A Passive Approach to Wireless NIC Identification Cherita Corbett Georgia Institute of Technology IEEE ICC 2006 June 13, 2006
Presentation Outline
- Motivation & Background
- Objective
- NIC Identification using Rate Switching
  - Opportunity for distinction
  - Empirical Analysis
  - Approach to NIC Identification
- Experimental Evaluation
- Contribution & Future Work
CSC GTISC 2
802.11 Security
- WLANs are attractive targets for malicious activity
  - Lack of physical boundaries
  - Use of an open-air medium
  - Advertisement of their existence so that clients can connect
- The IEEE 802.11 standard encompasses security services to maintain confidentiality, integrity, and access control for WLANs
  - Wired Equivalent Privacy (WEP): RC4 & CRC-32
- 802.11i solves the currently known security vulnerabilities of WEP
  - AES, cryptographic MIC, & dynamic key management
  - Requires new hardware & must be applied uniformly to all systems on the WLAN
Unauthorized Access
- Prevention is only effective on systems that are owned, managed, and controlled
- Rogue client & AP
  - Authorized user installs an unauthorized device
  - Attacker uses a rogue system to lure victims and gather user credentials
- Flawed legacy equipment: exploits of the design flaws of WEP
- Stealthy intrusions: phishing evades preventive measures
- Need for detecting unauthorized access in order to respond and curtail damage
Current Solutions
- Intrusion detection systems: monitor WLAN traffic for a sequence of events that exhibits anomalous behavior or matches the pattern of a known attack
  - False positives, signature updates
  - Effectiveness reduced by novel attacks & stealthy intrusions
- Identification systems
  - Commercial products (WiMetrics, DeviceID): active approaches that probe the client or rely on the cooperation of the user
  - RF fingerprinting (Jeyanthi Hall, et al., CIIT): difficult to incorporate into existing WLAN infrastructure
  - Remote physical device fingerprinting (Yoshi Kohno, et al., IEEE TDSC): relies on TCP timestamp options, which can be set to arbitrary values
Proposed Scheme
- NIC identification based on packet frequency patterns in the wireless stream, to help control access to WLANs
- Advantages
  - Passive: only requires the capturing of 802.11 frames
  - Software implementation: incorporates into existing WLAN infrastructure
  - Operates independently of higher-layer protocols
  - Operates with encrypted streams
  - Detection is independent of the attack that led to the unauthorized access
Objective
- Establish the identity of a wireless NIC by analyzing the temporal behavior of its wireless stream
  - The implementation of the 802.11 standard influences the transmission patterns of the wireless stream
  - Different implementations will have a different impact on the time-variant properties of the wireless stream
- Use signal processing to extract the periodic components of the stream as the identity of the NIC
- Support the detection of unauthorized systems that use NICs different from those of legitimate systems
Opportunity for Distinction
- Rate switching dynamically adapts the transmission rate per packet to maximize throughput based on channel conditions
- Its implementation is only vaguely specified by the standard
  - Current algorithms: throughput-based, frame-error-rate based, autorate fallback, retry-based
  - Dictates the number of frames to transmit at a selected rate
  - Dictates how often to change rates
  - Dictates the order in which rates are selected
- Impacts transmission duration, frame arrival rate, throughput capacity, retransmissions, etc.
Opportunity for Distinction
- The implementation of the rate switching function influences the traffic patterns of a wireless stream (figure)
Empirical Analysis of Rate Switching
- Collected 13.3 hours of wireless traffic over the course of 7 days at a local hotspot
- Of the clients that sent more than 8 frames, 92% performed rate switching
- Of the rate-switching clients
  - 90% transmitted 37 or more frames
  - 88% were connected for 2 or more minutes
  - 85% switched rates within the first 3 minutes of the connection
- Rate switching is common and more likely to occur the longer a client stays connected
Spectral Analysis
- Useful for extracting periodic phenomena from noisy signals
- Shown to work well in network traffic analysis
- Must represent wireless traffic as a signal
  - Describe the frame transmission process as a discrete event x that occurs as a function of time t
  - Choice of events: frame type, frame size, transmission rate of the frame, etc.
  - Uniformly sample the signal
Power Spectrum Density
- Captures the power of a signal over a range of frequencies
- Theoretical description
  - Convert the signal x[n] into the frequency domain:
    $X_N(f) = \sum_{n=0}^{N-1} x_N[n] \, e^{-j 2\pi f n / f_s}$
  - Compute the signal power (spectral density) of the frequency data:
    $\hat{P}_{xx}(f) = \frac{|X_N(f)|^2}{f_s N}$
- The magnitude of the power indicates the amount of regularity of the periodicity in the arrival rates of wireless frames at the corresponding frequency
Spectral Profile
- A systematic way to numerically compare spectral content
- Use a subset of values from the PSD to capture the trend in the frequency distribution of the spectra
- Generate the spectral profile using the N frequency points that exhibit the greatest amount of power:
  $F = \{ f_1, f_2, f_3, \ldots, f_N \}$
Approach in a Nutshell
- Exploit differences in the implementation of the rate switching mechanism
- Capture traffic generated during rate switching
- Convert the traffic capture into a time series of data frame arrivals
- Apply the power spectrum density function to analyze the periodicity embedded in the traffic
- Generate a spectral profile from the most prevalent periodic components: the identity of the NIC
- Compare spectral profiles to discern between NICs
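The pipeline of the preceding slides (uniform sampling of frame arrivals, periodogram PSD with nfft equal to the next power of two, spectral profile of the strongest peaks, profile comparison), as an added Python example that is not part of the original presentation or its authors' code. The frame arrival traces are constructed, not captured data: NIC A sends one frame every 5 ms (the CBR load the slides use) and NIC B is a hypothetical card whose rate-switching logic stalls for 50 ms out of every 100 ms. The peak-picking rule (local maxima at least 5 Hz apart), the mean removal before the DFT, and the tolerance-based similarity score are assumptions made here; the slides do not fix them.

```python
"""Spectral profile of 802.11 frame arrivals (illustrative reimplementation).

arrival times -> uniformly sampled event signal x[n] -> periodogram
P(f) = |X_N(f)|^2 / (f_s N) -> profile F = {f_1 .. f_N} of the strongest
peaks -> profile comparison. Pure Python; small radix-2 FFT, no numpy.
"""
import cmath
import math


def to_event_signal(arrivals_us, fs, duration_s):
    """x[n] = number of frames arriving in the n-th interval of length 1/fs.
    Arrivals are integer microseconds (tcpdump resolution), so binning is exact."""
    n_samples = int(round(duration_s * fs))
    interval_us = 1_000_000 // fs          # fs = 500 Hz -> 2000 us (slides: 0.002 s)
    x = [0.0] * n_samples
    for t in arrivals_us:
        n = t // interval_us
        if 0 <= n < n_samples:
            x[n] += 1.0
    return x


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return [even[k] + tw[k] for k in range(n // 2)] + [even[k] - tw[k] for k in range(n // 2)]


def periodogram(x, fs):
    """Single-segment periodogram, nfft = next power of two >= len(x) (the
    slides' configuration). Returns (freqs, power) for 0 .. fs/2. The mean is
    removed first (an addition here) so the DC term does not leak into low bins."""
    n = len(x)
    nfft = 1 << (n - 1).bit_length()
    mean = sum(x) / n
    spectrum = fft([complex(v - mean) for v in x] + [0j] * (nfft - n))
    freqs = [k * fs / nfft for k in range(nfft // 2 + 1)]
    power = [abs(spectrum[k]) ** 2 / (fs * n) for k in range(nfft // 2 + 1)]
    return freqs, power


def spectral_profile(freqs, power, n_points=2, min_sep_hz=5.0):
    """The n_points strongest spectral peaks (local maxima), kept at least
    min_sep_hz apart so leakage sidelobes of one line do not fill the profile.
    Returned in descending order of power."""
    peaks = [k for k in range(1, len(power) - 1) if power[k - 1] < power[k] >= power[k + 1]]
    peaks.sort(key=lambda k: power[k], reverse=True)
    profile = []
    for k in peaks:
        if all(abs(freqs[k] - f) >= min_sep_hz for f in profile):
            profile.append(freqs[k])
        if len(profile) == n_points:
            break
    return profile


def profile_similarity(p1, p2, tol_hz=2.0):
    """Fraction of p1's peaks that have a peak of p2 within tol_hz
    (assumed metric; the slides do not specify how profiles are compared)."""
    return sum(1 for f in p1 if any(abs(f - g) <= tol_hz for g in p2)) / len(p1)


def nic_profile(arrivals_us, duration_s, fs=500, n_points=2):
    freqs, power = periodogram(to_event_signal(arrivals_us, fs, duration_s), fs)
    return spectral_profile(freqs, power, n_points)


# --- constructed traces (not measured data) ---------------------------------
def cbr_arrivals(period_us, duration_s, offset_us=0):
    """Steady sender: one frame every period_us, no rate switching."""
    return list(range(offset_us, int(duration_s * 1_000_000), period_us))


def gated_arrivals(period_us, on_us, cycle_us, duration_s):
    """Hypothetical rate-switching card: frames every period_us for on_us,
    then silence until cycle_us has elapsed."""
    return [t for t in range(0, int(duration_s * 1_000_000), period_us) if t % cycle_us < on_us]


NIC_A = cbr_arrivals(5000, 4.0)                        # one frame every 5 ms
NIC_A_AGAIN = cbr_arrivals(5000, 3.0, offset_us=1300)  # same card, other capture start/length
NIC_B = gated_arrivals(5000, 50_000, 100_000, 4.0)     # 50 ms bursts per 100 ms -> 10 Hz line

if __name__ == "__main__":
    for name, arr, dur in (("A", NIC_A, 4.0), ("A again", NIC_A_AGAIN, 3.0), ("B", NIC_B, 4.0)):
        print(name, [round(f, 1) for f in nic_profile(arr, dur)])
    print("sim(A, A again) =", profile_similarity(nic_profile(NIC_A, 4.0), nic_profile(NIC_A_AGAIN, 3.0)))
    print("sim(A, B)       =", profile_similarity(nic_profile(NIC_A, 4.0), nic_profile(NIC_B, 4.0)))
```

Both captures of NIC A give the profile {200 Hz, 100 Hz} (the 5 ms spacing is 200 Hz; 100 Hz appears because a 5 ms train sampled at 2 ms has a 10 ms pattern), regardless of capture start or length, while NIC B's stall pattern puts a 10 Hz line in second place, so the similarity score separates the two cards. Note that the sampling interval caps what can be resolved: at 0.002 s nothing above 250 Hz is visible, so the interval has to be chosen with the expected rate-switching periods in mind.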
Rate Switching: Controlled Experiments
- Setup (figure: sniffer and client laptops)
  - Tested 3 NICs: D-Link DWL-650, Linksys WPC11, Lucent/Orinoco Gold
  - Second laptop with a Linksys NIC to capture traffic using tcpdump
  - CBR traffic load: one 1470-byte packet every 5 ms (about 2.4 Mbps)
  - Noise source: a microwave oven run for a 60-second interval
Invoking Rate Switching (figure)
Controlled Rate Switching: Spectral Analysis
- Partitioned the analysis into three 60-second parts: the interval before the noise, the interval with noise, and the interval after the noise
- Configuration of the PSD function
  - Sampling interval: 0.002 seconds (f_s = 500 Hz)
  - nfft: next power of 2 greater than the length of the signal
  - Segment size: length of the signal
No Rate Switching vs. Rate Switching (figure: PSD plots for the three NICs; panel labels 54%, 56%, 54%)
Controlled Rate Switching: Summary
- The NICs behaved the same when no rate switching occurred during data transmission: discrete peaks at 100 Hz and 200 Hz (the 5 ms CBR interval corresponds to 200 Hz)
- Distinctive PSD during rate switching
  - D-Link (54%): 40-60 Hz, i.e. a period of 17 ms to 25 ms
  - Linksys (56%): 80-130 Hz, i.e. a period of 7.7 ms to 12.5 ms
  - Lucent (54%): 0-10 Hz, i.e. a period of 100 ms or longer
- Rate switching does affect the periodicity of wireless streams, and cards with different algorithms produce different spectral characteristics
Contribution & Future Work
- Identified NICs manufactured by different vendors based on the periodic patterns imposed by their rate switching algorithms
  - Independent of the attack tool
  - Does not rely on the detection of alarming behavior
  - Allows detection of authorized users with unauthorized devices
- Future work
  - Test the approach in real-world experiments
  - Test the sensitivity of the spectral profile to different host compositions (i.e., CPU, OS, etc.)
Questions???