TY - JOUR
T1 - Using Hidden Markov Model to detect rogue access points
AU - Shivaraj, Gayathri
AU - Song, Min
AU - Shetty, Sachin
PY - 2010
Y1 - 2010
N2 - One of the most challenging security concerns for network administrators is the presence of rogue access points (RAPs). The challenge is to detect and disable a RAP before it poses a serious security risk. In this paper, we propose a statistics-based approach to detecting RAPs using a Hidden Markov Model (HMM), applied to passively measured packet-header data collected at a gateway router. The main idea is to process the sequence of packet traces in order to distinguish normal packets from abnormal ones. Our approach uses variations in packet inter-arrival time to differentiate between authorized access points and RAPs. We chose the inter-arrival time of a packet as the distinguishing parameter because it varies drastically between normal activity and intrusive activity. We developed our HMM by analyzing Denial of Service (DoS) attacks on 802.11-based wireless local area networks. Our trained HMM can detect the presence of a RAP within a second with very high accuracy (very low false positive and false negative ratios are obtained). The success of our approach lies in the fact that it leverages knowledge of the traffic characteristics of 802.11-based wireless local area networks and the properties of DoS attacks. Experiments were also performed to improve the accuracy of our HMM. Our approach is scalable and non-intrusive, requires little deployment cost and effort, and is easy to manage and maintain.
KW - Compromised rogue access points
KW - Denial of service
KW - Hidden Markov models
KW - Rogue access points
UR - http://www.scopus.com/inward/record.url?scp=84877897812&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84877897812&partnerID=8YFLogxK
U2 - 10.1002/sec.190
DO - 10.1002/sec.190
M3 - Article
AN - SCOPUS:84877897812
SN - 1939-0114
VL - 3
SP - 394
EP - 407
JO - Security and Communication Networks
JF - Security and Communication Networks
IS - 5
ER -