Physical-Layer Identification of Wired Ethernet Devices

This work sets forth a systematic approach for the investigation and utilization of the signal characteristics of digital devices for use in a security context. A methodology, built upon an optimal detector, the matched filter, is proposed that allows for the reliable identification and tracking of wired Ethernet cards by use of their hardware signaling characteristics. The matched filter is found to be sensitive enough to differentiate between devices using only a single Ethernet frame; an adaptive thresholding strategy employing prediction intervals is used to cope with the stochastic nature of the signals. To demonstrate the validity of the methodology, and to determine which portions of the signal are useful for identification purposes, experiments were performed on three different models of 10/100 Ethernet cards, totaling 27 devices in all. In selecting the cards, an effort was made to maximize intramodel similarity and thus present a worst-case scenario. While the primary focus of the work is network-based authentication, forensic applications are also considered. By using data collected from the same devices at different times, it is shown that some models of cards can be reidentified even after a month has elapsed since they were last seen.