802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.

Slides:

Advertisements

Similar presentations

Inktomi Confidential and Proprietary The Inktomi Climate Lab: An Integrated Environment for Analyzing and Simulating Customer Network Traffic Stephane.

Advertisements

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

“All your layer are belong to us” Rogue APs, DHCP/DNS Servers, and Fake Service Traps.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

Wireless Networks: Signaling and Security William Tucker CEN 4516: Computer Networks FGCU: Fort Myers, FL: 09/05.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.

1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.

Analysis of Privacy Jim McCann & Daniel Kuo EECS 598.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

User Fingerprinting MobiCom 2007 (Sept Montreal, Quebec, Canada)

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.

Q and A, Ch. 21 IS333, Spring 2015 Victor Norman.

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

Fermilab VPN Service What is a VPN ?.

Securing a Wireless Network

CSC 412 – Networking Scott Heggen. Agenda Today The Network Layer (Chapter 5) Discussion on A2: The Data Link Layer Thursday Q2: The Networking Layer.

1 26-Aug-15 Addressing the network using IPv4 Lecture # 2 Engr. Orland G. Basas Prepared by: Engr. Orland G. Basas IT Lecturer.

Two reasons you can’t trust a wireless network (and some stuff that goes on at Intel Research Seattle) Jeff Hightower, Ali Rahimi, Ian Smith, Josh Smith,

Wireless Network Security Dr. John P. Abraham Professor UTPA.

Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

CS3502: Data and Computer Networks Local Area Networks - 4 Bridges / LAN internetworks.

Technical Refresher Session 3. Overview Difference between communication between devices on a single logical network and communication between different.

1 Figure 2-11: Wireless LAN (WLAN) Security Wireless LAN Family of Standards Basic Operation (Figure 2-12 on next slide)  Main wired network.

WiFi-Reports: Improving Wireless Network Selection Jeffrey Pang (CMU) with Ben Greenstein (IRS) Michael Kaminsky (IRP) Damon McCoy (U. Colorado) Srinivasan.

Environment => Office, Campus, Home  Impact How, not Whether A Checklist for Wireless Access Points.

1 C-DAC/Kolkata C-DAC All Rights Reserved Computer Security.

TECHNOLOGY GUIDE THREE Protecting Your Information Assets.

FiG: Automatic Fingerprint Generation Shobha Venkataraman Joint work with Juan Caballero, Pongsin Poosankam, Min Gyung Kang, Dawn Song & Avrim Blum Carnegie.

Connecting The Network Layer to Data Link Layer. ARP in the IP Layer The Address Resolution Protocol (ARP) The Address Resolution Protocol (ARP) Part.

TCP1 Transmission Control Protocol (TCP). TCP2 Outline Transmission Control Protocol.

NATs and UDP Victor Norman CS322 Spring NAPT Suppose we have a router doing NAT: half is the “public side”, IP address ; other half is.

Networks and Protocols CE Week 2a. Network hardware.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 Presenter: Nan Jiang Most Slides:

Stephan Bayer September 9, 2004 INLS 187. What is it? War Driving Software – WarDriving v. The benign act of locating and logging wireless access points.

David Abarca, Instructor Del Mar College Computer Corner Wireless Network Access Control.

Networking Fundamentals. Basics Network – collection of nodes and links that cooperate for communication Nodes – computer systems –Internal (routers,

The Basics of HOME NETWORKS Capstone Technologies Group Brian Sammons.

WLANs & Security Standards (802.11) b - up to 11 Mbps, several hundred feet g - up to 54 Mbps, backward compatible, same frequency a.

Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era Authors: Ben Greenstein, Ramakrishna Gummadi, Jeffrey Pang, Mike Y. Chen,

Presented by Rebecca Meinhold But How Does the Internet Work?

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

6° of Darkness or Using Webs of Trust to Solve the Problem of Global Indexes.

Doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing Privacy by Concealing Link Layer Identifiers.

Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.

Identifying “Best Bet” Web Search Results by Mining Past User Behavior Author: Eugene Agichtein, Zijian Zheng (Microsoft Research) Source: KDD2006 Reporter:

Internet Flow By: Terry Hernandez. Getting from the customers computer onto the internet Internet Browser

Mr C Johnston ICT Teacher G055 - Lecture 10 Network Protocols.

Transport layer identification of P2P traffic Victor Gau Yi-Hsien Wang

Introduction Web analysis includes the study of users’ behavior on the web Traffic analysis – Usage analysis Behavior at particular website or across.

Q and A, Ch. 21 IS333, Spring 2016 Victor Norman.

Securing your Personal Wireless Networks By: Bryan Oxendale.

Due: a start of class Oct 12

TECHNOLOGY GUIDE THREE

Due: a start of class Oct 26

CSE 4905 Network Security Overview

IP Forwarding Relates to Lab 3.

De-anonymizing the Internet Using Unreliable IDs By Yinglian Xie, Fang Yu, and Martín Abadi Presented by Peng Cheng 03/22/2017.

Topic 5: Communication and the Internet

Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity and Identity Management – A Consolidated Proposal for Terminology Authors: Andreas.

Presentation transcript:

User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben

Location Privacy is at Risk You “The adversary” (a.k.a., some dude with a laptop) Your MAC address: 00:0E:35:CE:1F:59 Usually < 100m

Are pseudonyms enough? MAC address now: 00:0E:35:CE:1F:59 MAC address later: 00:AA:BB:CC:DD:EE

Implicit Identifiers Remain Consider one user at SIGCOMM 2004 Visible in an “anonymized” trace MAC addresses scrubbed Effectively a pseudonym Transferred 512MB via bittorrent => Crappy performance for everyone else Let’s call him Bob Can we figure out who Bob is?

Implicit Identifier: SSIDs SSIDs in Probe Requests Windows XP, Mac OS X probe for your preferred networks by default Set of networks advertised in a traffic sample Determined by a user’s preferred networks list SSID Probe: “roofnet” Bob

What if Bob used pseudonyms? “roofnet” probe occurred during different session than bittorrent download Can no longer explicitly associate “roofnet” with poor network etiquette Can we do it implicitly?

Implicit Identifier: Network Destinations Network Destinations Set of IP pairs in a traffic sample In SIGCOMM, each visited by 1.15 users on average A user is likely to visit a site repeatedly (e.g., an server) SSH/IMAP server: Bob

What if network is encrypted? Can’t see IP addresses through link- layer encryption like WPA Is Bob safe now?

Implicit Identifier: Broadcast Packet Sizes Broadcast Packet Sizes Set of broadcast packet sizes in a traffic sample E.g., Windows machines NetBIOS naming advertisements; FileMaker and Microsoft Office advertise themselves In SIGCOMM, only 16% more unique tuples than unique sizes Broadcast packet sizes: 239, 245, 257 Bob

Implicit Identifier: MAC Protocol Fields MAC Protocol Fields Header bits (e.g., power mgmt., order) Supported rates Offered authentication algorithms Mac Protocol Fields: 11,4,2,1Mbps, WEP, etc. Bob

David J. Wetherall Anonymized Traces from SIGCOMM 2004 Search on Wigle for “djw” in the Seattle area Google pinpoints David’s home (to within 200 ft) A pseudonym What else do implicit identifiers tell us?

Automating Implicit Identifiers TRAINING: Collect some traffic known to be from Bob OBSERVATION: Which traffic is from Bob? ? ??

Methodology Simulate using SIGCOMM, USCD Split trace into training data and observation data Sample = 1hour of traffic to/from a user Assume pseudonyms “The adversary”

Did this traffic sample come from Bob? How to convert implicit identifiers into features? Naïve Bayesian Classifier: We say sample s (with features f i ) is from Bob if Pr[s from Bob | s has features f i ] > T

Did This Traffic Sample Come from Bob? Features: Set similarity (Jaccard Index), weighted by frequency: linksys IR_Guest djw SIGCOMM_1 PROFILE FROM TRAINING SAMPLE FOR VALIDATION Rare Common

Individual Feature Accuracy 60% TPR with 99% FPR Higher FPR, likely due to not being user specific Useful in combination with other features, to rule out identities

Multi-feature Accuracy Samples from 1 in 4 users are identified >50% of the time with FPR bcast + ssids + fields + netdests bcast + ssids + fields bcast + ssids

Was Bob here today? Maybe… Suppose N users present Over an 8 hour day, 8*N opportunities to misclassify a user’s traffic Instead, say Bob is present iff multiple samples are classified as his

Was Bob here today? In a busy coffee shop with 25 concurrent users, more than half (54%) can be identified with 90% accuracy 4 hour median to detect (4 samples) 27% with two 9s.

Conclusion: Pseudonyms Are Insufficient 4 new identifiers: netdests, ssids, fields, bcast Average user emits highly distinguishing identifiers Adversary can combine features Future Uncover more identifiers (timing, etc.) Validate on longer/more diverse traces (SSIDs stable in home setting for >=2 weeks) Build a better link layer