Who Is Peeping at Your Passwords at Starbucks?
To Catch an Evil Twin Access Point
DSN 2010
Yimin Song, Texas A&M University
Chao Yang, Texas A&M University
Guofei Gu, Texas A&M University
Agenda
Introduction
Analysis
Algorithm
Evaluation
Conclusion
Agenda
Introduction
• Wireless Network Review
• Evil Twin Attack
Analysis
Algorithm
Evaluation
Conclusion
Wireless Network Review
Wireless terminology
• AP – Access Point
• SSID – Service Set Identifier
• RSSI – Received Signal Strength Indication
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
802.11 CSMA/CA
• DIFS – Distributed Inter-Frame Spacing
• SIFS – Short Inter-Frame Spacing
• BF – Random Backoff Time
[Figure: sender/receiver timing diagram with DIFS, BF, data, SIFS, ACK]
Evil Twin Attack
A phishing Wi-Fi AP that looks like a legitimate one (with the same SSID name).
Typically occurs near free hotspots, such as airports, cafes, hotels, and libraries.
Hard to trace since they can be launched and shut off suddenly or randomly, and last only for a short time after achieving their goal.
Evil Twin Attack (cont.)
Related work
• Monitors radio frequency airwaves and/or additional information gathered at routers/switches and then compares it with a known authorized list.
• Monitors traffic at the wired side and determines whether a machine uses a wired or wireless connection, then compares the result with an authorization list to detect whether the associated AP is a rogue one.
Agenda
Introduction
Analysis
• Network Setting in This Model
• Problem Description
• Server IAT (Inter-packet Arrival Time)
Algorithm
Evaluation
Conclusion
Network Setting in This Model
Table 1: Variables and settings in this model
Problem Description
An evil twin typically still requires the good twin for Internet access. Thus, the number of wireless hops a user needs to reach the Internet is actually increased.
Fig. 1: Illustration of the target problem in this paper
• What statistics can be used to effectively distinguish one-hop and two-hop wireless channels on the user side?
• Are there any dynamic factors in a real network environment that can affect such statistics?
• How can efficient detection algorithms be designed with these influencing factors taken into account?
Server IAT
Server IAT (cont.)
Fig. 2: Server IAT illustration in the normal AP scenario
Server IAT (cont.)
Fig. 2: Server IAT illustration in the normal AP scenario
Server IAT (cont.)
Server IAT (cont.)
Fig. 4: IAT distribution under RSSI=100%
Fig. 5: IAT distribution under RSSI=50%
Agenda
Introduction
Analysis
Algorithm
• TMM (Trained Mean Matching Algorithm)
• HDT (Hop Differentiating Technique)
• Improvement by Preprocessing
Evaluation
Conclusion
TMM
The Trained Mean Matching Algorithm (TMM) requires knowing the distribution of Server IAT as prior knowledge.
Given a sequence of observed Server IATs, if the mean of these Server IATs has a higher likelihood of matching the trained mean of two-hop wireless channels, we conclude that the client uses two wireless network hops to communicate with the remote server, indicating a likely evil twin attack, and vice versa.
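A simplified illustration of the TMM decision described above, added here and not code from the paper or its authors. It assumes Server IATs are roughly Gaussian and that the two-hop trained mean is the larger one; the function names, the millisecond training values and the round handling are constructed for the example.

```python
import math
from statistics import mean, stdev

# Constructed training data: Server IATs in milliseconds (not from the paper).
ONE_HOP_TRAIN = [0.9, 1.1, 1.0, 1.2, 0.8, 1.0, 1.1, 0.9, 1.3, 0.7]
TWO_HOP_TRAIN = [1.9, 2.3, 2.0, 2.6, 1.7, 2.1, 2.4, 1.8, 2.7, 1.5]

def train(iats):
    """Summarise labelled training IATs as (mean, standard deviation)."""
    return mean(iats), stdev(iats)

def log_likelihood_of_mean(sample_mean, n, model):
    """Log-density of the mean of n IATs under N(mu, sigma^2 / n) (Gaussian assumption)."""
    mu, sigma = model
    var = sigma ** 2 / n
    return -0.5 * math.log(2 * math.pi * var) - (sample_mean - mu) ** 2 / (2 * var)

def classify_round(iats, one_hop, two_hop):
    """One decision round: does the observed mean match the one-hop or two-hop trained mean?"""
    if not iats:
        raise ValueError("a decision round needs at least one Server IAT")
    m = mean(iats)
    # Outside the interval between the trained means the answer is unambiguous;
    # this also stops the wider two-hop Gaussian from "winning" for very small means.
    if m <= one_hop[0]:
        return "one-hop"
    if m >= two_hop[0]:
        return "two-hop"
    l1 = log_likelihood_of_mean(m, len(iats), one_hop)
    l2 = log_likelihood_of_mean(m, len(iats), two_hop)
    return "two-hop" if l2 > l1 else "one-hop"

def classify_stream(iats, one_hop, two_hop, round_size=50):
    """Split a capture into fixed-size decision rounds; a trailing partial round is dropped."""
    rounds = [iats[i:i + round_size]
              for i in range(0, len(iats) - round_size + 1, round_size)]
    return [classify_round(r, one_hop, two_hop) for r in rounds]

ONE_HOP_MODEL = train(ONE_HOP_TRAIN)
TWO_HOP_MODEL = train(TWO_HOP_TRAIN)

if __name__ == "__main__":
    capture = [1.0, 1.2, 0.9, 2.0, 2.2, 1.8]  # constructed: IATs rise mid-capture
    print(classify_stream(capture, ONE_HOP_MODEL, TWO_HOP_MODEL, round_size=3))
```

A "two-hop" verdict is the condition the slide treats as a likely evil twin; the trained means only transfer to networks whose IAT distribution resembles the training environment.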
TMM (cont.)
TMM (cont.)
TMM (cont.)
HDT
HDT (cont.)
Fig. 2: Server IAT illustration in the normal AP scenario
Fig. 6: 6-AP IAT illustration in the normal AP scenario
HDT (cont.)
HDT (cont.)
Improvement by Preprocessing
Agenda
Introduction
Analysis
Algorithm
Evaluation
• Environment Setup
• Datasets
• Effectiveness
• Cross Validation
Conclusion
Environment Setup
Fig. 7: Environment for normal AP
Fig. 8: Environment for evil twin AP
Datasets
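Table 2: RSSI ranges and corresponding levels

| Range | A | B+ | B- | C+ | C- | D | E |
|---|---|---|---|---|---|---|---|
| Upper | 100% | 80% | 70% | 60% | 50% | 40% | 20% |
| Lower | 80% | 70% | 60% | 50% | 40% | 20% | 0% |

Table 3: The percentage of filtered packets

| Algorithm | Protocol | A | B+ | B- | C+ | C- | D |
|---|---|---|---|---|---|---|---|
| HDT | 802.11g | 0.8% | 0.86% | 3.91% | 3.72% | 4.69% | 7.09% |
| HDT | 802.11b | 1.38% | 1.44% | 5.61% | 6.17% | 9.42% | 10.36% |
| TMM | 802.11g | 0.62% | 0.68% | 2.59% | 2.66% | 3.30% | 6.02% |
| TMM | 802.11b | 0.99% | 1.04% | 3.33% | 4.72% | 7.44% | 8.29% |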
Effectiveness
Table 4: Detection rate for HDT and TMM

| Algorithm | Protocol | A | B+ | B- | C+ | C- | D |
|---|---|---|---|---|---|---|---|
| HDT | 802.11g | 99.08% | 98.72% | 93.53% | 94.31% | 87.29% | 81.39% |
| HDT | 802.11b | 99.92% | 99.99% | 99.96% | 99.95% | 96.05% | 94.64% |
| TMM | 802.11g | 99.39% | 99.97% | 99.49% | 99.5% | 98.32% | 94.36% |
| TMM | 802.11b | 99.81% | 95.43% | 94.81% | 96.09% | 91.94% | 85.71% |

Table 5: False positive rate for HDT and TMM

| Algorithm | Protocol | A | B+ | B- | C+ | C- | D |
|---|---|---|---|---|---|---|---|
| HDT | 802.11g | 2.19% | 1.41% | 2.06% | 1.93% | 2.48% | 6.52% |
| HDT | 802.11b | 8.39% | 8.74% | 5.39% | 6.96% | 5.27% | 5.15% |
| TMM | 802.11g | 1.08% | 1.76% | 1.97% | 1.48% | 1.75% | 1.73% |
| TMM | 802.11b | 0.78% | 1% | 1.07% | 1.27% | 6.65% | 7.01% |
Effectiveness (cont.)
Fig. 9: Cumulative probability of the number of decision rounds for HDT to output a correct result
Effectiveness (cont.)
Table 6: Detection rate when number of input data in one decision round is 50

| Algorithm | Protocol | A | B+ | B- | C+ | C- | D |
|---|---|---|---|---|---|---|---|
| multi-HDT | 802.11g | 99.62% | 100% | 100% | 99.95% | 100% | 100% |
| multi-HDT | 802.11b | 100% | 100% | 100% | 100% | 100% | 100% |
| multi-TMM | 802.11g | 100% | 99.11% | 98.73% | 99.88% | 95.83% | 88% |
| multi-TMM | 802.11b | 100% | 100% | 100% | 100% | 100% | 100% |

Table 7: False positive rate when number of input data in one decision round is 50

| Algorithm | Protocol | A | B+ | B- | C+ | C- | D |
|---|---|---|---|---|---|---|---|
| multi-HDT | 802.11g | 0% | 0.77% | 0% | 0% | 0% | 0% |
| multi-HDT | 802.11b | 0% | 0.03% | 0.02% | 0.11% | 0.73% | 0.1% |
| multi-TMM | 802.11g | 0% | 0.96% | 0.16% | 0.13% | 0.55% | 0.96% |
| multi-TMM | 802.11b | 0% | 1.07% | 1.16% | 1.02% | 1.36% | 1.41% |

Table 7: False positive rate when number of input data in one decision round is 100
Effectiveness (cont.)
Fig. 10: Detection rate for multi-HDT using different numbers of input data in one decision round
Cross Validation
Fig. 11: Detection rate for TMM under different RSSI ranges
Cross Validation (cont.)
Fig. 12: Detection rate under different 802.11g networks
Cross Validation (cont.)
Fig. 13: False positive rate under different 802.11g networks
Agenda
Introduction
Analysis
Algorithm
Evaluation
Discussion and Conclusion
• Discussion
• Conclusion
Discussion
More wired hops?
• Several studies showed that the delays from the wired link are not comparable to those in the wireless link.
• We can trade off for more decision rounds.
• Use a server within a small number of hops.
• Maybe use techniques similar to “traceroute” to learn the wired transfer time and then exclude/subtract it to minimize the noise from the wired side.
Discussion (cont.)
Will the attacker increase IAT to avoid detection?
• Users don’t like a slow connection.
Eq. 1: Attacker may delay the packet to reduce the SAIR
What if some evil twin APs connect to a wired network instead of using the normal AP?
• That’s our future work.
Conclusion
We propose TMM and HDT to detect evil twin attacks; TMM requires trained data and HDT doesn’t.
HDT is particularly attractive because it doesn’t rely on trained knowledge or parameters, and is resilient to changes in wireless environments.
The End