SLFAT: Client-Side Evil Twin Detection Approach Based on Arrival Time of Special Length Frames

In general, the IEEE 802.11 network identifiers used by wireless access points (APs) can be easily spoofed. Accordingly, a malicious adversary is able to clone the identity information of a legitimate AP (LAP) to launch evil twin attacks (ETAs). The evil twin is a class of rogue access point (RAP) that masquerades as a LAP and allures Wi-Fi victims’ traffic. It enables an attacker with little effort and expenditure to eavesdrop or manipulate wireless communications. Due to the characteristics of strong concealment, high confusion, great harmfulness, and easy implementation, the ETA has become one of the most severe security threats in Wireless Local Area Networks (WLANs). Here, we propose a novel client-side approach, Speical Length Frames Arrival Time (SLFAT), to detect the ETA, which utilizes the same gateway as the LAP. By monitoring the traffic emitted by target APs at a detection node, SLFAT extracts the arrival time of the special frames with the same length to determine the evil twin’s forwarding behavior. SLFAT is passive, lightweight, efficient, hard to be escaped. It allows users to independently detect ETA on ordinary wireless devices. Through implementation and evaluation in our study, SLFAT achieves a very high detection rate in distinguishing evil twins from LAPs.

[1]  Anil Kumar,et al.  Security analysis and implementation of a simple method for prevention and detection against Evil Twin attack in IEEE 802.11 wireless LAN , 2016, 2016 International Conference on Computational Techniques in Information and Communication Technologies (ICCTICT).

[2]  Chao Yang,et al.  Who is peeping at your passwords at Starbucks? — To catch an evil twin access point , 2010, 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN).

[3]  Cliff Changchun Zou,et al.  User-side Wi-Fi evil twin attack detection using random wireless channel monitoring , 2016, MILCOM 2016 - 2016 IEEE Military Communications Conference.

[4]  Sachin Shetty,et al.  Rogue Access Point Detection by Analyzing Network Traffic Characteristics , 2007, MILCOM 2007 - IEEE Military Communications Conference.

[5]  Bo Sheng,et al.  A Timing-Based Scheme for Rogue AP Detection , 2011, IEEE Transactions on Parallel and Distributed Systems.

[6]  Marco Gruteser,et al.  Wireless device identification with radiometric signatures , 2008, MobiCom '08.

[7]  David A. Cieslak,et al.  RIPPS: Rogue Identifying Packet Payload Slicer Detecting Unauthorized Wireless Hosts Through Network Traffic Conditioning , 2008, TSEC.

[8]  Sergey Bratus,et al.  Active behavioral fingerprinting of wireless devices , 2008, WiSec '08.

[9]  Carlos Ribeiro,et al.  WiFiHop - Mitigating the Evil Twin Attack through Multi-hop Detection , 2011, ESORICS.

[10]  Andriy Panchenko,et al.  Hacker's toolbox: Detecting software-based 802.11 evil twin access points , 2015, 2015 12th Annual IEEE Consumer Communications and Networking Conference (CCNC).

[11]  Jie Wang,et al.  Detecting protected layer-3 rogue APs , 2007, 2007 Fourth International Conference on Broadband Communications, Networks and Systems (BROADNETS '07).

[12]  Yu-Liang Hsu,et al.  A client-side detection mechanism for evil twins , 2017, Comput. Electr. Eng..

[13]  Chao Yang,et al.  Active User-Side Evil Twin Access Point Detection Using Statistical Techniques , 2012, IEEE Transactions on Information Forensics and Security.

[14]  Thomas Engel,et al.  Letting the puss in boots sweat: detecting fake access points using dependency of clock skews on temperature , 2014, AsiaCCS.

[15]  Chrisil Arackaparambil,et al.  On the reliability of wireless fingerprinting using clock skews , 2010, WiSec '10.

[16]  Khaled Elleithy,et al.  Rogue Access Point Detection: Taxonomy, Challenges, and Future Directions , 2016, Wirel. Pers. Commun..

[17]  Shashikala Tapaswi,et al.  Wireless Rogue Access Point Detection Using Shadow Honeynet , 2015, Wirel. Pers. Commun..

[18]  Chun Zhang,et al.  Classification of access network types: Ethernet, wireless LAN, ADSL, cable modem or dialup? , 2008, Comput. Networks.

[19]  Alec Wolman,et al.  Enhancing the security of corporate Wi-Fi networks using DAIR , 2006, MobiSys '06.

[20]  Yuan Zhuang,et al.  Client-Side Evil Twin Attacks Detection Using Statistical Characteristics of 802.11 Data Frames , 2018, IEICE Trans. Inf. Syst..

[21]  Sneha Kumar Kasera,et al.  On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews , 2008, IEEE Transactions on Mobile Computing.

[22]  Donald F. Towsley,et al.  Identifying 802.11 Traffic from Passive Measurements Using Iterative Bayesian Inference , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[23]  Rong Zheng,et al.  Device fingerprinting to enhance wireless security using nonparametric Bayesian method , 2011, 2011 Proceedings IEEE INFOCOM.

[24]  Thomas Engel,et al.  Undesired relatives: protection mechanisms against the evil twin attack in IEEE 802.11 , 2014, Q2SWinet '14.

[25]  Andreas Zinnen,et al.  Clock skew based remote device fingerprinting demystified , 2012, 2012 IEEE Global Communications Conference (GLOBECOM).

[26]  Yuan Zhuang,et al.  A Passive Client-based Approach to Detect Evil Twin Attacks , 2017, 2017 IEEE Trustcom/BigDataSE/ICESS.