1 Introduction

Wi-Fi networks are prone to different kinds of Man-in-the-Middle (MitM) attacks, in which attackers intercept or manipulate information between user devices and the AP by spoofing device characteristics. In conventional MitM attacks, perpetrators typically equip a device with dual wireless cards: one connects to a legitimate AP, while the other serves as a rogue AP by spoofing the legitimate one. For such a rogue AP to function effectively, it must be configured with the same settings as the legitimate AP. Consequently, the attacker must acquire the Wi-Fi password of the original network to accurately duplicate these parameters in the rogue setup. Fluxion [1] and airbase-ng [2] are common tools for performing traditional rogue AP MitM attacks.

This paper focuses on the MC-MitM attack, one of the advanced MitM attacks introduced by Vanhoef et al. [3]. In this type of MitM attack, the attacker deploys a PC or laptop equipped with two wireless adapters, each operating on a different channel, allowing them to modify the encrypted wireless data between the AP and the client without needing any legitimate Wi-Fi passphrase. Specifically, the MC-MitM attacker spoofs the legitimate AP on a different channel (other than the legitimate channel) and relays all connection and data frames between these channels. This capability enables the attacker to communicate concurrently with both the client and the AP. Moreover, the method of transmitting frames across channels is effective regardless of the client’s authentication method with the network, rendering MC-MitM attacks feasible in both enterprise and personal Wi-Fi networks. Once the attacker achieves the MC-MitM position, they gain the ability to block, intercept, delay, modify, buffer, inject, and replay protected wireless frames transmitted between the client and the legitimate AP. These actions serve as the foundation for other MC-MitM-enabled attacks. While MC-MitM attacks do not directly break any encryption, their primary purpose is to exploit particular vulnerabilities (such as weaknesses in encryption or authentication processes) present in various Wi-Fi protocols (e.g., WPA, WPA2/3). This exploitation allows attackers to access and potentially extract sensitive user data. To establish an MC-MitM position, attackers need to provoke a channel switch in the legitimate connections. They can achieve this by disrupting communication using layer 1 techniques, such as jamming, or layer 2 techniques, such as Denial-of-Service (DoS) attacks, as described in [4, 5]. Alternatively, attackers can use Channel Switch Announcements (CSA) to manipulate client devices into switching to channels under their control.
In this paper, we categorize MC-MitM attacks using jamming techniques or DoS as the “base variant” (MC-MitM-BV) and those employing CSAs as the “improved variant” (MC-MitM-IV). In [6, 7], we explore the technical configurations and mechanisms, and assess the unique characteristics of various MC-MitM attack strategies.

The key reinstallation attack (KRACK) stands out as the most recognized MC-MitM base variant attack. It targets a critical nonce reuse vulnerability in the 4-way handshake protocol of the IEEE 802.11 standards, as detailed in [8]. This vulnerability allows an attacker to easily decrypt Wi-Fi frames, especially from Linux and Android devices, as these platforms are prone to installing an all-zero encryption key in response to key reinstallation under the WPA or WPA2 protocols. Notably, this vulnerability represents a significant issue affecting millions of Wi-Fi devices globally. It arises from an incorrect implementation of the standard and stands out as the first non-vendor-specific problem of its kind.

FragAttacks [9] are the latest MC-MitM improved variant attacks and the latest non-vendor-specific vulnerability, targeting the fragmentation and aggregation features of the 802.11 standards. This vulnerability enables attackers to inject packets into protected wireless networks as if they were legitimate and to extract sensitive data from clients. In [6], we performed an in-depth analysis of multiple MC-MitM attacks described in the existing literature and explored their consequences for Wi-Fi systems.

In WLAN environments, conventional perimeter defense mechanisms like firewalls and VPNs are typically utilized to safeguard sensitive communications. Yet these measures are ineffective against MC-MitM attacks, which are link-layer attacks and therefore occur beneath the higher layers of the network stack at which firewalls and VPNs operate.

Beginning in 2018, the implementation of Protected Management Frames (PMF) has been mandated by the Wi-Fi Alliance to strengthen the security of management frames under the WPA2 and WPA3 protocols, aimed at mitigating risks from rogue AP and DoS attacks [10, 11]. PMF is designed to protect certain management frames, including action frames, disassociation, and deauthentication frames [12]. Despite these advancements, PMF falls short in providing comprehensive defense against MC-MitM attacks for several reasons: firstly, attackers executing MC-MitM do not typically rely on deauthentication packets to establish their position [13]; secondly, PMF lacks the capability to detect attacks through jamming [14]; and thirdly, MC-MitM attacks often employ beacons or probe responses, which are not covered by PMF’s protective measures. Furthermore, in situations where the MC-MitM attacker possesses legitimate access to the network, they are capable of manipulating clients to connect to a malicious rogue AP using CSA action frames [15, 16]. This insider status significantly complicates the detection of such attacks in real-world scenarios.

In [6], we also extensively studied the challenges and technical feasibility associated with various MC-MitM defense mechanisms, highlighting the significant difficulties encountered in their implementation, particularly within Wi-Fi-based IoT environments such as smart homes. We discovered that, while not all commercial devices are equipped with patches, the management and maintenance of these devices demand technical expertise beyond what the average user possesses. Additionally, current defense strategies are inadequate for addressing these attacks due to various interoperability issues and the need for updates to devices or protocols.

To this end, in our paper [17], we introduced a lightweight, centralized, and signature-based wireless intrusion detection system (SWIDS) framework. This plug-and-play system is designed for seamless integration into Wi-Fi or IoT environments, requiring no modifications to network settings or existing devices. It also provides continuous security against all variants of MC-MitM attacks. The core of our intrusion detection system framework is a set of specific attack signatures that identify the behavior of MC-MitM attacks in terms of network patterns. Our centralized intrusion detection system framework effectively identifies MC-MitM attacks within a maximum time of 60 s, achieving a true positive rate (TPR) of 90% with short-distance detectors and 84% with long-distance detectors in Wi-Fi or IoT environments. We also demonstrated that our centralized intrusion detection system experiences frame loss that affects detection performance, especially with long-distance detectors.

In this paper, we improve our centralized SWIDS framework [17] and propose a novel framework for distributed intrusion detection by employing cooperative and autonomous detection systems to detect different MC-MitM attack variants. These autonomous detection systems make independent attack decisions in the places where they are deployed and communicate with each other by exchanging attack details through Message Queuing Telemetry Transport (MQTT) communication protocol. Our primary goal is to enhance the detection capabilities across a broad area, thereby mitigating frame loss via distributed intrusion detection systems. The results indicate that the proposed distributed framework efficiently detects MC-MitM attacks with an average accuracy above 95% when deployed at different locations within our experimental testbed that covers a wide area.

1.1 Contributions

This paper presents the following contributions:

  1. Design of a distributed and cooperative signature-based wireless intrusion detection system (DC-SWIDS) framework tailored for border surveillance in any Wi-Fi network.

  2. Development of an open-source prototype of the proposed DC-SWIDS framework using the python-scapy library [18].

  3. Implementation of the DC-SWIDS framework on Raspberry Pi.

  4. Empirical evaluation of the DC-SWIDS framework in an industry-relevant smart home environment using off-the-shelf IoT and Wi-Fi devices.

The structure of this paper is organized as follows: Sect. 2 outlines the related work; Sect. 3 introduces our proposed solution; Sect. 4 details the implementation of our proposed solution; Sect. 5 evaluates the efficacy of the proposed solution. Lastly, Sect. 6 offers conclusions and directions for future work.

2 Related work

In this section, we examine the existing defense mechanisms for combating MC-MitM attacks. We categorize the mechanisms, which are designed to either detect or prevent such attacks, into two primary classifications: stage 1 and stage 2 defense mechanisms. The stage 1 mechanisms are designed to mitigate potential threats posed by attackers before they acquire the MC-MitM setup. This involves the identification of actual attack vectors, encompassing factors like rogue channels, unauthorized devices, and falsified CSAs. Conversely, the second category of defense mechanisms is designed to protect against attacks facilitated by MC-MitM, such as KRACK, FragAttacks, and cipher downgrades, once the attacker has successfully established control over the MC-MitM setup.

2.1 Stage 1 defense mechanisms

SWIDS [17] is a framework designed to detect MC-MitM attacks. It identifies these attacks by analyzing specific patterns or behaviors they exhibit. This system is user-friendly, lightweight, and compatible with any Wi-Fi-based IoT setup without requiring changes to existing devices or network configurations. Through testing in real scenarios, the system’s effectiveness has been confirmed for both personal and enterprise Wi-Fi networks.

In [19], the authors introduced the Operating Channel Validation (OCV) method to detect and prevent MC-MitM attacks by cryptographically validating the communication channel between the client and the AP. This method suggests extending the 802.11w standard (PMF standard) by including an Operating Channel Information (OCI) element. During the 4-way handshake, the OCI element within the handshake frames is authenticated to ensure that the client and the AP agree on the communication channel. Although OCV has been integrated into the IEEE standards, it is not a compulsory feature in the WPA/2 standards and has not been widely implemented or accepted by device manufacturers. The effectiveness of OCV is limited to devices capable of Protected Management Frames (PMF), and even then, only if the PMF standards themselves are adapted, which is a significant challenge due to the complexity of setting up or updating PMF across all devices. Furthermore, within an OCV-enabled network, insider attackers are still able to mimic CSAs and manipulate or replay previously captured CSAs to redirect clients to their channels, facilitating various MitM attacks.

In [20], an alternative approach was proposed to counteract attacks exploiting unprotected beacons, aiming to detect and prevent rogue APs, including MC-MitM attacks. The authors introduced an additional information element (IE) into each beacon, permitting clients to cryptographically validate beacon integrity during AP connections. However, similar to their previous work [19], the practical implementation of the beacon protection mechanism faces challenges predominantly due to the reliance on PMF. This can lead to interoperability concerns when employing devices that only support WPA or WPA2. Furthermore, it is important to mention that the proposed mechanism does not address the possibility of insider MC-MitM attacks [21]. Although the mechanisms outlined in [19, 20] can detect the presence of MC-MitM attacks, they are unable to accurately determine the specific variant of the attack being employed.

The WPA3-2020 updates introduced an additional feature, Simultaneous Authentication of Equals Public Key (SAE-PK) [22], as part of the WLAN connection process to prevent MitM attacks in general. SAE-PK utilizes ECC (Elliptic Curve Cryptography) to uniquely identify APs during connection establishment. This feature also offers defense against insider attackers aiming to establish rogue APs and conduct MitM attacks, through the use of a digital signature over the public key of the AP.

However, the detection of rogue APs through SAE-PK is primarily limited to the authentication phase or the initial client-AP connection. Conversely, MC-MitM attackers often position themselves between an already connected client and the AP, a scenario not entirely addressed by SAE-PK. Furthermore, it is important to note that [23] highlights that WPA3 clients utilize open authentication instead of SAE authentication during reconnection to an established network, potentially allowing MC-MitM attackers to bypass SAE security measures.

The authors in [24] introduced a method for detecting and preventing attacks using Physically Unclonable Functions (PUF) to combat rogue AP used in MC-MitM attacks. This approach generates a unique key based on the AP’s PUF signature to facilitate authentication between the AP and client devices. Nonetheless, the adoption of this PUF-based method necessitates intricate hardware alterations across all involved wireless devices. Furthermore, this technique remains susceptible to specific MitM attack variants [25].

In [26], the authors introduced a defense mechanism for wireless clients to identify the presence of a rogue AP while MC-MitM-BV attacks are being launched. This involved developing a modification for wpa_supplicant (the wireless client software), which verifies the uniqueness of paired identifiers such as BSSID and SSID during client-AP communication. However, this method faces challenges if an MC-MitM attacker continuously jams the legitimate AP’s channel, preventing the client from collecting the necessary beacon data for verification. Moreover, relying solely on the distinctiveness of SSID and BSSID pairs is insufficient in scenarios where these identifiers are duplicated, particularly in environments where APs facilitate dual-band connections. Additionally, the SSAD mechanism of [26] is only capable of detecting base variant (MC-MitM-BV) attacks and not improved variant (MC-MitM-IV) attacks, as it fails to identify counterfeit CSAs.

2.2 Stage 2 defense mechanisms

Many stage 2 defense strategies are designed specifically to detect or counteract MC-MitM-enabled KRACK attacks due to their significant effects on Wi-Fi system security. Certain mechanisms, including those outlined in [27,28,29,30], utilize network analysis techniques to identify retransmissions of Message 3 of the 4-way handshake, which are specific to KRACK attacks. Nevertheless, the 802.11 standards permit APs to retransmit Message 3 under specific circumstances, such as network congestion or reaching retransmission limits. Blocking retransmissions of handshake messages can therefore lead to frequent connection failures or increased false positives.

In [31], a recent study introduced anomaly detection, utilizing supervised machine learning models to identify handshake messages across various channels, particularly focusing on detecting KRACK behavior. Although effective in KRACK detection, its focus remains limited to this specific type of MC-MitM-enabled attack, and it is not evaluated in any real-world setting. This lack of practical evaluation limits its feasibility in defending against real-time attacks. Similar works, such as [32,33,34], also have not undergone real-network evaluations, relying on the AWID3 public dataset [35]. In our paper [17], we showed the enhanced efficiency of our SWIDS framework in identifying KRACK attacks in the AWID3 datasets, outperforming similar defense mechanisms.

In contrast, mechanisms discussed in [36,37,38] introduce cryptographic verification methods during the 4-way handshake exchanges to combat nonce reuse vulnerabilities targeted by KRACK. These approaches additionally tackle cipher downgrade attacks on APs. However, their deployment requires modifications to Wi-Fi standards and has not been evaluated in actual attack environments.

Regarding FragAttacks, dedicated defense mechanisms are currently absent. Instead, a testing framework [39] has been established to detect fragmentation and aggregation vulnerabilities in Wi-Fi devices.

In [40], Snort rules are designed to detect network packets that carry distinct markers associated with KRACK attack scripts. However, modified versions of KRACK attacks may not be detected by these rules. Furthermore, the markers identified could also be present in legitimate WLAN packets or in scripts from other attacks crafted using Scapy. Consequently, exclusive reliance on predefined Snort rules could lead to ineffective detection or false positives.

2.3 Network intrusion detection systems

While traditional security measures such as encryption, authentication, and access control are available, wireless networks continue to be vulnerable to network attacks, underscoring the need for a secondary line of defense [41]. In these scenarios, Intrusion Detection Systems (IDSs) for Wi-Fi and IoT networks become critically important. Among IoT systems, IDSs or Network Intrusion Detection Systems (NIDSs) for connected smart devices are widely deployed. Numerous NIDSs have been developed using either attack rules/signatures or normal-behavior specifications tailored for IoT and Wi-Fi environments. Pathan et al. [42] offer a comprehensive review of intrusion prevention and detection, analyzing the trends and issues in intrusion detection systems within computer and communication networks. Recent state-of-the-art reviews [43,44,45,46,47,48,49] systematically survey intrusion detection in wireless networks, covering IDS variants, types of attacks, public datasets, challenges, and applications. Although these reviews show that many NIDSs have been proposed so far, none of them addresses MC-MitM attacks and their unique characteristics in wireless networks. Most research papers included in these reviews focus on traditional Wi-Fi attacks, such as flooding, DoS, IP/ARP/DNS spoofing, access attacks, evil-twin scenarios, session hijacking, SSL stripping, and proxy attacks. These attacks typically involve an evil twin using MAC addresses that differ from those of legitimate APs and display clearly malicious behavior. Conversely, MC-MitM attacks spoof the same MAC addresses as the legitimate AP and victims, which complicates detection efforts. Some IDSs [32,33,34] are capable of detecting KRACK attacks, a specific form of MC-MitM attack, using the AWID3 datasets (as mentioned in the previous section). However, these systems are not capable of detecting the other types of MC-MitM attacks.

2.4 Significant research challenges

Overall, the defense mechanisms currently in place fail to provide a holistic solution capable of effectively detecting all types of MC-MitM attacks. Furthermore, we underscore the design shortcomings of current standards, pointing out the absence of research that adequately protects PMF clients from MC-MitM attacks, which can elude PMF protection through various methods. This gap represents a significant ongoing research challenge, particularly with new WPA2 and WPA3 devices that now require PMF. MC-MitM attacks are particularly critical when perpetrated by insiders or authorized users, such as through fragmentation cache attacks [9], potentially leading to the compromise of private communications within homes or offices. Existing defense strategies are insufficient to address these complex scenarios effectively.

From an operational standpoint, existing defense strategies, with the exception of SWIDS [17] as mentioned earlier, demand firmware updates or the implementation of specific software/hardware solutions across wireless devices. Consequently, their efficiency is contingent upon the universal compatibility of devices within a WLAN, a criterion not universally met by IoT devices or all Wi-Fi clients. This requirement often imposes considerable technical challenges on end-users in terms of device and network setup and maintenance. Furthermore, the majority of these defense solutions lack empirical validation in real-world Wi-Fi or IoT scenarios, thereby constraining their practical utility. Additionally, existing defense mechanisms fail to offer backward compatibility with older or deprecated devices. This scenario underscores the pressing need for the development of more useful and user-friendly defense strategies that can cater to the diverse landscape of Wi-Fi-enabled devices and their security needs.

2.5 SWIDS: a signature-based wireless intrusion detection system framework for MC-MitM attacks

Considering these diverse challenges and technical infeasibility concerns, in [17] we designed the first centralized, lightweight, signature-based wireless intrusion detection system (SWIDS) framework, specifically tailored for the demands of Wi-Fi or IoT-driven smart environments. The SWIDS framework we developed possesses the capability to detect a variety of MC-MitM attacks, which constitute the underlying basis for more recognized attacks, including but not limited to KRACK [8] and FragAttacks [9]. Instead of relying on machine learning, the framework adopts a threshold-based detection approach that meticulously examines wireless network frames to rapidly identify attack signatures or suspicious behaviors in a WLAN during a probe interval duration (a specific observation period for observing wireless frames). Our SWIDS paper details the formulation and validation of MC-MitM attack signatures and discusses the design of the probe interval and the intricacies of the detection methodology, including its integration into the SWIDS framework. Furthermore, it provides an exposition of the network analysis algorithms that play a crucial role in the identification of a spectrum of MC-MitM attack signatures. The detection methodology is based on both theoretical and empirical analysis of Wi-Fi protocol operation (benign traffic) and the attack traffic.

Table 1 Summary of MC-MitM attack signatures [17]

Our SWIDS framework functions in real-time, analyzing Wi-Fi frames and immediately identifying potential attacks by detecting malicious frames. This plug-and-play system effortlessly integrates into existing Wi-Fi or IoT setups without requiring modifications to current network configurations or devices. It reliably protects against all types of MC-MitM attacks. In real-world Wi-Fi or IoT environments, our short-distance detectors achieve an average TPR of 90%. Meanwhile, our long-distance detectors maintain an average TPR of 84% in identifying different MC-MitM attacks.

2.6 Limitations of centralized SWIDS framework

Our SWIDS framework captures wireless frames in real time, but suffers from frame losses that impair the detection accuracy of MC-MitM attacks. These losses are particularly pronounced in detectors located more than 10 ms away from the attacker, and can be attributed to various factors including network conditions, the time taken to parse and process frames, and the processing capabilities of the Wi-Fi card. As a result, the centralized SWIDS system may incorrectly classify some attacks as benign or fail to accurately identify attacks, leading to a decrease in detection performance.

In our experiments evaluating detection capabilities with contemporary Wi-Fi routers, such as 802.11ac and 802.11ax, we concentrated on the impact of varying channel widths and the functions of primary and secondary channels. We discovered that the primary cause of reduced performance was frame loss, which could be attributed either to the distance between the detector and the attacker or to delays in processing frames within the SWIDS framework. Additionally, network conditions and environmental elements like traffic density, network overhead, and building materials, etc., also impacted the wireless signal range and throughput, thereby affecting detection efficiency.

Furthermore, the entire system’s reliability and availability are at risk if the centralized detection system fails for any reason. Another limitation is that the framework can monitor only one Wi-Fi network or AP at a time, lacking the ability to simultaneously monitor multiple APs or channels, including both 2.4 GHz and 5 GHz frequencies. These challenges have led us to propose a distributed architecture for detecting MC-MitM attacks, aiming to overcome these limitations and improve detection accuracy and system reliability.

3 Proposed solution: a distributed and cooperative signature based wireless intrusion detection system framework for MC-MitM attacks

In this section, we detail the architectural components and operational principles of our distributed and cooperative signature based intrusion detection system (DC-SWIDS) framework, designed to detect MC-MitM attack variants in Wi-Fi networks.

The proposed system utilizes cooperative signature-based detection, enabling rapid identification of malicious activities by comparing observed data collected during a probe interval duration, i.e. the specific period for observing wireless frames, against pre-defined signatures or patterns of known malicious behavior. Attack signatures, consisting of sets of network characteristics and their threshold values, determine when network traffic is potentially malicious and trigger attack alerts. For MC-MitM attacks, the attack signatures include specific patterns such as channel switch announcement (CSA) signatures and wireless jamming signatures. These signatures were rigorously defined and validated in our SWIDS paper [17] and are summarized in Table 1.

Our primary goal is to achieve optimal detection performance by minimizing potential frame loss caused by long distances and network latency issues, while also eliminating single points of failure. This solution aims to improve upon our previous SWIDS framework with a lightweight intrusion detection system designed for distributed deployment across wide areas to monitor various MC-MitM attacks effectively.

3.1 System architecture of the DC-SWIDS framework

The DC-SWIDS framework is designed as a network system incorporating distributed Autonomous Detection System (ADS) nodes, each functioning as an evolution of our previously centralized SWIDS framework. Figure 1 illustrates an example of the DC-SWIDS framework featuring four ADS nodes. The various units in an ADS are described in detail in Section 3.2.

Fig. 1 A model of the DC-SWIDS framework

Various ADS nodes in the DC-SWIDS framework are interconnected through the existing WLAN and communicate with each other using the Message Queuing Telemetry Transport (MQTT) protocol. This setup enables each ADS node to act as an MQTT client and incorporates a cooperative unit designed for interconnection with other ADS nodes through a cloud-based MQTT broker. The primary function of each ADS node is to autonomously monitor wireless traffic within its designated area, identifying the presence of MC-MitM attacks and also exchanging statuses of stage 1 and 2 attack traffic via the MQTT broker with other ADS nodes. Furthermore, each ADS node is capable of monitoring either a single AP or different APs simultaneously.

To protect the integrity and confidentiality of exchanged messages against eavesdroppers or attackers, we use a TLS (Transport Layer Security) enabled MQTT broker. Specifically, we employ MQTT with authentication over TLS. This approach establishes a secure tunnel between ADS nodes (acting as MQTT clients) and the MQTT broker, safeguarding the confidentiality of data as it travels through the network. The broker also provides authentication and access control, so that only authorized ADS nodes can connect and authenticate to the broker. This secured configuration prevents potential attackers from setting up unauthorized ADS nodes.
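What the TLS-enabled, authenticated broker connection amounts to on the ADS side can be made concrete with the standard library's `ssl` module. This is an added example, not configuration taken from the paper's prototype: `hardened_client_context` is the verifying client configuration an ADS node should use toward the broker, `weak_client_context` is the misconfiguration to avoid (TLS on the wire but no certificate or hostname verification, so a host impersonating the broker could read and forge attack statuses), and `is_hardened` and `mqtt_connect_args` are illustrative names whose argument keys are assumptions of this example rather than a particular MQTT library's API.

```python
# Added example (not the DC-SWIDS prototype): TLS client settings for an ADS node's
# MQTT connection, the weak variant to avoid, and a start-up check that refuses the latter.
import ssl
from typing import Optional

MQTT_TLS_PORT = 8883  # IANA-registered port for MQTT over TLS


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Verify the broker's certificate against the trusted CA (ca_file, or the system
    store when None), check the hostname, and use TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: encrypted transport with no verification of who is on the other end."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be set to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Deployment check run before the cooperative unit opens its broker connection."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def mqtt_connect_args(broker_host: str, ctx: ssl.SSLContext,
                      username: str, password: str) -> dict:
    """Connection parameters for the MQTT client (keys are illustrative, not a library API);
    each ADS node presents its own credentials so the broker can authorize it per topic."""
    if not is_hardened(ctx):
        raise ValueError("refusing to connect to the broker with an unverified TLS context")
    return {"host": broker_host, "port": MQTT_TLS_PORT, "tls_context": ctx,
            "username": username, "password": password}


if __name__ == "__main__":
    print(is_hardened(hardened_client_context()), is_hardened(weak_client_context()))
```

On the broker side the counterpart is to disable anonymous connections and give each ADS node its own credentials (in Mosquitto, for example, `allow_anonymous false` with a `password_file`, or client certificates with `require_certificate true`), together with a topic ACL that confines nodes to the attack-status topics, so that a compromised or counterfeit node cannot subscribe to or publish on anything else.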

In the event that an MC-MitM attack disrupts (for example, through jamming) one or more ADS nodes, the neighboring nodes are capable of promptly detecting such disruptions (see Section IV.B.1 of our SWIDS paper [17]). They can then disseminate the jamming attack data to other interconnected ADS nodes through the cooperative unit. This capability underscores the resilience of the system against attempts to evade or delay detection through interference with its components.

Specifically, within a given probe interval duration, every ADS node broadcasts or transmits the observed local statuses of stage 1 and 2 attack traffic, while also receiving those statuses from other ADS nodes deployed at various locations through the cooperative unit. In the event of any ADS node failing to detect MC-MitM attacks, other ADS nodes can continue to detect attacks cooperatively. For example, if an ADS node could not identify a particular attack status, possibly due to frame loss or other reasons, the cooperative unit can compensate for the missed detections by receiving attack statuses from other deployed ADS nodes. Consequently, alerts for MC-MitM attacks are generated by individual ADS nodes when such attacks are detected. Moreover, the exchange of attack data via cooperative communication enables other ADS nodes to issue alerts at the same or subsequent probe intervals.

It is also important to mention that not all ADS nodes need to issue alerts at the same time; the generation of alerts depends on the availability of local attack data or data provided by other ADS during a probe interval. This collaborative approach also overcomes the problem of having a single detection node, which becomes a single point of failure in the WLAN.

In the next section, we illustrate the high-level system architecture and workflow of an ADS in the DC-SWIDS framework.

3.2 System architecture of an ADS node in the DC-SWIDS framework

Figure 2 presents the high-level system architecture and workflow of an ADS within the DC-SWIDS framework. The architecture is organized into five primary units: the traffic interceptor, device database unit, MC-MitM detection coordinator unit, alert generator unit, and cooperative unit. The numbered arrows between these units or modules indicate the flow of data exchanges during a probe interval at an ADS node. Additionally, Algorithm 1 outlines the overall data exchange in terms of processes involved at an ADS node. For variables used in the algorithm, refer to Table 1. The following sections provide a detailed explanation of each unit within the framework.

Fig. 2 High-level system architecture of an ADS node in the DC-SWIDS framework

3.2.1 Traffic interceptor unit

As shown in Fig. 2, a traffic interceptor unit passively monitors the wireless traffic of a specific AP and connected clients in a deployed location. It primarily filters required beacons, probe responses, connection establishment frames, etc., based on the AP’s MAC address. These filtered frames are then forwarded to both the device database and the MC-MitM detection coordinator units for more in-depth analysis.

3.2.2 Device database unit

The device database unit collects MAC addresses of clients connected to a specific AP in the WLAN before attack detection. This data is sent to the MC-MitM detection coordinator unit and aids in identifying potential attack signatures and effectively detecting attacks. Additionally, whenever a new Wi-Fi client connects to the target access point, this unit automatically compiles information about all such newly connected devices and appropriately updates the database.

3.2.3 MC-MitM detection coordinator unit

The MC-MitM detection coordinator unit identifies the attack signatures of MC-MitM attacks in the filtered wireless traffic in the vicinity of an ADS. It manages probe intervals with a sliding-window approach (see Section V of our previous paper [17]) to accumulate attack statuses. The unit comprises two modules.

Wi-Fi frame decoder: This module decodes each captured frame, extracting the frame type, subtype and BSSID from the MAC header and, from the information elements in the body of beacons and probe responses, the ESSID, the channel in use and related fields. The parsed frames are passed to the detection controller.
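The decoding and filtering described for the traffic interceptor and the frame decoder, as an added example (this is not the paper's Scapy-based code): a small pure-Python decoder for raw 802.11 management frames that pulls the type, subtype and BSSID from the MAC header and the SSID, DS Parameter Set channel and any Channel Switch Announcement element from the body, then filters by the monitored BSSID. The AP address, SSID and frames are constructed sample input, not captures.

```python
"""Minimal 802.11 management-frame decoder (added example, not the paper's code).

Takes raw 802.11 frames without a radiotap header and extracts what the
detection controller needs: frame type and subtype from the MAC header, the
BSSID, and, from the body of beacons and probe responses, the SSID, the
operating channel (DS Parameter Set) and any Channel Switch Announcement
element. The sample frames at the bottom are constructed, not captured.
"""
import struct
from typing import Optional

SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
            8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
EID_SSID, EID_DS_PARAMS, EID_CSA = 0, 3, 37      # IEEE 802.11 element IDs
MGMT_HEADER_LEN, BEACON_FIXED_LEN = 24, 12       # header; timestamp+interval+capability


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_elements(body: bytes) -> dict:
    """Walk the (ID, length, value) information elements of a frame body."""
    out, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:            # truncated element: stop rather than guess
            break
        if eid == EID_SSID:
            out["ssid"] = value.decode("utf-8", errors="replace")
        elif eid == EID_DS_PARAMS and length == 1:
            out["channel"] = value[0]
        elif eid == EID_CSA and length == 3:
            out["csa"] = {"mode": value[0], "new_channel": value[1], "count": value[2]}
        i += 2 + length
    return out


def parse_mgmt_frame(frame: bytes) -> Optional[dict]:
    """Return header (and body) fields of a management frame; None otherwise."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0:                          # 0 = management, 1 = control, 2 = data
        return None
    info = {"subtype": SUBTYPES.get(subtype, str(subtype)),
            "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}
    if subtype in (5, 8) and len(frame) >= MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        info["beacon_interval"] = struct.unpack_from("<H", frame, MGMT_HEADER_LEN + 8)[0]
        info.update(parse_elements(frame[MGMT_HEADER_LEN + BEACON_FIXED_LEN:]))
    return info


def interceptor_filter(frames, ap_bssid: str):
    """Traffic interceptor: keep management frames carrying the monitored BSSID."""
    for raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed and parsed["bssid"] == ap_bssid:
            yield parsed


def build_beacon(bssid: bytes, ssid: str, channel: int, csa_channel=None, subtype=8) -> bytes:
    """Constructed beacon / probe response used as sample input."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)      # timestamp, interval 100 TU, capability
    elems = bytes([EID_SSID, len(ssid)]) + ssid.encode() + bytes([EID_DS_PARAMS, 1, channel])
    if csa_channel is not None:                     # mode 1 = stop transmitting, count 1
        elems += bytes([EID_CSA, 3, 1, csa_channel, 1])
    return header + fixed + elems


AP = bytes.fromhex("0011223344aa")                    # hypothetical AP address
SAMPLE_FRAMES = [
    build_beacon(AP, "LabNet", 6),                            # legitimate beacon
    build_beacon(AP, "LabNet", 6, csa_channel=11),            # same BSSID, CSA to channel 11
    build_beacon(bytes.fromhex("0011223344bb"), "Other", 1),  # another AP, filtered out
    bytes.fromhex("0800") + bytes(22),                        # a data frame, ignored
]

if __name__ == "__main__":
    for f in interceptor_filter(SAMPLE_FRAMES, "00:11:22:33:44:aa"):
        print(f)
```

The second sample frame is the kind the MC-MitM-IV variant relies on: the legitimate BSSID announcing a switch to a channel the AP does not use. A decoder that stops at a truncated element, as this one does, avoids misreading a malformed frame as a channel change.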

Detection controller: This module implements the detection methodology and the traffic-analysis algorithms that identify the traffic specific to each MC-MitM attack variant. It comprises three sub-modules. The stage 1 and stage 2 traffic analyzer sub-modules count the frames matching the stage 1 and stage 2 attack signatures over a probe interval. When the probe interval ends, the traffic collator sub-module compares the stage 1 and stage 2 counts with preset thresholds (see Table 1), checks the statuses of remote attack traffic received through the cooperative unit, and hands the locally identified statuses to the cooperative unit for dissemination. From the combination of local and remote statuses, the traffic collator of a single ADS node decides whether an MC-MitM attack is occurring anywhere in the WLAN, traces its variant, and forwards the attack details to the alert generator unit.

3.2.4 Cooperative unit

The cooperative unit is crucial to the DC-SWIDS framework: it coordinates the ADS nodes over the MQTT protocol. It contains an MQTT client through which the nodes exchange the statuses of the different stages of MC-MitM attack traffic via a centralized MQTT broker. The unit monitors attack traffic statuses for as long as the DC-SWIDS framework is active, but it only sends or receives statuses when an MC-MitM attack occurs somewhere under the framework’s surveillance, so an idle WLAN generates no cooperative traffic. The MQTT broker organizes the attack traffic information into topics, one for each kind of stage 1 and stage 2 traffic listed in Table 1. Each ADS node subscribes to and publishes on these topics: subscribing lets the cooperative unit receive status updates from the other ADS nodes, and publishing disseminates locally detected attack information across the network. Only the latest update on each topic is considered, so that stale statuses do not influence decisions.
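The detection controller and the cooperative unit just described, as an added example (not the paper's code): each ADS node counts stage 1 and stage 2 signature frames per probe interval, compares the counts accumulated over a sliding window of intervals with thresholds, publishes only positive statuses to per-signature topics, and collates local and remote statuses to decide whether an attack is in progress and which variant it is. An in-memory broker with retained-message semantics (the latest message per topic wins) stands in for the MQTT broker so the example runs offline. The thresholds, the topic layout, the node and network names, and the signature-to-variant mapping are illustrative assumptions, not the values of Table 1; the age check in `collate` is an added safeguard the paper does not describe.

```python
"""Probe-interval accounting and cooperative status exchange (added example).

Thresholds, topic layout and the signature-to-variant mapping are assumptions
for illustration; the paper's actual values are in its Table 1.
"""
from collections import Counter, deque
from dataclasses import dataclass, field

# Hypothetical signature catalogue: (stage, signature) -> threshold per window.
THRESHOLDS = {
    ("stage1", "csa_beacons"): 3,     # CSA elements steering clients off the legit channel
    ("stage1", "deauth_flood"): 10,   # deauth/disassoc frames spoofing the AP
    ("stage2", "rogue_beacons"): 3,   # the AP's BSSID beaconing on a second channel
    ("stage2", "handshake_retx"): 1,  # retransmitted 4-way handshake message 3
}
# Hypothetical variant tracing from the stage 1 signature that was observed.
VARIANT_BY_STAGE1 = {"csa_beacons": "MC-MitM-IV", "deauth_flood": "MC-MitM-BVC/BVR"}


class RetainedBroker:
    """Stand-in for the MQTT broker: keeps only the latest payload per topic."""

    def __init__(self):
        self.retained = {}

    def publish(self, topic, payload):
        self.retained[topic] = payload

    def read(self, prefix):
        return {t: p for t, p in self.retained.items() if t.startswith(prefix)}


@dataclass
class ADSNode:
    name: str
    net_id: str                  # identifies the monitored WLAN in topic names (no '/')
    broker: RetainedBroker
    window_size: int = 2         # probe intervals kept in the sliding window
    current: Counter = field(default_factory=Counter)
    window: deque = field(default_factory=deque)

    def observe(self, stage, signature, n=1):
        """Traffic analyzer sub-modules: count signature frames in this interval."""
        self.current[(stage, signature)] += n

    def end_interval(self):
        """Close the probe interval and slide the window forward."""
        self.window.append(self.current)
        self.current = Counter()
        while len(self.window) > self.window_size:
            self.window.popleft()

    def local_statuses(self):
        total = Counter()
        for c in self.window:
            total.update(c)
        return {k: total[k] >= thr for k, thr in THRESHOLDS.items()}

    def publish_statuses(self, now):
        """Cooperative unit: publish only positive statuses, so an idle WLAN
        produces no MQTT traffic. Returns the number of messages sent."""
        sent = 0
        for (stage, sig), hit in self.local_statuses().items():
            if hit:
                topic = f"dcswids/{self.net_id}/{stage}/{sig}"
                self.broker.publish(topic, {"from": self.name, "status": 1, "t": now})
                sent += 1
        return sent

    def collate(self, now, max_age_s=30):
        """Traffic collator: merge local statuses with the latest remote ones.
        A retained status outlives the attack that produced it, so statuses
        older than max_age_s are ignored (added safeguard)."""
        merged = dict(self.local_statuses())
        for topic, payload in self.broker.read(f"dcswids/{self.net_id}/").items():
            if now - payload["t"] > max_age_s:
                continue
            _, _, stage, sig = topic.split("/")
            merged[(stage, sig)] = merged.get((stage, sig), False) or payload["status"] == 1
        stage1 = sorted(sig for (st, sig), hit in merged.items() if st == "stage1" and hit)
        stage2 = sorted(sig for (st, sig), hit in merged.items() if st == "stage2" and hit)
        attack = bool(stage1) and bool(stage2)
        variant = ", ".join(sorted({VARIANT_BY_STAGE1[s] for s in stage1})) if attack else None
        return {"attack": attack, "variant": variant, "stage1": stage1, "stage2": stage2}


if __name__ == "__main__":
    # Constructed scenario: ADS-A sees only the channel switch announcements,
    # ADS-B only the rogue beacons on the new channel, ADS-C nothing at all.
    broker = RetainedBroker()
    a, b, c = (ADSNode(n, "labnet", broker) for n in ("ADS-A", "ADS-B", "ADS-C"))
    a.observe("stage1", "csa_beacons", 5)
    b.observe("stage2", "rogue_beacons", 4)
    for node in (a, b, c):
        node.end_interval()
    print("before exchange:", a.collate(now=10))
    for node in (a, b, c):
        node.publish_statuses(now=10)
    print("after exchange: ", c.collate(now=10))
```

In the constructed scenario no single node sees both stages, so no node alone would raise an alert; after the exchange even ADS-C, which observed nothing locally, reaches the attack verdict from the retained statuses. Sequence numbers and the idle-period quiet, which the paper uses to keep MQTT traffic at zero, fall out of publishing only positive statuses.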

Algorithm 1 Overall data exchange at an ADS node during a probe interval (variables as in Table 1)

3.2.5 Alert generator unit

This unit generates alerts for MC-MitM attacks based on notifications from the MC-MitM detection controller within an ADS node during a probe interval. An ADS may generate alerts in consecutive probe intervals as long as an MC-MitM attack is ongoing. Additionally, the alert generator unit records these alerts, including the MAC addresses of the victims and the specific time and date of each attack.

3.3 Capacity planning

One of the key objectives within the DC-SWIDS framework is determining the minimum number of ADS units necessary to achieve a true positive rate (TPR) exceeding 95%, along with planning their distribution. This parameter is important for effective surveillance and defense while avoiding unnecessary deployment of detectors, which would result in oversaturation. To do this, we first determine the maximum distance between a deployed ADS node and a potential attacker at which the TPR stays at 95% or higher. Based on this maximum distance, we then define a circular surveillance area per node with a radius equal to that distance. In Section 5 we present the evaluation based on this capacity planning: Section 5.1 describes the experiments carried out to determine the maximum distance and Section 5.3 their results. This approach offers a cost-effective solution, particularly in large-scale or complex environments. Determining the optimal number of ADS units for a given environment is comparable to placing base stations in cellular networks and poses a similar challenge; considerable academic and industrial research has been devoted to that problem [50].
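The capacity-planning step above, as an added example (not the paper's tool): given the maximum ADS-to-attacker distance, compute a lower bound on the node count for a floor area, place nodes on a grid that guarantees every point of a rectangular floor is within that distance of some node, and check the coverage of any candidate placement. The 25 m by 20 m rectangle (500 square meters) and the three-node line are constructed; the paper's testbed has its own shape (Fig. 10), so the counts here need not match its deployment.

```python
"""Capacity-planning helper (added example, not the paper's tool).

Uses the radius r at which one ADS still achieves the target TPR and a
constructed rectangular floor plan. The area ratio is only a lower bound,
because discs of radius r cannot tile a floor without overlapping.
"""
import math


def area_lower_bound(area_m2: float, radius_m: float) -> int:
    """Each node covers at most a disc of pi*r^2, so at least this many are needed."""
    return math.ceil(area_m2 / (math.pi * radius_m ** 2))


def grid_placement(width_m: float, height_m: float, radius_m: float):
    """Square grid whose cell diagonal is at most 2r: the farthest point of a
    cell (a corner) is then within r of the node at the cell centre."""
    spacing = radius_m * math.sqrt(2)
    nx, ny = math.ceil(width_m / spacing), math.ceil(height_m / spacing)
    sx, sy = width_m / nx, height_m / ny
    return [((i + 0.5) * sx, (j + 0.5) * sy) for i in range(nx) for j in range(ny)]


def coverage_fraction(nodes, width_m, height_m, radius_m, step_m=0.25):
    """Share of sample points of the rectangle within radius_m of some node."""
    covered = total = 0
    nx = int(round(width_m / step_m)) + 1
    ny = int(round(height_m / step_m)) + 1
    for ix in range(nx):
        for iy in range(ny):
            x, y = ix * step_m, iy * step_m
            total += 1
            if any(math.hypot(x - px, y - py) <= radius_m for px, py in nodes):
                covered += 1
    return covered / total


if __name__ == "__main__":
    W, H, R = 25.0, 20.0, 7.0          # constructed floor plan; R from Section 5.3
    print("lower bound on nodes:", area_lower_bound(W * H, R))
    grid = grid_placement(W, H, R)
    print(f"grid placement: {len(grid)} nodes, coverage {coverage_fraction(grid, W, H, R):.3f}")
    line = [(5.5, 10.0), (12.5, 10.0), (19.5, 10.0)]   # three nodes 7 m apart in a row
    print(f"3-node line: coverage {coverage_fraction(line, W, H, R):.3f}")
```

The coverage check is the part worth keeping: a node count derived from the area ratio alone can leave uncovered corners where an attacker would sit beyond the 12 m limit of any node, whereas the grid placement guarantees the radius everywhere at the price of overlap.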

4 Proposed solution: system implementation and setup

In this section, we provide an overview of how our DC-SWIDS framework is implemented, the key graphical user interfaces (GUIs) developed during the prototyping phase and detail the setup process within a real-world IoT environment.

4.1 Framework implementation

We developed the DC-SWIDS framework in Python. The units of an ADS depicted in Fig. 2 are built on the Python Scapy library, which handles packet capture and processing. The traffic interceptor unit uses two wireless interfaces, a TL-WN722N for the 2.4 GHz band and a Wi-Fi Nation adapter for the 5 GHz band, chosen for their low cost and their monitor-mode support across Linux distributions. A text-based logging mechanism records every alert raised by the system. The cooperative unit uses a pre-configured MQTT account on a cloud-hosted platform; in our tests we used EMQX, a free cloud-based MQTT broker. Each ADS node must therefore be connected to the existing WLAN so that it can reach the broker over the internet. The ADS node hardware is a Raspberry Pi 4, and the ADS script is available in [18].

Fig. 3 Screenshot of the front panel of an ADS in DC-SWIDS framework

Fig. 4 Screenshot of the log file view panel of an ADS node in DC-SWIDS framework

Fig. 5 Screenshot of a sample cooperative communication (exchange of attack traffic statuses) for the detection of MC-MitM attacks

4.2 System setup in real-world environment

In our proposed system, we developed a graphical user interface (GUI) as a proof of concept for activating an ADS node, illustrated in Fig. 3. The GUI reduces the initial setup to entering the SSID (Wi-Fi network name) of the AP or network to be monitored. Activating the “search clients” function makes the ADS node enumerate the devices connected to the AP, recording their MAC addresses and additional device information. Once the connected devices are enumerated, the ADS node starts monitoring for MC-MitM attacks and communicating with the other deployed ADS nodes using pre-configured MQTT credentials. The system also notifies users of detected attacks with an audible alarm. Figure 4 shows the GUI for reviewing the log file of an ADS node, and Fig. 5 shows an instance of cooperative communication (the exchange of attack traffic statuses) during monitoring, as captured at the MQTT broker. Finally, Figs. 6 and 7 show ADS nodes deployed on a Raspberry Pi for the two Wi-Fi bands; two wireless adapters are used to track the legitimate and rogue channels simultaneously.

It is important to emphasize that the process of activating an ADS node has been simplified to mirror the ease of connecting to a Wi-Fi network, a task with which most users are already familiar. Following the completion of the initial activation, managing the DC-SWIDS framework is intended to be intuitive, necessitating minimal user effort. In future developments, we aim to evolve the DC-SWIDS framework into an installable plugin application, facilitating seamless integration with smart home ecosystems such as Home Assistant [51] or OpenHAB [52].

5 Evaluation

In this section, we evaluate the proposed DC-SWIDS framework for detecting MC-MitM attacks in a representative set of scenarios, focusing primarily on personal networks, but applicable to enterprise networks as well.

5.1 Experimental testbed

The experiments were conducted in the central computing facility of our University, which covers an area of 500 square meters. Figure 8 depicts the experimental setup and the positions of the test devices. Our objective was to determine the maximum distance between an attacker and an ADS node at which the TPR exceeds 95%. We used 14 devices in total: 2 APs, 9 client devices, 2 attacker devices and an ADS node; full device details are given in Table 2. We set up a mixed-mode Wi-Fi environment with both WPA2 and WPA3 so that all devices could connect: 5 WPA2-compatible clients connected to AP1 and 4 WPA3-compatible clients connected to AP2. Two laptops were used to launch the MC-MitM attacks, one at a time: one for MC-MitM-IV attacks and the other for MC-MitM-BVC or MC-MitM-BVR attacks.

Fig. 6 An ADS node in the DC-SWIDS framework with support for 2.4 GHz

Fig. 7 An ADS node in the DC-SWIDS framework with support for 5 GHz

To conduct the experiments, we placed an ADS node of the DC-SWIDS framework at varying distances from a fixed attacker location, from 1 m up to 12 m in 1 m increments, as illustrated in Fig. 8. The 12 m limit follows from our previous work [17], which showed that beyond this distance frame loss becomes significant and degrades detection. At each distance we carried out 75 tests, 25 for each of the three MC-MitM attack variants. The findings of this first series of experiments are presented in Section 5.3.

5.2 Evaluation methodology

The performance of our DC-SWIDS framework is evaluated using the metrics detailed in Table 3. Each outcome of the framework is categorized as follows: TP (true positive) when an alarm is correctly triggered during an attack; TN (true negative) when no alarm is triggered and there is no attack; FP (false positive) when an alarm is triggered without an attack; and FN (false negative) when an attack occurs but no alarm is generated. From these counts, TPR = TP/(TP + FN), TNR = TN/(TN + FP), accuracy = (TP + TN)/(TP + TN + FP + FN) and F1 = 2TP/(2TP + FP + FN).

Table 2 Equipment utilized in the experimental setup
Fig. 8 Experimental testbed (distances are representative)

Table 3 Summary of evaluation metrics

5.3 Results and discussion: maximum ADS-to-attacker distance with the best (TPR above 95%) detection performance

Figure 9 provides detection performance achieved by an ADS of our framework at different distances from the attacker location.

Fig. 9 Detection performance achieved with an ADS node when placed at different distances from the attacker

From Fig. 9 we observe that a single ADS node identifies all MC-MitM attack variants with a TPR of at least 95% at distances of up to 7 m from the attacker. We therefore conclude that placing an ADS node within 7 m of any potential attacker position keeps frame loss low, which gives each node a surveillance area of roughly 150 square meters (a circle of radius 7 m). Beyond that, the separation between an attacker and an ADS node must not exceed 12 m for detection to remain reasonable, as noted in the previous section. In the following section we evaluate the DC-SWIDS framework with the required number of ADS nodes in a larger Wi-Fi or IoT environment.

5.4 Experimental testbed to analyze performance of DC-SWIDS framework in a Wi-Fi or IoT environment

Fig. 10 Experimental testbed for implementation of DC-SWIDS framework (devices used are the same as in Table 2)

As shown in Fig. 10, we used the central computing facility of our University, which covers an area of 500 square meters, to evaluate the DC-SWIDS framework. Based on the maximum distance identified in the previous section, 3 ADS nodes spaced 7 m apart are required to cover the experimental testbed.

Our primary focus during testing is the detection performance of the DC-SWIDS framework across attack scenarios with both fixed and moving attacker positions. Testing both is important because it mirrors the dynamics of MC-MitM attacks, in which an attacker may persistently target one Wi-Fi client or move to evade detection; a framework that handles both provides more robust protection against MC-MitM attacks.

To ensure consistency, we kept the device configuration of Table 2. For each attacker position we conducted 75 detection tests, 25 for each of the three MC-MitM attack variants. The attacks were launched from the five positions shown in Fig. 10, one position at a time, for a total of 375 detection tests.

5.5 Results and discussion: performance evaluation of DC-SWIDS framework in a Wi-Fi or IoT environment

Figures 11 and 12 respectively showcase detection performance achieved by distributed ADS of our DC-SWIDS framework against fixed and moving attacker locations.

Fig. 11 Detection performance achieved with DC-SWIDS framework with 3 distributed ADS nodes in the experimental testbed against any fixed attacker

Fig. 12 Detection performance achieved with DC-SWIDS framework with 3 distributed ADS nodes in the experimental testbed against any moving attacker

As Fig. 11 shows, the DC-SWIDS framework achieves an average true positive rate (TPR) above 99% against fixed attackers, and Fig. 12 shows an average TPR of 97% against moving attackers. The framework therefore not only identifies stationary attackers but also copes with attackers who move to complicate detection. As in the previous section, it identified attacks reliably, with a 100% TNR and F1-scores above 98% in all test cases. We also evaluated the framework with fewer ADS nodes than the three identified as optimal for this testbed, to assess the impact of under-deployment; Fig. 13 presents the MC-MitM detection performance of the DC-SWIDS framework with different numbers of ADS nodes.

Fig. 13 Detection performance achieved with DC-SWIDS framework with different numbers of ADS nodes

As Fig. 13 shows, a single ADS node yields a lower detection rate, averaging around 82%, and two ADS nodes raise the average to approximately 94%. The best results are obtained with three ADS nodes, the number recommended by the maximum-distance analysis, for which the average TPR is nearly 99%. Deploying the recommended number of ADS nodes thus largely removes the frame-loss problem when detecting the different MC-MitM attacks.

Table 4 Comparative analysis of proposed DC-SWIDS with current defense mechanisms

5.6 Comparison of DC-SWIDS with current defense mechanisms

In this section, we compare our proposed DC-SWIDS framework with existing state-of-the-art defense mechanisms, particularly focusing on their efficacy in combating MC-MitM attacks. This comparison builds upon the comparison outlined in our previous paper [17].

For comparison we use the following criteria: (1) detection of MC-MitM attacks on WPA/WPA2 clients (□), WPA3 clients (■), or both (⚬); (2) detection of MC-MitM attacks on PMF-capable clients (□), non-PMF-capable clients (■), or both (⚬); (3) detection of insider MC-MitM attacks (□), outsider MC-MitM attacks (■), or both (⚬); (4) detection only (□) or both detection and prevention (⚬) of MC-MitM attacks; (5) identification of the MC-MitM attack variant (⚬) or not (■); (6) implementation requiring protocol or firmware modifications (□), integration of additional software/hardware (■), or no modifications (⚬); (7) backward compatibility (⚬) or lack thereof (■); (8) applicability to personal Wi-Fi networks (□), enterprise networks (■), or both (⚬); (9) the ability to monitor multiple APs simultaneously (⚬) or not (■); and (10) the ability to monitor multiple wireless channels simultaneously (⚬) or not (■). The comparison is summarized in Table 4; more open circles (⚬) in the row of a defense mechanism indicate greater effectiveness against MC-MitM attacks.

Table 4 shows that the DC-SWIDS framework identifies threats against all device types in WPA2/3 networks, including PMF-capable clients, and detects both insider and outsider attackers and all MC-MitM attack variants. DC-SWIDS is backward compatible, requires no modifications to protocols or devices, and is easy to use. Its ability to monitor multiple APs and channels in both personal and enterprise networks, together with passive detection of attack signatures, makes it a more complete defense against MC-MitM attacks than the existing mechanisms in the table. We note, however, that DC-SWIDS currently includes no prevention mechanism for MC-MitM attacks, since prevention is not feasible at scale in the short term; our work lays the foundation by providing a means to identify and respond to MC-MitM attacks effectively.

5.7 Comparison of existing defense mechanisms using significant public datasets

The AWID3 dataset [35] is commonly used to analyze Wi-Fi attacks and includes multiple attack traces in PCAP format, among them KRACK attacks. Of the MC-MitM-enabled attacks, however, it covers only KRACK, not the full range of MC-MitM attack types. To address this limitation, we built a new dataset with traffic from the various MC-MitM attack types and variants, available in [53].

We evaluated the ADS nodes of our DC-SWIDS framework on the AWID3 dataset to detect KRACK signatures. The AWID3 PCAP file was fed directly into the traffic interceptor unit of the three ADS nodes of Fig. 10, bypassing online monitoring and passive capture. Using our proposed signatures, we detected the retransmission of message 3 of the 4-way handshake across multiple channels (channels 2 and 13), which is indicative of an MC-MitM position, and thereby demonstrated the framework’s ability to identify KRACK behavior. Table 5 compares, by F1 score and/or accuracy, existing detection mechanisms that use the AWID3 dataset to identify KRACK attacks.
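The message 3 retransmission signature used above, as an added example (not the paper's detector or its thresholds): records hold the EAPOL-Key fields an ADS node would already have decoded from captured frames (capture time, the channel the frame was seen on, AP and client addresses, the Key Information field, replay counter and key-data length). The handshake message number is recovered from the Key Information bits, and a finding is raised when message 3 appears more than once within a handshake; it is rated high when the copies were seen on more than one channel, as with a relayed handshake, and low when a single channel is involved, since an AP legitimately retransmits message 3 after losing message 4. The addresses, channels and records are constructed.

```python
"""Detecting a retransmitted 4-way handshake message 3 across channels
(added example, not the paper's detector). Sample records are constructed.
"""

# EAPOL-Key Key Information bits (IEEE 802.11 8.5.2 / 12.7.2).
KEY_TYPE, INSTALL, KEY_ACK, KEY_MIC, SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9


def handshake_message(key_info: int, key_data_len: int):
    """Map Key Information bits to the 4-way handshake message number (1-4)."""
    if not key_info & KEY_TYPE:
        return None                     # group-key handshake, not the 4-way one
    ack, mic, install, secure = (bool(key_info & b) for b in (KEY_ACK, KEY_MIC, INSTALL, SECURE))
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack:
        # msg 2 carries the RSN IE in its key data; msg 4 has empty key data.
        # The length check also covers WPA(1), where msg 4 has Secure = 0.
        return 4 if (secure or key_data_len == 0) else 2
    return None


def detect_msg3_retransmissions(records, window_s=5.0):
    """One finding per (AP, client) handshake in which message 3 was seen more
    than once. A new message 1, or a gap longer than window_s since the first
    message 3, starts a new handshake. Severity: 'high' if the copies were seen
    on more than one channel, 'low' if a single channel was involved."""
    state, findings = {}, []
    for rec in sorted(records, key=lambda r: r["t"]):
        msg = handshake_message(rec["key_info"], rec["key_data_len"])
        if msg is None:
            continue
        key = (rec["ap"], rec["client"])
        hs = state.get(key)
        if hs is None or msg == 1 or (hs["msg3"] and rec["t"] - hs["msg3"][0]["t"] > window_s):
            hs = state[key] = {"msg3": [], "finding": None}
        if msg != 3:
            continue
        hs["msg3"].append(rec)
        if len(hs["msg3"]) < 2:
            continue
        channels = sorted({r["channel"] for r in hs["msg3"]})
        counters = sorted({r["replay_counter"] for r in hs["msg3"]})
        if hs["finding"] is None:
            hs["finding"] = {"ap": rec["ap"], "client": rec["client"]}
            findings.append(hs["finding"])
        hs["finding"].update({"copies": len(hs["msg3"]), "channels": channels,
                              "replay_counters": counters,
                              "severity": "high" if len(channels) > 1 else "low"})
    return findings


# Constructed sample: hypothetical addresses and typical WPA2 Key Information values.
AP_A, AP_B = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
C1, C2, C3 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
MSG1, MSG2, MSG3, MSG4 = 0x008A, 0x010A, 0x13CA, 0x030A


def rec(t, channel, ap, client, key_info, replay_counter, key_data_len):
    return {"t": t, "channel": channel, "ap": ap, "client": client,
            "key_info": key_info, "replay_counter": replay_counter, "key_data_len": key_data_len}


SAMPLE_RECORDS = [
    # Client 1: handshake relayed by an MC-MitM between channel 2 (AP) and 13 (rogue).
    # Msg 4 is blocked, so the AP retransmits msg 3 with the next replay counter
    # and the attacker relays that copy as well.
    rec(0.00, 2, AP_A, C1, MSG1, 1, 22), rec(0.01, 13, AP_A, C1, MSG1, 1, 22),
    rec(0.05, 13, AP_A, C1, MSG2, 1, 22), rec(0.06, 2, AP_A, C1, MSG2, 1, 22),
    rec(0.10, 2, AP_A, C1, MSG3, 2, 56), rec(0.11, 13, AP_A, C1, MSG3, 2, 56),
    rec(0.15, 13, AP_A, C1, MSG4, 2, 0),
    rec(1.10, 2, AP_A, C1, MSG3, 3, 56), rec(1.11, 13, AP_A, C1, MSG3, 3, 56),
    # Client 2: benign frame loss on one channel; the AP retransmits msg 3 once.
    rec(5.00, 6, AP_B, C2, MSG1, 1, 22), rec(5.05, 6, AP_B, C2, MSG2, 1, 22),
    rec(5.10, 6, AP_B, C2, MSG3, 2, 56), rec(6.10, 6, AP_B, C2, MSG3, 3, 56),
    rec(6.15, 6, AP_B, C2, MSG4, 3, 0),
    # Client 3: clean handshake.
    rec(9.00, 6, AP_B, C3, MSG1, 1, 22), rec(9.05, 6, AP_B, C3, MSG2, 1, 22),
    rec(9.10, 6, AP_B, C3, MSG3, 2, 56), rec(9.15, 6, AP_B, C3, MSG4, 2, 0),
]

if __name__ == "__main__":
    for f in detect_msg3_retransmissions(SAMPLE_RECORDS):
        print(f)
```

The same replay counter appearing on two channels (the 0.10/0.11 s pair) is already the relayed frame; the incremented counter at 1.10 s is the retransmission that KRACK relies on. Treating single-channel retransmissions as low severity keeps a lossy but honest link from raising an MC-MitM alert.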

Table 5 Comparison of Performance in Identifying/Classifying KRACK Attacks from AWID3 Dataset

As Table 5 shows, our framework achieves a higher F1 score and accuracy than the other methods evaluated on the AWID3 dataset. Very few attack frames go undetected; the misses that remain are caused by occasional small delays in frame processing during detection. These results demonstrate the accuracy and effectiveness of our DC-SWIDS framework in detecting MC-MitM attacks. We also note that our framework operates in real time, unlike the offline machine-learning-based analyses discussed above; the results earlier in Section 5 show this real-time capability. The AWID3 data was fed into the traffic interceptor unit only for this comparison.

5.8 Performance overhead evaluation

In this section, we evaluate the performance overhead of the proposed DC-SWIDS framework in detecting MC-MitM attacks. We specifically focus on two key aspects: CPU and memory, and network overhead. Through systematic testing, our aim is to gauge the efficiency of the framework in terms of resource utilization. These insights will be instrumental in determining the framework’s suitability for deployment on single-board computers and across various network environments.

5.8.1 CPU, memory, and disk consumption

To evaluate the impact of our defense mechanism on system resources, we tracked the CPU, memory and disk consumption of a Raspberry Pi 4 Model B (64-bit ARMv8 processor, 2 GB of RAM) running our autonomous detection system (ADS) over a period of 300 min (5 h), both when idle and during active monitoring. The results for CPU, memory and disk consumption are shown in Figs. 14, 15 and 16, respectively.

Fig. 14 Resource utilization involving CPU consumption

Fig. 15 Resource utilization involving memory consumption

5.8.2 Network overhead

To measure the network overhead of the proposed system, in particular that of the cooperative communication, we recorded how many bytes of MQTT messages each ADS in the monitored Wi-Fi network (50 Mbps network interface) exchanged during the previous N seconds (N = 300 s in our case) over the running period. Figure 17 shows the average MQTT traffic exchanged with four ADSs.

Fig. 16 Resource utilization involving disk consumption

Fig. 17 Network overhead during cooperative communication

5.8.3 Discussion on performance overhead

Figure 14 shows a small increase in CPU consumption, averaging only 5%, once an ADS of our DC-SWIDS framework is activated; it is mainly due to capturing Wi-Fi frames and extracting data from them. Memory consumption (Fig. 15) rises by 12% on average (approximately 0.48 GB) when an ADS node is operational, owing to the storage of identified malicious frames and the corresponding attack traffic statuses for each probe interval. Disk consumption (Fig. 16) is very low because alerts are stored in a compact text file. The network usage graph (Fig. 17) shows that an ADS node transmits only around 200 bytes of MQTT traffic on average during an attack, and no MQTT traffic at all when there is no attack, so there is no unnecessary cooperative communication and the ADS adds no appreciable network load. Collectively, these findings show that an ADS node of the DC-SWIDS framework runs with minimal impact on system resources and can be deployed reliably on resource-constrained devices such as the Raspberry Pi.

5.9 Security considerations

Our DC-SWIDS framework identifies MC-MitM attacks and is applicable to all Wi-Fi networks and devices. Because it relies on passive monitoring, it identifies both insider and outsider MC-MitM attacks against any Wi-Fi-enabled device. The framework is hard to evade even for an attacker who knows the detection mechanisms and algorithms: the detection thresholds are derived from theoretical and empirical analysis of Wi-Fi protocol operation, and an MC-MitM attack cannot be carried out without generating the frames that exceed them (see Table 1 in our previous paper [17]).

The proposed DC-SWIDS framework allows multiple ADS nodes to monitor a single AP or several APs concurrently across different wireless channels. This adaptability lets the surveillance be tailored to specific needs, significantly reducing frame loss and speeding up detection throughout the monitored region. The distributed ADS nodes exchange data over TLS-protected, authenticated MQTT sessions (see Section 3.1), which prevents an attacker from registering unauthorized ADS nodes with the broker or from intercepting and reading the exchanged statuses, even after infiltrating the network.

Our framework is designed for easy, plug-and-play deployment, eliminating the need for any modifications to the protocols or devices used by Wi-Fi clients and access points (APs). This plug-and-play functionality necessitates only the SSID of the Wi-Fi network being monitored against MC-MitM attacks. The inherent simplicity of our approach ensures that typical users can enact our detection mechanism without confronting considerable technical hurdles, making it highly accessible for widespread implementation. Additionally, our framework is scalable, allowing for the effortless addition of more ADS nodes to enhance coverage against MC-MitM attacks. For instance, to incorporate an extra ADS node, a user can easily set up a pre-configured ADS node, such as a Raspberry Pi, by configuring the network name via a graphical user interface (GUI). Importantly, our distributed framework’s design ensures that if any ADS node encounters issues, such as network congestion or delays, the remaining nodes will continue to collaborate effectively in detecting MC-MitM attacks.

6 Conclusions and future work

In this work, we introduced a distributed and collaborative wireless intrusion detection system designed to detect the various MC-MitM attack variants. We developed it with Scapy, a Python library for network packet capture and manipulation, MQTT for node communication, and standard wireless interfaces. The system integrates into Wi-Fi-based IoT environments, operates independently of any specific Wi-Fi protocol or standard, and requires no changes to existing network configurations or hardware. It provides continuous protection from MC-MitM attacks, which underlie broader threats such as KRACK and FragAttacks. We assessed the DC-SWIDS framework against actual MC-MitM attacks in a purpose-built experimental environment, monitoring the detection capabilities of the distributed ADS nodes. Our results show that the distributed framework copes with frame loss and detects MC-MitM attacks with a minimum average accuracy of 98% when the ADS nodes are placed at different locations following the recommended maximum separation. As future work, we plan to implement the framework as an installable plugin for smart-home platforms such as Home Assistant or OpenHAB.