    Traffic characteristics mechanism for detecting rogue access point in local area network

    A Rogue Access Point (RAP) is a network vulnerability involving the illicit use of a wireless access point in a network environment. The existence of a RAP can be identified through network traffic inspection. The purpose of this thesis is to present a study on the use of local area network (LAN) traffic characterisation for typifying wired and wireless network traffic through examination of the packet exchange between sender and receiver, using inbound packet capture with timestamping to indicate the existence of a RAP. The research is based on the analysis of the synchronisation response (SYN/ACK), close-connection response (FIN/ACK), push response (PSH/ACK), and data send (PAYLOAD) flags of the provider, each paired with its respective receiver acknowledgment (ACK). The timestamps of each pair are grouped using the Equal Group technique, which produces group means. These means are then categorised into three zones to form zone means. Subsequently, the zone means are used to generate a global mean that serves as a threshold value for identifying a RAP. A network testbed was developed from which real network traffic was captured and analysed. A mechanism to typify wired and wireless LAN traffic using the analysis of the global mean used in the RAP detection process has been proposed. The research calculated a RAP detection threshold value of 0.002 ms for the wired IEEE 802.3 LAN, 0.014 ms for wireless IEEE 802.11g, and 0.033 ms for IEEE 802.11n. This study has contributed a new mechanism for detecting a RAP through traffic characterisation by examining packet communication in the LAN environment. The detection of a RAP is crucial in the effort to reduce vulnerability and to ensure the integrity of data exchange in LA

    Identification of Network Bricks in Heterogeneous Scenarios


    Identifying 802.11 traffic from passive measurements using iterative Bayesian inference

    In this paper, we propose a classification scheme to differentiate Ethernet and WLAN TCP flows based on measurements collected passively at the edge of a large network. This classifier computes the fraction of wireless TCP flows, and the degree of belief that a TCP flow traverses a WLAN inside the network. The core of this classifier is an iterative Bayesian inference algorithm that we developed to obtain the maximum likelihood estimate (MLE) of these quantities. Our algorithm can handle any general two-class classification problem given the marginal distributions of these two classes. Numerical and experimental evaluations demonstrate that our classifier obtains accurate results and is insensitive to imprecise marginal distributions. We apply the classifier to various traces collected at the edge of the UMass campus network and infer that between 11-14 % of all TCP flows coming into the UMass campus traverse an 802.11 wireless link within the campus. We also detect wireless usage (through the use of private routers and access points) in areas not covered by the official wireless infrastructure. I

    Secure and Reliable Wireless Communication through End-to-End-based Solution

    In the past few decades, network architectures and protocols have often been designed to achieve high throughput and low latency. Security was rarely considered during the initial design phases. As a result, many network systems are insecure by design. Once they are widely deployed, the inherent vulnerabilities may be difficult to eliminate due to the prohibitive update cost. In this dissertation, we examine such vulnerabilities in various networks and design end-to-end-based solutions that allow end systems to address these loopholes. The end-to-end argument was originally proposed to let end hosts implement application-specific functions rather than letting intermediate network nodes (i.e., routers) perform unneeded functions. In this dissertation, we apply the end-to-end principle to address three problems in wireless networks that are caused by design flaws, for the following reasons: either because integrating solutions into a large number of already deployed intermediate nodes is not a viable option, or because end hosts are in a better position to cope with the problems. First, we study the problem of jamming in a multihop wireless network. Jamming attacks are possible because wireless networks communicate over a shared medium. It is easy to launch a jamming attack but difficult to defend against one. To ensure end-to-end packet delivery, we propose a jamming-resilient multipath routing algorithm that maximizes end-to-end availability based on the availability history between sources and destinations. Second, we investigate caller ID spoofing attacks in telephone networks, in which an attacker sends a fake caller ID to a callee rather than her real one in order to impersonate someone else. Such attacks are possible because there is no caller ID authentication mechanism in operator interconnection protocols. Modifying current protocols to verify caller ID between operators may be infeasible due to the scale of deployed systems. So, we propose two schemes to detect caller ID spoofing attacks based on end-to-end verification. Finally, we examine evil twin access point attacks in wireless hotspots. In such attacks, an adversary sets up a phishing access point that has the same Service Set Identifier (SSID) as the legitimate ones in the hotspot. Such attacks are easy to launch because of how the 802.11 standards are designed. Existing solutions take away convenience from the user while providing security. Our aim is to detect evil twin access point attacks in wireless hotspots without modifying how access points work in hotspots and without additional infrastructure support. We propose an end-to-end-based mechanism that can effectively detect evil twin access point attacks in wireless hotspots