1 Introduction

Detection of rogue access points (RAPs) matters because a RAP is the starting point for a range of further attacks. The original security protocol of Wireless Local Area Networks (WLANs), Wired Equivalent Privacy (WEP), fails to achieve the security goals of confidentiality, integrity and availability. Wi-Fi Protected Access (WPA) was developed to overcome the flaws of WEP, but because WPA still relies on the RC4 stream cipher, access points running it can still be compromised [14].

Rogue access points can be placed into four categories [5]:

  1. Improperly configured access point: Because of minor configuration mistakes, a legitimate access point may turn into an improperly configured device. Typical causes are a network administrator with insufficient security knowledge (e.g. choosing inappropriate encryption and authentication techniques), a faulty AP driver, or a software update after which a properly configured AP becomes vulnerable.

  2. Unauthorized access point: For flexibility and scalability, employees install APs without the knowledge of the administrator. Through such APs, hackers can connect to the internal network, sniff sensitive data, steal bandwidth and use the network to attack other users. A second source of unauthorized APs is a neighbouring WLAN: since clients prefer the AP with the strongest signal, authorized clients of one organization may associate with a nearby AP belonging to someone else, and that neighbouring AP can expose sensitive data.

  3. Phishing access point: An AP installed outside the wireless network by a malicious user to harvest users' credentials such as usernames and passwords by masquerading as a legitimate access point is termed a phishing AP. It lets the attacker mount a Man-in-the-Middle (MITM) attack in a wireless network that does not require mutual authentication between client and server. Since WEP does not enforce mutual authentication, an MITM attack is easy to launch in a WEP network.

  4. Compromised access point: If an attacker cracks the key used in a WEP or WPA Pre-Shared Key (WPA-PSK) network, the network becomes compromised. Once the key is known, every AP using the same credentials effectively becomes a rogue AP, and it is easy for the attacker to masquerade as a legitimate user in the compromised network.

The first three classes of rogue access point are comparatively easy to detect; the fourth is hard to deal with. A compromised AP affects the overall security of the network most severely, because it is both more dangerous and harder to detect. Several methods for detecting rogue access points exist, but there is still a need for an approach that handles all four types efficiently and effectively.

The rest of the paper is organized as follows: Sect. 2 reviews previously proposed methods for detecting and preventing rogue access points and their associated problems, Sect. 3 explains the shadow honeypot architecture and its utility, Sect. 4 describes the proposed approach, Sect. 5 describes the implementation, Sect. 6 presents the experimental evaluation, and Sect. 7 concludes the paper and outlines future work.

2 Related Work

Various methods have been introduced for detecting RAPs, each with its own pros and cons. Traditional RAP detection relies on enumeration tools such as NetStumbler, run on handheld devices and laptops to gather information [6]. This method is time-consuming, expensive and unreliable, and it fails when an attacker spoofs the Medium Access Control (MAC) address and Service Set Identifier (SSID) of a legitimate access point.

A number of commercial products for continuous monitoring, such as AirDefence [5, 7], combine radio-frequency sensors with intrusion detection and prevention servers to capture, process and correlate network events.

Radio Frequency (RF) monitoring [5, 8] uses multiple APs and mobile clients as sensors to detect wireless rogue access points. Its flaws: the sniffing APs are difficult to install properly, an attacker can simply switch a rogue AP off during a scan, and MAC spoofing goes undetected.

Dense Array of Inexpensive Radios (DAIR) [5, 9], a distributed monitoring infrastructure, provides comprehensive traffic capture. It is not very effective because it depends on AP functionality that can easily be turned off.

The method of [5, 6] works on the wired side of the network. It is based on inter-packet spacing: packets that have traversed a wireless hop show larger spacing than purely wired packets because of the extra hop through the wireless router, and installing a wireless access point therefore changes the timing profile of the network. A sniffing client (a laptop) was attached to a 100 Mbps shared hub at a central location; a flow with large packet spacing was attributed to a rogue access point.

Rogue access points and eavesdroppers can also be detected with multiple sniffers, each equipped with three network cards and intrusion detection capability. This method too fails to detect MAC address spoofing [5, 10].

A further approach, also named RAP, targets commodity Wi-Fi networks [5]. It consists of three main elements: a packet collector, a detection engine and a preemption engine. Its advantages: (1) it requires neither specialized hardware nor modification of existing networks; (2) it can be integrated as a plug-in enhancement to Wi-Fi networks; (3) it protects the network against adversaries capable of violating the WLAN standard; (4) it can be used alongside security protocols such as WEP and WPA.

As malicious activity on today's Internet keeps growing, organizations have started deploying Intrusion Prevention Systems (IPS) to detect and prevent newer attacks. Current IPSs rely on rule-based intrusion detectors such as Snort [11], which can only detect already known attacks. Intrusion Detection Systems (IDS) suffer from false positive and false negative alerts: an IDS tuned to be very sensitive misclassifies legitimate users as malicious (more false positives), while an insensitive IDS misses real attacks (more false negatives). The Shadow Honeypot [12] was introduced so that a system can be tuned for high sensitivity while keeping the effective false positive rate low.

3 Shadow Honeypot Architecture

The Shadow Honeypot [12] architecture handles network-based attacks. It consists of three components: a filtering engine, an array of anomaly detection sensors and the shadow honeypot itself, as shown in Fig. 1.

Fig. 1 Shadow honeypot architecture [12]

The filtering component screens traffic flowing towards the protected network against a list of known-bad sources and rejects matching packets outright, short-circuiting the detection heuristics and shadow testing for them. Traffic that passes the filter is handed to an array of anomaly detection sensors, which analyse the packets' characteristics; traffic the sensors consider suspicious is forwarded to the shadow code. The detectors are deliberately tuned towards high sensitivity, accepting more false positives, because the shadow stage absorbs them. The shadow and the regular application fully share internal state, so that attacks exploiting differences between the two are not possible. The shadow's verdict is fed back to the earlier stages so that the same malicious traffic is filtered out immediately if it appears again.

3.1 Utility of Shadow Honeypot

“A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” Traditional honeypots are instrumented to detect active attacks, but they do not detect passive attacks, in which an attacker lures a victim into downloading a malicious file. They are therefore applicable only to server-side applications.

Unlike a traditional honeypot, which sits idle waiting for an active attacker to probe it, a shadow honeypot can also detect a passive attack that lures a victim [13].

A Honeynet [14] is a network that captures all inbound and outbound traffic passing through a reverse firewall. The Honeynet sits behind the reverse firewall, which limits the amount of malicious traffic that can leave it. To give the hacker the feel of a real system, standard production systems are used inside the Honeynet.

A Honeynet rests on two principles: Data Capture and Data Control. Data Capture is the gathering of all traffic entering and leaving the Honeynet. It must be collected for later analysis without the knowledge of the individual performing the malicious activity, and stored at a separate location so that the hacker cannot destroy it even after compromising the system.

Data Control is about protecting other networks from being attacked and compromised from the Honeynet's systems.

A honeypot or honeynet logs every activity, whether performed by an attacker or by an authorized user. This adds overhead and reduces efficiency. The shadow honeypot was introduced to provide better performance.

The advantages of shadow honeypot are given below:

  • Improves system performance by reducing the false positive rate.

  • Handles attacks against a specific site with a particular internal state.

  • Suitable for protecting against client-side attacks, e.g. on a web browser or a P2P file-sharing client.

  • Additional detection mechanisms can be integrated easily.

  • Able to deceive attackers to a greater extent.

4 Proposed Approach

4.1 Architecture

The “Shadow Honeypot” architecture combines the best features of honeypots and anomaly detection systems. This paper proposes a method for detecting and preventing rogue access points using a shadow honeypot.

Referring to Fig. 1, the filtering component is used to filter out unauthorized (rogue) access points. It holds a list of the MAC addresses of all authorized access points. At this stage the MAC addresses of all visible wireless routers are matched against the list; any router whose MAC address is not on the list is treated as a rogue access point. However, an attacker may be using one of our own authorized APs (improperly configured or compromised access point) or spoofing the MAC address of a legitimate AP (phishing access point). In that case the packet passes the filtering stage and is forwarded to the anomaly detection sensors, where ettercap [15], wireshark [16], snort [17] and the anomaly detection heuristic payload sifting [18] are used to filter out unauthorized hosts and detect various attacks.

Ettercap scans all hosts connected to our wireless network and displays their IP and MAC addresses, so that attackers can be filtered out on the basis of unauthorized IP addresses. An attacker using ARP spoofing, however, easily evades this check, so wireshark is used to detect Man-in-the-Middle (MITM), Denial-of-Service (DoS), Distributed Denial-of-Service (DDoS) and Smurf-like attacks. The packet is then forwarded to the shadow honeypot for validation. From the verdicts of the anomaly detection system and the shadow honeypot, the measured false positive and false negative rates are obtained. The result is sent back to the filtering and detection stages, so that any future packet from these malicious nodes is rejected at the first stage. The shadow and the regular application fully share internal state to avoid attacks that exploit differences between the two.

To present attackers with the illusion of a real system environment, the method uses multiple shadow honeypots, a “shadow honeynet”, as shown in Fig. 2.

Fig. 2 Shadow honeynet

Referring to Figs. 1 and 2, the shadow is an instance of the protected software (e.g. a web server or client) instrumented to detect all potential attacks. This instance shares all internal state with the regular (production) instance of the application. The shadow catches attacks against it and discards the changes made to the shared state. A signal handler installed automatically by the tool notifies the operating system (OS) that an attack has been detected, and the OS rolls back all changes that occurred while servicing the malicious request. Traffic that was misclassified as malicious is validated by the shadow and handled transparently by the system (e.g. an HTTP request mistakenly classified as suspicious is served correctly). The shadow updates the filters and anomaly detectors to prevent future attacks. The proposed architecture improves performance by reducing false positives: the system is tuned to be sensitive to attacks, and requests that the anomaly detection sensors misclassify as malicious are handled carefully by the production software, transparently to the end users.

Specifically, the TXL compiler/interpreter [19–21] is used to create the shadow version of the existing code. If the shadow detects an attack, the state changes are rolled back and the outcome is passed to the filters and anomaly detectors to prevent future attacks. The shadow can be an entirely separate process running on another machine (loose coupling) or a separate thread running in the same address space (tight coupling).

Fig. 3 System work flow

4.2 System Work Flow

Figure 3 shows the processing logic of the system. The steps involved are:

  1. The filter checks the MAC addresses of all visible wireless access points. If it finds a router with an unauthorized MAC address, it classifies it as a rogue access point and drops the request.

  2. After passing the first stage, the request goes to the anomaly detector (AD), where the contents and characteristics of the packets are examined. Three tools, ettercap, wireshark and snort, and the detection heuristic payload sifting are used here.

    (a) Ettercap scans the whole wireless network to detect assailants. All hosts with unauthorized IP addresses (attackers) are identified here and their requests dropped. If the attacker is using an authorized IP address (IP spoofing), wireshark and snort are used to detect attacks such as MITM, DoS, DDoS and Smurf.

    (b) With wireshark the packet flow rate is analysed. An MITM attack increases the packet spacing, because the attacker sits between the authorized communicating entities; DoS, DDoS and Smurf attacks decrease it. If the normal spacing of wireless packets is 10–15 ms (the threshold window), an MITM attack shows spacing above the window and the flooding attacks show spacing below it. Snort provides more detailed information about the packets and raises alarms.

    (c) Payload sifting identifies popular substrings in packet payloads and marks them as fingerprints of rapidly spreading worms. These fingerprints are forwarded to the shadow honeypot, which searches for them in the network traffic. If a generated fingerprint really belongs to malicious activity, a hit is reported to the ADS and the filtering component; otherwise a false positive is reported and the lower stages are updated to reduce the false positive rate.

    For (a) and (b) two cases arise:

  3. If the request is classified as authorized, it is still passed to the third stage:

    (a) If an attack is detected, a false negative is recorded and the Anomaly Detection (AD) and filtering components are updated.

    (b) If no attack is detected, a true negative is recorded and the request is handled carefully.

  4. If the request is classified as unauthorized, it is likewise passed to the third stage:

    (a) If an attack is detected, a true positive is recorded and the result is passed down to the lower stages.

    (b) If no attack is detected, a false positive is recorded and the Anomaly Detection (AD) and filtering components are updated.
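The stage 2 and stage 3 logic of steps 2–4 above, as an added Python example that is not the paper's code: it applies the 10–15 ms spacing window of step 2(b), stands in for the TXL-instrumented shadow with a check that the ARP binding a request carries for the gateway matches the known gateway MAC (an assumption chosen for illustration, since ARP poisoning is the MITM technique evaluated in Sect. 6.1), records the TP/FP/TN/FN outcome of each request, feeds confirmed attackers back into the stage-1 block list and shadow-cleared hosts into an AD exemption list, and computes the false positive rate with and without the shadow in the manner of Sect. 6.1. The hosts, arrival times and gateway binding are constructed.

```python
from statistics import mean

# The paper treats 10-15 ms inter-packet spacing as normal for its wireless
# network; the window below is that assumption expressed in seconds.
NORMAL_GAP_LOW = 0.010
NORMAL_GAP_HIGH = 0.015

# Gateway binding of the home network in Sect. 5 (constructed from the values given there).
GATEWAY_IP = "192.168.38.254"
GATEWAY_MAC = "00:04:96:1e:56:e0"


def spacing_verdict(arrival_times, low=NORMAL_GAP_LOW, high=NORMAL_GAP_HIGH):
    """Stage 2 heuristic: mean inter-packet gap above the window suggests an
    interposed host (MITM), below it a flood (DoS/DDoS/Smurf)."""
    gaps = [b - a for a, b in zip(arrival_times, arrival_times[1:])]
    if not gaps:
        return "normal"
    g = mean(gaps)
    if g > high:
        return "mitm_suspect"
    if g < low:
        return "flood_suspect"
    return "normal"


class ShadowPipeline:
    """Stages 2 and 3 of the work flow, with the feedback loop to stage 1."""

    def __init__(self, gateway_ip, gateway_mac):
        self.gateway = (gateway_ip, gateway_mac.lower())
        self.blocklist = set()   # hosts confirmed malicious: dropped at stage 1 from now on
        self.ad_exempt = set()   # hosts the shadow cleared after an AD alert
        self.records = []

    def shadow_validate(self, req):
        """Stand-in for the instrumented shadow copy (assumption, not the paper's
        TXL-generated shadow): the request is an attack if the ARP binding it
        carries for the gateway IP disagrees with the known gateway MAC."""
        ip, mac = req["gateway_binding"]
        return ip == self.gateway[0] and mac.lower() != self.gateway[1]

    def process(self, req):
        host = req["host"]
        if host in self.blocklist:
            return {"host": host, "outcome": "dropped"}
        ad_flag = host not in self.ad_exempt and spacing_verdict(req["times"]) != "normal"
        attack = self.shadow_validate(req)
        if ad_flag and attack:
            outcome = "TP"
            self.blocklist.add(host)
        elif ad_flag and not attack:
            outcome = "FP"
            self.ad_exempt.add(host)   # feedback: stop alerting on this host's spacing
        elif not ad_flag and attack:
            outcome = "FN"
            self.blocklist.add(host)   # feedback: the filter learns what the AD missed
        else:
            outcome = "TN"
        rec = {"host": host, "ad_flag": ad_flag, "attack": attack,
               "denied": attack, "outcome": outcome}
        self.records.append(rec)
        return rec


def false_positive_rates(records):
    """1 - specificity over benign hosts, counted once on the AD's alerts alone and
    once on the requests actually denied after shadow validation."""
    benign = [r for r in records if r["outcome"] in ("TN", "FP")]
    n = len(benign)
    ad_fp = sum(1 for r in benign if r["ad_flag"])
    final_fp = sum(1 for r in benign if r["denied"])
    return {"ad_only": ad_fp / n if n else 0.0,
            "with_shadow": final_fp / n if n else 0.0}


def constructed_requests():
    """Constructed sample: the three authorized hosts of Sect. 5, two benign hosts
    with unusual spacing, and the attacker 192.168.38.212 poisoning the gateway binding."""
    def times(gap, n=6):
        return [i * gap for i in range(n)]
    ok = (GATEWAY_IP, GATEWAY_MAC)
    return [
        {"host": "192.168.38.27", "times": times(0.012), "gateway_binding": ok},
        {"host": "192.168.38.40", "times": times(0.013), "gateway_binding": ok},
        {"host": "192.168.38.65", "times": times(0.011), "gateway_binding": ok},
        # benign bulk transfer: spacing below the window, AD alerts, shadow clears it
        {"host": "192.168.38.80", "times": times(0.002), "gateway_binding": ok},
        # benign host on a slow link: spacing above the window, AD alerts, shadow clears it
        {"host": "192.168.38.81", "times": times(0.030), "gateway_binding": ok},
        # attacker: the extra hop inflates spacing and its ARP reply carries a foreign MAC
        {"host": "192.168.38.212", "times": times(0.040),
         "gateway_binding": (GATEWAY_IP, "de:ad:be:ef:00:01")},
    ]


def run_demo():
    pipeline = ShadowPipeline(GATEWAY_IP, GATEWAY_MAC)
    for req in constructed_requests():
        pipeline.process(req)
    return pipeline
```

In this run the AD alerts on two of the five benign hosts (false positive rate 0.4), the shadow clears both, and only the ARP-poisoning host is denied and added to the block list, so a repeat request from it is dropped at stage 1 without reaching the detectors.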

5 Implementation

Figure 4 shows the experimental setup, in which ettercap, wireshark and snort were used. The setup is a small wireless (home) network served by one authorized wireless router, ciscob. Three authorized hosts with IP addresses 192.168.38.27, 192.168.38.40 and 192.168.38.65 and one machine running all the required software, the shadow honeypot, are part of this network. An attacker with IP address 192.168.38.212 connects to the network through the wireless router and tries to breach its security.

Fig. 4 Home network

5.1 Filtering

The filtering component filters out unauthorized access points by comparing their MAC addresses against a white list. To build the list, the MAC addresses of the authorized APs are determined first. The paper considers a single authorized AP (the ciscob router) in the home network. The steps to determine its MAC address are:

  1. Find the default router (gateway IP address): $ /sbin/route

  2. This gives the router's IP address. For ciscob it is 192.168.38.254

  3. Look up the router's MAC address: $ arp -a

  4. The router's MAC address is 00.04.96.1e.56.e0

Any AP whose MAC address differs from this one is reported as a rogue access point. An AP that clones this MAC address passes the filter and has to be caught at the second stage.
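The four steps above turned into code, as an added Python example (not the paper's implementation): it parses constructed `route -n` and `arp -a` output in the common Linux format to obtain the gateway's MAC address, normalises the dotted MAC notation used on this page to colon form, and applies the stage-1 white-list check to a list of observed BSSIDs. The tool output and the rogue BSSID are constructed for the example.

```python
import re

# Constructed sample output of `/sbin/route -n` and `arp -a` on a Linux host
# (assumed format; not captured from the paper's network).
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.38.254  0.0.0.0         UG    0      0        0 wlan0
192.168.38.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
"""

ARP_OUTPUT = """\
? (192.168.38.254) at 00:04:96:1e:56:e0 [ether] on wlan0
? (192.168.38.27) at 08:00:27:aa:bb:01 [ether] on wlan0
? (192.168.38.40) at 08:00:27:aa:bb:02 [ether] on wlan0
"""

ARP_LINE_RE = re.compile(r"\(([\d.]+)\) at ([0-9a-fA-F:]{17})")


def default_gateway(route_text):
    """Gateway IP of the default route (destination 0.0.0.0) in `route -n` output."""
    for line in route_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "0.0.0.0":
            return fields[1]
    return None


def arp_table(arp_text):
    """Parse `arp -a` lines into {ip: mac} with lowercase colon-separated MACs."""
    return {m.group(1): m.group(2).lower() for m in ARP_LINE_RE.finditer(arp_text)}


def normalise_mac(mac):
    """Accept 00.04.96.1e.56.e0, 00-04-96-1e-56-e0 or 00:04:96:1e:56:e0 and
    return the colon form, so that notation differences cannot bypass the list."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_whitelist(route_text, arp_text):
    """Steps 1-4: default gateway IP, then its MAC from the ARP cache."""
    gateway = default_gateway(route_text)
    mac = arp_table(arp_text).get(gateway)
    return {normalise_mac(mac)} if mac else set()


def classify_aps(observed_bssids, whitelist):
    """Stage-1 filter: any BSSID not on the white list is flagged rogue."""
    result = {}
    for bssid in observed_bssids:
        mac = normalise_mac(bssid)
        result[mac] = "authorized" if mac in whitelist else "rogue"
    return result
```

Usage: `classify_aps(["00.04.96.1e.56.e0", "00:11:22:33:44:55"], build_whitelist(ROUTE_OUTPUT, ARP_OUTPUT))` marks the second BSSID as rogue. A phishing AP that copies the ciscob MAC address is classified as authorized here, which is why the page relies on the second stage for that case.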

5.2 Anomaly Detection System

A packet that passes the first phase (i.e. is not identified as coming from a rogue AP) enters this phase. It comes either from an authorized host or from an unauthorized one. A packet from a malicious user is filtered using ettercap, which displays the IP and MAC addresses of all hosts connected to the wireless network, as shown in Fig. 5. An attacker who is not using ARP spoofing is easily filtered out here.

Fig. 5 IP and MAC addresses of all hosts using ettercap

Referring to Figs. 4 and 5, all IP addresses other than 192.168.38.27, 192.168.38.40 and 192.168.38.65 are unauthorized and hence filtered out. An attacker using ARP spoofing, however, is not filtered here. To detect some attacks, wireshark is used to obtain the packets' arrival times. Since carrying out such attacks could harm the router, the paper instead measured the packet flow rate of the wired and of the wireless network. The packet flow rate of the wired network is higher than that of the wireless network because of the extra hop in the wireless network (see Figs. 7, 8). Figure 6 shows the packets captured with wireshark and their arrival times.

Fig. 6 Packet capturing using wireshark

Fig. 7 Packet flow rate for wired network

Fig. 8 Packet flow rate for wireless network

Figures 6 and 8 show the packet arrival times and the flow rate of the wireless network respectively. An MITM attack is signalled if the packet spacing is large, i.e. the flow rate is low. If the packet spacing is too small, i.e. the flow rate is too high, DoS, DDoS and Smurf-like attacks are signalled. With snort, more information about the packets was captured and alerts were generated from specified rules (see Fig. 9). The figure shows an alert that IP address 192.168.38.53 is accessing google from within the wireless network.

Fig. 9 Generating alerts using snort

5.3 Overview of TXL

The tool used to create the shadow of the normal application, the Tree Transformation Language (TXL) [19–21], is a rapid prototyping system and programming language for rule-based source-to-source transformation. The structure of the source to be transformed is described in an extended Backus–Naur Form (BNF) as an unrestricted, ambiguous context-free grammar, from which a structure parser is generated automatically. Below is a transformation rule that converts two mutually independent scalar assignments into a single vector assignment.

(Listing of the TXL transformation rule; reproduced as a figure in the original.)

The replace clause gives the pattern the rule searches for in the source text; the by clause gives the transformed result in the same style; the where clause states additional semantic constraints under which the rule may be applied.

5.3.1 The TXL Processor

Figure 10 shows that a TXL program consists of a grammar structure specification and transformation rules. The grammar structure specification defines the lexical and syntactic forms of the input, and the transformation rules specify the actual input-to-output source transformation. The TXL processor is a compiler and run-time system that converts one source program into another [22].

Fig. 10 The TXL processor

6 Experimental Evaluation

6.1 ARP Cache Poisoning Attack

ARP cache poisoning is a form of Man-in-the-Middle attack in which the attacker sends ARP_REPLY messages that bind an authorized host's IP address to the attacker's own MAC address. The attack was carried out with the IP addresses 192.168.39.22, 192.168.39.114 and 192.168.39.76, where 192.168.39.76 acts as an eavesdropper between the authorized hosts 192.168.39.22 and 192.168.39.114 (see Figs. 11, 12). All traffic between 192.168.39.22 and 192.168.39.114 is captured by 192.168.39.76. Figure 11 is a screenshot of the attacker's system showing the packets captured while 192.168.39.22 pinged 192.168.39.114.

Fig. 11 Captured packets during ARP spoofing attack using wireshark

At the second stage the ARP spoofing attack is detected using snort. Figure 12 shows the packets captured by snort. Since ping uses ICMP, the packets captured by snort are 34 ICMP packets.

Fig. 12 Captured packets during ARP spoofing attack using snort

Since the IP addresses 192.168.39.22, 192.168.39.114 and 192.168.39.76 are all authorized, ettercap could not detect the attacker. From the received ICMP packets, snort signalled an MITM attack. The request was then forwarded to the shadow honeypot for validation. The false positive rates calculated for both cases are given below.

The false positive rate is derived from the specificity. Specificity (also called the true negative rate) is the proportion of authorized users that are correctly identified as such.

$$\begin{aligned}
\textit{False Positive Rate} &= 1 - \textit{Specificity}\\
\textit{Specificity} &= \frac{\textit{Number of True Negatives}}{\textit{Number of True Negatives} + \textit{Number of False Positives}}\\
&= \frac{\textit{Normal User Identified as Normal}}{\textit{Normal User Identified as Normal} + \textit{Normal User Identified as Attacker}}
\end{aligned}$$

Case I: False positive rate using anomaly detection system:

With the ADS, the users with IP addresses 192.168.39.22 and 192.168.39.114 were identified correctly, and the IP address 192.168.39.76 was misclassified as an attacker.

$$\begin{aligned}
\textit{Specificity} &= \frac{5}{5 + 3} = 0.62\\
\textit{False Positive Rate} &= 1 - 0.62 = 0.38 = 38\,\%
\end{aligned}$$

In total, eight systems were on the network on which the ARP spoofing attack was performed; the paper mentions only three of them (192.168.39.22, 192.168.39.114 and 192.168.39.76).

Case II: False positive rate using shadow honeypot:

The proposed method improves overall performance by reducing the false positive rate. Because the system is tuned to be sensitive to attacks, the ADS misclassifies some legitimate users as attackers. The misclassified authorized users are then forwarded to the shadow honeypot, where they are handled carefully, thus lowering the false positive rate.

Suppose that with the proposed architecture the user with IP address 192.168.39.76, misclassified as an attacker by the ADS, is identified correctly by the shadow and handled by the production software.

$$\begin{aligned}
\textit{Specificity} &= \frac{6}{6 + 2} = 0.75\\
\textit{False Positive Rate} &= 1 - 0.75 = 0.25 = 25\,\%
\end{aligned}$$

Thus the false positive rate decreases.

6.2 DNS Spoofing Attack

DNS spoofing is another form of Man-in-the-Middle attack, in which a fake IP address is returned when answering a DNS request. When the requesting host browses to a website at IP address W.X.Y.Z, the request is instead directed to a fake site set up by the attacker at IP address A.B.C.D, allowing the attacker to steal the user's credentials.

The paper implemented this attack with two systems, 192.168.38.38 and 192.168.38.191. The system 192.168.38.191 acts as the attacker and 192.168.38.38 as the victim. The attacker uses ettercap to ARP-spoof the victim so that all traffic from the victim's machine passes through the attacker, and enables ettercap's dns_spoof plug-in on the attacker's machine. The attacker spoofs the DNS record of the microsoft website and redirects it to the attacker's own machine, so that whenever the victim browses to that site the request lands on the attacker's machine instead. This requires changes to the etter.dns file: Fig. 13 shows the modified etter.dns, in which the IP address for microsoft.com is replaced by the attacker's IP address.

Fig. 13 Adding a spoofed DNS record to etter.dns

After editing etter.dns, the attacker runs the command “ettercap -T -q -M arp -i eth0 -P dns_spoof // //” to activate DNS spoofing. When the victim's machine then browses to the microsoft website, it is redirected to the attacker's machine. Figure 14 shows the DNS spoofing in progress, with the victim's lookup answered with the attacker's IP address 192.168.38.191.

Fig. 14 Adding a spoofed DNS record to etter.dns

At the second stage Snort detects this type of attack with the following signature.

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|c0 0c 00 0c 00 01 00 00 00 3c 00 0f|"; classtype:bad-unknown; sid:253; rev:2;)

The signature matches a DNS response from port 53 whose header carries flags 0x8580 (response, authoritative answer, recursion desired and available) with exactly one question, one answer and no authority or additional records, and whose answer is a PTR record (type 0x000c, class IN) pointing back at the question name, with a TTL of 0x3c = 60 seconds (1 minute) and a 15-byte RDATA. Responses of this shape are what DNS spoofing tools forge, so the rule detects such cache poisoning attempts; note that the TTL it keys on is short, not large.
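To make the two content patterns concrete, here is an added Python example (not from the paper) that builds a minimal DNS PTR response byte by byte, implements the rule's content matching (each `content` without relative modifiers simply has to occur somewhere in the payload), and decodes the answer TTL the second pattern pins to 60 seconds. The transaction ID, query name and the PTR target `evil.ns.local` are constructed; the name was chosen because it encodes to exactly the 15 bytes the rule's RDLENGTH requires.

```python
import struct

# Byte patterns from the Snort rule sid:253 quoted above.
HDR_PATTERN = bytes.fromhex("85800001000100000000")       # flags 0x8580, QD=1, AN=1, NS=0, AR=0
ANS_PATTERN = bytes.fromhex("c00c000c00010000003c000f")   # ptr to qname, PTR, IN, TTL=60, RDLENGTH=15


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_ptr_response(txid, qname, ptr_name, ttl, flags=0x8580):
    """Minimal DNS response: 12-byte header, one PTR question, one answer whose
    NAME is the compression pointer 0xc00c to the question name at offset 12."""
    rdata = encode_name(ptr_name)
    header = struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 12, 1)            # QTYPE=PTR, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 12, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def matches_sid253(payload):
    """Snort content matches with no distance/within modifiers: both patterns
    must be present anywhere in the payload."""
    return HDR_PATTERN in payload and ANS_PATTERN in payload


def answer_ttl(payload):
    """Skip the header and the question section, then read the TTL of the first
    answer (assumes the answer NAME is a 2-byte compression pointer)."""
    qdcount = struct.unpack(">H", payload[4:6])[0]
    pos = 12
    for _ in range(qdcount):
        while payload[pos] != 0:             # walk the labels of the question name
            pos += 1 + payload[pos]
        pos += 1 + 4                         # terminator, QTYPE, QCLASS
    # answer: NAME pointer (2), TYPE (2), CLASS (2), TTL (4)
    return struct.unpack(">I", payload[pos + 6:pos + 10])[0]


def demo():
    """Constructed spoofed response (TTL 60 s) and a normal one (TTL 1 h)."""
    qname = "191.38.168.192.in-addr.arpa"
    spoofed = build_ptr_response(0x1234, qname, "evil.ns.local", ttl=60)
    normal = build_ptr_response(0x1234, qname, "evil.ns.local", ttl=3600)
    return {"spoofed_alert": matches_sid253(spoofed), "spoofed_ttl": answer_ttl(spoofed),
            "normal_alert": matches_sid253(normal), "normal_ttl": answer_ttl(normal)}
```

Changing any single field the patterns fix (the TTL, the RDATA length, an NSCOUNT of 1 for an authority record) makes the rule miss the response, which is the usual trade-off of an exact-bytes signature: very few false positives on legitimate traffic, but easy for an attacker to sidestep.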

The request is then sent to the third stage, the shadow honeypot, for further analysis. The paper performed DNS spoofing for three websites, microsoft.com, facebook.com and google.com; after six sites (microsoft, facebook, google, yahoo, youtube and rediff) had been accessed, the IDS raised alerts for five of them, the system being tuned to be sensitive to attacks. The honeypot confirmed a fake IP address for four sites and reported a false positive for one. The shadow honeypot's result is fed back to the ADS and the filtering component to prevent future attacks. The false positive rates calculated for both cases with the formula above are:

$$\begin{aligned}
\textit{False Positive Rate without Shadow Honeypot} &= 0.67 \; (67\,\%)\\
\textit{False Positive Rate with Shadow Honeypot} &= 0.34 \; (34\,\%)
\end{aligned}$$

The result shows the reduction in the false positive rate.

6.3 Payload Sifting

Payload sifting [12, 18] identifies content shared by the payloads of several packets heading to many different destination hosts and treats it as the fingerprint of a rapidly spreading worm. The generated fingerprints are disseminated to the shadow honeypot, which matches network traffic against them. The pseudocode is given below:

(Pseudocode of payload sifting; reproduced as a figure in the original.)

Figure 15 shows the false positives as the destination threshold is varied. Raising the threshold means more instances are required before an attack is reported: as the destination threshold increases, detection delay grows and false positives fall.
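A streaming implementation of payload sifting, added here as a Python example and not the paper's pseudocode: every k-byte window of a payload is tracked with the set of destinations it has been sent to, a window becomes a fingerprint when it has reached the destination threshold, and a sweep over thresholds reports the two quantities Fig. 15 plots, the number of benign-only fingerprints (false positives) and the packet index at which the first worm fingerprint fires (detection delay). The traffic is constructed: the same page fetched by three clients, a worm probe sprayed at six hosts, and unrelated packets in between; a sliding window stands in for the Rabin fingerprints used by the original heuristic.

```python
from collections import defaultdict

# Constructed traffic. The worm payload carries a short NOP run and a few
# shellcode-like bytes; the benign page is the same HTTP request from three clients.
WORM = b"GET /cgi-bin/x " + b"\x90" * 20 + bytes.fromhex("eb1f5e897608") + b" HTTP/1.0\r\n\r\n"
PAGE = b"GET /index.html HTTP/1.1\r\nHost: www.rediff.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"


def sample_traffic():
    """Returns (packets, labels): packets are (destination, payload); labels are the
    ground truth used only to score the result, never by the sifter itself."""
    packets, labels = [], []
    for i in range(3):                       # one popular page fetched by three clients
        packets.append(("192.168.38.%d" % (27 + i), PAGE))
        labels.append("benign")
    for i in range(6):                       # worm probes interleaved with unrelated traffic
        packets.append(("10.0.0.%d" % (i + 1), WORM))
        labels.append("worm")
        packets.append(("192.168.38.%d" % (100 + i), b"ACK seq=%d ts=%d\r\n" % (i * 1000, i * 31)))
        labels.append("benign")
    return packets, labels


def substrings(payload, k):
    """All k-byte windows of a payload (sliding window in place of Rabin fingerprints)."""
    return {payload[i:i + k] for i in range(len(payload) - k + 1)}


def sift(packets, k, dest_threshold):
    """Streaming payload sifting: {substring: index of the packet at which it had
    been seen heading to dest_threshold distinct destinations}."""
    dests = defaultdict(set)
    flagged = {}
    for idx, (dst, payload) in enumerate(packets):
        for s in substrings(payload, k):
            dests[s].add(dst)
            if s not in flagged and len(dests[s]) >= dest_threshold:
                flagged[s] = idx
    return flagged


def score(packets, labels, k, dest_threshold):
    """False positives = fingerprints that occur in no worm packet;
    detection delay = index of the packet at which the first worm fingerprint fired."""
    flagged = sift(packets, k, dest_threshold)
    worm_payloads = [p for (_, p), lab in zip(packets, labels) if lab == "worm"]
    is_worm = {s: any(s in p for p in worm_payloads) for s in flagged}
    worm_hits = [idx for s, idx in flagged.items() if is_worm[s]]
    return {
        "fingerprints": len(flagged),
        "false_positives": sum(1 for s in flagged if not is_worm[s]),
        "detection_delay": min(worm_hits) if worm_hits else None,
    }


def sweep(thresholds, k=16):
    """The experiment behind Fig. 15: false positives and delay per destination threshold."""
    packets, labels = sample_traffic()
    return {t: score(packets, labels, k, t) for t in thresholds}
```

With `sweep([2, 3, 4, 6, 7])`, thresholds 2 and 3 flag the shared page content as well as the worm, threshold 4 flags only the worm but not before its fourth victim, and threshold 7 never fires because the probe reached only six destinations: the delay/false-positive trade-off the figure describes.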

Fig. 15 False positive for payload sifting

6.4 Buffer Overflow Attack

A long sequence of valid instructions in network traffic signals a buffer overflow attack. Because such sequences can also occur in legitimate data, the shadow honeypot is used for validation [12, 23]. The attacker's payload has the form [NOP sled][shellcode][return address]. Snort looks for the sled in the network traffic; to reduce the false positive rate, the packet is forwarded to the shadow honeypot. Below is the shadow code for the buffer overflow case; whether the shadow code or the normal code executes is decided by the shadow_enable() macro, which simply checks the state of a shared-memory variable.

(Shadow code for the buffer overflow case; reproduced as a figure in the original.)

Figure 16 shows the effect of the number of sled instructions required for an alert on the false positive rate: the false positive rate decreases as that number increases.
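The sled heuristic and the validation step behind Fig. 16, as an added Python example that is not the paper's shadow code: the anomaly detector measures the longest run of bytes that all decode as single-byte x86 filler instructions, and a stand-in for the instrumented shadow copy (an assumption: a handler with a 64-byte stack buffer that reports an attack exactly when the input overruns it) decides which alerts were false positives. A sweep over the required sled length shows false positives falling while a too-large requirement starts missing the exploit. The benign inputs, the buffer size and the exploit layout are constructed; the shellcode bytes are the classic Linux x86 execve("/bin/sh") stub.

```python
# One-byte x86 (32-bit) instructions usable as sled filler: inc/dec reg and push/pop reg
# (0x40-0x5f, which is also ASCII '@'..'_'), nop, xchg eax,reg, cwde, cdq, fwait, cmc,
# clc, stc, cld, std. Constructed set for the example.
SLED_BYTES = set(range(0x40, 0x60)) | {0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
                                        0x98, 0x99, 0x9b, 0xf5, 0xf8, 0xf9, 0xfc, 0xfd}

# Assumed size of the stack buffer in the hypothetical vulnerable handler.
BUFFER_SIZE = 64

SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")   # 23 bytes
EXPLOIT = b"\x90" * 48 + SHELLCODE + b"\x10\xf0\xff\xbf" * 4                  # 87 bytes > BUFFER_SIZE

# Constructed benign inputs; capital letters are valid one-byte opcodes, so the
# second and third look like sleds to the detector but never overflow anything.
BENIGN = [
    b"GET /index.html HTTP/1.1\r\n",
    b"token=ABCDEFGHIJKLMNOPQRSTUVWXYZ",   # run of 26 filler bytes
    b"id=AAAAAAAAAAAAAAAA",                # run of 16 filler bytes (0x41 = inc ecx)
]
SAMPLE_PAYLOADS = BENIGN + [EXPLOIT]


def longest_sled(payload, sled_bytes=SLED_BYTES):
    """Length of the longest run of bytes that all decode as filler instructions."""
    best = run = 0
    for b in payload:
        run = run + 1 if b in sled_bytes else 0
        best = max(best, run)
    return best


def shadow_detects_overflow(payload, buffer_size=BUFFER_SIZE):
    """Stand-in for the instrumented shadow copy (assumption): the instrumented
    handler reports an attack exactly when the input overruns its buffer."""
    return len(payload) > buffer_size


def sweep(payloads, min_sleds, buffer_size=BUFFER_SIZE):
    """For each required sled length: AD alerts, false positives (alerts the shadow
    clears) and missed overflows (attacks the AD never flagged)."""
    results = []
    for k in min_sleds:
        alerts = false_positives = missed = 0
        for payload in payloads:
            flagged = longest_sled(payload) >= k
            attack = shadow_detects_overflow(payload, buffer_size)
            alerts += int(flagged)
            false_positives += int(flagged and not attack)
            missed += int(attack and not flagged)
        results.append({"min_sled": k, "alerts": alerts,
                        "false_positives": false_positives, "missed": missed})
    return results
```

Running `sweep(SAMPLE_PAYLOADS, [8, 16, 24, 32, 48, 64])` gives two false positives at 8 and 16 required sled bytes, one at 24, none from 32 upwards, and a missed exploit once 64 bytes are required; the shadow is what lets the detector sit at the sensitive end of that range without denying the benign requests.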

Fig. 16 False positive for buffer overflow attack

6.5 Denial-of-Service, Distributed Denial-of-Service, Smurf Attacks

If the inter-packet spacing is too small, the ADS signals these attacks. Packet spacing may also be small for non-malicious data; to reduce false positive alerts and handle such requests carefully, the shadow honeypot is used. The pseudocode is given below:

(Pseudocode for the DoS/DDoS/Smurf case; reproduced as a figure in the original.)

A request misclassified as malicious by the ADS is handled carefully, so the false positive rate decreases.

Table 1 lists the attacks, the duration for which each attack was run, the time the shadow honeypot took to detect it, and the false positives in both cases: without and with the shadow honeypot.

Table 1 Attacks with their false positives in both cases

7 Conclusion

Over the past several years, the installation of wireless LANs (802.11) in military and other organizations has increased tremendously. Securing such networks requires detecting and preventing the installation of rogue access points. This paper has proposed a novel hybrid approach that combines the best features of today's honeypots and anomaly detection systems. The system improves performance by minimizing the false positive rate, because all activity misclassified as malicious by the anomaly detection sensors is handled carefully by the production software, transparently to the end users. Several anomaly detectors analyse the traffic directed towards the protected network, and despite this the system can sustain the overall workload of the honeypots.

Future work will enhance performance by detecting more attacks at the second stage and by implementing multiple shadow honeypots to present attackers with a realistic system environment.