Applied Computing and Informatics (2016) xxx, xxx–xxx

Saudi Computer Society, King Saud University

Applied Computing and Informatics

(http://computer.org.sa)
www.ksu.edu.sa
www.sciencedirect.com

REVIEW ARTICLE

Real-time detection of MAC layer misbehavior in

mobile ad hoc networks
Abdessadek Aaroud a,*, Mohammed-Alamine El Houssaini a, Ali El Hore a,
Jalel Ben-Othman b

a
Department of Computer Science Faculty of Sciences, Chouaib Doukkali University, El Jadida, Morocco
b
Department of Computer Science Galilee Institute, Paris 13 University, Paris, France

Received 13 July 2015; revised 3 November 2015; accepted 22 November 2015

KEYWORDS Abstract The MAC layer misbehavior of the IEEE 802.11 standard can have a negative impact on
Mobile ad hoc Network; the wireless network’s performance, similar to the effects of denial of service attacks. The goal of
MAC IEEE 802.11; this misbehavior was handling the protocol to increase the greedy nodes transmission rate at the
Misbehavior detection; expense of the other honest nodes. In fact, nodes in IEEE 802.11 standard should wait for a random
NS2 simulation; backoff interval time to access to the channel before initiating any transmission. Greedy nodes use a
Statistical process control malicious technique to reduce the channel waiting time and occupy the channel. This paper intro-
duces a new scheme to detect such malicious behavior, which is based on statistical process control
(SPC) borrowed from the industrial field in a quality management context. To the best of our
knowledge, this approach has not been proposed in state of the art, reports concerning the detection
of greedy behaviors in mobile ad hoc networks. The approach has the power to identify greedy
nodes in real time by using a graphical tool called ûcontrol chartý that measures the throughput
and the inter-packet interval time for each node, and raises an alert if this measure is over a defined
threshold. The validation of all obtained results is performed in the network simulator NS2.
Ó 2015 The Authors. Production and hosting by Elsevier B.V. on behalf of King Saud University. This is
an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

* Corresponding author.
E-mail addresses: [email protected] (A. Aaroud), [email protected] (M.-A. El Houssaini), [email protected] (A. El Hore),
[email protected] (J. Ben-Othman).
Peer review under responsibility of King Saud University.

Production and hosting by Elsevier

http://dx.doi.org/10.1016/j.aci.2015.11.001
2210-8327 Ó 2015 The Authors. Production and hosting by Elsevier B.V. on behalf of King Saud University.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
Please cite this article in press as: A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics
(2016), http://dx.doi.org/10.1016/j.aci.2015.11.001
2 A. Aaroud et al.

Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
2. IEEE 802.11 layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
3. Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
4. Proposed detection system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
4.1. Modeling 802.11 networks with greedy nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
4.2. Basic idea. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
4.3. Statistical process control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
4.4. The Shewhart control chart for individual measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
4.5. Development of the control chart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
4.6. Detection strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
5. Performance evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
5.1. Computation of control limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
5.2. Monitoring in normal case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
5.3. Monitoring in the MAC layer misbehavior case. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
5.3.1. First scenario (detection of the attacked) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
5.3.2. Second scenario (detection of the attacker) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
5.4. Generalization of the detection method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
6. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 00

1. Introduction 2. IEEE 802.11 layers

One of the most significant advantages of the IEEE 802.11
standard is the fair access to the medium. However sharing
the transmission channel makes the networks vulnerable to
several attacks such as jamming, black holes, and greedy
behavior (MAC layer misbehavior) [12].
A greedy node intentionally modifies the MAC IEEE
802.11 protocol to get more network resources than honest
nodes [10]. By this channel-access misbehavior a greedy node
can benefit from several advantages such as:

Increasing its throughput.

Reducing its power consumption.
This work aimed to apply a statistical process control (SPC)
scheme to detect the IEEE 802.11 MAC layer misbehavior.
Our paper is organized as follows. The second section is
dedicated to presenting the architecture of the IEEE 802.11
with all its layers. An overview of the research works related
to the IEEE 802.11 MAC layer misbehavior is shown in the
third section. The fourth section proposes our detection
scheme of the IEEE 802.11 MAC layer misbehavior (greedy
node). In the fifth section, the authors evaluate the perfor-
mance of their approach using the NS2 simulator. Conclusions
and perspectives are presented in the last section.
The IEEE 802.11 protocol covers the physical layer and the
Medium Access Control (MAC) layer as described in Fig. 1.
The MAC layer is the same for all IEEE 802.11 standards.
However, the physical layer is divided into three categories:
FH (Frequency Hopping Spread Spectrum), DS (Direct
Sequence Spread Spectrum) and IR (Infrared).
The IEEE 802.11 MAC layer defines the access method
Carrier Sense Multiple Access/Collision Avoidance (CSMA/
CA) working as follows. Before transmitting, a node first lis-
tens to the shared medium (such as listening for wireless signals
in a wireless network) to determine whether another node is
transmitting or not. If the channel is free for a DCF Inter-
Frame Space (DIFS) time, then the station transmits a frame
which is acknowledged after a Short Inter-Frame Space (SIFS)
interval time with an ACK frame.
The transaction time (DATA + SIFS + ACK) is noted as
a Network Allocation Vector (NAV) and blocks other stations
from accessing channel till total NAV decrement.
Additionally the CSMA/CA method has an optional mech-
anism of channel reservation Request To Send (RTS)/Clear To
Send (CTS) [1].
The CSMA/CA access method defines the Binary Exponen-
tial Backoff (Fig. 2) in order to resolve the access medium
problem when several stations want to transmit data simulta-
neously. This method requires that each station chooses a ran-
dom waiting time between 0 and the size of a contention
window CW (value equals to a number of time slots), and
expects the number of slots before transmission [1].

3. Related work

The BEB algorithm provides a fair access to the medium.

Greedy nodes change their BEB to increase their throughput
at the expense of other honest nodes. This greedy behavior is
considered as misbehavior of the IEEE 802.11 MAC layer.
Figure 1 IEEE 802.11 layers description.

Please cite this article in press as: A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics
(2016), http://dx.doi.org/10.1016/j.aci.2015.11.001
Detection of MAC layer misbehavior 3

Figure 2 Backoff procedure.

The classification of the MAC layer misbehavior, given in
[4], is categorized as follows:

a misbehavior: The greedy node chooses the value of BEB
in the interval [0 a(CW  1)], where CW is the contention
window, and 0 < a < 1.

Deterministic BEB: The greedy node chooses a constant
BEB independently of the contention window.

b misbehavior: After a failed transmission, instead of put-
ting a CW to be min{2CW, CWmax}, greedy node sets its
contention window as CW = max{CWmin, min{bCW,
CWmax}} where 0 < b < 2.

Fixed maximum contention window.

Fixed contention window.
process control). We use the Shewhart chart for individual
value, applied to the receiving throughput and the average
time between receptions.
Our new detection strategy can be implemented on any
receiving node to monitor the network in real time. As we will
demonstrate by the simulation, the proposed detection scheme
does not require modifications of the IEEE 802.11 standard.
To the best of our knowledge our approach based on statis-
tical process control has not been proposed before in the liter-
ature to detect greedy behavior in mobile ad hoc networks.
4. Proposed detection system
4.1. Modeling 802.11 networks with greedy nodes

Several approaches have been proposed in the literature for

Bianchi [18] developed a Markov chain model for IEEE 802.11
the detection of the IEEE 802.11 MAC layer misbehavior.
protocol in a normal case and without any attacks, assuming
Tiwary [16] proposed a detection scheme based on the sta-
that the network is saturated and the collision probability p
tistical collection of all nodes RTS retransmission due to time
is constant. The author adopted the notation Wi ¼ 2i W, where
out, packet retransmission due to ACK timeout and through-
i 2 ð0; mÞ is called ‘‘bachoff stage” and W ¼ CWmin , s(t) and b
put at receiver, then compared these results with the threshold
(t) denote the stochastic process referring to the backoff stage
values to decide whether a selfish attack is occurring. This
and the backoff time counter of the node at time t respectively.
method does not require any changes in protocols but it cre-
The stochastic process is defined as follows:
ates computation overhead.
8
Other authors [17] also proposed an extension to the 802.11 > Pfi; kji; k þ 1g ¼ 1 k 2 ð0; Wi  2Þ i 2 ð0; mÞ
>
>
standard that ensures a uniformly distributed random backoff < Pf0; kji; 0g ¼ ð1  pÞ=W k 2 ð0; W  1Þ i 2 ð0; mÞ
0 0
through the protocol of coin flipping by telephone. The main
>
> Pfi; kji  1; 0g ¼ p=W k 2 ð0; Wi  1Þ i 2 ð1; mÞ
idea is to let both the sender and receiver agree on a random >
:
i

value of backoff through a public exchange using an engage- Pfm; kjm; 0g ¼ p=Wm k 2 ð0; Wm  1Þ
ment method inspired by the protocol of applying flipping ð1Þ
coins over the telephone. However, it is still unable to detect
collision between sender and receiver. where
An approach of greedy nodes detection in IEEE 802.11 was
Pfi1 ; k1 ji0 ; k0 g ¼ Pfsðt þ 1Þ ¼ i1 ; bðt þ 1Þ ¼ k1 jsðtÞ ¼ i0 ; bðtÞ ¼ k0 g
proposed [5] based upon the linear regression between instants
of transmission to calculate a detection threshold and without ð2Þ
requiring modifications to the standard. This idea results from The probability that a node in the network transmits a packet
the strong linear correlation noticed between nodes in terms of in a randomly chosen slot is denoted as s. Its computation can
transmission instants. be done as follows:
The strategy called Detecting MAC Layer Greedy Behavior
in IEEE 802.11 Hotspots (DOMINO) deployed in the access 2ð1  2pÞ
s¼ ð3Þ
point to detect misbehavior is exposed [6]. This method uses ð1  2pÞðW þ 1Þ þ pWð1  ð2pÞm Þ
a modular architecture which comprises individual tests and
a decision making component DMC. However, greedy nodes For n nodes using the shared medium,
may exploit the knowledge of DOMINO in order to adapt
P ¼ 1  ð1  sÞn1 ð4Þ
its parameters to avoid the detection.
We propose in the following section a new detection strat- The last two equations can be solved to compute the two
egy based on a statistical quality control approach (statistical unknowns variables n and p.

Please cite this article in press as: A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics
(2016), http://dx.doi.org/10.1016/j.aci.2015.11.001
4 A. Aaroud et al.

The authors in [19] proposed a modeling of an 802.11 net- Indeed, two processes are never exactly similar. There are
work with MAC layer misbehavior attacks. They consider n many sources of variation in low amplitude that cannot be
nodes in a network, with the presence of l greedy nodes mod- removed, all of them representing the common causes of dis-
ifying the backoff timer. The misbehaving nodes choose a ran- persion [13].
dom backoff interval in the range of ð0; ga W  1Þ, where However, there are major causes of variation that require
ð1 6 a 6 lÞ and W is the current contention window (CW). change. These cases are called special causes. The process
The collision probability at the greedy node is pa . Therefore becomes out of control, and thus we must look for the cause.
they modified the stochastic process proposed in [18] to estab- The SPC method provides an effective and proper tool to
lish a simple modeling for the misbehaving nodes. separate the ordinary from the extraordinary by creating a
As a result they found the following equations with 2l þ 2 powerful graphic called ûcontrol chartý, among these charts
unknowns, s0 ; s1 ; . . . ; sl ; p0 ; p1 ; . . . ; pl . are: The Shewhart control chart for individual measurements
8 [13].
2ð12pÞ0
>
> s0 ¼ ð12p0 ÞðWþ1Þþp
>
>
0 Wð1ð2p0 Þm Þ
>
>
>
> s1 ¼ 2ð12pÞ1
>
> 4.4. The Shewhart control chart for individual measurements
>
m
ð12p1 Þðg1 Wþ1Þþp1 g1 Wð1ð2p1 Þ Þ
>
>
>
> ...
>
>
>
> l The Shewhart control chart for individual measurements
<
1
2ð12pl Þ
s ¼ ð12pl Þðgl Wþ1Þþp l gl Wð1ð2pl Þm Þ should be used when we want to monitor a process on the basis
ð5Þ
>
> Q of a periodically measured quantity [14].
>
> P 0
¼ 1  ð1  s 0 nl1
Þ ð1  s i
Þ
>
> 16i6l In such situations, the control chart for individual units is
>
> Q
>
> P ¼ 1  ð1  s Þ 0 nl
26i6l ð1  s Þ
>
1 i useful. (The cumulative sum and exponentially weighted mov-
>
>
>
> ing average control charts will be a better alternative when the
>
> ...
>
> magnitude of the shift in process means that what is of interest
: l nl Q
P ¼ 1  ð1  s0 Þ 16i6l1 ð1  s Þ
i
is small.) In many applications of the individual control chart
we use the moving range of two successive observations as the
The last equations can be solved to compute the unknown
basis of estimating the process variability [14].
variables and also to define parameters adopted for the perfor-
The moving range is defined as [14]
mance evaluation of the network. However, finding a closed
form for each variable is not our goal, since our approach is MRi ¼ jxi  xi1 j ð6Þ
based on simulation analysis. where the moving range number i is MRi , and xi is the range
number i.
4.2. Basic idea To establish a moving range control chart, the procedure is
illustrated in the following section.
The basic idea of our strategy for detecting IEEE 802.11 MAC
layer misbehavior emerges from the difference and the shift 4.5. Development of the control chart
observed on the two previously defined metrics, namely
throughput [7], which is defined as a measure of how many To calculate the control limits for individual values, we should
successful packets were received correctly in a given amount use the below formulas [14]:
of time and the inter-packets time defined as the mean time
between receptions (mean time between successive received MR
packets) [3]. UCL ¼ x þ 3 ð7Þ
d2
We showed that this misbehavior led to an increase of the Center line ¼ x ð8Þ
average reception throughput and a decrease of times between
receptions for the greedy nodes. On the other side it generates MR
LCL ¼ x  3 ð9Þ
a reverse effect for honest nodes [3]. d2
Our detection method is based on the supervision of the
For the moving range, we find the equations [14] as follows:
two metrics defined in our previous work [3] and its dispersion
by a control chart with two limits. These graphs are called con-
UCL ¼ D4 MR ð10Þ
trol charts, following a statistical process control approach.
Center line ¼ MR ð11Þ

4.3. Statistical process control LCL ¼ D3 MR ð12Þ

The SPC ensures optimum quality based on statistical tools. It
aims to the following:
– Give a tool to monitoring process.
– Formalize the notion of capability.
– Distinguish between ordinary and extraordinary situations.
One of the basic principles of this control is deviation detec-
tion. All variations on a system do not require modification.
where UCL and LCL are the upper and lower control limits
respectively, and MR is the average of the moving ranges of
two observations, x being the observation value.
The constants, d2 ; D3 and D4 are tabulated for various
sample sizes [14]. Its mathematical origins are shown in [20].
The control chart for the individual measurements includes
two graphs, the first is for individual value monitoring used for
detecting the slip of the system and the second is for moving
range used for monitoring the quality [14].

Please cite this article in press as: A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics
(2016), http://dx.doi.org/10.1016/j.aci.2015.11.001
Detection of MAC layer misbehavior 5

Table 1 Lookup table of the chart parameters.

Parameter Value
The observation X Throughput or inter-packets time
Average of observations (center line) Center line ¼ x
Average moving range of observations (center line) Center line ¼ MR
Upper control limit of individual observations UCL ¼ x þ 3 MR
d2
Lower control limit of individual observations LCL ¼ x  3 MR
d2
Upper control limit of moving range observations UCL ¼ D4 MR
Lower control limit of moving range observations LCL ¼ D3 MR

4.6. Detection strategy of transmitters ({B, C, D, E, F} is the transmitters’ set of the

In this monitoring technique we propose supervising and plot-
ting the average reception throughput and the mean inter-
packets time by control charts (Table 1).
The judgment and interpretations of the novel detection
strategy can be summarized in the following block diagram
(Fig. 3):
To illustrate our novel detection scheme, station A depicted
in Fig. 4 for instance, receives packets from the set defined by
{B, C, D, E, F}. The purpose is to identify which among this
set of stations is a greedy one. Therefore, this detection scheme
is implemented at every station to designate the cheater station
through the supervision of the average reception throughput
and the mean inter-packets time by control charts. The control
is performed automatically for every node belonging to this set
station A).
For the computation of the thresholds (control chart
parameters), we need a minimum of 20 values [13], but for
the network monitoring, we draw every calculated value (for
the throughput and for the inter-packets time). This is the
real-time detection that we highlight in our paper. The detec-
tion scheme is performed at any receiving node for every trans-
mitting station (as in Fig. 4). In fact every node has the right to
explore its received packets. We can emphasize that one honest
node in the state of transmission is sufficient to calculate the
control chart parameters (see Figs. 5–7).
The next section is dedicated to the performance analysis of
the proposed detection scheme through NS-2 simulations. In
our simulation parameters we used the shadowing model as
a radio propagation model which is very near to the realistic
radio propagation, taking into account the energy losses.

5. Performance evaluation

Identification of critical
process parameters To achieve our detection method of the IEEE 802.11 MAC
layer misbehavior [9], the simulator NS-2 can be used with
some useful tools for processing traces files as explained by
Collect ofstatistical measures in normal case
(without misbehavior) [8,11]. In our case we have chosen the simulator with the soft-
ware platform and parameters depicted in Table 2.

Calculate the parameters of the chart (UCL,

Center line and LCL) 5.1. Computation of control limits

First, we calculated the control limits and center lines based on

Represent the measurements above on the chart (if there are points
that come out of the control limits they should be eliminated and
recalculate the chart settings)
the results of the simulation in normal cases (without IEEE
802.11 MAC Layer Misbehavior) through equations from
(6)–(12).

Monitoring the metrics

using the control chart

If the curves If a small If there has

oscillate on either number of been a
side of the mean and points crossed greater
that the majority of the upper or tendency and
the points are inside lower control deviation
the limits limit or deviate
from the center
line
The
network is
Our process is under under
control and no MAC The node is
moving out of greedy
layer misbehavior attack
exist the transmission
range.

Figure 3 Block diagram of the detection scheme. Figure 4 A mobile ad hoc network.

Please cite this article in press as: A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics
(2016), http://dx.doi.org/10.1016/j.aci.2015.11.001
6 A. Aaroud et al.

Throughput, UCL, Center line, LCL Inter-packets time, UCL, Center line, LCL
0.50 0.025
0.48 0.024

Inter-packets time in s
0.46 0.023

Throughput in Mb/s
0.44 0.022
0.42 0.021
0.40 0.020
0.38 0.019
0.36 0.018
0.34 0.017
0.32 0.016
0.30 0.015
0 100 200 300 400 500 600 0 100 200 300 400 500 600
Time in s Time in s
(Throughput monitoring in normal case) (Inter-packets time monitoring in normal case)

Interpackets time moving range in s

Throughput moving range in Mb/s

Throughput moving range, UCL, Center line Inter-packets time moving range, UCL, Center line
0.10 0.005
0.09
0.08 0.004
0.07
0.06 0.003
0.05
0.04 0.002
0.03
0.02 0.001
0.01
0.00 0.000
0 100 200 300 400 500 600 0 100 200 300 400 500 600
Time in s Time in s
(Throughput moving range monitoring in normal case) (Inter-packets time moving range monitoring in normal case)

Figure 5 Control charts monitoring in normal case (without greedy attack).

Inter-packets time, UCL, Center line, LCL

Throughput, UCL, Center line, LCL 0.035
0.50 0.033
Inter-packets time in s

0.031
0.45
Throughput in Mb/s

0.029
0.40 0.027
0.025
0.35
0.023
0.30 0.021
0.019
0.25
0.017
0.20 0.015
0 100 200 300 400 500 600 0 100 200 300 400 500 600
Time in s Time in s
(Throughput monitoring in attack case) (Inter-packets time monitoring in attack case)

Throughput moving range, UCL, Center line Inter-packets time moving range, UCL, Center line
Throughput moving range in Mb/s

Inter-packets time moving range in s

0.14 0.012

0.12
0.010
0.10
0.008
0.08
0.006
0.06
0.004
0.04

0.02 0.002

0.00 0.000
0 100 200 300 400 500 600 0 100 200 300 400 500 600
Time in s Time in s
(Throughput moving range monitoring in attack case) (Inter-packets time moving range monitoring in attack case)

Figure 6 Control charts monitoring of the attacked.

Please cite this article in press as: A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics
(2016), http://dx.doi.org/10.1016/j.aci.2015.11.001
Detection of MAC layer misbehavior 7

Throughput, UCL, Center line, LCL Inter-packets time, UCL, Center line, LCL
0.9 0.025
0.023
0.8
0.021

Inter-packets time in s
Throughput in Mb/s
0.019
0.7
0.017
0.6 0.015
0.013
0.5 0.011
0.009
0.4
0.007

0.3 0.005
0 100 200 300 400 500 600 0 100 200 300 400 500 600

Time in s Time in s
(Throughput monitoring in attack case) (Inter-packets time monitoring in attack case)

Throughput moving range, UCL, Center line Inter-packets time moving range, UCL, Center line

Inter-packets time moving range in s

0.12 0.005
Throughput moving range in Mb/s

0.10
0.004

0.08
0.003
0.06
0.002
0.04
0.001
0.02

0.00 0.000
0 100 200 300 400 500 600 0 100 200 300 400 500 600
Time in s Time in s
(Throughput moving range monitoring in attack case) (Inter-packets time moving range monitoring in attack case)

Figure 7 Control charts monitoring of the attacker.

Table 2 Platform and parameters.

Parameters Values
Computer HP Compaq 6730s
Operating system Ubuntu 10.10
Version of the simulator ns-2.34 [2]
Trace file processing language Perl
Graph construction tool Microsoft Excel 2007
Transmission rate (Mb/s) 2
MAC layer 802.11
Physical layer Direct Sequence Spread Spectrum
Simulation surface (m) 500  500
Transmission range (m) 250
Radio propagation model Shadowing
Traffic generator CBR Constant bit rate
Simulation time (s) 600
Packet size (byte) 1000
Routing protocol AODV
Node speed (m/s) Randomly selected between 0 and 15
Mobility model Random Way Point [15]

Table 3 Control charts parameters for throughput and inter-packets time.

Chart type Chart parameters Shewhart control chart for throughput Shewhart control chart for inter-packets time
monitoring monitoring
Individual UCL 0.49238 0.02372
measurement CENTER LINE 0.41219 0.01982
LCL 0.33200 0.01591
Moving range UCL 0.09850 0.00480
CENTER LINE 0.03015 0.00147
LCL 0 0

Please cite this article in press as: A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics
(2016), http://dx.doi.org/10.1016/j.aci.2015.11.001
8 A. Aaroud et al.

Throughput, Throughput moving range Inter-packets time, Inter-packets time moving range
0.7 0.45

Tolerance interval in Mb/s

0.6 0.40

Tolerance interval in s
0.35
0.5
0.30
0.4 0.25
0.3 0.20
0.15
0.2
0.10
0.1
0.05
0.0 0.00
0 5 10 15 20 25 30 0 5 10 15 20 25 30
Number of nodes Number of nodes
(The throughput tolerance intervals depending on the number of nodes) (The inter-packets time tolerance intervals depending on the number of nodes)

Figure 8 Tolerance intervals depending on the number of nodes.

5.2. Monitoring in normal case Small and random variations in curves are detected. We
should compute the chart parameters for every number of
In this case the two metrics (throughput and inter-packets nodes to obtain a better supervision of the network.
time) are supervised in the control chart below composed by The detection thresholds and the tolerance interval depend
the control limits that we computed in the last section for a on the number of nodes; therefore, each receiver updates these
node in the network. parameters for each number of transmitters. In our work we
As we can see in the control chart for throughput and the tested the detection scheme in an ideal environment which
inter-packets time, curves oscillate on either side of the mean depends on the number of nodes with constant bit rate traffic.
and the majority of the points are inside the limits. Obviously The statistical process control is a useful and strong tool for
we can decide that this node communicates in an environment supervising and detecting strong derivations in any type of
without greedy attack. environment (realistic or theoretical). Thus, the purpose is
If few points come out of the control limits, we can explain the separation of the extraordinary from the ordinary
this fact by the movement outside of the transmission range situations.
(see Table 3).
6. Conclusion
5.3. Monitoring in the MAC layer misbehavior case
The misbehavior at the MAC layer by changing the backoff
5.3.1. First scenario (detection of the attacked) mechanism can lead to performance degradation of the net-
In this monitoring case we note that when the throughput work. In this paper we tried to propose a novel detection
curve crossed the lower control limit and the inter-packets time scheme for this misbehavior based on the supervision of two
curve crossed the upper control limit, there is a strong devia- metrics (reception throughput and inter-packets time) through
tion. Consequently we can decide that this node is under a statistical process control charts. Our detection scheme pre-
MAC layer misbehavior attack. sents several advantages. It does not require any changes in
We can also lay emphasis on the absence of any great the IEEE 802.11 protocol and it can be implemented at any
change for the moving range curves related to the deviations receiving node. Its most significant advantage is the detection
for the mean but not for the amplitude, due to the greedy of such attack in real time by visual graphs.
behavior. In the perspective, we will try to extend the proposed
scheme by introducing other performance measurements in
5.3.2. Second scenario (detection of the attacker) order to develop other detection systems that are easier than
the previous ones. We also plan an implementation of the
In this monitoring case we reveal that the throughput curve
so-called detection strategy in a realistic environment.
crossed the upper control limit and the inter-packets time
curve crossed the lower control limit. There is a strong devia-
tion, so we can decide that this node is a greedy one (this is the References
MAC layer misbehavior attack).
[1] IEEE Standards Association, IEEE 802.11 Standard for
We can also focus on a change in the moving range curve of
Wireless LAN Medium Access Control (MAC) and Physical
the inter-packets time resulting from an improvement of the Layer (PHY) Specifications, IEEE Standards Association
transmission time for the attacker due to the greedy behavior. (March), 2012, pp. 818–840.
[2] Information Sciences Institute, The Network Simulator – ns-2,
5.4. Generalization of the detection method Information Sciences Institute, 1995 <http://www.isi.edu/
nsnam/ns/> (accessed July 10, 2015).
We plot the tolerance interval (the difference between the [3] M. El Houssaini, A. Aaroud, A. Elhore, J. Ben-Othman,
Analysis and simulation of MAC layer misbehavior in mobile
upper and lower control limits) as a function of the number
ad-hoc networks, in: Proceedings of the 5th International
of nodes. Our results are represented in the graphics below Workshop on Codes, Cryptography and Communication
(Fig. 8). Systems, 2014, pp. 50–54.

Please cite this article in press as: A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics
(2016), http://dx.doi.org/10.1016/j.aci.2015.11.001
Detection of MAC layer misbehavior
[4] V.R. Giri, N. Jaggi, MAC layer misbehavior effectiveness
and collective aggressive reaction approach, in: Proceeding
33rd IEEE Sarnoff Symposium, Princeton, NJ, April 2010,
pp. 1–5.
[5] A. Hamieh, J. Ben-Othman, A. Gueroui, F. Naı̈t-Abdesselam,
Detecting greedy behaviors by linear correlation in wireless Ad
Hoc networks, in: Presented at the IEEE International
Conference on Communications (IEEE ICC), Dresden,
Germany, 2009.
[6] M. Raya, J.P. Hubaux, I. Aad, DOMINO: detecting MAC layer
greedy behavior in IEEE 802.11 hotspots, IEEE Trans. Mob.
Comput. 5 (12) (2006) 1691–1705.
[7] S. Szott, M. Natkaniec, R. Canonico, A.R. Pach, Misbehaviour
analysis of 802.11 mobile ad-hoc networks – contention window
cheating, in: Med-Hoc-Net 2007, 12 June 2007, Ionian
Academy, Corfu, Greece.
[8] C. Bouras, S. Charalambides, M. Drakoulelis, G. Kioumourtzis,
K. Stamos, A tool for automating network simulation and
processing tracing data files, Simul. Model. Pract. Theory 30
(2013) 90–110, January.
[9] P. Kyasanur, N.H. Vaidya, Selfish MAC layer misbehavior in
wireless networks, IEEE Trans. Mob. Comput. 4 (5) (2005).
[10] S. Szott, M. Natkaniec, A. Banchs, Impact of misbehaviour on
QoS in wireless mesh networks, in: Proceeding NETWORKING
‘09 Proceedings of the 8th International IFIP-TC 6 Networking
Conference, P639-650, 2009.
[11] A.U. Salleh, Z. Ishak, N.M. Din, M.Z. Jamaludin, Trace
analyzer for NS-2, in: 4th Student Conference on Research and
Please cite this article in press as: A. Aaroud et al., Real-time detection of MAC layer misbehavior in mobile ad hoc networks, Applied Computing and Informatics
(2016), http://dx.doi.org/10.1016/j.aci.2015.11.001
9
Development (SCOReD 2006), Shah Alam, Selangor, Malaysia,
27–28 June, 2006.
[12] V. Gupta, S. Krishnamurthy, M. Faloutsos, Denial of service
attacks at the MAC layer in wireless ad hoc networks, in:
Presented at IEEE MILCOM, Anaheim, California, 2002.
[13] M. Pillet, Appliquer la maitrise statistique des procédés MSP/
SPC, forth ed., Edition d’Organisation, Paris, France, 2005.
[14] C. Douglas Montgomery, Introduction to Statistical Quality
Control, sixth ed., John Wiley & Sons Inc, United States of
America, 2008.
[15] F. Bai, A. Helmy, A Survey of mobility modeling and analysis in
wireless ad-hoc networks, in: Wireless Ad-Hoc and Sensor
Networks, 2004.
[16] O.N. Tiwary, Detection of misbehaviour at MAC layer in
wireless networks, Int. J. Scient. Eng. Res. 3 (5) (2012) 909–912.
[17] A.A. Cardenas, S. Radosavac, J.S. Baras, Detection and
prevention of MAC layer misbehavior in ad hoc networks, in:
Proceedings of the 2nd ACM Workshop on Security of Ad Hoc
and Sensor Networks, 2004, pp. 17–22.
[18] G. Bianchi, Performance analysis of the IEEE 802.11 distributed
coordination function, IEEE J. Select. Areas Commun. 18 (3)
(2000) 535–547.
[19] Y. Rong, S.-K. Lee, H.-A. Choi, Detecting stations cheating on
backoff rules in 80211 networks using sequential analysis, in:
Proceedings of IEEE INFOCOM, 2005.
[20] L.H.C. Tippett, On the extreme individuals and the range of
samples taken from a normal population, Biometrika 17 (1925)
364–387.