Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers

Research Article

Detection of Masqueraded Wireless Access Using 802.11 MAC Layer Fingerprints

Download
499 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-39891-9_18,
        author={Christer Idland and Thomas Jelle and Stig Mj\`{u}lsnes},
        title={Detection of Masqueraded Wireless Access Using 802.11 MAC Layer Fingerprints},
        proceedings={Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2013},
        month={10},
        keywords={WLAN 802.11 wireless media access layer masquerading intrusion detection network forensics communication fingerprints},
        doi={10.1007/978-3-642-39891-9_18}
    }
    
  • Christer Idland
    Thomas Jelle
    Stig Mjølsnes
    Year: 2013
    Detection of Masqueraded Wireless Access Using 802.11 MAC Layer Fingerprints
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-39891-9_18
Christer Idland1,*, Thomas Jelle1,*, Stig Mjølsnes1,*
  • 1: Norwegian University of Science and Technology
*Contact email: christer.idland@item.ntnu.no, thomas.jelle@item.ntnu.no, sfm@item.ntnu.no

Abstract

Many wireless Internet access operators prefer open local area network (WLAN) access because this reduces the need for user assistance for a variety of smaller devices. A 802.11 MAC spoofer masquerades as an authorized user and gains access by using an already whitelisted MAC address. We consider the scenario where the spoofer waits until the authorized user has finished the session, and then uses the still whitelisted MAC address for the network access. We propose and experiment with “implementation fingerprints” that can be used to detect MAC layer spoofing in this setting. We include eight different tests in the detection algorithm, resulting in 2.8 in average Hamming distance of the tests. Eleven different STA devices are tested with promising detection results. No precomputed database of fingerprints is needed.