IEEE 802.11 Beacon Frame Dataset for Rogue Access Point Detection in Urban Environments

The core hypothesis is that IEEE 802.11 beacon frames carry sufficient metadata to passively distinguish rogue access points from legitimate ones without requiring active probe injection, network association, or elevated privileges. Specifically, rogue APs (particularly evil twin attacks, where an adversary mimics a legitimate AP to intercept traffic) leave detectable fingerprints in frame-level fields such as BSSID locally administered bits, anomalously low TSF/sequence numbers, encryption mismatches, and unusual channel assignments. The goal is to validate these heuristics on real-world urban data and enable reproducible ML model training. The dataset consists of approximately 29,990 raw beacon frame records captured across four field sessions in Chennai, Tamil Nadu, India (approx. 13.0827° N, 80.2707° E). Data was collected by mounting a custom ESP32-based scanner on a bicycle or car dashboard and commuting through residential communities and urban roads. The processed file rogue_processed.csv extends this to 67,776 total rows by augmenting with 37,786 synthetic rogue samples generated via the included rogue_ap_generator module. Each raw record has 25 fields spanning physical layer, security, and vendor attributes. Key columns include: Timestamp_ms — milliseconds since device boot SSID / BSSID — network name and MAC address of the AP RSSI — received signal strength in dBm Channel / DSChannel — operating and DS parameter set channel BeaconInterval — AP's broadcast interval in Time Units (TU) SequenceNumber — 802.11 frame counter (low values are a rogue indicator) Encryption — WPA2 / WPA / WEP / Open OUI / VendorName — manufacturer info from BSSID prefix IsHidden, Privacy, HasHT, HTChannelWidth, HTStreams capability flags The processed file rogue_processed.csv adds 11 engineered features: is_rogue — binary ground-truth label (1 = rogue, 0 = legitimate) _rogue_type — category string (e.g., evil_twin_last_octet, legitimate) BSSID_LocalAdmin — locally administered MAC address flag (key rogue indicator) LowSeqNumber, LowTSF — anomaly flags for unusually low counter values UnusualChannel — flag for non-standard channel operation Is_WEP, Is_Open — encryption downgrade flags Timestamp_Ratio — BeaconTimestamp / Timestamp_ms ratio as an anomaly indicator