Proceedings Article

Evil Twin Attack Detection using Discrete Event Systems in IEEE 802.11 Wi-Fi Networks

TL;DR: A Discrete Event System (DES) based approach for Intrusion Detection System (IDS) for evil twin attacks in a Wi-Fi network is proposed.
Abstract: Wi-Fi technology has seen rapid growth in the last two decades. It has revolutionized the way we access the Internet. However, they are vulnerable to Denial of Service attacks, Encryption Cracking, and Rogue Access Points etc. In this manuscript, our focus is on Evil Twin Attack, the most common type of Rogue Access Point (RAP). An evil twin AP lures client(s) into connecting to it, disguising itself as a genuine AP by spoofing its MAC address and SSID (Service Set IDentifier). Once a client is connected to the evil twin AP, the attacker can spy on its communication, re-direct client(s) to malicious websites, compromise credentials. Whitelisting AP(s), timing based solutions, patching AP/client etc., are some existing methods to detect evil twin AP(s) in a network. However, practically methods demand comprehensive set up and maintenance, they suffer from scalability and compatibility issues. Some even require protocol modifications, thus making it expensive and practically infeasible in a large scale network with no proof of correctness. To address these issues, we propose a Discrete Event System (DES) based approach for Intrusion Detection System (IDS) for evil twin attacks in a Wi-Fi network.
Citations
Journal Article
TL;DR: This research aims to explore the various methods on how to distinguish the AP, as a rogue or legitimate, based on the hardware and software approach model, and produced an alternative solution using beacon frame manipulation technique.
Abstract: Most people around the world make use of public Wi-Fi hotspots, as their daily routine companion in communication. The access points (APs) of public Wi-Fi are easily deployed by anyone and everywhere, to provide hassle-free Internet connectivity. The availability of Wi-Fi increases the danger of adversaries, taking advantages of sniffing the sensitive data. One of the most serious security issues encountered by Wi-Fi users, is the presence of rogue access points (RAP). Several studies have been published regarding how to identify the RAP. Using systematic literature review, this research aims to explore the various methods on how to distinguish the AP, as a rogue or legitimate, based on the hardware and software approach model. In conclusion, all the classifications were summarized, and produced an alternative solution using beacon frame manipulation technique. Therefore, further research is needed to identify the RAP.

4 citations

Journal Article
TL;DR: A machine learning-based radio identification solution that relies on hardware variabilities of internal components of the transmitter caused during manufacturing, allowing to achieve passive device identification and introduces a new kind of covert channel, based on variations in the emitted signal strength, which allows to implement unique active device identification.
Abstract: Secure wireless device identification is necessary if we want to ensure that any transmitted data reach only a desired receiver. However the fact that wireless communications are by nature broadcast creates unique challenges such as identity theft, eavesdropping for data interception, jamming attacks to disrupt legitimate transmissions, etc. This paper proposes a new integrated radioprint framework (IRID) that has two main components. First, we propose a machine learning-based radio identification solution that relies on hardware variabilities of internal components of the transmitter caused during manufacturing, allowing us to achieve passive device identification. Second, we introduce a new kind of covert channel, based on variations in the emitted signal strength, which allows us to implement unique active device identification. We evaluate our proposed framework on an experimental test-bed of 20 identical WiFi devices. Although our experiments deal only with IEEE 802.11b, the approach can easily be extended to any wireless protocol. The experimental results show that our proposed solution can differentiate between network devices with accuracy in excess of 99% on the basis of a standard-compliant implementation.

1 citation


Cites methods from "Evil Twin Attack Detection using Di..."

  • ...This rogue AP mimics an AP by using the same identification credentials as the legitimate AP [3]....

    [...]

Book Chapter
01 Jan 2021
TL;DR: In this paper, a lightweight network intrusion detection system for link-physical layer devices operating the 802.11 suite of protocols is proposed for non-compute-intensive embedded devices in a distributed network, synonymous to applications of smart city wide area networks and relatively smaller wireless local area networks.
Abstract: The growth in capability of consumer electronics, intelligent systems, and wireless networking technology has brought about an unprecedented scale in communication by networked devices. With scale of capability comes information security issues that present themselves through all layers of software and network stacks. In this paper, we propose a lightweight network intrusion detection system for link-physical layer devices operating the 802.11 suite of protocols. Though many attempts have been made at detecting abnormal behavior through protocol modification, firmware augmentation, and machine learning, a novel approach has been proposed which is suitable for non-compute-intensive embedded devices in a distributed network, synonymous to applications of smart-city wide area networks and relatively smaller wireless local area networks.

1 citation

Book Chapter
01 Jan 2022
TL;DR: In this paper, the authors address the strategies that intruders use to extract identities and what users need to do to keep them out of the networks, and identify and avoid the Evil Twin attack over any Wi-Fi networks.
Abstract: Numerous types of threats could become vulnerable to Wi-Fi networks. In terms of preventing and reducing their effect on the networks, it has become an imperative activity of any user to understand the threats. Even after thoroughly encrypting them, the route between the attacker’s device and the victim’s device may even be vulnerable to security attacks on Wi-Fi networks. It has also been noted that there are current shortcomings on Wi-Fi security protocols and hardware modules that are available in the market. Any device connected to the network could be a possible primary interface for attackers. Wi-Fi networks that are available in the transmission range are vulnerable to threats. For instance, if an Access Point (AP) has no encrypted traffic while it is attached to a Wi-Fi network, an intruder may run a background check to launch the attack. And then, attackers could launch more possible attacks in the targeted network, in which the Evil Twin attack have become the most prominent. This Evil Twin attack in a Wi-Fi network is a unique outbreak mostly used by attackers to make intrusion or to establish an infection where the users are exploited to connect with a victim’s network through a nearby access point. So, there are more chance to get user’s credentials by the perpetrators. An intruder wisely introduces a fake access point that is equivalent to something looks like an original access point near the network premises in this case. So, an attacker is capable of compromising the network when a user unconsciously enters by using this fake access point. Attackers could also intercept the traffic and even the login credentials used after breaching insecure networks. This could enable monitoring the users and perhaps even manipulating the behavior patterns of an authorized network user smoother for attackers. The key consideration of this research paper is the identification and avoidance of the Evil Twin attack over any Wi-Fi networks. It is named as DPETAs to address the strategies that intruders use to extract identities and what users need to do to keep them out of the networks.
Keywords: Management frames; Fake access points; 802.11 standards; Wi-Fi attacks; Man in the middle (MITM) attack; Evil twin AP attacks

Proceedings Article
19 Apr 2023
TL;DR: In this paper, the authors proposed a preventive algorithm to counterattack the evil twin attack in free Wi-Fi networks using multi-channel, information about IP prefix distribution, and whitelisting of legitimate points.
Abstract: Amateurs hack systems; professionals make evil twins with a mere connection. Free Wi-Fi everywhere, but we need more awareness among us. An evil twin can mimic the IP address and the network name of a legitimate access point. The evil twin can obstruct the accessibility of the legitimate access point, leading to a man-in-the-middle attack. Thus, preventing such spoofing attacks is needed to strengthen security and prevent data breaches. In the past few decades, some efforts have taken place to detect and stop evil twin attacks, but they are less vast than multi-channel. This paper will detail the preventive algorithm to counterattack the evil twin attack. The suggested algorithm work on the multi-channel, information about IP prefix distribution, and whitelisting of legitimate points are implemented in evil twin detection. Authorization is performed at every channel to detect any unauthorized BSSID or Deauthorization frame in the network. The proposed algorithm successfully substantiate the detection of the evil twin.
References
Proceedings Article
04 Aug 2003
TL;DR: This paper provides an experimental analysis of 802.11-specific attacks - their practicality, their efficacy and potential low-overhead implementation changes to mitigate the underlying vulnerabilities.
Abstract: The convenience of 802.11-based wireless access networks has led to widespread deployment in the consumer, industrial and military sectors. However, this use is predicated on an implicit assumption of confidentiality and availability. While the security flaws in 802.11's basic confidentiality mechanisms have been widely publicized, the threats to network availability are far less widely appreciated. In fact, it has been suggested that 802.11 is highly susceptible to malicious denial-of-service (DoS) attacks targeting its management and media access protocols. This paper provides an experimental analysis of such 802.11-specific attacks - their practicality, their efficacy and potential low-overhead implementation changes to mitigate the underlying vulnerabilities.

733 citations


Additional excerpts

  • ...spoofing [6], authentication flood, de-authentication flood etc....

    [...]

Journal Article
TL;DR: This paper considers a category of rogue access points (APs) that pretend to be legitimate APs to lure users to connect to them and proposes a practical timing-based technique that allows the user to avoid connecting to rogue APs.
Abstract: This paper considers a category of rogue access points (APs) that pretend to be legitimate APs to lure users to connect to them. We propose a practical timing-based technique that allows the user to avoid connecting to rogue APs. Our detection scheme is a client-centric approach that employs the round trip time between the user and the DNS server to independently determine whether an AP is a rogue AP without assistance from the WLAN operator. We implemented our detection technique on commercially available wireless cards to evaluate their performance. Extensive experiments have demonstrated the accuracy, effectiveness, and robustness of our approach. The algorithm achieves close to 100 percent accuracy in distinguishing rogue APs from legitimate APs in lightly loaded traffic conditions, and larger than 60 percent accuracy in heavy traffic conditions. At the same time, the detection only requires less than 1 second for lightly-loaded traffic conditions and tens of seconds for heavy traffic conditions.

125 citations


"Evil Twin Attack Detection using Di..." refers background in this paper

  • ...[13] [15] [11], Special Hardware Solutions [8], [2], Statistical Evaluation [5] etc....

    [...]

Journal Article
J.A. Gutierrez
05 Sep 2004
TL;DR: A brief technical introduction of the IEEE 802.15.4 standard is presented and its applicability for building automation applications is analyzed.
Abstract: IEEE 802.15.4 is a new standard that addresses the need of low-rate wireless personal area networks or LR-WPAN with a focus on enabling pervasive wireless sensor networks for residential, commercial and industrial applications. The standard is characterized by maintaining a high level of simplicity, allowing for low cost and low power implementations. This work presents a brief technical introduction of the IEEE 802.15.4 standard and analyzes its applicability for building automation applications.

117 citations


"Evil Twin Attack Detection using Di..." refers background in this paper

  • ...Wireless technologies such as Wi-Fi, Bluetooth, Infrared, Radio, Microwave, Zigbee etc [12], [10], [1] have seen enormous advancement in terms of its applications....

    [...]

Proceedings Article
11 May 2003
TL;DR: A distributed agent based intrusion detection and response system for wireless LANs that can detect unauthorized wireless elements like access points, wireless clients that are in promiscuous mode etc and react to intrusions by either notifying the concerned personnel, or by blocking unauthorized users from accessing the network resources.
Abstract: Wireless LAN technology, despite the numerous advantages it has over competing technologies, has not seen widespread deployment. A primary reason for markets not adopting this technology is its failure to provide adequate security. Data that is sent over wireless links can be compromised with utmost ease. In this project, we propose a distributed agent based intrusion detection and response system for wireless LANs that can detect unauthorized wireless elements like access points, wireless clients that are in promiscuous mode etc. The system reacts to intrusions by either notifying the concerned personnel, in case of rogue access points and promiscuous nodes, or by blocking unauthorized users from accessing the network resources.

94 citations


Additional excerpts

  • ...[7], Timing Based Solutions Mano et al....

    [...]

Proceedings Article
09 Aug 2010
TL;DR: This work proposes a novel user-side evil twin detection technique that outperforms traditional administrator-side detection methods in several aspects and can identify evil twins with a very high detection rate while keeping a very low false positive rate.
Abstract: In this paper, we consider the problem of “evil twin” attacks in wireless local area networks (WLANs). An evil twin is essentially a phishing (rogue) Wi-Fi access point (AP) that looks like a legitimate one (with the same SSID name). It is set up by an adversary, who can eavesdrop on wireless communications of users' Internet access. Existing evil twin detection solutions are mostly for wireless network administrators to verify whether a given AP is in an authorized list or not, instead of for a wireless client to detect whether a given AP is authentic or evil. Such administrator-side solutions are limited, expensive, and not available for many scenarios. For example, for traveling users who use wireless networks at airports, hotels, or cafes, they need to protect themselves from evil twin attacks (instead of relying on those wireless network providers, which typically may not provide strong security monitoring/management service). Thus, a lightweight and effective solution for these users is highly desired. In this work, we propose a novel user-side evil twin detection technique that outperforms traditional administrator-side detection methods in several aspects. Unlike previous approaches, our technique does not need a known authorized AP/host list, thus it is suitable for users to identify and avoid evil twins. Our technique does not strictly rely on training data of target wireless networks, nor depend on the types of wireless networks. We propose to exploit fundamental communication structures and properties of such evil twin attacks in wireless networks and to design new active, statistical and anomaly detection algorithms. Our preliminary evaluation in real-world widely deployed 802.11b and 802.11g wireless networks shows very promising results. We can identify evil twins with a very high detection rate while keeping a very low false positive rate.

89 citations