Association attacks: Identifying association protocols

In this paper, we examine the problem of identifying different association protocols based on client probing patterns. We take the view point of an attacker, who aims to trick certain clients to switch their association to a compromised AP, so that the attacker can easily perform various attacks, such as passing false management frames and stealing client information. In order to do that, the attacker must know what association protocol the client is using since it determines the clients switching criteria. Therefore, the attacker must be able to identify the association protocol by monitoring the network traffic. We investigated methods to identify four association protocols and propose an approach which combines k-means clustering and Gaussian fitting to classify the association protocols based on probing patterns. We tested the designed scheme on traffic traces for a variety of network scenarios. We also designed a method to quantify the likelihood of the identification using confidence intervals. Results show that the proposed method can correctly identify association protocols. Further interpretation of the results also reveals information regarding important metrics of the clients chosen association protocol.