JP2018121203A - Detection apparatus and detection method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To determine whether an access point is a legitimate access point or a rogue access point in a public environment.SOLUTION: When a transmission/reception part 15a moves from a communicable area of an access point under communication to a communicable area of another access point, transmits a roaming request for maintaining communication with a movement destination access point to the movement destination access point and receives a response from the movement destination access point in response to the roaming request. A determination unit 15d uses information indicating success or failure of the roaming included in the received response to determine whether the movement destination access point is a legitimate access point or a rogue access point.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a detection device and a detection method.

  In recent large-scale Wi-Fi (registered trademark) environment, an unauthorized access point (Rogue Access Point, hereinafter referred to as RAP) becomes a legitimate access point (hereinafter referred to as LAP). Attacks that are performed by this are known. In this case, the attacker guides regular communication through RAP, steals personal information from this communication, or infects a communication source or communication destination terminal with malware. Therefore, a technique for detecting the presence of RAP is expected.

  Conventionally, in the technology for detecting the presence of a RAP, an AP (Access Point) that exhibits a behavior different from that of a normal LAP is determined as a RAP using reference data that indicates the behavior of the LAP. For example, as reference data, the relationship between the RSSI (Received Signal Strength Indicator) of the beacon signal transmitted by the LAP and the distance between the LAP is obtained as reference data. And the technique which determines whether this AP is LAP or RAP by calculating the distance with AP from RSSI measured with the detection apparatus is known (refer nonpatent literature 1). Also, as reference data, in a space where only LAP exists and RAP does not exist, the RSSI distribution of radio waves transmitted by each LAP is measured, and the presence of RAP is detected from the RSSI measured by the detection device. Techniques are known (see Non-Patent Documents 2 to 6).

  In these technologies, reference data indicating the distribution of RSSI in a space in accordance with radio wave conditions during LAP operation is essential. It is also necessary to ensure that RAP is not mixed in this space. For example, these techniques can be applied in an office environment where only devices used by a specific person exist.

Nazrul M. Ahmad and et al, “A RSSI-based Rogue Access Point Detection Framework for Wi-Fi Hotspots”, IEEE 2nd International Symposium on Telecommunication Technologies, November 2014, pp.104-109 Daniel B. Faria, David R. Cheriton, “Detecting Identity-Based Attacks in Wireless Networks Using Signalprints”, In Proceedings of the 5th ACM workshop on Wireless security, 2006, pp. 43-52 Douglas Madory, “New Methods of Spoof Detection in 802.11b Wireless Networking”, Doctoral dissertation, Dartmouth College, 2006 Yingying Chen, Wade Trappe, Richard P. Martin, “Detecting and Localizing Wireless Spoofing Attacks”, In 4th Annual IEEE communications society conference on sensor, mesh and ad hoc communication and networks, 2007, SECON’07, pp.193-202 Yingying Chen, Jie Yang, Wade Trappe, Richard P. Martin, “Detecting and Localizing Identity-Based Attacks in Wireless and Sensor Networks”, IEEE Transactions on Vehicular Technology, 2010, VOL.59, NO.5, pp.2418- 2434 Yong Sheng, Keren Tan, Guanling Chen, David Kotz, Andrew Campbell, “Detecting 802.11 MAC Layer Spoofing Using Received Signal Strength”, In INFOCOM 2008, The 27th Conference on Computer Communications, 2008

  However, in a public environment where there are arbitrary devices used by an unspecified number of people, various reference data indicating RSSI distribution by LAP is prepared according to parameters such as the degree of congestion in the space, weather, and humidity. It is difficult. In addition, it cannot be guaranteed that RAP is not mixed in the space in the public environment. Therefore, it has been difficult to apply a conventional technology for detecting the presence of RAP to the public environment.

  The present invention has been made in view of the above, and an object thereof is to determine whether an access point is regular or illegal in a public environment.

  In order to solve the above-described problems and achieve the object, the detection apparatus according to the present invention accesses the destination when moving from the communicable area of the communicating access point to the communicable area of another access point. A roaming request for maintaining the communication with the point to the destination access point, a transmitting unit for receiving a response from the destination access point for the request, and the received And a determination unit that determines whether the access point of the movement destination is regular or illegal by using information indicating success or failure of roaming included in the response.

  According to the present invention, it is possible to determine whether an access point is regular or illegal in a public environment.

FIG. 1 is an explanatory diagram for explaining a processing target of a detection device according to an embodiment of the present invention. FIG. 2 is an explanatory diagram for explaining an outline of processing of the detection device of the present embodiment. FIG. 3 is a schematic diagram illustrating a schematic configuration of the detection device of the present embodiment. FIG. 4 is a diagram illustrating a header field of a packet. FIG. 5 is a diagram illustrating a data configuration of position information. FIG. 6 is an explanatory diagram for explaining processing of the beacon processing unit. FIG. 7 is a diagram illustrating a status code of the reassociation response. FIG. 8 is an explanatory diagram for explaining the processing of the specifying unit. FIG. 9 is a flowchart showing a processing procedure including the detection processing of the present embodiment. FIG. 10 is a flowchart showing the detection processing procedure of this embodiment. FIG. 11 is a diagram illustrating a computer that executes a detection program.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment. Moreover, in description of drawing, the same code | symbol is attached | subjected and shown to the same part.

[Outline of detection device processing]
First, with reference to FIG. 1 and FIG. 2, the process outline | summary of the detection apparatus concerning this embodiment is demonstrated. FIG. 1 is an explanatory diagram for explaining a processing target of the detection apparatus according to the present embodiment. As shown in FIG. 1, the detection device targets a large number of legitimate APs (LAPs) connected to the same network with ESSID (Extended Service Set InDentifier) and unauthorized APs (RAPs) posing as LAPs. As described below, a detection process to be described later is executed.

  Here, different values are assigned to each LAP as a BSSID (Basic Service Set InDentifier) corresponding to the MAC address. On the other hand, the same BSSID is assigned to the RAP as any of the LAPs modified by the attacker and misrepresented. FIG. 1 illustrates that the RAP is spoofing the LAP2 of the BSSID “YYY2”. Therefore, in the example shown in FIG. 1, there are two BSSIDs “YYY2” in the network of ESSID “XXX”. In such an environment, the detection apparatus communicates wirelessly with the AP in the communicable area of any AP while moving across different communicable areas of the plurality of APs.

  FIG. 2 is an explanatory diagram for explaining an outline of processing of the detection device of the present embodiment. When the detection apparatus moves from the communicable area of the communicating AP to the communicable area of another AP, roaming is performed to maintain communication with the destination AP. That is, as illustrated in FIG. 2A, when the detection apparatus 10 roams from LAP1 to LAP2, it transmits a reassociation request to the destination LAP2. When the authentication between the LAPs is successful, the reassociation response received from the LAP2 includes information indicating the success of the reassociation. In that case, roaming between the two LAPs is completed. Note that communication between LAPs for completing roaming is performed by wire.

  On the other hand, as illustrated in FIG. 2B, when the detection apparatus 10 communicating with the LAP1 transmits a reassociation request to the RAP as a movement destination, the authentication between the LAP1 and the RAP does not succeed, so roaming Does not complete. In this case, the reassociation response received from the RAP includes information indicating failure or rejection of the reassociation. The detection device 10 executes a detection process described later, and detects RAP by determining whether the AP accessed as the movement destination is LAP or RAP using information indicating the status of success or failure of such reassociation. .

[Configuration of detection device]
Next, a schematic configuration of the detection device according to the present embodiment will be described with reference to FIG. As shown in FIG. 3, the detection apparatus 10 according to the present embodiment is realized by a wireless communication type general-purpose computer such as a tablet terminal or an automatic travel type terminal. For example, a network administrator carries a tablet terminal and walks around the target space in an exploratory manner to detect RAP. Alternatively, the automatic traveling type terminal searches the target space in a shorter time and detects the RAP.

  The detection device 10 includes an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15. The detection device 10 executes detection processing described later to determine whether the AP accessed as the movement destination is LAP or RAP.

  The input unit 11 is realized using an input device such as a keyboard or a mouse, and inputs various instruction information to the control unit 15 in response to an input operation by the operator. The output unit 12 is realized by a display device such as a liquid crystal display, a printing device such as a printer, an information communication device, and the like, and outputs, for example, a result of detection processing described later to the operator.

  The communication control unit 13 is realized by a NIC (Network Interface Card) or the like, and controls communication between an external device such as a server and the control unit 15 via a telecommunication line such as a LAN (Local Area Network) or the Internet.

  The storage unit 14 is realized by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk. In the storage unit 14, a processing program for operating the detection device 10, data used during execution of the processing program, and the like are stored in advance, or temporarily stored for each processing. The storage unit 14 may be configured to communicate with the control unit 15 via the communication control unit 13.

  As illustrated in FIG. 3, the control unit 15 executes a processing program stored in a memory by an arithmetic processing device such as a CPU (Central Processing Unit), so that a transmission / reception unit 15 a, a terminal location acquisition unit 15 b, and a beacon process are performed. It functions as the unit 15c, the determination unit 15d, and the specifying unit 15e.

  The transmission / reception unit 15a functions as a transmission unit and a reception unit. That is, when the transmitting / receiving unit 15a moves from the communicable area of the communicating AP to the communicable area of another AP, the transmitting / receiving unit 15a sends a roaming request for maintaining communication with the target AP to the target AP. Send. In addition, the transmission / reception unit 15a receives a response from the destination AP to the request.

  Specifically, the transmission / reception unit 15a transmits / receives various packets. For example, when the transmitting / receiving unit 15a moves from the communicable area of the communicating AP to the communicable area of another AP, the transmitting / receiving unit 15a transmits a packet representing a reassociation request with the destination AP as the destination. In addition, the transmission / reception unit 15a receives a packet representing a reassociation response from the movement destination AP in response to the reassociation request.

  Further, when the packet is received, the transmission / reception unit 15a performs filtering to extract the packet for each type, and delivers the packet to a predetermined processing unit in the control unit 15 according to the type of the packet. For example, the transmission / reception unit 15a extracts a roaming packet such as a reassociation response and passes it to the determination unit 15d described later. Or the transmission / reception part 15a extracts beacon packets, such as a beacon and a probe response, and delivers them to the beacon processing part 15c mentioned later.

  Here, FIG. 4 is a diagram illustrating a header field of a packet defined in the IEEE 802.11 standard. The transmission / reception unit 15a performs filtering with reference to the header field of the packet illustrated in FIG. Specifically, in the example illustrated in FIG. 4, the transmission / reception unit 15 a refers to the setting contents of frame control (Frame Control) included in the header (IEEE802.11 header) field, and identifies the packet type.

  For example, when the frame type of the frame control is 00, that is, a management frame, and the subtype is 0011, that is, a reassociation response, it is specified as a roaming packet. In this case, the transmission / reception unit 15a delivers the roaming packet to the determination unit 15d described later.

  Further, when the frame type of frame control is 00, that is, a management frame, and when the subtype is 0101, that is, a probe response, it is specified as a beacon packet. Alternatively, a beacon packet is also specified when the frame type of frame control is 00, that is, a management frame, and the subtype is 1000, that is, a beacon. In this case, the transmission / reception unit 15a delivers the beacon packet to the beacon processing unit 15c described later.

  The transmission / reception unit 15a may be realized by USRP (Universal Software Radio Peripheral) or the like.

  Returning to the description of FIG. The terminal position acquisition unit 15b acquires position information specifying the position of the detection device 10 in time series. For example, the terminal position acquisition unit 15b uses acceleration, geomagnetism, and angular velocity, and uses pedestrian autonomous navigation (Pedestrian Dead Reckoning, PDR) that calculates a relative position from the current position based on information such as stride and direction. The position information of the detection device 10 is acquired as time series data. Alternatively, the terminal position acquisition unit 15b uses the pedestrian map correction (Pedestrian Map Matching, PMM) technology that corrects the error of the spatiotemporal data so as to be a plausible spatiotemporal sequence along the map information. Get location information. In addition, the terminal position acquisition unit 15 b stores the acquired position information in the storage unit 14.

  FIG. 5 is a diagram illustrating a data configuration of position information. As illustrated in FIG. 5, the position information includes time and position. FIG. 5 shows that the detection device 10 was at a position represented by (X1, Y1, Z1) at 13:52 on November 8, 2016, for example.

  Returning to the description of FIG. The beacon processing unit 15c specifies the BSSID of an AP that may be a RAP using the transmission period of the beacon transmitted by the AP and the reception frequency of the received beacon for each BSSID that is self-named by each AP.

  Specifically, each AP transmits a beacon indicating a frequency band and a communication mode used for its own communication. Further, a beacon transmission cycle intended by the AP is added to the transmitted beacon. Therefore, the beacon processing unit 15c compares the beacon transmission cycle included in the beacon received in the communicable area of each AP with the reception frequency of the actually received beacon.

  Here, the processing of the beacon processing unit 15c will be described with reference to FIG. As described above, when the RAP exists, the BSSID spoofed by the RAP overlaps with the BSSID of the LAP. A beacon received from a plurality of APs to which the same BSSID is assigned has a higher reception count than a beacon received from a single AP. Therefore, as illustrated in FIG. 6, when the reception frequency per unit time calculated from the beacon transmission cycle for each BSSID is compared with the actual beacon reception frequency, the actual beacon reception is performed for the BSSID spoofed by the RAP. Increases frequency. FIG. 6 shows that there may be a RAP in the network that spoofs a BSSID of dd: dd: dd: dd: dd: dd: dd.

  Note that the beacon processing unit 15c may transmit a probe request at any time and acquire and use a beacon transmission cycle included in a probe response to the request.

  Returning to the description of FIG. The determination unit 15d determines whether the movement-destination AP is legitimate or illegal using information indicating the success or failure of roaming included in the received roaming response. Specifically, for example, when the beacon processing unit 15c identifies the BSSID of an AP that may be a RAP, the determination unit 15d acquires the reassociation response received from the AP having the identified BSSID from the transmission / reception unit 15a. . In addition, the determination unit 15d refers to information indicating the success or failure of roaming included in the acquired reassociation response.

  Here, for example, a status code defined in the IEEE 802.11 standard is used as information indicating the success or failure of roaming. FIG. 7 is a diagram illustrating a status code of the reassociation response. One of the status codes illustrated in FIG. 7 is included in the reassociation response. As illustrated in FIG. 7, the status code 0 indicates that the operation has been successful and means roaming success. On the other hand, for example, status codes 1, 11, 12, and 17 mean that reassociation has failed or has been rejected, that is, roaming failure. Specifically, status code 1 indicates a failure that cannot be identified. Further, the status code 11 indicates that the re-association is rejected because the previous association cannot be specified and transferred. The status code 12 indicates that reassociation is rejected for reasons not defined in the 802.11 standard. The status code 17 indicates that the reassociation has been rejected because the AP does not have sufficient resources.

  Here, if the destination AP is LAP, roaming is completed after authentication of availability (eg, RADIUS (Remote Authentication Dial In User Service)) is performed between the LAPs. On the other hand, if the destination AP is a RAP, roaming is not completed because the RAP is rejected in the authentication with the source LAP.

  Therefore, the determination unit 15d determines that the destination AP is LAP when roaming is successful, that is, when the status code is 0. On the other hand, if the roaming failure, that is, the status code is 1, 11, or 12, the determination unit 15d determines that the destination AP is RAP.

  It should be noted that the status code 17 indicates that the association is rejected because the destination AP does not have sufficient resources, and because the destination AP is not a RAP. Excluded from. Moreover, the status code used as the reason for the LAP / RAP determination is not limited to the above. For example, when a new value is specified by adding or changing the status code, the status code may be used for the reason of the LAP / RAP determination.

  Further, when the determination unit 15d determines that the destination AP is a RAP, the determination unit 15d stores the reassociation response received from the RAP and the RSSI of the reassociation response in the storage unit 14.

  Returning to the description of FIG. The specifying unit 15e specifies the position of the RAP using a combination of the position information of the detection device 10 and the RSSI of the reassociation response received from the RAP. Specifically, the specifying unit 15e refers to the storage unit 14, and includes a plurality of position information of the detection device 10 acquired by the terminal position acquisition unit 15b and RSSI of the reassociation response from the RAP acquired by the determination unit 15d. The combination is used to locate the RAP.

Here, the processing of the specifying unit 15e will be described with reference to FIG. As described above, the detection device 10 detects the RAP while moving in the target space. The identification unit 15e acquires, for example, a combination of the position information of the detection device 10 and the RSSI of the reassociation response for the three locations where the detection device 10 has detected the RAP using a three-point positioning method. In the example shown in FIG. 8, RSSI ₁ at position _{X 1,} RSSI ₃ are acquired in the RSSI _2, and the position _{X 3} at the position _{X 2.} Then, as illustrated in FIG. 8, the specifying unit 15 e specifies, as the RAP position, an area that is included in the three circles centered on each position and having a radius of each RSSI. The position specifying algorithm is not limited to the three-point (triangular / three-sided) positioning method.

[Detection processing]
Next, processing including detection processing of the detection device 10 will be described with reference to FIGS. 9 and 10. FIG. 9 is a flowchart showing a processing procedure including detection processing of the detection device 10. The flowchart in FIG. 9 is started, for example, at the timing when there is an operation input instructing the start of processing.

  First, the terminal position acquisition unit 15b acquires position information for specifying the position of the detection device 10 in time series and records it in the storage unit 14 (step S1).

  Next, for each BSSID that each AP self-identifies, the beacon processing unit 15c uses the beacon transmission period transmitted by the AP and the received beacon reception frequency to determine whether there is a BSSID suspected of the presence of RAP. Is confirmed (step S2). When there is no BSSID that is suspected of the presence of RAP (step S2, No), the beacon processing unit 15c returns the process to step S1. On the other hand, if there is a BSSID that is suspected of having a RAP (step S2, Yes), the beacon processing unit 15c designates the AP of that BSSID, and proceeds to the process to step S3.

  Details of the detection process in step S3 will be described later. As a result of the detection process, when it is determined that the designated AP is a LAP and not a RAP (step S3, No), the process waits until another AP is designated.

  On the other hand, if it is determined that the designated AP is a RAP as a result of the detection process (step S3, Yes), the identifying unit 15e pairs the position information of the detection device 10 and the RSSI of the reassociation response received from the RAP. The position of the RAP is specified using the set of and the specified position information is output to the output unit 12 or the like (step S4). Thereby, a series of processing of the detection apparatus 10 is completed.

  Next, FIG. 10 is a flowchart showing the detection processing procedure of step S3. First, the transmitting / receiving unit 15a transmits a reassociation request to the designated roaming destination AP (step S31). In addition, the transmission / reception unit 15a receives a reassociation response from the destination AP in response to the reassociation request (step S32).

  Next, the determination unit 15d determines whether the destination AP is a LAP or a RAP using a status code indicating whether roaming is successful or not included in the received reassociation response (step S33). If it is determined that the destination AP is LAP and not RAP (step S33, No), the determination unit 15d returns the process to step S32. On the other hand, when it is determined that the destination AP is RAP (step S33, Yes), the determination unit 15d stores the roaming packet indicating the reassociation response and the RSSI of the roaming packet in the storage unit 14 (step S31). S34). Thereby, a series of detection processing ends.

  As described above, in the detection device 10 of the present embodiment, when the transmission / reception unit 15a moves from the communicable area of the communicating AP to the communicable area of another AP, reassociation with the destination AP is performed. Send a request. In addition, the transmission / reception unit 15a receives a reassociation response from the movement destination AP in response to the reassociation request. In addition, the determination unit 15d determines whether the destination AP is LAP or RAP using a status code indicating whether roaming is successful or not included in the received reassociation response.

  As a result, the RAP can be easily detected by determining whether the AP accessed as the movement destination is the LAP or the RAP using the information indicating the success / failure state of the reassociation. As described above, according to the detection device 10 of the present embodiment, it is possible to determine whether the RAP or the RAP without using data measured in a space where no RAP exists. Therefore, it is possible to easily determine whether it is LAP or RAP even in a public environment space.

  In addition, when the determination unit 15d determines that the destination AP is a RAP, the specifying unit 15e specifies the position of this RAP using a combination of the RSSI of the reassociation response and the position information of the detection device 10. May be. Accordingly, for example, it is possible to take a defense measure against an attack more quickly by notifying a guard to remove RAP or notifying a user of a dangerous area.

  In addition, the beacon processing unit 15c identifies the BSSID of the AP that may be fraudulent using the transmission period of the beacon transmitted by the AP and the reception frequency of the received beacon for each BSSID that the AP self-identifies. May be. In this case, the transmission / reception unit 15a may transmit the reassociation request with the AP that self-identifies the BSSID specified by the beacon processing unit 15c as the destination AP. This makes it possible to detect the presence of RAP with higher efficiency.

[program]
It is also possible to create a program in which processing executed by the detection apparatus 10 according to the above embodiment is described in a language that can be executed by a computer. As one embodiment, the detection apparatus 10 can be implemented by installing a detection program that executes the above-described detection processing as package software or online software on a desired computer. For example, the information processing apparatus can function as the detection apparatus 10 by causing the information processing apparatus to execute the detection program. The information processing apparatus referred to here includes a desktop or notebook personal computer. In addition, the information processing apparatus includes mobile communication terminals such as smart phones, mobile phones and PHS (Personal Handyphone System), and slate terminals such as PDA (Personal Digital Assistants). In addition, the terminal device used by the user can be a client, and the client can be implemented as a server device that provides services related to the detection processing to the client. For example, the detection apparatus 10 is implemented as a server apparatus that provides a detection processing service that outputs a determination as to whether a designated AP is a LAP or a RAP in response to an input that designates an AP. In this case, the detection apparatus 10 may be implemented as a Web server, or may be implemented as a cloud that provides a service related to the detection process described above by outsourcing. Below, an example of the computer which performs the detection program which implement | achieves the function similar to the detection apparatus 10 is demonstrated.

  As shown in FIG. 11, the computer 1000 that executes the detection program includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface. 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to the disk drive 1041. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. For example, a mouse 1051 and a keyboard 1052 are connected to the serial port interface 1050. For example, a display 1061 is connected to the video adapter 1060.

  Here, as shown in FIG. 11, the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each table described in the above embodiment is stored in the hard disk drive 1031 or the memory 1010, for example.

  Further, the detection program is stored in the hard disk drive 1031 as a program module 1093 in which a command executed by the computer 1000 is described, for example. Specifically, a program module 1093 describing each process executed by the detection apparatus 10 described in the above embodiment is stored in the hard disk drive 1031.

  Data used for information processing by the detection program is stored as program data 1094, for example, in the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1031 to the RAM 1012 as necessary, and executes the above-described procedures.

  Note that the program module 1093 and the program data 1094 related to the detection program are not limited to being stored in the hard disk drive 1031, but are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like. May be. Alternatively, the program module 1093 and the program data 1094 related to the detection program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and are transmitted via the network interface 1070. It may be read by the CPU 1020.

  As mentioned above, although embodiment which applied the invention made | formed by this inventor was described, this invention is not limited with the description and drawing which make a part of indication of this invention by this embodiment. That is, other embodiments, examples, operational techniques, and the like made by those skilled in the art based on this embodiment are all included in the scope of the present invention.

DESCRIPTION OF SYMBOLS 10 Detection apparatus 11 Input part 12 Output part 13 Communication control part 14 Storage part 15 Control part 15a Transmission / reception part 15b Terminal position acquisition part 15c Beacon processing part 15d Determination part 15e Identification part

Claims (4)

When moving from a communicable area of a communicating access point to a communicable area of another access point, a roaming request to maintain the communication with the access point of the destination is sent to the access point of the destination A transmission unit for transmission;
A receiving unit that receives a response from the destination access point to the request;
Using the information indicating the success or failure of roaming included in the received response, a determination unit that determines whether the access point of the movement destination is regular or illegal,
A detection device comprising:   Further, when the determination unit determines that the destination access point is illegal, the position of the destination access point is determined using a combination of the reception strength of the response and information specifying the position of the own device. The detection device according to claim 1, further comprising a specifying unit for specifying. Further, for each piece of identification information that each access point calls itself, the identification information of the access point that may be fraudulent is specified using the transmission period of the beacon transmitted by the access point and the reception frequency of the received beacon. With a beacon processor
The detection device according to claim 1, wherein the transmission unit transmits the roaming request using an access point that self-identifies the identification information specified by the beacon processing unit as the access point of the movement destination. . A detection method executed by a detection device,
When moving from a communicable area of a communicating access point to a communicable area of another access point, a roaming request to maintain the communication with the access point of the destination is sent to the access point of the destination A transmission process to transmit;
Receiving a response from the destination access point to the request;
A determination step of determining whether the access point of the movement destination is normal or illegal using information indicating success or failure of roaming included in the received response,
The detection method characterized by including.

Images