TBAS: Enhancing Wi-Fi Authentication by Actively Eliciting Channel State Information Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 4251 Computer Networking II Spring 2008
Advertisements

IEEE INFOCOM 2004 MultiNet: Connecting to Multiple IEEE Networks Using a Single Wireless Card.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.
Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.
Digital Signatures and Hash Functions. Digital Signatures.
Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
802.11n MAC layer simulation Submitted by: Niv Tokman Aya Mire Oren Gur-Arie.
Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan ˇCapkun Department of Computer Science, ETH Zurich Attacks on Public WLAN-based.
Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.
Internetworking Devices that connect networks are called Internetworking devices. A segment is a network which does not contain Internetworking devices.
5-1 Data Link Layer r What is Data Link Layer? r Wireless Networks m Wi-Fi (Wireless LAN) r Comparison with Ethernet.
MAC Layer Protocols for Sensor Networks Leonardo Leiria Fernandes.
Basic Concepts of Computer Networks
Wireless Medium Access. Multi-transmitter Interference Problem  Similar to multi-path or noise  Two transmitting stations will constructively/destructively.
Securing Every Bit: Authenticated Broadcast in Wireless Networks Dan Alistarh, Seth Gilbert, Rachid Guerraoui, Zarko Milosevic, and Calvin Newport.
A survey of Routing Attacks in Mobile Ad Hoc Networks Bounpadith Kannhavong, Hidehisa Nakayama, Yoshiaki Nemoto, Nei Kato, and Abbas Jamalipour Presented.
CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.
Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.
Medium Access Control in Wireless networks
Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
Denial of Convenience Attack to Smartphones Using a Fake Wi-Fi Access Point Erich Dondyk, Cliff C. Zou University of Central Florida.
PROJECT DOMAIN : NETWORK SECURITY Project Members : M.Ananda Vadivelan & E.Kalaivanan Department of Computer Science.
1 Wireless Networking Understanding the departure from wired networks, Case study: IEEE (WiFi)
Presented by Edith Ngai MPhil Term 3 Presentation
Media Access Methods MAC Functionality CSMA/CA with ACK
Outline The basic authentication problem
Please take out the homework - viewing sheet fro the movie
MobiCom’13 Jie Xiong and Kyle Jamieson University College London
Jamming for good: a fresh approach to authentic communication in WSNs
CS408/533 Computer Networks Text: William Stallings Data and Computer Communications, 6th edition Chapter 1 - Introduction.
Satellite TCP Lecture 19 04/10/02.
Chapter 21 More About Tests.
Basics of Intrusion Detection
CHAPTER 9 Testing a Claim
PPP PROTOCOL The First semester
Outline Introduction Characteristics of intrusion detection systems
Location Cloaking for Location Safety Protection of Ad Hoc Networks
ODMRP Enhancement.
Packetizing Error Detection
L2Relay: a Layer 2 Wi-Fi Packet Relay Protocol
Presenter: Xudong Zhu Authors: Xudong Zhu, etc.
Packetizing Error Detection
High Throughput Route Selection in Multi-Rate Ad Hoc Wireless Networks
Goal Control the amount of traffic in the network
mEEC: A Novel Error Estimation Code with Multi-Dimensional Feature
Data and Computer Communications
IT351: Mobile & Wireless Computing
Zhenghao Zhang and Avishek Mukherjee Computer Science Department
ITIS 6010/8010 Wireless Network Security
Computer communications
Protocol ap1.0: Alice says “I am Alice”
Packetizing Error Detection
KERBEROS.
DK presents Division of Computer Science, KAIST
March 2019 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Security vs. Sequence Length Considerations]
Protocols.
Information Theoretical Analysis of Digital Watermarking
Computer Networks ARP and RARP
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Reducing Forks in the Blockchain via Probabilistic Verification
Error Checking continued
Zhiqing Luo1, Wei Wang1, Jiang Xiao1,
Protocols.
Vulnerability in WUR Beacon and Its Impacts on Wake-up Operation
On standalone transmissions with short fixed LBT
Discussion on TESLA Based Frame Authentication
Presentation transcript:

TBAS: Enhancing Wi-Fi Authentication by Actively Eliciting Channel State Information Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Motivation  Spoofing in Wi-Fi: even a common laptop computer can be configured to send packets with faked identity  Encryption-based protection cannot be relied upon in many cases  users with weak passwords  open networks such as some hotels and coffee shops  A reliable method is needed to detect spoofing without password AP Alice Bob Hi, I am Bob! Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Channel State Information (CSI)  It has been proposed to use Channel State Information (CSI) to identify the user [yang2014] Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Challenge in Using CSI for Authentication The challenge is to obtain the CSI of the legitimate user in time to for comparison The CSI may change If the new CSI is different from the ones in record, is it because the new CSI is from the attacker, or because the CSI changed? When the CSI is needed for comparison, the legitimate user may not be sending any packet depends on user traffic Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Our Approach  Our key idea is to actively elicit the CSI: when the AP received a packet is received from Bob, it sends a probe (a small dummy packet), which will to elicit a response from Bob (the ACK) AP Alice Bob Hi, I am Bob! Not matching!!! Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University Bob’s packet Alice’s packet

What if Alice also sends a response?  The two responses will collide, the AP will not receive it and can also determine the previous packet is spoofed AP Alice Bob Hi, I am Bob! Not matching!!! Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University Alice’s packet Collision packet

Key Advantages The CSI is collected when needed, and does not depend on user traffic Should achieve better performance Puts the attacker in a delimma No change to the Wi-Fi protocol, because a node will always send an ACK when it receives a packet Improving the security by only upgrading the AP, all user devices in the network can stay the same The Catch The additional overhead of probing However can be managed Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Our Key Contributions The Channel State Check (CSC), which can tell if two packets are from the same sender based on the CSI A simple protocol to reduce the overhead of probing Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Channel State Check (CSC) Problem: Given the CSI vectors from Packet 1 and Packet 2, are Packet 1 and 2 from the same sender? In our context Packet 1 and 2 are received within a short interval, e.g., a few milliseconds Packet 1 has been received correctly, Packet 2 may not Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Channel State Check (CSC) Strawman Solution. Just subtract the two CSI vectors, and compare the squared error with a threshold Problem: The CSI of the legitimate user may change, difficult to select a good threshold value The threshold value should actually be determined by the time interval, the larger the interval, the more difference it should allow Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Channel State Check (CSC) Therefore, the main idea of CSC is to calculate a check curve to be used as the expected CSI of Packet 2: not too far from the CSI in Packet 1 the distance determined by the time interval, allow some drifting best matches the measured CSI in Packet 2 If the CSI in Packet 2 is even far from check curve, something is wrong! Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Channel State Check (CSC) Mathematically, it is to solve an optimization problem of finding a polynomial that : under the constraint that Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Channel State Check (CSC) CSC does two checks: Noise level check: is the noise in Packet 1 and Packet 2 (by comparing with the check curve ) similar? Residual correlation check: is the difference between CSI of Packet 2 and the check curve white noise? Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Channel State Check (CSC) CSC does two checks: Noise level check: is the noise in Packet 1 and Packet 2 (by comparing with the check curve ) similar? Residual correlation check: is the difference between CSI of Packet 2 and the check curve white noise? Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Channel State Check (CSC) CSC does two checks: Noise level check: is the noise in Packet 1 and Packet 2 (by comparing with the check curve ) similar? Residual correlation check: is the difference between CSI of Packet 2 and the check curve white noise? Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Channel State Check (CSC) CSC performance on over 8000 packet pairs The need for two checks is clear Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

A Simple Protocol to Limit Overhead Simplest approach based on CSC: Every time a data packet is received 1.send a probe, get the CSI in the probe response 2.run CSC between the CSI in the data packet and the probe response, reject or accept the data packet depending on the decision of CSC Problem is high overhead Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

A Simple Protocol to Limit Overhead The main idea is to store the last accepted packet as history. When a new packet is received, 1.Run CSC between the new packet and the history 2.Depending on CSC: a.If passes, accepted the new packet, update history b.If fails, clear history, send probe, run CSC between the new packet and the probe response 3.Periodically clear the history Why it works in most cases when there is no attacker If the user has a high traffic, history is almost always fresh, and usually no need to send probe If the user has low traffic, sending a probe for each packet is fine Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Evaluation  We have verified the approach using Software-Defined Radio, achieving False Positive and False Negative ratios of around 0.1% Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Evaluation Compared with a recent work “Practical User Authentication Leveraging Channel State Information” in ASIACCS 2014, referred to as SVM Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

False Positive Under various traffic load (HT, MT, or LT) transmission power (high or low) Channel mobility (stationary or mobile channel) Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

False Positive TBAS always has low FP ratios of around or lower SVM sometimes has high FP ratio, like 0.1 Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Overhead Measured by the fraction of time used by probe and probe response All around or lower Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

False Positive with Delayed Response Configure the program to use the response of the next probe as that for this probe Longer delays between the data packet and the probe response, around 15 ms or more, testing TBAS under extreme conditions Still around 0.01 or lower, mobile channels affected more Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

False Negative Attacker sends the data packet, and has two strategies: Strategy 0: When a probe is received, do not respond Strategy 1: When a probe is received, respond Varying the transmission powers of the user and the attacker Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

False Negative TBAS has very low FN ratios, i.e., in the order or below in all cases. SVM sometimes has higher FN ratios, such as around 0.26, in one of the cases. Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Muye Liu, Avishek Mukherjee, Zhenghao Zhang, and Xiuwen Liu Florida State University

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.