A Passive Approach to Wireless NIC Identification

A Passive Approach to Wireless NIC Identification Cherita Corbett Georgia Institute of Technology IEEE ICC 2006 June 13, 2006

Presentation Outline   

Motivation & Background Objective NIC Identification using Rate Switching  

  

Opportunity for distinction Empirical Analysis

Approach to NIC Identification Experimental Evaluation Contribution & Future Work CSC · GTISC

2



  



3

802.11 Security 

WLANs are attractive targets for malicious activity   





IEEE 802.11 standard encompasses security services to maintain confidentiality, integrity, and access control for WLANs Wired Equivalent Privacy (WEP) 



Lack of physical boundaries Use of open-air medium Advertisement of existence so that clients can connect

RC4 & CRC-32

802.11i – solves the currently known security vulnerabilities of WEP  

AES, crypto MIC, & dynamic key management Requires new hardware & must be commonly applied to all systems on WLAN CSC · GTISC

4

Unauthorized Access  

Prevention only effective on systems that are owned, managed, and controlled Rogue client & AP  

 

Authorized user installs unauthorized device Attacker uses rogue system to lure victims to gather user credentials

Flawed legacy equipment – exploit design flaws of WEP Stealthy intrusions – phishing evades preventive measures

► Need for detecting unauthorized access to respond and curtail damage CSC · GTISC

5

Current Solutions 

Intrusion detection systems – monitor WLAN traffic for sequence of events that exhibit anomalous behavior or match the pattern of known attacks  



False positives, signature updates Effectiveness reduced by novel attacks & stealthy intrusions

Identification Systems 

Commercial products – WiMetrics, DeviceID 



RF Fingerprinting – Jeyanthi Hall, et al. (CIIT) 



Active approaches that probe client or rely on cooperation of user Difficult to incorporate into existing WLAN infrastructure

Remote Physical Device Fingerprinting – Yoshi Kohno, et al (IEEE TDSC) 

TCP timestamp options can be set to arbitrary value

CSC · GTISC

6

Proposed Scheme 



NIC ID based on packet frequency patterns in wireless stream to help control access to WLANs Advantages 



  

Passive – only requires the capturing of 802.11 frames Software implementation – incorporate into existing WLAN infrastructure Operates independent of higher layer protocols Operates with encrypted streams Detection is independent of attack that lead to unauthorized access CSC · GTISC

7



  



8

Objective 

Establish the identity of a wireless NIC by analyzing the temporal behavior of a wireless stream 







Implementation of 802.11 standard influences transmission patterns of wireless stream Different implementations will have different impact on time-variant properties of wireless stream Use signal processing to extract the periodic components of stream for the identity of NIC Support the detection of unauthorized systems that use NICs different from legitimate systems CSC · GTISC

9



  



10

Opportunity for Distinction 

 

Dynamically adapts transmission rate per packet to maximize throughput based on channel conditions Implementation vaguely specified Current algorithms: throughput-based, frame-error rate, autorate fallback, retry-based   



Dictates number of frames to transmit at a selected rate Dictates how often to change rates Dictates order in which rate is selected

Impacts transmission duration, frame arrival rate, throughput capacity, retransmissions, etc. CSC · GTISC

11

Opportunity for Distinction

►Implementation of rate switching function influences traffic patterns of a wireless stream CSC · GTISC

12

Empirical Analysis of Rate Switching 





Collected 13.3 hrs of wireless traffic over the course of 7 days at local hotspot Of the clients that sent > 8 frames, 92% perform rate switching Of the rate-switching clients   

90% transmitted 37+ frames 88% connected 2+ minutes 85% switched rates within 1st 3 minutes of connection

►Rate switching is common and more likely to occur the longer a client is connected CSC · GTISC

13



  



14

Spectral Analysis 

 

Useful in extracting periodic phenomena from noisy signals Shown to work well in network traffic analysis Must represent wireless traffic as signal 





Describe the frame transmission process as a discrete event x that occurs as a function of time t Choice of events: frame type, frame size, transmission rate of frame, etc Uniformly sample the signal CSC · GTISC

15

Power Spectrum Density  

Captures power of signal over a range frequencies Theoretical description  Convert signal x[n] into frequency domain N !1

X N (f) = " x N [n]e ! j 2 !fn

fs

n =0



Compute the signal power (spectral density) of the frequency data

X N (f) ˆ Pxx(f) = fs N 

2

Magnitude of power indicates the amount of regularity of the periodicity in the arrival rates of wireless frames at the corresponding frequency CSC · GTISC

16

Spectral Profile  



Systematic way to numerically compare spectral content Use subset of values from PSD to capture the trend in frequency distribution of the spectra Generate spectral profile using N frequency points that exhibit the greatest amount of power F = { f1, f2, f3,… fN }

CSC · GTISC

17

Approach in a Nutshell 

 







Exploit differences in the implementation of the rate switching mechanism Capture traffic generated during rate switching Convert traffic capture in to a time series of data frame arrivals Apply power spectrum density function to analyze periodicity embedded in traffic Generate spectral profile from most prevalent periodic components → identity of NIC Compare spectral profiles to discern between NICs CSC · GTISC

18



  



19

Rate Switching: Controlled Experiments sniffer

client

Setup  Tested 3 NICs: D-Link DWL-650, Linksys WPC11, Lucent/Orinoco Gold  Second Laptop with Linksys NIC to capture traffic using tcpdump  CBR Traffic load: 1470-byte packet every 5ms = 2.4Mbps  Noise source: microwave for a 60 second interval CSC · GTISC

20

Invoking Rate Switching

CSC · GTISC

21

Controlled Rate Switching: Spectral Analysis 



Partitioned analysis into 3 60-second parts: interval before noise, interval with noise, interval after noise Configuration of PSD function   

sampling interval: 0.002 seconds nfft: next power of 2 greater than length of signal segment size: length of signal

CSC · GTISC

22

No Rate Switching vs. Rate Switching 54%

56%

54%

CSC · GTISC

23

Controlled Rate Switching: Summary 



NICs behaved the same when no rate switching during data transmission – discrete peaks at 100Hz and 200Hz Distinctive PSD during rate switching   

DLink: 54% 40-60 Hz → 17ms to 25ms Linksys: 56% 80-130 Hz → 7.7ms to 12.5ms Lucent: 54% 0-10 Hz → 100ms

►Rate switching does affect the periodicity of wireless streams and cards with different algorithms cause different spectral characteristics CSC · GTISC

24



  



25

Contribution & Future Work 

Identified NICs manufactured by different vendors based on periodic patterns imposed by rate switching algorithm   

 

Independent of attack tool Does not rely on detection of alarming behavior Allows detection of authorized users with unauthorized devices

Test approach in real-world experiments Test sensitivity of spectral profile to different host compositions (i.e., CPU, OS, etc) CSC · GTISC

26

Questions ???

CSC · GTISC

27