User-side evil twin attack detection using time-delay statistics of TCP connection termination

Abstract

Open wireless network services are now freely shared in the most of the public areas but have barely protection about communication data between the web server and the client-side. Evil Twin Attack (ETA) appears to be a legitimate Wi-Fi Access Point (AP) and becomes a common attack in smart home environments where attackers can compromise the security of the connected devices. By setting up a rogue access point, deceiving users into establishing the network connection with the same SSID as the legitimate one, the attacker can launch the man-in-the-middle attack and steal some private information. To identify the fake APs, this paper presents an improved and practical client-side detection method to mathematically detect the ETA by observing the time-delay of TCP connection termination between the client and the server. This proposed time-delay model is further experimented and measured from the following three date-time intervals: Initial Ending, Ending Response, and Confirmed Ending. The utility of this model is illustrated by applying it to the client side which makes it more convenient for users to deploy and ensure their security with high detection rate.