Rogue Wireless AP Detection Using Delay Fluctuation in Backbone Network
wireless LAN is so crowded, especially in the 2.4GHz band, that delay fluctuates so largely.

We measured delay of backbone network by following the

2. Send ping (ICMP echo request) from the client to the first gateway (AP or router) as shown in Figure 2 A. Simultaneously send ping from the client to the server on the Internet such as Google server.

3. Repeat step 2 100 times to collect delay A (from the client to the first gateway) and delay B (from the client to the server) (as shown in Figure 2).

4. Subtract delay A from delay B for the respective samples.

[Figure 2 (image not recovered): legend labels "ICMP Echo Request" and "ICMP Echo Reply"]

Finally, the histogram of a sample of 100 has been created following the rules explained in Section III, and the respective cosine distances between histograms have been calculated. In practical usage, the delay histogram of the legitimate AP is prepared beforehand and is compared with the delay histogram whenever a new AP is connected. If the similarity is smaller than the predefined threshold, the newly connected AP is potentially a rogue AP.

III. Experimental Setup

To measure the effectiveness of the proposal, we evaluated the backbone delay of 5 wireless networks (Laboratory, Legitimate, Rogue, Campus1, Campus2), which differ in terms of their respective backbone networks or AP implementations as shown in Table 1. We evaluated backbone delay on different days (weekday, Saturday, Sunday). The delay is summarized into a histogram, and the similarities have been calculated using cosine distance by treating the histogram data as a vector. The bins of the histogram are created according to the following rules. (1) Bin size is 1ms from 1ms to 10ms. (2) Bin size is 2ms between 10ms and 30ms. (3) Bin size is 5ms between 30ms and 60ms. (4) Bin size is 10ms between 60ms and 100ms. (5) Less than 0ms (occurs when delay A in Figure 2 is longer than delay B) and more than 100ms are defined as the other bin.

IV. Results and Discussions

Figure 3 shows the histogram of Sunday as an example. The horizontal axis shows delay in milliseconds and the vertical axis shows frequency. As indicated in Section III, the maximum delay bin is more than 100ms, but since the difference among wireless networks is insignificant when the delay exceeds 24ms, that range has been omitted. As shown in Figure 3, there are some visible differences among wireless networks, as well as similar histogram patterns, such as Lab. and Legitimate, which have the same backbone, or Campus1 and Campus2, which utilize the same hardware for the AP.

[Figure 3 (image not recovered): histogram of backbone delay on Sunday; horizontal axis: delay in ms, bins up to 24; vertical axis: frequency; series: Lab., Legitimate, Rogue, Campus1, Campus2]

Table 2 shows the average of the cosine distances of the vectors generated from the histograms. The vectors have been generated using the histograms for the respective days and networks, and their cosine distances have been computed. As shown in Table 2, Legitimate and Campus2 show more than 0.9 similarity within the same wireless LAN, and their similarities to the other wireless LANs are lower. Thus, these networks can be easily distinguished using the delay histogram. On the other hand, Lab., Rogue, and Campus1 show 0.721 to 0.788 similarity with the same wireless networks and higher similarities with the other networks. Thus, the method sometimes fails to distinguish the network. We believe that by improving data quality it can achieve better results. Also, the current evaluation is a preliminary one and considers only 3 days of data. Hence, in order to improve performance, more data needs to be collected. It can also be seen that the threshold value could be set around 0.7.

[Table residue: a single row survives, "Rogue 0.771 0.616 0.445"; the column headings are not recovered]

V. Conclusion

Wireless LAN is essential to our social life; however, it is becoming more dangerous to use Wi-Fi in public settings due to cyber-attacks such as ETA or man-in-the-middle attacks. In this paper, we propose a method to detect the rogue AP by using the delay fluctuation of the backbone network. To evaluate the proposal, we measured the backbone delay of 5 wireless networks. We obtained histograms and computed their cosine distances from the observed delays. Using the result, we obtained a potential method to distinguish rogue and legitimate APs in the wireless LAN.

As future work, we need to collect more delay data, for a period of at least a month. Additionally, we plan the creation of a tool which evaluates and compares delays and warns the end user if the currently connected AP seems to be a possible rogue AP.
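The comparison described in the measurement procedure and in Section III, as an added example that is not code from the paper: it bins the per-sample difference (delay B minus delay A) with the stated bin rules, treats the histograms as vectors, and flags the AP when the similarity falls below the suggested 0.7 threshold. The function names, the choice to start the first bin at 0 ms, and the delay values are assumptions constructed for illustration; what the paper calls cosine distance is computed here as cosine similarity, matching how the results are read (higher means more alike).

```python
import bisect
import math

# Bin edges in ms per Section III: 1 ms bins up to 10, 2 ms to 30, 5 ms to 60,
# 10 ms to 100. Assumption: the first bin starts at 0 ms.
EDGES = (list(range(0, 10)) + list(range(10, 30, 2))
         + list(range(30, 60, 5)) + list(range(60, 101, 10)))

def delay_histogram(delay_a, delay_b):
    """Histogram of (delay B - delay A) in ms; the last slot is the 'other' bin."""
    hist = [0] * len(EDGES)  # 30 regular bins + 1 other bin
    for a, b in zip(delay_a, delay_b):
        d = b - a
        if d < 0 or d >= EDGES[-1]:
            hist[-1] += 1  # negative (A longer than B) or 100 ms and above
        else:
            hist[bisect.bisect_right(EDGES, d) - 1] += 1
    return hist

def cosine_similarity(h1, h2):
    """Cosine of the angle between two histograms treated as vectors."""
    dot = sum(x * y for x, y in zip(h1, h2))
    norm = math.sqrt(sum(x * x for x in h1) * sum(y * y for y in h2))
    return dot / norm if norm else 0.0

def is_potential_rogue(reference_hist, observed_hist, threshold=0.7):
    """Flag the AP when similarity to the legitimate profile is below threshold."""
    return cosine_similarity(reference_hist, observed_hist) < threshold

def constructed_run(backbone_ms, gateway_ms=2.0, samples=100):
    """Constructed sample data: cycle a few backbone delays over 100 ping pairs."""
    delay_a = [gateway_ms] * samples
    delay_b = [gateway_ms + backbone_ms[i % len(backbone_ms)] for i in range(samples)]
    return delay_histogram(delay_a, delay_b)

# Constructed profiles, not measurements from the paper.
BASELINE = constructed_run([3.2, 3.7, 4.1, 4.6, 5.3])      # stored legitimate AP
SAME_AP = constructed_run([3.4, 4.2, 4.8, 5.1, 6.5])       # same backbone, later
SUSPECT = constructed_run([4.5, 18.0, 22.5, 130.0, -0.5])  # different backbone

if __name__ == "__main__":
    for name, hist in (("same AP", SAME_AP), ("suspect", SUSPECT)):
        sim = cosine_similarity(BASELINE, hist)
        print(f"{name}: similarity={sim:.3f} rogue={is_potential_rogue(BASELINE, hist)}")
```
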