This document summarizes a survey of recent methods for detecting evil twin access points in wireless local area networks (WLANs). It describes the background and challenges of evil twin attacks, where attackers create rogue access points that mimic authorized ones to steal user information. The document categorizes detection methods as network admin-side or client-side solutions. It reviews several specific detection techniques, such as those based on timing analysis, received signal strength, or separating one-hop from two-hop wireless connections. Finally, it discusses issues like the difficulty of completely detecting evil twins and challenges with wireless-only versus wired-side detection approaches.

1. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-
6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME
493
A SURVEY ON EVIL TWIN DETECTION METHODS FOR WIRELESS
LOCAL AREA NETWORK
Sachin R. Sonawane1
, Sandeep Vanjale2
, Dr.P.B.Mane 3
1
(MTECH COMPUTER, BVDUCOE, Pune, Maharashtra, India)
2
(Professor, PhD Student, BVDUCOE, Pune, Maharashtra, India)
3
(Professor, AISSMS IOIT, Pune, Maharashtra, India)
ABSTRACT
Wireless access points are today popularly used for the convenience of mobile users.
The growing acceptance of wireless local area networks (WLAN) presented different risks of
wireless security attacks. The presence of Evil access points is one of the most challenging
network security concerns for network administrators. Evil access points, if undetected, can
steal sensitive information on the network. Most of the current solutions to detect Evil access
points are not automated and are dependent on a specific wireless technology. Evil access
point is one of the serious threat in wireless local area network. In this paper we have
presented survey on recent different Evil Twin access point detection solutions.
Keywords: RAP, WLAN, RSSI
1. INTRODUCTION
WLAN Security technology has major use in many fields. Wireless LAN has a wide
range of applications due to its flexibility and easy access. The use of public Wi-Fi has
reached at a level that is difficult to avoid. According to the poll conducted by Kaspersky’s
global facebook pages 32 percent of the more than 1600 respondents said that they are using
public Wi-Fi regardless of the security concerned. The Kaspersky [1] study also discovered
that about 70% of Tablet and 53% of the mobile phone users using free public Wi-Fi hotpots
to go online. According to the JiWire report in past year,[2] total Wi-Fi usage has been
doubled, increasing by more than 240% since Q2,2011.it also specify that this rise is being
due to the mobile devices and laptops account for just 48% of the connected devices. Based
on the above two survey results, greater educational awareness is needed. Public Wi-Fi
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING
& TECHNOLOGY (IJCET)
ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 4, Issue 2, March – April (2013), pp. 493-499
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI)
www.jifactor.com
IJCET
© I A E M E

2. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-
6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME
494
networks like at coffee shop, airport, etc., are open for users as well as for attackers, who are
looking for sensitive user data. Attackers can create Evil Twin access point in such places to
hack such data. Evil Twin access point is one of the most serious threats in WLAN.
2. BACKGROUND
2.1 Wireless Local Area Network
Wireless Local Area Networks are nowadays are the easiest solution for the
interconnection of various mobile devices like Tablets, Mobile Phones, PDAs, etc. As
Wireless arena is growing rapidly users find it very convenient to use these devices to check
mail, browse internet, etc. Such free services are available to the users through Wireless
networks present at the public places like Coffee Shop, Airport, etc.
There are two types of Wireless networks: In the first the common network topology
is that, where each node can reach to other node using radio relay systems having a big range.
this topology doesn’t use routing protocols. In Second network topology deploy radio relay
systems as first one but each node in this has limited range so one node is using other node to
reach another node which is beyond transmission range.
2.2 Evil Twin Attack in Wireless Network
Various security mechanisms are necessary in order to avoid threats against Wireless
Networks. Different threats are present on the Wireless Network; one of such serious threat is
Evil Twin Access Point
An Evil Twin attack is clean to set as illustrated in Fig. 1, an attacker can easily set
Evil access point to copy the authorized access point used in public Wi-Fi area, these area
could be coffee shop, airtoprt...etc.They can set up Evil access point near to the victims, the
Evil access point then can attack the victim’s wireless connection by using different methods
to force victim to change the connection. Generally Evil AP uses stronger wireless signal
then the authorized AP within the range. So user’s laptop or other device automatically
connect to the AP with highest RSSI.Once user is connected to the Evil AP,by capturing
network packets between Evil AP and the authorize AP the attacker can provide internet
access and can stole sensitive information like passwords, ATM pin..etc. In this way Evil AP
works as an “Evil Twin” AP between victim and the authorize AP. the attacker can introduce
more serious attacks like phishing. In short, Evil Twin attack is a serious threat to the WLAN
Security.
Figure 1. evil twin attack

3. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-
6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME
495
2.3 Classification of Evil Twin Methods
Most of the existing Evil Twin detection methods today are classified into two
categories.
First is Network Admin-side solution, it is further sub-classified into two sub-
categories. In the first sub-category [3],[4],[5] approach, it monitors radio frequency airwaves
after that it collects some information at router/switches and finally compare this obtained
information with a known authorized list. In the second sub-category [6],[7] approach, it
monitor network traffic present at the wired side after that decide whether machine using
wireless or wired connection and at the end the obtained information is compared with an
authorization list to find if the related AP is Evil Twin or not.
Second category solutions [8],[9] are Client or User side solutions. Such client
approaches doesn’t require authorization list to compare the result. Instead it is allowing user
to detect presence of a Evil Twin Access point in the network and provides a mean to avoid
it.
2.4 Components of Evil Twin Detection Methods
Most of the Evil Twin detection methods has the following components:
i) Listening Component:
This component is used for monitoring of local events like packet sending packet
receiving packet, checking RSSI level...Etc.
ii) Answering Component:
This is used in case, if Evil Twin AP is detected in the wireless network. It uses
different alarm mechanisms to alert the network administrator about the Evil Twin attack.
iii) Storage Component:
This component is used to store some standard threshold values, which will be used
for the comparison with the obtain values to detect Evil Twin attack. This component
sometime also store the training set data, different levels of RSSI from all APs present in the
network....Etc.
2.5 Factors Affecting Evil Twin Access Point Detection
Different Evil Twin detection methods have unlike factors which are affecting the
accuracy of the attack detection. Some of such factors are:
i) Wireless Traffic:
The performance of the network can be analysed by the network traffic measurement.
The network traffic presented in wireless environment may sometimes lead to the false or
inaccurate result of Evil Twin detection.[10] Some methods assume the wireless traffic
between the user and the AP and set the Evil Twin AP to use the most favourable conditions
to avoid detection. They are using idle traffic and good quality of signal.
ii) APs Workload:
The network load present [10] at the AP may also affect the accuracy of the Evil Twin
detection. The APs workload is based on utilization of APs queue.
iii) Dependency on Training Data:
In Some methods Evil Twin detection is is dependent on the training data. In such
methods the training data is used for the comparison with the obtained results and based on
the comparison, Evil Twin attack is detected.
iv) RSSI Level :

4. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-
6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME
496
In Some methods [11] ,detection of Evil Twin attack is checked under different RSSI
levels of access point. So variations in RSSI level may also show variations in the result of
Evil Twin detection.
v) Techniques used for Detection of Evil Twin:
Different methods used various techniques for the detection of Evil Twin attack.
Some of such techniques are Clock Skew, RSSI Level,etc.These different parameters have
different rate of success for Evil Twin detection.
3. RELATED WORK
The threat of Evil Twin AP have attracted both industrial and academic researchers to
work on these problem. There are some methods which focused on this problem.
Hao Han and his colleagues used timing based scheme for Evil AP detection,[10] in
that they have practical timing based scheme for the user to avoid connecting to Evil AP. In
their detection method they have used timing information based on the round trip time. Idea
is to user probe a server in local area network and after that measure the RTT from the
response, this process is repeated number of times and all RTTs are recorded. If the mean
value of RTTs is larger than a fixed threshold, they consider the associated AP as a Evil AP.
They have consider four factors that have influence on timing RTT which are Data
transmission rate, Location of DNS server, Wireless traffic and APs workload. They have
tested accuracy of their technique considering different scenarios for these four factors.
Taebeom Kim and his colleagues used received signal strengths for detection of fake
access point [11], in this they measures correlated RSS sequences from nearby APs in order
to determine whether the sequences are legitimate or fake. This method works in three
phases. In phase one they are collecting RSS from nearby AP,In Second Phase they are doing
normalization of collected RSSs,it estimates some missed RSSs,caused by some external
factors and normalizes the estimated RSSs for generalization of a variety of wireless
environments. In third phase they are determining which RSSs are highly correlated to others
based on some empirical threshold value. They define that highly correlated RSS sequences
as fake signals from a single device.
Qu and Nefcy presented new indirect Evil Twin access point detection system.[12]
They analyzed local round trip time(LRTT) data and designed a method with several
algorithms for discovering wireless hosts effectively.Their work starts from passively
scanning or monitoring network traffic to host discovery and detecting Client-side solution
for Evil Twin access point.
Roth et al, presented a simple assurance mechanisms that help the users or clients to
detect an Evil Twin in public Internet networks.[13] This method gives short authentication
string protocols for tradeing cryptographic keys.The small string proof is executed using
encoding the short strings as a sequence of colors,carried out sequentially by the user’s
device, and by the particular access point.
Chao Yang and his colleagues have used Statistical technique based on TCP packets
to compute their IAT to detect Evil Twin AP [8]. if client is connected to remote server
through Evil Twin AP and a normal AP that is two hop wireless channel, so this gives the
idea to detect Evil Twin attacks by separating one-hop and two-hop wireless channels from
the user to the remote server. In this they have used two algorithms, first is Trained Mean
Matching, in this they are using training technique to detect Evil Twin attack. The second
algorithm is Hop Differentiating Technique; it is a non-training-based detection algorithm in

5. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-
6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME
497
which they are using particular theoretical value for the threshold to detect Evil Twin attack.
They have tested this method under different RSSI levels for the accuracy of the detection of
Evil Twin AP.
Monitoring RF waves and IP traffic are two broad classes of approaches to detecting
Evil APs. Most existing commercial products take the first approach they either manually
scan the RF waves using sniffers (e.g., AirMagnet, NetStumbler [3]) or automate the process
using sensors. Automatic scanning using sensors is less time consuming than manual
scanning and provides a continuous vigilance to Evil APs. However, it may require a large
number of sensors for good coverage, which leads to a high deployment cost. Furthermore,
since it depends on signatures of APs (e.g., MAC address, SSID, etc.), it becomes ineffective
when a Evil AP spoofs signatures. Three recent research efforts [3, 4, 5] also use RF sensing
to detect Evil APs. In [16], wireless clients are instrumented to collect information about
nearby APs and send the information to a centralized server for Evil AP detection. This
approach is not resilient to spoofing. Secondly, it assumes that Evil access points use standard
beacon messages in IEEE 802.11 and respond to probes from the clients, which may not hold
in practice. Last, all unknown APs (including those in the vicinity networks) are flagged as
Evil APs, which may lead to a large number of false positives. The main idea of [14] is to
enable dense RF monitoring through wireless devices attached to desktop machines. This
study improves upon [6] by providing more accurate and comprehensive Evil AP detection.
However, it relies on proper operation of a large number of wireless devices, which can be
difficult to manage. In contrast, our approach only requires a single monitoring point, and is
easy to manage and maintain. The studies of [14,16] detect Evil APs by monitoring IP traffic.
The authors of [15] demonstrated from experiments in a local test bed that wired and wireless
connections can be separated by visually inspecting the timing in the packet traces of traffic
generated by the clients. The settings of their experiments are very restrictive. Furthermore,
the visual inspection method cannot be carried out automatically. The technique in [16]
requires segmenting large packets into smaller ones, and hence is not a passive approach.
There are several prior studies on determining connection types. However, none of them
provides a passive online technique, required for our scenario. The work of [17] uses RTT
method to detect presence of wireless device but RTT may change due to delays in the
network. In other studies, differentiating connection types is based on active measurements
[17] or certain assumptions about wireless links (such as very low bandwidth and high loss
rates) [15], which do not apply to our scenario.
4. ISSUES AND CHALLENGES
The effects of Evil Twin access points are present on both wired and wireless side of
the network. The most of the research work carried out is based on data source from audit
trails, system calls and network traffic. There are two groups working on this problem of Evil
Twin detection in different directions. First group is of Industry solutions focusing on
wireless only, Second group is of academic researchers focused on wired side.
The Successful wireless-side methods [] use sensors in the entire network to collect
physical-layer and link-layer information to help detect and locate Evil Twin AP in a
distributed architecture. Though largely used across many enterprises WLAN, such sensors
based sniffing method is costly. Again wireless method is not generally scalable because it
includes considerable infrastructural commitment and is costly alternative for huge networks.
Beyond that wireless sniffing may failed in certain cases first if Evil Twin AP doesn’t show

6. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-
6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME
498
itself by pausing beacon frames, may operate with less signal strength, and may use
nonstandard protocols. In the second case sometimes the attacker can even use directional
antenna to focus on small area to avoid detection.
Wired-side solutions abuse dissimilarities in network traffic chacteristics to infer
wireless traffic. They are using policy-based access control to detect if discovered APs are
authorized or not. Some solutions are sometime efficient, but as they differentiate network
traffic as wireless mainly on the basis of network statistics that shows bigger delay then that
from wired networks. These wired solutions also consider that sample wireless network
traffic is available for comparison which means network has an AP. However there are many
networks which are not wireless. Sometime attacker may aware of Evil Twin defences and
may use different techniques to avoid wired-side detection.
Hybrid Approach is good for the detection of Evil Twin but sometimes attacker may
easily get away from the Hybrid apporach’s wired-side components.So, we still have no
technique to completely detect Evil Twin access point.
5. CONCLUSION
The Evil Twin detection system has been a major research area as the popularity of
Wireless Local Area Network increasing day by day. The Widespread use of Wireless
networks at public places like coffeeshops, airports..Etc increases the threat of Evil Twin
attack.
In this Paper, We Surveyed different recent Evil Twin detection methods or solutions
presented by researchers. We have given weaknesses of particular solution, depth of accuracy
of various solutions, Factors affecting the detection of such methods...etc.So, as the era of
Wireless Environment is growing faster, we need more general solution against one of the
serious threat of Evil Twin attack.
REFERENCES
[1] http://blog.kaspersky.com/do-you-use-free-wifi-hotspots-a-survey.
[2] public wi-fi useage survey,2012 Identity Theft Resource Center.
[3] Netstumbler. http://www.netstumbler.com
[4] Wavelink, http://www.wavelink.com
[5] The Airwave Project,http://www.airwave.com
[6] W.wei,S.Jaiswal,J.Kurose and D.Towsley,Identifying 802.11 traffic from passive
measurments using iterative Bayesian inference in Proc. IEEE INFOCOM 06,2006.
[7] L.Watkins,R.Beyah, and C. Corbett, Apassive apporach to rogue access point detection,
in Proc. IEEE INFOCOM 06,2006.
[8] Active User-side Evil Twin Access Point Detection Using Statistical Techniques Chao
Yang, Yimin Song, and Guofei Gu, Member, IEEE.
[9] A Novel Approach for Rogue Access Point Detection on the Client-Side. Somayeh
Nikbakhsh, Azizah Bt Abdul Manaf, Mazdak Zamani, Maziar Janbeglou
[10] A Timing-Based Scheme for Rogue AP Detection. Hao Han, Bo Sheng, Member, IEEE,
Chiu C. Tan, Member, IEEE, Qun Li, Member, IEEE, and Sanglu Lu Member,IEEE.
[11] Online Detection of Fake Access Points using Received Signal Strengths.Taebeom Kim,
Haemin Park, Hyunchul Jung, and Heejo Lee

7. International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-
6367(Print), ISSN 0976 – 6375(Online) Volume 4, Issue 2, March – April (2013), © IAEME
499
[12] Qu, G. And Nefey M.M.(2010).RAPid.An indirect Rogue Access point Detection
System,IEEE 978-1-4244-9328-9/10
[13] Roth, V., Polak, W., Rieffel, E. and Turner, T., (2008). Simple and effective defense
against Evil Twin Access Points. WiSec’08, March 31–April 2, 2008, Alexandria, Virginia,
USA.
[14] C. Mano, A. Blaich, Q. Liao, Y. Jiang, D. Salyers, D. Cieslak, and A. Striegel. RIPPS:
Evil identifying packet payload slicer detecting unauthorized wireless hosts through network
traffic conditioning. ACM Transactions on Information Systems and Security.
[15] W. Wei, B. Wang, C. Zhang, J. Kurose, and D. Towsley. Classification of access
network types: Ethernet, wireless LAN, ADSL, cable modem or dialup? In Proc. IEEE
INFOCOM, March 2005
[16] V. Baiamonte, K. Papagiannaki, and G. Iannaccone. Detecting 802.11 wireless hosts
from remote passive observations. In Proc. IFIP/TC6 Networking, Atlanta,
[17] W. Wei, S. Jaiswal, J. Kurose, and D. Towsley. Identifying 802.11 traffic from passive
measurements using iterative Bayesian inference. In Proc. IEEE INFOCOM, 2006.
[18] H. Yin, G. Chen, and J. Wang. Detecting Protected Layer-3 Evil APs. In Proceedings of
the Fourth IEEE International Conference on Broadband Communications, Networks, and
Systems (BROADNETS), Raleigh, NC, September 2007.
[19] Gaogang XIE, Tingting HE, Guangxing ZHANG Evil Access Point Detection Using
Segmental TCP Jitter
[20] Rogue-Access-Point Detection, Challenges, Solutions, and Future Directions, Raheem
Beyah Georgia Tech, Aravind Venkataraman Cigital.
[21] Ajay M. Patel, Dr. A. R. Patel and Ms. Hiral R. Patel, “A Comparative Analysis of Data
Mining Tools for Performance Mapping of WLAN Data”, International Journal of Computer
Engineering & Technology (IJCET), Volume 4, Issue 2, 2013, pp. 241 - 251, ISSN Print:
0976 – 6367, ISSN Online: 0976 – 6375.
[21] S. B. Patil, S. M. Deshmukh, Dr. Preeti Patil and Nitin Chavan, “Intrusion Detection
Probability Identification in Homogeneous System of Wireless Sensor Network”,
International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2,
2012, pp. 12 - 18, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375.
[22] Neeraj Tiwari, Rahul Anshumali and Prabal Pratap Singh, “Wireless Sensor Networks:
Limitation, Layerwise Security Threats, Intruder Detection”, International Journal of
Electronics and Communication Engineering &Technology (IJECET), Volume 3, Issue 2,
2012, pp. 22 - 31, ISSN Print: 0976- 6464, ISSN Online: 0976 –6472.