Jerry Cheng

Detection and Localization of Multiple Spoofing Attackers in Wireless Networks

Wireless spoofing attacks are easy to launch and can significantly impact the performance of networks. Although the identity of a node can be verified through cryptographic authentication, conventional security approaches are not always desirable because of their overhead requirements. In this paper, we propose to use spatial information, a physical property associated with each node, hard to falsify, and not reliant on cryptography, as the basis for 1) detecting spoofing attacks; 2) determining the number of attackers when multiple adversaries masquerading as the same node identity; and 3) localizing multiple adversaries. We propose to use the spatial correlation of received signal strength (RSS) inherited from wireless nodes to detect the spoofing attacks. We then formulate the problem of determining the number of attackers as a multiclass detection problem. Cluster-based mechanisms are developed to determine the number of attackers. When the training data are available, we explore using the Support Vector Machines (SVM) method to further improve the accuracy of determining the number of attackers. In addition, we developed an integrated detection and localization system that can localize the positions of multiple attackers. We evaluated our techniques through two testbeds using both an 802.11 (WiFi) network and an 802.15.4 (ZigBee) network in two real office buildings. Our experimental results show that our proposed methods can achieve over 90 percent Hit Rate and Precision when determining the number of attackers. Our localization results using a representative set of algorithms provide strong evidence of high accuracy of localizing multiple adversaries.

Tracking Vital Signs During Sleep Leveraging Off-the-shelf WiFi

Tracking human vital signs of breathing and heart rates during sleep is important as it can help to assess the general physical health of a person and provide useful clues for diagnosing possible diseases. Traditional approaches (e.g., Polysomnography (PSG)) are limited to clinic usage. Recent radio frequency (RF) based approaches require specialized devices or dedicated wireless sensors and are only able to track breathing rate. In this work, we propose to track the vital signs of both breathing rate and heart rate during sleep by using off-the-shelf WiFi without any wearable or dedicated devices. Our system re-uses existing WiFi network and exploits the fine-grained channel information to capture the minute movements caused by breathing and heart beats. Our system thus has the potential to be widely deployed and perform continuous long-term monitoring. The developed algorithm makes use of the channel information in both time and frequency domain to estimate breathing and heart rates, and it works well when either individual or two persons are in bed. Our extensive experiments demonstrate that our system can accurately capture vital signs during sleep under realistic settings, and achieve comparable or even better performance comparing to traditional and existing approaches, which is a strong indication of providing non-invasive, continuous fine-grained vital signs monitoring without any additional cost.

Determining the Number of Attackers and Localizing Multiple Adversaries in Wireless Spoofing Attacks

Wireless spoofing attacks are easy to launch and can significantly impact the performance of networks. Although the identity of a node can be verified through cryptographic authentication, conventional security approaches are not always desirable because of their overhead requirements. In this paper, we propose to use location information, a physical property associated with each node, hard to falsify, and not reliant on cryptography, as the basis for (1) detecting spoofing attacks; (2) determining the number of attackers when multiple adver- saries masquerading as a same node identity; and (3) localizing multiple adversaries. We formulate the problem of determining the number of attackers as a multi-class detection problem. We first propose two cluster-based mechanisms to determine the number of attackers. We then develop SILENCE that employs the minimum distance testing of RSS values in addition to cluster analysis and can achieve better accuracy than other methods under study that merely use cluster analysis alone. We further developed an integrated detection and localization system that can localize the positions of multiple attackers. We evaluated our techniques through two testbeds using both an 802.11 (WiFi) network and an 802.15.4 (ZigBee) network in two real office buildings. Our experimental results show that SILENCE can achieve over 90% Hit Rate and Precision when determining the number of attackers. Additionally, our localization results using a representative set of algorithms provide strong evidence of high accuracy of localizing multiple adversaries.

Feasibility of Launching User Spoofing

We provide a brief overview of identity-based spoofing attack, and its impact to the wireless and sensor networks in this chapter.

Attack Detection Model

User spoofing has a serious impact to the normal operation of wireless and sensor networks. It is thus desirable to detect the presence of identity-based attacks and eliminate them from the network. The traditional approach to address identity-based attacks is to apply cryptographic authentication. However, authentication requires additional infrastructural overhead and computational power associated with distributing, and maintaining cryptographic keys. Due to the limited power and resources available to the wireless devices and sensor nodes, it is not always possible to deploy authentication. In this chapter, we take a different approach by using the physical properties associated with wireless transmissions to detect identity-based attacks. Specifically, we utilizes the Received Signal Strength (RSS) measured across a set of landmarks (i.e., reference points with known locations) to perform detection of identity-based attacks. In this chapter, we focus on static nodes, which are common for most identity-based attacks scenarios (Sheng et al., Detecting 802.11 MAC layer spoofing using received signal strength, in Proceedings of the IEEE International Conference on Computer Communications (INFOCOM), April 2008). Our scheme does not add any overhead to the wireless devices and sensor nodes.

Detection and Localizing Multiple Spoofing Attackers

Under a malicious spoofing attack, multiple adversaries may masquerade as the same identity and collaborate to launch a denial-of-service attack quickly. Therefore, it is important to further determine the number of attackers that masquerade as the same identity in the wireless network. Further, detecting the presence of identity-based attacks in the network provides first order information towards defending against attackers. Learning the physical location of the attackers allows the network administrators to further exploit a wide range of defense strategies. For example, we can physically visit multiple adversaries and eliminate it from the network. We then explore how to find the positions of the adversaries by integrating our attack detector into a real-time indoor localization system.

Pervasive Wireless Environments: Detecting and Localizing User Spoofing

This Springer Brief provides a new approach to prevent user spoofing by using the physical properties associated with wireless transmissions to detect the presence of user spoofing. The most common method, applying cryptographic authentication, requires additional management and computational power that cannot be deployed consistently. The authors present the new approach by offering a summary of the recent research and exploring the benefits and potential challenges of this method. This brief discusses the feasibility of launching user spoofing attacks and their impact on the wireless and sensor networks. Readers are equipped to understand several system models. One attack detection model exploits the spatial correlation of received signal strength (RSS) inherited from wireless devices as a foundation. Through experiments in practical environments, the authors evaluate the performance of the spoofing attack detection model. The brief also introduces the DEMOTE system, which exploits the correlation within the RSS trace based on each devices identity to detect mobile attackers. A final chapter covers future directions of this field. By presenting complex technical information in a concise format, this brief is a valuable resource for researchers, professionals, and advanced-level students focused on wireless network security.

Detecting Mobile Agents Using Identity Fraud

Attacks involving identity fraud can facilitate a variety of advanced attacks to significantly impact the normal operation of wireless networks (F. Ferreri, M. Bernaschi, and L. Valcamonici, “Access points vulnerabilities to dos attacks in 802.11 networks,” in Proceedings of the IEEE Wireless Communications and Networking Conference, 2004; J. Bellardo and S. Savage, “802.11 denial-of-service attacks: Real vulnerabilities and practical solutions,” in Proceedings of the USENIX Security Symposium, 2003, pp. 15–28; D. Faria and D. Cheriton, “Detecting identity-based attacks in wireless networks using signalprints,” in Proceedings of the ACM Workshop on Wireless Security (WiSe), September 2006; Q. Li andW. Trappe, “Relationship-based detection of spoofing-related anomalous traffic in ad hoc networks,” in Proceedings of the Third Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON), September 2006). Identity fraud performed by mobile wireless devices may further inflict security and privacy damages on the social life of the individual who carries wireless devices. We call these kind of attacks as mobile spoofing attacks. There has been active work in detecting spoofing attacks (D. Faria and D. Cheriton, “Detecting identity-based attacks in wireless networks using signalprints,” in Proceedings of the ACM Workshop on Wireless Security (WiSe), September 2006; Y. Chen, W. Trappe, and R. P. Martin, “Detecting and localizing wirelss spoofing attacks,” in Proceedings of the Fourth Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON), May 2007. (Acceptance rate: 20%); Y. Sheng, K. Tan, G. Chen, D. Kotz, and A. Campbell, “Detecting 802.11 MAC layer spoofing using received signal strength,” in Proceedings of the IEEE International Conference on Computer Communications (INFOCOM), April 2008). D. Faria and D. Cheriton, (“Detecting identity-based attacks in wireless networks using signalprints,” in Proceedings of the ACM Workshop on Wireless Security (WiSe), September 2006) proposed the use of matching rules of Received Signal Strength (RSS) for spoofing detection, (Y. Chen, W. Trappe, and R. P. Martin, “Detecting and localizing wirelss spoofing attacks,” in Proceedings of the Fourth Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON), May 2007. used K-means cluster analysis of RSS, and (Y. Sheng, K. Tan, G. Chen, D. Kotz, and A. Campbell, “Detecting 802.11 MAC layer spoofing using received signal strength,” in Proceedings of the IEEE International Conference on Computer Communications (INFOCOM), April 2008.) modeled RSS readings as a Gaussian mixture model to capture antenna diversity. However, these mechanisms only work in static wireless environments, i.e., the victim node has a fixed location. In this chapter, we focus on spoofing attack detection in mobile wireless environments, that is, the wireless devices including the victim node and/or the spoofing node are moving around. Thus, detecting identity fraud launched by mobile agents is important as it allows the network to further exploit a wide range of defense strategies in different network layers, and consequently helps to ensure secure and trustworthy communication in emerging mobile pervasive computing.

Mobile Sensing Enabled Robust Detection of Security Threats in Urban Environments

Mobile sensing enables data collection from large numbers of participants in ways that previously were not possible. In particular, by affixing a sensory device to a mobile device, such as smartphone or vehicle, mobile sensing provides the opportunity to not only collect dynamic information from environments but also detect the environmental hazards. In this paper, we propose a mobile sensing wireless network for surveillance of security threats in urban environments, e.g., environmental pollution sources or nuclear radiation materials. We formulate the security threats detection as a significant cluster detection problem. To make our approach robust to unreliable sensing data, we propose an algorithm based on the Mean Shift method to identify the significant clusters and determine the locations of threats. Extensive simulation studies are conducted to evaluate the effectiveness of the proposed detection algorithm.