Rogue Access Point Detection Using Innate Characteristics of the 802.11 MAC

Attacks on wireless networks can be classified into two categories: external wireless and internal wired. In external wireless attacks, an attacker uses a wireless device to target the access point (AP), other wireless nodes or the communications on the network. In internal wired attacks, an attacker or authorized insider inserts an unauthorized (or rogue) AP into the wired backbone for malicious activity or misfeasance. This paper addresses detecting the internal wired attack of inserting rogue APs (RAPs) in a network by monitoring on the wired side for characteristics of wireless traffic. We focus on two 802.11 medium access control (MAC) layer features as a means of fingerprinting wireless traffic in a wired network. In particular, we study the effect of the Distributed Coordination Function (DCF) and rate adaptation specifications on wireless traffic by observing their influence on arrival delays. By focusing on fundamental traits of wireless communications, unlike existing techniques, we demonstrate that it is possible to extract wireless components from a flow without having to train our system with network-specific wired and wireless traces. Unlike some existing anomaly-based detection schemes, our approach is generic: it does not assume that the wired network is inherently faster than the wireless network, it is effective for networks that do not have sample wireless traffic, and it is independent of network speed, type and protocol. We evaluate our approach using experiments and simulations. Using a Bayesian classifier, we show that we can correctly identify wireless traffic on a wired link with 86-90% accuracy. This, coupled with an appropriate switch port policy, allows the identification of RAPs.
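As an added illustration of the wired-side classification idea (not the paper's code, data or exact feature set), the following example builds constructed inter-arrival traces in which relayed 802.11 frames carry DCF delay (DIFS plus a random backoff, using the standard 802.11b values of a 20 µs slot, 50 µs DIFS and CWmin of 32) and a rate-adaptation-dependent airtime, while wired frames carry only serialisation time and queueing jitter; a Gaussian naive Bayes over two per-flow delay features is then trained and scored on fresh flows. The trace model and the choice of features are assumptions made for this example.

```python
import math
import random
import statistics

SLOT_US, DIFS_US, CW_MIN = 20.0, 50.0, 32      # 802.11b DCF timing (standard values)
RATES_MBPS = (1.0, 2.0, 5.5, 11.0)             # rates a rate-adaptation loop may select
FRAME_BITS = 1500 * 8                          # bits / Mbps gives airtime in microseconds

def wireless_gaps(n, seed):
    """Constructed gaps (us) between frames relayed by an AP: DIFS + random
    backoff slots + rate-dependent airtime, so gaps are slot-shaped and bursty."""
    rng = random.Random(seed)
    return [DIFS_US + rng.randrange(CW_MIN) * SLOT_US + FRAME_BITS / rng.choice(RATES_MBPS)
            for _ in range(n)]

def wired_gaps(n, seed):
    """Constructed gaps (us) for a 100 Mb/s Ethernet host: fixed serialisation plus jitter."""
    rng = random.Random(seed)
    return [FRAME_BITS / 100.0 + rng.expovariate(1 / 30.0) for _ in range(n)]

def features(gaps):
    """Per-flow features seen at the wired monitor: log mean gap and coefficient of variation."""
    mean = statistics.fmean(gaps)
    return [math.log(mean), statistics.pstdev(gaps) / mean]

class GaussianNB:
    """Gaussian naive Bayes: one (mean, std) per feature per class, equal priors."""
    def fit(self, X, y):
        self.params = {}
        for c in set(y):
            cols = list(zip(*[x for x, label in zip(X, y) if label == c]))
            self.params[c] = [(statistics.fmean(v), statistics.pstdev(v) + 1e-6) for v in cols]
        return self
    def predict(self, x):
        def loglik(c):
            return sum(-0.5 * ((xi - m) / s) ** 2 - math.log(s) for xi, (m, s) in zip(x, self.params[c]))
        return max(self.params, key=loglik)

def train_and_evaluate(flows_per_class=40, gap_count=200):
    """Train on labelled constructed flows and return accuracy on unseen ones."""
    def flows(seed0):
        X, y = [], []
        for i in range(flows_per_class):
            X.append(features(wireless_gaps(gap_count, seed0 + i))); y.append("wireless")
            X.append(features(wired_gaps(gap_count, seed0 + 1000 + i))); y.append("wired")
        return X, y
    clf = GaussianNB().fit(*flows(0))
    X_test, y_test = flows(5000)
    return sum(clf.predict(x) == label for x, label in zip(X_test, y_test)) / len(y_test)
```

On these constructed traces the two classes separate cleanly, so the accuracy is far above the 86-90% the paper reports on real traffic; the point is the pipeline (per-flow delay features from the wired side, then a Bayesian decision), not the number.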
