Detecting MAC Layer Back-off Timer Violations in Mobile Ad Hoc Networks
Venkata Nishanth Lolla, Lap Kong Law, Srikanth V. Krishnamurthy, Chinya Ravishankar, and Dharmaiah Manjunath
Dept. of Computer Science & Engineering, UC Riverside
Dept. of Electrical Engineering, Indian Institute of Technology - Mumbai
ICDCS 2006

Problem
• Malicious nodes can cause a denial of service attack by simply manipulating the back-off timers prior to a transmission.
  – By not adhering to the IEEE 802.11 standard.
  – By choosing a small/constant back-off interval prior to a transmission.
• Consequences:
  – Misbehaving nodes can gain an unfair advantage by acquiring the wireless channel more often.
  – This causes bandwidth starvation of the well-behaved nodes.

Motivation
• The lack of a centralized arbiter (such as an access point) makes it hard to detect timer violations.
• Can we design a distributed framework to
  – discourage such attacks and,
  – detect such attacks and identify the misbehaving attackers?

Contributions
• We propose a combination of deterministic and statistical methods that facilitate our objectives.
• The methods involve only minor changes to the 802.11 standard.
• Our performance evaluations show that with our methods, it is possible to detect a malicious node with a probability close to one.
• Furthermore, the probability of false alarms (wrongly classifying a node as a misbehaving node) is lower than 1%.

Roadmap
• The System Model
• Our Proposed Framework
• Simulation Results
• Conclusions

System Model
• Using Verifiable Back-off timers
  – Use a deterministic/known sequence of back-off values that each node has to follow.
  – Each node announces the state of its pseudo-random sequence generator in the RTS messages.
• Each node is aware of the back-off timers used by its neighbors.
• Making Sense of the Uncertainty in System State
  – Due to interference effects, a node may not be able to deterministically ascertain the legitimacy of the back-off patterns of a neighbor.
  – Therefore, it estimates the probability of the neighbor's misbehavior statistically based on observed patterns.

Estimating the system state of neighbors
• Goal: To allow a monitoring node to estimate the back-off timers used by its neighbors.
• Example: Let node R be monitoring node S
  – R wants to determine if S is misbehaving -- how?
  – R will estimate the system state of S and compare it with the value announced by S.
• System state: The number of idle (I) / busy (B) slots of the monitored node (i.e., node S) in a period of N observed slots.
• R can approximately estimate the number of idle (Iest) and busy (Best) slots observed by S:
  – Prob(S senses idle | R senses idle)
  – Prob(S senses idle | R senses busy)

Determining PI/I and PI/B analytically
[Figure: node R is monitoring node S; regions labelled "n nodes" and "k nodes". Sx: sensing range of node x; Tx: transmission range of node x.]
• Assumptions:
  – Only the interference effects within a two-hop neighborhood are considered.
  – Nodes are uniformly distributed.
  – The steady state load experienced by all nodes within the two-hop radius is identical (due to the fairly large interference radius).
  – A node is aware of the position of its neighbors.
• The areas of A2, A3, A4 and A5 can be easily computed.
• The area A1 can be estimated by assuming a minimum overlap between SS and SR.

Determining PI/I
• Deriving PB/I: Prob(S senses busy | R senses idle)
  – For R to sense idle
    • No transmission can occur in A3, A4 and A5
    • However, transmissions can occur in A1 ∪ A2
  – For S to sense busy
    • Transmissions can only occur in A2
Probability that the transmission occurs in A2.
Probability that at least one node transmits in A1 ∪ A2.

Determining PI/B
• Deriving PI/B: Prob(S senses idle | R senses busy)
  – For S to sense idle
    • No transmission can occur in A2, A3 and A4
    • However, transmissions can occur in A1 and A5
  – For R to sense busy
    • Transmissions can only occur in A5
Probability that transmissions occur in A5.
Probability that S senses the channel to be idle.

Our proposed framework
Let us call the node being monitored the tagged node.
Overview of the approach:
• The monitoring node obtains the pseudo-random sequence generator announced by the tagged node.
• The monitoring node can compare the expected back-off times of the tagged node and the announced back-off times.
• In some cases, the monitoring node cannot deterministically determine if the tagged node is misbehaving (due to interference).
• Therefore, the monitoring node uses a hypothesis test (Wilcoxon rank sum test) based on the estimation of PI/I and PI/B, to determine if the tagged node is misbehaving.

Details of the proposed framework
• The seed of the pseudo-random number generator (PRNG)
  – The MAC address of the node.
• Simple modification to the RTS message
  – SeqOff#: The offset to the PRNG. Incremented by one upon each transmission.
  – Attempt#: The number of retransmission attempts.
  – MD: The message digest of the DATA packet, included to prevent nodes from cheating on the Attempt#.
• The Wilcoxon rank sum test
  – Two populations: let "x" be the sequential population of the dictated sequence of the back-off timers; let "y" be the sequential population of the estimated sequence of the back-off timers.
  – Use the rank sum test to compute the significance probability p of the two populations.
  – If p is small, the tagged node is likely to be malicious.

Simulation Set up
• NS-2 simulator with extension of our framework.
• Shadow channel fading model is considered.
• Poisson and CBR traffic.
• Grid and Random topologies.
• Static and Mobility scenarios.
• Parameters of interest:
  – Traffic intensity
  – Percentage of Misbehavior (PM)
• Metrics of interest:
  – Probability of correct diagnosis.

Analysis vs. Simulation: on PI/B and PB/I
[Figure panels: Poisson traffic, Grid topology; CBR traffic, Random topology]
• Two scenarios:
  – Grid topology with Poisson traffic
  – Random topology with CBR traffic
• Monitoring and tagged nodes are one hop away and are placed at the center of the simulation area.
• All nodes are well behaved.
• The analysis results match the simulation results.
  – This justifies the assumptions that we made earlier.

Probability of correct diagnosis
[Figure panels: Static grid topology; With mobility]
• Percentage of misbehavior (PM) of m% means a malicious node transmits a packet after counting down to (100-m)% of the dictated back-off value.
• The probability of detecting misbehavior is close to one when the PM is large and the sample size is large.
• In the scenario with mobility, a larger number of samples is required for convergence as compared to the case with no mobility.

Probability of misdiagnosis
[Figure panels: Static grid scenario; Mobility scenario, Load=0.6]
• The misdiagnosis probability is very low (<0.01) even when the sample size is 10.
• The misdiagnosis probability decreases drastically when the sample size is increased.
• With smaller load, the misdiagnosis probability is usually higher. This is because a longer time is needed to detect misbehavior.

Conclusions
• In this work, we focus on the problem of detecting back-off timer violations with the IEEE 802.11 MAC.
• We propose a framework that is based on a combination of deterministic and statistical methods to discern timer violations by neighboring nodes.
• Our extensive simulations show that our protocol can provide accurate assessments of the node misbehavior within short periods and with extremely low probability of false alarms.
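
Added example (not from the original slides or the authors' NS-2 code): a monitoring node's check as described under "Details of the proposed framework", recomputing the dictated back-off from the MAC-address seed, SeqOff# and Attempt#, then applying a Wilcoxon rank sum test to dictated versus estimated values. The SHA-256 based generator, the contention-window bounds, the 0.01 threshold and the sample traces are assumptions made for illustration; the slides do not specify them.

```python
import hashlib
import math

CW_MIN, CW_MAX = 31, 1023  # assumed 802.11 DSSS contention-window bounds, in slots

def dictated_backoff(mac, seq_off, attempt):
    """Back-off the tagged node is obliged to use for this (SeqOff#, Attempt#)."""
    cw = min((CW_MIN + 1) * 2 ** attempt - 1, CW_MAX)  # window doubles per retry
    # Stand-in PRNG (assumption): SHA-256 over the MAC-address seed and the offset.
    digest = hashlib.sha256(f"{mac}|{seq_off}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % (cw + 1)

def rank_sum_p(x, y):
    """Two-sided Wilcoxon rank sum p-value (normal approximation, mid-ranks for ties)."""
    pooled = sorted([(v, 0) for v in x] + [(v, 1) for v in y])
    ranks, i = [0.0] * len(pooled), 0
    while i < len(pooled):
        j = i
        while j < len(pooled) and pooled[j][0] == pooled[i][0]:
            j += 1
        for k in range(i, j):
            ranks[k] = (i + j + 1) / 2  # mean of the 1-based ranks i+1 .. j
        i = j
    n1, n2 = len(x), len(y)
    w = sum(r for r, (_, group) in zip(ranks, pooled) if group == 0)
    mean = n1 * (n1 + n2 + 1) / 2
    sd = math.sqrt(n1 * n2 * (n1 + n2 + 1) / 12)
    return math.erfc(abs(w - mean) / sd / math.sqrt(2))

def diagnose(mac, observed, alpha=0.01):
    """observed: (SeqOff#, Attempt#, estimated back-off in slots) per overheard RTS.
    alpha is an assumed decision threshold on the significance probability p."""
    x = [dictated_backoff(mac, s, a) for s, a, _ in observed]  # population "x"
    y = [est for _, _, est in observed]                        # population "y"
    p = rank_sum_p(x, y)
    return p, p < alpha

def constructed_trace(mac, pm_percent, n=100):
    """Constructed sample: node counts down to (100 - PM)% of the dictated value."""
    trace = []
    for seq in range(n):
        d = dictated_backoff(mac, seq, 0)
        noise = (seq % 3) - 1  # constructed estimation error of -1, 0 or +1 slot
        trace.append((seq, 0, max(0, d * (100 - pm_percent) // 100 + noise)))
    return trace

if __name__ == "__main__":
    mac = "02:00:00:00:00:01"  # constructed address
    for pm in (0, 60):
        print(pm, diagnose(mac, constructed_trace(mac, pm)))
```

The rank sum test here treats the two populations as independent and omits the tie correction to the variance, which makes the p-value slightly conservative on heavily tied slot counts.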