A wireless multi-step attack pattern recognition method for WLAN
Published in | Expert systems with applications Vol. 41; no. 16; pp. 7068 - 7076 |
---|---|
Main Authors | Chen, Guanlin; Zhang, Yujia; Wang, Can |
Format | Journal Article |
Language | English |
Published | Amsterdam: Elsevier Ltd, 15.11.2014 |
Abstract | •We propose a novel wireless multi-step attack pattern recognition method.•Hyper alerts are defined to improve the recognition of wireless multi-step attacks.•The correlation between two alerts is uncovered by wireless alert correlativity.•The method can effectively identify typical wireless multi-step attack patterns.
Intrusion detection and prevention technology has been broadly applied to wired networks as an important means of protecting network security. However, little work in this area has been extended to the WLAN. In this paper, we propose a wireless multi-step attack pattern recognition method (WMAPRM) based on correlation analysis of the main attributes of the IEEE 802.11 frame. The method consists of six steps: clustering wireless intrusion alerts, constructing a global attack database, building candidate attack chains, filtering candidate attack chains, correlating multi-step attack behaviors and recognizing multi-step attack patterns. Experimental results in a real-world environment show that WMAPRM is capable of identifying highly correlated multi-step attack patterns such as WEP crack with ARP+Deauthentication Flood, WEP crack with wesside-ng, config file stealing attack and authentication session hijack attack. The method is expected to improve both wireless intrusion detection and prevention performance in practical WLAN security scenarios. |
---|---|
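The six-step pipeline named in the abstract, worked through on constructed 802.11 IDS alerts. This is an added illustrative example, not the authors' WMAPRM implementation: the paper's clustering rule, correlativity formula, attribute weights, thresholds and pattern templates are not given on this page, so the alert kind names (FAKE_AUTH, DEAUTH_FLOOD, ARP_REPLAY, PROBE_FLOOD), the MAC addresses, the 2 s clustering gap, the weights and 120 s window in `correlativity`, the 0.6 threshold and the `PATTERNS` table are all assumptions made for the demonstration.

```python
from collections import namedtuple
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Alert:            # one IDS alert derived from a captured 802.11 frame
    ts: float           # capture time, seconds
    kind: str           # signature name (assumed names, not the paper's)
    src: str            # transmitter MAC (802.11 Address 2)
    dst: str            # receiver MAC (802.11 Address 1)
    bssid: str          # BSSID of the cell the frame belongs to
    channel: int


# A hyper alert is a burst of alerts that share every frame attribute.
HyperAlert = namedtuple("HyperAlert", "kind src dst bssid channel start end count")


def cluster_alerts(alerts, gap=2.0):
    """Steps 1-2: merge same-attribute alerts arriving within `gap` seconds into
    hyper alerts; the time-ordered result serves as the global attack database."""
    attrs = lambda a: (a.kind, a.src, a.dst, a.bssid, a.channel)
    hyper = []
    for key, grp in groupby(sorted(alerts, key=lambda a: (attrs(a), a.ts)), key=attrs):
        cur = None
        for a in grp:
            if cur is not None and a.ts - cur.end <= gap:
                cur = HyperAlert(*key, start=cur.start, end=a.ts, count=cur.count + 1)
            else:
                if cur is not None:
                    hyper.append(cur)
                cur = HyperAlert(*key, start=a.ts, end=a.ts, count=1)
        hyper.append(cur)
    return sorted(hyper, key=lambda h: h.start)


def correlativity(a, b, window=120.0):
    """Assumed wireless alert correlativity in [0, 1]: how strongly hyper alert
    `a` looks like the step before `b` (same cell, same channel, a shared
    station address, and closeness in time). Weights are illustrative."""
    if not (a.start < b.start and b.start - a.end <= window):
        return 0.0
    score = 0.4 * (a.bssid == b.bssid) + 0.1 * (a.channel == b.channel)
    score += 0.3 * bool({a.src, a.dst} & {b.src, b.dst})      # a station reappears
    score += 0.2 * (1 - max(0.0, b.start - a.end) / window)   # closer in time scores higher
    return round(score, 3)


def candidate_links(db, threshold=0.6):
    """Steps 3-4: every ordered pair is a candidate link; keep those scoring above threshold."""
    links = []
    for i, a in enumerate(db):
        for j, b in enumerate(db):
            s = correlativity(a, b)          # a pair with itself scores 0.0
            if s >= threshold:
                links.append((i, j, s))
    return links


def correlate(db, links):
    """Step 5: walk links forward from chain heads (nothing points to them) and
    keep only maximal chains, dropping any chain that is a sub-chain of another."""
    succ, has_pred, chains = {}, set(), []
    for i, j, _ in links:
        succ.setdefault(i, []).append(j)
        has_pred.add(j)

    def walk(path):
        nxt = [j for j in succ.get(path[-1], []) if j not in path]
        if not nxt:
            chains.append(path)
        for j in nxt:
            walk(path + [j])

    for i in succ:
        if i not in has_pred:
            walk([i])
    return [c for c in chains if not any(set(c) < set(d) for d in chains)]


# Assumed templates: ordered alert kinds -> pattern name used in the abstract.
PATTERNS = {
    ("FAKE_AUTH", "DEAUTH_FLOOD", "ARP_REPLAY"): "WEP crack with ARP+Deauthentication Flood",
}


def recognize(alerts):
    """Step 6 on top of steps 1-5: returns (attack database, maximal chains, pattern names)."""
    db = cluster_alerts(alerts)
    chains = correlate(db, candidate_links(db))
    names = [PATTERNS.get(tuple(db[i].kind for i in c), "unrecognized sequence") for c in chains]
    return db, chains, names


# Constructed sample (made-up addresses): fake authentication, a deauth flood that
# spoofs the AP's own address, then ARP replay injection, all in one cell, plus
# unrelated probe-request noise against another AP on a different channel.
AP, CLIENT, ATTACKER = "00:11:22:33:44:55", "CC:CC:CC:00:00:01", "AA:BB:CC:DD:EE:FF"
SAMPLE = (
    [Alert(0.0, "FAKE_AUTH", ATTACKER, AP, AP, 6)]
    + [Alert(5.0 + 0.1 * i, "DEAUTH_FLOOD", AP, CLIENT, AP, 6) for i in range(30)]
    + [Alert(10.0 + 0.5 * i, "ARP_REPLAY", ATTACKER, AP, AP, 6) for i in range(40)]
    + [Alert(12.0 + 0.3 * i, "PROBE_FLOOD", "DE:AD:BE:EF:00:01", "FF:FF:FF:FF:FF:FF",
             "66:77:88:99:AA:BB", 11) for i in range(10)]
)

if __name__ == "__main__":
    db, chains, names = recognize(SAMPLE)
    for c, name in zip(chains, names):
        print(name, "<-", " -> ".join(f"{db[i].kind}(x{db[i].count})" for i in c))
```

On the constructed input the 81 raw alerts collapse into four hyper alerts, the three against the target cell link into one chain and the probe noise on the other BSSID is filtered out. Two points carry over to real deployments: deauthentication frames are sent with the AP's address spoofed as transmitter, so a scoring rule keyed only on the attacker's source MAC would never tie the flood to the ARP replay that follows, which is why the cell identifier (BSSID) deserves the largest weight; and because the threshold and window are tunable, they should be set against a capture of normal traffic first, since a crowded channel with several legitimate reassociation bursts will otherwise produce spurious chains.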
Author | Chen, Guanlin; Zhang, Yujia; Wang, Can |
Author_xml | 1. Chen, Guanlin (School of Computer and Computing Science, Zhejiang University City College, Hangzhou 310015, PR China); 2. Zhang, Yujia (Citigroup Software Technology and Services (China) Limited, Shanghai 201203, PR China); 3. Wang, Can (email: wcan@zju.edu.cn; College of Computer Science, Zhejiang University, Hangzhou 310027, PR China) |
CitedBy_id | crossref_primary_10_1016_j_cose_2018_03_001 crossref_primary_10_1109_ACCESS_2022_3168976 crossref_primary_10_1007_s11771_019_4233_1 crossref_primary_10_1016_j_asoc_2020_106188 crossref_primary_10_1049_iet_net_2018_5050 |
ContentType | Journal Article |
Copyright | 2014 Elsevier Ltd 2015 INIST-CNRS |
DOI | 10.1016/j.eswa.2014.05.029 |
Discipline | Computer Science Applied Sciences |
EISSN | 1873-6793 |
EndPage | 7076 |
ExternalDocumentID | 10_1016_j_eswa_2014_05_029 28610738 S0957417414003091 |
ISSN | 0957-4174 |
IsPeerReviewed | true |
IsScholarly | true |
Issue | 16 |
Keywords | Network security; WLAN; Pattern recognition; Correlation analysis; Multi-stage attack; Wireless LAN; Correlation; Intruder detector; Correlation method; Flood; Classification; Database; Wired network; Computer security; Script; Filtering; Meshed network; Aggression; Transmission protocol; Step method; Cluster; Experimental result; Filter; Authentication; Wireless network; Crack; Intrusion detection systems |
License | CC BY 4.0 |
PageCount | 9 |
PublicationDate | 2014-11-15 |
PublicationPlace | Amsterdam |
PublicationTitle | Expert systems with applications |
Publisher | Elsevier Ltd |
StartPage | 7068 |
SubjectTerms | Access methods and protocols, OSI model; Applied sciences; Computer science, control theory, systems; Computer systems and distributed systems, user interface; Construction; Correlation analysis; Cracks; Exact sciences and technology; Intrusion; Local area networks; Memory and file management (including protection and security); Memory organisation, data processing; Multi-stage attack; Network security; Networks; Pattern recognition; Radiocommunications; Security; Software; Telecommunications; Telecommunications and information theory; Teleprocessing networks, ISDN; Wireless networks; WLAN |
URI | https://dx.doi.org/10.1016/j.eswa.2014.05.029 https://search.proquest.com/docview/1620048721 https://search.proquest.com/docview/1678013662 |
Volume | 41 |