An Analytical Approach to Real-Time Misbehavior Detection in IEEE 802.11 Based Wireless Networks Jin Tang, Yu Cheng Electrical and Computer Engineering Illinois Institute of Technology Email: {jtang9, cheng}@iit.edu Weihua Zhuang Electrical and Computer Engineering University of Waterloo Email: wzhuang@uwaterloo.ca Abstract—The distributed nature of the CSMA/CA based wireless protocols, e.g., the IEEE 802.11 distributed coordinated function (DCF), allows malicious nodes to deliberately manipu- late their backoff parameters and thus unfairly gain a large share of the network throughput. The non-parametric cumulative sum (CUSUM) test is a promising method for real-time misbehavior detection due to its ability to quickly find abrupt changes in a process without any a priori knowledge of the statistics of the change occurrences. While most of the existing schemes for selfish behavior detection depend on heuristic parameter configuration and experimental performance evaluation, we develop a Markov chain based analytical model to systematically study the CUSUM based scheme for real-time detection of the backoff misbehavior. Based on the analytical model, we can quantitatively compute the system configuration parameters for guaranteed performance in terms of average false positive rate, average detection delay and missed detection ratio under a detection delay constraint. Moreover, we find that the short-term fairness issue of the 802.11 DCF impacts the transition probabilities of the Markov model and thus the detection accuracy. We develop a shuffle scheme to mitigate the short-term fairness impact on the sample series, and investigate the proper shuffle period (in terms of observation windows) that can maintain the randomness in each node’s backoff behavior while resolving the short-term fairness issue. We present simulation results to confirm the accuracy of our theoretical analysis as well as demonstrate the performance of the developed real-time detection scheme. I. I NTRODUCTION The IEEE 802.11 based wireless networks have been widely deployed over recent years due to their high-speed access, easy-to-use features and economical advantages. To resolve the contention issue among the multiple participating nodes, 802.11 employs the carrier sense multiple access/collision avoidance (CSMA/CA) protocol to ensure that each node gets a reasonably fair share of the network. This is particularly the case for the distributed cooperation function (DCF) of 802.11, where every node accesses the network in a cooperative manner and randomly delays transmissions to avoid collisions by following a common backoff rule [1]–[3]. However, in such a distributed environment without a centralized controller, a malicious node may deliberately choose a smaller backoff timer and gain an unfair share of the network throughput at the expenses of other normal nodes’ channel access opportunities. Moreover, only to make things worse, the easily available programmable and reconfigurable wireless network devices This work was supported in part by NSF grant CNS-0832093. nowadays [4], [5] make the backoff misbehavior much more feasible. In this paper, we propose an analytical approach for real-time detection of the backoff misbehavior. An efficient detection scheme needs to address the two main correlated challenges: 1) unknown misbehavior strategy, 2) real-time detection of the misbehavior. For the first challenge, since a malicious node can first behave as a normal node and then manipulate its backoff timer to a random small value at any time, we have no way to know the misbehavior strategy a priori. For the second, the misbehavior needs to be detected in real-time and we can then isolate the malicious node to prevent it from bringing more harm to the network as soon as possible. The existing solutions either can not address both issues at the same time [5]–[9], or require modifications to the 802.11 protocols [10], [11]. Considering the challenges, in our very recent work [12], we develop a detection scheme based on the non-parametric cumulative sum (CUSUM) test [13] which can quickly find abrupt changes in a process without any prior knowledge of the statistical model of the change occurrences. In [12], we also propose a new observation method to get samples for testing, which directly counts the number of successful transmissions from a tagged node to facilitate the real-time detection. Also, our detection scheme does not require any modification to the protocols. Thus it can be implemented by any node assuming the role of the detection agent that monitors the network. A significant open research issue regarding the selfish be- havior detection is that most of the existing detection schemes depend on heuristic parameter configuration and experimental performance evaluation. Such a heuristic approach largely limits the flexibility and robustness of the detection scheme; a change of the operation context could trigger the retraining of the configuration parameters by experimenting over a large set of data traces and the performance under those heuristic parameters is not theoretically provable. In this paper, we develop an analytical model for the CUSUM based detection scheme, which can provide quantita- tive performance analysis and theoretical guidance on system parameter configuration. Specifically, we use a discrete-time Markov chain to model the behavior of the CUSUM detector, because the detector’s value in an observation window only depends on its value in the previous window and the observa- tion samples in the current window. To determine the transition This paper was presented as part of the main technical program at IEEE INFOCOM 2011 978-1-4244-9921-2/11/$26.00 ©2011 IEEE 1624