Passive Online Detection of 802.11 Traffic Using Sequential Hypothesis Testing with TCP ACK-Pairs
March 2009 (vol. 8 no. 3)
pp. 398-412
Wei Wei, University of Connecticut, Storrs
Kyoungwon Suh, Illinois State University, Normal
Bing Wang, University of Connecticut, Storrs
Yu Gu, NEC Laboratories America, Princeton
James Kurose, University of Massachusetts, Amherst
Don Towsley, University of Massachusetts, Amherst
Sharad Jaiswal, Bell Labs Research India, Bangalore
In this paper, we propose two online algorithms to detect 802.11 traffic from packet-header data collected passively at a monitoring point. These algorithms have a number of applications in real-time wireless LAN management, for instance, detecting unauthorized access points and detecting or predicting performance degradations. Both algorithms use sequential hypothesis tests and exploit fundamental properties of the 802.11 CSMA/CA MAC protocol and the half-duplex nature of wireless channels. They differ in that one requires training sets, while the other does not. We have built a system for online wireless-traffic detection using these algorithms and deployed it at a university gateway router. Extensive experiments have demonstrated the effectiveness of our approach: the algorithm that requires training provides rapid detection and is extremely accurate (detection mostly occurs within 10 seconds, with very low false-positive and false-negative ratios); the algorithm that does not require training detects 60%-76% of the wireless hosts without any false positives; both algorithms are lightweight, with computation and storage overhead well within the capability of commodity equipment.
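The following is an added illustration of the sequential-hypothesis-test idea summarized in the abstract; it is not the authors' code and does not reproduce the paper's statistic or parameters. It models each TCP ACK-pair as a Bernoulli observation (1 if the gap between the two ACKs exceeds a threshold that a wired host would rarely exceed, since an 802.11 host must contend for a half-duplex channel before sending each ACK) and runs Wald's SPRT on those observations. The 1 ms gap threshold, the probabilities p0/p1, the error targets alpha/beta, the 50 µs "back-to-back" rule for forming data pairs, the no-delayed-ACK assumption and all three traces are assumptions constructed for this example.

```python
"""Added example (not the paper's code): Wald's SPRT over TCP ACK-pair gaps.

Trace records for one TCP flow as seen at the gateway:
    ("data", t_us, seq, length)   data segment travelling towards the host
    ("ack",  t_us, ackno)         pure ACK travelling back from the host
Two data segments sent back-to-back form a data pair; the two ACKs that
acknowledge them form an ACK-pair, and the time between those ACKs is the
observation fed to the sequential test.
"""
from math import log

MAX_DATA_GAP_US = 50   # assumption: "back-to-back" = sent within 50 us


def ack_pair_gaps(trace, max_data_gap_us=MAX_DATA_GAP_US):
    """Return ACK-pair gaps (microseconds) from non-overlapping data pairs.

    Assumption: the host acknowledges every segment (no delayed ACK), so a
    segment is matched to the first ACK whose number equals seq + length.
    """
    data = []         # (t, expected ackno) per data segment, in trace order
    ack_time = {}     # ackno -> arrival time of the first ACK carrying it
    for rec in trace:
        if rec[0] == "data":
            _, t, seq, length = rec
            data.append((t, seq + length))
        elif rec[0] == "ack":
            _, t, ackno = rec
            ack_time.setdefault(ackno, t)
    gaps, i = [], 0
    while i + 1 < len(data):
        (t1, a1), (t2, a2) = data[i], data[i + 1]
        if (t2 - t1 <= max_data_gap_us and a1 in ack_time and a2 in ack_time
                and ack_time[a2] > ack_time[a1]):
            gaps.append(ack_time[a2] - ack_time[a1])
            i += 2        # consume both segments: pairs do not overlap
        else:
            i += 1        # not back-to-back or an ACK is missing: no pair
    return gaps


class AckPairSPRT:
    """Wald's SPRT deciding H1 (802.11 host) against H0 (wired host).

    p0 / p1: assumed probability that a gap exceeds the threshold under
    H0 / H1; alpha / beta: target false-positive / false-negative rates.
    All values are assumptions for this example.  The decision thresholds
    are Wald's log((1-beta)/alpha) and log(beta/(1-alpha)).
    """

    def __init__(self, gap_threshold_us=1000, p0=0.05, p1=0.9,
                 alpha=0.01, beta=0.01):
        self.threshold = gap_threshold_us
        self.upper = log((1 - beta) / alpha)         # accept H1 at or above
        self.lower = log(beta / (1 - alpha))         # accept H0 at or below
        self.step_one = log(p1 / p0)                 # LLR for gap > threshold
        self.step_zero = log((1 - p1) / (1 - p0))    # LLR for gap <= threshold
        self.llr, self.n, self.decision = 0.0, 0, None

    def observe(self, gap_us):
        """Fold one ACK-pair gap into the test; return the decision or None."""
        if self.decision is not None:
            return self.decision
        self.n += 1
        self.llr += self.step_one if gap_us > self.threshold else self.step_zero
        if self.llr >= self.upper:
            self.decision = "wireless"
        elif self.llr <= self.lower:
            self.decision = "wired"
        return self.decision


def classify_trace(trace, **sprt_kwargs):
    """Run the SPRT over a trace; return (decision or 'undecided', pairs used)."""
    test = AckPairSPRT(**sprt_kwargs)
    for gap in ack_pair_gaps(trace):
        if test.observe(gap) is not None:
            break
    return test.decision or "undecided", test.n


def make_trace(pair_gaps_us, rtt_us=20_000, mss=1460):
    """Constructed single-flow trace: one back-to-back data pair per entry,
    whose two ACKs arrive rtt_us later, separated by the given gap."""
    trace, seq = [], 1
    for k, gap in enumerate(pair_gaps_us):
        t = k * 100_000                                   # one pair per 100 ms
        trace.append(("data", t, seq, mss))
        trace.append(("data", t + 10, seq + mss, mss))    # 10 us apart
        trace.append(("ack", t + rtt_us, seq + mss))
        trace.append(("ack", t + rtt_us + gap, seq + 2 * mss))
        seq += 2 * mss
    return trace


# Constructed sample traces (microsecond ACK-pair gaps), not measured data.
WIRELESS_TRACE = make_trace([1800, 2400, 1500, 3100, 2000])
WIRED_TRACE = make_trace([60, 90, 70, 110, 80])
SHORT_TRACE = make_trace([1800])      # a single pair: test cannot conclude

if __name__ == "__main__":
    for name, tr in [("wireless", WIRELESS_TRACE), ("wired", WIRED_TRACE),
                     ("short", SHORT_TRACE)]:
        print(name, classify_trace(tr))
```

With these assumed parameters the test reaches a decision after two pairs for the wireless trace and three for the wired one, which is what makes an SPRT attractive for online use: it stops as soon as the evidence crosses a bound rather than after a fixed sample size. The error guarantees hold only to the extent that p0 and p1 describe the observed traffic and the pairs are independent, which is why the paper's training-based variant learns these quantities from data and its training-free variant is more conservative.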

[1] AirDefense, Wireless LAN Security, http:/, 2008.
[2] AirMagnet, http:/, 2008.
[3] AirWave, AirWave Management Platform, http:/, 2008.
[4] Cisco Wireless LAN Solution Engine (WLSE), com/en/US/products/sw/ cscoworkps3915/, 2008.
[5] Host AP, http:/, 2008.
[6] http:/, 2008.
[7] Microsoft Windows 2000 TCP/IP Implementation Details, network/deploy/depovgtcpip2k.mspx, 2008.
[8] NetStumbler, http:/, 2008.
[9] Rogue Access Point Detection: Automatically Detect and Manage Wireless Threats to Your Network, http:/, 2008.
[10] A. Adya, V. Bahl, R. Chandra, and L. Qiu, “Architecture and Techniques for Diagnosing Faults in IEEE 802.11 Infrastructure Networks,” Proc. ACM MobiCom '04, Sept. 2004.
[11] P. Bahl, R. Chandra, J. Padhye, L. Ravindranath, M. Singh, A. Wolman, and B. Zill, “Enhancing the Security of Corporate Wi-Fi Networks Using DAIR,” Proc. Fourth ACM Int'l Conf. Mobile Systems, Applications, and Services (MobiSys '06), June 2006.
[12] V. Baiamonte, K. Papagiannaki, and G. Iannaccone, “Detecting 802.11 Wireless Hosts from Remote Passive Observations,” Proc. IFIP/TC6 Networking, May 2007.
[13] R. Beyah, S. Kangude, G. Yu, B. Strickland, and J. Copeland, “Rogue Access Point Detection Using Temporal Traffic Characteristics,” Proc. 47th Ann. IEEE Global Telecomm. Conf. (GLOBECOM '04), Dec. 2004.
[14] A.A. Cardenas, S. Radosavac, and J.S. Baras, “An Analytical Evaluation of MAC Layer Misbehavior Detection Schemes,” Proc. IEEE INFOCOM '07, May 2007.
[15] G. Casella and R.L. Berger, Statistical Inference. Duxbury Thomson Learning, 2002.
[16] R. Chandra, J. Padhye, A. Wolman, and B. Zill, “A Location-Based Management System for Enterprise Wireless LANs,” Proc. Fourth Usenix Symp. Networked Systems Design and Implementation (NSDI '07), Apr. 2007.
[17] W. Chen, Y. Huang, B.F. Ribeiro, K. Suh, H. Zhang, E. de Souza e Silva, J. Kurose, and D. Towsley, “Exploiting the IPID Field to Infer Network Path and End-System Characteristics,” Proc. Sixth Passive and Active Measurement Workshop (PAM), 2005.
[18] L. Cheng and I. Marsic, “Fuzzy Reasoning for Wireless Awareness,” Int'l J. Wireless Information Networks, vol. 8, no. 1, 2001.
[19] Y.-C. Cheng, J. Bellardo, P. Benko, A.C. Snoeren, G.M. Voelker, and S. Savage, “Jigsaw: Solving the Puzzle of Enterprise 802.11 Analysis,” Proc. ACM SIGCOMM '06, Sept. 2006.
[20] S. Garg, M. Kappes, and A.S. Krishnakumar, “On the Effect of Contention-Window Sizes in IEEE 802.11b Networks,” Technical Report ALR-2002-024, Avaya Labs Research, 2002.
[21] IEEE 802.11, 802.11a, 802.11b Standards for Wireless Local Area Networks, 2008.
[22] S. Jaiswal, G. Iannaccone, C. Diot, J. Kurose, and D. Towsley, “Measurement and Classification of Out-of-Sequence Packets in a Tier-1 IP Backbone,” Proc. IEEE INFOCOM '03, Mar. 2003.
[23] S. Jaiswal, G. Iannaccone, C. Diot, J. Kurose, and D. Towsley, “Inferring TCP Connection Characteristics through Passive Measurements,” Proc. IEEE INFOCOM '04, Mar. 2004.
[24] J. Jung, V. Paxson, A.W. Berger, and H. Balakrishnan, “Fast Portscan Detection Using Sequential Hypothesis Testing,” Proc. IEEE Symp. Security and Privacy, May 2004.
[25] M. Li, I. Koutsopoulos, and R. Poovendran, “Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks,” Proc. IEEE INFOCOM '07, May 2007.
[26] L. Ma, A.Y. Teymorian, and X. Cheng, “A Hybrid Rogue Access Point Protection Framework for Commodity Wi-Fi Networks,” Proc. IEEE INFOCOM '08, Apr. 2008.
[27] R. Mahajan, M. Rodrig, D. Wetherall, and J. Zahorjan, “Analyzing the MAC-Level Behavior of Wireless Networks in the Wild,” Proc. ACM SIGCOMM '06, Sept. 2006.
[28] C. Mano, A. Blaich, Q. Liao, Y. Jiang, D. Salyers, D. Cieslak, and A. Striegel, “RIPPS: Rogue Identifying Packet Payload Slicer Detecting Unauthorized Wireless Hosts through Network Traffic Conditioning,” ACM Trans. Information Systems and Security, vol. 11, no. 2, Mar. 2008.
[29] Packet Trace Analysis, 2008.
[30] S. Radosavac, J. Baras, and I. Koutsopoulos, “A Framework for MAC Protocol Misbehavior Detection in Wireless Networks,” Proc. ACM Workshop Wireless Security (WiSe '05), Sept. 2005.
[31] P. Sarolahti and A. Kuznetsov, “Congestion Control in Linux TCP,” Proc. Usenix, June 2002.
[32] A. Sheth, C. Doerr, D. Grunwald, R. Han, and D.C. Sicker, “MOJO: A Distributed Physical Layer Anomaly Detection System for 802.11 WLANs,” Proc. Fourth ACM Int'l Conf. Mobile Systems, Applications, and Services (MobiSys '06), June 2006.
[33] A.N. Shiryaev, Probability, second ed. Springer, 1995.
[34] K. Thompson, G. Miller, and R. Wilder, “Wide-Area Internet Traffic Patterns and Characteristics,” IEEE Network, vol. 11, no. 6, pp. 10-23, Nov./Dec. 1997.
[35] A. Wald, Sequential Analysis. John Wiley & Sons, 1947.
[36] W. Wei, S. Jaiswal, J. Kurose, and D. Towsley, “Identifying 802.11 Traffic from Passive Measurements Using Iterative Bayesian Inference,” Technical Report 05-47, Dept. of Computer Science, Univ. of Mass., Amherst, 2005.
[37] W. Wei, S. Jaiswal, J. Kurose, and D. Towsley, “Identifying 802.11 Traffic from Passive Measurements Using Iterative Bayesian Inference,” Proc. IEEE INFOCOM '06, Apr. 2006.
[38] W. Wei, K. Suh, B. Wang, Y. Gu, J. Kurose, and D. Towsley, “Passive Online Rogue Access Point Detection Using Sequential Hypothesis Testing with TCP ACK-Pairs,” Proc. ACM SIGCOMM Internet Measurement Conf. (IMC '07), Oct. 2007.
[39] W. Wei, B. Wang, C. Zhang, J. Kurose, and D. Towsley, “Classification of Access Network Types: Ethernet, Wireless LAN, ADSL, Cable Modem or Dialup,” Proc. IEEE INFOCOM '05, Mar. 2005.
[40] J. Yeo, M. Youssef, and A. Agrawala, “A Framework for Wireless LAN Monitoring and Its Applications,” Proc. ACM Workshop Wireless Security (WiSe '04), Oct. 2004.
[41] J. Yeo, M. Youssef, T. Henderson, and A. Agrawala, “An Accurate Technique for Measuring the Wireless Side of Wireless Networks,” Proc. Usenix/ACM Workshop Wireless Traffic Measurements and Modeling (WiTMeMo '05), June 2005.
[42] H. Yin, G. Chen, and J. Wang, “Detecting Protected Layer-3 Rogue APs,” Proc. IEEE Int'l Conf. Broadband Comm., Networks, and Systems (BROADNETS '07), Sept. 2007.

Index Terms:
Network Operations, Network management
Wei Wei, Kyoungwon Suh, Bing Wang, Yu Gu, James Kurose, Don Towsley, Sharad Jaiswal, "Passive Online Detection of 802.11 Traffic Using Sequential Hypothesis Testing with TCP ACK-Pairs," IEEE Transactions on Mobile Computing, vol. 8, no. 3, pp. 398-412, March 2009, doi:10.1109/TMC.2008.126