Detecting Greedy Behaviors by Linear Regression in ... - IEEE Xplore

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2009 proceedings

Detecting Greedy Behaviors by Linear Regression in Wireless Ad Hoc Networks Ali Hamieh± , Jalel Ben-Othman± , Abdelhak Gueroui± , Farid Na¨ıt-Abdesselam∓ ± PRISM – University of Versailles, France ∓ LIFL-IRCICA – University of Sciences and Technologies of Lille, France ± {ali.hamieh, jbo, mogue}@prism.uvsq.fr, ∓ [email protected]

Abstract—The CSMA/CA protocol is well known to handle the channel access to various users in wireless ad hoc networks using IEEE 802.11 technology. This protocol requires nodes to wait for some time before initiating a transmission to avoid collisions. As a result, the greedy behavior of some misbehaving nodes can try to lower their waiting time in order to access the channel earlier and penalize the other nodes. In order to avoid this misbehavior, we propose in this paper a model based on measuring the linear regression of nodes’ access time to the channel. We have demonstrated that this model exhibits a linear regression between the different nodes’ access time. This result has been also confirmed by simulations. In this model, each deviation from the estimated slope is considered as a source of cheating from a corresponding node. By using this detection model, we were able to detect most of the misbehaving nodes in wireless ad hoc networks without requiring modifications to the IEEE 802.11 MAC protocol. Index Terms—Ad Hoc Networks, IEEE 802.11 MAC Protocol, Greedy Behavior, Linear Regression.

I. I NTRODUCTION

T

HE IEEE 802.11 DCF function relies on a distributed algorithm that is executed locally on each node to determine the access time periods to the channel. Thus, a node’s misbehavior can appear which is called greedy behavior [1]. A greedy node modifies some parameters of its MAC layer in order to increase its bandwidth, at the expense of other nodes. Simple changes of several protocol parameters in one or in a set of multiple nodes can have devastating effects on the overall network performance. These changes would be too similar to Denial of Service (DoS) [4]. Furthermore, the development of detection and reaction mechanisms of greedy nodes are necessary. IEEE 802.11 MAC protocol has two methods for contention resolution: • A centralized method called PCF (Point Coordination Function). • A fully distributed method called DCF (Distributed Coordination Function). The first one can only be used in infrastructure-based mode while the second is widely used in both infrastructure-based wireless networks as well as ad hoc wireless networks (self This work is supported by ANR (French Research National Agency) under CLADIS grant N. 05-SSIA-0018.

organized networks: without a central authority). In the PCF method, the access point manages the bandwidth sharing among all the connected nodes. On the other hand, the DCF defines a distributed access algorithm based on the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) [8]. The goal of CSMA/CA protocol is to minimize the collisions and to guarantee a fair access to the channel. If a node have a packet to transmit, it senses the medium during an idle period which corresponds to a DIFS (Distributed Inter Frame Space). If the medium is busy, a random backoff interval is selected. The backoff time counter is decremented as long as the channel is idle, then stopped when a transmission is detected on the channel, and then reactivated when the channel is sensed idle again for more than a DIFS. The node transmits when the backoff time reaches 0. In addition, to avoid channel capture, a node must wait a random backoff time between two consecutive transmissions, even if the medium is sensed idle in the DIFS time. The backoff time is uniformly chosen in the interval [0, CW − 1], where CW is the Contention W indow size. At the first transmission attempt CW is equal to CWmin , and it is doubled at each retransmission up to CWmax . If a node data transmission is successful, the node resets its CW to CWmin . The receiver acknowledges a successful reception by transmitting an ACK (ACKnowledge) frame. Taking into consideration the problem of hidden nodes, CSMA/CA uses the Request to Send (RTS) and Clear to Send (CTS) control packets to reserve the channel. Before transmitting, a node sends an RTS frame to the receiver. When the RTS arrives to the destination, it sends back a CTS frame if it is not currently busy. This RTS/CTS exchange, which also contains timing information about the length of the subsequent transmission, known as NAV (Network Allocation Vector), is detected by all nodes within hearing range of either the sender or the receiver or both. These nodes defer their transmissions until the ongoing transmission is complete. A SIFS (Short Inter Frame Space) interval guarantees uninterrupted four-way exchange of successful RTS and then CTS, DATA, and ACK frames. MAC layer misbehavior is possible in network access cards that run the MAC protocol in software rather than hardware (i.e, when using a Linux based computer), allowing an attacker to easily change MAC layer parameters. Our approach of greedy nodes detection in IEEE 802.11

978-1-4244-3435-0/09/$25.00 ©2009 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2009 proceedings

DCF MAC layer is original, as it is based upon the measure of statistical regression. In fact, the idea of our approach can be resumed by the strong linear regression that we have remarked among the time periods of transmission. This strong linear regression is observed in ad hoc mode as well as in infrastructure mode. The rest of the paper is organized as follows: Section II describes the misbehavior techniques at the MAC layer. In Section III, overviews of the related work in the domain of misbehavior are exposed. In Section IV, we introduce the linear regression used in our proposed technique with the details of our method to detect a greedy node. The simulation models and numerical results are given in section V. Finally, we summarize the main contribution of our work and its perspectives in section VI. II. M ISBEHAVIOR T ECHNIQUES Misbehaving nodes are classified into two types. First is called greedy nodes, and the second is called malicious nodes. A greedy node is only concerned about improving its performance even at the expense of other nodes. The second type intends to disrupt normal network operations, like denial of service (DoS) attacks, or jamming the wireless channel to prevent communication, etc. There are multiple ways a greedy node can violate the MAC layer. Some possible scenarios are exposed below [1]: • A node can adjust its backoff time to CWmin or less at all times. • A node may scramble frames sent by other nodes in order to increase their CW. • A node may delay CTS and ACK, or reject RTS and DATA, so the sender doubles its CW and consequently the selfish node gets to transmit. • A node may increase its Network Allocation Vector (NAV) time to prevent other nodes from contending during this period. • A node may also transmit when it senses the channel idle before waiting DIFS time. A cheater may also combine several of the above techniques. In this paper, we focus on the detection of greedy nodes at the MAC layer in ad hoc networks using IEEE 802.11 technology. The related work on this domain is presented in next section. III. R ELATED W ORK Several approaches are proposed for greedy behavior detection in the literature for IEEE 802.11 MAC layer. But nearly all the approaches for ad hoc networks require to modify the MAC layer and they are not able to detect the nodes that cooperate for cheating. MAC layer detection solutions focused on detecting backoff values manipulation. This is due to the fact that backoff values are the easiest to manipulate and the hardest to detect. In [3], the authors proposed a modification to the IEEE 802.11 MAC protocol that simplifies the misbehavior detection. They assume that the receiver is a trusted node like an Access Point (AP) that selects a backoff value and sends it

in the CTS and ACK packets to the sender. The sender is expected to use this backoff value in its next transmission to the receiver. These changes allow the receiver to monitor the sender if it deviates from the protocol by observing the number of idle slots between consecutive transmissions from the sender. If the number of idle slots is less than the assigned backoff time, it may be an indication of a deviation from the protocol. To reduce the throughput of a deviating sender, the receiver penalizes it by assigning a larger backoff value to it next time it needs to transmit (correction scheme). The sender determines misbehaving with high probability to find if the number of its deviations over multiple transmissions, exceeds a predefined threshold. Simulation results showed that the scheme offers an accurate diagnosis of nodes misbehavior if the misbehaving persists, and also the correction scheme works on limiting the throughput of misbehaving nodes to a fair share. Although the scheme works well on a network infrastructure, it is not suitable for ad hoc networks, where receivers can not be trusted. Raya et al. [1] proposed a system called DOMINO for detection of greedy MAC layer in the infrastructure-based networks (as opposed to ad hoc networks). DOMINO is a piece of software installed at the Access Point (AP). It detects and identifies greedy stations, without a need for any changes of the standard protocol. DOMINO does not only focus on the manipulation of the backoff values, but also it is capable to cover mostly all manipulation techniques mentioned in Section II. The AP gathers enough statistical data to detect if the parameters of the MAC protocol have been manipulated. Traffic traces are collected periodically during short intervals of time called monitoring periods. The information gathered by the AP is run through multiple tests to detect misbehavior. Eventually if a node is misbehaving, it has to be caught by one of these tests. The advantage of this scheme is its simplicity, and its high accuracy for detection in a variety of cases. The system is also resilient to several factors, such as traffic types that could affect the performance of other detection systems. As the authors pointed, DOMINO has some open issues. One issue is the security, where a greedy node may impersonate a honest node in order to provoke the punishment function, and gets it possibly disconnected. Adaptive misbehaving is also an issue in DOMINO, where some nodes may exploit the detection system, and avoid being detected by switching enough among several techniques. The authors of [5] propose an extension to the 802.11 CSMA/CA protocol that ensures an uniformly distributed random backoff, when at least the sender or receiver is honest. In their approach, the sender and the receiver exchange some additional commitment information to ensure complete randomness. There are some drawbacks in this approach. For example, the algorithm requires modifications to the 802.11 MAC layer protocol and it does not solve the problem of colluding nodes where both the sender and the receiver pretend to select backoff value of zero. Game-theoretic techniques [9], [10], [11], [12] have been used to develop protocols which are resilient to misbehavior. Game theoretic approach assumes that all users are selfish and rational. Rational hosts always select a strategy that maximizes

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2009 proceedings

their utility (utility is a measure of the benefit obtained by a host). Protocols are designed that reach an equilibrium state called the Nash equilibrium, where a selfish host cannot unilaterally gain any advantage over well-behaved hosts. Intrusion detection and tolerance techniques are used as a tool for diagnosing and tolerating misbehavior [14], [15]. Intrusion detection approaches are based on developing a longterm profile of normal activities, and identifying intrusion by observing deviations from the measured profile. To the best of our knowledge our approach has not been proposed in the literature to detect greedy behavior in ad hoc networks which is based on linear regression. Our method is described in the next section. IV. D ETECTION BY L INEAR REGRESSION A. Basic Idea The basic idea of our approach is the strong dependence between the periods of transmissions of all active nodes. This idea comes from the fact that only one channel is used in the same IBSS (Independent Basic Service Set), and that the main CSMA/CA protocol characteristic guarantees a fairness access to all connected nodes. Thus, let us suppose that we have two nodes (honest and in the status of transmission): S0 and S1 that have the same throughput. S0 begins the transmission before S1 , then S1 should wait (because only one transmission is permitted) until the end of the transmission of S0 , on the other side, the access to the channel of S0 is dependent of the access to the channel of S1 (main characteristic of CSMA/CA). However, if there is one or several greedy nodes in IBSS, this relation between nodes are reduced because the CSMA/CA main characteristics is conversely proportional to the percentage of cheating. In order to know the intensity of this relation, we have used the correlation coefficient which is a statistic measure of relation between two random variables. B. Linear regression The correlation is a measure of the association between two random variables. The correlation coefficient between two random variables, X and Y , is defined as: ρ=

cov(X, Y ) σ x · σy

(1)

The value of the correlation coefficient is between −1 and 1. The sign of ρ indicates the direction of the linear pattern. Values of ρ closer to −1 or 1 indicate a strong correlation, values near 0 indicate absence of a useful relationship. It is possible that X and Y are related by a linear relation: y = a · x + b. The linear regression is to determine an estimation of values a and b to quantify the value of this relation due to the correlation coefficient [7]. The value of a is estimated to ) be cov(X,Y var(X) . We have calculated the correlation coefficient in several scenarios. We have found that this coefficient is very near to 1 in all the scenarios and it varies inversely and proportionally to the percentage of cheating. Thus, we can say that by

using statistical notions there exists a strong linear regression between the instants of nodes access to the channel. Thus, in the majority of cases if S0 began its transmission before S1 at the instant t0 , therefore S1 takes the channel at the instants t1 = a · t0 + b due to the linear regression between the access time to the channel. Note that, a and b depend on the backoff duration, SIFS, RTS, CTS, ACK, the number of active nodes, and the threshold etc. Now, let us suppose that we have only 3 nodes: S0 (honest), S1 (honest) and S2 (greedy). Therefore in the majority of cases if S0 has access to the channel at the instant t0 , the node S1 will have access to the channel in the instant t1 = a · t0 + b. But, in the majority of cases if S2 has access to the channel at the instant t2 , the node S1 will have access to the channel at the instant t1 = q · t2 + z where q is bigger than a (deviation) because the greedy node S2 will have access to the channel in a shorter period in comparison to S0 . Consequently, from this deviations we can detect the cheaters. Moreover, intuitively this slope q increases with the cheat increase. With simulations (see Sect. V), we confirm the exactness of the reasoning. The main features of the proposed model are its simplicity and efficiency for detecting greedy nodes. Also, as our model is passive, there is no communication overhead. In addition, the required storage and computation overhead is very small. C. Detection System In this sub-section, we describe the details of our model to find the greedy nodes at the MAC IEEE 802.11 layer in ad hoc networks. When a node detects a congestion in the network, it triggers the Detection System (1 or 2 as given below) to know that network congestion is caused by greedy attack or by a typical congestion network due to other events. We would like to point out that a cheater with small percentage, which only marginally affects the network (i.e., no congestion), does not cause noticeable damage to the network quality. Moreover, it also does not need to be detected or defended. However, our model can identify greedy nodes, and therefore can detect greedy attack. Congestion estimation has been extensively studied in literature. In this regard, several metrics such as packet delivery ratio, queue length, and throughput have been used as a measure for determining congestion. However, for wireless networks, congestion of a link can be calculated based on the amount of time the channel is utilized or reserved by nodes [16]. We assume in this model that there is a reputation management system similar to CONFIDANT [17], [18]. Using CONFIDANT nodes can monitor and distribute reputation values about other nodes behaviour at the MAC layer. However, CONFIDANT focuses on reputation at the routing layer. We intend to suggest the design of a robust MAC layer reputation system in the near future. We propose two detection systems for misbehavior at the MAC layer. In the first detection system we have assumed that in selection of two nodes only one can be greedy. But in the second one, the two nodes can be cheaters. This system does not require any modifications in the MAC layer. Thus, the

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2009 proceedings

method works even if all nodes does not use it. Moreover, it can detect the cheaters even if there are several greedy nodes. We should notice that all approaches proposed in the literature to detect the misbehaving node in ad hoc networks require modifications on the MAC layer. 1) Detection System 1 : This system is composed of two phases: a) Initialization Phase- It consists of calculating at the beginning the value of the threshold w, defined as the maximum value of the slope that any honest couple of nodes should have. This parameter is necessary for the detection of a cheater. In fact, one supervision node watches the access time to the channel of each neighboring node. After a determined period of supervision, the value of w will be estimated from simulation. However, the value of w can be also estimated theoretically in the following way: taking, εi = yi − a · xi − b, as the difference between the line (estimated by the linear regression) and the point (xi , yi ) for two selected nodes. Thus, the estimator of the residual variance σ ˆε2i is σ ˆε2i =

1 · Σni=1 ε2i . n−2

Therefore, the variance of the slope a of the line, could be calculated using σε2i , σ ˆa2 = n · var(x) where n is the number of simulated points. In this case, we are in the Student-Test where the variance of a random variable is known and an unknown standard deviation. In the Studenttest, for a given level of confidence α, the error over a can be estimated by: a = σ ˆa · tn−2 (1−α)/2 . In our approach, we have taken, tn−2 (1−α)/2 = 3, which corresponds to a 99.7 % confidence level . Thus, the probability that one honest node be detected like a suspect three times (see below) is near to (1 − 0.997)3 = 27 · 10−9 . This is a very good probability for the false detections. Therefore, the proposed threshold is w = a + a , where a = 3 · √

σ ˆε . n·var(x)

We should notice that the threshold w is calculated in the ideal case that is without cheaters. We propose to use this theoretical threshold in little dense network (little traffic). On the other hand, in a dense network, it is better to calculate directlythe error over from the variance n a, beginning n 2 2 a − ( a ) because in that case, we var(a) = i=1 i i=1 i have a lot of statistical results (sufficient pairs). b) Capture Phase- In this phase, the supervision node selects randomly one pair of active nodes, then it calculates the linear regression between the access time to the channel of these two nodes by calculating the slope cov(X, Y ) , a= var(X)

and then calculating the next slope given as: a =

cov(X, Y ) . var(Y )

X(xi ; i = 1, . . . , n) is the access time of S0 and Y (yi ; i = 1, . . . , n) is the access time for the channel of the node S1 of the selected pair. Thus, if the slope, a, (respectively a ) is bigger than a determined threshold w thus the node S0 (respectively S1 ) is considered as being suspected of cheat. Afterward, the supervision node takes another couple and makes the same test of detection and continues in such a way so that all nodes are tested. Note that in this detection system we have assumed that in a selection of two nodes only one node can be greedy. In order to reduce the number of false positives (the false detections), we should suspect at least one node three times before being considered like a cheater. 2) Detection System 2: This detection system works in the same way of the proposed system in the subsubsection IV-C1 but in this one, the two randomly nodes chosen can be cheaters. Thus, if the slop a (or a ´) has deviated from a determined threshold, therefore a node can be cheater or the both. Consequently, in this approach, we propose to do the same detection test with an ideal node which will be defined as being honest from the beginning of simulation. We should notice that this detection system is more efficient than that used in subsubsection IV-C1 because it detects the cheaters even if there are two cheaters in any selection of a couple. We propose this detection system for more effective feasibility. We provide simulation results for this detection system in the next section. D. Separation of traffic Because of the inter-frame duration (i.e., a TCP sources using congestion control and UDP sources), we propose for more precision the separation of the traffic into two parts, TCP part and UDP part. We then apply the detection system on each part which is based on the measure of the linear regression for all traffic using TCP and UDP. E. Adaptation in the Infrastructure Mode Our detection system can be adapted to find the cheaters in the infrastructure mode. In fact, we propose to implement our system of detection only upon the Access Point (AP). Thus neither change nor reconfiguration of wireless cards should be done by user side. Let us notice that the solution is under the whole order of the AP. However, the separation into 2 parts does not work in the infrastructure mode because only MAC layer and the physical layer are implemented on an AP, thus it cannot know the traffic type (TCP, UDP, etc.) that is used by a user. V. S IMULATION We use NS-2 [6] in order to evaluate the correctness of our proposed detection system. The shadowing channel model captures the variations in channel conditions over time and

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2009 proceedings

160 Station Honest

Station Greedy

35 34.2 33.5 135.9

Throughput(packets/s)

Throughput(packets/s)

29.9

12.8

84.3

67.4 61.3 55.6

6.1

47 0

0.1

0.2

0.3

0.5

0.7

0.8

0

0.9

0.1

0.2

0.3

Misbehavior Percentage

Fig. 1. Measured throughput of Honest station with the increasing of the cheating percentage

To determine the impact of MAC layer misbehaviour on adhoc networks, preliminary simulations have been performed. A small network of 9 nodes was considered. All stations were within hearing range of each other. They were sending CBR (Constant Bit Rate) traffic. The frame length was set to 500 bytes. The simulation time is 40 seconds. Each data point is averaged over 30 runs of simulations. The results of these preliminary simulations can be seen in Fig. 1 (respectively Fig. 2) for honest node (respectively greedy node) throughput as a function of the cheating percentage. As seen from those figures, the misbehaving host obtains a large throughput share even when extent of misbehavior is not too high (see Fig. 2). On the other hand, the throughput of well-behaved hosts (see Fig. 1) starts degrading with the increasing of cheat. Hence, the development of detection mechanism of greedy nodes is necessary. B. Simulation Model In this simulation, we have generated randomly different traffic CBR at each execution. The packet size is 512 bytes.

0.8

0.9

1 4 stations 7 stations 10 stations 0.98

(d) ]dB = −10βlog( dd0 ) + XdB [ PPrr(d 0)

A. Impact of Misbehavior

0.7

Fig. 2. Measured throughput of Greedy station with the increasing of the cheating percentage

space by using a Gaussian random variable, XdB , with zero mean and σdB standard deviation. The model is represented as:

0.96

Correlation coefficient

β is called the Path Loss Exponent, d is the distance between the sender and receiver, Pr (d) is the received power and Pr (d0 ) is the power at some reference distance d0 . For free space propagation β is 2 and we use this value in our simulations. The value of σdB is set to 4. To model various levels of misbehavior, we define a coefficient which is called in following Misbehavior Coefficient (MC). A node misbehavior with MC equal to x, signifies that it fixed its Contention W indow (CW ) at (1 − x) × CWmin . Thus, a node with MC=0 has an honest behaviour, whereas a node with MC=1 sends packet without counting down any backoff at all.

0.5 Misbehavior Percentage

0.94

0.92

0.9

0.88

0.86 0.1

0.2

0.3

0.4 0.5 0.6 Misbehavior coefficient

0.7

0.8

0.9

1

Fig. 3. Measure the correlation coefficient with the increasing of the cheating percentage

The network size is 500m×500m and it includes several nodes moving randomly and its initial positions are also random chosen. The channel bit rate is 2 Mbps, and the simulation time is 40 seconds. Each data point is averaged over 30 runs of simulations. 1) Coefficient Results of Correlation: In Fig. 3, we present the simulation results obtained for the correlation coefficient between two nodes, one is honest and the other is cheater with a Misbehavior coefficient that varies from 0 to 1 in an ad hoc networks of 4, 7, 10 nodes under transmissions. Figure 3 indicates that the correlation coefficient decreases with increase of cheating percentage but it stays always near to 1. These results are compatible with our idea ”the strong dependence between the transmissions time of all active nodes and if there is one or several greedy nodes in the IBSS therefore this relation between the nodes will reduced” given in the sub-section IV-A. 2) Results of Linear Regression: For ad hoc network of 20 nodes, the couples (xi , yi ) are drawn in Fig. 4, where xi is the ith access of a node X randomly chosen, and yi , is the ith access of a node Y randomly selected. From this figure we can notice clearly the existence of a linear regression between the time of access to the channel of nodes. These results confirm

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2009 proceedings

(xi,yi)

2.4

2.2

2

Access station y

1.8

1.6

1.4

1.2

1

0.8

0.7

0.8

0.9

1

1.1

Access station x

Fig. 4. nodes

The couple (xi , yi ), the access time to the channel of two honest

the channel of nodes in order to detect the cheaters in IEEE 802.11 DCF MAC layer for ad hoc networks. The correlation is defined here as a measure of the association between two random variables. The proposed system does not need any modification of the MAC protocol. The simulation results of the model are quite promising. In fact, we have been able to detect the cheater in the studied cases with very high degree of confidence. Hence, we have proposed this model as a solution for the detection of greedy nodes in the infrastructure-based wireless networks. Our objective in the future is to use our approach to detect others attacks such as jamming attacks, and to find an effective punishment method to penalize a greedy node when it is caught misbehaving. An effective punishment method must ensure a fair share of the medium without degrading the whole network throughput. R EFERENCES

38 5 stations aS 5 stations aH 10 stations aS 10 stations aH 30 stations aS 30 stations aH

36 34 32 30 28 26 24

Slope

22 20 18 16 14 12 10 8 6 4 2 1 0 0.1

0.2

0.3

0.4 0.5 0.6 Misbehavior coefficient

0.7

0.8

0.9

Fig. 5. The slope of the linear regression. aH: between 2 honest nodes. aS: between greedy node and honest node

our approach of the linear regression to study the problem. We show in Fig. 5 the slope aS between two nodes where one is honest (y-axis) and the other node is greedy (x-axis) with Misbehavior coefficient that varies from 0.1 to 0.9 in ad hoc network of 5, 20 and 30 nodes in transmissions. Also, in the same figure we have plotted the slope aH between 2 honest nodes. Figure 5 indicates that in a network of 5, 10 and 30 nodes the slope between the access time to the channel of a greedy (x-axis) node and the channel access time of a honest node (y-axis) is bigger than the slope between the channel access time of honest couple. We observe that this slope increase with the increasing cheating percentage. Thus, we can conclude from these results that our approach can detect the cheaters with a very high probability. VI. C ONCLUSIONS In IEEE 802.11 based ad hoc networks, by simply manipulating the back-off timer prior transmission, greedy nodes can cause a drastically reduced bandwidth to well behaving nodes. This can result in bandwidth starvation which then causes a denial of service to legitimate nodes. In this study, we have proposed a new model based on the presence of correlation between the different access times to

[1] Raya M, Aad I, Hubaux J-P, and Elfawal A. 2006. DOMINO: Detecting MAC layer Greedy behavior in IEEE 802.11 hotspots. IEEE Transactions on Mobile Computing (TMC), 5(12). [2] Raya M, Hubaux J-P, and Aad I. 2004. DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots. In Proc. of MOBISYS’04. [3] Kyasanur P, Vaidya N. Detection and handling of MAC layer misbehavior in wireless networks. 2003. In Dependable Systems and Networks. [4] Gupta V, Krishnamurthy S, and Faloutsos M. 2002. Denial of service attacks at the mac layer in wireless ad hoc networks. In Proc. IEEE MILCOM. [5] C´ardenas A, Radosavac S, Baras J-S. 2004. Detection and prevention of MAC layer misbehavior for ad hoc networks. In Proc. of SASN. [6] Fall K, Varadhan K. 2003. ns notes and documentation. UC Berkeley, LBL, USC/ISI, Xerox PARC. [7] Dodge Y, Rousson V. 2004. Analyse de r´egression appliqu´e, Dunod. [8] Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. 1997. IEEE standards 802.11. [9] Konorski J. 2001. Protection of Fairness for Multimedia Traffic Streams in a Non-cooperativeWireless LAN Setting. In PROMS, volume 2213 of LNCS. [10] Konorski J. 2002. Multiple Access in Ad-Hoc Wireless LANs with Noncooperative Stations. In NETWORKING, volume 2345 of LNCS. [11] Mackenzie A, Wicker S. 200. Game Theory and the Design of Self-Configuring. Adaptive Wireless Networks. IEEE Communications Magazine, 39(11):126 131. [12] MacKenzie A, Wicker S. 2003. Stability of Multipacket Slotted Aloha with Selfish Users and Perfect Information. In Proc. of Infocom 2003, San Francisco, CA, IEEE. [13] D. Burroughs D, L. Wilson L, and G. Cybenko G. 2002. Analysis of Distributed Intrusion Detection Systems Using Bayesian Methods. In Proc. of IEEE International Performance Computing and Communication Conference. [14] Goseva-Popstojanova K, Wang F, Wang R, Gong F, Vaidyanathan K, Trivedi K, and Muthusamy B. 2001. Characterizing Intrusion Tolerant Systems using a State Transition Model. In Proc. of DARPA Information Survivability Conference and Exposition II (DISCEX01). [15] Sanders W, Cukier M, Webber F, Pal P, and Watro R. 2002. Probabilistic Validation of Intrusion Tolerance. In Digest of Fast Abstracts: The International Conference on Dependable Systems and Networks, Bethesda, Maryland. [16] Jardosh A, Ramachandran K, Almeroth K, and Royer E. 2005. Understanding congestion in IEEE 802.1 lb wireless networks. In Proc. of the 2005 Internet Measurement Conference, (Berkeley, CA, USA), pp. 279292. [17] Buchegger S, Le Boudec J. 2002. Nodes bearing grudges: Towards routing security, fairness, and robustness in mobile ad hoc networks. In Proc. of Tenth Euromicro PDP, Gran Canaria, pp. 403 410. [18] Buchegger S, Le Boudec J-Y. 2002. Performance analysis of the confidant protocol. In Proc. of the 3rd ACM international symposium on Mobile ad hoc networking computing, pp. 226236.