Wireless systems have long suffered from man-in-the-middle, session hijacking and other similar attacks that rely on the ability to impersonate a legitimate party. Approaches so far have focused on better authentication and key distribution schemes. These approaches have little to do with detecting an attack, and will always have vulnerability, namely theft of identity.
Currently, an attacker who wishes to impersonate a node (client or access point) in an authenticated network (802.1x or PSK) somehow steals their authentication credentials (e.g., PSK, private keys, certificates, etc.) and then uses it for their authentication. While impersonating a node, the attacker may or may not choose to use the MAC address of the node being impersonated.
The 802.11 protocol is designed in a manner such that all nodes receive all packets that are transmitted. Each node then proceeds to read the destination MAC address of every packet. If the destination MAC address corresponds to their own MAC address, the node proceeds to read the contents of the packet. Otherwise, the node discards the packet. This results in several problems. One problem is that the MAC address, even though it acts to authenticate hardware, is not used for authentication.
Security companies in the security market have developed sensors that monitor for multiple transmissions using the same MAC addresses from different locations. While these sensors are useful, they are typically expensive and result in additional hardware being added to the nodes.