DocumentCode :
2398184
Title :
A Hidden Markov Model based approach to detect Rogue Access Points
Author :
Shivaraj, Gayathri ; Song, Min ; Shetty, Sachin
Author_Institution :
Dept. of Electr. & Comput. Eng., Old Dominion Univ., Norfolk, VA
fYear :
2008
fDate :
16-19 Nov. 2008
Firstpage :
1
Lastpage :
7
Abstract :
One of the most challenging security concerns for network administrators is the presence of rogue access points. In this paper, we propose a statistical based approach to detect rogue access points using a hidden Markov model applied to passively measured packet-header data collected at a gateway router. Our approach utilizes variations in packet inter-arrival time to differentiate between authorized access points and rogue access points. We designed and developed our hidden Markov model by analyzing denial of service attacks and the traffic characteristics of 802.11 based wireless local area networks. Experimental validations demonstrate the effectiveness of our approach. Our trained Hidden Markov Model can detect the presence of a rogue access point promptly within one second with extreme accuracy (very low false positive and false negative ratios are obtained). The success of our approach lies in the fact that it leverages knowledge about the behaviour of the traffic characteristics of 802.11 based WLANs and properties of denial of service attacks. Our approach is scalable and non-intrusive, requiring little deployment cost and effort, and is easy to manage and maintain.
Keywords :
hidden Markov models; internetworking; security of data; telecommunication network routing; telecommunication security; telecommunication traffic; wireless LAN; 802.11 based wireless local area networks; WLAN; authorized access points; denial of service attacks; gateway router; hidden Markov model; network administrators; packet inter-arrival time; packet-header data; rogue access point detection; traffic characteristics; Communication system security; Computer crime; Data security; Hidden Markov models; Information security; Monitoring; Radio frequency; Telecommunication traffic; Traffic control; Wireless LAN; Compromised Rogue Access Points; Denial of Service; Hidden Markov; Models; Rogue Access Points;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Military Communications Conference, 2008. MILCOM 2008. IEEE
Conference_Location :
San Diego, CA
Print_ISBN :
978-1-4244-2676-8
Electronic_ISBN :
978-1-4244-2677-5
Type :
conf
DOI :
10.1109/MILCOM.2008.4753358
Filename :
4753358