A Passive Fingerprint Technique to Detect Fake ... - Prof. Khaled Elleithy

A Passive Fingerprint Technique to Detect Fake Access Points

Bandar Alotaibi and Khaled Elleithy
Computer Science and Engineering Department, University of Bridgeport, Bridgeport, CT 06604

Abstract—The aim of this paper is to detect Rogue Access Points (RAPs) that clone legitimate Access Points (APs) characteristics. A novel passive approach that takes advantage of the characteristics of physical layer fields via the Radiotap length is proposed. This approach is a general fingerprint, thus, it can be used for different purposes such as identification, network monitoring and intrusion detection systems. We utilize the fingerprint to detect RAPs to evaluate its effectiveness. The technique is implemented on a commercially available wireless card to assess its accuracy. The proposed detection algorithm accomplishes 100 percent accuracy to determine the RAPs in a lightly loaded traffic environment. The detection can be recognized in less than 100 ms and is scanned in a real-time setting. The robustness and the effectiveness of the detection algorithm are examined in three locations.

Keywords—WLAN, Rogue Access Point, Physical Layer, Beacon Frames

I. INTRODUCTION

Wireless Local Area Networks (WLANs) have become more popular in recent years due to the widespread deployment of infrastructure and the provision of portable devices [1]. The Access Point (AP) is an integral part of a WLAN, especially in infrastructure mode; it is a coordinating point that manages the work stations and connects users to the wired network. One of the most common security problems in WLANs is the Rogue Access Point (RAP) [2],[3],[4],[5],[6]. An RAP is a fake access point that is not installed by the network administrator. RAPs are classified into four types: a phishing AP, an RAP that is installed improperly by naïve users, an unauthorized AP that is linked to the WLAN without authorization, and a compromised AP [3].

The phishing AP type is our main focus in this paper; it uses a software-based AP which is installed in a portable device. The phishing AP uses two wireless cards: the first one is a built-in wireless card and the other one is a plug-and-play wireless card. The built-in wireless card associates with the legitimate AP while the other wireless card masquerades as the legitimate AP to lure users to connect to it. Packets can then be relayed from the RAP’s plug-and-play wireless card to the built-in wireless card. The phishing AP is set up by a hacker to listen to the traffic of users who browse the Internet and to launch several attacks on the victim device [7],[8],[9],[10].

This paper uses a fingerprint technique to detect the RAP. A device fingerprint is an approach to stamp a target device using one or more of its characteristics via its wireless traffic. Fingerprinting can be used for network monitoring, identification, or intrusion detection systems. It might be triggered either by actively sending traffic to a target device, or by passively observing the traffic that is generated by the target device [11]. Fingerprinting uniquely identifies devices on a WLAN without using identifiers that can be easily spoofed, such as the Internet Protocol (IP) address and the Medium Access Control (MAC) address [12].

The deployed RAPs in all enterprise WLANs are approximately 20 percent of all APs [7],[13],[14]. As APs become cheaper, the ability to deploy them in WLANs maliciously has grown tremendously. Furthermore, it is difficult for the network administrator to detect RAPs visually since the RAPs are deployed as software-based APs generated by a portable device [15]. This is hazardous, as the RAP crafts a back door to the WLAN and compromises the security of the WLAN devices.

The scope of this paper covers the following sections: Section II introduces the related work; Section III explains the proposed technique; Section IV presents the fingerprint implementation and its results; and Section V discusses the conclusion and future work.

II. RELATED WORK

The authors in [2] use round-trip time to determine whether or not the given AP is legitimate. The RAP is detected because it relays the traffic to the DNS server via the actual AP. Therefore, the delay results from the two hops that occur between the user and the RAP, instead of the permanent one-hop process. However, the proposed solution needs further investigation because the authors focus only on one specific cause of the delay in a WLAN. There are various reasons that cause such a delay including, but not limited to, the WLAN medium’s exposure to interference and collisions. Thus, this scheme is neither accurate nor robust, especially in heavily loaded WLANs. Also, the proposed technique is more likely to detect the hotspot’s AP as an RAP.

Some researchers focus on hardware fingerprinting in order to detect RAPs based on the characteristics that uniquely identify the WLAN device. The authors in [16] propose a clock skew approach which extracts the Timing Synchronization Function (TSF) timestamp from beacon frames. In addition, [16] compares the beacon frame timestamp that is generated at the AP with the inter-arrival time of the frame at the user station. This technique is not robust for the same reasons as stated for the previous research paper: the WLAN medium varies and is susceptible to delay, especially under high traffic volume. In [17], the authors simulate the RAP to be launched while the attacker’s device has more than one Received Signal Strength Indicator (RSSI). The detection can be motivated by using the deviations of the two APs’ received signal strength. However, all the related work that uses hop detection depends on one scenario of RAP. They assume that the RAP relays traffic to the actual AP, which is not always the case.

Bratus et al. [18] use an active behavioral fingerprinting method adopted from TCP/IP fingerprinting.
This approach is implemented by network discovery and security auditing tools like Nmap [19], and applies a request-response active technique. This approach sends a request frame, and then waits for the response in order to determine how the devices react to fragmented or manipulated frames. This technique has its drawbacks: it uses active detection, which can be avoided by most attackers. Also, this technique can interfere with regular WLAN traffic.

In [11], the authors propose a passive technique that relies on the frame inter-arrival times to identify wireless devices. The frame inter-arrival time is the time interval between the reception of two in-order frames. The inter-arrival times of the frames are extracted from the Radiotap header. The technique implements the identification and similarity tests using WLAN traffic that has been collected in two different settings. This technique does not require modification of the standards and protocols. It also does not require updates to hardware or firmware, but it has some drawbacks regarding its accuracy and efficiency. It is not accurate; the detection rate of this technique is about 57%, which is not sufficient, especially in high traffic networks.

The work in [20],[21],[22] requires the modification of 802.11 standards or protocols. The authors of [20] introduce a protocol entitled “Secure Open Wireless Access”. It adopts the well-known protocol referred to as the Secure Socket Layer (SSL) to distribute certificates. The SSID of a given access point is considered a unique string and is associated with a certificate by a trusted Certification Authority (CA). The association between the certificate and the unique string can be used to authenticate the AP operator. The authors of [21],[22] propose an authentication method that is applied by using the Extensible Authentication Protocol (EAP), referred to as the Simple Wireless Authentication Technique (EAP-SWAT). It utilizes the Secure Shell’s (SSH) trust-on-first-use approach, thus the trust is certified for the first connection to the AP. Subsequently, the following connections to the AP can be ensured to be authenticated with the coexistence of the certificates. Due to deployment purposes, techniques that require standard or protocol modifications are not the optimal solutions. It is impossible to deploy the protocols in [20],[21],[22] because it is difficult to change the drivers and firmware of the supplicants and APs.

Some companies such as Air-Magnet [23] use wireless sniffing solutions. Sensors are deployed in the whole diameter of the network.
The sensors gather physical and data link layer information in order to detect RAPs in a distributed agent-server architecture [23],[24]. The collected information contains RF measurements, MAC addresses, signal strength, and AP control frames. This approach is very expensive because the analyzer system provided by Air-Magnet costs US $3,000.00 [7],[24]. Our technique is similar to AirMagnet in some aspects: it is passive, wireless-based, and does not require modification of standards or protocols.

III. THE PROPOSED FRAMEWORK

The framework consists of four stages. Each stage has a different task, and is dependent upon the previous stage. Fig. 1 illustrates the proposed framework for RAP detection and briefly explains each stage.

Algorithm 1: bfi Packet preprocessing
  for all fi do
    ignore (d1, d2…dn) ^ (c1, c2…cn)
    ignore other mi types from fci sub-layer
    match (m1 ^ bf1 …mn ^ bfn)
    if (sub-layer match is correct)
    end if
  end for
  return (bf1, bf2,..bfn)

[Fig. 1 flowchart: Passive WLAN Traffic Monitoring (capture 802.11 frames on monitoring node interface) → incoming frames → Packet Preprocessing (filter frames to keep only beacon frames information) → beacon frames → AP Info. Extraction and Buffering (extract and store MAC add., SSID, PLL in vectors) → AP info → RAP Detection and Alerting (evaluate the stored info using the detection algorithm)]

Fig. 1. The proposed framework for RAP detection

A. Passive WLAN Traffic Monitoring Stage

The monitoring node captures the network trace, which consists of the data, control, and management frames. The network interface card should be set to monitor mode to be able to capture and inject packets into the WLAN. The frame sequence is represented as f0, f1,…, fn-1. We are only interested in the management frames, so the data and control frames di and ci are disregarded after the monitoring stage.

B. Packet Preprocessing Stage

One type of management frame mi that is unique to APs, the beacon frame fbi, is preprocessed as shown in Algorithm 1. The APi sends out a sequence of beacon frames fb0, fb1,…, fbn-1, one every 0.1 second (i.e., 100 ms). Fig. 2 illustrates the 802.11 MAC Layer frame format and the frame control sub-layer. The beacon frame fbi is identified by the subtype bits 1000 within the management type mi, whose type bits are 00; both are extracted from the frame control fci sub-layer of the MAC layer frame.

C. AP Info. Extraction and Buffering Stage

The MAC address ID of the AP (i.e., APIdi) is extracted, as shown in Algorithm 2, from the Address 2 field in the MAC Layer frame (the SA field in Fig. 2). The service set identifier (SSID) is extracted from the data dai (frame body) sub-layer shown in Fig. 2. Lastly, the Radiotap length Ri of each fbi is examined. Each Ri contains physical-layer characteristics of the wireless card. The metadata of the Physical Layer (i.e., Ri) is extracted to get the header length, which is denoted by PLL and R interchangeably in the rest of the paper.

[Fig. 2 diagram: the MAC layer frame (Fra. Con., Duration, DA, SA, BSSID, SN, Data, FCS), the frame control bit fields (Ver., Type, SubT, To DS, Fr. DS, MF, R, Pwr, Mo, W, O), and the beacon frame body (TSt, Interval, Cap Info, SSID, FH, DS, CF, IBSS, TIM), each labelled with its size in bytes or bits]

Fig. 2. MAC Layer Frame Format

After extraction occurs, the extracted information (APIdi, SSIDi, and PLLi) for every specific AP is kept in a specific row Ρi:

(APIdi, SSIDi, and PLLi) ∈ Ρi

Every AP’s information that is referenced by Ρi is stored in bufferx:

(Ρ1, Ρ2, … Ρn) ∃ bufferx

Thus, bufferx contains three vectors which are the MAC Address of the AP, the Service Set Identifier (SSID), and the physical layer header length (PLL), so:

bufferx ∋ (v1, v2, and v3)

Every vector vi is represented as follows:

vi =

Algorithm 2: APi Info. Extraction
  for all bfi do
    get (APId1,…, APIdn) from dai ∈ bfi
    get (SSID1, …SSIDn)
    get (PLL1,…,PLLn)
  end for
  return (APIdi) ^ (PLLi) ^ (SSIDi)

D. RAP Detection and Alerting Stage

Algorithm 3 shows the detection stage that involves three vital tasks. The first task is to retrieve the buffer contents v1, v2, …, vn. As mentioned earlier, vi contains the AP information which are APIdi, SSIDi, and PLLi. The second task is to set a Threshold Value (TSV). The third task is comparing the PLL of every beacon frame with the TSV, and returning the information of Rogue Access Point if the alert is triggered.

Algorithm 3: Detecting RAP (RAPx)
  for all bufferx do
    retrieve (v1, v2 and v3)
    set TSV
    if PLL < TSV
      trigger an alert (RAPX) is detected
      output (Ρ1, Ρ2, … Ρn)
    else
      AP is legitimate (do nothing)
    end if
  end for

IV. SETUP AND IMPLEMENTATION

The test-bed of our experiment is divided into two subgroups. The first subgroup is the benign scenario that contains the legitimate AP and a set of wireless devices as shown in Fig. 3. The AP coordinates the wireless users and connects them to the wired side. The sniffer is configured in the diameter of the WLAN for monitoring and detecting purposes.

Fig. 3. Experiment setup for legitimate AP scenario

Fig. 4 shows the second subgroup which is the attacking scenario where the WLAN contains the RAP that is planted to lure users to connect to it. The RAP has the same SSID as the legitimate one. It can spoof the MAC address of the legitimate AP. It sets the DHCP server to provide IP addresses to users automatically and the DNS server to connect the users to the Internet. The sniffer is configured in the WLAN diameter to monitor traffic and detect the RAP.

Fig. 4. Experiment setup for the RAP scenario
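The four stages of Section III (Algorithms 1 to 3) can be followed end to end on raw capture bytes. The sketch below is an added example, not the authors' implementation: it reads the Radiotap length, keeps only beacon frames, extracts Address 2 and the SSID, and applies the PLL < TSV rule. The MAC address, the SSID "CorpNet" and the sample frames are constructed, and the TSV of 15.5 is one value inside the 13.1 to 18 byte range the paper reports as usable.

```python
import struct

MGMT_TYPE, BEACON_SUBTYPE = 0b00, 0b1000   # type/subtype bits named in Section III-B

def parse_beacon(pkt: bytes):
    """Stages 2-3: return (ap_mac, ssid, pll) for a beacon frame, else None."""
    if len(pkt) < 8:
        return None
    # Radiotap starts with version (u8), pad (u8), header length (u16, little-endian).
    version, _pad, pll = struct.unpack_from("<BBH", pkt, 0)
    if version != 0 or pll < 8 or len(pkt) < pll + 24:
        return None                          # malformed or truncated capture
    mac = pkt[pll:]                          # 802.11 MAC frame follows the Radiotap header
    ftype, subtype = (mac[0] >> 2) & 0b11, (mac[0] >> 4) & 0b1111
    if ftype != MGMT_TYPE or subtype != BEACON_SUBTYPE:
        return None                          # data, control and other management frames
    ap_mac = mac[10:16].hex(":")             # Address 2 (SA)
    body, pos = mac[24:], 12                 # skip timestamp(8) + interval(2) + capability(2)
    while pos + 2 <= len(body):              # walk the tagged elements
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            return None                      # element runs past the end of the frame
        if eid == 0:                         # element ID 0 carries the SSID
            return ap_mac, value.decode("utf-8", "replace"), pll
        pos += 2 + elen
    return None

def detect_raps(packets, tsv):
    """Stage 4 (Algorithm 3): rows whose PLL is below the threshold value TSV."""
    buffer = {}                              # row (APId, SSID, PLL) -> beacon count
    for pkt in packets:
        row = parse_beacon(pkt)
        if row is not None:
            buffer[row] = buffer.get(row, 0) + 1
    return sorted(row for row in buffer if row[2] < tsv)

# ---- constructed sample capture (not real traffic) ----
def _radiotap(length):
    # Only version/pad/length are meaningful here; zero bytes stand in for the fields.
    return struct.pack("<BBHI", 0, 0, length, 0) + bytes(length - 8)

def _frame(fc0, src, body=b""):
    # frame control, duration, DA (broadcast), SA, BSSID, sequence control
    return bytes([fc0, 0]) + bytes(2) + b"\xff" * 6 + src + src + bytes(2) + body

def _beacon_body(ssid):
    return bytes(8) + struct.pack("<HH", 100, 0x0401) + bytes([0, len(ssid)]) + ssid.encode()

AP_MAC = bytes.fromhex("aabbcc000001")       # hypothetical address, cloned by the RAP
SAMPLE = [
    _radiotap(18) + _frame(0x80, AP_MAC, _beacon_body("CorpNet")),  # legitimate beacon
    _radiotap(18) + _frame(0x08, AP_MAC, b"payload"),               # data frame: ignored
    _radiotap(18) + _frame(0x50, AP_MAC, _beacon_body("CorpNet")),  # probe response: ignored
    _radiotap(13) + _frame(0x80, AP_MAC, _beacon_body("CorpNet")),  # cloned beacon, PLL 13
    _radiotap(12) + _frame(0x80, AP_MAC, _beacon_body("CorpNet")),  # cloned beacon, PLL 12
    _radiotap(18)[:10],                                             # truncated capture
]

if __name__ == "__main__":
    for mac, ssid, pll in detect_raps(SAMPLE, tsv=15.5):
        print(f"ALERT: RAP beacon  MAC={mac}  PLL={pll}  SSID={ssid}")
```

Because the cloned beacons carry the same MAC address and SSID as the legitimate AP, the PLL column is the only field that separates the rows in the buffer.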

A. Hardware and Software Description

The experiment is set up in three different locations with similar network topology as in Fig. 3 and Fig. 4. Two laptops are used in the first location for distinctive purposes. Each laptop is running two operating systems. The first operating system is Windows 7, and the other one is a Linux-based operating system installed on a virtual machine. Two wireless cards are used in the first laptop. One wireless card acts as a hacking machine that plants the RAP and deceives the wireless users into connecting to it, and the other wireless card can relay packets to the legitimate AP. In the second laptop, one wireless card acts as the WLAN user that associates with one of the legitimate APs, and the other wireless card acts as the monitor node. Seven APs are scanned, and two APs (i.e., phishing RAPs) using the same computer and the same virtual machine are configured as RAPs. One of the virtual machines is a VirtualBox machine running a Debian Linux-based operating system, and the other one is VMware, also running a Debian Linux-based operating system. The VirtualBox machine acts as a hacker that plants the RAP and generates bfs in the WLAN. The VMware machine acts as the monitor node that observes the traffic, filters the needed frames, extracts the desired parameters, and alerts on the RAPs in the WLAN diameter. The monitor node and the hacker machines use plug-and-play wireless cards that can sniff the air and generate packets in the WLAN.

V. RESULTS AND DISCUSSION

Using the fingerprint technique requires fingerprint analysis and utilizing the training phase [25],[26] that is introduced in subsection i. The discussion is presented in subsection ii.

i. Training Phase

The training phase shown in Table 1 acquires a trace from the monitor station, which is placed in a good area that covers the whole WLAN diameter. The trace is gathered in a short period of time to analyze the candidate parameter and to see whether it is efficient enough to detect the RAP in approximately 100 ms. The fingerprint is PLLi, which is sent encapsulated in a bf by the APi every 100 ms in the ideal situation. Other parameters are used to measure the expected detection time dtime, based on the number of beacon frames Nbf that are sent in the training phase duration tpduration. The actual training duration tpduration for the whole trace is 38.468 sec, and the number of fi is 2,468, of which 1,739 are bfi. The training phase helps us to anticipate the dtime and set the TSV.

Table 1. Training Phase (values per APi)

APi    tpduration (Sec)    Nbf    PLLi (Byte)
APA    37.887              278    18
APB    37.975              756    378 (13)-378 (12)
APC    38.401              115    18
APD    36.757              192    18
APE    37.887              205    18
APF    36.761              176    18
APG    19.251              8      18
APH    38.401              386    193 (13)-193 (8)
API    5.425               2      18

To determine the dtime, the ideal case has to be considered with the nearest AP to the monitor node, to avoid packet loss caused by interference and the other obstacles that a WLAN has. The chosen AP is APA, which sends 278 bf in 37.887 sec. The average time for APA to send a bf is approximately 136 ms, which deviates from the default value of 100 ms by exactly 36 ms, and that is probably due to the interference and the delay that could happen in the medium. However, some hackers who set RAPs need the victims to associate with the RAP as soon as possible to get sensitive information, and need to advertise their presence before the legitimate AP appears in the victim SSID list. The RAP floods the network diameter with bfs in a short period of time. To set the dtime, we should consider the length of time that is expected before receiving the first bf after the hacker sets up the RAP in a WLAN diameter.

dtime =

× 1000

APB is configured as an RAP and, as shown in Table 1, it sends 756 bf in 37.975 sec, an average of 50 ms, which is the dtime to detect the RAP in the best case scenario for hackers who set the RAP using similar software and a plug-and-play Network Interface Card (NIC). This AP sends duplicate beacon frames with the same sequence number: one beacon frame with an Ri of 12 bytes and the other beacon frame with an Ri of 13 bytes.

To set the TSV, the PLL should be considered carefully. There is a gap of five bytes between the maximum PLL of RAPs, as shown in the second AP in Fig. 5, and the minimum PLL of legitimate APs (i.e., first, third, fourth, fifth, sixth, seventh, and ninth APs). Any TSV between 13.1 and 18 bytes is usable and produces 100 percent accuracy, zero False Positives (FPs), and zero False Negatives (FNs) for the APs in the training phase.

A False Positive is the misidentification of a legitimate AP as an RAP. A False Negative, on the other hand, is the missed detection of the existence of an RAP [13],[27]. Initially, an arbitrary threshold (i.e., the mean of PLLi) is considered as follows:

TSVarbitrary =



Although this setting achieves high accuracy, it is not always the case. If we set the TSV like this, the FP rate increases, especially when there are some APs with a PLL of greater than or equal to 26 bytes that some wireless cards capture.

Fig. 5. The PLL of legitimate vs. RAP

To be accurate and to reduce the possibility of the accuracy dropping by one or more percent, a more reasonable TSV should be considered for different environments and for a larger dataset. Thus, the ideal threshold value is considered the average of the deviation between the maximum PLL of the RAP RAPPLLMAX and the minimum PLL of the legitimate AP LegitimatePLLMIN. We believe this TSV works in any environment and for large datasets.

TSVideal =

ii. Discussion

The detection algorithm is tested using three locations of 9, 12, and 15 APs respectively, as shown in Fig. 6. The detection algorithm and the selected TSV achieve 100% accuracy. All the legitimate APs are confirmed positively as legitimate, whereas all the RAPs are detected.

Fig. 6. Testing the accuracy of the detection algorithm
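The threshold selection from the training phase can be worked through on the Table 1 values; this is an added example, not the authors' code. It assumes dtime is tpduration / Nbf × 1000 (which reproduces the 136 ms and 50 ms averages quoted in the text), reads TSVarbitrary as the mean of the observed PLL values, and reads TSVideal as the midpoint between the RAP maximum and the legitimate minimum. The four 26-byte APs are constructed to show the false-positive case the text describes.

```python
from statistics import mean

# Table 1 of the paper: AP -> (tpduration in s, Nbf, PLL values seen in its beacons)
TRAINING = {
    "APA": (37.887, 278, [18]), "APB": (37.975, 756, [13, 12]),
    "APC": (38.401, 115, [18]), "APD": (36.757, 192, [18]),
    "APE": (37.887, 205, [18]), "APF": (36.761, 176, [18]),
    "APG": (19.251, 8, [18]),   "APH": (38.401, 386, [13, 8]),
    "API": (5.425, 2, [18]),
}
ROGUE = {"APB", "APH"}   # the second and eighth APs are the RAPs in the paper

def dtime_ms(ap, data=TRAINING):
    """Average beacon spacing in ms (assumed form: tpduration / Nbf * 1000)."""
    duration, nbf, _ = data[ap]
    return duration / nbf * 1000

def pll_gap(data, rogue=ROGUE):
    """(max PLL among RAP beacons, min PLL among legitimate beacons)."""
    rap = [p for ap, (_, _, plls) in data.items() if ap in rogue for p in plls]
    legit = [p for ap, (_, _, plls) in data.items() if ap not in rogue for p in plls]
    return max(rap), min(legit)

def tsv_mean(data):
    """One reading of the 'arbitrary' threshold: mean of all observed PLL values."""
    return mean(p for _, _, plls in data.values() for p in plls)

def tsv_midpoint(data, rogue=ROGUE):
    """Assumed reading of TSVideal: halfway between RAP max and legitimate min."""
    rap_max, legit_min = pll_gap(data, rogue)
    return (rap_max + legit_min) / 2

def evaluate(tsv, data, rogue=ROGUE):
    """Apply Algorithm 3's rule (alert if PLL < TSV); return (FP, FN) counts."""
    fp = fn = 0
    for ap, (_, _, plls) in data.items():
        for pll in plls:
            alert = pll < tsv
            fp += alert and ap not in rogue          # legitimate beacon flagged
            fn += (not alert) and ap in rogue        # RAP beacon missed
    return fp, fn

# Hypothetical second environment: the same trace plus four legitimate APs whose
# beacons are captured with a 26-byte header (durations and counts are constructed).
WITH_LONG_HEADERS = dict(TRAINING, **{f"APX{i}": (38.0, 280, [26]) for i in range(4)})

if __name__ == "__main__":
    for ap in ("APA", "APB"):
        print(f"{ap}: dtime = {dtime_ms(ap):.0f} ms")
    print("usable TSV lies above", pll_gap(TRAINING)[0], "and up to", pll_gap(TRAINING)[1])
    for name, data in (("training", TRAINING), ("with 26-byte APs", WITH_LONG_HEADERS)):
        for label, tsv in (("mean", tsv_mean(data)), ("midpoint", tsv_midpoint(data))):
            fp, fn = evaluate(tsv, data)
            print(f"{name:17s} {label:8s} TSV={tsv:5.2f}  FP={fp}  FN={fn}")
```

On the training data both thresholds separate the two groups; once the 26-byte APs pull the mean above 18 bytes, every 18-byte legitimate AP is flagged, while the midpoint stays at 15.5 bytes.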

The authors in [7] suggest desired characteristics and provide direction for valuable RAP detection. Our proposed framework satisfies the majority of the suggested characteristics. The technique is deployable and does not require modification to firmware or devices. It is also passive; there is no need to actively probe the attacker device or add to the WLAN traffic.

The technique relies on difficult to forge characteristics that belong to the physical layer. Changing the length of Radiotap [28] requires changing several fields that belong to the physical layer such as Antenna, Channel Frequency, Channel Type, Transmission Power, and RSSI. Every single field in the Radiotap header is hard to spoof. Radiotap length is concatenated to each packet. It does not depend on traffic density or mutable information that can vary from network to network. Furthermore, it only depends on beacon frames, which are specialized frames that are sent by APs, and they are the first frames to be sent from the RAP after the hacker plants it in the network diameter.

Every single field in the Radiotap header is hard to spoof. Radiotap or Prism headers are generated by the receiving wireless card; so spoofing any field in these headers requires changing the behavior of that field [11]. Radiotap header is concatenated to each packet. It does not depend on traffic density or mutable information that can vary from network to network. Furthermore, it only depends on beacon frames, which are specialized frames that are sent by APs, and they are the first frames to be sent from the RAP after the hacker plants it in the network diameter.

Fig. 7 illustrates one of the RAPs that is detected in location 2. In the second column the MAC address of the RAP appears, the third column shows the PLL. The fourth column shows the SSID. In our attacking scenario, we cloned the SSID of one of the legitimate APs (i.e., APA).

The unique and hard to spoof identifier is the PLL, which appears in the third column. The PLL of the RAP is 12 bytes, while the PLL of the legitimate AP is 18 bytes.

Fig. 7. RAP is detected in Location 2

The comparison between our technique and some similar existing techniques is shown in Table 5. Three valuable factors have been taken into consideration to analyze the performance of the existing techniques. In addition to our technique, three techniques are passive and do not add traffic to the WLAN. Only two techniques require standards or protocols modification, which are SOWA and EAP-SWAT. Our technique outperforms all the other techniques in accuracy. Our technique has been implemented on a specific chipset and USB wireless card brand. The wireless card has been placed in monitor mode and injects beacon frames into the WLAN.

Table 5. Comparison with existing techniques

Technique             Passive    Accuracy    No Pr. Mod.
DNS Ser. two hops     -          60%         ✓
Signal Strength       ✓          97%         ✓
Frame Arrival time    ✓          57%         ✓
Clock Skew            ✓          90%         ✓
SOWA                  -          NA          -
EAP SWAT              -          NA          -
PLL Fingerprint       ✓          100%        ✓

No Pr. Mod.: No protocol or standard modification is required

VI. CONCLUSION AND FUTURE WORK

The simplicity of configuring RAP creates a real security threat to WLAN devices. There are several existing techniques to detect RAP; however, they are not efficient, and some of them lack accuracy. Some of the techniques require actively adding traffic to the WLAN. A novel passive fingerprinting technique was used and implemented in this paper by exploiting the characteristics of the NIC of the attacker who plants the RAP. The robustness of the algorithm and the TSV were investigated by testing the detection algorithm in three locations; the algorithm proved to be robust and consistent. This technique can be used to detect different WLAN attacks such as disassociation DoS attacks and deauthentication DoS attacks. It also can be used to identify and track WLAN devices. In our future work, we will apply this technique in disassociation and deauthentication attacks.

REFERENCES

1. Chiapin Wang; Tientsung Tai, "Achieving time-based fairness for VoIP applications in IEEE 802.11 WLAN using a cross-layer approach," Personal Indoor and Mobile Radio Communications (PIMRC), 2010 IEEE 21st International Symposium on, pp. 1475-1480, 26-30 Sept. 2010.
2. Hao Han; Bo Sheng; Tan, C.C.; Qun Li; Sanglu Lu, "A Timing-Based Scheme for Rogue AP Detection," Parallel and Distributed Systems, IEEE Transactions on, vol. 22, no. 11, pp. 1912-1925, Nov. 2011.
3. L. Ma, A.Y. Teymorian, and X. Cheng, "A Hybrid Rogue Access Point Protection Framework for Commodity Wi-Fi Networks," Proc. IEEE INFOCOM, 2008.
4. W. Wei, K. Suh, B. Wang, Y. Gu, J. Kurose, and D. Towsley, "Passive Online Rogue Access Point Detection Using Sequential Hypothesis Testing with TCP ACK-Pairs," Proc. Seventh ACM SIGCOMM Conf. Internet Measurement (IMC), 2007.
5. H. Yin, G. Chen, and J. Wang, "Detecting Protected Layer-3 Rogue APs," Proc. Fourth IEEE Int'l Conf. Broadband Comm., Networks, and Systems (BROADNETS '07), 2007.
6. S. Shetty, M. Song, and L. Ma, "Rogue Access Point Detection by Analyzing Network Traffic Characteristics," Proc. IEEE Military Comm. Conf. (MILCOM '07), 2007.
7. Beyah, R.; Venkataraman, A., "Rogue-Access-Point Detection: Challenges, Solutions, and Future Directions," Security & Privacy, IEEE, vol. 9, no. 5, pp. 56-61, Sept.-Oct. 2011.
8. Hao Han; Bo Sheng; Tan, C.C.; Qun Li; Sanglu Lu, "A Measurement Based Rogue AP Detection Scheme," INFOCOM 2009, IEEE, pp. 1593-1601, 19-25 April 2009.
9. Chao Yang; Yimin Song; Guofei Gu, "Active User-Side Evil Twin Access Point Detection Using Statistical Techniques," Information Forensics and Security, IEEE Transactions on, vol. 7, no. 5, pp. 1638-1651, Oct. 2012.
10. Yimin Song; Chao Yang; Guofei Gu, "Who is peeping at your passwords at Starbucks? — To catch an evil twin access point," Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on, pp. 323-332, June 28 2010-July 1 2010.
11. C. Neumann, O. Heen, and S. Onno, "An empirical study of passive 802.11 device fingerprinting," in Distributed Computing Systems Workshops (ICDCSW), 2012 32nd International Conference on, June 2012, pp. 593-602.
12. Uluagac, A.S.; Radhakrishnan, S.V.; Corbett, C.; Baca, A.; Beyah, R., "A passive technique for fingerprinting wireless devices with Wired-side Observations," Communications and Network Security (CNS), 2013 IEEE Conference on, pp. 305-313, 14-16 Oct. 2013.
13. Shivaraj, G.; Min Song; Shetty, S., "A Hidden Markov Model based approach to detect Rogue Access Points," Military Communications Conference, 2008. MILCOM 2008. IEEE, pp. 1-7, 16-19 Nov. 2008.
14. Kim, M-S., Kang, H.-J., Hung, S.-C., Chung, S.-H., and Hong, J.W., "A Flow-based Method for Abnormal Network Traffic Detection," IEEE/IFIP Network Operations and Management Symposium, Seoul, 2004.
15. Soft AP Solutions White paper [Online]. Available: http://www.marvell.com/products/wireless/softap.jsp.
16. C. Arackaparambil, S. Bratus, A. Shubina, and D. Kotz. On the Reliability of Wireless Fingerprinting Using Clock Skews. In Third ACM Conference on Wireless Network Security (WiSec'10), 2010.
17. T. Kim, H. Park, H. Jung, and H. Lee. Online Detection of Fake Access Points Using Received Signal Strengths. In 75th IEEE Vehicular Technology Conference (VTC Spring 2012), 2012.
18. S. Bratus, C. Cornelius, D. Kotz, and D. Peebles. Active Behavioral Fingerprinting of Wireless Devices. In Proceedings of the First ACM Conference on Wireless Network Security (WiSec'08), 2008.
19. Nmap. http://www.nmap.org/.
20. T. Cross and T. Takahashi. Secure Open Wireless Access. In Black Hat USA 2011.
21. K. Bauer, H. Gonzales, and D. McCoy. Mitigating Evil Twin Attacks in 802.11. In 1st IEEE International Workshop on Information and Data Assurance (WIDA 2008) in conjunction with the 27th IEEE International Performance Computing and Communications Conference (IPCCC 2008), Austin, TX, USA, December 2008.
22. H. Gonzales, K. Bauer, J. Lindqvist, D. McCoy, and D. Sicker. Practical Defenses for Evil Twin Attacks in 802.11. In IEEE Globecom Communications and Information Security Symposium (Globecom 2010), Miami, FL, December 2010.
23. "Tired of Rogues: Solutions for Detecting and Eliminating Rogue Wireless Networks," white paper, Air-Defense, 2009.
24. "Best Practices for Securing Your Wireless LAN," white paper, AirMagnet, 2004.
25. M. Bshara, U. Orguner, F. Gustafsson, L.V. Biesen, "Fingerprint localization in wireless networks based on received signal strength measurements: A case study on WiMAX networks," IEEE Trans. Vehicular Technology, vol. 59, no. 1, pp. 283-294, Jan. 2010.
26. Le, T.M.; Ren Ping Liu; Hedley, M., "Rogue access point detection and localization," Personal Indoor and Mobile Radio Communications (PIMRC), 2012 IEEE 23rd International Symposium on, pp. 2489-2493, 9-12 Sept. 2012.
27. Chaudhary, A.; Kumar, A.; Tiwari, V.N., "A reliable solution against Packet dropping attack due to malicious nodes using fuzzy Logic in MANETs," Optimization, Reliabilty, and Information Technology (ICROIT), 2014 International Conference on, pp. 178-181, 6-8 Feb. 2014.
28. Radiotap. http://www.Radiotap.org/