Medium Access Control (MAC) address spoofing is considered as an important first step in a hacker’s attempt to launch a variety of attacks on 802.11 wireless networks. Unfortunately, MAC address spoofing is hard to detect. Most current spoofing detection systems mainly use the sequence number (SN) tracking technique, which has drawbacks. Firstly, it may lead to an increase in the number of false positives. Secondly, such techniques cannot be used in systems with wireless cards that do not follow standard 802.11 sequence number patterns. Thirdly, attackers can forge sequence numbers, thereby causing the attacks to go undetected. We present a new architecture called WISE GUARD (Wireless Security Guard) for detection of MAC address spoofing on 802.11 wireless LANs. It integrates three detection techniques – SN tracking, Operating System (OS) fingerprinting & tracking and Received Signal Strength (RSS) fingerprinting & tracking. It also includes the fingerprinting of Access Point (AP) parameters as an extension to the OS fingerprinting for detection of AP address spoofing. We have implemented WISE GUARD on a test bed using off-the-shelf wireless devices and open source drivers. Experimental results show that the new design enhances the detection effectiveness and reduces the number of false positives in comparison with current approaches.
[1]
Paramvir Bahl,et al.
RADAR: an in-building RF-based user location and tracking system
,
2000,
Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).
[2]
Joshua Wright,et al.
Detecting Wireless LAN MAC Address Spoofing
,
2003
.
[3]
José Carlos Brustoloni,et al.
Detecting and Blocking Unauthorized Access in Wi-Fi Networks
,
2004,
NETWORKING.
[4]
Paramvir Bahl,et al.
A Software System for Locating Mobile Users: Design, Evaluation, and Lessons
,
2000
.