A solution to detect the existence of a malicious rogue AP

Abstract A malicious rogue AP works like an evil twin; however, instead of using a good twin to connect to the Internet, a malicious rogue AP uses a 3G/4G mobile network to connect to the Internet. While administrators have sufficient information to distinguish rogue APs, it is difficult for client users to know whether they are using a wireless network with malicious an AP. To solve evil twin problems at client-side, many solutions make their detection based on some time metrics or evil twin features. However, time metrics may be influenced by pre-fetching, network topology, traffic volume, or network types. And the evil twin features such as packet forwarding cannot distinguish malicious rogue APs because they behave just like a legitimate AP. To solve above problem, this paper proposes an active user-side solution, called Wi-Fi Malicious Rogue AP Finder (RAF). RAF can be installed in any computer or laptop without any special requirement. RAF detect the existence of a malicious rogue AP based on different reverse traceroute information collected by a remote server. To the best of our knowledge, RAF is the first one client-side solution which could detect malicious rogue APs based on path information but not time metrics.