International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367 (Print), ISSN 0976-6375 (Online), Volume 4, Issue 2, March-April (2013), pp. 493-499, IAEME: www.iaeme.com/ijcet.asp, Journal Impact Factor (2013): 6.1302 (Calculated by GISI), www.jifactor.com

A SURVEY ON EVIL TWIN DETECTION METHODS FOR WIRELESS LOCAL AREA NETWORK
Sachin R. Sonawane 1, Sandeep Vanjale 2, Dr. P. B. Mane 3

1 (MTECH COMPUTER, BVDUCOE, Pune, Maharashtra, India)
2 (Professor, PhD Student, BVDUCOE, Pune, Maharashtra, India)
3 (Professor, AISSMS IOIT, Pune, Maharashtra, India)

ABSTRACT

Wireless access points are popularly used today for the convenience of mobile users. The growing acceptance of wireless local area networks (WLAN) has introduced different risks of wireless security attacks. The presence of Evil access points is one of the most challenging network security concerns for network administrators. Evil access points, if undetected, can steal sensitive information on the network. Most of the current solutions to detect Evil access points are not automated and are dependent on a specific wireless technology. The Evil access point is one of the serious threats in wireless local area networks. In this paper we present a survey of recent Evil Twin access point detection solutions.

Keywords: RAP, WLAN, RSSI

1. INTRODUCTION

WLAN security technology has major use in many fields. Wireless LAN has a wide range of applications due to its flexibility and easy access. The use of public Wi-Fi has reached a level that is difficult to avoid. According to a poll conducted on Kaspersky's global Facebook pages, 32 percent of the more than 1600 respondents said that they use public Wi-Fi regardless of security concerns. The Kaspersky study [1] also found that about 70% of tablet users and 53% of mobile phone users use free public Wi-Fi hotspots to go online. According to the JiWire report of the past year [2], total Wi-Fi usage has doubled, increasing by more than 240% since Q2 2011. It also specifies that this rise is due to mobile devices, with laptops accounting for just 48% of the connected devices. Based on the above two survey results, greater educational awareness is needed. Public Wi-Fi
networks, such as those at coffee shops and airports, are open to users as well as to attackers who are looking for sensitive user data. Attackers can create an Evil Twin access point in such places to steal such data. The Evil Twin access point is one of the most serious threats in WLAN.

2. BACKGROUND

2.1 Wireless Local Area Network

Wireless local area networks are nowadays the easiest solution for interconnecting mobile devices such as tablets, mobile phones and PDAs. As the wireless arena is growing rapidly, users find it very convenient to use these devices to check mail, browse the internet, etc. Such free services are available to users through wireless networks present at public places like coffee shops and airports. There are two types of wireless networks. In the first network topology, each node can reach any other node using radio relay systems with a large range; this topology does not use routing protocols. The second network topology deploys radio relay systems like the first, but each node has a limited range, so a node uses other nodes to reach a node that is beyond its transmission range.

2.2 Evil Twin Attack in Wireless Network

Various security mechanisms are necessary in order to avoid threats against wireless networks. Different threats are present on the wireless network; one such serious threat is the Evil Twin access point. An Evil Twin attack is simple to set up, as illustrated in Fig. 1: an attacker can easily set up an Evil access point that copies the authorized access point used in a public Wi-Fi area, such as a coffee shop or airport. The attacker can place the Evil access point near the victims; the Evil access point can then attack the victim's wireless connection using different methods to force the victim to change the connection. Generally the Evil AP uses a stronger wireless signal than the authorized AP within range.
So the user's laptop or other device automatically connects to the AP with the highest RSSI. Once the user is connected to the Evil AP, the attacker can provide internet access by capturing network packets between the Evil AP and the authorized AP, and can steal sensitive information like passwords, ATM PINs, etc. In this way the Evil AP works as an Evil Twin AP between the victim and the authorized AP. The attacker can introduce more serious attacks like phishing. In short, the Evil Twin attack is a serious threat to WLAN security.

Figure 1. Evil Twin attack

2.3 Classification of Evil Twin Methods

Most of the existing Evil Twin detection methods are classified into two categories. The first is the network admin-side solution, which is further divided into two sub-categories. The first sub-category approach [3],[4],[5] monitors radio frequency airwaves, then collects some information at routers/switches, and finally compares this information with a known authorized list. The second sub-category approach [6],[7] monitors network traffic on the wired side, then decides whether a machine is using a wireless or wired connection, and finally compares the obtained information with an authorization list to find whether the related AP is an Evil Twin or not. The second category of solutions [8],[9] are client-side or user-side solutions. Such client approaches do not require an authorization list to compare the result. Instead they allow the user to detect the presence of an Evil Twin access point in the network and provide a means to avoid it.

2.4 Components of Evil Twin Detection Methods

Most Evil Twin detection methods have the following components:

i) Listening Component: This component monitors local events such as sending packets, receiving packets, checking the RSSI level, etc.
ii) Answering Component: This component is used when an Evil Twin AP is detected in the wireless network. It uses different alarm mechanisms to alert the network administrator about the Evil Twin attack.
iii) Storage Component: This component stores standard threshold values, which are compared with the obtained values to detect an Evil Twin attack. This component sometimes also stores the training data set, the different RSSI levels from all APs present in the network, etc.

2.5 Factors Affecting Evil Twin Access Point Detection

Different Evil Twin detection methods have different factors that affect the accuracy of attack detection.
Some of these factors are:

i) Wireless Traffic: The performance of the network can be analysed by measuring network traffic. The network traffic present in the wireless environment may sometimes lead to a false or inaccurate Evil Twin detection result [10]. Some methods make assumptions about the wireless traffic between the user and the AP and set up the Evil Twin AP under the conditions most favourable for avoiding detection, using idle traffic and good signal quality.
ii) AP's Workload: The network load present at the AP [10] may also affect the accuracy of Evil Twin detection. The AP's workload is based on the utilization of the AP's queue.
iii) Dependency on Training Data: In some methods Evil Twin detection is dependent on training data. In such methods the training data is compared with the obtained results, and the Evil Twin attack is detected based on that comparison.
iv) RSSI Level:
In some methods [11], detection of the Evil Twin attack is checked under different RSSI levels of the access point, so variations in RSSI level may also produce variations in the Evil Twin detection result.
v) Techniques used for Detection of Evil Twin: Different methods use various techniques for the detection of the Evil Twin attack, such as clock skew, RSSI level, etc. These different parameters have different rates of success for Evil Twin detection.

3. RELATED WORK

The threat of the Evil Twin AP has attracted both industrial and academic researchers to work on this problem, and several methods focus on it.

Hao Han and his colleagues used a timing-based scheme for Evil AP detection [10], a practical timing-based scheme that lets the user avoid connecting to an Evil AP. Their detection method uses timing information based on the round trip time (RTT). The idea is for the user to probe a server in the local area network and then measure the RTT from the response; this process is repeated a number of times and all RTTs are recorded. If the mean value of the RTTs is larger than a fixed threshold, the associated AP is considered an Evil AP. They consider four factors that influence the RTT: data transmission rate, location of the DNS server, wireless traffic and the AP's workload. They tested the accuracy of their technique under different scenarios for these four factors.

Taebeom Kim and his colleagues used received signal strengths (RSS) for the detection of fake access points [11]. They measure correlated RSS sequences from nearby APs in order to determine whether the sequences are legitimate or fake. This method works in three phases. In phase one they collect RSS from nearby APs. In phase two they normalize the collected RSSs: the method estimates missed RSSs caused by external factors and normalizes the estimated RSSs so that it generalizes to a variety of wireless environments.
In phase three they determine which RSSs are highly correlated with others based on an empirical threshold value. They define highly correlated RSS sequences as fake signals from a single device.

Qu and Nefcy presented a new indirect Evil Twin access point detection system [12]. They analyzed local round trip time (LRTT) data and designed a method with several algorithms for discovering wireless hosts effectively. Their work ranges from passively scanning or monitoring network traffic to host discovery and detecting a client-side solution for the Evil Twin access point.

Roth et al. presented simple assurance mechanisms that help users or clients to detect an Evil Twin in public Internet networks [13]. This method provides short authentication string protocols for exchanging cryptographic keys. The short string verification is performed by encoding the short strings as a sequence of colors, rendered sequentially by the user's device and by the designated access point.

Chao Yang and his colleagues used a statistical technique based on TCP packets, computing their inter-packet arrival time (IAT), to detect an Evil Twin AP [8]. If a client is connected to a remote server through an Evil Twin AP and a normal AP, that is a two-hop wireless channel; this gives the idea of detecting Evil Twin attacks by distinguishing one-hop from two-hop wireless channels between the user and the remote server. They use two algorithms. The first is Trained Mean Matching, which uses a training technique to detect the Evil Twin attack. The second algorithm is the Hop Differentiating Technique; it is a non-training-based detection algorithm in
which they use a particular theoretical value for the threshold to detect the Evil Twin attack. They tested this method under different RSSI levels for the accuracy of Evil Twin AP detection.

Monitoring RF waves and monitoring IP traffic are the two broad classes of approaches to detecting Evil APs. Most existing commercial products take the first approach: they either manually scan the RF waves using sniffers (e.g., AirMagnet, NetStumbler [3]) or automate the process using sensors. Automatic scanning using sensors is less time consuming than manual scanning and provides continuous vigilance against Evil APs. However, it may require a large number of sensors for good coverage, which leads to a high deployment cost. Furthermore, since it depends on signatures of APs (e.g., MAC address, SSID, etc.), it becomes ineffective when an Evil AP spoofs signatures.

Three recent research efforts [3, 4, 5] also use RF sensing to detect Evil APs. In [16], wireless clients are instrumented to collect information about nearby APs and send the information to a centralized server for Evil AP detection. First, this approach is not resilient to spoofing. Secondly, it assumes that Evil access points use standard beacon messages in IEEE 802.11 and respond to probes from the clients, which may not hold in practice. Last, all unknown APs (including those in neighbouring networks) are flagged as Evil APs, which may lead to a large number of false positives.

The main idea of [14] is to enable dense RF monitoring through wireless devices attached to desktop machines. This study improves upon [6] by providing more accurate and comprehensive Evil AP detection. However, it relies on proper operation of a large number of wireless devices, which can be difficult to manage. In contrast, our approach only requires a single monitoring point, and is easy to manage and maintain. The studies of [14,16] detect Evil APs by monitoring IP traffic.
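
The three-phase RSS correlation check attributed to Kim et al. [11] earlier in this section can be sketched as follows; this is an added example, not code from the paper or from the authors it surveys. Linear interpolation for missed readings, z-score normalization, Pearson correlation, the 0.9 threshold and the sample readings are all assumptions chosen for illustration, since the survey does not specify them.

```python
from itertools import combinations
from math import sqrt

def fill_missing(seq):
    """Phase 2a: estimate missed readings (None) by linear interpolation
    (assumed method); gaps at either end take the nearest observed value."""
    known = [i for i, v in enumerate(seq) if v is not None]
    if not known:
        raise ValueError("sequence has no RSS readings")
    filled = []
    for i, v in enumerate(seq):
        left = max((k for k in known if k <= i), default=None)
        right = min((k for k in known if k >= i), default=None)
        if left is None:
            filled.append(float(seq[right]))
        elif right is None:
            filled.append(float(seq[left]))
        elif left == right:          # reading was observed
            filled.append(float(v))
        else:                        # interpolate between the neighbours
            w = (i - left) / (right - left)
            filled.append(seq[left] + w * (seq[right] - seq[left]))
    return filled

def normalize(seq):
    """Phase 2b: z-score so APs with different absolute power are comparable."""
    mean = sum(seq) / len(seq)
    std = sqrt(sum((x - mean) ** 2 for x in seq) / len(seq))
    if std == 0:
        return [0.0] * len(seq)      # a flat sequence carries no correlation signal
    return [(x - mean) / std for x in seq]

def correlation(a, b):
    """Pearson correlation of two z-scored sequences of equal length."""
    return sum(x * y for x, y in zip(a, b)) / len(a)

def correlated_pairs(rss_by_bssid, threshold=0.9):
    """Phase 3: return (bssid_a, bssid_b, r) for every pair whose RSS
    sequences move together closely enough to suggest one transmitter."""
    if len({len(s) for s in rss_by_bssid.values()}) != 1:
        raise ValueError("all sequences must cover the same scan windows")
    norm = {b: normalize(fill_missing(s)) for b, s in rss_by_bssid.items()}
    flagged = []
    for a, b in combinations(sorted(norm), 2):
        r = correlation(norm[a], norm[b])
        if r >= threshold:
            flagged.append((a, b, round(r, 3)))
    return flagged

# Constructed sample: RSS in dBm over eight scan windows, None = missed reading.
SAMPLE_RSS = {
    "02:00:00:00:00:01": [-60, -62, -59, -61, -63, -60, -58, -61],   # AP at location 1
    "02:00:00:00:00:02": [-70, -68, -71, -69, -70, -72, -71, -69],   # AP at location 2
    "02:00:00:00:00:0a": [-45, -50, -55, -48, -42, -47, -53, -49],   # same radio as :0b
    "02:00:00:00:00:0b": [-47, -53, -57, None, -45, -49, -54, -51],
}

if __name__ == "__main__":
    for a, b, r in correlated_pairs(SAMPLE_RSS):
        print(f"{a} and {b} look like one device (r={r})")
```
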
The authors of [15] demonstrated from experiments in a local test bed that wired and wireless connections can be separated by visually inspecting the timing in the packet traces of traffic generated by the clients. The settings of their experiments are very restrictive. Furthermore, the visual inspection method cannot be carried out automatically. The technique in [16] requires segmenting large packets into smaller ones, and hence is not a passive approach.

There are several prior studies on determining connection types. However, none of them provides a passive online technique, as required for our scenario. The work of [17] uses an RTT method to detect the presence of a wireless device, but RTT may change due to delays in the network. In other studies, differentiating connection types is based on active measurements [17] or certain assumptions about wireless links (such as very low bandwidth and high loss rates) [15], which do not apply to our scenario.

4. ISSUES AND CHALLENGES

The effects of Evil Twin access points are present on both the wired and the wireless side of the network. Most of the research work carried out is based on data sources from audit trails, system calls and network traffic. There are two groups working on the problem of Evil Twin detection in different directions. The first group consists of industry solutions focusing on the wireless side only; the second group consists of academic researchers focused on the wired side. The successful wireless-side methods [] use sensors across the entire network to collect physical-layer and link-layer information to help detect and locate the Evil Twin AP in a distributed architecture. Though widely used across many enterprise WLANs, such sensor-based sniffing is costly. Moreover, the wireless method is generally not scalable, because it involves a considerable infrastructure commitment and is a costly alternative for huge networks. Beyond that, wireless sniffing may fail in certain cases. In the first case, the Evil Twin AP does not show
itself by pausing beacon frames, may operate with less signal strength, and may use nonstandard protocols. In the second case, the attacker can even use a directional antenna to focus on a small area to avoid detection.

Wired-side solutions exploit differences in network traffic characteristics to infer wireless traffic. They use policy-based access control to detect whether discovered APs are authorized or not. Some solutions are sometimes efficient, but they classify network traffic as wireless mainly on the basis of network statistics that show a bigger delay than that of wired networks. These wired solutions also assume that sample wireless network traffic is available for comparison, which means the network has an AP. However, there are many networks which are not wireless. Sometimes the attacker may be aware of Evil Twin defences and may use different techniques to avoid wired-side detection. The hybrid approach is good for the detection of the Evil Twin, but sometimes the attacker may easily get past the hybrid approach's wired-side components. So, we still have no technique to completely detect the Evil Twin access point.

5. CONCLUSION

The Evil Twin detection system has been a major research area as the popularity of wireless local area networks increases day by day. The widespread use of wireless networks at public places like coffee shops, airports, etc. increases the threat of the Evil Twin attack. In this paper, we surveyed different recent Evil Twin detection methods or solutions presented by researchers. We have given the weaknesses of particular solutions, the depth of accuracy of various solutions, the factors affecting the detection of such methods, etc. So, as the era of the wireless environment is growing faster, we need a more general solution against the serious threat of the Evil Twin attack.

REFERENCES

[1] http://blog.kaspersky.com/do-you-use-free-wifi-hotspots-a-survey.
[2] Public Wi-Fi usage survey, 2012, Identity Theft Resource Center.
[3] Netstumbler. http://www.netstumbler.com
[4] Wavelink, http://www.wavelink.com
[5] The Airwave Project, http://www.airwave.com
[6] W. Wei, S. Jaiswal, J. Kurose and D. Towsley, Identifying 802.11 traffic from passive measurements using iterative Bayesian inference, in Proc. IEEE INFOCOM '06, 2006.
[7] L. Watkins, R. Beyah, and C. Corbett, A passive approach to rogue access point detection, in Proc. IEEE INFOCOM '06, 2006.
[8] Active User-side Evil Twin Access Point Detection Using Statistical Techniques. Chao Yang, Yimin Song, and Guofei Gu, Member, IEEE.
[9] A Novel Approach for Rogue Access Point Detection on the Client-Side. Somayeh Nikbakhsh, Azizah Bt Abdul Manaf, Mazdak Zamani, Maziar Janbeglou.
[10] A Timing-Based Scheme for Rogue AP Detection. Hao Han, Bo Sheng, Member, IEEE, Chiu C. Tan, Member, IEEE, Qun Li, Member, IEEE, and Sanglu Lu, Member, IEEE.
[11] Online Detection of Fake Access Points using Received Signal Strengths. Taebeom Kim, Haemin Park, Hyunchul Jung, and Heejo Lee.
[12] Qu, G. and Nefcy, M. M. (2010). RAPid: An indirect Rogue Access Point Detection System, IEEE 978-1-4244-9328-9/10.
[13] Roth, V., Polak, W., Rieffel, E. and Turner, T. (2008). Simple and effective defense against Evil Twin Access Points. WiSec'08, March 31-April 2, 2008, Alexandria, Virginia, USA.
[14] C. Mano, A. Blaich, Q. Liao, Y. Jiang, D. Salyers, D. Cieslak, and A. Striegel. RIPPS: Evil identifying packet payload slicer detecting unauthorized wireless hosts through network traffic conditioning. ACM Transactions on Information Systems and Security.
[15] W. Wei, B. Wang, C. Zhang, J. Kurose, and D. Towsley. Classification of access network types: Ethernet, wireless LAN, ADSL, cable modem or dialup? In Proc. IEEE INFOCOM, March 2005.
[16] V. Baiamonte, K. Papagiannaki, and G. Iannaccone. Detecting 802.11 wireless hosts from remote passive observations. In Proc. IFIP/TC6 Networking, Atlanta,
[17] W. Wei, S. Jaiswal, J. Kurose, and D. Towsley. Identifying 802.11 traffic from passive measurements using iterative Bayesian inference. In Proc. IEEE INFOCOM, 2006.
[18] H. Yin, G. Chen, and J. Wang. Detecting Protected Layer-3 Evil APs. In Proceedings of the Fourth IEEE International Conference on Broadband Communications, Networks, and Systems (BROADNETS), Raleigh, NC, September 2007.
[19] Gaogang Xie, Tingting He, Guangxing Zhang. Evil Access Point Detection Using Segmental TCP Jitter.
[20] Rogue-Access-Point Detection: Challenges, Solutions, and Future Directions. Raheem Beyah (Georgia Tech), Aravind Venkataraman (Cigital).
[21] Ajay M. Patel, Dr. A. R. Patel and Ms. Hiral R. Patel, A Comparative Analysis of Data Mining Tools for Performance Mapping of WLAN Data, International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 2, 2013, pp. 241-251, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[21] S. B. Patil, S. M. Deshmukh, Dr. Preeti Patil and Nitin Chavan, Intrusion Detection Probability Identification in Homogeneous System of Wireless Sensor Network, International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 12-18, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[22] Neeraj Tiwari, Rahul Anshumali and Prabal Pratap Singh, Wireless Sensor Networks: Limitation, Layerwise Security Threats, Intruder Detection, International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 2, 2012, pp. 22-31, ISSN Print: 0976-6464, ISSN Online: 0976-6472.
