Physical layer identification: methodology, security, and origin of variation

It is common practice to limit solutions for most problems in computer and network security to the purview of the digital domain. Certainly, digital solutions offer much in the way of addressing the security concerns associated with computer and network monitoring and access control. In many areas, however, the available techniques are limited because of their digital nature: authentication schemes are vulnerable to the theft of digital tokens; intrusion detection systems can be thwarted by spoofing or impersonating devices; forensic analysis is incapable of demonstrably tying a particular device to a specific network connection after the fact; and assurance monitoring systems can only provide notification of failures rather than impending failures. In order to address these concerns researchers have proposed, in work falling under the general heading of physical layer identification (PLI), that the signaling behavior of digital devices manifested at the physical layer be used for identification and monitoring purposes. This work presents a secure methodology, capable of reliably identifying and tracking wired Ethernet cards of the same make and model to a high degree of accuracy, which may be used to corroborate higher layer mechanisms used in authentication and intrusion detection. A framework is also devised, and applied to this methodology, to judge the security of a PLI scheme by determining how resistant it is to forgery attacks using arbitrary waveform generators. While a PLI scheme must be resistant to attack, it must also be able to identify the preponderance of devices within a given population to be of any practical value. Therefore, a technique, based upon the signalling behaviour specified for Ethernet devices in the IEEE 802.3 standard, is set forth for estimating the theoretical number of devices the methodology is capable of distinguishing between. Finally, if it can be understood how the individual components of a device give rise to differences in device behaviour, it should be possible to not only model devices for the purposes of creating new identification and tracking methodologies, but perhaps also allow the community to determine exactly which components should be modified to create device signals resistant to forgery. With this in mind, a methodology is proposed that describes how a device component should be measured to create a model that captures its signalling behaviour, as well as how it can be determined whether or not, and to what extent, the component shapes the device's identity.