DOI: 10.1145/1298306.1298357
Article

Passive online rogue access point detection using sequential hypothesis testing with TCP ACK-pairs

Published: 24 October 2007

Abstract

Rogue (unauthorized) wireless access points pose serious security threats to local networks. In this paper, we propose two online algorithms to detect rogue access points using sequential hypothesis tests applied to packet-header data collected passively at a monitoring point. One algorithm requires training sets, while the other does not. Both algorithms extend our earlier TCP ACK-pair technique to differentiate wired and wireless LAN TCP traffic, and exploit the fundamental properties of the 802.11 CSMA/CA MAC protocol and the half-duplex nature of wireless channels. Our algorithms make prompt decisions as TCP ACK-pairs are observed, and incur only minimal computation and storage overhead. We have built a system for online rogue-access-point detection using these algorithms and deployed it at a university gateway router. Extensive experiments in various scenarios have demonstrated the excellent performance of our approach: the algorithm that requires training provides rapid detection and is extremely accurate (the detection is mostly within 10 seconds, with very low false positive and false negative ratios); the algorithm that does not require training detects 60%-76% of the wireless hosts without any false positives; both algorithms are lightweight (with computation and storage overhead well within the capability of commodity equipment).
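The abstract names sequential hypothesis testing over TCP ACK-pairs but does not spell out the test, so the following added example (written for this page, not the paper's own code or parameters) shows the shape of such a detector using Wald's sequential probability ratio test. Each ACK-pair observed for a host is reduced to one bit, whether its inter-arrival gap exceeds a threshold, and a running log-likelihood ratio per host is compared against the two Wald bounds; the host is called wireless when the upper bound is crossed, wired when the lower bound is crossed, and left undecided otherwise. The gap threshold, the two per-hypothesis probabilities, the error rates and the trace are all constructed assumptions chosen so the arithmetic is easy to follow; a real deployment would fit them from measured wired and wireless ACK-pair distributions.

```python
"""Wald SPRT over per-host TCP ACK-pair inter-arrival gaps (added example).

Every numeric constant here is a constructed assumption for illustration,
not a value taken from the paper.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed assumptions: a "slow" ACK-pair is one whose gap exceeds 1 ms.
GAP_THRESHOLD_S = 0.001
P_SLOW_WIRELESS = 0.7   # P(slow pair | wireless host), hypothesis H1 (assumed)
P_SLOW_WIRED = 0.1      # P(slow pair | wired host),    hypothesis H0 (assumed)
ALPHA = 0.01            # tolerated rate of calling a wired host wireless
BETA = 0.01             # tolerated rate of calling a wireless host wired

# Wald's decision bounds on the log-likelihood ratio.
UPPER = math.log((1 - BETA) / ALPHA)   # cross upward  -> accept H1 (wireless)
LOWER = math.log(BETA / (1 - ALPHA))   # cross downward -> accept H0 (wired)


@dataclass
class HostState:
    """All per-host state the detector keeps: one float, one counter, one verdict."""
    llr: float = 0.0
    pairs_seen: int = 0
    verdict: Optional[str] = None   # "wireless", "wired", or None while undecided


def log_likelihood_ratio(slow: bool) -> float:
    """Contribution of one ACK-pair observation to the running LLR (H1 over H0)."""
    if slow:
        return math.log(P_SLOW_WIRELESS / P_SLOW_WIRED)
    return math.log((1 - P_SLOW_WIRELESS) / (1 - P_SLOW_WIRED))


class AckPairSPRT:
    """One SPRT per source host; O(1) state per host and O(1) work per ACK-pair."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HostState] = {}

    def observe(self, host: str, gap_seconds: float) -> Optional[str]:
        """Feed one ACK-pair gap for `host`; return its verdict, or None if still undecided."""
        st = self.hosts.setdefault(host, HostState())
        if st.verdict is not None:
            return st.verdict          # decision already made; later pairs are ignored
        st.pairs_seen += 1
        st.llr += log_likelihood_ratio(gap_seconds > GAP_THRESHOLD_S)
        if st.llr >= UPPER:
            st.verdict = "wireless"
        elif st.llr <= LOWER:
            st.verdict = "wired"
        return st.verdict


def classify_trace(trace: List[Tuple[str, float]]) -> Dict[str, Tuple[Optional[str], int]]:
    """Run the detector over (host, gap_seconds) records; return verdict and pairs used per host."""
    det = AckPairSPRT()
    for host, gap in trace:
        det.observe(host, gap)
    return {h: (s.verdict, s.pairs_seen) for h, s in det.hosts.items()}


# Constructed trace: two hosts interleaved as a gateway monitor would see them.
# 10.0.0.7 mostly produces slow pairs (wireless-like), 10.0.0.9 mostly fast ones.
SAMPLE_TRACE: List[Tuple[str, float]] = [
    ("10.0.0.7", 0.0032), ("10.0.0.9", 0.0002), ("10.0.0.7", 0.0015),
    ("10.0.0.9", 0.0003), ("10.0.0.9", 0.0025), ("10.0.0.7", 0.0004),
    ("10.0.0.9", 0.0001), ("10.0.0.7", 0.0021), ("10.0.0.7", 0.0009),
    ("10.0.0.9", 0.0004), ("10.0.0.9", 0.0002), ("10.0.0.9", 0.0003),
]

if __name__ == "__main__":
    for host, (verdict, n) in classify_trace(SAMPLE_TRACE).items():
        print(f"{host}: {verdict or 'undecided'} after {n} ACK-pairs")
```

With these assumed parameters the bounds are about ±4.6 nats, a slow pair adds ln 7 ≈ 1.95 and a fast pair subtracts ln 3 ≈ 1.10, so 10.0.0.7 is called wireless on its fourth pair (the fifth is never counted) and 10.0.0.9, despite one slow pair, is called wired on its seventh. Lowering ALPHA widens the bounds and costs more pairs per decision; that trade-off is the knob a defender tunes against the false-positive budget.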



    Reviews

    David Bruce Henderson

    The unauthorized installation of wireless access points (APs) on a network increases the risk of security breaches and radio frequency (RF) interference. In this paper, the authors explore two real-time, passive techniques that can be used to detect these devices. Unauthorized APs, by definition, are not controlled by the administration and security management regime of a network. These devices are simple to install and use, and there are usually no physical barriers in doing so. The presence of unauthorized APs increases the risk of unauthorized access and attack, and may also cause RF interference to existing authorized APs. Consequently, network administrators need to discover these devices on their networks. There are two broad approaches to AP discovery: RF techniques and transmission control protocol (TCP) techniques. The drawback to the RF approach is the cost of additional equipment needed to monitor the radio spectrum. This equipment must, in general, be deployed over the entire network, with consequent implementation and ongoing support costs. The second approach requires no additional equipment, and is based on passive measurements at a single traffic aggregation point, such as a gateway router. It is this second approach that the authors explore. The authors briefly review earlier work, document their approach, and then analyze the characteristics of TCP ACK-pairs in both wired Ethernets and wireless networks. They develop two algorithms based on the different characteristics of TCP traffic over carrier sense multiple access/collision detection (CSMA/CD) wired circuits and carrier sense multiple access/collision avoidance (CSMA/CA) wireless circuits, and use these to detect the presence of wireless traffic. One of the algorithms requires training data, and is claimed to be extremely accurate. The other does not require training data, and detects 60 to 76 percent of wireless hosts without false positives.

    The authors address an area of significant concern to network administrators. The proposed solution offers centralized real-time detection of unauthorized APs, without the additional infrastructure needed for the alternative RF spectrum monitoring approach.

    Online Computing Reviews Service


    Information

    Published In

    IMC '07: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
    October 2007
    390 pages
    ISBN:9781595939081
    DOI:10.1145/1298306
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 24 October 2007


    Author Tags

    1. TCP ACK-pairs
    2. rogue access point detection
    3. sequential hypothesis testing

    Qualifiers

    • Article

    Conference

    IMC07
    Sponsor:
    IMC07: Internet Measurement Conference
    October 24 - 26, 2007
    San Diego, California, USA

    Acceptance Rates

    Overall Acceptance Rate 277 of 1,083 submissions, 26%

    Bibliometrics

    Article Metrics

    • Downloads (last 12 months): 6
    • Downloads (last 6 weeks): 0
    Reflects downloads up to 14 Dec 2024

    Cited By
    • (2024) Seeing the Unseen: The REVEAL Protocol to Expose the Wireless Man-in-the-Middle. IEEE Transactions on Wireless Communications 23(11):17143-17156, Nov 2024. doi:10.1109/TWC.2024.3451358
    • (2021) A Machine-Learning-Based Tool for Passive OS Fingerprinting With TCP Variant as a Novel Feature. IEEE Internet of Things Journal 8(5):3534-3553, 1 Mar 2021. doi:10.1109/JIOT.2020.3024293
    • (2020) EvilScout: Detection and Mitigation of Evil Twin Attack in SDN Enabled WiFi. IEEE Transactions on Network and Service Management 17(1):89-102, Mar 2020. doi:10.1109/TNSM.2020.2972774
    • (2020) Catch Me If You Can: Rogue Access Point Detection Using Intentional Channel Interference. IEEE Transactions on Mobile Computing 19(5):1056-1071, 1 May 2020. doi:10.1109/TMC.2019.2903052
    • (2020) Advanced Passive Operating System Fingerprinting Using Machine Learning and Deep Learning. 2020 29th International Conference on Computer Communications and Networks (ICCCN), pp. 1-11, Aug 2020. doi:10.1109/ICCCN49398.2020.9209694
    • (2020) PEDR: A Novel Evil Twin Attack Detection Scheme Based on Phase Error Drift Range. Security and Privacy in Communication Networks, pp. 188-207, 12 Dec 2020. doi:10.1007/978-3-030-63095-9_10
    • (2020) A passive user-side solution for evil twin access point detection at public hotspots. International Journal of Communication Systems 33(14), 25 Jun 2020. doi:10.1002/dac.4460
    • (2019) Integration of SDR and UAS for Malicious Wi-Fi Hotspots Detection. 2019 Integrated Communications, Navigation and Surveillance Conference (ICNS), pp. 1-8, Apr 2019. doi:10.1109/ICNSURV.2019.8735296
    • (2019) Evil-Twin Detection on Client-side. 2019 16th International Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology (ECTI-CON), pp. 697-700, Jul 2019. doi:10.1109/ECTI-CON47248.2019.8955158
    • (2018) Client-Side Evil Twin Attacks Detection Using Statistical Characteristics of 802.11 Data Frames. IEICE Transactions on Information and Systems E101.D(10):2465-2473, 1 Oct 2018. doi:10.1587/transinf.2018EDP7030