
On the exploitation of CDF based wireless scheduling

2013, Computer Networks

Channel-aware scheduling strategies, such as the CDF scheduler (CS) algorithm, provide an effective mechanism for utilizing the channel data rate for improving throughput performance in wireless data networks by exploiting channel fluctuations. A highly desired property of such a scheduling strategy is that its algorithm is stable, in the sense that no user has an incentive to "cheat" the algorithm in order to increase his/her channel share (at the expense of others). Considering a single user, we show that no such user can increase his/her channel share by misreporting the channel capacity. In contrast, considering a group of users, we present a scheme by which coordination allows them to gain a permanent increase in both their time slot share and their throughput, at the expense of others, by misreporting their rates. We show that for large populations consisting of regular and coordinated users in equal numbers, the ratio of allocated time slots between a coordinated and a regular user converges to e − 1 ≈ 1.7. Our scheme targets the very fundamental principle of CS (as opposed to just attacking implementation aspects), which bases its scheduling decisions on the Cumulative Distribution Function (CDF) of the channel rates reported by users. Our scheme works both for the continuous channel spectrum and the discrete channel spectrum versions of the problem. Finally, we outline a modified CDF scheduler immune to such attacks.

Udi Ben-Porat (a,*), Anat Bremler-Barr (b), Hanoch Levy (c)

(a) Computer Engineering and Networks Laboratory (TIK), ETH Zurich, Switzerland.
(b) Computer Science Dpt., Interdisciplinary Center, Herzliya, Israel.
(c) Computer Science Dpt., Tel-Aviv University, Tel-Aviv, Israel.
(*) Corresponding author.

Preprint submitted to Computer Networks, December 2, 2012.

Keywords: Wireless, Cellular, MAC layer, CDF, Scheduling, Fairness, DDoS, Attack, Exploit.

1. Introduction

High-speed wireless networks are becoming increasingly common and, along with that, the strategy of scheduling the high-speed data, which is vital to the performance of modern wireless systems, has become the subject of active research. Modern wireless network standards such as HSDPA [1] and EV-DO [2] [3] allow a new generation of channel-aware schedulers, such as the Proportional Fairness [4] [5] and the CDF scheduler [6], which improve throughput performance by exploiting channel fluctuations while maintaining fairness between the users.

The CDF Scheduler (CS) makes scheduling decisions based on the Cumulative Distribution Functions (CDFs) of the users in such a way that in every time slot the user whose rate is the least probable to become higher is scheduled for transmission. An important property of this scheduler is that it statistically allocates all users an equal number of slots while smartly utilizing the knowledge of channel capacity to dynamically select at every moment the more attractive (higher capacity) users. A distinctive feature of this algorithm is that it allows predicting the exact throughput for each user based on his/hers CDF alone, regardless of changes in the channel rate distribution of other users. (From now on we use "he" and "his" to mean "she/he" and "hers/his" for the sake of reading flow.) These features and its simple notion of fairness (equal time share) make CS an attractive alternative to the Proportional Fairness Scheduler (PFS) [4]. Recent studies [7] [8] revealed the vulnerability of PFS to delays/jitter and loss of throughput caused by malicious users who provide false channel capacity reports. In this paper the vulnerability of the CDF scheduler to threats of non-conforming opportunistic users as well as malicious users is investigated for the first time.

One of the main roles of a resource allocation mechanism is to ensure fairness of the allocation under the assumption that every user aims at increasing his own allocation. Furthermore, it is highly important that the scheduler will be resilient to users who may try to increase the resources allocated to them by not fully conforming with the protocol rules. The objective of this work is to study this problem. Namely, whether a user, or a group of users, can mislead the CDF scheduler by providing false channel capacity reports and use it to increase the amount of resources allocated to them.

Every modern channel-aware scheduler must allow a temporary state of unfairness in order to utilize a temporary exceptionally good channel condition of one of the users. Nevertheless, it is still expected that in the long run, that is, in the steady state, fairness is enforced. For example, in [7] the authors presented an attack on PFS in which a starved user can suddenly report an exceptionally good channel condition and temporarily be granted high priority, which causes other users to experience jitter. However, in the long run, the fairness that PFS is meant to ensure is kept. In this work, we show that the CDF scheduler can be attacked by malicious and selfish users who gain a permanent advantage over other users. That is, the time share fairness that the CDF scheduler is meant to ensure is not kept even in the steady state. We show that this is a fundamental weak point of the CDF scheduler regardless of its exact implementation.

To this end we show that the CDF algorithm is resilient against "attacks" produced by a single user. That is, a single user can increase neither the number of slots nor the bandwidth allocated to him by providing misleading information about his channel capacity.
We then show that, nonetheless, a group of coordinated users who collaborate with each other can increase both the number of slots and the bandwidth allocated to each of them. That is, while the scheduler is designed to counter an independent selfish behavior of a single user, its design does not take into account the possibility of a coordinated group of users. The capacity announcement strategy used by the coordinated users is very simple and requires only knowledge of each other's capacity. We conduct the analysis of this strategy and derive its performance gains. The analysis is carried out both for the continuous rate distribution model (Section 3) and the discrete rate distribution model (Section 4). Our results show that the gain that such non-conforming users can achieve may be as high as 28% in a typical system configuration (30 users). Furthermore, the ratio between the slot allocation of a coordinated user and a regular user can reach e − 1 ≈ 1.7.

We further consider coordinated malicious users. These aim at reducing the performance of the regular users, not caring about their own performance. We show that the channel share loss that the regular innocent users suffer can be as high as 48% in a typical system configuration.

The attack algorithm we show exploits the stochastic worst case traffic pattern of multiple users that can be applied to the system. This type of attack is demonstrated in the Reduction of Quality (RoQ) attacks papers [9, 10, 11]. RoQ attacks target the adaptation mechanisms by hindering the adaptive component from converging to steady-state. This is done by sending, from time to time, a very short burst of surge demand imitating many users and thus pushing the system into an overload condition. Using a similar technique, Kuzmanovic and Knightly [12] presented the Shrew Attack, which is tailored and designed to exploit TCP's deterministic retransmission timeout mechanism.
Another example of an attack exploiting the stochastic worst case is given in [13, 14]. There it is shown that Weighted Fair Queueing (WFQ), a commonly deployed mechanism to protect traffic from DDoS attacks, is ineffective in an environment consisting of bursting applications such as the Web client application. The paper [15] shows an attack on the SSL handshake, by requesting hard SSL requests again and again.

The rest of the paper is organized as follows: After the model and preliminaries given in Section 2, Section 3 analyzes non-conformist users under the continuous rate distribution, and Section 4 does it under the discrete rate distribution. In Section 5 we analyze the loss for regular users caused by coordinated and malicious users in the practical discrete model. Finally, in Section 6 we outline a modified CDF Scheduler immune to selfish or malicious behavior. Note that a short abstract of this work has been presented at [16].

2. Assumptions, Model and Preliminaries

In the scheduling models discussed in this work, time is slotted into slots $t = 1, 2, \dots$ and the possible channel rates are arbitrary and non-negative. The rate at which user $k$ can transmit at time slot $t$ is given by $R_k(t)$. $R_k(t)$ is distributed according to a random variable $R_k$ associated with user $k$, whose CDF is $F_{R_k}(r) = \Pr[R_k \le r]$. $R_k(t)$ is a stationary random process assumed to be independent of $R_k(t')$ for any $t \ne t'$ and of $R_j(t')$ for any $j \ne k$ and any $t'$. At each slot $t$, each user $k$ announces to the scheduler his actual value $R_k(t)$. The scheduler may compute the distribution $F_{R_k}(r)$ from the past reports of user $k$. Note that we demonstrate the vulnerability of CS without targeting a weak point in the inferring mechanism, therefore throughout the paper we assume the scheduler has the precise CDF functions of the channel rates reported by users.
At time $t$, the scheduler can use both the studied $F_{R_k}(r)$, $k = 1, \dots, K$ and the current user rates $R_k(t)$, $k = 1, \dots, K$ to decide to which user to transmit at slot $t$. The rate at which the server will transmit to the selected user, say $k$, is $R_k(t)$.

3. The Basic Problem: Dealing with Continuous Rate Distributions

In this section we assume that all the channel rate distributions are continuous, that is, the distribution functions do not contain mass values (i.e. $F_{R_k}(r)$ is differentiable and $\Pr[R_k = x]$ equals zero for every $x$). Later, in Section 4, we will deal with discrete (and mixed) probability functions.

3.1. Scheduling Algorithm

The basic CDF Scheduler (CS), aiming at dealing with continuous distributions, was introduced in [6] and operates as follows. Recall that $R_k(t)$ is the actual channel capacity of user $k$ at time slot (TS) $t$ and let $k^*(t)$ be the user selected for data transmission. The scheduler selects $k^*(t)$ to be the user for which $P[R_k > R_k(t)]$ is the smallest among all users. That is, the user whose rate is the least probable to become higher, namely: $k^*(t) = \arg\max_k \{F_{R_k}(R_k(t))\}$, where $F_{R_k}(r) = P[R_k \le r]$.

The original scheduler definition [6] includes the option to assign each user a special weight $w_k$ according to $k^*(t) = \arg\max_k \{F_{R_k}(R_k(t))^{1/w_k}\}$, but for the sake of simplicity we omit the weight factor and assume the Base Station (BS) serves the users equally. For notational simplicity we define $V_k(t) = F_{R_k}(R_k(t))$ and, since $k^*(t) = \arg\max_k \{V_k(t)\}$, we will refer to $V_k(t)$ as the priority value assigned to user $k$ at TS $t$.

The CDF scheduler relies on a well-known property of CDF functions to ensure time share fairness: the CDF function of every continuous random variable $X$ is distributed uniformly, $F_X \sim \mathrm{Uniform}(0, 1)$. That is, the priority value of every user $k$ is distributed uniformly, $V_k \sim \mathrm{Uniform}(0, 1)$, regardless of the distribution of $R_k$. Therefore, all users have an equal chance to obtain the highest priority value and hence time-share fairness is maintained.

3.2. Misreporting of channel rates cannot benefit a single user

The idea of users reporting a fake channel rate to exploit the properties of a channel-aware scheduler was already introduced in [8]. The users can fake the channel rate by modifying their laptop's 3G PC cards, either through the accompanying software development kit or the device firmware. The providers cannot detect it, even if they attempt tamper-proof techniques [8]. Nevertheless, we prove that under the CDF scheduler, it is impossible for one user to benefit from an additional time share or throughput by misreporting his channel condition. We show that this result stems from the fundamental characteristics of the CDF scheduler which are common to both the continuous and the discrete models (Section 4).

Theorem 1. If a user has no knowledge of the reports of others, then no strategy can benefit him with long-run additional time share.

Proof: The CDF function of every continuous random variable $X$ is distributed uniformly, $F_X \sim \mathrm{Uniform}(0, 1)$, regardless of its distribution. Therefore, since the channel condition reports issued by the users are independent of each other, the priority value of every user is a random number between zero and one. Hence, every user has an equal probability to win a time slot. Therefore, all users receive (in the steady state) the same amount of time share $\frac{1}{N}$, where $N$ is the number of users in the system. ∎

Note that the proof for Theorem 1 does not hold for a user who coordinates with other user(s), because then the channel reports of the users are no longer independent.

In addition to Theorem 1, under both continuous and discrete models, there is no misreporting strategy that allows a user to achieve higher throughput than what he would get by always reporting his real rate. Due to its length, the formal proof of this claim (under the discrete model, which is the model used in practice) is placed in the Appendix. Nevertheless, we give here an intuitive explanation for the validity of this claim (under both continuous and discrete models).

A false reports strategy can involve reporting a fake high rate when the real rate is lower and vice versa. Reporting a fake high channel rate might increase the priority values in some of the time slots in which the real rate is low. However, it makes the high rates reported by the user less exceptional than they really are and hence decreases the priority value when the user truly experiences and reports a high rate. Such behavior is not beneficial, since increasing the priority value of some low-rate time slots at the expense of the priority value of high-rate time slots never benefits the user.

Reporting a rate lower than the real rate also has both negative and positive effects. The positive effect is that such behavior makes other time slots, in which the user reports the truth about his high rate, look more exceptional. Hence, the user will have an increased priority value in these time slots. The negative effect is that in the time slots in which he fakes a low rate, the user has a lower priority value than if he reported the truth. In addition, even if he is assigned for transmission, the transmission rate will fit his report and will be lower than what his real channel condition can support. In the formal proof we show that this negative effect overshadows the positive effect. Hence, to summarize it in one sentence, sacrificing some of the high rate slots to increase the priority value in the rest never pays off.

Finally, we can conclude that since no strategy can benefit the user with either additional throughput or time share, the best strategy for one user is to always report his real rate.

3.3. Coordinated Users Strategy

We next deal with a group of non-conforming opportunistic users who coordinate their actions and reporting in order to increase their time and throughput shares. In the previous section we explained that the negative effects of a misreporting strategy exceed its benefit when one user acts on his own. In this section we describe a cooperation scheme in which a group of users can gain additional time share and throughput while avoiding the negative effects that reporting a false channel condition may cause.

Let $C$ be a group of $|C| = L$ coordinated users and let $N$ be the number of additional regular users in the network. Each one of the coordinated users knows if his rate is the least probable to be higher (and therefore will get the highest scheduling priority) in $C$ before reporting to the BS. Let $c^*(t)$ be the user with the highest CDF value in the group at time $t$. Formally, $c^*(t) = \arg\max_c \{F_{R_c}(R_c(t))\}$ where $c \in C$. The reporting strategy is simple: at time slot $t$ user $c^*$ will be the only one acting normally (reporting his real channel rate $R_{c^*}(t)$) while all others report zero. The users share their CDF value, so each user knows if he is $c^*$ or not.

The coordinated users strategy can be implemented using a low bandwidth medium/side channel that allows the users to share this small amount of information. For example, a big factory using a designated private (low rate and cost) wireless network to coordinate the access points used by its employees in order to gain more throughput for its users. Note that in Section 5 we describe a malicious strategy that does not require any communication between the users during the attack and causes even greater damage to the system than the coordinated strategy described here.

3.4. Analysis of the Coordinated Users Share

Let $R'_c$ be the R.V. of the reported channel rate by user $c$ when he follows the coordination strategy. Recall that $R_c(t)$ is the real channel rate of user $c$ at TS $t$, therefore $R'_c = R_c$ if the user behaves normally.

Lemma 1. $F_{R'_c}(r) = G(F_{R_c}(r))$ where

$$G(x) = \frac{L-1}{L} + \frac{1}{L} x^L \qquad (1)$$

and $c \in C$.

Proof: Let $E_r$ be the event where user $c \in C$ reports to the BS a channel rate less than $r$ ($R_c(t) < r$). Let $WIN$ be the event where user $c$ is the chosen user in $C$ to report his real channel rate, therefore:

$$F_{R'_c}(r) = (1 - P[WIN])\,P[E_r \mid \neg WIN] + P[WIN]\,P[E_r \mid WIN] \qquad (2)$$

Every time slot each coordinated user has an equal probability to be the one reporting his real channel rate, therefore $P[WIN] = \frac{1}{L}$. If $c$ is not chosen to report his real rate, then he reports the minimal channel rate, therefore for every $r$, $P[E_r \mid \neg WIN] = 1$. Now all that is left is to compute $P[E_r \mid WIN]$. Let R.V. $Y$ be $Y(t) = \max_j \{F_{R_j}(R_j(t)) \mid j \in C\}$. Since $F_{R_j}$ is a CDF, $P[F_{R_j} < x] = x$ and we get $P[Y < y] = y^L$. This is true regardless of the ID of $j$ for whom $F_{R_j}(R_j(t)) = Y(t)$, therefore $P[Y < y] = P[Y < y \mid WIN] = y^L$. According to the strategy, if $c$ reports less than $r$ and he is the chosen user (event $E_r \wedge WIN$) then his real channel rate $R_c(t)$ must be less than $r$, which means that $F_{R_c}(R_c(t)) < F_{R_c}(r)$. Given $WIN$, $F_{R_c}(R_c(t)) = \max_j \{F_{R_j}(R_j(t)) \mid j \in C\} = Y(t)$, and according to what we just showed we get $(E_r \wedge WIN) \iff F_{R_c}(R_c(t)) < F_{R_c}(r) \iff (Y(t) < F_{R_c}(r))$, so $P[E_r \mid WIN] = P[Y(t) < F_{R_c}(r)] = (F_{R_c}(r))^L$, since $P[Y < y \mid WIN] = y^L$ as we showed earlier. According to Equation 2 and the conditional results we showed, we get Equation 1. ∎

Recall that $V_c(r) = F_{R_c}(r)$ is the priority value of user $c$ for reporting channel rate $r$ to the BS when he behaves normally (always reporting his real channel rate). Now let $V'_c(r) = F_{R'_c}(r)$ be the priority value he gets for $r$ when following the coordination strategy; then according to Lemma 1 we get that:

$$V'_c(r) = G(V_c(r)) \qquad (3)$$

Before we analyze the benefit from coordination, we first prove that it can never harm (and hence only benefit) the coordinating users.

Theorem 2. A user following the coordination strategy will still win every time slot that he would have won if he behaved normally. Therefore, his throughput and time share can only be increased when following the coordination strategy.

Proof: Assume user $c_0$ obtains the highest priority value when all the users in the system behave normally. Therefore, $c_0 = k^*(t) = \arg\max_k \{V_k(R_k(t))\}$. Since also $c_0 = c^*(t)$, when following the strategy, $c_0$ will be the user from $C$ reporting his real rate in this time slot. A simple function analysis can show that $G(x) > x$ for $x \in (0, 1)$. Therefore, according to Lemma 1, the priority value he gets, $V'_{c_0}(r) = G(V_{c_0}(r))$, is greater than $V_{c_0}(r)$, which is greater than the priority values of all other users. Therefore, he still obtains this time slot when following the strategy. ∎

Figure 1: The Y-axis is the CDF value evaluated by the base station ($F_{R'_c}(r)$) as a function of the real CDF values that would have been evaluated without coordinating with other users ($F_{R_c}(r)$). [Plot "Gain from Coordination"; X-axis: Real CDF Value ($F_{R_c}$); Y-axis: CDF Value Evaluated by the Scheduler ($F_{R'_c}$); curves: No Coordination, L=2 Coordinated Users, L=5 Coordinated Users.]

Fig. 1 depicts the gain from following the coordination scheme based on Eq. 1. For example, let $r_0$ be a rate with a corresponding CDF value of $F_{R_c}(r_0) = 0.4$. That is, in reality, 40% of the time the channel rate of the user is $r_0$ or lower. For normal users, who always report their real rates, the scheduler evaluates their real CDF value $F_{R'_c}(r) = 0.4$, as the solid curve (labeled No Coordination) shows. If the user coordinates with another user, $L = 2$, then, as the dotted curve shows, the scheduler evaluates a CDF value of 0.58 instead of 0.4. As seen in the dashed curve, $L = 5$, when he cooperates with four other users, his priority value will be 0.802 instead of 0.4.

As explained in the proof of Lemma 1, when a user coordinates with $L - 1$ other users, he is expected to report a zero channel rate $(L-1)/L$ of the time. Therefore, when he finally reports a non-zero rate $r > 0$, then $F_{R'_c}(r) = \mathrm{Prob}(R'_c < r) > (L-1)/L$. This explains why the values of the non-solid curves in Fig. 1 are greater than $(L-1)/L$. For example, assume a system with three users, $U_1$, $U_2$ and $U_3$. If $U_1$, who always reports his true rate, has a CDF value of 0.4, what is the probability that he will be assigned the time slot? In the case where $U_2$ and $U_3$ are regular (non-coordinated) users, the probability that both of them have a priority value that does not exceed 0.4 is $0.4^2 = 16\%$. However, if $U_2$ and $U_3$ are coordinated, then one of them is going to report his real rate, which will be given a CDF value higher than 0.5 regardless of the rate he reports. Therefore, if $U_2$ and $U_3$ are coordinated, the probability of $U_1$ to win the time slot with a CDF value of 0.4 is 0% instead of 16%.

To conclude, the above results show how users in a coordinated group systematically increase their priority values. In the following theorems we show how this advantage translates into a larger time share and more throughput.

Theorem 3. In a network consisting of $L + N$ users of which $L$ are coordinated, the time share fraction dedicated to the $L$ coordinated users (jointly) depends only on $L$ and $N$ (regardless of the channel rate distributions of any of the users) and is given by:

$$\frac{L}{N+1}\left[1 - \left(\frac{L-1}{L}\right)^{N+1}\right]. \qquad (4)$$

Proof: First we make a few definitions and short calculations to be used later. Let R.V. $W$ be the maximal priority $W(t) = \max_c \{V_c(R_c(t))\}$. Since $P[V_c < x] = x$, we get $P[W < w] = w^L$. Therefore, the probability density function (PDF) of $W$ is $f_W(w) = (P[W < w])' = L \cdot w^{L-1}$. Let R.V. $B(t) = \max_n \{V_n(R_n(t))\}$, where $n$ is one of the regular users, be the highest priority among the regular users and R.V. $A = \max_c \{V'_c(R_c(t))\}$ be the highest priority among the coordinated users. Then, from Equation 3 we get that $A = \max_c \{G(V_c(R_c(t)))\}$. In addition, since $G$ is monotonically increasing, $\max_c \{G(V_c(R_c(t)))\} = G(\max_c \{V_c(R_c(t))\})$ and we get $A = G(W)$. According to that we get:

$$P[B < A] = \int_{w=0}^{1} f_W(w) \cdot P[B < A \mid W = w]\,dw = \int_{w=0}^{1} L \cdot w^{L-1} \cdot P[B < G(w)]\,dw.$$

The probability that all regular users will have priority less than $a$ is $P[B < a] = a^N$, so $P[B < G(w)] = (G(w))^N$ and we get:

$$P[B < A] = \int_{w=0}^{1} L w^{L-1} \left(\frac{L-1}{L} + \frac{1}{L} w^L\right)^N dw$$
$$= \int_{w=0}^{1} L w^{L-1} \cdot \sum_{i=0}^{N} \binom{N}{i} \frac{(L-1)^{N-i}}{L^N} w^{Li}\,dw$$
$$= \sum_{i=0}^{N} \binom{N}{i} \frac{(L-1)^{N-i}}{L^{N-1}} \cdot \int_{w=0}^{1} w^{(i+1)L-1}\,dw$$

and since $\int_{w=0}^{1} w^{(i+1)L-1}\,dw = ((i+1)L)^{-1}$ we get:

$$P[B < A] = \sum_{i=0}^{N} \binom{N}{i} \frac{(L-1)^{N-i}}{L^N (i+1)}.$$

Hence, we receive that

$$P[B < A] = \frac{L}{N+1}\left[1 - \left(\frac{L-1}{L}\right)^{N+1}\right] \qquad (5)$$

∎

This result now allows us to evaluate the "inequality" in time slot allocation between a coordinated user and a regular user. This "inequality" can be evaluated by the ratio between the slot shares of these users, which, as shown next, can be very high:

Corollary 4. Let $C_{share}$ and $R_{share}$ be the time share of the coordinated users and regular users respectively. When $N = L - 1$, then $\lim_{L \to \infty} C_{share} = 1 - e^{-1}$ and $\lim_{L \to \infty} R_{share} = e^{-1}$. This means that $\lim_{L \to \infty} \frac{C_{share}}{R_{share}} = e - 1 \approx 171\%$, although this ratio, which equals $L/N = L/(L-1)$ under normal conditions, should converge to 100%.

Theorem 5. In a network consisting of $L + N$ users (in the continuous model) of which $L$ are coordinated, the average throughput (per time slot) of a coordinated user $c$ is given by:

$$\sum_{i=0}^{N} \binom{N}{i} \frac{(L-1)^{N-i}}{L^N} \cdot \int_{w=0}^{1} w^{(i+1)L-1} \cdot F^{-1}_{R_c}(w)\,dw, \qquad (6)$$

where $F^{-1}_{R_c}(w)$ is the inverse function of $F_{R_c}$, the CDF of the real channel rate distribution.

Proof: The proof is very similar to the proof of Theorem 3, so we skip the identical parts. Assume $A$, $B$ and $W$ as defined in the proof of Theorem 3. Let R.V. $D$ be the rate that user $c$ receives (at some time slot $t$). If $W = w$ then user $c$ gets throughput from the BS only if $B < A$ (this is a time slot which is obtained by a user from $C$). In addition, $c$ has to be the user chosen among the coordinated users to transmit his real channel rate (happens with probability $\frac{1}{L}$). When $W = w$ and $c$ is the chosen user, then $F_{R_c}(r) = w$, therefore his rate in this time slot is given by $F^{-1}_{R_c}(w)$, and we get:

$$\int_{w=0}^{1} f_W(w) \cdot P[B < A \mid W = w] \cdot \frac{1}{L} F^{-1}_{R_c}(w)\,dw.$$

Continuing the calculations in the same manner as in the proof of Theorem 3, until the last equation which contains the integral, gives us Equation 6. ∎

3.5. Evaluation and Discussion

In Figure 2 we evaluate the relative benefit in time slots a coordinated user gains from the coordination strategy; this is relative to what he would get ($\frac{1}{N+L}$) if he did not coordinate. The figure depicts this relative benefit as a function of the number of coordinated users $L$ (given that the total number of users is fixed, $N + L = 30$). One may observe that the relative benefit is maximized at $L = 11$, implying that a coalition of 11 coordinated users has only a little incentive to add more users to the coalition. The relative benefit per user obtained is 28%.

Figure 2: Y-axis is the additional time share (in percents) that a coordinated user gains when he takes part in a coordinated group of size L (X-axis). The results show that when there are 30 users in the system, participating in a coordinated group of 11 users is the most beneficial and increases the time share of the user by 28%. [Plot "Permanent Time-share Benefit - Continuous model"; X-axis: Number of coordinated users (L) (Total users=30); Y-axis: Additional time share for a coordinating user (%).]

When $L = N + 1$, which happens approximately at $L = 15$ in Figure 2, the time share of the $L$ users when behaving normally is given by $\frac{L}{2L+1}$ and converges to $\frac{1}{2}$. Corollary 4 pointed out that when $L = N + 1$ the time share obtained by the coordinated users converges to $1 - e^{-1}$ instead of $\frac{1}{2}$, which means a coordinated user benefits from an additional time share of $(1 - e^{-1})/(\frac{1}{2}) - 1 = 26.4\%$, which is close to the result at $L = 15$, which equals 25.3%. Recall that according to Theorem 3 these results are valid for every system with 30 users regardless of the channel rate distributions of the users.

Figure 3: Maximal time share (percents) that one user benefits from following the coordination strategy as a function of the total population in the system (X-axis). [Plot "Maximal time benefit by coordination - Continuous Model"; X-axis: Total users (N+L); Y-axis: Maximal time benefit (%).]

In Figure 3 we evaluate this maximal benefit as a function of the population size ($N + L$ varies). One may see that this maximal benefit per user (of the coalition) monotonically increases with the population size and approaches 30% at large populations.

According to Theorem 2 the throughput of the coordinated users can only be increased. The throughput result for each user can be calculated according to Theorem 5; it depends on the user's specific distribution of channel rates and can be different for different users in the coordinated group. The throughput gain for a coordinated group is given in the evaluation for the discrete model.

4. CS with discrete channel rates range

4.1. Scheduling Algorithm

The original version of the CS algorithm ([6]) assumed continuous channel rate values even though practical systems use discrete values. We now summarize the extension of the CS algorithm to the case of discrete channel rate values which appears in [17]. Again, to keep the calculations simple, we assume all users have the same weight and exclude the weight factor.

In the discrete model $R_k(t) \in \{r_1, r_2, \dots, r_M\}$ where $r_1 < r_2 < \dots < r_M$. At TS $t$ user $k$ feeds back $m_k(t) \in \{1, \dots, M\}$, the index of his channel rate value. Denote $q_{k,m} \equiv F_{R_k}(r_m) = \sum_{i=1}^{m} P[R_k = r_i]$, where $q_{k,0}$ is set to 0 for notational convenience. Instead of simply taking $q_{k,m_k(t)}$ to be the priority value of user $k$, the CDF scheduler generates for each user a random priority given by a R.V. $U_k(t)$ which is uniformly distributed in the interval $[q_{k,m_k(t)-1}, q_{k,m_k(t)})$. Finally, the scheduler selects the user with the highest priority, $k^*(t) = \arg\max_k \{U_k(t)\}$.

The priority value of the discrete range algorithm ($U_k$) preserves the fundamental characteristic of the priority value of the continuous range algorithm ($V_k$), which is that for every user $k$ we get $P[U_k(t) \le x] = P[V_k(t) \le x] = x$. More precisely, as in the continuous model, the priority value of every user is distributed uniformly in $[0, 1]$ (regardless of his channel rate distribution) and hence time share fairness is maintained by the scheduler also under the discrete model.

4.2. Misreporting of channel rates cannot benefit a single user

Section 3.2 explains why a single user cannot gain either additional time share or throughput by misreporting his channel rate on his own. Both under the discrete and the continuous model, the priority values of all users are distributed uniformly in $[0, 1]$. Therefore, Theorem 1, which proves that one user cannot gain additional time share, is valid also under the discrete model. To complete the proof, we provide in the Appendix a formal proof under the discrete model for the claim that no strategy can benefit a single user who acts alone with additional throughput.

4.3. Coordinated Users Strategy

Assume a coordinated group of users $C$ ($|C| = L$) with the same channel rate probability (but independent from each other), meaning $\forall c_1, c_2 \in C:\ q_{c_1,i} = q_{c_2,i}$. Let $m^*_c(t) = \arg\max_i \{r_i \mid \exists c.\ R_c(t) = r_i\}$ where $c$ are users from the coordinated group. Every time slot, only the users with channel rate $r_{m^*_c(t)}$ will report their real channel rate while all others report the lowest channel rate possible, $r_1$ (they have no chance of getting the highest priority).

Let $p_{c,i}$ be the probability that a coordinated user experiences channel rate $r_i$ and $p'_{c,i}$ be the probability that he reports channel rate $r_i$. Then by following the strategy we get:

Corollary 6. From the point of view of the BS (Base Station), the channel rate probability of coordinated user $c$ is given by $p'$ as follows:

$$p'_{c,1} = 1 - \sum_{i=2}^{M} p'_{c,i}$$
$$p'_{c,i} = p_{c,i} \cdot (q_{c,i})^{L-1} \qquad (i \ge 2)$$

Then when a coordinated user $c$ reports $m_c(t) = i$, the scheduler generates a uniform priority value in the interval $[q'_{c,i-1}, q'_{c,i}]$, where $q'_{c,i}$ is the CDF of the reported channel rates of user $c$: $q'_{c,i} = \sum_{j=1}^{i} p'_{c,j}$.

For example, assume a user $c_1$ in a network with $p_{c_1,1} = p_{c_1,2} = p_{c_1,3} = \frac{1}{3}$ to have one of the three possible channel rates $r_1$, $r_2$, $r_3$. In a normal situation, if user $c_1$ reports channel rate $r_1$, then the CS generates a priority value $U_{c_1}$ in $[0, \frac{1}{3}]$, if he reports $r_2$ then the range is $[\frac{1}{3}, \frac{2}{3}]$ and finally if he reports $r_3$ the range will be $[\frac{2}{3}, 1]$. Now assume this user is part of a coordinated group (where all users share the same channel rate distribution) which follows the coordinated users' strategy and we want to find $p'_{c_1,i}$, which is the probability for him to actually report rate $r_i$. When he experiences $r_3$ then he will always report $r_3$ because there is no other coordinated user who will surely have higher. If he coordinates with two more users who have the same rate probabilities then according to Corollary 6 we get that when $c_1$ reports $r_2$ the CS will generate $U_{c_1}$ in the interval $[\frac{14}{27}, \frac{2}{3}]$ and this increases his expected $U$ value. Therefore, the expected number of time slots where he obtains the highest priority.

4.4. Analysis of Coordinated Users Share

Lemma 2. Let $MAX_{j,i}$ be the event where $r_{m^*_c(t)} = r_i$ is reported by exactly $j$ of the coordinated users.

$$P[MAX_{j,1}] = 0 \qquad (j < L)$$
$$P[MAX_{L,1}] = (p_{c,1})^L$$
$$P[MAX_{j,i}] = \binom{L}{j} (p_{c,i})^j \cdot (q_{c,i-1})^{L-j} \qquad (i \ge 2)$$

… therefore $P[MAX_{j<L,1}] = 0$. There are $\binom{L}{j}$ possible combinations of $j$ users in $C$ and each such combination reports $r_{m^*_c(t)} = r_i$ ($i \ge 2$) only when their actual channel rate is $r_i$ (with probability $(p_{c,i})^j$) and the channel rate of all others is $r_{i-1}$ or less (with probability $(q_{c,i-1})^{L-j}$). ∎

Lemma 3. Let $C_{WIN}$ be the event where some coordinated user wins a time slot, then

$$P[C_{WIN} \mid MAX_{j,i}] = \sum_{s=0}^{N} \binom{N}{s} (p'_{c,i})^s (q'_{c,i-1})^{N-s} \cdot \frac{j}{j+s} \qquad (i \ge 2)$$
$$P[C_{WIN} \mid MAX_{j,1}] = (q'_{c,1})^N \cdot \frac{j}{j+N}$$

Proof: According to $P[U_k(t) \le u] = u$, the probability for regular users to get a priority value $u$ is uniform in $[0, 1]$. When $m^*_c(t) = i \ge 2$, a coordinated user can obtain the highest priority value only when all $N$ users have priority values in $[0, q'_{c,i}]$. With probability $\binom{N}{s} (p'_{c,i})^s (q'_{c,i-1})^{N-s}$ exactly $s$ regular users have priority values in $[q'_{c,i-1}, q'_{c,i}]$ while all the other $N - s$ regular users have no chance of getting the highest priority. Given that event, the priority values, $U_s$ of each of the $s$ regular users and $U_c$ of the coordinated users with $r_i$, are uniform in $[q'_{c,i-1}, q'_{c,i}]$, therefore the probability for a coordinated user to have the highest U-value is $\frac{j}{j+s}$, where $j$ is the number of the coordinated users with channel rate $r_i$. The proof for $P[C_{WIN} \mid MAX_{j,1}]$ is similar. ∎

Theorem 7.

$$P[C_{WIN}] = \sum_{i=1}^{M} \sum_{j=1}^{L} P[MAX_{j,i}] \cdot P[C_{WIN} \mid MAX_{j,i}],$$

where $P[MAX_{j,i}]$ and $P[C_{WIN} \mid MAX_{j,i}]$ are given in Lemmas 2 and 3.

Proof: Immediate result from Bayes rule and the correctness of Lemmas 2 and 3.
 (∀ j<L) Theorem 8. In a network consisting L + N users (in the discrete model) of which L are coordinated, the average throughput (per time slot) of a coordinated user c is given by: (∀i≥2) Proof: rm∗c (t) = ri means that ri is the highest rate of the users in C, therefore i = 1 only when all the users in C have r1 which happens with probability of (pc,1 )L . It is impossible that j < L coordinated users will report r1 since it means that at least one user reports higher channel rate than r1 which contradicts rm∗c (t) = r1 and N ( ) M L ∑ N 1 ∑∑ P[MAX j,i ] · P[CWIN |MAX j,i ] · ri · i L i=1 j=1 i=0 (7) where P[MAX j,i ] and P[COR|MAX j,i ] are given in Lemmas 2 and 3. 8 Proof: Let c be a coordinated user, the probability that some coordinated user obtains ri at some time slot is ∑ given by Lj=1 P[MAX j,i ] · P[CWIN |MAX j,i ]. The probability this user was c is L1 and we get the probability he ∑ gets ri is given by Lj=1 P[MAX j,i ] · P[CWIN |MAX j,i ] · L1 and when summing it up over all possible rates we get Equation 7.  ous model (Figure 2) and for the same reasons that were already mentioned in section 3.5. A remarkable difference between the models is that the time share benefit in the continuous model is greater than the benefit in the discrete model. By investigating the nature of the strategy effects in each model, we will be able to understand the reason for the differences and the effects of the strategy in different system configurations. In both continuous and discrete models, when a coordinated user reports the minimal channel rate instead of his real channel rate then he widens the gap between the CDF of the distributions of his real (Fc ) and reported (Fc′ ) channel rate distributions (Fc′ (r) > Fc (r)). This gap defines the increase in the priority values the user gets for different rates. 
Therefore, an important observation is that the more the user gets to report a fake channel rates (according to the strategy conditions) - the more time slots he gets. In the continuous model, the shared information between the coordinated users allows them to identify in each time slot exactly L − 1 users who have no chance winning while in the discrete model their number varies from 0 to L − 1 (depending of how many coordinated users obtained the maximal channel rate rm∗c (t) ). Therefore, there will always be more fake channel rate reports in the continuous model and the time share benefit in the continuous model will always be better than in the discrete model. As the number of the possible channel rates (M) grows, the coordinated users’ behavior in the discrete model will become more like their behavior in the continuous model where the probability that two different users will get the same rate is zero. When M grows the probability that two users will get the same channel rate decreases. Therefore, less users obtain rm∗c (t) and more users can report the minimal channel rate. This means that the benefit from the strategy will grow. Bigger sets of channel rates are expected in future physical standards for wireless communication to allow better utilization of channel fluctuations and/or to cover bigger range of channel condition values, so while it is expected to allow better system performance, it will make the system more vulnerable to such coordination strategy as we showed here. Figure 5 shows the throughput benefit for the same settings as in Figure 4. In order to compute the throughM put, channel rate probabilities {pc,i }i=1 were associated with actual rates in the CDMA2000 1xEV-DO as in [17]. For different sets of rates, we will get different results in Figure 5, while Figure 4 stays the same since M it depends only on the set of probabilities {pc,i }i=1 regardless of the actual rates associated with them. 
The throughput of a coordinated user was computed according to Theorem 8 and it was compared to the 4.5. Evaluation and Discussion Additional time share for a coordinating user (%) Permanent Time−share Benefit − Discrete model 14 12 10 8 6 4 2 0 5 10 15 20 25 30 Number of coordinated users (L) (Total users=30) Figure 4: Y-axis is the additional time share (in percents) that a coordinated user (experiencing Rayleigh fading channel in CDMA2000 1xEV-DO) gains when he takes part in a coordinated group of size L (X-Axis). The results show that when there are 30 users in the system, participating in a coordinated group of 13 users is the most beneficial and increases the time share of the user by 13%. While the share of a coordinated user in the continuous model depends only on the size of the coordinated group (L) and the number of regular users (N), the users’ share in the discrete model depends also on the number of the possible channel rates (M) and their probaM bilities among the coordinated users {pc,i }i=1 (while still independent from the channel rate distributions of the M in the system regular users). The values of {pc,i }i=1 configuration considered in figure 4 were set according to Rayleigh distribution on the 11 channel rates of the CDMA2000 1xEV-DO system in the same way which is already described in [17] (where the CDF scheduler for discrete channel rates was presented). As in Figure 2, Figure 4 shows that the scheduler’s notion of fairness is violated, we can see how the additional time share (Y-axis) for one coordinated user changes according to the number of users in the coordinated group (L) in the same manner as for the continu9 higher interest (than the continuous model) to system designers. In section 5.1 we present a new strategy, the malicious strategy which allows malicious users to cause time share loss to the innocent users significantly higher than the loss caused by the coordination strategy (in the discrete model, Section 4). 
In fact, we prove that the damage caused by the malicious strategy under the discrete model is identical to the damage caused by the coordination strategy under the continuous model. Permanent Throughput Benefit − Discrete model Additional throughput for a coordinated user (%) 12 10 8 6 4 5.1. The Malicious Strategy Malicious users intend to harm rather than increase their own throughput as other users in a coordinated group do. Hence, as we explain now, a malicious group has two advantages over a coordinated group of selfish users: 1. They gain a larger time share; 2. They need only to synchronize before starting the attack rather than exchanging information before every time slot as a selfish coordinated group does. A coordinated user, aiming at increasing his own throughput, never reports a channel condition better than what he really experiences (if he does, it will decrease his expected throughput). Therefore, there may be some time slots where all the users in a coordinated group have exceptionally poor channel conditions and even the user (among them) with the best chances to be scheduled with the next time slot - has a very slim chance to get it. However, a malicious user, for whom his expected throughput is irrelevant, can report a channel condition independent of his real channel rate. This allows a malicious group to present in every time slot a user with an exceptionally good channel condition. For the same reason (irrelevancy of their throughput), the malicious users do not need to share any information on their real channel condition before every time slot and hence synchronizing once at the beginning of the attack is suffice, as demonstrated in the following description of the malicious strategy. Assume a group of malicious users MAL = {1, 2, .., S } (for simplicity we assume their indices are 1, 2, ..., S ). The basic idea followed by the malicious users is to take turns, in a round-robin fashion, in trying to obtain time slots. 
This means that at TS t, malicious user number (t mod S) will attempt to obtain the time slot. Consider a malicious user s: In all times slots that he tries to obtain he always reports the same channel rate - which we denote by rhs (h ≥ 2), while in all other slots he reports other rates which are all lower than rhs . Each user s chooses his rhs value independently of other users. This flexibility in choosing channel rates makes the malicious pattern very hard to detect. 2 0 5 10 15 20 25 30 Number of coordinating users (L) (Total users=30) Figure 5: Y-axis is the additional throughput (in percents) that a coordinated user (in the same settings as in Figure 4) gains when he takes part in a coordinated group of size L (X-Axis). Like for time share, the results show that participating in a coordinated group of 13 users is the most beneficial, it increases the throughput of each user by 11.6%. throughput that he gets under normal behavior which is given in [17]. Unsurprisingly, the throughput benefit demonstrates similar behavior to (as a function of L) the time share benefit. 5. System Loss by Malicious Strategy (Discrete Model) In the previous section we focused on non-conformist opportunistic coordinated users whose objective is to increase their own share of the network resources. This increase was, of course, accompanied by performance degradation to the regular innocent users. This degradation can be easily computed from our results in Sections 3.5 and 4.5. Our interest in this section is in malicious users whose objective is only to damage the other regular users, disregarding their own performance. So the malicious users are willing to degrade their own performance if it helps degrading that of the innocent users. Of course – the malicious users can damage the innocent users at least as much as opportunistic coordinated users can do. So the major question addressed in this section is whether they can inflict greater damage and how much. 
Our focus in this analysis will be on the discrete distribution model which, due to its practicality, is of 10 5.2. Analysis of the Malicious Strategy System Loss, Discrete model 50 Theorem 9. In a network consisting S + N users of which S are malicious which use the malicious strategy, the time share fraction dedicated to the S malicious users (jointly) depends only on S and N and equals Time− share loss of others (%)  ( )N+1   S −1 S   . 1 − N+1 S 45 (8) Proof: Consider a malicious user s with chosen maximal channel rate rhs . Since rhs is the highest channel rate he reports, then q s,hs = 1. Since in all other time slots - which are S S−1 of the time - he reports rhs −1 or lower, then we get q s,hs −1 = S S−1 . Therefore, in every time slot t there will be exactly one malicious user, say s, with priority value U s ∼ Uni f orm( S S−1 , 1). Assume there are N regular users in the network. As stated in [17], the discrete scheduler preserves the fundamental character of the continuous model Un ∼ Uni f orm(0, 1) for every (regular) user n. Let Zi be the event where exactly i users get priority values in the range( S S−1 , 1). Given Zi , the probability that the malicious user will be the one to get the highest 1 value in this range is i+1 since, given Zi , the priority values of the malicious user and the regular users are uniformly distributed in ( S S−1 , 1). Unconditional on Zi we get that the probability that a time slot is obtained by a malicious user is given by N ∑ i=0 P[Zi ] · 1 . i+1 35 30 25 20 15 10 5 0 5 10 15 20 25 Number of malicious/coordinated users (L) Figure 6: Time Slot loss of innocent users: Malicious vs. Coordination strategy. The network’s population is 30 users. 5.3. Evaluation and Discussion The effect of the malicious strategy is depicted in Figure 6. 
We consider a system consisting of 30 users in total and evaluate the (relative, percent-wise) time share loss experienced by each of the innocent users (compared to what he would get – 1/30 – in a normal system) as a function of the number of malicious users (x-Axis). This is done for both the coordinated user strategy (dotted line) and the malicious strategy (solid line). Both are evaluated for the discrete model. The channel distribution used is the Rayleigh distribution in CDMA2000 as in Figure 4. As one can observe, the loss caused by malicious users is significantly higher (by approximately a factor of 2) than that inflicted by the coordinated user strategy (for the discrete model). Note that according to Remark 1 we can use Corollary 4 to get an estimation for the time share loss of regular users. When S = N − 1 the time share of the regular users converges to e−1 instead of 0.5 means the loss of the regular users converges to 26% which is not far from the loss when S = N = 15 which equals 25% according to Figure 6. Note that all the results in our work regarding malicious and coordinated users are independent of the channel rate distributions of regular users. While the throughput loss of of a regular user depends on his distribution, the case where some regular user experiences constant channel rate shows that the throughput loss can be high as the time share loss. (9) Now, P[Zi ] is the probability that exactly N − i users get priority value less than S S−1 , so according to P[Un < ( ) u] = u we get P[Zi ] = Ni ( S S−1 )N−i ( S1 )i . Thus, the probability that a malicious user wins a TS is )N−i ( )i N ( )( ∑ N S −1 1 1 . · i S S i+1 i=0 40 Malicious users Coordinated users (10) Noting that Equation 10 is identical to Equation 5 (substitute S for L) we can use the analysis of Lemma 3 to obtain Equation 8.  Remark 1. 
It is easy to see that the damage inflicted by this strategy on the innocent users (under the discrete model) is identical to the damage inflicted by coordinated users strategy under the continuous model. 11 6. Solution Outline users focused on degrading the system performance. We showed that for large populations consisting of regular and coordinated users in equal numbers, the ratio of allocated time slots between a coordinated and a regular user converges to e − 1 ≈ 1.7. After researches proved the vulnerability of the Proportional Fairness scheduler, our work demonstrates the vulnerability of its alternative – the CDF scheduler. We recommend that this vulnerability, together with the solution we outlined should be taken into consideration by system designers when choosing and deploying a scheduler for modern wireless networks. The CDF scheduler is a unique scheduler. Almost magically, it maintains time share fairness without keeping track of past scheduling decisions. Unfortunately, while elegant, the CDF scheduler algorithm is too fragile. As we show in this work, the CDF scheduler fails to maintain fairness in the presence of selfish or malicious users. Hence, it has to be modified to take past scheduling decisions into account when making scheduling decisions. Such scheduler should record, for every user, the expected time share he should have got since he joined the system. For example, if a user has spent so far 200 time slots in the system with N = 10 users, it is expected that he should have received 1/N = 10% of the time slots so far (20 time slots). The proportion between the expected time share so far of user k, denoted with S ke (t), and the time share a user received in reality so far, denoted with S kr (t), can be used to construct a weight that will influence his priority value positively or negatively - depends if the user is below or above his expected share. 
A simple example for such a modified scheduler can be as follows: Every user is assigned with a priority value as usual. Then, the priority value of every user k is multiplied with wk (t) = (S ke (t)/S kr (t))α , where α > 1 is constant decided by the system designer. It defines the balance between strict fairness enforcement and the overall throughput of the system. For example, when α is extremely high, then wk (t) is very close to zero if the user received more than he deserved S kr (t) > S ke (t). In the same manner, wk (t) is very high for users who received less than they were expected (S kr (t) < S ke (t)). Observe that as the number of users in the system (N) increases, the expected fluctuation range of S ke (t)/S kr (t) increases. Hence, a further refinement of such modified scheduler would be to use different α values for different values of N. That is, replace α with α(N). Note that the above is a very rough solution mainly meant to outline a possible solution. In our future work we aim at designing an optimal modified CDF scheduler which is immune to such attacks while maintaining an overall throughput in the system as close as possible to the original vulnerable CDF scheduler. Appendix A. Misreporting of channel rates cannot benefit a single user As promised, we provide a formal proof for this claim under the discrete model. Note that a similar proof can be constructed under the continuous model. Such proof will mainly differ in the throughput expressions and will use rates-ranges where single rates are used in the proof under the discrete model. Lemma 4. Let D1 and D2 be the following expressions D1 = D2 = (a − b)X + (b − c)Y N (a − cN ) a−c X(aN − bN ) + Y(bN − cN ) where a > b > c ≥ 0 and N ≥ 1 is a natural number. Then, there exists a constant d > 0 such that D1 − D2 = d(X − Y). Lemma 4 can be easily proved using the identity AN − ∑N N−i i−1 A B . The full proof is provided B = (A − B) i=1 in a technical report [18]. N Theorem 10. 
Under the discrete model, a user with no knowledge of the rates of other users cannot benefit from reporting fake channel rates. Proof: Both under the discrete and the continuous model, the priority values of all users are distributed uniformly in [0, 1]. Therefore, Theorem 1 is valid also under the discrete model. In order to complete the proof of the claim, we now prove that a user also cannot gain additional throughput by following a misreporting strategy. A user following a false-reports strategy sometimes report a certain channel rate which is different than his real channel rate. Let pi, j be the probability that in a random time slot the user reports ri although his real rate is ∑M ∑M r j . That is, i=1 j=1 pi, j = 1. In order to evaluate the throughput a user gains when following a false-reports 7. Conclusion In this paper, based on scheme which targets the very fundamental principle of the CDF scheduler, we showed that non-conforming opportunistic users have the motivation to misreport their channel rates and destabilize the scheduler’s notion of fairness. In addition we studied the loss for regular users inflicted by malicious 12 channel rate distribution) to achieve an expected throughput T high higher than what he would achieve by always reporting his real rate. Let strategy S T f ake ∈ min st {DM(st, k)|T st = T high } be a strategy with the minimal deviation among the strategies that achieve throughput T high . We now prove that if S T f ake involves reporting a fake channel condition (DM( f ake, k) > 0), there exists an alternative strategy S T alt such that 1. T alt = T high ; 2. DM(S T alt , k) < DM(S T f ake , k). This contradicts the definition of S T f ake and the assumption that throughput of T high cannot be achieved by simply reporting the real channel condition. Let { p̄i, j |i, j ∈ [1, M]} be the reporting probabilities of S T f ake . Since DM(S T f ake , k) > 0, at least one of the following claims has to be true: 1. 
There are i > j such that p̄i, j > 0; 2. there are i < j such that p̄i, j > 0. We first prove the existence of S T alt , as described above, assuming claim 1. Let w = mini {∃ j < i. p̄i, j > 0} and let z = min j { p̄w, j > 0} (observe that j < w). Define an alternative strategy S T alt as follows: S T alt is identical to S T f ake with only one difference: At time slots in which S T f ake would instruct the user to report rw instead of rz , S T alt instructs the user to report rw−1 instead. Note that by its definition, w ≥ 2, hence rw−1 exists. Let { p̃i, j |i, j ∈ [1, M]} be the reporting probabilities when the user follows S T alt . Then, strategy, we first examine the outcome of winning a time slot with a fake report. When the user wins a time slot for which he reported to have a channel rate of ri , the system tries to send him data at the rate he reported. If ri > r j , it means the real channel condition of the user can support data transfer only up to r j . We assume, in favor2 of false-reports strategies, that in such case the user receives r j of the ri the system sends him. If ri ≤ r j , that is, the real channel rate of the user is good enough for the rate in which the system transmits (ri ). Formally, the expected rate received by a user if he wins a time slot for which he reported a channel condition of ri while his real channel condition is r j is given by hi, j = min{r j , ri }. Note that since we always discuss the same user k, for the sake of notational simplicity when we use qi instead of qk,i until the end of the proof. The probability that a ∑ user reports ri is qi − qi−1 = M j=1 pi, j . Therefore, given that the user won a time slot at which he reported ri , the expected rate he receives is Hi = M ∑ hi, j pi, j /(qi − qi−1 ). (A.1) j=1 Note that Eq. A.1 is valid only if qi − qi−1 > 0. If qi − qi−1 = 0 it means that the user never reports rate ri . Hence, for the sake of completeness, we trivially define that Hi = 0 in this case. 
As explained earlier, in discrete CDF scheduling, when the user reports ri he is assigned with a random number in [qi−1 , qi ]. In [17] the authors N )/N (where N is the total number proved that (qiN − qi−1 of users in the system) is the probability for a random slot to be: 1. A slot in which the user reports ri and 2. a slot at which the user was assigned for transmission. Therefore, the expected throughput of a user is given by T= M ∑ N Hi (qiN − qi−1 )/N.    i = w, j = z     p̃i, j =  i = w − 1, j = z,     o/w 0 p̄w−1,z + p̄w,z p̄i, j (A.3) Therefore, DM(S T f ake , k) > DM(S T alt , k). What is left to prove is that T alt ≥ T f ake . Let H̄i (H̃i ) and q̄i (q̃i ) be the expected received rates and the CDF values of S T f ake (S T alt ), Respectively. In S alt the user sometimes reports rw−1 instead of rw . Therefore: (A.2) i=1    i = w − 1 q̃i =   o/w Observe that Hi = ri for a user who always report his real channel condition. We now define a Deviation Measurement (DM) which evaluates (for a given strategy and user) how far from the truth are the reports of the user when he follows the strategy. The measure is given as follows: ∑M ∑M DM(strategy, user) = i=1 j=1 pi, j |i − j|. Observe that if the user never fake his reports then DM = 0. Assume by contradiction there exists some falsereports strategy that allows some user k (with some q̄w−1 + p̄w,z q̄w (A.4) We now want to prove that T alt − T f ake ≥ 0. From Eq. A.2 we get that T alt − T f ake = M ∑ N N [H̃i (q̃iN − q̃i−1 ) − H̄i (q̄iN − q̄i−1 )] (A.5) i=1 Both strategies are similar when it comes to reports of rates different than rw and rw−1 . Therefore, ∀i , w, w − 1.H̃i = H̄i (Formally, that can be concluded from equations A.1, A.3 and A.4). Considering also Eq. A.4, 2 The user might receive less than r since the transmission moduj lation might not be the optimal one for his real channel condition. 13 we can contract Eq. A.5 to: If H̃w = 0 we immediately get that T alt − T f ake ≥ 0. 
Otherwise, we use Lemma 4 to prove this claim. This time, in the context of Lemma 4, we define a = qw , b = qw−1 + pw,z , c = qw−1 , X = H̃w and Y = rz . Note that b > c since pw,z > 0 and a > b since H̃w > 0. Observe that in the context of Lemma 4 we can write equation A.9as follows: T alt − T f ake = (A.6) N N N N H̃w (q̃w − q̃w−1 ) − H̄w (q̄w − q̄w−1 ) + N N N N H̃w−1 (q̃w−1 − q̃w−2 ) − H̄w−1 (q̄w−1 − q̄w−2 ) Using equations A.3, A.4 and A.1 Eq. A.6 can be writtenas follows3 : T alt − T f ake = H̃w (q̄wN − (q̄w−1 + p̄w,z )N ) T alt − T f ake ≥ D2 − D1 H̃w (q̄w − (q̄w−1 + p̄w,z )) + rz p̄w,z N N ) (A.7) (q̄w − q̄w−1 q̄w − q̄w−1 H̄w−1 (q̄w−1 − q̄w−2 ) + rz p̄w,z N + ((q̄w−1 + p̄w,z )N − q̄w−2 ) q̄w−1 + p̄w,z − q̄w−2 − N N −H̄w−1 (q̄w−1 − q̄w−2 ) Note that since p̄w,z > 0 the denominators in Eq. A.7 must be greater than zero. In addition, note that is it possible that both or one of H̃w and H̄w−1 is zero. We now examine Eq. A.7 and prove that: H̄w−1 (q̄w−1 − q̄w−2 ) + rz p̄w,z ((q̄w−1 + p̄w,z )N − (q̄w−2 )N ) q̄w−1 + p̄w,z − q̄w−2 −H̄w−1 ((q̄w−1 )N − (q̄w−2 )N ) N (A.8) N ≥ rz ((q̄w−1 + p̄w,z ) − (q̄w−1 ) ) If H̄w−1 = 0 (and therefore q̄w−1 = q̄w−2 ) then Eq. A.8 is true. If H̄w−1 > 0, then Eq. A.8 is a result of Lemma 4 as follows. Let a = q̄w−1 + p̄w,z , b = q̄w−1 and c = q̄w−2 . Note that p̄w,z > 0 hence a > b. In addition, b > c since H̄w−1 > 0. Define X = rz and Y = H̄w−1 . Recall that rw is the lowest channel rate the user reports (in S T f ake ) while his real channel rate is lower. Therefore, when the user reports rw−1 in S T f ake , his real rate has to be equal or higher than rw−1 . Therefore, ∀ j. p̄w−1, j , 0 → hw−1, j = rw−1 and we get that Y = H̄w−1 = rw−1 . In addition, recall that z < w and hence, Y = rw−1 ≥ rz = X. Therefore, in the context of Lemma 4 we get that (aN − cN ) − Y(bN − D1 ≥ D2 and therefore (a−b)X+(b−c)Y a−c N N N c ) ≥ X(a − b ), which is identical to Eq. A.8 if replacing a, b, c, X and Y with the values with which they were defined. 
From equations A.8 and A.7 we get that T alt − T f ake ≥ [1] H. Holma, A. Toskala, HSDPA/HSUPA for UMTS: High Speed Radio Access for Mobile Communications, John Wiley & Sons, 2006. [2] T. I. Association, CDMA2000: High Rate Packet Data Air Interface Specification (TIA-856-A). [3] V. Vanghi, A. Damnjanovic, B. Vojcic, The CDMA2000 System for Mobile Communications: 3G Wireless Evolution, Prentice Hall PTR, Upper Saddle River, NJ, USA, 2004. [4] R. P. A. Jalali, R. Pankaj, Data Throughput of CDMA-HDR: A High Efficiency High Data Rate Personal Communication Wireless System, in: Proceedings of the IEEE Vehicular Technology Conference. [5] S. Borst, User-Level Performance of Channel-Aware Scheduling Algorithms in Wireless Data Networks, IEEE/ACM Trans. Netw. 13 (2005) 636–647. (A.9) H̃w (qw − (qw−1 + pw,z )) + rz pw,z ((qw )N − (qw−1 )N ) qw − qw−1 +rz ((qw−1 + pw,z )N − (qw−1 )N ) 3A Recall the way z was chosen. In strategy S T f ake , rz is the lowest possible rate the user experiences if he reports rw . Therefore, in strategy S T alt , the lowest real rate of the user when he reports rw cannot be lower than rz+1 . Therefore, X = H̃w > rz = Y and we get that D2 −D1 > 0 and hence proved that T alt ≥ T f ake . Recall that we explained that since DM(S T f ake , k) > 0, at least one of the following claims has to be true: 1. There are i > j such that p̄i, j > 0; 2. there are i < j such that p̄i, j > 0. We have just proved that if claim 1 is true then there is a strategy S T alt such that T alt ≥ T f ake and DM(S T f ake , k) > DM(S T alt , k) which contradicts the definition of S T f ake . Now all is left to prove is that if claim 2 is true, there exists strategy S T alt2 such that T alt2 ≥ T f ake and DM(S T f ake , k) > DM(S T alt2 , k). Let w′ = maxi {∃ j > i. p̄i, j > 0} and let z′ = max j { p̄w′ , j > 0} (observe that j > w′ ). 
Define an alternative strategy S T alt2 as follows: S T alt2 is identical to S T f ake with only one difference: At time slots in which S T f ake would instruct the user to report rw′ instead of rz′ j , S T alt2 instructs the user to report rw′ +1 instead. (Note that by its definition, w′ ≤ M − 1, hence rw′ +1 exists.). The strategy S T alt2 and the proofs for the above claims are completely symmetrical to S T alt and the proofs of its properties. Hence, due to luck of space we exclude from this article the complete proof. It can be found in a technical report [18].  References H̃w ((qw )N − (qw−1 + pw,z )N ) − (A.10) detailed explanation can be found in the technical report [18]. 14 [6] D. Park, H. Seo, H. Kwon, B. G. Lee, Wireless Packet Scheduling Based on the Cumulative Distribution Function of User Transmission Rates, IEEE Transactions on Communications 53 (2005) 1919–1929. [7] S. Bali, S. Machiraju, H. Zang, V. Frost, A Measurement Study of Scheduler-Based Attacks in 3G Wireless Networks, in: PAM, pp. 105–114. [8] R. Racic, D. Ma, H. Chen, X. Liu, Exploiting Opportunistic Scheduling in Cellular Data Networks, in: Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, CA. [9] M. Guirguis, A. Bestavros, I. Matta, Exploiting the Transients of Adaptation for RoQ Attacks on Internet Resources, in: in Proceedings of the 12th IEEE International Conference on Network Protocols (ICNP04). [10] M. Guirguis, A. Bestavros, I. Matta, Y. Zhang, Reduction of Quality (RoQ) Attacks on Internet End-Systems, in: in Proceedings of Infocom05: The IEEE International Conference on Computer Communication, pp. 1362–1372. [11] R. Smith, C. Estan, S. Jha, Backtracking Algorithmic Complexity Attacks Against a NIDS, in: ACSAC. [12] A. Kuzmanovic, E. W. Knightly, Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew VS. the Mice and Elephants), in: ACM SIGCOMM Conference on Applications. [13] A. Bremler-Barr, H. Levy, N. 
Halachmi, Aggressiveness Protective Fair Queueing for Bursty Applications, in: IWQoS. [14] E. Doron, A. Wool, Wda: A Web Farm Distributed Denial of Service Attack Attenuator, Comput. Netw. 55 (2011) 1037– 1051. [15] C. Castelluccia, E. Mykletun, G. Tsudik, Improving Secure Server Performance by Re-balancing SSL/TLS Handshakes, in: USENIX. [16] U. Ben-Porat, A. Bremler-Barr, H. Levy, On the Exploitation of CDF Based Wireless Scheduling, in: INFOCOM, pp. 2821– 2825. [17] D. Park, B. G. Lee, Qos Support by Using CDF-Based Wireless Packet Scheduling in Fading Channels, IEEE Transactions on Communications 54 (2006) 955. [18] U. Ben-Porat, A. Bremler-Barr, H. Levy, On the Exploitation of CDF Based Wireless Scheduling, 2012. Http://www.faculty.idc.ac.il/bremler/. 15
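Added example (not code from the paper or its authors): a Python check that Equation 10 and the closed form of Theorem 9 (Equation 8) agree, followed by a priority-level simulation that compares the original CDF scheduler with the history-weighted variant sketched in the Solution Outline. The function names, the choice α = 4, the +1 smoothing that avoids division by zero in $S_k^e(t)/S_k^r(t)$, and drawing the non-active group members' priorities uniformly below (S−1)/S are assumptions of this sketch.

```python
import math
import random


def share_eq10(S, N):
    """Equation 10: probability that a time slot goes to the misreporting group."""
    q = (S - 1) / S
    return sum(math.comb(N, i) * q ** (N - i) * (1 / S) ** i / (i + 1)
               for i in range(N + 1))


def share_eq8(S, N):
    """Equation 8 (Theorem 9): closed form of the same probability."""
    return S / (N + 1) * (1 - ((S - 1) / S) ** (N + 1))


def regular_user_loss(S, N):
    """Relative time-share loss of one regular user versus the fair 1/(S+N)."""
    fair = 1 / (S + N)
    actual = (1 - share_eq8(S, N)) / N
    return 1 - actual / fair


def simulate(S, N, slots, alpha=None, seed=1):
    """Joint fraction of slots won by the S misreporting users.

    Works at the level of the priorities the base station generates:
    regular users get U ~ Uniform(0, 1); in each slot one group member
    (t mod S) gets U ~ Uniform((S-1)/S, 1) and the others fall below it.
    alpha=None models the original CDF scheduler; alpha > 1 multiplies each
    priority by w_k(t) = (S_e / S_r) ** alpha as in the Solution Outline.
    """
    rng = random.Random(seed)
    total = S + N
    won = [0] * total            # slots received so far; users 0..S-1 misreport
    top = (S - 1) / S
    for t in range(1, slots + 1):
        active = t % S
        best, best_val = -1, -1.0
        for k in range(total):
            if k < S:
                u = rng.uniform(top, 1.0) if k == active else rng.uniform(0.0, top)
            else:
                u = rng.random()
            if alpha is not None:
                expected = t / total                      # expected slots so far
                # +1 on both sides is an assumed smoothing for S_r = 0
                u *= ((expected + 1) / (won[k] + 1)) ** alpha
            if u > best_val:
                best, best_val = k, u
        won[best] += 1
    return sum(won[:S]) / slots


if __name__ == "__main__":
    S = N = 15
    print("Eq. 10 sum      :", round(share_eq10(S, N), 4))
    print("Eq. 8 closed    :", round(share_eq8(S, N), 4))
    print("regular loss    :", round(regular_user_loss(S, N), 4))
    print("original CS sim :", round(simulate(S, N, 20000), 4))
    print("weighted CS sim :", round(simulate(S, N, 20000, alpha=4), 4))
```

With S = N = 15 the original scheduler hands the group roughly 63% of the slots, matching the 25% loss per regular user read from Figure 6, while the weighted variant keeps the group close to its fair 50%.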