CRAWDAD toronto/bluetooth
Source: ieee-dataport.org (indexed 2025-03-22)
Download link:
https://ieee-dataport.org/open-access/crawdad-torontobluetooth
Resource description:
To investigate whether a large-scale Bluetooth worm outbreak is viable in practice, we conducted controlled experiments and gathered traces of Bluetooth activity in different urban environments to determine the feasibility of a worm infection.

date/time of measurement start: 2005-11-16
date/time of measurement end: 2005-11-26

collection environment: Even if a worm could exploit a security vulnerability in the Bluetooth protocol to replicate itself, a large-scale Bluetooth worm outbreak might never develop. If vulnerable Bluetooth devices are few and far between, and most inter-device contacts are short, a worm might never reach many victims. In this case, the threat of a large-scale Bluetooth worm infection is minimal. To investigate these questions, we examined whether a large-scale Bluetooth worm outbreak is viable in practice. For this, we collected traces of Bluetooth activity and conducted controlled experiments in a Bluetooth environment.

network configuration: We used Palm Tungsten T PDAs having 16MB of RAM with PalmOS version 5.0 to scan for Bluetooth devices. The Bluetooth radios of our PDAs are similar to the ones found in most commodity cell-phones: our empirical tests found that our PDAs' ranges are about 10 meters in an urban environment, corresponding to the specifications presented on Palm's website. Because a Bluetooth inquiry is a power-intensive procedure, we used a total of eight scanners. Each device sends "inquiries" over its Bluetooth interface. Our inquiry rate is variable: we increase it when no devices are discovered, and we decrease it when others answer our probes. We issue inquiries at least once every 10 seconds but never more often than once every 3 seconds. This variable rate deals with congestion scenarios when several devices answer simultaneously.

data collection methodology: We collected three different traces of Bluetooth activity. Two of our traces were gathered inside Pacific Mall and Eaton Centre, two malls in Toronto, Canada. We gathered the third trace while riding the Toronto subway system. These three locations provide a broad coverage of the different density and mobility characteristics one might find in various urban destinations. When collecting these traces, we behaved in a manner compatible with the environment we were scanning. For example, we walked casually in the malls, stopped briefly by their food courts, and stood still while riding the subway. In this way, our data illustrates a scenario where an attacker behaves inconspicuously while launching a Bluetooth worm. We used two devices scanning simultaneously to collect the Eaton Centre and the Subway traces. We used only one device to collect the Pacific Mall trace.

sanitization: We have anonymized the MAC addresses of the discovered devices.

Traceset toronto/bluetooth/encountering

Traceset of Bluetooth activity in different urban environments.

files: pacificMall.txt, eatonCenter.txt, subway.txt

description: Traceset of Bluetooth activity in three different locations which have different density and mobility characteristics one might find in various urban destinations.

measurement purpose: Network Security, Computer Malware (Worms) Investigation

methodology: We collected three different traces of Bluetooth activity. Two of our traces were gathered inside Pacific Mall and Eaton Centre, two malls in Toronto, Canada. We gathered the third trace while riding the Toronto subway system. These three locations provide a broad coverage of the different density and mobility characteristics one might find in various urban destinations.

sanitization: If the same foreign device answers multiple consecutive Bluetooth inquiries except one, we "patch" the missed Bluetooth inquiry, pretending the device answered the inquiry. If the foreign device misses two consecutive Bluetooth inquiries, we do not "patch" the encounter. We have anonymized the MAC addresses of the discovered devices. We preserved the first three octets of the original MAC address; however, we generated three random octets for the last three octets of the MAC address. In short: anonymized_MAC = first_3_octets(orig_MAC) + random_3_octets

toronto/bluetooth/encountering Traces

pacificMall: Trace of Bluetooth activity in Pacific Mall, a mall in Toronto, Canada.

configuration: Each line in the file corresponds to one "encountering", where one of our scanners encountered a foreign Bluetooth device. One encounter is a sequence of several (one or more) consecutive successful Bluetooth inquiries. Each encounter has a start time (the time of the first Bluetooth inquiry answered by the encountered device) and an end time (the time of the last Bluetooth inquiry answered by the encountered device).

format: Here's a breakdown of the format, column by column:
1. 32-bit timestamp: the encounter start time.
2. same timestamp as per #1, but in a human readable format
3. 32-bit timestamp: the encounter end time
4. same timestamp as per #3, but in a human readable format
5. location (one of EATON_CENTER, PACIFIC_MALL, or SUBWAY).
6. scanner ID
7. anonymized MAC address of foreign Bluetooth device encountered.
8. type of Bluetooth device
9. manufacturer of Bluetooth device

eatonCenter: Trace of Bluetooth activity in Eaton Centre, a mall in Toronto, Canada.

configuration: Each line in the file corresponds to one "encountering", where one of our scanners encountered a foreign Bluetooth device. One encounter is a sequence of several (one or more) consecutive successful Bluetooth inquiries. Each encounter has a start time (the time of the first Bluetooth inquiry answered by the encountered device) and an end time (the time of the last Bluetooth inquiry answered by the encountered device).

format: Here's a breakdown of the format, column by column:
1. 32-bit timestamp: the encounter start time.
2. same timestamp as per #1, but in a human readable format
3. 32-bit timestamp: the encounter end time
4. same timestamp as per #3, but in a human readable format
5. location (one of EATON_CENTER, PACIFIC_MALL, or SUBWAY).
6. scanner ID
7. anonymized MAC address of foreign Bluetooth device encountered.
8. type of Bluetooth device
9. manufacturer of Bluetooth device

subway: Trace of Bluetooth activity gathered while riding the Toronto subway system.

configuration: Each line in the file corresponds to one "encountering", where one of our scanners encountered a foreign Bluetooth device. One encounter is a sequence of several (one or more) consecutive successful Bluetooth inquiries. Each encounter has a start time (the time of the first Bluetooth inquiry answered by the encountered device) and an end time (the time of the last Bluetooth inquiry answered by the encountered device).

format: Here's a breakdown of the format, column by column:
1. 32-bit timestamp: the encounter start time.
2. same timestamp as per #1, but in a human readable format
3. 32-bit timestamp: the encounter end time
4. same timestamp as per #3, but in a human readable format
5. location (one of EATON_CENTER, PACIFIC_MALL, or SUBWAY).
6. scanner ID
7. anonymized MAC address of foreign Bluetooth device encountered.
8. type of Bluetooth device
9. manufacturer of Bluetooth device

Traceset toronto/bluetooth/controlled

files: bluetooth_traces.tar.gz, xfers.txt, controlled.txt

description: Traceset of controlled experiments for Bluetooth activity.

measurement purpose: Network Security, Computer Malware (Worms) Investigation

methodology: We conducted two controlled experiments as follows:
1. toronto/bluetooth/controlled/xfers: We measured the throughput and the failure rate of transmissions between two devices we controlled. We transferred a 256KB file between two devices placed apart at different
2. toronto/bluetooth/controlled/moving: We also conducted controlled experiments of communicating over Bluetooth between two devices when only one is moving.

toronto/bluetooth/controlled Traces

xfers: Trace of measurement of Bluetooth transfers performed in different environments.

configuration: This trace contains the measurements of Bluetooth transfers performed in different environments. We measured how long it took to transfer 256KB between two stationary Bluetooth devices while they are K feet apart (for K between 0 and 25).

format: Here's a breakdown of the format, column by column:
1. inter-device distance in feet
2. data successfully transferred (out of 256032 bytes)
3. duration of transfer (in seconds)

moving: Trace of measurements of Bluetooth transfer performed in a controlled environment (our lab).

configuration: We conducted controlled experiments to determine whether walking can prevent a person's device from becoming infected. We placed one device on a wall at a T-junction hallway, while a person carried another device, pacing themselves at a constant speed. The mobile device first issued inquiry requests. Once the stationary device was discovered, the mobile device transmitted a file. We performed several experiments. We set the size of the file at 500 bytes and at 25KB. We moved the mobile device at a speed of 1 m/s, corresponding to a typical walking speed, and 2 m/s, to approximate the relative speed of two people walking in opposite directions. Each experiment is repeated five times. We chose the T-junction hallway because it combines both line-of-sight and obstructed inter-device transmissions. There are five trials for each setting of the moving device's speed and transfer data (except when we are transferring 25KB and the device is moving at 2 m/s; in this case, we only have four successful trials).

format:
1. moving device's speed (in meters per second)
2. transfer size in KB
3. time elapsed until target is discovered (in seconds)
4. time elapsed until an ACL connection is established
5. time elapsed until an L2CAP socket is setup
6. time elapsed to complete (and ACK) data transmission
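
The sanitization rules of the encountering traceset (patching a single missed inquiry, and anonymized_MAC = first_3_octets(orig_MAC) + random_3_octets) can be sketched as follows. This is an added example, not the dataset authors' code. It assumes a per-scanner inquiry log given as (timestamp, responders) pairs, that every isolated miss is patched, and that each device keeps one stable pseudonym; the function names and sample MACs are made up.

```python
import secrets

def anonymize_mac(mac, mapping):
    """anonymized_MAC = first_3_octets(orig_MAC) + random_3_octets."""
    if mac not in mapping:  # assumption: one stable pseudonym per device
        prefix = mac.upper().split(":")[:3]
        suffix = [f"{b:02X}" for b in secrets.token_bytes(3)]
        mapping[mac] = ":".join(prefix + suffix)
    return mapping[mac]

def build_encounters(inquiries):
    """inquiries: time-ordered (timestamp, set of MACs that answered).
    Returns sorted (start, end, mac); one missed inquiry is patched,
    two consecutive misses end the encounter at the last answer."""
    open_enc = {}  # mac -> [start, last_answer, consecutive_misses]
    done = []
    for ts, responders in inquiries:
        for mac in responders:
            if mac in open_enc:
                open_enc[mac][1:] = [ts, 0]   # extend, reset miss count
            else:
                open_enc[mac] = [ts, ts, 0]   # new encounter
        for mac in [m for m in open_enc if m not in responders]:
            open_enc[mac][2] += 1
            if open_enc[mac][2] == 2:         # second miss in a row
                start, end, _ = open_enc.pop(mac)
                done.append((start, end, mac))
    done.extend((s, e, m) for m, (s, e, _) in open_enc.items())
    return sorted(done)

def sanitize(inquiries):
    """Build encounters, then replace each MAC with its pseudonym."""
    mapping = {}
    return [(s, e, anonymize_mac(m, mapping))
            for s, e, m in build_encounters(inquiries)]

# Constructed sample: inquiries every 5 s, two made-up devices.
A, B = "00:11:22:AA:BB:CC", "66:77:88:01:02:03"
SAMPLE = [(0, {A}), (5, {A, B}), (10, set()), (15, {A}),
          (20, set()), (25, set()), (30, {A})]

if __name__ == "__main__":
    for record in sanitize(SAMPLE):
        print(record)
```

Because the first three octets are kept, the vendor prefix of each device remains visible in the sanitized trace; only the device-specific half of the address is hidden.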
Provider:
IEEE Dataport



