Using multiscale traffic analysis to detect WPS attacks

The worldwide adoption of the IEEE 802.11 standard as the solution to provide efficient network coverage with high data rates raised several security concerns. In a first stage, Wired Equivalent Privacy (WEP) was used to protect wireless networks from intrusions, whose main motivations ranged from simply getting free Internet access to the perpetration of complex attacks in order to retrieve confidential information. However, due to multiple technical flaws, this approach was not sufficient, leading to the emergence of the Wi-Fi Protected Access (WPA) and WPA2 technologies, which provided more secure mechanisms at the cost of requiring more complicated configuration tasks. To simplify configuration, the Wi-Fi Alliance proposed Wi-Fi Protected Setup (WPS), which is used by major network product manufacturers and provides a much easier configuration setup, although in a less efficient security environment. In fact, this implementation is vulnerable to brute-force attacks, which are very quick to execute, have little complexity and are difficult to detect. After cracking WPS, attackers can access WPA/WPA2 login information and illicitly connect to the target wireless network. There are several technical requirements and legal constraints that limit access to the contents of wireless frames, thus preventing their deep analysis. This paper presents a method to detect attacks over WPA-enabled routers with Wi-Fi Protected Setup, based only on the amount of generated traffic. The detection methodology uses a monitoring station that exclusively analyzes traffic flows from the router: by monitoring traffic and using a multiscale analysis procedure, the approach is able to accurately identify each intrusion attempt.
