Wireless Security: Determining applications and characteristics of encrypted wireless traffic
Chris Hanks, CMPE 257, 3/17/2011

Introduction
- Several fundamental security mechanisms for restricting access to network resources rely on the ability of a reference monitor to inspect the contents of traffic as it traverses the network.
- As an administrator, you want to know the type of traffic in order to decide whether it is acceptable.
- As a user, you should know that someone can figure out what you are doing even if your traffic is encrypted.

Introduction (cont.)
- Traditional packet inspection does not work if the contents are encrypted: there are no port numbers or TCP flags to check.
- The same technique is also valuable when traffic is not encrypted but is being disguised as another type of traffic.
- What you can still observe is packet size, timing, and direction.

Experiment
- Traffic was gathered by capturing packets during five activities:
  - Skype with voice only (voip)
  - Skype with voice and video (video)
  - not actively doing anything (nothing)
  - standard work: web browsing, email, etc. (work)
  - a torrent download (torrent)
- While entire packets were captured, the only usable features were the inter-packet timing, the size, and the direction of the packets.

Traffic Classification
- Each trace (5 minutes) was split into several smaller epochs of constant length s = 10 seconds.
- Attempt 1: for each epoch, calculate the average number of packets and the average packet size, and the standard deviation of each. If a new epoch is within 2 standard deviations of the training data for both measurements, consider it a match.
- Attempt 2: count the number of packets of each type during each epoch, normalize the counts, and use k-NN with Kullback-Leibler distance. There are 4 types: small or not, inbound or outbound.

Traffic Classification (cont.)
- Construct a k-Nearest Neighbor (k-NN) classifier to assign a label to each epoch based on the number of packets of each type.
- To build the k-NN classifier, a random sample from the data set was used as a training set, labeled according to the earlier defined classification.
- To classify each new epoch, use Kullback-Leibler distance to determine which vectors in the training set are nearest to the vector of counts for the given epoch.

Results
[Chart: Attempt 1, within 2 std dev of size and frequency. Y axis: epochs matching training set (0-120). X axis: traces (voip, video, work, nothing, torrent). Series: voip1, video1, video3, work1.]

[Chart: Attempt 2, normalized traffic classification. Y axis: normalized fraction (0-0.9). X axis: epochs of voip1, video3, work1. Series: Small C2S, Small S2C, Big C2S, Big S2C.]

[Chart: k-NN classifier, k = 5, s = 10, 2 classes. Y axis: epochs matching (0-120). X axis: traces (voip, video, work, nothing, torrent). Series: Match voip, Match video.]

[Chart: k-NN classifier, k = 3, 5, 7, s = 10, 3 classes. Y axis: epochs matching (0-120). X axis: traces (voip, video, work, nothing, torrent). Series: Match voip, Match video, Match work, for each of k = 3, 5, 7.]
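Added example (not code from the slides): both attempts implemented end to end on constructed synthetic traces, so the epoch split, the four-bin size/direction histogram, the Kullback-Leibler nearest-neighbor vote, and the 2-standard-deviation check of Attempt 1 can be run and compared. The 200-byte small/big cut-off, the "c2s"/"s2c" direction labels, the epsilon smoothing that keeps KL finite for empty bins, and the packet rates and sizes of the synthetic voice and bulk-download traces are all assumptions of this demo; the slides do not state them.

```python
"""Epoch-based classification of encrypted traffic from packet size, direction
and timing only. Packets are (timestamp_seconds, size_bytes, direction) with
direction "c2s" or "s2c". Threshold, smoothing and synthetic traffic shapes
are assumptions for this example, not values from the slides."""
import math
import random
from collections import Counter

EPOCH_LEN = 10.0   # seconds, s = 10 as in the slides
SMALL_BYTES = 200  # assumed small/big cut-off
EPS = 1e-6         # assumed smoothing so KL divergence is finite for zero bins


def split_epochs(packets, epoch_len=EPOCH_LEN):
    """Group packets into consecutive fixed-length epochs (list of lists)."""
    if not packets:
        return []
    t0 = packets[0][0]
    buckets = {}
    for pkt in packets:
        buckets.setdefault(int((pkt[0] - t0) // epoch_len), []).append(pkt)
    return [buckets[i] for i in sorted(buckets)]


def type_histogram(epoch):
    """Attempt 2 feature: normalized counts of
    [small c2s, small s2c, big c2s, big s2c] for one epoch."""
    counts = [0, 0, 0, 0]
    for _, size, direction in epoch:
        counts[(0 if size <= SMALL_BYTES else 2) + (0 if direction == "c2s" else 1)] += 1
    total = sum(counts)
    return [c / total for c in counts] if total else [0.25] * 4  # empty epoch: uniform


def kl_distance(p, q):
    """Smoothed Kullback-Leibler divergence D(p || q)."""
    return sum((a + EPS) * math.log((a + EPS) / (b + EPS)) for a, b in zip(p, q))


def knn_label(hist, training, k=5):
    """Majority label among the k training vectors nearest under KL distance."""
    nearest = sorted(training, key=lambda item: kl_distance(hist, item[1]))[:k]
    return Counter(label for label, _ in nearest).most_common(1)[0][0]


def attempt1_profile(epoch_list):
    """Attempt 1 feature: (mean, std) of packets per epoch and of packet size."""
    counts = [len(e) for e in epoch_list]
    sizes = [size for e in epoch_list for _, size, _ in e]

    def mean_std(xs):
        m = sum(xs) / len(xs)
        return m, math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))
    return mean_std(counts), mean_std(sizes)


def attempt1_match(epoch, profile):
    """True if the epoch is within 2 std devs of the profile on both measures."""
    (count_mean, count_std), (size_mean, size_std) = profile
    n = len(epoch)
    avg_size = sum(size for _, size, _ in epoch) / n if n else 0.0
    return abs(n - count_mean) <= 2 * count_std and abs(avg_size - size_mean) <= 2 * size_std


# Constructed synthetic traces (not real captures); rates and sizes are assumptions.
def synth_voip(seed, seconds=60):
    """Small packets both ways, one pair every ~20 ms, like a voice call."""
    rng, pkts, t = random.Random(seed), [], 0.0
    while t < seconds - 0.1:
        pkts.append((t, rng.randint(60, 160), "c2s"))
        pkts.append((t + 0.005, rng.randint(60, 160), "s2c"))
        t += 0.02 + rng.uniform(-0.002, 0.002)
    return pkts


def synth_download(seed, seconds=60):
    """Large inbound segments with small outbound ACKs, like a bulk download."""
    rng, pkts, t = random.Random(seed), [], 0.0
    while t < seconds - 0.1:
        pkts.append((t, rng.randint(1200, 1500), "s2c"))
        if rng.random() < 0.5:
            pkts.append((t + 0.001, rng.randint(52, 80), "c2s"))
        t += 0.004 + rng.uniform(-0.001, 0.001)
    return pkts


def build_training(seed=1):
    """Label every epoch of a few constructed traces: the training set."""
    training = []
    for label, gen in (("voip", synth_voip), ("download", synth_download)):
        for i in range(3):
            training += [(label, type_histogram(e)) for e in split_epochs(gen(seed + i))]
    return training


def classify_trace(packets, training, k=5):
    """Attempt 2: a label for every epoch of an unseen trace."""
    return [knn_label(type_histogram(e), training, k) for e in split_epochs(packets)]


if __name__ == "__main__":
    training = build_training()
    print(classify_trace(synth_voip(99), training))
    print(classify_trace(synth_download(99), training))
    profile = attempt1_profile(split_epochs(synth_voip(1)))
    print([attempt1_match(e, profile) for e in split_epochs(synth_download(99))])
```

Two things worth noting when applying this to real captures: the KL divergence is undefined when the training vector has a zero bin the test vector does not, so some smoothing (here a constant epsilon) or a symmetric variant is needed in practice, and Attempt 1 compares a new epoch against a single per-trace mean and standard deviation, which is why an activity whose traffic is bursty (web browsing) produces a wide band that many unrelated epochs fall into.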