49 research outputs found

    802.11 Fingerprinting to Detect Wireless Stealth Attacks

    We propose a simple, passive and deployable approach for fingerprinting traffic on the wired side as a solution for three critical stealth attacks in wireless networks. We focus on extracting traces of the 802.11 medium access control (MAC) protocol from the temporal arrival patterns of incoming traffic streams as seen on the wired side, to identify attacker behavior. Attacks addressed include unauthorized access points, selfish behavior at the MAC layer and MAC layer covert timing channels. We employ the Bayesian binning technique as a means of classifying between delay distributions. The scheme requires no change to the 802.11 nodes or protocol, exhibits minimal computational overhead and offers a single point of discovery. We evaluate our model using experiments and simulations

    Traffic characteristics mechanism for detecting rogue access point in local area network

    Rogue Access Point (RAP) is a network vulnerability involving illicit usage of wireless access point in a network environment. The existence of RAP can be identified using network traffic inspection. The purpose of this thesis is to present a study on the use of local area network (LAN) traffic characterisation for typifying wired and wireless network traffic through examination of packet exchange between sender and receiver by using inbound packet capturing with time stamping to indicate the existence of a RAP. The research is based on the analysis of synchronisation response (SYN/ACK), close connection respond (FIN/ACK), push respond (PSH/ACK), and data send (PAYLOAD) of the provider’s flags which are paired with their respective receiver acknowledgment (ACK). The timestamp of each pair is grouped using the Equal Group technique, which produced group means. These means were then categorised into three zones to form zone means. Subsequently, the zone means were used to generate a global mean that served as a threshold value for identifying RAP. A network testbed was developed from which real network traffic was captured and analysed. A mechanism to typify wired and wireless LAN traffic using the analysis of the global mean used in the RAP detection process has been proposed. The research calculated RAP detection threshold value of 0.002 ms for the wired IEEE 802.3 LAN, while wireless IEEE 802.11g is 0.014 ms and IEEE 802.11n is 0.033 ms respectively. This study has contributed a new mechanism for detecting a RAP through traffic characterisation by examining packet communication in the LAN environment. The detection of RAP is crucial in the effort to reduce vulnerability and to ensure integrity of data exchange in LA

    A measurement based rogue ap detection scheme

    points (APs) that pretend to be legitimate APs to lure users to connect to them. We propose a practical timing based technique that allows the user to avoid connecting to rogue APs. Our method employs the round trip time between the user and the DNS server to independently determine whether an AP is legitimate or not without assistance from the WLAN operator. We implemented our detection technique on commercially available wireless cards to evaluate their performance. I

    Detecting rogue access point (RAP) using simple network management protocol (SNMP)

    Rogue access points (RAPs) expose the enterprise network to a barrage of security vulnerabilities in that they are typically connected to a network port behind the firewall. It will break any security implementation without notice. Detecting RAPs is vital to clear any threat to the network environment. This paper discusses methods for detecting RAPs, such as passive monitoring, visualization and traffic analysis. We do a preliminary study using SNMP, focusing on traffic analysis as a part of detecting RAPs. We also propose a simple algorithm which we hope can detect RAPs in advance, before they make the network environment vulnerable

    Rogue access point detection framework on a multivendor access point WLAN

    Thesis submitted in partial fulfillment of the requirements for the Degree of Master of Science in Information Technology (MSIT) at Strathmore University. Wireless internet access has become common throughout the world. IEEE 802.11 Wireless fidelity (Wi-Fi) is now a common internet access standard almost becoming a requirement in homes, offices, universities and public places due to developments in Bring-Your-Own-Device (BYOD), mobile telephony and telecommuting. With the proliferation of Wi-Fi comes a number of information security challenges that have to be addressed. One of the major security threats that comes with Wi-Fi is the presence of rogue access points (APs) on the network. Unsuspecting employees in a company or attackers can introduce rogue APs to a secure wired network. The problem is amplified if the wireless local area network (WLAN) consists of multivendor APs. Malicious people can leverage rogue APs to perform passive or active attacks on a computer network. Therefore, there is a need for network administrators to accurately, with less effort, detect and control the presence of rogue APs on multivendor WLANs. In this thesis, a solution that can accurately support detection of rogue APs on a multi-vendor AP WLAN without extra hardware or modification of AP firmware is presented. In the solution, information from beacon frames is compared to a set of approved parameters. Intervention of a network administrator is included to prevent MAC address spoofing. A structured methodology was adopted in developing the model on a Windows operating system. Python programming language was used in coding the system with Scapy and Tkinter as the main modules. SQLite database was used to store required data. The system was tested on a setup WLAN that was composed of three different access points in a University lab. It was able to capture beacon frames sent by the access points and extracted MAC address, SSID and capability information as the key parameters used in identifying and classifying the access points. The system uses the captured information to automatically compare it against an existing database of authorized parameters. It is then able to classify an access point as either rogue or authorized. The system issued alerts that described the detected APs to a network administrator. The rest of this document gives details of scholarly works that are pertinent to the study, the research methodology used, implementation and testing of the model followed by discussions of findings and the conclusions and recommendations made by the researcher

    Using RTT Variability for Adaptive Cross-Layer Approach to Multimedia Delivery in Heterogeneous Networks

    A holistic approach should be made for a wider adoption of a cross-layer approach. A cross-layer design on a wireless network assumed with a certain network condition, for instance, can have a limited usage in heterogeneous environments with diverse access network technologies and time varying network performance. The first step toward a cross-layer approach is an automatic detection of the underlying access network type, so that appropriate schemes can be applied without manual configurations. To address the issue, we investigate the characteristics of round-trip time (RTT) on wireless and wired networks. We conduct extensive experiments from diverse network environments and perform quantitative analyses on RTT variability. We show that RTT variability on a wireless network exhibits greatly larger mean, standard deviation, and min-to-high percentiles at least 10 ms bigger than those of wired networks due to the MAC layer retransmissions. We also find that the impact of packet size on wireless channel is particularly significant. Thus through a simple set of testing, one can accurately classify whether or not there has been a wireless network involved. We then propose effective adaptive cross-layer schemes for multimedia delivery over error-prone links. They include limiting the MAC layer retransmissions, controlling the application layer forward error correction (FEC) level, and selecting an optimal packet size. We conduct an analysis on the interplay of those adaptive parameters given a network condition. It enables us to find optimal cross-layer adaptive parameters when they are used concurrently. IEEE Circuits & Systems Societ

    Exploiting Wireless Received Signal Strength Indicators to Detect Evil-Twin Attacks in Smart Homes

    DRET: a system for detecting evil-twin attacks in smart homes

    Evil-twin is one of the most common attacks in WIFI environments, with which an attacker can steal sensitive information by cloning a fake AP in Smart Homes. The current approaches to detecting Evil-twin APs use some identities/fingerprints of legitimate APs to identify rogue APs. Prior work in the area uses information like SSIDs, MAC addresses, and network traffic to detect bogus APs. However, such information can be easily imitated by the attacker, leading to low detection rates. This paper introduces a novel Evil-Twin AP detection method based on received signal strength indicator (RSSI). Our approach exploits the fact that the AP location is relatively stable in Smart Homes, which to a great extent meets the requirement, referred to previously, that the detection factor not be easy to imitate. We employ two detection strategies: a single position detection method and a multi-positioned detection method. Our approach exploits the multipath effect of WIFI signals to translate the problem of attack detection into AP positioning detection. Compared to classical detection methods, our approach can perform detection without relying on professional devices. Experimental results show that the single position detection approach achieves 20 seconds’ reduction of delay time with an accuracy of 98%, whereas the multi-positioned detection approach achieves 90% correct

    Detection of Man-in-the-middle Attacks Using Physical Layer Wireless Security Techniques

    In a wireless network environment, all the users are able to access the wireless channel. Thus, if malicious users exploit this feature by mimicking the characteristics of a normal user or even the central wireless access point (AP), they can intercept almost all the information through the network. This scenario is referred to as a Man-in-the-middle (MITM) attack. In the MITM attack, the attackers usually set up a rogue AP to spoof the clients. In this thesis, we focus on the detection of MITM attacks in Wi-Fi networks. The thesis introduces the entire process of performing and detecting the MITM attack in two separate sections. The first section starts from creating a rogue AP by imitating the characteristics of the legitimate AP. Then a multi-point jamming attack is conducted to kidnap the clients and force them to connect to the rogue AP. Furthermore, the sniffer software is used to intercept the private information passing through the rogue AP. The second section focuses on the detection of MITM attacks from two aspects: jamming attacks detection and rogue AP detection. In order to enable the network to perform defensive strategies more effectively, distinguishing different types of jamming attacks is necessary. We begin by using a signal strength consistency mechanism in order to detect jamming attacks. Then, based on the statistical data of packets send ratio (PSR) and packets delivery ratio (PDR) in different jamming situations, a model is built to further differentiate the jamming attacks. At the same time, we gather the received signal strength indication (RSSI) values from three monitor nodes which process the random RSSI values employing a sliding window algorithm. According to the mean and standard deviation curve of RSSI, we can detect if a rogue AP is present within the vicinity. All these proposed approaches, either attack or detection, have been validated via computer simulations and experimental hardware implementations including Backtrack 5 Tools and MATLAB software suite

    Empirical Techniques To Detect Rogue Wireless Devices

    Media Access Control (MAC) addresses in wireless networks can be trivially spoofed using off-the-shelf devices. We proposed a solution to detect MAC address spoofing in wireless networks using a hard-to-spoof measurement that is correlated to the location of the wireless device, namely the Received Signal Strength (RSS). We developed a passive solution that does not require modification for standards or protocols. The solution was tested in a live test-bed (i.e., a Wireless Local Area Network with the aid of two air monitors acting as sensors) and achieved 99.77%, 93.16%, and 88.38% accuracy when the attacker is 8–13 m, 4–8 m, and less than 4 m away from the victim device, respectively. We implemented three previous methods on the same test-bed and found that our solution outperforms existing solutions. Our solution is based on an ensemble method known as Random Forests. We also proposed an anomaly detection solution to deal with situations where it is impossible to cover the whole intended area. The solution is totally passive and unsupervised (using unlabeled data points) to build the profile of the legitimate device. It only requires the training of one location which is the location of the legitimate device (unlike the misuse detection solution that trains and simulates the existence of the attacker in every possible spot in the network diameter). The solution was tested in the same test-bed and yielded about 79% overall accuracy. We build a misuse Wireless Local Area Network Intrusion Detection System (WIDS) and discover some important fields in WLAN MAC-layer frame to differentiate the attackers from the legitimate devices. We tested several machine learning algorithms and found some promising ones to improve the accuracy and computation time on a public dataset. The best performing algorithms that we found are Extra Trees, Random Forests, and Bagging. We then used a majority voting technique to vote on these algorithms. Bagging classifier and our customized voting technique have good results (about 96.25 % and 96.32 % respectively) when tested on all the features. We also used a data mining technique based on Extra Trees ensemble method to find the most important features on AWID public dataset. After selecting the 20 most important features, Extra Trees and our voting technique are the best performing classifiers in terms of accuracy (96.31 % and 96.32 % respectively)