Design of a Framework to Detect Device Spoofing Attacks Using Network Characteristics

This article proposes a generic framework to detect device spoofing attacks using physical network characteristics that are hard for an attacker to mimic, including received signal strength indicator and round trip time. A technological challenge with this approach is that those values can change over time and affect the detection accuracy. To overcome this challenge, we obtained the similarity of subsequent network behaviors by using a time series similarity measure. Our method continuously monitors physical network characteristics of a device, and looks for significant changes made in those monitored characteristics. Detected changes would indicate that a suspicious activity (e.g., device spoofing) has occurred. To demonstrate our implementation, we thoroughly tested the proposed framework on ZigBee (IEEE 802.15.4) wireless networks. We achieved a high F-measure accuracy of 0.96 when spoofing devices were located more than 5 m away from original devices.