Embedded Software Platform Used for Detection and Mitigation of a MAC Anomaly in IEEE 802.11n Networks

: IEEE 802.11 standard is largely used anywhere as a cheap way to access internet, but the majority of devices used does not provide a standard way to manage them. Mobile stations competing for access point may causes a general wireless network failure, known as the “MAC Anomaly”. It is presented here an access point with modified firmware, that monitors wireless conections´s quality and has a programmable capability allowing to do network management in a standardized manner, using SNMP for example. In this article, embedded Linux “OpenWRT” installed in a very cheap and reduced size hardware was used. By means of Bourne shell script programming, it is possible to collect all important operating parameters and data of the access point. From this, its possible to gain considerable control over it. IEEE 802.11 (Wi-Fi) access point devices are routers, while embedded Linux has routing capabilities. Thus, it is easy to implement traffic policies by means of Bourne shell script programming. Traffic shapping is one of the acces point´s capabilities successfuly tested and demonstrated in this study. MAC anomaly detection in IEEE 802.11 networks can be easily implemented by means of scripts as well. It was collected and plotted network throughput data, becoming possible to observe MAC anomaly in visual charts. A matemathic model to apply on the collected data of network throughput is under study, aiming to identify the anomaly through calculations. The object of the current study is to integrate everything: Measurements of operation data (network throughput in Mbit/s), identification of the MAC anomaly and its immediate mitigation. The result was the conception of an integrated device to measure, identify and mitigate MAC anomaly in a test field and therefore restore network throughput by representing a gain of 42.5216%.


Introduction
The IEEE 802.11b MAC Anomaly was first introduced by (Heusse et al., 2003). It was demonstrated by means of calculations and simulations of the access methods contained in the MAC layer. The MAC anomaly in IEEE 802.11 networks is explained in section 2. Heusse et al. (2003) gave origins to several other works all around the world. Our objects of study are the works regarding workbench setups to measure, control and mitigate this anomaly. Branquinho et al. (2006) successfully identified and mitigated the MAC anomaly using Signal to Noise Rate (SNR) measures in a controlled workbench environment. Guirardello (2008) demonstrated the possible use of QoS, Quality of Service (Oliveira et al., 2015), to mitigate a MAC Anomaly. An experimental workbench with modified access point firmware in a controled radio environment, with two Wi-Fi client stations connected were used. Peris (2012) used an embedded Linux distribution running in the access point device (DD- WRT Project, 2015). It was applied bandwidth management, a resource found in DD-WRT, to mitigate a MAC Anomaly, but no method to identify it was showed. Beyond the access point device, two other wired servers were used. All operations were done manually. Marques (2013) demonstrated a mathematic model to identify the MAC Anomaly, based on the station´s and access point´s throughput measures. For the first time, a common and accessible setup was used. This enabled a moving of the workbench from the lab to a trial field.
All the works listed above with their positive results, showed opportunities to continue studying the MAC anomaly mitigation. In this article, new equipment and methods are used to have an auto-managed access point that performs measurement, identification and mitigation of MAC anomaly automatically. Thus, a wireless network free of anomaly, in a real world environment will be possible. The workbench model in (Marques, 2013) was chosen as a starting point. Several improvements were added to build a new, cheap, accessible and manageable access point that now is being used in a trial field environment. Table 1 shows the main differences between both systems: The workbench used in this article and the workbench used by (Marques, 2013).
The main contributions of this work goes far beyond the basic system improvements, such as new hardware and the operating system as described in section 4. As in (Marques, 2013), it was also used a Linux platform, introduced with details in section 3. Similar scripts to the ones in (Marques, 2013) were also developed in order to collect connection´s data of the client stations. Data such as throughput in Mbits/s and Radio Signal Strength Indicator (RSSI) in dBm can be collected from the client stations. Data collection is described in detail in section 4.2, 4.3 and 4.4.
After checking the connection quality (Oliveira et al., 2013a;2013b), it becomes possible to perform a test to see if a given station is an offender or not (just in case the MAC Anomaly is installed). A new approach using a new mathematical calculation is being studied. "Lua", a high level scripting language running on the new platform will be used. Details are described in section 4.5.
A Bourne Shell script was successfuly tested to perform offenders´s bad effect mitigation using embedded Linux traffic control resources. To perform this, a filter was applied over the overall traffic, in order to distinguish offending station traffic from the normal one. Afterwards, to reduce the bandwidth of the offending station, "traffic shaping" was applied over the offending traffic, in order to mitigate the anomaly. Acting this way, it is possible to recover the wirelles network normal operation. "Traffic shapping" and scripts are explained in details in section 4.6.
Measurements were taken using up to five client stations connected to an access point. We visually observed up to two simultaneous offenders in the graphics plotted, as shown in section "5.1".
The availability of a low-cost platform, affordable and portable; as well as the achievement of the positive results using it, made possible to proceed with the development of a unique script to integrate: • Measurements of client stations´s throughput • IEEE 802.11 MAC Anomaly detection • Application of "traffic shapping" over the offending traffic to mitigate the MAC Anomaly restoring in this way, the wireless network integrity

IEEE 802.11 MAC Anomaly
As explained by (Heusse et al., 2003), the protocol that governs the MAC is fair to the client stations, giving them an equal oportunity to transmit their frames. The anomaly is installed when one of the connected stations has a poor connection quality, having to retransmit their frames frequently, or having a much lower transmission rate than the others. Surely, when its turn to transmit is reached, it will take longer than the others, forcing all stations to wait, including the access point. When the media is available for a normal station to transmit, it quickly transmits only one frame and starts waiting for the next opportunity. Due to the excessive delays in the media availability caused by the offending station, the well connected stations have their throughput decreased. This scenario causes a general failure in the network that is verified by a serious decrease in the total throughput. One can observe that the total network throughput is leveled beneath, having similar values to the offending station.
IEEE 802.11n standard, a very recent generation o f wireless network, added several powerful technologies to the physical layer in order to enhance signal coverage and increase the transmission rate. Nonetheless, no changes were made to the core of the MAC layer and the MAC Anomaly can still be observed (Zhang et al., 2008;Shrivastava et al., 2008). Recent literature reviews is found in (Lopez-Aguilera et al., 2010) and (Cheng et al., 2007). Embedded Linux is used frequently to study IEEE 802.11 standard behavior: A study of link layer´s MAC is found in (Singh and Sohi, 2008) and a study of energy eficiency is found in (Biazotto et al., 2012).

Embedded Linux for Wi-Fi Routers
As described in (Hallinan, 2006), embedded Linux systems are associated with several key attributes. For example, if the system passes by an electric power outage, it can auto restart its operations without human intervention, acting as an autonomous system. User interface frequently consists of only a serial port and some LEDs.
Embedded systems are not necessarily of small sizes. They can extend to several racks in size, as storage systems does. Dedicated embedded Linux systems are largely used to control data storage. They are called Linux appliances. Embedded Linux can be found in reduced size hardware as well. A good example is a smarphone operated by "Android". Some common characteristics found in embedded systems are: • Is of limited resources: Small memory and no hard drive for example • Has a very simple, or no human interface • Contains a general-purpose microprocessor • Applications are built-in, not installed by end-users • Is presented ready to use, with all hardware and software preinstalled • Human intervention is not supposed to occur, normally are autonomous systems • Especially designed for a specific purpose • Is not used for general purpose, is not a common computer • Low power consuming or is powered by batteries The hypothetical access point in Fig. 1, contains onboard: • A 32-bit RISC processor as its core component.
Often, the processor performs many other functions beyond the traditional CPU. This example contains an integrated UART for a serial interface, an integrated USB and Ethernet controllers • Nonvolatile program and data are stored in flash memory. Main memory is Synchronous Dynamic Random-Access Memory (SDRAM) and might contain from few to hundreds of Megabytes, depending on the application • A real-time clock module, that keeps the time of day preserved by a battery • This example includes an Ethernet and USB interface, as well as a serial port for console access via RS-232. The 802.11 chipset implements the wireless modem function The above text about embedded Linux and the Fig. 1, were adapted from (Hallinan, 2006), page 32 "2.2 Anatomy of an Embedded System".
It is known that Linux is widely used in embedded systems and there has been an upward trend in their use (Palazzi et al., 2010). Besides not requiring user licenses, Linux has powerful programming features (Ingle and Daryapurkar, 2013).
OpenWRT is an embedded Linux distribution, oriented for network support (OpenWRT Project, 2015) and easy to configure. Besides de aforementioned features, OpenWRT was chosen for this work, because of the following: • Native support for programming languages, such as "Lua", Bourne Shell and C • Native support for traffic control with bandwidth management • "iw" command line utility to collect wireless connection data such as: Data transfer rate, Received Signal Strength Indicator (RSSI), Signal to Noise Rate (SNR) and many other data • Has an optional software package to deploy a SNMP agent

Why to Change the Original Firmware
A modified firmware was adopted in this study, instead of using a static, closed and proprietary firmware running on the access point. The modified firmware adoption will enable many features, as described in (OpenWRT Project, 2015): • A complete file system to be freely used in read or write modes • Software package management. As in Linux, packet management frees user from application selection and configuration • Hundreds of software packets are available making possible a system customization to support any kind of application • For developers, OpenWrt provides a framework to build applications having operating system support and tools, like Linux does

OpenWRT and DD-WRT
As well as OpenWRT, DD-WRT (DD- WRT Project, 2015) is an alternative, Open Source Linux embedded firmware that supports a huge list of wirelles access points, from a hundred of vendors. DD-WRT also provides bandwidth management, as used by (Peris, 2012) for MAC anomaly mitigation.

OpenWRT as a Router
OpenWRT was designed specially to work as a router: It operates the wireless access point, routing the traffic originated from the wireless client stations to the wired network. The wired network in it´s turn routes to the internet.
A router has total control over the incoming and outgoing traffic. It has buffers, where the datagrams are enqueued before a decision must be taken on what destination port the datagrams will follow. A routing table is checked to guide the decisions.
In addition to make routing, other kind of processing can be applyed over the incoming or outgoing traffic. Information contained in the TCP/IP headers, can be used to identify the type of traffic. Based on this kind of information, the packets of a given type can pass by a distinguished processing.
"Filters" are applyed over the packets enqueued, based on the information contained in the packet´s headers in order to select a given type of traffic. After classifying traffic by means of a "filter", their packets are stored into separated buffers called "qdiscs" or queue disciplines.
"Policies" are applyed over "qdiscs", becoming possible for example: • To reschedule or drop undesired packets • To chose what port to deliver the packets • Apply delays in order to reduce the throughput of a given type of traffic • Define priority "queues" such as voice or video streaming

OpenWRT as a Programming Environment
What makes OpenWRT a good choice for data data colection, network analysis and traffic control, is it´s support for programming. OpenWRT comes with two scripting languages always pre-installed, because they are part of the system itself: • Busybox (OpenWRT Project, 2015). A set of Linux utility programs, modified to reduce their sizes, in order enable them to run in embedded devices. Obviously, they have reduced funcionality, but have the basics necessary to run well. Busybox also have a command line shell, very similar to Bourne Shell, useful for programming • Lua (Ierusalimschy, 2015) is a high-level and complete script programming language, with numerous features. Lua was used to build part of the OpenWRT itself and at the same time was made available to user environment • Besides these two languages, "LuCI" (OpenWRT Project, 2015) is available as well. LuCI is a programming environment used to build WEB pages for embedded systems. The OpenWRT administrative WEB interface was built using "Lua" and "LuCI" "C" language can be used also, but it is necessary to "Cross-compile" the code. The aforementioned languages are the most used ones. Other languages can be installed, but will require a mid-range hardware.

OpenWRT SNMP Capabilities
OpenWRT has an optional SNMP (Stallings, 1999) software package that can be easily installed and configured. SNMP on OpenWRT provides a framework to deploy remote management by means of very simple scripts. SNMP is a standard largely used for remote management.

Materials and Methods
It is necessary to measure throughput levels on all the connected stations, in order to decide if MAC Anomaly is present or not. If MAC Anomaly is present, throughput levels is forced to decrease on the offending stations, aiming to restore the normal network operation. Traffic shaping technique is used to force a decrease in throughput of the offender stations (Hubert, 2015). The lower is the throughput, the lower will be the interference caused by the offender station on the overall network performance. Thus, the normal network operation is restored, because the total network throughtput returns to the normal level.
The embedded Linux, with programming capability, along with its native traffic control utilities, installed in a reduced size hardware, motivated the choice for this platform. All the three following processes, running in this order, were implemented to run automatically as an integrated program forming an autonomous system: • Bourne shell scripts collect throughput data from all connected stations (Mbits/s) and save to disk files • Run manually the method described in section 4.5 to check if MAC anomaly is present or not. If MAC anomaly is present, identify the offender statation. A plan for near future is to program a Lua script that reads throughput data from file to perform MAC Anomaly detection and identification of the offender stations. SciLab simulation software was used succesfully to validade the future Lua scripts´s logic • If MAC anomaly is present, a Bourne shell script is called passing the hardware address of the offending station as argument. Mitigation is then started. Traffic shaping technique described in section 4.6 is used to force a decrease of throughtput in the offending stations Process 3 is still being started by hand due to the lack of phase 2 that is being performed off-line by graphics visual inspections only. Lua scripts are not running yet. This setup will be used in real world, not at the laboratory. Being of reduced size and wireless, it can be moved to anywhere to perform wireless signal quality analysis.
All of this work is performed above the link layer. MAC sub-layer of link layer, remains untouched in this study. Only network data throughput was measured.
If MAC anomaly is present, the method described in section 4.5 proved to be 100% efficient to detect it. Anomaly can be evoked by placing one connected station far away from the access point, or by setting its transmission rate by hand to a lower value than others. Attenuation of radio signal due to high distance from the access point automatically causes the station´s data transfer rate to decrease. A transfer rate lower than normal is enough to cause an anomaly.

Hardware
There are hundreds of vendors and devices listed in (OpenWRT Project, 2015) hardware compatibility list. Some of them come with an USB interface, where it is possible to connect a pen drive or even an external hard disk. The one chosen for this work has the following characteristics: • Two antennas, MIMO technology • Maximum throughput of up to 300Mbps • Model TL-WR841ND • 4Mb of Flash Memory, 32Mb of RAM • Atheros AR7241 main processor, clock of 400MHz • Atheros AR9287 onboard network interface • OpenWRT firmware The Utility Command "iw" "iw" is a very useful program made available by OpenWRT, that was used in this study to take measures on the wireless connections, as shown by Fig. 2: Iperf Network Performance Tool "Iperf" was installed on OpenWRT access point as a daemon using the "-s"option. On the client stations´s side, it was run in client mode, using the "-c" option. A traffic simulation is necessary before measuring the network´s throughtput.

Scripts Used to Perform Measurements
"BusyBox" shell programming (Bourne Shell alike with reduced functionality) and "iw" command were used to write the scripts that measures network throughput of each connected stations (Mbits/s). The scripts are simple and self explanatory, having ("#") commented lines inside to explain their logic. Only Mbits/s measurements were taken, but many others can be implemented in similiar way these scripts do, as shown by Fig. 3-5.

MAC Anomaly Detection Method
Throughput data files collected by these measures is used to detect the presence of "MAC Anomaly", identifying the offending station as well. Throughput data files are loaded manually in SciLab. Curves of each connected station are plotted. The method relays on the similarity between two curves: If a station´s curve is similar to the network´s total throughtput curve, then the station is not an offender; otherwise it is the offender station and is causing the MAC anomaly. The offending station has a particularity: Comparing it´s throughput curve with the network´s total throughput curve, a very clear opposite image is observed. Only visual inspections of the graphs is used as a MAC Anomaly identification method.  Comparisons between each stations´s throughput curves with the networks´s total throughput curve indicates if MAC Anomaly is installed or not and identifies the offending station as well.
If total network´s total throughput decreases while a certain station´s throughput increases, or vice-versa, we can say that anomaly is installed and this is the offending station.
The throughput of the offending station varies in the opposite way to the network´s total. This method is well described by (Marques, 2013). This behavior can be observed visually in the figures presented in section 5.

Traffic Shaping Script
The more a offending station generates traffic, the more it will cause anomaly. Traffic shaping is the method used here to mitigate the MAC Anomaly restoring the normal network operation. This action will increase total network throughput to the same level as before. The objective is to reduce the throughput of the offending station to a lower level. Thus, it will not affect the rest of the network, still having opportunitty to transmit.
A complete explanation of the traffic shaping process can be found in (Hubert, 2015), one of the most referenced documents about traffic control. A small and simple script to implement traffic shapping was developed and presented in Fig. 6. The script logic is explained as follows: • First of all, it is necessary to have the MAC address of the offending station to be passed as command line argument to the script. It is used the MAC address of the station identified as a offender by the method described in section 4.5. • Create a table using the command "iptables". This table will pick-up all incoming packets and mark them if the MAC address matches with the one passed as command line argument • Create an ingress "qdisc" (queue discipline). Ingress qdiscs are used to specify traffic of incoming type • Create a filter and apply it to qdisc. The relationship between the filter and the qdisc is specified using the "parent" clause that contais the qdisc id "ffff:". The filter will select only the packets marked by "iptables", i.e., from the offender station. The relation between "filter" and "iptables" is specified by the "handle 1" clause • Apply a police on these packets. The police will do the following: Put all packets in a buffer of size 10k bytes. Forward them only if the buffer is not full at a rate of 250kbit/s. If the buffer is full and more packets arrive, they will be dropped. The incoming dropped packets, won´t be lost. After not receiving an ACK during a period of time, the transmitter will lower its transmition rate and retransmit the packets dropped by this polic

Putty, WinSCP and SciLab
Putty: Running as ssh, it was used to start and stop the measuring and traffic shape scripts. Also to do all the configurations on the OpenWRT. The Luci Graphical User Interface was not used.
WinSCP: The results were saved in OpenWRT itself, but due to its reduced memory, WinSCP was used to transfer the data, in order to process them in SciLab.
SciLab: It was used to merge all the station´s data and build the graphics using its programming language.

MAC Anomaly Detection
Set of Fig. 7-9 are showing a scenario with two stations connected: A and B. The total network throughput curve (A+B) is superposed with the station A and "B" throughput curves in Fig. 7. Figure 8 compares station "A" throughput curve with network´s total separately and Fig. 9 does the same with station B. As explained in section 4.5, our goal is to check if anomaly is present or not, identifying the offender as well. Anomaly is shown at time interval of 130-150s, were a throughput level decrease is observed. The station under 5 Mbits/s is the offender, because his curve is exactly the opposite image of the network´s total curve (Fig. 9). The other station above 20 Mbits/s has its curve very similar to the network total, then it is not an offender (Fig. 8).
Set of Fig. 10-15 are showing a scenario with five stations connected: Two are offenders and 3 are normal. Anomaly is shown at time interval of 60-120s, when a total network throughput decrease is observed (Fig. 10). Separately comparisons between each station´s throughput curves against network´s total throughput are shown in Fig. 11-15; aiming to identify the ofending stations that are causing the MAC anomaly.

MAC Anomaly Mitigation
Set of Fig. 16-18 shows a scenario with two stations connected, anomaly installed. Throughput curves were superposed: Network total, normal station and offending station in Fig. 16. Figure 17 compares a normal station against network, showing very similar curves. Figure 18 compares offending station against network, showing oposite images. At the moment of 200s, traffic shapping was applied to mitigate anomaly restoring the network´s normal operation. A strong total network throughput is observed. Offending station throughput was forced to decrease by traffic shaping. Stopped traffic shapping to demonstrate that the anomaly came back at 360 sec.

Discussion and Conclusion
The goal to maintain the network throughput at its original workable level, when the MAC anomaly is present, was achieved with success. Processes to monitor, identify and mitigate MAC anomaly was used to achieve this goal.
Data throughput measurements were implemented, tested and used with success. This enabled analysis of the network conditions and identification of MAC anomaly by visual inspections the graphics.
Mitigation of MAC anomaly was implemented with success, using traffic shaping technique by means of a script running in embedded Linux.
Considering the current state of the art, it was verified the possibility to deploy a hardware and software platform of reduced cost and reduced hardware, using embedded Linux to identify and mitigate the IEEE 802.11 MAC Anomaly. It was successfully demonstrated the effect of traffic shaping applied to mitigate the MAC anomaly, in order to restore the normal network operation. A mathematic model that uses measured throughput data to identify the offender station by the similarity or opposition of its throughput curve to the network´s total throughput is being studied. Afterwards, a shell script to automate the process of identification will be written. A computer program to be run in OpenWRT, integrating all the steps: Throughput data measurement, MAC anomaly identification and mitigation will be implemented. Figure 16 displays the total throughput in red, by taking a closer look, it was possible to assess a gain while the mitigation through traffic shaping took place of 42.5216% or 7.781465 Mbits/s. Given that the average throughput, in the periods before, from 0 to 199s and after, from 361s to 491s the total average throughput was of 18.300012Mbits/s, whereas the interval using the referred mitigation the average throughput was of 26.081476Mbits/s.

Funding Information
The authors have no support or funding to report.

Author's Contributions
Argemiro Bevilacqua and Vitor Chaves de Oliveira: Conception and design, write computer programs, data acquisition, implement/test the traffic shaping method, analysis and interpretation of data. Configure and test the embedded Linux setup. Write the draft article. Studies about the subject and experiments development.
Gunnar Bedicks Jr.: Conception and design of data modeling, analysis and interpretation of data. General guidance on the concepts of radio systems. Orientation in statistical graphics procedures. Contributed to the writing of the manuscript.
Contributed to the establishment of experiments schema. Important review contributions.
Alexandre de Assis Mota and Lia Toledo Moreira Mota: Conception and design of data modeling, analysis and interpretation of data. General guidance on the concepts of MAC Anomaly, traffic shaping method, analysis and interpretation of data. Orientation in statistical graphics procedures. Contributed to the writing of the manuscript. Establishment of good programming practice and program design issues. Important review contributions.

Ethics
This article is original and contains unpublished material. The corresponding author confirms that all of the other authors have read and approved the manuscript and no ethical issues involved.