Complex and challenging to secure, IEEE 802.11 networks have become indispensable to modern communications. However, continuous security threats, large data volumes and ever-increasing availability requirements place an ongoing burden on network operators. Various security enhancements have been made since the release of the original IEEE 802.11 standard in 1997, and these have considerably improved the authentication and encryption methods. Nevertheless, because the medium is broadcast, these changes have done nothing to make monitoring harder: any receiver in range can capture every frame. The concern is particular to wireless networks because management frames, which carry the beacons, probes, authentication, association and disconnection messages, are generally transmitted in the clear and can be forged by anyone who can see them. Protected Management Frames (IEEE 802.11w) authenticate some of these frames between an access point and an already associated client, but frames exchanged before association, such as beacons, probe responses and authentication requests, remain unprotected. These management frames have therefore become a favoured target of Denial-of-Service (DoS) attacks, a situation that has left network operators with few options. As this research demonstrates, this need not always be the case.
This thesis’s original contribution to knowledge is a novel system for preventing IEEE 802.11 impersonation attacks. The key finding is that, once devices are correctly identified and behavioural models are applied, DoS attacks can be pre-empted and neutralised. An optimised combination of radio frequency characteristics, Media Access Control (MAC) layer parameters and probed responses gives a device identification accuracy of up to 99%. This combination is selected by a new algorithm that determines which features to evaluate from the multiple layers of an IEEE 802.11 frame. Building upon a reliable device identity, a second novel algorithm mitigates DoS attacks using behavioural analytics and defensive countermeasures; it draws on cybersecurity operations strategy to evaluate attacker actions and analyse evolving situations in real time.
A common approach is to start with the MAC layer of an IEEE 802.11 frame, whose header and information elements carry device-specific capability and identification information. However, these fields are trivially forged, so the MAC layer alone cannot establish a device’s identity. That is not to say that the MAC layer cannot contribute to device identification, only that it should not be trusted in isolation. Additionally, the MAC layer provides information about the device vendor (from the Organisationally Unique Identifier in the address) and, through the capabilities a device advertises, its likely chipset; this can help to detect a mismatch with the information extracted from the physical layer.
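As an added illustration of what the MAC layer does and does not offer (example code written for this page, not the thesis’s implementation), the following Python parses a management frame’s 24-byte header and its information elements, derives a driver-level profile from those elements, and flags a frame whose source address matches an enrolled device but whose profile does not. The probe-request bytes, the OUI table and the enrolled baseline are constructed for the example; the header layout and the element identifiers used (0 SSID, 1 and 50 supported rates, 45 HT capabilities) are from the standard.

```python
import struct
from dataclasses import dataclass

# Management-frame subtypes from the Frame Control field (frame type 0)
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
# Size of the fixed (non-IE) fields that precede the information elements, per subtype
FIXED_LEN = {0: 4, 1: 6, 5: 12, 8: 12, 10: 2, 11: 6, 12: 2}
# Constructed OUI-to-vendor table for this example; a deployment would load the IEEE registry
OUI_VENDORS = {"00:11:22": "ExampleRadio Inc", "aa:bb:cc": "OtherChips Ltd"}


@dataclass
class MgmtFrame:
    subtype: str
    dst: str
    src: str
    bssid: str
    seq: int
    fixed: bytes
    ies: list          # [(element_id, payload_bytes), ...] in on-air order


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(buf):
    """Decode the 24-byte MAC header and the tagged parameters of a management frame."""
    fc, _dur, a1, a2, a3, seqctl = struct.unpack_from("<HH6s6s6sH", buf, 0)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    body = buf[24:]
    n_fixed = FIXED_LEN.get(subtype, 0)
    ies, off = [], n_fixed
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        ies.append((eid, bytes(body[off + 2:off + 2 + elen])))
        off += 2 + elen
    return MgmtFrame(MGMT_SUBTYPES.get(subtype, f"subtype-{subtype}"), mac_str(a1),
                     mac_str(a2), mac_str(a3), seqctl >> 4, bytes(body[:n_fixed]), ies)


def vendor_of(mac):
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")


def mac_fingerprint(frame):
    """Driver/chipset-specific profile: IE order plus the rate and HT capability payloads.
    The source address is excluded on purpose; it is the one field an attacker always sets."""
    parts = ["ies:" + ",".join(str(eid) for eid, _ in frame.ies)]
    for eid, data in frame.ies:
        if eid in (1, 50):          # Supported Rates / Extended Supported Rates
            parts.append(f"rates{eid}:{data.hex()}")
        elif eid == 45:             # HT Capabilities
            parts.append(f"ht:{data.hex()}")
    return "|".join(parts)


def check_identity(frame, baseline):
    """Compare a frame's MAC-layer profile with what was learned earlier for its source.
    Returns 'new' (address never seen, profile learned), 'match' or 'mismatch'."""
    fp = mac_fingerprint(frame)
    known = baseline.get(frame.src)
    if known is None:
        baseline[frame.src] = fp
        return "new"
    return "match" if known == fp else "mismatch"


def build_probe_req(src, ies, seq=0):
    # Constructed probe request: FC 0x0040 = type 0 (management), subtype 4; broadcast DA/BSSID
    hdr = struct.pack("<HH6s6s6sH", 0x0040, 0, b"\xff" * 6,
                      bytes.fromhex(src.replace(":", "")), b"\xff" * 6, seq << 4)
    return hdr + b"".join(bytes([eid, len(d)]) + d for eid, d in ies)


CLIENT = "00:11:22:33:44:55"
# Genuine client (constructed): wildcard SSID, 802.11b/g rates, HT capabilities present
LEGIT_FRAME = build_probe_req(CLIENT, [(0, b""),
                                       (1, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])),
                                       (50, bytes([0x30, 0x48, 0x60, 0x6C])),
                                       (45, bytes([0xEF, 0x01]) + bytes(24))], seq=17)
# Impostor (constructed) reusing the client's address from a tool that emits a different IE set
SPOOF_FRAME = build_probe_req(CLIENT, [(0, b""), (1, bytes([0x82, 0x84, 0x8B, 0x96]))], seq=3)


def demo():
    baseline = {}
    legit = parse_mgmt_frame(LEGIT_FRAME)
    first = check_identity(legit, baseline)              # learns the genuine profile
    second = check_identity(parse_mgmt_frame(SPOOF_FRAME), baseline)
    return legit, first, second


if __name__ == "__main__":
    frame, first, second = demo()
    print(frame.subtype, frame.src, vendor_of(frame.src), first, second)
```

The check is deliberately weak on its own: a careful attacker can replay a captured frame byte for byte, which is exactly why the paragraph above says the MAC layer must be combined with physical-layer evidence rather than trusted in isolation.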
While the broadcast nature of wireless networking creates numerous challenges, it also provides some unique benefits. Radio frequency signals vary from device to device, because of manufacturing tolerances in each transmitter’s analogue components, and are also impacted significantly by the environment. Such variations present an opportunity for “fingerprinting” individual devices. This thesis shows that such distinctions can become an accurate and reliable identification method when combined with other attributes. The difficulty, however, has been accessing the raw radio frequency information within a Wireless Access Point (WAP): the baseband processing of the radio frequency signal is locked deep within the wireless networking chip and unavailable to outside processes. By implementing the baseband logic in a Field Programmable Gate Array (FPGA), it is possible to extract radio frequency information for upstream processing. As demonstrated, combining this radio frequency data with MAC layer elements allows several independent data points to be evaluated together.
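One radio frequency characteristic that such an FPGA baseband can expose is the carrier frequency offset (CFO) of the transmitter’s oscillator, which differs from device to device. The following Python, an added example rather than the thesis’s feature set or code, estimates CFO from the periodic legacy Short Training Field with a delay-and-correlate estimator and then checks the result against an enrolled value for the claimed address. The training-field samples, the enrolled offsets and the 1.5 kHz matching tolerance are constructed assumptions; a real receiver would average across many frames and account for noise and its own oscillator error.

```python
import cmath
import math
import random

SAMPLE_RATE_HZ = 20e6      # 20 MHz channel: one complex sample every 50 ns
STF_PERIOD = 16            # the legacy Short Training Field repeats every 16 samples
CFO_TOLERANCE_HZ = 1500.0  # assumed per-device stability for matching; tune from measurements


def make_training_field(period=STF_PERIOD, repeats=10, seed=1):
    """Constructed stand-in for the periodic STF: a unit-magnitude pattern repeated.
    The real STF has a fixed pattern; only its periodicity matters to the estimator."""
    rng = random.Random(seed)
    base = [cmath.exp(1j * rng.uniform(0.0, 2.0 * math.pi)) for _ in range(period)]
    return base * repeats


def apply_cfo(samples, cfo_hz, fs=SAMPLE_RATE_HZ):
    """Model a transmitter oscillator offset: each sample is rotated 2*pi*cfo/fs further."""
    return [s * cmath.exp(2j * math.pi * cfo_hz * n / fs) for n, s in enumerate(samples)]


def estimate_cfo(samples, period=STF_PERIOD, fs=SAMPLE_RATE_HZ):
    """Delay-and-correlate estimator: for a field periodic in D samples, r[n+D]*conj(r[n])
    has phase 2*pi*cfo*D/fs for every n, so summing the products and taking the angle
    averages out noise. Unambiguous for |cfo| < fs/(2D) = 625 kHz here, far wider than
    the +/-20 ppm (about +/-100 kHz at 5 GHz) that the standard permits a transmitter."""
    acc = sum(samples[n + period] * samples[n].conjugate()
              for n in range(len(samples) - period))
    return cmath.phase(acc) * fs / (2.0 * math.pi * period)


def matches_device(observed_hz, enrolled_hz, tol=CFO_TOLERANCE_HZ):
    """Identity check on one RF feature: is the offset within the device's enrolled band?"""
    return abs(observed_hz - enrolled_hz) <= tol


# Constructed enrolment: two radios with different crystal errors (+37 kHz and -12 kHz are
# roughly +7 ppm and -2.4 ppm at 5 GHz, both within tolerance yet clearly distinct)
ENROLLED = {"00:11:22:33:44:55": 37_000.0, "aa:bb:cc:dd:ee:ff": -12_000.0}


def classify_frame(claimed_src, rx_samples):
    """Combine the claimed MAC-layer identity with the PHY-layer CFO measurement."""
    cfo = estimate_cfo(rx_samples)
    enrolled = ENROLLED.get(claimed_src)
    if enrolled is None:
        return "unknown-device", cfo
    return ("rf-match" if matches_device(cfo, enrolled) else "rf-mismatch"), cfo


if __name__ == "__main__":
    stf = make_training_field()
    genuine = apply_cfo(stf, 37_000.0)
    impostor = apply_cfo(stf, -12_000.0)   # the second radio claiming the first radio's address
    print(classify_frame("00:11:22:33:44:55", genuine))
    print(classify_frame("00:11:22:33:44:55", impostor))
```

CFO is only one of several PHY features used in the literature (I/Q imbalance, power-amplifier non-linearity and transient shape are others), and it drifts with temperature, so in practice it is one input to a model rather than a decision on its own.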
A Denial-of-Service attack impacts all parties in a wireless network and is, by its very nature, a malicious undertaking. One might therefore expect such attacks to be simple to detect. However, wireless DoS attacks are difficult to detect because they commonly abuse legitimate protocol functions: a forged deauthentication frame is, field by field, indistinguishable from one the access point might legitimately send. It is therefore not enough to base decisions on identity or on behaviour independently. Numerous variables must be evaluated in real time to detect and mitigate an IEEE 802.11 DoS attack effectively.
Using a variant of the Observe-Orient-Decide-Act (OODA) loop, the Wireless Access Point evaluates its surroundings, incorporating all visible devices, associated or not, to maintain a real-time threat matrix. In addition to passive sampling, which evaluates data from every device within broadcast range, this novel approach detects changes using active and pre-emptive methods by assessing the prompts issued by an attacker’s reconnaissance algorithm. Finally, countermeasures act to neutralise attacks. This multi-tier approach provides a powerful technique for protecting the Wireless Access Point’s network stack, thereby defending against a range of Denial-of-Service attacks.
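The loop described above can be sketched as follows (an added example written for this page, not the thesis’s algorithm): each frame heard is attributed to an actor, using the identity result so that an impostor reusing a genuine address is tracked separately from the genuine device; behaviour per actor over a sliding window is scored, and a countermeasure is applied only when identity and behaviour together cross a threshold. The score weights, the one-second window, the five-disconnect limit and the frame records are constructed for the illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0           # sliding observation window
DISCONNECT_LIMIT = 5     # deauth/disassoc frames per window; assumed ceiling for a genuine AP
ACT_THRESHOLD = 2        # score at which a countermeasure is taken


def device_key(rec):
    """Attribute a frame to an actor. A frame whose MAC/RF identity does not match what is
    enrolled for its address is treated as a separate actor so that forged traffic does not
    pollute the genuine device's history, nor the genuine device's traffic mask the forgery."""
    return rec["src"] if rec["identity_ok"] else rec["src"] + "#impostor"


class ThreatMatrix:
    """OODA loop over every frame heard, whether or not the sender is associated."""

    def __init__(self):
        self.events = defaultdict(deque)    # actor -> (t, subtype, identity_ok) within WINDOW_S
        self.scores = {}
        self.quarantined = set()
        self.dropped = 0

    def observe(self, rec):
        key = device_key(rec)
        q = self.events[key]
        q.append((rec["t"], rec["subtype"], rec["identity_ok"]))
        while q and rec["t"] - q[0][0] > WINDOW_S:
            q.popleft()
        return key

    def orient(self, key):
        q = self.events[key]
        disconnects = sum(1 for _, st, _ in q if st in ("deauth", "disassoc"))
        forged = sum(1 for _, _, ok in q if not ok)
        forged_disconnects = sum(1 for _, st, ok in q
                                 if not ok and st in ("deauth", "disassoc"))
        score = 0
        if disconnects > DISCONNECT_LIMIT:   # behaviour alone: a disconnect flood
            score += 2
        if forged:                           # identity alone: suspicious, not conclusive
            score += 1
        if forged_disconnects:               # identity and behaviour together: the classic pattern
            score += 1
        self.scores[key] = score
        return score

    def decide(self, key):
        return self.orient(key) >= ACT_THRESHOLD

    def act(self, key):
        # Countermeasure: stop honouring this actor's frames, so the AP's network stack no
        # longer tears down client state on its deauth/disassoc frames.
        self.quarantined.add(key)
        return f"quarantine {key}"

    def step(self, rec):
        key = self.observe(rec)
        if key in self.quarantined:
            self.dropped += 1
            return None
        return self.act(key) if self.decide(key) else None


def run_stream(records):
    tm = ThreatMatrix()
    actions = [a for a in (tm.step(r) for r in records) if a]
    return tm, actions


AP = "00:11:22:33:44:55"
CLIENT = "de:ad:be:ef:00:01"


def constructed_stream():
    """Constructed traffic: a client joining, a beaconing AP that sends one genuine deauth,
    and 20 forged deauths in 200 ms carrying the AP's address but a foreign fingerprint."""
    recs = [{"t": 0.0, "src": CLIENT, "subtype": "probe-req", "identity_ok": True},
            {"t": 0.05, "src": CLIENT, "subtype": "assoc-req", "identity_ok": True}]
    recs += [{"t": 0.1 * i, "src": AP, "subtype": "beacon", "identity_ok": True} for i in range(20)]
    recs.append({"t": 1.5, "src": AP, "subtype": "deauth", "identity_ok": True})
    recs += [{"t": 1.0 + 0.01 * i, "src": AP, "subtype": "deauth", "identity_ok": False}
             for i in range(20)]
    return sorted(recs, key=lambda r: r["t"])


if __name__ == "__main__":
    tm, actions = run_stream(constructed_stream())
    print(actions, tm.dropped, tm.scores)
```

Because the impostor’s first forged deauthentication already scores as identity plus behaviour, the countermeasure is taken on that frame and the remaining nineteen are simply dropped, while the genuine access point’s own deauthentication at 1.5 s and the client’s association traffic score zero.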
In summary, this thesis presents a clear and definitive research outcome that advances the understanding of IEEE 802.11 impersonation attacks and delivers a set of original mechanisms for effectively mitigating them. It also offers new knowledge of the device identification methods currently employed and how these compare with the new techniques. These new algorithms also have the potential to extend far beyond IEEE 802.11 networks to other wireless technologies such as Bluetooth, LoRa and 5G. Finally, it provides new tools and techniques that significantly aid future research in this area and, by doing so, assist in developing more reliable, secure and efficient wireless networks.