Post on 23-Dec-2015
1
Mapping the Urban Wireless Landscape with Argos
Ian Rose, Matt Welshianrose@eecs.harvard.edu
mdw@eecs.harvard.edu
2
h
Motivation
WiFi devices are extremely popular; usage continues to grow dramatically.
Wireless is increasingly pervasive – no longer just indoors – and diverse.
3
Motivation
Suppose we had a global view of a city's wireless traffic... What kind of questions might we ask?
What are user's mobility patterns? How does traffic and usage vary by device type
(phone vs. laptop) or setting (cafe vs. bus)? How much malware is present in wireless
networks?
4
The Big Picture
Deploy WiFi sniffers across a large urban area Sniffers capture wireless traffic, merge
individual traces into a global view, run custom user queries
Our deployment: CitySense network 26 sniffers in Cambridge, MA using wireless
mesh for network connectivity
5
Hardware Implementation
SBC: Soekris net4826 or ALIX 2c2
CM9 2.4 GHz + 8 dBi antenna for sniffer
XR9 900 MHz + 6 dBi antenna for mesh
Power from streetlights or wall sockets
7
Challenges
Poor packet capture rates from individual sniffers
Scalability, esp. regarding sniffer nodes' backhaul connectivity.
Monitored population is quite diverse, exhibits large temporal and spatial variance
8
Privacy Concerns
There is an (obvious) big privacy concern here. One goal: understand privacy vs. research
tradeoffs Also, understand the capabilities of systems like
this (whether for “good” or for “evil”) -- what are the actual risks/dangers?
Identifying fields obfuscated by the system (IP address, MAC)
9
Architecture: User Queries
User queries are expressed as a dataflow graph of packet processing operators.
Think Click Modular Router or stream processing engines
Let's consider a simple example:
“stolen laptop finder”
10
Architecture: Collecting Packets
Naive method:All sniffers stream captured packets to server for merging and user queries.
Sniffer network w/ wireless mesh backhaul:
12
Trace merging like this is pretty standard practice (e.g. Jigsaw, Wit, Yeo et al. '04)
In wired sniffer networks: all captured packets are collected at a central location for merging
Architecture: Trace Merging
Expensive or impossible to do with a low-bw backhaul!
How can we merge in the network?
13
Architecture: In-Network Processing
Option #1: Centralized Merging Option #2: In-Network MergingThis reduces b/w somewhat, as it eliminates duplicates, but we can do much better!
14
Architecture: User Queries
Split user queries into sniffer and server dataflows (similar to Wishbone [NSDI '09])
15
Option #3: In-Network Merging and user queriesSo how does this help?
Big b/w savings by sending only query outputs back to server.(90% is common)
Architecture: In-Network Processing
16
Main points: Merging packets in-network saves some b/w But the big savings come from running user
queries in-network A few complications glossed over here
(discussed in paper)
Architecture: In-Network Processing
18
There are 11 radio channels (802.11b/g) We need channel policies to determine when to
change the radio channel
Architecture: Channel Management
When particularly interesting traffic is detected, sniffers can also recruit nearby sniffers to focus all on one channel to maximize capture
19
Sample Query
Would not work right with packets from merged tap -- requires all (and only) locally captured packets.
Done!
20
Performance Evaluation: Summary
In-network Traffic Processing leads to a more even distribution of traffic load over
network links; bottleneck links greatly reduced allows sniffer networks to scale to a greater offered
load (monitored population) Channel Focusing
increases network-wide capture of small windows of “interesting” traffic in some cases (no advantage in other cases)
21
Performance Evaluation
In-network processing evaluated analytically
25 sniffers in grid Wired sink in center Variable # sources
(placed randomly) Empirically-derived
traffic model
Max. link load 8x higher in centralized case
22
Case Studies
Popular websites and search patterns Malicious traffic Tracking public transportation services
Commuter trains Private bus lines
Wireless client fingerprinting
Popular websites and search patterns Malicious traffic Tracking public transportation services
Commuter trains Private bus lines
Wireless client fingerprinting
23
Case Study: Train Tracking
LTRX_IBSS^@^@^@^@^@MuffinMITRA-PC_NetworkshafanaliSaleeqahpsetupBrooklineWirelessARTSHOPMBTA_WiFi_Coach0365_Box-076MBTA_WiFi_Coach0389_Box-180Free Public WiFiVerizon MiFi MNRGaneshLINKSYSMBTA_WiFi_Coach0227_Box-038MBTA_WiFi_Coachnnnn_Box-050Coach0385_Box-068skandoMBTA_Wifi_Coach1612_Box-143
LTRX_IBSS^@^@^@^@^@MuffinMITRA-PC_NetworkshafanaliSaleeqahpsetupBrooklineWirelessARTSHOPMBTA_WiFi_Coach0365_Box-076MBTA_WiFi_Coach0389_Box-180Free Public WiFiVerizon MiFi MNRGaneshLINKSYSMBTA_WiFi_Coach0227_Box-038MBTA_WiFi_Coachnnnn_Box-050Coach0385_Box-068skandoMBTA_Wifi_Coach1612_Box-143
25
Case Study: Train Tracking
From captured traffic, try to predict: when trains passed by their direction of travel
Use published train schedule as “gold standard” (probably not 100% accurate!)
Over a 24 hour test, all 34 trains detected successfully
time estimates usually accurate to within ~5 min. direction estimates: 25 correct, 4 incorrect
26
Case Study: User Fingerprinting
WiFi devices send Probe Requests to search for known networks
By capturing these and geolocating the named networks (via www.wigle.net) we can fingerprint user's movements
Rank Unique Nets Locatable1 7431 49 282 87 48 113 370 46 104 632 47 105 120 47 0
Probe ReqsTulsa OKChicago ILUKBelgium
trainsOregonMass.Austin TX
27
Related Work
Wardriving: wide spatial coverage, but no temporal coverage (Akella et al. - MobiCom '05, Han et al. - IMC '08)
Dense indoor monitoring: good temporal coverage and high capture fidelity, but limited spatial coverage (Jigsaw & Wit – Sigcomm '06)
28
Conclusions
Urban wireless capture is a difficult business – Argos shows that the technique is possible via: in-network merging & user queries to reduce traffic intelligent 802.11 channel control
Our case studies demonstrate Argos' utility, but many more opportunities exist
Future work: improved anonymity guarantees other sniffer types (vehicular, mobile phone, etc.)