WiMapper: A Lightweight Kernel-Based Framework for Rogue Access Point Detection on Edge Devices

Abstract

Abstract—Public wireless networks have evolved from convenient services into critical urban infrastructure, yet they remain fundamentally susceptible to identity-based exploits. The Evil Twin attack persists as a significant threat because client devices implicitly trust broadcast identifiers before a secure encryption channel is established. Existing defense mechanisms typically rely on either cost-prohibitive Wireless Intrusion Prevention Systems (WIPS), which necessitate centralized wired infrastructure, or computationally intensive deep learning models that exceed the resource capabilities of edge sensors. This paper presents WiMapper, a detection framework engineered specifically for Resource-Constrained Edge Devices (RCEDs). The architecture employs a two-stage hybrid approach: Track A utilizes a deterministic whitelist for immediate threat filtering, while Track B deploys a One-Class Support Vector Machine (OC-SVM) with a Radial Basis Function (RBF) kernel to assess signal integrity. By analyzing higher-order statistical features, specifically Kurtosis and Skewness, the model identifies non-Gaussian anomalies characteristic of signal spoofing. Extensive simulations using the HCXY dataset and subsequent field validation demonstrated that WiMapper achieves a Pareto-optimal balance between efficiency and accuracy. The framework attained a mean F1-Score of 0.740 with an algorithmic inference latency of 0.15 ms and a memory footprint of 188.5 KB. These metrics confirm that the kernel-based approach offers a superior trade-off between sensitivity and computational cost compared to Isolation Forest and Autoencoder baselines, positioning it as a highly efficient solution for dense, low-power security sensor networks.