Extending orchids for intrusion detection in 802.11 wireless networks

Abstract

In recent years, wireless equipment and services have become close to ubiquitous. Unfortunately, these services are more often than not ill configured security-wise, with minimal protection against potentially damaging attacks. To alleviate this problem, intrusion detection techniques may be used to help identify suspicious behaviour and counter intrusion attempts. In this paper, we describe an extension to the Orchids intrusion detection tool, aimed at detecting intrusions in wireless networks. First, an event analysis module specialized for 802.1 wireless network events has been developed and integrated into Orchids. Next, a number of known attacks (e.g., deauthentication flooding, rogue access points and ChopChop) were modelized and described using declarative signatures. Then, within a simplified but realistic environment, the attacks were reenacted and successfully detected. To our knowledge, our team is the first to detect the ChopChop attack.