PHY-based Location Distinction

Overview

We have developed a location distinction technology that allows a single access point to detect with high reliability any change in position of a WiFi device in its network.

This technology will improve security, both network security and physical security. Location distinction detects an impersonation attack, i.e., when another WiFi device uses your credentials to impersonate a legitimate device and gain access to its private information, because the access point can see that the request is coming from a device at a new location. Physical security is improved because an RTLS system can detect a change in location even when the device cannot be localized (because it is not in range of multiple access points), or can detect a change in position before the localization algorithm can say that the device's coordinate has changed.

Our technology is not a localization algorithm. Most localization algorithms require three access points to estimate location, and even then are only accurate to within 3-5 meters. Our technology does not estimate position; it detects a change in position of one meter or even less. Our technology is infrastructure-based and does not require any change in WiFi devices. We do not need an accelerometer to be added to a device. Furthermore, it is highly robust to attacks.

The method requires a minor change in the access point receiver. We call an averaged estimate of the channel impulse response the link signature. In current receivers, the data needed to form a link signature is computed but then discarded, because it does not contain information about the received data. We have developed an implementation of a WiFi access point which does not discard this information, and instead saves and uses the calculated link signature in the location distinction algorithm. This project is related to our project to build a full-bandwidth 802.11b receiver for GNU Radio.

Motivation

Two examples of the need for location distinction are as follows:

  • Active RFID tags are placed on boxes and equipment in warehouses and in factories in order to know where they are at all times, an application called real-time location services (RTLS). But localization requires (at least) triple-coverage of all parts of a building. Multipath and shadowing increase location errors for such systems. Further, signal-strength localization methods can be 'faked', which is a security issue for systems that aim to increase physical security. We could use robust detection of a change in location to provide an additional layer of security, especially if it can be done with less than triple-coverage.
  • An impersonation attack in a wireless network occurs when an attacker obtains your credentials and uses them to access your private information. Faria and Cheriton (2006) pointed out that MAC-address spoofing is a problem in WLANs. Traditional crypto methods are subject to node compromise. We could use a secure location distinction method to provide additional security against replication attacks.

Technology

Link signatures have key properties:

  1. Uniqueness: The link signature changes as a function of transmitter and receiver locations
  2. Non-measurement: Link signatures aren't readable from a place other than the transmitter or receiver location
  3. Spoof-proof: An attacker isn't able to obtain an arbitrary link signature simultaneously at multiple access points
  4. Efficiency: Detecting a change in location does not require multiple receivers or continuous transmission
  5. Infrastructure-based: Does not require any change in the user device

Our research group has been experimentally verifying these properties in real-world WiFi channels, using our testbed implementation.

Our Methods

A detailed description is given in our Mobicom 2007 paper, but the basic approach is to form from the received signal a sampled estimate of the channel impulse response. A multipath channel between transmitter i and receiver j is modeled as,

h_{i,j}(\tau) = \sum_{l=1}^L \alpha_l e^{j\phi_l} \delta(\tau-\tau_l),

where \alpha_l and \phi_l are the amplitude and phase of the lth multipath component, \tau_l is its time delay, L is the total number of multipath components, and \delta(\tau) is the Dirac delta function. Essentially, the filter impulse response is the superposition of many impulses, each one representing a single path among the multiple paths of a link. Each impulse is delayed by the path delay, and multiplied by the amplitude and phase of that path.

We denote \mathbf{h}^{(n)}_{i,j} to be the nth sampled estimate of h_{i,j}(\tau). By saving a history of these temporal link signature vectors \mathbf{h}^{(n)}_{i,j} for n=1, \ldots, N-1, we store recent values of the channel impulse response with the transmitter at location i. Then, when a new signal is measured with temporal link signature \mathbf{h}^{(N)}_{i,j}, we can quantitatively compare it with the history. This quantification, discussed in the Mobicom paper, is a distance d.

The final step of the algorithm is detection. We compare d to a threshold \gamma. When the threshold is exceeded, we declare that the new signal came from a different transmitter location. In the other case, when d < \gamma, we declare that the signal came from the same location.
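The history, distance and threshold steps above can be sketched as follows. This is an added example, not the project's code: the page defers the definition of d to the Mobicom paper, so the unit-energy magnitude signature, the normalized nearest-neighbour distance, the tap spacing, the path values for the two positions and the threshold value are all assumptions chosen for illustration.

```python
import cmath
import math
import random

TAP_NS, N_TAPS = 10, 32   # assumed tap spacing (ns) and signature length
GAMMA = 5.0               # assumed threshold; tuned in practice on detection vs. false alarm
# Constructed (amplitude, phase, delay_ns) multipath sets for two transmitter positions.
LOC_A = [(1.0, 0.3, 0), (0.6, 1.2, 50), (0.3, 2.0, 120)]
LOC_B = [(0.5, 0.1, 0), (0.9, 0.4, 90), (0.4, 2.5, 200)]

def sampled_cir(paths):
    """Sample h(tau) = sum_l alpha_l e^{j phi_l} delta(tau - tau_l) onto receiver taps."""
    h = [0j] * N_TAPS
    for alpha, phi, tau_ns in paths:
        k = round(tau_ns / TAP_NS)
        if 0 <= k < N_TAPS:
            h[k] += alpha * cmath.exp(1j * phi)
    return h

def link_signature(h):
    """Assumed form: tap magnitudes scaled to unit energy, so power changes are not 'movement'."""
    mags = [abs(x) for x in h]
    norm = math.sqrt(sum(m * m for m in mags))
    if norm == 0:
        raise ValueError("empty channel estimate")
    return [m / norm for m in mags]

def change_metric(history, new):
    """Assumed d: nearest-neighbour distance to the history over its mean pairwise distance."""
    if len(history) < 2:
        raise ValueError("need at least two stored signatures")
    pairs = [math.dist(g, h) for i, g in enumerate(history) for h in history[i + 1:]]
    sigma = sum(pairs) / len(pairs)          # normal temporal variation of this link
    nearest = min(math.dist(h, new) for h in history)
    if sigma == 0:                           # identical history entries: any change is infinite
        return 0.0 if nearest == 0 else float("inf")
    return nearest / sigma

def measure(paths, rng, jitter=0.05):
    """Constructed measurement: each path amplitude varies by up to +/-5% between packets."""
    noisy = [(a * (1 + rng.uniform(-jitter, jitter)), p, t) for a, p, t in paths]
    return link_signature(sampled_cir(noisy))

def demo(seed=1):
    """Return (d for a new packet from the same position, d for a packet from a new position)."""
    rng = random.Random(seed)
    history = [measure(LOC_A, rng) for _ in range(8)]   # h^(1) .. h^(N-1)
    return (change_metric(history, measure(LOC_A, rng)),
            change_metric(history, measure(LOC_B, rng)))
```

Dividing by the history's own spread means the same threshold can be applied to links with different amounts of normal temporal variation; a packet is flagged as coming from a different location when its d exceeds `GAMMA`.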

Related Research

Other approaches to using physical-layer measurements to identify a transmitter location:

  1. D. B. Faria and D. R. Cheriton. Radio-layer security: Detecting identity-based attacks in wireless networks using signalprints. In Proc. 5th ACM Workshop on Wireless Security (WiSe'06), pages 43-52, Sept. 2006.
  2. Z. Li, W. Xu, R. Miller, and W. Trappe. Securing wireless systems via lower layer enforcements. In Proc. 5th ACM Workshop on Wireless Security (WiSe'06), pages 33-42, Sept. 2006.

Ref [1] uses received signal strength (RSS) at multiple receivers to form a 'signalprint' of a transmitter location. Ref [2] uses multiple frequency tones to measure a channel response.

Experimentation Results

We used an extensive measurement set, which is now publicly available on our Measured CIR Data Set wiki. This campaign measured multiple channel impulse responses (CIR) for every pair-wise channel in a 44-node network, a total of more than 9300 CIR measurements.

From the results, we can see how a temporal link signature changes over time, and also when the transmitter location changes. Effectively, we can determine:

  • when a change in position causes a significantly different link signature to be measured (a Detection), and
  • when normal changes in the channel over time cause a link signature from a stationary transmitter to be falsely detected to be from a different location (a False Alarm).

The measurements allow us to quantify the probability of detection vs. the probability of false alarm, the key tradeoff in any detection algorithm.

Figures 1-3 compare the performance of the temporal link signature method with the performance of the RSS-only signalprint method of Faria and Cheriton (2006). They also compare the results when using 1, 2, or 3 receivers to measure the PHY characteristic.


Figure 1: Performance comparison of methods using one receiver.

Figure 2: Performance comparison of methods using two receivers.
Note the smaller scale on this figure compared to Figure 1.

Figure 3: Performance comparison of methods using three receivers.
Note the smaller scale on this figure compared to Figure 1.


Implementation

We demonstrate the real-time performance of the location distinction system prototype at the University of Utah. The video below shows the "change metric" at the location distinction server. Each packet transmitted by the device allows the access points to measure a new link signature. The server calculates the difference between the latest link signatures and the previously recorded link signatures. When the change metric jumps, the server decides that the WiFi device has changed position. During the demo, our team moves a WiFi device among several different positions. Immediately after each move, the system detects a large change and you see a large jump in the change metric.

This technology can be used for location-based authentication, to detect impersonation attacks. An impersonation attack is when an attacker uses a WiFi device to eavesdrop on a legitimate user's packets, determine its identity, and attempt to appear like the legitimate user to the network in order to gain access to the legitimate user's private data.

In summary, we demonstrate a system that, with high sensitivity, can detect an impersonation attack, based on a measurement of the wireless link we call a link signature. The channel impulse responses necessary for identifying the link signatures are measured using our 802.11b channel sounder developed on GNU Radio. This is joint research with Dustin Maas, Junxing Zhang, Hamed Firooz, Prof. Sneha K. Kasera and Prof. Neal Patwari. Please contact us for more information.

[Video: the change metric GUI during the demonstration.]
[Figure: a diagram of the demonstration setup.]
[Figure: one of the receivers.]
[Figure: Linksys router used as transmitter, positions marked in red.]

Contributors

Page last modified on November 08, 2008, at 11:33 PM MST