Presentation is loading. Please wait.

Presentation is loading. Please wait.

MobiCom’13 Jie Xiong and Kyle Jamieson University College London

Published byBrian Washington Modified over 6 years ago

Similar presentations

Presentation on theme: "MobiCom’13 Jie Xiong and Kyle Jamieson University College London"— Presentation transcript:

1 SecureArray: Improving WiFi Security with Fine-Grained Physical-Layer Information
MobiCom’13 Jie Xiong and Kyle Jamieson University College London CSE713 Spring 2017 Presentation Jinghao Shi

2 Target Threat: Active Attacks
Inject packets Denial of service Jam and replay Spoofing Home or Enterprise Network

3 Use Angle-of-Arrival (AoA) information to detect attackers
SecureArray: Key Idea Use Angle-of-Arrival (AoA) information to detect attackers Pretend Legitimate User Attacker

4 Outline How to obtain AoA information?
The SecureArray system How to utilize the AoA information? Integration with RSN Evaluations

5 AoA Primer Ω= 1 2 𝜆𝑠𝑖𝑛𝜃× 2𝜋 𝜆 =𝜋𝑠𝑖𝑛𝜃 𝜃 = arcsin⁡( Ω 𝜋 )
Base band phase difference Ω= 1 2 𝜆𝑠𝑖𝑛𝜃× 2𝜋 𝜆 =𝜋𝑠𝑖𝑛𝜃 𝜃 = arcsin⁡( Ω 𝜋 )

6 AoA Primer (cont’d) 𝜃 = arcsin⁡( Ω 𝜋 ) d𝜃 𝑑Ω = 1 𝜋 2 − Ω 2

7 𝜃−Ω Sensitivity AP Client 𝜃 Attacker AP Client Attacker

8 Random Phase Perturbation
Add random phase perturbation 𝜁 𝑖 to Ω to calculate AoA signature 𝜎 𝑖 𝜃 Repeat 𝐿 times, obtain 𝜎 1 𝜃 ,…, 𝜎 𝐿 (𝜃)

9 Comparing AoA Signatures
M approaches 1 if Peaks align, and Have similar magnitude Binary threshold 𝜂

10 What if Client is Mobile? Channel Coherence Time
𝑇 𝑐 : The time duration over which the wireless channel can be considered unchanging

11 How to Utilize AoA Information? Integration with 802.11 RSN
Three types of attacks Deauthentication deadlock Authenticated spoofing Authentication deadlock

12 Deauthentication Deadlock Attack
802.11X Extensible Authentication Protocol over LANs (EAPOL) Four Way Handshake AP compares AoA of Deauth and EAOPL msg 4 30−59𝜇𝑠

13 Authentication Spoofing Attack
Scenario: attacker has gained access and pretends to be the legitimate user (spoofing) Client sends a challenge frame after overhearing an unexpected Ack.

14 Authentication Deadlock Attack
Auth Req will cause AP to delete the client’s key. AP compares the AoA of Data and Auth Req packet

15 SecureArray Implementation
Rice WARP platform 8 antennas in total

16 Evaluation Questions How to choose 𝜂? (similarity threshold)
How to decide L? (number of random perturbations) How many AP antennas are needed? Distance between client and attacker? Mobile clients?

17 Experiment Setup Indoor office environment (30mx40m) 150 locations
Static and mobile client Various client/attacker distance (3m – 5 cm)

18 Confusion Matrix and Receiver Operating Characteristic (ROC) Curve
ROC Curve: True Positive Rate (TPR) vs. False Positive Rate (FPR) Standard way to show the performance of a binary classifier.

19 Overall ROC Curve Effectiveness of random perturbation L=1
100% detection rate with only 0.67% false alarm rate. L=1

20 Number of random-phase perturbations ( L )
Trade-off between accuracy and overhead L = 5 is sufficient Marginal improvement when L > 5.

21 Detection rate is high even w/ 4 antennas
Number of AP antennas 1% 4.7% 11.3% Detection rate is high even w/ 4 antennas

22 Distance between client and attacker
Miss rate increases to only cm

23 Inter-packet time (Static)
False alarm rate is low even for 2s spacing

24 Inter-packet time (Mobile)
Walk Speed 4km/h Coherence time 12ms

25 Detection Latency 𝑇 1 : time taken for packet detection and samples recording with WARP 1.6us 𝑇 2 : time taken for samples to be transferred to the server 2.56ms 𝑇 3 : time taken for the server to compute the metric and make the decision 10-20ms (L=5) Total latency ~20ms

26 Use Angle-of-Arrival (AoA) information to detect attackers
Summary Use Angle-of-Arrival (AoA) information to detect attackers Attacks Deauthentication deadlock attack Authentication spoofing attack Authentication deadlock attack Prototype implementation on WARP Thorough evaluations Random phase perturbation (L) Attacker distance AP antennas Inter-packet time Pretend Legitimate User Attacker

27 Critique Need extra hardware Can not detect jamming attacks
Multiple antennas at the AP Can not detect jamming attacks

28 References (See Full List in Paper)
M. Eian and S. Mjølsnes. A formal analysis of IEEE w deadlock vulnerabilities. In Proc. of IEEE Infocom,2012. R. Schmidt. Multiple emitter location and signal parameter estimation. IEEE Trans. on Antennas and Propagation, AP-34(3):276–280, Mar M. Eian and S. Mjølsnes. The modeling and comparison of wireless network denial of service attacks N. Anand, S. Lee, and E. Knightly. STROBE: Actively securing wireless communications using zero-forcing beamforming. In Proc. of IEEE Infocom, 2012. E. Aryafar, N. Anand, T. Salonidis, and E. Knightly. Design and experimental evaluation of multi-user beamforming in wireless LANs. In Proc. of ACM MobiCom, 2010. B. Bertka w security: DoS attacks and vulnerability controls. In Proc. of Infocom, D. Faria and D. Cheriton. No long-term secrets: Location based security in overprovisioned wireless LANs. In Proc. Of ACM HotNets, 2004.

Download ppt "MobiCom’13 Jie Xiong and Kyle Jamieson University College London"

Similar presentations

$ Network Support for Wireless Connectivity in the TV Bands Victor Bahl Ranveer Chandra Thomas Moscibroda Srihari Narlanka Yunnan Wu Yuan.

$ Network Support for Wireless Connectivity in the TV Bands Victor Bahl Ranveer Chandra Thomas Moscibroda Srihari Narlanka Yunnan Wu Yuan.
Dept. of computer Science and Information Management

Dept. of computer Science and Information Management
SoNIC: Classifying Interference in 802.15.4 Sensor Networks Frederik Hermans et al. Uppsala University, Sweden IPSN 2013 Presenter: Jeffrey.

SoNIC: Classifying Interference in Sensor Networks Frederik Hermans et al. Uppsala University, Sweden IPSN 2013 Presenter: Jeffrey.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
RainDrop: A Multi-Rate Multi-Channel Wireless LAN Tianbo Kuang Qian Wu Carey Williamson Department of Computer Science University of Calgary.

RainDrop: A Multi-Rate Multi-Channel Wireless LAN Tianbo Kuang Qian Wu Carey Williamson Department of Computer Science University of Calgary.
Advancing Wireless Link Signatures for Location Distinction J. Zhang, M. H. Firooz, N. Patwari, S. K. Kasera MobiCom’ 08 Presenter: Yuan Song.

Advancing Wireless Link Signatures for Location Distinction J. Zhang, M. H. Firooz, N. Patwari, S. K. Kasera MobiCom’ 08 Presenter: Yuan Song.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
1 How to apply Adaptation principle: case study in 802.11.

1 How to apply Adaptation principle: case study in
5-1 Data Link Layer r What is Data Link Layer? r Wireless Networks m Wi-Fi (Wireless LAN) r Comparison with Ethernet.

5-1 Data Link Layer r What is Data Link Layer? r Wireless Networks m Wi-Fi (Wireless LAN) r Comparison with Ethernet.
April 20, 2008Emmett Nicholas ECE 256 1 Drive-by Localization of Roadside WiFi Networks Anand Prabhu Subramanian, Pralhad Deshpande, Jie Gao, Samir R.

April 20, 2008Emmett Nicholas ECE Drive-by Localization of Roadside WiFi Networks Anand Prabhu Subramanian, Pralhad Deshpande, Jie Gao, Samir R.
Thoughts on Biomarker Discovery and Validation Karla Ballman, Ph.D. Division of Biostatistics October 29, 2007.

Thoughts on Biomarker Discovery and Validation Karla Ballman, Ph.D. Division of Biostatistics October 29, 2007.
Practical Performance of MU- MIMO Precoding in Many-Antenna Base Stations Clayton Shepard Narendra Anand Lin Zhong.

Practical Performance of MU- MIMO Precoding in Many-Antenna Base Stations Clayton Shepard Narendra Anand Lin Zhong.
Greenbench: A Benchmark for Observing Power Grid Vulnerability Under Data-Centric Threats Mingkui Wei, Wenye Wang Department of Electrical and Computer.

Greenbench: A Benchmark for Observing Power Grid Vulnerability Under Data-Centric Threats Mingkui Wei, Wenye Wang Department of Electrical and Computer.
Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2

Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2
A measurement study of vehicular internet access using in situ Wi-Fi networks Vladimir Bychkovsky, Bret Hull, Allen Miu, Hari Balakrishnan, and Samuel.

A measurement study of vehicular internet access using in situ Wi-Fi networks Vladimir Bychkovsky, Bret Hull, Allen Miu, Hari Balakrishnan, and Samuel.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Wireless Router LAN Switching and Wireless – Chapter 7.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Wireless Router LAN Switching and Wireless – Chapter 7.
Towards a Scalable and Secure VoIP Infrastructure Towards a Scalable and Secure VoIP Infrastructure Lab for Advanced Networking Systems Director: David.

Towards a Scalable and Secure VoIP Infrastructure Towards a Scalable and Secure VoIP Infrastructure Lab for Advanced Networking Systems Director: David.
Denial of Service (DoS) Attacks in Green Mobile Ad–hoc Networks Ashok M.Kanthe*, Dina Simunic**and Marijan Djurek*** MIPRO 2012, May 21-25,2012, Opatija,

Denial of Service (DoS) Attacks in Green Mobile Ad–hoc Networks Ashok M.Kanthe*, Dina Simunic**and Marijan Djurek*** MIPRO 2012, May 21-25,2012, Opatija,
Project Idea #1 Project: Simulation in NS Learn how to use NS-2 Examine 2-3 papers that do benchmark studies Implement a simulation of the Drexel TAARP.

Project Idea #1 Project: Simulation in NS Learn how to use NS-2 Examine 2-3 papers that do benchmark studies Implement a simulation of the Drexel TAARP.
Shambhu Upadhyaya 1 802.11 Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)

Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)

Similar presentations

Ads by Google