
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE INFOCOM 2008 proceedings.

A Hybrid Rogue Access Point Protection Framework for Commodity Wi-Fi Networks

Liran Ma, Amin Y. Teymorian, Xiuzhen Cheng
Department of Computer Science
The George Washington University,
Washington DC, 20052, USA.
Email: {lrma,amin,cheng}@[Link]

978-1-4244-2026-1/08/$25.00 © 2008 IEEE

Abstract—We develop a practical and comprehensive hybrid rogue access point (AP) detection framework for commodity Wi-Fi networks. It is the first scheme that combines distributed wireless media surveillance with centralized wired-end socket-level traffic "fingerprinting." The former is designed not only to detect various types of rogue APs, but also to discover suspicious activities so as to prevent adversaries from turning victim APs into rogue devices. Moreover, the socket-level traffic fingerprinting helps our framework achieve a finer granularity of rogue AP detection than the existing schemes. This framework has the following nice properties: i) it requires neither specialized hardware nor modification to existing standards; ii) the proposed mechanism greatly improves the rogue AP detection probability so that network resilience is improved; iii) it provides a cost-effective solution to Wi-Fi network security enhancement by incorporating free but mature software tools; iv) it can protect the network from adversaries capable of using customized equipment and/or violating the IEEE 802.11 standard; v) its open architecture allows extra features to be easily added on in the future. Our analysis and evaluation demonstrate that this hybrid rogue AP protection framework is capable of reliably revealing rogue devices and preempting potential attacks.

Index Terms—Rogue access point detection, commodity Wi-Fi networks, intrusion detection, wireless security.

I. INTRODUCTION

With the increasing popularity of Wi-Fi networks, securing such a network becomes a challenging problem. Commodity Wi-Fi networks are particularly vulnerable to attacks because of factors such as the open medium, insufficient software implementations, potential for hardware deficits, and improper configurations. Among all the security threats, one of the most dangerous hazards is the prevalence of rogue APs. A rogue AP is typically referred to as an unauthorized AP in the literature. This type of device can be easily deployed by end-users. When a rogue AP is connected to a network, it can be used by adversaries for committing espionage and launching attacks. Similarly, improperly configured APs and phishing APs can introduce the same security threats once exploited by adversaries. Therefore, they can be regarded as rogue APs as well. More importantly, there is a more insidious type of rogue AP, called the compromised AP, that has drawn little attention in the literature. A compromised AP is the most dangerous rogue AP that can exist in commodity Wi-Fi networks. In particular, it is difficult to detect such a rogue device because the AP itself is not malfunctioning (e.g., operating without specified security controls). Further, the AP does not display anomalous misbehavior such as broadcasting a duplicate SSID. Thus, a compromised AP can significantly diminish the overall security of the network. A summary of the types of rogue APs and a number of possible scenarios is shown in Table I. For a detailed taxonomy of rogue APs, we refer the readers to Ref. [1].

TABLE I
ROGUE AP TAXONOMY AND SCENARIOS

Rogue AP Class             Possible Scenarios
1. Improperly configured   insufficient security knowledge; faulty driver; physically defective; multiple network cards
2. Unauthorized            connected to internal LAN without permission; external neighborhood AP
3. Phishing                fabricated by adversary
4. Compromised             disclosure of security credentials

According to an early study by Gartner [2], rogue APs are present on about 20% of all enterprise networks. The main reason leading to this phenomenon is that advances in hardware and software have made AP installation, AP discovery (e.g., finding improperly configured APs), and AP compromise an easy task for attackers. It is convenient to obtain an AP and plug it into a network without being discovered for some time. Moreover, commodity Wi-Fi network cards that have the capability to capture all 802.11 transmissions can currently be purchased for about US $30 on eBay. Hence, the process of driving around and looking for vulnerable APs (known as "wardriving") can be accomplished by people with limited security backgrounds. In addition, the probability that an unprotected AP can be exploited is increased by people called warchalkers who document and publicize the locations of APs.

To make matters worse, a properly configured AP with security features enforced can still be compromised, thus becoming a rogue AP. As shown in [3]–[5], the most common security protocol, Wired Equivalent Privacy (WEP), has been shown to be breakable even when correctly configured. Recently, Wi-Fi Protected Access (WPA) has been created in response to the serious weaknesses that researchers found in WEP. However, WPA does not necessarily work with first-generation APs. When operating in WPA Pre-Shared Key (PSK) mode, a strong passphrase is required. Otherwise, the secret key might be discovered by launching a brute-force dictionary attack on authentication frames. Another deficiency of WPA is that it still relies on the RC4 encryption algorithm. Due to these weaknesses in WEP and WPA, an attacker can easily compromise an AP and turn it into a rogue one.

Facing such unprecedented challenges, the traditional way of protecting networks with encryption and firewalls is no longer sufficient. Thus, several techniques have been proposed in the literature to detect the existence of rogue APs. One of the most popular approaches is to scan the area of interest with a wireless device running on laptops or handheld devices. This idea is also widely adopted in commercial products, with advanced features such as non-interactive scanning and continuous monitoring capabilities enabled. However, there is still no satisfactory and practical solution that is competent enough to tackle rogue APs.

We develop a novel hybrid framework for protecting Wi-Fi networks from rogue APs. In this framework, rogue APs are automatically detected and located through the combination of distributed wireless scanning and centralized traffic "fingerprinting." Accordingly, it includes two major components: a distributed detection module (DDM) and a centralized detection module (CDM). The former can be connected to or implemented on APs as small plugins, while the latter is located at the gateway router of a local network. In addition, our framework works in conjunction with current security protocols such as WEP and WPA, and it does not require any specialized wireless hardware. Furthermore, it can protect the network from adversaries using customized equipment and/or violating the IEEE 802.11 standard. Lastly, it works consistently under various network configurations.

The rest of the paper is organized as follows. Section II discusses related work. The proposed rogue AP protection framework is elaborated in Section III, and the detailed analysis is provided in Section IV. The evaluation results are presented in Section V. Finally, our conclusion and future research directions appear in Section VI.

II. RELATED WORK

Due to the security threats that a rogue AP can pose for corporate Wi-Fi networks, detecting such APs is one of the most important tasks of an IT department. Traditional rogue AP detection relies on network enumeration tools (e.g., NetStumbler) running on laptops or handheld devices carried by IT personnel. This "walking audit" approach is both time-consuming and unreliable. Further, it fails when a rogue AP spoofs characteristics such as the MAC address and Service Set Identifier (SSID) of a legitimate AP.

To help automate the scanning process and provide continuous monitoring capabilities, a number of commercial products have been developed [6]–[8]. AirDefense [6] is one such product. It uses a combination of radio frequency sensors and an intrusion detection/protection server appliance to capture, process, and correlate network events. However, the latest release, AirDefense 7.2, has a starting price of US $7,995. Lastly, if the specialized monitoring sensors are not used, it is difficult to guarantee complete coverage of the network to ensure effective rogue AP detection.

On the other hand, the research community has only recently started to direct attention toward rogue AP detection. An architecture for fault diagnostics in IEEE 802.11 networks is presented in [9]. Multiple APs and mobile clients perform RF monitoring to help detect the presence of rogue wireless devices such as unauthorized APs. Each client is required to install special diagnostic software, and rogue APs are assumed to transmit beacon messages and respond to probe requests. In contrast, our framework does not inconvenience clients with additional software installs. Further, its detection ability is not based on the assumption that rogue APs will function properly.

Bahl et al. [10] propose a distributed monitoring infrastructure called DAIR. It attaches USB wireless adapters to desktop machines for more comprehensive traffic capturing ability. Although techniques to reduce false positives/negatives are provided, its effectiveness is still dependent on AP functionality that can be easily turned off. Additionally, both [9] and [10] assume that some specific characteristics of the IEEE 802.11 standards cannot be violated by the adversaries. Conversely, our proposed framework avoids their limiting dependencies, and provides protection from types of rogue APs that they cannot detect.

Differences in inter-packet spacing between traffic flows on wired and wireless networks are used in [11], [12] for identification of rogue APs. However, the scheme does not differentiate between wireless traffic from authorized and unauthorized APs. It also assumes that APs will be connected within one hop to a switch monitoring the traffic, and relies on visual inspection of traffic characteristics.

Multiple network sniffers are used in [13] for detecting rogue APs and eavesdroppers. Each sniffer has three network cards, and the intrusion detection capabilities are stymied by MAC address spoofing. Yeo et al. [14] improve the performance of wireless monitoring by merging packet captures from multiple network sniffers and carefully selecting sniffer placement. The techniques are exploited to characterize MAC layer traffic and perform retrospective diagnoses. Our framework provides techniques to detect rogue APs that have spoofed MAC addresses without relying on heavily equipped sniffers. It can also detect sophisticated eavesdroppers and avert AP compromise.

Recently, two passive online rogue AP detection algorithms have been proposed in [15]. The core of these two algorithms is the sequential hypothesis tests applied to packet-header data that are passively collected at a monitoring point. Both algorithms exploit the fundamental properties of the 802.11 CSMA/CA mechanism and the half-duplex nature of wireless channels to differentiate wired and wireless LAN TCP traffic. Once TCP ACK-pairs are observed, prompt decisions are made with little computation and storage overhead. Yin et al. [16] propose a layer-3 rogue AP detection approach using the combination of a verifier and wireless sniffers. In this approach, a verifier on the internal wired network is employed to send test traffic towards the wireless edge. Once wireless sniffers capture an AP relaying the test packets, the AP is flagged as rogue. In addition, a binary hypothesis testing technique is adopted to improve the robustness of detection.

Our proposed framework differs from previous work in that it provides robust and comprehensive protection against rogue APs through a novel coupling of rogue AP preemption and detection. It also defends against a more insidious type of rogue AP, i.e., the compromised AP, that has never been addressed in the literature before. Further, it can detect rogue APs that have the ability to violate the IEEE 802.11 standard. Moreover, the mature techniques and freely available software that this framework employs make it an efficient and cost-effective solution. Lastly, modifications to the underlying wireless standard are not necessary with this framework.

III. THE FRAMEWORK DESIGN

This hybrid framework is designed to monitor network activities, forestall events that could lead to the generation of rogue APs, discover existing rogue APs, and block unauthorized network access through rogue APs. The two main components that constitute its architecture are the distributed monitoring module and the centralized detection module. The former should be placed in a way that it can cover the areas of interest as much as possible. On the other hand, the latter is located at the gateway router of a local network, which allows it to examine all the traffic coming in and going out of the network. A brief summary of each component and its functionalities is listed in Table II.

TABLE II
FRAMEWORK COMPONENT SUMMARY

Component: Distributed Detection Module / Wireless Frame Collector
  Security threat: Rogue wireless traffic (e.g., unauthorized access, passive attacks, and active attacks)
  Countermeasure: Device running in promiscuous mode at all times with "real passive" listening capability; off-the-shelf wireless range extenders

Component: Distributed Detection Module / Preemption Engine
  Security threat: Class 4 rogue APs; passive listeners; network integrity violations (e.g., unregistered MACs, duplicate MACs, and forged management frames)
  Countermeasure: Probing eavesdroppers (e.g., using ARP requests); logging and localization of unregistered or duplicate MACs; avoid post-forge requests

Component: Distributed Detection Module / Detection Engine
  Security threat: Class 1–4 rogue APs; attackers that evade the Preemption Engine or obtain the security credentials
  Countermeasure: Active AP probing; location verification; client disassociation; passive or active OS fingerprinting

Component: Centralized Detection Module / Scanning & Filtration
  Security threat: Rogues undetected or uncovered by DDM (e.g., rogues hiding behind NAT devices)
  Countermeasure: Port 80 scans; socket-level stream analysis (e.g., RTTs or inter-packet arrival times)

The type of Wi-Fi network we consider uses WEP or WPA in conjunction with MAC address filtering. Additionally, we try to avoid rekeying activities, as they require significant overhead. An example of such a network is the one used by the Department of Computer Science at The George Washington University. Although there are about 20 to 30 active users daily, there are over 600 registered users. Rekeying (i.e., change of the WEP secret key) is not a desirable action, as it incurs significant overhead. The layout of an example network can be found in Fig. 2, where a wireless network is behind a NAT box.

A. The Distributed Detection Module

This module consists of a passive wireless frame collector, a rogue AP preemption engine, and a rogue AP detection engine. An illustration of the overall architecture of the distributed monitoring module can be seen in Fig. 1. The frame collector is responsible for gathering wireless traffic. The collected data is then passed to the preemption engine, where checks are performed in order to thwart various attacks. Finally, the data is analyzed by the detection engine. There are also probing functions shared by the preemption and detection engines so that adversaries can be lured into revealing their presence.

[Fig. 1. Distributed monitoring module architecture. Blocks shown: Passive Wireless Frame Collector; Monitoring and Preemption (promiscuous nodes, unregistered MACs, duplicate MACs, spoofed management frames, excessive ARP requests); Detection and Containment (OS fingerprints; wireless NIC driver fingerprints: probing timing, rate adaptation; traffic fingerprints); shared Probing Functions (customized ARP requests; probe requests: SSID, channel, security protocol, RSSI/location).]

1) Passive Wireless Frame Collector: A frame collector is needed for real-time WLAN monitoring so that rogue wireless devices can be quickly identified, and network administrators notified when appropriate. One benefit of the frame collector is its natural ability to separate wired and wireless traffic. Thus, there is no need for complicated modules that attempt to isolate the two by examining traffic signatures.

The frame collector needs to have a network device that runs in promiscuous mode at all times. The entire region of interest can be covered with the assistance of wireless range extenders. One of the frame collector's main duties is to capture all wireless traffic. Subsequently, the frame collector dissects frames into IP and TCP components. This allows information such as client MAC addresses, SSID, channel assignment, encryption status, and beacon interval to be recorded. It also filters the collected traffic into user-specific streams such as AP-client pairs. The relevant data will be processed by the intrusion preemption and detection engines described in the following subsections.

Note that it is critical to hide the wireless frame collector described above from adversaries. Otherwise, a prudent attacker may change tactics to elude capture. Techniques that can achieve real "passive listening" are detailed in [17].

2) Preemption Engine: While attempted network attacks cannot be avoided, it is possible to prevent some attacks before they happen. In particular, a certain amount of information must be collected by an adversary before an attack can actually occur. The prompt identification of such activity can help thwart an impending attack. Subsequently, a rogue AP preemption engine is included in the proposed framework.

The rogue AP preemption engine is our first line of defense. The basic objectives of this component are to trap sniffers and thwart activity that can lead to AP compromise. Probing of potential eavesdroppers and network integrity checks are performed to accomplish these goals. The former is designed to discover passive listeners while the latter is used to prevent a legitimate AP from being compromised.

a) Eavesdropper Probing: Probing functionality is employed to help prevent Class 4 rogues from appearing on a network. In particular, messages are periodically generated that, when replied to, reveal the presence of a sniffer. One type of message is an ARP request. If a potential attacker is eavesdropping on the network traffic and replies to one of the trap ARP requests, her presence is revealed.

Since these broadcast messages are regular network signaling traffic, it is unlikely that an attacker will notice the existence of our preemption engine. In addition, the interval selected for broadcasting the frames reflects a trade-off between available bandwidth consumption and the time needed for detection. These parameters can be customized based on the capabilities of the underlying hardware systems.

b) Intruder Discovery: After obtaining data from the wireless frame collector, the four integrity checks outlined below will be carried out. We assume that every legitimate wireless device's MAC address is available to the preemption engine.

• Unregistered MAC addresses are temporarily stored together with their possible location information. This is because an attacker might disclose its MAC address to the AP before the knowledge of a legitimate MAC address is acquired. Additionally, these MAC addresses will be shared with the rogue AP detection engine described in Section III-A3.
• Duplicate MAC addresses are temporarily removed from the MAC filter so that network access is denied. This can happen when an attacker spoofs a MAC address to that of a client that is currently connected.
• The presence of management frames (e.g., deauthentication frames) will be observed and checked because many active attacks rely on the transmission of forged frames [18]. Once a frame is determined to be spoofed, APs refuse to respond to that frame.
• The appearance of excessive ARP requests in a given time is the sign of an ARP request replay attack [19], which repeatedly transmits the same ARP packet to obtain new initialization vectors (IVs) from an AP in order to crack a WEP key. In cases like this, an AP is instructed to temporarily ignore such ARP requests.

As a complement to the above tactics, a warning message can be sent to the system administrator whenever a spoofed MAC address or a forged management frame is detected.

3) Detection Engine: There are two primary reasons for the rogue AP detection engine. First, defending against Class 1–3 rogue APs is an inherently reactive process. For example, there is no way to prevent an attacker from setting up a phishing AP outside of a private organization. The AP probing technique described in Section III-A3a is used to lure Class 1–3 rogue APs into revealing their presence. Secondly, a sophisticated adversary may be able to evade the preemption techniques for Class 4 rogue APs. Class 4 rogue APs are detected by first identifying traffic from an unauthorized user. Additional mechanisms are included for handling adversaries that are strong enough to use hardware that violates the 802.11 standard.

We assume that a floor plan of the building containing the to-be-protected network is available. In particular, the exact location of authorized APs and range extenders should be known. The above location data, along with information such as an AP's MAC address, SSID, nearest extender, working channel, and typical received signal strength indicator (RSSI), can be made accessible to the detection engine.

a) AP Probing: An AP advertises its presence several times per second by broadcasting special frames called beacons that carry its SSID. Stations can discover an AP by passively listening for beacons, or by transmitting a probe request message to actively search for an AP with a specified SSID. Our detection engine uses active honeypot functionality¹ to discover rogue APs by sending out probe requests. It is capable of detecting the first three classes of rogue APs.

Therefore, a particular AP can be discovered from its probe responses. The next step is to determine whether or not it is a rogue AP. One way to do this is to compare the discovered APs with those belonging to a list of authorized APs. Any AP that is detected and does not appear in the authorization list can

¹ Examples of active honeypot systems include Strider HoneyMonkeys [20] and the Honeyclient Project [21].
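The eavesdropper probe and the four integrity checks of the preemption engine (Section III-A2), as an added example that is not the paper's own implementation. It replays the checks over a constructed capture. The registry of legitimate MACs, the extender names used as a location proxy, the ARP window and limit, the duplicate-MAC time window, and the rule that a deauthentication frame carrying an AP's MAC but heard away from that AP's registered extender is treated as forged are all assumptions of this example.

```python
"""Preemption-engine checks over a constructed wireless capture (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed registry: every legitimate wireless device's MAC and the extender
# (or AP) it is normally heard through; the extender name stands in for location.
REGISTERED = {
    "00:11:22:aa:aa:01": "ext-a",   # client A
    "00:11:22:aa:aa:02": "ext-b",   # client B
    "00:11:22:ff:00:01": "ext-a",   # AP a
}
AUTHORIZED_APS = {"00:11:22:ff:00:01"}
TRAP_IPS = {"10.0.0.250"}    # decoy addresses the engine asks for in trap ARP requests
ARP_WINDOW_S = 10.0          # sliding window for the ARP replay check (assumed)
ARP_LIMIT = 50               # requests per window that count as excessive (assumed)
DUP_WINDOW_S = 2.0           # same MAC at two extenders within this = duplicate (assumed)


@dataclass(frozen=True)
class Frame:
    t: float          # capture time in seconds
    kind: str         # "data" | "deauth" | "arp_request" | "arp_reply"
    src: str          # source MAC
    ext: str          # extender that captured the frame
    arp_ip: str = ""  # ARP only: target IP of a request, answered IP of a reply


class PreemptionEngine:
    def __init__(self):
        self.unregistered = {}               # MAC -> (extender, first seen)
        self.last_seen = {}                  # MAC -> (extender, time)
        self.arp_times = defaultdict(deque)  # MAC -> ARP request timestamps in window
        self.alerts = []                     # (check, MAC, action), one per (check, MAC)
        self._fired = set()

    def _alert(self, check, mac, action):
        if (check, mac) not in self._fired:
            self._fired.add((check, mac))
            self.alerts.append((check, mac, action))

    def process(self, f: Frame):
        # Eavesdropper probing: nobody should answer for a decoy IP, so a reply
        # to one of the trap ARP requests reveals a promiscuous listener.
        if f.kind == "arp_reply" and f.arp_ip in TRAP_IPS:
            self._alert("sniffer", f.src, "log-and-locate")
        # Check 1: unregistered MAC, kept with location for the detection engine.
        if f.src not in REGISTERED:
            self.unregistered.setdefault(f.src, (f.ext, f.t))
            self._alert("unregistered-mac", f.src, "store-with-location")
        # Check 2: duplicate MAC, one address heard at two extenders within the window.
        prev = self.last_seen.get(f.src)
        if prev and prev[0] != f.ext and f.t - prev[1] <= DUP_WINDOW_S:
            self._alert("duplicate-mac", f.src, "remove-from-mac-filter")
        self.last_seen[f.src] = (f.ext, f.t)
        # Check 3: a deauthentication frame carrying an AP's MAC but captured away
        # from that AP's registered extender is treated as forged (assumed rule).
        if f.kind == "deauth" and f.src in AUTHORIZED_APS and REGISTERED[f.src] != f.ext:
            self._alert("forged-mgmt-frame", f.src, "ap-ignore-frame")
        # Check 4: excessive ARP requests in the window, the sign of ARP replay.
        if f.kind == "arp_request":
            q = self.arp_times[f.src]
            q.append(f.t)
            while q and f.t - q[0] > ARP_WINDOW_S:
                q.popleft()
            if len(q) > ARP_LIMIT:
                self._alert("arp-replay", f.src, "ap-ignore-arp-temporarily")


def constructed_capture():
    """A short capture with one instance of each condition (constructed data)."""
    frames = [
        Frame(0.0, "data", "00:11:22:aa:aa:01", "ext-a"),
        Frame(0.5, "arp_request", "00:11:22:ff:00:01", "ext-a", "10.0.0.250"),  # trap request via AP a
        Frame(0.7, "arp_reply", "de:ad:be:ef:00:01", "ext-b", "10.0.0.250"),    # a sniffer answers the decoy
        Frame(1.0, "data", "00:11:22:aa:aa:02", "ext-b"),
        Frame(1.2, "data", "00:11:22:aa:aa:02", "ext-a"),    # client B's MAC also heard at ext-a
        Frame(2.6, "deauth", "00:11:22:ff:00:01", "ext-b"),  # "AP a" deauth captured at ext-b
    ]
    # 60 identical ARP requests from client A's address within five seconds.
    frames += [Frame(3.0 + i * 0.08, "arp_request", "00:11:22:aa:aa:01", "ext-a", "10.0.0.1")
               for i in range(60)]
    return frames


def run_engine(frames):
    """Feed frames in capture order and return the engine with its alerts."""
    eng = PreemptionEngine()
    for f in sorted(frames, key=lambda fr: fr.t):
        eng.process(f)
    return eng


if __name__ == "__main__":
    for alert in run_engine(constructed_capture()).alerts:
        print(*alert)
```

Each (check, MAC) pair fires once, so a replaying client produces a single alert rather than one per excess request; a real deployment would also attach the extender and RSSI of the offending frame for localization.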


be labeled as a rogue device. The relevant values associated with each AP in the table of authorized APs include its MAC address, SSID, working channel, and equipment vendor.

Accordingly, our detection system has a probe request frame periodically sent out on all of the channels (e.g., 11 channels in 802.11b). This property increases the likelihood of a rogue AP being detected because any AP that hears the request will send a probe response back to the detection engine. In this response, information such as the MAC address must be included, even though the SSID may not be present. If the reported MAC address matches an unregistered MAC address found during an integrity check, we can conclude that it belongs to a rogue AP. Finally, the switch port that is associated with the rogue AP's MAC address can be closed to eliminate it from the network.

In the event that a rogue AP spoofs a legitimate AP's MAC address and SSID, location information should be used to make a judgement. If an AP announces a legitimate MAC address, but has localization results that are inconsistent with those in the AP MAC-to-location table, it can be considered to be a rogue AP.

b) Compromised AP Detection: A compromised AP is detected by identifying an unauthorized client who is connecting to it. The client can be detected by employing a combination of various fingerprinting techniques. Fingerprinting is a process by which a device or the software it is running is identified by its externally observable characteristics. We detail these techniques below.

i) User-specific traffic fingerprinting: A profile could be created (either online or offline) for each client that indicates their network traffic patterns such as web browsing preferences. More specifically, the profile contains distinctive identifiers such as Internet destinations and email servers. In this case, techniques from machine learning and data mining [22] could be applied.

ii) OS fingerprinting: The OS that is running on a suspect client can be identified with OS fingerprinting tools. Examples of active and passive OS fingerprinting tools are Nmap [23] and p0f [24], respectively. Information about OS preference can be obtained when users register with the system administrator. With this information, we can identify potential attackers by looking for inconsistencies between the fingerprinting results and the preferred OS. A discrepancy may be cause for a "red flag" to be generated about a particular client.

iii) Wireless network interface card (NIC) driver fingerprinting: Due to the ambiguity of the 802.11 standard, different implementations of the same protocol specification in wireless device drivers behave differently. Fingerprinting techniques take advantage of these implementation-dependent differences to accurately identify a driver. We list two implementation-dependent algorithms below.
• Timing of probe request frames: The algorithm used to scan for APs is not explicitly defined in the 802.11 standard. Therefore, it has led to the development of many wireless device drivers that display different characteristics in terms of this function [25]. Using these characteristics, wireless drivers can be determined with acceptable accuracy.
• Rate adaptation schemes: The lack of an explicit specification for a rate adaptation algorithm results in different implementations such as ARF [26] and SampleRate [27]. Thus, each algorithm will have a different impact on observable traffic characteristics such as throughput and occurrence of retransmissions. Techniques have been proposed in [28] to distinguish different drivers by their rate adaptation algorithms.

iv) Client location fingerprinting: The ability to distinguish the location of spoofed nodes from the authentic nodes can help to identify compromised APs. A commonly used location distinction approach is RSSI measurement. Yet, RSSI values may vary due to small-scale and frequency-selective fading. There are some more advanced techniques proposed for location distinction such as link temporal signature [29].

B. Centralized Detection Module

The wireless distributed monitoring module is effective at spotting rogues, but those not within the surveillance coverage range may escape undetected. In addition, it is conceivable that there might be no wireless network in a company. As a result, there is no AP or wireless extender available. Therefore, the ideal method of detecting such rogue APs is to use a central console attached to the wired side of the network for monitoring. Another benefit of central-point detection is that it alleviates the need to walk through the facilities in case of incomplete coverage. It can be regarded as a complement to the wireless monitoring module. In the following, we elaborate some novel techniques for finding potential rogue APs from the wired side of the network.

1) Port 80 Detection: Most commodity AP products enable port 80 (HTTP) in order to let management personnel log in. Thus, a simple but efficient method to detect the existence of a rogue AP is to trap it into responding to queries. In our centralized detection module, a port 80 scanning program runs on the console that is connected to the gateway router. The port scan program can identify enabled TCP ports on the various devices connected to the wired network. To be specific, it uncovers all port 80 (HTTP) interfaces on the network, which includes all Web servers and all APs. Even if a rogue AP's port 80 interface is disabled or protected by a username and password, it will generally respond to the port scanner's ping with the vendor name and its corresponding IP address. After obtaining this information, it is compared with the stored data of the authorized APs. Any mismatch will trigger a security alert to the system administrator. With the IP address of a suspected AP, it is possible to determine its physical location via router table entries.

There are two extra advantages to carrying out the port 80 scan from the wired side of the local network compared to the wireless side. Firstly, there is much more available bandwidth than on the wireless links. Secondly, it is more "passive" than sending out queries via wireless broadcasting because the query traffic is more invisible inside wired communications. One example of such a port scanning tool is SuperScan [30], which is freely available on the Internet.
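The probe-response check against the authorized-AP table with location verification (Section III-A3a) and the wired-side port 80 inventory comparison (Section III-B1), as one added example that is not from the paper. The authorized table, the switch and router tables used to localize a suspect, the vendor strings, the RSSI tolerance and the list of known web servers are constructed assumptions of this example.

```python
"""Rogue AP verdicts from probe responses and a wired port 80 scan (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed authorized-AP table: MAC, SSID, working channel, vendor, plus the
# location data (nearest extender, typical RSSI) and the AP's wired IP address.
AUTHORIZED_APS = {
    "00:11:22:ff:00:01": dict(ssid="cs-wlan", channel=1, vendor="VendorX",
                              ext="ext-a", rssi=-45, ip="10.0.0.2"),
    "00:11:22:ff:00:02": dict(ssid="cs-wlan", channel=6, vendor="VendorX",
                              ext="ext-b", rssi=-50, ip="10.0.0.3"),
}
UNREGISTERED_MACS = {"de:ad:be:ef:00:01"}   # stored earlier by the preemption engine
KNOWN_WEB_SERVERS = {"10.0.0.10"}           # legitimate hosts that also answer on port 80
SWITCH_TABLE = {"de:ad:be:ef:00:01": "sw1/12", "ca:fe:00:00:00:09": "sw2/7"}  # MAC -> switch port
ROUTER_TABLE = {"10.0.0.2": "sw1/1", "10.0.0.3": "sw1/2", "10.0.0.40": "sw2/7"}  # IP -> switch port
RSSI_TOLERANCE_DB = 10                      # assumed tolerance around the typical RSSI


@dataclass(frozen=True)
class ProbeResponse:
    mac: str
    ssid: Optional[str]   # the SSID may be absent from a probe response
    channel: int
    vendor: str           # derived from the OUI of the MAC (assumption)
    ext: str              # extender that heard the response
    rssi: int


def classify_probe_response(r: ProbeResponse) -> Tuple[str, str]:
    """Return (verdict, action) for one probe response heard by the DDM."""
    auth = AUTHORIZED_APS.get(r.mac)
    if auth is None:
        # Not in the authorization list: rogue. A match with a MAC stored as
        # unregistered during the integrity checks confirms the verdict.
        reason = ("matches-unregistered-mac" if r.mac in UNREGISTERED_MACS
                  else "not-in-authorized-list")
        return "rogue:" + reason, "close-switch-port:" + SWITCH_TABLE.get(r.mac, "unknown")
    # Legitimate MAC announced: compare the remaining table fields (SSID only
    # when present), then the localization against the MAC-to-location data.
    if ((r.ssid is not None and r.ssid != auth["ssid"])
            or r.channel != auth["channel"] or r.vendor != auth["vendor"]):
        return "rogue:attribute-mismatch", "investigate"
    if r.ext != auth["ext"] or abs(r.rssi - auth["rssi"]) > RSSI_TOLERANCE_DB:
        return "rogue:location-mismatch", "investigate"   # spoofed MAC/SSID
    return "authorized", "none"


def check_wired_scan(scan: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Port 80 scan results (ip, vendor banner) versus stored authorized AP data.

    Returns (ip, vendor, switch port) for every responder that is neither an
    authorized AP with the expected vendor nor a known web server.
    """
    expected = {a["ip"]: a["vendor"] for a in AUTHORIZED_APS.values()}
    alerts = []
    for ip, vendor in scan:
        if ip in KNOWN_WEB_SERVERS:
            continue
        if expected.get(ip) != vendor:
            alerts.append((ip, vendor, ROUTER_TABLE.get(ip, "unknown")))
    return alerts


# Constructed inputs: four probe responses and one wired scan result set.
CONSTRUCTED_RESPONSES = [
    ProbeResponse("00:11:22:ff:00:01", "cs-wlan", 1, "VendorX", "ext-a", -48),    # AP a
    ProbeResponse("de:ad:be:ef:00:01", "FreeWiFi", 11, "VendorZ", "ext-b", -60),  # seen before as unregistered
    ProbeResponse("ca:fe:00:00:00:09", None, 6, "VendorY", "ext-a", -70),         # unknown, no SSID
    ProbeResponse("00:11:22:ff:00:02", "cs-wlan", 6, "VendorX", "ext-a", -80),    # AP b's MAC, wrong place
]
CONSTRUCTED_SCAN = [("10.0.0.2", "VendorX"), ("10.0.0.3", "VendorX"),
                    ("10.0.0.10", "nginx"), ("10.0.0.40", "VendorZ")]

if __name__ == "__main__":
    for r in CONSTRUCTED_RESPONSES:
        print(r.mac, *classify_probe_response(r))
    print(check_wired_scan(CONSTRUCTED_SCAN))
```

The fourth response illustrates the spoofing case: the MAC and SSID are those of AP b, so only the location data (heard at the wrong extender, far weaker than the typical RSSI) exposes it.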
[Fig. 2. A typical Wi-Fi network scenario: AP a & b, and wireless range extender a & b compose the Distributed Detection Module. Labelled elements: Gateway Router hosting the Centralized Detection Module; NAT Box; Client A, Client B, Attacker; AP a, AP b; Wireless Range Extender a, Wireless Range Extender b; Rogue Client; Rogue AP; Wired Clients.]

2) Socket Level Wireless Traffic Detection: The port 80 scan will fail if a rogue AP does not have the port 80 HTTP service enabled. Consequently, it is necessary to scrutinize at a finer granularity so as to discover the rogue APs. A fairly effective approach is to conduct socket-level TCP/UDP traffic inspection. It is important to notice that we adopt socket-level traffic examination instead of the popular IP address based method. Since we consider wireless networks that are behind network address translation (NAT) boxes, hosts may use either Ethernet or WLAN to connect to a NAT box. All traffic through a NAT box will have the IP and MAC address of the NAT box. As a result, the traffic features reflected at the IP level are no longer wireless-unique, which makes the IP address scanning based schemes [11], [15] insufficient. Thus, it is necessary to pin down the wireless links via socket-level traffic inspection.
The socket level inspection is grounded on the concept [10]. Yet, the coverage can be greatly improved with the par-
that wireless links uses a contention based MAC protocol to ticipation of multiple APs (e.g., AP a and b in Fig. 2) and the
access the shared link, which naturally causes a longer random utilization of standard wireless range extenders (e.g., ranger
delay. Therefore, wireless links cause more random temporally extender a and b in Fig. 2). These extenders can currently be
different spreading of packets as compared to wired links. purchased for less than US $80 from online retailers. Based on
Parameters such as packet inter-arrival (or inter-departure) the specifications of an off-the-shelf extender (e.g., the Belkin
time, round trip time (RTT), and etc., can be employed to F5D7132), it can scan all working channels of 802.11b and
identify wireless links as what is done at the IP level. In 802.11g with a working range up to 457.2 meters.
addition, some of the above features are also applicable for
Still, it is possible that neither APs nor extenders can pickup
UDP traffic.
the wireless signals sent by a customized wireless antenna that
Here, we adopt the inter-packet spacing, which is the
can limit its signal inside a very small area. Subsequently, the
spreading of packets, to differentiate wireless links from wired
task of identifying a wireless link falls upon the centralized
links. In general, the inter-packet of a wireless link is greater
wired end detection module (located at the gateway router in
than that of a wired link. To be specific, when two back-
Fig. 2).
to-back packets are sent on a perfect wireless channel, the
inter-departure time of the packet pair is uniformly distributed
B. Attack Prevention by DDM
between 500 μs and 1130 μs, with a median of 810 μs
[15]. Although an Ethernet connection uses shared media, For example, in order to launch a dictionary attack on the
the randomness caused by the shared media in Ethernet is shared key used in a WEP or a WPA-PSK enabled network,
negligible compared to the one in a wireless network because an attacker in Fig. 2 needs to capture the four authentication
of its high bandwidth and ability to detect collisions. Thus, frames exchanged between the client B and the AP b. To do
a link is labeled as wireless if its corresponding socket level this, the attacker needs to send out a spoofed deauthentication
traffic shows the above pattern in packet inter-departure time. message to client B to force the client to re-authenticate to the
AP. After capturing authentication frames, the hash of each
IV. A NALYSIS word in a dictionary is compared to the hashed passphrase
In practice, most of the Wi-Fi networks are behind a NAT used during the handshake. Of course, if the passphrase is
box due to the lack of IPv4 addresses. As a result, all traffic strong enough (i.e., not located in the dictionary), this attack
that go through a NAT box have the same IP/MAC address fails.
(i.e., the IP/MAC address of the NAT box). Considering these In this case, the preemption engine of DDM will detect the
characteristics, we illustrate an example Wi-Fi network that is fake deauthentication message and instruct the AP to refuse
protected by our framework in Fig. 2. The detailed analysis performing the authentication process with the client. Thus,
of the proposed framework based on this example network is the attacker is prevented from capturing the frames needed to
described in the following subsections. launch a brute-force attack on the key.
By preempting intruders that could reveal the secret network
A. Coverage of DDM key, we prevent the creation of Class 4 rogue APs. Neverthe-
Some research argues that monitoring a network from less, there are some cases where an attacker might get away
devices such as APs cannot provide comprehensive coverage unnoticed by our preemption system. For example, the attacker


might choose to employ the passive listening techniques described in [17]. The attacker could also track legitimate MAC addresses for use at a later time. Once the attacker has acquired the secret key, the MAC address of a legitimate but currently absent client can be used. Since these types of activities may escape our checking functionalities, the rogue AP detection capabilities are introduced in the next subsection.

C. Rogue Device Discovery

1) Why Does the AP Probing Work?: There is a common misconception that disabling the “Broadcast SSID” option in an AP hides the SSID, and that a rogue AP configured this way is therefore able to escape AP probing. In reality, disabling this feature only makes the AP transmit a null (zero-length) SSID in beacon frames and probe responses instead of the actual SSID. There are still several other frames (e.g., probe requests, association requests, and reassociation requests) that carry the SSID. Hence, it is impossible to keep an SSID value secret without manually reconfiguring device drivers or hardware to violate the 802.11 standard.

In addition to regular rogue devices, AP probing also handles extreme cases where rogue APs have had their driver and/or firmware modified in such a way that neither beacon frames nor probe response frames are transmitted. In such cases there is no MAC address information available from which to draw a conclusion. Nevertheless, a disassociation message can be sent from AP b to the rogue client of the rogue AP in Fig. 2 based on the information collected by the wireless frame collector. When the rogue client sends out a reassociation request, the MAC address and SSID of the rogue AP will be disclosed.

Note that the above technique can thwart an adversary of a strength that has never been assumed before. In particular, other work such as [9] and [10] assumes that an attacker does not have the ability to violate characteristics of the 802.11 standard. Although this assumption is reasonable in many cases, the protection of any system based on it can be undermined. Our framework does not place this limitation on the capabilities of the adversary. Hence, it is able to provide both robust and comprehensive protection from rogue APs.

2) Pitfalls in the Compromised AP Detection Engine: We make a note of the following caveat in the compromised AP detection unit proposed in Subsection III-A3b. There are some rare cases where the proposed fingerprinting techniques should not be applied. For instance, a registered MAC address could belong to a PCMCIA card that is used by different laptops. If these computers are running different operating systems, false positives could be generated. Similarly, there are some cases where a card is used by a machine that can boot into multiple operating systems. It is also possible for a sophisticated attacker to defeat fingerprinting tools by modifying the characteristics of the TCP/IP traffic (e.g., ISNs, initial window sizes, and options) and the driver behaviors on which they base their identifications. A freely available tool that performs such functions is IP Personality [31].

D. Remarks

This framework is a marriage of the distributed wireless media monitoring module and the centralized wireless rogue equipment detection module. The former module plays the more important role in the framework in that it identifies rogue APs and preempts possible attacks by directly measuring ongoing wireless communications. The latter works as a necessary complement to the former.

In these two modules, several novel techniques are introduced to detect and prevent the existence of rogue APs. A complete classification of these methods and the security threats they mitigate is listed in Table II. Although some of the techniques have been vetted in the literature, the elegance and comprehensiveness of such a hybrid approach to rogue AP protection have never been achieved before. Moreover, powered by the idea of pinning down to socket level traffic feature recognition, our framework achieves the highest rogue detection granularity among the existing schemes. Lastly, it has been shown in the above analysis that the proposed framework is capable of discovering rogue devices with a high probability and a low overhead.

V. EMPIRICAL EVALUATION

The focus of our evaluation is on the detection and prevention of compromised APs because they are the most insidious rogue APs. We follow two approaches. The first uses network traces gathered from multiple monitoring points at the 2004 SIGCOMM conference [32] to examine compromised AP detection techniques (e.g., the fingerprints of wireless clients). The second employs controlled real experiments to evaluate the preemption engine.

A. Trace-Based Study

The widely used SIGCOMM conference trace [32] was collected using standard wireless cards in monitor mode with tcpdump-like tools over a span of 5 days. For privacy reasons, IP and MAC addresses are anonymized consistently throughout the entire trace (i.e., there is a unique one-to-one mapping between addresses and anonymous “marks”). Thus, each user is uniquely identified by its anonymous mark.

Using the aforementioned trace, we evaluate the user-specific traffic fingerprinting techniques proposed in Subsection III-A3b. The preferred OS, rate adaptation scheme, and user location are not evaluated due to the lack of ground truth. A number of training samples are required to build an Internet traffic (e.g., <IP address, port number>) profile for a particular user. The training period may vary depending on the networking activities of the user. According to Ref. [33], a one day span of training samples is enough to profile a large percentage (70%-100%) of users in this trace. Therefore, the remainder of the trace (about 4 days) is used as validation data in our study.² To simulate the effect of a compromised AP with an unauthorized user connected to it that spoofs the

² We exclude users that are not present in either the training or the validation samples.

identity of a legitimate user A, the validation samples from users other than A are classified based on A’s profile using the Bayesian approach [34].

The two metrics that we employ to evaluate the performance of our proposed fingerprinting techniques are as follows:
• The true positive rate (TPR) refers to the percentage of validation data that user A does not generate but which we correctly classify as unauthorized users.
• The false positive rate (FPR) refers to the percentage of validation data that user A generates but which we incorrectly classify as unauthorized users.

We detail our evaluation results below. The relation between the mean TPR and the mean FPR, also known as the receiver operating characteristic (ROC) curve, is plotted in Fig. 3(a). For reference, the dotted line x = y represents the performance of random guessing. The proposed techniques clearly achieve a high accuracy in terms of unauthorized user detection on average. For example, the mean TPR reaches over 80% when the mean FPR is 0.05. This high average accuracy is partly due to the rich diversity among the attendees of the conference. A large portion of the attendees come from different universities, and therefore become distinguishable when accessing their school web and email servers. Additionally, the complementary cumulative distribution function (CCDF) of the TPR when the FPR is fixed at 0.05 is shown in Fig. 3(b). We see that over 60% of unauthorized users can be identified at a TPR that is at least 95% on average.

[Fig. 3. TPR and FPR Measurements. (a) Mean TPR vs. FPR: ROC curve of the traffic fingerprints, mean true positive rate against mean false positive rate (log scale, 1e-04 to 1e+00), with the dotted line x = y. (b) The CCDF of TPR at FPR = 0.05: fraction of users with TPR > x against true positive rate.]

B. Experimental Study

Since link-layer encryption is not employed by the SIGCOMM network, there is no attack targeting AP compromise that can be used to evaluate our proposed preemption techniques. Therefore, we used controlled real experiments conducted in a real campus setting. We describe our experiment setup, methodology, and results in the subsections that follow.

1) Setup: The prototype rogue AP preemption engine runs on a Dell desktop (Intel Pentium IV 3.2 GHz, with 1.5 GBytes of memory) running Linux 2.6.20, and equipped with two wireless interfaces. One is an external Trendnet TEW-443PI PCI card (Atheros AR2414a chipset) using the MadWifi [35] driver. Enabled by the MadWifi driver, this interface functions as a normal AP. The other interface is an external Linksys WMP54G PCI card, which serves as the host for all the rogue AP detection modules including the preemption engine. The prototype preemption engine employs open source programs such as Kismet [36] and Nmap [23].

The attacker is a Dell laptop with a number of wireless surveillance and hacking tools, such as Kismet and Aircrack [37] respectively, installed. Therefore, this laptop is capable of launching various attacks that include management frame forgery (e.g., deauthentication flooding and fake authentication), ARP request injection [19], fragmentation attack [37], and Monkey-Jack attack [38]. We arrange for the attacker to launch the above attacks at various times and locations.

2) Methodology: Experiments are done during weekends when the offices are empty in order to minimize the impact of external factors such as traffic from other APs or client devices. Our setup completely separates normal AP functionalities from the rogue AP detection modules. As a result, it is easy for us to debug. The machines are tested to ensure that packet collection (i.e., “logging”) and processing do not degrade the performance of the wireless network or inadvertently impact the results of the experiment. We have more control over the system compared to commodity AP products because a software programmable AP is constructed using widely available devices that are reasonably priced. We also adopt open source programs to greatly reduce development costs.

3) Results: Our logged records show that the preemption engine reliably detects all the arranged attacking activities (i.e., it has 100% recall). To be specific, each attack is identified and recorded in log files, and each record matches the attack’s scheduled time and date. However, our preemption engine generates a few false positives in the presence of external users. This phenomenon occurs when an external client device tries to probe and connect to our AP, even without malicious intent, and is therefore mistakenly labeled as suspicious. Since the external client does not have the necessary credentials to associate with our AP, it repeatedly probes/queries the AP. These activities are indicators of wireless reconnaissance, which is an essential step that precedes many attacks.

In order to measure the storage overhead of the data collected in the distributed detection module, we conduct a test using the Wi-Fi network (802.11 b/g compatible) of the Department of Computer Science at The George Washington University. There are about 20 to 30 users active each day. A monitor machine is placed near an AP to capture wireless frames. The capture process lasts for two weeks. The average data collected per day per AP is approximately 1 Gigabyte. Therefore, by recycling the collected data every week, the storage overhead can be limited to about 7 Gigabytes per AP. This is a reasonable overhead for even low-end computing equipment.
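The socket level inter-packet spacing test of Subsection III-B (Socket Level Wireless Traffic Detection), worked as an added example that is not code from the paper: flows leaving one NAT box are grouped by socket 5-tuple rather than by IP address, and a socket is labeled wireless when its back-to-back inter-departure times match the 500–1130 μs band with a median near 810 μs that the paper takes from [15]. The decision thresholds, the sample packets, and the addresses are assumptions of this example.

```python
"""Socket-level wireless link detection from inter-packet spacing (added example)."""
from collections import defaultdict
from statistics import median

# Pattern the paper adopts from [15]: the inter-departure time of a
# back-to-back packet pair on a perfect wireless channel is uniformly
# distributed between 500 us and 1130 us, with a median of 810 us.
WIRELESS_MIN_US, WIRELESS_MAX_US, WIRELESS_MEDIAN_US = 500, 1130, 810
# Thresholds below are assumptions of this example, not values from the paper.
MEDIAN_TOLERANCE_US = 150   # allowed drift of the observed median
BACK_TO_BACK_MAX_US = 5000  # larger gaps are idle time, not a packet pair
MIN_PAIRS = 5               # minimum evidence before labelling a socket
IN_BAND_FRACTION = 0.8      # share of gaps that must fall inside the band


def socket_key(pkt):
    """Group by socket (5-tuple) rather than by IP address: behind a NAT box
    every host shares the NAT's IP and MAC, so only the socket level
    separates one host's flow from another's."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])


def inter_departure_times(packets):
    """Per-socket list of gaps (in us) between consecutive packets that were
    sent back-to-back, i.e. close enough to expose MAC-layer contention delay."""
    stamps = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p["ts_us"]):
        stamps[socket_key(pkt)].append(pkt["ts_us"])
    return {key: [b - a for a, b in zip(ts, ts[1:]) if b - a <= BACK_TO_BACK_MAX_US]
            for key, ts in stamps.items()}


def classify_link(gaps):
    """Label one socket 'wireless', 'wired' or 'unknown' from its gap list."""
    if len(gaps) < MIN_PAIRS:
        return "unknown"
    in_band = sum(WIRELESS_MIN_US <= g <= WIRELESS_MAX_US for g in gaps) / len(gaps)
    median_ok = abs(median(gaps) - WIRELESS_MEDIAN_US) <= MEDIAN_TOLERANCE_US
    return "wireless" if in_band >= IN_BAND_FRACTION and median_ok else "wired"


def classify_sockets(packets):
    """Map every observed socket to its link label."""
    return {key: classify_link(gaps) for key, gaps in inter_departure_times(packets).items()}


# Constructed sample: three flows leaving one NAT box (203.0.113.10), as seen
# by the centralized detection module at the gateway router.
NAT_IP, SERVER_IP = "203.0.113.10", "198.51.100.5"
WIRELESS_SOCKET = (NAT_IP, 40001, SERVER_IP, 80, "tcp")
WIRED_SOCKET = (NAT_IP, 40002, SERVER_IP, 443, "tcp")
SHORT_SOCKET = (NAT_IP, 40003, SERVER_IP, 53, "udp")


def sample_packets():
    def flow(key, start, gaps):
        pkts, t = [], start
        for g in [0] + gaps:
            t += g
            pkts.append({"src": key[0], "sport": key[1], "dst": key[2],
                         "dport": key[3], "proto": key[4], "ts_us": t})
        return pkts
    # Wireless host: contention-shaped gaps, with one idle period that is ignored.
    wl = flow(WIRELESS_SOCKET, 1_000_000, [610, 905, 750, 2_000_000, 1050, 820, 700, 980])
    # Wired host: Ethernet back-to-back gaps are tens of microseconds.
    wd = flow(WIRED_SOCKET, 1_000_500, [12, 15, 9, 20, 11, 14])
    # Too few packets to decide.
    sh = flow(SHORT_SOCKET, 1_003_000, [30])
    return wl + wd + sh


if __name__ == "__main__":
    for key, label in classify_sockets(sample_packets()).items():
        print(key, "->", label)
```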
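One added example, not the authors' code, serving both Subsection IV-B (the preemption engine spotting a spoofed deauthentication) and Subsection IV-C.1 (SSID and BSSID disclosure through reassociation requests): a minimal parser for 802.11 management frames as the DDM wireless frame collector would capture them in monitor mode, with the two checks layered on top. The frame bytes, the locally administered addresses, and the AP send log used as ground truth are constructed assumptions.

```python
"""802.11 management frame parsing for a DDM wireless frame collector (added example)."""
import struct

# Management frame (type 0) subtypes defined by the 802.11 standard.
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON, DEAUTH = 0, 2, 4, 5, 8, 12
SSID_IE = 0  # element ID of the SSID information element
# Bytes of fixed fields that precede the information elements in the body.
FIXED_LEN = {ASSOC_REQ: 4, REASSOC_REQ: 10, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_frame(raw):
    """Decode the 24-byte MAC header plus the body fields the checks rely on."""
    if len(raw) < 24:
        raise ValueError("truncated header")
    if raw[0] & 0x0C:  # frame-control type bits must be 00 (management)
        raise ValueError("not a management frame")
    subtype = raw[0] >> 4
    frame = {"subtype": subtype, "da": mac_str(raw[4:10]),
             "sa": mac_str(raw[10:16]), "bssid": mac_str(raw[16:22])}
    body = raw[24:]
    if subtype == DEAUTH:
        frame["reason"] = struct.unpack("<H", body[:2])[0]
        return frame
    if subtype == REASSOC_REQ:
        frame["current_ap"] = mac_str(body[4:10])  # AP the client is leaving
    ies = body[FIXED_LEN.get(subtype, 0):]
    while len(ies) >= 2:
        eid, elen = ies[0], ies[1]
        if len(ies) < 2 + elen:
            break  # malformed element: stop rather than over-read
        if eid == SSID_IE:
            frame["ssid"] = ies[2:2 + elen].decode("utf-8", "replace")
        ies = ies[2 + elen:]
    return frame


def is_spoofed_deauth(frame, managed_bssids, ap_sent_deauths):
    """Preemption engine check: a deauthentication naming one of our APs as
    sender that the AP itself never transmitted is a forged management frame.
    ap_sent_deauths is the co-hosted AP's own send log of (sa, da) pairs."""
    return (frame["subtype"] == DEAUTH and frame["sa"] in managed_bssids
            and (frame["sa"], frame["da"]) not in ap_sent_deauths)


def disclosed_ssids(frames):
    """(BSSID, SSID) pairs revealed by client-side frames even when the AP
    hides its SSID in beacons: the 'Broadcast SSID' misconception."""
    return {(f["bssid"], f["ssid"]) for f in frames
            if f["subtype"] in (ASSOC_REQ, REASSOC_REQ, PROBE_REQ) and f.get("ssid")}


# Constructed frames; addresses are locally administered and hypothetical.
AP_B, CLIENT_B = b"\x02\x00\x00\x00\x00\x0b", b"\x02\x00\x00\x00\x00\x1b"
ROGUE_AP, ROGUE_CLIENT = b"\x02\x00\x00\x00\x00\xee", b"\x02\x00\x00\x00\x00\xef"


def build_frame(subtype, da, sa, bssid, body):
    # frame control (subtype << 4, flags 0), duration, DA, SA, BSSID, sequence control
    return bytes([subtype << 4, 0, 0, 0]) + da + sa + bssid + b"\x00\x00" + body


def sample_frames():
    ssid_ie = lambda name: bytes([SSID_IE, len(name)]) + name
    return [
        # forged deauth: attacker names AP b as sender, reason code 7
        build_frame(DEAUTH, CLIENT_B, AP_B, AP_B, struct.pack("<H", 7)),
        # rogue AP beacon carrying a null SSID (hidden network)
        build_frame(BEACON, b"\xff" * 6, ROGUE_AP, ROGUE_AP, b"\x00" * 12 + ssid_ie(b"")),
        # rogue client reassociating to the rogue AP: SSID and BSSID disclosed
        build_frame(REASSOC_REQ, ROGUE_AP, ROGUE_CLIENT, ROGUE_AP,
                    b"\x00" * 4 + ROGUE_AP + ssid_ie(b"hidden-net")),
    ]
```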


VI. CONCLUSION

In this paper, we develop a practical hybrid framework that targets both preempting attacks that can create rogue APs and detecting the presence of such devices when they exist. It is the first framework that correlates alerts containing all data from both wired scans and wireless surveillance. An attractive feature of the proposed framework is that it requires neither specialized hardware nor modification to existing security standards. Further, it can be connected to or implemented on APs as small plugins. It also makes use of freely available mature software in order to provide a cost-effective security solution. Lastly, it can protect networks from rogue APs even when assuming that adversaries have the ability to use customized equipment that violates the IEEE 802.11 standard. Our framework is the first one that can successfully protect the network under that assumption.

As a part of our future work, we plan to evaluate the proposed framework in a more open environment, where there is more background “noise” that may cause false positives. Additionally, we anticipate the inclusion of new features for the framework that can further improve its network protection abilities. One such feature is a proactive honeypot function that can be used to better preempt various attacks.

ACKNOWLEDGMENT

This research was supported by the US National Science Foundation under grant CCF-0627322.

REFERENCES

[1] L. Ma, A. Y. Teymorian, X. Cheng, and M. Song, “RAP: Protecting commodity wi-fi networks from rogue access points,” in QShine ’07: Proceedings of the 4th international conference on Quality of service in heterogeneous wired/wireless networks, 2007.
[2] “Gartner advises on security.” [Online]. Available: [Link] about/press releases/2001/[Link]
[3] S. R. Fluhrer, I. Mantin, and A. Shamir, “Weaknesses in the key scheduling algorithm of RC4,” in SAC ’01: Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography. London, UK: Springer-Verlag, 2001, pp. 1–24.
[4] N. Borisov, I. Goldberg, and D. Wagner, “Intercepting mobile communications: the insecurity of 802.11,” in MobiCom ’01, 2001, pp. 180–189.
[5] N. Cam-Winget, R. Housley, D. Wagner, and J. Walker, “Security flaws in 802.11 data link protocols,” Commun. ACM, vol. 46, no. 5, pp. 35–39, 2003.
[6] “AirDefense enterprise: a wireless intrusion prevention system.” [Online]. Available: [Link]
[7] “AirMagnet: Enterprise WLAN management.” [Online]. Available: [Link]
[8] “Airwave: Wireless network management.” [Online]. Available: [Link]
[9] A. Adya, P. Bahl, R. Chandra, and L. Qiu, “Architecture and techniques for diagnosing faults in IEEE 802.11 infrastructure networks,” in MobiCom ’04, 2004, pp. 30–44.
[10] P. Bahl, R. Chandra, J. Padhye, L. Ravindranath, M. Singh, A. Wolman, and B. Zill, “Enhancing the security of corporate wi-fi networks using DAIR,” in MobiSys 2006: Proceedings of the 4th international conference on Mobile systems, applications and services. New York, NY, USA: ACM Press, 2006, pp. 1–14.
[11] R. Beyah, S. Kangude, G. Yu, B. Strickland, and J. Copeland, “Rogue access point detection using temporal traffic characteristics,” in GLOBECOM, 2004.
[12] S. Shetty, M. Song, and L. Ma, “Rogue access point detection by analyzing network traffic characteristics,” in MILCOM, Orlando, Florida, October 2007.
[13] M. K. Chirumamilla and B. Ramamurthy, “Agent based intrusion detection and response system for wireless LANs,” in ICC ’03: IEEE International Conference on Communications, 2003, pp. 492–496.
[14] J. Yeo, M. Youssef, and A. Agrawala, “A framework for wireless LAN monitoring and its applications,” in WiSe ’04: Proceedings of the 2004 ACM workshop on Wireless security. New York, NY, USA: ACM Press, 2004, pp. 70–79.
[15] W. Wei, K. Suh, B. Wang, Y. Gu, J. Kurose, and D. Towsley, “Passive online rogue access point detection using sequential hypothesis testing with TCP ACK-pairs,” in IMC ’07: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement. New York, NY, USA: ACM, 2007, pp. 365–378.
[16] H. Yin, G. Chen, and J. Wang, “Detecting protected layer-3 rogue APs,” in IEEE BROADNETS ’07: Fourth Annual International Conference on Broadband Networks, 2007.
[17] L. Ma, A. Y. Teymorian, and X. Cheng, “Passive listening and intrusion management in commodity wi-fi networks,” in GLOBECOM, 2007.
[18] P. Mateti, “Hacking techniques in wireless networks.” [Online]. Available: [Link] Lectures/WirelessHacks/[Link]
[19] “ARP request replay attack.” [Online]. Available: [Link] [Link]/[Link]?id=arp-request reinjection
[20] Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. T. King, “Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities,” in NDSS, 2006.
[21] “Honeyclient project.” [Online]. Available: [Link]
[22] M. A. Maloof, Machine Learning and Data Mining for Computer Security: Methods and Applications (Advanced Information and Knowledge Processing). Secaucus, NJ, USA: Springer-Verlag New York, Inc., 2005.
[23] “Nmap network security scanner.” [Online]. Available: [Link]
[24] “p0f: a versatile passive OS fingerprinting tool.” [Online]. Available: [Link]
[25] J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J. V. Randwyk, and D. Sicker, “Passive data link layer 802.11 wireless device driver fingerprinting,” in USENIX-SS ’06: Proceedings of the 15th conference on USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, 2006, pp. 12–12.
[26] A. Kamerman and L. Monteban, “WaveLAN-II: A high-performance wireless LAN for the unlicensed band,” Bell Labs Technical Journal, 1997.
[27] J. Bicket, “Bit-rate selection in wireless networks,” Master’s thesis, Massachusetts Institute of Technology, 2005.
[28] C. Corbett, R. Beyah, and J. Copeland, “Passive classification of wireless NICs during rate switching,” EURASIP J. Wirel. Commun. Netw., to appear.
[29] N. Patwari and S. K. Kasera, “Robust location distinction using temporal link signatures,” in MobiCom ’07, 2007, pp. 111–122.
[30] “Powerful TCP port scanner, pinger, resolver.” [Online]. Available: [Link]
[31] “IP personality: a netfilter module to change characteristics of network traffic.” [Online]. Available: [Link]
[32] M. Rodrig, C. Reis, R. Mahajan, D. Wetherall, J. Zahorjan, and E. Lazowska, “CRAWDAD data set uw/sigcomm2004 (v. 2006-10-17),” downloaded from [Link], Oct. 2006.
[33] J. Pang, B. Greenstein, R. Gummadi, S. Seshan, and D. Wetherall, “802.11 user fingerprinting,” in MobiCom ’07, 2007, pp. 99–110.
[34] A. W. Moore and D. Zuev, “Internet traffic classification using Bayesian analysis techniques,” in SIGMETRICS ’05. New York, NY, USA: ACM, 2005, pp. 50–60.
[35] “MadWifi WLAN device driver.” [Online]. Available: [Link]
[36] “Kismet: an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.” [Online]. Available: [Link]
[37] “Aircrack-ng: an 802.11 WEP and WPA-PSK keys cracking program.” [Online]. Available: [Link]
[38] “Advanced 802.11 attack: Black Hat 2002.” [Online]. Available: [Link] [Link]
