Intrusion Detection in 802.11 Networks: Empirical Evaluation of Threats and A Public Dataset
Intrusion Detection in 802.11 Networks: Empirical Evaluation of Threats and A Public Dataset
Intrusion Detection in 802.11 Networks: Empirical Evaluation of Threats and A Public Dataset
net/publication/276373944
CITATIONS READS
124 3,269
4 authors, including:
Some of the authors of this publication are also working on these related projects:
COSMOS: Collaborative, Seamless and Adaptive Sentinels for the Internet of Things View project
All content following this page was uploaded by Constantinos Kolias on 30 July 2015.
Abstract—WiFi has become the de facto wireless technology for of availability attacks but more importantly to attacks that
achieving short to medium-range device connectivity. While early threat the secrecy of its key, jeopardising the confidentiality
attempts to secure this technology have been proved inadequate in of the entire communication. Posterior efforts such as WiFi
several respects, the current, more robust, security amendments
will inevitably get outperformed in the future too. In any case, Protected Access (WPA) and WPA2 proved to be more robust
several security vulnerabilities have been spotted in virtually any as far as confidentiality is concerned. However, with the
version of the protocol rendering the integration of external increasing computational power and the instalment of low-cost
protection mechanisms a necessity. In this context, the contri- cluster computing this will be soon inaccurate. Naturally, these
bution of this paper is multi-fold. First, it gathers, categorizes, mechanisms are anticipated to render themselves vulnerable
thoroughly evaluates the most popular attacks on 802.11, and
analyzes their signatures. Second, it offers a publicly available even to brute force attacks [3]. On the other hand, cloud-based
dataset containing a rich blend of normal and attack traffic systems like CloudCracker [4] can test 300 million possible
against 802.11 networks. A quite extensive first-hand evaluation WPA passwords in just 20 minutes.
of this dataset using several machine learning algorithms and In any case, WPA/WPA2 share almost the same vulnerabil-
data features is also provided. Given that to the best of our ities as the early WEP versions as far as availability is con-
knowledge the literature lacks such a rich and well-tailored
dataset, it is anticipated that the results of the work at hand cerned. Even the newest amendment, 802.11w [5], which con-
will offer a solid basis for intrusion detection in the current as centrates in patching availability related shortcomings (leading
well as next generation wireless networks. to Deauthentication, Disassociation and Authentication Re-
Index Terms—WiFi, 802.11, Security, Attacks, Intrusion De- quest attacks for example) has been proved impotent to tackle
tection, Dataset. the entirety of documented DoS attacks [6].
Furthermore, easy to use penetration testing tools, which
are able to automate attacks against 802.11 networks, have
I. I NTRODUCTION
been developed, and are easily accessible [7]. Such tools are
A categorization of the attacks based on different criteria is organizational unit is a special piece of hardware, namely the
also provided. Secondly, in the context of this work, attacks Access Point (AP) to which the stations (STA) -also referred to
described so far only in a theoretic level were implemented, as clients (these terms will be used interchangeably)- connect
and their practicality was measured (alongside with numerous and through which the generated packets are transferred. On
other popular attacks) through experiments to conclude to an the contrary, in Ad-Hoc mode the STAs communicate with
estimation of the possible threat they pose. Thirdly, it analyzes each other within their range directly, without the requirement
traces of both 802.11 normal and attack traffic to highlight pos- for an AP. In this organizational paradigm the nodes of the
sible attack patterns. However, the major pillar of contribution network also play the role of the router.
of this work is the Aegean WiFi Intrusion Dataset (AWID), a Generally, security and lack of infrastructure are two oppos-
publicly available collection of sets of data in easily distributed ing forces in WLAN. By definition, Ad-Hoc WiFi networks
format, which contain real traces of both normal and intrusive are less secure than the Infrastructure-based ones but in such
802.11 traffic. Opposed to alternatives like [14] our dataset scenarios security is typically of secondary concern. Admit-
is oriented towards intrusion detection and more specifically tedly, these two areas of study have diverse vulnerabilities
intrusion detection in wireless networks. The traces contained and their traffic behavior is significantly dissimilar even under
in AWID are not artificial but are extracted from real utilization normal conditions. At this point it should be made clear that all
of a dedicated WEP protected 802.11 network. To the best of experiments in this work, along with the discussed attacks and
our knowledge this is the first publicly available dataset of this the resulting dataset, refer to Infrastructure mode networks.
kind. We argue that the well-known KDD’99 [15] or similar
sets crafted for wired environments will not lead to the creation
of optimized algorithms targeting 802.11 environments as B. Frame Types
the two realms possess vitally diverse characteristics. On the
contrary, the AWID dataset may prove a valuable tool for 802.11 defines three different types of frames, namely
research even on different wireless technologies (e.g. WiMax management, control, and data. Each of them has different
[16], UMTS [17], LTE [18]) or alternative 802.11 settings length and fields and fulfils a different purpose.
(e.g., mesh mode [19], vehicular networks [20]) since some of 1) Management Frames: 802.11 management frames allow
the respective attacks are based on resembling principles. This STAs to establish communication with an AP and preserve
work concludes with the presentation of comparative results connectivity with it. A management frame’s structure varies
of numerous classification algorithms applied upon the AWID. depending on its purpose. Such frames can have one of
We argue that our contributions will (a) assist researchers on the following subtypes: (a) Authentication, (b) Deauthenti-
getting accustomed with the major vulnerabilities and existing cation, (c) Association Request, (d) Association Response,
attacks of 802.11 networks, (b) inform them about the practical (e) Reassociation Request, (f) Reassociation Response, (g)
impact these attacks are expected to inflict under real-life Disassociation, (h) Beacon, (j) Probe Request, (k) Probe
conditions, and finally, (c) provide a problem-directed tool for Response. For example, Deauthentication is the type of frame
ML-based intrusion detection on wireless networks. sent from the AP to a STA when the former decides to
The remainder of this paper can be broken down in the fol- terminate all communication with that client. Alternatively,
lowing parts: The upcoming section briefly inspects the 802.11 Deauthentication frames can be sent from a client to the AP
architecture and its security mechanisms. Section 3 enumerates simply to notify about its intention to drop communication. In
and describes major attacks against 802.11 standard. Next both cases, Deauthentication frames are not requests and must
section draws conclusions regarding the feasibility of such at- always be accepted and acted upon. Another example of man-
tacks extracted from experimentation. Section 5 details attack agement frames are the Beacon ones. These are broadcasted
signatures based on theoretic and practical analysis of intrusive periodically by an AP to announce its presence and advertise
and normal traffic. Section 6 outlines the most important its capabilities. On the other hand, frames of the Probe Request
aspects of the AWID dataset. The evaluation of well-known type are broadcasted by an unauthenticated client in search for
classifiers is conducted in section 7. The final discussion along a specific AP. It is possible that such messages do not specify
with conclusions and possible future directions is given in the an AP so that the STA can immediately obtain information
last section. about all APs within its range.
2) Control Frames: 802.11 control frames coordinate ac-
II. 802.11 A RCHITECTURE cess to the wireless medium and play a role in the delivery of
In this section a brief description of the entities defined in data frames from a STA to the AP and vice-versa. A control
the standard, their supported organisational modes, their possi- frame can have one of the following types: (a) Request to
ble ways of communication, along with the available security Send, (b) Clear to Send, (c) Acknowledgement, (d) Power Save
mechanisms is provided. Note that all terms mentioned here, (PS) Poll. For example, a Request to Send frame (RTS) is the
are defined in the respective standard [2]. first message of the 802.11 RTS/CTS handshake mechanism.
This mechanism is optional but when applied it reduces frame
collisions caused by the hidden terminal phenomenon. If that
A. Network Architecture mechanism is active, the STA is required to send RTS frame to
The IEEE 802.11 family networks can be organized in either request permission to occupy the channel before transmitting
Infrastructure or Ad-Hoc mode. In the first paradigm the basic an actual data frame.
3
3) Data Frames: Data frames are used to transmit the message which contains the MAC address of the client and
actual information produced from other layers. There are the MAC address of the AP, (b) the AP responds with a
different types of data frames based on whether the data is sent challenge message which contains a 128 bits random number,
on a contention based service, whether they carry additional (c) the client sends a response message which contains the
information and whether they have Quality of Service (QoS) random number encrypted with the WEP shared key. The AP
enhancements. For example, a frame of the Data type is the then decrypts the previous message using its shared key. If
basic kind used for sending and receiving data. These frames the number contained in the decrypted message matches the
are transmitted during the contention-based period. On the random number previously send, then the AP considers that
contrary, frames of Null Data type carry no payload. They are the client is in possession of the shared key. As a final step
transmitted exclusively from a STA towards the AP to edify the AP responds with (d) an Authentication Response message
a change in its sleep state. This is accomplished simply by containing the outcome of the authentication process.
altering the value of the respective power management bit. It is clear that the authentication process described above
is strictly unidirectional meaning the AP can authenticate the
C. Frame Structure client but not vice-versa.
2) Traffic Encryption: WEP depends in the RC4 algorithm
All data frames have the same structure which consists of a
for confidentiality, while the CRC-32 mechanism is employed
header, the frame body, and a Frame Check Sequence (FCS).
for message integrity. Confidentiality in WEP relies on a static
Any data placed on the frame body is usually encrypted. The
key also known as root key. WEP supports two different key
frame body is the only variable length field and can take up
sizes and as a result two versions exist, namely WEP-40 and
any value from 0 to 2,312 bytes. The FCS has length of 4
WEP-104.
bytes. It is based on CRC-32 algorithm and it is applied to
WEP-40 supports key sizes of 40 bits. This key is never
bytes of both the header and the body. The header is the most
used for direct packet encryption, but it is the basis (seed) for
complicated of the fields. It is 30 bytes long and in turn it is
the generation of a session key. Only data frames are protected
comprised of 7 fields.
while management and control ones remain unguarded. Every
Management frames have similar structure to Data ones with
time a packet is to be encrypted the following sequence of
the exception that their body may only be comprised by fixed
actions takes place: A 24-bit long Initialization Vector (IV)
or variable length tagged parameters. Control frames do not
is generated usually in a sequential way, although, a detailed
have a body and their header has smaller size than the rest of
methodology is not specified by the standard. Next, the root
the frame types.
key is concatenated with the IV forming the “per packet key”.
The highly dynamic nature of 802.11 frames brings to sur-
Note that even thought the root key remains the same, the
face the requirement for their representation as static vectors
IV varies in each encryption attempt. For this reason, the
of attributes within a given dataset. In this respect, section
resulting “per packet key” is also different for each packet.
VI-D gives details on the adopted record schema on the AWID
This key (which itself is merely a 64 bit sequence) seeds the
dataset.
RC4 algorithm producing a key sequence which is known as
keystream. As a final step, the keystream is XORed with the
D. WEP Security concatenation of the plaintext of the packet and its CRC-32
Wired Equivalent Privacy (WEP) was the sole security value resulting to the ciphertext of the specific packet.
mechanism in the first version of the 802.11 protocol in- The encryption process on WEP-104 is analogous except
troduced in 1999. As the name implies its main goal was for key size which in this case is 104 bits.
to provide a confidentiality level comparable to that offered
in the wired world. Nonetheless, as proved in practice these
goals were not met and this protocol was found susceptible E. WPA
to a number of different attacks, including these that allow WiFi Protected Access (WPA) is a security technology that
the efficient calculation of its secret key. Naturally, with the was introduced in 802.11x amendment in order to alleviate the
introduction of 802.11i, WEP became officially deprecated. weaknesses of the original security mechanism. Since WEP
Still, a non negligible mass of 802.11 networks utilize WEP was found vulnerable to attacks that could be launched by
as their sole protection mechanism. attackers even with moderate level of skills many network
1) Authorization: WEP supports two methods of authen- administrators started deploying third-party security solutions
tication namely, open system and shared key. In the first including 802.1X and Virtual Private Networks (VPN) in order
case, the client does not need to provide any credentials for to increase the level of security. The lack of native wireless
connecting to the AP. The authentication is completed after the security triggered the development of 802.11i by IEEE and the
exchange of only two messages. Frequently, in such scenarios WiFi alliance. WPA was treated as a transitional step since the
the network is protected through means of whitelisting specific more robust 802.11i (frequently referred as WPA2) security
MAC addresses. sub-protocol was still under development. Actually, WPA is a
On the other hand, in the shared key authentication, a subset of 802.11i but it maintains forward compatibility with
process that completes with the exchange of four messages it.
takes place before a client can enter the network. More The cornerstone of WPA is the provision of stronger en-
specifically, (a) the client sends an Authentication Request cryption mechanisms, such as Temporal Key Integrity Protocol
4
(TKIP) or the Advanced Encryption Standard (AES) which is keys in the WPA2 hierarchy. The KCK and KEK are used to
employed as an alternative. At the same time, WPA effectively protect EAPOL-Key frames while the temporal key is used to
addresses critical security issues, including mutual authentica- encrypt/decrypt unicast network traffic.
tion via the utilization of 802.1X framework and the Extensible The GTK on the other hand, is split into two keys the Group
Authentication Protocol (EAP), more appropriate IV lengths, Encryption Key (GEK) which is used for encrypting/decrypt-
a stronger integrity check mechanism (namely Michael), a ing multicast traffic, and the Group Integrity Key (GIK) which
secure rekeying function, and others. is used for verifying the MIC of multicast/broadcast traffic.
WPA depends on central authentication servers such as 2) Traffic Confidentiality & Integrity: WPA2 supports three
RADIUS for user authentication, access control and manage- alternative protocols for protecting network traffic: Temporal
ment. While this practice is typically adopted in enterprise Key Integrity Protocol (TKIP), Counter-Mode/Cipher Block
environments for home users, a variation of WPA, namely Chaining Message Authentication Code Protocol (CCMP), and
WPA Pre-Shared Key (WPA-PSK) has been developed. In Wireless Robust Authenticated Protocol (WRAP).
essence, WPA-PSK is a simplified version of WPA which is TKIP is based on RC4 and is regarded as a transitional
based on the use of a passphrase as a pre-shared secret key step from WEP which simply provides buffed up security and
among the users much like in the case of WEP. backward compatibility. On the downside WRAP, is based on
the Offset Codebook (OCB) mode of AES which is considered
much more secure but may be subject to licensing issues.
F. WPA2 CCMP is based on the Advanced Encryption Standard
IEEE 802.11i, commonly known as WPA2, was an amend- (AES) algorithm in its CCM mode. It breaks the plaintext
ment to the original IEEE 802.11 standard aiming to increase in chunks of 128 bits and encrypts them with a key of the
the security of the protocol. The final draft was ratified on same size. On the other hand, MIC computation is conducted
June 24, 2004 and it was finally incorporated into the IEEE with the Cipher Block Chaining (CBC-MAC) which initially
802.11-2007 standard. Note that the currently latest version encrypts a nonce block, the source address and the packet
of the standard, namely 802.11ac [21] (which was finalized number and then XORs the result with each succeeding block.
and approved in January 2014) also adopts 802.11i as its The MIC is attached at the end of the plaintext and it is
primary security protocol. Although the beamforming feature encrypted along with it.
will possibly generate the need for redisign of the penetration
testing equipment, it is safe to assume that most of the G. 802.11w
vulnerabilities discovered for 802.11i will apply also in the While the 802.11i focuses on the confidentiality and in-
newest version of the protocol. Below, we will provide details tegrity aspects of the wireless communication it has been
on how key generation process is conducted in 802.11i and proven rather thrifty on the availability ones. In this way, DoS
what processes are provisioned for traffic confidentiality and attacks discovered even since the WEP ages, fully apply on
integrity. WPA/WPA2 settings too. The common denominator of most
1) Key Construction: In WPA2 all keys are derived from a of these vulnerabilities is the fact that management frames
single key which is placed in the highest level of the hierarchy. are unprotected, thus easily issued even by unauthorized
There are two types of that key which depend on the utilized entities. For this reason the 802.11w amendment, which was
method of authentication. If the authentication method is based approved in 2009, focused on these issues and addressed
on a pre-shared key, the top key is simply the pre-shared key them by introducing the Robust Management Frames (RMF)
itself and it is referred as Pre Shared Key (PSK). If the latter is mechanism which is merely the cryptographically protected
based on the 802.1X framework, the top key is called Master version of some of the management frames (Deauthentication,
Session Key (MSK). Disassociation, and Action management ones).
These top level keys are used for generating the primary In 802.11w the Robust Security Network Information El-
keying material in WPA2, which is the Pairwise Master Key ements (RSN IE) field is extended by two bits (bits six and
(PMK). In the case of a pre-shared key based network the seven) to advertise the new capabilities which indicate that
PMK is equal to the PSK, while in the 802.1X based network 802.11w is supported. More specifically, the sixth and seventh
scenario the PMK is produced from a portion of MSK. The bit correspond to Management Frame Protection Required and
PMK is never used for encryption or integrity checks directly; Management Frame Protection Capable flags.
rather it contributes to the generation of shorter-life keys. Unicast management frames are protected by the PTK,
In the next level of the keying hierarchy, the Pairwise while for broadcast management frames, a new encryption key
Transient Key (PTK) and the Group Transient Key (GTK) had to be introduced, namely the Integrity Group Transient
exist. These keys are specific to the client-AP pair as they Key (IGTK). The latter is used in a MIC information element.
are produced during the authentication process from the PMK In further detail, the MIC is comprised of a packet ID, IGTK
or the GMK respectively, as well as other random numbers key ID, a serial number (IPN), and a cryptographic hash
negotiated with the client. derived from the packet’s MAC header and payload. IPN
The PTK key is then split into five sub keys, i.e., temporal protects against replayed frames which are dropped if the same
encryption key, two temporal Message Integrity Code (MIC) IPN has been used in the past.
keys, EAPOL-Key Key Confirmation Key (KCK), EAPOL- To tackle Association Request attacks, the Security Asso-
Key Key Encryption Key (KEK). These are the bottom level ciation Query (SA Query) mechanism has been introduced.
5
This mechanism makes use of two new management frames, first n bytes of that key. In this case, the input conditions are
namely SA Query Request and Response which are exchanged easy to derive since the first byte of the plaintext is predictable
between STA and AP as a follow up of every Association (it can take one of the very limited number of values of
Request issued by the STA. The association procedure carries the corresponding SNAP header field). After completing this
on only if the SA Query Response message is verified by the process the attacker will have a possible value of byte n+1
AP. The Timeout Information Element (TIE) is introduced for but not definitely the actual one. So, she may choose to repeat
the cases where a STA is in associated state but somehow the this process for multiple messages that satisfy the weak IV
serving AP receives a new Association Request message. The condition. The real value will be encountered with significantly
AP replies with a rejection notice and remains blindfolded to higher frequency than the rest. From that point on, the same
every Association Request stemming from the same client for cycle may be repeated for the rest of the bytes of the key.
a time interval equal to the one specified in the TIE field. 2) KoreK Family of Attacks: A cryptanalyst with the
The traces contained in AWID as well as all the relative ex- pseudonym KoreK published (in the Netstumpler forum) im-
perimentation are conducted on a WEP protected network. We plementations of seventeen attacks that aim at retrieving the
argue that such setting provides a rather attack-rich platform WEP key. Each one of these attacks is based on similar
for experimentation. Since the attacks that can be executed in mathematical principles as the FMS one, but makes use of
that platform are a subset of the existing attacks of versions different correlations. Once more, these approaches use statis-
up to 802.11w, the efficiency of the tools tested with AWID tical methods to vote for probable keys. A detailed analysis of
is expected to deviate minimally under such situations. this family of attacks is included in [26].
In any case, a significant amount of IVs must be collected
III. ATTACKS AGAINST 802.11 in the hands of an attacker before she is capable of retrieving
This section is devoted to attacks against several versions the WEP key. Although, typically, the KoreK incursions are
of the 802.11 security mechanism (i.e. WEP, WPA, WPA2). more efficient than the FMS one, injection of packets to the
Although the AWID dataset was gathered from a WEP pro- network is still advised so that this process proves efficient in
tected network and contains only WEP related attacks, here matters of time too. Actually, both the FMS and KoreK attacks
WPA/WPA2 ones are also included for reasons of complete- have been used in conjunction to create an initial space of a
ness. Note that physical layer attacks or higher layer ones limited number of possible keys and then carry on with a brute
are considered out of scope (the reader should refer to [22] force attack to effectively reveal the correct one.
for such) and therefore are not examined in the context of 3) PTW Attack: PTW attack [27] was described by re-
this work. Moreover, the emphasis is put on attacks that searches Pyshkin, Twes and Weinmann and was based on
have practical value and have been implemented (or can be Klein’s attack which targets the generic version of RC4 [28].
implemented relatively easy) by penetration testing tools. In The PTW attack attempts to break the WEP key in a much
this section we organize the attacks in groups of similar more efficient way (i.e., with much less IVs/data frames) than
goals. Nevertheless, the reader must keep in mind that in the statistical methods.
the AWID dataset an alternative classification which is based In practice, this attack is constrained to ARP packets,
on the implementation methodology is followed. This section thus making techniques such as ARP injection necessary for
concludes with an evaluation of the severity (impact) of these someone who wishes fast WEP key cracking. Nowadays,
attacks drawn from empirical, experimental observations and many WEP cracking tools consider this attack as their default
theoretic assumptions. cracking method mainly due to its efficiency.
4) ARP Injection: ARP injection is not actually an attack
itself but it may be used as a first (frequently necessary) step
A. Key Retrieving Attacks for any of the Key cracking attacks [27] (especially from the
This subsection concentrates on attacks that attempt to IV greedy ones). The purpose of this attack is to manipulate
reveal the Secret Key. In all cases, the attacker simply needs the network in such a way, so that new IVs are produced
to monitor for specific packets and then proceed with the key steadily in large numbers even if no real traffic is moved in the
cracking process offline. While this passive practice is totally network. These forcefully generated IVs will then be captured
untraceable even by the most sophisticated, state-of-art IDS, by the attacker and be fed to the respective Key cracking
the attacker will often choose to execute the active counterpart algorithms in a subsequent offline step.
of these attacks which rely on the injection of a (large in most Assuming that the attacker is already in possession of
cases) number of packets in the network, possibly revealing a Pseudo-Random Generation Algorithm (PRGA) she will
herself. construct an ARP Request packet with broadcast IPs, encrypt
1) FMS Attack: The FMS attack [23] was the first doc- and finally transmit it. Upon reception, the AP will broadcast
umented successful attempt to derive the WEP Shared Key, it to the network and a new IV will be produced for each ARP
by taking advantage of a vulnerability on the key scheduling request. There are methods to achieve an ARP amplification
algorithm of the RC4 stream cipher. This attack is based on the effect meaning for each frame injected two or even three
theory of weak IVs [24, 25]. When such an IV has been used to messages (with different IVs) will be produced. Such methods
encrypt a packet, then the attacker can make safe assumptions rely on the knowledge of the network topology and valid
about the value of byte n+1 of the encryption key simply by client IPs. In the later scenario the attacker constructs an ARP
having knowledge of the first byte of the keystream and the Request with an IP of a valid STA and transmits it to the
6
network. The AP will receive the message and re-transmit it B. Keystream Retrieving Attacks
towards the STA producing the first IV. The interested STA The profits of a cracked Shared Key are obvious. Yet, in
will receive the message and construct the appropriate ARP WEP protected networks it is possible for an attacker to benefit
Response and then transmit it to the AP, producing a second even from the knowledge of the keystream alone. For example,
IV. Finally, the AP will transmit the ARP Response back to one possibility for the attacker is to use the keystream to
the client producing a third IV. forge and inject packets to the network as a stepping stone
5) Dictionary Attack: The Dictionary Attack is a form for more serious attacks. This is possible as the standard
of brute force attack that has been widely used to retrieve allows the sender of a message to choose its IVs and at the
weak WPA/WPA2 [29] and less frequently WEP keys (since same time it does not apply any technical means to forbid
more efficient methods exist). By today’s standards this is the reuse of IVs. Another (less popular) option is to decrypt
considered the most reliable method for WPA/WPA2 cracking. portions of packets. That is by decrypting critical segments of
In the first phase of the attack the aggressor sniffs a target packets the aggressor can learn the topology of a network or
network hoping to catch a live handshake. Alternatively, she indirectly render herself able to decrypt all traffic by building
can target a victim client and actively issue deauthentication a comprehensive database of keystream/IV pairs.
frames (usually a single or a very small number of frames) 1) ChopChop Attack: ChopChop attack was also proposed
forcing the client to perform a 4-way-handshake immediately. by KoreK [31]. It allows an attacker to retrieve the m last
In the first case, the attacker can be totally untraceable, while bytes of both the keystream and the plaintext of a packet
in the second the volume of the injected packets is so low that without having knowledge of the Key. The sources of this
she also has a good change to pass undetected. In the second vulnerability are (a) the fact that CRC-32 is wrongly utilized in
phase, the attacker goes through a process of generating the WEP for message integrity, and (b) WEP offers no protection
third message of a 4-way-handshake based on potential keys mechanism against replaying previously sent packets.
contained in a large database, usually referred to as dictionary. The attack is based on ‘chopping’ the last byte of the
For each key, the attacker evaluates the result against the encrypted portion of a packet and attempting to deduce the
captured sequence and if the two match she can be certain actual ciphertext value for this byte. Due to the missing byte, in
that the currently evaluated key is the PSK of the network. this truncated form, the frame will have invalid ICV. Therefore,
The aforementioned process is done in an offline fashion. This firstly the attacker XORs the truncated packet with a chosen
methodology is described in Figure 1 analytically. value hoping that this value will lead to a sequence which will
be valid for the specific ICV. Since the attacker has no means
This attack is limited towards networks protected with
of knowing if the ICV is the valid one, she injects the modified
the PSK method. It is considered effective only if the dic-
packet in the network. Theoretically, the AP must reply with a
tionary utilized contains the passphrase. So, the dictionary
message stating that the ICV is not valid, therefore revealing if
must be large enough, that is, to accommodate many possible
her guess was fruitful or not. Ultimately, the attacker is using
passphrases. Also, its efficiency heavily depends on the com-
the AP as an oracle. If the ICV for an attempt is not valid
putational power the attacker possesses. Although usually such
then she simply repeats the process for all possible values
dictionaries have size of multiple GBs the words contained on
of that byte (256 values). In the end, the attacker will know
them are just a small fraction of the total combinations that
the plaintext of the truncated byte, and the keystream as well.
can be used as a passphrase. For this reason, the attack will
Statistically, only 128m guesses are required on average and
fail if the passphrase is not contained in the dictionary. The
256m guesses maximum to retrieve the last m bytes of a
authors in [30] describe the various techniques that have been
packet.
employed for retrieving the WPA/WPA2 key. In practice, the ChopChop attack is usually executed with
the purpose of deriving large portions of the keystream. This
keystream will be used to forge and inject frames in a network
on a subsequent step. Less frequent scenarios want this attack
to be used for partially decrypting packets, especially when
the attacker does not have knowledge of the WEP Key.
2) Fragmentation Attack: The fragmentation attack [32]
aims at revealing a significant portion of the keystream by
sending notably less messages than the ChopChop one. The
keystream can later be used to generate and inject packets into
the network as part of other assaults. Due to its efficiency it
is sometimes embraced by attackers when they aim to create
a full dictionary of keystreams for different values of IVs.
The fragmentation attack takes advantage of the fragmenta-
tion mechanism of 802.11. This mechanism allows any packet
that exceeds the maximum frame length to be broken into
several smaller fragments which can be sent independently.
Fig. 1: Dictionary Attack
Also, this attack capitalizes on the observation that the first 8
bytes of any encrypted data frame are predictable. These bytes
7
correspond to the LLC header which is comprised by constant networks with which they have been associated in the past, and
and known fields. That is, all but the last of these fields have (c) the client automatically attempts to connect to a network if
fixed values. Even so, the last byte which corresponds to that network has the same ESSID as any of the probed ones.
field EtherType (this indicates the protocol of the encapsulated For this attack to be fruitful, the victim STA must be probing
packet) can take either the values for an ARP or IP packet. for known networks. As a first step, the attacker sniffs these
Nevertheless, the actual size of the packet can indicate whether probes and then using the appropriate equipment she poses
one is dealing with an ARP or IP packet. as a valid AP (i.e., becomes a Honeypot) with the chosen
This attack assumes that the attacker has first falsely authen- ESSID. Next, the victim client authenticates and associates
ticated herself to the network. As a first step, the fragmentation with the attacker’s fake AP (this is possible since WEP does
attack requires the attacker to capture at least one data packet not incorporate a mechanism for authenticating the AP). At
from the network. Since the first 8 bytes of plaintext are this point the client will typically request an IP address from
known, the attacker can deduce exactly 8 bytes of keystream a DHCP server (by sending several DHCP requests), but if not
with high probability. Of course, 8 bytes of keystream leave one is found, it will self-assign a private address and then send
room for only 4 bytes of data (since the ICV itself requires 4 encrypted gratuitous ARP packets. Right then, the attacker will
bytes), which is not sufficient for constructing any meaningful have to capture an encrypted ARP packet and modify certain
packet. At this point, the attacker takes advantage of the bits in order to transform it into an ARP request packet. This
802.11 fragmentation mechanism. She constructs a sufficient is done in an attempt to learn the client’s IP. The attacker
number of 8 byte packets with specific content and marks will continue flipping specific bits of the ARP packet that
them as fragments. The protocol provisions that a message correspond to the IP address in a brute force manner until
can be broken down to 16 fragments at maximum. Finally, she she receives a matching ARP Response by the client. In this
sends these packets through the AP to the broadcast address. way, she can deduce the IP address of that client and transmit
Typically, the AP will reassemble the fragments and transmit a series of encrypted ARP Requests messages. As expected,
them back, to all clients in a single packet. The contents of this the STA will respond with a new ARP Response packet to
packet are known beforehand. Hence, the attacker (by simply each one of those messages, producing multiple new IVs, a
XORing) is able to retrieve keystream of size equal to the fact which can be fully capitalized with the one of the WEP
packet’s length. The entire process along with the messages cracking attacks.
involved is described in Figure 2. 4) Hirte Attack: Hirte Attack [34] is another “AP-less”
method for retrieving the WEP key using solely a client and
IV Encrypted Data ICV not needing an AP of the network at all. It works in a similar
First 8 bytes of Encrypted Portion of the Packet
fashion to the Caffe Latte one but it incorporates methods
XOR found in the fragmentation attack.
DSAP SSAP CTRL ORG ORG ORG
8 bytes of Predictable Sequence
ETHER-TP ETHER-TP In a typical attack scenario, the attacker acquires an en-
crypted packet (a gratuitous ARP or IP packet) after setting
8 bytes of Keystream
XOR up a Honeypot similarly to the Caffe Latte attack. Then, it
4 bytes of Data 4 bytes of ICV relocates the IP address field by breaking that packet into
Fragment fragments and changing their order. The concatenated packet
Fragment 1 (8 bytes)
Fragment 2 (8 bytes)
will finally become an ARP Request one and from that point
Fragment 3 (8 bytes)
Fragment 16 (8 bytes)
on a flooding of these messages can take place to harvest IVs
Reassembled Packet (64 bytes)
For a holistic survey of DoS attacks in 802.11 and possible the rest.
countermeasures the reader should consult [36]. To mount this attack the aggressor will simply have to
1) Deauthentication Attack: This is considered the most falsify an ADDBA frame having the client’s MAC address and
potent DoS attack in 802.11 networks due to its simplicity and large sequence numbers. All traffic transmitted from the client
efficiency. It is based on the fact that deauthentication packets will be ignored until the sequence numbers indicated in the
are transmitted unprotected and they can easily be spoofed by invalid ADDBA frame have been reached. This attack is hard
an ill-motivated entity. Moreover, upon receiving such packets to be detected as it is effective even by injecting extremely
the client must abandon the network immediately without any low volume of traffic in the network. This also means that the
additional actions. attacker needs not to be present during the entire course of
The attacker monitors the traffic on the network to deduce the attack [39].
the MAC addresses associated with a specific client and the 6) Authentication Request Flooding Attack: In this case the
one of the AP. Then, she forges a Deauthentication manage- aggressor attempts to exhaust the AP’s resources by causing
ment frame and sends it to that client on behalf of the AP. overflow to its client association table. It is based on the fact
Alternatively, she can send it to the AP on behalf of the that the maximum number of clients which can be maintained
client, so that the network stops considering that client authen- in the client AP’s association table is limited and depends
ticated. The client will immediately loose connectivity with either on a hard-coded value on the AP or on its physical
the network, but typically it will re-initiate the authentication memory constraints. An entry on the AP’s client association
procedure automatically. This cycle is usually very brief but table is inserted upon the receipt of an Authentication Request
of course, the attack may be mounted repeatedly depriving the message even if the client does not complete its authentication
client of the service for a longer period of time. (i.e., is still in the unauthenticated/unassociated state).
2) Disassociation Attack: The disassociation attack is very Typically, an attacker will have to emulate a large number
similar to the Deauthentication one in both methodology, ease of phony clients and simply send an authentication frame on
of use and effects. In this case, the attacker will send a behalf of each one. After the AP’s client association table
Disassociation message instead. Theoretically, such attacks are overflows with fake entries, the AP will not be able to associate
less efficient because there is a smaller amount of procedures legitimate STAs any longer. This attack has been described and
involved for the client to return from non-associated back studied more extensively in [40].
to associated state. Thus, the duration of loss of service is 7) Fake Power Saving Attack: This is the only DoS attack
expected to be shorter. that does not rely on management frames but is rather imple-
3) Deauthentication Broadcast Attack: The Deauthentica- mented through null data frames (see section II-B1 ). The fake
tion Broadcast Attack works in the same way as the simple power saving attack was originally described in [41] and in
Deauthentication one but instead of a client address in the theory it has the advantage that it requires a smaller number
corresponding field the aggressor inserts the broadcast address. of frames to achieve its goal. By abusing the Power Saving
This will cause all clients to receive this message and deau- mechanism this attack basically tricks the AP into thinking that
thenticate. The system might be stressed mildly since possibly a specific STA has fallen into doze mode. Note that the Power
all the connected clients in the network will attempt to initiate Management mechanism in 802.11 helps to reduce the power
the authentication process roughly at the same time. consumption of a STA by setting their network adapters into
4) Disassociation Broadcast Attack: The Disassociation power saving mode. This state is also referred to as doze mode
Broadcast Attack works similarly to the Deauthentication (more commonly known as sleep mode). The transition to doze
one but it utilizes the Disassociation message instead. The mode is typically done when the client spends an amount of
effects of this attack are analogous but it is expected to be time without communication. For switching to sleep mode, the
less severe as the reassociation process is briefer and less client first has to notify the AP about its intention through a
computationally intensive. The authors in [37] focused their null data frame with the Power Save bit set to 1. When in
study on Deauthentication/Disassociation attacks and proposed doze mode the client is not able to receive or transmit frames
a modification of the protocol based on one-way functions to and the AP temporarily stores all frames destined to it.
counteract the effects of this attack. So in essence, this attack takes place by sending a null data
5) Block ACK flood: This attack may cause an AP to frame with the Power Save bit field set to 1. The AP will accept
voluntarily drop all packets originating from a specific client. this message and immediately start buffering all data frames
It is effective against 802.11n networks and it achieves its destined to that STA. The upcoming Beacon frame will contain
results by taking advantage of the Add Block Acknowledge- a TIM field (with the client’s MAC address), but since that
ment (ADDBA) mechanism introduced in that version of the client is not actually on power saving mode, it will be ignored.
standard. More specifically, this mechanism allows a client If this procedure is repeated for many cycles, sufficient time
to transmit a single large block of frames at once instead of will elapse and the AP will be forced to discard all buffered
several smaller segments [38]. An ADDBA message must be frames. However, the exact time is depended on the adopted
send on behalf of the client to notify the AP for its intention to “Ageing Function” and is vendor specific. Actually, the role
conduct such a transaction. This message contains information of the null data frames in 802.11 has been severely critisized
such as the size of the block and the corresponding sequence [42] and eventually has been tackled by 802.11w.
numbers. After receiving such a message, the AP will only 8) CTS Flooding Attack: As explained in section III-C7
accept frames that fall within the indicated sequence and drop the Request to Send (RTS), Clear to Send (CTS) message
9
pair is an optional mechanism to control the access to the 1) Honeypot: In the context of this work Honeypots [47]
RF medium. When this mechanism is enabled and a STA has are networks created and controlled by malicious administra-
data for transmission in its queue, it sends an RTS frame to tors to attract naive users and then perform different attacks
gain access to the RF medium for a pre-specified amount of to them. Usually, such networks are open and advertise luring
time. This privilege is actually granted upon receiving the CTS ESSIDs (e.g., Free Internet, Free WiFi, Open Hotspot etc.) in
frame. order to maximize the number of clients connected to them.
In CTS Flooding Attack the attacker may constantly trans-
When users connect and since no encryption is applied
mit CTS frames to itself or another STA, thus forcing the rest
(or if so, the key is already in possession of the malicious
of the STAs in the network to continuously postpone their
user) all (unencrypted by the higher layers) traffic is visible to
transmission.
the attacker. Furthermore, the attacker may use sophisticated
9) RTS Flooding Attack: An RTS Flooding Attack also
penetration testing tools to discover security holes to that client
takes advantage of the RTS/CTS mechanism but works in an
and then launch higher-layer attacks (e.g. Session Hijacking)
opposite way than the CTS Flooding one. It transmits a big
to bypass even higher-layer security mechanisms.
number of spoofed RTS frames with possibly a large trans-
mission duration window, hoping to monopolize the wireless A Honeypot is not considered an attack per se and there are
medium in such a way that will eventually force the rest no means to detect if a given network is actually a Honeypot
STAs to back-off from transmitting. For the interested reader, or not (at least not in the MAC level). It is the responsibility
the works [43, 44] provide a detailed analysis and empirical of a user to connect to reliable networks only. Nevertheless,
evaluation of the numerous flavors of both CTS and RTS IDS working on higher layers will be able to detect intrusion
attacks. attempts normally.
10) Beacon Flooding Attack: The Beacon Flooding attack
is a form of DoS attack that an aggressor may use in two 2) Evil Twin: An Evil Twin is a special case of Honeypots
different ways to achieve annoyance or complete denial of that advertise an existing ESSID to fool naive users into
entry of new clients to the network [45]. connecting to it instead of the valid network [48]. Evil Twin
In the first case, the attacker will transmit a constant stream APs are possible due to the fact that (a) multiple APs with the
of fake beacons that advertise non-existing ESSIDs. This will same ESSID is allowed to exist in the same area, and (b) in
cause an overflow to the list of available networks, making it such situations the client will prefer to connect to the one with
troublesome for the end-user to locate his preferred one. In the strongest signal disregarding the BSSID of the legitimate
the second case, the attacker will transmit a flood of spoofed AP.
beacon frames with a specific ESSID which correspond to Initially, the attacker brings up a fake AP (usually a software
different (non-existing) BSSIDs. Depending on the implemen- one) that advertises the same ESSID with a valid one in the
tation, most probably the client(s) will go into a loop of vicinity. Preferably, the impersonated networks must be open
checking if each of the synonymous ESSIDs corresponds to (e.g., networks of coffee shops, airports etc.) or at least their
an existing network. credentials should have been acquired by the attacker first
11) Probe Request Flooding Attack: A Probe Request (e.g., the case of a hotel wireless connection). Naturally, if
Flooding Attack [46] aims at stressing the resources of an AP the attacker’s Network Interface Card (NIC) transmits with a
and eventually drive it to paralysis. This attack is based on the stronger signal then the client will prefer to connect to that
fact that according to the 802.11 standard an AP is obligated to fake network. As in the case of a normal Honeypot, from that
reply to every Probe Request message with a Probe Response point on the attacker is able to launch higher level attacks or
one. simply monitor the traffic.
Such messages contain details about the network and the
capabilities of the AP. An attacker may send a constant stream 3) Rogue Access Point: Rogue APs are unauthorized access
of fake Probe Request packets. If this is done in high volume points (i.e., either hardware or software AP) enabled within
and for prolonged periods of time the AP will not be able to the corporate, home or office premises by an insider of that
afford serving its legitimate clients too, as it will be probably network. Such settings may be spawned by undisciplined users
struggling to reply to the probes of the non-existing ones. without the permission of the network administrator in order
12) Probe Response Flooding Attack: This attack also takes to render a security policy more convenient for them or by
advantage of the Probe mechanism although it works in reverse traitors with an ulterior purpose to leave a backdoor open for
by targeting the client rather than the AP. outsiders.
This time the attacker monitors for probe request messages Rogue APs are usually connected to the wired counterpart of
coming from valid clients and by acting like an AP, she the network although the wireless connection is not uncommon
transmits a flood of fake and inaccurate probe responses to especially for software APs. Such APs can be open if an
the STAs. These messages contain bogus information about the attacker wants to attract a larger number of users or be
network, thus misleading the STA from receiving the response protected with a shared key, if the insider wants to allow
from the valid AP and further preventing it from connecting access to specific allies. The detection of such devices is a
to any AP. challenging task. Works such as [49] have studied this concept
more extensively, while the work in [50] indicates methods to
D. Man-in-the-Middle Attacks suspend rogue APs and response to their threats.
10
evaluated the results in both TCP (FTP file transfer) and UDP E. Authentication Flooding
(Skype call) application scenarios. More specifically, in the While in theory the Authentication Flooding attack attempts
UDP scenario we noticed that the throughput dropped from to exhaust the physical resources of the APs, experimental
145Kbps to 68Kbps and in the TCP scenario from 2Mbps results indicate that contemporary devices can cope well,
to 269Kbps. This is translated to a loss of 53% and 87% even for an extreme number of simultaneous authentication
respectively. Figure 5 presents the drop of throughput noticed requests. Actually, even after 8 million authentication attempts
for the TCP and UDP scenarios when a Probe Request flooding on a single commodity AP that was used as our test subject,
attack unfolds. we observed no noticeable deviation from the AP’s normal
behavior (i.e., freeze or reset).
What is interesting however, is the fact that during the
course of this attack even in its early stages (i.e., the first two
seconds) the client was unable to perform authentication to
enter the network. More specifically, all devices presented such
behavior with the sole exception being the Samsung Nexus,
which was able to connect but with a noticeable delay.
This attack may pose as a more effective equivalent of
the Beacon Flooding. The above mentioned experiments were
conducted with the use of the MDK3 tool and an average
injection rate of 900 authentication frames per second. For a
(a) Drop of Throughput in TCP Scenario complete overview of flooding attacks in 802.11 along with
simulated evaluations the interested reader should refer to [57].
F. ChopChop
We conducted our experiments with the Aireplay-ng tool
(of the Aircrack suite). In the course of the attack we replayed
packets of different sizes. We came to the conclusion that the
amount of time required for the ChopChop method to fully
analyze a given packet depends on the actual size of the packet.
Some examples of various packet sizes and the corresponding
(b) Drop of Throughput in UDP Scenario requirements in number of packets to be injected and amounts
Fig. 5: Effect of Probe Request Flooding Attack in Throughput of time are given in Table III.
exist, although, the reader should keep in mind that they are
contingent on the tools used during each attack. Whereas, there
may be certain actions an aggressor can make to masquerade
the traces produced by the specific tool in use, there is very
little she can do to conceal the increase in the number of
management frames as this is the basis of all flooding attacks.
The Deauthentication Flooding attack is considered as one
of the most potent DoS attacks in the wireless realm, yet
it is also one of the hardest to accurately identify. During
its course, a burst of Deauthentication frames is generated.
(a) Increase in Traffic However, elevated levels of such frames may also be tracked in
Amok, Dissassociation, Power Saving, Authentication Request
Flooding attacks, as well as in the ARP Injection one when ex-
ecuted improperly. For example, consider the case where such
frames are transmitted by intruders that possess or impersonate
non-authenticated MAC addresses. It is important to keep in
mind that only in the case of Deauthentication Flooding attack
the Deauthentication frames are forged and transmitted by the
adversary, while in the rest of the cases they are products of
the AP itself as part of a valid response to the attack. Aireplay,
which is the de-facto tool for launching Deauthentication
flooding attacks, transmits management frames that have the
(b) Number of Packets with Repeated IVs
same Reason Code (0x0007), and at the same time their
Fig. 6: ChopChop Attack Sequence Number field contains values that are outside the
natural order for that session.
Figure 7a shows the total amount of Deauthentication
perspective. To the best of our knowledge this is the first
frames throughout the entire duration of the reduced training
documented attempt to fingerprint 802.11 attacks. We expect
set. Notice that only few timeslots contain Deauthentication
that this will lead to the better understanding of the structure
frames that have the Reason Code field set to 0x0007. Even so,
and the characteristics of such anomalies when they occur in
there are cases where Deauthentication frames with the exact
wireless networks.
same Reason Code do not correspond to a Deauthentication
Flooding attack. For example, the timeframe between seconds
A. Flooding Attacks 1050 to 1150 contains frames originating from an actual Deau-
Flooding attacks create a sudden increase in the manage- thentication Flooding attack, while the timeframe between
ment frames (in their majority) per time unit. Even though this seconds 1400 to 1600 contains Deauthentication frames that
makes it easy to discern a flooding attack from normal traffic, are produced by the AP as a valid response to an ineffectual
it is not always as straightforward to distinguish it from other ARP Injection attempt. Figure 7b focuses in this time zone.
attack types. Some assaults may cause a temporary increase Notice that the Signal Strength criterion that is applied as a last
of certain management frames as collateral damage. As will resort reveals of the actual Deauthentication Flooding attack.
be explained in the process, additional hints and traces usually As observed from the figure, in the first time slot, there is
14
a significant percentage of packets that deviate from a certain set, as well as those Beacon frames in that set that meet the
threshold of Signal Strength, while in the second time slot this MDK3 signature attributes. Note that even with the use of the
percentage is kept low. first filter alone (blue area) it is easy to identify the time frame
within which a Beacon attack unfolds with high accuracy,
however the use of the second filter (orange area) achieves
optimal results.
Fig. 9: Traffic Pattern during ARP Injection Attack Twin attack when the Airbase tool is utilized. However, Caffe
Latte assaults will simultaneously inject encrypted Data frames
During a Fragmentation Attack the intruder injects a se- of small size, much like a normal injection attack, making it
quence of short, fragmented data frames. If successful, this harder to clearly distinguish it from an ARP Injection or Evil
process usually does not consume more than one second, Twin attack for instance.
however if not successful the same procedure will be repeated. As a final note, in all cases described above the received
The Aireplay tool contains an implementation of this attack Signal Strength of all forged frames (as indicated by the
and by examining the packets it produces we notice that corresponding Radiotap Header field) will probably fall within
all have a static, invalid value in the Destination Address a different range of values (usually forged frames have higher
(ff:ff:ff:ff:ff:ed) field, the DS status flag is set to 1, the length Signal Strength) than that of the validly generated ones. This
of the frame is small (but not fixed) and finally the sequence criterion is not undisputed but when applied as a statistical
number is out-of-order. Not surprisingly, the More-Fragments means and combined with other factors, it is usually indicative
flag is set to 1 and the fragment number field is greater than of an attack.
zero in all but one of the fragments in the chain. Works like [49, 58] propose possible ways for identifying
rogue AP and evil twin attacks, while [44] propose systems for
recognizing malicious CTS/RTS packets. We expect that the
C. Impersonation Attacks clear statement of attack signatures as the ones presented in
Impersonation attacks introduce an additional AP in the this paragraph will contribute to the improvement of analogous
neighborhood broadcasting Beacon frames that advertise a pre- defensive systems in the future.
existing valid network (i.e., that of the victim’s). The common
denominator of all Impersonation Attacks is that the number VI. DATASET
of Beacon frames of the victim network is approximately This section describes the AWID family of datasets with
doubled. Quite frequently these attacks are combined with a respect to its collection methodology, structure and contents.
short flood of Deauthentication frames as an initial step, so We anticipate that not only this dataset can act as a
that the attacker may force the STAs to connect to its own reliable testbed for intrusion detection experiments in wireless
rogue AP. networks, but also its study can reveal valuable information
Typically, attackers rely on the Airbase tool of the Aircrack about the conditions that take place on a singling level when
suite to launch Evil Twin attacks. As expected, additional different types of attacks occur on a real wireless network.
Beacon frames are broadcasted but in this case they have
significantly different characteristics. For example, the Times-
tamp field has a fixed value (0x0000000000000000) for all A. Data Gathering
the forged beacon frames, and the Tagged Parameters field For purposes of data gathering we created a physical lab
contains steadily a different number of parameters. which realistically emulates a typical SOHO infrastructure. A
Figure 10 displays the number of Beacon Frames having number of mobile and stationary STAs were used as the valid
the ESSID of the victim network. The reader should notice clients of the network, while a single mobile attacker was
that there are timeframes during which the amount of these unleashing various attacks.
Beacons is almost doubled. These durations correspond to More specifically, the valid network consisted of 1 desktop
impersonation attacks, and this conclusion is verified by the machine, 2 laptops, 2 smartphones, 1 tablet and 1 smart
fact that approximately half of these frames possess intrusive TV. The position of the desktop machine and smart TV
characteristics. remained static throughout the course of all the experiments.
Caffe Latte attacks are more complex in nature. Since they The smartphone devices displayed high mobility, i.e., they
fall into the Impersonation attacks category, they will introduce changed position inside the facilities of the lab and joined/left
additional Beacon frames, all having the ESSID of the victim the network numerous times throughout the course of the
network. As expected, these frames will also bear the same experiments. Finally, the laptop machines were semi-static,
signature characteristics as the ones transmitted during an Evil i.e., they rarely changed their position. The services running
16
contains attacks lasting for 15 minutes. This corresponds to a the corresponding normal to attack traffic ratio with respect
3 to 2 ratio of normal to attack with respect to time invested. to time as well as traffic, are illustrated in figure 13 and 14.
The raw (pcap) file occupies 948 MB on the disk while the Moreover, the complete sequence of intrusive events, and their
corresponding extracted dataset is a single Comma Separated duration through time is illustrated in figure 12.
Values (CSV) file of 935 MB (or merely 68 MB if compressed
with gzip). Likewise, the AWID-ATK-F-Trn and AWID-CLS- D. Record Scheme
F-Trn contain 37,817,835 records, 1,085,372 of which are
Each packet in the dataset is represented as a vector of
some kind of attack (in this dataset the normal to attack time
156 attributes, with the last attribute being the corresponding
ratio is 9:1). The dataset is spread over 96 files each containing
class (for AWID-CLS-R-Trn, AWID-CLS-R-Tst) or the cor-
(a variable number of) records that correspond to 1 hour of
responding attack (for AWID-ATK-R-Trn and AWID-ATK-R-
network monitoring. The accumulated size of the dataset is
Tst) of the record. The set of attributes is static which means
approximately 15 GB and it was produced from over 16.3 GB
that a packet is described by the same number of attributes
of raw information.
independently of its type and subtype. For creating a well
Table VI summarizes the main characteristics and file struc-
defined dataset we were indebted to construct a rather verbose
ture of the AWID collection of datasets including references
universal 802.11 frame type. This theoretic representation of
to the test versions of the dataset. A snapshot of all the current
a frame bears (almost) all possible 802.11 fields and therefore
and future versions will be made available (upon request) by
the values of -1 or “-” were assigned to the fields that do not
visiting the online resources of the manuscript [63].
apply to a specific header type. Note that the actual data field
was considered irrelevant and was not included in the dataset.
C. Composition of Dataset Moreover, extremely rare fields (such as vendor depended
ones) or custom tags were filtered out beforehand.
This subsection decomposes the AWID-CLS-R-Trn and
Each record is composed mainly by MAC layer information.
AWID-ATK-R-Trn subsets and analyzes their contents. Both
Such attributes include: Source Address (wlan sa), Destina-
AWID-CLS-R-Trn and AWID-ATK-R-Trn subsets were gen-
tion Address (wlan da), Initialization Vector (wlan wep iv),
erated by 1 hour utilization of the test network. In our
the ESSID (wlan mgt ssid) and others. Additionally, all
experiments the attack-free traffic lasted 35 minutes (60% of
Radiotap information such as the Signal Strength (radio-
the time) while the rest 25 minutes (40% of the time) were ded-
tap dbm antsignal), as well as general frame information
icated to exploiting vulnerabilities of the test network. During
such as Packet Number (frame number) are included in each
the attack free traffic the users of the network were conducting
record.
ordinary activities such as file transfers, web browsing and
All attributes in the dataset have numeric or nominal values
video streaming or for some periods of time the network was
except for the SSID value which takes string values. Hex-
dormant. During the attack window a single node unleashed a
adecimal values or fields that represent MAC addresses were
set of 15 unique attacks and multiple variations of them in a
transformed to their corresponding integer values on a separate
non-random way, i.e., she sequentially executed attacks with
preprocessing step. A typical MAC address corresponds to
the necessary order to achieve a specific task such as cracking
an integer value of 82468889197, while a typical value of
the network key. In more detail, in the AWID-CLS-R-Trn
signal strength field is -33. It is obvious that the scales of the
and AWID-ATK-R-Trn subsets 54.5% of the attack time was
attributes on the dataset are heavily imbalanced. We argue that
dedicated to injection attacks, 18.5% to flooding attacks and
a normalization step would be beneficial prior applying any
26.8% to impersonation attacks. The AWID-CLS-R-Trn and
kind of ML algorithm to the dataset.
AWID-ATK-R-Trn subsets include: Fragmentation and ARP
Injection attacks, Deauthentication, Authorization Request,
VII. DATASET E VALUATION
Beacon, Probe Response flooding attacks as well as Evil Twin
and Caffe Latte impersonation attacks. On the other hand, A. Machine Learning Classification
the AWID-CLS-R-Tst and AWID-ATK-R-Tst contains all the We evaluated the AWID dataset against several soft com-
aforementioned attacks plus: ChopChop, CTS, RTS, Disasso- puting algorithms in an attempt to give pointers towards the
ciation, Power Saving, Probe Request and Hirte attacks, which algorithms that behave best with the AWID dataset. Our
are considered novel by the standards of the training set. The experiments were conducted with the Weka [64] framework
full versions of the dataset, namely AWID-CLS-R-Trn and on an 8-core, Ubuntu 12.04 server, virtual machine with 56
AWID-ATK-R-Trn are based on similar principles. GB RAM, located on the Azure cloud service. The chosen
Take into account that the percentages above refer to time datasets were AWID-CLS-R-Trn and AWID-CLS-R-Tst for
durations and do not correspond to actual number of records. training and testing purposes respectively. A summary of the
For instance, flooding attacks occupied 18.5% of the attack results is shown in Table VII.
time (or 7.5% of the total experiment time) in the AWID- The J48 algorithm achieved the optimal FP, TP rates but on
CLS-R-Trn set. During this duration 48,484 malicious packets the downside it required dramatically more time than any other
were introduced which may be as high as 29.8% of the entire method to construct its model from the training data (3921.68
attack traffic but at the same time it is just 2.7% of the sum seconds). The Random Forest and OneR achieved the second
of traffic in that set. The type of attacks included in the best TP and FP rate respectively, both an order of magnitude
training and test versions of the AWID dataset along with faster.
18
(a) Time Based Composition of the Training Subset by Class (b) Traffic Based Composition of the Training Subset by Class
(c) Time Based Composition of the Training Subset by Attack (d) Traffic Based Composition of the Training Subset by Attack
Fig. 13: Attack vs. Normal Traffic in the Reduced Training sets
19
At a first glance, algorithms such as Adaboost, Hyperpipes, that all have Sequence Number field of value 0. This would
ZeroR which present TP rate of 0.922 may seem satisfactory. strike as a statistical anomaly as it is impossible to locate
This illusion is created by the fact that the portion of normal sequential records with such characteristics on the normal
traffic greatly outnumbers the abnormal one. In practice, what class.
these algorithms do is incorrectly assign any record to the After thoroughly examining the fields of intrusive frames
normal class, thus achieving TP rates equal to the records of we attempted manual attribute selection. Based on the ob-
that class. Nevertheless, a closer look at the comparative con- servations and theoretical analysis of the attack patterns we
fusion matrices in Table VIII can verify that these algorithms deduced that only 20 attributes play a crucial role when it
misclassify all intrusive records. As far as separate classes are comes to identifying attacks, so we moved to a second round
concerned the normal class was almost infallibly predicted by of the previously described experiments. The results of the
the OneR algorithm in 99.99% rate. Naive Bayes managed evaluation which can be seen in Table IX indicate that while
to correctly recognize 72.69% of the flooding records. The there was a small (and in many cases negligible) increase in
injection class was very accurately predicted by the J48 the overall accuracy, there was a definite boost in the training
algorithm (99.98%) but records of impersonation class were speed of almost all algorithms. More specifically, the shrinkage
the toughest to recognize with the top performer for the class, in training time varied from 10.75% for the Random Forest
namely Random Tree, being able to correctly classify only algorithm to as high as 89.35% for the Adaboost algorithm.
7.5% of these records. The only exception to this rule was the ZeroR algorithm which
actually required more time (0.63 seconds with the 156-feature
sets vs. 3.65 seconds with the 20-feature sets).
B. Manual Attribute Selection Based on Theoretic Criteria Likewise, we observed an augmentation in the classification
Out of the 156 attributes contained in the dataset it is precision which unfortunately was of milder intensity. More
inevitable that some of them play a less important role, others specifically, the achieved improvement ranged from 0.1% for
are insignificant, while in the worst case, a number of attributes the Random Forest algorithm to 4.5% for the Random Tree
may act as noise and therefore misdirect the machine learning one. Despite the overall increase in precision, only the Naive
process. This pleonasm is expected to have a negative impact Bayes algorithm showcased a significant one in prediction
on the training speed and it is highly probable that it will lead accuracy of the impersonation attacks, but with 4,419 correctly
to lower detection rates. We assert that the process of locating classified out of 20,079 class instances (22%) the achievements
and eliminating the redundant attributes is a necessary step are still unsatisfactory.
before moving on to any form of automatic intrusion detection, In this round of experiments the Naive Bayes algorithm had
and as explained further down, it will be of benefit when the lowest FP rate, the J48 achieved the highest TP rate while
applied to the AWID dataset too. The work in [65] stresses the Random Forest had the best accuracy for the Normal class,
importance of feature/attribute selection in wireless intrusion Naive Bayes for the Flooding and Impersonation classes, and
detection and ranks the most important features/attributes of J48 for the Injection one.
the MAC header.
As detailed in section V most attacks have inherent char- VIII. C ONCLUSIONS AND D ISCUSSION
acteristics that attest their presence. For example, the frag- This work gathers, describes and evaluates the most
mentation attack is based on the injection of a large number widespread attacks in the IEEE 802.11 standard. Based on
of frames that have the fragment number field greater than real-life network utilization we have compiled the AWID
0. Moreover, besides the theoretic attack signatures most family of datasets that contain both normal and abnormal
penetration tools leave digital footprints of their own. A vivid traffic. The results of the evaluation have aided maintaining
example is that of the Authentication Request attack which is the contents of the dataset as realistic as possible in matters of
implemented solely by the MDK3 tool. During this mode of attack sequence and normal to attack traffic ratio. The dataset
execution the tool generates a flood of frames of subtype 0x0b, was harvested from a WEP protected network but we strongly
20
(a) Time Based Composition of the Test Subset by Class (b) Traffic Based Composition of the Test Subset by Class
(c) Time Based Composition of the Test Subset by Attack (d) Traffic Based Composition of the Test Subset by Attack
Fig. 14: Attack vs. Normal Traffic in the Reduced Testing Sets
TABLE VII: Evaluation of Various Classification Algorithms on the 156 Feature Set. Best performer in red.
Algorithm Correctly Classified% Incorrectly Classified% TP Rate FP Rate Precision Recall F-Measure ROC Area Time
AdaBoost 92.2073 7.7927 0.922 0.922 0.85 0.922 0.885 0.806 1513
Hyperpipes 92.2073 7.7927 0.922 0.922 0.85 0.922 0.885 0.952 7.79
J48 96.1982 3.801 0.962 0.437 0.954 0.962 0.948 0.759 3921.68
Naive Bayes 89.4323 10.5677 0.894 0.768 0.891 0.894 0.877 0.594 188.21
OneR 94.5758 5.4242 0.946 0.642 0.9 0.946 0.922 0.652 156.98
Random Forest 95.5891 4.4109 0.956 0.52 0.958 0.956 0.941 0.955 828.95
Random Tree 91.4379 8.5621 0.914 0.449 0.914 0.914 0.91 0.733 88.43
ZeroR 92.2073 7.7927 0.922 0.922 0.85 0.922 0.885 0.5 0.63
assert that the same data is possible to be used for WPA/WPA2 After carefully examining the traffic patterns we concluded
intrusion detection, since the existing threats of the latter are that theoretically, out of the 156 attributes chosen to be
practically a subset of first. With the same mindset, the AWID included in the dataset, only 20 seem to play a more significant
dataset is possible to be utilized for experimentation with role in legacy intrusion detection. This hypothesis was indeed
alternative wireless technologies (WiMAX, UMTS, LTE) as confirmed by the results of several tests which exhibited a
they are proved to have similar security holes and their attacks slight increase in detection rate, the overall accuracy of most
follow resembling patterns [66] and [67]. classifiers as well as a definite increase in the learning speed.
Our experiments indicated an inherent advantage of the Ran- These experiments were not exhaustive and numerous
dom Forest and J48 classification algorithms. This conclusion promising machine learning techniques were left for future
may pave a walkway for the development of robust detection research. In particular, Swarm Intelligence techniques [68],
algorithms for the specific dataset in the future. Markov Chain [69] based ones as well as other soft computing
21
TABLE VIII: Confusion Matrices of Various Classification Algorithms on the 156 Feature Set. Best performer in red.
Normal Flooding Injection Impersonation Classified As Normal Flooding Injection Impersonation Classified As
530785 0 0 0 Normal 530785 0 0 0 Normal
8097 0 0 0 Flooding 8097 0 0 0 Flooding
16682 0 0 0 Injection 16682 0 0 0 Injection
20079 0 0 0 Impersonation 20079 0 0 0 Impersonation
(a) Adaboost (b) Hyperpipes
Normal Flooding Injection Impersonation Classified As Normal Flooding Injection Impersonation Classified As
530771 8 0 6 Normal 508621 22164 0 0 Normal
2641 4857 0 599 Flooding 2189 5908 0 0 Flooding
2 0 16680 0 Injection 16400 0 282 0 Injection
18629 0 0 1450 Impersonation 18750 1329 0 0 Impersonation
(c) J48 (d) Naive Bayes
Normal Flooding Injection Impersonation Classified As Normal Flooding Injection Impersonation Classified As
530775 0 7 3 Normal 530729 1 54 1 Normal
8097 0 0 0 Flooding 4077 4020 0 0 Flooding
3038 0 13644 0 Injection 2470 0 14212 0 Injection
20079 0 0 0 Impersonation 18760 0 28 1291 Impersonation
(e) OneR (f) Random Forest
Normal Flooding Injection Impersonation Classified As Normal Flooding Injection Impersonation Classified As
518657 906 716 10506 Normal 530785 0 0 0 Normal
3854 4243 0 0 Flooding 8097 0 0 0 Flooding
338 0 1930 14414 Injection 16682 0 0 0 Injection
17550 0 1003 1526 Impersonation 20079 0 0 0 Impersonation
(g) Random Tree (h) ZeroR
TABLE IX: Evaluation of Various Classification Algorithms on the 20 Feature Set. Best performer in red.
Algorithm Correctly Classified% Incorrectly Classified% TP Rate FP Rate Precision Recall F-Measure ROC Area Time
AdaBoost 92.2073 7.7927 0.922 0.922 0.85 0.922 0.885 0.673 161.12
Hyperpipes 92.2363 7.7637 0.922 0.919 0.879 0.922 0.885 0.935 3.52
J48 96.2574 3.7426 0.963 0.436 0.962 0.963 0.948 0.752 568.92
Naive Bayes 90.5504 9.4496 0.906 0.399 0.917 0.906 0.909 0.774 29.67
OneR 94.5741 5.4259 0.946 0.642 0.9 0.946 0.922 0.652 156.98
Random Forest 95.8247 4.1753 0.958 0.493 0.959 0.958 0.944 0.958 739.78
Random Tree 96.2258 3.7742 0.962 0.438 0.959 0.962 0.948 0.762 49.3
ZeroR 92.2073 7.7927 0.922 0.922 0.85 0.922 0.885 0.5 3.65
TABLE X: Confusion Matrices of Various Classification Algorithms on the 20 Feature Set. Best performer in red.
Normal Flooding Injection Impersonation Classified As Normal Flooding Injection Impersonation Classified As
530785 0 0 0 Normal 530785 0 0 0 Normal
8097 0 0 0 Flooding 8097 0 0 0 Flooding
16682 0 0 0 Injection 16515 0 167 0 Injection
20079 0 0 0 Impersonation 20079 0 0 0 Impersonation
(a) Adaboost (b) Hyperpipes
Normal Flooding Injection Impersonation Classified As Normal Flooding Injection Impersonation Classified As
530588 116 6 75 Normal 497199 8971 11899 12716 Normal
2553 5544 0 0 Flooding 2123 5974 0 0 Flooding
2 0 16680 0 Injection 3027 0 13655 0 Injection
18644 148 0 1287 Impersonation 14187 1473 0 4419 Impersonation
(c) J48 (d) Naive Bayes
Normal Flooding Injection Impersonation Classified As Normal Flooding Injection Impersonation Classified As
530765 0 14 6 Normal 530746 1 1 37 Normal
8097 0 0 0 Flooding 2600 5497 0 0 Flooding
3038 0 13644 0 Injection 2763 0 13893 0 Injection
20079 0 0 0 Impersonation 18607 0 28 1472 Impersonation
(e) OneR (f) Random Forest
Normal Flooding Injection Impersonation Classified As Normal Flooding Injection Impersonation Classified As
530700 3 0 82 Normal 530785 0 0 0 Normal
2442 5494 161 0 Flooding 8097 0 0 0 Flooding
273 0 16253 156 Injection 16682 0 0 0 Injection
18609 0 0 1470 Impersonation 20079 0 0 0 Impersonation
(g) Random Tree (h) ZeroR
methods [70] seem to possess desirable characteristics in According to [71] big data are high volume, high veloc-
theory, and in practice have regularly led to the construction ity, and/or high variety information assets. Wireless network
of robust IDS. communication satisfies all 3 characteristics of this model,
REFERENCES 22
conference on Mobile computing and networking. ACM. onds”. In: Information Security Applications. Springer,
2001, pp. 180–189. 2007, pp. 188–202.
[13] Kwang-Hyun Baek, Sean W Smith, and David Kotz. [28] Andreas Klein. “Attacks on the RC4 stream cipher”.
“A Survey of WPA and 802.11 i RSN Authentication In: Designs, Codes and Cryptography 48.3 (2008),
Protocols”. In: Dartmouth Computer Science Technical pp. 269–286.
Report2004 (2004). [29] Robert Moskowitz. “Weakness in passphrase choice in
[14] Richard Gass, James Scott, and Christophe Diot. “Mea- WPA interface”. In: ICSA Labs (2003).
surements of in-motion 802.11 networking”. In: Mo- [30] Yonglei Liu, Zhigang Jin, and Ying Wang. “Sur-
bile Computing Systems and Applications, 2006. WM- vey on security scheme and attacking methods of
CSA’06. Proceedings. 7th IEEE Workshop on. IEEE. WPA/WPA2”. In: Wireless Communications Network-
2005, pp. 69–74. ing and Mobile Computing (WiCOM), 2010 6th Inter-
[15] The KDD99 Dataset. Nov. 2014. URL: http://kdd.ics. national Conference on. IEEE. 2010, pp. 1–4.
uci.edu/databases/kddcup99/task.html. [31] KoreK. ChopChop (Experimental WEP attacks). Nov.
[16] IEEE. 802.16e-2005, I.S. IEEE Standard for Local and 2014. URL: http : / / www. netstumbler. org / showthread .
Metropolitan area networks Part 16: Air Interface for php?t=12489.
Fixed Broadband Wireless Access Systems. Nov. 2014. [32] Andrea Bittau. “The Fragmentation Attack in Practice”.
URL : http : / / standards . ieee . org / getieee802 / download / In: IEEE Symposium on Security and Privacy, IEEE
802.16e-2005.pdf. Computer Society. 2005.
[17] ETSI. Universal Mobile Telecommunications System [33] Md Sohail Ahmad and Vivek Ramachandran. Cafe latte
(UMTS); User Equipment (UE) radio transmission and with a free topping of cracked wep retrieving wep keys
reception (FDD). Nov. 2014. URL: http://www.3gpp. from road warriors. 2007.
org/specifications/79-specification-numbering. [34] Hirte Attack. Nov. 2014. URL: http://www.aircrack-ng.
[18] 3GPP. LTE; Evolved Universal Terrestrial Radio Access org/doku.php?id=airbase- ng#hirte attack in access
(E-UTRA); User Equipment (UE) radio transmission point mode.
and reception (3GPP TS 36.101 version 10.3.0 Release [35] IEEE. 802.11n-2009 - IEEE Standard for Information
10). Nov. 2014. URL: http://www.3gpp.org/DynaReport/ Technology- Telecommunications and Information Ex-
36-series.htm. change Between Systems-Local and Metropolitan Area
[19] Rodrigo do Carmo and Matthias Hollick. “DogoIDS: a Networks-Specific Requirements. Part 11: Wireles LAN
mobile and active intrusion detection system for IEEE Medium Access Control (MAC) and Physical Layer
802.11 s wireless mesh networks”. In: Proceedings of (PHY) Specifications. Amendment 5: Enhancements for
the 2nd ACM workshop on Hot topics on wireless Higher Throughput. Nov. 2014. URL: http://standards.
network security and privacy. ACM. 2013, pp. 13–18. ieee.org/getieee802/download/802.11n-2009.pdf.
[20] Nikita Lyamin, Alexey Vinel, Magnus Jonsson, and [36] Kemal Bicakci and Bulent Tavli. “Denial-of-Service
Jonathan Loo. “Real-Time Detection of Denial-of- attacks and countermeasures in IEEE 802.11 wireless
Service Attacks in IEEE 802.11 p Vehicular Networks”. networks”. In: Computer Standards & Interfaces 31.5
In: IEEE communications letters 18.1 (2014), pp. 110– (2009), pp. 931–941.
113. [37] Thuc D Nguyen, D Nguyen, Bao N Tran, Hai Vu,
[21] IEEE. Part 11: Wireless LAN Medium Access Con- and Neeraj Mittal. “A lightweight solution for de-
trol (MAC) and Physical Layer (PHY) Specifications. fending against deauthentication/disassociation attacks
Amendment 4: Enhancements for Very High Throughput on 802.11 networks”. In: Computer Communications
for Operation in Bands below 6 GHz. Nov. 2014. URL: and Networks, 2008. ICCCN’08. Proceedings of 17th
http : / / standards . ieee . org / getieee802 / download / 802 . International Conference on. IEEE. 2008, pp. 1–6.
11ac-2013.pdf. [38] Ilenia Tinnirello and Sunghyun Choi. “Efficiency
[22] L Devi and A Suganthi. “Denial of Service Attacks in analysis of burst transmissions with block ACK in
Wireless Networks: The Case of Jammers”. In: (2014). contention-based 802.11 e WLANs”. In: Communica-
[23] Scott Fluhrer, Itsik Mantin, and Adi Shamir. “Weak- tions, 2005. ICC 2005. 2005 IEEE International Con-
nesses in the key scheduling algorithm of RC4”. In: ference on. Vol. 5. IEEE. 2005, pp. 3455–3460.
Selected areas in cryptography. Springer. 2001, pp. 1– [39] Review of A MPDU DoS Issue, Nov. 2014. URL: https:
24. //mentor.ieee.org/802.11/file/07/11-07-2163-01-000n-
[24] Andrea Bittau. “Additional weak IV classes for the a-mpdu-security-issues.ppt.
FMS attack”. In: Department of Computer Science, [40] Chibiao Liu, James Yu, and Gregory Brewster. “Empir-
University College London (2003). ical studies and queuing modeling of denial of service
[25] Hal Berghel and Jacob Uecker. “WiFi attack vectors”. attacks against 802.11 WLANs”. In: World of Wireless
In: Communications of the ACM 48.8 (2005), pp. 21–28. Mobile and Multimedia Networks (WoWMoM), 2010
[26] Rafik Chaabouni. Break wep faster with statistical anal- IEEE International Symposium on a. IEEE. 2010, pp. 1–
ysis. Tech. rep. 2006. 9.
[27] Erik Tews, Ralf-Philipp Weinmann, and Andrei [41] Leandro F Meiners. “But... my station is awake! Power
Pyshkin. “Breaking 104 bit WEP in less than 60 sec- Save Denial of Service in 802.11 Networks”. In: (2009).
24
[42] Wenjun Gu, Zhimin Yang, Dong Xuan, Weijia Jia, and WLAN”. In: Global Trends in Computing and Commu-
Can Que. “Null data frame: A double-edged sword in nication Systems. Springer, 2012, pp. 607–616.
IEEE 802.11 WLANs”. In: Parallel and Distributed [58] Harold Gonzales, Kevin Bauer, Janne Lindqvist, Damon
Systems, IEEE Transactions on 21.7 (2010), pp. 897– McCoy, and Douglas Sicker. “Practical defenses for evil
910. twin attacks in 802.11”. In: Global Telecommunications
[43] Mina Malekzadeh, Abdul AA Ghani, Jalil Desa, and Conference (GLOBECOM 2010), 2010 IEEE. IEEE.
Shamala Subramaniam. “Empirical analysis of virtual 2010, pp. 1–6.
carrier sense flooding attacks over wireless local area [59] Metasploit. Nov. 2014. URL: http : / / www. metasploit .
network”. In: Journal of Computer science 5.3 (2009), com/.
p. 214. [60] Wireshark. Nov. 2014. URL: http://www.wireshark.org.
[44] Supriya S Sawwashere and Sonali U Nimbhorkar. [61] AWID. capt - Dataset Capturing Script. Nov. 2014.
“Survey of RTS-CTS Attacks in Wireless Network”. URL: www.icsd.aegean.gr/awid/downloads.
In: Communication Systems and Network Technolo- [62] AWID. pcap2csv - PCAP to CSV Transformation Script.
gies (CSNT), 2014 Fourth International Conference on. Nov. 2014. URL: www.icsd.aegean.gr/awid/downloads.
IEEE. 2014, pp. 752–755. [63] AWID. Aegean Wireless Intrusion Dataset. Nov. 2014.
[45] Asier Martı́nez, Urko Zurutuza, Roberto Uribeetxeber- URL: www.icsd.aegean.gr/awid/downloads.
ria, Miguel Fernández, Jesus Lizarraga, Ainhoa Serna, [64] University of Waikato. Weka 3: Data Mining Software
and Iñaki Vélez. “Beacon Frame Spoofing Attack De- in Java. Nov. 2014. URL: http://www.cs.waikato.ac.nz/
tection in IEEE 802.11 Networks”. In: Availability, Reli- ml/weka/.
ability and Security, 2008. ARES 08. Third International [65] N Pratik Neelakantan and C Nagesh. “Role of Feature
Conference on. IEEE. 2008, pp. 520–525. Selection in Intrusion Detection Systems for 802.11
[46] Francesco Ferreri, Massimo Bernaschi, and Leonardo Networks”. In: International Journal of Smart Sensors
Valcamonici. “Access points vulnerabilities to DoS at- and Ad Hoc Networks (IJSSAN) Volume-1, Issue-1
tacks in 802.11 networks.” In: WCNC. 2004, pp. 634– (2011), pp. 98–101.
638. [66] Georgios Kambourakis, Constantinos Kolias, Stefanos
[47] Noor Al-Gharabally, Nosayba El-Sayed, Sara Al-Mulla, Gritzalis, and Jong Hyuk Park. “DoS attacks exploiting
and Imtiaz Ahmad. “Wireless honeypots: survey and signaling in UMTS and IMS”. In: Computer Commu-
assessment”. In: Proceedings of the 2009 conference nications 34.3 (2011), pp. 226–235.
on Information Science, Technology and Applications. [67] Constantinos Kolias, Georgios Kambourakis, and Ste-
ACM. 2009, pp. 45–52. fanos Gritzalis. “Attacks and countermeasures on
[48] Yimin Song, Chao Yang, and Guofei Gu. “Who is peep- 802.16: analysis and assessment”. In: Communications
ing at your passwords at Starbucks?To catch an evil twin Surveys & Tutorials, IEEE 15.1 (2013), pp. 487–514.
access point”. In: Dependable Systems and Networks [68] Constantinos Kolias, Georgios Kambourakis, and M
(DSN), 2010 IEEE/IFIP International Conference on. Maragoudakis. “Swarm intelligence in intrusion detec-
IEEE. 2010, pp. 323–332. tion: A survey”. In: computers & security 30.8 (2011),
[49] Raheem Beyah and Aravind Venkataraman. “Rogue- pp. 625–642.
access-point detection: Challenges, solutions, and future [69] Jiankun Hu, Xinghuo Yu, Dong Qiu, and Hsiao-Hwa
directions”. In: IEEE Security and Privacy 9.5 (2011), Chen. “A simple and efficient hidden Markov model
pp. 56–61. scheme for host-based anomaly intrusion detection”. In:
[50] Ajay M Patel, Ashok R Patel, and Hiral R Patel. “RAP Network, IEEE 23.1 (2009), pp. 42–47.
Problems and Solutions in 802.11 Wireless LAN”. In: [70] Shelly Xiaonan Wu and Wolfgang Banzhaf. “The use
International Journal 2.1 (2014). of computational intelligence in intrusion detection
[51] Vivek Ramachandran. Backtrack 5 Wireless Penetration systems: A review”. In: Applied Soft Computing 10.1
Testing: Beginner’s Guide. Packt Publishing Ltd, 2011. (2010), pp. 1–35.
[52] MDK3. Nov. 2014. URL: http : / / homepages . tu - [71] Mark A Beyer and Douglas Laney. “The importance
darmstadt.de/∼p\ larbig/wlan/\#mdk3. of’big data’: a definition”. In: Stamford, CT: Gartner
[53] File2air. Nov. 2014. URL: http://www.willhackforsushi. (2012).
com/?page\ id=19.
[54] Lorcon-old source code. Nov. 2014. URL: https://aur.
archlinux.org/packages/lorcon-old-git/?setlang=en.
[55] Lorcon2 Library. Nov. 2014. URL: https://code.google.
com/p/lorcon/.
[56] John Bellardo and Stefan Savage. “802.11 Denial-of-
Service Attacks: Real Vulnerabilities and Practical So-
lutions.” In: USENIX security. 2003, pp. 15–28.
[57] L Arockiam, B Vani, S Sivagowry, and A Persia. “A
solution to prevent resource flooding attacks in 802.11
25
Constantinos Kolias was born in Athens, Greece Prof. Stefanos Gritzalis is the Rector of the Uni-
in 1982. He holds a Diploma in Computer Science versity of the Aegean, Greece (2014-2018). He
from Technological Educational Institute of Athens, is a Professor at the Dept. of Information and
Greece and MSc in Information and Communication Communication Systems Engineering and member
System Security from the Department of Information of the Laboratory of Information and Communica-
and Communication Systems Engineering, Univer- tion Systems Security (Info-Sec-Lab). He holds a
sity of the Aegean, Greece. He received his Ph.D. in BSc in Physics, an MSc in Electronic Automation,
2014 under the supervision of Assist. Prof. Georgios and a PhD in Information and Communications
Kambourakis. Currently, he works as a Research Security from the Department of Informatics and
Assistant Professor at the George Mason University Telecommunications, University of Athens, Greece.
under the supervision of Prof. Angelos Stavrou. His His published scientific work includes more than
primary research interests lie in the field of security for 4G/5G protocols, 30 books or book chapters, including the book ”Digital Privacy: Theory,
wireless intrusion detection, data mining network traces, big data analysis Technologies and Practices”, co-edited by A. Acquisti, S. De Capitani di
techniques, datasets construction, security via virtualization techniques, and Vimercati, and C. Lambrinoudakis. Moreover, his work has been published
smartphone security. in more than 110 scientific journals and in the proceedings of more than
140 international refereed scientific conferences and workshops. The focus
of his publications is on Information and Communications Security and
Privacy. His most frequently cited papers have more than 3.000 citations
(h-index=27, i10-index=83). He has acted as Guest Editor in more than 32
journal special issues, and has been General Chair or Program Committee
Chair in more than 30 international conferences and workshops. He has
served as a Program Committee member of more than 400 international
conferences and workshops. He is the Editor-in-Chief or Editor or Editorial
Board member in 20 journals and a Reviewer in more than 50 scientific
journals. He has supervised 13 PhD dissertations and has acted as external
evaluator for more than 30 PhD students from Germany, Italy, Spain, India,
Greece, etc. He has acted as external reviewer for research proposals submitted
to Qatar Foundation - Qatar National Research Fund, ETH Zurich Research
Georgios Kambourakis received the Diploma in
Commission, The Netherlands Organisation for Scientific Research, Czech
Applied Informatics from the Athens University of
Science Foundation, FFG Austrian Research Promotion Agency, Croatian
Economics and Business, and the Ph.D. in Infor-
Ministry of Science and Education, Slovenian Research Agency, South Africas
mation and Communication Systems Engineering
National Research Foundation, Greek General Secretariat for Research and
from the dept. of Information and Communications
Technology, etc. He has been involved in several National and EU funded RD
Systems Engineering, University of the Aegean.
projects. His professional experience includes senior consulting and researcher
He also holds a Master of Education degree from
positions in a number of private and public institutions. He was elected twice
the Hellenic Open University. Currently, he is an
as Member of the Board (Secretary General, Treasurer) of the Greek Computer
Assistant Professor at the dept. of Information and
Society. He acts as member of the Hellenic Association for Information
Communication Systems Engineering, University of
Systems (AIS - Hellenic Chapter), the Association for Computing Machinery
the Aegean, Greece. His research interests are in the
(ACM), the Institute of Electrical and Electronics Engineers (IEEE) and the
fields of mobile and wireless networks security and privacy, VoIP security,
IEEE Communications Society ”Communications and Information Security
DNS security, and m-learning and he has more than 100 publications in the
Technical Committee”.
above areas. He has been involved in several national and EU funded RD
projects in the areas of Information and Communication Systems Security.
He is also a reviewer for a plethora of IEEE and other international journals
and has served as a technical program committee member for more than 140
international conferences in security and networking.