Intrusion and Anomaly Detection in Wireless Networks

Amel Meddeb Makhlouf (University of the 7th of November at Carthage, Tunisia) and Noureddine Boudriga (University of the 7th of November at Carthage, Tunisia)
The broadcast nature of wireless networks and the mobility of their devices have created new kinds of intrusions and anomalies that exploit wireless vulnerabilities. Because of the radio links and the mobile equipment of wireless networks, wireless intrusions are more complex: in addition to the intrusions developed for wired networks, they comprise a large spectrum of complex attacks targeting the wireless environment. These intrusions include rogue or unauthorized access points (AP), AP MAC spoofing, and wireless denial of service, and they require new techniques and mechanisms beyond the approaches that detect intrusions targeting wired networks. To face this challenge, some researchers have focused on extending the approaches deployed for wired networks, while others have worked to develop techniques suitable for detecting wireless intrusions. The efforts have mainly addressed: (1) the development of theories that allow reasoning about detection, wireless cooperation, and response to incidents; and (2) the development of wireless intrusion and anomaly detection systems that incorporate wireless detection, preventive mechanisms, and tolerance functions. This chapter aims at discussing the major theories, models, and mechanisms developed for the protection of wireless networks/systems against threats, intrusions, and anomalous behaviors. The objectives of this chapter are to: (1) discuss security problems in a wireless environment; (2) present the current research activities; (3) study the important results already developed by researchers; and (4) discuss the validation methods proposed for the protection of wireless networks against attacks.

Key Terms in this Chapter

Ad Hoc Networks: Ad hoc networks are local area networks or other small networks, especially ones with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in some close proximity to the rest of the network.

Access Point (AP): An access point is the base station in a wireless LAN. APs are typically stand-alone devices that plug into an Ethernet hub or switch. As in a cellular phone system, users can roam around with their mobile devices and be handed off from one AP to another.

Intrusion Tolerance: Intrusion tolerance is the ability to continue delivering a service when an intrusion occurs.

Wireless Sensor Networks (WSN): A WSN is a network of RF transceivers, sensors, machine controllers, microcontrollers, and user interface devices with at least two nodes communicating by means of wireless transmissions.

Intrusion Prevention System (IPS): An IPS is software that prevents an attack on a network or computer system. An IPS is a significant step beyond an intrusion detection system (IDS), because it stops the attack from damaging or retrieving data. Whereas an IDS passively monitors traffic by sniffing packets off a switch port, an IPS resides inline like a firewall, intercepting and forwarding packets. It can thus block attacks in real time.

Wireless Traffic Anomaly: A wireless traffic anomaly is a deviation from the normal wireless traffic pattern. An intrusion detection system (IDS) may look for unusual traffic activities. Wireless traffic anomalies can be used to identify unknown attacks and DoS floods.

Wireless Attack: A wireless attack is a malicious action against wireless system information or wireless networks; examples can be denial of service attacks, penetration, and sabotage.

Wireless Vulnerability: A wireless vulnerability is a security exposure in wireless components. Before the Internet became mainstream and exposed every organization in the world to every attacker on the planet, vulnerabilities surely existed, but they were not exploited as often.

Wireless Intrusion Detection System (WIDS): A WIDS is software that detects an attack on a wireless network or wireless system. A network IDS (NIDS) is designed to support multiple hosts, whereas a host IDS (HIDS) is set up to detect illegal actions within the host. Most IDS programs use signatures of known cracker attempts to signal an alert. Others look for deviations from the normal routine as indications of an attack. Intrusion detection is very tricky.
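The two detection styles named in the key terms above (signature matching in the WIDS entry, and deviation from the normal traffic pattern in the Wireless Traffic Anomaly entry) are shown together in the following toy detector. It is an added example and not code from the chapter: it applies a signature rule for the rogue and spoofed access points mentioned in the abstract, and a rate-based anomaly rule for a deauthentication flood, which is one form of the wireless denial of service the abstract lists. All MAC addresses, SSIDs, frame timings and the authorized-AP inventory are constructed values.

```python
"""Toy wireless IDS: signature matching (known rogue/spoofed APs) plus traffic
anomaly detection (per-window deauthentication rate against a learned baseline).
Added example; every MAC address, SSID and timing below is constructed."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Iterable, Optional


@dataclass(frozen=True)
class Frame:
    t: float                    # capture time in seconds
    src: str                    # transmitter MAC address
    bssid: str                  # BSSID the frame belongs to
    subtype: str                # "beacon", "deauth", "data", ...
    ssid: Optional[str] = None  # only set on beacon frames


# Constructed inventory of authorized APs: SSID -> set of BSSIDs (hypothetical).
AUTHORIZED = {"corp-wifi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}


def signature_alerts(frames: Iterable[Frame], authorized=AUTHORIZED):
    """Signature rules over beacon frames.
    - A beacon from a BSSID not in the inventory is a rogue/unauthorized AP.
    - If that unknown BSSID also advertises an authorized SSID, label it as an
      AP spoofing attempt (a device imitating the corporate network)."""
    known = set().union(*authorized.values())
    alerts = []
    for f in frames:
        if f.subtype != "beacon" or f.bssid in known:
            continue
        kind = "spoofed_ap" if f.ssid in authorized else "rogue_ap"
        alerts.append((kind, f.bssid, f.ssid))
    return sorted(set(alerts))


def deauth_rate_per_window(frames: Iterable[Frame], window: float = 1.0):
    """Count deauthentication frames per fixed time window (window index -> count)."""
    return dict(Counter(int(f.t // window) for f in frames if f.subtype == "deauth"))


def anomaly_threshold(baseline_counts, k: float = 3.0) -> float:
    """The 'normal wireless traffic pattern': mean + k standard deviations of the
    per-window deauth counts observed during a clean training period."""
    return mean(baseline_counts) + k * pstdev(baseline_counts)


def anomaly_alerts(frames, baseline_counts, window: float = 1.0, k: float = 3.0):
    """Flag windows whose deauth count deviates above the learned threshold.
    No signature of the sender is needed: only the rate is used, which is why
    anomaly detection can catch floods from attackers it has never seen."""
    thr = anomaly_threshold(baseline_counts, k)
    rates = deauth_rate_per_window(frames, window)
    return sorted((w, c) for w, c in rates.items() if c > thr)


# --- constructed sample data ------------------------------------------------
BASELINE_DEAUTH_PER_SEC = [0, 1, 0, 2, 1, 0, 1, 1, 0, 1]   # clean training period


def sample_capture():
    """A constructed four-second capture: one legitimate AP, one unknown AP that
    also imitates the corporate SSID, and a deauth flood in the third second."""
    legit = "00:11:22:33:44:55"
    rogue = "de:ad:be:ef:00:01"
    flooder = "ca:fe:ca:fe:00:02"
    frames = [
        Frame(0.1, legit, legit, "beacon", "corp-wifi"),
        Frame(0.2, rogue, rogue, "beacon", "guest-free"),   # unknown AP
        Frame(0.3, rogue, rogue, "beacon", "corp-wifi"),    # imitates corp SSID
        Frame(0.5, legit, legit, "deauth"),                  # 1 deauth in window 0
        Frame(1.2, legit, legit, "deauth"),
        Frame(1.7, legit, legit, "deauth"),                  # 2 deauths in window 1
    ]
    # window 2: 40 deauth frames within one second from a single transmitter
    frames += [Frame(2.0 + i * 0.02, flooder, legit, "deauth") for i in range(40)]
    frames.append(Frame(3.4, legit, legit, "data"))
    return frames


if __name__ == "__main__":
    cap = sample_capture()
    print("signature alerts:", signature_alerts(cap))
    print("anomaly alerts:", anomaly_alerts(cap, BASELINE_DEAUTH_PER_SEC))
```

On the constructed capture the signature rule raises one rogue_ap and one spoofed_ap alert for the unknown BSSID, and the anomaly rule flags only window 2 (40 deauth frames against a threshold of roughly 2.6), while the two deauth frames in window 1 stay below the baseline and raise nothing. The threshold is learned from a clean period, so the quality of that baseline decides the false-positive rate, which is the practical difficulty the WIDS entry hints at.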

