Maryna Veksler, David Langus Rodríguez, Ahmet Aris, Kemal Akkaya, A. Selcuk Uluagac
LoFin: LoRa-based UAV Fingerprinting Framework Conference Paper
In the Proceedings of the 41st IEEE Military Communications Conference (MILCOM), 2022.
Abstract | Links | BibTeX | Tags: Fingerprinting, Network Security, UAV Security
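% Review note: the abstract is cut off mid-sentence in this export ("Passively collecting"); restore the full text from the publisher record.
% Review note: date and urldate are both 2022-01-01 and look auto-filled; confirm before relying on day precision or on urldate as an access date.
% Review note: "David Langus Rodríguez" is left in First-Last form, so BibTeX takes only "Rodríguez" as the surname; switch to comma form if the surname is compound (confirm with the author).
@inproceedings{10017584,
  title     = {{LoFin}: {LoRa}-based {UAV} Fingerprinting Framework},
  author    = {Veksler, Maryna and David Langus Rodríguez and Aris, Ahmet and Akkaya, Kemal and Uluagac, A. Selcuk},
  url       = {https://ieeexplore.ieee.org/abstract/document/10017584/},
  year      = {2022},
  date      = {2022-01-01},
  urldate   = {2022-01-01},
  booktitle = {Proceedings of the 41st {IEEE} Military Communications Conference ({MILCOM})},
  abstract  = {The emerging proliferation of unmanned aerial vehicles (UAV) combined with their autonomous capabilities established the solid incorporation of UAVs for military applications. However, seamless deployment of drones into the adversarial environment and on the battlefield requires a robust and secure network stack, protected from adversarial intrusion. As LoRa became a low-cost solution for the long-distance control channel, it solved the challenge of long-range connectivity and prolonged lifespan present in UAV applications. However, the existing implementations lack protection mechanisms against unauthorized access. In this paper, we present LoFin, the first fingerprinting framework used to identify telemetry transceivers that communicate over the LoRa channel. LoFin exploits information leaked due to the differences in hardware structure, which results in processing time variations. Passively collecting},
  keywords  = {Fingerprinting, Network Security, UAV Security},
  pubstate  = {published},
  tppubtype = {conference}
}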
Hidayet Aksu, A Selcuk Uluagac, Elizabeth S Bentley
Identification of wearable devices with bluetooth Journal Article
IEEE Transactions on Sustainable Computing Journal, 2018.
Abstract | Links | BibTeX | Tags: Fingerprinting, IoT Security
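% Review note: date and urldate are both 2018-01-01 and look auto-filled; confirm before relying on day precision or on urldate as an access date.
% Review note: volume, number, pages and DOI are not recorded here; add them from the publisher record.
@article{AksuIdentificationIEEE,
  title     = {Identification of Wearable Devices with {Bluetooth}},
  author    = {Aksu, Hidayet and Uluagac, A. Selcuk and Bentley, Elizabeth S.},
  url       = {https://ieeexplore.ieee.org/document/8299447},
  year      = {2018},
  date      = {2018-01-01},
  urldate   = {2018-01-01},
  journal   = {{IEEE} Transactions on Sustainable Computing},
  publisher = {IEEE},
  abstract  = {With wearable devices such as smartwatches on the rise in the consumer electronics market, securing these wearables is vital. However, the current security mechanisms only focus on validating the user not the device itself. Indeed, wearables can be (1) unauthorized wearable devices with correct credentials accessing valuable systems and networks, (2) passive insiders or outsider wearable devices, or (3) information-leaking wearables devices. Fingerprinting via machine learning can provide necessary cyber threat intelligence to address all these cyber attacks. In this work, we introduce a wearable fingerprinting technique focusing on Bluetooth classic protocol, which is a common protocol used by the wearables and other IoT devices. Specifically, we propose a non-intrusive wearable device identification framework which utilizes 20 different Machine Learning (ML) algorithms in the training phase of the classification process and selects the best performing algorithm for the testing phase. Furthermore, we evaluate the performance of proposed wearable fingerprinting technique on real wearable devices, including various off-the-shelf smartwatches. Our evaluation demonstrates the feasibility of the proposed technique to provide reliable cyber threat intelligence. Specifically, our detailed accuracy results show on average 98.5 percent, 98.3 percent precision and recall for identifying wearables using the Bluetooth classic protocol.},
  keywords  = {Fingerprinting, IoT Security},
  pubstate  = {published},
  tppubtype = {article}
}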
Leonardo Babun, Hidayet Aksu, A. Selcuk Uluagac
Detection of counterfeit and compromised devices using system and function call tracing techniques Patent
US Patent, 2017.
Abstract | Links | BibTeX | Tags: Fingerprinting, Smart-grid Security
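% Review note: no patent number is recorded; biblatex's @patent expects a `number` field, so add it from the patent record.
% Review note: the citation key says 2018 while year/date say 2017; confirm which date (filing or grant) is intended. urldate mirrors date and looks auto-filled.
@patent{Babun2018SyscallTraceb,
  title        = {Detection of Counterfeit and Compromised Devices Using System and Function Call Tracing Techniques},
  author       = {Babun, Leonardo and Aksu, Hidayet and Uluagac, A. Selcuk},
  url          = {https://www.osti.gov/biblio/1463864},
  year         = {2017},
  date         = {2017-07-17},
  urldate      = {2017-07-17},
  abstract     = {Frameworks, methods, and systems for securing a smart grid are provided. A framework can include data collection, call tracing techniques, and preparing call lists to detect counterfeit or compromised devices. The call tracing techniques can include call tracing and compiling all system and function calls over a time interval. The framework can further include data processing, in which a genuine device is identified and compared to unknown devices. A first statistical correlation can be used for resource-rich systems, and a second statistical correlation can be used for resource-limited systems. Threats of information leakage, measurement poisoning and store-and-send-later can be considered.},
  type         = {patentus},
  howpublished = {US Patent},
  keywords     = {Fingerprinting, Smart-grid Security},
  pubstate     = {published},
  tppubtype    = {patent}
}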
Juan Lopez, Leonardo Babun, Hidayet Aksu, A Selcuk Uluagac
A Survey on Function and System Call Hooking Approaches Journal Article
Journal of Hardware and Systems Security, 2017.
Abstract | Links | BibTeX | Tags: Fingerprinting
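% Review note: the doi field is taken from the Springer URL already present in this entry.
% Review note: date and urldate are both 2017-01-01 and look auto-filled; confirm before relying on day precision or on urldate as an access date.
@article{LopezSurveySpringer,
  title     = {A Survey on Function and System Call Hooking Approaches},
  author    = {Lopez, Juan and Babun, Leonardo and Aksu, Hidayet and Uluagac, A. Selcuk},
  url       = {https://link.springer.com/article/10.1007/s41635-017-0013-2},
  doi       = {10.1007/s41635-017-0013-2},
  year      = {2017},
  date      = {2017-01-01},
  urldate   = {2017-01-01},
  journal   = {Journal of Hardware and Systems Security},
  publisher = {Springer},
  abstract  = {Functions and system calls are effective indicators of the behavior of a process. These subroutines are useful for identifying unauthorized behavior caused by malware or for developing a better understanding of the lower-level operations of an application. Code obfuscation, however, often prevents user monitoring and modification of subroutine calls. Subroutine hooking offers a solution to this limitation. Function and system call hooking approaches allow for subroutine instrumentation, making hooking a valuable and versatile skill across industry and academia. In this survey, we present several criteria for the classification and selection of hooking tools and techniques as well as an examination of the major hooking approaches used on Windows, Linux, macOS, iOS, and Android operating systems. We also evaluate and compare the performance of different subroutine hooking tools and techniques based on computing resource utilization such as CPU time, memory, and wall-clock time. To the best of our knowledge, this is the first paper that encompasses both system call and function hooking techniques and tools across the major desktop and mobile operating systems.},
  keywords  = {Fingerprinting},
  pubstate  = {published},
  tppubtype = {article}
}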
Leonardo Babun, Hidayet Aksu, A. Selcuk Uluagac
Identifying counterfeit smart grid devices: A lightweight system level framework Conference Paper
In the Proceedings of the IEEE International Conference on Communications (ICC), 2017.
Abstract | Links | BibTeX | Tags: Fingerprinting, Smart Home Security
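% Review note: this paper is about counterfeit smart grid devices, yet it is tagged "Smart Home Security"; the related patent entry on this page uses "Smart-grid Security" -- confirm which tag is intended.
% Review note: date and urldate are both 2017-01-01 and look auto-filled; confirm before relying on day precision or on urldate as an access date.
@inproceedings{BabunIdentifyingIEEEICC,
  title     = {Identifying Counterfeit Smart Grid Devices: A Lightweight System Level Framework},
  author    = {Babun, Leonardo and Aksu, Hidayet and Uluagac, A. Selcuk},
  url       = {https://ieeexplore.ieee.org/document/7996877},
  year      = {2017},
  date      = {2017-01-01},
  urldate   = {2017-01-01},
  booktitle = {Proceedings of the {IEEE} International Conference on Communications ({ICC})},
  abstract  = {The use of counterfeit smart grid devices throughout the smart grid communication infrastructure represents a real problem. Hence, monitoring and early detection of counterfeit smart grid devices is critical for protecting smart grid's components and data. To address these concerns, in this paper, we introduce a novel system level approach to identify counterfeit smart grid devices. Specifically, our approach is a configurable framework that combines system and function call tracing techniques and statistical analysis to detect counterfeit smart grid devices based on their behavioural characteristics. Moreover, we measure the efficacy of our framework with a realistic testbed that includes both resource-limited and resource-rich counterfeit devices. In total, we analyze six different counterfeit devices in our testbed. The devices communicate via an open source version of the IEC61850 protocol suite (i.e., libiec61850). Experimental results reveal an excellent rate on the detection of smart grid counterfeit devices. Finally, the performance analysis demonstrates that the use of the proposed framework has minimal overhead on the smart grid devices' computing resources.},
  keywords  = {Fingerprinting, Smart Home Security},
  pubstate  = {published},
  tppubtype = {conference}
}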
Leonardo Babun, Hidayet Aksu, A. Selcuk Uluagac
A framework for counterfeit smart grid device detection Conference Paper
In the Proceedings of the IEEE Conference on Communications and Network Security (CNS), 2016.
Abstract | Links | BibTeX | Tags: CPS Security, Fingerprinting
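% Review note: the abstract describes this item as a poster ("in this poster"); record that in a note field if the bibliography should distinguish posters from full papers.
% Review note: date and urldate are both 2016-01-01 and look auto-filled; confirm before relying on day precision or on urldate as an access date.
@inproceedings{BabunSmartGridIEEECNS,
  title     = {A Framework for Counterfeit Smart Grid Device Detection},
  author    = {Babun, Leonardo and Aksu, Hidayet and Uluagac, A. Selcuk},
  url       = {https://ieeexplore.ieee.org/document/7860522},
  year      = {2016},
  date      = {2016-01-01},
  urldate   = {2016-01-01},
  booktitle = {Proceedings of the {IEEE} Conference on Communications and Network Security ({CNS})},
  abstract  = {The core vision of the smart grid concept is the realization of reliable two-way communications between smart devices (e.g., IEDs, PLCs, PMUs). The benefits of the smart grid also come with tremendous security risks and new challenges in protecting the smart grid systems from cyber threats. Particularly, the use of untrusted counterfeit smart grid devices represents a real problem. Consequences of propagating false or malicious data, as well as stealing valuable user or smart grid state information from counterfeit devices are costly. Hence, early detection of counterfeit devices is critical for protecting smart grid's components and users. To address these concerns, in this poster, we introduce our initial design of a configurable framework that utilize system call tracing, library interposition, and statistical techniques for monitoring and detection of counterfeit smart grid devices. In our framework, we consider realistic counterfeit device scenarios with different smart grid devices and adversarial settings. Our initial results on a realistic testbed utilizing actual smart-grid GOOSE messages with IEC-61850 communication protocol are very promising. Our framework is showing excellent rates on detection of smart grid counterfeit devices from impostors.},
  keywords  = {CPS Security, Fingerprinting},
  pubstate  = {published},
  tppubtype = {conference}
}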
Sakthi Vignesh Radhakrishnan, A. Selcuk Uluagac, Raheem Beyah
GTID: A Technique for Physical Device and Device Type Fingerprinting Journal Article
IEEE Transactions on Dependable and Secure Computing Journal, 2015.
Abstract | Links | BibTeX | Tags: Fingerprinting, Network Security
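% Review note: date and urldate are both 2015-01-01 and look auto-filled; confirm before relying on day precision or on urldate as an access date.
% Review note: volume, number, pages and DOI are not recorded here; add them from the publisher record.
@article{RadhakrishnanGTIDIEEE,
  title     = {{GTID}: A Technique for Physical Device and Device Type Fingerprinting},
  author    = {Radhakrishnan, Sakthi Vignesh and Uluagac, A. Selcuk and Beyah, Raheem},
  url       = {https://ieeexplore.ieee.org/document/6951398},
  year      = {2015},
  date      = {2015-01-01},
  urldate   = {2015-01-01},
  journal   = {{IEEE} Transactions on Dependable and Secure Computing},
  abstract  = {In this paper, we introduce GTID, a technique that can actively and passively fingerprint wireless devices and their types using wire-side observations in a local network. GTID exploits information that is leaked as a result of heterogeneity in devices, which is a function of different device hardware compositions and variations in devices' clock skew. We apply statistical techniques on network traffic to create unique, reproducible device and device type signatures, and use artificial neural networks (ANNs) for classification. We demonstrate the efficacy of our technique on both an isolated testbed and a live campus network (during peak hours) using a corpus of 37 devices representing a wide range of device classes (e.g., iPads, iPhones, Google Phones, etc.) and traffic types (e.g., Skype, SCP, ICMP, etc.). Our experiments provided more than 300 GB of traffic captures which we used for ANN training and performance.},
  keywords  = {Fingerprinting, Network Security},
  pubstate  = {published},
  tppubtype = {article}
}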
A. Selcuk Uluagac, Sakthi V. Radhakrishnan, Cherita Corbett, Antony Baca, Raheem Beyah
A passive technique for fingerprinting wireless devices with Wired-side Observations Conference Paper
In the Proceedings of the IEEE Conference on Communications and Network Security (CNS), 2013.
Abstract | Links | BibTeX | Tags: Fingerprinting, Wireless Security
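% Review note: date and urldate are both 2013-01-01 and look auto-filled; confirm before relying on day precision or on urldate as an access date.
@inproceedings{UluagacFingerprintingIEEE2013,
  title     = {A Passive Technique for Fingerprinting Wireless Devices with Wired-side Observations},
  author    = {Uluagac, A. Selcuk and Radhakrishnan, Sakthi V. and Corbett, Cherita and Baca, Antony and Beyah, Raheem},
  url       = {https://ieeexplore.ieee.org/abstract/document/6682720/},
  year      = {2013},
  date      = {2013-01-01},
  urldate   = {2013-01-01},
  booktitle = {Proceedings of the {IEEE} Conference on Communications and Network Security ({CNS})},
  abstract  = {In this paper, we introduce GTID, a technique that passively fingerprints wireless devices and their types from the wired backbone. GTID exploits the heterogeneity of devices, which is a function of different device hardware compositions and variations in devices' clock skew. We use statistical techniques to create unique, reproducible device and device type signatures that represent time variant behavior in network traffic and use artificial neural networks (ANNs) to classify devices and device types. We demonstrate the efficacy of our technique on both an isolated testbed and a live campus network (during peak hours) using a corpus of 27 devices representing a wide range of device classes. We collected more than 100 GB of traffic captures for ANN training and classification. We assert that for any fingerprinting technique to be practical, it must be able to detect previously unseen devices (i.e., devices for which no stored signature is available) and must be able to withstand various attacks. GTID is the first fingerprinting technique to detect previously unseen devices and to illustrate its resilience under various attacker models. We measure the performance of GTID by considering accuracy, recall, and processing time and illustrate how it can be used to complement existing authentication systems and to detect counterfeit devices.},
  keywords  = {Fingerprinting, Wireless Security},
  pubstate  = {published},
  tppubtype = {conference}
}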
Citations: 8413
h-index: 44
i10-index: 107