Disambiguation of Residential Wired and Wireless Access in a Forensic Setting



Posted on 25-Feb-2016


Page 1: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science

Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Sookhyun Yang, Jim Kurose, Brian Neil Levine

University of Massachusetts Amherst
[email protected]

This research is supported by NSF awards CNS-0905349 and CNS-1040781.

Page 2: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Outline

Introduction
Problem Statement
Experimental Methodology
Classification Results
Conclusion

Page 3: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Motivating scenario (diagram): a P2P network of peers, a law-enforcement peer, a wireless router, and an illegal content distributor (e.g., CP).

Step 1. Public IP address.
Step 2. Known sender location.

Illegal content distributed via P2P from a known location.

At the known location: “wired or wireless access?” Speech bubble from the resident: “Someone used my open Wi-Fi!”

Challenge: “Can we legally determine that a suspect used wired access, thus making the resident user more likely to be a responsible party?”

Page 4: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Can We Intercept Data at Intermediate Nodes?

No, law enforcement cannot legally take traces at intermediate nodes without a warrant or wiretap.

(Diagram: illegal content distributor behind a wireless router, intermediate routers, a peer, and law enforcement; data interception via a sniffer at an intermediate router.)

Reasonable expectation of privacy (REP) for the sources of data.

The Wiretap Act and the Pen Register statute.

Page 5: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Can We Intercept Data as a Peer?

Yes, measurements taken at a peer, before a warrant, are legal!

(Diagram: P2P network with a law-enforcement peer, a wireless router, and the illegal content distributor.)

Users of P2P file sharing networks have no “reasonable expectation of privacy”.

Software designed for law enforcement to monitor P2P activity does not violate US 4th Amendment protections.


Page 7: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Our Problem Setting

(Diagram: target behind a Wi-Fi AP and a cable modem, connected through the cable network to the P2P Internet and to the law-enforcement peer. Wi-Fi or Ethernet? Wired access?)

Challenge: can we classify the access network type of the target sender using remotely measured P2P traces?

Challenges in this forensic setting: hidden and unknown residential factors can affect classification results.

Page 8: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Our Contribution

Investigate the performance of several wired-vs-wireless classification algorithms in various home network scenarios.

Observe how several scenario factors affect classifier performance:
Single flow vs. multiple flows from a target.
Operating systems.
P2P application rate limit.
Wireless channel contention.

Explain when, why and how the classifier works reliably or poorly.

See Tech. Rep. UM-CS-2013-001, Dept. of CS, UMass Amherst.

user: "We observe how several commonly-found factors..."

user: Main thing missing here - what classifier do you use? In this slide it seems that this classifier is given to you. Did you just analyze performance of an existing classifier, or develop one as well?

Page 10: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Diversely Emulated P2P Traces in Controlled Settings

Testbed (diagram): target device in houses near UMass; 802.11g or 1 Gbps Ethernet to a Wi-Fi AP less than 1 m away (the worst case); cable modem; wired sniffer; Internet; UMass server and Purdue server.

Target device: single full-rate TCP flow; multiple TCP flows.
Linux vs. Windows XP.
Remotely collecting pairs of wired and wireless datasets.
Cable network effect (different times and houses).
Host-side vs. cable network.

Wired sniffer: we take measurements here to help us explain/understand classification, but do NOT use them in classification.


Page 12: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Classification Procedure

Classification features: 25th, 50th and 75th percentiles and entropy of the packet inter-arrival time distribution for each dataset.

We train and cross-validate decision tree, logistic regression, SVM, and EM classifiers.

Classification performance metrics: TPR (True Positive Rate) and FPR (False Positive Rate). FPR ≤ 0.10 and TPR ≥ 0.90 are acceptable classification results.
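As an added example (not the authors' code or the classifier from the technical report), the following computes the four features named on this slide from a list of packet timestamps and applies the slide's acceptance rule. Timestamps in microseconds, the fixed-width histogram used for the entropy, and "wireless" as the positive class are my assumptions; the slide does not say how the distribution is binned.

```python
import math
from collections import Counter

def inter_arrival_times(timestamps_us):
    """Gaps between consecutive packets; timestamps in microseconds (assumed unit)."""
    ts = sorted(timestamps_us)
    return [b - a for a, b in zip(ts, ts[1:])]

def percentile(values, p):
    """Nearest-rank percentile, 0 < p <= 100, of a non-empty list."""
    s = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(s)))
    return s[rank - 1]

def entropy_bits(values, bin_width):
    """Shannon entropy (bits) of a fixed-width histogram of the inter-arrival times.
    Binning is an assumption: the slide does not say how the distribution is discretised."""
    counts = Counter(v // bin_width for v in values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def iat_features(timestamps_us, bin_width=500):
    """The four per-dataset features named on the slide: 25th/50th/75th percentile and entropy."""
    iats = inter_arrival_times(timestamps_us)
    return {"p25": percentile(iats, 25), "p50": percentile(iats, 50),
            "p75": percentile(iats, 75), "entropy": entropy_bits(iats, bin_width)}

def rates(truth, predicted, positive="wireless"):
    """TPR and FPR of predicted labels against ground truth (positive class assumed: wireless)."""
    tp = sum(t == positive and p == positive for t, p in zip(truth, predicted))
    fp = sum(t != positive and p == positive for t, p in zip(truth, predicted))
    pos = sum(t == positive for t in truth)
    neg = len(truth) - pos
    return (tp / pos if pos else 0.0), (fp / neg if neg else 0.0)

def acceptable(tpr, fpr):
    """Acceptance rule from the slide: FPR <= 0.10 and TPR >= 0.90."""
    return fpr <= 0.10 and tpr >= 0.90

# Constructed sample captures (not measured data): an evenly paced flow and a bursty one.
STEADY = list(range(0, 9000, 1000))                              # eight 1 ms gaps
BURSTY = [0, 1000, 3500, 4000, 7500, 8000, 11000, 11500, 14000]  # gaps of 0.5 to 3.5 ms

if __name__ == "__main__":
    for name, ts in (("steady", STEADY), ("bursty", BURSTY)):
        print(name, iat_features(ts))
    tpr, fpr = rates(["wireless", "wireless", "wired", "wired"],
                     ["wireless", "wireless", "wireless", "wired"])
    print("TPR=%.2f FPR=%.2f acceptable=%s" % (tpr, fpr, acceptable(tpr, fpr)))
```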

Page 13: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Single-flow Classification Results

Feature           Linux            Windows XP
25th percentile   Inconsistent     Not acceptable
Entropy           Not acceptable   Inconsistent

Accurate classification is difficult in single full-rate flow cases.

user: Perhaps I missed something in earlier slides, but what does Linux or Windows have to do with things here - is this the machine of the target, or the analyzer?
Page 14: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Multiple Flows Classification Results

Multiple-flow cases can show better classification results than single full-rate flow cases.

Feature           Linux        Windows XP
25th percentile   Acceptable   Not acceptable
Entropy           Acceptable   Acceptable

Page 15: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Classification: insight into how it works

Key insight: classify at the receiver using packet inter-arrival times from the sender that were not significantly changed by the cable network access protocol or by the network at the sender.

(Diagram: target device, Wi-Fi AP, cable modem, UMass server. Packet inter-arrival times before the cable network, shaped by the 802.11 or Ethernet access protocol; packet inter-arrival times after the cable network, shaped by the cable network access protocol.)

Page 16: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Discussion

Classification features showing acceptable results are different for Linux and Windows XP.
Windows' small 8 KB TCP send buffer. This is also found in other Windows versions.

Single full-rate flow vs. multiple flows.
A flow generated alongside multiple competing flows from a target would be less affected by the cable network.

See Tech. Rep. UM-CS-2013-001, Dept. of CS, UMass Amherst.

Page 17: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Conclusion

We justified the legality of our trace-gathering method based on US law.

We proposed a classifier for determining whether a target used wired or wireless access.

Through extensive experimentation, we determined the scenarios where the classifier works reliably.

Traces: traces.cs.umass.edu.

user:
- We determined legal methods of trace gathering, based on US law
- We enumerated many factors that need to be considered in a forensic setting, and their impact
- Based on the above, we developed a classifier for determining whether the target used wired or wireless
- Through extensive experimentation, we determined for which scenarios the classifier shown here will work reliably
Page 18: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Open Questions

Other hidden or unknown residential factors:
Mac OS.
802.11n, MIMO.
Modified TCP implementation.
Multiple flows across multiple sites.
Long-term traces.

Page 19: Disambiguation of Residential Wired and Wireless Access in a Forensic Setting


End

Questions or comments welcome!