Physical Security Perimeters for Wireless Local Area …mlsichit/Research/Publications/losecIJNS.pdf · International Journal of Network Security, Vol.3, ... Physical Security Perimeters

International Journal of Network Security, Vol.3, No.2, PP.124–135, Sept. 2006 (http://isrc.nchu.edu.tw/ijns/) 124

Physical Security Perimeters for Wireless Local

Area Networks

Vishal Bhargava and Mihail L. Sichitiu

(Corresponding author: Vishal Bhargava)

Department of Electrical and Computer Engineering, North Carolina State University

Raleigh, NC - 27695, USA (Email: [email protected], [email protected])

(Received Aug. 11, 2005; revised and accepted Oct. 1, 2005)

Abstract

On a wired network, physical authentication is implic-itly provided by access: if a user is able to plug a cableinto a network socket, he must have cleared other secu-rity checks such as the receptionist and/or locked doors.In the case of a wireless local area network (WLAN), thesignal propagation is not limited by a fixed boundary, andunauthorized access from outside the security perimeteris possible, and in many instances facile. In this paper, wepresent a probabilistic technique for localization of usersin a WLAN. The presented technique is able to iden-tify intruders based on their location, and thus success-fully defend a “parking lot” attack. The approach relieson a probabilistic mapping from received signal strength(RSSI) to location. Calibration inside and around thesecurity perimeter must precede the localization phase.During the localization phase, the RSSI of all the WLANusers is measured by multiple monitoring stations posi-tioned to provide an overlapping coverage of the area (theaccess points needed to provide the WLAN coverage candouble as monitoring stations). A Bayesian technique isused to estimate the location of the unsuspecting mobileuser, and the position estimate of each user is updatedwith every new RSSI measurement at any of the monitor-ing stations. The presented approach is server-based, i.e.,it works without the knowledge or cooperation of the userbeing tracked, thereby enabling the proposed security ap-plication, as well as location-aware services. Validationof the concepts was implemented using an experimentaltested in an office environment. The results demonstratethe ability of the proposed technique to estimate the userlocation to a very high degree of accuracy.

Keywords: Active attacker, localization, physical securityperimeter

1 Introduction

Wireless Local Area Networks (WLANs), (especiallythose compatible with IEEE 802.11 [12]) are fast becom-

ing the networks of choice for enterprises, small offices andhouseholds all over the world. With a variety of avail-able inexpensive hardware, WLANs are facing tremen-dous growth, which is expected to continue in the future.The lack of cables makes WLANs easy to install for sys-tem administrators and, at the same time, offer mobilityand flexibility for the users. This kind of portability at areasonable price, without a noticeable drop in bandwidth,has been mainly responsible for WLAN’s widespread us-age in the home environment.

Unfortunately, with the advent of WLANs, arises theissue of security in a wireless environment. Security inWLANs takes center stage, due to its inherent broadcastmechanism. Every packet that is transmitted can be eas-ily captured by any receiver in its range. Most WLANsdo offer some form of security; but as their popularityhas increased, a host of flaws have been identified bothin the standards, as well as in the implementation of thestandards [1, 6, 8, 19].

Intending to correct the flaws discovered in the securityof IEEE 802.11, a number of authentication and encryp-tion schemes have been proposed and/or are in the processof standardization: 802.1X, EAP, MAC filtering, 802.11i,TKIP, etc. [5]. A common flaw of all password-based se-curity systems is that the passwords may be poorly chosenor can be obtained through social engineering. Our goal isnot to replace those schemes, but rather to enhance theireffectiveness, by creating a virtual security perimeter in-side a physical security perimeter.

The lack of physical boundaries of WLANs creates sig-nificant security issues for system administrators. Sincethe signal range cannot be easily controlled, it is likelythat the signal will extend beyond the boundaries cre-ated by wired LANs. This leaves the system open towhat is commonly known as the parking lot attack (Fig-ure 1). In a parking lot attack, an attacker can eaves-drop on WLAN communication by setting up a laptopwith a WLAN adapter in the communication range ofthe WLAN.

One important feature that is missing from all of theexisting proposals for security is the ability to distin-


Internet

Internal Host

Atacker

Firewall

Physical Security Perimeter

Access Point

Parking Lot

CorporateLAN

� ��

Figure 1: The parking lot attack

guish between the users located within a physical secu-rity perimeter and those outside such a perimeter. Sucha feature can be used to implementing access restrictionbased on the physical location of the user. If users outsidethe security perimeter are not allowed to connect to theorganization’s WLAN, it would become much more dif-ficult for an attacker to access the network from outsidethe security perimeter.

In this paper, we propose an algorithm to localize andtrack a user based on the signal strengths of the packetsthat he transmits, and thus be able to block the networkaccess of an attacker based on his physical location. Theproposed approach aims to restore the properties of thephysical security perimeter that was lost with the intro-duction of wireless networks: only users inside the phys-ical security perimeter would be allowed access, while allother users would be denied access. The solution pre-sented does not require custom equipment; in some cases,only a firmware upgrade of the access points is needed.Alternatively, special monitoring stations might be de-ployed. The system works without the cooperation (pos-sibly even without the knowledge) of the WLAN users.Since the monitoring stations are passive, it is impossibleto detect their presence from the users’ point of view.

The emphasis of our work is not on achieving finegrained localization (with precision of a few centime-ters), since it is not essential for authentication. The fo-cus of our work is on achieving coarse localization thatcan answer with high reliability the question, “Is theuser inside or outside the security perimeter?” To an-swer this question we propose a “reverse localization” al-gorithm that combines Bayesian localization techniques

with emergency cellular localization ideas (the base sta-tions collaborate to localize the user, rather than the useractively localizing itself, like in GPS).

The main drawback of the proposed approach is thatit can be used to locate and track only an active attacker.If the attacker is passive i.e., just eavesdropping, it is im-possible to detect him (with this or any other technique).While passive attackers can be extremely dangerous bygathering sensitive information, arguably, the active at-tackers can cause the maximum amount of damage. Fur-thermore, the approach is only applicable if the coveragearea is protected by a physical security perimeter (e.g., abuilding or a military base), thus being not suitable forpublic access WLANs (e.g., airports, hot-spots, etc.).

The paper is organized as follows: Section 2 discussesthe related work in the area of localization. Section 3presents our proposed localization algorithm. Thereafter,we present the results of our tracking and localizationexperiments in Section 4. Section 5 concludes the paper.

2 Related Work

The localization field is a rather mature field, with sig-nificant research activity in many application areas Theproblem is known in literature under many names, includ-ing localization, locationing, geolocation, positioning, etc.An excellent survey of the area was published a couple ofyears ago [10].

The Global Positioning System (GPS) is perhaps themost well-known positioning system currently in use.

The US Federal Communications Commission’s E911


Table 1: Classification of RF-based localization tech-niques

Indoor OutdoorHost-based RADAR, etc GPS

Server-based Proposed technique E911 services

telecommunication initiatives require that wireless phoneproviders develop a way to locate any phone that makes a911 emergency call. Significant research was thus gearedtowards localizing the cellular phone users in outdoor en-vironments. Many applications call for indoor solutionsto the problem of localization. Nowadays, many com-panies offer a variety of solutions based on visual track-ing, ultrasound, or even radios with dedicated hardware[7, 11, 14, 17, 18, 20, 21]. The popularity of WLANs,(especially of the IEEE 802.11 standard), sparked a sig-nificant interest in indoor localization systems based onthe already available 802.11 access points (used for radiocoverage of a larger WLAN) [3, 4, 9, 15, 16].

According to [10], the localization systems can be clas-sified in host-based and server-based systems. In a host-based system, the users gather information from the in-frastructure with the goal of localizing themselves; a clas-sical example is the GPS system. In a server-based sys-tem, the infrastructure gathers information from the usersand determines the location of the users; such systems arepresented, for example, in [3, 4, 9, 15, 16]. Similarly, theRSSI-based localization systems can be classified in out-door and indoor systems. The main difference betweenthe two types of systems is that outdoors, many times,the assumption of a circular propagation pattern holds.In this paper we are presenting a server-based, indoor lo-calization system (see Table 1), and evaluate its suitabil-ity for a physical authentication system. The localizationsystem can have many other applications, e.g., tracking ofinventory items, personnel, location aware services, etc.

3 Proposed Approach

In the proposed approach we use a network of monitor-ing stations spread over the coverage area of the WLAN.Each monitoring station listens on the wireless medium,and captures all packets that are correctly received (theyoperate in “promiscuous” mode, i.e., it does not filter thereceived packets by its own MAC address). Upon the re-ceipt of a packet, the monitoring station also measuresthe RSSI associated with that packet, and it then sendsthe MAC address of the sender and the RSSI measure-ment to a central server that combines the informationfrom all monitoring stations into a best estimate of theposition of all users (both authorized users and attackers).A system administrator can thus create policies denyingWLAN access to users outside certain areas (see Figure2).

The proposed localization and tracking technique can

Firewall

Internet

Monitoring Stations

Aggregation Station

Intruder

Figure 2: Intrusion detection based on user localization

be divided into two phases:

• The calibration (sometimes referred to as the “finger-printing”) phase; the purpose of the calibration phaseis to collect labeled data (packets labeled with thelocation of the sender) from different points spreadover the tested, and then filter this data into a usableform for the localization phase.

• The localization phase; the goal of the localizationphase is to estimate the location of the source(s) ofunlabeled data (i.e., any 802.11 packet). Somewhatsimilar to the approach presented in [15], we followa Bayesian approach for dynamic state estimation.The state of the system, at any given time, is repre-sented by a probability distribution function definedas the probability of a sender being present in a givenarea. The state is updated as a function of the pre-vious state and new data measurements. We haveused a recursive filtering approach, in which each newmeasurement is processed individually, and the re-ceived data is processed sequentially rather than asa batch.

3.1 Calibration

The calibration (or finger-printing) phase is a key step inwhich the system “learns” the mapping of the probabilitydensity function as a function of the RSSI. In this phase,labeled data (location of the sender of a packet and thereceived signal strength) is collected, and processed into asimplified form that will later be used by the localizationphase to estimate the position of the wireless user in real-time.

In practical terms, in the calibration phase, a mobilenode periodically broadcasts its position at different po-sitions in the tested; each of the monitoring stations cap-tures these packets along with the RSSI corresponding tothe packet. This information is further sent to the serverfrom each of the monitoring stations. Corresponding toeach packet received by a monitoring station, a tuple con-sisting of the location (x,y coordinates), RSSI and the


monitoring station identifier (MSID) of the MS that cap-tures the packet is sent to the server. An almost equalnumber of labeled packets with varying RSSI is expectedat each of the monitoring stations, if they are spread uni-formly over the tested and have an almost equal range.The packets are collected both from “inside” as well from“outside” the physical security perimeter.

For simplicity, assume that the tested is divided intoan N × N grid represented as a matrix, each elementof a matrix corresponding to a square of the surface ofthe tested. After the calibration phase the server willhave a database with one entry for each packet receivedby a monitoring station, each entry being of the form(< x, y >, MSID, RSSI), where < x, y > is the locationof the mobile station at the time when the packet wassent, MSID is the identifier of the monitoring station thatreceived the packet (more than one monitoring stationmay receive a packet), and RSSI is the received signalstrength of the received packet received.

For a collection of data elements with a constantMSID=MSi and a constant RSSI=λ, let ηi,j be the num-ber of elements at location (i, j) on the X-Y plane. Inthis case, corresponding to a packet received by monitor-ing station MSi with a signal strength λ, the probabilitythat the user is at position (x, y) is:

pi,λ(x, y) =ηx,y

∑i=N

i=1

∑j=N

j=1ηi,j

. (1)

During the localization phase, these measurements be-come constraints on the position estimates of the users.Thus, the constraint c(n) resulting from capturing the nth

packet is:

c(n) =

p(x1, y1) p(x2, y1) . . . p(xN , y1)p(x1, y2) p(x2, y2) . . . p(xN , y2)

......

. . ....

p(x1, yN ) p(x2, yN) . . . p(xN , yN )

,

where p(x, y) is given by Equation (1).It would be very tedious and error prone to send cali-

bration data from each square of the N × N matrix. In-stead we collect data from a relatively small, approxi-mately uniformly distributed, points and interpolate theresults using a Gaussian filter [13] similar to the one de-scribed in Section 3.2.1.

3.2 Localization

In the localization phase, each monitoring station uponthe reception of a packet will send at the server a tripletwith the MAC address of the sender of the received packet(readily available in the 802.11 MAC header), the signalstrength of the packet and the monitoring station identi-fier. The goal of the server is to determine the probabilitydistribution function for each user by combining the datacollected from multiple monitoring stations.

We define the position estimate of a user z(n), afterthe server received the nth measurement from that user

Figure 3: 2-D Gaussian distribution with mean (0,0) andσ = 1

as the probability density function (pdf) of the positionon the X-Y plane. We chose to represent this probabilityas a two-dimensional matrix:

z(n) =

p(x1, y1) p(x2, y1) . . . p(xN , y1)p(x1, y2) p(x2, y2) . . . p(xN , y2)

......

. . ....

p(x1, yN ) p(x2, yN) . . . p(xN , yN )

,

where p(xi, yi) is the probability of finding the user atlocation (xi, yi).

For localization, we define a model that relates thisstate with the corresponding tuples (MSID, RSSI) re-ceived from the monitoring stations. We also considerthe change in state over time, due to movement of themobile node. Any algorithm concerning a dynamic sys-tem consists of at least two models [2]:

• System model - a model describing the evolution ofthe state with time;

• Measurement model - a model relating each measure-ment with the change in state.

3.2.1 System Model

We assume that the mobile nodes that we aim to trackare mobile, and that their random movement has a normaldistribution, centered at the starting location. Thus, weperiodically perform the convolution of the state with aGaussian filter. The effect of this convolution operation isthe “spreading” of the position estimate of a user reflect-ing the increase in the uncertainty due to user movement.In 2-dimension, an isotropic Gaussian (see Figure 3) is ofthe form

G(x, y) =1

2πσ2e−

x2+y

2

2σ2 .

Thus, the state is periodically updated:

z(n + 1) = z(n) ∗ G, (2)

where, by ∗ we denote the convolution function.


3.2.2 Measurement Model

The measurement model defines the relationship of thestate estimate to successive measurements. Section 3.1describes the algorithm to compute the constraints overthe X-Y plane for a given pair of RSSI and MSID values.The computed 2-dimensional constraint is used to updatethe position estimate of the node:

z(n + 1) = z(n) ∩ c(n), (3)

where z(n+1) is the new position estimate, z(n) is the oldposition estimate, and c(n) is constraint resulting fromthe measurement. The position estimate is initializedwith a uniform distribution:

z(0) =1

N2

1 1 . . . 11 1 . . . 1...

.... . .

...1 1 . . . 1

. (4)

An important factor that has to be considered whiledeveloping an algorithm is the reproducibility of the ex-perimental data. With 802.11 wireless cards (as withpractically all wireless transceivers) there is a significantvariance in the RSSI over time. Thus, for every receivedsignal strength λ we average all constraints resulting fromsignal strengths between λ − β and λ + β.Summary

The localization algorithm, including the system modeland the measurement model, can be summarized as:

1) Initialize the position estimate (z(0)) as the entirespace (as in Equation (4)).

2) For each packet received from a monitoring station:

• if the packet received from monitoring stationMSi with RSS λi, calculate the average con-straint c(n) by averaging over the constraints inthe range [λi − σ . . . λi + σ]; and

• update the position estimate z(n+1) accordingto Equation (3);

3) Periodically, update the system model as Equa-tion (2).

4) Goto Step 2.

Once the localization procedure results in position es-timates, is relatively easy to exclude (either at the accesspoints, or at the common switch/router) all users localoutside the security perimeter.

A denial of service attack that uses the proposed sys-tem can be imagined. An attacker can capture the MACaddress of a legitimate user and transmit packets fromoutside the security perimeter. The system will then lo-calize the attacker and deny access both to the attackerand the legitimate user. However, this is arguably betterthan allowing both of them access to the network.

BS1

BS2

BS3BS4

361

BS5

Figure 4: The experimental tested

4 Experimental Setup and Re-

sults

Initially we planned to use a network simulator to evaluatethe performance of such a system. However, all currentnetwork simulators have inadequate physical layer modelsfor indoor environments. Hence, in order to evaluate theperformance of the system, we decided to implement asystem prototype.

4.1 Experimental Setup

The experimental setup consists of five monitoring sta-tions (MS), a mobile node (MN), and a server. The MNis connected at the campus WLAN, and any packet beingtransmitted by the mobile node is received by the MSs.Each MS has a wireless as well as a wired interface. Itcaptures all packets on the wireless interface and trans-mits the RSSI, Source MAC and MSID tuple to the server,using the wired network. The server which is connectedto the monitoring stations via the wired network, receivesand processes the information to estimate the location ofthe MNs.

The experimental tested is located on the third floor ofthe Electrical and Computer Engineering Department inDaniels Hall. We have limited the experimental area totwo perpendicular corridors of the Department (Figure 4).We set up a network of 5 monitoring stations relatively


uniformly distributed over the tested. The monitoringstations are placed in such a way that their range cov-ers the entire tested. Our aim is to track WLAN usersanywhere along the two corridors, and in the adjoiningrooms. The yellow area, Room No. 361, acts as the ex-perimental “outside the perimeter” for the purpose of ourtested. Figure 4 shows a floor map of our tested. Themap in Figure 4 is divided into a grid 100× 100; whereasthe dimensions in reality are 66m × 73m. Each cell isthus 0.66m on the x-axis and 0.73m on the y-axis. Theposition of the calibration readings is shown with smallred circles in Figure 4.

• Monitoring Station: The setup consists of an iPAQ(Model No. H3870) connected to a computer, viaa serial link supporting data transfer rates of up to115 Kbps. Each iPAQ is equipped with an Orinocogold Classic PC card for capturing the packets of thetracked users. The iPAQs run Familiar Linux 0.6(Opie) with kernel 2.4.18-rmk3. Each of the comput-ers attached to the iPAQ has a 333 MHz Pentium IIprocessor, running RedHat Linux 7.3 (kernel 2.4.18-3).

• Server: Our server is a desktop with a 2.4 GHz IntelPentium 4 processor, 512 MB RAM, running RedHatLinux 7.3 (kernel 2.4.18-3).

• Mobile Node: A laptop with a 1.8 GHz Intel Pen-tium 4m processor, 256 MB RAM, running RedHatLinux 8.0 (kernel 2.4.18-14), acts as the mobile node.A Cisco Aironet 350 series PC card is used as thetransmitter (the Cisco cards are capable of varyingtheir transmission power).

The goal of our experiment is to locate an intruderand identify whether he is inside or outside a given secu-rity perimeter with a very high degree of reliability. Forour implementation, we set the security perimeter as theboundary of Room No. 361 (Figure 4). A user inside theroom is considered an intruder. In order to compare theestimated position of the user with his real coordinates,the real position of the user has to be known. A utilityenabling the user to specify his real position by clicking onthe map, was developed. This position was considered asthe “real position” of the user and compared with the es-timated position, which is calculated using the measuredRSSI of each of the packets transmitted by the user.

The following metrics are used to judge the efficacy ofour implementation.

• Error of location estimate defined as the Euclideandistance between the real position of the user andthe estimated position given by our implementation.The performance of the algorithm with respect to theerror in estimation can be visualized by plotting thepercentile of the error estimate against the error indistance. Another measure that reflects the perfor-mance is the average error in estimating the user’slocation.

• Misinterpretation of position: A misinterpretationoccurs when the actual position of the user is dif-ferent from the estimated position, with respect tothe security perimeter. Misinterpretation of positioncan be of two types (a) False Positives and (b) FalseNegatives.

– A False Positive is the case when the esti-mated position of the user is outside the securityperimeter (positive), although the real positionof the user is inside.

– A False Negative is the case when the estimatedposition of the user is inside the security perime-ter (negative), although the user is actually out-side the security perimeter.

The probability of False Negatives is a very impor-tant metric, as the objective is to detect the intrudereffectively (a user outside the security perimeter). Itis more important to be able to detect and blockintruders without any exceptions than to allow a le-gitimate user close to the security perimeter (FalsePositives). The probability of False Negatives shouldideally be zero. The probability of False Positivesis also an important measure which would reflect theinconvenience caused to a legitimate user in the vicin-ity of the security perimeter. It is a measure of theprobability that if a user has been detected outsidethe perimeter, what is the chance that he is actuallya legitimate user inside the security perimeter.

During the implementation, a number of parametershad to be chosen. These design parameters can be di-vided into two sets corresponding to the calibration andlocalization processes.

One of the primary calibration parameters is σloc,which is the standard deviation for the Gaussian filterused to interpolate between the data-point measurements.During the data collection process, selected data pointsspread uniformly over the tested were chosen for the sakeof convenience and to reduce the time taken to calibratethe tested. A Gaussian filter was then applied over thecollected data, to generate new data points over the en-tire tested. Some of the factors to be considered whilechoosing σloc were:

• The indoor signal strength does not have a normaldistribution, as indoor obstructions (e.g., walls) causea significant attenuation in signal power. Thus, σloc

should be sufficiently small (< 0.5m) considering thefact that actual RSSI measurements can vary signifi-cantly across very short distances (e.g across a wall).

• RSSI variation is very small over short open spaces(e.g open corridors), and we did not observe a no-ticeable change in measured RSSI between locations2-3 meters apart. This would lead us to set σloc toas much as 2-3m.


• In our implementation, our cell size is about 0.65mon the X-axis and 0.70m on the Y-axis. When weapply the Gaussian filter, we scale the Y-axis corre-spondingly to make the filter circular in nature, andthus keep a unit on the Y-axis equivalent to the uniton the X-axis, which is 0.65m.

Considering these factors, we choose the value of σloc =1m which is a compromise solution considering the abovefactors. Thus, σloc ≈ 1.5 cell units.

The system model for the localization process was dis-cussed in Section 3.2.1. The system model helps in con-tinuous tracking of the mobile user. The main parameterin this model is σsys, which is the standard deviation ofthe Gaussian filter that is applied to the probability dis-tribution matrix of the user at periodic (one second inour case) intervals. The Gaussian filter is applied to ac-count for the movement of the user and to track the user.Thus, assuming that with a 97% probability that the mo-bile user does not move at a speed of more than 3m/s, wekeep 3σsys = 3m, therefore σsys = 1m. Thus, σsys ≈ 1.5units.

The measurement model (Section 3.2.2) describes ourapproach at finding the constraint matrix to update theestimated position every time a new packet is received.The constraint matrix is calculated by averaging prob-ability density matrices for a range of RSSI values overwhich we can assume the RSSI to vary for the same loca-tion. During calibration, a large number of packets werecollected for every position rotating the laptop aroundthe point to account for variation in RSSI due to the di-rectionality of the wireless adapter. This data collectionmethod causes a variation in the RSSI, but it might notbe sufficient to reflect the variation in RSSI over time. Wenoticed that the range of values we collected from the MSshow a maximum variation in RSSI, (β) of about threeunits. Thus, to produce a constraint we will average theconstraints from 2β = 6 different RSSI values, (similar tothe deviation in RSSI assumed in [4]).

Thus, the main three parameters that may affect theresults of the proposed algorithm are chosen as:

σloc = 1.5,

σsys = 1.5,

β = 3,

where the units are a function of the cell size.

4.2 Experimental Results

Figure 5 shows the cumulative probability of the localiza-tion error, i.e., on the y axis there is the probability thatthe localization error is smaller than the value on the x

axis. There is a 30% chance that the estimated locationis less than 0.95m from the real position, at least 50% ofthe errors are less than 1.5m, and 90% less than 3.3m.The average estimation error is 1.73m. Other metrics toobserve are:

0

10

20

30

40

50

60

70

80

90

100

0 1 2 3 4 5 6 7 8 9

Cum

ulat

ive

Prob

abili

ty(%

)

Error (m)

Cumulative Probability vs Error

Cumulative Probability

Figure 5: Cumulative Probability of Error vs. Error inestimation σloc = 1.5, σsys = 1.5 and β = 3

• False Negatives = 0. This means a 0% error in re-liably estimating if the user is outside the securityperimeter. Thus, we are reliably able to determine ifthe user is outside the security perimeter.

• False Positives = 10.4%. This translates to an ap-proximately 10% chance that the user, who has beenestimated to be outside the security perimeter, is ac-tually inside the perimeter. When the user is close tothe edge of the security perimeter, or standing closeto an exit, he could be mistakenly identified as beingoutside the perimeter. This relatively high numberof False Positives is mainly due to the inaccuraciesin measuring the real position of the user during themeasurements.

4.3 The Effect of Variation in Design Pa-

rameters

In this section, we evaluate the effect of the design param-eters on the metrics of interest (localization error, FalsePositives and False Negatives). We will change one pa-rameter at a time, while keeping the other parametersconstant.

1.5

2

2.5

3

3.5

4

4.5

5

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5

Ave

rage

Err

or(m

)

σloc

Average Error

Figure 6: Variation of average localization error vs varia-tion in standard deviation of the Gaussian filter used forcalibration (σloc), with σsys = 1.5 and β = 3


4.3.1 The Effect of the Variation of the StandardDeviation of the Gaussian Filter used forCalibration (σloc)

Figure 6 shows that the average error in estimation in-creases with an increase in the standard deviation (σloc)for the Gaussian filter used in the calibration process.The average error does not increase with the decrease ofσloc due to the relatively dense data points collected dur-ing the calibration phase (i.e., interpolation is not reallyneeded). On the other hand, when σloc increases, we ef-fectively reduce the resolution of the system during thecalibration phase. The possibility of a wrong estimate in-creases as multiple locations might have a similar set ofRSSI values.

5

10

15

20

25

30

35

40

45

50

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5

Pro

babi

lity

of F

alse

Pos

itive

s(%

)

σloc

Probability of False Positive

Figure 7: The effect of varying the standard deviation ofthe Gaussian filter used in calibration (σloc) on probabil-ity of false positives, keeping σsys = 1.5 and β = 3

In Figure 7, we observe that the False Positives in-crease with an increase in the standard deviation of theGaussian filter used for σloc. Figure 7 closely correlateswell with Figure 6, (the average error). As the error ofestimation increases, we see an increase in the number ofFalse Positives.

An interesting observation is that the probability ofFalse Negatives remains zero when varying σloc. Thiscould be due to the large difference in measured RSSIwhen the user is outside the security perimeter(i.e in roomNo.361 for our implementation) and when it is inside, be-cause of the presence of two monitoring stations in Room361. None of the points outside Room 361 (i.e., insidethe security perimeter) would provide an alternate solu-tion for the set of RSSIs because of the large differencein RSSI inside and outside the room. Also, the effect onthe estimated position is minimal because we use a cir-cular Gaussian filter which spreads the values circularlyover the region, and the mean remains the same. If theprobability density is very high inside a particular area,the estimated position would remain in the area even onapplying a Gaussian filter with a high standard deviation.

1.5

2

2.5

3

3.5

4

0 1 2 3 4 5 6 7 8 9

Ave

rage

Err

or(m

)

σsys

Average Error

Figure 8: The effect of varying the standard deviationof the Gaussian filter in the system model(σsys) on theaverage localization error, with σloc = 1.5 and β = 3

0

10

20

30

40

50

60

70

80

90

100

0 10 20 30 40 50 60

Cum

ulat

ive

Pro

babi

lity

of E

rror

(%)

Error in Estimation (m)

0.20.40.81.21.52.02.42.4

4579

Figure 9: Effect of varying σsys on the Error distribution,σloc = 1.5 and β = 3

4.3.2 The Effect of Varying the Standard Devia-tion used for Gaussian Filtering in the Sys-tem Model (σsys)

In Figure 8, we observe that the average error in estima-tion has a minimum for σsys ≈ 0.8. The value of theminimum is dependent on the average speed of the userduring the test-run. While assuming σsys = 1.5 in Sec-tion 4.1, we assumed the maximum speed of a user to be3 m/s for calculating a σsys, which would lead to a stablesystem enabling continuous tracking of the user. Whilecollecting data for the experiment, the average speed wasmuch lower. In this case, even though the minimum isclearly around σsys = 0.8, it is better to keep σsys highto maintain a stable system that can track mobile usersmoving at a higher speeds.

In Figure 10, it can be seen that the probability ofFalse Positives increases with the increase in the stan-dard deviation of the Gaussian filter used in the systemmodel. The probability of False Positives first decreaseson varying σsys from 0.2 to 0.3 and increases for valuesof σsys > 1. The decrease for values between 0.2 and 0.3can be attributed to the difference in the tracking speedwith respect to the actual average speed of the user dur-ing the course of the experimentation. The increase in


4

6

8

10

12

14

16

18

20

22

24

0 1 2 3 4 5 6 7 8 9

Pro

babi

lity

of F

alse

Pos

itive

s(%

)

σsys

Probability of False Positive

Figure 10: The effect of varying the standard deviation ofthe Gaussian filter used in the system model (σsys) on theprobability of False Positives, with σloc = 1.5 and β = 3

the probability of the False Positives with an increase inσsys can be attributed to the spreading of the probabilitydensities by the Gaussian filter. Even a slight change inthe estimated position can cause a sharp increase in thenumber of False Positives due to the rigid boundary.

Our model performs very well in deciding that usersthat are actually outside are outside the security perime-ter. The probability of False Negatives is always less thana 1%; in fact it is exactly equal to 0%, for 0.4 < σsys < 1.9.Thus, the system is able to locate the intruder that is out-side the security perimeter with 100% accuracy.

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0 1 2 3 4 5 6 7 8 9

Pro

babi

lity

of F

alse

Neg

ativ

es(%

)

σsys

Probability of False Negatives

Figure 11: Effect of varying the standard deviation of theGaussian filter used in the system model (σsys) on theprobability of False Negatives, with σloc = 1.5 and β = 3

4.3.3 The Effect of Varying the Range of themeasured Received Signal Strength (β)

Figure 12 shows that by varying the assumed variancein the RSS (β), the average error starts increasing afterβ > 6. In this case the resolution of the RSSI measure-ments is reduced and thus it is expected that the precisionof the localization will suffer. For 1 < β < 6, the aver-age error in estimate is almost constant. This means thatfor a specified location, the received signal strength at aparticular MS does not vary by more than 6 RSSI units.

1

2

3

4

5

6

7

8

9

0 5 10 15 20 25 30

Ave

rage

Err

or (

m)

β

Average Error

Figure 12: The effect of varying the assumed variancein RSS(β) on the Average Error, with σloc = 1.5 andσsys = 1.5

The average localization error is just as small for β = 1 asfor higher values of β. This somewhat unexpected resultcan be explained by the fact that during the data collec-tion process, we obtained data for calibration by sendinga large number of packets transmitted in different direc-tions. The natural variation in the RSSI of these packetsmight be satisfying almost the entire set of RSSI valuesthat can be recorded at a MS from a particular position.However, if we consider a zero deviation in RSSI, i.e., forβ = 0, the system is not able to locate the user and be-comes unstable.

0

10

20

30

40

50

60

70

0 5 10 15 20 25 30

Pro

babi

lity

of F

alse

Pos

itive

s(%

)

β

Probability of False Positives

Figure 13: Effect of β on False Positives, σloc = 1.5 andσsys = 1.5

Figure 13 shows the effect of varying β on the prob-ability of False Positives. We observe that even thoughthe average error in estimate hardly varies for 1 < β < 6,there is a drop in the number of False Positives for thesame region. This justifies our assumption of a variationin observed RSSI. The number of False Positives rises dra-matically as we increase β and it also corresponds withan increase in the average estimated error.

The probability of a False Negative is zero for all valuesof 2 < β < 30. At β = 1, there exists a small probabilityof 0.2%, of estimating the user inside the security perime-ter even though he is actually outside.


4.3.4 The Effect of Varying the TransmissionPower

If the system is calibrated at a certain transmission powerlevel, and the intruder accesses the network while using adifferent transmission power level, the system may not beable to localize it exactly. We decided to estimate the lo-calization error as a function of the transmission power ofthe WLAN users. Thus, we performed the calibration ata power level of 20mW, and then varied the transmissionpower levels of the mobile node from 1mW to 100mW andobserved the localization error.

The Cisco Aironet wireless adapter allowed us to varythe transmission power from 1mW to 100mW. All existingWLAN adapters use a transmission power in this range(using a higher power is basically useless as the accesspoints themselves use up to 100mW transmitters). Thus,in addition to robustness to power transmission level, thisexperiment reflect the robustness to different adapters (wealso verified with a Lucent Orinoco card). We observeda variation of about 10-12 units of RSSI between powerlevels of 1 mW and 100mW. This deviation is relativelysmall when compared to the deviation due to the changein location.

0

10

20

30

40

50

60

70

80

90

100

0 5 10 15 20 25 30 35

Pro

babi

lity

of E

rror

(%)

Error(m)

Power Level 1mWPower Level 5mW

Power Level 20mWPower Level 30mWPower Level 50mW

Power Level 100mW

Figure 14: The effect of varying transmission power onthe cumulative probability of the localization error, withσloc = 1.5, σsys = 3 and β = 7

0

2

4

6

8

10

12

14

0 10 20 30 40 50 60 70 80 90 100

Ave

rage

Err

or (

m)

Power (mW)

Average Error in Estimation

Figure 15: Average Error vs Transmission Power, withσloc = 1.5, σsys = 3 and β = 7

In Figure 14 and Figure 15, we see that the averageerror in estimation is the smallest for 20mW (the powerused during calibration). This is as expected. We had tokeep the β = 7 for the estimation to converge in the caseof 1mW and 100mW runs.

For a transmission power level of 1mW, the averageerror in position estimate is about 11.88m; it decreases to3.96m for 5mW and 1.8m for 20mW, and increases backto 4.2m at 100mW.

The probability of a False Positive for 20mW is about10%, which means that 10% of the estimated positionsoutside the security perimeter are actually inside theperimeter. This number increases to 60% at a power levelof 50mW.

The probability of a False Negative for 5mW is around5%, which is still low, but not 100% accurate. At powerlevels of 20mW, 30mW and 50mW, the probability of aFalse Negative is 0%, thus indicating that the intruder isalways detected.

Thus, the change in the power level at the transmitteris almost irrelevant for the accuracy of the proposed ap-proach. Essentially the path loss significantly out-weightsthe change in transmission power, and an attacker couldnot defeat the proposed approach by changing (even of-ten) its transmission power.

4.3.5 Fault Tolerance

To evaluate the effect of the failure of the monitoring sta-tions, we switch off two monitoring stations, one at a time.The MSs are shown in Figure 4. We consider two differentcases (a) MS3 failed and (b) MS3 and MS4 failed.

0

10

20

30

40

50

60

70

80

90

100

0 10 20 30 40 50 60

Cum

ulat

ive

Err

or

Error(m)

All MSsOne MS Failed(MS3)

Two MS Failed(MS3 and MS4)

Figure 16: The effect on performance of the localizationsystem with the failure of MSs, with σloc = 1.5, σsys = 3and β = 3

Figure 16 shows that the localization error increasesif there is a fault in the monitoring network. However,the localization process does not fail. Even when two outof the five MSs fail, we are able to locate the user withconsiderable accuracy.

• MS3 failed:Average Error = 2.56m, False Negatives = 0.16%,False Positives = 10.8%.


• MS3 and MS4 failed:Average Error = 5.52m, False Negatives = 0.25% andFalse Positives = 25.55%.

If more than two MSs fail, the system becomes unstableand only users in a small part of the tested are successfullylocated.

5 Conclusion

We proposed and implemented a novel server-based ap-proach to locate the users of a WLAN using only thereceived signal strength of packets transmitted by theWLAN users. Even though our initial intention was toprovide only a coarse-grained localization, and an ex-tremely reliable method to determine if a user is outsidethe defined security perimeter, our implementation wasable to locate and continuously track users with an aver-age error in estimated position of around 1.65m ≈ 5.4 feet,which is rather good for indoor localization in a WLAN.We were also able to achieve an almost 100% accuracyin identifying the intruder (user outside a fixed securityperimeter). The learning process in our approach, i.e., thecalibration phase, took about 30 minutes for our tested.Thus, this technique offers a very low lead time for deploy-ment of a new setup. We did not use any specialized hard-ware for the implementation, although we did use extramonitoring stations to detect the RSSI of the user’s pack-ets. The ideal implementation would be a small hardwareupgrade on the access points which would enable them todouble up as monitoring stations.

References

[1] W. A. Arbaugh, N. Shankar, and Y. J. Wan, “Your802.11 wireless network has no clothes,” IEEE Wire-less Communications, pp. 44V51, Dec. 2002.

[2] S. Arulampalam, S. Maskell, N. Gordon, andT. Clapp, “A tutorial on particle filters for on-linenon-linear/non-gaussian bayesian tracking,” IEEETransactions on Signal Processing, vol. 50, no. 2, pp.174-188, Feb. 2002.

[3] P. Bahl and V. N. Padmanabhan, “RADAR: An in-building RF-based user location and tracking sys-tem,” in Proceeding of Infocom’2000, vol. 2, pp. 775-584, Tel Aviv, Israel, Mar. 2000.

[4] P. Bahl and V. N. Padmanabhan, Enhancements tothe Radar User Location and Tracking System, Mi-crosoft Research Technical Report MSR-TR-2000-12,2000.

[5] L. Barken, How Secure is Your Wireless Network?,Prentice Hall, 2003.

[6] N. Borisov, I. Goldberg, and D. Wagner, InterceptingMobile Communications: The Insecurity of 802.11,http://www.isaac.cs. berkeley.edu/isaac/wep-faq.html, 2001.

[7] M. H. T. Darrell, G. Gordon and J. Woodfill, “Inte-grated person tracking using stereo, color, and pat-tern detection,” in Proceeding of Conf. ComputerVision and Pattern Recognition, pp. 601-608, LosAlamitos, CA, 1998.

[8] S. Fluhrer, I. Mantin, and A. Shamir, “Weaknessesin the key scheduling algorithm of RC4,” LNCS 2259,pp. 1V20, 2001.

[9] M. Helen, J. Latvala, H. Ikonen, and J. Niittylahti,“Using calibration in RSSI-based location trackingsystem,” in Proceeding of the 5th World Multiconfer-ence on Circuits, Systems, Communications & Com-puters (CSCC20001), 2001.

[10] J. Hightower and G. Borriello, “Location systems forubiquitous computing,” IEEE Computer, vol. 34, no.8, pp. 57-66, Aug. 2001.

[11] J. Hightower, R. Want, and G. Borriello, SpotON: AnIndoor 3D Location Sensing Technology Based on RFSignal Strength, Technical Report CSE 2000-02-02,University of Washington, Seattle, WA, Feb. 2000.

[12] IEEE, Wireless LAN Medium Access Control (MAC)and Physical Layer (PHY) Specification, IEEE Std.802.11, June 1999.

[13] K. Ito and K. Xiong, “ Gaussian filters for nonlin-ear filtering problems,” IEEE Transactions on Auto-matic Control, vol. 45, no. 5, pp. 910–927, May 2000.

[14] J. Krumm, S. Harris, B. Meyers, B. Brumitt,M. Hale, and S. Shafer, “Multi-camera multi-persontracking for easy living,” in Proceeding of 3rd IEEEIntl. Workshop on Visual Surveillance, pp. 3-10,2000.

[15] A. M. Ladd, K. E. Bekris, G. Marceau, A. Rudys,L. E. Kavraki, and D. Wallach, “Robotics-based lo-cation sensing using wireless ethernet,” in Proceedingof Eighth ACM International Conference on MobileComputing and Networking (MOBICOM 2002), pp.227-238, Atlanta, Georgia, Sept. 2002.

[16] J. Latvala, J. Syrjarinne, H. Ikonen, and J. Niitty-lahti, “Evaluation of RSSI-based human tracking,”in European Signal Processing Conference, pp. 2273-2277, 2000.

[17] R. Orr and G. Abowd, “The smart floor: A mech-anism for natural user identification and tracking,”in Proceeding of the 2000 Conf. Human Factors inComputing Systems (CHI 2000), pp. 275-276, 2000.

[18] K. Pahlavan, X. Li, and J. Makela, “Indoor geolo-cation science and technology,” IEEE Comm Soc.Mag., pp. 112-118, Feb. 2002.

[19] A. Stubblefield, J. Ioannidis, and A. Rubin, Using theFluhrer, Mantin, and Shamir Attack to Break WEP,ATT Labs Technical Report TD-4ZCPZZ, Revision2, Aug. 2001.

[20] A. Ward, A. Jones, and A. Hopper, “A new loca-tion technique for the active office,” IEEE PersonalCommunications, vol. 4, no. 5, pp. 42-47, Oct. 1997.

[21] J. Werb and C. Lanzl, “Designing a positioning sys-tem for finding things and people indoors,” IEEESpectrum, vol. 35, no. 9, pp. 71-78, Sept. 1998.


Vishal Bhargava received a BS de-gree in Electrical Engineering from theIndian Institute of Technology, Bom-bay and MS in Computer Networksfrom North Carolina State University.His research interests are in wirelessnetworking and equity trading. He iscurrently working in Internet market-

ing.

Mihail L. Sichitiu was born inBucharest, Romania. He received aB.E. and an M.S. in Electrical Engi-neering from the Polytechnic Univer-sity of Bucharest in 1995 and 1996 re-spectively. In May 2001, he received aPh.D. degree in Electrical Engineeringfrom the University of Notre Dame.

He is currently employed as an assistant professor in theDepartment of Electrical and Computer Engineering atNorth Carolina State University. His primary researchinterest is in wireless networking with emphasis on adhoc networking and wireless local area networks.

Documents

Physical Security Perimeters for Wireless Local Area …mlsichit/Research/Publications/losecIJNS.pdf · International Journal of Network Security, Vol.3, ... Physical Security Perimeters