Mobile Networks and Applications, Volume 14, Issue 4, pp 508–522

Robust Detection of Unauthorized Wireless Access Points



Unauthorized 802.11 wireless access points (APs), or rogue APs, such as those brought into a corporate campus by employees, pose a security threat because they may be poorly managed or insufficiently secured. An attacker in the vicinity may easily get onto the internal network through a rogue AP, bypassing all perimeter security measures. Existing detection solutions do not work well for detecting rogue APs configured as routers that are protected by WEP, 802.11i, or other security measures. In this paper, we describe a new rogue AP detection method to address this problem. Our solution uses a verifier on the internal wired network to send test traffic towards the wireless edge, and uses wireless sniffers to identify rogue APs that relay the test packets. To quickly sweep all possible rogue APs, the verifier uses a greedy algorithm to schedule the channels for the sniffers to listen to. To work with encrypted AP traffic, the sniffers use a probabilistic algorithm that relies only on observed wireless frame size. Using extensive experiments, we show that the proposed approach can robustly detect rogue APs with moderate network overhead. The results also show that our algorithm is resilient to congested wireless channels and has low false positives/negatives in realistic environments.
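A toy model of the relay test the abstract describes, added here as an illustration and not the paper's own code: the verifier injects test packets of deliberately unusual IP lengths, a sniffer records only the sizes of encrypted frames from each BSSID, and a size-only sequential match scores each BSSID against the channel's background size distribution. The overhead band, loss penalty, threshold and all sample frame sizes are constructed assumptions.

```python
import math

# Assumed overhead band (bytes) between an IP packet and the 802.11 frame that carries it:
# MAC header plus WEP/TKIP/CCMP encapsulation. Constructed for this example, not from the paper.
OVERHEAD_MIN, OVERHEAD_MAX = 36, 60
DETECT_THRESHOLD = 10.0      # assumption: log-likelihood ratio needed to flag a BSSID
LOSS_PENALTY = math.log(10)  # assumption: each test packet never seen counts ~10:1 against relay
P_FLOOR = 1e-3               # floor so a size absent from the background still gives finite evidence

def could_carry(ip_len, frame_len):
    """True if an encrypted frame of frame_len bytes could encapsulate an ip_len-byte packet."""
    return OVERHEAD_MIN <= frame_len - ip_len <= OVERHEAD_MAX

def chance_match_prob(ip_len, background):
    """Fraction of background frames on this channel whose size would match ip_len by accident."""
    hits = sum(1 for f in background if could_carry(ip_len, f))
    return max(hits / len(background), P_FLOOR) if background else P_FLOOR

def relay_score(test_sizes, observed, background):
    """Match the verifier's test-packet sizes, in order, against frame sizes sniffed from one BSSID.
    Returns (log-likelihood ratio of 'relayed' vs 'matched by chance', number of test packets matched).
    Rare sizes give strong evidence; common sizes (congested channel) give weak evidence."""
    llr, nxt = 0.0, 0
    for frame in observed:
        if nxt < len(test_sizes) and could_carry(test_sizes[nxt], frame):
            llr += -math.log(chance_match_prob(test_sizes[nxt], background))
            nxt += 1
    llr -= (len(test_sizes) - nxt) * LOSS_PENALTY   # test packets that never appeared
    return llr, nxt

def is_rogue(test_sizes, observed, background):
    """Flag the BSSID as a relaying (rogue) AP when the evidence clears the threshold."""
    return relay_score(test_sizes, observed, background)[0] >= DETECT_THRESHOLD

# Constructed sample: the verifier picks IP lengths unlikely to occur in normal traffic.
TEST_SIZES = [313, 717, 421, 1009]
# Constructed background frame sizes for the channel (ACK-sized and MTU-sized frames dominate).
BACKGROUND = [96] * 40 + [1538] * 40 + [200] * 10 + [600] * 10 + [360] * 5
# Constructed sniffer captures: a relaying AP shows every test size plus 44 bytes, in order.
ROGUE_FRAMES = [96, 1538, 357, 96, 761, 1538, 465, 96, 200, 1053]
LEGIT_FRAMES = [96, 1538, 96, 600, 200, 1538]
LOSSY_FRAMES = [357, 761, 96]   # only two of four test packets were seen

if __name__ == "__main__":
    for name, frames in [("rogue", ROGUE_FRAMES), ("legit", LEGIT_FRAMES), ("lossy", LOSSY_FRAMES)]:
        print(name, relay_score(TEST_SIZES, frames, BACKGROUND), is_rogue(TEST_SIZES, frames, BACKGROUND))
```

The lossy capture shows the caveat: two matches of four score below the threshold, so a real deployment must repeat the sweep rather than clear a BSSID after one pass.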


Keywords: wireless security; IEEE 802.11; rogue AP; intrusion detection



This work is supported in part by NSF under Award CCF-0429906 and by the Science and Technology Directorate of the U.S. Department of Homeland Security under Award NBCH2050002. Points of view in this document are those of the authors and do not necessarily represent the official position of NSF or the U.S. Department of Homeland Security. We thank the MAP project team at Dartmouth College and Aruba Networks for the constructive discussions on the proposed detection method. David Martin also provided valuable comments on an early draft of this paper. We also thank the Dartmouth CRAWDAD team, particularly Jihwang Yeo, and the ICSI/LBNL group, who made efforts to release the network traces used in our experiments.



Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

Department of Computer Science, University of Massachusetts Lowell, Massachusetts, USA
