cope with a malicious host in mobile adhoc networks...

Cope with a Malicious Host in Mobile Adhoc

Networks (MANET)

By

Faraz Ahsan

Reg No. CIIT/SP04-PCS-002/ISB

PhD Thesis

COMSATS Institute of Information Technology,

Islamabad- Pakistan Spring, 2012

2

COMSATS Institute of Information Technology

Cope with a Malicious Host in Mobile Adhoc

Networks (MANET)

A Thesis Presented to

COMSATS Institute of Information Technology, Islamabad

In partial fulfillment

of the requirement for the degree of

PhD

(Computer Science)

By

Faraz Ahsan

CIIT/ SP04-PCS-002/ISB

Spring, 2012

3

DEDICATION

To

My Loving Family

4

ACKNOWLEDGEMENTS

All praises to Almighty God, who blessed me with the ability and bestowed the strength to

accomplish this Thesis. My thanks to all those who guided me in achieving every phase of the

thesis, especially my supervisor Dr. Sajjad Mohsin without his in time advices I would have been

lost. His encouragement made a very large impact on my thesis and it was the prime reason that I

completed my thesis in good time. Another name worth mentioning is Dr. Farid Naït-

Abdesselam, who gave me the opportunity to be a part of his MISC team in LIFL/ IRCICA,

France for more than 6 months. I am short of words to list down his support that he provided in

every aspect during my stay there, but his most vital part was of narrowing down of my problem

statement and providing new research paradigms.

I will not forget the contribution and important suggestions of my friends, colleagues, seniors

and especially juniors for whom I needed to be strong, when I felt weak. At the end I would like

to thank my family for staying behind me backing and supporting me through all the crests &

troughs of this period.

Last but not the least, similar to the trend that winner is announced at the end, I am thankful to

Higher Education Commission (HEC) to provide me the opportunity, research environment,

technical support and funding for my post graduation. Although, the high criteria set by HEC felt

like a burden initially, but at the time of completion of my thesis I can very well foresee the

benefits of it on my research and career in future.

Faraz Ahsan

(CIIT/ SP04-PCS-002/ISB)

5

ABSTRACT

Coping with a Malicious Host in Mobile Adhoc Networks (MANET)

From a security perspective, a jamming attack is easy to launch and relatively hard to detect.

Jamming attacks are generally directed towards seizing the medium completely by transmitting

fake packets violating the medium access protocol, either constantly or periodically. This work

analyzes the effects of different types of jammers using Conservation of Flow (CoF), which has

been useful for detecting other attacks in wired networks. Additionally, simulation results are

presented in justification of proposed methodology.

With the miniaturization of wireless devices, the popularity and usage has increased in recent

past, especially due to portability. Since the design of such devices does not primarily emphasize

heavy computation and secure communication, these are treated as add-ons. In setting up an ad

hoc network rather than choosing all or more than the channels offered by 802.11 standard, only

a single channel is generally utilized to minimize delay and synchronization issues. However, by

using additional available multiple channels, significant gain in terms of overall system

performance can be achieved. This, and other limitations like a shared medium which is open to

all, attracts intruders in wireless networks. Mainly, the use of a lone channel can become single

point of failure in case of an attack, especially a jamming attack.

In contrast to other security attacks, no special hardware and computation is required in

launching jamming attacks. Additionally, even if the attacker does not get hold of the

communication, he can emit radio signals periodically to jam legitimate conversation. Thus,

legitimate nodes escape physically or logically to avoid a jammer at the cost of additional

overhead involving coordination amongst nodes to resume communication. The overhead

involved in either of the methods is considered worthy in terms of regaining the performance of

the network.

In this thesis, a couple of MAC layer-based algorithms are proposed to mitigate the effects of

jamming attacks efficiently; the first is a reactive mechanism and the second is a proactive

6

proposal. The work starts with an investigation of different jamming types and their effects on

wireless communication. For this purpose, a simulation model was developed and the resulting

data set was verified using AI algorithms, which predicted 98% accuracy.

Next, a reactive technique namely packet-feed is proposed to keep the jammer busy on the

jammed channel. Once the nodes detect the existence of the jammer and hop to another channel,

they alternatively visit the earlier channel to feed the jammer with valid packets. This way, the

nodes pretend to the jammer that the earlier channel is still in use.

Finally, a proactive channel hopping protocol is proposed where each node has a separate and

dynamically selected control channel. Additionally, rather than each of them feeding the other its

channel hopping sequence, both parties coordinate to come up with a new channel where data

transfer can take place. Thus, provision of redundant channels is provided to each node.

Following on from this, the proposed idea is analyzed with the existence of a jammer.

7

Table of Contents

1. Introduction…………………………..…………………………..………………..... 1

1.1 Introduction…...…………………………..………………………………….. 2

1.2 Problem Statement…….………………………..…………………………... 3

1.3 Research Questions……………………..…………………………………... 4

1.4 Contribution of This Thesis……………………………………………………… 5

1.5 Thesis Outline …………………………………………………………………… 6

2. Background …………………………..…………………………..………………. 7

2.1 Introduction ………………………………………………..………………….. 9

2.2 Applications of Adhoc Networks…………………………………..………….. 9

2.3 Ad Hoc Network Vulnerabilities …………………………..…………………... 10

2.4 Handling Malicious Nodes…….…………………………..…………………... 11

2.5 Use of Multichannels in Wireless Network…….………………………………. 11

2.6 Variations in Jamming Attack….…………………………..………………….. 14

2.6.1 Jamming Models……...…………………………..…………………... 14

2.6.2 Types Of Jammers…….………………………………………………. 16

3. Related Work …………………………..…………………………………………... 20

3.1 Introduction …………………………..…………………………………... 22

3.2 Jamming Characteristics And Efficiency Criteria………………………………. 23

3.3 Techniques For Detecting Jamming Attacks…………………………………… 25

3.3.1 Transmitter-Based Detection………………………………………….. 25

3.3.2 Receiver-Based Detection…………………………………………….. 26

3.3.3 Dedicated Detection……………………………………………………….. 26

3.3.4 Cooperative Detection……………………………………………………... 26

3.3.5 Detection via RF finger-Printing…………………………………………... 26

3.4 Jamming Attack on The Control Plane ………………………………………… 27

3.5 Jammer Mitigating Techniques ……....................................................................... 28

3.5.1 Spread Spectrum…………………………………………………………... 28

3.5.2 Evasion Techniques……………………………………………………….. 28

3.5.3 Retreat Restoration………………………………………………………… 30

8

3.5.4 Temporal Retreat…………………………………………………………... 30

3.5.5 Hybrid Approaches………………………………………………………... 31

3.5.6 Cognitive Radio…………………………………………………………… 31

3.6 Discussion on Selected Algorithms………………………………………………... 32

3.7 Summary…………………………………………………………………………… 38w

4. Estimating Effects of Jammers via Conservation of Flow in Adhoc Networks………... 40

4.1 Introduction ……………………………………………………………………….. 41

4.2 Jamming Attack: Approaches and Effects…………………………………………. 41

4.3 Problem Statement…………………………………………………………………. 43

4.4 Conservation of Flow (Cof) Based Malicious Node Detection……………………. 44

4.5 Simulation Testbed………………………………………………………………… 45

4.6 Simulation and Results …………………………………………………………….. 46

4.7 Verification of Parameters Using WEKA………………………………………….. 55

4.7.1. Bayesian Naïve Classification…………………………………………….. 56

4.7.2. J-48 Algorithm…………………………………………………………….. 59

4.8 Summary…………………………………………………………………………… 63

5. Packet-Feed: A Survival Approach to Cope Up with Jamming Attack……………….. 65

5.1 Introduction ……………………………………………………………………….. 66


5.3 Proposed Methodology…………………………………………………………….. 67

5.4 Mathematical Model ……………………………………………………………… 69

5.5 Theoretical Analysis………………………………………………………………... 71

5.6 Enhancements in Proposed Methodology………………………………………….. 75

5.7 Simulation & Results………………………………………………………………. 79

5.8 Summary…………………………………………………………………………… 87

6. Neighbor Based Channel Hopping Coordination: Practical Against Jammer………... 88

6.1 Introduction ………………………………………………………………………... 89


6.3 Proposed Solution………………………………………………………………….. 90

6.3.1 Determining Control Channel (CC)……………………………………….. 91

6.3.2 Data Channel (DC) Coordination…………………………………………. 93

6.4 Mathematical Model 95

6.5 Design Diagrams 97

9

6.6 Simulation and Analysis…………………………………………………………… 100

6.7 Summary…………………………………………………………………………… 105

7. Conclusion…………………………………………………………………….……………. 107

References………………………………………………………………………………….. 110

10

LIST OF FIGURES

Fig 2-1: Effect of Proactive Jammers in Wireless network--------------------------------------------15 Fig 3-1: Jammed Scenario in a wireless environment--------------------------------------------------23 Fig 3-2: Spatial Retreat strategy for a two party communication scenario --------------------------29 Fig 4-1: Transit packet byte counters---------------------------------------------------------------------43 Fig 4-2: Adhoc network of eight nodes with jammer---------------------------------------------------46 Fig 4-3: Node wise traffic in normal scenario-----------------------------------------------------------48 Fig 4-4: Node wise communication in presence of constant jammer --------------------------------48 Fig 4-5: Node wise communication in presence of periodic jammer --------------------------------49 Fig 4-6: Adhoc network of 12 nodes with jammer------------------------------------------------------49 Fig 4-7: 12-Node wise traffic in normal scenario-------------------------------------------------------50 Fig 4-8: 12-Node wise traffic in presence of constant jammer. ---------------------------------------51 Fig 4-9: 12-Node wise traffic with periodic jammer. --------------------------------------------------51 Fig 4-10: Time wise effect of jammers in 8-node scenario--------------------------------------------52 Fig 4-11: Time wise effect of jammers in 12-node scenario-------------------------------------------52 Fig 4-12: 25 Nodes: (a) Constant Jammer (b) Periodic Jammer ------------------------------------- 53 Fig 4-13: 50 Nodes (a) Constant Jammer (b) Periodic Jammer ---------------------------------------54 Fig 4-14: Randomly Selected Data Set for WEKA. ----------------------------------------------------55 Fig 4-15: A Bayesian Naïve example --------------------------------------------------------------------57 Fig 4-16: Pseudo-code for Bayesian Naïve --------------------------------------------------------------57 Fig 4-17: BN based jammer classification---------------------------------------------------------------59 Fig 4-18: Pseudo code for Decision Tree (J48 algorithm) ---------------------------------------------60

11

Fig 4-19: Cost Analysis of Jammer Classification using J-48-----------------------------------------62 Fig 4-20: J-48 based Threshold Estimation of Jammer types used. ----------------------------------62 Fig 4-21: Analysis of Validated data using J-48 algorithm. -------------------------------------------63 Fig 5-1: Feeding node hops back to feed Jammer on originally used channel----------------------68 Fig 5-2: A Normal Q-Q Graph of Average Received Packets-----------------------------------------72 Fig 5-3: A Detrended Normal Q-Q Graph of Average Received Packets. --------------------------72 Fig 5-4: Packet Analysis on the basis of Time. ---------------------------------------------------------73 Fig 5-5: XBAR Control Chart------------------------------------------------------------------------------74 Fig 5-6: Multiple Nodes feeding the Jammer on Originally used jammed channel----------------76 Fig 5-7: Pseudo-code of proposed methodology--------------------------------------------------------77 Fig 5-8: Flow chart highlighting the communication flow of the proposed methodology---------78 Fig 5-9: Overall Network Throughput (a) 10 nodes (b) 20 nodes-------------------------------------80 Fig 5-10: 2 Nodes feed the jammer in every time slot. Overall Throughput for (a) 10 nodes (b) 20 nodes-----------------------------------------------------------------------------------81 Fig 5-11: 2 Nodes feed jammer with multiple packets in every time slot, scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes-------------------------------------------------------------------83 Fig 5-12: 3 Nodes feed jammer with multiple packets in every time slot, scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes-------------------------------------------------------------------84 Fig 5-13: 4 Nodes feed the jammer with multiple packets in every time slot, scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes-------------------------------------------------------------------85 Fig 5-14: Comparison of Multiple Nodes feeding jammer with varying packets in every time slot, scenario for (a) 10 nodes (b) 20 nodes--------------------------------------------------------86 Fig 5-15: Overall Throughput achieved in terms of percentage for varying nodes ----------------87 Fig 6-1: Scenario stating how node D would initiate communication with node C----------------90 Fig 6-2: Elementary Negotiation for a DC between two nodes---------------------------------------92 Fig 6-3: Communication Sequence on Data Channel between a node-pair-------------------------94

12

Fig 6-4: Pseudo-code for the proposed technique-------------------------------------------------------97 Fig 6-5: Flow Sequence of Network Communication. -------------------------------------------------98 Fig 6-6: Block Diagram of Channel Hopping Selection before transmitting------------------------99 Fig 6-7: Communication Sequence on Data Channel between a node-pair--------------------------99 Fig 6-8: Single channel compared with proposed scheme using 12 Node-pairs with traffic load 200 pps. Jammer is active during 20–80seconds-------------------------------------------------------101 Fig 6-9: Sink Status on each channel – Node-wise distribution-------------------------------------101 Figure 6-10: Nodewise distribution – Percent Loss in Communication----------------------------102 Fig 6-11: Effect of Pulse jamming on nodes having jammed control and data channels---------102 Fig 6-12: Two way communication between each node-pair with varied traffic generation rates. Jammer is active from 20 to 80 sec. ---------------------------------------------------------------------105

13

LIST OF TABLES _________________________________________________________________ Table 3-1: Logical Division of Jammer Handling Strategies------------------------------------------33 Table 4-1: Simulation Parameters-------------------------------------------------------------------------46 Table 4-2: Accuracy detail w.r.t. jammer classification by BN---------------------------------------58 Table 4-3: Confusion Matrix based on BN algorithm--------------------------------------------------59 Table 4-4: Accuracy detail w.r.t. jammer classification by J-48--------------------------------------61 Table 4-5: Confusion Matrix based on J-48 algorithm-------------------------------------------------61 Table 5-1: Simulation settings-----------------------------------------------------------------------------79 Table 6-1: Simulation settings----------------------------------------------------------------------------100

14

LIST OF ABBREVIATIONS

ATIM Ad hoc Traffic Indication Message CHMA Channel Hopping Multiple Access CoF Conservation of Flow DCA Dynamic Channel Allocation DCF Distributed Coordinated Function DDC Dedicated Control Channel DIFS DCF Inter Frame Spacing DoS Denial of Service DSSS Direct Sequence Spread Spectrum EIFS Extended Inter Frame Spacing FHSS Frequency Hopping Spread Spectrum J/S Jamming to Signal Ratio MAC Medium Access Control MAP Multichannel Access Protocol MIMO Multiple Input Multiple Output PAN Personal Area Network PCL Preferable Channel List SSCH Slotted Seeded Channel Hopping SNR Signal-to-Noise Ratio

15

Chapter 1

Introduction

16

1.1 Introduction

Wireless networks are more prone to attack than its earlier wire-based counterpart due to open

characteristics of the underlying medium and due to the assumptions of the wireless standard [1]

that nodes will be cooperating with each other to form a network. The attacker can be an insider

entity or an external uninvited guest. An attack can be featured as rational where the attacker

misbehaves only if violation is somewhat beneficial to it. The benefits may be in terms of price,

obtaining more bandwidth for itself, resource saving, etc., otherwise it is considered malicious.

Furthermore, attacks might target various protocol layers. At the physical layer, an attacker may

jam the transmissions of wireless antennas or simply disrupt the hardware functionality of a

certain node. From the MAC layer perspective, violation can be in terms of the equality of shared

medium access by emitting massive MAC level control and data packets or impersonate a legal

node. Additionally, it can also take advantage of limitations of network layer protocols whose

underlying assumption being that nodes will cooperate to relay packets for distant destinations.

One such type of attack is to intimate knowledge of the routing mechanisms. Another malicious

activity is packet forwarding, i.e. being an intermediate hop, the attacker, changes the destination

bypassing the routing protocol behavior without changing the routing table. Furthermore, the

attacker may passively monitor the network and impersonate as a legal node to gain access to

some useful data, etc. At the application layer, an attacker could insert false or forged data by

perceiving the working of the application. Typical attacks for ad hoc networks, which are also

applicable in wireless mesh networks, include Impersonation, Sinkhole Attack, Wormhole

Attack, Selfish and Greedy Behavior Attack, Sybil Attack, Sleep Deprivation, DOS and Flooding

[2].

For wireless ad hoc and mesh networks, IEEE 802.11 uses the Distributed Coordination Function

(DCF) mode to schedule the wireless resource. In the absence of collision detection mechanism,

initially control packets RTS/CTS are exchanged between sender and receiver to avoid exposed

and hidden terminal problems [1]. A source node sends RTS message to indicate for

transmission and destination responds with CTS. Any node that listened to CTS cannot transmit

till the data is transmitted. Meanwhile, any node that intends to initiate another transfer in range

of earlier conversation, it senses the channel and blocks itself off with respect to the binary

17

exponential back-off scheme. The binary exponential scheme favors the last winner amongst the

contending nodes. This means nodes that are heavily loaded tend to capture the channel by

continually transmitting data thereby causing lightly loaded neighbors to back off again and

again. This leads to the capture effect that brings the problem of unfairness. The capture effect

may be exploited to launch a DoS attack by introducing a large number of packets on the

network, bypassing the MAC protocol [3]. The selfish nodes can drop packets to save their own

energy and the greedy nodes can disobey the protocol specification to obtain a higher throughput

than the other honest nodes.

Two kinds of DoS attacks may be launched to wireless networks, as described in [4]. One kind is

single adversary attack. A single challenger intrudes the network by sending enormous flow of

packets to legitimate nodes and hence drains the energy of legitimate nodes as well as

significantly degrades the performance of network communication. The second kind of attack

exploits the unfairness possible with IEEE 820.11. Two adversaries join together to send huge

data flows straightforwardly to each other, and hence exhaust the network bandwidth in their

neighborhood which is named as a colluding adversaries attack.

1.2 Problem Statement

Malicious Nodes are quite a huge threat in wireless networks as even if an adversary who is not

equipped with much computing power and unable to analyze data but may impose passive

attack. The adversary can first differentiate whether the medium is in use and later disrupt the

communication by distorting it for personal gain. If intelligent enough, to analyze different

communication patterns and aware of wireless MAC protocol, it can interrupt communication for

larger time periods either by targeting packets periodically or selectively to a particular type.

Since, underlying assumption of wireless protocols is that nodes will cooperate in terms of

routing each others’ packets and does not offer handling of such security threats. Therefore, such

malicious activities can exist on the network for long, undetected.

18

However, studies have suggested many techniques to detect such malicious activities. But mainly

jamming detection techniques at the physical level mainly rely on signal strength and packet

delivery ratio related parameters. Such measures even though are useful, but may generate false

alarms as it is quite hard to differentiate between interference due to surrounding, channel error

or physical layer malicious activity. Recent studies have suggested the use of MAC layer, to

devise algorithms to analyze such parameters and react accordingly. On the other hand,

prevention is better than cure was considered much better and proactive algorithms were devised

which even though are considered costly in normal scenario, but are effective against jamming

attack. Typical evasion techniques are based on jammer avoidance, either moving away

physically or logically. From the physical layer perspective, the common disadvantage of FHSS

is that in large bandwidth required is far larger as compared to single frequency, for same data.

Similarly, DSSS modulation used in, Bluetooth technology, is not secure against jamming attack.

Authors have proposed sector antenna useage for jamming attacks; which are not yet commonly

accessible. Since, a jammer simply violates the MAC protocol, so our intention is to come up

with MAC layer techniques, which are efficient against jammer; especially for simpler devices

like the ones having single antenna.

We investigate the problem of jammer handling at three levels. First, we analyze the effect of

jammers based on existing studies and evaluate it using Conservation of Flow, which has been

used in wired networks for detection of malicious nodes effectively. The questions that needed to

be answered were:

1.3 Research Questions

� Whether the disruption of packet delivery can be analyzed at the MAC layer effectively to

pin-point jammer existence in the network?

� Is conservation of flow effective for malicious node detection in wireless, as it has been

proven to be in wired networks?

� On the basis of answers of above questions, is it possible to come up with better approaches

to handle jammers, especially in terms of achieving more throughput; either pre-emptive or

reactive approach is used?

19

In quest of the answers of the above queries, we not only analyzed various jammers, rather study

their behavior and effectiveness on communication to come up with better techniques to handle

jammers.

1.4 Contribution of This Thesis

Jammer is one such anomaly that does not require any knowledge to disrupt communication. He

rather, senses the medium to be in use and starts disrupting communication by bypassing MAC

layer code of behavior. This way, he can either continuously or periodically jam the

communication, resulting in virtual collapse of the network in the jammed area.

The goal of this study was to come up with techniques, which are novel and allow legitimate

nodes to communicate in the presence of jammer so that starvation of nodes in the jammed area

and virtual collapse of the whole network can be avoided. For that very reason, two techniques

have been proposed:

a) Generally, a single channel is being used by legitimate nodes in an adhoc network for

establishment of the network and communication. However, if the channel is jammed, the

legitimate nodes hop to another channel and try to restore communication. Meanwhile, when

the jammer senses the medium to be idle, he starts to scan other channels randomly and

follows the nodes on the newer channel. The proposed technique however, allows the

legitimate nodes to periodically, return to the original channel and transmit valid packets on

the medium, so that the jammer is convinced that the original channel is still in use.

b) Rather than detecting, nodes need to communicate in such a manner that even if a jammer is

introduced, only few nodes are exposed. For this, multiple channels in 802.11 standard can

be used, as the jammer can seize only 1 channel at a time. Furthermore, at the node level, we

divide different control and data channel for each node, where it will be communicating with

its 1-hop neighbor. This way, not only nodes will not starve on the affected channel, rather

redundancy in terms of control and data channel is also provided.

20

In short, rather than majority failure in presence of jammer, both the techniques allow majority

of legitimate nodes to communicate successfully. Additionally, as compared to existing

literature, the proof of concept is provided in terms of more participating nodes. Finally, the

network throughput achieved in the presence of jammer is also enhanced.

1.5 Thesis Outline

The rest of the thesis is organized as follows. In chapter 2, we present some background of basic

concepts related to the approaches used in this dissertation.

Next, review of the related research in the domain of jamming attack mitigation and evasion

techniques is presented. Starting from the jamming models and types, we discuss to basic

physical layer detection strategies. Even though, physical layer strategies are not focused in this

dissertation, they helped us in analyzing varying behavior of different jammers and expect the

same for the readers.

In chapter 4, we provide the details of our own simulation model to analyze various jamming

types and their effectiveness for degrading wireless communication. Modified Conservation of

Flow (CoF) was used to measure jammers’ efficacy. CoF has already been successfully used for

detecting malicious nodes in wired networks but to the best of our knowledge this is first such

attempt to apply it in wireless networks. Moreover, we used AI based algorithms to verify our

parameters and data set.

Chapter 5 consists of a reactive technique to handle jamming attack in a reactive manner for

better gain in terms of throughput. Rather than frequent switching and allow the jammer to scan

other channels and search for legitimate nodes. We propose better to fight than frequent channel

switching. Even though, nodes initially hop in a coordinated manner, they return periodically on

the earlier used channel and feed the jammer with valid packets, portraying the image of the

current jammed channel being still in use. However, if for some reason, the jammer still scans

21

other channels and follows legitimate nodes on the new one, the said technique is still found to

be effective.

Next in Chapter 6, a preemptive protocol is proposed that can minimize jamming effects in an ad

hoc network environment. Since prevention is better than the cure, similar is the idea in

proposing a preemptive approach to handle jammer in adhoc network. The proposed approach is

found effective than its predecessors, as discussed later.

In Chapter 7, final remarks are presented based on the earlier discussed techniques and their

results. Lastly, future scope of this work is discussed.

22

Chapter 2

Background

2.1 Introduction

A network that is formed on need basis for a shorter period on the peer basis without any fixed

infrastructure is termed as mobile adhoc network. Every member of the adhoc network

volunteers to forward traffic of other nodes. Only on the basis of this coordination a node

becomes part of the adhoc network. Since, all or some nodes may be mobile therefore, path to

destination may vary due to broken links. A node pair having established a communication link

may be out of transmitting range at a later time. Thus, frequent update of nodes’ position is

required. Hence, sender node will be needing cooperation of other members to act as

intermediate hop, so that data is re-routed to the destination at its new location.

2.2 Applications of Adhoc Networks

From indoor Personal Area Networks (PAN) as in home to deployment of a network in

emergency situation like data collection and tracking of sufferers in a disaster relief, from

hotspots at an airport terminal to be a part of a video conference adhoc networks are considered

best choice. Some significant purpose of ad-hoc networks include [6, 7]:

� Impulsive Networking:

The ease of use and mobility being major factors for the popularity of wireless networks,

allow users to be involved remotely in important matters via use of mobile conferencing;

regardless of their geographical location. Such ad hoc networking desires some infrastructure

to gain access to the internet. Else, the larger the distance from central point, like office,

involves more operating cost in terms of routing and delay, especially if multiple transactions

take place back and forth.

� Emergency Services:

The sudden rise of use and importance of internet is quite felt when it is not available, like

due to some natural disaster. Ad hoc networks facilitate and try to overcome network

destruction during such emergencies. Typical search and rescue and relevant surveys and

data collection are the main help adhoc networks provide during such disasters.

24

� Applications for Armed Forces:

One of the main objectives for ad-hoc networks is the need for combat zone survivability for

military needs. The need is to avoid single point of failure, overlap in terms of geographical

location and provide redundancy, all can be provided via adhoc networks to coordinate

between various groups. Not to forget that military cannot plan ahead and depend on already

constructed communication infrastructure especially in forests, deserts etc. or while it is on

the move.

� Sensor Networks:

Set of small inexpensive processing devices are deployed to gather information about a

geographical location. These nodes communicate with each other to relay gathered

information, however in the absence of a central hub they may form an adhoc network and

information may be stored locally. World Heritage listed Spring brook National Park is using

such sensors to track certain information in terms of microclimates and biodiversity,

periodically [8]. This sort of skill has principally been developed for utilization in the mining,

medical and defense engineering [9]. Sensors currently in use include Wind speed and

direction, Rainfall, Temperature & Humidity, Barometric pressure, Leaf wetness, Soil

moisture, etc.

2.3 Ad Hoc Network Vulnerabilities

One of the prime objectives in an adhoc network is the provision of secure communication

between various participants in an unfriendly environment. Distinctive properties of wireless

network create new threats to the security design which were not present earlier, that include

peer based network architecture, a common wireless medium open to all and varying topology

due to mobility [12]. If positively taken, these threats are helping in achieving a matured design

for future wireless communications, especially in terms of green-field technology where new

infrastructures are being deployed. However, for the already deployed ones independent modules

/ protocols are desired to have a cheap solution.

25

The adversary may disrupt packet forwarding operations, which is based on the supposition that

nodes cooperate for packet routing destined for remote destinations [13]. Generally, routing

protocols are not disturbed via such attacks; rather routing states maintained at each node are

infected only; resulting in affecting packet delivery operation. Another type of attack is the

denial-of-service (DoS) attack where enormous packets are fed on the medium, either

continuously or periodically, while other nodes may be communicating or they keep on waiting

for the medium to get idle. Such fake packets force legitimate nodes to have multiple packet

retransmission and frequent packet drops resulting in severe contention and network congestion

on the medium [22].

2.4 Handling Malicious Nodes

The existence of malicious node is a great threat in proper functioning of an ad-hoc network. It is

vital to counter such entities to avoid the valid nodes from being blocked and to allow the

network to provide its services in an optimum manner. Usually, three main steps are used in

tackling and managing a malicious node that include initially detecting a malicious activity on

the network [10] [11] [14]. Once, the presence is detected only then participants will be able to

trigger reactive mechanism to handle it for future. The detection process is generally carried out

in a distributed fashion by each node. Further, periodic coordination is done to apply weight,

intimate others and minimize false alarms. Once, the existence of malicious node is confirmed,

identification mechanism is triggered. Increased packet drops, frequent time outs and analyzing

packet traffic patterns and statistics are typical ways of identifying a malicious node [15] [16].

Generally, each node with the help of others tries to pin-point the malicious node which is later

intimated to all other participants. Finally, all services and cooperation for that node are denied

like packet forwarding requests, etc. This way, all nodes isolate the malicious node by refusing to

provide assistance [17].

2.5 Use of Multiple Channels in Wireless Network

A multi-channel approach can be used to achieve highly significant performance gains. An

inspiration to use more than one channel or multiple channels is that it ensures different

26

performance enhancements as compared to single-channel CSMA. The argument is that huge

number of channels can decrease the number of collisions by allowing simultaneous

transmissions and carry more resourceful utilization of the bandwidth [23-25].

Multi-channel protocols can be divided in different categories, based on the approach used for

control or data packets transmission or both. Single and double radios may be used by devices. In

case of double radios, a radio may be dedicated to control messages whereas other radio may

grant access to any other channel for data transmission. Generally, before transmitting, sender

checks either the proposed channel is free or not. If it is found free sender builds a record of

inactive idle channels. The transmitting node while transmitting the RTS frame piggybacks the

list of available channels, to the receiving node; condition to that minimum of one data channel

is found idle where the node-pair can exchange data packet. If destination node is busy or no

channel is available for data exchange, sender enters into back off process. After the acceptance

of RTS packet by destination node, it finds the free data channel from the maintained list. When

the free channel is located, it sends the CTS frame together with the selected channel number on

the control channel after waiting SIFS time. However, if the said channel is found occupied by

sender, CTS packet will not be transmitted. The other nodes in the network who receive this RTS

frame; postpone their communication on the control channel just for the time interval of running

CTS and RTS. After confirmation of RTS/CTS the data channel will handle the rest and control

channel will be free for other node pairs.

When the CTS is received, sender toggles to decide channel and waits for a SIFS amount of

time, just to ensure that the channel is idle. It then initiates data transfer to the intended receiver

on the new channel. The devices using such phenomenon are categorized into Dedicated Control

Channel. Examples include Dynamic Channel Allocation (DCA) [18], Power Control [19],

Dynamic Control Channel [20], CSMA MAC derived from IEEE 802.11 DCF with RTS/CTS.

Besides dedicated control channel remaining three protocol families use single radio. Common

Hopping devices do not exchange data hops through all channels. This exchange is done

synchronously. As the transmitter and receiver pair build an agreement for the communication

and restart the common hooping pattern. This process is done when the communication is

27

completed. As compared to dedicated control channel, common hopping protocol is better

because it uses only one transmitter and one receiver (transceiver) for one single machine and

also it utilizes all channels for data exchange. CHMA (channel hoping multiple access) [21] and

CHMA with packet trains [22] are the examples of this design.

In split phase approach, time is separated into a discontinuous series of control and data

transmission segments. Examples of this approach are MMAC (Multichannel MAC) and

Multichannel Access Protocol (MAP) [23]. In MMAC beacons split into time which are

periodically transmitted. The ATIM window is present in start of every beacon message. It is

required to hear the default channel which is one among the many channels and is already

defined. Thus, each node can identify the default channel. This default channel is only utilized

for transmitting the data other than ATIM window. If any node has some buffered data packets

which it wants to transmit, it transmits ATIM packet to alert the target node with desired channel

list. The receiving node chooses one channel based on preferable channel list (PCL) of both

parties, that is its own and the one it received from the sender, after receiving the ATIM packet.

After the selection of channel by receiving node, it incorporates the information of channel in the

ATIM -ACK packet and sends it to sender. After receiving the ATIM-ACK packet from

receiver, sender attempts to occupy the same channel specified in the ATIM-ACK. If the

required channel is selected by the sender, it transmits the ATIMRES packet to destination node.

The ATIM-RES packet intimates the neighboring nodes of the transmitter that said channel will

be used, so that the others update their PCL by using this information. After the ATIM window,

both transmitter and receiver will hop to the said channel and exchange data after RTS/CTS.

Parallel Rendezvous protocols are different from the preceding such multi-channel protocols

such that multiple device pairs can agree concurrently on various available channels. The major

task being to cater down bottleneck of single control channel. Due to multiple rendezvous

channels, it requires particular coordination to rendezvous two devices on the identical channels.

A way out is for each idle device to chase a “home” hopping sequence whereas the transmitting

device needs to transmit on that specific channel for finding the anticipated receiver. SSCH [24]

and McMAC [25] are the examples of this approach.

28

The capacity of IEEE 802.11 network is increased by utilizing frequency variety in SSCH. All

nodes in a network use SSCH to toggle across channels in such a way that those which are

required to communicate overlap on the same channel. Whereas dislodged messages mostly do

not overlie, so interference is not found among the nodes. In multi-channel MAC protocols

devices work in terms of pairs are enabled to communicate on different channels simultaneously

to increase network throughput.

The comparison of different protocols can be achieved by varying the available channels, hop

time and offered devices, to examine their outcomes on the network efficiency. From the

comparison it is found out that Parallel Rendezvous protocols such as McMAC and SSCH has

the ability to perform better than Single Rendezvous protocols. The Dedicated Control Channel

protocol outperforms other protocols at the cost of two radios. Further protocols which consist of

only on one radio show high performance when there is small number of channels but fall-short

to inspect the channels perfectly and status of other members of the network when there are large

numbers of channels. The parameters like length of the control and data segments need to be

adjusted because they being vital for better performance of split phase technique. When MAC

protocols firmly manage to exchange several packages of the same destination after each

meeting, are found useful for various types of reciprocity. This approach improves the flow

(throughput), jitter and delays, by using any protocol discussed above.

2.6 Variations in Jamming Attack

2.6.1 Jamming Models

From the physical layer perspective, the jamming attack can be classified as follows [36]:

� Noise Jamming:

The channel bandwidth used by the targeted system is jammed with noise energy. This raises the

level of background noise at the receiver and makes it difficult to detect frames correctly. In

other words, the SNR (Signal-to-Noise Ratio) at the receiver end is decreased.

29

� Bit Jamming:

Jamming at the same frequency and modulation scheme as the targeted system seriously

decreases the network performance as the devices try to detect a known pattern in the bit stream

allowing them to synchronize. Since this modulated signal may not be filtered out like white

noise, it decreases the SNR at the receiver and occupies the channel heavily.

� Frame Jamming:

Jamming using frames according to the targeted system is hard to detect, since the jamming

signal is masked as regular frames. Its impact goes beyond minimizing the signal-to-noise ratio.

Due to unfairness of jammer, the channel may be occupied over long periods of time. Depending

on the system, this might be achieved with very low energy consumption by periodically

announcing long duration frames which compels the participating nodes to stay silent for said

amount of time.

Figure 2-1: Effect of Proactive Jammers in Wireless network

Furthermore, from viewpoint of jammers the use of additional information at the MAC layer can

increase their effectiveness. For a channel aware jammer, a single jamming pace is usually

applied for every likely status of channel like busy, idle, etc. In a continuous-time model, signals

30

are produced based on Poisson distribution having diverse ratio for varying status. Additionally,

intelligent jammers may have varying states depending upon the targeted communication. e.g.

reactive jammer seeks a non-colliding transmission and immediately targets it with a particular

possibility of collision.

2.6.2 Types of Jammers

A jamming strategy describes the way an attacker disturbs the medium. Besides the time-based

strategies, where the jamming signal is active only in specific time intervals, there are more

advanced jamming schemes possible which make use of knowledge about the physical and link

layer specifications of the targeted system. Based on the selected strategy, the effective jamming

is then performed by emitting an appropriate radio frequency signal. This could be noise or

modulated signals. The device that generates a noise and creates intrusion for network is referred

as a jammer [19][20]. [19] explains different types of jammer. Most common ones are known as

proactive jammers as shown in Figure-2-1 and discussed below:

a) Constant jammer

Constant jammer is not energy efficient rather it just emit radio signals continuously on the

medium with the intent to keep it unavailable for legal communication. The signal is composed

of random bits. It does not follow MAC protocol rules and does not consider for the ongoing

communication.

b) Periodic Jammer

A periodic jammer is similar to a constant type, except that it jams the period for certain period

and then sleeps for some time after which it restarts injecting fake packets on to the network.

Thus periodic jammer alternatively sleeps and jams the channel, in repeated fashion. The sleep

and jam periods may and may not be the same.

c) Deceptive jammer

31

Deceptive jammer is just like the constant jammers in a sense that it also emits signals

continuously. However, rather than random bit, regular packets are emitted, so that its detection

is delayed due to used of valid packets.

d) Random jammer

Random jammer is more energy efficient than previous ones. It does not send signals

continuously, rather follows the sleep-and-jam rule, and i.e. sends packets for some random time

intervals and then it turns off its radio or sleep for a specific time interval. In jamming mode it

can act as constant or deceptive jammer.

e) Pulse jammer

The efficiency of jamming depends on various aspects. These are jamming-to-signal ratio (J/S),

channel coding, modulation scheme and interleaving of the target system. If the jammer is not

able to jam continuously it changes the intensity (jamming level) by pulsed jamming. 77.

f) Reactive jammer

The jamming techniques mentioned so far are active having one goal to make the medium busy

for nodes regardless which type of packets flowing and thus are easy to detect. Whereas the

reactive jammer has more sophisticated jamming technique, which is much harder to detect. It

passively monitors the medium continuously and emits packet large enough such that a collision

occurs at the receiver, whenever a valid packet is heard.

g) Intelligent jammer (energy efficient jammer)

All above jamming techniques have low energy efficiency and higher degree of detection. Not

only physical layer but other layers can be exploited for jamming purpose. Intelligent jamming

techniques operate on control packets, as all communication depends on them. Since no data gets

transferred if control packets are destroyed. This could reduce throughput to zero levels. There

are different types of jammers in [20] [21] [23]. Some important are:

� CTS Corruption Jamming:

32

In this jammer sense for RTS packets. If jammer senses the RTS, then it waits for SIFS time

and emits small radio signal to corrupt the CTS packet, which is an expected response of the

RTS. By demolishing the CTS packet, again and again, sender times out and hence the data

packet is never transmitted.

� ACK Corruption Jamming:

ACK packets always follow the data packets. In this case jammer is looking for data packets,

once it hears the data packet on the medium. It simply waits for SIFS time interval and after

that it send small jamming signal which destroyed ACK packet.

� DATA Corruption Jamming:

It just likes the ACK Corruption jamming technique. In this technique jammer waits for CTS

packets where DATA packets follow the CTS packets. When jammer sense any CTS packet,

it just wait for SIFS time and then send signal of noise to disrupt the data packets

� DIFS Waiting Jamming:

In a network with much traffic rate, it is quite normal that medium is found inoperative for

DIFS time. Such a jammer senses and waits for DIFS interval and sends one jamming signal

to corrupt communication. This technique cannot work well in low traffic network

j) Selective Jammer:

Another important category, of intelligent jamming attacks is the selective jammer [26-27]

who targets control packets, but can be a combination of the above discussed intelligent

jammers. Thus, the target layer is network if it is corrupting the route request/replies or

transport if acknowledgement of a TCP communication is being garbled.

k) Flow Jammer:

Generally, multiple traffic flows may exist between point to point communications, which in

the absence of topology change do not require frequent route inquiry/ maintenance control

packets. Flows are being sent in case of segmentation, like large files whereas multiple flows

33

vary in terms of parallel communication with different entities or applications. Flow jamming

attack [28-30] targets particular flow(s), that result in large delays and result in generation of

frequent control messages by the legitimate nodes, like frequent route requests, in case of the

existing one generates a route error, resulting in topology change or re-routing. The

complexity increases further, if the jammer is not only intelligent enough to target

concentration of flows on network, rather it is mobile and shifts itself accordingly.

l) Mobile Jammer:

Another form of jamming is the mobile jamming attack [31] that not only threatens the MAC or

physical layer, but also breaks the routing in an adhoc network. As the name represents mobile

jammer has mobility to sneak in the critical path based on the information it collects overtime by

eavesdropping the amount of traffic load and the direction of the dataflow. Besides, the mobile

jammer can decide when to jam an area based on the value called jamming threshold. Mobile

jammers are more successful in environments where nodes have no or less mobility and a single

channel is used for communication, e.g. wireless mesh networks and WSN.

34

490

Chapter 3

Related Work

35

3.1 Introduction

Due to ease of installation and usage, unlicensed band, cheap hardware, mobility, portability and

expandability, wireless network has become the most popular technology among current

communities. New networks of business are quickly deploying by saving cost and time of having

wired offices and workstations, resulting in a real business success tool. Different types of

wireless systems ranging from WLAN to mesh and sensors network are available as per the

requirement. However, one critical issue of security exists in wireless networks; especially some

attacks are medium dependent and do not exist in the earlier counterpart [32]. The wireless

medium introduces many threats which cannot be easily addressed by the traditional protection

methods. One significant set of such attacks is denial-of-service (DoS) which is concerned with

satisfying user or system domain buffers. But in wireless realm, attackers may attain ability to

prevent legitimate nodes from communication by capturing the medium. It is because wireless

networks are constructed via common medium which creates a trouble-free path for intruders to

introduce such attacks [33]. In wireless network defenses like cryptography, pass-phrase sharing

etc., can be overrun by a simple DoS attack that can shutter the whole network. Jamming is a

special category of DoS attacks which is used in wireless networks, where an attacker disrespects

the medium access control (MAC) protocol and transmits on the mutual channel; either

continuously or periodically to target all or some communication, respectively [77-79].

Jamming is a special category of DoS attacks which is used in wireless networks, where an

attacker disrespects the medium access control (MAC) protocol and transmits on the shared

channel; either continuously or periodically to target all or some communication, respectively.

Figure 3-1 shows a jamming scenario in wireless network, where the red area marks the jammed

region. Since, jamming cannot be handled other than preventing it, either using logical or

physical retreat. Such schemes are generally employed at the MAC layer and so is our emphasis

in this study, but other approaches are not being ignored. Additionally, the major focus is on

possible solutions for the nodes having only single antenna. Initially the variations that the

jammers are capable of are listed in next section. Thereafter, third section comprises of the basic

parameters and metrics that are helpful in detection of a jamming attack. Unlike other security

attacks, jamming attacks are handled by avoiding the malicious entity via escape; either

physically or logically. Such retreats are discussed in the following section. Thereafter, we

36

discuss the mitigation techniques that are used and have been proposed in near past, followed by

a critical review of the said studies. Finally, we conclude and highlight future directions.

Figure 3-1: Jammed Scenario in a wireless environment.

3.2 Jamming Characteristics and Efficiency Criteria

According to Xu [34] jammer is defined as an individual who is intentionally obstructing the

methods of legal wireless communication. Such an individual is treated as an active attacker

depending upon its intentions and actions. From the jammer’s perspective, it can accomplish its

aim by seizing the sender such that it is unable to transmit or, as a second option which is found

better, hinder the receiver so that it cannot understand the message completely or partially. For

the sake of concept, suppose that in communication of the two nodes where jammer is residing

nearby, can prevent the sender from initiating a data communication by constantly emitting low

powered signals on the channel; allowing the sender to presume that the medium is occupied.

Alternatively, if for some reason the data is transmitted successfully, jammer can target the

receiver’s end via inclusion of noise in the transmitted packet. Thus, jammer can target a whole

area in its range or a particular transmission.

Before going into the details of tackling a

some factors and measures on the basis of which jamming attack is categorized and identified.

Ideally, jammer ought to have elongated energy to continuously hinder the communication.

Additionally, it should adopt the methodology not to get detected. A third criterion is that it

should disrupt the communication to possible extent i.e. level of DOS attack depends on interests

of jamming scenarios. That is, an adversary with restricted energy will not be

because the primary concern will be to lengthen its existence on the network, rather than

efficiently disrupt the communication. [

for measuring jamming effectiveness:

• Energy Competence

• Likelihood of Exposure

• Domain of DoS

• Potential alongside physical layer techniques

In order to measure the degree to which a jammer assures these factors, Xu [

discussed two methods that are of great importance:

Packet Send Ratio (PSR) is evaluated via number of packets which have been successfully

transmitted in accordance to the amount of selected packets. However, there is always chance of

interference because of the open medium; and surety of non intervention is not guaranteed

If ‘m’ is the number of packets sent out and

transmitted, then PSR can be defined mathematically as:

Packet Delivery Ratio (PDR)

when compared to amount of packets that were transmitted by the source [43]. If

of packets be very high and m no of packets sent then PDR can be defined mathematically as:

37

Before going into the details of tackling and mitigating a jamming attack, it is vital to overview



should adopt the methodology not to get detected. A third criterion is that it


of jamming scenarios. That is, an adversary with restricted energy will not be


efficiently disrupt the communication. [35, 36] specifies the factors that are extensively utilized

for measuring jamming effectiveness:

Potential alongside physical layer techniques

In order to measure the degree to which a jammer assures these factors, Xu [34

discussed two methods that are of great importance:

is evaluated via number of packets which have been successfully


interference because of the open medium; and surety of non intervention is not guaranteed

of packets sent out and ‘n’ is the number of packets that were intended to be

transmitted, then PSR can be defined mathematically as:

is defined as number of packets that are received by recipient

hen compared to amount of packets that were transmitted by the source [43]. If

and m no of packets sent then PDR can be defined mathematically as:

nd mitigating a jamming attack, it is vital to overview



should adopt the methodology not to get detected. A third criterion is that it


of jamming scenarios. That is, an adversary with restricted energy will not be much effective,


] specifies the factors that are extensively utilized

34] analyzed and

is evaluated via number of packets which have been successfully


interference because of the open medium; and surety of non intervention is not guaranteed [43].

of packets that were intended to be

is defined as number of packets that are received by recipient

hen compared to amount of packets that were transmitted by the source [43]. If ‘q’ is number

and m no of packets sent then PDR can be defined mathematically as:

38

Even after packets are sent out by A, B cannot receive message completely due to presence of X.

PSR can be easily calculated by no of packets that passed CRC at B with respect to number of

packets received.

3.3 Techniques for Detecting Jamming Attacks

For the detection of jamming attacks, several practical implementations are possible. One

approach is to perform the detection on the active nodes during their own transmissions. Since

these nodes have a different view on the data flow depending on whether they act in the role of

the transmitter or receiver, they define two separate algorithms for both cases, i.e. transmitter-

based and receiver-based detection, depending upon where among both the parties the detection

algorithm is initiated. The "dedicated jamming detection" is useful in scenarios where the power

consumption and device complexity of most of the participating nodes should be low. The

detection is then performed by only one or a few nodes having enough resources available.

Finally, the development of a "cooperative jamming detection" algorithm is motivated by the

expected increase of detection performance compared to the standalone detection mechanisms,

since a broader view of the network is available. In the following, each of the four detection

strategies is discussed [37]. Another detection strategy of jamming attack is proposed by [38] is

Radio Frequency Finger-print being useful for the wireless networks. If the fingerprint of the

wireless network is not identifying or considered as a threat than the security of the network can

be increased by testing the legitimate user to ensure its authentication.

3.3.1 Transmitter-Based Detection

Different detection approaches of jamming exist; consider an ad hoc network with node A

sending to node B. To apply the decision algorithm [37] which is described in the previous

section, the transmitter has to determine the four metrics, as follows

• PDR (Packet Devilry Ratio)

• RSSI (Received Signal Strength Indication)

• PHY rate (Physical Rate)

• Noise

39

3.3.2 Receiver-Based Detection

The main difference between receiver-based and transmitter-based detection lies in the

computation of the PDR. Although in transmitter based detection, the transmitter knows the

exact number of data frames sent including all retransmissions; this being a priori not known to

the receiver since several frames might get lost during transmission. Therefore, it is necessary

that the data frames contain additional information which enables the receiver to determine the

total number of sent frames. This can be achieved by adding a sequence number to every single

data frame, as in the WLAN standard [37].

3.3.3 Dedicated Detection

In case of dedicated detection [37], the RSSI and PHY rate are read from the acknowledgement

frames arriving from the receiver, i.e. node B. As always, the noise level is taken from arbitrary

frames arriving at the monitor. Based on the gathered statistics over several ACK frames, the

monitor then applies the decision algorithm. Finally, the node dedicated to the jamming detection

announces his decision to the other participating nodes in a broadcast frame. This broadcasting is

then repeated whenever the decision changes in future.

3.3.4 Cooperative Detection

This detection scheme is the combination of all the previous three strategies. In this case the

technique is to share all the information at all nodes among each other and to make a decision

based on this broader view. This means that every participating node in the ad hoc network

gathers its own information independently using any of the above techniques and shares with its

neighbors.

3.3.5 Detection via RF Finger-Print

RF finger print is deployed as a means to enhance security in wireless network. As the

transmitter of the radio activates, the transmission of the RF signals demonstrates the temporary

behavior with reference to the instantaneous frequency and amplitude. The time duration of the

transient performance can be changed because of model type and nature of the transmitter. The

difference between the same types can be observable which can be caused due to the aging and

the manufacturing tolerance of the devices. The unique turn-on transient signal behavior is called

the RF finger print of a radio and can be used to identify the transmitter [38].

40

3.4 Jamming Attack on the Control Plane

Wireless medium is accessed through CSMA/CA mechanism in order to transmit data. Before

sending RTS nodes waits for DIFS time gap and before sending CTS, DATA, ACK it will waits

for SIFS time. Implementation of such mechanism is to avoid collisions and resolve hidden node

problem. For disrupting network communication different types of jamming methods and

jammers are available such as; continuous jamming, random jamming, intelligent jamming etc.

each jamming method has cost in term of energy, where energy in certain scenarios can be a vital

constraint to survive for a prolonged period on the network. Continuous and random emission of

signals have higher cost than intelligent jamming which targets control packets rather than whole

frequency band. Such jamming mechanism requires good knowledge of fundamental wireless

network protocols. Intelligent jamming varieties target control packets such as ACK, DATA, and

CTS etc. A CTS corruption jammer seeks the RTS packet on the medium. When senses the

required packet; it generates the noise (small radio signal) after waiting SIFS time to corrupt the

CTS packet. Similarly after sensing CTS packet it will send small interruption signals after SIFS

interval in order to distort the data packet. In wireless transmission ACK frame has highest

priority over other packets. Seizure of ACK is enough for the transmission failure [39-41].

Retransmission of data packet(s) consumes not only node energy; rather result in backing off of

neighboring nodes. Four major energy loss sources for nodes are collisions, control packet

overhead, overhearing, and idle listening [42].

Mitigation method for ACK attack is presented in [43]. They propose ENAV (Extended Network

Allocator Vector) which mitigates impact of ACK attack. It brings flexibility in NAV time for

receiver in order to send ACK packet, which follows after each DATA packet received at

receiver end. As in CSMA/CA ACK packet follows DATA packet after SIFS time interval, but

now due to ENAV receiver has flexibility, which reduce the chances of collision. With this

scheme victim node can reduce its energy consumption by 40%. Further more. Energy efficient

attacks such as Denial of sleep attack can be defended by using framework suggested in [38].

This framework has four key components and these are; strong link-layer authentication, anti-

replay protection, jammer identification and mitigation, and broadcast attack defense. Using this

node can preserve nearly 80% lifetime and achieve 77% throughput of the network.

41

3.5 Jammer Mitigating Techniques

In this section we survey the methods of mitigating a jamming attack that include use of spread

spectrum at the physical level, followed by MAC layer approaches to evade and retreat a jammed

channel; either physically or logically moving away from the jammer. Finally, the techniques of

resumption of network nodes to reestablish a network are discussed.

3.5.1 Spread Spectrum

Spread spectrum has two basic motivations [44]:

• Provide resistance against jammer

• Hide communication

In a wireless environment, most commonly used anti-jamming technique at physical layer is

spread spectrum based communication. However it does not fully secure communication against

jamming attack. Major drawback being that invader does not have to be conscious of whole

spectrum alteration progression in order to interrupt communication. For instance, in the case of

voice communication, small part of conversation corruption between human users will have a

minor effect on the quality of communication.

3.5.2 Evasion Techniques

• Spatial Retreat

Spatial retreat is a mechanism to physically evade the jammed area. The rationale behind this

strategy is that when an area is jammed in the wireless network, based on the detection algorithm

all nodes try to estimate the jammed region and flee physically in the direction of safer place.

Based on their estimation about the jammed region, nodes independently opt for shortest path to

avoid being jammed and move accordingly. Figure 3-2 shows the spatial retreat approach for two

party communication scenario [46]. The area illustrated via slashed stripes is jamming range. As

Wireless networks are vulnerable to such intrusion which interrupts node communication,

therefore to survive against such interference above approaches were introduced. There are

basically two approaches used in this technique: Jam Area Mapping (JAM) and Node Escape.

42

Figure 3-2: Spatial Retreat strategy for a two party communication scenario [46]

i. Jammed Area Mapping (JAM)

This mechanism employs scattered approach to draw the jammed area so communications

with that part of the network node can be avoided during specification of routes [46]. Once,

out of the jammed region legitimate nodes try to relocate others and hence, may change their

direction and speed according to the predefined algorithm [47].

ii. Node Escape

This technique is for the physical escape of the node from the jamming location. In view of

the fact that mostly devices of a wireless network are mobile, like cell phones or WLAN

enabled laptops, this technique is more likely to be adopted. Main theme being to move away

from the jammed area and periodically sense the medium if it has become interference free.

This procedure is repeated till node reaches to an interference free location [34].

43

3.5.3 Retreat Restoration

A very important phase of handling jamming in an adhoc network is to restore a network to non-

defensive mode when the attacker goes out of range. This phase is highly important because in

adhoc networks our prime focus is to conserve energy utilization so as to prolong lifetime of

nodes. In a proactive defense mode energy consumption is increased by manifolds. Hence

making it all the more vital to bring down network nodes to a normal level of energy

consumption essential for basic functionality performance. This retreat restoration can take place

in either the manner; by coordinated or uncoordinated communication. The communication is

based on a pre planned hop pattern between senders and receivers. Such pattern is already

decided among the network nodes prior to starting communication and as soon as nodes intend to

get in synch with any particular node they switch channel or frequencies according to the pre-

defined pattern to find the receiver node [48]. Such pre-defined hop coordination can be a

formula for finding the right control and data channel.

3.5.4 Temporal Retreat

Temporal retreat is a mechanism to logically retreat from the jammed area by changing the

channel nodes communicates on. This mechanism gives an impression to the attacker that the

participants are not available on the same channel anymore and hence becomes a retreat without

any physical movement. However, if the jammer is intelligent enough to sense other channels for

legitimate communication and network participants repeat the same procedure, again and again

this methodology is referred as channel hopping. In an uncoordinated manner, after each hop

communicating every node needs to get synchronized with other nodes. When any node is

unable to communicate for a certain period of time it starts listening on other channels in order to

sense whether its neighboring nodes have hopped on due to jamming or not. Nevertheless, if the

participants have already earlier decided about a channel hopping mechanism based on a

formula, etc., it is referred as coordinated channel hopping [49-54].

44

3.5.5 Hybrid Approaches

These approaches are the ones which have defined new protocols based upon multiple of existing

approaches to present an even effective anti-jamming mechanism. Other protocols that combine

innovative strategies like artificial and swarm intelligence are also included in this section. Some

approaches involve preemptive channel hopping or frequency hopping [55,56] instead of reactive

ones in order to prevent getting into a state where jamming disrupts normal communication.

Other implementations include synchronous and asynchronous spectral multiplexing where the

concept of intermediary nodes has been introduced to communicate at multiple channels. When a

node changes its channel because of jamming one of its neighbors takes upon itself to

communicate with the node on its new channel and rest of the network on the old channel [57].

Another strategy which targets prediction of nodes which are about to be jammed and hence

should be removed from routing in a wireless network. This strategy uses LEACH as its base

routing protocol and uses JAM for predictive determination of jamming holes [58]. DEEJAM

[59] protocol is an amalgamation of frame masking, channel hopping, packet fragmentation and

redundant encoding in order to avoid all four types of jamming classes and succeeds in reducing

pulse jam attack impact to 11%. However the extra computational overhead in these approaches

is unresolved. This magnifies in situations where there simply is no jammer in the vicinity.

Swarm intelligence is yet another strategy finding its popularity in field of wireless routing and

other issues related to WLAN. One such swarm based methodology is simulation of ants

behavior in path translation to a food source. This method is very effective and energy efficient

as is based on a natural process of pheromone laying and determining optimum routes [60].

However implementation details of this process are pretty complex, as volatility of this process

and intelligent learning is a little difficult to model.

3.5.6 Cognitive Radio

In better utilization of available spectrum and increase jamming resilience, use of cognitive radio

is quite useful. Jamming problem cannot be catered down by Adaptive Frequency Hopping

because it cannot differentiate among self-interference and noise generated via other devices.

[61] describes some attack mitigation schemes like robust Sensory Input, Mitigation in

Individual Radios, and Mitigation in Networks. In robust sensory input, the improved input

45

sensor helps significantly to reduce the credulity of cognitive radios. For example, when would

the radio be able to carefully differentiate between the characterization of interference and noise,

during events of natural and man-made RF divergence? Such sensors can map dedicated

functionalities at the hardware level that filters signs of hostile glance which can corrupt the

confidence of radio. Mitola [62] describes the typical cognition cycle of Observe! Orient! Plan!

Decide! and Act. If the radio maintains learning, whenever this loop results in a new operating

state for the radio, another stage called Learn is injected into the cognition cycle that allows the

radio to add to its memory information about how the radio transitioned to this new operating

state information that can be used by Plan and Decide in future cognition cycles. Improving

sensor input can significantly help to reduce the gullibility of cognitive radios. For example, if

radios could carefully characterize the difference between interference and noise, they could

distinguish between natural and man-made radio frequency events. Such sensors could also feed

specialized policy engine subroutines that specifically look for hostile signals that may be

attempting to corrupt a radio’s beliefs [61].

3.6 Discussion on Proposed Algorithms

So far we have only overviewed the general techniques that exist in mitigating the jamming

attack, either detection or retreat. In this section we investigate further on other ideas that can be

applied to handle a jamming attack.

Table-3-1 presents a logical division of all the techniques and proposed algorithms that have

been highlighted earlier. In this section we will discuss them in detail on the basis of the category

the study lies in. The studies listed include of the last recent years, some only emphasizing only

on a single approach whereas others have focused on combination of strategies (like detection

and retreat, etc.). Additionally, there are studies that have categorized the jamming attack on

basis of control and data packets. Lastly, based on varying jamming attacks by a single

intelligent jammer, protocols suites that avoid such jammer are also enlisted in the Table 3-1.

46

Table 3-1: Logical Division of Jammer Handling Strategies

Retreat

Restoration

Multiple

Channels

S.

No.

Ref.

No.

1st

Author

Na

me

of

Tec

hn

iqu

e

(if

an

y)

Det

ecti

on

Sp

ati

al

Ret

rea

t

Tem

po

ral

Ret

rea

t

MM

AC

Mu

lti-

Ra

dio

En

erg

y

Eff

icie

ncy

1. [59] Wood A.D. DeeJam X X

2. [34] Xu W. X X X

3. [35] Xu W. X X X X

4. [63] Paula A.R. DIDS X X

5. [69] Shi J. AMCP X X X

6. [60] Muraleedharan Ant X

7. [65] Mishra A. MaxChop X

8. [68] Alnifie G. Mulepro X X

9. [75] Lin C.S. CMCT X X

10. [56] Li M. X X X X

11. [76] Chen W. X

12. [66] Khattab S. X X X X

13. [64] Strasser M. UFH X X

14. [52] Nguyen H. Allibi X X X

15. [54] Othman J.B. X X

The focus of this chapter is to explore the techniques for tackling a jamming attack and for this

initially the physical layer approaches will be highlighted. Physical layer metrics help in deciding

anti jamming strategies and suggest changing physical level details of communicating traffic.

The said change may be in form of implementation of spread spectrum (FHSS or DSSS) or in

form of accommodating extra information in basic packet headers. Under this category are also

studies which suggest modification of communication packet size (packet fragmentation) and

hiding of packet header markers (frame masking) as suggested in [59]. Authors of [31] focused

on the frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS),

considered to be highly resilient in jammed environment at the physical layer. The major

contribution of this work is the analysis of a variety of counter measures opposing jammers

which facilitate the network to endure and employ correctly in a seized situation. Authors have

recommended the utilization of a particular FHSS method in 5 GHz band having 55 channels.

Using a secret key shared between the source and the sink nodes, a channel sequence may be

47

generated. Each channel uses DSSS modulation with 16 bit Pseudo Noise (PN) code, which

derives from the same secret word used for FHSS channel generation. Authors in [55] proposed a

new mechanism to mitigate jamming attacks via random channel selection protocol, especially

developed to facilitate communication among nodes in the presence of jammers. To make this

possible the pair-wise key pre-distribution protocol is used which is based on bi-variate

polynomial in order to build a secure random frequency hopping schedule between two nodes.

Asynchronous Multi-channel Coordination Protocol (AMCP) [60] is a MAC protocol that works

in a distributed fashion, which enhances cumulative network throughput, also tackles with

elementary synchronization issues that lead to isolation. AMCP realistically develops and

verifies via case scenarios, an estimated lesser range on the throughput of any flow in a random

setup. On the other hand, it considerably conveys enhanced throughput with respect to each flow

as compared to WLAN and multichannel propositions.

Authors in [33] explain the detection of jamming attacks in WLANs on the control packets i.e.

RTS and CTS jamming and a CUSUM based detection method is proposed, that is capable of

locating a jammer precisely at the cost of small storage and computation. A transformation-point

is detected due to contiguous fake packets on the medium, when such points are noticed in the

traffic patterns received; alarms are triggered to intimate all. An Intrusion Detection System

(IDS) [34] was proposed that satisfies requirements and conditions of WSNs. Preventive

mechanisms are generally required to defend against such intrusions. Though, certain intrusions

exist where no well-known avoidance methodology can be applied and hence, becomes essential

to utilize some means of intrusion detection. This way, not only the network is avoided from any

harm caused by the intruder, but also helps in developing prevention system by analyzing the

attacking techniques.

Authors of [35] proposed channel hopping and physical shift away from the jammed area and

demonstrated it using Mica2 networks. However, the focal point being the methodologies to

determine the instance about jammer being active. (afterwards in [38]), instead of proposing an

avoidance scheme, overall. Besides, authors did not address the overhead involved in channel

hopping or inspecting about existence of jammer. Authors in [56] consider a situation about a

complex jammer that congests an environment with fake packets using single channel

communication. Probability based signals are emitted by the jammer so that maximum loss with

48

respect to communication links occur over the network. Additionally, the jammer is smart

enough to seize itself when a monitoring node transmits a notification message out of the

jammed region, and knows it has been detected. Monitoring node identifies the jammer with the

help, of an optimal detection test, of packet clashes that took place over a period of time. Once

triggered by the monitoring node, the network calculates the likelihood of channel access, to

minimize frequent jamming identification and notification messages.

The physical evasion [34] needs the nodes being mobile and thus not energy efficient in

environments like sensor networks. The theme in this approach lies that when nodes being

mobile face distortion on a particular location continuously, ought to merely fly out in search of

a secure region. It is usually an attractive technique for wireless networks as devices are

generally mobile, like cell phones or WLAN enabled laptops. However, the main concern of

adopting this technique is to come up with the tactic through which devices need to fly away,

while being in synchronization with other members of the network.

Temporal retreat is a mechanism to logically avoid the jamming area by changing the channel

order a node communicates on. This mechanism gives an impression to the attacker that the node

is not available on the same channel anymore and hence the retreat without any physical

movement. An Uncoordinated Frequency Hopping (UFH) technique is proposed which is

independent and individually applied by all nodes [64]. The problem of jamming resistant key

establishment can be solved by some anti jamming techniques like FHSS or DSSS that favors

devices for communicating the key establishment; condition to that a secret spreading key/ code

has been carved up, in advance. Even though, this condition being quite minimum, but generates

a cyclic reliance among key arrangement and spread spectrum based communication; and is yet

to be addressed. Similarly, authors of [70] address the mutual broadcasting using UFH, based on

receiving channel selection without any prior coordination. Contribution of authors of [71] is

distinguishing that the proposed method of using Uncoordinated Spread Spectrum (USS), is

mainly focused on reactive jammers but also incorporates other jammer types, like random,

static, etc. A further enhancement is suggested in [72], in terms of attack model and addresses

the problem of time synchronization and localization for GPS spoofing attacks.

Authors highlight complexity of equality in uncoordinated deployments, emphasizing mainly on

channel assignment view point in a wireless environment [65]. The proposed answer lies on the

49

idea of temporal retreats. It is distributed in nature, involves no prior harmonization between APs

owned by various hotspots, is simpler to employ and finally compatible with in-hand standards.

Specifically speaking, proposed idea is called MAXchop, which works effectively with non-

overlapped wireless channels. Although, is found efficient in exploiting partially-overlapped

channels, in particular. Additionally they assess how the said approach (of channel assignment)

balances itself with earlier anticipated carrier sensing schemes to provide additional performance

enhancements using widespread simulations.

Since, jamming is considered a severe threat for wireless networks, as normal measures fail to

secure and counter it. Two defense strategies of jamming mitigation with respect to single and

multiple antenna apparatus are explained in [66]. These are proactive and reactive channel

hopping. Proactive channel hopping algorithms have been of prime concern so far as compared

to reactive techniques. From single-radio point of view, theoretical models have been developed

to investigate the blocking probability for combinations of defense and attack strategies. In

multiple antenna devices, jamming problem was applied min-max game theory and using

simulation illustrate that the result of the game is dependent on the payoff function. Additionally,

authors demonstrate that reactive techniques offer improved jamming resilience as compared to

proactive ones, but are the same in terms of energy efficiency. Authors in [73] have addressed

the control-channel jamming from an insider jammer perspective with the help of cognitive

radio, by establishing and maintaining a randomized distributed channel with via frequency

hopping; for each node independently. Further authors [74] enhance the schemes in WMN

scenario, on the basis of localization of each node, forming clusters and mesh routers being the

cluster heads (CH). Thus, multiple control channels exist on the network based on geographical

location till the jammer exists.

Mobility lists down papers which have presented solutions for catering to mobility as a property

of communicating nodes in a network as well as of the attacking jammer. It also lists down

approaches to diminish affects of a mobile jammer, evading which is much more complex and

energy consuming than other forms of attacking jammers. Distinct feature of such approaches is

the “Restoration phase”, where network nodes assume their original communication positions as

they were prior to getting under the influence of a mobile jammer. Authors in [67] discussed a

50

novel and powerful jamming attack called mobile jamming attack. Besides, he proposes a multi-

dataflow topologies scheme that can effectively defend the mobile jamming attack. The

simulation results of this study demonstrate that the mobile jamming attack is more devastating

than traditional jamming attacks and the proposed defense scheme can effectively alleviate the

damage. Authors of [39] presented three defense techniques: reactive, proactive, and hybrid.

MMAC marks work, which present use of multiple channels as an inherent communication

property in an adhoc network. This category is more focused towards proactive use of channel

for overcoming affects of a jammer in surroundings.

Another technique which provides urgent and robust response to the jamming attack is known as

MULEPRO [68]. It stands for MULti channel Ex-filtration Protocol and is designed to quickly

Ex-filtrate the sensed data from jammed region to the outer area. Major strength of this technique

lies in distributed nature, where all nodes based on a single seed value can calculate the time slot

and channel where data communication will take place.

Finally, jamming is not being taken as an adversary; instead it can be used in a constructive

manner among network nodes, as in [40]. Using jamming on unwanted traffic helps save other

nodes from trying to process them as legitimate information and hence conserve energy.

The focus of literature in general, has so far been either to detect the jamming attack from the

physical layer perspective or to come up with reactive approaches having underlying assumption

that nodes are able to detect jammer’s existence. The contribution of proactive approaches, lack a

lot, as such techniques are considered to have more overhead involved. Similar is the trend found

in terms of spatial retreat from the perspective of retreat restoration; where temporal retreat gets

to have more attention. Logical escape has majorly been considered in terms of WSN, Bluetooth

and WLAN, where a central entity is at least present to show the way to legitimate nodes. For

example, in WLAN the AP leads channel hopping sequence by announcing a especial message

and nodes follow. Though, from the MANET’s viewpoint, there is still quite a room to work

with; for both reactive and proactive techniques.

Even though, multiple channels exist in wireless standard and are available to use, as suggested

in literature to attain not only much throughput by simultaneous communication but to evade

51

jammer as well. The distributed nature of the said environment and lack of synchronization is

still a major issue in MANET. For that very reason multiple / smart antennas have been in focus

but practically they are yet to gain attention. Additionally, simpler and small devices having

single antennas would be needing a hardware level modification in basic design architecture. So,

the need is to come up with software based solutions that are proficient and efficient for all in a

distributed manner against jamming attack to avoid virtual collapse of the network.

3.7 Summary

Jamming attack is different from its other security attacks, as it cannot be mitigated like the

others. The severity increases many folds in a wireless environment due to lack of detection and

prevention mechanism in 802.11 standards. In this chapter, we surveyed the ways through which

an attacker can disrupt the medium. It has been analyzed that in addition to the time-based

strategies, in which the jamming signal is active only for a specified interval of time, there are

efficient jamming schemes possible which make use of knowledge about the physical and link

layer specifications of the targeted system. Hence, an intelligent jammer can survive longer on

the network.

Jamming attacks are avoided by escaping from the jammed area. In case of mobility as in

WLAN, legitimate jammed nodes need to be equipped with jamming detection technique, via

which they can physically escape from the jammed region and later try to relocate other nodes by

periodically moving and sensing beacon messages from others. Nodes flee out of the jammed

region by estimating the jammer’s signal strength on the basis of jammer detection mechanism.

So far, the jamming attack detection mechanisms are threshold based and may increase false

alarm rate. Additionally, the relocating algorithm to find peer nodes is independently run on each

node, via randomly chosen speed and direction. The combination of above stated algorithms is

quite complex and is found effective in dense environment, only where chances of relocating

other nodes is higher.

52

The use of multi-channel in wireless networks has been in focus for increasing throughput and

use of simultaneous communication in the same vicinity. However, the additional channels are

also a solution against single band jammers where legitimate nodes hop to another channel either

on the basis of earlier coordination or randomly chosen channel where they can later try to

resume communication with others. Besides, for uncoordinated escape from jammer as in adhoc

network, use of boundary nodes is considered useful for the nodes stuck in jammed region and is

unable to move away. When the wireless network gets jammed, each node becomes independent,

as it is unable to communicate with others and thus all above techniques are applied by the node

autonomously, requiring more power and energy consumption. Furthermore, channel switching

has its own overhead involved but is found valuable for stationery nodes having large number of

channels, especially against frequency swept jammers.

As discussed earlier, that proactive and reactive algorithms have approximately same energy

consumption in case of jammer avoidance, generally. However, the added advantage in using the

earlier ones is that no detection mechanism is needed. Therefore, couple of studies has proposed

proactive protocol suites in WLAN and WPAN environment. But the challenge is of developing

such protocols for MANETS, especially against intelligent jammers with the emphasis on

securing control and data channels, or both; if not all, then majority should be able to cope up

with jammer.

53

Chapter 4

Estimating the Effects of Jammers via Conservation

of Flow in Wireless AdHoc Networks

1.

54

4.1 Introduction

Tackling of the jammers interference and jamming are conventionally done by PHY-layer

communication techniques. These systems are based on spreading techniques like Frequency

Hopping Spread Spectrum (FHSS), which provide flexibility to interference. However, attacks

like jamming attacks do not require heavy computation and algorithm breaking techniques to

interfere any communication. They just simply do it with the generation of fake / valid packets

on medium. Additionally, if the attacker is intelligent enough to cleverly target packets, it can

survive on the network for longer time, undetected. Thus, the need arises for advance mitigation

techniques to be incorporated on higher layer(s), like MAC layer.

In this chapter, initially an overview of existing jamming attack approaches and their effects is

provided. Next, Conservation of Flow (CoF) technique is sketched out which has been quite

successful to detect malicious nodes in wired networks. In Section 4.4, proposed CoF based

simulation model to analyze jamming attack is described, followed by simulation results in

subsequent section. Since, this is first of its kind attempt to deploy CoF technique for the

wireless medium as a security mechanism; the results are verified using AI algorithms on the

recovered data set, in section 4.6. Finally, I conclude and summarize my contribution.

4.2 Jamming Attack: Approaches & Effects

Various jamming approaches and strategies can be used by the attacker to disrupt the network.

Along with the time-based strategies, where the jamming signal is active only in a definite time

intervals, there are more advanced jamming schemes possible that make use of knowledge about

the physical and link layer specifications of the targeted system. Keeping the selected strategy as

a bottom line, the effective jamming is then executed by emitting an appropriate radio frequency

signal. This could be noise or modulated signal. The approaches most commonly used by the

jammers and proven to be effective are discussed as follows [83,84].

A constant jammer emits a constant signal continuously without any delay. This constant signal

can be a radio signal which can be generated from a waveform generator. Such a jammer can

efficiently prevent legitimate traffic sources from getting hold of a channel and sending packets.

55

Instead of continuously emitting the signal, a periodical jammer hangs up its transmission during

a particular time in regular intervals. Similarly the random jammer also delays its transmission

for a specified time but at a random duration or arbitrary interval or both. It alternates between

sleep and jam phases. This model strives to take energy conservation into consideration, which is

a matter of great interest for those jammers that do not have unlimited power supply but intend to

interrupt legitimate communication.

Apart from the above approaches, the jammer can be intelligent enough to conserve its energy so

that it can survive longer, resulting in more damages. Such intelligence is acquired by sensing

the medium passively before targeting one or more nodes or types of traffic. In reactive jamming

attack, the jammer starts its transmission as soon as a communication is detected on the channel,

via sensing it. It targets the reception of a message because it stays silent when the channel is

idle, but starts generating a radio signal as soon as it senses activity on the channel. A more

sophisticated type of reactive jamming takes into account the analysis of the detected regular

data stream. The jamming is then applied systematically to frames from or to particular nodes or

to frames of a certain type. On the other hand the deceptive jammer continuously feeds regular

packets to the channel without any gap between succeeding packet transmissions. Due to this

phenomenon, a legitimate communicator will be deceived into believing it as a legitimate packet

and will be duped to remain in the receive state. Therefore, even if a node wants to send the

packets, it won’t be able to do so as a constant stream of incoming packets will be detected.

Radio jamming is potentially the most direct, nondestructive and yet disruptive form of DoS

attack on wireless networks. Most of the attackers might favor radio jamming over other DoS

attacks because it is trivial to execute and the jammer only needs to emit an arbitrary constant

signal at a power roughly equal to the signal power of its victims [75]. According to [83], the

adversaries vary with respect to their use of different radio jamming attack strategies: constant

jammer, deceptive jammer, random jammer, reactive jammer. The attacker nodes or

compromised nodes bypass the MAC protocol and blast on the channel irrespective of the other

activities that are taking place on the channel.

Link layer jamming is a more complicated type among the denial of service jamming attacks. An

intelligent adversary that wisely uses the link layer protocol logic can be effective as a blind

56

radio jammer but by consuming less energy. The intelligent jammer’s couple of objectives are;

first to survive on the medium for longer period without being detected and secondly to

misbehave in order to frustrate the legitimate neighbors from gaining the medium. The

motivation of such DoS attack is to violate the MAC layer rules at specific time periods such that

the intervention is unnoticeable and the energy efficiency of attacker is conserved [80].

4.3 Problem statement

Recent past has experienced the wide usage of wireless devices especially due to portability.

Since the design of such devices does not primarily emphasize on heavy computation and secure

communication, rather are treated as add-ons. This, and other limitations like shared medium

which is open to all, attracts intruders in wireless network. From the security perspective

jamming attack is the one that is easy to launch and harder to detect. Jamming attacks are

generally directed towards seizing the medium completely, via transmitting fake packets

violating the medium access protocol; either constantly or periodically. In this study I have

analyzed the effects of different types of jammers using Conservation of Flow (CoF), which has

been useful for detecting other attacks, in the wired networks [85-87]. Lastly, simulation results

are presented in justification of proposed methodology.

Figure 4-1: Transit packet byte counters [85]

57

4.4 Conservation of flow (CoF) based malicous node detection

The theory of CoF has been successfully used to identify the malfunctioning node in the wired

networks. WATCHERS [85] take CoF into account but it does not deal with outside intruders, it

is rather specifically concerned with malicious node within the network, whichever type it is.

The algorithm is based on finding out the inconsistency between the incoming and outgoing

traffic, as shown in Figure 4-1. Every router has to maintain a set of six vectors for each neighbor

node containing the information about the data passing through that router, or all information

which are being sent to that router or which are intended for that router. Besides, every router

tests its neighbor by receiving the counters from its neighbor’s neighbors and comparing the

packets destined for that router and the number of packets that router received. If the difference

exceeds a certain threshold that router is declared as malicious and removed. [87] presents a

detection algorithm for malicious routers in the wired networks where attacker easily exploits the

shortcomings in the current standard networks. A compromised router can potentially be

identified by the correct routers when it deviates from an expected behavior. They divide the

problem into three sub-problems: Traffic validation i.e. detection of anomalous behavior on the

basis of the traffic information. Next is distributed detection which emphasizes that a single

router cannot decide whether a particular router is malicious or not. Finally response phase

which highlights that once a router is found faulty, routing tables of other routers must be

modified so that the traffic should not pass through the malicious one in future.

Wireless Networks are more susceptible to packet loss because of two reasons; malicious nodes

and lossy channel. Adhoc networks are different from the traditional wireless networks in that

every node is connected to more than one node mostly, instead of a central access point

providing connectivity. Additionally, adhoc networks also have some limitations like chances of

error are increased with node density, open medium etc. Therefore to incorporate packet loss

especially in terms of noisy medium, [88] has incorporated packets counters to apply CoF

algorithm successfully to identify a lossy channel in wireless networks. Authors have applied

vectors to every hop that routes a packet, to incorporate traceability of each packet to conserve

entropy of the system. Additionally, the path taken by the packet is also taken into consideration

by every sender node to narrow down any bottle neck, if exists.

58

4.5 Simulation Model

For the transmission and reception of data over radio interface, different approaches are used. As

data is in the form of signals, so for the transmission of signals MIMO (Multiple Input Multiple

Output) technology is widely used. It is antenna based technology for wireless communication in

which multiple antennas are used for transmission and reception. Previous techniques hold one

antenna for transmission and one for receiving the signals, which reduces the overall throughput

of the wireless network. So MIMO overcomes this shortcoming by using multiple antennas for

communication.

In this study, for COF and tracking of all the packets within the network, each node maintains a

set of matrices for different types of packets that it entertained during the simulation run. [88]

can be referred for further details, however here an overview of the method is provided.

The first matrix is of Sent-packets (S) which stores the total number of data packets initiated by

that specific node to all the other nodes within the network. On the other hand, destination-

packets (D) matrix has the information of packets received which are meant for that particular

node as final destination. Since, the underlying theme of adhoc networks is cooperation among

nodes for routing the packets; therefore each node also acts as a router for communication

between other nodes. For such situations where a node acts as a transient hop and routes packets,

for the sake of traceability, it maintains another matrix namely the transient matrix (T). Every

packet that a node routes for which it is neither the original sender nor the final destination, it

keeps track of it in T-matrix when successfully forwarded to the next hop. For example, if node 6

is the originator of a packet, it will append it in the S-matrix, which is destined for node 8 as the

final destination; with respect to the network topology shown in Figure-4-2. Thus, on receiving

the packet node 8 will incorporate it into its D-matrix. However, the shortest path through which

the packet was routed consists of nodes 2, 7 and 1; each of the hops will mark this packet into

their corresponding T-matrices. This way, all the packets that originated within the system are

conserved as not only in terms of the quantity but also allow traceability of the packets.

59

4.6 Simulation And Results

To understand the effects of different jammers on wireless traffic through Conservation-of-Flow

(COF), in this study I simulate a stationary adhoc network using MATLAB [89]. An adhoc

network is initially considered operating on 802.11g wireless standard [1]. Later, by keeping all

the parameters constant, different jammers are introduced. The channel error rate in normal

wireless communication and topology are kept same as that of [81]. The main parameters of the

simulation are summarized in Table 4-1.

Table-4-1: Simulation Parameters

Parameters Values

Wireless Standard 802.11g

Channel Type ‘MIMO’

Number of Nodes 8, 12

Simulation Time 100 seconds

Packets per second (pps.) 20-100

Packet size 1024 Bytes

Path Delay 0.3 milli-sec.

Jammer Type Constant, Periodic

Jammer’s Packet size 17 Bytes

Jamming Rate 93 pulses/sec

Figure 4-2: Adhoc network of eight nodes with jammer

60

Case-I

Initially, a network of eight nodes is considered and later different jammer types are incorporated

to analyze the affected communication in the shaded region as shown in Figure 4-2. For normal

communication, Figure 4-3 explains the success factor for transactions that took place in a node-

wise cumulative manner, i.e. how many data packets were sent by each node and the ones

collected by the intended receivers. X-axis represents the node number and y-axis shows the

achieved throughput in terms of successful packet delivery that each node initiated to any other

node in the network. In this case the nominal error is taken into account which is the propagation

loss and more than 95% communications was found productive on average.

At first, constant jammer being the simplest in the group was introduced. For simplicity and

avoiding frequent timeouts, the intensity of constant jammer was little degraded, which is also

evident from the results. Figure 4-4 presents the node wise effect of constant jammer on the

communication. As constant jammer continuously introduces packets on the medium by

violating MAC protocol behavior, therefore theoretically the communication in the jammed area

is treated as complete failure. However, in practice negligible communication took place,

especially due to the reason that some nodes are outside the jammed area or away from the

jammer. Nodes continue to originate packets, which are continuously distorted by constant

jammer. The jamming effect in a constant manner is found to be more than 90% effective.

Next in the run was periodic jammer. As periodic jammer attacks the transmission relentlessly by

sleep and wake periods, theoretically 50% communication is targeted on average. Due to its short

jamming burst the main target is control packets. Effect of periodic jammer on each node’s

transactions is highlighted in Figure-4-5. Since, our emphasis being on data packets only, the

average throughput is found to be nearly 40%.

61

Figure 4-3: Node wise traffic in normal scenario.

Figure 4-4: Node wise communication in presence of constant jammer

Node-wise Normal Communication

0

100

200

300

400

500

600

1 2 3 4 5 6 7 8

Node Number

No. of

Pack

ets

Originated Packets

Received Packets

Constant Jammer – Node wise Communication

62

Figure 4-5: Node-wise communication in presence of periodic jammer

Figure 4-6: Adhoc network of 12 nodes with jammer

Case-II

The scenario was extended further to a network of 12 nodes and the topology taken into

consideration is shown in Figure 4-6. The jammer is placed in such a way that two-third of the

nodes are jammed, especially the ones in the centre are near to the jammer. Nodes outside

jammed area become isolated as jamming intensity would be highest in the center. Hence,

0

200

400

600

800

1000

1200

1400

1 2 3 4 5 6 7 8

No

. o

f P

ack

ets

Node Number

Periodic Jammer - 8 Node Communication

Originated Packets

Received Packets

63

packets originated by nodes outside the jammed area would not be able to reach intended

destinations as corresponding 1-hop neighbors are jammed.

As earlier, normal communication is shown in Figure 4-7 for each participating node. However,

due to increased network participants and intermediate hops, the difference in successful packet

delivery ratio of nodes on the edges is found higher. But even then about 95% of communication

was found successfully delivered. The effect of constant jammer on transmission is shown in

Figure 4-8 which was able to successfully seize around 95% communication.

Figure 4-7: 12-Node wise traffic in normal scenario.

Effect of periodic jammer on each node’s transactions is highlighted in Figure-4-9 and average

throughput is found to be just over 40%. In this case the total nodes in the network are 12. The

periodic jammer jams about half of the communication. The jamming range of periodic jammer

is from 40% to 60%.

Lastly, for better understanding and analysis, we present effect of the above jammers on

communication in terms of periodic throughput recorded and compare them for the two cases, as

shown in Figures 4-10 and 4-11. At first we focus on normal scenario that ensures more than 90

percent delivery of the total communication, even though certain dips are observed. The second

12 Nodes Normal Communication

0

100

200

300

400

500

600

700

800

900

1000

1 2 3 4 5 6 7 8 9 10 11 12

Node Number

No

. of

Pa

cket

s

Originated Packets

Received Packets

64

case is of constant jammer which is the most destructible situation for any sort of wireless

transmission and is evident from the Figures that less than 10 percent of the total transmission

was received by the destined receivers. Last but not the least is periodic jammer which affects

half of the communication in ideal cases. The average damage it caused in first case is just above

40% and increased to 50% when network size was enhanced with 50% more nodes in the latter

case.

Figure 4-8: 12-Node wise traffic in presence of constant jammer.

Figure 4-9: 12-Node wise traffic with periodic jammer.

Constant Jammer - 12 Nodes Communication

0

100

200

300

400

500

600

700

800

900

1 2 3 4 5 6 7 8 9 10 11 12

Node Number

No. of

Pack

ets

Origianted Packets

Received Packets

Periodic Jammer - 12 Nodes Communication

0

100

200

300

400

500

600

700

800

900

1000

1 2 3 4 5 6 7 8 9 10 11 12

Node Number

No. of

Pack

ets

Originated Packets

Received Packets

65

Figure 4-10: Time wise effect of jammers in 8-node scenario

Figure 4-11: Time wise effect of jammers in 12-node scenario

In this section we studied the effects of jammers in wireless network with the help of CoF that

how much traffic loss occurs during such attacks. The difference of total packet sent and

received by the particular node shows the amount of data corrupted by the jammer due to its

8 Nodes - Timewise Effect of Jammer

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80 90

Time (sec.)

No

. o

f P

ack

ets

Packets Sent Normal Constant Jammer Periodic Jammer

12 Nodes - Timewise Effect of Jammer

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80 90

Time (sec.)

No

. o

f P

ack

ets

Packets Sent Normal Constant Jammer Periodic Jammer

66

interference in the network. First we analyzed the normal communication and recorded the ratio

of packet loss in the network without the existence of jammer, which happened to be about 5%

loss of the total communication. However, when the jammer came into play, this loss increased

many folds, depending upon its type and traffic flow through the jammed area. The approach

used by the jammer based on its priorities defines its type and corresponding damage to valid

communication.

Figure 4-12: 25 Nodes: (a) Constant Jammer (b) Periodic Jammer.

25 Nodes - Constant Jammer

0%

20%

40%

60%

80%

100%

1 5 9 13 17 21 25

Node Number

Percen

t T

hro

ug

hp

ut

Packets Lost

Packets Received

25 Nodes- Periodic Jammer

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

1 5 9 13 17 21 25

Node Number

Percen

t T

hro

ug

hp

ut

Packets Sent

Packets Lost

67

Figure 4-13: 50 Nodes (a) Constant Jammer (b) Periodic Jammer.

For extended network of 25 and 50 nodes, the corresponding communication success rate is

shown in Figures 4-12 and 4-13, respectively. Initially, a constant jammer was launched and

later, the network was exposed to periodic jammer. For constant jammer, the network throughput

was found to be only 15% on average, whereas for periodic jammer more than 60%

communication was jammed. It is evident that nodes located close by in jamming range starved.

50 Nodes - Constant Jammer

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

1 6 11 16 21 26 31 36 41 46

Node Number

Per

cen

t T

hro

ugh

pu

t

Packets Lost

Packets Received

50 Nodes - Periodic Jammer

0%

20%

40%

60%

80%

100%

1 6 11 16 21 26 31 36 41 46

Node Number

Percent

Throughput

Lost PacketsReceived Packets

68

Figure 4-14: Randomly Selected Data Set for WEKA.

4.7 Verification of Parameters using WEKA

The WEKA [90] software contains a set of visualization tools and algorithms for predictive

modeling and data analysis, together with graphical user interfaces for easy use and view. The

original non-Java version of WEKA was a front-end to (mostly third-party) modeling algorithms

implemented in other programming languages, plus data preprocessing utilities in C, and a make

file data based system for running machine learning experiments. WEKA has implementations of

numerous classification and prediction algorithms. The basic ideas behind using all of these are

similar.

69

So after generating the data set of approximately 1000 runs, we provided it to weka as an input

and applied two different classification algorithms, i.e. Naïve-Bayes and C4.5 (J48). Before

applying the classifiers we discretized the data by using the built in discretization filter of weka.

The main reason of using Bayesian Naive is that in our case all the classes are independent from

each other. We collected data with three attributes, Sender, Receiver and Type and applied

Bayesian Naïves algorithm. The second algorithm is the J48 which is the variation of the ID3

(Iterative Dichotomiser 3), which generates tree based classification.

Firstly, 66% of data means we use 2/3rd of values out of 1000 needs to be separated for the

training purposes and the remaining will be used for validation. The main objective of the

experiment is to predict the jammer type by analyzing the values of sender and receiver matrices,

and verify our earlier methodology. For example if the send value is 1280 packets and the

receive value is about 64 packets. Then we can say that this is the case of constant jammer. Also

in case of random jammer the range will be in between 20% to 80%. After running these

algorithms the results achieved were promising. Approximately, 100% results on validation set

were justified. But before going into the details, a brief overview of the classification algorithms

is also presented for better understanding of the method used.

4.7.1 Bayesian Naïve Classification

A probability based classification with respect to Bayesian theorem, having independent

assumptions, is known as Naïve Bayes Classifier [91]. It is applied when the inputs have varying

forms thus provide large combinations among themselves to optimize the output. Even though, it

is simple in nature but can surpass some complex algorithms when it comes to categorization of

sample dataset. A simple example of Naive Bayes classification is shown in Figure 4-15, where

given objects can be classified as either green or red. As the new cases show up, the task is to

decide where they belong based on existing dataset. Since the population of former is double as

compared to that of latter, therefore, the chance of new arrival of being green is double, even

before analyzing it. This concept based on previous experience is known as prior probability and

is used to predict conclusion before it actually occur. The Naïve Bayes algorithm is illustrated in

Figure 4-16.

70

Figure 4-15: A Bayesian Naïve example [91]

Figure 4-16: Pseudo-code for Bayesian Naïve [91]

71

The main reason of using Bayesian naive in our case is that all the classes are independent from

each other and no two classes are inter-dependent on each other in any way. We collected data

with three attributes i.e. sender, receiver and type and applied Bayesian naive algorithm that is

built-in provided with weka. First of all, we discretized our data set. Next, for training and

validation of data we use split set of 66-34, means 66% for training and 34% for validation. The

main aim of the experiment is to predict the classifier based on the trained dataset, not to

compare effect of various parameters. Thus, for simplicity, default values of the parameters were

used for both datasets.

For a dataset of just above 1000 records, Table 4-2 shows accuracy detail with respect to jammer

classification and prediction. Around 98% instances were correctly classified and so is the

strength of Kappa’s agreement i.e. 98%. With 5% noise incorporated at random, the relative

absolute error is found to be as 5.5% for all cases. The true positive rate of constant jammer was

majorly identified. However, a single entry was encountered as constant jammer, falsely. Thus,

the recall was calculated as maximum whereas F-measure showing the test’s accuracy was found

close, due to a single misinterpreted entry. Similar, is the reason for ROC (Receiver Operating

Characteristic) Area to miss core target for predicting constant jammer, as the single entry was

found near to bottom-right corner in the Figure-4-17 and is below the curve. Since, the ROC is

greater than 0.7, therefore it is considered useful for decision making. Since, random and normal

jammer overlap with each other in terms of jamming strength and ratio, therefore more instances

of theirs are mingled with each other, as shown in Table-4-3f that provides a confusion matrix

with minimal overlapped instances.

Table 4-2: Accuracy detail w.r.t. jammer classification by BN

Class TP Rate FP Rate Precision Recall F-Measure ROC Area

Constant 1 0.005 0.993 1 0.996 0.998

Normal 0.983 0.007 0.979 0.983 0.981 1

Random 0.977 0.006 0.989 0.977 0.983 0.994

Weighted Avg. 0.988 0.006 0.988 0.988 0.988 0.997

72

Table 4-3: Confusion Matrix based on BN algorithm

Constant Normal Random

410 0 0

0 234 4

3 5 347

Figure 4-17: BN based jammer classification

4.7.2 J-48 Algorithm

For just above 1000 records, a 10-fold cross validation test mode was acquired using J-48

algorithm [92]. Since, the training and evaluation data set are from the same stream, therefore it

is essential to acquire a reasonable idea of accuracy of the generated model. From Table 4-4 it is

quite evident that around 99% occurrences were classified correctly, with more than 98%

Kappa’s strength. To estimate, how far the estimate is from actual values, mean absolute error is

found around 1% whereas relative absolute error based on dataset is just above 2%.

73

Figure 4-18: Pseudo code for Decision Tree (J48 algorithm) [92]

74

The constant jammer was identified, mainly accurately. However, 3 entries were encountered as

constant jammer, falsely. Thus, the recall is at the peak, i.e. 1 but accuracy of the test, F-measure

and ROC area were found close to 1 for constant jammer. Based on confusion matrix in Table 4-

5, the minimum number of falsely classified cases is 8 and similar is the trend shown in Figure-

4-19 highlighting the cost for each class. Normalized expected cost along with predicted cost

function is plotted; showing overlapping in bottom-right corner based on falsely identified cases

and incorporated noise while data was generated.

Table 4-4: Accuracy detail w.r.t. jammer classification by J-48

Area Class TP Rate FP Rate Precision Recall F-Measure ROC

Constant 1 0.005 0.993 1 0.996 0.996

Normal 0.987 0.003 0.992 0.987 0.989 0.999

Random 0.986 0.005 0.992 0.986 0.989 0.995

Weighted Avg. 0.992 0.004 0.992 0.992 0.992 0.996

Table 4-5: Confusion Matrix based on J-48 algorithm

Constant Normal Random

410 0 0

0 235 3

3 2 350

On the basis of random class input, cost curve is shown in Figure-4-17. Probability cost function

increases with each instance whereas normalized expected cost decreases as the J-48 decision

tree is traversed. The values of different jammer classification converge, showing the cost

reduction after being able two predict the jammer type. However, the assessment overlaps due to

randomization of the trained and predicted dataset. Figure-4-20 shows the threshold

identification for each jammer type, with respective precision for each classification. The incline

between any two classes is found due to the falsely recognized samples that were either not

categorized or misinterpreted; i.e. were found in the class where they did not belong.

75

Figure 4-19: Cost Analysis of Jammer Classification using J-48

Figure 4-20: J-48 based Threshold Estimation of Jammer types used.

76

Figure 4-21: Analysis of Validated data using J-48 algorithm.

(a) Threshold Curve (b) Cost/ Benefit Analysis

For the dataset, after the training period, J-48 validated approximately every instance truly as

shown in Figure-4-19(a). Except for the 0.1 rejection in constant jammer, the true positive rate of

the provided sample was identified correctly whereas in (b) cost benefit analysis was found

smooth, apart from a slight tilt for normal jammer which consisted of certain traces of other

types; as discussed earlier.

4.8 Summary

Conservation of Flow has already been considered by many studies as a metric to identify

various attacks, but mostly in wired networks. The basic aim of this study was to analyze the

effect of various jammers on wireless communication, using CoF. The network is considered

without mobility so that similar methodology can be applied for jammer detection as in wired-

network based studies [85-87]. That is the very reason; the initial topologies are kept similar to

our earlier study, which later is scaled to larger networks.

Additionally, on the basis of earlier studies, the effects of different jamming attacks were

introduced in our simulation and corresponding ranges of effect were determined with the help of

CoF, successfully. Next, we applied Bayesian Naïve and J-48 algorithms using WEKA, to verify

our parameters and results, as in [88,89]. Both the algorithms predicted more than 98% of the

77

dataset, to be accurate. Whereas threshold classification and cost/benefit analysis was found to

be approximately true positive.

Jamming attack, especially the non-continuous ones, at MAC layer are hard to distinguish from

frequent unintentional collisions and congested scenarios. However, based on the data set

acquired and applying AI algorithms for behavioral analysis, different jammers can be identified

in the network, simultaneously.

In this way, this study provides the basis for future directions in the area of optimizing CoF for

wireless networks with mobility, efficient power usage, mitigation against jammer on the basis

of threshold and many more. Last but not the least; CoF can be further analyzed for other attacks

in wireless network.

78

Chapter 5

Packet-Feed: A Survival Approach

To Cope up with Jamming Attack in MANET

79

5.1 Introduction

As discussed earlier, jamming attacks are hard to mitigate even if it is constantly targeting all

packets in the range. For intelligent jammers, the situation becomes much worse where jammer

lasts longer by saving its energy and smartly targets partial data packets that cannot be regained

by existing error recovery techniques; resulting in retransmission of the affected packets. Thus,

affected nodes either move away from the jammed area or switch channel, independently and

later try to resume communication with other nodes. However, intelligent jammers can sense the

medium and follow legitimate nodes on other areas and channels where they can sense on-going

communication; forcing the nodes on defensive feet to repeat the whole process again and the

cycle continues till the communication jamming is carried on by the jammer.

In this chapter, a reactive methodology is proposed which in the best of my knowledge is first of

its kind. The proposed method is based on the idea that instead of flight, it is better to stay and

fight. Thus, legitimate nodes respond to the jammer and keep it busy rather than retreat. Section

5.2 provides a detail overview of the proposed methodology. In the following section a

theoretical analysis is conducted on the basis of which the basic methodology is enhanced in

section 5.4. Next, simulation scenario and results are discussed. Lastly, I summarize the

contribution of the proposed method.

5.2 Problem statement

The open nature of wireless network exposes is to vulnerability and external intrusion, like

jamming attack. The jammer is the worst to handle, as typical encryption techniques for

legitimate communication become void. Jamming attack, in the form of either continuous or

periodic, can easily be deployed in wireless network. Conventionally, nodes either passively

doze out till the jamming phase is over or actively try to move out of the jammed region. For

small devices having lesser or no mobility, channel hop is an alternate where nodes move to

another channel and try to re-establish the communication. However, if the jammer has enough

knowledge of the network, it can follow legitimate nodes on the newer channel.

In this chapter, the idea to cope up with intelligent jamming attack is proposed by actively

feeding valid packets on the seized channel, periodically. Main theme is that when the nodes

80

resume on the newer channel when the current one is jammed, rather than stay there and wait for

the jammer to follow them on newer channel, nodes feed the jammer on the earlier channel by

alternatively visiting and sending legal packets on the network. By doing this, even if the jammer

is intelligent, a legal packet will result in a jam-burst, i.e. pretending the earlier channel being

still in use. Later, simulation results in favor of the idea are presented.

5.3 Proposed Methodology

Initially, an adhoc network having some nodes communicating on a single channel is considered,

which is later exposed to an external jammer. With the assumption that nodes are equipped with

jamming sensing techniques, as soon as each one of them senses the existence of the jammer it

tunes to another channel independently based on an already agreed upon methodology and try to

resume communication. Once, the locality of the nodes is exposed and even though they succeed

in resuming communication on different channel, chances are that the new temporal-location will

soon be discovered by the intruder and legitimate nodes have to move on. An intelligent jammer,

which toggles between sensing and jamming mode to seek valid packets on the medium, may

sense the absence of the nodes and initiate sensing other channels for legitimate traffic.

Therefore, once the nodes are on a new channel, let us call it as the escape-channel, proposed

method is that each node alternatively returns to the seized-channel (original channel where

jammer is located) periodically and feeds the jammer with a valid packet. Such a node is called

as a feeder or feeding node. This way, in a certain time slot the cost will be the loss of a single

packet and a couple of channel hops by a node, while the rest of communication will be taking

place successfully on the newer channel. The advantage being that if the intelligent jammer seeks

legitimate communication on the channel it stays at the same channel by initiating jamming-burst

and defers scanning further channels. Jammer resides for the duration on that channel depending

upon traffic (ongoing communication) and it never scans other channel until communication on

the seized channel is unavailable.

81

Figure-5-1: Feeding node hops back to feed Jammer on originally used channel

Figure-5-1 shows the working of the proposed methodology having some nodes communicating

in an adhoc network environment. Meanwhile, a jammer senses the channel for packets, both

control or data packets, and tries to disrupt the communication. If the jammer finds any traffic it

stays at that channel and destroys legitimate traffic just by putting noise during a valid

communication. Assuming that the nodes are equipped with some jamming detection mechanism

and have already coordinated about a channel hopping scheme in case of jamming attack. So

after sensing jammer each of them tries hopping and moves to next available channel,

individually. Once the nodes arrive on new channel (x+n), the escape channel, assumption is that

they coordinate with each other for the jammer type based on the jammer detection mechanism.

This assumption is necessary because of two reasons. First, depending upon the type of jammer,

nodes decide about the time slot division for synchronization. Secondly, they determine the

designated feeder to the jammer for each time slot. Next, as shown in Figure, node A returns to

seized-channel and initiates a legitimate communication which is welcomed by the jammer ‘J’

and it initiates a burst of jamming signals. As soon as the communication times out ‘A’ hops

back to escape-channel and resumes communication with others. In the following time slot, ‘B’

comes into play and repeats the same scenario. This process continues till either the adhoc

network is no more required or the new channel is somehow compromised by same/ other

jammer.

82

5.4 Mathematical Model

Probability Measuring Parameters:

s1 Auxiliary Row

s2 Auxiliary Column

t1 Time Slot Detail w.r.t. row

t2 Time Slot Detail w.r.t. column

k1 Row consider for Analysis (it1 – s1)

k2 Column consider for Analysis (t2 – s2)

Matrix Evaluation

fij Positive integer for row i and column j: from main table F

fi+ Minor sum of row i, where i=1,……k1

fj+ Minor sum of column j, where j=1,……k1

N Grand total of F

Matrix Statistics

ris Foundation of row entity i on plane s

cjs Foundation of column entity j on plane s

I Total inertia

Basic Matrix Evaluation

When source node want to send some data towards destination node (CORRESPONDENCE

NODE) to evaluate the source row values [ris] and respective column [cjs] for this the function

will be used

Where the minimal values for corresponding row and column, under the standardization are:

With respect to our proposed methodology and according to the evaluation, for analysis, the

CORRESPONDENCE Algorithm can be divided in three steps:

83

1. Evaluation with Chi Square

Chi square provides goodness of fit, in terms of attained values and the expected ones for the

model under consideration. Later, it accesses significance levels. For our auxiliary matrix ‘Z’,

mainly, the emphasis is on common factors that will map in terms of wireless communication.

Through removing the averages of the row and column, chi-square retains rc-mean, throughout.

2. Evaluation with Euclidean

For the observed values, the distance between two points is calculated through Euclidean on our

matrix ‘Z’. Generally,

With based on the consistency options:

(a) consistency option r-mean (row average is eliminated)

(b) consistency option c-mean (remove column means)

(c) For Rc-mean, eliminate both row and column means

(d) consistency choice r-sum, we equate for row total

(e) consistency choice c-sum, we equate for column total

This, way all the wireless packets that are originated in the network, are mapped for acceptance

level. The variation, leads for some misbehavior detection.

3. Malicious Diagnostics

84

After applying proposed algorithm along with CORRESPONDENCE algorithm, we alternatively

generate a table of row and column profiles, as:

, respectively.

Singular Values, Maximum Rank and Inertia

By performing the full scaled simulation all the singular values which we have already defined

above are produced up to utmost . The small singular values and

corresponding magnitude are covered when they do not cross the magnitude , where

a caution message is raised. Dimension wise inertia and total inertia are represented via

relationship:

Likewise, association for additional normalizations can be easily derived, similarly. The measure

of “proportion explained” are equal to inertia divided by total inertia: , which

5.5 Theoretical Analysis

A Q-Q plot helps in determining relevance of the sample from the intended data set and assists in

locating as a tool for regression and variance analysis [101]. One Q represents the selected group

of population, i.e. quartiles whereas the other is for the selected data being used as a benchmark

that will be applied to the former ones. Theoretically, you need to know the average and variance

of the target population in advance. However, it is not practically feasible; therefore same values

of benchmark are used as reference parameters.

To analyze our methodology, SPSS [102] was used for the above presented model. Figure-5-2

shows a Normal Q-Q analysis on the basis of average received packets, cumulative by all nodes.

The expected values vary due to the node hopping for feeding the jammer even though, the

jammer is not active any more, resulting in an overhead in every time slot. Whereas figure 5-3

shows a detrended normal Q-Q variance found after the jamming phase is over. Based on the

average before the jammer was activated and after the algorithm was triggered, the divergence

was noticed as deviation from the mean value.

85

Figure 5-2: A Normal Q-Q Graph of Average Received Packets.

Figure 5-3: A Detrended Normal Q-Q Graph of Average Received Packets.

To further evaluate the network performance and validate the considered parameters, Matlab

[89] was used. Control charts are useful where data is normally distributed and are found to be

86

vigorous against biased data set. Generally, two types of charts are used, first is the range-chart

(R-chart) and second being the X-chart. The former is used to determine variability of the

progression whereas latter identifies overall average of the method. The upper and lower X-bar

chart control limits need to be determined, so that overall procedure inconsistency remains in

control.

For some charts, e.g. c charts, likelihood of generated data will be non-normally distributed

whereas moving range chart is considered as single entity that use different interpretation rules to

cater for the very strong non-normality of said data. Examples include ‘X’ or ‘I’ charts.

Interpretation rules for X-bar charts means the whole plot rather than considering individual

trends. As explained by the Central Limit Theorem, means tend to be normally distributed even

if the underlying data is not.

Figure 5-4: Packet Analysis on the basis of Time.

87

Figure 5-5: XBAR Control Chart

Lower and Upper Control Limits are 3 standard deviations from the average and can be

computed using [101]:

Upper Control Limit (UCL)

MeanMean + 3*Sqrt( )

Average sample measurement

Lower Control Limit (LCL)

MeanMean - 3*Sqrt( )

Max sample measurement

LCL is always a positive value whereas use of “maximum sample measurement” makes LCL

more responsive. Yet, the above limits and their relation based on average is significant for

analysis when repeated values are encountered.

88

Figure 5-4 demonstrates packet analysis on the basis of time. Initially, corrupted packets are

found due to jammer, which later sets the probability based trend for future packets after nodes

are hopped on the new channel. However, realistically complete probability is not achieved due

to packet losses involved during feeding the jammer process, iteratively. After the jammed phase

is over the interruption corresponds to overhead involved, where no collusions were found as

shown on extreme right in the graph; which is discussed further in next section.

Figure 5-5 shows the theoretical data generated for evaluating the average variation possible. The

violation represents the jamming phase, just after 20 seconds when the jammer was activated.

Whereas, center in the graphs illustrates the average throughput of the network that is found high

because after detection, nodes hopped to another channel and started feeding the jammer. It is to

note that all the communication, after hopping lies between LCL and UCL, give good reason in

favor of the proposed methodology.

5.6 Enhancements in Proposed Methodology

In the last section, the simpler scenario of proposed methodology was presented for better

understanding. Now further details of building blocks of proposed scheme will be discussed by

incorporating more parameters in context of assumptions in a practical scenario and provide

improvisations accordingly. First of all, even though the underlying assumption is that nodes are

equipped with a jamming sensing mechanism and each node needs to decide independently when

to initiate a reactive technique to avoid the jammer. Since, the techniques mainly rely on PDR/

PSR (as discussed in section II) and if only one node returns to the seized-channel to feed the

jammer, it will not be able to sense whether the said channel is still compromised, especially

against an intelligent jammer. Thus, nodes may either keep on feeding the jammer for the rest of

their existence in that locality or false alarms may rise at the network level. Former degrades the

overall throughput unnecessarily whereas the latter may invite the jammer on the newer channel.

Therefore a slight enhancement is applied to the basic concept that instead of one, more than one

nodes hop back to the seized-channel to feed the jammer. This way although the cost of channel

hopping will increase in every time slot and overall throughput on the escape channel will

decrease, but it will result in minimizing the false alarm rate.

89

Figure-5-6: Multiple Nodes feeding the Jammer on Originally used jammed channel

Next, the problem of synchronization among nodes needs to be addressed. Even though, the

nodes will coordinate among themselves regarding feeding the jammer on seized-channel and act

accordingly. In a dense environment, especially in the absence of a central entity in adhoc

network, synchronization issues may arise. Additionally, if the jammer period is over or it has

moved away, the feeding nodes’ intended receivers did not accompany them on the seized

channel on that particular time slot and thus failed delivery is reported. E.g. ‘A’ intends to send

packet to ‘B’ whereas ‘C’ is determined to communicate with ‘D’. Since, both ‘A’ and ‘C’ are

the designated feeders in that particular time slot and switched back to the seized-channel. Even

though, the jammer is absent and more than one node are present on the channel but their packet

delivery will not succeed as both of them are not accompanied by respective intended receivers

and may arise false alarms.

Therefore, to accommodate and intentionally prompt the intelligent jammer another

enhancement is to feed the jammer with more than one packet by each feeding node. In this

fashion, even if the jamming and sensing periods of intelligent jammer are short, multiple valid

packets on the seized-channel from more than one node would not create any ambiguity about

absence of packets in the remaining portion of the time slot.

90

By incorporating the enhancements, the working of the proposed methodology is shown in

Figure 5-6. Nodes are communicating with each other on channel 1 without any interruption.

Meanwhile jammer J starts interrupting them and destroyers the transmission. Due to this

intrusion all the nodes A, B, C and D move to the following channel that has already been

decided and resume their communication. However, in this case two (or more) feeding nodes

rather than one hop back to seized-channel and start feeding the jammer. From the Figure 5-6,

node A and node C send more than one packet each, to their corresponding receivers. Due to

involvement of the jammer or absence of their intended receivers, whenever their packets time-

out they return to escape-channel. However, if nodes are able to receive frequent

acknowledgements on the old channel, they may conclude that the jammer has moved away of

that location. Either case, they hop back to escape-channel and participate with their feedback in

periodic coordination of the nodes. As per Figure, in the following time slot nodes B and D will

do the same to feed the jammer. And if J is still present on the said channel they feed it and leave

the channel. Keeping in mind that in the presence of jammer the network comes to a virtual

collapse and no communication takes place between nodes. Even if feeding nodes are unable to

get acknowledgement they may sense valid packets of other nodes that shows the absence of the

jammer. The corresponding pseudo-code and communication flow of the proposed methodology

are given in Figure 5-7 and 5-8, respectively.

Figure 5-7: Pseudo-code of proposed methodology

91

Figure 5-8: Flow chart highlighting the communication flow of the proposed methodology.

92

Table 5-1: Simulation Settings

SIMULATION PARAMETERS PARAMETERS

VALUE

Physical Layer Standard 802.11a

Number of Channels 12 (in 5GHz band)

Traffic type CBR

Packet Size 512 Bytes

Traffic Load of Node 10 packets/sec (pps)

Simulation time 100 seconds.

Communicating nodes 10-20

Jamming phase 20-80seconds

5.7 Simulation & Results

This section presents the simulation scenario and results obtained using the OPNET network

simulator [103]. The simulation parameters are summarized in Table 5-1 and are similar to [108].

An ad hoc network consisting of more than 10 wireless stations are considered, with single

transceiver only. The traffic load at the source nodes is 10 packets per second. Whereas the

packet size is chosen to be 512 bytes, each. The physical layer standard taken into consideration

is 802.11a which offers 12 channels in 5 GHz band. For channel hopping the cost currently

considered by different studies is between 40 to 80 micro-sec, so 80 micro-sec delay was opted,

similar to [104,19]. Besides these, the jammer is located in the center and all nodes are in the

jamming range and assumption is that no communication takes place in this range on the jammed

channel, thus the intensity of jammer is set accordingly. Since, the jammer is considered an

outsider and on any channel he tunes into, he is able to listen legitimate traffic; either control or

data packets. Therefore, the underlying assumption is that the jammer sticks to such a channel

where his intention to block lawful conversation is fulfilled and by doing so it does not scan

other channels.

93

10 Nodes - Overall Throughput

0

20

40

60

80

100

0 20 40 60 80 100

Time

No

. o

f P

ack

ets

Packets Delivered

20 Nodes- Overall Throughput

0

40

80

120

160

200

0 20 40 60 80 100

Time

No

. o

f P

ack

ets

Packets Delivered

Figure 5-9: Overall Network Throughput (a) 10 nodes (b) 20 nodes

Figure 5-9(a) explains the basic concept in 100 seconds simulation among 10 communicating

nodes in the network. The straight line for the first 20 seconds shows successful communication

among nodes. Then, the jammer comes into play and remains active till 80 seconds of the

simulation time. As soon as jammer activates, the network theoretically comes to virtual collapse

and no communication takes place. However, it was soon resumed when nodes independently

move away to escape channel when they sensed the current channel is being seized by the

jammer. The drop in packet throughput is observed as sudden due to failure of all

communication at once when the jammer is introduced, however a slant is observed in rising of

the graph when nodes resume on escape channel. Later, the packet loss on the new channel is

94

observed when nodes alternately hop back to the jammed channel and send valid packet to

engage the jammer.

Throughput - 2 of 10 Nodes Feed the Jammer

0

20

40

60

80

100

0 20 40 60 80 100

Time

No

. o

f P

ac

ke

ts

Packets Delieverd

Throughput - 2 of 20 Nodes Feed the Jammer

0

50

100

150

200

0 20 40 60 80 100

Time

No

. o

f P

ac

ke

ts

Packets Delieverd

Figure 5-10: 2 Nodes as jammer feeder. Overall Throughput for (a) 10 nodes (b) 20 nodes

Next, the number of legitimate nodes in the network were doubled, i.e. 20 but by keeping all the

other parameters same as earlier. This way, the overall throughput of the network increased to

200 packets per second in the absence of jammer. The rest of the pattern in throughput as evident

from Figure-5-9 (b) was found similar to that of 10-node scenario. However, with the increase in

nodes, the throughput also increased during jam-phase, as the numbers of drop packets were the

same for the sake of feeding the jammer, but the successful delivery of packets by other nodes on

the new channel was increased; minimizing the effect of loss packets during jammed period.

Approximately, more than 95% of communication was retained by this scheme, in the said

95

scenarios. Though, nearly 85% of overall communication was successfully carried out during

jam period.

By applying the different enhancements to the two basic concepts that is 10 and 20 nodes. Now

the number of feeders is doubled. In previous case there is only one feeding node which troughs

the legitimate packets to intelligent jammer to make him busy. But in this case two feeders are

introduced. After the intrusion of jammer in the network, all the nodes try to hop the channel.

After acquiring new channel they again start their communication. As we know, that the jammer

is intelligent, and if it senses that the channel he is jamming is empty, it leaves that channel and

start sensing another channel to jam. So to avoid this scenario two of total nodes (feeding nodes)

hop back to pervious channel and start communication with each other. In Figure 5-10(a) the

jammer intrusion time is 20us to 80us. Time 20us to time 24us (approx) shows the immediate

loss of transmission due to channel hoping of all the communicating nodes. After time 24us they

all regain the transmission but with some loss. The loss is due to the hop of feeding nodes, they

go back to the pervious channel and start communication between each other. If their

communication fails the existence of jammer is proved. Besides proving the existence of

jammer, the feeding nodes also make the intelligent jammer busy which ultimately result the

successful communication of remaining nodes on un-jammed channel. Figure 5-10 (b) shows the

same scenario but with 20 nodes in a network. Both the cases 4a and 4b consist of single packet

feed to the intelligent jammer. Approximately 90% throughput is retained in the two feeding

nodes scenario with total 10 nodes, whereas latter kept hold of better throughput due to more

legitimate communication in the jam-phase.

In Figure 5-11 (a), the same scenario has been taken into account with further three sub

scenarios. In this case number of nodes is the same. Number of feeding nodes is also the same.

But the number of packets for feeding is changed to three cases. Blue line shows the single feed,

green line shows the double feed and red line indicates the triple feed. When the feeding nodes

starts communication with each other at the jammed channel, one of them becomes sender and

other becomes receiver. Sender starts sending packets to receiver and start waiting for

acknowledgement from receiver. After waiting EIFS (Extended Inter Frame Spacing) time for

acknowledgment, both leave the channel and hop back to pervious channel. This is the case of

96

single feed. In case of double feed, after waiting for EIFS time the sender again send the packet

and wait for acknowledgement. Failure will results in channel hoping for feeding nodes. Third

case is the extended form of double feed. Sender sends the packet three times, failing to receive

acknowledgement from receiver feeding nodes hop back to un-jammed channel.

Figure 5-11: 2 Nodes feed jammer with multiple packets in every time slot,

scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes

97

Figure 5-12: 3 Nodes feed jammer with multiple packets in every time slot,


Figure 5-12(a) shows the increase of feeding nodes at jammed channel. In this case three of total

nodes hop back to jammed channel and starts feeding jammer with legitimate packets. After

sending the packet to each other and failure to receive the acknowledgement all the feeding

nodes hops back and the previously discussed process repeats again till jammer leave the channel

or feeding nodes leave the channel. Average throughput, having comparison of 4 nodes acting as

feeders, simultaneously are shown in Figure 5-13.

98

Figure 5-13: 4 Nodes feed the jammer with multiple packets in every time slot,


For some reason, if jammer senses that another channel is also in use and it lands on the escape

channel after sensing other channels, at random. After sensing time, the jammer starts the new

channel and the whole cycle is repeated. For the two cases, i.e. 10 and 20 nodes, this scenario is

illustrated in Figure 5-14 with varying nodes and different number of feeding packets on the

jammed channel. At least around 85% of network throughput is still maintained with maximum

of 4 feeding nodes where each feed the jammer more than 2 packets alternatively on each slot.

99

Average Throughput:Multi-Feeders of 10 Nodes

0

20

40

60

80

100

0 20 40 60 80 100

Time

No. of

Pack

ets

Single Feed Double Feed Tripple Feed

Average Throughput:Multi-Feeder of 20 Nodes

0

50

100

150

200

0 20 40 60 80 100

Time

No. of

Pack

ets

Single Feed Double Feed Tripple Feed

Figure 5-14: Comparison of Multiple Nodes feeding jammer with varying packets in every time

slot, scenario for (a) 10 nodes (b) 20 nodes

The simulation was then further enhanced, gradually till 50 nodes, where during the jam phase 2

feeders in each time slot transmitting 2 packet feeds (PF) were selected. To accommodate,

additional node communication, we quadrupled the data rate, so that only channel hopping and

feeding cost is highlighted. In terms of percentages, Figure 5-15 highlights the successful data

delivery rate having minimum of 90% throughput gain for 10 nodes, which rose to 94%, which is

found better than [108] having similar parameters. However, a slight drop was experienced for

50 nodes, but that is estimated to be in terms of congestion on the new channel, as well.

100

10-50 Nodes: Overall Percent Throughput

80%

85%

90%

95%

100%

10 15 20 25 30 35 40 45 50

No. of Nodes

Th

ro

ug

hp

ut

(%)

Packet Delivery Success Rate Packet Drop Rate

Figure 5-15: Overall Throughput achieved in terms of percentage for varying nodes

5.8 Summary

Instead of a physical or logical retreat only to avoid being jammed, in this study the idea that

nodes periodically visit the jammed channel, once they have restored communication on another

channel, to inject legitimate communication for the jammer to target is proposed. The advantage

being that while a fraction of nodes will be feeding the jammer, while others are able to

successfully communicate in a normal manner. Additionally, to minimize channel hopping cost

varying numbers of feed packets were simulated, along with numerous feeding nodes. This way,

approximately 70-95% of the communication is resumed, depending upon the traffic load and

number of nodes. Hence, the proposed methodology works for 2% of the legitimate participants

or 4 feeding nodes, whichever is larger and still gives more than 80% of the throughput. In

future, further analysis of jammer types against proposed methodology is intended, not restricted

to link layer only.

101

Chapter 6

Neighbor based Channel Hopping Coordination:

Practical against Jammer

102

6.1 Introduction

Recent studies suggest channel hopping as a logical escape in case of a jammed channel. If a

valid communication is not heard for a period of time on the common channel, nodes initiate

jamming attack detection, individually. If the said channel is detected as jammed, nodes switch

channel to locate other nodes and try to resume communication on another channel as a reactive

mechanism.

This chapter focuses on a proactive MAC based protocol to minimize the effect of jamming

attack. The said method does not need any detection techniques and incorporates multiple

channels for communication, which are already available in wireless communication standards.

Our proposed solution differs in a sense that an ad hoc network is chosen, having considerable

number of nodes, with the provision that nodes can join or leave the network any time.

Additionally, nodes reside on distinct control channels. Instead of a set of hopping sequence,

dynamic coordination between nodes exists for selection of next channel to exchange data

packets. Besides, it is easy to stay in a single channel and send a burst of data to overcome

channel hopping cost, as chosen by them. Yet, restriction is of single packet exchange per visit

for analyzing channel hopping overhead which however can be modified anytime to multiple

data packets and thus yielding in overall increased throughput. In section 6.2, the proposed

solution is described in detail. Later, in section 6.3 simulation results are presented that are found

better than earlier similar study. Lastly, I summarize the contributions and main points of this

chapter.

6.2 Problem Statement

As compared to its wired counterpart, wireless network is relatively new and is exposed to some

additional threats specific to the underlying medium. Among such threats one is jamming attack

which can take place easily due to the open nature of wireless medium. A device or person can

continuously emit radio signals to disturb a valid conversation. If it lasts for sometime

continuously, it can result in total collapse of a network using single channel.

103

In order to evade a jammer in an ad hoc network, in this chapter a proactive channel hopping

scheme based neighbor correspondence is proposed. Rather than detect and react, legitimate

nodes rely on prevention is better than cure. Each node communicates with its neighbors on

different channels, coordinated between them dynamically. Furthermore, the control and data

channels of each node are separated. This way redundancy at the node-level is provided so that

even if nodes on the jammed channel cannot be approached but they still are able to contact

others by visiting their control channels; avoiding the node on the jammed channel from

starvation. Hence, even if the network is exposed to the jammer, a complete failure is prevented.

The simulation results show that our scheme is efficient and is able to reduce the jammer’s

impact significantly, as compared to another proactive hopping scheme [51].

Figure 6-1: Scenario stating how node D would initiate communication with node C

6.3 Proposed Solution

As it is said that prevention is better than cure, similar is our proposed solution to mitigate a

jamming attack using proactive channel hopping in an ad hoc network. Every node selects its

control channel through a predefined function which is known to network participants.

Furthermore, data transfer takes place on a different channel coordinated dynamically between

104

each node pair. Thus, every node communicates with each of its neighbors on different channels.

From the network level point of view, every channel can be used for control and data packets

simultaneously. In the sequel, the major design aspects of our proposed scheme are discussed.

6.3.1 Determining Control Channel (CC)

In the formation of an ad hoc network every node selects its own control channel, docks itself

there and waits for other nodes to visit it (if it has no packets to send). The control channel is

selected via a pre-loaded function based on the node identity which is shared among nodes and is

kept secret. This way, each node not only selects its control channel but also learns about the

control channel where the intended destination is residing, if a transmission needs to be initiated.

To avoid an outsider from targeting a particular node or legitimate communication, the function

can be a high level polynomial which is hard to break by overhearing the traffic. However, for

the sake of simplicity a simple function is incorporated. Hence, a neighboring node who wants to

initiate communication with node 'A' can determine its control channel using the following

function:

CC(A) = I mod kA

(1)

where k being the total number of channels and I denotes the identity of the intended receiver.

This way, n number of nodes will be distributed over k channels evenly, having (n/k) nodes on

the same channel, on average. To minimize computation overhead and avoid the re-computation

of same function, once determined, the resultant channel is stored in a CC-table for future

correspondences. Additionally, since nodes need to visit other channels which are the control

channels of intended destinations. Therefore, each node will maintain its own control channel in

the CC-table as well which will be referred while returning after a successful data transfer.

Hence, sender node first checks a corresponding entry for intended destination in CC-table. If not

found, the corresponding control channel is calculated using equation-1 only once for each node.

The energy consumption factor is not taken into account in this study, but due to frequent

channel hopping, which has its own delay, the computation delay is reduced. Thus, to get an

105

estimation of how much computation is saved, consider that if node 'A' intends to communicate

with its neighbor node B for m packets and that only a single packet is exchanged in each visit.

Then (m-1) computations for locating control channel of node B and similar number of

computations for returning to its own control channel are avoided by node A. If the situation is

extended to multiple destinations, say node A sends m packets to j neighbors then A saves the

amount of computation for (j x m) packets:

(j . (m-1))+(j . m-1)

where the first half of the equation is in terms of CC of destination node and second half is

representing return to its own control channel after each sent packet. So, for n nodes having large

'm' packets to send in the network, quite a computation overhead is diminished.

Sender Receiver

Calculate X

Calculate Y

Both nodes calculate Z

Hop to the channel Z

RTS + X

Figure 6-2: Elementary Negotiation for a DC between two nodes

Once the node knows the receiver's control channel, it hops to the corresponding channel where

both nodes agree upon a new channel chosen for data exchange. Since, a single channel can be

used for data and control messages by different pair of nodes. So, the newly arriving node on

106

control channel of intended receiver may disrupt an on going communication. Therefore, it needs

to contend for the medium in the next slot to initiate its communication formally. Similar

situation is depicted in Figure 6-1 where node D hops to CC(C), where already a communication

between node A and B is in progress. Node D senses the medium busy and consequently it keeps

silence till the end of the on-going transmission. Later, it contends for the medium with other

nodes.

6.3.2 Data Channel (DC) Coordination

Once the sender hops to the control channel of the intended receiver, rather than they initiate data

exchange both coordinate for a data channel. To have different data channel between each node

pair, the channel is selected using the identities of both parties. As earlier for equation \ref{eq-

1}, the complexity of the function will not yield much difference except to increase the

computational time only, due to the limited number of channels. Therefore, the current channel

(i.e. control channel of the receiver) is also taken into account. This way, it becomes hard for an

attacker to guess and target a particular communication having knowledge of the node identities.

Moving a step further, since the nodes need to coordinate data channel over an insecure medium,

we tailor a key exchange scheme to incorporate our desired coordination, securely. For this

purpose, the data channel coordination is based on Diffie-Hellman algorithm [107] as shown in

Figure 6-2 and described as follows:

The sender initiates the coordination by choosing a secret random exponent 'a' and yields

X = g mod pa (2)

where g is a constant which is publicly known [106] and p is a prime number selected using the

identities of sender and receiver along with the current channel number in use as:

receiver sender receiverp > f (ID , ID , CC ) (3)

X is then sent to the receiver with RTS. Since the parameters are the same for calculation of p,

the receiver can either generate it just like sender or it can also be sent with RTS. On receiving

107

RTS the receiver generates Y, same as sender yielded X, with the help of his secret random

exponent b. The receiver then responses by sending CTS piggybacked with Y. Both parties then

apply their respective secret random exponent on the information received from the other, to

yield the same value:

Y = X = Z mod ka b (4)

Thus, Z is the newly selected channel for data exchange. Both nodes store it in a DC-table for

future reference and switch their transceivers accordingly to initiate data transfer on the new

channel. Regardless, the data is exchanged successfully or it times out due to unavailability of

the medium, in either case nodes will return to their respective control channels.

Figure 6-3: Communication Sequence on Data Channel between a node-pair

When the nodes hop to channel Z for data exchange to avoid hidden terminal problem on the

new channel, they need to exchange RTS-CTS once again [19]. If successfully exchanged, data

and acknowledgement follow as shown in Figure 6-3. For each neighbor, the above sequence is

108

followed only once and the coordinated data channel is stored in DC-table. For the subsequent

visits, only simple RTS-CTS are exchanged, both parties refer their DC-table and hop for data

exchange. If a node has more than one visitor on its control channel, it will choose and accord

with one only. The others will wait for receiver to return to its control channel for their turn, till

they time out.

6.4 Mathematical Model

From a set of nodes Ns, for any node Ni who wants to initiate communication with Nj, Ni will

hop from its control channel to the destination’s control channel, where set of control channels is

denoted by CC. Hence, CCi and CCj denote the respective control channels of nodes i & j.

Since, the time Ni will be trying to locate Nj, the latter may be locating Nk on CC(k). This way,

we need to define the status of the receiving node’s availability, via SNj for node j. The whole

scenario, so far can be illustrated as:

{Ni Nj | (i,j) Ns Sc(j)= 1 Sn(j)=1 Hop(Z(j))}→ ∈ ∧ ∧ ∧

where {Z(j) Z |Z(j) CC(i) ^ Z(j) CC(j)}∈ ∉ ∉ , i.e. Z(j) is the data transmission channel with

respect to receiver’s node id and condition applies that it should not be the control channel of

either of the node pairs. This way, a new channel is negotiated for data transfer.

Once, the sender and destination calculate channel ‘Z’, they hop on the channel ‘Z’ and data

transfer between the node pair takes place.

For communication and throughput between the nodes, packets are the basis for analyzing the network gain. Let’s denote:

{ }

{ }r

P | (0 )

P | (0 Pr )

T

s

TotalPackets P

SendingPackets s Source Ps TPackets

RecievingPackets r Desitnation TPackets

=

= = ∧ < ≤

= = ∧ < ≤

where Ps denotes the transmitted packets and Pr the received packets at the receiver end. But, since a jammer may interfere with the network, therefore, packet lost / corruption is estimated. For this very reason, we need to cater for jammed packets as well.

{ }P | Re PrJammedPackets j r ceiver s Sender Pj= = ∧ = ∧ ∉

where Pj is the number of corrupted packets.

109

Before discussing the scenarios, let’s first define the sets as follows:

Set of Nodes = Ns = {A, B, C, D}

Set of Channels = Cs = {a, b, c, d}

State of Channel = Sc = {0,1}

State of Node = SN = {0,1}

Set of Data Channels = {Za, Zb, Zc, Zd}

where Zx is the control channel of node x

Scenario-1: Normal Communication

When node ‘A’ wants to start communication with node ‘B’, the preconditions can be stated as

follows:

{A B | (A,B) Ns Sc(B) = 1 Sn(B) = 1 Hop(Z(B))}→ ∈ ∧ ∧ ∧

where {Z(B) Z |Z(B) CC(A) ^ Z(B) CC(B)}∈ ∉ ∉ .

Or

{A B | (A,B) Ns Sc(B) = 1 Sn(B) = 0}→ ∈ ∧ ∧

When node ‘B’ is not found on its control channel, the sending node ‘A’ will return to its own

CC, after retransmission attempts expire.

Scenario-2: Communication in Presence of Jammer

When node ‘A’ wants to start communication with node ‘B’, the preconditions can be stated as

follows:

{A B | (A,B) Ns Sc(B) = 0 Sn(B) = 1}→ ∈ ∧ ∧

That means that the control channel is jammed. However, if the nodes as earlier are able to hop

on data transmission channel, but that is the one jammed by the jammer. The condition applied

will be:

{Z(B) Z | Z(B) CC(A) Z(B) CC(B) Sc(Z(B)) = 0}∈ ∉ ∧ ∉ ∧

i.e. all the pre-conditions apply, but due to unavailability of the channel Z(B), nodes will time-

out and return to their respective control channels.

110

6.5 Design Diagrams

Figure 6-4: Pseudo-code for the proposed technique

The pseudo code for the proposed technique, for a sending node is shown in Figure 6-4. The

respective flow of communication on the network is shown in Figure 6-5, along with block

diagram in Figure 6-6.

111

Network Initialization

Start

Nodes calculate their / others’

CCs & dock on own CC

Hop to Receiver’s CC

Remain on own CC

Negotiate for DTC &

Hop to DTC.

Store DTC in DTT

Hop to DTC

Check for DTC

in DTT

N

Y

Y

Other Member approached

for Data Exchange

N

If (Packet Tx

== True)

If (found DTC

== True)

Nodes Exchange Data -ACK

Return to own CCs

END

Figure 6-5: Flow Sequence of Network Communication.

112

Figure 6-6: Block Diagram of Channel Hopping Selection before transmitting.

1

7

2

8

3

9

410

6

12

5

11

Jammer

Figure 6-7: Communication Sequence on Data Channel between a node-pair

113

Table 6-1: Simulation settings

Simulation parameters Parameter value

Physical Layer Standard 802.11a

Number of Channels 12 (in 5 GHz band)

Traffic type CBR

Packet Size 512 Bytes

Traffic Load 200 packets/sec (pps)

Simulation Time 100 sec.

Jammer Type Constant Jammer

Jamming Period 20 - 80 sec.

6.6 Simulation and Analysis

This section presents the simulation scenario and results obtained using the OPNET network

simulator [103]. The simulation parameters are summarized in Table-6-1 and majority is kept

similar to [54]. An ad hoc network consisting of 24 wireless stations with single transceiver only

is considered. All nodes are in the transmission range of each other, i.e. 1-hop neighbors. To

incorporate a saturated case, the traffic load at the source nodes is 200 pps. Whereas the packet

size is chosen to be 512 bytes each. Only a single packet is exchanged in each visit between a

node-pair. The physical layer standard taken into consideration is 802.11a which offers 12

channels in 5 GHz band. For channel hopping the cost currently considered by different studies

is between 40 to 80 microseconds, so 80 micro-sec. delay was opted, similar to [24] and [105].

Besides these, the jammer is located in the center and all nodes are in the jamming range and

assumption is that no communication takes place in this range on the jammed channel, thus the

intensity of jammer is set accordingly. Since, the jammer is considered an outsider and on any

channel he tunes into, he is able to listen legitimate traffic; either control or data packets.

Therefore, the underlying assumption is that the jammer sticks to such a channel where his

intention to block lawful conversation is fulfilled and by doing so it does not scan other channels.

Hence, in our simulation environment the jamming attack is launched in the form of a constant

jammer who sticks to a single frequency. The topology considered is shown in Figure 6-7.

114

Figure 6-8: Single channel compared with proposed scheme using 12 Node-pairs

with traffic load 200 pps. Jammer is active during 20–80seconds

Figure 6-9: Sink Status on each channel – Nodewise distribution

115

Figure 6-10: Nodewise distribution – Percent Loss in Communication

Figure 6-11: Effect of Pulse jamming on nodes having jammed control and data channels

116

Initially, single channel with multi-channel proactive hopping for throughput is compared and

later with the presence of jammer in both cases. The network is divided such that half of the

nodes are traffic sources and the rest are treated as sinks. In a single channel environment, nodes

and the jammer are situated on the same channel. However, for multichannel scenario sink nodes

are evenly distributed so that one on each channel resides and the remaining are selected as

source. Thus, one sender and receiver reside in each channel, but the communication pair are

chosen from different control channels to incorporate channel hopping even for the exchange of

control packets. For 100 seconds simulation time, the jammer is active from 20 to 80 seconds.

Figure 6-8 shows that in a single channel scenario no legitimate communication is observed

during jamming phase. However for multi-channel setup with proposed scheme a couple of node

pairs out of 12 are affected, i.e. approximately 17% degradation in overall network performance

is observed when a single channel is exposed to jammer. The degradation is due to the effect on

node-pairs having their control or data channel being jammed, depending upon the channel

selected by the jammer. The peak found in the curve is due to those packets that are not

discarded by that time and were successfully retransmitted after the jamming phase is over. It

varies depending upon the number of nodes and traffic load.

Figure 6-9 shows average throughput at the sinks in our scheme. Nodes having the jammed

channel as control and data channel face nearly the same degradation in throughput on average

and are therefore represented using different colors. Figure 6-10 provides the similar results in

terms of node-wise percentage throughput, which is found to be around 60% drop in terms of the

nodes who chose the jammed channel either as their control or data exchange channel. Still,

overall network throughput was retained around 90%.

However, if the jamming intensity is decreased or rather than constant a periodic jammer is

incorporated the difference will be more evident. For this reason, a pulse jammer, who disrupts

communication periodically for some time and sleeps during the two jamming intervals, is

substituted. The jamming period chosen is 100 ms. and sleep time as 2 seconds, alternatively.

For a 100 seconds simulation the effect of pulse jammer on affected nodes are shown in Figure

6-11. This Figure gives a picture of data packets corrupted and control packets targeted by pulse

117

jammer. The difference is evident in terms of plunges in the curves, found more in case of

control channel being jammed. However, with the increase in jamming intensity the difference is

diminished and both such nodes may starve.

Next, to have a more realistic scenario rather than divide the topology into active source and

sinks, status of all nodes is modified so that each one is sender and receiver at the same time.

However, while node A is seeking for node B, B may be visiting some other nodes or A at the

same time. Such a situation can give rise to a deadlock and increased packet drops and is thus

considered as worst case. To incorporate the worst case scenario and analyze its effects, the

earlier sinks are therefore changed to senders for different traffic generation rates, but others are

kept unchanged. i.e. all nodes send and receive simultaneously, as generally observed in manets.

Initially, the traffic load on new sources is kept low to have a better picture of network traffic

degradation due to synchronization issues, when both nodes try to reach another to deliver their

packets. Thus, the traffic load was started on new sources from 10 pps and gradually increased it

to 100 pps, so that all nodes generate similar number of packets. For a traffic load between 10 to

100 pps for the new source nodes, the network along with the jammer was tested as shown in

Figure 6-12. In worst case scenario, approximately 20% decline is observed as compared to

simpler scenario of a single channel only as considered in Figure 6-8. However, the overall

throughput decreases with increase in traffic load and only 40% of legitimate communication is

successful when all nodes have similar configuration, which declines further in the presence of

jammer to 25% of the generated traffic (only 600 out of 2400 pps are successfully received ). But

the jamming phase added pain to the sickness as the lost packets are doubled from the earlier

scenario, to nearly 35%. Above all, we treat the lastly presented scenario where all nodes are the

senders as worst case due to the fact that when node A is sending to B the data channel would be

different than B is sending to A. Thus, the number of affected data channels and nodes are

increased.

As compared to other proactive channel hopping scheme proposed in [54] consisting of an

infrastructure based network having only an AP and a single node, the performance drop was

reported as 60% due to jamming. The scheme when applied in an ad hoc network (without AP)

with several nodes having majority similar parameters, the performance is estimated to decrease

118

further. However, with our proposed scheme in worst case scenario 65% of the network

performance is still retained. Additionally, if we apply the similar jammer configuration with

listen and jam intervals, slight improvement in achieved results are expected. Further

improvement is expected in our scheme if burst of packets, rather than only one packet, are

exchanged in each meeting between each node pair. Yet, the intention of this study is to explore

the jamming effects on proactive channel hopping only and analyze future directions for its

mitigation.

Figure 6-12: Two way communication between each node-pair with varied traffic generation

rates. Jammer is active from 20 to 80 sec.

6.7 Summary

Channel hopping is considered a logical escape from the jammer, either in a reactive or proactive

manner. The proposed channel hopping scheme differs from the already existing solutions in a

sense that separate control and data channels exist and neighbors coordinate for their

corresponding data channels. Neighborhood communication of a node can be described as

flower-petals, each of different color representing a distinct channel for each neighbor. Above

119

all, the scheme is proactive in nature that reduces the impact of a jamming attack without using

any detection mechanism by providing already existed escape doors for a node. Initially, simpler

scenarios was incorporated for the ease of analysis and highlighting the jamming effect on our

scheme and then gradually moving to worst case scenario, involving synchronization issues

along with the jamming phase. Results show that it is efficient for an ad hoc network, as

compared to other proactive schemes. Yet, the focus of this study is to analyze proposed scheme

in terms of jamming attack. It will help us in developing a robust solution to counter the jammer

more effectively in the future.

120

Chapter 7

Conclusions and Future Work

121

7.1. Conclusions

In this dissertation, we address the problem of jamming attacks in wireless network, especially in

an ad hoc setup. We approach the problem at two levels, first a reactive mechanism based on

jammer detection is proposed and later a proactive channel hopping scheme is presented.

Jamming attack is different from its other counter parts, as it cannot be mitigated like the others.

The severity increases many folds in a wireless environment due to lack of detection and

prevention mechanism in 802.11 standards [1]. Even though security schemes being used in

wired based networks are not applicable for wireless on as-is-basis due to the distinct

characteristics of the wireless medium, researchers first of all try to analyze possible

modifications and feasibility of applying them on latter, before brainstorming for a new solution.

Similar is the approach used by us where we have tried to analyze the use of CoF for detecting

jamming attack in wireless environment. Additionally, on the basis of earlier studies, the effects

of different jamming attacks were incorporated in our simulation and corresponding ranges of

effect were determined with the help of CoF, successfully. Furthermore, with the help of AI

algorithms, like Naïve Bayesian and J-48 algorithms, we verified our parameters and results.

Both the algorithms predicted more than 98% of the dataset, to be accurate. Whereas threshold

classification and cost/benefit analysis was found to be approximately true positive. To the best

of our knowledge, since this is first such attempt for wireless medium and therefore can be

further enhanced in many directions like mobility, cognitive radios, spectral multiplexing and

other retreat and restoration techniques.

Over the years, various studies have been proposed for detecting a jamming attack on the

medium in near locality based on which further enhancements have been proposed for tackling

the anomaly in a more effective manner. We used similar approach to come up with a novel

technique to keep the jammer busy. In terms of logical escape a chain of periodic/ continuous

channel hopping is needed against an intelligent jammer who is knowledgeable enough to scan

for the next channel where legitimate communication can be found. We exploit such behavior of

the jammer where it periodically senses the medium for packets, till its jamming-threshold is

122

expired and it scans other channels. Rather than nodes hop to new channel and allow the jammer

to follow them, repeatedly; we opted to better-fight-than-frequent-switches. After a new channel

is selected and legitimate packet transfer is resumed, nodes alternatively hop back to original

channel and feed valid packets to the jammer. This way, jammer is kept in the impression that

original channel is still in use and jammer threshold is not reached.

Lastly, we proposed proactive channel hopping scheme that differs from the already existing

solutions in a sense that each node communicates on different control and data channels with

each of its one-hop neighbors based on a pre-defined formula. Neighborhood communication of

a node can be described as flower-petals, each of different color representing a distinct channel

for each neighbor. Above all, the scheme is proactive in nature that reduces the impact of a

jamming attack without using any detection mechanism by providing already existed escape

doors for a node. Results show that it is efficient for an ad hoc network, as compared to other

proactive scheme(s). Yet, the focus of this study is to analyze proposed scheme in terms of

jamming attack. It will help us to come up with a solution to counter the jammer more effectively

in future.

7.2. Future Work

Even though, the focus of this thesis was on MAC layer techniques which can enhance the

overall performance of the network in the presence of a jammer. These techniques, need to be

tested out and tailored accordingly to other security attacks; and later can be enhanced in the

form of an Intrusion Detection System (IDS), etc. Additionally, with the provision of AI

algorithms, dynamic detection of jammer type can be tested, in enhancement of the proposed

simulation test bed. Furthermore, other technologies like Bluetooth, WSN, wireless mesh

networks need to be experimented with proposed techniques. Since, the focus of proposed

techniques was with single antenna devices, but these techniques can be tested on cognitive

radios and smart antennas, as well. Finally, the provision of mobility is an important aspect,

which needs to be tested out as well in terms of jamming attack for proposed techniques.

123

490

References

124

1. IEEE 802.11, 1999 Edition (ISO/IEC 8802-11:1999). IEEE Standards for Information

Technology – Telecommunications and Information Exchange between Systems –

Local and Metropolitan Area Network – Specific Requirements – Part 11: Wireless

LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.

2. Karyotis V., Kakalis A., Papavassiliou S., "On the Tradeoff between MAC-Layer and

Network-Layer Topology-Controlled Malware Spreading Schemes in Ad Hoc and

Sensor Networks". In Proceeding of the Third International Conference on Emerging

Security Information, Systems and Technologies, SECURWARE '09, Athens,

Glyfada, 18-23 June 2009. pp: 255 - 261

3. G. Noubir, “On connectivity in ad hoc networks under jamming using directional

antennas and mobility”, in Proc. Wired/Wireless Internet Communications

conference, LNCS vol. 2957, pp. 186-200, 2004.

4. Wu Z.D., Nettles S., “Analyzing and Preventing MAC-Layer Denial of Service

Attacks for Stock 802.11 systems”, BROADNETS, San Jose, USA, 2004.

5. John Wiley & Sons, Inc. “Handbook of Wireless Networks and Mobile Computing”,

2002. ISBNs: 0-471-41902-8 (Paper); 0-471-22456-1 (Electronic)

6. Wu B., Chen J., Wu J., Cardei M., “A Survey on Attacks and Countermeasures in

Mobile Ad Hoc Networks”, Wireless Network Security: Signals and Communication

Technology, Springer; 1st edition, 2007. pp.:103-135,

7. Medidi S.R., Medidi M., Gavini S., “Detecting Packet-Dropping Faults In Mobile

Ad-Hoc Networks”, In proceedings of IEEE ASILOMAR Conference on Signals,

Systems and Computers (ASILOMAR), vol. 2, Monterey, CA, November 2003. pp:

1708-1712.

8. [Online] http://www.derm.qld.gov.au/wildlife-ecosystems/plants/ queensland_

herbarium/wireless_sensor_network_springbrook.html Last visited: December 10,

2010.

9. [Online] http://www.vislab.uq.edu.au/research/sensornet/network.html. Last visited:

December 10, 2010.

10. Hongxun L., Delgado-Frias J.G., Medidi S., "Using a Cache Scheme to Detect

Misbehaving Nodes in Mobile Ad-Hoc Networks" in Proceedings of 15th IEEE

125

International Conference on Networks (ICON'07), Adelaide, Australia, 19-21 Nov.

2007

11. Medidi S.R., Medidi M., Gavini S., Griswold R.. “Detecting Packet Mishandling in

Manets”, in Security and Management, pages 159–162, 2004.

12. [Online] Bakht H., ‘Understanding Mobile Ad-hoc Networks’.

http://www.computingunplugged.com. Last visited: December 10, 2010.

13. Yang H., Luo H., Ye F., Lu S., Zhang L., “Security in Mobile Ad Hoc Networks:

Challenges and Solutions”. IEEE Wireless Communications, February 2004.

14. Griswold R., Medidi S., “Malicious Node Detection In Ad-Hoc Wireless Networks”,

in Proceedings of SPIE Aero-Sense, Digital Wireless Communications V, April 2003.

15. Buchegger S., Boudec J.L. “Nodes Bearing Grudges: Towards Routing Security,

Fairness and Robustness in Mobile Ad Hoc Networks”. In Proceedings of the

Parallel, Distributed and Network-based Processing, pages 403–410, January 2002.

16. Marti S., Giuli T.J., Lai K., Baker M., “Mitigating Routing Misbehavior in Mobile Ad

Hoc Networks”, In Proceedings of the Mobile Computing and Networking, pages

255–265, 2000.

17. Griswold R., “Malicious Node Detection In Ad Hoc Wireless Networks”, Master’s

thesis, Washington State University, Pullman, 2003.

18. Wu S.L., Lin Y., Tseng Y.C., Sheu J.P., “A New Multi-Channel MAC Protocol with

On-Demand Channel Assignment for Mobile Ad Hoc Networks,” Proc. Int’l Symp.

Parallel Architectures, Algorithms and Networks (ISPAN ’00), p. 232, Dec. 2000.

19. Wu S.L., Lin C.Y., Tseng Y.C., Lin C.Y., Sheu J.P., “A Multi-Channel MAC

protocol with Power Control for Multi-Hop Mobile Ad Hoc Networks,” The

Computer J., vol. 45, no. 1, 2002. pp.: 101-110.

20. Hung W.C., Law K.L.E., Garcia A.L., “A Dynamic Multi-Channel MAC for Ad Hoc

LAN,” in Proceedings of 21st Biennial Symposium on Communications, Kingston,

Ontario, June 2002. pp. 31-35.

21. Tzamaloukas, J. Garcia-Luna-Aceves, “Channel-Hopping Multiple Access,” in

Proceedings of IEEE International Conference on Communication (ICC ’00), New

Orleans, 18-22 June 2000.

126

22. Tzamaloukas, J. Garcia-Luna-Aceves, “Channel-Hopping Multiple Access with

Packet Trains for Ad Hoc Networks,” Proc. IEEE Device Multimedia Comm.

(MoMuC ’00), Oct. 2000.

23. Chen J., Sheu S., Yang C., “A New Multichannel Access Protocol for IEEE 802.11

Ad Hoc Wireless LANs,” Proc. 14th IEEE Int’l Symposium on Personal, Indoor and

Mobile Radio Communication (PIMRC ’03), vol. 3, Beijing, China, Sept. 2003. pp.

2291-2296.

24. Bahl P., Chandra R., Dunagan J., “SSCH: Slotted Seeded Channel Hopping for

Capacity Improvement in IEEE 802.11 Ad Hoc Wireless Networks,” Proc. ACM

Annual International Conference on Mobile Computing and Networking (MobiCom),

Philadelphia, PA, USA, 26 September- 1st October, 2004.

25. So H.W., Walrand J., Mo J., “McMAC: A Multi-Channel MAC Proposal for Ad Hoc

Wireless Networks,” Proc. IEEE Wireless Comm. and Networking Conf. (WCNC

’07), Hong Kong, China. 11-15 March, 2007.

26. Alomair B., Lazos L., Poovendran R., "Securing low-cost RFID systems: An

unconditionally secure approach", Journal of Computer Security, Vol: 19, issue: 2,

2011. pp: 229-257.

27. Proano A., Lazos L., "Packet-Hiding Methods for Preventing Selective Jamming

Attacks", IEEE Transactions on Dependable and Secure Computing, Vol: 9, Issue: 1,

2012. pp: 101 - 114

28. Tague P., Li M., Poovendran R., "Mitigation of Control Channel Jamming under

Node Capture Attacks", IEEE Transactions on Mobile Computing, vol. 8, no. 9,

September 2009.

29. Tague P., Nabar S., Ritcey J.A., Poovendran R., "Jamming-aware traffic allocation

for multiple-path routing using portfolio selection", IEEE/ACM Transactions on

Networking (TON), Vol: 19, Issue: 1, February 2011.

30. Patrick Tague, "Identifying, Modeling, and Mitigating Attacks in Wireless Ad-Hoc

and Sensor Networks", PhD Thesis, University of Washington, 2009.

31. Mpitziopoulos A., Gavalas D., Pantziou G., "Defending Wireless Sensor Networks

from Jamming Attacks", in proceedings of The 18th Annual IEEE International

127

Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC'07),

Athens,. Greece, 3–7 September, 2007.

32. Salem M., Sarhan A., Abu-Bakr M., “A DOS Attack Intrusion Detection and

Inhibition Technique for Wireless Computer Networks”, ICGST- CNIR, Volume (7),

Issue (I), July 2007.

33. Xu W., Trappe W., Zhang Y., Wood T., “The Feasibility of Launching and Detecting

Jamming Attacks in Wireless Networks”, In Proceedings of the Sixth ACM

International Symposium on Mobile Ad-hoc Networking and Computing (MobiHoc),

Urbana-Champaign, IL, USA, May, 25-28, 2005.

34. Xu W., Trappe W., Zhang Y., "Defending Wireless Sensor Networks from Radio

Interference through Channel Adaptation," ACM Transactions on Sensor Networks

(TOSN), Volume 4, Issue 4, August 2008.

35. Xu W., Wood T., Trappe W., Zhang Y., "Channel Surfing and Spatial Retreats:

Defenses Against Wireless Denial of Service, " in Proceedings of the 2004 ACM

workshop on Wireless security (WiSe), pg. 80 - 89, 2004.

36. Acharya M., Thuente D., “Intelligent Jamming Attacks, Counterattacks and

(Counter)2 Attacks in 802.11b Wireless Networks”, in Proceedings of the

OPNETWORK Conference, Washington DC, USA, August 2005.

37. Chen K.C. “Cognitive Radio Networks”, Ramjee Prasad Publisher John Wiley and

Sons, 2009

38. Chen Y., Xu W., Trappe W., Zhang Y.Y., “Securing Emerging Wireless Systems”:

Lower-Layer Approaches, 1st Edition. 2009.

39. Khattab S., Moss´e D., Melhem R., "Honeybees: Combining Replication and Evasion

for Mitigating Base-station Jamming in Sensor Networks", 2006.

40. Martinovic, P. Pichota, J.B.Schmitt, "Jamming for good: a fresh approach to authentic

communication in WSNs", in Proceeding of the second ACM conference on Wireless

network security (WiSec'09), Zurich, Switzerland, March 16-18, 2009.

41. Ponomarchuk, Y., Dae-Wha S., "A Lightweight and Effective Jamming Detection in

Electronic Shelf Label Systems", in Proceedings of the 4th International Conference

on Ubiquitous Information Technologies & Applications, 20-22 Dec, 2009. ICUT '09.

pp: 1-6.

128

42. Raymond D.R., Brownfield M.I., "Effects of Denial-of-Sleep Attacks on Wireless

Sensor Network MAC Protocols", Published in IEEE Transactions on Vehicular

Technology, Vol.:58, No.:1, January 2009.

43. Zhang Z., Wu J., Deng J., Qiu M., "Jamming ACK Attack to Wireless Networks and

a Mitigation Approach," in Proc. of IEEE Global Telecommunications Conference -

Wireless Networking Symposium (GLOBECOM '08), New Orleans, LA, USA,

November 30-December 4, 2008, vol. ECP.950, pp. 1-5.

44. Peterson R. L., Ziemer R. E., Borth D. E., "Introduction to Spread-Spectrum

Communications" Prentice Hall, 1st Edition, 1995.

45. Acharya M., Thuente D., “Intelligent Jamming Attacks, Counterattacks and

(Counter)2 Attacks in 802.11b Wireless Networks”, in Proceedings of the

OPNETWORK Conference, Washington DC, USA, August 2005.

46. Wood A. D., Stankovic J. A., Son S. H., “JAM: A Jammed-Area Mapping Service for

Sensor Networks,” in Proceedings of 24th IEEE Real-Time Systems Symposium

(RTSS), 3-5 December, 2003. pp: 286 - 297

47. Ma K., Zhang Y., Trappe W., “Mobile Network Management and Robust Spatial

Retreats via Network Dynamics,” in Proceedings of the 1st International Workshop

on Resource Provisioning and Management in Sensor Networks (RPMSN05), Ohio,

USA, November 7th, 2005.

48. J.Shi, T.Salonidis, and E.W.Knightly, “Starvation Mitigation through MultiChannel

Coordination in CSMA Multihop Wireless Networks” in proceedings of the Seventh

ACM International Symposium on Mobile Ad Hoc Networking and Computing

(MobiHoc’06), Florence, Italy, May 22-25, 2006

49. Navda V., Bohra A., Ganguly S., Rubenstein D., "Using Channel Hopping to Increase

802.11 Resilience to Jamming Attacks", in proceedings of 26th IEEE International

Conference on Computer Communications, Joint Conference of the IEEE Computer

and Communications Societies, Anchorage, Alaska, USA, 6-12 May 2007.

50. Khattab S., Mosse D., Melhem R., "Modeling of the Channel-Hopping Anti-Jamming

Defense in Multi-Radio Wireless Networks", in proceedings of MobiQuitous 2008,

Dublin, Ireland, July 21 - 25, 2008

129

51. Nahrstedt K., Campbell R.H., Vaidya N.H., "Identifying Insider-based Jammers in

Multi-channel Wireless Networks", in proceedings of GLOBECOM'10. Miami,

Florida, USA, 6-10 December, pp.1-6

52. Nguyen H., Pongthawornkamol T., Nahrstedt K., "Alibi: A Framework for

Identifying Insider-based Jamming Attacks in Multi-channel Wireless Networks", in

proceedings of 16th ACM Conference on Computer and Communications Security

(CCS), Hyatt Regency Chicago, IL, USA, November 9-13, 2009.

53. Lee E.K., Oh S.Y., Gerla M., "Randomized Channel Hopping Scheme for Anti-

Jamming Communication", In proceedings of Wireless Days Conference, Venice,

Italy, October. 2010.

54. Othman J.B., Hamieh A., "Defending Method Against Jamming Attack in Wireless

Ad Hoc Networks", The 5th IEEE International Workshop on Performance and

Management of Wireless and Mobile Networks (P2MNET 2009), Zürich,

Switzerland; 20-23 October 2009.

55. Mahadevan K., Hong S., Dullum J., “Anti-Jamming: A Study”. 2005

56. Li M., Koutsopoulos I., Poovendran R., “Optimal Jamming Attacks and Network

Defense” In IEEE International Conference on Computer Communications

(INFOCOM), Anchorage, Alaska, USA, 6-12 May, 2007.

57. Reese K.W. Salem A., “A Survey on Jamming Avoidance in Adhoc Sensory

Networks” Journal of Computing Sciences in Colleges, Volume 24 Issue 3, January

2009

58. Soreanu P., Volkovich Z., Barzily Z., “Energy-Efficient Predictive Jamming Holes

Detection Protocol for Wireless Sensor Networks” in Proceedings of the 2008 Second

International Conference on Sensor Technologies and Applications (SENSORCOMM

'08), Cap Esterel, France, August 25-31, 2008

59. A.D. Wood, J.A. Stankovic, and G. Zhou, “DEEJAM: Defeating Energy-Efficient

Jamming in IEEE 802.15. 4-based Wireless Networks", in proceedings of 4th Annual

IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc

Communications and Networks, (SECON '07), San Diego, CA, USA, 18-21 June

2007. pp: 60-69

130

60. Muraleedharan R., Osadciw L.A., “Jamming Attack Detection and Countermeasures

in Wireless Sensor Network using Ant System” SPIE Defence and Security

Symposium, Orlando, USA, 17-21 April, 2006

61. Clancy T.C., Goergen N., “Security in Cognitive Radio Networks: Threats and

Mitigation,” in Proceedings of International Conference on Cognitive Radio Oriented

Wireless Networks and Communication. (CrownCom’08), Singapore, 15-17 May

2008.

62. Mitola J., “Cognitive Radio: An Integrated Agent Architecture for Software Defined

Radio.” Ph.D. Dissertation, KTH, 2000.

63. Paula R. da Silva, Marcelo H.T. Martins, and Bruno P.S. Rocha, "Decentralized

Intrusion Detection in Wireless Sensor Networks", in Proceedings of the 1st ACM

international workshop on Quality of service & security in wireless and mobile

networks (Q2SWinet '05), Montreal, Canada, October 10 - 13, 2005

64. Strasser M. "Jamming-resistant Key Establishment using Uncoordinated Frequency

Hopping" , in Proceedings of the 2008 IEEE Symposium on Security and Privacy,

Oakland, California, USA , May 18-21, 2008

65. Mishra A., Shrivastava V., Agarwal D., Banerjee S., Ganguly S., “Distributed

Channel Management in Uncoordinated Wireless Environments” in proceedings o

The Twelfth Annual International Conference on Mobile Computing and Networking

(MobiCom'06), Los Angeles, CA, USA, 24-29 September, 2006

66. Khattab S., Mosse D., Melhem R., "Jamming Mitigation in Multi-radio Wireless

Networks: Reactive or Proactive?", in Proceedings of the 4th international conference

on Security and Privacy in Communication Netowrks (SecureComm '08), Istanbul,

Turkey, September 22-26, 2008.

67. Hung-Min S., Shih-Pu H., Chien-Ming C., “Mobile Jamming Attack and its

Countermeasure in Wireless Sensor Networks” in proceedings of 21st International

Conference on Advanced Information Networking and Applications (AINA 2007),

Niagara Falls, CanadaMay 21-23, 2007.

68. Alnifie G., Simon R., "A Multi-channel Defense Against Jamming Attacks in

Wireless Sensor Networks" In Proc. of the third ACM International Workshop on

131

QoS and Security for Wireless and Mobile Networks (Q2SWinet 2007). Chania,

Crete Island, Greece, October 22, 2007. pp: 95–104.

69. Shi J., Salonidis T., Knightly E.W., “Starvation Mitigation Through MultiChannel

Coordination in CSMA Multihop Wireless Networks” in proceedings of the Seventh

ACM International Symposium on Mobile Ad Hoc Networking and Computing

(MobiHoc’06), Florence, Italy, May 22-25, 2006

70. Xiao L., Dai H., Ning P., "Jamming-Resistant Collaborative Broadcast Using

Uncoordinated Frequency Hopping", IEEE Transactions on Information Forensics

and Security, Vol: 7, Issue: 1, February 2012, pp: 297 - 309

71. Popper C., Strasser M, Capkun S., "Anti-jamming Broadcast Communication using

Uncoordinated Spread Spectrum Techniques", IEEE Journal on Selected Areas in

Communication, vol:28, issue:5, June 2010.

72. Popper C., "On Secure Wireless Communication under Adversarial Interference",

PhD Thesis, ETH Zurich, 2011.

73. Liu S., Lazos L., Krunz, M., "Thwarting Control-Channel Jamming Attacks from

Inside Jammers", to be published in IEEE Transaction on Mobile Computing, 2011.

74. Lazos L., "Securing Network Services for Wireless Ad Hoc and Sensor Networks",

Phd Thesis, University of Washington, 2006

75. Lin S., Wueng M., "Concurrent Multi-Channel Transmission (CMCT) MAC Protocol

in Wireless Mobile Ad Hoc Networks" in proceedings of The 9th International

Conference on Advanced Communication Technology (ICACT'07), Gangwon-Do,

S.Korea, 12 Feb - 14 Feb 2007, pp: 445 - 449

76. Chen W., Chen D., Sun G., Zhang Y., “Defending Against Jamming Attacks in

Wireless Local Area Networks” Autonomic and Trusted Computing, Autonomic and

Trusted Computing, Lecture Notes in Computer Science, 2007, Volume 4610/2007,

pp: 519-528, DOI: 10.1007/978-3-540-73547-2_53.

77. Ståhlberg M. , “Radio Jamming Attacks Against Two Popular Mobile Networks”,

Seminar on Network Security. Mobile Security. Helsinki University of Technology,

Fall 2000.

132

78. Noubir G., Lin G., “Low-power DoS Attacks in Data Wireless LANs and

Countermeasures,” in proceedings of the Fourth ACM International Symposium on

Mobile Ad Hoc Networking and Computing, Annapolis, MD, USA, June 1-3, 2003.

79. Bayraktaroglu E., King C., Liu X., Noubir G., Rajaraman R., Thapa B., “On the

Performance of IEEE 802.11 under Jamming,” in Proceedings of IEEE 27th

Conference on Computer Communications (INFOCOM’08), Phoenix, Arizona, USA,

April 13 - 19 2008.

80. Law Y., Hartel P., Hartog J. den, Havinga P., ‘Link-layer Jamming Attacks on

SMAC’, in proceedings of the 2nd European Workshop on Wireless Sensor Networks

(EWSN 2005), 2005, pp. 217 - 225.

81. Rajeswaran A., Negi R., “DoS Analysis of Reservation based MAC Protocols”, in

proceedings of the IEEE International Conference on Communications, 16-20 May,

2005.

82. Schafroth M., “Jamming Detection inWireless Ad Hoc Networks”, Master’s thesis,

MA-2008-21March 2009.

83. Xu W., Trappe W. Zhang Y., "Channel Surfing: Defending Wireless Sensor

Networks from Jamming and Interference," in Proceedings of the 6th International

Conference on Information Processing in Sensor Networks (IPSN07), pg.499-508,

2007.

84. Xu W., Ma K., Trappe W., Zhang Y., “Jamming Sensor Networks: Attack and

Defense Strategies”, Rutgers University, 2006.

85. Bradley K. A., Cheung S., Puketza N., Mukherjee B., Olsson R. A.. ‘Detecting

Disruptive Routers: A Distributed Network Monitoring Approach’, in proceedings of

the IEEE Symposium on Security and Privacy, May 1998, pp: 115– 124.

86. Hughes J. R., Tuomas A., Matt B., “Using Conservation of Flow as a Security

Mechanism in Network Protocols”, in proceedings of IEEE Symposium on Security

and Privacy, Berkeley, CA, USA, 2000.

87. Mizrak A.T., Cheng Y.C., Marzullo K., and Savage S., “Fatih: Detecting and

Isolating Malicious Routers”, DSN ’05: Proc. Int’l Conf. Dependable Systems and

Networks (DSN’05), pp. 538-547, 2005.

133

88. Faraz A., Khalid H, Nyla K., M.Sharif, Noor Z. "Identification of a Lossy Channel

in Wireless Mesh Network using Conservation of flow", Journal of Information &

Communication Technology, Vol. 1, No. 2, (Fall 2007) 60-70

89. [Online] Matlab. www.mathworks.com Last visited: December 28, 2010.

90. [Online] WEKA software, Machine Learning, http://www.cs.waikato.ac.nz/ml/weka/,

The University of Waikato, Hamilton, New Zealand. visited: December 28, 2010.

91. [Online] Technical Notes, “Naive Bayes Classifier”, Stat-Soft Electronic Statistics

Textbook. http://www.statsoft.com/textbook/naive-bayes-classifier. Last visited:

December 28, 2010.

92. Huang D.C., Wunsch D.S., Levine K.H. Jo, "Advanced Intelligent Computing

Theories and Applications: With Aspects of Artificial Intelligence", in proceedings of

4th International Conference on Intelligent Computing, ICIC 2008, Shanghai, China,

September 2008.

93. Wang X., Tu-liang L., Wong J., "Feature Selection in Intrusion Detection System

over Mobile Ad-hoc Network", Technical Report, Computer Science, Iowa State

University, 2005.

94. Zhang J., ZulkernineM., “Network Intrusion Detection using Random Forests”, in

proceedings of Third Annual Conference on Privacy, Security and Trust,The

Fairmont Algonquin, St. Andrews,New Brunswick, Canada, October 12-14, 2005.

95. Ma K., Zhang Y., Trappe W., “Mobile Network Management and Robust Spatial

Retreats via Network Dynamics,” in Proceedings of the The 1st International

Workshop on Resource Provisioning and Management in Sensor Networks

(RPMSN05), 2005.

96. Liu H., Xu W., Chen Y., Liu Z., “Localizing Jammers in Wireless Networks”, in

Proceedings of the Seventh Annual IEEE International Conference on Pervasive

Computing and Communications (PERCOM '09), Galveston, Texas, USA, March 9-

13, 2009

97. Pelechrinis K., Koutsopoulos I., Broustis I., Krishnamurthy S.V., “Lightweight

Jammer Localization in Wireless Networks: System Design and Implementation” in

proceedings of IEEE Global Telecommunications Conference (GLOBECOM'09),

Honolulu, Hawaii, USA, Nov. 30 2009-Dec. 4 2009, pp: 1 - 6

134

98. Pelechrinis K., Koufogiannakis C. Krishnamurthy S.V., “Gaming the Jammer: Is

Frequency Hopping Effective?”, in Proceedings of the 7th international conference

on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks

(WiOPT'09), Seoul, S. Korea, June 23-27, 2009.

99. Xu W., Trappe W,. Zhang Y., “Anti-Jamming Timing Channels for Wireless

Networks", in proceedings of the 1st ACM Conference on Wireless Security

(WiSec), Alexandria, Virginia, USA, 31 March - 2 April, 2008,. pp. 203-213

100. Lazos L., Liu S., Krunz M., “Mitigating Control-Channel Jamming Attacks in Multi-

channel Ad Hoc Networks”, in Proceedings of the second ACM conference on

Wireless network security (WiSec'09), Zurich, Switzerland, March 16-18, 2009.

101. Martínez W.L., Martínez A.R., "Computational statistics handbook with MATLAB",

Chapman & Hall/CRC, 2002.

102. [Online] SPSS. http://www-01.ibm.com/software/analytics/spss. Last visited:

December 28, 2010.

103. [Online] OPNET Modeller, http://www.opnet.com. Last visited: December 28, 2010.

104. Gong M.X., Midkiff S.F., Mao S., “A Cross-layer Approach to Channel Assignment

in Wireless Ad Hoc Networks”, Journal of Mobile Networks and Applications, Vol.

12, No. 1, p 43-56, Feb. 2007

105. So J., Vaidya N.H., “MultiChannel MAC for Ad Hoc Networks: Handling

MultiChannel Hidden Terminals Using A Single Transceiver”, In Proceedings of the

Fifth ACM International Symposium on Mobile Ad Hoc Networking and Computing,

(MobiHoc’04), Tokyo, Japan, May 24-26, 2004.

106. Bicakci K., Tavli B., “Denial-of-Service Attacks and Countermeasures in IEEE

802.11 Wireless Networks”, Computer Standards & Interfaces (2008),

doi:10.1046/j.csi.2008.09.038.

107. [Online] http://en.wikipedia.org/wiki/Diffie-Hellman. Last visited: December 10,

2010.

108. Jaemin J., Seungmyeong J., Jaesung L., "Anti jamming - based medium access

control using adaptive rapid channel hopping in 802.11: AJ-MAC", in Proceedings of

the 2011 international conference on Computational Science and Its Applications

(ICCSA'11), Santander, Spaiwwn. 20 - 23 Jun 2011. pp.:70-82

cope with a malicious host in mobile adhoc networks...

Documents