MOJO: A Distributed Physical Layer Anomaly Detection System for 802.11 WLANs


Page 1: MOJO:  A Distributed Physical Layer  Anomaly Detection System  for 802.11 WLANs

MOJO: A Distributed Physical Layer Anomaly Detection System for 802.11 WLANs

Richard D. Gopaul

CSCI 388

Page 2

Authors

• Anmol Sheth

• Christian Doerr

• Dirk Grunwald

• Richard Han

• Douglas Sicker

Department of Computer Science

University of Colorado at Boulder

Boulder, CO, 80309

Page 3

Problem

• Existing 802.11 deployments provide unpredictable performance

• 802.11 Wireless Networks
  – Cheap
  – Easy to deploy

• Two Classes
  – Planned deployments (large companies)
  – Small scale chaotic deployments (home users)

Page 4

Reasons for Unpredictable Performance

• Noise and Interference
  – Co-channel interference, Bluetooth, Microwave Oven,

• Hidden Terminals
  – Node location, Heterogeneous Transmit Powers

• Capture Effects
  – Simultaneous transmission

• MAC Layer limitations
  – Timers, Rate adaptation, …

• Heterogeneous Receiver Sensitivities

Page 5

Problems With Existing Solutions

• Wireless networks encounter time-varying conditions
  – A single site survey is not enough

• Cannot distinguish or determine root cause of problem
  – Existing tools for diagnosing WLANs only look at MAC layer and up
  – Aggregate effects of multiple PHY layer anomalies
  – Results in misdiagnosis, suboptimal solution

Page 6

How Faults Propagate in the Network Stack

Page 7

How Faults Propagate in the Network Stack

Page 8

Contributions of this paper:

• Attempts to build a unified framework for detecting underlying physical layer anomalies

• Quantifies the effects of different faults on a real network

• Builds statistical detection algorithms for each physical effect and evaluates algorithm effectiveness in a real network testbed

Page 9

System Architecture

• Provide visibility into PHY layer

• Faults observed by multiple sensors

• Based on an iterative design process
  – Artificially replicated faults in a testbed
  – Measured impact of fault at each layer of network stack

Page 10

MOJO

• Distributed Physical Layer Anomaly Detection System for 802.11 WLANs

• Design Goals:
  – Flexible sniffer deployment
  – Inexpensive, $ + Comms.
  – Accurate in diagnosing PHY layer root causes
  – Implements efficient remedies
  – Near-real-time

Page 11

Initial Design

• Main components:
  – Wireless sniffers
  – Data collection mechanism
  – Inference engine

• Diagnose problems, Suggest remedies

• Data collection and inference engine initially centralized at a single server

Page 12

Operation Overview

• Wireless sniffers sense PHY layer
  – Network interference, signal strength variations, concurrent transmissions
  – Modified Atheros based Madwifi driver run on client nodes

• Periodically transmit a summary to centralized inference engine.

• Inference engine collects information from the sniffers and runs detection algorithms.

Page 13

Sniffer Placement

• Sniffer placement key to monitoring and detection
  – Sniffer locations may need to change as clients move over time
  – Cannot assume fixed locations, suboptimal monitoring

• Multiple sniffers, merged sniffer traces necessary to account for missed data

Page 14

Prototype Implementation

• Uses two wireless interfaces on each client
  – One for data, the other for monitoring
  – Second radio receives every frame transmitted by the primary radio

• Avg. sniffer payload of 768 bytes/packet
  – 1.3KB of data every 10 sec.
  – < 200 bytes/sec.

Page 16

Detection of Noise

• Power of signal generator increased from -90 dBm to -50 dBm

• Packet payload increased from 256 bytes to 1024 bytes in 256 byte steps

• 1000 frames transmitted for each power and payload size setting

Page 17

RTT vs. Signal Power

• RTT stable until -65 dBm

• Beyond -50 dBm 100% packet loss

Page 18

% Data Frames Retransmitted

• Signal power set to -60 dBm

Page 19

Time Spent in Backoff and Busy Sensing of Medium

Page 20

Detection of Noise

• Noise floor sampled every 5 mins. for a period of 5 days in a residential environment.

Page 21

Hidden Terminal and Capture Effect

• Both caused by concurrent transmissions and collisions at the receiver

• In the Hidden Terminal case, nodes are not in range and can collide at any time

• In Capture Effect, the receivers are not necessarily hidden from one another
  – Why would they transmit concurrently?

Page 22

Hidden Terminal and Capture Effect

• Contention window set to CWmin (31 usec) on receiving a successful ACK

• Backoff interval selected from contention window

• Clear Channel Assessment time is 25 usec

• 6 usec region of overlap

Page 23

Hidden Terminal and Capture Effect

• Experiment Setup:
  – Node B higher SNR than node A at AP
  – Node C not visible to node B or node A
  – Rate fallback disabled
  – Node pairs A-B or A-C generating TCP traffic to DEST node
  – TCP packets varied in size from 256-1024 Bytes
  – 10 test runs for each payload size, 5.5 and 11 Mbps

Page 24

Hidden Terminal and Capture Effect

• Experimental Results

Page 25

Detection Algorithm

• Executed on a central server

• Sliding window buffer of recorded data frames

Page 26

Detection Accuracy

• Time synchronization is essential

• 802.11 time synchronization protocol

• +/- 4 usec measured error
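
An added illustration (not code from the MOJO authors) of how a central server could scan a sliding window of merged sniffer frame records for concurrent transmissions, the common cause of the hidden terminal and capture effects. The record layout, the window length, and the use of twice the +/- 4 usec sync error as an overlap guard are assumptions; the frame records are constructed.

```python
from collections import deque
from typing import NamedTuple

SYNC_ERR_US = 4              # measured sniffer clock error (from the slide)
GUARD_US = 2 * SYNC_ERR_US   # assumption: two clocks off in opposite directions
WINDOW_US = 50_000           # assumption: length of the sliding window

class Frame(NamedTuple):     # hypothetical record layout for a sniffer summary
    sniffer: str
    tx: str                  # transmitter
    seq: int                 # 802.11 sequence number
    start_us: int            # synchronized timestamp of frame start
    dur_us: int              # airtime of the frame

def merge(records):
    """Merge sniffer traces by time; drop copies of one frame heard by several sniffers."""
    last_seen, merged = {}, []
    for f in sorted(records, key=lambda r: r.start_us):
        prev = last_seen.get((f.tx, f.seq))
        if prev is not None and f.start_us - prev <= GUARD_US:
            continue         # same frame from another sniffer, not a retransmission
        last_seen[(f.tx, f.seq)] = f.start_us
        merged.append(f)
    return merged

def concurrent_pairs(records):
    """Return (tx1, seq1, tx2, seq2, overlap_us) for frames whose airtime overlaps."""
    window, hits = deque(), []
    for f in merge(records):
        while window and window[0].start_us < f.start_us - WINDOW_US:
            window.popleft()
        for g in window:
            overlap = g.start_us + g.dur_us - f.start_us
            if g.tx != f.tx and overlap > GUARD_US:
                hits.append((g.tx, g.seq, f.tx, f.seq, overlap))
        window.append(f)
    return hits

# Constructed sample: A and C collide; B starts 5 usec before C ends, which is
# inside the clock-error guard and therefore not reported.
SAMPLE = [
    Frame("s1", "A", 10, 1000, 400),
    Frame("s2", "A", 10, 1003, 400),
    Frame("s2", "C", 7, 1200, 400),
    Frame("s1", "B", 3, 1595, 300),
]

if __name__ == "__main__":
    print(concurrent_pairs(SAMPLE))
```

The guard shows why the slide calls time synchronization essential: with unsynchronized sniffer clocks, the 5 usec apparent overlap between C and B could not be told apart from a real collision.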

Page 27

Long Term Signal Strength Variations of AP

• Different hardware = different powers and sensitivities

• Transmit power of AP varied, 100mW, 5mW

Page 28

Detection Algorithm

• Signal strength variations observed by one sniffer are not enough to differentiate
  – Localized events, i.e. fading
  – Global events, i.e. change in TX power of AP

• Multiple distributed sniffers needed

• Experiments show three distributed sensors are sufficient to detect correlated changes in signal strength
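
An added sketch (not the authors' algorithm) of a threshold-based check that separates a global event from a localized one by comparing the AP's mean signal strength at three sniffers before and after a candidate change point. The 5 dB threshold, the known split index, and the RSSI samples are assumptions constructed for illustration.

```python
from statistics import mean

SHIFT_DB = 5.0     # assumption: smallest mean RSSI change treated as a shift
MIN_SNIFFERS = 3   # slide: three distributed sensors are sufficient

def shift(series, split):
    """Change in mean RSSI (dB) between the samples before and after `split`."""
    return mean(series[split:]) - mean(series[:split])

def classify(rssi_by_sniffer, split):
    """Return ('global' | 'local' | 'none', per-sniffer shifts) for one AP."""
    if len(rssi_by_sniffer) < MIN_SNIFFERS:
        raise ValueError("one or two sniffers cannot separate local from global events")
    shifts = {s: shift(v, split) for s, v in rssi_by_sniffer.items()}
    moved = [d for d in shifts.values() if abs(d) >= SHIFT_DB]
    if not moved:
        return "none", shifts
    same_direction = all(d < 0 for d in moved) or all(d > 0 for d in moved)
    if len(moved) == len(shifts) and same_direction:
        return "global", shifts   # correlated at every sniffer: AP TX power changed
    return "local", shifts        # seen by some sniffers only: e.g. fading near them

# Constructed samples (dBm). 100 mW to 5 mW is about a 13 dB drop in TX power.
AP_POWER_DROP = {
    "s1": [-50, -51, -49, -50, -63, -62, -64, -63],
    "s2": [-60, -61, -60, -59, -73, -72, -74, -73],
    "s3": [-70, -69, -71, -70, -82, -83, -81, -82],
}
LOCAL_FADE = {
    "s1": [-50, -51, -49, -50, -63, -62, -64, -63],
    "s2": [-60, -61, -60, -59, -60, -61, -59, -60],
    "s3": [-70, -69, -71, -70, -70, -71, -69, -70],
}

if __name__ == "__main__":
    print(classify(AP_POWER_DROP, 4)[0], classify(LOCAL_FADE, 4)[0])
```

Sniffer s1 sees the same 13 dB drop in both samples, so its trace alone cannot tell the two events apart; only the other two sniffers' readings decide the label.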

Page 29

Observations From Three Sniffers

AP Power Reduced

Page 30

Detection Accuracy vs. AP Signal Strength

• AP Power changed once every 5 mins.

Page 31

Conclusion

• MOJO, a unified framework to diagnose physical layer faults in 802.11 based wireless networks.

• Experimental results from a real testbed

• Information collected used to build threshold based statistical detection algorithms for each fault.

• First step toward self-healing wireless networks?