3 research outputs found

    Understanding the WiFi usage of university students

    In this work, we analyze the use of a WiFi network deployed in a large-scale technical university. To this extent, we leverage three weeks of WiFi traffic data logs and characterize the spatio-temporal correlation of the traffic at different granularities (each individual access point, groups of access points, entire network). The spatial correlation of traffic across nearby access points is also assessed. Then, we search for distinctive fingerprints left on the WiFi traffic by different situations/conditions; namely, we answer the following questions: Do students attending a lecture use the wireless network in a different way than students not attending a lecture?, and Is there any difference in the usage of the wireless network during architecture or engineering classes? A supervised learning approach based on Quadratic Discriminant Analysis (QDA) is used to classify empty vs. occupied rooms and engineering vs. architecture lectures using only WiFi traffic logs with promising results

    Passive classification of Wi-Fi enabled devices

    We propose a method for classifying Wi-Fi enabled mobile handheld devices (smartphones) and non-handheld devices (laptops) in a completely passive way, that is, resorting neither to traffic probes on network edge devices nor to deep packet inspection techniques to read application layer information. Instead, classification is performed starting from probe request Wi-Fi frames, which can be sniffed with inexpensive commercial hardware. We extract distinctive features from probe request frames (how many probe requests are transmitted by each device, how frequently, etc.) and take a machine learning approach, training four different classifiers to recognize the two types of devices. We compare the performance of the different classifiers and identify a solution based on a Random Decision Forest that correctly classifies devices 95% of the time. The classification method is then used as a pre-processing stage to analyze network traffic traces from the wireless network of a university building, with interesting considerations on the way different types of devices use the network (amount of data exchanged, duration of connections, etc.). The proposed methodology finds application in many scenarios related to Wi-Fi network management/optimization and Wi-Fi based services.

    Device-type Profiling using Packet Inter-Arrival Time for Network Access Control

    Network Access Control (NAC) systems are technologies and defined policies typically established to control the access of devices attempting to connect to enterprise networks. However, NAC limitations have led to security threats that can lead to illegal and unauthorised access to networks as well as insider misuse. Current NAC configuration settings rely on point of entry authentication systems including passwords, biometrics, two-factor, and multi-factor authentication to protect employees, but this reliance can lead to security susceptibilities that can significantly damage enterprise network systems. In addition, incorporating NAC into the growing Bring Your Own Device (BYOD) paradigm further increases the security threats, vulnerabilities and risks potentials in enterprise network environments. Regardless of any existing security solutions, such as antimalware, anti-virus and intrusion detection and prevention systems, security issues continue to rise within BYOD, with a proportionate increase in consequences and impacts. This thesis explores novel solution paths to the above challenges by investigating device-type fingerprinting and behaviour profiling to improve the security of NAC. This is achieved by proposing a novel Intelligent Filtering Technique (IFT) that uses packet Inter-Arrival Time (IAT) data for smartphones, tablets and laptops to profile and identify abnormal patterns based on device-types. The IFT is composed of three data mining algorithms, namely K-means clustering, clustering-based multivariate gaussian outlier score, and long short-term memory networks algorithms. These algorithms are capable of identifying abnormal inter-arrival time patterns based on device-types. 
The effectiveness of the proposed technique is evaluated using a combination of datasets from different network traffic protocols, such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP). To the author’s knowledge, this is the only technique to date that can identify abnormal inter-arrival time patterns based on the device-type. The new technique can improve intrusion detection system capabilities and outcomes by using device-type profiling to reduce the false positive rates of detected abnormal patterns.