EP1902563A2 - Detection of an intrusion by diversion of data packets in a telecommunications network - Google Patents

Detection of an intrusion by diversion of data packets in a telecommunications network

Info

Publication number
EP1902563A2
Authority
EP
European Patent Office
Prior art keywords
packet
entity
packets
network
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP06778701A
Other languages
English (en)
French (fr)
Inventor
Laurent Butti
Roland Duffau
Franck Veysset
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Orange SA
Original Assignee
France Telecom SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W8/00 Network data management
    • H04W8/26 Network addressing or numbering for mobility support
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]
    • H04W92/00 Interfaces specially adapted for wireless communication networks
    • H04W92/04 Interfaces between hierarchically different network devices
    • H04W92/10 Interfaces between hierarchically different network devices between terminal device and access point, i.e. wireless air interface

Definitions

  • The present invention relates, in general, to the detection of an intrusion between an entity communicating via a network and an access point of this network.
  • The access point is a key element of the communication between a client and a network.
  • A known attack using a false (rogue) access point places the attacker between a legitimate client and a legitimate access point of the network. From this position the attacker is able to intercept all communications.
  • The communication takes place in data packets comprising, in general, a field in which at least the origin and destination addresses of the packets (also called "source address" and "destination address") can be identified. These are typically MAC ("Medium Access Control") addresses or IP ("Internet Protocol") addresses.
  • Attacks of the "Man-In-The-Middle" type are difficult to detect because they can use a particular MAC address spoofing technique. It then becomes difficult to distinguish two different devices transmitting from the same MAC address.
  • This type of attack is particularly effective and attractive for the attacker when the legitimate connection, for example in a wireless network, is not encrypted and takes place in so-called "infrastructure" mode, that is to say between a client and an access point.
  • This is typically the case for the "hot-spot" technology deployed by mobile operators, and for the majority of corporate wireless access networks, even when they use upper-layer security mechanisms (above layer 2) such as IPsec, Secure Shell (SSH) or Transport Layer Security (TLS) for employee access.
  • The present invention aims in particular at an effective detection of "Man-In-The-Middle" attacks in "hot-spot" or corporate networks.
  • The effectiveness of the attack in the latter case depends a lot on the security mechanisms used by the company, in particular on their vulnerability to active attacks.
  • With reference to FIG. 1, in a standard connection the client CL is directly connected to the access point AP via a telecommunication network RES. It then accesses the services offered by a second network located behind the access point(s), for example Internet access in the case of a WiFi hot-spot.
  • The legitimate client CL has little information about the legitimate access point to which it connects. In practice this information is often the network name (ESSID, "Extended Service Set Identifier"), or at most the MAC address (BSSID, "Basic Service Set Identifier"). These items can usually be spoofed easily.
  • An attacker is therefore typically able to conduct a MITM attack by usurping the access point function towards the client, and the client function towards the access point.
  • With reference to FIG. 2, which illustrates a MITM attack, the attacker PI thus positions itself as a "transparent" relay and intercepts all the packets sent by the client and by the legitimate access point.
  • To do so, the attacker chooses a network name (the "ESSID" identifier), a MAC address for its wireless interface (the "BSSID" identifier), and a radio channel on which to transmit.
  • These three elements can optionally be chosen to be the same as those of the legitimate access point, so as to minimize the attacker's chances of being detected: appropriate intrusion detection tools could otherwise easily identify a discrepancy, such as the appearance of a new access point with characteristics different from those of the legitimate access points.
  • In practice, however, the attacker will generally have to choose a radio channel different from that of the legitimate access point.
  • An illegitimate access point may thus have, for example, the same BSSID and the same ESSID as a legitimate access point, but a different radio channel.
  • In the case of EAP (Extensible Authentication Protocol) authentication, the legitimate client associates with the illegitimate access point and the attacker usurps the identity of the legitimate client to associate with the legitimate access point. Twice as many EAP frames are therefore transmitted with the same source and destination MAC addresses; the addresses seen may vary depending on whether the attacker also usurps the MAC address of the legitimate client or only that of the legitimate access point.
  • Such an attack is usually detected using a logical sequence of events. However, each of these events can be subject to false positives (alarms raised wrongly) and, above all, to false negatives (undetected attacks) when it is decided to detect the attack only if all the aforementioned conditions are fulfilled.
  • The de-authentication of a client rests on a single packet (disassociation or de-authentication frame), which may not be seen by a probe, for example when the probe's processing capacity is overloaded.
  • The EAP packet enumeration method does not tolerate packet loss.
  • The MITM attack can also occur when the client first arrives on the network. The new client then connects to a fake access point that was waiting for its arrival, and this fake access point performs the second part of the attack, spoofing the client's information to connect to the legitimate access point. In this case no disassociation or de-authentication frame is exchanged, making detection of the attack even less likely.
  • The present invention improves the situation. To this end, it proposes a method for detecting an intrusion in a private data communication between a first entity and a second entity communicating via a telecommunication network, the communication being carried out by transmission of successive packets, each packet comprising at least:
  • a header field including at least a source address of the packet and/or a destination address of the packet for appropriate routing of the packets, and a packet body including private data,
  • the method comprising the steps of: a) detecting at least a first packet and a second packet, transmitted at respective distinct times between the first and second entities and having identical packet bodies, and b) triggering an alarm if the number of packets whose body is identical, detected in step a), is greater than a predetermined threshold.
  • The present invention finds an advantageous application in a wireless telecommunication network, advantageously configured according to the IEEE 802.11 standard, this wireless network being connectable to a wide area network, in particular in a "hot-spot" context, for the detection of "Man-In-The-Middle" intrusions.
  • The aforementioned second entity can then be an access point of the wireless network.
  • FIG. 2 schematically illustrates the situation of a "Man-In-The-Middle" attack in the context of FIG. 1.
  • FIG. 3 represents, by way of example, the structure of a packet or "frame" of data transmitted according to the IEEE 802.11 standard
  • FIG. 4A illustrates the main steps of the method in the sense of the invention, in a first exemplary embodiment, corresponding to a flowchart of a computer program in said first exemplary embodiment
  • FIG. 4B partially illustrates the steps of a variant of the method of FIG. 4A, in a second exemplary embodiment, corresponding to a flowchart of a computer program in said second exemplary embodiment, and
  • FIG. 5 illustrates the operation of a probe, for example a control system of a network, for the implementation of the present invention.
  • A wireless network according to the IEEE 802.11 standard is considered, in infrastructure mode (between a client and an access point) and without data encryption at the radio level.
  • Detection within the meaning of the invention targets "Man-In-The-Middle" attacks between an access point considered legitimate and the client.
  • The invention is particularly adapted to the context of hot-spots.
  • The listening infrastructure can be deployed alongside an existing IEEE 802.11 architecture.
  • The invention uses, in this context, the following principle.
  • In an IEEE 802.11 wireless LAN consisting of at least one legitimate access point and one legitimate client, an attacker is assumed to have mounted a "Man-In-The-Middle" attack between the legitimate client and the legitimate access point, and therefore retransmits the packets received from the client to the legitimate access point.
  • Each such packet consists of an IEEE 802.11 header and a "data" part.
  • The header contains information about the IEEE 802.11 network and allows the proper routing of the packet from the source to the destination.
  • When the attacker re-transmits this packet to the legitimate access point, a certain number of fields in this header are modified (one can even say that the header is completely recreated by the attacker).
  • The "data" part does not change.
  • This "data" part of the packet contains the headers of the higher network layers (for example IP, TCP, UDP, ICMP) as well as the data of the application layers.
  • The invention is then based on the following principle. It is possible, from a probe, to capture and then analyze the variations of these "data" fields of the packets. When two "data" fields have been identified as identical in separate packets within a relatively short time interval, it can be assumed that a Man-In-The-Middle attack is in progress.
  • the network comprises a plurality of communication channels, and the steps of the detection method are conducted on at least two of these channels and, preferably, on each of the channels.
  • The contents of a packet or "frame" of data according to the IEEE 802.11 standard are described below with reference to FIG. 3.
  • The frame first comprises a MAC header field ("MAC Header") defined by the aforementioned IEEE 802.11 standard. It ends with a CRC field (the frame check sequence) carrying an error-detecting code.
  • Between the two lies the frame body ("frame body" in the standard's terminology).
  • This "frame body" field carries the useful data of the communication (in particular TCP/IP).
  • The application content of the "frame body" is generally of the form: LLC (Logical Link Control) header, then IP ("Internet Protocol") header, then TCP (Transmission Control Protocol) header, then application data.
  • To detect the IEEE 802.11 frames transiting on a radio channel, a listener is set up on this radio channel.
  • The content of the data frames (in fact all or part of the "frame body") is compared each time with the content of the previously received data frames, so as to detect frames received in duplicate with respect to their frame body. If such frames are spotted on the radio path, and this on a regular basis, then a "Man-In-The-Middle" attack is in progress.
  • One principle of the present invention is that the packets belonging to the protocols of the layers above the MAC layer (in the OSI model) generally vary substantially from one packet to the next.
  • These protocols mostly use mechanisms identifying the transmitted packets, for example the 2-byte identification field of the IP protocol, or the 2-byte sequence number of the ICMP ("Internet Control Message Protocol") protocol.
  • The invention is therefore particularly suited to performing an efficient analysis with a very low rate of false positives and false negatives.
  • The packets can be transmitted according to a communication protocol that uses data identifying the transmitted packets, these data being included in the packet bodies; a MITM intrusion can then be detected if the bodies of the packets are identical.
  • The present invention also provides a probe for implementing the above method, which will be defined later in generic terms. It may advantageously be an intrusion detection probe adapted to wireless networks and located on a geographic site to be monitored. This probe is able to raise alarms according to certain identified events. A particular analysis of the content of the transmitted frames, or even of the sequence of frames, constitutes a signature that an intrusion detection tool is able to locate. This signature characterizes an event, such as an attack or simply normal behavior.
  • The probe preferably has specific capabilities that allow it to "listen" on multiple channels at the same time while ensuring, preferably, that little or no data frame loss occurs during listening.
  • A first embodiment comprises the steps illustrated in FIG. 4A and may represent an exemplary flowchart of a computer program for implementing the invention.
  • By listening to a network, typically according to the IEEE 802.11 standard, using a probe of the aforementioned type, successive data packets FRA-i are recovered (step 40).
  • A received packet FRA-i is then analyzed by retrieving in particular its frame body fb-i (step 41), which includes private data that a client entity wished, for example, to transmit to an access point.
  • Step 42 consists in calculating a signature sgn-i by applying a hash function H to all or part of the frame body fb-i.
  • The result can be, for example, a 128-bit number (using the MD5 function, "Message Digest 5"), a 160-bit number (using the SHA-1 function, "Secure Hash Algorithm 1"), or n bits (with another hash function).
  • This value, denoted sgn-i in FIG. 4A, is called HASH_FRAMEBODY below.
  • The portion of the frame body that is hashed to compute the signature can matter for performance reasons: the invention can be optimized by computing the hash only over the first 100 bytes, for example. This can be a parameter of the probe implementing the invention. The choice also matters for certain attack categories that may cause some otherwise fixed bytes of the frame body fb-i to change; it is then possible to define bytes not to be checked so that these classes of attack can still be detected. This too can be a parameter of the tool implementing the invention.
  • A signature of the packet body is calculated by applying a hash function to all or part of the data of the packet body.
  • This signature is stored in memory and compared with the packet body signatures previously stored in that memory.
  • The hash function may be applied to only a part of the data of the packet body, this part being chosen according to the configuration of the network and/or according to the relevance of these data for intrusion detection.
  • Address information (mainly from the packet header), for example at least @MAC_source (source MAC address) and @MAC_destination (destination MAC address), advantageously @MAC_BSSID, and possibly the TO_DS/FROM_DS flags (together named STATE_DS), is archived at the same time as the frame body signature.
  • The TO_DS flag indicates that the packet from the client is destined for the network behind the access point (typically a wired network).
  • The FROM_DS flag indicates that the frame coming from the access point originates from equipment behind the access point (in the wired network).
  • The new HASH_FRAMEBODY sgn-i is compared with those present in memory, preferably sequentially. If there exists in memory a HASH_FRAMEBODY sgn-j equal to the current HASH_FRAMEBODY sgn-i (indices i and j being different), which corresponds to the arrow "o" at the output of test 44, then a "Man-In-The-Middle" alarm is raised in step 45. If not (arrow "n" at the output of test 44), the method continues by analyzing the next frame FRA-i (step 46) and is reiterated for this new frame from step 40.
  • The flowchart above shows the method most optimized for speed of processing of the IEEE 802.11 information received by the probe.
  • Step b) of the general method defined above is conditioned by the detection of a number of packets whose body is identical in step a), this number (corresponding in practice to the threshold K_TH + 1) preferably being chosen according to the given configuration of the network.
  • In the flowchart of FIG. 4A this threshold K_TH simply has the value 1.
  • The flowchart of FIG. 4B presents the method most optimized for reducing false positives in the processing of the IEEE 802.11 information received by the probe.
  • The tool can implement both methods and dynamically select the most suitable one depending on the context. It is of course possible to set the listening time window to optimize the detection process.
  • The triggering of the alarm in step b) is effective if first and second packets with the same body are detected in step a) within a time interval shorter than a predetermined duration, this duration preferably being chosen according to the configuration of the network.
  • The alarm raised by the probe can indicate the five aforementioned data (@MAC_source, @MAC_destination, @MAC_BSSID, TO_DS/FROM_DS and HASH_FRAMEBODY) associated with the current frame and with the frame previously stored in memory. Although the source, destination and BSSID MAC addresses are in principle not necessary to perform the detection, they help the operator trace the event more accurately.
  • A third embodiment, in the specific context of communications between Wi-Fi clients of the same access point, is described below.
  • Legitimate access points may offer a feature that prohibits connections between clients of the same access point, that is, disables the access point's relay ("bridge") operation between its own clients; an example is the "Publicly Secure Packet Forwarding" (PSPF) feature of Cisco access points.
  • When such a feature is enabled, the invention is particularly effective. In its absence, a packet issued by one client to another client of the same access point is retransmitted by the legitimate access point without modification of the "frame body". This would be detected as a possible MITM attack within the meaning of the invention, so an additional verification step can be added for the packets identified under these conditions.
  • This additional verification step can for example be activated by the administrator of the wireless network according to the configuration chosen for the network.
  • In a frame relayed by the access point from a client A to a client B, the "To DS" field is set to 0 while the "From DS" field is set to 1.
  • The @MAC_destination and @MAC_source fields are filled respectively with the MAC address of B and the MAC address of A, and the BSSID field carries the MAC address of the access point.
  • When the intrusion further comprises a step of modifying data (such as the TO DS/FROM DS flag values) in the header field:
  • in step a), the header fields of the first and second packets are further compared, and
  • in step b), the alarm is triggered if the packet bodies are identical and the header fields are different.
  • The invention thus advantageously adapts to a context that is not subject to a constraint of the type "no communication between clients via an access point". To this end it suffices to add a test on the To DS/From DS flag values at the output of test 44 on the HASH_FRAMEBODY shown in FIG. 4A.
  • With reference to FIG. 5, the probe S listens to both channels 1 and 2, connecting the attacker ATT to the client CL on the one hand and the attacker ATT to the access point AP on the other. It stores in the memory MEM and reads the packets transiting on these two paths, and detects in particular those having the same frame body, triggering an alarm if necessary.
  • The present invention also relates to such a probe S, arranged to detect an intrusion in a private data communication between a first entity and a second entity (such as an access point) communicating via a telecommunications network, the probe comprising, preferably, means for reading at least the bodies of the packets transmitted between the first entity and the second entity, for example in the memory MEM,
  • the present invention also relates to a computer program that can be downloaded via a telecommunication network and / or intended to be stored in a memory of a probe of the type described above and / or stored on a memory medium intended to cooperate with a reader of this probe.
  • the program includes instructions for implementing the method of the type described above.
  • the present invention also relates to a data storage medium comprising computer program code instructions for executing the steps of the method within the meaning of the invention.
  • The present invention also provides a system for implementing a method of detecting an intrusion into a private data communication, typically between a plurality of entities communicating via a telecommunication network and a plurality of access points of the network. For this purpose, it comprises a plurality of probes forming an architecture deployed on the network for network control, each probe comprising the means described above.
  • The detection in the sense of the invention is entirely passive. It does not require any interaction with the equipment constituting the wireless network (access points, clients).
  • The detection in progress is therefore not detectable by an attacker.
  • The detection is independent of whether the MAC addresses are spoofed or not, since it relies on the content of the frame body. It is also independent of whether ESSID network names are spoofed or not.
  • Another major advantage is that it is independent of whether the radio channels are the same or not.
  • Detection is easy to implement in practice. In particular it tolerates packet loss by the equipment listening to the radio: lost frames cause no false positives, and since a MITM attack relays many successive packets, enough duplicates will be seen for it to be detected.
  • The method within the meaning of the invention can be implemented very simply in an intrusion detection tool for IEEE 802.11 wireless networks, equipment capable of listening to the IEEE 802.11 radio channel being common.
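The detection procedure described above (steps 40 to 46, the K_TH threshold and listening time window, the five data reported in an alarm, and the To DS/From DS test of the third embodiment), as an added example in Python that is not the patent's or Orange's code. It parses raw IEEE 802.11 data frames, hashes the first bytes of the frame body with optional masked offsets, keeps signatures in a sliding time window and alarms on a repeat. Two points are my own reading rather than the page's text: the relay-exclusion test encodes the bridged frame the page describes (To DS=0, From DS=1 on the copy the access point re-emits, the reverse of the client's own copy, whereas a MITM relay keeps the same direction on both hops), and the Retry-bit rule for MAC-layer retransmissions is a false-positive filter the page does not mention. All MAC addresses, frame bodies and timestamps are constructed.

```python
"""Passive duplicate-frame-body MITM probe for 802.11 (added example, not the patent's code; frames constructed)."""
import hashlib
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional

TO_DS, FROM_DS, RETRY = 0x01, 0x02, 0x08   # Frame Control flag bits (IEEE 802.11)
FCS_LEN = 4

@dataclass(frozen=True)
class Frame:
    to_ds: bool
    from_ds: bool
    retry: bool
    src: bytes     # @MAC_source
    dst: bytes     # @MAC_destination
    bssid: bytes   # @MAC_BSSID
    body: bytes    # frame body (LLC/IP/TCP... payload), FCS stripped

def parse_data_frame(raw: bytes) -> Frame:
    """Parse a raw 802.11 data frame; which address plays which role depends on the To DS/From DS bits."""
    if (raw[0] >> 2) & 0x03 != 2:
        raise ValueError("not a data frame")
    flags = raw[1]
    to_ds, from_ds = bool(flags & TO_DS), bool(flags & FROM_DS)
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    hdr_len = 24 + (2 if raw[0] & 0x80 else 0)     # QoS data subtypes add a 2-byte QoS Control field
    if to_ds and from_ds:                           # 4-address (WDS) frame: SA=Addr4, DA=Addr3
        src, dst, bssid, hdr_len = raw[24:30], a3, a2, hdr_len + 6
    elif to_ds:                                     # station -> AP: Addr1=BSSID, Addr2=SA, Addr3=DA
        src, dst, bssid = a2, a3, a1
    elif from_ds:                                   # AP -> station: Addr1=DA, Addr2=BSSID, Addr3=SA
        src, dst, bssid = a3, a1, a2
    else:                                           # IBSS: Addr1=DA, Addr2=SA, Addr3=BSSID
        src, dst, bssid = a2, a1, a3
    return Frame(to_ds, from_ds, bool(flags & RETRY), src, dst, bssid, raw[hdr_len:-FCS_LEN])

class MitmProbe:
    """Steps 40-46: hash each frame body, keep it in MEM for a time window, alarm on a repeat."""
    def __init__(self, window_s=2.0, k_th=1, hash_len=100, skip_offsets=(),
                 exclude_ap_relay=True, ignore_retries=True) -> None:
        self.window_s, self.k_th, self.hash_len = window_s, k_th, hash_len  # window; alarm at K_TH+1 copies; bytes hashed
        self.skip_offsets = set(skip_offsets)         # body bytes masked out before hashing
        self.exclude_ap_relay, self.ignore_retries = exclude_ap_relay, ignore_retries
        self.mem = deque()                            # MEM: (timestamp, header data, HASH_FRAMEBODY)

    def hash_frame_body(self, body: bytes) -> bytes:
        """HASH_FRAMEBODY: SHA-1 over the first hash_len bytes with skip_offsets zeroed (a fingerprint, not a MAC)."""
        part = bytes(0 if i in self.skip_offsets else b for i, b in enumerate(body[:self.hash_len]))
        return hashlib.sha1(part).digest()

    @staticmethod
    def is_ap_relay(earlier: Frame, later: Frame) -> bool:
        """Legitimate A->AP->B bridging: To DS=1 then From DS=1, same BSSID and end stations. A MITM
        relay repeats the same DS direction on both hops, so it never matches this."""
        return (earlier.to_ds and not earlier.from_ds and later.from_ds and not later.to_ds
                and earlier.bssid == later.bssid and earlier.src == later.src and earlier.dst == later.dst)

    def is_mac_retry(self, earlier: Frame, later: Frame) -> bool:
        """Same transmitter, same direction, Retry bit set: a MAC-layer retransmission. Not in the patent
        text, and the Retry bit is attacker-controlled; ignore_retries=False switches it off."""
        return (self.ignore_retries and later.retry and earlier.src == later.src
                and (earlier.to_ds, earlier.from_ds) == (later.to_ds, later.from_ds))

    def observe(self, ts: float, raw: bytes) -> Optional[Dict[str, object]]:
        """Ingest one captured data frame (step 40); return an alarm (step 45) or None (step 46)."""
        frame = parse_data_frame(raw)
        while self.mem and ts - self.mem[0][0] > self.window_s:
            self.mem.popleft()                        # forget signatures older than the window
        sig = self.hash_frame_body(frame.body)
        matches = [(t, f) for t, f, s in self.mem if s == sig and not self.is_mac_retry(f, frame)
                   and not (self.exclude_ap_relay and self.is_ap_relay(f, frame))]
        self.mem.append((ts, frame, sig))
        if len(matches) < self.k_th:
            return None
        return {"type": "Man-In-The-Middle", "hash_framebody": sig.hex(),
                "first": matches[0], "current": (ts, frame)}   # the five data for both frames

def build_data_frame(a1, a2, a3, body, *, to_ds=False, from_ds=False, retry=False) -> bytes:
    """Constructed 802.11 data frame (subtype 0, no QoS); the FCS is a zero placeholder."""
    flags = (TO_DS if to_ds else 0) | (FROM_DS if from_ds else 0) | (RETRY if retry else 0)
    return bytes([0x08, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body + b"\x00" * FCS_LEN

CL, AP, ATT, GW, B = (bytes.fromhex(f"02000000000{i}") for i in range(1, 6))  # constructed MACs
BODY = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + bytes(range(48))   # constructed LLC/SNAP (IPv4) + payload

def run_mitm_scenario(spoof_client_mac=True) -> List[Optional[Dict[str, object]]]:
    """CL sends to the (fake) AP; the attacker re-emits the same body to the legitimate AP 4 ms later."""
    probe = MitmProbe()
    hop1 = build_data_frame(AP, CL, GW, BODY, to_ds=True)
    hop2 = build_data_frame(AP, CL if spoof_client_mac else ATT, GW, BODY, to_ds=True)
    return [probe.observe(0.000, hop1), probe.observe(0.004, hop2)]

def run_ap_relay_scenario(exclude_ap_relay=True) -> List[Optional[Dict[str, object]]]:
    """Client-to-client traffic bridged by the legitimate AP: same body, DS direction flipped."""
    probe = MitmProbe(exclude_ap_relay=exclude_ap_relay)
    return [probe.observe(0.000, build_data_frame(AP, CL, B, BODY, to_ds=True)),
            probe.observe(0.002, build_data_frame(B, AP, CL, BODY, from_ds=True))]
```

`run_mitm_scenario()` alarms on the second frame whether or not the attacker spoofs the client's MAC address, because only the body hash and the DS direction are compared; `run_ap_relay_scenario()` stays silent because the access point's re-emitted copy carries From DS=1 where the client's copy carried To DS=1. Use `skip_offsets` for body bytes that a given attack class rewrites, not for the IP identification or ICMP sequence fields: masking those would erase exactly the variation that keeps benign traffic from colliding. Raising `k_th` corresponds to the FIG. 4B variant that trades a little latency for fewer false positives.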

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
EP06778701A 2005-07-13 2006-06-28 Detection of an intrusion by diversion of data packets in a telecommunications network Withdrawn EP1902563A2 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0507532A FR2888695A1 (fr) 2005-07-13 2005-07-13 Detection of an intrusion by diversion of data packets in a telecommunications network
PCT/FR2006/001508 WO2007010101A2 (fr) 2005-07-13 2006-06-28 Detection of an intrusion by diversion of data packets in a telecommunications network

Publications (1)

Publication Number Publication Date
EP1902563A2 true EP1902563A2 (de) 2008-03-26

Family

ID=36297263

Family Applications (1)

Application Number Title Priority Date Filing Date
EP06778701A Withdrawn EP1902563A2 (de) 2005-07-13 2006-06-28 Detection of an intrusion by diversion of data packets in a telecommunications network

Country Status (4)

Country Link
US (1) US20090138971A1 (de)
EP (1) EP1902563A2 (de)
FR (1) FR2888695A1 (de)
WO (1) WO2007010101A2 (de)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120030759A1 (en) * 2010-07-28 2012-02-02 Alcatel-Lucent Usa Inc. Security protocol for detection of fraudulent activity executed via malware-infected computer system
EP2774446B1 (de) * 2011-10-31 2018-05-23 Nokia Technologies Oy Location privacy in communication networks
US10620241B2 (en) 2012-02-17 2020-04-14 Perspecta Labs Inc. Method and system for packet acquisition, analysis and intrusion detection in field area networks
US9110101B2 (en) 2012-02-17 2015-08-18 Vencore Labs, Inc. Method and system for packet acquisition, analysis and intrusion detection in field area networks
JP2016511966A (ja) 2013-01-24 2016-04-21 Vencore Labs, Inc. Method and system for visualizing and analyzing field area networks
CN106790299B (zh) * 2017-03-20 2020-06-23 Comba Telecom Systems (China) Ltd. Wireless attack defense method and apparatus applied on a wireless access point (AP)
US10853457B2 (en) * 2018-02-06 2020-12-01 Didi Research America, Llc System and method for program security protection

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020166063A1 (en) * 2001-03-01 2002-11-07 Cyber Operations, Llc System and method for anti-network terrorism
US6745333B1 (en) * 2002-01-31 2004-06-01 3Com Corporation Method for detecting unauthorized network access by having a NIC monitor for packets purporting to be from itself
US7134143B2 (en) * 2003-02-04 2006-11-07 Stellenberg Gerald S Method and apparatus for data packet pattern matching
US7454499B2 (en) * 2002-11-07 2008-11-18 Tippingpoint Technologies, Inc. Active network defense system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2007010101A2 *

Also Published As

Publication number Publication date
WO2007010101A2 (fr) 2007-01-25
FR2888695A1 (fr) 2007-01-19
WO2007010101A3 (fr) 2007-03-29
US20090138971A1 (en) 2009-05-28

Similar Documents

Publication Publication Date Title
EP2721857B1 (de) Method for processing a data packet on transmission, method for processing a data packet on reception, and device and node equipment therefor
EP1605660B1 (de) Network access control for a terminal connected to a VPN tunnel
US6816462B1 System and method to determine connectivity of a VPN secure tunnel
US6915436B1 System and method to verify availability of a back-up secure tunnel
EP1733539B1 (de) Device and method for detecting and preventing intrusion into a computer network
EP1872543A1 (de) Method and system for transmitting a multicast stream in a data exchange network
WO2007010101A2 (fr) Detection of an intrusion by diversion of data packets in a telecommunications network
EP3556130B1 (de) Method for monitoring a telecommunications network, implemented by an access point
EP1794934A1 (de) Method, device and program for detecting an unauthorised connection to access points
FR2844941A1 (fr) Secure access request to the resources of an intranet network
EP1842389B1 (de) Method, device and program for detecting IP spoofing in a wireless network
WO2020260813A1 (fr) Method for managing a communication between terminals in a communication network, and devices for implementing the method
EP1758338B1 (de) Secure communication method and device for processing SEND data packets
WO2006087473A1 (fr) Method, device and program for detecting address spoofing in a wireless network
EP1905194B1 (de) Detecting a double attachment between a wired network and at least one wireless network
FR2717334A1 (fr) Integrity verification of data exchanged between two telecommunications network stations
EP3298745B1 (de) Small form-factor pluggable modules
EP3087719B1 (de) Method for slowing down a communication in a network
EP3747238B1 (de) Aggregation of multiple radio links in a wireless network
EP4338375A1 (de) Method for defending against an attempt to disconnect two entities, and associated system
Casey et al. Network investigations
FR2866496A1 (fr) Method for controlling the network access of a source terminal using a tunnel in blocking mode
FR2888432A1 (fr) Methods for protecting management frames exchanged between two wireless devices, for receiving and transmitting such frames, and computer programs and data media containing these computer programs

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20071212

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ORANGE

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20140102