A Passive Approach to Wireless NIC Identification


Title slide: A Passive Approach to Wireless NIC Identification. Cherita Corbett, Georgia Institute of Technology. IEEE ICC 2006, June 13, 2006.

Presentation Outline
- Motivation & Background
- Objective
- NIC Identification using Rate Switching
  - Opportunity for distinction
  - Empirical Analysis
- Approach to NIC Identification
- Experimental Evaluation
- Contribution & Future Work
(Slide footer: CSC GTISC)


802.11 Security
- WLANs are attractive targets for malicious activity: lack of physical boundaries, use of an open-air medium, and advertisement of their existence so that clients can connect
- The IEEE 802.11 standard encompasses security services to maintain confidentiality, integrity, and access control for WLANs: Wired Equivalent Privacy (WEP), built on RC4 and CRC-32
- 802.11i solves the currently known security vulnerabilities of WEP with AES, a cryptographic MIC, and dynamic key management; it requires new hardware and must be commonly applied to all systems on the WLAN

Unauthorized Access
- Prevention is only effective on systems that are owned, managed, and controlled
- Rogue client and AP: an authorized user installs an unauthorized device; an attacker uses a rogue system to lure victims and gather user credentials
- Flawed legacy equipment: exploits of the design flaws of WEP
- Stealthy intrusions: phishing evades preventive measures
- Need for detecting unauthorized access in order to respond and curtail damage

Current Solutions
- Intrusion detection systems monitor WLAN traffic for sequences of events that exhibit anomalous behavior or match the pattern of known attacks; drawbacks are false positives and signature updates, and effectiveness is reduced by novel attacks and stealthy intrusions
- Identification systems: commercial products (WiMetrics, DeviceID) are active approaches that probe the client or rely on the cooperation of the user
- RF fingerprinting (Jeyanthi Hall et al., CIIT): difficult to incorporate into existing WLAN infrastructure
- Remote physical device fingerprinting (Yoshi Kohno et al., IEEE TDSC): TCP timestamp options can be set to an arbitrary value

Proposed Scheme
- NIC identification based on packet frequency patterns in the wireless stream, to help control access to WLANs
- Advantages:
  - Passive: only requires the capturing of 802.11 frames
  - Software implementation: can be incorporated into existing WLAN infrastructure
  - Operates independently of higher-layer protocols
  - Operates with encrypted streams
  - Detection is independent of the attack that led to unauthorized access


Objective
- Establish the identity of a wireless NIC by analyzing the temporal behavior of its wireless stream
- The implementation of the 802.11 standard influences the transmission patterns of a wireless stream; different implementations will have a different impact on the time-variant properties of the stream
- Use signal processing to extract the periodic components of the stream as the identity of the NIC
- Support the detection of unauthorized systems that use NICs different from those of legitimate systems


Opportunity for Distinction
- Rate switching dynamically adapts the transmission rate per packet to maximize throughput based on channel conditions
- Its implementation is only vaguely specified; current algorithms are throughput-based, frame-error-rate based, autorate fallback, and retry-based
- The algorithm dictates the number of frames to transmit at a selected rate, how often to change rates, and the order in which rates are selected
- This impacts transmission duration, frame arrival rate, throughput capacity, retransmissions, etc.

Opportunity for Distinction (figure): the implementation of the rate switching function influences the traffic patterns of a wireless stream

Empirical Analysis of Rate Switching
- Collected 13.3 hrs of wireless traffic over the course of 7 days at a local hotspot
- Of the clients that sent > 8 frames, 92% perform rate switching
- Of the rate-switching clients: 90% transmitted 37+ frames; 88% were connected 2+ minutes; 85% switched rates within the first 3 minutes of the connection
- Rate switching is common and more likely to occur the longer a client is connected


Spectral Analysis
- Useful for extracting periodic phenomena from noisy signals; shown to work well in network traffic analysis
- Must represent wireless traffic as a signal: describe the frame transmission process as a discrete event x that occurs as a function of time t
- Choice of events: frame type, frame size, transmission rate of the frame, etc.
- Uniformly sample the signal

Power Spectrum Density
- Captures the power of a signal over a range of frequencies
- Theoretical description:
  - Convert the signal x[n] into the frequency domain:
    X_N(f) = \sum_{n=0}^{N-1} x_N[n] \, e^{-j 2\pi f n / f_s}
  - Compute the signal power (spectral density) of the frequency data:
    \hat{P}_{xx}(f) = \frac{|X_N(f)|^2}{f_s N}
- The magnitude of the power indicates the amount of regularity of the periodicity in the arrival rates of wireless frames at the corresponding frequency

Spectral Profile
- A systematic way to numerically compare spectral content
- Use a subset of values from the PSD to capture the trend in the frequency distribution of the spectra
- Generate the spectral profile using the N frequency points that exhibit the greatest amount of power: F = \{ f_1, f_2, f_3, \ldots, f_N \}

Approach in a Nutshell
1. Exploit differences in the implementation of the rate switching mechanism
2. Capture traffic generated during rate switching
3. Convert the traffic capture into a time series of data frame arrivals
4. Apply the power spectrum density function to analyze the periodicity embedded in the traffic
5. Generate a spectral profile from the most prevalent periodic components: this is the identity of the NIC
6. Compare spectral profiles to discern between NICs
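The signal representation, PSD and spectral-profile steps above, worked through as an added example; this is not code from the slides or the author. It assumes the 0.002 s sampling interval from the controlled experiments, feeds in constructed idealised arrival streams instead of real captures, and the overlap rule used to compare two profiles is an assumption of this example, not the paper's comparison method.

```python
"""Added example, not from Corbett's slides: bin frame arrivals into a
uniformly sampled signal x[n], compute the periodogram P_xx(f) = |X_N(f)|^2 / (f_s N),
and build a spectral profile from the strongest bins. Pure Python, no numpy."""
import cmath
import math

FS = 500.0  # Hz: the 0.002 s sampling interval used in the controlled experiments


def arrivals_to_signal(arrival_times, duration_s, fs=FS):
    """Bin data-frame arrival timestamps (seconds) into a count series x[n]."""
    n_samples = int(round(duration_s * fs))
    x = [0.0] * n_samples
    for t in arrival_times:
        idx = int(round(t * fs))
        if 0 <= idx < n_samples:
            x[idx] += 1.0
    return x


def periodogram(x, fs=FS):
    """Return (freqs, power) for bins 0..N/2 via a direct DFT of the mean-removed signal."""
    n = len(x)
    mean = sum(x) / n
    xc = [v - mean for v in x]  # drop the DC term so 0 Hz does not swamp the rest
    tw = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]  # twiddle table
    freqs, power = [], []
    for k in range(n // 2 + 1):
        xk = sum(xc[m] * tw[(k * m) % n] for m in range(n))  # X_N(f_k)
        freqs.append(k * fs / n)
        power.append(abs(xk) ** 2 / (fs * n))  # P_xx(f_k)
    return freqs, power


def spectral_profile(freqs, power, n_points):
    """Spectral profile F = {f_1..f_N}: the n_points frequencies with the greatest power."""
    ranked = sorted(range(len(power)), key=lambda i: power[i], reverse=True)
    return sorted(freqs[i] for i in ranked[:n_points])


def profile_overlap(profile_a, profile_b, tol_hz=5.0):
    """Assumed comparison rule (not from the slides): fraction of A's points within tol_hz of a point in B."""
    hits = sum(1 for fa in profile_a if any(abs(fa - fb) <= tol_hz for fb in profile_b))
    return hits / len(profile_a)


def constructed_stream(period_s, duration_s=1.0):
    """Constructed input: an idealised stream with one data frame every period_s seconds."""
    return [i * period_s for i in range(int(round(duration_s / period_s)))]
```

A frame every 10 ms yields peaks at 100 Hz and 200 Hz only, while a 20 ms pattern spreads equal power over 50 Hz harmonics, so the two profiles separate even though both streams carry data continuously.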


Rate Switching: Controlled Experiments
- Setup (figure: sniffer and client): tested 3 NICs, the D-Link DWL-650, Linksys WPC11, and Lucent/Orinoco Gold
- A second laptop with a Linksys NIC captured the traffic using tcpdump
- CBR traffic load: a 1470-byte packet every 5 ms = 2.4 Mbps
- Noise source: a microwave oven for a 60-second interval

Invoking Rate Switching (figure)

Controlled Rate Switching: Spectral Analysis
- Partitioned the analysis into three 60-second parts: the interval before noise, the interval with noise, and the interval after noise
- Configuration of the PSD function: sampling interval 0.002 seconds; nfft: the next power of 2 greater than the length of the signal; segment size: the length of the signal

No Rate Switching vs. Rate Switching (figure; panel labels: 54%, 56%, 54%)

Controlled Rate Switching: Summary
- NICs behaved the same when no rate switching occurred during data transmission: discrete peaks at 100 Hz and 200 Hz
- Distinctive PSD during rate switching:
  - D-Link: 54%, 40-60 Hz (period 17 ms to 25 ms)
  - Linksys: 56%, 80-130 Hz (period 7.7 ms to 12.5 ms)
  - Lucent: 54%, 0-10 Hz (period 100 ms)
- Rate switching does affect the periodicity of wireless streams, and cards with different algorithms cause different spectral characteristics


Contribution & Future Work
- Identified NICs manufactured by different vendors based on the periodic patterns imposed by the rate switching algorithm
- Independent of the attack tool; does not rely on the detection of alarming behavior
- Allows detection of authorized users with unauthorized devices
- Future work: test the approach in real-world experiments; test the sensitivity of the spectral profile to different host compositions (i.e., CPU, OS, etc.)

Questions?