04-06-2012, 12:45 PM
A Lightweight Passive Online Detection Method
for Pinpointing Misbehavior in WLANs
[attachment=24121]
Abstract
Detecting misbehaving users in wireless networks is an important problem that has been drawing considerable attention.
Even though there is a plethora of work on 802.11 wireless local area networks (WLANs), most existing schemes employ behaviorbased
anomaly detection, assuming that the backoff-time information of each transmitting node is available to the monitoring node.
Unfortunately, it is practically infeasible to obtain the accurate backoff value chosen by other transmitting nodes because this MAC-layer
information is not readily available.
INTRODUCTION
RECENT advances in radio technology, such as Software-
Defined Radios (SDRs) [1], [2], open-source drivers [3],
and reverse-engineered firmware [4], allow users to modify
their wireless interface software and change the protocol
parameters to meet their own needs. This programmability
provides flexibility to end users to best suit their performance
needs, such as connectivity and quality of service
(QoS) [5]. However, a misbehaving user can abuse this
flexibility to increase his own throughput by manipulating
the channel access functions in a selfish manner, at the cost
of other well-behaving users’ performance.
Related Work
Even through there is a plethora of work on the detection of
misbehaving users in CSMA networks [6], [7], [8], [9], [10],
[11], [12], [13], [14], to the best of our knowledge, this is the
first online detection method that relies only on easy-toobtain
packet-based information. Most existing detection
schemes [6], [8], [14] in 802.11 are designed under the
assumption that the backoff-time information of each
tagged node is available at the monitoring node. However,
it is infeasible to obtain the accurate value of backoff chosen
by other stations in 802.11 WLANs.
SYSTEM MODEL AND PROPOSED APPROACH
In this section, we first present the system model and the
assumptions to be used, and then overview the proposed
misbehavior-detection approach.
System Model
We consider the common IEEE 802.11 infrastructure WLAN
consisting of an AP and a set N of client nodes that access
the Internet via the AP. The client nodes send their packets
to the AP (i.e., uplink transmissions) and the AP forwards
the packets to local destinations and/or to remote destinations
via the wireline Internet (i.e., downlink transmissions).
We assume that APs can be fully trusted since APs usually
are maintained by well-trained network administrators. We
focus on scenarios where selfish nodes manipulate the
channel-access function of the 802.11 protocol, e.g., using
smaller CWmin, CWmax, and IFS (interframe space) than
those of well-behaving nodes. In 802.11, it is relatively easy
to manipulate the channel-access function, but their detection
is not trivial. We are primarily interested in a saturated
network condition, because misbehaving nodes can otherwise
make insignificant impacts and can thus be ignored.
NEW LIGHTWEIGHT DETECTION METRIC
In this section, we present a simple and practical metric,
namely, the number of intertransmissions, that characterizes
the legitimate behavior of 802.11 nodes. We then
derive a closed-form expression for the detection metric to
quantitatively characterize each client node’s behavior in an
802.11 WLAN. Finally, we describe how to identify
misbehaving nodes using the detection metric.
for Pinpointing Misbehavior in WLANs
[attachment=24121]
Abstract
Detecting misbehaving users in wireless networks is an important problem that has been drawing considerable attention.
Even though there is a plethora of work on 802.11 wireless local area networks (WLANs), most existing schemes employ behaviorbased
anomaly detection, assuming that the backoff-time information of each transmitting node is available to the monitoring node.
Unfortunately, it is practically infeasible to obtain the accurate backoff value chosen by other transmitting nodes because this MAC-layer
information is not readily available.
INTRODUCTION
RECENT advances in radio technology, such as Software-
Defined Radios (SDRs) [1], [2], open-source drivers [3],
and reverse-engineered firmware [4], allow users to modify
their wireless interface software and change the protocol
parameters to meet their own needs. This programmability
provides flexibility to end users to best suit their performance
needs, such as connectivity and quality of service
(QoS) [5]. However, a misbehaving user can abuse this
flexibility to increase his own throughput by manipulating
the channel access functions in a selfish manner, at the cost
of other well-behaving users’ performance.
Related Work
Even through there is a plethora of work on the detection of
misbehaving users in CSMA networks [6], [7], [8], [9], [10],
[11], [12], [13], [14], to the best of our knowledge, this is the
first online detection method that relies only on easy-toobtain
packet-based information. Most existing detection
schemes [6], [8], [14] in 802.11 are designed under the
assumption that the backoff-time information of each
tagged node is available at the monitoring node. However,
it is infeasible to obtain the accurate value of backoff chosen
by other stations in 802.11 WLANs.
SYSTEM MODEL AND PROPOSED APPROACH
In this section, we first present the system model and the
assumptions to be used, and then overview the proposed
misbehavior-detection approach.
System Model
We consider the common IEEE 802.11 infrastructure WLAN
consisting of an AP and a set N of client nodes that access
the Internet via the AP. The client nodes send their packets
to the AP (i.e., uplink transmissions) and the AP forwards
the packets to local destinations and/or to remote destinations
via the wireline Internet (i.e., downlink transmissions).
We assume that APs can be fully trusted since APs usually
are maintained by well-trained network administrators. We
focus on scenarios where selfish nodes manipulate the
channel-access function of the 802.11 protocol, e.g., using
smaller CWmin, CWmax, and IFS (interframe space) than
those of well-behaving nodes. In 802.11, it is relatively easy
to manipulate the channel-access function, but their detection
is not trivial. We are primarily interested in a saturated
network condition, because misbehaving nodes can otherwise
make insignificant impacts and can thus be ignored.
NEW LIGHTWEIGHT DETECTION METRIC
In this section, we present a simple and practical metric,
namely, the number of intertransmissions, that characterizes
the legitimate behavior of 802.11 nodes. We then
derive a closed-form expression for the detection metric to
quantitatively characterize each client node’s behavior in an
802.11 WLAN. Finally, we describe how to identify
misbehaving nodes using the detection metric.