臺灣博碩士論文加值系統

硬體裝置識別是網路安全中非常重要的議題。攻擊者可能使用竊取或是假造的身分去進行非法的行為或攻擊，這使得蒐集證據變得更為困難。之前的研究中提出一個稱為遠端硬體裝置指紋的技術，利用從裝置送出的TCP封包中取出時間戳記內包含的時間訊息計算出該裝置的時間歪斜誤差(clock skew error)來做為該裝置的硬體指紋。但時間歪斜會因為硬體的特性和網路的傳輸延遲而變的不穩定，特別是對行動裝置來說這個不穩定更為的明顯。在此篇論文中我們利用統計的模型來提升行動裝置硬體指紋的準確率。並且根據這個行動裝置硬體指紋的技術提出了一個偽造身分檢測的方法。實驗的結果顯示我們提出的方法可以有效的偵測出偽造身分攻擊，並且相較於之前的研究有著更高的準確度。

Device identification is one of the most important issues to Internet security. An adversary can take illegal actions with stolen or forged identity that makes evidence collecting to be very difficult. Previous work introduces an intuitive method that identifies a device by its clock skew. Unfortunately, the clock skew of a device is instable over time in the mobile environment due to the characteristics of the hardware and the instability of network latency. In this paper we adapt a statistical method inspired by EWMA model that characterizes the tendency of clock skew changes to improve the accuracy of mobile device fingerprinting. We also propose a device identity spoofing detection scheme based on the improved mobile device fingerprinting technique. The experiment result shows that the proposed scheme effectively detects identity spoofing attacks with higher accuracy compared to prior works.

1. Introduction 1
2. Related Work 3
3. Clock Skew Based fingerprinting technique for mobile devices 5
3.1. Kohno’s remote physical device fingerprinting technique 5
3.2. Instability of Mobile Device’s Clock Skew 7
3.3. The Proposed Mobile Device Fingerprinting Technique 11
3.4. Proposed device identity spoofing detection scheme 16
4. Experiments and Results 23
4.1. Required packet number to estimate a clock skew 23
4.2. Required Profile Sample Size 24
4.3. Accuracy evaluation of the proposed device identity spoofing detection scheme 25
4.3.1. Environment and Settings 26
4.3.2. Error rate evaluation 26
5. Conclusion 29
6. References 30

[1] J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J. V. Randwyk, and D. Sicker. Passive data link layer 802.11 wireless device driver fingerprinting. In Proceedings of the 15th Usenix Security Symposium, 2006.
[2] Cherita Corbett, Raheem Beyah, and John Copeland. "A Passive Approach to Wireless NIC Identification." To appear in the Proceedings of IEEE International Conference on Communications (ICC), June 2006.
[3] T. Kohno, A. Broido, and K. C. Claffy, “Remote physical device fingerprinting,” in SP ’05: Proceedings of the 2005 IEEE Symposium on Security and Privacy, May 2005.
[4] Exponentially Weighted Moving Average Model http://en.wikipedia.org/wiki/Moving_average
[5] S.B. Moon, P. Skelly, and D. Towsley, “Estimation and Removal of Clock Skew From Network Delay Measurements,” Proc. INFOCOM Conf., 1999
[6] V. Paxson, “On Calibrating Measurements of Packet Transit Times,” Proc. SIGMETRICS Conf., 1998
[7] M.E. Dyer, “Linear Time Algorithms for Two- and Three-Variable Linear Programs,” SIAM J. Computing, vol. 13, 1984.
[8] N. Megiddo, “Linear-Time Algorithms for Linear Programming in R3 and Related Problems,” SIAM J. Computers, vol. 12, 1983.
[9] M. Martinec. Temperature dependency of a quartz oscillator. http://www.ijs.si/time/#temp-dependency.
[10] M. G. Kuhn. Personal communication.
[11] C-MAC MicroTechnology. HC49/4H SMX crystals datasheet, September 2004. http://www.cmac.com/ mt/databook/crystals/smd/hc49 4h smx.pdf.
[12] S. J. Murdoch, “Hot or not: revealing hidden services by their clock skew,” in CCS ’06: Proceedings of the 13th ACM Conference on Computer and Communications Security, 2006, pp. 27–36.
[13] R. Dingledine, N. Mathewson, and P. F. Syverson. Tor: The second-generation onion router. In Proceedings of the 13th USENIX Security Symposium, August 2004.
[14] Mbmon, A tty motherboard monitor, http://www.freshports.org/sysutils/mbmon/.
[15] Douglas C. Montgomery. Introduction to Statistical Quality Control.John Wiley and Sons, USA, July 2004.
[16] K-fold Cross-validation. http://en.wikipedia.org/wiki/Cross-validation
[17] Ming Tham. Dealing with measurment noise. http://lorien.ncl.ac.uk/ming/_lter/ _llpass.htm, accessed December 2005.
[18] Simple Least-Squares Linear Regression. http://www.tufts.edu/~gdallal/slr.htm
[19] Nmap free security scanner, http://www.insecure.org/nmap/, 2004.
[20] Project details for p0f, http://freshmeat.net/projects/p0f/, 2004.
[21] Xprobe official home, http://www.sys-security.com/index.php?page=xprobe, 2004.
[22] F. Veysset, O. Courtay, and O. Heen, “New Tool and Technique for Remote Operating System Fingerprinting,” http://www.intranode.com/fr/doc/ring-short-paper.pdf, 2002.