Robust Detection of Unauthorized Wireless Access Points

Mobile Networks and Applications

Abstract

Unauthorized 802.11 wireless access points (APs), or rogue APs, such as those brought into a corporate campus by employees, pose a security threat as they may be poorly managed or insufficiently secured. An attacker in the vicinity may easily get onto the internal network through a rogue AP, bypassing all perimeter security measures. Existing detection solutions do not work well for detecting rogue APs configured as routers that are protected by WEP, 802.11i, or other security measures. In this paper, we describe a new rogue AP detection method to address this problem. Our solution uses a verifier on the internal wired network to send test traffic towards the wireless edge, and uses wireless sniffers to identify rogue APs that relay the test packets. To quickly sweep all possible rogue APs, the verifier uses a greedy algorithm to schedule the channels for the sniffers to listen to. To work with the encrypted AP traffic, the sniffers use a probabilistic algorithm that only relies on observed wireless frame size. Using extensive experiments, we show that the proposed approach can robustly detect rogue APs with moderate network overhead. The results also show that our algorithm is resilient to congested wireless channels and has low false positives/negatives in realistic environments.
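The frame-size idea in the abstract can be illustrated with a small sniffer-side decision routine. This is an added example, not the paper's algorithm or code: it applies Wald's sequential probability ratio test to whether frames from one BSSID match the sizes of the verifier's test packets once a known encryption overhead is added. The function names, the probabilities `p1` and `p0`, the error targets, and the sample frame sizes are all assumptions constructed for illustration, and sizes are treated as frame-body lengths.

```python
import math

# Bytes that link-layer encryption adds to each data frame (0 = unencrypted):
# WEP = IV + ICV, CCMP = header + MIC, TKIP = IV/extended IV + MIC + ICV.
CIPHER_OVERHEAD = {"open": 0, "wep": 8, "ccmp": 16, "tkip": 20}

def size_matches(observed, test_size):
    """True if an observed frame size equals a test size plus a known overhead."""
    return any(observed == test_size + o for o in CIPHER_OVERHEAD.values())

def sprt_relay_test(test_sizes, frames_per_probe,
                    p1=0.9, p0=0.05, alpha=0.01, beta=0.01):
    """Sequential test over probes sent by the wired-side verifier.

    test_sizes[i]       size of the i-th test packet (assumed distinctive)
    frames_per_probe[i] frame sizes the sniffer saw from one BSSID in the
                        window after probe i
    H1: the AP relays test traffic (a probe matches with probability p1)
    H0: it does not (background traffic matches by chance with probability p0)
    Returns (verdict, probes_used).
    """
    upper = math.log((1 - beta) / alpha)   # accept H1 at or above this
    lower = math.log(beta / (1 - alpha))   # accept H0 at or below this
    llr, n = 0.0, 0
    for size, frames in zip(test_sizes, frames_per_probe):
        n += 1
        hit = any(size_matches(f, size) for f in frames)
        llr += math.log(p1 / p0) if hit else math.log((1 - p1) / (1 - p0))
        if llr >= upper:
            return "relays-test-traffic", n
        if llr <= lower:
            return "not-relaying", n
    return "undecided", n

# Constructed sample data: four probes with distinctive sizes.
TEST_SIZES = [211, 467, 723, 979]
# WEP-protected AP relaying the probes (+8 bytes); probe 2 lost to congestion.
ROGUE_FRAMES = [[60, 219], [1500], [731, 60], [987]]
# Neighbouring AP carrying unrelated traffic only.
BENIGN_FRAMES = [[60, 1500], [1500, 90], [60], [1500]]

if __name__ == "__main__":
    print(sprt_relay_test(TEST_SIZES, ROGUE_FRAMES))
    print(sprt_relay_test(TEST_SIZES, BENIGN_FRAMES))
```

A lost probe moves the score back toward the "not relaying" threshold rather than resetting it, so a congested channel delays the verdict instead of flipping it.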

Notes

  1. http://www.placelab.org/database/.

Acknowledgements

This work is supported in part by NSF under Award CCF-0429906 and by the Science and Technology Directorate of the U.S. Department of Homeland Security under Award NBCH2050002. Points of view in this document are those of the authors and do not necessarily represent the official position of NSF or the U.S. Department of Homeland Security. We thank the MAP project team at Dartmouth College and Aruba Networks for the constructive discussions on the proposed detection method. David Martin also provided valuable comments on an early draft of this paper. We also thank the Dartmouth CRAWDAD team, particularly Jihwang Yeo, and the ICSI/LBNL group who made efforts to release the network traces used in our experiments.

Author information

Corresponding author

Correspondence to Guanling Chen.

About this article

Cite this article

Yan, B., Chen, G., Wang, J. et al. Robust Detection of Unauthorized Wireless Access Points. Mobile Netw Appl 14, 508–522 (2009). https://doi.org/10.1007/s11036-008-0109-6

  • DOI: https://doi.org/10.1007/s11036-008-0109-6
