Slide 1. University of Massachusetts, Amherst, Department of Computer Science
Disambiguation of Residential Wired and Wireless Access in a Forensic Setting
Sookhyun Yang, Jim Kurose, Brian Neil Levine, University of Massachusetts Amherst
This research is supported by NSF awards CNS and CNS

Slide 2. Outline
- Introduction
- Problem Statement
- Experimental Methodology
- Classification Results
- Conclusion

Slide 3.
[Diagram: an illegal content distributor (e.g., CP) behind a residential wireless router distributes content over a P2P network, observed by a law enforcement peer. Step 1: public IP address. Step 2: known sender location, i.e., illegal content distributed via P2P from a known location. The open question at the router: wired or wireless access? The resident's response: "Someone used my open Wi-Fi!"]
Challenge: can we legally determine that a suspect used wired access, thus making the resident user more likely to be the responsible party?

Slide 4. Can We Intercept Data at Intermediate Nodes?
No, law enforcement cannot legally take traces at intermediate nodes without a warrant or wiretap.
[Diagram: illegal content distributor, wireless router, intermediate routers, and the law enforcement peer; data interception via a sniffer at a router is marked as not permitted.]
- Reasonable expectation of privacy (REP) for the sources of data.
- The Wiretap Act and the Pen Register statute.

Slide 5. Can We Intercept Data as a Peer?
Yes, measurements taken at a peer, before a warrant, are legal!
[Diagram: illegal content distributor behind a wireless router, P2P network, law enforcement peer.]
- Users of P2P file sharing networks have no reasonable expectation of privacy.
- Software designed for law enforcement to monitor P2P activity does not violate US 4th Amendment protections.

Slide 6. Outline: Introduction; Problem Statement; Experimental Methodology; Classification Results; Conclusion.

Slide 7. Our Problem Setting
[Diagram: target connected to a Wi-Fi AP either over Ethernet or wirelessly, then cable modem, cable network, Internet, P2P network, and the law enforcement peer. Question marks mark the unknown: wired access?]
Challenge: can we classify the access network type of the target sender using remotely measured P2P traces?
Challenges in this forensic setting: hidden and unknown residential factors can affect classification results.

Slide 8. Our Contribution
- Investigate the performance of several wired-vs-wireless classification algorithms in various home network scenarios.
- Observe how several scenario factors affect classifier performance:
  - single flow vs. multiple flows from a target;
  - operating systems;
  - P2P application rate limit;
  - wireless channel contention.
- Explain when, why and how the classifier works reliably or poorly.
See Tech. Rep. UM-CS , Dept. of CS, UMass Amherst.

Slide 9. Outline: Introduction; Problem Statement; Experimental Methodology; Classification Results; Conclusion.

Slide 10. Diversely Emulated P2P Traces in Controlled Settings
[Diagram: houses near UMass. Target device (single full-rate TCP flow) connected via g or 1Gbps Ethernet to a Wi-Fi AP, less than 1 m away (the worst case), with a wired sniffer; then cable modem, cable network, Internet, and a UMass server. A Purdue server is used for multiple TCP flows. Labels: host-side vs. cable network.]
- Remotely collecting pairs of wired and wireless datasets.
- Linux vs. Windows XP.
- Cable network effect (different times and houses).
- Host-side vs. cable network.
- We take measurements here to help us explain and understand classification, but do NOT use them in classification.

Slide 11. Outline: Introduction; Problem Statement; Experimental Methodology; Classification Results; Conclusion.

Slide 12. Classification Procedure
- Classification features: 25th, 50th, and 75th percentiles and entropy of the packet inter-arrival time distribution for the datasets.
- We train and cross-validate decision tree, logistic regression, SVM, and EM classifiers.
- Classification performance metrics: TPR (True Positive Rate) and FPR (False Positive Rate). FPR ≤ 0.10 and TPR ≥ 0.90 are acceptable classification results.
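The feature vector and acceptance rule from this slide, as an added Python example (not the authors' code): it derives the 25th/50th/75th percentiles and the entropy of packet inter-arrival times from a constructed list of arrival timestamps, then checks a classifier's TPR/FPR against the slide's thresholds. The histogram bin width used for the entropy is an assumption; the slides do not state how the distribution was discretised.

```python
import math
from statistics import quantiles

# Constructed sample (not a real trace): arrival timestamps in microseconds as a
# remote peer would record them for one TCP flow from the target.
SAMPLE_ARRIVALS_US = [0, 1000, 2000, 3000, 4000, 5000, 6000, 7000, 12000, 17000, 37000]


def interarrival_times(arrivals):
    """Packet inter-arrival times (IATs) from arrival timestamps, sorted first."""
    ts = sorted(arrivals)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def histogram_entropy(values, bin_width):
    """Shannon entropy (bits) of the empirical IAT distribution.
    Binning at bin_width is an assumption, not something the slides specify."""
    counts = {}
    for v in values:
        key = int(v // bin_width)
        counts[key] = counts.get(key, 0) + 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def iat_features(arrivals, bin_width=1000):
    """The slide's features: 25th/50th/75th percentiles and entropy of the IATs."""
    iats = interarrival_times(arrivals)
    p25, p50, p75 = quantiles(iats, n=4, method="inclusive")
    return {"p25": p25, "p50": p50, "p75": p75,
            "entropy": histogram_entropy(iats, bin_width)}


def tpr_fpr(truth, predicted, positive="wired"):
    """TPR and FPR of a classifier's predictions, with 'wired' as the positive class."""
    tp = fn = fp = tn = 0
    for t, p in zip(truth, predicted):
        if t == positive:
            if p == positive:
                tp += 1
            else:
                fn += 1
        elif p == positive:
            fp += 1
        else:
            tn += 1
    return tp / (tp + fn), fp / (fp + tn)


def acceptable(tpr, fpr):
    """The slide's acceptance rule: FPR <= 0.10 and TPR >= 0.90."""
    return fpr <= 0.10 and tpr >= 0.90
```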

Slide 13. Single-flow Classification Results

Feature           Linux           Windows XP
25th percentile   Inconsistent    Not acceptable
Entropy           Not acceptable  Inconsistent

Accurate classification is difficult in single full-rate flow cases.

Slide 14. Multiple Flows Classification Results
Multiple-flow cases can show better classification results than single full-rate flow cases.

Feature           Linux        Windows XP
25th percentile   Acceptable   Not acceptable
Entropy           Acceptable

Slide 15. Classification: insight into how it works
Key insight: classify at the receiver using packet inter-arrival times at the sender that were not significantly changed by the cable network access protocol or by the network at the sender.
[Diagram: target device, Wi-Fi AP, cable modem, then the cable network access protocol or Ethernet access protocol, then the UMass server; packet inter-arrival times are shown before the cable network and after the cable network.]

Slide 16. Discussion
- Classification features showing acceptable results are different for Linux and Windows XP: Windows's small 8 KB TCP send buffer. This is also found in other Windows versions.
- Single full-rate flow vs. multiple flows: a flow generated alongside multiple competing flows from a target would be less affected by the cable network.
See Tech. Rep. UM-CS , Dept. of CS, UMass Amherst.

Slide 17. Conclusion
- We justified the legality of our trace-gathering methods based on US law.
- We proposed a classifier for determining whether a target used wired or wireless access.
- Through extensive experimentation, we determined the scenarios where the classifier works reliably.
Traces: traces.cs.umass.edu

Slide 18. Open Questions
- Other hidden or unknown residential factors: Mac OS; n, MIMO; modified TCP implementation.
- Multiple flows across multiple sites.
- Long-term traces.

Slide 19. End
Questions or comments welcome!

