MAC addresses can be easily spoofed in 802.11 wireless LANs. An adversary can exploit this vulnerability to launch a large number of attacks. For example, an attacker may masquerade as a legitimate access point to disrupt network services or to advertise false services, tricking nearby wireless stations. On the other hand, the received signal strength (RSS) is a measurement that is hard to forge arbitrarily and it is highly correlated to the transmitter's location. Assuming the attacker and the victim are separated by a reasonable distance, RSS can be used to differentiate them to detect MAC spoofing, as recently proposed by several researchers. By analyzing the RSS pattern of typical 802.11 transmitters in a 3-floor building covered by 20 air monitors, we observed that the RSS readings followed a mixture of multiple Gaussian distributions. We discovered that this phenomenon was mainly due to antenna diversity, a widely-adopted technique to improve the stability and robustness of wireless connectivity. This observation renders existing approaches ineffective because they assume a single RSS source. We propose an approach based on Gaussian mixture models, building RSS profiles for spoofing detection. Experiments on the same testbed show that our method is robust against antenna diversity and significantly outperforms existing approaches. At a 3% false positive rate, we detect 73.4%, 89.6% and 97.8% of attacks using the three proposed algorithms, based on local statistics of a single AM, combining local results from AMs, and global multi-AM detection, respectively.
[1]
R. Redner,et al.
Mixture densities, maximum likelihood, and the EM algorithm
,
1984
.
[2]
Douglas C. Madory,et al.
New Methods of Spoof Detection in 802.11b Wireless Networking
,
2006
.
[3]
Kostas E. Bekris,et al.
Robotics-Based Location Sensing Using Wireless Ethernet
,
2002,
MobiCom '02.
[4]
Tzi-cker Chiueh,et al.
Sequence Number-Based MAC Address Spoof Detection
,
2005,
RAID.
[5]
D. Grunwald,et al.
SoftMAC – Flexible Wireless Research Platform
,
2005
.
[6]
Richard P. Martin,et al.
Detecting and Localizing Wireless Spoofing Attacks
,
2007,
2007 4th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks.
[7]
David R. Cheriton,et al.
Detecting identity-based attacks in wireless networks using signalprints
,
2006,
WiSe '06.
[8]
Stefan Savage,et al.
802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
,
2003,
USENIX Security Symposium.
[9]
Joshua Wright,et al.
Detecting Wireless LAN MAC Address Spoofing
,
2003
.