Low-cost UAV detection via WiFi traffic analysis and machine learning

The paper addresses the rising security and safety risks posed by widespread consumer UAV use, including incidents near sensitive infrastructure and airspace. Although Chinese regulations mandate operator licensing and establish no-fly zones, enforcement remains challenging due to unregistered and low-cost drones. The research aims to develop a practical, low-cost, and real-time WiFi-based UAV detection framework that: (1) has low computational complexity suitable for portable devices; (2) enables early-stage detection on short time windows; (3) detects stealthy, non–video-streaming UAVs; and (4) supports maintaining an invading-UAV database for tracking and forensics. The proposed solution reframes detection into classification of per-source WiFi traffic groups using features from packet headers and machine learning, targeting general WiFi-based drones in China without relying on raw RF capture or proprietary protocols.

UAV detection methods include: (a) vision-based approaches that use cameras and object recognition but require line-of-sight, good lighting, and sufficient target pixels; (b) sound-based approaches using acoustic signatures and ML, but sensitive to environmental noise; (c) radar-based approaches using Doppler and spectral features, which can be blocked in urban environments and are costly and power-hungry; and (d) RF- and WiFi-based approaches that exploit control/video link characteristics in ISM bands (2.4/5.8 GHz). Prior RF works analyze raw RF signals with deep learning, PSD modeling, and RF fingerprints to classify drones and controllers, often with higher computation and hardware requirements. WiFi-based approaches, such as Bisio et al., use statistical fingerprints from network traffic without raw RF, enabling lower-cost sensing. This paper builds on WiFi traffic analysis, emphasizing early detection on 1-s windows, low computational overhead, and robustness to encrypted traffic, while also addressing stealthy (non–video-streaming) drones and maintaining a forensics-oriented database.

Framework overview: A three-stage WiFi-based detection framework identifies UAVs via network traffic analysis and ML, then records identified UAVs in a database with metadata for forensics.

• Stage I: WiFi data sniffer and preprocessing. WiFi traffic is captured continuously across channels in 1-second slots to prioritize early detection. Broadcast, corrupted, and ACK-only packets are removed, reducing traffic size to ~44% of raw on average. Packets are grouped by source MAC address (SA). Groups with SAs already known in the invading-UAV database are filtered out; only groups with unknown SAs proceed.
• Stage II: UAV classifier. From each group, four features are extracted from public MAC headers: total number of packets (TN), average packet length (AL), root-mean-square of frame control field (RF), and root-mean-square of duration (RD). The feature vector [TN, AL, RF, RD] is fed to a trained classifier (Random Forest selected) to decide whether the group belongs to a UAV.
• Stage III: Invading UAV database maintenance. When an SA is classified as an unauthorized UAV, it is logged in a database indexed by SA. Additional information (e.g., ESSID-derived model and serial number, manufacturer, destination address, signal power, frequency) is extracted to support identification, tracking, and forensics.

Dataset and labeling: WiFi traffic from six consumer UAVs was captured using a Lenovo R9000P with a NIC in monitor mode (Wireshark v2.6.10), matching the UAVs’ channels. For each UAV, 30–60 minutes were captured with video streaming and 30 minutes with video disabled (stealth mode). Data were segmented into 1-s intervals, preprocessed, and grouped by SA as in Stage I. Initial raw packets totaled 1,618,063 and were reduced to 8,667 traffic groups after preprocessing. A non-UAV dataset was collected with two encrypted routers generating diverse traffic (web, video, conferencing, gaming) on the same channel; 9,000 non-UAV traffic groups were collected. UAV and non-UAV datasets were merged; 70% used for training, 30% for testing.

Model training and selection: Multiple classifiers were evaluated: Random Forest (RF), K-Nearest Neighbors (KNN), Support Vector Machine (SVM), XGBoost, Shallow Neural Network (SNN), and CNN. RF with 9 trees (TreeBagger in MATLAB) achieved accuracy 99.91% and AUC 1.00. SVM with RBF kernel achieved 99.88% accuracy (AUC 0.9998). KNN with K=2 achieved 99.86% accuracy (AUC 0.997). XGBoost, SNN, and CNN were also tested; CNN underperformed relative to others. RF was selected for best accuracy with modest complexity. Bisio’s algorithm was reproduced using RF for benchmarking.

Complexity analysis: Feature computation uses a 1-s window and simple statistics: one O(1) assignment and three O(n) means/RMS over n packets. Compared to Bisio’s 5-s window and more operations, the proposed feature computation is about one-tenth the complexity in practice, further aided by traffic reduction (~44%). Inference complexity comparisons indicate RF/XGBoost depend on tree depth; SVM (RBF) depends on number of support vectors; KNN requires distance computations and sorting; SNN/CNN depend on architecture. Measured average single-inference times place SVM under 1 µs; KNN, SNN, CNN in ~10 µs; RF ~23 µs; XGBoost ~18 µs on the test platform.

Embedded implementation: The framework was deployed on a portable board (quad-core ARM Cortex-A55 CPU, 4 GB RAM, 128 GB eMMC) with a MediaTek RT3070 NIC in monitor mode, Ubuntu 20.04, and Librf (C++) RF predictor. In typical operation (scenario 4), about 29 packets/s were captured; after preprocessing, about 16 valid packets/s remained. The RF model size was ~148,480 bytes; total memory for a single run was ~150,796 bytes, making the approach suitable for embedded devices.

• Classifier performance (test set): RF accuracy 99.91%, AUC 1.00; SVM 99.88%, AUC 0.9998; KNN 99.86%, AUC 0.997; XGBoost 99.80%, AUC 1.00; SNN 99.74%, AUC 1.00; CNN 95.43%, AUC 0.9978.
• Scenario evaluations (ours vs. Bisio benchmark):
  • Scenario-1 (multiple UAVs with video streaming, background traffic): POD ~99.93%, F-score 0.9997; high accuracy, robust to UAVs not in training set.
  • Scenario-2 (multiple stealthy UAVs, background traffic): Achieved very high detection (text notes 100% POD) despite low packet volumes.
  • Scenario-3 (multiple stealthy UAVs with heavy background traffic): POD 0.9926; CSI 0.9804; FAR 0.0123; F-score 0.9901. All stealthy UAVs detected; 5 background traces misclassified as UAVs (false alarms). Bisio’s FAR higher (0.1299) and CSI lower (0.8634).
  • Scenario-4 (NIC active scan across channels; 6 stealthy UAVs on different channels): POD 0.9941; CSI 0.8169; FAR 0.1792; F-score 0.8992. Bisio’s F-score 0.8828.
• Complexity and efficiency: Proposed method uses 1-s windows and reduces packet volume to 44% of raw on average; practical feature-computation complexity about one-tenth of Bisio’s. Measured single-inference times: RF ~23.14 µs; SVM ~0.59 µs; KNN ~4.90 µs; SNN ~6.53 µs; CNN ~7.76 µs; XGBoost ~18.03 µs on the test platform.
• Range and latency: Field tests showed detection range of ~280 m (line-of-sight) and ~90 m (non-line-of-sight). Detection time components for far UAVs: LOS total ~18.428 ms (t_d 16.45 ms; t_p 0.203 ms; t_f 1.775 ms), NLOS total ~368.222 ms (t_d 367.68 ms; t_p 0.283 ms; t_f 0.259 ms). Early detection within 1 s is guaranteed by design due to 1-s capture windows.
• Resource footprint: Single-run memory ~150.8 kB; RF model size ~148.5 kB; suitable for low-cost embedded boards.

The proposed approach reframes WiFi-based UAV detection into a per-source-traffic classification task using four simple header-derived features, enabling accurate, early-stage detection in 1-second windows. Results across realistic scenarios show high detection probabilities for both video-streaming and stealthy UAVs, with robustness under heavy background traffic and during multi-channel scanning. Compared with a prior WiFi statistical fingerprinting method, the framework reduces false alarms substantially (e.g., FAR 0.0123 vs. 0.1299 in heavy-interference stealth scenario) and maintains higher CSI and F-scores. The low computational complexity, small model size, and minimal memory footprint make the system practical for portable, battery-powered deployments. The detection does not rely on vendor-specific protocols, aiding generalization to WiFi-based drones beyond the training set. Range and latency tests further demonstrate practical viability for real-time surveillance, and the database component supports forensics and response coordination. A distributed deployment of multiple boards with centralized data fusion can extend coverage to large restricted areas, such as airports.

The study proposes and validates a low-cost, learning-based WiFi traffic analysis framework for UAV detection, tailored to practical constraints in China. Using a 1-s capture window, four simple statistical features, and a Random Forest classifier, the system detects both video-streaming and stealthy UAVs with high accuracy, outperforming a prior WiFi-based baseline in false alarm rate and overall detection quality. Implementation on an embedded board confirms low resource usage, real-time operation, and effective range (up to ~280 m LOS). In scenarios with video streaming, POD reaches ~99.93% (F-score 0.9997), while in stealthy, multi-channel scans POD remains ~99.41% (F-score 0.8992). The approach is broadly applicable to WiFi-based drones using 802.11, without vendor-specific knowledge. Future work includes scaling to distributed, networked surveillance boards and a central data center to cover large UAV-restricted regions and further research on diverse transmission types.

• Scope limited to WiFi-based UAVs using 802.11; drones using proprietary, non-WiFi links or other bands/protocols are out of scope.
• Performance degrades under multi-channel scanning and heavy background traffic (e.g., Scenario-4 F-score 0.8992; Scenario-3 elevated FAR vs. ideal conditions), indicating susceptibility to class imbalance and interference-rich environments.
• Identification metadata (e.g., model/serial from ESSID) may be unavailable or obfuscated depending on UAV configuration.
• Detection range and latency depend on propagation conditions (LOS vs. NLOS) and packet availability; very sparse packet arrivals can delay detection up to the 1-s window.
• Training data cover six consumer UAVs; although the method is designed to generalize, broader evaluation across more models and environments would strengthen generalizability.
• Monitoring requires channel alignment or scanning; during scanning, brief dwell times may miss packets, impacting metrics.