Multivariate Control Chart for the Detection of MAC ...

Available online at www.sciencedirect.com

ScienceDirect Procedia Computer Science 83 (2016) 58 – 65

The 7th International Conference on Ambient Systems, Networks and Technologies (ANT 2016)

Multivariate control chart for the detection of MAC layer misbehavior in mobile ad hoc networks

Mohammed-Alamine El Houssaini (a,*), Abdessadek Aaroud (a), Ali El Hore (a), Jalel BenOthman (b)

(a) Department of Computer Science, Faculty of Sciences, Chouaib Doukkali University, El Jadida, Morocco
(b) Department of Computer Science, Galilee Institute, Paris 13 University, Paris, France

Abstract

The shared nature of the transmission channel in IEEE 802.11 makes the network vulnerable to several attacks, such as MAC layer misbehavior, which can resemble a denial of service attack. A cheating node chooses a smaller backoff timer in an attempt to increase its resources at the expense of other stations that respect the protocol. In this paper, we suggest a novel detection scheme for this attack using a multivariate control chart, a tool already used with great success in industrial management. Our proposed strategy replaces the univariate Shewhart control chart, which already exists in the literature for the detection of greedy nodes, because it reduces the number of control charts. As we will prove by NS-2 simulations, the proposed mechanism does not require any modification to the 802.11 standard, works in real time and is very easy to implement, though it appears somewhat complicated because of the computation of the mean and the covariance matrix in the absence of the MAC layer misbehavior attack.

© 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs.

Keywords: Mobile ad hoc network; IEEE 802.11; MAC layer misbehavior; Statistical process control.

* Corresponding author. E-mail address: [email protected]

1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs doi:10.1016/j.procs.2016.04.099

Mohammed-Alamine El Houssaini et al. / Procedia Computer Science 83 (2016) 58 – 65

1. Introduction

The Distributed Coordination Function (DCF) of the 802.11 protocol [1] is based on a distributed algorithm, executed locally in every node in order to define the transmission instant. Cheating stations (called greedy stations) [2] may exploit this knowledge by modifying the backoff rules with the intention of increasing their throughput and gaining more access to the transmission channel. This MAC layer misbehavior can be performed easily on network cards which integrate the MAC protocol in software rather than in hardware. A greedy node can intentionally modify its backoff rules to increase its throughput and thus its bandwidth to the detriment of honest nodes that respect the 802.11 standard. In this way, the network's performance may be degraded, and this deterioration can resemble a denial of service attack [3]. The need for a detection scheme is therefore urgent.

Several attempts to detect this attack have been proposed in the literature. The most prominent detection methods do not require changes to 802.11. In the same vein, we propose in the present work a novel detection method based on statistical process control (SPC) [4]. SPC has had considerable success in the industrial management context. Our new detection strategy has not previously been presented in the state of the art in the context of MAC layer misbehavior.

This paper is organized as follows. The next section presents the state of the art on research related to MAC layer misbehavior attacks. The third section highlights the Hotelling control chart. The fourth section is dedicated to the presentation of our novel detection method for greedy nodes. The fifth section measures the performance of this detection scheme. Finally, we summarise our work and give perspectives for future work.

2. Related work

Multiple studies in the literature have addressed the subject of MAC layer misbehavior in 802.11 environments. For example:

In [5], the authors simulated MAC layer misbehavior in mobile ad hoc networks through NS-2 and defined new metrics which can be adopted for the detection of, and reaction to, such attacks. They also analysed the network's performance on several metrics in the presence and absence of greedy behaviors. In general, their work characterised the impact of malicious attacks on their predefined metrics.

In [6], the authors addressed the problem of Contention Window (CW) cheating in 802.11b. Using the NS-2 simulator, they demonstrated the impact of greedy nodes on the throughput and the packet delay as a function of the constant bit rate. Their work showed that greedy nodes dominate the use of the network by increasing their throughput and decreasing their packet delay.

The authors in [7] proposed a new scheme for detecting nodes that cheat on the backoff rules. This scheme is based on sequential analysis. They also proposed a new analytical model for 802.11 networks with cheating stations.

The authors in [8] presented a multi-criteria analysis of MAC layer misbehavior, based on the reception throughput and the inter-packets time. This analysis takes into consideration the Random Way Point mobility model. They also introduced new metrics, borrowed from industrial fields, for measuring the process capability of communications in mobile ad hoc networks. The work is, in general, a comparison between the greedy behaviour case and the honest case in terms of performance and capability.

Several schemes have been proposed for the detection of greedy behavior. Here are some solutions which are based on a statistical approach:

The authors in [9] proposed a new statistical algorithm to detect greedy nodes. First, it compares the probability distributions of transmission intervals among all nodes using the Kolmogorov-Smirnov test and separates the nodes into categories according to the test results. Second, the algorithm seeks to pick out the greedy node groups by comparing characteristics among groups.

Another approach [10] applied statistical process control (SPC) to detect greedy behaviors in mobile ad hoc networks based on the reception throughput and the inter-packets time. In this scheme, the Shewhart control chart was used for individual measurements of the metrics (throughput and inter-packets time) to detect MAC layer misbehavior in real time by visual graphs. The proposed method did not require any modifications to the 802.11 protocol, although it is based on the SPC approach to define tolerance intervals.


The next section presents the Hotelling control chart.

3. The Hotelling control chart

In complex processes, instead of monitoring each metric independently with its own control chart, we should use a multivariate control chart which takes into account the relationship between these metrics. Among these charts we find the T2 chart of Hotelling [4]. The Hotelling T2 statistic is defined as follows:

$$T^2 = (X - \bar{X})' \, S^{-1} \, (X - \bar{X}) \qquad (1)$$

where X is a vector of quality characteristics, $\bar{X}$ its mean calculated in the normal case, and S denotes the covariance matrix. The term $(X - \bar{X})'$ refers to the transpose of $(X - \bar{X})$, and $S^{-1}$ to the inverse of S calculated when the process is under control. The upper control limit (UCL) and lower control limit (LCL) are defined as follows [11]:

$$UCL = \chi^2_{\alpha,p} \qquad (2)$$

$$LCL = 0 \qquad (3)$$

where p is the number of quality characteristics observed (degrees of freedom).

The principle of the Hotelling control chart is, therefore, simply to calculate T2 for each sample and to plot this value on a control chart with the upper and lower limits given by equations (2) and (3). In the next section, we propose a new detection method for MAC layer misbehavior attacks which is based on the Hotelling control chart. To the best of our knowledge of the literature, this approach has not yet been proposed to detect such attacks.

4. Proposed detection for the MAC layer misbehavior

The same statistical unit was considered to draw the scatter plot below, which highlights the correlation between the throughput and the inter-packets time. Simulation results are depicted in Figure 1 [8].

[Figure 1: scatter plot of throughput in Mb/s (vertical axis) against inter-packets time in s (horizontal axis)]

Figure 1 Correlation between throughput and inter-packets time

As we can see from Figure 1, there is a strong negative correlation between the throughput and the inter-packets time. In addition, the correlation coefficient was calculated mathematically through this formula:

$$\rho = \frac{\mathrm{cov}(X, Y)}{\sigma_X \cdot \sigma_Y} \qquad (4)$$

This computation showed a coefficient very near to -1 [8].

As demonstrated previously, there is a strong correlation between the throughput and the inter-packets time, thus we can apply the Hotelling control chart to detect the greedy behavior as presented later. We have chosen:

$$X = \begin{bmatrix} D \\ T \end{bmatrix} \qquad (5)$$

where D is the throughput and T is the inter-packets time. Therefore:

$$\bar{X} = \begin{bmatrix} D_0 \\ T_0 \end{bmatrix} \qquad (6)$$

where $D_0$ is the mean throughput and $T_0$ is the mean inter-packets time when the network is without a MAC layer misbehavior attack. The covariance matrix between the throughput and the inter-packets time is:

$$S = \begin{bmatrix} \mathrm{VAR}(D_0) & \mathrm{COV}(D_0, T_0) \\ \mathrm{COV}(D_0, T_0) & \mathrm{VAR}(T_0) \end{bmatrix} \qquad (7)$$

where $\mathrm{VAR}(D_0)$ is the variance of $D_0$, $\mathrm{VAR}(T_0)$ is the variance of $T_0$ and $\mathrm{COV}(D_0, T_0)$ is the covariance between $D_0$ and $T_0$. The inverse of the matrix S can be formulated as:

$$S^{-1} = \frac{1}{\mathrm{VAR}(D_0)\,\mathrm{VAR}(T_0) - \mathrm{COV}(D_0, T_0)^2} \begin{bmatrix} \mathrm{VAR}(T_0) & -\mathrm{COV}(D_0, T_0) \\ -\mathrm{COV}(D_0, T_0) & \mathrm{VAR}(D_0) \end{bmatrix} \qquad (8)$$

From equation (1) we write the Hotelling statistic as:

$$T^2 = \begin{bmatrix} D - D_0 & T - T_0 \end{bmatrix} S^{-1} \begin{bmatrix} D - D_0 \\ T - T_0 \end{bmatrix} \qquad (9)$$

Finally, the Hotelling statistic can be expressed by the following equation:

$$T^2 = \begin{bmatrix} D - D_0 & T - T_0 \end{bmatrix} \frac{1}{\mathrm{VAR}(D_0)\,\mathrm{VAR}(T_0) - \mathrm{COV}(D_0, T_0)^2} \begin{bmatrix} \mathrm{VAR}(T_0) & -\mathrm{COV}(D_0, T_0) \\ -\mathrm{COV}(D_0, T_0) & \mathrm{VAR}(D_0) \end{bmatrix} \begin{bmatrix} D - D_0 \\ T - T_0 \end{bmatrix} \qquad (10)$$

The upper control limit was calculated with a risk α = 0.05 [11] through equation (3), so we note:

$$UCL = 5.99 \qquad (11)$$

$$LCL = 0 \qquad (12)$$

Our detection scheme for MAC layer misbehavior can be summarized in the block diagram depicted in Figure 2.


[Figure 2: block diagram, steps in order]

Define the degree of freedom and the alpha risk
Calculate the upper control limit
Calculate the mean and the covariance matrix in normal case (without MAC layer misbehavior)
Monitoring the Hotelling T2 statistic using the multivariate control chart
    If the majority of points are inside the limits: our process is under control and no MAC layer misbehavior exists
    If a small number of points crossed the control limits: the node is moving out of the transmission range
    If there has been a strong deviation: the network is under greedy attack

Figure 2 Block diagram of the detection scheme using the T2 control chart
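
The detection scheme above, carried through in Python as an added example (not code from the paper): it fits the mean vector and covariance matrix on attack-free samples, evaluates equation (10) for each monitored sample and applies the three branches of Figure 2. The sample values are constructed, and reading "a small number of points" as a minority of crossings and "strong deviation" as a majority is an assumption, since the block diagram gives no numeric thresholds.

```python
import math
from statistics import mean

ALPHA = 0.05
# With p = 2 characteristics the chi-square quantile has a closed form,
# chi2(alpha, 2) = -2 ln(alpha), which reproduces the UCL of 5.99 in (11).
UCL = -2.0 * math.log(ALPHA)
LCL = 0.0

# Constructed attack-free samples: (throughput D in Mb/s, inter-packets time T in s).
NORMAL = [(0.45, 0.0185), (0.43, 0.0175), (0.37, 0.0225), (0.35, 0.0215),
          (0.48, 0.0160), (0.32, 0.0240), (0.42, 0.0210), (0.38, 0.0190)]


def fit_baseline(samples):
    """Estimate D0, T0, VAR(D0), VAR(T0) and COV(D0, T0) from normal traffic."""
    n = len(samples)
    d0 = mean(d for d, _ in samples)
    t0 = mean(t for _, t in samples)
    var_d = sum((d - d0) ** 2 for d, _ in samples) / (n - 1)
    var_t = sum((t - t0) ** 2 for _, t in samples) / (n - 1)
    cov = sum((d - d0) * (t - t0) for d, t in samples) / (n - 1)
    det = var_d * var_t - cov ** 2
    if det <= 0:
        raise ValueError("covariance matrix is singular; collect more samples")
    return {"d0": d0, "t0": t0, "var_d": var_d, "var_t": var_t, "cov": cov, "det": det}


def hotelling_t2(b, d, t):
    """Equation (10): the quadratic form with the explicit 2x2 inverse of S."""
    dd, dt = d - b["d0"], t - b["t0"]
    return (b["var_t"] * dd * dd - 2 * b["cov"] * dd * dt
            + b["var_d"] * dt * dt) / b["det"]


def classify(b, window):
    """Figure 2 branches under the assumed reading: no crossing, minority, majority."""
    values = [hotelling_t2(b, d, t) for d, t in window]
    crossed = sum(1 for v in values if v > UCL)
    if crossed == 0:
        return "under control", values
    if crossed <= len(values) / 2:
        return "node moving out of range", values
    return "greedy attack", values


if __name__ == "__main__":
    base = fit_baseline(NORMAL)
    windows = {  # constructed monitoring windows
        "normal": NORMAL,
        "one excursion": NORMAL + [(0.30, 0.0270)],
        "attacked node": [(0.12, 0.066), (0.10, 0.080), (0.09, 0.088), (0.11, 0.072)],
    }
    for name, window in windows.items():
        verdict, values = classify(base, window)
        print(f"{name:14s} max T2 = {max(values):8.2f}  UCL = {UCL:.2f}  -> {verdict}")
```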

5. Performance evaluation of the Hotelling control chart

To evaluate the performance of our detection strategy through NS-2 simulations [12], we defined the parameters and tools as represented in Table 1.

Some simplified tools exist in the state of the art for processing and parsing NS-2 trace files. In [13], the authors developed a trace analyzer for the NS-2 simulator in order to facilitate the extraction of data from trace files. The proposed software was developed using open source tools. Its outputs are presented in the form of meaningful data (graphs, tables or reports) which can support performance studies of mobile ad hoc networks. An easy and powerful software tool called TRAFIL was developed [14], introducing the notions of “metafiles” and “sub metafiles”. TRAFIL can parse NS-2 trace files and offers a large number of performance indicators for network simulations. One new capability of this software is the possibility of executing Structured Query Language (SQL) queries against the local database it maintains.

Table 1 Parameters of simulation.

Parameters                        Values
Computer                          HP Compaq 6730s
Operating system                  Ubuntu 10.10
Version of the simulator          ns-2.34
Trace file processing language    Perl
Graph construction tool           Microsoft Excel 2007
Transmission rate (Mb/s)          2
MAC layer                         802.11
Physical layer                    Direct Sequence Spread Spectrum
Simulation surface (m)            500x500
Transmission range (m)            250
Radio propagation model           Shadowing
Traffic generator                 Constant bit rate (CBR)
Simulation time (s)               600
Packet size (byte)                1000
Routing protocol                  AODV
Node speed (m/s)                  Randomly selected between 0 and 15
Mobility model [15]               Random Way Point

In all simulation scenarios, the shadowing model was chosen as the radio propagation model, which is very similar to realistic radio propagation. Results of our detection scheme are depicted in Figure 3.


[Figure 3: three panels, each plotting T2 together with UCL and LCL against time in s]
(a) T2 control chart for the throughput and the inter-packets time in normal case
(b) T2 control chart for the throughput and the inter-packets time in the attacked case
(c) T2 control chart for the throughput and the inter-packets time in the attacker case

Figure 3 T2 control chart for the throughput and the inter-packets time

The monitoring of T2 in the normal case (without greedy behavior) showed that all points are inside the tolerance interval (between the upper and the lower control limits): as seen in Figure 3 (a), the process is under control. As we can see in Figure 3 (a) and (b), the Hotelling statistic crossed the upper control limit in the presence of the greedy behavior. We also note that there was a strong deviation in the case of the attacked node compared to the attacker. The simulation results for the mean throughput, the mean inter-packets time and the parameters of the covariance matrix showed random variations depending on the number of nodes (Figure 4); therefore we should compute the mean vector and the covariance matrix in the normal case for every number of transmitters.

[Figure 4: five panels, each plotted against the number of nodes]
(a) Mean throughput depending on the number of nodes
(b) Mean inter-packets time depending on the number of nodes
(c) Variance of throughput depending on the number of nodes
(d) Variance of inter-packets time depending on the number of nodes
(e) Covariance between throughput and inter-packets time depending on the number of nodes

Figure 4 Parameters of the mean vector and the covariance matrix depending on the number of nodes

For the univariate control charts for the throughput and the inter-packets time, the upper and the lower control limits depend on the network load, as mentioned in [10], but the monitored value is related to the actual state. In contrast, the Hotelling T2 method has constant upper and lower limits, but the calculated value depends on the normal case. Table 2 compares the Shewhart and the Hotelling control charts.

Table 2 Comparison between Shewhart control charts and the Hotelling T2 control chart for the throughput and the inter-packets time

Type of control chart                                                        Number of control charts   Real-time monitoring   Fixed control limits   Monitoring value depends on the normal case
Shewhart control charts for the throughput and the inter-packets time        2                          Yes                    No                     No
The Hotelling T2 control chart for the throughput and the inter-packets time 1                          Yes                    Yes                    Yes

We have demonstrated in this paper that we can reduce the number of control charts by using a multivariate one, although we need to identify the correlation between the metrics in order to justify this choice. Further, the proposed detection strategy for greedy stations was tested in an ideal environment with constant bit rate, although our scheme may be efficient in any type of environment, theoretical or realistic. Our proposed strategy has several advantages. It operates in real time through a visual graph (the control chart), and it does not need modifications to the IEEE 802.11 standard.

6. Conclusion

MAC layer misbehavior can lead to network degradation caused by disobeying the 802.11 mechanism. In this way, greedy nodes increase their own resources to the detriment of honest nodes. We have proposed a novel detection scheme based on statistical process control through the implementation of a multivariate control chart. The latter can replace the Shewhart control chart for greedy detection because it reduces the number of charts when the metrics are correlated.

Our new strategy does not require any modification to protocols, it can be distributed, and it may detect greedy attacks in real time, although the proposed scheme seems complex because of the computation of the mean vector and the covariance matrix. As future work, we will try to implement our strategy in a real context to prove its effectiveness and correctness. We will also try to extend our strategy to vehicular ad hoc networks.

References

1. IEEE Standards Association, IEEE 802.11 Standard for Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Standards Association (March), 2012, pp. 818–840.
2. M. Raya, J.P. Hubaux, I. Aad, DOMINO: detecting MAC layer greedy behavior in IEEE 802.11 hotspots, IEEE Trans. Mob. Comput., 5 (12) (2006), pp. 1691–1705.
3. V. Gupta, S. Krishnamurthy, M. Faloutsos, Denial of service attacks at the MAC layer in wireless ad hoc networks, in: Presented at IEEE MILCOM, Anaheim, California, 2002.
4. M. Pillet, Appliquer la maitrise statistique des procédés MSP/SPC (fourth ed.), Edition d’Organisation, Paris, France (2005).
5. M. El Houssaini, A. Aaroud, A. Elhore, J. Ben-Othman, Analysis and simulation of MAC layer misbehavior in mobile ad-hoc networks, in: Proceedings of the 5th International Workshop on Codes, Cryptography and Communication Systems, 2014, pp. 50–54.
6. S. Szott, M. Natkaniec, R. Canonico, A. R. Pach, Misbehavior Analysis of 802.11 Mobile Ad-Hoc Networks – Contention Window Cheating, in: Proceedings of Med-Hoc-Net, 2007, pp. 12–15.
7. Y. Rong, S. Lee, H. Choi, Detecting stations cheating on backoff rules in 802.11 networks using sequential analysis, in: Proceedings of IEEE INFOCOM, 2005, pp. 1–13.
8. M. El Houssaini, A. Aaroud, A. El Hore, J. Ben-Othman, Performance Analysis under MAC Layer Misbehavior Attack in Mobile Ad-Hoc Networks, Computer Technology and Application 6 (2015) 37–44.
9. Y. Han, S. Seok, W. Song, D. Choi and J. Huh, Detection of Greedy Nodes in Wireless LAN through Comparing of Probability Distributions of Transmission Intervals, International Journal of Multimedia and Ubiquitous Engineering 8 (2013) 175–184.
10. A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics (2015), http://dx.doi.org/10.1016/j.aci.2015.11.001
11. C. Douglas Montgomery, Introduction to Statistical Quality Control (sixth ed.), John Wiley & Sons Inc, United States of America (2008).
12. Information Sciences Institute, The Network Simulator – ns-2, Information Sciences Institute, 1995 (accessed July 10, 2015).
13. A.U. Salleh, Z. Ishak, N.M. Din, M.Z. Jamaludin, Trace Analyzer for NS-2, in: Proceedings of the 4th Student Conference on Research and Development, 2006, pp. 29–32.
14. C. Bouras, S. Charalambides, M. Drakoulelis, G. Kioumourtzis, K. Stamos, A tool for automating network simulation and processing tracing data files, Simulation Modelling Practice and Theory 30 (2013) 90–110.
15. F. Bai, A. Helmy, A Survey of mobility modeling and analysis in wireless ad-hoc networks, in: Wireless AdHoc and Sensor Networks, 2004.
