1 / 28

SecureArray : Improving WiFi Security with Fine-Grained Physical-Layer Information

SecureArray : Improving WiFi Security with Fine-Grained Physical-Layer Information. MobiCom’13 Jie Xiong and Kyle Jamieson University College London CSE713 Spring 2017 Presentation Jinghao Shi. Target Threat: Active Attacks. Inject packets Denial of service Jam and replay Spoofing

abrial
Download Presentation

SecureArray : Improving WiFi Security with Fine-Grained Physical-Layer Information

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SecureArray: Improving WiFi Security with Fine-Grained Physical-Layer Information MobiCom’13 JieXiong and Kyle Jamieson University College London CSE713 Spring 2017 Presentation Jinghao Shi

  2. Target Threat: Active Attacks Inject packets • Denial of service • Jam and replay • Spoofing • … Home or Enterprise Network

  3. SecureArray: Key Idea Use Angle-of-Arrival (AoA)information to detect attackers Pretend Legitimate User Attacker

  4. Outline • How to obtainAoA information? • The SecureArray system • How to utilize the AoA information? • Integration with 802.11 RSN • Evaluations

  5. AoA Primer Base band phase difference

  6. AoA Primer (cont’d)

  7. Sensitivity AP Client Attacker AP Client Attacker

  8. Random Phase Perturbation • Add random phase perturbation to to calculate AoA signature • Repeat times, obtain

  9. Comparing AoA Signatures • M approaches 1 if • Peaks align, and • Have similar magnitude • Binary threshold

  10. What if Client is Mobile?Channel Coherence Time : The time duration over which the wireless channel can be considered unchanging

  11. How to Utilize AoA Information?Integration with 802.11 RSN Three types of attacks • Deauthentication deadlock • Authenticated spoofing • Authentication deadlock

  12. Deauthentication Deadlock Attack 802.11X Extensible AuthenticationProtocol over LANs (EAPOL) Four Way Handshake AP compares AoA ofDeauth and EAOPL msg 4

  13. Authentication Spoofing Attack Scenario: attacker has gained access and pretends to be the legitimate user (spoofing) Client sends a challenge frameafter overhearing anunexpected Ack.

  14. Authentication Deadlock Attack AuthReq will cause APto delete the client’s key. AP compares the AoAof Data and AuthReqpacket

  15. SecureArray Implementation Rice WARP platform 8 antennas in total

  16. Evaluation Questions • How to choose ? (similarity threshold) • How to decide L? (number of random perturbations) • How many AP antennas are needed? • Distance between client and attacker? • Mobile clients?

  17. Experiment Setup • Indoor officeenvironment (30mx40m) • 150 locations • Static and mobile client • Various client/attackerdistance (3m – 5 cm)

  18. Confusion Matrix andReceiver Operating Characteristic (ROC) Curve ROC Curve: True Positive Rate (TPR) vs. False Positive Rate (FPR) Standard way to show the performance of a binary classifier.

  19. Overall ROC Curve Effectiveness ofrandom perturbation 100% detection rate with only 0.67%false alarm rate. L=1

  20. Number of random-phase perturbations ( L ) • Trade-off betweenaccuracy and overhead • L = 5 is sufficient • Marginal improvementwhen L > 5.

  21. Number of AP antennas 1% 4.7% 11.3% Detection rate is higheven w/ 4 antennas

  22. Distance between client and attacker Miss rate increasesto only 3.7% @5 cm

  23. Inter-packet time (Static) False alarm rate is loweven for 2s spacing

  24. Inter-packet time (Mobile) Walk Speed 4km/h Coherence time 12ms

  25. Detection Latency • : time taken for packet detection and samples recording with WARP • 1.6us • : time taken for samples to be transferred to the server • 2.56ms • : time taken for the server to compute the metric and make the decision • 10-20ms (L=5) • Total latency • ~20ms

  26. Summary Use Angle-of-Arrival (AoA)information to detect attackers • Attacks • Deauthentication deadlock attack • Authentication spoofing attack • Authentication deadlock attack • Prototype implementation on WARP • Thorough evaluations • Random phase perturbation (L) • Attacker distance • AP antennas • Inter-packet time Pretend Legitimate User Attacker

  27. Critique • Need extra hardware • Multiple antennas at the AP • Can not detect jamming attacks

  28. References (See Full List in Paper) • M. Eian and S. Mjølsnes. A formal analysis of IEEE 802.11w deadlock vulnerabilities. In Proc. of IEEE Infocom,2012. • R. Schmidt. Multiple emitter location and signal parameter estimation. IEEE Trans. on Antennas and Propagation, AP-34(3):276–280, Mar. 1986. • M. Eian and S. Mjølsnes. The modeling and comparison of wireless network denial of service attacks • N. Anand, S. Lee, and E. Knightly. STROBE: Actively securing wireless communications using zero-forcing beamforming. In Proc. of IEEE Infocom, 2012. • E. Aryafar, N. Anand, T. Salonidis, and E. Knightly. Design and experimental evaluation of multi-user beamforming in wireless LANs. In Proc. of ACM MobiCom, 2010. • B. Bertka. 802.11w security: DoS attacks and vulnerability controls. In Proc. of Infocom, 2012. • D. Faria and D. Cheriton. No long-term secrets: Location based security in overprovisioned wireless LANs. In Proc. Of ACM HotNets, 2004.

More Related