An Empirical study of clock skew behavior in modern mobile and hand-held devices

Abstract

Host identification, today, can be done at many layers of the network protocol stack depending on the identifiable parameter used for classification. But, these generally include fields from TCP/IP/MAC packets; that can be spoofed or manipulated very easily to misguide the identification process or include intolerable error into. Identification on wireless networks can be done with better precision by using physical layer, machine-dependent characteristics. We provide an empirical study of another such parameter, the host's clock information, that may lead to accurate identification of a host, among other applications. It is resistant to the earlier mentioned methods of spoofing, as clock information is very specific to the oscillator that generates it. We provide a simplification into the measurement technique of an already investigated approach of remote identification, to achieve lower error rates. We also provide a detailed study of clock skew behavior on a LAN, consisting of wired, wireless nodes and modern mobile and hand-held devices. To our knowledge, this work is the first in the mobile and hand-held device domain to identify such devices definitively. Clock skew based host identification can be put to many applications, that may be specific to each Enterprise network. For instance, aiding the network administrator in monitoring the network, malicious activity flagging mechanism for IDS's/IPS's, isolating unknown or new machines, keeping count of the number of active machines at any time for the purpose of say IP address allocation, associating virtual machines to their corresponding physical machines and so on.