MAC Layer Misbehavior in
Wireless Networks
Pradeep Kyasanur
Nitin H. Vaidya
University of Illinois at Urbana-Champaign
Problem Definition
Access Point

Wireless
channel
A
Nodes are required to
follow Medium Access
Control (MAC) rules
B
Misbehaving nodes may violate MAC rules
IEEE 802.11 overview

Distributed Coordination Function (DCF)


Widely used for channel access
DCF is a Carrier Sense Multiple Access/
Collision Avoidance (CSMA/CA) protocol
CSMA/CA


Don’t transmit when channel is busy
Defer transmission for a random duration
on idle channel
Backoff Example

Choose backoff value B in range [0,CW]


CW is the Contention Window
Count down backoff by 1 every idle slot
B1=15
S1
B1=0
B1=20
Transmit
wait
wait
Transmit
CW=31
S2
B2=25
B2=10
B2=10
Data Transmission

Reserve channel with RTS/CTS exchange
RTS
A
CTS
S
B=10
Sender
S
Receiver
R
R
B
Possible Misbehavior

Backoff from biased distribution

Example: Always select a small backoff value
B1 = 1
B1 = 1
Misbehaving
node
Transmit
Transmit
Well-behaved
node
wait
wait
B2 = 20
B2 = 19
Goals of proposed scheme

Diagnose node misbehavior


Catch misbehaving nodes
Discourage misbehavior

Punish misbehaving nodes
Related Work
Routing: Security

Many proposals for securing network layer
[Hou02, Zhou99, Awerbuch02]

Attacks: Creating routing loops, misrouting
packets, ...

Solutions: Use cryptographic keys to prevent
route tampering
Routing: Selfishness

Selfish misbehavior



Nodes cheat primarily to gain benefit
Example: Not relaying packets to save
energy
Solutions

Designing protocols resilient to misbehavior


[Savage99, Nisan99, Buttyan01]
Explicitly detect and penalize misbehavior

[Marti00, Zhang00, Buchegger02]
MAC: Selfishness

MacKenzie addresses selfish
misbehavior in Aloha networks


Nodes may use higher access probabilities
Solution uses game theoretic approach



Assumes there is some cost for transmitting
Nodes independently adjust access prob.
Under some assumptions network reaches
a fair equilibrium
MAC: Selfishness

[Konorski01, Konorski02] discuss selfish
misbehavior in 802.11 networks

Game theory used to analyze solution


Nodes use a black-burst to resolve
contention
Winner is not the largest burst, but node with
burst within  slots of largest burst
Game theory - Discussion

Protocols resilient to misbehavior can
be developed


Solutions assume perfect knowledge


Do not need explicit misbehavior detection
No guarantees with imperfect information
Performance at equilibrium may be poor
Proposed protocol
Solution Approaches

Misbehaving node can gain more
bandwidth
 Use payment schemes, charging per packet

Misbehaving node can achieve lower delay
(e.g., by sending packet bursts)
 Average delay is less with same cost
Per-packet payment schemes not
sufficient (need to factor delay – harder)
Proposed Approach

Receivers detect sender misbehavior

Assume receivers are well-behaved (can be
relaxed)
Access Point
A

Access Point is trusted.
When AP transmits, it is
well-behaved

When AP receives, it can
monitor sender behavior
Wireless
channel
Issues


Receiver does not know exact backoff
value chosen by sender

Sender chooses random backoff

Hard to distinguish between maliciously chosen small
values and a legitimate random sequence
Wireless channel introduces uncertainties

Channel status seen by sender and receiver may be
different
Potential Solution:
Use long-term statistics

Observe backoffs chosen by sender over
multiple packets

Backoff values not from expected
distribution  Misbehavior
Selecting right observation interval difficult
A Simpler Approach

Remove the non-determinism
A Simpler Approach

Receiver provides backoff values to sender


Receiver specified backoff for next packet in
ACK for current packet
Modification does not significantly change
802.11 behavior

Backoffs of different nodes still independent
Uncertainty of sender’s backoff eliminated
Modifications to 802.11
B
Sender
S
Receiver
R
• R provides backoff B to S in ACK
B selected from [0,CWmin]
• S uses B for backoff
Protocol steps
Step 1: For each transmission:


Detect deviations: Decide if sender backed
off for less than required number of slots
Penalize deviations: Penalty is added, if the
sender appears to have deviated
Goal: Identify and penalize suspected
misbehavior

Reacting to individual transmission makes it
harder to adapt to the protocol
Protocol steps
Step 2: Based on last W transmissions:

Diagnose misbehavior: Identify
misbehaving nodes
Goal: Identify misbehaving nodes with high
probability


Reduce impact of channel uncertainties
Filter out misbehaving nodes from wellbehaved nodes
Detecting deviations
Backoff
Sender S
Receiver R
Bobsr

Receiver counts number of idle slots Bobsr
Condition for detecting deviations: Bobsr <  B
(0 <  <= 1)
Threshold scheme is optimal

Goal: Maximize detection percentage
while keeping misdiagnosis percentage
below some bound

Invoking Neyman-Pearson [Poor94]
criteria, we prove that a threshold
scheme is optimal (under a simplified
channel mode)
Threshold scheme

Threshold is a function of assigned
backoff B

In the protocol, we use a constant factor
of B as threshold for simplicity
Penalizing Misbehavior
Actual backoff < B
Sender
S
Receiver
R
Bobsr
 When Bobsr <  B, penalty P added

P proportional to  B– Bobsr
 Total backoff assigned = B + P
Penalty Scheme issues

Misbehaving sender has two options



Ignore assigned penalty  Easier to detect
Follow assigned penalty  No throughput gain
With penalty, sender has to misbehave
more for same throughput gain
Diagnosing Misbehavior

Total deviation for last W packets used

Deviation per packet is B – Bobsr

If total deviation > THRESH then sender is
designated as misbehaving

Higher layers / administrator can be
informed of misbehavior
Results
Simulation Results



Using ns-2 simulator
Results for one receiver, with one
misbehaving sender
CBR traffic flows between receiver and all
senders
Simulation Setup
Misbehaving
Node
Misbehavior Models

Persistent Misbehavior Model:




Uses “Percentage of Misbehavior” (PM) as
a parameter
Misbehaving node backs off for (100-PM)%
of assigned backoff
PM = 0%  well-behaved
Simple misbehavior model used for
evaluation of tradeoffs
Throughput (Kbps \ node)
Throughput – no misbehavior
1000
Proposed
Scheme
900
800
700
600
500
400
300
802.11
200
100
0
1
2
4
8
16
32
Number of sender nodes
64
Persistent Misbehavior -Diagnosis
Accuracy
100
90
Percentage
80
70
Correct Diagnosis
60
50
40
30
Misdiagnosis
20
10
0
0
10
20
30
40
50
60
70
80
90
95
100
Percentage of Misbehavior (of misbehaving node)
Persistent Misbehavior- throughput
Throughput (Kbps)
900
802.11
800
700
600
500
Avg. with
proposed
scheme
Proposed Scheme
400
300
200
100
0
0
10
20
30
40
50
60
70
80
90
Percentage of Misbehavior
95
100
Avg. with
802.11
Observations

Persistent misbehavior detected with high
accuracy

Accuracy increases with misbehavior

Accuracy depends on channel conditions

Accuracy not 100% due to channel
variations
Extensions to the protocol
Handling other misbehavior

Receiver may misbehave by assigning
large or small backoff values

Sender can detect receiver assigning small
backoff values


Backoff assigned by receiver has to follow
well-known distribution
Sender uses larger of assigned backoff and
expected backoff
Handling other misbehavior

Detecting receiver assigning large backoff
values not handled



Equivalent to receiver not responding at all
Need higher layer mechanisms
Collusion between sender and receiver


Harder to detect
Requires an observer that can monitor both
sender and receiver
Multiple Observers


Currently, single observer is used (receiver)
Data from multiple observers can be
combined to improve diagnosis
•S sends a packet to R
A
S
B
R
•A, B also monitor S
•Information from A, B, R
can be combined
Multiple Observers - Issues

How many observers are needed for
obtaining specified diagnosis accuracy?

Impact of channel noise on observations

How to combine multiple observations?


Collect raw observations and then combine
Combine individual diagnoses
Conclusion

MAC layer misbehavior can severely affect
throughput of well-behaved nodes

We present simple modifications to IEEE
802.11 to detect/penalize misbehavior

Open issues:


Using multiple observers
Integrate diagnosis scheme with higher layers
Thanks!
http://www.crhc.uiuc.edu/wireless/
References













[Savage99] TCP Congestion Control with a misbehaving receiver
[Nisan99] Algoithms for Selfish Agents
[Buttyan01] Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks
[Marti00] Mitigating Routing Misbehavior in Mobile Ad hoc Networks
[Zhang00] Intrusion Detection in wireless ad hoc networks
[Buchegger02] Nodes Bearing Grudges: Towards Routing Security, Fairness and
Robustness in Mobile Ad Hoc Networks
[Hu02] Ariadne: A secure on-demand routing protocol for ad hoc networks
[Konorski01] Protection of Fairness for Multimedia Traffic Streams in a Noncooperative Wireless LAN setting
[MacKenzie01] Selfish users in Aloha: A Game-theoretic Approach
[Konorski02] Multiple Access in Ad Hoc Wireless LANs with Noncooperative
stations
[Awerbach02] An On-Demand Secure Routing Protocol resilient to Byzantine
Failures
[Zhou99] Securing Ad-hoc Networks
[Poor94] An Introduction to Signal Detection and Estimation

Extra Slides follow ....
Additional details

Mechanisms to address protocol
response after packet collisions
Collision Example

On collision double CW


Binary exponential backoff algorithm
Pick new backoff and send again
B1=10
S1
B1=20
Collision
CW=31
Transmit
CW=63
S2
Collision
B2=10
B2=40
wait
Modifications to 802.11
b1
Sender
S
wait
b2
wait
collision
Receiver
R
1. On collision new backoff b2 is
b2 = f(b1, nodeId of S, attempt number)
2. RTS contains attempt number
Simulation Metrics

Correct Diagnosis percentage

Misdiagnosis Percentage

Average throughput of well-behaved nodes

Misbehaving node throughput
Fairness - no misbehavior
802.11
1.2
Fairness Index
1
0.8
0.6
0.4
0.2
0
1
2
4
8
16
32
Number of sender nodes
64
Proposed
scheme