SpringerBriefs in Computer Science SeriesEditors StanZdonik ComputerScienceDepartment,BrownUniversity,Providence,RhodeIsland,USA ShashiShekhar University of Minnesota Dept. Computer Science & Engineering, Minneapolis, Minnesota,USA JonathanKatz Dept.ComputerScience,UniversityofMaryland,CollegePark,Maryland,USA XindongWu Universityof VermontDept.ComputerScience,Burlington,Vermont,USA LakhmiC.Jain School of Electrical and Information Engineering, University of SouthAustralia, Adelaide,SouthAustralia,Australia DavidPadua University of Illinois Urbana-Champaign Siebel Center for Computer Science, Urbana,Illinois,USA Xuemin(Sherman)Shen Department of Electronic and Computer Engineering, University of Waterloo, Waterloo,Ontario,Canada BorkoFurht FloridaAtlanticUniversityDept.of ComputerScience&Engineering,BocaRaton, Florida,USA V.S.Subrahmanian Computer Science Department, University of Maryland, College Park, Maryland, USA MartialHebert CarnegieMellonUniversity,Pittsburgh,Pennsylvania,USA KatsushiIkeuchi Universityof TokyoInst.IndustrialScience,Tokyo,Japan BrunoSiciliano DipartimentodiIngegneriaElettricaeT,Universita` diNapoliFedericoII,Napoli, Napoli,Italy SushilJajodia GeorgeMasonUniversity,Fairfax,Virginia,USA Moreinformationaboutthisseriesathttp://www.springer.com/series/10028 JieYang • Yingying Chen (cid:129) Wade Trappe Jerry Cheng Pervasive Wireless Environments: Detecting and Localizing User Spoofing 2123 JieYang WadeTrappe DepartmentofComputerScienceandEngineering WirelessInformationNetworkLab OaklandUniversity Rutgers,TheStateUniversity Rochester ofNewJersey Michigan NorthBrunswick USA NewJersey,USA YingyingChen JerryCheng DepartmentElectrical&ComputerEngineering Rutgers,TheStateUniversity StevensInstituteofTechnology ofNewJersey Hoboken NewBrunswick NewJersey NewJersey USA USA ISSN2191-5768 ISSN2191-5776(electronic) ISBN978-3-319-07355-2 ISBN978-3-319-07356-9(eBook) DOI10.1007/978-3-319-07356-9 SpringerChamHeidelbergNewYorkDordrechtLondon LibraryofCongressControlNumber:2014940861 © TheAuthor(s)2014 Thisworkissubjecttocopyright.AllrightsarereservedbythePublisher,whetherthewholeorpartofthe materialisconcerned,specificallytherightsoftranslation,reprinting,reuseofillustrations,recitation, broadcasting,reproductiononmicrofilmsorinanyotherphysicalway,andtransmissionorinformation storageandretrieval,electronicadaptation,computersoftware,orbysimilarordissimilarmethodology nowknownorhereafterdeveloped.Exemptedfromthislegalreservationarebriefexcerptsinconnection withreviewsorscholarlyanalysisormaterialsuppliedspecificallyforthepurposeofbeingenteredand executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publicationorpartsthereofispermittedonlyundertheprovisionsoftheCopyrightLawofthePublisher’s location,initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Permissions forusemaybeobtainedthroughRightsLinkattheCopyrightClearanceCenter.Violationsareliableto prosecutionundertherespectiveCopyrightLaw. Theuseofgeneraldescriptivenames,registerednames,trademarks,servicemarks,etc.inthispublication doesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevant protectivelawsandregulationsandthereforefreeforgeneraluse. Whiletheadviceandinformationinthisbookarebelievedtobetrueandaccurateatthedateofpublication, neithertheauthorsnortheeditorsnorthepublishercanacceptanylegalresponsibilityforanyerrorsor omissionsthatmaybemade.Thepublishermakesnowarranty,expressorimplied,withrespecttothe materialcontainedherein. Printedonacid-freepaper SpringerispartofSpringerScience+BusinessMedia(www.springer.com) Preface Asmorewirelessandsensornetworksaredeployed,informationprovidedandshared bywirelesssystemshasbecomeaninseparablepartofoursocialfabric. However, wireless security is often cited as a major technical barrier that must be overcome before widespread adoption of wireless information systems. Due to the shared nature of the wireless medium, adversaries can gather useful identity information during passive monitoring and further utilize the identity information to perform user spoofing. During an user spoofing attack, an adversary can forge its identity tomasqueradeasanotherdevice, orevencreatesmultipleillegitimateidentitiesin the networks. For instance, inWi-Fi network, it is easy for an attacker to modify itsMACaddressofnetworkinterfacecard(NIC)toanotherdevicethroughvendor- suppliedNICdriversoropen-sourceNICdrivers. Inaddition, bymasqueradingas anauthorizedwirelessaccesspointorasanauthorizedclient,anattackercanlaunch denial of service attacks, bypass access control mechanisms, or falsely advertise servicestowirelessclients. Attacksoriginatedfromuserspoofingwillhaveaseriousimpactonthesuccess- fuldeploymentofpervasivewirelessenvironments.Itisthusdesirabletodetectthe presence of user spoofing and eliminate it from the network. The traditional ap- proachtopreventuserspoofingistoapplycryptographicauthentication.However, authenticationrequiresadditionalkeymanagementinfrastructuraloverheadandex- tracomputationalpowerassociatedwithdistributing,andmaintainingcryptographic keys.Duetothelimitedpowerandresourcesavailableonthewirelessdevicesand the dynamics introduced by the node mobility, it is not always possible to deploy authentication.Thisbookprovidesadifferentapproachbyusingthephysicalprop- ertiesassociatedwithwirelesstransmissionstodetectthepresenceofuserspoofing. Thebookbeginsbyintroducinguserspoofinginwirelessnetworks,presentingthe motivationofthebookandsummarizingourcontributionsofthebook.Afterthat, wediscussthefeasibilityoflaunchinguserspoofingattacksandtheirimpactonthe pervasivewirelessenvironmentsinChap.2.InChap.3,wedescribetheattackde- tectionmodelthatexploitsthespatialcorrelationofReceivedSignalStrength(RSS) inherited from wireless devices as a foundation. This chapter further presents the performanceevaluationofthespoofingattackdetectionmodelthroughexperiments in practical environments. In Chap. 4, we deal with the situation when multiple v vi Preface spoofing attackers are present. We develop a statistical approach to determine the number of attackers, and further show how to localize these adversaries. Both the attacker number determination and adversaries localization methods are evaluated thoughtwowirelesstestbedsincludingbothWi-FiandZigbeenetworks.InChap.5, westudyuserspoofingundermobilewirelessnetworks. Formanypeople, mobile devicesarebecomingthefavoredportaltotheironlinesociallives.Thus,theiden- tityfraudconductedbymaliciousmobileagentswillhavedetrimentalimpactonthe successfuldeploymentofmobilepervasiveapplications.WedeveloptheDEMOTE system, whichexploitsthecorrelationwithintheRSStracebasedoneachdevices identity to detect mobile attackers in Chap. 5. The DEMOTE system is evaluated in an office environment in bothWi-Fi and Zigbee networks. In Chap. 6, we pro- videanoverviewofthestate-of-the-artresearch.Finally,theconclusionsandfuture directionsarepresentedinChap.7. Contents 1 Introduction................................................... 1 1.1 BackgroundandMotivation.................................. 1 1.2 Contributions .............................................. 2 1.3 OutlineoftheBook......................................... 3 References ..................................................... 4 2 FeasibilityofLaunchingUserSpoofing ........................... 5 References ..................................................... 6 3 AttackDetectionModel ......................................... 7 3.1 FormulationofAttackDetection .............................. 8 3.2 TheoreticalAnalysisoftheSpatialCorrelationofRSS............ 8 3.3 DetectionPhilosophy ....................................... 11 3.4 ExperimentalMethodology .................................. 13 3.4.1 ExperimentalSetup .................................. 13 3.4.2 Metrics............................................. 14 3.5 PerformanceEvaluation ..................................... 16 3.5.1 ImpactofThresholdandSamplingNumber .............. 16 3.5.2 HandlingDifferentTransmissionPowerLevels ........... 16 3.5.3 PerformanceofDetection ............................. 19 3.5.4 Impact of Distance Between the Spoofing Node and the OriginalNode ...................................... 19 3.6 Summary ................................................. 21 References ..................................................... 21 4 DetectionandLocalizingMultipleSpoofingAttackers .............. 23 4.1 ProblemFormulation ....................................... 24 4.2 AttackerNumberDetermination .............................. 25 4.2.1 SilhouettePlot....................................... 25 4.2.2 SystemEvolution .................................... 27 4.2.3 TheSILENCEMechanism ............................ 29 4.2.4 SupportVectorMachinesBasedMechanism.............. 33 vii viii Contents 4.3 LocalizingAdversaries ...................................... 35 4.3.1 Framework.......................................... 35 4.3.2 Algorithms.......................................... 36 4.3.3 ExperimentalEvaluation .............................. 40 4.4 Summary ................................................. 40 References ..................................................... 41 5 DetectingMobileAgentsUsingIdentityFraud..................... 43 5.1 Motivation ................................................ 43 5.2 DetectionSystemApproach.................................. 44 5.2.1 AttackModel........................................ 44 5.2.2 DEMOTESystemOverview ........................... 44 5.2.3 RSSPartitioning ..................................... 45 5.2.4 TraceReconstruction ................................. 49 5.2.5 CorrelationCoefficientCalculation ..................... 50 5.3 ExperimentalEvaluation .................................... 53 5.3.1 ExperimentalMethodology............................ 53 5.3.2 DetectioninSignalSpace ............................. 55 5.3.3 DetectioninPhysicalSpace............................ 61 5.4 Summary ................................................. 64 References ..................................................... 65 6 RelatedWork.................................................. 67 References ..................................................... 68 7 ConclusionsandFutureWork ................................... 71 Chapter 1 Introduction 1.1 BackgroundandMotivation AscomputingandnetworkingshiftfromthestaticmodelofthewiredInternetto- wardthenewandexcitinganytime-anywhereservicemodelofthemobileInternet, informationwillbegatheredbywirelessdevicesandmadeavailabletomobileusers to consume or process on-the-go. However, wireless security is often cited as a majortechnicalbarrierthatmustbeovercomebeforewidespreadadoptionofsuch wirelessinformationsystemstosupportabroadarrayofpervasiveapplicationsin- cludingemergencyrescueandrecovery,assetmonitoringandtracking,mobilesocial networks,smarthealthcare,andbattlefieldprotection. Duetotheopennessofthewirelesstransmissionmedium,adversariescanmonitor anytransmission.Further,adversariescaneasilypurchaselow-costwirelessdevices and use these commonly-available platforms to launch a variety of attacks with little effort. Among various types of attacks, identity-based spoofing attacks are especiallyeasytolaunchandcancausesignificantdamagetonetworkperformance. Forinstance,inan802.11network,itiseasyforanattackertogatherusefulMAC address information during passive monitoring and then modify its MAC address by simply issuing an ifconfig command to masquerade as another device. In spite ofexisting802.11securitytechniquesincludingWiredEquivalentPrivacy(WEP), Wi-Fi Protected Access (WPA), or 802.11i (WPA2), such methodology can only protect data frames-an attacker can still spoof management or control frames to causesignificantimpactonnetworks. Spoofingattackscanfurtherfacilitateavarietyoftrafficinjectionattacks[1,2], such as attacks on access control lists, rogue access point attacks, and eventually Denial-of-Service (DoS) attacks. A broad survey of possible spoofing attacks can be found in [3, 4]. Moreover, in a large-scale network, multiple adversaries may masqueradeasthesameidentityandcollaboratetolaunchmaliciousattackssuchas networkresourceutilizationattackanddenial-of-serviceattackquickly.Therefore,it isimportantto(1)detectthepresenceofspoofingattacks,(2)determinethenumber ofattackers,and(3)localizemultipleadversariesandeliminatethem. Furthermore, for many people mobile devices are becoming the favored portal to their online social lives. People are using their phones to read news, publish J.Yangetal.,PervasiveWirelessEnvironments:DetectingandLocalizingUserSpoofing, 1 SpringerBriefsinComputerScience,DOI10.1007/978-3-319-07356-9_1, ©TheAuthor(s)2014