WiFi CSI: Analysis & Forensic Applications

• WiFi Channel State Information (CSI) is a high-dimensional representation capturing multipath characteristics of wireless channels via OFDM signals.
• The topic details system architectures like the CSI Sniffer platform that enable forensic sensing and human presence detection using commodity WiFi hardware.
• It emphasizes methodologies for preprocessing, feature extraction, and efficient data compression that balance storage needs with high classification accuracy.

WiFi Channel State Information (CSI) is a high-dimensional, complex-valued representation of the wireless channel’s multipath characteristics, captured per packet in orthogonal frequency division multiplexing (OFDM) systems. CSI enables commodity Wi-Fi access points (APs) and clients to not only facilitate advanced communication techniques such as beamforming and spatial multiplexing but also act as software-defined sensors for inferring presence, movement, and other properties of the surrounding environment. This comprehensive entry covers the mathematical foundation of CSI, system architectures for acquisition and management (with a focus on IoT forensics and the CSI Sniffer platform), preprocessing and feature extraction, machine learning-based inference, quantitative storage–fidelity trade-offs, and deployment guidelines for practical human sensing and behavioral analytics (Palmese et al., 2023).

1. Mathematical Foundation and Formal Definition of CSI

In an $N_t$-transmit, $N_r$-receive OFDM Wi-Fi system, each received symbol $y \in \mathbb{C}^{N_r\times 1}$ is related to the transmitted symbols $x \in \mathbb{C}^{N_t\times 1}$ through the frequency-domain channel matrix (the instantaneous CSI),

$y = Hx + n$

where $H \in \mathbb{C}^{N_r\times N_t}$ captures the complex gain between each transmit-receive antenna pair, and $n$ is additive noise. OFDM divides the channel’s bandwidth (e.g., 20 MHz) into $N_{sc}=64$ subcarriers (Wi-Fi 802.11n/ac: 56 used for data). For subcarrier $k$, the frequency-domain CSI is $H_k \in \mathbb{C}^{N_r \times N_t}$, with each entry $H_k(i,j)$ representing the channel gain from transmit antenna $j$ to receive antenna $i$ at frequency $k$.

The relation to the physical multipath channel is via the discrete multipath taps $\{h_\ell\}_{\ell=0..L-1}$: $$H_k = \sum_{\ell=0}^{L-1} h_\ell e^{-j2\pi k\ell / N},\quad k=0,\ldots,N-1$$ Each $H_k(i,j)$ is typically represented in polar coordinates: $|H_k(i,j)|$ (amplitude attenuation) and $\angle H_k(i,j)$ (phase shift per subcarrier). The instantaneous per-packet estimates of $H$ constitute the Wi-Fi CSI.

2. Architecture and Implementation: CSI Sniffer Platform

CSI Sniffer is a tool designed to collect and manage Wi-Fi CSI in commodity access points for IoT forensic applications. Its architecture comprises both hardware and software elements:

• Hardware/Software Stack:
  • Commodity Wi-Fi AP (e.g., Linksys WRT3200ACM) running OpenWrt and the LuCI web UI.
  • Raspberry Pi with a Broadcom-based Wi-Fi chip running Nexmon CSI extractor firmware.
  • Ethernet link between AP and Raspberry Pi.
  • Mosquitto MQTT broker on Raspberry Pi.
• System Pipeline:

1. The AP’s LuCI interface, with the CSI Sniffer extension, allows users to define collection configurations (Wi-Fi band, channel, device MAC, duration). 2. On starting a collection, the AP publishes configuration parameters via MQTT to the Raspberry Pi. 3. The Pi, as MQTT subscriber, starts Nexmon CSI extraction. Each received frame (matching the filter) yields a CSV row: [timestamp, transmitter MAC, $H_k$ for each subcarrier $k$]. 4. CSI samples are streamed into a local CSV on the Pi. 5. On stopping, the AP issues a MQTT “stop” command; the Pi halts collection and closes the dataset. 6. For data download, the Pi serves the dataset back to the AP, which in turn makes it available via HTTP.

This system supports flexible, unattended CSI monitoring on commodity infrastructure and is directly deployable by ISPs or network managers for forensic or sensing scenarios (Palmese et al., 2023).

3. CSI Data Characteristics and Storage–Accuracy Trade-offs

CSI data, particularly from smart-camera IoT devices, can arrive at 30–50 packets/s per device, with each packet corresponding to a multidimensional CSI sample. The resulting storage requirements (dozens of complex values plus metadata per row) can quickly accumulate to multiple gigabytes per device over a 24-hour period if left uncompressed.

Efficiency measures and their quantitative impact:

• Frame discarding: Thinning samples (e.g., retaining 1 in 10 packets) reduces storage by 90% while preserving classification performance (AUC > 0.90 for typical behavioral detection tasks).
• Quantization:
  • Raw complex $H_k$ (“stage 1”): At least 8 bits/sample are needed to maintain high AUC ($\approx 0.97$).
  • Amplitude/filtered/feature stages (“stages 2–4”): Just 5 bits/sample suffice for optimal classification.
• Data aggregation: Storing only an aggregate feature (e.g., $\approx$1 float per analysis window) offers >99% reduction in storage compared to raw CSI.

Storage Optimization	Retained Accuracy (AUC)	Reduction
Thinned (10×)	>0.90	90% less data
8-bit quantized	≈0.97	75% less/floats
Aggregate feature only	≈1 float/window	>99% less data

4. Preprocessing, Feature Extraction, and Classification

The raw multidimensional (subcarrier, antenna) CSI must be preprocessed for robust behavioral inference:

• Outlier removal: Subcarrier amplitude outliers (over a window $w_1 = 5\,\mathrm{s}$, parameter $\lambda=3$) are replaced with prior values if deviations exceed $\lambda$ times the recent window’s standard deviation.
• Subcarrier aggregation: Time is partitioned into non-overlapping windows ($w_2=3\,\mathrm{s}$); for each subcarrier $i$, compute the standard deviation $\sigma_k^i$. Aggregate feature $A^*_k = \mathrm{mean}_{i\in I}\{\sigma_k^i\}$ serves as a scalar summary.
• Classification: A simple threshold on $A^*_k$ ($Y_k = 1$ if $A^*_k \geq \tau$, else 0) is swept across possible $\tau$ to yield TPR/FPR (ROC curve). Area Under the ROC Curve (AUC) quantifies overall performance.
• Empirical outcomes:
  • Room-presence detection: AUC = 0.9718
  • Door-passage detection: AUC = 0.9752
  • Downsampled to 3 packets/s, both uses retain AUC > 0.90.

Additional features used elsewhere include subcarrier-wise amplitude variance, inter-antenna phase difference, and cross-subcarrier correlation profiles.

5. Practical Deployment and Forensic Application Recommendations

To facilitate scalable and reliable CSI-based sensing in operational networks:

• Hardware selection: Any OpenWrt-capable AP is suitable; Raspberry Pi 3B/B+ or 4 with Broadcom Wi-Fi chip and Nexmon firmware recommended.
• Software setup: Mosquitto MQTT for messaging (on Pi), luci-cbi script on AP; GUI-initiated parameter tuning for channel, bandwidth, and MAC filters.
• Storage management:
  • Reduce packet rate at source or discard packets at AP to minimize log volume.
  • Use 5-bit quantized, aggregated features ($A^*$) for compact, yet accurate, forensic storage; maintain 8 bits/sample for raw $H_k$ if future or diverse analyses are anticipated.
  • For long-term archiving on resource-constrained devices, store only the derived features after real-time computation, archiving full CSI temporarily for subsequent high-value forensic investigations.
• Scalability: The approach is compatible with existing network infrastructure, designed for hands-off operation and managed collection (Palmese et al., 2023).

6. Significance, Limitations, and Impact in Human and Environmental Sensing

The mathematical formalism and system pipeline capture the essential link between Wi-Fi physical layer CSI and its use in environmental inference. Robust, threshold-based classifiers, applied to amplitude-based features aggregated over a cohort of subcarriers and suitable time windows, can achieve near-perfect discrimination for occupancy and passage events, as quantified by ROC/AUC metrics.

Key limitations and open issues:

• Retaining high-dimensional raw CSI is costly; aggressive quantization/aggregation is required but carries the risk of losing out on advanced or future analytics if not managed judiciously.
• Real-time on-device aggregation may be limited by embedded CPU capabilities; full CSI archiving for brief intervals may be necessary for certain forensic workflows.
• The system, while demonstrated on a smart-camera IoT traffic source, generalizes to any Wi-Fi endpoint with sufficient traffic frequency and compatible radio hardware.

CSI-based behavioral analytics represents a foundational technology for IoT forensics, smart environments, and privacy-preserving ambient intelligence. The CSI Sniffer methodology sets a baseline for future deployments, quantifying trade-offs and demonstrating that practical, compressed CSI pipelines can be combined with lightweight machine learning to yield robust, forensic-grade environmental evidence (Palmese et al., 2023).