1. MAC Layer Misbehavior in Wireless Networks Pradeep Kyasanur Nitin H. Vaidya University of Illinois at Urbana-Champaign

2. Problem Definition Wireless channel Access Point AB Misbehaving nodes may violate MAC rules Nodes are required to follow Medium Access Control (MAC) rules

3. IEEE 802.11 overview Distributed Coordination Function (DCF) Widely used for channel access DCF is a Carrier Sense Multiple Access/ Collision Avoidance (CSMA/CA) protocol

4. CSMA/CA Don’t transmit when channel is busy Defer transmission for a random duration on idle channel

5. Backoff Example Choose backoff value B in range [0,CW] CW is the Contention Window Count down backoff by 1 every idle slot wait Transmit wait B2=10 B1=20 B2=10 B1=0 S1 S2 CW=31 B1=15 B2=25

6. Data Transmission Reserve channel with RTS/CTS exchange Sender S Receiver R B=10 DATA ACK SBAR RTS CTS

7. Possible Misbehavior Backoff from biased distribution Example: Always select a small backoff value Transmit wait B1 = 1 B2 = 20 Transmit wait B2 = 19 B1 = 1 Misbehaving node Well-behaved node

8. Goals of proposed scheme Diagnose node misbehavior Catch misbehaving nodes Discourage misbehavior Punish misbehaving nodes

9. Related Work

10. Routing: Security Many proposals for securing network layer [Hou02, Zhou99, Awerbuch02] Attacks: Creating routing loops, misrouting packets,... Solutions: Use cryptographic keys to prevent route tampering

11. Routing: Selfishness Selfish misbehavior Nodes cheat primarily to gain benefit Example: Not relaying packets to save energy Solutions Designing protocols resilient to misbehavior [Savage99, Nisan99, Buttyan01] Explicitly detect and penalize misbehavior [Marti00, Zhang00, Buchegger02]

12. MAC: Selfishness MacKenzie addresses selfish misbehavior in Aloha networks Nodes may use higher access probabilities Solution uses game theoretic approach Assumes there is some cost for transmitting Nodes independently adjust access prob. Under some assumptions network reaches a fair equilibrium

13. MAC: Selfishness [Konorski01, Konorski02] discuss selfish misbehavior in 802.11 networks Game theory used to analyze solution Nodes use a black-burst to resolve contention Winner is not the largest burst, but node with burst within  slots of largest burst

14. Game theory - Discussion Protocols resilient to misbehavior can be developed Do not need explicit misbehavior detection Solutions assume perfect knowledge No guarantees with imperfect information Performance at equilibrium may be poor

15. Proposed protocol

16. Misbehaving node can gain more bandwidth  Use payment schemes, charging per packet Misbehaving node can achieve lower delay (e.g., by sending packet bursts)  Average delay is less with same cost Solution Approaches Per-packet payment schemes not sufficient (need to factor delay – harder)

17. Proposed Approach Receivers detect sender misbehavior Assume receivers are well-behaved (can be relaxed) Access Point is trusted. When AP transmits, it is well-behaved When AP receives, it can monitor sender behavior Wireless channel Access Point A

18. Issues Receiver does not know exact backoff value chosen by sender Sender chooses random backoff Hard to distinguish between maliciously chosen small values and a legitimate random sequence Wireless channel introduces uncertainties Channel status seen by sender and receiver may be different

19. Potential Solution: Use long-term statistics Observe backoffs chosen by sender over multiple packets Backoff values not from expected distribution  Misbehavior Selecting right observation interval difficult

20. A Simpler Approach Remove the non-determinism

21. A Simpler Approach Receiver provides backoff values to sender Receiver specified backoff for next packet in ACK for current packet Modification does not significantly change 802.11 behavior Backoffs of different nodes still independent Uncertainty of sender’s backoff eliminated

22. Modifications to 802.11 R provides backoff B to S in ACK B selected from [0,CW min ] DATA Sender S Receiver R CTS ACK(B) RTS S uses B for backoff RTS B

23. Protocol steps Step 1: For each transmission: Detect deviations: Decide if sender backed off for less than required number of slots Penalize deviations: Penalty is added, if the sender appears to have deviated Goal: Identify and penalize suspected misbehavior Reacting to individual transmission makes it harder to adapt to the protocol

24. Protocol steps Step 2: Based on last W transmissions: Diagnose misbehavior: Identify misbehaving nodes Goal: Identify misbehaving nodes with high probability Reduce impact of channel uncertainties Filter out misbehaving nodes from well- behaved nodes

25. Detecting deviations Receiver counts number of idle slots B obsr Condition for detecting deviations: B obsr <  B (0 <  <= 1) Sender S Receiver R ACK(B) RTS Backoff B obsr

26. Threshold scheme is optimal Goal: Maximize detection percentage while keeping misdiagnosis percentage below some bound Invoking Neyman-Pearson [Poor94] criteria, we prove that a threshold scheme is optimal (under a simplified channel mode)

27. Threshold scheme Threshold is a function of assigned backoff B In the protocol, we use a constant factor of B as threshold for simplicity

28. Penalizing Misbehavior  When B obsr <  B, penalty P added  P proportional to  B– B obsr ACK(B+P) CTS DATA  Total backoff assigned = B + P B obsr Sender S Receiver R ACK(B) RTS Actual backoff < B

29. Penalty Scheme issues Misbehaving sender has two options Ignore assigned penalty  Easier to detect Follow assigned penalty  No throughput gain With penalty, sender has to misbehave more for same throughput gain

30. Diagnosing Misbehavior Total deviation for last W packets used Deviation per packet is B – B obsr If total deviation > THRESH then sender is designated as misbehaving Higher layers / administrator can be informed of misbehavior

31. Results

32. Simulation Results Using ns-2 simulator Results for one receiver, with one misbehaving sender CBR traffic flows between receiver and all senders

33. Simulation Setup Misbehaving Node

34. Misbehavior Models Persistent Misbehavior Model: Uses “Percentage of Misbehavior” (PM) as a parameter Misbehaving node backs off for (100-PM)% of assigned backoff PM = 0%  well-behaved Simple misbehavior model used for evaluation of tradeoffs

35. Throughput – no misbehavior Proposed Scheme 802.11 Number of sender nodes Throughput (Kbps \ node)

36. Persistent Misbehavior -Diagnosis Accuracy Correct Diagnosis Misdiagnosis Percentage of Misbehavior (of misbehaving node) Percentage

37. Persistent Misbehavior- throughput 802.11 Proposed Scheme Percentage of Misbehavior Throughput (Kbps) Avg. with proposed scheme Avg. with 802.11

38. Observations Persistent misbehavior detected with high accuracy Accuracy increases with misbehavior Accuracy depends on channel conditions Accuracy not 100% due to channel variations

39. Extensions to the protocol

40. Handling other misbehavior Receiver may misbehave by assigning large or small backoff values Sender can detect receiver assigning small backoff values Backoff assigned by receiver has to follow well-known distribution Sender uses larger of assigned backoff and expected backoff

41. Handling other misbehavior Detecting receiver assigning large backoff values not handled Equivalent to receiver not responding at all Need higher layer mechanisms Collusion between sender and receiver Harder to detect Requires an observer that can monitor both sender and receiver

42. Multiple Observers Currently, single observer is used (receiver) Data from multiple observers can be combined to improve diagnosis S B AR S sends a packet to R A, B also monitor S Information from A, B, R can be combined

43. Multiple Observers - Issues How many observers are needed for obtaining specified diagnosis accuracy? Impact of channel noise on observations How to combine multiple observations? Collect raw observations and then combine Combine individual diagnoses

44. Conclusion MAC layer misbehavior can severely affect throughput of well-behaved nodes We present simple modifications to IEEE 802.11 to detect/penalize misbehavior Open issues: Using multiple observers Integrate diagnosis scheme with higher layers

45. Thanks! http://www.crhc.uiuc.edu/wireless/

46. References [Savage99] TCP Congestion Control with a misbehaving receiver [Nisan99] Algoithms for Selfish Agents [Buttyan01] Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks [Marti00] Mitigating Routing Misbehavior in Mobile Ad hoc Networks [Zhang00] Intrusion Detection in wireless ad hoc networks [Buchegger02] Nodes Bearing Grudges: Towards Routing Security, Fairness and Robustness in Mobile Ad Hoc Networks [Hu02] Ariadne: A secure on-demand routing protocol for ad hoc networks [Konorski01] Protection of Fairness for Multimedia Traffic Streams in a Non- cooperative Wireless LAN setting [MacKenzie01] Selfish users in Aloha: A Game-theoretic Approach [Konorski02] Multiple Access in Ad Hoc Wireless LANs with Noncooperative stations [Awerbach02] An On-Demand Secure Routing Protocol resilient to Byzantine Failures [Zhou99] Securing Ad-hoc Networks [Poor94] An Introduction to Signal Detection and Estimation

47. Extra Slides follow....

48. Additional details Mechanisms to address protocol response after packet collisions

49. Collision Example On collision double CW Binary exponential backoff algorithm Pick new backoff and send again S1 S2 CW=31 B1=10 B2=10 wait Transmit Collision B2=40 B1=20 CW=63

50. Modifications to 802.11 1. On collision new backoff b2 is b2 = f(b1, nodeId of S, attempt number) 2. RTS contains attempt number wait RTS(2) b2 Sender S Receiver R ACK(b1) RTS(1) wait b1 collision

51. Simulation Metrics Correct Diagnosis percentage Misdiagnosis Percentage Average throughput of well-behaved nodes Misbehaving node throughput

52. Fairness - no misbehavior Proposed scheme Fairness Index Number of sender nodes 802.11