2nd International ICST Workshop on Personalized Networks

Research Article

Anomaly-Based Behavior Analysis of Wireless Network Security

  • @INPROCEEDINGS{10.1109/MOBIQ.2007.4451054,
        author={Samer Fayssal and Salim Hariri and Youssif Al-Nashif},
        title={Anomaly-Based Behavior Analysis of Wireless Network Security},
        proceedings={2nd International ICST Workshop on Personalized Networks},
        keywords={Communication system security, Computer network management, Computer networks, Computer security, Condition monitoring, Intrusion detection, Protection, Signal analysis, Wireless LAN, Wireless networks},
  • Samer Fayssal
    Salim Hariri
    Youssif Al-Nashif
    Year: 2008
    Anomaly-Based Behavior Analysis of Wireless Network Security
    DOI: 10.1109/MOBIQ.2007.4451054
Samer Fayssal1,*, Salim Hariri1,*, Youssif Al-Nashif1,*
  • 1: Electrical and Computer Engineering Department, The University of Arizona, Tucson, AZ 85721
*Contact email: sfayssal@ece.arizona.edu, hariri@ece.arizona.edu, alnashif@ece.arizona.edu


The exponential growth in wireless network faults, vulnerabilities, and attacks makes wireless local area network (WLAN) security management a challenging research area. Newer network cards implemented more security measures according to the IEEE recommendations [14], but the wireless network is still vulnerable to denial of service attacks and to other traditional attacks because of the existing wide deployment of network cards with well-known security vulnerabilities. The effectiveness of a wireless intrusion detection system (WIDS) relies on updating its security rules; many current WIDSs use static security rule settings based on expert knowledge. However, updating those security rules can be time-consuming and expensive. In this paper, we present a novel approach based on multi-channel monitoring and anomaly analysis of station localization, packet analysis, and state tracking to detect wireless attacks; we use adaptive machine learning and genetic search to dynamically set optimal anomaly thresholds and to select the set of features necessary to detect network attacks efficiently. We present a self-protection system with the following salient features: it monitors the wireless network, generates network features, tracks wireless network state machine violations, generates wireless flow keys (WFK), and uses the dynamically updated anomaly and misuse rules to detect complex known and unknown wireless attacks. To quantify the attack impact, we use the abnormality distance from the trained norm and multivariate analysis to correlate the multiple selected features that contribute to the final decision. We validate our wireless self-protection system (WSPS) approach by experimenting with more than 20 different types of wireless attacks. Our experimental results show that the WSPS approach can protect against wireless network attacks with a false positive rate of 0.1209% and a detection rate of more than 99%.