Experiences in Passively Detecting Session Hijacking Attacks in IEEE 802.11 Networks

Gill, Rupinder, Smith, Jason, & Clark, Andrew (2006) Experiences in Passively Detecting Session Hijacking Attacks in IEEE 802.11 Networks. In Buyya, R., Ma, T., Safavi-Naini, R., Steketee, C., & Susilo, W. (Eds.) Proceedings of 4th Australasian Information Security Workshop (Network Security), Australian Computer Society Inc, Hobart, Tasmania, pp. 221-230.


Current IEEE 802.11 wireless networks are vulnerable to session hijacking attacks because the existing standards fail to address the lack of authentication of management frames and network card addresses, and rely on loosely coupled state machines. Even the new WLAN security standard, IEEE 802.11i, does not address these issues. In our previous work, we proposed two new techniques for improving detection of session hijacking attacks that are passive, computationally inexpensive, reliable, and have minimal impact on network performance. These techniques utilise unspoofable characteristics from the MAC protocol and the physical layer to enhance confidence in the intrusion detection process. This paper extends our earlier work and explores the usability, robustness and accuracy of these intrusion detection techniques by applying them to eight distinct test scenarios. A correlation engine has also been introduced to keep the false positives and false negatives at a manageable level. We also explore the process of selecting optimum thresholds for both detection techniques. For the purposes of our experiments, the Snort-Wireless open source wireless intrusion detection system was extended to implement these new techniques and the correlation engine. The absence of any false negatives and the low number of false positives in all eight test scenarios successfully demonstrated the effectiveness of the correlation engine and the accuracy of the detection techniques.

Impact and interest:

12 citations in Scopus

Full-text downloads:

304 since deposited on 17 Jun 2009
20 in the past twelve months

ID Code: 25301
Item Type: Conference Paper
Refereed: Yes
Keywords: Wireless Intrusion Detection, Session Hijacking, Received Signal Strength, Round Trip Home, Passive Monitoring
ISBN: 1920682368
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Format not elsewhere classified (080499)
Divisions: Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2006 Australian Computer Society Inc
Deposited On: 17 Jun 2009 15:06
Last Modified: 22 Jun 2017 14:41
