Link-layer device type classification on encrypted wireless traffic with COTS radios

Rajib Ranjan Maiti; Sandra Siby; Ragav Sridharan; Nils Ole Tippenhauer

doi:10.1007/978-3-319-66399-9_14

Link-layer device type classification on encrypted wireless traffic with COTS radios

Rajib Ranjan Maiti, Sandra Siby, Ragav Sridharan, Nils Ole Tippenhauer

Computer Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In this work, we design and implement a framework, PrEDeC, which enables an attacker to violate user privacy by using the encrypted link-layer radio traffic to detect device types in a targeted environment. We focus on 802.11 traffic using WPA2 as security protocol. Data is collected by passive eavesdropping using COTS radios. PrEDeC (a) extracts features using temporal properties, size of encrypted payload, type and direction of wireless traffic (b) filters features to improve overall performance (c) builds a classification model to detect different device types. While designing PrEDeC, we experimentally record the traffic of 22 IoT devices and manually classify that data into 10 classes to train three machine learning classifiers: Random Forest, Decision Tree and SVM. We analyze the performance of the classifiers on different block sizes (set of frames) and find that a block size of 30k frames with Random Forest classifier shows above 90% accuracy. Additionally, we observe that a reduced set of 49 features gives similar accuracy but better efficiency as compared to taking an entire set of extracted features. We investigate the significance of these features for classification. We further investigated the number of frames and the amount time required to eavesdrop them in different traffic scenarios.

Original language	English (US)
Title of host publication	Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings
Editors	Simon N. Foley, Dieter Gollmann, Einar Snekkenes
Publisher	Springer Verlag
Pages	247-264
Number of pages	18
ISBN (Print)	9783319663982
DOIs	https://doi.org/10.1007/978-3-319-66399-9_14
State	Published - 2017
Event	22nd European Symposium on Research in Computer Security, ESORICS 2017 - Oslo, Norway Duration: Sep 11 2017 → Sep 15 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10493 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	22nd European Symposium on Research in Computer Security, ESORICS 2017
Country/Territory	Norway
City	Oslo
Period	9/11/17 → 9/15/17

Keywords

Classification
Encrypted network traffic
Machine learning

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-319-66399-9_14

Cite this

Maiti, R. R., Siby, S., Sridharan, R., & Tippenhauer, N. O. (2017). Link-layer device type classification on encrypted wireless traffic with COTS radios. In S. N. Foley, D. Gollmann, & E. Snekkenes (Eds.), Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings (pp. 247-264). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10493 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-66399-9_14

Link-layer device type classification on encrypted wireless traffic with COTS radios. / Maiti, Rajib Ranjan; Siby, Sandra; Sridharan, Ragav et al.
Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings. ed. / Simon N. Foley; Dieter Gollmann; Einar Snekkenes. Springer Verlag, 2017. p. 247-264 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10493 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Maiti, RR, Siby, S, Sridharan, R & Tippenhauer, NO 2017, Link-layer device type classification on encrypted wireless traffic with COTS radios. in SN Foley, D Gollmann & E Snekkenes (eds), Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10493 LNCS, Springer Verlag, pp. 247-264, 22nd European Symposium on Research in Computer Security, ESORICS 2017, Oslo, Norway, 9/11/17. https://doi.org/10.1007/978-3-319-66399-9_14

Maiti RR, Siby S, Sridharan R, Tippenhauer NO. Link-layer device type classification on encrypted wireless traffic with COTS radios. In Foley SN, Gollmann D, Snekkenes E, editors, Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings. Springer Verlag. 2017. p. 247-264. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-66399-9_14

Maiti, Rajib Ranjan ; Siby, Sandra ; Sridharan, Ragav et al. / Link-layer device type classification on encrypted wireless traffic with COTS radios. Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings. editor / Simon N. Foley ; Dieter Gollmann ; Einar Snekkenes. Springer Verlag, 2017. pp. 247-264 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{756e6db9e8eb4b61a21e18b74a373691,

title = "Link-layer device type classification on encrypted wireless traffic with COTS radios",

abstract = "In this work, we design and implement a framework, PrEDeC, which enables an attacker to violate user privacy by using the encrypted link-layer radio traffic to detect device types in a targeted environment. We focus on 802.11 traffic using WPA2 as security protocol. Data is collected by passive eavesdropping using COTS radios. PrEDeC (a) extracts features using temporal properties, size of encrypted payload, type and direction of wireless traffic (b) filters features to improve overall performance (c) builds a classification model to detect different device types. While designing PrEDeC, we experimentally record the traffic of 22 IoT devices and manually classify that data into 10 classes to train three machine learning classifiers: Random Forest, Decision Tree and SVM. We analyze the performance of the classifiers on different block sizes (set of frames) and find that a block size of 30k frames with Random Forest classifier shows above 90% accuracy. Additionally, we observe that a reduced set of 49 features gives similar accuracy but better efficiency as compared to taking an entire set of extracted features. We investigate the significance of these features for classification. We further investigated the number of frames and the amount time required to eavesdrop them in different traffic scenarios.",

keywords = "Classification, Encrypted network traffic, Machine learning",

author = "Maiti, {Rajib Ranjan} and Sandra Siby and Ragav Sridharan and Tippenhauer, {Nils Ole}",

note = "Publisher Copyright: {\textcopyright} 2017, Springer International Publishing AG.; 22nd European Symposium on Research in Computer Security, ESORICS 2017 ; Conference date: 11-09-2017 Through 15-09-2017",

year = "2017",

doi = "10.1007/978-3-319-66399-9_14",

language = "English (US)",

isbn = "9783319663982",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "247--264",

editor = "Foley, {Simon N.} and Dieter Gollmann and Einar Snekkenes",

booktitle = "Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings",

}

TY - GEN

T1 - Link-layer device type classification on encrypted wireless traffic with COTS radios

AU - Maiti, Rajib Ranjan

AU - Siby, Sandra

AU - Sridharan, Ragav

AU - Tippenhauer, Nils Ole

PY - 2017

Y1 - 2017

N2 - In this work, we design and implement a framework, PrEDeC, which enables an attacker to violate user privacy by using the encrypted link-layer radio traffic to detect device types in a targeted environment. We focus on 802.11 traffic using WPA2 as security protocol. Data is collected by passive eavesdropping using COTS radios. PrEDeC (a) extracts features using temporal properties, size of encrypted payload, type and direction of wireless traffic (b) filters features to improve overall performance (c) builds a classification model to detect different device types. While designing PrEDeC, we experimentally record the traffic of 22 IoT devices and manually classify that data into 10 classes to train three machine learning classifiers: Random Forest, Decision Tree and SVM. We analyze the performance of the classifiers on different block sizes (set of frames) and find that a block size of 30k frames with Random Forest classifier shows above 90% accuracy. Additionally, we observe that a reduced set of 49 features gives similar accuracy but better efficiency as compared to taking an entire set of extracted features. We investigate the significance of these features for classification. We further investigated the number of frames and the amount time required to eavesdrop them in different traffic scenarios.

AB - In this work, we design and implement a framework, PrEDeC, which enables an attacker to violate user privacy by using the encrypted link-layer radio traffic to detect device types in a targeted environment. We focus on 802.11 traffic using WPA2 as security protocol. Data is collected by passive eavesdropping using COTS radios. PrEDeC (a) extracts features using temporal properties, size of encrypted payload, type and direction of wireless traffic (b) filters features to improve overall performance (c) builds a classification model to detect different device types. While designing PrEDeC, we experimentally record the traffic of 22 IoT devices and manually classify that data into 10 classes to train three machine learning classifiers: Random Forest, Decision Tree and SVM. We analyze the performance of the classifiers on different block sizes (set of frames) and find that a block size of 30k frames with Random Forest classifier shows above 90% accuracy. Additionally, we observe that a reduced set of 49 features gives similar accuracy but better efficiency as compared to taking an entire set of extracted features. We investigate the significance of these features for classification. We further investigated the number of frames and the amount time required to eavesdrop them in different traffic scenarios.

KW - Classification

KW - Encrypted network traffic

KW - Machine learning

UR - http://www.scopus.com/inward/record.url?scp=85029480568&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85029480568&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-66399-9_14

DO - 10.1007/978-3-319-66399-9_14

M3 - Conference contribution

AN - SCOPUS:85029480568

SN - 9783319663982

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 247

EP - 264

BT - Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings

A2 - Foley, Simon N.

A2 - Gollmann, Dieter

A2 - Snekkenes, Einar

PB - Springer Verlag

T2 - 22nd European Symposium on Research in Computer Security, ESORICS 2017

Y2 - 11 September 2017 through 15 September 2017

ER -

Link-layer device type classification on encrypted wireless traffic with COTS radios

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this