[/b]
Attachment: 1MULTIVECTOR PORTABLE.pdf (6.85 MB)
ABSTRACT
This research describes an intrusion detection system designed to fulfill the need for increased mobile device security. The Battery‐Sensing Intrusion Protection System (B‐SIPS) [1] initially took a non‐conventional approach to intrusion detection by recognizing attacks based on anomalous Instantaneous Current (IC) drainage. An extension of B‐SIPS, the Multi‐Vector Portable Intrusion Detection System (MVP‐IDS) validates the idea of recognizing attacks based on anomalous IC drain by correlating the detected anomalies with wireless attack traffic from both the Wi‐Fi and Bluetooth mediums. To effectively monitor the Wi‐Fi and Bluetooth mediums for malicious packet streams, a Snort‐based Wi‐Fi module and the Bluetooth Attack Detection and Signature System (BADSS) module were introduced.
MVP‐IDS illustrates that IC anomalies, representing attacks, can be correlated with wireless attack traffic through a collaborative and multi‐module approach. Furthermore, MVP‐IDS not only correlates wireless attacks, but mitigates them and defends its clients using an administrative response mechanism.
This research also provides insight into the ramifications of battery exhaustion Denial of Service (DoS) attacks on battery‐powered mobile devices. Several IEEE 802.11 Wi‐Fi, IEEE 802.15.1 Bluetooth, and blended attacks are studied to understand their effects on device battery lifetimes. In the worst case, DoS attacks against mobile devices were found to accelerate battery depletion by as much as 18.5%. However, if the MVP‐IDS version of the B‐SIPS client was allowed to run in the background during a BlueSYN flood attack, it could mitigate the attack and preserve as much as 16% of a mobile device’s battery lifetime as compared with an unprotected device.
Introduction
Personal Digital Assistants (PDAs) and smart phones, also known as Portable Information Devices (PIDs), are less computationally powerful than desktop and laptop Personal Computers (PCs), but possess many of the same features and allow for much of the same functionality. Two defining features included in PIDs are the IEEE 802.11 (Wi‐Fi) and IEEE 802.15.1 (Bluetooth) capabilities. Though they are similar, many basic security measures common in PCs are not present in PIDs, primarily because of limited power and computation cycle resources. This research shows that the addition of an Intrusion Detection System (IDS) on PIDs can greatly enhance their security.
This research addresses mobile device security and extends the original Battery‐Sensing Intrusion Protection System (B‐SIPS) [1] design by introducing the Multi‐Vector Portable Intrusion Detection System (MVP‐IDS). MVP‐IDS validates reported anomalous battery depletion from B‐SIPS clients against real‐time Wi‐Fi and Bluetooth traffic using attack signature detection modules. To correlate instantaneous current (IC) anomalies with Wi‐Fi and Bluetooth attack traffic, MVP‐IDS integrates B‐SIPS anomaly detection with the signature‐based matching of Snort [2] and of a newly developed research system, the Bluetooth Attack Detection and Signature System (BADSS).
Section 1.1 provides motivation to protect PIDs in the medical, business, military, and government sectors. Section 1.2 follows, giving a brief overview of the B‐SIPS methodology and conceptual goals. Section 1.3 presents a brief overview of the MVP‐IDS methodology. Section 1.4 lays out the improvements and extensions to the B‐SIPS that MVP‐IDS achieves. Section 1.5 summarizes the thesis organization.
Motivation
While not all of the devices used in this motivation are PIDs, the purpose is to show that protecting mobile wireless communication devices should be an essential design constraint. In the medical industry, new devices are allowing patients enhanced health care through the utilization of implantable devices. These devices can monitor the physiological conditions within the body and relay information to remote monitoring locations for data analysis and device recalibration [3]. Some of these implantable devices include cardiac pacemakers, defibrillators, drug delivery systems, hearing‐aids, epileptic brain monitors, and neurostimulators [3] [4]. Another application of wireless communication in the medical field is the use of Bluetooth‐enabled computer chips embedded into prosthetic limbs to control joint movement [5]. While the development of medical devices to increase patient health is a great application of technology, the security of the technology must also be of paramount concern.
B‐SIPS Overview
This thesis extends and validates the previous B‐SIPS research endeavor [1], which attempted to bring intrusion and attack detection to PIDs. Conventional IDS software, such as Snort and Norton Internet Security, would consume valuable battery and processing resources that PIDs simply do not have to spare. B‐SIPS presented a viable, net‐centric solution for securing mobile devices in malicious Wi‐Fi and Bluetooth environments while also preserving battery life. The original B‐SIPS design consisted of two core components, the B‐SIPS client and the Correlation Intrusion Detection Engine (CIDE) server. The B‐SIPS client is a host‐based application that uses a Dynamic Threshold Calculation (DTC) algorithm to continually monitor device operating characteristics for anomalous IC changes [1]. Malicious wireless communications, via Wi‐Fi or Bluetooth, produce anomalous IC expenditures, which is what allows the client to detect attacks. Once a possible attack is detected, the client sends battery information to the CIDE server for further analysis and data mining. The CIDE server provides many forensic analysis tools for security administrators (SAs) to visualize information and determine whether the anomalous IC drain was in fact an attack, or a false alarm caused by a legitimate process that happened to draw an unusually large amount of current. This is a simplified discussion of the B‐SIPS system; its details and inner workings are elaborated in Chapter 2.
CIDE Server
The CIDE server functions as the supervisor for the system, performing attack correlation and developing grounds for administrative action. The correlation and administrative analysis is done external to the PID by design due to limited memory, battery power, and processing constraints of PIDs. The CIDE server communicates with the Snort and BADSS modules to correlate which attack vector(s) triggered a DTC breach by a B‐SIPS client.
Once the CIDE server has information regarding the correlation of an IC anomaly with an associated attack signature, it then sends administrative responses back to the attacked PID. Administrative responses not only tell the PID user that they are being attacked, but also supply details about the attack and administrative actions being taken.
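The client-side threshold check described in the B‐SIPS overview and the server-side correlation and response described here fit together as one small pipeline. The following is an added illustration of that flow and is not code from the thesis: the actual DTC rule is not described on this page, so the threshold (mean of a sliding window of non-anomalous readings plus the larger of k standard deviations or a fixed floor in mA) is an assumption, as are the breach and alert record layouts, the five-second correlation window, the mediums and signature labels, and all sample data, which is constructed.

```python
"""Added illustration (not the thesis's own code) of the MVP-IDS pipeline:
a B-SIPS-style client that flags instantaneous current (IC) samples that
breach a dynamically computed threshold, and a CIDE-style server that
correlates each breach with recent Wi-Fi/Bluetooth signature alerts and
issues an administrative response. Threshold rule, record layouts, the
correlation window and all sample data are assumptions for this example."""
from collections import deque
from statistics import mean, pstdev


class DynamicThreshold:
    """Stand-in for the DTC algorithm: the breach threshold is recomputed from
    a sliding window of recent non-anomalous IC readings (mA). The real DTC is
    not described on this page; mean + max(k*stddev, floor) is an assumption."""

    def __init__(self, window=8, k=3.0, floor_ma=20.0):
        self.history = deque(maxlen=window)
        self.k = k
        self.floor_ma = floor_ma      # never accept a margin thinner than this

    def threshold(self):
        if len(self.history) < 3:     # still learning the device's baseline
            return None
        return mean(self.history) + max(self.k * pstdev(self.history), self.floor_ma)

    def observe(self, ts, ic_ma):
        """Return a breach record or None. Breaching samples are deliberately
        not added to the history, so a slow flood cannot train the threshold up."""
        thr = self.threshold()
        if thr is not None and ic_ma > thr:
            return {"ts": ts, "ic_ma": ic_ma, "threshold": thr}
        self.history.append(ic_ma)
        return None


def client_breaches(samples):
    """B-SIPS client loop over (ts, mA) samples; returns what it would report to CIDE."""
    dtc = DynamicThreshold()
    return [b for b in (dtc.observe(ts, ma) for ts, ma in samples) if b]


def correlate(breach, alerts, window_s=5.0):
    """CIDE-style correlation: match a breach to signature alerts (Snort for
    Wi-Fi, BADSS for Bluetooth) raised within window_s seconds before it."""
    hits = [a for a in alerts if 0.0 <= breach["ts"] - a["ts"] <= window_s]
    vectors = sorted({a["medium"] for a in hits})
    if not vectors:
        verdict = "unconfirmed"       # anomaly without attack traffic: probably a busy benign process
    elif len(vectors) == 1:
        verdict = vectors[0]
    else:
        verdict = "blended"
    return {"verdict": verdict, "signatures": sorted({a["sig"] for a in hits})}


def admin_response(breach, corr):
    """The administrative response CIDE sends back to the attacked PID."""
    if corr["verdict"] == "unconfirmed":
        return {"action": "log",
                "detail": f"IC {breach['ic_ma']} mA exceeded {breach['threshold']:.1f} mA; "
                          "no matching wireless attack traffic"}
    return {"action": "block",
            "detail": f"{corr['verdict']} attack: {', '.join(corr['signatures'])}"}


# Constructed data: ten quiet seconds around 120 mA, then a flood drives IC to ~200 mA.
IC_TRACE = [(1, 118), (2, 121), (3, 117), (4, 123), (5, 119), (6, 120), (7, 122),
            (8, 118), (9, 121), (10, 119), (11, 195), (12, 200), (13, 198)]

# Constructed alerts: one stale Wi-Fi alert and two Bluetooth alerts just before the breach.
ALERTS = [
    {"ts": 2.0, "medium": "Wi-Fi", "sig": "Snort: ICMP flood (constructed)"},
    {"ts": 9.5, "medium": "Bluetooth", "sig": "BADSS: BlueSYN flood (constructed)"},
    {"ts": 10.2, "medium": "Bluetooth", "sig": "BADSS: BlueSYN flood (constructed)"},
]


def run_demo(trace=IC_TRACE, alerts=ALERTS):
    """Run the client over the trace, then correlate and respond to each breach."""
    results = []
    for b in client_breaches(trace):
        corr = correlate(b, alerts)
        results.append((b, corr, admin_response(b, corr)))
    return results


if __name__ == "__main__":
    for b, corr, resp in run_demo():
        print(f"t={b['ts']:>2}s IC={b['ic_ma']} mA thr={b['threshold']:.1f} -> {corr['verdict']}: {resp}")
```

On the constructed trace the first ten samples train the window and never breach; the three flood samples each exceed the threshold (about 140 mA), the stale Wi‐Fi alert at t=2 s falls outside the correlation window and is ignored, and the two BADSS alerts confirm a Bluetooth vector, so the response is a block rather than a log entry. A breach with no alert in its window is reported as unconfirmed, which is the false-alarm case the CIDE forensic tools are meant to surface to the SA.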
Background
One must fully grasp the underlying protocols and ideas used in MVP‐IDS’ design to allow for a more complete understanding of its details and intricacies. This chapter introduces the background material used in this research effort toward improved PID security. Section 2.1 presents defining characteristics of PDAs and smart phones. Section 2.2 introduces the ideas of confidentiality, authentication, message integrity, and non‐repudiation, and describes why all of them are needed to secure data communications. Section 2.3 gives a brief introduction to the TCP/IP suite and its use in a Wi‐Fi environment. Section 2.4 delves into the Bluetooth protocol and its features. Section 2.5 explores the idea of intrusion detection and the variety of ways it can be implemented.
Conclusions
MVP‐IDS creates a viable solution to improve the security of PIDs. Mobile devices must function under stringent hardware constraints, which often leaves securing them as an afterthought in the design process. To mitigate this design weakness and greatly enhance the security of PIDs, MVP‐IDS was created. Using a hybrid approach to intrusion detection, our work confirms that PIDs can be secured in malicious environments by integrating IC anomaly triggers with attack signature correlation for Wi‐Fi and Bluetooth traffic. Section 6.1 presents a summary of the research conducted throughout the design and testing of MVP‐IDS. Section 6.2 recommends future work and ideas to further improve this research and the field of PID security. Section 6.3 provides some concluding thoughts and reflects upon this research effort.