Researcher fingerprints networks to find rogue hardware

Unauthorized devices are the bane of network admins. New technology based on digital fingerprinting might offer some relief.

Finding a rogue access point is tough. Every time I get asked to help locate one, I turn to the Internet hoping to find a miracle cure. I'm tired of looking like some nut case, running around pointing a weird-looking antenna at everyone.

Things are looking up.

Raheem Beyah, Associate Professor of Computer Science at Georgia State University received a huge grant from DARPA for a project called: Network Intrusion Detection Using Hardware Signatures. With it, Dr. Beyah intends to:

  • Create a hardware signature for each device by studying the packets they generate.
  • Develop an Intrusion Detection System (IDS) prototype employing hardware-signatures.
  • Investigate how to secure networks from threats involving unauthorized devices.

The professor and his team already accumulated significant experience with Wi-Fi networks: A Passive Approach to Wireless Device Fingerprinting.

After reading the paper I was still at a loss. I did not see how each and every networked device could have a unique digital fingerprint. The only way I know to fix that is to ask questions. Dr. Beyah, a busy educator, was gracious enough to explain.

Kassner: Wikipedia defines device fingerprinting as:

"A compact summary of software and hardware settings collected from a remote computing device."

What do you consider to be digital fingerprinting?

Beyah: First of all Michael, thank you for taking the time to ask questions about the project.

Digital fingerprinting can take on many different meanings. My research focuses on the pointed question of: What do you consider to be device fingerprinting?

I would define device fingerprinting as methods used to identify specific devices or types of devices by using information that is "leaked" from the device.

The leaked information can be an indicator of the device's software (e.g., operating system, firmware, or drivers) or its hardware (i.e., hardware composition). The key is to fuse the various pieces of leaked information to come up with an identifier that is very difficult for an adversary to subvert.

Kassner: I've read fingerprinting can be passive (listening) or done actively (handshake with the device). What are the advantages of each? Which approach do you use? Beyah: Active approaches usually entail interrogating a node with various types of packets. These packets may vary in size and can be either legitimate or malformed. The goal of active techniques is to trigger a response that is unique to the device that is being fingerprinted.

Passive techniques are often more desirable to the fingerprinter, however they usually give less information about a node than their active counterparts. Generally, passive approaches do not inject any stimulant into the system of interest.

Rather they capture data silently with the goal of not alerting or disturbing the system under surveillance. The data is analyzed to reveal patterns that are unique to the system of interest. We use a combination of active and passive approaches, although most of our work is passive.

Kassner: In the paper, you mention IAT is the parameter used to identify the networked device. I'm not familiar with IAT. What does the acronym stand for and why does it works as a fingerprint? Beyah: IAT stands for inter-arrival time. When considering IAT in the context of computer-network traffic, it describes the time between successive packets sent or received by a node.

IAT is an interesting metric and can describe many different aspects of a system or network. For example, IAT has been used by researchers to determine which links are bottlenecks in the Internet. It has also been used to determine the type of link used to access a network (e.g., a wireless network link or a wired network link).

In the most basic scenario, the difference between two successive packets (i.e., IAT) gives you information about the system the packets traversed. If several IAT values differ, this can indicate that the state of the system (e.g., the network, a device) the packets traversed may have changed in some form.

Based on the interpretation of these IAT fluctuations, various characteristics of the system of interest may be inferred. For example, if the IAT fluctuations for a specific device were predictable and different from other devices, then those fluctuations can be used to fingerprint devices.

Another way of putting it is that the information describing the system and its state is leaked through the IAT. The challenge is then to determine a way to extract the information buried in a series of IAT values (i.e., a time series). Normally, various statistical and signal processing techniques are used for this.

Kassner: Wikipedia mentions that digital fingerprints need diversity (no two devices have the same fingerprint) and stability (the fingerprint remains the same over time). It is hard to imagine that each individual device can be differentiated. How is that possible? Beyah: I agree that it's hard to imagine that devices can have a unique fingerprint. I'm sure many said the same thing about humans before identifiers like DNA, human fingerprints, and retinal scanning were used.

For device fingerprinting, our hypothesis is that network packets are a function of the composition (i.e., the architecture) of the devices that generate them just as voices are a function of the composition (e.g., larynx, vocal cords) of the particular human that generates it.

Also, if you dig a bit deeper, you will find that there are enough manufacturing process variations across integrated circuits (intended to be identical) to uniquely characterize each integrated circuit. Researchers have used this concept in the past to perform various levels of authentication for field programmable gate arrays (FPGAs).

The challenge then lies in extracting these minute differences. We are trying to use various techniques to detect these differences and also to understand the limits of such techniques.

Kassner: It seems that digital fingerprinting is not the end purpose, but the means to achieve it. What is your goal? Beyah: At a fundamental level, our goal is to understand and characterize the interplay between the architecture of a system and the network to which the system is connected. Fingerprinting is one important application of the fundamental idea that the network can be viewed as an extension of a computing device.

One long-term goal for our fingerprinting work is to have a unique and irrefutable identifier for every device that is attached to any type of network. This will help make our networks more secure.

Kassner: Earlier, you mentioned using techniques similar to human-speech identification. Could you please go into more detail? Beyah: Sure. We believe there is a parallel between human-voice creation and device-packet creation. The general idea is that both humans and computing devices are compound entities.

Further, for both humans and computing devices to communicate (i.e., speaking for humans and sending packet for computing devices), a complex set of interactions between multiple internal components has to occur. These interactions and the components themselves leave their mark on the resulting communication.

As a result, this unique mark can be detected externally for humans by using various speaker-identification techniques or externally for computing devices using various device-identification techniques.

Kassner: What do you envision this device/technology doing once it locates an unauthorized device attached to the network? Beyah: This is beyond the scope of this current project, but one could certainly imagine a system that could signal a network switch to disable the port to which the rogue is attached.

Another action could be to signal various intrusion detection systems to monitor the rogue device, its actions, and communication pattern more closely in hopes of gaining enough information to track down the intruder.

Kassner: Would it be possible for this approach to determine the make and model of networked devices and to be used for inventory purposes? Beyah: Absolutely. This is one goal of this work. There certainly doesn't have to be an active threat for this work to be relevant. Network management is often as difficult as securing the network.

Final thoughts

I see a lot of promise for this type of fingerprinting technology. Especially, when Dr. Beyah mentioned it will likely be passive in nature. I forgot to ask when it will be available, I hope sooner than later.

A special thanks to an unbelievably busy Dr. Beyah for his willingness to help.