OpenLIDS

Fabian Hugelshofer, Paul Smith, David Hutchison and Nicholas J.P. Race. OpenLIDS: A Lightweight Intrusion Detection System for Wireless Mesh Networks. Proceedings of the 15th Annual International Conference on Mobile Computing and Networking (MobiCom'2009). 2009.

Wireless mesh networks (WMNs) are being used to provide Internet access in a cost-efficient manner. Typically, consumer-level wireless access points with modified software are used to route traffic to potentially multiple back-haul points. Malware-infected computers generate malicious traffic, which consumes valuable network resources and puts other systems at risk. Intrusion detection systems can be used to detect such activity. Cost constraints and the decentralised nature of WMNs make performing intrusion detection on the mesh devices themselves desirable. However, these devices are typically resource constrained.
This paper describes the results of examining their ability to perform intrusion detection. Our experimental study shows that commonly-used deep packet inspection approaches are unreliable on such hardware. We implement a set of lightweight anomaly detection mechanisms as part of an intrusion detection system, called OpenLIDS. We show that even with the limited hardware resources of a mesh device, it can detect current malware behaviour in an efficient way.

© ACM (2009). This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM MobiCom 2009.
Paper

OpenLIDS source code

Network Traces

Wray Traces

We have access to a WMN that provides Internet connectivity to members of a rural village called Wray. The network consists of twelve mesh boxes that serve up to 50 users at a time. Internet connectivity is provided at a single point in the village. The mesh devices in this network use different logical network interfaces for intra-mesh communication and client access.
To have a set of real-world network traces for our experiments, traffic in the Wray network was captured for 18 days in Spring 2008. On every mesh box the first 54 bytes of every IP packet entering or leaving a client network interface were captured (enough for the Ethernet, IPv4 and TCP headers when neither carries options, so no payload is included). To represent traffic at a single point, we merged all the network traces that we collected. We then split the merged traces into hour-long segments and removed all broadcast messages, leaving only routable traffic. During the busiest hour, a maximum of 43 hosts was seen and the average data rate observed was 1.32 Mbps. The traces shown here were anonymised with tcpmkpub for privacy reasons and are not the ones actually used in the paper.
Tcpmkpub is described in "The devil and packet trace anonymization" (Pang, R., Allman, M., Paxson, V. and Lee, J. ACM SIGCOMM Computer Communication Review, 2006). All internal addresses were mapped to 101.209.0.0/16. Otherwise the default policy was used, which:

The traces from the 30 hours with the highest amount of traffic are available for download. The file name contains the month, the day and the hour (UTC) at which the trace begins. The local time zone was BST (UTC+1). A trace with tag "042317" was therefore recorded on 23 April 2008 from 6pm to 7pm local time.

Wray Traces

Conficker Traces

We analysed the detection capabilities of OpenLIDS with the Conficker (a.k.a. Downadup) worm. Conficker is a recent network-propagating worm, which has spread widely. It exploits a vulnerability in the Windows RPC service, performs password attacks against network shares, and infects removable media. To exploit the RPC vulnerability, it scans random IP addresses on TCP port 445, which makes it detectable by OpenLIDS. The variant we used is detected by Symantec Norton AntiVirus as Downadup.B and was first discovered on 30 December 2008.
To obtain a trace file containing the malicious traffic generated by Conficker, we infected a virtual machine with the worm. The virtual machine was connected to an isolated wired network, and all traffic except outgoing HTTP and DNS connections was blocked. In what we suspect is a way of evading detection, Conficker adapts its scanning rate based upon an estimate of the available bandwidth. To simulate networks with different bandwidth capabilities, we throttled the available bandwidth on the network uplink router to 96 Kbps or 496 Kbps, or left it unlimited at 100 Mbps. For each bandwidth setting, the full traffic was recorded. The traces shown here were not anonymised; they are the ones actually used for the paper.
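The following is an added example, not OpenLIDS code, that ties together the two things this page describes: the header-only capture format of the Wray traces (the first 54 bytes of each packet, i.e. Ethernet, IPv4 and TCP headers) and the kind of lightweight, payload-free detection that catches Conficker's random-address scanning of TCP port 445. It parses raw 54-byte headers, counts the distinct destinations each source sends pure SYNs to on a watched port inside a sliding window, and raises an alert when a threshold is exceeded. The threshold, window, packet builder and sample traffic (addresses from the page's 101.209.0.0/16 anonymisation range, targets in 10.0.0.0/8) are constructed for illustration and are not OpenLIDS's own parameters or data.

```python
"""Scan detector over 54-byte Ethernet/IPv4/TCP header snapshots.

Added example, not OpenLIDS code. Assumes the capture format described on
this page: 14-byte Ethernet header + 20-byte IPv4 header + 20-byte TCP
header = 54 bytes. Thresholds and sample traffic are constructed.
"""
import socket
import struct
from collections import defaultdict

ETH_LEN = 14
IP_MIN_LEN = 20
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_packet(src, dst, sport, dport, flags=TCP_SYN):
    """Construct a 54-byte header-only packet (test data, not from a trace)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def parse_header(buf):
    """Return (src, dst, proto, sport, dport, flags); ports/flags are None when
    the snapshot is not TCP or too short (e.g. IP options pushed TCP past 54B)."""
    if len(buf) < ETH_LEN + IP_MIN_LEN:
        return None
    if struct.unpack_from("!H", buf, 12)[0] != ETHERTYPE_IPV4:
        return None
    vihl = buf[ETH_LEN]
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    proto = buf[ETH_LEN + 9]
    src = socket.inet_ntoa(buf[ETH_LEN + 12:ETH_LEN + 16])
    dst = socket.inet_ntoa(buf[ETH_LEN + 16:ETH_LEN + 20])
    off = ETH_LEN + ihl
    if proto != PROTO_TCP or len(buf) < off + 14:  # need through the flags byte
        return (src, dst, proto, None, None, None)
    sport, dport = struct.unpack_from("!HH", buf, off)
    return (src, dst, proto, sport, dport, buf[off + 13])


class ScanDetector:
    """Alert when one source sends pure SYNs to more than max_targets distinct
    destination IPs on a watched port within `window` seconds. The fixed
    threshold and window are assumptions chosen for this example."""

    def __init__(self, watched_ports=(445,), max_targets=10, window=60.0):
        self.watched_ports = set(watched_ports)
        self.max_targets = max_targets
        self.window = window
        self.targets = defaultdict(dict)  # src -> {dst: last_seen_ts}

    def observe(self, ts, buf):
        hdr = parse_header(buf)
        if hdr is None:
            return None
        src, dst, proto, sport, dport, flags = hdr
        if proto != PROTO_TCP or flags is None or dport not in self.watched_ports:
            return None
        if flags & (TCP_SYN | TCP_ACK) != TCP_SYN:  # connection attempts only
            return None
        seen = self.targets[src]
        seen[dst] = ts
        for stale in [d for d, t in seen.items() if ts - t > self.window]:
            del seen[stale]
        if len(seen) > self.max_targets:
            return (src, len(seen))
        return None


def run_demo():
    """Constructed traffic: a benign client reconnecting to one file server
    many times, an infected host probing 15 distinct addresses on TCP/445,
    and a SYN-ACK reply that must be ignored. Returns the alerts raised."""
    det = ScanDetector()
    alerts = []
    for i in range(20):
        alerts.append(det.observe(float(i), build_packet(
            "101.209.0.3", "101.209.0.20", 50000 + i, 445)))
    for i in range(15):
        alerts.append(det.observe(float(i), build_packet(
            "101.209.0.7", "10.%d.%d.%d" % (i, (i * 37) % 251, (i * 11) % 251), 1025 + i, 445)))
    alerts.append(det.observe(30.0, build_packet(
        "101.209.0.20", "101.209.0.3", 445, 50000, TCP_SYN | TCP_ACK)))
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for src, n in run_demo():
        print("scan alert: %s contacted %d distinct hosts on TCP/445" % (src, n))
```

The benign host generates twenty SYNs but only one distinct destination, so it never trips the detector, while the scanning host is flagged from its eleventh distinct target onwards. On a real trace the per-source state should be bounded (an LRU or a count-min sketch) since a random-address scanner can otherwise grow the table without limit, which matters on the resource-constrained mesh hardware this page discusses.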

Conficker Traces