Rogue Access Point Detection using Temporal Traffic Characteristics

Raheem Beyah, Shantanu Kangude, George Yu, Brian Strickland, and John Copeland
Communications Systems Center
School of Electrical and Computer Engineering
Georgia Institute of Technology

Abstract - As the cost of 802.11 hardware continues to fall, the appeal of inserting unauthorized wireless access into enterprise networks grows. These rogue access points (APs) expose the enterprise network to a barrage of security vulnerabilities in that they are typically connected to a network port behind the firewall. Most of the current approaches to detecting rogue APs are rudimentary and are easily evaded by hackers. We propose the use of temporal traffic characteristics to detect rogue APs at a central location. This detection is independent of the wireless technology (802.11a, 802.11b, or 802.11g), is scalable, does not possess the inefficiencies of the current solutions, and is independent of the signal range of the rogue APs.

I. INTRODUCTION

As users realize the benefits of wireless networking at home, they begin to desire the same flexibility in the workplace. Rather than waiting for their IT organizations to install a wireless network, users are taking matters into their own hands. Employees are deploying rogue APs and building large grassroots wireless networks without the knowledge or consent of their IT departments. These rogue APs represent a serious breach of network security. They are typically connected to a network port behind the corporate firewall. Additionally, employees rarely enable even the most basic security settings on rogue APs, making it easy for unauthorized outsiders to use the AP and eavesdrop on network traffic.

Corporate network administrators are not the only ones who are, or should be, concerned about the rogue AP problem. Universities' support staffs are already having a difficult time trying to manage the security of the PCs on the network.
Under pressure from students, staff, and administration, the universities' networking staffs have deployed wireless networking across campus with minimum security measures. Some enable the wired equivalency protocol (WEP) and perform some degree of application-level authentication before allowing nodes to become associated with the network. While this is a good start, due to various factors, including cost constraints, many universities do not have specific wireless intrusion detection systems, nor do they have any method of preventing students, staff, or faculty from installing their own AP. This rogue AP may allow unauthorized pleasant or malicious users onto the network. Further, the network administrator will have difficulty tracking down the assailant.

Similarly, a growing number of hotels now offer broadband access in upgraded and even regular rooms. Many of the services are provided by a third party who accepts payment in exchange for daily internet access for one machine. This is loosely enforced by assigning a temporary IP address to the requesting machine and storing that machine's medium access control (MAC) address. Once the time expires, the IP expires and the communication is blocked until the fee is paid again. One cannot share the internet access with another machine in the room because the IP is linked to one MAC address. This control is easily circumvented so that multiple users can share the access. The room's users can simply use a router that has MAC address spoofing and network address translation (NAT) features. If a user wants to share this one connection with everyone on the hall, he merely has to use a wireless router with the same features.

In general, every organization that has a network should have some form of rogue AP detection, especially organizations that do not have wireless networks.
These organizations do not expect, or think to consider, any sort of malicious wireless activity because they have not deployed a wireless network. This thinking can result in two undesirable outcomes: 1) an employee installs a rogue AP and a malicious user stumbles upon a wide-open invitation to the corporate network as they "war drive"; or 2) a hacker installs an AP out of sight on a live port (e.g., hotel lobby, hardware store, hospital, government building, etc.) and has a gateway to the network from the parking lot or, using signal-boosting antennas, even farther away.

To these authors' knowledge, the rogue AP detection problem has been overlooked by academic researchers. Most solutions have been quick fixes by wireless local area network (WLAN) security vendors. We illustrate, by empirical analysis, a novel approach to rogue AP detection using temporal traffic characteristics.

The remainder of the paper is organized as follows: In Section II we discuss current approaches. We discuss the background of our scheme in Section III. In Section IV we describe our experimental setup. Section V gives the results and performance analysis of our scheme. In Section VI we give the conclusion, and we conclude this paper with a discussion on future work in Section VII.

II. CURRENT APPROACHES

A. Wireless Approaches

Most of the current approaches for detecting rogue APs are rudimentary and easily evaded by hackers. Some organizations have equipped IT personnel with wireless packet analyzer tools (e.g., sniffers) on laptops and handheld

Globecom 2004 2271 0-7803-8794-5/04/$20.00 © 2004 IEEE IEEE Communications Society