A novel approach in WLAN anomaly detection

Maik Topfer, Dublin Institute of Technology

Document Type: Theses, Masters

Abstract

Over recent years, Wireless Local Area Networks (WLANs) have developed into a significant part of BMW's network. From their first deployment in offices, WLANs have now expanded into industrial manufacturing. Important production applications such as automated guided vehicles (AGVs) or barcode scanners use WLAN for their communication needs. To ensure maximum stability and availability, a wireless LAN monitoring system was installed. This system is based on a network of stand-alone sensors which report to a central server. Although this monitoring solution represented a considerable improvement for the administration staff, it still did not fulfil all of their requirements. First, the stand-alone sensors could only provide an external view of the WLAN, so the actual status of a WLAN client can only be guessed. Second, the detection of WLAN incidents is based on comparison against simple fixed thresholds. However, WLAN values such as signal strength and signal quality differ from location to location, so guaranteeing sufficiently high monitoring precision requires extensive manual configuration.

This work presents a novel approach providing comprehensive wireless LAN monitoring from a client perspective. Instead of stand-alone hardware, the AGVs were chosen as active sensors. Since these vehicles move constantly, they offer instant WLAN figures of the production area from a client's view. To overcome the limitation of WLAN anomaly detection with fixed thresholds, several statistical methods were employed to provide automated detection of deviations. The core technique is based on a computed confidence band which is laid around the observed values. Values falling outside of that band are evidence of an anomaly. Detected anomalies are forwarded to an alarm engine whose task is to control the number of alarms sent to the external network management console. The system was first designed and then fully implemented. Afterwards, benchmark tests were carried out. These tests have shown that the algorithms chosen for anomaly detection operate effectively. The system was then placed in the live production environment and has already passed long-term tests of over three months without any issues arising.
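The contrast between a fixed threshold and a per-location confidence band, with an alarm engine limiting what reaches the console, can be sketched as follows. This is an added example, not code from the thesis. The abstract does not name its statistical methods, so the band used here (running mean ± k standard deviations with a 1 dB floor), the 60-second hold-down, the -75 dBm fixed threshold, the location names and the RSSI samples are all assumptions.

```python
import math
from collections import defaultdict

class BandDetector:
    """Per-location confidence band: running mean +/- k * stddev (Welford)."""
    def __init__(self, k=3.0, warmup=5, min_std=1.0):
        self.k, self.warmup, self.min_std = k, warmup, min_std
        self.stats = defaultdict(lambda: [0, 0.0, 0.0])  # n, mean, M2

    def observe(self, location, value):
        """Return True when value falls outside the band for this location."""
        n, mean, m2 = self.stats[location]
        if n >= self.warmup:
            std = max(math.sqrt(m2 / (n - 1)), self.min_std)
            if abs(value - mean) > self.k * std:
                return True          # outliers do not update the baseline
        n += 1
        delta = value - mean
        mean += delta / n
        m2 += delta * (value - mean)
        self.stats[location] = [n, mean, m2]
        return False

class AlarmEngine:
    """Forward at most one alarm per location per hold_down seconds."""
    def __init__(self, hold_down=60):
        self.hold_down, self.last, self.sent = hold_down, {}, []

    def report(self, ts, location, value):
        if ts - self.last.get(location, -math.inf) < self.hold_down:
            return False             # suppressed: console already notified
        self.last[location] = ts
        self.sent.append((ts, location, value))
        return True

def run(samples, fixed_threshold=-75):
    """Return (fixed-threshold hits, alarms forwarded by the band detector)."""
    detector, engine, fixed_hits = BandDetector(), AlarmEngine(), []
    for ts, location, rssi in samples:
        if rssi < fixed_threshold:
            fixed_hits.append((ts, location))
        if detector.observe(location, rssi):
            engine.report(ts, location, rssi)
    return fixed_hits, engine.sent

# Constructed RSSI samples (dBm), one reading per location every 10 s.
HALL_A = [-50, -51, -49, -50, -52, -50, -70, -71, -50]  # strong, then a dip
HALL_B = [-78, -79, -77, -78, -80, -78, -79, -78, -77]  # weak but normal
SAMPLES = [(10 * i, loc, v) for i, pair in enumerate(zip(HALL_A, HALL_B))
           for loc, v in zip(("hall_A", "hall_B"), pair)]
```

On these samples the fixed threshold flags every normal reading in the weak-signal location and misses the dip in the strong-signal one, while the band detector forwards a single alarm for the dip and suppresses the repeat.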