A Passive Approach to Wireless NIC Identification
Cherita Corbett, Georgia Institute of Technology
IEEE ICC 2006, June 13, 2006
Presentation Outline
Motivation & Background
Objective
NIC Identification using Rate Switching
  Opportunity for distinction
  Empirical Analysis
Approach to NIC Identification
Experimental Evaluation
Contribution & Future Work
CSC · GTISC
802.11 Security
WLANs are attractive targets for malicious activity
  Lack of physical boundaries
  Use of open-air medium
  Advertisement of existence so that clients can connect
IEEE 802.11 standard encompasses security services to maintain confidentiality, integrity, and access control for WLANs
  Wired Equivalent Privacy (WEP): RC4 & CRC-32
  802.11i – solves the currently known security vulnerabilities of WEP
    AES, crypto MIC, & dynamic key management
    Requires new hardware & must be commonly applied to all systems on the WLAN
Unauthorized Access
Prevention only effective on systems that are owned, managed, and controlled
  Rogue client & AP: authorized user installs unauthorized device
  Attacker uses rogue system to lure victims to gather user credentials
  Flawed legacy equipment – exploit design flaws of WEP
  Stealthy intrusions – phishing evades preventive measures
► Need for detecting unauthorized access to respond and curtail damage
Current Solutions
Intrusion detection systems – monitor WLAN traffic for a sequence of events that exhibits anomalous behavior or matches the pattern of known attacks
  False positives, signature updates
  Effectiveness reduced by novel attacks & stealthy intrusions
Identification Systems
  Commercial products – WiMetrics, DeviceID
  RF Fingerprinting – Jeyanthi Hall, et al. (CIIT)
    Active approaches that probe the client or rely on cooperation of the user
    Difficult to incorporate into existing WLAN infrastructure
  Remote Physical Device Fingerprinting – Yoshi Kohno, et al. (IEEE TDSC)
    TCP timestamp options can be set to an arbitrary value
Proposed Scheme
NIC ID based on packet frequency patterns in the wireless stream to help control access to WLANs
Advantages
  Passive – only requires the capturing of 802.11 frames
  Software implementation – incorporate into existing WLAN infrastructure
  Operates independent of higher layer protocols
  Operates with encrypted streams
  Detection is independent of the attack that leads to unauthorized access
Objective
Establish the identity of a wireless NIC by analyzing the temporal behavior of a wireless stream
  Implementation of the 802.11 standard influences the transmission patterns of a wireless stream
  Different implementations will have a different impact on the time-variant properties of the wireless stream
  Use signal processing to extract the periodic components of the stream as the identity of the NIC
  Support the detection of unauthorized systems that use NICs different from legitimate systems
Opportunity for Distinction
Rate switching dynamically adapts the transmission rate per packet to maximize throughput based on channel conditions
  Implementation vaguely specified
  Current algorithms: throughput-based, frame-error rate, autorate fallback, retry-based
The rate switching algorithm dictates
  the number of frames to transmit at a selected rate
  how often to change rates
  the order in which rates are selected
Impacts transmission duration, frame arrival rate, throughput capacity, retransmissions, etc.
► Implementation of the rate switching function influences the traffic patterns of a wireless stream
Empirical Analysis of Rate Switching
Collected 13.3 hrs of wireless traffic over the course of 7 days at a local hotspot
Of the clients that sent > 8 frames, 92% perform rate switching
Of the rate-switching clients:
  90% transmitted 37+ frames
  88% connected 2+ minutes
  85% switched rates within the 1st 3 minutes of connection
► Rate switching is common and more likely to occur the longer a client is connected
Spectral Analysis
Useful in extracting periodic phenomena from noisy signals
Shown to work well in network traffic analysis
Must represent wireless traffic as a signal
  Describe the frame transmission process as a discrete event x that occurs as a function of time t
  Choice of events: frame type, frame size, transmission rate of frame, etc.
  Uniformly sample the signal
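The event selection step above (here: data-frame arrivals per transmitting station) applied to a raw 802.11 capture, as an added example that is not the authors' code. It assumes each capture record is a (timestamp in seconds, raw 802.11 MAC frame) pair with no radiotap or prism header in front of the MAC header; the function names and the sample frames are constructed for this illustration.

```python
"""Added example: pull the events that feed the spectral analysis out of an
802.11 capture. Data frames are grouped by transmitter (address 2) so that
each station yields its own arrival-time series; beacons and ACKs are dropped
so they cannot inject their own periodicity into a client's stream."""
import struct
from collections import defaultdict

TYPE_DATA = 2        # 802.11 frame-control type field: 0 mgmt, 1 ctrl, 2 data
RETRY_FLAG = 0x08    # frame-control byte 1, bit 3: this frame is a retransmission


def parse_frame_control(frame):
    """Decode the 2-byte frame-control field at the start of the MAC header."""
    fc0, fc1 = frame[0], frame[1]
    return {
        "version": fc0 & 0x03,
        "type": (fc0 >> 2) & 0x03,
        "subtype": (fc0 >> 4) & 0x0F,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "retry": bool(fc1 & RETRY_FLAG),
    }


def transmitter(frame):
    """Address 2 (offset 10) is the transmitter of data and management frames;
    short control frames such as ACK carry only address 1, so return None."""
    if len(frame) < 16:
        return None
    return ":".join("%02x" % b for b in frame[10:16])


def data_frame_streams(capture):
    """Return {transmitter: {"arrivals": [t, ...], "retries": n}} built from
    the data frames in the capture; everything else is ignored."""
    streams = defaultdict(lambda: {"arrivals": [], "retries": 0})
    for ts, frame in capture:
        if len(frame) < 2:
            continue
        fc = parse_frame_control(frame)
        if fc["version"] != 0 or fc["type"] != TYPE_DATA:
            continue
        ta = transmitter(frame)
        if ta is None:
            continue
        streams[ta]["arrivals"].append(ts)
        streams[ta]["retries"] += int(fc["retry"])
    return dict(streams)


# Constructed frames (not from a real trace): 24-byte MAC header = frame
# control, duration, addr1, addr2, addr3, sequence control, then payload.
def build_frame(fc0, fc1, addr1, addr2, addr3, payload_len=0):
    return struct.pack("<BBH6s6s6sH", fc0, fc1, 0, addr1, addr2, addr3, 0) + b"\x00" * payload_len


def build_ack(addr1):
    return struct.pack("<BBH6s", 0xD4, 0x00, 0, addr1)   # type 1 (ctrl), subtype 13


AP = bytes.fromhex("020000000001")       # placeholder locally administered MACs
CLIENT = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6

CAPTURE = [
    (0.000, build_frame(0x80, 0x00, BCAST, AP, AP, 40)),     # beacon: type 0, subtype 8
    (0.005, build_frame(0x08, 0x01, AP, CLIENT, AP, 1470)),  # data, client -> AP (ToDS)
    (0.006, build_ack(CLIENT)),
    (0.010, build_frame(0x08, 0x01, AP, CLIENT, AP, 1470)),
    (0.011, build_ack(CLIENT)),
    (0.015, build_frame(0x08, 0x09, AP, CLIENT, AP, 1470)),  # same, retry flag set
    (0.016, build_ack(CLIENT)),
    (0.020, build_frame(0x88, 0x01, AP, CLIENT, AP, 1472)),  # QoS data: subtype 8
    (0.021, build_ack(CLIENT)),
    (0.030, build_frame(0x08, 0x02, CLIENT, AP, AP, 200)),   # data, AP -> client (FromDS)
]

if __name__ == "__main__":
    for ta, stream in data_frame_streams(CAPTURE).items():
        print(ta, "arrivals:", stream["arrivals"], "retries:", stream["retries"])
```

The per-station arrival lists are what the uniform sampling step consumes; the retry count is kept because retransmissions are one of the side effects of rate switching the slides list.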
Power Spectrum Density
Captures the power of a signal over a range of frequencies
Theoretical description
  Convert the signal x[n] into the frequency domain:
$$X_N(f) = \sum_{n=0}^{N-1} x_N[n]\, e^{-j 2\pi f n / f_s}$$
  Compute the signal power (spectral density) of the frequency data:
$$\hat{P}_{xx}(f) = \frac{\left| X_N(f) \right|^2}{f_s\, N}$$
Magnitude of power indicates the amount of regularity of the periodicity in the arrival rates of wireless frames at the corresponding frequency
Spectral Profile
Systematic way to numerically compare spectral content
Use a subset of values from the PSD to capture the trend in the frequency distribution of the spectra
Generate the spectral profile using the N frequency points that exhibit the greatest amount of power:
$$F = \{ f_1, f_2, f_3, \ldots, f_N \}$$
Approach in a Nutshell
Exploit differences in the implementation of the rate switching mechanism
Capture traffic generated during rate switching
Convert the traffic capture into a time series of data frame arrivals
Apply the power spectrum density function to analyze the periodicity embedded in the traffic
Generate a spectral profile from the most prevalent periodic components → identity of the NIC
Compare spectral profiles to discern between NICs
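The whole pipeline just summarized (uniform sampling, the periodogram X_N(f) and P̂_xx(f), the top-N spectral profile F, and a profile comparison), as an added worked example rather than the authors' code. It uses the PSD configuration from the controlled experiment (0.002 s sampling interval, nfft = next power of two, a single segment) and is pure Python so it needs no numpy. Three things are assumptions not stated on the slides: the mean is removed before the FFT, the profile comparison is a symmetric tolerance-match score, and the two arrival traces are constructed (the "switching" one is a toy pattern, not a model of any real card).

```python
"""Added example: frame arrivals -> sampled signal -> periodogram -> spectral
profile -> profile comparison, following the slides' PSD configuration."""
import cmath
import math

SAMPLING_INTERVAL = 0.002        # seconds, as in the slides' PSD configuration
FS = 1.0 / SAMPLING_INTERVAL     # 500 Hz sample rate, so bins span 0..250 Hz


def arrivals_to_signal(timestamps, sampling_interval=SAMPLING_INTERVAL):
    """Event x = data-frame arrival; x[n] counts arrivals in the n-th sampling
    interval. Integer microseconds avoid float rounding at bin edges."""
    step_us = int(round(sampling_interval * 1e6))
    signal = [0] * (int(round(max(timestamps) * 1e6)) // step_us + 1)
    for t in timestamps:
        signal[int(round(t * 1e6)) // step_us] += 1
    return signal


def next_pow2(n):
    p = 1
    while p < n:
        p *= 2
    return p


def fft(x):
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def periodogram(signal, fs=FS):
    """X_N(f) = sum_n x_N[n] e^{-j 2 pi f n / fs};  P_xx(f) = |X_N(f)|^2 / (fs N).
    The mean is removed first (assumption: the slides do not say whether they
    detrend); otherwise DC leakage through the rectangular window dominates
    the lowest bins and lands in every profile. Returns (freqs, power) for
    0 .. fs/2 on an nfft = next_pow2(N) grid."""
    n = len(signal)
    nfft = next_pow2(n)
    mean = sum(signal) / n
    padded = [v - mean for v in signal] + [0.0] * (nfft - n)
    spectrum = fft(padded)
    freqs = [k * fs / nfft for k in range(nfft // 2 + 1)]
    power = [abs(spectrum[k]) ** 2 / (fs * n) for k in range(nfft // 2 + 1)]
    return freqs, power


def spectral_profile(freqs, power, n_points=8):
    """F = {f1, ..., fN}: the N frequencies (DC bin excluded) with the most power."""
    ranked = sorted(range(1, len(freqs)), key=lambda k: power[k], reverse=True)
    return sorted(freqs[k] for k in ranked[:n_points])


def has_component(profile, target_hz, tolerance_hz=1.0):
    return any(abs(f - target_hz) <= tolerance_hz for f in profile)


def profile_similarity(profile_a, profile_b, tolerance_hz=1.0):
    """Symmetric score in [0, 1]: fraction of points in each profile with a
    partner in the other within tolerance_hz (assumed metric, see lead-in)."""
    def covered(src, dst):
        return sum(has_component(dst, f, tolerance_hz) for f in src) / len(src)
    return (covered(profile_a, profile_b) + covered(profile_b, profile_a)) / 2


def profile_of(timestamps, n_points=8):
    freqs, power = periodogram(arrivals_to_signal(timestamps))
    return spectral_profile(freqs, power, n_points)


def dominant_frequency(timestamps):
    freqs, power = periodogram(arrivals_to_signal(timestamps))
    return freqs[max(range(1, len(freqs)), key=lambda k: power[k])]


# Constructed arrival traces (not captures): the slides' CBR load of one data
# frame every 5 ms, for 2 s. STEADY has no rate switching. SWITCHING is a toy
# stand-in: every 4th frame lands 3 ms late, as a fallback to a slower rate
# would stretch it, imposing a 20 ms (50 Hz) period on top of the 5 ms one.
STEADY = [i * 0.005 for i in range(400)]
SWITCHING = [i * 0.005 + (0.003 if i % 4 == 3 else 0.0) for i in range(400)]

if __name__ == "__main__":
    for name, trace in (("steady", STEADY), ("switching", SWITCHING)):
        print(name, "dominant %.1f Hz" % dominant_frequency(trace),
              "profile", ["%.1f" % f for f in profile_of(trace)])
    print("similarity steady vs switching: %.2f"
          % profile_similarity(profile_of(STEADY), profile_of(SWITCHING)))
```

Sampling a 5 ms arrival process at 2 ms produces the 100 Hz and 200 Hz lines the slides report for the no-switching case (the sampled pattern repeats every 10 ms), and the constructed 20 ms disturbance shows up as a 50 Hz component that the steady profile lacks, which is what the comparison score picks up.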
Rate Switching: Controlled Experiments
(figure: sniffer and client laptops)
Setup
  Tested 3 NICs: D-Link DWL-650, Linksys WPC11, Lucent/Orinoco Gold
  Second laptop with Linksys NIC to capture traffic using tcpdump
  CBR traffic load: 1470-byte packet every 5 ms = 2.4 Mbps
  Noise source: microwave for a 60 second interval
Invoking Rate Switching
(figure)
Controlled Rate Switching: Spectral Analysis
Partitioned the analysis into three 60-second parts: interval before noise, interval with noise, interval after noise
Configuration of the PSD function
  sampling interval: 0.002 seconds
  nfft: next power of 2 greater than the length of the signal
  segment size: length of signal
No Rate Switching vs. Rate Switching
(figure: PSD plots for the three NICs; rate-switching peaks labelled 54%, 56%, 54%)
Controlled Rate Switching: Summary
NICs behaved the same when there was no rate switching during data transmission – discrete peaks at 100 Hz and 200 Hz
Distinctive PSD during rate switching
  D-Link: 54%, 40-60 Hz → 17 ms to 25 ms
  Linksys: 56%, 80-130 Hz → 7.7 ms to 12.5 ms
  Lucent: 54%, 0-10 Hz → 100 ms
► Rate switching does affect the periodicity of wireless streams, and cards with different algorithms cause different spectral characteristics
Contribution & Future Work
Identified NICs manufactured by different vendors based on the periodic patterns imposed by the rate switching algorithm
  Independent of attack tool
  Does not rely on detection of alarming behavior
  Allows detection of authorized users with unauthorized devices
Future work
  Test the approach in real-world experiments
  Test the sensitivity of the spectral profile to different host compositions (i.e., CPU, OS, etc.)
Questions ???