Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 Presenter: Nan Jiang Most Slides:

Published byDana Garrison Modified over 8 years ago

Similar presentations

Presentation on theme: "1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 Presenter: Nan Jiang Most Slides:"— Presentation transcript:

1 1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 Presenter: Nan Jiang Most Slides: www.cs.cmu.edu/~jeffpang/talks/20070912_mobicom07_fp.ppt

2 2 Motivation: The Mobile Wireless Landscape A well known technical problem –Devices have unique and consistent addresses –e.g., 802.11 devices have MAC addresses  fingerprinting them is trivial! MAC address now: 00:0E:35:CE:1F:59 MAC address later: 00:0E:35:CE:1F:59 Adversary tcpdump time

3 3 Motivation: The Mobile Wireless Landscape The widely proposed techical solution –Pseudonyms: Change addresses over time 802.11: Gruteser ’05, Hu ’06, Jiang ’07 Bluetooth: Stajano ’05 RFID: Juels ‘04 GSM: already employed MAC address now: 00:0E:35:CE:1F:59 MAC address later: 00:AA:BB:CC:DD:EE tcpdump ? time

4 4 Motivation: The Mobile Wireless Landscape Our work shows: Pseudonyms are not enough –Implicit identifiers: identifying characteristics of traffic –E.G., most users identified with 90% accuracy in hotspots 00:0E:35:CE:1F:5900:AA:BB:CC:DD:EE tcpdump Search: “Bob’s Home Net” Packets  Intel Email Server … Search: “Bob’s Home Net” Packets  Intel Email Server … time

5 5 Contributions Four Novel 802.11 Implicit Identifiers Automated Identification Procedure Evaluating Implicit Identifier Accuracy

6 6 Contributions Four Novel 802.11 Implicit Identifiers Automated Identification Procedure Evaluating Implicit Identifier Accuracy

7 7 Implicit Identifiers by Example Implicit identifier: network destinations –IP pairs in network traffic –Some nearly-unique destinations repeatedly visited (e.g., email server) SSH/IMAP server: 159.16.40.45 tcpdump ? time SSH/IMAP server: 159.16.40.45 ?

8 8 Implicit Identifiers by Example Implicit identifier: SSIDs in probes –Set of SSIDs in 802.11 probe requests –Many 802.11 drivers search for preferred networks –Usually networks you have associated with before SSID Probe: “roofnet” User of “roofnet” tcpdump ?

9 9 Implicit Identifiers by Example Implicit identifier: broadcast packet sizes –Set of 802.11 broadcast packet sizes in network traffic –E.g., Windows machines NetBIOS naming advertisements; FileMaker and Microsoft Office advertise themselves Broadcast pkt sizes: 239, 245, 257 tcpdump ? time Broadcast pkt sizes: 239, 245, 257

10 10 Implicit Identifiers by Example Implicit identifier: MAC protocol fields –Header bits (e.g., power management., order) –Supported rates –Offered authentication algorithms tcpdump ? time Protocol Fields: 11,4,2,1Mbps, WEP Protocol Fields: 11,4,2,1Mbps, WEP

11 11 Implicit Identifier Summary 802.11 Networks: PublicHomeEnterprise Network destinations SSIDs in probes Broadcast pkt sizes MAC protocol fields Visible even with WEP/WPA TKIP encryption More implicit identifiers exist Identifying even if devices have identical drivers

12 12 Contributions Four Novel 802.11 Implicit Identifiers Automated Identification Procedure Evaluating Implicit Identifier Accuracy

13 13 Tracking 802.11 Users Tracking scenario: –Every users changes pseudonyms every hour –Adversary monitors some locations  One hourly traffic sample from each user in each location ? ? ? tcpdump Build a profile from training samples: First collect some traffic known to be from user X and from random others tcpdump..... ? ? ? Then classify observation samples Traffic at 2-3PM Traffic at 3-4PM Traffic at 4-5PM Traffic at 2-3PM Traffic at 3-4PM Traffic at 4-5PM Traffic at 2-3PM Traffic at 3-4PM Traffic at 4-5PM

14 14 Sample Classification Algorithm Core question: –Did traffic sample s come from user X? A simple approach: naïve Bayes classifier –Derive probabilistic model from training samples –Given s with features F, answer “yes” if: Pr[ s from user X | s has features F ] > T for a selected threshold T. –F = feature set derived from implicit identifiers

15 15 Deriving features F from implicit identifiers Set similarity (Jaccard Index), weighted by frequency: IR_Guest SAMPLE FROM OBSERVATION Sample Classification Algorithm linksys djw SIGCOMM_1 PROFILE FROM TRAINING Rare Common w(e) = low w(e) = high

16 16 Contributions Four Novel 802.11 Implicit Identifiers Automated Identification Procedure Evaluating Implicit Identifier Accuracy

17 17 Evaluating Classification Effectiveness Simulate tracking scenario with wireless traces: –Split each trace into training and observation phases –Simulate pseudonym changes for each user X DurationProfiled UsersTotal Users SIGCOMM conf. (2004) 4 days377465 UCSD office building (2006) 1 day153615 Apartment building (2006) 19 days39196

18 18 Question: Is observation sample s from user X? Evaluation metrics: –True positive rate (TPR) Fraction of user X’s samples classified correctly –False positive rate (FPR) Fraction of other samples classified incorrectly Evaluating Classification Effectiveness Pr[ s from user X | s has features F ] > T

19 19 Evaluating Classification Effectiveness

20 20 Results: Individual Feature Accuracy TPR  60% TPR  30% Individual implicit identifiers give evidence of identity 1.0

21 21 Results: Individual Feature Accuracy Individual implicit identifiers give evidence of identity TPR  50% Other implicit identifiers distinguish groups of users

22 22 Results: Individual Feature Accuracy Some users more distinguishable than others netdests: ~60% users identified >50% of the time ~20% users identified >90% of the time

23 23 Results: Multiple Feature Accuracy Users with TPR >50%: Public: 63% Home: 31% Enterprise: 27% We can identify many users in all environments PublicHomeEnterprise netdests ssids bcast fields

24 24 Results: Multiple Feature Accuracy Some users much more distinguishable than others Public networks: ~20% users identified >90% of the time PublicHomeEnterprise netdests ssids bcast fields

25 25 Results: Tracking with 90% Accuracy Majority of users can be identified if active long enough Of 268 users (71%): 75% identified with ≤4 samples 50% identified with ≤3 samples 25% identified with ≤2 samples

26 26 Results: Tracking with 90% Accuracy Many users can be identified in all environments

27 27 Conclusions Implicit identifiers can accurately identify users –Individual implicit identifiers give evidence of identity –We can identify many users in all environments –Some users much more distinguishable than others Understanding implicit identifiers is important –Pseudonyms are not enough Eliminating them poses research challenges

Download ppt "1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 Presenter: Nan Jiang Most Slides:"

Similar presentations

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.
SoNIC: Classifying Interference in 802.15.4 Sensor Networks Frederik Hermans et al. Uppsala University, Sweden IPSN 2013 Presenter: Jeffrey.

SoNIC: Classifying Interference in Sensor Networks Frederik Hermans et al. Uppsala University, Sweden IPSN 2013 Presenter: Jeffrey.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.
1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.

1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.
1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.
60 GHz Flyways: Adding multi-Gbps wireless links to data centers

60 GHz Flyways: Adding multi-Gbps wireless links to data centers
Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.

Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.
1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.

1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.
1 Wireless LAN Security Presented by Vikrant Karan.

1 Wireless LAN Security Presented by Vikrant Karan.
1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.
802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.

User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.
WiFi-Reports: Improving Wireless Network Selection Jeffrey Pang (CMU) with Ben Greenstein (IRS) Michael Kaminsky (IRP) Damon McCoy (U. Colorado) Srinivasan.

WiFi-Reports: Improving Wireless Network Selection Jeffrey Pang (CMU) with Ben Greenstein (IRS) Michael Kaminsky (IRP) Damon McCoy (U. Colorado) Srinivasan.
802.11 User Fingerprinting MobiCom 2007 (Sept 9-14 2007 Montreal, Quebec, Canada)

User Fingerprinting MobiCom 2007 (Sept Montreal, Quebec, Canada)
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Similar presentations

Ads by Google