On the detection of Channel Switch Announcement Attack in 802.11 networks

“…However, upon considering the above attack and benign traffic CSA scenarios, we set the threshold (TH4) to 1 CSA frame to identify potential fake CSA attacks and provide a warning sign for possible MC-MitM-IV attacks. Furthermore, to verify the occurrence of CSAs, DFS detectors can be used [18]. Such detectors recognize radar pulses that require advanced device setup and increase the cost of attack detection.…”

“…However, checking beacons only on the legitimate channel is not always beneficial because there are valid reasons for an AP to switch to different channels. For example, switching the channel is essential to avoid interference from radar noise in particular channels and is a dynamic action in modern routers enabled with the Dynamic Frequency Selection (DFS) feature [18]. Furthermore, the MC-MitM attacker can use a special kind of constant jamming or reactive jamming by using cheap off-theshelf Wi-Fi dongles in order to establish the MitM position, which is relatively hard to detect by existing intrusion detection systems [6], [19].…”

“…Recently, Louca et al [18] proposed a defense mechanism that verifies whether a channel switch announcement is fake or not by using a DFS detector that identifies the presence of radar pulses. However, the proposed mechanism requires advanced Software Defined Radio (SDR) devices to detect radar pulses.…”

“…Typically, CSAs arrive with beacons or probe responses when the AP changes its channel due to the reception of radar pulses after booting up. With the DFS feature, the AP uses specific 5 GHz channels reserved for certain high-priority radar signals used for military, satellite communication, and meteorological purposes [7], [18], [47]. That is, when the AP detects any of the above-mentioned high-frequency radar signals, it sends a CSA to all of its associated clients in order to switch to different, less noisy 5 GHz channels to minimize interruptions in communications.…”

A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-The-Middle Attacks Against Protected Wi-Fi Networks

“…However, upon considering the above attack and benign traffic CSA scenarios, we set the threshold (TH4) to 1 CSA frame to identify potential fake CSA attacks and provide a warning sign for possible MC-MitM-IV attacks. Furthermore, to verify the occurrence of CSAs, DFS detectors can be used [18]. Such detectors recognize radar pulses that require advanced device setup and increase the cost of attack detection.…”

“…However, checking beacons only on the legitimate channel is not always beneficial because there are valid reasons for an AP to switch to different channels. For example, switching the channel is essential to avoid interference from radar noise in particular channels and is a dynamic action in modern routers enabled with the Dynamic Frequency Selection (DFS) feature [18]. Furthermore, the MC-MitM attacker can use a special kind of constant jamming or reactive jamming by using cheap off-theshelf Wi-Fi dongles in order to establish the MitM position, which is relatively hard to detect by existing intrusion detection systems [6], [19].…”

“…Recently, Louca et al [18] proposed a defense mechanism that verifies whether a channel switch announcement is fake or not by using a DFS detector that identifies the presence of radar pulses. However, the proposed mechanism requires advanced Software Defined Radio (SDR) devices to detect radar pulses.…”

“…Typically, CSAs arrive with beacons or probe responses when the AP changes its channel due to the reception of radar pulses after booting up. With the DFS feature, the AP uses specific 5 GHz channels reserved for certain high-priority radar signals used for military, satellite communication, and meteorological purposes [7], [18], [47]. That is, when the AP detects any of the above-mentioned high-frequency radar signals, it sends a CSA to all of its associated clients in order to switch to different, less noisy 5 GHz channels to minimize interruptions in communications.…”

A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-The-Middle Attacks Against Protected Wi-Fi Networks

“…However, checking beacons only on the legitimate channel is not always beneficial because there are valid reasons for an AP to switch to different channels. For example, channel switching is essential to avoid interference from radar noise on certain channels, and is a dynamic action in modern routers enabled by the Dynamic Frequency Selection (DFS) feature [18]. Furthermore, the MC-MitM attacker can use a special kind of constant jamming or reactive jamming by using cheap off-the-shelf Wi-Fi dongles in order to establish the MitM position, which is relatively hard to detect by existing intrusion detection systems [6], [19].…”

A Signature-Based Wireless Intrusion Detection System Framework for Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks

Multi-channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks and Their Attack Signatures