RU2810111C1 - METHOD FOR DETECTING UNAUTHORIZED AND FAKE Wi-Fi ACCESS POINTS - Google Patents

Abstract

FIELD: detecting attacks on wireless networks.

SUBSTANCE: in the method, control commands are additionally transmitted from the application servers to the analysing devices via a computer network to start the detection of unauthorized and fake access points together with the transfer of data on the parameters of the protected access points that were previously entered into the databases, after scanning the airwaves by the analysing devices throughout range of Wi-Fi frequencies and capturing packets from the air, the parameters of access points present on the air are selected, the selected parameters are compared with the parameters of the access points to be protected, received from application servers, and, if the access points present on the air have a unique identifier and/ or network name equivalent to the unique identifier and/or network name of the access points to be protected, but other parameters of the access points present on the air do not match the parameters of the access points to be protected, then the analysing device generates a fake access point detection event.

EFFECT: reducing the time period for detecting unauthorized and fake access points, increasing the invisibility of actions to detect unauthorized and fake access points.

1 cl, 3 dwg

Description

The method for detecting unauthorized and fake Wi-Fi access points refers to methods for detecting attacks on wireless networks and can be used as the basis of an intrusion detection and prevention system or as a separate module of an intrusion detection and prevention system.

There is a known system and method for collecting information for detecting phishing, in which the detection of phishing attacks is carried out in accordance with the following steps: receiving on the web server on which the web resource is located a request via the http/https protocol to obtain a resource located on this web resource resource; extracting from the referrer field of the request a URL link pointing to the source of the request; generating, based on the extracted URL link, at least one translated URL link referencing another resource located on the same host, where the host represents a fully qualified domain name or IP address; submitting at least one converted URL link for phishing analysis; analysis of at least one link received for the presence of phishing /1/.

The disadvantage of this method is that to detect phishing, active actions are taken when collecting information, namely, a request is sent via the http/https protocol to a web resource. By monitoring the corresponding requests, an attacker can identify phishing detection activities and take the necessary countermeasures to avoid detection.

There is a known method and system for generating a list of indicators of compromise, in which the following steps are performed to generate a list of indicators of compromise: obtaining a malware carrier intended for preparation for launching and/or launching at least one main malware module; build an attack roadmap by detecting additional malware carriers and/or the main malware module and determining the sequence of their execution provided by the execution algorithm of the resulting malware carrier; determine whether each detected malware carrier or main malware module belongs to a specific malware family; compile a list of indicators of compromise for each detected malware carrier or main malware module; find in the database at least one attack roadmap, characterized by the fact that the launch sequence of malware carriers and/or main malware modules in this roadmap with a given level of accuracy coincides with the launch sequence of malware carriers and/or main malware modules in the resulting malware carrier , and these malware carriers themselves and/or the main malware modules belong to the same families; extracting from the database lists of indicators of compromise for each malware carrier and/or main malware module from at least one detected attack roadmap; generating a general list of indicators of compromise based on compiled lists of indicators of compromise and lists of combined lists of indicators of compromise extracted from the database; save compiled lists of indicators of compromise for each detected malware carrier or main malware module, as well as a general list of indicators of compromise in the database /2/.

The disadvantage of this method in relation to Wi-Fi technology is that it is based on building an attack roadmap by detecting additional malware carriers and/or the main malware module and determining the sequence of their execution, however, data transmitted via Wi-Fi technology is encrypted and accessible only to devices that transmit or receive data. Thus, to detect a fake or unauthorized access point, it is necessary to have access to the user’s device and analyze the data obtained when connecting to a potentially malicious Wi-Fi network for the presence of malware modules (phishing web scripts), which in practice is not always possible (for example, if the user connects not to a corporate Wi-Fi network from a corporate laptop, but to a public Wi-Fi network in a restaurant or public transport from a personal device).

There is a known method for detecting unauthorized wireless access points in a wireless access network, in which there are a plurality of authorized access points, a core network and a plurality of client devices, the method being performed by each authorized access point and including: establishing a connection by one of the client devices with an authorized access point; receiving data packets from one of the client devices connected to an authorized access point, wherein said client device must have previously been connected to another access point on the wireless access network, and the received data packets must have been addressed to that other access point; When an authorized access point receives data packets addressed to another access point and transmitted from one of the client devices connected to the authorized access point, rogue access point detection is initiated. For detection, the network address is analyzed from the data packet, which contains network information about the wireless access network to which the client device was previously connected; comparing the network address with predefined criteria; notifying the specified client device about the detection of an unauthorized wireless access point if the network address information in the received packet does not meet predefined criteria /3/.

One of the disadvantages of this method is that in order to detect unauthorized wireless access points, it is necessary to wait for the client device to reconnect to the authorized wireless access point, due to which the gap between the time the attack is carried out and its detection increases, which allows the attacker more time to remain undetected and continue the attack.

Another disadvantage of this method is that to detect unauthorized access points, authorized access points are used, each of which must be compatible with this method. Thus, the use of this method in practice does not allow the use of arbitrary network equipment on the basis of which the Wi-Fi network operates.

There is a known system and method for analyzing the level of vulnerability to a phishing attack and assigning a value for the level of vulnerability to a phishing attack, in which, to determine the level of vulnerability of the user's computing device to a phishing attack, a WiFi packet with a password hash from the access point being tested is detected, and instructions are generated to create a false one. access point, generates instructions to assign a name identical to the name of the tested access point to the generated false access point, while the generated false access point does not have a password for the connection, generates a jamming signal to suppress the tested access point and/or sends a network packet to the tested access point to encourage the user to disconnect the user's computing device from the access point being tested, requests are received from the user's computing device and the said requests are redirected to a phishing web page; in case of successful or unsuccessful connection of the user's computing device to the false access point, a vulnerability level value is assigned to the user's computing device to a phishing attack /4/.

One of the disadvantages of the method implemented by this system is the lack of centralized system management functionality: analyzing devices work independently of each other, thus, the decision maker will have to analyze attack messages from each of these devices separately, which will lead to additional time costs and can lead to inaccurate decisions due to the large amount of information coming from various analyzing devices.

Another disadvantage of the method implemented by this system is the use of only two wireless interfaces to detect attacks, one of which is used to create an access point, and the other to ensure user deauthentication. If several access points are operating simultaneously and need to be checked for vulnerability to a phishing attack, the corresponding checks will be carried out sequentially, which will increase the required time to check for vulnerability to a phishing attack in proportion to the number of access points, or it will be necessary to use several analyzing devices, which in general, will entail additional analytical work on the part of the decision maker.

The problem to be solved by the claimed invention is to reduce the time period for detecting unauthorized and fake access points, increasing the stealth of actions to detect unauthorized and fake access points.

This is solved by adding centralized control elements (server part) to the known system and method based on application servers and databases; application servers switch analyzing devices to scanning mode and idle mode by sending control commands to them, set parameters of protected access points and save them in databases, transmit parameters of protected access points to analyzing devices, display in text and graphic format information about detected fake and unauthorized access points, which was received from analyzing devices in the form of messages, and save it in databases; as well as changing the process of detecting unauthorized and fake access points, to detect unauthorized and fake access points, analyzing devices are used that scan the air over the entire Wi-Fi frequency range through wireless network interfaces provided by Wi-Fi adapters connected to the analyzing devices, as well as capture from the air of packets and extracting at least such parameters of access points present on the air as a unique identifier of the access point, network name, type of protection, supported data transfer rate, country code, which are subsequently compared by analyzing devices with the parameters of the access points to be protected, received from application servers, and if the access points present on the air have a unique identifier and/or network name equivalent to the unique identifier and/or network name of the access points to be protected, but other parameters of the access points present on the air do not correspond to the parameters of the access points to be protected , then the analyzing device that has detected the specified discrepancy transmits a message to the application servers with information about the detection of fake access points, or, if the access points present on the air have a unique identifier and network name that are not equivalent to the unique identifier and network name of the access points to be protected , then the analyzing device, which has detected the specified discrepancy, sends a message to the application servers with information about the detection of unauthorized access points.

Thus, through centralized control elements based on application servers and databases, the decision maker has the opportunity to monitor in real time the detection of unauthorized and fake access points, the list of which is collected from a variety of analyzing devices and displayed in graphical and textual representation, and also centrally send commands that switch analyzing devices to scanning mode and idle mode, manage detection by setting the parameters of protected access points against which detection is carried out by analyzing devices. Since external analyzing devices are used to implement the method, scanning the airwaves and capturing packets from it without interacting with user devices or access points, the use of the method does not entail making changes to the network equipment on which the Wi-Fi network operates, but also does not require access to user devices. The method for detecting unauthorized and fake access points is based on the analysis of packets captured from the air, that is, when scanning, analyzing devices work exclusively for reception, which ensures a high level of invisibility of the method. Considering that Wi-Fi access points transmit frames with information about themselves at intervals of 100 ms according to the specification of the IEEE 802.11 family of standards, the difference between the moment an unauthorized or fake access point is detected and the moment it is created will be comparable to the delay in transmitting data packets over a radio channel plus the period of time required to collect packets from the entire Wi-Fi frequency range, analyze these packets by an analysis device and then transmit a discovery message to the application server, which on average takes no more than 5-15 seconds. The ability to increase the number of network interfaces on the analyzing device by connecting multiple Wi-Fi adapters to it will reduce the time required to cover the entire Wi-Fi frequency range when scanning, which also reduces the time period for detecting unauthorized and fake access points.

When unauthorized and fake Wi-Fi access points are detected in accordance with the presented method, steps a, b, c, d, e, f, g, h, i, j, k, m, n, p are carried out according to Fig. 1, where the notations are introduced:

1 - analyzing device;

2 - Wi-Fi adapter;

3 - general computer network;

4 - server part;

5 - application server;

6 - database.

In FIG. Figure 2 shows a diagram of a possible system that implements the presented method for detecting unauthorized and fake Wi-Fi access points (designations retained).

In FIG. 3 uses an example to explain the operation of the presented method for detecting unauthorized and fake Wi-Fi access points, where the following notations are additionally introduced:

I, II - analyzing devices with Wi-Fi adapters connected to them;

III, VI - protected access points;

IV - unauthorized access point;

V is a fake access point. Description of the steps in Fig. 1:

a - placement of analyzing devices 1 and Wi-Fi adapters 2 connected to them within the premises or space in which attacks need to be detected;

b - ensuring the connection of analyzing devices 1 via a wired and/or wireless connection, and if necessary additionally using VPN technology, to the computer network 3 in which the application servers are located;

c - transmission of a control command from the application servers 5 to the analyzing devices 1 via the computer network 3 to launch a monitoring scan;

d - implementation by analyzing devices 1 of scanning the air over the entire Wi-Fi frequency range through wireless network interfaces provided by Wi-Fi adapters 2 connected to the analyzing devices 1, as well as capturing packets from the air and highlighting at least such parameters present on the air access points, such as a unique access point identifier, network name, security type, supported data transfer rate, country code;

e - transfer of selected parameters from the analyzing devices 1 to the application servers 5 via the computer network 3;

f - selection on application servers 5 among the received parameters of those that relate to protected access points;

g - entering selected parameters by application servers 5 into databases 6;

h - transmission of a control command from the application servers 5 to the analyzing devices 1 via the computer network 3 to start the detection of unauthorized and fake access points together with the transmission of data on the parameters of the protected access points, which were entered into the databases 6 at the previous stage;

i - implementation by analyzing devices 1 of scanning the air over the entire Wi-Fi frequency range through wireless network interfaces provided by Wi-Fi adapters 2 connected to the analyzing devices 1, as well as capturing packets from the air and highlighting at least such parameters present on the air access points, such as a unique access point identifier, network name, security type, supported data transfer rate, country code;

j - comparison by analyzing devices 1 of the selected parameters with the parameters of the access points to be protected, received from application servers 5, and, if the access points present on the air have a unique identifier and/or network name equivalent to the unique identifier and/or network name of the access points to be protected , but other parameters of the access points present on the air do not correspond to the parameters of the access points to be protected, then the analyzing device 1, which has detected the specified discrepancy, generates a detection event for fake access points, or, if the access points present on the air have a unique identifier and network name that are not equivalent to the unique identifier and network name of the access points to be protected, then the analyzing device 1, which has detected the specified discrepancy, generates a rogue access point detection event;

k - transmission by analyzing devices 1, which generated the corresponding events, to application servers 5 via computer network 3 of messages with information about the detection of fake and unauthorized access points; messages may include, among other things, information about the unique identifier of a fake or unauthorized access point , network name, type of protection, supported data transfer rate, country code, information about analyzing device 1, its network address, unique identifier;

m - aggregation by application servers 5 of messages from analyzing devices 1 about detected unauthorized and fake access points, output of relevant information in text and graphic format,

n - saving aggregated information about detected unauthorized and fake access points by application servers 5 in databases 6;

p - transmission of a control command from the application servers 5 to the analyzing devices 1 via the computer network 3 to stop detecting unauthorized and fake access points and switch to idle mode.

To detect unauthorized and fake Wi-Fi access points, at least one analyzing device 1 is used to scan the air and collect data about access points, and a common computer network 3 is used for data exchange, and the server part 4, represented by application servers 5 and databases 6, application servers 5 switch the analyzing devices 1 to scanning mode and idle mode by sending control commands to them, set the parameters of the protected access points and save them in the databases 6, transfer the parameters of the protected access points to the analyzing devices 1, display in text and graphic format information about detected fake and unauthorized access points, which was received from analyzing devices 1 in the form of messages, and save it in databases 6; analyzing devices 1 scan the air over the entire Wi-Fi frequency range through wireless network interfaces provided by Wi-Fi adapters 2 connected to the analyzing devices 1, and also capture packets from the air and isolate at least such parameters of points present on the air access point, as a unique identifier of the access point, network name, type of protection, supported data transfer rate, country code, which are subsequently compared by analyzing devices 1 with the parameters of the access points to be protected received from application servers 5, and, if the access points present on the air have a unique identifier and/or network name equivalent to the unique identifier and/or network name of the access points to be protected, but other parameters of the access points present on the air do not correspond to the parameters of the access points to be protected, then the analyzing device 1, which has recorded the specified discrepancy, transmits to the servers applications 5, a message with information about the detection of fake access points, or, if the access points present on the air have a unique identifier and network name that is not equivalent to the unique identifier and network name of the access points to be protected, then the analyzing device 1, which recorded the specified discrepancy, transmits to the application server 5 a message with information about the detection of unauthorized access points (Fig. 2).

The operation of the presented method for detecting unauthorized and fake Wi-Fi access points is illustrated by an example in FIG. 3. For clarity, when carrying out steps a, b, c, d, e, f, g, h, only access points III, IV are operational, as shown in Fig. 3 on the left, and when stages i, j, k, m, n, p are carried out, access points V, VI additionally function, as shown in FIG. 3 on the right. In the example under consideration, analyzing devices I and II are located in different rooms, and in the packet receiving area of analyzing device I there are access points III, IV, V, VI, and in the packet receiving area of analyzing device II there is access point IV.

In accordance with the described situation, steps a, b, c are carried out. Then at stage d, analyzing device I, having scanned the airwaves and analyzing captured packets, will detect access points III, IV, since they are in its packet reception area, and analyzing device II will detect only access point IV. In the example under consideration, analyzing device I for access point III will highlight the parameters {unique identifier 33:33:33:33:33:33; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}, for the access point IV will highlight the parameters {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}; and analyzer II for access point IV will extract parameters {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}.

According to step e, the analyzing device I will transmit the selected parameters to the application server 5 [{unique identifier 33:33:33:33:33:33; network name secure-network; security type WPA2; supported data transfer rates 24, 36,48, 54; country code RU}, {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}]; and analyzer II will transmit the selected parameters [{unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}].

For example, based on the results of stage f, the decision maker selected 5 parameters of protected access points on the application servers [{unique identifier 33:33:33:33:33:33; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}, {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}].

According to step g, parameters [{unique identifier 33:33:33:33:33:33; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}, {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}] will be saved in databases 6.

According to step h, analyzing devices I and II received a command via computer network 3 to start detecting unauthorized and counterfeit access points. As criteria for identifying unauthorized and fake access points, they were also sent the parameters of protected access points [{unique identifier 33:33:33:33:33:33; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}, {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}].

In the example under consideration, from the moment of stage i, access points V and VI additionally begin to function. Therefore, at stage i, analyzing device I, having scanned the airwaves and analyzing captured packets, will detect access points III, IV, V, VI, since they are in its packet reception area, and analyzing device II will detect only access point IV. Analyzer I for access point III will extract parameters {unique identifier 33:33:33:33:33:33; network name secure-network; security type WPA2; supported data transfer rates 24, 36,48, 54; country code RU}, for the access point IV will highlight the parameters {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}, for the access point V will highlight the parameters {unique identifier 55:55:55:55:55:55; network name secure-network; security type WPA2; supported baud rate 6,12,24,48; TN country code}, for the access point VI will highlight the parameters {unique identifier 66:66:66:66:66:66; network name business-network; security type WPA2; supported baud rate 6,9,12,48; country code SG}; and analyzer II for access point IV will extract parameters {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}.

Then at stage j the analyzing device I will record:

-for access points III, IV with parameters {unique identifier 33:33:33:33:33:33; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}, {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}, which were allocated at stage i, detection events of unauthorized and fake access points will not be generated, since the selected parameters fully correspond to the parameters that were received by the analyzing device I at stage h;

-for access point V with parameters {unique identifier 55:55:55:55:55:55; network name secure-network; security type WPA2; supported data transfer rates 6, 12, 24, 48; country code TH}, which were allocated in step i, a fake access point detection event will be generated, since the network name matches the network name of the protected access points III, IV, while other parameters (unique identifier, supported data transfer rate, code countries) do not correspond to the parameters of protected access points III, IV, received by analyzing device I at stage h;

-for VI access point with parameters {unique identifier 66:66:66:66:66:66; network name business-network; security type WPA2; supported data transfer rates 6, 9, 12, 48; country code SG}, which were allocated at stage i, an unauthorized access point detection event will be generated, since its unique identifier and network name do not match the unique identifier and network name of any of the protected access points III, IV, information about which was received analyzer I at step h.

Also at stage j, the analyzing device II will record: - for access point IV with parameters {unique identifier 44:44:44:44:44:44; network name secure-network; security type WPA2; supported data transfer rates 24, 36, 48, 54; country code RU}, which were allocated in stage i, the detection event of an unauthorized or fake access point will not be generated, since the allocated parameters fully correspond to the parameters that were received by the analyzing device II in stage h.

According to the stage, messages will be sent to the analyzing device I to the application servers 5 via the computer network 3 about the detection of a fake access point V with parameters {unique identifier 55:55:55:55:55:55; network name secure-network; security type WPA2; supported data transfer rates 6, 12, 24, 48; country code TN}, unauthorized access point VI with parameters {unique identifier 66:66:66:66:66:66; network name business-network; security type WPA2; supported data transfer rates 6, 9, 12, 48; country code SG}; while analyzing device II will not send messages about the detection of unauthorized and fake access points, since they are not within the receiving range of packets from analyzing device II.

According to stage m, the application server 5 will aggregate messages about detected unauthorized and fake access points received from the analyzing device I, and provide the received information in text and graphic format to the decision maker. In accordance with the described situation, the decision maker will have information about the detection by the analyzing device I of a fake access point V with parameters {unique identifier 55:55:55:55:55:55; network name secure-network; security type WPA2; supported data transfer rates 6, 12, 24, 48; country code TN}, unauthorized access point VI with parameters {unique identifier 66:66:66:66:66:66; network name business-network; security type WPA2; supported data transfer rates 6, 9, 12, 48; country code SG}.

According to step n, information about the detection by analyzing device I of a fake access point V with parameters {unique identifier 55:55:55:55:55:55; network name secure-network; security type WPA2; supported data transfer rates 6, 12, 24, 48; country code TN}, unauthorized access point VI with parameters {unique identifier 66:66:66:66:66:66; network name business-network; security type WPA2; supported data transfer rates 6, 9, 12, 48; country code SG} will be stored in databases 6.

If there is no need to continue detecting unauthorized and fake access points (for example, at night, when the corporate Wi-Fi network is turned off), the decision maker initiates the transmission of a control command from the application servers 5 to the analyzing devices I and II over the computer network 3 to stop detecting unauthorized and fake access points - stage p.

Thus, the decision maker, based on timely information received, will be able to take targeted organizational, legal and technical measures aimed at preventing the threat from unauthorized and counterfeit access points. Unlike the prototype, the presented invention implements a single control channel for detecting unauthorized and fake access points through the server part 4; there is also no limitation on the number of wireless network interfaces used, which is equal to the number of Wi-Fi adapters 2 connected to analyzing devices 1, which allows you to increase the scanning speed of the entire Wi-Fi frequency range and, as a result, increases the speed of detection of unauthorized and fake access points. The use of databases 6 to store information about detected unauthorized and fake access points makes it possible to record the fact of their presence on the air and present the corresponding evidence as evidence in the judicial settlement of possible information security incidents. Since, according to the presented method, a computer network 3 is used for data exchange, provided by a wired and/or wireless connection, as well as VPN technology, the analyzing devices 1 can be located remotely from each other and detect geographically extensive attacks. The application of the presented method does not depend on the network infrastructure used at the heart of the Wi-Fi network, since to detect unauthorized and fake access points, external analyzing devices 1 are used with Wi-Fi adapters 2 connected to them, operating in data receiving mode, which also does not allow the attacker can identify the use of the presented method and take countermeasures to avoid detection.

Information sources:

1. RF Patent No. 2671991.

2. RF patent 2743619.

3. US Patent No. 9603021.

4. RF patent No. 2758084. - prototype.

Claims (1)

A method for detecting unauthorized and fake Wi-Fi access points, including the collection of data by analyzing devices about access points, where network monitoring and data collection are provided by receiving network data from the tested access point, characterized in that the analyzing devices and Wi-Fi connected to them are additionally placed Fi adapters within the premises or space in which it is necessary to detect attacks, connect analyzing devices via a wired and/or wireless connection, and, if necessary, additionally using VPN technology, to the computer network in which the application servers are located, transmit control commands from the outside application servers to analyzing devices over a computer network to launch a monitoring scan, after scanning the air by the analyzing devices in the entire Wi-Fi frequency range and capturing packets from the air, and when performing scanning, wireless network interfaces are used, provided by Wi-Fi adapters connected to the analyzing devices , select at least such parameters of access points present on the air as a unique identifier of the access point, network name, type of protection, supported data transfer rate, country code, transmit the selected parameters from the analyzing devices to the application servers via a computer network , select on application servers from among the received parameters those that relate to protected access points, enter the selected parameters into databases by application servers, transmit control commands from application servers to analyzing devices via a computer network to start detecting unauthorized and fake access points together with transmission of data on the parameters of protected access points, which were entered into databases at the previous stage, after scanning the air by analyzing devices over the entire Wi-Fi frequency range and capturing packets from the air, and when scanning, wireless network interfaces provided by those connected to the analyzing devices are used Wi-Fi adapters select at least such parameters of access points present on the air, such as a unique identifier of the access point, network name, type of protection, supported data transfer rate, country code, and compare the selected parameters with the parameters of the points to be protected by analyzing devices access points received from application servers, and if the access points present on the air have a unique identifier and/or network name equivalent to the unique identifier and/or network name of the access points to be protected, but other parameters of the access points present on the air do not correspond to the parameters of the ones to be protected access points, then the analysis device that detects the specified discrepancy generates a rogue access point detection event, or, if the access points present on the air have a unique identifier and network name that is not equivalent to the unique identifier and network name of the access points to be protected, then the analysis device , which recorded the specified discrepancy, generates an event for the detection of unauthorized access points, the analyzing devices that generated the corresponding events transmit messages to application servers over the computer network with information about the detection of fake and unauthorized access points, messages may include, among other things, information about the unique identifier of a fake or unauthorized access point, network name, type of protection, supported data transfer rate, country code, information about the analyzing device, its network address, unique identifier, application servers aggregate messages from analyzing devices about detected unauthorized and fake access points, display relevant information in text and graphic format, store aggregated information about detected unauthorized and fake access points by application servers in databases, transmit a control command from application servers to analyzing devices via a computer network to stop detecting unauthorized and fake access points and switch to idle mode.