Detection and Performance Analysis of Greedy Individual and Colluding MAC Layer Attackers Svetlana Radosavac and John S. Baras Department of Electrical and Computer Engineering and the Institute for Systems research University of Maryland, College Park 20742 Email:{svetlana,baras}@isr.umd.edu Abstract— Selfish behavior at the Medium Access (MAC) Layer can have devastating side effects on the performance of wireless networks, with effects similar to those of Denial of Service (DoS) attacks. In this paper we consider the problem of misbehavior detection at the MAC layer, focusing on the back-off manipulation by colluding selfish nodes. We cast the problem within a minimax robust detection framework, providing a detection rule of optimum performance for the worst-case attack. We analyze the effects of a single optimal attacker with respect to the detection delay and average number of backoff slots and compare them with the effects of colluding attackers. I. I NTRODUCTION With the rise and flexibility of ubiquitous computing, new and unforeseeable ways of user interactions are expected, such as establishing collaborative networks with minimum or almost no central control. The communication protocols in different layers of an ad hoc network can also be subject to manipulation by selfish users due to the fact that they were designed under the assumption that all participating nodes obey the given specifications. However, when these protocols are implemented in an environment where each node has its own authority, nodes can deviate from the protocol specification in order to obtain a given goal, at the expense of honest participants. In this paper we focus on the effects of a single optimal attacker analyzed in [2] and derive the optimal strategy for colluding selfish users at the MAC layer in ad hoc networks. Our approach is based on sequential detection procedures, placing the emphasis on the class of attacks that incur larger gain for the attackers and is able to cope with the uncer- tain environment of a wireless network. Hence, the minimax robust detection approach is adopted in order to optimize performance for the worst-case instance of uncertainty. More specifically, the goal is to identify the least favorable operating point of a system in the presence of uncertainty and subse- quently find the strategy the optimizes system performance when operating in that point. In our case, the least favorable operating point corresponds to the worst-case instance of an attack and the optimal strategy amounts to the optimal detection rule. II. BACKGROUND WORK Due to the popularity of the IEEE 802.11, most of the work in detecting MAC layer misbehavior has focused on this protocol. Most of the work in this area has been focused on detecting back-off manipulation [4], [1]. Due to the random- ness introduced in the choice of the back-off, it is difficult to distinguish among legal and misbehaving nodes. The approach proposed in [4] focuses on adversaries that are unaware of the existing detection scheme. [2] addresses the issue of intelligent adversaries by providing a theoretical foundation for the design of optimal detection schemes. The authors in [?] presuppose a trustworthy receiver, who assigns the back-off value to be used to the sender. A decision about protocol deviation is reached if the observed number of idle slots of the sender is smaller than a pre-specified fraction of the allocated back-off. However, the problems of applying this protocol in ad hoc networks are (i) the receiver might not be trusted and (ii) it cannot be applied in environments with no central authority. All of the above algorithms have only focused on individual misbehaving nodes and do not consider collusion. III. IEEE 802.11 DCF The most frequently used MAC protocol for wireless net- works is the IEEE 802.11 MAC protocol, which uses a distributed contention resolution mechanism for sharing the wireless channel. Its design attempts to ensure a relatively fair access to the medium for all participants of the protocol. In order to avoid collisions, the nodes follow a binary exponential back-off scheme that favors the last winner amongst the contending nodes. In the distributed coordinating function (DCF) of the IEEE 802.11 MAC protocol, coordination of channel access for contending nodes is achieved with carrier sense multiple access with collision avoidance (CSMA/CA). A node with a packet to transmit selects a random back-off value b uniformly from the set {0, 1,..., W - 1}, where W is the (fixed) size of the contention window. The back-off counter decreases by one at each time slot that is sensed to be idle and the node transmits after b idle slots. In case the channel is perceived to be busy in one slot, the back-off counter stops momentarily. After the back-off counter is decreased to zero, the transmitter can reserve the channel for the duration of data transfer. First, it sends a request-to-send (RTS) packet to the receiver, which responds with a clear-to-send (CTS) packet. Thus, the channel is reserved for the transmission. Both RTS and CTS messages contain the intended duration of data transmission in the duration field. Other hosts overhearing either the RTS or the CTS are required to adjust their network allocation