Passive Online Rogue Access Point Detection Using Sequential Hypothesis Testing with TCP ACK-Pairs

Rogue (unauthorized) wireless access points pose serious security threats to local networks. In this paper, we propose two online algorithms to detect rogue access points using sequential hypothesis tests applied to packet-header data collected passively at a monitoring point. One algorithm requires training sets, while the other does not. Both algorithms extend our earlier TCP ACK-pair technique to differentiate wired and wireless LAN TCP traffic, and exploit the fundamental properties of the 802.11 CSMA/CA MAC protocol and the half duplex nature of wireless channels. Our algorithms make prompt decisions as TCP ACK-pairs are observed, and only incur minimum computation and storage overhead. We have built a system for online rogue-access-point detection using these algorithms and deployed it at a university gateway router. Extensive experiments in various scenarios have demonstrated the excellent performance of our approach: the algorithm that requires training provides rapid detection and is extremely accurate (the detection is mostly within 10 seconds, with very low false positive and false negative ratios); the algorithm that does not require training detects 60%-76% of the wireless hosts without any false positives; both algorithms are light-weight (with computation and storage overhead well within the capability of commodity equipment).