research article exploiting wireless received …research article exploiting wireless received...

Research ArticleExploiting Wireless Received Signal Strength Indicators toDetect Evil-Twin Attacks in Smart Homes

Zhanyong Tang1 Yujie Zhao1 Lei Yang1 Shengde Qi1 Dingyi Fang1

Xiaojiang Chen1 Xiaoqing Gong1 and Zheng Wang2

1School of Information Science and Technology Northwest University Xirsquoan China2School of Computing and Communications Lancaster University Lancaster UK

Correspondence should be addressed to Dingyi Fang dyfnwueducn and Zheng Wang zwanglancasteracuk

Received 20 September 2016 Accepted 21 November 2016 Published 17 January 2017

Academic Editor Qingchen Zhang

Copyright copy 2017 Zhanyong Tang et alThis is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Evil-Twin is becoming a common attack in smart home environments where an attacker can set up a fake AP to compromisethe security of the connected devices To identify the fake APs The current approaches of detecting Evil-Twin attacks all rely oninformation such as SSIDs theMAC address of the genuine AP or network traffic patterns However such information can be fakedby the attacker often leading to low detection rates and weak protection This paper presents a novel Evil-Twin attack detectionmethod based on the received signal strength indicator (RSSI) Our approach considers the RSSI as a fingerprint of APs and usesthe fingerprint of the genuine AP to identify fake onesWe provide two schemes to detect a fake AP in two different scenarios wherethe genuine AP can be located at either a single or multiple locations in the property by exploiting the multipath effect of theWi-Fisignal As a departure from prior work our approach does not rely on any professional measurement devices Experimental resultsshow that our approach can successfully detect 90 of the fake APs at the cost of a one-off modest connection delay

1 Introduction

Smart homes consist of many intelligent automation systemswhich are often connected to each other and the Internetthrough Wi-Fi to provide the inhabitants with sophisticatedmonitoring and control over the propertyrsquos functions Smarthomes are increasingly becoming a target for cyber attackers[1ndash4] Many of smart home targeting attacks exploit a tech-nique called Evil-Twin where an adversary makes a rogue(ie Evil-Twin) access point (AP) with the same identity(or SSID) as an authorized AP hoping that many of thewireless clients will connect to the rogue AP due to thecommonly used automatic access point selection option [5]An adversary can use an Evil-TwinAP as a platform to launcha variety of attacks including privacy and data theft Privacyconcerns become evident because there are a large number ofprivate data by various applications in the smart city such assensitive data of governments or proprietary information ofenterprises [6]

How to detect Evil-Twin AP has recently received muchattention [7 8] Generally speaking there are twowidely used

approaches in this domain The first approach uses trafficcharacteristics from the network flow [9 10] to detect rogueAPs By analyzing information such as the packet arrival timethe requestresponse time of TCP ACKs one can distinguishauthorized APs from fake ones Such approaches howeverdepend on many environmental factors such as the type andbandwidth of the network and traffic congestion (which canchange from time to time) Therefore such an approach isonly applicable to a limited set of environments where thenetwork traffic pattern is known ahead of time and is sta-ble The second approach namely fingerprint identificationdetection uses hardware features [11ndash18] to identify rogueAPs This requires collecting fingerprint information fromthe hardware and systems software components (eg thefirmware the chip and the driver) of the authentic APsThis approach is based on an assumption that it is difficultfor the attacker to set up an AP with identical hardwareinformation However building a fingerprint library is non-trivial and extracting the fingerprints from the APs couldbe time-consumingThese drawbacks make such approachesinfeasible when real-time is an essential requirement

Hindawi Publishing CorporationMobile Information SystemsVolume 2017 Article ID 1248578 14 pageshttpsdoiorg10115520171248578

2 Mobile Information Systems

This paper introduces a novel method for detecting Evil-Twin APs Our approach targets smart homes Our approachexploits the following observations (1) the position of an APis often fixed in a smart home environment (2) the receivedsignal strength indicator (RSSI) of a fixed AP is relativelystable We consider the RSSI signal as the fingerprint ofa genuine AP and use this information to identify rogueAPs One of the advantages of our approach is that we donot require any additional sensoractuator infrastructureInstead we first use the stable RSSI to estimate the distancebetween the signal point and the receiving point [19ndash27] andthen use the distance to detect rogue Evil-Twin APsWe showthat our approach achieves on average a successful rate of over90 with a one-off connection delay of less than 20 seconds

The main contribution of this paper is a novel Evil-Twinattack detection system based on RSSI We have shown thatRSSI is a viable means for detecting rogue APs in smart homeenvironments Although our approach is evaluated in a smarthome environment similar ideas can be expanded to otherWi-Fi environments

2 Background

SSID and BSSID are always used to identify Wi-Fi hot pointsince the protocol 80211 does not define a strong sign todo it In fact both of them could be easily got by attackerbecause the wireless network not only shares the media butalso cannot control the signal range Although the accesspoint is protected by password and sophisticated encryptionfor an experienced attacker it is not difficult to crack itduring a short timeThe original 80211 security organizationthat try to solve these problems was the Wired EquivalentPrivacy (WEP) In spite of having mechanisms to provideauthentication confidentiality and data integrity WEP wasfound to be unsafe and trivially cracked after an attacker hasgathered enough frames with the same initialization vector[28] By actively accelerating the gather of frames the latestWEP attack is able to complete breaking of WEP in under aminute [29] WEP is increasingly being replaced by the Wi-Fi Protected Access (WPA) Nevertheless to hold backwardcompatibility WPA has not totally solved some securityproblems Because control and management frames can betricked and faked even with WPA enabled wireless LocalArea Networks (LANS) reserve impressionable to identityattacks and denial of service attacks [12] Once the attackergot the password they will soon forge the same one calledthe Evil-Twin AP (ie the rogue or fake AP) which is noteasily recognized by user Over the past few years this kindof attack mainly exists in some public environments such asairports and cafes However as the development of the IoTnowadays gigantic crowd-sourced data from mobile deviceshave become widely available in social networks [30] theattack value of private Wi-Fi rises rapidly and the attackdevelops towards the private Wi-Fi in the smart home andother environments such as privacy concerns that becomeevident on the cloud because there are a lot of private data inmultimedia data sets [31]Once the user connects the networkto the fake AP the intruder can control the network environ-ment of the user and further privacy sniffing malicious data

tampering and other advanced attacks can be realized Thebehavior of the intelligent device even can be controlled forinstance opening or closing an intelligent lock

According to the IEEE 80211 standard when there aremultiple APs nearby the one with the strongest signal isto be chosen [16] So the fake AP is always putting at thenearest of attack target in order to be chosen This kind ofattack can be called Fishing which contains active Fishingand passive Fishing Passive Fishing is named because thefake AP is just waiting for the connection from the terminalThis kind of attack cannot easily be found since it does notaffect the Real AP at the same time the attack successful rateis not high Active Fishing means that to connect with theterminal fake AP cut the connection between Real AP andthe terminal by Evil-Twin attack Such attack can be carriedout to precise attacks without affecting the other equipmentexcept the target

3 Attacking Scenarios

Attacking Scenarios Figure 1 illustrates the scenarios wherethe Evil-Twin attack can be applied Evil-Twin is designedto look like real Wi-Fi hotspots In those scenarios theadversary is able to set a fake AP to launch an Evil-Twinattack from a laptop Its signal might be stronger to the victimthan the Real AP Once disconnected from the legitimateReal AP the tool then forces offline computers and devices toautomatically reconnect to the Evil-Twin allowing the hackerto intercept all the traffic to that deviceWhen people in smarthomes are using the Internet through an Evil-Twin theycan unknowingly expose their passwords and other sensitiveonline data to hackers According to the Wi-Fi Alliancea sophisticated Evil-Twin can even control what websitesappear when users access the Internet That allows hackersto capture their passwords

Our Assumptions Our attacks require the adversary to setup the Evil-Twin at different locations We believe that theadversary may not set the fake AP very close to the smarthomes in order to avoid being caught If a profile for thelegitimate AP exists the client device will automaticallyconnect to the faked AP

4 DRET Overview

Figure 2 is shown as the overview of DRET System DRETis a system that helps wireless home owner to discoverand prevent evil access points (AP) from attacking wirelessusers The application can be run in regular intervals toprotect your wireless network from Evil-Twin attacks Byconfiguring the tool you can get notifications sent to youralarm signal whenever an evil access point is discoveredAdditionally you can configure DRET to performDoS on thelegitimate wireless users to prevent them from connectingto the discovered evil AP in order to give the administratormore time to react However notice that the DoS will onlybe performed for evil APs which have the same SSID butdifferent BSSID (APrsquosMACaddress) or running on a different

Mobile Information Systems 3

Facebook

Twitter

Fake AP

Attacker

Real AP

Smarthomes

Wi-Fi

Figure 1 Example scenarios in which the attacker can easily launch an Evil-Twin attack to steal information using a fake AP This kind ofattack typically happens when a hacker constructs a mock (but still functional)Wi-Fi access point (AP) right at the place where there ought tobe an original and legitimate access pointThe reason this works so well is that for a well-orchestrated attack the illegitimate AP has strongersignals than the legitimate one and hence the unsuspecting users might log on to this mock-up connection and then use the Internet whilesharing all their precious data all the way from their userrsquos IDs and passwords to creditdebit card information

Legitimacyjudgment Location RSSI adjusting

Single device Single position

SDSP

Detector based on RSSI against Evil-Twin attacks (DRET)

Position RSSI

4

3

2

1

Output result

Single device Multiple

position SDMP

Multiple device Multiple

position MDMP

Output result

Figure 2 The overview of DRET System DRET mainly consists of three parts (SDSP SDMP and MDMP)

channel This method can prevent DoS from attacking yourlegitimate network

Following a common practice in fake AP detectionDRET will choose different modules depending on differentcircumstances SDSPmeet the simple scenario such as duringnight and when nobody is at home However SDSP is limitedand the success rate is closely related to the detector locationTo address this limitation SDMP is proposed which locatesthe mobile phone firstly the RSS fingerprint value is drawnto SDSP (e) so the SDSP can determine the location oflegitimacy (f) the result returns to SDMP Sometimes inmany devices working in multiplaces these devices need touse only one set of fingerprint data to check at the same timeMDMPwill start the RSSI is adjusted and then sent to SDMP(g) the result done by SDMP returns to MDMP (h)

5 Preliminaries

In order to construct a real environment the attacker will doeverything to improve the fake AP so that it has the samefeatures of a Real AP including traffic characteristics andhardware fingerprint characteristics In real-world applica-tions the environmentmay have some negative effects on theidentification of the target [32] However the attacker cannotforge the position of the Real AP Recent literature advancesWi-Fi signals to ldquoseerdquo peoplersquos motions and locations Bydetecting and analyzing signal reflection they enable Wi-Fito ldquoseerdquo target objects [33] In smart homes the intuitionunderlying our design is that each Real AP has its fixedposition and the attacker cannot put the fake AP exactly inthe right placeTherefore a new smart home fakeAPdetectedmethod based on RSSI is proposed in this paper


RAP1

RAP2FAP1

FAP2

Detector2

Detector1

D1

D2

D3

D1998400

D2998400

D3998400

Figure 3 The figure shows two Real APs (in green) and two FakeAPs (in red) The figure illustrates how the detector (in black)recognizes the FAP by using the differences of the RSSI that the APslocate differently

Figure 3 is shown as the principle of fake AP detectionbased on RSSI RAP and FAP are respectively representedReal AP and fake AP Detector receives the signal fromeach AP 1198631 is the distance between the 1198631198901199051198901198881199051199001199031 and theReal AP and 11986311015840 is the distance between the 1198631198901199051198901198881199051199001199031 andthe fake AP If 1198631 is greater than 11986311015840 it means that theintensity of 1198631198901199051198901198881199051199001199031 received from the fake AP is strongerthan the real one In general when there exists multipatheffect detector always chooses the strongest signal in thehomologous signals So undoubtedly when the attackerturns on FAP1 1198631198901199051198901198881199051199001199031 will choose it rather than the realRAP1 But when the attacker turns off the FAP1 1198631198901199051198901198881199051199001199031will choose RAP According to the upper analysis we caneasily identify the fake AP from the real one by comparingthe RSSI of them In this scene If RSSI10158401 is greater than RSSI1it means that FAP1 is fake AP

However there is another scene where the distancebetween the Real AP and detector is less than the fake onesIn this condition no matter how open or shut down the fakeAP is the detector would always choose the Real AP So weshould try to build a scene like the previous one namelymoving the detectionrsquos position to 1198631198901199031198901198881199051199001199032 making 11986331015840greater than1198633 then we can detect the fake AP

In free space the path loss of signal propagation expressessignal attenuation which is defined as the difference valuebetween the effective radiated power and the received powerSo the path loss in free space can be computed by thefollowing formula 119866119905 and 119866119903 separately express the antennagain of the sender and the receiver 120582 indicates the signal wavelength 119889 is the distance between the sender and receiver

PL (dB) = 10 log 119875119905119875119903 = minus10 log[ 1198661199051198661199031205822(4120587)2 1198892] (1)

Frequency of Wi-Fi channel 1sim13 is from 2412 lowast109sim2472 lowast 109 And there exists 120582 = 119888119891 and 119888 asymp 3 lowast108ms so the value range of 120582 is 01214sim01244We did someexperiment to study factors effecting the attenuation and theattenuation curve is shown in Figure 4 In Figure 4(a) bothof the sender and receiver have unity-gain and the channel is1 In Figure 4(b) both of the sender and receiver have unity-gain and the channel is 13 In Figure 4(c) the antenna gainproduct of the sender and receiver is 100 and the channel

is 13 From Figure 4 we can find the following rules (1)From (a) and (b) we can find that the effect of channel onattenuation is very small (2) From (b) and (c) we can findthat antenna gain has a great influence on attenuation (3)From (a) (b) and (c) we can find that the distance is themain factor to affect the attenuation and the attenuation isless sensitive to the distance with the increase of distance

RSSI (Signal Strength Indicator Received) is the intensityof the received signal its value can be calculated by thefollowing formula RSSI = Transmit Power + antenna gain minuspath loss

For a fixed transmitter and receiver the Transmit Powerand antenna gain are both constant and the path loss is afunction of the distance119863 so RSSI can be expressed as RSSI =119891(119889) Then 119889 will be 119889 = 1198911015840(RSSI) Therefore RSSI can beused directly to replace the distance for positioning

In order to be simplify the calculation we proposed signalspace and signal distance Signal distance can be abbreviatedas sd then sd = |RSSI| In Figure 5 the left is the physicalspace and the right is the signal space Both of them take APas the reference point Points a b c and d are the positionof four mobile phones In the physical space the distanceseparately between a c and d is equal less than the distancebetween b andAP But there are obstacles at the points a anddwhere the attenuation of the black obstacle is higher than thegray obstacle so sda gt sdd gt sdc and sdb gt sdc In generalthe signal strength of straight line is the best when there isno obstacle and wireless devices always give priority to thebest signal when dealing with multipath effects So from thephysical space to the signal space the distance of their signalhas some slight changes which is shown as the right figure

In order to verify that the RSSI can be used as the defec-tion factor we did an experiment In normal circumstanceswe build a fingerprint library by using the signal distanceTerminal MX3 is used as director to collect RSSI signal andthe TL-WR882N is used as AP The distance between themis 5m and data collection rate is 2 times per second Wecollected about 14000 of the total data keeping surroundingenvironment not changed during the process of collectingdata except when someone walked across Its probabilitydistribution histogram is shown in Figure 6

By analyzing the experiment data it is found that themeasured value of the actual measurement is near to astable value and the probability distribution is approximatelynormal distribution That means the RSSI can be used as thedefection factor

Actually it seems that both of the fake and Real AP issimilar to the detector which are difficult to be distinguishedAccording to multipath effect the detector will select theone with the strongest signal to associate and computethe distance between the selected AP and it which willbe compared with the distance recorded in signal distancefingerprint database If they are different that means theAP should be forged The mobile phone will be used as thedetector Depending on whether the mobile phone used as adetector in smart home is moving or not two different kindsof solution have been proposed in this paper they are a singlefixed position detection and the multiposition collaborativedetection


0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01244

5

(a)

0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01214

5

(b)

0 10 20

40

60

80

100

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 100

120582 = 01214

(c)

Figure 4 Signal attenuation curve

y

xa

bc

d

AP

y

xa

bc

d

APPhysical space Signal space

Figure 5 Physical space convert to signal space

6 Automated Detection Analysis

61 A Single Fixed Position Detection Smart homes devicesstill need work under networking even if there is nobody athome so the detector can also finish the detecting of falseAP Therefore we install the detector in a fixed positionand let it work 24 hours Detector establishes target AP RSSIfingerprint library in normal sense which would be used as

0

005

01

Prob

abili

ty

RSSIminus75 minus70 minus65 minus60 minus55 minus50 minus45

Figure 6 Probability distribution histogram

sample when detecting Only the detected distance is withinthe error range of distances recorded in fingerprint databaseit is considered as the fake AP otherwise it is true AP

It is assumed that the deployment of hot spot and detectoris shown in Figure 7 The position of fake AP and true AP isdifferent but the other features are the same such as network


Y1 Y2 Y3

Real AP Fake APA

B

C

X

minus25 dB minus25 dB

minus50dBminus50dB

minus75dBminus75dB

Figure 7 A single fixed position detection

Table 1 FSSI and variance in the security state

Location Average VarianceA 120583A = minus50 120590AB 120583B = minus50 120590BC 120583C = minus75 120590C

card hardware features antenna gain and stability A B andC are the positions of three detectors The signal intensity oftrue AP and fake AP is the same in the position A (shown as1198842 axis) The signal intensity of true AP is stronger than onesof fake AP in the position B and the opposite in position C

In the security state that is where the fake AP does notexist the RSSI and variance of signal intensity separatelyreceived by three detectors at positions A B and C are shownin Table 1

Fake APs working will lead to multipath effectThereforeit is assumed that 119875A 119875B and 119875C are the probability of select-ing true AP signal in A B and C Under ideal conditions0 le 119875C lt 119875A = 05 lt 119875B le 1 and the new average andvariance are shown in Table 2 Both of them wave in a certainrange of fluctuation due to kinds of factors like the multipatheffect the external interference and so forth It is assumedthat the average an variance meet the following conditions120583 minus119872 le 120583 le 120583 +119872 120590 le Σ

From Figure 7 we can see that when the detector isin region C it will select fake AP whose signal intensity isstronger than the Real APs which can be described with aformula like 1205831015840 gt 120583 When 1205831015840 gt 120583 +119872 we can say that thereexists a fakeAP in the networkWhen the detector is in regionA 1205831015840 = 120583 that means we cannot distinguish the Real AP andthe fake one In region B although the signal intensity of RealAP is higher than fake AP but the detector considers both ofthem are the same signal the latter still cannot be detected

As analysis shows detector and Real AP cannot be tooclose that will lead to high misdetection rate so the bestdeployment location of detector is in region C where thesignal is weak far away from the Real AP and near the fakeAP

Table 2 FSSI and variance when fake AP is working

Location Average VarianceA 1205831015840A = 120583A = minus50 1205901015840A = 120590AB minus75 lt 1205831015840B lt minus50 1205901015840B gt 120590BC 75 lt 1205831015840C lt minus50 1205901015840C gt 120590C62 Multiposition Detection Obviously a single fixed posi-tion detection method can only solve part of the problem Inthis part multiposition detection is proposed Multipositiondetection relies on mobile phones with it we can convertmultiposition to single fixed position detection So firstwhat we need to do is determine the position of the mobilephoneThemost well-known and highly accurate positioningmethod is GPS while GPS devices have been known to notwork very well indoors In this paper we use theWi-Fi signalfor locating the position of mobile phone by three-pointpositioning method With the popularity of Wi-Fi there arealmost always more than three Wi-Fi hotspots that will befound when we are indoors

As shown in Figure 8 AP1 AP2 and AP3 are threedifferent APs assuming their positions are known O is themobile phonersquos positionThe original distance can be definedas sd which represents the distance between AP and mobilephone sd119894 = |OO119894| 119894 = 1 2 3 4 5 So AP1 AP2 and AP3 canlocate the position of the mobile phone in the signal spaceThen we can convert the multiposition detection to a singlefixed position detection

There are two stages in multiposition cooperative detec-tion fingerprint gathering stage and detection stage Thefirst stage should be done in a safe state we collect theRSSI information both of reference AP and target AP inmany different positions to build a fingerprint library In thedetection stage using reference AP to locate the phone andthe fingerprint data in a single fixed position detection theprogram framework is shown in Figure 8 we can locate themobile phonersquos position by using reference AP and then usingthe method mentioned in the previous chapter to detect

In Figure 9 AP0 is the target AP AP2simAP119899 are thecandidatersquos reference AP and the whole process can bedivided into the following 5 steps

Stepe RSSI acquisition

Stepf effective data selection

Stepg establishment of fingerprint database

Steph mobile position determination

Stepi validity judgment

621 RSSI Acquisition In the experiment the value of RSSIis collected by mobile phone the detection program canimport correspondingmanagement package and call relevantinterface (Android androidnetwifi IOS SystemConfigu-rationCaptiveNetworkh) so that it can make mobile phoneacquire enough RISS value in daily routines


Real AP

O4

O2

O

O5

AP2

O1AP1

AP3O3

Fake AP

Attacker

Real AP

550000

Fake APReference AP

Figure 8 Multiposition detection transformationThe figure shows that any three APs could be chosen as reference in the signal spaceTheyare used to locate the positions of the mobile phone which is a detector in smart homes

Record

Similaritycalculate

Reference AP

Target AP

Safety

1 1 1

2

3

1 112

4

5

27 29 44

AP0 APnmiddot middot middot(MAC1 RSSI1)

(MACn RSSIn)

RSSI feature sets

Feature

collectionDetection

Location ReferenceAP Real AP

L1

Lm

RSSI0

Locationmodule

Figure 9 Multiposition detection framework

622 Effective Data Selection

Effective RSSI Values Selection It is a challenging job to choosethe right RSSI values since the mobile phones are alwaysmoving However the RSSI value we need should be wavedin a small range which is shown in Figure 10 The data intwo boxes are what we want the others are generated bymobile phone when it is moving When the distance betweenmobile phone and AP is 1m and there is no interference itcan generate the data in the first box Data in the second boxis generated in the condition that the distance betweenmobilephone andAP is 4mand there are two sources of interference

The other data is generated in the condition that someonetakes the mobile phone and go around the house with thespeed of 15ms

In the first experiment variance increment method isused to judge whether the mobile phone is moving It isassumed that the size of sliding window is 120 When theamount of data is less than the window it is invalid data

119882119894 = 119903119894minusws+1 119903119894minusws+2 119903119894minus1 119903119894 119894 ge ws 119903119894 isin 119877 (2)

119877 is the whole RSSI sequence 119903119894 is the value of RSSI andws is the window size


0 500 1000 1500 2000 2500 3000

RSSI

Original dataAverage

minus20

minus40

minus60

minus80

minus100

Figure 10 The RSSI sequence

0 500 1000 1500 2000 2500 30000

200

400

600

800

Varia

nce

Figure 11 The RSSI sequence variance

The variance can be used to measure the deviationbetween the RSSI data and themean value of the windowThevariance of119882119894 is 120590119894 which expresses the data fluctuation of119882119894The greater the data fluctuation the greater the variance

As shown in Figure 11 the window size is 120 with twopeaks in the middle corresponding to the moving processthat is it corresponds to the parts not in those two boxesin Figure 10 However the cause of the big variance is notnecessarily a personrsquosmovement the stability of the signalwillalso affect itTherefore the slope of the variance curve is usedto determine whether the current is moving The varianceincrement

119896 (119894) = 119889120590119894119889119894 = 120590119894 minus 120590119894minus1119894 minus (119894 minus 1) = 120590119894 minus 120590119894minus1 (3)

In Formula (3) 120590119894 is the variance of 119882119894 and 120590119894minus1 is thevariance of119882119894minus1

The improved results are shown in Figure 12 When 119896(119894)is near to 0 it means that the original variance is stable ina certain range that also means the mobile phone is notmoving or moving in a small range We set a threshold todetect whether the mobile phone is moving If |119896(119894)| le 119870 themobile phone is considered to be stable otherwise it meansthe position of mobile phone has changed

Those sequences with a stable position have the followingcharacteristics

Start point [|119896(119894)| le 119870] minus ws(+1)End point [|119896(119894)| gt 119870] minus ws2

Effective Reference AP Selection In order to improve theaccuracy of multiposition detection it is needed to improvethe accuracy of the location Because of the complexity ofthe wireless signal transmission in the indoor environment

0 500 1000 1500 2000 2500 3000

0

20

Varia

nce i

ncre

men

t

minus20

minus40

Figure 12 RSSI sequence variance

the AP signal is not stable In the network environment aposition can be detected by more than one AP Thereforesignal stability and the relevance with target AP are the twofactors in choosing AP Relevance here means that both thetarget AP and the reference AP moving with the mobilephone that is why the fluctuations of the variance betweenthe target AP and the reference AP should be consistent

We use dynamic (dynamic time warping DTW [34])algorithm to calculate the distance and determine the validityof the reference AP DTW is a method that calculates anoptimal match between two given sequences (eg timeseries) with certain restrictions The sequences are ldquowarpedrdquononlinearly in the time dimension to determine a measure oftheir similarity independent of certain nonlinear variationsin the time dimension This sequence alignment method isoften used in time series classification

As is shown in Figure 13 (a) calculates distance withoutusing dynamic time but (b) uses it by using dynamic time (b)can reach theminimumdistortion when it comes to calculatethe distance

When selecting the effective reference AP each AP isconsidered as the candidate referenceAPThe large number ofits variance increment is stored aswell as the distance betweenits variance increment sequence and the targetrsquos After gettingthe distance of all candidate reference APs and target APs allcandidate reference APs will be ordered by the distance Thesmaller the distance the better the effectiveness Thereforefour candidate reference APs with theminimumdistance willbe chosen as the reference APs to locate the mobile phonersquosposition In general three points are enough for location Inorder to prevent that one of the three reference APs fromfailure so we choose four reference APs from the candidatelists

623 Establishment of Fingerprint Database The RSSI fin-gerprint library (RSSI-MAP) is built by the RSSI sequencegenerated in previous section RSSI-MAP is shown in Table 3119877119869 = (1199031119869 1199032119869 119903119871119869) represent the fingerprint informationin RSSI-MAP 119869 is the position where the mobile phone isstayed for detecting 119871 is the number of candidate referenceAPs 119903 is the fingerprint information of AP which canbe described by triple like 119903(rssi var len) Items in triplerepresent the average variance and length of RSSI sequence

624 Mobile Position Determination 119877119879 = (1199031119879 1199032119879 119903119871119879) represents RSSI fingerprinting information of the refer-ence APs detected at the position 119879 1198771015840119879 = 11990310158400119879 represents the


015

01

005

00 50 100 150 200

(a)

015

01

005

00 50 100 150 200

(b)

Figure 13 Dynamic time warp (DTW)

Table 3 Structure of RSSI-MAP

Location Reference AP Target AP1 1198771 = (11990311 11990321 1199031198711) 11987710158401 = 119903012 1198772 = (11990312 11990322 1199031198712) 11987710158402 = 11990302 119869 119877119869 = (1199031119869 1199032119869 119903119871119869) 1198771015840119869 = 1199030119869RSSI fingerprinting information of the target AP detected bythe position 119879 Dist(119877119879 119877119869) is the distance between 119877119879 and119877119869 rssi119894119879 is the average value of RSSI for reference AP rssi119894119869is the average of the RSSI sequence for reference AP 119869 is theposition where the distance between119879 and one in RSSI-MAPis the shortestWhen there aremore than three referenceAPswe can locate the mobile phone

Dist (119877119879 119877119869) = radic 119871sum119894=1

(rssi119894119879 minus rssi119894119869)2 (4)

Dist(119877119879 119877119869) in Formula (4) depend on the number of 119871in order to reduce the effect on Dist119879 that the number ofreference AP is different in different position The formula isimproved as the following

Dist119879 = min[Dist (119877119879 119877119869)119871 ] (5)

When 119871 is greater than or equal to 3 the fingerprint ofthe first three APs can be used for location by using Formulas(4) and (5) When 119871 is equal to 2 there will be more thanone position and all of them have the same distance Thenwe should choose the one who is the nearest one with thetarget AP When 119871 is equal to 1 in order to increase theaccuracy of the positioning the variance is used tomeasuringthe similarity between position 119879 and position 119869 From theprevious section the RSSI form one AP at the same positionwhich is approximate normal distribution that is the RSSIsequence is represented as follows

119875 (rssi) = 1radic2120587120590119890(rssiminus120583)221205902 (6)

In Formula (6) 120590 = var 120583 = rssi

In the information theory KL [35 36] (Kullback-Leiblerdivergence) can be used to describe the difference betweentwo probability distributions of 119876 and 119875 119863KL(119875 119876) is theinformation loss caused by that 119876 which is used to fit thetrue distribution 119875 So the distance between the 119879 and theRSSI probability distribution can be calculated using the KLdivergence KL divergence is defined in

119863KL (119875 119876) = sum119875 (119894) ln 119875 (119894)119876 (119894) (7)

So we can get formula (8) from formula (6) and formula(7)

Dist (119877119879 119877119869) = 119863KL (119877119879 119877119869)= 0sum

rssi=minus100

119875 (rssi)2 [(rssi minus 1205831)212059021 minus (rssi minus 1205832)212059022 ] (8)

In the formula (8)1205901 = var1198711198791205831 = rssi1198711198791205902 = var1198711198691205832 = rssi119871119869

119875 (rssi) = 1radic21205871205901 119890(rssiminus1205831)2212059021

(9)

Then according to the distance got by formula (8) thenearest neighbor algorithm is used to find the correspondingposition in the 119869 RSSI-MAP

625 Legitimacy Judgment max(rssi) represents the maxi-mummean of target RSSI at position 119869 It can be easily queryin RSSI-MAP when we find the position 119869 rssi is the meanvalue being detected Then there is Diff119879 = rssi minusmax(rssi)

If Dist119879 le 119872 and Diff119879 le 0 it is safe and there is no fakeAP

If Dist119879 le 119872 and Diff119879 gt 0 it is unsafe and there exitsfake AP

If Dist119879 gt 119872 fingerprint database should be updatedYou can find the details in next section


626 Dynamic Update of Fingerprint Database Thedynamicupdate of RSSI fingerprint database consists of two parts oneis the addition of the new fingerprint and the other is theupdate of the existing fingerprint

The new fingerprint should be added because of variousreasons in the training phase of the RSSI fingerprint databaseIt cannot cover all the spatial subregions of 119872 so it isnecessary to improve the fingerprint database in the laterstage

The update of the existing fingerprint is caused byenvironmental changes such as survival status of referenceAP the correlation between the candidate reference AP andthe target AP and the change of the reference APrsquos positionAt this point we need to update the fingerprint informationwhich already exists in the fingerprint database in detectionstage

[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)

Assume there are four valid candidate reference APsthey are AP1AP2AP3AP4 and the relationship or theireffectiveness is as the following 1198641 gt 1198642 gt 1198643 gt 1198644 thenthere is Dist119879 = Dist119879(AP1AP2AP3) The correspondingposition is 119869

When there is Dist119879 gt 119872Dist1198793 = Dist119879 (AP1AP2AP4) Dist1198792 = Dist119879 (AP1AP3AP4) Dist1198791 = Dist119879 (AP2AP3AP4)

(11)

If Dist119879119894 le 119872 then we can use 119903119894119879 instead of 119903119894119869 in theRSSI-MAP to update the existing fingerprint If Dist119879119894 gt 119872then put (119877119879 1198771015840119879) into the RSSI-MAP If Dist119879119894 le 119872 and119903119894119905len ge 119903119894119895len then we can use 119903119894119879 instead 119903119894119869 in the RSSI-MAP

7 Evaluation in SPD and MPD

In order to verify the feasibility and effectiveness of the APEvil-Twin detection method based on RSSI we implement anumber of experiments

We use the Terminal MX3 to collect RSSI signal The TL-WR882N is used as the true AP A fake AP has been simulatedby hostapd in a notebook The experiment is done in a roomwith 100 square meters In the detection phase we set thedifferent 119865 minus 119877 (119865 minus 119877 is defined as the mean differenceresp between the fake AP and the true APrsquos RSSI The meandifference is equal to the distance between two APs)

71 Experiment and Assessment for Single Position Detection

Discussion of SlidingWindowSizeTheprevious section showsthe size of the sliding window affects the delay rate and falsenegative rate of detectionThat means the bigger the windowthe higher the delay rate and the higher the false negative rateIn order to find a suitable value for the size of sliding windowwe design an experiment like the following

In order to verify the effect of window size on the delaywe set the mean difference respectively between the fake APand the true RSSI as 25 and 10 that is 119865minus119877 = 25 and 119865minus119877 =10 The window size in turn is 1 40 80 120 160 200 and240The safety threshold value for each round of detection isthe maximum mean of RSSI in 30 minutes There are 14 setsof experiment each set of experiment will be done 30 timesand the result is as shown in Figure 14 From (a) we can seethat when the difference of mean between true AP and fakeAP is bigger the delay rate is smaller When the window sizeis 120 the average delay time is less than 20 s

To verify the effect of window size on accuracy when it isin the condition that 119865 minus 119877 = 10 we set the windows size inturn 1 40 80 120 160 200 and 240 After the test programrunning 10 minutes open the fake AP and let it run for 3minutes then close it for 3 minutes because it needs a certaindelay that the mean value is changed from abnormal status tonormal status

The mean from abnormal status returning to normalneeds a certain delay so if there occurs wrong or misseddetection in every 3 minutes after the delay time it will beassumed as a wrong one If there is wrong ormissed detectingafter delayed time it is considered as the error status Thisexperiment is done 50 times and the result is shown on theright in Figure 14 According to the experiment results whenthe window size is 80 120 and 160 the accuracy is more than98 If the windows size is too small or too big the accuracyis lower since the false positive rate is higher

Discussion of Threshold Value In this experiment we set thewindow size as 120 and the 119865minus119877 as 25 or 10 Assume that thethreshold value is 119877max 119877max minus 2 119877max + 2 119877max + 4and 119877max + 8 So there are 10 sets of experiment In eachexperiment the following step is done 50 times After the testprogram running 10 minutes open the fake AP and let it runfor 3 minutes and then close it for 3 minutes We can get theresult of this experiment from Figure 15 when the securitythreshold value is119877max and the accuracy is up to 96Whenthe security threshold value is 119877max + 2 the accuracy of thecondition is 119865 minus 119877 = 25 up to 100 and 119865 minus 119877 = 25 is 99

Discussion of Distance In this experiment we set 119865 minus 119877 =0 5 10 15 and 20 and the threshold value is 119877max Eachexperiment is to be done as the following step 50 times Afterthe test program is running for 10 minutes open the fake APand let it run for 3minutes and then close it for 3minutesWecan get the result of this experiment from Figure 16 When119865minus119877 = 10 the accuracy is more than 96 the missing rate isless than 3

72 Experiment and Evaluation of MultipositionCooperative Detection

Validation of Variance Increment Method In this experimentthe window size is 120 and 119870 is 4 then split the RSSIsequence using Variance increment method The result isshown in Table 4 Dropping out the fragment whose lengthis shorter than 120 then we can get two effective RSSIsequence fragments (S 1 and S 10) the total length is 2598


240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)

Figure 14 Effect of window size on delay and accuracy

Accu

racy

rate

Threshold

1

05

0Rmax minus 2 Rmax Rmax + 2 Rmax + 4 Rmax + 8

F minus R = 15

F minus R = 10

Figure 15 Effect of safety threshold on the accuracy of detection

Table 4 First time to split the RSSI sequence

Flag Range Length Range MeanS 1 1ndash1422 1422 [minus52 minus35] minus4515S 2 1366ndash1431 66 [minus44 minus39] minus425S 3 1424ndash1502 79 [minus84 minus38] minus5004S 4 1489ndash1560 72 [minus100 minus64] minus9117S 5 1507ndash1569 63 [minus100 minus87] minus9595S 6 1552ndash1620 69 [minus100 minus72] minus9091S 7 1609ndash1718 110 [minus76 minus38] minus5654S 8 1660ndash1726 67 [minus75 minus40] minus5668S 9 1669ndash1731 63 [minus75 minus40] minus5995S 10 1861ndash2848 1168 [minus90 minus56] minus6637and the effective fragment lengthwas 2605 in the original datasequence So the accuracy is 997

The Validity of DTW Algorithm To verify that the DTWalgorithm could be used to choose the valid AP we open

the detecting software which could find all the AP and gettheir RSSI Then we let the detecting software move with thespeed of 15m staying at three different locations and stayingat each place for 15 minutes At the end there are 28 APsbeing found including 1 target AP and 27 candidate referenceAPs For each of 27 candidate reference APs we use DTWalgorithm to calculate the distance of variance incrementsequence between target AP and it Finally we are successfulto find four suitable reference APs

The Validity of Localization Algorithm In a room with 100square meters we collect a set of data per 4 square metersSo there are 25 sets of data In detecting stage we stayed atevery position for 5minutes thenmoving to another positionwith the speed of 15ms For the four suitable reference APfound in previous section there are three kinds of conditionsthat is the first 4 AP should be considered as the referenceAP and the first 3 and the first 2 respectively calculate theirEuclidean distance When there is only one reference AP theaccuracy of location is 62 When there are two referenceAPs the accuracy of location is 85 When there are threereference APs the accuracy of location is 90

The Validity of Multiposition Cooperative Detection We playa role of an attack simulating a fake AP in a notebook Andthe experiment is done still in a roomwith 100 square metersdividing it into 25 regions In each region we collect data forevery 30 minutes and use the maximum mean of this regionas the safety threshold In detecting stage we stayed at everyposition for 5 minutes then moving to another position withthe speed of 15ms Experiments were carried out for 200times 100 times is to open the fake AP and the other 100times is to turn off the fake AP When the fake AP is turnedon if there is any position detected by the fake AP then thedetection is successful if all the positions are not detected bythe fakeAP then the detection fails Close the fakeAP if thereis any position to detect the false AP then the detection failsif all the positions are not detected in the fake AP then the


Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R

Figure 16 Effect of distance on the detection results

detection is successful When there is only one reference APthe accuracy of location is 58When there are two referenceAPs the accuracy of location is 80 When there are threereference APs the accuracy of location is 90

8 Related Work

At present most Evil-Twin detection methods work for thepublic Wi-Fi environment There are two key approaches inthis domain One is based on hardware feature the other isflow feature

The hardware feature testing method utilizes the charac-teristic that different network card chips and different drivespossess different fingerprint features to set up a fingerprintfeature library and decide whether the fake AP existed ornot through matching fingerprint data in the fingerprintfeature library during testing Bratus et al [9] send someSIMULATING frames which possess false formats but arenot prohibited by a standard protocol Although differentnetwork card chips or drives have different responses tovarious SIMULATING frames the testing method is easyto be found by an intruder McCoy et al [11] characterizethe drivers during the ldquoactive scanning periodrdquoThis methodis undefined in the IEEE 80211 standard on the frequencyand order of sending probe requests Therefore each man-ufacturer employs its own algorithm This technique cannotdistinguish between two devices using the same networkcard and driver So this technique may not be used foridentifying individual devices However the attacker cannotforge the position of the Real AP In smart homes theintuition underlying our design is that each Real AP hasits fixed position and the attacker cannot put the fake APexactly in the right place Desmond et al [12] used fingerprintclient station which sends probe requests in light of periodiccharacteristic by surveying probe requests The period itselfis attached to slight variations Far from being consistentthese variations can be clustered With enough detectiontime each cluster slowly derives with a slope proportional tothe time skewThis work is able to particularly identify clientstation however this requires more than one hour of trafficand is only applicable to client stations In a word McCoy

et al [11] and Desmond et al [12] utilize the characteristicthat different wireless network cards send different proberequest frames with different periods during scanning to setup the fingerprint library As the equipment only sends asmall number of probe request during joining the networkand the method can be valid when passive scanning is usedthe expensive time overhead and the relatively bad real-timeproperty are involved Neumann et al [13] utilize the arrivaltime of interframe space to identify the wireless equipmentbut the characteristic can be faked by the intruder and thetesting method based on the characteristic can be bypassedThe testing methods for the hardware fingerprint featureof the equipment above-mentioned cut both ways variousfake AP can be tested effectively and the cost of fakingthe hardware feature of the intruder is relatively high thefingerprint database can be built in many ways [37] but thecost of building the hardware feature fingerprint library ishigh the time for extracting the hardware fingerprint is longthe testing real-time property is worse and the expansibilityis bad However Our approach builds the feature fingerprintlibrary without collecting deliberately You will achieve thefeature fingerprint library as soon as you open the phone

According to the flow feature testingmethod the networkflow feature is different when the fake AP is existent ornonexistent so whether Evil-Twin AP is existent or not canbe testedThemethod is excellent in extendibility but also hassome disadvantages Beyah et al [14] utilize the arrival timespace of each data packet to build a flow feature library asthemethod is influenced by flow shaping greatly the practicaloperation and the applicability are not good Wei et al [15]propose that the arrival time of the ACK data packet in aTCP protocol can be used to set up the flow feature libraryas the arrival time is influenced by TCP the testing efficiencyis limited Sheng et al [16ndash18] propose that data round triptime can be used to test whether the fake AP is existent ornot but the data round trip time is influenced by the networktype the bandwidth and the state of congestion at the sametime

Besides Han et al [38] put forward the wireless fakeAP attack in an in-vehicle network and meanwhile give thetesting method based on RSSI The method requires that all


of the APs are equipped with GPS modules to report theirown positions a user judges whether the fake AP is existentor not through whether the measured RSSI is matched withthe position or not The method can effectively test the fakeAP attack in the in-vehicle network but is not suitable forindoor environment because the GPS signal is weakenedeven shielded indoors

9 Conclusions

This paper has presented a novel approach to detect fake APsin a smart home environment Our approach uses RSSI as thefingerprint of the authentic AP to detect fake APs We haveproposed two methods to identity fake APs in two differentscenarios where the genuine AP locates on a single fixed ormultiple positions Our experimental results show that ourapproach can detect 90 of the fake APs with little extraoverhead to the communication delay time

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This work was partly supported by the National NaturalScience Foundation of China under Grant Agreement no61672427 no 61672428 and no 61272461 the Key Projectof Chinese Ministry of Education under Grant Agree-ment no 211181 the International Cooperation Foundationof Shaanxi Province China under Grant Agreement no2013KW01-02 and no 2015 KW-003 the Research Projectof Shaanxi Province Department of Education under Grantno 15JK1734 the Research Project of NWU China (no14NW28) and the UK Engineering and Physical SciencesResearch Council (EPSRC) under Grants EPM01567X1(SANDeRs) and EPM0157931 (DIVIDEND)

References

[1] M Chan D Esteve C Escriba and E Campo ldquoA review ofsmart homesmdashpresent state and future challengesrdquo ComputerMethods and Programs in Biomedicine vol 91 no 1 pp 55ndash812008

[2] J Schulz-Zander L Suresh N Sarrar A Feldmann T Huhnand R Merz ldquoProgrammatic orchestration of wifi networksrdquoin Proceedings of the USENIX Annual Technical Conference(USENIXATC rsquo14) pp 347ndash358USENIXAssociation Philadel-phia Pa USA June 2014

[3] F Lanze A Panchenko I Ponce-Alcaide and T Engel ldquoUnde-sired relatives protection mechanisms against the evil twinattack in IEEE 80211rdquo in Proceedings of the 10th ACM Sym-posium on QoS and Security for Wireless and Mobile Networks(Q2SWinet rsquo14) pp 87ndash94 ACM Quebec Canada September2014

[4] J Zhang X Zheng Z Tang et al ldquoPrivacy leakage in mobilesensing your unlock passwords can be leaked through wirelesshotspot functionalityrdquo Mobile Information Systems vol 2016Article ID 8793025 14 pages 2016

[5] D A D Zovi and S A Macaulay ldquoAttacking automatic wirelessnetwork selectionrdquo in Proceedings of the 6th Annual IEEESystem Man and Cybernetics Information Assurance Workshop(SMC rsquo05) pp 365ndash372 West Point NY USA June 2005

[6] Q Zhang L T Yang and Z Chen ldquoPrivacy preserving deepcomputationmodel on cloud for big data feature learningrdquo IEEETransactions on Computers vol 65 no 5 pp 1351ndash1362 2016

[7] J Herzen R Merz and P Thiran ldquoDistributed spectrumassignment for homeWLANsrdquo in Proceedings of the 32nd IEEEConference on Computer Communications (INFOCOM rsquo13) pp1573ndash1581 Turin Italy April 2013

[8] O Nakhila E Dondyk M F Amjad and C Zou ldquoUser-sideWi-Fi evil twin attack detection using SSLTCP protocolsrdquo inProceedings of the 12th Annual IEEE Consumer Communicationsand Networking Conference (CCNC rsquo15) pp 239ndash244 IEEEJanuary 2015

[9] S Bratus C Cornelius D Kotz and D Peebles ldquoActivebehavioral fingerprinting of wireless devicesrdquo in Proceedings ofthe 1st ACM Conference on Wireless Network Security (WiSecrsquo08) pp 56ndash61 New York NY USA 2008

[10] J Cache ldquoFingerprinting 80211 implementations via statisticalanalysis of the duration fieldrdquo Uninformedorg vol 5 2006

[11] D McCoy J Franklin J Van Randwyk D Sicker and PTabriz Passive data-link layer 80211 wireless device driverfingerprinting January 2006

[12] L C C Desmond C C Yuan T C Pheng and R S LeeldquoIdentifying unique devices through wireless fingerprintingrdquo inProceedings of the ACMConference onWireless Network Security(WISEC rsquo08) pp 46ndash55 Alexandria Va USA April 2008

[13] C Neumann O Heen and S Onno ldquoAn empirical studyof passive 80211 device fingerprintingrdquo in Proceedings of the32nd IEEE International Conference on Distributed ComputingSystems Workshops (ICDCSW rsquo12) pp 593ndash602 Macau ChinaJune 2012

[14] R Beyah S Kangude G Yu B Strickland and J CopelandldquoRogue access point detection using temporal traffic charac-teristicsrdquo in Proceedings of the IEEE Global TelecommunicationsConference (GLOBECOM rsquo04) vol 4 pp 2271ndash2275Dallas TexUSA November 2004

[15] W Wei K Suh B Wang Y Gu J Kurose and D TowsleyldquoPassive online rogue access point detection using sequentialhypothesis testing with TCP ACK-pairsrdquo in Proceedings of the7thACMSIGCOMMConference on InternetMeasurement (IMCrsquo07) pp 365ndash378 ACM San Diego Calif USA October 2007

[16] H Han B Sheng C C Tan Q Li and S Lu ldquoA timing-basedscheme for rogue AP detectionrdquo IEEE Transactions on Paralleland Distributed Systems vol 22 no 11 pp 1912ndash1925 2011

[17] C D Mano A Blaich Q Liao et al ldquoRipps rogue identifyingpacket payload slicer detecting unauthorized wireless hoststhrough network traffic conditioningrdquo ACM Transactions onInformation and System Security vol 11 no 2 article no 2 2008

[18] GQu andMMNefcy ldquoRAPiD an indirect rogue access pointsdetection systemrdquo in Proceedings of the IEEE 29th Interna-tional Performance Computing and Communications Conference(IPCCC rsquo10) pp 9ndash16 IEEE December 2010

[19] K S A P Levis ldquoRssi is under appreciatedrdquo in Proceedings ofthe 3rd Workshop on Embedded Networked Sensors vol 3031 p239242 Cambridge Mass USA 2006

[20] D Kotz C Newport R S Gray J Liu Y Yuan and C ElliottldquoExperimental evaluation of wireless simulation assumptionsrdquoin Proceedings of the 7th ACM Symposium onModeling Analysis


and Simulation of Wireless and Mobile Systems (ACM MSWiMrsquo04) pp 78ndash82 ACM Venice Italy October 2004

[21] N Patwari A O Hero III M Perkins N S Correal andR J OrsquoDea ldquoRelative location estimation in wireless sensornetworksrdquo IEEE Transactions on Signal Processing vol 51 no8 pp 2137ndash2148 2003

[22] M Kotaru K Joshi D Bharadia and S Katti ldquoSpotfi decimeterlevel localization using wifirdquo SIGCOMM Computer Communi-cation Review vol 45 no 4 pp 269ndash282 2015

[23] K Wu J Xiao Y Yi M Gao and L M Ni ldquoFILA fine-grainedindoor localizationrdquo in Proceedings of the IEEE Conference onComputer Communications (INFOCOM rsquo12) pp 2210ndash2218Orlando Fla USA March 2012

[24] A Rai K K Chintalapudi V N Padmanabhan and R SenldquoZee zero-effort crowdsourcing for indoor localizationrdquo inProceedings of the 18th Annual International Conference onMobile Computing andNetworking (MobiCom rsquo12) pp 293ndash304ACM Istanbul Turkey August 2012

[25] H Liu Y Gan J Yang et al ldquoPush the limit of WiFi basedlocalization for smartphonesrdquo in Proceedings of the 18th AnnualInternational Conference on Mobile Computing and Networking(MobiCom rsquo12) pp 305ndash316 ACM Istanbul Turkey August2012

[26] S Sen J Lee K-H Kim and P Congdon ldquoAvoiding multipathto revive inbuilding WiFi localizationrdquo in Proceedings of the11th Annual International Conference on Mobile Systems Appli-cations and Services (MobiSys rsquo13) pp 249ndash262 ACM TaipeiTaiwan June 2013

[27] J Schulz-Zander C Mayer B Ciobotaru S Schmid A Feld-mann and R Riggio ldquoProgramming the home and enterpriseWiFi with OpenSDWNrdquo in Proceedings of the ACM Conferenceon Special Interest Group on Data Communication (SIGCOMMrsquo15) pp 117ndash118 ACM London UK August 2015

[28] N Borisov I Goldberg and D Wagner ldquoIntercepting mobilecommunications the insecurity of 80211rdquo in Proceedings of the7th Annual International Conference on Mobile Computing andNetworking (MobiCom rsquo01) pp 180ndash189 Rome Italy 2001

[29] E Tews R P Weinmann and A Pyshkin ldquoBreaking 104 bitwep in less than 60 secondsrdquo in Proceedings of the InformationSecurity Applications International Workshop (Wisa rsquo07) pp188ndash202 Jeju Island Korea August 2007

[30] Q Wang Y Zhang X Lu Z Wang Z Qin and K RenldquoReal-time and spatio-temporal crowd-sourced social networkdata publishing with differential privacyrdquo IEEE Transactions onDependable and Secure Computing 2016

[31] Q Zhang H Zhong L T Yang Z Chen and F Bu ldquoPrivacypreserving highorder cfs algorithm on the cloud for clusteringmultimedia datardquo ACM Transactions on Multimedia Comput-ing Communications and Applications vol 12 no 4s pp 661ndash6615 2016

[32] G Wang Y Zou Z Zhou K Wu and L M Ni ldquoWe canhear you with Wi-Firdquo in Proceedings of the ACM InternationalConference on Mobile Computing and Networking (MobiComrsquo14) pp 593ndash604 Maui Hawaii USA September 2014

[33] J Wang X Chen D Fang C Q Wu Z Yang and T XingldquoTransferring compressive-sensing-based device-free localiza-tion across target diversityrdquo IEEE Transactions on IndustrialElectronics vol 62 no 4 pp 2397ndash2409 2015

[34] J Wang and D Katabi ldquoDude wherersquos my card RFID posi-tioning that works with multipath and non-line of sightrdquo inProceedings of the Conference on Applications Technologies

Architectures and Protocols for Computer Communication (SIG-COMM rsquo13) pp 51ndash62 ACM August 2013

[35] S Kullback and R A Leibler ldquoOn information and sufficiencyrdquoThe Annals of Mathematical Statistics vol 22 no 1 pp 79ndash861951

[36] S Kullback ldquoLetter to the editor the kullback-leibler distancerdquoThe American Statistician vol 41 no 4 pp 340ndash341 1987

[37] Y Wen X Tian X Wang and S Lu ldquoFundamental limits ofRSS fingerprinting based indoor localizationrdquo in Proceedings ofthe IEEEConference on Computer Communications (INFOCOMrsquo15) pp 2479ndash2487 Hong Kong May 2015

[38] HHan F Xu C C Tan Y Zhang andQ Li ldquoDefending againstvehicular rogue apsrdquo in Proceedings of the IEEE INFOCOM pp1665ndash1673 April 2011

Submit your manuscripts athttpswwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014


Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications


Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia


Biomedical Imaging


ArtificialNeural Systems

Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in



This paper introduces a novel method for detecting Evil-Twin APs Our approach targets smart homes Our approachexploits the following observations (1) the position of an APis often fixed in a smart home environment (2) the receivedsignal strength indicator (RSSI) of a fixed AP is relativelystable We consider the RSSI signal as the fingerprint ofa genuine AP and use this information to identify rogueAPs One of the advantages of our approach is that we donot require any additional sensoractuator infrastructureInstead we first use the stable RSSI to estimate the distancebetween the signal point and the receiving point [19ndash27] andthen use the distance to detect rogue Evil-Twin APsWe showthat our approach achieves on average a successful rate of over90 with a one-off connection delay of less than 20 seconds

The main contribution of this paper is a novel Evil-Twinattack detection system based on RSSI We have shown thatRSSI is a viable means for detecting rogue APs in smart homeenvironments Although our approach is evaluated in a smarthome environment similar ideas can be expanded to otherWi-Fi environments

2 Background

SSID and BSSID are always used to identify Wi-Fi hot pointsince the protocol 80211 does not define a strong sign todo it In fact both of them could be easily got by attackerbecause the wireless network not only shares the media butalso cannot control the signal range Although the accesspoint is protected by password and sophisticated encryptionfor an experienced attacker it is not difficult to crack itduring a short timeThe original 80211 security organizationthat try to solve these problems was the Wired EquivalentPrivacy (WEP) In spite of having mechanisms to provideauthentication confidentiality and data integrity WEP wasfound to be unsafe and trivially cracked after an attacker hasgathered enough frames with the same initialization vector[28] By actively accelerating the gather of frames the latestWEP attack is able to complete breaking of WEP in under aminute [29] WEP is increasingly being replaced by the Wi-Fi Protected Access (WPA) Nevertheless to hold backwardcompatibility WPA has not totally solved some securityproblems Because control and management frames can betricked and faked even with WPA enabled wireless LocalArea Networks (LANS) reserve impressionable to identityattacks and denial of service attacks [12] Once the attackergot the password they will soon forge the same one calledthe Evil-Twin AP (ie the rogue or fake AP) which is noteasily recognized by user Over the past few years this kindof attack mainly exists in some public environments such asairports and cafes However as the development of the IoTnowadays gigantic crowd-sourced data from mobile deviceshave become widely available in social networks [30] theattack value of private Wi-Fi rises rapidly and the attackdevelops towards the private Wi-Fi in the smart home andother environments such as privacy concerns that becomeevident on the cloud because there are a lot of private data inmultimedia data sets [31]Once the user connects the networkto the fake AP the intruder can control the network environ-ment of the user and further privacy sniffing malicious data

tampering and other advanced attacks can be realized Thebehavior of the intelligent device even can be controlled forinstance opening or closing an intelligent lock

According to the IEEE 80211 standard when there aremultiple APs nearby the one with the strongest signal isto be chosen [16] So the fake AP is always putting at thenearest of attack target in order to be chosen This kind ofattack can be called Fishing which contains active Fishingand passive Fishing Passive Fishing is named because thefake AP is just waiting for the connection from the terminalThis kind of attack cannot easily be found since it does notaffect the Real AP at the same time the attack successful rateis not high Active Fishing means that to connect with theterminal fake AP cut the connection between Real AP andthe terminal by Evil-Twin attack Such attack can be carriedout to precise attacks without affecting the other equipmentexcept the target

3 Attacking Scenarios

Attacking Scenarios Figure 1 illustrates the scenarios wherethe Evil-Twin attack can be applied Evil-Twin is designedto look like real Wi-Fi hotspots In those scenarios theadversary is able to set a fake AP to launch an Evil-Twinattack from a laptop Its signal might be stronger to the victimthan the Real AP Once disconnected from the legitimateReal AP the tool then forces offline computers and devices toautomatically reconnect to the Evil-Twin allowing the hackerto intercept all the traffic to that deviceWhen people in smarthomes are using the Internet through an Evil-Twin theycan unknowingly expose their passwords and other sensitiveonline data to hackers According to the Wi-Fi Alliancea sophisticated Evil-Twin can even control what websitesappear when users access the Internet That allows hackersto capture their passwords

Our Assumptions Our attacks require the adversary to setup the Evil-Twin at different locations We believe that theadversary may not set the fake AP very close to the smarthomes in order to avoid being caught If a profile for thelegitimate AP exists the client device will automaticallyconnect to the faked AP

4 DRET Overview

Figure 2 is shown as the overview of DRET System DRETis a system that helps wireless home owner to discoverand prevent evil access points (AP) from attacking wirelessusers The application can be run in regular intervals toprotect your wireless network from Evil-Twin attacks Byconfiguring the tool you can get notifications sent to youralarm signal whenever an evil access point is discoveredAdditionally you can configure DRET to performDoS on thelegitimate wireless users to prevent them from connectingto the discovered evil AP in order to give the administratormore time to react However notice that the DoS will onlybe performed for evil APs which have the same SSID butdifferent BSSID (APrsquosMACaddress) or running on a different


Facebook

Twitter

Fake AP

Attacker

Real AP

Smarthomes

Wi-Fi




SDSP


Position RSSI

4

3

2

1

Output result


position SDMP


position MDMP

Output result




5 Preliminaries



RAP1

RAP2FAP1

FAP2

Detector2

Detector1

D1

D2

D3

D1998400

D2998400

D3998400















0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01244

5

(a)

0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01214

5

(b)

0 10 20

40

60

80

100

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 100

120582 = 01214

(c)


y

xa

bc

d

AP

y

xa

bc

d





0

005

01

Prob

abili

ty






Y1 Y2 Y3

Real AP Fake APA

B

C

X


minus50dBminus50dB

minus75dBminus75dB





















Real AP

O4

O2

O

O5

AP2

O1AP1

AP3O3

Fake AP

Attacker

Real AP

550000

Fake APReference AP


Record

Similaritycalculate

Reference AP

Target AP

Safety

1 1 1

2

3

1 112

4

5

27 29 44


(MACn RSSIn)

RSSI feature sets

Feature

collectionDetection


L1

Lm

RSSI0

Locationmodule









0 500 1000 1500 2000 2500 3000

RSSI


minus20

minus40

minus60

minus80

minus100


0 500 1000 1500 2000 2500 30000

200

400

600

800

Varia

nce










0 500 1000 1500 2000 2500 3000

0

20

Varia

nce i

ncre

men

t

minus20

minus40









015

01

005

00 50 100 150 200

(a)

015

01

005

00 50 100 150 200

(b)




Dist (119877119879 119877119869) = radic 119871sum119894=1

(rssi119894119879 minus rssi119894119869)2 (4)


Dist119879 = min[Dist (119877119879 119877119869)119871 ] (5)





119863KL (119875 119876) = sum119875 (119894) ln 119875 (119894)119876 (119894) (7)


Dist (119877119879 119877119869) = 119863KL (119877119879 119877119869)= 0sum

rssi=minus100




(9)










[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)



(11)















240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




Facebook

Twitter

Fake AP

Attacker

Real AP

Smarthomes

Wi-Fi




SDSP


Position RSSI

4

3

2

1

Output result


position SDMP


position MDMP

Output result




5 Preliminaries



RAP1

RAP2FAP1

FAP2

Detector2

Detector1

D1

D2

D3

D1998400

D2998400

D3998400















0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01244

5

(a)

0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01214

5

(b)

0 10 20

40

60

80

100

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 100

120582 = 01214

(c)


y

xa

bc

d

AP

y

xa

bc

d





0

005

01

Prob

abili

ty






Y1 Y2 Y3

Real AP Fake APA

B

C

X


minus50dBminus50dB

minus75dBminus75dB





















Real AP

O4

O2

O

O5

AP2

O1AP1

AP3O3

Fake AP

Attacker

Real AP

550000

Fake APReference AP


Record

Similaritycalculate

Reference AP

Target AP

Safety

1 1 1

2

3

1 112

4

5

27 29 44


(MACn RSSIn)

RSSI feature sets

Feature

collectionDetection


L1

Lm

RSSI0

Locationmodule









0 500 1000 1500 2000 2500 3000

RSSI


minus20

minus40

minus60

minus80

minus100


0 500 1000 1500 2000 2500 30000

200

400

600

800

Varia

nce










0 500 1000 1500 2000 2500 3000

0

20

Varia

nce i

ncre

men

t

minus20

minus40









015

01

005

00 50 100 150 200

(a)

015

01

005

00 50 100 150 200

(b)




Dist (119877119879 119877119869) = radic 119871sum119894=1

(rssi119894119879 minus rssi119894119869)2 (4)


Dist119879 = min[Dist (119877119879 119877119869)119871 ] (5)





119863KL (119875 119876) = sum119875 (119894) ln 119875 (119894)119876 (119894) (7)


Dist (119877119879 119877119869) = 119863KL (119877119879 119877119869)= 0sum

rssi=minus100




(9)










[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)



(11)















240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




RAP1

RAP2FAP1

FAP2

Detector2

Detector1

D1

D2

D3

D1998400

D2998400

D3998400















0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01244

5

(a)

0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01214

5

(b)

0 10 20

40

60

80

100

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 100

120582 = 01214

(c)


y

xa

bc

d

AP

y

xa

bc

d





0

005

01

Prob

abili

ty






Y1 Y2 Y3

Real AP Fake APA

B

C

X


minus50dBminus50dB

minus75dBminus75dB





















Real AP

O4

O2

O

O5

AP2

O1AP1

AP3O3

Fake AP

Attacker

Real AP

550000

Fake APReference AP


Record

Similaritycalculate

Reference AP

Target AP

Safety

1 1 1

2

3

1 112

4

5

27 29 44


(MACn RSSIn)

RSSI feature sets

Feature

collectionDetection


L1

Lm

RSSI0

Locationmodule









0 500 1000 1500 2000 2500 3000

RSSI


minus20

minus40

minus60

minus80

minus100


0 500 1000 1500 2000 2500 30000

200

400

600

800

Varia

nce










0 500 1000 1500 2000 2500 3000

0

20

Varia

nce i

ncre

men

t

minus20

minus40









015

01

005

00 50 100 150 200

(a)

015

01

005

00 50 100 150 200

(b)




Dist (119877119879 119877119869) = radic 119871sum119894=1

(rssi119894119879 minus rssi119894119869)2 (4)


Dist119879 = min[Dist (119877119879 119877119869)119871 ] (5)





119863KL (119875 119876) = sum119875 (119894) ln 119875 (119894)119876 (119894) (7)


Dist (119877119879 119877119869) = 119863KL (119877119879 119877119869)= 0sum

rssi=minus100




(9)










[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)



(11)















240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01244

5

(a)

0 10 15 20

80

100

120

140

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 1

120582 = 01214

5

(b)

0 10 20

40

60

80

100

Distance (m)

Atte

nuat

ion

(dB)

GtGr = 100

120582 = 01214

(c)


y

xa

bc

d

AP

y

xa

bc

d





0

005

01

Prob

abili

ty






Y1 Y2 Y3

Real AP Fake APA

B

C

X


minus50dBminus50dB

minus75dBminus75dB





















Real AP

O4

O2

O

O5

AP2

O1AP1

AP3O3

Fake AP

Attacker

Real AP

550000

Fake APReference AP


Record

Similaritycalculate

Reference AP

Target AP

Safety

1 1 1

2

3

1 112

4

5

27 29 44


(MACn RSSIn)

RSSI feature sets

Feature

collectionDetection


L1

Lm

RSSI0

Locationmodule









0 500 1000 1500 2000 2500 3000

RSSI


minus20

minus40

minus60

minus80

minus100


0 500 1000 1500 2000 2500 30000

200

400

600

800

Varia

nce










0 500 1000 1500 2000 2500 3000

0

20

Varia

nce i

ncre

men

t

minus20

minus40









015

01

005

00 50 100 150 200

(a)

015

01

005

00 50 100 150 200

(b)




Dist (119877119879 119877119869) = radic 119871sum119894=1

(rssi119894119879 minus rssi119894119869)2 (4)


Dist119879 = min[Dist (119877119879 119877119869)119871 ] (5)





119863KL (119875 119876) = sum119875 (119894) ln 119875 (119894)119876 (119894) (7)


Dist (119877119879 119877119869) = 119863KL (119877119879 119877119869)= 0sum

rssi=minus100




(9)










[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)



(11)















240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




Y1 Y2 Y3

Real AP Fake APA

B

C

X


minus50dBminus50dB

minus75dBminus75dB





















Real AP

O4

O2

O

O5

AP2

O1AP1

AP3O3

Fake AP

Attacker

Real AP

550000

Fake APReference AP


Record

Similaritycalculate

Reference AP

Target AP

Safety

1 1 1

2

3

1 112

4

5

27 29 44


(MACn RSSIn)

RSSI feature sets

Feature

collectionDetection


L1

Lm

RSSI0

Locationmodule









0 500 1000 1500 2000 2500 3000

RSSI


minus20

minus40

minus60

minus80

minus100


0 500 1000 1500 2000 2500 30000

200

400

600

800

Varia

nce










0 500 1000 1500 2000 2500 3000

0

20

Varia

nce i

ncre

men

t

minus20

minus40









015

01

005

00 50 100 150 200

(a)

015

01

005

00 50 100 150 200

(b)




Dist (119877119879 119877119869) = radic 119871sum119894=1

(rssi119894119879 minus rssi119894119869)2 (4)


Dist119879 = min[Dist (119877119879 119877119869)119871 ] (5)





119863KL (119875 119876) = sum119875 (119894) ln 119875 (119894)119876 (119894) (7)


Dist (119877119879 119877119869) = 119863KL (119877119879 119877119869)= 0sum

rssi=minus100




(9)










[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)



(11)















240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




Real AP

O4

O2

O

O5

AP2

O1AP1

AP3O3

Fake AP

Attacker

Real AP

550000

Fake APReference AP


Record

Similaritycalculate

Reference AP

Target AP

Safety

1 1 1

2

3

1 112

4

5

27 29 44


(MACn RSSIn)

RSSI feature sets

Feature

collectionDetection


L1

Lm

RSSI0

Locationmodule









0 500 1000 1500 2000 2500 3000

RSSI


minus20

minus40

minus60

minus80

minus100


0 500 1000 1500 2000 2500 30000

200

400

600

800

Varia

nce










0 500 1000 1500 2000 2500 3000

0

20

Varia

nce i

ncre

men

t

minus20

minus40









015

01

005

00 50 100 150 200

(a)

015

01

005

00 50 100 150 200

(b)




Dist (119877119879 119877119869) = radic 119871sum119894=1

(rssi119894119879 minus rssi119894119869)2 (4)


Dist119879 = min[Dist (119877119879 119877119869)119871 ] (5)





119863KL (119875 119876) = sum119875 (119894) ln 119875 (119894)119876 (119894) (7)


Dist (119877119879 119877119869) = 119863KL (119877119879 119877119869)= 0sum

rssi=minus100




(9)










[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)



(11)















240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




0 500 1000 1500 2000 2500 3000

RSSI


minus20

minus40

minus60

minus80

minus100


0 500 1000 1500 2000 2500 30000

200

400

600

800

Varia

nce










0 500 1000 1500 2000 2500 3000

0

20

Varia

nce i

ncre

men

t

minus20

minus40









015

01

005

00 50 100 150 200

(a)

015

01

005

00 50 100 150 200

(b)




Dist (119877119879 119877119869) = radic 119871sum119894=1

(rssi119894119879 minus rssi119894119869)2 (4)


Dist119879 = min[Dist (119877119879 119877119869)119871 ] (5)





119863KL (119875 119876) = sum119875 (119894) ln 119875 (119894)119876 (119894) (7)


Dist (119877119879 119877119869) = 119863KL (119877119879 119877119869)= 0sum

rssi=minus100




(9)










[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)



(11)















240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




015

01

005

00 50 100 150 200

(a)

015

01

005

00 50 100 150 200

(b)




Dist (119877119879 119877119869) = radic 119871sum119894=1

(rssi119894119879 minus rssi119894119869)2 (4)


Dist119879 = min[Dist (119877119879 119877119869)119871 ] (5)





119863KL (119875 119876) = sum119875 (119894) ln 119875 (119894)119876 (119894) (7)


Dist (119877119879 119877119869) = 119863KL (119877119879 119877119869)= 0sum

rssi=minus100




(9)










[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)



(11)















240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in







[119877119869 (1199031119869 1199032119869 119903119871119869) 1198771015840119869 (1199030119869)] (10)



(11)















240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




240200401

40

20

0

Del

ay ti

me (

s)

120Window size

F minus R = 25

F minus R = 15

(a)

0

02

04

06

08

1

240200120401 80 160Window size

Accu

racy

rate

(b)


Accu

racy

rate

Threshold

1

05


F minus R = 15

F minus R = 10









Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




Miss

ing

rate

1

05

0

1

05

00 5 10 15 200 5 10 15 20

Accu

racy

rate

F minus R F minus R



8 Related Work








9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in





9 Conclusions


Competing Interests


Acknowledgments


References

















































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in



research article exploiting wireless received …research article exploiting wireless received...

Documents