Disambiguation of Residential Wired and Wireless Access in a Forensic Setting
Sookhyun Yang, Jim Kurose, Brian Neil Levine
University of Massachusetts Amherst
shyang@cs.umass.edu
This research is supported by NSF awards CNS-0905349 and CNS-1040781.

Outline
• Introduction
• Problem Statement
• Experimental Methodology
• Classification Results
• Conclusion
Illegal Content Distributed via P2P from a Known Location
[Diagram: a law enforcement peer joins the P2P network alongside other peers and the illegal content distributor (e.g., CP), who sits behind a wireless router. Step 1: the public IP address. Step 2: the known sender location, with the open question "wired or wireless access?" and the resident's objection "Someone used my open Wi-Fi!"]
Challenge: "Can we legally determine that a suspect used wired access, thus making the resident user more likely to be a responsible party?"
Can We Intercept Data at Intermediate Nodes?
[Diagram: law enforcement intercepts data via a sniffer at routers between the illegal content distributor's wireless router and the receiving peer.]
No, law enforcement cannot legally take traces at intermediate nodes without a warrant or wiretap.
• Reasonable expectation of privacy (REP) for the sources of data.
• The Wiretap Act and the Pen Register statute.
Can We Intercept Data as a Peer?
[Diagram: law enforcement participates as a peer in the P2P network and receives data directly from the illegal content distributor behind the wireless router.]
Yes, measurements taken at a peer, before a warrant, are legal!
• Users of P2P file sharing networks have no "reasonable expectation of privacy".
• Software designed for law enforcement to monitor P2P activity does not violate US 4th Amendment protections.
Our Problem Setting
Challenge: can we classify the access network type of a target sender using remotely measured P2P traces?
[Diagram: the target device connects either over Ethernet or through a Wi-Fi AP to a cable modem, then across the cable network and the Internet to the law enforcement peer, which must answer "wired access?"; question marks mark the unknown residential factors along the path.]
Challenge in this forensic setting: hidden and unknown residential factors can affect classification results.
Our Contribution
See Tech. Rep. UM-CS-2013-001, Dept. of CS, UMass Amherst.
• Investigate the performance of several wired-vs-wireless classification algorithms in various home network scenarios.
• Observe how several scenario factors affect classifier performance:
  • Single flow vs. multiple flows from a target.
  • Operating systems.
  • P2P application rate limit.
  • Wireless channel contention.
• Explain when, why and how the classifier works reliably or poorly.
Diversely Emulated P2P Traces in Controlled Settings
[Diagram: the target device in a house near UMass sends over 802.11g or 1 Gbps Ethernet through a Wi-Fi AP and cable modem, across the cable network and the Internet, to remote collection servers at UMass and Purdue. A wired sniffer sits at the house, less than 1 m from the target device (the worst case).]
• Remotely collecting pairs of wired and wireless datasets.
• Single full-rate TCP flow vs. multiple TCP flows.
• 802.11g or 1 Gbps Ethernet.
• Host-side factors (Linux vs. Windows XP) vs. cable network effects (different times and houses).
• The wired sniffer measurements at the house help us explain and understand classification, but are NOT used in classification.
Classification Procedure
• Classification features:
  • 25th, 50th, 75th percentiles and entropy of the packet inter-arrival time distribution for each dataset.
• We train and cross-validate decision tree, logistic regression, SVM, and EM classifiers.
• Classification performance metrics:
  • TPR (True Positive Rate).
  • FPR (False Positive Rate).
  • FPR ≤ 0.10 and TPR ≥ 0.90 are acceptable classification results.
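The feature vector and the acceptance criterion from this slide, as an added example that is not the authors' code: the packet timestamps, the 5 ms histogram bin used for the entropy, and the label/prediction lists are constructed assumptions for illustration, not values from the UMass traces.

```python
import math

# Constructed sample: packet arrival timestamps in milliseconds, as the remote
# law-enforcement peer would record them for one TCP flow from the target.
SAMPLE_ARRIVALS_MS = [0, 12, 25, 36, 50, 61, 73, 85,
                      120, 131, 142, 155, 166, 178, 240, 251]


def inter_arrival_times(arrivals):
    """Differences between consecutive packet timestamps."""
    return [b - a for a, b in zip(arrivals, arrivals[1:])]


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a list of values."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def entropy(values, bin_width):
    """Shannon entropy (bits) of a fixed-width histogram of the values."""
    counts = {}
    for v in values:
        b = int(v // bin_width)
        counts[b] = counts.get(b, 0) + 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def feature_vector(arrivals, bin_width_ms=5):
    """The four slide features computed from one flow's timestamps."""
    iat = inter_arrival_times(arrivals)
    return {"p25": percentile(iat, 25), "p50": percentile(iat, 50),
            "p75": percentile(iat, 75), "entropy": entropy(iat, bin_width_ms)}


def tpr_fpr(labels, predictions):
    """labels/predictions: True = wired, False = wireless. Returns (TPR, FPR)."""
    pairs = list(zip(labels, predictions))
    tp = sum(1 for l, p in pairs if l and p)
    fn = sum(1 for l, p in pairs if l and not p)
    fp = sum(1 for l, p in pairs if not l and p)
    tn = sum(1 for l, p in pairs if not l and not p)
    return tp / (tp + fn), fp / (fp + tn)


def acceptable(tpr, fpr):
    """The slide's acceptance criterion: TPR >= 0.90 and FPR <= 0.10."""
    return tpr >= 0.90 and fpr <= 0.10
```

The two large gaps in the constructed sample (35 ms and 62 ms) land in their own histogram bins, which is what raises the entropy feature relative to a steady wired burst.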
Single-flow Classification Results
[Figure: single-flow TPR/FPR results (plot not recoverable).]
Accurate classification is difficult in single full-rate flow cases.
Multiple-flow Classification Results
[Figure: multiple-flow TPR/FPR results (plot not recoverable).]
Multiple-flow cases can show better classification results than single full-rate flow cases.
Classification: Insight into How It Works
[Diagram: packets leave the target device under the 802.11 or Ethernet access protocol, pass through the Wi-Fi AP and cable modem under the cable network access protocol, and arrive at the UMass server; packet inter-arrival times are shown before and after the cable network.]
Key insight: classify at the receiver using packet inter-arrival times from the sender that were not significantly changed by the cable network access protocol or by a network at the sender.
Discussion
See Tech. Rep. UM-CS-2013-001, Dept. of CS, UMass Amherst.
• Classification features showing acceptable results are different for Linux and Windows XP.
  • Windows's small 8 KB TCP send buffer.
  • This is also found in other Windows versions.
• Single full-rate flow vs. multiple flows.
  • A flow generated alongside multiple competing flows from a target would be less affected by a cable network.
Conclusion
• We justified our trace-gathering method's legality based on US law.
• We proposed a classifier for determining whether a target used wired or wireless access.
• Through extensive experimentation, we determined the scenarios where the classifier works reliably.
• Traces: traces.cs.umass.edu.
Open Questions
• Other hidden or unknown residential factors:
  • Mac OS.
  • 802.11n, MIMO.
  • Modified TCP implementations.
  • Multiple flows across multiple sites.
  • Long-term traces.

End
Questions or comments welcome!