A Hidden Markov Model based approach to detect Rogue Access Points

One of the most challenging security concerns for network administrators is the presence of rogue access points. In this paper, we propose a statistics-based approach to detect rogue access points using a hidden Markov model applied to passively measured packet-header data collected at a gateway router. Our approach uses variations in packet inter-arrival time to differentiate between authorized access points and rogue access points. We designed and developed our hidden Markov model by analyzing denial of service attacks and the traffic characteristics of 802.11-based wireless local area networks. Experimental validations demonstrate the effectiveness of our approach. Our trained hidden Markov model can detect the presence of a rogue access point promptly, within one second, with extreme accuracy (very low false positive and false negative ratios are obtained). The success of our approach lies in the fact that it leverages knowledge about the behaviour of the traffic characteristics of 802.11-based WLANs and the properties of denial of service attacks. Our approach is scalable and non-intrusive, requiring little deployment cost and effort, and is easy to manage and maintain.
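As an added illustration of the machinery the abstract describes (this is not code from the paper), the block below decodes a window of quantised packet inter-arrival times with a two-state hidden Markov model using the Viterbi algorithm and flags the window when the rogue state dominates. The bin edges, start/transition/emission probabilities and the sample windows are all constructed assumptions, not the trained parameters or measurements reported in the paper.

```python
import math

STATES = ("authorised", "rogue")          # hidden states of the model

def quantise(iat_ms):
    """Map an inter-arrival time (ms) to a symbol; bin edges are an assumption."""
    return "short" if iat_ms < 2.0 else "medium" if iat_ms < 10.0 else "long"

# Constructed parameters for illustration only; a real model would learn
# them from labelled traces (e.g. Baum-Welch), not use hand-picked values.
START = {"authorised": 0.9, "rogue": 0.1}
TRANS = {"authorised": {"authorised": 0.95, "rogue": 0.05},
         "rogue":      {"authorised": 0.05, "rogue": 0.95}}
EMIT = {"authorised": {"short": 0.6, "medium": 0.3, "long": 0.1},
        "rogue":      {"short": 0.1, "medium": 0.3, "long": 0.6}}

def viterbi(observations):
    """Most likely hidden-state sequence for a list of symbols (log domain)."""
    log = math.log
    best = {s: log(START[s]) + log(EMIT[s][observations[0]]) for s in STATES}
    back = []                              # back[t][s] = best predecessor of s
    for obs in observations[1:]:
        new_best, ptr = {}, {}
        for s in STATES:
            prev, score = max(((p, best[p] + log(TRANS[p][s])) for p in STATES),
                              key=lambda t: t[1])
            new_best[s], ptr[s] = score + log(EMIT[s][obs]), prev
        best, back = new_best, back + [ptr]
    state = max(best, key=best.get)        # best final state, then backtrack
    path = [state]
    for ptr in reversed(back):
        state = ptr[state]
        path.append(state)
    return path[::-1]

def classify_window(iats_ms, rogue_fraction=0.5):
    """Decode one window of inter-arrival times and flag it as rogue when the
    rogue state occupies at least rogue_fraction of the decoded path."""
    path = viterbi([quantise(t) for t in iats_ms])
    share = path.count("rogue") / len(path)
    return ("rogue" if share >= rogue_fraction else "authorised", share)

# Constructed sample windows in milliseconds (not traces from the paper).
AUTHORISED_SAMPLE = [0.8, 1.1, 3.0, 0.9, 1.4, 2.2, 0.7, 1.0]
ROGUE_SAMPLE = [14.0, 22.5, 6.0, 31.0, 18.2, 12.9, 25.0, 7.5]

if __name__ == "__main__":
    print("authorised window ->", classify_window(AUTHORISED_SAMPLE))
    print("rogue window      ->", classify_window(ROGUE_SAMPLE))
```

The per-window decision is what makes the detector fast: one window of a handful of inter-arrival gaps is enough to produce a verdict, which is how a detection latency on the order of a second becomes possible.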
