Presentation is loading. Please wait.

Presentation is loading. Please wait.

TBAS: Enhancing Wi-Fi Authentication by Actively Eliciting Channel State Information Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida.

Published byPreston Logan Modified over 7 years ago

Similar presentations

Presentation on theme: "TBAS: Enhancing Wi-Fi Authentication by Actively Eliciting Channel State Information Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida."— Presentation transcript:

1 TBAS: Enhancing Wi-Fi Authentication by Actively Eliciting Channel State Information Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

2 Motivation  Spoofing in Wi-Fi: even a common laptop computer can be configured to send packets with faked identity  Encryption-based protection cannot be relied upon in many cases  users with weak passwords  open networks such as some hotels and coffee shops  A reliable method is needed to detect spoofing without password AP Alice Bob Hi, I am Bob! Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

3 Channel State Information (CSI)  It has been proposed to use Channel State Information (CSI) to identify the user [yang2014] Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

4 Challenge in Using CSI for Authentication The challenge is to obtain the CSI of the legitimate user in time to for comparison The CSI may change If the new CSI is different from the ones in record, is it because the new CSI is from the attacker, or because the CSI changed? When the CSI is needed for comparison, the legitimate user may not be sending any packet depends on user traffic Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

5 Our Approach  Our key idea is to actively elicit the CSI: when the AP received a packet is received from Bob, it sends a probe (a small dummy packet), which will to elicit a response from Bob (the ACK) AP Alice Bob Hi, I am Bob! Not matching!!! Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University Bob’s packet Alice’s packet

6 What if Alice also sends a response?  The two responses will collide, the AP will not receive it and can also determine the previous packet is spoofed AP Alice Bob Hi, I am Bob! Not matching!!! Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University Alice’s packet Collision packet

7 Key Advantages The CSI is collected when needed, and does not depend on user traffic Should achieve better performance Puts the attacker in a delimma No change to the Wi-Fi protocol, because a node will always send an ACK when it receives a packet Improving the security by only upgrading the AP, all user devices in the network can stay the same The Catch The additional overhead of probing However can be managed Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

8 Our Key Contributions The Channel State Check (CSC), which can tell if two packets are from the same sender based on the CSI A simple protocol to reduce the overhead of probing Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

9 Channel State Check (CSC) Problem: Given the CSI vectors from Packet 1 and Packet 2, are Packet 1 and 2 from the same sender? In our context Packet 1 and 2 are received within a short interval, e.g., a few milliseconds Packet 1 has been received correctly, Packet 2 may not Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

10 Channel State Check (CSC) Strawman Solution. Just subtract the two CSI vectors, and compare the squared error with a threshold Problem: The CSI of the legitimate user may change, difficult to select a good threshold value The threshold value should actually be determined by the time interval, the larger the interval, the more difference it should allow Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

11 Channel State Check (CSC) Therefore, the main idea of CSC is to calculate a check curve to be used as the expected CSI of Packet 2: not too far from the CSI in Packet 1 the distance determined by the time interval, allow some drifting best matches the measured CSI in Packet 2 If the CSI in Packet 2 is even far from check curve, something is wrong! Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

12 Channel State Check (CSC) Mathematically, it is to solve an optimization problem of finding a polynomial that : under the constraint that Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

13 Channel State Check (CSC) CSC does two checks: Noise level check: is the noise in Packet 1 and Packet 2 (by comparing with the check curve ) similar? Residual correlation check: is the difference between CSI of Packet 2 and the check curve white noise? Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

14 Channel State Check (CSC) CSC does two checks: Noise level check: is the noise in Packet 1 and Packet 2 (by comparing with the check curve ) similar? Residual correlation check: is the difference between CSI of Packet 2 and the check curve white noise? Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

15 Channel State Check (CSC) CSC does two checks: Noise level check: is the noise in Packet 1 and Packet 2 (by comparing with the check curve ) similar? Residual correlation check: is the difference between CSI of Packet 2 and the check curve white noise? Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

16 Channel State Check (CSC) CSC performance on over 8000 packet pairs The need for two checks is clear Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

17 A Simple Protocol to Limit Overhead Simplest approach based on CSC: Every time a data packet is received 1.send a probe, get the CSI in the probe response 2.run CSC between the CSI in the data packet and the probe response, reject or accept the data packet depending on the decision of CSC Problem is high overhead Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

18 A Simple Protocol to Limit Overhead The main idea is to store the last accepted packet as history. When a new packet is received, 1.Run CSC between the new packet and the history 2.Depending on CSC: a.If passes, accepted the new packet, update history b.If fails, clear history, send probe, run CSC between the new packet and the probe response 3.Periodically clear the history Why it works in most cases when there is no attacker If the user has a high traffic, history is almost always fresh, and usually no need to send probe If the user has low traffic, sending a probe for each packet is fine Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

19 Evaluation  We have verified the approach using Software-Defined Radio, achieving False Positive and False Negative ratios of around 0.1% Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

20 Evaluation Compared with a recent work “Practical User Authentication Leveraging Channel State Information” in ASIACCS 2014, referred to as SVM Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

21 False Positive Under various traffic load (HT, MT, or LT) transmission power (high or low) Channel mobility (stationary or mobile channel) Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

22 False Positive TBAS always has low FP ratios of around 0.001 or lower SVM sometimes has high FP ratio, like 0.1 Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

23 Overhead Measured by the fraction of time used by probe and probe response All around 0.001 or lower Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

24 False Positive with Delayed Response Configure the program to use the response of the next probe as that for this probe Longer delays between the data packet and the probe response, around 15 ms or more, testing TBAS under extreme conditions Still around 0.01 or lower, mobile channels affected more Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

25 False Negative Attacker sends the data packet, and has two strategies: Strategy 0: When a probe is received, do not respond Strategy 1: When a probe is received, respond Varying the transmission powers of the user and the attacker Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

26 False Negative TBAS has very low FN ratios, i.e., in the order 0.001 or below in all cases. SVM sometimes has higher FN ratios, such as around 0.26, in one of the cases. Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

27 Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Download ppt "TBAS: Enhancing Wi-Fi Authentication by Actively Eliciting Channel State Information Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida."

Similar presentations

Nick Feamster CS 4251 Computer Networking II Spring 2008

Nick Feamster CS 4251 Computer Networking II Spring 2008
IEEE INFOCOM 2004 MultiNet: Connecting to Multiple IEEE 802.11 Networks Using a Single Wireless Card.

IEEE INFOCOM 2004 MultiNet: Connecting to Multiple IEEE Networks Using a Single Wireless Card.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.
Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.

Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.

Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
802.11n MAC layer simulation Submitted by: Niv Tokman Aya Mire Oren Gur-Arie.

802.11n MAC layer simulation Submitted by: Niv Tokman Aya Mire Oren Gur-Arie.
Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan ˇCapkun Department of Computer Science, ETH Zurich Attacks on Public WLAN-based.

Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan ˇCapkun Department of Computer Science, ETH Zurich Attacks on Public WLAN-based.
Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.

Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.
Internetworking Devices that connect networks are called Internetworking devices. A segment is a network which does not contain Internetworking devices.

Internetworking Devices that connect networks are called Internetworking devices. A segment is a network which does not contain Internetworking devices.
5-1 Data Link Layer r What is Data Link Layer? r Wireless Networks m Wi-Fi (Wireless LAN) r Comparison with Ethernet.

5-1 Data Link Layer r What is Data Link Layer? r Wireless Networks m Wi-Fi (Wireless LAN) r Comparison with Ethernet.
MAC Layer Protocols for Sensor Networks Leonardo Leiria Fernandes.

MAC Layer Protocols for Sensor Networks Leonardo Leiria Fernandes.
Basic Concepts of Computer Networks

Basic Concepts of Computer Networks
Wireless Medium Access. Multi-transmitter Interference Problem  Similar to multi-path or noise  Two transmitting stations will constructively/destructively.

Wireless Medium Access. Multi-transmitter Interference Problem  Similar to multi-path or noise  Two transmitting stations will constructively/destructively.
Securing Every Bit: Authenticated Broadcast in Wireless Networks Dan Alistarh, Seth Gilbert, Rachid Guerraoui, Zarko Milosevic, and Calvin Newport.

Securing Every Bit: Authenticated Broadcast in Wireless Networks Dan Alistarh, Seth Gilbert, Rachid Guerraoui, Zarko Milosevic, and Calvin Newport.
A survey of Routing Attacks in Mobile Ad Hoc Networks Bounpadith Kannhavong, Hidehisa Nakayama, Yoshiaki Nemoto, Nei Kato, and Abbas Jamalipour Presented.

A survey of Routing Attacks in Mobile Ad Hoc Networks Bounpadith Kannhavong, Hidehisa Nakayama, Yoshiaki Nemoto, Nei Kato, and Abbas Jamalipour Presented.
CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.

CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.
Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.

Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.

Similar presentations

Ads by Google