Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1109/percom45495.2020.9127375

2020-01-01

Abstract:The broadcast nature of wireless medium makes WLANs easily be attacked by rogue Access Points (APs). Rogue AP attacks can potentially cause severe privacy leakage and financial lost. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs, since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP, but also depend on the client, significantly limiting their applicable scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint. These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication. Our scheme can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 12 million WiFi packets. Results shows that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate.

Hao Kong,Li Lu,Jiadi Yu,Yingying Chen,Xiangyu Xu,Feilong Tang,Yi-Chao Chen

DOI: https://doi.org/10.1145/3466772.3467032

2021-01-01

Abstract:ABSTRACTWith the increasing integration of humans and the cyber world, user authentication becomes critical to support various emerging application scenarios requiring security guarantees. Existing works utilize Channel State Information (CSI) of WiFi signals to capture single human activities for non-intrusive and device-free user authentication, but multi-user authentication remains a challenging task. In this paper, we present a multi-user authentication system, MultiAuth, which can authenticate multiple users with a single commodity WiFi device. The key idea is to profile multipath components of WiFi signals induced by multiple users, and construct individual CSI from the multipath components to solely characterize each user for user authentication. Specifically, we propose a MUltipath Time-of-Arrival measurement algorithm (MUTA) to profile multipath components of WiFi signals in high resolution. Then, after aggregating and separating the multipath components related to users, MultiAuth constructs individual CSI based on the multipath components to solely characterize each user. To identify users, MultiAuth further extracts user behavior profiles based on the individual CSI of each user through time-frequency analysis, and leverages a dual-task neural network for robust user authentication. Extensive experiments involving 3 simultaneously present users demonstrate that MultiAuth is accurate and reliable for multi-user authentication with 87.6% average accuracy and 8.8% average false accept rate.

Hossen A. Mustafa,Wenyuan Xu

DOI: https://doi.org/10.1109/CNS.2014.6997491

2014-01-01

Abstract:Wireless hotspots allow users to use Internet via Wi-Fi interface, and many shops, cafés, parks, and airports provide free wireless hotspot services to attract customers. However, there is no authentication mechanism of Wi-Fi access points (APs) available in such hotspots, which makes them vulnerable to evil twin AP attacks. Such attacks are harmful because they allow to steal sensitive data from users. Today, there is no client-side mechanism that can effectively detect an evil twin AP attack without additional infrastructure supports. In this paper, we propose a mechanism CETAD leveraging public servers to detect such attacks. CETAD only requires installing an app at the client device and does not require to change the hotspot APs. CETAD explores the similarities between the legitimate APs and discrepancies between evil twin APs, and legitimate ones to detect an evil twin AP attack. Through our implementation and evaluation, we show that CETAD can detect evil twin AP attacks in various scenarios effectively.

Hao Kong,Li Lu,Jiadi Yu,Yingying Chen,Xiangyu Xu,Feng Lyu

DOI: https://doi.org/10.1109/tnet.2023.3237686

2023-01-01

Abstract:User authentication nowadays has become an important support for not only security guarantees but also emerging novel applications. Although WiFi signal-based user authentication has achieved initial success, it works in single-user scenarios while multi-user authentication remains a challenging task. In this paper, we present MultiAuth, a multi-user authentication system that can authenticate multiple users with a single pair of commodity WiFi devices. The basic idea is to profile multipath components of WiFi signals, and leverage the multipath components to characterize each user individually for multi-user authentication. MultiAuth first profiles multipath components of WiFi signals through a proposed MUltipath Time-of-Arrival estimation algorithm (MUTA). Then, after matching corresponding multipath components to each user in complex multi-user scenarios, MultiAuth constructs individual CSI based on the multipath components to characterize each user individually. An AoA-based approach is exploited to further separate individual CSI constructed by the users with same ToA. To identify users through their activities, MultiAuth extracts user behavior profiles based on the individual CSI, and leverages a dual-task neural network for robust user authentication. Extensive experiments involving 3 simultaneously present users demonstrate that MultiAuth is effective in multi-user authentication with 86.2% average accuracy and 9.5% average false accept rate.

Dawei Yan,Yubo Yan,Panlong Yang,Wen-Zhan Song,Xiang-Yang Li,Pengfei Liu

DOI: https://doi.org/10.1109/jiot.2022.3223682

IF: 10.6

2023-03-25

IEEE Internet of Things Journal

Abstract:WiFi connections are vulnerable to simulated attacks from rogue access points (AP) or devices whose SSID and/or MAC/IP address are the same as legitimate devices. This kind of attack is difficult to counter with traditional network security mechanisms. In this paper, we propose a new security mechanism that uses environment-independent features extracted from channel state information (CSI) to detect and identify rogue WiFi devices or APs, and reject their connections. We find that due to the I/Q imbalance and imperfect oscillator of each WiFi network card (NIC), the nonlinear phase error of different subcarriers will vary with the NIC. Through our experimental verification, this cross-subcarrier phase feature is invariant to the location and the environment. We deploy systems on two platforms that can extract constant phase errors from the constantly changing CSI in less than one second, which is at least 8× faster than that of the state-of-the-art solution. Extensive experiments on commercial routers and end devices in different scenarios show that based on the Industral Platform Computer (IPC) platform, where only non-encrypted rogue connections can be detected, the detection accuracy rate reaches 96%, and the false alarm rate is less than 2%. Based on the ASUS router platform (a commercial WiFi router), WiFi channels and smart device types are not restricted, which greatly improved universality, and the accuracy of device connection detection can even reach more than 99%. We improve a device-type identification method based on the communication traffic features of the device when connected to WiFi. Experiments show that even if there are multiple similar devices from the same manufacturer, the accuracy of device type detection exceeds 99%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tongqing Zhou,Zhiping Cai,Bin Xiao,Yueyue Chen,Ming Xu

DOI: https://doi.org/10.1109/icdcs.2017.31

2017-01-01

Abstract:WiFi networks are vulnerable to rogue AP attacks in which an attacker sets up an imposter AP to lure mobile users to connect. The attacker can eavesdrop on the communication, severely threatening users' privacy. Existing rogue AP detection solutions are confined to some specific attack scenarios (e.g., by relaying the traffic to a target AP) or require additional hardware. In this paper, we propose a crowdsensing based approach, named CRAD, to detect rogue APs in camouflage without specialized hardware requirement. CRAD exploits the spatial correlation of RSS to identify a potential imposter, which should be at a different location from the legitimate one. The RSS measurements collected from the crowd facilitate a robust profile and minimize the inaccuracy effect of a single RSS value. As a result, CRAD can filter out abnormal samples sensed in the realtime by dynamically matching the profile. We evaluate our approach with both a public dataset and a real prototype. The results show that CRAD can yield 90% detection accuracy and precision with proper crowd presence, even when the rogue AP is launched close to the legitimate one (e.g., within 1m).

Pengfei Liu,Panlong Yang,Wen-Zhan Song,Yubo Yan,Xiang-Yang Li

DOI: https://doi.org/10.1109/infocom.2019.8737455

2019-01-01

Abstract:WiFi has become a pervasive communication medium in connecting various devices of WLAN and IoT. However, WiFi connections are vulnerable to the impersonation attack from rogue access points (AP) or devices, whose SSID and/or MAC/IP address are identical to the legitimate devices. This kind of attack is difficult to countermeasure with traditional network security mechanisms. In this paper, we present a novel security mechanism to detect and identify rogue WiFi devices or AP using environment-independent characteristics extracted from channel state information (CSI), and refuse their connections. We find that nonlinear phase errors of different subcarriers change with WiFi network interface cards (NIC), due to the I/Q imbalance and imperfect oscillator of each WiFi NIC. Validated by our experiments, this phase feature across subcarriers is consistent and invariant to location and external environment, and can be extracted to build an essential signature of the NIC itself. Such signature of the transmitter can be calculated in real-time by the receiver and cannot be forged by rogue devices. Extensive experiments with dozens of WiFi devices demonstrate that the proposed mechanism can reliably detect the rogue WiFi connections and prevent impersonation in various scenarios. The speed of identification is 8$\times$ faster than that of the state-of-the-art solution. Moreover, the accuracy of rogue connection detection is up to 96% and false alarm rate is shown below 2%.

Hongbo Liu,Yan Wang,Jian Liu,Yingying Chen

DOI: https://doi.org/10.1007/978-3-030-10597-6_9

2019-01-01

Abstract:User authentication is the critical first step of network security to detect identity-based attacks and prevent subsequent malicious attacks. However, the increasingly dynamic mobile environments make it harder to always apply the cryptographic-based methods for user authentication due to their infrastructural and key management overhead. Exploiting non-cryptographic-based techniques grounded on physical layer properties to perform user authentication appears promising. To ensure the security of mobile devices in dynamic networks, we explore to use fine-grained channel state information (CSI), which is available from off-the-shelf WiFi devices, to perform proactive user authentication. We propose a user-authentication framework that has the capability to proactively request CSI and build the user profile resilient to the presence of the spoofer. Our machine learning based user-authentication techniques can distinguish two users even when they possess similar signal fingerprints and detect the existence of the spoofer in dynamic network environments. Extensive experiments in both office and apartment environments show that our framework can remove the effect of signal outliers and achieve higher authentication accuracy compared to existing approaches that use received signal strength (RSS).

Hao Han,Fengyuan Xu,Chiu Chiang Tan,Yifan Zhang,Qun Li

DOI: https://doi.org/10.1109/INFCOM.2011.5934960

2011-01-01

Abstract:This paper considers vehicular rogue access points (APs) that rogue APs are set up in moving vehicles to mimic legitimate roadside APs to lure users to associate to them. Due to its mobility, a vehicular rogue AP is able to maintain a long connection with users. Thus, the adversary has more time to launch various attacks to steal users' private information. We propose a practical detection scheme based on the comparison of Receive Signal Strength (RSS) to prevent users from connecting to rogue APs. The basic idea of our solution is to force APs (both legitimate and fake) to report their GPS locations and transmission powers in beacons. Based on such information, users can validate whether the measured RSS matches the value estimated from the AP's location, transmission power, and its own GPS location. Furthermore, we consider the impact of path loss and shadowing and propose a method based on rate adaption to deal with advanced rogue APs. We implemented our detection technique on commercial off-the-shelf devices including wireless cards, antennas, and GPS modules to evaluate the efficacy of our scheme.

Hao Han,Fengyuan Xu,Chiu C. Tan,Yifan Zhang,Qun Li

DOI: https://doi.org/10.1109/tvt.2014.2311015

IF: 6.8

2014-01-01

IEEE Transactions on Vehicular Technology

Abstract:This paper considers the problem of vehicular rogue access points (APs) for drive-thru Internet. Vehicular rogue APs are set up in moving vehicles to mimic legitimate roadside APs so as to lure users into associating with them. Due to the mobility, a vehicular rogue AP is able to maintain a long connection with users, which gives the adversary more time to launch various attacks and steal users' sensitive data. We propose a practical user-side detection scheme to prevent users from connecting to vehicular rogue APs without the help of a network administrator. In our solution, each AP broadcasts its GPS location; thus, a vehicular rogue AP has to forge its location to evade detection. A lie detector algorithm based on information collected and exchanged by clients is then used to validate whether the reported location is fake, aiming to detect the rogue AP. We have implemented the prototype and evaluated it on commercial off-the-shelf devices. We observed that our scheme can achieve more than 90% accuracy in real-world experiments.

Yanzi Zhu,Zhujun Xiao,Yuxin Chen,Zhijing Li,Max Liu,Ben Y. Zhao,Haitao Zheng

2018-01-01

Abstract:Our work demonstrates a new set of silent reconnaissance attacks, which leverages the presence of commodity WiFi devices to track users inside private homes and offices, without compromising any WiFi network, data packets, or devices. We show that just by sniffing existing WiFi signals, an adversary can accurately detect and track movements of users inside a building. This is made possible by our new signal model that links together human motion near WiFi transmitters and variance of multipath signal propagation seen by the attacker sniffer outside of the property. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective. Finally, we evaluate potential defenses, and propose a practical and effective defense based on AP signal obfuscation.

Xuefeng Liu,Jiaqi Wen,Shaojie Tang,Jiannong Cao,Jiaxing Shen

DOI: https://doi.org/10.1109/ICDCS.2017.148

2017-01-01

Abstract:The security issue of public WiFi is gaining more and more concern. By listening to probe requests, an adversary can obtain the SSID list of the APs to which a smartphone previously connected, and utilizes this information to trick the smartphone into associating to it. However, with the enhancement of security level, most smartphones now do not proactively disclose their SSID lists, making these attacks obsolete. In this paper, we propose City-Hunter, an attacker that can lure nearby smartphones without knowing their SSID information. City-Hunter establishes and maintains an SSID database by integrating both offline and online information. Meanwhile, it smartly chooses some SSIDs to hit a smartphone according to the past record and freshness. We evaluate the performance of City-Hunter in different public places. The results demonstrate that City-Hunter is able to successfully hit 12% ~ 18% smartphones without knowing their SSID information, which is about 4 ~ 8 times improvement compared to the similar attacks like KARMA and MANA.

Hao Han,Bo Sheng,Chiu C. Tan,Qun Li,Sanglu Lu

DOI: https://doi.org/10.1109/tpds.2011.125

2009-01-01

Abstract:This paper considers a category of rogue access points (APs) that pretend to be legitimate APs to lure users to connect to them. We propose a practical timing based technique that allows the user to avoid connecting to rogue APs. Our method employs the round trip time between the user and the DNS server to independently determine whether an AP is legitimate or not without assistance from the WLAN operator. We implemented our detection technique on commercially available wireless cards to evaluate their performance.

Linsong Cheng,Jiliang Wang

DOI: https://doi.org/10.1145/2942358.2942373

2016-01-01

Abstract:With the development and popularization of WiFi, surfing on the Internet with mobile devices has become an indispensable part of people's daily life. However, as an infrastructure, WiFi APs are easily connected by some undesired users nearby. In this paper, we propose NiFi, a non-intrusive WiFi user identification system based on WiFi signals that enables AP to automatically identify legitimate users in indoor environment such as home, office and hotel. The core idea is that legitimate and undesired users may have different physical constraints, e.g., moving area, walking path, etc, leading to different signal sequences. NiFi analyzes and exploits the characteristics of signal sequences generated by mobile devices. NiFi proposes a practical and effective method to extract useful features and measure similarity for signal sequences, while not relying on precise user location information. We implement NiFi on Commercial Off-The-Shelf (COTS) APs, and the implementation does not require any modification to user devices. The experiment results demonstrate that NiFi is able to achieve an average identification accuracy at 90.83% with true positive rate at 98.89%.

Yong Huang,Wei Wang,Hao Wang,Tao Jiang,Qian Zhang

DOI: https://doi.org/10.1109/twc.2020.2991111

IF: 10.4

2020-08-01

IEEE Transactions on Wireless Communications

Abstract:By adding users as a new dimension to connectivity, on-body Internet-of-Things (IoT) devices have gained considerable momentum in recent years, while raising serious privacy and safety issues. Existing approaches to authenticate these devices limit themselves to dedicated sensors or specified user motions, undermining their widespread acceptance. This paper overcomes these limitations with a general authentication solution by integrating wireless physical layer (PHY) signatures with upper-layer protocols. The key enabling techniques are constructing representative radio propagation profiles from received signals, and developing an adversarial multi-player neural network to accurately recognize underlying radio propagation patterns and facilitate on-body device authentication. Once hearing a suspicious transmission, our system triggers a PHY-based challenge-response protocol to defend in depth against active attacks. We prove that at equilibrium, our adversarial model can extract all information about propagation patterns and eliminate any irrelevant information caused by motion variances and environment changes. We build a prototype of our system using Universal Software Radio Peripheral (USRP) devices and conduct extensive experiments with various static and dynamic body motions in typical indoor and outdoor environments. The experimental results show that our system achieves an average authentication accuracy of 91.6%, with a high area under the receiver operating characteristic curve (AUROC) of 0.96 and a better generalization performance compared with the conventional non-adversarial approach.

telecommunications,engineering, electrical & electronic

Linsong Cheng,Jiliang Wang

DOI: https://doi.org/10.1145/2942358.2942373

2016-01-01

Abstract:With the development and popularization of WiFi, surfing on the Internet with mobile devices has become an indispensable part of people's daily life. However, as an infrastructure, WiFi APs are easily connected by some undesired users nearby. In this paper, we propose NiFi, a non-intrusive WiFi user identification system based on WiFi signals that enables AP to automatically identify legitimate users in indoor environment such as home, office and hotel. The core idea is that legitimate and undesired users may have different physical constraints, e.g., moving area, walking path, etc, leading to different signal sequences. NiFi analyzes and exploits the characteristics of signal sequences generated by mobile devices. NiFi proposes a practical and effective method to extract useful features and measure similarity for signal sequences, while not relying on precise user location information. We implement NiFi on Commercial Off-The-Shelf (COTS) APs, and the implementation does not require any modification to user devices. The experiment results demonstrate that NiFi is able to achieve an average identification accuracy at 90.83% with true positive rate at 98.89%.

Shulin Yang,Yantong Wang,Xiaoxiao Yu,Yu Gu,Fuji Ren

DOI: https://doi.org/10.1109/ICCC49849.2020.9238889

2020-01-01

Abstract:User authentication is a major area of interest within the field of Human Computer Interaction (HCI). Meanwhile, it prevents unauthorized accesses to certain the security of data. Personal Identification Number (PIN) and biometrics are the main approaches for identifying the user on the basis of his/her identity. However, PIN can be easily leaked to others, and biometrics usually require specialized devices. In this paper, we prototype our system, a new method for user authentication by leveraging commodity WiFi. The basic methodology is to explore the typing habit of users from Channel State Information (CSI). The design and implementation of our system face two challenges, i.e. extracting keystroke features from wireless channel data and authenticating the user via typing habit from the corresponding keystroke features. For the former, we capture signal fluctuations caused by the micro movements like typing and extract the keystroke features on channel response obtained from commodity WiFi devices. For the latter, we design a computational intelligence driven mechanism to authenticate users from the corresponding keystroke feature. We prototype our system on the low-cost off-the-shelf WiFi devices and evaluate its performance in real-world experiments. We have explored four classifiers including K Nearest Neighbor(KNN), Support Vector Machine (SVM), Random Forest, and Decision Tree for recognizing users. Empirical results show that KNN provides the best performance, i.e., 85.2% authentication accuracy, 12.8% false accept rate, and 11.2% false reject rate on average over 9 participants.

Hongbo Liu,Yan Wang,Jian Liu,Jie Yang,Yingying Chen,H. Vincent Poor

DOI: https://doi.org/10.1109/tmc.2017.2718540

IF: 6.075

2018-01-01

IEEE Transactions on Mobile Computing

Abstract:User authentication is the critical first step in detecting identity-based attacks and preventing subsequent malicious attacks. However, the increasingly dynamic mobile environments make it harder to always apply cryptographic-based methods for user authentication due to their infrastructural and key management overhead. Exploiting non-cryptographic based techniques grounded on physical layer properties to performuser authentication appears promising. In this work, the use of channel state information (CSI), which is available from off-the-shelf WiFi devices, to performfine-grained user authentication is explored. Particularly, a user-authentication framework that can work with both stationary and mobile users is proposed. When the user is stationary, the proposed framework builds a user profile for user authentication that is resilient to the presence of a spoofer. The proposed machine learning based user-authentication techniques can distinguish between two users even when they possess similar signal fingerprints and detect the existence of a spoofer. When the user is mobile, it is proposed to detect the presence of a spoofer by examining the temporal correlation of CSI measurements. Both office building and apartment environments show that the proposed framework can filter out signal outliers and achieve higher authentication accuracy compared with existing approaches using received signal strength (RSS).

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Wenhao Li,Fan Terry Zhang

DOI: https://doi.org/10.1145/3589334.3645407

2024-01-01

Abstract:To detect unknown attack traffic, anomaly-based network intrusion detection systems (NIDSs) are widely used in Internet infrastructure. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with (i) fine-grained emerging attack detection and (ii) incremental updates/adaptations. To tackle these problems, we propose to decouple the need for model capabilities by transforming known/new class identification issues into multiple independent one-class learning tasks. Based on the above core ideas, we develop Trident, a universal framework for fine-grained unknown encrypted traffic detection. It consists of three main modules, i.e., tSieve, tScissors, and tMagnifier are used for profiling traffic, determining outlier thresholds, and clustering respectively, each of which supports custom configuration. Using four popular datasets of network traces, we show that Trident significantly outperforms 16 state-of-the-art (SOTA) methods. Furthermore, a series of experiments (concept drift, overhead/parameter evaluation) demonstrate the stability, scalability, and practicality of Trident.