1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 Presenter: Nan Jiang Most Slides:

Slides:

Advertisements

Similar presentations

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.

Advertisements

SoNIC: Classifying Interference in Sensor Networks Frederik Hermans et al. Uppsala University, Sweden IPSN 2013 Presenter: Jeffrey.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

60 GHz Flyways: Adding multi-Gbps wireless links to data centers

Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

1 Wireless LAN Security Presented by Vikrant Karan.

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.

WiFi-Reports: Improving Wireless Network Selection Jeffrey Pang (CMU) with Ben Greenstein (IRS) Michael Kaminsky (IRP) Damon McCoy (U. Colorado) Srinivasan.

User Fingerprinting MobiCom 2007 (Sept Montreal, Quebec, Canada)

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Privecsg Tracking of Link Layer Identifiers Date: [ ] Authors: NameAffiliationPhone Juan Carlos ZúñigaInterDigital

Wifi-Reports: Improving Wireless Network Selection with Collaboration Jeffrey Pang (CMU) Ben Greenstein (Intel Research Seattle) Michael Kaminsky (Intel.

Wang, Z., et al. Presented by: Kayla Henneman October 27, 2014 WHO IS HERE: LOCATION AWARE FACE RECOGNITION.

Networking Components

Improving the Privacy of Wireless Protocols Jeffrey Pang Carnegie Mellon University.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

An Efficient Identity-based Cryptosystem for

Indoor Localization using Wireless LAN infrastructure Location Based Services Supervised by Prof. Dr. Amal Elnahas Presented by Ahmed Ali Sabbour.

Chapter 6: Packet Filtering

Two reasons you can’t trust a wireless network (and some stuff that goes on at Intel Research Seattle) Jeff Hightower, Ali Rahimi, Ian Smith, Josh Smith,

Wireless Network Security Dr. John P. Abraham Professor UTPA.

Environment => Office, Campus, Home  Impact How, not Whether A Checklist for Wireless Access Points.

FiG: Automatic Fingerprint Generation Shobha Venkataraman Joint work with Juan Caballero, Pongsin Poosankam, Min Gyung Kang, Dawn Song & Avrim Blum Carnegie.

Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 11 User Datagram Protocol (UDP)

1 Impact of IT Monoculture on Behavioral End Host Intrusion Detection Dhiman Barman, UC Riverside/Juniper Jaideep Chandrashekar, Intel Research Nina Taft,

Mapping Internet Sensors with Probe Response Attacks Authors: John Bethencourt, Jason Franklin, Mary Vernon Published At: Usenix Security Symposium, 2005.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin In First Workshop on Hot Topics in Understanding Botnets,

Elastic Pathing: Your Speed Is Enough to Track You Presented by Ali.

Nicholas D. Lane, Hong Lu, Shane B. Eisenman, and Andrew T. Campbell Presenter: Pete Clements Cooperative Techniques Supporting Sensor- based People-centric.

Preserving Location Privacy in Wireless LANs Jiang, Wang and Hu MobiSys 2007 Presenter: Bibudh Lahiri.

WLANs & Security Standards (802.11) b - up to 11 Mbps, several hundred feet g - up to 54 Mbps, backward compatible, same frequency a.

Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era Authors: Ben Greenstein, Ramakrishna Gummadi, Jeffrey Pang, Mike Y. Chen,

Remote Hardware Fingerprinting: A Statistical Approach R. Fink ~ May, 2006.

Intradomain Traffic Engineering By Behzad Akbari These slides are based in part upon slides of J. Rexford (Princeton university)

Wireless Networks. Wireless Network A wireless network transports data from one device to another without cables or wires – RF signals – Microwaves –

Classification (slides adapted from Rob Schapire) Eran Segal Weizmann Institute.

Privecsg Tracking of Link Layer Identifiers Date: [ ] Authors: NameAffiliationPhone Juan Carlos ZúñigaInterDigital

1 DozyAP: Power-Efficient Wi-Fi Tethering Speaker Hao Han College of William & Mary 3/22/2013 W&M Graduate Research Symposium 2013.

Secure Unlocking of Mobile Touch Screen Devices by Simple Gestures – You can see it but you can not do it Muhammad Shahzad, Alex X. Liu Michigan State.

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Yoshi Kohno, Jeffrey Pang, Srini Seshan, and David.

Doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing Privacy by Concealing Link Layer Identifiers.

Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.

ARP ‘n RARP. The Address Resolution Protocol (ARP) is a request sent out by a computer to find another computer’s MAC address. It already knows the IP.

1 © 2004, Cisco Systems, Inc. All rights reserved. Wireless LAN (network) security.

Introduction Web analysis includes the study of users’ behavior on the web Traffic analysis – Usage analysis Behavior at particular website or across.

Network Support For IP Traceback Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Slides originally byTeng.

Privacy Vulnerability of Published Anonymous Mobility Traces Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip (Purdue University) Nageswara S. V. Rao (Oak.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Wireless LANs.

Understand Wireless Security LESSON Security Fundamentals.

Intro. to Telecommunications

OS Fingerprinting and Tethering Detection in Mobile Networks

Introduction Wireless devices offering IP connectivity

Wireless Network Security

Authors – Johannes Krupp, Michael Backes, and Christian Rossow(2016)

De-anonymizing the Internet Using Unreliable IDs By Yinglian Xie, Fang Yu, and Martín Abadi Presented by Peng Cheng 03/22/2017.

Unknown Malware Detection Using Network Traffic Classification

Leveraging Textual Specifications for Grammar-based Fuzzing of Network Protocols Samuel Jero, Maria Leonor Pacheco, Dan Goldwasser, Cristina Nita-Rotaru.

Security Issues with Wireless Protocols

Sofia Pediaditaki and Mahesh Marina University of Edinburgh

Presentation transcript:

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 Presenter: Nan Jiang Most Slides:

2 Motivation: The Mobile Wireless Landscape A well known technical problem –Devices have unique and consistent addresses –e.g., devices have MAC addresses  fingerprinting them is trivial! MAC address now: 00:0E:35:CE:1F:59 MAC address later: 00:0E:35:CE:1F:59 Adversary tcpdump time

3 Motivation: The Mobile Wireless Landscape The widely proposed techical solution –Pseudonyms: Change addresses over time : Gruteser ’05, Hu ’06, Jiang ’07 Bluetooth: Stajano ’05 RFID: Juels ‘04 GSM: already employed MAC address now: 00:0E:35:CE:1F:59 MAC address later: 00:AA:BB:CC:DD:EE tcpdump ? time

4 Motivation: The Mobile Wireless Landscape Our work shows: Pseudonyms are not enough –Implicit identifiers: identifying characteristics of traffic –E.G., most users identified with 90% accuracy in hotspots 00:0E:35:CE:1F:5900:AA:BB:CC:DD:EE tcpdump Search: “Bob’s Home Net” Packets  Intel Server … Search: “Bob’s Home Net” Packets  Intel Server … time

5 Contributions Four Novel Implicit Identifiers Automated Identification Procedure Evaluating Implicit Identifier Accuracy

6 Contributions Four Novel Implicit Identifiers Automated Identification Procedure Evaluating Implicit Identifier Accuracy

7 Implicit Identifiers by Example Implicit identifier: network destinations –IP pairs in network traffic –Some nearly-unique destinations repeatedly visited (e.g., server) SSH/IMAP server: tcpdump ? time SSH/IMAP server: ?

8 Implicit Identifiers by Example Implicit identifier: SSIDs in probes –Set of SSIDs in probe requests –Many drivers search for preferred networks –Usually networks you have associated with before SSID Probe: “roofnet” User of “roofnet” tcpdump ?

9 Implicit Identifiers by Example Implicit identifier: broadcast packet sizes –Set of broadcast packet sizes in network traffic –E.g., Windows machines NetBIOS naming advertisements; FileMaker and Microsoft Office advertise themselves Broadcast pkt sizes: 239, 245, 257 tcpdump ? time Broadcast pkt sizes: 239, 245, 257

10 Implicit Identifiers by Example Implicit identifier: MAC protocol fields –Header bits (e.g., power management., order) –Supported rates –Offered authentication algorithms tcpdump ? time Protocol Fields: 11,4,2,1Mbps, WEP Protocol Fields: 11,4,2,1Mbps, WEP

11 Implicit Identifier Summary Networks: PublicHomeEnterprise Network destinations SSIDs in probes Broadcast pkt sizes MAC protocol fields Visible even with WEP/WPA TKIP encryption More implicit identifiers exist Identifying even if devices have identical drivers

12 Contributions Four Novel Implicit Identifiers Automated Identification Procedure Evaluating Implicit Identifier Accuracy

13 Tracking Users Tracking scenario: –Every users changes pseudonyms every hour –Adversary monitors some locations  One hourly traffic sample from each user in each location ? ? ? tcpdump Build a profile from training samples: First collect some traffic known to be from user X and from random others tcpdump..... ? ? ? Then classify observation samples Traffic at 2-3PM Traffic at 3-4PM Traffic at 4-5PM Traffic at 2-3PM Traffic at 3-4PM Traffic at 4-5PM Traffic at 2-3PM Traffic at 3-4PM Traffic at 4-5PM

14 Sample Classification Algorithm Core question: –Did traffic sample s come from user X? A simple approach: naïve Bayes classifier –Derive probabilistic model from training samples –Given s with features F, answer “yes” if: Pr[ s from user X | s has features F ] > T for a selected threshold T. –F = feature set derived from implicit identifiers

15 Deriving features F from implicit identifiers Set similarity (Jaccard Index), weighted by frequency: IR_Guest SAMPLE FROM OBSERVATION Sample Classification Algorithm linksys djw SIGCOMM_1 PROFILE FROM TRAINING Rare Common w(e) = low w(e) = high

16 Contributions Four Novel Implicit Identifiers Automated Identification Procedure Evaluating Implicit Identifier Accuracy

17 Evaluating Classification Effectiveness Simulate tracking scenario with wireless traces: –Split each trace into training and observation phases –Simulate pseudonym changes for each user X DurationProfiled UsersTotal Users SIGCOMM conf. (2004) 4 days UCSD office building (2006) 1 day Apartment building (2006) 19 days39196

18 Question: Is observation sample s from user X? Evaluation metrics: –True positive rate (TPR) Fraction of user X’s samples classified correctly –False positive rate (FPR) Fraction of other samples classified incorrectly Evaluating Classification Effectiveness Pr[ s from user X | s has features F ] > T

19 Evaluating Classification Effectiveness

20 Results: Individual Feature Accuracy TPR  60% TPR  30% Individual implicit identifiers give evidence of identity 1.0

21 Results: Individual Feature Accuracy Individual implicit identifiers give evidence of identity TPR  50% Other implicit identifiers distinguish groups of users

22 Results: Individual Feature Accuracy Some users more distinguishable than others netdests: ~60% users identified >50% of the time ~20% users identified >90% of the time

23 Results: Multiple Feature Accuracy Users with TPR >50%: Public: 63% Home: 31% Enterprise: 27% We can identify many users in all environments PublicHomeEnterprise netdests ssids bcast fields

24 Results: Multiple Feature Accuracy Some users much more distinguishable than others Public networks: ~20% users identified >90% of the time PublicHomeEnterprise netdests ssids bcast fields

25 Results: Tracking with 90% Accuracy Majority of users can be identified if active long enough Of 268 users (71%): 75% identified with ≤4 samples 50% identified with ≤3 samples 25% identified with ≤2 samples

26 Results: Tracking with 90% Accuracy Many users can be identified in all environments

27 Conclusions Implicit identifiers can accurately identify users –Individual implicit identifiers give evidence of identity –We can identify many users in all environments –Some users much more distinguishable than others Understanding implicit identifiers is important –Pseudonyms are not enough Eliminating them poses research challenges