WIDS/WIPS & Rogue AP Detection
Wireless Intrusion Detection/Prevention Systems monitor the RF environment for unauthorised devices, attack signatures, and policy violations. WIDS detects and alerts; WIPS adds active containment. Understanding their detection methods - and their fundamental limitations - is the first step toward accurate rogue AP analysis.
WIDS vs WIPS - What Each System Does
Rogue AP Classification - 4 Types
Not every unrecognised AP is a threat. Accurate classification determines response priority. Misclassifying a neighbouring organisation's AP as malicious wastes analyst time and may trigger inappropriate containment.
An unrecognised AP connected to your wired network without authorisation. Could be an employee who brought in a home router, or a deliberate attacker. Confirmed via wired-side ARP correlation.
Active attack tool: Evil Twin (clone of your SSID+BSSID), Karma AP (responds to any probe), deauth flood source, or PMKID harvester. Distinguished from rogue by active attack behaviour.
An AP visible in your RF environment but NOT connected to your network. A neighbouring office, apartment, or retail shop. Not a threat - but contributes to CCI and should be monitored.
A device acting as an AP (phone hotspot, Windows mobile hotspot, soft-AP). Not connected to your wired network but potentially circumventing your security perimeter if clients connect to it.
Commercial WIDS/WIPS platforms produce binary verdicts: Rogue or Legitimate. In dense enterprise deployments - multi-tenant buildings, hospital campuses, university networks - a single AP may exhibit characteristics of both a neighbouring-organisation AP (Interfering) and a misconfigured corporate AP simultaneously. Binary classification forces a verdict that is often wrong, generating false positives that erode analyst trust over time.
Detection Methods - From RF to Wired Side
Compare the observed BSSID against the authorised AP whitelist (MAC address database). First-line detection. Effective against casual rogues, not against determined attackers who randomise their MAC (locally-administered bit, bit 1 of the first octet, set to 1).
Scan switch ARP/MAC tables for BSSIDs observed in the RF environment. If a BSSID seen over-the-air matches a MAC in the wired ARP table, the AP is physically connected to your network - confirmed rogue. This is the gold standard for distinguishing Rogue from Interfering.
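The wired-side check above is mostly bookkeeping, but two details trip up hand-rolled versions: switch CLIs print MACs in a different format from sniffers (Cisco dotted `aabb.ccdd.eeff` versus colon-separated), and many APs derive per-radio BSSIDs from the wired base MAC by a small offset, so an exact match is not the only useful signal. The following is an added example, not code from the page or from any WIPS product; the ARP output and BSSIDs are constructed sample data, and the near-match heuristic is an assumption to be verified on site rather than a confirmation.

```python
"""Wired-side correlation: which over-the-air BSSIDs also appear in a switch ARP table?"""
import re


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return digits.lower()


def parse_ios_arp(text: str) -> dict:
    """Parse 'show ip arp' style lines into {mac: {'ip': ..., 'iface': ...}}; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "Internet":
            table[normalise_mac(parts[3])] = {"ip": parts[1], "iface": parts[5]}
    return table


def correlate(bssids, arp: dict, last_octet_tolerance: int = 0) -> dict:
    """Exact hit -> 'on-wire' (confirmed rogue, with the switch interface).
    With a tolerance > 0, a wired MAC sharing the first five octets and differing in the last
    by <= tolerance is reported as 'near-match' (assumption: BSSIDs are often the wired base
    MAC plus a small offset; a lead to verify, not proof). Otherwise 'not-on-wire' (Interfering)."""
    verdicts = {}
    for bssid in bssids:
        m = normalise_mac(bssid)
        if m in arp:
            verdicts[bssid] = ("on-wire", arp[m]["iface"])
            continue
        near = next((w for w in arp if w[:10] == m[:10]
                     and abs(int(w[10:], 16) - int(m[10:], 16)) <= last_octet_tolerance), None)
        verdicts[bssid] = ("near-match", arp[near]["iface"]) if near else ("not-on-wire", None)
    return verdicts


# Constructed 'show ip arp' output (sample data, not from a real switch).
ARP_TEXT = """\
Protocol  Address      Age (min)  Hardware Addr   Type   Interface
Internet  10.0.50.17   2          0011.22aa.bb01  ARPA   Vlan50
Internet  10.0.50.44   0          0cd9.98f1.2233  ARPA   Vlan50
Internet  10.0.90.2    5          02de.adbe.ef01  ARPA   Vlan90
"""
# Constructed BSSIDs heard by an RF sensor.
OTA_BSSIDS = ["00:11:22:aa:bb:01", "00:11:22:aa:bb:03", "02:de:ad:be:ef:01", "a4:b1:c2:00:00:09"]

if __name__ == "__main__":
    arp = parse_ios_arp(ARP_TEXT)
    for bssid, verdict in correlate(OTA_BSSIDS, arp, last_octet_tolerance=4).items():
        print(bssid, verdict)
```

With the tolerance left at 0 only exact hits are reported, which is the conservative setting for automated port shutdown; raise it for analyst triage so that offset BSSIDs show up as leads.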
Multiple sensors observe the same AP and compare RSSI. Time Difference of Arrival (TDoA) or angle of arrival estimates give approximate location. Useful for guiding physical investigation but not reliable as a sole classification method. ±5–10 metre accuracy typical indoors.
Compare observed Beacon IEs against known AP profiles: RSN IE cipher suites, supported rates, HT/VHT/HE capabilities. Mismatches (e.g. same SSID but different RSN IE) flag potential evil twin. Your tool (F62) uses this as pillar P2 (Channel Consistency) and P4 (Beacon Timing Delta).
Evil twin APs are typically placed close to clients to force association (higher RSSI than legitimate AP). Anomalously high RSSI from an unknown AP with a known SSID is a primary evil twin indicator. Compare RSSI_suspected vs RSSI_legitimate - significant asymmetry warrants investigation.
Soft-AP implementations (hostapd, Windows Hosted Network, phone hotspots) exhibit characteristic TSF inconsistency and beacon interval jitter compared to hardware APs. Inter-beacon variance >500 µs from the declared interval is a soft-AP signature in passive PCAP capture.
Containment Methods - and Their Limits
| Method | How it works | Limitation | Legal status |
|---|---|---|---|
| Targeted Deauth | WIPS sensor sends spoofed Deauth frames to clients of the rogue AP, preventing them from staying connected. | Completely ineffective against clients with PMF (WPA3 or WPA2+PMF). As WPA3 adoption grows, this method degrades. Also requires the WIPS sensor to be within RF range. | Legal on your own network. Illegal against devices that are not on your network (Interfering APs). |
| Switch Port Shutdown | WIPS correlates rogue AP BSSID to a switch port via ARP/SNMP, then shuts down that port via SNMP write or vendor API. | Requires network management access. If AP is on a secondary VLAN or behind another device, correlation may fail. Does not work for wireless rogues not physically connected (Ad-hoc, Interfering). | Legal and preferred - targets only confirmed wired rogue. |
| RF Jamming | WIPS sensor transmits high-power interference on the rogue AP's channel to make the medium unusable. | Indiscriminate - affects legitimate users on the same channel. Produces its own CCI. Highly unreliable in practice. | Illegal in most jurisdictions including US (FCC Part 97 prohibits intentional interference). Do not use. |
| DHCP Starvation | WIPS exhausts the DHCP pool on the rogue AP's subnet to prevent clients from obtaining addresses. | Requires knowledge of the rogue AP's DHCP server. Only works for Layer 3 connectivity - clients may still associate. | Legal in some configurations on your own network - complex. |
PCAP-Based Detection - The Layer-2 Advantage
Commercial WIDS/WIPS platforms (Cisco CleanAir, Aruba RFProtect, Juniper Mist AI) operate primarily at the controller or cloud level - correlating RSSI and MAC data from APs. They do not parse 802.11 management frame fields at the byte level. A 2025 analysis confirmed that standard NIDS (Suricata, Snort operating at L3+) are completely blind to evil twin attacks at the 802.11 MAC layer - they cannot see Beacon frame content, RSN IE fields, or deauth reason codes.
Evil twins frequently use locally-administered MACs (bit 1 of first byte = 1) or OUIs not in the IEEE registry. Score 0 = registered OUI; score 1 = unregistered or locally-administered.
Soft-AP implementations exhibit cross-field channel inconsistency: the channel announced in the DS Parameter Set IE does not match the channel the frame was actually captured on (from the radiotap header). Hardware APs keep these aligned.
Evil twins move close to clients to force association - anomalously high RSSI compared to the legitimate AP advertising the same SSID. A delta >15 dBm where unknown AP is stronger warrants investigation.
Passive PCAP: measure the actual inter-beacon interval and compare it to the declared beacon interval (100 TU = 102.4 ms nominal). hostapd and other soft-APs exhibit characteristic jitter (>1 ms variance) that hardware APs do not.
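The four pillars above (OUI, channel consistency, RSSI asymmetry, beacon timing) plus the RSN IE comparison from the detection-methods list all depend on reading beacon fields at the byte level, which is exactly what controller-side WIPS does not do. The following is an added example written for this page, not the page's own tool or any vendor's code: it parses raw 802.11 beacon bytes (MAC header, fixed parameters, IE list) and scores each pillar against a legitimate AP with the same SSID. The radiotap header is not parsed; RSSI and the capture channel are passed in as values the capture layer already supplies. `KNOWN_OUIS` is a constructed stand-in for an IEEE registry lookup, and the two beacon series are constructed test frames, not captured traffic.

```python
"""Frame-level pillar scoring for a suspected evil twin, from raw 802.11 beacon bytes."""
import struct
from dataclasses import dataclass, field

# Constructed stand-in for an IEEE OUI registry lookup; a real tool queries the MA-L list.
KNOWN_OUIS = {"00:11:22"}
TU_US = 1024  # one 802.11 time unit in microseconds


@dataclass
class Beacon:
    bssid: str
    tsf_us: int                              # 64-bit TSF timestamp from the fixed parameters
    interval_tu: int                         # declared beacon interval
    ies: dict = field(default_factory=dict)  # element id -> raw body bytes
    rssi_dbm: int = 0                        # from the capture layer (radiotap), not parsed here
    radio_channel: int = 0                   # channel the capture radio was actually tuned to


def parse_beacon(frame: bytes, rssi_dbm: int, radio_channel: int) -> Beacon:
    """Parse MAC header, fixed params and the IE list of a beacon (no radiotap header)."""
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:        # type 0 / subtype 8 = beacon
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])    # addr3 carries the BSSID
    tsf, interval, _cap = struct.unpack_from("<QHH", frame, 24)
    ies, pos = {}, 36
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) != elen:
            break                                         # truncated element: stop, don't misparse
        ies[eid] = body
        pos += 2 + elen
    return Beacon(bssid, tsf, interval, ies, rssi_dbm, radio_channel)


def oui_pillar(bssid: str) -> int:
    """P1: 1 if locally-administered (bit 1 of octet 0) or the OUI is not in the registry."""
    if int(bssid[:2], 16) & 0x02:
        return 1
    return 0 if bssid[:8] in KNOWN_OUIS else 1

def channel_pillar(b: Beacon) -> int:
    """P2: 1 if the DS Parameter Set channel disagrees with the channel the frame was heard on."""
    ds = b.ies.get(3)
    return 0 if ds is not None and len(ds) == 1 and ds[0] == b.radio_channel else 1

def rssi_pillar(suspect: Beacon, legit: Beacon, delta_dbm: int = 15) -> int:
    """P3: 1 if the unknown AP is more than delta_dbm stronger than the legitimate one."""
    return 1 if suspect.rssi_dbm - legit.rssi_dbm > delta_dbm else 0

def timing_pillar(beacons: list, jitter_us: int = 1000) -> int:
    """P4: 1 if any inter-beacon gap deviates from the declared interval by more than jitter_us."""
    if len(beacons) < 2:
        return 0
    declared = beacons[0].interval_tu * TU_US
    gaps = [b2.tsf_us - b1.tsf_us for b1, b2 in zip(beacons, beacons[1:])]
    return 1 if max(abs(g - declared) for g in gaps) > jitter_us else 0

def rsn_pillar(suspect: Beacon, legit: Beacon) -> int:
    """Same SSID but a different RSN IE (element 48) is the classic evil-twin fingerprint."""
    return 0 if suspect.ies.get(48) == legit.ies.get(48) else 1

def score(suspect: list, legit: list) -> dict:
    """Pillar vector for a suspect BSSID against the legitimate AP advertising the same SSID."""
    return {"oui": oui_pillar(suspect[0].bssid), "channel": channel_pillar(suspect[0]),
            "rssi": rssi_pillar(suspect[0], legit[0]), "timing": timing_pillar(suspect),
            "rsn": rsn_pillar(suspect[0], legit[0])}


def build_beacon(bssid: str, ssid: str, channel: int, tsf_us: int,
                 interval_tu: int = 100, rsn: bytes = b"") -> bytes:
    """Constructed beacon bytes for testing; not captured traffic."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"   # FC, dur, DA, SA, BSSID, seq
    fixed = struct.pack("<QHH", tsf_us, interval_tu, 0x0411)           # TSF, interval, capabilities
    ies = bytes([0, len(ssid)]) + ssid.encode()                         # SSID
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])                        # supported rates
    ies += bytes([3, 1, channel])                                       # DS Parameter Set
    if rsn:
        ies += bytes([48, len(rsn)]) + rsn                              # RSN IE
    return hdr + fixed + ies

RSN_CCMP = bytes.fromhex("0100000fac040100000fac040100000fac020000")   # WPA2-PSK, CCMP
RSN_TKIP = bytes.fromhex("0100000fac020100000fac020100000fac020000")   # WPA2-PSK, TKIP
# Legitimate AP: registered OUI, announces 6 and heard on 6, -60 dBm, beacons within ~50 us of 102.4 ms.
LEGIT = [parse_beacon(build_beacon("00:11:22:aa:bb:01", "CorpWiFi", 6, t, rsn=RSN_CCMP), -60, 6)
         for t in (0, 102_430, 204_790)]
# Suspect: locally-administered MAC, announces 6 but heard on 11, -35 dBm, 1.6 ms beacon jitter.
SUSPECT = [parse_beacon(build_beacon("02:11:22:aa:bb:01", "CorpWiFi", 6, t, rsn=RSN_TKIP), -35, 11)
           for t in (0, 104_000, 206_000)]

if __name__ == "__main__":
    print(score(SUSPECT, LEGIT))   # all five pillars fire
    print(score(LEGIT, LEGIT))     # baseline against itself: none fire
```

The thresholds (15 dBm, 1 ms) are the ones stated on this page; the TSF arithmetic assumes consecutive beacons from the same BSSID, so group frames by BSSID before calling `timing_pillar` on a real capture.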
In a PCAP from a controlled evil twin scenario: 11 of 14 suspected BSSIDs returned confident singleton detections; 2 returned ambiguous sets {Rogue, Misconfigured} reflecting genuine uncertainty (legitimate AP with non-standard configuration); 1 was correctly identified as a neighbouring-organisation AP. A binary classifier would have flagged that last AP as a false positive, increasing investigation load by 21% unnecessarily.
The Binary Verdict Problem
Every commercial WIDS/WIPS and every published open-source rogue AP detector produces a binary verdict: Rogue or Legitimate. In ambiguous cases - misconfigured corporate APs, dual-homed devices, neighbouring-network APs with similar configurations - this forced binary output is frequently wrong, generating false positives that cause operator alert fatigue.
Forces a verdict even when evidence is ambiguous. A misconfigured enterprise AP may score similarly to an evil twin on OUI and RSSI pillars. A neighbouring-organisation AP may appear rogue due to channel mismatch.
Returns the smallest set of labels whose combined posterior probability meets analyst-specified threshold β. When evidence is genuinely ambiguous, returns an ambiguous set rather than forcing an incorrect singleton - preserving analyst information.
The detection threshold β is operator-configurable per deployment context. Financial institution security (β = 0.99): only flag APs with near-certain rogue evidence. Field triage (β = 0.80): flag anything with moderate suspicion. Reducing β collapses ambiguous sets to singletons - enabling the classic precision/recall tradeoff with explicit confidence control rather than implicit threshold tuning. No existing commercial WIDS/WIPS platform provides this mechanism.
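The set-valued verdict and the β knob are easier to reason about in code than in prose. The following is an added example, not the page's own classifier: the posterior is derived from a constructed naive-Bayes likelihood table over the four pillars (the page does not say how its posteriors are computed, so that part is an assumption), and the prediction set is built exactly as described above, adding labels in decreasing posterior order until the cumulative mass reaches β. The label set uses the names that appear on this page.

```python
"""Set-valued rogue AP classification: smallest label set whose posterior mass reaches beta."""
from math import prod

LABELS = ("Rogue", "Misconfigured", "Interfering", "Ad-hoc")
PILLARS = ("oui", "channel", "rssi", "timing")
# Constructed P(pillar fires | label); a deployment would fit these from labelled captures.
LIKELIHOOD = {
    "Rogue":         {"oui": 0.8, "channel": 0.7, "rssi": 0.8, "timing": 0.7},
    "Misconfigured": {"oui": 0.1, "channel": 0.5, "rssi": 0.3, "timing": 0.1},
    "Interfering":   {"oui": 0.2, "channel": 0.2, "rssi": 0.2, "timing": 0.2},
    "Ad-hoc":        {"oui": 0.9, "channel": 0.3, "rssi": 0.2, "timing": 0.9},
}


def posterior(evidence: dict, prior: dict = None) -> dict:
    """Naive-Bayes posterior over LABELS from a binary pillar vector (uniform prior by default)."""
    prior = prior or {label: 1.0 / len(LABELS) for label in LABELS}
    joint = {}
    for label in LABELS:
        lk = LIKELIHOOD[label]
        joint[label] = prior[label] * prod(
            lk[p] if evidence[p] else 1.0 - lk[p] for p in PILLARS)
    total = sum(joint.values())
    return {label: v / total for label, v in joint.items()}


def prediction_set(post: dict, beta: float) -> frozenset:
    """Add labels in decreasing posterior order until the cumulative mass is >= beta."""
    chosen, mass = [], 0.0
    for label, p in sorted(post.items(), key=lambda kv: kv[1], reverse=True):
        chosen.append(label)
        mass += p
        if mass >= beta:
            break
    return frozenset(chosen)


def classify(evidence: dict, beta: float) -> frozenset:
    return prediction_set(posterior(evidence), beta)


# Constructed evidence vectors (1 = pillar fired).
CLEAR_TWIN = {"oui": 1, "channel": 1, "rssi": 1, "timing": 1}   # strong evil-twin evidence
AMBIGUOUS = {"oui": 0, "channel": 1, "rssi": 1, "timing": 0}    # registered OUI, odd channel, strong signal

if __name__ == "__main__":
    for beta in (0.60, 0.80, 0.99):
        print(f"beta={beta}: clear={sorted(classify(CLEAR_TWIN, beta))} "
              f"ambiguous={sorted(classify(AMBIGUOUS, beta))}")
```

With these constructed likelihoods the clear case is a singleton {Rogue} at β = 0.80 and widens to {Rogue, Ad-hoc} at β = 0.99, while the ambiguous case returns {Misconfigured, Rogue} at β = 0.80 and only collapses to {Misconfigured} at β = 0.60; the set size, not a forced label, is what tells the analyst how much the evidence supports.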
Commercial WIDS/WIPS Platforms
Dedicated 3600/3800 series RF sensors with spectrum analysis chipset. Monitors all channels simultaneously (spectrum-over-the-air). >30 threat signatures. Cross-channel deauth flood detection. Controller-integrated.
Overlay WIPS sensors or Air Monitor (AM) mode APs. Strong wired-side correlation via ARP table integration with AOS switches. Campus-optimised.
Cloud-based AI correlation on RSSI/throughput/client count telemetry. No frame-level analysis. Anomaly scoring via ML on time-series data.
Security-first architecture - tight integration with FortiGate NGFW and FortiAnalyzer SIEM. Strong for security-first deployments wanting unified threat correlation.
All platforms produce binary alerts with no confidence quantification. All require managed infrastructure - none operate from passive PCAP capture on unmanaged networks. None parse Beacon IE fields at the byte level (RSN IE cipher suites, channel fields, HT/VHT/HE capabilities) as part of classification. This is the diagnostic gap that frame-level PCAP analysis fills.