Publication


Featured research published by Lanier Watkins.


global communications conference | 2007

A Passive Approach to Rogue Access Point Detection

Lanier Watkins; Raheem A. Beyah; Cherita L. Corbett

Unauthorized or rogue access points (APs) produce security vulnerabilities in enterprise/campus networks by circumventing inherent security mechanisms. We propose to use the round trip time (RTT) of network traffic to distinguish between wired and wireless nodes. This information coupled with a standard wireless AP authorization policy allows the differentiation (at a central location) between wired nodes, authorized APs, and rogue APs. We show that the lower capacity and the higher variability in a wireless network can be used to effectively distinguish between wired and wireless nodes. Further, this detection is not dependent upon the wireless technology (802.11a, 802.11b, or 802.11g), is scalable, does not contain the inefficiencies of current solutions, remains valid as the capacity of wired and wireless links increases, and is independent of the signal range of the rogue APs.


IEEE Transactions on Parallel and Distributed Systems | 2011

A Passive Solution to the CPU Resource Discovery Problem in Cluster Grid Networks

Lanier Watkins; William H. Robinson; Raheem A. Beyah

We present the details of a novel method for passive resource discovery in cluster grid environments, where resources constantly utilize internode communication. Our method offers the ability to nonintrusively identify resources that have available CPU cycles; this is critical for lowering queue wait times in large cluster grid networks. The benefits include: 1) low message complexity, which facilitates low latency in distributed networks, 2) scalability, which provides support for very large networks, and 3) low maintainability, since no additional software is needed on compute resources. Using a 50-node (multicore) test bed (DETERlab), we demonstrate the feasibility of our method with experiments utilizing TCP, UDP, and ICMP network traffic. We use a simple but powerful technique that monitors the frequency of network packets emitted from the Network Interface Card (NIC) of local resources. We observed the correlation between CPU load and the timely response of network traffic. A highly utilized CPU will have numerous, active processes which require context switching. The latency associated with numerous context switches manifests as a delay signature within the packet transmission process. Our method detects that delay signature to determine the utilization of network resources. Results show that our method can consistently and accurately identify nodes with available CPU cycles (<70 percent CPU utilization) through analysis of existing network traffic, including network traffic that has passed through a switch (noncongested). Also, in situations where there is no existing network traffic for nodes, ICMP ping replies can be used to ascertain this resource information.


International Journal of Security and Networks | 2009

Using link RTT to passively detect unapproved wireless nodes

Lanier Watkins; Raheem A. Beyah; Cherita L. Corbett

Rogue Access Points (APs) produce security vulnerabilities in enterprise/campus networks by circumventing security mechanisms. We propose to use network traffic Round Trip Time (RTT) coupled with standard wireless network policies to distinguish between wired nodes, authorised APs, and rogue APs. Further, this approach has the following advantages: independent of wireless technology (802.11a/b/g); resilient to increases in capacity for wired and wireless links; scalable; resilient to effects of multiple hops; independent of rogue AP signal range. Our experimental results show that we can quickly classify the nodes as wired or wireless with 80-100% accuracy.


hardware and architectural support for security and privacy | 2014

Constructing timing-based covert channels in mobile networks by adjusting CPU frequency

Mengchao Yue; William H. Robinson; Lanier Watkins; Cherita L. Corbett

We have identified a novel wireless covert timing channel (WCTC) that could be used by malware to exfiltrate data from mobile devices. We introduce the WCTC by demonstrating its ability to transmit data covertly: (1) across existing network services, (2) across ICMP pings, and (3) via a trojanized chat application. The WCTC is implemented by manipulating the Android operating system's CPU on the client end to modulate network traffic emitted from the mobile device by purposely adjusting the CPU's speed to send a binary 1 or 0. The data is recovered and deciphered on the receiving end by applying a simple threshold to the average inter-packet spacing of a fixed number of packets within a bit stream sent by the client. To our knowledge, only intrusive methods exist to defeat this type of channel. We characterize this potential threat by determining: (1) its channel capacity, (2) the accuracy of its data transmission, (3) the effects of network hops on its accuracy, and (4) the minimum mobile device signal strength required to maintain 90% or better message recovery.


military communications conference | 2016

Securing commercial WiFi-based UAVs from common security attacks

Michael Hooper; Yifan Tian; Runxuan Zhou; Bin Cao; Adrian P. Lauf; Lanier Watkins; William H. Robinson; Wlajimir Alexis

We posit that commercial Wi-Fi-based unmanned aerial vehicles (UAVs) are vulnerable to common and basic security attacks that are within the reach of beginner to intermediate hackers. We do this by demonstrating that the standard ARDiscovery Connection process and the Wi-Fi access point used in the Parrot Bebop UAV are exploitable such that the UAV's ability to fly can be disrupted mid-flight by a remote attacker. We believe that these vulnerabilities are systemic in Wi-Fi-based Parrot UAVs. Our approach observed the normal operation (i.e., ARDiscovery Connection process over Wi-Fi) of the Parrot Bebop UAV. We then used a fuzzing technique to discover that the Parrot Bebop UAV is vulnerable to basic denial of service (DoS) and buffer-overflow attacks during its ARDiscovery Connection process. The exploitation of these vulnerabilities could result in catastrophic and immediate disabling of the UAV's rotors midflight. Also, we discovered that the Parrot Bebop UAV is vulnerable to a basic ARP (Address Resolution Protocol) Cache Poisoning attack, which can disconnect the primary mobile device user and in most cases cause the UAV to land or return home. Based on the literature and our own penetration testing, we assert that Wi-Fi-based commercial UAVs require a comprehensive security framework that utilizes a defense-in-depth approach. This approach would likely mitigate security risks associated with the three zero-day vulnerabilities described in this paper as well as other vulnerabilities reported in the literature. This framework will be effective for Parrot Wi-Fi-based commercial UAVs and likely others with similar platforms.


Proceedings of the 11th Annual Cyber and Information Security Research Conference on | 2016

Detection of Tunnels in PCAP Data by Random Forests

Anna L. Buczak; Paul A. Hanke; George Cancro; Michael K. Toma; Lanier Watkins; Jeffrey S. Chavis

This paper describes an approach for detecting the presence of domain name system (DNS) tunnels in network traffic. DNS tunneling is a common technique hackers use to establish command and control nodes and to exfiltrate data from networks. To generate the training data sufficient to build models to detect DNS tunneling activity, a penetration testing effort was employed. We extracted features from this data and trained random forest classifiers to distinguish normal DNS activity from tunneling activity. The classifiers successfully detected the presence of tunnels we trained on, and four other types of tunnels that were not a part of the training set.


local computer networks | 2015

Remotely inferring device manipulation of industrial control systems via network behavior

Georgios Lontorfos; Kevin D. Fairbanks; Lanier Watkins; William H. Robinson

This paper presents preliminary findings on a novel method to remotely fingerprint a network of Cyber Physical Systems and demonstrates the ability to remotely infer the functionality of an Industrial Control System device. A monitoring node measures the target device's response to network requests and statistically analyzes the collected data to build and classify a profile of the device's functionality via machine learning. As ICSs are used to control critical infrastructure processes such as power generation and distribution, it is vital to develop methods to detect tampering. A system employing our measurement technique could discover if an insider has made unauthorized changes to a device's logic. Our architecture also has advantages because the monitoring node is separate from the measured device. Our results indicate the ability to accurately infer (i.e., using a tunable threshold value) discrete ranges of task cycle periods (i.e., CPU loads) that could correspond to different functions.


international conference on communications | 2008

Passive Identification of Under-Utilized CPUs in High Performance Cluster Grid Networks

Lanier Watkins; Raheem A. Beyah; Cherita L. Corbett

In this paper we propose a passive approach to using network traffic to discover the availability of resources in local distributed networks (e.g., cluster grids, campus desktop grids, etc.). To our knowledge, this is the first approach of its kind. The ability to quickly identify resource availability is critical because the presence of available resources directly affects the job execution time of a distributed environment. The proposed method creates a delay-sensitive profile generated by the analysis of monitored network traffic, which emulates high performance UDP-based grid services such as file transfer applications (FOBS, Tsunami, UDT, SABUL, etc.), message passing platforms (MPICHG2/Score, etc.), and others. An energy value is derived from the delay-sensitive profile, which represents the state (over-utilized CPU or under-utilized CPU) of the resource of interest. Then a simple threshold (derived from initial calibrations on the over-utilized resources) is applied to the energy value to identify the state of the resource. This method could be used to enhance existing resource discovery algorithms used in local distributed networks because this approach is capable of passively determining a major dynamic resource attribute: CPU utilization. The main benefits are the reduction in the necessary complexity associated with the use of non-passive algorithms (e.g., flooding algorithm, name-dropper algorithm, distinctive awareness algorithm, etc.) and the reduction in the extra network traffic that results from the continual need to determine the availability of dynamic resources. Since this method is passive in nature, there is no need to query potential resources directly to determine their availability to complete distributed computing related jobs. Results suggest that once the CPU utilization approaches 70% (unavailable) the network traffic produced by that node exhibits different behavior than when the CPU utilization is less than 70% (available).


international cryptology conference | 2015

Using Network Traffic to Infer Hardware State: A Kernel-Level Investigation

Lanier Watkins; William H. Robinson; Raheem A. Beyah

In this article, we illustrate that the boundary of a general-purpose node can be extended into the network by extracting information from network traffic generated by that general-purpose node to infer the state of its hardware components. This information is represented in a delay signature latent within the network traffic. In contrast, the traditional approach to determine the internal state of a node’s resources meant that a software application with internal processes had to be resident on the node. The aforementioned delay signature is the keystone that provides a correlation between network traffic and the internal state of the source node. We characterize this delay signature by (1) identifying the different types of assembly language instructions that source this delay and (2) describing how architectural techniques, such as instruction pipelining and caching, give rise to this delay signature. In theory, highly utilized nodes (due to multiple threads) will contain excessive context switching and contention for shared resources. One important shared resource is main memory, and excessive use of this resource by applications and internal processes eventually leads to a decrease in cache efficiency that eventually stalls the instruction pipeline. Our results support this theory; specifically, we have observed that excessive context switching in active applications increases the effective memory access time and wastes precious CPU cycles, thus adding additional delay to the execution of load, store, and other instructions. Because the operating system (OS) kernel accesses memory to send network packets, the delay signature is induced into network traffic in situations where user-level utilization is high. We demonstrate this theory in two case studies: (1) resource discovery in cluster grids and (2) network-based detection of bitcoin mining on compromised nodes.


international conference on malicious and unwanted software | 2014

Fighting banking botnets by exploiting inherent command and control vulnerabilities

Lanier Watkins; Christina Kawka; Cherita L. Corbett; William H. Robinson

Malware poses a significant threat to commerce and banking systems. Specifically, the Zeus banking botnet is reported to have caused more than 100 million dollars in damages. This type of malware has been around for over ten years, and in 2013 alone was responsible for compromising over one million computers. The impact of banking botnets (i.e., typically Zeus or its derivatives) can be lessened by exploiting the inherent vulnerabilities of their command and control (C&C). Our approach involves: (1) fuzz testing the C&C to identify vulnerabilities and (2) designing exploits that can be used to make bot-herders less effective in their criminal endeavors. The novelty of our approach is its focus on interrogating the C&C and not the compromised clients; however, we do not discourage traditional malware removal and clean-up processes. As a complement to traditional processes, we offer our approach to organizations with the proper authority for an active defense (i.e., offensive measures). We demonstrate the feasibility of this approach by using the leaked Zeus 2.0.8.9 toolkit that included the C&C web application. The following security flaws exist in the Zeus 2.0.8.9 C&C web application: (1) no authentication between the zbot (i.e., client-side malware) and the C&C, (2) a lack of proper access control in the web application folders, and (3) simple clear text authentication between C&C and the remote bot-herder. Our results suggest that because of these security flaws, a range of offensive measures are viable against the Zeus C&C, including Buffer-Overflow, Denial-of-Service, and Dictionary or Brute Force Attacks.

Collaboration

Top Co-Authors

Cherita L. Corbett

Sandia National Laboratories

Raheem A. Beyah

Georgia Institute of Technology

Anna L. Buczak

Johns Hopkins University Applied Physics Laboratory

Kevin D. Fairbanks

United States Naval Academy

Juan Ramos

Johns Hopkins University

Prahlad Suresh

Johns Hopkins University

Garth V. Crosby

Southern Illinois University Carbondale

Jeffrey S. Chavis

Johns Hopkins University Applied Physics Laboratory

Jose Andre Morales

Software Engineering Institute
