MOJO: A Distributed Physical Layer Anomaly Detection System for 802.11 WLANs
-
Upload
myles-evans -
Category
Documents
-
view
36 -
download
2
description
Transcript of MOJO: A Distributed Physical Layer Anomaly Detection System for 802.11 WLANs
MOJO: A Distributed Physical Layer Anomaly Detection System
for 802.11 WLANs
Richard D. Gopaul
CSCI 388
Authors
• Anmol Sheth
• Christian Doerr
• Dirk Grunwald
• Richard Han
• Douglas Sicker
Department of Computer Science
University of Colorado at Boulder
Boulder, CO, 80309
Problem
• Existing 802.11 deployments provide unpredictable performance
• 802.11 Wireless Networks– Cheap– Easy to deploy
• Two Classes– Planned deployments (large companies)– Small scale chaotic deployments (home users)
Reasons for Unpredictable Performance
• Noise and Interference– Co-channel interference, Bluetooth, Microwave Oven,
…
• Hidden Terminals– Node location, Heterogeneous Transmit Powers
• Capture Effects– Simultaneous transmission
• MAC Layer limitations– Timers, Rate adaptation, …
• Heterogeneous Receiver Sensitivities
Problems With Existing Solutions
• Wireless networks encounter time-varying conditions– A single site survey is not enough
• Cannot distinguish or determine root cause of problem– Existing tools for diagnosing WLANs only look at MAC
layer and up– Aggregate effects of multiple PHY layer anomalies– Results in misdiagnosis, suboptimal solution
How Faults Propagate in the Network Stack
How Faults Propagate in the Network Stack
Contributions of this paper:
• Attempts to build a unified framework for detecting underlying physical layer anomalies
• Quantifies the effects of different faults on a real network
• Builds statistical detection algorithms for each physical effect and evaluates algorithm effectiveness in a real network testbed
System Architecture
• Provide visibility into PHY layer
• Faults observed by multiple sensors
• Based on an iterative design process– Artificially replicated faults in a testbed– Measured impact of fault at each layer of
network stack
MOJO
• Distributed Physical Layer Anomaly Detection System for 802.11 WLANs
• Design Goals: – Flexible sniffer deployment– Inexpensive, $ + Comms. – Accurate in diagnosing PHY layer root causes– Implements efficient remedies– Near-real-time
Initial Design
• Main components: – Wireless sniffers– Data collection mechanism– Inference engine
• Diagnose problems, Suggest remedies
• Data collection and inference engine initially centralized at a single server
Operation Overview
• Wireless sniffers sense PHY layer– Network interference, signal strength
variations, concurrent transmissions– Modified Atheros based Madwifi driver run on
client nodes
• Periodically transmit a summary to centralized inference engine.
• Inference engine collects information from the sniffers and runs detection algorithms.
Sniffer Placement
• Sniffer placement key to monitoring and detection– Sniffer locations may need to change as
clients move over time– Cannot assume fixed locations, suboptimal
monitoring
• Multiple sniffers, merged sniffer traces necessary to account for missed data
Prototype Implementation
• Uses two wireless interfaces on each client– One for data, the other for monitoring– Second radio receives every frame
transmitted by the primary radio
• Avg. sniffer payload of 768 bytes/packet– 1.3KB of data every 10 sec. – < 200 bytes/sec.
Detection of Noise
• Caused by interfering wireless nodes or non-802.11 devices such as microwave ovens, Bluetooth, cordless phones, …
• Signal generator used to emulate noise source– Node A connected to access point and signal
generator using RF splitter
Node A
Detection of Noise
• Power of signal generator increased from -90 dBm to -50 dBm
• Packet payload increased from 256 bytes to 1024 bytes in 256 byte steps
• 1000 frames transmitted for each power and payload size setting
RTT vs. Signal Power
• RTT stable until -65 dBm
• Beyond -50 dBm 100% packet loss
% Data Frames Retransmitted
• Signal power set to -60 dBm
Time Spent in Backoff and Busy Sensing of Medium
Detection of Noise
• Noise floor sampled every 5 mins. for a period of 5 days in a residential environment.
Hidden Terminal and Capture Effect
• Both caused by concurrent transmissions and collisions at the receiver
• In the Hidden Terminal case, nodes are not in range and can collide at any time
• In Capture Effect, the receivers are not necessarily hidden from one another– Why would they transmit concurrently?
• Contention window set to CWmin (31 usec) on receiving a successful ACK
• Backoff interval selected from contention window
• Clear Channel Assessment time is 25 usec
• 6 usec region of overlap
Hidden Terminal and Capture Effect
• Experiment Setup:– Node B higher SNR
than node A at AP– Node C not visible to
node B or node A– Rate fallback disabled– Node pairs A-B or A-C
generating TCP traffic to DEST node– TCP packets varied in size from 256-1024 Bytes– 10 test runs for each payload size, 5.5 and 11 Mbps
Hidden Terminal and Capture Effect
• Experimental Results
Hidden Terminal and Capture Effect
Detection Algorithm
• Executed on a central server
• Sliding window buffer of recorded data frames
Detection Accuracy
• Time synchronization is essential
• 802.11 time synchronization protocol
• +/- 4 usec measured error
Long Term Signal Strength Variations of AP
• Different hardware = different powers and sensitivities
• Transmit power of AP varied, 100mW, 5mW
Detection Algorithm
• Signal strength variations observed by one sniffer are not enough to differentiate– Localized events, i.e. fading– Global events, i.e. change in TX power of AP
• Multiple distributed sniffers needed
• Experiments show three distributed sensors are sufficient to detect correlated changes in signal strength
Observations From Three Sniffers
AP Power Reduced
Detection Accuracy vs. AP Signal Strength
• AP Power changed once every 5 mins.
Conclusion
• MOJO, a unified framework to diagnose physical layer faults in 802.11 based wireless networks.
• Experimental results from a real testbed• Information collected used to build
threshold based statistical detection algorithms for each fault.
• First step toward self-healing wireless networks?