
Passive classification of wireless NICs during active scanning

  • Regular Contribution
International Journal of Information Security

Abstract

Computer networks have become increasingly ubiquitous. However, with the increase in networked applications, there has also been an increase in difficulty to manage and secure these networks. The proliferation of 802.11 wireless networks has heightened this problem by extending networks beyond physical boundaries. We present a statistical analysis and propose the use of spectral analysis to identify the type of wireless network interface card (NIC). This mechanism can be applied to support the detection of unauthorized systems that use NICs that are different from that of a legitimate system. We focus on active scanning, a vaguely specified mechanism required by the 802.11 standard that is implemented in the hardware and software of the wireless NIC. We show that the implementation of this function influences the transmission patterns of a wireless stream that are observable through traffic analysis. Our mechanism for NIC identification uses signal processing to analyze the periodicity embedded in the wireless traffic caused by active scanning. A stable spectral profile is created from the periodic components of the traffic and used for the identity of the wireless NIC. We show that we can distinguish between NICs manufactured by different vendors, with zero false positives, using the spectral profile. Finally, we infer where, in the NIC, the active scanning algorithm is implemented.
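The periodicity analysis the abstract describes can be sketched as follows. This is an added example, not the authors' code: the page does not give their binning, spectral estimator or profile format, so the bin width, the 50% peak threshold, the scan periods and the profile names below are all assumptions, and the capture data is constructed.

```python
import cmath, math, random

def bin_counts(timestamps, bin_s, duration_s):
    """Turn probe-request arrival times into a counts-per-bin signal."""
    counts = [0.0] * int(duration_s / bin_s)
    for t in timestamps:
        i = int(t / bin_s)
        if 0 <= i < len(counts):
            counts[i] += 1.0
    return counts

def periodogram(counts):
    """Power at DFT bins 1..n/2-1 of the mean-removed signal (direct DFT)."""
    n, mean = len(counts), sum(counts) / len(counts)
    x = [c - mean for c in counts]
    return [abs(sum(v * cmath.exp(-2j * math.pi * k * j / n)
                    for j, v in enumerate(x))) ** 2 / n
            for k in range(1, n // 2)]

def scan_period(timestamps, bin_s=0.5, duration_s=300.0):
    """Fundamental period: lowest-frequency bin holding >= 50% of peak power."""
    power = periodogram(bin_counts(timestamps, bin_s, duration_s))
    peak = max(power)
    k = next(i for i, p in enumerate(power) if p >= 0.5 * peak) + 1
    return duration_s / k

def classify(timestamps, profiles, tol_s=1.0):
    """Name of the enrolled profile whose period matches, else 'unknown'."""
    period = scan_period(timestamps)
    for name, expected in profiles.items():
        if abs(period - expected) <= tol_s:
            return name
    return "unknown"

def synth_capture(period_s, duration_s=300.0, seed=1):
    """Constructed data: an 11-probe burst every period_s with small jitter."""
    rng, out, t = random.Random(seed), [], 2.0
    while t < duration_s:
        start = t + rng.uniform(-0.2, 0.2)
        out += [start + 0.05 * ch for ch in range(11)]
        t += period_s
    return out

# Hypothetical enrolled NIC profiles (scan period in seconds), not measured values.
PROFILES = {"vendor_a": 60.0, "vendor_b": 10.0}
```

A capture whose scan period matches no enrolled profile is classified as "unknown", which is the condition a monitor would flag for review as a possible unauthorized NIC.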




Correspondence to Raheem A. Beyah.


About this article

Cite this article

Corbett, C.L., Beyah, R.A. & Copeland, J.A. Passive classification of wireless NICs during active scanning. Int. J. Inf. Secur. 7, 335–348 (2008). https://doi.org/10.1007/s10207-007-0053-7


  • DOI: https://doi.org/10.1007/s10207-007-0053-7
