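BibTeX for papers by David Kotz; for complete/updated list see https://www.cs.dartmouth.edu/~kotz/research/papers.html

@comment{
  Conventions used in this file:
  - one field per line, lowercase field names, "Last, First" author form;
  - month given as the predefined BibTeX macro (jan..dec), never as a quoted word;
  - titles are NOT wrapped in an outer pair of braces so the style may apply
    its own casing; only acronyms and proper nouns are brace-protected;
  - copyright, numpages and abstract are non-standard fields that standard
    styles ignore; they are kept for the project's own web listing.
}

@techreport{bratus:fingerprint-tr,
  author      = {Bratus, Sergey and Cornelius, Cory and Peebles, Daniel and Kotz, David},
  title       = {Active Behavioral Fingerprinting of Wireless Devices},
  institution = {Dartmouth Computer Science},
  number      = {TR2008-610},
  address     = {Hanover, NH},
  year        = {2008},
  month       = mar,
  url         = {https://www.cs.dartmouth.edu/~kotz/research/bratus-fingerprint-tr/index.html},
  copyright   = {the authors},
  abstract    = {We propose a simple active method for discovering facts about the chipset, the firmware or the driver of an 802.11 wireless device by observing its responses (or lack thereof) to a series of crafted non-standard or malformed 802.11 frames. We demonstrate that such responses can differ significantly enough to distinguish between a number of popular chipsets and drivers. We expect to significantly expand the number of recognized device types through community contributions of signature data for the proposed open fingerprinting framework. Our method complements known fingerprinting approaches, and can be used to interrogate and spot devices that may be spoofing their MAC addresses in order to conceal their true architecture from other stations, such as a fake AP seeking to engage clients in complex protocol frame exchange (e.g., in order to exploit a driver vulnerability). In particular, it can be used to distinguish rogue APs from legitimate APs before association.},
}

@inproceedings{bratus:fingerprint,
  author      = {Bratus, Sergey and Cornelius, Cory and Kotz, David and Peebles, Dan},
  title       = {Active Behavioral Fingerprinting of Wireless Devices},
  booktitle   = {Proceedings of the {ACM} Conference on Wireless Network Security ({WiSec})},
  pages       = {56--61},
  publisher   = {ACM},
  year        = {2008},
  month       = mar,
  doi         = {10.1145/1352533.1352543},
  url         = {https://www.cs.dartmouth.edu/~kotz/research/bratus-fingerprint/index.html},
  copyright   = {ACM},
  abstract    = {We propose a simple active method for discovering facts about the chipset, the firmware or the driver of an 802.11 wireless device by observing its responses (or lack thereof) to a series of crafted non-standard or malformed 802.11 frames. We demonstrate that such responses can differ significantly enough to distinguish between a number of popular chipsets and drivers. We expect to significantly expand the number of recognized device types through community contributions of signature data for the proposed open fingerprinting framework. Our method complements known fingerprinting approaches, and can be used to interrogate and spot devices that may be spoofing their MAC addresses in order to conceal their true architecture from other stations, such as a fake AP seeking to engage clients in complex protocol frame exchange (e.g., in order to exploit a driver vulnerability). In particular, it can be used to distinguish rogue APs from legitimate APs before association.},
}

@inproceedings{bratus:streaming-poster,
  author      = {Bratus, Sergey and Brody, Joshua and Kotz, David and Shubina, Anna},
  title       = {Streaming Estimation of Information-theoretic Metrics for Anomaly Detection (Extended Abstract)},
  booktitle   = {Proceedings of the International Symposium on Recent Advances in Intrusion Detection--- Posters},
  series      = {Lecture Notes in Computer Science},
  volume      = {5230},
  pages       = {412--414},
  publisher   = {Springer-Verlag},
  address     = {Cambridge, MA},
  year        = {2008},
  month       = sep,
  doi         = {10.1007/978-3-540-87403-4_32},
  url         = {https://www.cs.dartmouth.edu/~kotz/research/bratus-streaming-poster/index.html},
  copyright   = {Springer},
  abstract    = {Information-theoretic metrics hold great promise for modeling traffic and detecting anomalies if only they could be computed in an efficient, scalable ways. Recent advances in streaming estimation algorithms give hope that such computations can be made practical. We describe our work in progress that aims to use streaming algorithms on 802.11a/b/g link layer (and above) features and feature pairs to detect anomalies.},
}

@inproceedings{deshpande:refocusing,
  author      = {Deshpande, Udayan and McDonald, Chris and Kotz, David},
  title       = {Refocusing in 802.11 Wireless Measurement},
  booktitle   = {Proceedings of the Passive and Active Measurement Conference ({PAM} 2008)},
  series      = {Lecture Notes in Computer Science},
  volume      = {4979},
  pages       = {142--151},
  publisher   = {Springer-Verlag},
  year        = {2008},
  month       = apr,
  doi         = {10.1007/978-3-540-79232-1_15},
  url         = {https://www.cs.dartmouth.edu/~kotz/research/deshpande-refocusing/index.html},
  copyright   = {Springer-Verlag},
  abstract    = {The edge of the Internet is increasingly wireless. To understand the Internet, one must understand the edge, and yet the measurement of wireless networks poses many new challenges. IEEE 802.11 networks support multiple wireless channels and any monitoring technique involves capturing traffic on each of these channels to gather a representative sample of frames from the network. We call this procedure \emph{channel sampling}, in which each sniffer visits each channel periodically, resulting in a sample of the traffic on each of the channels. \par This sampling approach may be sufficient, for example, for a system administrator or anomaly detection module to observe some unusual behavior in the network. Once an anomaly is detected, however, the administrator may require a more extensive traffic sample, or need to identify the location of an offending device. \par We propose a method to allow measurement applications to dynamically modify the sampling strategy, \emph{refocusing} the monitoring system to pay more attention to certain types of traffic than others. In this paper we show that refocusing is a necessary and promising new technique for wireless measurement.},
}

@article{sheng:map,
  author      = {Sheng, Yong and Chen, Guanling and Yin, Hongda and Tan, Keren and Deshpande, Udayan and Vance, Bennet and Kotz, David and Campbell, Andrew and McDonald, Chris and Henderson, Tristan and Wright, Joshua},
  title       = {{MAP}: A scalable monitoring system for dependable 802.11 wireless networks},
  journal     = {IEEE Wireless Communications},
  volume      = {15},
  number      = {5},
  pages       = {10--18},
  publisher   = {IEEE},
  year        = {2008},
  month       = oct,
  doi         = {10.1109/MWC.2008.4653127},
  url         = {https://www.cs.dartmouth.edu/~kotz/research/sheng-map/index.html},
  copyright   = {IEEE},
  abstract    = {Many enterprises have deployed 802.11 wireless networks for mission-critical operations; these networks must be protected for dependable access. This paper introduces project MAP, which includes a scalable 802.11 measurement system that can provide continuous monitoring of wireless traffic to quickly identify threats and attacks. We discuss the MAP system architecture, design decisions, and evaluation results from a real testbed.},
}

@inproceedings{sheng:spoofing,
  author      = {Sheng, Yong and Tan, Keren and Chen, Guanling and Kotz, David and Campbell, Andrew},
  title       = {Detecting 802.11 {MAC} Layer Spoofing Using Received Signal Strength},
  booktitle   = {Proceedings of the Annual Joint Conference of the {IEEE} Computer and Communications Societies ({INFOCOM})},
  pages       = {1768--1776},
  publisher   = {IEEE},
  year        = {2008},
  month       = apr,
  doi         = {10.1109/INFOCOM.2007.239},
  url         = {https://www.cs.dartmouth.edu/~kotz/research/sheng-spoofing/index.html},
  copyright   = {IEEE},
  abstract    = {MAC addresses can be easily spoofed in 802.11 wireless LANs. An adversary can exploit this vulnerability to launch a large number of attacks. For example, an attacker may masquerade as a legitimate access point to disrupt network services or to advertise false services, tricking nearby wireless stations. On the other hand, the received signal strength (RSS) is a measurement that is hard to forge arbitrarily and it is highly correlated to the transmitter's location. Assuming the attacker and the victim are separated by a reasonable distance, RSS can be used to differentiate them to detect MAC spoofing, as recently proposed by several researchers. \par By analyzing the RSS pattern of typical 802.11 transmitters in a 3-floor building covered by 20 air monitors, we observed that the RSS readings followed a mixture of multiple Gaussian distributions. We discovered that this phenomenon was mainly due to \emph{antenna diversity}, a widely-adopted technique to improve the stability and robustness of wireless connectivity. This observation renders existing approaches ineffective because they assume a single RSS source. We propose an approach based on Gaussian mixture models, building RSS profiles for spoofing detection. Experiments on the same testbed show that our method is robust against antenna diversity and significantly outperforms existing approaches. At a 3\% false positive rate, we detect 73.4\%, 89.6\% and 97.8\% of attacks using the three proposed algorithms, based on local statistics of a single AM, combining local results from AMs, and global multi-AM detection, respectively.},
}

@phdthesis{deshpande:thesis,
  author      = {Deshpande, Udayan},
  title       = {A Dynamically Refocusable Sampling Infrastructure for 802.11 Networks},
  school      = {Dartmouth College Computer Science},
  address     = {Hanover, NH},
  year        = {2008},
  month       = may,
  url         = {https://www.cs.dartmouth.edu/~kotz/research/deshpande-thesis/index.html},
  note        = {Available as Dartmouth Computer Science Technical Report TR2008-620},
  copyright   = {Udayan Deshpande},
  abstract    = {The edge of the Internet is increasingly wireless. Enterprises large and small, homeowners, and even whole cities have deployed Wi-Fi networks for their users, and many users never need to--- or never bother to--- use the wired network. With the advent of high-throughput wireless networks (such as 802.11n) some new construction, even of large enterprise buildings, may no longer be wired for Ethernet. To understand Internet traffic, then, we need to understand the wireless edge. Measuring Wi-Fi traffic, however, is challenging. It is insufficient to capture traffic in the access points, or upstream of the access points, because the activity of neighboring networks, ad hoc networks, and physical interference cannot be seen at that level. To truly understand the MAC-layer behavior, we need to capture frames from the air using Air Monitors (AMs) placed in the vicinity of the network. Such a capture is always a sample of the network activity, since it is physically impossible to capture a full trace: all frames from all channels at all times in all places. We have built a monitoring infrastructure that captures frames from the 802.11 network. This infrastructure includes several ``channel sampling'' strategies that will capture representative traffic from the network. Further, the monitoring infrastructure needs to modify its behavior according to feedback received from the downstream consumers of the captured traffic in case the analysis needs traffic of a certain type. We call this technique ``refocusing''. The ``coordinated sampling'' technique improves the efficiency of the monitoring by utilizing the AMs intelligently. Finally, we deployed this measurement infrastructure within our Computer Science building to study the performance of the system with real network traffic.},
}

@inproceedings{deshpande:coordinated,
  author      = {Deshpande, Udayan and McDonald, Chris and Kotz, David},
  title       = {Coordinated Sampling to Improve the Efficiency of Wireless Network Monitoring},
  booktitle   = {Proceedings of the {IEEE} International Conference on Networks ({ICON})},
  pages       = {353--358},
  publisher   = {IEEE},
  year        = {2007},
  month       = nov,
  doi         = {10.1109/ICON.2007.4444112},
  url         = {https://www.cs.dartmouth.edu/~kotz/research/deshpande-coordinated/index.html},
  copyright   = {IEEE},
  abstract    = {Wireless networks are deployed in home, university, business, military and hospital environments, and are increasingly used for mission-critical applications like VoIP or financial applications. Monitoring the health of these networks, whether it is for failure, coverage or attacks, is important in terms of security, connectivity, cost, and performance. \par Effective monitoring of wireless network traffic, using commodity hardware, is a challenging task due to the limitations of the hardware. IEEE 802.11 networks support multiple channels, and a wireless interface can monitor only a single channel at one time. Thus, capturing all frames passing an interface on all channels is an impossible task, and we need strategies to capture the most representative sample. \par When a large geographic area is to be monitored, several monitoring stations must be deployed, and these will typically overlap in their area of coverage. The competing goals of effective wireless monitoring are to capture as many frames as possible, while minimizing the number of those frames that are captured redundantly by more than one monitoring station. Both goals may be addressed with a sampling strategy that directs neighboring monitoring stations to different channels during any period. To be effective, such a strategy requires timely access to the nature of all recent traffic. \par We propose a coordinated sampling strategy that meets these goals. Our implemented solution involves a central controller considering traffic characteristics from many monitoring stations to periodically develop specific sampling policies for each station. We demonstrate the effectiveness of our coordinated sampling strategy by comparing it with existing independent strategies. Our coordinated strategy enabled more distinct frames to be captured, providing a solid foundation for focused sampling and intrusion detection.},
}

@inproceedings{deshpande:sampling,
  author      = {Deshpande, Udayan and Henderson, Tristan and Kotz, David},
  title       = {Channel Sampling Strategies for Monitoring Wireless Networks},
  booktitle   = {Proceedings of the International Workshop on Wireless Network Measurement ({WiNMee})},
  numpages    = {7},
  publisher   = {IEEE},
  year        = {2006},
  month       = apr,
  doi         = {10.1109/WIOPT.2006.1666486},
  url         = {https://www.cs.dartmouth.edu/~kotz/research/deshpande-sampling/index.html},
  copyright   = {IEEE},
  abstract    = {Monitoring the activity on an IEEE 802.11 network is useful for many applications, such as network management, optimizing deployment, or detecting network attacks. Deploying wireless sniffers to monitor every access point in an enterprise network, however, may be expensive or impractical. Moreover, some applications may require the deployment of multiple sniffers to monitor the numerous channels in an 802.11 network. In this paper, we explore sampling strategies for monitoring multiple channels in 802.11b/g networks. We describe a simple sampling strategy, where each channel is observed for an equal, predetermined length of time, and consider applications where such a strategy might be appropriate. We then introduce a sampling strategy that weights the time spent on each channel according to the number of frames observed on that channel, and compare the two strategies under experimental conditions.},
}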