Title :
A passive technique for fingerprinting wireless devices with Wired-side Observations
Author :
Uluagac, A. Selcuk ; Radhakrishnan, Sakthi V. ; Corbett, Cherita ; Baca, Antony ; Beyah, Raheem
Author_Institution :
GT CAP Group, Georgia Inst. of Technol., Atlanta, GA, USA
Abstract :
In this paper, we introduce GTID, a technique that passively fingerprints wireless devices and their types from the wired backbone. GTID exploits the heterogeneity of devices, which is a function of different device hardware compositions and variations in devices' clock skew. We use statistical techniques to create unique, reproducible device and device type signatures that represent time-variant behavior in network traffic and use artificial neural networks (ANNs) to classify devices and device types. We demonstrate the efficacy of our technique on both an isolated testbed and a live campus network (during peak hours) using a corpus of 27 devices representing a wide range of device classes. We collected more than 100 GB of traffic captures for ANN training and classification. We assert that for any fingerprinting technique to be practical, it must be able to detect previously unseen devices (i.e., devices for which no stored signature is available) and must be able to withstand various attacks. GTID is the first fingerprinting technique to detect previously unseen devices and to illustrate its resilience under various attacker models. We measure the performance of GTID by considering accuracy, recall, and processing time and illustrate how it can be used to complement existing authentication systems and to detect counterfeit devices.
Keywords :
neural nets; radiocommunication; statistical analysis; telecommunication computing; telecommunication security; ANN classification; ANN training; GTID fingerprinting technique; artificial neural networks; attacker model; authentication systems; counterfeit device detection; device class range; device classification; device clock skew; device hardware composition; device heterogeneity; device-type signature; isolated testbed; live campus network; network traffic; passive technique; statistical technique; time-variant behavior; traffic captures; wired-side observations; wireless device fingerprinting; Clocks; Communication system security; Object recognition; Protocols; Security; Vectors; Wireless communication; Access Control; Device Fingerprinting; Device Type Fingerprinting; GTID; Wireless Device Fingerprinting;
Conference_Title :
Communications and Network Security (CNS), 2013 IEEE Conference on
Conference_Location :
National Harbor, MD
DOI :
10.1109/CNS.2013.6682720