
Detecting Beacon Frame Spoofing in Wi-Fi

This document discusses the detection of beacon frame spoofing attacks in IEEE 802.11 networks. It proposes an algorithm to identify individual spoofed beacon frames in order to detect denial of service attacks in a passive manner. The algorithm aims to detect these attacks with no false positives by analyzing characteristics of legitimate beacon frames such as the BSSTimestamp field to identify inconsistencies that indicate spoofing. Experimental results show the algorithm can successfully detect spoofed frames without false alarms.



Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks

Conference Paper · April 2008


DOI: 10.1109/ARES.2008.130 · Source: IEEE Xplore


All content following this page was uploaded by Urko Zurutuza on 15 May 2014.



Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks

Asier Martínez∗, Urko Zurutuza†‡, Roberto Uribeetxeberria†, Miguel Fernández†, Jesus Lizarraga†, Ainhoa Serna† and Iñaki Vélez†

∗ AbitSecurity, Uribarri Etorbidea 19 - 1º, Polo de Innovación Garaia, 20500 Mondragon, Spain
Tel.: +34 943 712 072
Email: [email protected]

† Mondragon University, Computer Science Department, Loramendi 4, 20500, Mondragon, Spain
Tel.: +34 943 739 634. Fax: +34 943 791 536
Email: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

‡ This author is supported by the grant BFI05.454 of the Department of Research, Education and Universities of the Basque Government.

Abstract—A great variety of well-known attacks exist for the IEEE 802.11 protocol. The lack of mechanisms for management frame authentication and the complexity of the protocol itself have led to a considerable number of denial of service and identity spoofing attacks. As most denial of service attacks are based on spoofing of MAC addresses, spoofed frame detection schemes have gained attention. Currently the most efficient techniques to detect this kind of attack are based on the creation of profiles for the wireless nodes and behavior-based protocol anomaly detection. However, these techniques tend to generate too many false positives. This is caused by the unstable nature of the wireless medium and also by the difficulty of modelling the behaviour of the diverse implementations from different manufacturers. One way to reduce false positives is to combine different techniques to carry out the analysis. We propose a novel method that identifies the impersonation of certain management frames, which helps to reduce the number of false positives within other existing MAC spoofing detection techniques.

Index Terms—802.11 MAC address spoofing, false positive reduction, synchronisation attack detection, wireless intrusion

I. INTRODUCTION

Wireless networks have gained much popularity lately, to such an extent that we can find them in almost any aspect of our daily life. Mobile phones, PDAs and computers are some evident examples. The most popular implementation for local area networks is the standard IEEE 802.11, also known as Wi-Fi. As Wi-Fi networks proliferated, the security flaws of the protocol became notorious.

Management frames carry out critical tasks in those networks, but unfortunately these frames are not authenticated. This is probably the most important weakness of the protocol. As a consequence, several denial of service (DoS) attacks are possible [1]–[3]. The 802.11i and 802.1X standards have mitigated the effects of this problem, but not all the possible attacks have been tackled and, even worse, new ones have arisen [4].

Therefore it is necessary to develop techniques that will allow us to detect DoS attacks in 802.11 networks. Most of these attacks impersonate MAC frames, thus the detection of such impersonation could lead us to the detection of a great variety of attacks.

In this work we propose a new technique to detect the falsification of management frames in the IEEE 802.11 protocol. More precisely, we give details about how to detect beacon frame falsification. These frames are responsible for distributing critical information in an 802.11 network. We propose an algorithm that identifies each false beacon frame in order to detect DoS attacks in a passive mode. The article contributes as follows:

• We describe beacon frame based attacks.
• We develop a method for a false positive-free, single false beacon frame detection.
• We show experimental results, analysis and a benchmark of our system implementation compared with a known IEEE 802.11 based intrusion detection system.

The rest of the document is organised as follows: Section II gives an overview of MAC address spoofing detection techniques. It focuses on the strong and weak points of each technique. Section III-A describes DoS attacks based on de-synchronisation of nodes. These attacks are carried out by the impersonation of beacon frames. A method to detect these spoofed frames is proposed in section IV. After a theoretical description of our detection method, section V shows the results of experimental tests over two different scenarios. Finally, conclusions extracted from the experimental work are detailed and summarised in section VI.

II. RELATED WORK

Despite the existence of diverse methods to detect MAC frame spoofing in 802.11, broadly all of them can be classified into two categories: protocol anomaly detection and anomaly detection based on the individual characteristics of 802.11 nodes.

Techniques belonging to the first category try to model and understand the normal behaviour of an 802.11 network. After modelling this behaviour, the network is monitored looking for patterns that do not fit into this model. One of the most popular techniques within this category uses sequence number analysis of 802.11 frames. This number acts as a sequence number identifier of the frames transmitted from a node. In this sense Joshua Wright proposes in [5] the use of this sequence number field in the frame. This is a very simple technique that uses a threshold representing the maximum difference between each sequence number. The main disadvantage of this approach is the amount of false positives generated. This happens because the theoretical model on which it is based does not properly fit the real operation of an 802.11 network [6]. Nevertheless this technique has been implemented in some free intrusion detection tools such as Snort-Wireless¹, WIDZ² or Garuda³. On the other hand, Fanglu Guo et al. [7] model the behaviour of the sequence field using an empirical method that takes measures in an 802.11 network for a given time. Although this method achieves a more realistic model, it can vary for different devices [2], [6] or situations other than those used when taking the measures.

Also making use of the sequence number field, Dasgupta et al. [8] propose, more precisely, fuzzy logic techniques to obtain more flexible patterns with a lower false positive rate. However, results obtained on tests have not been very encouraging. LaRoche et al. [9] use machine-learning techniques to model the behaviour of the protocol and reduce the number of false positives. Genetic algorithms are used in this work but the false positive ratio obtained does not offer a significant improvement.

Still within protocol anomaly detection, indirect detection is another approach to detect spoofed frames. Bellardo et al. describe a heuristic technique to detect de-authentication attacks in [2]. This kind of attack performs MAC address spoofing and therefore the attack can be detected indirectly.

Kismet⁴ is a well-known 802.11 network scanner that includes intrusion detection features. It is able to model the behaviour of beacon frames, and the detection of spoofed frames is based on the coherence of the BSSTimestamp field. This approach has obtained good results so far. The BSSTimestamp field consists of a counter of the time (in microseconds) that the access point has been active. For example, if the BSSTimestamp does not increase with time, the value will not be coherent and an anomaly will be detected. In practice, modelling the behaviour of an 802.11 network is not a simple task. The unstable nature of the wireless medium and the different implementations of the protocol in network cards [6] create important deviations between the behaviour of different networks [10], [11]. Nevertheless, although getting a general model for every attack seems impossible, sufficiently reliable and useful patterns can be obtained.

The creation of profiles with the characteristics of wireless nodes is an alternative to protocol modelling. These profiles are created using measurable attributes of each wireless node. Characteristics such as hardware [12], [13], software [14] and firmware [15], [16] fingerprints analysing the behaviour of the node could be included. Attributes referring to the physical position of the node can also be used. In [17], [18] the delay in the transmission of fixed length frames and the fluctuation of the power in the received signal are used to univocally identify each node. More simply, in [19]–[21] the validity of the physical addresses of MAC frames is verified. Unfortunately this will only detect the spoofing of non-existent nodes, and it would be very simple to overcome by generating valid addresses and thus remain undetected.

¹ http://www.snort-wireless.org/
² http://www.loud-fat-bloke.co.uk/tools.html
³ http://sourceforge.net/projects/garuda/
⁴ http://www.kismetwireless.net/

III. BEACON BASED ATTACKS

A. Synchronization attacks

A beacon frame is used for several functions: to synchronise the clocks of the nodes, to announce the existence of the network, and to transmit some necessary configuration parameters to join it [22]. Other important functions of beacon frames are related to the maintenance of the network. Beacon frames are transmitted at regular intervals to allow the nodes to find and identify a network. Every wireless network needs a coordinator in charge of transmitting beacon frames.

1) Power Saving Mode Attack: PSM allows nodes to save energy while they are waiting for the channel to be available for transmission. For example, one node will go to a power save mode for a period specified by the access point. During this idle time, the access point will buffer the packets destined to that node and they will be sent to it when it wakes up. If for any reason the node wakes up at any other time than that expected by the access point, due to desynchronization caused by spoofed beacon frames, it may lose the buffered information. As a result, the victim node can suffer a reduction in its capacity for transmitting [3].

2) PCF attack: In PCF (Point Coordination Function) mode, the access point serves as a network referee. It provides the priority mechanisms for the devices. An attacker could spoof beacon frames using false clock values. Those values would produce a maladjustment in the contention periods of the stations, causing a DoS [3].
B. 802.11i attacks

The 802.11i standard is also prone to attacks by means of the information contained in the beacon frames, as described in [23]. A manipulation of the robust security network information element specified in 802.11i will produce a DoS in the client node, keeping it from joining the network. If, for some reason, incoherence is detected in the security method chosen, the network joining process is aborted. This incoherence can be caused by an attacker who forges a beacon frame.

There is also the rollback attack, which tries to replace the values negotiated by the station with weaker encryption methods. [24] describe how to use policies to detect this type of attack, but it is not possible to detect the poisoning attack because it modifies some bits that are insignificant and variable, causing the DoS without influencing the bits in charge of encryption or authentication.

C. False Information attacks

As the previously described attacks do, false information attacks transmit manipulated values in the fields necessary for the stations to connect to the network. An example of this type of attack can be found in the wireless vulnerability database as WVE-2006-0050⁵. The information field provides the number of the channels used by the network. If beacon frames are falsified using a wrong channel number, stations will not be able to join the network.

⁵ http://www.wirelessve.org/entries/show/WVE-2006-0050

IV. PROPOSED DETECTION METHOD

The simplest way to detect most of the spoofed traffic is to modify the firmware of the access points and 802.11 cards in order to log the transmitted data. Knowing which frames have been transmitted helps to detect others that do not belong to the device even if they have the same physical address. This technique is very useful in infrastructure networks, as the management frames are centralised in the access point. However, certain limitations exist in the market. On the one hand, the technique needs hardware with special firmware. On the other hand, it has to be taken into account that a lot of hardware without spoofing detection functionality already exists. External monitoring methods can help to overcome this necessity. They should be passive methods because of the lack of bandwidth that characterises wireless networks.

The technique proposed in this work detects beacon frames that have been spoofed in an infrastructure 802.11 network. This is a passive technique that does not need a modification of the firmware of the existing hardware. We have implemented it in a dedicated monitoring sensor. Spoofing of beacon frames can cause denial of service attacks such as the ones mentioned in section III-A.

As said before, beacon frames must be transmitted at regular intervals. This interval is specified by the access point and it is announced to the rest of the nodes in the "beacon interval" field. If a frame does not satisfy this condition, it can be considered as malicious. Nevertheless, exceptions to this behaviour exist. If a network is congested, the access point may delay the transmission of the beacon frame. This behaviour is not specified in the standard, and using smaller beacon frame periods could be considered a hardware error, since an incorrect synchronisation may cause failure of some services. Therefore, the proposed technique is based on the monitoring of time intervals between beacon frames. In this work, we measure this value for each beacon frame transmitted and we define a variable called Delta which represents the time gap between two consecutive beacon frames. If Delta is smaller than a defined threshold, the frames will be considered anomalous.

V. EXPERIMENTAL RESULTS

To test the validity of the new method proposed in section IV, the intrusion detection system for Wi-Fi networks Snort-Wireless has been modified. To measure the interval between beacon frames, the MACTime field of Prism [25] headers has been used. This field gives the moment, in microseconds, when the wireless card received and stored the beacon frame. As a result, a more precise measure can be obtained than by simply analysing the time at the host. Two different scenarios have been created to complete the tests. This was because in practice the beacon frame intervals vary depending on the network traffic. The tests in the scenario of section V-B were made under low traffic conditions and the traffic was increased for the scenario of section V-C.

A. Network configuration

Figure 1 shows the network configuration used during the experiments. There are two nodes with Senao 802.11g wireless cards generating traffic and a Linksys WRT54G access point operating in dual mode 802.11 b/g. The wireless sensor is located very close to the access point so the measurement of frame transmission times is very precise. The access point was configured with an interval between transmitted beacon frames of 102.4 ms.

Fig. 1. Network diagram of test scenarios.

B. Scenario I

In this first scenario, nodes generate moderate traffic by making Internet requests and SSH connections. The attack was carried out using a traffic injection tool called Scapy⁶. The tool sends three beacon packets per second after waiting a pseudo-random time obtained by the random() function (from the Python⁷ programming language). Table 1(a) shows how the access point acts as expected and there is almost no divergence between the beacon frame Delta times.

⁶ http://www.secdev.org/projects/scapy/
⁷ www.python.org/

1) Results for scenario I: Significant results have been obtained after carrying out the attacks. The mean value of delta time is considerably lower, the amount of false positives goes down rapidly and there are no false negatives. The absence of false negatives is due to the way that the attack was carried out. Desynchronization attacks need various frames to have some effect over the clocks of the nodes. In order to have a false negative, the absence of beacon frames should last for at least double the beacon interval predefined in the access point.

The difference between measured delta times of the beacon frames can be observed in figure 2. Figure 2(a) shows the values for a normal network while figure 2(b) shows how delta times decrease when a large amount of external beacon frames are introduced. In this case the predefined values are not kept anymore. It has to be mentioned too that the amount of false positives is very low. Table 1 shows how despite having a very low Threshold there are only five false positives. The reason for this is that the traffic is very low. Thus, intervals between beacon frames do not oscillate as much and they can be considered very precise. This can be compared with the results obtained in section V-C.

TABLE I
FALSE POSITIVES AND NEGATIVES, (A) IN A LOW TRAFFIC NETWORK DURING AN ATTACK, (B) IN A HIGH TRAFFIC NETWORK DURING AN ATTACK

(a)
Threshold   FP    FN
1%          5     0
2%          0     0
3%          0     0
6%          0     0
10%         0     0

(b)
Threshold   FP    FN
1%          118   0
2%          4     0
3%          2     0
4%          1     0
5%          1     0
6%          0     0

TABLE II
DELTA TIME STATISTICS IN A LOW TRAFFIC NETWORK. (A) DURING THE NORMAL OPERATION. (B) DURING AN ATTACK.

(a)
Delta max.             204.808 ms
Delta min.             875.06 ms
Delta mean             102.451 ms
Delta variation        0.05%

(b)
Attack frame number    501
Attack frame loss      2
Delta min.             0.804 ms
Delta max.             109.376 ms
Delta mean             88.917 ms
Delta variation        13.16%

Fig. 2. Beacon frame delta times in a low traffic network (panels (a) and (b)).

C. Scenario II

This scenario keeps the previous network configuration. The only difference lies in the amount of traffic generated. Both client nodes make simultaneous transmissions of large files via FTP transfers. Due to this change, more fluctuations occur and are reflected in the statistics of table 3(b).

TABLE III
DELTA TIME STATISTICS IN A HIGH TRAFFIC NETWORK. (A) DURING THE NORMAL OPERATION. (B) DURING AN ATTACK.

(a)
Delta max.             206.220 ms
Delta min.             96.639 ms
Delta mean             102.524 ms
Delta variation        0.122%

(b)
Attack frame number    501
Attack frame loss      29
Delta min.             0.826 ms
Delta max.             203.909 ms
Delta mean             89.615 ms
Delta variation        12.48%
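The Delta check proposed in section IV, run over a small trace and scored at several thresholds, as an added example (it is not the authors' Snort-Wireless modification). It assumes that the percentage thresholds of Table I mean the tolerated shortfall below the announced beacon interval and that Delta is measured from the last beacon accepted as legitimate; the trace, the function names and these two choices are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BEACON_INTERVAL_US = 102_400  # 102.4 ms, the beacon interval configured in section V-A

# Constructed trace, not measured data: (MACTime in microseconds, is_spoofed).
TRACE: List[Tuple[int, bool]] = [
    (0,       False),
    (102_400, False),
    (150_000, True),   # injected mid-interval: Delta = 47.6 ms
    (204_800, False),
    (310_200, False),  # legitimate beacon delayed 3 ms by congestion
    (409_600, False),  # next beacon back on schedule: Delta = 99.4 ms (2.9% short)
    (512_000, False),
    (512_800, True),   # injected right after a legitimate beacon: Delta = 0.8 ms
    (614_400, False),
    (717_000, True),   # the legitimate beacon due at 716.8 ms was lost; this fills the gap
    (819_200, False),
    (921_600, False),
]


@dataclass
class Verdict:
    mactime_us: int
    delta_us: Optional[int]  # None for the first beacon (no reference yet)
    anomalous: bool


def check_beacons(mactimes_us: List[int], threshold: float,
                  interval_us: int = BEACON_INTERVAL_US) -> List[Verdict]:
    """Flag every beacon whose Delta is below interval * (1 - threshold).

    Assumption of this example: Delta is taken from the last beacon that was
    NOT flagged, so a spoofed frame does not become the timing reference and
    cause the next legitimate beacon to be flagged as well. Long Deltas are
    never flagged, because the access point may delay or lose beacons.
    """
    min_delta = interval_us * (1.0 - threshold)
    verdicts: List[Verdict] = []
    last_ok: Optional[int] = None
    for t in mactimes_us:
        if last_ok is None:
            verdicts.append(Verdict(t, None, False))
            last_ok = t
            continue
        delta = t - last_ok
        anomalous = delta < min_delta
        verdicts.append(Verdict(t, delta, anomalous))
        if not anomalous:
            last_ok = t
    return verdicts


def score(verdicts: List[Verdict], spoofed: List[bool]) -> Dict[str, int]:
    """Count true positives, false positives and false negatives."""
    pairs = list(zip(verdicts, spoofed))
    return {
        "TP": sum(v.anomalous and s for v, s in pairs),
        "FP": sum(v.anomalous and not s for v, s in pairs),
        "FN": sum(s and not v.anomalous for v, s in pairs),
    }


def evaluate(threshold: float) -> Dict[str, int]:
    """Run the detector over the constructed TRACE at one threshold."""
    times = [t for t, _ in TRACE]
    labels = [s for _, s in TRACE]
    return score(check_beacons(times, threshold), labels)


if __name__ == "__main__":
    for pct in (1, 2, 3, 6, 10):
        print(f"threshold {pct:>2}%: {evaluate(pct / 100)}")
```

On this trace the 3 ms beacon delay costs one false positive until the threshold reaches 3%, and the frame that fills a lost-beacon gap is missed at every threshold, which is the false-negative condition described in the results for scenario I.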
Fig. 3. Beacon frame delta times in a high traffic network (panels (a) and (b)).

1) Results for scenario II: Results of scenario II differ from those of scenario I because having higher traffic makes fluctuations between beacon frames grow. This is shown in table 2(b), where for a threshold of 1% 118 false positives are obtained while for scenario I there were only 5 of them. Statistics of the behaviour for a network that is not under attack also change. The deviation in a congested network is doubled, as can be seen in table 3(a). As mentioned in section V-C, for high traffic in the 802.11 network, the hardware finds it more difficult to achieve the established beacon intervals. Therefore small fluctuations are generated and a high false positive rate will be produced if a low Threshold is established. This situation may change depending on the chosen hardware, so the required threshold will also differ depending on the network electronics.

D. Trying to evade detection

Another significant result from the statistics shown in table 3(b) is that the value of delta time goes up to 203.9 ms (the maximum value measured) at least once. If an attacker was able to synchronise and inject the spoofed frame in a moment significantly close to the middle of the interval, he would manage to generate a false negative. Nevertheless it is not possible for an attacker to know a priori when those fluctuations will occur, and the congestion which caused the delay in the network will cause the invalidation of the attacker's injected frame. In order to verify this, we suppose that an attacker can obtain a delay pattern. Practical attempts have been made, but it has been impossible to reproduce the attack due to the slow response times at the moment of injecting the frame, resulting in the detection of the attack. These response times are much smaller than the required times. In addition, the machine from which the traffic injection is made does not have a real-time operating system, which makes the synchronization of the attack a complicated task. On the other hand, an attacker could try to interfere with the legitimate frame and inject his own. However, this is not an easy task either [26], as wireless 802.11 networks make use of Direct Sequence Spread Spectrum (DSSS), which is very resistant to interference. In addition to that, this kind of attack would require highly specialised hardware and a correct synchronisation with the legitimate frame that we try to interfere with.

E. Comparison against Snort-Wireless

Snort-Wireless is the most advanced Open Source Wireless IDS. It uses the sequence number analysis technique proposed by [5] to detect false frame attacks. In this section we test the effectiveness of Snort-Wireless on the data used when applying the proposed analysis technique. Slightly modified default values have been used in Snort-Wireless to send out alerts for the detected attacks. This is because by default it only detects the first attack, saving the address of the attacker station without sending any alert for a period of time. Snort-Wireless is outdated in some aspects, but it was chosen instead of other commercial tools because they are a black box and it is impossible to analyze the techniques they use and to reach any satisfactory conclusion.

As shown in table 4, there is little difference between the high- and low-traffic scenarios. This happens because the traffic volume does not influence the behavior of the sequence number of the stations involved. It can also be observed that the detection rate is considerably lower. Even if spoofing attacks can be detected, it is not capable of identifying the malicious packets, as the threshold-based technique used by Snort-Wireless is prone to false positives.

TABLE IV
SNORT-WIRELESS ALERT RESULTS (A) DURING ATTACK WITH LOW TRAFFIC. (B) DURING AN ATTACK WITH HIGH TRAFFIC.

                   (a)    (b)
Attack frames      499    472
Alerts             121    110
True Positives     90     83
False Positives    31     27
False Negatives    378    362

VI. CONCLUSIONS AND FURTHER WORK

The MAC address spoofing detection technique proposed in this article does not generate any false positive if a correct detection threshold is established. Results clearly show that spoofed beacon frames can be detected by measuring the intervals between beacon frames. This method has proved adequate to be implemented together with other techniques such as sequence number analysis. As well as being an effective technique, its implementation is very simple: a passive measurement with minimum hardware requirements is sufficient. Almost any 802.11 card could be used for that. This technique is a step forward towards the creation of valid profiles that will allow us to detect anomalies in Wi-Fi networks. The introduction of spoofed frames in these networks generates anomalous situations. One of these anomalies can be caused by not satisfying the minimum required intervals between frames, or other time intervals specified by the medium access control mechanisms of the protocol. The times can be measured and thus the very same techniques can be used in the future to detect the anomalous behaviour provoked by other types of denial of service attacks. Although these techniques are not sufficiently strong to offer a fully reliable response on their own, the reduction of false positives by means of combining this technique with other ones is possible. Finally, this technique could effectively be implemented in Ad-Hoc networks as they also use management frames that can suffer from the same kind of attacks.

Fig. 4. ROC curve of the detection method in worst case with high traffic.

REFERENCES

[1] W. A. Arbaugh, N. Shankar, and Y. J. Wan, “Your 802.11 wireless network has no clothes,” Wireless Communications, IEEE, vol. 9, no. 1, pp. 44–51, 2002.
[2] J. Bellardo and S. Savage, “802.11 denial-of-service attacks: Real vulnerabilities and practical solutions,” in Proceedings of the Twelfth USENIX Security Symposium. Washington, DC, USA: USENIX Association, Aug 2003, pp. 15–28. [Online]. Available: http://www.cs.ucsd.edu/~savage/papers/UsenixSec03.pdf
[3] G. Khanna, A. Masood, and C. Nita-Rotaru, “Synchronization attacks against 802.11,” in The 12th Annual Network and Distributed System Security Symposium Pre-Conference Wireless and Mobile Security Workshop, San Diego, CA, USA, Feb. 2005. [Online]. Available: http://www.isoc.org/isoc/conferences/ndss/05/workshop/khanna.pdf
[4] A. Mishra and W. A. Arbaugh, “An initial security analysis of the IEEE 802.1x standard,” University of Maryland, Tech. Rep. CS-TR-4328, Feb 2002, UMIACS-TR-2002-10. [Online]. Available: citeseer.ist.psu.edu/566520.html
[5] J. Wright, “Detecting wireless LAN MAC address spoofing,” http://home.jwu.edu/jwright/, 2003.
[6] A. D. Stefano, A. Scaglione, G. Terrazzino, I. Tinnirello, V. Ammirata, L. Scalia, G. Bianchi, and C. Giaconia, “Wifi does not imply 802.11 standard compliancy: experimental results,” in The Wireless Internet conference (WICON), July 2004.
[7] F. Guo and T. cker Chiueh, “Sequence number-based MAC address spoof detection.” in Proceedings of the 9th international symposium on recent advances on intrusion detection, RAID, 2005, pp. 309–329.
[8] D. D. F. G. K. Yallapu and M. Kaniganti, “Multilevel monitoring and detection systems (MMDS),” in Proceedings of the 15th Annual Computer Security Incident Handling Conference (FIRST), Ottawa, Canada, June 22-27 2003.
[9] P. LaRoche and A. N. Zincir-Heywood, “802.11 network intrusion detection using genetic programming,” in Genetic and Evolutionary Computation Conference (GECCO2005) workshop program. Washington, D.C., USA: ACM Press, 25-29 Jun. 2005, pp. 170–171. [Online]. Available: http://www.cs.bham.ac.uk/~wbl/biblio/gecco2005wks/papers/0170.pdf
[10] J. Yeo, M. Youssef, and A. Agrawala, “A framework for wireless LAN monitoring and its applications,” in WiSe ’04: Proceedings of the 2004 ACM workshop on Wireless security. New York, NY, USA: ACM Press, 2004, pp. 70–79.
[11] A. A. Cárdenas, S. Radosavac, and J. S. Baras, “Detection and prevention of MAC layer misbehavior in ad hoc networks.” in SASN, S. Setia and V. Swarup, Eds. ACM, 2004, pp. 17–22.
[12] J. Hall, M. Barbeau, and E. Kranakis, “Radio frequency fingerprinting for intrusion detection in wireless networks,” IEEE Transactions on Dependable and Secure Computing, 2005.
[13] ——, “Enhancing intrusion detection in wireless networks using radio frequency fingerprinting,” in Communications, Internet and Information Technology (CIIT), November 2004, pp. 22–24.
[14] B. Sieka, “Active fingerprinting of 802.11 devices by timing analysis,” in Consumer Communications and Networking Conference, CCNC 2006, 2006, pp. 15–19, Volume: 1.
[15] J. P. Ellch, “Fingerprinting 802.11 devices,” Master’s thesis, Naval Postgraduate School Monterey, California, 2006.
[16] J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J. V. Randwyk, and D. Sicker, “Passive data link layer 802.11 wireless device driver fingerprinting,” in Proceedings of the 15th USENIX Security Symposium, Vancouver, Canada, jul-aug 2006, pp. 167–178. [Online]. Available: http://www.cs.cmu.edu/~jfrankli/usenixsec06/usenixsec06driverfingerprinting.pdf
[17] G. R. and Smith J., L. M., and A. Clark, “Passive techniques for detecting session hijacking attacks in IEEE 802.11 wireless networks,” in Proceedings of AusCERT Asia Pacific Information Technology Security Conference (AusCERT2005), R. Stream, C. A., K. K., and U. o. Q. Mohay, G., Eds., 2005, pp. 26–38.
[18] R. Gill, J. Smith, and A. Clark, “Experiences in passively detecting session hijacking attacks in IEEE 802.11 networks,” in Fourth Australasian Information Security Workshop (Network Security) (AISW 2006), R. Safavi-Naini, C. Steketee, and W. Susilo, Eds., vol. 54. Hobart, Australia: ACS, 2006, pp. 221–230.
[19] W.-C. Hsieh, C.-C. Lo, J.-C. Lee, and L.-T. Huang, “The implementation of a proactive wireless intrusion detection system,” in CIT, 2004, pp. 581–586. [Online]. Available: http://csdl.computer.org/comp/proceedings/cit/2004/2216/00/22160581abs.htm
[20] V. Sharma, “Intrusion detection in infrastructure wireless LANs,” Bell Labs Technical Journal, vol. 8, no. 4, pp. 115–119, 2004. [Online]. Available: http://dx.doi.org/10.1002/bltj.10090
[21] Y.-X. Lim, T. Schmoyer, J. G. Levine, and H. L. Owen, “Wireless intrusion detection and response.” in IAW, 2003, pp. 68–75.
[22] IEEE, “1999 edition (r2003) part 11: Wireless LAN medium access control (MAC) and physical layer (phy) specifications,” IEEE, Tech. Rep., 1999 (R2003).
[23] C. He and J. C. Mitchell, “Security analysis and improvements for IEEE 802.11i.” in NDSS, 2005.
[24] R. Gill, J. Smith, and A. Clark, “Specification-based intrusion detection in WLANs,” in 22nd Annual Computer Security Applications Conference, December 11-15 2006.
[25] Intersil, PRISM Driver Programmers Manual, version 2.30, 2002, available at http://home.eunet.cz/jt/wifi/RM0251.pdf.
[26] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The feasibility of launching and detecting jamming attacks in wireless networks,” in MobiHoc ’05: Proceedings of the 6th ACM international symposium on Mobile ad hoc networking and computing. New York, NY, USA: ACM Press, 2005, pp. 46–57.
