
TwinGuard

Overview flowchart. Subsystems 1, 2 and 3 are Detection subsystems; Subsystems 4 and 5 are Mitigation subsystems.

1. Scanning: each of Subsystems 1 to 5 scans.
2. Send captured packets to cloud.
3. Analyzing: Detection Subsystems 1, 2 and 3 analyze the captured packets.
4. Detection Subsystem X detected the Evil Twin.
5. Share the Evil Twin details with Mitigation Subsystems 4 and 5 and publish the Evil Twin details on the website.
6. Mitigation Subsystem 4 Analyzing: detecting potentially compromised users.
7. Mitigation Subsystem 5 Analyzing: detecting the Evil Twin location.
Detection Subsystem 1 (flowchart)

1. Start of Detection Subsystem 1.
2. Capture all the Beacon packets.
3. Send captured packets to cloud.
4. Analyze each Beacon packet.
5. Is the captured beacon relevant to the enterprise?
   No: Discard the packet.
   Yes: continue.
6. Retrieve packet parameters: MAC Address, Auth Algorithm, Encryption Algorithm(s) and Cipher Algorithm(s).
7. Compare the retrieved packet parameters with the corresponding entries in the whitelist for the associated MAC Address.
8. Is the MAC Address in the whitelist?
   No: Evil Twin Detected.
   Yes: continue.
9. Did the values match?
   Yes: Discard the packet.
   No: Evil Twin Detected.
10. On Evil Twin Detected: share the Evil Twin details with Mitigation Subsystems 4 and 5 and publish the Evil Twin details on the website.
Detection Subsystem 2 (flowchart)

1. Start of Detection Subsystem 2.
2. Send Probe requests to all APs and store the Probe response packets.
3. Send stored Probe response packets to cloud.
4. Analyze Probe response packets and count duplicate MAC Addresses.
5. Are there duplicate MAC Addresses?
   No: Discard the packets.
   Yes: continue.
6. Is the duplicate MAC Address in the whitelist?
   No: Discard the packets.
   Yes: Evil Twin Detected.
7. On Evil Twin Detected: share the Evil Twin details with Mitigation Subsystems 4 and 5 and publish the Evil Twin details on the website.


Detection Subsystem 3 (flowchart)

1. Start of Detection Subsystem 3.
2. Capture beacon packets by listening on each channel for 10 seconds.
3. Send captured packets to cloud.
4. Analyze the captured packets and extract the number of Beacons for each MAC Address in the whitelist.
5. Are there any MAC addresses with more than 120 beacon packets?
   No: Discard the packets.
   Yes: Evil Twin Detected.
6. On Evil Twin Detected: share the Evil Twin details with Mitigation Subsystems 4 and 5 and publish the Evil Twin details on the website.
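
The three detection checks above as a runnable sketch (an added example, not TwinGuard's own code). The record field names, the SSID-based relevance test, the whitelist contents and the reading that one stored Probe response corresponds to one responding AP are assumptions; the 120-beacon threshold comes from the flowchart.

```python
from collections import Counter

BEACON_LIMIT = 120  # threshold from the Detection Subsystem 3 flowchart
PARAMS = ("auth", "enc", "cipher")  # assumed field names for the compared parameters
ENTERPRISE_SSIDS = {"CorpNet"}  # assumption: "relevant" means the SSID is ours
WHITELIST = {  # constructed entries: MAC address -> expected parameters
    "aa:bb:cc:00:00:01": {"auth": "WPA2-EAP", "enc": "RSN", "cipher": "CCMP"},
    "aa:bb:cc:00:00:02": {"auth": "WPA2-EAP", "enc": "RSN", "cipher": "CCMP"},
}

def check_beacon(beacon):
    """Detection Subsystem 1: compare one beacon with its whitelist entry."""
    if beacon["ssid"] not in ENTERPRISE_SSIDS:
        return "discard"  # beacon is not relevant to the enterprise
    expected = WHITELIST.get(beacon["mac"])
    if expected is None:
        return "evil_twin"  # MAC address is not in the whitelist
    observed = {k: beacon[k] for k in PARAMS}
    return "discard" if observed == expected else "evil_twin"

def duplicate_whitelisted_macs(probe_responses):
    """Detection Subsystem 2: whitelisted MACs seen in more than one response."""
    counts = Counter(r["mac"] for r in probe_responses)
    return sorted(m for m, n in counts.items() if n > 1 and m in WHITELIST)

def excessive_beacon_macs(beacons):
    """Detection Subsystem 3: whitelisted MACs with more than BEACON_LIMIT beacons."""
    counts = Counter(b["mac"] for b in beacons if b["mac"] in WHITELIST)
    return sorted(m for m, n in counts.items() if n > BEACON_LIMIT)

def beacon(mac, ssid="CorpNet", auth="WPA2-EAP", enc="RSN", cipher="CCMP"):
    """Build a constructed beacon record for the demonstration below."""
    return {"mac": mac, "ssid": ssid, "auth": auth, "enc": enc, "cipher": cipher}

if __name__ == "__main__":
    ap1, ap2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    print(check_beacon(beacon(ap1)))
    print(check_beacon(beacon(ap1, auth="Open", enc="None", cipher="None")))
    print(duplicate_whitelisted_macs([{"mac": ap1}, {"mac": ap1}, {"mac": ap2}]))
    # Constructed capture: 196 beacons carrying ap1's MAC, 98 carrying ap2's
    print(excessive_beacon_macs([beacon(ap1)] * 196 + [beacon(ap2)] * 98))
```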


Mitigation Subsystem 1 (flowchart)

1. Start of Mitigation Subsystem 1.
2. Extract source and destination MAC addresses from Probe response packets in Detection Subsystem one's captured file.
3. Send source and destination MAC Addresses to cloud.
4. Analyze the MAC Addresses and check whether any of the source MAC Addresses are identified as an Evil Twin.
5. MAC identified?
   No: Discard the packets.
   Yes: Potential Compromised User identified.
6. Publish the destination MAC Address on the website as potentially compromised user.


Mitigation Subsystem 2 (flowchart)

1. Start of Mitigation Subsystem 2.
2. Each Raspberry Pi performs 5 scans and averages the RSSIs of nearby APs.
3. Send averaged packets to cloud, containing their ID, MAC and RSSI.
4. Analyze the MAC Addresses and check whether any of them is identified as an Evil Twin.
5. MAC identified?
   No: Discard the packets.
   Yes: continue.
6. Was this MAC and ID pair evaluated before?
   Yes: Reset all counters of current Raspberry Pi.
   No: continue.
7. Open corresponding Raspberry Pi Excel sheet and find closest room's RSSI to the packet RSSI.
8. Mark that room as likely room for that Raspberry Pi.
9. Reset combined counter and compute it again by adding up identical room counters across all Raspberry Pi counters.
10. Assign the highest room count as most likely room.
11. Trigger a new alert and display results on the website.
