Null Data Frame - IEEE Xplore

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 21, NO. 7, JULY 2010    897

Null Data Frame: A Double-Edged Sword in IEEE 802.11 WLANs

Wenjun Gu, Zhimin Yang, Dong Xuan, Member, IEEE, Weijia Jia, Senior Member, IEEE, and Can Que

Abstract—Null data frames are a special but important type of frame in IEEE 802.11 WLANs. They are widely used in 802.11 WLANs for control purposes such as power management, channel scanning, and association keeping alive. The wide applications of null data frames come from their salient features, such as their lightweight frame format and implementation flexibility. However, such features can be taken advantage of by malicious attackers to launch a variety of attacks on 802.11 WLANs. In this paper, we identify potential security vulnerabilities in current null data frame applications in 802.11 WLANs. We then study in detail two types of attacks taking advantage of these vulnerabilities, namely the functionality-based Denial-of-Service attack and the implementation-based fingerprinting attack, and evaluate their effectiveness based on extensive experiments. Furthermore, we design and implement novel defense mechanisms against the attacks and evaluate their effectiveness, again based on extensive experiments. Although our proposed defenses help alleviate the vulnerabilities, completely eliminating the vulnerabilities brought by null data frames remains an open issue. Finally, we point out that our work has broader impact in that similar vulnerabilities exist in many other networks due to the adoption of simple and lightweight messages for control purposes.

Index Terms—Security, wireless local area network.

1 INTRODUCTION

IEEE 802.11 WLANs are widely deployed nowadays in airports, Starbucks, universities, and even whole cities [1]. Such wide deployment is due to the fact that 802.11 WLANs offer the convenience of user mobility and cost-effectiveness/flexibility in network deployment. It is believed that 802.11 WLANs will keep playing a major role in wireless communications. Null data frames are a special but important type of frame in 802.11 WLANs. They are a special type of data frame whose Frame Body field is empty, and they are the only type of frame in 802.11 WLANs whose usage is not explicitly specified in the IEEE 802.11 standard [2]. However, in real NIC implementations, they are used in a wide variety of applications, including power management, channel scanning, and association keeping alive. When used for power management and channel scanning, a single bit in the null data frame denotes the state switching of a station between active and sleeping states. On the other hand, when used for association keeping alive, the null data frame as a whole notifies the access point of the existence of the station during idle periods. Such wide applications of null data frames come from their salient features, such as their lightweight frame format and implementation flexibility.

. W. Gu, Z. Yang, and D. Xuan are with the Department of Computer Science and Engineering, The Ohio State University, 395 Dreese Laboratories, 2015 Neil Avenue, Columbus, OH 43210-1277. E-mail: {gu.36, yang.1070}@osu.edu, [email protected].
. W. Jia and C. Que are with the Department of Computer Science, City University of Hong Kong, 83 Tat Chee Ave., Kowloon, Hong Kong, SAR China. E-mail: [email protected], [email protected].
Manuscript received 12 Oct. 2008; revised 19 May 2009; accepted 2 June 2009; published online 9 June 2009. Recommended for acceptance by M. Singhal. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number TPDS-2008-10-0412. Digital Object Identifier no. 10.1109/TPDS.2009.96.
1045-9219/10/$26.00 © 2010 IEEE

Null data frames are lightweight as they are short in size and unencrypted. Therefore, generating and processing these frames incurs little overhead. Null data frames allow implementation flexibility due to the lack of standardization in the IEEE 802.11 standard [2]. Thus, protocol designers have the freedom to apply them wherever applicable. However, we find that these salient features do not come for free. Being short and unencrypted, null data frames can easily be forged at low overhead to conduct a variety of spoofing attacks. On the other hand, being flexible in implementation, different vendors have applied null data frames in different applications. Besides, even for a single application such as power management, null data frames are used dramatically differently by different vendors. The existence of such implementation variations allows a fingerprinting attack to track a device/user based on its unique set of behaviors in null data frame usage, even if camouflaging techniques are applied to MAC and IP addresses. Personal privacy will be compromised under such an attack. In short, the salient features of null data frames act as a double-edged sword. While they allow efficient application implementations, they unfortunately reveal many security vulnerabilities. The root of these security vulnerabilities is the fact that, during protocol design, security is not given as much consideration as functionality and performance. In this paper, we study two types of attacks on existing applications of null data frames in 802.11 WLANs based on the security vulnerabilities identified above. First, we study functionality-based Denial-of-Service attacks. In these attacks, the attacker spoofs the identity of the victim station and sends fake null data frames to disrupt the intended functionalities of null data frames. There are two attack instances here.
In the state-switching-based DoS attack, the attacker spoofs the identity of a victim station when it switches to sleeping state (in power management) or to another channel (in channel scanning), and fetches all buffered frames of the victim station, causing continuous data losses. In the association-keeping-alive-based DoS attack, the attacker establishes a large number of dummy associations with the access point in a public-access 802.11 WLAN and keeps these associations alive with null data frames. In this way, other stations cannot associate with the access point. Second, we study the implementation-based fingerprinting attack. In this attack, the attacker takes advantage of implementation variations of null data frames and correlates the frames sent from seemingly different stations by their unique behaviors in using null data frames. Our attack can be combined with existing fingerprinting techniques to achieve higher fingerprinting accuracy and compromise user privacy. Based on extensive experiments, we find that the above attacks are effective in achieving their respective goals. We also propose preliminary defenses to alleviate the vulnerabilities. However, completely eliminating the vulnerabilities brought by null data frames remains an open issue. Finally, we point out that our work has broader impact in that similar vulnerabilities exist in many other networks due to the adoption of simple and lightweight messages for control purposes.

We point out that we have done prior work on security vulnerabilities of null data frames in 802.11 WLANs in [3]. However, this work extends our prior work in the following aspects. In [3], we focus on the attack implementation and only discuss preliminary defense mechanisms. In this paper, we design novel defense mechanisms against the attacks. We implement our defense and evaluate its effectiveness via extensive experiments. Besides, in this work, we further study the attack impact via more experiments. We test user experience, conduct more experiments under various access point/NIC configurations, and obtain more interesting findings based on experiments/traces.

Fig. 1. IEEE 802.11 data frame format [2].
The remainder of the paper is organized as follows: In Section 2, we discuss the frame format and applications of null data frames in 802.11 WLANs. In Section 3, we identify two types of security vulnerabilities in current applications of null data frames in 802.11 WLANs. In Sections 4 and 5, we study in detail the functionality-based Denial-of-Service attacks and the implementation-based fingerprinting attack, respectively, based on extensive experiments. Preliminary defenses are proposed and evaluated as well. In Section 6, we further study the fundamental trade-off of null data frames in 802.11 WLANs and the similar trade-offs of other simple and lightweight messages used for control purposes in many network protocols. We discuss related work in Section 7, and finally conclude the paper in Section 8.

2 PRELIMINARIES OF NULL DATA FRAMES

2.1 Frame Format

In Fig. 1, we show the general IEEE 802.11 data frame format. Null data frames are a special type of data frame where the Frame Body field is empty. The Duration/ID field in null data frames denotes the number of microseconds that the medium is expected to be busy; it is also called the NAV value. All stations should monitor this field of all received frames and refrain from interfering with the communications of other stations. The four Address fields denote the MAC addresses of the receiver, the transmitter, the destination, and the source. Depending on the scenario, the number of address fields actually used varies. In null data frames, only two Address fields are used: the addresses of the receiver (i.e., the access point) and the transmitter (i.e., the station). The sequence control (Seq-ctl) field consists of two parts: the sequence number and the fragment number. The sequence number increments sequentially and is used to detect lost or unordered frames. The fragment number is used to order the fragments of a single packet whose size exceeds the maximum allowed in 802.11 WLANs. The frame check sequence (FCS) field is used for frame integrity checking and is calculated over the whole frame. In the following, we discuss the Frame Control field in detail.

Fig. 2. Frame Control field in the IEEE 802.11 data frame [2].

In the Frame Control field shown in Fig. 2, the Protocol field denotes the version of the 802.11 MAC. The Type and Subtype fields denote the type of the frame. The ToDS and FromDS fields denote whether the frame is sent to or from the distribution system, respectively, and are set to 1 and 0, respectively, in null data frames. The MoreFrag field denotes whether there are more fragments in the current packet; it is 0 in null data frames. The Retry field denotes whether the frame is a retransmitted one. The PwrMgmt field denotes the power saving state. The station sets this bit to 1 if it plans to switch to sleeping state after this frame, and sets it to 0 if it decides to switch to or stay in active mode. The MoreData field denotes whether there are more buffered data. The ProtectedFrame field denotes whether encryption is applied to the frame body. Since a null data frame has no frame body, this bit is set to 0. The Order field denotes whether strict frame ordering is applied.
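To make the field layout concrete, here is an added example (not the paper's code) that parses the three-address data frame header described above, checks the FCS, and verifies the field values the text gives for a station-to-AP null data frame. The MAC addresses and the sample frame are constructed, and the FCS check is deliberately kept apart from any notion of authenticity, since the text notes these frames are unencrypted.

```python
# Parser for the 802.11 MAC header fields of Section 2.1 (added example, not the
# paper's code). The sample frame and MAC addresses below are constructed.
import struct
import zlib

TYPE_DATA = 2     # Frame Control Type value for data frames
SUBTYPE_NULL = 4  # Subtype "Null function (no data)"


def parse_frame_control(fc: int) -> dict:
    """Split the 16-bit Frame Control field into the flags of Fig. 2."""
    return {
        "protocol": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "more_frag": (fc >> 10) & 1,
        "retry": (fc >> 11) & 1,
        "pwr_mgmt": (fc >> 12) & 1,
        "more_data": (fc >> 13) & 1,
        "protected": (fc >> 14) & 1,
        "order": (fc >> 15) & 1,
    }


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_data_frame(frame: bytes) -> dict:
    """Parse a data frame (MAC header, body, FCS) into its fields.

    The FCS catches transmission errors only. Whoever can inject frames
    recomputes it, so a passing FCS says nothing about who sent the frame.
    """
    if len(frame) < 24 + 4:
        raise ValueError("too short for a three-address MAC header plus FCS")
    body, fcs = frame[:-4], frame[-4:]
    if zlib.crc32(body) != struct.unpack("<I", fcs)[0]:
        raise ValueError("FCS mismatch")
    fc, duration = struct.unpack_from("<HH", body, 0)
    fields = parse_frame_control(fc)
    if fields["type"] != TYPE_DATA:
        raise ValueError("not a data frame")
    # Address 4 is present only when both ToDS and FromDS are set.
    hdr_len = 30 if fields["to_ds"] and fields["from_ds"] else 24
    if len(body) < hdr_len:
        raise ValueError("truncated MAC header")
    (seq_ctl,) = struct.unpack_from("<H", body, 22)
    fields.update({
        "duration_us": duration,              # the NAV value
        "receiver": mac_str(body[4:10]),      # Address 1: the access point
        "transmitter": mac_str(body[10:16]),  # Address 2: the station
        "addr3": mac_str(body[16:22]),
        "fragment": seq_ctl & 0xF,
        "sequence": seq_ctl >> 4,             # 12-bit sequence number
        "body_len": len(body) - hdr_len,
        "is_null": fields["subtype"] == SUBTYPE_NULL,
    })
    return fields


def null_frame_violations(fields: dict) -> list:
    """Field values Section 2.1 gives for a station-to-AP null data frame."""
    expected = {"to_ds": 1, "from_ds": 0, "more_frag": 0, "protected": 0, "body_len": 0}
    return [k for k, v in expected.items() if fields.get(k) != v]


def build_null_data_frame(ap: bytes, sta: bytes, seq: int, pwr_mgmt: int) -> bytes:
    """Encode a station-to-AP null data frame; used here only to make sample input."""
    fc = (TYPE_DATA << 2) | (SUBTYPE_NULL << 4) | (1 << 8) | ((pwr_mgmt & 1) << 12)
    header = struct.pack("<HH", fc, 0) + ap + sta + ap + struct.pack("<H", (seq & 0xFFF) << 4)
    return header + struct.pack("<I", zlib.crc32(header))  # FCS: CRC-32, LSB first


AP_MAC = bytes.fromhex("001122334455")   # constructed
STA_MAC = bytes.fromhex("0200000000aa")  # constructed, locally administered
SAMPLE_SLEEP = build_null_data_frame(AP_MAC, STA_MAC, seq=1234, pwr_mgmt=1)


def describe(frame: bytes) -> str:
    """Name the state switch a null data frame announces (Section 2.2)."""
    f = parse_data_frame(frame)
    if not f["is_null"]:
        return f"data frame seq={f['sequence']} body={f['body_len']}B from {f['transmitter']}"
    state = "switch to sleep" if f["pwr_mgmt"] else "switch to awake"
    return f"null data frame seq={f['sequence']} ({state}) from {f['transmitter']} to {f['receiver']}"
```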

2.2 Applications

Although the IEEE 802.11 standard [2] does not explicitly specify the usage of null data frames, they are, in fact, widely used in practice. NIC vendors have applied null data frames in a variety of applications. In the following, we classify the applications into two categories. First, the station can use the PwrMgmt field in null data frames to inform the access point of its state-switching decision. In power management, the station sets the PwrMgmt field to 1 before it switches to sleeping state, and sets it to 0 otherwise. When the station is in sleeping state, the access point will buffer all data frames for the station until the station switches back to active state. Besides power management, the station can send a null data frame with the PwrMgmt bit set to 1 before scanning other channels. In this way, the access point will also buffer the frames until the station switches back to the current channel. Second, the station can use the null data frame as a whole to keep the association alive. When the station keeps sending/receiving data frames, it does not need to send extra null data frames to keep the association alive, as the data frames achieve this goal naturally. However, when the station stays idle for a long time, the access point cannot decide whether the station is simply idle, is currently out of its service area, or has suddenly run out of power. Keeping the associations of stations that are out of the service area or out of power wastes association ID resources. Thus, the idle station needs a special mechanism to inform the access point of its existence. Null data frames are a natural choice, and they are sent once every 10 seconds during idle periods.

3 SECURITY VULNERABILITIES OF NULL DATA FRAMES

3.1 Functionality-Associated Vulnerability

As discussed above, the main functionalities of null data frames in 802.11 WLANs are state switching in power management and channel scanning, and association keeping alive during idle periods. When null data frames are used for state switching, an attacker can spoof the identity of a station that is in sleeping state or is scanning another channel, and generate fake null data frames to fetch the buffered frames of the victim station. Since the access point deletes the buffered frames after successful transmission, such an attack in effect results in continuous frame losses. On the other hand, when null data frames are used to keep associations alive, an attacker can first establish a large number of dummy associations with the access point in public-access 802.11 WLANs, and then use null data frames to keep these associations alive. As each association takes one unique association ID, and the total number of allowed association IDs for one access point is 2007, it is not difficult for the attacker to deplete all available association IDs. In this way, other stations cannot associate with the access point. The main reason behind the above two DoS attacks is that null data frames are lightweight. First of all, null data frames are short. They consist of only the MAC header fields and have no frame body. Besides, null data frames are not encrypted. These salient features allow efficient generation and processing, and are useful in many situations. For example, when the station switches between sleeping and active states frequently, it is preferable for the station to retrieve the buffered frames at low cost. Null data frames are ideal for such usage. Similarly, it is also preferable to implement channel scanning and association keeping alive in an efficient way. However, the lightweight nature of null data frames also allows a malicious attacker to generate fake null data frames easily. Being unencrypted, any field in a null data frame can easily be manipulated by the attacker, who can send fake frames to deceive the access point.

3.2 Implementation-Associated Vulnerability

Since the exact implementation of null data frames is not explicitly specified in the IEEE 802.11 standard [2], NIC vendors have been applying null data frames in different ways. Some NICs use null data frames for power management, channel scanning, and association keeping alive, while others implement only a subset of the above functionalities. Furthermore, for a single function such as power management, different vendors' implementations vary dramatically. Due to this fact, an attacker may leverage such implementation variations to determine that two seemingly unrelated sets of frames (i.e., frames with different MAC/IP addresses sent at different positions/times) in fact come from the same device/user. This can be achieved when, among the stations in a local area, one station shows unique behaviors in its null data frame implementation. Therefore, even if all users intentionally change their MAC addresses and encrypt their IP addresses, it does not help much. When the attacker can correlate a sequence of frames sent at different positions at different times, he is able to track the victim device/user and compromise user privacy. Clearly, the above attack comes as a result of the implementation flexibility of null data frames. As null data frames are the only type of frame whose usage is not explicitly specified in the IEEE 802.11 standard [2], NIC vendors have the freedom to use null data frames wherever they might be useful. Such flexibility helps NIC vendors achieve efficiency in many applications. For example, in the standard, PS-Poll control frames are specified to be used for power management. After switching from sleeping state to active state, a station needs to send one PS-Poll control frame for each buffered frame. In reality, most NICs use null data frames instead to achieve the same goal, with the advantage that only one frame is needed to retrieve all the buffered frames. Besides power management, null data frames are also used for channel scanning and association keeping alive in an efficient way.

4 FUNCTIONALITY-BASED DENIAL-OF-SERVICE ATTACKS

4.1 Attack Model

The basic idea of functionality-based Denial-of-Service (DoS) attacks is that the attacker spoofs null data frames to disrupt the intended functionalities of the genuine null data frames. There are three main functionalities of null data frames in 802.11 WLANs: power management, channel scanning, and association keeping alive. Since both power management and channel scanning use the same field in null data frames for similar purposes, these two share the same functionality, called state switching. In the following, we introduce two DoS attacks targeting state switching and association keeping alive. In the state-switching-based DoS attack, an attacker spoofs a victim station that is in sleeping state or scanning another channel. Thus, the attacker can fetch the buffered frames at the access point and cause continuous frame losses for the victim station. In the association-keeping-alive-based DoS attack, the attacker first establishes a large number of dummy associations with the access point in public-access 802.11 WLANs, and then sends null data frames to keep those associations alive. As each association takes one unique association ID and the total number of association IDs for a single access point is 2,007, the attacker can deplete all the association IDs and prevent other stations from associating with the access point. Due to space limitations, we focus on the state-switching-based DoS attack in this paper. As the usages of null data frames in power management and channel scanning are similar, we assume that the scenario is power management. However, our discussion of the attack applies to channel scanning as well.

Algorithm 1. State-Switching-based DoS Attack
 1: State_Switching_based_DoS_Attack
 2: while (TRUE)
 3:   capture a frame F;
 4:   if F.sender_MAC == victim_MAC then
 5:     if F.PwrMgmt == 1 then
 6:       generate fake null data frame F';
 7:       F'.sender_MAC = victim_MAC;
 8:       F'.receiver_MAC = AccessPoint_MAC;
 9:       F'.sequence_number = F.sequence_number + 1;
10:       F'.PwrMgmt = 0;
11:       send fake null data frame F';
12:       victim_is_sleeping = TRUE;
13:     else
14:       victim_is_sleeping = FALSE;
15:     end if
16:   else if F.receiver_MAC == victim_MAC AND F.type == DATA AND victim_is_sleeping == TRUE then
17:     send fake ACK frame to access point;
18:   end if
19: end while

An intuitive attack is for the attacker to keep flooding fake null data frames with the PwrMgmt field set to 0. This flooding-based attack is simple to launch, but it involves a large number of frame injections. This is not cost-effective for the attacker and results in easy detection. We design an attack that injects far fewer frames while achieving the same effect. The pseudocode of the attack is given in Algorithm 1. Specifically, the attacker captures and checks all frames related to the victim station. When the victim station sends a frame informing of its intent to switch to sleeping state (lines 4-5), the attacker generates one fake null data frame (line 6).
The attacker needs to set the MAC addresses of the sender and receiver appropriately (lines 7-8), and sets the sequence number appropriately (line 9) to prevent immediate detection by the access point via sequence number inconsistency. Then, the attacker sets the PwrMgmt field to 0 (line 10) and sends the fake null data frame to the access point (line 11). The attacker also sets a variable victim_is_sleeping to TRUE (line 12) to track the state of the victim station. If the victim station sends a frame informing of its intent to switch to active state (line 13), the attacker does nothing except set the variable victim_is_sleeping to FALSE (line 14). During the attack, when the access point sends a data frame to the victim station while it is in sleeping state (line 16), the attacker sends a fake ACK frame back (line 17).

In Fig. 3, we illustrate the impact of such an attack. In this example, the victim station wakes up at the beginning of every other beacon interval to check the availability of its buffered data frames at the access point. Such information is embedded in the beacons sent from the access point at the beginning of each beacon interval by setting a bit (called TIM) for the corresponding association ID. In particular, the TIM bit of an association ID is set to 1 if there are buffered frames for the corresponding station, and it is set to 0 otherwise. In the example, the station switches to sleeping state at the beginning of the first beacon interval since there is no buffered data frame for it (TIM = 0), and switches back to active state in the middle of this beacon interval since it has a data frame to send. After sending this data frame, the station switches back to sleeping state. Shortly after that, the attacker sends a fake null data frame and notifies the access point that the victim station has just switched back to active state again. Later on, the access point receives two data frames for the victim station and sends them to the attacker. When the victim station switches to active state in the third beacon interval, it is notified that there is no buffered data frame for it. In effect, the attacker is able to delete two data frames from the access point while the victim station is in sleeping state. Although the attacker may not be able to decrypt the data frames it receives, it is able to deny service to the victim station by repeatedly deleting its data frames.

Fig. 3. State-switching-based DoS attack.

Remarks. In the following, we make some comments on our designed attack. We want to point out that the access point could detect the existence of the attack from the inconsistency of sequence numbers when the victim station wakes up and sends data frames. However, the access point cannot tell whether a received null data frame is genuine or fake immediately after reception. This is because the sequence number in the fake null data frame can be modified to match the previous frame sent by the victim station. Even if the access point can eventually detect the attack by observing two frames with the same sequence number (one from the victim station and the other from the attacker), it cannot tell whether a frame is genuine or fake after receiving the first of these two frames. Therefore, it is hard for the access point to differentiate fake null data frames from genuine ones in real time and ignore the fake frames to evade the attack.

4.2 Experimental Evaluations

In the following, we present the experimental results and our observations.

4.2.1 Experiment Setup

In Fig. 4, we show the architecture of our testbed. Most of the equipment used in our experiments is listed in Fig. 5. The air traffic logger is a Lenovo T60 laptop with an Intel PRO/Wireless 3945ABG mini-PCI card running BackTrack Linux [4] with Wireshark [5]. The attacker is a Dell E1405 laptop with a Super G+ Gigabyte 108 Mbps wi-01gt 802.11b/g mini-PCI card running BackTrack Linux with the MADWiFi-ng driver and the Aircrack-ng tools [6]. The attacker program is written in C by reusing the existing libraries in Aircrack-ng. There are two victim stations. The first one is a Sony laptop with an Intel PRO/Wireless 2200BG mini-PCI adapter running Windows XP SP2. The other station is a Lenovo T60 laptop with a 3Com OfficeConnect Wireless 108 Mbps 11g XJACK PC Card running Windows XP SP2. The access point is a Lenovo T60 laptop with a 3Com OfficeConnect Wireless 108 Mbps 11g XJACK PC Card running BackTrack Linux with the MADWiFi-ng driver. The DHCP server and Internet gateway is a Dell Dimension 5150 running Red Hat Linux. The AP and servers are connected with a Netgear ProSafe 24-port 10/100 smart switch. The TCP/UDP throughput measurement tool Iperf [7] is installed on the victim stations and the server.

Fig. 4. Architecture of our testbed.

Fig. 5. Equipment used in our experiment.

Fig. 6. TCP throughput of Intel NIC with automatic mode and MADWiFi AP under attack.

4.2.2 Experiment Results

Our first set of experiments tests user experience when performing common network activities such as Web surfing and file downloading under the state-switching-based DoS attack. In our experiments, two types of stations are used with four representative access points: the access point in our campus (Aruba AP), the access points in our department (Cisco AP), a commercial wireless router (Netgear AP), and the software access point installed by us. We found that when the attack is going on, communications become stalled. Users cannot open new Web sites, and existing file downloads stop. This illustrates the effectiveness of the attack.

To further evaluate the quantitative impact of the attack on different applications, we use Iperf [7] as the traffic generator and performance measurement tool. The server runs Iperf to generate TCP/UDP traffic, while the stations run Iperf to receive traffic and measure throughput. Each test lasts for 300 seconds. Initially, there is no attack in place. The attack is enabled at the 60th second, lasts for 60 seconds, and is disabled at the 120th second. Again, the attack is enabled at the 180th second, lasts for 60 seconds, and is disabled at the 240th second.

In Figs. 6 and 7, TCP and UDP traffic are tested on the Intel NIC with automatic power management mode and the MADWiFi access point, respectively. We can see in Fig. 6 that TCP throughput decreases to 0 immediately after the attack starts at the 60th second. This is because the attacker keeps deleting the data from the access point. Even worse, the TCP connection is disconnected during the attack, and the throughput remains 0 after the attack is disabled at the 120th second. This shows that the consistent message loss caused by the attack can cause TCP disconnection. In Fig. 7, we can see that UDP throughput degrades significantly during the time the attack is enabled. This is also because of the attacker deleting messages from the access point. However, UDP traffic is able to resume its normal throughput when the attack is disabled, due to the connectionless nature of UDP.

In Fig. 8, UDP traffic is tested on the 3Com NIC with fast power management mode and the MADWiFi access point. We have similar observations to those made in Fig. 7. However, we find that the throughput of the 3Com NIC with fast mode under attack in Fig. 8 is much higher than that of the Intel NIC with automatic mode under attack in Fig. 7. This is because of the differences in power management implementations between the 3Com NIC fast mode and the Intel NIC automatic mode. Based on the observation of the traces, we find that the 3Com NIC tends to stay in awake state for a while before switching to sleeping state, even if it has finished transmitting/receiving data. Under constant-rate UDP traffic, the delay in switching to sleeping state greatly increases the chance that the station receives the next data frame before it originally intended to switch to sleeping state. Thus, the station stays in awake state for a much longer time, and the attack impact is significantly decreased. Another interesting feature of 3Com NIC power management is that, after switching to awake state, the 3Com NIC does not send a null data frame (switch to awake) before sending data to the access point, as shown in Fig. 9. In contrast, after switching to awake state, the Intel NIC always sends a null data frame (switch to awake) before sending data, as shown in Fig. 10. This feature of the power management implementation in the 3Com NIC also helps to enhance its performance.

In Figs. 11 and 12, TCP and UDP traffic are tested on the Intel NIC with maximum power saving mode and the MADWiFi access point, respectively. We have similar observations to those made in Figs. 6 and 7, except that the throughput in Figs. 11 and 12 is lower. This is because in maximum power saving mode, stations trade performance for maximum power saving. Thus, throughput degrades both in the normal situation and when the attack is in place. In Fig. 13, UDP traffic is tested on the 3Com NIC with maximum power saving mode and the MADWiFi access point. Compared with Fig. 12, the throughput of the 3Com NIC with maximum power saving mode under attack in Fig. 13 is much higher than that of the Intel NIC with maximum power saving mode under attack in Fig. 12. This is also because of the differences in power management implementations discussed above.

Besides the tests above, we also evaluate the attack impact with different NICs or access points. In Figs. 14 and 15, similar tests to those in Figs. 6 and 11 are conducted with the 3Com NIC. We have similar observations to those made in Figs. 6 and 11. TCP connections are disconnected by the attack. In Fig. 16, a similar test to that in Fig. 6 is conducted with the Aruba access point. We also observe TCP disconnection in this case. Besides, we observe that under the same configuration, the enterprise access point can achieve higher throughput than the lower-end access point. In summary, we find that the power-management-based DoS attack has a significant impact on both TCP and UDP traffic. TCP traffic is disconnected, while UDP traffic suffers from throughput degradation. The less aggressive power management in the 3Com NIC makes it more tolerant of the attack. Besides, enterprise access points can achieve higher throughput than lower-end ones under the same configuration.

Fig. 7. UDP throughput of Intel NIC with automatic mode and MADWiFi AP under attack.

Fig. 8. UDP throughput of 3Com NIC with fast mode and MADWiFi AP under attack.

Fig. 9. 3Com NIC does not send null data frame before sending data.

Fig. 10. Intel NIC sends null data frame before sending data.

Fig. 11. TCP throughput of Intel NIC with maximum power saving mode and MADWiFi AP under attack.

Fig. 12. UDP throughput of Intel NIC with maximum power saving mode and MADWiFi AP under attack.

Fig. 13. UDP throughput of 3Com NIC with maximum power saving mode and MADWiFi AP under attack.

Fig. 14. TCP throughput of 3Com NIC with fast mode and MADWiFi AP under attack.

Fig. 16. TCP throughput of Intel NIC with automatic mode and Aruba AP under attack.

4.3 Defense Design

As discussed above, the attacker will send a fake null data frame (switch to awake) after a genuine null data frame (switch to sleep) is sent by the station. For a defense mechanism to be effective, the access point should be able to differentiate the fake null data frames from the genuine ones. However, this task is challenging. As discussed above, null data frames are unprotected and easy for the attacker to forge. Besides, the victim station could send a null data frame (switch to awake) shortly after it sends a null data frame (switch to sleep); thus, the access point cannot assume that a null data frame (switch to awake) sent immediately after a null data frame (switch to sleep) is fake. Furthermore, the attacker could use the same hardware as the victim station, stay close to the victim station, and control its transmission power so that the access point cannot determine that the fake messages are sent by a different device from the victim station via the RF fingerprinting techniques introduced in [8], [9].

Fortunately, in our experiments, we find that certain temporal information is embedded in genuine null data frames (switch to awake) that could be leveraged by the access point. In Fig. 17, we show some genuine null data frames (switch to awake). We can classify the genuine null data frames (switch to awake) into two types. The first type of genuine null data frame (switch to awake) is sent just before the beginning of the beacon interval in which the station is supposed to wake up and listen to the beacon. The station does not need to wake up too early and waste power. Thus, it will not hurt much if the access point delays the transmission of the buffered frames until the beginning of the following beacon interval. Besides, the access point is aware of the period with which the station wakes up, which is negotiated between the station and the access point during the initial association process. The second type of genuine null data frame (switch to awake) is sent just before the station sends its first data frame after it wakes up. Since the data frame itself conveys the state-switching information, it does not hurt at all to ignore the preceding null data frame.

Based on the observations above, we design a defense mechanism that takes advantage of the embedded temporal information. In our defense, the access point differentiates genuine null data frames from fake ones following the pseudocode in Algorithm 2. When a null data frame (switch to awake) is received from a station in sleeping state, it is processed by the following rules. If the frame (switch to awake) is received before the beacon interval in which the station is supposed to wake up, the null data frame is ignored temporarily and the access point delays the transmission of buffered messages until the following beacon interval. Otherwise, the null data frame is ignored permanently. In this way, the access point can filter away most fake null data frames sent by the attacker. In Fig. 18, we illustrate the effectiveness of our defense using an example. When the defense is in place, fake null data frames are ignored and the attack impact is decreased. Quantitative results based on experiments are given in the following section.

Fig. 15. TCP throughput of 3Com NIC with maximum power saving mode and MADWiFi AP under attack.

Fig. 17. Two types of genuine null data frames (switch to awake).

Fig. 18. Defense against the state-switching-based DoS attack.

Algorithm 2. Pseudocode of Defense Algorithm
 1: Defend_State_Switching_based_DoS_Attack
 2: while (TRUE)
 3:   capture a frame F;
 4:   if F.type == data then
 5:     if F.switch_to_sleep == 1 then
 6:       sender_is_sleeping = true;
 7:     elseif F.sub_type == null then
 8:       if the node is supposed to be awake in the beginning of the following beacon interval then
 9:         delay the transmission of buffered frames until the following beacon interval;
10:         sender_is_sleeping = false;
11:         continue;
12:       else
13:         ignore F;
14:         sender_is_sleeping = true;
15:         continue;
16:       end if
17:     end if
18:   end if
19: end while

Fig. 20. UDP throughput of Intel NIC with automatic mode and MADWiFi AP with defense.

frame. Ignoring such null data frame will not cause any negative effect since the following data frame also serves the function of informing the access point of its state switching. In fact, not sending the preceding null data frame will not cause any negative effect, thus ignoring it will not hurt. As a result, our defense has virtually no false positive. As to the possibility of false negative, it happens when the attacker intentionally sends a null data frame (switch to awake) before the beacon interval when the station is supposed to wake up. Such behavior of attacker will evade the detection by access point in our defense; however, it will not be able to cause any data frame loss as the buffered frames will be sent only when the victim station is guaranteed to be awake. The effectiveness of our defense comes at the cost of extra delay as the buffered frames are not sent immediately after the station wakes up.

4.4

Remarks. In the following, we will discuss the possibility of false positive and false negative of our defense mechanism. False positive happens in one situation, where the station sends such null data frame before sending a data

Defense Implementation and Experimental Evaluation We have implemented our defense mechanism on the access point by modifying the MADWiFi-ng driver [10]. In the following, we discuss our experimental results and our observations. In Figs. 19 and 22, TCP traffic is tested on Intel NIC with automatic mode and maximum power saving mode, respectively. As can be seen, a salient feature of our defense is that the TCP connection is able to sustain under the attack. After attack is disabled, the throughput returns to its normal value. Besides, the throughput under attack is higher than those without defense in Figs. 6 and 11, respectively. In Figs. 20 and 23, UDP traffic is tested on Intel NIC with automatic mode and maximum power saving mode,

Fig. 19. TCP throughput of Intel NIC with automatic mode and MADWiFi AP with defense.

Fig. 21. TCP throughput of 3Com NIC with fast mode and MADWiFi AP with defense.

GU ET AL.: NULL DATA FRAME: A DOUBLE-EDGED SWORD IN IEEE 802.11 WLANS

905

Fig. 22. TCP throughput of Intel NIC with maximum power saving mode and MADWiFi AP with defense.

Fig. 24. TCP throughput of 3Com NIC with maximum power saving mode and MADWiFi AP with defense.

respectively. The throughput does degrade under attack due to the extra delay introduced by our defense. However, the throughput under attack with defense is higher than those without defense in Figs. 7 and 12, respectively. In fact, the throughput improvement is between 24 and 32 percent, which shows the benefit of our defense mechanism. In Figs. 21 and 24, TCP traffic is tested on 3Com NIC with fast mode and maximum power saving mode, respectively. We have similar observations as those made in Figs. 19 and 22. The TCP connection is able to sustain under the attack. After attack is disabled, the throughput returns to normal value. Besides, the throughput under attack with defense is much higher than those under attack without defense in Figs. 14 and 15, respectively. All these observations confirm the effectiveness of our defense. Furthermore, we find that the throughput of 3Com NIC under attack with defense in Figs. 21 and 24 is much higher than those of Intel NIC under attack with defense in Figs. 19 and 22. This is also due to the less aggressiveness of power management implementation in 3Com NIC as discussed before. In summary, we find that our defense mechanism effectively enhances the performance of both TCP and UDP traffic under attacks. Specifically, TCP traffic can sustain under the attack. Both TCP and UDP traffic have much higher throughput under attack.
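As an added example (not the authors' MADWiFi-ng patch), the following Python simulation applies the decision rule of Algorithm 2 at the access point and replays one constructed frame timeline against a naive AP and a defended AP, scoring every buffered frame that is released while the station's radio is actually off as lost. The beacon interval, the listen interval negotiated at association, and all frames are assumed values; the timeline includes both genuine types of switch-to-awake null frames and the false-negative case from the remarks (a fake frame timed just before the scheduled wake-up beacon), which is only delayed and so costs no frames.

```python
"""Constructed example of the Algorithm 2 defense; not the paper's code. Times in ms."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BEACON_INTERVAL = 100  # ms (assumed)
LISTEN_INTERVAL = 3    # station listens to every 3rd beacon (assumed, set at association)

@dataclass(frozen=True)
class Frame:
    t: float       # time the AP receives the frame
    src: str       # transmitter address as seen on the air (spoofable)
    kind: str      # "null" (empty body) or "data" (non-empty body)
    pwr_mgmt: int  # PwrMgmt bit: 1 = switch to sleep, 0 = switch to awake

def next_beacon(t: float) -> int:  # start of the beacon interval following t
    return (int(t) // BEACON_INTERVAL + 1) * BEACON_INTERVAL

def is_scheduled_wakeup(beacon_time: int) -> bool:
    # The AP knows the negotiated listen interval: the station wakes for beacons 0, 300, 600, ...
    return (beacon_time // BEACON_INTERVAL) % LISTEN_INTERVAL == 0

@dataclass
class AccessPoint:
    defend: bool                          # False = act on every null frame immediately
    sleeping: bool = False
    buffer: List[str] = field(default_factory=list)
    release_at: Optional[int] = None      # pending delayed release (defense only)
    deliveries: List[Tuple[float, str]] = field(default_factory=list)

    def _flush(self, t: float) -> None:
        self.deliveries.extend((t, fid) for fid in self.buffer)
        self.buffer.clear()

    def beacon(self, t: int) -> None:  # called at every beacon boundary
        if self.release_at is not None and t >= self.release_at:
            self.release_at = None
            self.sleeping = False
            self._flush(t)

    def downlink(self, t: float, fid: str) -> None:  # frame for the station from the wire
        if self.sleeping:
            self.buffer.append(fid)
        else:
            self.deliveries.append((t, fid))

    def uplink(self, f: Frame) -> str:  # Algorithm 2, applied to one received frame
        if f.pwr_mgmt == 1:           # switch to sleep: start buffering
            self.sleeping = True
            return "sleep"
        if f.kind == "data":          # a real data frame proves the station is awake
            self.sleeping = False
            self.release_at = None
            self._flush(f.t)
            return "awake"
        if not self.sleeping:         # null/awake while already awake: nothing to do
            return "noop"
        if not self.defend:           # naive AP trusts the unprotected null frame
            self.sleeping = False
            self._flush(f.t)
            return "awake"
        nb = next_beacon(f.t)
        if is_scheduled_wakeup(nb):   # type-1 genuine (or a well-timed fake): delay, never lose
            self.release_at = nb      # we keep buffering until nb (Alg. 2 line 10 clears the flag)
            return "delayed-to-%d" % nb
        return "ignored"              # fake, or type-2 genuine whose data frame will follow

# Constructed scenario; STATION_AWAKE is radio ground truth used only to score losses.
STATION_AWAKE = [(0, 5), (295, 310), (350, float("inf"))]
UPLINK = [
    Frame(5, "sta", "null", 1),    # genuine: going to sleep
    Frame(30, "sta", "null", 0),   # FAKE: attacker spoofs sta while it sleeps
    Frame(290, "sta", "null", 0),  # FAKE: timed just before the scheduled beacon 300
    Frame(295, "sta", "null", 0),  # genuine type 1: just before beacon 300
    Frame(310, "sta", "null", 1),  # genuine: back to sleep
    Frame(350, "sta", "null", 0),  # genuine type 2: precedes the station's data frame
    Frame(351, "sta", "data", 0),  # genuine data frame
]
DOWNLINK = [(20, "D1"), (40, "D2"), (320, "D3")]  # (arrival time, frame id)

def station_awake(t: float) -> bool:
    return any(a <= t < b for a, b in STATION_AWAKE)

def simulate(defend: bool, horizon: int = 400) -> dict:
    """Replay the scenario; a frame delivered while the station sleeps counts as lost."""
    ap = AccessPoint(defend=defend)
    events = [(t, 0, "beacon", None) for t in range(BEACON_INTERVAL, horizon + 1, BEACON_INTERVAL)]
    events += [(f.t, 1, "up", f) for f in UPLINK] + [(t, 1, "down", fid) for t, fid in DOWNLINK]
    decisions = {}
    for t, _, ev, payload in sorted(events, key=lambda e: (e[0], e[1])):
        if ev == "beacon":
            ap.beacon(t)
        elif ev == "down":
            ap.downlink(t, payload)
        else:
            decisions[t] = ap.uplink(payload)
    lost = [fid for t, fid in ap.deliveries if not station_awake(t)]
    return {"deliveries": sorted(ap.deliveries), "lost": lost, "decisions": decisions}
```

Running `simulate(False)` shows the naive AP releasing D1 and D2 on the fake frame at t=30 while the station sleeps, whereas `simulate(True)` holds them until beacon 300 and loses nothing, at the price of the extra delay the remarks describe.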

5 IMPLEMENTATION-BASED FINGERPRINTING ATTACKS

5.1 Attack Model

In this section, we discuss how a fingerprinting attacker can take advantage of the implementation variations of null data frames to compromise user privacy. As we know, the MAC address is an obvious identifier that can be used to correlate two sets of frames sent at different positions at different times. After obtaining a sequence of frames with the same MAC address, we are able to determine the position of a single device/user at a certain time and even the whole movement pattern if enough frames are obtained. This could compromise the location privacy of mobile devices and the personal privacy of users. However, the user can change his MAC address between communication sessions to defend against user tracking. Unfortunately, this is not enough. During the analysis of the traces we collected on a variety of typical NICs and of the well-known public traces, we found that the implementations of null data frames in NICs vary dramatically. In particular, we identify seven fingerprinting rules that can help the attacker correlate two sets of frames even if their MAC addresses are different. In other words, even if a user changes his MAC address frequently, our fingerprinting attacker can still track the user if the NIC in his device shows a unique behavior compared with nearby NICs. In the following, we describe the seven fingerprinting rules.

Rule 1. Some NICs use null data frames for power management (Y), while others use PS-Poll control frames (N).

Rule 2. Some NICs send null data frames once per 10 seconds when there is no data communication to keep the association alive (Y), while others do not (N).

Rule 3. Some NICs send null data frames before sending probe request frames during active channel scanning (Y), while others do not (N).

Rule 4. After switching from sleeping state to active state, some NICs send a null data frame (PwrMgmt set to 0) before sending the first data frame (Y), while others send the data frame directly (N).

Rule 5. Some NICs can still receive data frames for a short period of time after sending a null data frame (PwrMgmt set to 1) (Y), while others switch to sleeping state immediately after sending such a null data frame (N).

Rule 6. Some NICs send null data frames periodically (Y), while others send them aperiodically depending on the availability of data (N). For example, when there is continuous data communication, the station sends null data frames at a higher frequency. However, during an idle period, the station sleeps for a longer time and occasionally wakes up to check the availability of buffered frames, which results in sending null data frames at a lower frequency.

Rule 7. Some NICs send a null data frame (PwrMgmt set to 1) and switch to sleeping state after sending out all their data frames to the access point even if there are more buffered data frames at the access point (Y), while others do so only when there is no frame in either direction (N).

In the following, we apply our fingerprinting rules to 802.11 WLAN traces to evaluate the effectiveness of our fingerprinting attack.

Fig. 23. UDP throughput of Intel NIC with maximum power saving mode and MADWiFi AP with defense.

Fig. 25. Six configurations in our 802.11 WLAN traces.

5.2 Experimental Evaluations

In this section, we evaluate the effectiveness of our fingerprinting attack based on experiments. We first apply the fingerprinting rules above to the 802.11 WLAN traces we collected with a variety of typical NICs in different power management modes. Then, we apply these rules to the well-known 802.11 WLAN trace collected at Sigcomm 2004 [11]. In Fig. 25, we show the six configurations under which we collected our 802.11 WLAN traces. In the first five configurations, we use the NICs originally shipped with the laptops, while in the last one (i.e., configuration F), we use an external NIC on a Lenovo Thinkpad T60. Except for the second configuration (i.e., configuration B), all configurations have power management enabled. In Fig. 26, we show the behaviors of the six configurations with respect to the seven fingerprinting rules. Each row corresponds to one configuration, while each column corresponds to one rule. As can be seen, for any two configurations there exists at least one rule that can differentiate them. In other words, the fingerprinting attack is effective in identifying each of the six configurations from the others.

In order to evaluate the effectiveness of our fingerprinting attack in a real-life situation, we further apply our rules to the well-known 802.11 WLAN trace collected at Sigcomm 2004 [11]. In particular, we write scripts for five of our seven fingerprinting rules (i.e., rules 1, 3, 4, 5, and 7) and obtain the behaviors of the NICs based on our scripts. We do not use rules 2 and 6 here due to the lack of idle periods in this trace. However, we believe that these two rules are useful in general, as they are observed in other public online traces. In order to obtain stable results, we only consider the NICs that send/receive more than 500 data frames (including null data frames) in the trace. In Fig. 27, we show the behaviors of the NICs with respect to the fingerprinting rules. Although all MAC addresses are camouflaged for privacy reasons, the camouflaged MAC addresses can still help us to group the frames from the same NIC. An extra rule is added (second column), which states whether the NIC ever uses power management. As can be seen, we can classify the NICs into seven categories based on their behaviors. We find that two NICs can be identified due to their unique behaviors, while the remaining 14 NICs share the same behaviors with a few others. Although in this case we may not be able to identify all NICs uniquely, our fingerprinting rules help to classify NICs into finer categories than would otherwise be possible. Our fingerprinting rules can also be used together with other existing fingerprinting techniques to achieve finer classification and higher accuracy.

Fig. 26. Behaviors of six configurations with respect to the seven fingerprinting rules.

Fig. 27. Behaviors of the NICs in Sigcomm 2004 trace [11].

5.3 Preliminary Defense

In order to defend against the fingerprinting attack, decreasing the implementation variations or frequently changing the current implementation seem to be two natural choices. Unfortunately, neither choice can eliminate the vulnerability satisfactorily, as detailed below. Thus, in the remainder of this section, instead of designing a single defense mechanism whose existence we doubt, we discuss the limitations of both choices and propose some suggestions.

First of all, we would like to point out that it is not possible to completely eliminate implementation variations, for two reasons. First, there exists a trade-off between security and power conservation. Although the user can disable power management to eliminate many null data frames, it comes at the cost of much higher power consumption. This is not preferable for wireless mobile users, as a laptop battery still cannot sustain for more than a few hours under current technology. Second, we doubt that a single implementation suffices for all situations. It is preferable for a NIC to have multiple options for users to choose from depending on the scenario and user preferences. There is no single implementation that can satisfy all users in all situations. Different implementations under different options will show different behaviors, which can be taken advantage of by the fingerprinting attacker.

Besides eliminating implementation variations as discussed above, another possible defense is frequently changing the usage of null data frames between communication sessions, either manually by the user or automatically by the NIC driver. However, this defense has obvious drawbacks. First, forcing users to manually change the usage options introduces extra work for the users in the best case and annoys the users in the worst case. Second, letting NIC drivers dynamically change the usage options when the application scenario does not change obviously degrades the performance of the associated functionalities.

Finally, we suggest that NIC vendors consider both security and functionality in NIC design. In particular, we would like to have as few distinct options as necessary, and to standardize the implementations of these options. This could make the fingerprinting attack much less effective.

6 FUNDAMENTAL TRADE-OFF

In the above sections, we discussed the applications and features of null data frames in 802.11 WLANs and how these applications and features expose security vulnerabilities to malicious attackers. Ironically, the fundamental reason for the existence of these attacks is the salient features of null data frames. While these salient features allow null data frames to achieve many functionalities efficiently, the same features allow malicious attackers to attack those functionalities equally efficiently. For example, while it is efficient to notify state switching with a single PwrMgmt bit in power management and channel scanning, simply flipping the PwrMgmt bit allows the attacker to cheat the access point and defeat the state-switching notification. While it is also efficient to keep the association alive via a simple null data frame, a large number of fake null data frames could also keep spoofed associations alive and deplete the association IDs. Furthermore, while not standardizing the implementation details of power management with null data frames allows design flexibility, the implementation variations can easily be taken advantage of to launch a fingerprinting attack.

As we know, the IEEE 802.11w working group [12] is planning to protect management frames such as deauthentication and disassociation frames to defend against DoS attacks based on management frame spoofing. It might seem trivial to eliminate null data frame spoofing by simply protecting (i.e., encrypting) such frames in the same way. Unfortunately, frame protection may not work as well against our null-data-frame-based attacks. Null data frames are in general sent much more frequently under power management than deauthentication and disassociation frames. Encrypting and decrypting null data frames at such a high frequency would cost too much computation and power. On the other hand, standardizing the implementation of null data frames against the fingerprinting attack is not trivial either. This would clearly remove the possibility for users to choose different power management options based on user preference and/or application scenario. Besides, it cannot help the large number of NICs that are already on the market. Completely eliminating the security vulnerabilities brought by null data frames in an efficient way remains an open problem.

In the above, we discussed null data frames in 802.11 WLANs. In fact, in many other network protocols, similar simple and lightweight messages for control purposes exist as well, such as the TCP SYN message during connection establishment, the BGP keep-alive message for routing link maintenance, 802.11 RTS/CTS frames for medium reservation, etc. These simple and lightweight messages share many similarities with null data frames in 802.11 WLANs, including frequent usage, being unencrypted, and being simple and lightweight. Besides, these common features are closely related: because of their frequent usage, it is preferable to use simple and unencrypted messages to reduce overhead. Not surprisingly, these simple and lightweight messages suffer from the trade-off between functionality and security as well. In the TCP SYN DoS attack, the attacker floods SYN messages to the server to establish a large number of half-open TCP connections, which can prevent valid users from establishing connections with the server. In BGP, an attacker can send fake keep-alive messages to BGP peers at certain times to cause routing disruption. In 802.11 WLANs, it is possible to fake RTS/CTS frames with extremely large NAV values to prevent nearby stations from accessing the medium for a long time. Compared with those simple control messages in other network protocols, null data frames have even more vulnerabilities, for two main reasons. First, null data frames are used in many applications instead of a single one, which makes more applications vulnerable to attack. Second, the lack of standardization allows a variety of implementation variations even for a single application, which enables a fingerprinting attack that does not exist for the above messages. Despite the work in this paper, achieving a satisfactory balance among functionality, efficiency, and security in network protocols with simple and lightweight control messages remains a challenging task, which will be our future work.

7 RELATED WORK

In this section, we discuss the related literature on Denial-of-Service and fingerprinting attacks in IEEE 802.11 WLANs. There are a number of works on DoS attacks in 802.11 WLANs [13], [14], [15], etc. In [13], deauthentication and disassociation frames are sent to disrupt the communication between the station and the access point. In [13], control frames like RTS/CTS are spoofed to prevent other stations from accessing the medium when it is actually free. In the IE poisoning attack [14], the attacker modifies some insignificant bits in IE elements so that the initial negotiation procedure fails due to the inconsistency of the IE elements. In the four-way handshake blocking attack [14], the attacker spoofs the first message in the four-way handshake so that a memory DoS attack is launched against the station.

Our proposed attacks have a few salient features that distinguish them from the existing DoS attacks. First, our attacks are hard to detect. Null data frames are not encrypted, and the fake null data frames are sent only when the victim node is sleeping. Although deauthentication and disassociation frames are also unencrypted at the current stage, the IEEE 802.11w working group [12] is planning to protect these management frames in the near future. However, no plan has been carried out to protect null data frames. Second, our attacks are cost-effective. Instead of constantly flooding deauthentication and disassociation frames, our attack only requires the occasional insertion of fake frames. Third, our attacks do not have a strict timing requirement. In the IE poisoning attack and the four-way handshake blocking attack, a particular frame has to be inserted at a particular time. Sending the fake frame too early or too late results in an ineffective attack. Our attack does not have such a strict requirement.

One work related to part of our work in this paper is the PS-Poll control-frame-based DoS attack in [13]. In this attack, the attacker spoofs PS-Poll control frames (PwrMgmt set to 0) to delete data frames of the victim station when it is sleeping. Despite the same attack consequence, our work differs from that in [13] in the following ways. First, our attack is more efficient. Only one null data frame is needed to retrieve all buffered data frames, while one PS-Poll control frame is needed per buffered data frame. Second, our attack is more practical. Based on our traces and the well-known public traces, we find that in reality almost all NICs use null data frames for power management instead of the PS-Poll control frame specified in the IEEE 802.11 standard [2]. Third, we have implemented our attack, evaluated its effectiveness in a real testbed, and proposed a novel defense, none of which is done in [13].

We give a brief survey of the defense mechanisms against Denial-of-Service attacks implemented at the access points. An intuitive defense is to authenticate all management and control frames [13]. However, many such frames are sent frequently, and the incurred overhead would degrade performance. In [13], a detection scheme based on delaying the response to deauthentication and disassociation frames was proposed. In this scheme, the receiver of the deauthentication and disassociation frames waits for future data frames for a while instead of acting on those frames immediately. Valid data frames after the deauthentication and disassociation frames indicate the existence of an attack. However, this scheme was found to have a number of new vulnerabilities [16]. SNORT [17] sets a threshold value for the number of deauthentication frames per unit time, and uses this threshold to detect and mitigate the deauthentication attack. A similar approach was proposed in [13] to detect and mitigate the RTS/CTS attack, in which a threshold is set for the value of the duration field. While the above two threshold-based approaches can help alleviate the attack impact, they may result in false positives in certain situations. In [18], a sequence-number-variation-based defense was proposed against deauthentication attacks. It is based on the observation that in a normal situation, the sequence number variation shows a linear pattern, while under a deauthentication attack, nonlinear variations are observed. However, a smart attacker can intentionally change the sequence numbers to make the defense ineffective. To sum up, defending against Denial-of-Service attacks is still a challenging task, considering the multiple objectives such as defense effectiveness, overhead, and impact on performance.

In the following, we discuss fingerprinting attacks on 802.11 WLANs. We classify the attacks based on the layer of the attack mechanism. Our fingerprinting attack in this paper can be complemented with the existing techniques to further enhance the effectiveness of fingerprinting. In the physical layer, there are three types of attack mechanisms: signal-feature-based attacks, temporal-feature-based attacks, and frame-feature-based attacks. In [9], signal features such as amplitude, frequency, and phase are used to differentiate devices, due to the fact that minor variations in hardware can result in observable differences in the transmitted signal. In [8], it is observed that the time a station waits before sending probe request frames shows a different probability distribution depending on the device driver implementation. Such temporal features may be used to differentiate two devices if they have different NICs or the same NIC with different driver versions. In [19], it is found that the set of broadcast frame sizes sent by one user is, in general, different from that sent by another user, since different users probably use different sets of applications. Such frame features can also be used for fingerprinting.

In the MAC layer, the MAC address is an obvious identifier that can be used to track a device. To defend against such an attack, several works have proposed hiding this identity by changing the MAC address between communication sessions. However, if only one station changes its MAC address at a certain time in a local area, the attacker can still easily correlate the old and new MAC addresses. In [20], a distributed scheme is proposed so that there exists a period of time (e.g., a silent period) in which several stations keep silent and update their MAC addresses at about the same time. Recently, it was discovered in [19] that several other fields in the MAC header of 802.11 frames (called implicit identifiers) can be used for fingerprinting, such as the SSID field, supported rates, etc. For example, different users have different sets of preferred network SSIDs, and the attacker can track a device/user based on the unique set of SSIDs.

There are a variety of other fingerprinting schemes based on network and even higher layer information. Such schemes are independent of the IEEE 802.11 protocol, and can be applied in other wireless and wired networks. The IP address is an obvious identifier in the network layer, although encryption can be applied. In [21], it is shown that devices can be fingerprinted using the clock skew exposed by TCP timestamps. In security tools like nmap [22] and p0f [23], the differences in network stack behaviors are leveraged to determine the operating system of the device. In [24], keystroke dynamics of the user are used to identify individual users. In [25], unconcealed information in encrypted Web browsing traffic and statistical characteristics of Web requests can be used to compromise user privacy.


8 CONCLUSION

Null data frames have been widely used in IEEE 802.11 WLANs for power management, channel scanning, and association keeping alive. Such wide application is due to the lightweight frame format and implementation flexibility of null data frames. However, these features can be taken advantage of by malicious attackers to launch a variety of attacks. In this paper, we identify the potential security vulnerabilities of current applications of null data frames in 802.11 WLANs, study two types of attacks in detail, evaluate the effectiveness of the attacks based on extensive experiments, design a defense mechanism, and evaluate its effectiveness. Finally, we point out that our work has broader impact in that similar vulnerabilities exist in many other network protocols due to the adoption of similar simple and lightweight messages for control purposes.

ACKNOWLEDGMENTS

This work is supported in part by the US National Science Foundation (NSF) CAREER Award CCF-0546668, the NSF under grant No. CNS-0916584, the Army Research Office (ARO) under grant No. AMSRDACC-R 50521-CI, the Research Grants Council of the Hong Kong SAR, China No. (CityU 114908), CityU Applied R&D Funding (ARD(Ctr)) No. 9681001 and 9678002, and ShenZhen Basic Research Grant No. JC200903170456A. Any opinions, findings, conclusions, and recommendations in this paper are those of the authors and do not necessarily reflect the views of the funding agencies.

REFERENCES

[1] Houston-WiFi, http://auscillate.com/wireless/houston/, 2009.
[2] "IEEE 802.11: Wireless LAN Medium Access Control and Physical Layer Specifications," IEEE CS LAN MAN Standards Committee, Aug. 1999.
[3] W. Gu, Z. Yang, C. Que, D. Xuan, and W. Jia, "On Security Vulnerabilities of Null Data Frames in IEEE 802.11 Based WLANs," Proc. Int'l Conf. Distributed Computing Systems (ICDCS), June 2008.
[4] Backtrack, http://www.remote-exploit.org/backtrack.html, 2009.
[5] Wireshark, http://www.wireshark.org/, 2009.
[6] Aircrack-ng, http://www.aircrack-ng.org/doku.php, 2009.
[7] Iperf, http://dast.nlanr.net/projects/iperf/, 2008.
[8] J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J.V. Randwyk, and D. Sicker, "Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting," Proc. 15th USENIX Security Symp., July 2006.
[9] D.B. Faria and D.R. Cheriton, "Detecting Identity Based Attacks in Wireless Networks Using Signalprints," Proc. ACM Workshop Wireless Security (WiSe), Sept. 2006.
[10] MADWiFi, http://madwifi.org/, 2009.
[11] Sigcomm04-trace, http://crawdad.cs.dartmouth.edu/download/uw/sigcomm2004/kalahari, 2009.
[12] "IEEE 802.11w: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Protected Management Frames," IEEE CS LAN MAN Standards Committee, 2009.
[13] J. Bellardo and S. Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions," Proc. 12th USENIX Security Symp., Aug. 2003.
[14] C. He and J.C. Mitchell, "Security Analysis and Improvements for IEEE 802.11i," Proc. 12th Ann. Network and Distributed System Security Symp. (NDSS), Feb. 2005.
[15] C. Liu and J.T. Yu, "An Analysis of DoS Attacks on Wireless LAN," Proc. Int'l Conf. Wireless Networks and Emerging Technologies (WNET), July 2006.
[16] Y.S. Lee, H.T. Chien, and W.N. Tsai, "Using Random Bit Authentication to Defend IEEE 802.11 DoS Attacks," Proc. Int'l Computer Symp. (ICS), Dec. 2006.
[17] SNORT, http://www.snort.org/, 2009.
[18] S. Balachandran, D. Dasgupta, and L. Wang, "A Hybrid Approach for Misbehavior Detection in Wireless Ad-Hoc Networks," Proc. Symp. Information Assurance (SIA), June 2006.
[19] J. Pang, B. Greenstein, and R. Gummadi, "802.11 User Fingerprinting," Proc. 13th ACM MobiCom, Sept. 2007.
[20] T. Jiang, H.J. Wang, and Y.C. Hu, "Preserving Location Privacy in Wireless LANs," Proc. Fifth ACM MobiSys, June 2007.
[21] T. Kohno, A. Broido, and K.C. Claffy, "Remote Physical Device Fingerprinting," Proc. 26th IEEE Symp. Security and Privacy, May 2005.
[22] nmap Network Security Scanner, http://insecure.org/nmap/, 2009.
[23] p0f, http://freshmeat.net/projects/p0f/, 2009.
[24] D.X. Song, D. Wagner, and X. Tian, "Timing Analysis of Keystrokes and Timing Attacks on SSH," Proc. 10th USENIX Security Symp., Aug. 2001.
[25] Q. Sun, D.R. Simon, Y.M. Wang, W. Russell, V.N. Padmanabhan, and L. Qiu, "Statistical Identification of Encrypted Web Browsing Traffic," Proc. 23rd IEEE Symp. Security and Privacy, May 2002.

Wenjun Gu received the BS and MS degrees in electronic engineering from Shanghai Jiao Tong University (SJTU), China, in 2000 and 2003, respectively. He is currently working toward the PhD degree at the Department of Computer Science and Engineering, The Ohio State University. His current research interests are in Wireless Networks, Network Security, and Distributed Systems.

Zhimin Yang received the BS, MS, and PhD degrees in electrical engineering from Harbin Institute of Technology, China, in 1995, 1997, and 2000, respectively, and the MS degree in computer science from The Ohio State University in 2009. He is currently working toward the PhD degree at the Department of Computer Science and Engineering, The Ohio State University. His current research includes network security, distributed systems, and mobile applications.

Dong Xuan received the BS and MS degrees in electronic engineering from Shanghai Jiao Tong University (SJTU), China, and the PhD degree in computer engineering from Texas A&M University. Currently, he is an associate professor in the Department of Computer Science and Engineering, The Ohio State University (OSU). His research interests include distributed computing, computer networks, and cyberspace security. He received the US National Science Foundation (NSF) CAREER Award in 2005 and the College of Engineering/OSU Lumley Research Award in 2009. He is a member of the IEEE and the ACM.


Weijia Jia received the BSc and MSc degrees from Central South University, China, in 1982 and 1984, respectively, and the Master of Applied Science and PhD degrees from the Polytechnic Faculty of Mons, Belgium, in 1992 and 1993, respectively, all in computer science. He is currently a full professor in the Department of Computer Science and the director of the Future Networking Center, ShenZhen Research Institute of City University of Hong Kong (CityU). He joined the German National Research Center for Information Science (GMD) in Bonn (St. Augustine) from 1993 to 1995 as a research fellow. In 1995, he joined the Department of Computer Science, CityU, as an assistant professor. His research interests include next-generation wireless communication, protocols and heterogeneous networks, distributed systems, and multicast and anycast QoS routing protocols. In these fields, he has a number of publications in prestigious international journals (IEEE Transactions, e.g., TPDS, TC, TMC, etc.), books/chapters, and refereed international conference proceedings (e.g., ACM WiSec, MobiHoc, SenSys, IEEE ICDCS, INFOCOM, etc.). He (with W. Zhou) has published the book Distributed Network Systems (Springer), which contains extensive research materials and implementation examples. He has received the Best Paper Award at a prestigious (IEEE) conference and (with J. Chen et al.) proposed improved algorithms for the well-known Vertex Cover and Set Packing NP-hard problems with time bounds of O(kn + 1.2852^k) and O((5.7k)^k n), respectively. Both results stand as the current best time bounds to date for these fixed-parameter intractable problems. He is the chair professor of Central South University, Changsha, China, and a guest professor of Shanghai Jiao Tong University, University of Science and Technology of China, Beijing Jiao Tong University, and Jinan University, Guangzhou, China.
He has served as an editor and a guest editor for international journals and as PC chair, PC member, and keynote speaker for various prestigious international conferences. He is a senior member of the IEEE and a member of the ACM.


Can Que received the BEng degree from the University of Science and Technology of China in 2005. He is currently working toward the PhD degree at the City University of Hong Kong and the University of Science and Technology of China. His research interests include next-generation wireless communication and QoS routing protocols for multihop wireless networks.
