A Non-Intrusive Cyber Physical Social Sensing Solution to People Behavior Tracking: Mechanism, Prototype, and Field Experiments

sensors

Article A Non-Intrusive Cyber Physical Social Sensing Solution to People Behavior Tracking: Mechanism, Prototype, and Field Experiments

Yunjian Jia 1,*, Zhenyu Zhou 2,*, Fei Chen 1, Peng Duan 1, Zhen Guo 3 and Shahid Mumtaz 4 1 College of Communication Engineering, Chongqing University, Chongqing 400044, China; [email protected] (F.C.); [email protected] (P.D.) 2 School of Electrical and Electronic Engineering, North China Electric Power University, Beijing 102206, China 3 Guoxin Tendering Group Co., Ltd., Beijing 100044, China; [email protected] 4 Instituto de Telecomunicações, Campus Universitário de Santiago, Aveiro 3810-193, Portugal; [email protected] * Correspondence: [email protected] (Y.J.); [email protected] (Z.Z.); Tel.: +86-23-6510-5059 (Y.J.)

Academic Editors: Mianxiong Dong, Zhi Liu, Anfeng Liu and Didier El Baz Received: 31 October 2016; Accepted: 21 December 2016; Published: 13 January 2017 Abstract: Tracking people’s behaviors is a main category of cyber physical social sensing (CPSS)-related people-centric applications. Most tracking methods utilize camera networks or sensors built into mobile devices such as global positioning system (GPS) and Bluetooth. In this article, we propose a non-intrusive wireless fidelity (Wi-Fi)-based tracking method. To show the feasibility, we target tracking people’s access behaviors in Wi-Fi networks, which has drawn a lot of interest from the academy and industry recently. Existing methods used for acquiring access traces either provide very limited visibility into media access control (MAC)-level transmission dynamics or sometimes are inflexible and costly. In this article, we present a passive CPSS system operating in a non-intrusive, flexible, and simplified manner to overcome above limitations. We have implemented the prototype on the off-the-shelf personal computer, and performed real-world deployment experiments. The experimental results show that the method is feasible, and people’s access behaviors can be correctly tracked within a one-second delay.

Keywords: passive cyber physical social sensing (CPSS); wireless ﬁdelity (Wi-Fi); people behavior tracking; non-intrusive

1. Introduction Cyber-physical systems (CPSs) have emerged as a promising research paradigm [1] which integrates computing, communication and control, that has become a new generation intelligent system. With the extensive development of network applications, CPS has been further integrated, which facilitates the seamless integration between networks and human society. In this context, people, machines, and information systems need to be urgently integrated [2–4], which leads to the creation of cyber-physical-social systems [5,6]. On the other hand, with the extensive penetration and integration of personalized mobile devices (e.g., wearable devices, smartphones) in people’s daily lives, people have become the most sensitive social sensors. Therefore, sensing people’s social information has become a new paradigm of cyber physical social system-related applications, called cyber physical social sensing (CPSS) [7,8]. CPSS is designed to operate in conjunction with and in service of people. It leverages the sensed information collected by sensing nodes and aggregates it for recognizing people’s behaviors (e.g., mobility pattern), and in turn provides people with a higher level of combined information or services, which simpliﬁes people’s lives. The rapid development of mobile devices with various

Sensors 2017, 17, 143; doi:10.3390/s17010143 www.mdpi.com/journal/sensors Sensors 2017, 17, 143 2 of 18 sensors is the catalyst to promote CPSS to form a context-aware or social-aware mobile wireless sensor network. Many open issues have been studied, such as energy efficiency optimization [9], security attacks [10,11], etc. Among them, the technology utilized to sense or track people’s behavior attracts more attention. CPSS allows people to collect and share information using cyber devices intuitively [12]. In contrast to it, in this article, we explore how to track people’s behaviors without people actively participating in the activity, namely, passive tracking. Comparisons between different people tracking technologies are summarized in Table1. Due to many attractive features, such as non-intrusive (third-party) and high positioning precision, camera networks are widely used for tracking people’s behaviors [13,14]. However, camera-based methods require line of sight (LOS), and cannot be deployed flexibly. Radio frequency identification (RFID) [15] and IEEE 802.15.4/ZigBee sensor networks [16] can also be utilized as tracking methods. The tracking systems based on them use electronic tags carried by people, and tag readers deployed in the area of interest. They can perform in non-line of sight (NLOS) manner and can be deployed flexibly. However, all these technologies are intrusive. Given the popularity of mobile devices today, there has been a growing interest in tracking people’s behaviors through all kinds of sensors built into mobile devices [17], such as global positioning system (GPS), Wireless Fidelity (Wi-Fi), and Bluetooth, etc. GPS has been used in people tracking [17] in a participatory manner, however, it rarely works indoors. Bluetooth-based tracking methods [18] are available indoors, and the tracking mechanism is similar to that of RFID or ZigBee, therefore, the method is also considered intrusive. In addition, cellular signals can be also used to track people’s behaviors [19,20], and the tracking is performed on the network side. However, there exist many limits in this method, such as intrusiveness, poor positioning precision, and inflexible deployment. Wi-Fi has been ubiquitously deployed, especially in public areas such as airports, shopping centers, etc. In addition, almost all of the mobile devices integrate Wi-Fi functionality. In this context, Wi-Fi-based sensing networks have become the world’s largest wireless sensor networks. Researchers have also utilized Wi-Fi to do participatory CPSS [21]. However, in our work, we focus on passive CPSS using Wi-Fi.

Table 1. Comparison between different people tracking technologies.

Tracking Methods Pros Cons

• High positioning precision • Need people to participate GPS [17] (participatory) • Low-cost to deploy • Rarely works indoors

• High positioning precision • Need people to participate Wi-Fi [21] (participatory) • Low-cost to deploy • Need special software

• Non-intrusive • LOS • High positioning precision Camera [13,14] (passive) • Inﬂexible deployment • No devices carried by people

• NLOS • Intrusive RFID [15] (passive) • Flexible deployment • Dedicated devices • High positioning precision carried by people

• NLOS • Intrusive ZigBee [16] (passive) • Flexible deployment • Dedicated devices • High positioning precision carried by people Sensors 2017, 17, 143 3 of 18

Table 1. Cont.

Tracking Methods Pros Cons

• NLOS • Intrusive Bluetooth [18] (passive) • Flexible deployment • Dedicated devices • High positioning precision carried by people

• Intrusive • NLOS • Poor positioning precision Cellular signal [19,20] (passive) • Wide Coverage • Inﬂexible deployment • Widely deployed infrastructures • Common devices carried by people

• Non-intrusive • NLOS • Common devices • Flexible deployment Proposed system (passive) carried by people • Relatively high positioning precision

Wi-Fi-enabled mobile devices, carried by people, discontinuously send out Wi-Fi messages, even when not connecting with any access point (AP). The presence of people can be identified by sensing these messages. Furthermore, each Wi-Fi-enabled mobile device is equipped with a wireless network adapter, which contains a universal unique device identifier, a media access control (MAC) address. Almost all of the Wi-Fi messages encapsulate the MAC address, with which different people can be distinguished [22]. By placing a dedicated set of hardware devices called monitors dispersed in areas of interest to sense Wi-Fi messages, people’s behaviors can be tracked. One typical application is Wi-Fi-based indoor localization [23], in which Wi-Fi received signal strength (RSS) is utilized by Wi-Fi monitors to identify the locations of people with Wi-Fi devices. To show the feasibility of the Wi-Fi-based passive CPSS approach, we performed a case study that tracked people’s access behaviors in Wi-Fi networks. Analyzing people’s access behaviors has attracted significant attention recently [24–35]. This can be beneficial in many aspects, such as assessment of wireless network utilization, site planning, and design for intelligent and robust wireless network protocols. Therefore, there is a pressing need to characterize and understand people’s access behaviors, including access or exit time, session duration, and other access details, etc. Previous studies have focused on mobility and association pattern analysis based on the traces collected from Wi-Fi networks through different methods. These methods can be mainly classified into four categories: wired monitoring, polling based on simple network-management protocol (SNMP), specialized applications on the Wi-Fi device, and AP syslog. Wired monitoring collects Wi-Fi traffic at the wired portion adjacent to APs. Schwab et al. [24] presented a method to capture and analyze traffic patterns on a campus Wi-Fi network, based on the traces collected via wired monitoring. Wired monitoring can provide accurate and detailed traces. However, the monitor has to build physical connections with the networks, making this approach inconvenient to deploy. In addition, wired monitoring provides very limited visibility into MAC-level transmission dynamics. The approach we propose adopts passive monitoring, which means the monitors can be deployed flexibly without having to build any connection with the network. SNMP polling is another popular method. Based on the SNMP traces, user mobility patterns in a large corporate Wi-Fi networks were explored in [27]. The study in [30] examined the utilization of Wi-Fi hotspot networks based on the SNMP traces. However, SNMP polls data typically at intervals of minutes. Therefore, some instantaneous transmission dynamics might be lost. Wi-Fi devices with specialized applications can also participate in the trace collection [32]. However, this method suffers from some limitations. First, the assumption that people are willing to install these applications is not always true. Second, these applications may Sensors 2017, 17, 143 4 of 18 involve modifying drivers, which is complex and costly. Furthermore, the applications run in the Wi-Fi device may need sufficient storage capacity, and incur high energy consumption. Researchers have also used AP syslog [33,35] to characterize and analyze access patterns. However, it is insufficient to expose the MAC-level transmission dynamics of Wi-Fi networks, such as the retransmission and some other details of transmission events. Some works utilized these methods simultaneously. Researchers in [25] analyzed user behavior and network performance in a public-area wireless network based on traces from SNMP and wired monitoring. In [26] researchers analyzed the usage of a mature campus Wi-Fi network based on traces from syslog, SNMP polling, and tcpdump sniffers. Furthermore, some researchers [28,29,31] have modeled user mobility and association patterns in university campus Wi-Fi networks, based on the traces from SNMP and AP syslog. However, none of them can sense the transmissions from Wi-Fi devices which do not build connection with any AP. In this article, we develop a passive CPSS system operating in a non-intrusive, flexible, and simplified manner to tracking people’s access behaviors in Wi-Fi networks. Through this system we ease the way to collect detailed access traces with low cost and high flexibility such that brings us closer to understanding people’s access patterns and behaviors in Wi-Fi networks. The contributions are summarized as follows:

• We propose a Wi-Fi based passive CPSS approach for tracking people’s behaviors. The approach works in a non-intrusive, flexible, and simplified manner, and has the ability to provide deep visibility into MAC-level transmission dynamics between Wi-Fi devices and APs. Specifically, it tracks people’s behaviors by sensing Wi-Fi messages from mobile devices people carry with. By extracting the information from these Wi-Fi messages, more data can be obtained. • Based on the approach, we design a non-intrusive CPSS system. The system works as a third-party monitor, and can be deployed conveniently and cost-effectively. To show the feasibility, we use the system to track people’s access behaviors in Wi-Fi networks. We design the system architecture, and propose a two-sized sliding window algorithm, with which the unreliable information, caused by the loss and retransmission of the 802.11 frame, can be eliminated from the tracked traces. In addition, we design a policy to judge the validness of an access operation. • We implement the system on the off-the-shelf PC, without changing the hardware or firmware. We also evaluate the system in real Wi-Fi networks. The results show that the system can track people’s access behaviors accurately.

The rest of this article is organized as follows: Section2 introduces the system description and some deﬁnitions. The architecture and implementation details of the proposed system are given in Section3. In Section4, the prototype of the system and the experimental results are presented. Finally, we present our conclusions and outlook in Section5.

2. System Description The target Wi-Fi networks we consider in this article are unencrypted or encrypted by Wi-Fi protected access or Wi-Fi protected access 2 in pre-shared key mode (WPA/WPA2-PSK), which are ubiquitously being deployed in airports, shopping malls, and cafes, etc. As shown in Figure1, the system we designed works as a third-party monitor. It tracks the access behaviors of nearby Wi-Fi users, and extracts the access information, including access time, exit time, and some other details. The extracted information will be elaborated in detail subsequently, as illustrated in Section 3.3. Sensors 2017, 17, 143 4 of 17

tracks people’s behaviors by sensing Wi-Fi messages from mobile devices people carry with. By extracting the information from these Wi-Fi messages, more data can be obtained.  Based on the approach, we design a non-intrusive CPSS system. The system works as a third- party monitor, and can be deployed conveniently and cost-effectively. To show the feasibility, we use the system to track people’s access behaviors in Wi-Fi networks. We design the system architecture, and propose a two-sized sliding window algorithm, with which the unreliable information, caused by the loss and retransmission of the 802.11 frame, can be eliminated from the tracked traces. In addition, we design a policy to judge the validness of an access operation.  We implement the system on the off-the-shelf PC, without changing the hardware or firmware. We also evaluate the system in real Wi-Fi networks. The results show that the system can track people’s access behaviors accurately. The rest of this article is organized as follows: Section 2 introduces the system description and some definitions. The architecture and implementation details of the proposed system are given in Section 3. In Section 4, the prototype of the system and the experimental results are presented. Finally, we present our conclusions and outlook in Section 5.

2. System Description The target Wi-Fi networks we consider in this article are unencrypted or encrypted by Wi-Fi protected access or Wi-Fi protected access 2 in pre-shared key mode (WPA/WPA2-PSK), which are ubiquitously being deployed in airports, shopping malls, and cafes, etc. As shown in Figure 1, the system we designed works as a third-party monitor. It tracks the access behaviors of nearby Wi-Fi users, and extracts the access information, including access time, exit time, and some other details. SensorsThe extracted2017, 17, 143 information will be elaborated in detail subsequently, as illustrated in Section 3.3.5 of 18

Figure 1. Description of formulating people’s access behaviors in Wi-Fi networks.networks.

For the convenience of of description, description, we we give give the the common common 802.11 802.11 state state diagram diagram first, ﬁrst, as asshown shown in inFigure Figure 2. 2A. Wi-Fi A Wi-Fi device device usually usually works works in three in three states, states, and andeach each state state is a successively is a successively higher higher point pointin the indevelopment the development of an IEEE of an 802.11 IEEE connection. 802.11 connection. Frames are Frames also divided are also into divided different into classes. different The classes.Wi-Fi device The starts Wi-Fi in device state 1, starts and data in state can be 1, tran andsmitted data can through be transmitted a distribution through system a distributiononly in state system3. The Wi-Fi only indevice state changes 3. The the Wi-Fi state device by exchangi changesng the different state by frames exchanging with the different AP. When frames a device with thetries AP. to Whenaccess aan device AP, it tries exchanges to access the an Authentica AP, it exchangestion frame the Authentication with the AP first, frame and with then the sends AP ﬁrst, the andAssociation/Re-association then sends the Association/Re-association Request frame to the Request AP, the frame AP toreplies the AP, with the APthe repliesAssociation/Re- with the Association/Re-associationassociation Response frame. ResponseThe Disassociation frame. The or Disassociation De-authentication or De-authentication frame can be used frame to abort can the be usedconnection.Sensors to 2017 abort, 17 , the143 connection. 5 of 17

State 1 Class 1 frames or Unauthenticated authentication failure and unassociated Successful Deauthentication authentication State 2 Class 1 and 2 frames or Deauthentication Authenticated association failure and unassociated Successful Disassociation association State 3 Class 1, 2, and 3 Authenticated frames and associated Figure 2. Overall 802.11 state diagram. Figure 2. Overall 802.11 state diagram.

We make some definitions about people’s access and exit operations from an AP, as illustrated We make some definitions about people’s access and exit operations from an AP, as illustrated subsequently. For the sake of simplicity, we define Association/Re-association Response frame and subsequently. For the sake of simplicity, we define Association/Re-association Response frame and Disassociation/De-authentication frame as the access frame and exit frame, respectively. We define Disassociation/De-authentication frame as the access frame and exit frame, respectively. We define the access frame and the exit frame reception time on the monitor side as the approximation of the the access frame and the exit frame reception time on the monitor side as the approximation of the actual occurrence time of the access and exit event on the Wi-Fi device side. Therefore, there is a delay actual occurrence time of the access and exit event on the Wi-Fi device side. Therefore, there is a delay between them. The delay changes under different wireless environment. For example, the delay may between them. The delay changes under different wireless environment. For example, the delay may get longer if the wireless networks congest, or vice versa. get longer if the wireless networks congest, or vice versa. Figure 3a shows the procedures of accessing an encrypted AP. The Wi-Fi device scans the AP Figure3a shows the procedures of accessing an encrypted AP. The Wi-Fi device scans the AP first. After finding the AP, the device tries to build a connection with the AP, and it starts with first. After finding the AP, the device tries to build a connection with the AP, and it starts with authentication with the AP. Open system authentication can always succeed. Then, the device sends association/re-association request to the AP, and the AP replies with the access frame. Whether an association operation succeeds or not is denoted by the Status Code field in the header of the access frame. The Status Code field is set to 0 when an association/re-association operation succeeds and nonzero on failure. If the association/re-association succeeds, there is a process of 4-way handshake between the AP and the device, which is used for key exchange. The device can exchange data with the AP only if 4-way handshake succeeds. Figure 3b illustrates the process of 4-way handshake. The AP distributes keys to the Wi-Fi device using extensible authentication protocol over LAN-key (EAPOL-Key) messages encapsulated in quality of service (QoS) Data frames. If 4-way handshake fails, there are several execution loops including steps 1 and 2 in Figure 3b, without step 3 and 4. Then the device or the AP sends the exit frame to the other side to abort the connection. Note that the access procedures for a Wi-Fi device in unencrypted Wi-Fi networks only include access point scanning, open system authentication, and association/re-association process in Figure 3a.

Device AP AP Device

Access Point Scanning Step 1: EAPOL-Key 1

Open System Authentication Step 2: EAPOL-Key 2

Association Process Step 3: EAPOL-Key 3

4 - Way Handshake Step 4: EAPOL-Key 4

(a) (b)

Figure 3. Procedures of accessing an encrypted AP. (a) Access procedures; (b) The 4-way handshake.

Sensors 2017, 17, 143 5 of 17

We make some definitions about people’s access and exit operations from an AP, as illustrated subsequently. For the sake of simplicity, we define Association/Re-association Response frame and Disassociation/De-authentication frame as the access frame and exit frame, respectively. We define the access frame and the exit frame reception time on the monitor side as the approximation of the actual occurrence time of the access and exit event on the Wi-Fi device side. Therefore, there is a delay between them. The delay changes under different wireless environment. For example, the delay may get longer if the wireless networks congest, or vice versa. Figure 3a shows the procedures of accessing an encrypted AP. The Wi-Fi device scans the AP first. After finding the AP, the device tries to build a connection with the AP, and it starts with authentication with the AP. Open system authentication can always succeed. Then, the device sends association/re-association request to the AP, and the AP replies with the access frame. Whether an association operation succeeds or not is denoted by the Status Code field in the header of the access frame. The Status Code field is set to 0 when an association/re-association operation succeeds and Sensorsnonzero2017 on, 17 failure., 143 If the association/re-association succeeds, there is a process of 4-way handshake6 of 18 between the AP and the device, which is used for key exchange. The device can exchange data with the AP only if 4-way handshake succeeds. authenticationFigure 3b illustrates with the AP. the Openprocess system of 4-way authentication handshake. can The always AP distributes succeed. keys Then, to thethe deviceWi-Fi device sends usingassociation/re-association extensible authentication request protocol to the AP,over and LAN-key the AP replies(EAPOL-Key) with the messages access frame. encapsulated Whether anin qualityassociation of service operation (QoS) succeeds Data frames. or not isIf denoted 4-way handshake by the Status fails, Code there ﬁeld are in several the header execution of the accessloops includingframe. The steps Status 1 and Code 2 in ﬁeld Figure is set 3b, to without 0 when step an association/re-association 3 and 4. Then the device or operation the AP sends succeeds the andexit framenonzero to onthe failure. other side If the to association/re-associationabort the connection. Note succeeds,that the access there procedures is a process for of4-way a Wi-Fi handshake device in unencryptedbetween the APWi-Fi and networks the device, only which include is used access for keypoint exchange. scanning, The open device system can authentication, exchange data withand association/re-associationthe AP only if 4-way handshake process succeeds. in Figure 3a.

Device AP AP Device

Access Point Scanning Step 1: EAPOL-Key 1

Open System Authentication Step 2: EAPOL-Key 2

Association Process Step 3: EAPOL-Key 3

4 - Way Handshake Step 4: EAPOL-Key 4

(a) (b)

Figure 3. Procedures of accessing an encrypted AP. (a) Access procedures; (b) The 4-way handshake. Figure 3. Procedures of accessing an encrypted AP. (a) Access procedures; (b) The 4-way handshake.

Figure3b illustrates the process of 4-way handshake. The AP distributes keys to the Wi-Fi device using extensible authentication protocol over LAN-key (EAPOL-Key) messages encapsulated in quality of service (QoS) Data frames. If 4-way handshake fails, there are several execution loops including steps 1 and 2 in Figure3b, without step 3 and 4. Then the device or the AP sends the exit frame to the other side to abort the connection. Note that the access procedures for a Wi-Fi device in unencrypted Wi-Fi networks only include access point scanning, open system authentication, and association/re-association process in Figure3a. However, the access operation for a Wi-Fi device is not always valid. When a device tries to access an encrypted AP, if the 4-way handshake fails, the device still cannot exchange data with the AP, although the association/re-association succeeds. Therefore, the access operation for the device is invalid. If a Wi-Fi device associates with an unencrypted AP successfully, the access operation is valid. If a Wi-Fi device associates with an encrypted AP successfully, and the 4-way handshake succeeds, then the access operation for the device is valid. However, if the 4-way handshake fails, though the association succeeds, the access operation for the device is invalid.

3. System Design The aim of this section is to describe in details the system. The proposed system is shown in Figure4 and is explained below. The system has three key components, namely, wireless frame collecting, frame processing, and information storage. Wireless frame collecting captures 802.11 MAC frames in Wi-Fi networks. Frame processing is responsible for selecting frames related to people’s access behaviors from the captured frames and extracting useful information from each selected frame. Information storage stores the extracted information into database. Furthermore, the two-sized sliding window algorithm and the judging policy for access validness are implemented in information cleansing. Sensors 2017, 17, 143 6 of 17

However, the access operation for a Wi-Fi device is not always valid. When a device tries to access an encrypted AP, if the 4-way handshake fails, the device still cannot exchange data with the AP, although the association/re-association succeeds. Therefore, the access operation for the device is invalid. If a Wi-Fi device associates with an unencrypted AP successfully, the access operation is valid. If a Wi-Fi device associates with an encrypted AP successfully, and the 4-way handshake succeeds, then the access operation for the device is valid. However, if the 4-way handshake fails, though the association succeeds, the access operation for the device is invalid.

3. System Design The aim of this section is to describe in details the system. The proposed system is shown in Figure 4 and is explained below. The system has three key components, namely, wireless frame collecting, frame processing, and information storage. Wireless frame collecting captures 802.11 MAC frames in Wi-Fi networks. Frame processing is responsible for selecting frames related to people’s access behaviors from the captured frames and extracting useful information from each selected frame. Information storage stores the extracted information into database. Furthermore, the two- sized sliding window algorithm and the judging policy for access validness are implemented in Sensors 2017, 17, 143 7 of 18 information cleansing.

Customizable Application

Frame Processing Association/Reassociation Response Information Frame Filtering Disassociation or Deauthentication Cleansing QoS Data with EAPOL-Key Information Extracting

Database Wireless Frame Collecting

AP #1 . . . AP #n Device #1 . . . Device #n

Figure 4. Overview of system architecture.

3.1. Wireless Frame Collecting Capturing 802.11 MAC frames in Wi-Fi networks can be realized via the monitormonitor mode of thethe wirelesswireless networknetwork adapter.adapter. MonitorMonitor modemode [[36]36] allowsallows aa wireless network adapter to monitor all traffictraffic received fromfrom Wi-FiWi-Fi networksnetworks inin aa non-intrusivenon-intrusive manner.manner. UsuallyUsually whetherwhether aa wirelesswireless adapteradapter isis ableable toto operateoperate inin monitormonitor modemode oror notnot dependsdepends onon itsits driver,driver, firmware,firmware, andand chipsetchipset features.features. DifferentDifferent operating systems show different featuresfeatures forfor supportingsupporting monitormonitor mode.mode. For example, the networknetwork driver interface specificationspecification onon older Windows versionsversions doesdoes not support any extensions for wireless monitor mode, whereas Windows VistaVista andand laterlater versionsversions ofof WindowsWindows do.do. Some Unix-like operating systems provideprovide interfacesinterfaces forfor manymany driversdrivers (i.e.,(i.e., 802.11 drivers) that support monitor mode, such as Linux, FreeBSD, NetBSD,NetBSD, OpenBSD,OpenBSD, DragonFlyDragonFly Bsd,Bsd, andand MacMac OSOS XX 10.410.4 andand laterlater releases.releases. The wayway toto enableenable the the monitor monitor mode mode varies varies from from the the type type of theof the operating operating system. system. For For example, example, the monitorthe monitor mode mode of a wirelessof a wireless network network adapter adapter can be can enabled be enabled by command by command lines on Linux,lines on or Linux, by invoking or by functioninvoking libraries function that libraries comprises that application comprises programmingapplication programming interface (API) interface for capturing (API) network for capturing traffic (i.e.,network Winpcap traffic on (i.e., Windows, Winpcap Libpcap on Windows, on Linux). Libpca Besides,p on some Linux). packet Besides, analyzer some applications packet analyzer such as OmniPeek,applications CommView, such as OmniPeek, and Wireshark CommView, (i.e., on and Windows Wireshark or Linux)(i.e., on can Windows also be utilized.or Linux) can also be utilized.After enabling the monitor mode, a computer with a wireless network adapter can monitor all wireless frames that flow through the adapter in Wi-Fi networks. The APIs provided by function libraries, or packet analyzers can be utilized to store the captured packets in pcap files. In this article,

Linux is used as the operating system, under which the wireless network adapter with monitor mode works. And APIs of function libraries are invoked to operate the adapter and process the collected frames.

3.2. Frame Processing Frame processing includes frame filtering and information extracting. In frame filtering, we select frames related to people’s access behaviors from captured frames, including Association/Re-association Response frames, Disassociation frames, De-authentication frames, and QoS Data frames that encapsulate EAPOL-Key messages, based on the frame format. These frames use generic frame format [37], and each can be identified by the six-bit Type and Subtype fields, as shown in Figure5. Table2 shows how the Type and Subtype identifiers are used for different frames. In Table2, bit strings are written most-significant bit first, which is the reverse of the order used in Figure5. Sensors 2017, 17, 143 7 of 17

After enabling the monitor mode, a computer with a wireless network adapter can monitor all wireless frames that flow through the adapter in Wi-Fi networks. The APIs provided by function libraries, or packet analyzers can be utilized to store the captured packets in pcap files. In this article, Linux is used as the operating system, under which the wireless network adapter with monitor mode works. And APIs of function libraries are invoked to operate the adapter and process the collected frames.

3.2. Frame Processing

Frame processing includes frame filtering and information extracting. In frame filtering, we select frames related to people’s access behaviors from captured frames, including Association/Re- association Response frames, Disassociation frames, De-authentication frames, and QoS Data frames that encapsulate EAPOL-Key messages, based on the frame format. These frames use generic frame format [37], and each can be identified by the six-bit Type and Subtype fields, as shown in Figure 5.

TableSensors 20172 shows, 17, 143 how the Type and Subtype identifiers are used for different frames. In Table 2,8 ofbit 18 strings are written most-significant bit first, which is the reverse of the order used in Figure 5.

802.11 Header bytes 2 2 6 6 6 22 0-2312 4 Frame Add- Add- Add- Sequence QoS Frame Duration FCS Control ress1 ress2 ress3 Control Control Body

bits 224 3 1 4 bytes 2 2 2 2 variable Pro- Sub- Re- Reason Status Info Type ...... tocol type try Code Code Elements Figure 5. Generic 802.11 frame format. Figure 5. Generic 802.11 frame format.

To identify which EAPOL-Key message a QoS Data frame encapsulates, the Ethernet Type field Table 2. Information fields description. and the Secure Flag field in the QoS Data frame can be used, as shown in Figure 6. The code 0x888e is assignedType to EAPOL, Subtype and the Secure Frame Flag Name is set to bit 1 Address1 when the message Address2 is EAPOL-Key Address3 3 or EAPOL- Key 4. Therefore,00 we 0001 can distinguish Association differen Responset QoS Data Destination frames using Sourceabove description. BSSID 00 0011 Reassociation Response Destination Source BSSID 00 1010Table Disassociation 2. Information fields Destination description. Source BSSID 00 1100 Deauthentication Destination Source BSSID Type10 Subtype 1000 QoS Frame Data(from Name AP) Destination Address1 BSSIDAddress2 Address3 Source 10 1000 QoS Data(to AP) BSSID Source Destination 00 0001 Association Response Destination Source BSSID 00 0011 Reassociation Response Destination Source BSSID To identify00 which1010 EAPOL-Key Disassociation message a QoS Data Destination frame encapsulates, Source the EthernetBSSID Type field and the Secure Flag field in the QoS Data frame can be used, as shown in Figure6. The code 0x888e 00 1100 Deauthentication Destination Source BSSID is assigned to EAPOL, and the Secure Flag is set to bit 1 when the message is EAPOL-Key 3 or 10 1000 QoS Data(from AP) Destination BSSID Source EAPOL-Key 4. Therefore, we can distinguish different QoS Data frames using above description. Sensors 201710, 17 , 143 1000 QoS Data(to AP) BSSID Source Destination 8 of 17

bytes 26 6 2 1 1 2 variable 4 Then in information extracting,802.11 SNAP useful Ethernet informatio Ver- Packetn from Body each Packet selected frame is extracted. As FCS shown in Table 2, each frameHeader includesHeader threeType addressions fields,Type thatLength is, destinationBody address (DA), source address (SA), and basic servicebytes set identifier1 (BSSID).2 BSSID92 representsvariable the MAC address of an AP. By comparing BSSID with the DA orDescriptor SA, the MACKey a ddresses and the transmission directions of the . . . Key Data Wi-Fi device and the AP can be determined.Type Furthermore,Information the occurrence time of the access and exit event on the Wi-Fi device side can be obtained according to the assumptions defined in Section 2. bits 3 6 1 6 From time to time, frames may be retransmitted. The Retry field of the retransmitted frame is set to Descriptor . . . Secure . . . bit 1. Besides, the two-byte Status Code field ofVersion the Association/Re-associatioFlag n Response frame is set to 0 when an association operation succeeds and nonzero on failure. While the two-byte Reason Code Figure 6. Format of the QoS Data frame with the EAPOL-Key message. field of the DisassociationFigure 6. orFormat De-authentication of the QoS Data frame frame indicates with the EAPOL-Keythe reason of message. an exit operation. Status codes and reason codes have been standardized, which can be referenced in [37]. 3.3. Information Storage Then in information extracting, useful information from each selected frame is extracted.

As shownAfter inframe Table processing,2, each frame the includes information three is address stored fields, into thatdatabase. is, destination Table 3 addressillustrates (DA), the informationsource address fields (SA), stored and basicin database service in set this identifier article. (BSSID).The ValiFlag BSSID field represents is used to the denote MAC the address validness of an ofAP. an By access comparing operation. BSSID If an with access the DAoperation or SA, is the valid, MAC then addresses the field and is set the to transmission 1, otherwise, directionsset to 0. The of InOutthe Wi-Fi field device is set andto eapol12 the AP for can the be EAPOL-Key determined. 1 Furthermore,or EAPOL-Key the 2 occurrencemessage, and time is ofset the to accesseapol34 and for theexit EAPOL-Key event on the 3 Wi-Fi or EAPOL-Key device side 4 can message. be obtained according to the assumptions defined in Section2. From time to time, frames may be retransmitted. The Retry field of the retransmitted frame is set to Table 3. Information fields description. bit 1. Besides, the two-byte Status Code field of the Association/Re-association Response frame is set to 0 when anField association Name operation succeeds Description and nonzero on failure. While Illustration the two-byte Reason Code field of the DisassociationStaAdd or De-authenticationMac address of stat frameion indicates the reason0c:37:dc:d3:25:22 of an exit operation. Status codes and reasonApAdd codes have beenMac standardized, address of AP which can be referenced1c:fa:68:4e:4c:c6 in [37]. FrameInfo Frame type and direction disassociation_from_ap 3.3. InformationRecTime Storage Receiving time 2014-08-26 20:33:00 InOut Access or exit in/out/eapol12/eapol34 After frameStaCode processing, the informationStatus code isstored into database. 0-65535/65536(default) Table3 illustrates the information fields storedReaCode in database in this article.Reason The codeValiFlag field is used to 0-65535/65536(default) denote the validness of an access RetrFlag Retransmitted or not 1(retransmit)/0(not) ValiFlag Access succeeds or not 1(succeed)/0(not)/65536(default)

The access/exit information of different Wi-Fi devices stored in database is in chronological order based on the time when the system receives each access/exit frame. The information is not completely reliable. The loss and retransmission of the 802.11 MAC frame, caused by inevitable noises and electromagnetic interferences result in some unreliable information in database. Here we only consider the items stored in database with same StaAdd and ApAdd. There are five possible cases: Case 1: If the InOut fields of two adjacent items are set to in, then whatever the RetrFlag fields are set to, the first item is always unreliable. When the RetrFlag field of the second item is set to 0, it means the corresponding exit frame to the first item is lost. If the RetrFlag field the second item is set to 1, the first item is useless, and should be abandoned. Case 2: If the InOut fields of two adjacent items are different, we think they are both reliable. Case 3: If the InOut fields of two adjacent items are out, and the RetrFlag field of the second item is set to 0, then the second item is unreliable, because the corresponding access frame is lost. Case 4: For three adjacent items, if the InOut fields of the latter two are set to out, and the RetrFlag fields of the latter two are set to 0 and 1 respectively, then the unreliable item depends on the first item: (1) if the InOut field of the first item is set to in, then the second item is unreliable, because only the last retransmission is considered; and (2) if the InOut field of the first item is set to out, both of the second and third items are unreliable, and if there are more items after the third item, of which the InOut fields are set to out and the RetrFlag fields are set to 1, then these items are also unreliable, because the corresponding access frames are missing. Case 5: For three adjacent items, if the InOut fields of the latter two are set to out, and the RetrFlag fields are both set to 1, then no matter what the first item is, the second item is always unreliable. The concrete details are similar to Case 4, not tired in words here.

Sensors 2017, 17, 143 9 of 18 operation. If an access operation is valid, then the ﬁeld is set to 1, otherwise, set to 0. The InOut ﬁeld is set to eapol12 for the EAPOL-Key 1 or EAPOL-Key 2 message, and is set to eapol34 for the EAPOL-Key 3 or EAPOL-Key 4 message.

Table 3. Information ﬁelds description.

Field Name Description Illustration StaAdd Mac address of station 0c:37:dc:d3:25:22 ApAdd Mac address of AP 1c:fa:68:4e:4c:c6 FrameInfo Frame type and direction disassociation_from_ap RecTime Receiving time 2014-08-26 20:33:00 InOut Access or exit in/out/eapol12/eapol34 StaCode Status code 0-65535/65536(default) ReaCode Reason code 0-65535/65536(default) RetrFlag Retransmitted or not 1(retransmit)/0(not) ValiFlag Access succeeds or not 1(succeed)/0(not)/65536(default)

Case 1: If the InOut fields of two adjacent items are set to in, then whatever the RetrFlag fields are set to, the first item is always unreliable. When the RetrFlag field of the second item is set to 0, it means the corresponding exit frame to the first item is lost. If the RetrFlag field the second item is set to 1, the first item is useless, and should be abandoned. Case 2: If the InOut fields of two adjacent items are different, we think they are both reliable. Case 3: If the InOut fields of two adjacent items are out, and the RetrFlag field of the second item is set to 0, then the second item is unreliable, because the corresponding access frame is lost. Case 4: For three adjacent items, if the InOut fields of the latter two are set to out, and the RetrFlag fields of the latter two are set to 0 and 1 respectively, then the unreliable item depends on the first item: (1) if the InOut field of the first item is set to in, then the second item is unreliable, because only the last retransmission is considered; and (2) if the InOut field of the first item is set to out, both of the second and third items are unreliable, and if there are more items after the third item, of which the InOut fields are set to out and the RetrFlag fields are set to 1, then these items are also unreliable, because the corresponding access frames are missing. Case 5: For three adjacent items, if the InOut fields of the latter two are set to out, and the RetrFlag fields are both set to 1, then no matter what the first item is, the second item is always unreliable. The concrete details are similar to Case 4, not tired in words here.

Aiming at the above cases, two-sized sliding window algorithm is proposed as the correcting mechanism. Each time the items with same StaAdd and ApAdd in database, denoted by set S = {s0, s1,...}, are considered. Note that the items are still in chronological order. Then each two adjacent items in S from beginning to end are compared, and the unreliable items are removed. Let L = {l0, l1,...} be the unreliable item set. Algorithm 1 presents the pseudo-code of two-sized sliding window algorithm. Sensors 2017, 17, 143 9 of 17 Sensors 2017, 17, 143 9 of 17 Aiming at the above cases, two-sized sliding window algorithm is proposed as the correcting mechanism.Aiming Eachat the time above the cases, items two-sized with same sliding StaAdd window and ApAdd algorithm in database, is proposed denoted as the by correcting set = mechanism.,,…, are Each considered. time the Note items that with the itemssame areStaAdd still inand chronological ApAdd in database, order. Then denoted each two by adjacentset =

items, ,…in , are from considered. beginning Note to endthat arethe itemscompared, are still and in chronologicalthe unreliable order. items Then are removed. each two adjacentLet = Sensorsitems,,…2017 in , 17be ,from 143the beginningunreliable toitem end set. are Algorithm compared, 1 andpresents the unreliable the pseudo-code items are of removed.two-sized Let sliding10 of= 18 window,,… algorithm. be the unreliable item set. Algorithm 1 presents the pseudo-code of two-sized sliding window algorithm. AlgorithmAlgorithm 1: 1: two-sizedtwo-sized sliding sliding window window algorithm algorithm AlgorithmInput: Set of 1: itemstwo-sized sliding window algorithm Input:Output: Set Set of of items invalid items Output:Notation: Set The of lengthinvalid of items length , integer i, j, k, flag Notation:01: i←0, jThe←0, lengthk←0, flag of ← 0length , integer i, j, k, flag 01:02: iwhile←0, j← i <0, lengh k←0, – flag 1 do← 0 02:03: while if i < lengh〈 – 〉1≠ do 〈〉 /*the InOut field of */ then ← 03:04: if 〈ii + 1,〉 ≠ continue〈 〉 /*the InOut field of */ then 04:05: else ifi← i 〈+ 1, continue〉 = and 〈〉 =0 then ← ← ← 05:06: else if 〈, j 〉 =j + 1, i andi + 1 〈〉 =0 then 〈 〉 〈 〉 06:07: else if ← , j←j =+ 1, i← andi + 1 =0 then 〈〉 = 07:08: else ifif i = 〈0 or 〉 = and 〈then 〉 =0 then ← ← ← 08:09: if i = 0 or , j〈j + 1, 〉flag= 0then 09:10: else ←, j←j + 1, flag←0 10:11: else ←, j←j + 1, flag←1

11:12: for k←←i + 1 ,to j← lengthj + 1, –flag 2 do←1 12:13: for k ←if i + 1 to〈 length〉 =– 2 do and 〈〉 =1 and flag = 0 then ← ← 13:14: if 〈, j 〉j += 1 and 〈〉 =1 and flag = 0 then 14:15: else if ←〈, j←j + 〉1 = and 〈〉 =1 and flag = 1 then ← ← 15:16: else if 〈, j 〉j += 1 and 〈〉 =1 and flag = 1 then 16:17: else ← , j←j + 1 17:18: else break 18:19: i ← k break 19:20: else i←k 20:21: else ←, j←j + 1, i←i + 1

21: ←, j←j + 1, i←i + 1 However, there may exist an exceptional case: after above algorithm, in set , the InOut field of the firstHowever,However, item is therethere out, mayormay the existexist InOut an fieldexceptional of the lastcase: case: item after after is above abovein. These algorithm, algorithm, items arein in set unreliable set ,S the, the InOut InOutbecause fieldfield we of ofthecannot the first first be item itemsure isis outwhetherout, or, or the thethe InOutInOut corresponding fieldfield of of the the accesslast last item or is exit inin .frames TheseThese itemsitemsare lost areare or unreliableunreliable not, they becausebecause should we webe cannotcannotremoved be be surefrom sure whether database. whether the the corresponding corresponding access access or exit or frames exit frames are lost are or not,lost theyor not, should they be should removed be fromremoved database. from database. Algorithm 2: Judging policy for access validness AlgorithmAlgorithmInput: Set of 2: 2: itemsJudgingJudging policy policy for for access access validness validness Input:Output: Set Set of of items invalid items ℝ Output:Notation: Set The of lengthinvalid of items length ℝ , integer m, n, x, t Notation:01: m←0, The n← length0, x←0 of length, integer m, n, x, t 01:02: mwhile←0, nm← <0, length x←0 – 1 do 02:03: while if m < length〈 –〉 1= do then 〈 〉 03:04: if Find〈 the〉 =first itemthen ( = ) behind ∈, 〈〉 = 12 04:05: Findif for the first item, (〈〉 =)then behind ← ← ← 05:06: if for ∈ , , x, x〈 + 1, m〉 =n 12 + 1 then

06:07: else ←, x←x + 1, m←n + 1 07:08: else continue, m←m + 1 08: continue, m←m + 1 Algorithm 2 presents the pseudo-code of judging policy for access validness. The items with sameAlgorithm StaAdd and 2 ApAddpresents in thedatabase pseudo are-code stored of judginginto a set. policy Let =for access, ,…validness. be the Theset. Theitems output with same Algorithm StaAdd and 2 presentsApAdd in the database pseudo-code are stored of judging into a set. policy Let for= access, validness.,… be theThe set. itemsThe output with same StaAdd and ApAdd in database are stored into a set. Let = {b , b ,...} be the set. The output B 0 1 set R = {r0, r1 ...} comprises the invalid access items. If an access operation is valid, the ValiFlag field of the access item is set to 1; otherwise set it to 0. Sensors 2017, 17, 143 10 of 17 Sensors 2017, 17, 143 11 of 18 set ℝ=, … comprises the invalid access items. If an access operation is valid, the ValiFlag field of the access item is set to 1; otherwise set it to 0. 4. Experimental Demonstration 4. Experimental Demonstration This section mainly focuses on the implementation and evaluation of the system we designed. The majorThis emphasis section mainly of the experimentfocuses on the is placedimplementati on theon accuracy and evaluation verification of the of thesystem tracked we information.designed. It makesThe major sense emphasis to confirm of the this experiment issue for furtheris placed studying on the theaccuracy feasibility verification of the proposedof the tracked system. information. It makes sense to confirm this issue for further studying the feasibility of the proposed To this end, the system was prototyped and experiments were conducted on single target AP within system. To this end, the system was prototyped and experiments were conducted on single target AP real outdoor Wi-Fi networks. within real outdoor Wi-Fi networks. 4.1. Prototype Setup 4.1. Prototype Setup The proposed system is implemented on a HP Pivilion g4 PC equipped with a 2.66 GHz Intel The proposed system is implemented on a HP Pivilion g4 PC equipped with a 2.66 GHz Intel Core 2 Duo Processor. The PC is equipped with the Qualcomm Atheros AR9285 802.11b/g/n Wi-Fi Core 2 Duo Processor. The PC is equipped with the Qualcomm Atheros AR9285 802.11b/g/n Wi-Fi Adapter. The operating system (OS) is 32-bit Ubuntu LTS 12.04. Libpcap [38], a network packet capture Adapter. The operating system (OS) is 32-bit Ubuntu LTS 12.04. Libpcap [38], a network packet library,capture is invokedlibrary, is toinvoked capture to Wi-Ficapture messages. Wi-Fi message Thes. captured The captured information informatio isn stored is stored into into MySQL MySQL [39 ]. GTK[39]. + GTK toolkit + toolkit [40] is [40] used is toused create to create graphical graphical user user interface interface (GUI), (GUI), as as shown shown in in Figure Figure7 b.7b.

(a) (b)

(c)

Figure 7. Experimental setup: (a) Experiment equipment; (b) The GUI of the monitor; (c) The floor Figure 7. Experimental setup: (a) Experiment equipment; (b) The GUI of the monitor; (c) The floor plan of the experiment. plan of the experiment. We have evaluated the system in Chongqing University Library (CUL), China, in which some APsWe had have been evaluated deployed. the systemMost these in Chongqing APs were University encrypted Library by WPA/WPA2-PSK, (CUL), China, in and which less some were APs hadunencrypted. been deployed. We chose Most theseencrypted APs wereAP as encrypted the experiment by WPA/WPA2-PSK, target. The reason and why less we were did unencrypted.this choice We chose encrypted AP as the experiment target. The reason why we did this choice instead of unencrypted AP is that the access procedures on the encrypted AP comprise those on the unencrypted AP as shown in Figure3. In other words, the latter can be regarded as a special case of the former. Sensors 2017, 17, 143 1112 of 17 18 instead of unencrypted AP is that the access procedures on the encrypted AP comprise those on the unencryptedTherefore, we AP can as conduct shown experimentsin Figure 3. In on other encrypted words, AP the for latter the can accuracy be regarded verification as a special of the trackedcase of theinformation former. Therefore, without loss we ofcan generality. conduct experiments The target encrypted on encrypted AP we AP chose for the operates accuracy on verification the frequency of theof 2.412 tracked GHz. information For the issue without of monitor loss of generality. placement, The we target have placed encrypted the systemAP we chose near the operates target on AP the to frequencyincrease chances of 2.412 of GHz. people For being the monitored.issue of monitor The floor placement, plan of CULwe have is shown placed in the Figure system7c. Note near that the targetthe wireless AP to environmentincrease chances is complicated of people being and changeable, monitored. especially The floor in plan doors. of CUL The Wi-Fiis shown signal in alwaysFigure 7c.suffer Note the that influence the wireless of unpredictable environment path is losscomplica and multipathted and changeable, fading [40]. especially One way toin compensatedoors. The Wi- this Filimitation signal always is to model suffer the the wireless influence environment. of unpredictable However, path loss when and the multipath tracking environmentfading [40]. One changes, way tothe compensate model built this before limitation is useless, is to a model new model the wi hasreless to be environment. constructed. However, In our work, when we the neglect tracking the environment factor.changes, the model built before is useless, a new model has to be constructed. In our work,We we chooseneglect smartphonesthe environment as factor. the Wi-Fi devices. We prepared ten smartphone prototypes withWe 1.6 GHzchoose Intel smartphones Atom Z2460 as processorsthe Wi-Fi devices. as Wi-Fi We devices prepared and distributedten smartphone them prototypes to ten participants, with 1.6 GHzas shown Intel Atom in Figure Z24607a. processors Note that as the Wi-Fi type devices of the Wi-Fiand distributed device can them influence to ten theparticipants, tracking accuracy.as shown inFor Figure instance, 7a. Note the Wi-Fi that the devices type equippedof the Wi-Fi with devi iOSce can 8 randomize influence thethe MACtracking addresses accuracy. while For scanninginstance, thefor Wi-FiWi-Fi networksdevices equipped [41]. That with means iOS the 8 MACrandomiz addresse the used MAC for addresses Wi-Fi scans while may scanning not always for beWi-Fi the networksdevice’s real [41]. (universal) That means address. the MAC This address may causeused for some Wi-Fi interference scans may fornot identifying always be the people. device’s All real ten (universal)participants address. knew the This password may cause to access some theinterference target AP for beforehand. identifying Theypeople. accessed All ten the participants target AP knewrandomly, the password and each to of access them the had target to access AP beforehand. and exit from They the accessed target AP the attarget least AP once randomly, respectively. and eachFurthermore, of them had the accessto access and and exit exit time from information the target wasAP at recorded least once by respectively. the small android Furthermore, application the accessrunning and on exit the smartphone.time information The was application recorded runs by asthe a small background android process application to monitor running the on Wi-Fi the smartphone.connection status. The application runs as a background process to monitor the Wi-Fi connection status. The time we did the experiment was from 7 p.m. to 8 p.m., during which the flow flow of people is relatively large so the wireless environment is crowded and complicated.complicated. This prerequisite ensures that our experiment was conducted in a common scenario.

4.2. Experimental Results Figure 88 showsshows thethe comparisoncomparison betweenbetween thethe originaloriginal recordsrecords andand thethe outputoutput informationinformation ofof thethe system. Figure 88aa illustratesillustrates thethe originaloriginal recordsrecords duringduring thethe experiment.experiment. TheThe recordsrecords areare mainlymainly aboutabout the access access and and exit exit time time of of each each people, people, and and the thetime time is accurate is accurate to seconds. to seconds. As we As can we see can from see Figure from 8a,Figure each8a, user each accessed user accessed the target the target AP only AP once, only once,except except for user for user4 and 4 anduser user 7. In 7. our In ourexperiment, experiment, we wearranged arranged user user 4 and 4 anduser user7 to access 7 to access the AP the twice. AP twice. In addition, In addition, both of both user of 4 userand user 4 and 7 used user 7wrong used wrongpasswords passwords on purpose on purpose when the when first thetime ﬁrst they time accessed. they accessed. Using wrong Using password wrong password can result can in 4-way result handshakein 4-way handshake failure in failureFigure in3. FigureAs we3 .mentioned As we mentioned before, if before, 4-way if handshake 4-way handshake fails, the fails, Wi-Fi the device Wi-Fi willdevice continue will continue to attempt to attemptto access to the access AP several the AP times, several rather times, than rather giving than up. giving As shown up. Asin Figure shown 8b, in afterFigure the8b, first after access the ﬁrst operation access operationfailed, the failed,device theof user device 4 or of user user 7 4 did or userone more 7 did attempt. one more However, attempt. theHowever, access the still access failed. still After failed. that, After the that, device the device or the or theAP APaborted aborted the the association. association. Under Under normal circumstances, each user accessed the AP at a certain certain instant, instant, and and exited exited at at another another instant. instant. However, However, as illustrated in Figure 88b,b, thethe accessaccess andand exitexit timetime ofof useruser 44 oror useruser 77 areare overlapped.overlapped. ThisThis isis becausebecause the access and exit operations occurred almost simultaneously when accessaccess failed.failed.

20:00:00 20:00:00 19:50:00 19:50:00 Overlap

19:40:00 19:40:00

19:30:00 19:30:00

Time Overlap Time Access 19:20:00 19:20:00 Access Exit Exit 19:10:00 19:10:00

19:00:00 19:00:00 #1 #2 #3 #4 #4 #5 #6 #7 #7 #8 #9 #10 #1 #2 #3 #4 #4 #4 #5 #6 #7 #7 #7 #8 #9 #10 Numbers for denoting different Users Numbers for denoting different Users (a) (b)

Figure 8. Experimental results: (a) Records of the experiment; (b) Output information of the system. Figure 8. Experimental results: (a) Records of the experiment; (b) Output information of the system.

As we can see from Figure 8, the output information of the proposed system shows a close agreement with the original experiment records, which fairly verifies the feasibility of the proposed

Sensors 2017, 17, 143 12 of 17 system and correctness of the proposed two-size sliding window algorithm. Furthermore, by comparing the time information recorded on the smartphones and that recorded by the system, we Sensorsobserve2017 that, 17, the 143 system can correctly track people’s access information within a one-second delay.13 of 18 Such low delay can be neglected in the researches for characterizing people’s access behaviors, in which the minimum unit of the time is one minute or one hour. InAs addition we can to see above from information, Figure8, the there output are some information other details of the about proposed access and system exit operations shows a ofclose the agreementWi-Fi devices. with Figure the original 9 illustrates experiment the type records, and transmission which fairly direction veriﬁes of theaccess feasibility or exit frames of the proposedfor each Wi-Fi system device. and correctnessFor the sake of of the simplicity, proposed we two-size encode sliding the information window algorithm. into different Furthermore, codes, as shownby comparing in Table the 4. Note time that information all access recorded frames are on Association the smartphones Response and frames that recorded sent by bythe the target system, AP, wenot including observe that Re-association the system Response can correctly frames. track This people’s indicates access there informationwas no roam withinor hand-off a one-second happens. delay.Most Such exit low information delay can be codes neglected are 3. We in the can researches infer that forthe characterizingDisassociation people’s frame is accesscommonly behaviors, used toin whichabort a the connection. minimum Furthermore, unit of the time the is Wi-Fi one minute device or of one user hour. 8 sent the De-authentication frame to abortIn the addition connection. to above We observe information, that the there first are two some exit other operations details of about the Wi-Fi access devices and exit of operationsuser 4 and userof the 7 Wi-Fiused the devices. De-authentication Figure9 illustrates frame theto abort type andthe connection. transmission More direction importantly, of access the or frames exit frames were sentfor each by the Wi-Fi target device. AP, not For by the the saketwo Wi-Fi of simplicity, devices. weWe encodecan infer the that information because the into 4-way different handshakes codes, failed,as shown the in target Table 4AP. Note could that not all accessdistribute frames keys are to Association the two Wi-Fi Response devices, frames and sent it byhad the to target end AP,the connections.not including Re-association Response frames. This indicates there was no roam or hand-off happens.

6 information code of access frame information code of exit frame 5

Frame information0 code #1 #2 #3 #4 #4 #4 #5 #6 #7 #7 #7 #8 #9 #10 Numbers for denoting different Users

Figure 9. Frame type and transmission direction.

Table 4. Frame Information Encoding. Table 4. Frame Information Encoding. Frame Information Code Frame Information Code Association Response frame from AP to Wi-Fi 0 AssociationRe-association Response frame Response from APframe to Wi-Fi from Device AP to Wi-Fi 1 0 Re-association Response frame from AP to Wi-Fi Device 1 DisassociationDisassociation frame frame from AP from to Wi-Fi AP to Device Wi-Fi Device 2 2 DisassociationDisassociation frame frame from Wi-Fi from Device Wi-Fi to Device AP to AP 3 3 De-authenticationDe-authentication frame frame from AP from to Wi-Fi AP to Device Wi-Fi Device 4 4 De-authentication frame from Wi-Fi Device to AP 5 De-authentication frame from Wi-Fi Device to AP 5

AsMost shown exit information in Figure codes10, the are status 3. We cancodes infer of thatthe theaccess Disassociation frames are frame 0, which is commonly means usedall the to associationabort a connection. operations Furthermore, succeeded. the But Wi-Fi there device are differ of userent reasons 8 sent the for De-authentication the exit operation frame of each to Wi-Fi abort device.the connection. According We to observe the 802.11 that standard the first two[37], exit code operations 8 indicates of disassociation the Wi-Fi devices because of user sending 4 and userWi-Fi 7 deviceused the is De-authenticationleaving or has left framefrom the to abortbasic theservice connection. set (BSS) More in which importantly, the target the AP frames is located. were sentCode by 3 indicatesthe target de-authentication AP, not by the two because Wi-Fi devices. sending We Wi-Fi can device infer that is leaving because or the has 4-way left from handshakes the extended failed, servicethe target set AP (ESS). could Because not distribute we only keys used to one the twoAP, Wi-Fithe BSS devices, and ESS and are it hadidentical. to end We the can connections. infer these usersAs might shown disable in Figure the 10Wi-Fi, the or status they codes left the of the cove accessrage framesof the areAP. 0, Note which that means for allthe the first association two exit operations of succeeded. user 4 and But user there 7, the are reason different code reasons is 15 indicates for the exitthe operation4-way handshakes of eachWi-Fi are timeout, device. Accordingwhich matches to the what 802.11 we standard expected [37 before.], code Note 8 indicates that for disassociation user 9, the reason because code sending is 1, which Wi-Fi indicates device is theleaving reason or hasis unspecified. left from the basic service set (BSS) in which the target AP is located. Code 3 indicates de-authenticationTo examine the because accuracy sending of Algorithm Wi-Fi device 2, we is also leaving observe or has the left ValiFlag from thefield. extended As we mentioned service set (ESS).before, Because the ValiFlag we onlyfield usedin database one AP, is theused BSS to denote and ESS the are validness identical. of an We access can infer operation. these users If an access might operationdisable the is Wi-Fi valid, or the they field left is the set coverage to 1, otherwise, of the AP. set Note to 0. that Figure for the 11 firstgives two an exitintuitive operations illustration of user of 4 and user 7, the reason code is 15 indicates the 4-way handshakes are timeout, which matches what we expected before. Note that for user 9, the reason code is 1, which indicates the reason is unspecified. Sensors 2017, 17, 143 14 of 18

To examine the accuracy of Algorithm 2, we also observe the ValiFlag field. As we mentioned before,Sensors 2017 the, 17ValiFlag, 143 field in database is used to denote the validness of an access operation. If an13 access of 17 operationSensors 2017, is 17 valid,, 143 the field is set to 1, otherwise, set to 0. Figure 11 gives an intuitive illustration13 of of the 17 valuethe value of ValiFlag of ValiFlagafter theafter proposed the proposed algorithms. algorithms. As shown As insh Figureown in 11 Figure, the first 11, two the access first two operations access ofoperationsthe user value 4 and ofof userValiFlaguser 74 areand after invalid, user the 7 are whichproposed invalid, is in algorithms. which well agreement is in wellAs sh withagreementown the in analysisFigure with the11, before. analysisthe first before. two access operations of user 4 and user 7 are invalid, which is in well agreement with the analysis before. 16 16 14 14 12 12 10 10 status code for access 8 reasonstatus code code for for accessexit 8 6 reason code for exit 6 4 4 2 Status or reason code reason or Status 2 Status or reason code reason or Status 0 0 #1 #2 #3 #4 #4 #4 #5 #6 #7 #7 #7 #8 #9 #10 #1 #2 #3Numbers #4 #4 for #4 denotin #5g #6 different #7 #7Users #7 #8 #9 #10 Numbers for denoting different Users Figure 10. Status codes and reason codes. Figure 10. Status codes and reason codes. 1 1 ValiFlag value ValiFlag ValiFlag value ValiFlag 0 0 #1 #2 #3 #4 #4 #4 #5 #6 #7 #7 #7 #8 #9 #10 #1 #2 #3Numbers #4 #4 for #4denoting #5 different #6 #7 Users #7 #7 #8 #9 #10 Numbers for denoting different Users Figure 11. ValiFlag value for the access operation of each device. Figure 11. ValiFlag value for the access operation of each device. Figure 11. ValiFlag value for the access operation of each device. 5. Conclusions and Outlook 5. Conclusions and Outlook 5. Conclusions and Outlook 5.1. Conclusions 5.1. Conclusions In this article, we studied a method of tracking people’s behaviors. First, we summarized the shortcomingsInIn this article, article, of traditional we we studied studied methods, a a method method and of propos of tracki trackingedng apeople’s Wi-Fi-based people’s behaviors. behaviors. passive First, CPSS First, we method. wesummarized summarized Then, the to thevalidateshortcomings shortcomings the feasibility of traditional of traditional of the methods, proposed methods, and method, propos and proposedaed third-party a Wi-Fi-based a Wi-Fi-basedsystem passive was CPSS passivedesigned method. CPSS targeting Then, method. for to Then,trackingvalidate to validatepeople’sthe feasibility theaccess feasibility ofbehaviors the proposed ofthe in Wi-Fi proposed method, networks. method, a third-party The a system third-party systemoperates system was in a was designednon-intrusive, designed targeting targeting flexible, for forandtracking trackingsimplified people’s people’s manner. access access We behaviors also behaviors described in Wi-Fi in Wi-Fithe networks. deta networks.ils ofThe the system system The system operates implementation, operates in a non-intrusive, in including a non-intrusive, flexible, a two- flexible,sizedand simplified sliding and simplifiedwindow manner. algorithm manner. We also Weuseddescribed also to describedeliminate the deta th theilse ofinterference details the system of the information systemimplementation, implementation, caused including by the including loss a two- and aretransmissionsized two-sized sliding sliding window of the window algorithm IEEE algorithm802.11 used MAC to used eliminate frame, to eliminate thande interference a thepolicy interference to information judge informationthe causedvalidity by causedof the an loss byaccess and the lossoperation.retransmission and retransmission Finally, of the systemIEEE of the 802.11 IEEEwas implemented 802.11MAC MACframe, frame, on and an andoff-the-shelfa policy a policy to judge toPC, judge and the theevaluated validity validity inof of realan an accessWi-Fi operation.networks. Real-worldFinally, the systemexperiments was implementedshowed the feasibility on an off-the-shelf of the proposed PC, and method. evaluated The in realproposed Wi-Fi networks.system could Real-world correctly experimentstrack people’s showed access behaviorsthe feasibility within of a the one-second proposedproposed delay. method.method. The proposedproposed systemThe couldcould collected correctlycorrectly traces tracktrack can people’speople’s be utilized accessaccess to behaviorsbehaviors characterize withinwithin people’s aa one-secondone-second individual delay.delay. behavior or group behaviorsThe collected[28,29], which traces is can benefi bebe cial utilizedutilized for modelling, toto characterizecharacterize managing, people’speople’s leveraging individual and behaviordesigning or efficient group behaviorsmobile networks. [[28,29],28,29], whichBy conducting isis beneficialbenefi cialaggregated forfor modelling,modelling, statistics managing,managing, and modeling leveragingleveraging analysis andand on designingdesigning access and efficientefficient exit mobileinformation, networks.networks. people’s By By presenceconducting conducting activities, aggregated aggregated mobility, statistics statistics and association and and modeling preferences analysis in onthe accessarea of and interest exitexit information,caninformation, be evaluated people’s [28]. presenceCombing activities,the status mobility,code and andand reason association code information, preferences more in the in-depth area of insights interest caninto beassociation evaluated behaviors [[28].28]. Combing can thebe statusprovided, code which and reason contributes code information, to the statistics more in-depthand models. insights In intoaddition,into associationassociation by the behaviors aidbehaviors of frame can can betype provided,be andprovided, transmission which which contributes directioncontributes to theinformation, to statistics the statistics andhand-off models. and events Inmodels. addition, can beIn identifiedaddition, byand the studied. aid of frameIn a word type, andthrough transmission this system direction we ease information, the way to hand-offcollect detailed events canaccess be tracesidentified with and low studied. cost and In high a word flexibility,, through such this that system brings weus closerease th toe understandingway to collect people’sdetailed access patternstraces with and low behaviors cost and in high Wi-Fi flexibility, networks. such that brings us closer to understanding people’s access patterns and behaviors in Wi-Fi networks.

Sensors 2017, 17, 143 15 of 18 by the aid of frame type and transmission direction information, hand-off events can be identiﬁed and studied. In a word, through this system we ease the way to collect detailed access traces with low cost and high ﬂexibility, such that brings us closer to understanding people’s access patterns and behaviors in Wi-Fi networks.

5.2. Outlook For future work, we will consider large-scale experiments in the environment with multiple APs such as university campus or ofﬁce buildings. There are some open issues which need to be addressed:

• The effective access behavior tracking will require deployment of several wireless monitoring systems. In this case, the density and topology of deployment can inﬂuence the accuracy [42]. Obviously, the more monitors are deployed, the higher accuracy can be realized, but as the amount of monitors increases, the cost goes up. Therefore, how to design the optimized topology of the monitor to minimize the cost is a big challenge. It is possible to tackle this challenge in future by using the knowledge of geometry. • In addition, the traces captured by multiple monitors will require additional data sanitization techniques to address the scenario when a transmission from a single Wi-Fi device is observed on multiple monitors. cloud-based processing architecture will be explored, in which cloud servers are utilized to perform centralized processing for the traces captured by multiple monitors. • Furthermore, a single system may be utilized to monitor multiple APs with different operating frequencies. In this case, some mechanisms like dynamic frequency switching must be considered, in which a system switches to different frequencies in different time slot to perform tracking. In this case, how to design the switching policy to maximize the tracking accuracy can be a big challenge. • In some scenarios, there are massive people trying to access single AP. The network becomes very congested. Therefore, the probability of missing tracking gets higher. Some solutions need to be proposed, such as using multiple monitors and designing reasonable deployment structures to mitigate the burden.

Toward this end, more tests need to be conducted to further validate the performance of the proposed system. Moreover, more practical potential applications for the proposed system will be experimentally demonstrated, such as passenger ﬂow statistics, precision marketing, and criminal hunting.

• Passenger flow statistics. By counting the number of different MAC addresses extracted from the receiving Wi-Fi frames, the proposed system can be utilized to conduct statistics on passenger flow in some operating regions, such as tourist attractions. Comparing to traditional statistical methods, such as artificial statistics and camera statistics, the proposed system can save the labor cost and lower the statistics difficulty. However, there are some open issues exist. For example, how to guarantee the Wi-Fi enabling of all the Wi-Fi devices to avoid missing of statistics. In addition, some people carry more than one Wi-Fi device, how to avoid duplication of statistics on these people. • Precision marketing. By sensing the Wi-Fi signals from the Wi-Fi devices carried by people, people’s presence can be recognized. Furthermore, by deploying a set of the proposed systems in the area of interest, people’s movement trajectories can be tracked. This would be very helpful for precision marketing in retail stores or shopping malls. For example, changing the store layout according to the people’s moving trajectories to conducting marketing campaigns and advertising deliveries in the popular paths. In addition, by the analysis on the MAC addresses and time information the system tracked, the proportion of new and old customers, visiting cycle, and customer activity are easy to obtained, which can be utilized for grasping the composition of customers to provide references for the marketing strategy adjustment. In this application, Sensors 2017, 17, 143 16 of 18

how to consider the density and topology of the multiple systems to minimize deployment cost and maximize tracking accuracy is a big challenge. • Criminal hunting. Our system can also be used as a criminal hunting technology. In large scale deployment, the tracked information such as MAC addresses of criminals’ Wi-Fi devices on each sensing node is delivered to the central servers combing the time information and location tags of each node. By comparing the tracked information with that in the database built beforehand, the location or the trajectory of the criminal can be tracked. Compared to the hunting technology based on base station positioning, using the proposed system can enormously improve the positioning precision. Usually, people possess many Wi-Fi devices with multiple different MAC addresses, while only one cellphone number. Therefore, compared to the hunting technology based on base station positioning, using the proposed system can also increase the success probability for criminal hunting. There also exists a challenge. For the Wi-Fi devices equipped with iOS 8, the MAC addresses are randomized while scanning for Wi-Fi networks. That means the MAC address used for Wi-Fi scans may not always be the device’s real address, which causes some interference for criminal hunting.

Acknowledgments: This work was partially supported by the National Science Foundation of China (NSFC) under Grant Number 61601180, 61601181, Fundamental Research Funds for the Central Universities under Grant Number 2014MS08, 2016MS17, and Program for Innovation Team Building at colleges and universities in Chongqing, China, under Grant CXTDX201601006. Author Contributions: Each author contributed extensively to this manuscript. Yunjian Jia provided the idea and designed the architecture; Fei Chen performed experiments and wrote some sections; Zhenyu Zhou and Shahid Mumtaz developed the system, and wrote some sections; Peng Duan and Zhen Guo analyzed the experimental results. Conﬂicts of Interest: The authors declare no conﬂict of interest.

References

1. Park, K.J.; Zheng, R.; Liu, X. Cyber-physical systems: Milestones and research challenges. Comput. Commun. 2012, 36, 1–7. [CrossRef] 2. Zhou, Z.Y.; Dong, M.X.; Ota, K.; Shi, R.F.; Liu, Z.H.; Sato, T. Game-theoretic approach to energy-efficient resource allocation in device-to-device underlay communications. IET Commun. 2014, 9, 375–385. [CrossRef] 3. Zhang, N.; Cheng, N.; Gamage, A.T.; Zhang, K.; Mark, J.W.; Shen, X.M. Cloud Assisted HetNets toward 5G Wireless Networks. IEEE Commun. Mag. 2015, 53, 59–65. [CrossRef] 4. Zhang, S.; Zhang, N.; Zhou, S.; Gong, J.; Niu, Z.S.; Shen, X.M. Energy-Aware Traffic Offloading for Green Heterogeneous Networks. IEEE J. Sel. Area Commun. 2016, 34, 1116–1129. [CrossRef] 5. Wang, F.Y. The Emergence of Intelligent Enterprises: From CPS to CPSS. IEEE Intell. Syst. 2010, 25, 85–88. [CrossRef] 6. Zeng, J.; Yang, L.T.; Ma, J.H. A System-Level Modeling and Design for Cyber-Physical-Social Systems. ACM Trans. Embed. Comput. Syst. 2016, 15, 1–26. [CrossRef] 7. Abdelzaher, T.; Wang, D. Analytic challenges in social sensing. In The Art of Wireless Sensor Networks, 1st ed.; Ammari, H.M., Ed.; Springer: Dearborn, MI, USA, 2014; Volume 2, pp. 609–638. 8. Huang, C.; Marshall, J.; Wang, D.; Dong, M.X. Towards Reliable Social Sensing in Cyber-Physical-Social Systems. In Proceedings of the IEEE International Parallel and Distributed Processing Symposium, Chicago, IL, USA, 23–27 May 2016; pp. 1796–1802. 9. Dong, M.X.; Ota, K.; Liu, A.F.; Guo, M.Y. Joint Optimization of Lifetime and Transport Delay under Reliability Constraint Wireless Sensor Networks. IEEE Trans. Parall. Distr. 2016, 27, 225–236. [CrossRef] 10. Liu, A.F.; Liu, X.; Li, H.; Long, J. MDMA: A Multi-Data and Multi-ACK Verified Selective Forwarding Attack Detection Scheme in WSNs. IEICE Trans. Inf. Syst. 2016, E99-D, 2010–2018. [CrossRef] 11. Liu, A.F.; Dong, M.X.; Ota, K.; Long, J. PHACK: An Efficient Scheme for Selective Forwarding Attack Detection in WSNs. Sensors 2015, 15, 30942–30963. [CrossRef][PubMed] 12. Guo, B.; Wang, Z.; Yu, Z.W. Mobile Crowd Sensing and Computing: The Review of an Emerging Human-Powered Sensing Paradigm. ACM Comput. Surv. 2015, 48, 1–31. [CrossRef] Sensors 2017, 17, 143 17 of 18

13. Thakoor, N.S.; An, L.; Bhanu, B.; Sunderrajan, S. People Tracking in Camera Networks: Three Open Questions. IEEE Comput. 2015, 48, 78–86. [CrossRef] 14. Kulkarni, P.; Ganesan, D.; Shenoy, P.; Lu, Q.F. SensEye: A multi-tier camera sensor network. In Proceedings of the ACM International Conference on Multimedia, Singapore, 6–11 November 2005; pp. 229–238. 15. Kim, S.C.; Jeong, Y.S.; Park, S.O. RFID-based indoor location tracking to ensure the safety of the elderly in smart home environments. Pers. Ubiquit. Comput. 2012, 17, 1699–1707. [CrossRef] 16. Jin, S.C.; Zhou, M.C. Design issues in ZigBee-based sensor network for healthcare applications. In Proceedings of the IEEE International Conference on Networking, Sensing and Control, Beijing, China, 11–14 April 2012; pp. 238–243. 17. Thiagarajan, A.; Biagioni, J.; Gerlich, T.; Erikssonet, J. Cooperative transit tracking using smart-phones. In Proceedings of the ACM Conference on Embedded Networked Sensor Systems, Zurich, Switzerland, 3–5 November 2010; pp. 85–98. 18. Cheng, H.T.; Zhuang, W. Bluetooth-enabled in-home patient monitoring system: Early detection of Alzheimer’s disease. IEEE Wirel. Commun. 2010, 17, 74–79. [CrossRef] 19. Dalip, D.; Kumar, V. GPS and GSM based Passenger Tracking System. IJCA 2014, 100, 30–34. [CrossRef] 20. Gember, A.; Akella, A.; Pang, J.; Varshavsky, A.; Caceres, R. Obtaining in-context measurements of cellular network performance. In Proceedings of the Internet Measurement Conference, Boston, MA, USA, 14–16 November 2012; pp. 1–14. 21. Wu, F.J.; Luo, T.; Liang, J.C.J. A crowdsourced WiFi sensing system with an endorsement network in smart cities. In Proceedings of the IEEE Tenth International Conference on Intelligent Sensors, Sensor Networks and Information Processing, Singapore, 7–9 April 2015; pp. 1–2. 22. Cunche, M. I know your MAC address: Targeted tracking of individual using Wi-Fi. J. Comput. Virol. Hack. Tech. 2013, 10, 219–227. [CrossRef] 23. Luo, C.; Cheng, L.; Chan, M.C.; Gu, Y. Pallas: Self-bootstrapping Fine-grained Passive Indoor Localization Using WiFi Monitors. IEEE Trans. Mob. Comput. 2016, 1–14. [CrossRef] 24. Schwab, D.; Bunt, R. Characterising the Use of a Campus Wireless Network. In Proceedings of the International Conference on Computer Communications, Hong Kong, China, 7–11 March 2004; pp. 862–870. 25. Balachandran, A.; Voelker, G.M.; Bahl, P.; Rangan, P.V. Characterizing User Behavior and Network Performance in a Public Wireless LAN. In Proceedings of the ACM Sigmetrics Performance Evaluation Review, Marina Del Rey, CA, USA, 15–19 June 2002; pp. 195–205. 26. Henderson, T.; Kotz, D.; Abyzov, I. The Changing Usage of a Mature Campus-wide Wireless Network. In Proceedings of the International Conference on Mobile Computing and Networking, Philadelphia, PA, USA, 26 September–1 October 2004; pp. 187–201. 27. Balazinska, M.; Castro, P. Characterizing Mobility and Network Usage in a Corporate Wireless Local-area Network. In Proceedings of the International Conference on Mobile Systems, Applications, and Services, San Francisco, CA, USA, 5–8 May 2003; pp. 303–316. 28. Hsu, W.; Helmy, A. Impact: Investigation of mobile-user patterns across university campuses using WLAN trace analysis. In Proceedings of the IEEE INFOCOM, Miami, FL, USA, 13–17 March 2005; pp. 1–16. 29. Hsu, W.; Dutta, D.; Helmy, A. Structural Analysis of User Association Patterns in University Campus Wireless LANs. IEEE Trans. Mob. Comput. 2012, 11, 1734–1748. [CrossRef] 30. Blinn, D.P.; Henderson, T.; Kotz, D. Analysis of a Wi-ﬁ Hotspot Network. In Proceedings of the International Workshop on Wireless Trafﬁc Measurements & Modeling, Seattle, WA, USA, 6–8 June 2005; pp. 1–6. 31. Hsu, W.; Helmy, A. On Modeling User Associations in Wireless LAN Traces on University Campuses. In Proceedings of the International Symposium on Modeling and Optimization in Mobile, Ad-Hoc and Wireless Networks, Boston, MA, USA, 3–6 April 2006; pp. 1–9. 32. Chinchilla, F.; Lindsey, M.; Papadopouli, M. Analysis of Wireless Information Locality and Association Patterns in a Campus. In Proceedings of the International Conference on Computer Communications, Hong Kong, China, 7–11 March 2004; pp. 906–917. 33. Ojala, T.; Hakanen, T.; Makinen, T.; Rivinoja, V. Usage Analysis of a Large Public Wireless LAN. In Proceedings of the International Conference on Wireless Networks, Las Vegas, NV, USA, 27–30 June 2005; pp. 661–667. 34. Hutchins, R.; Zegura, E.W. Measurements from a Campus Wireless Network. In Proceedings of the IEEE International Conference on Communications, New York, NY, USA, 28 April–2 May 2002; pp. 3161–3167. Sensors 2017, 17, 143 18 of 18

35. Papadopouli, M.; Shen, H.; Spanakis, M. Characterizing the duration and association patterns of wireless access in a campus. In Proceedings of the 11th European Wireless Conference, Nicosia, Cyprus, 10–13 April 2005; pp. 1–7. 36. Monitor Mode. Available online: https://en.wikipedia.org/wiki/Monitor_mode (accessed on 28 October 2016). 37. IEEE Computer Society. Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Speciﬁcations; IEEE: New York, NY, USA, 2012; pp. 380–812, 1163–1307. 38. TCPDUMP/LIBPCAP. Available online: http://www.tcpdump.org (accessed on 28 October 2016). 39. MySQL. Available online: http://www.mysql.com (accessed on 28 October 2016). 40. The GTK+ Project. Available online: http://www.gtk.org (accessed on 28 October 2016). 41. Vanhoef, M.; Matte, C.; Cunche, M. Why MAC Address Randomization is not enough: An Analysis of Wi-Fi Network Discovery Mechanisms. In Proceedings of the Computer and Communications Security, Xi’an, China, 30 May–3 June 2016; pp. 1–12. 42. Rgaard, M.B.; Nurmi, P. Challenges for social sensing using WiFi signals. In Proceedings of the ACM Workshop on Mobile Systems for Computational Social Science, Low Wood Bay, Lake District, UK, 25 June 2012; pp. 17–21.

© 2017 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC-BY) license (http://creativecommons.org/licenses/by/4.0/).