MAP (Measure, Analyze, Protect) project (2005-2008)

This project is no longer active; this page is no longer updated.

• Overview
• People
• Press
• Sponsor
• Papers (others)
• Papers (Kotz)

Related projects: [DIST], [NetSANI], [Wi-Fi-measurement]

Related keywords: [security], [wifi]

Overview: Security through measurement for wireless LANs

Wireless networks are pervasive, but concerns remain about their security. In the MAP (Measure, Analyze, Protect) project we developed methods for large-scale monitoring and real-time analysis of Wi-Fi network traffic to identify attacks on the network. Specifically, the MAP effort focused on attacks that disable the network, denying access to legitimate clients or reducing the quality of their network performance. The MAP papers provide effective mechanisms for sampling network traffic using sniffers placed throughout the enterprise, a new way to detect whether a given client MAC address is being "spoofed" by an attacker node, and new methods for active fingerprinting of wireless devices.

The following was written during the project in 2005-07.

With the rise of Voice over wireless LAN (VoWLAN), any complete WiFi security solution must address denial of service attacks, such as kicking off other clients, consuming excessive bandwidth, or spoofing access points, to the detriment of legitimate clients. Even an authorized client may be able to sufficiently disrupt service quality to make the network ineffective for legitimate clients.

We take a three-point, MAP (Measure, Analyze, Protect) approach to develop an integrated and extensible framework to address existing and future attacks on WiFi networks. Specifically, we focus our efforts on an integrated set of new components that allow a WiFi network operator to measure and analyze WiFi and VoWLAN activity, and in real-time to identify and defend against MAC-layer attacks on that infrastructure. Our plan includes three overlapping phases: research, prototype development, and deployment on a large portion of Dartmouth's campus-wide wireless network.

Measurement: we have developed novel and scalable techniques to collect multi-channel MAC-layer traces of the environment, building on our wireless-measurement infrastructure. Our independant and coordinated channel sampling strategies dynamically adapt to current channel conditions. These are augmented by our refocusing mechanism which takes input from the analysis engines to further improve relevant frame capture.

Analysis: We have developed novel anomaly and signature detection techniques. Our MAC spoofing detection algorithm is based on RSSI observed at the air monitors.

Protection: we aim to develop a policy-driven protection engine that leverages existing defense mechanisms; the R&D challenge here is to integrate them into our analysis framework and to evaluate the impact of automated defenses on well-behaved users in a network.

Deployment:

Novelty:

We plan significant, novel extensions to existing technology; these techniques have never been applied to WiFi networks, to VoWLAN applications, or at the scale necessary for large deployment. Our integrated end-to-end MAP approach is new, and our proposed campus-wide deployment is unprecedented in scope and scale.

Our MAP approach provides a new foundation for wireless network security, able to dynamically measure, analyze and protect a WiFi network against existing and novel threats, including rogue clients and access points, with a focus on VoWLAN use cases.

People

Andrew Campbell, Guanling Chen, Udayan Deshpande, Tristan Henderson, David Kotz, Michael Locasto, Chris McDonald, Yong Sheng, Keren Tan, Bennet Vance, Joshua Wright, Bo Yan, Hongda Yin.

Sponsor

Sponsored by HSARPA as part of the Cyber Security Research and Development (CSRD) program

Papers

• Bo Yan and Guanling Chen. Model-based Fault Diagnosis for IEEE 802.11 Wireless LANs. In Proceedings of the Sixth Annual International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (MobiQuitous), July, 2009.
• Yuan Song, Xian Chen, Yoo-Ah Kim Bing Wang, and Guanling Chen. Sniffer Channel Selection for Monitoring Wireless LANs. In Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications (WASA), August, 2009.
• Guanling Chen, Jie Wang, Bo Yan, and Hongda Yin. Robust Detection of Unauthorized Wireless Access Points. Mobile Networks and Applications (MONET), In Press. DOI 10.1007/s11036-008-0109-6. Copyright © 2008 by Springer.
• Hongda Yin, Guanling Chen, and Jie Wang. Detecting Protected Layer-3 Rogue APs. In Proceedings of the Fourth International Conference on Broadband Communications, Networks, and Systems (IEEE BROADNETS 2007), Raleigh, NC, USA.
• Douglas Madory. New Methods of Spoof Detection in 802.11b Wireless Networking. M.S. thesis, Dartmouth College, June 2006.

Papers with Kotz as co-author (tagged 'map')

[Also available in BibTeX]

Papers are listed in reverse-chronological order. Follow updates with RSS.

2008:

• Yong Sheng, Guanling Chen, Hongda Yin, Keren Tan, Udayan Deshpande, Bennet Vance, David Kotz, Andrew Campbell, Chris McDonald, Tristan Henderson, and Joshua Wright. MAP: A scalable monitoring system for dependable 802.11 wireless networks. IEEE Wireless Communications, volume 15, number 5, pages 10–18. IEEE, October 2008. doi:10.1109/MWC.2008.4653127. [Details]
• Sergey Bratus, Joshua Brody, David Kotz, and Anna Shubina. Streaming Estimation of Information-theoretic Metrics for Anomaly Detection (Extended Abstract). Proceedings of the International Symposium on Recent Advances in Intrusion Detection--- Posters, volume 5230 in Lecture Notes in Computer Science, pages 412–414. Springer-Verlag, Cambridge, MA, September 2008. doi:10.1007/978-3-540-87403-4_32. [Details]
• Udayan Deshpande. A Dynamically Refocusable Sampling Infrastructure for 802.11 Networks. PhD thesis, Dartmouth College Computer Science, Hanover, NH, May 2008. Available as Dartmouth Computer Science Technical Report TR2008-620. [Details]
• Udayan Deshpande, Chris McDonald, and David Kotz. Refocusing in 802.11 Wireless Measurement. Proceedings of the Passive and Active Measurement Conference (PAM 2008), volume 4979 in Lecture Notes in Computer Science, pages 142–151. Springer-Verlag, April 2008. doi:10.1007/978-3-540-79232-1_15. [Details]
• Yong Sheng, Keren Tan, Guanling Chen, David Kotz, and Andrew Campbell. Detecting 802.11 MAC Layer Spoofing Using Received Signal Strength. Proceedings of the Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), pages 1768–1776. IEEE, April 2008. doi:10.1109/INFOCOM.2007.239. [Details]
• Sergey Bratus, Cory Cornelius, Daniel Peebles, and David Kotz. Active Behavioral Fingerprinting of Wireless Devices. Technical Report number TR2008-610, Dartmouth Computer Science, Hanover, NH, March 2008. [Details]
• Sergey Bratus, Cory Cornelius, David Kotz, and Dan Peebles. Active Behavioral Fingerprinting of Wireless Devices. Proceedings of the ACM Conference on Wireless Network Security (WiSec), pages 56–61. ACM, March 2008. doi:10.1145/1352533.1352543. [Details]

2007:

• Udayan Deshpande, Chris McDonald, and David Kotz. Coordinated Sampling to Improve the Efficiency of Wireless Network Monitoring. Proceedings of the IEEE International Conference on Networks (ICON), pages 353–358. IEEE, November 2007. doi:10.1109/ICON.2007.4444112. [Details]

2006:

• Udayan Deshpande, Tristan Henderson, and David Kotz. Channel Sampling Strategies for Monitoring Wireless Networks. Proceedings of the International Workshop on Wireless Network Measurement (WiNMee), 7 pages. IEEE, April 2006. doi:10.1109/WIOPT.2006.1666486. [Details]

[Kotz research]