Defending Against Zero Day Attacks in WLANs
Zero day attack is an exotic name for a hack that will be realized in the future and that we don't know about today. Conventionally, it is believed that a zero day attack will create some anomaly in network behavior, and hence that some form of anomaly detector can provide protection from zero day attacks. However, there have always been practical difficulties in implementing a robust anomaly detector. Fortunately, for 802.11 WLANs there is also an alternative, viable way to defend against zero day attacks.
Practical Difficulties in Traditional Anomaly Detection
Among the range of anomalies that can be envisaged, one rather simple form is the volume anomaly, i.e., an out-of-routine volume of some type of network packets, protocol messages, events, etc. Anomaly detectors can thus be threshold-crossing alarms on such objects. For example, in the case of a WLAN, one can imagine various kinds of thresholds: control packets, management packets, packets to the AP, packets from the AP, fragmented packets, broadcast packets, multicast packets, deauth packets, certain types of events, etc. An unending list of such packet types, events and their permutations and combinations can be envisaged.
Now the practical difficulty here is to reason out why the thresholds you are setting will detect zero day attacks and why they will not trip often during normal network operation (i.e., cause false alarms). Building a nexus between thresholds and wireless zero day attacks is a very hard problem. Unless someone solves this problem for you, such threshold-based anomaly alarms can turn out to be an illusion of protection from zero day attacks and a reality of false alarm overhead.
Is There Another Way?
In fact, for WLANs there is another way, which can considerably heighten your chances of protection from WLAN zero day attacks (since a zero day attack is by definition an undefined attack, we can only talk of probabilities), without the nuisance of false alarms. The key lies in how WLAN security fundamentally needs to work. Stated in simple words, the mission of your WiFi security system, such as a wireless intrusion prevention system (WIPS), should be to automatically detect and block every wireless connection that is not compliant with the security policy and security best practices. Once that is achieved, your chances of protection from wireless zero day attacks grow considerably, because it is reasonable to presume that any credible WLAN attack, even a zero day attack, will ride on some insecure wireless connection. To that effect, robust detection and blocking of fundamental WLAN vulnerabilities such as rogue APs, connections of clients to unmanaged APs, ad hoc connections, misconfigured devices, spoofing, etc. becomes critical for zero day attack protection.
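As an added example (not code from the original post or from any WIPS product), here is a toy policy-compliance classifier of the kind argued for above: every observed connection is matched against an inventory of managed APs and authorized clients and labelled either compliant or with the violation it exhibits (rogue AP, client on an unmanaged AP, ad hoc link, misconfiguration, possible spoofing), and no traffic-volume threshold is involved anywhere. The BSSIDs, client addresses, SSIDs and the policy itself are constructed assumptions.

```python
from dataclasses import dataclass
AUTHORIZED_APS = {  # constructed inventory: managed BSSID -> (SSID, security); not from the post
    "00:11:22:aa:bb:01": ("corp-net", "WPA2-Enterprise"),
    "00:11:22:aa:bb:02": ("corp-net", "WPA2-Enterprise"),
}
AUTHORIZED_CLIENTS = {"de:ad:be:ef:00:01", "de:ad:be:ef:00:02"}
ALLOWED_SECURITY = {"WPA2-Enterprise", "WPA3-Enterprise"}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}

@dataclass(frozen=True)
class Link:  # one observed wireless connection, as a WIPS sensor would record it
    client: str
    bssid: str
    ssid: str
    security: str        # "OPEN", "WEP", "WPA2-Personal", "WPA2-Enterprise", ...
    mode: str = "infra"  # "infra" (via an AP) or "ibss" (ad hoc)

def classify(link: Link) -> str:
    """Return 'compliant' or the name of the policy violation the link exhibits."""
    if link.mode == "ibss":
        return "ad hoc connection"
    if link.bssid not in AUTHORIZED_APS:
        if link.ssid in CORP_SSIDS:
            return "rogue AP advertising corporate SSID"
        if link.client in AUTHORIZED_CLIENTS:
            return "authorized client on unmanaged AP"
        return "external connection"  # a neighbour's network: classified, not blocked
    if link.security not in ALLOWED_SECURITY:
        return "weak security on authorized BSSID (misconfigured or spoofed AP)"
    if (link.ssid, link.security) != AUTHORIZED_APS[link.bssid]:
        return "authorized BSSID with unexpected configuration (possible spoofing)"
    if link.client not in AUTHORIZED_CLIENTS:
        return "unauthorized client on managed AP"
    return "compliant"

def enforce(links):  # the (link, reason) pairs a policy-driven WIPS should block
    return [(l, v) for l in links for v in [classify(l)]
            if v not in ("compliant", "external connection")]

OBSERVED = [  # constructed observations, not a real capture
    Link("de:ad:be:ef:00:01", "00:11:22:aa:bb:01", "corp-net", "WPA2-Enterprise"),
    Link("11:22:33:44:55:66", "77:88:99:aa:bb:cc", "Neighbour", "WPA2-Personal"),
    Link("de:ad:be:ef:00:02", "66:77:88:99:00:11", "corp-net", "OPEN"),
    Link("de:ad:be:ef:00:02", "66:77:88:99:00:12", "CoffeeShop", "OPEN"),
    Link("de:ad:be:ef:00:01", "de:ad:be:ef:00:02", "adhoc-share", "OPEN", mode="ibss"),
    Link("de:ad:be:ef:00:01", "00:11:22:aa:bb:02", "corp-net", "WPA2-Personal"),
]
if __name__ == "__main__":
    for link, reason in enforce(OBSERVED):
        print(f"BLOCK {link.client} -> {link.bssid}: {reason}")
```

Only the first two observations escape blocking: the compliant corporate link and the neighbour's network, which is classified but left alone.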
Bottom Line: A wireless security system that is good at classifying, detecting and blocking insecure wireless connections is a good bet for protection from WLAN zero day attacks. On the other hand, too much reliance on threshold-based alarms can turn out to be illusory and create false alarm overhead.