Detecting Protected Layer-3 Rogue APs
Authors: Hongda Yin, Guanling Chen, and Jie Wang, Department of Computer Science, University of Massachusetts Lowell
Presenter: Bo Yan, Department of Computer Science, University of Massachusetts Lowell
Email: byan@cs.uml.edu

Outline
- Motivation
- Approach
  - Network Model
  - Wired Traffic Monitoring
  - Rogue AP Verification
- Evaluation results
- Conclusion
Motivation
- What is a rogue AP
  - An unauthorized AP plugged into a corporate network
  - A security threat to the internal network
- Why rogue APs matter
  - No. 2 threat in the critical wireless vulnerability ranking, June 2006, Network Computing
- Detecting rogue APs
  - Wireless sniffers scan the airwaves for packet analysis
  - A detected AP not on the authorized list is a suspect
  - A suspect may be a legitimate AP belonging to a neighboring area
  - How to automatically verify whether the suspect AP is on the enterprise wired network or not?

Layer-2 rogue APs
- Poll network switches over SNMP to determine the MAC addresses associated with each switch port
- If a wireless sniffer observes any of these MAC addresses, the associated AP is on the wired network

Layer-3 rogue APs
- A nearby sniffer associates with the suspect AP
- It pings a known internal host that is unreachable from outside and checks whether the ping succeeds
- However, this fails for protected APs, which require a valid MAC address or other authentication before association

Our Goal
- Detect protected rogue APs on both layer 2 and layer 3, with the focus on layer 3
Network Model (diagram labels)
- Verifier: monitors outbound traffic and sends test packets
- Verifier instructs sniffers to switch to a particular channel during the verification process
- Sniffer channel switching
- Test packet size
- Wireless source classification
- Wireless workstations
- Sniffers detect the presence of APs
- Sniffers update the verifier about the detected APs and their channels

Wired Traffic Monitoring
- Option 1: test every observed internal host
  - Every observed host on the internal network is potentially a wireless AP
  - Simple to implement but time consuming
- Option 2: test only hosts classified as wireless sources
  - Any source whose ratio of inbound to outbound short packet intervals exceeds a threshold is classified as a potential wireless host (W. Wei et al.'s work [6] on short packet intervals)
  - Risk: inaccurate classification and longer delay
  - Goal: obtain a high-accuracy classification and reduce test traffic
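The short-packet-interval classifier from the slide above, as an added illustration (this is not the paper's or the presenter's code, and it is not the classifier of Wei et al. [6]). It applies the rule as stated: a host whose ratio of inbound to outbound short packet intervals exceeds a threshold is tagged as a likely wireless source. The interval cut-off, the ratio threshold, the direction convention (inbound = toward the internal host) and the trace itself are constructed assumptions.

```python
"""Wireless-source classifier based on short packet intervals.

Added example, not the paper's code. Rule: ratio of inbound short
intervals to outbound short intervals > RATIO_THRESHOLD => wireless.
All numeric thresholds and the sample trace are constructed values.
"""
from collections import defaultdict

SHORT_INTERVAL_S = 0.005   # assumed: a gap below 5 ms counts as "short"
RATIO_THRESHOLD = 2.0      # assumed: inbound/outbound short-gap ratio
INTERNAL_NET = "10.0.0."   # assumed internal address prefix


def is_internal(ip):
    return ip.startswith(INTERNAL_NET)


def short_interval_counts(trace):
    """trace: iterable of (timestamp_s, src_ip, dst_ip) as seen by a
    monitor on the wired side. Returns {host: (inbound_short, outbound_short)}."""
    last_in, last_out = {}, {}
    counts = defaultdict(lambda: [0, 0])
    for ts, src, dst in sorted(trace):
        if is_internal(src) and not is_internal(dst):
            # outbound packet from internal host src
            if src in last_out and ts - last_out[src] < SHORT_INTERVAL_S:
                counts[src][1] += 1
            last_out[src] = ts
        elif is_internal(dst) and not is_internal(src):
            # inbound packet toward internal host dst
            if dst in last_in and ts - last_in[dst] < SHORT_INTERVAL_S:
                counts[dst][0] += 1
            last_in[dst] = ts
    return {h: tuple(c) for h, c in counts.items()}


def classify(trace, min_samples=5):
    """Return {host: 'wireless' | 'wired' | 'undecided'}."""
    result = {}
    for host, (n_in, n_out) in short_interval_counts(trace).items():
        if n_in + n_out < min_samples:
            result[host] = "undecided"      # too little evidence yet
            continue
        ratio = n_in / max(n_out, 1)
        result[host] = "wireless" if ratio > RATIO_THRESHOLD else "wired"
    return result


def build_sample_trace():
    """Constructed trace. Host 10.0.0.5 mimics a wireless client whose
    outbound packets are spaced out by the wireless MAC; host 10.0.0.7
    mimics a wired host with short gaps in both directions."""
    trace = []
    for i in range(20):
        trace.append((i * 0.001, "203.0.113.9", "10.0.0.5"))            # inbound, 1 ms apart
        trace.append((i * 0.020 + 0.0005, "10.0.0.5", "203.0.113.9"))   # outbound, 20 ms apart
    for i in range(20):
        trace.append((1.0 + i * 0.001, "203.0.113.9", "10.0.0.7"))
        trace.append((1.0 + i * 0.001 + 0.0005, "10.0.0.7", "203.0.113.9"))
    return trace


if __name__ == "__main__":
    print(classify(build_sample_trace()))
```

A verifier would feed only the hosts labelled "wireless" into its test queue, which is the workload reduction the slide is after; the "undecided" state is what produces the longer delay mentioned, since such hosts stay in the queue until enough packets have been seen.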
Rogue AP Verification
- The verifier sends test packets to wireless sources and checks whether some wireless sniffer can hear these packets
- Packet size selection
  - A rogue AP may encrypt traffic, so sniffers cannot rely on a special signature embedded in the application-layer data
  - Recognizing a test packet relayed by a rogue AP by its content would require decryption
  - Instead, use the observed packet size to recognize test packets

Packet size selection
- Network trace collected from a WLAN made available to attendees of a four-day academic conference (Sigcomm 2004)
- Size distribution of downstream data packets
- A test packet size is chosen that is not frequently seen on the suspect APs
- A small size demands less bandwidth and is unlikely to be fragmented by APs, so it is not missed by sniffers

Binary hypothesis testing
- To avoid false positives caused by normal packets that happen to have the same size as the test packets, the verifier sends more than one test packet to improve the robustness of detection. But how many?
- Sequential Hypothesis Testing (A. Wald [9], Sequential Analysis)
  - Send packets of a rarely seen size
  - Trade-off between the desired detection accuracy and the longer delay
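The verification loop from the two slides above, as an added example (not the paper's or the presenter's code): the verifier sends test packets of a rarely seen size to the suspect host, a sniffer on the suspect AP's channel reports per round whether a frame of that size appeared on the air, and Wald's sequential probability ratio test [9] decides when enough rounds have been observed. The hit probabilities, error bounds, the test size and the sniffer reports are constructed assumptions; the paper would take the background rate from a real size distribution such as the Sigcomm 2004 trace.

```python
"""Sequential hypothesis test (Wald's SPRT) for rogue-AP verification.

Added example, not the paper's code. H0: the host is not behind the
suspect AP and a frame of the test size is seen only by chance with
probability p0. H1: the host is behind the AP and the relayed test
packet is seen with probability p1 (the rest is loss on the air).
p0, p1, alpha, beta and TEST_SIZE are assumed values.
"""
import math

TEST_SIZE = 377   # assumed rarely-seen downstream packet size, in bytes


class SPRTVerifier:
    def __init__(self, p0=0.02, p1=0.9, alpha=0.01, beta=0.01, max_rounds=50):
        self.p0, self.p1 = p0, p1
        # Wald's decision thresholds on the log-likelihood ratio:
        # alpha = tolerated false-positive rate, beta = false-negative rate.
        self.upper = math.log((1 - beta) / alpha)   # cross => accept H1 (rogue)
        self.lower = math.log(beta / (1 - alpha))   # cross => accept H0 (not rogue)
        self.max_rounds = max_rounds
        self.llr = 0.0
        self.rounds = 0

    def observe(self, hit):
        """Fold one round's sniffer report into the running ratio.
        Returns 'rogue', 'not_rogue', 'undecided' or None (keep testing)."""
        if hit:
            self.llr += math.log(self.p1 / self.p0)
        else:
            self.llr += math.log((1 - self.p1) / (1 - self.p0))
        self.rounds += 1
        if self.llr >= self.upper:
            return "rogue"
        if self.llr <= self.lower:
            return "not_rogue"
        if self.rounds >= self.max_rounds:
            return "undecided"
        return None


def reports_from_air(rounds_of_frame_sizes, test_size=TEST_SIZE):
    """Sniffer side: one boolean per test round, True when a frame of the
    test size was heard on the suspect AP's channel during that round."""
    return [test_size in sizes for sizes in rounds_of_frame_sizes]


def verify(sniffer_reports, **kw):
    """Verifier side: run the SPRT over per-round reports until it decides.
    Returns (decision, rounds_used)."""
    v = SPRTVerifier(**kw)
    for hit in sniffer_reports:
        decision = v.observe(hit)
        if decision:
            return decision, v.rounds
    return "undecided", v.rounds


# Constructed sniffer observations, one list of frame sizes per round.
ROGUE_AIR = [[1500, 64, 377], [52, 377, 1500], [377, 90]]      # relays every test packet
NOT_ROGUE_AIR = [[1500, 64], [52, 1500], [90], [1500], [64]]   # never shows the test size
LOSSY_AIR = [[377, 64], [1500], [377, 52]]                     # one test packet lost on air

if __name__ == "__main__":
    for name, air in (("rogue", ROGUE_AIR), ("not_rogue", NOT_ROGUE_AIR), ("lossy", LOSSY_AIR)):
        print(name, verify(reports_from_air(air)))
```

With these parameters two hits are enough to call the host a rogue (each hit adds ln(45) to the ratio, and ln(99) is the upper bound) while three misses are needed to clear it, so the delay/accuracy trade-off is visible directly in the thresholds: tightening alpha and beta raises both bounds and costs more rounds.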
Sniffer channel scheduling
- A sniffer can hear multiple targets if they are in its range, but it can only listen to one channel during one test round
- It switches channels to monitor other targets in range in another test round
- Goal: minimize the number of test rounds needed so that every target is covered by at least one sniffer
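A greedy scheduler for the problem stated above, as an added example (not the paper's or the presenter's algorithm). Each sniffer knows which suspect APs are in its radio range and the channel each uses; in every round each sniffer tunes to the channel that covers the most APs nobody has covered yet, and rounds continue until every reachable AP has been heard at least once. The greedy rule and the sample topology are constructed assumptions.

```python
"""Greedy sniffer channel scheduling (set-cover style heuristic).

Added example, not the paper's code. sniffer_range maps a sniffer to the
APs in its range; ap_channel maps an AP to its channel. Each round is a
dict {sniffer: channel}; a sniffer listens to one channel per round.
"""


def schedule_rounds(sniffer_range, ap_channel):
    """Return a list of rounds covering every AP reachable by some sniffer."""
    reachable = set().union(*sniffer_range.values()) if sniffer_range else set()
    uncovered = set(ap_channel) & reachable   # APs out of every range cannot be tested
    rounds = []
    while uncovered:
        plan = {}
        covered_this_round = set()
        for sniffer, aps in sniffer_range.items():
            candidates = (aps & uncovered) - covered_this_round
            if not candidates:
                continue   # nothing new for this sniffer this round; it stays idle
            by_channel = {}
            for ap in candidates:
                by_channel.setdefault(ap_channel[ap], set()).add(ap)
            # pick the channel covering the most still-uncovered APs; ties go
            # to the lower channel number so the schedule is deterministic
            ch, aps_on_ch = max(by_channel.items(), key=lambda kv: (len(kv[1]), -kv[0]))
            plan[sniffer] = ch
            covered_this_round |= aps_on_ch
        uncovered -= covered_this_round   # first sniffer with candidates always makes progress
        rounds.append(plan)
    return rounds


def covered_by(rounds, sniffer_range, ap_channel):
    """Replay a schedule and return the set of APs heard by some sniffer."""
    heard = set()
    for plan in rounds:
        for sniffer, ch in plan.items():
            heard |= {ap for ap in sniffer_range[sniffer] if ap_channel[ap] == ch}
    return heard


def unreachable(sniffer_range, ap_channel):
    """APs that no sniffer can hear; these need another sniffer to be placed."""
    reachable = set().union(*sniffer_range.values()) if sniffer_range else set()
    return set(ap_channel) - reachable


# Constructed topology: two sniffers, five suspect APs on channels 1/6/11.
SNIFFER_RANGE = {"s1": {"a", "b", "c"}, "s2": {"c", "d"}}
AP_CHANNEL = {"a": 1, "b": 1, "c": 6, "d": 11, "e": 6}   # "e" is out of every range

if __name__ == "__main__":
    rounds = schedule_rounds(SNIFFER_RANGE, AP_CHANNEL)
    print(rounds)
    print("covered:", sorted(covered_by(rounds, SNIFFER_RANGE, AP_CHANNEL)))
    print("unreachable:", sorted(unreachable(SNIFFER_RANGE, AP_CHANNEL)))
```

On the sample topology the schedule takes two rounds (s1 on channel 1 and s2 on channel 6, then s2 on channel 11), and "e" is reported as unreachable rather than silently skipped, which is the case where the evaluation slides say more sniffers must be instrumented.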
Evaluation Results: wired traffic monitoring
- Two 10-day data sets collected from the Dartmouth campus WLAN
  - Long traces containing only wireless hosts
  - Some hosts remained untested in the queue: they appeared early in the trace, expired in the queue before they could be verified, and were never seen again
  - (chart: Length of verification queue)
- In more than 98% of the cases a host could be verified within 5 minutes of its first appearance in the traces
- In more than 95% and 99% of the cases, respectively, a host could be verified within 50 seconds of its last update in the traces
  - (chart: Verification delay since first request)

- A one-day data set collected from an enterprise network
  - Short trace containing both wireless and wired hosts; only one hour of data is available from a particular subnet
  - Large jump at the 6th hour (odd-ports): the monitor started on an active subnet and 539 hosts were observed during that hour
  - The queue length would be reduced with longer traces
  - (chart: Length of verification queue)
- In more than 77% of the cases a host could be verified within 20 minutes of its first appearance in the traces
- In more than 49% of the cases a host could be verified within 100 seconds of its last update in the traces
  - (chart: Verification delay since first request)

Evaluation Results: wireless source classification
- Imitated a rogue AP, using a Web proxy running tcpdump as a sniffer to collect the traffic; all the Web transactions are then recorded in the tcpdump trace
- The classifier achieved 100% accuracy
- The verifier could reduce its workload by testing only likely wireless sources
- In about 93% of the cases the classifier could conclude in less than 100 seconds
  - (chart: The distribution of classification time)

Evaluation Results: sniffer channel scheduling
- As the sniffer/AP ratio increases, the tuning time decreases: the work of covering the APs is shared among more sniffers
- With a larger sniffing radius, a sniffer can cover more APs on the same channel, so the tuning time also decreases
  - (chart: Number of scheduled rounds for sniffers)
- The number of required sniffers decreases as the sniffer/AP density increases
- If the APs run over a larger channel range, more sniffers are needed to cover them
  - (chart: Number of sniffers to be instrumented)
Related Work
- Associate-and-ping approach
  - False positives from classifying neighboring APs as rogues on the internal network
  - Fails for protected APs
- Collect information from network devices for classification
  - Needs user feedback
  - Must trust user input data as threat-free
- DIAR uses heuristics to reduce false positives
  - A wired component compares the packets seen on the wired and wireless networks
  - However, it gives no details on its comparison heuristics and requires running a wired monitor in each subnet
- Use of different inter-packet temporal distributions for detection
  - Does not consider natural variations in traffic patterns

Conclusion
- A new method to reliably detect protected layer-3 rogue APs
- Easily combined with other rogue AP detection methods
- Quick detection with high accuracy and high robustness

Q & A?
Welcome to our group website: http://www.cs.uml.edu/~glchen/map