CN112073968B - Full-model pseudo AP detection method and detection device based on phase error drift range - Google Patents


Info

Publication number
CN112073968B
Authority
CN
China
Legal status
Active
Application number
CN202010838473.4A
Other languages
Chinese (zh)
Other versions
CN112073968A (en
Inventor
卢倩
张家辉
蒋若冰
曲海鹏
欧阳宇展
Current Assignee
Qingdao University
Original Assignee
Qingdao University
Application filed by Qingdao University
Priority to CN202010838473.4A
Publication of CN112073968A
Application granted
Publication of CN112073968B

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention discloses a full-model pseudo AP detection method and detection device based on the phase error drift range, belonging to the technical field of communication security. The method comprises: establishing an AP fingerprint database based on the phase error drift range; performing validity detection on the AP to be detected according to a judgment rule; and tracing and identifying the detected pseudo AP. The method accurately identifies pseudo APs under the full model, overcomes the limited model coverage and low detection rate of traditional RAP detection schemes, and thereby maintains network security and protects user privacy.

Description

Full-model pseudo AP detection method and detection device based on phase error drift range
Technical Field
The invention belongs to the technical field of communication security, and particularly relates to a full-model pseudo AP detection method and a full-model pseudo AP detection device based on a phase error drift range.
Background
With the widespread use of wireless local area networks (WLANs), their security issues have become particularly acute. The rogue access point (RAP) is a long-standing security threat in IEEE 802.11 wireless LANs. In a RAP attack, an attacker exploits weaknesses of the 802.11 protocol family to imitate the information of a legal access point, set up a fraudulent access point and lure wireless users into connecting to it, in order to monitor, manipulate and tamper with the victim's communication. RAP attacks have a wide attack range, are easy to implement and hard to detect, and have serious consequences; they cause a large number of privacy leaks and property losses every year, making RAP one of the most serious and widespread attack methods in WLANs.
When carrying out a phishing AP attack, the attacker eavesdrops on and "clones" the configuration of a legal AP in the WLAN, such as its SSID, channel and encryption mode, to disguise the RAP as the legal AP, and then either launches a denial-of-service attack against the legal AP or provides a higher Received Signal Strength Indication (RSSI) than the legal AP to trick wireless users into connecting to the RAP. Once a wireless device has been deceived into connecting to a RAP, all of the victim's traffic can be eavesdropped on by the attacker. The attacker can also mount follow-up attacks through the RAP, such as a man-in-the-middle attack to steal the victim's account password, a DNS spoofing attack, a key speculation attack, and the like.
Phishing AP attack models are diverse and fall into four classes: the serial phishing AP attack, the parallel phishing AP attack, the replacement phishing AP attack, and the remote phishing AP attack. Of these, serial and parallel RAP attacks are the two main attack types in WLANs at present. In serial and parallel RAP attack scenarios, the Wi-Fi signals of the legal AP and the RAP exist simultaneously. In replacement and remote RAP attack scenarios, a wireless user can receive only the phishing Wi-Fi signal sent by the RAP and cannot receive the legal AP's signal. When a RAP coexists with the legal AP and is positioned in series with it, it is defined as a serial RAP; when a RAP coexists with the legal AP and is positioned in parallel with it, it is defined as a parallel RAP. In a replacement RAP attack, the attacker shuts down the legal AP's service through a series of attacks and starts a RAP at the same position. A remote RAP attack, also known as a Karma attack, is one in which the attacker forges the legal AP at a physical location different from that of the legal AP.
At present, various schemes have been proposed for detecting phishing APs. For example, patent CN201210548689.2 discloses a method for identifying and handling phishing APs in a wireless network, which judges whether an AP is legal from the BSSID, SSID, channel, beacon interval, vendor and location information of neighbouring APs uploaded by each wireless AP. However, that scheme is only suitable for remote phishing AP attacks, is not suitable for detecting other types of RAP attack, has a high false negative rate, and is easily bypassed by attackers. Patent CN201610173358 discloses a pseudo AP detection and blocking method, a wireless device and a router: the access point broadcasts Beacon messages, receives the Beacon messages broadcast by surrounding access points, and determines whether the SSID carried in a received Beacon message is the same as its own SSID and whether the Beacon message carries an encrypted field; when the encrypted field is absent, the access point that sent the Beacon message is detected as a pseudo access point. However, implementing that scheme requires modifying the existing communication protocol, which increases the detection cost, and its practicability is low.
Although the above methods can detect phishing APs under some attack models, none provides a high-precision solution for full-model phishing AP detection, and the prior art still faces technical obstacles in detecting full-model phishing AP attacks.
Channel state information (CSI) is fine-grained physical-layer information that describes the channel properties of the communication link from transmitter to receiver in wireless communication and includes information such as amplitude and phase. By processing the fine-grained phase information between the transceivers, a nonlinear phase error can be obtained, which has two causes: subtle process variations in oscillator production, and I/Q imbalance (i.e., amplitude and phase mismatch between transceivers). Together these two causes produce the subcarrier nonlinear phase error, which can be used as a hardware fingerprint for wireless devices.
However, empirical study of existing nonlinear phase error work shows that phase error fingerprints generally drift in the time dimension, so that the fingerprints of different devices overlap, causing serious false negatives and degrading the accuracy of the detection result. That is, the phase error alone is not sufficient to serve as a hardware fingerprint for a wireless device. Based on this finding, the present invention proposes to use the subcarrier-level phase error drift range as the wireless device hardware fingerprint and to apply it to full-model RAP detection and tracing identification.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a full-model pseudo AP detection method and a detection device based on a phase error drift range, which can realize accurate identification of the pseudo AP of the full model.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows:
The invention first provides a full-model pseudo AP detection method based on the phase error drift range, which comprises the following steps:
Establishing a fingerprint library: establishing an AP fingerprint database based on the phase error drift range, the AP fingerprint database comprising a legal AP fingerprint database and an illegal AP fingerprint database;
Validity detection: connecting to the AP to be detected, collecting CSI data from it, and making its phase error drift range fingerprint; after extracting the corresponding fingerprint from the legal AP fingerprint database according to the SSID and MAC address of the AP to be detected, performing validity detection on the AP to be detected according to a judgment rule;
Tracing and identifying: tracing and identifying the detected pseudo AP according to its phase error drift range fingerprint, and looking up its information in, or adding it to, the illegal fingerprint library.
Further, when the fingerprint library is established, the fingerprint based on the phase error drift range is made by determining the extreme values of the phase error on each subcarrier to obtain the upper and lower boundaries of the phase error, fitting the upper and lower boundaries separately to obtain fitting functions representing them, and calculating the integral between the upper and lower boundary functions as the phase error distribution area; the fitting functions and the distribution area together serve as the fingerprint and are added to the AP fingerprint library.
Further, the specific steps of making the fingerprint based on the phase error drift range include:
collecting CSI data, calculating and extracting the phase error information of each group of CSI, comparing the phase error values on each subcarrier, and determining the extreme values of the phase error on each subcarrier, namely the discrete points of the upper and lower bounds of the phase error at subcarrier level; fitting the upper-bound and lower-bound discrete points separately to the function $AX^3 + BX^2 + CX + D$ to form the subcarrier-level phase error upper bound function $F_{max}$ and lower bound function $F_{min}$;
and using the definite integral to calculate the phase error distribution area $S$ between $F_{max}$ and $F_{min}$; the upper and lower bound functions $F_{max}$, $F_{min}$ and the distribution area $S$ are stored in a dictionary $FP_i$ and together form the phase error drift range fingerprint;
The data structure of $FP_i$ is as follows:
FP_i = {'SSID': XXX,
        'MAC': XX:XX:XX:XX:XX:XX,
        'Fmax': αX^3 + βX^2 + γX + θ,
        'Fmin': α′X^3 + β′X^2 + γ′X + θ′,
        'S': 0.00}
wherein SSID represents a service set identifier of the AP device and MAC represents a physical address of the AP device.
Further, the specific steps of performing validity detection using the phase error drift range include:
extracting the phase error of the CSI data and making the phase error drift range fingerprint $FP'_i$ of the AP to be detected, obtaining the upper bound function $F'_{max}$, the lower bound function $F'_{min}$ and the distribution area $S'$;
then, in the legal fingerprint library, extracting the corresponding legal AP fingerprint $FP_i$ according to SSID and MAC, including the upper bound function $F_{max}$, the lower bound function $F_{min}$ and the distribution area $S$;
preliminarily judging the difference between the fingerprint of the AP to be detected and that of the legal AP from the number of intersection points between $F'_{max}$ and $F_{max}$ and between $F'_{min}$ and $F_{min}$;
if a third intersection point exists between $F_{max}$ and $F'_{max}$ or between $F_{min}$ and $F'_{min}$ within the range of subcarriers -28 to 28, the fingerprints $FP_i$ and $FP'_i$ are in a cross relationship, i.e. the fingerprint boundaries cross, which means that $FP_i$ and $FP'_i$ differ, and the AP to be detected is determined to be a RAP;
if there is no third intersection point either between $F_{max}$ and $F'_{max}$ or between $F_{min}$ and $F'_{min}$, then $FP_i$ and $FP'_i$ are in an inclusion, partial overlap, separation or coincidence relationship, and validity detection continues according to the boundary zero-point values and zero-point differences.
Further, the method for detecting the legality according to the boundary zero value and the zero difference value comprises the following steps:
define $D_{up} = F_{max}(0) - F'_{max}(0)$ as the upper-bound zero-point difference and $D_{bot} = F_{min}(0) - F'_{min}(0)$ as the lower-bound zero-point difference;
where $F_{max}(0)$ is the upper-bound zero-point value of the legal fingerprint, $F_{min}(0)$ is the lower-bound zero-point value of the legal fingerprint, $F'_{max}(0)$ is the upper-bound zero-point value of the fingerprint to be detected, and $F'_{min}(0)$ is the lower-bound zero-point value of the fingerprint to be detected;
if $D_{up} \cdot D_{bot} > 0$, the fingerprint to be detected and the legal fingerprint are in a separation or partial overlap relationship; in both cases the AP to be detected is a RAP, and tracing identification is carried out;
if $D_{up} \cdot D_{bot} < 0$ and $D_{up} < 0$, the fingerprint to be detected contains the legal fingerprint, and the target AP is a RAP;
if $D_{up} \cdot D_{bot} < 0$ and $D_{up} > 0$, the legal fingerprint contains or coincides with the fingerprint to be detected, and the phase error distribution area is used to distinguish the two cases.
Further, when the phase error distribution area is used to determine the relationship between the fingerprint to be detected and the legal fingerprint: if the absolute value of the difference between the area $S'$ of the fingerprint to be detected and the area $S$ of the legal fingerprint is greater than the threshold $S_{TSV}$, the two fingerprints are in an inclusion relationship, the AP to be detected is judged to be a RAP, and tracing identification begins; otherwise the fingerprints are judged to coincide and the AP to be detected is legal.
Further, the tracing and identification method is as follows: the detected RAP fingerprint is matched one-to-many against the fingerprints in the illegal fingerprint database; if a matching illegal fingerprint exists, the device source information of the RAP is extracted; otherwise the RAP's phase error drift range fingerprint and its related device information, such as SSID and MAC address, are added to the illegal fingerprint database.
Further, the AP to be detected can be specified by the user as required, and can be all Wi-Fi networks in the whole wireless network or one or more specified Wi-Fi networks.
Further, the full-model pseudo AP detection method based on the phase error drift range further includes: when a pseudo AP is determined, sending a warning to the user and the administrator indicating that the Wi-Fi is unsafe and/or prohibiting user access, and locating the pseudo AP using its CSI data.
The invention also provides a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method steps as described above.
The invention also provides a detection device for the full-model pseudo AP based on the phase error drift range, which comprises:
the fingerprint database establishing module is used for storing the fingerprint information of the phase error drift range of the known AP, and comprises two fingerprint databases: a legal AP fingerprint database and an illegal AP fingerprint database;
the validity detection module is used for collecting the AP fingerprint to be detected and carrying out validity detection;
and the source tracing identification module is used for tracing and identifying the detected pseudo AP, comparing the pseudo AP fingerprint with the existing illegal fingerprint of the illegal fingerprint library in a one-to-many matching manner, realizing RAP source identification and acquiring related information of RAP.
Compared with the prior art, the invention has the advantages that:
(1) The detection method accurately detects full-model RAP attacks (serial, parallel, replacement and remote RAP attacks), has good stability and effectiveness, and achieves a detection rate of 98.7%.
(2) The real-time detection of the invention makes it easier for the network administrator to monitor the network security state and keeps wireless users from accessing a pseudo AP, thereby avoiding privacy disclosure and economic loss for wireless users and maintaining network security.
(3) In addition, the invention does not need to use special detection equipment in the detection process, and has low cost.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive labor.
Fig. 1 is a schematic flow chart of a full-model pseudo AP detection method based on a phase error drift range in embodiment 1 of the present invention.
Fig. 2 is a schematic structural diagram of a full-model pseudo AP detection apparatus based on a phase error drift range according to embodiment 2 of the present invention.
Fig. 3 is a flowchart illustrating a computer program according to embodiment 3 of the present invention when executed.
Fig. 4 shows the cross relationship between the fingerprints of the target AP and the legal AP during validity detection in embodiment 1.
Fig. 5 shows the inclusion relationship between the fingerprints of the target AP and the legal AP during validity detection in embodiment 1.
Fig. 6 shows the partial overlap relationship between the fingerprints of the target AP and the legal AP during validity detection in embodiment 1.
Fig. 7 shows the separation relationship between the fingerprints of the target AP and the legal AP during validity detection in embodiment 1.
Fig. 8 shows the coincidence relationship between the fingerprints of the target AP and the legal AP during validity detection in embodiment 1.
Detailed Description
The invention is further described with reference to the following figures and specific embodiments.
Example 1
As shown in fig. 1, the full-model pseudo AP detection method based on the phase error drift range includes:
S101, establishing a fingerprint database: the phase error drift range fingerprints of known APs are collected, and an AP fingerprint library based on the phase error drift range is established, comprising a legal AP fingerprint library and an illegal AP fingerprint library. The legal AP fingerprint library is used to compare and verify the fingerprint of the AP to be detected (target AP) during validity detection, and the illegal AP fingerprint library is used to extract or add RAP-related information in the tracing identification stage.
The fingerprint based on the phase error drift range is made by determining the extreme values of the phase error on each subcarrier to obtain the upper and lower boundaries of the phase error, fitting the upper and lower boundaries separately to obtain fitting functions representing them, and calculating the integral between the upper and lower boundary functions as the phase error distribution area; the fitting functions and the distribution area together serve as the fingerprint and are added to the AP fingerprint library.
Specifically, for each device, to obtain the maximum range of phase error variation, sufficient CSI data are collected, the phase error information of each group of CSI is calculated and extracted, and the phase error values on each subcarrier are compared to determine the extreme values of the phase error on each subcarrier, that is, the maximum and minimum discrete points of the phase error at subcarrier level. The maximum and minimum discrete points are fitted separately to the function $AX^3 + BX^2 + CX + D$ (tests showed that a cubic function fits the discrete points best), forming the subcarrier-level phase error upper bound function $F_{max}$ and lower bound function $F_{min}$.
The definite integral is then used to calculate the phase error distribution area $S$ between $F_{max}$ and $F_{min}$; the upper and lower bound functions $F_{max}$, $F_{min}$ and the distribution area $S$ are stored in a dictionary $FP_i$ and together constitute the phase error drift range fingerprint. The dictionary is a format for storing data in a computer and holds the fingerprint of the AP device.
The data structure of $FP_i$ is as follows:
FP_i = {'SSID': XXX,
        'MAC': XX:XX:XX:XX:XX:XX,
        'Fmax': αX^3 + βX^2 + γX + θ,
        'Fmin': α′X^3 + β′X^2 + γ′X + θ′,
        'S': 0.00}
wherein SSID represents a service set identifier of the AP device and MAC represents a physical address of the AP device.
For example, the fingerprint structure of a legal AP whose SSID is Starbucks is:
FP_i = {'SSID': Starbucks,
        'MAC': 00:4A:2F:DB:61:80,
        'Fmax': -3.37X^3 - 1.37×10^-4 X^2 + 2.74×10^-2 X + 1.13×10^-1,
        'Fmin': -3.49X^3 + 8.99X^2 + 2.78×10^-2 X - 8.32×10^-2,
        'S': 14.34}
Then, according to the legality of each AP, its fingerprint is added to the legal AP fingerprint library or the illegal AP fingerprint library. Note that the fingerprint database is not static: it can be continuously supplemented or adjusted, and it provides the basis for the subsequent validity detection.
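The fingerprint-making procedure of S101, as an added example that is not code from the patent: per-subcarrier extremes are taken over all collected packets, each boundary is least-squares fitted to a cubic, and S is the definite integral between the two fits. The subcarrier grid, the integration limits of -28 to 28, the constructed phase error samples and every function name are assumptions made for illustration.

```python
# Added illustration, not code from the patent: build the FP_i fingerprint
# (Fmax, Fmin, S) from per-packet phase errors. The subcarrier grid, the
# integration limits, the sample data and all helper names are assumptions.

SUBCARRIERS = list(range(-28, 29, 2))   # assumed grid inside the page's -28..28 range
X_MAX = 28.0


def solve_linear(m, v):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(v)
    a = [row[:] + [v[i]] for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for c in range(col, n + 1):
                a[r][c] -= f * a[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (a[i][n] - sum(a[i][j] * x[j] for j in range(i + 1, n))) / a[i][i]
    return x


def fit_cubic(xs, ys):
    """Least-squares fit of A*X^3 + B*X^2 + C*X + D; returns (A, B, C, D)."""
    ts = [x / X_MAX for x in xs]        # normalise X so the normal equations stay well conditioned
    m = [[sum(t ** (6 - i - j) for t in ts) for j in range(4)] for i in range(4)]
    v = [sum(y * t ** (3 - i) for t, y in zip(ts, ys)) for i in range(4)]
    a3, a2, a1, a0 = solve_linear(m, v)
    return (a3 / X_MAX ** 3, a2 / X_MAX ** 2, a1 / X_MAX, a0)


def poly(coef, x):
    """Evaluate a cubic given as (A, B, C, D) at X = x."""
    a, b, c, d = coef
    return ((a * x + b) * x + c) * x + d


def area_between(fmax, fmin, lo=-X_MAX, hi=X_MAX):
    """Definite integral of Fmax - Fmin over [lo, hi]: the distribution area S."""
    a, b, c, d = (u - l for u, l in zip(fmax, fmin))

    def anti(x):
        return a * x ** 4 / 4 + b * x ** 3 / 3 + c * x ** 2 / 2 + d * x

    return anti(hi) - anti(lo)


def make_fingerprint(ssid, mac, samples):
    """samples: per-packet phase error vectors, one value per entry of SUBCARRIERS."""
    upper = [max(col) for col in zip(*samples)]   # upper-bound discrete points
    lower = [min(col) for col in zip(*samples)]   # lower-bound discrete points
    fmax = fit_cubic(SUBCARRIERS, upper)
    fmin = fit_cubic(SUBCARRIERS, lower)
    return {"SSID": ssid, "MAC": mac, "Fmax": fmax, "Fmin": fmin,
            "S": area_between(fmax, fmin)}


def constructed_samples(gains, skew=0.02):
    """Constructed data: phase errors that are zero at X = +/-28 and drift with a per-packet gain."""
    return [[(g + skew * x / X_MAX) * (1 - (x / X_MAX) ** 2) for x in SUBCARRIERS]
            for g in gains]


if __name__ == "__main__":
    fp = make_fingerprint("ExampleNet", "02:00:00:00:00:01",
                          constructed_samples([-0.08, -0.01, 0.05, 0.11]))
    print(fp)
```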
S102, validity detection: connecting to the AP to be detected, collecting CSI data from it, and making its phase error drift range fingerprint; after the corresponding fingerprint is extracted from the legal AP fingerprint database according to the SSID and MAC address of the AP to be detected, validity detection is performed on the AP to be detected according to a judgment rule. That is, the legal fingerprint $FP_i$ extracted by SSID and MAC address is compared with the newly made fingerprint $FP'_i$ of the AP to be detected (target AP) in order to identify a RAP attack. The specific steps are as follows:
First, the fingerprint of the AP to be detected (target AP) is made: the detection end connects to the target AP, sends it an ICMP Ping packet which is 5 ms long and lasts 10 s, and collects sufficient CSI data while sending a response data packet to the target AP each time. The phase errors of the CSI data are extracted, and the collected data are used to make the phase error drift range fingerprint $FP'_i$ of the AP to be detected (target AP), i.e. the upper and lower bound fitting functions ($F'_{max}$ and $F'_{min}$) are obtained and the distribution area ($S'$) is calculated.
Then, in the legal fingerprint library, the corresponding legal AP fingerprint $FP_i$ is extracted according to SSID and MAC, including the upper bound function $F_{max}$, the lower bound function $F_{min}$ and the distribution area $S$; the difference between the fingerprint of the AP to be detected (target AP) and that of the legal AP is preliminarily judged from the number of intersection points between $F'_{max}$ and $F_{max}$ and between $F'_{min}$ and $F_{min}$.
On the one hand, if a third intersection point exists between $F_{max}$ and $F'_{max}$ or between $F_{min}$ and $F'_{min}$ within the range of subcarriers -28 to 28, the fingerprints $FP_i$ and $FP'_i$ are in a cross relationship, as shown in Fig. 4: the fingerprint boundaries cross, $FP_i$ and $FP'_i$ differ, and the AP to be detected (target AP) is identified as a RAP. Specifically, since every phase error is zero at subcarriers -28 and 28, there are always at least two intersection points between the boundary functions; a third intersection point within the range of subcarriers -28 to 28 therefore indicates that the fingerprint boundaries cross and the fingerprints differ, so the target AP is identified as a RAP and the tracing identification phase is entered.
On the other hand, if there is no third intersection point either between $F_{max}$ and $F'_{max}$ or between $F_{min}$ and $F'_{min}$, then $FP_i$ and $FP'_i$ are in an inclusion, partial overlap, separation or coincidence relationship, as shown in Figs. 5, 6, 7 and 8, and further judgment is required. These cases can be distinguished according to the boundary zero-point values and zero-point differences, as follows:
Define $D_{up} = F_{max}(0) - F'_{max}(0)$ as the upper-bound zero-point difference and $D_{bot} = F_{min}(0) - F'_{min}(0)$ as the lower-bound zero-point difference;
where $F_{max}(0)$ is the upper-bound zero-point value of the legal fingerprint, $F_{min}(0)$ is the lower-bound zero-point value of the legal fingerprint, $F'_{max}(0)$ is the upper-bound zero-point value of the fingerprint to be detected (target fingerprint), and $F'_{min}(0)$ is the lower-bound zero-point value of the fingerprint to be detected (target fingerprint).
If $D_{up} \cdot D_{bot} > 0$, the fingerprint to be detected (target fingerprint) and the legal fingerprint are in a separation or partial overlap relationship, as shown in Figs. 6 and 7. In both cases the AP to be detected (target AP) is a RAP, and tracing identification is carried out;
if $D_{up} \cdot D_{bot} < 0$ and $D_{up} < 0$, the fingerprint to be detected (target fingerprint) contains the legal fingerprint, i.e. the upper and lower bounds of the target fingerprint lie outside the legal fingerprint range, as shown in Fig. 5, and the AP to be detected (target AP) is a RAP;
if $D_{up} \cdot D_{bot} < 0$ and $D_{up} > 0$, the legal fingerprint contains or coincides with the fingerprint to be detected, and the phase error distribution area is used to distinguish the two cases.
If the absolute value of the difference between the area $S'$ of the fingerprint to be detected and the area $S$ of the legal fingerprint is greater than the threshold $S_{TSV}$, the two fingerprints are in an inclusion relationship, the AP to be detected is judged to be a RAP, and tracing identification begins; otherwise the fingerprints are judged to coincide and the AP to be detected is legal.
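The judgment rule of S102 as an added example, not code from the patent: it checks for a third intersection, then the zero-point differences, then the area threshold, and is run against one constructed fingerprint for each of the five relationships. The value of S_TSV, the sign-change scan used to find an interior intersection, the handling of a zero-point product of exactly zero (which the text does not cover), and all sample fingerprints and names are assumptions.

```python
# Added illustration, not code from the patent: the S102 validity judgment rule.
# Fingerprints use the page's FP_i layout with Fmax/Fmin stored as (A, B, C, D).
# The S_TSV value, the scan grid and every sample fingerprint are assumptions.

X_MAX = 28.0


def poly(coef, x):
    """Evaluate a cubic given as (A, B, C, D) at X = x."""
    a, b, c, d = coef
    return ((a * x + b) * x + c) * x + d


def third_intersection(f, g, eps=1e-9):
    """True if f - g changes sign strictly inside (-28, 28).

    Both boundaries are zero at X = -28 and X = 28, so any interior sign
    change is the 'third intersection point' of the rule.
    """
    signs = []
    for k in range(-27 * 4, 27 * 4 + 1):      # quarter-subcarrier grid (added choice)
        diff = poly(f, k / 4) - poly(g, k / 4)
        if abs(diff) > eps:                    # ignore exact touches and rounding noise
            signs.append(diff > 0)
    return any(s != t for s, t in zip(signs, signs[1:]))


def classify(legal, target, s_tsv):
    """Return (verdict, relationship) for a target fingerprint against the legal one."""
    if (third_intersection(legal["Fmax"], target["Fmax"])
            or third_intersection(legal["Fmin"], target["Fmin"])):
        return "RAP", "cross"
    d_up = poly(legal["Fmax"], 0) - poly(target["Fmax"], 0)
    d_bot = poly(legal["Fmin"], 0) - poly(target["Fmin"], 0)
    if d_up * d_bot > 0:
        return "RAP", "separated or partially overlapping"
    if d_up * d_bot < 0 and d_up < 0:
        return "RAP", "target contains legal"
    # D_up * D_bot < 0 with D_up > 0: the legal fingerprint contains or coincides
    # with the target. A product of exactly 0 also lands here (assumption).
    if abs(target["S"] - legal["S"]) > s_tsv:
        return "RAP", "legal contains target"
    return "legal", "coincident"


def bound(gain, skew):
    """Constructed boundary (gain + skew*X/28) * (1 - (X/28)^2), zero at X = +/-28."""
    return (-skew / X_MAX ** 3, -gain / X_MAX ** 2, skew / X_MAX, gain)


def fingerprint(g_up, g_low, skew_up=0.02, skew_low=0.02):
    # The odd (skew) terms integrate to zero over [-28, 28], so S depends only on the gains.
    return {"SSID": "ExampleNet", "MAC": "02:00:00:00:00:01",
            "Fmax": bound(g_up, skew_up), "Fmin": bound(g_low, skew_low),
            "S": (g_up - g_low) * X_MAX * 4 / 3}


LEGAL = fingerprint(0.11, -0.08)
CASES = {                                      # constructed targets, one per relationship
    "same device, re-measured": fingerprint(0.108, -0.079),
    "narrower range": fingerprint(0.06, -0.03),
    "wider range": fingerprint(0.20, -0.15),
    "shifted range": fingerprint(0.40, 0.20),
    "crossing upper bound": fingerprint(0.12, -0.08, skew_up=-0.05),
}

if __name__ == "__main__":
    for name, fp in CASES.items():
        print(name, classify(LEGAL, fp, s_tsv=0.5))
```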
S103, tracing source identification: and tracing and identifying the detected pseudo AP according to the fingerprint of the phase error drift range, and searching or adding the information of the pseudo AP from an illegal fingerprint library.
Specifically, the detected RAP fingerprint is matched one-to-many against the fingerprints in the illegal fingerprint library, in a process similar to validity detection. If a matching fingerprint exists in the illegal fingerprint library, the RAP's device source information can be extracted; otherwise the RAP's related device information, such as its phase error drift range fingerprint, SSID and MAC address, is added to the illegal fingerprint library to help future RAP source identification.
As an embodiment of the invention, after a pseudo AP attack is determined, a warning is sent to the user and the administrator indicating that the Wi-Fi is not safe and/or user access is prohibited, and/or the SSID and MAC address of the pseudo AP are sent to the network administrator; the warning information comprises the SSID, MAC address and physical location of the pseudo AP.
As an embodiment of the present invention, after the pseudo AP is determined, it is located using its CSI. CSI-based AP positioning is not a design point of the present invention, can be implemented according to the prior art, and is not described here.
Example 2
Referring to fig. 2, the present embodiment provides a device for detecting a full-model pseudo AP based on a phase error drift range, including:
the fingerprint database establishing module is used for storing the fingerprint information of the phase error drift range of the known AP, and comprises two fingerprint databases: a legitimate AP fingerprint repository and an illegitimate AP fingerprint repository. The legal AP fingerprint library is used for comparing and verifying the target AP fingerprint in the detection module; the illegal AP fingerprint database is used for obtaining or adding related information of RAP by the tracing identification module;
and the validity detection module is used for collecting the AP fingerprint to be detected and carrying out validity detection. The detection equipment is connected with a target AP, CSI data is collected, a phase error drift range fingerprint of the AP to be detected is made, after a legal fingerprint is extracted from a legal fingerprint library according to the SSID and MAC address of the AP to be detected, the legal fingerprint and the collected fingerprint to be detected are subjected to legality detection according to a judgment rule, if the legal fingerprint and the collected fingerprint to be detected are the same, the AP to be detected is judged to be a legal AP, otherwise, the AP to be detected is judged to be a fake AP, and the AP to be detected enters a traceability identification module;
and the source tracing identification module is used for comparing the pseudo AP fingerprint with the existing illegal fingerprint in the illegal fingerprint library, realizing RAP source identification and acquiring related information of RAP. The fingerprints of the counterfeit APs need to be matched with the device fingerprints in the illegal AP fingerprint library in a one-to-many way. If the matched fingerprint exists in the illegal fingerprint library, the related equipment information of the RAP can be obtained and further recorded; otherwise, adding the corresponding relation between the related equipment information and the fingerprint into the illegal AP fingerprint database.
For the implementation method of the device part, refer to embodiment 1, and details are not repeated here.
Example 3
Referring to fig. 3, the present embodiment provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the program implements the operations for constructing the fingerprint library, which comprises two fingerprint libraries, the legal AP fingerprint library and the illegal AP fingerprint library, used for storing the phase error drift range fingerprint information of known APs.
The constructed fingerprint libraries are the input for validity detection and tracing identification. When the computer program enters the validity detection module, it implements the following operations:
First, connecting to the target AP, collecting CSI data of the target AP, processing the CSI data, and extracting phase information.
Second, making the phase error drift range fingerprint of the target AP according to the fingerprint making scheme provided by the invention.
Third, comparing the target AP fingerprint with the legal fingerprint: the legal AP fingerprint is extracted from the legal AP fingerprint library according to the SSID and MAC address of the target AP and compared with the target AP fingerprint to judge the legality of the target fingerprint. If the fingerprints coincide, the target AP is reported as a legal AP; otherwise, the target AP is a fake AP and the tracing identification module is started.
When the computer program enters the tracing identification module, it performs tracing identification on the RAP: the RAP fingerprint is matched one-to-many against the illegal device fingerprints in the illegal AP fingerprint library. If a matching fingerprint exists in the illegal fingerprint library, the related equipment information of the RAP is reported and an RAP attack alarm is sent to the user and the administrator; otherwise, the correspondence between the RAP-related equipment information and the fingerprint is added to the illegal AP fingerprint library.
Of course, the computer program of this embodiment may also execute each of the process steps of embodiment 1, which is not described herein again.
Evaluation experiment results in a large number of normal scenes and attack scenes show that the phase error drift range fingerprint has better stability and effectiveness compared with the traditional hardware fingerprint, and the detection rate of the full-model RAP attack can reach 98.7%.
The same or similar parts among the various embodiments of the present description may be referred to each other, and each embodiment is described with emphasis on differences from the other embodiments. Moreover, the structure of the system embodiment is only schematic, wherein the program modules described by the separable components may or may not be physically separated, and in actual application, some or all of the modules may be selected as needed to achieve the purpose of the solution of the embodiment.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus a necessary hardware platform, and certainly may be implemented by hardware, but in many cases, the former is a better embodiment. With this understanding in mind, all or part of the technical solutions of the present invention that contribute to the background can be embodied in the form of a software product, which can be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes instructions for causing a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the methods according to the embodiments or some parts of the embodiments of the present invention.
It is understood that the above description is not intended to limit the present invention, and the present invention is not limited to the above examples, and those skilled in the art should understand that they can make various changes, modifications, additions and substitutions within the spirit and scope of the present invention.

Claims (5)

1. The full-model pseudo AP detection method based on the phase error drift range is characterized by comprising the following steps:
establishing a fingerprint library: establishing an AP fingerprint database based on the phase error drift range, wherein the AP fingerprint database comprises a legal AP fingerprint database and an illegal AP fingerprint database; the specific steps for manufacturing the fingerprint based on the phase error drift range comprise:
collecting CSI data, calculating and extracting the phase error information of each group of CSI, comparing the phase error values of all subcarriers, and determining the extreme values of the phase error on each subcarrier, namely the discrete points of the upper and lower bounds of the phase error at subcarrier level; fitting the discrete points of the upper and lower bounds respectively with the function $AX^3+BX^2+CX+D$ to form the subcarrier-level phase error upper bound function $F_{max}$ and lower bound function $F_{min}$;
and calculating, using the definite integral, the phase error distribution area $S$ between $F_{max}$ and $F_{min}$; the upper and lower bound functions $F_{max}$, $F_{min}$ and the distribution area $S$ are stored in a dictionary $FP_i$ and together form the phase error drift range fingerprint;
and a step of validity detection: connecting the AP to be detected, collecting CSI data from the AP to be detected, and making a phase error drift range fingerprint of the AP to be detected; after extracting corresponding fingerprints from a legal AP fingerprint database according to the SSID and the MAC address of the AP to be detected, carrying out validity detection on the AP to be detected according to a judgment rule; the specific steps of detecting the validity by using the phase error drift range include:
extracting the phase error of the CSI data and making the phase error drift range fingerprint $FP'_i$ of the AP to be detected, obtaining the upper bound function $F'_{max}$, the lower bound function $F'_{min}$ and the distribution area $S'$;
then, in the legal fingerprint library, extracting the corresponding legal AP fingerprint $FP_i$ according to the SSID and MAC, including the upper bound function $F_{max}$, the lower bound function $F_{min}$ and the distribution area $S$;
preliminarily judging the difference between the fingerprint of the AP to be detected and the legal AP fingerprint by comparing $F'_{max}$ with $F_{max}$ and $F'_{min}$ with $F_{min}$;
if a 3rd intersection point exists between $F_{max}$ and $F'_{max}$, or between $F_{min}$ and $F'_{min}$, within the range of subcarriers -28 to 28, the fingerprint of the AP to be detected is different from that of the legal AP: the fingerprints $FP_i$ and $FP'_i$ are in a cross relationship, i.e. the boundaries of the fingerprints cross, which means $FP_i$ and $FP'_i$ are different, and the AP to be detected is determined to be an RAP;
if no third intersection point exists between $F_{max}$ and $F'_{max}$ or between $F_{min}$ and $F'_{min}$, $FP_i$ and $FP'_i$ are in an inclusion, partial overlap, separation or coincidence relationship, and validity detection is further carried out according to the boundary zero-point values and the zero-point differences; the method for detecting validity according to the boundary zero-point values and the zero-point differences comprises the following steps:
defining $D_{up}=F_{max}(0)-F'_{max}(0)$ as the upper bound zero-point difference, and $D_{bot}=F_{min}(0)-F'_{min}(0)$ as the lower bound zero-point difference;
wherein $F_{max}(0)$ is the upper bound zero-point value of the legal fingerprint, $F_{min}(0)$ is the lower bound zero-point value of the legal fingerprint, $F'_{max}(0)$ is the upper bound zero-point value of the fingerprint to be detected, and $F'_{min}(0)$ is the lower bound zero-point value of the fingerprint to be detected;
if $D_{up} \cdot D_{bot} > 0$, the fingerprint to be detected and the legal fingerprint are in a separation or partial overlap relationship; in both cases the AP to be detected is an RAP, and tracing identification is carried out;
if $D_{up} \cdot D_{bot} < 0$ and $D_{up} < 0$, the fingerprint to be detected contains the legal fingerprint, and the target AP is an RAP;
if $D_{up} \cdot D_{bot} < 0$ and $D_{up} > 0$, the legal fingerprint contains the fingerprint to be detected or coincides with it, and the two cases are further distinguished by using the distribution area of the phase error; when the relationship between the fingerprint to be detected and the legal fingerprint is determined by using the distribution area of the phase error, if the absolute value of the difference between the distribution area $S'$ of the fingerprint to be detected and the distribution area $S$ of the legal fingerprint is larger than the threshold $S_{TSV}$, the fingerprint to be detected and the legal fingerprint are in an inclusion relationship, the AP to be detected is judged to be an RAP, and tracing identification is entered; otherwise, the fingerprints are judged to coincide, and the AP to be detected is judged to be legal;
tracing and identifying: tracing and identifying the detected pseudo AP according to its phase error drift range fingerprint, and looking up the information of the pseudo AP in, or adding it to, the illegal fingerprint library.
2. The full-model pseudo AP detection method based on the phase error drift range according to claim 1, wherein the tracing identification method comprises the following steps: performing one-to-many matching between the detected RAP fingerprint and the fingerprints in the illegal fingerprint library; if a matching illegal fingerprint exists, extracting the equipment source information of the RAP; otherwise, adding the RAP phase error drift range fingerprint and its related equipment information, namely the SSID and MAC address, to the illegal fingerprint library.
3. The method of claim 1, further comprising: when a pseudo AP is determined, sending a warning to the user and the administrator to indicate that the AP to be detected is unsafe and/or prohibiting the user from accessing it, and locating the pseudo AP by combining the CSI data of the pseudo AP.
4. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of any one of claims 1 to 3.
5. Device for full model pseudo-AP detection based on phase error drift range, characterized in that it implements the steps of any of claims 1-3, comprising:
the fingerprint database establishing module is used for storing the fingerprint information of the phase error drift range of the known AP, and comprises two fingerprint databases: a legal AP fingerprint database and an illegal AP fingerprint database;
the validity detection module is used for collecting the AP fingerprint to be detected and carrying out validity detection;
and the source tracing identification module is used for tracing and identifying the detected pseudo AP, comparing the pseudo AP fingerprint with the existing illegal fingerprint of the illegal fingerprint library in a one-to-many matching manner, realizing RAP source identification and acquiring related information of RAP.
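The decision order of the validity detection step in claim 1, as an added Python sketch that is not part of the patent text or the inventors' code. It assumes the bound functions have already been fitted and are given as cubic coefficients (A, B, C, D); the function names, the sample coefficients and the value of $S_{TSV}$ are hypothetical, "a 3rd intersection point" is read as at least three intersections, and the $D_{up} \cdot D_{bot} = 0$ case, which the claim does not define, is sent to the area test.

```python
LO, HI = -28, 28        # subcarrier range named in claim 1
CROSS_MIN_POINTS = 3    # assumption: "a 3rd intersection point" = at least 3

def poly(c, x):
    """Evaluate A*x^3 + B*x^2 + C*x + D for c = (A, B, C, D)."""
    a, b, cc, d = c
    return ((a * x + b) * x + cc) * x + d

def _antiderivative(c, x):
    a, b, cc, d = c
    return a * x**4 / 4 + b * x**3 / 3 + cc * x**2 / 2 + d * x

def area(fmax, fmin):
    """Distribution area S: definite integral of F_max - F_min on [LO, HI]."""
    upper = _antiderivative(fmax, HI) - _antiderivative(fmax, LO)
    lower = _antiderivative(fmin, HI) - _antiderivative(fmin, LO)
    return upper - lower

def fingerprint(fmax, fmin):
    # Dictionary FP_i: both bound functions plus the distribution area.
    return {"Fmax": fmax, "Fmin": fmin, "S": area(fmax, fmin)}

def crossings(f, g, steps=5600):
    """Count intersection points of f and g on [LO, HI] via sign changes."""
    count, prev = 0, 0
    for i in range(steps + 1):
        x = LO + (HI - LO) * i / steps
        v = poly(f, x) - poly(g, x)
        sign = (v > 0) - (v < 0)
        if sign and prev and sign != prev:
            count += 1
        prev = sign or prev
    return count

def classify(legal, probe, s_tsv):
    """Return (verdict, relation) in the decision order of claim 1."""
    if (crossings(legal["Fmax"], probe["Fmax"]) >= CROSS_MIN_POINTS
            or crossings(legal["Fmin"], probe["Fmin"]) >= CROSS_MIN_POINTS):
        return "RAP", "cross"
    d_up = poly(legal["Fmax"], 0) - poly(probe["Fmax"], 0)
    d_bot = poly(legal["Fmin"], 0) - poly(probe["Fmin"], 0)
    if d_up * d_bot > 0:
        return "RAP", "separate or partial overlap"
    if d_up * d_bot < 0 and d_up < 0:
        return "RAP", "probe contains legal"
    # D_up > 0 branch. The claim does not define D_up * D_bot == 0;
    # this sketch sends that case to the area test as well (assumption).
    if abs(probe["S"] - legal["S"]) > s_tsv:
        return "RAP", "legal contains probe"
    return "legal", "coincide"

# Constructed sample fingerprints and threshold (assumptions, not measured data).
S_TSV = 5.0
LEGAL = fingerprint((0, -0.0005, 0, 1.0), (0, 0.0005, 0, -1.0))
SHIFTED = fingerprint((0, -0.0005, 0, 2.5), (0, 0.0005, 0, 0.5))
CROSSING = fingerprint((-1e-5, -0.0005, 1e-3, 1.0), (0, 0.0005, 0, -1.0))
if __name__ == "__main__":
    for name, fp in (("same", LEGAL), ("shifted", SHIFTED), ("crossing", CROSSING)):
        print(name, classify(LEGAL, fp, S_TSV))
```

The intersection count uses sign changes on a 0.01-subcarrier grid, so a tangential touch without a sign change is not counted.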
CN202010838473.4A 2020-08-19 2020-08-19 Full-model pseudo AP detection method and detection device based on phase error drift range Active CN112073968B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010838473.4A CN112073968B (en) 2020-08-19 2020-08-19 Full-model pseudo AP detection method and detection device based on phase error drift range

Publications (2)

Publication Number Publication Date
CN112073968A (en) 2020-12-11
CN112073968B (en) 2022-05-31

Family

ID=73662272

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant