Modelling Co-operative MAC Layer Misbehaviour in IEEE
802.11 Ad Hoc Networks with Heterogeneous Loads
Rohith Dwarakanath Vallam, A. Antony Franklin, and C. Siva Ram Murthy
∗
Department of Computer Science and Engineering,
Indian Institute of Technology Madras, Chennai - 600036, India
{rohith, antony}@cse.iitm.ernet.in, murthy@iitm.ac.in
Abstract— Misbehaviour due to back-off distribution
manipulation has been one of the significant problems
faced in IEEE 802.11 wireless ad hoc networks which
has been explored recently by the research community.
In addition, collusion between misbehaving nodes adds
another dimension to this security problem. We examine
this problem in a three-node network scenario wherein two
nodes are assumed to be malicious colluding adversaries
causing unfair channel access to the other legitimate node.
The misbehaving nodes, through back-off manipulation,
will try to minimize the channel access share got by the le-
gitimate node and at the same time maximize the detection
delay to detect such an attack. We explore this problem
and its solution, analytically, in a non-saturated setting,
by modelling a single IEEE 802.11 node as a Discrete
Time Markov Chain (DTMC) and suggest a measure for
evaluating fairness in the network. We then propose an
attacker-detector non-linear optimization model through
which the joint optimal attacker distribution is evaluated
by applying results from the area of variational calculus.
We finally use the Sequential Probability Ratio Test (SPRT)
for estimating the average number of samples for detecting
colluding adversaries in the network. We validate all the
models using MATLAB and verify the model results by
sampling values from the evaluated optimal attacker distri-
bution using a robust statistical library called UNU.RAN.
I. INTRODUCTION
As we enter the age of ubiquitous wireless networks,
the issue of security in such networks is growingly
becoming a pervasive problem. New vulnerabilities in
these networks have emerged in these networks and
thus, solutions related to these security issues in wireless
networks has been explored by the research community
of late. Security issues in wireless ad hoc networks pose
significant challenges due to the unpredictable nature of
the wireless medium and independent behaviour of the
nodes in the network. These challenges make security
a very interesting area of research. There have been
significant progress towards addressing issues related to
∗
Author for correspondence.
this area. The broad area of security in wireless net-
works encompass issues like privacy protection, naming
and addressing, secure neighbour discovery and secure
routing. Also, there are issues regards to trust evaluation,
secure localisation, behaviour enforcement, selfishness in
packet forwarding, and selfish behaviour at MAC layer.
This paper is related to the issue of security at the
Medium Access Control (MAC) layer and in particular,
the problem of thwarting misbehaviour by malicious
IEEE 802.11 nodes whose objective is to cause un-
fair channel access to legitimate nodes in its transmis-
sion range. We model the problem from an analytical
perspective and try to understand the various aspects of
the problem and use mathematical analysis i.e., Markov
chain modelling, variational calculus based non-linear
optimization theory, and statistical estimations to get
insights into detecting misbehaviour of the monitored
nodes. The main contributions of this paper can be put
forth as follows.
• The problem of back-off manipulation has been
addressed in a non-saturated scenario where each of
the nodes in the network have different data arrival
rates following the Poisson distribution.
• A detailed model of a single IEEE 802.11
non-saturated node based on Discrete Time Markov
Chain (DTMC) is proposed and steady state
probabilities are evaluated.
• The global system state of the three-node network is
then modelled probabilistically and a new fairness
measure is proposed for the nodes in the network.
• The problem of collusion of two nodes is taken
and a non-linear optimization model is developed
to depict the colluding attackers-detector scenario.
• By using principles from the area of variational cal-
culus, the optimal joint probability density function
of the colluding attackers is found and the average
sample size for detecting such an optimal attack is
evaluated using a statistical approach namely the
Sequential Probability Ratio Test (SPRT).
WIOPT 2008, 1st–3rd Apr 2008, Berlin, Germany.
Copyright © 2011–2012 ICST ISBN 978-963-9799-18-9
DOI 10.4108/ICST.WIOPT2008.3178
The rest of the paper is organised as follows. Section II
discusses related work in the area of security in IEEE
802.11 MAC layer. Section III explains the problem
setting and formulates the problem addressed in this
paper. Section IV gives an overview of the approach
followed and then, explains, in detail, the modelling
aspects of the various aspects of this problem. Section V
validates the models by plotting results from MATLAB.
Section VI discusses the conclusions and future work.
II. RELATED WORK AND MOTIVATION
The ad hoc network community has tried to under-
stand and address issues related to attack resistance at
MAC layer in recent times. In [1], the authors study
simple DoS attacks at the MAC layer, show their de-
pendence on attacker traffic patterns, and deduce that
the use of MAC layer fairness can mitigate the effect
of such attacks. In [2], the focus is also on DoS attacks
against the IEEE 802.11 MAC protocol. They describe
vulnerabilities of IEEE 802.11 and show ways of exploit-
ing them by tampering with normal operation of device
firmware.
There has been some significant work on detecting
MAC layer misbehaviour in Wireless LANs [3]. A mod-
ification to the IEEE 802.11 MAC protocol is proposed
to facilitate the detection of selfish and misbehaving
nodes. The approach assumes a trustworthy receiver,
since the receiver assigns to the sender the back-off
value to be used. The receiver can detect misbehaviour
of the sender and accordingly penalize it by providing
less favourable access conditions through higher back-
off values for future transmissions. A decision about
protocol deviation is reached if the observed number of
idle slots of the sender is smaller than a pre-specified
fraction of the allocated back-off. The sender is labelled
as misbehaving if it turns out to deviate continuously
based on a cumulative metric over a sliding window.
This work also presents techniques for handling potential
false positives due to the hidden terminal problem and
the different channel quality perceived by the sender and
the receiver. However, our work differs from [3] and [4],
as we consider an ad hoc environment wherein no trusted
centralized Access Point (AP) can be assumed.
Also, there have been recent approaches like [4],[5],
and [6], that have addressed the problem of back-off
manipulation at MAC layer. The authors in [4], focus on
MAC layer misbehaviour in wireless hot-spot communi-
ties. They propose a sequence of conditions on some
available observations for testing the extent to which
MAC protocol parameters have been manipulated. The
advantage of the scheme is its simplicity and easiness of
implementation, although in some cases the method can
be deceived by cheating peers, as the authors point out.
Greedy behaviour by the nodes is considered in [4] and
not malicious behaviour by nodes as considered in this
paper.
Detecting MAC layer back-off timer violations in ad
hoc networks have been studied in [5]. They exchange
the state of the random number generator of each of the
neighbours by modifying the IEEE 802.11 protocol and
then, using Wilcoxon rank sum test, which uses fixed
sample size, compare difference between analytically
computed samples with observed samples and detect
misbehaviour exists or not. However it does not handle
collusion between nodes. Also, they have an approach
wherein the number of samples required for detection
is fixed. Our work uses an optimal statistical method,
SPRT [7], for adaptive estimation of number of samples
for misbehaviour detection.
The problem of determining the attacker distribution
in the saturated case (i.e., all nodes have data to send
in every time slot) has been addressed in [6]. The
work considers the case of colluding attackers, but in
a network where all nodes have always data to send
i.e., they are saturated. In real IEEE 802.11 networks,
data and multimedia traffic (for eg., traffic due to e-
mail, Internet, audio and video) is inherently bursty [8]
in nature. The demanded transmission rate for most real
traffic varies with significant idle periods and hence,
nodes are usually far from being saturated. So, we study
the effect of back-off manipulation at the MAC layer in
a network where nodes may have different data rates.
In addition, we explore this misbehaviour when there
is co-operation between misbehaving nodes to jointly
cause unfairness to the legitimate nodes. This collusion
between adversarial nodes makes the detection of such
an attack harder and hence, in order to aid the detection
mechanism, there is a need to evaluate the worst case
attack that can be caused by this collusion. We consider
this problem of back-off attack when there are colluding
nodes and the network is non-saturated.
III. PROBLEM SETTING AND FORMULATION
This paper addresses a vulnerability in the IEEE
802.11 Distributed Co-ordination Function (DCF)
Medium Access Control (MAC) protocol [9] namely the
back-off attack. In a back-off attack, nodes will not fol-
low the uniform distribution for choosing a waiting time
(back-off) after successful packet transmission. They
will choose smaller waiting times from a different non-
uniform distribution resulting in unfairness in channel
access. Consider a three-node (referred to as Node 1,
Node 2, and Node 3) ad hoc wireless network where each
node is in the wireless range of the other. The primary
objective of the adversarial nodes is to cause unfairness,
with respect to channel access, to the legitimate node.
Consider two nodes (Node 2 and Node 3) in the network
as colluding malicious nodes whose aim is to disrupt the
channel access of the other legitimate node (Node 1).
The objective, from the colluding attackers’ point of
view, is to determine their back-off values in such a way
that it causes maximum unfairness in the network. In
other words, the attackers will not follow the uniform
distribution for selecting the back-off values between
packet transmissions as specified by the IEEE 802.11
DCF protocol and thus, try to deny fair access to the
channel by the legitimate node. The legitimate node,
on the other hand, will be sampling the back-off values
used by each of its neighbours by some mechanism like
the statistical monitoring mechanism proposed in [5]
and will test these samples to check if the neighbours
are misbehaving or not. To perform this function, the
legitimate node needs to fix the number of samples
that needs to be collected after which it is enough to
decide if the neighbours are misbehaving or not. Hence,
a mechanism for estimating the average sample size
required for detection is needed.
Assumptions:
• Each node is supposed to follow the IEEE 802.11
DCF protocol as the MAC layer protocol.
• The nodes are static or moving with a velocity such
that they continue to be in the transmission range
of each other.
• Each node has some data to be sent to any of the
other nodes and the arrival process in Poisson. All
the nodes are aware of the traffic loads at the other
nodes in its vicinity.
• The higher layers of the network stack generates the
data traffic. The delay occurring between the time
the packets are generated to the time when they
arrive at the MAC layer for transmission, which
may be due to delay at the higher layers like TCP
is not considered in this work.
• Each node has small buffers (as small as possible
to avoid the effect of queueing dynamics) to hold
the incoming packets from higher layers.
• The nodes are able to sense the channel at any time
(using promiscuous mode) and hence detect if the
medium is busy or idle. If busy, it can sniff the
packets to know information about the headers in
the packet like destination, duration of the transfer,
sequence number, etc.
• Once a packet encounters a collision, it is dropped
and no retransmissions are attempted. This is to
simplify analysis as the main focus of this paper
is to explore the collusion problem between two
nodes under non-saturated conditions and not the
way packet collision is handled.
IV. PROPOSED SOLUTION
A. A Broad Overview
The problem under consideration can be approached
in the following way:
• Develop a detailed mathematical model for under-
standing the behaviour of a single node following
the IEEE 802.11 DCF mechanism considering the
assumptions mentioned in Section III.
• Develop a model for the system as a whole and the
various states that the system may be in. This will
provide a global outlook of the system which will
be useful to understand the Quality of Service (QoS)
aspects, like fairness, of the three-node network .
• Formulate an optimization scenario, wherein, un-
der the evaluated fairness conditions, the colluding
attackers try to maximize the unfairness of the
network, while at the same time, try to avoid
detection by the legitimate node to the maximum
extent possible.
• Estimate the optimal attacker back-off distribution
from the optimization problem thus formulated and
then derive the value for the expected sample size
required to detect such an optimal attack. Due
to the optimality of the attacker distribution, any
other attack caused by the colluding nodes will be
suboptimal and the sample size thus calculated for
the optimal case will be enough to identify these
suboptimal attacks, on an average.
B. A Single Node Model
( ( (1-p)q / W ) +
(pq / W) ) = q/W
...................
q
q
q
( ( (1-p)(1-q) / W) +
( p(1-q) / W) ) = (1-q)/W
1
1
1-q
1-q
1-q
(0 , 0)
(0 , 1)
(0 , 2)
(0 , 0)
(0 , 1)
(0 , 2)
(0 , W-1)
(0 , W-1)
(1-q)
+q(pid) / W
...................
( q(1-pid)) / W
for k >0,
( q(pid)) / W
1
e
e
e
e
Fig. 1: Discrete Time Markov Chain Model of IEEE
802.11 DCF protocol
1) Preliminaries: Non-saturation in IEEE 802.11 net-
works was considered in [10]. They model a node based
on the well known Bianchi [11] model of IEEE 802.11
DCF node. In this model, an IEEE 802.11 DCF node
is modelled as a Discrete Time Markov Chain (DTMC)
with each state being denoted by a pair of integers (s, k)
where s is the back-off stage and k is the back-off
counter value at that stage as shown in Fig. 1. We use
this model as the basis of our work, but as mentioned
earlier, add a restriction that the collision of a packet is
handled by dropping the packet thereby not considering
it for retransmission i.e., the node is always in back-off
stage 0.
2) Analytical evaluation of the model: As in [10],
due to the non-saturation assumption, idle states can be
present wherein there is no data for transmission and
they are represented by the states (0, k)
e
(known as
the post-back-off states). Hence the DTMC will either
be in any of the (0, k) states if there is packet to be
transmitted or in any of the (0, k)
e
states if the node
is idle. Transmission of a packet is attempted either in
b(0, 0) state after the back-off counter (which is selected
uniformly from [0, W
0
− 1] where W
0
is the maximum
contention window size at stage 0) reaches zero or when
a packet arrival occurs in the b(0, 0)
e
state. Note that
W
0
is shown as W in Fig. 1. This DTMC is solved for
steady state probabilities (represented by the stationary
distribution b) analytically by first formulating the one-
step state transition probabilities (as shown in Fig. 1)
and then finding the expressions for the steady state
probability of each state. The notations followed are:
• p - probability of collision given the node is at-
tempting transmission.
• (1 − q) - probability that the node’s buffer has no
packets awaiting transmission at the start of each
counter decrement.
• b(0, k)
e
- steady state probability of being in state
(0, k)
e
of the DTMC where k ∈ [0, W
0
− 1].
• b(0, k) - steady state probability of being in state
(0, k) of the DTMC where k ∈ [0, W
0
− 1].
• P
idle
(shown as pid in Fig. 1) - probability that the
medium is sensed idle during a typical slot.
Determining one-step state transition probabilities:
If the node is in (0, 0) state, two things can happen. It
might get a packet to send or not. In case of packet
arrival (with probability q), the node will choose a back-
off uniformly and transition into any one of the (0, k)
states. If no data arrives, the node will choose a uniform
back-off in the range [0, W
0
− 1] and move into any one
of the (0, k)
e
states. To put it in terms of state transitions,
P ((0, k)|(0, 0)) = q/W
0
P ((0, k)
e
|(0, 0)) = (1 − q)/W
0
If the MAC is in (0, 0)
e
state, three things can occur.
(i) A packet may arrive in which case, the medium is
sensed and if it is idle, the packet is transmitted. Due to
our assumption, after the packet is transmitted, the MAC
enters back to the (0, k)
e
chain irrespective of whether
the packet collided or not as the case of retransmission
of the packet (in case of collision) is not handled in this
work.
P ((0, 0)
e
|(0, 0)
e
) = (1 − q) + qP
idle
/W
0
(ii) If the medium is busy, then the MAC enters stage-0
back-off by choosing a uniformly distributed back-off in
the range [0, W
0
].
P ((0, k)|(0, 0)
e
) = q(1 − P
idle
)/W
0
(iii) If no packet arrives in the considered slot, then the
MAC will loop in the (0, 0)
e
state.
k > 0, P ((0, k)
e
|(0, 0)
e
) = qP
idle
/W
0
By similar reasoning, the other one step transition prob-
abilities can be described as below.
P ((0, k − 1)|(0, k)) = 1
P ((0, k − 1)
e
|(0, k)
e
) = 1 − q
P ((0, k − 1)|(0, k)
e
) = q
In order to evaluate the steady state probabilities in the
setup described above, we make the following observa-
tions. With b(i, k) and b(0, k)
e
denoting the steady state
probabilities of being in states (i, k) and (0, k)
e
, we have
W
0
−1
X
k=0
b(0, k) +
W
0
−1
X
k=0
b(0, k)
e
= 1 (1)
Eqn. (1) is a very important equation for our simplifica-
tion. The objective of the following simplification is to
reduce the two sums in Eqn. (1) in terms of a common
term, b(0, 0)
e
, and evaluate the rest of the steady state
probabilities in terms of this value. We proceed as given
below to achieve this simplification.
We know that
b(0, W
0
− 1)
e
=
b(0, 0)
e
q(1 − p)P
idle
W
0
+
(1 − q)b(0, 0)
W
0
For, (W
0
− 1) > k > 0,
b(0, k)
e
= (1 − q)b(0, k + 1)
e
+ b(0, W
0
− 1)
e
Simplifying recursively,
b(0, k)
e
=
qb(0, 0)
e
− b(0, W
0
− 1)
e
1−(1−q)
k
q
(1 − q)
k
Using the above expressions and following some basic
simplification, we can evaluate
b(0, 0)
e
b(0, 0)
=
1 − q
q
1 − (1 − q)
W
0
qW
0
− (1 − p)P
idle
(1 − (1 − q)
W
0
)
We then derive the following,
W
0
−1
X
k=0
b(0, k)
e
=
b(0, 0)
e
(1 − (1 − q)
W
0
)
(qW
0
) (2)
To evaluate
W
0
−1
X
k=0
b(0, k), we know that
b(0, k) = b(0, 0) − q
k
X
i=1
b(0, i)
e
− kb(0, W
0
− 1)
By using the above equation, b(0, i)
e
can be simplified
to
b(0, i)
e
= ((q
2
b(0, 0)
e
− b(0, W
0
− 1)
e
) ×
(1/(1 − q)
k
− 1) + qi b(0, W
0
− 1)
e
)/(q
2
)
To sum it up, we start by splitting the terms as following.
W
0
−1
X
k=0
b(0, k) = b(0, 0) +b(0, W
0
− 1) +
W
0
−2
X
k=1
b(0, k)
(3)
Further, b(0, k) can be written as below.
b(0, k) = b(0, 0) − result
1
− result
2
(4)
where result
1
and result
2
are got by further simplifi-
cation as below.
result
1
= k
b(0, 0)
e
q
W
0
(1 − pP
idle
) +
b(0, 0)
W
0
(1 − pq)
result
2
=
1
q
1
(1 − q)
k
− 1
×
1
q
q
2
b(0, 0)
e
− b(0, W
0
− 1)
e
Since we need to get an expression for
W
0
−1
X
k=0
b(0, k),
we use Eqn. (3) and Eqn. (4) and get the following
expression.
W
0
−1
X
k=0
b(0, k) = b(0, 0) + b(0, W
0
− 1) +
W
0
−2
X
k=1
b(0, 0)
−
W
0
−2
X
k=1
result
1
−
W
0
−2
X
k=1
result
2
Simplifying, the following equation results
W
0
−1
X
k=0
b(0, k) = result
3
− result
4
+
b(0, 0) + b(0, W
0
− 1)
(5)
where result
3
and result
4
are as follows:
result
3
=
"
(W
0
− 2)/(2W
0
)
b(0, 0)
×
2W
0
−
(W
0
− 1)(1 − pq)
−
b(0, 0)
e
/W
0
q(1 − p P
idle
)
×
(W
0
− 2)(W
0
− 1)/2
#
result
4
=
"
b(0, 0)
e
q
(1/γ) − 1
δ
#
δ =
(1/q) ×
1/((1 − q)
W
0
−2
) − 1
−
W
0
− 2
γ =
1 −
(1 − q)
W
0
As we can clearly observe from the Eqn. (2) and
Eqn. (5), we have got the values of the two sums in
terms of b(0, 0)
e
and hence the normalisation equation of
Eqn. (1) can now be used to determine b(0, 0)
e
in terms
of q, W
0
and P
idle
. From this value, we can now evaluate
values of b(0, 0),
W
0
−1
X
k=0
b(0, k), and
W
0
−1
X
k=0
b(0, k)
e
. These
values are used in the next section to determine the state
of the system as a whole and define fairness condition
for the network.
C. A Global System Model
1) Details of the Model: Using the single node model
proposed in Section IV-B, we define the following:
a
i
= Probability that the node i is choosing a back-off
value in a time slot. We can say that a node will start to
choose a random back-off value in the current time slot
in the following two scenarios.
• The node is in b(0, 0) state and a new packet awaits
transmission at the end of the packet transmission.
• The node is in any of the b(0, k)
e
states and a new
packet arrives for transmission in the current time
slot.
Hence, from Fig. 1, we can deduce
a
i
=
q
i
×
b(0, 0) +
W
0
−1
X
k=0
b(0, k)
e
!
(6)
where q
i
is the probability that Node i has at least one
packet to be sent at the start of each time slot.
b
i
= Probability that the Node i is not choosing a
back-off value in the considered time slot (b
i
= 1 − a
i
).
Now, in the current three-node network under con-
sideration, in a time slot, there may be 0, 1, 2 or 3
