
A framework for signal strength based intrusion detection system for link layer attacks in wireless network.



Abstract

Although a wireless local area network is claimed to be as secure as a wired network after the deployment of the WiFi Protected Access (WPA) protocol, a WiFi network remains vulnerable to low-layer attacks because medium access control (MAC) management messages are unprotected. Such attacks include MAC address spoofing, session hijacking, rogue access points (APs) and various lower-layer denial-of-service (DoS) attacks. Since it has been proved that the received signal strength (RSS) value of a received packet is strongly related to the physical location of the sender, we designed an RSS-based network intrusion detection system (NIDS) framework for MAC layer attack detection. Most attacks that exploit MAC layer vulnerabilities can be detected by comparing the location of an attacker with the location of victim nodes. The core of the NIDS framework is an RSS-based localization model built on the quadratic discriminant analysis (QDA) data mining algorithm. QDA was chosen based on the analysis of a simulation of three data mining algorithms: linear discriminant analysis (LDA), QDA, and classification tree.

To address the relatively high error of the RSS-based localization model, which is also a problem of RSS-based localization methods in other research, we designed an enhancement method based on signalprints. For a network where the separation distance between any neighboring nodes is larger than 2.4 meters, the enhanced localization model can distinguish each node with nearly zero error.

Our RSS-based NIDS focuses on MAC address spoofing attacks. Detecting MAC spoofing attacks is very important because it protects the network from further identity-based attacks and MAC layer DoS attacks. The localization capability can also be used to take effective action after attacks. For the detection of MAC address spoofing, our simulation shows that the NIDS achieves a 99.2 percent true positive rate (TPR) and a 0.4 percent false positive rate (FPR) when the separation distance between any neighboring nodes is larger than 2.4 meters.

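Bibliographic record

  • Author

    Li, Chen Guang.

  • Author affiliation

    Carleton University (Canada).

  • Degree-granting institution: Carleton University (Canada).
  • Subject: Computer Science.
  • Degree: M.Sc.
  • Year: 2008
  • Pages: 83 p.
  • Total pages: 83
  • Original format: PDF
  • Language of text: eng
  • Chinese Library Classification: Automation technology, computer technology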