Use this URL to cite or link to this record in EThOS:
Title: An investigation into MAC layer frame clustering for wirelass LAN intrusion detection.
Author: Zhou, Wenzhe
ISNI:       0000 0001 3577 7352
Awarding Body: Queens -Belfast
Current Institution: Queen's University Belfast
Date of Award: 2006
Availability of Full Text:
Full text unavailable from EThOS.
Please contact the current institution’s library for further details.
The proliferation of wireless networks has today made security a major concern in the design and operation of these networks. The most popular wireless local area networks (WLANs) are those confonning to the IEEE 802.11 WLAN standards. However, research has shown that there are many vulnerabilities that exist in the wireless MAC layer of these networks that provide opportunities for malicious hackers. Identification of~ttacks occurring inside WLANs is therefore critical to their future developme.nt. This thesis aims at developing a novel MAC frame clustering scheme to solve this problem. This approach is based on the observation that when active events occurs in wireless networks, for example, scanning, joining, and attacking, the management traffic pattern in the MAC layer will be impacted. By analyzing these impacts, MAC layer attacks can be observed and recognized. The methodology involved in this research is machine learning, and a major contribution ofthe work is the classification of attack patterns through observation ofmanagement traffic clusters. The work firstly clusters the MAC management frames into groups which represent corresponding events. For each specific cluster, or event, there are unique patterns. Throug];1/recognizing the patterns of the cluster, attacking clusters can be classified into known categories. The thesis proposes the· above theory and applies it to a MAC layer Intrusion Detection System (IDS) for 802.11 Wireless LANs. This is the first time that a MAC layer IDS has been based on this technique. The IDS consists of six functions: a Traffic Filtration Function (TFF), a Management Traffic Clustering Function (MTCF), an Information Filtration Function (IFF), a First Level Classification (FLC), a Cluster Infonnation Management Function (CIMF) and a Second Level Classification (SLC). The TFF filters the MAC layer management frames and certain information from the filtered frames will be stored in the IFF. The MTCF then clusters the rest of the management frames. A novel clustering algorithm based on a sliding window approach is developed for the MTCF. A two-level classification structure is designed to recognize the cluster types. This two-level structure ensures that the IDS is able to detect unknown pattern attacks and helps decrease system false alarms. The FLC decides whether a cluster represents an abnonnal event based on the content value of the cluster (CCV) and beacon infonnation. When there is an abnonnal event, theSLC is then executed in order to determine the category of the attack according to known patterns. The work has analyzed a variety of 802.11 WLAN MAC layer active attacks and selected thirteen features for classifying the clusters. Support Vector Machine is used as the classification approach. Data captured from the real network test bed are tested on the IDS and the results show high accuracy of detection. The work presented in this thesis is applied in the 802.11 WLANs, however the underlying principles can be applIed to other wireless networks.
Supervisor: Not available Sponsor: Not available
Qualification Name: Queens -Belfast, 2006 Qualification Level: Doctoral
EThOS ID:  DOI: Not available