Abstract
Computer networks have become increasingly ubiquitous. However, as networked applications have multiplied, these networks have also become harder to manage and secure. The proliferation of 802.11 wireless networks has heightened this problem by extending networks beyond physical boundaries. We present a statistical analysis and propose the use of spectral analysis to identify the type of wireless network interface card (NIC). This mechanism can be applied to support the detection of unauthorized systems that use NICs that differ from the NIC of a legitimate system. We focus on active scanning, a vaguely specified mechanism required by the 802.11 standard that is implemented in the hardware and software of the wireless NIC. We show that the implementation of this function influences the transmission patterns of a wireless stream in ways that are observable through traffic analysis. Our mechanism for NIC identification uses signal processing to analyze the periodicity embedded in the wireless traffic caused by active scanning. A stable spectral profile is created from the periodic components of the traffic and used as the identity of the wireless NIC. We show that we can distinguish between NICs manufactured by different vendors, with zero false positives, using the spectral profile. Finally, we infer where, in the NIC, the active scanning algorithm is implemented.
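The periodicity analysis summarized above can be illustrated with a short added example; it is not the authors' implementation. The bin width, the half-peak heuristic, the tolerance and both probe-request traces are assumptions constructed for this illustration.

```python
import cmath
import math

def bin_arrivals(timestamps, bin_width, duration):
    """Count probe-request arrivals (seconds) per fixed-width time bin."""
    series = [0] * int(round(duration / bin_width))
    for t in timestamps:
        i = int(t / bin_width)
        if 0 <= i < len(series):
            series[i] += 1
    return series

def power_spectrum(series, bin_width):
    """Plain DFT of the mean-removed series -> [(frequency_hz, power)]."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    out = []
    for k in range(1, n // 2 + 1):
        acc = sum(x[j] * cmath.exp(-2j * math.pi * k * j / n) for j in range(n))
        out.append((k / (n * bin_width), abs(acc) ** 2 / n))
    return out

def scan_frequency(timestamps, bin_width=1.0, duration=300.0):
    """Lowest frequency carrying at least half the peak power.

    A burst train puts similar power into the low harmonics of the scan rate,
    so the lowest strong peak (an assumed heuristic) is taken as the rate.
    """
    spec = power_spectrum(bin_arrivals(timestamps, bin_width, duration), bin_width)
    peak = max(p for _, p in spec)
    return next(f for f, p in spec if p >= 0.5 * peak)

def matches_profile(timestamps, enrolled_hz, tolerance_hz=0.002):
    """True when the observed scan rate agrees with the enrolled NIC profile."""
    return abs(scan_frequency(timestamps) - enrolled_hz) <= tolerance_hz

def constructed_trace(period, probe_gap, start, duration=300.0, probes=11):
    """Constructed, idealized capture: one burst of probe requests per scan."""
    bursts = int(duration // period)
    return [start + s * period + c * probe_gap
            for s in range(bursts) for c in range(probes)]

NIC_A = constructed_trace(period=60.0, probe_gap=0.3, start=2.05)  # constructed
NIC_B = constructed_trace(period=25.0, probe_gap=0.1, start=1.05)  # constructed

if __name__ == "__main__":
    enrolled = scan_frequency(NIC_A)  # profile of the legitimate NIC
    print(f"enrolled scan rate: {enrolled:.4f} Hz")
    print("same NIC matches:", matches_profile(NIC_A, enrolled))
    print("different NIC matches:", matches_profile(NIC_B, enrolled))
```

A real capture is not perfectly periodic, so in practice the tolerance and the observation window would have to be tuned against traces from the enrolled hardware.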
Cite this article
Corbett, C.L., Beyah, R.A. & Copeland, J.A. Passive classification of wireless NICs during active scanning. Int. J. Inf. Secur. 7, 335–348 (2008). https://doi.org/10.1007/s10207-007-0053-7