Using Hidden Markov Model to detect rogue access points

Gayathri Shivaraj, Min Song, Sachin Shetty

Research output: Contribution to journal › Article › peer-review

4 Scopus citations

Abstract

One of the most challenging security concerns for network administrators is the presence of rogue access points (RAPs). The challenge is to detect and disable a RAP before it poses a serious security risk. In this paper, we propose a statistical approach to detect RAPs using a Hidden Markov Model (HMM), which is applied to passively measured packet-header data collected at a gateway router. The main idea is to process the sequence of packet traces in order to distinguish the normal packets from the abnormal ones. Our approach utilizes variations in packet inter-arrival time to differentiate between authorized access points and RAPs. We used the inter-arrival time of a packet as a distinguishing parameter because it varies drastically between normal activity and intrusive activity. We developed our HMM by analyzing Denial of Service (DoS) attacks on 802.11-based wireless local area networks. Our trained HMM can detect the presence of a RAP promptly, within a second, with extreme accuracy (very low false positive and false negative ratios are obtained). The success of our approach lies in the fact that it leverages knowledge about the traffic characteristics of 802.11-based wireless local area networks and the properties of DoS attacks. Experiments were also performed to improve the accuracy of our HMM. Our approach is scalable and non-intrusive, requiring little deployment cost and effort, and is easy to manage and maintain.

Original language: English
Pages (from-to): 394-407
Number of pages: 14
Journal: Security and Communication Networks
Volume: 3
Issue number: 5
State: Published - 2010

Keywords

  • Compromised rogue access points
  • Denial of service
  • Hidden Markov models
  • Rogue access points
