Identifying Unique Devices through Wireless Fingerprinting


Identifying Unique Devices through Wireless Fingerprinting
WiSec 2008
NTHU CS ISLAB 國立清華大學 資訊工程研究所 資訊安全實驗室
OUTLINE
• Introduction
• Network fingerprinting techniques
• Design and implementation of fingerprinting technique
• The experimental results and analysis of the proposed solution
• The applications of our device fingerprinting
• Limitations
• Conclusion
INTRODUCTION
1. New fingerprinting technique that differentiates between unique devices over a WLAN through the timing analysis of 802.11 probe request frames
2. Can be applied to spoof detection, network reconnaissance, and access control against masquerading attacks
3. WEP was insecure and trivially cracked after an attacker has collected enough frames with the same Initialization Vector
4. In order to retain backward compatibility, WPA has not completely resolved some security issues
WIRELESS DEVICE FINGERPRINTING
• Distinguishing between unique combinations of the tuple {Machine, Wireless Network Interface Card (NIC) Driver, Operating System}
• Fingerprinting technique is a process with three phases:
  1. Traffic Capturing Phase – Passive collection of wireless traces
  2. Fingerprint Generation Phase – Processing raw data to extract meaningful information
  3. Analysis Phase – Employing statistical significance testing to distinguish between unique devices
Figure: High Level Overview of Fingerprinting Technique
Traffic Capturing Phase
• Involves the passive collection of probe request frames emitted from wireless client stations, for timing analysis in the Fingerprint Generation Phase
• Periodic probe request intervals appear to be different across wireless NIC drivers
Figures: Active Scanning by Cisco Aironet 340; Active Scanning by DLink DWL-G650. The figures show the time delta between successive probe request frames received at the fingerprinter from two different types of wireless NIC drivers.
Fingerprint Generation Phase
• Selection of key points from the data that are valuable for distinguishing between devices
• Coarse-Grained Data Selection
• Fine-Grained Data Selection through Clustering
Coarse-Grained Data Selection
• Two patterns are observed in the probe request timing:
  1. A rapid burst of zero or more probe requests with tiny timing intervals in the range of milliseconds
  2. A probe request after a large timing interval in the range of tens of seconds, which is seen as a peak
• By focusing on the probe requests with large timing intervals in the range of tens of seconds (the large amplitudes in the figures), it becomes possible to distinguish between devices
Figures: Inter-burst latencies of Cisco Aironet 340; Inter-burst latencies of Netgear WG511v2. The clusters of inter-burst latencies as captured from two different wireless NIC drivers.
Fine-Grained Data Selection through Clustering
• Clustering techniques are used to automatically partition the inter-burst latencies into distinct clusters
• We use a Maximum Variance Clustering approach, parameterised by the maximum variance (σ²max) allowed within a cluster
  - Cluster homogeneity can be read from the sum-of-squared-errors criterion, Je
  - Changing the value of σ²max affects the cluster homogeneity
• Je stays constant over a substantial range of σ²max as σ²max is varied
• There is a high possibility of real cluster structure within this range of σ²max
Je as a function of σ²max
• Je plateaus are formed as σ²max varies
• Let σ²A be the lower-bound variance that forms the plateau and σ²B be the upper-bound variance, so that σ²A < σ²B
• The strength of each Je plateau can then be defined as the ratio:
Appropriate Fitting with suitable σ²max
• Applying the clustering algorithm on a series of inter-burst latencies from a wireless device equipped with an Asus WL-167G
• The fingerprints of unique devices are represented by the clusters of inter-burst latencies
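The coarse-grained selection and the σ²max clustering scan described above, as an added example that is not the paper's or the presenters' code: it pulls the inter-burst latencies (deltas of tens of seconds) out of constructed probe-request timestamps, partitions them with a simple greedy maximum-variance pass (an assumption; the paper's exact clustering procedure is not reproduced), and scans σ²max to report each Je plateau with its bounds σ²A and σ²B.

```python
"""Added example (not the paper's code): coarse-grained selection of
inter-burst latencies from probe-request timestamps, then a greedy form of
maximum-variance clustering and a scan of sigma^2_max for Je plateaus."""
from statistics import mean, pvariance

# Constructed capture (seconds): rapid bursts of 2-3 probe requests a few ms
# apart, separated by inter-burst gaps of roughly 30 s or 60 s.
TIMESTAMPS = [0.000, 0.004, 0.009, 30.10, 30.105, 60.25, 60.254, 60.259,
              90.30, 90.303, 150.5, 150.506, 180.6, 180.604, 180.61,
              240.8, 240.805, 270.85, 270.853]

def inter_burst_latencies(ts, burst_gap=1.0):
    """Coarse-grained selection: a delta below burst_gap (s) lies within a
    rapid burst; a larger delta is an inter-burst latency (a 'peak')."""
    return [b - a for a, b in zip(ts, ts[1:]) if b - a >= burst_gap]

def max_variance_clusters(values, s2max):
    """Single pass over sorted latencies: open a new cluster as soon as adding
    the next value would push the cluster's variance above s2max. This greedy
    rule is a simplification; the paper's exact procedure is not reproduced."""
    clusters, cur = [], []
    for v in sorted(values):
        if cur and pvariance(cur + [v]) > s2max:
            clusters.append(cur)
            cur = []
        cur.append(v)
    clusters.append(cur)
    return clusters

def sse(clusters):
    """Je: sum of squared errors of every value about its cluster mean."""
    return sum((v - mean(c)) ** 2 for c in clusters for v in c)

def je_plateaus(values, s2_grid):
    """Scan sigma^2_max over s2_grid; return one (s2_A, s2_B, Je, k) tuple per
    run of consecutive grid points with identical (Je, k), i.e. one plateau."""
    js = [(sse(cl), len(cl))
          for cl in (max_variance_clusters(values, s) for s in s2_grid)]
    plateaus, start = [], 0
    for i in range(1, len(js) + 1):
        if i == len(js) or js[i] != js[start]:
            plateaus.append((s2_grid[start], s2_grid[i - 1], *js[start]))
            start = i
    return plateaus

if __name__ == "__main__":
    lat = inter_burst_latencies(TIMESTAMPS)
    for s2a, s2b, je, k in je_plateaus(lat, [10.0 ** e for e in range(-5, 4)]):
        print(f"k={k} clusters, Je={je:.3g}, plateau for s2max in [{s2a:g}, {s2b:g}]")
```

On the constructed capture the widest plateau is the two-cluster partition (latencies near 30 s and near 60 s), which is the structure a fingerprint would record for this device.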
Analysis Phase
• Employing statistical hypothesis testing to determine whether supposedly different traffic traces captured were actually emitted from different devices
• The Mann-Whitney U-test is used for its statistical strength in testing whether two samples of inter-burst latencies come from the same distribution
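The Mann-Whitney U-test of the Analysis Phase, as an added example rather than the paper's code, applied to constructed inter-burst latency samples: the null hypothesis H0 is that both samples came from the same device, so a small p-value rejects H0 and flags different devices, while a large one only means the captures cannot be told apart. The normal approximation without tie correction is an assumption of this example.

```python
"""Added example (not the paper's code): two-sided Mann-Whitney U-test on two
samples of inter-burst latencies, implemented with average ranks for ties and
the normal approximation (reasonable for samples of about 8 or more)."""
from math import erfc, sqrt

# Constructed inter-burst latencies in seconds: two captures of device A and
# one capture of a device B whose driver probes slightly later than A.
DEV_A = [30.041, 30.045, 30.091, 30.094, 30.145, 30.060, 30.072, 30.110, 30.033, 30.088]
DEV_A2 = [30.050, 30.080, 30.120, 30.040, 30.099, 30.066, 30.131, 30.058, 30.085, 30.104]
DEV_B = [30.210, 30.195, 30.240, 30.188, 30.262, 30.225, 30.201, 30.252, 30.170, 30.233]

def ranks(values):
    """1-based ranks; tied values share the mean of the ranks they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    r = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2.0            # mean of ranks i+1 .. j+1
        for k in range(i, j + 1):
            r[order[k]] = avg
        i = j + 1
    return r

def mann_whitney(a, b):
    """Return (U, two-sided p) for H0: both samples come from one distribution.
    No tie correction in sigma (an assumption kept for brevity)."""
    n1, n2 = len(a), len(b)
    r = ranks(list(a) + list(b))
    u1 = sum(r[:n1]) - n1 * (n1 + 1) / 2.0     # U statistic for sample a
    u = min(u1, n1 * n2 - u1)
    mu = n1 * n2 / 2.0
    sigma = sqrt(n1 * n2 * (n1 + n2 + 1) / 12.0)
    z = (u - mu + 0.5) / sigma                  # continuity correction
    return u, erfc(abs(z) / sqrt(2))

def same_device(a, b, alpha=0.05):
    """H0 not rejected at level alpha: the two captures cannot be told apart
    (as the slides note, this does not prove they are the same device)."""
    return mann_whitney(a, b)[1] >= alpha
```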
EXPERIMENTAL RESULTS
• The objectives of our experiments were to determine whether our fingerprinting technique was able to:
  1. Accurately differentiate between unique devices
  2. Produce consistent results for each particular device over time, on separate occasions, and under varying network loads
  3. Distinguish between different machines having the same specifications (model, RAM, processor, etc.) and equipped with the same OS and wireless NIC drivers
Table of Test Outcomes based on Actual Conditions
• The Null Hypothesis H0 for our Mann-Whitney U-test was that the samples were generated by the same wireless device
Controlled Environments
• Experiments were conducted with a single AP and four laptops (one laptop as the fingerprinter and the other three acting as the fingerprintees) in the vicinity
Figure: layout of the fingerprinter, the AP and the fingerprintees P1, P2, P3
Comparisons between Similar Devices
• Results of fingerprinting 3 wireless devices with identical specifications, OS and wireless NIC driver
Fingerprinting the Same Device
• Results of fingerprinting the same device
Investigating the Effects of Distance
• Effect of distance on fingerprinting different devices
• Results of fingerprinting the same device at different distances
Spoof Detection
• WEP can be cracked, and even with WPA:
  - Management and control frames remain susceptible to MAC spoofing/replay/masquerading attacks due to the lack of authentication and encryption for such frames
• Complementing the weaknesses of the existing WEP/WPA schemes:
  - Maintenance of a white-list of allowed devices, each associated with its MAC address and wireless fingerprint profile
  - An alien device that attempts to masquerade using a valid MAC address will be picked up through device fingerprinting
Network Forensics
• A problem that easily arises in wireless LANs, especially when virtual identities are entirely spoofed during an attack
• Intrusion detection records and network traces may in fact point to the wrong culprit instead of identifying the right attacker
  - Can be resolved if wireless device fingerprints can be used as an independent mechanism to identify unique devices
Network Profiling and Reconnaissance
• A honeynet may be set up to simulate the presence of multiple virtual hosts on a single physical machine
  - To lure attackers into honeypots and keep them away from real production systems
  - To study the attack techniques employed by the attacker
• The fingerprinting technique can be applied to indicate whether a set of candidate MAC or IP addresses observed in the channel actually come from the same physical device
LIMITATIONS
1. Fundamental to statistical hypothesis testing
  - When the Null Hypothesis (that the samples came from the same device) is not rejected, we cannot conclude that the two devices are actually the same
2. On analysing the inter-burst latencies based on clustering, at present
  - It takes at least about an hour before we can gather enough data to perform the fingerprinting
3. The most challenging issue we face is the lossy nature of wireless communications
  - Shadowing, interference and channel fading effects, packet losses and delays inevitably occur, thereby decreasing the efficacy of our timing-based fingerprinting technique
4. In particular, in a congested environment, 802.11 medium access control kicks in, causing back-offs with a certain amount of random time involved
  - This makes it hard to characterize
5. An attacker may mix the probe request frames from his masqueraded device with the frames from a concurrently active legitimate device
7. The effects of temperature may alter clock oscillations
  - An attacker may alter the fingerprint of his own machine by altering its temperature
  - Or remotely alter the fingerprint of his victim by deliberately increasing the CPU load
CONCLUSION
• New fingerprinting technique that differentiates between unique devices
  - Over a wireless Local Area Network
  - Through the timing analysis of 802.11 probe request frames
  - Achieving an average accuracy rate of about 70% to 80% in differentiating between unique devices
• Future improvements
  - Inclusion of more test metrics
    -- More metrics could be included to increase the robustness of the technique