Abstract

Distinguishing between wireless and wired traffic in a network middlebox is an essential ingredient for numerous applications, including security monitoring and quality-of-service (QoS) provisioning. The majority of existing approaches exploit the larger delay statistics observed in wireless traffic, such as round-trip time and inter-packet arrival time, to infer whether the traffic originates from Ethernet (i.e., wired) or Wi-Fi (i.e., wireless), based on the assumption that the wireless link is much slower than the wired link. However, this underlying assumption is no longer valid due to increases in wireless data rates to over Gbps, enabled by recent Wi-Fi technologies such as 802.11ac/ax. In this paper, we revisit the problem of identifying Wi-Fi traffic in network middleboxes as the wireless link capacity approaches that of the wired link. We present Weigh-in-Motion, a lightweight online detection scheme that analyzes the traffic patterns observed at the middleboxes and infers whether the traffic originates from high-speed Wi-Fi devices. To this end, we introduce the concept of ACKBunch, which captures the unique characteristics of high-speed Wi-Fi and is used to distinguish whether the observed traffic originates from a wired or wireless device. The effectiveness of the proposed scheme is evaluated via extensive real experiments, demonstrating its capability of accurately identifying wireless traffic from/to Gigabit 802.11 devices.

Highlights

  • The use of Bring Your Own Device (BYOD) policies, which allow company employees to bring unmanaged personal devices into their workspace and connect them to internal networks, has been increasing over the years [1,2].

  • We focus on the following problem: “Given observations of a mixture of wired and wireless traffic, can we identify the traffic transmitted over a Gigabit Wi-Fi network?” To answer this question, we aim to design an online lightweight traffic classifier that analyzes the traffic patterns observed at the monitoring modules and identifies whether the traffic originated from a Gbps Wi-Fi network such as 802.11ac or from a wired network such as Ethernet.

  • It implies that packets transmitted over the 802.11ac link are aggregated by the aggregate MAC-level protocol data unit (A-MPDU) frame aggregation mechanism, forming a unique inter-packet time distribution, or traffic profile, different from that of wired traffic.
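A minimal sketch of the bunching idea described above, added here as an example; it is not the paper's Weigh-in-Motion algorithm or its ACKBunch definition. It groups ACK arrival times seen at a middlebox into back-to-back bunches and flags flows whose ACKs arrive mostly in bunches. The function names, all three thresholds and both sample flows are assumptions constructed for illustration.

```python
from statistics import mean

# Assumed values for illustration only; neither threshold comes from the paper.
INTRA_BUNCH_GAP_NS = 5_000   # ACKs at most this far apart belong to one bunch
MIN_MEAN_BUNCH = 3.0         # mean bunch size at which a flow looks aggregated
MIN_ACKS = 10                # refuse to judge a flow on fewer ACKs than this


def ack_bunches(arrivals_ns, gap_ns=INTRA_BUNCH_GAP_NS):
    """Group ACK arrival times (integer ns) into runs of back-to-back ACKs."""
    bunches = []
    for ts in sorted(arrivals_ns):
        if bunches and ts - bunches[-1][-1] <= gap_ns:
            bunches[-1].append(ts)
        else:
            bunches.append([ts])
    return bunches


def bunch_profile(arrivals_ns):
    """Summarise bunch sizes for one flow, or return None if too few ACKs."""
    if len(arrivals_ns) < MIN_ACKS:
        return None
    sizes = [len(b) for b in ack_bunches(arrivals_ns)]
    return {
        "bunches": len(sizes),
        "mean_size": mean(sizes),
        "max_size": max(sizes),
        "bunched_fraction": sum(s for s in sizes if s > 1) / len(arrivals_ns),
    }


def looks_aggregated(arrivals_ns):
    """True when ACKs arrive mostly in bunches, as frame aggregation would cause."""
    p = bunch_profile(arrivals_ns)
    return p is not None and p["mean_size"] >= MIN_MEAN_BUNCH


# Constructed samples (not measurements). Wired: one ACK every 24 us.
WIRED = [i * 24_000 for i in range(40)]
# Wi-Fi: 5 bunches of 8 ACKs 700 ns apart, one bunch every 400 us.
WIFI = [b * 400_000 + i * 700 for b in range(5) for i in range(8)]

if __name__ == "__main__":
    for name, flow in (("wired", WIRED), ("wifi", WIFI)):
        print(name, bunch_profile(flow), looks_aggregated(flow))
```

Integer nanosecond timestamps keep the gap comparison exact; a real monitor would need to choose the gap relative to its own capture timestamp resolution.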


Summary

Introduction

The use of Bring Your Own Device (BYOD) policies, which allow company employees to bring unmanaged personal devices into their workspace and connect them to internal networks, has been increasing over the years [1,2]. A rogue AP is an unauthorized AP connected to an organization’s network that is not under the management of the network administrator; it is often deployed by employees wanting unfettered wireless access [4]. It can be created by malicious insiders to conduct attacks such as denial of service (DoS) and data theft, thereby creating a security hazard [4,5]. For this reason, it is critical for most organizations to detect rogue APs to defend against ever-increasing potential security threats. We overview related work on traffic classification methods and introduce the background of high-speed 802.11 networks.
