Traffic characteristics mechanism for detecting rogue access point in local area network

Rogue Access Point (RAP) is a network vulnerability involving illicit usage of wireless access point in a network environment. The existence of RAP can be identified using network traffic inspection. The purpose of this thesis is to present a study on the use of local area network (LAN) traffic characterisation for typifying wired and wireless network traffic through examination of packet exchange between sender and receiver by using inbound packet capturing with time stamping to indicate the existence of a RAP. The research is based on the analysis of synchronisation response (SYN/ACK), close connection respond (FIN/ACK), push respond (PSH/ACK), and data send (PAYLOAD) of the provider’s flags which are paired with their respective receiver acknowledgment (ACK). The timestamp of each pair is grouped using the Equal Group technique, which produced group means. These means were then categorised into three zones to form zone means. Subsequently, the zone means were used to generate a global mean that served as a threshold value for identifying RAP. A network testbed was developed from which real network traffic was captured and analysed. A mechanism to typify wired and wireless LAN traffic using the analysis of the global mean used in the RAP detection process has been proposed. The research calculated RAP detection threshold value of 0.002 ms for the wired IEEE 802.3 LAN, while wireless IEEE 802.11g is 0.014 ms and IEEE 802.11n is 0.033 ms respectively. This study has contributed a new mechanism for detecting a RAP through traffic characterisation by examining packet communication in the LAN environment. The detection of RAP is crucial in the effort to reduce vulnerability and to ensure integrity of data exchange in LA

Passive Client-Centric Rogue Access Point Detection Framework For WiFi Hotspots

The proliferation of Wi-Fi hotspots in public places provides seamless Internet connectivity anywhere at any time to the wireless clients.Although many hotspots are often unprotected,unmanaged and unencrypted,this does not prevent the clients from actively connecting to the network.The underlying problem is that the network Access Point (AP) is always trusted.The adversary can impersonate a legitimate AP by setting up a rogue AP to commit espionage and to launch evil-twin attack,session hijacking,and eavesdropping.To aggravate the threats, existing detection solutions are ill-equipped to safeguard the client against rogue AP.Infrastructure- centric solutions are heavily relied on the deployment of sensors or centralized server for rogue AP detection, which are limited,expensive and rarely to be implemented in hotspots.Even though client-centric solutions offer threat-aware protection for the client,but the dependency of the existing solutions on the spoofable contextual network information and the necessity to be associated with the network makes those solutions are not viable for the hotspot’s client.Hence,this work proposes a framework of passive client-centric rogue AP detection for hotspots.Unlike existing solutions,the key idea is to piggyback AP-specific and network-specific information in IEEE 802.11 beacon frame that enables the client to perform the detection without authentication and association to any AP.Based on the spatial fingerprints included in the broadcasted information from the APs in the vicinity of the client,this work discloses a novel concept that enables the rogue AP detection via the client’s ability to self-colocalize and self-validate its own position in the hotspot.The legitimacy of the APs in the hotspot,in this view,lies in the fact that the correct matching between the Received Signal Strength Indicator (RSSI) measurements at the client and pre-recorded fingerprints is attainable when the beacons are transmitted only from the legitimate APs.Hence,any anomalousness in AP’s beacon frame or any attempt to replay the legitimate AP’s beacon frame from different location can be detected and classified as rogue AP threats.Through experiments in real environment,the results demonstrate that with proper algorithm selection and parameters tuning,the rogue AP detection framework can achieve over 90% detection accuracy in classifying the absence and presence of rogue AP threats in the hotspot

Overview of the Course in “Wireless and Mobile Security”

This paper provides an overview of “Wireless and Mobile Security” course. The course offers practical study of security issues and features concerning wireless security. The program of the course effciently interleaves systematic theoretical knowledge and practical work. The theoretical part of the course includes basic information about the architecture of wireless networks, as well as available in this area to modern standards and protection mechanisms built into the equipment for wireless networks. It is also proposed an effective method for integrating a wireless network with the existing network infrastructure, taking into account all aspects of security. More than 50 percent of teaching time is devoted to practical work on the protection of wireless networks. During the course skills to work with software NetStumbler, Kismet, AirSnort, Aircrack, and other monitoring wireless and network tools will be acquired. Particular attention is paid to the use of the most common tools of audit wireless networks, both commercial, and open source. In conclusion, a comprehensive approach to wireless security will be offered for each wireless technology

Exploiting wireless received signal strength indicators to detect evil-twin attacks in smart homes

Evil-twin is becoming a common attack in Smart Home environments where an attacker can set up a fake AP to compromise the security of the connected devices. To identify the fake APs, The current approaches of detecting Evil-twin attacks all rely on information such as SSIDs, the MAC address of the genuine AP or network traffic patterns. However, such information can be faked by the attacker, often leading to low detection rates and weak protection. This paper presents a novel evil-twin attack detection method based on the received signal strength indicator (RSSI). Our key insight is that the location of the genuine AP rarely moves in a home environment and as a result the RSSI of the genuine AP is relatively stable. Our approach considers the RSSI as a fingerprint of APs and uses the fingerprint of the genuine AP to identify fake ones. We provide two schemes to detect a fake AP in two different scenarios where the genuine AP can be located at either a single or multiple locations in the property, by exploiting the multipath effect of the WIFI signal. As a departure from prior work, our approach does not rely on any professional measurement devices. Experimental results show that our approach can successfully detect 90% of the fake APs, at the cost of an one-off, modest connection delay