UConn CSE 3300 - Passive Online Detection

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX 2008

Passive Online Detection of 802.11 Traffic Using Sequential Hypothesis Testing with TCP ACK-Pairs

Wei Wei, Member, IEEE, Kyoungwon Suh, Member, IEEE, Bing Wang, Member, IEEE, Yu Gu, Member, IEEE, Jim Kurose, Fellow, IEEE, Don Towsley, Fellow, IEEE, and Sharad Jaiswal

Abstract— In this paper, we propose two online algorithms to detect 802.11 traffic from packet-header data collected passively at a monitoring point. These algorithms have a number of applications in realtime wireless LAN management, for instance, in detecting unauthorized access points and detecting/predicting performance degradations. Both algorithms use sequential hypothesis tests, and exploit fundamental properties of the 802.11 CSMA/CA MAC protocol and the half duplex nature of wireless channels. They differ in that one requires training sets, while the other does not. We have built a system for online wireless traffic detection using these algorithms and deployed it at a university gateway router. Extensive experiments have demonstrated the effectiveness of our approach: the algorithm that requires training provides rapid detection and is extremely accurate (the detection is mostly within 10 seconds, with very low false positive and false negative ratios); the algorithm that does not require training detects 60%-76% of the wireless hosts without any false positives; both algorithms are light-weight, with computation and storage overhead well within the capability of commodity equipment.

Index Terms— Wireless LAN management, Wireless traffic detection, Sequential hypothesis testing, TCP ACK-pairs.

I. INTRODUCTION

The deployment of IEEE 802.11 wireless networks (WLANs) has been growing at a remarkable rate during the past several years. The presence of a wireless infrastructure within a network, however, raises various network management and security issues. Several recent studies address these issues [10], [11], [16], [40], [41], [19], [27], [32] (detailed in Section II). These studies all adopt the approach of distributed monitoring of RF airwaves, which has also been adopted by most commercial products (e.g., [1], [3], [9], [4], [2], [8]).

An alternative approach to managing a wireless network is through centralized monitoring at a single aggregation point. This single monitoring point is located at the edge of a local network (e.g., at a gateway router) and captures all traffic coming into and getting out of the local network. This centralized approach is scalable, requiring little deployment costs, and is easy to manage and maintain. However, a key challenge when using this approach for realtime network management is online detection of wireless traffic. This is because a local network typically supports both Ethernet and WLAN technologies, and hence the aggregation point observes a mixture of wired and wireless traffic.

Manuscript received xx xx, 2008. W. Wei is with United Technologies Research Center, K. Suh is with Illinois State University, B. Wang is with the University of Connecticut, Y. Gu, J. Kurose and D. Towsley are with the University of Massachusetts, Amherst, and S. Jaiswal is with Alcatel-Lucent Bell Labs, India.

Online detection of wireless traffic at the aggregation point is not an easy task. It cannot be achieved based on IP addresses. This is because a network administrator may not allocate separate IP address pools for wired and wireless hosts. Even if there were separate pools, a host with an address from the wired address pool may act as a NAT box for a set of wireless hosts, or install a wireless router and become a wireless host. In this paper, we develop two online algorithms to detect wireless traffic. Our algorithms take advantage of timing information at the aggregation point and can detect wireless traffic that is behind NAT boxes or user-installed wireless routers. Our main contributions are as follows:

• We extend the analysis in [37] and demonstrate that using TCP ACK-pairs can effectively differentiate Ethernet and wireless connections (including both 802.11b and 802.11g). Our analysis exploits fundamental properties of the 802.11 CSMA/CA MAC protocol and the half duplex nature of wireless channels.
• We develop two online algorithms to detect wireless traffic. Both algorithms use sequential hypothesis tests and make prompt decisions as TCP ACK-pairs are observed at the monitoring point. One algorithm requires training data, while the other does not. To the best of our knowledge, ours are the first set of passive online techniques that detect wireless traffic.
• We have built a system for online detection of wireless traffic using the above algorithms and deployed it at the gateway router of the University of Massachusetts, Amherst (UMass). Extensive experiments in various scenarios have demonstrated the effectiveness of our algorithms: (1) The algorithm that requires training makes detections mostly within 10 seconds, and the false positive and false negative ratios are close to zero; (2) The algorithm that does not require training detects 60%-76% of the wireless hosts without any false positives; and (3) Both algorithms have computation and storage overhead well within the capability of commodity equipment. We further demonstrate that our scheme can detect connection-type switchings and wireless networks behind a NAT box, and it is effective even when end hosts have high CPU, disk or network utilizations.

Our proposed algorithms have a number of important applications in realtime WLAN management. For instance, they are useful to detect rogue or unauthorized access points (APs). Suppose a host not authorized to use wireless network installs a rogue AP for wireless connection. Traffic of this host is captured at the aggregation point. Using our online algorithms, a network administrator will detect that the host uses wireless while it is not authorized to do so, and hence determines that it uses a rogue AP. Our proposed scheme can also help to monitor the performance of wireless hosts, which are more vulnerable to performance problems due to the unreliable nature of the wireless medium. More specifically, a network administrator may identify wireless hosts in realtime using our algorithms, monitor their performance, and predict and/or detect performance degradations.

The rest of the paper is organized as follows. Section II describes related work. Section III presents the
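
An added illustration, not taken from the paper or its system: a Wald sequential probability ratio test that consumes ACK-pair gaps per host as they arrive at a monitor and decides as soon as the evidence crosses a bound. The gap threshold, the two probabilities, the error targets, the restart after each decision and the sample gaps are all assumptions made for this example.

```python
import math
from collections import defaultdict

# Every number here is an assumption chosen for illustration, not a value from the paper.
GAP_THRESHOLD_S = 0.0004                      # ACK-pair gap counted as "large"
P_LARGE = {"wired": 0.05, "wireless": 0.60}   # P(gap > threshold | link type)
ALPHA, BETA = 0.01, 0.01                      # target false positive / false negative rates

UPPER = math.log((1 - BETA) / ALPHA)          # crossing upward accepts "wireless"
LOWER = math.log(BETA / (1 - ALPHA))          # crossing downward accepts "wired"
STEP_LARGE = math.log(P_LARGE["wireless"] / P_LARGE["wired"])
STEP_SMALL = math.log((1 - P_LARGE["wireless"]) / (1 - P_LARGE["wired"]))

class AckPairSprt:
    """Wald sequential probability ratio test, one running state per host."""
    def __init__(self):
        self.llr = defaultdict(float)   # host -> accumulated log-likelihood ratio
        self.count = defaultdict(int)   # host -> ACK-pairs consumed so far

    def observe(self, host, gap_s):
        """Feed one ACK-pair gap; return (decision, pairs_used) or None."""
        self.llr[host] += STEP_LARGE if gap_s > GAP_THRESHOLD_S else STEP_SMALL
        self.count[host] += 1
        if self.llr[host] >= UPPER:
            decision = "wireless"
        elif self.llr[host] <= LOWER:
            decision = "wired"
        else:
            return None                 # not enough evidence yet, keep sampling
        used = self.count[host]
        # Restart the test so a later change of link type can be picked up.
        del self.llr[host], self.count[host]
        return decision, used

def classify(stream):
    """Run the test over (host, gap_seconds) tuples; return {host: first decision}."""
    test, out = AckPairSprt(), {}
    for host, gap in stream:
        result = test.observe(host, gap)
        if result and host not in out:
            out[host] = result
    return out

# Constructed sample: interleaved ACK-pair gaps (seconds) for two hosts.
SAMPLE = [("10.0.0.5", 0.0009), ("10.0.0.7", 0.0001), ("10.0.0.5", 0.0002),
          ("10.0.0.7", 0.0001), ("10.0.0.5", 0.0011), ("10.0.0.7", 0.0002),
          ("10.0.0.5", 0.0007), ("10.0.0.7", 0.0001), ("10.0.0.7", 0.0003),
          ("10.0.0.7", 0.0001)]
```

With these assumed parameters a single small gap after a large one lowers the ratio without resetting it, so one atypical ACK-pair delays a decision rather than reversing it.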

