Research Article
Rogue Access Point Detection Using Innate Characteristics of the 802.11 MAC
@INPROCEEDINGS{10.1007/978-3-642-05284-2_23,
  author = {Aravind Venkataraman and Raheem Beyah},
  title = {Rogue Access Point Detection Using Innate Characteristics of the 802.11 MAC},
  proceedings = {Security and Privacy in Communication Networks. 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009, Revised Selected Papers},
  proceedings_a = {SECURECOMM},
  year = {2012},
  month = {5},
  keywords = {Rogue Access Point Detection 802.11 MAC Protocol Rate Adaptation Distributed Coordination Function},
  doi = {10.1007/978-3-642-05284-2_23}
}
Authors: Aravind Venkataraman, Raheem Beyah
Year: 2012
Venue: SECURECOMM
Publisher: Springer
DOI: 10.1007/978-3-642-05284-2_23
Abstract
Attacks on wireless networks can be classified into two categories: external wireless and internal wired. In external wireless attacks, an attacker uses a wireless device to target the access point (AP), other wireless nodes or the communications on the network. In internal wired attacks, an attacker or authorized insider inserts an unauthorized (or rogue) AP into the wired backbone for malicious activity or misfeasance. This paper addresses detecting the internal wired attack of inserting rogue APs (RAPs) in a network by monitoring on the wired side for characteristics of wireless traffic. We focus on two 802.11 medium access control (MAC) layer features as a means of fingerprinting wireless traffic in a wired network. In particular, we study the effect of the Distributed Coordination Function (DCF) and rate adaptation specifications on wireless traffic by observing their influence on arrival delays. By focusing on fundamental traits of wireless communications, unlike existing techniques, we demonstrate that it is possible to extract wireless components from a flow without having to train our system with network-specific wired and wireless traces. Unlike some existing anomaly-based detection schemes, our approach is generic: it does not assume that the wired network is inherently faster than the wireless network, it is effective for networks that do not have sample wireless traffic, and it is independent of network speed/type/protocol. We evaluate our approach using experiments and simulations. Using a Bayesian classifier we show that we can correctly identify wireless traffic on a wired link with 86-90% accuracy. This, coupled with an appropriate switch port policy, allows the identification of RAPs.
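To make the DCF feature concrete, here is an added example (my own code, not the paper's): it scores whether a flow's wired-side inter-arrival gaps are quantized to the 802.11 slot time, the lattice that random backoff imposes, using a model-based Bayes factor that needs no training traces. It assumes the 802.11b slot of 20 µs and a 2 µs timestamp jitter; the two sample flows are constructed, not captured.

```python
"""Score a flow's wired-side inter-arrival gaps for 802.11 DCF slot structure.
Under DCF a station defers DIFS plus a random whole number of slot times before
each transmission, so gaps between frames of a wireless-originated flow sit on
a lattice spaced SLOT_US apart (plus jitter); wired traffic has no such lattice.
A Bayes factor compares a "slotted" model with an unstructured null."""
import math
import random

SLOT_US = 20.0    # 802.11b DSSS slot time (802.11a/g OFDM uses 9 us)
JITTER_US = 2.0   # assumed std dev of wired-side timestamp jitter


def slot_phase(gaps, slot=SLOT_US):
    """Circular mean of (gap mod slot): the offset of the lattice."""
    ang = [2 * math.pi * g / slot for g in gaps]
    s = sum(math.sin(a) for a in ang)
    c = sum(math.cos(a) for a in ang)
    return (math.atan2(s, c) * slot / (2 * math.pi)) % slot


def dcf_log_bayes_factor(gaps, slot=SLOT_US, sigma=JITTER_US):
    """log P(gaps | slotted model) - log P(gaps | unstructured model).
    Positive: gaps look DCF-shaped (wireless origin). Negative: wired."""
    phase = slot_phase(gaps, slot)
    half = slot / 2
    log_null = -math.log(slot)   # residual uniform on [0, slot) under the null
    log_norm = math.log(sigma * math.sqrt(2 * math.pi))
    total = 0.0
    for g in gaps:
        d = ((g - phase + half) % slot) - half   # signed distance to lattice
        total += (-0.5 * (d / sigma) ** 2 - log_norm) - log_null
    return total


def classify(gaps):
    return "wireless" if dcf_log_bayes_factor(gaps) > 0 else "wired"


# Constructed sample flows, not captured traffic.
_rng = random.Random(7)
# Wireless-like: constant frame+DIFS+SIFS+ACK base plus 0..31 backoff slots.
WIRELESS_GAPS = [1400.0 + SLOT_US * _rng.randint(0, 31) + _rng.gauss(0, 1.5)
                 for _ in range(200)]
# Wired-like: exponentially spaced gaps with no slot lattice.
WIRED_GAPS = [_rng.expovariate(1 / 600.0) + _rng.gauss(0, 1.5)
              for _ in range(200)]

if __name__ == "__main__":
    for name, gaps in (("wireless", WIRELESS_GAPS), ("wired", WIRED_GAPS)):
        print(name, round(dcf_log_bayes_factor(gaps), 1), classify(gaps))
```

A perfectly periodic wired source also lands on a lattice, so this score is one feature to combine with others rather than a verdict on its own.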