This project is no longer active; this page is no longer updated.
Wireless networks are pervasive, but concerns remain about their security. In the MAP (Measure, Analyze, Protect) project we developed methods for large-scale monitoring and real-time analysis of Wi-Fi network traffic to identify attacks on the network. Specifically, the MAP effort focused on attacks that disable the network, denying access to legitimate clients or reducing the quality of their network performance. The MAP papers provide effective mechanisms for sampling network traffic using sniffers placed throughout the enterprise, a new way to detect whether a given client MAC address is being "spoofed" by an attacker node, and new methods for active fingerprinting of wireless devices.
The following was written during the project in 2005-07.
With the rise of Voice over wireless LAN (VoWLAN), any complete WiFi security solution must address denial of service attacks, such as kicking off other clients, consuming excessive bandwidth, or spoofing access points, to the detriment of legitimate clients. Even an authorized client may be able to sufficiently disrupt service quality to make the network ineffective for legitimate clients.
We take a three-point, MAP (Measure, Analyze, Protect) approach to develop an integrated and extensible framework to address existing and future attacks on WiFi networks. Specifically, we focus our efforts on an integrated set of new components that allow a WiFi network operator to measure and analyze WiFi and VoWLAN activity, and in real-time to identify and defend against MAC-layer attacks on that infrastructure. Our plan includes three overlapping phases: research, prototype development, and deployment on a large portion of Dartmouth's campus-wide wireless network.
Measurement: we have developed novel and scalable techniques to collect multi-channel MAC-layer traces of the environment, building on our wireless-measurement infrastructure. Our independent and coordinated channel sampling strategies dynamically adapt to current channel conditions. These are augmented by our refocusing mechanism, which takes input from the analysis engines to further improve relevant frame capture.
Analysis: we have developed novel anomaly and signature detection techniques. Our MAC spoofing detection algorithm is based on RSSI observed at the air monitors.
Protection: we aim to develop a policy-driven protection engine that leverages existing defense mechanisms; the R&D challenge here is to integrate them into our analysis framework and to evaluate the impact of automated defenses on well-behaved users in a network.
Deployment: with our partner, Aruba Networks, we will develop and deploy prototypes for testing in Phases 1-2, and in the third phase we are deploying our prototypes across Dartmouth's next-generation campus-wide WiFi network; this testbed provides valuable data for the research team and valuable input into Aruba's product pipeline.
Novelty: we plan significant, novel extensions to existing technology; these techniques have never been applied to WiFi networks, to VoWLAN applications, or at the scale necessary for large deployment. Our integrated end-to-end MAP approach is new, and our proposed campus-wide deployment is unprecedented in scope and scale.
Our MAP approach provides a new foundation for wireless network security, able to dynamically measure, analyze and protect a WiFi network against existing and novel threats, including rogue clients and access points, with a focus on VoWLAN use cases.
Andrew Campbell, Guanling Chen, Udayan Deshpande, Tristan Henderson, David Kotz, Michael Locasto, Chris McDonald, Yong Sheng, Keren Tan, Bennet Vance, Joshua Wright, Bo Yan, Hongda Yin.
This research program is a part of the Institute for Security Technology Studies (ISTS), primarily supported by the US Department of Homeland Security (Science and Technology directorate) under award number NBCH2050002.
Aspects of this project were also supported by the Cisco Systems University Research Program, the US National Science Foundation under Infrastructure Award EIA-9802068, and the US Department of Justice (Bureau of Justice Assistance) under award 2005-DD-BX-1091.
The views and conclusions contained on this site and in its documents are those of the authors and should not be interpreted as necessarily representing the official position or policies, either expressed or implied, of the sponsor(s). Any mention of specific companies or products does not imply any endorsement by the authors or by the sponsor(s).
This sampling approach may be sufficient, for example, for a system administrator or anomaly detection module to observe some unusual behavior in the network. Once an anomaly is detected, however, the administrator may require a more extensive traffic sample, or need to identify the location of an offending device.
We propose a method to allow measurement applications to dynamically modify the sampling strategy, refocusing the monitoring system to pay more attention to certain types of traffic than others. In this paper we show that refocusing is a necessary and promising new technique for wireless measurement.
By analyzing the RSS pattern of typical 802.11 transmitters in a 3-floor building covered by 20 air monitors, we observed that the RSS readings followed a mixture of multiple Gaussian distributions. We discovered that this phenomenon was mainly due to antenna diversity, a widely-adopted technique to improve the stability and robustness of wireless connectivity. This observation renders existing approaches ineffective because they assume a single RSS source. We propose an approach based on Gaussian mixture models, building RSS profiles for spoofing detection. Experiments on the same testbed show that our method is robust against antenna diversity and significantly outperforms existing approaches. At a 3% false positive rate, we detect 73.4%, 89.6% and 97.8% of attacks using the three proposed algorithms, based on local statistics of a single AM, combining local results from AMs, and global multi-AM detection, respectively.
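The following is an added example, not code from the MAP project, showing why a single-Gaussian RSS profile fails under antenna diversity and how a per-air-monitor Gaussian mixture profile fixes it. The training readings are constructed (one client whose two diversity antennas produce RSS clustered near -60 dBm and -72 dBm at one air monitor), the EM fitting routine, the negative-log-likelihood score and the 3% false-positive cutoff are my assumptions about how such a profile can be built; the abstract only states that the profiles are Gaussian mixtures and reports results at a 3% false positive rate.

```python
"""RSS profiling for MAC spoofing detection with a 1-D Gaussian mixture.
Added example, not the MAP project's code; models the case where antenna
diversity makes a legitimate client's RSS at one air monitor bimodal."""
import math
import random
from statistics import mean, pvariance


def gauss_pdf(x, mu, var):
    return math.exp(-((x - mu) ** 2) / (2.0 * var)) / math.sqrt(2.0 * math.pi * var)


def fit_gmm(samples, k=2, iters=100):
    """Expectation-maximisation for a k-component 1-D mixture.
    Deterministic initialisation: means spread over [min, max], equal weights,
    the overall variance for every component. Returns [(weight, mean, var)]."""
    lo, hi = min(samples), max(samples)
    var0 = pvariance(samples)
    comps = [(1.0 / k, lo + (hi - lo) * (j + 0.5) / k, var0) for j in range(k)]
    for _ in range(iters):
        # E-step: responsibility of each component for each reading
        resp = []
        for x in samples:
            dens = [w * gauss_pdf(x, m, v) for w, m, v in comps]
            tot = sum(dens) or 1e-300
            resp.append([d / tot for d in dens])
        # M-step: re-estimate weights, means and variances
        new = []
        for j in range(k):
            nj = sum(r[j] for r in resp)
            if nj < 1e-9:              # component collapsed; keep it unchanged
                new.append(comps[j])
                continue
            mu = sum(r[j] * x for r, x in zip(resp, samples)) / nj
            var = sum(r[j] * (x - mu) ** 2 for r, x in zip(resp, samples)) / nj
            new.append((nj / len(samples), mu, max(var, 1e-3)))
        comps = new
    return comps


def fit_single(samples):
    """Baseline used by single-source approaches: one Gaussian per profile."""
    return [(1.0, mean(samples), pvariance(samples))]


def score(profile, rss):
    """Anomaly score of one reading: negative log-likelihood under the profile."""
    return -math.log(sum(w * gauss_pdf(rss, m, v) for w, m, v in profile) + 1e-300)


def threshold(profile, samples, fpr=0.03):
    """Cutoff that flags about `fpr` of the training readings (a 3% false
    positive budget, the operating point quoted in the abstract)."""
    scores = sorted(score(profile, x) for x in samples)
    return scores[min(int((1.0 - fpr) * len(scores)), len(scores) - 1)]


def constructed_training_rss(seed=7, n_per_antenna=200):
    """Constructed data: one client heard by one air monitor whose two
    diversity antennas yield RSS clustered around -60 dBm and -72 dBm."""
    rng = random.Random(seed)
    return ([rng.gauss(-60.0, 2.0) for _ in range(n_per_antenna)]
            + [rng.gauss(-72.0, 2.0) for _ in range(n_per_antenna)])


def build_detectors(samples):
    """Return {name: (profile, cutoff)} for the mixture and single-Gaussian profiles."""
    out = {}
    for name, fit in (("gmm", fit_gmm), ("single", fit_single)):
        profile = fit(samples)
        out[name] = (profile, threshold(profile, samples))
    return out


def flagged(detector, rss):
    """True when a reading from the claimed MAC does not fit its RSS profile."""
    profile, cutoff = detector
    return score(profile, rss) > cutoff


if __name__ == "__main__":
    dets = build_detectors(constructed_training_rss())
    for rss in (-60.0, -72.0, -66.0, -45.0):
        print(rss, {n: flagged(d, rss) for n, d in dets.items()})
```

The single-Gaussian profile absorbs both antenna modes into one wide distribution centred near -66 dBm, so a frame claiming the client's MAC but arriving at -66 dBm sits at the very peak of that profile and is never flagged; the mixture profile places -66 dBm three standard deviations from both modes and rejects it. Readings at either legitimate mode pass under both profiles, and a reading far from everything (-45 dBm) is caught by both. In a deployment the profile would be kept per (client MAC, air monitor) pair and the cutoff tuned on the monitor's own history.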
Effective monitoring of wireless network traffic, using commodity hardware, is a challenging task due to the limitations of the hardware. IEEE 802.11 networks support multiple channels, and a wireless interface can monitor only a single channel at one time. Thus, capturing all frames passing an interface on all channels is an impossible task, and we need strategies to capture the most representative sample.
When a large geographic area is to be monitored, several monitoring stations must be deployed, and these will typically overlap in their area of coverage. The competing goals of effective wireless monitoring are to capture as many frames as possible, while minimizing the number of those frames that are captured redundantly by more than one monitoring station. Both goals may be addressed with a sampling strategy that directs neighboring monitoring stations to different channels during any period. To be effective, such a strategy requires timely access to the nature of all recent traffic.
We propose a coordinated sampling strategy that meets these goals. Our implemented solution involves a central controller considering traffic characteristics from many monitoring stations to periodically develop specific sampling policies for each station. We demonstrate the effectiveness of our coordinated sampling strategy by comparing it with existing independent strategies. Our coordinated strategy enabled more distinct frames to be captured, providing a solid foundation for focused sampling and intrusion detection.
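To make the coordinated strategy and the refocusing idea from the earlier abstract concrete, here is an added example (mine, not the MAP project's controller). It assumes a constructed report of frames per second that each air monitor recently heard on each channel, a constructed overlap relation between monitors, and a simple redundancy model in which overlapping monitors on the same channel hear the same frames; the greedy marginal-gain assignment and the `refocus` hook are my assumptions about how such a controller could be built, since the abstracts do not describe the policy itself.

```python
"""Coordinated channel sampling for overlapping Wi-Fi monitors, with a simple
refocusing hook. Added example, not the MAP project's own controller."""

# Constructed input: frames/second each air monitor recently heard per channel,
# i.e. the traffic characteristics the monitors report to the controller.
RATES = {
    "am1": {1: 100, 6: 30, 11: 10},
    "am2": {1: 90, 6: 40, 11: 20},
    "am3": {1: 50, 6: 20, 11: 60},
}
# Constructed overlap: am1 and am2 cover the same area, am3 is elsewhere.
OVERLAP = {frozenset({"am1", "am2"})}


def shared(a, b):
    return frozenset({a, b}) in OVERLAP


def distinct_frames(assign):
    """Assumption: overlapping monitors tuned to the same channel hear the same
    frames, so the smaller rate of each such pair is pure redundancy
    (pairwise model; enough for this constructed topology)."""
    total = sum(RATES[s][c] for s, c in assign.items())
    stations = list(assign)
    for i, a in enumerate(stations):
        for b in stations[i + 1:]:
            if shared(a, b) and assign[a] == assign[b]:
                total -= min(RATES[a][assign[a]], RATES[b][assign[b]])
    return total


def independent_policy():
    """Independent strategy: each monitor tunes to its own busiest channel."""
    return {s: max(r, key=r.get) for s, r in RATES.items()}


def coordinated_policy(pinned=None):
    """Controller assigns channels one monitor at a time (busiest monitor
    first), choosing the channel with the largest marginal gain in distinct
    frames given earlier choices. `pinned` holds refocusing overrides."""
    assign = dict(pinned or {})
    for s in sorted(RATES, key=lambda s: -max(RATES[s].values())):
        if s in assign:
            continue
        base = distinct_frames(assign)
        best_c, best_gain = None, -1
        for c in RATES[s]:
            trial = dict(assign)
            trial[s] = c
            gain = distinct_frames(trial) - base
            if gain > best_gain:
                best_c, best_gain = c, gain
        assign[s] = best_c
    return assign


def refocus(station, channel):
    """Refocusing: an analysis module has seen something suspicious on
    `channel` near `station` and wants a fuller sample; pin that monitor to
    the channel and re-plan the remaining monitors around it."""
    return coordinated_policy(pinned={station: channel})


if __name__ == "__main__":
    for name, policy in (("independent", independent_policy()),
                         ("coordinated", coordinated_policy()),
                         ("refocused on am2/ch1", refocus("am2", 1))):
        print(name, policy, "distinct frames/s:", distinct_frames(policy))
```

With these constructed rates the independent strategy sends both overlapping monitors to channel 1 and captures 160 distinct frames per second, while the coordinated controller sends am2 to channel 6 and captures 200. Pinning am2 to channel 1 for refocusing costs some coverage (180) because am1 is then moved off channel 1 to avoid duplicating am2, which is exactly the trade-off an operator accepts when an analysis module asks for a denser sample of one kind of traffic.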