Our Wireless World

Presentation transcript:

University of Colorado
The Directional Attack on Wireless Localization - or - How to Spoof Your Location with a Tin Can
Kevin Bauer, Damon McCoy, Eric Anderson, Markus Breitenbach, Greg Grudic, Dirk Grunwald, and Douglas Sicker
University of Colorado
IEEE GLOBECOM 2009, December 3, 2009

Our Wireless World
- Our wireless signals can implicitly reveal our locations
- Location-aware services:
  - Rogue device detection
  - Location-based access control
- Malicious users have incentive to precisely spoof their locations

802.11 Localization Background
Many localization techniques have been proposed:
- Angle of arrival (AoA) [Elnahrawy et al., ’07; Niculescu and Nath, ’04]
- Time of arrival (ToA) [GPS; Chan et al., ’06]
- Time difference of arrival (TDoA) [Priyantha et al., ’00]
- Received signal strength (RSS) [Bahl and Padmanabhan, ’00; Haeberlen et al., ’04; Tao et al., ’03; Ladd et al., ’02; King et al., ’06]
Slide annotations: “Requires non-commodity hardware”; “Uses existing 802.11 AP infrastructure”

RSS Localization is a Supervised Learning Problem
Part 1: Training phase
1. Deploy 802.11 sensors in a target environment (or use existing APs)
2. Broadcast wireless frames from several positions within the environment labeled with the transmitter’s real location
3. Record the frames’ received signal strength (RSSI) values and locations
Feature vector i: {(x, y), RSSI_i1, RSSI_i2, RSSI_i3, RSSI_i4} = {(4, 6), -45, -60, -65, -80}
Problem: Need to learn the mapping between signal space and physical space
[Figure: four monitors record RSSI = -45 dB, -60 dB, -65 dB and -80 dB for a transmitter at real location (x, y) = (4, 6)]

RSS Localization is a Supervised Learning Problem
Part 2: Localization phase
Given a wireless frame, we want to determine the transmitter’s location
Problem: Need to learn the mapping between signal space and physical space
[Figure: four monitors record RSSI = -85 dB, -55 dB, -49 dB and -40 dB for a transmitter at unknown location (x, y) = (?, ?). Figure labels: RSSI training data; observed RSSI feature vector {-85, -55, -49, -40}; learning algorithm (k-nearest neighbors, Naïve Bayes, etc.); (x, y) = (10, 7)]

Prior Attacks on RSS Localization
- Attack: During localization phase, use transmit power control to manipulate RSSI values [Tao et al., ’03; Haeberlen et al., ’04; Chen et al., ’07; Chen et al., ’09]
- Result: Attacker appears at a different location far away
- Limitation: Limited (or no) control over the location estimate
[Figure: four monitors record RSSI = -80 dB, -55 dB, -65 dB and -75 dB for a transmitter at unknown location (x, y) = (?, ?). Figure labels: estimated location; real location; localization error]
Amplification effect not really accurately shown, but it should give the intuition. Attacker can use this to gain access to location-based services, but cannot reliably appear at a position of their choosing.

The Directional Attack
Intuition: Give the attacker the ability to influence their estimated location by focusing transmissions using an inexpensive directional antenna, a.k.a. a “cantenna”
Attack goals:
1. Introduce localization errors focused in a direction of the attacker’s choice
2. Introduce more error into predictions than can be achieved with transmit power attacks alone

The Directional Attack
- By pointing the directional antenna down long corridors or through open spaces, the attacker can appear in the direction of the antenna’s focus with a high probability
- Could allow an attacker to gain access to location-based services or location-based access controlled resources
[Figure: four monitors record RSSI = -50 dB, -65 dB, -80 dB and -85 dB for a transmitter at unknown location (x, y) = (?, ?). Figure labels: real location; location-based access control; estimated location]

Experimental Setup
- Office building environment (50 x 75 meters)
- We collect three data sets:
  - Omni-directional training data: tx fixed at 16 dBm
  - Omni-directional testing data: tx varies between 10-20 dBm
  - Directional testing data
- 5 802.11 monitors, 179 training locations, 70 omni-directional testing locations, and 18 directional testing locations (4 directions)
- CRAWDAD: http://crawdad.cs.dartmouth.edu/cu/rssi
We collect RSSI data from within a large office building.

Localization Algorithms Evaluated
- k-nearest neighbors (“RADAR”) [Bahl and Padmanabhan, ’00]: Find the k closest training instances using Euclidean distance and average their (x, y) coordinates
- k-nearest neighbors-median [Trappe et al., ’05]: Like above, but minimize the median of the distances in each dimension
- Naïve Bayes [Ladd et al., ’02; Haeberlen et al., ’04]: Direct application of Bayes’ rule
- Naïve Bayes-difference [Tao et al., ’03]: Use Bayes’ rule with pair-wise differences in average signal strengths between each monitor

Experimental Evaluation: No Attack
- We first establish a baseline
- Compute CDF of localization error without any attack
- Median localization errors:
  - k-nearest neighbors: 3.6 m
  - k-nearest neighbors-med: 6.7 m
  - Naïve Bayes: 4.3 m
  - Naïve Bayes-diff: 3.7 m
- Consistent with prior work
Same omni-directional antenna used for testing as in the training phase. Same transmit power level used (16dBm). Perfect localization algorithm would be a vertical line along the y-axis.

Experimental Evaluation: Transmit Power Control Attacks
- We found that reducing transmit power level produced increased localization errors
- Attacker transmits at 10 dBm
- Median localization errors:
  - k-nearest neighbors: 6.8 m
  - k-nearest neighbors-med: 7.9 m
  - Naïve Bayes: 8.1 m
  - Naïve Bayes-diff: 6.7 m
- Consistent with prior work
Same omni-directional antenna used for testing as in the training phase. Same transmit power level used (16dBm).

Experimental Evaluation: Directional Attacks
- Directional attack, 16 dBm transmit power level
- Attacker points directional antenna in the four cardinal directions
- Median localization errors:
  - k-nearest neighbors: 6.2 m
  - k-nearest neighbors-med: 8.5 m
  - Naïve Bayes: 6.2 m
  - Naïve Bayes-diff: 4.7 m
- Produces similar localization errors as transmit power attacks
Same omni-directional antenna used for testing as in the training phase. Same transmit power level used (16dBm).

Experimental Evaluation: Transmit Power Control + Directional Attacks
- Directional attack, 10 dBm transmit power level
- Attacker points directional antenna in the four cardinal directions
- Median localization errors:
  - k-nearest neighbors: 10.6 m
  - k-nearest neighbors-med: 11.0 m
  - Naïve Bayes: 16.9 m
  - Naïve Bayes-diff: 9.5 m
- Produces greatest localization errors
Same omni-directional antenna used for testing as in the training phase. Same transmit power level used (16dBm). 200% improvement over transmit power attacks alone.

Experimental Evaluation: Movement in the Desired Direction
- Directional attack, 16 dBm transmit power level
- Attacker points directional antenna down long hallways and open spaces
- 75% of the time: The attacker appears in their desired direction
- 50% of the time: The attacker appears at least 3 meters in that direction
Plot annotation: “Backscatter”
Attacker points antenna in directions where there’s at least 10 meters of open space

Experimental Evaluation: Movement in the Desired Direction
- Directional attack, 10 dBm transmit power level
- Attacker points directional antenna down long hallways and open spaces and uses transmit power control
- 60-80% of the time: The attacker appears in their desired direction
- 50% of the time: The attacker appears at least 6 meters in that direction
Plot annotation: “Backscatter”
Attacker points antenna in directions where there’s at least 10 meters of open space

Prior Attack Detection Scheme
- Goal: Detect transmit power/directional attackers
- Prior detection scheme: Examine distance between potential attack data and the training data [Chen et al., ’07]: Classify as attack if
- Signal space distance generates too many false positives for transmit power, directional, and combination attacks
[Figure: ROC curves]

Attack Detection: Minimize Variance
- Intuition: Directional attackers who point the antenna in different directions exhibit higher variances in received signal strength values
- For each observation window j, calculate variance in observed RSS across each of the n monitors:
- Classify as attack if
- Offers 90+% detection rate with < 10% false positives
[Figure: ROC curves]
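A sketch of the variance check described on this slide, added here as an example and not taken from the authors' code. The slide's decision rule did not survive in this transcript, so the rule below (mean per-monitor variance above a threshold calibrated on benign windows), the function names and all sample readings are assumptions.

```python
from statistics import mean, pvariance

def window_score(window):
    """Mean, over monitors, of the RSS variance inside one observation window.

    window: list of frames; a frame is a list with one RSSI per monitor,
    or None where that monitor did not hear the frame.
    """
    if not window:
        return 0.0
    scores = []
    for m in range(len(window[0])):
        heard = [f[m] for f in window if f[m] is not None]
        if len(heard) >= 2:            # variance needs at least two samples
            scores.append(pvariance(heard))
    return float(mean(scores)) if scores else 0.0

def calibrate(benign_windows, margin=1.5):
    """Assumed rule: threshold = margin x worst score seen on benign data."""
    return margin * max(window_score(w) for w in benign_windows)

def classify(windows, threshold):
    """True marks a window whose variance score exceeds the threshold."""
    return [window_score(w) > threshold for w in windows]

# Constructed sample windows (4 monitors, 4 frames each), values in dBm.
BENIGN = [
    [[-45, -60, -65, -80], [-46, -59, -66, -81],
     [-44, -61, -64, -79], [-45, -60, -65, -80]],
    [[-70, -55, -60, -75], [-72, -55, -58, -75],
     [-70, -57, -60, -73], [-72, -57, -58, -73]],
]
# Constructed window with large swings; one monitor missed the first frame.
SUSPECT = [[-50, -65, -80, None], [-70, -50, -62, -85],
           [-58, -75, -55, -70], [-80, -60, -70, -60]]

if __name__ == "__main__":
    thr = calibrate(BENIGN)
    print("threshold:", thr)
    print("flags:", classify(BENIGN + [SUSPECT], thr))
```

Sweeping the threshold instead of fixing it gives the detection-rate versus false-positive trade-off that an ROC curve plots.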

Summary and Conclusion
- The directional attack is a powerful new way for malicious users to precisely spoof their locations
- Through experiments, we show that directional attackers can reliably appear in a direction of their choice 75% of the time
- We also show that directional attacks achieve an increase in localization error of up to 200% relative to transmit power attacks
Supported by NSF Awards ITR-0430593 and CRI-0454404

Backup Slides

Detecting General Case of Attack
- Apply standard outlier detection and/or data smoothing techniques (future work)
- For example, single exponential smoothing
Equation labels: previous location prediction; current smoothed location prediction; previous smoothed location prediction; smoothing constant (determines how fast smoothed values change)

k-Nearest Neighbors
- Find the k closest training examples to a given test instance using a distance metric (i.e., Euclidean distance)
- Average the (x, y) coordinates of the k training examples to get the location prediction

k-Nearest Neighbors – Median
- Like normal k-nearest neighbors, except we minimize the median of the RSSI squared differences:
- Proposed as a more secure variant of k-nearest neighbors
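The two k-nearest-neighbor variants from the slides above, written out as an added example (not the authors' implementation) to show why the median form was proposed as the more robust one. The training table is constructed, and reading "median of the RSSI squared differences" as the neighbor-selection metric is an assumption, since the slide's formula is missing from this transcript.

```python
import math
from statistics import median

# Constructed training fingerprints: ((x, y), RSSI seen by 4 monitors).
# Only the (4, 6) and (10, 7) vectors reuse numbers shown on the slides.
TRAIN = [
    ((4, 6),  [-45, -60, -65, -80]),
    ((4, 7),  [-46, -61, -64, -80]),
    ((12, 6), [-70, -55, -60, -75]),
    ((12, 7), [-71, -56, -61, -74]),
    ((10, 7), [-85, -55, -49, -40]),
    ((10, 8), [-84, -56, -50, -41]),
]

def euclidean(a, b):
    """Plain k-NN metric: every monitor contributes to the distance."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def median_sq(a, b):
    """Median of the per-monitor squared differences (assumed reading of
    the k-NN-median slide): a minority of wild monitors cannot dominate."""
    return median((p - q) ** 2 for p, q in zip(a, b))

def knn_locate(obs, k=2, dist=euclidean, train=TRAIN):
    """Average the (x, y) labels of the k fingerprints closest to obs."""
    if len(train) < k:
        raise ValueError("need at least k training fingerprints")
    nearest = sorted(train, key=lambda row: dist(obs, row[1]))[:k]
    return (sum(loc[0] for loc, _ in nearest) / k,
            sum(loc[1] for loc, _ in nearest) / k)

CLEAN = [-85, -55, -49, -40]    # vector from the localization-phase slide
ONE_BAD = [-75, -60, -65, -80]  # (4, 6) fingerprint, monitor 1 off by 30 dB

if __name__ == "__main__":
    print("clean, euclidean :", knn_locate(CLEAN))
    print("1 bad, euclidean :", knn_locate(ONE_BAD))
    print("1 bad, median_sq :", knn_locate(ONE_BAD, dist=median_sq))
```

The median metric only absorbs a minority of outlying monitors; when most monitors are shifted at once, both variants move, which matches the k-nearest neighbors-med errors reported in the evaluation slides.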

Simple Naïve Bayes Classifier
- Estimate the probability of observing a received signal strength vector at a given location
- For an unlabeled received signal strength vector, find the location that maximizes the a posteriori probability

Naïve Bayes – Difference
- Input the pair-wise differences in observed average received signal strengths between all monitors into Bayes’ rule
- Proposed as a more secure variant of Naïve Bayes

“Smart” vs. “Naïve” Attacker Localization Error
- The smart directional attacker achieves similar total localization error
[Figures: Smart Attacker CDF; Naïve Attacker CDF]

“Naïve” Attacker Teleportation
- Naïve directional attacker achieves less movement in their intended direction than the intelligent attacker
[Figure label: With transmit power control]

Hardware Used in Experiments
[Photo labels: Omni-directional antenna; 802.11 cards; “Super Cantenna”]

Please Download Our Data
- Available to the public as part of the CRAWDAD wireless data repository: http://crawdad.cs.dartmouth.edu/cu/rssi
- Raw PCAP traces (w/ prism headers) and processed ASCII files available for download
- Additional information is available here: http://tinyurl.com/cu-globecom