A survey on evil twin detection methods for wireless local area network

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367 (Print), ISSN 0976-6375 (Online), Volume 4, Issue 2, March-April (2013), pp. 493-499, © IAEME: www.iaeme.com/ijcet.asp. Journal Impact Factor (2013): 6.1302 (calculated by GISI), www.jifactor.com

Sachin R. Sonawane (1), Sandeep Vanjale (2), Dr. P. B. Mane (3)
(1) M.Tech Computer, BVDUCOE, Pune, Maharashtra, India
(2) Professor, PhD Student, BVDUCOE, Pune, Maharashtra, India
(3) Professor, AISSMS IOIT, Pune, Maharashtra, India

ABSTRACT

Wireless access points are today popularly used for the convenience of mobile users. The growing acceptance of wireless local area networks (WLAN) has introduced different risks of wireless security attacks. The presence of Evil access points is one of the most challenging network security concerns for network administrators. Evil access points, if undetected, can steal sensitive information on the network. Most of the current solutions to detect Evil access points are not automated and are dependent on a specific wireless technology. The Evil access point is one of the serious threats in wireless local area networks. In this paper we present a survey of recent Evil Twin access point detection solutions.

Keywords: RAP, WLAN, RSSI

1. INTRODUCTION

WLAN security technology has major use in many fields. Wireless LAN has a wide range of applications due to its flexibility and easy access. The use of public Wi-Fi has reached a level that is difficult to avoid. According to a poll conducted on Kaspersky's global Facebook pages, 32 percent of the more than 1600 respondents said that they use public Wi-Fi regardless of the security concerns. The Kaspersky study [1] also discovered that about 70% of tablet users and 53% of mobile phone users use free public Wi-Fi hotspots to go online. According to the JiWire report [2], in the past year total Wi-Fi usage has doubled, increasing by more than 240% since Q2 2011; it also specifies that this rise is due to mobile devices, with laptops accounting for just 48% of the connected devices. Based on the above two survey results, greater educational awareness is needed. Public Wi-Fi networks, like those at coffee shops, airports, etc., are open for users as well as for attackers who are looking for sensitive user data. Attackers can create an Evil Twin access point in such places to steal such data. The Evil Twin access point is one of the most serious threats in WLAN.

2. BACKGROUND

2.1 Wireless Local Area Network

Wireless local area networks are nowadays the easiest solution for the interconnection of various mobile devices like tablets, mobile phones, PDAs, etc. As the wireless arena grows rapidly, users find it very convenient to use these devices to check mail, browse the internet, etc. Such free services are available to users through wireless networks present at public places like coffee shops, airports, etc.

There are two types of wireless network topology. In the first, each node can reach every other node directly using radio relay systems with a long range; this topology does not use routing protocols. The second topology also deploys radio relay systems, but each node has a limited range, so a node uses other nodes to reach a node that is beyond its own transmission range.

2.2 Evil Twin Attack in Wireless Networks

Various security mechanisms are necessary in order to avoid threats against wireless networks. Different threats are present on the wireless network; one such serious threat is the Evil Twin access point.

An Evil Twin attack is easy to set up, as illustrated in Fig. 1. An attacker can easily set up an Evil access point that copies the authorized access point used in a public Wi-Fi area such as a coffee shop or an airport. The attacker sets up the Evil access point near the victims; the Evil access point can then attack the victim's wireless connection, using different methods to force the victim to change connection. Generally the Evil AP uses a stronger wireless signal than the authorized AP within range, so the user's laptop or other device automatically connects to the AP with the highest RSSI. Once the user is connected to the Evil AP, by capturing the network packets between the Evil AP and the authorized AP the attacker can provide internet access and can steal sensitive information like passwords, ATM PINs, etc. In this way the Evil AP works as an "Evil Twin" between the victim and the authorized AP, and the attacker can introduce more serious attacks like phishing. In short, the Evil Twin attack is a serious threat to WLAN security.

Figure 1. Evil Twin attack
2.3 Classification of Evil Twin Detection Methods

Most of the existing Evil Twin detection methods are classified into two categories.

The first is the network admin-side solution, which is further sub-classified into two sub-categories. The first sub-category [3],[4],[5] monitors the radio frequency airwaves, collects some information at routers/switches, and finally compares the obtained information with a known authorized list. The second sub-category [6],[7] monitors the network traffic present on the wired side, decides whether a machine is using a wireless or a wired connection, and finally compares the obtained information with an authorization list to find whether the related AP is an Evil Twin or not.

The second category [8],[9] consists of client- or user-side solutions. Such client approaches do not require an authorization list to compare the result against. Instead they allow the user to detect the presence of an Evil Twin access point in the network and provide a means to avoid it.

2.4 Components of Evil Twin Detection Methods

Most Evil Twin detection methods have the following components:

i) Listening component: This component is used for monitoring local events like packet sending, packet receiving, checking the RSSI level, etc.

ii) Answering component: This is used if an Evil Twin AP is detected in the wireless network. It uses different alarm mechanisms to alert the network administrator about the Evil Twin attack.

iii) Storage component: This component is used to store some standard threshold values, which are used for comparison with the obtained values to detect the Evil Twin attack. This component sometimes also stores the training set data, the different RSSI levels of all APs present in the network, etc.

2.5 Factors Affecting Evil Twin Access Point Detection

Different Evil Twin detection methods have different factors that affect the accuracy of attack detection. Some such factors are:

i) Wireless traffic: The performance of the network can be analysed by network traffic measurement. The network traffic present in the wireless environment may sometimes lead to false or inaccurate Evil Twin detection results [10]. Some methods assume there is wireless traffic between the user and the AP, and set the Evil Twin AP to use the conditions most favourable for avoiding detection: idle traffic and good signal quality.

ii) AP workload: The network load present at the AP [10] may also affect the accuracy of Evil Twin detection. The AP workload is based on the utilization of the AP's queue.

iii) Dependency on training data: In some methods Evil Twin detection is dependent on training data. In such methods the training data is used for comparison with the obtained results, and based on the comparison the Evil Twin attack is detected.

iv) RSSI level:
In some methods [11], detection of the Evil Twin attack is checked under different RSSI levels of the access point, so variations in the RSSI level may also show variations in the result of Evil Twin detection.

v) Techniques used for detection of Evil Twin: Different methods use various techniques for the detection of the Evil Twin attack. Some such techniques are clock skew, RSSI level, etc. These different parameters have different rates of success for Evil Twin detection.

3. RELATED WORK

The threat of Evil Twin APs has attracted both industrial and academic researchers to work on this problem. There are some methods which focus on it.

Hao Han and his colleagues used a timing-based scheme for Evil AP detection [10]: a practical timing-based scheme for the user to avoid connecting to an Evil AP. In their detection method they use timing information based on the round trip time (RTT). The idea is that the user probes a server in the local area network and measures the RTT from the response; this process is repeated a number of times and all RTTs are recorded. If the mean value of the RTTs is larger than a fixed threshold, they consider the associated AP an Evil AP. They consider four factors that influence the RTT: data transmission rate, location of the DNS server, wireless traffic and AP workload. They tested the accuracy of their technique in different scenarios for these four factors.

Taebeom Kim and his colleagues used received signal strengths for the detection of fake access points [11]. They measure correlated RSS sequences from nearby APs in order to determine whether the sequences are legitimate or fake. This method works in three phases. In phase one they collect RSS from nearby APs. In phase two they normalize the collected RSSs: this phase estimates some RSSs missed because of external factors and normalizes the estimated RSSs to generalize over a variety of wireless environments. In phase three they determine which RSSs are highly correlated to others based on an empirical threshold value, and they define such highly correlated RSS sequences as fake signals from a single device.

Qu and Nefcy presented a new indirect Evil Twin access point detection system [12]. They analyzed local round trip time (LRTT) data and designed a method with several algorithms for discovering wireless hosts effectively. Their work starts from passively scanning or monitoring network traffic and proceeds to host discovery and detection, as a client-side solution for the Evil Twin access point.

Roth et al. presented simple assurance mechanisms that help users or clients to detect an Evil Twin in public Internet networks [13]. This method gives short authentication string protocols for trading cryptographic keys. The short string proof is executed by encoding the short strings as a sequence of colours, displayed sequentially by the user's device and by the particular access point.

Chao Yang and his colleagues used a statistical technique based on TCP packets, computing their inter-arrival times (IAT), to detect the Evil Twin AP [8]. If a client is connected to a remote server through an Evil Twin AP and a normal AP, that is a two-hop wireless channel; this gives the idea of detecting Evil Twin attacks by separating one-hop and two-hop wireless channels from the user to the remote server. They use two algorithms. The first is Trained Mean Matching, which uses a training technique to detect the Evil Twin attack. The second is the Hop Differentiating Technique, a non-training-based detection algorithm in which they use a particular theoretical value for the threshold to detect the Evil Twin attack. They tested this method under different RSSI levels for the accuracy of Evil Twin AP detection.

Monitoring RF waves and IP traffic are two broad classes of approaches to detecting Evil APs. Most existing commercial products take the first approach: they either manually scan the RF waves using sniffers (e.g., AirMagnet, NetStumbler [3]) or automate the process using sensors. Automatic scanning using sensors is less time consuming than manual scanning and provides continuous vigilance against Evil APs. However, it may require a large number of sensors for good coverage, which leads to a high deployment cost. Furthermore, since it depends on signatures of APs (e.g., MAC address, SSID, etc.), it becomes ineffective when an Evil AP spoofs signatures. Three recent research efforts [3, 4, 5] also use RF sensing to detect Evil APs. In [16], wireless clients are instrumented to collect information about nearby APs and send the information to a centralized server for Evil AP detection. This approach is not resilient to spoofing. Secondly, it assumes that Evil access points use standard beacon messages in IEEE 802.11 and respond to probes from the clients, which may not hold in practice. Last, all unknown APs (including those in neighbouring networks) are flagged as Evil APs, which may lead to a large number of false positives. The main idea of [14] is to enable dense RF monitoring through wireless devices attached to desktop machines. This study improves upon [6] by providing more accurate and comprehensive Evil AP detection. However, it relies on the proper operation of a large number of wireless devices, which can be difficult to manage.
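The RSS-correlation scheme of Kim et al. [11] described above can be followed end to end on a small data set. The code below is an added illustration written for this survey page, not the authors' implementation. The RSS readings and BSSIDs are constructed, and the details that [11] leaves to an implementation are assumptions: missed samples are estimated by linear interpolation, normalisation is a z-score, similarity is the Pearson correlation coefficient, and the empirical threshold is set to 0.9. Two of the three sequences come from one radio advertising two SSIDs, so they are reported as one group.

```python
"""Evil twin detection by RSS-sequence correlation, after the three-phase
scheme of Kim et al. [11] as summarised in the survey above.

Added illustration, not the authors' code. Interpolation of missed samples,
z-score normalisation, Pearson correlation and the 0.9 threshold are all
assumptions; [11] only says that missed RSSs are estimated, normalised and
compared against an empirical threshold.
"""
import math
from itertools import combinations

# Constructed RSS readings in dBm, one sequence per BSSID (locally
# administered addresses invented for this example). The first two come from
# one physical radio advertising two SSIDs, so their sequences move together;
# the third is an unrelated neighbour. None marks a beacon that was missed.
SAMPLES = {
    "02:00:00:00:00:01": [-50, -51, -53, -52, -50, -48, -49, -51, -53, -54],
    "02:00:00:00:00:02": [-53, -54, -56, None, -53, -51, -52, -54, -56, -57],
    "02:00:00:00:00:03": [-70, -65, -72, -68, -74, -66, -71, -69, -73, -67],
}


def fill_missing(seq):
    """Phase 2, step 1: estimate samples lost to external factors by linear
    interpolation between the nearest observed neighbours; a gap at either
    end copies the nearest observed value."""
    known = [i for i, v in enumerate(seq) if v is not None]
    if not known:
        raise ValueError("sequence has no observed samples")
    out = list(seq)
    for i, v in enumerate(seq):
        if v is not None:
            continue
        left = max((k for k in known if k < i), default=None)
        right = min((k for k in known if k > i), default=None)
        if left is None:
            out[i] = float(seq[right])
        elif right is None:
            out[i] = float(seq[left])
        else:
            frac = (i - left) / (right - left)
            out[i] = seq[left] + frac * (seq[right] - seq[left])
    return out


def normalize(seq):
    """Phase 2, step 2: z-score the sequence so that APs at different
    distances (different absolute dBm levels) can be compared."""
    mean = sum(seq) / len(seq)
    var = sum((x - mean) ** 2 for x in seq) / len(seq)
    sd = math.sqrt(var) or 1.0  # a flat sequence stays flat
    return [(x - mean) / sd for x in seq]


def pearson(a, b):
    """Correlation coefficient of two equal-length sequences (0.0 if one of
    them is constant)."""
    if len(a) != len(b) or len(a) < 2:
        raise ValueError("need two sequences of equal length >= 2")
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    if sa == 0 or sb == 0:
        return 0.0
    return cov / (sa * sb)


def find_fake_groups(samples, threshold=0.9):
    """Phase 3: group BSSIDs whose normalised RSS sequences correlate above
    the threshold. Each group of two or more is reported as signals that very
    likely come from a single device, i.e. an evil twin candidate set."""
    cleaned = {b: normalize(fill_missing(s)) for b, s in samples.items()}
    parent = {b: b for b in cleaned}  # union-find over BSSIDs

    def root(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for a, b in combinations(sorted(cleaned), 2):
        if pearson(cleaned[a], cleaned[b]) >= threshold:
            parent[root(b)] = root(a)
    groups = {}
    for bssid in cleaned:
        groups.setdefault(root(bssid), []).append(bssid)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for group in find_fake_groups(SAMPLES):
        print("correlated RSS sequences (likely one device):", ", ".join(group))
```

Because the z-score is an affine transform, the correlation of the normalised sequences equals that of the raw ones; the normalisation matters when a threshold trained in one environment is reused in another, which is the generalisation [11] aims at. The interpolated sample lowers the correlation of the twin pair only slightly (about 0.997 here), which is why estimating missed beacons rather than dropping whole sequences is worthwhile.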
In contrast, our approach only requires a single monitoring point, and is easy to manage and maintain. The studies of [14,16] detect Evil APs by monitoring IP traffic. The authors of [15] demonstrated from experiments in a local test bed that wired and wireless connections can be separated by visually inspecting the timing in the packet traces of traffic generated by the clients. The settings of their experiments are very restrictive. Furthermore, the visual inspection method cannot be carried out automatically. The technique in [16] requires segmenting large packets into smaller ones, and hence is not a passive approach. There are several prior studies on determining connection types. However, none of them provides a passive online technique, as required for our scenario. The work of [17] uses the RTT method to detect the presence of a wireless device, but RTT may change due to delays in the network. In other studies, differentiating connection types is based on active measurements [17] or on certain assumptions about wireless links (such as very low bandwidth and high loss rates) [15], which do not apply to our scenario.

4. ISSUES AND CHALLENGES

The effects of Evil Twin access points are present on both the wired and the wireless side of the network. Most of the research work carried out is based on data sources such as audit trails, system calls and network traffic. There are two groups working on this problem of Evil Twin detection in different directions. The first group is industry solutions focusing on the wireless side only; the second group is academic researchers focused on the wired side.

The successful wireless-side methods [] use sensors across the entire network to collect physical-layer and link-layer information to help detect and locate the Evil Twin AP in a distributed architecture. Though widely used across many enterprise WLANs, such sensor-based sniffing methods are costly.
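The timing-based client-side schemes surveyed in Section 3 (the fixed-threshold mean-RTT test of Han et al. [10] and the Trained Mean Matching algorithm of Yang et al. [8]) share one structure: probe repeatedly, record the timings, and compare a mean with a threshold or with trained means. The block below is an added example written for this page, not the authors' code; it also shows the AP-workload factor from Section 2.5 and the remark above that RTT changes with network delay. The probe mechanism (timing a TCP connect to a local server), the millisecond thresholds, the trained means and the RTT samples are all constructed assumptions, not measurements from either paper.

```python
"""Timing-based evil twin detection: the fixed-threshold mean-RTT test of
Han et al. [10] and the Trained Mean Matching idea of Yang et al. [8], as
described in the survey above.

Added illustration, not the authors' code. The probe mechanism, the
millisecond thresholds, the trained means and the sample values are
assumptions made for this example.
"""
import socket
import statistics
import time

# Constructed RTT samples in milliseconds (not measured data): one wireless
# hop to the local server, an extra hop through a relaying evil twin, and one
# hop while the legitimate AP is heavily loaded (queue utilisation high).
ONE_HOP_IDLE = [2.1, 2.4, 1.9, 2.2, 2.0, 2.3, 2.1, 2.2]
TWO_HOP_IDLE = [4.3, 4.6, 4.1, 4.4, 4.5, 4.2, 4.4, 4.3]
ONE_HOP_LOADED = [5.0, 5.4, 4.9, 5.3, 5.1, 5.2, 5.0, 5.3]


def probe_rtts(host, port, count=20, timeout=1.0):
    """Listening component: time `count` TCP connections to a server on the
    local network and return the RTTs in milliseconds. Needs a live server,
    so the self-test below uses the constructed samples instead."""
    rtts = []
    for _ in range(count):
        start = time.perf_counter()
        with socket.create_connection((host, port), timeout=timeout):
            pass
        rtts.append((time.perf_counter() - start) * 1000.0)
    return rtts


def fixed_threshold_verdict(rtts, threshold_ms):
    """Han et al. [10]: if the mean of the recorded RTTs exceeds a fixed
    threshold, treat the associated AP as an evil twin."""
    return "evil" if statistics.mean(rtts) > threshold_ms else "normal"


def trained_mean_match(samples, one_hop_mean, two_hop_mean):
    """Yang et al. [8], Trained Mean Matching (assumed form): compare the
    observed mean with means trained on one-hop and two-hop channels and
    report the closer one."""
    m = statistics.mean(samples)
    return "evil" if abs(m - two_hop_mean) < abs(m - one_hop_mean) else "normal"


def workload_false_positive(threshold_ms):
    """Illustrate the AP-workload factor of Section 2.5: the fixed threshold
    that separates idle one-hop from two-hop traffic also flags a loaded but
    legitimate AP. Returns the verdicts for (idle, evil twin, loaded)."""
    return (
        fixed_threshold_verdict(ONE_HOP_IDLE, threshold_ms),
        fixed_threshold_verdict(TWO_HOP_IDLE, threshold_ms),
        fixed_threshold_verdict(ONE_HOP_LOADED, threshold_ms),
    )


if __name__ == "__main__":
    print("fixed threshold 3.0 ms (idle, evil, loaded):", workload_false_positive(3.0))
    # Means trained under the same load keep the loaded legitimate AP "normal".
    print("trained means under load:",
          trained_mean_match(ONE_HOP_LOADED, one_hop_mean=5.15, two_hop_mean=7.5))
```

The third verdict from `workload_false_positive(3.0)` is the false positive the survey warns about: a loaded legitimate AP looks like a two-hop path to a fixed threshold. Trained Mean Matching avoids it only when its training data were collected under comparable load, which is the training-data dependency listed as factor iii) in Section 2.5.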
Again, the wireless method is generally not scalable because it requires considerable infrastructural commitment and is a costly alternative for huge networks. Beyond that, wireless sniffing may fail in certain cases. First, the Evil Twin AP may not show itself: it may pause beacon frames, operate with lower signal strength, or use non-standard protocols. Second, the attacker can even use a directional antenna focused on a small area to avoid detection.

Wired-side solutions exploit dissimilarities in network traffic characteristics to infer wireless traffic. They use policy-based access control to detect whether discovered APs are authorized or not. Some solutions are efficient, but they differentiate network traffic as wireless mainly on the basis of network statistics that show a bigger delay than that of wired networks. These wired solutions also assume that sample wireless network traffic is available for comparison, which means the network has an AP; however, there are many networks which are not wireless. Sometimes the attacker may be aware of Evil Twin defences and may use different techniques to avoid wired-side detection.

A hybrid approach is good for the detection of Evil Twins, but sometimes an attacker may easily get away from the hybrid approach's wired-side components. So, we still have no technique to completely detect Evil Twin access points.

5. CONCLUSION

Evil Twin detection has been a major research area as the popularity of wireless local area networks increases day by day. The widespread use of wireless networks at public places like coffee shops, airports, etc. increases the threat of the Evil Twin attack. In this paper, we surveyed different recent Evil Twin detection methods or solutions presented by researchers. We have given the weaknesses of particular solutions, the depth of accuracy of various solutions, the factors affecting the detection of such methods, etc. So, as the era of the wireless environment grows faster, we need a more general solution against the serious threat of the Evil Twin attack.

REFERENCES

[1] http://blog.kaspersky.com/do-you-use-free-wifi-hotspots-a-survey
[2] Public Wi-Fi usage survey, 2012, Identity Theft Resource Center.
[3] NetStumbler, http://www.netstumbler.com
[4] Wavelink, http://www.wavelink.com
[5] The AirWave Project, http://www.airwave.com
[6] W. Wei, S. Jaiswal, J. Kurose and D. Towsley, "Identifying 802.11 traffic from passive measurements using iterative Bayesian inference", in Proc. IEEE INFOCOM 2006.
[7] L. Watkins, R. Beyah and C. Corbett, "A passive approach to rogue access point detection", in Proc. IEEE INFOCOM 2006.
[8] C. Yang, Y. Song and G. Gu, "Active user-side Evil Twin access point detection using statistical techniques".
[9] S. Nikbakhsh, A. B. A. Manaf, M. Zamani and M. Janbeglou, "A novel approach for rogue access point detection on the client-side".
[10] H. Han, B. Sheng, C. C. Tan, Q. Li and S. Lu, "A timing-based scheme for rogue AP detection".
[11] T. Kim, H. Park, H. Jung and H. Lee, "Online detection of fake access points using received signal strengths".
[12] G. Qu and M. M. Nefcy (2010), "RAPiD: An indirect rogue access point detection system", IEEE, 978-1-4244-9328-9/10.
[13] V. Roth, W. Polak, E. Rieffel and T. Turner (2008), "Simple and effective defense against Evil Twin access points", WiSec'08, March 31 to April 2, 2008, Alexandria, Virginia, USA.
[14] C. Mano, A. Blaich, Q. Liao, Y. Jiang, D. Salyers, D. Cieslak and A. Striegel, "RIPPS: Rogue identifying packet payload slicer detecting unauthorized wireless hosts through network traffic conditioning", ACM Transactions on Information Systems and Security.
[15] W. Wei, B. Wang, C. Zhang, J. Kurose and D. Towsley, "Classification of access network types: Ethernet, wireless LAN, ADSL, cable modem or dialup?", in Proc. IEEE INFOCOM, March 2005.
[16] V. Baiamonte, K. Papagiannaki and G. Iannaccone, "Detecting 802.11 wireless hosts from remote passive observations", in Proc. IFIP/TC6 Networking, Atlanta.
[17] W. Wei, S. Jaiswal, J. Kurose and D. Towsley, "Identifying 802.11 traffic from passive measurements using iterative Bayesian inference", in Proc. IEEE INFOCOM, 2006.
[18] H. Yin, G. Chen and J. Wang, "Detecting protected layer-3 Evil APs", in Proc. Fourth IEEE International Conference on Broadband Communications, Networks, and Systems (BROADNETS), Raleigh, NC, September 2007.
[19] G. Xie, T. He and G. Zhang, "Evil access point detection using segmental TCP jitter".
[20] R. Beyah (Georgia Tech) and A. Venkataraman (Cigital), "Rogue-access-point detection: challenges, solutions, and future directions".
[21] A. M. Patel, A. R. Patel and H. R. Patel, "A comparative analysis of data mining tools for performance mapping of WLAN data", International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 2, 2013, pp. 241-251, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[21] S. B. Patil, S. M. Deshmukh, P. Patil and N. Chavan, "Intrusion detection probability identification in homogeneous system of wireless sensor network", International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 12-18, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[22] N. Tiwari, R. Anshumali and P. P. Singh, "Wireless sensor networks: limitation, layerwise security threats, intruder detection", International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 2, 2012, pp. 22-31, ISSN Print: 0976-6464, ISSN Online: 0976-6472.