Raheem A. Beyah

Rogue access point detection using temporal traffic characteristics

As the cost of IEEE 802.11 hardware continues to fall, the appeal of inserting unauthorized wireless access into enterprise networks grows. These rogue access points (AP) expose the enterprise network to a barrage of security vulnerabilities in that they are typically connected to a network port behind the firewall. Most of the current approaches to detecting rogue AP are rudimentary and are easily evaded by hackers. We propose the use of temporal traffic characteristics to detect rogue AP at a central location. This detection is independent of the wireless technology (IEEE 802.11a, 802.11b, or 802.11g), is scalable, does not possess the inefficiencies of the current solutions, and is independent of the signal range of the rogue AP.

Composite Event Detection in Wireless Sensor Networks

Sensor networks can be used for event alarming applications. To date, in most of the proposed schemes, the raw or aggregated sensed data is periodically sent to a data consuming center. However, with this scheme, the occurrence of an emergency event such as a fire is hardly reported in a timely manner which is a strict requirement for event alarming applications. In sensor networks, it is also highly desired to conserve energy so that the network lifetime can be maximized. Furthermore, to ensure the quality of surveillance, some applications require that if an event occurs, it needs to be detected by at least k sensors where k is a user-defined parameter. In this work, we examine the timely energy-efficient k-watching event detection problem (TEKWEO). A topology-and-routing-supported algorithm is proposed which constructs a set of detection sets that satisfy the short notification time, energy conservation, and tunable quality of surveillance requirements for event alarming applications. Simulation results are shown to validate the proposed algorithm.

A Passive Approach to Rogue Access Point Detection

Unauthorized or rogue access points (APs) produce security vulnerabilities in enterprise/campus networks by circumventing inherent security mechanisms. We propose to use the round trip time (RTT) of network traffic to distinguish between wired and wireless nodes. This information coupled with a standard wireless AP authorization policy allows the differentiation (at a central location) between wired nodes, authorized APs, and rogue APs. We show that the lower capacity and the higher variability in a wireless network can be used to effectively distinguish between wired and wireless nodes. Further, this detection is not dependant upon the wireless technology (802.11a, 802.11b, or 802.11g), is scalable, does not contain the inefficiencies of current solutions, remains valid as the capacity of wired and wireless links increase, and is independent of the signal range of the rogue APs.

VEBEK: Virtual Energy-Based Encryption and Keying for Wireless Sensor Networks

Designing cost-efficient, secure network protocols for Wireless Sensor Networks (WSNs) is a challenging problem because sensors are resource-limited wireless devices. Since the communication cost is the most dominant factor in a sensors energy consumption, we introduce an energy-efficient Virtual Energy-Based Encryption and Keying (VEBEK) scheme for WSNs that significantly reduces the number of transmissions needed for rekeying to avoid stale keys. In addition to the goal of saving energy, minimal transmission is imperative for some military applications of WSNs where an adversary could be monitoring the wireless spectrum. VEBEK is a secure communication framework where sensed data is encoded using a scheme based on a permutation code generated via the RC4 encryption mechanism. The key to the RC4 encryption mechanism dynamically changes as a function of the residual virtual energy of the sensor. Thus, a one-time dynamic key is employed for one packet only and different keys are used for the successive packets of the stream. The intermediate nodes along the path to the sink are able to verify the authenticity and integrity of the incoming packets using a predicted value of the key generated by the senders virtual energy, thus requiring no need for specific rekeying messages. VEBEK is able to efficiently detect and filter false data injected into the network by malicious outsiders. The VEBEK framework consists of two operational modes (VEBEK-I and VEBEK-II), each of which is optimal for different scenarios. In VEBEK-I, each node monitors its one-hop neighbors where VEBEK-II statistically monitors downstream nodes. We have evaluated VEBEKs feasibility and performance analytically and through simulations. Our results show that VEBEK, without incurring transmission overhead (increasing packet size or sending control messages for rekeying), is able to eliminate malicious data from the network in an energy-efficient manner. We also show that our framework performs better than other comparable schemes in the literature with an overall 60-100 percent improvement in energy savings without the assumption of a reliable medium access control layer.

Visual firewall: real-time network security monitor

Networked systems still suffer from poor firewall configuration and monitoring. VisualFirewall seeks to aid in the configuration of firewalls and monitoring of networks by providing four simultaneous views that display varying levels of detail and time-scales as well as correctly visualizing firewall reactions to individual packets. The four implemented views, real-time traffic, visual signature, statistics, and IDS alarm, provide the levels of detail and temporality that system administrators need to properly monitor their systems in a passive or an active manner. We have visualized several attacks, and we feel that even individuals unfamiliar with networking concepts can quickly distinguish between benign and malignant traffic patterns with a minimal amount of introduction.

Sensor scheduling for p-percent coverage in wireless sensor networks

We study sensor scheduling problems of p-percent coverage in this paper and propose two scheduling algorithms to prolong network lifetime due to the fact that for some applications full coverage is not necessary and different subareas of the monitored area may have different coverage requirements. Centralized p-Percent Coverage Algorithm (CPCA) we proposed is a centralized algorithm which selects the least number of nodes to monitor p-percent of the monitored area. Distributed p-Percent Coverage Protocol (DPCP) we represented is a distributed algorithm which can determine a set of nodes in a distributed manner to cover p-percent of the monitored area. Both of the algorithms can guarantee network connectivity. The simulation results show that our algorithms can remarkably prolong network lifetime, have less than 5% un-required coverage for large networks, and employ nodes fairly for most cases.

Rogue-Access-Point Detection: Challenges, Solutions, and Future Directions

Rogue devices are an increasingly dangerous reality in the insider threat problem domain. Industry, government, and academia need to be aware of this problem and promote state-of-the-art detection methods.

Toward Revealing Kernel Malware Behavior in Virtual Execution Environments

Using a sandbox for malware analysis has proven effective in helping people quickly understand the behavior of unknown malware. This technique is also complementary to other malware analysis techniques such as static code analysis and debugger-based code analysis. This paper presents Rkprofiler , a sandbox-based malware tracking system that dynamically monitors and analyzes the behavior of Windows kernel malware. Kernel malware samples run inside a virtual machine (VM) that is supported and managed by a PC emulator. By building its monitoring component into the PC emulator, Rkprofiler is able to inspect each instruction executed by the kernel malware and therefore possesses a powerful weapon against the malware. Rkprofiler provides several capabilities that other malware tracking systems do not. First, it can detect the execution of malicious kernel code regardless of how the monitored kernel malware is loaded into the kernel and whether it is packed or not. Second, it captures all function calls made by the kernel malware and constructs call graphs from the trace files. Third, a technique called aggressive memory tagging (AMT) is proposed to track the dynamic data objects that the kernel malware visit. Last, Rkprofiler records and reports the hardware access events of kernel malware (e.g., MSR register reads and writes). Our evaluation results show that Rkprofiler can quickly expose the security-sensitive activities of kernel malware and thus reduces the effort exerted in conducting tedious manual malware analysis.

A Passive Approach to Wireless NIC Identification

IEEE 802.11 wireless networks are plagued with problems of unauthorized access. Left undetected, unauthorized access is the precursor to additional mischief. Current approaches to detecting intruders are invasive or can be evaded by stealthy attackers. We propose the use of spectral analysis to identify a type of wireless network interface card. This mechanism can be applied to support the detection of unauthorized systems that use wireless network interface cards that are different from that of a legitimate system. The approach is passive and works in the presence of encrypted traffic.

Snapshot and Continuous Data Collection in Probabilistic Wireless Sensor Networks

Data collection is a common operation of Wireless Sensor Networks (WSNs), of which the performance can be measured by its achievable network capacity. Most existing works studying the network capacity issue are based on the unpractical model called deterministic network model. In this paper, a more reasonable model, probabilistic network model, is considered. For snapshot data collection, we propose a novel Cell-based Path Scheduling (CPS) algorithm that achieves capacity of Ω(1/ 5ω ln n·W) in the sense of the worst case and order-optimal capacity in the sense of expectation, where n is the number of sensor nodes, ω is a constant, and W is the data transmitting rate. For continuous data collection, we propose a Zone-based Pipeline Scheduling (ZPS) algorithm. ZPS significantly speeds up the continuous data collection process by forming a data transmission pipeline, and achieves a capacity gain of N√n/√(log n) ln n or n/log n ln n times better than the optimal capacity of the snapshot data collection scenario in order in the sense of the worst case, where N is the number of snapshots in a continuous data collection task. The simulation results also validate that the proposed algorithms significantly improve network capacity compared with the existing works.