Rogue Access Point Detection using Temporal Traffic Characteristics
Raheem Beyah, Shantanu Kangude, George Yu, Brian Strickland, and John Copeland
Communications Systems Center, School of Electrical and Computer Engineering, Georgia Institute of Technology
Outline
- Abstract
- Current Approaches
- Background of Proposed Scheme
- Experimental Setup
- Performance Analysis
- Conclusion and Future Work
2-Dec-04 Globecom 2004
Abstract
- As the cost of 802.11 hardware continues to fall, the appeal of inserting unauthorized wireless access points (APs) grows
- These rogue APs seriously breach the security of the network
- Current approaches to detecting rogue APs are rudimentary and easily evaded
- We propose a scheme that uses temporal traffic characteristics to detect rogue APs
- Further, this approach is independent of the wireless technology
Layered Solution
- Application
- Transport
- Network
- Data Link Layer
- Physical Layer
Current Approaches - Wireless
- Most of the current approaches fall into this category
- Popular solutions include: wireless packet analyzers (as separate devices, or as software on laptops), distributed sensors (e.g., separate devices, valid APs, laptops with special software)
- These solutions are either costly, impractical for networks without a wireless infrastructure, limited to one wireless technology, or can be foiled by intelligent hackers with special hardware (e.g., directional antennas)
Current Approaches - Hybrid
- A solution that combines wireless and wired techniques is a step in the right direction
- In addition to distributed sensors, this solution listens at layers 2 and 3 and queries switches and routers to determine connected devices
- This solution is inadequate:
  - Medium Access Control (MAC) addresses can be spoofed
  - Queried devices can be configured to be unresponsive to specific queries
Current Approaches - Wired
- Best approach
- However, current solutions are inadequate because they:
  - Rely on MAC addresses that can be spoofed
  - Rely on querying devices that can be configured to be unresponsive
  - Look for specific transactions during a short window to identify rogues
  - Are not scalable
Background of Proposed Scheme
- Wireless links in a network path cause more random spreading of packets as compared to wired links; that is, the traffic is temporally different
- Specifically, the spreading of packets caused by wireless links is normally greater than that caused by wired links
Background of Proposed Scheme
- The difference in inter-packet spacing between wireless and wired traffic is a result of:
  - Reliability of the wired link vs. the wireless link - thus wired traffic is shaped mostly by higher layers (e.g., TCP)
  - The MAC protocol used to access the shared wireless link vs. non-contention based access to a switched wired link
  - Increased capacity of the wired link vs. the wireless link
Experimental Setup
[Figure residue: front-panel labels of two 24-port switches]
Figure 1. Configuration with wired link.
Figure 2. Configuration with wireless link.
- FTP traffic generated
- File sizes (10MB to 100MB, using 10MB increments)
- Wireless network - 802.11b
Performance Analysis - Rogue AP Detection at Immediate Switch, Forward Path
Figure 3. Cumulative Distribution Function of the inter-packet spacing of wired and wireless traffic on the forward path.
Performance Analysis - Rogue AP Detection at Immediate Switch, Reverse Path
Figure 4. Cumulative Distribution Function of the inter-packet spacing of wired and wireless traffic on the reverse path.
Performance Analysis - Rogue AP Detection at Immediate Switch, Forward Path, 10Mb/s cross traffic
Figure 5. Cumulative Distribution Function of the inter-packet spacing of wired and wireless traffic on the forward path with UDP constant bit rate cross traffic at 10Mb/s.
Performance Analysis - Results
- Figure 3 shows that 80% of the inter-packet spacing on the forward path for the wired link was less than 1ms, while around 90% of the inter-packet spacing for the wireless link was greater than 1ms
- Figure 4 shows a similar theme for the reverse path
- Figure 5 also confirms the approach with the inclusion of 10Mb/s of cross traffic
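The detection idea in the Background and Results slides, turned into code as an added example (this is not the authors' code and the slides give no implementation): compute the inter-packet gaps of a flow observed at the switch, evaluate the empirical CDF at the 1ms boundary the slides report, and flag flows whose spacing looks wireless. The 1ms threshold comes from the slides' Figure 3 discussion; the majority rule (at least half of the gaps under 1ms means wired), the helper names, and the two sample flows are assumptions constructed here, not measured data.

```python
"""
Added example, not from the Globecom 2004 slides: classify a flow seen at the
immediate switch as wired-like or wireless-like from the empirical CDF of its
inter-packet spacing.  Assumption: the 1ms boundary is taken from the slides'
reported CDFs; the majority rule and the constructed flows are illustrative.
"""
import random
from bisect import bisect_right
from typing import Dict, List, Sequence, Tuple

WIRED_GAP_THRESHOLD_S = 0.001  # 1ms, the boundary highlighted in Figures 3-5


def inter_packet_gaps(timestamps: Sequence[float]) -> List[float]:
    """Gaps (seconds) between consecutive packets of one flow, in time order."""
    if len(timestamps) < 2:
        raise ValueError("need at least two packets to compute a gap")
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def empirical_cdf(gaps: Sequence[float], x: float) -> float:
    """Fraction of gaps that are <= x, i.e. the empirical CDF evaluated at x."""
    ordered = sorted(gaps)
    return bisect_right(ordered, x) / len(ordered)


def classify_flow(timestamps: Sequence[float],
                  threshold: float = WIRED_GAP_THRESHOLD_S,
                  wired_fraction: float = 0.5) -> Tuple[str, float]:
    """Return ('wired' | 'wireless', CDF at threshold) for one flow.

    Assumed rule: a flow whose gaps fall under the threshold at least
    `wired_fraction` of the time is wired-like; otherwise it is wireless-like
    and the upstream device may be a rogue AP.
    """
    frac_below = empirical_cdf(inter_packet_gaps(timestamps), threshold)
    label = "wired" if frac_below >= wired_fraction else "wireless"
    return label, frac_below


def find_suspect_flows(flows: Dict[str, Sequence[float]]) -> List[str]:
    """Keys (e.g. source hosts) whose flows look wireless, sorted for stable output."""
    return sorted(host for host, ts in flows.items()
                  if classify_flow(ts)[0] == "wireless")


def constructed_flow(rng: random.Random, n_packets: int, short_share: float,
                     short_gap: float = 0.0002, long_gap: float = 0.004) -> List[float]:
    """Constructed sample flow: each gap is sub-millisecond with probability
    `short_share`, otherwise a few milliseconds; jitter of +-50% keeps short
    gaps below 1ms and long gaps above it, so short_share is the expected CDF at 1ms."""
    t = 0.0
    timestamps = [t]
    for _ in range(n_packets - 1):
        base = short_gap if rng.random() < short_share else long_gap
        t += base * rng.uniform(0.5, 1.5)
        timestamps.append(t)
    return timestamps


# Constructed sample flows mirroring the slides' summary: roughly 80% of wired
# gaps under 1ms, roughly 90% of wireless gaps over 1ms.
WIRED_SAMPLE = constructed_flow(random.Random(1), 1000, short_share=0.8)
WIRELESS_SAMPLE = constructed_flow(random.Random(2), 1000, short_share=0.1)

if __name__ == "__main__":
    for name, flow in (("wired", WIRED_SAMPLE), ("wireless", WIRELESS_SAMPLE)):
        label, frac = classify_flow(flow)
        print(f"{name:9s} flow: CDF(1ms)={frac:.2f} -> classified {label}")
    print("suspect hosts:", find_suspect_flows({"host-a": WIRED_SAMPLE,
                                                "host-b": WIRELESS_SAMPLE}))
```

In practice the timestamps would come from a capture taken on the switch port (the "immediate switch" of Figures 3-5); the CDF comparison is the same. The rule is deliberately per-flow, which is why the slides' caveat about non-FIFO queuing matters: a switch that reshapes spacing on its own would shift where the 1ms boundary sits.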
Conclusion & Future Work
- We presented a novel wired approach to detecting rogue APs
- Create detection algorithms at upper layers
- Detection several segments downstream is underway
- Automation of the algorithm is also being actively researched
- Incorporation of this scheme with switches that use non-traditional queuing (other than first in first out (FIFO)) is being researched
Questions