2020 International Conference on Information Networking (ICOIN)

Abstract

Nowadays, wireless LAN service is taken for granted by everyone. However, cyber threats to wireless LANs are occurring more often. For example, in an attack called the Evil-Twin Attack, a rogue access point (AP) is placed with the same SSID as the legitimate one so that clients connect to it unknowingly. Once a client is attacked, all of its traffic moving across the network is sniffed by attackers. In this paper, we propose a method to detect the rogue AP by comparing different delay fluctuations in the backbone network. We define a delay in the backbone network as the result of subtracting the ICMP round-trip time from the client to the first gateway or router and that from the client to the Internet server. To reduce deviation, we gathered 100 delay samples and created histogram-based vectors for a trial. We compared delay histogram vectors using cosine distances among six different wireless networks, which have different backbone networks. We confirmed that there is a large difference in cosine distance values between the same and different SSIDs on different days. We propose a method to detect the rogue AP that compares a current delay histogram with a delay histogram from past days and then compares the result with a threshold. The results showed that the proposed method can detect rogue APs with 86.67 percent accuracy under a 6.25 percent false positive rate.
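The comparison described in the abstract, sketched as an added example (not code from the paper): backbone delay per probe, a histogram vector over a 100-sample trial, and a cosine-distance check against a past trial. The bin width, bin count, threshold value, the server-minus-gateway sign and all RTT samples are assumptions constructed for illustration; the abstract does not give them.

```python
import math

BIN_MS = 2.0     # assumed histogram bin width (ms)
N_BINS = 25      # assumed bin count; the last bin absorbs larger delays
THRESHOLD = 0.3  # assumed decision threshold on cosine distance

def backbone_delays(rtt_server, rtt_gateway):
    """Per-probe backbone delay, read here as server RTT minus gateway RTT."""
    return [s - g for s, g in zip(rtt_server, rtt_gateway)]

def histogram(delays):
    """Histogram vector for one trial; out-of-range delays are clamped."""
    vec = [0] * N_BINS
    for d in delays:
        vec[min(max(int(d // BIN_MS), 0), N_BINS - 1)] += 1
    return vec

def cosine_distance(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    # An empty trial cannot be matched to a baseline: treat as maximally distant.
    return 1.0 if norm == 0 else 1.0 - dot / norm

def is_rogue(current, baseline, threshold=THRESHOLD):
    """Flag the AP when today's delay histogram is too far from the past one."""
    return cosine_distance(histogram(current), histogram(baseline)) > threshold

def constructed_trial(offset_ms, step, modulus):
    """Constructed 100-sample trial (not measured data): ICMP RTTs in ms."""
    gw = [2.0 + (i % 5) * 0.1 for i in range(100)]
    srv = [g + offset_ms + (i * step) % modulus for i, g in enumerate(gw)]
    return backbone_delays(srv, gw)

BASELINE = constructed_trial(10.5, 1, 7)        # past day, known-good SSID
SAME_OTHER_DAY = constructed_trial(10.5, 3, 7)  # same backbone, another day
SUSPECT = constructed_trial(30.5, 1, 9)         # same SSID, different backbone

if __name__ == "__main__":
    for name, trial in (("same", SAME_OTHER_DAY), ("suspect", SUSPECT)):
        dist = cosine_distance(histogram(trial), histogram(BASELINE))
        print(f"{name}: distance={dist:.4f} rogue={is_rogue(trial, BASELINE)}")
```

In practice the threshold would be tuned on trials collected from the known-good network over several days, trading detection rate against false positives.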