Paper 2021/1702

CheckShake: Passively Detecting Anomaly in Wi-Fi Security Handshake using Gradient Boosting based Ensemble Learning

Anand Agrawal, Urbi Chatterjee, and Rajib Ranjan Maiti


Recently, a number of attacks have been demonstrated (like key reinstallation attack, called KRACK) on WPA2 protocol suite in Wi-Fi WLAN. As the firmware of the WLAN devices in the context of IoT, industrial systems, and medical devices is often not patched, detecting and preventing such attacks is challenging. In this paper, we design and implement a system, called CheckShake, to passively detect anomalies in the handshake of Wi-Fi security protocols, in particular WPA2, between a client and an access point using COTS radios. Our proposed system works without decrypting any traffic. It passively monitors multiple wireless channels in parallel in the neighborhood and uses a state machine model to characterize and detect the attacks. In particular, we develop a state machine model for grouping Wi-Fi handshake packets and then perform deep packet inspection to identify the symptoms of the anomaly in specific stages of a handshake session. Our implementation of CheckShake does not require any modification to the firmware of the client or the access point or the COTS devices, it only requires to be physically placed within the range of the access point and its clients. We use both the publicly available dataset and our own data set for performance analysis of CheckShake. Using gradient boosting-based supervised machine learning models, we show that an accuracy around 93.39% and a false positive rate of 5.08% can be achieved using CheckShake

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
WPAWPA2Security protocols
Contact author(s)
anandgarg91 @ gmail com
2021-12-31: received
Short URL
Creative Commons Attribution


      author = {Anand Agrawal and Urbi Chatterjee and Rajib Ranjan Maiti},
      title = {CheckShake: Passively Detecting Anomaly in Wi-Fi Security Handshake using Gradient Boosting based Ensemble Learning},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1702},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.