See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/221005694

Detecting identity-based attacks in wireless networks using signalprints

Conference Paper · September 2006

DOI: 10.1145/1161289.1161298 · Source: DBLP

CITATIONS READS
308 824

2 authors, including:

David R. Cheriton
Stanford University
31 PUBLICATIONS 2,938 CITATIONS

SEE PROFILE

All content following this page was uploaded by David R. Cheriton on 06 June 2014.

The user has requested enhancement of the downloaded file.

 Detecting Identity-Based Attacks in Wireless Networks
Using Signalprints

Daniel B. Faria David R. Cheriton

Computer Science Department Computer Science Department
Stanford University Stanford University
[email protected] [email protected]

ABSTRACT (WLANs) are yet another scenario for DoS attacks, though
Wireless networks are vulnerable to many identity-based attacks
with the added complication that the wireless medium makes
in which a malicious device uses forged MAC addresses to mas- it easier for the injection of attack traffic.
querade as a specific client or to create multiple illegitimate iden-
Several DoS attacks in wireless LANs are possible because
tities. For example, several link-layer services in IEEE 802.11
these networks lack reliable client identifiers before upper-
networks have been shown to be vulnerable to such attacks even layer authentication mechanisms are evoked and user cre-
when 802.11i/1X and other security mechanisms are deployed.
dentials are securely established. After a client authenti-
In this paper we show that a transmitting device can be robustly
cates successfully and session keys are used to encrypt and
identified by its signalprint, a tuple of signal strength values re-
authenticate packets sent over wireless links, the network
ported by access points acting as sensors. We show that, different
can securely verify if the source MAC address in a packet
from MAC addresses or other packet contents, attackers do not
is correct. Without this mechanism, however, wireless in-
have as much control regarding the signalprints they produce.
stallations have to rely solely on MAC addresses for client
Moreover, using measurements in a testbed network, we demon-
identification: two devices in a network using the same ad-
strate that signalprints are strongly correlated with the physical
dress are treated as a single client, even if they generate
location of clients, with similar values found mostly in close prox-
conflicting or inconsistent requests.
imity. By tagging suspicious packets with their corresponding As MAC addresses can be easily changed through device
signalprints, the network is able to robustly identify each trans-
drivers, simple yet effective identity-based attacks can be
mitter independently of packet contents, allowing detection of a
implemented with off-the-shelf equipment against multiple
large class of identity-based attacks with high probability. link-layer services. IEEE 802.11 networks, for instance, have
been shown to be vulnerable to a class of attacks we refer
Categories and Subject Descriptors to as masquerading attacks, in which a malicious device tar-
gets a specific client by spoofing its MAC address or the
C.2.3 [Computer Communication Networks]: Network address of its current access point. Bellardo and Savage
Operations - Network Monitoring; C.2.5 [Computer Com- have demonstrated that a 10-second deauthentication at-
munication Networks]: Local and Wide-Area Networks tack can immediately knock a client off the network and
possibly incur minute-long outages given the interaction be-
General Terms tween 802.11 and TCP [5]. With such tools, a malicious user
could render a WiFi hotspot unusable by targeting all active
Design, Measurement, Security.
clients or simply maximize the throughput achieved by his
own laptop by periodically deauthenticating devices using
Keywords the same access point as him. These attacks can be cur-
Denial-of-Service Attacks, Security, Wireless LANs, Location- rently implemented even if networks deploy recent security
Based Services, IEEE 802.11. standards such as IEEE 802.11i [2].
Another class of identity-based attacks target resource de-
1. INTRODUCTION pletion: an attacker can generate high rates of requests with
random MAC values in order to consume shared resources.
Denial-of-service (DoS) attacks can bring networks to a
For example, authentication protocols such as TLS (popu-
halt by saturating communication links or by flooding hosts
lar with 802.11i/802.1X) demand milliseconds of processing
with requests that induce computationally expensive opera-
time, making servers vulnerable to attacks that consume
tions or unnecessary allocation of resources. Wireless LANs
in the order of 200 Kbps of attack bandwidth [7]. As an-
other example, the attack could target a DHCP server in
a publicly available part of the network and consume all IP
Permission to make digital or hard copies of all or part of this work for addresses reserved for visitors. A PDA device left behind in-
personal or classroom use is granted without fee provided that copies are side a corporation could act as a “wireless grenade”, going
not made or distributed for profit or commercial advantage and that copies off at a programmed time and flooding the authentication
bear this notice and the full citation on the first page. To copy otherwise, to server with random requests, possibly affecting clients well
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
beyond its communication range.
WiSe’06, September 29, 2006, Los Angeles, California, USA.
Copyright 2006 ACM 1-59593-557-6/06/0009 ...$5.00.

43
 In this paper we show that reliable client identifiers, which
we call signalprints, can be created using signal strength
information reported by access points and used to detect
misbehaving devices. As a packet of interest (e.g. a deau-
thentication request) is transmitted over the wireless link, it
is sensed by access points within range, which report signal
strength measurements (a.k.a RSSI levels) to a centralized
server. The request is then “tagged” with a signalprint, a tu-
ple constructed by aggregating all measurements reported.
Transmitters at different locations produce distinct signal-
prints because signal decays with distance, allowing the sys-
tem to robustly distinguish clients located geographically
apart. We present measurements performed within an office
building with an IEEE 802.11 network that demonstrate
that signalprints can be used to detect masquerading and
resource-depletion attacks with high probability.

2. ATTACK MODEL
We assume that malicious clients are provided with stan- Figure 1: Signalprint creation.
dard wireless transmitters. First, we assume they employ
omni-directional antennas, much like most portable wire-
less devices. The use of directional antennas is discussed
in section 6.5. Second, we assume they are able to mod- mation from all APs in order to detect security events of
ify the contents of each outgoing packet. This allows them, interest. Networks with lightweight APs require a central
among other things, to change source and destination MAC point of control, a device similar in function to what we call
addresses, a capability needed to implement the attacks we a WA. In this case, access points implement minimum func-
are interested in. For example, Bellardo and Savage have de- tionality – sometimes acting simply as remote radio inter-
scribed a mechanism that can be used to accomplish this [5]. faces – and delegate all other functions to the WA, which is
Finally, we assume that they are provided with multiple computationally more powerful. An example is the architec-
transmission power levels and that they can also change that ture being currently standardized by the CAPWAP Working
setting on a per-packet basis. In this paper we restrict our- Group at IETF [6], which should allow installations to scale
selves to 802.11 networks, but the ideas presented can be to large numbers of access points by simplifying network
equally applied to other wireless LAN technologies. management.
In terms of their physical location, we assume attackers
can move freely around the area covered by the wireless net-
3.2 Signalprint Representation
work. Note that in practice, this is only possible in environ- Conceptually, a signalprint is the signal strength charac-
ments with little or no physical security, such as in cafeterias terization of a packet transmission. Each signalprint is rep-
and other hotspots. The probability of mounting successful resented as a vector of signal strength measurements, with
attacks would be lower in environments with tighter security one entry for each access point acting as sensor. Values in
measures, such as in enterprise installations. signalprints always appear in the same order, i.e., position
In this paper we focus on the two classes of attacks already i always contains the signal strength level (in dBm) reported
mentioned: masquerading and resource depletion attacks. by the ith AP. We use the notation S[i] to refer to the ith
entry in a signalprint. If an access point does not report
3. SIGNALPRINTS
an RSSI level for a given packet, a default value equal to
its sensitivity is used. (The sensitivity of a receiver with re-
spect to a given data rate is defined as the minimum signal
3.1 Network Architecture. strength level needed to achieve a target packet error rate.)
We assume a network architecture as shown in figure 1, The size of a signalprint is the number of non-default el-
composed of multiple access points (APs) distributed across ements it contains, i.e., the number of entries created from
the environment that feed traffic information to a central- actual RSSI measurements. For instance, figure 2(a) shows
ized server, which we call a wireless appliance (WA). We two signalprints, S1 and S2 , both with 7 entries (the number
focus on the access points deployed as sensors: they observe of APs in the network) but with sizes 5 and 6, respectively.
the traffic on a channel specified by the WA and collect in- (In this case, default values of -95 dBm were used.) Signal-
formation such as the received signal strength level for each print S1 was created using RSSI levels reported by APs 1,
packet successfully received. This information is then for- 3, 4, 5, and 7, while S2 has values from APs 1, 2, 4, 5, 6,
warded to the WA, which is able to create a signalprint for and 7. As an alternative notation, S1 can also be written as
each packet of interest. S1 : (−50, , −80, −73, −88, , −60), where default values are
Our proposed mechanism can be readily deployed. For omitted.
instance, the architectural requirements just presented are
currently satisfied by some 802.11-based wireless intrusion 3.3 Signalprint Generation
detection systems (WIDSs) and network installations that Figure 1 illustrates how signalprints are created for wire-
employ lightweight access points. Some WIDSs work ex- less transmissions. A client (Client1) is shown transmitting
actly as described above, with a server aggregating infor- an authentication request through its current access point

44
(solid line). Before forwarding the packet to the WA, the being unable to considerably change the signalprints they
AP tags it with the RSSI level measured during reception. produce. We show that the use of differential signalprints
(Signal strength estimates are commonly made available by makes the system robust against devices that employ multi-
IEEE 802.11 device drivers for each packet received.) The ple transmission power levels, further decreasing their con-
other two APs shown in the figure are also configured as trol over the signalprints generated.
sensors and tuned to the same channel. As Client1 is also
Signalprints are strongly correlated with the physi-
within their ranges, they send similar reports to the WA
cal location of clients, with similar signalprints found
with their own RSSI measurements. As shown at the top
mostly in close proximity. In our measurements, per-
of the figure, the WA aggregates all reports and creates the
formed within a 45m×24m office environment with a total
following signalprint for Client1: SC1 : (−73, −51, −67). A
of 12 802.11 access points, devices need to be as close as 5
signalprint for a second client, Client2, is also shown at the
meters in order to generate similar signalprints with high
WA. The signalprints produced by both clients are quite dif-
probability, even when only 6 APs are used. This allows the
ferent – for example the clients could be located in different
detection of masquerading attempts when attacker and vic-
offices within a building.
tim are not in close proximity. If an attacker aims to DoS
The WA can identify identity-based attacks by compar-
a specific client and avoid detection, he is forced to move
ing signalprints produced by multiple packets. For exam-
closer to the infrastructure, thus risking exposure.
ple, if Client1 submits a high rate of requests trying to
This property has also been demonstrated by WLAN lo-
clog the authentication server, the WA can detect it given
calization systems that employ an offline training phase where
that many of Client1’s transmissions produce similar sig-
signal strength patterns (essentially signalprints) are created
nalprints. Likewise, the WA can detect if Client2 mounts
for a set of selected locations (usually called a signal map,
a DoS attack against Client1 by sending 802.11 deauthen-
or radio map). These systems have consistently achieved
tication requests with Client1’s MAC addresses, as the sig-
average localization errors below 3 meters, mapping areas
nalprints produced by the two devices are different.
as large as 19,000 s.f. and with numbers of access points
We assume that a subset of the deployed access points
varying between 4 and 20 [4, 20, 17, 24].
report RSSI measurements to the WA for all transmissions
they can detect. In the case of a WIDS that relies on a Packet bursts transmitted by a stationary device
separate wireless infrastructure, some APs are already per- generate similar signalprints with high probability.
manently configured as sensors. In a CAPWAP network, Our measurements show that while RSSI levels for a sta-
the WA is responsible for selecting the APs for signalprint tionary device do oscillate over time due to multiple factors,
processing. In an over-provisioned installation, the WA can over 90% of variations are within 5 dB from the median RSSI
select the access points that are not actively serving clients. level. This correlation between consecutive samples has also
Signalprint-based attack detection should be implemented been reported by other researchers [24]. Consequently, an
as a reactive mechanism whenever the number of sensors is attacker that mounts a resource depletion attack using ran-
not sufficient to cover all active channels. For instance, dense dom MAC addresses can be easily spotted. While not all
802.11 deployments have at least 15 non-overlapping chan- signalprints may match each other, the network would still
nels available across both 2.4 and 5 GHz frequency bands. be able to detect that a single transmitter is responsible for
The objective is to maximize the size of the signalprints a high rate of requests.
produced: the more measurements are received for a packet
transmission, the more accurate is the information gathered Signalprints allow a centrally controlled WLAN to reliably
about the location of the corresponding device. For that single out clients. Instead of identifying them based on MAC
to be possible, sensor APs need to be listening simultane- addresses or other data they provide, signalprints allow the
ously to the proper channel. In large networks, where more system to recognize them based on what they look like in
channels are required to serve active clients, dividing the terms of signal strength levels.
sensors across all channels to be monitored would produce
short, inaccurate signalprints. For this reason, a two-step 4. MATCHING SIGNALPRINTS
monitoring process should be implemented in these situa- In this section we demonstrate how matching rules are
tions. First, the WA identifies any abnormal behavior using specified to detect identity-based attacks. In section 4.1 we
both active and sensor APs, which are scattered across all describe the use of differential signal strength values during
channels. When abnormal behavior is detected – such as a matching. In sections 4.2 and 4.3 we describe how values
surge in the number of 802.1X authentication requests or a within signalprints are compared using max-matches and
high number of association events related to a single client – min-matches. In section 4.4 we describe how matching rules
the WA sets enough sensors to the proper channel to create are specified in terms of these operations.
signalprints for the relevant packets.
3.4 Signalprint Properties 4.1 Differential Values
Values within a signalprint can be written as absolute val-
Three properties concerning signalprints enable their use
ues (e.g. RSSI levels in dBm) or as relative values (e.g. with
as reliable client identifiers:
respect to its higher or lower value). We use the term dif-
Signalprints are hard to spoof. Signal attenuation is a ferential signal strength to refer to the difference between
function of the distance between clients and access points, the value at a given position and the maximum value found
with a strong dependence on environmental factors such in that signalprint. Signalprints are either written with
as construction materials and obstacles such as furniture absolute or differential values: for example, a signalprint
items [13, 18]. Consequently, transmitters have little or S : (−50, −62, −76) written using differential signal strength
no control over signal attenuation within the environment, becomes S : (0, −12, −26). Figure 2(b) shows S1 and S2

45
 (a) Signalprint size. (b) 10-dB max-matches. (c) 20-dB min-matches.

Figure 2: Signalprint matching examples. Figure 2(a) shows two signalprints and their corresponding sizes.
Figures 2(b) and 2(c) demonstrate how max-matches and min-matches are computed.

written with both absolute and differential values (the lat- high numbers of max-matches with low values of  (e.g. 5
ter shown respectively above and below S1 and S2 ). When dB) are likely to occur for a pair of signalprints sent by the
matching two signalprints, both need to be written in either same device.
absolute or differential values.
The use of differential values increases the robustness of 4.3 Min-Matches
signalprint operations against devices (possibly malicious) Analogous to a max-match, a “min-match” of  dB is found
that vary their transmission power levels between frames. whenever values differ by at least  dB. A 10-dB min-match is
It is a trick borrowed from differential GPS, where a sec- found at position i if abs(S1 [i] − S2 [i]) ≥ 10 and both S1 [i]
ond, stationary receiver is used to remove timing errors that and S2 [i] are non-default values. The total number of -
occur in both paths, between a satellite and each one of the dB min-matches found when comparing signalprints S1 and
receivers. In our case, this error or unknown quantity is the S2 is denoted by minM atches(S1 , S2 , ). As shown in fig-
power level used by a transmitter. With absolute values, ure 2(c), a single 20-dB min-match is found when comparing
changes in transmission power create similar changes in the S1 and S2 , at position 4.
detected RSSI, which could cause the system to attribute Min-matches allow the system to identify, with high prob-
multiple packets sent by a single client to multiple devices. ability, when two packets are sent by distinct devices. While
Using differential values, transmissions performed by a sta- small variations in received signal strength occur even for a
tionary transmitter generate similar signalprints, increasing stationary client, rarely does it change by more than 10 or
changes of attack detection. 15 dB. Consequently, the system can classify two packets as
coming from different devices with high confidence if large
4.2 Max-Matches differences are seen in a signalprint.
Matches are found by comparing values at the same posi-
tion in two different signalprints. A “max-match” of  dB is 4.4 Matching Rules
found whenever values differ by at most  dB. I.e., a 10-dB We say that a pair of signalprints “match” if they sat-
max-match is found at position i if abs(S1 [i] − S2 [i]) ≤ 10 isfy a specified matching rule, a boolean expression involv-
and both S1 [i] and S2 [i] are non-default values. The total ing numbers of max-matches and min-matches, and possi-
number of -dB max-matches found by comparing signal- bly signalprint properties such as size. The matching rule
prints S1 and S2 is denoted by maxM atches(S1 , S2 , ). maxM atches(S1 , S2 , 5) ≥ 4 requires two signalprints to have
We decided to remove default values from match compu- RSSI values within 5 dB of each other in at least 4 positions.
tations because they can arise from two distinct scenarios. When specifying matching rules, it is important to ac-
On one hand, a client can be simply outside the range of count for both signal strength oscillation and lack of feed-
an access point, in which case its packets are not detected back from access points. Constant RSSI oscillation makes
and RSSI measurements are simply not reported. On the it unlikely that even signalprints produced by the same sta-
other hand, many events may cause an AP to fail to re- tionary device have the exact same RSSI values in multi-
ceive packets independently of signal quality. For instance, ple positions. Consequently, we usually write max-match
two packets sent on the same channel but on different cells clauses with values of  of at least 5 dB. The lack of feedback
may overlap in time, in which case both packets might be from some APs prevents matches in all signalprint positions.
incorrectly decoded and dropped by the AP. As with intrusion detection systems, matching rules are
In this paper matches are always computed using differ- specified with the objective of minimizing false positives, i.e.,
ential signal strength values. Figure 2(b) shows that 3 10- we want a match to be a strong indication that an attack is
dB max-matches are found when comparing S1 and S2 , i.e. taking place. The reason is cost: a match raises an alarm
maxM atches(S1 , S2 , 10) = 3. Signalprints are shown with that is likely to be handled by the network administrator.
both original and differential signal strength values, with Rules can be made more precise (fewer false positives) by
matches found at positions 1, 4, and 7. Note that position increasing the minimum number of matches and changing
5 does not yield a 10-dB max-match when using differential the value of .
values: the difference equals 21 dB instead of the 8 dB when
absolute values are used.
Max-matches are especially useful when looking for sig- 5. ATTACK DETECTION
nalprints produced by the same transmitter. As we show in Three attack properties are important to our analysis: R
section 6, RSSI values produced by a stationary client tend denotes the rate in packets per second (pps) required for
to oscillate within 5 dB from its median value. As a result, a given DoS attack to be effective, S denotes the speed of

46
the device, while A denotes the number of antennas under 5.2 Masquerading Attacks
the control of the attacker. In this section we assume that In masquerading attacks, an attacker targets a specific
devices are stationary (S = 0) and provided with a single client by cloning its MAC address or the address of its ac-
omni-directional antenna (A = 1). In section 6.4 we address cess point. For instance, Bellardo et al. have shown that
the effects of moving devices, while in section 6.5 we assume deauthentication and disassociation attacks can be easily
attackers with directional antennas. Finally, we discuss at- mounted in 802.11 networks and are very effective [5]. Be-
tacks with multiple antennas in section 7. fore a client can send packets over the wireless link, it needs
to authenticate and associate itself with an AP. In a deau-
thentication attack, deauthentication requests are sent by
5.1 Resource Depletion Attacks an attacker with the MAC address of the victim. The ac-
In this scenario, an attacker sends high rates of request cess point, after granting the attacker’s request, removes the
messages using random MAC values in order to emulate victim from the authenticated state and drops all its pack-
a high number of clients and consume scarce resources in ets until association is reestablished. Bellardo et al. discuss
the network. For example, an attacker can send enough other equally effective masquerading attacks that exploit the
DHCP requests in a hotspot as to consume all available IP association service and the power saving mechanism [5].
addresses, flood access points with association requests in In normal situations, 802.11 devices are not expected to
the hopes of exceeding allowed limits, or send high rates generate high rates of authentication or association mes-
of authentication requests to slow down or even disable a sages. However, there are situations in which well-behaved
shared authentication server. clients switch between access points with a frequency that is
As an example, Dean et al. [7] have also shown that ef- abnormally high. For example, in their study of a large-scale
fective low-bandwidth DoS attacks can be mounted against 802.11 network, Kotz et al. showed that clients sometimes
TLS, one of the preferred authentication methods to be used are overly aggressive when selecting the best access point,
in 802.11i/802.1X [2, 1]. TLS requires cryptographic oper- which causes them to reassociate more often than neces-
ations (e.g. RSA and Diffie-Hellman) that when executed sary [16]. In these cases, multiple APs are within the client’s
in software demand tens of milliseconds even on a dedicated range with comparable RSSI levels, which may cause it to
processor. In situations where a dedicated server is not avail- change APs with small variations in signal strength.
able – some lightweight AP architectures perform authenti- So the WA can detect an unusual traffic pattern, but is an
cation at the WA – the overhead imposed by each request attack really happening? Signalprints can be used to detect
could be much higher. A server could therefore be over- attacks with high probability, providing a level of assurance
loaded by a device that generates 100 requests per second, that cannot be achieved by only looking at packet contents.
which can be injected into the network while demanding far The input now consists of two sets of packets that rep-
less than 1Mbps of attack bandwidth. resent conflicting requests (e.g. authentication vs. deau-
In this case, the input to the signalprint matching process thentication messages), all transmitted with the same MAC
is a set of packets (e.g. authentication requests) with distinct address. An attack is detected by comparing pairs of sig-
MAC addresses and their corresponding signalprints. Effec- nalprints, one from each set. Given that continuous attacks
tive DoS attacks in this category require high packet rates are needed to severely affect a victim’s throughput, large
(R >> 1 pps), so many signalprints should be available for input sets are also expected in this case. For example, to
processing. By comparing pairs of signalprints, the system keep a victim off the network, Bellardo et al. used up to 10
can identify subsets generated by the same device. deauthentication frames per second in their experiments [5].
Matching rules should require multiple max-matches with To detect these attacks, matching rules should require
low values of  because we are looking for signalprints that min-matches with large values of , because we are look-
were generated by the same device and therefore expected ing for considerable differences in RSSI that would indi-
to have similar RSSI values in multiple positions. Using cate two (or more) distinct transmitters. In this case, rules
6 APs as sensors, the first rule we evaluate in section 6 can be more precise by either increasing the number of
for this purpose is maxM atches(S1 , S2 , 5) ≥ 4. We can min-matches or increasing the value of . In our evalua-
decrease the probability of false positives by increasing the tion section, using 6 access points, we look for 10-dB min-
required number of max-matches or decreasing the value of matches. We evaluate the performance of two matching
. The second rule we evaluate – maxM atches(S1 , S2 , 5) ≥ 5 rules for this purpose: minM atches(S1 , S2 , 10) ≥ 1 and
– tends to be satisfied by signalprints generated at locations minM atches(S1 , S2 , 10) ≥ 2.
that are physically closer to each other.
In order to further decrease the probability of false posi- 6. EVALUATION
tives, these rules can be extended with min-match clauses. In this section we show that signalprints are strongly cor-
For instance, consider two signalprints that satisfy the sec- related with the physical locations within an environment,
ond matching rule above by having similar RSSI levels in 5 which allows them to be used as robust, location-dependent
positions. Now consider the single position that did not pro- client identifiers.
duce a max-match. If one of the signalprints has a default
value at that position, the likelihood of these signalprints be- 6.1 Testbed
ing from the same device does not change much. However, Our testbed consists of a 45×24m (147×78 ft) section of
if values are defined in both signalprints and differ by 8 or an office environment (the 4A Wing of the Gates Building
10 dB, this likelihood decreases substantially. Therefore, we at Stanford University). As shown in figure 3, it contains
evaluate a third matching rule that extends the second rule a mix of offices (most 3×6m), large labs (at least 8×4.5m),
above with a min-match clause: maxM atches(S1 , S2 , 5) ≥ and long corridors. We have installed a total of 12 IEEE
5 ∧ minM atches(S1 , S2 , 8) = 0. 802.11b/g access points, which are mounted at the ceiling

47
 10

Variation (dB)
0
9 10
20 -10
-20
6 5 4 7 -30
Y coordinate (m)

-40
0 50 100 150 200 250
10 Sample

2 3 8 10

Variation (dB)
1 0
11 12 -10
-20
0 -30
0 10 20 30 40 -40
X coordinate (m) 0 50 100 150 200 250
Sample
(a) Testbed network.
10

Variation (dB)
0
-10
-20
20
-30
-40
Y coordinate (m)

N 0 50 100 150 200 250

Sample

10 10

Variation (dB)
0
-10
-20
-30
0 -40
0 50 100 150 200 250
0 10 20 30 40 Sample
X coordinate (m)

(b) Sampled locations. Figure 4: RSSI oscillation for a stationary device.

Each graph was created by choosing one of the loca-
Figure 3: Our testbed and locations sampled. tions sampled and one access point within its range.
It shows the variation in signal strength for con-
secutive frame transmissions relative to the median
RSSI (shown as 0 dBm) for that location-AP pair.
(height of 2.5 m) and connected to a centralized server. The
access points are off-the-shelf Linksys WRT54G units run-
ning a Linux distribution (OpenWrt rc3), their exact place-
ment depicted by triangles in figure 3(a). An application Our measurements suggest that most signal strength os-
running at each AP monitors the wireless channels and re- cillations are small, within 5 dB from the median RSSI level.
ports signal strength information back to the server. Each graph in figure 4 was created by choosing one of our
In order to evaluate our mechanism, we created a test sampled locations and one of the access points within its
dataset by manually sampling 135 locations across the floor, range. Each graph shows the variation in signal strength
as shown in figure 3(b). At each location a laptop provided for successive transmissions: the difference between the de-
with a Cisco 340 PCMCIA card transmitted ping packets tected RSSI and the median value for the corresponding
at rates between 10 and 20 packets per second for approxi- location-AP pair (the median, or base level, is shown as 0
mately one minute, as our access points had to hop through dBm). The top two graphs in figure 4 are examples of the
the three 802.11b/g non-overlapping channels. The client behavior detected for most locations: the majority of RSSI
annotated each packet with the location ID, while each ac- oscillations are within 5 dB from the median. Aggregating
cess point in range tagged it with an RSSI level and for- all the measurements in our dataset – all locations with re-
warded it to the localization server, which logged all mea- spect to all access points – we have that over 71%, 90%, and
surement traffic. At all locations the laptop was held at 93% of RSSI oscillations are respectively within 2, 5, and 10
waist level and with the same orientation, with the user fac- dB from the median RSSI levels.
ing North as indicated in figure 3(b). A total of over 420,000 However, the tail of the distribution is long, and some
signal strength samples were collected, and we created a dis- strong, mostly destructive oscillations do occur. The bottom
tinct signalprint for each location by using the median RSSI two graphs in figure 4 are examples of this case. In one of
level with respect to each access point. them, the RSSI level is somewhat stable, with a couple of
strong oscillations (>25 dB). In the other example, periods
6.2 Signal Strength Oscillation with strong RSSI degradation seem to happen with a certain
We first demonstrate that while stationary, a wireless client frequency, with a difference in signal strength between the
tends to create similar signalprints, despite the inherently two levels of over 30 dB. 1
unpredictable nature of wireless propagation. This is an While strong RSSI oscillations do occur in our measure-
important property when we consider the performance of ments, the path loss between a stationary client and each
our system against DoS attacks with high rates of requests. AP is stable most of the time. In theory, multipath prop-
For example, even a small fraction of matching signalprints
would allow the network to detect a malicious device that 1
We do not have a definitive explanation for these signal
sends over 100 authentication requests per second. strength variations we have observed.

48
 ❍ ● ● ● ● ● ● ●
❍ ❍ ▲ ● ● ● ● ● ❍ ❍ ❍ ● ● ● ● ● ● ❍
▲ ● ❍ ● ● ●
20 ● 20 ●
● ● ● ● ● ● ● ● ● ● ● ● ● ❍ ● ● ● ● ● ● ● ❍ ● ● ● ●
● ❍ ▲ ❍ ❍ ▲
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ❍ ● ● ● ● ❍ ● ● ● ● ● ● ● ● ● ●
Y coordinate (m)

Y coordinate (m)
▲ ▲
❍ ● ● ● ● ● ● ● ● ● ● ● ● ● ❍ ❍ ❍ ● ● ● ● ● ● ● ● ● ● ●
● ● ● ● ● ● ● ● ● ●
● ● ● ● ● ●
● ● ● ● ● ❍ ● ● ● ●
10 10
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
▲ ▲
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ❍ ● ● ❍ ❍ ● ● ● ● ● ● ● ● ● ● ● ❍
● ● ▲ ❍ ● ▲
● ● ● ● ● ● ● ● ❍ ● ● ● ● ● ❍ ❍ ● ● ● ❍ ● ❍ ❍ ❍ ❍ ❍

● ● ▲ ● ● ▲
● ● ● ● ● ● ❍ ● ● ● ● ❍ ❍ ● ❍ ❍ ● ● ● ❍ ● ● ● ● ❍ ❍
0 0
0 10 20 30 40 0 10 20 30 40
X coordinate (m) X coordinate (m)

(a) maxM atches(S1 , S2 , 5) ≥ 4. (b) maxM atches(S1 , S2 , 5) ≥ 5.

❍ ● ● ● ❍ ● ● ❍
❍ ❍ ▲ ● ❍ ● ● ● ❍ ❍ ● ● ● ● ● ● ● ● ● ● ● ● ●
20 ● 20 ●
❍ ● ● ❍ ❍ ● ● ● ❍ ● ● ● ● ● ● ● ● ● ● ● ❍ ● ● ● ● ●
❍ ❍ ▲ ● ❍ ▲
❍ ● ● ● ● ❍ ● ● ● ● ● ● ● ● ● ❍ ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Y coordinate (m)

Y coordinate (m)
▲ ▲
❍ ❍ ❍ ● ● ❍ ❍ ❍ ● ❍ ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
● ❍ ● ● ● ● ● ● ● ●
● ● ● ● ● ●
❍ ● ● ● ❍ ● ● ● ● ●
10 10
● ● ❍ ❍ ● ● ● ● ● ● ❍ ❍ ● ● ● ● ● ● ● ● ● ● ● ● ● ●
▲ ▲
● ❍ ● ● ❍ ❍ ● ● ● ● ● ● ● ● ● ● ● ❍ ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
❍ ● ▲ ● ● ▲
● ❍ ❍ ● ● ● ❍ ● ❍ ❍ ❍ ❍ ❍ ● ● ● ● ● ● ● ● ● ● ● ● ●

● ● ▲ ● ●
● ❍ ❍ ❍ ● ● ❍ ● ● ● ● ❍ ❍ ● ● ● ● ● ● ● ● ● ● ● ● ●
0 0
0 10 20 30 40 0 10 20 30 40
X coordinate (m) X coordinate (m)

(c) maxM atches(S1 , S2 , 5) ≥ 5 ∧ (d) maxM atches(S1 , S2 , 5) ≥ 3 ∧

minM atches(S1 , S2 , 8) = 0. minM atches(S1 , S2 , 8) = 0.

Figure 5: Location pairs satisfying multiple matching rules. Figures 5(a)-5(c) use the 6-AP configuration
(APs shown as triangles), while figure 5(d) uses the setup with 4 access points.

agation and other phenomena generate small-scale fading, AP configuration, figure 5(a) shows all location pairs that
with possibly strong RSSI variations over time caused by satisfy the matching rule maxM atches(S1 , S2 , 5) ≥ 4 con-
people walking by, doors being closed, and other changes nected by a line segment. Even though many matches are
in environment that affect any of the multiple paths taken produced, most of them involve locations that are close to
by transmissions between two devices. In practice, however, each other. Overall, 430 matches were found (4.8% of all
these events do not seem to happen often. Perhaps these re- pairs), with 51%, 74%, and 91% of them found respectively
sults are due to techniques developed to decrease the effects for locations within 5, 7, and 10 meters from each other.
of small-scale fading in wireless systems, such as antenna However, there are still many matches found for locations
diversity, implemented in most 802.11 devices. more than 15 meters from each other. All matching results
presented in this section are summarized in table 1.
6.3 Signalprints and Physical Proximity As discussed in section 5.1, matching results are improved
In this section we explore the relationship between signal- if we increase the number of max-matches required. Still
prints and physical proximity between transmitters in order using 6 sensors, figure 5(b) shows the locations whose sig-
to detect identity-based attacks. Despite having 12 access nalprints satisfy the rule maxM atches(S1 , S2 , 5) ≥ 5. Com-
points deployed in our testbed, all the results presented in pared to figure 5(a), there is a significant reduction in the
this paper use two AP configurations: one with 6 access number of long-distance matches. A total of 150 matches
points (numbers 3, 5, 6, 8, 10, and 11 in figure 3(a)) and were found (1.7% of all pairs), with respectively 64%, 88%,
the other with 4 APs (numbers 2, 4, 6, and 8). The config- and 98% of them found for locations within 5, 7, and 10
uration with 4 access points is used to evaluate the loss in meters from each other. In this case, there are no matches
accuracy when using fewer sensors. Each figure shows the for locations more than 15 meters apart.
APs being used as triangles and omits the others. Using min-matches, matching rules can be made even
more precise. Figure 5(c) shows that the matching rule
6.3.1 Detecting Packets From a Single Device maxM atches(S1 , S2 , 5) ≥ 5 ∧ minM atches(S1 , S2 , 8) = 0
further reduces the number of long-distance matches. Like
As discussed in section 5.1, matching rules that detect in figure 5(b), this rule still requires a minimum of 5 max-
when packets are generated by the same device are useful to matches of 5 dB, but now rejects all the location pairs for
detect high-rate DoS attacks. By requiring multiple max- which any difference larger than 8-dB is found. As shown,
matches with low  values, we show that matching similar this rule produces only 97 matches (1.1% of all pairs), with
signalprints are found mostly in close proximity. respectively 72%, 91%, and 99% of them found for locations
Locations that produce signalprints with similar values in within 5, 7, and 10 meters from each other. In this case
multiple positions tend to be physically close. Using the 6-

49
 Matching Rule Figure # APs # Matches ≤ 5m ≤ 7m ≤ 10m
maxM atches(S1 , S2 , 5) ≥ 4 fig. 5(a) 6 430 (4.8%) 50.9% 74.4% 91.2%
maxM atches(S1 , S2 , 5) ≥ 5 fig. 5(b) 6 150 (1.7%) 64.0% 88.0% 98.0%
maxM atches(S1 , S2 , 5) ≥ 5 ∧ minM atches(S1 , S2 , 8) = 0 fig. 5(c) 6 97 (1.1%) 72.2% 90.7% 99.0%
maxM atches(S1 , S2 , 5) ≥ 3 ∧ minM atches(S1 , S2 , 8) = 0 fig. 5(d) 4 317 (3.5%) 62.2% 86.4% 99.1%
minM atches(S1 , S2 , 10) ≥ 1 (no figure) 6 8643 (95.6%) 4.6% 10.1% 21.9%
minM atches(S1 , S2 , 10) ≥ 2 (no figure) 6 7768 (85.9%) 2.6% 6.9% 17.9%

Table 1: Matching results. Each row shows a matching rule, the figure (if any) containing the signalprints
created from our measurements that satisfy that rule, the number of access points used as sensors, the
number of matches produced, and the percentages of matches created by locations within 5, 7, and 10 meters
from each other. The first four rules are used to detect packets transmitted by the same device, while the
last two detect packets sent by distinct devices.

there is a single match for locations more than 10 meters 6.4 Moving Devices
from each other. We do not expect legitimate clients on the move to gen-
Finally, figure 5(d) shows that performance degrades if erate false alarms because they send requests at rates much
we decrease the number of access points used to 4, but that lower than required by most attacks. For example, consider
results are still satisfactory due to the use of min-matches. an 802.11 client that associates with an access point and
With 4 APs, this matching rule requires at least 3 5-dB max- after some time moves to a different location and requests
matches and no 8-dB min-matches. It produces 317 matches, disassociation. Despite the fact that the two signalprints
but with respectively 62%, 86%, and 99% of matches found generated can be quite different, an alarm should not be
for locations within 5, 7, and 10 meters from each other. raised in this situation. An effective disassociation attack
Note that these numbers are better than the ones related to requires higher rates of deauthentication requests to keep a
figure 5(a) even though there are two fewer access points. client off the network, so only a larger number of matching
These results show that resource depletion attacks can be signalprints detected during a short period of time (e.g. tens
detected with high probability, as matching signalprints are of seconds) should generate an alarm.
found mostly for locations that are near each other. There- Unless an attacker moves towards the victim, changing his
fore, a large number of matching requests means they are location does not increase the chances of having a successful
being transmitted from a specific location or area, which masquerading attack. What matters is not how the signal-
could be found by coupling our mechanism with a localiza- prints he produces compare to each other – for this matter
tion system. Some signalprints produced at the same loca- they could be all different – but how similar they are to the
tion may not match due to RSSI oscillations, but this does one produced by the victim. Attacks are detected as long
not prevent the WA from detecting high-rate DoS attacks. as there are considerable RSSI differences, which only cease
to exist if the attacker moves close to his victim.
Whether an attacker can disguise a resource depletion at-
tack by changing his location over time depends on his speed
6.3.2 Detecting Packets From Distinct Devices and the required packet rate. Let us assume that an attacker
In this section we evaluate matching rules specified to moves at pedestrian speeds and consider an attack requir-
decrease the probability of false positives when looking for ing R > 10 pps (such as the attack against TLS). In this
masquerading attacks. We want signalprints to match only case, attacks are still detected with high probability. If he
if there is a high probability that they were indeed produced transmits at a uniform rate, which has to be close to R pps,
by distinct devices. In this case, detecting large RSSI dif- he continuously provides the system with information about
ferences is more important than finding similar values, so his location. Packets transmitted close in time generate sim-
min-matches play a more important role in these situations. ilar signalprints, allowing the system to track his location if
Most location pairs in our dataset generate signalprints a localization system is available. To avoid being tracked,
that satisfy the matching rule minM atches(S1 , S2 , 10) ≥ 1, an attacker needs to alternate periods of packet transmis-
i.e., values in at least one position differ by 10 dB or more. sions and radio silence. During such transmission bursts,
As shown in table 1 (5th row) over 95% of all location pairs however, he needs to send packets at rates higher than R
satisfy this rule. Even a large number of locations that are pps in order to compensate for the periods of silence. This
physically close can be distinguished, with over 400 matches attack would be also detected because signalprints gener-
produced for locations less than 5 meters from each other. ated during each burst should match each other with high
Overall, these results show that masquerading attacks can probability. However, tracking the attacker becomes more
be detected with high probability, as at least one access point challenging because these bursts produce location estimates
can tell the two locations apart. that are further apart.
We can decrease the probability of false positives by in-
creasing the minimum number of 10-dB min-matches to 2. 6.5 Directional and Beamforming Antennas
As shown in the 6th row in the table, over 85% of all loca- A single directional or beamforming antenna would be
tion pairs still produce a match. In this case, a match is more helpful to an attacker implementing a resource deple-
an even stronger indication that an attack is taking place, tion attack than a masquerading attack. In a masquerading
as signalprints differ substantially relative to at least two attack, it is still hard for an attacker to clone the exact
access points. signalprint produced by his intended victim from a large

50
distance. In close range, an omni-directional transmitter that can be realized with low overhead and without modi-
would also be effective while being easier to conceal. During fying clients. For example, the authors suggest that access
resource depletion attacks, changing the transmission beam points buffer deauthentication and disassociation requests
allows an attacker to change his signalprint, which decreases for brief periods of time (5-10 seconds) before processing
the number of matching requests. The probability of detec- them. In this case, conflicting requests would be taken as
tion depends on the number of distinct patterns a trans- indications of an attack.
mitter is able to create and the packet rate required by the Concurrently to our work, Demirbas et al. have proposed
attack. If an attacker is only able to produce a small number the use of RSSI measurements from multiple sensors to de-
of antenna patterns and an attack requires high packer rates tect sybil attacks in wireless sensor networks, where a node
(tens or hundreds of packets per second), some of the sig- uses multiple identities [8]. As testbed, the authors use up
nalprints produced are still associated with a large number to four Mica2 motes operating as sensors at 433 MHz, with
of requests, allowing detection with high probability. motes always located in close proximity to each other (30 cm
to 10 m). Our research demonstrates that reliable attack
7. LIMITATIONS detection is possible for larger 802.11 installations, where
clients can be more than 40 meters from access points.
Due to the use of RSSI levels to characterize wireless A technique called RF fingerprinting (RFF) has been de-
clients, one inherent limitation of our mechanism is that veloped to identify distinct transceivers across multiple wire-
it may be unable to distinguish two devices located phys- less systems [22, 9]. The fingerprint for a transmitter is cre-
ically close to each other. Masquerading attempts can be ated from several features (such as phase, and amplitude)
detected if there is a noticeable difference in RSSI with re- extracted from a period of transient behavior that occurs
spect to at least one access point. As shown in section 6.3.2, as the device powers up before a transmission. These turn-
this happens even for some locations in close range, possi- on transients are different for each tranceiver, allowing even
bly due to obstacles that affect one location more than the units build on the same factory to be distinguished. RFF
other. In some situations – such as multiple clients in a systems have been used to detect cloned phones in cellu-
conference room – the system may not have compelling evi- lar systems [19], and several researchers have proposed their
dence that packets are coming from different devices, making use in wireless LANs [12, 23]. One disadvantage of RFF is
masquerading attacks possible. The level of physical secu- that it requires specialized hardware to measure the signal
rity in an installation dictates whether these attacks can be properties needed with enough precision.
mounted: compared to a cafeteria, it is harder for an at- Gruteser et al. have proposed the use of temporary inter-
tacker in an enterprise building to get close enough to his face identifiers to improve privacy in WLANs: clients change
victim to mount an undetected masquerading attack. their MAC addresses whenever they associate with an ac-
Our mechanism may also not be able to detect DoS at- cess point, reducing the chances of being tracked [10]. The
tacks composed of few packets. The more packets are in- authors evaluate this mechanism against an attacker that
volved in an attack, the more signalprints are available for uses signal strength information to identify MAC addresses
processing and the higher the probability of detection. A used by the same client. Our research extends this analysis
single-packet deauthentication attack in a 802.11 network to show that with higher number of access points, attack-
may go unnoticed – for example if APs are sensing other ers may be able to track clients even after address changes,
channels – or not provide enough confidence as to raise an unless the number of active devices in the network is large
alarm. In most situations, however, attacks require high enough as to create multiple similar signalprints.
packet rates to be effective, increasing chances of detection. Mechanisms such as client puzzles have been designed to
An attacker may be able to avoid detection if provided slow down attack sources, reducing the damages caused by
with multiple antennas (A > 1). Suppose that an attacker resource depletion attacks [15, 7, 3]. Before any resource
configures its antennas so that each sensor can only listen to is committed to an incoming request, computational puz-
transmissions from a single antenna (e.g. using directional zles are sent back to clients that require CPU- or memory-
antennas with narrow beamwidth values). To successfully intensive operations. Despite being protocol-agnostic, puz-
mount a resource depletion attack, the attacker can simul- zles demand that both clients and servers be modified, in-
taneously transmit a different packet through each antenna. creasing deployment overhead when compared to a signalprint-
As a single sensor detects each transmission, the signalprints based mechanism, implemented solely at the WA.
produced are too short to satisfy the rules presented in sec- Our work also relates to localization algorithms, from pio-
tion 5.1. To mount a masquerading attack, the attacker neer systems such as RADAR [4] and SpotON [14], to more
simultaneously transmits the same packet using all anten- recent approaches that use probabilistic techniques, includ-
nas. By choosing the proper transmission power level for ing the work of Roos et al. [20], Ladd et al. [17], Haeberlen
each of them, he is able to “compose” any arbitrary signal- et al. [11], and the Horus system [24]. By achieving aver-
print with A values. In both scenarios, attacks would be age localization errors below 3 meters these systems have
detected if some of the packets – even a small fraction – demonstrated that signalprints are strongly correlated with
were detected by multiple access points. the location of a wireless client. Moreover, they can be used
to complement signalprint-based mechanisms with localiza-
8. RELATED WORK tion services: when an attack is detected, the corresponding
signalprint can be used as input to such systems so the lo-
Bellardo and Savage have shown that effective DoS at-
cation of the offending device can be determined. Tao et
tacks in 802.11 networks can be mounted with standard
al. have in fact used differential signal strength values to
hardware [5]. They measured the impact of several identity-
make localization services more robust against variations in
based attacks, including the ones targeting authentication
transmission power [21].
and association services, and presented practical solutions

51
 9. CONCLUSION [5] J. Bellardo and S. Savage. 802.11 Denial-of-Service Attacks:
Real Vulnerabilities and Practical Solutions. In Proceedings
In this paper we showed that reliable client identifiers,
of the USENIX Security Symposium, Washington, DC,
which we call signalprints, can be created using signal strength USA, Aug. 2003.
measurements reported by access points acting as sensors. [6] P. Calhoun, M. Montemurro, and D. Stanley. CAPWAP
We showed that while malicious clients can lie about their Protocol Specification. IETF Internet Draft,
MAC addresses, the signalprints they produce are strongly draft-ietf-capwap-protocol-specification-01, May
correlated with their physical location. We demonstrated 2006.
that by tagging packets with their signalprints and crafting [7] D. Dean and A. Stubblefield. Using Client Puzzles to
proper matching rules, a wireless network is able to detect Protect TLS. In Proceedings of the Tenth USENIX Security
Symposium, Washington, DC, USA, Aug. 2001.
a large class of effective denial-of-service attacks based on
[8] M. Demirbas and Y. Song. An RSSI-based Scheme for Sybil
MAC address spoofing. We presented several examples of Attack Detection in Wireless Sensor Networks. In Proc. of
attacks that can be easily mounted in IEEE 802.11 networks International Workshop on Advanced Experimental
and that can be detected by our proposed mechanism with Activities on Wireless Networks and Systems, June 2006.
high probability. [9] K. J. Ellis and N. Serinken. Characteristics of Radio
Measurements in our network testbed demonstrate that Transmitter Fingerprints. Radio Science, 36:585-598, 2001.
multiple packets transmitted by a stationary device pro- [10] M. Gruteser and D. Grunwald. Enhancing Location Privacy
duce similar signalprints with high probability. In our test in Wireless LAN Through Disposable Interface Identifiers:
A Quantitative Analysis. Mobile Networks and
dataset, most RSSI variations for a stationary client with re- Applications, 10(3):315-325, June 2005.
spect to a single access point are small, within 5 dB from the [11] A. Haeberlen, E. Flannery, A. M. Ladd, , A. Rudys, D. S.
median signal strength level. This allows the network to de- Wallach, and L. Kavraki. Practical Robust Localization
tect resource depletion attacks, in which a malicious device over Large-Scale 802.11 Wireless Networks. In Proc. of
transmits high rates of packets (e.g. DHCP or authentica- ACM MobiCom, Philadelphia, PA, Sept. 2004.
tion requests) containing random, forged MAC addresses. [12] J. Hall, M. Barbeau, and E. Kranakis. Enhancing Intrusion
We presented matching rules able to detect that a large per- Detection in Wireless Networks Using Radio Frequency
Fingerprinting. In Proc. of The IASTED Conference on
centage of these packets were indeed generated by a single Communications, Internet and Information Technology,
device, despite the different MAC addresses. Nov. 2004.
We also showed that similar signalprints are mostly found [13] H. Hashemi. The Indoor Radio Propagation Channel.
in close proximity. First, using 6 of our deployed access Proceedings of IEE, 81(7):943-968, July 1993.
points, we showed that locations that produce signalprints [14] J. Hightower, R. Want, and G. Borriello. SpotON: An
with multiple similar RSSI values tend to be within 5 meters Indoor 3D Location Sensing Technology Based on RF
from each other. Then we showed that large RSSI differ- Signal Strength. Technical Report UW CSE 2000-02-02,
University of Washington, Feb. 2000.
ences provide strong evidence that packets were generated
[15] A. Juels and J. Brainard. Client Puzzles: A Cryptographic
by distinct devices. Consequently, an attacker needs to be Defense Against Connection Depletion Attacks. In
physically close to his intended victim in order to mount Proceedings of the Network and Distributed System
undetected masquerading attacks. Security Symposium (NDSS), pages 151-165, San Diego,
Overall, we showed that signalprints are tags that allow a USA, Feb. 1999.
wireless network to identify mobile devices according their [16] D. Kotz and K. Essien. Analysis of a Campus-wide
physical location, improving security in a cost-effective man- Wireless Network. In Proc. of ACM MobiCom, pages
ner. Although signalprints can be defeated, such as by the 107-118, Atlanta, GA, Sept. 2002.
use of multiple synchronized direction antennas, these situ- [17] A. M. Ladd, K. E. Bekris, A. Rudys, G. Marceau, L. E.
Kavraki, and D. S. Wallach. Robotics-Based Location
ations present a challenge for an intruder and increase the Sensing using Wireless Ethernet. In Proc. of ACM
likelihood of detection by physical security measurements. MobiCom, Atlanta, GA, USA, Sept. 2002.
Thus, like the use of fingerprints to identify humans, the [18] T. S. Rappaport. Wireless Communications - Principles
mechanism is not infallible but a significant improvement and Practice. Prentice Hall PTR, 2nd edition, Jan. 2002.
over just believing the identity that the individual claims. [19] M. J. Riezenman. Cellular security: better, but foes still
lurk. IEEE Spectrum, 37(6):39-42, June 2000.
[20] T. Roos, P. Myllymäki, H. Tirri, P. Misikangas, and
10. REFERENCES J. Sievänen. A Probabilistic Approach to WLAN User
Location Estimation. International Journal of Wireless
[1] LAN MAN Standards Committee of the IEEE Computer Information Networks, 9(3):155-164, July 2002.
Society. Standard for Port based Network Access Control. [21] P. Tao, A. Rudys, A. Ladd, and D. S. Wallach. Wireless
Technical Report Draft P802.1X/D11, IEEE Computer LAN Location-Sensing for Security Applications. In Proc.
Society, Mar. 2001. of the Second ACM Workshop on Wireless Security
[2] LAN MAN Standards Committee of the IEEE Computer (WiSe’03), pages 11-20, Sept. 2003.
Society. Wireless LAN Medium Access Control (MAC) and [22] O. Ureten and N. Serinken. Detection of Radio Transmitter
Physical Layer (PHY) Specifications - Amendment 6: Turn-On Transients. Electronic Letters, 35(23):1996-1997,
Medium Access Control (MAC) Security Enhancements. Nov. 1999.
Technical Report 2004 Edition, IEEE Std 802.11i, July [23] O. Ureten and N. Serinken. Bayesian Detection of Wi-Fi
2004. Transmitter RF Fingerprints. Electronic Letters,
[3] M. Abadi, M. Burrows, and T. Wobber. Moderately Hard, 41(6):373-374, Mar. 2006.
Memory-Bound Functions. In Proceedings of the Network [24] M. Youssef and A. Agrawala. The Horus WLAN Location
and Distributed System Security Symposium (NDSS), San Determination System. In Proc. of ACM/USENIX
Diego, USA, Feb. 2003. Mobisys, Seattle, WA, June 2005.
[4] P. Bahl and V. N. Padmanabhan. RADAR: An In-Building
RF-Based User Location and Tracking System. In Proc. of
IEEE INFOCOM, Tel-Aviv, Israel, Mar. 2000.

52

View publication stats