Misbehavior at the medium access control layer in wireless networks

Material Information

Misbehavior at the medium access control layer in wireless networks
Gubran, Mohamed
Publication Date:
Physical Description:
viii, 59 leaves : ; 28 cm


Subjects / Keywords:
Wireless communication systems ( lcsh )
Computer networks -- Access control ( lcsh )
Computer networks -- Access control ( fast )
Wireless communication systems ( fast )
bibliography ( marcgt )
theses ( marcgt )
non-fiction ( marcgt )


Includes bibliographical references (leaves 58-59).
General Note:
Department of Computer Science and Engineering
Statement of Responsibility:
by Mohamed Gubran.

Record Information

Source Institution:
University of Colorado Denver
Holding Location:
Auraria Library
Rights Management:
All applicable rights reserved by the source institution and holding location.
Resource Identifier:
747103239 ( OCLC )
LD1193.E52 2011m G82 ( lcc )

Full Text
Mohamed Gubran
B.S., The Higher Institute for Comprehensive Professions/ Yefren, 2001
A thesis submitted to the
University of Colorado Denver
In partial fulfillment
Of the requirements for the degree of
Master of Science
Computer Science

This thesis for the Master of Science
degree by
Mohamed Gubran
Has been approved
Bogdan Chlebus
Ellen Gethner

Gubran, Mohamed (M.S., Computer Science)
Misbehavior at the Medium Access Control Layer in Wireless Networks
Thesis directed by Associate Professor Bogdan S. Chlebus
In this thesis we investigate medium access control layer misbehavior in
wireless networks. We begin with an overview of the operating principles and
architecture of the IEEE 802.11 standard. This standard was designed for wireless
networks isolated from intruders. Contemporary applications, however, use it in
general access points to the Internet over wireless local area networks.
Misbehavior at the medium access control layer in such a situation can have severe
adverse effects on network performance. Selfish behavior on the medium access
control layer may result in an unbalanced distribution of bandwidth.

We survey possible patterns of misbehavior along with methods of
detection and prevention. We discuss in detail two specific detection methods. We
conclude with their assessment and mutual comparison.
This abstract accurately represents the content of the candidate's thesis. I recommend
its publication.
Bogdan Chlebus

Figures
Tables
1. Introduction
1.1 Operating Principles of IEEE 802.11 Standard
1.2 Protocol Architecture of IEEE 802.11
1.3 Physical Layer Standards
1.4 The Modes of Wireless Networks
1.4.1 Infrastructure Mode
1.4.2 Ad Hoc Mode
1.5 Distributed Coordination Function
1.5.1 The Methods of Distributed Coordination Function
- Basic Access Method
- Optional Access Method
2. Medium Access Control Selfish Behavior in Hotspots
2.1 Benefits of Cheating
2.2 Classification of Attacks
2.2.1 Naive Attack
2.2.2 Smart Attack
2.3 Misbehavior Techniques
2.3.1 Medium Access Control Selfish Behavior
- Attacks on the Uplink Traffic
- Attacks on the Downlink Traffic
2.3.2 Security Attacks
- Some Types of Security Attacks: Denial of Service; Detour Attack; Timeout Attack
3. The Possible Solutions to Detect the MAC Layer Misbehavior
3.1 DOMINO Detecting System
3.1.1 Components of DOMINO: Scrambled Frames; Detection of Manipulated Protocol Parameters
3.1.2 Related Issues: Hidden Nodes; Security; Adaptive Cheating; Choice of the Detection Parameters; Monitoring Period
3.1.3 Punishing Function
3.2 Robust Detection of MAC Layer Denial-of-Service Attacks
3.2.1 MAC DoS Detector: Tracking the Number of Competing Nodes; Sequential Denial-of-Service Detector
4. Conclusion & Recommendations
References

Figures
1.1: IEEE 802.11 protocol architecture
2.1: General scenario

Tables
1.1: Inter frame space and CW time for different PHY layers

1. Introduction
Wireless networks are deployed all over the world. With the presence of the
Internet, many problems have arisen in wireless networks. The misbehavior
problem at the medium access control layer is one of the biggest issues in
wireless networks. I studied many published research papers about the
misbehavior problem at the medium access control layer in wireless networks,
which made me interested in this area of research. There are many solutions to
the problem of selfish and security attacks. The main idea my thesis is based on
is introducing some solutions to the misbehavior problem. I tried to find
detection systems that could work together in the future as one system. I chose
two detection systems that have common characteristics. These systems do not
need any modification of the IEEE 802.11 protocols. This choice makes the
deployment of these systems possible and easy from the practical side in
wireless networks. Also, those systems can address both types of the misbehavior
problem, which are the selfish attacks and the security attacks. This gives an
integrated system which protects the wireless network from both types of attack
if they work together in the same wireless network. First, I will introduce the
DOMINO detection system, which can discover selfish attacks such as the attacks
on the uplink traffic and the downlink traffic. The attacks on the uplink traffic
are carried out by a selfish node that targets the scrambled frames (which
contain encrypted information) of other nodes in order to raise their contention
windows, using different techniques to reach its goal. The attacks on the
downlink traffic target the transmission control protocol source in order to
raise the selfish node's share of traffic through the access point. Second, the
Robust detection system is used to discover denial of service security attacks.
Denial of service attacks try to prevent the wireless network users from
accessing the service by using many attempts to reach their goal, in order to
create medium access control congestion. This helps the DOMINO detection system
to cover its security weaknesses by using robust detection.
Work on the wireless networks standard IEEE 802.11 started in 1990, dedicated
particularly to wireless networks, with the main objective of developing a
medium access control protocol and a physical-medium specification. The IEEE
802.11 working group has issued an ever-expanding list of standards [9]. Carrier
sense multiple access with collision avoidance has been widely deployed as the
principal medium access control protocol for ad hoc networks and
infrastructure-based networks. It was designed with the assumption that nodes
will follow the correct operation of the protocol. However, nodes might prefer
to deviate in order to get an unfair share of the available bandwidth or to
disrupt the services of the network. Consequently, misbehavior (deviation from
the medium access control protocol), which is inherently possible at the medium
access control layer, can be divided into selfish and malicious behavior.
Selfish nodes are economically rational nodes whose objective is to maximize
their own welfare, defined as the benefit of their actions minus the cost of
their actions. In other words, the misbehavior of a node is considered selfish
behavior if it aims at obtaining an advantage that can be quantitatively
expressed in the units of wireless networking or in a related incentive system.
Malicious nodes can be defined as the broad class of nodes that are either
faulty, and therefore cannot follow a protocol, or are intentionally malicious
and try to attack the system. The current prevention and detection systems that
are used to detect and prevent misbehavior in medium access control are mainly
designed to deal with one or a few kinds of misbehavior. The main problem that
the detection systems face is how to manage widely deployed networks with
increasingly complicated attacks. In order to detect and prevent misbehavior in
the medium access control layer, we need a well defined misbehavior model and
system framework [2]. In this thesis we present a systematic survey of medium
access control misbehavior and of the prevention systems that have been
introduced in published papers. We introduce the problem of selfish behavior at
the medium access control layer and some of the possible attacks. Then we
introduce the possible solutions to detect medium access control layer
misbehavior, concentrating on the DOMINO Detection System and the Robust
Detection System, which do not require any modification to the existing
IEEE 802.11 protocols.
1.1 Operating Principles of IEEE 802.11 Standard
The main standard used for wireless networks is called IEEE 802.11. Both the
medium access control layer and the physical layer are specified by this
standard. Working groups extend the specifications of the medium access control
layer and the physical layer for wireless networks to manage mobile and portable
nodes. Several physical layers are defined, and the medium access control layer
sits on top of them. Carrier sense multiple access with collision avoidance is
the access method of the medium access control layer.
1.2 Protocol Architecture of IEEE 802.11
The IEEE 802.11 standard contains three layers: the logical link control
layer, the medium access control layer, and the physical layer (see Figure 1.1).
An interface to higher layers is provided by the logical link control layer,
which implements basic link layer functions (e.g., error control and flow
control). The devices of each network must share their transmission capacity,
so they need an orderly and efficient way to arrange access to the transmission
medium. This responsibility falls to the medium access control protocol, which
ensures that all the devices on a network work together. The medium access
control protocol requires that only one mobile device transmits at a time, and
it specifies that data be transmitted in blocks, or medium access control
frames. Each frame includes user data, a destination and source address, an
error detection code, and medium access control layer control bits. Each mobile
device checks the shared medium for frames whose destination address matches its
own address and copies the frames addressed to it. The medium access control
layer has the following two sublayers:
- The Distributed Coordination Function: this function is the lower sublayer
and it uses an Ethernet-style contention algorithm which provides access to
all traffic. The coordination function is used by ordinary asynchronous
traffic.
- The Point Coordination Function: this function is the upper sublayer and it
can be defined as a centralized medium access control algorithm that provides
contention-free service by polling mobile devices in turn [9].
The frequency band, data rate, and other details of the actual radio
transmission are defined by the physical layer. The physical layer is divided
into the following two sublayers:
- Physical Medium Dependent Sublayer: the characteristics of the wireless
medium are defined by this sublayer. In addition, the sublayer performs data
encoding and modulation.
- Physical Layer Convergence Procedure Sublayer: this sublayer lets the medium
access control layer run with minimum dependence on the physical
characteristics of the wireless medium. The medium access control layer uses
this sublayer to communicate with the physical layer via specific primitives
through a physical service access point. The physical layer convergence
procedure sublayer operates on the information provided by the medium access
control layer.
The medium access control layer and the physical layer are managed using a
management entity for each of them (see Figure 1.1) [9].

Figure 1.1: IEEE 802.11 protocol architecture [9]. (Layers shown, top to bottom: logical link control (LLC); contention-free service provided by the point coordination function; contention algorithm provided by the distributed coordination function (DCF); physical layers 802.11 2.4-GHz FHSS, 802.11 2.4-GHz DSSS, 802.11 infrared, 802.11a 5-GHz OFDM, 802.11b 2.4-GHz DSSS, 802.11g 2.4-GHz DSSS/OFDM.)
1.3 Physical-Layer Standards
Within the IEEE 802.11 layered protocol architecture, the physical layer
describes the frequency band, data rate, and encoding technique (see Table 1.1).
The original standard, which defines the medium access control layer and three
physical layers, is known as IEEE 802.11. The three physical media layers are
Direct-Sequence Spread Spectrum, Frequency-Hopping Spread Spectrum, and
Infrared [9].
Spread-spectrum approaches are used in the first two schemes. Spread spectrum
basically means using a much wider bandwidth than is actually necessary to
support a given data rate. By using a wider bandwidth, interference is minimized
and the error rate is drastically reduced. Frequency-hopping spread spectrum
spreads the spectrum by repeatedly jumping from one carrier frequency to
another, so that interference or performance reduction at a given frequency
affects only a small fraction of the transmission. Direct-sequence spread
spectrum effectively increases a signal's data rate by mapping each data bit
into a string of bits, using one string for binary 1 and another string for
binary 0. The higher data rate occupies a greater bandwidth. The effect is to
spread each data bit out over time, minimizing the effects of interference and
degradation. Frequency-hopping spread spectrum was employed in most early 802.11
networks because it is simpler to implement than direct-sequence spread
spectrum. Direct-sequence spread spectrum is more effective in the 802.11 scheme
in terms of resistance to interference. Nevertheless, the original
direct-sequence spread spectrum products were not widely used owing to their
low data rates [9].
1.4 The Modes of Wireless Networks
Wireless networks implement two modes. These modes are:
1.4.1 Infrastructure Mode: This mode is used broadly in wireless networks. It
contains an access point that works as a hub for the network, with every client
connected through it. The nodes in this mode communicate with each other
through the access point, which is attached to the wired network [5].
1.4.2 Ad Hoc Mode: There is no access point in this mode. The mobile nodes can
be linked dynamically in an arbitrary way. Trustworthy communication in ad hoc
networks depends on inherent trust among nodes, which means that nodes need to
work together to guarantee correct route establishment mechanisms, routing
information protection, and packet forwarding security. This mode is ordinarily
the one used in mobile ad hoc networks [2].
1.5 Distributed Coordination Function
The distributed coordination function is the basic access mechanism of the
IEEE 802.11 standard. This function uses carrier sense multiple access with
collision avoidance to arrange access to the shared medium. The sharing of the
medium among nodes is defined by the distributed coordination function
protocol, which specifies the use of carrier sense multiple access with
collision avoidance to decrease packet collisions in the network [7].

1.5.1 The Methods of Distributed Coordination Function
The distributed coordination function depends on carrier sense multiple access
with collision avoidance. It has a basic access method and an optional channel
access method with request_to_send and clear_to_send packets.
1- Basic Access Method: If the channel is busy for the source, a backoff time,
measured in slot times, is chosen at random in the interval [0, Contention
Window). Each time the channel is sensed idle for a distributed inter_frame
space time, this timer is decremented by 1, where
Distributed inter_frame space time = Short inter_frame space time + 2 × slot time.
When the channel becomes busy, the timer stops, and it restarts when the channel
is idle again for at least a distributed inter_frame space time. The contention
window is an integer whose range is decided by the physical layer
characteristics. The contention window is doubled after every collided
transmission, up to the maximum contention window + 1 [3].
When the backoff time reaches zero, the data packet is transmitted by the
source. The receiver transmits an acknowledgment immediately after a period of
duration equal to the short inter_frame space time. When a data packet is
transmitted, all other nodes hearing this transmission adjust their net
allocation vector. The net allocation vector is used to maintain a prediction
of future traffic on the medium, based on the duration information that is
announced in data frames prior to the actual exchange of data. Whenever an
erroneous frame is detected by a node, the node defers its transmission by a
fixed duration given by the extended inter_frame_space time, where
Extended inter_frame_space time = Short inter_frame space time +
Acknowledgment time + Distributed inter_frame space time.
The contention window starts at its minimum value CWmin (e.g., CWmin = 15). A
collision is interpreted as a high load on the network, and every node involved
in the collision throttles down its transmission rate by doubling the size of
its contention window, up to the maximum value of the contention window
(CWmax = 1024). Larger contention windows slow down the transmission of packets
and reduce the probability of collision. After a collision-free transmission,
the transmitting node resets its contention window to the minimum. This
mechanism is called exponential backoff or binary exponential backoff (see
Table 1.1) [3].
Table 1.1: Inter frame space and contention window time for different physical layers [3]

Parameter             802.11a   802.11b (FH)   802.11b (DS)   802.11b (IR)   802.11b (High Rate)
Slot time (µs)           9          50             20              8                20
SIFS (µs)               16          28             10             10                10
DIFS (µs)               34         128             50             26                50
EIFS (µs)             92.6         396            364     205 or 193        268 or 364
CWmin (slot times)      15          15             31             63                31
CWmax (slot times)    1023        1023           1023           1023              1023
2- Optional Access Method: In this method, the source transmits a
request_to_send frame, and the destination accepts the data transmission by
sending a clear_to_send frame prior to the transmission of the actual data
packet. When the nodes in range of the sender hear the request_to_send packet,
they update their net allocation vectors and defer their transmissions for the
duration specified by the request_to_send.
Nodes which overhear the clear_to_send packet also update their net allocation
vectors and refrain from transmitting. Using this method, the data packet
transmission and its corresponding acknowledgment can proceed without
interference from other nodes [3].
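To make the timing rules of the two access methods concrete, the following Python script (an added example, not code from the thesis) encodes the per-PHY parameters of Table 1.1, derives DIFS from SIFS and the slot time with the formula of the basic access method, checks the result against the DIFS row of the table, and models the net allocation vector update a third station performs when it overhears a request_to_send. The control-frame size, data rate, data-frame length and timestamp used in the demonstration are assumptions chosen for this example.

```python
"""IEEE 802.11 DCF timing: inter-frame spaces and the net allocation vector (NAV).

Added example. PHY parameters are taken from Table 1.1 of the thesis and the
DIFS/EIFS formulas from Section 1.5.1; frame sizes, data rate and the ACK-time
value used below are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phy:
    name: str
    slot_us: float   # slot time
    sifs_us: float   # short inter_frame space
    cw_min: int      # minimum contention window (slot times)
    cw_max: int      # maximum contention window (slot times)

    @property
    def difs_us(self) -> float:
        # DIFS = SIFS + 2 * slot time (Section 1.5.1)
        return self.sifs_us + 2 * self.slot_us

    def eifs_us(self, ack_time_us: float) -> float:
        # EIFS = SIFS + ACK time + DIFS (Section 1.5.1); the ACK time depends on
        # PHY and rate, so it is passed in rather than stored.
        return self.sifs_us + ack_time_us + self.difs_us


# Slot time, SIFS, CWmin and CWmax per PHY as listed in Table 1.1.
PHYS = {
    "802.11a": Phy("802.11a", 9, 16, 15, 1023),
    "802.11b (FH)": Phy("802.11b (FH)", 50, 28, 15, 1023),
    "802.11b (DS)": Phy("802.11b (DS)", 20, 10, 31, 1023),
    "802.11b (IR)": Phy("802.11b (IR)", 8, 10, 63, 1023),
    "802.11b (High Rate)": Phy("802.11b (High Rate)", 20, 10, 31, 1023),
}

# DIFS row of Table 1.1, used to check the formula against the table.
TABLE_DIFS_US = {"802.11a": 34, "802.11b (FH)": 128, "802.11b (DS)": 50,
                 "802.11b (IR)": 26, "802.11b (High Rate)": 50}


def difs_matches_table() -> bool:
    """True when SIFS + 2*slot reproduces the DIFS row for every PHY."""
    return all(PHYS[n].difs_us == TABLE_DIFS_US[n] for n in PHYS)


def tx_time_us(num_bytes: int, rate_mbps: float) -> float:
    """Airtime of a frame at a given rate (PHY preamble/header ignored)."""
    return num_bytes * 8 / rate_mbps


def rts_duration_field_us(phy: Phy, data_bytes: int, rate_mbps: float,
                          ctl_bytes: int = 14) -> float:
    """Duration a sender announces in its request_to_send: the remainder of the
    exchange after the RTS ends (SIFS + CTS + SIFS + DATA + SIFS + ACK).
    CTS and ACK are modelled as 14-byte control frames (assumption)."""
    return (3 * phy.sifs_us
            + 2 * tx_time_us(ctl_bytes, rate_mbps)
            + tx_time_us(data_bytes, rate_mbps))


class Station:
    """A node that is neither sender nor receiver of the current exchange."""

    def __init__(self, name: str):
        self.name = name
        self.nav_until_us = 0.0   # virtual carrier sense: medium reserved until then

    def overhear(self, now_us: float, duration_us: float) -> None:
        # Rule from Section 1.5.1: on hearing an RTS/CTS/data frame, defer for
        # the announced duration; never shorten an existing reservation.
        self.nav_until_us = max(self.nav_until_us, now_us + duration_us)

    def may_contend(self, now_us: float) -> bool:
        # Backoff may only be counted down once the NAV has expired.
        return now_us >= self.nav_until_us


def nav_demo(phy_name: str = "802.11b (High Rate)") -> dict:
    """A bystander overhears an RTS announcing a 1500-byte exchange at 11 Mbps."""
    phy = PHYS[phy_name]
    bystander = Station("C")
    t_rts_end = 100.0                                  # assumed timestamp (us)
    dur = rts_duration_field_us(phy, data_bytes=1500, rate_mbps=11)
    bystander.overhear(t_rts_end, dur)
    return {
        "duration_us": round(dur, 1),
        "blocked_mid_exchange": not bystander.may_contend(t_rts_end + dur / 2),
        "free_after_exchange": bystander.may_contend(t_rts_end + dur),
    }


if __name__ == "__main__":
    for name, phy in PHYS.items():
        print(f"{name:22s} DIFS = {phy.difs_us:6.1f} us")
    print("DIFS row reproduced:", difs_matches_table())
    print(nav_demo())
```

The `tx_time_us` helper also reproduces the header airtimes quoted in Chapter 2 (30 bytes at 11 Mbps is about 22 µs, 20 bytes about 15 µs), which is why the jamming window discussed there is so short.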

2. Medium Access Control Selfish Behavior in Hotspots
Wireless networks were designed for use in protected locations, but these
days they are used as the standard solution for hotspots, which give public
wireless access to the Internet. Severe unfairness in the distribution of
bandwidth can result from medium access control layer selfish behavior in
wireless networks, which is a big problem in public Internet access hotspots.
Selfish nodes characteristically misbehave to improve their own performance.
This includes nodes that refuse to forward packets on behalf of other nodes in
order to conserve energy. For instance, IEEE 802.11 requires nodes competing for
the channel to wait for a backoff interval before any transmission. A selfish
node may deliberately choose to wait for a smaller backoff interval, thus
increasing its chance of accessing the channel and hence reducing the
throughput share received by well behaved users. Selfish behavior can severely
reduce the performance of the network. Thus, some modifications to the protocol
have been suggested to detect and penalize misbehaving nodes. Moreover, users
pay for network access at hotspots, and this can lead them to cheat in order to
increase their share of the medium [1].

2.1 Benefits of Cheating
The cheater can get some benefits by misusing the medium access control.
These benefits are the following:
- The cheater can gain significant bandwidth because it deals directly with
the wireless medium. Accordingly, it is more effective than misbehavior at the
network and transport layers.
- The cheater cannot be discovered by any mechanism designed for upper layers
because it is opaque to and separated from those layers. Consequently, the
cheating can be combined with upper layer misbehavior to increase the effect.
- Since all the wireless nodes use the same medium access control protocol,
the cheating is always effective. In contrast, cheating with the transmission
control protocol yields no benefits against user datagram protocol competing
sources [1].
2.2 Classification of Attacks
The classification of attacks is based on the attacker's knowledge about the
current intrusion prevention systems, intrusion detection systems, and
intrusion reaction systems. The attacks can be divided into two classes:
2.2.1 Naive Attack: In this type of attack, the intrusion prevention systems,
intrusion detection systems, and intrusion reaction systems are unknown to the
misbehaving node, which implements simple attacks to achieve a selfish goal.
2.2.2 Smart Attack: In this type of attack, the complete operation procedure of
the intrusion prevention systems, intrusion detection systems, and intrusion
reaction systems is known to the misbehaving node. However, guessing the precise
critical parameters, such as the monitoring interval T and the threshold
Thresh, might not be feasible. Consequently, the selfish node will misbehave in
a way in which it can act selfishly while reducing the possibility of being
easily detected.
2.3 Misbehavior Techniques
The medium access control misbehavior space can be divided into two major
types, selfish behavior and security attacks, as follows:
2.3.1 Medium Access Control Selfish Behavior
Medium access control selfish behavior, which is caused by modifying the
operation of the IEEE 802.11 protocol, can be defined as failing to follow the
communication procedures or changing the parameters specified in the standard.
Many studies have shown that 91% of the traffic flowing over deployed wireless
networks is transmission control protocol traffic, and mostly downlink.
Therefore, it is important to differentiate misbehavior techniques by the type
of traffic they target. In the following, attacks on the uplink traffic (both
transmission control protocol and user datagram protocol) and on the downlink
transmission control protocol traffic are described.
Attacks on the Uplink Traffic
A selfish node can target scrambled frames (frames containing encrypted
information) sent by other nodes in order to increase their contention windows.
The frames that the cheater attacks are the following:
1- Clear_to_Send frames: The cheater hears a request_to_send frame destined to
a different node. The cheater deliberately causes a collision and the loss of
the corresponding clear_to_send frame in order to prevent the following long
frame exchange sequence (the request_to_send/clear_to_send handshake is used
for large frames). Consequently, after the corrupted clear_to_send, the channel
becomes idle, the victim's contention window is doubled, and the cheater's
chance to send its data becomes very high.
2- Acknowledgment and data frames: Attacking these frames doubles the
contention window of the acknowledgment's destination. However, it cannot save
the time of the data frame transmission. As above, the cheater's chances of
getting access to the channel are increased [1].

The cheater manipulates the protocol parameters to increase its bandwidth
share by doing the following:
1- It transmits when the channel is idle, but before a distributed inter_frame
space time has elapsed (after only a short inter_frame space time).
2- It increases the duration value in the frame headers when request_to_send
or data frames are sent. The other nodes copy the inflated duration field into
their net allocation vectors and therefore refrain from contending for longer.
3- It selects a small fixed contention window in order to reduce its backoff
time.
In order to avoid being detected, the cheater may use some techniques or alter
its misbehavior [1].
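The effect of the third manipulation above (a small fixed contention window) on the bandwidth distribution, and the kind of observation a monitor can use to notice it, are shown by the following slotted simulation, an added example that is not part of the thesis. Four stations run the binary exponential backoff of Section 1.5.1 with CWmin = 15 and CWmax = 1023 (the 802.11a values of Table 1.1) while one station pins its window to a constant; the script reports each station's share of successful transmissions and flags any station whose average chosen backoff is far below what a compliant station draws. The threshold rule is a generic illustration written for this example, not the procedure of the DOMINO system discussed later in the thesis, and the station names, seed and round count are constructed.

```python
"""Slotted DCF contention: compliant stations vs. one with a fixed small CW.

Added example. Backoff rules follow Section 1.5.1 (uniform integer draw over
the contention window, CW doubled after a collision up to CWmax, reset to
CWmin after a success). The detection rule at the end is a generic
illustration, not the DOMINO procedure; names, seed and round count are
constructed.
"""
import random
from statistics import mean
from typing import Optional

CW_MIN, CW_MAX = 15, 1023      # 802.11a column of Table 1.1


class Station:
    def __init__(self, name: str, fixed_cw: Optional[int] = None):
        self.name = name
        self.fixed_cw = fixed_cw   # cheater: contention window pinned to a constant
        self.cw = CW_MIN
        self.successes = 0
        self.drawn_backoffs = []   # every backoff value the station chose
        self.backoff = 0
        self.draw_backoff()

    def draw_backoff(self) -> None:
        cw = self.cw if self.fixed_cw is None else self.fixed_cw
        self.backoff = random.randint(0, cw)
        self.drawn_backoffs.append(self.backoff)

    def on_collision(self) -> None:
        # Binary exponential backoff: CW -> 2*CW + 1, capped at CWmax.
        if self.fixed_cw is None:
            self.cw = min(2 * self.cw + 1, CW_MAX)
        self.draw_backoff()

    def on_success(self) -> None:
        self.successes += 1
        self.cw = CW_MIN           # collision-free transmission resets the window
        self.draw_backoff()


def simulate(n_compliant: int, cheater_cw: int, rounds: int, seed: int = 7):
    """Run `rounds` contention rounds and return the list of stations."""
    random.seed(seed)
    stations = [Station(f"S{i}") for i in range(n_compliant)]
    stations.append(Station("cheater", fixed_cw=cheater_cw))
    for _ in range(rounds):
        # All stations count down in the same idle slots, so those with the
        # smallest residual backoff transmit first; the others freeze their
        # counters at (backoff - elapsed) while the medium is busy.
        elapsed = min(s.backoff for s in stations)
        winners = [s for s in stations if s.backoff == elapsed]
        for s in stations:
            if s not in winners:
                s.backoff -= elapsed
        if len(winners) == 1:
            winners[0].on_success()
        else:
            for s in winners:      # simultaneous transmissions collide
                s.on_collision()
    return stations


def throughput_share(stations) -> dict:
    """Fraction of successful transmissions per station."""
    total = sum(s.successes for s in stations)
    return {s.name: round(s.successes / total, 3) for s in stations}


def flag_low_backoff(stations, fraction: float = 0.5) -> set:
    """Flag stations whose mean chosen backoff is below `fraction` of CWmin/2,
    the average a compliant station draws at its smallest window.
    Illustrative rule: a real monitor has to infer backoffs from the idle
    slots it observes, which is the problem the detection systems address."""
    threshold = fraction * CW_MIN / 2
    return {s.name for s in stations if mean(s.drawn_backoffs) < threshold}


if __name__ == "__main__":
    sts = simulate(n_compliant=4, cheater_cw=3, rounds=4000)
    print("share of successful transmissions:", throughput_share(sts))
    print("flagged:", flag_low_backoff(sts))
```

Running it shows the cheater taking far more than the fair one-fifth share while every compliant station's mean backoff stays near or above CWmin/2, so only the cheater falls under the threshold.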
Attacks on the Downlink Traffic
In the downlink traffic, the cheater tries to raise the share of traffic that
it receives through the access point. As a result, the number of packets
destined to the cheater in the access point's queue increases. To achieve this
goal, the cheater targets the protocols responsible for filling this queue.
Traffic is sent to wireless nodes through the access point by two types of
sources:
1- User Datagram Protocol Source: for this type of source the channel
conditions cannot affect the user datagram protocol rate, since it does not
require acknowledgements from the receiver. Therefore, attacking user datagram
protocol traffic is pointless.
2- Transmission Control Protocol Source: for this type of source, the
transmission control protocol traffic rate responds to the channel conditions
through the congestion window and the acknowledgements from the receiver.
Accordingly, an attack can be mounted on the transmission control protocol
traffic by exploiting the congestion avoidance mechanism and decreasing the
source rate, up to stopping the flow [1].
Comparatively, downlink attacks are less intuitive and require more effort
from the cheater's side. They serve to raise the cheater's share of the
bandwidth while keeping the misbehavior from being discovered by the access
point. Leveraging the closed-loop nature of transmission control protocol
flows, their effect goes beyond the hotspot and the associated nodes and reaches
the remote servers. Both the topology and the typical scenario are shown in
Figure 2.1: M and Mc are mobile nodes connected to the Internet via the access
point. Large files are downloaded by M and Mc from two remote servers, S and
Sc, respectively. The downloads use file transfer protocol over transmission
control protocol. The following two techniques can be used by the cheater (Mc)
to reduce S's data rate in order to increase its own download data rate,
thereby making more bandwidth available for itself at any common bottleneck
between the servers and the access point, or at the access point itself:
- The transmission control protocol acknowledgments from M to the access point
are jammed by Mc, so they never reach the server S. As the transmission control
protocol acknowledgments get jammed, S lowers its sending data rate through
transmission control protocol congestion control. As a result, the connection
does not work properly. At the access point, M's share of the bandwidth
decreases, which raises the data rate from Sc to Mc [1].
- The jamming in the prior technique can be heard by the access point, which
may end up discovering Mc based on the number of retransmissions of M. Another
choice for Mc consists in jamming the access point's frames addressed to M. In
this way S's data rate can be reduced without the access point hearing it.
Nevertheless, both Mc's and M's packets share the same queue at the access
point. When the access point retransmits the jammed frames repeatedly, Mc's
packets are delayed in the queue and its data rate from Sc is reduced too.
Forged medium access control acknowledgments are therefore sent by Mc on behalf
of M for the jammed packets, to prevent access point retransmissions and the
queuing delays. By using this technique, the data rate from S is decreased and
the retransmission at the access point is avoided. Moreover, only part of the
access point's frames to M need be jammed by Mc. This lets Mc save its battery
power and makes discovering it harder [1].
Figure 2.1: General scenario. Mc jams the access point's transmission control protocol packets on their way to M to decrease the flow from server S [1]. (Figure shows servers S and Sc connected through the Internet and the access point to mobile nodes M and Mc.)
The results of these misbehavior techniques can be destructive because of
the wide use of transmission control protocol sources in the Internet,
particularly for file transfers and web browsing. Using Internet protocol
security will not prevent a cheater from mounting the above attacks. In fact,
all the packets can be easily jammed by the cheater without figuring out their
content as transmission control protocol.
The turnaround time of IEEE 802.11 is at most 5 µs. The medium access control
and Internet protocol (IP) frame headers are 30 and 20 bytes respectively.
Therefore, assuming that 11 Mbps, the highest rate of IEEE 802.11b, is used,
which gives the shortest time available for jamming, the medium access control
header transmission time is around 22 µs and the IP header transmission time is
around 15 µs. The short turnaround time allows a cheater to jam the
transmission control protocol acknowledgment or the transmission control
protocol frame even before the whole IP header has been transmitted, once the
source and the destination addresses are known to the cheater from the medium
access control header.
The use of transmission control protocol splitting techniques will raise the
tolerance of the transmission control protocol connection to the cheater's
jamming. The connection will still be dropped, but after a longer delay [1].
The downlink and uplink traffic attacks caused by selfish nodes can be
detected and punished using the DOMINO detection system, which is introduced
in the next section.
2.3.2 Security Attacks
Security attacks, such as the deauthentication attack, exploit security
weaknesses of the medium access control protocol, such as flaws in the
authentication or encryption mechanisms. In addition, they target the access
control, confidentiality, or availability of the network [1].

Some Types of Security Attacks
The following are some kinds of attacks on IEEE 802.11 that result from
cross-layer interaction:
- Denial of Service Attack: Denial of service can be defined as an attack that
tries to prevent the network users from accessing the service. A denial of
service attack attempts this in several ways. First, it prevents legitimate
network traffic by flooding the network. Second, it prevents access to the
service by disrupting the connection between two nodes. It may also prevent a
specific node from accessing the service. Finally, the denial of service attack
sometimes disrupts the service to a particular system or person within the
network [4]. Denial of service is one of the common attacks mounted against
the IEEE 802.11 standard. In this attack, packets can be injected by a
malicious node in order to create medium access control congestion. A node with
a high traffic load has more chance to capture the channel than a node with a
low traffic load. Another scenario arises when two malicious nodes create a
continuous flow. These scenarios break down the service of the cooperating
nodes. This can happen even if the cooperating nodes are not in the
transmission range of the malicious nodes. This type of attack can be detected
using the Robust detection system, which is presented in the next section [6].

- Detour Attack: In this type of attack, a malicious node chooses a large contention window (a long backoff) in order to delay the propagation of a message. The malicious node gains two benefits from this misbehavior. First, it saves energy, because the chance of its being selected as a relaying node is reduced. Second, it pushes extra traffic onto the other nodes. This type of attack cannot be easily detected, since the node changes its contention window only a few times. The medium access control layer needs to cooperate with the other layers (cross-layer detection) in order to deal with this attack [6].
- Timeout Attack: The timeout attack affects both the transmitter and the receiver nodes. The malicious node forwards packets to the other nodes and chooses proper backoff intervals, but at the same time it makes the forwarding operation fail in order to reach one of two goals: disrupting the route discovery process, or damaging the flows routed through it. Even though this attack starts at the medium access control layer, it affects the performance of the higher layers (for example routing and application throughput). It cannot be handled by a single layer, so cooperation between the medium access control layer and the other layers is required in order to deal with it [6].

3. Possible Solutions for Detecting Medium Access Control Layer Misbehavior
Many detection systems have been implemented to detect and punish the different attacks (misbehaviors) at the medium access control layer. Some of them modify the IEEE 802.11 protocol so as to simplify the detection of selfish nodes and analyze the optimality of the selected strategy. Another approach installs a piece of software in the access point or near it. Some detection systems also introduce a penalty scheme for punishing selfish nodes.
3.1 DOMINO Detection System
DOMINO (Detection Of greedy behavior in the MAC layer of IEEE 802.11 public NetwOrks) starts from the observation that small modifications to the driver of an IEEE 802.11 compliant card give a node a much higher throughput at the expense of the nodes with unmodified drivers. DOMINO monitors the frames on the wireless medium, which enables it to discover such selfish behavior [1] and to find whether selfish nodes gain an advantage over normal nodes. It works by comparing the actual average backoff time of a node with the nominal average backoff time in order to notice whether the node deviates from the protocol [7].
The first version of DOMINO presented the problem of medium access control layer selfish behavior but was limited to attacks on the uplink traffic. Attacks that target the downlink traffic and other related issues are described here, as is the interaction between DOMINO and the IEEE 802.11e protocol extension for quality of service (the set of techniques used to manage network resources).
3.1.1 Components of DOMINO
In DOMINO, traffic traces of the active nodes are collected periodically during short intervals of time called monitoring periods. A sequence of tests, each aimed at detecting a specific misbehavior technique, decides whether the analyzed traffic presents behavior anomalies; these anomalies can be considered as the symptoms of the corresponding misbehavior. The results of the tests are given to a decision making component that tells whether a given node is cheating and informs the operator if it finds a cheater.
The modular architecture presents many advantages. First, the tests as well as the decision making component can be implemented using several algorithms, depending on both the needed accuracy and the tolerable complexity. Second, new tests for potential, as yet undetected misbehaviors could be easily
The tests designed to detect the previously presented misbehaviors are described below. Each one contains two parts: a deviation estimation component and an anomaly detection component.
1- The deviation estimation component is mainly a statistical test that determines the amount of deviation of a node's behavior from a model of the expected behavior (derived by observing the behavior of the access point or of the other active nodes during a monitoring period).
2- The anomaly detection component uses the deviation measured by the deviation estimation component to judge a node as suspect or well-behaved. It can be a simple or a sophisticated technique (e.g., Bayesian inference) [1].
The decision making component combines the partial decisions of the different tests in order to classify the behavior of a given node in the last monitoring period. It is split into two modules, an aggregation component and a behavior classification component, and the implementation of either can be flexible. The aggregation component selected is a simple OR of the Boolean outputs of the different tests, the intention being that a node is detected as a cheater if it used any of the above methods. Alternatively, the aggregation component can output a weighted sum of the different test outputs; this sum is then normalized to 1 and compared to a threshold. The weights can be chosen to reflect the trust in a given detection test as well as the severity of the corresponding misbehavior. For example, a test that is more vulnerable to channel conditions will have a lower weight than a test whose output cannot be affected by such factors. The behavior classification component can be based on a simple misbehavior tolerance threshold or, like the anomaly detection component, on Bayesian inference.
The deviation estimation component is specific to each test, while the anomaly detection components of the different tests can use the same or different implementations. Consequently, the following description of each test concentrates on the algorithm behind the corresponding deviation estimation component. The tests described below share the following structure, where x is the test number:
if condition_x is true then output_x := 1 else output_x := 0
Note that all the tests shown below are performed on each data sample successfully collected for a node M_i during the last monitoring period. If misbehavior is discovered, the checking of M_i is discontinued, as no further analysis is required [1].
Scrambled Frames
The goal of this test is to detect misbehavior techniques that rely on frame scrambling; they correspond to the first attacks presented in the previous chapter. To achieve a significant share of the common wireless bandwidth by Clear_to_Send, Acknowledgment, or DATA scrambling, the cheater needs to scramble a comparatively large percentage of the Clear_to_Send, Acknowledgment, or DATA frames exchanged by the other nodes. Consequently, the average number of retransmissions of the cheater will be lower than that of the other nodes, and it can be discovered using Test 1 (Scrambled frames).
DOMINO discovers a retransmission by observing a repeated sequence number in the header of Request_to_Send or DATA frames whose corresponding Clear_to_Send or ACK frames were scrambled. In the case of DATA frames, one may argue that, because the DATA frames themselves are scrambled, the access point will not be able to differentiate retransmissions. Nevertheless, the cheater cannot scramble the headers of these frames; otherwise it could not know whether a given frame is destined to itself [1].
Since a rational attacker is assumed, one that jams other frames only when it needs to, its identity can be derived from the number of retransmissions. The rational attacker cannot manipulate this number in order to cheat, because a wrong sequence number triggers one of two reactions at the receiver, depending on the particular wireless card implementation: either the frame is rejected (if the number is less than or equal to the last recorded value) or it is delivered out of order (if the number is larger than the last recorded value). A further assumption is that an authentication mechanism (e.g., Wi-Fi Protected Access or IEEE 802.11i) is in place that prevents the use of arbitrary medium access control addresses, so the attacker cannot use an arbitrary medium access control address.
Bad channel conditions, which lead to frame loss and retransmission, are a potential source of false positives for this test. One way to avoid this trap is for the access point to take the signal-to-noise ratio of the nodes into consideration when detecting misbehavior [1].

Detection of Manipulated Protocol Parameters
In what follows, we show misbehavior techniques that change protocol parameters. We concentrate mainly on backoff manipulation, because it is the simplest to implement and the hardest to detect.
Shorter Than Distributed Inter_Frame Space Time
The access point can monitor the idle period after each acknowledgment and thereby identify any node that transmits before the required distributed inter_frame space time has elapsed. The access point can take a reliable decision after having observed this misbehavior frequently, for many frames from one node (Test 2, Shorter than distributed inter_frame space time) [1].

Oversized Net Allocation Vector
First, the actual duration of a transmission is measured; it includes the DATA frame, the acknowledgment, and the optional Request_to_Send/Clear_to_Send exchange. The measured duration is then compared with the value of the duration field in the Request_to_Send or DATA frame headers. A node that regularly sets the duration field to very large values can thus be detected by the access point. In Test 3 the tolerance parameter A (greater than 1) guarantees that cooperating nodes are not wrongly accused by the access point (Test 3, Oversized Net Allocation Vector).
Transmissions from M are interleaved with one or more transmissions from other nodes (including the access point). A transmission consists of the DATA frame and all its control frames, together with the short inter_frame space and distributed inter_frame space periods between them. The measured value is the sum of all idle intervals between two transmissions from M; the inter_frame spaces are not included [1].

Backoff Manipulation
Test 4 consists in measuring the actual backoff. The procedure can be described as follows:
- If there are no collisions between two transmissions from a node S, it is assumed that S spent all of its idle time backing off; the backoff is then estimated by summing the idle periods between the two transmissions.
- If a collision occurs, the identities of the senders of the colliding frames cannot be determined, so it is unclear which nodes' measured actual backoff should be updated. For simplicity, collisions are not taken into account: in case of a collision, neither the current backoff nor the next one is measured for any node (Test 4, Actual backoff) [1].
If the access point does not have enough data to derive a nominal backoff value from its own traffic, it uses an analytical value. DOMINO does not use the analytical value in the first place because it depends on the number of active nodes and is computed assuming backlogged sources. In a practical setting this assumption may be incorrect because of mobility and usage patterns (in their paper [10], Tang and Baker found that most of the time, 80% of it, a single user and application causes the peak throughput). The parameter is configurable according to the wanted percentages of true positives (correct detections) and false positives (incorrect detections).
Since it collects no data during collisions, the actual backoff test measures only backoffs picked from the range [0, CWmin - 1]. Because of the way it works, this test fails to discover misbehavior when the cheater has interframe delays (e.g., a transmission control protocol source using congestion control). In fact, the test then measures these delays instead of backoffs, because it adds up the idle periods between transmissions from the same source. The consecutive backoff test solves this problem [1].
1- Consecutive Backoff: Test 5 is used for sources with interframe delays. This is mostly the case for transmission control protocol sources (the delay typically results from transmission control protocol congestion control). For this type of source the actual backoff test does not yield correct values, so potential cheating cannot be detected.
Assume that a node M is sending transmission control protocol traffic and that there is enough traffic from other sources on the common channel. Between two frames sent by M that are separated by a transport layer delay, there must then be at least one interleaving frame from another node. Accordingly, if the access point observes two consecutive non-interleaved frames from M, it can consider the idle time between them to be only a backoff in addition to the mandatory distributed inter_frame space time. Such consecutive frames result from channel contention, which may force M to queue packets at the medium access control layer even if a delay at the upper layers separated them. In this case, M profits from cheating with the backoff in order to free its medium access control layer queue. Therefore, DOMINO can gather meaningful backoff values chosen by M; these values are called consecutive backoffs.
The above assumption on the traffic level is reasonable: if the traffic on the channel is low enough to invalidate it, cheating by decreasing the backoff is meaningless. When M can send consecutive non-interleaved frames that are separated by a delay in addition to the backoff and the distributed inter_frame space time, the reduced backoff does not affect the upper layer delay, and in this situation misbehavior detection is not necessary (Test 5, Consecutive backoff) [1].
Backoff values are recorded only between consecutive non-interleaved transmissions from M. As in the former test, the average of the collected values is compared to a fraction of the nominal value. If enough data is available, the nominal value is the access point's average consecutive backoff; otherwise it is an analytical value [1].
2- Maximum Backoff: Since the IEEE 802.11 protocol chooses backoffs uniformly at random in the range [0, CW - 1], the maximum backoff chosen over a set of frames sent by a given node must be at least CWmin - 1 if the number of samples is large enough. Note that the contention window (CW) depends on the number of retransmissions. DOMINO exploits this property to suspect nodes whose maximum backoff over a set of samples is less than a threshold value. Clearly, there is a trade-off between the number of samples and the threshold: if the threshold is raised (CWmin being its largest value), the number of sampled backoffs also has to be raised in order to obtain more distinct values and thus avoid false positives. The threshold used in the test is CWmin/2, so the test works if the cheater's reduced contention window lies within the range [0, CWmin/2 - 1].
Unfortunately, a clever cheater that manages to make the monitor observe at least one backoff value greater than or equal to the threshold in each sample set can easily defeat this check. Channel conditions can also produce the same result and thus make the check fail. So, the maximum backoff check is only ancillary to the previous two tests [1].
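The backoff tests above (Test 4, actual backoff with its collision rule; Test 5, consecutive backoff; the maximum backoff check) and the weighted-sum aggregation can be exercised on the event sequence an access point observes. The following is an added example written for this thesis, not DOMINO's own code. Its trace comes from a minimal slotted DCF model in which all nodes are backlogged and collisions are not followed by contention window doubling; the node names, the fractions 0.6 and 0.5, the weights and the threshold are all assumptions. Because every source is backlogged here, Test 5 is not discriminating (the text reserves it for transmission control protocol sources with interframe delays), which is why it carries the lowest weight.

```python
"""DOMINO-style backoff tests (actual backoff, consecutive backoff, maximum
backoff) and the weighted-sum aggregation, run over a trace produced by a
minimal slotted DCF model.  Example code written for this text, not DOMINO's
own implementation; the model and every constant are assumptions."""
import random

CW_MIN = 32                            # 802.11b CWmin: backoff slots 0..31
FRACTION_T4 = 0.7                      # Test 4: suspect if mean actual backoff < 0.7 * nominal
FRACTION_T5 = 0.5                      # Test 5: same rule for consecutive backoffs
MAX_THRESHOLD = CW_MIN // 2            # maximum-backoff test threshold (CWmin/2)
MIN_SAMPLES = 10                       # fewer AP samples than this: analytical nominal
ANALYTICAL_NOMINAL = (CW_MIN - 1) / 2  # mean of uniform [0, CWmin-1], backlogged sources
WEIGHTS = {"actual": 0.5, "consecutive": 0.2, "maximum": 0.3}  # trust per test
DECISION_THRESHOLD = 0.5

def simulate(nodes, cw, rounds, seed=1):
    """All nodes backlogged; each draws a backoff from [0, cw[node]-1], the
    channel idles until the smallest counter reaches zero, its owner sends,
    a tie is a collision.  Returns the monitor's view: ("idle", slots),
    ("tx", node) for a successful frame, ("coll",) for a collision."""
    rng = random.Random(seed)
    counter = {n: rng.randrange(cw[n]) for n in nodes}
    events = []
    for _ in range(rounds):
        idle = min(counter.values())
        if idle:
            events.append(("idle", idle))
        winners = [n for n in nodes if counter[n] == idle]
        events.append(("tx", winners[0]) if len(winners) == 1 else ("coll",))
        for n in nodes:
            counter[n] -= idle
        for n in winners:              # simplification: no CW doubling after a collision
            counter[n] = rng.randrange(cw[n])
    return events

def actual_backoffs(events, node):
    """Test 4 samples: idle slots summed between two transmissions of `node`
    (busy periods of other nodes do not count).  When a collision is seen, the
    sample in progress and the next one are dropped for every node, since the
    monitor does not know who collided."""
    samples, idle, armed, drop = [], 0, False, 0
    for ev in events:
        if ev[0] == "idle":
            idle += ev[1]
        elif ev[0] == "coll":
            drop = 2 if armed else 1
        elif ev[1] == node:
            if armed and drop:
                drop -= 1
            elif armed:
                samples.append(idle)
            idle, armed = 0, True
    return samples

def consecutive_backoffs(events, node):
    """Test 5 samples: idle slots between two transmissions of `node` with no
    other transmission or collision in between."""
    samples, idle, prev_was_node = [], 0, False
    for ev in events:
        if ev[0] == "idle":
            idle += ev[1]
        elif ev[0] == "tx" and ev[1] == node:
            if prev_was_node:
                samples.append(idle)
            idle, prev_was_node = 0, True
        else:
            idle, prev_was_node = 0, False
    return samples

def mean(xs):
    return sum(xs) / len(xs) if xs else 0.0

def nominal(events, sampler):
    """Nominal value from the access point's own (protocol-compliant) traffic,
    falling back to the analytical value when the AP has too few samples."""
    ap = sampler(events, "AP")
    return mean(ap) if len(ap) >= MIN_SAMPLES else ANALYTICAL_NOMINAL

def run_tests(events, node):
    """Deviation estimation per test, then output_x := 1 if its condition holds."""
    actual = actual_backoffs(events, node)
    consec = consecutive_backoffs(events, node)
    return {
        "actual": int(bool(actual) and mean(actual) < FRACTION_T4 * nominal(events, actual_backoffs)),
        "consecutive": int(bool(consec) and mean(consec) < FRACTION_T5 * nominal(events, consecutive_backoffs)),
        "maximum": int(bool(actual) and max(actual) < MAX_THRESHOLD),
    }

def classify(outputs):
    """Aggregation: weighted sum of the test outputs, normalized to 1, against a threshold."""
    score = sum(WEIGHTS[t] * outputs[t] for t in WEIGHTS) / sum(WEIGHTS.values())
    return score, int(score >= DECISION_THRESHOLD)

def demo(rounds=20000):
    """A, B and the AP use CWmin = 32; C cheats by halving its contention window."""
    nodes = ["AP", "A", "B", "C"]
    events = simulate(nodes, {"AP": CW_MIN, "A": CW_MIN, "B": CW_MIN, "C": 16}, rounds)
    result = {}
    for n in nodes[1:]:
        outputs = run_tests(events, n)
        result[n] = (outputs, classify(outputs)[1])
    return result

if __name__ == "__main__":
    for node, (outputs, cheater) in demo().items():
        print(node, outputs, "cheater" if cheater else "ok")
```

C is caught by the actual backoff test and, because its backoffs never reach CWmin/2, by the maximum backoff check, while A and B pass both; the weighted sum then puts C above the threshold and keeps a possible spurious Test 5 output alone below it.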
Scrambled Transmission Control Protocol Packets with Forged Medium Access Control Acknowledgments
The second downlink attack described in chapter 2 is more important than the first one. It is also the most difficult to detect, because the access point cannot hear the collisions. In addition, DOMINO cannot rely on the number of retransmissions to discover this misbehavior, since the cheater forges the medium access control acknowledgments corresponding to the scrambled frames. Two complementary mechanisms, which implement the deviation estimation and anomaly detection components of the test in the system architecture, have been devised to cope with this technique. First, DOMINO measures the throughputs of the downlink flows; if there is a receiver that draws most of the traffic, DOMINO suspects it as a potential cheater. Because of the diverse requirements of users, however, throughput alone is not a trustworthy detection metric. Therefore, dummy frame probing is used to confirm or reject the suspicion. Dummy frame probing consists in sending dummy frames to nonexistent nodes: if a medium access control acknowledgment follows any of these frames, there is a cheater in the network. Longer throughput observations are then required to determine the cheater's identity. The anomaly detection component is formed by combining dummy frame probing with throughput comparison [1].

A cheater could keep a list of nodes that never reply with a medium access control acknowledgment (i.e., virtual nodes) in order to avoid reacting to the dummy frames. To detect such a cheater, false acknowledgments must be generated for the dummy frames, so that it becomes difficult for the cheater to tell the dummy frames from the real ones. On the other hand, it is profitable for a cheater to attack only the connections with high throughput. Therefore, to be effective, the dummy frames have to be generated frequently and at a high rate, so that they act as a trap for the cheater. The most important feature of the dummy frames is that they provide a highly discriminating test: a simple model suffices to raise a very strong suspicion, even with dummy frames generated during a short period of time.
DOMINO achieves high detection accuracy in the many kinds of scenarios that have been evaluated. The system is robust to many factors, such as the type of traffic, that can affect the performance of other detection techniques. Consequently, both efficiency and applicability to real networks are the main characteristics of the proposed solution. Another significant contribution of this work is the cheating and detection prototype that has been implemented [1].

3.1.2 Related Issues
Hidden Nodes
Hidden nodes might have a negative effect on DOMINO. For instance, if the access point sees two nodes A and B that cannot see each other, A might sense the medium idle while the access point senses it busy because B is transmitting. Consequently, A's backoff counter keeps decrementing, and when A then transmits a frame, the backoff measured at the access point is less than the actual value. After many repetitions of this scenario the detection mechanism would wrongly suspect A. For uplink traffic with hidden nodes, tolerating some misbehavior can be used to reduce false positives [1].

Security
DOMINO could be used to mount hybrid attacks that take advantage of both security flaws and medium access control vulnerabilities. For instance, a cheater might impersonate a cooperating node in order to trigger its punishment and, possibly, its disconnection from the network by the operator. However, a deauthentication attack, which is easier to carry out, has the same effect without involving the punishment policy. Moreover, recent security mechanisms like Wi-Fi Protected Access and IEEE 802.11i restrict the effectiveness of such hybrid attacks: since the cheater has no knowledge of the encryption key of the impersonated host, it cannot convey useful data in the forged frames. Furthermore, any such attack incurs an overhead on the cheater from the forged frames it has to send. The solution to these attacks lies in the use of enhanced security mechanisms together with DOMINO [1].

Adaptive Cheating
Adaptive cheating denotes the set of misbehavior techniques that rely on some knowledge of how DOMINO works. For instance, a cheater can switch between several techniques often enough that DOMINO fails to collect sufficient data to discover any of them. However, since the cheater does not know the detection parameters, such as the monitoring period and the thresholds, it is not easy to adapt to the detection system so as to evade being caught.
If system administrators keep the default detection parameter values at installation, cheaters can exploit these values to adapt their techniques. However, different environments result in different parameter values even when the defaults are considered. Therefore, it is not easy for the cheater to adapt to another access point and its parameters.
Another way of deceiving DOMINO is to use techniques that disable certain tests. For instance, a cheater could deliberately generate collision-like signals to trick the actual backoff test, or never transmit two consecutive non-interleaved frames to trick the consecutive backoff test. However, any such technique visibly raises the cheater's overhead (e.g., in terms of interframe delay), so that the throughput gain over the other nodes may no longer compensate for it [1].

Choice of the Detection Parameters
The performance of DOMINO depends on the choice of the right parameters. The parameters must be set when the access point is installed, and the choice depends on the environment in which the system operates. In practice, system administrators need to run a series of tests in each case. The values obtained in the simulated environment of paper [1] give a good trade-off between a high detection ratio and a low misdetection ratio; other values degrade one or both of the ratios. It is not useful to use a large monitoring period, as that would only result in a slower response of the detection mechanism. In a real setting, administrators could begin with default values and then adjust them as appropriate. Techniques like the site surveys run by cellular and wireless network operators can also provide the default values [1].

Monitoring Period
The data needed for detection is collected during configurable intervals of time in order to avoid overloading the access point with per-frame computations. The detection mechanism is run at the end of every interval. Another benefit of this method over a per-frame detection approach is the ability to gather more statistical data and thus raise the accuracy. Additionally, since IEEE 802.11 has been shown to be short-term unfair, its long-term fairness is more trustworthy for drawing conclusions about misbehavior. Hence, the monitoring period has to be long enough to rely on long-term fairness. On the other hand, taking the typical bit rates into account, monitoring periods can be quite short and still prevent the cheater from obtaining large advantages before being detected. For instance, assuming 500-byte packets and a 7 Mbps data rate (the maximum effective IEEE 802.11b rate) shared equally among 50 nodes, the access point can collect about 350 backoff values per node in 10 seconds [1].

3.1.3 Punishing Function
Cooperating nodes may get a smaller throughput share than cheating nodes. The punishing function assigns larger backoffs to cheating nodes, as a punishment, than to cooperating nodes. When the receiver detects a deviation, it computes the deviation with the following formula:
Deviation = max(specified fraction x assigned backoff - observed number of idle slots, 0).
The computed deviation is then given as a penalty to the sender. An additional penalty is needed to effectively penalize misbehaving nodes:
Total penalty = sum of the deviations + additional penalty.
The next backoff value assigned to the deviating sender is the sum of a random value chosen from the range [0, CWmin] and the total penalty. Therefore, the deviating sender has to back off for a longer interval before initiating its next transmission than it would have needed to without the penalty [5].
A cooperating sender could also be penalized by the penalty function if it is mistakenly considered a cheater. This can happen when the channel conditions at the cooperating sender differ significantly from those at the receiver. The additional penalty for every perceived deviation is there to prevent a misbehaving node from adapting to the protocol parameters and thereby gaining a throughput benefit over cooperating nodes. With the penalty function enabled, the average throughput obtained by cooperating nodes is comparable to that obtained with the IEEE 802.11 protocol [5].
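The penalty computation above, carried out on the receiver side over a sequence of frames, as an added example written for this thesis (not the implementation of [5]): the fraction 0.8, the additional penalty of 5 slots, the frame count and the two sender models (one that idles for the whole assigned backoff, one that idles for only half of it) are assumptions.

```python
"""Receiver-side penalty function for receiver-assigned backoff, following the
scheme of [5] as summarised above.  Example code written for this text, not
the authors' implementation; the constants and the sender models are assumptions."""
import random

CW_MIN = 31          # the receiver assigns backoffs from [0, CW_MIN]
FRACTION = 0.8       # "specified fraction": tolerance for differing channel conditions
EXTRA_PENALTY = 5    # additional penalty added on every perceived deviation

def deviation(assigned, observed_idle):
    """Deviation = max(fraction * assigned backoff - observed idle slots, 0)."""
    return max(FRACTION * assigned - observed_idle, 0)

def next_backoff(assigned, observed_idle, rng, penalize=True):
    """The receiver's next assignment: a random value in [0, CW_MIN] plus the
    total penalty (deviation + additional penalty) when a deviation was seen.
    Returns (next assigned backoff, penalty applied)."""
    dev = deviation(assigned, observed_idle)
    penalty = dev + EXTRA_PENALTY if (penalize and dev > 0) else 0
    return rng.randint(0, CW_MIN) + penalty, penalty

def run_sender(obey_fraction, frames=20, seed=7, penalize=True):
    """Exchange `frames` frames with a sender that idles for only
    obey_fraction * assigned slots (1.0 = protocol-compliant).  Returns
    (idle slots actually spent, total penalty the receiver imposed)."""
    rng = random.Random(seed)
    assigned, spent, penalties = rng.randint(0, CW_MIN), 0, 0
    for _ in range(frames):
        observed = int(assigned * obey_fraction)   # idle slots the receiver counts
        spent += observed
        assigned, penalty = next_backoff(assigned, observed, rng, penalize)
        penalties += penalty
    return spent, penalties

if __name__ == "__main__":
    print("compliant sender     ", run_sender(1.0))
    print("sender idling 50%    ", run_sender(0.5))
    print("same, penalty disabled", run_sender(0.5, penalize=False))
```

The compliant sender never accumulates a penalty, because the fraction leaves room for a few slots of measurement disagreement; the sender that honours only half of each assignment is pushed to idle longer in total than it would with the penalty disabled, which is the effect that restores the cooperating nodes' throughput share.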
3.2 Robust Detection System
The carrier-sense multiple-access with collision avoidance protocol depends on randomly delaying packet transmissions both for contention resolution and for the efficient use of the shared channel among the nodes in a network. Being a completely distributed algorithm, its correct operation assumes that all nodes follow the protocol. The software parameters of wireless devices can, however, easily be altered so as to gain unfair access to the network (selfish behavior) or to prevent other nodes from accessing it (denial-of-service attack) [3].
Selfish behavior has been studied for many years, usually under a game theoretic framework. Selfish nodes are necessarily exposed: their objective is to increase their own transmissions in the network, which makes their traffic amenable to statistical analysis and recognition. Stealth, on the other hand, is the essence of medium access control denial-of-service attacks: to carry out the attack, the attacker does not have to appear at all. Critically, medium access control denial-of-service attacks need only a tiny amount of power, since only particular parts of the other nodes' transmissions have to be targeted to succeed.
Protocol-aware jammers are jammers that know the medium access control protocol of the network they jam. As a result, medium access control denial-of-service attacks using such intelligent jamming are much easier and more effective to implement, and their effect on network performance is often disastrous: an energy-efficient stealthy jammer can corrupt selected control packets and reduce the network throughput down to zero. On the other hand, both the random operation of the carrier sense multiple access with collision avoidance protocol and the nature of the wireless medium make the network conditions appear different to different nodes. Therefore, it is difficult to know which errors are produced by a surge in the number of legitimate nodes, as in hotspots, and which by malicious nodes. It is assumed that all transmission errors, legitimate or malicious, are produced by simultaneous transmissions of other nodes; in other words, all errors are collisions [3].
In this section we study medium access control vulnerabilities, specifically those related to intelligent jammers, i.e., jammers that operate using knowledge of the medium access control layer protocol. Some researchers have proposed modifications to the IEEE 802.11 distributed coordination function that account for an increase in the number of collisions in the network. While such approaches may discover several attacks, modifying the protocol requires updating the installed IEEE 802.11 base, which makes deployment difficult. The system described here needs no modification of the IEEE 802.11 protocol. Other related work investigates methods for implementing more effective attacks; some of those attacks are used as benchmarks for the performance evaluation of this detection system. To build jamming attack detection, it is first shown that the probability that a node is contributing to an observed collision can be determined by tracking its successful transmissions. Then the concept of collision explainability is introduced, i.e., the probability that the events observed in the network can explain a collision. Next, the distribution of the explainability of collisions, which is quite sensitive to jamming attacks, is introduced. Finally, a jamming attack is detected by detecting the event that the distribution of collision explainability diverges significantly from the one observed under normal operating conditions. This is done using a robust nonparametric Kolmogorov-Smirnov detector [3].
3.2.1 Medium Access Control Denial-of-Service Detector
If the number of competing nodes in the network were known, the distribution of the sequence of collision explainabilities e(c_i) could be used directly as the observations for discovering a jamming attack; in practice this number is not known. In this part we describe how to keep track of the number of competing nodes, and then explain the implementation of a robust medium access control denial-of-service detector [3].

Tracking the Number of Competing Nodes
We now estimate the number of competing nodes (i.e., the number of nodes that have something to send) in an IEEE 802.11 distributed coordination function network. Prior estimators rely on the assumption that there is a functional relationship between the collision probability and the number of competing nodes. Unfortunately, under a medium access control jamming attack that relationship no longer holds, because a jammer raises the number of collisions without changing the number of competing nodes. Instead, Toledo et al. [3] propose to estimate the number of competing nodes $N$ directly from the successful transmissions observed in the network. A node is certainly competing when one of its successful transmissions is observed. However, the moment at which a node stops competing (i.e., it has no more data to send) cannot be observed after its last successful transmission: if some time has passed since the last successful transmission of a node, it may be because the node has really emptied its buffers, or because it is suffering repeated collisions. Below we describe how to decide how long to wait after the last successful transmission of a node before concluding that the node is no longer competing.
The following algorithm computes the collision explainability, which is used later in the jammer detection algorithm [3].
Algorithm 1: Calculation of Collision Explainability
1) Observe the network until a successful transmission from any node is seen. Let that be a transmission from node $n \in \{1, \dots, N\}$.
2) Denote by $\{c_1, c_2, \dots, c_C\}$ the sequence of collisions and by $\{t_0, \dots, t_K\}$ the sequence of idle slots observed in the network since the last successful transmission of node $n$.
3) Compute the contribution of $n$ to the collisions $\{c_1, c_2, \dots, c_C\}$, i.e. $p(x_1^n \mid t_0, \dots, t_K), \dots, p(x_C^n \mid t_0, \dots, t_K)$, by marginalising the joint posterior over the other nodes [3]:
$$p(x_i^n = 1 \mid t_0, \dots, t_K) = \sum_{x_i^n = 1} p(x_i^1, \dots, x_i^N \mid t_0, \dots, t_K),$$
where $x_i^n$ is the indicator that node $n$ was involved in collision $c_i$ and the sum runs over all joint configurations in which $x_i^n = 1$.
4) For those collisions $c_i \in \{c_1, c_2, \dots, c_C\}$ for which all of the $p(x_i^j \mid \cdot)$, $j = 1, \dots, N$, are known (where $N$ is the number of competing nodes in the network), compute $e(c_i)$ given by the explainability expression of [3]:
= l k)...... Tl-l
X tf)....tfv)
5) Go to Step 1 [3].
The number of competing nodes used in Algorithm 1 is computed as follows. Let $N'$ be the total number of nodes that have been observed transmitting in the network so far, and let $T_n$ be the number of idle slots since the last successful transmission of node $n$. Initially $T_n = 0$ for $n = 1, \dots, N'$. Then, as $T_n$ grows, one of two events happens for each node $n$: either a new successful transmission from node $n$ is observed, or $T_n$ exceeds $\tau$, where $\tau$ is chosen as described above. Let $\{c_1, \dots, c_p\}$ be the sequence of collisions in the network since the last successful transmission of node $n$. If the successful transmission happens first, then node $n$ was clearly competing at collisions $\{c_1, \dots, c_p\}$. If instead $T_n > \tau$ happens first, then node $n$ was not competing at collisions $\{c_1, \dots, c_p\}$. Counting the nodes that were competing at each collision $c_i$ gives the number of competing nodes $N(c_i)$ at that collision [3].
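As an added illustration of this tracking procedure (this code is not from the thesis or from [3]; the event format, the function name `track_competing_nodes`, the handling of collisions that precede a node's first observed success, and the sample trace are assumptions constructed for the example), the following Python replays a monitored sequence of successes, collisions and idle slots and resolves $N(c_i)$ for each collision once every candidate node has either succeeded again or exceeded $\tau$ idle slots since its last success:

```python
from typing import Dict, List, Set, Tuple

# One monitored event: ("success", node_id), ("collision", None) or ("idle", None).
Event = Tuple[str, object]


def track_competing_nodes(events: List[Event], tau: int) -> Dict[int, int]:
    """Replay a monitored slot sequence and return N(c_i) for every collision
    whose competing-node count has been resolved.

    A node becomes known at its first observed successful transmission and is
    treated as a candidate until either (a) it succeeds again, in which case it
    was competing at every collision since its previous success, or (b) T_n,
    its count of idle slots since that success, exceeds tau, in which case it
    was not competing at those collisions. Assumption of this example: collisions
    before a node's first success are never attributed to it, which is the first
    error source discussed in the text.
    """
    idle_since_success: Dict[int, int] = {}   # T_n for each known, still-active node
    window: Dict[int, List[int]] = {}         # collisions seen since node n's last success
    undecided: Dict[int, Set[int]] = {}       # collision -> nodes whose status is still open
    competing: Dict[int, int] = {}            # collision -> nodes confirmed competing
    resolved: Dict[int, int] = {}             # collision -> final N(c_i)
    n_collisions = 0

    def settle(c: int) -> None:
        # N(c_i) is final once no active node has an open decision for it.
        if not undecided[c] and c not in resolved:
            resolved[c] = competing[c]

    for kind, node in events:
        if kind == "success":
            if node in window:
                # Success before T_n > tau: node was competing at all collisions in its window.
                for c in window[node]:
                    competing[c] += 1
                    undecided[c].discard(node)
                    settle(c)
            # Start a fresh window; T_n restarts at zero.
            idle_since_success[node] = 0
            window[node] = []
        elif kind == "collision":
            c = n_collisions
            n_collisions += 1
            competing[c] = 0
            undecided[c] = set(window)        # every active node is a candidate
            for active in window:
                window[active].append(c)
            settle(c)                         # resolves immediately if no node is active
        elif kind == "idle":
            for active in list(window):
                idle_since_success[active] += 1
                if idle_since_success[active] > tau:
                    # Timeout before a new success: node was not competing in its window.
                    for c in window[active]:
                        undecided[c].discard(active)
                        settle(c)
                    del window[active]
                    del idle_since_success[active]
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return resolved


# Constructed trace (not from the thesis): nodes 1 and 2 succeed, one collision
# follows, node 1 succeeds again, then the channel stays idle long enough for
# node 2 to time out, and a second collision happens with no active node left.
SAMPLE_TRACE: List[Event] = (
    [("success", 1), ("success", 2), ("collision", None), ("idle", None), ("idle", None),
     ("success", 1)]
    + [("idle", None)] * 6
    + [("collision", None), ("success", 1)]
)

if __name__ == "__main__":
    print(track_competing_nodes(SAMPLE_TRACE, tau=5))   # {0: 1, 1: 0}
```

On the sample trace the first collision is resolved with one competing node (node 1 succeeded again before its timeout, node 2 timed out), while the second collision happens with no active node at all and is resolved as $N(c_i) = 0$, which is exactly the kind of collision the detector below should find hard to explain.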
There are two potential sources of error in this procedure. In the first case, a node begins competing for the first time, and the algorithm only notices it once one of its transmissions succeeds. The first transmissions of a node need not be successful: before its first success a node needs on average $1/(1 - p_c)$ attempts, i.e. it suffers on average $p_c/(1 - p_c)$ collisions, and those collisions are not attributed to it. In the second case, a node stops competing and then starts competing again less than $\tau$ idle slots after its last successful transmission. This can cause the algorithm to conclude mistakenly that the node never stopped competing. The two types of error are only correlated if the rate at which a node leaves and rejoins the contention is on the same time scale as two consecutive transmissions, which is improbable. Finally, the errors are not amplified by the presence of a jammer, because the algorithm takes the observed collision probability of the network into account: in the presence of a jammer the observed collision probability $p_c$ rises, and the algorithm waits for more idle slots before concluding that a legitimate node has stopped competing [3].

Sequential Denial-of-Service Detector
This detector discriminates between normal operation of the network, characterised by a probability distribution $f_0$, and abnormal operation, characterised by an unknown probability distribution $f_1$.
The sequence of explainabilities of collisions $e(c_i)$ is used as the observation variable of the hypothesis testing problem: $\{e(c_1), \dots, e(c_K)\} \sim f_i$, $i = 0, 1$. Because the distribution $f_1$ in the presence of a jammer is unknown, it is important to use a distribution-free, or nonparametric, approach to the detection. Consequently we use the M-truncated sequential Kolmogorov-Smirnov test.
The Kolmogorov-Smirnov test is the most widely used goodness-of-fit test for continuous data. It is based on the empirical distribution function, which converges uniformly and almost surely to the true population cumulative distribution function (Glivenko-Cantelli theorem). The Kolmogorov-Smirnov test is the most powerful two-sample test for which the distribution of the statistic is known, and this property is used to design a sequential test based on it. The test compares the empirical distribution function $F_1$ obtained from the data samples with the hypothesised cumulative distribution function $F_0$, and decides whether $F_1 = F_0$, $F_1 < F_0$ or $F_1 > F_0$. The following test is used for the jamming detection problem [8]:
$$H_0 : F_1 = F_0 \ \text{(no jamming)}, \qquad H_1 : F_1 \neq F_0 \ \text{(jamming)}. \qquad (1)$$
Define $F_0$ as the cumulative distribution function of the sequence of explainabilities of collisions in an IEEE 802.11 distributed coordination function network with $N$ competing nodes when there is no jammer in the network. Then, for a given sequence of $C$ collisions $\{c_1, c_2, \dots, c_C\}$ in the network, the reference distribution for the test in (1) is given by
$$F_0(x) = \frac{1}{C} \sum_{i=1}^{C} F_0^{N(c_i)}(x), \qquad (2)$$
where $N(c_i)$ is the number of competing nodes in the network at collision $c_i$, computed with the procedure described in the previous section. The normal behaviour of the IEEE 802.11 distributed coordination function when no jammer is present is represented by the family of cumulative distribution functions $\{F_0^j : j = 0, 1, 2, \dots\}$, one per number of competing nodes, which can be computed offline by simulation and preloaded in the detector. On the other hand, $F_0$ depends on the actual number of competing nodes during the observation period, so it has to be computed online. Let $\{e(c_1), \dots, e(c_C)\}$ be the corresponding sequence of explainabilities of collisions, and let the empirical distribution function of the observations for the test in (1) be given by
$$F_1(e(c_j)) = \frac{1}{C} \sum_{i=1}^{C} \mathbf{1}\{e(c_i) \le e(c_j)\}. \qquad (3)\ [8]$$
The Kolmogorov-Smirnov test statistic $D$, defined as the maximum difference between the two cumulative distribution functions, $D = \max_{-\infty < x < +\infty}\{F_1(x) - F_0(x)\}$, can be computed over the observations as
$$D = \max_{1 \le i \le C}\{F_1(e(c_i)) - F_0(e(c_i))\}, \qquad (4)\ [8]$$
$$\lambda(D) = \max\left\{\left(\sqrt{C} + 0.12 + \frac{0.11}{\sqrt{C}}\right) D,\ 0\right\}, \qquad (5)\ [8]$$
$$\beta = 1 - (1 - \alpha)^{1/M}, \qquad (6)\ [8]$$
where $C$ is the number of samples (i.e., collisions) and $M$ is the maximum stage of the M-truncated sequential Kolmogorov-Smirnov test with probability of false alarm $\alpha$. Then, at any stage of the test, the hypothesis $H_0$ is rejected if $P < \beta$, where
$$P = e^{-2\lambda(D)^2}. \qquad (7)\ [8]$$
Finally, the algorithm for detecting the presence of a jammer in the network is given in Algorithm 2 [8].
Algorithm 2: Detecting jamming attacks using the M-truncated sequential Kolmogorov-Smirnov test with $P_{FA} = \alpha$
1) $m \leftarrow 0$.
2) $\beta \leftarrow 1 - \sqrt[M]{1 - \alpha}$.
3) $m \leftarrow m + 1$.
4) Let $\{e(c_i), \dots, e(c_{i+C})\}$ be the last values returned by Algorithm 1, and $\{N(c_i), \dots, N(c_{i+C})\}$ the number of competing nodes at each $c_i$, calculated as in Section 3.2.1.
5) Update $F_0$ with the newly calculated numbers of competing nodes $\{N(c_i), \dots, N(c_{i+C})\}$ using (2).
6) Update the empirical distribution function $F_1$ with the observations $\{e(c_i), \dots, e(c_{i+C})\}$ using (3).
7) Calculate the significance level $P$ of the stage as in (7).
8) if $P < \beta$ then
9)   Reject $H_0$: the network is behaving abnormally (e.g., there is a jammer in the network).
10) else if $m = M$ then
11)   Do not reject $H_0$: the network is behaving normally.
12) else
13)   Go to Step 2.
14) end if [8]
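The following Python implementation of Algorithm 2 is an added example, not code from the thesis or from [3] and [8]. It implements (2) to (7) directly in pure Python; the preloaded no-jammer CDFs $F_0^j$ are stand-in samples constructed here rather than the simulated curves of [3], and the batch format, the function names and the sample observation batches are assumptions of the example:

```python
import math
from bisect import bisect_right
from typing import Callable, Dict, List, Sequence, Tuple

CDF = Callable[[float], float]


def ecdf(samples: Sequence[float]) -> CDF:
    """Empirical distribution function F(x) = (1/n) * #{s_i <= x}, as in (3)."""
    ordered = sorted(samples)
    n = len(ordered)
    return lambda x: bisect_right(ordered, x) / n


def reference_cdf(preloaded: Dict[int, CDF], n_at_collision: Sequence[int]) -> CDF:
    """F_0 of (2): the average of the preloaded no-jammer CDFs F_0^{N(c_i)},
    one term per observed collision, so it follows the actual N(c_i)."""
    terms = [preloaded[n] for n in n_at_collision]
    C = len(terms)
    return lambda x: sum(f(x) for f in terms) / C


def ks_stage(observations: Sequence[float], F0: CDF) -> Tuple[float, float, float]:
    """One stage of the test: D of (4), lambda(D) of (5) and P of (7)."""
    C = len(observations)
    F1 = ecdf(observations)
    D = max(F1(e) - F0(e) for e in observations)
    lam = max((math.sqrt(C) + 0.12 + 0.11 / math.sqrt(C)) * D, 0.0)
    P = math.exp(-2.0 * lam * lam)
    return D, lam, P


def stage_threshold(alpha: float, M: int) -> float:
    """beta of (6): per-stage threshold so that M stages give overall false-alarm alpha."""
    return 1.0 - (1.0 - alpha) ** (1.0 / M)


def sequential_ks_detector(batches, preloaded, alpha=0.05, M=5):
    """Algorithm 2. `batches` is a list of (explainabilities, competing-node counts)
    pairs, one per stage, as Algorithm 1 and the tracker of Section 3.2.1 would
    return them. Observations accumulate across stages (steps 5 and 6).
    Returns ("jamming", stage, P) or ("normal", stage, P)."""
    beta = stage_threshold(alpha, M)
    all_e: List[float] = []
    all_n: List[int] = []
    P = 1.0
    for m, (e_values, n_values) in enumerate(batches[:M], start=1):
        if len(e_values) != len(n_values):
            raise ValueError("each collision needs one e(c_i) and one N(c_i)")
        all_e.extend(e_values)
        all_n.extend(n_values)
        F0 = reference_cdf(preloaded, all_n)   # step 5, equation (2)
        _, _, P = ks_stage(all_e, F0)          # steps 6 and 7, equations (3)-(5), (7)
        if P < beta:                           # step 8
            return ("jamming", m, P)
    return ("normal", min(len(batches), M), P)


# Constructed stand-ins for the offline-simulated no-jammer CDFs F_0^j (not the
# real curves from [3]): explainability samples for 2 and 3 competing nodes.
PRELOADED_SAMPLES: Dict[int, List[float]] = {
    2: [0.80, 0.85, 0.88, 0.90, 0.92, 0.94, 0.96, 0.97, 0.98, 0.99],
    3: [0.70, 0.78, 0.82, 0.86, 0.89, 0.91, 0.93, 0.95, 0.97, 0.98],
}
PRELOADED: Dict[int, CDF] = {j: ecdf(s) for j, s in PRELOADED_SAMPLES.items()}

# Constructed observation batches: the first replays the no-jammer samples, the
# second has explainabilities far below anything a legitimate contention produces.
NORMAL_BATCHES = [(PRELOADED_SAMPLES[2], [2] * 10), (PRELOADED_SAMPLES[3], [3] * 10)]
JAMMED_BATCHES = [([0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50], [2] * 10)]

if __name__ == "__main__":
    print(sequential_ks_detector(NORMAL_BATCHES, PRELOADED, alpha=0.05, M=3))
    print(sequential_ks_detector(JAMMED_BATCHES, PRELOADED, alpha=0.05, M=3))
```

With $\alpha = 0.05$ and $M = 3$ the per-stage threshold is $\beta \approx 0.017$; the normal batches give $D \approx 0$ and $P \approx 1$ at every stage, while the jammed batch gives $D = 1$ and a vanishing $P$, so $H_0$ is rejected at the first stage. Note that $D$ in (4) is one-sided (only $F_1$ above $F_0$ counts), which is what makes a drop in explainability visible.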

4. Conclusion and Recommendations
The adverse effects that selfish behaviour at the medium access control layer has on the performance of wireless networks are similar to the effects of denial-of-service attacks. In this thesis we focused on both types of misbehaviour (selfish and malicious) and on the corresponding prevention and detection systems. We chose two detection methods that do not require any modification to the existing IEEE 802.11 protocols, which makes them more practical to deploy in current wireless networks. Below we summarise the main features of the DOMINO and Robust detection systems and propose some recommendations for future work.
DOMINO Detection System
The DOMINO detection system does not require any modification to the medium access control protocol. The system is implemented at the access point, which is assumed to be trusted. DOMINO provides several procedures for detecting misbehaviours that alter protocol parameters. Traffic traces of the sending hosts are collected periodically during short intervals of time called monitoring periods. The gathered data is passed to six tests within the DOMINO algorithm, each of which corresponds to a designated misbehaviour. The result of each test is then fed into a decision-making component, which infers whether a particular node is misbehaving, after which a reaction scheme is invoked. A node is declared misbehaving when its cheat counter exceeds a certain threshold. Detected misbehaving nodes are then punished using a punishing function.
The simulations presented by Raya et al. [1] show the following for the throughput and backoff of cheating and well-behaved nodes:
- The cheater obtains higher throughput at the expense of the well-behaved node as it increases its misbehaviour.
- As the misbehaviour percentage increases, the cheater's average backoff decreases (thus increasing its chances of grabbing the channel first and boosting its throughput).
Meanwhile, the average backoff of the well-behaved node increases with the misbehaviour percentage (due to collisions and the subsequent growth of its contention window); this explains its decreasing throughput.
Weakness of DOMINO
Even though it reduces false positives in the presence of hidden nodes, DOMINO does not provide an optimal solution to this problem. Moreover, since DOMINO comes with no additional security mechanisms, it cannot completely solve the problem of security attacks. It is also possible for a cheater to move to another access point and adapt to its parameters. Another weakness of DOMINO is the difficulty of detecting misbehaving nodes within short monitoring periods.
A cheater may also know how DOMINO works (adaptive cheating). The detection efficiency against other misbehaviour models has not been verified. In particular, the accuracy and effectiveness of DOMINO are challenged by adaptive cheating strategies. For example, a node could reduce its distributed inter-frame space to 10 μs (the default distributed inter-frame space is 50 μs and a slot is 20 μs) and add two slots to its selected random backoff counter. From the perspective of the monitoring node the misbehaving node then waits a valid total duration, so it is unlikely to be identified. However, this behaviour still causes severe throughput degradation for well-behaved flows because of capture effects.
Some of DOMINO's deficiencies were also pointed out by Cardenas et al. [6]. To evaluate the performance of detection systems, the detection accuracy of DOMINO was compared with that of an entropy-statistic detector and a Wilcoxon nonparametric rank test. The evaluation shows the weakness of DOMINO compared with the other detection systems.

Robust Detection System
The Robust detection system can operate without modifying the protocol implementation. The system detects medium access control layer denial-of-service attacks (i.e., jamming) in carrier sense multiple access with collision avoidance networks by computing the probabilities with which the competing nodes were involved in each collision, i.e. the explainability of the collisions. The simulations presented by Toledo et al. [3] show that the distribution of the explainability of collisions is an excellent indicator of the presence of jammers and misbehaving nodes in the network, and that it greatly outperforms standard detectors that track changes in the distribution of the collisions themselves. The system can detect any deviation from normal operation, with very short detection latency and high detection accuracy. The distribution of the explainability of collisions remains very sensitive to changes in the network even when the number of competing nodes changes. These features make the system an excellent candidate to serve as a jamming attack indicator.
Recommendations for Future Work
- It is critical to define a well-specified misbehaviour model and a system framework that integrates the different medium access control misbehaviours and their corresponding detection methods.
- The study of more intelligent attack strategies (e.g., colluding attacks, and smart attacks with knowledge of the intrusion prevention and intrusion detection systems), rather than developing systems under the assumption of naive attacks, would build a sound basis for advanced security mechanisms.
- A prevention extension integrated with the DOMINO system:
  - First, update the DOMINO detection system to discover more selfish nodes by adding tests for selfish behaviours that the existing tests do not detect.
  - Second, update the Robust detection system to detect more malicious attacks in addition to denial-of-service attacks.
  - Finally, merge the two detection systems to obtain a complete protection system against medium access control misbehaviour.

1. M. Raya, I. Aad, J.-P. Hubaux and A. El Fawal, "DOMINO: Detecting MAC Layer Greedy Behavior in IEEE 802.11 Hotspots," IEEE Transactions on Mobile Computing, vol. 5, no. 12, pp. 1691-1705, Dec.
2. L. Guang, C. Assi and A. Benslimane, "MAC layer misbehavior in wireless networks: challenges and solutions," IEEE Wireless Communications.
3. A. L. Toledo and X. Wang, "Robust Detection of MAC Layer Denial-of-Service Attacks in CSMA/CA Wireless Networks," IEEE Transactions on Information Forensics and Security, vol. 3, no. 3, pp. 347-358.
4. L. A. Mohammed and B. Issac, "DoS attacks and defense mechanisms in wireless networks," 2nd International Conference on Mobile Technology, Applications and Systems, 8 pp., 15-17 Nov. 2005.
5. P. Kyasanur and N. H. Vaidya, "Selfish MAC layer misbehavior in wireless networks," IEEE Transactions on Mobile Computing, vol. 4.
6. L. Guang and C. Assi, "Cross-Layer Cooperation to Handle MAC Misbehavior in Ad Hoc Networks," Canadian Conference on Electrical and Computer Engineering (CCECE '06), pp. 219-222, May 2006.
7. Y. Rong, S.-K. Lee and H.-A. Choi, "Detecting Stations Cheating on Backoff Rules in 802.11 Networks Using Sequential Analysis," Proc. INFOCOM 2006, 25th IEEE International Conference on Computer Communications, pp. 1-13, April 2006.
8. A. L. Toledo and X. Wang, "Detecting MAC layer collision abnormalities in CSMA/CA wireless networks," presented at the IEEE Int. Conf. Commun., Beijing, China, May 2008.
9. W. Stallings, "IEEE 802.11: wireless LANs from a to n," IT Professional.
10. D. Tang and M. Baker, "Analysis of a Local-Area Wireless Network," Proc. MobiCom, Aug. 2000.