Passive Online Detection of 802.11 Traffic Using Sequential Hypothesis Testing with TCP ACK-Pairs

In this paper, we propose two online algorithms to detect 802.11 traffic from packet-header data collected passively at a monitoring point. These algorithms have a number of applications in real-time wireless LAN management, for instance, in detecting unauthorized access points and detecting/predicting performance degradations. Both algorithms use sequential hypothesis tests and exploit fundamental properties of the 802.11 CSMA/CA MAC protocol and the half-duplex nature of wireless channels. They differ in that one requires training sets, while the other does not. We have built a system for online wireless traffic detection using these algorithms and deployed it at a university gateway router. Extensive experiments have demonstrated the effectiveness of our approach: the algorithm that requires training provides rapid detection and is extremely accurate (the detection is mostly within 10 seconds, with very low false-positive and false-negative ratios), the algorithm that does not require training detects 60 percent to 76 percent of the wireless hosts without any false positives, and both algorithms are lightweight, with computation and storage overhead well within the capability of commodity equipment.
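The abstract describes the training-based detector only at the level of its ingredients: a per-host sequential hypothesis test driven by TCP ACK-pairs, whose inter-arrival gaps are stretched on an 802.11 link by CSMA/CA contention and the half-duplex channel. The following is an added worked example (not code from the paper or its authors) of that shape of detector: Wald's sequential probability ratio test over a binary feature, "is the ACK-pair gap larger than a threshold", with one class-conditional probability for wired hosts and one for wireless hosts. The threshold `TAU_MS`, the two probabilities, the ACK timestamps and the pairing rule (consecutive ACKs within `max_gap_ms`) are all constructed assumptions standing in for what a training set and the paper's exact pairing procedure would supply; the training-free variant is not shown.

```python
"""
Sequential probability ratio test (SPRT) over TCP ACK-pair gaps: an added
illustration of a training-based wireless-host detector. All constants and
sample data below are constructed, not taken from the paper.
"""
import math
from typing import List, Optional, Tuple

TAU_MS = 1.0                 # gap threshold separating "large" from "small" (assumed)
P_LARGE_GAP_WIRELESS = 0.7   # P(gap > TAU_MS | H1: host behind 802.11), constructed
P_LARGE_GAP_WIRED = 0.1      # P(gap > TAU_MS | H0: wired Ethernet), constructed


def ack_pair_gaps(ack_ts_ms: List[float], max_gap_ms: float = 50.0) -> List[float]:
    """Convert the ACK timestamps of one flow into ACK-pair gaps (ms).

    Simplification (assumed pairing rule): two consecutive ACKs within
    max_gap_ms form a pair; larger separations are discarded as not having
    been triggered by back-to-back data packets.
    """
    gaps = []
    for prev, cur in zip(ack_ts_ms, ack_ts_ms[1:]):
        gap = round(cur - prev, 3)
        if 0 <= gap <= max_gap_ms:
            gaps.append(gap)
    return gaps


class AckPairSPRT:
    """Wald's SPRT: H0 = wired, H1 = wireless, one Bernoulli observation per ACK-pair."""

    def __init__(self, alpha: float = 0.01, beta: float = 0.01,
                 p1: float = P_LARGE_GAP_WIRELESS, p0: float = P_LARGE_GAP_WIRED):
        # alpha: tolerated false-positive rate (wired host declared wireless)
        # beta:  tolerated false-negative rate (wireless host declared wired)
        self.upper = math.log((1 - beta) / alpha)   # accept H1 once llr >= upper
        self.lower = math.log(beta / (1 - alpha))   # accept H0 once llr <= lower
        self.llr_large = math.log(p1 / p0)            # update for a large gap
        self.llr_small = math.log((1 - p1) / (1 - p0))  # update for a small gap
        self.llr = 0.0   # running log-likelihood ratio
        self.n = 0       # ACK-pairs consumed so far

    def observe(self, gap_ms: float) -> Optional[str]:
        """Consume one ACK-pair gap; return a verdict once a threshold is crossed."""
        self.llr += self.llr_large if gap_ms > TAU_MS else self.llr_small
        self.n += 1
        if self.llr >= self.upper:
            return "wireless"
        if self.llr <= self.lower:
            return "wired"
        return None


def classify_host(gaps: List[float], alpha: float = 0.01,
                  beta: float = 0.01) -> Tuple[Optional[str], int]:
    """Feed ACK-pair gaps until the test decides; returns (decision, pairs consumed).

    A decision of None means the host is still undecided after all gaps, which is
    the expected outcome for a host whose gaps are mixed or too few.
    """
    test = AckPairSPRT(alpha, beta)
    for gap in gaps:
        verdict = test.observe(gap)
        if verdict is not None:
            return verdict, test.n
    return None, test.n


if __name__ == "__main__":
    # Constructed ACK timestamps (ms) for two monitored hosts on one flow each.
    wireless_acks = [0.0, 2.5, 5.6, 7.4, 9.6]
    wired_acks = [0.0, 0.2, 0.5, 0.6, 1.0, 1.2, 1.5]
    for name, acks in (("host-A", wireless_acks), ("host-B", wired_acks)):
        print(name, classify_host(ack_pair_gaps(acks)))
```

With alpha = beta = 0.01 the decision thresholds are ±ln(99) ≈ ±4.6, so three consecutive large gaps (each adding ln 7 ≈ 1.95) are enough to declare a host wireless, while five consecutive small gaps (each adding ln(1/3) ≈ -1.10) declare it wired; a host alternating between the two keeps the test undecided, which is the behaviour a deployment wants rather than a forced guess. Per-host state is two floats and a counter, which is why a detector of this form stays cheap at a gateway.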
