Passive Online Rogue Access Point Detection Using Sequential Hypothesis Testing with TCP ACK-Pairs
by Don Towsley, Wei Wei, Kyoungwon Suh, Bing Wang, Yu Gu, Jim Kurose
url: http://www.imconf.net/imc-2007/papers/imc122.pdf

abstract: Rogue (unauthorized) wireless access points pose serious security threats to local networks. In this paper, we propose two online algorithms to detect rogue access points using sequential hypothesis tests applied to packet-header data collected passively at a monitoring point. One algorithm requires training sets, while the other does not. Both algorithms extend our earlier TCP ACK-pair technique to differentiate wired and wireless LAN TCP traffic, and exploit the fundamental properties of the 802.11 CSMA/CA MAC protocol and the half-duplex nature of wireless channels. Our algorithms make prompt decisions as TCP ACK-pairs are observed, and only incur minimum computation and storage overhead. We have built a system for online rogue-access-point detection using these algorithms and deployed it at a university gateway router. Extensive experiments in various scenarios have demonstrated the excellent performance of our approach: the algorithm that requires training provides rapid detection and is extremely accurate (the detection is mostly within 10 seconds, with very low false positive and false negative ratios); the algorithm that does not require training detects 60%-76% of the wireless hosts without any false positives; both algorithms are lightweight (with computation and storage overhead well within the capability of commodity equipment).
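To make the sequential-hypothesis idea in the abstract concrete, here is an added illustration (not the paper's own code): a Wald sequential probability ratio test run over one host's TCP ACK-pair inter-arrival gaps, deciding between H0 (wired) and H1 (wireless, where CSMA/CA and the half-duplex channel are expected to stretch the gaps). The gap threshold, the per-hypothesis probabilities of a "large" gap, the error targets and the sample gaps are all assumed or constructed here, not values taken from the paper.

```python
import math
from typing import Iterable, Optional, Tuple

# Assumed parameters (not from the paper): an ACK-pair gap above GAP_THRESHOLD_S
# counts as "large"; P_LARGE_* are the assumed probabilities of a large gap
# under the wired (H0) and wireless (H1) hypotheses.
GAP_THRESHOLD_S = 0.002   # 2 ms
P_LARGE_WIRED = 0.10
P_LARGE_WIRELESS = 0.70


class AckPairSPRT:
    """Wald SPRT over binarised ACK-pair gaps: H0 = wired host, H1 = wireless host."""

    def __init__(self, alpha: float = 0.01, beta: float = 0.01) -> None:
        # Stopping bounds derived from the target false-positive (alpha)
        # and false-negative (beta) rates.
        self.upper = math.log((1 - beta) / alpha)   # reach it -> accept H1 (wireless)
        self.lower = math.log(beta / (1 - alpha))   # reach it -> accept H0 (wired)
        self.llr = 0.0          # running log-likelihood ratio log(P1/P0)
        self.pairs_seen = 0

    def observe(self, gap_s: float) -> Optional[str]:
        """Feed one ACK-pair gap; return 'wireless' or 'wired' once decided, else None."""
        self.pairs_seen += 1
        large = gap_s > GAP_THRESHOLD_S
        p1 = P_LARGE_WIRELESS if large else 1 - P_LARGE_WIRELESS
        p0 = P_LARGE_WIRED if large else 1 - P_LARGE_WIRED
        self.llr += math.log(p1 / p0)
        if self.llr >= self.upper:
            return "wireless"
        if self.llr <= self.lower:
            return "wired"
        return None   # keep watching: the test decides as soon as evidence suffices


def classify_host(gaps: Iterable[float], alpha: float = 0.01,
                  beta: float = 0.01) -> Tuple[str, int]:
    """Run the SPRT over a host's ACK-pair gaps; returns (verdict, pairs consumed)."""
    test = AckPairSPRT(alpha, beta)
    for gap in gaps:
        verdict = test.observe(gap)
        if verdict is not None:
            return verdict, test.pairs_seen
    return "undecided", test.pairs_seen


# Constructed sample gaps in seconds (not measured data): a mostly-fast wired
# host with one outlier, and a wireless host with mostly stretched gaps.
WIRED_GAPS = [0.0003, 0.0005, 0.0002, 0.0041, 0.0004, 0.0003, 0.0006, 0.0002]
WIRELESS_GAPS = [0.0051, 0.0030, 0.0007, 0.0062, 0.0045, 0.0038, 0.0055, 0.0049]

if __name__ == "__main__":
    print(classify_host(WIRED_GAPS))      # ('wired', 7)
    print(classify_host(WIRELESS_GAPS))   # ('wireless', 4)
```

The point to notice is that the decision lands after a handful of pairs and the only state kept per host is one float and a counter, which is what lets a monitor at a gateway run this per host at low cost.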