Title :
RAPiD: An indirect rogue access points detection system
Author :
Qu, Guangzhi ; Nefcy, M.M.
Author_Institution :
Comput. Sci. & Eng. Dept., Oakland Univ., Rochester, MI, USA
Abstract :
Rogue wireless access points (RWAPs) bypass physical endpoint security of local area networks and present significant security threats by creating network attack vectors behind firewalls, exposing confidential information, and allowing unauthorized utilization of network resources. A family of more promising methods detects RWAPs indirectly by identifying unauthorized wireless hosts using temporal TCP/IP characteristics of SYN, FIN, and ACK local round trip times (LRTT). Thus any unauthorized wireless hosts found indicate the presence of a RWAP. With these session-based temporal characteristics, traffic from wireless and wired nodes can be differentiated by exploiting the fundamental differences between Ethernet and 802.11b/g/n. In this work, we empirically analyzed extensive LRTT data and designed a light system, RAPiD, with several algorithms for effective wireless hosts detection. Ultimately, SYN, FIN, and ACK LRTTs can be compared against each other to discover wireless hosts regardless of network speeds. The results show for the first time how merging 802.11n wireless technology can still be accurately separated from Ethernet hosts, even as it continues to improve.
Keywords :
authorisation; computer network security; telecommunication traffic; transport protocols; wireless LAN; 802.11b/g/n; 802.11n wireless technology merging; ACK local round trip times; Ethernet; FIN; RAPiD; SYN; firewall; indirect rogue access points detection system; local area network; network attack vector; physical endpoint security; rogue wireless access points; security threat; session-based temporal characteristics; temporal TCP/IP characteristics; traffic; unauthorized wireless host identification; wireless hosts detection; Classification algorithms; Communication system security; Equations; Ethernet networks; IP networks; Logic gates; Wireless communication; 802.11b/g/n; Rogue Access Point; TCP/IP; Temporal Analysis;
Conference_Title :
Performance Computing and Communications Conference (IPCCC), 2010 IEEE 29th International
Conference_Location :
Albuquerque, NM
Print_ISBN :
978-1-4244-9330-2
DOI :
10.1109/PCCC.2010.5682342