In this research thesis, advanced work is done on Wireless Local Area Network (WLAN) design and future Internet architecture for intrusion detection. There has been a large worldwide shift toward using technology in almost every aspect of our lives. In many industries this trend has been termed the "Internet of Things" (IoT), where Internet and cloud-based activities see ever more use for control, monitoring and data storage applications.

As stated earlier, these assumptions were made because of the extreme difficulty of obtaining any related telemetry from an actual WLAN system or business-critical network. To improve the validity of the simulation, it would be beneficial to obtain even sanitized telemetry from an actual system; the simulation could then be refined to better reflect the dynamics of the signals in a real system. If actual WLAN system data is unobtainable, the test bed itself can be modified to reflect more of the processes seen in these systems. First, a small flow loop with sensing and control elements could be constructed and driven by the servers of the test bed. The primary server in the test bed, which acts as the WLAN server, could then be programmed to poll the sensors, issue commands and collect data. Time synchronous averaging techniques are used to resample telemetry sources that have different sampling rates.

The research provides several case studies to prove the efficacy of the newly developed variable grouping technique for WLAN. Recall that variable grouping methods are needed to extract the sets or subsets of variables that give the lowest model prediction errors. The research also presents AAKR and AAMSET model results for several successfully detected intrusion activities from two different data sets. The models utilized four different clusters of telemetry taken from the Linux kernel to determine which class of telemetry was more effective for intrusion detection.
The knowledge-based system is the most common and widely used type; it uses signatures or features of known wireless network attacks for detection. While this type is easy to implement and has a low rate of false and missed alarms, it will always miss so-called zero-day wireless network attacks. Recall that a zero-day wireless network attack is a new, unknown intrusion. Because the knowledge-based system has never seen a zero-day intrusion event, it will classify this new behavior as normal. In contrast, the behavior-based system can detect known and zero-day wireless network attacks with an accuracy of 97.86%. This type uses data-driven modeling techniques to learn normal system behavior. Once trained, any future monitored telemetry that deviates from this learned behavior will be labeled as an intrusion event.
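As an added illustration (not code from the thesis), the following shows the behavior-based approach in its simplest form: an auto-associative kernel regression (AAKR) model trained on constructed "normal" kernel telemetry reconstructs each new sample, and a reconstruction residual above an assumed threshold is labeled an intrusion event. The counter names, the min-max scaling, the kernel bandwidth and the 0.2 threshold are assumptions made for this example.

```python
import math

# Constructed sample telemetry for this example: each row is one sampling
# interval of four kernel counters (assumed: context switches, interrupts,
# packets received, packets transmitted). These are made-up "normal" values.
NORMAL = [
    [120, 300, 50, 45], [118, 310, 52, 44], [125, 295, 49, 47], [122, 305, 51, 46],
    [119, 298, 50, 45], [124, 302, 53, 48], [121, 307, 48, 44], [123, 299, 52, 46],
]

def _scale(x, mins, maxs):
    # Min-max scale each variable so a large counter does not dominate the distance.
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, lo, hi in zip(x, mins, maxs)]

class AAKR:
    """Auto-associative kernel regression: a query vector is reconstructed as the
    Gaussian-kernel-weighted average of the stored normal observations."""
    def __init__(self, memory, bandwidth=0.5):
        self.raw = memory
        self.mins = [min(col) for col in zip(*memory)]
        self.maxs = [max(col) for col in zip(*memory)]
        self.memory = [_scale(row, self.mins, self.maxs) for row in memory]
        self.h = bandwidth

    def predict(self, x):
        q = _scale(x, self.mins, self.maxs)
        d2 = [sum((a - b) ** 2 for a, b in zip(q, m)) for m in self.memory]
        # Subtract the smallest distance before exponentiating so that a far-off
        # (anomalous) query does not underflow every weight to zero.
        d_min = min(d2)
        weights = [math.exp(-(d - d_min) / (2 * self.h ** 2)) for d in d2]
        total = sum(weights)
        return [sum(w * row[i] for w, row in zip(weights, self.raw)) / total
                for i in range(len(x))]

    def residual(self, x):
        # Largest relative reconstruction error across the variables.
        pred = self.predict(x)
        return max(abs(a - b) / max(abs(b), 1e-9) for a, b in zip(x, pred))

def is_intrusion(model, x, threshold=0.2):
    # Assumed decision rule: flag the interval when the residual exceeds the threshold.
    return model.residual(x) > threshold

if __name__ == "__main__":
    model = AAKR(NORMAL)
    for sample in ([121, 301, 50, 46], [121, 301, 50, 900]):
        print(sample, round(model.residual(sample), 3), is_intrusion(model, sample))
```

The second sample, a transmit-counter spike never seen in training, is flagged even though the model has no signature for it, which is the zero-day property the passage describes.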