Robust Detection of Unauthorized Wireless Access Points

Unauthorized 802.11 wireless access points (APs), or rogue APs, such as those brought onto a corporate campus by employees, pose a security threat because they are often poorly managed or insufficiently secured. An attacker in the vicinity can easily get onto the internal network through a rogue AP, bypassing all perimeter security measures. Existing detection solutions do not work well against rogue APs that are configured as routers and protected by WEP, 802.11i, or other security measures. In this paper, we describe a new rogue AP detection method that addresses this problem. Our solution uses a verifier on the internal wired network to send test traffic towards the wireless edge, and uses wireless sniffers to identify rogue APs that relay the test packets. To sweep all candidate rogue APs quickly, the verifier uses a greedy algorithm to schedule the channels the sniffers listen on. To work with encrypted AP traffic, the sniffers use a probabilistic algorithm that relies only on observed wireless frame sizes. Using extensive experiments, we show that the proposed approach robustly detects rogue APs with moderate network overhead. The results also show that the algorithm is resilient to congested wireless channels and has low false positive and false negative rates in realistic environments.
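The abstract names two mechanisms without giving their details: a greedy schedule that decides which channel each sniffer listens on in each time slot, and a frame-size correlation that recognises relayed test packets even when the AP encrypts them. The example below is an added illustration written for this page, not the paper's code, and it does not claim to reproduce the authors' algorithms. It interprets the scheduling step as greedy set cover over (sniffer, channel) pairs, and the frame-size step as a search for the constant encapsulation offset that best aligns the injected packet sizes with captured frame lengths, followed by a binomial test against the background rate of frames of those sizes. The sniffer reach map, the 52-byte offset, the test packet sizes, and both captures are constructed sample data; the 0.5 s window and the 1e-3 decision threshold are assumed parameters.

```python
"""Added illustration: greedy sniffer channel scheduling and frame-size
correlation of injected test traffic through an encrypted AP.
Not the paper's code; all sample data and parameters are constructed."""
import math
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

Candidate = Tuple[str, int]   # (BSSID, channel) of a candidate rogue AP
Test = Tuple[float, int]      # (send time in s, wired packet length in bytes)
Frame = Tuple[float, int]     # (capture time in s, 802.11 frame length in bytes)


def greedy_schedule(reach: Dict[str, Set[Candidate]]) -> List[Dict[str, int]]:
    """One channel per sniffer per time slot until every candidate AP has
    been listened to. Greedy set cover: in each slot a sniffer takes the
    channel on which it hears the most still-uncovered candidates.
    `reach` maps sniffer name -> candidates it can hear (assumed known
    from an earlier passive scan)."""
    uncovered: Set[Candidate] = set().union(*reach.values())
    slots: List[Dict[str, int]] = []
    while uncovered:
        slot: Dict[str, int] = {}
        for sniffer, heard in sorted(reach.items()):
            per_channel = Counter(ch for _, ch in heard & uncovered)
            if not per_channel:
                continue  # nothing left for this sniffer to contribute
            # Most uncovered candidates first; lowest channel breaks ties.
            chan = max(per_channel, key=lambda c: (per_channel[c], -c))
            slot[sniffer] = chan
            uncovered -= {c for c in heard if c[1] == chan}
        slots.append(slot)
    return slots


def best_offset(tests: List[Test], frames: List[Frame],
                window: float) -> Tuple[Optional[int], int]:
    """Find the constant length offset that aligns the most test packets with
    a frame captured within `window` seconds of sending. The offset absorbs
    the unknown encapsulation overhead (802.11 header, LLC/SNAP, WEP or CCMP
    fields, FCS, minus the Ethernet header), so the check needs no knowledge
    of the cipher in use. Each test packet casts one vote per offset."""
    votes: Counter = Counter()
    for t_send, t_len in tests:
        votes.update({f_len - t_len for f_time, f_len in frames
                      if t_send <= f_time <= t_send + window})
    if not votes:
        return None, 0
    offset = max(votes, key=lambda o: (votes[o], -o))
    return offset, votes[offset]


def relay_score(tests: List[Test], frames: List[Frame],
                window: float = 0.5) -> Tuple[Optional[int], int, float]:
    """Return (offset, matched, p_value): how many test packets reappeared at
    the AP, and the probability of at least that many alignments if the AP
    were NOT relaying. Null model: frames of each matching length arrive as
    Poisson background at the rate seen over the whole capture (which
    includes any true relays, so the estimate is conservative); the number
    of aligned test packets is then binomial."""
    offset, matched = best_offset(tests, frames, window)
    if offset is None:
        return None, 0, 1.0
    n = len(tests)
    times = [t for t, _ in frames]
    duration = max(max(times) - min(times), window)
    p_hit = []
    for _, t_len in tests:
        rate = sum(1 for _, f_len in frames if f_len == t_len + offset) / duration
        p_hit.append(1.0 - math.exp(-rate * window))
    p = sum(p_hit) / n
    p_value = sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i)
                  for i in range(matched, n + 1))
    return offset, matched, p_value


def is_rogue(tests: List[Test], frames: List[Frame],
             window: float = 0.5, alpha: float = 1e-3) -> bool:
    return relay_score(tests, frames, window)[2] < alpha


# Constructed sample data (hypothetical sniffers, BSSIDs and captures).
SNIFFER_REACH = {
    "sniffer-A": {("02:00:00:00:00:01", 1), ("02:00:00:00:00:02", 6),
                  ("02:00:00:00:00:03", 6), ("02:00:00:00:00:04", 11)},
    "sniffer-B": {("02:00:00:00:00:03", 6), ("02:00:00:00:00:05", 36),
                  ("02:00:00:00:00:06", 40)},
}
# Six test packets with deliberately distinctive sizes, one per second.
TEST_PACKETS = [(float(i), size) for i, size in enumerate([300, 700, 500, 1100, 400, 900])]
ASSUMED_OFFSET = 52  # assumed encapsulation overhead of the hypothetical rogue AP
BACKGROUND = [(0.3, 1500), (0.7, 80), (1.4, 1500), (2.2, 80),
              (3.6, 1500), (4.3, 66), (5.5, 1500)]
# Rogue AP: every test packet shows up 50 ms later, mixed with unrelated traffic.
ROGUE_CAPTURE = sorted(BACKGROUND + [(t + 0.05, size + ASSUMED_OFFSET)
                                     for t, size in TEST_PACKETS])
# Honest AP: only unrelated traffic during the same windows.
HONEST_CAPTURE = [(0.1, 1500), (0.4, 80), (1.2, 1500), (1.3, 80), (2.1, 66), (2.4, 1500),
                  (3.1, 80), (3.3, 1500), (4.1, 1500), (4.4, 80), (5.1, 66), (5.2, 1500)]

if __name__ == "__main__":
    for i, slot in enumerate(greedy_schedule(SNIFFER_REACH), 1):
        print(f"slot {i}: {slot}")
    for name, capture in (("rogue", ROGUE_CAPTURE), ("honest", HONEST_CAPTURE)):
        print(name, relay_score(TEST_PACKETS, capture), is_rogue(TEST_PACKETS, capture))
```

With this data the scheduler sweeps all six candidates in three slots, the rogue capture aligns all six test packets at offset 52 with a chance probability well below 1e-6, and the honest capture aligns at most one packet with a chance probability above 0.2. Two practical caveats follow from the design: the background rate is estimated from the same capture, so a busy channel raises the p-value and costs sensitivity rather than producing false positives, and the distinctive test sizes should be chosen away from the sizes that dominate the candidate AP's own traffic (full MTU frames, TCP ACKs), otherwise the offset vote becomes noisy.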
