
CHAPTER 8 Defending Against Identity-Based Attacks in Wireless Networks

chi-square variable with a noncentrality parameter $\mu_L$,

Equation 8-5

$$L = \frac{1}{\sigma^2}\left[\sum_{m=1}^{M}(h_{rm}+n_{rm})^2 + \sum_{m=1}^{M}(h_{im}+n_{im})^2\right] \sim \chi^2_{2M,\mu_L},$$

where $h_{rm}$ and $h_{im}$ are the real and imaginary parts of $(H_{EBm} - H_{ABm}e^{j\phi})$, respectively, and

$$\mu_L = \frac{1}{\sigma^2}\sum_{m=1}^{M}\left|H_{EBm} - H_{ABm}e^{j\phi}\right|^2.$$

Given the threshold $k$, the "false alarm rate" of declaring the terminal a spoofing node (i.e., Eve) is

Equation 8-6

$$P_{\text{Alice}}(L > k) = 1 - F_{\chi^2_{2M}}(k),$$

and the "miss detection rate" is

Equation 8-7

$$P_{\text{Eve}}(L < k) = F_{\chi^2_{2M,\mu_L}}(k),$$

where $F_X(\cdot)$ is the CDF of the random variable $X$.

To evaluate the feasibility of the channel-based spoofing detection method, Xiao et al. [26] simulated spatially variable channel responses using the WiSE ray-tracing tool and analyzed the ability of a receiver to discriminate between transmitters (users) based on their channel frequency responses in a given office environment. The experimental results show that, by measuring five frequency response samples over a bandwidth of 100 MHz and using a transmit power of 100 mW, valid users can be verified with 99% confidence while the spoofing node is detected with greater than 95% confidence.

The above channel-based authentication method considers a stationary, time-invariant channel and is subject to some limitations, such as environmental changes and terminal mobility. Several improvements are therefore investigated in [27–30]. In [27], moderate terminal mobility is considered under the assumption that the data frame duration is small enough to make the displacement of the transmitter (Alice) per frame much smaller than the channel decorrelation distance (i.e., $\lambda/2$), so that two consecutive channel responses are highly correlated. In addition to terminal mobility, Xiao et al. [29] considered channel time variations due to environmental changes, and Xiao et al. [30] considered the channel estimation errors due to interference from other radios. Moreover, multiple-input multiple-output (MIMO) techniques are investigated in [28] to improve the performance of channel-based authentication, because the use of multiple antennas provides extra dimensions of channel estimation data.

Besides the channel frequency response, other physical-layer information has also been proposed in the literature for authentication, so as to prevent spoofing attacks. For example, spectral analysis is proposed to identify the type of wireless network interface card (NIC), and thus discriminate among users with different NICs [31]. Similarly, Hall et al. [32] proposed using radio frequency fingerprinting to discriminate wireless devices according to the transient behavior of their transmitted signals.

8.4.2. Relationship-Based Detection of Spoofing Attacks

This approach involves using forge-resistant relationships at the medium access control (MAC) layer to detect potential spoofing. The strategy makes use of relationships associated with a stream of packets coming from an individual network identity. Whenever an adversary attempts to spoof a particular identity, the existence of multiple sources makes these relationships difficult for the adversary to control, thereby significantly increasing the chance that the adversary will reveal itself. Specifically, the monotonicity of the sequence number field and the distribution of interarrival times between packets are proposed to detect spoofing attacks.

In an IEEE 802.11 wireless network, the MAC header of management and data frames contains a 12-bit sequence number field, ranging from 0 to 4095. This field is called sequence control field,
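
A monitor can apply the sequence-number monotonicity check described in Section 8.4.2 per source MAC address, as in the following added example (not code from the book). The gap tolerance `MAX_GAP`, the helper names, and the sample frames are assumptions constructed for illustration; the layout of the 16-bit Sequence Control value (a 4-bit fragment number below the 12-bit sequence number) follows IEEE 802.11.

```python
SEQ_MOD = 4096  # 12-bit sequence number space: 0..4095
MAX_GAP = 3     # assumed tolerance for frames the monitor did not capture


def seq_number(seq_ctl):
    """Sequence number = upper 12 bits of the 16-bit Sequence Control field."""
    return (seq_ctl >> 4) & 0x0FFF


def classify(prev, cur):
    """Label a frame relative to the previous frame seen from the same MAC."""
    gap = (cur - prev) % SEQ_MOD  # modular, so 4095 -> 0 is a gap of 1
    if gap == 0:
        return "retransmit"       # same number again (retry or next fragment)
    if gap <= MAX_GAP:
        return "ok"
    return "anomaly"              # backward jump or large forward jump


def monitor(frames):
    """frames: iterable of (source_mac, seq_ctl); returns anomalies per MAC."""
    last, anomalies = {}, {}
    for index, (mac, seq_ctl) in enumerate(frames):
        cur = seq_number(seq_ctl)
        if mac in last and classify(last[mac], cur) == "anomaly":
            anomalies.setdefault(mac, []).append((index, last[mac], cur))
        last[mac] = cur
    return anomalies


def ctl(seq, frag=0):
    """Build a Sequence Control value for the constructed sample below."""
    return (seq << 4) | frag


A, B = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
# Constructed capture: A wraps 4095 -> 0 and retransmits once; B is used by
# two transmitters whose counters (near 100 and near 2000) interleave.
SAMPLE = [(A, ctl(4094)), (B, ctl(100)), (A, ctl(4095)), (B, ctl(101)),
          (A, ctl(0)), (B, ctl(2000)), (A, ctl(0)), (B, ctl(102)),
          (A, ctl(2)), (B, ctl(2001))]

if __name__ == "__main__":
    for mac, hits in monitor(SAMPLE).items():
        print(mac, hits)
```

The modular subtraction keeps the legitimate wrap from 4095 to 0 from being flagged, while each switch between the two counters behind address B shows up as a jump outside the tolerated gap.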