Packet-Level Signatures for Smart Home Devices
Rahmadi Trimananda, Janus Varmarken, Athina Markopoulou, and Brian Demsky

Smart Home
- Smart Plugs, Light Bulbs, Thermostats, Cameras, Doorbells

Smart Home
- LAN Traffic, WAN Traffic, Phone-Cloud
- Not-so-private

WAN Sniffer
- Sees WAN Traffic and Phone-Cloud
1) Can look into TCP/IP packet
2) Can see IP address
3) Cannot see MAC address

Wi-Fi Sniffer
- Sees LAN Traffic, WAN Traffic and Phone-Cloud
1) Cannot look into TCP/IP packet
2) Cannot see IP address
3) Can see MAC address

State-of-the-Art
- Specific protocols (ZigBee/Z-Wave): Homonit [CCS’18]
- Volume-based: Apthorpe et al. [PETS’19]
  ○ Volume spike is event
- ML-based approaches: HomeSnitch [WiSec’19]
  ○ Network statistics as features
- IoT datasets: Ren et al. [IMC’19], Alrawi et al. [S&P’19]
  ○ Device study
    ■ Network traffic characteristics
  ○ Public datasets
    ■ Mon(IoT)r: https://moniotrlab.ccis.neu.edu/imc19/
    ■ YourThings: https://yourthings.info/

Outline
- I. Background and Problem Statement
- II. Key Observation: Packet-Level Signatures
- III. The PingPong System
- IV. Conclusion

Key Observation: Ping-Pong
- Toggle ON Plug from a Local Phone (LAN Traffic): Request (PING!) followed by Reply (PONG!)
- Toggle ON Plug from a Remote Phone (Phone-Cloud and WAN Traffic): Request followed by Reply
- Toggle ON Plug from Home Automation: Request followed by Reply

Ping-Pong in TP-Link Plug
- ON / OFF
- Device-Cloud: <C-556, S-1293> for ON, <C-557, S-1294> for OFF
- Phone-Cloud

Ping-Pong in D-Link Plug
- <C-1117, S-613>, <C-1118, S-613>

Ping-Pong in SmartThings Plug
- ON / OFF
- Phone-Cloud: <C-699, S-511> for ON, <C-700, S-511> for OFF
- Device-Cloud: <S-612, C-136> <S-777, C-136> for ON, <S-616, C-136> <S-780, C-136> for OFF

Packet-Level Signature of an Event
- Sequences of request-reply packet pairs with unique and deterministic packet lengths and directions

Research Questions
- How to automatically extract packet-level signatures?
- How universal are packet-level signatures?
- How unique are packet-level signatures?

Automated Extraction
- Extract these pairs
- Form longest possible sequences
- Use them as a signature

The PingPong System: PingPong Training
- Input: Event Triggers, Device
- Training: Data Collection → Network Trace → Trace Filtering → Pair Clustering → Signature Creation → Signature Validation → Signature
- Example signatures: C-556 S-1293; C-339 S-329 C-[364-365] S-[1061-1070] C-[271-273] S-[499-505]

Universal Signatures
- Three communications: LAN Traffic, WAN Traffic, Phone-Cloud
- Two adversaries
  ○ WAN and Wi-Fi sniffers
- Different triggers
  ○ Local-Phone, Remote-Phone, and Home Automation
- Applies to many devices
  ○ Our corpus: 18 devices
  ○ Public dataset Mon(IoT)r
    ■ Extraction for 21 new devices
    ■ Comparison for 5 common devices
- Matching with recall > 97%

Unique Signatures
- Distinguish
  ○ Device type
  ○ Event type: binary and non-binary
  ○ Same-vendor devices
- Negative control experiment
  ○ Three public datasets: >440 million packets
    ■ YourThings, UNSW, UNB
  ○ FPR: one FP per 40 million packets

Packet-Level Signatures
- Can distinguish event types
- Minimal set of traffic features
- Two adversaries
- Applicable to many devices
- Resilient to traffic shaping & VPN encryption
- Defended against by packet padding
- Profiling and network monitoring

Limitations
- Need device to train
- Signatures may vary over time
- Apply to 95% of devices
  ○ UDP-based
  ○ Repetitive pairs for an event

Conclusions
- Packet-level signatures
  ○ Request-reply pattern
  ○ Packet lengths and directions
- Automation: PingPong
  ○ Extraction and detection
- Signatures are universal and unique

Thank You!
- Paper
  https://www.ndss-symposium.org/ndss-paper/packet-level-signatures-for-smart-home-devices/
- Software and datasets
  http://plrg.ics.uci.edu/pingpong/

Additional Slides

Signature Variations
- Signatures with no variation (e.g. C-556 S-1293)
- Signatures with ranges (e.g. C-339 S-329 C-[364-365] S-[1061-1070] C-[271-273] S-[499-505])
- Signatures that vary
  ○ Signature evolution (e.g. C-592 S-1234 S-100 in 2018 vs. C-605 S-1213 S-100 in 2019)
  ○ Signatures that vary in certain packets
    ■ App’s username and password

The PingPong System: PingPong Training, step by step for Toggle ON on the TP-Link Plug
- Input: Event Triggers (issued through adb and logged with a timestamp, e.g. Toggle-ON 11/08/2018 01:28:23 PM) and the Device
- Data Collection: tcpdump records the Network Trace into a PCAP file
  ... … C-123 S-456 … C-234 S-567 … C-345 S-678 ... … C-556 S-1293 ... C-238 S-826 … C-129 S-123 ... … C-123 S-456 … C-234 S-567 … C-345 S-678 … ... (t)
- Trace Filtering: the trigger timestamp selects the part of the trace that belongs to the event, split by TCP connection
  … C-556 S-1293 ... C-238 S-826 … C-129 S-123 ...
  ○ TCP Conn.1: … C-556 S-1293 ...
  ○ TCP Conn.2: … C-238 S-826 ...
  ○ TCP Conn.3: … C-129 S-123 ...
- Packet Pairs: <...,...> <C-556, S-1293> <...,...> <...,...> <C-238, S-826> <...,...> <...,...> <C-129, S-123> <...,...>
- Pair Clustering and Signature Creation: the signature for ON is C-556 S-1293
  ○ A signature with ranges, extracted the same way: C-339 S-329 C-[364-365] S-[1061-1070] C-[271-273] S-[499-505]
- Signature Validation
  ○ Run detection on the same PCAP file
  ○ Valid signature iff the n triggered events yield n detected events with matching timestamps
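An added example, my own code rather than the PingPong project's, that runs the Automated Extraction and PingPong Training steps above over a constructed trace: Trace Filtering by trigger timestamp, Packet Pairs per TCP connection, Pair Clustering, and Signature Creation with length ranges. The 3-second filtering window, the 10-byte clustering tolerance, the greedy clustering that stands in for PingPong's DBSCAN step, and the trace itself are assumptions.

```python
# Added example, not the PingPong project's own code: extract a packet-level signature from a
# constructed training trace following the deck's pipeline: Trace Filtering -> Packet Pairs per
# TCP connection -> Pair Clustering -> Signature Creation (length ranges).
from collections import defaultdict

# Packet = (time_s, tcp_conn_id, direction, length); 'C' = to cloud, 'S' = from cloud.
# Constructed trace: 3 Toggle-ON triggers, each followed by C-556 S-1293 and by a pair whose
# lengths drift (C-364/365, S-1061/1064/1067), plus noise that does not recur once per event.
EVENT_TIMES = [10.0, 40.0, 70.0]
TRACE = [(25.0, "bg0", "C", 100), (55.0, "bg1", "S", 1500)]  # stray packets with no reply
for i, t in enumerate(EVENT_TIMES):
    TRACE += [(t + 0.2, f"a{i}", "C", 556), (t + 0.3, f"a{i}", "S", 1293),
              (t + 0.6, f"b{i}", "C", 364 + i % 2), (t + 0.7, f"b{i}", "S", 1061 + 3 * i),
              (t + 5.0, f"c{i}", "C", 123), (t + 5.1, f"c{i}", "S", 456)]  # keep-alive, outside the window
TRACE += [(10.9, "n0", "C", 238), (11.0, "n0", "S", 826)]  # one-off noise inside the first window
TRACE.sort()

def filter_trace(trace, event_times, window=3.0):
    """Trace Filtering: per trigger, keep the packets within `window` seconds after it (assumed)."""
    return [[p for p in trace if t <= p[0] <= t + window] for t in event_times]

def extract_pairs(packets):
    """Packet Pairs: a packet and the next opposite-direction packet of the same TCP connection."""
    by_conn = defaultdict(list)
    for p in sorted(packets): by_conn[p[1]].append(p)
    pairs = []  # (time, (dir, len), (dir, len))
    for pkts in by_conn.values():
        i = 0
        while i + 1 < len(pkts):
            if pkts[i][2] != pkts[i + 1][2]:
                pairs.append((pkts[i][0], pkts[i][2:], pkts[i + 1][2:]))
                i += 2
            else:
                i += 1
    return pairs

def build_signature(per_event_pairs, eps=10):
    """Pair Clustering + Signature Creation: group pairs with equal directions whose lengths differ
    by at most `eps` bytes (greedy stand-in for DBSCAN); keep clusters seen exactly once per event."""
    clusters = []  # (dirs, members) with members = [(event, time, len1, len2)]
    for ev, pairs in enumerate(per_event_pairs):
        for t, (d1, l1), (d2, l2) in pairs:
            for dirs, members in clusters:
                if dirs == (d1, d2) and all(abs(l1 - a) <= eps and abs(l2 - b) <= eps for _, _, a, b in members):
                    members.append((ev, t, l1, l2))
                    break
            else:
                clusters.append(((d1, d2), [(ev, t, l1, l2)]))
    n, sig = len(per_event_pairs), []
    for (d1, d2), members in clusters:
        if len(members) == n and len({m[0] for m in members}) == n:
            l1s, l2s = [m[2] for m in members], [m[3] for m in members]
            sig.append((sum(m[1] for m in members), (d1, min(l1s), max(l1s)), (d2, min(l2s), max(l2s))))
    return [(p1, p2) for _, p1, p2 in sorted(sig)]  # ordered by when the pair occurs after the trigger

def fmt(sig):
    """Render in the deck's notation, e.g. C-556 S-1293 C-[364-365] S-[1061-1067]."""
    return " ".join(f"{d}-{lo}" if lo == hi else f"{d}-[{lo}-{hi}]" for pair in sig for d, lo, hi in pair)
```

`fmt(build_signature([extract_pairs(pk) for pk in filter_trace(TRACE, EVENT_TIMES)]))` yields `C-556 S-1293 C-[364-365] S-[1061-1067]`: the one-off pair and the keep-alive outside the window are dropped, and the drifting lengths become ranges.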

The PingPong System: PingPong Detection
- Signature (Arlo Camera): C-339 S-329 C-[364-365] S-[1061-1070] C-[271-273] S-[499-505]
- Network Trace: ... C-339 S-329 C-365 S-1065 ... C-272 S-500 ...
- Match Packet: C-339, S-329, then C-365 and S-1065 via Range-based Matching (C-365 falls in C-[364-365], S-1065 in S-[1061-1070])
- Match Sequence: C-339 S-329 C-365 S-1065 completes the First Sequence; C-272 S-500 (Range-based Matching) completes the Second Sequence
- Event Match: Matched Events Event 1 … Event n
- See paper for more detail
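An added example, my own code rather than the PingPong project's, of the detection steps above on a constructed trace: Match Packet with range-based length matching, Match Sequence inside one TCP connection, and Event Match across the signature's sequences. The " | " separator between the two sequences, the 15-second event window, consecutive-packet matching within a connection, and the trace are assumptions.

```python
# Added example, not the PingPong project's own code: range-based detection of a packet-level
# signature, following the deck's Match Packet -> Match Sequence -> Event Match steps.
import re
# Arlo Camera signature from the slides; " | " separating the two sequences is my notation.
SIG_TEXT = "C-339 S-329 C-[364-365] S-[1061-1070] | C-[271-273] S-[499-505]"
MAX_GAP_S = 15.0  # assumed: all sequences of one event start within this window
TRACE = [  # constructed; Packet = (time_s, tcp_conn_id, direction, length); 'C' = to cloud, 'S' = from cloud
    # event 1: both sequences present; C-365 and S-1065 fall inside the ranges
    (100.0, "a", "C", 339), (100.1, "a", "S", 329), (100.2, "a", "C", 365), (100.3, "a", "S", 1065),
    (101.0, "b", "C", 272), (101.1, "b", "S", 500),
    # second sequence with no preceding first sequence: not an event
    (50.0, "z", "C", 271), (50.1, "z", "S", 499),
    # near miss: C-366 is outside C-[364-365], so the first sequence never matches
    (200.0, "y", "C", 339), (200.1, "y", "S", 329), (200.2, "y", "C", 366), (200.3, "y", "S", 1065),
    (201.0, "w", "C", 272), (201.1, "w", "S", 500),
    # event 2: lengths at the range boundaries still match
    (300.0, "c", "C", 339), (300.1, "c", "S", 329), (300.2, "c", "C", 364), (300.3, "c", "S", 1070),
    (301.0, "d", "C", 273), (301.1, "d", "S", 505),
]

def parse_signature(text):
    """'C-[364-365]' -> ('C', 364, 365); 'S-329' -> ('S', 329, 329); one list per sequence."""
    sig = []
    for seq in text.split("|"):
        pkts = []
        for tok in seq.split():
            m = re.fullmatch(r"([CS])-(?:\[(\d+)-(\d+)\]|(\d+))", tok)
            if not m: raise ValueError(f"bad signature token: {tok}")
            d, lo, hi, single = m.groups()
            pkts.append((d, int(lo or single), int(hi or single)))
        sig.append(pkts)
    return sig

def match_packet(pkt, sig_pkt):
    """Match Packet: same direction and a length inside the signature's [lo, hi] range."""
    return pkt[2] == sig_pkt[0] and sig_pkt[1] <= pkt[3] <= sig_pkt[2]

def match_sequence(conn_pkts, start, seq):
    """Match Sequence: `seq` matches consecutive packets of one TCP connection from `start`."""
    return start + len(seq) <= len(conn_pkts) and all(match_packet(p, s) for p, s in zip(conn_pkts[start:], seq))

def detect_events(trace, sig):
    """Event Match: sequences matched in order within MAX_GAP_S; returns each event's start time."""
    by_conn = {}
    for p in sorted(trace): by_conn.setdefault(p[1], []).append(p)
    hits = sorted((pkts[i][0], k) for pkts in by_conn.values()  # (start time, sequence index)
                  for i in range(len(pkts)) for k, seq in enumerate(sig) if match_sequence(pkts, i, seq))
    events, partial = [], []  # partial: start times of the sequences matched so far
    for t, k in hits:
        if k == 0:
            partial = [t]
        elif partial and k == len(partial) and t - partial[0] <= MAX_GAP_S:
            partial.append(t)
        if len(partial) == len(sig):  # every sequence of the signature seen in order: one event
            events.append(partial[0])
            partial = []
    return events
```

`detect_events(TRACE, parse_signature(SIG_TEXT))` returns `[100.0, 300.0]`: the stray second sequence and the out-of-range near miss are rejected, while the boundary lengths of event 2 still match.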

Possible Defenses
- Not too effective defense
  ○ VPN
  ○ Traffic injection and shaping
- More effective defense
  ○ Packet padding
    ■ Obfuscate packet lengths
- See paper for detail