220 research outputs found

    A New MAC Address Spoofing Detection Technique Based on Random Forests

    Media access control (MAC) addresses in wireless networks can be trivially spoofed using off-the-shelf devices. The aim of this research is to detect MAC address spoofing in wireless networks using a hard-to-spoof measurement that is correlated to the location of the wireless device, namely the received signal strength (RSS). We developed a passive solution that does not require modification for standards or protocols. The solution was tested in a live test-bed (i.e., a wireless local area network with the aid of two air monitors acting as sensors) and achieved 99.77%, 93.16% and 88.38% accuracy when the attacker is 8–13 m, 4–8 m and less than 4 m away from the victim device, respectively. We implemented three previous methods on the same test-bed and found that our solution outperforms existing solutions. Our solution is based on an ensemble method known as random forests. https://doi.org/10.3390/s1603028

    Reduction of secondary lobes in joint angle and delay estimation in angle of arrival localization to detect MAC address spoofing in wireless networks

    In this paper, we solve the problem of secondary lobes that are due to noise from constructive and destructive multipath interference, which results in received signal strength (RSS) variation over time. This is to develop a very efficient localization algorithm that uses a unique fingerprint angle of arrivals (AOAs), in a specified range, with associated time delays (TDs), in the surrounded sparsity design promoting multipath parameter (i.e., RSS). We solve this problem to detect physical identity spoofing of nodes in radio wireless networks, and to localize adversaries and jammers of wireless networks. All radio waves are vulnerable to many types of attacks due to the ability to capture them and sniff or eavesdrop on them in open space. Physical identity spoofing is used to launch many types of attacks against wireless networks, such as Denial of Service (DOS), Man-In-The-Middle, Session Hijacking and eavesdropping. Eavesdropping is a human-based social engineering attack. Active adversaries are able to jam and eavesdrop simultaneously, while passive adversaries can only eavesdrop on passed signals. In TCP/IP protocol for example, Media Access Card (MAC) Address is transferred in 802.11 frames. The detection process was carried out by analyzing the electromagnetic radio waves that are used to transfer data, in the form of radio wave signals that are formed by the modulation process, which mixes the electromagnetic wave with another one of different frequency or amplitude to produce a signal with a specified pattern of frequency and amplitude. We depended on the angle of arrival of vectors and time delay across scattered areas in the surrounded space to solve the problem of co-location in detection and localization of jammers. We used Maximum Likelihood (ML) angle of arrival determination because ML approaches are known for their higher accuracy and enhanced resolution capabilities. We also assessed their computational complexity, which was considered the major drawback for designers to their implementation in practice. Our solution was tested on a jammer that changed the signal strength of the received signal at the receiver at an angle of arrival of 30 degrees. We used scatterers density to determine the angle of arrival of the sender. The simulation showed that the power of the received signal changed over the range of angles from 20 to 40 degrees. We used scatterers because they describe the density of the signal power and also enhance the signal-to-noise ratio that results from the multipath fading of the signal strength, while also overcoming the problem of secondary lobes that are due to signal propagation when determining the angle of arrival of a signal sender. Thus, we developed a new passive technique to detect MAC address spoofing based on angle of arrival localization, and assessed the computational complexity of the localization technique by relying on an angle range to estimate the angle of arrival of the adversary within it. We also reduced the number of secondary lobes, and their peaks, in the importance function while determining the angle of arrival, thereby increasing the accuracy of the angle of arrival measurement. We compared our work to other techniques and found that our technique is better than these techniques.

    Improving a wireless localization system via machine learning techniques and security protocols

    The recent advancements made in Internet of Things (IoT) devices have brought forth new opportunities for technologies and systems to be integrated into our everyday life. In this work, we investigate how edge nodes can effectively utilize 802.11 wireless beacon frames being broadcast from pre-existing access points in a building to achieve room-level localization. We explain the needed hardware and software for this system and demonstrate a proof of concept with experimental data analysis. Improvements to localization accuracy are shown via machine learning by implementing the random forest algorithm. Using this algorithm, historical data can train the model and make more informed decisions while tracking other nodes in the future. We also include multiple security protocols that can be taken to reduce the threat of both physical and digital attacks on the system. These threats include access point spoofing, side channel analysis, and packet sniffing, all of which are often overlooked in IoT devices that are rushed to market. Our research demonstrates the comprehensive combination of affordability, accuracy, and security possible in an IoT beacon frame-based localization system that has not been fully explored by the localization research community

    Empirical Techniques To Detect Rogue Wireless Devices

    Media Access Control (MAC) addresses in wireless networks can be trivially spoofed using off-the-shelf devices. We proposed a solution to detect MAC address spoofing in wireless networks using a hard-to-spoof measurement that is correlated to the location of the wireless device, namely the Received Signal Strength (RSS). We developed a passive solution that does not require modification for standards or protocols. The solution was tested in a live test-bed (i.e., a Wireless Local Area Network with the aid of two air monitors acting as sensors) and achieved 99.77%, 93.16%, and 88.38% accuracy when the attacker is 8–13 m, 4–8 m, and less than 4 m away from the victim device, respectively. We implemented three previous methods on the same test-bed and found that our solution outperforms existing solutions. Our solution is based on an ensemble method known as Random Forests. We also proposed an anomaly detection solution to deal with situations where it is impossible to cover the whole intended area. The solution is totally passive and unsupervised (using unlabeled data points) to build the profile of the legitimate device. It only requires training at one location, which is the location of the legitimate device (unlike the misuse detection solution, which trains and simulates the existence of the attacker in every possible spot in the network diameter). The solution was tested in the same test-bed and yielded about 79% overall accuracy. We built a misuse Wireless Local Area Network Intrusion Detection System (WIDS) and discovered some important fields in the WLAN MAC-layer frame to differentiate the attackers from the legitimate devices. We tested several machine learning algorithms and found some promising ones to improve the accuracy and computation time on a public dataset. The best performing algorithms that we found are Extra Trees, Random Forests, and Bagging. We then used a majority voting technique to vote on these algorithms. The Bagging classifier and our customized voting technique have good results (about 96.25% and 96.32%, respectively) when tested on all the features. We also used a data mining technique based on the Extra Trees ensemble method to find the most important features in the AWID public dataset. After selecting the 20 most important features, Extra Trees and our voting technique are the best performing classifiers in terms of accuracy (96.31% and 96.32%, respectively).

    Spoofing Attack Detection in the Physical Layer with Commutative Neural Networks

    In a spoofing attack, an attacker impersonates a legitimate user to access or tamper with data intended for or produced by the legitimate user. In wireless communication systems, these attacks may be detected by relying on features of the channel and transmitter radios. In this context, a popular approach is to exploit the dependence of the received signal strength (RSS) at multiple receivers or access points with respect to the spatial location of the transmitter. Existing schemes rely on long-term estimates, which makes it difficult to distinguish spoofing from movement of a legitimate user. This limitation is here addressed by means of a deep neural network that implicitly learns the distribution of pairs of short-term RSS vector estimates. The adopted network architecture imposes the invariance to permutations of the input (commutativity) that the decision problem exhibits. The merits of the proposed algorithm are corroborated on a data set that we collected

    Enhancement performance of random forest algorithm via one hot encoding for IoT IDS

    The random forest algorithm is one of the important supervised machine learning (ML) algorithms. In the present paper, the accuracy of the results of the random forest (RF) algorithm has been improved by the use of the One Hot Encoding method. The Intrusion Detection System (IDS) can be defined as a system that can predict security vulnerabilities within network traffic and is located out of range on a network infrastructure. It does not affect the efficiency of the built-in network because it analyzes a copy of the built-in traffic flow and reports results to the administrator by giving alerts. However, since an IDS is a listening system only, it cannot take automatic action to prevent a detected attack or security vulnerability from infecting the system; it provides information about the source address of the break-in, the address of the target and the type of suspected attack. The IoTID20 dataset, which has three targets, is used to verify the improved algorithm. The proposed system is compared with state-of-the-art approaches and shows superiority over them.


    Intrusion detection in IoT networks using machine learning

    The exponential growth of Internet of Things (IoT) infrastructure has introduced significant security challenges due to the large-scale deployment of interconnected devices. IoT devices are present in every aspect of our modern life; they are essential components of Industry 4.0, smart cities, and critical infrastructures. Therefore, the detection of attacks on this platform becomes necessary through an Intrusion Detection System (IDS). These tools are dedicated hardware devices or software that monitor a network to detect and automatically alert on the presence of malicious activity. This study aimed to assess the viability of Machine Learning Models for IDS within IoT infrastructures. Five classifiers, encompassing a spectrum from linear models like Logistic Regression, Decision Trees from Trees Algorithms, Gaussian Naïve Bayes from Probabilistic models, Random Forest from the ensemble family and Multi-Layer Perceptron from Artificial Neural Networks, were analysed. These models were trained using supervised methods on a public IoT attacks dataset, with three tasks ranging from binary classification (determining if a sample was part of an attack) to multiclassification of 8 groups of attack categories and the multiclassification of 33 individual attacks. Various metrics were considered, from performance to execution times, and all models were trained and tuned using cross-validation of 10 k-folds. On the three classification tasks, Random Forest was found to be the model with the best performance, at the expense of time consumption. Gaussian Naïve Bayes was the fastest algorithm in all classification tasks, but with a lower performance detecting attacks, whereas Decision Trees show a good balance between performance and processing speed. Classifying among 8 attack categories, most models showed vulnerabilities to specific attack types, especially those in minority classes due to dataset imbalances. In the more granular classification of 33 attack types, all models generally faced challenges, but Random Forest remained the most reliable, despite vulnerabilities. In conclusion, Machine Learning algorithms prove to be effective for IDS in IoT infrastructure, with the Random Forest model being the most robust, but with Decision Trees offering a good balance between speed and performance. Sustainable Development Goals::9 - Industry, Innovation and Infrastructure