Wireless intrusion detection through preamble manipulation
Document Type
Conference Proceeding
Publication Date
3-24-2014
Abstract
Wireless Local Area Networks are particularly vulnerable to cyber attacks due to their contested transmission medium. Access point spoofing, route poisoning, and cryptographic attacks are some of the many mature threats faced by wireless networks. Recent work investigates physical-layer features such as received signal strength or radio frequency fingerprinting to identify and localize malicious devices. Received signal strength analysis is effective at localizing wireless devices and radio frequency fingerprinting can differentiate among devices of the same make and model, but both require dozens of training packets for model development. Furthermore, the developed models of both techniques are only effective for a given environment and specific set of devices. In this paper we demonstrate a novel and complementary approach to exploiting physical-layer differences among wireless devices that is more energy efficient and invariant with respect to the environment than traditional fingerprinting techniques. Specifically, we exploit subtle design differences among different transceiver hardware types. Transceivers fulfill the physical-layer aspects of the IEEE 802.11 local area network protocols, yet specific hardware implementations vary among manufacturers and device types. In particular, IEEE 802.11b packets feature a physical-layer preamble on every packet for synchronization. We record packets with standard-length IEEE 802.11b preambles using a software defined radio, manipulate the recorded preambles by shortening their length, then we replay the altered packets toward our transceivers under test. Wireless transceivers vary in their ability to receive packets with preambles shorter than the standard. We experimentally identify the unique preamble length for each transceiver type at which packet reception drops to zero.
By analyzing differences in packet reception with respect to preamble length, we distinguish among five transceiver types from three manufacturers with greater than 99% accuracy using a small number of test packets. Our results demonstrate that preamble manipulation is effective for multi-factor device authentication, network intrusion detection, and remote transceiver type fingerprinting.
Source Publication
9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014
Recommended Citation
Kulesza, N., Ramsey, B. W., & Mullins, B. E. (2014). Wireless intrusion detection through preamble manipulation. 9th International Conference on Cyber Warfare and Security 2014, ICCWS 2014, 132–139.
Comments
Author notes:
Benjamin Ramsey was an AFIT PhD candidate at the time of this conference. (AFIT-ENG-DS-14-S-10, September 2014)
Nicholas Kulesza was a graduate student (Masters) at AFIT at the time of this conference. (AFIT-ENG-T-14-J-8, June 2014)