
Researcher fingerprints networks to find rogue hardware

Unauthorized devices are the bane of network admins. New technology based on digital fingerprinting might offer some relief.

Finding a rogue access point is tough. Every time I get asked to help locate one, I turn to the Internet hoping to find a miracle cure. I'm tired of looking like some nut case, running around pointing a weird-looking antenna at everyone.

Things are looking up.

Raheem Beyah, Associate Professor of Computer Science at Georgia State University, has received a large grant from DARPA for a project called Network Intrusion Detection Using Hardware Signatures. With it, Dr. Beyah intends to:

  • Create a hardware signature for each device by studying the packets they generate.
  • Develop an Intrusion Detection System (IDS) prototype employing hardware-signatures.
  • Investigate how to secure networks from threats involving unauthorized devices.

The professor and his team have already accumulated significant experience with Wi-Fi networks, documented in their paper A Passive Approach to Wireless Device Fingerprinting.

After reading the paper I was still at a loss. I did not see how each and every networked device could have a unique digital fingerprint. The only way I know to fix that is to ask questions. Dr. Beyah, a busy educator, was gracious enough to explain.

Kassner: Wikipedia defines device fingerprinting as:

"A compact summary of software and hardware settings collected from a remote computing device."

What do you consider to be digital fingerprinting?

Beyah: First of all Michael, thank you for taking the time to ask questions about the project.

Digital fingerprinting can take on many different meanings. My research focuses on the pointed question of: What do you consider to be device fingerprinting?

I would define device fingerprinting as methods used to identify specific devices or types of devices by using information that is "leaked" from the device.

The leaked information can be an indicator of the device's software (e.g., operating system, firmware, or drivers) or its hardware (i.e., hardware composition). The key is to fuse the various pieces of leaked information to come up with an identifier that is very difficult for an adversary to subvert.

Kassner: I've read fingerprinting can be passive (listening) or done actively (handshake with the device). What are the advantages of each? Which approach do you use?

Beyah: Active approaches usually entail interrogating a node with various types of packets. These packets may vary in size and can be either legitimate or malformed. The goal of active techniques is to trigger a response that is unique to the device that is being fingerprinted.

Passive techniques are often more desirable to the fingerprinter, however they usually give less information about a node than their active counterparts. Generally, passive approaches do not inject any stimulant into the system of interest.

Rather they capture data silently with the goal of not alerting or disturbing the system under surveillance. The data is analyzed to reveal patterns that are unique to the system of interest. We use a combination of active and passive approaches, although most of our work is passive.

Kassner: In the paper, you mention IAT is the parameter used to identify the networked device. I'm not familiar with IAT. What does the acronym stand for and why does it work as a fingerprint?

Beyah: IAT stands for inter-arrival time. When considering IAT in the context of computer-network traffic, it describes the time between successive packets sent or received by a node.

IAT is an interesting metric and can describe many different aspects of a system or network. For example, IAT has been used by researchers to determine which links are bottlenecks in the Internet. It has also been used to determine the type of link used to access a network (e.g., a wireless network link or a wired network link).

In the most basic scenario, the difference between two successive packets (i.e., IAT) gives you information about the system the packets traversed. If several IAT values differ, this can indicate that the state of the system (e.g., the network, a device) the packets traversed may have changed in some form.

Based on the interpretation of these IAT fluctuations, various characteristics of the system of interest may be inferred. For example, if the IAT fluctuations for a specific device were predictable and different from other devices, then those fluctuations can be used to fingerprint devices.

Another way of putting it is that the information describing the system and its state is leaked through the IAT. The challenge is then to determine a way to extract the information buried in a series of IAT values (i.e., a time series). Normally, various statistical and signal processing techniques are used for this.
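To make the IAT idea concrete, here is a small added example written for this page; it is not Dr. Beyah's code and does not reproduce the method from the paper. It turns a capture of packet timestamps into an IAT time series, trims long idle gaps (so a congestion stall, the concern a reader raises in the comments, does not swamp the result), summarises the series as a normalised histogram, and matches an unknown capture against enrolled signatures, labelling it "rogue" when nothing is close. The device profiles, bin edges, L1 distance and threshold are all assumptions, and the captures are synthesised rather than recorded.

```python
"""Toy inter-arrival-time (IAT) device signature.

Added example for this page; not Dr. Beyah's code or the method from the
paper. The device profiles, bin edges, distance metric and rogue threshold
are all assumptions chosen to make the idea concrete.
"""
import random
import statistics
from typing import Dict, List, Sequence, Tuple

# Histogram bin edges for IAT values, in microseconds (assumed, not from the paper).
BIN_EDGES_US = [0.0, 500.0, 750.0, 1000.0, 1250.0, 1500.0, 2000.0, 3000.0, 5000.0]
# Gaps longer than this are treated as idle time or a congestion stall, not a
# device characteristic, and are dropped before the histogram is built.
IDLE_CAP_US = 5000.0
# Largest L1 histogram distance still accepted as "same device" (assumed).
ROGUE_THRESHOLD = 0.5


def inter_arrival_times(timestamps: Sequence[float]) -> List[float]:
    """Return the IAT time series: differences between successive packet timestamps."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def trim_idle_gaps(iats: Sequence[float], cap_us: float = IDLE_CAP_US) -> List[float]:
    """Drop gaps above cap_us so a few long stalls cannot swamp the signature."""
    return [gap for gap in iats if gap <= cap_us]


def histogram(iats: Sequence[float], edges: Sequence[float] = BIN_EDGES_US) -> List[float]:
    """Normalised histogram (empirical PDF) of IAT values over fixed bins."""
    counts = [0] * (len(edges) - 1)
    for gap in iats:
        for i in range(len(edges) - 1):
            if edges[i] <= gap < edges[i + 1]:
                counts[i] += 1
                break
    total = sum(counts) or 1
    return [c / total for c in counts]


def signature(timestamps: Sequence[float]) -> Dict[str, object]:
    """Build a device signature from one capture of packet timestamps."""
    iats = trim_idle_gaps(inter_arrival_times(timestamps))
    return {
        "hist": histogram(iats),
        "mean_us": statistics.fmean(iats),
        "stdev_us": statistics.pstdev(iats),
    }


def l1_distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Sum of absolute bin differences between two normalised histograms."""
    return sum(abs(x - y) for x, y in zip(a, b))


def classify(timestamps: Sequence[float], known: Dict[str, Dict[str, object]]) -> Tuple[str, float]:
    """Match a capture against enrolled signatures; label it "rogue" if nothing is close."""
    hist = signature(timestamps)["hist"]
    name, dist = min(
        ((n, l1_distance(hist, sig["hist"])) for n, sig in known.items()),
        key=lambda pair: pair[1],
    )
    return (name, dist) if dist <= ROGUE_THRESHOLD else ("rogue", dist)


def synth_capture(mean_us: float, jitter_us: float, n: int, seed: int, stall_every: int = 0) -> List[float]:
    """Constructed packet timestamps: Gaussian jitter around mean_us, with optional
    periodic 20 ms stalls that mimic network congestion. Not real traffic."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for i in range(n):
        gap = max(50.0, rng.gauss(mean_us, jitter_us))
        if stall_every and i > 0 and i % stall_every == 0:
            gap += 20_000.0
        t += gap
        out.append(t)
    return out


def enrolled_devices() -> Dict[str, Dict[str, object]]:
    """Two constructed 'known' devices whose NICs emit at different characteristic rates."""
    return {
        "laptop-nic": signature(synth_capture(900.0, 60.0, 400, seed=1)),
        "printer-nic": signature(synth_capture(1400.0, 60.0, 400, seed=2)),
    }


if __name__ == "__main__":
    known = enrolled_devices()
    # Same laptop, new capture, taken during congestion: should still match.
    print(classify(synth_capture(900.0, 60.0, 400, seed=7, stall_every=50), known))
    # A device nobody enrolled: should fall outside the threshold.
    print(classify(synth_capture(1150.0, 60.0, 400, seed=9), known))
```

The two enrolled profiles are deliberately far apart; on a real network the interesting question is how close two devices of the same make and model sit, and whether a signature built under one load condition survives another, which is why the histogram is built only from gaps below the idle cap rather than from raw means.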

Kassner: Wikipedia mentions that digital fingerprints need diversity (no two devices have the same fingerprint) and stability (the fingerprint remains the same over time). It is hard to imagine that each individual device can be differentiated. How is that possible?

Beyah: I agree that it's hard to imagine that devices can have a unique fingerprint. I'm sure many said the same thing about humans before identifiers like DNA, human fingerprints, and retinal scanning were used.

For device fingerprinting, our hypothesis is that network packets are a function of the composition (i.e., the architecture) of the devices that generate them just as voices are a function of the composition (e.g., larynx, vocal cords) of the particular human that generates it.

Also, if you dig a bit deeper, you will find that there are enough manufacturing process variations across integrated circuits (intended to be identical) to uniquely characterize each integrated circuit. Researchers have used this concept in the past to perform various levels of authentication for field programmable gate arrays (FPGAs).

The challenge then lies in extracting these minute differences. We are trying to use various techniques to detect these differences and also to understand the limits of such techniques.

Kassner: It seems that digital fingerprinting is not the end purpose, but the means to achieve it. What is your goal?

Beyah: At a fundamental level, our goal is to understand and characterize the interplay between the architecture of a system and the network to which the system is connected. Fingerprinting is one important application of the fundamental idea that the network can be viewed as an extension of a computing device.

One long-term goal for our fingerprinting work is to have a unique and irrefutable identifier for every device that is attached to any type of network. This will help make our networks more secure.

Kassner: Earlier, you mentioned using techniques similar to human-speech identification. Could you please go into more detail?

Beyah: Sure. We believe there is a parallel between human-voice creation and device-packet creation. The general idea is that both humans and computing devices are compound entities.

Further, for both humans and computing devices to communicate (i.e., speaking for humans and sending packets for computing devices), a complex set of interactions between multiple internal components has to occur. These interactions and the components themselves leave their mark on the resulting communication.

As a result, this unique mark can be detected externally for humans by using various speaker-identification techniques or externally for computing devices using various device-identification techniques.

Kassner: What do you envision this device/technology doing once it locates an unauthorized device attached to the network?

Beyah: This is beyond the scope of this current project, but one could certainly imagine a system that could signal a network switch to disable the port to which the rogue is attached.

Another action could be to signal various intrusion detection systems to monitor the rogue device, its actions, and communication pattern more closely in hopes of gaining enough information to track down the intruder.

Kassner: Would it be possible for this approach to determine the make and model of networked devices and to be used for inventory purposes?

Beyah: Absolutely. This is one goal of this work. There certainly doesn't have to be an active threat for this work to be relevant. Network management is often as difficult as securing the network.

Final thoughts

I see a lot of promise for this type of fingerprinting technology, especially since Dr. Beyah mentioned it will likely be passive in nature. I forgot to ask when it will be available; I hope sooner rather than later.

A special thanks to an unbelievably busy Dr. Beyah for his willingness to help.


16 comments
crcgraphix

This reminds me of when an MIT and a Technology Successor student came out with a ray gun. This large and elaborate antenna was able to scan wireless modems from almost a mile away and could penetrate 4 to 5 layers of walls. It also had such strong pick-up ability that it could suck the MD5 hash algorithms right through in milliseconds. Then they could get in. But, many networks that have double-encryption technologies and SonicWall do not get broken into, even by this type of device. However, this is a reason why we must secure our wireless infrastructure.

ijustfixedthat

I thought the MAC address was the 'fingerprint' for all network interfaces? Even if a MAC is spoofed, you control the master list of devices that should be allowed to connect to your network. If you have two devices with the same MAC, one may be spoofed - go physically check it out, pull the legitimate device and if possible change its MAC to something different and disallow communication with the rogue. If a device's MAC address is suspicious, simply don't allow your network to 'talk' to it.

mmatchen

Seems to me like it's one of those logging products that map to device syslog signatures for message recognition, only he's trying to do it at a packet level. It'll be interesting if the IAT can be fine-tuned to a particular device, and then determine if that IAT could still reliably identify a device in areas of network congestion where delays are intermittent. More impressive if it can be done reliably in passive mode! For production purposes, there would have to be a separation of what constitutes an "allowed" device versus a "rogue" device, right? So, I guess these "fingerprints" would be added to an IDS/IPS and a network admin would identify a scope of approved devices, and any "fingerprint" outside of that range would be the rogue device? How would that piece work?

pgit

How long before that determination is in the hands of one man, like "enemy combatant" is now? This is the science that will enable the technology I described in a sci-fi short story I wrote over 15 years ago. The story was called "wrong thinking," a double entendre, one meaning being the "crime" of basically thinking for one's self. The protagonist gets his "rogue device" shut off for having held a patented thought without permission. The device is his money, he'd be left to die of starvation. (nobody else would think to feed him, nobody can think that far ahead) Coming to a dystopia near you.

Daemonlord

I think the research will revolutionise network management in general, and not just for wireless, providing the end result is achieved.

bboyd

Can it find rogue thumb drives or key loggers? DOD to DARPA: um we don't like this wiki leaks thing... DARPA to DOD: Cash please.

Michael Kassner

Using a variation of a queuing theory that deals with Inter-Arrival Time differences, Dr. Raheem Beyah is able to differentiate devices located on a common network. Incredible.

Michael Kassner

You mention physically go and check a device out. That is not always possible or efficient.

Michael Kassner

You are right though, as usual. And, I did think about that aspect while pulling the article together. But isn't that ability already here, just a bit tougher to accomplish? Like what the .govs did with CoreFlood.

Michael Kassner

This research is just an extension of Dr. Beyah's work with Wi-Fi. It should help system admins keep their networks straight without the need for client-side apps.

pgit

I don't know where I got the habit, maybe because I hung around with a lot of scientific research-types in my youth. I learned early on that a lot of the folks on the cutting edge of science are very compartmentalized, the can't-see-the-forest-for-the-trees thing. I have an over active imagination and a capacity to understand the science. Throw in a healthy consideration of basic human nature and I can't help but see the worst case, pushed out into the future. I still appreciate the science, and have a ton of respect for the deep thinkers (and math speakers) of the world. I just hope maybe some of them will apply the lessons of history to the eventual deployment of their work. Einstein warned that just knowing we could make a nuclear weapon was more than enough 'deterrent,' and we certainly shouldn't actually build one. Unfortunately he was the only celebrity who could get away with such a public position. Many of those who built the bomb agreed with him, but had to keep it to themselves. If you were so much as suspected of thinking atomic weapons were a bad idea you were accused of being a commie. Today it's "terrorist," but same thing. Oddly, I am an optimist. I believe we can break the 'cycle of history' in my lifetime. It's a race, and a free and open, and anonymous where needed, internet is key.

Michael Kassner

We are dealing with that in MN. There is a huge sugar beet industry here and they are starting to introduce genetically-altered varieties, but only in some areas. The trouble is that it is impossible to contain the plants.

pgit

I don't blame inventors or theorists. The system around them is the problem, it has a tendency to place incentives on potential profit above all else, and there's a lot of profit to be had in tracking and controlling people these days. I know a person who started out her career doing the grunt work in laying the foundations of 'gene splicing.' She thought what she was doing was cool, cutting edge, high-tech, earth shattering and everything good. The work led to GMO frankenfoods. The evidence is clear that we don't want to be eating that stuff, and that it'll out compete natural, unmodified species in the wild. Too late, that genie is out of the bottle. There are some scientists claiming that we have just put an end to "natural selection" on planet earth. This woman quit the business in disgust after the first fruits of her labors became clear to her. At the time she was doing the work, it was pure theory, and all the banter was rosy; "this will provide cures for children with genetic diseases!" and the like. The reality planned for the technology was always quite different. Basically Monsanto wants to corner literally 100% of the base food supply planet wide. The genetic research, being done at a top shelf Ivy League university, was never about saving children, fixing prior wrongs (e.g. eliminate Dutch elm disease or similar) or any of the claptrap the public was fed, in order to sell the idea and keep progressing toward the real goal. Some scientists actually know their ultimate goal is evil, but rationalize that their part is pure theoretical science, or pure applied science. If they want to do the work at all they have to go along with the agenda. Those people you can blame. My friend you can not blame, she was totally clueless, but when she saw the bigger picture she quit and took up a new career. The way I see it, more often than not, since WWII and thereafter, "something huge" is thrust on humankind much to the detriment of the same.
"Something huge" that is good, yet is denied humankind, is denied because it would empower people over corporations, would cut into profit motives or marginalize established power centers. We are routinely denied technologies that would elevate all of humanity, in some cases just about overnight. It is unfortunate, but smart people are not immune to the follies of human nature. They get taken for a ride as often as the next guy. I've always tried to bridge that gap, try to get the people whose focus is on the minuscule to see the broader social, political and historical view, and the place of their work in the actual, rather than theoretical, context.

Michael Kassner

Is it right to blame inventors for how their inventions are used? At an early stage of research, are we capable enough to determine if it should be pursued or not? What if something huge is denied humankind? I wonder about these things.
