Cherita L. Corbett

A Passive Approach to Rogue Access Point Detection

Unauthorized or rogue access points (APs) produce security vulnerabilities in enterprise/campus networks by circumventing inherent security mechanisms. We propose to use the round trip time (RTT) of network traffic to distinguish between wired and wireless nodes. This information coupled with a standard wireless AP authorization policy allows the differentiation (at a central location) between wired nodes, authorized APs, and rogue APs. We show that the lower capacity and the higher variability in a wireless network can be used to effectively distinguish between wired and wireless nodes. Further, this detection is not dependant upon the wireless technology (802.11a, 802.11b, or 802.11g), is scalable, does not contain the inefficiencies of current solutions, remains valid as the capacity of wired and wireless links increase, and is independent of the signal range of the rogue APs.

SIDD: A Framework for Detecting Sensitive Data Exfiltration by an Insider Attack

Detecting and mitigating insider threat is a critical element in the overall information protection strategy. By successfully implementing tactics to detect this threat, organizations mitigate the loss of sensitive information and also potentially protect against future attacks. Within the broader scope of mitigating insider threat, we focus on detecting exfiltration of sensitive data through a protected network. We propose a multilevel framework called SIDD (Sensitive Information Dissemination Detection) system which is a high-speed transparent network bridge located at the edge of the protected network. SIDD consists of three main components: 1) network-level application identification, 2) content signature generation and detection, and 3) covert communication detection. Further, we introduce a model implementation of the key components, demonstrating how our system can be deployed. Our approach is based on the application of statistical and signal processing techniques on traffic flow to generate signatures and/or extract features for classification purposes. The proposed framework aims to address methods to detect, deter and prevent deliberate and unintended distribution of sensitive content outside the organization using the organization’s system and network resources by a trusted insider.

A Passive Approach to Wireless NIC Identification

IEEE 802.11 wireless networks are plagued with problems of unauthorized access. Left undetected, unauthorized access is the precursor to additional mischief. Current approaches to detecting intruders are invasive or can be evaded by stealthy attackers. We propose the use of spectral analysis to identify a type of wireless network interface card. This mechanism can be applied to support the detection of unauthorized systems that use wireless network interface cards that are different from that of a legitimate system. The approach is passive and works in the presence of encrypted traffic.

A Novel Audio Steganalysis Based on High-Order Statistics of a Distortion Measure with Hausdorff Distance

Steganography can be used to hide information in audio media both for the purposes of digital watermarking and establishing covert communication channels. Digital audio provides a suitable cover for high-throughput steganography as a result of its transient and unpredictable characteristics. Distortion measure plays an important role in audio steganalysis - the analysis and classification method of determining if an audio medium is carrying hidden information. In this paper, we propose a novel distortion metric based on Hausdorff distance. Given an audio object xwhich could potentially be a stego-audio object, we consider its de-noised version xi¾? as an estimate of the cover-object. We then use Hausdorff distance to measure the distortion from xto xi¾?. The distortion measurement is obtained at various wavelet decomposition levels from which we derive high-order statistics as features for a classifier to determine the presence of hidden information in an audio signal. Extensive experimental results for the Least Significant Bit (LSB) substitution based steganography tool show that the proposed algorithm has a strong discriminatory ability and the performance is significantly superior to existing methods. The proposed approach can be easily applied to other steganography tools and algorithms.

Using Active Scanning to Identify Wireless NICs

Computer networks have become increasingly ubiquitous. However, with the increase in networked applications, there has also been an increase in difficulty to manage and secure these networks. The proliferation of 802.11 wireless networks has heightened this problem by extending networks beyond physical boundaries. We propose the use of spectral analysis to identify the type of wireless network interface card (NIC). This mechanism can be applied to support the detection of unauthorized systems that use NICs which are different from that of a legitimate system. We focus on active scanning, a vaguely specified mechanism required by the 802.11 standard that is implemented in the hardware and software of the wireless NIC. We show that the implementation of this function influences the transmission patterns of a wireless stream that are observable through traffic analysis. Our mechanism for NIC identification uses signal processing to analyze the periodicity embedded in the wireless traffic caused by active scanning. A stable spectral profile is created from the periodic components of the traffic and used for the identity of the wireless NIC. We show that we can distinguish between NICs manufactured by different vendors using the spectral profile

Dynamic Energy-based Encoding and Filtering in Sensor Networks

In critical sensor deployments it is important to ensure the authenticity and integrity of sensed data. Further, one must ensure that false data injected into the network by malicious nodes is not perceived as accurate data. In this paper we present the Dynamic Energy-based Encoding and Filtering (DEEF) framework to detect the injection of false data into a sensor network. DEEF requires that each sensed event report be encoded using a simple encoding scheme based on a keyed hash. The key to the hashing function dynamically changes as a function of the transient energy of the sensor, thus requiring no need for re-keying. Depending on the cost of transmission vs. computational cost of encoding, it may be important to remove data as quickly as possible. Accordingly, DEEF can provide authentication at the edge of the network or authentication inside of the sensor network. Depending on the optimal configuration, as the report is forwarded, each node along the way verifies the correctness of the encoding probabilistically and drops those that are invalid. We have evaluated DEEFs feasibility and performance through analysis. Our results show that DEEF, without incurring transmission overhead (increasing packet size), is able to eliminate 90% - 99% of false data injected from an outsider within 9 hops before it reaches the sink.

Using link RTT to passively detect unapproved wireless nodes

Rogue Access Points (APs) produce security vulnerabilities in enterprise/campus networks by circumventing security mechanisms. We propose to use network traffic Round Trip Time (RTT) coupled with standard wireless network policies to distinguish between wired nodes, authorised APs, and rogue APs. Further, this approach has the following advantages: independent of wireless technology (802.11a/b/g); resilient to increases in capacity for wired and wireless links; scalable; resilient to effects of multiple hops; independent of rouge AP signal range. Our experimental results show that we can quickly classify the nodes as wired or wireless with 80-100% accuracy.

Constructing timing-based covert channels in mobile networks by adjusting CPU frequency

We have identified a novel wireless covert timing channel (WCTC) that could be used by malware to exfiltrate data from mobile devices. We introduce the WCTC by demonstrating its ability to transmit data covertly: (1) across existing network services, (2) across ICMP pings, and (3) via a trojanized chat application. The WCTC is implemented by manipulating the Android operating systems CPU on the client end to modulate network traffic emitted from the mobile device by purposely adjusting the CPUs speed to send a binary 1 or 0. The data is recovered and deciphered on the receiving end by applying a simple threshold to the average inter-packet spacing of a fixed number of packets within a bit stream sent by the client. To our knowledge, there only exists intrusive methods to defeat this type of channel. We characterize this potential threat by determining: (1) its channel capacity, (2) the accuracy of its data transmission, (3) the effects of network hops on its accuracy, and (4) the minimum mobile device signal strength required to maintain 90% or better message recovery.

Wavelet-Based Traffic Analysis for Identifying Video Streams over Broadband Networks

Network and service providers are rapidly deploying IPTV networks to deliver a wide variety of video content to subscribers. Some video content may be protected by copyright and/or may be subject to distribution restrictions. Encryption technologies may not always be effective to manage protected video content, particularly when video content is legally decrypted upon receipt by a subscriber. This paper presents a new approach to detect if specific (or protected) downloaded video is being redistributed by a subscriber using the broadband Internet connection. The approach employs a traffic-based signature of the protected video clip. The signature which is shown to be unique is stored in a signature store. We adopt a wavelet-based analysis to match video streams captured from the network to the signatures in the store. The performance of the detection algorithm is evaluated using a large video database populated with a variety of movies and TV shows. The experiment results show that our algorithm achieves high detection rates and low false alarm rates using video clips of only a few seconds.

Passive classification of wireless NICs during rate switching

Computer networks have become increasingly ubiquitous. However, with the increase in networked applications, there has also been an increase in difficulty to manage and secure these networks. The proliferation of 802.11 wireless networks has heightened this problem by extending networks beyond physical boundaries. We propose the use of spectral analysis to identify the type of wireless network interface card (NIC). This mechanism can be applied to support the detection of unauthorized systems that use NICs which are different from that of a legitimate system. We focus on rate switching, a vaguely specified mechanism required by the 802.11 standard that is implemented in the hardware and software of the wireless NIC. We show that the implementation of this function influences the transmission patterns of a wireless stream, which are observable through traffic analysis. Our mechanism for NIC identification uses signal processing to analyze the periodicity embedded in the wireless traffic caused by rate switching. A stable spectral profile is created from the periodic components of the traffic and used for the identity of the wireless NIC. We show that we can distinguish between NICs manufactured by different vendors and NICs manufactured by the same vendor using their spectral profiles.