-
Weak-Jamming Detection in IEEE 802.11 Networks: Techniques, Scenarios and Mobility
Authors:
Martijn Hanegraaf,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
State-of-the-art solutions detect jamming attacks ex-post, i.e., only when jamming has already disrupted the wireless communication link. In many scenarios, e.g., mobile networks or static deployments distributed over a large geographical area, it is often desired to detect jamming at the early stage, when it affects the communication link enough to be detected but not sufficiently to disrupt it (…
▽ More
State-of-the-art solutions detect jamming attacks ex-post, i.e., only when jamming has already disrupted the wireless communication link. In many scenarios, e.g., mobile networks or static deployments distributed over a large geographical area, it is often desired to detect jamming at the early stage, when it affects the communication link enough to be detected but not sufficiently to disrupt it (detection of weak jamming signals). Under such assumptions, devices can enhance situational awareness and promptly apply mitigation, e.g., moving away from the jammed area in mobile scenarios or changing communication frequency in static deployments, before jamming fully disrupts the communication link. Although some contributions recently demonstrated the feasibility of detecting low-power and weak jamming signals, they make simplistic assumptions far from real-world deployments. Given the current state of the art, no evidence exists that detection of weak jamming can be considered with real-world communication technologies. In this paper, we provide and comprehensively analyze new general-purpose strategies for detecting weak jamming signals, compatible by design with one of the most relevant communication technologies used by commercial-off-the-shelf devices, i.e., IEEE 802.11. We describe two operational modes: (i) binary classification via Convolutional Neural Networks and (ii) one-class classification via Sparse Autoencoders. We evaluate and compare the proposed approaches with the current state-of-the-art using data collected through an extensive real-world experimental campaign in three relevant environments. At the same time, we made the dataset available to the public. Our results demonstrate that detecting weak jamming signals is feasible in all considered real-world environments, and we provide an in-depth analysis considering different techniques, scenarios, and mobility patterns.
△ Less
Submitted 26 May, 2025;
originally announced May 2025.
-
LLMs Have Rhythm: Fingerprinting Large Language Models Using Inter-Token Times and Network Traffic Analysis
Authors:
Saeif Alhazbi,
Ahmed Mohamed Hussain,
Gabriele Oligeri,
Panos Papadimitratos
Abstract:
As Large Language Models (LLMs) become increasingly integrated into many technological ecosystems across various domains and industries, identifying which model is deployed or being interacted with is critical for the security and trustworthiness of the systems. Current verification methods typically rely on analyzing the generated output to determine the source model. However, these techniques ar…
▽ More
As Large Language Models (LLMs) become increasingly integrated into many technological ecosystems across various domains and industries, identifying which model is deployed or being interacted with is critical for the security and trustworthiness of the systems. Current verification methods typically rely on analyzing the generated output to determine the source model. However, these techniques are susceptible to adversarial attacks, operate in a post-hoc manner, and may require access to the model weights to inject a verifiable fingerprint. In this paper, we propose a novel passive and non-invasive fingerprinting technique that operates in real-time and remains effective even under encrypted network traffic conditions. Our method leverages the intrinsic autoregressive generation nature of language models, which generate text one token at a time based on all previously generated tokens, creating a unique temporal pattern like a rhythm or heartbeat that persists even when the output is streamed over a network. We find that measuring the Inter-Token Times (ITTs)-time intervals between consecutive tokens-can identify different language models with high accuracy. We develop a Deep Learning (DL) pipeline to capture these timing patterns using network traffic analysis and evaluate it on 16 Small Language Models (SLMs) and 10 proprietary LLMs across different deployment scenarios, including local host machine (GPU/CPU), Local Area Network (LAN), Remote Network, and Virtual Private Network (VPN). The experimental results confirm that our proposed technique is effective and maintains high accuracy even when tested in different network conditions. This work opens a new avenue for model identification in real-world scenarios and contributes to more secure and trustworthy language model deployment.
△ Less
Submitted 27 February, 2025;
originally announced February 2025.
-
Cyber Spectrum Intelligence: Security Applications, Challenges and Road Ahead
Authors:
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
Cyber Spectrum Intelligence (SpecInt) is emerging as a concept that extends beyond basic {\em spectrum sensing} and {\em signal intelligence} to encompass a broader set of capabilities and technologies aimed at monitoring the use of the radio spectrum and extracting information. SpecInt merges traditional spectrum sensing techniques with Artificial Intelligence (AI) and parallel processing to enha…
▽ More
Cyber Spectrum Intelligence (SpecInt) is emerging as a concept that extends beyond basic {\em spectrum sensing} and {\em signal intelligence} to encompass a broader set of capabilities and technologies aimed at monitoring the use of the radio spectrum and extracting information. SpecInt merges traditional spectrum sensing techniques with Artificial Intelligence (AI) and parallel processing to enhance the ability to extract and correlate simultaneous events occurring on various frequencies, allowing for a new wave of intelligence applications.
This paper provides an overview of the emerging SpecInt research area, characterizing the system architecture and the most relevant applications for cyber-physical security. We identify five subcategories of spectrum intelligence for cyber-physical security, encompassing Device Intelligence, Channel Intelligence, Location Intelligence, Communication Intelligence, and Ambient Intelligence. We also provide preliminary results based on an experimental testbed showing the viability, feasibility, and potential of this emerging application area. Finally, we point out current research challenges and future directions paving the way for further research in this domain.
△ Less
Submitted 7 January, 2025;
originally announced January 2025.
-
Detection of Aerial Spoofing Attacks to LEO Satellite Systems via Deep Learning
Authors:
Jos Wigchert,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
Detecting spoofing attacks to Low-Earth-Orbit (LEO) satellite systems is a cornerstone to assessing the authenticity of the received information and guaranteeing robust service delivery in several application domains. The solutions available today for spoofing detection either rely on additional communication systems, receivers, and antennas, or require mobile deployments. Detection systems workin…
▽ More
Detecting spoofing attacks to Low-Earth-Orbit (LEO) satellite systems is a cornerstone to assessing the authenticity of the received information and guaranteeing robust service delivery in several application domains. The solutions available today for spoofing detection either rely on additional communication systems, receivers, and antennas, or require mobile deployments. Detection systems working at the Physical (PHY) layer of the satellite communication link also require time-consuming and energy-hungry training processes on all satellites of the constellation, and rely on the availability of spoofed data, which are often challenging to collect. Moreover, none of such contributions investigate the feasibility of aerial spoofing attacks launched via drones operating at various altitudes. In this paper, we propose a new spoofing detection technique for LEO satellite constellation systems, applying anomaly detection on the received PHY signal via autoencoders. We validate our solution through an extensive measurement campaign involving the deployment of an actual spoofer (Software-Defined Radio) installed on a drone and injecting rogue IRIDIUM messages while flying at different altitudes with various movement patterns. Our results demonstrate that the proposed technique can reliably detect LEO spoofing attacks launched at different altitudes, while state-of-the-art competing approaches simply fail. We also release the collected data as open source, fostering further research on satellite security.
△ Less
Submitted 22 May, 2025; v1 submitted 20 December, 2024;
originally announced December 2024.
-
HidePrint: Hiding the Radio Fingerprint via Random Noise
Authors:
Gabriele Oligeri,
Savio Sciancalepore
Abstract:
Radio Frequency Fingerprinting (RFF) techniques allow a receiver to authenticate a transmitter by analyzing the physical layer of the radio spectrum. Although the vast majority of scientific contributions focus on improving the performance of RFF considering different parameters and scenarios, in this work, we consider RFF as an attack vector to identify and track a target device.
We propose, im…
▽ More
Radio Frequency Fingerprinting (RFF) techniques allow a receiver to authenticate a transmitter by analyzing the physical layer of the radio spectrum. Although the vast majority of scientific contributions focus on improving the performance of RFF considering different parameters and scenarios, in this work, we consider RFF as an attack vector to identify and track a target device.
We propose, implement, and evaluate HidePrint, a solution to prevent tracking through RFF without affecting the quality of the communication link between the transmitter and the receiver. HidePrint hides the transmitter's fingerprint against an illegitimate eavesdropper by injecting controlled noise in the transmitted signal. We evaluate our solution against state-of-the-art image-based RFF techniques considering different adversarial models, different communication links (wired and wireless), and different configurations. Our results show that the injection of a Gaussian noise pattern with a standard deviation of (at least) 0.02 prevents device fingerprinting in all the considered scenarios, thus making the performance of the identification process indistinguishable from the random guess while affecting the Signal-to-Noise Ratio (SNR) of the received signal by only 0.1 dB. Moreover, we introduce selective radio fingerprint disclosure, a new technique that allows the transmitter to disclose the radio fingerprint to only a subset of intended receivers. This technique allows the transmitter to regain anonymity, thus preventing identification and tracking while allowing authorized receivers to authenticate the transmitter without affecting the quality of the transmitted signal.
△ Less
Submitted 10 November, 2024;
originally announced November 2024.
-
On the Reliability of Radio Frequency Fingerprinting
Authors:
Muhammad Irfan,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
Radio Frequency Fingerprinting (RFF) offers a unique method for identifying devices at the physical (PHY) layer based on their RF emissions due to intrinsic hardware differences. Nevertheless, RFF techniques depend on the ability to extract information from the PHY layer of the radio spectrum by resorting to Software Defined Radios (SDR). Previous works have highlighted the so-called ``Day-After-T…
▽ More
Radio Frequency Fingerprinting (RFF) offers a unique method for identifying devices at the physical (PHY) layer based on their RF emissions due to intrinsic hardware differences. Nevertheless, RFF techniques depend on the ability to extract information from the PHY layer of the radio spectrum by resorting to Software Defined Radios (SDR). Previous works have highlighted the so-called ``Day-After-Tomorrow'' effect, i.e., an intrinsic issue of SDRs leading to a fingerprint mutation following a radio power cycle. In this work, we extend such a study by demonstrating that fingerprint mutations appear every time a new FPGA image is reloaded, i.e., when the SDR initiates a new communication. In this context, we provide an in-depth analysis of the reliability of RFF over multiple FPGA image reloading operations, highlighting its ephemeral and mutational nature. We introduce a methodology for abstracting fingerprint mutations into a graph and provide a theoretical framework for assessing fingerprint reliability. Our results show that the common assumption of considering the RF fingerprint as unique and always persistent is incorrect. By combining real-world measurements, high-performance SDRs, and state-of-the-art deep learning techniques, we experimentally demonstrate that radio devices feature multiple fingerprints that can be clustered according to shared features. Moreover, we show that the RF fingerprint is a time-independent probabilistic phenomenon, which requires the collection of multiple samples to achieve the necessary reliability.
△ Less
Submitted 17 August, 2024;
originally announced August 2024.
-
Preventing Radio Fingerprinting through Low-Power Jamming
Authors:
Muhammad Irfan,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
Radio Frequency fingerprinting enables a passive receiver to recognize and authenticate a transmitter without the need for cryptographic tools. Authentication is achieved by isolating specific features of the transmitted signal that are unique to the transmitter's hardware. Much research has focused on improving the effectiveness and efficiency of radio frequency fingerprinting to maximize its per…
▽ More
Radio Frequency fingerprinting enables a passive receiver to recognize and authenticate a transmitter without the need for cryptographic tools. Authentication is achieved by isolating specific features of the transmitted signal that are unique to the transmitter's hardware. Much research has focused on improving the effectiveness and efficiency of radio frequency fingerprinting to maximize its performance in various scenarios and conditions, while little research examined how to protect devices from being subject to radio fingerprinting in the wild.
In this paper, we explore a novel point of view. We examine the threat posed by radio frequency fingerprinting, which facilitates the unauthorized identification of wireless devices in the field by malicious entities. We also suggest a method to sanitize the transmitted signal of its fingerprint using a low-power jammer, deployed on purpose to improve devices' anonymity on the channel while still guaranteeing the link's quality of service. Our experimental results and subsequent analysis demonstrate that a low-power jammer can effectively block a malicious eavesdropper from identifying a device without affecting the quality of the wireless link, thereby restoring the privacy of the user when accessing the radio spectrum.
△ Less
Submitted 2 April, 2025; v1 submitted 11 July, 2024;
originally announced July 2024.
-
Radio Frequency Fingerprinting via Deep Learning: Challenges and Opportunities
Authors:
Saeif Al-Hazbi,
Ahmed Hussain,
Savio Sciancalepore,
Gabriele Oligeri,
Panos Papadimitratos
Abstract:
Radio Frequency Fingerprinting (RFF) techniques promise to authenticate wireless devices at the physical layer based on inherent hardware imperfections introduced during manufacturing. Such RF transmitter imperfections are reflected into over-the-air signals, allowing receivers to accurately identify the RF transmitting source. Recent advances in Machine Learning, particularly in Deep Learning (DL…
▽ More
Radio Frequency Fingerprinting (RFF) techniques promise to authenticate wireless devices at the physical layer based on inherent hardware imperfections introduced during manufacturing. Such RF transmitter imperfections are reflected into over-the-air signals, allowing receivers to accurately identify the RF transmitting source. Recent advances in Machine Learning, particularly in Deep Learning (DL), have improved the ability of RFF systems to extract and learn complex features that make up the device-specific fingerprint. However, integrating DL techniques with RFF and operating the system in real-world scenarios presents numerous challenges, originating from the embedded systems and the DL research domains. This paper systematically identifies and analyzes the essential considerations and challenges encountered in the creation of DL-based RFF systems across their typical development life-cycle, which include (i) data collection and preprocessing, (ii) training, and finally, (iii) deployment. Our investigation provides a comprehensive overview of the current open problems that prevent real deployment of DL-based RFF systems while also discussing promising research opportunities to enhance the overall accuracy, robustness, and privacy of these systems.
△ Less
Submitted 15 April, 2024; v1 submitted 25 October, 2023;
originally announced October 2023.
-
Watch Nearby! Privacy Analysis of the People Nearby Service of Telegram
Authors:
Maurantonio Caprolu,
Savio Sciancalepore,
Aleksandar Grigorov,
Velyan Kolev,
Gabriele Oligeri
Abstract:
People Nearby is a service offered by Telegram that allows a user to discover other Telegram users, based only on geographical proximity. Nearby users are reported with a rough estimate of their distance from the position of the reference user, allowing Telegram to claim location privacy In this paper, we systematically analyze the location privacy provided by Telegram to users of the People Nearb…
▽ More
People Nearby is a service offered by Telegram that allows a user to discover other Telegram users, based only on geographical proximity. Nearby users are reported with a rough estimate of their distance from the position of the reference user, allowing Telegram to claim location privacy In this paper, we systematically analyze the location privacy provided by Telegram to users of the People Nearby service. Through an extensive measurement campaign run by spoofing the user's location all over the world, we reverse-engineer the algorithm adopted by People Nearby to compute distances between users. Although the service protects against precise user localization, we demonstrate that location privacy is always lower than the one declared by Telegram of 500 meters. Specifically, we discover that location privacy is a function of the geographical position of the user. Indeed, the radius of the location privacy area (localization error) spans between 400 meters (close to the equator) and 128 meters (close to the poles), with a difference of up to 75% (worst case) compared to what Telegram declares. After our responsible disclosure, Telegram updated the FAQ associated with the service. Finally, we provide some solutions and countermeasures that Telegram can implement to improve location privacy. In general, the reported findings highlight the significant privacy risks associated with using People Nearby service.
△ Less
Submitted 20 October, 2023;
originally announced October 2023.
-
MITRE ATT&CK: State of the Art and Way Forward
Authors:
Bader Al-Sada,
Alireza Sadighian,
Gabriele Oligeri
Abstract:
MITRE ATT&CK is a comprehensive framework of adversary tactics, techniques and procedures based on real-world observations. It has been used as a foundation for threat modelling in different sectors, such as government, academia and industry. To the best of our knowledge, no previous work has been devoted to the comprehensive collection, study and investigation of the current state of the art leve…
▽ More
MITRE ATT&CK is a comprehensive framework of adversary tactics, techniques and procedures based on real-world observations. It has been used as a foundation for threat modelling in different sectors, such as government, academia and industry. To the best of our knowledge, no previous work has been devoted to the comprehensive collection, study and investigation of the current state of the art leveraging the MITRE ATT&CK framework. We select and inspect more than fifty major research contributions, while conducting a detailed analysis of their methodology and objectives in relation to the MITRE ATT&CK framework. We provide a categorization of the identified papers according to different criteria such as use cases, application scenarios, adopted methodologies and the use of additional data. Finally, we discuss open issues and future research directions involving not only the MITRE ATT&CK framework but also the fields of risk analysis and cyber-threat intelligence at large.
△ Less
Submitted 27 August, 2023;
originally announced August 2023.
-
False Data Injection Attacks in Smart Grids: State of the Art and Way Forward
Authors:
Muhammad Irfan,
Alireza Sadighian,
Adeen Tanveer,
Shaikha J. Al-Naimi,
Gabriele Oligeri
Abstract:
In the recent years cyberattacks to smart grids are becoming more frequent Among the many malicious activities that can be launched against smart grids False Data Injection FDI attacks have raised significant concerns from both academia and industry FDI attacks can affect the internal state estimation processcritical for smart grid monitoring and controlthus being able to bypass conventional Bad D…
▽ More
In the recent years cyberattacks to smart grids are becoming more frequent Among the many malicious activities that can be launched against smart grids False Data Injection FDI attacks have raised significant concerns from both academia and industry FDI attacks can affect the internal state estimation processcritical for smart grid monitoring and controlthus being able to bypass conventional Bad Data Detection BDD methods Hence prompt detection and precise localization of FDI attacks is becomming of paramount importance to ensure smart grids security and safety Several papers recently started to study and analyze this topic from different perspectives and address existing challenges Datadriven techniques and mathematical modelings are the major ingredients of the proposed approaches The primary objective of this work is to provide a systematic review and insights into FDI attacks joint detection and localization approaches considering that other surveys mainly concentrated on the detection aspects without detailed coverage of localization aspects For this purpose we select and inspect more than forty major research contributions while conducting a detailed analysis of their methodology and objectives in relation to the FDI attacks detection and localization We provide our key findings of the identified papers according to different criteria such as employed FDI attacks localization techniques utilized evaluation scenarios investigated FDI attack types application scenarios adopted methodologies and the use of additional data Finally we discuss open issues and future research directions
△ Less
Submitted 20 August, 2023;
originally announced August 2023.
-
Jamming Detection in Low-BER Mobile Indoor Scenarios via Deep Learning
Authors:
Savio Sciancalepore,
Fabrice Kusters,
Nada Khaled Abdelhadi,
Gabriele Oligeri
Abstract:
The current state of the art on jamming detection relies on link-layer metrics. A few examples are the bit-error-rate (BER), the packet delivery ratio, the throughput, and the increase in the signal-to-noise ratio (SNR). As a result, these techniques can only detect jamming \emph{ex-post}, i.e., once the attack has already taken down the communication link. These solutions are unfit for mobile dev…
▽ More
The current state of the art on jamming detection relies on link-layer metrics. A few examples are the bit-error-rate (BER), the packet delivery ratio, the throughput, and the increase in the signal-to-noise ratio (SNR). As a result, these techniques can only detect jamming \emph{ex-post}, i.e., once the attack has already taken down the communication link. These solutions are unfit for mobile devices, e.g., drones, which might lose the connection to the remote controller, being unable to predict the attack.
Our solution is rooted in the idea that a drone unknowingly flying toward a jammed area is experiencing an increasing effect of the jamming, e.g., in terms of BER and SNR. Therefore, drones might use the above-mentioned phenomenon to detect jamming before the decrease of the BER and the increase of the SNR completely disrupt the communication link. Such an approach would allow drones and their pilots to make informed decisions and maintain complete control of navigation, enhancing security and safety.
This paper proposes Bloodhound+, a solution for jamming detection on mobile devices in low-BER regimes. Our approach analyzes raw physical-layer information (I-Q samples) acquired from the wireless channel. We assemble this information into grayscale images and use sparse autoencoders to detect image anomalies caused by jamming attacks. To test our solution against a wide set of configurations, we acquired a large dataset of indoor measurements using multiple hardware, jamming strategies, and communication parameters. Our results indicate that Bloodhound+ can detect indoor jamming up to 20 meters from the jamming source at the minimum available relative jamming power, with a minimum accuracy of 99.7\%. Our solution is also robust to various sampling rates adopted by the jammer and to the type of signal used for jamming.
△ Less
Submitted 12 December, 2023; v1 submitted 19 June, 2023;
originally announced June 2023.
-
The Day-After-Tomorrow: On the Performance of Radio Fingerprinting over Time
Authors:
Saeif Alhazbi,
Savio Sciancalepore,
Gabriele Oligeri
Abstract:
The performance of Radio Frequency (RF) Fingerprinting (RFF) techniques is negatively impacted when the training data is not temporally close to the testing data. This can limit the practical implementation of physical-layer authentication solutions. To circumvent this problem, current solutions involve collecting training and testing datasets at close time intervals -- this being detrimental to t…
▽ More
The performance of Radio Frequency (RF) Fingerprinting (RFF) techniques is negatively impacted when the training data is not temporally close to the testing data. This can limit the practical implementation of physical-layer authentication solutions. To circumvent this problem, current solutions involve collecting training and testing datasets at close time intervals -- this being detrimental to the real-life deployment of any physical-layer authentication solution. We refer to this issue as the Day-After-Tomorrow (DAT) effect, being widely attributed to the temporal variability of the wireless channel, which masks the physical-layer features of the transmitter, thus impairing the fingerprinting process.
In this work, we investigate the DAT effect shedding light on its root causes. Our results refute previous knowledge by demonstrating that the DAT effect is not solely caused by the variability of the wireless channel. Instead, we prove that it is also due to the power cycling of the radios, i.e., the turning off and on of the radios between the collection of training and testing data. We show that state-of-the-art RFF solutions double their performance when the devices under test are not power cycled, i.e., the accuracy increases from about 0.5 to about 1 in a controlled scenario. Finally, we show how to mitigate the DAT effect in real-world scenarios, through pre-processing of the I-Q samples. Our experimental results show a significant improvement in accuracy, from approximately 0.45 to 0.85. Additionally, we reduce the variance of the results, making the overall performance more reliable.
△ Less
Submitted 17 October, 2023; v1 submitted 9 May, 2023;
originally announced May 2023.
-
KaFHCa: Key-establishment via Frequency Hopping Collisions
Authors:
Muhammad Usman,
Simone Raponi,
Marwa Qaraqe,
Gabriele Oligeri
Abstract:
The massive deployment of IoT devices being utilized by home automation, industrial and military scenarios demands for high security and privacy standards to be achieved through innovative solutions. This paper proposes KaFHCa, a crypto-less protocol that generates shared secret keys by combining random frequency hopping collisions and source indistinguishability independently of the radio channel…
▽ More
The massive deployment of IoT devices being utilized by home automation, industrial and military scenarios demands for high security and privacy standards to be achieved through innovative solutions. This paper proposes KaFHCa, a crypto-less protocol that generates shared secret keys by combining random frequency hopping collisions and source indistinguishability independently of the radio channel status. While other solutions tie the secret bit rate generation to the current radio channel conditions, thus becoming unpractical in static environments, KaFHCa guarantees almost the same secret bitrate independently of the channel conditions. KaFHCa generates shared secrets through random collisions of the transmitter and the receiver in the radio spectrum, and leverages on the fading phenomena to achieve source indistinguishability, thus preventing unauthorized eavesdroppers from inferring the key. The proposed solution is (almost) independent of the adversary position, works under the conservative assumption of channel fading (σ = 8dB), and is capable of generating a secret key of 128 bits with less than 564 transmissions.
△ Less
Submitted 20 October, 2020; v1 submitted 19 October, 2020;
originally announced October 2020.
-
PAST-AI: Physical-layer Authentication of Satellite Transmitters via Deep Learning
Authors:
Gabriele Oligeri,
Simone Raponi,
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
Physical-layer security is regaining traction in the research community, due to the performance boost introduced by deep learning classification algorithms. This is particularly true for sender authentication in wireless communications via radio fingerprinting. However, previous research efforts mainly focused on terrestrial wireless devices while, to the best of our knowledge, none of the previou…
▽ More
Physical-layer security is regaining traction in the research community, due to the performance boost introduced by deep learning classification algorithms. This is particularly true for sender authentication in wireless communications via radio fingerprinting. However, previous research efforts mainly focused on terrestrial wireless devices while, to the best of our knowledge, none of the previous work took into consideration satellite transmitters. The satellite scenario is generally challenging because, among others, satellite radio transducers feature non-standard electronics (usually aged and specifically designed for harsh conditions). Moreover, the fingerprinting task is specifically difficult for Low-Earth Orbit (LEO) satellites (like the ones we focus in this paper) since they orbit at about 800Km from the Earth, at a speed of around 25,000Km/h, thus making the receiver experiencing a down-link with unique attenuation and fading characteristics. In this paper, we propose PAST-AI, a methodology tailored to authenticate LEO satellites through fingerprinting of their IQ samples, using advanced AI solutions. Our methodology is tested on real data -- more than 100M I/Q samples -- collected from an extensive measurements campaign on the IRIDIUM LEO satellites constellation, lasting 589 hours. Results are striking: we prove that Convolutional Neural Networks (CNN) and autoencoders (if properly calibrated) can be successfully adopted to authenticate the satellite transducers, with an accuracy spanning between 0.8 and 1, depending on prior assumptions. The proposed methodology, the achieved results, and the provided insights, other than being interesting on their own, when associated to the dataset that we made publicly available, will also pave the way for future research in the area.
△ Less
Submitted 12 October, 2020;
originally announced October 2020.
-
The Dark (and Bright) Side of IoT: Attacks and Countermeasures for Identifying Smart Home Devices and Services
Authors:
Ahmed Mohamed Hussain,
Gabriele Oligeri,
Thiemo Voigt
Abstract:
We present a new machine learning-based attack that exploits network patterns to detect the presence of smart IoT devices and running services in the WiFi radio spectrum. We perform an extensive measurement campaign of data collection, and we build up a model describing the traffic patterns characterizing three popular IoT smart home devices, i.e., Google Nest Mini, Amazon Echo, and Amazon Echo Do…
▽ More
We present a new machine learning-based attack that exploits network patterns to detect the presence of smart IoT devices and running services in the WiFi radio spectrum. We perform an extensive measurement campaign of data collection, and we build up a model describing the traffic patterns characterizing three popular IoT smart home devices, i.e., Google Nest Mini, Amazon Echo, and Amazon Echo Dot. We prove that it is possible to detect and identify with overwhelming probability their presence and the services running by the aforementioned devices in a crowded WiFi scenario. This work proves that standard encryption techniques alone are not sufficient to protect the privacy of the end-user, since the network traffic itself exposes the presence of both the device and the associated service. While more work is required to prevent non-trusted third parties to detect and identify the user's devices, we introduce Eclipse, a technique to mitigate these types of attacks, which reshapes the traffic making the identification of the devices and the associated services similar to the random classification baseline.
△ Less
Submitted 25 July, 2021; v1 submitted 16 September, 2020;
originally announced September 2020.
-
GNSS Spoofing Detection via Opportunistic IRIDIUM Signals
Authors:
Gabriele Oligeri,
Savio Sciancalepore,
Roberto Di Pietro
Abstract:
In this paper, we study the privately-own IRIDIUM satellite constellation, to provide a location service that is independent of the GNSS. In particular, we apply our findings to propose a new GNSS spoofing detection solution, exploiting unencrypted IRIDIUM Ring Alert (IRA) messages that are broadcast by IRIDIUM satellites. We firstly reverse-engineer many parameters of the IRIDIUM satellite conste…
▽ More
In this paper, we study the privately-own IRIDIUM satellite constellation, to provide a location service that is independent of the GNSS. In particular, we apply our findings to propose a new GNSS spoofing detection solution, exploiting unencrypted IRIDIUM Ring Alert (IRA) messages that are broadcast by IRIDIUM satellites. We firstly reverse-engineer many parameters of the IRIDIUM satellite constellation, such as the satellites speed, packet interarrival times, maximum satellite coverage, satellite pass duration, and the satellite beam constellation, to name a few. Later, we adopt the aforementioned statistics to create a detailed model of the satellite network. Subsequently, we propose a solution to detect unintended deviations of a target user from his path, due to GNSS spoofing attacks. We show that our solution can be used efficiently and effectively to verify the position estimated from standard GNSS satellite constellation, and we provide constraints and parameters to fit several application scenarios. All the results reported in this paper, while showing the quality and viability of our proposal, are supported by real data. In particular, we have collected and analyzed hundreds of thousands of IRA messages, thanks to a measurement campaign lasting several days. All the collected data ($1000+$ hours) have been made available to the research community. Our solution is particularly suitable for unattended scenarios such as deserts, rural areas, or open seas, where standard spoofing detection techniques resorting to crowd-sourcing cannot be used due to deployment limitations. Moreover, contrary to competing solutions, our approach does not resort to physical-layer information, dedicated hardware, or multiple receiving stations, while exploiting only a single receiving antenna and publicly-available IRIDIUM transmissions. Finally, novel research directions are also highlighted.
△ Less
Submitted 18 June, 2020;
originally announced June 2020.
-
Sound of Guns: Digital Forensics of Gun Audio Samples meets Artificial Intelligence
Authors:
Simone Raponi,
Isra Ali,
Gabriele Oligeri
Abstract:
Classifying a weapon based on its muzzle blast is a challenging task that has significant applications in various security and military fields. Most of the existing works rely on ad-hoc deployment of spatially diverse microphone sensors to capture multiple replicas of the same gunshot, which enables accurate detection and identification of the acoustic source. However, carefully controlled setups…
▽ More
Classifying a weapon based on its muzzle blast is a challenging task that has significant applications in various security and military fields. Most of the existing works rely on ad-hoc deployment of spatially diverse microphone sensors to capture multiple replicas of the same gunshot, which enables accurate detection and identification of the acoustic source. However, carefully controlled setups are difficult to obtain in scenarios such as crime scene forensics, making the aforementioned techniques inapplicable and impractical. We introduce a novel technique that requires zero knowledge about the recording setup and is completely agnostic to the relative positions of both the microphone and shooter. Our solution can identify the category, caliber, and model of the gun, reaching over 90% accuracy on a dataset composed of 3655 samples that are extracted from YouTube videos. Our results demonstrate the effectiveness and efficiency of applying Convolutional Neural Network (CNN) in gunshot classification eliminating the need for an ad-hoc setup while significantly improving the classification performance.
△ Less
Submitted 1 March, 2021; v1 submitted 15 April, 2020;
originally announced April 2020.
-
MAGNETO: Fingerprinting USB Flash Drives via Unintentional Magnetic Emissions
Authors:
Omar Adel Ibrahim,
Savio Sciancalepore,
Gabriele Oligeri,
Roberto Di Pietro
Abstract:
Universal Serial Bus (USB) Flash Drives are nowadays one of the most convenient and diffused means to transfer files, especially when no Internet connection is available. However, USB flash drives are also one of the most common attack vectors used to gain unauthorized access to host devices. For instance, it is possible to replace a USB drive so that when the USB key is connected, it would instal…
▽ More
Universal Serial Bus (USB) Flash Drives are nowadays one of the most convenient and diffused means to transfer files, especially when no Internet connection is available. However, USB flash drives are also one of the most common attack vectors used to gain unauthorized access to host devices. For instance, it is possible to replace a USB drive so that when the USB key is connected, it would install passwords stealing tools, root-kit software, and other disrupting malware. In such a way, an attacker can steal sensitive information via the USB-connected devices, as well as inject any kind of malicious software into the host.
To thwart the above-cited raising threats, we propose MAGNETO, an efficient, non-interactive, and privacy-preserving framework to verify the authenticity of a USB flash drive, rooted in the analysis of its unintentional magnetic emissions. We show that the magnetic emissions radiated during boot operations on a specific host are unique for each device, and sufficient to uniquely fingerprint both the brand and the model of the USB flash drive, or the specific USB device, depending on the used equipment. Our investigation on 59 different USB flash drives---belonging to 17 brands, including the top brands purchased on Amazon in mid-2019---, reveals a minimum classification accuracy of 98.2% in the identification of both brand and model, accompanied by a negligible time and computational overhead. MAGNETO can also identify the specific USB Flash drive, with a minimum classification accuracy of 91.2%. Overall, MAGNETO proves that unintentional magnetic emissions can be considered as a viable and reliable means to fingerprint read-only USB flash drives. Finally, future research directions in this domain are also discussed.
△ Less
Submitted 12 September, 2020; v1 submitted 14 February, 2020;
originally announced February 2020.
-
Road Traffic Poisoning of Navigation Apps: Threats and Countermeasures
Authors:
Simone Raponi,
Savio Sciancalepore,
Gabriele Oligeri,
Roberto Di Pietro
Abstract:
Assisted-navigation applications have a relevant impact on our daily life. However, technological progress in virtualization technologies and Software-Defined Radios recently enabled new attack vectors, namely, road traffic poisoning. These attacks open up several dreadful scenarios, which are addressed in this contribution by identifying the associated challenges and proposing innovative counterm…
▽ More
Assisted-navigation applications have a relevant impact on our daily life. However, technological progress in virtualization technologies and Software-Defined Radios recently enabled new attack vectors, namely, road traffic poisoning. These attacks open up several dreadful scenarios, which are addressed in this contribution by identifying the associated challenges and proposing innovative countermeasures.
△ Less
Submitted 5 May, 2021; v1 submitted 12 February, 2020;
originally announced February 2020.
-
Cryptomining Makes Noise: a Machine Learning Approach for Cryptojacking Detection
Authors:
Maurantonio Caprolu,
Simone Raponi,
Gabriele Oligeri,
Roberto Di Pietro
Abstract:
A new cybersecurity attack,where an adversary illicitly runs crypto-mining software over the devices of unaware users, is emerging in both the literature and in the wild . This attack, known as cryptojacking, has proved to be very effective given the simplicity of running a crypto-client into a target device. Several countermeasures have recently been proposed, with different features and performa…
▽ More
A new cybersecurity attack,where an adversary illicitly runs crypto-mining software over the devices of unaware users, is emerging in both the literature and in the wild . This attack, known as cryptojacking, has proved to be very effective given the simplicity of running a crypto-client into a target device. Several countermeasures have recently been proposed, with different features and performance, but all characterized by a host-based architecture. This kind of solutions, designed to protect the individual user, are not suitable for efficiently protecting a corporate network, especially against insiders. In this paper, we propose a network-based approach to detect and identify crypto-clients activities by solely relying on the network traffic, even when encrypted. First, we provide a detailed analysis of the real network traces generated by three major cryptocurrencies, Bitcoin, Monero, and Bytecoin, considering both the normal traffic and the one shaped by a VPN. Then, we propose Crypto-Aegis, a Machine Learning (ML) based framework built over the results of our investigation, aimed at detecting cryptocurrencies related activities, e.g., pool mining, solo mining, and active full nodes. Our solution achieves a striking 0.96 of F1-score and 0.99 of AUC for the ROC, while enjoying a few other properties, such as device and infrastructure independence. Given the extent and novelty of the addressed threat we believe that our approach, supported by its excellent results, pave the way for further research in this area.
△ Less
Submitted 28 January, 2020; v1 submitted 21 October, 2019;
originally announced October 2019.
-
BrokenStrokes: On the (in)Security of Wireless Keyboards
Authors:
Gabriele Oligeri,
Savio Sciancalepore,
Simone Raponi,
Roberto Di Pietro
Abstract:
Wireless devices resorting to event-triggered communications have been proved to suffer critical privacy issues, due to the intrinsic leakage associated with radio-frequency (RF) emissions. In this paper, we move the attack frontier forward by proposing BrokenStrokes: an inexpensive, easy to implement, efficient, and effective attack able to detect the typing of a pre-defined keyword by only eaves…
▽ More
Wireless devices resorting to event-triggered communications have been proved to suffer critical privacy issues, due to the intrinsic leakage associated with radio-frequency (RF) emissions. In this paper, we move the attack frontier forward by proposing BrokenStrokes: an inexpensive, easy to implement, efficient, and effective attack able to detect the typing of a pre-defined keyword by only eavesdropping the communication channel used by the wireless keyboard. BrokenStrokes proves itself to be a particularly dreadful attack: it achieves its goal when the eavesdropping antenna is up to 15 meters from the target keyboard, regardless of the encryption scheme, the communication protocol, the presence of radio noise, and the presence of physical obstacles. While we detail the attack in three current scenarios and discuss its striking performance--its success probability exceeds 90% in normal operating conditions--, we also provide some suggestions on how to mitigate it. The data utilized in this paper have been released as open-source to allow practitioners, industries, and academia to verify our claims and use them as a basis for further developments.
△ Less
Submitted 21 May, 2020; v1 submitted 9 October, 2019;
originally announced October 2019.
-
PiNcH: an Effective, Efficient, and Robust Solution to Drone Detection via Network Traffic Analysis
Authors:
Savio Sciancalepore,
Omar Adel Ibrahim,
Gabriele Oligeri,
Roberto Di Pietro
Abstract:
We propose PiNcH, a methodology to detect the presence of a drone, its current status, and its movements by leveraging just the communication traffic exchanged between the drone and its Remote Controller (RC). PiNcH is built applying standard classification algorithms to the eavesdropped traffic, analyzing features such as packets inter-arrival time and size. PiNcH is fully passive and it requires…
▽ More
We propose PiNcH, a methodology to detect the presence of a drone, its current status, and its movements by leveraging just the communication traffic exchanged between the drone and its Remote Controller (RC). PiNcH is built applying standard classification algorithms to the eavesdropped traffic, analyzing features such as packets inter-arrival time and size. PiNcH is fully passive and it requires just cheap and general-purpose hardware. To evaluate the effectiveness of our solution, we collected real communication traces originated by a drone running the widespread ArduCopter open-source firmware, currently mounted on-board of a wide range (30+) of commercial amateur drones. We tested our solution against different publicly available wireless traces. The results prove that PiNcH can efficiently and effectively: (i) identify the presence of the drone in several heterogeneous scenarios; (ii) identify the current state of a powered-on drone, i.e., flying or lying on the ground; (iii) discriminate the movements of the drone; and, finally, (iv) enjoy a reduced upper bound on the time required to identify a drone with the requested level of assurance. The effectiveness of PiNcH has been also evaluated in the presence of both heavy packet loss and evasion attacks. In this latter case, the adversary modifies on purpose the profile of the traffic of the drone-RC link to avoid the detection. In both the cited cases, PiNcH continues enjoying a remarkable performance. Further, the comparison against state of the art solution confirms the superior performance of PiNcH in several scenarios. Note that all the drone-controller generated data traces have been released as open-source, to allow replicability and foster follow-up. Finally, the quality and viability of our solution, do prove that network traffic analysis can be successfully adopted for drone identification and status discrimination.
△ Less
Submitted 7 December, 2019; v1 submitted 11 January, 2019;
originally announced January 2019.
-
Silence is Golden: exploiting jamming and radio silence to communicate
Authors:
Roberto Di Pietro,
Gabriele Oligeri
Abstract:
Jamming techniques require just moderate resources to be deployed, while their effectiveness in disrupting communications is unprecedented. In this paper we introduce several contributions to jamming mitigation. In particular, we introduce a novel adversary model that has both (unlimited) jamming reactive capabilities as well as powerful (but limited) proactive jamming capabilities. Under this pow…
▽ More
Jamming techniques require just moderate resources to be deployed, while their effectiveness in disrupting communications is unprecedented. In this paper we introduce several contributions to jamming mitigation. In particular, we introduce a novel adversary model that has both (unlimited) jamming reactive capabilities as well as powerful (but limited) proactive jamming capabilities. Under this powerful but yet realistic adversary model, the communication bandwidth provided by current anti-jamming solutions drops to zero. We then present Silence is Golden (SiG): a novel anti jamming protocol that, introducing a tunable, asymmetric communication channel, is able to mitigate the adversary capabilities, enabling the parties to communicate. For instance, with SiG it is possible to deliver a 128 bits long message with a probability greater than 99% in 4096 time slots in the presence of a jammer that jams all the on-the-fly communications and the 74% of the silent radio spectrum---while competing proposals simply fail. The provided solution enjoys a thorough theoretical analysis and is supported by extensive experimental results, showing the viability of our proposal.
△ Less
Submitted 22 July, 2013;
originally announced July 2013.
