International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 6, June 2013)
RAPD Algorithm: Detection of Rogue Access Point in Wireless Network
Dr. Sanjay Thakur¹, Abhijit Bodhe²
¹Head Of Dept, ²Student, Lord Krishana College Of Technology, RGPV University, Indore (MP)
Abstract- The most challenging security concern for IT industries today is the rogue wireless access point. As IEEE 802.11 technologies continue to become more popular, less expensive, and easier for end users to install, the threat to corporate network security increases rapidly. Most current approaches to detecting rogue APs are easily evaded by hackers. In this paper we propose a new algorithm to detect RAPs in a wireless network without any change to existing hardware: we simply monitor the traffic and its characteristics in our system to detect the RAP.
Keywords- IEEE 802.11, RAP, Traffic Characteristics.
I. INTRODUCTION
A rogue AP is an unauthorized access point plugged into a corporate network, posing a serious security threat to enterprise IT systems. Rogue APs are typically installed by employees in workplaces for convenience and flexibility. Although users could leverage common security measures such as Wired Equivalent Privacy (WEP) to protect their network communications, such measures may not be consistent with corporate security policies and they are often inefficient. For example, researchers have identified design flaws in WEP which can be easily exploited to recover secret keys [1]. A rogue AP exposes internal networks to the outside world, making it easy for people to bypass security measures. A compromised AP is the most dangerous rogue AP that can exist in commodity Wi-Fi networks. In particular, it is difficult to detect such a rogue device because the AP itself is not malfunctioning (e.g., operating without specified security controls), as discussed in our previous paper [2].
RAPs are present on about 20% of all enterprise networks [3]. Since APs have reached commodity pricing, the appeal of deploying these devices in an unauthorized fashion has grown. Also, since the size of APs has decreased significantly, it is difficult for network administrators to visually detect these devices. This is especially true if the attacker uses his laptop to act as an AP; note that this feature is built into Mac OS, or one can download OpenAP for Linux. Unlike traditional attacks that are perpetrated from outside the network, the insertion of a RAP is most often the work of an insider.
This seemingly simple act of misfeasance can have significant consequences, because the insertion of these rogue devices creates a back door to the network and therefore significantly threatens the investment made in securing the network. The term rogue access point has been used in more than one context in the wireless security literature. Further, this type of attack can be conducted by malicious outsiders as well as by malicious insiders. This article focuses on threats from malicious insiders, but also presents related work on detecting attacks from malicious outsiders. It is important to clarify where RAP fits into the larger hierarchy of insider threats [4].
In this paper, we summarize the rogue access point under two definitions:
− Definition 1: A rogue access point is an access point that is installed on the network without authorization and does not follow the organization’s security policy.
− Definition 2: A rogue access point is an access point that is set up with the malicious intention of compromising the company’s information system, i.e., sniffing the data going through the rogue access point.
An access point that falls under either definition is considered to be a rogue access point. There are four common types of rogue access point, as follows:
1. Employee’s rogue access point: Employees buy an access point and install it on the company’s LAN for their own convenience without authorization. The rogue access point creates a vulnerability in the network: it enables unauthorized users or attackers from outside to access the company’s network. This type of rogue access point is very common, especially in organizations that lack a wireless security policy and security awareness training for employees.
2. Attacker’s external rogue access point: The rogue
3. Attacker’s internal rogue access point: The rogue access point is set up inside the company and is connected to the company’s network. The attacker will use this rogue access point as a backdoor to access the network at a later time. This rogue access point is unlikely because the attacker has to bypass physical security and gain access to the internal LAN, but once it succeeds it is a serious security breach. Typically the attacker will disable SSID broadcast in order to hide the access point from notice.
4. Neighborhood rogue access point: The access point is set up by another company in the close vicinity. Some people do not consider this a rogue access point because of the unlicensed, shared medium of wireless LAN. The administrator has no authority to control or shut down the legitimate access points of another company.
In addition, there are quite a few commercial rogue access point detection products available in the market. Most of them rely on dedicated wireless sensors to perform RF detection.
The rest of the paper is organized as follows. Section 2 describes the related work and current approaches. We present the proposed algorithm and our system approach in Section 3. In Section 4 we conclude the paper.
II. CURRENT APPROACHES
There are various RAP detection software tools such as AirWave, AirDefense, AirMagnet, WiFi Manager, BT Scanner, FAKE AP, etc., as discussed in our previous paper [2]. The research community has only recently started to direct attention toward rogue AP detection. An architecture for fault diagnostics in IEEE 802.11 networks is presented in [5]: multiple APs and mobile clients perform RF monitoring to help detect the presence of rogue wireless devices such as unauthorized APs. Each client is required to install special diagnostic software, and rogue APs are assumed to transmit beacon messages and respond to probe requests. In contrast, RAP does not inconvenience clients with additional software installs. Further, its detection ability is not based on the assumption that rogue APs will function properly [6]. Sometimes rogue AP detection functionality is integrated into an intrusion detection system (IDS). A typical IDS scans network traffic and generates an alert when an intrusion has been detected. When used with intrusion prevention techniques such as real-time traffic flow analysis and automatic attack prevention, the security of a network is further enhanced.
A. Malicious Insiders
The existing literature focused on RAP detection of malicious insiders can be classified into three categories - wireless-side sniffing approaches, wired-side fingerprinting approaches, and hybrid approaches that consolidate both.
In this article, we highlight a representative sample of a large set of related work. The industry and academia contributions discussed herein constitute the state of the art in RAP detection. While [7] are some of the wireless-only approaches primarily from industry, [8] are some of the wired-side alternatives from academia. Further, [8] are examples of hybrid approaches.
The overarching difficulty in detecting RAPs is that they are not likely to respond to active probing. This lack of cooperation has led to an overall consensus that passive detection is the more logical method to detecting RAPs - this paradigm has been followed by many of the better approaches in both industry and academia.
RAP detection presents a very interesting problem because the effects of the RAP are visible on both the wired and wireless sides of a network. Still, industry and academia have taken different approaches to RAP detection. As mentioned previously, industry solutions have been mostly wireless-only, while researchers in academia seem to have focused on solving the wireless problem from the wired side of the network. The fact that the two groups attacked this problem from different directions is not a surprise. Further, this has proven beneficial because, as will be discussed later, it is likely that the optimal approach to RAP detection will be a combination of the two. In the case of RAP detection, the industry solutions arrived first and took up the intuitive idea of sniffing the radio frequency (RF) spectrum in search of unauthorized wireless traffic. Though much success was seen with this technique, it still had deficiencies, one of the most significant being the lack of scalability. As a result, researchers in academia began to develop wired-side techniques based on temporal traffic characteristics in an attempt to mitigate the deficiencies of wireless-only detection [4].
B. Malicious Outsiders
The attacker can then launch various attacks on the wireless node. In [14], the authors assume that the RAP is connected to a legitimate AP and uses this connection to connect legitimate nodes to the network. They present a technique that uses the RTT between the user and the local DNS server to determine whether an AP is a RAP, without assistance from the WLAN operator. The main idea is that if the node is connected through the RAP, it takes two wireless hops to reach the local DNS server instead of one, and the extra delay from two wireless hops will be visible in the RTT. However, this technique cannot detect RAPs directly connected to the wired network. In [15], the authors assume that the RAP is connected directly to the wired network. They obtain the timestamps from the 802.11 beacon frames and propose a scheme that uses clock skew variation between nodes to identify RAPs. However, this is a wireless-side solution and has the same disadvantages as the wireless-side solutions for malicious insider RAP detection presented above. Since the focus of this article is on malicious insiders, no further discussion of malicious outsiders will be presented [4].
III. PROPOSED SYSTEM & RAPD ALGORITHM
PROPOSED SYSTEM
The proposed system is built on four main modules. 1. From the beacon frames, the packets are sorted separately by various traffic characteristic parameters such as SSID, MAC address, signal, security, channel used, etc. The probing function then decides, according to the algorithm, whether the given access point is authorised or unauthorised, as shown in Figure 1.
Fig1. Proposed System
Algorithm
Rogue access point detection starts with RF sniffing to collect wireless data and then analyzes the collected data to determine the rogue access point. The access point is switched from Normal Mode to Sniffer Mode and operates as a wireless sniffer, collecting Beacon and Probe messages and client data frames together with various traffic characteristics such as MAC, SSID, signal, channel, etc. The potential rogue access point data is stored in the database waiting to be analyzed.
1) Compare the sniffed data (i.e., SSID, wireless MAC) with the authorized AP information, which is stored beforehand. There are three possible outcomes: Completely Matched (SSID and MAC), Completely Unmatched (neither SSID nor MAC) and Partially Matched (MAC but not SSID, or SSID but not MAC). If Completely Matched, go to stage 2); if Partially Matched, go to stage 3); if Completely Unmatched, go to stage 4).
2) For Completely Matched, the most probable kind of access point is a Trusted AP. There is no need to check other traffic parameters from the incoming beacon frame; the AP is declared an authorized AP and the user can share data with it.
3) For Partially Matched, the result would be either a Misconfiguration AP or an Attacker’s Rogue AP. A Misconfiguration AP is an access point whose configuration is not consistent with the registered AP. If it is an attacker’s AP, the system will check traffic parameters such as signal strength and channel used.
4) For Completely Unmatched, the result would be either a Neighborhood AP or an Employee rogue AP. Typically it is hard to verify whether such an AP is a legitimate one. Therefore, we propose a technique that can differentiate Trusted APs from Spoofed Rogue APs using the traffic characteristics mentioned above.
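The four-stage comparison above, together with the module description of the proposed system, as an added Python example that is not the paper's Java application: the registered-AP table, the sniffed beacons and the 15 dB signal tolerance are constructed, and the stage-3 rule (channel and signal level consistent with the registered entry means a Misconfiguration AP, a mismatch means an Attacker's Rogue AP) is my assumption, since the paper does not state how those parameters are judged.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(str, Enum):
    TRUSTED = "Trusted AP"                              # stage 2
    MISCONFIGURED = "Misconfiguration AP"               # stage 3
    ATTACKER_ROGUE = "Attacker's Rogue AP"              # stage 3
    UNREGISTERED = "Neighborhood or Employee rogue AP"  # stage 4

@dataclass(frozen=True)
class ApRecord:          # one row of sniffed beacon data / of the registered-AP table
    ssid: str
    mac: str             # compared case-insensitively
    channel: int
    signal_dbm: int

def match_stage(beacon: ApRecord, authorized: list) -> str:
    """Stage 1: compare the sniffed (SSID, MAC) pair with the registered AP table."""
    mac = beacon.mac.lower()
    if any(a.ssid == beacon.ssid and a.mac.lower() == mac for a in authorized):
        return "complete"
    if any(a.ssid == beacon.ssid or a.mac.lower() == mac for a in authorized):
        return "partial"
    return "none"

def classify(beacon: ApRecord, authorized: list, signal_tolerance_db: int = 15) -> Verdict:
    stage = match_stage(beacon, authorized)
    if stage == "complete":   # stage 2: no further parameter checks, per the paper
        return Verdict.TRUSTED
    if stage == "none":       # stage 4: nothing registered to compare against
        return Verdict.UNREGISTERED
    # Stage 3: reference entry is the registered AP sharing the MAC (preferred) or the SSID.
    ref = next((a for a in authorized if a.mac.lower() == beacon.mac.lower()), None) \
        or next(a for a in authorized if a.ssid == beacon.ssid)
    # Assumption: consistent channel and signal -> misconfigured AP; otherwise attacker's AP.
    consistent = (ref.channel == beacon.channel
                  and abs(ref.signal_dbm - beacon.signal_dbm) <= signal_tolerance_db)
    return Verdict.MISCONFIGURED if consistent else Verdict.ATTACKER_ROGUE

# Constructed registered-AP table and sniffed beacons (demo data, not taken from the paper).
AUTHORIZED = [ApRecord("corp-wifi", "00:11:22:33:44:55", 6, -45),
              ApRecord("corp-guest", "00:11:22:33:44:66", 11, -50)]
SNIFFED = [ApRecord("corp-wifi", "00:11:22:33:44:55", 6, -47),   # registered AP
           ApRecord("corp-wifi", "00:11:22:33:44:66", 11, -52),  # corporate SSID on the guest radio
           ApRecord("corp-wifi", "AA:BB:CC:DD:EE:FF", 1, -30),   # unknown MAC, other channel
           ApRecord("cafe-free", "de:ad:be:ef:00:01", 3, -70)]   # not registered at all

def scan_report(beacons=SNIFFED, authorized=AUTHORIZED) -> dict:
    """Verdict per sniffed AP, keyed by (SSID, MAC) like the paper's access point list."""
    return {(b.ssid, b.mac): classify(b, authorized).value for b in beacons}
```

Calling `scan_report()` yields one verdict per sniffed AP; a completely matched pair is trusted without any parameter check, which is exactly why a MAC-spoofing twin on the same channel would pass stage 2 unnoticed.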
IV. RESULTS
Fig2. Available Networks
After starting our Java application, our algorithm starts. In the first phase we separate wired from wireless traffic by selecting the drivers and choosing the wireless device, which uses the system's Microsoft driver, as the capture device, as shown in Figure 3.
Fig3. Capture device selection for traffic
After selecting the traffic we can monitor the complete traffic from source to destination, with all incoming and outgoing packets and their MAC addresses and IP addresses, passing through the access points in the current network, as shown in Fig. 4.
Fig.4 Sniffer Window
After confirming that traffic is being transferred from source to destination, our algorithm comes into action: on clicking the scan button it starts checking the available access points, applies the algorithm proposed in the section above to each AP, and using the preemption and detection engine reports whether the given access point is rogue or authorized. Our demo has 4 APs, of which 2 are authorized because their parameter entries have been made in the backend, and two are new, i.e., unauthorized to the system. Fig. 5 shows each AP typed as authorized or unauthorized.
Fig.5 All available access point
Fig.6 Rogue access point list in network
V. CONCLUSION
In the proposed system we have devised a new technique, and a new algorithm, to detect rogue access points in a wireless network. It is efficient and cost effective and requires no change to the existing system, so one can easily find a RAP in the network without specialised hardware or software using our system and algorithm.
REFERENCES
[1] A. Bittau, M. Handley, and J. Lackey, “The Final Nail in WEP’s Coffin,” in Proceedings of the 2006 IEEE Symposium on Security and Privacy, Oakland, CA, May 2006.
[2] Prof. Abhijit Bodhe, Dr. Sanjay Thakur, “The RAP: Wireless Security”, IJETAE, vol. 1, Jan-13.
[3] Airdefense White Paper: “Wireless LANs: Risks and Defenses”, Available Online: http://www.itsec.gov.cn/webportal/download/73.pdf
[4] Raheem Beyah and Aravind Venkataraman, “Rogue Access Point Detection: Challenges, Solutions and Future Directions”, accepted for publication in IEEE Security and Privacy.
[5] A. Adya, P. Bahl, R. Chandra, and L. Qiu, “Architecture and techniques for diagnosing faults in IEEE 802.11 infrastructure networks”, in MobiCom ’04, pages 30–44, ACM Press, 2004.
[6] Liran Ma, Amin Y. Teymorian, Xiuzhen Cheng, “RAP: Protecting Commodity Wi-Fi Networks from Rogue Access Points”.
[7] Airdefense White Paper: “Solutions for Detecting and Eliminating Rogue Wireless Networks”, Available Online: http://www.airdefense.net/whitepapers/index.php
[8] Ma, L., Teymorian, A.Y., Cheng, X., “A Hybrid Rogue Access Point Protection Framework for Commodity Wi-Fi Networks”, IEEE INFOCOM, 2008.
[9] Han, H., Sheng, B., Tan, C. C., Li, Q. and Lu, S., “A Timing Based Scheme for Rogue AP Detection”, IEEE Transactions on Parallel and Distributed Systems, to appear.