Kyasanur-misbehaviour on Mac

8/2/2019 Kyasanur-misbehaviour on Mac

1/15

Selfish MAC Layer Misbehaviorin Wireless Networks

Pradeep Kyasanur and Nitin H. Vaidya, Senior Member, IEEE

AbstractWireless Medium Access Control (MAC) protocols such as IEEE 802.11 use distributed contention resolution mechanisms

for sharing the wireless channel. In this environment, selfish hosts that fail to adhere to the MAC protocol may obtain an unfair

throughput share. For example, IEEE 802.11 requires hosts competing for access to the channel to wait for a backoff interval,

randomly selected from a specified range, before initiating a transmission. Selfish hosts may wait for smaller backoff intervals than

well-behaved hosts, thereby obtaining an unfair advantage. We present modifications to the IEEE 802.11 protocol to simplify detection

of such selfish hosts and analyze the optimality of the chosen strategy. We also present a penalty scheme for punishing selfish

misbehavior. We develop two misbehavior models to capture the behavior of misbehaving hosts. Simulation results under these

misbehavior models indicate that our detection and penalty schemes are successful in handling MAC layer misbehavior.

Index TermsWireless communication, network monitoring, public networks, network-level security and protection.

1 INTRODUCTION

WIRELESS Medium Access Control (MAC) protocols suchas IEEE 802.11 [13] use distributed contentionresolution mechanisms for sharing the wireless channel.The contention resolution mechanism is typically based oncooperative protocols (e.g., random backoff before trans-mission) that attempt to ensure a reasonably fair through-put share for all the participating hosts. In environmentswhere hosts in the network are untrusted, some hosts maymisbehave by failing to adhere to the network protocols,with the intent of obtaining an unfair share of the channel.The presence of selfish hosts that deviate from the conten-

tion resolution protocol can reduce the throughput sharereceived by well-behaved hosts. Thus, the development ofmechanisms for detecting and handling selfish misbehavioris essential.

Wireless networks can be classified into infrastructure-based networks and ad hoc networks. Infrastructure-basednetworks have a centralized base station. Hosts in thewireless network communicate with each other, and withother hosts on the wired network, through the base station.Ad hoc networks are characterized by the absence of anyinfrastructure support. Hosts in the network are self-organized and forward packets on behalf of each other,enabling communication over multihop routes. IEEE 802.11is a MAC layer protocol that can be used in infrastructure-

based networks as well as in ad hoc networks.IEEE 802.11 has two mechanisms for contention resolu-

tion: a centralized mechanism called point coordinationfunction (PCF), and a fully distributed mechanism called

distributed coordination function (DCF). PCF needs acentralized controller (located at the base station), and canbe used only in infrastructure-based networks. PCF is anoptional feature in IEEE 802.11 and is not supported by allIEEE 802.11 implementations. DCF provides distributedaccess and is the only contention resolution mechanism thatcan be used for ad hoc networks. DCF is also suitable whenthe number of hosts and load in the network is not fixed.Consequently, DCF is widely used in practice for infra-structure-based networks as well. In this paper, we addressa misbehavior possible in the DCF mode. Using PCF,

instead of DCF, in infrastructure-based networks mayalleviate the selfish misbehavior that we identify, but PCFmay offer lower performance than DCF during normalnetwork operation.

1.1 Details of DCF and Illustration of PossibleMisbehavior

DCF uses CSMA/CA (carrier sense multiple access/collision avoidance) for resolving contention among multi-ple hosts accessing the channel. A host with data to transmiton the channel selects a random backoff value from range0; CW, where CW (Contention Window) is a variablemaintained by each host. While the channel is idle, the

backoff counter is decremented by one after every time slot(time slot is a fixed interval of time defined in IEEE 802.11standard) and the counter is frozen when the channelbecomes busy. A host may access the channel when itsbackoff counter is decremented to zero.

After the backoff counter is decremented to zero, thesender host may reserve the channel for the duration of thedata transfer by exchanging control packets on the channel.The sender first sends an RTS (Request to Send) packet tothe receiver host. The receiver responds with a CTS (Clearto Send) packet and this exchange reserves the channel forthe duration of data transmission (RTS-CTS exchange isoptional in IEEE 802.11). Both the RTS and the CTS contain

the proposed duration of data transmission. Other hosts

502 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 4, NO. 5, SEPTEMBER/OCTOBER 2005

. P. Kyasanur is with the Department of Computer Science, and theCoordinated Science Laboratory, University of Illinois at Urbana-Champaign, IL, 61820. E-mail: [email protected].

. N.H. Vaidya is with the Department of Electrical and ComputerEngineering, and the Coordinated Science Laboratory, University ofIllinois at Urbana-Champaign, IL, 61820. E-mail: [email protected].

Manuscript received 3 Oct. 2003; revised 4 Mar. 2004; accepted 5 Apr. 2004;published online 27 July 2005.For information on obtaining reprints of this article, please send e-mail to:

[email protected], and reference IEEECS Log Number TMC-0162-1003.1536-1233/05/$20.00 2005 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS


2/15

which overhear either the RTS or the CTS (or both) arerequired to defer transmissions on the channel for theduration specified in RTS/CTS. After a successful RTS/CTSexchange, the sender transmits a DATA packet. Thereceiver responds with an ACK packet to acknowledge asuccessful reception of the DATA packet. If a hosts datatransmission is successful, the host resets its CW to a

minimum value (CWmin); otherwise, if a hosts datatransmission is unsuccessful (detected by the absence of aCTS or the absence of an ACK), CW is doubled, subject to amaximum of CWmax.

Some strategies misbehaving hosts may use to obtain anunfair share of the channel include:

. Selecting backoff values from a different distribu-tion with a smaller average backoff value, than thedistribution specified by DCF (e.g., by selectingbackoff values from the range 0; CW

4 instead of

0; CW or by always selecting a fixed backoff ofone slot).

. Using a different retransmission strategy that doesnot double the CW value after collision.

Such selfish misbehavior can seriously degrade thethroughput of well-behaved hosts. For example, oursimulation results (Section 6) show that, for a networkcontaining eight hosts sending packets to a commonreceiver, with one of the eight hosts misbehaving byselecting backoff values from the range 0; CW

4, t he

throughput of the other seven hosts is degraded by asmuch as 50 percent. In this paper, we propose modificationsto IEEE 802.11 for simplifying the detection of suchmisbehaving hosts and for penalizing hosts detected to bemisbehaving. Subsequent to this work [20], Raya et al. [32]have considered detection of misbehavior without modify-

ing the IEEE 802.11 MAC protocol.The rest of the paper is organized as follows: A

discussion of related work is presented in Section 2. A briefoverview of the proposed scheme is outlined in Section 3and details are presented in Section 4. Extensions to theprotocol for detecting receiver misbehavior and improvingdiagnosis accuracy are in Section 5. Evaluation of theproposed scheme is presented in Section 6. We conclude inSection 7.

2 RELATED WORK

Most research addressing selfish misbehavior assumes that

selfish hosts misbehave primarily to improve their ownperformance (throughput, latency, energy, etc.). Selfishhosts are assumed to desist from degrading the perfor-mance obtained by other hosts when such an attempt doesnot improve their own performance. In contrast, researchaddressing wireless security is primarily focused onaddressing malicious misbehavior, which is misbehavioraimed at disrupting normal network operation, possiblywith no performance gain to the misbehaving host. Selfishmisbehavior includes hosts that refuse to forward packetson behalf of other hosts to conserve energy, hosts thatselect small backoff values to obtain larger throughputshare (the misbehavior that we address), etc. Malicious

misbehavior includes denial of service attacks that disrupt

routing operation, jamming the wireless channel to preventcommunication, etc. Good discussions on various securityissues in wireless networks are in [6], [12], [30].

Several approaches have been proposed for addressingselfish misbehavior at the network layer in wireless net-works. One approach is to identify misbehaving hosts andavoid their use for network operations such as routing [23].

Another approach is to design protocols that encouragecooperation by penalizing misbehavior [3], [4]. A comple-mentary approach is to provide incentives for hosts tocooperate by paying for cooperation [7], [8]. Network layermechanisms address network layer misbehavior such asdropping, delaying, or misrouting packets. The scheme wepropose addresses selfish misbehavior at the MAC layerand can complement network layer mechanisms.

Game-theoretic techniques [17], [18], [21], [22], [24], [25]have been used to develop protocols which are resilient tomisbehavior. The game theoretic approach assumes that allusers are selfish and rational. Rational hosts always select astrategy that maximizes their utility (utility is a measure ofthe benefit obtained by a host). Protocols are designed that

reach a equilibrium state, called the Nash equilibrium,where a selfish host cannot unilaterally gain any advantageover well-behaved hosts.

MacKenzie and Wicker [21], [22] consider selfishmisbehavior in Aloha protocol. Konorski [17], [18] studiesselfish MAC layer misbehavior, where hosts deviate fromthe specified backoff strategy. Konorski proposes a mod-ified backoff algorithm using black-bursts and, with agame-theoretic analysis, shows that the protocol is resilientto selfish misbehavior. Konorskis work assumes that allhosts can accurately measure the duration and originator ofeach black-burst, which is hard to guarantee in a wirelessnetwork.

Most of the protocols using game-theoretic techniquesare based on the assumption of Perfect Information, i.e.,every host can observe all the actions of other hosts in thenetwork. This assumption is hard to realize in practice,especially in the context of a wireless network (with fadingchannels, hidden terminals, etc.). In addition, protocolsdeveloped with game-theoretic techniques may not achievethe performance of protocols developed under the assump-tion that all hosts are well-behaved and cooperate with eachother (e.g., IEEE 802.11). The scheme we propose retains theperformance of IEEE 802.11 (a protocol based on coopera-tion among hosts), while ensuring detection of misbehavior.

Intrusion detection and tolerance techniques are used as

a tool for diagnosing and tolerating misbehavior [5], [11],[28], [31]. Intrusion detection approaches are based ondeveloping a long-term profile of normal activities andidentify intrusion by observing deviations from the mea-sured profile. On the other hand, our proposed modifica-tions are not dependent on the availability of a long-termprofile of normal behavior (when the topology, channelconditions, and traffic patterns are dynamic, such a profilemay not be accurate).

Bhargavan et al. [2] used a backoff mechanism similarto the one proposed in this paper, but their goal was toachieve improved fairness in channel access. In contrast,our modifications are designed to simplify misbehavior

diagnosis.

KYASANUR AND VAIDYA: SELFISH MAC LAYER MISBEHAVIOR IN WIRELESS NETWORKS 503


3/15

This paper is an extension of an earlier conference paper[20]. The earlier work has been expanded with extensionsfor improving detection accuracy and a more detailedevaluation.

3 PRELIMINARIES

We define the following terminology used in presenting theproposed scheme.

Sender. Sender is a host which wants to transmit a datapacket to another host.

Receiver. Receiver is a host which receives a data packetfrom a sender host. The receiver monitors the sender host todetect senders misbehavior.

Sender and receiver are the different roles a host canperform. A host may assume the roles of a sender and areceiver at different times. Recall that, in the case ofIEEE 802.11 DCF, the sender host transmits a DATA packetto a receiver host after an optional RTS-CTS exchange.

3.1 Motivation and Assumptions

The proposed scheme is designed to require minimalmodifications to IEEE 802.11 DCF and allows a receiver todetect sender misbehavior identified earlier. Detectingsender misbehavior is important, for example, in infra-structure-based public wireless networks (e.g., publicwireless networks in airports). In public wireless networks,the base stations are maintained by the network serviceproviders and can be trusted. Since the base station is well-behaved, there is no misbehavior when it is sending. On theother hand, wireless hosts sending data to the base stationusing the DCF mode are untrusted and may misbehave togain a higher throughput share than competing hosts.Hence, the base station (receiver) is required to detectmisbehavior of wireless hosts (senders).

We assume that the receivers are well-behaved whilepresenting the proposed scheme. We discuss mechanismsto address receiver misbehavior in Section 5. We alsoassume that there is no collusion between the sender andthe receiver. For example, these assumptions are valid inthe infrastructure-based wireless networks with a trustedbase station. The proposed scheme can also be applied toad hoc networks (self-organized networks without a centralauthority) to detect misbehavior, as discussed later. Theproposed scheme addresses selfish misbehavior (hostsintending to obtain higher throughput or lower delay)and does not consider malicious attacks such as jammingthe channel.

3.2 Brief Overview of the Proposed SchemeThe proposed scheme is designed to handle selfish MAClayer misbehavior in hosts using IEEE 802.11 DCF mode. Agoal of the proposed scheme is to simplify misbehaviordetection. In IEEE 802.11 protocol, a sender transmits anRTS (Request to Send) after waiting for a randomly selectednumber of slots in the range 0; CW. Consequently, the timeinterval between consecutive transmissions by the sendercan be any value within the above range. Hence, a receiverthat observes the time interval between consecutivetransmissions from the sender cannot distinguish a well-behaved sender that legitimately selected a small randombackoff from a misbehaving sender that maliciously

selected a nonrandom small backoff. It may be possible to

detect sender misbehavior by observing the behavior ofsenders over a large sequence of transmissions, but this mayintroduce a large delay in detecting misbehavior. Inaddition, it may not be feasible to monitor the behavior ofsenders over a large sequence of transmissions when hostmobility is high. Furthermore, two hosts may obtain thesame throughput share over the long term, but one host

may achieve significantly lower delay by misbehaving (themisbehaving host may immediately access the channel, butthe well-behaved host may have a significant contentionresolution delay, especially at higher loads).

Hence, we propose modifications to the IEEE 802.11protocol that enables a receiver to identify sender mis-behavior within a small observation interval. Instead of thesender selecting random backoff values to initialize thebackoff counter, the receiver selects a random backoff value andsends it in the CTS (Clear to Send) and ACK packets to thesender. The sender uses this assigned backoff value in thenext transmission to the receiver. With these modifications,a receiver knows the exact backoff value a sender isexpected to use. Hence, receivers can identify a senderdeviating from the protocol by observing the number of idleslots between consecutive transmissions from the sender. Ifthis observed number of idle slots is less than the assignedbackoff, then the sender may have deviated from theprotocol. The magnitude of observed deviations over asmall history of received packets is used to diagnose sendermisbehavior with high probability.

The proposed scheme also attempts to negate anythroughput advantage that the misbehaving hosts mayobtain. To achieve this, deviating senders are penalized,thereby discouraging misbehavior. When the receiverperceives that a sender has waited for less than the assignedbackoff, it adds a penalty to the next backoff assigned to

that sender. If the sender does not backoff for the durationspecified by the penalty (or backs off for a small fraction ofthe duration), it significantly increases the probability ofdetecting misbehavior (as explained later). On the otherhand, a misbehaving sender which backs off for theduration specified by the penalty (or a large fraction of it)does not obtain significant throughput advantage overother well-behaved hosts. Hence, with the proposedscheme, it is difficult for a misbehaving host to obtain anunfair share of the channel while eluding detection.

4 PROPOSED SCHEME

The proposed scheme has three components. First, thereceiver decides, at the end of a transmission from thesender, whether the sender deviated from the protocol forthat particular transmission. A deviation does not alwaysindicate that the sender is misbehaving (as explained later).Next, if the sender has identified a deviation for atransmission from the sender, it penalizes the sender, basedon the magnitude of the perceived deviation for thatparticular transmission (penalty scheme). Last, based on themagnitude of the perceived deviation over multiple trans-missions from the sender, the receiver identifies sendersthat are indeed misbehaving (diagnosis scheme). Extensionsto the protocol for detecting receiver misbehavior and

improving detection accuracy are in Section 5.



4/15

4.1 Identifying Deviations from the Protocol

In the proposed scheme, hosts follow the rules of IEEE802.11 DCF except for some suitable modifications to thebackoff scheme, as explained below. Proposed modifica-tions to the backoff scheme enable a receiver R to dictate thebackoff values to be used by a sender S that is sendingpackets to R. The first time S sends a packet to R, S may usean arbitrarily selected backoff value. For all subsequenttransmissions, the sender has to use the backoff valuesprovided by the receiver. For example, Fig. 1 depicts the

receiver-sender interaction in the modified protocol. Whenthe receiver R receives an RTS1 from the sender S, R assignsa backoff value Bexp b to S in the CTS packet as well as thesubsequent ACK packet, as shown in Fig. 1. S is required touse this backoff value b for sending the next packet to R.

The receiver selects the backoff values Bexp assigned tothe sender from the range 0; CWmin. The sender maymisbehave by backing off for a smaller duration than Bexp.The receiver observes the channel status during the intervalbetween the sending of an ACK by R and the reception ofthe next RTS from S. The receiver notes down the length ofthis interval in slots, K, as well as the number of slots thatwere idle Bact during this interval. The sender is designated

as deviating from the protocol if the observed number ofidle slots Bact is smaller than a specified fraction of theassigned backoff Bexp, i.e.,

Bact < Bexp; 0 < 1: 1

A deviation does not necessarily indicate that the senderis misbehaving as the channel conditions seen by the senderand receiver may be different. For example, if the sendersenses the channel to be idle and counts down its backofftimer, while the receiver senses the channel to be busy and

does not count down its timer, then the transmission fromthe sender may be falsely designated as a deviation. Theparameter in (1) can be suitably chosen, based on thechannel conditions, to reduce the incidence of falsedeviations. Using a small may allow misbehaving sendersto elude detection. Hence, we selected a reasonably high (our simulations used > 0:8) and used the diagnosisscheme, presented in Section 4.3 for accurately diagnosingmisbehaving hosts.

A threshold scheme, which compares the observed

backoff Bact with a threshold (based on the assignedbackoff B and total slots K) is optimal in maximizingdetection percentage, subject to a maximum allowedmisdiagnosis percentage (proof in the Appendix). In ourcurrent work, we are using a constant fraction ofBas thethreshold to simplify the protocol. Accurate selection of thethreshold may require detailed information about channelparameters, which may not be available. Simulation resultsshow that using fixed values is still effective in diagnosingmisbehavior.

We now describe the extensions to IEEE 802.11 forhandling sender misbehavior during packet retransmis-sions. Every RTS sent by the sender has an attempt number

included in a new field in the RTS header. The sender setsthe attempt number to 1 after a successful transmission, andincrements it by 1 after every unsuccessful transmission(indicated by the absence of a CTS following an RTS or theabsence of an ACK following a DATA packet). Thecontention window CW maintained by the sender is set toCWmin after a successful transmission and, after anunsuccessful transmission, CW is set to minCWmin 1 2i1 1; CWmax for the ith transmission attempt, as inIEEE 802.11.

Fig. 2 demonstrates the protocol operation after acollision. In the figure, the number in parentheses next toeach RTS is the value of the attempt number. When an RTS

transmission is unsuccessful, the sender increments the


1. We assume RTS/CTS exchange is used before data transmission.However, the proposed scheme can be applied even when RTS/CTS

exchange is not used.

Fig. 1. Receiver-Sender interaction.

Fig. 2. Protocol for retransmissions.


5/15

attempt number and chooses a new backoff value using adeterministic function f as follows:

NewBackoff fbackoff; senderId; attempt CW ;

where backoff is the backoff previously assigned by thereceiver, senderId is the unique sender identifier, andattempt is the attempt number maintained by the sender.

In Fig. 2, backoff b, senderId S, and the attemptnumbers are 1, 2 and 3.

The function f used by the sender for computing backoffvalues for retransmission attempt is given by:

fbackoff; senderId; attempt

aX c modCWmin 1=CWmin;

where a 5, c 2 attempt 1 and

X backoff senderId modCWmin 1:

The function f generates a uniform random numberbetween 0 and 1. The deterministic function f that we use

has been carefully chosen (a good discussion on pseudo-random generation is in [16]) to ensure that, after collisions,the colliding senders will select different backoff valueswith high probability, provided the senderIds are uniformlydistributed.

When an RTS is successfully received at the receiver(after possibly multiple transmission attempts by thesender), the receiver can estimate the number of retransmis-sion attempts by using the attempt number field included inthe RTS. An attempt number value greater than 1 indicatesthat there was at least one unsuccessful transmissionattempt by the sender. The receiver can then estimate thetotal time, Bexp, for which the sender was expected tobackoff for by applying the same deterministic function f

used at the sender:

Bexp backoff Xattempti2

fbackoff; senderId; i CWi;

where CWi is the contention window for the ith transmis-sion attempt (computed as in IEEE 802.11) given byCWi minCWmin 1 2

i1 1; CWmax. This estimatedbackoff is then used in checking for possible deviation byapplying (1), as explained before. Note that if a determi-nistic function is not used by the sender, then the receivercannot easily estimate the backoff value used by the senderafter a collision.

It may be possible for the sender to provide incorrectattempt number values in the RTS. To ensure that sendersprovide correct attempt numbers, the receiver can sense thechannel to identify high collision intervals (when thechannel is mostly busy but few transmissions are success-ful). During these intervals, the receiver can analyze thetraffic to identify any sender Sachieving a larger number ofsuccessful transmissions than other hosts, or having smalleraverage attempt values than other hosts. If such a sender Sexists, the receiver can intentionally drop RTS packets fromS occasionally and verify that S increments the attemptnumber in the retransmission of RTS. Even a single failureby S to increment the attempt number in the retransmissionis an immediate proof of misbehavior. As S does not know

which RTS packets are lost due to collisions and which are

intentionally dropped by the receiver, it will be harder forsuch misbehaving senders to persistently send incorrectattempt numbers without being detected. Dropping RTSpackets occasionally will not significantly affect thethroughput of S.

4.2 Penalty Scheme

Hosts deviating from the protocol may obtain a largerthroughput share than well-behaved hosts. The penaltyscheme penalizes deviating hosts by assigning largerbackoff values to them than those assigned to well-behavedhosts. We use the principle that hosts deviating moreshould be assigned larger penalties. Hence, when thereceiver detects a deviation (using (1)), it measures thedeviation D max Bexp Bact; 0 and assigns thismeasured deviation as a penalty to the sender.

From analysis and simulations (details in [19]), weidentified the need for an additional penalty to effectivelypenalize the misbehaving hosts. So, the total penalty P isequal to the sum of D and the additional penalty. The nextbackoff value assigned to the deviating sender is the sum of

a random value, selected as in IEEE 802.11 from range0; CWmin, and the computed penalty P. Thus, the deviat-ing sender is dictated to back off for a longer interval beforeinitiating the next transmission than it would have neededto without the penalty.

Since the penalty scheme adds a penalty for everyperceived deviation, a well-behaved sender may bepenalized if the receiver incorrectly identifies the senderas deviating from the protocol. As described earlier, thisscenario may arise when the channel conditions at a well-behaved sender differ significantly from the channelconditions at the receiver. However, we decided to usethe approach of adding a penalty for every perceived

deviation to prevent a misbehaving host from trying toadapt to any protocol parameters and thereby obtain athroughput advantage over well-behaved hosts. In mostcases, the magnitude of deviation for well-behaved sendersis very small. As the penalty added is proportional to themagnitude of deviation, this penalty will be small for awell-behaved host. Our simulation results show that theaverage throughput obtained by well-behaved hosts whenthe penalty scheme is enabled is comparable to thatobtained when using IEEE 802.11 protocol.

4.3 Diagnosis Scheme

The diagnosis scheme uses two protocol parameters, WandThresh. The receiver maintains a moving window contain-ing information about the last Wpackets received from eachsender. When a new packet is received, the differenceBexp Bact is stored in the moving window. A positive(negative) difference indicates that the sender waited forless (more) than the backoff duration expected by thereceiver. If the sum of these differences in the previousW packets from the sender is greater than a thresholdThresh, then the sender is designated as misbehaving.

We add both positive differences (sender has waited forless than the required duration, i.e., a deviation) andnegative differences (the sender has waited for more thanthe required duration) since a well-behaved host perceivedas deviating for a packet may be perceived to backoff forlarger than the expected backoff for some other packet.

However, a persistently misbehaving host will have



6/15

positive differences for most packets and is likely to bediagnosed. The choice of W and Thresh does not affect thepenalty scheme. Hence, a sender adapting to Wand Threshwill still have a penalty added for every perceiveddeviation, even if the host is not immediately diagnosedto be misbehaving. The parameter Thresh used in theprotocol may be adaptively selected, based on the channel

conditions, to maximize the probability of correct diagnosiswhile minimizing the probability of misdiagnosis (we deferadaptive selection to future work).

The penalty scheme is used to penalize potentiallymisbehaving hosts. However, the penalty scheme is noteffective if a misbehaving host does not back off for at leasta significant fraction of the assigned penalty when ittransmits its next packet. On the other hand, the magnitudeof the observed deviation for a sender host that backs off fora small fraction of the assigned penalty will be large and thediagnosis scheme can identify such hosts with highprobability. Thus, penalty and diagnosis schemes togetherensure that a misbehaving host cannot obtain a larger than fairshare of the channel without being diagnosed as misbehaving.

After the diagnosis scheme identifies a host to bemisbehaving, the MAC layer may refuse to accept packetsfrom the misbehaving host (by not responding with a CTS).Alternatively, higher layers can be informed of themisbehavior. Using this information, the higher layers orthe system administrator may take suitable action. Forexample, in ad hoc networks, hosts forward packets onbehalf of each other. When misbehavior is diagnosed,network layer protocols may use the diagnosis informationto route around misbehaving hosts. Network layer proto-cols can also refuse to forward packets originating frommisbehaving hosts.

The proposed scheme can be used in conjunction withthe upper layers to handle other types of MAC layer

misbehavior as well. For example, a misbehaving host mayuse different MAC addresses for different packet transmis-sions. A receiver monitoring such a sender cannot effec-tively penalize the misbehaving host as the receiverassociates different MAC addresses with different hosts.Another misbehavior may be a host that spoofs the addressof another host. The proposed scheme can be augmentedwith authentication mechanisms provided by higher layers(e.g., the newly proposed IEEE 802.1x mechanisms [1]) toidentify such misbehaving hosts.

5 EXTENSIONS TO THE PROTOCOL

5.1 Handling Receiver Misbehavior

In the proposed scheme, there exists a possibility that thereceiver may misbehave in assigning backoff values. Asdiscussed before, in the case of infrastructure-based net-works, the base station is trusted and is not expected tomisbehave. When the base station is sending, it can ignorethe backoff values assigned by client hosts (receivers) anduse randomly generated backoff values. Thus, receivermisbehavior does not impact infrastructure-based net-works. However, in the case of ad hoc networks, receiverscannot be trusted and may misbehave.

A receiver misbehavior is to assign small backoff valuesto a preferred sender to receive data from that sender at ahigher than fair rate. This type of attack is possible, say,

when the receiver is expecting some data from a particular

sender and seeks to obtain that data with minimal latency.For example, if the sender is hosting a server, it is interestedin ensuring fair access for all its clients. So, the sender willbe interested in detecting a misbehaving receiver that seeksto download data from the sender at a higher rate. In thecontext of TCP, Ely et al. [9], and Savage et al. [29] haveidentified similar receiver misbehavior that may allow a

misbehaving receiver to gain a throughput advantage overother well-behaved receivers.This misbehavior can be detected using an approach

similar to that used for detecting sender misbehavior. Forexample, the receiver can be required to select the initialbackoff values (i.e., backoff value before penalty is added)using some well-known deterministic function, g, which thesender is aware of. Hence, the sender can detect a receiverassigning small backoff values. Senders can choose to usethe larger of the backoff assigned by the receiver and thebackoff expected by the sender. This solution is notsufficient in case the sender and the receiver collude.Mechanisms to address collusion are discussed later.

An alternate approach is for the sender to publish its

backoff for next transmission, with the constraint that thesevalues have to be picked using a well-known deterministicfunction g. This is similar to the approach used in theSEEDEX protocol [27], where senders inform receivers of thetransmission schedule by publishing the seed of the randomnumber generator. When the receiver gets the schedule, ithas to first verify that the published schedule has beenlegitimately chosen and then has to verify, for eachtransmission, whether the sender counted down the re-quired backoff using the approach described earlier. Thedrawback of this approach is that a receiver can no longerpunish misbehaving senders using a simple penalty me-chanism as proposed earlier. Receivers can drop packetsfrom potentially misbehaving senders, but, if packets are

dropped from well-behaved senders, it may drasticallydegrade their throughput (e.g., if TCP is being used, TCPmay timeout to recover from lost packets, leading to severedegradation in throughput). Hence, dropping packets, incontrast to adding additional backoff as penalty, may have adetrimental effect on the throughput of misdiagnosed well-behaved hosts.

Another receiver misbehavior is to assign large backoffvalues to a sender. We do not address this misbehavior inour scheme as it is equivalent to a receiver refusing toaccept packets from the sender. To encourage the receiver toaccept packets from the sender, higher level solutions (e.g.,incentive-based mechanisms) may be used.

5.2 Reducing Misdiagnosis

In IEEE 802.11, the channel is said to be busy in a slot in thefollowing cases:

. When that slot has been reserved by an RTS or anCTS, or a host is receiving a packet.2

. When the strength of the received signal on thechannel (including noise and interference) is above athreshold called the carrier sense threshold (evenif the packet is not decoded correctly). The carriersense threshold is often chosen such that the


2. A packet is being received on the channel when the preamble sent by

the sender has been correctly decoded.


7/15

maximum distance from which a transmission canbe sensed, called the carrier sense range, is approxi-mately twice the distance from which a packet canbe correctly received. This enables a host to sensetransmissions originating from its two-hop neigh-bors, and avoid colliding with them. (More detailsare in IEEE standard [13].)

We identify a scenario where misdiagnosis may occurand propose a solution. In Fig. 3, bold lines connecting twohosts indicate that they can receive packets from each other.Dashed lines indicate that the two hosts can sense eachothers transmission, but cannot successfully receive pack-

ets. In Fig. 3, sender S attempts to communicate withreceiver R. Transmissions from host 1 in the vicinity of Rcan be sensed by S, but packets from 1 cannot be received atS. R can only sense transmissions from 2, while S cannoteven sense transmissions from 2. Hence, 2 is hidden from S,but not from R.

In this scenario, when 2 starts a transmission, receiver Rsenses the channel to be busy, but sender S does not. Later,when a packet is received from S, R may decide that S didnot back off for a sufficient number of idle slots (this is aproblem arising out of hidden terminals [15]) and mayconclude that S is misbehaving. This leads to misdiagnosis.The protocol conservatively chooses parameters to reducethe incidence of misdiagnosis, but the misdiagnosis

percentage may be high if the above scenario persists.We propose an optional modification to the proposed

scheme to address this problem. Observe that the problemillustrated above would not have arisen, if R had countedthe slots in which 2 was transmitting to be idle. So, if thereceiver classifies a slot to be busy only when an overheardRTS/CTS has reserved the slot or a packet is being received(and not when only sensing some transmission but notreceiving anything correctly), then the receiver in mostcases will identify a slot to be idle whenever the sendersenses a slot as idle. This will reduce the incidence ofmisdiagnosis. Note that senders are still required to count aslot as busy if they sense a transmission, as in IEEE 802.11.

Furthermore, this modification is used to decide if a senderis misbehaving. If the sender is classified as misbehaving,then the penalty is added based on a counter that countsbusy slots as before (even slots where transmissions are justsensed are counted as busy). This ensures that theappropriate penalty will be added once a sender isdiagnosed to be misbehaving.

With this modification, the receiver may now classifysome slots to be idle when the sender actually senses theslots as busy (e.g., when the sender and receiver arereversed in Fig. 3). Misbehaving hosts aware of thismodification may try to intelligently misbehave, andleverage the conservative behavior of the receiver. How-

ever, a misbehaving sender cannot decide with certainty

whether the receiver has classified a busy slot as idle and,thus, does not have a guaranteed strategy for obtainingbetter performance.

5.3 Using Multiple Observers

In the discussions so far, we have required the receiver tomonitor sender behavior. We can easily extend the protocol

to allow other hosts in the vicinity of the sender to monitorsender behavior. For example, in Fig. 4, host 1 can receivepackets from both the sender S and the receiver R. Whenhost 1 receives a CTS from R intended for S, host 1 knowsthe backoff assigned to S. Later, when S sends a packet,host 1 can decide if the sender S waited for the assignednumber of idle slots. These additional observers can also beused to detect collusion. For example, host 1 can monitorthe backoff values assigned by the receiver R and decide ifR is assigning small backoff values to any particular sender.In addition, host 1 can also monitor the sender S and verifyif a receiver is correctly punishing sender misbehavior(otherwise, a receiver may intentionally ignore misbehavior

of a preferred sender).Multiple observers can be used to improve diagnosis

accuracy. In an infrastructure-based network, the observersmay be neighboring base stations or other specially installedmonitoring hosts. In ad hoc networks, observers may belongto a common trust group and can share diagnosis informa-tion (e.g., hosts 1, 2, 3 in Fig. 4). As discussed before,misdiagnosis incidences may be high in certain scenarios.But, when multiple observers are used, not all observersincorrectly diagnose misbehavior. So, intelligently combin-ing information from multiple observers can reduce mis-diagnosis percentage. Similarly, we can improve the correctdiagnosis percentage as well. We defer for future work

analysis of scenarios when multiple observers are beneficialand strategies to be used for combining information frommultiple observers. Use of multiple observers in ad hocnetworks requires protection against false-reporting, propa-gation of incorrect diagnosis, etc. We believe we can enhancethe use of multiple observers with mechanisms from thefield of distributed diagnosis. Another question of interestfor infrastructure-based networks is the locations whereobservers need to be placed to maximize diagnosis accuracy.

6 SIMULATION RESULTS

We use the ns-2 [10] simulator for our simulations. The

simulator has been extended with modifications needed for


Fig. 3. Scenario where misdiagnosis occurs.

Fig. 4. Using multiple observers to improve diagnosis accuracy anddetect collusion.


8/15

our protocol. We have also incorporated modifications tothe physical carrier sensing to account for variations inchannel conditions at the granularity of a slot. We use theshadowing channel model [10]. The shadowing channelmodel captures the variations in channel conditions over

time and space by using a Gaussian random variable, XdB,with zero mean and dB standard deviation. The model isrepresented as

Prd

Prd0

dB

10 logd

d0

XdB:

is called the Path Loss Exponent, d is the distancebetween the sender and receiver, Prd is the receivedpower, and Prd0 is the power at some reference distanced0 [10]. For free space propagation, is 2 and we use thisvalue in our simulations. We set dB to 1 and the carriersense and receive thresholds are selected such that atransmission is received with 50 percent probability at a

distance of 250m and sensed with 50 percent probability at adistance of 550m.

In our simulations, all the sender hosts in the networkare backlogged. The traffic from the senders to the receiversis a CBR (Constant Bit Rate) flow with rate 2 Mbps and thesize of the CBR packets is 512 bytes. The channel bit rate is2 Mbps. The simulation time for each run is 50 seconds. Theresults are averaged over 30 runs of the simulation. Eachrun is seeded by a different seed and the set of seeds usedfor different data points is the same. Hosts are stationary inall simulations.

Simulation topology. We first simulate our proposedprotocol for a network having a well-behaved receiver R

and multiple senders transmitting to R. We use this simplenetwork setting to simplify the evaluation of the proposedprotocols effectiveness in handling sender misbehavior andidentify the various trade offs involved. However, thesimulation setup includes other traffic in the vicinity of thereceiver that can affect the carrier sensing at the receiver Rand the senders that communicate with it. We also present,later in this section, simulation results for multiple sendersand receivers randomly placed in the network.

Fig. 5 shows the simulated network. The number ofsender hosts around the receiver R is eight (numbered 1through 8 in the figure) with host 3 misbehaving. The eightsender hosts are placed in a circle of radius 150 meters

around R, equidistant from each other. There are four other

hosts, A, B, C, and D, in the network, with constant bit rate(CBR) flows of rate 500 Kbps from A to B and from C to D.The flows A-B and C-D are at a distance of 500 meters oneither side of the receiver R, as shown in Fig. 5. The flowsare positioned such that the transmissions on these flows A-

B and C-D are sensed with high probability by the receiverR, while farther away sender hosts do not sense thesetransmissions with high probability. For example, in Fig. 5,when A sends a packet to B, host 3 may not sense thetransmission, while R may sense the transmission.

We evaluate our protocol under three different scenariosby enabling or disabling traffic on flows A-B and C-D:

1. ZERO-FLOW: In this scenario, both traffic flows A-Band C-D are turned off. This gives a symmetrictopology with eight senders sending to a commonreceiver R. This models the case when backgroundtraffic is small.

2. ONE-FLOW: In this scenario, only traffic flow C-D isturned on. In this scenario, receiver R and hosts 1through 5 sense the transmission from C to D withhigh probability, while hosts 6, 7, and 8 do not.Consequently, hosts 6, 7, and 8 may occasionallyappear to be deviating from the protocol (as theysense the channel to be idle while receiver R sensesthe channel to be busy). We select host 3 to be themisbehaving host. Hence, this scenario tests ourprotocol performance when host 3 is actuallymisbehaving, while hosts 6-8 may falsely appear tobe misbehaving.

3. TWO-FLOW: In this scenario, both traffic flows A-Band C-D are turned on. Now, all the senders

occasionally appear to be deviating from the proto-col (as they sense the channel to be idle when theflow farthest from them is transmitting, while thereceiver senses the channel to be busy).

Simulation Metrics. The metrics used in the protocolevaluation are:

1. Correct Diagnosis: This is computed as the percentageof packets transmitted by misbehaving senderswhich are correctly diagnosed by the receiver (i.e.,by the diagnosis scheme) as packets from amisbehaving sender. A packet received at thereceiver R from a sender S is classified to be from

a misbehaving sender only if the measured deviation


Fig. 5. Simulation setup.


9/15

over the previous W packets from S is greater thanThresh, as explained in Section 4.3.

2. Misdiagnosis: This is computed as the percentage ofpackets sent by well-behaved senders which arewrongly diagnosed by the receiver as packets frommisbehaving senders.

3. Average throughput of well-behaved hosts: This is theaverage throughput per well-behaved sender.

4. Misbehaving host throughput: This is the averagethroughput per misbehaving sender.

Misbehavior Models. We evaluate our protocols undertwo misbehavior models that capture the behavior of amisbehaving host. The first model, termed the PersistentMisbehavior Model, captures the behavior of a misbehavinghost that always misbehaves using a fixed strategy. In thismodel, we characterize various levels of misbehavior with aparameter called Percentage of Misbehavior (PM). Amisbehaving host with PM = x percent transmits a packetafter counting down to (100-x) percent of the assignedbackoff value. The PM parameter is used to quantify themagnitude of misbehavior, with larger values of PM

indicating greater misbehavior. Hence, a host with PM = 0percent fully counts down the assigned backoff and is well-behaved, whereas a host with PM = 100 percent transmits apacket without counting down any backoff at all. Misbe-having hosts persist with this behavior irrespective of themagnitude of assigned backoff. This captures the behaviorof a host which misbehaves without adapting to theassigned penalties. Although this is a simple misbehaviormodel, we use this model for most simulations to simplifythe evaluation.

The second model we use, termed as Adaptive Misbeha-vior Model, captures the behavior of a misbehaving hostwhich changes the magnitude of misbehavior based on the

magnitude of penalty assigned by the receiver. This isintended to model a misbehaving host which tries to obtaina higher throughput share without getting caught. Thismodel also uses a variable called Percentage of Misbeha-vior (PM) that is used to decide what fraction of theassigned backoff a host will wait for, as described for thepersistent misbehavior model. However, the value of thisvariable is changed based on the penalty assigned by thereceiver. If the receiver assigns a penalty, the misbehavingsender decreases its PM and, in the absence of a penalty,PM is increased. Intuitively, the misbehaving host tries tomisbehave more when the receiver cannot diagnose themisbehavior (and, therefore, does not assign a penalty). In

this model, PM is initially set to 0. For every packet

transmission not assigned a penalty by the receiver (penaltyis said to be not assigned if assigned backoff is not greaterthan CWmin), the value of PM is increased by a additivefactor called Additive Increase Percentage. If a penalty isassigned, then the value of PM is reduced by half (multi-plicative decrease). In our evaluations, we vary theAdditive Increase Percentage from 1 percent to 20 percentto model varying aggressiveness of misbehavior.

6.1 Results for Protocol Performance in theAbsence of Misbehavior

We first evaluate the performance of our protocol (withoutthe extensions proposed in Section 5) in the absence ofmisbehavior to characterize the effect of occasionallypenalizing well-behaved hosts. Our evaluation in thissection indicates that the average throughput, as well asthe fairness of the proposed scheme, is comparable to thatof IEEE 802.11 in the absence of misbehavior.

The number of senders communicating with thereceiver R is varied from 1 to 64 (replacing the eightsenders in Fig. 5). All senders are well-behaved. Fig. 6

compares the average throughput obtained by hosts whenusing IEEE 802.11 (curve 802.11) with that obtained whenusing the proposed scheme (curve CORRECT) forvarying network sizes under ZERO-FLOW, ONE-FLOW,and TWO-FLOW scenarios. As we can see from the figure,the average throughput obtained when using the proposedscheme is comparable with IEEE 802.11 across differentnetwork sizes (the two curves almost overlap in Fig. 6).Hence, the penalty scheme does not degrade the aggregatethroughput of the network.

We are also interested in comparing the fairnessproperties of the penalty scheme with that obtainedusing IEEE 802.11. We use Jain et al.s Fairness Index [14]

as a fairness metric, defined as,

Fairness index P

f Tf2

N P

f T2f

;

where Tf represents the throughput of a flow f (between asender host and receiver R) and N is the total number offlows. Fairness index values closer to 1 indicate betterfairness.

Fig. 7 compares the fairness index of IEEE 802.11 and thepenalty scheme for varying network sizes underZERO-FLOW, ONE-FLOW, and TWO-FLOW scenarios.For the ZERO-FLOW scenario, the fairness index of the

penalty scheme is comparable to that of IEEE 802.11. For the


Fig. 6. Throughput comparison without misbehavior for varying network sizes.


10/15

ONE-FLOW and TWO-FLOW scenarios, the fairness index

of our scheme is slightly lesser than that of 802.11. This

indicates that our scheme degrades the throughput of some

senders minimally, while increasing the throughput of

some other senders since the average throughput (Fig. 6) is

the same as in IEEE 802.11. In ONE-FLOW and TWO-

FLOW scenarios, a few sender hosts occasionally appear to

be deviating from the protocol (from the perspective of the

receiver), leading to the addition of a penalty, and thereby

resulting in a slight degradation in their throughput.However, the penalty added in those cases is small,

resulting in fairness index that is still close to that of 802.11.There is a trade off involved between penalizing

misbehaving hosts versus ensuring the fairness of well-

behaved hosts. If we use a conservative approach of adding

smaller penalties, then misbehaving hosts may obtain a

higher throughput share. On the other hand, an aggressive

strategy of adding larger penalties may unnecessarily

penalize some well-behaved hosts, degrading fairness. We

balance this to an extent by penalizing hosts in proportion

to their measured deviation. Thus, large penalties are

assigned to misbehaving hosts with significant levels of

misbehavior, while minimal penalty is assigned for mis-diagnosed hosts.

6.2 Results for Persistent Misbehavior Model

In this section, we evaluate our proposed scheme (without

the extensions of Section 5). The protocol parameters Wand

Thresh are used by the diagnosis scheme to identify

misbehaving hosts and is used by the penalty scheme

for computing the penalty. Unless stated otherwise, the

values used for simulations are W= 5, Thresh = 20 (i.e., four

slots per packet), and 0:9. Results on the sensitivity of

the protocol with different parameter values and a discus-

sion on appropriate values is presented later in this section.

6.2.1 Diagnosis Accuracy

Fig. 8 plots the correct diagnosis percentage and misdiag-nosis percentage for the ZERO-FLOW, ONE-FLOW, andTWO-FLOW scenarios. In the ZERO-FLOW scenario, themisdiagnosis percentage is close to 0 and the correctdiagnosis percentage is quite high once the extent ofmisbehavior becomes high. We observe a sharp increasein the correct diagnosis percentage when PM increasesabove 50 percent. Since we have conservatively selected theThresh parameter (the host is designated as misbehaving

only when the total deviation for previous W= 5 packets isgreater than Thresh = 20 slots), the correct diagnosispercentage is small when the extent of misbehavior is less(however, with the benefit of low misdiagnosis percentage).As the misbehavior increases, the observed deviation risesabove Thresh = 20 slots and there is a rapid increase in thecorrect diagnosis percentage. Similarly, for the ONE-FLOWscenario, the correct misbehavior percentage is quite high.In the ONE-FLOW scenario, flow C-D is on, resulting inmisdiagnosis of some hosts, but the misdiagnosis percen-tage is small because our choice of protocol parameters isconservative. In the TWO-FLOW scenario, the correctdiagnosis percentage is fairly high even when the extent

of misbehavior is small, but at the price of a highermisdiagnosis percentage. In this scenario, both traffic flowsA-B and C-D are on, leading to an increase in the magnitudeof the observed deviations over the ZERO-FLOW scenario.As a result, the Thresh value is not sufficiently high toprevent misdiagnosis. Hence, we observe a higher mis-diagnosis percentage as well as a higher correct diagnosispercentage.

6.2.2 Throughput in the Presence of Misbehavior

Fig. 9 compares the throughput obtained by a misbehavinghost (designated as MSB) using the proposed scheme(designated as CORRECT) with that obtained using IEEE

802.11 protocol (designated as 802.11). The figure also plots


Fig. 7. Comparison of the fairness index between IEEE 802.11 and proposed scheme.

Fig. 8. Diagnosis accuracy for varying magnitude of misbehavior.


11/15

the average throughput obtained by the seven well-behavedsenders (1, 2, and 4 through 8) when using both the schemes(designated as AVG). We define fair share as the through-put obtained by a host when it is using IEEE 802.11 protocoland fully conforming to the protocol (i.e., PM = 0 percent).As seen from the figure, throughput of the misbehavinghost (CORRECT-MSB curve) is restricted to its fair share(except when PM is close to 100 percent), while, for the

802.11 (802.11-MSB curve), the misbehaving host obtainsa large throughput share even when the extent ofmisbehavior is not too high. In addition, the throughputof well-behaved hosts using the proposed scheme (COR-RECT-AVG curve) is not affected, except when PM is closeto 100 percent. On the other hand, the throughput of well-behaved hosts using IEEE 802.11 (802.11-AVG curve)starts degrading even when the extent of misbehavior is nottoo high. Hence, the proposed penalty scheme is fairlysuccessful in ensuring reasonable throughput for well-behaved hosts, in the presence of misbehaving hosts. WhenPM is close to 100 percent, the misbehaving host backs offfor a small fraction of the assigned backoff and, conse-

quently, the proposed scheme cannot restrict the through-put of the misbehaving host. However, we can see fromFig. 8 that the correct diagnosis percentage is significantlyhigh when PM is close to 100 percent and, in this case,higher layers can be informed of the host misbehavior (asdiscussed in Section 4.3).

6.2.3 Sensitivity of Misbehavior Detection to Protocol

Parameters

Fig. 10 compares the sensitivity of correct diagnosis andmisdiagnosis with different values of W and Thresh in theTWO-FLOW scenario. As we can see from the results, thecorrect diagnosis percentage is not very sensitive to

variations in parameter values. The misdiagnosis percen-

tage is higher when a small window (W= 1) is chosen, but isnot very sensitive to exact window value when largervalues are chosen. When the window of observation issmall, channel variations may increase the possibility ofmisdiagnosis, but, with larger window values, such aneffect is minimized. Furthermore, we can observe from thefigure that increasing Thresh, while keeping W fixed,decreases misdiagnosis, but with a reduction in correct

diagnosis percentage. A similar effect can be observedwhen Wis increased while keeping the ratio between WandThresh constant.

From our simulations, we observe that Whas to be set toa small value to allow reasonably fast misbehavior diag-nosis, but not too small so as to reduce misdiagnosis. Threshalso has to be reasonably small (a few slots per packet) fordiagnosing most misbehavior. Similarly, has to be close toone to penalize most misbehavior. The results for different are not included here for lack of space, but we found thatresults are not sensitive to between 0:8 to 1:0. Based onthese experiments, W, Thresh, and are set to five packets,20 slots (i.e., four slots per packet), and 0.9, respectively, for

most simulations. Adaptive selection of protocol para-meters based on channel conditions has been deferred tofuture work.

6.2.4 Protocol Performance with Random Topologies

Fig. 11 compares the protocol performance for 30 differentrandom topologies. Forty hosts are placed at randomlocations in a 1500m by 700m area. Five hosts, selected atrandom, are misbehaving. Each host sets up a CBRconnection with one of its neighbors and the connectionsare always backlogged. Fig. 11a plots the correct diagnosispercentage and misdiagnosis percentage for different PM(Percentage of Misbehavior) values. As we can see from the

figure, the correct diagnosis percentage is high when the


Fig. 9. Throughput comparison between IEEE 802.11 and the proposed scheme.

Fig. 10. Sensitivity of the proposed protocol with varying parmeters.


12/15

extent of misbehavior is large and the misdiagnosispercentage is reasonably small across all values of PM.Fig. 11b compares the throughput obtained by the mis-behaving hosts and the average throughput for IEEE 802.11and the proposed penalty scheme (the notations used arethose described earlier for Fig. 9). When the extent ofmisbehavior is small, the penalty scheme is fairly successful

in restricting the misbehaving hosts to a fair share, therebyensuring that the throughput of well-behaved hosts are notaffected. When the extent of misbehavior is large, thepenalty scheme is not as successful, but the misbehavior isdiagnosed with high probability (as seen from Fig. 11a).

6.3 Results for Adaptive Misbehavior Model

We have proposed the penalty scheme as a mechanism todiscourage misbehavior. By adding a penalty, hosts thatignore the penalty have higher probability of beingdetected. In this section, we evaluate the benefit amisbehaving host can obtain, while not ignoring theassigned penalty. We assume that the misbehaving hostfollows the adaptive misbehavior strategy defined earlier.

Fig. 12a plots the correct diagnosis percentage when themisbehaving host uses an adaptive misbehavior strategy.As we can see from the figure, the misbehaving host canevade diagnosis most of the times (low diagnosis accuracy)in all three flow scenarios, but the accuracy improves whenthe misbehaving host uses an aggressive misbehavior policy(large additive increase percentages). ZERO-FLOW scenariohas lower diagnosis accuracy than other scenarios becausethe absence of background traffic enables the misbehavinghost to adapt better to the penalty scheme, thereby evadingdiagnosis.

Although diagnosis accuracy is low, throughput gainobtained by the misbehaving host (Fig. 12b) is not large

because the penalty scheme reacts to each detected

deviation. In the figure, for the three curves, the valuewhen Additive Increase Percentage is equal to 0 is thethroughput the misbehaving host would have obtained if itwas well-behaved. The ZERO-FLOW curve starts at ahigher value than the other two curves because, in theZERO-FLOW scenario, there is no background traffic,allowing all hosts to obtain higher throughput. For each

of the curves, with increasing additive increase percentage,there is an increase in the throughput until a saturationlevel is reached. This indicates that the misbehaving hostdoes gain some throughput advantage. This throughputgain is obtained because the penalty added by the penaltyscheme is conservatively chosen to ensure large penaltiesare not assigned to well-behaved hosts. Although, adaptivemisbehaving hosts may gain some throughput advantageby exploiting the conservative penalty scheme, in theabsence of the penalty scheme, misbehaving hosts canobtain significantly larger benefits (e.g., comparing with the802.11-MSB curve in Fig. 9).

6.4 Results for Extensions to the Protocol

In this section, we evaluate the optional extensions to theprotocol for reducing misdiagnosis, discussed in Section 5.2.As we noted there, by modifying the receiver to conserva-tively classify slots as idle, we can reduce misdiagnosis, butallow a misbehaving host to gain larger throughput. Toascertain the impact of the extension, we evaluate theextended protocol under adaptive misbehavior model.

With the modified protocol, the misdiagnosis percentageis zero for all three scenarios (we have not included thatfigure here). Thus, the modified protocol is quite successfulin reducing misdiagnosis. Fig. 13a plots the correctdiagnosis percentage for the modified protocol. As we cansee from the figure, the diagnosis accuracy is lower than

that obtained with the base protocol under adaptive


Fig. 11. Protocol performance for random topology with 40 hosts in 1; 500m 700m area. (a) Diagnosis accuracy. (b) Throughput comparison.

Fig. 12. Protocol performance with adaptive misbehavior. (a) Diagnosis accuracy. (b) Throughput comparison.


13/15

misbehavior model (Fig. 12a). The low diagnosis accuracy isa consequence of conservatively classifying some busy slotsto be idle, thereby not diagnosing a few instances ofmisbehavior. However, the diagnosis accuracy is highunder persistent misbehavior model (those results aresimilar to the results for the base protocol and are omittedhere). The throughput curves for the extended protocol inFig. 13b are also similar to that of the base protocol(Fig. 12b). Hence, the extension to the protocol does notallow a misbehaving host to gain significant benefits. Wepostpone for future work evaluation of the extendedprotocol under alternate misbehavior strategies that maybe designed to specifically exploit these protocol extensions.

7 CONCLUSION AND FUTURE WORK

Handling MAC layer misbehavior is an important require-ment in ensuring a reasonable throughput share for well-behaved hosts in the presence of misbehaving hosts. In thispaper, we have presented modifications to the IEEE 802.11MAC protocol that simplifies misbehavior detection. Simu-

lation results have indicated that our scheme provides fairlyaccurate misbehavior diagnosis. The penalty scheme wehave proposed is effective in restricting the throughput ofselfish hosts to a fair share.

We plan to extend the proposed scheme for detectingother types of host misbehavior, such as a host usingmultiple MAC addresses for obtaining higher throughputwith the support of higher layers. Designing strategies forcombining information from multiple observers, as well asoptimally placing the observers, is part of future work. Wealso plan to incorporate adaptive selection of protocolparameters into the proposed scheme.

APPENDIXPROOF OF EXISTENCE OF OPTIMAL THRESHOLD

The aim of the diagnosis process is to maximize the correctdiagnosis probability while restricting the misdiagnosis (i.e.,false alarm) percentage below a specified threshold . Thediagnosis problem can be formulated under the Neyman-Pearson hypothesis testing framework [26].

On receiving a packet from the sender, the receiver has todecide if the sender misbehaved. The information availableat the receiver in diagnosing sender behavior is the status ofthe channel (idle or busy), in all the slots between theprevious transmission from the sender and the current

transmission, and characteristics of the channel. Using this

information, the receiver has to choose one among thefollowing two hypotheses:

. Hypothesis H0: Sender is well-behaved.

. Hypothesis H1: Sender is misbehaving.

We first prove under a general model for the channel

that a scheme that compares the likelihood ratio (definedlater) to a threshold is optimal for maximizing correctdiagnosis probability. We then present a simple channelmodel and demonstrate that, for this model, it is sufficientto compare the observed backoff (instead of the likelihoodratio) against a threshold.

Both the sender and the receiver observe the channel.

The channel in each slot may either be idle(I) or busy (B). Thesender is assigned a backoff value Bby the receiver. Say thesender waits for K slots on the channel (both idle and busy

slots) before transmitting a packet. The channel conditionsobserved by the sender can be represented by a string s of

length K, derived from an alphabet fI; Bg, with I (B) at

position i in the string indicating slot i was observed idle(busy) by the sender. The receiver observes a string so(possibly different from s because of varying channelconditions), also of length K. The receiver has to select,based on the assigned backoffBand the observed string so,

the more likely hypothesis. This can be extended to a moregeneral model where the receivers past history of observedstrings is used in addition to the newly observed string.

If hypothesis H0 is true, the sender will have selectedstring s from a set SG (set of good strings) that have at leastB idle slots. Otherwise, the string s will be selected from aset SB (set of bad strings) that have less than B idle slots.The channel is specified using a conditional probability

distribution (PC) of observing a string s at the sender whenstring so is observed at the receiver.

Under theabovemodel, we canderivethe probabilitiesfor

hypothesis H0 and H1 being true, given the observation so as

PH0 is true given so was observed PH0 Xs2SG

PCs=so

PH1 is true given so was observedPH1 Xs2SB

PCs=so:

The likelihood-ratio L is defined as:

L PH1PH0

:


Fig. 13. Performance with extensions to protocol. (a) Diagnosis accuracy. (b) Throughput comparison.


14/15

Applying the Neyman-Pearson theorem [26], the optimaldecision rule for maximizing the probability of diagnosis,while restricting the misdiagnosis percentage below aspecified value , is of the form:

. Choose hypothesis H1 if L > T,

. Choose hypothesis H1 with probability if L T,

and. Choose hypothesis H0 if L < T,

where the threshold T and probability can be computedfrom and distributions of PH1 and PH0, as shown in [26].

Next, we use a simple channel model and prove that, forthis model, comparing observed backoff against a thresholdis optimal. We assume that the receiver has a probability pof sensing a slot, observed by the sender as idle, to be busy(p is used in analysis, the actual protocol does not require pto be computed). On the other hand, when the sendersenses a slot to be busy, the receiver too senses the slot to bebusy. Such a model approximates a scenario in practicewhen the carrier sensing threshold of IEEE 802.11 at the

receiver is chosen to be significantly lower3

than the receivethreshold. In this scenario, the receiver senses most of thetransmissions sensed by the sender, but may also sensesome other transmissions that are not sensed by the sender(as is the case in the model).

In the proposed scheme, the receiver counts the totalnumber of slots K between two transmissions by thesender, as well as the number of idle slots Bo observed onthe channel in that interval. The receiver is also aware of thebackoff B that it had assigned to the sender.

We assume that a well-behaved sender waits for at leastB idle slots before transmitting a packet (alternatively, wecould model a well-behaved sender to wait for exactly Bidle slots and the same analysis as below applies for thatscenario also). Under the assumed channel model, thenumber of idle slots observed by the receiver is less than orequal to that observed by the sender. Thus, when Bo ! B,the sender has waited for at least B slots and is well-behaved. On the other hand, if Bo < B, we can apply thegeneral formula derived earlier (replacing the observedevent, as number of idle slots, instead of a specific string so).As a result, PH0 can be computed as,

PH0 1; Bo ! B

PH0 XKiB

PCi=Bo; Bo < B:

PCi=Bo is the probability that the sender waited forexactly i idle slots (out of K total slots) given that thereceiver observed Bo idle slots. Similarly, we can computePH1 as,

PH1 0; Bo ! B

PH1 XB1iBo

PCi=Bo; Bo < B:

The likelihood ratio L is 0 for Bo ! B and for Bo < B isgiven by

L PH1PH0

1PK

iBPCi=Bo 1:

When Bo increases, PCi=Bo increases if the probability pof a receiver sensing a slot, observed to be idle by the

sender, to be busy is less than 0:5. When Bo increases, weare conditioning on the receiver making fewer mistakes

(i Bo is the number of mistakes) and this probabilityincreases whenever p < 0:5. Under this condition, the

likelihood ratio L is monotonically decreasing with increas-

ing Bo (until L reaches 0). Therefore, in the Neyman-Pearson rule, instead of comparing L against a threshold T,

we can compare Bo with a new threshold T0, suitably

derived from T.Hence, the optimal decision rule is:

1. The sender is misbehaving if Bo < T0.

2. The sender is misbehaving with some probability if Bo T

0.3. The sender is well-behaved if Bo > T0.

Note that the threshold itself is some function of B and

K, though, in the proposed scheme, we choose a constant

fraction () of B as the threshold for simplicity.

ACKNOWLEDGMENTS

This research was supported in part by UIUC CampusResearch Board.

REFERENCES[1] Draft Standard for Local and Metropolitan Area NetworksPort-Based

Network Access Control, P802.1X, 2004.[2] V. Bhargavan, A. Demers, S. Shenker, and L. Zhang, Macaw: AMedia Access Protocol for Wireless Lans, Proc. ACM SigComm,Sept. 1994.

[3] S. Buchegger and J. Le Boudec, Nodes Bearing Grudges:Towards Routing Security, Fairness, and Robustness in MobileAd Hoc Networks, Proc. 10th Euromicro Workshop Parallel,Distributed and Network-Based Processing, pp. 403-410, Jan. 2002.

[4] S. Buchegger and J. Le Boudec, Performance Analysis of theCONFIDANT Protocol: Cooperation Of NodesFairness InDynamic Ad-Hoc NeTworks, Proc. IEEE/ACM Symp. Mobile Ad

Hoc Networking and Computing, June 2002.[5] D.J. Burroughs, L.F. Wilson, and G.V. Cybenko, Analysis of

Distributed Intrusion Detection Systems Using Bayesian Meth-ods, Proc. IEEE Intl Performance Computing and Comm. Conf., Apr.2002.

[6] Report on a Working Session on Security in Wireless Ad Hoc

Networks, Mobile Computing and Comm. Rev., L. Buttyan andJ. H, eds., vol. 6, no. 4, Nov. 2002.[7] L. Buttyan and J. Hubaux, Enforcing Service Availability in

Mobile Ad-Hoc WANs, Proc. IEEE/ACM Workshop Mobile Ad HocNetworking and Computing, Aug. 2000.

[8] L. Buttyan and J. Hubaux, Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks, Technical Report DSC/2001/046, EPFL-DI-ICA, Aug. 2001.

[9] D. Ely, N. Spring, D. Wetherall, S. Savage, and T. Anderson,Robust Congestion Signaling, Proc. 2001 Intl Conf. NetworkProtocols, Nov. 2001.

[10] K. Fall and K. Varadhan, Ns Notes and Documentation,technical report, Univ. of California at Berkley, LBL, USC/ISI,Xerox PARC, 2002.

[11] K. Goseva-Popstojanova, F. Wang, R. Wang, F. Gong, K.Vaidyanathan, K. Trivedi, and B. Muthusamy, CharacterizingIntrusion Tolerant Systems Using a State Transition Model, Proc.

DARPA Information Survivability Conf. and Exposition II, 2001.


3. The lower value of threshold implies that signals received with lower

power are detected, enabling the sensing of further away transmissions.


15/15

[12] J. Hubaux, L. Buttyan, and S. Capkun, The Quest for Security inMobile Ad Hoc Networks, Proc. ACM Symp. Mobile Ad HocNetworking and Computing, Oct. 2001.

[13] IEEE Standard for Wireless LAN-Medium Access Control and PhysicalLayer Specification, P802.11, 1999.

[14] R. Jain, G. Babic, B. Nagendra, and C. Lam, Fairness, CallEstablishment Latency and Other Performance Metrics, Techni-cal Report ATM_Forum/96-1173, ATM Forum Document, Aug.1996.

[15] P. Karn, MACAA New Channel Access Method for PacketRadio, Proc. Ninth Ann. ARRL Networking Conf., 1990.[16] D.E. Knuth, The Art of Computer Programming, third ed., vol. 2,

chapter 3, pp. 10-17. Addison-Wesley, 2000.[17] J. Konorski, Protection of Fairness for Multimedia Traffic Streams

in a Non-Cooperative Wireless LAN Setting, Proc. Sixth Intl Conf.Protocols for Multimedis Systems (PROMS), 2001.

[18] J. Konorski, Multiple Access in Ad-Hoc Wireless LANs withNoncooperative Stations, Proc. Networking Conf., 2002.

[19] P. Kyasanur, Selfish Misbehavior at Medium Access ControlLayer in Wireless Networks, masters thesis, Univ. of Illinois atUrbana-Champaign, Dec. 2003.

[20] P. Kyasanur and N.H. Vaidya, Detection and Handling of MACLayer Misbehavior in Wireless Networks, Proc. 2003 Intl Conf.Dependable Systems and Networks, pp. 173-182, 2003.

[21] A.B. MacKenzie and S.B. Wicker, Game Theory and the Design ofSelf-Configuring, Adaptive Wireless Networks, IEEE Comm.

Magazine, vol. 39, no. 11, pp. 126-131, 2000.[22] A.B. MacKenzie and S.B. Wicker, Stability of Multipacket SlottedAloha with Selfish Users and Perfect Information, Proc. Infocom,2003.

[23] S. Marti, T.J. Giuli, K. Lai, and M. Baker, Mitigating RoutingMisbehavior in Mobile Ad Hoc Networks, Proc. Mobile Computingand Networking Conf., pp. 255-265, 2000.

[24] P. Michiardi and R. Molva, Game Theoretic Analysis of Securityin Mobile Ad Hoc Networks, Technical Report RR-02-070,Institut Eurecom, Apr. 2002.

[25] N. Nisan and A. Ronen, Algorithmic Mechanism Design, Proc.ACM Symp. Theory of Computing, pp. 129-140, 1999.

[26] V. Poor, An Introduction to Signal Detection and Estimation,second ed., vol. 1, chapter 2, pp. 22-29. Springer-Verlag, 1994.

[27] R. Rozovsky and P.R. Kumar, SEEDEX: A MAC Protocol for AdHoc Networks, Proc. ACM Symp. Mobile Ad Hoc Networking andComputing, pp. 67-75, Oct. 2001.

[28] W.H. Sanders, M. Cukier, F. Webber, P. Pal, and R. Watro,Probabilistic Validation of Intrusion Tolerance, Digest of FastAbstracts: The Intl Conf. Dependable Systems and Networks, June2002.

[29] S. Savage, N. Cardwell, D. Wetherall, and T. Anderson, TCPCongestion Control with a Misbehaving Receiver, ACM ComputerComm. Rev., pp. 71-78, Oct. 1999.

[30] F. Stajano and R. Anderson, The Resurrecting Duckling: SecurityIssues for Ad-Hoc Wireless Networks, Proc. Security Protocols,Seventh Intl Workshop, pp. 172-194, Apr. 1999.

[31] Y. Zhang and W. Lee, Intrusion Detection in Wireless Ad-HocNetworks, Proc. Mobile Computing and Networking, pp. 275-283,2000.

[32] M. Raya, J.-P. Hubaux, and I. Aad, DOMINO: A System to DetectGreedy Behavior in IEEE 802.11 Hotspots, Proc. ACM Intl Conf.

Mobile Systems, Applications, and Services (MobiSys), 2004.

Pradeep Kyasanur received the BE degree incomputer engineering from Mangalore Univer-sity, India, in 2001, and the MS degree incomputer science from the University of Illinoisat Urbana-Champaign in 2003. He is currentlypursing the PhD degree in computer science atthe University of Illinois. His research interestsare in the area of wireless network protocols.

Nitin H. Vaidya received the PhD degree fromthe University of Massachusetts at Amherst. Heis presently an associate professor of electricaland computer engineering at the University ofIllinois at Urbana-Champaign (UIUC). He hasheld visiting positions at Microsoft Research,Sun Microsystems, and the Indian Institute ofTechnology-Bombay. His current research is inthe areas of wireless networking and mobilecomputing. His research has been funded by

various agencies, including the US National Science Foundation (NSF),DARPA, BBN Technologies, Microsoft Research and Sun Microsys-tems. Dr. Vaidya is a recipient of a CAREER award from the NSF. Hehas served on the program committees of several conferences andworkshops, and served as program cochair for the 2003 ACM MobiCom.He has served as an editor for several journals, and presently serves asthe Editor-in-Chief for the IEEE Transactions on Mobile Computing. Heis a senior member of the IEEE and the IEEE Computer Society and is amember of the ACM.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Documents

Kyasanur-misbehaviour on Mac