1 MSWiM 2004 Rational Behaviors in WiFi Hotspots and in Ad Hoc Networks Jean-Pierre Hubaux EPFL
2 Cooperation in self-organized wireless networks Problem: how to enforce cooperation, if each node is its own authority? Question 1: How do we prevent greedy behaviour at the MAC layer of multi- hop wireless networks? Question 2: How to prevent selfish behavior in packet forwarding? S1S1 S2S2 D1D1 D2D2
3 Question 1: How do we prevent greedy behavior at the MAC layer of multi-hop wireless networks ? Routing MAC Almost unexplored problem Question 1’: How is this problem solved today in WiFi hotspots? Answer: It is not solved!
4 Question 1’ : How do we prevent greedy behavior at the MAC layer in WiFi hotspots ? Well-behaved node The access point is trusted The MAC layer is fair: if users have similar needs, they obtain a similar share of the bandwidth
5 Question 1’ : Preventing greedy behavior at the MAC layer in WiFi hotspots Well-behaved node Cheater The access point is trusted
6 IEEE MAC – Brief reminder IEEE is the MAC protocol used in WiFi By default, it is the one used in wireless multi-hop networks IEEE is the MAC protocol used in WiFi By default, it is the one used in wireless multi-hop networks
7 Greedy technique 1/4: oversized NAV
8 Greedy technique 2/4: transmit before DIFS
9 Greedy technique 3/4 : scramble others’ frames
10 Greedy technique 4/4: pick a shorter backoff Implementation of this cheating technique: 3 lines of code!
11 Proposed solution: DOMINO DOMINO: System for Detection Of greedy behaviour in the MAC layer of WiFi public NetwOrks (Raya, Hubaux, Aad, Mobisys 2004) Idea: monitor the traffic and detect deviations by comparing average values of observed users Detection tests: statistical comparison of the observed protocol behaviour Features: Full standard compliance Needs to be implemented only at the Access Point Simple and efficient The operator decides the amount of evidence required before taking action (in order e.g. to prevent false positives) Other solution: Kyasanur and Vaidya, DSN 2003 (but not protocol compliant)
12 Detection Tests of DOMINO Consecutive backoff Actual backoff Maximum backoff: the maximum should be close to CWmin - 1 Backoff manipulation Comparison of the idle time after the last ACK with DIFS Transmission before DIFS Comparison of the declared and actual NAV values Oversized NAV Number of retransmissions Frame scrambling Detection testCheating method
13 Simulation of cheating and detection Cheating technique: Backoff manipulation Traffic: Constant Bit Rate / UDP traffic FTP / TCP traffic misbehavior coefficient (m): cheater chooses its backoff as (1 - m) x CWmin Simulation environment: ns-2 Cheater
14 Simulation results Each point corresponds to 100 simulations Confidence intervals: 95% Each point corresponds to 100 simulations Confidence intervals: 95%
15 Implementation of the demo prototype Equipment Adapters based on the Atheros AR5212 chipset MADWIFI driver Misbehavior: backoff Overwrite the values CWmin and CWmax (in driver) Monitoring The driver in MONITOR mode prism2 frame header
16 Conclusion on the prevention of greedy behaviour at the MAC layer There exist greedy techniques against hotspots Some of these techniques are straightforward We have proposed, implemented and patented a simple solution, DOMINO, to prevent them ( The same problem in self-organized wireless networks is still unsolved. Can it be solved? Game-theoretic study: M. Cagalj, S. Ganeriwal, I. Aad and J.-P. Hubaux "On Cheating in CSMA/CA Networks" Technical report No. IC/2004/27, July 2004
17 Question 2: How to prevent selfish behavior in packet forwarding ? (1/2) self-organizing network – no central authority each networking service is provided by the nodes themselves
18 Question 2: How to prevent selfish behavior in packet forwarding ? (2/2) Problem: If selfish nodes do not forward packets for others (do not cooperate with others), the network can be paralyzed Intuitively, an incentive is required Solutions: based typically on game theory, on reputation systems, and on micropayments; often related to secure routing proposed by NEC, UC Berkeley, Stanford, CMU, Cornell, U. of Washington,Yale, UCSD, Eurécom, EPFL,… address different scenarios: pure ad hoc, multi-hop access to the backbone,… BUT the proof that an incentive is required has been addressed only very recently (and independently) by UCSD and EPFL
19 UCSD approach (1/2) Question: Do we need these incentive mechanisms or can cooperation exist based on the self-interest of the nodes? Energy-efficient cooperation: Willingness to cooperate adapts to the energy class of the nodes. [SrinivasanNCR03infocom] SR3R1R2D session: energy class: energy class of the session [SrinivasanNCR03infocom] :V. Srinivasan, P. Nuggehalli, C. Chiasserini, and R. Rao, “Nash Equilibria of Packet Forwarding Strategies in Wireless Ad Hoc Networks,” Infocom 2003 (extended version in IEEE Trans. on Wireless Comm.)
20 UCSD approach (2/2) Conclusions: Unique and optimal operating point of the system Proposed strategy (GTFT) reaches the optimal operating point But: Uniform random participation in sessions Security is not considered two mechanisms: class membership session acceptance
21 The role of the network configuration [FelegyhaziHB04tmc]: M. Felegyhazi, J.-P. Hubaux and L. Buttyan, “Nash Equilibria of Packet Forwarding Strategies in Wireless Ad Hoc Networks,” to appear in IEEE Transactions on Mobile Computing Preliminary version presented at PWC 2003 (in Venice!) Network configuration = connectivity graph + traffic matrix Assumptions: static network routes last for the whole duration of the game each node is a source on only one route (will be relaxed) each node i is a CBR source with traffic rate T i
22 Modeling packet forwarding as a game time 0time slot:1t cooperation level: p C (0) p C (1)p C (t)
23 Cost function Normalized throughput at forwarder f j : Cost for forwarder f j : where: r – route on which f k is a forwarder t – time slot f k – forwarders on route r p f k – cooperation level of forwarder f k where: T s (r) – traffic sent by source s on route r c – unit cost of forwarding Example : A E C D TATA p E (t) p C (t) r (A→D):
24 Utility function where: s – source r – route on which s is a source t – time slot f k – forwarders for s p f k – cooperation level of forwarder f k Experienced throughput : A E C D TATA p E (t) p C (t) r (A→D): Example :
25 Total payoff The goal of each node is to maximize its total payoff over the game Payoff = Utility - Cost where: S i (t) – set of routes on which i is a source F i (t) – set of routes on which i is a forwarder where: – discounting factor t – time time 0time slot:1t Payoff: A (0) A (1). A (t). t A E C D TATA p E (t) p C (t) r (A→D): Example :
26 Representation of the nodes as players Node i is represented as a machine M i is a multiplication gate corresponding the multiplicative property of packet forwarding σ i represents the strategy of the node Node i is playing against the rest of the network (represented by the box denoted by A -i ) yiyi xixi A -i ii... MiMi ii yiyi xixi
27 Strategy of the nodes Strategy function for node i: where: (r,t) – experienced throughput S i – set of routes on which i is a source MiMi ii yiyi xixi ...
28 Examples of strategies Strategy Function Initial cooperation level AllD (always defect) AllC (always cooperate) TFT (Tit-For-Tat) non-reactive strategies: the output of the strategy function is independent of the input (example: AllD and AllC) reactive strategies: the output of the strategy function depends on the input (example: TFT) where y i stands for the input
29 Concept of dependency graph dependency: the benefit of each source is dependent on the behavior of its forwarders dependency loop
30 Nash equilibrium (reminder) Nash equilibrium = No player can deviate to increase its payoff for all i ‘ and for all i where: – total throughput in the game i * – a Nash equilibrium strategy played by node i i ’ – any strategy played by node i -i – the strategies played by the other players
31 Analytical Results (1) Theorem 1: If node i does not have any dependency loops, then its best strategy is AllD. Theorem 2: If node i has only non- reactive dependency loops, then its best strategy is AllD. Corollary 1: If every node plays AllD, it is a Nash-equilibrium. node i node playing a non-reactive strategy other nodes
32 Analytical Results (2) Theorem 3: Assuming that node i is a forwarder, the best strategy for node i is TFT, if: Node i has a dependency loop with all of its sources, all other nodes play TFT where: – derivative of the utility function at T i T i – traffic sent by node i – discounting factor src(r) – source of a route on which node i is a forwarder – length of the shortest dependency loop with source src(r) F i – set of routes where node i is a forwarder c – unit cost of forwarding Corollary 2: If Theorem 3 holds for every node, it is a Nash-equilibrium.
33 Classification of scenarios D: Set of scenarios, in which every node playing AllD is a Nash equilibrium C: Set of scenarios, in which a Nash equilibrium based on cooperation is not excluded by Theorem 1 C2: Set of scenarios, in which cooperation is based on the conditions expressed in Corollary 2
34 Simulation Scenario Number of nodes 100, 150, 200 Area type torus Area size 1500x1500m, 1850x1850m, 2150x2150m Radio range 200 m Distribution of the nodes random uniform Number of routes originating at each node 1-10 Route selection shortest path Number of simulation runs 1000
35 Scenarios, where a cooperative Nash equilibrium is possible (not excluded by Theorem 1)
36 Avalanche effect Theorem 1 + Theorem 2 node playing a non-reactive strategy other nodes
37 Scenarios, in which some nodes are unaffected by the avalanche effect
38 Number of nodes unaffected by the avalanche effect
39 Conclusion on selfish behavior in static multi- hop wireless networks Analytical results: If everyone drops all packets, it is a Nash-equilibrium. In theory, given some conditions, a cooperative Nash- equilibrium can exist ( i.e., each forwarder forwards all packets ). Simulation results: In practice, the conditions for cooperative Nash-equilibria are very restrictive : the likelihood that the conditions for cooperation hold for every node is extremely small. Local cooperation among a subset of nodes is not excluded. Future work: Consider a mobile scenario – impact of mobility Take battery level of nodes into account Emergency of cooperation
40 A glimpse at the transport layer: Denial of service attacks TCP can be highly vulnerable to protocol-compliant attacks: Packet reordering Packet delaying Packet dropping Aad, Hubaux, Knightly, Mobicom 2004 Illustration of the « JellyFish » re-order attack Isolated relay chain Single JF Standard , 2Mb/s TCP-Sack Simulator: ns-2
41 A glimpse at secure mobility: provable encounters - Initial distribution of keys/hash values - Encounter certification comprised of the following phases: - Authentication - Distance bounding (Cf also Brands and Chaum, 1993) - Issuance of the proof of encounter a) Guaranteeing Encounter Freshness (GEF) b) Guaranteeing the Time of Encounter (GTE) - Encounter verification comprised of the following phases: - Authentication - Verification claimant certifier Encounter certification claimant verifier Encounter verification Solution based on hash chains and on Merkle trees (Capkun et al., SASN 2003)
42 A glimpse at secure positioning Being able to securely verify the positions of devices can enable: - Location-based access control (e.g., prevention of the parking lot attack) - Detection of displacement of valuables - Detection of stealing - Location-based charging - … In multi-hop networks - Secure routing - Secure positioning - Secure data harvesting (sensor networks) - …
43 Conclusion Rational behaviours are a major issue in wireless networks: Wi-Fi hotspots must be protected against greedy behaviour (possible solution : DOMINO) In self-organized ad hoc networks, packet forwarding is very unlikely to happen spontaneously (at least in static networks) Incentives are necessary The more wireless networks become decentralized and self-organized, the more their proper operation depends on the behaviour of individual nodes Rational / greedy / selfish behaviour requires appropriate investigation Wireless security offers many other research challenges (transport layer, proof of encounter, secure positioning,…)