Mathematical Modeling and SDN-Driven Defense for Wi-Fi MAC-Layer Vulnerabilities in Access Points

2.1 Media Access Control-layer overview

The IEEE 802.11 MAC data link layer is responsible for facilitating reliable communication between devices on a common network by arranging data into frames while also making sure it is transmitted correctly. It controls data flow to avoid overwhelming receivers, performs device identification using physical MAC addresses, and finds or repairs potential physical layer problems. To prevent collisions and provide seamless data transfer coordination, it also supervises how devices access the common communication channel [5].

According to the 802.11 standard, each device is uniquely recognized by a MAC address, which is a physical address. Ethernet or LAN addresses are other names for MAC addresses [2]. The Network Interface Card (NIC) includes this address as a hardware identifier. The MAC address is unique unless the user changes it manually. Usually demonstrated as six groups of hexadecimal numerals [4], it is a 48-bit value. In terms of Organization, Unique Identifier (OUI), which the IEEE allocates to the NIC manufacturer, is made up of the first three bytes on the left side of the MAC address, as seen in Figure 2. The manufacturer designates the remaining three bytes as the Universally Administered Address (UAA) that is used to uniquely identify each NIC [6].

Figure 2. Structure of 48-bit Media Access Control (MAC) address [6]

MAC addresses can be categorized as unicast, multicast, or broadcast according to the least significant bit of the first octet. In practical IEEE 802.11 communication, this classification affects how frames are delivered and interpreted at the link layer, especially when management traffic is broadcast to multiple stations during discovery and coordination.

The MAC layer of IEEE 802.11 wireless networks supports three different frame types: management, control, and data frames. This defines it apart from its Ethernet cousin. While collisions cannot be detected wirelessly, it uses Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) instead of CSMA/CD. Important for mobility and roaming support, the MAC layer also controls device association, authentication, and handover throughout access points [7]. In comparison with data frames protected by WPA2/3 encryption, the majority of control and management frames were neither encrypted nor authenticated. This places Wi-Fi access points at considerable risk from spoofing and injection attacks [8, 9].

2.2 Wi-Fi Protected Access 3

WPA3 represents the latest Wi-Fi security standard that has been designed to replace WPA2 and to improve the protection against modern attacks. At the core of WPA3 is the SAE handshake, which replaces the WPA2 (4-way handshake) with a zero-knowledge password exchange. This mechanism allows the client and the access point (AP) to establish the shared session key with the password never being sent over the air, thus preventing attackers who may intercept the handshake and launch offline brute-force attacks on the network. WPA3 uses either 128 or 192 bits of encryption for personal networks and enterprise networks, respectively, in Figure 3, with the help of a powerful cipher, such as AES-GCM and SHA-384, to guarantee confidentiality and integrity. The most significant is that WPA3 requires Management Frame Protection (MFP), which protects against deauthentication and disassociation attacks that might have been used in the past to disconnect users. Moreover, it is forward secrecy, meaning that a different set of keys is used each time to make sure that even a subsequently compromised password will not decrypt the previous communication. WPA3 Revision 3 (2022-2023) is based on these foundations and designed to provide additional protection against side-channel attacks of the SAE handshake (as seen with Dragonblood), support downgrade protection better, and add support to IoT and resource-constrained devices with more efficient handshakes. WPA3 R3, which adds the Device Provisioning Protocol (DPP) or Easy Connect, can also be used to securely onboard devices with a QR code or NFC, enhancing usability and security in the current networks [10-13].

Figure 3. WPA3 enterprise process [13]

2.3 Software-Defined Networking overview

SDN is a network architecture that separates the data plane (forwarding the traffic to its destination) and the control plane (choosing how to route the data before sending it to the destination). This decoupling allows centralized control, easier programmability, and dynamic network designing with a logically centrally located SDN controller [14].

Security processes are now operating globally and not on isolated devices due to SDN's ability to offer real-time visibility to the entire network. MAC-layer attack detection and prevention in wireless networks can be performed with the help of SDN because it is particularly effective in terms of coordinating and implementing security policies in multiple APs, Figure 4 [15]. In addition, it allows the use of southbound protocols like OpenFlow [16] for the construction of custom flow rules, traffic isolation, and anomaly response.

Figure 4. Software-Defined Networking (SDN) management [14]

2.4 Wireless communication and channel model

To connect the security model more directly with communications engineering, the WLAN is modeled as a wireless system in which access points and stations exchange frames over a shared channel characterized by bandwidth, transmit power, receiver sensitivity, interference, and propagation loss. Which means that the received signal strength indicator (RSSI) becomes more than a detection heuristic: it is a communication observable whose deviation from expected behavior can indicate spoofing, evil-twin activity, or abnormal mobility patterns.

At the MAC level, the same attacks can be seen as affecting contention and service. Flooding attacks increase queue pressure and channel access delay, deauthentication attacks interrupt association continuity, and rogue access points distort the relationship between SSID, BSSID, and signal characteristics. Thus, the communication degradation of an attack can be quantified by using metrics like access delay, packet delivery ratio, retransmission rate, goodput and control overhead. The communication perspective enhances the use of the proposed SDN-based framework: the controller not only supports decision-making about the presence of an attack, but also supports communication quality preservation, by early detection of abnormal PHY/MAC behavior and mitigation before it affects the whole WLAN. In subsequent sections, this view helps to support the mathematical detection model and the analysis of throughput and delay recovery.

Although substantial advances have been made in Wi-Fi security, there are some problems with the current approaches from a holistic perspective. WPA3-based solutions primarily provide preventive security with improved authentication and encryption mechanisms, but do not provide real-time detection and mitigation in the event of attacks. Machine learning-based approaches enhance detection accuracy, but they come with higher computational costs, a need for training data, and a lack of interpretability, making them less attractive in scenarios that are sensitive to latency.

SDN-based solutions offer a global network view and centralised control to manage traffic and policies. However, current SDN-based approaches usually work at the higher layers of networks and do not offer fine-grained MAC-layer attack detection. Also, they typically target either generic network protection or QoS rather than Wi-Fi MAC-layer attack prevention.

As a result, there is a clear gap in the literature: the absence of a unified, lightweight, and interpretable framework that combines real-time MAC-layer attack detection with SDN-based dynamic mitigation. To fill this gap, this paper introduces a deterministic mathematical detection model with SDN control, providing explainable, timely, and MAC-layer-aware security mechanisms for Wi-Fi access points.

To protect Wi-Fi networks on the MAC layer, particularly on the AP part, several conventional countermeasures have been developed to protect against such attacks as spoofing, flooding, rogue APs, and deauthentication.

MAC Address Spoofing Countermeasures: To defend against MAC address spoofing, the paper proposes 802.1X authentication so devices must authenticate with credentials rather than only MAC addresses, PMF (802.11w) to secure management frames, sequence number monitoring to detect suspicious anomalies, and RSSI analysis to identify inconsistent signal strength patterns. At the MAC layer, the strategy is to enforce identity beyond the MAC address, detect duplicate or inconsistent MAC behavior, and block spoofed management frames [30].

MAC Address Flooding Countermeasures: For MAC flooding, the proposed AP-side defenses include port security to limit how many MAC addresses can be learned on a port, rate limiting to reduce the frequency of association requests, and association limits to avoid exhausting AP resources. The MAC-layer countermeasure is to avoid AP memory or association table overflow and to identify excessive association requests with random MAC addresses [31].

KRACK Countermeasures: The paper proposes firmware patches to address vulnerabilities in WPA2 implementation, 802.11w to secure management frames and limit attack impact, and handshake monitoring to detect four-way handshake anomalies. At the MAC layer, the aim is to prevent nonce or key reuse and detect replayed handshake messages [8].

STP Manipulation Countermeasures: To protect against STP manipulation, the paper recommends BPDU Guard, which disables ports receiving BPDUs from untrusted sources and Root Guard, which prevents designated ports from becoming root ports and manipulates topology. The MAC layer approach is to prevent unauthorised BPDUs and rogue devices from manipulating Layer 2 topology [32].

Evil Twin Rogue AP Countermeasures: To mitigate Evil Twin attacks, the paper suggests the use of rogue AP detection, which prevents clients from connecting to unauthorised APs, 802.1X server certificate verification so that clients access only legitimate APs and PMF (802.11w) to prevent deauthentication attacks often used in Evil Twin attacks. The MAC-layer defense strategy is to identify unauthorized APs mimicking SSID/BSSID values and secure association with the genuine AP through mutual authentication [33, 34].

De-authentication DoS Countermeasures: For de-authentication DoS attacks, the proposed defenses are PMF (802.11w) to secure de-authentication frames, management frame rate limiting to restrict abuse, and anomaly detection systems to identify suspicious de-authentication patterns. At the MAC layer, the strategy is to authenticate deauthentication and disassociation frames, prevent forced disconnects caused by spoofing, and maintain session stability [35, 36].

6.1 The proposed system description

The MAC layer of Wi-Fi is known to have prevalent vulnerabilities, and since management and control frames are not authenticated, attackers can spoof addresses and introduce malicious frames [37]. In order to improve the robustness of Wi-Fi APs to MAC-layer attacks, a combined security structure of SDN and mathematical detection models is suggested. It is a system to identify and prevent a high number of attacks, such as MAC address spoofing, flooding, KRACKs, STP manipulation, rogue APs, and deauthentication DoS attacks, based on a deterministic equation and rule-based logic, without depending on machine learning or external behavioural training.

6.2 The proposed Mathematical detection model

6.2.1 Media Access Control address spoofing detection

RSSI variations can help detect spoofing. In the proposed scheme, spoofing is identified based on sequence number consistency and RSSI deviation [9]. Let ${{S}_{i}}$ be the sequence number of the i-th frame and $RSS{{I}_{i}}$ the signal strength. Let $RSS{{I}_{ref}}$ be the normal signal pattern of legitimate devices. $Thet{{a}_{s}}$ is the sequence gap threshold to detect anomalous frame sequence patterns and $\varepsilon_r$ is the RSSI threshold to detect inconsistent signalling.

$Delta~{{S}_{i}}=abs\left( {{S}_{i}}-{{S}_{i-1}} \right)$      (1)

${{\Phi }_{spoof\left( i \right)}}=\left\{ 1,~if~Delta~{{S}_{i}}\left\langle Thet{{a}_{s}}~\text{OR}~\text{abs}\left( RSS{{I}_{i}}-RSS{{I}_{ref}} \right) \right\rangle {{\varepsilon }_{r}};~0,~\text{otherwise}\!\!~\!\!\text{ } \right\}$     (2)

6.2.2 Media Access Control address flooding detection

Flooding attacks can be detected by statistically monitoring request rates [38]. In our model, MAC flooding is detected by counting the number of authentication requests during a time window. Let ${{N}_{auth\left( t,T \right)}}$ be the number of authentication requests in the time window T, R_auth(t) be the authentication request rate, and ${{R}_{max}}$ be the maximum acceptable authentication request rate, respectively, used to separate normal and flooding attacks.

${{R}_{auth\left( t \right)}}=\frac{{{N}_{auth\left( t,T \right)}}}{T}$         (3)

${{\Phi }_{flood\left( t \right)}}=\{1,~if~{{R}_{auth\left( t \right)}}>{{R}_{max}};~0,~otherwise\}$        (4)

6.2.3 Key Reinstallation Attacks detection

KRACK attacks involve nonce reuse in the WPA2 4-way handshake [8]. KRACK is detected in the proposed model by detecting unusual repetition of handshake messages and nonce reuse in addition to normal retransmissions. Let $Nonc{{e}_{i}}$ be the nonce value of the i-th handshake message and Msg3_i be the third message in the 4-way handshake. Let $Delta~{{t}_{i}}$ be the time difference between consecutive handshake events, and $ta{{u}_{r}}$ the time threshold to distinguish between malicious retransmissions and normal retransmissions.

${{\Phi }_{krack\left( i \right)}}=\{1,~if~(Nonc{{e}_{i}}=Nonc{{e}_{i+1}}~\text{AND}~(Msg{{3}_{i}}=Msg{{3}_{i+1~}}\text{AND}~(Delta~{{t}_{i}}>ta{{u}_{r}});~0,~otherwise\}$       (5)

To prevent false positives, the KRACK detector does not use only the reuse of nonces, as repeated handshakes may also occur for normal retransmissions in poor wireless channel conditions. So, the model uses the combination of nonce reuse, repeated observation of Message 3, and the time criterion (Delta ${{t}_{i}}$ > $ta{{u}_{r}}$). This lowers the likelihood of false positives for normal retransmissions. However, false positives may still occur in highly congested channels or under severe packet loss, where repeated handshake messages appear abnormal. False negatives may occur in the case of an adversary imitating normal retransmission or in the case of observing partial traces of the handshake at the access point.

6.2.4 Spanning Tree Protocol manipulation detection

The details of STP operation have been well studied under network topology changes [39]. Under the proposed model, STP attacks are detected based on the presence of non-trusted Bridge Protocol Data Unit (BPDU) messages from devices trying to change the network topology. Let $BPD{{U}_{i}}$ be an indicator of the presence of a BPDU frame in the i-th event, and $MA{{C}_{src\left( i \right)}}$ be the source MAC address of the frame. Let T be the set of trusted MAC addresses of switches or access points.

${{\Phi }_{stp\left( i \right)}}=\left\{ 1,~if~BPD{{U}_{i}}=1~\text{AND}~MA{{C}_{src\left( i \right)}}\notin T;~0,~otherwise \right\}$            (6)

6.2.5 Evil Twin Rogue access point detection

Network identity and signal anomalies can be used to detect rogue access points [40]. In the proposed model, an Evil Twin is detected by a change in the BSSID with the same SSID, and an unusual RSSI variance. Let SSID_i be the SSID in the i-th frame, let $BSSI{{D}_{i}}$ be the BSSID transmitting the frame, and let $RSS{{I}_{i}}$ be the received signal strength indicator (RSSI). Let SSID_legit and BSSID_legit be the legitimate access point ID and BSSID, and let RSSI_ref be the reference signal profile.

${{\Phi }_{evil\left( i \right)}}=\left\{ 1,~if~\left( SSI{{D}_{i}}=SSI{{D}_{legit}} \right)\text{ }\!\!~\!\!\text{ AND}~\left( BSSI{{D}_{i}}\ne BSSI{{D}_{legit}} \right)~AND~abs\left( RSS{{I}_{i}}-RSS{{I}_{ref}} \right)>{{\varepsilon }_{e}};~0,~otherwise \right\}$          (7)

6.2.6 Deauthentication denial-of-service attacks detection

Counting features can be used to detect deauthentication DoS [28]. In the considered model, deauthentication DoS is detected by observing the rate of bursts of deauthentication frames during a moving time window. Let ${{N}_{deauth\left( t,T \right)}}~$be the number of deauthentication frames in time window T, D(t) be the deauthentication frame rate, and ${{D}_{max}}$maximum acceptable deauthentication rate threshold.

$D\left( t \right)=\frac{{{N}_{deauth\left( t,T \right)}}}{T}$           (8)

${{\Phi }_{deauth\left( t \right)}}=\{1,~if~D\left( t \right)>~{{D}_{max}};~0,~otherwise\}$          (9)

6.3 Key system architecture

The system operates on a centralized SDN controller that manages multiple Wi-Fi APs in a programmable network environment. As shown in Figure 5, the architecture consists of the key components.

​

Figure 5. The system architecture

AP Monitoring Agents: Each AP is equipped with a lightweight agent that captures 802.11 management (authentication, association, beacon, deauthentication, EAPOL frames) and control frames (ACK, RTS, and CTS) in real-time [41-43]. Feature Extraction Module: Extracts relevant MAC-layer attributes such as source/destination MAC addresses, sequence numbers, signal strength (RSSI), frame type/subtype, Timestamp, and BPDUs. These features are forwarded to the SDN controller for analysis. Mathematical Detection Engine: Implements attack-specific rule sets derived from formal models to detect anomalous behavior or protocol violations. This module evaluates real-time traffic against specific mathematical rules [44-46]. SDN Response Engine (central brain): When an attack is detected, this module issues immediate control instructions to the data plane. Mitigation includes blocking specific MAC addresses, isolating rogue APs, reconfiguring access policies, and initiating session re-keying or suppression of malicious frames.

In the proposed system, AP's data plane focuses on forwarding and monitoring traffic, while the controller’s control plane makes security decisions. The data flow will be from the wireless frames to the AP agent that is responsible for feature extraction, an SDN controller will use detection logic, and then the mitigation commands will make network enforcement. This enables a closed-loop security mechanism for continuous monitoring, centralized analysis, and rapid mitigation.

6.4 Unified mathematical model for Media Access Control-layer attack detection

Let $F=\left\{f_1, f_2, \ldots, f_N\right\}$ is a set of 802.11 frames observed at the AP, and each frame contains:

${{f}_{i}}=\{MA{{C}_{src\left( i \right)}},~MA{{C}_{des\left( i \right)}},~type\left( i \right),~subtype\left( i \right),$

$RSS{{I}_{i}},~{{S}_{i}},~Nonc{{e}_{i}},~Timestam{{p}_{i}}\}$

Six binary detection functions can be defined, one for each attack type: $\Phi_{\text {spoof }(i)}, \Phi_{\text {flood }(t)}, \Phi_{\text {krack }(i)}, \Phi_{\text {stp }(i)}, \Phi_{\text {evil }(i)}, \Phi_{\text {deauth }(t)}$.

The Unified Detection Function is defined as:

${{\Phi }_{total\left( i,t \right)}}={{\Phi }_{spoof\left( i \right)}}\vee {{\Phi }_{flood\left( t \right)}}\vee {{\Phi }_{krack\left( i \right)}}\vee {{\Phi }_{stp\left( i \right)}}\vee {{\Phi }_{evil\left( i \right)}}\vee {{\Phi }_{deauth\left( t \right)}}$          (10)

The Decision Function is defined as:

$\begin{gathered}D(i, t)=1, \text { if } \Phi_{\text {total }(i, t)}=1 \\ 0, \text { otherwise }\end{gathered}$     (11)

The multi-attack set is defined as:

$A\left( i,t \right)=\text{ }\!\!\{\!\!\text{ }k\in \left\{ spoof,~flood,~krack,~stp,~evil,~deauth \right\}\text{ }\!\!|\!\!\text{ }{{\Phi }_{k}}=1\}$         (12)

The attack classification is defined as:

$\left| A\left( i,t \right) \right|=1\Rightarrow Single~Attack$           (13)

$\left| A\left( i,t \right) \right|>1\Rightarrow Multi-Attack~Condition$          (14)

Finally, the SDN Response Function form will be:

$R\left( i,t \right)=Policy\left( A\left( i,t \right) \right)$          (15)

Each detection function $\Phi_k$ returns a binary value, where ${{\Phi }_{k}}$=1 indicates detection of the corresponding attack and ${{\Phi }_{k}}$=0 indicates normal behavior.

Table 1. Access point (AP)/ Wi-Fi Attacks and security countermeasures

The aggregate detection function is the logical OR function of all attack detection functions. The attack is detected if any of the detection functions are activated. The set A(i,t) denotes the attacks, which can be used to detect a single or multiple attack conditions. The unified detection function also offers a consistent and reproducible decision-making process, in which multiple attack conditions can be detected and simultaneously mapped to SDN attack mitigation actions via the policy at the controller. The six attack-specific detection functions are defined in Table 1.

6.5 Mapping the security system to the Transmission Control Protocol/Internet Protocol model

The proposed security system mainly operates at the data link layer (L2) level, where attacks are detected through the inspection of MAC-layer features, including sequence numbers, frame types, received signal strength indicator (RSSI), and management frame behavior. The access points communicate with the SDN controller on the network layer and transport layer (L3-L4), while the core of the detection system and the decision-making for mitigation is executed on the application layer (L5). This layered integration enables low-level MAC-layer inspection combined with centralized SDN-based control and response.

6.6 Data and control flow

Normal client traffic flows from APs to the wired network (and vice versa) as usual (data plane), with minimal interruption. To reduce overhead, the AP agent solely relays or transmits metadata to the controller, like frame headers, RSSI, and counts, instead of all user traffic. Upon detecting as saults using this metadata, the SDN controller sends commands for control back to the network. As an example, the controller might instruct the switch or AP to delete packets from a MAC spoofing attack if it is discovered. While the APs carry out light-duty monitoring and enforcement, this out-of-band control flow guarantees that complex decision-making happens centrally. Such a method ensures the efficiency of the data plane while dynamically reconfiguring the network in response to threats through using SDN's flexible control plane.

6.7 Software-Defined Networking Implementation Mechanism via OpenFlow

The proposed architecture uses SDN to enable centralized MAC-layer attack detection and mitigation [16, 47, 48]. Wireless access points capture and extract MAC-layer features from the wireless network traffic, and send the extracted features to the SDN controller [49-51]. The controller utilises the proposed mathematical detection model to detect anomalies. When an attack is detected, the controller dynamically program rules via OpenFlow to enforce mitigation actions such as banning malicious MAC addresses [52-55], restricting authentication attempts or preventing deauthentication floods. This allows real-time detection and control actions while ensuring seamless operation of the Wi-Fi network [56-58]. Table 2 shows the monitored features, detection rules, and SDN actions for different types of attacks.

Table 2. Attack features and detection conditions

6.8 Experimental setup

To test the proposed SDN-based approach for detecting attacks at the MAC layer, we created a simulation environment that models the behavior of an IEEE 802.11 wireless network under normal and attack scenarios. This environment comprises an AP, several clients, and a logically centralized control system for monitoring and decision making, as per SDN principles. It extracts MAC-layer attributes from the traffic and dynamically applies the proposed mathematical detection functions.

Data collection for traffic generation was programmed using Python scripts, where each traffic record is an abstracted Wi-Fi frame with the following attributes: MAC_src, MAC_des, frame type/subtype, $RSS{{I}_{i}}$, sequence number (${{S}_{i}}$), nonce values ($Nonc{{e}_{i}}$), and timestamp ($Timestam{{p}_{i}}$). We generated 1000 traffic records, including normal and attack traffic. Legitimate traffic was generated through typical communication scenarios including authentication, association and data transfer. Attacks were introduced by manipulating the following MAC-layer attributes based on attack types:

• MAC spoofing: emulated using MAC address changes and abnormal sequence number gaps and RSSI variations
• MAC flooding: emulated by raising authentication request rates
• KRACK: emulated through nonce reuse combined with abnormal retransmission timing
• STP manipulation: simulated by introducing unauthorized BPDU frames from non-trusted nodes
• Evil Twin: generated by duplicating SSID with mismatched BSSID and abnormal RSSI behavior
• Deauthentication DoS: generated by sending a series of deauthentication frames within a short time window

Our detection thresholds were set as:

${{\theta }_{s}}$ = 5 (sequence gap threshold)

${{\varepsilon }_{r}}$ = 10 dB (RSSI threshold for spoofing)

${{\text{R}}_{\text{max}}}$ = 30 requests/sec (authentication rate threshold)

${{\tau }_{r}}$ = 100 ms (KRACK retransmission threshold)

${{\varepsilon }_{e}}$ = 10 dB (Evil Twin RSSI threshold)

${{D}_{\text{max}}}$ = 10 frames/sec (deauthentication threshold)

The simulation data set includes around 80% legitimate traffic and 20% attacks, with equal representation for all six attack types. The simulation environment was set up on an Ubuntu system and the SDN network was simulated using Mininet. The SDN controller, traffic generation, feature extraction and detection were integrated into this environment using Python scripts to provide a controlled environment for detection implementation and mitigation. The generated data set was also preserved and used for the performance analysis of the detection mechanism. This setup enables controlled, reproducible and repeatable testing with realistic statistical characteristics of Wi-Fi traffic and attack events.

The results establish the proposed model as a communication-aware protection framework for Wi-Fi access points. Its main strengths are the use of interpretable PHY/MAC observables, deterministic detection rules that map directly to known attack behaviors, and centralized SDN mitigation that restores communication stability with limited signaling overhead. The most important finding is that the framework improves both security visibility and communication quality: after mitigation, delay is reduced, throughput is recovered, and session continuity becomes more stable. This makes the model valuable not only as an intrusion-detection approach, but also as a practical method for preserving WLAN performance under MAC-layer attack conditions.