A Method to Detect Rogue Access Points in a Campus without Decrypting WLAN Frames

大学に無線LAN アクセスポイント（以下，AP と呼ぶ）を導入するに当り，許可を得ず接続されたAP や正規のAP を装ったAP 等の不正AP に関するセキュリティ上の課題が存在する．大学では，全学としてのネットワーク管理者（以下，全学ネットワーク管理者と呼ぶ）だけでなく，各サブネットワークごとに管理者を指定していることが多く，ネットワーク全体を把握している管理者が存在しない可能性がある．本論文では，全学ネットワーク管理者の視点で，サブネットワーク管理者との連携を追加で要することなく，検査対象AP のキャンパスネットワークへの接続の有無を判断することにより不正AP を検出する手法について提案する．提案手法では，Windows やAndroid 等のOS に導入されている，Captive Portal Detection（以下，CPD と呼ぶ）を利用する．キャンパスネットワークの上流と無線LAN 通信区間の二箇所におけるCPD 用HTTP 通信の時間差から，検査対象AP のキャンパスネットワークへの接続を確認する．なお，本手法では無線LAN での通信において，WPA2 等の復号を行わず推定している．評価実験では，提案手法によりネットワーク上流から見た各サブネットワークのIP アドレスと無線LAN クライアントが接続したAP の紐付けが可能であることを確認した

Addressing Insider Threats from Smart Devices

Smart devices have unique security challenges and are becoming increasingly common. They have been used in the past to launch cyber attacks such as the Mirai attack. This work is focused on solving the threats posed to and by smart devices inside a network. The size of the problem is quantified; the initial compromise is prevented where possible, and compromised devices are identified. To gain insight into the size of the problem, campus Domain Name System (DNS) measurements were taken that allow for wireless traffic to be separated from wired traffic. Two-thirds of the DNS traffic measured came from wireless hosts, implying that mobile devices are playing a bigger role in networks. Also, port scans and service discovery protocols were used to identify Internet of Things (IoT) devices on the campus network and follow-up work was done to assess the state of the IoT devices. Motivated by these findings, three solutions were developed. To handle the scenario when compromised mobile devices are connected to the network, a new strategy for steppingstone detection was developed with both an application layer and a transport layer solution. The proposed solution is effective even when the mobile device cellular connection is used. Also, malicious or vulnerable applications make it through the mobile app store vetting process. A user space tool was developed that identifies apps contacting malicious domains in real time and collects data for research purposes. Malicious app behavior can then be identified on the user’s device, catching malicious apps that were overlooked by software vetting. Last, the variety of IoT device types and manufacturers makes the job of keeping them secure difficult. A generic framework was developed to lighten the management burden of securing IoT devices, serve as a middle box to secure legacy devices, and also use DNS queries as a way to identify misbehaving devices