Conference Paper (PDF available)

A Passive Fingerprint Technique to Detect Fake Access Points


Abstract

The aim of this paper is to detect Rogue Access Points (RAPs) that clone the characteristics of legitimate Access Points (APs). A novel passive approach is proposed that takes advantage of physical-layer characteristics exposed through the Radiotap header length. Because this approach yields a general fingerprint, it can be used for different purposes such as device identification, network monitoring and intrusion detection systems. We use the fingerprint to detect RAPs in order to evaluate its effectiveness. The technique is implemented on a commercially available wireless card to assess its accuracy. The proposed detection algorithm achieves 100 percent accuracy in identifying RAPs in a lightly loaded traffic environment. A RAP is recognized in less than 100 ms, with scanning performed in a real-time setting. The robustness and effectiveness of the detection algorithm are examined in three locations.
... Another AP profiling study, conducted by Li and Li [40], proposed a novel approach that captures and processes frames to acquire the fingerprint and then determines the AP status based on Gaussian and Naive Bayes algorithms. A study by Alotaibi and Elleithy [41] explained how to capture, extract and store features from beacon frames as the fundamental detection characteristics of a RAP profiling algorithm. ...
... While agent deployment, which is an admin-side approach, has good prospects for industrial application, as it allows automation in detecting RAPs without a significant role for the client, as implemented by several network companies. [table fragment: citations [21], [24], [25], [27], [29], [30], [75], [36], [38], [39], [40], [41], [42], [43], [45], [46], [47], [48], [49], [31]; row "Packet behaviour", layers MAC, NUL, PHY, citations [51], [53], [56], [57], [58], [59], ...] ...
Article
Full-text available
Most people around the world make use of public Wi-Fi hotspots as their daily companion in communication. The access points (APs) of public Wi-Fi are easily deployed by anyone and everywhere to provide hassle-free Internet connectivity. The availability of Wi-Fi increases the danger of adversaries taking advantage of it to sniff sensitive data. One of the most serious security issues encountered by Wi-Fi users is the presence of rogue access points (RAPs). Several studies have been published on how to identify RAPs. Using a systematic literature review, this research aims to explore the various methods for distinguishing an AP as rogue or legitimate, based on hardware and software approach models. In conclusion, all the classifications were summarized, and an alternative solution using a beacon frame manipulation technique was produced. Therefore, further research is needed to identify RAPs.
... A fake AP uses a software-based AP which is installed on a portable device [2]. The access point has the same Service Set Identifier (SSID) as the legitimate AP. ...
... Extracting these radiometric identities from emitted signals allows identifying a signal's device of origin [9]. Using physical-layer characteristics of the radiotap header instead of measuring the analog signal directly reduces the resource requirements and determines rogue APs in a lightly loaded traffic environment properly [2]. In [18], Timing Synchronization Function (TSF) timestamps are extracted from WiFi beacons to compute a clock skew and to detect a possible change of an AP. ...
Conference Paper
Millimeter-wave (mm-wave) communication systems provide high data rates and enable emerging application scenarios, such as 'information showers' for location-based services. Devices are equipped with antenna arrays using dozens of elements to achieve high directionality, thus creating a signal beam that focuses only on a specific area of interest. This new communication paradigm of steerable links requires a rethinking of wireless networks and calls for efficient protocols to train the beam alignment among network nodes. The IEEE 802.11ad standard defines the so-called sector sweep that sweeps through a predefined set of antenna sectors to find the optimal antenna steerings. Such low-layer protocols lack proper security mechanisms and open unprecedented attack possibilities. Distant attackers might tamper with the beam training and literally 'steal' the beam from other devices. In this work, we investigate the threat of such beam-stealing attacks that intercept the sector sweep. By injecting forged feedback, we force victims to steer their signals towards the attacker's location. We implement a proof of concept on commercial off-the-shelf devices and evaluate the impacts on eavesdropping and acting as a Man-in-the-Middle (MITM). Our practical experiments in typical indoor scenarios reveal that beam stealing increases the eavesdropping performance by 38% and allows a MITM to relay packets with an average error of only 1%. With these results, we emphasize the threat of beam-training attacks on mm-wave networks and aim to raise awareness of attack vectors that are emerging with new low-layer amendments in next-generation wireless networks.
... The first type of solution is based on the fingerprints of a predefined authorized AP list [3]-[5]. However, this type of solution is usually operated by the network administrator or requires the collaboration of the administrator, which is not available for most Wi-Fi networks. ...
Conference Paper
Full-text available
Wireless sensor networks (WSNs) are widely deployed to collect data from the surrounding context. A sink node then aggregates the sensing data and sends it to a remote server or user via the Internet. The most popular wireless Internet access technology used in WSNs is Wi-Fi. However, the data may be leaked if access through Wi-Fi is not well guarded. Wi-Fi hotspots are being deployed at an unprecedented speed to facilitate people's lives. Their open-access nature makes them vulnerable to an evil twin access point (AP), which has the same service set identifier (SSID) as the legitimate AP and a larger signal strength. Current Wi-Fi-capable devices (e.g., the sink node in a WSN) are not able to detect the evil twin attack and will automatically switch to the bogus AP. In this paper, we devise a novel detection scheme based on the commonly used network diagnostic tool traceroute. A remote detection server is set up so that the client-to-server and server-to-client traceroute results can be compared. If an evil twin AP is present, it will attempt to conceal the legitimate AP. The inconsistency between the two traceroute results reveals the evil twin attack. We first present the attack model, then describe the detection scheme in detail. In our implementation, a Nexus 4 smartphone serves as the client, a desktop PC with a USB wireless adapter is set up as the evil twin AP, and the detection service runs on an Amazon EC2 server. The experimental results demonstrate that our scheme can effectively detect an evil twin attack.
Article
Full-text available
Background: Coronary heart disease (CHD) is the single most important cause of death. Diagnosing ACS is important because the diagnosis triggers both triage and management. Cardiac Troponin-I (cTnI) is known to be a very sensitive and specific marker for the extent of coronary artery involvement. Objective of the study: The study aimed to determine the correlation of the extent of coronary artery disease (CAD) with elevated syntax score and Troponin-I level in non-ST-elevation MI (NSTEMI). Methods: This cross-sectional analytical study was conducted from July 2019 to June 2020 in the Department of Cardiology, United Hospital Limited. A total of 230 patients with a first attack of NSTEMI were included in the study. All patients underwent coronary angiography in United Hospital Limited. Single, double or triple vessel CAD was considered for the extent of CAD, and a syntax score ≤22 was considered low, 23-32 intermediate and ≥33 high. The sample population was divided into two groups: Group I: patients with a first attack of NSTEMI with Troponin-I level ≤6.6 ng/ml; Group II: patients with a first attack of NSTEMI with Troponin-I level ≥6.6 ng/ml. The association between cTnI levels and CAD extent and severity was observed statistically. Results: Of the 230 patients of Group I, the majority (36%) had double vessel CAD with a mean syntax score of 24.16±5.84, 30.6% had triple vessel CAD with a mean syntax score of 34.70±8.59, and the remainder had single vessel CAD with a mean syntax score of 14.15±5.06, whereas among patients of Group II, most patients (46.2%) had triple vessel CAD with a mean syntax score of 38.50±7.95, 31.1% had double vessel CAD with a mean syntax score of 24.70±8.59, and the rest had single vessel CAD with a mean syntax score of 18.90±9.85. The results indicated a statistically significant association between cTnI levels and triple vessel CAD with the highest syntax score (p = 0.04).
Our study discovered that an increased Troponin-I level over 6.6 ng/ml and an elevated syntax score were very sensitive and specific for CAD extension and severity. Conclusion: The study enabled us to conclude that higher cTnI levels and syntax score are associated with increased extension and severity of CAD.
Chapter
In recent years, wireless local area networks (WLANs) have become one of the important ways to access the Internet. However, the openness of WLANs makes them vulnerable to the threat of the evil twin attack (ETA). Existing effective ETA detection solutions usually rely on physical fingerprints. In particular, fingerprints built from information extracted from channel state information (CSI) are more reliable. However, as demonstrated by our experiment, the fingerprint of the state-of-the-art ETA detection scheme, which is based on phase error extracted from CSI, is not stable enough, and this results in a large number of false negatives in some cases. In this paper, we present a novel ETA detection scheme, called PEDR, which uses a range fingerprint extracted from CSI to identify the evil twin (ET). Inspired by the significant observation that the phase error drifts over time, the concept of drift range fingerprints is proposed and exploited to improve ETA detection accuracy in real-world attack scenarios. Range fingerprints are not affected by drift in phase error and can be uniquely identified. The proposed range fingerprint is implemented and extensive performance evaluation experiments are conducted in a large-scale experiment with 27 devices. The experimental results demonstrate that the detection rate of PEDR is close to 99% and the false negative rate is only 1.11%. It is worth mentioning that PEDR stands out in scenarios with similar device fingerprints.
Chapter
With the popularity of mobile computing, WiFi has become one of the essential technologies for people to access the Internet, and WiFi security has also become a major concern for mobile computing. The Evil-Twin attack can steal a large amount of private data by forging the same SSID as the real Access Point. This paper proposes a passive Evil-Twin attack detection scheme based on CSI in the physical layer. First, we propose a location model based on the edge of the landmark area. In this model, the improved MUSIC algorithm is used to calculate each AP's AoA from the CSI phase. Second, we propose an algorithm for simplifying the generation of location model files, which form a dataset of a small number of AoA and RSSI samples. Finally, according to the location model, the attack detection algorithm combines a large amount of crowd-sensing data to determine whether an AP is malicious. Experiments show that our attack detection system achieves a higher detection rate.
Article
Full-text available
This paper considers the problem of fingerprinting localization in wireless networks based on received-signal-strength (RSS) observations. First, the performance of static localization using power maps (PMs) is improved with a new approach called the base-station-strict (BS-strict) methodology, which emphasizes the effect of BS identities in classical fingerprinting. Second, dynamic motion models with and without road network information are used to further improve the accuracy via particle filters. The likelihood-calculation mechanism proposed for the particle filters is interpreted as a soft version (called BS-soft) of the BS-strict approach applied in the static case. The results of the proposed approaches are illustrated and compared with an example whose data were collected from a WiMAX network in a challenging urban area in the capital city of Brussels, Belgium.
Conference Paper
Full-text available
This paper considers a category of rogue access points (APs) that pretend to be legitimate APs to lure users into connecting to them. We propose a practical timing-based technique that allows the user to avoid connecting to rogue APs. Our method employs the round-trip time between the user and the DNS server to independently determine whether an AP is legitimate or not, without assistance from the WLAN operator. We implemented our detection technique on commercially available wireless cards to evaluate its performance.
Conference Paper
Full-text available
One of the most challenging security concerns for network administrators is the presence of rogue access points. In this paper, we propose a statistics-based approach to detect rogue access points using a hidden Markov model applied to passively measured packet-header data collected at a gateway router. Our approach utilizes variations in packet inter-arrival time to differentiate between authorized access points and rogue access points. We designed and developed our hidden Markov model by analyzing denial-of-service attacks and the traffic characteristics of 802.11-based wireless local area networks. Experimental validation demonstrates the effectiveness of our approach. Our trained hidden Markov model can detect the presence of a rogue access point promptly, within one second, with extreme accuracy (very low false positive and false negative ratios are obtained). The success of our approach lies in the fact that it leverages knowledge about the traffic characteristics of 802.11-based WLANs and the properties of denial-of-service attacks. Our approach is scalable and non-intrusive, requires little deployment cost and effort, and is easy to manage and maintain.
Conference Paper
The recent trend of mobile ad hoc networks increases the ability and robustness of communication between mobile nodes. Mobile ad hoc networks are completely free from pre-existing infrastructure or authentication points, so all the mobile nodes present that want to communicate with each other immediately form the topology and initiate requests to send or receive data packets. From a security perspective, communication between mobile nodes via wireless links makes these networks more susceptible to internal or external attacks, because anyone can join and leave the network at any time. In general, the packet dropping attack through malicious node(s) is one of the possible attacks in a mobile ad hoc network. This paper emphasizes the development of an intrusion detection system using fuzzy logic to detect the packet dropping attack in mobile ad hoc networks and also to remove the malicious nodes in order to save the resources of mobile nodes. For the implementation, the Qualnet 6.1 simulator and a Mamdani fuzzy inference system are used to analyze the results. Simulation results show that our system is more capable of detecting dropping attacks with a high true positive rate and low false positive rate.
Conference Paper
In this paper, we introduce GTID, a technique that passively fingerprints wireless devices and their types from the wired backbone. GTID exploits the heterogeneity of devices, which is a function of different device hardware compositions and variations in devices' clock skew. We use statistical techniques to create unique, reproducible device and device type signatures that represent time variant behavior in network traffic and use artificial neural networks (ANNs) to classify devices and device types. We demonstrate the efficacy of our technique on both an isolated testbed and a live campus network (during peak hours) using a corpus of 27 devices representing a wide range of device classes. We collected more than 100 GB of traffic captures for ANN training and classification. We assert that for any fingerprinting technique to be practical, it must be able to detect previously unseen devices (i.e., devices for which no stored signature is available) and must be able to withstand various attacks. GTID is the first fingerprinting technique to detect previously unseen devices and to illustrate its resilience under various attacker models. We measure the performance of GTID by considering accuracy, recall, and processing time and illustrate how it can be used to complement existing authentication systems and to detect counterfeit devices.
Conference Paper
802.11 device fingerprinting is the action of characterizing a target device through its wireless traffic. This results in a signature that may be used for identification, network monitoring or intrusion detection. The fingerprinting method can be active, by sending traffic to the target device, or passive, by just observing the traffic sent by the target device. Many passive fingerprinting methods rely on the observation of one particular network feature, such as the rate-switching behavior or the transmission pattern of probe requests. In this work, we evaluate a set of global wireless network parameters with respect to their ability to identify 802.11 devices. We restrict ourselves to parameters that can be observed passively using a standard wireless card. We evaluate these parameters for two different tests: i) the identification test, which returns one single result, being the closest match for the target device, and ii) the similarity test, which returns a set of devices that are close to the target device. We find that the network parameters transmission time and frame inter-arrival time perform best in comparison to the other network parameters considered. Finally, we focus on inter-arrival times, the most promising parameter for device identification, and show its dependency on several device characteristics such as the wireless card and driver but also the running applications.
Conference Paper
The threat of rogue Access Points (APs) has attracted significant attention from both industrial and academic researchers. However, existing solutions focus on rogue AP detection rather than localization. We propose a Rogue AP Detection and Localization (RAPDL) architecture, which integrates rogue AP detection and localization into one software system. A RAPDL demonstration system has been developed in our laboratory. In the RAPDL system, the monitors identify potential rogue APs, measure their properties and report relevant information to the server. The RAPDL server collects information from all monitors and runs a localization algorithm to identify and locate the rogue APs. We implemented two localization algorithms in the RAPDL system based on received signal strength (RSS) and compared their performance. Experimental results acquired in an office environment show that RAPDL can detect and locate rogue APs quickly and accurately.
Conference Paper
Wireless access points (APs) are widely used for the convenience and productivity of smartphone users. The growing popularity of wireless local area networks (WLANs) increases the risk of wireless security attacks. A fake AP can be set up in any public space in order to impersonate legitimate APs for monetization. Existing fake AP detection methods analyze wireless traffic using extra devices, and the traffic is collected by servers. However, these server-side methods are costly and provide secure communication for clients' devices only in limited places. Recently, several fake AP detection methods have been designed to overcome the server-side problems on the client side. However, there are two limitations to the client-side methods: cumbersome processes and limited resources. When these methods attempt to collect data, calculating interval times incurs time-consuming processing to detect fake characteristics on the client side. Moreover, the operating systems in smartphones provide limited resources that can hardly be adopted on the client side. In this paper, we propose a novel fake AP detection method to solve the aforementioned problems on the client side. The method leverages received signal strengths (RSSs) and an online detection algorithm. Our method collects RSSs from nearby APs and normalizes them for accurate measurement. We measure the similarity of the normalized RSSs. If the similarity between normalized RSSs is less than a fixed threshold value, we determine that the RSSs are generated by a fake device. The optimal threshold value is derived from sequential hypothesis testing. In our experiment, when the fixed threshold value was 2, the true positive rate was over 99% and the false positive rate was less than 0.1% in three observations.
Article
In this paper, we consider the problem of "evil twin" attacks in wireless local area networks (WLANs). An evil twin is essentially a rogue (phishing) Wi-Fi access point (AP) that looks like a legitimate one (with the same SSID). It is set up by an adversary, who can eavesdrop on the wireless communications of users' Internet access. Existing evil twin detection solutions are mostly for wireless network administrators to verify whether a given AP is in an authorized list or not, rather than for a wireless client to detect whether a given AP is authentic or evil. Such administrator-side solutions are limited, expensive, and not available for many scenarios. Thus, a lightweight, effective, user-side solution is highly desired. In this work, we propose a novel user-side evil twin detection technique that outperforms traditional administrator-side detection methods in several aspects. Unlike previous approaches, our technique does not need a known authorized AP/host list, so it is suitable for users to identify and avoid evil twins. Our technique does not strictly rely on training data of the target wireless networks, nor does it depend on the type of wireless network. We propose to exploit the fundamental communication structures and properties of such evil twin attacks in wireless networks and to design new active, statistical and anomaly detection algorithms. Our preliminary evaluation in real-world, widely deployed 802.11b and 802.11g wireless networks shows very promising results. We can identify evil twins with a very high detection rate while maintaining a very low false positive rate.
Conference Paper
Due to the prevalence of insecure open 802.11 access points, it is currently easy for a malicious party to launch a variety of attacks such as eavesdropping and data injection. In this paper, we consider a particular threat called the evil twin attack, which occurs when an adversary clones an open access point and exploits common automatic access point selection techniques to trick a wireless client into associating with the malicious access point. We propose two lines of defense against this attack. First, we present an evil twin detection strategy called context-leashing, based on recording the nearby access points when first associating with an access point. Using this contextual information, the client determines whether an adversary has set up an evil twin access point at a different location. Next, we propose an SSH-style authentication method called EAP-SWAT to perform one-way access point authentication that fits into the Extensible Authentication Protocol (EAP) framework.