Thesis/Dissertation 965402020: Detailed Record




Name: 徐裕量 (Yu-Liang Hsu)   Department: Department of Computer Science and Information Engineering
Thesis title: Gemini detector-Client side solutions to detect the evil twin access point
(Original title: 雙基地台偵測-客戶端偵測惡意無線基地台機制)
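Files
  1. The access permission for this electronic thesis is immediate open access.
  2. Electronic full texts that have reached their open-access date are licensed to users only for personal, non-profit searching, reading, and printing for the purpose of academic research.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China. Do not reproduce, distribute, adapt, repost, or broadcast the work without authorization, so as to avoid breaking the law.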

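Abstract (translated from Chinese) More and more devices today access network information over wireless networks, and information exchanged over the air is easily attacked by malicious attackers. We therefore propose three user-side detection mechanisms, two passive and one active, to detect whether an evil twin access point (Evil Twin) is present in the environment. Evil twins can cause various kinds of security problems, such as fraud, capture of user information, and man-in-the-middle attacks. Because evil twins pose a very serious security threat, many solutions have already been proposed. However, most of them are designed for detection from the administrator's side, and such solutions are usually expensive or need large amounts of data to reach a verdict, rather than addressing evil twins from the user's side. We propose two methods that let the user side detect whether an evil twin is forwarding packets, in public areas or in unencrypted wireless network environments. The first observes whether transmitted packets are being forwarded, and is called ET Detector. The second uses information from the TCP three-way handshake to determine whether an evil twin is forwarding network packets on to a legitimate access point, and is called LAF. Because ET Detector and LAF do not actively send probing packets, an evil twin cannot notice their presence. If the malicious access point that an attacker sets up in a public area reaches the network not through a legitimate access point but through a 3G/4G connection, we propose the RAF method to counter this kind of malicious access point (Rogue AP). With RAF, the user sends packets in an environment with two access points that share the same SSID, and a server on the network examines the paths of the two received packets to determine whether there is an illegitimate access point in the user's environment. Together, these three detection methods can improve the security of using wireless networks in public areas.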
Abstract (English) This paper proposes two passive and one active user-side solutions, called Evil Twin Detector (ET Detector), Wi-Fi Legal AP Finder (LAF) and Wi-Fi Malicious Rogue AP Finder (RAF), to the notorious evil twin access point problem, which in turn can result in diverse security problems, such as fraud, identity theft, and man-in-the-middle attacks.
Due to the severe security threats created by evil twins, many promising solutions have been proposed. However, the majority of these solutions are designed for the administrators of wireless networks, not for Wi-Fi users. Hence, they are either too expensive or need some data that are usually not accessible to normal users. ET Detector detects wireless packets and forwarding behavior. LAF utilizes the TCP three-way handshake-related packets and the packet forwarding property created by evil twins to find legal APs, called good twins, at public hotspots or unencrypted WLANs; thus, it does not need any data or assistance from wireless network administrators. LAF does not send exploring packets actively; hence, evil twins cannot sense its existence. If the evil twin connects to the Internet through a 3G/4G network, LAF cannot collect the TCP packets between the evil twin and the Internet. RAF utilizes the routing path to find the rogue AP; the routing path is not the same for a good AP and a rogue AP. No matter when and where a user needs to utilize an AP to connect to the Internet at a hotspot, the user can use ET Detector, LAF and RAF to find a good twin AP to connect to.
Keywords ★ Wireless
★ Evil twin
★ Rogue AP
Table of contents
1. Introduction
2. Related Work
2.1 Radio Frequency Sniffing
2.2 Gateway-side Detection
2.3 Active Client-Side Detection
3. Proposed Solutions and Mechanisms
3.1 Evil Twin Detection Algorithm
3.1.1 Monitor Mode
3.1.2 ET Detector
3.1.3 Detection Algorithm
3.2 Wi-Fi Legal AP Finder Mechanisms
3.2.1 Packet Forwarding
3.2.2 Design Principle and LAF Algorithm
3.2.3 Correctness Analysis of LAF Algorithm
3.3 Malicious Rogue AP Finder Mechanisms
3.3.1 Route Path
3.3.2 Design Principle and RAF Algorithm
4. Evaluation
4.1 Evaluation of ET Detector
4.1.1 TCP/IP Connection Establishment Pattern
4.1.2 Evaluation of Detection Accuracy
4.1.3 Time Efficiency
4.2 Evaluation of LAF
4.2.1 TCP/IP Connection Establishment Pattern
4.2.2 Discussion of TRTT and Tforward
4.2.3 Accuracy of LAF under Various Situations
4.3 Evaluation of RAF
4.3.1 Reverse Traceroute Services
4.3.2 Accuracy of RAF
5. Discussion
5.1 Discussion for ET Detector
5.1.1 Limitation
5.1.2 Analysis
5.1.3 Future Work
5.2 Discussion for LAF
5.3 Discussion for RAF
5.3.1 Future Work
6. Conclusion
6.1 ET Detector
6.2 LAF
6.3 RAF
Bibliography
Advisor: 許富皓 (Fu-Hau Hsu)   Approval date: 2016-7-26

For questions about this thesis, please contact the Extension Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.