Host identification today can be done at many layers of the network protocol stack, depending on the identifiable parameter used for classification. These parameters generally include fields from TCP/IP/MAC packets, which can be spoofed or manipulated very easily to misguide the identification process or to introduce intolerable error into it. Identification on wireless networks can be done with better precision by using physical-layer, machine-dependent characteristics. We provide an empirical study of another such parameter, the host's clock information, that may lead to accurate identification of a host, among other applications. It is resistant to the spoofing methods mentioned earlier, as clock information is very specific to the oscillator that generates it. We simplify the measurement technique of an already investigated approach to remote identification in order to achieve lower error rates. We also provide a detailed study of clock skew behavior on a LAN consisting of wired and wireless nodes and modern mobile and hand-held devices. To our knowledge, this work is the first in the mobile and hand-held device domain to identify such devices definitively. Clock-skew-based host identification can be put to many applications, which may be specific to each enterprise network: for instance, aiding the network administrator in monitoring the network, serving as a malicious-activity flagging mechanism for IDSs/IPSs, isolating unknown or new machines, keeping count of the number of active machines at any time for purposes such as IP address allocation, associating virtual machines with their corresponding physical machines, and so on.
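The following added example (not code from the paper) illustrates the idea of using clock skew as a host fingerprint: it estimates a remote clock's skew from timestamp observations and compares it with enrolled values. The least-squares fit, the function names, the tolerance, the enrolled skews and the sample trace are all assumptions constructed for illustration; the paper's own measurement technique is not described on this page.

```python
# Added illustration: clock skew as a host fingerprint.
# Names, tolerance and sample data are constructed assumptions.

def estimate_skew_ppm(samples):
    """samples: list of (local_rx_seconds, remote_timestamp_seconds).
    Returns the least-squares slope of clock offset vs. elapsed time, in ppm."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0, r0 = samples[0]
    xs = [t - t0 for t, _ in samples]                # elapsed local time
    ys = [(r - r0) - (t - t0) for t, r in samples]   # observed offset drift
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples span no time")
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6

def identify(samples, enrolled, tolerance_ppm=1.0):
    """Return (skew_ppm, closest enrolled host, or None if outside tolerance).
    A None result is what a monitor would flag as an unknown or new machine."""
    skew = estimate_skew_ppm(samples)
    name, ref = min(enrolled.items(), key=lambda kv: abs(kv[1] - skew))
    return skew, (name if abs(ref - skew) <= tolerance_ppm else None)

def make_samples(skew_ppm, count=600, interval=1.0):
    """Constructed trace: a remote clock drifting at skew_ppm, with bounded
    deterministic jitter standing in for network delay variation."""
    out = []
    for i in range(count):
        t = 1000.0 + i * interval
        jitter = ((i * 37) % 11 - 5) * 1e-5          # within +/- 50 microseconds
        out.append((t, 5000.0 + (t - 1000.0) * (1 + skew_ppm * 1e-6) + jitter))
    return out

if __name__ == "__main__":
    enrolled = {"laptop-a": 48.2, "phone-b": -12.5}  # constructed fingerprints (ppm)
    for true_skew in (48.0, 20.0):
        skew, host = identify(make_samples(true_skew), enrolled)
        print(f"measured {skew:.2f} ppm -> {host or 'unknown host'}")
```

Jitter of tens of microseconds barely moves the estimate because the fit averages over ten minutes of samples; shorter traces or heavier delay variation widen the error and call for a larger tolerance.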