Passive classification of wireless NICs during active scanning

Computer networks have become increasingly ubiquitous. However, with the increase in networked applications, there has also been an increase in difficulty to manage and secure these networks. The proliferation of 802.11 wireless networks has heightened this problem by extending networks beyond physical boundaries. We present a statistical analysis and propose the use of spectral analysis to identify the type of wireless network interface card (NIC). This mechanism can be applied to support the detection of unauthorized systems that use NICs that are different from that of a legitimate system. We focus on active scanning, a vaguely specified mechanism required by the 802.11 standard that is implemented in the hardware and software of the wireless NIC. We show that the implementation of this function influences the transmission patterns of a wireless stream that are observable through traffic analysis. Our mechanism for NIC identification uses signal processing to analyze the periodicity embedded in the wireless traffic caused by active scanning. A stable spectral profile is created from the periodic components of the traffic and used for the identity of the wireless NIC. We show that we can distinguish between NICs manufactured by different vendors, with zero false positives, using the spectral profile. Finally, we infer where, in the NIC, the active scanning algorithm is implemented.

[1]  Michel Barbeau,et al.  Enhancing intrusion detection in wireless networks using radio frequency fingerprinting , 2004, Communications, Internet, and Information Technology.

[2]  H. T. Kung,et al.  Use of spectral analysis in defense against DoS attacks , 2002, Global Telecommunications Conference, 2002. GLOBECOM '02. IEEE.

[3]  Rajesh Krishnan,et al.  Using signal processing to analyze wireless data traffic , 2002, WiSE '02.

[4]  M. A. Yoder,et al.  Signal Processing First , 2003 .

[5]  Joshua Wright,et al.  Detecting Wireless LAN MAC Address Spoofing , 2003 .

[6]  Michel Barbeau,et al.  DETECTION OF TRANSIENT IN RADIO FREQUENCY FINGERPRINTING USING SIGNAL PHASE , 2003 .

[7]  Alan V. Oppenheim,et al.  Discrete-time Signal Processing. Vol.2 , 2001 .

[8]  T. Kohno,et al.  Remote physical device fingerprinting , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[9]  Raheem A. Beyah,et al.  A Passive Approach to Wireless NIC Identification , 2006, 2006 IEEE International Conference on Communications.

[10]  Chad Sullivan Cisco Security Agent , 2005 .

[11]  Alefiya Hussain,et al.  Identification of Repeated Attacks Using Network Traffic Forensics , 2003 .

[12]  William A. Arbaugh,et al.  An empirical analysis of the IEEE 802.11 MAC layer handoff process , 2003, CCRV.

[13]  Stefan Savage,et al.  SyncScan: practical fast handoff for 802.11 infrastructure networks , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..