An 802.11 MAC layer covert channel - Department of Computer Science

WIRELESS COMMUNICATIONS AND MOBILE COMPUTING Wirel. Commun. Mob. Comput. (2010) Published online in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/wcm.969

RESEARCH ARTICLE

An 802.11 MAC layer covert channel Telvis E. Calhoun Jr, Xiaojun Cao, Yingshu Li and Raheem Beyah* Department of Computer Science, Georgia State University, Atlanta, GA 30303, U.S.A.

ABSTRACT For extremely sensitive applications, it may be advantageous for users to transmit certain types of data covertly over the network. This provides an additional layer of security to that provided by the different layers of the protocol stack. In this paper we present a covert side channel that uses the 802.11 MAC rate switching protocol. The covert channel provides a general method to hide communications within currently deployed 802.11 LANs. The technique uses a one-time password (OTP) algorithm to ensure high-entropy randomness of the covert messages. We investigate how the covert side channel affects network throughput under various rate-switching conditions with UDP-based and TCP-based application traffic. We also investigate the covertness of the covert side channel using standardized entropy. The theoretical analysis shows that the maximum covert channel bandwidth is 60 bps. The simulation results show that the impact on network throughput is minimal and increases slightly as the covert channel bandwidth increases. We further show that the channel has 100% accuracy with minimal impact on rate switching entropy for scenarios where rate switching normally occurs. Finally, we present two applications for the covert channel: covert authentication and covert WiFi botnets. Copyright © 2010 John Wiley & Sons, Ltd. KEYWORDS network steganography; covert channels; wireless networks; authentication; 802.11 rate switching; wifi botnets *Correspondence

Raheem Beyah, Department of Computer Science, Georgia State University, Atlanta, GA 30303, U.S.A. E-mail: [email protected]

1. INTRODUCTION Covert channels encode information by modulating a system parameter that is non-deterministic under normal conditions. Such a system parameter appears random to an observer, but a covert receiver can decode information from system behavior. A covert channel can use information hiding methods to hide data within an existing communication channel. Using the salt in a digital signature algorithm to leak private key information is an example of information hiding [1]. A covert channel can use a side channel by exploiting some system component that is not intended for communication. Using a wireless channel collision avoidance algorithm to transmit covert data is an example of side channel technique. For either method, the exploited system must be non-deterministic or noisy, since deterministic protocols are certifiably free of covert channels [2]. All non-deterministic systems can be modeled as a set of states and state transitions that have a given probability. Therefore, any system that can be modeled as such is vulnerable to covert channels. Researchers have proposed different techniques to remove randomness from protocols in order to verify that a protocol is covert channel free [1–3].

Copyright © 2010 John Wiley & Sons, Ltd.

Wireless networking protocols are vulnerable to covert channels due to randomness caused by the wireless environment. Factors such as mobility, RF interference, or collision avoidance algorithms can contribute to non-determinism. In Reference [3], Choi showed how the interaction between multiple protocols can produce non-deterministic behavior. Rate switching protocols can be used as a covert channel because the rate transitions are driven by non-deterministic events in the wireless channel. These protocols are designed to select a data rate that will achieve optimum performance for the current channel state. Rate switching algorithms can be modeled as a non-deterministic system where each data rate represents a state and the trigger events represent the probabilistic state transitions. Trigger events include: channel quality, frame loss, throughput, or any other metric the protocol uses to detect channel state. Additionally, issues within the rate switching protocols can make them vulnerable to covert channels. Loiacono et al. [4] observed temporal differences in system performance caused by the so-called Snowball Effect. The Snowball Effect occurs when the rate switching algorithm selects a sub-optimal data rate for a given channel state. This starts a chain-reaction that leads

An 802.11 MAC layer covert channel

to a period of unstable rate switching that degrades system performance. These unstable periods are triggered by the number of contending stations and the application traffic generated by the stations. We present a covert channel that uses 802.11 rate switching as a random variable to encode covert messages. A wireless station periodically injects a data rate sequence into the normal rate switching algorithm. The injected rate sequence, called a watermark, is derived using a one-time password (OTP) algorithm that ensures high-entropy randomness for the watermarks. The high-entropy randomness prevents replay attacks where an adversary could simply repeat a rate sequence to spoof the channel. Our goal for the watermarked rate switches is to have minimal impact on the overall rate switching distribution. We perform simulations to measure how our covert channel impacts rate switching entropy and show that the watermarks are hidden by rate switching triggered by mobility and other factors. We also examine the reliability of the channel and the overhead incurred by the covert channel in terms of node throughput for TCP and UDP traffic and explore two applications of the covert channel. The rest of the paper is organized as follows. Section 2 discusses the related covert channel schemes. Section 3 examines the causes of non-determinism for various rate switching protocols. In Section 4, we present the covert channel technique using rate switching. Section 5 presents a theoretical analysis of the covert channel. In Section 6, we present a covert authentication channel and discuss simulation results. In Section 7, we present a covert WiFi botnet. Section 8 discusses our conclusions. In this work, we assume that a rate switch occurs using a single data frame. Some rate switching protocols perform rate switches after a number of received or dropped data frames. For example, an implementation may increase the data rate after M successfully acknowledged data frames and down after N unsuccessfully acknowledged data frames. Future work will ensure that the watermark does not violate the MN thresholds. Otherwise, our covert channel can potentially generate rate sequences that violate the rate switching protocol—thus making the channel detectible.

2. RELATED WORK A covert channel can allow a process to transmit data without any indication that the system has been compromised. Lampson [5] originally discussed covert channels as a potential vector to leak sensitive information. Covert channels have received considerable attention in the network security domain. Borders et al. [6] discuss how attackers use HTTP traffic as a covert channel to bypass security measures. Covert timing channels have been used to identify the source of interactive attacks that use intermediate hosts to mask the malicious source [7, 8]. Wang et al. [9] use a MAC splitting tree algorithm as a covert channel. The tree-splitting algorithm resolves col-

T. E. Calhoun Jr et al.

lisions among active channel contenders. Colliding nodes are split into two subsets by randomly joining either the left or right subset. A splitting tree is created where the tree nodes are the collision resolution periods and the tree edges are the left or right subset selections. The station encodes a covert message as a sequence of subset selections. A covert receiver decodes the subset selections for a particular host to derive its covert message. They propose a secure algorithm that utilizes a one-way hash to generate a temporal client key that is used to encode the message. The receiver generates the same key to decode the covert message. Though the overall technique is novel, tree-splitting MAC protocols are not common in commercial wireless networks, so the technique has limited practical use. Another disadvantage of this scheme is the need to transmit the nonce via a control packet, thus adding to the overhead of the scheme. Kratzer et al. [10] use the 802.11 MAC header as a covert channel to communicate between two random WLAN hosts. The scheme modifies a MAC header field to send one or more covert bits per packet. The scheme modifies an erroneous bit which causes non-covert receivers to drop a packet while the covert receiver decodes the message. An alternate method is to modify the retry bit by duplicating a packet with retry bit set. A disadvantage of this scheme is that it requires two cover hosts to hide the covert communication channel. Additionally, the receiver must know the cover host identities and covert sender identities. Xu et al. [11] use a timing channel as a defense against broadband jamming. The authors use the inter-arrival time between receiver-side CRC failures or temporal increases in receiver-side signal strength (RSSI) to decode covert messages. The disadvantage of this scheme is that it requires a priori knowledge of channel-sensing hardware characteristics. Kataria et al. [12] use peer-to-peer traffic as a covert channel for worm coordination traffic. The scheme uses a covert storage channel to synchronize a large worm attack once the number of infected hosts reaches a critical mass. The covert channel minimizes the probability of detection by limiting probing traffic. The disadvantage of this scheme is that it does not provide a general covert channel method that can be used for various scenarios. Smith et al. [13] propose a general framework for network-based covert channels by considering two metrics: probability of detection and reliability. The framework consists of an overlay link-layer that provides forward-error correction based on trellis-coding. However, the authors do not discuss how the covert channel scheme impacts application traffic. In our previous work [14], we presented a covert authentication channel that uses 802.11 rate switching as a channel for authentication messages. We extend that work in this paper by extending the covert authentication design to support multiple authenticators. Additionally, we propose a covert botnet scenario that utilizes a bi-directional covert channel to disseminate command and control messages. We also analyze the capacity of the covert channel. Our work differs from related covert channel research in several ways. First, our covert channel uses MAC layer Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

T. E. Calhoun Jr et al.

rate switching as a side channel. This avoids the potential side effects of embedding covert information in MAC layer frames. Second, our technique is designed to operate with currently deployed 802.11 devices. Third, we examine how our MAC layer covert channel affects higher layers by analyzing how the channel impacts network throughput for UDP-based and TCP-based applications. Finally, we show that our covert channel is a general method that can be used for both network security and malicious applications.

3. BACKGROUND ON RATE SWITCHING PROTOCOLS The objective of a rate switching protocol is to select a data rate value that will achieve optimum performance for the current channel state. The two basic metrics for determining channel state are signal quality and trigger statistics based on network performance. These trigger statistics include packet loss, delay, or throughput. Algorithms that use packet loss, such as Autorate Fallback (ARF) [15] or Adaptive ARF (AARF) [16], adjust the date rate based on dropped frames, delay, or decreased throughput. Loiacono demonstrated how wireless instability occurs regardless of the trigger statistic chosen [4]. A major flaw in the design of rate adaptation protocols that rely solely on dropped frames such as ARF is that they incorrectly adjust the rate when MAC-layer collisions occur (mistaking the mangled packets as ones that have encountered RF interference). This in turn, unnecessarily reduces the throughput of the link. Signal quality algorithms such as Signal to Noise Ratio - Guided Rate Adaptation (SGRA) [17] and Receiver-Based AutoRate Protocol (RBAR) [18] measure the signal-to-noise ratio (SNR) or RSSI to determine the optimum data rate. Zhang et al. [17] use an online calibration technique to correlate the frame delivery ratio to an SNR. Rate switches are performed on SNR thresholds rather than frame loss thresholds. Commercial WLAN products implement various rate switching schemes that are based on the ARF algorithm. The implementations vary because the 802.11 specification does not define a rate switching algorithm. These commercial devices are vulnerable to the Snowball Effect caused by a failure to differentiate network congestion and channel degradation. As a consequence, rate switching algorithms can periodically decrease system performance through unstable rate switching as it attempts to respond to the channel state [4]. In our previous work [19], we observed this phenomenon in real-world networks and used the frequent rate switching as a means to identify 802.11 hardware. In response to unneeded rate switching caused by this issue, several alternatives have been proposed (e.g., using signal quality to trigger rate switching) that can distinguish between congestion and channel degradation. However, detecting signal quality is difficult to do in practice due to calibration differences in wireless receivers [4, 17]. Rate switching protocol deficiencies along with normal rate switching triggered by RF path loss and interference provide sufficient cover for a covert channel. Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

An 802.11 MAC layer covert channel

4. COVERT CHANNEL USING RATE SWITCHING Our covert channel technique uses the 802.11b rate switching algorithm as cover for messages between a mobile station and an access point. Each station periodically computes a OTP that can be used for authentication or as an encryption key. In either case, the station generates a message that is encoded into a data rate sequence. The access point decodes the received rate sequence to decipher the messages. We do not attempt to match rate switching patterns generated by specific protocols because each rate switching protocol implementation generates different rate sequences [19]. Instead, the channel maintains covertness by minimizing the impact on overall rate switching. 4.1. Initialization In the initialization phase, a trusted authority (TA) creates an initialization vector (IV) for each station. The IV serves several purposes. First, the IV synchronizes the password sequence generated by a station and the access point. Second, it assures that the each station generates a unique password sequence. Finally, the IV allows the access point to expire password sequences. A TA generates a 1024-bit master key (MK) using a cryptographically secure random function. Next, a TA generates a 160-bit initial key (IK) using a hash function, MK, and a client identifier such as a MAC address or serial number. At startup, each station seeds a common pseudo-random number generator with the IK. The common Pseudo Random Number Generator (PRNG) ensures that the station and access point generate identical sequences of random numbers. It is essential that the PRNG is cryptographically secure so that the watermarks are sufficiently random. Next, each station creates the IV by concatenating the IK and nonce. Finally, each station calculates a OTP, which is the digest of the IV generated using a one-way digest algorithm like SHA. The one-way property assures that the IV cannot be derived from the password. The TA can invalidate old keys by updating the MK and generating a new IV. 4.2. One-time password generation Each station uses a password generation function similar to S/Key [20, 21] to generate a OTP. This operation avoids duplicate password generation by a single node. During this operation, the station generates a nonce from a common PRNG. To generate the next password, the client uses the cryptographic hash function, f(x), on the previous key concatenated with the nonce. The access point also performs this operation to maintain synchronization with the station. 4.3. Watermark encoding Once the OTP is generated, the station will encode the message to be sent as a sequence of available MAC layer data

An 802.11 MAC layer covert channel

T. E. Calhoun Jr et al.

baseline interval whose minimum value equals half the maximum baseline interval. This randomization prevents an adversary from knowing when a watermark begins and ends. The client and access point use a common PRNG to calculate the random baseline interval in order to ensure synchronization.

4.5. Synchronization The covert channel uses 802.11 MAC sequence identifiers to synchronize the client and the access point. The MAC ID increments after each successfully acknowledged data frame. This allows the covert channel to calculate the beginning and end of watermarking intervals and detect MAC layer retries. This synchronization assures that no error occurs over the covert channel. The access point stores data rates from each client in a FIFO buffer by shifting in the most recently received rate and shifting out the oldest rate. The access point calculates the final MAC sequence ID for the watermark interval and then processes the covert message when this sequence ID is reached.

4.6. Covert channel overhead Figure 1. Watermark encoding process.

rates that correspond to the specific MAC protocol. The message can be the password itself (e.g., when a station is using the channel for authentication) or any other data (combined with the password) to be transmitted covertly. The resultant sequence of data rates is referred to as a watermark. The encoding scheme is based on the number of data rates available to the wireless networking protocol. For example, when using 802.11b four data rates are available (1, 2, 5.5, and 11 Mbps). These four data rates represent the following bit combinations – 00, 01, 10, and 11, respectively. Figure 1 shows how a small 16-bit OTP (0xFA51) is encoded into an 8-bit watermark.

4.4. Watermark frequency Watermark frequency determines the amount of bandwidth available for covert communications. The covert channel is designed to be a general method that can be configured to suit network conditions. The administrator can specify a maximum baseline interval that determines the maximum number of successfully transmitted data frames between successive watermark intervals. The frequency of the watermark must be chosen carefully. This is because increasing the watermark frequency will reduce the overall throughput of the channel. However, decreasing the watermark frequency may add unwanted delay to the application using the covert channel. The covert channel uses a pseudo-random

Covert channel overhead occurs when the covert channel chooses a data rate that is less than the optimal data rate for a given channel state. This results in decreased network throughput during the brief watermark interval. Conversely, the covert channel may force a client to choose a higher data rate than it would choose otherwise. In mobile scenarios, this can potentially lead to packet loss when the transmission range increases at the higher data rate. The amount of overhead can be mitigated by adjusting the watermark frequency.

4.7. Adversary model The adversary in our network is an unauthorized station that can passively monitor rate switching traffic. The unauthorized station can be a malicious or friendly host, depending on how the covert channel is used. The station identification data such as MAC addresses and serial numbers are assumed to be public. The adversary can only know the watermark length but cannot know when a watermark begins because the client randomly selects the baseline interval for each watermark. Rate switching entropy provides cover for watermarks and provides protection against passive attacks. The scheme is covert if the watermark has minimal impact on rate switching entropy over a given period. The OTP algorithm ensures watermark entropy and prevents an adversary from guessing the watermark using some brute force technique. Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

T. E. Calhoun Jr et al.

An 802.11 MAC layer covert channel

5. ANALYSIS

100 0.0010 Duty Cycle 0.0020 Duty Cycle 0.0040 Duty Cycle 0.0080 Duty Cycle

This section evaluates the covert channel in terms of covert channel bandwidth, entropy, and resilience to error. The analysis includes a few assumptions. We assume that the wireless contention with other hosts is minimal. 802.11 uses a shared medium, so contention with other hosts will decrease the available channel capacity and thus affect covert channel performance.

Covert Throughput (bits/second)

90 80 70 60 50 40 30 20

5.1. Covert channel bandwidth

10

d=

IW , IB

IB >> IW

(1)

The covert channel uses individual data rates as covert symbols. The transmission rate formula (2) shows the average number of covert bits transmitted per second (t) for a MAC protocol with r rates. The average number of rate selections per second is denoted by (s). The selection rate is equivalent to the data frame rate because a rate selection occurs for each transmitted data frame. The duty cycle is represented by (d) and is typically a small value that ranges from 0.0 to 0.01. t = s ∗ d × log2 r

(2)

As shown by (2), there is a linear relationship between the covert channel’s transmission rate, duty cycle, number of data rates, and data frame rate. Networks with high frame rate applications, such as streaming video, will have a higher covert bandwidth. Additionally, MAC protocols with a large number of rates will have greater covert channel bandwidth. Figures 2 and 3 illustrate the relationship between the duty cycle and the covert channel throughput. The lower frame rates represent the slow data rates such as 1 Mbps; while the higher frame rates represent faster rates such as 54 Mbps. The plot shows that the maximum covert channel bandwidth is 40 and 60 bps for 802.11b and 802.11 a/g, respectively. The small available bandwidth indicates that an application using the channel must not be bandwidth intensive. Both figures show that covert channel throughput increases as the frame rate and/or duty cycle increase. The duty cycle has minimal impact on throughput for lower frame rates. Increasing the number of rates also increases covert channel throughput. Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

0 0

500

1000 1500 Frame Rate(data frames/second)

2000

2500

Figure 2. Covert throughput as a function of the frame rate using 802.11b. 802.11b uses 4 data rates. The maximum covert channel throughput is 40 bps.

100 0.0010 Duty Cycle 0.0020 Duty Cycle 0.0040 Duty Cycle 0.0080 Duty Cycle

90 Covert Throughput (bits/second)

The covert channel consists of a baseline (unwatermarked) rate switching interval (IB) followed by a brief watermark rate switching interval (IW). According to (1), these intervals determine the watermark duty cycle (d). We control the duty cycle by adjusting the watermark frequency as discussed in Section 4.4. The duty cycle determines the percentage of the current channel capacity that can be used by the covert channel.

80 70 60 50 40 30 20 10 0 0

500

1000 1500 Frame Rate(data frames/second)

2000

2500

Figure 3. Covert throughput as a function of the frame rate using 802.11 a/g. 802.11 a/g uses 8 data rates. The maximum covert channel throughput is 60 bps.

5.2. MAC layer retries The covert channel uses the MAC frame sequence identifier for synchronization between clients and the AP. If a retry occurs during a watermarking period, the channel chooses the same rate until transmission is successful and the MAC increments the frame sequence number. This mechanism assures synchronization between clients without out-of-band synchronization messages that are required in other covert channels [10, 22]. However, this can potentially cause the rate switching protocol to remain at a rate that is inconsistent with the current channel state, leading to packet loss.

5.3. Entropy We apply an information theoretical metric, standardized entropy [23], to measure the baseline rate switching

An 802.11 MAC layer covert channel

T. E. Calhoun Jr et al.

distribution and quantify the affect that the covert channel has on the baseline distribution. Let rates be the set of available data rates and F be all data frames transmitted over a given interval at distinct data rates. For ratesi ∈ rates, p = ffi , where fi is the number of frames in F transmitted at ratesi
and f is the number of frames in F. According to (3), − i∈rates pi log pi is the entropy of the rate distribution and log f is its maximum entropy. Standardized entropy (SE) approaches 0 if a single data rate dominates the rate switching and approaches 1 as the rates become more evenly distributed. However, in this work the goal is to closely follow the entropy of the baseline, ensuring a robust scheme that can adapt to multiple network conditions SE(F ) :=

−




pi log pi ∈ [0, 1] log f

i∈rates

(3)

The entropy of the baseline depends on channel conditions and the proprietary rate switching protocol implemented on the wireless device. Empirical data shows that the rate distribution for a typical baseline is largely dominated by a single rate with intermittent unstable periods of various length and severity [3, 4, 17]. The baseline becomes less evenly distributed as mobility increases in the network – thereby increasing the entropy. Watermark rate distributions are almost uniform because they are generated using a cryptographic hash function. Due to the difference in the baseline and watermark entropies, the duty cycle must remain small to minimize the impact on the overall rate switching entropy.

5.4. Adaptive watermarking The covert channel should dynamically tune the duty cycle based on temporal channel conditions. The analysis in Section 4.3 shows that as the baseline entropy increases, watermarks have less impact on overall entropy. Increasing the duty cycle under these conditions will increase covert bandwidth and increase covert channel throughput. However, as the baseline entropy decreases, the watermarks have greater impact on overall entropy – making the channel easier to detect. Adjusting the duty cycle poses a trade-off between covert channel throughput and covertness. When baseline rate switching entropy is high, the channel should increase the duty cycle to maximize throughput. When baseline rate switching entropy is low, the channel should decrease the duty cycle to maximize covertness. Accordingly, our algorithm uses the baseline rate switching entropy to adjust the duty cycle. The baseline entropy threshold specifies the baseline entropy value at which the duty cycle is changed. The duty cycle factor determines the amount that the duty cycle increases or decreases as the baseline entropy changes. The procedure may be modified to use different factor values for increasing and decreasing the duty cycle.

6. COVERT AUTHENTICATION The first application we present is authentication over the covert channel. Authentication in a wireless environment is generally performed using protocols such as RADIUS [24] or 802.11i [25]. We propose a covert authentication scheme that can be used to access a protected service, such as a protected network port [26], that does not require authentication at start-up. Covert authentication is designed as an authentication protocol for a WLAN running in infrastructure mode. Each WLAN station periodically transmits a covert authentication message to a wireless access point. Transmitting the message covertly prevents an attacker from knowing when a user is authenticating. The scheme generates temporal authentication keys to protect against replay attacks where an attacker breaks the authentication by repeating monitored rate switches. 6.1. Initialization A TA generates the IV and manually loads them on each mobile host and on the access point. At startup, the mobile hosts and access point generate the initial nonce and OTP used to generate subsequent passwords. We assume that the access point is resilient to tampering. 6.2. Encoding the authentication message The mobile station transmits the OTP discussed in Section 4.2 as a temporal authentication key. The station encodes the OTP as a watermark and sends it during the watermark interval. The access point decodes the watermark to authenticate the station. Successful authentication occurs when the decoded watermark matches the OTP for the watermark interval. 6.3. Watermark frequency Watermark frequency determines the level of security provided by the covert channel. The covert authentication channel is designed to be a general authentication method that can provide various levels of security. Networks that require higher levels of security, such as corporate networks, will use more frequent watermarks. Conversely, networks that require less security may require less frequent watermarks. 6.4. Synchronization The station and access point use the MAC sequence number to synchronize the authentication messages. The sequence numbers are already synchronized by 802.11 protocol so the nodes will never get out of sync. The access point stores the received data rates in a local FIFO and authenticates the node if the decoded rate switches match the current OTP. Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

T. E. Calhoun Jr et al.

An 802.11 MAC layer covert channel

Table I. Simulation parameters. Parameter

Application Server

Setting

Watermark duty cycle (Maximum Baseline interval)

0.001 (80000 frames) 0.002 (40000 frames) 0.004 (20000 frames) 0.008 (10000 frames) One-time password length 160 bits Number of wireless clients 14 Number of access points 1 Terrain dimensions 300 × 300 meters Simulation time 1 hour Wireless client mobility Stationary, 0.5 m/s, 1.3 m/s MAC Protocol 802.11b 1 Mbps radio range 442 meters 2 Mbps radio range 339 meters 5.5 Mbps radio range 328 meters 11 Mbps radio range 271 meters FTP file size 5 MB Constant bit-rate (CBR) packet size 256 bytes

100M b Ethernet

W ireless Access Point

802.11b LAN

Figure 4. Network topology.

6.5. Modeling and simulation

6.5.1. Throughput. Figures 5 and 6 give the difference in throughput of the watermarked channel compared to the unwatermarked channel. The goal of the figures is to illustrate how the duty cycle affects network application throughput for both CBR and FTP traffic. Positive values on the graphs indicate increased network throughput and negative values indicate decreased network throughput. Overall, the figures Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

Stationary 0.5 m/s Mobility 1.3 m/s Mobility

Throughput (% difference) from Baseline

10

5

0

−5

−10 0.001

0.002

0.004 Duty Cycle

0.008

Figure 5. Percentage difference in CBR throughput vs. duty cycle for a unidirectional covert channel.

Stationary 0.5 m/s Mobility 1.3 m/s Mobility

10

Throughput (% difference) from Baseline

We model the covert authentication protocol as a unidirectional covert channel to analyze how the covert channel impacts network application throughput and rate switching entropy. All of the 802.11 stations use the covert channel to send covert authentication messages to the access point (Figure 4). We use three mobility levels to induce RF signal strength fluctuations that trigger rate switching. The mobility levels are: stationary, random waypoint mobility at 0.5 m/s and random waypoint mobility at 1.3 m/s. The simulations use the 802.11b model in Qualnet Simulator 4.5. The 802.11 model uses an ARF-based algorithm that increases the rate after ten successfully acknowledged data frames and decreases the rate after two unacknowledged data frames. We examine the impact of the covert authentication messages generated by all 802.11 nodes by isolating TCP-based and UDP-based traffic during the simulations. For the TCPonly scenario, the wireless stations use file transfer protocol (FTP) to continuously download 5 MB files from the application server. For the UDP-only scenario, the wireless stations continuously send constant bit-rate (CBR) UDP traffic to the application server. We vary the maximum baseline interval to investigate how the watermark duty cycle impacts CBR and FTP throughput. Table 1 provides all of the simulation parameters.

5

0

−5

−10 0.001

0.002

0.004 Duty Cycle

0.008

Figure 6. Percentage difference in FTP throughput vs. duty cycle for a unidirectional covert channel.

An 802.11 MAC layer covert channel

Stationary 0.5 m/s Mobility 1.3 m/s Mobility

0.065

Standardized Entropy

show that the covert channel increases or decreases network throughput by about 5%, depending on the scenario. CBR throughput decreases by a maximum of 5.9% for the stationary network, increases by a maximum of 4.2% for 0.5 m/s mobility, and increases by a maximum of 1.8% for 1.3 m/s mobility. FTP throughput increases by a maximum of 5.8% for the stationary network and by a maximum of 1.14% for 0.5 m/s mobility. FTP throughput decreases about 0.6% for 1.3 m/s mobility. A decrease in application throughput is a result of watermark attempts that require packets to be transmitted at specific rates when the rates were not available (e.g., when temporal RF interference would normally force the node to switch to 5.5 Mbps, 11 Mbps is not available). This is temporary, and thereby does not significantly decrease throughput. An increase in throughput is a testimony to ARF’s sub-optimal performance (requiring unnecessary switches to lower rates) [4, 17, 18, 27]. During a watermark interval, the covert side channel actually ignores ARF. Ignoring ARF during watermarking negates its effect and increases the overall throughput. Mobility also affects the amount of throughput degradation (or increase) seen in the network. Moving out of the range covered by the current rate normally triggers rate switching algorithms to select lower data rates (stronger encoding schemes) in order to continue communication. The results show that the throughput difference is least when WLAN stations are mobile. This shows that station mobility effectively masks network overhead of the covert channel even as the duty cycle increases. The results also show that the covert channel impacts CBR more than FTP. FTP uses TCP, which uses a feedback loop and a sliding window for flow control. Thus, when our protocol ignores ARF, acknowledgements that would have been inappropriately transmitted at a lower link-layer data rate are transmitted at a higher link-layer data rate. This enables more data packets to be transmitted and an overall higher network throughput. The increase in throughput, as a result of a faster feedback loop and the optimal performance of TCP over Distributed Coordination Function (DCF) [3], more than compensates for the covert channel protocol’s overhead and enables a net increase in throughput.

T. E. Calhoun Jr et al.

0.06 Stationary Baseline

0.5 m/s Baseline

0.055

0.05

0.045 0.001

0.002

0.004 Duty Cycle

0.008

Figure 7. Rate switching entropy for CBR vs. duty cycle for a unidirectional covert channel.

stable networks. The results in Figures 7 and 8 are a worse case, as the covert channel will become increasingly covert as the network has more frequent unstable periods. The figures compare the covert channel rate switching entropy to the baseline scenario where watermarking is disabled for all WLAN nodes. We also investigate how the covert channel impacts each application traffic type. The overall results show that the covert channel decreases rate switching entropy for both CBR and FTP traffic. Entropy for CBR traffic decreases as much as 8.1% for a stationary network, 3.7% for 0.5 m/s mobility, and 4.2% for 1.3 m/s mobility. Entropy for FTP traffic decreases as much as 12.9% for stationary networks, 1.9% for 0.5 m/s mobility, and increases as much as 5.3% for 1.3 m/s mobility. The results show that covert channel has a non-negligible impact on standardized entropy for networks with minimal baseline rate switching. However, watermarked flows for both mobile scenarios closely follow the standardized entropy of the baseline, illustrating the covertness of the side channel for scenarios where rate switching normally occurs.

Stationary 0.5 m/s Mobility 1.3 m/s Mobility

Standardized Entropy

0.065

6.5.2. Entropy. In order to determine how covert our side channel is, we compare the entropy of normal flows with that of flows containing the watermarks. Rate switching entropy depends on the temporal characteristics of the network. Accordingly, this entropy level will fluctuate depending on the specific network. Thus, our goal is to have the entropy level of the watermarked flows closely follow that of the non-watermarked flows. Given that our technique thrives (becomes more covert) on rate switching for cover, we simulated the opposite scenario – one where rate switching is less frequent, making it harder for our scheme to be undetected. However, the simulation results show that the covert channel has minimal impact on overall entropy, even for

1.3 m/s Baseline

0.06 Stationary Baseline

0.5 m/s Baseline

1.3 m/s Baseline

0.055

0.05

0.045 0.001

0.002

0.004 Duty Cycle

0.008

Figure 8. Rate switching entropy for FTP vs. duty cycle for a unidirectional covert channel. Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

T. E. Calhoun Jr et al.

6.5.3. Covert channel accuracy. The covert channel is 100% accurate for all watermark duty cycles. This is expected since the client and access point use the MAC sequence identifiers to detect retries and for synchronization.

An 802.11 MAC layer covert channel

IR C Server(s)

DNS Server

Botm aster

Wireless Access Point

7. COVERT WIFI BOTNETS 5.IR C C omm ands

The second application we present is a WiFi botnet that utilizes our rate switching covert channel as a command and control (C&C) channel (Figure 9). Botnets are a collection of compromised networked hosts that are under the control of a single entity or botmaster. Botnets typically use the Internet Relay Chat (IRC) protocol [28] for communication among bots and to the botmaster. Intrusion detection systems (IDSs) can identify malicious IRC traffic by monitoring traffic destined to common IRC ports or by monitoring for abnormal traffic behavior [29] [30]. Botnets have been shown to evade detection by using peer-to-peer traffic [12] and HTTP traffic [31]. Gu et al. [32] developed a botnet detection technique that identifies invariants in IRC-style and HTTP-style command and control traffic. The scheme monitors for the so-called response crowd effect that occurs when many botnet members respond to the same command. A WiFi botnet can use our covert channel to hide synchronized and correlated behavior associated with command and control traffic. Several researchers have studied mobile malware in the wireless environment. Akritidis et al. [33] describe a wildfire worm that infects dense networks by exploiting overlapping access points. In a previous work [34], we describe an attack where a malicious wireless host stealthily probes an 802.11 LAN for vulnerable hosts. Our WiFi botnet assumes that wireless stations have been compromised by some means that allows a bot to modulate the data rate at will. The infected hosts communicate with the command and control server via a Command and Control (C&C) proxy that bridges the command and control channel and the covert channel. The C&C proxy receives commands over IRC or HTTP and then forwards the commands over the covert channel to the WiFi botnet. The C&C proxy provides several advantages. First, it minimizes probability of detection by hiding C&C traffic within the wireless network. Second, the proxy provides increased scalability by minimizing the number of TCP connections to the IRC/HTTP server because only the C&C proxy requires a connection to the server. Finally, the proxy provides endpoint authentication between the IRC/HTTP server and the infected hosts. Authentication prevents the bots from being subverted by a rival botnet.

7.1. Initialization The botnet proxy must provide the covert channel keying materials discussed in Section 4.1 to newly infected hosts. The proxy uses DNS spoofing to transmit this information Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

3.D N S Q uery to a Fake D omain botnet.nxdom in.co.uk, type = TXT,class = IN 1.Exploit

Botnet Proxy

2.Bot D ownload

Vulnerable H ost

4.Forged D N S R esponse cmd.nxdomain.co.uk IN TXT "proxy=192.168.10.3 IV= R +Rcac2.. topic=w ifibotnet_scan”

6. C om m ands over C overtC hannel

Figure 9. The life-cycle of the WiFi botnet infection.

using forged DNS responses. Basically, we are using the DNS protocol as a covert storage channel to initialize our covert side channel. The newly infected host will perform a DNS query for a TXT record to a non-existent domain. The proxy replies to the DNS query with a forged DNS response containing the initialization data for the bot. Protocols such as DomainKeys [35] and DKIM [36] use a similar mechanism to distribute public keys for sender verification of email messages. The proxy must respond before the legitimate NXDOMAIN response or the infected host can simply ignore the legitimate response. The forged DNS response will contain the botnet proxy IP and the covert channel.

7.2. Encoding/decoding command messages Once initialization completes, the infected host decodes the rate switches generated by the C&C proxy to retrieve the command. The proxy will wait for a command and control Messages from the botmaster, encode the message as a watermark and then transmit it over the covert channel. The proxy generates OTP according to the pseudo-random baseline interval discussed in Section 4.4. Once a proxy receives a C&C message, it performs an XOR operation using the null-terminated command string and the synchronized OTP. Next, it transmits the output of the XOR operation as a watermark during the next watermark interval. The bots will recover the command text with another XOR operation using the synchronized OTP. The algorithm may be adapted to fragment a large command string across multiple watermark intervals. The proxy will simply transmit the OTP to tell bots that no message has been received from the botmaster. This process is illustrated in Figure 10.

An 802.11 MAC layer covert channel

T. E. Calhoun Jr et al.

Stationary 0.5 m/s Mobility 1.3 m/s Mobility

Throughput (% difference) from Baseline

10

5

0

−5

−10 0.001

Figure 10. Covert C&C communication example. The C&C bridges the HTTP/IRC and 802.11 networks.

0.002

0.004 Duty Cycle

0.008

Figure 12. Percentage difference in CBR throughput vs. duty cycle for a bi-directional covert channel.

7.4. Modeling and simulation

7.3. Watermark frequency There is a performance bottleneck that is due to the command and control message latency introduced by the botnet proxy. This latency is the interval from the time the proxy receives the C&C message until it has been sent over the covert channel—which is a function of the watermark interval. As shown in Figure 11, infrequent watermark intervals will increase C&C latency and frequent watermarks will decrease latency. This figure shows that the latency using a short baseline interval (L1) is smaller than the latency using a long baseline interval (L2). However, there is a trade-off between frequency and covertness as discussed in Section 5.3. The botnet designer should configure the watermark frequency according to the application scenario.

We model the covert botnet C&C channel as a bi-directional covert channel and analyze how the covert channel impacts network application throughput and rate switching entropy. The covert botnet simulation environment is identical to the covert authentication simulations described in Section 6.5 except for two modifications. First, the covert channel model is bi-directional so watermarks are generated by the access point and by all 802.11 stations. Second, the application server generates constant bit-rate UDP traffic to the wireless stations to provide the access point with an inbound traffic stream to be used for watermarking. Table 1 provides all of the simulation parameters. Each data point shown in the simulation results represents the average of 25 runs.

7.4.1. Throughput. Figures 12 and 13 give the difference in throughput of the watermarked channel compared to the unwatermarked channel. Further, Figures 12 and 13 illustrate how the watermark duty cycle impacts network throughput for the UDP-only and TCP-only scenarios with various levels of Stationary 0.5 m/s Mobility 1.3 m/s Mobility

10

Throughput (% difference) from Baseline

The covert channel supports bi-directional communication because both the bot and C&C proxy discover the endpoint identities during the initialization phase. The bot simply monitors the rate switches from the proxy and vice-versa . Additionally, infected hosts can promiscuously monitor traffic from the C&C proxy—enabling the proxy to communicate with all infected hosts simultaneously. This broadcast medium provides an obvious advantage over supporting multiple HTTP or IRC command channels in traditional botnets.

5

0

−5

−10 0.001

Figure 11. Command and control latency for long and short baseline intervals.

0.002

0.004 Duty Cycle

0.008

Figure 13. Percentage difference in FTP throughput vs. duty cycle for a bi-directional covert channel. Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

T. E. Calhoun Jr et al.

An 802.11 MAC layer covert channel

7.4.2. Entropy. Figures 14 and 15 show how the watermark duty cycle impacts rate switching entropy for the UDP-only and TCPonly scenarios with various levels of mobility. The results provide a general observation that the baseline entropy is greater for CBR traffic than for FTP traffic. This difference in baseline entropy is due to TCP’s innate better performance over DCF [3] and indicates that UDP traffic induces more rate switches than TCP traffic. Overall, watermarking decreases rate switching entropy for lower duty cycles and starts to increase entropy after the duty cycle reaches 0.004. The greatest difference in entropy is seen for stationary scenarios and the least difference is seen for mobile scenarios. For UDP, the results show a maximum decrease of 14.2% for the stationary scenario, a maximum decrease of 3.6% for the 0.5 m/s mobility,

Stationary 0.5 m/s Mobility 1.3 m/s Mobility

Standardized Entropy

0.065

0.06 Stationary Baseline

0.5 m/s Baseline

1.3 m/s Baseline

0.055

0.05

Stationary 0.5 m/s Mobility 1.3 m/s Mobility

0.065

Standardized Entropy

mobility. Overall, the figures show that network throughput increases for TCP traffic (indicated by the positive values on the graphs) but decreases for UDP traffic (indicated by the negative values on the graphs). For UDP, there is a maximum decrease of 8.8% for the stationary scenario and a maximum decrease of 3.5% for both mobile scenarios. For TCP, there is a maximum increase 5.5% for the stationary scenario and a maximum increase of 2.1% for both mobile scenarios. The results from both CBR and FTP traffic types show that the watermarks have minimal impact on throughput and the impact lessens as mobility increases. As discussed in the authentication simulation results, the cause for the increase in TCP throughput is the temporal boost given to TCP’s flow control mechanism. By contrast, UDP does not adapt to changes in wireless network state and cannot take advantage fluctuations in channel capacity. This results in reduced network throughput as the watermarks temporarily degrade the channel. However, the UDP results show that degradation is least when the nodes move at 1.3 m/s but is greatest when the nodes are stationary.

0.06 Stationary Baseline

0.5 m/s Baseline

1.3 m/s Baseline

0.055

0.05

0.045 0.001

0.002

0.004 Duty Cycle

0.008

Figure 15. Overall rate switching entropy vs. duty cycle for FTP traffic for a bi-directional covert channel.

and maximum increase of 2.3% for 1.3 m/s mobility. For TCP, the results show a maximum decrease of 8.4% for the stationary scenario, a maximum decrease of 6.0% for 0.5 m/s mobility, and a maximum increase of 1.8% for 1.3 m/s mobility.

7.4.3. Covert channel accuracy. The covert channel is 100% accurate for all watermark frequencies. This is expected since the client and access point use the MAC sequence identifiers to detect retries and for synchronization.

8. CONCLUSION We presented a covert channel that uses 802.11 rate switching to hide communication between an access point and station. We showed that commonly used rate switching protocols are candidate covert channels due to randomness triggered by the mobile environment. The results show that the channel is most covert when there is mobility in the network. The simulation results show that the effects of the covert channel on entropy and application throughput decrease as the baseline entropy increases, regardless of any increases in watermarking duty cycle. The covert channel impacts UDP-based applications more than TCP-based applications. Also, the covert channel is 100% accurate due to synchronization using MAC sequence identifiers. We show how a unidirectional covert channel can be used as a covert authentication mechanism and a bi-directional channel can serve as command-and-control medium for a covert WiFi botnet.

ACKNOWLEDGEMENT

0.045 0.001

0.002

0.004 Duty Cycle

0.008

Figure 14. Overall rate switching entropy vs. duty cycle for CBR traffic for a bi-directional covert channel. Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

We would like to acknowledge Scalable-Networks Inc. for supplying the university release of Qualnet 4.5 via the Qualnet University Program [37].

An 802.11 MAC layer covert channel

T. E. Calhoun Jr et al.

REFERENCES 1. Choi JY, Philippe G, Markus J. Tamper-evident digital signature protecting certification authorities against malware. In 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing Venice, Italy, Philippe G (ed.). 2006; 37–44. 2. Bailey DV, Dan B, Eu-Jin G, Ari J. Covert channels in privacy-preserving identification systems. In 14th ACM Conference on Computer and communications Security (CCS), 2007. 3. Choi J, Kihong P, Chong-kwon K. Cross-layer analysis of rate adaptation, DCF and TCP in multi-rate WLANs. In 26th IEEE International Conference on Computer Communications (INFOCOM), 2007; 1055–1063. 4. Loiacono M, Rosca J, Trappe W. The snowball effect: detailing performance anomalies of 802.11 rate adaptation. In IEEE Global Telecommunications Conference (GLOBECOM), 2007; 5117–5122. 5. Lampson BW. A note on the confinement problem. Communications of the ACM 1973; 16(10): 613–615. 6. Borders K, Atul P. Web tap: detecting covert web traffic. In 11th ACM Conference on Computer and Communications Security (CCS), 2004. 7. Pyun YJ, Park YH, Wang X, Reeves DS, Ning P. Tracing traffic through intermediate hosts that repacketize flows. In 26th IEEE International Conference on Computer Communications (INFOCOM), 2007; 634–642. 8. Wang X, Reeves DS. Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays. In 10th ACM Conference on Computer and Communications Security (CCS), 2003. 9. Wang Z, Jing D, Lee RB. Mutual anonymous communications: a new covert channel based on splitting tree MAC. In 26th IEEE International Conference on Computer Communications (INFOCOM), Jing D (ed.). 2007; 2531–2535. 10. Kratzer C, Jana D, Andreas L, Tobias K. Wlan steganography: A first practical review. In 8th Workshop on Multimedia and Security (MMSec), 2006. 11. Xu W, Trappe W, Zhang Y. Anti-jamming timing channels for wireless networks. In 1st ACM Conference on Wireless Network Security (WiSec), 2008. 12. Kataria G, Anand G, Araujo R, Krishnan R, Perrig A. A distributed stealthy coordination mechanism for worm synchronization. In Securecomm and Workshops, 2006; 1–8. 13. Smith RW, Scott Knight G. Predictable design of network-based covert communication systems. In IEEE Symposium on Security and Privacy (SP), 2008; 311– 321. 14. Calhoun T, Newman R, Beyah R. Authentication in 802.11 LANs using a covert side channel. In IEEE Inter-

15.

16.

17.

18.

19.

20.

21. 22.

23.

24. 25.

26.

27.

28. 29.

national Conference on Communications (ICC), 14–18 June, 2009. Kamerman A, Montaban L. Wavelan-II: a highperformance wireless LAN for the unlicensed band. Bell Labs Technical Journal 1997; 10: 119. Lacage M, Manshaei MH, Turletti T. IEEE 802.11 rate adaptation: a practical approach. In 7th ACM International Symposium on Modeling, Analysis and Simulation of Wireless and Mobile Systems (MSWiM), 2004. Zhang J, Tan K, Jun Z, Haitao W, Yongguang Z. A practical SNR-guided rate adaptation. In 27th Conference on Computer Communications (INFOCOM), 2008, 2083– 2091. Holland G, Vaidya N, Bahl P. A rate-adaptive MAC protocol for multi-hop wireless networks. In 7th Annual International Conference on Mobile Computing and Networking (Mobicom), 2001. Corbett C, Beyah R, Copeland J. A passive approach to wireless NIC identification. In IEEE International Conference on Communications (ICC), 2006; 5: 2329–2334. Lamport L. Password authentication with insecure communication. Communications of the ACM 1981; 24(11): 770–772. Nesser N, Haller C, Metz P. A one-time password system, RFC 2289, 1998. Li S, Epliremides A. A network layer covert channel in ad-hoc wireless networks. In 1st Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (SECON), 2004; 88– 96. Xu K, Zhang Z-L, Bhattacharyya S. Profiling internet backbone traffic: Behavior models and applications. In Conference on Applications Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), 2005. Livingston CR. Remote authentication dial in user service (radius), RFC 2138, 1997. IEEE 802.11i-2004: Amendment 6: Medium access control (MAC) security enhancements. IEEE Standards, 2004. deGraaf R, Aycock J, Jacobson M. Improved port knocking with strong authentication. In 21st Annual Computer Security Applications Conference, 2005. Lee S, Kwangsue C. Channel quality-based rate adaptation scheme for wireless networks. In International Conference on Information Networking (ICOIN), 2008; 1–5. Kalt C. Internet relay chat: client protocol, RFC 2812, 2000. Rajab MA, Jay Z, Fabian M, Andreas T. A multifaceted approach to understanding the botnet phenomenon. In 6th ACM SIGCOMM Conference on Internet Measurement (IMC), 2006.

Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

T. E. Calhoun Jr et al.

An 802.11 MAC layer covert channel

30. Cooke E, Jahanian F, McPherson D. The zombie roundup: understanding, detecting, and disrupting botnets. In Steps to Reducing Unwanted Traffic on the Internet Workshop (RUTI), 2005. 31. Carrow EL. Puppetnets and botnets: information technology vulnerability exploits that threaten basic internet use. In 4th Annual Conference on Information Security Curriculum Development, 2007. 32. Gu G, Zhang J, Lee W. Botsniffer: detecting botnet command and control channels in network traffic. In 15th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2008. 33. Akritidis P, Chin WY, Lam VT, Sidiroglou S, Anagnostakis KG. Proximity breeds danger: emerging threats in metro-area wireless networks. In USENIX Security Symposium (SECURITY), 2007. 34. Beyah RA, Corbett CL, Copeland JA. The case for collaborative distributed wireless intrusion detection systems. In IEEE International Conference on Granular Computing (GrC), 2006; 782–787. 35. Delany M. Domain-based email authentication using public keys advertised in the DNS (domainkeys), RFC 4870, 2007. 36. Allman E, Callas J, Delaney M, Libbey M, Fenton J, Thomas M. Domainkeys identified mail (DKIM) signatures, RFC 4871, 2007. 37. Network simulator: qualnet 4.5, 2008.

AUTHORS’ BIOGRAPHIES Telvis Calhoun received his B.S. at Southern Polytechnic State University in Computer Engineering. In 2009, he received his M.S. at Georgia State University. He is currently employed as software engineer for a multi-national security technology company. Xiaojun Cao received his B.S. from Tsinghua University and M.S. from Chinese Academy of Sciences. In June 2004, he received his Ph.D. degree in Computer Science and Engineering from the State University of New York at Buffalo. Dr Cao’s research has been sponsored by US National Science Foundation (NSF), IBM and Cisco’s University Research Program. Dr Cao is a recipient of NSF CAREER Award, 2006–2011.

Wirel. Commun. Mob. Comput. (2010) © 2010 John Wiley & Sons, Ltd. DOI: 10.1002/wcm.969

Yingshu Li received her Ph.D. and M.S. degrees from the Department of Computer Science and Engineering at University of Minnesota-Twin Cities. She received her B.S. degree from the Department of Computer Science and Engineering at Beijing Institute of Technology, China. Dr Li is currently an Assistant Professor in the Department of Computer Science at Georgia State University. Her research interests include Optimization in Networks, Wireless Sensor Networks, Wireless Networking and Mobile Computing, Approximation Algorithm Design, and Computational Biology. Her research has been supported by the National Science Foundation (NSF) of US, the National Science Foundation of China (NSFC), the Electronics and Telecommunications Research Institute (ETRI) of Korea, and GSU internal grants. Dr Li is the recipient of an NSF CAREER Award. Raheem Beyah is an Assistant Professor in the Department of Computer Science at Georgia State University where he leads the Georgia State Communications Assurance and Performance Group (CAP). He is also an Adjunct Professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. He received his Bachelor of Science in Electrical Engineering from North Carolina A&T State University in 1998. He received his Masters and Ph.D. in Electrical and Computer Engineering from the Georgia Institute of Technology in 1999 and 2003, respectively. Prior to joining Georgia State in 2005, Dr Beyah was a research faculty member with the Georgia Institute of Technology’s Communications Systems Center (CSC) for 4 years and remains a part of the Center. He also worked as a consultant in Andersen Consulting’s (now Accenture) Network Solutions group. He is an Associate Editor of several journals including the (Wiley) Security and Communication Networks Journal and the (Wiley) Wireless Communications and Mobile Computing Journal. His research interests include network security, wireless networks, network traffic characterization and performance, and security visualization. Dr Beyah received the National Science Foundation CAREER award in 2009. He is a member of ACM, NSBE, and a senior member of IEEE.