Professional Documents
Culture Documents
I. INTRODUCTION
Wireless networks are becoming extremely popular with
the rapid advance of wireless LAN techniques and the wide
deployment of Wi-Fi equipment. Users can easily access
the Internet wirelessly when they are at home, at work, or
even traveling. However, there is an emerging threat that can
severely compromise the security of wireless users - evil
twin attacks. An evil twin in a wireless LAN is essentially
a phishing (rogue) Wi-Fi access point (AP) that looks like a
legitimate one (with the same ssm name), but actually has
been set up by an adversary, who can eavesdrop on wireless
communications of users' Internet access.
An evil twin attack is easy to launch. First, by using specific
readily-available software [4], an attacker can simply configure
a laptop to be an access point in a wireless network. Then,
the attacker can figure out the SSID and the radio frequency
that the legitimate AP is using. Finally, the attacker can phish
victim users, by deploying her own access point with the
same ssm as the legitimate AP is utilizing. An evil twin
323
DSN 20 1 0 : Song et al .
RELAT E D
WORK
324
DSN 20 1 0 : Song et al .
III.
325
SERV E R
IAT
A N A LY S I S
DSN 20 1 0 : Song et al .
.
TABLE I Vanables and settmgs m our model
Protocol
802 . l l b
I I MBps
1 00MBps
32
Bw
BE
Wo
TDIFS
TSIFS
LACK(MAC)
LACK(TCP)
Lp
Lp
802 . l l g
54MBps
1 00MBps
16
50j.Ls
lOj.Ls
Li A S
278Bytes
278Bytes
338Bytes
402Bytes
375Bytes
402Bytes
375Bytes
P1
2T'DI
Theorem 1.
27'011"5+
alU/
E(T'waid= 2(1'=-p)
'
TSIFS+
I'ACK(MAC)
Bw
L -
l'ACK(TCP)+I,p
'
Be
(I)
+ Twait
p
-2(1 - p)
B Jj
After receiving AI, the server will send P2 to the AP. If the
AP has not finished sending the ACK packet in the MAC layer
to the client, the AP could not begin to send P2 to the client.
Thus, after Al arrives at the AP from the c1ientl the AP will
have to use TM AX time to begin to prepare sendmg P2 to the
client, where
T/\,/ AX
= Trt
ax
Ts I
PS
LACJMAC)
BW
LACK(TCP) +
BE
Lp
"
Lwail.
TSIJ"S +
2E(TJ3F )
LACJMAC) + LACJTCP) + Lp
(5)
E(T'MAX)
BW
B(7-:waitJ =
4'1'01PS+TSIFS+4E(TBF)
LACJAlAC) +
21'ACJTCP) +21,p
BW
.
I'ACK(MAC)
7511"5+
B
W
L
'
(6)
+E(TMAX)
LACK(TCP)+I,p
BB
+ 7 'Wail,
()
+ T'MAX
ulld
+ E(TMAX)
2TOIl"S +
Where,TMAx=nl-ax
(3)
BW
Where,7MAx=rna3;
Bw
BW
l.Jp
LACJMAC)+LACJTCP)+Lp
+TOIPS+TBP+
PS+TSI FS+2TBF
E(iS.AS)L'WO_hO
p
LACK(MAC)+LACK(TCP)+Lp
BW
LACJTCP)
Thus,
LACJMAC)
+ TMAX +TDIPS+TBP+BW
B(25.AS)one_hop
E(25.AS)one_hop
(2)
=TSIPS+
50j.Ls
10j.Ls
338Bytes
T P2
326
E(Lis )
E(LiAs)two-hop - E(LiAs)one-hop
2TDIFS
2E(TBF)
;;)
LACK(
Lp
(7)
E( s )
E( As )two-hop - E( As)one-hop
2TDIFS
2E(TBF)
c;
LACK(
E(Lis )
Lp
(8)
DSN 20 1 0 : Song et al .
0.25,-----;=_
=0 =... =00=;.==R=55==., ,0= 0%(==,)==il
-'one-hop; RSSI=100%(2)
0.2
..... one-hop; RSSI=.100%(3)
--two-hops; RSSI=l00%(l
--two-hops; RSSI=100%(2
::;; 0.15
....A.-two-hops; RSSI=100%(3
:c
d:
0.1
0.05
BOOO
/-L2,EAP.
ol-C
...
(a) RSSI=IOO%
(b) RSSI=50%
DET E C T I O N A L G O R I T H M
An-In
=
(9)
327
DSN 20 1 0 : Song et aL
For the first assumption, since the time cost during collect
ing one pair of Server IAT and AP IAT is in seconds, it is
reasonable to assume the wireless network environment does
not change dramatically during such a short time interval. For
the second one, since the attacker wants to successfully allure
victim clients to connect with the evil twin AP, it is more
likely for the attacker to provide a better RSSI and a smaller
wireless collision probability. For the last one, if there is a
severe network congestion in the Ethernet, few people would
choose the normal AP to surf the Internet.
Next, we introduce some variables to better describe our
model. Let AA be the AP IAT and 0: be the SAIR, under
the real network environment. Let LiAA be the AP IAT and ii
be the SAIR under the ideal network environment. Then, we
can get
0:
As
AA and
liAs
0:
LiAA
(10)
Bw
(II)
Theorem 3.
328
DSN 20 1 0 : Song et al .
76.9%;
- for ProtocoI802.11g, ao
71.5%;
74.9%;
- for ProtocoI802.11g, ao
71.2%;
C. Improvement by Data Preprocessing
In this section, we describe two data preprocessing tech
niques to improve the results: data filtering and data smooth
ing. For the first technique, we filter noisy data (according
to the theoretical Server IAT) with large number of network
collisions. For the second technique, we use the mean of
multiple collected input data, rather than only one collected
data, to smooth the input.
J) Data Filtering: In order to filter noisy data, we only
consider the packets whose collision number is at most three.
(According to [29], when the number of users is under 20,
the probability that a packet has at most 3 collisions is over
85%). In this way, we can both filter the noisy data and keep
sufficient data to implement the detection. Thus, according to
IEEE 802.11 standard and our filter policy, we filter out the
packets whose AP IATs exceeding 21,000p,s or Server IAT
exceeding 39,800p,s.
2) Data Smoothing: To further improve the result, we also
use the mean of multiple input data rather than only one input
data in one decision round. Specifically, we use the mean of
multiple Server IATs or the mean of multiple SAIRs instead
of only one Server IAT or one SAIR in one decision round to
perform the threshold random walk. We name TMM algorithm
and HOT algorithm using multiple Server IATs and multi
SAIRs as multi-TMM algorithm and multi-HOT algorithm,
respectively.
VI. EVALUATION
We evaluate the results and the performance of our evil twin
attack detection algorithms through implementing a detection
prototype system named ETSniffer (Evil Twin Sniffer). In this
section, we describe our evaluation methodology, including
the experimental setup, datasets, effectiveness, efficiency and
cross-validation.
Datasets
329
DSN 20 1 0 : Song et al .
B+
B-
C+
C-
802.11g(HOT)
2.19%
1.41%
2.06%
1.93%
2.48%
6.52%
802.11b(HOT)
8.39%
8.76%
5.39%
6.96%
5.27%
5.15%
802.11g(TMM)
1.08%
1.76%
1.97%
1.48%
1.75%
1.73%
802.11b(TMM)
0.78%
1%
1.07%
1.27%
6.65%
7.01%
1
0.98
0.96 .
0.94
.
:s 0.92
.3
0.9
Q.
0.88
0.84
0.8
Tech
HOT
TMM
B+
B-
C+
C-
802.IIg
0.80%
0.86%
3.91%
3.72%
4.69%
7.09%
10.36%
802.llb
1.38%
1.44%
5.61%
6.17%
9.42%
802.lIg
0.62%
0.68%
2.59%
2.66%
3.30%
6.02%
802.IIb
0.99%
1.04%
3.33%
4.82%
7.44%
8.29%
- 4-
..
0.86
RSSI Range: B
RSSI Range: C+
..
RSSI range: C
...
RSSI range: 0
ro
w
Number of input data in one Decision Round
20
100
C. Effectiveness
We evaluate the effectiveness of our algorithms based on
different RSSI ranges and two IEEE WLAN protocols 802.11b and 802.11g. In the normal AP scenario, the RSSI
refers to the link between the user and the normal AP; in the
evil twin AP scenario, the RSSI refers to the link between
the user and the evil twin AP. The results are shown in
Table IV and V, which clearly verify the effectiveness of
our algorithms. In addition, we can also find that the results
obtained in 802.11g are better than those obtained in 802.11b.
This is caused by the low bandwidth and larger initial window
size in 802.11b protocol, leading to a larger variance of IAT
distribution.
TART R TV: D
A
B+
802.11g(HOT)
99.08%
rate
B-
C+
C-
98.72%
93.53%
94.31%
87.29%
81.39%
94.64%
802.11b(HOT)
99.92%
99.99%
99.96%
99.95%
96.05%
802.llg(TMM)
99.39%
99.97%
99.49%
99.5%
98.32%
94.36%
802.11b(TMM)
99.81%
95.43%
94.81%
96.09%
91.94%
85.71%
B+
B-
C+
C-
802.11g(mulii-TMM)
99.62%
100%
100%
99.95%
100%
100%
802.11b(multi-TMM)
100%
100%
100%
100%
100%
100%
802.11g(multi-HDT)
100%
99.11%
98.73%
99.88%
95.83%
88%
802.11b(multi-HDT)
100%
100%
100%
100%
100%
100%
B+
B-
C+
C-
802.11g(multi-TMM)
0%
0.77%
0%
0%
0%
0%
802.11b(tnulti-TMM)
0%
0.03%
0.02%
0.11%
0.73%
0.1%
802.11g(multi-HDT)
0%
0.96%
0.16%
0.\3%
0.55%
0.96%
802.11b(multi-HDT)
0%
1.07%
1.16%
1.02%
1.36%
1.41%
D. Time Efficiency
330
DSN 20 1 0 : Song et al .
B+
B-
c+
c-
802.11g(multi-TMM)
0%
0%
0%
0%
0%
0%
802.11b(multi-TMM)
0%
0%
0.01%
0.01%
0.02%
0.01%
802.11g(muhi-J-lDT)
0%
0%
0%
0%
0%
0%
802.11b(mult;-HDT)
0%
0%
0.02%
0.02%
0.03%
0.03%
f" p
rLI . :
2
a.
Il)
"
.,
.
... .....
.12
+l
g 0.75 :,..
. . ..
.. .. .
" J
0.7
:,
......
'
0.65 ........... , . ... . ..... .
10
15
25
B+
8-
C+
RSSI Range
C-
..
RSSI Range
..
30
35
40
45
.. ..... ..
.
..
20
.. ....
.
50
O.
a:
c
.
S! o.
1l
0.6
0.5
O ..
. .====--+---!
RSSI
E. Cross-Validation
Form Section VI-C, we can find that both TMM algorithm
and HOT algorithm demonstrate high efficiency and effec
tiveness. Especially, TMM algorithm, based on the trained
knowledge, performs a little bit better than HOT algorithm.
However, as described in Section V-A2, in many practical
cases, the prior knowledge is difficult to be obtained. In
addition, TMM algorithm does not accommodate well to
the changes of the wireless network environment. Thus, to
evaluate such limitations of TMM algorithm, in this section,
we design cross-validation experiments under different levels
of RSSI and different locations.
J) Cross-validation under different RSSI: In this sec
tion, we implement the cross-validation under different RSSI
ranges. Specifically, we train the Server IAT threshold for
TMM algorithm using the data from only one RSSI range
and execute the detection phase using the data from all RSSI
ranges. We show two scenarios in Figure 9 in this paper (a
complete result can be found in [25]). From Figure 9, we can
see that the detection rate drops dramatically, revealing TMM
algorithm's tight dependency on the (perfect) training data.
33 1
0.21-,-""'---;====,.-,
0.2r--,--,---.---,
0.15
0.15
.
>
0.1
;:;
0.05
B+-B--C + -C- -D
RSSI
0.1
0.05
B+
B-
ASSI
C+
c-
AND
FUT U RE W O R K
DSN 20 1 0 : Song et al .
CONCLU SION
[ 1 2] AirDefense .
TIRED OF ROGUES? Solutions for Detecting
and Eliminating Rogue Wireless Networks .
White paper, http://
wirelessnetworkchannel- asia .motorola.comlpdf/ .
[ 1 3 ] P. Bahl , R. Chandra , J. Padhye , L. Ravindranath, M. Singh , A. Wolman ,
and B . Zil l . Enhancing the security of corporate Wi-Fi networks using
DAIR. In Proc. MobiSys '06 , 2006 .
[ 1 4] V. Baiamonte , K. Papagiannaki , G. Iannaccone , and P. D. Torino.
Detecting S02 . 1 1 wireless hosts from remote passive observations . In
Proc . IFIPITC6 Networking , 2007 .
[ I S] R. Beyah , S . Kangude, G. Yu , B . Strickland, and J. Copeland . Rogue
access point detection using temporal traffic characteristics . In IEEE
Global Telecommunications Conference (GLOBECOM'04) , 2004.
[ 1 6] G. Bianchi and D . e Inf. IEEE S02 . 1 I -saturation throughput analysi s .
IEEE communications letters, 2( 1 2):3 1 8--320, 1 995.
[ 1 7] C . Corbett, R . Beyah , and J . Copeland . A passive approach to wireless
NIC identification. In IEEE International Conference on Communica
tions (ICC '06) , 2006 .
[ I S] C. Foh and J. Tantra. Comments on IEEE S02 . 1 1 saturation throughput
analysis with freezing of backoff counters . IEEE Communications
Letters , 9(2) : 130- 1 3 2 , 2005 .
[ 1 9] S . Garg and M. Kappe s . An experimental study of throughput for UDP
and VoIP traffic in IEEE S02 . 1 1 b networks . In 2003 IEEE Wireless
Communications and Networking (WCNC '03) , 2003 .
[20] L. Ma, A. Teymorian, and X. Cheng. A hybrid rogue access point
protection framework for commodity Wi-Fi networks. In Proc . IEEE
Infocom '08, 200S .
[2 1 ] D. MacDonald and W. Barkley. Microsoft Windows 2000 TCP/IP Im
plementation Detai l s . White paper, http://technet.microsoft.com/en- us/
library/bb7269S I .aspx .
[22] C. Mano , A. Blaich , Q. Liao , Y. Jiang , D. Cieslak, D. Salyers , and
A. Striegel . RIPPS: Rogue identifying packet payload slicer detecting
unauthorized wireless hosts through network traffic conditioning. ACM
Transactions on Information and System Security (TISSEC) , 1 1 (2): 1 -23 ,
200S .
[23 ] P. Sarolahti and A. Kuznetsov. Congestion control in linux tcp . In
[24] S . Shetty, M. Song , and L. Ma. Rogue access point detection by ana
lyzing network traffic characteristics . In IEEE Military Communications
Conference (MILCOM'07) , 2007 .
[25] Y. Song , C. Yang, and G. Gu. Who Is Peeping at Your Passwords at
Starbucks? - To Catch an Evil Twin Access Point (Extended Version) .
http://faculty.cs .tamu.edu/guofei/etsniffer_tr09.pdf. Technical report.
[26] S. Srilasak , K. Wongthavarawat, and A. Phonphoem . Integrated Wireless
Rogue Access Point Detection and Counterattack System . In Interna
tional Conference on Information Security and Assurance , pages 32633 1 , 200S .
[27] K. Thompson , G. Miller, and R. Wilder. Wide-area Internet traffic
patterns and characteristics . IEEE network, 1 1 (6) : 1 0-23 , 1 997 .
[2S] A. Venkataraman and R. Beyah . Rogue Access Point Detection Using
Innate Characteristics of the S02 . l l MAC . In International Conference
on Security and Privacy in Communication Networks (SecureComm '09) ,
2009 .
[29] H. Vu and T. Sakurai . Collision probability in saturated IEEE S02. 1 1
networks . In Australian Telecommunication Networks and Applications
Conference, 2006 .
[30] A. Wald o Sequential Analysis . Dover Publications , 2004.
[3 1 ] L. Watkin s , R. Beyah , and C. Corbett. A passive approach to rogue
access point detection. In Proc . IEEE Globecom '07, 2007 .
[32] W. Wei , S . Jaiswal , J. Kurose, and D. Towsley. Identifying S02 . 1 1 traffic
from passive measurements using iterative Bayesian inference. In Proc.
IEEE INFOCOM'06, 2006 .
[33 ] W. Wei , K. Suh, B . Wang , Y. Gu, J. Kurose, and D. Towsley. Passive
online rogue access point detection using sequential hypothesis testing
with TCP ACK-pairs . In Proceedings of the 7th ACM SIGCOMM
conference on Internet measurement (IMC '07) , 2007 .
[34] W. Wei , B . Wang , C. Zhang, J. Kurose , and D. Towsley. Classification
of access network types: Ethernet, wireless LAN , ADSL, cable modem
or dialup? Computer Networks , 52( 17):3205-3 2 1 7 , 200S .
[35] H. Yin , G. Chen , and J. Wang . Detecting protected layer-3 rogue APs . In
Proceedings of the Fourth IEEE International Conference on Broadband
Communications, Networks, and Systems (BROADNETS '07) , 2007 .
332
DSN 20 1 0 : Song et al .