
CN104009870A - WLAN wireless intrusion alarm aggregation method - Google Patents


Info

Publication number: CN104009870A
Application number: CN201410238569.1A
Authority: CN (China)
Prior art keywords: alarm, alarms, attack, wireless, type
Legal status: Granted; currently active
Other languages: Chinese (zh)
Other versions: CN104009870B (en)
Inventor: 陈观林
Current Assignee: Hangzhou City University
Original Assignee: Zhejiang University City College ZUCC
Application filed by Zhejiang University City College ZUCC
Priority to CN201410238569.1A
Publication of CN104009870A
Application granted
Publication of CN104009870B


Abstract

The invention discloses a WLAN-oriented wireless intrusion alarm aggregation method comprising the following steps. Step 1, alarm formatting: the raw security alarms captured by an existing wireless intrusion detection system are first formatted, the alarm format of the general Intrusion Detection Message Exchange Format (IDMEF) is improved, and wireless device information such as AP access point data is introduced. Step 2, alarm reduction: the alarms produced by a WLAN wireless intrusion detection system contain a large number of irrelevant and duplicate alarms; these are eliminated and reduced to improve the accuracy and reliability of alarm analysis. Step 3, alarm classification: after irrelevant and duplicate alarms have been removed, the raw alarms are aggregated into hyper-alerts, each corresponding to a class of security alarms with distinct attack behaviour characteristics, which provides the precondition for subsequent intrusion prevention decisions. The method greatly reduces the number of irrelevant and duplicate alarms among the raw alarms and improves the performance of wireless intrusion detection.

Description

WLAN wireless intrusion alarm aggregation method

Technical field

The invention relates to a wireless intrusion alarm aggregation method, and more specifically to a WLAN-oriented wireless intrusion alarm aggregation method.

Background

With the continual growth in the number of Internet users worldwide, the number of users connecting wirelessly is also rising, and the wireless local area network (WLAN) has become a widely used network technology. WLAN offers high access rates, fast deployment, flexible networking and a simple architecture, advantages that traditional wired networks cannot match; it is widely used in homes, airports, stations, campuses and many other settings, and has driven the rapid spread of the mobile Internet and BYOD (Bring Your Own Device) in recent years.

Because of the particular nature of WLAN, an attacker can mount an attack without any physical connection, and the IEEE 802.11 family of standards in common use worldwide, together with the Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) encryption algorithms, have flaws of their own, which makes WLAN security a prominent problem. In its 2012 Global Security Report, the American information security services company Trustwave listed the Top 10 Network Risks; two of them are WLAN-related, namely wireless clients automatically connecting to rogue APs (ranked fifth) and the use of WEP encryption for wireless transmission (ranked sixth).

As WLAN security threats intensify, hackers increasingly mount attacks of many forms against WLANs, such as key cracking, address spoofing and denial of service, causing serious damage to WLAN networks in homes and public places. According to reports, at the BlackHat 2012 conference held in July 2012, 1561 independent WLAN security incidents were detected, including more than 280 rogue APs, DoS attacks, deauthentication broadcasts and other attack methods. In February 2012, Xinhuanet, China Economic Net and other media reported that hackers used fake free Wi-Fi hotspots to obtain users' confidential information, pointing out that many open wireless networks in public places are forged by criminals, who can easily obtain the private information of the users of those networks. In March 2014, the Overview of China's Internet Security Situation in 2013 released by the National Internet Emergency Center (CNCERT) showed that wireless router products from D-LINK, Cisco, Linksys, NetGear, Tenda and other manufacturers contained backdoors through which hackers could take direct control of the router and then launch DNS hijacking, information theft, phishing and other attacks, directly threatening the security of users' online transactions and stored data. These reports have undoubtedly deepened public concern about using WLAN.

Research on WLAN intrusion detection and prevention technology started earlier abroad. The main wireless network intrusion detection systems include the following products: ISS's Wireless Scanner, AirMagnet's AirMagnet Distributed, AirDefense's AirDefense Guard, Cisco's Adaptive WIPS, AirTight's SpectraGuard, the Fatblock working group's WIDZ, the open source Snort-Wireless, and Kismet.

Each of these wireless intrusion detection systems has its own raw alarm format, and each generates a large number of irrelevant and duplicate alarms, which hinders accurate, real-time identification of a WLAN attacker's true intent, especially in multi-step attacks. The raw alarms therefore need to be pre-processed: irrelevant and duplicate alarms are removed and the remainder is converted into hyper-alert types. This markedly reduces the number of raw alarms and lowers the false alarm rate of existing WLAN intrusion prevention systems, thereby improving the performance of WLAN intrusion detection and prevention.

Patent 200810046788.4, "A method for reducing false alarms in a network intrusion detection system", provides a method for reducing false alarms in a network intrusion detection system. The method removes the large number of redundant alarms produced by background traffic according to the characteristics of the network traffic, and then performs real-time aggregation analysis of the remaining alarms according to the pattern in which alarms are generated, thereby reducing the number of alarms. It first collects signature-generated alarms to form a sample set A; from A it extracts the signatures whose share of generated alarms meets the threshold α and the IPs whose generated alarm count meets the threshold β; it then constructs alarm time series from the pairwise combinations of the extracted signatures and IPs, analyses the period of each alarm time series by Fourier analysis and applies a hypothesis test to the periods obtained; next it formulates removal rules from the periodic alarm time series and removes from sample set A the signature-generated alarms that match the rules; finally it performs aggregation analysis on the alarms remaining after removal to produce super alarms.

This method mainly uses the IP address as the aggregation feature; it can effectively aggregate intrusion alarms in wired networks and reduce their number. It is not, however, suited to the wireless network environment, because during a wireless intrusion the attacker often has not yet been assigned an IP address and attacks using the physical (MAC) address and other WLAN attributes, so the method cannot effectively aggregate WLAN wireless intrusion alarms.

Summary of the invention

The purpose of the invention is to overcome the deficiencies of the prior art by providing a WLAN wireless intrusion alarm aggregation method that is suited to real WLAN network environments, effectively removes large numbers of duplicate and irrelevant WLAN alarms, reduces the number of raw alarms, and improves the accuracy of wireless intrusion alarm analysis.

This WLAN-oriented wireless intrusion alarm aggregation method includes the following steps:

Step 1, alarm formatting: the raw security alarms captured by an existing wireless intrusion detection system (such as the open source Snort-Wireless) are first formatted, improving the alarm format of the general Intrusion Detection Message Exchange Format (IDMEF) by introducing wireless device information such as AP access point data, specifically the AP's SSID, operating channel, MAC address, signal strength, whether encryption is enabled and the encryption mechanism, so that the alarm reflects the characteristic information of the WLAN wireless environment;

Step 2, alarm reduction: the alarms generated by a WLAN wireless intrusion detection system contain a large number of irrelevant and duplicate alarms, for example a WEP-cracking alarm raised against a WPA-encrypted AP, or consecutive duplicate alarms raised for the same attack; these alarms are eliminated and reduced to improve the accuracy and reliability of alarm analysis;

Step 3, alarm classification: the alarms remaining after irrelevant and duplicate alarms have been removed are classified by features such as the AP's SSID, the attack source's MAC address and the AP's MAC address, and the raw alarms are aggregated into hyper-alerts, each corresponding to a class of security alarms with distinct attack behaviour characteristics, which provides the precondition for subsequent intrusion prevention decisions.

The overall structure of the method is shown in Figure 1; the specific implementation steps are as follows:

Step 1, alarm formatting

Alarm formatting must both capture the characteristics of wireless data in the WLAN environment and integrate the alarms, logs and other information produced by different wireless intrusion detection systems, so unified formatting is required. The IDMEF standard is the intrusion detection message exchange standard proposed by the Intrusion Detection Working Group (IDWG) of the Internet Engineering Task Force (IETF), but it targets mainly wired network environments. We therefore propose an improved standard alarm format based on IDMEF: it incorporates the MAC frame structure information of the 802.11 standard and defines a standard format for converting raw alarm information into hyper-alerts, so that the improved IDMEF standard also applies to WLAN wireless environments.

Because the IDMEF alarm format was proposed mainly for wired network environments and lacks support for the special WLAN environment, we have extended it. Figure 2 is the improved class diagram of the Alert class defined in IDMEF. The main idea of the improvement is to supplement the IDMEF alarm format with the following three important kinds of information:

(1) An AP class is added to the alarm Target to describe the AP information attributes specific to the WLAN environment, mainly the AP's physical address (MAC_Addr), SSID (SSID), BSSID (BSSID), vendor (Vendor), operating channel (Channel), transmission speed (Speed), signal strength (Signal), whether encryption is enabled (Encryption), encryption method (Encrypt_Type) and IP address (IP_Addr).

(2) The alarm's AdditionalData class is extended with the important fields of the wireless frames transmitted over the WLAN, mainly MAC-frame information such as the Type field (Type), Subtype field (Subtype), To DS field (To_DS), From DS field (From_DS), More Fragments field (More_Flags), Retry field (Retry), Power Management field (Pwr_Mgt), More Data field (More_Data), WEP field (WEP), Order field (Order), Duration/ID field (Duration_ID), sequence number (Seq_Num) and fragment number (Frag_Num).

(3) The alarm's Analyzer class is extended with the wireless collector attributes specific to a distributed environment, mainly the type of collector that produced the alarm (Agent_Type), the identifier of that collector (Agent_ID), the collector's signature identifier (Agent_SID) and the alarm's sequence number among all alarms of that collector (Agent_CID).

Since the great majority of WLAN alarms arise from attacks on AP access points, the information about each AP needs to be set up uniformly and stored in a standardised format. For example, the storage format of an AP with SSID "wlan1", vendor TP-LINK, MAC address 00-19-E0-BE-1C-86, operating channel 6, transmission speed 54 Mb/s, signal strength 62%, encrypted transmission enabled with WEP as the encryption method, and IP address 192.168.1.1 is shown in Figure 3.

Step 2, alarm reduction

After the raw alarms have been formatted, they still need uniform reduction processing to eliminate redundant alarms and reduce the number of alarms.

The alarms that need to be reduced fall mainly into the following two classes:

(1) Irrelevant alarms: the wireless collector identifies an attack, but the attack does not apply to the actual wireless network environment, for example a WEP-cracking alarm raised against a WPA-encrypted AP.

(2) Duplicate alarms: these include alarms raised by different wireless collectors for the same attack source attacking the same target, and consecutive or periodic alarms of the same type raised by the same wireless collector.

The invention uses four attributes of an alarm together, namely time, space, attack type and target device information, to reduce the alarms and thereby remove irrelevant and duplicate alarms. First, the space, attack type and target device information attributes are used to remove irrelevant alarms; then the time, space and attack type attributes are used to remove duplicate alarms.

Figure 4 describes the specific alarm reduction process.

The first stage of alarm reduction is irrelevant alarm removal. For the formatted alarm data, the spatial characteristics of the WLAN environment, the attack type and the target device information are used to decide whether the alarm is relevant to the attack target; if it is not, the alarm is removed, otherwise it passes to the next stage, duplicate alarm removal.

The invention judges irrelevant alarms with an irrelevant alarm reduction method based on first-order predicate logic, which has three levels: data source, network environment and relevance result.

(1) Data source: the spatial characteristics are fully exploited to determine the type of wireless collector in the formatted alarm data, including alarm information produced by distributed wireless intrusion detection systems such as Snort-Wireless.

(2) Network environment: information about target devices such as AP access points and wireless terminals in the WLAN environment is obtained, including each AP's SSID, MAC address, vendor, whether encryption is enabled and the encryption method.

(3) Relevance result: combining the data source and network environment information, it is determined whether the attack type described by the alarm satisfies the conditions the attack requires, and the final result states whether the alarm is relevant.

The irrelevant alarm reduction method uses the following atomic predicate formulas (Formula 1):

$$\begin{aligned}
\text{Predicate 1}: &\ \mathrm{Alert\_Type}(\mathrm{SOURCE}, \mathrm{DESTINATION}) \\
\text{Predicate 2}: &\ \mathrm{Weakness\_Name}(\mathrm{DESTINATION}) \\
\text{Predicate 3}: &\ \mathrm{Device\_Information}(\mathrm{DESTINATION})
\end{aligned} \qquad \text{(Formula 1)}$$

Predicate 1 states that the type of attack launched by the attack source SOURCE against the target device DESTINATION is Alert_Type; predicate 2 states that the target device DESTINATION has the vulnerability Weakness_Name; predicate 3 states that the device information of the target device DESTINATION is Device_Information.

The specific judgement procedure of the irrelevant alarm reduction method is as follows:

(1) First define the set of wireless attack types $AT=\{at_1,\dots,at_i\}$, the set of wireless device vulnerabilities $WN=\{wn_1,\dots,wn_i\}$ and the set of wireless device information $DI=\{di_1,\dots,di_n\}$;

(2) The elements of the three sets are each represented by a logical combination of predicates 1, 2 and 3; each element takes a value in {1, 0}, where 1 means the predicate is TRUE and 0 means FALSE;

(3) An alarm relevance judgement function is then defined to decide whether a generated alarm is relevant to the target device, and its output is used for alarm reduction.

The alarm relevance judgement function is given in Formula 2:

(Formula 2)

Here at ∈ AT, wn ∈ WN and di ∈ DI. If the alarm relevance judgement function returns 0, that is, the attack type described by the alarm does not match the vulnerability information of the target device or does not match the target information, the alarm is irrelevant and is removed; if it returns 1, the alarm is passed on to the next step for the duplicate judgement.
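As an added illustration (not code from the patent), the irrelevance check described above in Python: the three predicates are evaluated against a constructed AP inventory, and the relevance function returns 0 for a WEP-cracking alarm aimed at a WPA2 AP or at an AP with no device information. The attack-type catalogue, the weakness names, the sensor name and every MAC address other than the page's 00-19-E0-BE-1C-86 are assumptions, and the attack-to-weakness mapping stands in for the page's unpublished Formula 2.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed catalogue: each wireless attack type (the set AT) mapped to the
# weakness (an element of WN) the target must have for the attack to apply.
# Names are illustrative assumptions, not values taken from the patent.
ATTACK_REQUIRES: Dict[str, str] = {
    "WEP_CRACK": "WEP_ENCRYPTION",
    "WPA_HANDSHAKE_CAPTURE": "WPA_PSK",
    "DEAUTH_FLOOD": "UNPROTECTED_MGMT_FRAMES",
}


@dataclass
class AccessPoint:
    """Device information (DI) for a target AP, mirroring the Target/AP class fields."""
    mac_addr: str
    ssid: str
    encryption: bool
    encrypt_type: str  # "WEP", "WPA", "WPA2" or "NONE"

    def weaknesses(self) -> Set[str]:
        """Derive this AP's weakness set WN from its configuration (assumed mapping)."""
        wn: Set[str] = set()
        if not self.encryption or self.encrypt_type == "NONE":
            wn.add("OPEN_NETWORK")
        elif self.encrypt_type == "WEP":
            wn.add("WEP_ENCRYPTION")
        elif self.encrypt_type in ("WPA", "WPA2"):
            wn.add("WPA_PSK")
        # The AP record carries no management-frame-protection flag, so assume
        # deauthentication frames are unprotected on every AP.
        wn.add("UNPROTECTED_MGMT_FRAMES")
        return wn


@dataclass
class Alert:
    """Formatted alarm; src_mac and dst_mac play the roles of SOURCE and DESTINATION."""
    sensor_id: str
    alert_type: str
    src_mac: str
    dst_mac: str
    timestamp: float


def predicate_alert_type(alert: Alert) -> bool:
    """Predicate 1: the attack SOURCE -> DESTINATION is of a known type in AT."""
    return alert.alert_type in ATTACK_REQUIRES


def predicate_weakness(ap: AccessPoint, weakness: str) -> bool:
    """Predicate 2: DESTINATION has the weakness Weakness_Name."""
    return weakness in ap.weaknesses()


def predicate_device_info(inventory: Dict[str, AccessPoint], dst_mac: str) -> Optional[AccessPoint]:
    """Predicate 3: DESTINATION has known device information; returns the record or None."""
    return inventory.get(dst_mac)


def relevant(alert: Alert, inventory: Dict[str, AccessPoint]) -> int:
    """Relevance judgement: 1 when the alarm's attack type matches the target's
    weakness and device information, 0 when the alarm is irrelevant."""
    if not predicate_alert_type(alert):
        return 0
    ap = predicate_device_info(inventory, alert.dst_mac)
    if ap is None:
        return 0  # no device information for the target: cannot be a relevant attack
    return 1 if predicate_weakness(ap, ATTACK_REQUIRES[alert.alert_type]) else 0


def remove_irrelevant(alerts: List[Alert], inventory: Dict[str, AccessPoint]) -> List[Alert]:
    """First reduction stage: keep only the alarms the relevance function accepts."""
    return [a for a in alerts if relevant(a, inventory) == 1]


# Constructed network environment: a WPA2 AP (made-up MAC) and the page's WEP AP "wlan1".
INVENTORY: Dict[str, AccessPoint] = {
    "00-11-22-33-44-55": AccessPoint("00-11-22-33-44-55", "office", True, "WPA2"),
    "00-19-E0-BE-1C-86": AccessPoint("00-19-E0-BE-1C-86", "wlan1", True, "WEP"),
}

# Constructed alarm stream from one collector "s1"; the attacker MAC is made up.
SAMPLE_ALERTS: List[Alert] = [
    Alert("s1", "WEP_CRACK", "DE-AD-BE-EF-00-01", "00-11-22-33-44-55", 100.0),  # WEP crack vs WPA2 AP
    Alert("s1", "WEP_CRACK", "DE-AD-BE-EF-00-01", "00-19-E0-BE-1C-86", 101.0),  # WEP crack vs WEP AP
    Alert("s1", "DEAUTH_FLOOD", "DE-AD-BE-EF-00-01", "AA-AA-AA-AA-AA-AA", 102.0),  # unknown target
    Alert("s1", "WPA_HANDSHAKE_CAPTURE", "DE-AD-BE-EF-00-01", "00-11-22-33-44-55", 103.0),
]

if __name__ == "__main__":
    for kept in remove_irrelevant(SAMPLE_ALERTS, INVENTORY):
        print("kept:", kept.alert_type, "->", kept.dst_mac)
```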

After irrelevant alarm processing has removed the irrelevant alarms that are invalid for the wireless network environment and the target devices, a large amount of duplicate alarm data still remains, including alarms of the same type repeatedly raised by the same collector within a period of time, and identical alarms output by different collectors for the same attack source attacking the same target. These duplicates make up a large proportion of the alarm data and would affect the efficiency and accuracy of subsequent attack intent identification, so they also need to be removed.

Definition 1. Given the set $A=\{a_1,\dots,a_n\}$ of all alarms produced by the different collectors, where each alarm is the five-tuple a = (sensorID, alertType, srcMAC, dstMAC, timestamp) in which sensorID identifies the collector, alertType is the alarm type, srcMAC and dstMAC are the source and target physical addresses, and timestamp is the time at which the alarm was raised, two alarms $a_i$ and $a_j$ are called duplicate alarms if they satisfy one of the following conditions.

(1) Condition 1: alarms $a_i$ and $a_j$ have the same sensorID, alertType, srcMAC and dstMAC, and $a_j$ is raised within a certain unit time $\Delta t_1$ after $a_i$ was output, where $\Delta t_1 = \mathit{timestamp}_j - \mathit{timestamp}_i$; alarms of this kind represent trending duplicate alarms produced by the same collector;

(2) Condition 2: alarms $a_i$ and $a_j$ have different sensorIDs but the same alertType, srcMAC and dstMAC, and are raised within a certain time interval $\Delta t_2$, where $\Delta t_2 = |\mathit{timestamp}_j - \mathit{timestamp}_i|$; alarms of this kind represent duplicate alarms produced by different collectors for the same attack.

The specific procedure of the duplicate alarm reduction method is as follows:

(1) First define the time interval thresholds $\Delta t_1$ and $\Delta t_2$; these can be set from the statistical mean observed in actual attack detection;

(2) For the alarm set A, cluster the alarms that have the same alertType, srcMAC and dstMAC, producing several clusters $A_i$;

(3) For a new alarm a that requires a duplicate judgement: if the alarm does not belong to any alarm cluster $A_i$, it is a new class of alarm and is added directly as an alarm cluster; if it belongs to some alarm cluster $A_i$, the alarm duplicate judgement function is applied to decide whether it is a duplicate;

(4) If the result is that the alarm is a duplicate, it is merged; otherwise the new alarm is added to the alarm cluster.

The function that judges whether an alarm a with the same alertType, srcMAC and dstMAC as a cluster is a duplicate is given in Formula 3:

$$\mathrm{redundant}(a \in A_i) = \begin{cases} 1, & (a.s \in A_i.S)\ \text{and}\ (a.t - A_i.t \le \Delta t_1) \\ 1, & (a.s \notin A_i.S)\ \text{and}\ (a.t - A_i.t \le \Delta t_2) \\ 0, & \text{otherwise} \end{cases} \qquad \text{(Formula 3)}$$

Here a.s is the sensorID of the collector that raised alarm a, a.t is the timestamp at which alarm a was raised, $A_i.S$ is the set of collectors that produced alarm cluster $A_i$, and $A_i.t$ is the timestamp of the most recent alarm in cluster $A_i$. If the alarm duplicate judgement function returns 1, the alarm is a duplicate, either a trending duplicate from the same collector or a duplicate for the same attack from a different collector; it is merged into the alarm cluster and the cluster's alarm timestamp is updated. If it returns 0, the alarm is not a duplicate and is added directly to the alarm cluster.
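An added Python implementation of the duplicate judgement (Formula 3) and the clustering procedure above, not code from the patent. The thresholds, sensor names and alarm stream are constructed (the target MAC is the page's example AP), and the rule that a collector joins $A_i.S$ whether its alarm was merged or added is an assumption the text does not spell out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Alert:
    """Alarm five-tuple of Definition 1."""
    sensor_id: str    # sensorID (a.s)
    alert_type: str   # alertType
    src_mac: str      # srcMAC
    dst_mac: str      # dstMAC
    timestamp: float  # timestamp in seconds (a.t)


@dataclass
class Cluster:
    """Alarm cluster A_i: all alarms sharing one (alertType, srcMAC, dstMAC)."""
    sensors: Set[str]            # A_i.S, collectors that contributed to the cluster
    latest: float                # A_i.t, timestamp of the newest alarm in the cluster
    alerts: List[Alert] = field(default_factory=list)  # alarms kept as distinct
    merged: int = 0              # duplicates folded into the cluster and discarded


ClusterKey = Tuple[str, str, str]


def redundant(a: Alert, cluster: Cluster, dt1: float, dt2: float) -> int:
    """Formula 3: 1 if alarm a is a duplicate with respect to cluster A_i, else 0."""
    gap = a.timestamp - cluster.latest  # a.t - A_i.t (alarms are fed in time order)
    if a.sensor_id in cluster.sensors and gap <= dt1:
        return 1  # condition 1: same collector, trending repeat within dt1
    if a.sensor_id not in cluster.sensors and gap <= dt2:
        return 1  # condition 2: another collector saw the same attack within dt2
    return 0


def reduce_duplicates(alerts: List[Alert], dt1: float, dt2: float):
    """Second reduction stage. Returns (alarms kept, clusters built).

    Alarms are processed in timestamp order so that a.t - A_i.t is never
    negative. Assumption: a collector joins A_i.S whether its alarm was merged
    or added, so its later repeats are judged under condition 1.
    """
    clusters: Dict[ClusterKey, Cluster] = {}
    kept: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.timestamp):
        key: ClusterKey = (a.alert_type, a.src_mac, a.dst_mac)
        cluster = clusters.get(key)
        if cluster is None:
            # Not in any A_i: a new class of alarm, so start a cluster for it.
            clusters[key] = Cluster({a.sensor_id}, a.timestamp, [a])
            kept.append(a)
            continue
        if redundant(a, cluster, dt1, dt2):
            cluster.merged += 1        # merge: the alarm itself is dropped
        else:
            cluster.alerts.append(a)   # distinct alarm, added to the cluster
            kept.append(a)
        cluster.sensors.add(a.sensor_id)
        cluster.latest = a.timestamp   # update A_i.t to the newest alarm
    return kept, clusters


# Constructed thresholds: 5 s for same-collector repeats, 2 s across collectors.
DT1, DT2 = 5.0, 2.0

# Constructed alarm stream; attacker MAC is made up, target MAC is the page's example AP.
SAMPLE_ALERTS: List[Alert] = [
    Alert("s1", "DEAUTH_FLOOD", "DE-AD-BE-EF-00-01", "00-19-E0-BE-1C-86", 0.0),   # first, kept
    Alert("s1", "DEAUTH_FLOOD", "DE-AD-BE-EF-00-01", "00-19-E0-BE-1C-86", 3.0),   # s1 repeat, 3 s <= dt1
    Alert("s2", "DEAUTH_FLOOD", "DE-AD-BE-EF-00-01", "00-19-E0-BE-1C-86", 4.0),   # s2 sees it, 1 s <= dt2
    Alert("s2", "DEAUTH_FLOOD", "DE-AD-BE-EF-00-01", "00-19-E0-BE-1C-86", 20.0),  # 16 s gap: kept
    Alert("s1", "WEP_CRACK", "DE-AD-BE-EF-00-01", "00-19-E0-BE-1C-86", 21.0),     # new cluster
    Alert("s3", "DEAUTH_FLOOD", "DE-AD-BE-EF-00-01", "00-19-E0-BE-1C-86", 23.0),  # new collector, 3 s > dt2
]

if __name__ == "__main__":
    kept, clusters = reduce_duplicates(SAMPLE_ALERTS, DT1, DT2)
    print(f"{len(SAMPLE_ALERTS)} alarms in, {len(kept)} kept, {len(clusters)} clusters")
```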

Step 3, alarm classification

The alarm reduction above removes the large number of irrelevant and duplicate alarms produced by the collectors. To achieve a better aggregation and identification result, alarm classification is then used to aggregate the alarms further, and the output takes the form of hyper-alerts (HyperAlert).

Hyper-alerts mainly consider four key attributes: alertType, srcMAC, dstMAC and timestamp. Within a given time window, we divide hyper-alerts into the following three classes:

(1) Type I hyper-alert: alarms with the same alertType, srcMAC and dstMAC attributes are grouped into one class, representing the same attack type carried out continuously by the same attack source against the same target;

(2) Type II hyper-alert: alarms with the same alertType and srcMAC but different dstMAC attributes are grouped into one class, representing the same attack type carried out by the same attack source against different targets;

(3) Type III hyper-alert: alarms with the same alertType and dstMAC but different srcMAC attributes are grouped into one class, representing the same attack type carried out by different attack sources against the same target.
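An added Python example, not from the patent, that groups a reduced alarm stream into the three hyper-alert classes above within a time window and emits each as sig_id(kind, SMAC, DMAC, EID, T). The alarms, the window length, the event IDs and the choice of the earliest alarm as the representative of each distinct target (or source) are assumptions; the MACs other than the page's 00-19-E0-BE-1C-86 are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import DefaultDict, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    event_id: int      # contributes to the EID set of a hyper-alert
    sensor_id: str
    alert_type: str    # sig_id
    src_mac: str
    dst_mac: str
    timestamp: float


@dataclass
class HyperAlert:
    """HA = sig_id(kind, SMAC, DMAC, EID, T)."""
    sig_id: str
    kind: int          # 1 = same source/same target, 2 = same source, 3 = same target
    smac: Set[str]
    dmac: Set[str]
    eid: Set[int]
    t: float           # timestamp of the first alarm a_1


def _hyper(kind: int, sig_id: str, alerts: List[Alert]) -> HyperAlert:
    return HyperAlert(sig_id, kind,
                      {a.src_mac for a in alerts}, {a.dst_mac for a in alerts},
                      {a.event_id for a in alerts}, min(a.timestamp for a in alerts))


def _classify_window(sig_id: str, seq: List[Alert]) -> List[HyperAlert]:
    """Build Type I/II/III hyper-alerts from the alarms of one sig_id inside one window."""
    out: List[HyperAlert] = []
    # Type I: same srcMAC and same dstMAC, at least two alarms
    pairs: DefaultDict[Tuple[str, str], List[Alert]] = defaultdict(list)
    for a in seq:
        pairs[(a.src_mac, a.dst_mac)].append(a)
    out += [_hyper(1, sig_id, g) for g in pairs.values() if len(g) >= 2]
    # Type II: same srcMAC, distinct dstMACs; the earliest alarm per target represents it
    by_src: DefaultDict[str, Dict[str, Alert]] = defaultdict(dict)
    for a in seq:
        by_src[a.src_mac].setdefault(a.dst_mac, a)
    out += [_hyper(2, sig_id, list(r.values())) for r in by_src.values() if len(r) >= 2]
    # Type III: same dstMAC, distinct srcMACs; the earliest alarm per source represents it
    by_dst: DefaultDict[str, Dict[str, Alert]] = defaultdict(dict)
    for a in seq:
        by_dst[a.dst_mac].setdefault(a.src_mac, a)
    out += [_hyper(3, sig_id, list(r.values())) for r in by_dst.values() if len(r) >= 2]
    return out


def classify(alerts: List[Alert], window: float) -> List[HyperAlert]:
    """Alarm classification step: group reduced alarms into hyper-alerts.

    Assumption: the window W_A for each alert type opens at that type's first
    unclassified alarm; alarms arriving more than `window` seconds after it
    start a new window instead of joining the current one.
    """
    by_type: DefaultDict[str, List[Alert]] = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.timestamp):
        by_type[a.alert_type].append(a)
    result: List[HyperAlert] = []
    for sig_id, seq in by_type.items():
        while seq:
            t0 = seq[0].timestamp
            inside = [a for a in seq if a.timestamp - t0 <= window]
            seq = seq[len(inside):]  # sorted, so the in-window alarms form a prefix
            result += _classify_window(sig_id, inside)
    return result


# Constructed alarm stream after reduction: two attackers, two APs, two attack types.
AP1, AP2 = "00-19-E0-BE-1C-86", "00-11-22-33-44-55"
ATK1, ATK2 = "DE-AD-BE-EF-00-01", "DE-AD-BE-EF-00-02"
SAMPLE_ALERTS: List[Alert] = [
    Alert(1, "s1", "DEAUTH_FLOOD", ATK1, AP1, 0.0),
    Alert(2, "s1", "DEAUTH_FLOOD", ATK1, AP1, 2.0),   # with #1: Type I
    Alert(3, "s1", "DEAUTH_FLOOD", ATK1, AP2, 3.0),   # with #1: Type II (same source, new target)
    Alert(4, "s2", "DEAUTH_FLOOD", ATK2, AP1, 4.0),   # with #1: Type III (new source, same target)
    Alert(5, "s1", "WEP_CRACK", ATK1, AP1, 5.0),
    Alert(6, "s1", "WEP_CRACK", ATK1, AP1, 40.0),     # outside a 10 s window of #5
]

if __name__ == "__main__":
    for h in classify(SAMPLE_ALERTS, 10.0):
        print(f"{h.sig_id}({h.kind}, {sorted(h.smac)}, {sorted(h.dmac)}, {sorted(h.eid)}, {h.t})")
```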

The definitions of these three classes of hyper-alert are as follows.

Definition 2. Alert time window $W_A$ (Alert Time Window). Suppose the first and last alarms describing the same attack are $a_1$ and $a_n$, and any alarm the attack produces between $a_1$ and $a_n$ is $a_j$, where $1<j<n$ and $a_1.\mathit{alertType}=a_j.\mathit{alertType}=\dots=a_n.\mathit{alertType}$. Then, for all $a_1, a_j, a_n \in A$, if the following condition is satisfied:

$$\mathrm{MIN}(a_j.\mathit{timestamp}-a_1.\mathit{timestamp}) \le W_A \le \mathrm{MAX}(a_n.\mathit{timestamp}-a_1.\mathit{timestamp})$$

then $W_A$ is called the alert time window for the alarm set A.

Definition 3. Type I hyper-alert $HA_{\mathrm{I}}$ (Hyper Alert I). Suppose all alarms in the alarm sequence $A=\langle a_1,\dots,a_j,\dots,a_n\rangle$ lie within the alert time window $W_A$, where $1<j<n$. For all $a_1, a_j, a_n \in A$, if the following conditions are satisfied:

$$a_1.\mathit{alertType}=\dots=a_j.\mathit{alertType}=\dots=a_n.\mathit{alertType}=\mathit{sig\_id}$$

$$a_1.\mathit{srcMAC}=\dots=a_j.\mathit{srcMAC}=\dots=a_n.\mathit{srcMAC},\quad \mathit{srcMAC}\in SMAC\ (1<j<n)$$

$$a_1.\mathit{dstMAC}=\dots=a_j.\mathit{dstMAC}=\dots=a_n.\mathit{dstMAC},\quad \mathit{dstMAC}\in DMAC\ (1<j<n)$$

then $HA_{\mathrm{I}}=\mathit{sig\_id}(1, SMAC, DMAC, EID, T)$ is called a Type I hyper-alert, where sig_id is a specific wireless attack type, SMAC is the set of attack source physical addresses, DMAC is the set of target physical addresses, EID is the set of event IDs that produced the attack alarms, and T is the timestamp at which the first alarm $a_1$ was raised.

Definition 4. Type II hyper-alert $HA_{\mathrm{II}}$ (Hyper Alert II). Suppose all alarms in the alarm sequence $A=\langle a_1,\dots,a_j,\dots,a_n\rangle$ lie within the alert time window $W_A$, where $1<j<n$. For all $a_1, a_j, a_n \in A$, if the following conditions are satisfied:

$$a_1.\mathit{alertType}=\dots=a_j.\mathit{alertType}=\dots=a_n.\mathit{alertType}=\mathit{sig\_id}$$

$$a_1.\mathit{srcMAC}=\dots=a_j.\mathit{srcMAC}=\dots=a_n.\mathit{srcMAC},\quad \mathit{srcMAC}\in SMAC\ (1<j<n)$$

$$a_1.\mathit{dstMAC}\ne\dots\ne a_j.\mathit{dstMAC}\ne\dots\ne a_n.\mathit{dstMAC},\quad \mathit{dstMAC}\in DMAC\ (1<j<n)$$

then $HA_{\mathrm{II}}=\mathit{sig\_id}(2, SMAC, DMAC, EID, T)$ is called a Type II hyper-alert, where sig_id, SMAC, DMAC, EID and T have the meanings given in Definition 3.

Definition 5. Type III hyper-alert $HA_{\mathrm{III}}$ (Hyper Alert III). Suppose all alarms in the alarm sequence $A=\langle a_1,\dots,a_j,\dots,a_n\rangle$ lie within the alert time window $W_A$, where $1<j<n$. For all $a_1, a_j, a_n \in A$, if the following conditions are satisfied:

a1.alertType=…=aj.alertType=…=an.alertType=sig_ida 1 .alertType=...=a j .alertType=...=a n .alertType=sig_id

a1.srcMAC≠…≠aj.srcMAC≠…≠an.srcMAC,srcMAC∈SMAC(1<j<n)a 1 .srcMAC≠…≠a j .srcMAC≠…≠a n .srcMAC, srcMAC∈SMAC(1<j<n)

a1.dstMAC=…=aj.dstMAC=…=an.dstMAC,dstMAC∈DMAC(1<j<n)a 1 .dstMAC=…=a j .dstMAC=…=a n .dstMAC, dstMAC∈DMAC(1<j<n)

则称HA=sig_id(3,SMAC,DMAC,EID,T)为第三类超告警,其中,sig_id、SMAC、DMAC、EID和T代表的含义也和定义3定义的相同。Then HA III =sig_id(3, SMAC, DMAC, EID, T) is called the third type of super alarm, wherein, the meanings represented by sig_id, SMAC, DMAC, EID and T are also the same as those defined in Definition 3.

本发明提出了一种针对WLAN无线网络攻击的超告警分类算法,算法的主要思想如下:在一定的告警时间窗口内,综合考虑告警类型、攻击源物理地址和目标物理地址等信息,并设置不同超告警的优先级(HA高于HA高于HA),实现将告警分类为三类超告警中的某一类。The present invention proposes a super-alarm classification algorithm for WLAN wireless network attacks. The main idea of the algorithm is as follows: within a certain alarm time window, comprehensively consider information such as alarm type, attack source physical address, and target physical address, and set different The priority of the super alarm (HA is higher than HA II is higher than HA ), and the alarm can be classified into one of the three types of super alarm.

超告警分类算法的具体步骤如下:The specific steps of the super-alarm classification algorithm are as follows:

(1)首先定义一个告警时间窗口WA内的告警序列WA(i,j),其中i和j分别代表开始告警和结束告警的标识cid;(1) First define an alarm sequence W A (i, j) within an alarm time window W A , where i and j represent the identifier cid of the start alarm and the end alarm respectively;

(2)设置超告警集合HA、HA和HA的初始化状态分别为空集合φ;(2) Set the initialization states of super-alarm sets HA , HA and HA to empty set φ respectively;

(3)当产生一条新告警ak时,针对是否满足HA、HA或HA超告警的特征,并按照HA高于HA高于HA的优先级顺序,将新告警ak分类到HA、HA或HA超告警。(3) When a new alarm a k is generated, according to whether it meets the characteristics of HA I , HA II or HA III , and according to the priority order of HA I higher than HA II higher than HA III , the new alarm a k Classify as HA I , HA II , or HA III hyperalarm.
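The classification procedure above, as an added example in Python (not code from the patent): alerts arrive in timestamp order and each is tested against the existing hyper alerts in the priority order HA_I, HA_II, HA_III, with W_A enforced against the first alert's timestamp T. The patent does not say how the first alert of an HA_II or HA_III comes into being; this example assumes that a lone HA_I sharing only the source (or only the target) of an otherwise unmatched alert is promoted to HA_II (or HA_III). The MAC addresses, alert types and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """Formatted alert after reduction (only the attributes the classifier uses)."""
    cid: int           # alert identifier cid; also the event ID stored in EID
    alert_type: str    # sig_id
    src_mac: str
    dst_mac: str
    timestamp: float   # seconds


@dataclass
class HyperAlert:
    """sig_id(kind, SMAC, DMAC, EID, T) from Definitions 3-5."""
    kind: int          # 1 = HA_I, 2 = HA_II, 3 = HA_III
    sig_id: str
    smac: Set[str]
    dmac: Set[str]
    eid: Set[int]
    t: float           # timestamp of the first alert a_1

    def absorb(self, a: Alert) -> None:
        self.smac.add(a.src_mac)
        self.dmac.add(a.dst_mac)
        self.eid.add(a.cid)


class HyperAlertClassifier:
    def __init__(self, window: float) -> None:
        self.window = window               # W_A
        self.hyper: List[HyperAlert] = []  # step (2): all three sets start empty

    def _same_window(self, ha: HyperAlert, a: Alert) -> bool:
        return a.alert_type == ha.sig_id and 0 <= a.timestamp - ha.t <= self.window

    def _fits(self, ha: HyperAlert, a: Alert) -> bool:
        if not self._same_window(ha, a):
            return False
        if ha.kind == 1:                 # HA_I: same source and same target
            return a.src_mac in ha.smac and a.dst_mac in ha.dmac
        if ha.kind == 2:                 # HA_II: same source, any target
            return a.src_mac in ha.smac
        return a.dst_mac in ha.dmac      # HA_III: same target, any source

    def classify(self, a: Alert) -> HyperAlert:
        """Step (3): place a_k into an HA_I, HA_II or HA_III, in that priority order."""
        for kind in (1, 2, 3):
            for ha in self.hyper:
                if ha.kind == kind and self._fits(ha, a):
                    ha.absorb(a)
                    return ha
        # Assumption (not stated in the patent): an HA_I with the same sig_id that
        # shares only the source becomes an HA_II, one that shares only the target
        # becomes an HA_III, and the new alert joins it.
        for ha in self.hyper:
            if ha.kind == 1 and self._same_window(ha, a):
                if a.src_mac in ha.smac:
                    ha.kind = 2
                    ha.absorb(a)
                    return ha
                if a.dst_mac in ha.dmac:
                    ha.kind = 3
                    ha.absorb(a)
                    return ha
        ha = HyperAlert(1, a.alert_type, {a.src_mac}, {a.dst_mac}, {a.cid}, a.timestamp)
        self.hyper.append(ha)
        return ha


# Constructed alert stream: one station deauthenticating three APs, two stations
# probing one AP, and a late repeat that falls outside the 60 s window.
ATTACKER = "02:aa:aa:aa:aa:01"
STATION_B = "02:bb:bb:bb:bb:02"
STATION_C = "02:cc:cc:cc:cc:03"
AP1, AP2, AP3 = "00:1a:2b:00:00:01", "00:1a:2b:00:00:02", "00:1a:2b:00:00:03"

SAMPLE_ALERTS = [
    Alert(1, "deauth_flood", ATTACKER, AP1, 0.0),
    Alert(2, "deauth_flood", ATTACKER, AP1, 5.0),
    Alert(3, "deauth_flood", ATTACKER, AP2, 8.0),
    Alert(4, "deauth_flood", ATTACKER, AP3, 10.0),
    Alert(5, "probe_request", STATION_B, AP1, 12.0),
    Alert(6, "probe_request", STATION_C, AP1, 15.0),
    Alert(7, "deauth_flood", ATTACKER, AP1, 200.0),
]


def summarize(alerts: List[Alert], window: float = 60.0) -> List[Tuple[int, str, int, int, int]]:
    """Return (kind, sig_id, |SMAC|, |DMAC|, |EID|) for every hyper alert produced."""
    clf = HyperAlertClassifier(window)
    for a in sorted(alerts, key=lambda x: x.timestamp):
        clf.classify(a)
    return [(h.kind, h.sig_id, len(h.smac), len(h.dmac), len(h.eid)) for h in clf.hyper]


if __name__ == "__main__":
    for row in summarize(SAMPLE_ALERTS):
        print(row)
```

With the 60 s window the seven alerts collapse to three hyper alerts: an HA_II (one source, three targets), an HA_III (two sources, one target) and a fresh HA_I for the late repeat.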

The beneficial effects of the present invention are as follows. The invention proposes a new WLAN wireless intrusion alert aggregation method that improves the alert format of the Intrusion Detection Message Exchange Format (IDMEF) with AP device information, applies uniform formatting to the raw alerts, then removes the irrelevant and duplicate alerts among them, and finally reduces them to three types of hyper alert. The method suits real WLAN environments; after aggregation it greatly reduces the number of irrelevant and duplicate alerts among the raw alerts and improves the performance of wireless intrusion detection.

Description of drawings

Figure 1 is the overall structure diagram of the WLAN wireless intrusion alert aggregation method proposed by the present invention;

Figure 2 is the class diagram of the Alert class of the IDMEF alert format after the improvement proposed by the present invention;

Figure 3 is the storage structure diagram of the wireless AP access point described by the present invention;

Figure 4 is the detailed process diagram of the alert reduction proposed by the present invention;

Figure 5 is the wireless network attack-and-defence experiment environment built for the implementation of the present invention;

Figure 6 compares the numbers of wireless alerts after the implementation of the present invention.

Detailed description of the embodiments

The present invention is further described below with reference to the accompanying drawings and embodiments. Although the invention is described in conjunction with preferred embodiments, it should be understood that this does not limit the invention to those embodiments. On the contrary, the invention covers the alternatives, modifications and equivalents that may fall within the scope of the invention as defined by the appended claims.

The embodiment of the present invention relates to a WLAN-oriented wireless intrusion alert aggregation method. The specific implementation steps are as follows:

Step 1. Building the implementation environment

We built a wireless network attack-and-defence experiment platform within the campus network. It consists of the following five parts:

(1) The campus WLAN environment, which covers the whole campus and uses open system authentication: clients associate without a password and then access the Internet through the campus unified identity authentication system.

(2) A WLAN environment built by the network attack-and-defence laboratory, comprising several AP access points configured with no encryption, WEP encryption or WPA encryption, and several legitimate terminals such as desktop and notebook computers fitted with wireless network cards; the access points and some of the terminals are connected directly to the campus wired LAN.

(3) The wireless collector environment, comprising a desktop computer with a USB wireless network card and a notebook computer with a built-in wireless chipset, both running Snort-Wireless; they capture the traffic of the wireless environment and output alerts.

(4) The simulated attack environment, comprising several notebook computers on which the BackTrack5 and Beini wireless attack toolkits are installed and configured, able to carry out mainstream wireless attacks such as wireless probing, WEP cracking, WPA cracking, spoofing, denial of service and session hijacking.

(5) The control centre environment, comprising several control servers responsible for wireless intrusion alert clustering and subsequent processing such as multi-step attack intention recognition.

The wireless network attack-and-defence experiment environment is shown in Figure 5.

Step 2. Attack data collection

Using this environment we ran a week-long attack test and data collection campaign, obtaining a large number of wireless packets and security alerts.

The attack test and data collection proceeded as follows:

(1) The wireless cards of the two collector computers were both set to monitor mode, Snort-Wireless was installed and configured, and wireless packets were captured continuously and comprehensively.

(2) Wireless attack tests were run from the simulated attack environment: the attackers used the tools integrated in the BackTrack5 and Beini platforms to attack the campus WLAN and the laboratory access points, with attack types including War Driving, DoS Attack, MAC Spoofing, Rogue AP, Evil Twin and WEP cracking.

(3) When a wireless collector captured packets matching a predefined attack type it output a raw alert, which was also saved to the control centre server. The great majority of these raw alerts originated from the simulated attack environment; a small number were external alerts not produced by it.

Step 3. Analysis of the implementation results

During the week-long attack test, the simulated attackers' use of various wireless attack tools against the WLAN caused the two wireless collectors to capture a huge number of wireless packets and generate a large amount of raw alert information: more than 100,000 raw alerts in total. Detailed statistics are given in Table 1.

Table 1 Statistics of the raw alerts

The alerts collected by the two wireless collectors contained a large number of duplicate alerts for the same attack behaviour, and each collector itself also produced many irrelevant alerts, for example WEP cracking alerts raised against access points in the campus WLAN that use open system authentication.

The statistics after alert reduction are shown in Table 2.

Table 2 Statistics of the alerts after reduction

As Table 2 shows, alert reduction removed a large amount of duplicate and irrelevant data: the number of alerts fell to about 25,000, the daily reduction rate over the 7 days ranged from 75.4% to 77.4%, and the average reduction rate was 76.5%.

The reduced alerts were then classified and aggregated into hyper alerts; the statistics after classification are shown in Table 3.

Table 3 Statistics of the alerts after classification

As Table 3 shows, alert classification again greatly reduced the number of alerts: 3204 hyper alerts were output in total, the classification rate ranged from 86.9% to 88.2%, and the average classification rate was 87.5%.

Over the attack test and data collection, 108903 raw alerts were collected in total; alert reduction left 25553 alerts, and alert classification then output 3204 hyper alerts.

Figure 6 compares the number of alerts before and after aggregation.

From these statistics the overall aggregation rate works out at 97.1%, which meets the preprocessing objective well and verifies that the WLAN-oriented wireless intrusion alert aggregation method proposed by the present invention is effective.

Claims (5)

1. A WLAN wireless intrusion alert aggregation method, characterised by comprising the following steps:

Step 1, alert formatting: the raw security alerts captured by an existing wireless intrusion detection system are first formatted; the alert format of the general Intrusion Detection Message Exchange Format (IDMEF) is improved by introducing wireless device information such as AP access points, specifically the AP's SSID, working channel, MAC address, signal strength, whether it is encrypted and its encryption mechanism, so that the alert reflects the characteristic information of the WLAN wireless environment;

Step 2, alert reduction: the alerts produced by a WLAN wireless intrusion detection system contain a large number of irrelevant and duplicate alerts; these are removed and reduced to improve the accuracy and reliability of alert analysis;

Step 3, alert classification: the alerts remaining after the removal of irrelevant and duplicate alerts are classified using characteristics such as the AP's SSID, the attack source's MAC address and the AP's MAC address, and the raw alerts are aggregated into hyper alerts, each corresponding to one class of security alert with clear attack behaviour characteristics, providing the precondition for subsequent intrusion prevention decisions.

2. The WLAN wireless intrusion alert aggregation method of claim 1, characterised in that the improvement of the general IDMEF alert format in step 1 is specifically as follows: the IDMEF alert format is extended with the following three classes of important information:

(1) An AP class is added to the alert's Target, describing the AP attributes specific to the WLAN environment, mainly the AP's physical address (MAC_Addr), SSID (SSID), BSSID (BSSID), vendor (Vendor), working channel (Channel), transmission speed (Speed), signal strength (Signal), whether encrypted (Encryption), encryption type (Encrypt_Type) and IP address (IP_Addr);

(2) The alert's AdditionalData class is extended with the important fields of the wireless frames transmitted over the WLAN, mainly the Type field (Type), Subtype field (Subtype), To DS field (To_DS), From DS field (From_DS), More Fragments field (More_Flags), Retry field (Retry), Power Management field (Pwr_Mgt), More Data field (More_Data), WEP field (WEP), Order field (Order), Duration/ID field (Duration_ID), sequence number (Seq_Num), fragment number (Frag_Num) and other MAC-frame information;

(3) The alert's Analyzer class is extended with the wireless collector attributes specific to a distributed environment, mainly the type of the collector that produced the alert (Agent_Type), the collector identifier (Agent_ID), the collector signature identifier (Agent_SID) and the sequence number of the alert among all alerts of that collector (Agent_CID).

3. The WLAN wireless intrusion alert aggregation method of claim 1, characterised in that step 2 comprises the following specific steps:

The alerts to be reduced fall mainly into two categories:

(1) Irrelevant alerts: the wireless collector identifies an attack behaviour, but the attack does not apply to the actual wireless network environment, for example a WEP cracking alert raised against a WPA-encrypted access point;

(2) Duplicate alerts: including alerts detected by different wireless collectors for the same attack source against the same target, and continuous, periodic alerts of the same type produced by one wireless collector;

The first stage of alert reduction is irrelevant alert removal: for the formatted alert data, the spatial characteristics of the WLAN environment, the attack type and the target device information are used to judge whether the alert is relevant to the attack target; if it is not, the alert is removed, otherwise it passes to the next stage, duplicate alert removal;

The present invention uses an irrelevant alert reduction method based on first-order predicate logic to judge irrelevant alerts; the method has three layers: data source, network environment and relevance result;

(1) Data source: spatial characteristics are used to determine the type of wireless collector behind the formatted alert data, covering alerts produced by distributed wireless intrusion detection systems such as Snort-Wireless;

(2) Network environment: information on the target devices in the WLAN environment, such as AP access points and wireless terminals, is obtained, including the access point's SSID, MAC address, vendor, whether it is encrypted and its encryption type;

(3) Relevance result: combining the data source and network environment information, it is judged whether the attack type described by the alert meets the conditions the attack requires, and the final result of whether the alert is relevant is produced;

The irrelevant alert reduction method uses the following atomic predicate formulas (Formula 1):

Predicate 1: Alert_Type(SOURCE, DESTINATION)
Predicate 2: Weakness_Name(DESTINATION)
Predicate 3: Device_Information(DESTINATION)    (Formula 1)

Predicate 1 states that the attack type launched by attack source SOURCE against target device DESTINATION is Alert_Type; predicate 2 states that target device DESTINATION has the vulnerability Weakness_Name; predicate 3 states that the device information of target device DESTINATION is Device_Information;

The judgment process of the irrelevant alert reduction method is as follows:

(1) First define the set of wireless attack types AT = {at_1, ..., at_i}, the set of wireless device vulnerabilities WN = {wn_1, ..., wn_i} and the set of wireless device information DI = {di_1, ..., di_n};

(2) The elements of the three sets are expressed as logical combinations of predicate 1, predicate 2 and predicate 3; each element takes a value in {1, 0}, where 1 means the predicate is TRUE and 0 means it is FALSE;

(3) An alert relevance judgment function is then defined, which judges whether a generated alert is relevant to the target device and outputs the result for alert reduction;

The alert relevance judgment function is given by Formula 2:

(Formula 2)

where at ∈ AT, wn ∈ WN, di ∈ DI. If the alert relevance judgment function returns 0, i.e. the attack type described by the alert does not match the vulnerability information of the target device or does not match the target device information, the alert is irrelevant and is removed; if it returns 1, the alert is passed to the next step for the duplicate judgment;

After the irrelevant alert processing, duplicate alerts are removed;

Definition 1. Given the set A = {a_1, ..., a_n} of all alerts produced by the different collectors, where an alert a is the five-tuple a = (sensorID, alertType, srcMAC, dstMAC, timestamp), in which sensorID identifies the collector, alertType is the alert type, srcMAC and dstMAC are the source and target physical addresses, and timestamp is the time at which the alert was generated, two alerts a_i and a_j are called duplicate alerts if they satisfy either of the following conditions;

(1) Condition 1: a_i and a_j have the same sensorID, alertType, srcMAC and dstMAC, and a_j is generated within a unit time Δt1 after a_i is output, where Δt1 = timestamp_j − timestamp_i; such alerts represent trending duplicate alerts produced by one collector;

(2) Condition 2: a_i and a_j have different sensorIDs but the same alertType, srcMAC and dstMAC, and are generated within a time interval Δt2, where Δt2 = |timestamp_j − timestamp_i|; such alerts represent duplicate alerts for the same attack behaviour produced by different collectors;

The duplicate alert reduction method proceeds as follows:

(1) First define the time interval thresholds Δt1 and Δt2, which can be set from the statistical mean of actual attack detection;

(2) For the alert set A, cluster the alerts having the same alertType, srcMAC and dstMAC, producing a number of clusters A_i;

(3) For a new alert a requiring the duplicate judgment, if the alert belongs to no cluster A_i it is a new kind of alert and is added directly as a new cluster; if it belongs to some cluster A_i, the duplicate judgment function is applied to decide whether it is a duplicate;

(4) If the result is that the alert is a duplicate, it is merged; otherwise the new alert is added to the cluster;

The duplicate judgment function for an alert a sharing alertType, srcMAC and dstMAC with cluster A_i is Formula 3:

redundant(a ∈ A_i) =
  1, if (a.s ∈ A_i.S) and (a.t − A_i.t ≤ Δt1)
  1, if (a.s ∉ A_i.S) and (a.t − A_i.t ≤ Δt2)
  0, otherwise    (Formula 3)

where a.s is the sensorID of the collector that produced alert a, a.t is the timestamp of alert a, A_i.S is the set of collectors that produced cluster A_i, and A_i.t is the timestamp of the most recently generated alert in cluster A_i. If the duplicate judgment function returns 1, the alert is a duplicate, either a trending duplicate produced by the same collector or a duplicate of the same attack produced by a different collector; it is merged into the cluster and the cluster's alert timestamp is updated. If it returns 0, the alert is not a duplicate and is added directly to the cluster.

4. The WLAN wireless intrusion alert aggregation method of claim 1, characterised in that step 3 comprises the following specific steps:

Alert classification is used to aggregate the alerts further, and the result is output in the form of hyper alerts;

A hyper alert mainly considers four key attributes: alertType, srcMAC, dstMAC and timestamp. Within a given time window, hyper alerts are divided into the following three types:

(1) Hyper alert I: alerts with the same alertType, srcMAC and dstMAC attributes are grouped into one class, representing the same attack type carried out continuously by one attack source against one target;

(2) Hyper alert II: alerts with the same alertType and srcMAC but different dstMAC attributes are grouped into one class, representing the same attack type carried out by one attack source against different targets;

(3) Hyper alert III: alerts with the same alertType and dstMAC but different srcMAC attributes are grouped into one class, representing the same attack type carried out by different attack sources against one target;

The definitions relating to these three types of hyper alert are as follows;

Definition 2 (Alert Time Window, W_A). Suppose the first and last alerts describing the same attack behaviour are a_1 and a_n respectively, and any alert produced by that attack between a_1 and a_n is a_j, where 1<j<n and a_1.alertType = a_j.alertType = … = a_n.alertType. Then, for all a_1, a_j, a_n ∈ A, if the following condition holds:

MIN(a_j.timestamp − a_1.timestamp) ≤ W_A ≤ MAX(a_n.timestamp − a_1.timestamp)

W_A is called the alert time window for the alert set A;

Definition 3 (Hyper Alert I, HA_I). Suppose all alerts in the alert sequence A = <a_1, …, a_j, …, a_n> lie within the alert time window W_A, where 1<j<n. For all a_1, a_j, a_n ∈ A, if the following conditions hold:

a_1.alertType = … = a_j.alertType = … = a_n.alertType = sig_id

a_1.srcMAC = … = a_j.srcMAC = … = a_n.srcMAC, srcMAC ∈ SMAC (1<j<n)

a_1.dstMAC = … = a_j.dstMAC = … = a_n.dstMAC, dstMAC ∈ DMAC (1<j<n)

then HA_I = sig_id(1, SMAC, DMAC, EID, T) is called a hyper alert of the first type, where sig_id is one specific wireless attack type, SMAC is the set of attack-source physical addresses, DMAC is the set of target physical addresses, EID is the set of event IDs of the alerts that make up the attack alert, and T is the timestamp of the first alert a_1;

Definition 4 (Hyper Alert II, HA_II). Suppose all alerts in the alert sequence A = <a_1, …, a_j, …, a_n> lie within the alert time window W_A, where 1<j<n. For all a_1, a_j, a_n ∈ A, if the following conditions hold:

a_1.alertType = … = a_j.alertType = … = a_n.alertType = sig_id

a_1.srcMAC = … = a_j.srcMAC = … = a_n.srcMAC, srcMAC ∈ SMAC (1<j<n)

a_1.dstMAC ≠ … ≠ a_j.dstMAC ≠ … ≠ a_n.dstMAC, dstMAC ∈ DMAC (1<j<n)

then HA_II = sig_id(2, SMAC, DMAC, EID, T) is called a hyper alert of the second type, where sig_id, SMAC, DMAC, EID and T have the meanings given in Definition 3;

Definition 5 (Hyper Alert III, HA_III). Suppose all alerts in the alert sequence A = <a_1, …, a_j, …, a_n> lie within the alert time window W_A, where 1<j<n. For all a_1, a_j, a_n ∈ A, if the following conditions hold:

a_1.alertType = … = a_j.alertType = … = a_n.alertType = sig_id

a_1.srcMAC ≠ … ≠ a_j.srcMAC ≠ … ≠ a_n.srcMAC, srcMAC ∈ SMAC (1<j<n)

a_1.dstMAC = … = a_j.dstMAC = … = a_n.dstMAC, dstMAC ∈ DMAC (1<j<n)

then HA_III = sig_id(3, SMAC, DMAC, EID, T) is called a hyper alert of the third type, where sig_id, SMAC, DMAC, EID and T again have the meanings given in Definition 3.

5. The WLAN wireless intrusion alert aggregation method of claim 4, characterised in that the specific steps of the hyper-alert classification algorithm are as follows:

(1) First define the alert sequence W_A(i, j) within an alert time window W_A, where i and j are the identifiers (cid) of the first and last alerts of the sequence;

(2) Initialise the hyper-alert sets HA_I, HA_II and HA_III to the empty set φ;

(3) When a new alert a_k is produced, test whether it has the characteristics of an HA_I, HA_II or HA_III hyper alert, in the priority order HA_I above HA_II above HA_III, and classify a_k into the HA_I, HA_II or HA_III hyper alert accordingly.
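The duplicate judgment of claim 3 (Definition 1 and Formula 3), as an added example in Python rather than the patent's own code: alerts are clustered by (alertType, srcMAC, dstMAC), and redundant() applies Δt1 to an alert from a collector already in A_i.S and Δt2 to an alert from a collector not yet in it, measured against A_i.t. Alerts are processed in timestamp order so the gap equals |timestamp_j − timestamp_i|; the thresholds, collector names and alert records are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """Alert five-tuple a = (sensorID, alertType, srcMAC, dstMAC, timestamp)."""
    sensor_id: str
    alert_type: str
    src_mac: str
    dst_mac: str
    timestamp: float   # seconds


@dataclass
class Cluster:
    """A_i: the alerts sharing one alertType, srcMAC and dstMAC."""
    sensors: Set[str]   # A_i.S, collectors that have contributed to the cluster
    last_t: float       # A_i.t, timestamp of the newest alert in the cluster
    merged: int = 0     # duplicates folded into the cluster


def redundant(a: Alert, cluster: Cluster, dt1: float, dt2: float) -> int:
    """Formula 3: 1 if alert a duplicates the cluster's latest alert, else 0."""
    gap = a.timestamp - cluster.last_t
    if a.sensor_id in cluster.sensors and gap <= dt1:
        return 1   # condition 1: trending repeat from a collector already in A_i.S
    if a.sensor_id not in cluster.sensors and gap <= dt2:
        return 1   # condition 2: a different collector reporting the same attack
    return 0


ClusterKey = Tuple[str, str, str]


def reduce_duplicates(alerts: List[Alert], dt1: float, dt2: float
                      ) -> Tuple[List[Alert], Dict[ClusterKey, Cluster]]:
    """Steps (2)-(4) of the duplicate alert reduction: returns the alerts kept
    after merging, plus the clusters A_i keyed by (alertType, srcMAC, dstMAC)."""
    clusters: Dict[ClusterKey, Cluster] = {}
    kept: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.timestamp):
        key = (a.alert_type, a.src_mac, a.dst_mac)
        c = clusters.get(key)
        if c is None:                      # a new kind of alert: open a cluster, keep it
            clusters[key] = Cluster({a.sensor_id}, a.timestamp)
            kept.append(a)
            continue
        if redundant(a, c, dt1, dt2):      # duplicate: merge into the cluster
            c.merged += 1
        else:                              # not a duplicate: keep it as a new cluster member
            kept.append(a)
        c.sensors.add(a.sensor_id)         # either way A_i.S and A_i.t are refreshed
        c.last_t = a.timestamp
    return kept, clusters


# Constructed sample: two collectors watching one WEP-cracking attempt against one AP,
# followed by an unrelated probe alert.
S1, S2 = "collector-desktop", "collector-laptop"
ATTACKER, AP = "02:aa:aa:aa:aa:01", "00:1a:2b:00:00:01"
SAMPLE_ALERTS = [
    Alert(S1, "wep_crack", ATTACKER, AP, 0.0),
    Alert(S2, "wep_crack", ATTACKER, AP, 0.5),    # same attack seen by the second collector
    Alert(S1, "wep_crack", ATTACKER, AP, 3.0),    # periodic repeat from the first collector
    Alert(S1, "wep_crack", ATTACKER, AP, 20.0),   # beyond dt1: a new attack episode, kept
    Alert(S2, "wep_crack", ATTACKER, AP, 24.0),   # S2 now in A_i.S, so judged with dt1
    Alert(S1, "probe_request", "02:bb:bb:bb:bb:02", AP, 24.5),  # different cluster, kept
]


if __name__ == "__main__":
    kept, clusters = reduce_duplicates(SAMPLE_ALERTS, dt1=5.0, dt2=2.0)
    print(len(SAMPLE_ALERTS), "raw ->", len(kept), "kept")
    for key, c in clusters.items():
        print(key, "merged", c.merged, "collectors", sorted(c.sensors))
```

With Δt1 = 5 s and Δt2 = 2 s the six sample alerts reduce to three; tightening Δt2 below the 0.5 s gap between the two collectors keeps the second collector's first alert as well.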
CN201410238569.1A 2014-05-30 2014-05-30 WLAN wireless invasive Alert aggregation methods Active CN104009870B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410238569.1A CN104009870B (en) 2014-05-30 2014-05-30 WLAN wireless invasive Alert aggregation methods

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410238569.1A CN104009870B (en) 2014-05-30 2014-05-30 WLAN wireless invasive Alert aggregation methods

Publications (2)

Publication Number Publication Date
CN104009870A true CN104009870A (en) 2014-08-27
CN104009870B CN104009870B (en) 2017-03-15

Family

ID=51370366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410238569.1A Active CN104009870B (en) 2014-05-30 2014-05-30 WLAN wireless invasive Alert aggregation methods

Country Status (1)

Country Link
CN (1) CN104009870B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7849185B1 (en) * 2006-01-10 2010-12-07 Raytheon Company System and method for attacker attribution in a network security system
CN101562537A (en) * 2009-05-19 2009-10-21 华中科技大学 Distributed self-optimized intrusion detection alarm associated system
CN101778112A (en) * 2010-01-29 2010-07-14 中国科学院软件研究所 Network attack detection method

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104880056A (en) * 2015-06-23 2015-09-02 湖州师范学院 Safety control method based on snort for wood drying
CN104880056B (en) * 2015-06-23 2017-12-08 湖州师范学院 The method of controlling security of the drying of wood based on snort
CN105207822A (en) * 2015-10-14 2015-12-30 国网四川省电力公司信息通信公司 Electric power communication equipment alarm information processing method and device
CN106658509A (en) * 2016-10-31 2017-05-10 迈普通信技术股份有限公司 Countering method and equipment for invalid wireless access points and wireless local area network
CN106658509B (en) * 2016-10-31 2020-02-04 迈普通信技术股份有限公司 Method and equipment for countering illegal wireless access point and wireless local area network
CN106899435A (en) * 2017-02-21 2017-06-27 浙江大学城市学院 A kind of complex attack identification technology towards wireless invasive detecting system
CN106899435B (en) * 2017-02-21 2019-10-29 浙江大学城市学院 A kind of complex attack recognition methods towards wireless invasive detection system
CN110136406A (en) * 2019-05-28 2019-08-16 上海闻泰信息技术有限公司 Abnormal prompt device and method for common equipment
CN112087465A (en) * 2020-09-17 2020-12-15 北京微步在线科技有限公司 A method and device for determining threat events based on aggregated information
CN112200603A (en) * 2020-09-25 2021-01-08 微梦创科网络科技(中国)有限公司 An alarm method and system for social advertisement placement
CN113438653A (en) * 2021-06-01 2021-09-24 紫光华山科技有限公司 Equipment classification method and device

Also Published As

Publication number Publication date
CN104009870B (en) 2017-03-15

Similar Documents

Publication Publication Date Title
CN104009870B (en) WLAN wireless invasive Alert aggregation methods
Latha et al. Deauthentication Attack Detection in the Wi-Fi network by Using ML Techniques
Agarwal et al. An efficient scheme to detect evil twin rogue access point attack in 802.11 Wi-Fi networks
Lu et al. Research on WiFi penetration testing with Kali Linux
US7971253B1 (en) Method and system for detecting address rotation and related events in communication networks
CN101800989B (en) Anti-replay-attack system for industrial wireless network
CN108289088A (en) Abnormal traffic detection system and method based on business model
WO2016086763A1 (en) Wireless access node detecting method, wireless network detecting system and server
CN101631026A (en) Method and device for defending against denial-of-service attacks
CN107197456A (en) A kind of client-based identification puppet AP detection method and detection means
US20140344931A1 (en) Systems and methods for extracting cryptographic keys from malware
Lu et al. SLFAT: Client‐Side Evil Twin Detection Approach Based on Arrival Time of Special Length Frames
Alsadhan et al. Detecting NDP distributed denial of service attacks using machine learning algorithm based on flow-based representation
Choi et al. Wireless intrusion prevention system using dynamic random forest against wireless MAC spoofing attack
CN105471879B (en) Novel based on rough set prevents wireless disassociation frame DoS attack method
Gu et al. Null data frame: A double-edged sword in IEEE 802.11 WLANs
Lu et al. Client-side evil twin attacks detection using statistical characteristics of 802.11 data frames
Nie et al. Intrusion detection using a graphical fingerprint model
Meng et al. Building a wireless capturing tool for WiFi
CN102164140A (en) Method for intrusion detection based on negative selection and information gain
Chen et al. An intelligent WLAN intrusion prevention system based on signature detection and plan recognition
Ratnayake et al. An intelligent approach to detect probe request attacks in IEEE 802.11 networks
Lu A position self-adaptive method to detect fake access points
US11997133B2 (en) Algorithmically detecting malicious packets in DDoS attacks
Al-Sarawi et al. Unweighted Voting Method to Detect Sinkhole Attack in RPL-Based Internet of Things Networks.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant