Differentiating ethernet devices through SNR maximization

The Detecting Intrusions at Layer ONe (DILON) project investigates the use of the digital and analog characteristics of digital devices for security purposes. To this end, we present a method capable of identifying Ethernet cards based upon minute variations in their network signaling resulting from hardware and manufacturing inconsistencies, using an optimal detector, the matched filter. Our results indicate that a matched filter can easily discriminate between Ethernet cards of different models, and with sufficient preprocessing of data, cards of the same model, to an acceptable degree of accuracy. Several non-traditional applications of the filter are presented in order to improve its ability to discriminate between signals from seemingly identical devices of the same manufacturing lot. The experimental results of applying these filters to three different models of Ethernet cards, totaling 16 devices, are presented and discussed. Important applications of this technology include intrusion detection (discovering node impersonation and network tampering), authentication (preventing unauthorized access to the physical network), forensic data collection (tying a physical device to a specific network incident), and assurance monitoring (determining whether a device will or is in the process of failing). Open questions include identifying, tracking, and adapting to long-term changes in system behavior caused by device aging, and how to cope with the intermittent connectivity of devices on the network