An Efficient Scheme to Detect Evil Twin Rogue Access Point Attack in 802.11 Wi-Fi Networks

International Journal of Wireless Information Networks

Abstract

The MAC layer of the 802.11 protocol possesses inherent weaknesses that make it vulnerable to various security attacks such as denial of service, deauthentication attacks, flooding attacks, rogue access points (RAPs), etc. In this manuscript we focus on the evil twin attack. An evil twin is a RAP set up by cloning the MAC address and the Service Set IDentifier of an existing wireless access point (AP). An evil twin is set up so that clients unknowingly connect to it under the pretext that they are connected to a genuine AP. Once a client is connected, an attacker eavesdrops on its communication to hijack the client’s communication, redirect clients to malicious websites, or steal the credentials of the clients connecting to it. Existing methods to detect the evil twin include maintaining white lists, patching the AP/client, timing-based solutions, protocol modifications, etc. These methods usually require extensive setup and maintenance, have scalability and compatibility issues, and require changes in the protocol stack, making them expensive to deploy and manage. Network conditions under normal operation and under an evil twin attack are almost similar, so crafting a signature or defining an anomaly pattern usually leads to a large number of false positives. In this manuscript, we propose an IDS for detecting the evil twin attack, which addresses most of the issues associated with the existing detection mechanisms. Further, the scheme is also proved to detect a single evil twin, multiple evil twins for a single AP, and multiple evil twins for multiple APs. The proposed IDS has been deployed in a lab environment; its detection rate exceeds the 92% mark and its accuracy is 100% in all the runs.

Notes

  1. Genuine AP implies an AP set up by a network administrator.

  2. Henceforth in the manuscript an authentication response would mean a successful authentication response.

  3. Henceforth in the manuscript an association response would mean a successful association response.

  4. Henceforth, we consider only those cases in which no deauthentication frame is present in between two association frames.

Author information

Corresponding author

Correspondence to Santosh Biswas.

Cite this article

Agarwal, M., Biswas, S. & Nandi, S. An Efficient Scheme to Detect Evil Twin Rogue Access Point Attack in 802.11 Wi-Fi Networks. Int J Wireless Inf Networks 25, 130–145 (2018). https://doi.org/10.1007/s10776-018-0396-1

  • DOI: https://doi.org/10.1007/s10776-018-0396-1
