2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)

Rogue Wireless AP Detection

using Delay Fluctuation in Backbone Network

Ziwei Zhang Hirokazu Hasegawa Yukiko Yamaguchi Hajime Shimada

Nagoya University Nagoya University Nagoya University Nagoya University
Nagoya, Japan Nagoya, Japan Nagoya, Japan Nagoya, Japan
choshibi@net.itc.nagoya-u.ac.jp hasegawa@icts.nagoya-u.ac.jp yamagu chi@ itc.nagoya-u.ac.jp shimada@itc.nagoy a-u.ac .jp

Abstract— Nowadays, wireless LAN service has been taken for

granted for everyone. On the other hand, there is an increasing
cyber threat in wireless LAN. For example, there is an attack
called Evil-Twin Attack which places rogue access point which has
the same SSID as legitimate one to make clients unknowingly
connect to it. Once attacked, all of the traffic moving across the
network will be eavesdropped by attackers. In this paper, we
propose a method to detect rogue AP by comparing delay
fluctuation of backbone network. We define delay of backbone
network as the difference between ICMP travel from client to first
gateway and to the Internet Server. By comparing 100 samples of
backbone delay evaluation results among 5 different wireless
networks, which have different backbone networks, we obtained a
perspective to discriminate networks by histogram of the
backbone delay.
Keywords— evil twin attack, rogue wireless AP, backbone
network delay
I. I n t r o d u c t io n
The Internet is becoming one of the important infrastructure
of the society. To increase connectivity, Wireless LAN or Wi-Fi
becomes more and more essential to our daily life. Meanwhile,
cyber threats has to be considered seriously due to the rising
numbers of cyber-attacks. Accessing public Wi-Fi has various
risks such as getting eavesdropped through man-in-the-middle
attack. Besides, there is a type of attack called Evil Twin Attack
(ETA). In ETA, attackers create a rogue access point (rogue AP)
that hijacks the wireless connection from clients by providing
same SSID with stronger signal than legitimate AP. In addition,
to convince the victims that the rogue AP is not a fake AP,
attackers provides internet connection to clients in many cases.
To provide such connectivity, attackers may route the traffic
either through a legitimate AP, or may use different backbone
network [1,2],
Such a rogue AP based attack is also threat for wireless LAN
service provider. So, it is important to develop a method to
detect rogue AP. There is a research which try to detect rogue
AP by delay from client to the Internet Server[l], But current
Figure 1 Experiment Environment
Server. Backbone delay based rogue AP detection lias been
tested in 2 APs in which we focused on “using different
network” as experimental environment (Figure 1). The
experimental setup includes 3 wireless LAN infrastructure,
using which the client can connect to 5 different wireless LAN
which have different AP organization or backbone network. We
collected 100 samples of backbone delay respectively on above
5 different wireless LAN at one trial and compared them. Using
the collected samples we were able to obtain a perspective to
discriminate networks by evaluating cosine distance of
histogram.
II. D e t e c t io n m ethod
The rogue AP simulates the behavior of the legitimate AP,
but the backbone network or the authentication is hard to be set
as same as the real one. In such situation, it is considered that we
can discriminate the rogue AP from the legitimate AP based on
the delay of backbone network. Therefore, we propose a method
that detects rogue AP by measuring delay fluctuation from the
first gateway to the Internet Server. Since the Wi-Fi APs in real-
world exhibit more than 2 AP usually, the experiments have
been performed on 5 different wireless networks in the
laboratory.
192.168.12.100 192.168.12.1 192.168. 5.0/24 Server on
m AP
the Internet

¡ IC M P E c h o R e q u e s t
wireless LAN is so crowded especially in 2.4GHz band so that
delay fluctuates so largely. A
¡ IC M P E c h o R e p ly ;

In this study, to improve preciseness, we utilized delay of I C M P E c h o R e q u e st

backbone network which is defined by subtracting time taken B * ----------------------------4— --------------------------
for ICMP packet from client to first gateway and to Internet Figure 2 Measurement Method

978-1-7281-2607-4/19/$31.00 ©2019 IEEE 936 _ IEEE

DOI 10.1109/COMPSAC.2019.00149 computer
society
 Table 1 Difference among Wireless Networks
Lab. L e gitim ate R o g u e Cam pusl
A P o rgan ization m a k e r l m aker2 Linux P C m aker3
Backbone backbone! backbone! backbone2 backbone3 backbone4
We measured delay of backbone network by following the
below steps on each wireless networks.
1. Connect to the AP
2. Send ping (ICMP echo request) from the client to the first
gateway (AP or router) as shown in Figure 2 A.
Simultaneously send ping from the client to the server on
the Internet such as Google server.
3. Repeat step 2 for 100 times to collect delay A (from the client
to the first gateway) and delay B (from the client to the
server) (as shown in Figure 2).
4. Subtract delay A from delay B for respective samples.
Finally the histogram of a sample of 100 has been created
following the rules explained in Section III and respective cosine
distances between histograms have been calculated. In practical
usage, delay histogram of legitimate AP is prepared beforehand
and is compared with delay histogram whenever there is new AP
connected. If similarity is smaller than the predefined threshold,
the newly connected AP is potentially rogue AP.
III. E x p e r im e n t a l s e t u p
To measure the effectiveness of the proposal, we evaluated
backbone delay of 5 wireless networks (Laboratory, Legitimate,
Rogue, Campusl, Campus2) which differs in terms of their
respective backbone networks or AP implementations as shown
in Table 1. We evaluated backbone delay in different days
(weekday, Saturday, Sunday). The delay is summarized to
histogram and the similarities have been calculated using cosine
distance by treating histogram data as vector. The bins of the
histogram is created according to the following rules. (1) bin
size is 1ms from 1ms to 10ms. (2) bin size is 2ms between 10ms
and 30ms. (3) bin size is 5ms between 30ms and 60ms. (4) bin
size is 10ms between 60ms and 100ms. (5) less than 0ms
(occurs when delay A in Figure 2 is longer than delay B) and
more than 100ms are defined as the otherbin.
IV . R e s u l t s a n d D is c u s s io n s
Figure 3 shows the histogram of Sunday as an example.
The horizontal axis shows delay with milliseconds and the
A evaluates and compares delays and warn the end user if the
A currently connected AP seems to be possible rogue AP.
¥\
SO
A V
20
10
0- 1 2 3 4 5 6 7 8 9 10 12 14 16 18 20 22 24
Lab. Legitimate Rogue C a m p u sl
Figure 3 Delay Histogram on Sunday
Table 2 Average Cosine Distance
Cam pus2 Lab. Le gitim ate Rogue C a m p u sl C am p us2
m aker3
Lab. 0.721 0.763 0.594 0.681 0.620
Le gitim ate 0.936 0.395 0.614 0.642
Rogue 0.771 0.616 0.445
C am p usl 0.788 0.824
C am p u s2 0.904
vertical axis shows frequency. As indicated in Section III, the
maximum delay bin is more than 100ms, but since the difference
among wireless networks is insignificant when it exceeds more
than 24ms, it has been omitted. As shown in Figure 3, there are
some visible differences among wireless networks as well as
similar histogram patterns such as Lab. and Legitimate those
have same backbone or Campus 1 and Campus2 which utilize
same hardware for AP.
Table 2 shows average of cosine distance vectors generated by
histograms. The vectors have been generated using histograms
for respective days and networks and their cosine distance have
been computed. As shown in Table 2, Legitimate and Campus2
shows more than 0.9 similarity in same wireless LAN and
similarity to other wireless LAN are less than them. Thus, the
networks can be easily distinguished using delay histogram. On
the other hand, Lab., Rogue, and Campusl shows 0.721 to
0.788 similarity with the same wireless networks and higher
similarities with the other networks. Thus, it sometimes miss to
distinguish the network. We believe by improving data quality
it can achieve better results. Also, the current evaluation is
preliminary one and considers only 3 days of data. Hence in
order to improve performance more data needs to be collected.
Also it can be seen that threshold value could be set around 0.7.
V. C o n c l u s io n
Wireless LAN is essential to our social life, however, it is
becoming more dangerous to use Wi-Fi in the public settings
due to the cyber-attacks such as ETA or man-in-the-middle
attacks. In this paper, we propose a method to detect the rogue
AP by using delay fluctuation of backbone network. To evaluate
the proposal, we measured backbone delay of 5 wireless
networks. We obtained histograms and computed their cosine
distances from observed delays. Using the result, we obtained
potential method to distinguish rogue and legitimate APs in the
wireless LAN.
As a future work, we need to collect more delay data at least
for a period of month. Additionally creation of a tool which
R eferences.
[1] O. Nakhila, “User-side Wi-Fi Evil Twin Attack detection using SSL/TCP
protoclos,” CCNC2015, pp. 239-244, Jan. 2015.
[2] F. Lanze, “Undesired Relatives: Protection Mechanisms Against The Evil
Twin Attack in IEEE 802.11, ” Q2SWinet, pp. 87-94, Sep. 2014
Cam pus2
937