StateFi: Effectively Identifying Wi-Fi Devices through State Transitions

Abhishek K. Mishra, Mathieu Cunche

TL;DR

StateFi introduces a finite-state machine (FSM) based fingerprinting framework that models Wi-Fi device management-frame behavior to capture both structural transitions and temporal dynamics. By embedding per-burst FSMs into compact feature vectors, StateFi enables scalable similarity and supervised classification, achieving 94–97% in-network fingerprinting and 92–97% probe-only re-identification under MAC randomization, with 93–98% discrimination accuracy. Across diverse campus and public datasets, StateFi outperforms prior syntactic signatures (IE/SEQ/RSSI) by up to 17 percentage points, revealing a robust behavioral side channel that persists despite MAC randomization. These findings underscore the need for privacy defenses that mitigate FSM-level leakage without compromising wireless performance.

Abstract

Randomized MAC addresses aim to prevent passive device tracking, yet Wi-Fi management frames still leak structured behavioral patterns. Prior work has relied primarily on syntactic probe-request features such as Information Elements (IEs), sequence numbers (SEQ), or RSSI correlations, which degrade in dense environments and fail under aggressive randomization. We introduce StateFi, a fingerprinting framework that models device behavior as finite-state machines (FSMs), capturing both structural transition patterns and temporal execution logic. These FSMs are embedded into compact feature vectors that support efficient similarity computation and supervised classification. Across five heterogeneous campus environments, StateFi achieves 94-97% accuracy for in-network fingerprinting using full management-frame FSMs. With probe-only FSMs, it re-identifies devices under MAC randomization with up to 97% accuracy across large public datasets comprising more than a million frames. When looking at the discrimination accuracy of the model, StateFi reaches 98%, outperforming the strongest prior signature by up to 17 percentage points. These results demonstrate that FSM-level behavioral dynamics form a powerful and largely unmitigated side channel, stable enough to defeat randomization and expressive enough for robust, scalable device identification.

Paper Structure

This paper contains 21 sections, 2 equations, 3 figures, 2 tables.

Figures (3)

  • Figure 1: Fingerprinting accuracy across heterogeneous campus scenarios using RF, SVM, and LR models. Here, FSMs are constructed from the full management-frame exchange of associated devices, enabling high-precision behavioral fingerprinting for anomaly and intrusion detection.
  • Figure 2: Accuracy in defeating MAC randomization for large public datasets (Infocom'21, Cagliari, MITIK) using probe-only FSMs. StateFi maintains high accuracy even when operating solely on pre-association probe behavior, illustrating its ability to re-link devices across randomized MAC addresses.
  • Figure 3: Discrimination accuracy comparison on the Infocom'21 dataset for $\tau \in \{60,120,240,480,600\}$ seconds. StateFi substantially outperforms IE- and SEQ-based baselines, including the full IE+SEQ+RSS signature.