An Empirical Fingerprint Framework to Detect Rogue Access Points
Bandar Alotaibi and Khaled Elleithy
Computer Science and Engineering Department, University of Bridgeport, Bridgeport, CT 06604
Abstract--The aim of this paper is to detect Rogue Access Points (RAPs) that clone some of the characteristics of nearby legitimate Access Points (APs). A new passive approach is proposed that takes advantage of the first frame that the RAP sends (i.e., the Beacon Frame (BF)) when it is planted in the Wireless Local Area Network (WLAN). We apply the proposed fingerprint to detect RAPs in order to evaluate the fingerprint's effectiveness. The proposed framework examines the size of every beacon frame and compares it with a threshold value. The technique is implemented on a commercially available Wireless Network Interface Controller (WNIC) to evaluate its accuracy. The detection algorithm achieves 100 percent accuracy in determining the RAPs in a lightly loaded traffic environment. Detection takes approximately 100 ms, and scanning is done in a real-time setting. The robustness and the efficiency of the detection algorithm are examined in two different locations.
Keywords—WLAN; Rogue Access Point; WIDS; Beacon Frames
I. INTRODUCTION
WLANs have become more popular in recent years due to the widespread deployment of infrastructure and the provision of portable devices [1]. The Access Point (AP) is an integral part of a WLAN, especially in infrastructure mode; it is a coordinating point that manages the work stations and connects users to the wired network. One of the most common security problems in WLANs is the Rogue Access Point (RAP) [2], [3], [4], [5], [6]. An RAP is a fake access point that is not installed by the network administrator. RAPs are classified into four types: a phishing AP, an RAP that is installed improperly by naïve users, an unauthorized AP that is linked to the WLAN without authorization, and the compromised AP [3]. The phishing AP is our main focus; it uses a software-based AP installed on a portable device. The phishing AP uses two wireless cards: the first is a built-in wireless card and the other is a plug-and-play wireless card. The built-in wireless card associates with the legitimate AP while the other wireless card masquerades as the legitimate AP to lure users to connect to it. Packets are then relayed from the RAP’s plug-and-play wireless card to the built-in wireless card. The phishing AP is set up by a hacker to listen to the traffic of users who browse the Internet and to launch several attacks on the victim device [2], [7], [8], [9].
This paper uses a fingerprint technique to detect the RAP. A device fingerprint is an approach to stamp a target device using one or more of its characteristics via its wireless traffic. Fingerprinting can be used for network monitoring, identification, or intrusion detection. It can be performed either by actively sending traffic to a target device, or by passively observing the traffic generated by the target device [10]. Fingerprinting uniquely identifies devices on a WLAN without using identifiers that can be easily spoofed, such as the IP address and MAC address [11].
The deployed RAPs in all enterprise WLANs are approximately 20 percent of all APs [12], [13], [14]. As APs become cheaper, the ability to deploy them maliciously in WLANs has grown tremendously. Furthermore, it is difficult for the network administrator to detect RAPs visually since the RAPs are software-based and generated by a portable device [15]. This is hazardous, as the RAP creates a back door to the WLAN and compromises the security of the WLAN devices.
A. Beacon Frame Characteristics
The Beacon Frame (BF) in infrastructure mode is a specialized management frame that is sent by the AP. The AP broadcasts the existence of the network by sending a BF every 100 ms by default; the BF contains configuration parameters that allow nearby wireless nodes to connect to the AP. Another important function of the BF is to synchronize the clocks of the wireless nodes [16], [17], [18], [19].
The BF format is shown in Figure 1 and contains the following fields:
1. MAC header
The MAC header is 24 octets in early standards or 36 octets in the 802.11n amendment, and typically contains eight fields, which are Frame Control, Duration, Address 1, Address 2, Address 3, BSSID (i.e., the MAC address of the AP), Sequence Control, and HT Control.
2. Frame Body
The Frame Body, or data sub-layer, has a variable length from 0 to 2312 octets and includes the frame type and subtype information. It contains two types of fields: fields that are not Information Element specific, followed by Information Element specific fields [20], [21].
[Figure 1 layout. MAC frame fields (bytes): Fra. Con. (2), Duration (2), DA (6), SA (6), BSSID (6), SN (2), Data (0-2312), FCS (4). Frame control subfields (bits): Ver. (2), Type (2), SubT (4), To DS (1), Fr. DS (1), MF (1), R (1), Pwr (1), Mo (1), W (1), O (1). Beacon frame body fields (bytes): TSt (8), Interval (2), Cap Info (2), SSID (V), FH (7), DS (2), CF (8), IBSS (4), TIM (V).]
Figure 1. MAC Layer Frame Format
3. Fields Related to our Research
• SSID Field: In infrastructure mode, the SSID field is an Information Element field that exists in the Frame Body and introduces the Extended Service Set (ESS) identity. Its maximum length is 32 octets and it is known as ELEMENT ID 0.
• Source Address (SA) Field: This field belongs to the MAC header and contains the MAC address of the AP that sends the beacon frame. Its length is 6 octets.
We believe that the only individuals who can configure the RAP to increase the size of the beacon frame are the developers of these tools. Hackers who set up phishing APs using commodity tools cannot configure the AP to increase the size of the beacon frame. The only parameter that they can use to increase the size of the beacon frame is the SSID field, which is of variable length from 0 to 32 octets. Hackers can set two other mandatory fields, the MAC address of the access point (the source address field) and the DS field that includes the channel number, neither of which adds to the size of the beacon frame. Thus, the RAP sets the same SSID as the legitimate one. It can also spoof the MAC address of the legitimate AP, which does not add to the beacon frame size because it is a mandatory field. A hacker can set other configurations that do not add to the size of the beacon frame, such as setting the DHCP server to provide IP addresses to users automatically and the DNS server to connect the users to the Internet.
The scope of this paper covers the following sections: Section II introduces the related work; Section III explains the proposed technique; Section IV presents the fingerprint implementation; Section V presents the results; and Section VI discusses the conclusion and future work.
II. RELATED WORK
The authors in [2] use round-trip time to determine whether or not a given AP is legitimate. The RAP is detected because it relays the traffic to the DNS server via the actual AP. The delay therefore results from the two hops that occur between the user and the RAP, instead of the normal one-hop process. However, the proposed solution needs further investigation because the authors focus on only one specific cause of delay in a WLAN. Various factors cause such a delay, including, but not limited to, the exposure of the WLAN medium to interference and collisions. Thus, this scheme is neither accurate nor robust, especially in heavily loaded WLANs. Also, the proposed technique is more likely to detect a hotspot’s AP as an RAP.
Some researchers focus on hardware fingerprinting in order to detect RAPs based on the characteristics that uniquely identify the WLAN device. The work in [22] proposes a clock skew approach which extracts the Timing Synchronization Function (TSF) timestamp from beacon frames. In addition, [22] compares the beacon frame timestamp that is generated at the AP with the inter-arrival time of the frame at the user station. This technique is not robust for the same reasons stated for the previous work: the WLAN medium is susceptible to delay, especially under high traffic volume. In [23], the authors simulate an RAP that is launched while the attacker’s device has more than one SSID. The detection uses the deviations of the two APs’ received signal strength. However, all the related work that uses hop detection depends on one RAP scenario: it assumes that the RAP relays traffic to the actual AP, which is not always the case.
The work in [24], [25], [26] requires the modification of 802.11 standards or protocols. The authors of [24] introduce a protocol entitled “Secure Open Wireless Access”. It adopts the well-known Secure Socket Layer (SSL) protocol to distribute certificates.
The SSID of a given access point is considered a unique string and is associated with a certificate by a trusted Certification Authority (CA). The association between the certificate and the unique string can be used to authenticate the AP operator. The authors of [25], [26] propose an authentication method that is applied using the Extensible Authentication Protocol (EAP), referred to as the Simple Wireless Authentication Technique (EAP-SWAT). It utilizes the Secure Shell (SSH) trust-on-first-use approach, so the trust is certified on the first connection to the AP. Subsequent connections to the AP can be ensured to be authenticated with the coexistence of the certificates. For deployment reasons, techniques that require standard or protocol modifications are not the optimal solutions. It is impossible to deploy the protocols in [24], [25], [26] because it is difficult to change the drivers and firmware of the supplicants and APs.
Some companies such as Air-Magnet [27] use wireless sniffing solutions. Sensors are deployed across the whole diameter of the network. The sensors gather physical and data link layer information in order to detect RAPs in a distributed agent-server architecture [27], [28]. The collected information contains RF measurements, MAC addresses, signal strength, and AP control frames. This approach is very expensive because the analyzer system provided by Air-Magnet costs US $3,000.00 [12], [28].
The authors of [29] use the whole frame size to globally identify and differentiate 802.11 user devices. They use the sizes of several broadcast frames to track a given user. The frame size acts like the MAC address, and can be used globally to determine the identity of a given user for tracking that user. They use different frames and ignore the beacon frame, which is the frame that we investigate in this paper.
III. THE PROPOSED FRAMEWORK
The framework consists of four stages. Each stage has a different task and depends on the previous stage. Figure 2 illustrates the proposed framework for RAP detection and briefly explains each stage.
[Figure 2 flow: Passive WLAN Traffic Monitoring (capture 802.11 frames on the monitoring node interface) -> incoming frames -> Packet Preprocessing (filter frames to keep only beacon frame information) -> beacon frames -> AP Info. Extraction and Buffering (extract and store MAC add., SSID, BFS in vectors) -> AP info -> RAP Detection and Alerting (evaluate the stored info using the detection algorithm)]
Figure 2. The proposed framework for RAP detection
A. Passive WLAN Traffic Monitoring Stage
The network trace captured by the monitoring node consists of data, control, and management frames. The frame sequence is represented as f0, f1,…, fn-1. We are only interested in the management frames, so the data and control frames di and ci are disregarded after the monitoring stage.
B. Packet Preprocessing Stage
One type of management frame mi that is unique to APs, the beacon frame fbi, is preprocessed as shown in Algorithm 1. The APi sends out a sequence of beacon frames fb0, fb1,…, fbn-1, one every 0.1 second (i.e., 100 ms). Figure 2 illustrates the 802.11 MAC Layer frame format and frame control sub-layer. The beacon frame fbi subtype is represented by the bits 1000 and its type mi by the bits 00, both of which are extracted from the frame control fci sub-layer of the MAC layer frame.
Algorithm 1. bfi Packet preprocessing
for all fi do
    ignore (d1, d2…dn) ^ (c1, c2…cn)
    ignore other mi types from fci sub-layer
    match (m1 ^ bf1 …mn ^ bfn)
    if (sub-layer match is correct)
    end if
end for
return (bf1, bf2,..bfn)
C. AP Info. Extraction and Buffering Stage
The MAC address of the AP (i.e., APIdi) is extracted, as shown in Algorithm 2, from the Address 2 field of the MAC Layer frame shown in Figure 1 (SA field). The service set identifier (SSID), or the name of the WLAN, is extracted from the data dai (frame body) sub-layer. Lastly, the Beacon Frame Size (BFS) is examined and stored. After extraction, the extracted information APIdi, SSIDi, and BFSi for every specific AP is kept in a specific row Ρi:
(APIdi, SSIDi, and BFSi) ∈ Ρi
Every AP’s information that is referenced by Ρi is stored in bufferx:
(Ρ1, Ρ2, … Ρn) ∃ bufferx
Thus, bufferx contains three vectors, which are the MAC address of the AP, the Service Set Identifier (SSID), and the Beacon Frame Size (BFS), so:
bufferx ∋ (v1, v2, and v3)
Every vector vi is represented as follows:
vi =
Algorithm 2. APi Info. Extraction
for all bfi do
    get (APId1,…, APIdn) from dai ∈ bfi
    get (SSID1, …SSIDn)
    get (BFS1,…,BFSn)
end for
return (APIdi) ^ (SSIDi) ^ (BFSi)
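The preprocessing and extraction stages (Algorithms 1 and 2) can be written in Python as follows. This is an added example, not the authors' implementation; it assumes raw 802.11 MAC frames without a radiotap header, and the function names, MAC address, SSID and sample frames (sized to the 266-byte and 83-byte beacons reported in the results) are constructed for illustration.

```python
import struct

MAC_HDR_LEN = 24       # management header without HT Control
FIXED_BODY_LEN = 12    # timestamp (8) + beacon interval (2) + capability info (2)
TYPE_MGMT, SUBTYPE_BEACON, SUBTYPE_PROBE_RESP = 0b00, 0b1000, 0b0101


def ie(element_id, payload):
    """Encode one information element: id, length, value."""
    return bytes([element_id, len(payload)]) + payload


def build_mgmt_frame(subtype, sa, ssid, size):
    """Constructed sample input: a management frame padded to `size` bytes."""
    fc = (subtype << 4) | (TYPE_MGMT << 2)            # protocol version 0
    hdr = struct.pack("<HH", fc, 0) + b"\xff" * 6 + sa + sa + b"\x00\x00"
    body = bytes(8) + struct.pack("<HH", 100, 0x0401)
    body += ie(0, ssid) + ie(1, b"\x82\x84\x8b\x96\x0c\x12\x18\x24") + ie(3, b"\x06")
    pad = size - len(hdr) - len(body) - 2             # payload of one padding element
    if not 0 <= pad <= 255:
        raise ValueError("size not reachable with one padding element")
    return hdr + body + ie(221, bytes(pad))


def parse_beacon(frame):
    """Algorithms 1 and 2 for one frame: (APId, SSID, BFS), or None if not a beacon."""
    if len(frame) < MAC_HDR_LEN + FIXED_BODY_LEN:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != TYPE_MGMT or (fc >> 4) & 0xF != SUBTYPE_BEACON:
        return None                                   # data, control, other management
    ap_id = frame[10:16].hex(":")                     # Address 2 (SA field)
    ssid, pos = None, MAC_HDR_LEN + FIXED_BODY_LEN
    while pos + 2 <= len(frame):                      # walk the information elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            break                                     # truncated element: stop walking
        if eid == 0 and elen <= 32:                   # ELEMENT ID 0 is the SSID
            ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + elen
    return ap_id, ssid, len(frame)


def extract(frames):
    """Keep beacon frames only and buffer one (APId, SSID, BFS) row per beacon."""
    return [row for row in map(parse_beacon, frames) if row is not None]


def fingerprints(rows):
    """Group the buffered rows by the spoofable identity (APId, SSID)."""
    table = {}
    for ap_id, ssid, bfs in rows:
        table.setdefault((ap_id, ssid), set()).add(bfs)
    return {key: sorted(sizes) for key, sizes in table.items()}


AP_MAC = bytes.fromhex("021122334455")    # constructed, locally administered address
SSID = b"CampusNet"                       # constructed network name
SAMPLE_FRAMES = [                         # constructed trace, not captured traffic
    build_mgmt_frame(SUBTYPE_BEACON, AP_MAC, SSID, 266),      # legitimate AP beacon
    build_mgmt_frame(SUBTYPE_PROBE_RESP, AP_MAC, SSID, 266),  # management, not a beacon
    b"\x08\x00" + bytes(58),                                  # data frame
    bytes.fromhex("d4000000021122334455"),                    # ACK control frame
    build_mgmt_frame(SUBTYPE_BEACON, AP_MAC, SSID, 83),       # clone: same MAC and SSID
]

if __name__ == "__main__":
    for row in extract(SAMPLE_FRAMES):
        print(row)
    print(fingerprints(extract(SAMPLE_FRAMES)))
```

Both beacons collapse to the same (MAC address, SSID) key, so only the stored BFS values tell the two senders apart.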
D. RAP Detection and Alerting Stage
Algorithm 3 shows the detection stage, which involves three vital tasks. The first task is to retrieve the buffer contents v1, v2, …, vn. As mentioned earlier, vi contains the AP information, which is APIdi, SSIDi, and BFSi. The second task is to set a Threshold Value (TSV), which is discussed in the next section. The third task is to compare the BFS of every beacon frame with the TSV and to return the information of the Rogue Access Point if the alert is triggered (i.e., the BFS of the RAP is less than the threshold value).
Algorithm 3. Detecting RAP (RAPx)
for all bufferx do
    retrieve (v1, v2 and v3)
    set TSV
    if BFS < TSV
        trigger an alert (RAPX) is detected
        output (Ρ1, Ρ2, … Ρn)
    else
        AP is legitimate (do nothing)
    end if
end for
IV. SETUP AND IMPLEMENTATION
The test-bed of our experiment is divided into two subgroups. The first subgroup is the benign scenario that contains the legitimate AP and a set of wireless devices, as shown in Figure 3. The AP coordinates the wireless users and connects them to the wired side. The sniffer is configured in the diameter of the WLAN for monitoring and detection purposes.
Figure 3. Experiment setup for legitimate AP scenario
Figure 4 shows the second subgroup, which is the attacking scenario where the WLAN contains the RAP that is planted to lure users to connect to it. The RAP has the same SSID as the legitimate one. It can also spoof the MAC address of the legitimate AP. The sniffer is configured in the WLAN diameter to monitor traffic and detect the RAP.
Figure 4. Experiment setup for the RAP scenario
A. Hardware and Software Description
The experiment is set up in three different locations with similar network topology as in Fig. 3 and Fig. 4. Two laptops are used in the first location for distinct purposes. Each laptop runs two operating systems: the first is Windows 7, and the other is a Linux-based operating system installed on a virtual machine. Two wireless cards are used in the first laptop. One wireless card acts as the hacking machine that plants the RAP and deceives the wireless users into connecting to it, and the other wireless card can relay packets to the legitimate AP. In the second laptop, one wireless card acts as the WLAN user that associates with one of the legitimate APs, and the other wireless card acts as the monitor node. Thirteen legitimate APs are scanned, and two APs (i.e., phishing RAPs) using the same computer and the same virtual machine are configured as RAPs. One of the virtual machines is a VirtualBox machine running a Debian Linux-based operating system, and the other is a VMware machine that is also running a Debian Linux-based operating system. The VirtualBox machine acts as the hacker that plants the RAP and generates bfs in the WLAN. The VMware machine acts as the monitor node that observes the traffic, filters the needed frames, extracts the desired parameters, and raises alerts on the RAPs in the WLAN diameter. The monitor node and the hacker machines use plug-and-play wireless cards that can sniff the air and generate packets in the WLAN.
V. RESULTS
Using the fingerprint technique requires fingerprint analysis and a training phase [30], [31]. The initial training sample is introduced in subsection A. Subsection B presents the training and testing phases. The discussion is presented in subsection C.
A. Initial Training Sample
The initial training sample shown in Table 1 is a trace acquired from the monitor station placed in a good area that covers the whole WLAN diameter. The trace is gathered over a short period of time in location 1 to analyze the candidate parameter and to see whether or not it is efficient enough to detect the RAP in approximately 100 ms. The fingerprint is BFSi, which is sent in a bf by the APi every 100 ms in the ideal situation.
Table 1. Initial Training Sample
APi | tpduration (sec) | Nbf | BFSi (bytes)
APA | 56.831 | 535 | 266
APB | 54.859 | 359 | 83
APC | 12.49, 12.489 | 98, 101 | 211, 302
APD | 12.534 | 76 | 194
APE | 12.603 | 100 | 289
APF | 10.552 | 16 | 371
APG | 54.886 | 141 | 277
APH | 55.666 | 378 | 83
API | 2.867 | 2 | 275
APJ | 12.39, 12.39 | 54, 44 | 2449, 315
APK | 12.288 | 83 | 324
APL | 6.554 | 7 | 242
APM | NA | 1 | 368
APN | 5.632 | 5 | 154
APO | 10.344, 9.114 | 26, 7 | 211, 302
Other parameters are used to measure the expected detection time dtime, based on the number of beacon frames Nbf that are sent in the initial training sample duration tpduration. The actual initial training sample tpduration for the whole trace is 566.851 sec, and the number of fi is 2,428, of which 1,920 are bfi. The initial training sample helps us to anticipate the dtime.
To determine the dtime, the ideal case has to be considered with the AP nearest to the monitor node, to avoid packet loss caused by interference and other obstacles in the WLAN. The chosen AP is APA, which sends 535 bf in 56.831 sec. The average time for APA to send a bf is approximately 106 ms, which deviates from the default value of 100 ms by exactly 6 ms, probably due to interference and delay in the medium. To set the dtime, we should consider the length of time that is expected before receiving the first bf after the hacker sets up the RAP in a WLAN diameter.
dtime =
× 1000
B. Training and Testing
The training takes place in the first location while the testing takes place in the second and third locations, as shown in Table 2.
Table 2. Training and testing statistics
Statistic | Location 1 (Training) | Location 2 (1st Testing) | Location 3 (2nd Testing)
Duration in hrs | 1 | 20 | 23
Number of fs | 1,130,120 | 6,085,178 | 6,745,960
Number of bfs | 260,022 | 1,588,612 | 1,918,595
The training involves setting the ideal threshold value that could work in different environments. Two more APs have been found in addition to the fifteen APs introduced in Table 1 because of the extended time used to scan the APs. Thus, a total of seventeen APs are examined in the expanded training phase, as shown in Figure 5. The ideal threshold value is considered as the average of the deviation between the maximum BFS of the RAP, RAPBFSMAX (i.e., AP2 and AP8 as shown in Figure 5), and the minimum BFS of the legitimate AP, LegitimateBFSMIN (i.e., AP16 as shown in Figure 5). We believe this TSV works in any environment and for large datasets.
TSVideal =
Figure 5. The BFS of legitimate vs. RAP
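The threshold selection described above and the comparison of Algorithm 3, as an added Python example that is not the authors' code. It reads TSVideal as the midpoint between RAPBFSMAX and LegitimateBFSMIN (an assumption about the formula), takes the BFS values from Table 1 with APB and APH assumed to be the two RAPs and APJ left out, and uses a constructed test trace; the threshold it computes applies to this sample only and is not the paper's TSV.

```python
# BFS values (bytes) from Table 1. APB and APH are assumed to be the two RAPs
# and APJ is left out. An AP seen with two beacon sizes contributes two rows.
TABLE1 = {
    "APA": [266], "APB": [83], "APC": [211, 302], "APD": [194], "APE": [289],
    "APF": [371], "APG": [277], "APH": [83], "API": [275], "APK": [324],
    "APL": [242], "APM": [368], "APN": [154], "APO": [211, 302],
}
ASSUMED_RAPS = {"APB", "APH"}


def rows_of(table):
    """Flatten {ap: [sizes]} into buffered (ap, bfs) rows."""
    return [(ap, bfs) for ap, sizes in table.items() for bfs in sizes]


def ideal_threshold(rows, rogue_ids):
    """Midpoint of RAP_BFS_MAX and Legitimate_BFS_MIN (assumed reading of TSV_ideal)."""
    rap_max = max(bfs for ap, bfs in rows if ap in rogue_ids)
    legit_min = min(bfs for ap, bfs in rows if ap not in rogue_ids)
    if rap_max >= legit_min:
        # The fingerprint separates the classes only while every RAP beacon is
        # shorter than every legitimate beacon, so no threshold is returned here.
        raise ValueError(
            f"BFS ranges overlap: RAP max {rap_max} >= legitimate min {legit_min}")
    return (rap_max + legit_min) / 2


def detect(rows, tsv):
    """Algorithm 3: the APs that sent at least one beacon shorter than TSV."""
    return sorted({ap for ap, bfs in rows if bfs < tsv})


def evaluate(rows, rogue_ids, tsv):
    """Per-AP confusion counts, for checking an accuracy figure on a labelled trace."""
    seen = {ap for ap, _ in rows}
    flagged = set(detect(rows, tsv))
    return {
        "tp": len(flagged & rogue_ids),
        "fp": len(flagged - rogue_ids),
        "fn": len((seen & rogue_ids) - flagged),
        "tn": len(seen - rogue_ids - flagged),
    }


TRAIN = rows_of(TABLE1)
TSV = ideal_threshold(TRAIN, ASSUMED_RAPS)

# Constructed test trace for another location (not data from the paper).
# RAP2 models a clone whose beacon is as long as a legitimate one, the case
# the paper leaves to future work.
TEST = [("AP1", 160), ("AP2", 310), ("RAP1", 83), ("RAP2", 266)]
TEST_RAPS = {"RAP1", "RAP2"}

if __name__ == "__main__":
    print("TSV =", TSV)
    print("training alerts:", detect(TRAIN, TSV))
    print("test result:", evaluate(TEST, TEST_RAPS, TSV))
```

On the constructed test trace the 266-byte clone is counted as a false negative, and `ideal_threshold` refuses to train on data where the two size ranges overlap.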
C. Discussion
The detection algorithm is tested using two locations of 22 and 42 APs respectively, as shown in Figure 6. The detection algorithm and the selected TSV achieve 100% accuracy. All the legitimate APs are confirmed positively as legitimate, whereas all the RAPs are detected.
Figure 6. Testing the accuracy of the detection algorithm
The authors in [12] suggest desired characteristics and provide direction for valuable RAP detection. Our proposed framework satisfies the majority of the suggested characteristics. The technique is deployable and does not require modification to firmware or devices. It is also passive; there is no need to actively probe the attacker device or add to the WLAN traffic. The technique relies on a difficult-to-forge parameter; the hacker has to forge many fields in the frame to have the same length as the beacon frames that are sent by legitimate APs. It does not depend on traffic density or mutable information that can vary from network to network. Furthermore, it depends only on beacon frames, which are specialized frames that are sent by APs, and they are the first frames to be sent from the RAP after the hacker plants it in the network diameter.
Figure 8 illustrates one of the RAPs that is detected in location 2. In the second column the MAC address of the RAP appears, the third column shows the SSID. The fourth column shows the BFS of the RAP. In our attacking scenario, we cloned the SSID of one of the legitimate APs (i.e., APA). The unique and hard to spoof identifier is the BFS which appears in the third column. The BFS of the RAP is 83 bytes, while the BFS of the legitimate AP is 266 bytes.
Figure 8. RAP is detected in Location 2
The comparison between our technique and some similar existing techniques is shown in Table 2. Three valuable factors have been taken into consideration to analyze the performance of the existing techniques. In addition to our technique, two techniques are passive and do not add traffic to the WLAN. Two techniques, SOWA and EAP-SWAT, require standard or protocol modification. Our technique outperforms all the other techniques in accuracy.
Table 2. Comparison with existing techniques
Technique | Passive | Accuracy | No Pr. Mod.
DNS Ser. two hops | - | 60% | ✓
Signal Strength | ✓ | 97% | ✓
Clock Skew | ✓ | 90% | ✓
SOWA | - | NA | -
EAP SWAT | - | NA | -
BFS Fingerprint | ✓ | 100% | ✓
No Pr. Mod.: No protocol or standard modification is required
VI. CONCLUSION AND FUTURE WORK
The simplicity of configuring an RAP creates a real security threat to WLAN devices. There are several existing techniques to detect an RAP; however, they are not efficient, and some of them lack accuracy. Some of the techniques require actively adding traffic to the WLAN. A new passive fingerprinting technique was implemented in this paper by exploiting the characteristics of the NIC of the attacker and the software used by the attacker who plants the RAP. The robustness of the algorithm and the TSV were investigated by testing the detection algorithm in two locations; the algorithm proved to be robust and consistent. In our future work, we would implement another detection algorithm that detects the phishing AP in case the developers of these tools increase the size of the beacon frames. We might also consider detecting other types of RAPs such as unauthorized and improperly configured RAPs.
VII. REFERENCES
[1] Chiapin Wang; Tientsung Tai, "Achieving time-based fairness for VoIP applications in IEEE 802.11 WLAN using a cross-layer approach," Personal Indoor and Mobile Radio Communications (PIMRC), 2010 IEEE 21st International Symposium on, pp. 1475-1480, 26-30 Sept. 2010.
[2] Hao Han; Bo Sheng; Tan, C.C.; Qun Li; Sanglu Lu, "A Timing-Based Scheme for Rogue AP Detection," Parallel and Distributed Systems, IEEE Transactions on, vol. 22, no. 11, pp. 1912-1925, Nov. 2011.
[3] L. Ma, A.Y. Teymorian, and X. Cheng, “A Hybrid Rogue Access Point Protection Framework for Commodity Wi-Fi Networks,” Proc. IEEE INFOCOM, 2008.
[4] W. Wei, K. Suh, B. Wang, Y. Gu, J. Kurose, and D. Towsley, “Passive Online Rogue Access Point Detection Using Sequential Hypothesis Testing with TCP ACK-Pairs,” Proc. 7th ACM SIGCOMM Conf. Internet Measurement (IMC), 2007.
[5] H. Yin, G. Chen, and J. Wang, “Detecting Protected Layer-3 Rogue APs,” Proc. Fourth IEEE Int’l Conf. Broadband Comm., Networks, and Systems (BROADNETS ’07), 2007.
[6] S. Shetty, M. Song, and L. Ma, “Rogue Access Point Detection by Analyzing Network Traffic Characteristics,” Proc. IEEE Military Comm. Conf. (MILCOM ’07), 2007.
[7] Chao Yang; Yimin Song; Guofei Gu, "Active User-Side Evil Twin Access Point Detection Using Statistical Techniques," Information Forensics and Security, IEEE Transactions on, vol. 7, no. 5, pp. 1638-1651, Oct. 2012.
[8] Yimin Song; Chao Yang; Guofei Gu, "Who is peeping at your passwords at Starbucks? — To catch an evil twin access point," Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on, pp. 323-332, June 28-July 1, 2010.
[9] Hao Han; Bo Sheng; Tan, C.C.; Qun Li; Sanglu Lu, "A Measurement Based Rogue AP Detection Scheme," INFOCOM 2009, IEEE, pp. 1593-1601, 19-25 April 2009.
[10] C. Neumann, O. Heen, and S. Onno, “An empirical study of passive 802.11 device fingerprinting,” in Distributed Computing Systems Workshops (ICDCSW), 2012 32nd International Conference on, June 2012, pp. 593-602.
[11] Uluagac, A.S.; Radhakrishnan, S.V.; Corbett, C.; Baca, A.; Beyah, R., "A passive technique for fingerprinting wireless devices with Wired-side Observations," Communications and Network Security (CNS), 2013 IEEE Conference on, pp. 305-313, 14-16 Oct. 2013.
[12] Beyah, R.; Venkataraman, A., "Rogue-Access-Point Detection: Challenges, Solutions, and Future Directions," Security & Privacy, IEEE, vol. 9, no. 5, pp. 56-61, Sept.-Oct. 2011.
[13] Shivaraj, G.; Min Song; Shetty, S., "A Hidden Markov Model based approach to detect Rogue Access Points," Military Communications Conference, 2008. MILCOM 2008. IEEE, pp. 1-7, 16-19 Nov. 2008.
[14] Kim, M-S., Kang, H.-J., Hung, S.-C., Chung, S.-H., and Hong, J.W., "A Flow-based Method for Abnormal Network Traffic Detection," IEEE/IFIP Network Operations and Management Symposium, Seoul, 2004.
[15] Soft AP Solutions White paper [Online]. Available: http://www.marvell.com/products/wireless/softap.jsp.
[16] IEEE, “1999 edition (r2003) part 11: Wireless LAN medium access control (MAC) and physical layer (phy) specifications,” IEEE, Tech. Rep., 1999 (R2003).
[17] Asier Martínez, Urko Zurutuza, Roberto Uribeetxeberria, Miguel Fernández, Jesus Lizarraga, Ainhoa Serna, and Iñaki Vélez, Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks. In ARES ’08: Proceedings of the 2008 Third International Conference on Availability, Reliability and Security, pages 520–525, Washington, DC, USA, 2008. IEEE Computer Society.
[18] Stefan Mangold, Sunghyun Choi, Guido R. Hiertz, Ole Klein, and Bernhard Walke, “Analysis of IEEE 802.11e for QoS Support in Wireless LANs”, IEEE Wireless Communications Magazine, Special Issue on Evolution of Wireless LANs and PANs, July 2003.
[19] S. Mangold et al., “IEEE 802.11e Wireless LAN for Quality of Service,” Proc. European Wireless ‘02, Florence, Italy, Feb. 2002.
[20] IEEE standard 802.11. Part 11: wireless LAN Medium Access Control (MAC) and Physical Layer specifications, 2007.
[21] Gupta, V. and Rohil, M. K., Information Embedding in IEEE 802.11 Beacon Frame, National Conference on Communication Technologies & its impact on Next Generation Computing CTNGC 2012 Proceedings published by International Journal of Computer Applications (IJCA).
[22] C. Arackaparambil, S. Bratus, A. Shubina, and D. Kotz. On the Reliability of Wireless Fingerprinting Using Clock Skews. In third ACM Conference on Wireless Network Security (WiSec'10), 2010.
[23] T. Kim, H. Park, H. Jung, and H. Lee. Online Detection of Fake Access Points Using Received Signal Strengths. In 75th IEEE Vehicular Technology Conference (VTC Spring 2012), 2012.
[24] T. Cross and T. Takahashi. Secure Open Wireless Access. In Black Hat USA 2011.
[25] K. Bauer, H. Gonzales, and D. McCoy. Mitigating Evil Twin Attacks in 802.11. In 1st IEEE International Workshop on Information and Data Assurance (WIDA 2008) in conjunction with the 27th IEEE International Performance Computing and Communications Conference (IPCCC 2008), Austin, TX, USA, December 2008.
[26] H. Gonzales, K. Bauer, J. Lindqvist, D. McCoy, and D. Sicker. Practical Defenses for Evil Twin Attacks in 802.11. In IEEE Globecom Communications and Information Security Symposium (Globecom 2010), Miami, FL, December 2010.
[27] “Tired of Rogues: Solutions for Detecting and Eliminating Rogue Wireless Networks,” white paper, Air-Defense, 2009.
[28] “Best Practices for Securing Your Wireless LAN,” white paper, AirMagnet, 2004.
[29] J. Pang, B. Greenstein, R. Gummadi, S. Seshan, and D. Wetherall. 802.11 User Fingerprinting. In ACM MobiCom, 2007.
[30] M. Bshara, U. Orguner, F. Gustafsson, L.V. Biesen, “Fingerprint localization in wireless networks based on received signal strength measurements: A case study on WiMAX networks,” IEEE Trans. Vehicular Technology, vol. 59, no. 1, pp. 283-294, Jan. 2010.
[31] Le, T.M.; Ren Ping Liu; Hedley, M., "Rogue access point detection and localization," Personal Indoor and Mobile Radio Communications (PIMRC), 2012 IEEE 23rd International Symposium on, pp. 2489-2493, 9-12 Sept. 2012.