Detection and Defense against JammingDetection and Defense against Jamming Attacks in Wireless Networks
Wenyuan Xu
Computer Science and EngineeringUniversity of South Carolina
Roadmap Introduction and motivation
d lJammer Models– Four models– Their effectiveness
Detecting Jamming attacks– Basic statistic + Consistency checkBasic statistic + Consistency check
Defense strategyCh l fi– Channel surfing
Future directions & Conclusionsu u e d e o s & Co us o s
Jamming Attacks Bob AliceHello … Hi
…
@#$%%$#@&…
Jamming Attacks:
Mr. X
Jamming Attacks:– Behavior that prevents other nodes from using the channel
to communicate by interfering with the physical transmission and reception of wireless communications
Unintentional jamming:– Co-existing devices: 802.11b/g interferes with cordless
phone Bluetooth Microwave ovenphone, Bluetooth, Microwave oven...– Equipment accidentally emits a signal on an frequency
band that does not belong to it.
Intentional jamming: – A transmitter, tuned to the same frequency as the
receiving equipment, can override any signal with enough power
The history of jammingWorld War II – Radio jamming– Jamming radar that is used to guide an enemy's
aircraft aircraft Mechanical jamming.
– Chaff, corner reflectors, decoys
Electrical jammingElectrical jamming– Spot jamming, sweep jamming…
– Jamming foreign radio broadcast stationsPrevent or deter citizens from listening to broadcasts Prevent or deter citizens from listening to broadcasts from enemy countries.
Co nte me eCountermeasure:– Frequency hopping over a broad-spectrum
The more random the frequency change, the more likely to counter the jammer
Jamming in the civilian worldCell phone jammer unit:– Intended for blocking all mobile phone types within
designated indoor areas – 'plug and play' unit– $1,950-$11,800+
Radar/speed gun jammers (Illegal!)Radar/speed gun jammers (Illegal!)– $100 - $2,000+
Radio Jammers (Illegal!) Radio Jammers (Illegal!) – Your neighbor plays loud radio while you are
preparing for your exam– Prevent nearby cars from playing loud music by
b d ti i l broadcasting your own signal
Jamming wireless networksWaveform Generator– Tune frequency to whatever you want
$1 500 $50 000+– $1,500 - $50,000+– Require external power supply
MAC layer JammersMAC-layer Jammers– 802.11 laptop – Mica2 Motes (UC Berkeley)
8 bit CPU at 4MH8-bit CPU at 4MHz128KB flash, 4KB RAM916.7MHz radioOS: TinyOSOS: TinyOSLanguage: NesC
– Disable the CSMA– Keep sending out the preamble Keep sending out the preamble
What has been done?Somewhat related work on jamming:– Greedy user behaviors
DOMINO: system for detection of greedy behavior in the MAC layer of IEEE 802.11 public Networks [Hubaux04]
– 802.11 DoS attacks802.11 Denial of Service attacks [Savage03][ g ]Attacks that jam RTS, and floods RTS [Perrig03]
Work on jamming attacks:Mapping a jamming area for sensor networks– Mapping a jamming-area for sensor networks
Brief discussion on jamming detection [Stankovic03]– Countermeasure against jamming attacks
Traditional physical layer technologies – Spread Spectrum [Di C 00] [W F 99][DigComm00], [WarFare99]Low density parity check codes (LDPC) [Noubir03]
– Channel capacity of jamming channelsThe capacity of Correlated Jamming Channels [Medard97]
What needs to be done?Lot of theoretical/simulation work on anti-jamming, but no systems-oriented study on jamming.
My goal: validate anti jamming solutions in a REAL systemMy goal: validate anti-jamming solutions in a REAL system.
Use commodity wireless devices, and make them jamming resistant.
O l di d – Only one radio card. – Can at most work on one channel a time.
Type of jammers interested:MAC layer jammers– MAC-layer jammers
– Unintentional interferers– Somewhat malicious jammers
Mica2 Motes (UC Berkeley) Mica2 Motes (UC Berkeley) – 8-bit CPU at 4MHz– 128KB flash, 4KB RAM– 916.7MHz radio– OS: TinyOS– OS: TinyOS
The Jammer Models and Their Effectiveness
This work appeared in “The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks,” Mobihoc 2005.
Jammer Attack Models&F*(SDJFFD(*MC*(^%&^*&(%*)(*)_*^&*FS…….
Constant jammer:– Continuously emits a radio signal
Payload …
Preamble CRC
PayloadPayload Payload Payload
Deceptive jammer:Deceptive jammer:– Constantly injects regular packets to the channel without any gap
between consecutive packet transmissions– A normal communicator will be deceived into the receive state
Jammer Attack Models&F*(SDJF ^F&*D( D*KC*I^ …
Random jammer:– Alternates between sleeping and jamming
Sleeping period: turn off the radioJamming period: either a constant jammer or deceptive Jamming period: either a constant jammer or deceptive jammer
Underling normal traffic
&F*(SDJ
Payload
^%^*&
Payload
CD*(&FG
Payload
…&F (SDJ % & CD (&FG
Reactive jammer:– Stays quiet when the channel is idle, starts transmitting a
radio signal as soon as it senses activity on the channel.– Targets the reception of a messageTargets the reception of a message
Metrics & ImplementationGoals of the jammer:– Interfere with legitimate wireless communications– Prevent a sender from sending out packets– Prevent a receiver from receiving a legitimate packets
Packet Send Ratio (PSR)– The ratio of packets that are successfully sent out by a legitimate The ratio of packets that are successfully sent out by a legitimate
traffic source compared to the number of packets it intends to send out in the MAC layer
Packet Delivery Ratio (PDR)Packet Delivery Ratio (PDR)– The ratio of packets that are successfully delivered to a destination
compared to the number of packets that have been sent out by the sender
Implementation platform:– Mica2 Motes– Disabled channel sensing and backoff operation in TinyOS MAC
protocol
Experiment SetupInvolved three parties:– Normal nodes:
Sender A Sender A
Receiver B
Receiver B – Jammer X
Parameters Parameters – Four jammer models– Distance
Let dXB = dXAdXB
dAB
Let dXB dXA
Fix dAB at 30 inches– Power
PA = PB = P X = -4dBmMAC
XB
dXA
– MACFix MAC thresholdAdaptive MAC threshold (BMAC) Jammer X
Experimental ResultsInvolved three parties:– Normal nodes:
Sender ADeceptive Jammer
d (inch) PSR(%) PDR(%)Receiver B
– Jammer X
Parameters
dxa (inch) PSR(%) PDR(%)
38.6 0.00 0.00
54.0 0.00 0.00
72.0 0.00 0.00
Parameters – Four jammer models– Distance
Let dXB = dXA
Reactive Jammer
d (inch) PSR(%) PDR(%)Let dXB dXA
Fix dAB at 30 inches– Power
PA = PB = P X = -4dBmMAC
dxa (inch) PSR(%) PDR(%)
m =7bytes
38.6 99.00 0.00
54.0 100.0 99.24
m =33bytes
38.6 99.00 0.00
54 0 99 25 98 00– MACFix MAC thresholdAdaptive MAC threshold (BMAC)
33bytes 54.0 99.25 98.00
Experimental ResultsInvolved three parties:– Normal nodes:
Sender ADeceptive Jammer
d (inch) PSR(%) PDR(%)Receiver B
– Jammer X
Parameters
dxa (inch) PSR(%) PDR(%)
38.6 0.00 0.00
54.0 0.00 0.00
72.0 0.00 0.00
Parameters – Four jammer models– Distance
Let dXB = dXA
Reactive Jammer
d (inch) PSR(%) PDR(%)Let dXB dXA
Fix dAB at 30 inches– Power
PA = PB = P X = -4dBmMAC
dxa (inch) PSR(%) PDR(%)
m =7bytes
38.6 99.00 0.00
54.0 100.0 99.24
m =33bytes
38.6 99.00 0.00
54 0 99 25 98 00– MACFix MAC thresholdAdaptive MAC threshold (BMAC)
33bytes 54.0 99.25 98.00
Experimental ResultsInvolved three parties:– Normal nodes:
Sender ADeceptive Jammer
d (inch) PSR(%) PDR(%)Receiver B
– Jammer X
Parameters
dxa (inch) PSR(%) PDR(%)
38.6 0.00 0.00
54.0 0.00 0.00
72.0 0.00 0.00
Parameters – Four jammer models– Distance
Let dXB = dXA
Reactive Jammer
d (inch) PSR(%) PDR(%)Let dXB dXA
Fix dAB at 30 inches– Power
PA = PB = P X = -4dBmMAC
dxa (inch) PSR(%) PDR(%)
m =7bytes
38.6 99.00 0.00
54.0 100.0 99.24
m =33bytes
38.6 99.00 0.00
54 0 99 25 98 00– MACFix MAC thresholdAdaptive MAC threshold (BMAC)
33bytes 54.0 99.25 98.00
Experimental ResultsInvolved three parties:– Normal nodes:
Sender ADeceptive Jammer
d (inch) PSR(%) PDR(%)Receiver B
– Jammer X
Parameters
dxa (inch) PSR(%) PDR(%)
38.6 0.00 0.00
54.0 0.00 0.00
72.0 0.00 0.00
Parameters – Four jammer models– Distance
Let dXB = dXA
Reactive Jammer
d (inch) PSR(%) PDR(%)Let dXB dXA
Fix dAB at 30 inches– Power
PA = PB = P X = -4dBmMAC
dxa (inch) PSR(%) PDR(%)
m =7bytes
38.6 99.00 0.00
54.0 100.0 99.24
m =33bytes
38.6 99.00 0.00
54 0 99 25 98 00– MACFix MAC thresholdAdaptive MAC threshold (BMAC)
33bytes 54.0 99.25 98.00
D i J i A k B i S i iDetecting Jamming Attacks: Basic Statistics plus Consistency Checks
This work appeared in “The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks,” Mobihoc 2005.
Basic Statistics P.1Idea:– Many measurements will be affected by the presence of a jammer– Network devices can gather measurements during a time period
prior to jamming and build a statistical model describing basic
80
-60CBR
prior to jamming and build a statistical model describing basic measurements in the network
Measurements– Signal strength
-100
-80 CBR
-100
-80
-60MaxTraffic
-60
Moving averageSpectral discrimination
– Carrier sensing time– Packet delivery ratio
Normal traffic
Basic
Congested traffic
-100
-80 Constant Jammer
-100
-80
-60
R
SS
I (dB
m)
Deceptive Jammer
Experiment platform:– Mica2 Motes– Use RSSI ADC to
measure the signal
average detection doesn’t work !
-100
-80
-60Reactive Jammer
100
-80
-60Random Jammer
measure the signal strength Jammers
0 200 400 600 800 1000 1200 1400 1600-100
sample sequence number
Signal Strength P.2
Basic Average and Energy Detection don’t work!How about spectral discrimination mechanism?– Higher Order Crossing (HOC)Higher Order Crossing (HOC)
Combine zero-crossing counts in stationary time series with linear filters.Calculate the first two higher order crossings for the time series. SS spectral series.Window size: 240 samples
200
HOC
200
HOC
SS spectral discrimination doesn’t work !
150
200
D2
150
200
D2
50
100
CBRMaxTrafficConstant Jammer
50
100
CBRMaxTrafficReactive JammerRandom Jammer
0 50 100 150 2000
D1
Deceptive Jammer0 50 100 150 200
0
D1
Random Jammer
Basic Statistics P.3Can basic statistics differentiate between jamming scenariosand normal scenarios including congested scenarios?
Signal strength Carrier Packet delivery Signal strength Carrier sensing time
Packet delivery ratio
Average Spectral Discrimination
Constant Jammer
Deceptive Jammer
Differentiate jamming scenario from all network dynamics e g
a e
Random Jammer
Reactive Jammer
Differentiate jamming scenario from all network dynamics, e.g. congestion, hardware failure– PDR is a relatively good statistic, but cannot handle hardware
failure– Consistency checks --- using Signal strengthy g g g
Normal scenarios: – High signal strength a high PDR – Low signal strength a low PDR
Low PDR:– Hardware failure or poor link quality low signal strengthp q y g g– Jamming attack high signal strength
Jamming Detection with Consistency Checks
Measure PDR(N){N Є Neighbors}
Build a (PDR,SS) look-up table empirically– Measure (PDR, SS) during a guaranteed time of
non-interfered network operation– Divide the data into PDR bins, calculate the mean
d i f th d t ithi h bi{N Є Neighbors}
PDR(N) < PDRThresh ? Not Jammed
No
and variance for the data within each bin.– Get the upper bound for the maximum SS that
world have produced a particular PDR value during a normal case.
– Partition the (PDR, SS) plane into a jammed-region and a non-jammed region.
PDR VS. SSPDR(N) < PDRThresh ? Not Jammed
Yes
Jammed Region
dB
m)
PDR(N) consistent with signal strength?
Yes
N
SS
(d
Jammed!
No
PDR %
Jamming Detection with Consistency ChecksJammer setup:– Transmission power: -4dBm– The reactive jammer injects 20-byte long packets– The random jammer turns on for t = U[0 31] and turns off for t = – The random jammer turns on for tj = U[0,31] and turns off for ts =
U[0,31]
The (PDR, SS) values for all jammers distinctively fall within the jammed-region
The more aggressive the jammer is, the more likely it will be detected.
PDR VS. SS
The less aggressive the jammer is, the less damage it causes to the network.
S l l d l
Jammed Region
dB
m)
Similarly, we can deploy a location information based consistency check to achieve an enhanced jamming detection.
SS
(d
PDR %
D f i J i A kDefenses against Jamming Attacks:Evasion Defense Strategies
This work appeared in “Channel surfing and spatial retreats: defenses against wireless denial of service ”, ACM WiSe 2004,and “Channel Surfing: Defending Wireless Sensor Networks from Jamming and Interference,” IPSN 2007, SenSys 2006
Handling Jamming: StrategiesWhat can you do when your channel is occupied?– In wired networks you can cut the link that causes the problem, but
in wireless… – Make the building as resistant as possible to incoming radio signals?Make the building as resistant as possible to incoming radio signals?– Find the jamming source and shoot it down?– Battery drain defenses/attacks are not realistic!
Protecting networks is a constant battle between the Protecting networks is a constant battle between the security expert and the clever adversary.
Our approach: He who cannot defeat his enemy h ld t t (“Thi t Si St t ” )should retreat (“Thirty-Six Stratagems” ).
Retreat Strategies:– Channel surfing– Spatial retreat
Channel SurfingIdea:– If we are blocked at a particular channel, we can resume
our communication by switching to a “safe” channelInspired by frequency hopping techniques but operates at – Inspired by frequency hopping techniques, but operates at the link layer in an on-demand fashion.
ChallengeDi t ib t d ti– Distributed computing
– Asynchrony, latency and scalability
Jammer Jammer
Node working in channel 1
Node working in channel 2
channel 1
channel 2
Channel Surfing FrameworkChannel Surfing Algorithm: While (1) do
if NeighborsLost() == True thenworking_channel = next_channel; if FindNeighbor() == False thenif FindNeighbor() == False then
working_channel = original_channelelse
Use a Channel Surfing Strategyend
endend
Jammer Jammer
Node working in channel 1
Node working in channel 2
channel 1
channel 2
Channel Surfing FrameworkIssues– How does a node detect that its neighbor is missing?
Link quality
– How to ensure the boundary nodes find their missing neighbors in the new channel?
It takes less time for a node to detect the absence of a neighbor than it It takes less time for a node to detect the absence of a neighbor than it does for a node to decide it is jammed.
– How to choose the new channel?Make it harder for the adversary to predict Make it harder for the adversary to predict Keyed pseudo-random generatorC(n+1) = Ek(C(n))
H t th t k While (1) do
– How to resume the network connectivity?
( )if NeighborsLost() == True then
working_channel = next_channel; if FindNeighbor() == False then
working_channel = original_channelelse
Use a Channel Surfing Strategydend
endend
Coordinated Channel SurfingCoordinated Channel Surfing– The entire network changes its channel to a new channel
A node not effected
A jammed nodeDetect neighbors are missing Searching for missing neighbors A jammed node
A boundary node
channel 1
channel 2
g g g g g
J J
The network operate on new channelBroadcast channel-switch command
J
Strategy validationMica2 Motes
8-bit CPU at 4MHz,128KB flash, 4KB RAM916.7MHz radioOS: TinyOSOS: TinyOS
Debugging facilities:– JTag: not compatible with TinyOS 1.1.7– TOSSIM: poor PHY-layer support
Example: no multi channel supportExample: no multi-channel support– “Most effective” debugging interface: 3
LEDs
Upload code:– Wireless code propagation (Deluge):
Periodically broadcast code summary, which interferes with measurements.
– Most “reliable” way: manually plug Motes onto the MIB510 programming boardboard
Hardware failure– Need to solder wires from time to time
Strategy validationTestbed– 30 Mica2 motes – 2.5 feet spacing– Tree-based routing– Surge
Performance Metrics:– Network recovery – Protocol overhead
Spectral MultiplexingSpectral Multiplexing– Jammed nodes switch channel– Nodes on the boundary of a jammed region serve as relay nodes between
different spectral zonesdifferent spectral zones
Challenge– Sender-receiver frequency mis-matching– Synchronization– Initiation– Slot duration
Algorithms– Synchronous Spectral Multiplexing– Asynchronous Spectral Multiplexing
JammerJammer
Node working in channel 1
Node working in channel 2
Node working in both channel 1 & 2
channel 1
channel 2
Synchronous Spectral MultiplexingIdea:– One global clock, divided into slots– Each slot is assigned to a single
channel The network may only use channel. The network may only use the assigned channel – regardless of whether nodes are jammed.
Challenges:Challenges:– How to synchronize the global time
efficiently when nodes may work in different channels?
– Initiation– Slot duration
Solution:– The root sends out SYNC to its
children, and the children send out SYNC to their children, and so on …
– Boundary nodes send SYNC in rapid succession across both channels.
Asynchronous Spectral MultiplexingIdea: – Nodes operate on local schedules. The boundary nodes make local decisions
on when to switch channel
Challenges:– How to coordinate the schedules among neighbors?– How long a node should stay on each channel?
Initiation– Initiation– Slot duration
Solution:Th b d d tifi it hild it h f h l– The boundary node notifies its children its change of channel
– Stay in each channel long enough to offset the switching overhead, short enough to avoid buffer overflow.
Experiment results:Synchronous
Spectrum MultiplexingAsynchronous
Spectrum Multiplexing
Down time dueto jamming
Channel Surfing AlgorithmCoordinated Channel Surfing– Pros:
Simple– Cons:
E if ll i f h k i j d h h l k h f Even if a small portion of the network is jammed, the whole network has to pay for the price of channel surfing.
Synchronous Spectral Multiplexing– Pros:
The deterministic and synchronous nature of this algorithm guarantees that it can The deterministic and synchronous nature of this algorithm guarantees that it can work well even under complex scenarios where multiple nodes need to work on multiple channels and these nodes are neighbors of each other.
– Cons: Extra overhead to maintain synchrony among nodes
Asynchronous Spectral Multiplexing– Pros:
Small synchronization overheard when jammed region is smallAble to adapt to local traffic and buffer conditions
– Cons:Complicated, advantage less pronounced when jammed region is large.
Coordinated Channel Surfing
Spectral Multiplexing
Synchronous AsynchronousSynchronous Asynchronous
ROM usage (bytes) 28186 32634 30070
RAM usage (bytes) 3511 3557 3495
SummaryDue to the shared nature of the wireless medium, it is an easy feat for adversaries to perform a jamming-style denial of service p j g yagainst wireless networks.
We proposed to detect jamming using consistency check based mechanism.
We have proposed evasion defense strategy to cope with jamming style of DoS attackscope with jamming style of DoS attacks.– Evasion defense: Channel-surfing, whereby changing
the transmission frequency to a range where there is no interference from the adversary.
Related publications[IEEE SDR Workshop 2007] Service Discovery and Device Identification in Cognitive Radio Networks
[IEEE ICDCS 2007] Temporal Privacy in wireless sensor networks (Acceptance ratio: 13 5%)13.5%)
[ACM IEEE IPSN 2007] Channel Surfing: Defending Wireless Sensor Networks from Jamming and Interference (Acceptance ratio: 21%)
[ACM Sensys 2006] Poster Abstract: Channel Surfing: Defending Wireless Sensor [ACM Sensys 2006] Poster Abstract: Channel Surfing: Defending Wireless Sensor Networks from Jamming and Interference
[ACM WiSe 2006] Securing Wireless Systems via Lower Layer Enforcements (Acceptance ratio: 19.6%)
[IEEE SDR Workshop 2006] TRIESTE: A Trusted Radio Infrastructure for Enforcing SpecTrum Etiquettes
[IEEE Networks Special Issue on Sensor Networks] Jamming Sensor Networks: Attack and Defense Strategies (Acceptance ratio: 10.3%)Attack and Defense Strategies (Acceptance ratio: 10.3%)
[ACM MobiHoc 2005] The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks (Acceptance ratio: 14.2%)
[ACM WiSe 2004] Channel surfing and spatial retreats: defenses against wireless [ ] g p gdenial of service (Acceptance ratio: 20%)
[IEEE GLOBECOM 2004] Key Management for 3G MBMS Security
References[Stankovic03] A. Wood, J. Stankovic, and S. Son, “JAM: A jammed-area Mapping Service for Sensor Networks,” 24th IEEE International Real-Time Systems Symposium, pp.287-297, 2003
[Hubaux04] M. Raya, J. Hubaux, and I. Aad, “DOMINO: a system to detect greedy behavior in IEEE 802.11 hotspots,” MobiSYS, pp.84-97, 2004
[DigComm00] J. G. Proakis. Digital Communications. McGraw-Hill, 4th edition, 2000
[WarFare99] C. Schleher. Electronic Warfare in the Information Age. Martech House, 1999
[Noubir03] G. Noubir and G. Lin. “Low-power DoS attacks in data wireless lans and countermeasures,” SIGMOBILE Mob. Comput. Commun. Rev., 7(3):29-30, 2003.
[Savage03] John Bellardo and Stefan Savage, “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions,” USENIX Security Symposium, Washington D.C., August 2003. Security Symposium, Washington D.C., August 2003.
[MedardAllerton97] M. Médard, "Capacity of Correlated Jamming Channels," Allerton Conference on Communications, Computing and Control, 1997
[XuWise04] W. Xu, T. Wood, W. Trappe, and Y. Zhang, “Channel surfing and spatial retreats: defenses against wireless denial of service,” in Proceedings of the 2004 ACM workshop on Wireless security, pp 80-89, 2004.
[Perrig03] R Negi and A Perrig “Jamming analysis of MAC protocols ” Carnegie Mellon Technical Memo 2003[Perrig03] R. Negi and A. Perrig, Jamming analysis of MAC protocols, Carnegie Mellon Technical Memo, 2003
[Law05] Y. Law, P. Hartel, J. den Hartog, and P. Havinga, “Link-layer jamming attacks on S-MAC," in Proceedings of the 2nd European Workshop on Wireless Sensor Networks (EWSN 2005), pp. 217-225, 2005
[Ma05] K. Ma, Y. Zhang, and W. Trappe, “Mobile network management and robust spatial retreats via network dynamics," in Proceedings of the 1st International Workshop on Resource Provisioning and Management in Sensor Networks (RPMSN05), 2005.
[Hubaux07] M Cagalj S Capkun and J P Hubaux “Wormhole-Based Anti-Jamming Techniques in Sensor Networks " to appear in IEEE [Hubaux07] M. Cagalj, S. Capkun, and J.P. Hubaux, Wormhole-Based Anti-Jamming Techniques in Sensor Networks, to appear in IEEE Transactions on Mobile Computing, January 2007.
[Medard06] S. Ray, P. Moulin, M. Médard, “On Jamming in the Wideband Regime,” International Symposium on Information Theory (ISIT), July 2006
[Navda07] V. Navda, A. Bohra, S. Ganguly, and D. Rubenstein, “Using channel hopping to increase 802.11 resilience to jamming attacks,” IEEE INFOCOM, 2007
[ d 0 ] l d d “O l k d k d f l S ” OCO[Poovendran07] M. Li, I. Koutsopoulos, and R. Poovendran, “Optimal jamming attacks and network defense policies in WSN,” IEEE INFOCOM, 2007