How To Detect An Traffc From A Network With A Network Onlne Onlnet

Transcription

1 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX Passve Onlne Detecton of Traffc Usng Sequental Hypothess Testng wth TCP ACK-Pars We We, Member, IEEE, Kyoungwon Suh, Member, IEEE, Bng Wang, Member, IEEE, Yu Gu, Member, IEEE, Jm Kurose, Fellow, IEEE, Don Towsley, Fellow, IEEE, and Sharad Jaswal Abstract In ths paper, we propose two onlne algorthms to detect traffc from packet-header data collected passvely at a montorng pont. These algorthms have a number of applcatons n realtme wreless LAN management, for nstance, n detectng unauthorzed access ponts and detectng/predctng performance degradatons. Both algorthms use sequental hypothess tests, and explot fundamental propertes of the CSMA/CA MAC protocol and the half duplex nature of wreless channels. They dffer n that one requres tranng sets, whle the other does not. We have bult a system for onlne wreless traffc detecton usng these algorthms and deployed t at a unversty gateway router. Extensve experments have demonstrated the effectveness of our approach: the algorthm that requres tranng provdes rapd detecton and s extremely accurate (the detecton s mostly wthn 10 seconds, wth very low false postve and false negatve ratos); the algorthm that does not requre tranng detects 60%-76% of the wreless hosts wthout any false postves; both algorthms are lght-weght, wth computaton and storage overhead well wthn the capablty of commodty equpment. Index Terms Wreless LAN management, Wreless traffc detecton, Sequental hypothess testng, TCP ACK-pars. I. INTRODUCTION THE deployment of IEEE wreless networks (WLANs) has been growng at a remarkable rate durng the past several years. The presence of a wreless nfrastructure wthn a network, however, rases varous network management and securty ssues. Several recent studes address these ssues [10], [11], [16], [40], [41], [19], [27], [32] (detaled n Secton II). These studes all adopt the approach of dstrbuted montorng of RF arwaves, whch has also been adopted by most commercal products (e.g., [1], [3], [9], [4], [2], [8]). An alternatve approach to managng a wreless network s through centralzed montorng at a sngle aggregaton pont. Ths sngle montorng pont s located at the edge of a local network (e.g., at a gateway router) and captures all traffc comng nto and gettng out of the local network. Ths centralzed approach s scalable, requrng lttle deployment costs, and s easy to manage and mantan. However, a key challenge when usng ths approach for realtme network management s onlne detecton of wreless traffc. Ths s because a local network typcally supports both Ethernet and WLAN technologes, and hence the aggregaton pont observes a mxture of wred and wreless traffc. Manuscrpt receved xx xx, W. We s wth Unted Technologes Research Center, K. Suh s wth Illnos State Unversty, B. Wang s wth the Unversty of Connectcut, Y. Gu, J. Kurose and D. Towsley are wth the Unversty of Massachusetts, Amherst, and S. Jaswal s wth Alcatel-Lucent Bell Labs, Inda. Onlne detecton of wreless traffc at the aggregaton pont s not an easy task. It cannot be acheved based on IP addresses. Ths s because a network admnstrator may not allocate separate IP address pools for wred and wreless hosts. Even f there were separate pools, a host wth an address from the wred address pool may act as a NAT box for a set of wreless hosts, or nstall a wreless router and becomes a wreless host. In ths paper, we develop two onlne algorthms to detect wreless traffc. Our algorthms take advantage of tmng nformaton at the aggregaton pont and can detect wreless traffc that s behnd NAT boxes or user-nstalled wreless routers. Our man contrbutons are as follows: We extend the analyss n [37] and demonstrate that usng TCP ACK-pars can effectvely dfferentate Ethernet and wreless connectons (ncludng both b and g). Our analyss explots fundamental propertes of the CSMA/CA MAC protocol and the half duplex nature of wreless channels. We develop two onlne algorthms to detect wreless traffc. Both algorthms use sequental hypothess tests and make prompt decsons as TCP ACK-pars are observed at the montorng pont. One algorthm requres tranng data, whle the other does not. To the best of our knowledge, ours are the frst set of passve onlne technques that detect wreless traffc. We have bult a system for onlne detecton of wreless traffc usng the above algorthms and deployed t at the gateway router of the Unversty of Massachusetts, Amherst (UMass). Extensve experments n varous scenaros have demonstrated the effectveness of our algorthms: (1) The algorthm that requres tranng makes detectons mostly wthn 10 seconds, and the false postve and false negatve ratos are close to zero; (2) The algorthm that does not requre tranng detects 60%- 76% of the wreless hosts wthout any false postves; and (3) Both algorthms have computaton and storage overhead well wthn the capablty of commodty equpment. We further demonstrate that our scheme can detect connecton-type swtchngs and wreless networks behnd a NAT box, and t s effectve even when end hosts have hgh CPU, dsk or network utlzatons. Our proposed algorthms have a number of mportant applcatons n realtme WLAN management. For nstance, they are useful to detect rogue or unauthorzed access ponts (APs). Suppose a host not authorzed to use wreless network nstalls a rogue AP for wreless connecton. Traffc of ths host s

2 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX captured at the aggregaton pont. Usng our onlne algorthms, a network admnstrator wll detect that the host uses wreless whle t s not authorzed to do so, and hence determnes that t uses a rogue AP. Our proposed scheme can also help to montor the performance of wreless hosts, whch are more vulnerable to performance problems due to the unrelable nature of the wreless medum. More specfcally, a network admnstrator may dentfy wreless hosts n realtme usng our algorthms, montor ther performance, and predct and/or detect performance degradatons. The rest of the paper s organzed as follows. Secton II descrbes related work. Secton III presents the problem settng and a hgh-level descrpton of our approach. Secton IV analyzes TCP ACK-pars n Ethernet and WLAN. Sectons V and VI present our onlne algorthms and onlne detecton system, respectvely. Sectons VII and VIII present expermental evaluaton methodology and results, respectvely. Fnally, Secton IX dscusses several ssues related to usng our algorthms, and Secton X concludes the paper and presents future work. II. RELATED WORK The study most closely related to ours s [37], whch proposes an teratve Bayesan nference technque to detect wreless traffc based on passve measurement at an aggregaton pont n an offlne manner. The focus there s on determnng the extent of wreless usage and the belef that a flow s from a wreless host. Our focus here s on onlne detecton of wreless traffc. Detectng wreless traffc has also been studed n several other efforts. However, none of them adopts a passve onlne approach. Baamonte et al. [12] use entropes to detect wreless connectons n an offlne manner. Beyah et al. [13] use vsual nspecton to detect wreless traffc, whch cannot be carred out automatcally. Mano et al. [28] propose a technque that requres segmentng large packets nto smaller ones to detect wreless traffc. In other studes, dfferentatng wreless traffc and other types of traffcs s based on actve measurements [39] or certan assumptons about wreless lnks (such as very low bandwdth and hgh loss rates) [18]. Several recent studes focus on WLAN management. Adya et al. [10] present a clent-based archtecture to detect and dagnose faults. Bahl et al. [11] propose usng USB devces that are attached to desktops to montor an enterprse WLAN. Ths archtecture has been recently extended to provde locatonbased management [16]. Yeo et al. propose a framework that merges lnk-level measurement from multple dstrbuted ar montors for WLAN management [40], [41]. Ths framework s substantally extended n Jgsaw [19] and Wt [27], where the authors provde formal and systematc technques to construct a global vew of the network by mergng and synchronzng traces from multple locatons. Based on the global vew, Cheng et al. nfer all sources of delays due to meda access and moblty for cross-layer WLAN dagnoss. In another recent study, Sheth et al. dagnose WLAN problems by detectng root causes at the physcal layer [32]. All the above studes utlze dstrbuted montorng of RF arwaves. Ths s also true for most commercal wreless network Fg. 1. Problem settng: a montorng pont at an aggregaton pont (e.g., the gateway router) captures ncomng traffc and outgong traffc. Our goal s to detect wreless hosts n realtme based on passve measurements at the montorng pont. Ths fgure also llustrates a scenaro where a host not authorzed to use the wreless LAN nstalls a rogue AP. management products [1], [3], [4], [2], [8]. The ratonale s that RF arwave montorng provdes detaled low-level (.e., PHY and MAC) nformaton that s crtcal for analyzng the behavor of a network and pnpont the exact causes of a fault. Our study takes the approach of centralzed montorng at a sngle aggregaton pont. The captured nformaton s at hgher layers (.e., IP and transport layers), and hence may not provde suffcent nsghts nto the root causes of a fault. However, as mentoned earler, t has a number of applcatons n realtme WLAN management, e.g., n detectng rogue APs and detectng/predctng performance degradatons. Two recent studes [42], [26] focus on a specfc WLAN management task rogue AP detecton. Yn et al. [42] use wreless snffers and a verfer n the wred network to detect protected layer-3 rogue APs. Ma et al. [26] propose a framework that combnes dstrbuted detecton through wreless snffers and centralzed detecton at a gateway router. Both studes stll heavly rely on arwave montorng and target at detectng rogue APs only. We provde a scalable onlne approach to detectng wreless traffc, whch has broader applcatons n realtme WLAN management. Passve measurement at a sngle aggregaton pont falls broadly nto measurement-n-the-mddle,.e., measurements are taken at a sngle pont n the mddle of the end-to-end connectons. The studes of [22] and [23] nfer end-to-end propertes of a TCP connecton through measurement-n-themddle. Our study dffers n that we focus on dfferentatng wred and wreless traffc. Last, sequental hypothess testng [35] provdes an opportunty to make decsons as data streams come n, and thus s a sutable technque for our purpose. It has also been used for detectng portscans [24], jammng attacks [25], and msbehavor n WLANs [30], [14]. III. PROBLEM SETTING AND APPROACH Consder a local network (e.g., a unversty campus or an enterprse network), as llustrated n Fg. 1. A montorng pont s placed at an aggregaton pont (e.g., the gateway router) of ths local network, capturng traffc comng n and gong out

3 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX Recever (a)ethernet Recever (b)wlan L1 100Mbps Access Pont Router L1 100Mbps A3 Router 100Mbps L2 P1P2P3 A A3 A1 100Mbps L2 Sender P1P2 P3P4 A A1 Sender Fg. 2. Settngs for the analyss: (a) Ethernet, (b) WLAN (802.11b or g). The dashed rectangle between the sender and the router represents the montorng pont. The par of ACKs, A 1 and A 3, forms an ACK-par. of the network. End hosts wthn ths network use ether wred Ethernet or WLAN to access the Internet. Therefore, the aggregaton pont captures a mxture of wred and wreless traffc. Our goal s to detect what hosts use WLAN nsde the local network n real tme. For ths purpose, we must answer the followng two questons: (1) what statstcs can be used to effectvely detect wreless hosts? (2) how to detect wreless hosts n an onlne manner? We next provde a hghlevel descrpton on how we address these two questons; a detaled descrpton s deferred to Sectons IV and V. We have shown that nter-ack tme s a statstc that can be used to effectvely detect wreless hosts n [37]. An nter-ack tme s the nter-arrval tme of a TCP ACK-par,.e., a par of ACKs correspondng to two data packets that arrve at the montorng pont close n tme. In [37], we analyze the nter- ACK tme n Ethernet and WLAN and demonstrate that t can be used to dfferentate these two connecton types. However, the analyss does not nclude g, snce t was not wdely deployed at that tme. In Secton IV, we extend the analyss n [37] to g, and derve a new set of results for Ethernet and b. Our results demonstrate that nter-ack tmes can effectvely dfferentate Ethernet and WLAN (ncludng both b and g hosts). For onlne detecton of wreless hosts, we develop two lght-weght algorthms (see Secton V), both usng sequental hypothess tests and takng the nter-ack tmes as nput. These two algorthms roughly work as follows. They calculate the lkelhoods that a host uses WLAN and Ethernet as TCP ACKpars are observed. When the rato of the WLAN lkelhood aganst the Ethernet lkelhood exceeds a certan threshold, they make a decson that the host uses WLAN. IV. ANALYSIS OF TCP ACK-PAIRS In ths secton, we extend the analyss n [37] and demonstrate analytcally that nter-ack tme can be used to effectvely dfferentate Ethernet and WLAN (ncludng both b and g). In the followng, we start from the assumptons and settngs, and then present the analytcal results. At the end, we brefly summarze the nsghts obtaned from the analyss. A. Assumptons and settngs The settngs for our analyss are shown n Fg. 2, where an outsde sender sends data to a recever n the local network. In Fg. 2(a), the recever uses Ethernet; n Fg. 2(b), the recever uses b or g WLAN. We refer to the above settngs as Ethernet settng and WLAN settng, respectvely. In both settngs, a router resdes between the sender and the recever, and s connected to the sender by lnk L 2 wth 100 Mbps bandwdth. The montorng pont s between the sender and the router, tappng nto lnk L 2. In the Ethernet settng, the router and the recever are connected by lnk L 1 wth 100 Mbps bandwdth. In the WLAN settng, an access pont resdes between the router and the recever. The access pont and the router are connected by lnk L 1 wth 100 Mbps bandwdth; and the recever s connected to the access pont usng 11 Mbps b or 54 Mbps g. In both the Ethernet and WLAN settngs, the router s queues for ncomng data packets and ACKs are modeled as M/D/1 queues. Let Q D and Q A denote the queues for data and ACKs respectvely. The utlzatons of Q D and Q A are ρ D and ρ A, respectvely. We assume that the recever mplements the TCP delayed ACK polcy 1, snce ths polcy s commonly used n practce [31], [7]. To accommodate the effects of delayed ACK, we consder four data packets P 1, P 2, P 3 and P 4, each of 1500 bytes, sent back-to-back from the sender. Wthout loss of generalty, we assume that packet P 1 s acknowledged. Snce we assume delayed ACK, packet P 3 s also acknowledged. Let A 1 and A 3 denote the ACKs correspondng to packets P 1 and P 3, respectvely. Then A 1 and A 3 form an ACK-par. Let A represent the nter-ack tme of A 1 and A 3 at the montorng pont. Let denote the nter-arrval tme of the data packets P 1 and P 3 at the montorng pont. Then = = 240 µs snce each P ( = 1,...,4) s 1500 bytes and the bandwdth of lnk L 2 s 100 Mbps. Intutvely, the random backoff mechansm n (.e., a host must wat for a random backoff nterval to transmt [21]) and the half duplex nature of wreless channels (.e., data packets and ACKs contend for meda access at a wreless host) may lead to larger nter-ack tmes n WLAN than those n Ethernet. To demonstrate analytcally that ths s ndeed the case, we consder the followng worst-case scenaros (n terms of dfferentatng Ethernet and WLAN hosts). In the Ethernet settng, we assume cross traffc traversng both queues, Q D and Q A, at the router so that the Ethernet lnk may be heavly utlzed. In the WLAN settng, the wreless lnk between the access pont and the recever s under dealzed condtons,.e., the channel s perfect, and s only used by the access pont and the recever. As we shall see, even n the above scenaros, the nter-ack tmes of WLAN are generally larger than those of Ethernet, and hence can be used to dfferentate WLAN and Ethernet connectons. B. Analyss of Ethernet We next present two theorems on nter-ack tmes n the Ethernet settng. Ther proofs are found n Appendces I and 1 That s, a recever releases an ACK after recevng two packets, or f the delayed-ack tmer s trggered after the arrval of a sngle packet.

4 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX II, respectvely. Theorem 1: (Inter-ACK tme dstrbuton for Ethernet) In the Ethernet settng, when 0 < ρ D, ρ A 1, P( A > 600 µs) < Theorem 2: (Medan nter-ack tme for Ethernet) Let { A }n =1 denote an..d sequence of n nter-ack tmes from a host (they can be from dfferent TCP flows) n the Ethernet settng. Let ξ ṇ 5 ( A) denote the sample medan of { A }n =1. Then, when 0 < ρ D, ρ A 1 and 43 n 100, we have P(ξ ṇ 5( A ) 600 µs) 1. Furthermore, lm n P(ξ ṇ 5 ( A) 600 µs) = 1. Both of the above theorems wll be used explctly to construct a sequental hypothess test n Secton V-B. C. Analyss of b WLAN We now analyze the nter-ack tme dstrbuton n the b WLAN settng. As mentoned earler, we assume dealzed condtons, that s, the wreless channel between the access pont and the recever s perfect and there s no contenton from other wreless nodes. For 11 Mbps b, the transmsson overhead for a TCP packet wth zero payload s 508 µs, whch ncludes the overhead to transmt physcallayer, MAC-layer, IP and TCP headers, the overhead for ACK transmsson, and the duratons of one SIFS and DIFS [20]. The slot tme s 20 µs and a wreless devce wats for a random backoff tme unformly dstrbuted n [0, 31] tme slots (.e., [0, 620] µs) before transmttng a packet. Therefore, the MAC servce tme (.e., the sum of the constant transmsson overhead and the random backoff tme) of a data packet of 1500 bytes s unformly dstrbuted n [1570, 2190] µs. The MAC servce tme of an ACK of 40 bytes s unformly dstrbuted n [508, 1128] µs. We have the followng theorem for the b WLAN settng; the proof s found n Appendx III. Theorem 3: (Inter-ACK tme dstrbuton for b) In the b WLAN settng, under dealzed condtons, P( A > 600 µs) > D. Analyss of g WLAN We next show that 54 Mbps g WLAN generally has larger nter-ack tmes than 100 Mbps Ethernet although they have comparable bandwdths. We agan assume deal condtons. For 54 Mbps g, the transmsson overhead for a TCP packet wth zero payload s 103 µs. The slot tme s 9 µs. The recever wats for a random backoff tme unformly dstrbuted n [0, 15] tme slots (.e., [0, 135] µs) before transmttng a packet. Therefore, the MAC servce tme of a data packet (1500 bytes) s unformly dstrbuted n [325, 460] µs; the MAC servce tme of an ACK (40 bytes) s unformly dstrbuted n [109, 244] µs. We have the followng theorem for the g WLAN settng; the proof s found n Appendx IV. Theorem 4: (Inter-ACK tme dstrbuton for g) In the g WLAN settng, under dealzed condtons, P( A > 600 µs) > E. Summary of Analyss The above analyss demonstrates that, even when a WLAN s under dealzed condtons whle an Ethernet LAN s fully utlzed, usng TCP ACK-pars can effectvely dfferentate Ethernet and WLAN connectons: for Ethernet, less than 18% of the nter-ack tmes exceed 600 µs, whle for b and g, at least 96% and 45% of the nter-ack tmes exceed 600 µs respectvely (see Theorems 1, 3 and 4). Under more realstc condtons (e.g., nosy wreless channel and wth contenton), nter-ack tmes n WLAN may be even larger than those n Ethernet. V. ONLINE DETECTION ALGORITHMS In ths secton, we develop two onlne algorthms to detect wreless hosts based on our analyss n the prevous secton. Both algorthms use sequental hypothess test technque and take the nter-ack tmes as the nput. The frst algorthm requres knowng the nter-ack tme dstrbutons for Ethernet and WLAN traffc a pror. The second algorthm does not have such a requrement. Instead, t s drectly based on Theorems 1 and 2 (see Secton IV). We refer to these two algorthms as sequental hypothess test wth tranng and sequental hypothess test wthout tranng respectvely. The algorthm wthout tranng, although not as powerful as the one wth tranng (see Secton VIII), s sutable for scenaros where the nter-ack tme dstrbutons are not avalable a pror (e.g., n organzatons wth no authorzed wreless networks, where detectng wreless traffc s crucal snce the presence of wreless traffc mples rogue APs and hence severe securty threats). We now descrbe these two algorthms n detal. Both algorthms use at most N = 100 ACK-pars to make a decson (.e., whether the connecton s Ethernet or WLAN) to accommodate the scenaros where a host swtches between Ethernet and WLAN connectons. A. Sequental Hypothess Test wth Tranng Algorthm 1 Sequental Hypothess Test wth Tranng n = 0, l E = l W = 0 loop Identfy an ACK-par n = n + 1 p n = P( A n = δ A n E), q n = P( A n = δ A n W) l E = l E + log p n, l W = l W + log q n f l W l E > log K then Report WLAN, n = 0, l E = l W = 0. else f l W l E < log K then Report Ethernet, n = 0, l E = l W = 0. else f n = N then Report undetermned, n = 0, l E = l W = 0. end f end loop We have demonstrated that the nter-ack tme dstrbutons for Ethernet and WLAN dffer sgnfcantly (see Secton IV).

5 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX When these dstrbutons are known, we can calculate the lkelhoods that a host uses Ethernet and WLAN respectvely gven a sequence of observed nter-ack tmes. If the lkelhood of usng WLAN s much larger than that of usng Ethernet, we conclude that the host uses WLAN (and vce versa). We now descrbe the test n more detal. Let {δ A}n =1 represent a sequence of nter-ack tme observatons from a host, and { A }n =1 represent ther correspondng random varables. Let E and W represent respectvely the events that a host uses Ethernet and WLAN. Let L E = P( A 1 = δ1 A, A 2 = δ2 A,..., A n = δa n E) be the lkelhood that ths observaton sequence s from an Ethernet host. Smlarly, let L W = P( A 1 = δ1 A, A 2 = δ2 A,..., A n = δn A W) be the lkelhood that the observaton sequence s from a WLAN host. Let p = P( A = δ A E) be the probablty that the -th nter-ack tme has value δ A gven that t s from an Ethernet host. Smlarly, let q = P( A = δ A W) be the probablty that the -th nter-ack tme has value δ A gven that t s from a WLAN host. Both p and q are known, obtaned from the nter-ack tme dstrbutons for Ethernet and WLAN traffc respectvely. Assumng that the nter-ack tmes are ndependent and dentcally dstrbuted, we have n L E = P( A 1 = δa 1,..., A n = δa n E) = p, =1 n L W = P( A 1 = δa 1,..., A n = δa n W) = q. =1 Ths test updates L W and L E as an ACK-par s observed. Let K > 1 be a threshold. If after the n-th ACK-par, the rato of L W and L E s over the threshold,.e., L W /L E > K, then the host s classfed as a WLAN host. If L W /L E < 1/K, then the host s classfed as an Ethernet host. If nether decson s made after N ACK-pars, the connecton type s classfed as undetermned. In our mplementaton of the algorthm, for convenence, we use log-lkelhood functon l w = log(l W ) and l E = log(l E ) nstead of the lkelhood functon. Ths test s summarzed n Algorthm 1, where N = 100. As we can see, t has very lttle computaton and storage overhead t only stores the current lkelhoods for Ethernet and WLAN for each IP address beng montored. B. Sequental Hypothess Test wthout Tranng Ths test does not requre knowng the nter-ack tme dstrbutons for Ethernet and WLAN hosts a pror. Instead, t leverages the analytcal results that the probablty of an nter-ack tme exceedng 600 µs s small for Ethernet hosts, whle t s much larger for WLAN hosts (see Secton IV). In the followng, we frst construct a lkelhood rato test [15], and then derve from t a sequental hypothess test. The lkelhood rato test s as follows. Let p be the probablty that an nter-ack tme exceeds 600 µs, that s, p = P( A > 600 µs). By Theorem 1, we have p < θ = 0.18 for Ethernet host. Therefore, f the hypothess p < θ s rejected by the nter-ack tme observaton sequence, we conclude that ths host does not use Ethernet and hence uses WLAN. More specfcally, consder two hypotheses, H 0 and H a, representng Algorthm 2 Sequental Hypothess Test wthout Tranng m = n = 0 loop Identfy an ACK-par n = n + 1 m = m + 1(δn A 600 µs) ˆp = m/n f ˆp = 1 and n > log K log θ then Report WLAN, m = n = 0. m(log ˆp log θ+log(1 θ) log(1 ˆp)) log K log(1 θ) log(1 ˆp) else f n < Report WLAN, m = n = 0. else f n 43 and ˆp 0.5 then Report WLAN, m = n = 0. else f n = N then Report undetermned. m = n = 0. end f end loop then respectvely the null hypothess that a host uses Ethernet and the alternatve hypothess that the host uses WLAN. For a sequence of nter-ack tme observatons {δ A}n =1, let m be the number of observatons that exceed 600 µs. Let K > 1 be a threshold. Then the lkelhood rato test rejects the null hypothess H 0 when λ = sup 0 p θ pm (1 p) n m sup 0 p 1 p m (1 p) n m < 1 K In the mddle term above, the numerator s the maxmum probablty of havng the observed sequence (whch has m nter-ack tmes exceedng 600 µs) computed over parameters n the null hypothess (.e., 0 p θ); the denomnator s the maxmum probablty of havng the observed sequence over all possble parameters (.e., 0 p 1). If λ < 1/K, that s, there are parameter ponts n the alternatve hypothess for whch the observed sample s much more lkely than for any parameter ponts n the null hypothess, the lkelhood rato test concludes that H 0 should be rejected. In other words, f λ < 1/K, the lkelhood rato test concludes that the host uses WLAN. We now derve a sequental hypothess test from the above lkelhood rato test. Let ˆp = m/n, where m s the number of nter-ack tmes exceedng 600 µs and n s the total number of nter-ack tmes. It s straghtforward to show that ˆp s the maxmum lkelhood estmator of p,.e., sup 0 p 1 p m (1 p) n m s acheved when p = ˆp. When ˆp θ, we have sup 0 p θ p m (1 p) n m = sup 0 p 1 p m (1 p) n m, and hence λ = 1 > 1/K. In ths case, the null hypothess H 0 s not rejected. Therefore, we only consder the case where θ < ˆp, whch can be classfed nto two cases: Case 1: θ < ˆp < 1. In ths case, to reject the null hypothess H 0, we need ˆp m (1 ˆp) n m θ m (1 θ) n m > K

6 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX Fg. 3. capture & flter pkt headers onlne detecton engne IP address 1 unacked-data-pkt queues dentfy ACK-pars IP address n unacked-data-pkt queues dentfy ACK-pars Onlne wreless-traffc detecton system. whch s equvalent to n < sequental hypo. tests m(log ˆp log θ + log(1 θ) log(1 ˆp)) log K. (1) log(1 θ) log(1 ˆp) Case 2: ˆp = 1. In ths case, to reject the null hypothess H 0, we need 1 θ n > K whch s equvalent to n > logk log θ. (2) When K = 10 6 and θ = 0.18, from (2), we have n 8. Ths mples that we need at least 8 ACK-pars to detect a WLAN host for the above settng. In addton to condtons (1) and (2), we also derve a complementary condton to reject the null hypothess H 0 drectly from Theorem 2. Theorem 2 states that, when the number of nter-ack observatons n s between 43 and 100, we have P(ξ ṇ 5 ( A) 600 µs) 1 for Ethernet hosts. Therefore, an addtonal condton to reject H 0 s when 43 n 100 and ˆp > 0.5 (because ths condton mples that at least half of the nter-ack observatons exceed 600 µs, that s, ξ ṇ 5 ( A) > 600 µs, whch contradcts Theorem 2). We combne the above three condtons to construct a sequental hypothess test as shown n Algorthm 2, where 1( ) s the ndcator functon and N = 100. As we can see, ths test has very lttle computatonal and storage overhead t only stores the total number of nter-ack tmes and the number of nter-ack tmes exceedng 600 µs for each IP address beng montored. Last, note that t only reports WLAN hosts, whle the sequental hypothess test wth tranng reports both WLAN and Ethernet hosts. VI. ONLINE DETECTION SYSTEM We now descrbe the desgn of a system for onlne detecton of wreless traffc. Ths system conssts of two major components as llustrated n Fg. 3. The data capturng component collects ncomng and outgong packet headers. These packet headers are then passed on to the onlne detecton engne, where WLAN hosts are detected usng the algorthms descrbed n Secton V. We next descrbe the onlne detecton engne, the core component n the system, n more detal. Afterwards, we descrbe how to dentfy ACK-pars n realtme and obtan nter-ack tme dstrbutons beforehand. A. Onlne Detecton Engne The onlne detecton engne makes detectons on a per host (or IP address) bass. Snce TCP data packets and ACKs come n on a per flow bass and a host may have multple smultaneous actve TCP flows 2, the onlne detecton engne mantans a set of data structures n memory, each correspondng to an actve TCP flow. We name the data structure as an unacked-data-packet queue snce t stores the nformaton on all the data packets that have not been acknowledged by the recever. Each tem n a queue represents a data packet n the correspondng actve flow. It records the sequence number (4 bytes), the tmestamp (8 bytes) and sze (2 bytes) of the packet. In addton, the onlne detecton engne also records the latest ACK for each TCP flow n memory. These nformaton s used to dentfy ACK-pars as follows. For each ncomng ACK, the onlne detecton engne fnds ts correspondng unacked-datapacket queue (usng a hash functon for quck lookup) and then matches t wth the tems n the queue to dentfy ACK-pars. Once an ACK-par s dentfed, dependng on whether tranng data s avalable, t s fed nto our algorthm (sequental hypothess test wth or wthout tranng) to determne whether the host uses WLAN. The memory requrement of the onlne detecton system manly comes from storng the unacked-data-packet queues. Each queue contans no more than M tems, where M s the maxmum TCP wndow sze (snce an tem s removed from the queue once ts correspondng ACK arrves). In our experments, we fnd that 90% of the queues contan less than 3 tems (see Secton VIII-C), ndcatng that the memory usage of ths onlne detecton system s low. B. Onlne Identfcaton of TCP ACK-pars As descrbed earler, two successve ACKs form an ACKpar f the nter-arrval tme of ther correspondng data packets at the montorng pont s less than a threshold T (chosen as 240 µs or 400 µs n our system, see Secton VIII). Takng account of several practcal ssues, we further mpose the followng addtonal restrctons when dentfyng ACK-pars. Frst, we exclude all ACKs whose correspondng data packets have been retransmtted or reordered. Second, to ensure that two ACKs are successve, we requre that the dfference of ther IPIDs to be no more than one 3. Thrd, we requre that 2 We defne a flow that has not termnated and has data transmsson durng the last mnute as an actve flow. 3 IPID feld carres a copy of the current value of an IPID counter n a host s IP stack. Many commercal operatng systems mantan a sngle IPID counter that s ncremented whenever a new IP packet s generated; other systems mplement IPID counter as a per-flow counter, as a random number or a constant [17]. Our IPID restrcton s most effectve when a host uses a sngle IPID counter. It s also helpful when a host uses per-flow counters. We do not mpose ths restrcton when IPID s not monotoncally ncreasng.

7 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX the ACKs are for relatvely large data packets (of sze at least 1000 bytes) to be consstent wth the assumpton of our analyss (n Secton IV). We also exclude ACKs due to expraton of delayed-ack tmers (f delayed ACK s mplemented) snce such an ACK s not released mmedately after ts correspondng data packet, and hence the nter-arrval tme of ths ACK and ts prevous ACK does not reflect the characterstcs of the access lnk. We use the technque n [36] to nfer whether delayed ACK s mplemented, whch further requres that the nter-ack tme of an ACK-par to be below 200 ms. C. Obtanng Inter-ACK Tme Dstrbutons Beforehand To apply sequental hypothess test wth tranng, we need to know the nter-ack tme dstrbutons for Ethernet and WLAN beforehand. In general, the nter-ack tme dstrbuton for a connecton type can be acqured from a tranng set, whch contans TCP flows known to use ths connecton type. We detal how we construct tranng sets for our expermental evaluaton n Secton VII-B; tranng sets for other networks can be constructed n a smlar manner. VII. EVALUATION METHODOLOGY We evaluate the performance of our onlne detecton algorthms through extensve experments. In ths secton, we descrbe our evaluaton methodology, ncludng the measurement equpment, tranng sets, test sets, and offlne and onlne evaluaton. A. Measurement Equpment Our measurement equpment conssts of a commodty PC, nstalled wth a DAG card [6] to capture packet headers. It s placed at the gateway router of UMass, Amherst, connected va an optcal spltter to the access lnk that connects the campus network to the commercal network. The TCP and IP headers of all the packets that traverse ths lnk are captured by the DAG card, along wth the current tmestamp. The captured data are streamed to our onlne detecton algorthms, whch are runnng on the commodty PC. The PC has three Intel Xeon Y 2.80 GHz CPUs (cache sze 512 KB), 2 Gbytes memory, and SCSI hard dsks. B. Tranng Sets Tranng sets are requred to obtan nter-ack tme dstrbutons (see Secton VI-C). We construct tranng sets for our expermental evaluaton as follows. Frst, based on our knowledge on the UMass campus network, we dentfy E and W, denotng the set of IP addresses known to use Ethernet and WLAN respectvely. The set E conssts of IP addresses for hosts usng 100 Mbps Ethernet n the Computer Scence Department. The set W conssts of IP addresses that are reserved for the campus publc WLAN (an network provdng wreless access to campus users at publc places such as the lbrares, campus eateres, etc.). The numbers of IP addresses n E and W are 648 and 1177 respectvely. The tranng set for Ethernet (or WLAN) s constructed by emprcal cumulatve probablty LAN WLAN 0.6 msec mlsecs Fg. 4. Ethernet and WLAN nter-ack tme dstrbutons obtaned from tranng sets (T = 240 µs). extractng TCP flows destned to hosts n E (or W) from a trace collected at the montorng pont. The trace for Ethernet was collected between February and Aprl, In early 2006, g APs were deployed on UMass campus and more users started to use g. Therefore, we collected a new set of traces on 9/29/2006 for WLAN. Note that the tranng set for WLAN contans a mxture of b and g traffc snce a host can use ether b or g dependng on whether ts wreless card and ts assocated AP support g. From the tranng set (for Ethernet or WLAN), we dentfy a sequence of ACK-pars, and dscretze the nter-ack tmes to obtan the nter-ack tme dstrbuton. The dscretzaton s as follows. We dvde the range from 0 to 1 ms nto 50µsbns, and dvde the range from 1 ms to 200 ms (whch s the maxmum value for nter-ack tmes) nto 1ms-bns. Fg. 4 plots the CDFs (Cumulatve Dstrbuton Functon) of the nter-ack tmes for Ethernet and WLAN, where the threshold T = 240 µs. We observe that 2.5% of the nter- ACK tmes for Ethernet hosts are above 600 µs, whle 59.0% of the nter-ack tmes for WLAN hosts are above 600 µs, confrmng our analytcal results n Secton IV (for Ethernet, the observed value s lower than the analytcal result because our analyss s very conservatve; for WLAN, the observed value s between the analytcal results for b and g snce the tranng set contans both types of wreless traffc). C. Test Sets To valdate that our algorthms can detect WLAN hosts and do not msclassfy Ethernet hosts, we construct a WLAN and an Ethernet test set, contanng IP addresses known to use WLAN and Ethernet respectvely. The WLAN test set contans the IP addresses (of 1177 addresses) reserved for the campus publc WLAN. The Ethernet test set contans the IP addresses of a subset of Dell desktops that use Ethernet n the Computer Scence buldng. It contans 258 desktops, each wth documented IP address, MAC address, operatng system, and locaton nformaton for ease of valdaton. Among these desktops, 35% of them use dfferent versons of Wndows operatng system (e.g., Wndows 2000, Wndows ME, Wndows XP); the rest use dfferent varants of Lnux and Unx operatng systems (e.g., RedHat, Solars, CentOS, Fedora Core). These

8 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX hosts are three hops away from the unversty gateway router (and the montorng pont). In addton to these two test sets, we further nvestgate whether our schemes can detect connecton-type swtchngs and wreless traffc behnd a NAT box by conductng addtonal experments n the Computer Scence Department. The total IP space montored n our expermental evaluaton has 3217 addresses: 1177 addresses n the WLAN test set and 2540 addresses n the Computer Scence Department. D. Offlne and Onlne Evaluaton We evaluate both the offlne and onlne performance of our algorthms. In the offlne evaluaton, we frst store the traffc measurements (to the hard dsk) and then apply our algorthms on the collected trace. In the onlne evaluaton, we run our algorthms whle capturng the data at the measurement pont. The offlne evaluaton, although not capturng the targeted operaton mode of our algorthms, allows us to nvestgate the mpact of varous parameters (e.g., T, the threshold to dentfy ACK-pars, K, the threshold n the sequental hypothess tests). The onlne evaluaton nvestgates the performance of our algorthms n ther targeted operaton mode. VIII. EXPERIMENTAL EVALUATION We now descrbe our expermental results. In our experments, the onlne detecton algorthms make a decson (.e., detectng WLAN, Ethernet or undetermned) usng at most N ACK-pars, N = 100. A decson of WLAN or Ethernet s referred to as a detecton. The tme t takes to make a detecton s referred to as detecton tme. Correct detecton rato s the total number correct detectons over the total number of detectons. In the followng, we frst evaluate the performance (n accuracy and promptness) of our onlne detecton algorthms (Sectons VIII-A and VIII-B). We then nvestgate the scalablty of our approach (Secton VIII-C). Afterwards, we demonstrate that our approach s effectve n detectng wreless traffc behnd a NAT box (Secton VIII-D). Last, we show that our approach can quckly detect connecton-type swtchngs (Secton VIII-E) and s robust to hgh CPU, dsk or network utlzatons at end hosts (Secton VIII-F). A. Performance of Sequental Hypothess Test wth Tranng We now nvestgate the performance of sequental hypothess test wth tranng. The Ethernet and WLAN nter-ack tme dstrbutons requred by ths algorthm are obtaned as descrbed n Secton VII-B. We descrbe results from both offlne and onlne evaluatons. 1) Offlne Evaluaton: We collect measurements on three consecutve days, from 10/18/2006 to 10/20/2006. For each day, the duraton of the trace s 6 to 7 hours. The threshold to dentfy ACK-pars, T, s ether 240 µs or 400 µs. The threshold to decde a host s connecton type, K, s ether 10 4, 10 5 or We only descrbe the results for the trace collected on 10/20/2006; the results for the other two days are smlar Ethernet WLAN >300 seconds Fg. 5. Detecton-tme dstrbutons for the trace collected on 10/20/2006 (T = 240 µs, K = 10 6, N = 100). Tables I and II present the detecton results for the WLAN and Ethernet test sets respectvely. In both cases we observe that the detecton results are smlar under dfferent values of T and K, ndcatng that our algorthm s nsenstve to the choce of parameters. For all values of T and K, the detecton results are extremely accurate wth a correct detecton rato above 99.38%. On average, t takes less than 10 ACK-pars (correspondng to 250 to 347 data packets) to make a detecton for WLAN and less than 20 ACK-pars (correspondng to 87 to 124 data packets) for Ethernet. The larger number of data packets for detectng a WLAN host can be explaned as follows. Inter-ACK tmes n WLAN tend to be large (compared to those n Ethernet), thus leadng to large nterarrval tmes between newly trggered data packets (due to TCP s self-clockng mechansm). When nter-arrval tmes of data packets exceed the threshold T, the correspondng ACKs do not qualfy as ACK-pars. Ths s confrmed by the lower ACK-par rato (.e., the number of ACK-pars dvded by the total number of packets) n WLAN traffc shown n Tables I and II. The detecton-tme dstrbutons for both Ethernet and WLAN are shown n Fg. 5, where T = 240 µs and K = The medan detecton tmes are around 1 second and 10 seconds for Ethernet and WLAN, respectvely. The much shorter detecton tme n Ethernet s due to hgher ACK-par ratos. We also observe some cases of long detecton tmes (over 5 mnutes) n the fgure. They mght be caused by users change of actvtes (e.g., a user stops usng the computer to thnk or talk and then resume usng t). Fnally, around 84% of ACK-pars used n WLAN detecton and 89% of ACK-pars used n Ethernet detecton are generated by web traffc, ndcatng that our approach s effectve even for short flows. 2) Onlne Evaluaton: We run our detecton algorthm onlne on three consecutve days, from 10/25/2006 to 10/27/2006. The evaluaton on each day lasts for 6 to 7 hours. We set T = 240 µs and K = 10 6, representng a conservatve selecton of parameters. Table III presents the detecton results for both test sets. We observe consstent results as those n the offlne evaluaton the detecton s hghly accurate and prompt. The average numbers of ACK-pars and data packets

9 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX TABLE I OFFLINE EVALUATION OF SEQUENTIAL HYPOTHESIS TEST WITH TRAINING: RESULTS ON WLANS (10/20/2006). T = 240 µs T = 400 µs K = 10 4 K = 10 5 K = 10 6 K = 10 4 K = 10 5 K = 10 6 Avg. # of ACK-pars for a detecton Avg. # of data pkts for a detecton Medan detecton tme (sec) Number of detectons 12, , 882 8, , , , 169 Correct detecton rato 99.43% 99.59% 99.61% 99.38% 99.53% 99.61% ACK-par rato 2% 2% TABLE II OFFLINE EVALUATION OF SEQUENTIAL HYPOTHESIS TEST WITH TRAINING: RESULTS ON ETHERNET (10/20/2006). T = 240 µs T = 400 µs K = 10 4 K = 10 5 K = 10 6 K = 10 4 K = 10 5 K = 10 6 Avg. # of ACK-pars for a detecton Avg. # of data pkts for a detecton Medan detecton tme (sec) Number of detectons 4, 896 3, 990 3, 363 5, 860 4, 747 4, 002 Correct detecton rato 99.88% % 99.97% 99.61% 99.79% 99.78% ACK-par rato 13% 17% requred for a detecton are also consstent wth those n the offlne evaluaton. B. Performance of Sequental Hypothess Test wthout Tranng We now examne the performance of sequental hypothess test wthout tranng. It takes at most N ACK-pars to make a decson (.e., detectng WLAN or undetermned). We apply ths algorthm to traces collected between 10/18/2006 and 10/20/2006 usng T = 240 µs, K = 10 6, and N = 100. For the Ethernet test set, ths algorthm detects no WLAN host for all the traces, ndcatng that t has no false postves. Ths demonstrates that, although ths algorthm s derved usng analytcal results n Secton IV (n a settng where the recever s one hop away from the router), t s accurate n more general settngs (the Ethernet hosts n the Computer Scence buldng are three hops away from the gateway router). Ths s not surprsng snce ths algorthm s based on an extremely conservatve analyss (assumng that the sngle Ethernet lnk s full utlzed). For the WLAN test set, of all the hosts wth at least one ACK-par, ths algorthm detects 60% to 76% of them as WLAN hosts. Table IV presents the expermental results for the WLAN test set. In general, ths algorthm requres more ACK-pars and longer tme to make a detecton than the algorthm that requres tranng. C. Scalablty Study We nvestgate the scalablty of our approach by examnng the CPU and memory usage on the PC that runs the detecton algorthms (the confguraton of the PC s descrbed n Secton VII-A). Durng onlne evaluaton, we sample the CPU usage at the measurement PC every 30 seconds. The Fg. 6. CDF Maxmum number of un ACKed data packets CDF of the number of tems n the unacked-data-packet queues. maxmum CPU usage s 9.1% (we have made no specal efforts to optmze our mplementaton), ndcatng that the measurement task s well wthn the capablty of a commodty PC. For memory usage, we nvestgate the space taken by the unacked-data-packet queues snce the memory usage manly comes from storng these queues (see Secton VI). Fg. 6 plots the CDF of the maxmum number of tems n each queue for the trace collected on 10/20/2006 (results for other traces are smlar). Ths trace was collected over 7 hours and captures 1.8 mllon TCP flows for the IP addresses beng montored (the maxmum number of concurrent flows s 8244). We observe that most of the queues are very short: 90% of them have less than 3 tems, ndcatng a very low memory usage (each data tem only keeps 14 bytes of data; see Secton VI-A). However, we also observe some long queues. We conjecture that these long queues are due to routng changes or abnormal behavors n the routes. As an optmzaton to our onlne detecton system, we can dscard unacked-data-packet queues longer than a certan threshold.

10 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX TABLE III ONLINE EVALUATION OF SEQUENTIAL HYPOTHESIS TEST WITH TRAINING (10/25/ /27/2006). 10/25/ /26/ /27/2006 WLAN Ethernet WLAN Ethernet WLAN Ethernet Avg. # of ACK-pars for a detecton Avg. # of data pkts for a detecton Medan detecton tme (sec) Number of detectons 23, 266 5, , , , 628 2, 948 Correct detecton rato 99.58% 99.93% 98.44% 99.92% 99.72% 99.76% ACK-par rato 2% 11% 2% 13% 2% 12% TABLE IV EVALUATION OF SEQUENTIAL HYPOTHESIS TEST WITHOUT TRAINING ON WLANS. Date 10/18/ /19/ /20/2006 Detecton rato 68% 76% 60% Avg. # of ACK-pars for a detecton Avg. # of data pkts for a detecton Medan detecton tme (sec) Number of detectons 3, 259 6, 539 2, 722 D. Detectng Wreless Networks behnd NAT We now demonstrate that our approach s equally applcable to detect wreless networks behnd a NAT box. Note that schemes based on MAC addresses (e.g., [9], [4], [10]) fal to detect ths type of wreless traffc, snce all traffc gong through a NAT box have the same MAC address (.e., the MAC address of the NAT box). We look at NAT boxes n two settngs, one confgured by ourselves and the other beng used n the Computer Scence Department. 1) Self-confgured NAT: We confgure a Lnux host A as a NAT box. Host A has two network nterfaces, an Ethernet card and a ZCOMAX ArRunner/XI b wreless card. The Ethernet nterface connects drectly to the Internet. The wreless card s confgured to the master mode usng Host AP [5] so that t acts as an AP. We then set up two laptops B and C to access the Internet through the wreless card of A. When host B or C accesses the Internet, ts packets frst reach host A. Host A then translates the addresses of these packets and forwards them to the Internet through ts Ethernet card. We conduct an experment wth the above setup on 10/26/2006. The experment lasts for about two mnutes. We observe 163 ACK-pars. Among them, 92% of the ACKpars are from web traffc va port 80. The remanng ACKpars are from port 1935, whch s used by Macromeda Flash Communcaton Server MX for the RTMP (Real-Tme Messagng Protocol). The sequental hypothess test wth tranng makes 37 onlne detectons, all as WLAN host. On average, one detecton s made for every 4 ACK-pars. The above results demonstrate that our test can effectvely detect wreless networks behnd NAT boxes. 2) NATs n the Computer Scence Department: Two NAT boxes n the Computer Scence Department provde a free local network to users n the department. A host may use ether Ethernet or WLAN to connect to a NAT box. All traffc through a NAT box wll have the IP address of the NAT box. We montor the IP addresses of these two NAT boxes. Our offlne detecton (from 10/18/2006 to 10/20/2006) and onlne detecton (from 10/25/2006 to 10/27/2006) both ndcate a mxture of WLAN and Ethernet connectons. The ACKpar ratos are hgher than that of WLAN and lower than that of Ethernet hosts, whch are consstent wth the settng that these two NAT boxes provde both WLAN and Ethernet connectons. E. Detectng Connecton-type Swtchngs We next explore a scenaro where an end host swtches between wred and wreless connectons. Our goal s to examne whether our detecton approach can accurately report the connecton-type swtchngs. We use an IBM laptop wth both 100 Mbps Ethernet and 54 Mbps g WLAN connectons. Ths laptop uses a web crawler to download the frst 200 web fles from cnn.com (8.3 Mbytes of data) usng Ethernet, and then swtches to WLAN to download the frst 200 web fles from nytmes.com (6.5 Mbytes of data). Ths process s repeated for three tmes. We run sequental hypothess test wth tranng usng T = 240µs, K = 10 6 and N = 100. Our algorthm makes 284 detectons, 283 correct and one ncorrect. The correct detecton rato s 99.65%. Ths demonstrates that our approach s stll effectve when a host swtches between usng Ethernet and WLAN. F. Detecton under Hgh CPU, Dsk or Network Utlzatons We now nvestgate the performance of our approach when an end host has very hgh CPU, dsk or network utlzatons. The reason for consderng these three factors s that they may drectly and/or ndrectly affect packet arrval tmes at the montorng pont (e.g., a hgh CPU or dsk utlzaton affects packet generaton tmes at the end host, whch further affects packet arrval tmes at the montorng pont), and hence may affect the performance of our approach.

11 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX For the above purpose, we stress ether the CPU, dsk or network connecton of an end host, whle downloadng the frst 200 web fles from cnn.com usng a web crawler at the host. For each scenaro, we conduct experments for both Ethernet and WLAN connectons and detect the connecton type usng sequental hypothess test wth tranng. All experments are conducted on an IBM laptop wth both a 100 Mbps Ethernet and a 54 Mbps g WLAN connecton card. We stress the CPU (utlzaton reachng 100%) by runnng an nfnte loop. For the Ethernet connecton, we observe 1077 ACK-pars and 53 detectons. For the WLAN connecton, we observe 921 ACK-pars and 123 detectons. All the detectons are correct. We stress the hard dsk by runnng a vrus scannng program that scans the dsk. For the Ethernet connecton, we observe 1158 ACK-pars and 57 detectons. For the WLAN connecton, we observe 872 ACK-pars and 84 detectons. Agan, all the detectons are correct. To stress the network connecton, we conduct two sets of experments, one stressng the downlnk drecton by downloadng a large fle from the local network; the other stressng the uplnk drecton by uploadng a large fle to the local network. Note that both cases only generate traffc n the local network, whch s not captured at the montorng pont, and hence does not nterfere wth data montorng. When stressng the downlnk, we observe 848 ACK-pars and 42 detectons for the Ethernet connecton; 660 ACK-pars and 72 detectons for the WLAN connecton. When stressng the uplnk, we observe 438 ACK-pars and 21 detectons for the Ethernet connecton; 487 ACK-pars and 46 detectons for the WLAN connecton. All the detectons are correct. When stressng ether the downlnk or uplnk, we observe sgnfcantly less ACK-pars than those when stressng CPU or dsk. Ths s due to cross traffc generated by the local downloadng or uploadng actvtes. We also observe less ACK-pars when stressng the uplnk than those when stressng the downlnk. Ths s because the uploadng data packets may be nserted between ACKs and lead to less ACK-pars. In summary, the above results ndcate that our detecton approach s effectve even when end hosts have hgh CPU, hard dsk or network utlzatons. IX. DISCUSSION We next dscuss several ssues related to usng our algorthms n practce. A. Heterogeneous Ethernet Backbone The algorthm that requres tranng can be easly extended to a network that supports heterogeneous Ethernet (e.g., 10 Mpbs, 100 Mbps and 1Gbps Ethernet) as follows. Consder a network that supports both 10 Mbps and 100 Mbps Ethernet. In ths case, we obtan the nter-ack tme dstrbutons for both 10 Mbps and 100 Mbps Ethernet through ther correspondng tranng sets. The algorthm calculates two lkelhood ratos, for 10 Mbps and 100 Mbps Ethernet over WLAN, respectvely. The decson s that a host uses 10 Mbps Ethernet, 100 Mbps Ethernet, or WLAN. B. Locaton of Montorng Pont If an nsttuton provdes separate Ethernet and WLAN networks (e.g., for securty purposes), we need to place two montorng ponts, at the gateway routers for the Ethernet and WLAN, respectvely. If a local network s multhomed, and the ncomng and outgong traffc do not traverse the same access lnk, we need to montor multple access lnks smultaneously (recent montorng equpment has ths capablty). C. Usng Our Algorthms n Future Networks A natural queston s whether our algorthms wll stll be effectve n the future, when the bandwdths of Ethernet and WLAN ncrease, and WLAN mght provde smlar or even hgher bandwdth than Ethernet. Our algorthm that requres tranng wll stll be effectve as long as the nter-ack tme dstrbutons of Ethernet and WLAN are suffcently dfferent. For nstance, t s lkely to be effectve n dfferentatng 100 Mbps Ethernet and the emergng n, snce n stll uses CSMA-CA and the wreless channel s half duplex. Our algorthm that requres no tranng s based on the analytcal results of 100 Mbps Ethernet and uses medan nter-ack tme. It mght become less effectve when the bandwdth of WLAN technology approaches or exceeds the bandwdth of Ethernet. X. CONCLUSIONS AND FUTURE WORK In ths paper, we have proposed two onlne algorthms, one requres tranng whle the other does not, to detect wreless traffc based on realtme passve measurements collected at a montorng pont. Extensve experments demonstrated that the algorthm that requres tranng provdes rapd detecton and s extremely accurate; the algorthm that does not requre tranng detects 60%-76% of the wreless hosts wthout any false postves; both algorthms have low computaton and storage overhead. Furthermore, our scheme can detect connecton-type swtchngs and wreless networks behnd a NAT box, and remans effectve for end hosts wth hgh CPU, dsk or network utlzatons. As future work, we are explorng n the followng three drectons: (1) optmze the mplementaton of our algorthms for speed and even lower memory usage; (2) evaluate the performance of our algorthms when a router shapes the traffc (e.g., t may prortze ncomng traffc for QoS consderatons); and (3) explore the mpact of moblty on dfferentatng WLAN and Ethernet traffc. ACKNOWLEDGEMENTS A prelmnary verson of ths paper appeared n IMC 2007 [38]. Ths research was supported n part by the Natonal Scence Foundaton under NSF grants ANI , ANI , ANI , CNS , CNS , CNS , and EIA , and NSF CAREER award Any opnons, fndngs, and conclusons or recommendatons expressed n ths materal are those of the authors and do not necessarly reflect the vews of the fundng agences. We would lke to thank Prof. Rchard S. Ells (UMass, Amherst) and Prof. Guanlng Chen (UMass, Lowell) for

12 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX helpful dscusson. Last, we wsh to thank Rck Tuthll from the Offce of Informaton Technology at UMass, Amherst, for helpng us understand the UMass network archtecture, and for nstallng and managng the montorng equpment. APPENDIX I PROOF OF THEOREM 1 In the Ethernet settng, we gnore the transmsson tme of an ACK snce t s neglgble. For convenence, we ntroduce a tme unt of 30 µs. Measurement studes show that the average packet sze on the Internet s between 300 and 400 bytes [34], [29]. For ease of calculaton, we assume that all cross-traffc packets are 375 bytes. Then the transmsson tme of a crosstraffc packet on a 100 Mbps lnk s 1 tme unt. Recall that A denotes the nter-ack tme of ACKs A 1 and A 3. We dscretze A usng the tme unt and denote the dscretzed value as I A, that s, I A = A /30. Let D denote the nter-departure tme of packets P 1 and P 3 at queue Q D (.e., the queue at the router n the drecton of data packets). Smlarly, we dscretze D and denote the dscretzed value as I D, that s, I D = D /30. We next state three lemmas that are used to prove Theorem 1. Lemma 1: Let Z = I D 8. When ρ D = 1, Z follows a Posson dstrbuton wth the mean of 8 tme unts. Proof: I D contans two components. One component s the transmsson tme of packets P 1 and P 2 at queue Q D, whch s 2 120/30 = 8 tme unts. The other component s the (dscretzed) transmsson tme of the cross-traffc packets that arrve between P 1 and P 3 at queue Q D, denoted as Z. Then Z = I D 8. By the M/D/1 queue assumpton, Z follows a Posson dstrbuton. Furthermore, snce the nterarrval tme of P 1 and P 3 at queue Q D s 2 120/30 = 8 tme unts, on average, 8 cross-traffc packets arrve between P 1 and P 3 at queue Q D. Ths s because, gven ρ D = 1, the arrval rate of cross-traffc packets at queue Q D s 1 packet per tme unt, equal to the processng rate. Therefore, the mean of Z s 8 tme unts. Lemma 2: Suppose I D = x tme unts. When ρ A = 1, the condtonal dstrbuton of I A gven I D follows a Posson dstrbuton wth the mean of x tme unts. Proof: From Fg. 2(a), I A s the same as the nterdeparture tme of ACKs A 1 and A 3 at queue Q A. Snce we assume no other traffc between the router and the recever, the nter-arrval tme of ACKs A 1 and A 3 at queue Q A s the same as I D. Therefore, gven that I D = x tme unts, the number of cross-traffc packets arrvng between A 1 and A 3 at queue Q A follows a Posson dstrbuton wth the mean of x tme unts (followng a reasonng smlar to the proof for Lemma 1). Therefore, the condtonal dstrbuton of I A gven I D = x follows a Posson dstrbuton wth the mean of x tme unts. Lemma 3: When ρ D = ρ A = 1, 8 y 8 e 8 x y e y P(I A x) = (y 8)!! y=8 =0 Proof: Ths follows drectly from Lemmas 1 and 2. We now proceed to prove Theorem 1. Proof: We frst prove the theorem when ρ D = ρ A = 1. Under ths condton, from Lemma 3, by drect calculaton, we have P(I A > 20) = P( A > 600 µs) < We next prove that the theorem also holds when 0 < ρ D < 1 or 0 < ρ A < 1. When 0 < ρ D < 1, the nter-departure tme of data packets P 1 and P 3 at queue Q D s no more than that when ρ D = 1. Smlarly, when 0 < ρ A < 1, the nter-departure tme of ACKs A 1 and A 3 at queue Q A s no more than that when ρ A = 1. Therefore, P( A > 600 µs) < 0.18 also holds when 0 < ρ D < 1 or 0 < ρ A < 1. APPENDIX II PROOF OF THEOREM 2 We frst present a lemma that s used to prove Theorem 2. Lemma 4: Let g(n, q) = n ( n ) = (n+1)/2 q (1 q) n. Then g(n, q) s an ncreasng functon of q, where 0 q 1. Furthermore, lm n g q (n) = 1 for q > 1/2. Proof: We frst prove the monotoncty of the functon g(n, q) wth respect to q. g(n, q) n n! = q!(n )! q 1 (1 q) n = = = = (n+1)/2 n 1 = (n+1)/2 n = (n+1)/2 n 1 = (n+1)/2 n 1 j= (n+1)/2 1 n 1 = (n+1)/2 n!!(n )! (n )q (1 q) n 1 n! ( 1)!(n )! q 1 (1 q) n n!!(n 1)! q (1 q) n 1 n! j!(n j 1)! qj (1 q) n j 1 n!!(n 1)! q (1 q) n 1 n!q (n+1)/2 1 (1 q) n (n+1)/2 ( (n + 1)/2 1)!(n (n + 1)/2 )! 0 Hence g(n, q) s an ncreasng functon of q, 0 q 1. We now prove the second part of the lemma. Assume that {X } s a set of..d Bernoull random varables wth P(X = 1) = q. By the defnton of a bnomal dstrbuton, ( n =1 g q (n) = P X ) (n + 1)/2 1. We have n =1 X n (n/2) + 1 =1 X n (n + 1)/2 =1 X n/2 n. By the strong law of large numbers, we also have n =1 lm X n n (n/2) + 1 = lm =1 X = 2q a.e. n n/2 Therefore, lm n n =1 X (n + 1)/2 = 2q a.e.

13 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX Snce almost sure convergence mples convergence n probablty [33], we have ( n lm P =1 X ) n (n + 1)/2 2q ǫ = 0 ǫ > 0, whch s equvalent to ( n lm P =1 X ) n (n + 1)/2 (2q ǫ, 2q + ǫ) = 1 ǫ > 0. Snce for q > 1/2 and 0 < ǫ < 2q 1, we have ( n =1 1 g q (n) = P X ) (n + 1)/2 1 ( n =1 P X ) (n + 1)/2 (2q ǫ, 2q + ǫ). It follows that lm n g q (n) = 1 for q > 1/2. We now prove Theorem 2. Let (1) A,..., (n) A be the ordered statstc of A 1,..., A n n the ascendng order. For smplcty, we use ξ ṇ 5 ( A) = ( (n+1)/2 ) A regardless of n beng even or odd. Proof: Let u = P( A 600 µs). n ( ) n P(ξ ṇ 5( A ) 600 µs) = u (1 u) n = (n+1)/2 = g(n, u), where g(n, u) s as defned n Lemma 4. By Lemma 4, g(n, q) s an ncreasng functon of q for 0 q 1. By Theorem 1, we know u > = Therefore, we have g(n, u) g(n, 0.82). Hence, P(ξ ṇ 5( A ) 600 µs) g(n, 0.82). By drect calculaton, we have P(ξ ṇ 5 ( A) 600 µs) 1 for 43 n 100. Furthermore, snce 0.82 > 1/2, by Lemma 4, we have lm n P(ξ ṇ 5 ( A) 600 µs) = 1. APPENDIX III PROOF OF THEOREM 3 Before provng Theorem 3, we frst state a lemma that s used n the proof. Lemma 5: Let D,+1 represent the nter-arrval tme of data packets P and P +1 at the AP, = 1, 2, 3. Then P( D,+1 < 1570 µs) 1, P( D,+1 < 325 µs) Proof: Let I,+1 D be the dscretzed value of D,+1,.e., I,+1 D = D,+1 /30. When ρ D = 1, smlar to the proof of Lemma 1, we can show that I,+1 D follows a Posson dstrbuton wth the parameter of 4 tme unts. Then P( D,+1 < 1570µs) > P(I,+1 D = 52) = 52 x=4 4x 4 e 4 (x 4)! 1. When ρ D < 1, the value of D,+1 s less than that when ρ D = 1, and hence P( D,+1 < 1570µs) 1 also holds. Smlarly, we obtan P( D,+1 < 325 µs) We now prove Theorem 3. Proof: Let C denote the condton that D, µs, = 1, 2, 3. Under ths condton, P +1 arrves at the AP before the AP fnshes transmttng P, snce the MAC servce tme of a data packet s at least 1570 µs n 11 Mbps b. Assumng ndependence, we have 3 P(C) = 1570 µs). =1 P( D,+1 From Lemma 5, P(C) 1. Let C denote the complementary condton of C. Then P( A > 600 µs) = P( A > 600 µs C)P(C) + P( A > 600 µs P( A > 600 µs C)P(C) P( A > 600 µs C) C)P( C) We now derve P( A 600 µs C). To satsfy A 600 µs, no data packet can be transmtted between ACKs A 1 and A 3, snce the transmsson tme of a data packet s at least 1570 µs. Therefore, only the followng two sequences are possble: P 2 P 3 A 1 A 3 P 4 and P 2 P 3 P 4 A 1 A 3. We frst derve the probablty that the frst sequence occurs gven condton C. Snce P 2 arrves at the AP before the AP fnshes transmttng P 1, the recever and the AP contend for the wreless channel: the recever needs to transmt ACK A 1 (whch s generated correspondng to packet P 1 ) whle the AP needs to transmt packet P 2. Let φ denote the probablty that A 1 obtans the channel earler than P 2. Snce ths probablty can be affected by many factors (e.g., the tmng when A 1 reaches the MAC layer, when packet P 2 can be transmtted), we assume φ can take any value n [0, 1]. When P 2 transmts earler than A 1, A 1 wll contend wth packet P 3 for the wreless channel. In ths case, we assume that A 1 and P 3 are equally lkely to wn the contenton, snce they can both be transmtted mmedately. To summarze, the probablty that P 2 and P 3 are earler than A 1 s (1 φ) 1/2, the probablty that A 1 and A 3 are earler than P 4 s 1/2 φ (for smlar reasons as descrbed earler). Therefore, the probablty that the frst sequence occurs gven C s (1 φ) 1/2 1/2 φ = φ(1 φ)/4. For the second sequence, the probablty of havng P 2 and P 3 earler than A 1 s (1 φ) 1/2; the probablty that P 4 s earler than A 1 s 1/2. Therefore, the probablty that the second sequence occurs s (1 φ) 1/2 1/2 = (1 φ)/4. In both sequences, to satsfy A 600 µs, we also requre the MAC servce tme of A 3 to be less than 600 µs. The probablty of ths condton beng satsfed s ( )/620 = 92/620. Therefore, P( A 600 µs C) = [φ(1 φ)/4 + (1 φ)/4]92/620 = 1 4 (1 φ2 ) < Hence, P( A > 600 µs) P( A > 600 µs C) > > APPENDIX IV PROOF OF THEOREM 4 Proof: The proof s smlar to that of Theorem 3. Let C denote the condton that D, µs, = 1, 2, 3. Under ths condton, P +1 arrves at the AP before the AP fnshes transmttng P, snce the MAC servce tme of a data packet s at least 325 µs n 54 Mbps g. Then assumng ndependence and from Lemma 5, P(C) We now obtan P( A 600 µs C). To satsfy A 600 µs, there can be at most one data packet transmtted between ACKs A 1 and A 3, snce the mnmum transmsson tme of

14 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, XXX two data packets and one ACK exceeds 600 µs. Ths constrant leads to the followng four possble sequences: P 2 P 3 A 1 A 3 P 4, P 2 P 3 P 4 A 1 A 3, P 2 A 1 P 3 A 3 P 4, and P 2 P 3 A 1 P 4 A 3. The frst two sequences are the same as those n the proof of Theorem 3. They occur wth respectvely the probabltes of φ(1 φ)/4 and (1 φ)/4, where φ s the probablty that ACK A 1 transmts earler than P 2. Followng a smlar reasonng as that n the proof of Theorem 3, the probablty that the thrd sequence occurs s (1 φ) 1/2 1 φ = φ(1 φ)/2, and the probablty that the last sequence occurs s (1 φ) 1/2 1/2 1/2 = (1 φ)/8. For the frst two sequences, we have A 600 µs. For the thrd sequence, to satsfy A 600 µs, we need the total MAC servce tme of P 3 and A 3 to be below 600 µs. Smlarly, for the fourth sequence, to satsfy A 600 µs, we need the total MAC servce tme of P 4 and A 3 to be below 600 µs. Let X and Y denote respectvely the MAC servce tme of a data packet and an ACK. Then for both the thrd and the fourth sequences, we need X+Y 600 µs. Let α = P(X+Y 600 µs). As descrbed n Secton IV-D, X and Y are unformly dstrbuted n [325, 460] µs and [109, 244] µs, respectvely. Then, by a standard technque, we have α = Hence P( A 600 µs C) = φ(1 φ)/4 + (1 φ)/4 + αφ(1 φ)/2 + α(1 φ)/8 = ( 87718φ φ )/ Therefore, P( A > 600 µs) P( A > 600 µs C)P(C) > (1 0.37) = REFERENCES [1] ArDefense, Wreless LAN Securty. [2] ArMagnet. [3] ArWave, ArWave Management Platform. [4] Csco Wreless LAN Soluton Engne (WLSE). [5] Host AP. [6] [7] Mcrosoft Wndows 2000 TCP/IP mplementaton detals, deploy/depovg/tcpp2k.mspx. [8] NetStumbler. [9] Rogue Access Pont Detecton: Automatcally Detect and Manage Wreless Threats to Your Network. [10] A. Adya, V. Bahl, R. Chandra, and L. Qu. Archtecture and technques for dagnosng faults n IEEE nfrastructure networks. In Proc. of ACM MobCom, September [11] P. Bahl, R. Chandra, J. Padhye, L. Ravndranath, M. Sngh, A. Wolman, and B. Zll. Enhancng the securty of corporate W-F networks usng DAIR. In Proc. of ACM MobSys, June [12] V. Baamonte, K. Papagannak, and G. Iannaccone. Detectng wreless hosts from remote passve observatons. In Proc. IFIP/TC6 Networkng, Atlanta, GE, May [13] R. Beyah, S. Kangude, G. Yu, B. Strckland, and J. Copeland. Rogue access pont detecton usng temporal traffc characterstcs. In GLOBE- COM, December [14] A. A. Cardenas, S. Radosavac, and J. S. Baras. An analytcal evaluaton of MAC layer msbehavor detecton schemes. In Proc. of IEEE INFOCOM, Anchorage, Alaska, May [15] G. Casella and R. L. Berger. Statstcal Inference. Duxbury Thomson Learnng, [16] R. Chandra, J. Padhye, A. Wolman, and B. Zll. A locaton-based management system for enterprse wreless LANs. In Proc. of Networked Systems Desgn & Implementaton (NSDI), Aprl [17] W. Chen, Y. Huang, B. F. Rbero, K. Suh, H. Zhang, E. de Souza e Slva, J. Kurose, and D. Towsley. Explotng the IPID feld to nfer network path and end-system characterstcs. In Proceedngs of Passve & Actve Measurement Workshop (PAM 2005), Boston, MA, [18] L. Cheng and I. Marsc. Fuzzy reasonng for wreless awareness. Internatonal Journal of Wreless Informaton Networks, 8(1), [19] Y.-C. Cheng, J. Bellardo, P. Benko, A. C. Snoeren, G. M. Voelker, and S. Savage. Jgsaw: Solvng the puzzle of enterprse analyss. In Proc. of ACM SIGCOMM, Psa, Italy, September [20] S. Garg, M. Kappes, and A. S. Krshnakumar. On the effect of contenton-wndow szes n IEEE b networks. Techncal Report ALR , Avaya Labs Research, [21] IEEE , a, b standards for wreless local area networks. [22] S. Jaswal, G. Iannaccone, C. Dot, J. Kurose, and D. Towsley. Measurement and classfcaton of out-of-sequence packets n a ter-1 IP backbone. In Proc. of IEEE INFOCOM, March [23] S. Jaswal, G. Iannaccone, C. Dot, J. Kurose, and D. Towsley. Inferrng TCP connecton characterstcs through passve measurements. In Proc. of IEEE INFOCOM, March [24] J. Jung, V. Paxson, A. W. Berger, and H. Balakrshnan. Fast portscan detecton usng sequental hypothess testng. In Proc. IEEE Symposum on Securty and Prvacy, May [25] M. L, I. Koutsopoulos, and R. Poovendran. Optmal jammng attacks and network defense polces n wreless sensor networks. In Proc. of IEEE INFOCOM, Anchorage, Alaska, May [26] L. Ma, A. Y. Teymoran, and X. Cheng. A hybrd rogue access pont protecton framework for commodty W-F networks. In Proc. of IEEE INFOCOM, Aprl [27] R. Mahajan, M. Rodrg, D. Wetherall, and J. Zahorjan. Analyzng the MAC-level behavor of wreless networks n the wld. In Proc. of ACM SIGCOMM, Psa, Italy, September [28] C. Mano, A. Blach, Q. Lao, Y. Jang, D. Salyers, D. Ceslak, and A. Stregel. RIPPS: Rogue dentfyng packet payload slcer detectng unauthorzed wreless hosts through network traffc condtonng. ACM Transactons on Informaton Systems and Securty, 11(2), March [29] Packet trace analyss. [30] S. Radosavac, J. Baras, and I.Koutsopoulos. A framework for MAC protocol msbehavor detecton n wreless networks. In Proc. of ACM Workshop on Wreless Securty (WSe), Cologne, Germany, September [31] P. Sarolaht and A. Kuznetsov. Congeston control n Lnux TCP. In Proc. of USENIX, June [32] A. Sheth, C. Doerr, D. Grunwald, R. Han, and D. C. Scker. MOJO: A dstrbuted physcal layer anomaly detecton system for WLANs. In Proc. of ACM MobSys, June [33] A. N. Shryaev. Probablty. Sprnger, second edton, [34] K. Thompson, G. Mller, and R. Wlder. Wde-area Internet traffc patterns and characterstcs. IEEE Network, 11(6):10 23, Nov./Dec [35] A. Wald. Sequental Analyss. J. Wley & Sons, [36] W. We, S. Jaswal, J. Kurose, and D. Towsley. Identfyng traffc from passve measurements usng teratve Bayesan nference. Techncal Report 05-47, Department of Computer Scence, Unversty of Massachusetts, Amherst, [37] W. We, S. Jaswal, J. Kurose, and D. Towsley. Identfyng traffc from passve measurements usng teratve Bayesan nference. In Proc. of IEEE INFOCOM, Aprl [38] W. We, K. Suh, B. Wang, Y. Gu, J. Kurose, and D. Towsley. Passve onlne rogue access pont detecton usng sequental hypothess testng wth TCP ACK-pars. In Proc. of ACM SIGCOMM Internet Measurement Conference (IMC), October [39] W. We, B. Wang, C. Zhang, J. Kurose, and D. Towsley. Classfcaton of access network types: Ethernet, wreless LAN, ADSL, cable modem or dalup? In Proc. of IEEE INFOCOM, March [40] J. Yeo, M. Youssef, and A. Agrawala. A framework for wreless LAN montorng and ts applcatons. In Proc. of ACM Workshop on Wreless Securty (WSe), October [41] J. Yeo, M. Youssef, T. Henderson, and A. Agrawala. An accurate technque for measurng the wreless sde of wreless networks. In Proc. of USENIX/ACM Workshop on Wreless Traffc Measurements and Modelng (WTMeMo), June [42] H. Yn, G. Chen, and J. Wang. Detectng protected layer-3 rogue APs. In Proc. of IEEE Internatonal Conference on Broadband Communcatons, Networks, and Systems (BROADNETS), Ralegh, NC, September 2007.