1

MSWiM 2004

Rational Behaviors in WiFi Hotspots and in Ad Hoc Networks

Jean-Pierre Hubaux

EPFL

2

Cooperation in self-organized wireless networks

Problem: how to enforce cooperation, if each node is its own authority?

Question 1: How do we prevent greedy behaviour at the MAC layer of multi-hop wireless networks?

Question 2: How to prevent selfish behavior in packet forwarding?

S1

S2

D1D2

3

Question 1: How do we prevent greedy behavior at the MAC layer of multi-hop

wireless networks ?

Routing

Routing

Routing

Routing

Routing

MAC

MAC

MAC

MAC

MAC

Almost unexplored problem

Question 1’: How is this problem solved today in WiFi hotspots?Answer: It is not solved!

4

Question 1’ : How do we prevent greedy behavior at the MAC layer in WiFi hotspots ?

Well-behaved node Well-behaved node

The access point is trustedThe access point is trusted

The MAC layer is fair: if users have similar needs, they obtain a similar share of the bandwidth

The MAC layer is fair: if users have similar needs, they obtain a similar share of the bandwidth

5

Question 1’ : Preventing greedy behavior at the MAC layer in WiFi hotspots

Well-behaved node Cheater

The access point is trustedThe access point is trusted

6

IEEE 802.11 MAC – Brief reminder

• IEEE 802.11 is the MAC protocol used in WiFi• By default, it is the one used in wireless multi-hop networks

• IEEE 802.11 is the MAC protocol used in WiFi• By default, it is the one used in wireless multi-hop networks

7

Greedy technique 1/4:oversized NAV

8

Greedy technique 2/4: transmit before DIFS

9

Greedy technique 3/4 : scramble others’ frames

10

Greedy technique 4/4: pick a shorter backoff

Implementation of this cheating technique: 3 lines of code!Implementation of this cheating technique: 3 lines of code!

11

Proposed solution: DOMINO DOMINO: System for Detection Of greedy behaviour in the MAC layer of

WiFi public NetwOrks (Raya, Hubaux, Aad, Mobisys 2004) Idea: monitor the traffic and detect deviations by comparing average values of

observed users

Detection tests: statistical comparison of the observed protocol behaviour

Features:

• Full standard compliance

• Needs to be implemented only at the Access Point

• Simple and efficient

The operator decides the amount of evidence required before taking action (in order e.g. to prevent false positives)

Other solution: Kyasanur and Vaidya, DSN 2003 (but not protocol compliant)

12

Detection Tests of DOMINO

Consecutive backoff

Actual backoff

Maximum backoff: the maximum should

be close to CWmin - 1

Backoff manipulation

Comparison of the idle time after the last

ACK with DIFSTransmission before DIFS

Comparison of the declared and actual

NAV valuesOversized NAV

Number of retransmissionsFrame scrambling

Detection testCheating method

13

Simulation of cheating and detection

Cheating technique: Backoff manipulation

Traffic:

Constant Bit Rate / UDP traffic

FTP / TCP traffic

misbehavior coefficient (m): cheater chooses its

backoff as (1 - m) x CWmin

Simulation environment: ns-2

Cheater

14

Simulation results

• Each point corresponds to 100 simulations• Confidence intervals: 95%

• Each point corresponds to 100 simulations• Confidence intervals: 95%

15

Implementation of the demo prototype

Equipment

Adapters based on the Atheros

AR5212 chipset

MADWIFI driver

Misbehavior: backoff

Overwrite the values CWmin and

CWmax (in driver)

Monitoring

The driver in MONITOR mode

prism2 frame header

AP DOMINO

Cheater Well-behaved

16

Conclusion on the prevention of greedy behaviour at the MAC layer

There exist greedy techniques against hotspots Some of these techniques are straightforward We have proposed, implemented and patented a simple

solution, DOMINO, to prevent them (http://domino.epfl.ch) The same problem in self-organized wireless networks is still

unsolved. Can it be solved? Game-theoretic study:

M. Cagalj, S. Ganeriwal, I. Aad and J.-P. Hubaux"On Cheating in CSMA/CA Networks" Technical report No. IC/2004/27, July 2004

17

Question 2: How to prevent selfish behavior in packet forwarding ? (1/2)

self-organizing network – no central authority each networking service is provided by the nodes themselves

18

Question 2: How to prevent selfish behavior in packet forwarding ? (2/2)

• Problem: If selfish nodes do not forward packets for others (do notcooperate with others), the network can be paralyzed Intuitively, an incentive is required• Solutions: based typically on game theory, on reputation systems, and on micropayments; often related to secure routing• proposed by NEC, UC Berkeley, Stanford, CMU, Cornell, U. of Washington,Yale, UCSD, Eurécom, EPFL,…• address different scenarios: pure ad hoc, multi-hop access to the backbone,…

• BUT the proof that an incentive is required has been addressed only very recently (and independently) by UCSD and EPFL

19

UCSD approach (1/2)

Question: Do we need these incentive mechanisms or can cooperation exist based on the self-interest of the nodes?

Energy-efficient cooperation: Willingness to cooperate adapts to the energy class of the nodes. [SrinivasanNCR03infocom]

S R3R1 R2 D

session:

energy class:

energy class of the session

[SrinivasanNCR03infocom] :V. Srinivasan, P. Nuggehalli, C. Chiasserini, and R. Rao, “Nash Equilibria of Packet Forwarding Strategies in Wireless Ad Hoc Networks,” Infocom 2003 (extended version in IEEE Trans. on Wireless Comm.)

20

UCSD approach (2/2)

Conclusions:

Unique and optimal operating point of the system Proposed strategy (GTFT) reaches the optimal operating point

But:

Uniform random participation in sessions Security is not considered two mechanisms:

class membership session acceptance

21

The role of the network configuration

[FelegyhaziHB04tmc]: M. Felegyhazi, J.-P. Hubaux and L. Buttyan, “Nash Equilibria of Packet Forwarding Strategies in Wireless Ad Hoc Networks,” to appear in IEEE Transactions on Mobile Computing• Preliminary version presented at PWC 2003 (in Venice!)

Network configuration = connectivity graph + traffic matrix

Assumptions: static network routes last for the whole duration of the game each node is a source on only one route (will be relaxed) each node i is a CBR source with traffic rate Ti

22

Modeling packet forwarding as a game

time0time slot: 1 t

cooperation level:

pC(0) pC(1) pC(t)

23

Cost function

trcrTtr jsf j,ˆ)(,

)(,ˆ1

tptrj

kfj k

Normalized throughput at forwarder fj :

Cost for forwarder fj :

where: r – route on which fk is a forwarder t – time slot fk – forwarders on route r pfk – cooperation level of forwarder fk

where: Ts(r) – traffic sent by source s on route r c – unit cost of forwarding

Example :

)()()(,ˆ},{

tptptptr CECEk

fC k

ˆ, ( ) ,C A jr t T r c r t

A E C D

TApE(t) pC(t)

r (A→D):

24

Utility function

)()()(, tptprTtr CEA

)()(,1

tprTtrl

kfs k

where: s – source r – route on which s is a source t – time slot fk – forwarders for s pfk – cooperation level of forwarder fk

Experienced throughput : A E C D

TApE(t) pC(t)

r (A→D):

Example :

25

Total payoff

( ) ( )

, ,i i

i i iq S t r F t

t u q t r t

The goal of each node is to maximize its total payoff over the game

Payoff = Utility - Cost

where: Si(t) – set of routes on which i is a source Fi(t) – set of routes on which i is a forwarder

t

tii t

0

max where: – discounting factor t – time

time0time slot: 1 t

Payoff: A(0) A(1). A(t).t

A E C D

TApE(t) pC(t)

r (A→D):

Example :

26

Representation of the nodes as players

Node i is represented as a machine Mi

is a multiplication gate

corresponding the multiplicative

property of packet forwarding

σi represents the strategy of the node

Node i is playing against the rest

of the network (represented by the

box denoted by A-i )

yi

xi

A-i i

...

Mi

i

yi

xi

...

27

Strategy of the nodes

))]1,(([)( )1( tSrii itrtp Strategy function for node i:

where:

(r,t) – experienced throughput Si – set of routes on which i is a sourceMi

i

yi

xi

...

28

Examples of strategies

1)( ii y

iii xy )(

0)( ii y

StrategyFunction

Initial cooperation

level

AllD (always defect)

AllC (always cooperate)

TFT (Tit-For-Tat)

0

1

1

non-reactive strategies: the output of the strategy function is independent of the input (example: AllD and AllC) reactive strategies: the output of the strategy function depends on the input (example: TFT)

where yi stands for the input

iii yy )(

29

Concept of dependency graph

dependency: the benefit of each source is dependent on the behavior of its forwarders

dependency loop

30

Nash equilibrium (reminder)

Nash equilibrium = No player can deviate to increase its payoff

),(),( '*iiiiii

for all i‘ and for all i

where:

– total throughput in the game i* – a Nash equilibrium strategy played by node i

i’ – any strategy played by node i

-i – the strategies played by the other players

31

Analytical Results (1)

0)( IF

Theorem 1: If node i does not have any dependency loops, then its best strategy is AllD.

Theorem 2: If node i has only non-reactive dependency loops, then its best strategy is AllD.

Corollary 1: If every node plays AllD, it is a Nash-equilibrium.

0)( IE

node i

node playing a non-reactive strategy

other nodes

32

Analytical Results (2)

)(' ii Tu

Theorem 3: Assuming that node i is a forwarder,

the best strategy for node i is TFT, if:

Node i has a dependency loop with all of its sources,

all other nodes play TFT

where: – derivative of the utility function at Ti

Ti – traffic sent by node i – discounting factor src(r) – source of a route on which node i is a forwarder – length of the shortest dependency loop with source src(r) Fi – set of routes where node i is a forwarder c – unit cost of forwarding

cTF

TTursrc

i

iiirsrci

)(

'

||

)( )(,

Corollary 2: If Theorem 3 holds for every node, it is a Nash-equilibrium.Corollary 2: If Theorem 3 holds for every node, it is a Nash-equilibrium.

33

Classification of scenarios

D: Set of scenarios, in which every node playing AllD is a Nash equilibrium

C: Set of scenarios, in which a Nash equilibrium based on cooperation is not

excluded by Theorem 1

C2: Set of scenarios, in which cooperation is based on the conditions expressed in

Corollary 2

34

Simulation Scenario

Number of nodes 100, 150, 200

Area type torus

Area size 1500x1500m, 1850x1850m, 2150x2150m

Radio range 200 m

Distribution of the nodes random uniform

Number of routes originating at each node

1-10

Route selection shortest path

Number of simulation runs 1000

35

Scenarios, where a cooperative Nash equilibrium is possible (not excluded by Theorem 1)

36

Avalanche effect

Theorem 1

+Theorem 2

node playing a non-reactive strategy

other nodes

37

Scenarios, in which some nodes are unaffected by the avalanche effect

38

Number of nodes unaffected by the avalanche effect

39

Conclusion on selfish behavior in static multi-hop wireless networks

Analytical results: If everyone drops all packets, it is a Nash-equilibrium. In theory, given some conditions, a cooperative Nash-

equilibrium can exist ( i.e., each forwarder forwards all packets ). Simulation results:

In practice, the conditions for cooperative Nash-equilibria are

very restrictive : the likelihood that the conditions for cooperation

hold for every node is extremely small. Local cooperation among a subset of nodes is not excluded.

Future work: Consider a mobile scenario – impact of mobility Take battery level of nodes into account Emergency of cooperation

40

A glimpse at the transport layer:Denial of service attacks

TCP can be highly vulnerable to protocol-compliant attacks:• Packet reordering• Packet delaying• Packet dropping

Aad, Hubaux, Knightly, Mobicom 2004

Illustration of the« JellyFish »re-order attack

• Isolated relay chain• Single JF• Standard 802.11, 2Mb/s• TCP-Sack• Simulator: ns-2

41

A glimpse at secure mobility: provable encounters

- Initial distribution of keys/hash values

- Encounter certification comprised of the following phases:

- Authentication

- Distance bounding (Cf also Brands and Chaum, 1993)

- Issuance of the proof of encounter

a) Guaranteeing Encounter Freshness (GEF)

b) Guaranteeing the Time of Encounter (GTE)

- Encounter verification comprised of the following phases:

- Authentication

- Verification

claimant certifier

Encounter certification

claimant verifier

Encounter verification

Solution based on hash chains and on Merkle trees (Capkun et al., SASN 2003)

42

A glimpse at secure positioning

Being able to securely verify the positions of devices can enable:

- Location-based access control (e.g., prevention of the parking lot attack)- Detection of displacement of valuables- Detection of stealing- Location-based charging - …

In multi-hop networks- Secure routing- Secure positioning- Secure data harvesting (sensor networks)- …

Comm. Tower

v1

v3v4

v5

43

Conclusion Rational behaviours are a major issue in wireless networks:

Wi-Fi hotspots must be protected against greedy behaviour(possible solution : DOMINO)

In self-organized ad hoc networks, packet forwarding is very unlikely to happen spontaneously (at least in static networks) Incentives are necessary

The more wireless networks become decentralized and self-organized, the more their proper operation depends on the behaviour of individual nodes Rational / greedy / selfish behaviour requires appropriate investigation

Wireless security offers many other research challenges (transport layer, proof of encounter, secure positioning,…)

http://lcawww.epfl.ch/hubaux/