Enhancing Wi-Fi Security by Preventing Backward Compatibility Attacks on WPA3 Protocols

Research Square | Research Article

Aya Tareef, AHMAD ABADLEH, Anas A. Alkasasbeh, Mansoor Alghamdi

This is a preprint; it has not been peer reviewed by a journal.
https://doi.org/10.21203/rs.3.rs-4830716/v1
This work is licensed under a CC BY 4.0 License

Abstract

The widespread adoption of the Wi-Fi Protected Access III (WPA3) standard has been critical in wireless network security. However, the inherent vulnerability of wireless communication to unauthorized access presents a significant challenge. A critical concern is the potential for downgrade attacks, which can force the network's security protocol from WPA3 to WPA2, exploiting known vulnerabilities in the older standard. To mitigate this issue, many intrusion detection systems depend on fixed-threshold statistical approaches.
However, these statistical approaches may prove inefficient in adapting to dynamic network conditions and attack behaviors. Therefore, adaptive selection and thresholding methods are required to cope with the downgrade attack on WPA3. The proposed approach provides a hybrid adaptive approach for feature selection and thresholding with the goal of classifying incoming traffic containing downgrade attacks. It consists of three stages: (1) preprocessing, (2) baseline adaptive feature selection, and (3) real-time detection and prevention. The findings reveal that the developed approach, using a specially generated dataset, successfully detects downgrade attacks in WPA3 networks. Evaluation of the Naive Bayes classifier performance in both WPA3 modes demonstrates a high accuracy rate of approximately 99.8%. This result confirms the approach's effectiveness in detecting and mitigating wireless network security breaches.

Keywords: WPA3-SAE, WPA-TM, WPA2, WiFi attacks, Downgrade Attack

I. INTRODUCTION

The Institute of Electrical and Electronics Engineers (IEEE) has released a standard guideline for establishing a network between devices or wireless local area networks (WLANs). This technology is used to promote cost-effectiveness and connectivity over traditional cables [1]. Currently, wireless networks enable devices such as smartphones, laptops, and Internet of Things (IoT) devices to establish connections and share data without any physical wire. However, Wi-Fi is vulnerable to serious security issues. There has been extensive research on the strengths, weaknesses, and vulnerabilities of Wi-Fi. Wi-Fi security has undergone continual upgrades over the years. A series of security protocols—such as Wired Equivalent Privacy (WEP), WiFi Protected Access (WPA), WPA2, and WPA3—have been developed to enhance the security of wireless networking [3].
These protocols provide different authentication techniques for ensuring the confidentiality and integrity of transmitted data. Nowadays, WPA2 stands out as the most commonly utilized protocol. While the release of WPA3 is relatively recent and has not yet achieved popularity, it has the highest level of security to date. Several attacks against Wi-Fi networks have been uncovered over the years. The major weaknesses have been found in WPA-TKIP, such as plaintext recovery attacks [4], which are based on RC4 attacks within TLS; flawed random numbers [5]; predictable passwords [6]; offline attacks against 4-way handshakes [7]; man-in-the-middle attacks [8]; and downgrade attacks [17]. After the disclosure of the KRACK vulnerability in the 4-way handshake [9], the Wi-Fi Alliance released a third version of WPA protocols known as WPA3 [10]. The WPA3 protocol uses simultaneous authentication of equals (SAE), also known as the dragonfly handshake. Since 2020, WPA3 has been a mandatory requirement for Wi-Fi implementations [11]. Consequently, it is anticipated that there will be an increase in WPA3 in the near future. While the number of access points (APs) has reached billions, only 0.84% have been used for WPA3 [12]. As mentioned in WPA3 specifications [10], the transition mode enables an AP to accommodate both WPA3-SAE and WPA2-PSK clients with the same password. However, there is concern in this mode that an adversary can operate a rogue AP with the same network's MAC and advertise for the vulnerable WPA2 [13, 16]. Although WPA3 signifies a significant improvement over preceding security protocols, devices utilizing WPA3 are not immune to security concerns. While the newest devices have updated security protocols, older devices have not. In a diversely developed network of devices, the transition from WPA2-only devices is a time-consuming process.
Therefore, access points that operate WPA3 need to be backwards compatible with WPA2, as implemented in WPA3-TM in both Personal Transition Mode and Enterprise Transition Mode (Wi-Fi Alliance, 2018). However, the WPA3-TM mode exhibits vulnerability to downgrade attacks [13, 19], deprivation attacks [16], and denial-of-service (DoS) attacks [14]. Because of the vulnerabilities described above and the diverse expansion of network devices, the security of Wi-Fi standards and wireless networks has become critical. An intrusion detection system (IDS) serves as an essential component in maintaining the security integrity of Wi-Fi networks. The implementation of WPA3 offers a transitional compatibility mode, facilitating connection with WPA2-enabled devices. However, this temporary mode presents inherent challenges, as highlighted by recent findings. Until these vulnerabilities are addressed, all WPA3 APs remain susceptible to attacks targeting connections [13, 16, 18]. Moreover, existing solutions may encounter difficulties in effectively tackling dynamic security scenarios and network conditions. These detection methods are prone to generating false-positive alerts, wherein actions such as reconfiguring AP settings or network delays erroneously trigger alarms for malicious behaviors [19].

To overcome the challenges and limitations of conventional IDS detection methods, this paper proposes a hybrid adaptive approach to mitigate the effect of a downgrade attack on WPA3. The proposed approach utilizes a combination of adaptive feature selection and attack detection, whereas current literature and approaches primarily consider the fixed threshold value. The proposed hybrid approach relies on different network practical scenarios and traffic conditions. By incorporating adaptive thresholding, the attack detection approach becomes more dynamic to varying network traffic patterns.
Therefore, the contributions of this paper are:
- Introducing an Adaptive Feature Selection and Threshold for Downgrade Attacks (AFST-DA) approach, based on analysis of incoming traffic;
- Developing a novel hybrid approach to enhance WPA3 security by integrating practical, statistical, and thresholding models;
- Creating a new dataset specifically designed to assess downgrade attacks targeting WPA3-SAE and WPA3-TM; and
- Enhancing detection accuracy and reducing false alarms.

II. LITERATURE REVIEW

Since their inception, security has been a significant concern in Wi-Fi technologies because of a considerable number of unaddressed flaws that need consideration. To remain relevant, security measures must be adapted to new threats [21]. We observe various studies discussing whether WPA3 represents a technological breakthrough immune to vulnerabilities [22] or constitutes a simple enhancement over WPA2. Notably, WPA3 is designed to accommodate both WPA2- and WPA3-supported devices [13]. Following the release of WPA, it was identified as a weaker protocol that is vulnerable to dictionary attack [23]. He et al. [24] discover that the four-way handshake is vulnerable to DoS attacks. They provide a modular correctness of IEEE 802.11i, encompassing the four-way handshake and security assurances. However, Vanhoef et al. [25] discover that the four-way handshake is still vulnerable to downgrade attacks, which can force clients to use RC4 associated with the weaker WPA-TKIP network support over WPA2 [26]. In 2018, a detailed review paper on WPA3/WPA2 [21] shows several enhancements in Wi-Fi security, including defense against key reinstallation attacks on WPA2 [9]; evaluates WPA3 security introduced by the SAE; and highlights improvements over WPA2 while identifying remaining vulnerabilities. More recently, Vanhoef et al. [13] identify a series of vulnerabilities in the WPA3 authentication protocol, referred to as "Dragonblood".
These vulnerabilities include downgrade, timing-based, cache-based, and DoS attacks. In response, the Wi-Fi Alliance has come up with a set of security guidelines for WPA3 implementations [10]. One study demonstrates the ability to perform offline dictionary attacks on WPA3-enabled APs [15]. Patel et al. [18] also demonstrate an active dictionary attack on WPA3 that can recover the password during transition. Recent studies have highlighted DoS attacks on WPA3-SAE (Simultaneous Authentication of Equals) [14, 16]. Louis et al. [28] analyze Wi-Fi Management Frame Protection (MFP) while highlighting the vulnerabilities that facilitate de-authentication attacks. Vanhoef et al. [29] disclose a time-memory trade-off attack, making it feasible to break the SAE-PK password with reduced computational cost.

IDS is an important security mechanism for network defense. Network IDS classifies traffic data into unauthorized (attacked) and normal traffic. Certain IDS techniques have many theoretical advantages, such as low false-positive rates, but they did not gain widespread use. For instance, signature-based IDS detect patterns of a known attack type. They rely on current knowledge of such attacks to recognize patterns. However, these systems are incapable of identifying other attacks. Anomaly-based IDS solves the problems of signature-based IDS by analyzing the difference between malicious and normal behavior [30]. Dalal et al. [19] propose a signature-based IDS that assesses nine attacks on a WPA3-supported AP. They implement a set of signature rules to mitigate the effect of each attack. Moreover, a downgrade attack has been demonstrated, with abnormal events such as duplicates in authentication key management (AKM). However, relying on a predefined threshold may result in false positives and problems with adapting to dynamic conditions. Variables such as delays or reconfiguration could impact the accuracy of signatures.
Another signal-based IDS is proposed by Thankappan et al. [31] to identify variants of multi-channel man-in-the-middle attacks on Wi-Fi networks. The developed algorithms identify many MitM attacks with an accuracy of 90%. However, a detection delay of 60 seconds is not effective for active detection. Most of these signature-based IDS require static attack signatures, which can be exploited by zero-day attacks.

Recently, various studies have made use of IDS with machine learning (ML). ML-based IDS systems are designed to capture traffic packets for an attack to predict and detect the threat class [32]. Verma et al. [33] utilize feature extractor methods while using classification algorithms to classify DoS attacks. The selected features obtained using a threshold method provide a TPR of 98.2% with Random Forest (RF). Saini et al. [20] propose real-time IDS within an enterprise environment. Initially, a flood detection system is designed to capture a frame flood based on a spike in the mean of frame numbers. Next, an ML-based intrusion is used to predict the attack class. The result shows high accuracy, up to 99.9%. However, their dependence on the mean of frame numbers may lead to false positives. In the case of a low-rate DoS attack, the system may interpret the activity as normal, as the mean might not exceed the specified mean. While this approach provides an IDS designed for WPA3 flood vulnerabilities, it does not tackle the problem of downgrade attacks. Recently, a lightweight real-time IDS is proposed by Bhutta et al. [27]. The authors use a lightGBM machine learning model to detect and classify Wi-Fi attacks. The proposed solution shows an accuracy of 99.77% in the order of microseconds. Shone et al. [34] propose an approach to non-symmetric deep auto-encoder (NDAE) and deep learning classification on the NSL-KDD dataset. The model shows an accuracy of 97.85%. In recent years, the AWID2 dataset has been introduced.
This dataset has been constructed to build an anomaly-based IDS utilizing a set of WEP-based machine learning techniques. In 2021, the AWID was updated to AWID3 [35]. However, these datasets are primarily centered around WPA2, lagging behind WPA3 vulnerabilities [13]. Thus, we create a dataset that includes the behaviors of downgrade attacks and present the results.

In summary, the existing literature is limited by different problems. The current landscape of Wi-Fi security lacks downgrade attack-labeled datasets. The absence of related data for WPA3 poses an obstacle for the development of IDS. These limitations require updated resources that encapsulate the downgrade vulnerability of WPA3. The proposed approach underscores the significance of both analysis and practical implementation. A thorough investigation of the downgrade attack, utilizing datasets aligned with WPA3 and incorporating practical testing, stands as an important prerequisite for the security of WPA3.

III. METHODOLOGY

The proposed methodology is shown in Fig. 1. This hybrid approach, termed Adaptive Feature Selection and Thresholding for Downgrade Attacks (AFST-DA), combines statistical and thresholding techniques to proactively identify and mitigate downgrade attacks within WPA3 protocols. Utilizing adaptive feature selection, AFST-DA integrates network capture, packet data analysis, and real-time detection to fortify WPA3 security. It exhibits an improved ability to classify between downgrade attack behaviors and normal activities within focus adjustment based on mapping with the selected adaptive feature set. These features are derived from both WPA3 modes, specifically WPA3-only and WPA3-Transition.

As illustrated in Fig. 2, the architecture of the proposed approach comprises three stages: (1) preprocessing, (2) baseline adaptive feature selection (BAFS), and (3) attack detection and prevention (RDP). Firstly, packet details are extracted and normalized.
Secondly, the dataset is examined and analyzed to adaptively select features based on each feature entropy and baseline threshold. Finally, an active testing stage is used to classify the input packets for the downgrade attack and normal traffic.

A. Data Preprocessing Stage

All traffic packets transmitted over a Wi-Fi connection, whether in a normal network setting or within a compromised network, are intercepted and employed as an input dataset. Initially, the device network interface reconfigures into monitor mode, enabling each packet corresponding to the Wi-Fi connection to be stored into the PCAP (Packet CAPture) file format. These packets include valuable information, such as IP addresses, ports, headers, payloads, and more. These data represent the raw information required for constructing the system that offers protection against attacks like downgrade attacks. Therefore, in this data preprocessing stage, frame attributes are extracted and filtered from the captured traffic dataset. Algorithm 1 shows the procedure for the data preprocessing stage.

Algorithm 1 Data Preprocessing
- Input: Arriving Traffic Data (A_T)
- Output: Prepared Traffic Data (P_T)
1: Extracting packet data from A_T (.csv).
2: Filtering Packet Data: Filter packets based on specific criteria, e.g., frame type, source IP.
3: Normalizing data using Eq. (1)

The arriving traffic attributes are extracted, filtered, and normalized. Since there are specific types of frames that play a significant role in every network discovery or intrusion detection system, the filtering process focuses on selecting a specific type of frame, like a beacon frame or probe response. Beacons are a type of management frame used to recognize the presence of an AP. These frames encapsulate valuable network details, including the network's name, MAC address, AKM (Authentication Key Management) type and count, and other 802.11 capabilities of an AP.
A probe response is a type of frame generated to respond to the probe request sent from the client's devices. Although they are sent out individually, these response frames have the same AP capabilities as beacon frames. By isolating and emphasizing these frames, we provide a more accurate and perceptive analysis of the network's behavior.

To standardize the value range of the packets and provide a fair examination of every attribute, a normalization technique is utilized in this stage. The packet feature values have different scales and units; features with large values may dominate the others, producing an unbalanced result. Thus, this technique allows for standardizing all the attributes to a typical range. The Z-score technique is one of the normalization methods used in preprocessing [36]. The formula for Z-score is presented in Eq. (1).

$$Z=\frac{X_{i}-\mu}{\sigma} \qquad (1)$$

where \(Z\) is the new normalized value for each feature; \(X_{i}\) is the current feature value; \(\mu\) is the mean value; and \(\sigma\) is the standard deviation of each feature. After Z-score normalization, the features preserve the distribution shape and are roughly the same scale.

B. Baseline Adaptive Feature Selection (BAFS) Stage

To select the optimal adaptive features in the AFST-DA approach, the initial step involves retrieving and normalizing the traffic dataset within the data preprocessing stage. These dataset files contain both normal and malicious traffic data. According to Algorithm 2, all prepared traffic data (P_T) is taken as input for this offline analysis. This stage incorporates a set of processes to identify the feature that promotes efficient anomaly detection. Initially, entropy is computed for each feature vector using Shannon's entropy [37]. The formula is presented in Eq. 2.
$$E=\sum_{i=0}^{n}-p_{i}\log p_{i} \qquad (2)$$

where \(E\) represents the entropy of the feature vector and \(p_{i}\) denotes the probability of occurrence for each possible outcome. The summation runs over all possible outcomes. In cases of attack, the feature entropy pattern changes and deviates from its normal values. These deviations provide insights into the attack behavior and the specific type of feature affected.

After computing the entropy for each feature vector, the baseline threshold is determined to identify anomalous features based on their entropies. This threshold is set using normal traffic as a reference point under typical conditions. Once a feature's entropy exceeds this baseline threshold, it is flagged as an anomaly linked to downgrade attacks. These selected anomaly features form an adaptive set that acts as a repository for features indicating downgrade attack anomalies.

Currently, many issues revolve around the limitations associated with static thresholding techniques within dynamic network conditions, particularly in attacks against Wi-Fi networks. However, these static techniques are not accurate enough to deal with dynamic variations. Within the attack behaviors, it might lead to variations in features with high entropies and low entropies, which lead to false positives. Therefore, to address these issues, the proposed approach uses MAD adaptive technology for accurate thresholding.

Algorithm 2 Baseline Adaptive Feature Selection
- Input: Preparing traffic data (P_T) - offline training
- Output: Selecting adaptive feature and baseline threshold (adaptive set)
1: Calculate the entropy E(F_i) for each feature using Eq. (2)
2: Calculate the baseline threshold (Th_i) for each feature.
3: For each F ∈ P_T:
4:   if E(F_i) > Th_i then
5:     combine F_i and Th_i into the adaptive set
6:   else drop the feature.
7:   end if
8: // utilize the adaptive set in RDP stage.

C. Real-Time Detection and Prevention Stage

In the real-time detection and prevention stage, incoming traffic is continuously observed and processed within a predefined sliding window. These traffic data are mapped with the selected adaptive set from the previous stage, enhancing detection by incorporating relevant features that reflect the current traffic dynamics. The sliding window dynamically adjusts its size based on the incoming data, ensuring timely analysis. For detection, a threshold is utilized to identify abnormal features. This threshold dynamically adapts to varying loads, ensuring flexibility in response to changing conditions. Once the detection threshold is alerted for a downgrade attack, the traffic packets are passed through the machine learning classifier. This mix of techniques is useful for high bandwidth and multiple APs, where central monitoring for vulnerabilities is not practical. Therefore, we use our dataset to train and test a few machine learning classifiers. When features remain below the threshold, the process continues with the addition of subsequent windows until the completion of the traffic analysis.

Additionally, to prevent the attack, the mechanism takes action on each MAC address associated with malicious activity and the fraudulent authentication mechanism. By adding the MAC address of the attacking node to the blacklist, its ability to reconnect to the network is effectively blocked. Consequently, any subsequent attempts by the attack packet are promptly discarded, ensuring a proactive approach to preventing threats and enhancing WPA3 network security.

IV. EXPERIMENTAL RESULTS ANALYSIS

To validate the proposed approach, a set of experimentally configured scenarios is required. These experiments generate a dataset that contains both normal and attacked network conditions. The dataset contains a collection of packet captures from three types of scenarios, allowing us to effectively analyze the behavior of the network.
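The stages of Section III (per-feature entropy, a baseline threshold from attack-free traffic, then a sliding-window check with blacklisting) can be sketched as below. This is an added example, not the authors' implementation: the frame records are constructed, the field names stand in for the features the paper names, and Z-score normalization (Eq. 1) is omitted because the entropy of a discrete feature does not depend on its scale. Assumptions: MAD is read as median absolute deviation with a `median + k * 1.4826 * MAD` threshold (the paper gives no formula), an alert requires every selected feature to exceed its threshold, and the blacklist is keyed on (source MAC, advertised AKM).

```python
import math
from collections import Counter
from statistics import median

# Stand-in names for the paper's features: AKM type, AKM count, frame.len, beacon interval.
FEATURES = ("akm", "akm_count", "frame_len", "beacon_interval")
AP = "02:00:00:00:00:01"  # constructed BSSID

def frame(akm, length):
    return {"sa": AP, "akm": akm, "akm_count": akm.count("+") + 1,
            "frame_len": length, "beacon_interval": 100}

def capture(n, attack_from=None, reconfig_from=None):
    """Constructed beacon/probe-response records, not real capture data."""
    frames = []
    for i in range(n):
        length = 298 if i % 6 == 0 else 310  # probe responses mixed into beacons
        if attack_from is not None and i >= attack_from and i % 3:
            frames.append(frame("PSK", 286))  # clone of the AP advertising WPA2 only
        elif reconfig_from is not None and i >= reconfig_from:
            frames.append(frame("SAE", length))  # admin switches TM to SAE-only
        else:
            frames.append(frame("SAE+PSK", length))  # WPA3 transition mode
    return frames

def shannon_entropy(values):
    """Eq. (2) on the empirical distribution of one feature (log base 2 assumed)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def window_entropies(frames, feature, size, step):
    return [shannon_entropy([f[feature] for f in frames[s:s + size]])
            for s in range(0, len(frames) - size + 1, step)]

def mad_threshold(entropies, k=3.0, floor=0.2):
    """median + k * 1.4826 * MAD (assumed form). The floor keeps a margin when
    MAD is 0, the usual case for beacon fields a stable AP never changes."""
    med = median(entropies)
    mad = median(abs(e - med) for e in entropies)
    return med + max(k * 1.4826 * mad, floor)

def baseline_history(normal, size=20):
    """Per-feature entropies over non-overlapping windows of attack-free traffic."""
    return {f: window_entropies(normal, f, size, size) for f in FEATURES}

def select_adaptive_set(training, history, size=20):
    """Algorithm 2: keep a feature only if its entropy in the labelled training
    capture rises above the baseline threshold; otherwise drop it."""
    return [f for f in FEATURES
            if max(window_entropies(training, f, size, size)) > mad_threshold(history[f])]

def detect(stream, adaptive_set, history, known, size=20, step=10):
    """Slide a window over live frames. Quiet windows are fed back into the
    history so thresholds follow the traffic; alerting windows are not."""
    history = {f: list(history[f]) for f in adaptive_set}
    alerts, blacklist = [], set()
    for start in range(0, len(stream) - size + 1, step):
        window = stream[start:start + size]
        ent = {f: shannon_entropy([fr[f] for fr in window]) for f in adaptive_set}
        hits = [f for f in adaptive_set if ent[f] > mad_threshold(history[f])]
        if adaptive_set and len(hits) == len(adaptive_set):
            alerts.append(start)
            # The rogue AP may clone the BSSID, so a MAC alone would also block
            # the real AP; key on (MAC, AKM) pairs never seen in the baseline.
            blacklist |= {(fr["sa"], fr["akm"]) for fr in window} - known
        else:
            for f in adaptive_set:
                history[f].append(ent[f])
    return alerts, blacklist

NORMAL = capture(100)
KNOWN = {(fr["sa"], fr["akm"]) for fr in NORMAL}

if __name__ == "__main__":
    hist = baseline_history(NORMAL)
    selected = select_adaptive_set(capture(100, attack_from=40), hist)
    print("adaptive set:", selected)
    print("attack:", detect(capture(80, attack_from=30), selected, hist, KNOWN))
    print("reconfiguration:", detect(capture(80, reconfig_from=30), selected, hist, KNOWN))
```

In the constructed reconfiguration capture only the two AKM entropies rise while frame length stays at baseline, so no alert fires and nothing is blacklisted, which mirrors the temporary-disruption scenario the paper uses to control false positives.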
The proposed approach is implemented and evaluated using Python 3.9 on a Dell machine with 16GB RAM and Intel® Core™ i7-6600U CPU. Figure 3 is a representation of our setup for simulating and collecting data. We use a mobile hotspot with switching enabled between WPA3 modes, participating client devices, a monitoring device (a Dell laptop running Ubuntu 18.04), and an attacker node running Ubuntu 18.04.

A. Experimental setup

To create the dataset, we label each scenario packet to determine if it corresponds to a specific attack. The offline stage relies on traffic analysis of the input frame, primarily focusing on downgrade attacks. The resulting dataset comprises packet captures from two attack sessions: WPA3-SAE and WPA3-TM. The dataset includes CSV files containing the network packets transmitted during the attack and captured using the monitoring device. Moreover, the dataset also incorporates packets from a normal network scenario and temporary disruption scenarios, providing a comprehensive view of network traffic under various conditions. Table 1 shows the experiment scenarios aimed to establish a baseline dataset from a normal and attacked Wi-Fi WLAN connection. To address false positives, disruption scenarios are simulated using non-standard traffic patterns using the same legitimate AP. This AP's mode is repeatedly reconfigured during data capture, mimicking downgrade attack behaviors without actual attacks.

TABLE I Scenarios Setting

| No. | Scenario Type | AP standard security | Attack type | Radio Channel Frequency |
|---|---|---|---|---|
| 1 | Normal | WPA3-SAE | None | 2.4 GHz |
| 2 | Normal | WPA3-TM | None | 2.4 GHz |
| 3 | Attacked | WPA3-SAE, WPA2 | Downgrade | 2.4 GHz |
| 4 | Attacked | WPA3-TM, WPA2 | Downgrade | 2.4 GHz |
| 5 | Temporary disruption | WPA3-TM, WPA3-SAE | Normal Operation | 2.5 GHz |

B. Data Representation and Analysis

In the data preprocessing stage, we start our analysis by investigating the frames of different Wi-Fi WLAN scenarios, encompassing management frames (type = 0), control frames (type = 1), and data frames (type = 2), along with their subtype frames. This analysis aims to ensure the correctness of the Wi-Fi trace by examining the distribution of frame types. As shown in Fig. 4, the dataset consists of 24 features, with frame statistics comparing rogue AP data to legitimate AP data. In the case of the rogue AP, the most prevalent frames are beacons (type = 0, subtype = 8), which represent about 90% of the total occurrences, followed by deauthentication frames (type = 0, subtype = 12) with a rate of 5%, while 0.06% of the frames are identified as EAPOL frames (type = 2, subtype = 0).

In the legitimate AP data, the frame distribution has a different pattern. Beacons remain the dominant type at approximately 50%. This distribution is anticipated in a typical network scenario because beacons are used legitimately to announce the AP availability. EAPOL packets (type = 2, subtype = 0) have a high presence, accounting for approximately 15%. EAPOL frames are commonly associated with the establishment and management of secure connections, and their lower occurrence in attack scenarios indicates a delay or termination in connection establishment.

All Wi-Fi packet time gaps are illustrated in Fig. 5. This observation underlines the unusual behavior of the AP packets. The purpose is to perform a sanity check of the captured traffic, which provides insight about the presence of malicious activities, such as rapid advertising of the rogue AP and lower advertising of the legitimate AP. This justifies the varying number of packets, which indicates a lower number of frames from legitimate AP compared to rogue AP packets. The legitimate AP keeps busy with a connection setup and data packets instead of advertising itself.

C. Results and Discussion

To validate the accuracy and reliability of the proposed approach, we present and discuss the results of the experiments. We evaluate feature selection efficiency by comparing entropy statistics, analyzing real-time detection and prevention capabilities, and examining the performance of the machine learning classifier.

Firstly, we observe that the proposed baseline adaptive feature selection algorithm provides better results along with the entropy statistic. Figures 6(a) and 6(b) report the entropy in two APs (one for WPA3-SAE only and the other for WPA3-TM), an involved AP operating in WPA3-SAE mode under normal conditions, and the same legitimate AP being attacked by a rogue AP using WPA2.

In the context of WPA3-SAE under normal conditions, the feature entropy exhibits lower values, reflecting a consistent pattern in the feature vector characteristic of a secure network environment. This stability in entropy during normal operation contrasts with the variations observed in the attacked scenario. In the attacked scenario, alterations are evident in AKM types, frame length (frame.len), frame sequence (wlan.seq), and beacon intervals (wlan.fixed.beacon). The entropy associated with AKM types indicates malicious attempts using different authentication algorithms while supporting WPA2-PSK. Variations in frame length and sequence suggest disruptions to typical communication patterns, implying interference by the attacker in the customary sequence of data frames. Additionally, changes in beacon intervals highlight anomalies in standard broadcasting behavior.

On the other hand, the attacked condition demonstrates changes in AKM type, frame length (frame.len), frame sequence (wlan.seq), and beacon intervals (wlan.fixed.beacon). The entropy of AKM types signifies malicious attempts with different authentication algorithms while supporting WPA2-PSK.
Changes in frame length and sequence suggest disruptions in normal communication patterns, implying the attacker's interference in the usual sequence of data frames. Moreover, changes in beacon intervals indicate anomalies in typical broadcasting behavior.

Subsequently, the experiments involve a legitimate AP operating in WPA3-TM mode. Figure 6(b) illustrates the entropy results. In the normal condition, the AP broadcasts a beacon detailing the supported AKM types, including both WPA3-SAE and WPA2-PSK authentication, with an AKM count of two. The entropy analysis shows patterns consistent with secure behavior, displaying consistent AKM type, AKM count, beacon interval characteristics, and steady frame sequence entropy.

On the other hand, in the temporary disruption scenario, as shown in Fig. 7, when the AP temporarily changed its security settings from WPA3-TM to WPA3-SAE mode, the results show a distinct change in AKM count and AKM type in the entropies, which matches the results observed during the attack scenario. However, the findings indicate different entropy values and feature sets. Interestingly, despite this temporary disruption, no additional alterations are detected in the frame sequence, intervals, or length, as seen in attack behaviors. This variation serves as a pivotal factor in distinguishing attack behaviors from transient conditions, affirming the capability to minimize false negatives.

Figure 7. Results of Entropy Analysis via temporary condition.

Thereafter, the aforementioned adaptive thresholding technique is employed. For each feature vector, a threshold value is provided on which anomaly feature is selected and combined into an adaptive set. Once the feature entropy exceeds the threshold, it is identified as an anomaly. Following the identification of anomaly features, the approach tests a traffic dataset by mapping it with the chosen adaptive feature set. The traffic adapts dynamically to the changing conditions.
As the window size reaches the length of the traffic, the system computes the feature entropy and dynamically adjusts the threshold for anomaly detection. As illustrated in Fig. 8(a) and 6(b), the approach responds to the attacked WPA3-SAE and WPA3-TM scenario and accurately identifies the downgrade attack with a recorded detection time.

Furthermore, the approach is taken to prevent downgrade attacks by implementing an adaptive blacklist. When a blacklisted source tries to access the network again, they are promptly notified about the unauthorized traffic. Evaluation in various scenarios shows the effectiveness of this prevention measure, as illustrated in Fig. 9. Notably, the blacklist operates within a simulated environment on the same device, demonstrating its functionality without any manufacturer-specific implementations.

Additionally, a machine learning classifier is used along with the thresholding process to predict the downgrade attack. As depicted in Fig. 10, the comparison output of different classifiers reveals that Naive Bayes exhibits the highest accuracy (99.8%). This indicates its exceptional capability in accurately detecting network attacks. Similarly, Naive Bayes (NB) demonstrates excellent performance in achieving the highest accuracy, F1-score, recall, and precision compared to KNN, SVM, and SGD classifiers. This is evident from the results presented in Table II.

TABLE II Classification Results

| Classifier | Accuracy | Recall | Precision | F1 score |
|---|---|---|---|---|
| KNN | 97.9% | 0.977 | 0.974 | 0.975 |
| Naive Bayes | 99.8% | 0.977 | 0.997 | 0.998 |
| SVM | 85.9% | 0.783 | 0.869 | 0.810 |
| SGD | 78.1% | 0.845 | 0.785 | 0.772 |

Comparing our proposed hybrid approach to related methods, as listed in Table III, we observe improvements in both detection rate and accuracy. However, it encounters potential false positives, leaving vulnerabilities [19] and weaker defense against downgrade attacks, and as such is an inefficient Wi-Fi IDS [20].
Nonetheless, our proposed hybrid approach, which incorporates adaptive feature sets and dynamic thresholding, achieves a detection rate of 99.8%, effectively addressing downgrade attacks in both WPA3-SAE and WPA3-TM scenarios. While limitations exist, notably in its scope (which is limited to downgrade attacks), our approach demonstrates significant improvements in mitigating Wi-Fi vulnerabilities compared to existing methods.

TABLE III Summary of comparison with the related works

| Reference | Approach | Basis | Detection Rate / Accuracy | Weakness | Vulnerabilities |
|---|---|---|---|---|---|
| Dalal et al. [19] | Signature-based IDS | Attack vector | Able to detect abnormal packets | Potential false positives during AP restart or reconfiguration | Downgrade attack and more |
| Saini et al. [20] | Signature-based IDS | Attack flow and ML classification | Random Forest 99.9% | Spike in the mean number of packets may lead to false positives; limited to flood attacks | Flood attacks |
| Bhutta et al. [27] | Lightweight Wi-Fi IDS | LightGBM | 99.7 | Downgrade attack | Wi-Fi attack and WPA3 flood attacks |
| Proposed | Hybrid approach | Adaptive feature set and dynamic thresholding | 99.8 | Limited to downgrade attack | Downgrade attack in WPA3-SAE & WPA3-TM |

V. CONCLUSION

This paper has proposed a hybrid approach to detect and prevent inherent security challenges introduced by the backward compatibility of WPA3. These challenges have not been seriously solved in existing work. We propose a combination of statistical, thresholding, and classifying methods that enable Wi-Fi traffic analysis to classify a Wi-Fi attack. The primary objective of the proposed approach is to classify whether the observed traffic data is indicative of a downgrade attack or aligns with normal network behavior. Employing adaptive feature selection and thresholding, the approach effectively identifies significant features from the dataset. Additionally, it utilizes entropy statistics and MAD thresholding to detect and prevent attack traffic.
Furthermore, ML classification techniques are employed to enhance the accuracy of threat detection. Through the implementation of practical and realistic scenarios, the obtained results underscore the responsiveness and accuracy of WPA3, showcasing a robust intrusion detection capability. The best accuracy obtained by the Naive Bayes classifier for both modes is approximately 99.8%. In future work, we intend to extend the dataset to integrate more WPA3 vulnerabilities. Furthermore, the approach confirms the benefits of integrating an accessible blacklist to prevent unauthorized traffic sources. Therefore, this method can be extended to a cloud-based blacklist system within the security infrastructure. This blacklist will provide centralized and updated storage for malicious sources, reducing the risk of security breaches.

Declarations

Ethical Approval: Not applicable.

Funding: Not applicable.

Author Contribution: A.T. and A.A. authored the main text and prepared the implementation section. A.A. wrote the introduction and literature review. M.A. created the figures and tables. All authors reviewed the manuscript.

References

1. Bellalta, B., Bononi, L., Bruno, R., & Kassler, A. (2016). Next generation IEEE 802.11 Wireless Local Area Networks: Current status, future directions and open challenges. Computer Communications, 75, 1–25.
2. Zou, Y., Zhu, J., Wang, X., & Hanzo, L. (2016). A survey on wireless security: Technical challenges, recent advances, and future trends. Proceedings of the IEEE, 104(9), 1727–1765.
3. Alliance, W. F. (2003). Wi-Fi Protected Access: Strong, standards-based, interoperable security for today’s Wi-Fi networks (pp. 492–495). White paper, University of Cape Town.
4. Paterson, K. G., Poettering, B., & Schuldt, J. C. (2015). Plaintext recovery attacks against WPA/TKIP. In Fast Software Encryption: 21st International Workshop, FSE 2014, London, UK, March 3–5, 2014. Revised Selected Papers 21 (pp. 325–349). Springer Berlin Heidelberg.
5. Vanhoef, M., & Piessens, F. (2013, May). Practical verification of WPA-TKIP vulnerabilities. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security (pp. 427–436).
6. Lorente, E. N., Meijer, C., & Verdult, R. (2015). Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers. In 9th USENIX Workshop on Offensive Technologies (WOOT 15).
7. Moskowitz, R. (2003). Weakness in passphrase choice in WPA interface. http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface.html
8. Agarwal, M., Biswas, S., & Nandi, S. (2015). Advanced stealth man-in-the-middle attack in WPA2 encrypted Wi-Fi networks. IEEE Communications Letters, 19(4), 581–584.
9. Vanhoef, M., & Piessens, F. (2017, October). Key reinstallation attacks: Forcing nonce reuse in WPA2. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 1313–1328).
10. Wi-Fi Alliance (2018). WPA3 specification. Retrieved from https://www.wifi.org/system/files/WPA3%20Specification%20v3.1.pdf
11. Wi-Fi Alliance, & Security (2020). Wi-Fi Security. https://www.wi-fi.org/discover-wi-fi/security (Accessed: 20 December 2023).
12. WiGLE.net (2023). Statistics. Retrieved from https://wigle.net/stats.
13. Vanhoef, M., & Ronen, E. (2020, May). Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd. In 2020 IEEE Symposium on Security and Privacy (SP) (pp. 517–533). IEEE.
14. Lounis, K., & Zulkernine, M. (2019, September). Bad-token: denial of service attacks on WPA3. In Proceedings of the 12th International Conference on Security of Information and Networks (pp. 1–8).
15. Lamers, E., Dijksman, R., van der Vegt, A., Sarode, M., & de Laat, C. (2021, January). Securing home Wi-Fi with WPA3 personal. In 2021 IEEE 18th Annual Consumer Communications & Networking Conference (CCNC) (pp. 1–8). IEEE.
16. Lounis, K., & Zulkernine, M. (2020). WPA3 connection deprivation attacks. In Risks and Security of Internet and Systems: 14th International Conference, CRiSIS 2019, Hammamet, Tunisia, October 29–31, 2019, Proceedings 14 (pp. 164–176). Springer International Publishing.
17. Vanhoef, M., Schepers, D., & Piessens, F. (2017, April). Discovering logical vulnerabilities in the Wi-Fi handshake using model-based testing. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (pp. 360–371).
18. Patel, M., Amritha, P. P., & Sam Jasper, R. (2021). Active dictionary attack on WPA3-SAE. In Advances in Computing and Network Communications: Proceedings of CoCoNet 2020, Volume 1 (pp. 633–641). Springer Singapore.
19. Dalal, N., Akhtar, N., Gupta, A., Karamchandani, N., Kasbekar, G. S., & Parekh, J. (2022, January). A wireless intrusion detection system for 802.11 WPA3 networks. In 2022 14th International Conference on COMmunication Systems & NETworkS (COMSNETS) (pp. 384–392). IEEE.
20. Saini, R., Halder, D., & Baswade, A. M. (2022, December). RIDS: Real-time Intrusion Detection System for WPA3 enabled Enterprise Networks. In GLOBECOM 2022–2022 IEEE Global Communications Conference (pp. 43–48). IEEE.
21. Kohlios, C. P., & Hayajneh, T. (2018). A comprehensive attack flow model and security analysis for Wi-Fi and WPA3. Electronics, 7(11), 284.
22. Appel, M., & Guenther, I. S. (2020). WPA 3-Improvements over WPA 2 or broken again? Network, 7, 1–4.
23. Moskowitz, R. (2003). Weakness in passphrase choice in WPA interface. http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface.html
24. He, C., Sundararajan, M., Datta, A., Derek, A., & Mitchell, J. C. (2005, November). A modular correctness proof of IEEE 802.11i and TLS. In Proceedings of the 12th ACM conference on Computer and communications security (pp. 2–15).
25. Vanhoef, M., & Piessens, F. (2016). Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys. In 25th USENIX Security Symposium (USENIX Security 16) (pp. 673–688).
26. Tews, E., & Beck, M. (2009, March). Practical attacks against WEP and WPA. In Proceedings of the second ACM conference on Wireless network security (pp. 79–86).
27. Bhutta, A. A., & Mian, A. N. (2023). Lightweight real-time WiFi-based intrusion detection system using LightGBM (pp. 1–13). Wireless Networks.
28. Lounis, K., Ding, S. H., & Zulkernine, M. (2021, December). Cut It: Deauthentication attacks on protected management frames in WPA2 and WPA3. In International symposium on foundations and practice of security (pp. 235–252). Cham: Springer International Publishing.
29. Vanhoef, M. (2022, May). A time-memory trade-off attack on WPA3's SAE-PK. In Proceedings of the 9th ACM on ASIA Public-Key Cryptography Workshop (pp. 27–37).
30. Khraisat, A., Gondal, I., Vamplew, P., & Kamruzzaman, J. (2019). Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity, 2(1), 1–22.
31. Thankappan, M., Rifà-Pous, H., & Garrigues, C. (2024). A signature-based wireless intrusion detection system framework for multi-channel man-in-the-middle attacks against protected Wi-Fi networks. IEEE Access.
32. Kocher, G., & Kumar, G. (2021). Machine learning and deep learning methods for intrusion detection systems: recent developments and challenges. Soft Computing, 25(15), 9731–9763.
33. Verma, P., Tapaswi, S., & Godfrey, W. W. (2020). An adaptive threshold-based attribute selection to classify requests under DDoS attack in cloud-based systems. Arabian Journal for Science and Engineering, 45, 2813–2834.
34. Shone, N., Ngoc, T. N., Phai, V. D., & Shi, Q. (2018). A deep learning approach to network intrusion detection. IEEE Transactions on Emerging Topics in Computational Intelligence, 2(1), 41–50.
35. Chatzoglou, E., Kambourakis, G., & Kolias, C. (2021). Empirical evaluation of attacks against IEEE 802.11 enterprise networks: The AWID3 dataset. IEEE Access: Practical Innovations, Open Solutions, 9, 34188–34205.
36. Patro, S. G. O. P. A. L., & Sahu, K. K. (2015). Normalization: A preprocessing stage. arXiv preprint arXiv:1503.06462.
37. Shannon, C. E. (2001). A mathematical theory of communication. ACM SIGMOBILE Mobile Computing and Communications Review, 5(1), 3–55.

Additional Declarations

No competing interests reported.
Data Preprocessing Stage\u003c/em\u003e \u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003cp\u003eAll traffic packets transmitted over a Wi-Fi connection, whether in a normal network setting or within a compromised network, are intercepted and employed as an input dataset. Initially, the device network interface reconfigures into monitor mode, enabling each packet corresponding to the Wi-Fi connection to be stored into the PCAP (Packet CAPture) file format. These packets include valuable information, such as IP addresses, ports, headers, payloads, and more. These data represent the raw information required for constructing the system that offers protection against attacks like downgrade attacks. Therefore, in this data preprocessing stage, frame attributes are extracted and filtered from the captured traffic dataset. Algorithm 1 shows the procedure for the data preprocessing stage.\u003c/p\u003e \u003cp\u003e \u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Taba\" border=\"1\"\u003e \u003ccolgroup cols=\"1\"\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e \u003cthead\u003e \u003ctr\u003e \u003cth align=\"left\" colname=\"c1\"\u003e \u003cp\u003eAlgorithm 1 Data Preprocessing\u003c/p\u003e \u003c/th\u003e \u003c/tr\u003e \u003c/thead\u003e \u003ctbody\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003e-\u003cb\u003eInput\u003c/b\u003e: Arriving Traffic Data (A\u003csub\u003eT\u003c/sub\u003e)\u003c/p\u003e \u003cp\u003e-\u003cb\u003eOutput\u003c/b\u003e: Prepared Traffic Data (P\u003csub\u003eT\u003c/sub\u003e)\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003e1: Extracting packet data from A\u003csub\u003eT,\u003c/sub\u003e (.csv).\u003c/p\u003e \u003cp\u003e2: Filtering Packet Data: Filter packets based on specific criteria, e.g., frame type, source IP.\u003c/p\u003e \u003cp\u003e3: 
Normalizing data using Eq.\u0026nbsp;(1)\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003c/tbody\u003e \u003c/colgroup\u003e \u003c/table\u003e\u003c/div\u003e \u003c/p\u003e \u003cp\u003eThe arriving traffic attributes are extracted, filtered, and normalized. Since there are specific types of frames that play a significant role in every network discovery or intrusion detection system, the filtering process focuses on selecting a specific type of frame, like a beacon frame or probe response. Beacons are a type of management frame used to recognize the presence of an AP. These frames encapsulate valuable network details, including the network's name, MAC address, AKM (Authentication Key Management) type and count, and other 802.11 capabilities of an AP. A probe response is a type of frame generated to respond to the probe request sent from the client's devices. Although they are sent out individually, these response frames have the same AP capabilities as beacon frames. By isolating and emphasizing these frames, we provide a more accurate and perceptive analysis of the network's behavior.\u003c/p\u003e \u003cp\u003eTo standardize the value range of the packets and provide a fair examination of every attribute, a normalization technique is utilized in this stage. The packet feature values have different scales and units, so features with large values may dominate the others and produce unbalanced results. Thus, this technique standardizes all the attributes to a common range. The \u003cem\u003eZ\u003c/em\u003e-score technique is one of the normalization methods used in preprocessing [\u003cspan citationid=\"CR36\" class=\"CitationRef\"\u003e36\u003c/span\u003e]. 
The formula for \u003cem\u003eZ\u003c/em\u003e-score is presented in Eq.\u0026nbsp;(1).\u003cdiv id=\"Equa\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equa\" name=\"EquationSource\"\u003e\n$$Z=\\frac{X_{i}-\\mu}{\\sigma}\\qquad\\left(1\\right)$$\u003c/div\u003e\u003c/div\u003e\u003c/p\u003e \u003cp\u003ewhere \u003cem\u003eZ\u003c/em\u003e is the new normalized value for each feature; \u003cem\u003eX\u003c/em\u003e\u003csub\u003e\u003cem\u003ei\u003c/em\u003e\u003c/sub\u003e is the current feature value; \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\mu\\)\u003c/span\u003e\u003c/span\u003e is the mean value; and \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\sigma\\)\u003c/span\u003e\u003c/span\u003e is the standard deviation of each feature. After \u003cem\u003eZ\u003c/em\u003e-score normalization, the features preserve the distribution shape and are roughly the same scale.\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cem\u003eB. Baseline Adaptive Feature Selection (BAFS) Stage\u003c/em\u003e \u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003cp\u003eTo select the optimal adaptive features in the AFST-DA approach, the initial step involves retrieving and normalizing the traffic dataset within the data preprocessing stage. These dataset files contain both normal and malicious traffic data. According to Algorithm 2, all prepared traffic data (P\u003csub\u003eT\u003c/sub\u003e) is taken as input for this offline analysis. This stage incorporates a set of processes to identify the features that promote efficient anomaly detection. Initially, entropy is computed for each feature vector using Shannon\u0026rsquo;s entropy [\u003cspan citationid=\"CR37\" class=\"CitationRef\"\u003e37\u003c/span\u003e]. 
The formula is presented in Eq.\u0026nbsp;(2).\u003cdiv id=\"Equb\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equb\" name=\"EquationSource\"\u003e\n$$E=\\sum_{i=0}^{n}-p_{i}\\log p_{i}\\qquad\\left(2\\right)$$\u003c/div\u003e\u003c/div\u003e\u003c/p\u003e \u003cp\u003ewhere \u003cem\u003eE\u003c/em\u003e represents the entropy of the feature vector and \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(p_{i}\\)\u003c/span\u003e\u003c/span\u003e denotes the probability of occurrence for each possible outcome. The summation runs over all possible outcomes. In cases of attack, the feature entropy pattern changes and deviates from its normal values. These deviations provide insights into the attack behavior and the specific type of feature affected.\u003c/p\u003e \u003cp\u003eAfter computing the entropy for each feature vector, the baseline threshold is determined to identify anomalous features based on their entropies. This threshold is set using normal traffic as a reference point under typical conditions. Once a feature\u0026rsquo;s entropy exceeds this baseline threshold, it is flagged as an anomaly linked to downgrade attacks. These selected anomaly features form an adaptive set that acts as a repository for features indicating downgrade attack anomalies.\u003c/p\u003e \u003cp\u003eStatic thresholding techniques are limited under dynamic network conditions, particularly in attacks against Wi-Fi networks, because they are not accurate enough to deal with dynamic variations. Attack behaviors may cause some features to show high entropies and others low entropies, which leads to false positives. 
Therefore, to address these issues, the proposed approach uses MAD adaptive technology for accurate thresholding.\u003c/p\u003e \u003cp\u003e \u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Tabb\" border=\"1\"\u003e \u003ccolgroup cols=\"1\"\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e \u003cthead\u003e \u003ctr\u003e \u003cth align=\"left\" colname=\"c1\"\u003e \u003cp\u003eAlgorithm 2 Baseline Adaptive Feature Selection\u003c/p\u003e \u003c/th\u003e \u003c/tr\u003e \u003c/thead\u003e \u003ctbody\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003e\u003cb\u003e-Input\u003c/b\u003e: \u0026nbsp;Preparing traffic data (P\u003csub\u003eT\u003c/sub\u003e) - offline training\u003c/p\u003e \u003cp\u003e\u003cb\u003e-Output\u003c/b\u003e: Selecting adaptive feature and baseline threshold (adaptive \u003csub\u003eset\u003c/sub\u003e)\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003e1: Calculate the entropy \u003cem\u003eE\u003c/em\u003e(\u003cem\u003eF\u003c/em\u003e\u003csub\u003e\u003cem\u003ei\u003c/em\u003e\u003c/sub\u003e) for each feature using Eq.\u0026nbsp;(2)\u003c/p\u003e \u003cp\u003e2: Calculate the baseline threshold (\u003cem\u003eTh\u003c/em\u003e\u003csub\u003e\u003cem\u003ei\u003c/em\u003e\u003c/sub\u003e) for each feature.\u003c/p\u003e \u003cp\u003e3: \u003cb\u003eFor\u003c/b\u003e each F \u0026isin; P\u003csub\u003eT\u003c/sub\u003e:\u003c/p\u003e \u003cp\u003e4: if E(F\u003csub\u003ei\u003c/sub\u003e) \u0026gt;\u0026nbsp;Th\u003csub\u003ei\u003c/sub\u003e\u0026nbsp;\u003cb\u003ethen\u003c/b\u003e\u003c/p\u003e \u003cp\u003e5:\u0026nbsp;combined F\u003csub\u003ei\u003c/sub\u003e and Th\u003csub\u003ei\u003c/sub\u003e\u0026nbsp;to adaptive \u003csub\u003eset\u003c/sub\u003e\u003c/p\u003e \u003cp\u003e6: \u003cb\u003eelse\u003c/b\u003e dropped the feature.\u003c/p\u003e \u003cp\u003e7: 
\u003cb\u003eend if\u003c/b\u003e\u003c/p\u003e \u003cp\u003e8: // utilize the adaptive set in RDP stage.\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003c/tbody\u003e \u003c/colgroup\u003e \u003c/table\u003e\u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cem\u003eC. Real-Time Detection and Prevention Stage\u003c/em\u003e \u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003cp\u003eIn the real-time detection and prevention stage, incoming traffic is continuously observed and processed within a predefined sliding window. These traffic data are mapped with the selected adaptive set from the previous stage, enhancing detection by incorporating relevant features that reflect the current traffic dynamics. The sliding window dynamically adjusts its size based on the incoming data, ensuring timely analysis. For detection, a threshold is utilized to identify abnormal features. This threshold dynamically adapts to varying loads, ensuring flexibility in response to changing conditions. Once the detection threshold is alerted for a downgrade attack, the traffic packets are passed through the machine learning classifier. This mix of techniques is useful for high bandwidth and multiple APs, where central monitoring for vulnerabilities is not practical. Therefore, we use our dataset to train and test a few machine learning classifiers. When features remain below the threshold, the process continues with the addition of subsequent windows until the completion of the traffic analysis.\u003c/p\u003e \u003cp\u003eAdditionally, to prevent the attack, the mechanism takes action on each MAC address associated with malicious activity and the fraudulent authentication mechanism. By adding the MAC address of the attacking node to the blacklist, its ability to reconnect to the network is effectively blocked. 
Consequently, any subsequent attempts by the attack packet are promptly discarded, ensuring a proactive approach to preventing threats and enhancing WPA3 network security.\u003c/p\u003e"},{"header":"IV. EXPERIMENTAL RESULTS ANALYSIS ","content":"\u003cp\u003eTo validate the proposed approach, a set of experimentally configured scenarios is required. These experiments generate a dataset that contains both normal and attacked network conditions. The dataset contains a collection of packet captures from three types of scenarios, allowing us to effectively analyze the behavior of the network. The proposed approach is implemented and evaluated using Python 3.9 on a Dell machine with 16GB RAM and Intel\u0026reg; Core\u0026trade; i7-6600U CPU. Figure \u003cspan class=\"InternalRef\"\u003e3\u003c/span\u003e is a representation of our setup for simulating and collecting data. We use a mobile hotspot with switching enabled between WPA3 modes, participating client devices, a monitoring device (a Dell laptop running Ubuntu 18.04), and an attacker node running Ubuntu 18.04.\u003c/p\u003e\n\u003cp\u003e\u003cspan\u003e\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eA. Experimental setup\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003e\u003c/p\u003e\n\u003cp\u003eTo create the dataset, we label each scenario packet to determine if it corresponds to a specific attack. The offline stage relies on traffic analysis of the input frame, primarily focusing on downgrade attacks. The resulting dataset comprises packet captures from two attack sessions: WPA3-SAE and WPA3-TM. The dataset includes CSV files containing the network packets transmitted during the attack and captured using the monitoring device. 
Moreover, the dataset also incorporates packets from a normal network scenario and temporary disruption scenarios, providing a comprehensive view of network traffic under various conditions.\u003c/p\u003e\n\u003cp\u003eTable\u0026nbsp;1 shows the experiment scenarios aimed to establish a baseline dataset from a normal and attacked Wi-Fi WLAN connection. To address false positives, disruption scenarios are simulated using non-standard traffic patterns using the same legitimate AP. This AP\u0026apos;s mode is repeatedly reconfigured during data capture, mimicking downgrade attack behaviors without actual attacks.\u003c/p\u003e\n\u003cp\u003eTABLE I\u003c/p\u003e\n\u003cp\u003e\u003cspan type=\"SmallCaps\" class=\"SmallCaps\" name=\"Emphasis\"\u003eScenarios Setting\u003c/span\u003e\u003c/p\u003e\n\u003cdiv class=\"gridtable\"\u003e\u0026nbsp;\u003ctable id=\"Tabc\" border=\"1\"\u003e\n \u003ccolgroup cols=\"6\"\u003e\u003c/colgroup\u003e\n \u003cthead\u003e\n \u003ctr\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eNo.\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\" colspan=\"2\"\u003e\n \u003cp\u003eScenario Type\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eAP standard security\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eAttack type\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eRadio\u003c/p\u003e\n \u003cp\u003eChannel Frequency\u003c/p\u003e\n \u003c/th\u003e\n \u003c/tr\u003e\n \u003c/thead\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e1\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eNormal\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\" colspan=\"2\"\u003e\n \u003cp\u003eWPA3-SAE\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eNone\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e2.4 GHz\u003c/p\u003e\n 
\u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e2\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eNormal\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\" colspan=\"2\"\u003e\n \u003cp\u003eWPA3-TM\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eNone\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e2.4 GHz\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e3\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eAttacked\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\" colspan=\"2\"\u003e\n \u003cp\u003eWPA3-SAE ,WPA2\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eDowngrade\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e2.4 GHz\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e4\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eAttacked\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\" colspan=\"2\"\u003e\n \u003cp\u003eWPA3-TM, WPA2\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eDowngrade\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e2.4 GHz\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e5\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eTemporary disruption\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\" colspan=\"2\"\u003e\n \u003cp\u003eWPA3-TM, WPA3-SAE\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eNormal Operation\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e2.5GHz\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n 
\u003c/tbody\u003e\n \u003c/table\u003e\n\u003c/div\u003e\n\u003cp\u003e\u003cspan\u003e\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eB. Data Representation and Analysis\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003e\u003c/p\u003e\n\u003cp\u003eIn the data preprocessing stage, we start our analysis by investigating the frames of different Wi-Fi WLAN scenarios, encompassing management frames (type\u0026thinsp;=\u0026thinsp;0), control frames (type\u0026thinsp;=\u0026thinsp;1), and data frames (type\u0026thinsp;=\u0026thinsp;2), along with their subtype frames. This analysis aims to ensure the correctness of the Wi-Fi trace by examining the distribution of frame types. As shown in Fig. \u003cspan class=\"InternalRef\"\u003e4\u003c/span\u003e, the dataset consists of 24 features, with frame statistics comparing rogue AP data to legitimate AP data.\u003c/p\u003e\n\u003cp\u003eIn the case of the rogue AP, the most prevalent frames are beacons (type\u0026thinsp;=\u0026thinsp;0, subtype\u0026thinsp;=\u0026thinsp;8), which represent about 90% of the total occurrences, followed by deauthentication frames (type\u0026thinsp;=\u0026thinsp;0, subtype\u0026thinsp;=\u0026thinsp;12) with a rate of 5%, while 0.06% of the frames are identified as EAPOL frames (type\u0026thinsp;=\u0026thinsp;2, subtype\u0026thinsp;=\u0026thinsp;0). In the legitimate AP data, the frame distribution has a different pattern. Beacons remain the dominant type at approximately 50%. This distribution is anticipated in a typical network scenario because beacons are used legitimately to announce the AP availability. EAPOL packets (type\u0026thinsp;=\u0026thinsp;2, subtype\u0026thinsp;=\u0026thinsp;0) have a high presence, accounting for approximately 15%. 
EAPOL frames are commonly associated with the establishment and management of secure connections, and their lower occurrence in attack scenarios indicates a delay or termination in connection establishment.\u003c/p\u003e\n\u003cp\u003eAll Wi-Fi packet time gaps are illustrated in Fig. \u003cspan class=\"InternalRef\"\u003e5\u003c/span\u003e. This observation underlines the unusual behavior of the AP packets. The purpose is to perform a sanity check of the captured traffic, which provides insight about the presence of malicious activities, such as rapid advertising of the rogue AP and lower advertising of the legitimate AP. This justifies the varying number of packets, which indicates a lower number of frames from legitimate AP compared to rogue AP packets. The legitimate AP keeps busy with a connection setup and data packets instead of advertising itself.\u003c/p\u003e\n\u003cp\u003e\u003cspan\u003e\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eC. Results and Discussion\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003e\u003c/p\u003e\n\u003cp\u003eTo validate the accuracy and reliability of the proposed approach, we present and discuss the results of the experiments. We evaluate feature selection efficiency by comparing entropy statistics, analyzing real-time detection and prevention capabilities, and examining the performance of the machine learning classifier.\u003c/p\u003e\n\u003cp\u003eFirstly, we observe that the proposed baseline adaptive feature selection algorithm provides better results along with the entropy statistic. Figures \u003cspan class=\"InternalRef\"\u003e6\u003c/span\u003e(a) and 6(b) report the entropy in two APs (one for WPA3-SAE only and the other for WPA3-TM), an involved AP operating in WPA3-SAE mode under normal conditions, and the same legitimate AP being attacked by a rogue AP using WPA2. 
In the context of WPA3-SAE under normal conditions, the feature entropy exhibits lower values, reflecting a consistent pattern in the feature vector characteristic of a secure network environment. This stability in entropy during normal operation contrasts with the variations observed in the attacked scenario.\u003c/p\u003e\n\u003cp\u003eIn the attacked scenario, alterations are evident in AKM types, frame length (frame.len), frame sequence (wlan.seq), and beacon intervals (wlan.fixed.beacon). The entropy associated with AKM types indicates malicious attempts using different authentication algorithms while supporting WPA2-PSK. Variations in frame length and sequence suggest disruptions to typical communication patterns, implying interference by the attacker in the customary sequence of data frames. Additionally, changes in beacon intervals highlight anomalies in standard broadcasting behavior.\u003c/p\u003e\n\u003cp\u003eSubsequently, the experiments involve a legitimate AP operating in WPA3-TM mode. Figure \u003cspan class=\"InternalRef\"\u003e6\u003c/span\u003e(b) illustrates the entropy results. In the normal condition, the AP broadcasts a beacon detailing the supported AKM types, including both WPA3-SAE and WPA2-PSK authentication, with an AKM count of two. 
The entropy analysis shows patterns consistent with secure behavior, displaying consistent AKM type, AKM count, beacon interval characteristics, and steady frame sequence entropy.\u003c/p\u003e\n\u003cp\u003eOn the other hand, in the temporary disruption scenario, as shown in Fig. 7, when the AP temporarily changed its security settings from WPA3-TM to WPA3-SAE mode, the results show a distinct change in AKM count and AKM type in the entropies, which matches the results observed during the attack scenario. However, the findings indicate different entropy values and feature sets. Interestingly, despite this temporary disruption, no additional alterations are detected in the frame sequence, intervals, or length, as seen in attack behaviors. This variation serves as a pivotal factor in distinguishing attack behaviors from transient conditions, affirming the capability to minimize false negatives.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eFigure\u0026nbsp;7.\u003c/strong\u003e Results of Entropy Analysis via temporary condition.\u003c/p\u003e\n\u003cp\u003eThereafter, the aforementioned adaptive thresholding technique is employed. For each feature vector, a threshold value is provided, on the basis of which anomalous features are selected and combined into an adaptive set. Once the feature entropy exceeds the threshold, it is identified as an anomaly.\u003c/p\u003e\n\u003cp\u003eFollowing the identification of anomaly features, the approach tests a traffic dataset by mapping it with the chosen adaptive feature set. The traffic adapts dynamically to the changing conditions. As the window size reaches the length of the traffic, the system computes the feature entropy and dynamically adjusts the threshold for anomaly detection.\u003c/p\u003e\n\u003cp\u003eAs illustrated in Fig. 
\u003cspan class=\"InternalRef\"\u003e8\u003c/span\u003e(a) and 6(b), the approach responds to the attacked WPA3-SAE and WPA3-TM scenario and accurately identifies the downgrade attack with a recorded detection time.\u003c/p\u003e\n\u003cp\u003eFurthermore, the approach is taken to prevent downgrade attacks by implementing an adaptive blacklist. When a blacklisted source tries to access the network again, they are promptly notified about the unauthorized traffic. Evaluation in various scenarios shows the effectiveness of this prevention measure, as illustrated in Fig. \u003cspan class=\"InternalRef\"\u003e9\u003c/span\u003e. Notably, the blacklist operates within a simulated environment on the same device, demonstrating its functionality without any on manufacturer\u0026ndash;specific implementations.\u003c/p\u003e\n\u003cp\u003eAdditionally, a machine learning classifier is used along with the thresholding process to predict the downgrade attack. As depicted in Fig. \u003cspan class=\"InternalRef\"\u003e10\u003c/span\u003e, the comparison output of different classifiers reveals that Naive Bayes exhibits the highest accuracy (99.8%). This indicates its exceptional capability in accurately detecting network attacks.\u003c/p\u003e\n\u003cp\u003eSimilarly, Naive Bayes (NB) demonstrates excellent performance in achieving the highest accuracy, F1-score, recall, and precision compared to KNN, SVM, and SGD classifiers. 
This is evident from the results presented in Table II.\u003c/p\u003e\n\u003cp\u003eTABLE II\u003c/p\u003e\n\u003cp\u003e\u003cspan type=\"SmallCaps\" class=\"SmallCaps\" name=\"Emphasis\"\u003eClassification Results\u003c/span\u003e\u0026nbsp;\u003c/p\u003e\n\u003ctable id=\"Tabe\" border=\"1\"\u003e\n \u003cthead\u003e\n \u003ctr\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eClassifier\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eAccuracy\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eRecall\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003ePrecision\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eF1 score\u003c/p\u003e\n \u003c/th\u003e\n \u003c/tr\u003e\n \u003c/thead\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eKNN\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e97.9%\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.977\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.974\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.975\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eNaive Bayes\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e99.8%\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.977\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.997\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.998\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eSVM\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e85.9%\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n 
\u003cp\u003e0.783\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.869\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.810\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eSGD\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e78.1%\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.845\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.785\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e0.772\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003c/p\u003e\n\u003cp\u003eComparing our proposed hybrid approach to related methods, as listed in Table III, we observe improvements in both detection rate and accuracy. However, it encounters potential false positives, leaving vulnerabilities [\u003cspan class=\"CitationRef\"\u003e19\u003c/span\u003e] and weaker defense against downgrade attacks, and as such is an inefficient Wi-Fi IDS [\u003cspan class=\"CitationRef\"\u003e20\u003c/span\u003e]. Nonetheless, our proposed hybrid approach, which incorporates adaptive feature sets and dynamic thresholding, achieves a detection rate of 99.8%, effectively addressing downgrade attacks in both WPA3-SAE and WPA3-TM scenarios. 
While limitations exist, notably in its scope (which is limited to downgrade attacks), our approach demonstrates significant improvements in mitigating Wi-Fi vulnerabilities compared to existing methods.\u003c/p\u003e\n\u003cp\u003eTABLE III\u003c/p\u003e\n\u003cp\u003e\u003cspan type=\"SmallCaps\" class=\"SmallCaps\" name=\"Emphasis\"\u003eSummary of comparison with the related works\u003c/span\u003e\u0026nbsp;\u003c/p\u003e\n\u003ctable id=\"Tabf\" border=\"1\"\u003e\n \u003cthead\u003e\n \u003ctr\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eReference\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eApproach\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eBasis\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eDetection\u003c/p\u003e\n \u003cp\u003eRate/\u003c/p\u003e\n \u003cp\u003eAccuracy\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eWeakness\u003c/p\u003e\n \u003c/th\u003e\n \u003cth align=\"left\"\u003e\n \u003cp\u003eVulnerabilities\u003c/p\u003e\n \u003c/th\u003e\n \u003c/tr\u003e\n \u003c/thead\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eDalal et al. 
[\u003cspan class=\"CitationRef\"\u003e19\u003c/span\u003e]\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eSignature-based IDS\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eAttack vector\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eAble to detect abnormal packets\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003ePotential false positives during AP restart or reconfiguration\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eDowngrade attack and more.\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eSaini et al.[\u003cspan class=\"CitationRef\"\u003e20\u003c/span\u003e]\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eSignature based IDS\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eAttack flow and ML-classification\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eRandom Forest 99.9%\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e-Spike in the mean number of packets may lead for false positives\u003c/p\u003e\n \u003cp\u003e-Limited to Floods attack\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eFlood attacks\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eBhutta et al.[\u003cspan class=\"CitationRef\"\u003e27\u003c/span\u003e]\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eLightweight wifi IDS\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eLightGBM\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e99.7\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eDowngrade attack\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd 
align=\"left\"\u003e\n \u003cp\u003eWi-Fi attack and WPA3 flood attacks\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003ctr\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eProposed\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eHybrid approach\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eAdaptive Fature set and dynamic thresholding.\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e99.8\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003e-Limited to downgrade attack\u003c/p\u003e\n \u003c/td\u003e\n \u003ctd align=\"left\"\u003e\n \u003cp\u003eDowngrade attack in WPA3-SAE \u0026amp; WPA3-TM\u003c/p\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n\u003c/table\u003e\n\u003cp\u003e\u003c/p\u003e"},{"header":"V. CONCLUSION","content":"\u003cp\u003eThis paper has proposed a hybrid approach to detect and prevent inherent security challenges introduced by the backward compatibility of WPA3. These challenges have not been seriously solved in existing work. We propose a combination of statistical, thresholding, and classifying methods that enable Wi-Fi traffic analysis to classify a Wi-Fi attack. The primary objective of the proposed approach is to classify whether the observed traffic data is indicative of a downgrade attack or aligns with normal network behavior. Employing adaptive feature selection and thresholding, the approach effectively identifies significant features from the dataset. Additionally, it utilizes entropy statistics and MAD thresholding to detect and prevent attack traffic. Furthermore, ML classification techniques are employed to enhance the accuracy of threat detection.\u003c/p\u003e \u003cp\u003eThrough the implementation of practical and realistic scenarios, the obtained results underscore the responsiveness and accuracy of WPA3, showcasing a robust intrusion detection capability. 
The best accuracy obtained by the Naive Bayes classifier for both modes is approximately 99.8%. In future work, we intend to extend the dataset to integrate more WPA3 vulnerabilities. Furthermore, the approach confirms the benefits of integrating an accessible blacklist to prevent unauthorized traffic sources. Therefore, this method can be extended to a cloud-based blacklist system within the security infrastructure. This blacklist will provide centralized and updated storage for malicious sources, reducing the risk of security breaches.\u003c/p\u003e"},{"header":"Declarations","content":"\u003ch2\u003eEthical Approval\u003c/strong\u003e\u003c/h2\u003e\n\u003cp\u003eNot applicable.\u003c/p\u003e\n\u003ch2\u003eFunding\u003c/h2\u003e\n\u003cp\u003eNot applicable.\u003c/p\u003e\n\u003ch2\u003eAuthor Contribution\u003c/h2\u003e\n\u003cp\u003eA.T. and A.A. authored the main text and prepared the implementation section. A.A. wrote the introduction and literature review. M.A. created the figures and tables. All authors reviewed the manuscript.\u003c/p\u003e"},{"header":"References","content":"\u003col\u003e\u003cli\u003e\u003cspan\u003eBellalta, B., Bononi, L., Bruno, R., \u0026amp; Kassler, A. (2016). Next generation IEEE 802.11 Wireless Local Area Networks: Current status, future directions and open challenges. \u003cem\u003eComputer Communications\u003c/em\u003e, \u003cem\u003e75\u003c/em\u003e, 1\u0026ndash;25.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eZou, Y., Zhu, J., Wang, X., \u0026amp; Hanzo, L. (2016). A survey on wireless security: Technical challenges, recent advances, and future trends. Proceedings of the IEEE, 104(9), 1727\u0026ndash;1765.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAlliance, W. F. (2003). \u003cem\u003eWi-Fi Protected Access: Strong, standards-based, interoperable security for today\u0026rsquo;s Wi-Fi networks\u003c/em\u003e (pp. 492\u0026ndash;495). 
White paper, University of Cape Town.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003ePaterson, K. G., Poettering, B., \u0026amp; Schuldt, J. C. (2015). Plaintext recovery attacks against WPA/TKIP. In Fast Software Encryption: 21st International Workshop, FSE 2014, London, UK, March 3\u0026ndash;5, 2014. Revised Selected Papers 21 (pp. 325\u0026ndash;349). Springer Berlin Heidelberg.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eVanhoef, M., \u0026amp; Piessens, F. (2013, May). Practical verification of WPA-TKIP vulnerabilities. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security (pp. 427\u0026ndash;436).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eLorente, E. N., Meijer, C., \u0026amp; Verdult, R. (2015). Scrutinizing {WPA2} Password Generating Algorithms in Wireless Routers. In 9th USENIX Workshop on Offensive Technologies (WOOT 15).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eMoskowitz, R. (2003). Weakness in passphrase choice in WPA interface. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttp://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface\u003c/span\u003e\u003cspan address=\"http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e. html.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAgarwal, M., Biswas, S., \u0026amp; Nandi, S. (2015). Advanced stealth man-in-the- middle attack in WPA2 encrypted Wi-Fi networks. \u003cem\u003eIEEE Communications Letters\u003c/em\u003e, \u003cem\u003e19\u003c/em\u003e(4), 581\u0026ndash;584.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eVanhoef, M., \u0026amp; Piessens, F. (2017, October). Key reinstallation attacks: Forcing nonce reuse in WPA2. 
In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 1313\u0026ndash;1328).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eWi-Fi Alliance (2018). WPA3 specification. Retrieved \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003efromhttps://www.wifi.org/system/files/WPA3%20Specification%20v3.1.pdf\u003c/span\u003e\u003cspan address=\"http://fromhttps://www.wifi.org/system/files/WPA3%20Specification%20v3.1.pdf\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eWi-Fi Alliance, \u0026amp; Security (2020). Wi-Fi Security. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://www.wi-fi.org/discover-wi-fi/security\u003c/span\u003e\u003cspan address=\"https://www.wi-fi.org/discover-wi-fi/security\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (Accessed: 20 December 2023).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eWiGLE.net (2023). Statistics. Retrieved from https://wigle.net/stats.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eVanhoef, M., \u0026amp; Ronen, E. (2020, May). Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd. In 2020 IEEE Symposium on Security and Privacy (SP) (pp. 517\u0026ndash;533). IEEE.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eLounis, K., \u0026amp; Zulkernine, M. (2019, September). Bad-token: denial of service attacks on WPA3. In Proceedings of the 12th International Conference on Security of Information and Networks (pp. 1\u0026ndash;8).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eLamers, E., Dijksman, R., van der Vegt, A., Sarode, M., \u0026amp; de Laat, C. (2021, January). Securing home Wi-Fi with WPA3 personal. In 2021 IEEE 18th Annual Consumer Communications \u0026amp; Networking Conference (CCNC) (pp. 1\u0026ndash;8). 
IEEE.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eLounis, K., \u0026amp; Zulkernine, M. (2020). WPA3 connection deprivation attacks. In Risks and Security of Internet and Systems: 14th International Conference, CRiSIS 2019, Hammamet, Tunisia, October 29\u0026ndash;31, 2019, Proceedings 14 (pp. 164\u0026ndash;176). Springer International Publishing.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eVanhoef, M., Schepers, D., \u0026amp; Piessens, F. (2017, April). Discovering logical vulnerabilities in the Wi-Fi handshake using model-based testing. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (pp. 360\u0026ndash;371).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003ePatel, M., Amritha, P. P., \u0026amp; Sam jasper, R. (2021). Active dictionary attack on WPA3-SAE. In Advances in Computing and Network Communications: Proceedings of CoCoNet 2020, Volume 1 (pp. 633\u0026ndash;641). Springer Singapore.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eDalal, N., Akhtar, N., Gupta, A., Karamchandani, N., Kasbekar, G. S., \u0026amp; Parekh, J. (2022, January). A wireless intrusion detection system for 802.11 WPA3 networks. In 2022 14th International Conference on COMmunication Systems \u0026amp; NETworkS (COMSNETS) (pp. 384\u0026ndash;392). IEEE.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eSaini, R., Halder, D., \u0026amp; Baswade, A. M. (2022, December). RIDS: Real-time Intrusion Detection System for WPA3 enabled Enterprise Networks. In GLOBECOM 2022\u0026ndash;2022 IEEE Global Communications Conference (pp. 43\u0026ndash;48). IEEE.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eKohlios, C. P., \u0026amp; Hayajneh, T. (2018). A comprehensive attack flow model and security analysis for Wi-Fi and WPA3. 
\u003cem\u003eElectronics\u003c/em\u003e, \u003cem\u003e7\u003c/em\u003e(11), 284.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAppel, M., \u0026amp; Guenther, I. S. (2020). WPA 3-Improvements over WPA 2 or broken again? \u003cem\u003eNetwork\u003c/em\u003e, \u003cem\u003e7\u003c/em\u003e, 1\u0026ndash;4.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eMoskowitz, R. (2003). Weakness in passphrase choice in WPA interface. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttp://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface\u003c/span\u003e\u003cspan address=\"http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e. html.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eHe, C., Sundararajan, M., Datta, A., Derek, A., \u0026amp; Mitchell, J. C. (2005, November). A modular correctness proof of IEEE 802.11 i and TLS. In Proceedings of the 12th ACM conference on Computer and communications security (pp. 2\u0026ndash;15).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eVanhoef, M., \u0026amp; Piessens, F. (2016). Predicting, Decrypting, and Abusing {WPA2/802.11} Group Keys. In 25th USENIX security symposium (USENIX security 16) (pp. 673\u0026ndash;688).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eTews, E., \u0026amp; Beck, M. (2009, March). Practical attacks against WEP and WPA. In Proceedings of the second ACM conference on Wireless network security (pp. 79\u0026ndash;86).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eBhutta, A. A., \u0026amp; Mian, A. N. (2023). \u003cem\u003eLightweight real-time WiFi-based intrusion detection system using LightGBM\u003c/em\u003e (pp. 1\u0026ndash;13). Wireless Networks.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eLounis, K., Ding, S. 
H., \u0026amp; Zulkernine, M. (2021, December). Cut It: Deauthentication attacks on protected management frames in WPA2 and WPA3. In International symposium on foundations and practice of security (pp. 235\u0026ndash;252). Cham: Springer International Publishing.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eVanhoef, M. (2022, May). A time-memory trade-off attack on WPA3's SAE-PK. In Proceedings of the 9th ACM on ASIA Public-Key Cryptography Workshop (pp. 27\u0026ndash;37).\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eKhraisat, A., Gondal, I., Vamplew, P., \u0026amp; Kamruzzaman, J. (2019). Survey of intrusion detection systems: techniques, datasets and challenges. \u003cem\u003eCybersecurity\u003c/em\u003e, \u003cem\u003e2\u003c/em\u003e(1), 1\u0026ndash;22.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eThankappan, M., Rif\u0026agrave;-Pous, H., \u0026amp; Garrigues, C. (2024). \u003cem\u003eA signature-based wireless intrusion detection system framework for multi-channel man-in-the-middle attacks against protected Wi-Fi networks\u003c/em\u003e. IEEE Access.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eKocher, G., \u0026amp; Kumar, G. (2021). Machine learning and deep learning methods for intrusion detection systems: recent developments and challenges. \u003cem\u003eSoft Computing\u003c/em\u003e, \u003cem\u003e25\u003c/em\u003e(15), 9731\u0026ndash;9763.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eVerma, P., Tapaswi, S., \u0026amp; Godfrey, W. W. (2020). An adaptive threshold-based attribute selection to classify requests under DDoS attack in cloud-based systems. \u003cem\u003eArabian Journal for Science and Engineering\u003c/em\u003e, \u003cem\u003e45\u003c/em\u003e, 2813\u0026ndash;2834.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eShone, N., Ngoc, T. N., Phai, V. D., \u0026amp; Shi, Q. (2018). A deep learning approach to network intrusion detection. 
\u003cem\u003eIEEE transactions on emerging topics in computational intelligence\u003c/em\u003e, \u003cem\u003e2\u003c/em\u003e(1), 41\u0026ndash;50.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eChatzoglou, E., Kambourakis, G., \u0026amp; Kolias, C. (2021). Empirical evaluation of attacks against IEEE 802.11 enterprise networks: The AWID3 dataset. \u003cem\u003eIeee Access : Practical Innovations, Open Solutions\u003c/em\u003e, \u003cem\u003e9\u003c/em\u003e, 34188\u0026ndash;34205.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003ePatro, S. G. O. P. A. L., \u0026amp; Sahu, K. K. (2015). Normalization: A preprocessing stage. \u003cem\u003earXiv preprint arXiv\u003c/em\u003e:150306462.\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eShannon, C. E. (2001). A mathematical theory of communication. \u003cem\u003eACM SIGMOBILE mobile computing and communications review\u003c/em\u003e, \u003cem\u003e5\u003c/em\u003e(1), 3\u0026ndash;55.\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"
Version 1 posted September 5th, 2024.
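The conclusion names entropy statistics and MAD thresholding as the detection stage. The sketch below is an added example, not the authors' implementation: the feature (the AKM suite requested in each association), the window size, the multiplier k = 3, the spread floor and every sample window are assumptions constructed for illustration.

```python
import math
from collections import Counter, deque
from statistics import median

MAD_TO_SIGMA = 1.4826  # scales MAD to a standard deviation for normal data


def shannon_entropy(symbols):
    """Shannon entropy, in bits, of the empirical distribution of symbols."""
    total = len(symbols)
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(symbols).values())


class AdaptiveEntropyDetector:
    """Flags windows whose entropy leaves a median +/- k*MAD band."""

    def __init__(self, baseline_windows, k=3.0, history=32, min_spread=0.01):
        self.k = k
        self.min_spread = min_spread  # floor for a perfectly flat baseline
        self.history = deque((shannon_entropy(w) for w in baseline_windows),
                             maxlen=history)
        if len(self.history) < 3:
            raise ValueError("need at least three baseline windows")

    def threshold(self):
        """Return (median entropy, allowed deviation) for the current history."""
        med = median(self.history)
        mad = median(abs(h - med) for h in self.history)
        return med, self.k * max(MAD_TO_SIGMA * mad, self.min_spread)

    def observe(self, window):
        """Score one window; only windows judged normal update the baseline."""
        h = shannon_entropy(window)
        med, limit = self.threshold()
        anomalous = abs(h - med) > limit
        if not anomalous:
            self.history.append(h)  # adapt to drift, never to flagged traffic
        return anomalous


def make_window(psk, size=50):
    """Constructed sample: `psk` WPA2-PSK requests among `size` associations."""
    return ["PSK"] * psk + ["SAE"] * (size - psk)


# Constructed data: a transition-mode SSID where about 10% of clients are legacy.
BASELINE = [make_window(n) for n in (5, 4, 6, 5, 6, 4, 6, 4)]
# Windows 2 and 3 model a shift of associations from SAE to PSK.
LIVE = [make_window(n) for n in (5, 7, 30, 50, 6)]


def flagged_windows(live=LIVE, baseline=BASELINE):
    """Indexes of live windows that fall outside the adaptive band."""
    detector = AdaptiveEntropyDetector(baseline)
    return [i for i, w in enumerate(live) if detector.observe(w)]


if __name__ == "__main__":
    print("flagged window indexes:", flagged_windows())
```

Entropy ignores which value dominates: a window that is 90% PSK scores the same as the 10% PSK baseline and passes this stage, which is why a second stage such as the classifier mentioned in the conclusion is still needed.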