🔬 Technology Deep Dive

Why Our WiFi Analysis Goes Deeper

Most PCAP analyzers just count packets. We built custom detection engines that understand WiFi threats at a protocol level.

Our Detection Philosophy

Math-Driven Detection

Statistical analysis with confidence scoring, not simple thresholds

Evidence-Based Alerts

Every finding includes specific proof, not vague warnings

Environment-Aware

Thresholds adapt to network conditions automatically

The Result: Fewer false positives. Higher accuracy. Faster decisions.

🚨 Rogue Access Point Detection

13 Specialized Threat Signatures

Each detection method uses custom algorithms analyzing timing patterns, signal behaviors, and packet sequences. Every finding includes:

0-100% Confidence Score
4 Severity Levels
13 Detection Methods
Example Evidence: "SSID overlap with 8 dB signal difference on different channels" or "MAC vendor switched from Cisco to Generic in 0.3 seconds"

The Complete Detection Suite:

1. Unauthorized AP Detection

How it works: Vendor database lookup + signal fingerprinting

Confidence: 90%+ when there is no whitelist match

Why different: Automatic vendor verification

2. Evil Twin Detection

How it works: SSID collision + signal overlap + beacon rate comparison

Evidence: "8 dB signal difference with encryption mismatch"

Why different: Groups duplicates to prevent spam

3. MAC Spoofing Detection

How it works: Vendor history tracking + sequence gap analysis

Confidence: 96% when vendor switches detected

Why different: Monitors vendor transitions over time

4. KARMA Attack Detection

How it works: Reverse-indexed probe-response matching (O(N) complexity)

Threshold: 5+ fake SSID responses in 60 seconds

Why different: Optimized for noisy environments

5. Beacon Flood Detection

How it works: Dynamic threshold based on environment (office: 100/s, urban: 200/s)

Adaptation: 2x multiplier in crowded spaces

Why different: Environment-aware to reduce false alerts

6. Deauthentication Attack

How it works: Deauth frame rate (20+/sec) + client correlation

Why different: Confirms by verifying actual disconnections

7-13. Additional Signatures

Weak Security, Rogue DHCP, Open Honeypot, Clone AP, Signal Anomaly (σ > 15%), Timing Attack, Channel Drift (3+ changes/5 min)
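As an added illustration of the evil twin heuristic described in item 2 (SSID collision + signal overlap + encryption mismatch, grouped per SSID so duplicates do not spam the report), here is example code written for this page; it is not NoorSentinel's code, the confidence weights are assumptions, and the beacon records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Beacon:
    bssid: str
    ssid: str
    rssi_dbm: int          # mean signal strength observed for this BSSID
    encryption: str        # "WPA2", "WPA3", "OPEN", ...
    beacon_rate_hz: float  # beacons per second seen from this BSSID


def evil_twin_findings(beacons, min_gap_db=6):
    """One finding per colliding SSID, so duplicate APs never spam the report.
    Confidence starts at 0.50 for a bare SSID collision and grows with each
    supporting signal; the weights are assumptions made for this example."""
    by_ssid = defaultdict(dict)                 # ssid -> {bssid: Beacon}
    for b in beacons:
        if b.ssid:                              # hidden SSIDs are out of scope here
            by_ssid[b.ssid][b.bssid] = b
    findings = []
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue                            # one BSSID is not a collision
        rssi = [a.rssi_dbm for a in aps.values()]
        gap = max(rssi) - min(rssi)
        confidence = 0.50
        evidence = [f"{len(aps)} BSSIDs advertise SSID {ssid!r}"]
        if gap >= min_gap_db:
            confidence += 0.20
            evidence.append(f"{gap} dB signal difference")
        if len({a.encryption for a in aps.values()}) > 1:
            confidence += 0.25
            evidence.append("encryption mismatch")
        rates = [a.beacon_rate_hz for a in aps.values()]
        if max(rates) > 1.5 * min(rates):
            confidence += 0.05
            evidence.append("beacon rate divergence")
        findings.append({"ssid": ssid, "bssids": sorted(aps),
                         "confidence": round(min(confidence, 1.0), 2),
                         "evidence": "; ".join(evidence)})
    return findings


SAMPLE_BEACONS = [  # constructed: CorpNet is served by a real AP and a twin
    Beacon("aa:bb:cc:00:00:01", "CorpNet", -45, "WPA2", 10.0),
    Beacon("de:ad:be:ef:00:01", "CorpNet", -53, "OPEN", 10.0),
    Beacon("aa:bb:cc:00:00:02", "Guest", -60, "WPA2", 10.0),
]
```

Running `evil_twin_findings(SAMPLE_BEACONS)` yields a single CorpNet finding whose evidence string reads like the examples quoted above, while the lone Guest AP produces nothing.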

📡 Client Tracking Detection

We don't just list MAC addresses. We analyze how devices behave and how they're being tracked.

MAC Randomization

Detects fake "random" MACs via sequence jumps (>100) and timing glitches

Device Fingerprinting

Tracks devices across changes using probe patterns (>500 SSIDs)

Privacy Leaks

Flags 5+ personal SSID probes at 80%+ confidence

KARMA Vulnerable

5+ responses to unusual SSIDs in 60 seconds

Technical Advantage: O(N) processing efficiency with built-in whitelisting; no manual Wireshark filtering required.

🔎 Hidden Network Discovery

Hidden networks don't broadcast SSIDs. We find them passively by analyzing client behavior.

Probe Correlation

Links client probes to AP responses

Confidence: 70%+ with 2+ matching probes

Client-to-AP Inference

Derives SSIDs from device associations

Accuracy: 90%+ with 3+ clients connecting

Confidence Ranking

Sorts by confirmation level (High/Medium/Low)

+0.05 boost per correlated probe

Privacy-Safe: No active scanning required. We never transmit packets or probe networks: everything is passive observation.
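As an added example of the passive probe correlation and client-to-AP inference described above, the code below matches a hidden BSSID's probe responses to the SSIDs clients asked for, then ranks confidence using the figures quoted on this page. It is example code for this page, not NoorSentinel's; the 0.50 score for a single probe is an assumption, and all frames are constructed.

```python
from collections import defaultdict


def infer_hidden_ssids(hidden_bssids, probe_requests, probe_responses, associations):
    """Passively infer the SSID behind each hidden BSSID.
    hidden_bssids:   BSSIDs whose beacons carry an empty SSID
    probe_requests:  (client_mac, ssid) pairs seen in the capture
    probe_responses: (bssid, client_mac, ssid) pairs seen in the capture
    associations:    (client_mac, bssid) pairs seen in the capture
    Scoring follows the figures quoted above: 0.70 at two correlated probes,
    +0.05 per further probe, and 0.90 once three or more clients that probed
    the SSID also associate. The 0.50 score for a single probe is an assumption."""
    asked = defaultdict(set)                           # ssid -> clients
    for client, ssid in probe_requests:
        if ssid:                                       # skip wildcard probes
            asked[ssid].add(client)
    probes = defaultdict(lambda: defaultdict(int))     # bssid -> ssid -> n
    for bssid, client, ssid in probe_responses:
        if bssid in hidden_bssids and client in asked.get(ssid, ()):
            probes[bssid][ssid] += 1                   # response answers a probe
    joined = defaultdict(set)                          # bssid -> clients
    for client, bssid in associations:
        joined[bssid].add(client)
    results = {}
    for bssid, per_ssid in probes.items():
        ssid, n = max(per_ssid.items(), key=lambda kv: kv[1])
        confidence = 0.50 if n < 2 else min(1.0, 0.70 + 0.05 * (n - 2))
        confirming = joined[bssid] & asked[ssid]       # probed it, then joined
        if len(confirming) >= 3:
            confidence = max(confidence, 0.90)
        rank = "High" if confidence >= 0.85 else "Medium" if confidence >= 0.70 else "Low"
        results[bssid] = {"ssid": ssid, "probes": n, "clients": len(confirming),
                          "confidence": round(confidence, 2), "rank": rank}
    # confidence ranking: most confirmed first
    return dict(sorted(results.items(), key=lambda kv: -kv[1]["confidence"]))


# Constructed capture: one hidden AP probed by three clients, one by a single client.
HIDDEN = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
REQUESTS = [("c1", "Lab-Hidden"), ("c2", "Lab-Hidden"), ("c3", "Lab-Hidden"),
            ("c4", "Ops-Hidden"), ("c1", "HomeWiFi")]
RESPONSES = [("aa:bb:cc:00:00:01", "c1", "Lab-Hidden"), ("aa:bb:cc:00:00:01", "c2", "Lab-Hidden"),
             ("aa:bb:cc:00:00:01", "c3", "Lab-Hidden"), ("aa:bb:cc:00:00:01", "c1", "Lab-Hidden"),
             ("aa:bb:cc:00:00:02", "c4", "Ops-Hidden")]
ASSOCS = [("c1", "aa:bb:cc:00:00:01"), ("c2", "aa:bb:cc:00:00:01"), ("c3", "aa:bb:cc:00:00:01")]


def demo():
    return infer_hidden_ssids(HIDDEN, REQUESTS, RESPONSES, ASSOCS)
```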

⚙️ Advanced Engineering Features

1. Environment-Aware Thresholds

The Problem: Fixed thresholds cause false positives in busy areas and miss threats in quiet networks.

Our Solution: Automatic classification based on device density and packet volume.

Office (low density): Base thresholds
Campus (medium): 1.5x multiplier
Public/Outdoor: 1.75x multiplier
Urban (high density): 2x multiplier

Impact: Reduces noise in crowded spaces while staying sensitive where it counts.
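As an added example of environment-aware thresholding, the code below applies the multipliers quoted above (office 1x, campus 1.5x, public 1.75x, urban 2x) to the office beacon flood baseline of 100/s and runs the check over a constructed beacon timeline. It is example code for this page, not NoorSentinel's; the device-density and packet-volume cut-offs used to classify the environment are assumptions.

```python
from collections import Counter

BASE_BEACONS_PER_SEC = 100        # office baseline quoted on the page
MULTIPLIERS = {"office": 1.0, "campus": 1.5, "public": 1.75, "urban": 2.0}


def classify_environment(distinct_devices, packets_per_sec):
    """Classify by device density and packet volume.
    The cut-offs are illustrative assumptions, not documented product values."""
    if distinct_devices < 30 and packets_per_sec < 200:
        return "office"
    if distinct_devices < 100 and packets_per_sec < 800:
        return "campus"
    if distinct_devices < 250:
        return "public"
    return "urban"


def beacon_flood_findings(beacons, distinct_devices, packets_per_sec):
    """beacons: iterable of (timestamp_sec, bssid) for every beacon frame.
    Returns one finding per second whose beacon rate exceeds the threshold
    adapted to the classified environment."""
    env = classify_environment(distinct_devices, packets_per_sec)
    threshold = BASE_BEACONS_PER_SEC * MULTIPLIERS[env]
    per_second = Counter(int(ts) for ts, _ in beacons)
    findings = []
    for second in sorted(per_second):
        rate = per_second[second]
        if rate <= threshold:
            continue
        # confidence grows with how far the rate overshoots the threshold
        confidence = min(1.0, 0.60 + 0.40 * (rate - threshold) / threshold)
        findings.append({"second": second, "rate": rate, "environment": env,
                         "threshold": threshold, "confidence": round(confidence, 2),
                         "evidence": f"{rate} beacons/s vs {threshold:.0f}/s "
                                     f"threshold ({env} profile)"})
    return findings


def constructed_capture(beacons_per_sec=120, seconds=3):
    """Constructed beacon timeline: a steady rate from rotating fake BSSIDs."""
    return [(t + i / beacons_per_sec, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
            for t in range(seconds) for i in range(beacons_per_sec)]


if __name__ == "__main__":
    # The same 120 beacons/s is a flood in an office and background noise in a city.
    print(beacon_flood_findings(constructed_capture(), 12, 50))
    print(beacon_flood_findings(constructed_capture(), 400, 5000))
```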

2. Robust Malformed Packet Handling

Real-world PCAP files contain errors. We handle them gracefully.

  • ✓ Malformed rate >90% → "File likely corrupt" warning
  • ✓ Individual frames skipped without crash
  • ✓ Memory failures tracked and reported
  • ✓ Partial results delivered when possible

Impact: Tools like tcpdump produce imperfect captures; we keep going instead of failing silently.

3. Thread-Safe & Memory-Efficient

16 MB Max Memory Pool
1K-2K Sample History
1 GB+ File Support

Impact: Reliable processing in constrained serverless environments without crashes.

4. Whitelist Integration

Unified filtering (JSON/TXT) across all detection engines.

Impact: Your office APs won't be flagged as rogue. Drastically cuts false positives.

5. Evidence-Based Findings

✓ "7 probe matches from 3 different clients"
✓ "RSSI variance 18.2% across 247 samples"
✓ "5 KARMA responses in 45 seconds"
✓ "MAC vendor switched from Cisco to Generic in 0.3s"
✓ "Channel changed 6 times in 4 minutes"

Impact: Enables verification without re-analyzing captures. Critical for audits.

⚡ Optimized Performance

300 MB file: <10 s
1 GB file: <30 s
O(N) complexity
  • ✓ Algorithmic efficiency with reverse indexing
  • ✓ Minimal memory allocations
  • ✓ No network round-trips (local processing)

The NoorSentinel Difference

Feature           | Basic Tools              | NoorSentinel
------------------|--------------------------|----------------------------------
Detection Methods | Generic pattern matching | 13 specialized signatures + stats
Thresholds        | Fixed values             | Environment-aware, dynamic
Error Handling    | Crash or silent failure  | Graceful + clear reporting
Evidence          | Raw packet dumps         | Specific proof with scores
Whitelist Support | Manual filtering         | Unified, automatic
Performance       | Varies, often slow       | Optimized O(N), 1 GB+ reliable
Privacy           | Often stores data        | Zero retention, instant deletion

Built for Real Threats, Not Just Scans

We didn't build a generic packet viewer.

We engineered specialized detection engines that understand WiFi threats at a protocol level, analyzing behaviors, patterns, and anomalies that basic tools ignore.

Clean, trustworthy reports in seconds, not hours of manual filtering.