TY - GEN
T1 - Rogue Access Point Detection by Using ARP Failure under the MAC Address Duplication
AU - Igarashi, Kosuke
AU - Kato, Hiroya
AU - Sasase, Iwao
N1 - Funding Information:
VI. CONCLUSION In this paper, we have proposed RAP detection by using ARP failure under the MAC address duplication. We collect MAC addresses from user side and set the MAC address of a client to them. By observing ARP packets in the situation, we can reveal the benignancy of the connected AP. The detection performance of the proposed scheme is better than that of the previous scheme. The results show it can detect a RAP without any error even in unstable traffic environment. In addition, the experiment in a small cafe shows the availability in a real network. In the future, we will conduct a large-scaled examination of the proposed scheme. Furthermore, we will expand the scheme for the network where a LR is arranged. VII. ACKNOWLEDGMENT This work is partly supported by the Grant in Aid for Scientific Research (No.17K06440) from Japan Society for Promotion of Science (JSPS).
Publisher Copyright:
© 2021 IEEE.
PY - 2021/9/13
Y1 - 2021/9/13
AB - Detecting a Rogue Access Point (RAP) in a Wi-Fi network is imperative. The previous scheme is user side detection focusing on two channels used by a RAP. That scheme can detect a RAP in a stable traffic environment by revealing the channel used with a Legitimate Access Point (LAP) with intentional interference. However, the detection performance is degraded in the real environment where traffic is more unstable because it affects the traffic on the channel. Thus, it is necessary to design a scheme which is independent of such factors. In this paper, we propose RAP detection by using Address Resolution Protocol (ARP) failure under the Media Access Control (MAC) address duplication. Our main idea is that the traffic is relayed via a RAP and a LAP on the LAN path between a client and a gateway under the attack. This is because the RAP must be established between a client and a LAP to provide Internet connection. On the basis of this idea, the proposed scheme reveals that the Access Point (AP) with which a client connects is a RAP by discovering the MAC address of a LAP on the path. In order to find the MAC address, we leverage the phenomenon that a client cannot receive ARP reply packets in the situation where its MAC address and that of an AP are duplicated on the path. By doing this, the presence of a LAP is revealed, which can judge that the connected AP is a RAP. In our evaluation, the proposed scheme achieves accuracy of 96.5% even in an unstable traffic environment. True positive rate and false positive rate are 31.0% higher and 9.0% lower than the previous scheme. Furthermore, the proposed scheme can detect RAPs accurately in a real environment where the previous scheme cannot.
KW - Address Resolution Protocol
KW - Evil Twin Attack
KW - Rogue Access Point
UR - http://www.scopus.com/inward/record.url?scp=85118438886&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85118438886&partnerID=8YFLogxK
U2 - 10.1109/PIMRC50174.2021.9569473
DO - 10.1109/PIMRC50174.2021.9569473
M3 - Conference contribution
AN - SCOPUS:85118438886
T3 - IEEE International Symposium on Personal, Indoor and Mobile Radio Communications, PIMRC
SP - 1469
EP - 1474
BT - 2021 IEEE 32nd Annual International Symposium on Personal, Indoor and Mobile Radio Communications, PIMRC 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 32nd IEEE Annual International Symposium on Personal, Indoor and Mobile Radio Communications, PIMRC 2021
Y2 - 13 September 2021 through 16 September 2021
ER -