WO2012069544A1 - Method and device for fingerprinting of wireless communication devices - Google Patents

Method and device for fingerprinting of wireless communication devices Download PDF

Info

Publication number
WO2012069544A1
WO2012069544A1 PCT/EP2011/070830 EP2011070830W WO2012069544A1 WO 2012069544 A1 WO2012069544 A1 WO 2012069544A1 EP 2011070830 W EP2011070830 W EP 2011070830W WO 2012069544 A1 WO2012069544 A1 WO 2012069544A1
Authority
WO
WIPO (PCT)
Prior art keywords
inter
fingerprint
wireless device
frame
channel
Prior art date
Application number
PCT/EP2011/070830
Other languages
French (fr)
Inventor
Olivier Heen
Christoph Neumann
Stéphane Onno
Original Assignee
Thomson Licensing
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Thomson Licensing filed Critical Thomson Licensing
Priority to CN201180056879.6A priority Critical patent/CN103229528B/en
Priority to JP2013540348A priority patent/JP6019033B2/en
Priority to US13/988,529 priority patent/US9462449B2/en
Priority to EP11785707.8A priority patent/EP2643985B1/en
Priority to KR1020137013100A priority patent/KR20130143694A/en
Publication of WO2012069544A1 publication Critical patent/WO2012069544A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/005Discovery of network devices, e.g. terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/79Radio fingerprint

Definitions

  • the present invention relates generally to device fingerprinting and in particular to the fingerprinting of wireless communication devices.
  • device fingerprinting means gathering information about a device in order to characterize it. This process yields a signature, also called fingerprint, which describes the device's observed features in a compact form. If the generated signature is distinctive enough, it may be used to identify the device.
  • This standard is for example used by WiFi.
  • the invention may also be used to fingerprint devices that implement other suitable communication techniques, such as for example ALOHA.
  • device fingerprinting enables identification of devices, an identification that is independent of the purported identity of the device.
  • a primary application of 802.1 1 device fingerprinting is the prevention of Media Access Control (MAC) address spoofing. This refers to the action of usurping the MAC address of another device in order to benefit from its authorization.
  • MAC Media Access Control
  • the prevention of MAC address spoofing is of importance: Open wireless networks such as hot-spots often implement MAC address based access control in order to guarantee that only legitimate client stations (e.g. the devices that has purchased Internet access) connect to the access points. Attackers may then want to steal a legitimate device's session by spoofing the latter ' s MAC address.
  • the access points may be subject to attacks: tools like AirSnarf and RawFakeAP enable an attacker to set up a rogue access point, which could make client stations connect to the fake AP instead of the genuine one.
  • a good fingerprinting method should be able to detect above attacks so that countermeasures may be taken.
  • Wi-Fi Protected Access A passive fingerprinting method may be used prior to the key-based authentication mechanism as an additional layer of trust, which may detect unauthorized devices and thus render pointless the active, possibly more vulnerable and costly, key-based authentication mechanism. Fingerprinting may also be used after the wireless authentication mechanism in order to control that only authorized devices are in the network.
  • keys may leak as there are several normal situations in which users voluntarily give out their Wi-Fi key. For instance, when inviting a friend and allowing his laptop to access the home network. While this scenario is both common and simple, it also endangers the home network; the key may later leak from the invited laptop or the friend may abusively reconnect.
  • tools exist that allow hackers to crack the WEP protocol which is known to be insecure, and there are currently existing services, e.g. WPA Cracker, that try to discover WPA keys.
  • the prior art comprises a number of solutions for fingerprinting wireless devices by analyzing implementation specificities of the network card and/or driver.
  • Franklin et al. characterize the drivers during the "active scanning period" where the card is searching for available wireless network. This searching process is underspecified in the 802.1 1 standard regarding the frequency and order of sending probe requests. Each manufacturer therefore implements its own algorithm and timers during this period. See J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J. V. Randwyk, and D. Sicker; "Passive Data Link Layer 802.1 1 Wireless Device Driver Fingerprinting"; In Proceedings Usenix Security 06, August 2006. A major drawback of this passive fingerprinting technique is that it only works during a short and specific period at the start of the wireless protocol. A similar solution is found in D.C.C. Loh, C.Y. Cho, C P. Tan and R.S. Lee, "Identifying Unique Devices through Wireless Fingerprinting", In WiSec'08, April 2008.
  • Gopinath et al. show that the 802.1 1 cards exhibit very heterogeneous behavior which are due to implementation specificities. They tested a set of 802.1 1 features such as Random Back-off timers and Virtual Carrier Sensing (NAV mechanism). The authors indicate that the observed heterogeneity in behavior may be used to fingerprint a card's vendor and model. See K. Gaopinath, P. Bhagwat, and K. Gopinath; "An Empirical Analysis of Heterogeneity in IEEE 802.1 1 MAC Protocol Implementations and Its Implications"; In Proceedings of ACM WiNTECH'06, September 2006. However, the paper does not further analyze this aspect and just presents bare experimental results.
  • Bratus et al. propose a method that uses the above work and performs actual fingerprinting of wireless client stations and access points. According to their method, malformed or non-standard stimulus frames are sent to the device to be fingerprinted and a decision tree is applied to the response or behavior of the device in order to fingerprint the vendor/manufacturer. See S. Bratus, C. Cornelius, D. Kotz, and D. Peebles; "Active Behavioral Fingerprinting of Wireless Devices"; In Proceedings of ACM WiSec'08, March 2008. A main drawback of this technique is that it is active, not passive.
  • Cache proposes two methods for fingerprinting a device's network card and driver; see J. Cache; "Fingerprinting 802.1 1 Devices”; Master Thesis, 2006.
  • the first method is active and uses the 802.1 1 association redirection mechanism, which even if well specified in the 802.1 1 standard, is very loosely implemented in the tested wireless cards. As a consequence each wireless card behaves differently during this phase which allows characterization.
  • the second method is passive and based on analysis of duration field values in 802.1 1 data and management frames. Each wireless card computes the duration field slightly differently yielding different duration values.
  • C. Arackaparambil et al. refine the work of Jana et al. and propose a new method yielding more precise clock measures. They also successfully spoof an AP, making it indistinguishable from a 'real' AP by the methods used by Jana et al. Their method uses the fact that wireless cards automatically synchronize with the attached AP (which makes the wireless card having the same clock skew than the AP). This makes it easier to spoof an AP by associating with the AP prior to the attack. See C. Arackaparambil, S. Bratus, A. Shubina, and D. Kotz; "On the Reliability of Wireless Fingerprinting Using Clock Skews"; In Proceedings of ACM WiSec 10, March 2010.
  • the invention is directed to a method of fingerprinting at least one wireless device transmitting data in frames on a channel, wherein frames transmitted in succession on the channel.
  • a device listening to the channel, receives a current frame that succeeds a preceding frame; measures an inter-arrival time from the end of reception of the preceding frame to the end of reception of the current frame; obtains, if possible, an identity of the wireless device that transmitted the current frame; and if the identity was obtained, stores the inter-arrival time in a set of inter-arrival times for the wireless device corresponding to the obtained identity in order to generate a fingerprint for the wireless device.
  • the device arranges the set of inter- arrival times as a histogram that constitutes the fingerprint for the wireless device. It is advantageous that the histogram is expressed as a percentage frequency distribution. It is also advantageous that the histogram comprises bins that correspond to specific times defined by a standard used for communication over the channel.
  • the standard is advantageously IEEE 802.1 1 , in particular IEEE 802.1 1 g, and the first bin corresponds to the Short Interframe Space (SIFS), the second bin corresponds to the Distributed coordination function Interframe Space (DIFS) minus the SIFS, and at least a third and a fourth bin, each corresponding to the length of a timeslot (aSlotTime).
  • the obtained fingerprint is compared with stored fingerprints and the wireless device is identified as the device whose stored fingerprint the obtained fingerprint resembles the most. It is advantageous that resemblance is determined using a similarity measure.
  • the invention is directed to a device for fingerprinting at least one wireless device transmitting data in frames on a channel, wherein frames are transmitted in succession on the channel.
  • the device comprises means for listening to the channel; means for receiving a current frame that succeeds a preceding frame; means for measuring an inter-arrival time from the end of reception of the previously received frame to the end of reception of the current frame; means for obtaining, if possible, an identity of the wireless device that transmitted the current frame; and means for storing, if the identity was obtained, the inter-arrival time in a set of inter- arrival times for the wireless device corresponding to the obtained identity in order to generate a fingerprint for the wireless device.
  • the device further comprises means for arranging the set of inter-arrival times as a histogram that constitutes the fingerprint for the wireless device. It is advantageous that the arranging means is further for expressing the histogram as a percentage frequency distribution.
  • the device further comprises means for comparing the obtained fingerprint with stored fingerprints; and for identifying the wireless device as the device whose stored fingerprint the obtained fingerprint resembles the most.
  • Figure 2 illustrates an exemplary monitoring station according to a preferred embodiment of the present invention
  • Figure 3 illustrates an example of network traffic monitoring according to a preferred embodiment of the present invention
  • Figure 4 illustrates a flow chart of the fingerprinting method according to a preferred embodiment of the present invention.
  • Figure 5 illustrates exemplary fingerprints generated by a preferred embodiment of the present invention. DESCRIPTION OF EMBODIMENTS
  • FIG. 1 illustrates an exemplary wireless network 100 in which the present invention may be used.
  • the wireless network 100 comprises an access point (AP) 1 10 and a plurality of client devices 120A-D (which may be jointly referred to as 120).
  • the AP 1 10 is adapted to communicate with the client devices 120 and, for example, provide Internet access to them.
  • the measured time interval is then added to the set /(s,) for the sender Si, where /(s,) denotes the set of inter-arrival times measured for sending device s,.
  • the monitoring station To collect the traces, it suffices for the monitoring station to have a standard 802.1 1 wireless card that listens in monitoring mode on the 802.1 1 channel of interest. It will be appreciated that the method of the present invention is completely passive; no additional traffic is generated. It is, for example, possible to generate the capture traces using the so-called pcap library (see TCPDump and Libpcap; http://tcpdump.org) on the monitoring device. As can be seen, this monitoring setting has very small requirements.
  • FIG. 2 illustrates an exemplary monitoring station according to a preferred embodiment of the present invention.
  • the monitoring station 200 comprises a wireless interface 210, such as the mentioned 802.1 1 wireless card, at least one processor 220 (hereinafter "processor") and memory 230.
  • the wireless interface 210 is adapted to monitor wireless traffic
  • the processor 220 is adapted to analyse the monitored traffic by, as will be seen in further detail hereinafter, measuring frame inter-arrival times and detecting the sender
  • the memory 230 is adapted to store data such as device fingerprints.
  • the processor 220 is further adapted to compare received traffic in order to identify a sending device. Only the features necessary for the comprehension of the invention are detailed; it will be understood that the monitoring station 200 further comprises internal connections and possibly, for example, a further (wire-based) communication interface and a user interface.
  • Figure 3 illustrates an example of network traffic monitoring according to a preferred embodiment of the present invention.
  • the four client devices 120 have been joined in the network 100 by the monitoring device 200.
  • the propagation time has been neglected, as it is almost zero for the small distances in the network; a frame is thus shown to arrive exactly when it is transmitted. It will also be appreciated that normally only a single frame (or no frame at all) is sent in the network at a given time (i.e. on the channel that the devices use); there is thus a succession of frames on the channel.
  • device A 120A sends a data frame until time t-i. However, as the monitoring device 200 did not capture any previous frame, it cannot calculate the inter-arrival time. Then device B 120B sends an acknowledgement (ACK) that ends at time t2. The monitoring device 200 can calculate the inter-arrival time T 2 , but it cannot determine the sender, so s 2 is not set (i.e. null) and the inter-arrival time is ignored.
  • ACK acknowledgement
  • Device A 120A then sends another frame of data, ending at t3.
  • RTS Request to Send
  • the monitoring station 200 uses these measurements to generate an inter-arrival time histogram for each emitting station.
  • Each histogram comprises the bins b 0 , ... , b k , where each bin corresponds to a time interval of inter-arrival times.
  • the number of observations in a bin b j is denoted rri j (where 0 ⁇ j ⁇ k).
  • FIG. 4 illustrates a flow chart that summarizes the fingerprinting method just described.
  • the monitoring station 200 begins by listening 410 to a channel. When it receives 420 a frame, it measures 430 the inter-arrival time from the end of reception of the preceding frame to the end of reception of the present frame. If possible, it also obtains 440 the identity of the sender of the frame. If this identity is obtained, then the inter-arrival time is stored 450 in a histogram for the sender. This is repeated as long as is deemed fit.
  • the fingerprinting is advantageously continuous, but it can also be limited in time, for example to a specific time or a specific number of received frames, either for the channel as a whole or for a specific transmitting device.
  • SIFS 10 ps
  • DIFS 28 ps
  • timeslot sizes aSlotTime 9 ps.
  • SIFS is the shortest time interval during which the channel has to be idle and is used for highest priority transmissions or by stations that has reserved the channel using the so-called virtual carrier sensing mechanism.
  • DIFS is the minimum time interval during which the channel has to be idle for stations using the so-called random backoff procedure. However, as it happens, a station transmits frames at DIFS plus multiples of aSlotTime.
  • FIG. 5 illustrates exemplary histograms 510 and 520 with the bins along the x-axis and the density (i.e. the percentage frequency) along the y- axis.
  • the density i.e. the percentage frequency
  • histogram 510 has two salient peaks
  • histogram 520 only has one.
  • the scale on the x-axis is the same, but that the y- axis goes from 0 to 0.05 in the top histogram 510 and from 0 to 0.01 in the bottom histogram 520.
  • PLCP Physical Layer Convergence Protocol
  • Duration and size depend on the used transmission rates and on features of the physical layer, which partly depend on the wireless card and its driver.
  • the sender then transmits the frame's payload, whose transmission duration depends on the transmission rate and the size of the payload.
  • the frame type, the settings of the wireless card, and the application that generates the frame data influence the size of the frames.
  • the frame transmission duration depends on a mix of features of the wireless card and on the application that generates the data in the frame. Owing to this dependence, some very characteristic patterns and peaks are generated in the histograms.
  • the duration of the idle period depends mainly on the wireless card and its driver.
  • a signature based on this measurement only would not be able to differentiate between two devices that use the same wireless card and driver.
  • inter-arrival time histograms are also used by Berger-Sabbatel et al, but they however use them to assess the performance of 802.1 1 devices, not for fingerprinting. In addition, their measurements are only applicable in a completely controlled environment with no or only controlled background traffic. See G. Berger-Sabbatel, Y. Grunenberger, M. Heusse, F. Rousseau, and A. Duda, "Interarrival Histograms: A Method for Measuring Transmission Delays in 802.1 1 WLANs", Research report, LIG Lab, Grenoble, France, Oct 2007. So far, the description has focused on the generation of fingerprints for devices. This generation is also called the learning phase, during which a reference database is populated with fingerprints.
  • the monitoring device 200 stores the generated signatures, i.e. the reference database, in memory 230. It is thus able to obtain the histograms Sig(refj) of all its known wireless devices ref,.
  • the reference database is thus generated from one or more training datasets, which may an entire wireless trace or a subset of thereof, from which the histograms are computed for each source address appearing in the trace.
  • the skilled person will appreciate that it is possible for an attacker to pollute the training datasets, in which case the fingerprints may be corrupt.
  • fingerprints are normally used in a subsequent detection phase, during which a monitoring device matches unknown wireless devices against the fingerprints in the reference database.
  • a monitoring device matches unknown wireless devices against the fingerprints in the reference database.
  • the skilled person will appreciate that 'unknown' merely means that there may be a fingerprint for the unknown device in the reference database, but that the monitoring device has yet to identify the unknown device; the unknown device may naturally also be completely unknown, which is the case for example if the monitoring device has never encountered it before.
  • a further wireless trace is analyzed in order to extract the signatures Sig(candj) for all devices, called candidate devices, appearing in this trace.
  • the signature of each candidate device is compared to the signatures of the reference database.
  • the comparison is performed using at least one similarity measure further described hereinafter. This yields, for each candidate device, a vector of similarities ⁇ sim-i , sim 2 , ... , sim N >, where sim, represents the similarity of the signature Sig(candj) of the unknown device compared to the reference signature of device ref,.
  • the proximity test does not try to identify the candidate device exactly.
  • the fingerprint algorithm returns a set of reference device identifiers to which the similarity sim, is smaller than a threshold value TV.
  • This can enable fine-tuning of the method, using two accuracy metrics: the true positive rate (TPR) and the false positive rate (FPR).
  • TPR is the fraction of candidate wireless devices known to the reference database for which the returned set contains the candidate device's actual identity.
  • FPR is the fraction of candidate wireless devices not known to the reference database for which the algorithm returned a non empty set of identities.
  • the identification test presupposes that the proximity test returned a set of reference device identifiers and that the candidate identity is contained in this set. Based on the vector of similarities returned by the previous test, we pick the reference device with the greatest similarity. A suitable accuracy metric for this test is expressed as a detection ratio, i.e. the fraction of wireless devices that have been correctly identified.
  • the first similarity measure is a standard L1 -similarity based on the L1 -distance:
  • the second similarity measure is a ⁇ -similarity, based on the ⁇ -test:
  • the second similarity measure is smaller than 0, i.e. negative. It is thus not, in a strict sense, a similarity measure, but it nevertheless performs well. In particular, owing to the square, this similarity measure gives more weight to some large differences than many small ones, and it also gives more importance to differences whenever P refj is small.
  • the third similarity measure is a Jaccard-similarity, based on the
  • this equals 1 if the signatures are identical. If the signatures are completely opposite, then the value is 0.
  • the fingerprinting method can be implemented quite easily without the need for special equipment, it may be implemented by 'normal' user devices such as PCs, mobile phones, gateways in home networks and so on. It will thus be appreciated that the present invention can provide a passive method for fingerprinting wireless devices, in particular those implementing the IEEE 802.1 1 protocol, and that the method being easy to implement.
  • the claims and drawings may be provided independently or in any appropriate combination.
  • Features described as being implemented in hardware may also be implemented in software, and vice versa.
  • Reference numerals appearing in the claims are by way of illustration only and shall have no limiting effect on the scope of the claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for fingerprinting wireless devices (120) and a method for using a device fingerprint for identifying wireless devices. A monitoring station (200) listens (410) to a channel. For each received frame, the station measures (430) the inter-arrival time from the end of the previously received frame to the end of the present frame. If possible, the station obtains (440) the identity 10 of the sender of the frame. If the sender is known, then the station stores (450) the inter-arrival time in a histogram for the sender; the histogram becomes the fingerprint for the sender. Identification of a device begins by obtaining a number of inter-arrival times for an unknown sender and then matching these to stored fingerprints using a suitable similarity measure. The 15 invention is particularly suitable for IEEE 802.11 and may for example be used to detect so-called MAC spoofing and as an additional layer of an identification protocol.

Description

METHOD AND DEVICE FOR FINGERPRINTING OF WIRELESS
COMMUNICATION DEVICES
TECHNICAL FIELD
The present invention relates generally to device fingerprinting and in particular to the fingerprinting of wireless communication devices.
BACKGROUND
This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art. For the purposes of the present invention device fingerprinting means gathering information about a device in order to characterize it. This process yields a signature, also called fingerprint, which describes the device's observed features in a compact form. If the generated signature is distinctive enough, it may be used to identify the device. The description will be focused on fingerprinting devices that implement the standard for wireless communication called IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements Part 1 1 : Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications; for short called IEEE 802.1 1 and defined in IEEE Std 802.1 1 -1999 (hereinafter 802.1 1 ). This standard is for example used by WiFi. It will however be appreciated that the invention may also be used to fingerprint devices that implement other suitable communication techniques, such as for example ALOHA. As already mentioned, device fingerprinting enables identification of devices, an identification that is independent of the purported identity of the device. A primary application of 802.1 1 device fingerprinting is the prevention of Media Access Control (MAC) address spoofing. This refers to the action of usurping the MAC address of another device in order to benefit from its authorization.
In several scenarios, the prevention of MAC address spoofing is of importance: Open wireless networks such as hot-spots often implement MAC address based access control in order to guarantee that only legitimate client stations (e.g. the devices that has purchased Internet access) connect to the access points. Attackers may then want to steal a legitimate device's session by spoofing the latter' s MAC address. Conversely, the access points may be subject to attacks: tools like AirSnarf and RawFakeAP enable an attacker to set up a rogue access point, which could make client stations connect to the fake AP instead of the genuine one. A good fingerprinting method should be able to detect above attacks so that countermeasures may be taken.
In fact, it can make sense to use fingerprint signature verification even in wireless networks protected by a key, e.g. Wi-Fi Protected Access (WPA). A passive fingerprinting method may be used prior to the key-based authentication mechanism as an additional layer of trust, which may detect unauthorized devices and thus render pointless the active, possibly more vulnerable and costly, key-based authentication mechanism. Fingerprinting may also be used after the wireless authentication mechanism in order to control that only authorized devices are in the network. Indeed, keys may leak as there are several normal situations in which users voluntarily give out their Wi-Fi key. For instance, when inviting a friend and allowing his laptop to access the home network. While this scenario is both common and simple, it also endangers the home network; the key may later leak from the invited laptop or the friend may abusively reconnect. Finally, tools exist that allow hackers to crack the WEP protocol, which is known to be insecure, and there are currently existing services, e.g. WPA Cracker, that try to discover WPA keys.
The prior art comprises a number of solutions for fingerprinting wireless devices by analyzing implementation specificities of the network card and/or driver.
Franklin et al. characterize the drivers during the "active scanning period" where the card is searching for available wireless network. This searching process is underspecified in the 802.1 1 standard regarding the frequency and order of sending probe requests. Each manufacturer therefore implements its own algorithm and timers during this period. See J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J. V. Randwyk, and D. Sicker; "Passive Data Link Layer 802.1 1 Wireless Device Driver Fingerprinting"; In Proceedings Usenix Security 06, August 2006. A major drawback of this passive fingerprinting technique is that it only works during a short and specific period at the start of the wireless protocol. A similar solution is found in D.C.C. Loh, C.Y. Cho, C P. Tan and R.S. Lee, "Identifying Unique Devices through Wireless Fingerprinting", In WiSec'08, April 2008.
Gopinath et al. show that the 802.1 1 cards exhibit very heterogeneous behavior which are due to implementation specificities. They tested a set of 802.1 1 features such as Random Back-off timers and Virtual Carrier Sensing (NAV mechanism). The authors indicate that the observed heterogeneity in behavior may be used to fingerprint a card's vendor and model. See K. Gaopinath, P. Bhagwat, and K. Gopinath; "An Empirical Analysis of Heterogeneity in IEEE 802.1 1 MAC Protocol Implementations and Its Implications"; In Proceedings of ACM WiNTECH'06, September 2006. However, the paper does not further analyze this aspect and just presents bare experimental results.
Bratus et al. propose a method that uses the above work and performs actual fingerprinting of wireless client stations and access points. According to their method, malformed or non-standard stimulus frames are sent to the device to be fingerprinted and a decision tree is applied to the response or behavior of the device in order to fingerprint the vendor/manufacturer. See S. Bratus, C. Cornelius, D. Kotz, and D. Peebles; "Active Behavioral Fingerprinting of Wireless Devices"; In Proceedings of ACM WiSec'08, March 2008. A main drawback of this technique is that it is active, not passive.
Cache proposes two methods for fingerprinting a device's network card and driver; see J. Cache; "Fingerprinting 802.1 1 Devices"; Master Thesis, 2006. The first method is active and uses the 802.1 1 association redirection mechanism, which even if well specified in the 802.1 1 standard, is very loosely implemented in the tested wireless cards. As a consequence each wireless card behaves differently during this phase which allows characterization. The second method is passive and based on analysis of duration field values in 802.1 1 data and management frames. Each wireless card computes the duration field slightly differently yielding different duration values.
Common to all of the approaches hereinbefore is that they cannot differentiate between two devices using the same network card and driver. These approaches may thus for example not be used for detecting MAC address spoofing and even less order to identify the devices.
In contrast to the papers hereinbefore, Pang et al. discuss privacy implications of 802.1 1 . Their paper highlights that users are not anonymous when using 802.1 1 as the protocol uses globally unique identifiers (i.e. the MAC addresses) that allows user tracking. Even if this identifier is masked - e.g. by temporarily changing addresses - it is still possible to track users by observing a set of parameters (used as implicit identifiers) in the 802.1 1 protocol. The authors apply a naive Bayes classifier on four implicit identifiers, namely network destinations, network names advertised in 802.1 1 probes, 802.1 1 configuration options and broadcast frame sizes. Three out of the four parameters apply even when the traffic is encrypted. Using busy hot spot test traces, they could identify 64% of users with 90% accuracy.
Other prior art documents deal with the fingerprinting of wireless access points (APs). Jana et al. calculate the clock skews of access points in order to identify them. The clock skews are calculated using the Timestamps contained in Beacon/Probe response frames emitted by the AP. An attacker that replays the clock skew is subject to the 802.1 1 protocol timers such as the DIFS (Distributed coordination function Interframe Space) which changes the actual time the beacon is sent. As those timers are not accessible from the driver level (where the attack is implemented), the timestamps and receiving times do not correspond, which changes the measured clock skew. Their proposed method is able to measure those differences and therefore detect the attack. See S. Jana and S. K. Kasera; "On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews;" In Proceedings of ACM MobiCom 08, September 2008.
C. Arackaparambil et al. refine the work of Jana et al. and propose a new method yielding more precise clock measures. They also successfully spoof an AP, making it indistinguishable from a 'real' AP by the methods used by Jana et al. Their method uses the fact that wireless cards automatically synchronize with the attached AP (which makes the wireless card having the same clock skew than the AP). This makes it easier to spoof an AP by associating with the AP prior to the attack. See C. Arackaparambil, S. Bratus, A. Shubina, and D. Kotz; "On the Reliability of Wireless Fingerprinting Using Clock Skews"; In Proceedings of ACM WiSec 10, March 2010.
The methods of Jana et al. and Arackaparambil et al. are however only applicable to access points as they require the timestamps included in the 802.1 1 beacon frames which are only sent by access points and not by client stations. Finally, for completeness, two papers tackle the problem of MAC address spoofing, but do not engage in any fingerprinting. Both papers detect discontinuities in 802.1 1 frame sequence numbers in order to detect potential address spoofing. See J. Wright, "Detecting Wireless LAN MAC Address Spoofing"; Technical Report, 2003 and F. Gua and T. Chiueh, "Sequence Number-Based MAC Address Spoof Detection; In Proceedings of RAID 2005, September 2005.
It will therefore be appreciated that there is a need for a solution that can enable passive fingerprinting and individual identification of wireless devices. The present invention provides such a solution.
SUMMARY OF INVENTION
In a first aspect, the invention is directed to a method of fingerprinting at least one wireless device transmitting data in frames on a channel, wherein frames transmitted in succession on the channel. A device, listening to the channel, receives a current frame that succeeds a preceding frame; measures an inter-arrival time from the end of reception of the preceding frame to the end of reception of the current frame; obtains, if possible, an identity of the wireless device that transmitted the current frame; and if the identity was obtained, stores the inter-arrival time in a set of inter-arrival times for the wireless device corresponding to the obtained identity in order to generate a fingerprint for the wireless device.
In a first preferred embodiment, the device arranges the set of inter- arrival times as a histogram that constitutes the fingerprint for the wireless device. It is advantageous that the histogram is expressed as a percentage frequency distribution. It is also advantageous that the histogram comprises bins that correspond to specific times defined by a standard used for communication over the channel. The standard is advantageously IEEE 802.1 1 , in particular IEEE 802.1 1 g, and the first bin corresponds to the Short Interframe Space (SIFS), the second bin corresponds to the Distributed coordination function Interframe Space (DIFS) minus the SIFS, and at least a third and a fourth bin, each corresponding to the length of a timeslot (aSlotTime).
In a second preferred embodiment, the obtained fingerprint is compared with stored fingerprints and the wireless device is identified as the device whose stored fingerprint the obtained fingerprint resembles the most. It is advantageous that resemblance is determined using a similarity measure.
In a second aspect, the invention is directed to a device for fingerprinting at least one wireless device transmitting data in frames on a channel, wherein frames are transmitted in succession on the channel. The device comprises means for listening to the channel; means for receiving a current frame that succeeds a preceding frame; means for measuring an inter-arrival time from the end of reception of the previously received frame to the end of reception of the current frame; means for obtaining, if possible, an identity of the wireless device that transmitted the current frame; and means for storing, if the identity was obtained, the inter-arrival time in a set of inter- arrival times for the wireless device corresponding to the obtained identity in order to generate a fingerprint for the wireless device.
In a first preferred embodiment, the device further comprises means for arranging the set of inter-arrival times as a histogram that constitutes the fingerprint for the wireless device. It is advantageous that the arranging means is further for expressing the histogram as a percentage frequency distribution.
In a second preferred embodiment, the device further comprises means for comparing the obtained fingerprint with stored fingerprints; and for identifying the wireless device as the device whose stored fingerprint the obtained fingerprint resembles the most. BRIEF DESCRIPTION OF DRAWINGS
Preferred features of the present invention will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which Figure 1 illustrates an exemplary wireless network in which the present invention may be used;
Figure 2 illustrates an exemplary monitoring station according to a preferred embodiment of the present invention;
Figure 3 illustrates an example of network traffic monitoring according to a preferred embodiment of the present invention;
Figure 4 illustrates a flow chart of the fingerprinting method according to a preferred embodiment of the present invention; and
Figure 5 illustrates exemplary fingerprints generated by a preferred embodiment of the present invention. DESCRIPTION OF EMBODIMENTS
Figure 1 illustrates an exemplary wireless network 100 in which the present invention may be used. The wireless network 100 comprises an access point (AP) 1 10 and a plurality of client devices 120A-D (which may be jointly referred to as 120). The AP 1 10 is adapted to communicate with the client devices 120 and, for example, provide Internet access to them.
A salient inventive idea of the present invention is to monitor network traffic and measure the frame inter-arrival times for frames sent by each sending wireless device. The wireless trace captured (i.e. received) by a monitoring station (which could be the AP 1 10 or a client device 120) is given as a sequence po, ... , pn of frames. The time of end of reception of a frame p, is denoted t, (where 0 < / < n) and frames are increasingly ordered according to the reception time (i.e. V/ : f,.i < ί,). Frame p, is sent by sender s,, and the sender is considered to be unknown for frames with a frame type that does not include a sender address or a transmitting address (such as ACK frames and Clear-to-send frames); in the latter case s, = null. For each frame p,, the interval 7} = t, - is measured, i.e. the difference between the time of end of reception of frame p 1 and the time of end of reception of succeeding frame Pi. The measured time interval , is then added to the set /(s,) for the sender Si, where /(s,) denotes the set of inter-arrival times measured for sending device s,. |/(s,)| is the number of observations for device s,.
To collect the traces, it suffices for the monitoring station to have a standard 802.1 1 wireless card that listens in monitoring mode on the 802.1 1 channel of interest. It will be appreciated that the method of the present invention is completely passive; no additional traffic is generated. It is, for example, possible to generate the capture traces using the so-called pcap library (see TCPDump and Libpcap; http://tcpdump.org) on the monitoring device. As can be seen, this monitoring setting has very small requirements.
Figure 2 illustrates an exemplary monitoring station according to a preferred embodiment of the present invention. The monitoring station 200 comprises a wireless interface 210, such as the mentioned 802.1 1 wireless card, at least one processor 220 (hereinafter "processor") and memory 230. The wireless interface 210 is adapted to monitor wireless traffic, the processor 220 is adapted to analyse the monitored traffic by, as will be seen in further detail hereinafter, measuring frame inter-arrival times and detecting the sender, and the memory 230 is adapted to store data such as device fingerprints. The processor 220 is further adapted to compare received traffic in order to identify a sending device. Only the features necessary for the comprehension of the invention are detailed; it will be understood that the monitoring station 200 further comprises internal connections and possibly, for example, a further (wire-based) communication interface and a user interface.
Figure 3 illustrates an example of network traffic monitoring according to a preferred embodiment of the present invention. The four client devices 120 have been joined in the network 100 by the monitoring device 200. In Figure 3, the propagation time has been neglected, as it is almost zero for the small distances in the network; a frame is thus shown to arrive exactly when it is transmitted. It will also be appreciated that normally only a single frame (or no frame at all) is sent in the network at a given time (i.e. on the channel that the devices use); there is thus a succession of frames on the channel.
At first, device A 120A sends a data frame until time t-i. However, as the monitoring device 200 did not capture any previous frame, it cannot calculate the inter-arrival time. Then device B 120B sends an acknowledgement (ACK) that ends at time t2. The monitoring device 200 can calculate the inter-arrival time T2, but it cannot determine the sender, so s2 is not set (i.e. null) and the inter-arrival time is ignored.
Device A 120A then sends another frame of data, ending at t3. The monitoring device 200 calculates the inter-arrival time T3=t3-t2 and sets s3=A. Similarly, device C 120C sends a Request to Send (RTS) enabling the calculation of
Figure imgf000012_0001
and device D 120D sends a data frame enabling the calculation of T5=t5-t4 and s5=D.
At this point l(A)={T3}, l(B)={null}, l(C)={T4}, and l(D)={T5}. Naturally, there would normally be many more captured frames, but the number has been kept to a minimum for reasons of clarity. It will be appreciated that these sets l(s,) in fact are fingerprints for the corresponding devices (keeping in mind that the sets normally comprise many more observations). However, the fingerprint is much easier to visualize and also to compare when it is expressed as a histogram, as will be further described hereinafter.
The monitoring station 200 uses these measurements to generate an inter-arrival time histogram for each emitting station. Each histogram comprises the bins b0, ... , bk, where each bin corresponds to a time interval of inter-arrival times. The number of observations in a bin bj is denoted rrij (where 0 < j < k). The histogram may then be converted into a percentage frequency distribution, where the percentage frequency of bin bj is Pj = m |l(S)|. A signature for wireless device S may then be defined as Sig(S) = {Pj ; Vj G 0≤j≤k}.
It should be noted that there is a risk that two devices begin simultaneous transmission of frames on the channel, resulting in a corrupted frame. In this case, a Carrier sense multiple access with collision avoidance (CSMA/CA) mechanism defined by the standard makes the transmitting devices 'back off and retransmit later. There are, at least, two embodiments for how the monitoring station 200 should handle corrupt frames. A first embodiment is to perform the measurement from the end of reception of the corrupt frame when calculating the inter-arrival time of the succeeding frame; in a variant, the inter-arrival time for the corrupt frame itself is ignored, while this inter-arrival time is counted for each transmitting device in another variant if it is possible to obtain the identities. A second embodiment is to simply ignore the corrupt frame and consider the latest 'correct' (i.e. non- corrupt) frame as the preceding frame for the next 'correct' frame.
Figure 4 illustrates a flow chart that summarizes the fingerprinting method just described. The monitoring station 200 begins by listening 410 to a channel. When it receives 420 a frame, it measures 430 the inter-arrival time from the end of reception of the preceding frame to the end of reception of the present frame. If possible, it also obtains 440 the identity of the sender of the frame. If this identity is obtained, then the inter-arrival time is stored 450 in a histogram for the sender. This is repeated as long as is deemed fit. The fingerprinting is advantageously continuous, but it can also be limited in time, for example to a specific time or a specific number of received frames, either for the channel as a whole or for a specific transmitting device.
The histogram bins are preferably aligned with some time intervals defined by the associated communication protocol. For example, the histogram bins of the example illustrated in Figure 3 advantageously correspond to time intervals defined by the 802.1 1 standard, which requires that before transmission, an emitting station listen to the communication channel for a certain amount of time to see if it is idle. The emitting station does not transmit any frames during this time. Apart from the DIFS already mentioned hereinbefore, 802.1 1 also defines the time interval Short Interframe Space (SIFS) and sets the length of each timeslot. The exact values depend on the variant of 802.1 1 ; in IEEE Std 802.1 1™-2007 (herein "802.1 1 g"), SIFS = 10 ps, DIFS = 28 ps and timeslot sizes aSlotTime = 9 ps. SIFS is the shortest time interval during which the channel has to be idle and is used for highest priority transmissions or by stations that has reserved the channel using the so-called virtual carrier sensing mechanism. DIFS is the minimum time interval during which the channel has to be idle for stations using the so-called random backoff procedure. However, as it happens, a station transmits frames at DIFS plus multiples of aSlotTime. Using these times yields a histogram with the first bin b0 of size SIFS, the second bin bi of size DIFS-SIFS and all the following bins b2, ... , bk of size aSlotTime. Figure 5 illustrates exemplary histograms 510 and 520 with the bins along the x-axis and the density (i.e. the percentage frequency) along the y- axis. A mere glance at the histograms 510 and 520 suffices to recognize that they are quite different; hence the fingerprints are also different. For instance, histogram 510 has two salient peaks, while histogram 520 only has one. It should also be noted that the scale on the x-axis is the same, but that the y- axis goes from 0 to 0.05 in the top histogram 510 and from 0 to 0.01 in the bottom histogram 520.
The skilled person will note that measurement of the end of reception of a frame, measures both the emitting station's idle period and transmission period. Looking first at the transmission period, a sender starts a transmission by sending so-called Physical Layer Convergence Protocol (PLCP) preambles and headers. These are used for synchronization at the physical layer. Duration and size depend on the used transmission rates and on features of the physical layer, which partly depend on the wireless card and its driver. The sender then transmits the frame's payload, whose transmission duration depends on the transmission rate and the size of the payload. In addition, the frame type, the settings of the wireless card, and the application that generates the frame data influence the size of the frames. Thus, the frame transmission duration depends on a mix of features of the wireless card and on the application that generates the data in the frame. Owing to this dependence, some very characteristic patterns and peaks are generated in the histograms.
If the measurements were made at the start of reception of a frame, this would just measure the idle time, i.e. the time the emitting station waited before transmitting. A signature based solely on this measurement would enable differentiation of a subset of the monitored wireless stations. Implementation specificities of this period in the wireless driver and the wireless card may influence the histogram. Thus, the duration of the idle period depends mainly on the wireless card and its driver. A signature based on this measurement only would not be able to differentiate between two devices that use the same wireless card and driver.
It should be noted that inter-arrival time histograms are also used by Berger-Sabbatel et al, but they however use them to assess the performance of 802.1 1 devices, not for fingerprinting. In addition, their measurements are only applicable in a completely controlled environment with no or only controlled background traffic. See G. Berger-Sabbatel, Y. Grunenberger, M. Heusse, F. Rousseau, and A. Duda, "Interarrival Histograms: A Method for Measuring Transmission Delays in 802.1 1 WLANs", Research report, LIG Lab, Grenoble, France, Oct 2007. So far, the description has focused on the generation of fingerprints for devices. This generation is also called the learning phase, during which a reference database is populated with fingerprints. The monitoring device 200 stores the generated signatures, i.e. the reference database, in memory 230. It is thus able to obtain the histograms Sig(refj) of all its known wireless devices ref,. The reference database is thus generated from one or more training datasets, which may an entire wireless trace or a subset of thereof, from which the histograms are computed for each source address appearing in the trace. The skilled person will appreciate that it is possible for an attacker to pollute the training datasets, in which case the fingerprints may be corrupt.
These fingerprints are normally used in a subsequent detection phase, during which a monitoring device matches unknown wireless devices against the fingerprints in the reference database. The skilled person will appreciate that 'unknown' merely means that there may be a fingerprint for the unknown device in the reference database, but that the monitoring device has yet to identify the unknown device; the unknown device may naturally also be completely unknown, which is the case for example if the monitoring device has never encountered it before.
In the detection phase, a further wireless trace, called a validation dataset, is analyzed in order to extract the signatures Sig(candj) for all devices, called candidate devices, appearing in this trace. The signature of each candidate device is compared to the signatures of the reference database. The comparison is performed using at least one similarity measure further described hereinafter. This yields, for each candidate device, a vector of similarities < sim-i , sim2, ... , simN >, where sim, represents the similarity of the signature Sig(candj) of the unknown device compared to the reference signature of device ref,.
For each candidate device, it may be interesting to resolve the following two problems: proximity and identification. The proximity test does not try to identify the candidate device exactly.
Instead, the fingerprint algorithm returns a set of reference device identifiers to which the similarity sim, is smaller than a threshold value TV. This can enable fine-tuning of the method, using two accuracy metrics: the true positive rate (TPR) and the false positive rate (FPR). TPR is the fraction of candidate wireless devices known to the reference database for which the returned set contains the candidate device's actual identity. FPR is the fraction of candidate wireless devices not known to the reference database for which the algorithm returned a non empty set of identities.
The identification test presupposes that the proximity test returned a set of reference device identifiers and that the candidate identity is contained in this set. Based on the vector of similarities returned by the previous test, we pick the reference device with the greatest similarity. A suitable accuracy metric for this test is expressed as a detection ratio, i.e. the fraction of wireless devices that have been correctly identified.
There are, of course, many different similarity measures that can be used. Three such similarity measures will be described hereinafter.
Sig(ref) = {Prefj; j} denotes the reference signature for device re and Sig(cand) = {Pcandj; j} denotes the candidate signature for device cand.
The first similarity measure is a standard L1 -similarity based on the L1 -distance:
Yr-o \ PCand ' — Pre |
simLi (Sig(cand), Sig(ref)) = 1 —— cand;} re^,}
If two signatures are identical, then the value equals 1 ; conversely, it equals 0 if two signatures are entirely opposite.
This is a standard and quite simple measure performs reasonably well.
The second similarity measure is a χ -similarity, based on the χ -test:
k (P P )2
Once again, if two signatures are identical, then the value equals 1. However, it is possible for the second similarity measure to be smaller than 0, i.e. negative. It is thus not, in a strict sense, a similarity measure, but it nevertheless performs well. In particular, owing to the square, this similarity measure gives more weight to some large differences than many small ones, and it also gives more importance to differences whenever Prefj is small. The third similarity measure is a Jaccard-similarity, based on the
Jaccard-distance.
sim Jacc (Sig(cand), Sig ref) )
Figure imgf000018_0001
t->j=0 r cand,j ^ ^j=0 r ref Aij=o r cand,jrref,j
As with the other similarity measures, this equals 1 if the signatures are identical. If the signatures are completely opposite, then the value is 0.
The skilled person will appreciate that the Jaccard-similarity metric has been used with good results in several trace analysis scenarios. See for example J. Pang, B. Greenstein, R. Gummadi, S. Seshan, and D. Wetherall, "802.1 1 User Fingerprinting", In Proceedings of ACM MobiCom'07, September 2007; and J. Wright, "Detecting Wireless LAN MAC Address Spoofing", Technical Report, 2003. The skilled person will appreciate that the fingerprinting method described herein can be used in a number of different applications. The method may for example be used to complement the MAC address based access control that is often implemented, in particular in home networks. It may also be used to detect rogue access points, i.e. access points that purport being a genuine access point. Another example is as a way of locating and tracking devices.
The skilled person will also appreciate that as the fingerprinting method can be implemented quite easily without the need for special equipment, it may be implemented by 'normal' user devices such as PCs, mobile phones, gateways in home networks and so on. It will thus be appreciated that the present invention can provide a passive method for fingerprinting wireless devices, in particular those implementing the IEEE 802.1 1 protocol, and that the method being easy to implement. Each feature disclosed in the description and (where appropriate) the claims and drawings may be provided independently or in any appropriate combination. Features described as being implemented in hardware may also be implemented in software, and vice versa. Reference numerals appearing in the claims are by way of illustration only and shall have no limiting effect on the scope of the claims.

Claims

1 . A method of fingerprinting at least one wireless device (120) transmitting data in frames on a channel, wherein frames are transmitted in succession on the channel, the method comprising the steps, in a device (200) listening to the channel, of:
receiving (420) a current frame that succeeds a preceding frame;
measuring (430) an inter-arrival time from the end of reception of the preceding frame to the end of reception of the current frame;
obtaining (440), if possible, an identity of the wireless device that transmitted the current frame; and
if the identity was obtained, storing (450) the inter-arrival time in a set of inter-arrival times for the wireless device (120) corresponding to the obtained identity in order to generate a fingerprint for the wireless device.
2. The method of claim 1 , further comprising the step of arranging the set of inter-arrival times as a histogram (510, 520) that constitutes the fingerprint for the wireless device (120).
3. The method of claim 2, further comprising the step of expressing the histogram (510, 520) as a percentage frequency distribution.
4. The method of claim 2, wherein the histogram comprises bins that correspond to specific times defined by a standard used for communication over the channel.
5. The method of claim 4, wherein the standard is IEEE 802.1 1 .
6. The method of claim 5, wherein the standard is IEEE 802.1 1 g.
7. The method of claim 5, wherein the first bin corresponds to the Short Interframe Space (SIFS), the second bin corresponds to the Distributed coordination function Interframe Space (DIFS) minus the SIFS, and at least a third and a fourth bin, each corresponding to the length of a timeslot (aSlotTime).
8. The method of claim 1 , further comprising the steps of:
comparing the obtained fingerprint with stored fingerprints; and identifying the wireless device (120) as the device whose stored fingerprint the obtained fingerprint resembles the most.
9. The method of claim 8, wherein resemblance is determined using a similarity measure.
10. A device (200) for fingerprinting at least one wireless device (120) transmitting data in frames on a channel, wherein frames are transmitted in succession on the channel, the device (200) comprising:
means (210) for listening to the channel;
means (210) for receiving a current frame that succeeds a preceding frame;
means (220) for measuring an inter-arrival time from the end of reception of the previously received frame to the end of reception of the current frame;
means (220) for obtaining, if possible, an identity of the wireless device that transmitted the current frame; and
means (230) for storing, if the identity was obtained, the inter-arrival time in a set of inter-arrival times for the wireless device (120) corresponding to the obtained identity in order to generate a fingerprint for the wireless device (120).
1 1 . The device of claim 10, further comprising means for arranging the set of inter-arrival times as a histogram (510, 520) that constitutes the fingerprint for the wireless device (120).
12. The device of claim 1 1 , wherein the arranging means is further for expressing the histogram (510, 520) as a percentage frequency distribution.
13. The device of claim 10, further comprising:
means (220) for comparing the obtained fingerprint with stored fingerprints; and for identifying the wireless device (120) as the device whose stored fingerprint the obtained fingerprint resembles the most.
PCT/EP2011/070830 2010-11-25 2011-11-23 Method and device for fingerprinting of wireless communication devices WO2012069544A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CN201180056879.6A CN103229528B (en) 2010-11-25 2011-11-23 Method and device for fingerprinting of wireless communication device
JP2013540348A JP6019033B2 (en) 2010-11-25 2011-11-23 Method and apparatus for fingerprinting a wireless communication device
US13/988,529 US9462449B2 (en) 2010-11-25 2011-11-23 Method and device for fingerprinting of wireless communication devices
EP11785707.8A EP2643985B1 (en) 2010-11-25 2011-11-23 Method and device for fingerprinting of wireless communication devices
KR1020137013100A KR20130143694A (en) 2010-11-25 2011-11-23 Method and device for fingerprinting of wireless communication devices

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP10306294 2010-11-25
EP10306294.9 2010-11-25

Publications (1)

Publication Number Publication Date
WO2012069544A1 true WO2012069544A1 (en) 2012-05-31

Family

ID=45002980

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/070830 WO2012069544A1 (en) 2010-11-25 2011-11-23 Method and device for fingerprinting of wireless communication devices

Country Status (6)

Country Link
US (1) US9462449B2 (en)
EP (1) EP2643985B1 (en)
JP (1) JP6019033B2 (en)
KR (1) KR20130143694A (en)
CN (1) CN103229528B (en)
WO (1) WO2012069544A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2677793A1 (en) 2012-06-20 2013-12-25 Thomson Licensing Method and device for countering fingerprint forgery attacks in a communication system
CN106961434A (en) * 2017-03-21 2017-07-18 南京大学 One kind carries out fingerprint modeling for wireless device and knows method for distinguishing
EP3474240A1 (en) * 2017-10-19 2019-04-24 HUF Hülsbeck & Fürst GmbH & Co. KG Method and system for activating a safety function via an external apparatus

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9313221B2 (en) * 2012-01-31 2016-04-12 Hewlett Packard Enterprise Development Lp Determination of spoofing of a unique machine identifier
US9461973B2 (en) 2014-03-19 2016-10-04 Bluefin Payment Systems, LLC Systems and methods for decryption as a service
JP6239805B2 (en) * 2014-03-19 2017-11-29 ブルーフィン ペイメント システムズ エルエルシーBluefin Payment Systems,Llc System and method for creating fingerprint of encryption device
US11256798B2 (en) 2014-03-19 2022-02-22 Bluefin Payment Systems Llc Systems and methods for decryption as a service
US9124583B1 (en) * 2014-05-09 2015-09-01 Bank Of America Corporation Device registration using device fingerprint
US20160006842A1 (en) * 2014-07-02 2016-01-07 Qualcomm Incorporated Frame format supporting enhanced features in a communication network
US10116493B2 (en) 2014-11-21 2018-10-30 Cisco Technology, Inc. Recovering from virtual port channel peer failure
CN105989149A (en) * 2015-03-02 2016-10-05 苏宁云商集团股份有限公司 Method and system for extracting and recognizing fingerprint of user equipment
EP3265919B1 (en) 2015-03-06 2021-09-29 Georgia Tech Research Corporation Device fingerprinting for cyber-physical systems
US9838278B2 (en) 2016-02-26 2017-12-05 Guavus, Inc. Self-learning device classifier
US10542014B2 (en) * 2016-05-11 2020-01-21 International Business Machines Corporation Automatic categorization of IDPS signatures from multiple different IDPS systems
US10333828B2 (en) 2016-05-31 2019-06-25 Cisco Technology, Inc. Bidirectional multicasting over virtual port channel
US10027671B2 (en) * 2016-06-16 2018-07-17 Ca, Inc. Restricting access to content based on a posterior probability that a terminal signature was received from a previously unseen computer terminal
US10032116B2 (en) * 2016-07-05 2018-07-24 Ca, Inc. Identifying computer devices based on machine effective speed calibration
US11509501B2 (en) * 2016-07-20 2022-11-22 Cisco Technology, Inc. Automatic port verification and policy application for rogue devices
US10193750B2 (en) 2016-09-07 2019-01-29 Cisco Technology, Inc. Managing virtual port channel switch peers from software-defined network controller
CN107241711A (en) * 2017-05-26 2017-10-10 上海与德科技有限公司 A kind of information loading method and device
US11070534B2 (en) 2019-05-13 2021-07-20 Bluefin Payment Systems Llc Systems and processes for vaultless tokenization and encryption
JP7093531B2 (en) 2017-06-02 2022-06-30 ブルーフィン ペイメント システムズ エルエルシー Systems and methods for managing payment terminals via a web browser
US11711350B2 (en) 2017-06-02 2023-07-25 Bluefin Payment Systems Llc Systems and processes for vaultless tokenization and encryption
US10547509B2 (en) 2017-06-19 2020-01-28 Cisco Technology, Inc. Validation of a virtual port channel (VPC) endpoint in the network fabric
US11855971B2 (en) * 2018-01-11 2023-12-26 Visa International Service Association Offline authorization of interactions and controlled tasks
CN110545219A (en) * 2019-09-25 2019-12-06 杭州安恒信息技术股份有限公司 Passive identification method and device for industrial assets and electronic equipment
US20220309186A1 (en) * 2019-10-04 2022-09-29 Indivd Ab Methods and systems for anonymously tracking and/or analysing individuals based on biometric data
US20210279565A1 (en) * 2020-03-04 2021-09-09 WootCloud Inc. Systems And Methods For Device Fingerprinting
US20210281566A1 (en) * 2020-03-04 2021-09-09 WootCloud Inc. Systems And Methods For Device Fingerprinting
US11509668B2 (en) * 2020-03-04 2022-11-22 Netskope, Inc. Systems and methods for device fingerprinting
CN111385297B (en) * 2020-03-04 2021-12-28 西安交通大学 Wireless device fingerprint identification method, system, device and readable storage medium
US11645538B2 (en) * 2020-04-17 2023-05-09 Applied Engineering Concepts, Inc. Physical layer authentication of electronic communication networks
CN114124566B (en) * 2021-12-07 2022-04-19 广州尚航信息科技股份有限公司 Network attack remote real-time monitoring method and system for exchange unit

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7603710B2 (en) * 2003-04-03 2009-10-13 Network Security Technologies, Inc. Method and system for detecting characteristics of a wireless network
US7853250B2 (en) * 2003-04-03 2010-12-14 Network Security Technologies, Inc. Wireless intrusion detection system and method
US7706399B2 (en) * 2003-12-19 2010-04-27 Intel Corporation Polling in wireless networks
JP4047836B2 (en) 2004-04-02 2008-02-13 株式会社東芝 COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND COMMUNICATION CONTROL PROGRAM
US20070243882A1 (en) * 2006-04-12 2007-10-18 Qualcomm Incorporated Method and apparatus for locating a wireless local area network associated with a wireless wide area network
EP1881435A1 (en) * 2006-07-18 2008-01-23 France Télécom Method and apparatus for network attack detection by determining temporal data correlations
US7783300B2 (en) * 2006-11-22 2010-08-24 Airdefense, Inc. Systems and methods for proactively enforcing a wireless free zone
US8018883B2 (en) * 2007-03-26 2011-09-13 Cisco Technology, Inc. Wireless transmitter identity validation in a wireless network
US8144589B2 (en) 2007-05-07 2012-03-27 Qualcomm Incorporated Learning-based semi-persistent scheduling in wireless communications
US20100135178A1 (en) * 2008-11-21 2010-06-03 Qualcomm Incorporated Wireless position determination using adjusted round trip time measurements
US8508363B2 (en) * 2009-05-15 2013-08-13 First Principles, Inc. Systems and methods for permitting movement of an object outside a predetermined proximity distance threshold
US8694624B2 (en) * 2009-05-19 2014-04-08 Symbol Technologies, Inc. Systems and methods for concurrent wireless local area network access and sensing
EP2504952A1 (en) * 2009-11-27 2012-10-03 Telefonaktiebolaget LM Ericsson (publ) Packet classification method and apparatus
US8351331B2 (en) * 2010-06-22 2013-01-08 Microsoft Corporation Resource allocation framework for wireless/wired networks
US9225732B2 (en) * 2011-11-29 2015-12-29 Georgia Tech Research Corporation Systems and methods for fingerprinting physical devices and device types based on network traffic

Non-Patent Citations (12)

* Cited by examiner, † Cited by third party
Title
C. ARACKAPARAMBIL; S. BRATUS; A. SHUBINA; D. KOTZ: "On the Reliability of Wireless Fingerprinting Using Clock Skews", PROCEEDINGS OF ACM WISEC 10, March 2010 (2010-03-01)
D.C.C. LOH; C.Y. CHO; C.P. TAN; R.S. LEE: "Identifying Unique Devices through Wireless Fingerprinting", WISEC'08, April 2008 (2008-04-01)
D.C.C. LOH; C.Y. CHO; C.P. TAN; R.S. LEE: "Identifying Unique Devices through Wireless Fingerprinting", WISEC'08, April 2008 (2008-04-01), XP002669056 *
F. GUA; T. CHIUEH: "Sequence Number-Based MAC Address Spoof Detection", PROCEEDINGS OF RAID 2005, September 2005 (2005-09-01)
G. BERGER-SABBATEL; Y. GRUNENBERGER; M. HEUSSE; F. ROUSSEAU; A. DUDA: "Interarrival Histograms: A Method for Measuring Transmission Delays in 802.11 WLANs", RESEARCH REPORT, LIG LAB, GRENOBLE, FRANCE, October 2007 (2007-10-01)
J. FRANKLIN; D. MCCOY; P. TABRIZ; V. NEAGOE; J. V. RANDWYK; D. SICKER: "Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting", PROCEEDINGS USENIX SECURITY 06, August 2006 (2006-08-01)
J. FRANKLIN; D. MCCOY; P. TABRIZ; V. NEAGOE; J. V. RANDWYK; D. SICKER: "Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting", SECURITY 06, August 2006 (2006-08-01), 15th Usenix Security Symposium, pages 167 - 178, XP002669055 *
J. PANG; B. GREENSTEIN; R. GUMMADI; S. SESHAN; D. WETHERALL: "802.11 User Fingerprinting", PROCEEDINGS OF ACM MOBICOM'07, September 2007 (2007-09-01)
J. WRIGHT: "Detecting Wireless LAN MAC Address Spoofing", TECHNICAL REPORT, 2003
K. GAOPINATH; P. BHAGWAT; K. GOPINATH: "An Empirical Analysis of Heterogeneity in IEEE 802.11 MAC Protocol Implementations and Its Implications", PROCEEDINGS OF ACM Y%NTECH'06, September 2006 (2006-09-01)
S. BRATUS; C. CORNELIUS; D. KOTZ; D. PEEBLES: "Active Behavioral Fingerprinting of Wireless Devices", PROCEEDINGS OF ACM WSEC08, March 2008 (2008-03-01)
S. JANA; S. K. KASERA: "On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews", PROCEEDINGS OF ACM MOBICOM 08, September 2008 (2008-09-01)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2677793A1 (en) 2012-06-20 2013-12-25 Thomson Licensing Method and device for countering fingerprint forgery attacks in a communication system
EP2677792A1 (en) 2012-06-20 2013-12-25 Thomson Licensing Method and device for countering fingerprint forgery attacks in a communication system
US9143528B2 (en) 2012-06-20 2015-09-22 Thomson Licensing Method and device for countering fingerprint forgery attacks in a communication system
CN106961434A (en) * 2017-03-21 2017-07-18 南京大学 One kind carries out fingerprint modeling for wireless device and knows method for distinguishing
EP3474240A1 (en) * 2017-10-19 2019-04-24 HUF Hülsbeck & Fürst GmbH & Co. KG Method and system for activating a safety function via an external apparatus
EP3474239A1 (en) * 2017-10-19 2019-04-24 HUF Hülsbeck & Fürst GmbH & Co. KG Method and system for activation of a safety function

Also Published As

Publication number Publication date
EP2643985B1 (en) 2017-02-22
KR20130143694A (en) 2013-12-31
CN103229528B (en) 2017-02-15
CN103229528A (en) 2013-07-31
JP2013545411A (en) 2013-12-19
US9462449B2 (en) 2016-10-04
US20130242795A1 (en) 2013-09-19
JP6019033B2 (en) 2016-11-02
EP2643985A1 (en) 2013-10-02

Similar Documents

Publication Publication Date Title
EP2643985B1 (en) Method and device for fingerprinting of wireless communication devices
Neumann et al. An empirical study of passive 802.11 device fingerprinting
Desmond et al. Identifying unique devices through wireless fingerprinting
KR100959459B1 (en) Group judgment device
Han et al. A timing-based scheme for rogue AP detection
US8249028B2 (en) Method and apparatus for identifying wireless transmitters
US9143528B2 (en) Method and device for countering fingerprint forgery attacks in a communication system
Robyns et al. Noncooperative 802.11 mac layer fingerprinting and tracking of mobile devices
Tippenhauer et al. Id-based secure distance bounding and localization
US20220070684A1 (en) Anomalous access point detection
EP2798811B1 (en) Method and device for fingerprinting of network devices
EP3700234A1 (en) System for trusted distance measurement
Yu et al. A framework for detecting MAC and IP spoofing attacks with network characteristics
Chen et al. Enhancing Wi-Fi Device Authentication Protocol Leveraging Channel State Information
CN111405548B (en) Fishing wifi detection method and device
US10771498B1 (en) Validating de-authentication requests
Ahmad et al. A RSSI-based rogue access point detection framework for Wi-Fi hotspots
Kitisriworapan et al. Client-side rogue access-point detection using a simple walking strategy and round-trip time analysis
Lackner et al. Combating wireless LAN MAC-layer address spoofing with fingerprinting methods
Corbett et al. Passive classification of wireless NICs during active scanning
Chen et al. TSCD: a novel secure localization approach for wireless sensor networks
CN117397269A (en) Device authentication in backscatter communication systems
Panos et al. Securing the 802.11 MAC in MANETs: A specification-based intrusion detection engine
Lu et al. Fastid: An undeceived router for real-time identification of wifi terminals
Selleby et al. Detecting Impersonation Attacks in a Static WSN

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11785707

Country of ref document: EP

Kind code of ref document: A1

REEP Request for entry into the european phase

Ref document number: 2011785707

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 13988529

Country of ref document: US

Ref document number: 2011785707

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 20137013100

Country of ref document: KR

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2013540348

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE