Research On Rogue Access Point Detection Using TCP Local Delay Jitter

Posted on: 2009-10-31
Degree: Master
Type: Thesis
Country: China
Candidate: T T He
GTID: 2178360242490875
Subject: Computer application technology
Abstract/Summary:
In recent years, 802.11-based Wireless Local Area Networks (WLANs) have been deployed widely in schools, airports and corporations because they are easy to install, flexible to use and easy to expand. Wireless network access is a great convenience to users, but it also exposes the enterprise network to a barrage of security vulnerabilities. The problem is magnified by the fact that inexpensive wireless access points can easily be installed in an enterprise network without the approval or knowledge of network administrators. These devices, termed rogue (unauthorized) access points (APs), unintentionally become an open door for any malicious individual who wants to gain access to the network, and pose a great threat to the local network. To protect wireless LANs from unauthorized access, rogue AP detection has become an essential capability for every organization and has received significant attention from academic researchers.

This thesis gives a comprehensive review of techniques for rogue AP detection. The analysis of current research shows that, despite a number of recent results, there is still much room for improvement in practical rogue AP detection methods. The thesis proposes a novel metric, TCP Local Delay Jitter, which can be used to determine a host's access network type (either WLAN or Ethernet). Depending on whether a training set of TCP Local Delay Jitter for wireless connections is available in the monitored network, two different rogue AP detection methods are proposed. The main contributions of this thesis are as follows:

1. Motivated by an analysis of the intrinsic characteristics of TCP Local Delay Jitter from Ethernet and WLAN hosts, this thesis develops a novel algorithm for rogue AP detection that uses training sets of wireless connections. In the training phase, the algorithm obtains the prior probability distribution of wireless TCP Local Delay Jitter from the training set of wireless connections. Because the core of the rogue AP detection scheme is online determination of a host's access network type, an Improved Sequential Hypothesis Testing is proposed for the phase in which the access network type is determined. Offline and online experiments demonstrate that, with the proposed algorithm, the correct detection ratio on WLAN is more than 99.96% with less than 3.4% of false positives. In addition, the algorithm can detect more than 94.7% of the wireless hosts.

2. To obtain the prior probability distribution of wireless connections' TCP Local Delay Jitter in scenarios where a training set for wireless connections is not available a priori (e.g., for organizations with no wireless networks), an analytical model of the TCP Local Delay Jitter for wireless connections is derived from an analysis of the IEEE 802.11 MAC DCF (Distributed Coordination Function) and a Markov chain model. Experiments show that this analytical model is consistent with the distribution of TCP Local Delay Jitter measured from actual wireless connection flows. Using this analytical model, a novel rogue AP detection method is proposed. Because it does not require a training data set of wireless connections, this method is suitable for scenarios where such a training set is not available. Offline and online experiments demonstrate that the correct detection ratio on Ethernet of this algorithm is more than 99.53%, while the median detection time for a detection on WLAN is less than 5.762s. In addition, this algorithm can detect more than 85.71% of the wireless hosts.
Keywords/Search Tags: Rogue Access Point, Delay Jitter, Sequential Hypothesis Testing, DCF (Distributed Coordination Function)
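
An added illustration, not code from the thesis: the training phase and online access-network-type decision described in the abstract, shown with the standard Wald sequential probability ratio test rather than the thesis's Improved Sequential Hypothesis Testing, whose details the abstract does not give. The bin edges, training samples, error targets and function names are constructed for the example, and the jitter values are assumed to be already measured (in ms).

```python
import math
from bisect import bisect_right

# Constructed values for illustration only; none of them come from the thesis.
BIN_EDGES = [0.1, 0.5, 1.0, 2.0, 5.0]   # jitter bins in ms: <0.1, 0.1-0.5, ..., >=5.0
WLAN_TRAIN = [0.3, 0.8, 1.2, 1.7, 2.4, 3.1, 0.6, 4.2, 6.0, 1.1, 2.8, 0.9]
ETH_TRAIN = [0.02, 0.05, 0.04, 0.08, 0.12, 0.03, 0.06, 0.2, 0.07, 0.05, 0.09, 0.6]

def histogram(samples, edges=BIN_EDGES):
    """Training phase: per-bin probabilities with add-one smoothing,
    so an unseen bin never yields a zero probability (and an infinite ratio)."""
    counts = [1] * (len(edges) + 1)
    for s in samples:
        counts[bisect_right(edges, s)] += 1
    total = sum(counts)
    return [c / total for c in counts]

P_WLAN = histogram(WLAN_TRAIN)
P_ETH = histogram(ETH_TRAIN)

def sprt(jitters, p_wlan=P_WLAN, p_eth=P_ETH, alpha=0.01, beta=0.01, edges=BIN_EDGES):
    """Wald SPRT. H1: host is behind a WLAN link, H0: host is on Ethernet.
    alpha is the target false-positive rate, beta the target false-negative rate.
    Returns (decision, samples_used); 'undecided' means the data ran out first."""
    upper = math.log((1 - beta) / alpha)   # at or above: accept H1
    lower = math.log(beta / (1 - alpha))   # at or below: accept H0
    llr = 0.0
    for n, j in enumerate(jitters, start=1):
        b = bisect_right(edges, j)
        llr += math.log(p_wlan[b] / p_eth[b])   # add this sample's evidence
        if llr >= upper:
            return "wlan", n
        if llr <= lower:
            return "ethernet", n
    return "undecided", len(jitters)

if __name__ == "__main__":
    # Constructed online streams of jitter samples for three hosts.
    for name, stream in [("host-a", [1.5, 0.7, 2.2, 3.0, 1.1]),
                         ("host-b", [0.04, 0.06, 0.03]),
                         ("host-c", [0.04, 1.5])]:
        print(name, sprt(stream))
```

The test stops as soon as the accumulated log-likelihood ratio crosses either threshold, so detection time is measured in samples consumed rather than fixed in advance.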