Detection Technique and Mitigation Against a Phishing Attack

Wireless networking is a central part of daily life today, and everyone wants to be connected. Nevertheless, the rapid progress of Wi-Fi trends and technologies leads most people to pay little attention to security. Detecting a fake access point over a wireless network is also a hard security problem. All currently used methods either need hardware installation, require changing the protocol or need frame analysis, and they mainly focus on identifying a single attack. In this paper we propose an admin-side way of detecting a non-genuine access point that works against multiple cyber-attacks, especially the phishing attack. We focus on detecting WI-phishing (Evil Twin), the deauthentication attack, the KARMA attack and the advanced WI-phishing attack, and on differentiating them from normal packets, by performing frame type analysis in real time and analyzing static and dynamic parameters: any change in the static features is considered an evil twin attack, and a dynamic parameter whose value surpasses the threshold also reflects an Evil Twin. The detector has been tested experimentally and shows an average accuracy of 94.40%, an average precision of 87.08% and an average specificity of 96.39% for the five types of attack.

Keywords—Rogue access point; phishing attacks; KARMA attack; social engineering; hacking


I. INTRODUCTION AND BACKGROUND
Currently, wireless techniques help users of terminals, phones and tablets to use Internet services, in addition to being integrated into many interfaces and implementations in the field of the Internet of Things (IoT) [1]. Despite the growth of Wi-Fi technologies, users still do not care about security issues. As clients tend to be online most of the time, they are more exposed to many cyber-security attacks. All these communications go over the channel used for sending and receiving wireless waves between the access point (AP) and the user. Because of that, the attacker has no need to physically access the victim's network; he can easily sniff, eavesdrop and resend frames using off-the-shelf tools [2]. While benefiting from this technology, these vast numbers of non-smart connected cyber-physical devices have several properties that lead to critical security issues, such as node mobility, wireless communications, lack of local security features, scale and diversity. An IoT botnet attack is considered a critical attack on IoT network infrastructure that launches a distributed denial of service (DDoS) [3].
Phishing is the attempt to acquire sensitive data, or to induce somebody to react in a desired way, by posing as a trusted party in the electronic environment, for example by asking a user to tap on a link in an email, to give his Mastercard number or to enter specific data such as first name, last name, address, age and city. At that point the hacker can access and use the data. Phishing attacks can be performed through different technical strategies [2].

A. Impact on the Community and Motivation
Damage from cybercrime is expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, according to Cybersecurity Ventures [3]. Phishing attacks are the most common type of cyber-security breach, as stated by the official statistics of the Cyber Security Breaches Survey 2020 in the United Kingdom [4].
Phishing attacks merge social psychology, technical systems and security subjects. These attacks affect organizations and individuals alike; the loss for organizations is significant as it includes the recovery cost, reputation loss and productivity reduction [5]. This study contributes to solving the phishing problem and mitigating its impact on the community. Therefore, the research problem is to address the limitation of previous studies and security schemes that may offer attack detection but fail to offer it in real time over the network. The need for a solution grows with the increasing evolution of network devices and smart appliances for Wi-Fi services. Hence, this acts as a motivating factor for the work on improving the security of networks and connections addressed in this research.
The aim of this study is to improve the detection of the attack and to contribute to solving the phishing problem by presenting a solution that is low-cost and works in real time, while achieving the best performance with high accuracy. The main aims are to reduce the spread of this attack, improve the detection rate, improve accuracy, decrease false alarms and decrease the cost of the proposed method.
Therefore, this study addresses the following research questions:
• Research Question 1 (RQ1): How can administrators detect WI-phishing in real time without using special or expensive hardware?
• Research Question 2 (RQ2): How can a reliable forensic way be found to visualize the different attacks underway?
It is worth noting that in this research WI-phishing is referred to as Evil Twin (ET) or Rogue Access Point (RAP). As WI-phishing [2] or Evil Twin, the deauthentication attack [8] and the KARMA attack [9] are considered types of phishing, we focus on detecting these types. WI-phishing [2] or ET is a form of phishing over a wireless network where the phisher sits between the client and the illegitimate wireless AP, using a rogue access point as in Fig. 1.
WI-phishing is one of the most dangerous and severe attacks [10]: it deceives the user into joining a rogue access point (RAP) instead of the legitimate access point (LAP), where the RAP is a malicious device used by an adversary as if it were a real AP.
The intruder copies the configuration of one or more nearby LAPs to broadcast the same Service Set Identifier (SSID), usually with even stronger transmit power.
The deauthentication attack is when the attacker tries to sniff or break the connection between the victim and an AP by flooding the network with deauthentication frames to force the client to re-authenticate. The attacker can then record the traffic of the authentication process; this step is the base of the attack's first phase. The attacker decrypts the pre-shared secret to obtain the secret key and bypass the security encryption. The second step of the deauthentication attack is to force the client to connect to a RAP in order to sniff the whole communication, which needs special tools to be detected. The RAP based on deauthentication is perhaps the most well-known assault on Wi-Fi networks [11], as shown in Fig. 2.
The KARMA attack depends on actively scanning the WLAN [12] to collect the probe requests from users' devices and then generating a corresponding probe response as if the requested WLAN were nearby. With the enormous growth of the digital era, many people keep their own Wi-Fi settings in their devices so that the device automatically connects to a known network when it is nearby; devices send probe requests in probe frames to verify the existence of a network, since the device does not know whether the network is physically in range or not. As a result, the targeted device connects to the RAP set up as a trap by the adversary.
KARMA attacks can still affect clients that use active probing authentication. To perform it, the intruder can use a Pineapple AP 5 [13], which makes the assault much simpler to achieve [9], as shown in Fig. 3.

B. Detecting Evil Twin Solutions
Solutions for detecting RAPs are categorized into two sets. The administrator-based set is a preliminary one that relies on observing the radio signals and needs to be deployed on switches, servers, routers or special devices. It may rely on the technique of whitelisting. As its name implies, it is deployed by the network administrator. But it has downsides: most of these solutions do not work in real time, need protocol modification, or depend on a single point of failure such as a server.
The second set is the client-based one, used by the user. Its main ways are the TCP connection, clock skew, route option, IP packet header and data frame statistics. Its drawback is that it may need predefined data about the network [14].
For these reasons, such a study is needed, as it presents the following: diverse detection logic to distinguish different kinds of attack signature; an empirical implementation of the proposed scheme, in which the detection of WI-phishing [2] or ET, the deauthentication attack, the KARMA attack [9], the advanced WI-phishing attack and normal packets is prototyped under real attack; and a better detection method providing real-time admin-side detection via specific parameters in the beacon frames as a signature of being under attack, then raising an alert. Furthermore, all beacon frames are sent to a database for further processing, with an alert raised in case of any anomaly in the features of previous packets. The final implementation is realized in Python using the Scapy [15] library to detect and classify frames.
Many studies have been published to address the problem of detecting phishing or WI-phishing attacks over the network. A relevant approach, "Detecting fake access point or Evil Twin", presented in [16] by Lovinger et al., depends on network probing using a Raspberry Pi 4. The author creates a logging system that analyzes and scans the wireless networks, then filters the captured frames to create signatures and stores them in a database; an alert is created after comparison against the stored result. The challenges of this approach are that it depends on a Raspberry Pi 4 as the detection device, which means higher cost and limitations, while we developed cross-platform code at lower cost; it depends on creating a unique fingerprint with a 256-bit hash function, which takes more time; and it uses only static parameters, while we depend on static and dynamic parameters for detecting the ET.
It depends on a log file, which is less stable and harder to retrieve data from than the visualized database used on our side. As a competitive advantage, we use all data from the database for further forensic purposes, as it can store data for months, which reflects stability and durability. Both approaches work as real-time detection. The rest of the paper is organized as follows: the related work is in Section 2; Section 3 describes the proposed method and the prototype; Section 4 presents the experimental results; and Section 5 contains the conclusion and future work.

A. Currently Used Strategies for Detecting the Evil Twin Attack, Categorized in Five Groups
1) Monitoring Wi-Fi traffic approach and limitation: Most Wi-Fi solutions spread sniffers over the network to accumulate fundamental measurements such as MAC, SSID, working channel, RSSI, etc. The information accumulated by these sniffers enables the administrator to perceive the ET.
Kao et al. [17] detect the existence of an ET by keeping a whitelist of the trusted MACs of LAPs. Sniffers screen the wireless traffic continuously; when an AP is discovered whose MAC is not in the whitelist, it is flagged as an Evil Twin, with an average accuracy of 96.4%. The limitation of this approach is that if the attacker sniffs and reuses the MAC address of the LAP, the approach can do nothing, in addition to whitelisting only the MAC address and disregarding the other attributes mentioned in our work.
Sachin et al. presented a way of identifying the malicious access point by setting up a whitelist of the authentic APs' MAC addresses and IPs, then sending a broadcast packet via a central service to uncover the evil twin over the WLAN by receiving the replies from all access points and contrasting them against the prepared whitelist. Its downside is that it works only when all terminals are in a similar range; it does not support real-time detection, and it relies on whitelisting techniques [18], [19].
Sriram et al. [20] and Chirumamilla et al. [21] presented an agent-based intrusion detection system (IDS) to reveal RAPs by screening the networks for the existence of new APs; if these access points are not recorded in the pre-approved records, they are flagged as RAPs. The downside of these methods is that if an evil twin AP has the same SSID and MAC as the approved AP, both procedures lose their power. They depend on a server, which is a single point of failure, and the method is useful only if the RAP is connected directly to the LAN; if the attacker has his own Internet connection, the approach can do nothing about it.
2) Timing-based methods and feature extraction approach and limitation: In the frame analysis mechanism, the system aggregates all frames using the mirror port of a core switch or by analyzing the frames obtained from remote sensors distributed over the network. From the gathered frames, many features are extracted to gain vital information about the existence of an evil twin. The evil twin access point forms a bridge between the real one and the client to provide Internet access. Because of this extra hop, timing-based methods work on the additional delay caused by the extra hop, and this additional delay gives evidence for discovering the evil twin. Diogo Mónica et al. introduced an approach to distinguish a multi-hop evil twin via a real-time detection device used by the client. It is not exposed to latency or bandwidth limits and needs no prepared list. Using this way, channels are scanned in less than 500 ms. But it has constraints: a real access point can be mistaken for a fake one, and it distinguishes an evil twin in 30 seconds, which is a major issue [22].
Burns et al. in their paper [23] proposed the method of bidirectional traceroute: making a traceroute between a terminal and a remote server from terminal to server and then from server back to terminal, and comparing both results. If a difference is found between the number of hops in the two directions, it is considered an indicator of an Evil Twin attack. The drawback of this method is that it has a single point of failure, as it depends on an external server, and it is completely useless if the intruder uses his/her own Internet connection such as 4G.
Han et al. [24] presented a technique that calculates the round trip time (RTT) of a DNS query, while Mano et al. [25] use a local RTT metric in addition to a frame payload slicing method to detect RAPs. The limitation of these solutions is that the RTT is affected by network congestion; if there is a repeater in the network, the method is useless; and they depend on a server, which is an extra cost and a single point of failure.
Yimin et al. [26] used the inter-arrival time (IAT) to figure out the extra delay caused by the ET. Yet the mentioned schemes fail when the ET provides its own private connection, since the delay caused by the extra hop no longer appears. It depends on training data to run the main algorithm of the detector, which is not easy for every admin to extract.
Fingerprinting a physical device remotely and passively, presented by F. Lanze et al. in [27], mitigates the RAP, but it requires whitelisting with user interaction and a protocol modification in which a spatial timestamp is used to mark beacon frames, which increases the probability of false positive alarms because of time synchronization problems. Using only 50 observations for training, it detects the RAP in 90% of all cases, but it still depends on training data.
Based on the work of Kohno et al. in [27], Jana et al. [28] presented the clock skew method to distinguish unauthorized APs on the network, by calculating the clock skews of different APs using the IEEE 802.11 time synchronization function (TSF), since timestamps are part of beacon frames. If the clock skew of a device does not equal the one kept previously, it is flagged as an evil twin AP.
These solutions have many limitations:
• They cause a higher load on the core switch because of the additional burden of feature processing.
• If an intruder uses his own Internet connectivity, the traffic does not arrive at the core switch, leaving the assault undetected.
• A spoofed response can be sent to the user to avoid the time difference that would result from the extra hop.
• The approach results in many false positives when frames are queued by a busy router, which causes additional delay.
3) Proprietary hardware approach and limitation: Pradip et al. [29] used a probing device that sends a pre-detection message to all connected users advising them to ignore the probe request. Afterwards, it sends another probe request and marks all responding APs as ET.
Eman et al. [30] used a chipset to detect the evil twin deauthentication attack by analyzing the packet frames, especially the management frames named deauthentication frames.
These solutions have many limitations:
• Ignoring the 802.11 probe request is a violation of the 802.11 standard [31].
• If the attacker avoids reacting to the probe request in order to stay hidden, the method is not useful.
• Special hardware means higher cost.

4) Signature-based and anomaly-based IDS approach and limitation: A signature-based IDS uses a database containing known intrusion patterns or signatures for detection, but a new pattern or signature will never be detected. An anomaly-based IDS instead creates a profile of a host or network in the normal situation based on statistics, and can recognize both known and unknown attacks. Both types lead to a large number of false positives. A survey of many anomaly-based IDSs is given in [32]. The system in [2] uses a honeypot and anomaly analysis to build an IDS; it consists of filtering, IDS and honeypot, and after the traffic passes the filtering and the IDS, all attacks are rerouted to the honeypot for in-depth investigation. Its anomaly detection system has a specificity of 0.62 and a false positive rate of 38%, which is a limitation.

5) RAP-based deauthentication/disassociation attack approaches and limitations: No single method recognizes all ET types. A practical technique is one that identifies a wide range of RAPs and needs neither an adjustment of the protocol nor dedicated equipment. All current methods have at least one of these highlights, yet none of them has all the features. As it is quite hard to detect an Evil Twin, S. Jadhav et al. in [33] modified the transmission protocol with additional timestamps, which are observed for detection, but protocol modification is in itself a limitation.
A. M. Alsahlany et al. in [34] presented a good discussion and analysis of the security threats of RAPs; their experimental results show that the RAP always comes in conjunction with DoS and MitM attacks, but the authors did not provide any mitigation mechanism. İ. F. KILINÇER et al. in [35] presented an IoT-based RAP mitigation method: a single-board computer and a wireless antenna form a RAP detection system that detects the media access control (MAC) address of the RAP, which is assigned to an unauthorized Virtual Local Area Network (VLAN). The detection mechanism depends on comparing the MAC and Basic Service Set Identifiers (BSSID) against lists of identical SSIDs.
These solutions have many limitations:
• The attacker can overcome the mitigation using an open-source tool (like macchanger) to obtain the LAP BSSID. Benefiting from the proliferation of smartphones, they used a simple approach to locate the RAP.
• The detection is based on a simple comparison of BSSIDs for networks with identical SSID parameters. An attacker can easily obtain the BSSID and set it on the fake AP (macchanger tool).
Therefore, this paper proposes an admin-side solution that overcomes the issues of the current strategies and distinguishes the RAP with higher accuracy and detection rate. It detects WI-phishing [2] or Evil Twin, the deauthentication attack, the KARMA attack [9] and the advanced WI-phishing attack, as kinds of phishing attack, and differentiates them from normal packets based on frame type analysis. In contrast with the previously mentioned solutions, our detection method has many advantages:

III. PROPOSED METHOD
This section explains the indicators used by the proposed module, obtained by analyzing beacon frames and extracting features that are considered a sign of attack. It helps detect WI-phishing [2] or Evil Twin, the deauthentication attack, the KARMA attack [9] and the advanced WI-phishing attack, and differentiate them from normal packets in real time, while building a long-term database used for forensics and for detecting more sophisticated beacon-based attacks, implemented in Python with the Scapy library. The research has a significant impact on the community of network system administrators, as it eases real-time detection and forensics of the evil twin attack.
We have previously mentioned a drawback of the IEEE 802.11 protocol: the beacon is sent unencrypted, which helps the occurrence of many attacks such as RAPs. The methods given by researchers assisted in securing against the evil twin attack but had their own downsides; they range from the installation of special hardware [1] and protocol modification [33] to measuring frame characteristics [34], [36], etc.
There are also limitations in the available intrusion detection/prevention systems, such as Suricata [37], which works only on the LAN, and Kismet [38], which has no sophisticated logging method, as its pcap file cannot be analyzed in real time and is massive in size.
Our proposed method counters these drawbacks: it needs no protocol change and does not depend on training data or expensive monitoring devices. It relies on a native, better, real-time detection method that analyzes, stores and visualizes the sub-types of beacon frames in real time to find the anomaly that reflects the existence of a RAP, together with long-term, real-time logging, database analysis and visualization, which give more capability and elasticity for further forensics and threat analysis. This database is based on Elasticsearch [39] and MongoDB [40]; it provides real-time charts, detects anomalies and generates an alert, which it can even send to the administrator by email. Our method is implemented in Python, which enables cross-platform implementation and allows affordability and portability.

A. Detecting Beacon Frames
In the initial step, the Scapy library is used for the packet capturing phase. Our detection algorithm is divided into two sub-algorithms.

B. Real Time Detection Algorithm
1) It depends on the static parameters of the IEEE 802.11 management frame, which the attacker can sniff; any change in one or more static parameters is considered an Evil Twin. These static parameters are BSSID, SSID, channel, encryption type, country code, supported channels and first channel. We assume that the administrator knows all the attributes of his network, which are entered by the administrator the first time.
a) Our algorithm can defend one or more Wi-Fi networks, as the administrator can provide one or more sets of network properties. These attributes are continuously compared against the properties captured in real time from all surrounding networks.
2) There are also dynamic parameters of the Wi-Fi network that are very hard for the attacker to imitate, namely the timestamp and the signal strength of the network.
a) The algorithm depends on the fact that the timestamp increases regularly over time in the Wi-Fi access points we are defending. This means that if we find another access point with the same static attributes but whose timestamp is less than or equal to the last timestamp received from the access point, the latter access point is an evil twin.
b) For signal strength (RSSI), we depend on the paper in [41] presented by Vanjale et al., who state that if the signal differs by 10 dB, higher or lower, it indicates the coexistence of an evil twin, because the attacker may place his RAP near the LAP with stronger signal strength, or closer to the targets, to lure them into using his access point. We consider a difference of more than 10 dB above or below as an evil twin.
3) If two BSSIDs coexist and, in the case of a deauthentication attack, the number of deauthentication frames exceeds the threshold, this reflects a deauthentication attack, which in this case is considered an indicator of an evil twin. We set the threshold in this phase to 10 deauthentication packets, as mentioned in [42].
[39] to overcome the weakness in Kismet, like pcap captured-file analysis, as capturing a large file for many days is extremely hard to analyze on a normal computer.
2) By using this combination of MongoDB with Elasticsearch, we analyze and visualize the captured data for weeks, and in case of an anomaly an alert is generated.
3) This database has many advantages for the administrator, such as knowing whether the network is always receiving deauthentication attacks from a particular MAC address, or whether someone is probing the users with a well-known open Wi-Fi name, like the names used by airports or cafes, to lure users into using it, which is of course a KARMA attack. It lets the administrator know his physical location and whether this open Wi-Fi is really in the surroundings or not.
4) Using the mentioned database, the administrator can know how long the WI-phishing attack was underway, whether the network was targeted by a script kiddie with a Raspberry Pi who floods the network with deauthentication frames, and whether the deauthentication frames were targeting a specific device or department.

D. Classes of the Proposed Algorithm
The proposed algorithm has seven correlated classes, as follows:
1) Wireless interface management: enabling monitor mode on the wireless card and starting channel hopping over the frequencies.
2) Scanning wireless networks: capturing the transmitted frames of all surrounding networks.
3) Frame analysis and filtering: filtering the captured frames to separate data frames from beacon frames, and separating the beacon-related frames into deauthentication frames, to be compared against the threshold value, and other types of beacons.
4) Comparing other types of beacon frames against the predefined parameters: if a difference is found between the attributes of the frame captured in real time and the predefined attributes, an alert is generated. These attributes are BSSID, SSID, channel, encryption type, country code, supported channels and first channel.
5) Comparing beacon frames' timestamp and signal strength: an alert is generated if the timestamp is not incremental or the difference in signal strength is greater than 10 dB above or below the previously recorded ones.
6) Listing all surrounding open Wi-Fi networks, if any; if a new open Wi-Fi network looms, it is considered a KARMA attack.
7) Storing in the database and starting visualization: sending all frames to a long-term database for forensic purposes and visualizing them for further analysis. In case of an anomaly an alert is generated, and the algorithm returns to the network scanning step.
For the final implementation, the Python 3.8 programming language was chosen. Fig. 4 shows the seven phases of the detection algorithm.

E. Detector's Pseudo Code
This section shows the proposed algorithm module. As shown in Fig. 5, we start the detection by setting the interface into monitor mode, then start continuous channel hopping that goes to each channel and scans it, from channel 1 to channel 11. We define the static parameters and calculate the dynamic parameters to detect an attack in case a difference occurs. It also detects the deauthentication and KARMA attacks.
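The detection logic of this section and of the class list above, as an added Python example that is not the paper's own code: the static-parameter comparison, the timestamp and RSSI checks, the 10-frame deauthentication threshold and the new-open-SSID KARMA rule. Frames are constructed dicts rather than live Scapy captures so that it runs offline (in deployment the same fields would be filled from a monitor-mode sniff); the Profile and BeaconDetector names, the field names and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds from Section III: a signal-strength difference greater than 10 dB [41]
# and more than 10 deauthentication frames [42] are treated as attack indicators.
RSSI_THRESHOLD_DB = 10
DEAUTH_THRESHOLD = 10

# Static IEEE 802.11 beacon attributes that the administrator pre-registers.
STATIC_KEYS = ("bssid", "ssid", "channel", "encryption", "country",
               "supported_channels", "first_channel")


@dataclass
class Profile:
    """Administrator-supplied attributes of one defended network (constructed names)."""
    bssid: str
    ssid: str
    channel: int
    encryption: str
    country: str
    supported_channels: Tuple[int, ...]
    first_channel: int
    last_timestamp: Optional[int] = None   # dynamic: TSF timestamp of the last accepted beacon
    last_rssi: Optional[int] = None        # dynamic: RSSI (dBm) of the last accepted beacon


class BeaconDetector:
    def __init__(self, profiles: List[Profile], known_open_ssids=()):
        self.profiles: Dict[str, Profile] = {p.ssid: p for p in profiles}
        self.known_open = set(known_open_ssids)     # open SSIDs present at baseline
        self.deauth_counts: Dict[str, int] = {}     # source address -> deauth frames seen

    def handle(self, frame: dict) -> List[str]:
        # Returns the alerts raised by one frame; an empty list means a normal frame.
        if frame["type"] == "deauth":
            return self._check_deauth(frame)
        return self._check_beacon(frame) if frame["type"] == "beacon" else []

    def _check_deauth(self, frame: dict) -> List[str]:
        src = frame["src"]
        self.deauth_counts[src] = self.deauth_counts.get(src, 0) + 1
        if self.deauth_counts[src] > DEAUTH_THRESHOLD:
            return [f"DEAUTH_ATTACK: {self.deauth_counts[src]} deauth frames from {src}"]
        return []

    def _check_beacon(self, frame: dict) -> List[str]:
        profile = self.profiles.get(frame["ssid"])
        if profile is None:
            # Not a defended network: a newly looming open SSID is flagged as KARMA.
            if frame["encryption"] == "open" and frame["ssid"] not in self.known_open:
                self.known_open.add(frame["ssid"])
                return [f"KARMA: new open network '{frame['ssid']}' from {frame['bssid']}"]
            return []
        # Static parameters: any mismatch with the registered profile is an evil twin.
        mismatches = [k for k in STATIC_KEYS if frame[k] != getattr(profile, k)]
        if mismatches:
            return [f"EVIL_TWIN: static mismatch on {','.join(mismatches)} from {frame['bssid']}"]
        # Dynamic parameters: a full clone is caught by timestamp order or an RSSI jump.
        alerts = []
        if profile.last_timestamp is not None and frame["timestamp"] <= profile.last_timestamp:
            alerts.append(f"EVIL_TWIN: timestamp not incremental for {frame['ssid']}")
        if profile.last_rssi is not None:
            delta = abs(frame["rssi"] - profile.last_rssi)
            if delta > RSSI_THRESHOLD_DB:
                alerts.append(f"EVIL_TWIN: RSSI jump of {delta} dB for {frame['ssid']}")
        if not alerts:   # the beacon is accepted; move the dynamic baseline forward
            profile.last_timestamp = frame["timestamp"]
            profile.last_rssi = frame["rssi"]
        return alerts


def make_beacon(bssid, ssid, timestamp, rssi, **overrides) -> dict:
    """Build a constructed beacon record; keyword overrides alter static fields."""
    frame = {"type": "beacon", "bssid": bssid, "ssid": ssid, "channel": 6,
             "encryption": "WPA2", "country": "US", "supported_channels": (1, 6, 11),
             "first_channel": 1, "timestamp": timestamp, "rssi": rssi}
    frame.update(overrides)
    return frame


def run_demo() -> List[str]:
    """Feed a constructed capture covering the five classes and return the alerts."""
    lap = Profile("00:11:22:33:44:55", "MR_Linux", 6, "WPA2", "US", (1, 6, 11), 1)
    det = BeaconDetector([lap], known_open_ssids={"Cafe_Guest"})
    frames = [
        make_beacon(lap.bssid, lap.ssid, 1_000_000, -50),            # normal
        make_beacon(lap.bssid, lap.ssid, 1_102_400, -52),            # normal
        make_beacon("66:77:88:99:AA:BB", lap.ssid, 5_000, -40),      # evil twin: other BSSID
        make_beacon(lap.bssid, lap.ssid, 900_000, -51),              # advanced: older timestamp
        make_beacon(lap.bssid, lap.ssid, 1_204_800, -35),            # advanced: 17 dB stronger
        make_beacon("CC:DD:EE:FF:00:11", "Airport_Free_WiFi", 42, -60, encryption="open"),  # KARMA
        make_beacon("CC:DD:EE:FF:00:11", "Cafe_Guest", 43, -60, encryption="open"),  # known open
    ] + [{"type": "deauth", "src": "66:77:88:99:AA:BB"}] * 11       # 11 > threshold
    alerts: List[str] = []
    for frame in frames:
        alerts.extend(det.handle(frame))
    return alerts
```

Calling run_demo() yields one alert per attack class (static mismatch, stale timestamp, RSSI jump, KARMA, deauth flood) and nothing for the two normal beacons or the already-known open network.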

F. Flow Chart of the Proposed Method
In the flow chart in Fig. 6, the program starts by putting the interface in monitor mode to scan all nearby networks by channel hopping between channels 1 and 14. It then monitors, scans and analyzes the properties of all beacon frames captured by our interface in promiscuous/monitor mode. First, all captured beacon frames are sent for a real-time comparison between the features hard-coded by the admin for the network or networks to be defended and the properties fetched from the captured beacon frames; in case of a match, an alert is generated in real time. Furthermore, the long-term database can handle, analyze and visualize the features of captured beacon frames to generate valuable statistics to forecast attacks.

IV. RESULTS
This section is devoted to the evaluation of the proposed technique. We describe the laboratory, the design of the detector, the efficiency of the detector and the evaluation measures, and lastly the results are mapped onto a confusion matrix as a predictive analysis method.

A. Laboratory Description
The experiment has been implemented over a network named "MR. Linux" to evaluate the proposed methodology. The Python 3.8 programming language, the Scapy library and an ALFA AWUS036H adapter [43] in promiscuous mode were used for monitoring and analyzing the packets sent and received. We used airgeddon [44] and Wi-Fi Pumpkin [45] to launch the attacks from a Lenovo G4080 laptop with a 4th-generation Core i5 and 4 GB of RAM, running Wifislax 2.4 64-bit [46], a GNU/Linux distribution; the attacker is launched through an ALFA AWUS036H wireless interface card [43]. The device used for detection is an HP EliteBook 745 G3 with an AMD64 A10 and 8 GB of RAM, running Ubuntu 20.4 [46] with Python 3.8 pre-installed; we also use Elasticsearch [39] and MongoDB [40].

B. Proposed Detector's Design
Our proposed algorithm overcomes the admin-side vulnerabilities of the solutions mentioned in Section II, as the efficiency of the algorithm does not depend on protocol modification, data sampling, machine learning algorithms, a dedicated server or RTT parameters. It is also real-time and does not depend on training knowledge or the Wi-Fi network's fingerprint.
• Advanced Wi-Fi phishing attack with higher signal strength: we simulate the attack by cloning all parameters of the real AP but with higher signal strength to lure users into connecting to the fake one; it is detected in real time.
• Advanced Wi-Fi phishing attack with time difference: we simulate the attack by cloning all parameters of the real AP but with a lower timestamp value; based on the time difference, it is detected in real time.
• A real-time database is made for more analysis and forensic purposes:
o To know which of our clients were connected to the WI-phishing AP, as all beacon frames are logged.
o Using the mentioned database, we know how long the different attacks were underway.
o By analyzing the real-time database, we can answer the question whether our network was targeted or whether the deauthentication frames were targeting specific devices or departments.

C. Efficiency of Proposed Algorithm
This section evaluates the proposed method and is separated into two main parts. The first part evaluates the performance of the proposed detector in classifying (1) the KARMA attack, (2) the deauthentication attack [9], (3) WI-phishing [2] or Evil Twin and (4) advanced WI-phishing, and (5) in differentiating them from normal packets in real time, in addition to storing all beacon frames in the database for visualization, forensics and further anomaly inspection. The second part compares the results against the method in [16] proposed by Lovinger et al., Zeeshan Afzal et al. in [47] and Mayank Agarwal et al. in [1].

D. Evaluation Measures
The performance of the proposed method is analyzed by estimating several evaluation metrics: TN rate, TP rate, specificity, accuracy, false negative rate, false positive rate, precision, recall and F-measure, detailed in the following descriptions. These measures are calculated over a confusion matrix, as a predictive analysis method, using equations 1 to 5, in which TP, FN and FP represent the numbers of true positives, false negatives, and false positives, respectively.

1) Specificity: The specificity parameter is defined as the ratio of the total true negatives to the sum of the total true negatives and false positives. The true negative rate is called specificity. (1)
2) Accuracy: The accuracy metric is estimated from the specificity and sensitivity values, which are expressed by equation 1. Accuracy also refers to how accurately the proposed method classifies frame types, as expressed by equation 2, which returns the accuracy value. The accuracy value compares the frames that are correctly classified with the whole set of frames.
3) Precision: The precision value is the number of frames of a category that are classified correctly divided by the total number of frames classified as that type. Precision is calculated by equation 3. Precision is also referred to as positive predictive value; other related measures used in classification include true negative rate and accuracy. (3)

4) Recall: Recall shows what percentage of the mentioned attacks are correctly classified by the classifier. Equation 4 gives the value of recall. Recall in this context is also referred to as the true positive rate or sensitivity, and it is defined as the ratio of total true positives to the sum of the total false negative and false positive values.
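An added example, not the paper's own code, of how these metrics are obtained per frame type from a detector's verdicts (one-vs-rest confusion counts) and then averaged over the five frame types, which is how the averages reported later are assumed to be formed; the labels and sample verdicts are constructed, and recall is computed as the true positive rate TP/(TP+FN):

```python
# Added example, not the paper's code: per-frame-type confusion counts and the
# evaluation metrics above, averaged over the five frame types.  The class
# labels, the ground truth and the detector verdicts below are constructed.
CLASSES = ("normal", "karma", "deauth", "evil-twin", "advanced-wi-phishing")

def per_class_counts(actual, predicted, cls):
    """One-vs-rest TP, FP, FN, TN for a single frame type."""
    tp = sum(a == cls and p == cls for a, p in zip(actual, predicted))
    fp = sum(a != cls and p == cls for a, p in zip(actual, predicted))
    fn = sum(a == cls and p != cls for a, p in zip(actual, predicted))
    tn = len(actual) - tp - fp - fn
    return tp, fp, fn, tn

def metrics(tp, fp, fn, tn):
    """Specificity (eq. 1), accuracy (eq. 2), precision (eq. 3), recall as the true
    positive rate (eq. 4) and the false positive rate; a zero denominator gives 0.0."""
    div = lambda n, d: n / d if d else 0.0
    return {
        "specificity": div(tn, tn + fp),
        "accuracy": div(tp + tn, tp + fp + fn + tn),
        "precision": div(tp, tp + fp),
        "recall": div(tp, tp + fn),
        "false_positive_rate": div(fp, fp + tn),
    }

def average_metrics(actual, predicted, classes=CLASSES):
    """Average each metric over the frame types (assumed to be how the paper averages)."""
    per_type = {c: metrics(*per_class_counts(actual, predicted, c)) for c in classes}
    return {m: sum(v[m] for v in per_type.values()) / len(classes)
            for m in next(iter(per_type.values()))}

# Constructed ground truth (what the attack tool sent) and detector verdicts:
# one normal frame was called KARMA and one Evil Twin frame was missed.
ACTUAL = (["normal"] * 4 + ["karma"] * 2 + ["deauth"] * 2
          + ["evil-twin"] * 2 + ["advanced-wi-phishing"] * 2)
PREDICTED = ["normal", "normal", "normal", "karma", "karma", "karma", "deauth", "deauth",
             "evil-twin", "normal", "advanced-wi-phishing", "advanced-wi-phishing"]
```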

E. Evaluation of the Proposed Detector
For evaluation, a comprehensive analysis was conducted. The FP, TP, FN and TN counts are presented and analyzed via a confusion matrix as a predictive analysis method. The data set used for evaluation is outlined in Table I, to make sure that the predicted attacks are the actual ones sent by the attacking tool. From the confusion matrix calculations, Table II reports an average accuracy of 94.40%, an average precision of 87.08% and an average specificity of 96.39%. Table II also shows the classification performance per attack type, based on the number of frames of each type. Fig. 7 shows that the TN count is higher than the TP count, which raises the overall detection accuracy reflected in Fig. 8.

F. Testing
We tested our solution by using airgeddon [44] and wifipumpkin3 [45] to launch the previously mentioned attacks against a network we have permission to test, and measured the response. We used Wifislax 2.4 64-bit [46], a GNU/Linux distribution. The alert reflects the kind of attack underway, as shown in Fig. 9, which illustrates the real-time detection. Figs. 10, 11, 12 and 13 show the detection of the different attack types, Fig. 14 shows a sample of anomaly detection through the database, and Fig. 15 shows the real-time database visualization.

G. Comparison and Evaluation
Here we compare the proposed method with the method presented in [16] by Lovinger et al. That approach depends on a network probe built on a Raspberry Pi 4 and creates a logging system: it analyzes and scans the wireless networks, filters the captured frames to create signatures, stores them in a database, and raises an alert after comparison with the stored signatures. The challenges of that approach are that it depends on a Raspberry Pi 4 as the detection device, which means more cost and more limitations, whereas we developed cross-platform code at lower cost; it depends on a log file, which is less stable and harder to retrieve data from; and it depends on creating a unique fingerprint with a 256-bit hash function, which takes more time, using only static parameters.
Our proposed method, by contrast, depends on static and dynamic parameters for detecting the evil twin. It provides real-time detection, it is active rather than passive, it is an admin-side solution, it is cheap, and it neither stores SSIDs in the database nor performs bookkeeping of all the APs in the neighborhood. It detects more than one type of attack, namely WI-phishing or Evil Twin, the DE authentication attack and the KARMA attack, and differentiates them from normal packets, treating them as kinds of phishing attack, by sniffing and analyzing the wireless frames. It has an average accuracy of 94.40%, an average precision of 87.08% and an average specificity of 96.39% for the five types of attack. The average false positive rate is 13% over all tested types, and it also reports the attacker's MAC address. The results show that the detector's accuracy is quite high and that it provides most of the expected features. They also show that the proposed system can be used for forensic purposes, since it can store data for a long time, which reflects stability and durability, and visualize the data stored in the database. Table III compares the proposed method with three methods by other authors: Lovinger et al. [16], Zeeshan Afzal [47] and Mayank Agarwal [1].
To wrap up, we conclude that we have achieved the best results compared with the previously proposed methods, while performing the detection in real time. The wireless network is a primary part of our world, being used in many aspects of life. In this paper, a real-time attack detection method has been proposed that helps detect different types of wireless attacks, namely WI-phishing or Evil Twin, the DE authentication attack, the KARMA attack and the advanced WI-phishing attack, and differentiates them from normal packets, whereas the previously mentioned algorithms of other researchers are either outdated or limited in their detection methods, architecture and/or scope of detection. The implementation was written in Python using the Scapy library; it analyzes beacon frame properties in real time, extracts features to be compared against the pre-stored features of the LAP's beacon properties, and treats any change, or any threshold being exceeded, as a sign of attack. The proposed detector has the advantages of being stable, working in real time and being low cost, and it does not need extra hardware. It is also powered by a database that can store frames for a long time; analyzing them gives the detector the added value of forensics, forecasting and anomaly detection. The detector's efficiency was modelled mathematically and tested in real-life scenarios, returning an average accuracy of 94.40%, an average precision of 87.08% and an average specificity of 96.39% for the different attack scenarios.

VI. FUTURE WORK
In the future, we plan to analyze our collected data using AI, machine learning and deep learning to generate attack vectors that will help in faster and better detection of the different attack types. We also intend to extend the mentioned algorithm to detect other types of attack beyond those previously mentioned. Also, we can use the semantic analysis and ranking technique evaluated in [48] for detecting and ranking other types of attack. We need to perform real-time probe request analysis to reduce the false positive rate in the real-time detection of KARMA. Finally, we aim not only to detect the attack, but also to mount a counterattack.