Detecting MAC Layer Back-off Timer Violations in Mobile Ad Hoc Networks

Venkata Nishanth Lolla, Lap Kong Law, Srikanth V. Krishnamurthy, Chinya Ravishankar, and Dharmaiah Manjunath

Dept. of Computer Science & Engineering, UC Riverside

Dept. of Electrical Engineering, Indian Institute of Technology - Mumbai

ICDCS 2006

Problem• Malicious nodes can cause a denial of service attack by

simply manipulating the back-off timers prior to a transmission.– By not adhering to the IEEE 802.11 standard.– By choosing a small/constant back-off interval prior to a

transmission.

• Consequences:– Misbehaving nodes can gain an unfair advantage by acquiring

the wireless channel more often.– Causing bandwidth starvation of the well-behaved nodes.

Motivation• The lack of centralized arbiter (such as an access point)

makes it hard to detect timer violations.• Can we design a distributed framework to

– discourage such attacks and,– detect such attacks and identify the misbehaving attackers?

Contributions• We propose a combination of deterministic and

statistical methods that facilitate our objectives.• Only involve minor changes to the 802.11 standard.• Our performance evaluations shows that with our

methods, it is possible to detect a malicious node with a probability close to one.

• Furthermore, the probability of false alarms (wrongly classifying a node as a misbehaving node) is lower than 1%.

Roadmap• The System Model

• Our Proposed Framework

• Simulation Results

• Conclusions

System Model• Using Verifiable Back-off timers

– Use a deterministic/known sequence of back-off values that each node has to follow.

– Each node announces the state of its pseudo-random sequence generator in the RTS messages.• Each node is aware of the back-off timers used by its neighbors.

• Making Sense of the Uncertainty in System State– Due to the interference effects, a node may not be able to

deterministically ascertain the legitimacy of the back-off patterns of a neighbor.

– Therefore, it estimates the probability of the neighbor’s misbehavior statistically based on observed patterns.

Estimating the system state of neighbors

• Goal: To allow a monitoring node to estimate the back-off timers used by its neighbors.

• Example: Let’s node R be monitoring node S– R wants to determine if S is misbehaving -- how?– R will estimate the system state of S and compare it with the value announced

by S.

• System state: The number of idle (I) / busy (B) slots of the monitored node (i.e., node S) in a period of N observed slots.

• R can approximately estimate the number of idle (Iest) and busy (Best) slots observed by S:

Prob(S senses idle | R senses idle) Prob(S senses idle | R senses busy)

Determining PI/I and PI/B analytically

• Assumptions:– Only the interference effects within a two-hop neighborhood are considered.– Nodes are uniformly distributed.– The steady state load experienced by all nodes within the two hops radius are

identical. (Due to the fairly large interference radius)– Node is aware of the position of its neighbors.

• The areas of A2, A3, A4 and A5 can be easily computed.• The area A1 can be estimated by assuming a minimum overlap between SS and SR.

Sx: sensing range of node xTx: transmission range of node x

n nodes

k nodes

Node R is monitoring node S

Determining PI/I

• Deriving PB/I : Prob(S senses busy | R senses idle)

– For R to sense idle• No transmission can occur in A3, A4 and A5• However, transmissions can occur in A1 A2

– For S to sense busy

• Transmissions can only occur in A2

n nodes

k nodes

Probability that at least one nodetransmits in A1 A2.

Probability that the transmission occurs in A2.

Determining PI/B

• Deriving PI/B: Prob(S senses idle | R senses busy)

– For S to sense idle • No transmission can occur in A2, A3 and A4• However, transmissions can occur in A1 and A5

– For R to sense busy• Transmissions can only occur in A5

Probability that transmissions occur in A5.

Probability that S senses the channel to be idle.

n nodes

k nodes

Our proposed frameworkLet us call the node being monitored the tagged node.

Overview of the approach:• The monitoring node obtains the pseudo-random sequence generator

announced by the tagged node.• The monitoring node can compare the expected back-off times of the

tagged node and the announced back-off times.• In some cases, the monitoring node cannot deterministically determine if

the tagged node is misbehaving (due to interference).• Therefore, the monitoring node uses a hypothesis test (Wilcoxon rank

sum test) based on the estimation of PI/I and PI/B, to determine if the tagged node is misbehaving.

Details of the proposed framework• The seed of the pseudo-random number generator (PRNG)

– The MAC address of the node.

• Simple modification to the RTS message

– SeqOff#: The offset to the PRNG. Increment by one upon each transmission.– Attempt#: The number of retransmission attempts.– MD: The message digest of the DATA packet. To prevent nodes from cheating on the

Attempt#.

• The wilcoxon rank sum test– Two populations: “x” be the sequential population of the dictated sequence of

the back-off timers; “y” be the sequential population of the estimated sequence of the back-off timers.

– Use the rank sum test to compute the significance probability p of the two populations.

– If p is small, the tagged node is likely to be malicious.

Simulation Set up• NS-2 simulator with extension of

our framework.• Shadow channel fading model is

considered.• Poisson and CBR traffic.• Grid and Random topologies.• Static and Mobility scenarios.• Parameters of interest:

– Traffic intensity– Percentage of Misbehavior (PM)

• Metrics of interest:– Probability of correct diagnosis.

Analysis v.s. Simulation: on PI/B and PB/I

• Two scenarios:– Grid topology with Poisson

traffic– Random topology with CBR

traffic

• Monitoring and tagged nodes are one-hop away and are placed at the center of the simulation area.

• All nodes are well behaved.• The analysis results match

with the simulation results.– Justify the assumptions that

we made earlier

Poisson traffic, Grid topology

CBR traffic, Random topology

Probability of correct diagnosis

• Percentage of misbehavior (PM) of m% means a malicious node transmits a packet after counting down to (100-m)% of the dictated back-off value.

• The probability of detecting misbehavior is close to one when the PM is large and the sample size is large.

• In scenario with mobility, a larger number samples is required for convergence as compared to the case with no mobility.

Static grid topology With mobility

Probability of misdiagnosis

• The misdiagnosis probability is very low (<0.01) even when the sample size is 10.

• The misdiagnosis probability decreases drastically when the sample size is increased.

• With smaller load, the misdiagnosis probability is usually higher. This is because a longer time is needed to detect misbehavior.

Static grid scenario Mobility scenario, Load=0.6

Conclusions• In this work, we focus on the problem of detecting back-

off timer violations with the IEEE 802.11 MAC.• We propose a framework that is based on a combination

of deterministic and statistical methods to discern timer violations by neighboring nodes.

• Our extensive simulations show that our protocol can provide accurate assessments of the node misbehavior within short periods and with extremely low probability of false alarms.