UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science

Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Sookhyun Yang, Jim Kurose, Brian Neil Levine
University of Massachusetts Amherst
[email protected]

This research is supported by NSF awards CNS-0905349 and CNS-1040781.

Dec 11, 2015

Transcript
Page 1:

UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science

Disambiguation of Residential Wired and Wireless Access in a Forensic Setting

Sookhyun Yang, Jim Kurose, Brian Neil Levine
University of Massachusetts Amherst

[email protected]

This research is supported by NSF awards CNS-0905349 and CNS-1040781.

Page 2:

Outline

Introduction
Problem Statement
Experimental Methodology
Classification Results
Conclusion

Page 3:

Illegal content distributed P2P from known location

Figure: a P2P network of peers, an illegal content distributor (e.g., CP) behind a wireless router, and law enforcement. Step 1: public IP address. Step 2: known sender location. The open question at the wireless router is "wired or wireless access?"; the resident's reply is "Someone used my open Wi-Fi!"

Challenge: "Can we legally determine that a suspect used wired access, thus making the resident user more likely to be a responsible party?"

Page 4:

Can We Intercept Data at Intermediate Nodes?

No, law enforcement cannot legally take traces at intermediate nodes without a warrant or wiretap.

Figure: the illegal content distributor behind a wireless router, peers, an intermediate router, and law enforcement; data interception via a sniffer at the intermediate router is shown.

Reasonable expectation of privacy (REP) for the sources of data.

The Wiretap Act and the Pen Register statute.

Page 5:

Can We Intercept Data as a Peer?

Yes, measurements taken at a peer, before a warrant, are legal!

Figure: P2P network with the illegal content distributor behind a wireless router and law enforcement participating as a peer.

Users of P2P file sharing networks have no "reasonable expectation of privacy".

Software designed for law enforcement to monitor P2P activity does not violate US 4th amendment protections.

Page 6:

Outline

Introduction
Problem Statement
Experimental Methodology
Classification Results
Conclusion

Page 7:

Our Problem Setting

Figure: target behind a Wi-Fi AP or Ethernet, cable modem, cable network, P2P Internet, and a law enforcement peer. The question at the target's access link is "Wired access?"; hidden residential factors are marked with "?".

Challenge: can we classify the access network type of the target sender using remotely measured P2P traces?

Challenges in this forensic setting: hidden and unknown residential factors can affect classification results.

Page 8:

Our Contribution

Investigate performance of several wired-vs-wireless classification algorithms in various home network scenarios.

Observe how several scenario factors affect classifier performance:
Single flow vs. multiple flows from a target.
Operating systems.
P2P application rate limit.
Wireless channel contention.

Explain when, why and how the classifier works reliably or poorly.

See Tech. Rep. UM-CS-2013-001, Dept. of CS, UMass Amherst.

user
"We observe how several commonly-found factors..."
user
Main thing missing here - what classifier do you use? In this slide it seems that this classifier is given to you. Did you just analyze performance of an existing classifier, or develop one as well?
Page 9:

Outline

Introduction
Problem Statement
Experimental Methodology
Classification Results
Conclusion

Page 10:

Diversely Emulated P2P Traces in Controlled Settings

Figure: a target device in a house near UMass, connected by 802.11g or 1 Gbps Ethernet to a Wi-Fi AP (less than 1 m away, the worst case) and a cable modem; a wired sniffer sits beside the target; traces are collected remotely at a UMass server and a Purdue server across the Internet.

Target device: single full-rate TCP flow; Linux vs. Windows XP.
Remotely collecting pairs of wired and wireless datasets.
Cable network effect (different times and houses).
Host-side vs. cable network.
Multiple TCP flows.

Wired sniffer: we take measurements here to help us explain/understand classification, but do NOT use them in classification.

Page 11:

Outline

Introduction
Problem Statement
Experimental Methodology
Classification Results
Conclusion

Page 12:

Classification Procedure

Classification features: 25th, 50th and 75th percentiles, and entropy, of the packet inter-arrival time distribution of each dataset.

We train and cross-validate decision tree, logistic regression, SVM, and EM classifiers.

Classification performance metrics: TPR (True Positive Rate) and FPR (False Positive Rate). FPR ≤ 0.10 and TPR ≥ 0.90 are acceptable classification results.
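As an added example (not part of the slides or the authors' code), the feature extraction and acceptance criterion from this slide applied to constructed packet-arrival timestamps; the histogram bin width for the entropy and the choice of "wired" as the positive class are assumptions, since the slides do not state them.

```python
import math

# Constructed sample timestamps (seconds) of packets as a remote peer might
# record them. Not taken from the authors' traces; illustrative only.
WIRED_ARRIVALS = [0.000, 0.012, 0.024, 0.036, 0.048, 0.060, 0.072, 0.084, 0.096, 0.108]
WIRELESS_ARRIVALS = [0.000, 0.003, 0.030, 0.031, 0.060, 0.075, 0.076, 0.120, 0.122, 0.160]

def inter_arrival_times(arrivals):
    """Differences between consecutive packet timestamps."""
    return [later - earlier for earlier, later in zip(arrivals, arrivals[1:])]

def percentile(values, p):
    """Nearest-rank p-th percentile (0 < p <= 100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

def entropy_bits(values, bin_width):
    """Shannon entropy (bits) of values histogrammed into bins of bin_width.
    The bin width is an assumption; the slides do not state one."""
    counts = {}
    for v in values:
        b = round(v / bin_width)  # nearest bin avoids float floor surprises
        counts[b] = counts.get(b, 0) + 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def features(arrivals, bin_width=0.005):
    """The four features named on the slide, computed for one trace."""
    iat = inter_arrival_times(arrivals)
    return {
        "p25": percentile(iat, 25),
        "p50": percentile(iat, 50),
        "p75": percentile(iat, 75),
        "entropy": entropy_bits(iat, bin_width),
    }

def rates(predicted, actual, positive="wired"):
    """TPR and FPR of predicted labels against ground truth.
    Treating wired as the positive class is an assumption."""
    pairs = list(zip(predicted, actual))
    tp = sum(1 for p, a in pairs if p == positive and a == positive)
    fn = sum(1 for p, a in pairs if p != positive and a == positive)
    fp = sum(1 for p, a in pairs if p == positive and a != positive)
    tn = sum(1 for p, a in pairs if p != positive and a != positive)
    return tp / (tp + fn), fp / (fp + tn)

def acceptable(tpr, fpr):
    """Slide's acceptance criterion: FPR <= 0.10 and TPR >= 0.90."""
    return fpr <= 0.10 and tpr >= 0.90
```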

Page 13:

Single-flow Classification Results

Feature           Linux            Windows XP
25th percentile   Inconsistent     Not acceptable
Entropy           Not acceptable   Inconsistent

Accurate classification is difficult in single full-rate flow cases.

user
Perhaps I missed something in earlier slides, but what does Linux or Windows have to do with things here - is this the machine of the target, or the analyzer?
Page 14:

Multiple Flows Classification Results

Multiple-flow cases can show better classification results than single full-rate flow cases.

Feature           Linux            Windows XP
25th percentile   Acceptable       Not acceptable
Entropy           Acceptable       Acceptable

Page 15:

Classification: insight into how it works

Key insight: classify at the receiver using the packet inter-arrival times produced at the sender, which are not significantly changed by the cable network access protocol or by the network at the sender.

Figure: target device, Wi-Fi AP, cable modem, UMass server. Packet inter-arrival times before the cable network are shaped by the 802.11 or Ethernet access protocol; packet inter-arrival times after the cable network, shaped by the cable network access protocol, are what the server observes.

Page 16:

Discussion

Classification features showing acceptable results are different for Linux and Windows XP.
Windows' small 8 KB TCP send buffer; this is also found in other Windows versions.

Single full-rate flow vs. multiple flows.
A flow generated together with multiple competing flows from a target would be less affected by the cable network.

See Tech. Rep. UM-CS-2013-001, Dept. of CS, UMass Amherst.

Page 17:

Conclusion

We justified our trace-gathering method's legality based on US law.

We proposed a classifier for determining whether a target used wired or wireless access.

Through extensive experimentation, we determined the scenarios in which the classifier works reliably.

Traces: traces.cs.umass.edu.

user
- We determined legal methods of trace gathering, based on US law
- We enumerated many factors that need to be considered in a forensic setting, and their impact
- Based on the above, we developed a classifier for determining whether the target used wired or wireless
- Through extensive experimentation, we determined for which scenarios the classifier shown here will work reliably
Page 18:

Open Questions

Other hidden or unknown residential factors: Mac OS; 802.11n, MIMO; modified TCP implementation; multiple flows across multiple sites.

Long-term traces.

Page 19:

End

Questions or comments welcome!