1 / 59

DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots

DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots. By Maxim Raya, Jean­Pierre Hubaux, Imad Aad Laboratory for computer Communications and Applications(LCA) School of Computer and Communication Sciences EPFL, Switzerland Your host today: Aaron LeMasters. Quick Agenda.

dalit
Download Presentation

DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots By Maxim Raya, Jean­Pierre Hubaux, Imad Aad Laboratory for computer Communications and Applications(LCA) School of Computer and Communication Sciences EPFL, Switzerland Your host today: Aaron LeMasters CS388 Wireless and Mobile Security

  2. Quick Agenda Overview of this research paper Misbehavior What is it and how do we measure it? DOMINO Intro, components, design details Six detection tests ** STAY AWAKE ** Simulation Results Conclusions CS388 Wireless and Mobile SecurityCS388 Wireless and Mobile Security

  3. Overview CS388 Wireless and Mobile Security

  4. Goal & Previous Work • This paper attempts to detect greedy misbehavior on Wireless hotspots by examining MAC-layer activity • The approach in this paper builds on a previous work by Kyasanur and Vaidya (detecting misbehavior based on penalty assigned) • Shortcomings in previous work’s solution: • Requires modification to 802.11 MAC protocol • Could lead to further misbehavior • Adds significant overhead to AP • Only considers lagging UDP traffic as indicator of misbehavior • No actual implementation of proposed solution CS388 Wireless and Mobile Security

  5. Main points • Hotspots are growing more popular, demand increasing • Users will misbehave by modifying hardware characteristics of their Wireless Card to become greedy (this is yet another MAC-layer paper) • DOMINO can stealthily detect this behavior and integrate with WIDS; AirDefense Guard + DOMINO = protocol misbehavior and intrusion detection all-in-one CS388 Wireless and Mobile Security

  6. Assumptions • Operation mode of AP is infrastructure mode using DCF (normal default) • Solution is implemented on a single, trusted AP operating by an ISP (no changes to user laptops or NICs) • Only user stations misbehave • Objective of misbehavior is to gain throughput – doesn’t consider any other misbehavior (DoS, spoof, etc) CS388 Wireless and Mobile Security

  7. Misbehavior CS388 Wireless and Mobile Security

  8. Motivation for misbehavior • Authors point out that MAC protocol is the best place to misbehave because: • You can get greater bandwidth gains because it is more efficient than doing it at higher layers • It is undetectable at higher layers • It can be used in any hotspot, because all AP’s use 802.11 MAC protocol (whereas TCP greediness wouldn’t impact UDP greediness, for example) • Rather than enumerate all possible MAC-layer misbehaviors, a taxonomy is created to classify general types of misbehaviors CS388 Wireless and Mobile Security

  9. Misbehavior Taxonomy • Two main classes: • MAC Greedy behavior • Scramble frames of target systems to increase their contention window (CW) by modifying CTS, ACK, or DATA frames • Manipulate standard protocol parameters • Security Attacks • Inherent weaknesses in MAC (ie, De-auth attack) • Not addressed in this paper • Goal of both classes is to increase the cheater’s own throughput (bandwidth share) CS388 Wireless and Mobile Security

  10. Misbehavior: Scrambling Frames • How the RTS/CTS handshake works in 802.11: • (RTS = Request to send / CTS = clear to send) • Station wanting to send data sends the receiver an RTS frame • The receiver responds with a CTS frame • Any other node receiving the CTS frame should refrain from transmitting for time specified in the frame • Any node receiving the RTS frame but not CTS is permitted to transmit to neighboring nodes CS388 Wireless and Mobile Security

  11. Misbehavior: Scrambling Frames (cont’d) 8/9/2014 CS388 Wireless and Mobile Security 11

  12. Misbehavior: Scrambling Frames (cont’d) • Force a sending target (DATA frame source) to double its contention window size by altering ACK frame • sender selects larger back-off values • Cheater gets more medium CS388 Wireless and Mobile SecurityCS388 Wireless and Mobile Security

  13. Misbehavior: Manipulate Standard Protocol Parameters • When channel is idle, transmit after SIFS but before DIFS • Manipulate NAV value in RTS or DATA frames to force neighbors to not contend • Reduce back-off time by choosing a small, static window, so that back-off is always chosen within this window CS388 Wireless and Mobile SecurityCS388 Wireless and Mobile Security

  14. Misbehavior Metrics • How the AP determines a user is misbehavior • Takes measurements by collecting statistical data • Considers two attributes of transmitting stations: throughput and backoff • Chooses backoff as metric for solution CS388 Wireless and Mobile Security

  15. Misbehavior Metrics: Throughput • Most obvious choice – users hogging bandwidth are the cheaters, right? • Problematic – throughput naturally varies based on application being used by the user • To check application would require significant overhead • High false-positives possible, b/c UDP throughput problems are related to many legit factors (SNR, device drivers, O/S protocol implementation, etc) • Similarly, TCP protocol design (retransmit, reliability, error control, etc) tends to naturally degrade throughput on wireless networks CS388 Wireless and Mobile Security

  16. Misbehavior Metrics: Backoff • Less dependent on factors that affect throughput • Still has its own problems, but authors choose it over throughput: • Backoff idle period is indistinguishable from the delay due to a low packet rate source • Backoff value cannot be computed at receiving end (no info in MAC header), thus it is hard to interpret collisions since those stations will increase backoff and others wont • Hidden terminal problem can cause increases in backoff times CS388 Wireless and Mobile Security

  17. DOMINO System Details CS388 Wireless and Mobile Security

  18. What is DOMINO? “System for Detection Of greedy behavior in the MAC layer of IEEE 802.11 public NetwOrks” A piece of software to be installed on the monitoring Access Point It collects traffic traces during a monitoring period to be inspected for misbehavior

  19. Key Features of DOMINO • Seamless integration with the AP w/o interfering normal operations (passive monitoring) • Compatibility with existing networks • Still applicable to future revisions of 802.11 protocol • This is supported by results from real experiments CS388 Wireless and Mobile Security

  20. Limitations of DOMINO • No automatic remediation • Requires steady traffic on the channel CS388 Wireless and Mobile Security

  21. Design Details • Fully implemented in software/firmware • Minor changes to 802.11 driver, possibly integrate with MADWIFI • Can run as a module on AP • Integrate with a monitor near the AP, such as AirDefense Guard CS388 Wireless and Mobile Security

  22. The 6 Test Components of DOMINO CS388 Wireless and Mobile Security

  23. Other Components of DOMINO Main loop in program: CS388 Wireless and Mobile Security

  24. Other Components of DOMINO (cont’d) • Check() function to execute tests: CS388 Wireless and Mobile Security

  25. Other Components of DOMINO (cont’d) • Punishing Function based on policy defined by Wireless ISP • Decides what to do with misbehaving user CS388 Wireless and Mobile Security

  26. How DOMINO Detects Misbehavior TEST #1: Scrambled Frames CS388 Wireless and Mobile Security

  27. Scrambled Frames – Background • Scrambling the RTS/CTS/DATA frames just creates noise and confusion • The goal is to halt other’s use of the medium or stall them for long periods of time to hog the channel CS388 Wireless and Mobile Security

  28. Scrambled Frames – Detection DOMINO detects scrambled frames by observing a user’s retransmission rate (Rtx rate) Bad user must scramble a large portion of others’ CTS, RTS, and DATA frames to cause desired effect – thus its Rtx rate will be lower than its victims’ 8/9/2014 CS388 Wireless and Mobile Security 28

  29. Scrambled Frames – How? • But how does it detect a retransmission?? • When user scrambles CTS, DATA or ACK frames, the RTS or DATA header will contain repeated sequence numbers • notice threshold φ to control false positives CS388 Wireless and Mobile Security

  30. How DOMINO Detects Misbehavior TEST #2: Shorter than DIFS 8/9/2014 CS388 Wireless and Mobile Security 30

  31. Shorter than DIFS – Detection AP simple monitors idle period since last ACK Any station that transmits before required DIFS is potentially misbehaving Threshold here is protocol-defined (DIFS) 8/9/2014 CS388 Wireless and Mobile Security 31

  32. How DOMINO Detects Misbehavior TEST #3: Oversized NAV 8/9/2014 CS388 Wireless and Mobile Security 32

  33. Oversized NAV - Background Network allocation vector (NAV) value of a frame is a function of frame length and data rate Basically a counter at each station that represents the amount of time that the previous frame needed to send its frame; MUST BE ZERO before a station can transmit Stored in duration field of frame header Receiving station reads this value and sets their NAV accordingly, allocating enough medium for them CS388 Wireless and Mobile SecurityCS388 Wireless and Mobile Security

  34. Oversized NAV – Detection AP compares actual duration of transmission against the NAV value present in DATA or RTS frames Stations that regularly set high NAV values are potential offenders, for obvious reasons Threshold A defines a tolerance value 8/9/2014 CS388 Wireless and Mobile Security 34

  35. How DOMINO Detects Misbehavior TEST #4: Maximum Backoff 8/9/2014 CS388 Wireless and Mobile Security 35

  36. Maximum Backoff – Background IEEE 802.11 protocol selects backoff values randomly from [0, CW –1], where CW depends on retransmission rate Thus, maximum selected backoff over a set of frames sent by a given station should be close to CWmin –1, if the sample size is adequate 8/9/2014 CS388 Wireless and Mobile Security 36

  37. Maximum Backoff – Detection Test #4 checks a user’s maximum backoff over a set of samples against a threshold value; if it is less, possible offender! Sample size must increase as threshold increases! 8/9/2014 CS388 Wireless and Mobile Security 37

  38. Maximum Backoff – Caveat This test can be easily fooled The cheater (and sometimes normal use) can make the monitor observe in every sample at least one backoff value larger than or equal to the threshold Use this as an auxiliary test 8/9/2014 CS388 Wireless and Mobile Security 38

  39. How DOMINO Detects Misbehavior TEST #5: Actual Backoff 8/9/2014 CS388 Wireless and Mobile Security 39

  40. Actual Backoff – Background How to measure “actual backoff”? If no collisions, the AP calculates a “total delay”, I.e. all idle intervals, between two transmission from a station If a collision occurs, the current and next backoffs are ignored Whatever is calculated is stored for a particular station 8/9/2014 CS388 Wireless and Mobile Security 40

  41. Actual Backoff – Detection Bac[Si] Bac stores all backoffs calculated Si is a particular station being observed Bacnom is the nominal backoff value which is the average backoff value The ac value is between 0 and 1 and represents desired correct detection rate (I.e, 90%) 8/9/2014 CS388 Wireless and Mobile Security 41

  42. Actual Backoff – Caveat Since no data is collected during a collision, the test cannot detect misbehavior during interframe delays The AP will see the delays when it adds up the idle times for a source, but since it does not record the backoff, it cannot measure them properly Solved by Test #6 – consecutive backoff 8/9/2014 CS388 Wireless and Mobile Security 42

  43. How DOMINO Detects Misbehavior TEST #6: Consecutive Backoff 8/9/2014 CS388 Wireless and Mobile Security 43

  44. Consecutive Backoff – Background Takes into account sources with interframe delays Primarily TCP sources (congestion control) Whenever two frames are back-to-back, not interleaved with others’ frames, DOMINO will measure the backoff and consider it in the user’s average retransmission rate calculation Why is this an opportunity to cheat? Because the user is experiencing upper layer delay (in TCP) and by altering the MAC-layer backoff value, he can ignore upper layer contention and improve his throughput 8/9/2014 CS388 Wireless and Mobile Security 44

  45. Consecutive Backoff – Detection Same equation as Test #5, except backoffs are now measured during packets with interframe delays 8/9/2014 CS388 Wireless and Mobile Security 45

  46. Simulation Results CS388 Wireless and Mobile SecurityCS388 Wireless and Mobile Security

  47. Simulation Design • They only test actual backoff, consecutive backoff, and complete solution • Focus on a single cheater • 8 stations sending UDP and TCP data • Distance to AP is 50m • All stations are within range of each other • Model common traffic types: • UDP – 1 cheater, 7 regular, all CBR sources • TCP – 1 cheater, 8 regular, all FTP sources CS388 Wireless and Mobile SecurityCS388 Wireless and Mobile Security

  48. Simulation Design (cont’d) • The authors measured throughput of cheaters to show they do benefit: CS388 Wireless and Mobile SecurityCS388 Wireless and Mobile Security

  49. Simulation Results – Actual Backoff (UDP) • UDP – successful b/c idle time is only due to backoff, no interframe delay CS388 Wireless and Mobile SecurityCS388 Wireless and Mobile Security

  50. Simulation Results – Actual Backoff (TCP) • Unsuccessful (no graphic shown in paper) b/c all of the collected data (which was small), was simply interframe delay as a result of higher-layer TCP congestion control mechanism CS388 Wireless and Mobile SecurityCS388 Wireless and Mobile Security

More Related