Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Hossen A. Mustafa,Wenyuan Xu

DOI: https://doi.org/10.1109/CNS.2014.6997491

2014-01-01

Abstract:Wireless hotspots allow users to use Internet via Wi-Fi interface, and many shops, cafés, parks, and airports provide free wireless hotspot services to attract customers. However, there is no authentication mechanism of Wi-Fi access points (APs) available in such hotspots, which makes them vulnerable to evil twin AP attacks. Such attacks are harmful because they allow to steal sensitive data from users. Today, there is no client-side mechanism that can effectively detect an evil twin AP attack without additional infrastructure supports. In this paper, we propose a mechanism CETAD leveraging public servers to detect such attacks. CETAD only requires installing an app at the client device and does not require to change the hotspot APs. CETAD explores the similarities between the legitimate APs and discrepancies between evil twin APs, and legitimate ones to detect an evil twin AP attack. Through our implementation and evaluation, we show that CETAD can detect evil twin AP attacks in various scenarios effectively.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1109/percom45495.2020.9127375

2020-01-01

Abstract:The broadcast nature of wireless medium makes WLANs easily be attacked by rogue Access Points (APs). Rogue AP attacks can potentially cause severe privacy leakage and financial lost. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs, since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP, but also depend on the client, significantly limiting their applicable scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint. These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication. Our scheme can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 12 million WiFi packets. Results shows that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Changming Li,Mingjing Xu,Yicong Du,Limin Liu,Cong Shi,Yan Wang,Hongbo Liu,Yingying Chen

DOI: https://doi.org/10.1145/3636534.3649367

2024-01-01

Abstract:The pervasive use of WiFi has driven the recent research in WiFi sensing, converting communication tech into sensing for applications such as activity recognition, user authentication, and vital sign monitoring. Despite the integration of deep learning into WiFi sensing systems, potential security vulnerabilities to adversarial attacks remain unexplored. This paper introduces the first physical attack focusing on deep learning-based WiFi sensing systems, demonstrating how adversaries can subtly manipulate WiFi packet preambles to affect channel state information (CSI), a critical feature in such systems, and thereby influence underlying deep learning models without disrupting regular communication. To realize the proposed attack in practical scenarios, we rigorously analyze and derive the intricate relationship between the pilot symbol and CSI. A novel mechanism is proposed to facilitate quantitive control of receiver-side CSI through minimal modifications to the pilot symbols of WiFi packets at the transmitter. We further develop a perturbation optimization method based on the Carlini & Wagner (CW) attack and a penalty-based training process to ensure the attack's universal efficacy across various CSI responses and noise. The physical attack is implemented and evaluated in two representative WiFi sensing systems (i.e., activity recognition and user authentication) with 35 participants over 3 months. Extensive experiments demonstrate the remarkable attack success rates of 90.47% and 83.83% for activity recognition and user authentication, respectively.

Matthias Frey,Igor Bjelaković,Sławomir Stańczak

2024-03-16

Abstract:We propose a new method to protect Over-The-Air (OTA) computation schemes against passive eavesdropping. Our method uses a friendly jammer whose signal is -- contrary to common intuition -- stronger at the legitimate receiver than it is at the eavesdropper. We focus on the computation of arithmetic averages over an OTA channel. The derived secrecy guarantee translates to a lower bound on the eavesdropper's mean square error while the question of how to provide operationally more significant guarantees such as semantic security remains open for future work. The key ingredients in proving the security guarantees are a known result on channel resolvability and a generalization of existing achievability results on coding for compound channels.

Information Theory

Daniel Romero,Tien Ngoc Ha,Peter Gerstoft

2023-10-17

Abstract:In a spoofing attack, an attacker impersonates a legitimate user to access or modify data belonging to the latter. Typical approaches for spoofing detection in the physical layer declare an attack when a change is observed in certain channel features, such as the received signal strength (RSS) measured by spatially distributed receivers. However, since channels change over time, for example due to user movement, such approaches are impractical. To sidestep this limitation, this paper proposes a scheme that combines the decisions of a position-change detector based on a deep neural network to distinguish spoofing from movement. Building upon community detection on graphs, the sequence of received frames is partitioned into subsequences to detect concurrent transmissions from distinct locations. The scheme can be easily deployed in practice since it just involves collecting a small dataset of measurements at a few tens of locations that need not even be computed or recorded. The scheme is evaluated on real data collected for this purpose.

Signal Processing,Artificial Intelligence

Yi-Ying Zhang,Han-Chieh Chao,Min Chen,Lei Shu,Chulhyun Park,Myong-Soon Park

DOI: https://doi.org/10.1049/iet-ifs.2009.0192

2010-01-01

Abstract:Outliers in wireless sensor networks (WSNs) are sensor nodes that issue attacks by abnormal behaviours and fake message dissemination. However, existing cryptographic techniques are hard to detect these inside attacks, which cause outlier recognition a critical and challenging issue for reliable and secure data dissemination in WSNs. To efficiently identify and isolate outliers, this study presents a novel outlier detection and countermeasure scheme (ODCS), which consists of three mechanisms: (i) abnormal event observation mechanism for network surveillance; (ii) exceptional message supervision mechanism for distinguishing fake messages by exploiting spatiotemporal correlation and consistency and (iii) abnormal behaviour supervision mechanism for the evaluation of node behaviour. The ODCS provides a heuristic methodology and does not need the knowledge about normal or malicious sensors in advance. This property makes the ODCS not only to distinguish and deal with various dynamic attacks automatically without advance learning, but also to reduce the requirement of capability for constrained nodes. In the ODCS, the communication is limited in a local range, such as one-hop or a cluster, which can reduce the communication frequency and circumscribe the session range further. Moreover, the ODCS provides countermeasures for different types of attacks, such as the rerouting scheme and the rekey security scheme, which can separate outliers from normal sensors and enhance the robustness of network, even when some nodes are compromised by adversary. Simulation results indicate that our approach can effectively detect and defend the outlier attack. © 2010 The Institution of Engineering and Technology.

Xiang Sheng,Shaowei Wang

DOI: https://doi.org/10.1109/twc.2021.3091588

IF: 10.4

2021-01-01

IEEE Transactions on Wireless Communications

Abstract:Spectrum sensing is one of the main components of the cognitive radio (CR) system, based on which secondary users (SUs) can get access to spectrum holes available. On the other hand, a malicious adversary can also attack the primary user (PU) system and the legitimate CR system via spectrum sensing, which can lead to serious security issue for both systems. In this article, we study an online attacking strategy, referred to as PU emulation attacker (PEA), which transmits forged PU signals over available channels to deteriorate the spectrum sensing performance of the SUs. We propose an online learning based attacking scheme for both the single attacker and the multiple-attacker cases, and analyze the regret upper bound of the proposed algorithm. The proposed PEA strategy can work in both stationary and non-stationary CR networks where the statistical characteristics of channels and the access strategy of SUs change over time. Numerical results show that it is more efficient than others in two different performance metrics: successful accesses of SUs and effective attacks of PEAs. Our proposal raises an interesting open question on how to develop CR networks with security guarantee.

Yanzi Zhu,Zhujun Xiao,Yuxin Chen,Zhijing Li,Max Liu,Ben Y. Zhao,Haitao Zheng

2018-01-01

Abstract:Our work demonstrates a new set of silent reconnaissance attacks, which leverages the presence of commodity WiFi devices to track users inside private homes and offices, without compromising any WiFi network, data packets, or devices. We show that just by sniffing existing WiFi signals, an adversary can accurately detect and track movements of users inside a building. This is made possible by our new signal model that links together human motion near WiFi transmitters and variance of multipath signal propagation seen by the attacker sniffer outside of the property. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective. Finally, we evaluate potential defenses, and propose a practical and effective defense based on AP signal obfuscation.

Yalin E. Sagduyu,Yi Shi,Tugba Erpek

DOI: https://doi.org/10.1109/tmc.2019.2950398

IF: 6.075

2021-02-01

IEEE Transactions on Mobile Computing

Abstract:An adversarial deep learning approach is presented to launch over-the-air spectrum poisoning attacks. A transmitter applies deep learning on its spectrum sensing results to predict idle time slots for data transmission. In the meantime, an adversary learns the transmitter's behavior (exploratory attack) by building another deep neural network to predict when transmissions will succeed. The adversary falsifies (poisons) the transmitter's spectrum sensing data over the air by transmitting during the short spectrum sensing period of the transmitter. Depending on whether the transmitter uses the sensing results as test data to make transmit decisions or as training data to retrain its deep neural network, either it is fooled into making incorrect decisions (evasion attack) or the transmitter's algorithm is retrained incorrectly for future decisions (causative attack). Both attacks are energy efficient and hard to detect (stealth) compared to jamming the long data transmission period, and substantially reduce the throughput. A dynamic defense is designed for the transmitter that deliberately makes a small number of incorrect transmissions (selected by the confidence score on channel classification) to manipulate the adversary's training data. This defense effectively fools the adversary (if any) and helps the transmitter sustain its throughput with or without an adversary present.

computer science, information systems,telecommunications

Zhihong Liu,Jiajia Liu,Yong Zeng,Zhuo Ma,Jianfeng Ma,Qiping Huang

DOI: https://doi.org/10.48550/arXiv.1901.03185

2019-01-09

Abstract:Covert wireless communication or low probability of detection (LPD) communication that employs the noise or jamming signals as the cover to hide user's information can prevent a warden Willie from discovering user's transmission attempts. Previous work on this problem has typically assumed that the warden is static and has only one antenna, often neglecting an active warden who can dynamically adjust his/her location to make better statistic tests. In this paper, we analyze the effect of an active warden in covert wireless communications on AWGN channels and find that, having gathered samples at different places, the warden can easily detect Alice's transmission behavior via a trend test, and the square root law is invalid in this scenario. Furthermore, a more powerful warden with multiple antennas is harder to be deceived, and Willie's detection time can be greatly shortened.

Cryptography and Security

Keqiang He,Chengchen Hu,Junchen Jiang,Yachao Zhou,Bin Liu

DOI: https://doi.org/10.1109/glocom.2010.5684142

2010-01-01

Abstract:Flow-level sampling methods have been widely studied and extensively employed in network traffic measurement systems. However, traffic anomalies are becoming more prevalent and severe in the Internet, which pose great challenges to the traffic measurement. Existing solutions targeted at such scenario have either low accuracy or high memory usage. In this paper, we propose a two-stage sampling approach-Anti Attack Counters (A2C) and an efficient parameter adapting method to solve the problem. The proposed sampling mechanism can adapt to the network condition automatically and collect more information even under severe traffic attacks. Theoretical analysis on accuracy and resource requirement is presented in our work. Furthermore, we validate our approach using both synthetic and real traces. The experimental results demonstrate that A2C is of high resilience while providing significantly improved measurement accuracy with reduced memory occupation comparing with other existing anti-attack countermeasures.

Hao Liu,Ben Niu,Yuzhe Li

DOI: https://doi.org/10.1109/tcyb.2020.2977056

IF: 11.8

2022-01-01

IEEE Transactions on Cybernetics

Abstract:This article studies a security issue in remote distributed consensus estimation where sensors transmit their measurements to remote estimators via a wireless communication network. The relative entropy is utilized as a stealthiness metric to detect whether the data transmitted through the wireless network are attacked. The performance degradation induced by an attacker that attempts to be stealthy or undetected is analyzed, and the corresponding false-data attack strategy is characterized, which can achieve the maximal integrated mean-square error (IMSE). Finally, the tradeoff between the performance degradation and attack stealthiness level is evaluated through an example.

automation & control systems,computer science, cybernetics, artificial intelligence

M. Oinonen,W.G. Morsi

DOI: https://doi.org/10.1016/j.ijepes.2024.110311

IF: 5.659

2024-10-19

International Journal of Electrical Power & Energy Systems

Abstract:Substation Automation Systems (SASs) integrate communication networks with physical equipment and are vulnerable to cyberattacks. A subset of these attacks, namely Insider attacks, are launched from knowledgeable insiders and therefore they are typically difficult to detect. This paper presents a new method for detecting and classifying Insider cyberattacks as well as power disturbances on SASs using short-length orthogonal wavelet filters in real-time using an OPAL-Real-Time (OPAL-RT) simulator. An Intrusion Detection System (IDS) is proposed in which custom-designed wavelet filters of short length are developed to better extract both the network and physical data of the SASs into time–frequency spectrograms. The advantage of using the short length filters is to provide fast detection of these time-sensitive Insider attacks and disturbances in real-time, which is a key requirement for mitigation to be possible. The generated spectrograms are fed to a Convolutional Neural Network (CNN) that automates the classification process. An experimental dataset is developed from real-time testing using OPAL-RT that implements several types of cyberattacks including Insider attacks and other popular attacks such as Denial-of-Service and False Data Injection as well as challenging attacks such as Replay and Message Suppression attacks. The results of experimentally testing the proposed method in real-time using OPAL-RT demonstrate that the use of the short-length custom-designed orthogonal wavelet filters achieves a detection accuracy of 97.37 % compared to other methods as well as a low runtime of 33.786 ms.

engineering, electrical & electronic

Yulong Zou,Jia Zhu,Baoyu Zheng

DOI: https://doi.org/10.1109/chinacom.2013.6694683

2013-01-01

Abstract:Wireless communication is vulnerable to eavesdropping attack due to the broadcast nature of radio propagation. In recent years, physical-layer security is emerging as a promising paradigm to prevent an eavesdropper from interception. In this paper, we consider a wireless network consisting of one source, one destination and one eavesdropper, and exploit multiple antennas at all the network nodes to improve wireless security against eavesdropping attack. Considering multiple transmit antennas at source node, we propose the optimal antenna selection (OAS) scheme to enhance the physical-layer security. We also examine the conventional single-input single-output (SISO) and space-time-coded transmission (STT) for the comparison purpose. We analyze the intercept probability performance of SISO, STT and OAS schemes in Rayleigh fading channels and theoretically prove that the proposed OAS scheme strictly outperforms conventional STT scheme in terms of the intercept probability. In addition, numerical results illustrate that with an increasing number of antennas at source and destination, the intercept probabilities of both OAS and STT schemes significantly decrease, implying the advantage of exploiting multiple antennas for wireless security against eavesdropping attack.

Yujiao Lv,Jianquan Lu,Yang Liu,Lingzhong Zhang

DOI: https://doi.org/10.1016/j.ins.2023.118964

IF: 8.1

2023-05-04

Information Sciences

Abstract:Network attacks always threaten economic operations and personal privacy, which have resulted in severe and irreparable damage. Therefore, the investigation of network attacks is essential for network security. This paper concentrates on designing two stealthy attack strategies for remote state estimation with intermittent observations, where the attackers can select one of the designed stealthy attack strategies depending on their capabilities, available resources, and information. Furthermore, for real-time communication rates, a novel detector is introduced to determine if the system is compromised by attackers at each moment. Then, an algorithm for state estimation is derived under the proposed stealthy attack strategies. Furthermore, the attack parameters in the proposed attack strategies are discussed by applying linear matrix inequalities. Finally, a numerical example illustrates the effects of the detector and attack strategies.

computer science, information systems

Kaigui Bian,Jung-Min Park,Ruiliang Chen

DOI: https://doi.org/10.1109/glocom.2006.266

2006-01-01

Abstract:Denial-of-Service (DoS) attacks pose a major threat to the availability of wireless ad hoc networks. Fault tolerant operation of wireless ad hoc networks will depend on the placement of DoS countermeasures in sufficiently robust form. In this paper, we describe a novel type of DoS attack called the Stasis Trap attack, and propose a technique for detecting such an attack. Stasis Trap attack has two distinguishing characteristics-it has a cross-layer design, and is stealthy. The Stasis Trap attack has a cross-layer design in that it is launched from the MAC layer but its aim is to degrade the end-to-end throughput of flows at the transport layer by exploiting TCP's congestion-control mechanism. Specifically, an adversary launches a Stasis Trap attack against neighboring nodes by periodically preempting the wireless channel in order to cause large variations in the round trip time (RTT) of TCP flows. Channel preemptions are carried out by manipulating the back-off mechanism of the Distributed Coordinating Function of the 802.11 MAC protocol. The periodic preemptions induce large RTT variations in the TCP flows that are within the transmission range of the adversary. This in turn causes a significant drop in the throughput of those flows, thereby creating a "stasis trap" around the adversary that entangles TCP flows. The aforementioned attack severely degrades end-to-end throughput but has very little effect on MAC-layer throughput, and hence it is very hard to detect at the MAC layer, which is its point of attack. In this sense, this attack is stealthy. To detect the Stasis Trap attack, we propose a minimax robust decentralized detection framework with robust hypothesis testing.

Li Lu,Meng Chen,Jiadi Yu,Zhongjie Ba,Feng Lin,Jinsong Han,Yanmin Zhu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2024.3403839

2024-01-01

Abstract:Recent years have witnessed enormous research efforts on WiFi sensing to enable intelligent services of Internet of Things. However, due to the omni-directional broadcasting manner of WiFi signals, the activity semantic underlying the signals can be leaked to adversaries for surveillance, as demonstrated by our previous work. In this paper, we further extend the attack capability of ActListener to impersonation attack, which could eavesdrop on users’ behavioral uniqueness imperceptibly using a WiFi infrastructure in any location of user sensing area. In particular, ActListener detects each human activity and converts the eavesdropped signals to that by legitimate devices based on our proposed signal propagation models. To extract noise-resilient individual behavioral uniqueness from converted CSI of WiFi signals, we further add user identification models into the substitute model set for training the signal pattern calibration generative model. Experimental results demonstrate that ActListener could achieve over 80% accuracy in activity semantics retrieval and impersonation by using the converted signals.