Cope with a Malicious Host in Mobile Adhoc
Networks (MANET)
By
Faraz Ahsan
Reg No. CIIT/SP04-PCS-002/ISB
PhD Thesis
COMSATS Institute of Information Technology,
Islamabad- Pakistan Spring, 2012
COMSATS Institute of Information Technology
Cope with a Malicious Host in Mobile Adhoc
Networks (MANET)
A Thesis Presented to
COMSATS Institute of Information Technology, Islamabad
In partial fulfillment
of the requirement for the degree of
PhD
(Computer Science)
By
Faraz Ahsan
CIIT/ SP04-PCS-002/ISB
Spring, 2012
DEDICATION
To
My Loving Family
ACKNOWLEDGEMENTS
All praises to Almighty God, who blessed me with the ability and bestowed the strength to
accomplish this Thesis. My thanks to all those who guided me in achieving every phase of the
thesis, especially my supervisor Dr. Sajjad Mohsin; without his timely advice I would have been
lost. His encouragement made a very large impact on my thesis and it was the prime reason that I
completed my thesis in good time. Another name worth mentioning is Dr. Farid Naït-Abdesselam,
who gave me the opportunity to be a part of his MISC team in LIFL/ IRCICA,
France for more than 6 months. I am short of words to list the support that he provided in
every aspect during my stay there, but his most vital contribution was narrowing down my problem
statement and providing new research paradigms.
I will not forget the contribution and important suggestions of my friends, colleagues, seniors
and especially juniors for whom I needed to be strong, when I felt weak. At the end I would like
to thank my family for staying behind me backing and supporting me through all the crests &
troughs of this period.
Last but not least, following the tradition that the winner is announced at the end, I am thankful to
the Higher Education Commission (HEC) for providing me the opportunity, research environment,
technical support and funding for my postgraduate studies. Although the high criteria set by HEC felt
like a burden initially, at the time of completion of my thesis I can very well foresee their
benefits for my research and career in future.
Faraz Ahsan
(CIIT/ SP04-PCS-002/ISB)
ABSTRACT
Coping with a Malicious Host in Mobile Adhoc Networks (MANET)
From a security perspective, a jamming attack is easy to launch and relatively hard to detect.
Jamming attacks are generally directed towards seizing the medium completely by transmitting
fake packets violating the medium access protocol, either constantly or periodically. This work
analyzes the effects of different types of jammers using Conservation of Flow (CoF), which has
been useful for detecting other attacks in wired networks. Additionally, simulation results are
presented in justification of the proposed methodology.
With the miniaturization of wireless devices, their popularity and usage have increased in the
recent past, especially due to portability. Since the design of such devices does not primarily
emphasize heavy computation and secure communication, these are treated as add-ons. In setting up
an ad hoc network, rather than using several or all of the channels offered by the 802.11 standard,
only a single channel is generally utilized to minimize delay and synchronization issues. However,
by using the additional available channels, a significant gain in overall system performance can
be achieved. This, and other limitations such as a shared medium that is open to all, attracts
intruders to wireless networks. In particular, the use of a lone channel can become a single point
of failure in case of an attack, especially a jamming attack.
In contrast to other security attacks, no special hardware or computation is required to
launch a jamming attack. Additionally, even if the attacker does not get hold of the
communication, he can emit radio signals periodically to jam legitimate conversation. Thus,
legitimate nodes escape physically or logically to avoid a jammer, at the cost of additional
overhead involving coordination amongst nodes to resume communication. The overhead
involved in either method is considered worthwhile in terms of regaining the performance of
the network.
In this thesis, a couple of MAC layer-based algorithms are proposed to mitigate the effects of
jamming attacks efficiently; the first is a reactive mechanism and the second is a proactive
proposal. The work starts with an investigation of different jamming types and their effects on
wireless communication. For this purpose, a simulation model was developed and the resulting
data set was verified using AI algorithms, which predicted 98% accuracy.
Next, a reactive technique, namely packet-feed, is proposed to keep the jammer busy on the
jammed channel. Once the nodes detect the existence of the jammer and hop to another channel,
they alternately visit the earlier channel to feed the jammer with valid packets. This way, the
nodes pretend to the jammer that the earlier channel is still in use.
Finally, a proactive channel hopping protocol is proposed where each node has a separate and
dynamically selected control channel. Additionally, rather than each of them feeding the other its
channel hopping sequence, both parties coordinate to come up with a new channel where data
transfer can take place. Thus, redundant channels are provided to each node.
Following on from this, the proposed idea is analyzed in the presence of a jammer.
Table of Contents
1. Introduction
   1.1 Introduction
   1.2 Problem Statement
   1.3 Research Questions
   1.4 Contribution of This Thesis
   1.5 Thesis Outline
2. Background
   2.1 Introduction
   2.2 Applications of Adhoc Networks
   2.3 Ad Hoc Network Vulnerabilities
   2.4 Handling Malicious Nodes
   2.5 Use of Multichannels in Wireless Network
   2.6 Variations in Jamming Attack
      2.6.1 Jamming Models
      2.6.2 Types of Jammers
3. Related Work
   3.1 Introduction
   3.2 Jamming Characteristics and Efficiency Criteria
   3.3 Techniques for Detecting Jamming Attacks
      3.3.1 Transmitter-Based Detection
      3.3.2 Receiver-Based Detection
      3.3.3 Dedicated Detection
      3.3.4 Cooperative Detection
      3.3.5 Detection via RF Finger-Printing
   3.4 Jamming Attack on the Control Plane
   3.5 Jammer Mitigating Techniques
      3.5.1 Spread Spectrum
      3.5.2 Evasion Techniques
      3.5.3 Retreat Restoration
      3.5.4 Temporal Retreat
      3.5.5 Hybrid Approaches
      3.5.6 Cognitive Radio
   3.6 Discussion on Selected Algorithms
   3.7 Summary
4. Estimating Effects of Jammers via Conservation of Flow in Adhoc Networks
   4.1 Introduction
   4.2 Jamming Attack: Approaches and Effects
   4.3 Problem Statement
   4.4 Conservation of Flow (CoF) Based Malicious Node Detection
   4.5 Simulation Testbed
   4.6 Simulation and Results
   4.7 Verification of Parameters Using WEKA
      4.7.1. Bayesian Naïve Classification
      4.7.2. J-48 Algorithm
   4.8 Summary
5. Packet-Feed: A Survival Approach to Cope Up with Jamming Attack
   5.1 Introduction
   5.2 Problem Statement
   5.3 Proposed Methodology
   5.4 Mathematical Model
   5.5 Theoretical Analysis
   5.6 Enhancements in Proposed Methodology
   5.7 Simulation & Results
   5.8 Summary
6. Neighbor Based Channel Hopping Coordination: Practical Against Jammer
   6.1 Introduction
   6.2 Problem Statement
   6.3 Proposed Solution
      6.3.1 Determining Control Channel (CC)
      6.3.2 Data Channel (DC) Coordination
   6.4 Mathematical Model
   6.5 Design Diagrams
   6.6 Simulation and Analysis
   6.7 Summary
7. Conclusion
References
LIST OF FIGURES
Fig 2-1: Effect of Proactive Jammers in Wireless network
Fig 3-1: Jammed Scenario in a wireless environment
Fig 3-2: Spatial Retreat strategy for a two party communication scenario
Fig 4-1: Transit packet byte counters
Fig 4-2: Adhoc network of eight nodes with jammer
Fig 4-3: Node wise traffic in normal scenario
Fig 4-4: Node wise communication in presence of constant jammer
Fig 4-5: Node wise communication in presence of periodic jammer
Fig 4-6: Adhoc network of 12 nodes with jammer
Fig 4-7: 12-Node wise traffic in normal scenario
Fig 4-8: 12-Node wise traffic in presence of constant jammer
Fig 4-9: 12-Node wise traffic with periodic jammer
Fig 4-10: Time wise effect of jammers in 8-node scenario
Fig 4-11: Time wise effect of jammers in 12-node scenario
Fig 4-12: 25 Nodes: (a) Constant Jammer (b) Periodic Jammer
Fig 4-13: 50 Nodes: (a) Constant Jammer (b) Periodic Jammer
Fig 4-14: Randomly Selected Data Set for WEKA
Fig 4-15: A Bayesian Naïve example
Fig 4-16: Pseudo-code for Bayesian Naïve
Fig 4-17: BN based jammer classification
Fig 4-18: Pseudo code for Decision Tree (J48 algorithm)
Fig 4-19: Cost Analysis of Jammer Classification using J-48
Fig 4-20: J-48 based Threshold Estimation of Jammer types used
Fig 4-21: Analysis of Validated data using J-48 algorithm
Fig 5-1: Feeding node hops back to feed Jammer on originally used channel
Fig 5-2: A Normal Q-Q Graph of Average Received Packets
Fig 5-3: A Detrended Normal Q-Q Graph of Average Received Packets
Fig 5-4: Packet Analysis on the basis of Time
Fig 5-5: XBAR Control Chart
Fig 5-6: Multiple Nodes feeding the Jammer on Originally used jammed channel
Fig 5-7: Pseudo-code of proposed methodology
Fig 5-8: Flow chart highlighting the communication flow of the proposed methodology
Fig 5-9: Overall Network Throughput (a) 10 nodes (b) 20 nodes
Fig 5-10: 2 Nodes feed the jammer in every time slot. Overall Throughput for (a) 10 nodes (b) 20 nodes
Fig 5-11: 2 Nodes feed jammer with multiple packets in every time slot, scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes
Fig 5-12: 3 Nodes feed jammer with multiple packets in every time slot, scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes
Fig 5-13: 4 Nodes feed the jammer with multiple packets in every time slot, scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes
Fig 5-14: Comparison of Multiple Nodes feeding jammer with varying packets in every time slot, scenario for (a) 10 nodes (b) 20 nodes
Fig 5-15: Overall Throughput achieved in terms of percentage for varying nodes
Fig 6-1: Scenario stating how node D would initiate communication with node C
Fig 6-2: Elementary Negotiation for a DC between two nodes
Fig 6-3: Communication Sequence on Data Channel between a node-pair
Fig 6-4: Pseudo-code for the proposed technique
Fig 6-5: Flow Sequence of Network Communication
Fig 6-6: Block Diagram of Channel Hopping Selection before transmitting
Fig 6-7: Communication Sequence on Data Channel between a node-pair
Fig 6-8: Single channel compared with proposed scheme using 12 Node-pairs with traffic load 200 pps. Jammer is active during 20–80 seconds
Fig 6-9: Sink Status on each channel – Node-wise distribution
Fig 6-10: Nodewise distribution – Percent Loss in Communication
Fig 6-11: Effect of Pulse jamming on nodes having jammed control and data channels
Fig 6-12: Two way communication between each node-pair with varied traffic generation rates. Jammer is active from 20 to 80 sec.
LIST OF TABLES
Table 3-1: Logical Division of Jammer Handling Strategies
Table 4-1: Simulation Parameters
Table 4-2: Accuracy detail w.r.t. jammer classification by BN
Table 4-3: Confusion Matrix based on BN algorithm
Table 4-4: Accuracy detail w.r.t. jammer classification by J-48
Table 4-5: Confusion Matrix based on J-48 algorithm
Table 5-1: Simulation settings
Table 6-1: Simulation settings
LIST OF ABBREVIATIONS
ATIM: Ad hoc Traffic Indication Message
CHMA: Channel Hopping Multiple Access
CoF: Conservation of Flow
DCA: Dynamic Channel Allocation
DCF: Distributed Coordination Function
DDC: Dedicated Control Channel
DIFS: DCF Inter Frame Spacing
DoS: Denial of Service
DSSS: Direct Sequence Spread Spectrum
EIFS: Extended Inter Frame Spacing
FHSS: Frequency Hopping Spread Spectrum
J/S: Jamming to Signal Ratio
MAC: Medium Access Control
MAP: Multichannel Access Protocol
MIMO: Multiple Input Multiple Output
PAN: Personal Area Network
PCL: Preferable Channel List
SSCH: Slotted Seeded Channel Hopping
SNR: Signal-to-Noise Ratio
Chapter 1
Introduction
1.1 Introduction
Wireless networks are more prone to attack than their earlier wired counterparts, due to the open
nature of the underlying medium and due to the assumption of the wireless standard [1]
that nodes will cooperate with each other to form a network. The attacker can be an insider
or an external uninvited guest. An attack is characterized as rational when the attacker
misbehaves only if the violation is somehow beneficial to it, for example in terms of price,
obtaining more bandwidth for itself, or saving resources; otherwise it is considered malicious.
Furthermore, attacks may target various protocol layers. At the physical layer, an attacker may
jam the transmissions of wireless antennas or simply disrupt the hardware functionality of a
certain node. At the MAC layer, the attacker can violate fair access to the shared
medium by emitting massive numbers of MAC-level control and data packets, or can impersonate a
legitimate node. Additionally, it can take advantage of the limitations of network layer protocols,
whose underlying assumption is that nodes will cooperate to relay packets for distant destinations.
One such type of attack relies on intimate knowledge of the routing mechanisms. Another malicious
activity targets packet forwarding: acting as an intermediate hop, the attacker changes the
destination, bypassing the routing protocol's behavior without changing the routing table.
Furthermore, the attacker may passively monitor the network and impersonate a legitimate node to
gain access to useful data. At the application layer, an attacker could insert false or forged data
after observing how the application works. Typical attacks on ad hoc networks, which are also
applicable to wireless mesh networks, include Impersonation, Sinkhole Attack, Wormhole
Attack, Selfish and Greedy Behavior Attack, Sybil Attack, Sleep Deprivation, DoS and Flooding
[2].
For wireless ad hoc and mesh networks, IEEE 802.11 uses the Distributed Coordination Function
(DCF) mode to schedule the wireless resource. In the absence of a collision detection mechanism,
the control packets RTS/CTS are first exchanged between sender and receiver to avoid the exposed
and hidden terminal problems [1]. A source node sends an RTS message to indicate its intent to
transmit and the destination responds with a CTS. Any node that hears the CTS cannot transmit
until the data has been transmitted. Meanwhile, any node that intends to initiate another transfer
within range of the earlier conversation senses the channel and backs off according to the binary
exponential back-off scheme. The binary exponential scheme favors the last winner amongst the
contending nodes. This means that heavily loaded nodes tend to capture the channel by
continually transmitting data, thereby causing lightly loaded neighbors to back off again and
again. This leads to the capture effect, which brings the problem of unfairness. The capture effect
may be exploited to launch a DoS attack by introducing a large number of packets on the
network, bypassing the MAC protocol [3]. Selfish nodes can drop packets to save their own
energy, and greedy nodes can disobey the protocol specification to obtain a higher throughput
than the other, honest nodes.
Two kinds of DoS attacks may be launched against wireless networks, as described in [4]. The first
is the single adversary attack: a single adversary intrudes into the network by sending an enormous
flow of packets to legitimate nodes, thereby draining the energy of those nodes and
significantly degrading the performance of network communication. The second kind of attack
exploits the unfairness possible with IEEE 802.11. Two adversaries join together to send huge
data flows directly to each other and so exhaust the network bandwidth in their
neighborhood; this is called a colluding adversaries attack.
1.2 Problem Statement
Malicious nodes are a serious threat in wireless networks, because even an adversary that is not
equipped with much computing power and is unable to analyze data may still mount a passive
attack. The adversary can first determine whether the medium is in use and then disrupt the
communication by distorting it for personal gain. If it is intelligent enough to analyze different
communication patterns and is aware of the wireless MAC protocol, it can interrupt communication for
longer periods, either by targeting packets periodically or by selectively targeting a particular type.
Because the underlying assumption of wireless protocols is that nodes will cooperate in
routing each other's packets, and the protocols offer no handling of such security threats, such
malicious activities can exist on the network for a long time, undetected.
Studies have suggested many techniques to detect such malicious activities. However,
jamming detection techniques at the physical level rely mainly on parameters related to signal
strength and packet delivery ratio. Such measures, although useful, may generate false
alarms, as it is quite hard to differentiate between interference from the surroundings, channel
error and malicious activity at the physical layer. Recent studies have suggested using the MAC
layer to devise algorithms that analyze such parameters and react accordingly. On the other hand,
on the principle that prevention is better than cure, proactive algorithms were devised
which, although considered costly in the normal scenario, are effective against jamming
attacks. Typical evasion techniques are based on jammer avoidance, moving away either
physically or logically. From the physical layer perspective, the common disadvantage of FHSS
is that the bandwidth required is far larger than for a single frequency, for the same data.
Similarly, DSSS modulation, used in Bluetooth technology, is not secure against jamming attacks.
Authors have proposed the use of sector antennas against jamming attacks, but these are not yet
commonly accessible. Since a jammer simply violates the MAC protocol, our intention is to come up
with MAC layer techniques that are efficient against a jammer, especially for simpler devices
such as those having a single antenna.
We investigate the problem of jammer handling at three levels. First, we analyze the effect of
jammers based on existing studies and evaluate it using Conservation of Flow, which has been
used effectively in wired networks for the detection of malicious nodes. The questions that needed to
be answered were:
1.3 Research Questions
• Can the disruption of packet delivery be analyzed effectively at the MAC layer to
pin-point the existence of a jammer in the network?
• Is conservation of flow effective for malicious node detection in wireless networks, as it has been
proven to be in wired networks?
• On the basis of the answers to the above questions, is it possible to come up with better approaches
to handle jammers, especially in terms of achieving more throughput, whether a pre-emptive or a
reactive approach is used?
In quest of answers to the above questions, we not only analyzed various jammers but also studied
their behavior and their effect on communication, in order to come up with better techniques to handle
jammers.
1.4 Contribution of This Thesis
A jammer is one such anomaly that does not require any knowledge to disrupt communication.
Rather, he senses that the medium is in use and starts disrupting communication by bypassing the
MAC layer's code of behavior. This way, he can jam the communication either continuously or
periodically, resulting in the virtual collapse of the network in the jammed area.
The goal of this study was to come up with techniques that are novel and allow legitimate
nodes to communicate in the presence of a jammer, so that starvation of nodes in the jammed area
and virtual collapse of the whole network can be avoided. For that very reason, two techniques
have been proposed:
a) Generally, a single channel is used by the legitimate nodes in an ad hoc network for
establishing the network and for communication. However, if the channel is jammed, the
legitimate nodes hop to another channel and try to restore communication. Meanwhile, when
the jammer senses the medium to be idle, he starts to scan other channels randomly and
follows the nodes to the new channel. The proposed technique, however, has the
legitimate nodes periodically return to the original channel and transmit valid packets on
the medium, so that the jammer is convinced that the original channel is still in use.
b) Rather than relying on detection, nodes need to communicate in such a manner that even if a
jammer is introduced, only a few nodes are exposed. For this, the multiple channels of the 802.11
standard can be used, as the jammer can seize only 1 channel at a time. Furthermore, at the node
level, we assign a different control and data channel to each node, on which it communicates with
its 1-hop neighbor. This way, not only do nodes not starve on the affected channel, but
redundancy in terms of control and data channels is also provided.
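The packet-feed idea in (a), as an added example that is not code from the thesis: a slot-based toy model in Python that compares plain channel hopping with hopping plus decoy feeding. The slot model, the round-robin channel order used by both the nodes and the jammer (the thesis describes a random scan), and the parameter names `detect_slots`, `idle_timeout` and `feed_period` are assumptions made here so the run is reproducible.

```python
from dataclasses import dataclass


@dataclass
class Outcome:
    delivered: int = 0      # data slots that reached the receiver
    jammed: int = 0         # data slots destroyed by the jammer
    feed_slots: int = 0     # slots spent sending decoy packets on the old channel
    hops: int = 0           # channel changes made by the legitimate nodes
    jammer_moves: int = 0   # channel changes made by the jammer


def simulate(slots=1000, n_channels=3, detect_slots=5,
             idle_timeout=10, feed_period=None):
    """Toy model (assumed, not the thesis simulator).

    One packet is offered per slot. The jammer destroys every packet sent on
    the channel it sits on, and leaves for the next channel after
    `idle_timeout` consecutive slots without hearing a legitimate
    transmission. The nodes hop to the next channel after `detect_slots`
    consecutive jammed slots. With `feed_period` set, every `feed_period`-th
    slot is spent on the previously used channel sending a valid packet, so
    the jammer keeps hearing traffic there.
    """
    if n_channels < 2:
        raise ValueError("need at least two channels to hop")
    if feed_period is not None and feed_period < 2:
        raise ValueError("feed_period must leave room for data slots")

    data_ch = jam_ch = 0    # jammer starts on the channel in use
    old_ch = None           # channel the nodes last left (feed target)
    streak = idle = since_feed = 0
    out = Outcome()

    for _ in range(slots):
        # Decide whether this slot is a decoy (feed) slot.
        feeding = False
        if feed_period is not None and old_ch is not None:
            since_feed += 1
            if since_feed >= feed_period:
                feeding, since_feed = True, 0

        if feeding:
            active_ch = old_ch          # decoy packet on the abandoned channel
            out.feed_slots += 1
        else:
            active_ch = data_ch         # normal data packet
            if data_ch == jam_ch:
                out.jammed += 1
                streak += 1
            else:
                out.delivered += 1
                streak = 0

        # Jammer: stay while traffic is heard, otherwise count idle slots.
        if jam_ch == active_ch:
            idle = 0
        else:
            idle += 1
            if idle >= idle_timeout:
                jam_ch = (jam_ch + 1) % n_channels
                idle = 0
                out.jammer_moves += 1

        # Nodes: hop once jamming has been detected.
        if streak >= detect_slots:
            old_ch = data_ch
            data_ch = (data_ch + 1) % n_channels
            streak = since_feed = 0
            out.hops += 1

    return out


if __name__ == "__main__":
    for label, period in (("hop only", None), ("feed every 8", 8),
                          ("feed every 12", 12)):
        print(f"{label:14s} {simulate(feed_period=period)}")
```

In this model the decoy only holds the jammer when `feed_period` does not exceed the jammer's `idle_timeout`; a slower feed pays the feeding overhead and still gets followed, which is worse than not feeding at all.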
In short, instead of the majority of nodes failing in the presence of a jammer, both techniques
allow the majority of legitimate nodes to communicate successfully. Additionally, compared to the
existing literature, the proof of concept is provided with more participating nodes. Finally, the
network throughput achieved in the presence of a jammer is also enhanced.
1.5 Thesis Outline
The rest of the thesis is organized as follows. In Chapter 2, we present background on the basic
concepts related to the approaches used in this dissertation.
Next, a review of the related research in the domain of jamming attack mitigation and evasion
techniques is presented. Starting from jamming models and types, we proceed to the basic
physical layer detection strategies. Even though physical layer strategies are not the focus of this
dissertation, they helped us in analyzing the varying behavior of different jammers, and we expect
the same for the readers.
In Chapter 4, we provide the details of our own simulation model to analyze various jamming
types and their effectiveness in degrading wireless communication. A modified Conservation of
Flow (CoF) was used to measure the jammers' efficacy. CoF has already been used successfully for
detecting malicious nodes in wired networks, but to the best of our knowledge this is the first such
attempt to apply it in wireless networks. Moreover, we used AI-based algorithms to verify our
parameters and data set.
Chapter 5 presents a reactive technique to handle jamming attacks for
better gain in terms of throughput. Rather than switching frequently and allowing the jammer to scan
other channels in search of legitimate nodes, we propose that it is better to fight than to switch
channels frequently. Even though nodes initially hop in a coordinated manner, they return periodically
to the earlier used channel and feed the jammer with valid packets, giving the impression that the
currently jammed channel is still in use. However, if for some reason the jammer still scans
other channels and follows the legitimate nodes to the new one, the said technique is still found to
be effective.
Next, in Chapter 6, a preemptive protocol is proposed that can minimize jamming effects in an ad
hoc network environment. Since prevention is better than cure, the same idea underlies the
proposed preemptive approach to handling a jammer in an ad hoc network. The proposed approach is
found to be more effective than its predecessors, as discussed later.
In Chapter 7, final remarks are presented based on the techniques discussed earlier and their
results. Lastly, the future scope of this work is discussed.
Chapter 2
Background
2.1 Introduction
A network that is formed on a need basis, for a short period and on a peer basis, without any fixed
infrastructure is termed a mobile ad hoc network. Every member of the ad hoc network
volunteers to forward the traffic of other nodes; only on the basis of this cooperation does a node
become part of the ad hoc network. Since some or all nodes may be mobile, the path to a
destination may vary due to broken links. A node pair that has established a communication link
may be out of transmitting range at a later time. Thus, frequent updates of the nodes' positions are
required, and the sender node needs the cooperation of other members to act as
intermediate hops, so that data is re-routed to the destination at its new location.
2.2 Applications of Adhoc Networks
From indoor Personal Area Networks (PAN), as in a home, to the deployment of a network in an
emergency situation, such as data collection and tracking of victims in disaster relief, and from
hotspots at an airport terminal to taking part in a video conference, ad hoc networks are considered
the best choice. Some significant uses of ad hoc networks include [6, 7]:
• Impulsive Networking:
Ease of use and mobility, the major factors in the popularity of wireless networks,
allow users to be involved remotely in important matters through mobile conferencing,
regardless of their geographical location. Such ad hoc networking needs some infrastructure
to gain access to the Internet. Otherwise, a larger distance from a central point, such as an
office, involves more operating cost in terms of routing and delay, especially if multiple
transactions take place back and forth.
• Emergency Services:
The importance of the Internet is felt most when it is not available, for example
due to a natural disaster. Ad hoc networks help to overcome network
destruction during such emergencies. Search and rescue, relevant surveys and
data collection are the main help ad hoc networks provide during such disasters.
• Applications for Armed Forces:
One of the main objectives for ad hoc networks is combat zone survivability for
military needs. Avoiding a single point of failure, overlapping in terms of geographical
location and providing redundancy can all be achieved via ad hoc networks that coordinate
between various groups. The military also cannot plan ahead and depend on already
constructed communication infrastructure, especially in forests, deserts etc. or while it is on
the move.
• Sensor Networks:
A set of small, inexpensive processing devices is deployed to gather information about a
geographical location. These nodes communicate with each other to relay the gathered
information; in the absence of a central hub they may form an ad hoc network, and
information may be stored locally. The World Heritage listed Springbrook National Park is using
such sensors to track information on microclimates and biodiversity
periodically [8]. This sort of technology has principally been developed for use in mining,
medical and defense engineering [9]. Sensors currently in use include wind speed and
direction, rainfall, temperature and humidity, barometric pressure, leaf wetness, soil
moisture, etc.
2.3 Ad Hoc Network Vulnerabilities
One of the prime objectives in an adhoc network is the provision of secure communication
between various participants in an unfriendly environment. Distinctive properties of wireless
networks create new threats to the security design which were not present earlier; these include
the peer based network architecture, a common wireless medium open to all and varying topology
due to mobility [12]. If positively taken, these threats are helping in achieving a matured design
for future wireless communications, especially in terms of green-field technology where new
infrastructures are being deployed. However, for the already deployed ones, independent modules
/ protocols are desired to have a cheap solution.
The adversary may disrupt packet forwarding operations, which are based on the supposition that
nodes cooperate in routing packets destined for remote destinations [13]. Generally, routing
protocols are not disturbed via such attacks; rather, only the routing states maintained at each
node are infected, which affects the packet delivery operation. Another type of attack is the
denial-of-service (DoS) attack, where an enormous number of packets is fed on the medium, either
continuously or periodically, while other nodes may be communicating or keep on waiting
for the medium to get idle. Such fake packets force legitimate nodes into multiple packet
retransmissions and frequent packet drops, resulting in severe contention and network congestion
on the medium [22].
2.4 Handling Malicious Nodes
The existence of a malicious node is a great threat to the proper functioning of an ad-hoc
network. It is vital to counter such entities to avoid the valid nodes from being blocked and to
allow the network to provide its services in an optimum manner. Usually, three main steps are
used in tackling and managing a malicious node, the first being detection of a malicious activity
on the network [10] [11] [14]. Only once the presence is detected will participants be able to
trigger a reactive mechanism to handle it in future. The detection process is generally carried out
in a distributed fashion by each node. Further, periodic coordination is done to apply weight,
intimate others and minimize false alarms. Once the existence of a malicious node is confirmed,
the identification mechanism is triggered. Increased packet drops, frequent time outs and analysis
of packet traffic patterns and statistics are typical ways of identifying a malicious node [15] [16].
Generally, each node with the help of others tries to pin-point the malicious node, which is later
intimated to all other participants. Finally, all services and cooperation for that node, like
packet forwarding requests, are denied. This way, all nodes isolate the malicious node by refusing
to provide assistance [17].
2.5 Use of Multiple Channels in Wireless Network
A multi-channel approach can be used to achieve highly significant performance gains. An
inspiration to use more than one channel or multiple channels is that it ensures different
performance enhancements as compared to single-channel CSMA. The argument is that huge
number of channels can decrease the number of collisions by allowing simultaneous
transmissions and carry more resourceful utilization of the bandwidth [23-25].
Multi-channel protocols can be divided into different categories, based on the approach used for
control or data packet transmission or both. Devices may use single or double radios. In the
case of double radios, one radio may be dedicated to control messages whereas the other radio may
grant access to any other channel for data transmission. Generally, before transmitting, the sender
checks whether the proposed channel is free or not. If it is found free, the sender builds a record
of inactive idle channels. While transmitting the RTS frame, the transmitting node piggybacks the
list of available channels to the receiving node, on the condition that a minimum of one data
channel is found idle where the node pair can exchange the data packet. If the destination node is
busy or no channel is available for data exchange, the sender enters into the back off process.
After the acceptance of the RTS packet by the destination node, it finds the free data channel from
the maintained list. When the free channel is located, it sends the CTS frame together with the
selected channel number on the control channel after waiting SIFS time. However, if the said
channel is found occupied by sender, the CTS packet will not be transmitted. The other nodes in the
network that receive this RTS frame postpone their communication on the control channel just for
the time interval of the running CTS and RTS. After confirmation of RTS/CTS the data channel will
handle the rest and the control channel will be free for other node pairs.
When the CTS is received, the sender switches to the decided channel and waits for a SIFS amount
of time, just to ensure that the channel is idle. It then initiates data transfer to the intended
receiver on the new channel. The devices using such a mechanism are categorized as Dedicated
Control Channel. Examples include Dynamic Channel Allocation (DCA) [18], Power Control [19],
Dynamic Control Channel [20], CSMA MAC derived from IEEE 802.11 DCF with RTS/CTS.
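The dedicated-control-channel exchange described above, sketched as an added Python example (not code from the thesis or from DCA [18]). The node names, channel numbers, abstract time units and the rule that the receiver takes the first offered channel it also sees idle are assumptions.

```python
from dataclasses import dataclass, field

DATA_CHANNELS = (1, 2, 3)  # constructed: channel 0 is the dedicated control channel


@dataclass
class Node:
    name: str
    # Data channel -> time until which this node believes the channel is in use.
    reserved: dict = field(default_factory=dict)
    data_radio_busy_until: int = 0

    def idle_channels(self, now):
        return [c for c in DATA_CHANNELS if self.reserved.get(c, 0) <= now]

    def reserve(self, channel, until):
        self.reserved[channel] = max(until, self.reserved.get(channel, 0))


def negotiate(sender, receiver, overhearing, now, duration):
    """One RTS/CTS exchange on the control channel.

    Returns (outcome, channel, log) where outcome is "data" or "backoff".
    """
    log = []
    free = sender.idle_channels(now)
    if not free:
        log.append(f"{sender.name}: no idle data channel, RTS not sent")
        return "backoff", None, log
    log.append(f"{sender.name}->{receiver.name} RTS free={free}")

    if receiver.data_radio_busy_until > now:
        log.append(f"{receiver.name}: busy on a data channel, no CTS")
        return "backoff", None, log

    # The receiver answers only if a channel on the sender's list is also
    # idle from its own point of view (assumed rule: first common channel).
    receiver_idle = set(receiver.idle_channels(now))
    chosen = next((c for c in free if c in receiver_idle), None)
    if chosen is None:
        log.append(f"{receiver.name}: no offered channel is idle here, no CTS")
        return "backoff", None, log
    log.append(f"{receiver.name}->{sender.name} CTS channel={chosen}")

    # Everyone who heard the exchange records the reservation.
    until = now + duration
    for node in (sender, receiver, *overhearing):
        node.reserve(chosen, until)
    sender.data_radio_busy_until = receiver.data_radio_busy_until = until
    return "data", chosen, log


def demo():
    a, b, c, d, e = (Node(n) for n in "ABCDE")
    saturated = Node("G", reserved={1: 9, 2: 9, 3: 9})  # sees every channel in use
    f = Node("F")
    runs = [
        negotiate(a, b, [c, d, e], now=0, duration=5),   # first pair gets channel 1
        negotiate(c, d, [a, b, e], now=1, duration=5),   # second pair avoids channel 1
        negotiate(e, b, [a, c, d], now=2, duration=5),   # B is still receiving
        negotiate(e, b, [a, c, d], now=5, duration=5),   # retry after the back off
        negotiate(f, saturated, [], now=0, duration=5),  # no common idle channel
        negotiate(saturated, f, [], now=0, duration=5),  # sender has nothing to offer
    ]
    return [(outcome, channel) for outcome, channel, _ in runs]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because every agreement depends on the RTS/CTS pair getting through on one channel, the control channel is the part of this scheme whose loss stops all data exchange.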
Besides dedicated control channel, the remaining three protocol families use a single radio. In
Common Hopping, devices that are not exchanging data hop through all channels synchronously. A
transmitter and receiver pair build an agreement for the communication and restart the common
hopping pattern when the communication is completed. As compared to dedicated control channel,
the common hopping protocol is better because it uses only one transmitter and one receiver
(transceiver) per machine and it also utilizes all channels for data exchange. CHMA (channel
hopping multiple access) [21] and CHMA with packet trains [22] are examples of this design.
In the split phase approach, time is separated into a discontinuous series of control and data
transmission segments. Examples of this approach are MMAC (Multichannel MAC) and
Multichannel Access Protocol (MAP) [23]. In MMAC, time is split by beacons which are
periodically transmitted. The ATIM window is present at the start of every beacon message. Nodes
are required to listen to the default channel, which is one among the many channels and is already
defined. Thus, each node can identify the default channel. Outside the ATIM window, this default
channel is only utilized for transmitting data. If a node has buffered data packets which it wants
to transmit, it transmits an ATIM packet with its desired channel list to alert the target node.
After receiving the ATIM packet, the receiving node chooses one channel based on the preferable
channel lists (PCL) of both parties, that is its own and the one it received from the sender.
After selecting the channel, the receiving node incorporates the channel information in the
ATIM-ACK packet and sends it to the sender. After receiving the ATIM-ACK packet from the
receiver, the sender attempts to occupy the channel specified in the ATIM-ACK. If the
required channel is selected by the sender, it transmits the ATIM-RES packet to the destination
node. The ATIM-RES packet intimates the neighboring nodes of the transmitter that the said channel
will be used, so that the others update their PCL by using this information. After the ATIM window,
both transmitter and receiver hop to the said channel and exchange data after RTS/CTS.
Parallel Rendezvous protocols differ from the preceding multi-channel protocols in that multiple
device pairs can agree concurrently on various available channels. The major task is to overcome
the bottleneck of a single control channel. Due to multiple rendezvous channels, particular
coordination is required to rendezvous two devices on the identical channel. A way out is for
each idle device to follow a “home” hopping sequence, whereas the transmitting device needs to
transmit on that specific channel to find the anticipated receiver. SSCH [24] and McMAC [25] are
examples of this approach.
In SSCH, the capacity of an IEEE 802.11 network is increased by utilizing frequency diversity. All
nodes in a network use SSCH to toggle across channels in such a way that those which are
required to communicate overlap on the same channel. Whereas dislodged messages mostly do
not overlie, so interference is not found among the nodes. In multi-channel MAC protocols,
devices working in pairs are enabled to communicate on different channels simultaneously
to increase network throughput.
The different protocols can be compared by varying the available channels, hop time and offered
devices, to examine their effect on network efficiency. From the comparison it is found that
Parallel Rendezvous protocols such as McMAC and SSCH have the ability to perform better than
Single Rendezvous protocols. The Dedicated Control Channel protocol outperforms other protocols
at the cost of two radios. Further, protocols which use only one radio show high performance when
there is a small number of channels, but fall short in inspecting the channels and the status of
other members of the network accurately when there is a large number of channels. Parameters like
the length of the control and data segments need to be adjusted, because they are vital for better
performance of the split phase technique. MAC protocols that manage to exchange several packets
for the same destination after each meeting are found useful for various types of reciprocity.
This approach improves the flow (throughput), jitter and delays with any protocol discussed above.
2.6 Variations in Jamming Attack
2.6.1 Jamming Models
From the physical layer perspective, the jamming attack can be classified as follows [36]:
• Noise Jamming:
The channel bandwidth used by the targeted system is jammed with noise energy. This raises the
level of background noise at the receiver and makes it difficult to detect frames correctly. In
other words, the SNR (Signal-to-Noise Ratio) at the receiver end is decreased.
• Bit Jamming:
Jamming at the same frequency and modulation scheme as the targeted system seriously
decreases the network performance as the devices try to detect a known pattern in the bit stream
allowing them to synchronize. Since this modulated signal may not be filtered out like white
noise, it decreases the SNR at the receiver and occupies the channel heavily.
• Frame Jamming:
Jamming using frames according to the targeted system is hard to detect, since the jamming
signal is masked as regular frames. Its impact goes beyond minimizing the signal-to-noise ratio.
Due to unfairness of jammer, the channel may be occupied over long periods of time. Depending
on the system, this might be achieved with very low energy consumption by periodically
announcing long duration frames which compels the participating nodes to stay silent for said
amount of time.
Figure 2-1: Effect of Proactive Jammers in Wireless network
Furthermore, from the viewpoint of jammers, the use of additional information at the MAC layer
can increase their effectiveness. For a channel aware jammer, a single jamming pace is usually
applied for every likely status of the channel like busy, idle, etc. In a continuous-time model,
signals are produced based on a Poisson distribution having diverse ratio for varying status.
Additionally, intelligent jammers may have varying states depending upon the targeted
communication, e.g. a reactive jammer seeks a non-colliding transmission and immediately targets
it with a particular possibility of collision.
2.6.2 Types of Jammers
A jamming strategy describes the way an attacker disturbs the medium. Besides the time-based
strategies, where the jamming signal is active only in specific time intervals, more advanced
jamming schemes are possible which make use of knowledge about the physical and link
layer specifications of the targeted system. Based on the selected strategy, the effective jamming
is then performed by emitting an appropriate radio frequency signal. This could be noise or
modulated signals. The device that generates noise and creates intrusion for the network is
referred to as a jammer [19][20]. [19] explains different types of jammer. The most common ones are
known as proactive jammers, as shown in Figure 2-1 and discussed below:
a) Constant jammer
A constant jammer is not energy efficient; it just emits radio signals continuously on the
medium with the intent to keep it unavailable for legal communication. The signal is composed
of random bits. It does not follow MAC protocol rules and does not consider the ongoing
communication.
b) Periodic Jammer
A periodic jammer is similar to the constant type, except that it jams the channel for a certain
period and then sleeps for some time, after which it restarts injecting fake packets on to the
network. Thus a periodic jammer alternately sleeps and jams the channel, in repeated fashion. The
sleep and jam periods may or may not be the same.
c) Deceptive jammer
A deceptive jammer is just like the constant jammer in the sense that it also emits signals
continuously. However, rather than random bits, regular packets are emitted, so that its detection
is delayed due to the use of valid packets.
d) Random jammer
A random jammer is more energy efficient than the previous ones. It does not send signals
continuously; rather it follows the sleep-and-jam rule, i.e. it sends packets for some random time
interval and then turns off its radio or sleeps for a specific time interval. In jamming mode it
can act as a constant or deceptive jammer.
e) Pulse jammer
The efficiency of jamming depends on various aspects. These are jamming-to-signal ratio (J/S),
channel coding, modulation scheme and interleaving of the target system. If the jammer is not
able to jam continuously it changes the intensity (jamming level) by pulsed jamming. 77.
f) Reactive jammer
The jamming techniques mentioned so far are active, having the one goal of keeping the medium busy
for nodes regardless of which type of packets is flowing, and thus are easy to detect. The
reactive jammer, in contrast, has a more sophisticated jamming technique, which is much harder to
detect. It passively monitors the medium continuously and, whenever a valid packet is heard, emits
a packet large enough that a collision occurs at the receiver.
g) Intelligent jammer (energy efficient jammer)
All the above jamming techniques have low energy efficiency and a higher degree of detection. Not
only the physical layer but other layers can also be exploited for jamming purposes. Intelligent
jamming techniques operate on control packets, as all communication depends on them: no data gets
transferred if control packets are destroyed. This could reduce throughput to zero levels.
Different types of such jammers are described in [20] [21] [23]. Some important ones are:
• CTS Corruption Jamming:
This jammer senses the medium for RTS packets. If the jammer senses an RTS, it waits for SIFS
time and emits a small radio signal to corrupt the CTS packet, which is the expected response to
the RTS. By demolishing the CTS packet again and again, the sender times out and hence the data
packet is never transmitted.
• ACK Corruption Jamming:
ACK packets always follow the data packets. In this case the jammer looks for data packets;
once it hears a data packet on the medium, it simply waits for the SIFS time interval and then
sends a small jamming signal which destroys the ACK packet.
• DATA Corruption Jamming:
It is just like the ACK Corruption jamming technique. In this technique the jammer waits for CTS
packets, since DATA packets follow the CTS packets. When the jammer senses any CTS packet,
it just waits for SIFS time and then sends a noise signal to disrupt the data packets.
• DIFS Waiting Jamming:
In a network with a high traffic rate, it is quite normal that the medium is found inoperative for
DIFS time. Such a jammer senses and waits for the DIFS interval and sends one jamming signal
to corrupt communication. This technique cannot work well in a low traffic network.
j) Selective Jammer:
Another important category of intelligent jamming attacks is the selective jammer [26-27],
which targets control packets but can be a combination of the above discussed intelligent
jammers. Thus, the target layer is network if it is corrupting the route requests/replies, or
transport if the acknowledgement of a TCP communication is being garbled.
k) Flow Jammer:
Generally, multiple traffic flows may exist between point to point communications, which in
the absence of topology change do not require frequent route inquiry/ maintenance control
packets. Flows are sent in case of segmentation, as for large files, whereas multiple flows
vary in terms of parallel communication with different entities or applications. The flow jamming
attack [28-30] targets particular flow(s), which results in large delays and in the generation of
frequent control messages by the legitimate nodes, like frequent route requests in case the
existing route generates a route error, resulting in topology change or re-routing. The
complexity increases further if the jammer is not only intelligent enough to target the
concentration of flows on the network, but is also mobile and shifts itself accordingly.
l) Mobile Jammer:
Another form of jamming is the mobile jamming attack [31], which not only threatens the MAC or
physical layer, but also breaks the routing in an adhoc network. As the name suggests, the mobile
jammer has the mobility to sneak into the critical path based on the information it collects over
time by eavesdropping on the amount of traffic load and the direction of the dataflow. Besides, the
mobile jammer can decide when to jam an area based on a value called the jamming threshold. Mobile
jammers are more successful in environments where nodes have little or no mobility and a single
channel is used for communication, e.g. wireless mesh networks and WSN.
Chapter 3
Related Work
3.1 Introduction
Due to ease of installation and usage, the unlicensed band, cheap hardware, mobility, portability
and expandability, the wireless network has become the most popular technology among current
communities. New business networks are being deployed quickly, saving the cost and time of having
wired offices and workstations, resulting in a real business success tool. Different types of
wireless systems, ranging from WLAN to mesh and sensor networks, are available as per the
requirement. However, one critical issue of security exists in wireless networks; in particular,
some attacks are medium dependent and do not exist in the earlier counterpart [32]. The wireless
medium introduces many threats which cannot be easily addressed by the traditional protection
methods. One significant set of such attacks is denial-of-service (DoS), which is concerned with
filling user or system domain buffers. But in the wireless realm, attackers may attain the ability
to prevent legitimate nodes from communicating by capturing the medium. This is because wireless
networks are constructed via a common medium, which creates a trouble-free path for intruders to
introduce such attacks [33]. In a wireless network, defenses like cryptography, pass-phrase sharing
etc. can be overrun by a simple DoS attack that can shut down the whole network. Jamming is a
special category of DoS attacks which is used in wireless networks, where an attacker disrespects
the medium access control (MAC) protocol and transmits on the mutual channel, either
continuously or periodically, to target all or some communication, respectively [77-79].
Figure 3-1 shows a jamming scenario in a wireless network, where the red area marks the jammed
region. Jamming cannot be handled other than by preventing it, using either logical or
physical retreat. Such schemes are generally employed at the MAC layer and so is our emphasis
in this study, but other approaches are not ignored. Additionally, the major focus is on
possible solutions for nodes having only a single antenna. Initially, the variations that the
jammers are capable of are listed in the next section. Thereafter, the third section comprises the
basic parameters and metrics that are helpful in detection of a jamming attack. Unlike other
security attacks, jamming attacks are handled by avoiding the malicious entity via escape, either
physically or logically. Such retreats are discussed in the following section. Thereafter, we
discuss the mitigation techniques that are used and have been proposed in the near past, followed
by a critical review of the said studies. Finally, we conclude and highlight future directions.
Figure 3-1: Jammed Scenario in a wireless environment.
3.2 Jamming Characteristics and Efficiency Criteria
According to Xu [34], a jammer is defined as an individual who is intentionally obstructing the
methods of legal wireless communication. Such an individual is treated as an active attacker
depending upon its intentions and actions. From the jammer’s perspective, it can accomplish its
aim by seizing the sender such that it is unable to transmit or, as a second option which is found
better, by hindering the receiver so that it cannot understand the message completely or partially.
For the sake of concept, suppose two nodes are communicating and a jammer is residing nearby. The
jammer can prevent the sender from initiating a data communication by constantly emitting low
powered signals on the channel, allowing the sender to presume that the medium is occupied.
Alternatively, if for some reason the data is transmitted successfully, the jammer can target the
receiver’s end via inclusion of noise in the transmitted packet. Thus, a jammer can target a whole
area in its range or a particular transmission.
Before going into the details of tackling and mitigating a jamming attack, it is vital to overview
some factors and measures on the basis of which jamming attack is categorized and identified.
Ideally, jammer ought to have elongated energy to continuously hinder the communication.
Additionally, it should adopt the methodology not to get detected. A third criterion is that it
should disrupt the communication to possible extent i.e. level of DOS attack depends on interests
of jamming scenarios. That is, an adversary with restricted energy will not be much effective,
because the primary concern will be to lengthen its existence on the network, rather than
efficiently disrupt the communication. [35, 36] specifies the factors that are extensively utilized
for measuring jamming effectiveness:
• Energy Competence
• Likelihood of Exposure
• Domain of DoS
• Potential alongside physical layer techniques
In order to measure the degree to which a jammer assures these factors, Xu [34] analyzed and
discussed two methods that are of great importance:
Packet Send Ratio (PSR) is evaluated via number of packets which have been successfully
transmitted in accordance to the amount of selected packets. However, there is always chance of
interference because of the open medium; and surety of non intervention is not guaranteed [43].
If ‘m’ is the number of packets sent out and ‘n’ is the number of packets that were intended to be
transmitted, then PSR can be defined mathematically as:
Packet Delivery Ratio (PDR) is defined as number of packets that are received by recipient
when compared to amount of packets that were transmitted by the source [43]. If ‘q’ is number
of packets be very high and m no of packets sent then PDR can be defined mathematically as:
Even after packets are sent out by A, B cannot receive the message completely due to the presence
of X. PSR can be easily calculated by the number of packets that passed CRC at B with respect to
the number of packets received.
3.3 Techniques for Detecting Jamming Attacks
For the detection of jamming attacks, several practical implementations are possible. One
approach is to perform the detection on the active nodes during their own transmissions. Since
these nodes have a different view on the data flow depending on whether they act in the role of
the transmitter or receiver, they define two separate algorithms for both cases, i.e. transmitter-
based and receiver-based detection, depending upon where among both the parties the detection
algorithm is initiated. The "dedicated jamming detection" is useful in scenarios where the power
consumption and device complexity of most of the participating nodes should be low. The
detection is then performed by only one or a few nodes having enough resources available.
Finally, the development of a "cooperative jamming detection" algorithm is motivated by the
expected increase of detection performance compared to the standalone detection mechanisms,
since a broader view of the network is available. In the following, each of the four detection
strategies is discussed [37]. Another detection strategy for jamming attacks, proposed by [38], is
the Radio Frequency finger-print, which is useful for wireless networks. If the fingerprint of the
wireless network is not identified or is considered a threat, then the security of the network can
be increased by testing the legitimate user to ensure its authentication.
3.3.1 Transmitter-Based Detection
Different detection approaches of jamming exist; consider an ad hoc network with node A
sending to node B. To apply the decision algorithm [37] which is described in the previous
section, the transmitter has to determine the four metrics, as follows:
• PDR (Packet Delivery Ratio)
• RSSI (Received Signal Strength Indication)
• PHY rate (Physical Rate)
• Noise
3.3.2 Receiver-Based Detection
The main difference between receiver-based and transmitter-based detection lies in the
computation of the PDR. In transmitter-based detection, the transmitter knows the exact number
of data frames sent including all retransmissions; this is a priori not known to the receiver,
since several frames might get lost during transmission. Therefore, it is necessary
that the data frames contain additional information which enables the receiver to determine the
total number of sent frames. This can be achieved by adding a sequence number to every single
data frame, as in the WLAN standard [37].
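One way a receiver can turn sequence numbers into a PDR estimate, as an added Python example (not the algorithm of [37] and not code from the thesis). It assumes a 12-bit counter as in the 802.11 sequence number field, that a retransmission repeats the number of the frame it resends and so is counted once, and a constructed alarm threshold and frame trace.

```python
from dataclasses import dataclass

SEQ_MODULUS = 4096   # assumption: 12-bit counter, the width of the 802.11 sequence number
PDR_ALARM = 0.6      # constructed threshold, to be tuned per deployment


@dataclass(frozen=True)
class Frame:
    seq: int         # sequence number read from the frame header
    crc_ok: bool     # whether the frame check sequence verified


def receiver_pdr(frames, prev_seq=None, modulus=SEQ_MODULUS):
    """Estimate PDR for frames given in arrival order.

    prev_seq is the newest valid sequence number from the previous window, so
    frames lost across a window boundary are still counted as sent.
    Returns (delivered, sent_estimate, pdr, newest_seq).
    """
    newest = prev_seq                       # unwrapped, may exceed modulus
    start = None if prev_seq is None else prev_seq + 1
    delivered = set()
    for frame in frames:
        if not frame.crc_ok:
            continue                        # header may be corrupt: do not trust seq
        if newest is None:
            start = newest = frame.seq
            delivered.add(frame.seq)
            continue
        delta = (frame.seq - newest) % modulus
        if delta >= modulus // 2:
            delta -= modulus                # behind the newest frame: late or duplicate
        unwrapped = newest + delta
        if unwrapped < start:
            continue                        # belongs to an earlier window
        delivered.add(unwrapped)
        newest = max(newest, unwrapped)
    if start is None or newest < start:
        # Nothing valid arrived. Corrupt-only traffic counts as PDR 0,
        # silence gives no estimate at all.
        return 0, 0, (0.0 if frames else None), prev_seq
    sent = newest - start + 1
    return len(delivered), sent, len(delivered) / sent, newest % modulus


def monitor(frames, window=8, threshold=PDR_ALARM):
    """Evaluate consecutive windows of arrivals and flag those below threshold."""
    report, prev = [], None
    for i in range(0, len(frames), window):
        delivered, sent, pdr, prev = receiver_pdr(frames[i:i + window], prev)
        report.append((delivered, sent, pdr, pdr is not None and pdr < threshold))
    return report


# Constructed trace: the sender numbers its frames 4090, 4091, ... (wrapping to 0).
CLEAN = [Frame(s % SEQ_MODULUS, True) for s in range(4090, 4098)]
JAMMED = [Frame(2, True), Frame(977, False), Frame(5, False), Frame(9, True),
          Frame(9, True), Frame(12, False), Frame(15, True), Frame(19, True)]
TRACE = CLEAN + JAMMED

if __name__ == "__main__":
    for row in monitor(TRACE):
        print(row)
```

Frames lost after the last valid frame of a window cannot be seen until the next valid frame arrives, so the estimate lags by one window under heavy loss.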
3.3.3 Dedicated Detection
In case of dedicated detection [37], the RSSI and PHY rate are read from the acknowledgement
frames arriving from the receiver, i.e. node B. As always, the noise level is taken from arbitrary
frames arriving at the monitor. Based on the gathered statistics over several ACK frames, the
monitor then applies the decision algorithm. Finally, the node dedicated to the jamming detection
announces its decision to the other participating nodes in a broadcast frame. This broadcasting is
then repeated whenever the decision changes in future.
3.3.4 Cooperative Detection
This detection scheme is the combination of all the previous three strategies. In this case the
technique is to share all the information at all nodes among each other and to make a decision
based on this broader view. This means that every participating node in the ad hoc network
gathers its own information independently using any of the above techniques and shares with its
neighbors.
3.3.5 Detection via RF Finger-Print
The RF finger print is deployed as a means to enhance security in wireless networks. As the
transmitter of the radio activates, the transmitted RF signal demonstrates transient
behavior with reference to the instantaneous frequency and amplitude. The duration of the
transient behavior can vary with the model type and nature of the transmitter. Differences
between transmitters of the same type can also be observed, caused by aging and the
manufacturing tolerance of the devices. The unique turn-on transient signal behavior is called
the RF finger print of a radio and can be used to identify the transmitter [38].
3.4 Jamming Attack on the Control Plane
The wireless medium is accessed through the CSMA/CA mechanism in order to transmit data. Before
sending an RTS, a node waits for the DIFS time gap, and before sending CTS, DATA or ACK it waits
for SIFS time. Such a mechanism is implemented to avoid collisions and resolve the hidden node
problem. For disrupting network communication, different types of jamming methods and
jammers are available, such as continuous jamming, random jamming, intelligent jamming etc.
Each jamming method has a cost in terms of energy, where energy in certain scenarios can be a
vital constraint to survive for a prolonged period on the network. Continuous and random emission
of signals have a higher cost than intelligent jamming, which targets control packets rather than
the whole frequency band. Such a jamming mechanism requires good knowledge of fundamental wireless
network protocols. Intelligent jamming varieties target control packets such as ACK, DATA, and
CTS etc. A CTS corruption jammer seeks the RTS packet on the medium. When it senses the
required packet, it generates noise (a small radio signal) after waiting SIFS time to corrupt the
CTS packet. Similarly, after sensing a CTS packet it will send small interruption signals after the
SIFS interval in order to distort the data packet. In wireless transmission the ACK frame has the
highest priority over other packets. Seizure of the ACK is enough for the transmission to fail
[39-41]. Retransmission of data packet(s) not only consumes node energy, but also results in
backing off of neighboring nodes. The four major sources of energy loss for nodes are collisions,
control packet overhead, overhearing, and idle listening [42].
A mitigation method for the ACK attack is presented in [43]. They propose ENAV (Extended Network
Allocator Vector), which mitigates the impact of the ACK attack. It brings flexibility in NAV time
for the receiver in sending the ACK packet, which follows each DATA packet received at the
receiver end. In CSMA/CA the ACK packet follows the DATA packet after the SIFS time interval, but
with ENAV the receiver has flexibility, which reduces the chances of collision. With this
scheme the victim node can reduce its energy consumption by 40%. Furthermore, energy efficient
attacks such as the denial of sleep attack can be defended against by using the framework
suggested in [38]. This framework has four key components: strong link-layer authentication,
anti-replay protection, jammer identification and mitigation, and broadcast attack defense. Using
this, a node can preserve nearly 80% lifetime and achieve 77% throughput of the network.
3.5 Jammer Mitigating Techniques
In this section we survey the methods of mitigating a jamming attack. These include the use of
spread spectrum at the physical level, followed by MAC layer approaches to evade and retreat from
a jammed channel, either physically or logically moving away from the jammer. Finally, the
techniques for resumption of network nodes to reestablish a network are discussed.
3.5.1 Spread Spectrum
Spread spectrum has two basic motivations [44]:
• Provide resistance against jammer
• Hide communication
In a wireless environment, the most commonly used anti-jamming technique at the physical layer is
spread spectrum based communication. However, it does not fully secure communication against
a jamming attack. The major drawback is that an invader does not have to be aware of the whole
spectrum alteration progression in order to interrupt communication. For instance, in the case of
voice communication, corruption of a small part of the conversation between human users will
have a minor effect on the quality of communication.
3.5.2 Evasion Techniques
• Spatial Retreat
Spatial retreat is a mechanism to physically evade the jammed area. The rationale behind this
strategy is that when an area of the wireless network is jammed, all nodes try to estimate the
jammed region on the basis of the detection algorithm and flee physically in the direction of a
safer place. Based on their estimate of the jammed region, nodes independently opt for the shortest
path to avoid being jammed and move accordingly. Figure 3-2 shows the spatial retreat approach
for a two party communication scenario [46]. The area illustrated via slashed stripes is the jamming
range. As wireless networks are vulnerable to such intrusion, which interrupts node communication,
the above approaches were introduced to survive such interference. There are
basically two approaches used in this technique: Jammed Area Mapping (JAM) and Node Escape.
Figure 3-2: Spatial Retreat strategy for a two party communication scenario [46]
i. Jammed Area Mapping (JAM)
This mechanism employs a scattered approach to map out the jammed area so that communication
with that part of the network can be avoided during specification of routes [46]. Once
out of the jammed region, legitimate nodes try to relocate others and hence may change their
direction and speed according to the predefined algorithm [47].
ii. Node Escape
This technique is for the physical escape of the node from the jamming location. In view of
the fact that most devices of a wireless network are mobile, like cell phones or WLAN
enabled laptops, this technique is more likely to be adopted. The main theme is to move away
from the jammed area and periodically sense the medium to check whether it has become
interference free. This procedure is repeated till the node reaches an interference free location [34].
3.5.3 Retreat Restoration
A very important phase of handling jamming in an adhoc network is to restore the network to
non-defensive mode when the attacker goes out of range. This phase is highly important because in
adhoc networks our prime focus is to conserve energy so as to prolong the lifetime of
nodes. In a proactive defense mode energy consumption increases manifold, which makes it
all the more vital to bring network nodes back down to the normal level of energy
consumption essential for basic functionality. This retreat restoration can take place
in either manner: by coordinated or uncoordinated communication. Coordinated communication is
based on a pre-planned hop pattern between senders and receivers. Such a pattern is
decided among the network nodes prior to starting communication, and as soon as nodes intend to
get in sync with any particular node they switch channels or frequencies according to the
pre-defined pattern to find the receiver node [48]. Such pre-defined hop coordination can be a
formula for finding the right control and data channel.
3.5.4 Temporal Retreat
Temporal retreat is a mechanism to logically retreat from the jammed area by changing the
channel that nodes communicate on. This mechanism gives the attacker the impression that the
participants are no longer available on the same channel, and hence it becomes a retreat without
any physical movement. However, if the jammer is intelligent enough to sense other channels for
legitimate communication, the network participants repeat the same procedure again and again;
this methodology is referred to as channel hopping. In the uncoordinated manner, after each hop
every communicating node needs to get synchronized with the other nodes. When any node is
unable to communicate for a certain period of time, it starts listening on other channels in order to
sense whether its neighboring nodes have hopped on due to jamming or not. If, on the other hand,
the participants have decided earlier on a channel hopping mechanism based on a
formula, etc., it is referred to as coordinated channel hopping [49-54].
3.5.5 Hybrid Approaches
These approaches define new protocols based upon several existing
approaches to present an even more effective anti-jamming mechanism. Other protocols that combine
innovative strategies like artificial and swarm intelligence are also included in this section. Some
approaches involve preemptive channel hopping or frequency hopping [55,56] instead of reactive
ones in order to prevent getting into a state where jamming disrupts normal communication.
Other implementations include synchronous and asynchronous spectral multiplexing, where the
concept of intermediary nodes has been introduced to communicate on multiple channels. When a
node changes its channel because of jamming, one of its neighbors takes it upon itself to
communicate with the node on its new channel and with the rest of the network on the old channel [57].
Another strategy targets prediction of the nodes which are about to be jammed and hence
should be removed from routing in a wireless network. This strategy uses LEACH as its base
routing protocol and uses JAM for predictive determination of jamming holes [58]. The DEEJAM
[59] protocol is an amalgamation of frame masking, channel hopping, packet fragmentation and
redundant encoding in order to avoid all four types of jamming classes, and succeeds in reducing
the impact of a pulse jam attack to 11%. However, the extra computational overhead of these
approaches is unresolved. It is magnified in situations where there simply is no jammer in the vicinity.
Swarm intelligence is yet another strategy gaining popularity in the field of wireless routing and
other issues related to WLAN. One such swarm based methodology is the simulation of ant
behavior in tracing a path to a food source. This method is very effective and energy efficient
as it is based on the natural process of pheromone laying and determining optimum routes [60].
However, the implementation details of this process are quite complex, as the volatility of the
process and its intelligent learning are difficult to model.
3.5.6 Cognitive Radio
Cognitive radio is quite useful for better utilization of the available spectrum and for increasing
jamming resilience. The jamming problem cannot be handled by Adaptive Frequency Hopping
because it cannot differentiate between self-interference and noise generated by other devices.
[61] describes some attack mitigation schemes such as Robust Sensory Input, Mitigation in
Individual Radios, and Mitigation in Networks. In robust sensory input, the improved input
sensor helps significantly to reduce the credulity of cognitive radios. For example, when would
the radio be able to carefully differentiate between the characterization of interference and noise,
during events of natural and man-made RF divergence? Such sensors can map dedicated
functionalities at the hardware level that filter signs of hostile signals which can corrupt the
confidence of the radio. Mitola [62] describes the typical cognition cycle of Observe, Orient, Plan,
Decide and Act. If the radio maintains learning, whenever this loop results in a new operating
state for the radio, another stage called Learn is injected into the cognition cycle. It allows the
radio to add to its memory information about how it transitioned to this new operating
state, information that can be used by Plan and Decide in future cognition cycles. Improving
sensor input can significantly help to reduce the gullibility of cognitive radios. For example, if
radios could carefully characterize the difference between interference and noise, they could
distinguish between natural and man-made radio frequency events. Such sensors could also feed
specialized policy engine subroutines that specifically look for hostile signals that may be
attempting to corrupt a radio’s beliefs [61].
3.6 Discussion on Proposed Algorithms
So far we have only given an overview of the general techniques that exist for mitigating the
jamming attack, either detection or retreat. In this section we investigate further ideas that can be
applied to handle a jamming attack.
Table 3-1 presents a logical division of all the techniques and proposed algorithms that have
been highlighted earlier. In this section we discuss them in detail on the basis of the category
each study lies in. The studies listed are from recent years, some emphasizing
a single approach whereas others focus on a combination of strategies (like detection
and retreat, etc.). Additionally, there are studies that have categorized the jamming attack on the
basis of control and data packets. Lastly, protocol suites that avoid a single intelligent jammer
mounting varying jamming attacks are also listed in Table 3-1.
Table 3-1: Logical Division of Jammer Handling Strategies
Column groups: Retreat Restoration; Multiple Channels
Columns: S. No. | Ref. No. | 1st Author | Name of Technique (if any) | Detection | Spatial Retreat | Temporal Retreat | MMAC | Multi-Radio | Energy Efficiency
1. [59] Wood A.D. DeeJam X X
2. [34] Xu W. X X X
3. [35] Xu W. X X X X
4. [63] Paula A.R. DIDS X X
5. [69] Shi J. AMCP X X X
6. [60] Muraleedharan Ant X
7. [65] Mishra A. MaxChop X
8. [68] Alnifie G. Mulepro X X
9. [75] Lin C.S. CMCT X X
10. [56] Li M. X X X X
11. [76] Chen W. X
12. [66] Khattab S. X X X X
13. [64] Strasser M. UFH X X
14. [52] Nguyen H. Allibi X X X
15. [54] Othman J.B. X X
The focus of this chapter is to explore the techniques for tackling a jamming attack, and for this
the physical layer approaches are highlighted first. Physical layer metrics help in deciding
anti-jamming strategies and suggest changing physical level details of the communicating traffic.
The said change may be in the form of implementing spread spectrum (FHSS or DSSS) or in
the form of accommodating extra information in basic packet headers. Under this category are also
studies which suggest modification of the communication packet size (packet fragmentation) and
hiding of packet header markers (frame masking), as suggested in [59]. The authors of [31] focused
on frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS),
considered to be highly resilient in a jammed environment at the physical layer. The major
contribution of this work is the analysis of a variety of countermeasures against jammers
which enable the network to endure and operate correctly in a seized situation. The authors
recommend the use of a particular FHSS method in the 5 GHz band having 55 channels.
Using a secret key shared between the source and the sink nodes, a channel sequence may be
generated. Each channel uses DSSS modulation with a 16 bit Pseudo Noise (PN) code, which
is derived from the same secret word used for FHSS channel generation. The authors of [55]
proposed a new mechanism to mitigate jamming attacks via a random channel selection protocol,
especially developed to facilitate communication among nodes in the presence of jammers. To make
this possible, a pair-wise key pre-distribution protocol based on a bi-variate
polynomial is used in order to build a secure random frequency hopping schedule between two nodes.
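The shared-secret hopping described above, and the pre-agreed "formula" of coordinated channel hopping in Sections 3.5.3 and 3.5.4, can be made concrete as follows. This is an added example, not code from the thesis or from [31] or [55]; the field prime, node IDs, polynomial degree and the use of HMAC-SHA256 to turn a slot number into a channel and a 16 bit PN seed are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1        # assumed prime field (a Mersenne prime); not specified on the page
NUM_CHANNELS = 55     # 55-channel FHSS plan in the 5 GHz band, as cited in the text


def make_symmetric_poly(degree):
    """Setup phase: random symmetric bivariate polynomial f(x, y) over GF(P).

    coeffs[i][j] is the coefficient of x^i * y^j. Forcing
    coeffs[i][j] == coeffs[j][i] gives f(x, y) == f(y, x), which is what
    lets two nodes agree on a key without exchanging any key material.
    """
    coeffs = [[0] * (degree + 1) for _ in range(degree + 1)]
    for i in range(degree + 1):
        for j in range(i, degree + 1):
            coeffs[i][j] = coeffs[j][i] = secrets.randbelow(P)
    return coeffs


def node_share(coeffs, node_id):
    """Share pre-loaded on one node: the coefficients of g(y) = f(node_id, y).

    node_id must be a non-zero integer that is unique in the network.
    """
    n = len(coeffs)
    return [sum(coeffs[i][j] * pow(node_id, i, P) for i in range(n)) % P
            for j in range(n)]


def pairwise_key(share, peer_id):
    """Evaluate the local share at the peer's ID using Horner's rule.

    Node a computes f(a, b) and node b computes f(b, a); symmetry makes
    them equal, so nothing has to cross the (possibly jammed) channel.
    """
    acc = 0
    for c in reversed(share):
        acc = (acc * peer_id + c) % P
    return hashlib.sha256(acc.to_bytes(16, "big")).digest()


def hop(key, slot):
    """Map a time-slot number to (channel index, 16 bit PN seed)."""
    tag = hmac.new(key, b"hop" + slot.to_bytes(8, "big"), hashlib.sha256).digest()
    # 64 bits reduced modulo 55: the modulo bias is negligible here.
    channel = int.from_bytes(tag[:8], "big") % NUM_CHANNELS
    pn_seed = int.from_bytes(tag[8:10], "big")
    return channel, pn_seed


def schedule(key, first_slot, count):
    """Hopping schedule for `count` consecutive slots starting at first_slot."""
    return [hop(key, s) for s in range(first_slot, first_slot + count)]


if __name__ == "__main__":
    # Constructed scenario: node IDs 17 and 42, polynomial of degree 3.
    poly = make_symmetric_poly(3)
    share_a, share_b = node_share(poly, 17), node_share(poly, 42)
    key_a, key_b = pairwise_key(share_a, 42), pairwise_key(share_b, 17)
    print("keys agree:", key_a == key_b)
    print("node 17 hops:", schedule(key_a, 1000, 5))
    print("node 42 hops:", schedule(key_b, 1000, 5))
```

A polynomial of degree t keeps the pairwise keys of other nodes secret as long as no more than t shares are captured, so t is chosen against the expected number of compromised nodes.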
Asynchronous Multi-channel Coordination Protocol (AMCP) [60] is a MAC protocol that works
in a distributed fashion, enhances cumulative network throughput and also tackles the
elementary synchronization issues that lead to isolation. AMCP realistically develops, and
verifies via case scenarios, an estimated lower bound on the throughput of any flow in a random
setup. It also delivers considerably enhanced throughput for each flow
as compared to WLAN and multichannel propositions.
The authors of [33] explain the detection of jamming attacks on the control packets in WLANs, i.e.
RTS and CTS jamming, and propose a CUSUM based detection method that is capable of
locating a jammer precisely at the cost of small storage and computation. A change point
is detected due to contiguous fake packets on the medium; when such points are noticed in the
received traffic patterns, alarms are triggered to notify all nodes. An Intrusion Detection System
(IDS) [34] was proposed that satisfies the requirements and conditions of WSNs. Preventive
mechanisms are generally required to defend against such intrusions. However, certain intrusions
exist for which no well-known avoidance methodology can be applied, and hence it becomes
essential to utilize some means of intrusion detection. This way, not only is the network protected
from harm caused by the intruder, but analyzing the attacking techniques also helps in developing
a prevention system.
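The change-point idea behind CUSUM based detection can be illustrated with a one-sided CUSUM run over a per-interval traffic counter. This is an added example, not the algorithm of [33]: the monitored metric (RTS frames per 100 ms that were not followed by a completed exchange), the sample traces and the slack and threshold settings are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed traces: RTS frames per 100 ms interval that were not followed
# by a completed exchange. The first 20 samples are jammer-free calibration.
BASELINE = [2, 1, 3, 2, 2, 1, 2, 3, 2, 1, 2, 2, 3, 1, 2, 2, 1, 3, 2, 2]
JAMMED_TRACE = BASELINE + [2, 3, 1, 2, 2] + [4, 3, 4, 5, 4, 4]  # shift at index 25
CLEAN_TRACE = BASELINE + [2, 3, 1, 2, 2, 2, 1, 3, 2, 2]


def calibrate(baseline, k_sigma=0.5, h_sigma=5.0):
    """Derive the CUSUM parameters from jammer-free traffic.

    Returns (mu, k, h): baseline mean, slack (drift allowance) and alarm
    threshold, the last two expressed in multiples of the baseline sigma.
    """
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0   # guard against a perfectly flat baseline
    return mu, k_sigma * sigma, h_sigma * sigma


def cusum_detect(samples, start, mu, k, h):
    """One-sided CUSUM for an upward shift in the monitored counter.

    S_i = max(0, S_{i-1} + (x_i - mu - k)); an alarm is raised when S_i > h.
    The index at which S last left zero is reported as the change estimate.
    Only O(1) state is kept per monitored counter.
    """
    s = 0.0
    run_start = None
    for i in range(start, len(samples)):
        s = max(0.0, s + (samples[i] - mu - k))
        if s == 0.0:
            run_start = None
        elif run_start is None:
            run_start = i
        if s > h:
            return {"alarm_at": i, "change_estimate": run_start, "statistic": s}
    return None


def fixed_threshold_detect(samples, start, limit):
    """Per-sample threshold test, for comparison with CUSUM."""
    for i in range(start, len(samples)):
        if samples[i] > limit:
            return i
    return None


if __name__ == "__main__":
    mu, k, h = calibrate(BASELINE)
    n = len(BASELINE)
    print("CUSUM on jammed trace:", cusum_detect(JAMMED_TRACE, n, mu, k, h))
    print("CUSUM on clean trace: ", cusum_detect(CLEAN_TRACE, n, mu, k, h))
    print("fixed threshold:      ", fixed_threshold_detect(JAMMED_TRACE, n, mu + h))
```

On the constructed jammed trace no single sample exceeds the fixed limit, while the accumulated statistic crosses the threshold three intervals after the shift begins.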
The authors of [35] proposed channel hopping and a physical shift away from the jammed area and
demonstrated it using Mica2 networks. However, the focal point was the methodologies to
determine the instant at which the jammer is active (afterwards in [38]), instead of proposing an
overall avoidance scheme. Besides, the authors did not address the overhead involved in channel
hopping or in checking for the existence of a jammer. The authors of [56] consider a situation with
a complex jammer that congests an environment with fake packets using single channel
communication. Probability based signals are emitted by the jammer so that maximum loss of
communication links occurs over the network. Additionally, the jammer is smart
enough to cease when a monitoring node transmits a notification message out of the
jammed region and it knows it has been detected. The monitoring node identifies the jammer with
the help of an optimal detection test on the packet collisions that took place over a period of time.
Once triggered by the monitoring node, the network calculates the likelihood of channel access to
minimize frequent jamming identification and notification messages.
Physical evasion [34] requires the nodes to be mobile and is thus not energy efficient in
environments like sensor networks. The idea of this approach is that when mobile nodes
continuously face distortion at a particular location, they should simply move out in search of
a secure region. It is usually an attractive technique for wireless networks as devices are
generally mobile, like cell phones or WLAN enabled laptops. However, the main concern in
adopting this technique is to come up with the tactic by which devices move away
while staying in synchronization with other members of the network.
Temporal retreat is a mechanism to logically avoid the jamming area by changing the channel
order a node communicates on. This mechanism gives the attacker the impression that the node
is no longer available on the same channel, and hence the retreat takes place without any physical
movement. An Uncoordinated Frequency Hopping (UFH) technique is proposed which is
applied independently and individually by all nodes [64]. The problem of jamming resistant key
establishment can be solved by anti-jamming techniques like FHSS or DSSS, which allow
devices to communicate during key establishment, on condition that a secret spreading key/code
has been shared in advance. Even though this condition is quite minimal, it generates
a cyclic dependency between key establishment and spread spectrum based communication, which
is yet to be addressed. Similarly, the authors of [70] address mutual broadcasting using UFH, based
on receiving channel selection without any prior coordination. The distinguishing contribution of
the authors of [71] is that the proposed method, Uncoordinated Spread Spectrum (USS), is
mainly focused on reactive jammers but also covers other jammer types, like random,
static, etc. A further enhancement in terms of the attack model is suggested in [72], which addresses
the problem of time synchronization and localization for GPS spoofing attacks.
The authors of [65] highlight the complexity of equality in uncoordinated deployments, mainly from
the channel assignment viewpoint in a wireless environment. The proposed answer rests on the
idea of temporal retreats. It is distributed in nature, involves no prior harmonization between APs
owned by various hotspots, is simple to employ and is compatible with existing standards.
Specifically, the proposed idea is called MAXchop, which works effectively with non-overlapped
wireless channels, although it is found particularly efficient in exploiting partially-overlapped
channels. Additionally, they assess through extensive simulations how the said channel assignment
approach combines with previously proposed carrier sensing schemes to provide additional
performance enhancements.
Jamming is considered a severe threat for wireless networks, as normal measures fail to
secure against and counter it. Two defense strategies for jamming mitigation with respect to single
and multiple antenna apparatus are explained in [66]. These are proactive and reactive channel
hopping. Proactive channel hopping algorithms have so far been of prime concern as compared
to reactive techniques. From the single-radio point of view, theoretical models have been developed
to investigate the blocking probability for combinations of defense and attack strategies. For
multiple antenna devices, min-max game theory was applied to the jamming problem, and
simulation illustrates that the result of the game depends on the payoff function. Additionally, the
authors demonstrate that reactive techniques offer improved jamming resilience as compared to
proactive ones, but are the same in terms of energy efficiency. The authors of [73] have addressed
control-channel jamming from an insider jammer perspective with the help of cognitive
radio, by establishing and maintaining a randomized distributed channel via frequency
hopping for each node independently. Further, the authors of [74] enhance the schemes in a WMN
scenario on the basis of localization of each node, forming clusters with mesh routers as the
cluster heads (CH). Thus, multiple control channels exist on the network, based on geographical
location, for as long as the jammer exists.
Mobility lists the papers which have presented solutions catering to mobility as a property
of the communicating nodes in a network as well as of the attacking jammer. It also lists
approaches to diminish the effects of a mobile jammer, evading which is much more complex and
energy consuming than other forms of attacking jammers. A distinct feature of such approaches is
the “Restoration phase”, where network nodes assume the original communication positions
they held prior to coming under the influence of a mobile jammer. The authors of [67] discussed a
novel and powerful jamming attack called the mobile jamming attack. Besides, they propose a
multi-dataflow topologies scheme that can effectively defend against the mobile jamming attack. The
simulation results of this study demonstrate that the mobile jamming attack is more devastating
than traditional jamming attacks and that the proposed defense scheme can effectively alleviate the
damage. The authors of [39] presented three defense techniques: reactive, proactive, and hybrid.
MMAC marks the works which present the use of multiple channels as an inherent communication
property in an adhoc network. This category is more focused on the proactive use of channels
for overcoming the effects of a jammer in the surroundings.
Another technique, which provides an urgent and robust response to the jamming attack, is known
as MULEPRO [68]. It stands for MULti channel Ex-filtration Protocol and is designed to quickly
exfiltrate the sensed data from the jammed region to the outer area. The major strength of this
technique lies in its distributed nature, where all nodes can calculate, from a single seed value,
the time slot and channel where data communication will take place.
Finally, jamming need not be treated only as an adversary; it can instead be used in a constructive
manner among network nodes, as in [40]. Using jamming on unwanted traffic saves other
nodes from trying to process it as legitimate information and hence conserves energy.
The focus of the literature in general has so far been either to detect the jamming attack from the
physical layer perspective or to come up with reactive approaches having the underlying assumption
that nodes are able to detect the jammer’s existence. Contributions on proactive approaches are
largely lacking, as such techniques are considered to involve more overhead. A similar trend is found
for spatial retreat from the perspective of retreat restoration, where temporal retreat gets
more attention. Logical escape has mostly been considered in terms of WSN, Bluetooth
and WLAN, where at least a central entity is present to show the way to legitimate nodes. For
example, in WLAN the AP leads the channel hopping sequence by announcing a special message
and the nodes follow. From the MANET viewpoint, however, there is still considerable room to work
with, for both reactive and proactive techniques.
Multiple channels exist in the wireless standard and are available to use, as suggested
in the literature, not only to attain more throughput by simultaneous communication but to evade
the jammer as well. However, the distributed nature of the said environment and the lack of
synchronization are still a major issue in MANET. For that very reason multiple / smart antennas
have been in focus, but practically they are yet to gain attention. Additionally, simpler and smaller
devices having single antennas would need a hardware level modification in their basic design
architecture. So, the need is to come up with software based solutions that are proficient and
efficient for all in a distributed manner against the jamming attack, to avoid virtual collapse of
the network.
3.7 Summary
The jamming attack is different from other security attacks, as it cannot be mitigated like the
others. The severity increases manyfold in a wireless environment due to the lack of detection and
prevention mechanisms in the 802.11 standards. In this chapter, we surveyed the ways through which
an attacker can disrupt the medium. It has been analyzed that in addition to the time-based
strategies, in which the jamming signal is active only for a specified interval of time, there are
efficient jamming schemes possible which make use of knowledge about the physical and link
layer specifications of the targeted system. Hence, an intelligent jammer can survive longer on
the network.
Jamming attacks are avoided by escaping from the jammed area. In the case of mobility, as in
WLAN, legitimate jammed nodes need to be equipped with a jamming detection technique, via
which they can physically escape from the jammed region and later try to relocate other nodes by
periodically moving and sensing beacon messages from others. Nodes flee out of the jammed
region by estimating the jammer’s signal strength on the basis of the jammer detection mechanism.
So far, the jamming attack detection mechanisms are threshold based and may increase the false
alarm rate. Additionally, the relocating algorithm to find peer nodes is run independently on each
node, via randomly chosen speed and direction. The combination of the above stated algorithms is
quite complex and is found effective only in dense environments, where the chances of relocating
other nodes are higher.
The use of multiple channels in wireless networks has been in focus for increasing throughput and
for simultaneous communication in the same vicinity. However, the additional channels are
also a solution against single band jammers, where legitimate nodes hop to another channel, either
on the basis of earlier coordination or chosen randomly, where they can later try to
resume communication with others. Besides, for uncoordinated escape from a jammer as in an adhoc
network, the use of boundary nodes is considered useful for the nodes that are stuck in the jammed
region and are unable to move away. When the wireless network gets jammed, each node becomes
independent, as it is unable to communicate with others, and thus all the above techniques are
applied by the node autonomously, requiring more power and energy consumption. Furthermore,
channel switching has its own overhead but is found valuable for stationary nodes having a large
number of channels, especially against frequency swept jammers.
As discussed earlier, proactive and reactive algorithms generally have approximately the same
energy consumption in the case of jammer avoidance. However, the added advantage of using the
former is that no detection mechanism is needed. Therefore, a couple of studies have proposed
proactive protocol suites for WLAN and WPAN environments. But the challenge is to develop
such protocols for MANETs, especially against intelligent jammers, with the emphasis on
securing control and data channels, or both; if not all nodes, then the majority should be able to
cope with the jammer.
Chapter 4
Estimating the Effects of Jammers via Conservation
of Flow in Wireless AdHoc Networks
4.1 Introduction
Jammer interference and jamming are conventionally tackled by PHY-layer
communication techniques. These systems are based on spreading techniques like Frequency
Hopping Spread Spectrum (FHSS), which provide resilience to interference. However, attacks
like jamming do not require heavy computation or algorithm breaking techniques to
interfere with communication. They simply generate fake / valid packets
on the medium. Additionally, if the attacker is intelligent enough to cleverly target packets, it can
survive on the network for a longer time, undetected. Thus, the need arises for advanced mitigation
techniques to be incorporated at higher layer(s), like the MAC layer.
In this chapter, an overview of existing jamming attack approaches and their effects is
provided first. Next, the Conservation of Flow (CoF) technique, which has been quite
successful in detecting malicious nodes in wired networks, is sketched out. In Section 4.4, the
proposed CoF based simulation model to analyze the jamming attack is described, followed by
simulation results in the subsequent section. Since this is the first attempt of its kind to deploy the
CoF technique on the wireless medium as a security mechanism, the results are verified using AI
algorithms on the recovered data set in Section 4.6. Finally, I conclude and summarize my contribution.
4.2 Jamming Attack: Approaches & Effects
Various jamming approaches and strategies can be used by the attacker to disrupt the network.
Along with the time-based strategies, where the jamming signal is active only in definite time
intervals, there are more advanced jamming schemes possible that make use of knowledge about
the physical and link layer specifications of the targeted system. With the selected strategy as
a baseline, the effective jamming is then executed by emitting an appropriate radio frequency
signal. This could be noise or a modulated signal. The approaches most commonly used by
jammers and proven to be effective are discussed as follows [83,84].
A constant jammer emits a constant signal continuously without any delay. This constant signal
can be a radio signal which can be generated from a waveform generator. Such a jammer can
efficiently prevent legitimate traffic sources from getting hold of a channel and sending packets.
Instead of continuously emitting the signal, a periodical jammer suspends its transmission during
a particular time at regular intervals. Similarly, the random jammer also delays its transmission
for a specified time, but at a random duration or arbitrary interval or both. It alternates between
sleep and jam phases. This model takes energy conservation into consideration, which is
a matter of great interest for those jammers that do not have an unlimited power supply but intend
to interrupt legitimate communication.
Apart from the above approaches, the jammer can be intelligent enough to conserve its energy so
that it can survive longer, resulting in more damage. Such intelligence is acquired by sensing
the medium passively before targeting one or more nodes or types of traffic. In a reactive jamming
attack, the jammer starts its transmission as soon as a communication is detected on the channel,
via sensing it. It targets the reception of a message because it stays silent when the channel is
idle, but starts generating a radio signal as soon as it senses activity on the channel. A more
sophisticated type of reactive jamming takes into account the analysis of the detected regular
data stream. The jamming is then applied systematically to frames from or to particular nodes or
to frames of a certain type. On the other hand the deceptive jammer continuously feeds regular
packets to the channel without any gap between succeeding packet transmissions. Due to this
phenomenon, a legitimate communicator will be deceived into believing it as a legitimate packet
and will be duped to remain in the receive state. Therefore, even if a node wants to send the
packets, it won’t be able to do so as a constant stream of incoming packets will be detected.
Radio jamming is potentially the most direct, nondestructive and yet disruptive form of DoS
attack on wireless networks. Most of the attackers might favor radio jamming over other DoS
attacks because it is trivial to execute and the jammer only needs to emit an arbitrary constant
signal at a power roughly equal to the signal power of its victims [75]. According to [83], the
adversaries vary with respect to their use of different radio jamming attack strategies: constant
jammer, deceptive jammer, random jammer, reactive jammer. The attacker nodes or
compromised nodes bypass the MAC protocol and blast on the channel irrespective of the other
activities that are taking place on the channel.
Link layer jamming is a more complicated type among the denial of service jamming attacks. An
intelligent adversary that wisely uses the link layer protocol logic can be as effective as a blind
radio jammer while consuming less energy. The intelligent jammer has a couple of objectives:
first, to survive on the medium for a longer period without being detected, and second, to
misbehave in order to prevent the legitimate neighbors from gaining the medium. The
motivation of such a DoS attack is to violate the MAC layer rules at specific time periods such that
the intervention is unnoticeable and the energy of the attacker is conserved [80].
4.3 Problem statement
Recent past has experienced the wide usage of wireless devices especially due to portability.
Since the design of such devices does not primarily emphasize on heavy computation and secure
communication, rather are treated as add-ons. This, and other limitations like shared medium
which is open to all, attracts intruders in wireless network. From the security perspective
jamming attack is the one that is easy to launch and harder to detect. Jamming attacks are
generally directed towards seizing the medium completely, via transmitting fake packets
violating the medium access protocol; either constantly or periodically. In this study I have
analyzed the effects of different types of jammers using Conservation of Flow (CoF), which has
been useful for detecting other attacks, in the wired networks [85-87]. Lastly, simulation results
are presented in justification of proposed methodology.
Figure 4-1: Transit packet byte counters [85]
4.4 Conservation of flow (CoF) based malicious node detection
The theory of CoF has been successfully used to identify malfunctioning nodes in wired
networks. WATCHERS [85] takes CoF into account, but it does not deal with outside intruders; it
is specifically concerned with a malicious node within the network, whichever type it is.
The algorithm is based on finding the inconsistency between the incoming and outgoing
traffic, as shown in Figure 4-1. Every router has to maintain a set of six vectors for each neighbor
node, containing information about the data passing through that router, the data being sent to
that router, and the data intended for that router. Besides, every router
tests its neighbor by receiving the counters from its neighbor’s neighbors and comparing the
packets destined for that router with the number of packets that router received. If the difference
exceeds a certain threshold, that router is declared malicious and removed. [87] presents a
detection algorithm for malicious routers in wired networks, where an attacker easily exploits the
shortcomings in the current standard networks. A compromised router can potentially be
identified by the correct routers when it deviates from expected behavior. The authors divide the
problem into three sub-problems. The first is traffic validation, i.e. detection of anomalous
behavior on the basis of the traffic information. Next is distributed detection, which emphasizes
that a single router cannot decide whether a particular router is malicious or not. Finally, the
response phase highlights that once a router is found faulty, the routing tables of other routers
must be modified so that traffic does not pass through the malicious one in future.
Wireless networks are more susceptible to packet loss for two reasons: malicious nodes
and lossy channels. Adhoc networks differ from traditional wireless networks in that
every node is mostly connected to more than one node, instead of a central access point
providing connectivity. Additionally, adhoc networks have some limitations, e.g. the chance of
error increases with node density, the medium is open, etc. Therefore, to account for packet loss,
especially in terms of a noisy medium, [88] has incorporated packet counters to apply the CoF
algorithm successfully to identify a lossy channel in wireless networks. The authors have applied
vectors to every hop that routes a packet, to incorporate traceability of each packet and conserve
the entropy of the system. Additionally, the path taken by the packet is also taken into
consideration by every sender node to narrow down any bottleneck, if one exists.
4.5 Simulation Model
For the transmission and reception of data over a radio interface, different approaches are used. As
data is in the form of signals, MIMO (Multiple Input Multiple Output) technology is widely used
for the transmission of signals. It is an antenna based technology for wireless communication in
which multiple antennas are used for transmission and reception. Previous techniques use one
antenna for transmission and one for receiving the signals, which reduces the overall throughput
of the wireless network. MIMO overcomes this shortcoming by using multiple antennas for
communication.
In this study, for CoF and tracking of all the packets within the network, each node maintains a
set of matrices for the different types of packets that it handled during the simulation run. See
[88] for further details; an overview of the method is provided here.
The first matrix is of Sent-packets (S), which stores the total number of data packets initiated by
that specific node to all the other nodes within the network. On the other hand, the
destination-packets (D) matrix has the information of packets received which are meant for that
particular node as final destination. Since the underlying theme of adhoc networks is cooperation
among nodes for routing the packets, each node also acts as a router for communication
between other nodes. For such situations, where a node acts as a transient hop and routes packets,
it maintains another matrix for the sake of traceability, namely the transient matrix (T). Every
packet that a node routes, for which it is neither the original sender nor the final destination, is
tracked in its T-matrix once successfully forwarded to the next hop. For example, with respect to
the network topology shown in Figure-4-2, if node 6 is the originator of a packet destined for
node 8 as the final destination, node 6 will record it in its S-matrix. On receiving
the packet, node 8 will incorporate it into its D-matrix. However, the shortest path through which
the packet was routed consists of nodes 2, 7 and 1; each of these hops will mark this packet in
its corresponding T-matrix. This way, all the packets that originated within the system are
conserved, not only in terms of quantity but also in a way that allows traceability of the packets.
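The S/D/T bookkeeping described above, as an added sketch (it is not the thesis's MATLAB simulation). The class and function names are hypothetical; the route 6 → 2 → 7 → 1 → 8 is the example from the text, while the packet count and the link on which packets are lost are constructed.

```python
from collections import defaultdict


class Node:
    """Per-node conservation-of-flow counters (S, D, T as named in the text)."""

    def __init__(self, node_id):
        self.node_id = node_id
        self.S = defaultdict(int)  # S[dst]: data packets this node originated for dst
        self.D = defaultdict(int)  # D[src]: packets received here as final destination
        self.T = defaultdict(int)  # T[(src, dst)]: packets forwarded as a transient hop


def send(nodes, path, lost_on_link=None):
    """Move one packet along `path` (node ids, source first).

    `lost_on_link` is the index i of the link path[i] -> path[i+1] on which the
    packet is destroyed (a constructed stand-in for jamming or channel loss).
    """
    src, dst = path[0], path[-1]
    nodes[src].S[dst] += 1
    for i in range(len(path) - 1):
        if lost_on_link == i:
            return False              # this hop never completes the forward
        if i > 0:
            # a transient hop logs the packet only once the next hop has it
            nodes[path[i]].T[(src, dst)] += 1
    nodes[dst].D[src] += 1
    return True


def flow_report(nodes, path):
    """Compare the counters along one flow and locate where packets disappear."""
    src, dst = path[0], path[-1]
    hops = path[1:-1]
    sent = nodes[src].S[dst]
    received = nodes[dst].D[src]
    counts = [sent] + [nodes[h].T[(src, dst)] for h in hops] + [received]
    labels = [src] + hops + [dst]
    # Loss can only shrink the count downstream; a larger downstream counter
    # means some node reported numbers that the flow cannot explain.
    consistent = all(a >= b for a, b in zip(counts, counts[1:]))
    deficits = {labels[i + 1]: counts[i] - counts[i + 1]
                for i in range(len(counts) - 1)}
    suspects = [node for node, missing in deficits.items() if missing > 0]
    return {
        "sent": sent,
        "received": received,
        "lost": sent - received,
        "delivery_ratio": received / sent if sent else None,
        "consistent": consistent,
        "deficits": deficits,
        # the break lies on a link adjacent to this node
        "first_deficit_node": suspects[0] if suspects else None,
    }


def demo():
    nodes = {i: Node(i) for i in range(1, 9)}
    path = [6, 2, 7, 1, 8]                      # route from the text
    for n in range(100):                        # constructed traffic
        # constructed loss: 2 of every 5 packets die on link 7 -> 1
        send(nodes, path, lost_on_link=2 if n % 5 < 2 else None)
    return nodes, flow_report(nodes, path)


if __name__ == "__main__":
    _, report = demo()
    for key, value in report.items():
        print(key, value)
```

Because a hop logs a packet only after a successful forward, the first node whose counter falls below its upstream counter is the one next to the failing link; the counters alone do not say whether the loss was malicious or due to the channel.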
4.6 Simulation And Results
To understand the effects of different jammers on wireless traffic through Conservation-of-Flow
(CoF), in this study I simulate a stationary adhoc network using MATLAB [89]. The adhoc
network is initially considered to operate on the 802.11g wireless standard [1]. Later, keeping all
the parameters constant, different jammers are introduced. The channel error rate in normal
wireless communication and the topology are kept the same as in [81]. The main parameters of the
simulation are summarized in Table 4-1.
Table-4-1: Simulation Parameters
Parameters                   Values
Wireless Standard            802.11g
Channel Type                 ‘MIMO’
Number of Nodes              8, 12
Simulation Time              100 seconds
Packets per second (pps.)    20-100
Packet size                  1024 Bytes
Path Delay                   0.3 milli-sec.
Jammer Type                  Constant, Periodic
Jammer’s Packet size         17 Bytes
Jamming Rate                 93 pulses/sec
Figure 4-2: Adhoc network of eight nodes with jammer
Case-I
Initially, a network of eight nodes is considered, and later different jammer types are incorporated
to analyze the affected communication in the shaded region shown in Figure 4-2. For normal
communication, Figure 4-3 shows the success factor for the transactions that took place, in a
node-wise cumulative manner, i.e. how many data packets were sent by each node and how many were
collected by the intended receivers. The x-axis represents the node number and the y-axis shows the
achieved throughput in terms of successful delivery of the packets that each node initiated to any
other node in the network. In this case the nominal error, which is the propagation
loss, is taken into account, and more than 95% of communication was found productive on average.
At first, the constant jammer, being the simplest in the group, was introduced. For simplicity and
to avoid frequent timeouts, the intensity of the constant jammer was slightly degraded, which is also
evident from the results. Figure 4-4 presents the node-wise effect of the constant jammer on the
communication. As the constant jammer continuously introduces packets on the medium by
violating MAC protocol behavior, theoretically the communication in the jammed area
is treated as a complete failure. However, in practice negligible communication took place,
mainly because some nodes are outside the jammed area or away from the
jammer. Nodes continue to originate packets, which are continuously distorted by the constant
jammer. The jamming effect in a constant manner is found to be more than 90% effective.
Next in the run was the periodic jammer. As the periodic jammer attacks the transmission
relentlessly through sleep and wake periods, theoretically 50% of communication is targeted on
average. Due to its short jamming burst, the main target is control packets. The effect of the
periodic jammer on each node’s transactions is highlighted in Figure-4-5. Since our emphasis is on
data packets only, the average throughput is found to be nearly 40%.
Figure 4-3: Node wise traffic in normal scenario.
[Chart "Node-wise Normal Communication": Originated Packets and Received Packets per node; x-axis: Node Number (1-8), y-axis: No. of Packets]
Figure 4-4: Node wise communication in presence of constant jammer
[Chart "Constant Jammer – Node wise Communication"]
Figure 4-5: Node-wise communication in presence of periodic jammer
[Chart "Periodic Jammer - 8 Node Communication": Originated Packets and Received Packets per node; x-axis: Node Number (1-8), y-axis: No. of Packets]
Figure 4-6: Adhoc network of 12 nodes with jammer
Case-II
The scenario was extended further to a network of 12 nodes and the topology taken into
consideration is shown in Figure 4-6. The jammer is placed in such a way that two-third of the
nodes are jammed, especially the ones in the centre are near to the jammer. Nodes outside
jammed area become isolated as jamming intensity would be highest in the center. Hence,
packets originated by nodes outside the jammed area would not be able to reach intended
destinations as corresponding 1-hop neighbors are jammed.
As earlier, normal communication is shown in Figure 4-7 for each participating node. However,
due to increased network participants and intermediate hops, the difference in successful packet
delivery ratio of nodes on the edges is found higher. But even then about 95% of communication
was found successfully delivered. The effect of constant jammer on transmission is shown in
Figure 4-8 which was able to successfully seize around 95% communication.
Figure 4-7: 12-Node wise traffic in normal scenario.
[Chart "12 Nodes Normal Communication": Originated Packets and Received Packets per node; x-axis: Node Number (1-12), y-axis: No. of Packets]
Effect of periodic jammer on each node’s transactions is highlighted in Figure-4-9 and average
throughput is found to be just over 40%. In this case the total nodes in the network are 12. The
periodic jammer jams about half of the communication. The jamming range of periodic jammer
is from 40% to 60%.
Lastly, for better understanding and analysis, we present effect of the above jammers on
communication in terms of periodic throughput recorded and compare them for the two cases, as
shown in Figures 4-10 and 4-11. At first we focus on normal scenario that ensures more than 90
percent delivery of the total communication, even though certain dips are observed. The second
case is of constant jammer, which is the most destructive situation for any sort of wireless
transmission, and it is evident from the Figures that less than 10 percent of the total transmission
was received by the destined receivers. Last but not least is the periodic jammer, which affects
half of the communication in ideal cases. The average damage it caused in the first case is just
above 40%, and it increased to 50% when the network size was enhanced with 50% more nodes in the
latter case.
Figure 4-8: 12-Node wise traffic in presence of constant jammer.
[Chart "Constant Jammer - 12 Nodes Communication": Originated Packets and Received Packets per node; x-axis: Node Number (1-12), y-axis: No. of Packets]
Figure 4-9: 12-Node wise traffic with periodic jammer.
[Chart "Periodic Jammer - 12 Nodes Communication": Originated Packets and Received Packets per node; x-axis: Node Number (1-12), y-axis: No. of Packets]
Figure 4-10: Time wise effect of jammers in 8-node scenario
[Chart "8 Nodes - Timewise Effect of Jammer": series Packets Sent, Normal, Constant Jammer, Periodic Jammer; x-axis: Time (sec.), y-axis: No. of Packets]
Figure 4-11: Time wise effect of jammers in 12-node scenario
[Chart "12 Nodes - Timewise Effect of Jammer": series Packets Sent, Normal, Constant Jammer, Periodic Jammer; x-axis: Time (sec.), y-axis: No. of Packets]
In this section we studied, with the help of CoF, how much traffic loss occurs in a wireless
network during such attacks. The difference between the total packets sent and
received by a particular node shows the amount of data corrupted by the jammer due to its
interference in the network. First we analyzed the normal communication and recorded the ratio
of packet loss in the network without a jammer present, which happened to be about 5%
loss of the total communication. However, when the jammer came into play, this loss increased
manyfold, depending upon its type and the traffic flow through the jammed area. The approach
used by the jammer, based on its priorities, defines its type and the corresponding damage to valid
communication.
Figure 4-12: 25 Nodes: (a) Constant Jammer (b) Periodic Jammer.
[Charts "25 Nodes - Constant Jammer" (series Packets Lost, Packets Received) and "25 Nodes- Periodic Jammer" (series Packets Sent, Packets Lost); x-axis: Node Number, y-axis: Percent Throughput]
Figure 4-13: 50 Nodes (a) Constant Jammer (b) Periodic Jammer.
[Charts "50 Nodes - Constant Jammer" (series Packets Lost, Packets Received) and "50 Nodes - Periodic Jammer" (series Lost Packets, Received Packets); x-axis: Node Number, y-axis: Percent Throughput]
For extended network of 25 and 50 nodes, the corresponding communication success rate is
shown in Figures 4-12 and 4-13, respectively. Initially, a constant jammer was launched and
later, the network was exposed to periodic jammer. For constant jammer, the network throughput
was found to be only 15% on average, whereas for periodic jammer more than 60%
communication was jammed. It is evident that nodes located close by in jamming range starved.
Figure 4-14: Randomly Selected Data Set for WEKA.
4.7 Verification of Parameters using WEKA
The WEKA [90] software contains a set of visualization tools and algorithms for predictive
modeling and data analysis, together with graphical user interfaces for easy use and viewing. The
original non-Java version of WEKA was a front-end to (mostly third-party) modeling algorithms
implemented in other programming languages, plus data preprocessing utilities in C, and a
makefile-based system for running machine learning experiments. WEKA has implementations of
numerous classification and prediction algorithms. The basic ideas behind using all of these are
similar.
After generating the data set of approximately 1000 runs, we provided it to WEKA as input
and applied two different classification algorithms, i.e. Naïve-Bayes and C4.5 (J48). Before
applying the classifiers we discretized the data using the built-in discretization filter of WEKA.
The main reason for using Bayesian Naïve is that in our case all the classes are independent of
each other. We collected data with three attributes, Sender, Receiver and Type, and applied the
Bayesian Naïve algorithm. The second algorithm is J48, which is a variation of ID3
(Iterative Dichotomiser 3) and generates a tree based classification.
Firstly, 66% of the data, i.e. 2/3rd of the values out of 1000, is separated for
training purposes and the remainder is used for validation. The main objective of the
experiment is to predict the jammer type by analyzing the values of the sender and receiver
matrices, and to verify our earlier methodology. For example, if the send value is 1280 packets and
the receive value is about 64 packets, then we can say that this is the case of constant jammer.
Also, in case of random jammer the range will be between 20% and 80%. After running these
algorithms the results achieved were promising. Approximately 100% of the results on the validation
set were justified. But before going into the details, a brief overview of the classification
algorithms is presented for better understanding of the method used.
4.7.1 Bayesian Naïve Classification
A probability based classification with respect to Bayes' theorem, with independence
assumptions, is known as the Naïve Bayes Classifier [91]. It is applied when the inputs have varying
forms and thus provide large combinations among themselves to optimize the output. Even though it
is simple in nature, it can surpass some complex algorithms when it comes to categorization of a
sample dataset. A simple example of Naive Bayes classification is shown in Figure 4-15, where
given objects can be classified as either green or red. As new cases show up, the task is to
decide where they belong based on the existing dataset. Since the population of the former is double
that of the latter, the chance of a new arrival being green is double, even
before analyzing it. This concept, based on previous experience, is known as prior probability and
is used to predict a conclusion before it actually occurs. The Naïve Bayes algorithm is illustrated
in Figure 4-16.
Figure 4-15: A Bayesian Naïve example [91]
Figure 4-16: Pseudo-code for Bayesian Naïve [91]
The main reason for using Bayesian Naïve in our case is that all the classes are independent of
each other and no two classes are inter-dependent in any way. We collected data
with three attributes, i.e. sender, receiver and type, and applied the Bayesian Naïve algorithm that
is built into WEKA. First of all, we discretized our data set. Next, for training and
validation of data we use a 66-34 split, i.e. 66% for training and 34% for validation. The
main aim of the experiment is to predict the classifier based on the trained dataset, not to
compare the effect of various parameters. Thus, for simplicity, default values of the parameters were
used for both datasets.
For a dataset of just above 1000 records, Table 4-2 shows the accuracy detail with respect to jammer
classification and prediction. Around 98% of instances were correctly classified, and so is the
strength of Kappa’s agreement, i.e. 98%. With 5% noise incorporated at random, the relative
absolute error is found to be 5.5% for all cases. Constant jammer instances were, for the most
part, identified correctly. However, a single entry was falsely classified as constant jammer. Thus,
the recall was calculated as maximum, whereas the F-measure, showing the test’s accuracy, was found
close to it, due to a single misinterpreted entry. Similar is the reason for the ROC (Receiver
Operating Characteristic) Area to miss the core target for predicting constant jammer, as the single
entry was found near the bottom-right corner in Figure-4-17 and is below the curve. Since the ROC
area is greater than 0.7, it is considered useful for decision making. Since random and normal
jammer overlap with each other in terms of jamming strength and ratio, more instances
of theirs are mingled with each other, as shown in Table 4-3, which provides a confusion matrix
with minimal overlapped instances.
Table 4-2: Accuracy detail w.r.t. jammer classification by BN
Class          TP Rate  FP Rate  Precision  Recall  F-Measure  ROC Area
Constant       1        0.005    0.993      1       0.996      0.998
Normal         0.983    0.007    0.979      0.983   0.981      1
Random         0.977    0.006    0.989      0.977   0.983      0.994
Weighted Avg.  0.988    0.006    0.988      0.988   0.988      0.997
Table 4-3: Confusion Matrix based on BN algorithm
                 Classified as
Actual class     Constant  Normal  Random
Constant         410       0       0
Normal           0         234     4
Random           3         5       347
Figure 4-17: BN based jammer classification
4.7.2 J-48 Algorithm
For just above 1000 records, a 10-fold cross validation test mode was used with the J-48
algorithm [92]. Since the training and evaluation data sets are from the same stream, it
is essential to acquire a reasonable idea of the accuracy of the generated model. From Table 4-4 it
is quite evident that around 99% of occurrences were classified correctly, with more than 98%
Kappa’s strength. To estimate how far the estimate is from the actual values, the mean absolute
error is found to be around 1%, whereas the relative absolute error based on the dataset is just
above 2%.
Figure 4-18: Pseudo code for Decision Tree (J48 algorithm) [92]
The constant jammer was identified mainly accurately. However, 3 entries were falsely classified as
constant jammer. Thus, the recall is at the peak, i.e. 1, but the accuracy of the test, F-measure
and ROC area were found close to 1 for constant jammer. Based on the confusion matrix in Table 4-5,
the minimum number of falsely classified cases is 8, and a similar trend is shown in Figure-4-19,
highlighting the cost for each class. The normalized expected cost along with the predicted cost
function is plotted, showing overlapping in the bottom-right corner based on falsely identified
cases and the noise incorporated while the data was generated.
Table 4-4: Accuracy detail w.r.t. jammer classification by J-48
Class          TP Rate  FP Rate  Precision  Recall  F-Measure  ROC Area
Constant       1        0.005    0.993      1       0.996      0.996
Normal         0.987    0.003    0.992      0.987   0.989      0.999
Random         0.986    0.005    0.992      0.986   0.989      0.995
Weighted Avg.  0.992    0.004    0.992      0.992   0.992      0.996
Table 4-5: Confusion Matrix based on J-48 algorithm
                 Classified as
Actual class     Constant  Normal  Random
Constant         410       0       0
Normal           0         235     3
Random           3         2       350
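The per-class figures in Tables 4-2 and 4-4 can be recomputed from the confusion matrices in Tables 4-3 and 4-5. The following check is an added example (not WEKA output and not code from the thesis); it assumes rows are actual classes and columns are assigned classes, and the function names are hypothetical.

```python
CLASSES = ["Constant", "Normal", "Random"]

# Rows = actual class, columns = class assigned by the classifier.
BN_MATRIX = [[410, 0, 0], [0, 234, 4], [3, 5, 347]]      # Table 4-3
J48_MATRIX = [[410, 0, 0], [0, 235, 3], [3, 2, 350]]     # Table 4-5


def per_class(cm):
    """TP rate (= recall), FP rate, precision and F-measure for every class."""
    total = sum(map(sum, cm))
    rows = {}
    for k, name in enumerate(CLASSES):
        tp = cm[k][k]
        fn = sum(cm[k]) - tp                     # actual k, assigned elsewhere
        fp = sum(row[k] for row in cm) - tp      # assigned k, actually another class
        tn = total - tp - fn - fp
        recall = tp / (tp + fn) if tp + fn else 0.0
        rows[name] = {
            "tp_rate": recall,
            "fp_rate": fp / (fp + tn) if fp + tn else 0.0,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": recall,
            "f_measure": 2 * tp / (2 * tp + fp + fn) if tp else 0.0,
            "false_positives": fp,
            "support": tp + fn,
        }
    return rows


def weighted_average(cm, metric):
    """Per-class metric averaged with the number of actual instances as weight."""
    rows = per_class(cm)
    total = sum(r["support"] for r in rows.values())
    return sum(r[metric] * r["support"] for r in rows.values()) / total


def accuracy(cm):
    return sum(cm[k][k] for k in range(len(cm))) / sum(map(sum, cm))


def kappa(cm):
    """Cohen's kappa: agreement beyond what the row/column totals give by chance."""
    total = sum(map(sum, cm))
    expected = sum(sum(cm[k]) * sum(row[k] for row in cm)
                   for k in range(len(cm))) / total ** 2
    return (accuracy(cm) - expected) / (1 - expected)


def table(cm):
    """Rows in the layout of Tables 4-2 and 4-4, rounded to three decimals.

    ROC area is left out: it needs per-instance scores, not only the matrix.
    """
    cols = ("tp_rate", "fp_rate", "precision", "recall", "f_measure")
    out = {name: tuple(round(r[c], 3) for c in cols)
           for name, r in per_class(cm).items()}
    out["Weighted Avg."] = tuple(round(weighted_average(cm, c), 3) for c in cols)
    return out


if __name__ == "__main__":
    for label, cm in (("BN", BN_MATRIX), ("J-48", J48_MATRIX)):
        print(label, "accuracy=%.3f kappa=%.3f" % (accuracy(cm), kappa(cm)))
        for name, row in table(cm).items():
            print("  %-14s" % name, row)
```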
On the basis of random class input, the cost curve is shown in Figure-4-17. The probability cost
function increases with each instance, whereas the normalized expected cost decreases as the J-48
decision tree is traversed. The values of the different jammer classifications converge, showing the
cost reduction after being able to predict the jammer type. However, the assessment overlaps due to
randomization of the trained and predicted dataset. Figure-4-20 shows the threshold
identification for each jammer type, with the respective precision for each classification. The
incline between any two classes is due to the falsely recognized samples that were either not
categorized or misinterpreted, i.e. were found in a class where they did not belong.
Figure 4-19: Cost Analysis of Jammer Classification using J-48
Figure 4-20: J-48 based Threshold Estimation of Jammer types used.
Figure 4-21: Analysis of Validated data using J-48 algorithm.
(a) Threshold Curve (b) Cost/ Benefit Analysis
For the dataset, after the training period, J-48 validated approximately every instance correctly, as
shown in Figure-4-19(a). Except for the 0.1 rejection in constant jammer, the true positive rate of
the provided sample was identified correctly, whereas in (b) the cost benefit analysis was found
smooth, apart from a slight tilt for normal jammer, which consisted of certain traces of other
types, as discussed earlier.
4.8 Summary
Conservation of Flow has already been considered by many studies as a metric to identify
various attacks, but mostly in wired networks. The basic aim of this study was to analyze the
effect of various jammers on wireless communication, using CoF. The network is considered
without mobility so that a similar methodology can be applied for jammer detection as in
wired-network based studies [85-87]. For that very reason, the initial topologies are kept similar
to our earlier study, and are later scaled to larger networks.
Additionally, on the basis of earlier studies, the effects of different jamming attacks were
introduced in our simulation, and the corresponding ranges of effect were successfully determined
with the help of CoF. Next, we applied the Bayesian Naïve and J-48 algorithms using WEKA to verify
our parameters and results, as in [88,89]. Both algorithms predicted more than 98% of the
dataset accurately, whereas threshold classification and cost/benefit analysis were found to
be approximately true positive.
Jamming attacks at the MAC layer, especially the non-continuous ones, are hard to distinguish from
frequent unintentional collisions and congested scenarios. However, based on the data set
acquired and by applying AI algorithms for behavioral analysis, different jammers can be identified
in the network simultaneously.
In this way, this study provides the basis for future directions in the area of optimizing CoF for
wireless networks with mobility, efficient power usage, mitigation against jammers on the basis
of thresholds, and many more. Last but not least, CoF can be further analyzed for other attacks
in wireless networks.
Chapter 5
Packet-Feed: A Survival Approach
To Cope up with Jamming Attack in MANET
5.1 Introduction
As discussed earlier, jamming attacks are hard to mitigate even when the jammer is constantly
targeting all packets in range. For intelligent jammers the situation becomes much worse: the jammer
lasts longer by saving its energy and smartly targets partial data packets that cannot be recovered
by existing error recovery techniques, resulting in retransmission of the affected packets. Thus,
affected nodes either move away from the jammed area or switch channel independently, and
later try to resume communication with other nodes. However, intelligent jammers can sense the
medium and follow legitimate nodes to other areas and channels where they can sense on-going
communication, forcing the nodes onto the defensive to repeat the whole process again, and the
cycle continues for as long as the jammer carries on jamming the communication.
In this chapter, a reactive methodology is proposed which, to the best of my knowledge, is the first
of its kind. The proposed method is based on the idea that instead of flight, it is better to stay
and fight. Thus, legitimate nodes respond to the jammer and keep it busy rather than retreat. Section
5.2 provides a detailed overview of the proposed methodology. In the following section a
theoretical analysis is conducted, on the basis of which the basic methodology is enhanced in
section 5.4. Next, the simulation scenario and results are discussed. Lastly, I summarize the
contribution of the proposed method.
5.2 Problem statement
The open nature of a wireless network exposes it to vulnerabilities and external intrusion, like
the jamming attack. The jammer is the worst to handle, as typical encryption techniques for
legitimate communication become void. A jamming attack, either continuous or
periodic, can easily be deployed in a wireless network. Conventionally, nodes either passively
doze till the jamming phase is over or actively try to move out of the jammed region. For
small devices having little or no mobility, channel hopping is an alternative, where nodes move to
another channel and try to re-establish communication. However, if the jammer has enough
knowledge of the network, it can follow legitimate nodes onto the newer channel.
In this chapter, the idea of coping with an intelligent jamming attack by actively and periodically
feeding valid packets on the seized channel is proposed. The main theme is that when the nodes
resume on the newer channel after the current one is jammed, rather than stay there and wait for
the jammer to follow them onto the newer channel, nodes feed the jammer on the earlier channel by
alternately visiting it and sending legal packets on the network. By doing this, even if the jammer
is intelligent, a legal packet will result in a jam-burst, i.e. the nodes pretend that the earlier
channel is still in use. Later, simulation results in favor of the idea are presented.
5.3 Proposed Methodology
Initially, an adhoc network having some nodes communicating on a single channel is considered,
which is later exposed to an external jammer. With the assumption that nodes are equipped with
jamming sensing techniques, as soon as each of them senses the existence of the jammer it
tunes to another channel independently, based on an already agreed upon methodology, and tries to
resume communication. Once the locality of the nodes is exposed, even though they succeed
in resuming communication on a different channel, chances are that the new temporal-location will
soon be discovered by the intruder and the legitimate nodes will have to move on. An intelligent
jammer, which toggles between sensing and jamming mode to seek valid packets on the medium, may
sense the absence of the nodes and start sensing other channels for legitimate traffic.
Therefore, once the nodes are on a new channel, let us call it the escape-channel, the proposed
method is that each node alternately returns to the seized-channel (the original channel where
the jammer is located) periodically and feeds the jammer with a valid packet. Such a node is called
a feeder or feeding node. This way, in a certain time slot the cost will be the loss of a single
packet and a couple of channel hops by a node, while the rest of the communication will be taking
place successfully on the newer channel. The advantage is that if the intelligent jammer seeks
legitimate communication on the channel, it stays on the same channel by initiating a jamming-burst
and defers scanning further channels. The jammer resides on that channel for a duration depending
upon traffic (ongoing communication), and it never scans other channels until communication on
the seized channel is unavailable.
Figure-5-1: Feeding node hops back to feed Jammer on originally used channel
Figure-5-1 shows the working of the proposed methodology, with some nodes communicating
in an adhoc network environment. Meanwhile, a jammer senses the channel for packets, both
control and data packets, and tries to disrupt the communication. If the jammer finds any traffic,
it stays on that channel and destroys legitimate traffic just by putting noise during a valid
communication. It is assumed that the nodes are equipped with some jamming detection mechanism
and have already coordinated a channel hopping scheme in case of a jamming attack. So,
after sensing the jammer, each of them hops and moves to the next available channel
individually. Once the nodes arrive on the new channel (x+n), the escape channel, the assumption is
that they coordinate with each other about the jammer type, based on the jammer detection mechanism.
This assumption is necessary for two reasons. First, depending upon the type of jammer,
nodes decide about the time slot division for synchronization. Secondly, they determine the
designated feeder to the jammer for each time slot. Next, as shown in the Figure, node A returns to
the seized-channel and initiates a legitimate communication, which is welcomed by the jammer ‘J’,
and it initiates a burst of jamming signals. As soon as the communication times out, ‘A’ hops
back to the escape-channel and resumes communication with the others. In the following time slot,
‘B’ comes into play and repeats the same scenario. This process continues till either the adhoc
network is no longer required or the new channel is somehow compromised by the same or another
jammer.
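A slot-level model of the feeding scheme described above, as an added example (it is not the thesis's simulation). It assumes a jammer that stays while it senses traffic and scans one channel per slot once its channel is silent, nodes that hop a fixed offset when jammed, and constructed values for node count, channel count and packets per slot; all names are hypothetical.

```python
def simulate(feed, num_nodes=4, pkts_per_slot=10, slots=12,
             num_channels=11, seized=0, escape=3, hop_offset=3):
    """Run `slots` time slots and return traffic and hop statistics.

    feed=False: nodes only flee; feed=True: one node per slot returns to the
    seized channel and sends a single valid packet to keep the jammer there.
    """
    jammer, channel = seized, escape   # jammer's channel, network's channel
    stats = {"delivered": 0, "lost": 0, "channel_hops": 0,
             "jammed_slots": [], "jammer_trace": [], "feeders": []}
    for slot in range(slots):
        stats["jammer_trace"].append(jammer)
        data_pkts = num_nodes * pkts_per_slot
        busy = {channel}               # channels carrying valid packets this slot
        if feed:
            stats["feeders"].append(slot % num_nodes)  # round-robin feeder
            busy.add(seized)
            data_pkts -= 1             # the feed packet is sacrificed ...
            stats["lost"] += 1
            stats["channel_hops"] += 2  # ... plus one hop out and one hop back
        if jammer == channel:
            # the jammer has caught up: the slot is destroyed, all nodes hop on
            stats["lost"] += data_pkts
            stats["jammed_slots"].append(slot)
            stats["channel_hops"] += num_nodes
            channel = (channel + hop_offset) % num_channels
        else:
            stats["delivered"] += data_pkts
        if jammer not in busy:
            # silence on its channel: the jammer resumes scanning
            jammer = (jammer + 1) % num_channels
    return stats


def compare(**kwargs):
    """Same traffic and duration, without and with the designated feeder."""
    out = {}
    for label, feed in (("hop_only", False), ("packet_feed", True)):
        s = simulate(feed, **kwargs)
        s["delivery_ratio"] = s["delivered"] / (s["delivered"] + s["lost"])
        out[label] = s
    return out


if __name__ == "__main__":
    for label, s in compare().items():
        print(label, s)
```

With these constructed parameters the feeder costs more channel hops than fleeing does, but the jammer never leaves the seized channel, so no slot on the escape channel is lost.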
5.4 Mathematical Model
Probability Measuring Parameters:
s1 Auxiliary Row
s2 Auxiliary Column
t1 Time Slot Detail w.r.t. row
t2 Time Slot Detail w.r.t. column
k1 Row consider for Analysis (it1 – s1)
k2 Column consider for Analysis (t2 – s2)
Matrix Evaluation
fij Positive integer for row i and column j: from main table F
fi+ Minor sum of row i, where i=1,……k1
fj+ Minor sum of column j, where j=1,……k1
N Grand total of F
Matrix Statistics
ris Foundation of row entity i on plane s
cjs Foundation of column entity j on plane s
I Total inertia
Basic Matrix Evaluation
When source node want to send some data towards destination node (CORRESPONDENCE
NODE) to evaluate the source row values [ris] and respective column [cjs] for this the function
will be used
Where the minimal values for corresponding row and column, under the standardization are:
With respect to our proposed methodology and according to the evaluation, for analysis, the
CORRESPONDENCE Algorithm can be divided in three steps:
1. Evaluation with Chi Square
Chi square provides goodness of fit, in terms of attained values and the expected ones for the
model under consideration. Later, it assesses significance levels. For our auxiliary matrix ‘Z’,
the emphasis is mainly on common factors that will map in terms of wireless communication.
By removing the row and column averages, chi-square retains rc-mean throughout.
2. Evaluation with Euclidean
For the observed values, the distance between two points is calculated through Euclidean on our
matrix ‘Z’. Generally,
Based on the consistency options:
(a) consistency option r-mean (row average is eliminated)
(b) consistency option c-mean (remove column means)
(c) For Rc-mean, eliminate both row and column means
(d) consistency choice r-sum, we equate for row total
(e) consistency choice c-sum, we equate for column total
This way, all the wireless packets that originate in the network are mapped for acceptance
level. The variation leads to some misbehavior detection.
3. Malicious Diagnostics
After applying proposed algorithm along with CORRESPONDENCE algorithm, we alternatively
generate a table of row and column profiles, as:
, respectively.
Singular Values, Maximum Rank and Inertia
By performing the full scaled simulation all the singular values which we have already defined
above are produced up to utmost . The small singular values and
corresponding magnitude are covered when they do not cross the magnitude , where
a caution message is raised. Dimension wise inertia and total inertia are represented via
relationship:
Likewise, association for additional normalizations can be easily derived, similarly. The measure
of “proportion explained” are equal to inertia divided by total inertia: , which
5.5 Theoretical Analysis
A Q-Q plot helps in determining relevance of the sample from the intended data set and assists in
locating as a tool for regression and variance analysis [101]. One Q represents the selected group
of population, i.e. quartiles whereas the other is for the selected data being used as a benchmark
that will be applied to the former ones. Theoretically, the average and variance of the target
population need to be known in advance. However, this is not practically feasible; therefore the
same values of the benchmark are used as reference parameters.
To analyze our methodology, SPSS [102] was used for the model presented above. Figure 5-2
shows a Normal Q-Q analysis on the basis of average received packets, cumulative over all nodes.
The expected values vary because nodes keep hopping to feed the jammer even though the
jammer is no longer active, resulting in an overhead in every time slot. Figure 5-3
shows a detrended normal Q-Q variance found after the jamming phase is over. Based on the
average before the jammer was activated and after the algorithm was triggered, the divergence
was noticed as deviation from the mean value.
Figure 5-2: A Normal Q-Q Graph of Average Received Packets.
Figure 5-3: A Detrended Normal Q-Q Graph of Average Received Packets.
To further evaluate the network performance and validate the considered parameters, Matlab
[89] was used. Control charts are useful where data is normally distributed and are found to be
vigorous against biased data sets. Generally, two types of charts are used: the first is the
range chart (R-chart) and the second is the X-chart. The former is used to determine the
variability of the progression, whereas the latter identifies the overall average of the method.
The upper and lower X-bar chart control limits need to be determined, so that overall procedure
inconsistency remains in control.
For some charts, e.g. c charts, the generated data is likely to be non-normally distributed,
whereas a moving range chart is considered as a single entity that uses different interpretation
rules to cater for the very strong non-normality of said data. Examples include ‘X’ or ‘I’ charts.
Interpretation rules for X-bar charts consider the whole plot rather than individual
trends. As explained by the Central Limit Theorem, means tend to be normally distributed even
if the underlying data is not.
Figure 5-4: Packet Analysis on the basis of Time.
Figure 5-5: XBAR Control Chart
Lower and Upper Control Limits are 3 standard deviations from the average and can be
computed using [101]:
Upper Control Limit (UCL) = Mean + 3*Sqrt(Mean / Average sample measurement)
Lower Control Limit (LCL) = Mean - 3*Sqrt(Mean / Max sample measurement)
LCL is always a positive value, whereas the use of “maximum sample measurement” makes LCL
more responsive. Yet, the above limits and their relation based on the average are significant
for analysis when repeated values are encountered.
Figure 5-4 demonstrates packet analysis on the basis of time. Initially, corrupted packets are
found due to the jammer, which later sets the probability-based trend for future packets after
nodes have hopped to the new channel. However, realistically, complete probability is not achieved
due to the packet losses involved in iteratively feeding the jammer. After the jammed phase
is over, the interruption corresponds to the overhead involved, where no collusions were found, as
shown on the extreme right of the graph; this is discussed further in the next section.
Figure 5-5 shows the theoretical data generated for evaluating the average variation possible. The
violation represents the jamming phase, just after 20 seconds, when the jammer was activated.
The center of the graph illustrates the average throughput of the network, which is found to be
high because, after detection, nodes hopped to another channel and started feeding the jammer.
Note that all the communication after hopping lies between LCL and UCL, which gives good reason
in favor of the proposed methodology.
5.6 Enhancements in Proposed Methodology
In the last section, the simpler scenario of the proposed methodology was presented for better
understanding. Now further details of the building blocks of the proposed scheme are discussed by
incorporating more parameters in the context of assumptions in a practical scenario, with
improvisations provided accordingly. First of all, the underlying assumption is that nodes are
equipped with a jamming sensing mechanism and each node needs to decide independently when
to initiate a reactive technique to avoid the jammer. Since the techniques mainly rely on PDR/
PSR (as discussed in section II), if only one node returns to the seized-channel to feed the
jammer, it will not be able to sense whether the said channel is still compromised, especially
against an intelligent jammer. Thus, nodes may either keep on feeding the jammer for the rest of
their existence in that locality or false alarms may rise at the network level. The former degrades
the overall throughput unnecessarily, whereas the latter may invite the jammer onto the newer
channel. Therefore a slight enhancement is applied to the basic concept: instead of one, more than
one node hops back to the seized-channel to feed the jammer. This way, although the cost of channel
hopping will increase in every time slot and overall throughput on the escape channel will
decrease, the false alarm rate is minimized.
Figure-5-6: Multiple Nodes feeding the Jammer on Originally used jammed channel
Next, the problem of synchronization among nodes needs to be addressed. The nodes will
coordinate among themselves regarding feeding the jammer on the seized-channel and act
accordingly; even so, in a dense environment, especially in the absence of a central entity in an
adhoc network, synchronization issues may arise. Additionally, if the jammer period is over or the
jammer has moved away, the feeding nodes’ intended receivers did not accompany them to the seized
channel in that particular time slot, and thus failed delivery is reported. E.g. ‘A’ intends to
send a packet to ‘B’ whereas ‘C’ is determined to communicate with ‘D’, and both ‘A’ and ‘C’ are
the designated feeders in that particular time slot and have switched back to the seized-channel.
Even though the jammer is absent and more than one node is present on the channel, their packet
delivery will not succeed, as neither of them is accompanied by its intended receiver, and
false alarms may arise.
Therefore, to accommodate and intentionally prompt the intelligent jammer, another
enhancement is to feed the jammer with more than one packet from each feeding node. In this
fashion, even if the jamming and sensing periods of the intelligent jammer are short, multiple
valid packets on the seized-channel from more than one node would not create any ambiguity about
the absence of packets in the remaining portion of the time slot.
By incorporating the enhancements, the working of the proposed methodology is shown in
Figure 5-6. Nodes are communicating with each other on channel 1 without any interruption.
Meanwhile jammer J starts interrupting them and destroys the transmission. Due to this
intrusion, all the nodes A, B, C and D move to the following channel, which has already been
decided, and resume their communication. However, in this case two (or more) feeding nodes
rather than one hop back to the seized-channel and start feeding the jammer. In Figure 5-6,
node A and node C send more than one packet each to their corresponding receivers. Due to
involvement of the jammer or absence of their intended receivers, whenever their packets time
out they return to the escape-channel. However, if nodes are able to receive frequent
acknowledgements on the old channel, they may conclude that the jammer has moved away from
that location. In either case, they hop back to the escape-channel and participate with their
feedback in the periodic coordination of the nodes. As per the Figure, in the following time slot
nodes B and D will do the same to feed the jammer, and if J is still present on the said channel
they feed it and leave the channel. Keep in mind that in the presence of the jammer the network
comes to a virtual collapse and no communication takes place between nodes. Even if feeding nodes
are unable to get an acknowledgement, they may sense valid packets of other nodes, which shows the
absence of the jammer. The corresponding pseudo-code and communication flow of the proposed
methodology are given in Figure 5-7 and 5-8, respectively.
Figure 5-7: Pseudo-code of proposed methodology
Figure 5-8: Flow chart highlighting the communication flow of the proposed methodology.
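The false-alarm case of Section 5.6, as an added example (this is not the thesis's Figure 5-7 pseudo-code): a slot-level Python model in which designated feeders rotate onto the seized channel and decide whether the jammer is still there. The jammer model (it corrupts every frame while present), the traffic pattern and all function names are assumptions of this example; the 20-80 second jamming phase is taken from Table 5-1.

```python
"""Slot-level model of feeder rotation on the seized channel (added example)."""

JAM_START, JAM_END, SIM_END = 20, 80, 100   # seconds; jamming phase from Table 5-1


def feeder_schedule(nodes, feeders_per_slot):
    """Yield the designated feeders for each successive time slot, round-robin."""
    start = 0
    while True:
        yield [nodes[(start + j) % len(nodes)] for j in range(feeders_per_slot)]
        start = (start + feeders_per_slot) % len(nodes)


def visit_seized_channel(feeders, intended_rx, jammer_present):
    """Return {feeder: True if that feeder concludes the jammer is still present}.

    Assumed jammer model: while present it corrupts every frame it senses, so
    neither ACKs nor other feeders' packets can be decoded.
    """
    verdicts = {}
    for node in feeders:
        if jammer_present:
            verdicts[node] = True
            continue
        got_ack = intended_rx[node] in feeders          # receiver came along too
        overheard = any(o != node for o in feeders)     # valid packet from a peer
        verdicts[node] = not (got_ack or overheard)
    return verdicts


def simulate(n_nodes=10, feeders_per_slot=2, feeds=2):
    """Run the jam phase and report when feeding stops and what it cost."""
    nodes = list(range(n_nodes))
    # Constructed traffic pattern: node i sends to the node half the ring away,
    # so a feeder's receiver is normally still on the escape channel.
    intended_rx = {i: (i + n_nodes // 2) % n_nodes for i in nodes}
    schedule = feeder_schedule(nodes, feeders_per_slot)
    result = {"stopped_at": None, "feed_packets": 0, "false_alarm_slots": 0}
    for t in range(JAM_START, SIM_END):
        feeders = next(schedule)
        jammer_present = t < JAM_END
        verdicts = visit_seized_channel(feeders, intended_rx, jammer_present)
        result["feed_packets"] += len(feeders) * feeds
        if not any(verdicts.values()):      # feedback shared on the escape channel
            result["stopped_at"] = t
            break
        if not jammer_present:
            result["false_alarm_slots"] += 1    # fed a jammer that had already left
    return result


if __name__ == "__main__":
    print("1 feeder :", simulate(feeders_per_slot=1))
    print("2 feeders:", simulate(feeders_per_slot=2))
```

With a single feeder the model never clears the seized channel after the jammer leaves, because a missing ACK looks the same as jamming; with two feeders each overhears the other's valid packet and feeding stops in the first slot after the jamming phase.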
Table 5-1: Simulation Settings
SIMULATION PARAMETERS       PARAMETERS VALUE
Physical Layer Standard     802.11a
Number of Channels          12 (in 5GHz band)
Traffic type                CBR
Packet Size                 512 Bytes
Traffic Load of Node        10 packets/sec (pps)
Simulation time             100 seconds
Communicating nodes         10-20
Jamming phase               20-80 seconds
5.7 Simulation & Results
This section presents the simulation scenario and results obtained using the OPNET network
simulator [103]. The simulation parameters are summarized in Table 5-1 and are similar to [108].
An ad hoc network consisting of more than 10 wireless stations is considered, each with a single
transceiver only. The traffic load at the source nodes is 10 packets per second, and the
packet size is chosen to be 512 bytes each. The physical layer standard taken into consideration
is 802.11a, which offers 12 channels in the 5 GHz band. For channel hopping, the cost currently
considered by different studies is between 40 and 80 micro-sec, so an 80 micro-sec delay was opted
for, similar to [104,19]. Besides these, the jammer is located in the center and all nodes are in
the jamming range; the assumption is that no communication takes place in this range on the jammed
channel, thus the intensity of the jammer is set accordingly. The jammer is considered an
outsider, and on any channel he tunes into he is able to listen to legitimate traffic, either
control or data packets. Therefore, the underlying assumption is that the jammer sticks to a
channel where his intention to block lawful conversation is fulfilled, and while doing so it does
not scan other channels.
[Plots: “10 Nodes - Overall Throughput” and “20 Nodes- Overall Throughput”; x-axis: Time (0-100), y-axis: No. of Packets; series: Packets Delivered]
Figure 5-9: Overall Network Throughput (a) 10 nodes (b) 20 nodes
Figure 5-9(a) explains the basic concept in a 100-second simulation among 10 communicating
nodes in the network. The straight line for the first 20 seconds shows successful communication
among nodes. Then, the jammer comes into play and remains active till 80 seconds of the
simulation time. As soon as the jammer activates, the network theoretically comes to a virtual
collapse and no communication takes place. However, it soon resumes when nodes independently
move away to the escape channel once they sense that the current channel is being seized by the
jammer. The drop in packet throughput is sudden, due to failure of all communication at once
when the jammer is introduced; however, a slant is observed in the rise of the graph when nodes
resume on the escape channel. Later, packet loss on the new channel is observed when nodes
alternately hop back to the jammed channel and send a valid packet to engage the jammer.
[Plots: “Throughput - 2 of 10 Nodes Feed the Jammer” and “Throughput - 2 of 20 Nodes Feed the Jammer”; x-axis: Time (0-100), y-axis: No. of Packets; series: Packets Delivered]
Figure 5-10: 2 Nodes as jammer feeder. Overall Throughput for (a) 10 nodes (b) 20 nodes
Next, the number of legitimate nodes in the network was doubled, i.e. 20, keeping all the
other parameters the same as earlier. This way, the overall throughput of the network increased to
200 packets per second in the absence of the jammer. The rest of the pattern in throughput, as
evident from Figure 5-9(b), was found similar to that of the 10-node scenario. However, with the
increase in nodes, the throughput also increased during the jam-phase, as the number of dropped
packets was the same for the sake of feeding the jammer, but the successful delivery of packets by
other nodes on the new channel increased, minimizing the effect of lost packets during the jammed
period. Approximately, more than 95% of communication was retained by this scheme in the said
scenarios, though nearly 85% of overall communication was successfully carried out during the
jam period.
Different enhancements are now applied to the two basic cases, i.e. 10 and 20 nodes. The
number of feeders is doubled: in the previous case there is only one feeding node, which throws
legitimate packets to the intelligent jammer to keep him busy, but in this case two feeders are
introduced. After the intrusion of the jammer into the network, all the nodes try to hop channel.
After acquiring the new channel they start their communication again. The jammer
is intelligent, and if it senses that the channel it is jamming is empty, it leaves that channel
and starts sensing another channel to jam. So, to avoid this scenario, two of the total nodes
(feeding nodes) hop back to the previous channel and start communication with each other. In
Figure 5-10(a) the jammer intrusion time is 20us to 80us. Time 20us to time 24us (approx) shows
the immediate loss of transmission due to channel hopping of all the communicating nodes. After
time 24us they all regain transmission, but with some loss. The loss is due to the hop of the
feeding nodes: they go back to the previous channel and start communication with each other. If
their communication fails, the existence of the jammer is proved. Besides proving the existence of
the jammer, the feeding nodes also keep the intelligent jammer busy, which ultimately results in
successful communication of the remaining nodes on the un-jammed channel. Figure 5-10(b) shows the
same scenario but with 20 nodes in the network. Both the cases 4a and 4b consist of a single packet
feed to the intelligent jammer. Approximately 90% throughput is retained in the two-feeding-node
scenario with 10 nodes in total, whereas the latter kept hold of better throughput due to more
legitimate communication in the jam-phase.
In Figure 5-11(a), the same scenario is taken into account with three further sub-scenarios.
In this case the number of nodes is the same, and the number of feeding nodes is also the same,
but the number of packets for feeding is varied over three cases. The blue line shows the single
feed, the green line shows the double feed and the red line indicates the triple feed. When the
feeding nodes start communication with each other on the jammed channel, one of them becomes the
sender and the other becomes the receiver. The sender starts sending packets to the receiver and
waits for an acknowledgement from the receiver. After waiting EIFS (Extended Inter Frame Spacing)
time for the acknowledgment, both leave the channel and hop back to the previous channel. This is
the case of single feed. In the case of double feed, after waiting for EIFS time the sender sends
the packet again and waits for an acknowledgement. Failure will result in channel hopping for the
feeding nodes. The third case is the extended form of double feed: the sender sends the packet
three times, and on failing to receive an acknowledgement from the receiver, the feeding nodes hop
back to the un-jammed channel.
Figure 5-11: 2 Nodes feed jammer with multiple packets in every time slot,
scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes
Figure 5-12: 3 Nodes feed jammer with multiple packets in every time slot,
scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes
Figure 5-12(a) shows the increase of feeding nodes on the jammed channel. In this case three of
the total nodes hop back to the jammed channel and start feeding the jammer with legitimate
packets. After sending packets to each other and failing to receive an acknowledgement, all the
feeding nodes hop back, and the previously discussed process repeats till the jammer leaves the
channel or the feeding nodes leave the channel. Average throughput, with a comparison of 4 nodes
acting as feeders simultaneously, is shown in Figure 5-13.
Figure 5-13: 4 Nodes feed the jammer with multiple packets in every time slot,
scenario for (a) 10 nodes (b) 15 nodes (c) 20 nodes
If, for some reason, the jammer senses that another channel is also in use, it may land on the
escape channel after sensing other channels at random. After the sensing time, the jammer starts
on the new channel and the whole cycle is repeated. For the two cases, i.e. 10 and 20 nodes, this
scenario is illustrated in Figure 5-14 with varying nodes and different numbers of feeding packets
on the jammed channel. At least around 85% of network throughput is still maintained with a maximum
of 4 feeding nodes, where each feeds the jammer more than 2 packets alternately in each slot.
[Plots: “Average Throughput: Multi-Feeders of 10 Nodes” and “Average Throughput: Multi-Feeder of 20 Nodes”; x-axis: Time (0-100), y-axis: No. of Packets; series: Single Feed, Double Feed, Triple Feed]
Figure 5-14: Comparison of Multiple Nodes feeding jammer with varying packets in every time
slot, scenario for (a) 10 nodes (b) 20 nodes
The simulation was then gradually extended up to 50 nodes, where during the jam phase 2
feeders in each time slot, transmitting 2 packet feeds (PF), were selected. To accommodate the
additional node communication, we quadrupled the data rate, so that only channel hopping and
feeding cost is highlighted. In terms of percentages, Figure 5-15 highlights the successful data
delivery rate, having a minimum of 90% throughput gain for 10 nodes, which rose to 94%; this is
found better than [108], which has similar parameters. However, a slight drop was experienced for
50 nodes, but that is estimated to be in terms of congestion on the new channel as well.
[Plot: “10-50 Nodes: Overall Percent Throughput”; x-axis: No. of Nodes (10-50), y-axis: Throughput (%) (80%-100%); series: Packet Delivery Success Rate, Packet Drop Rate]
Figure 5-15: Overall Throughput achieved in terms of percentage for varying nodes
5.8 Summary
Instead of only a physical or logical retreat to avoid being jammed, this study proposes that
nodes, once they have restored communication on another channel, periodically visit the jammed
channel to inject legitimate communication for the jammer to target. The advantage is that while
a fraction of nodes feed the jammer, the others are able to communicate successfully in a normal
manner. Additionally, to minimize channel hopping cost, varying numbers of feed packets were
simulated, along with numerous feeding nodes. This way, approximately 70-95% of the communication
is resumed, depending upon the traffic load and number of nodes. Hence, the proposed methodology
works for 2% of the legitimate participants or 4 feeding nodes, whichever is larger, and still
gives more than 80% of the throughput. In future, further analysis of jammer types against the
proposed methodology is intended, not restricted to the link layer only.
Chapter 6
Neighbor based Channel Hopping Coordination:
Practical against Jammer
6.1 Introduction
Recent studies suggest channel hopping as a logical escape in case of a jammed channel. If a
valid communication is not heard for a period of time on the common channel, nodes initiate
jamming attack detection, individually. If the said channel is detected as jammed, nodes switch
channel to locate other nodes and try to resume communication on another channel as a reactive
mechanism.
This chapter focuses on a proactive MAC based protocol to minimize the effect of jamming
attack. The said method does not need any detection techniques and incorporates multiple
channels for communication, which are already available in wireless communication standards.
Our proposed solution differs in a sense that an ad hoc network is chosen, having considerable
number of nodes, with the provision that nodes can join or leave the network any time.
Additionally, nodes reside on distinct control channels. Instead of a set of hopping sequence,
dynamic coordination between nodes exists for selection of next channel to exchange data
packets. Besides, it is easy to stay in a single channel and send a burst of data to overcome
channel hopping cost, as chosen by them. Yet, restriction is of single packet exchange per visit
for analyzing channel hopping overhead which however can be modified anytime to multiple
data packets and thus yielding in overall increased throughput. In section 6.2, the proposed
solution is described in detail. Later, in section 6.3 simulation results are presented that are found
better than earlier similar study. Lastly, I summarize the contributions and main points of this
chapter.
6.2 Problem Statement
As compared to its wired counterpart, wireless network is relatively new and is exposed to some
additional threats specific to the underlying medium. Among such threats one is jamming attack
which can take place easily due to the open nature of wireless medium. A device or person can
continuously emit radio signals to disturb a valid conversation. If it lasts for some time
continuously, it can result in total collapse of a network using a single channel.
In order to evade a jammer in an ad hoc network, in this chapter a proactive channel hopping
scheme based on neighbor correspondence is proposed. Rather than detect and react, legitimate
nodes rely on the principle that prevention is better than cure. Each node communicates with its
neighbors on different channels, coordinated between them dynamically. Furthermore, the control
and data channels of each node are separated. This way redundancy at the node level is provided,
so that even if nodes on the jammed channel cannot be approached, they are still able to contact
others by visiting their control channels, saving the node on the jammed channel from
starvation. Hence, even if the network is exposed to the jammer, a complete failure is prevented.
The simulation results show that our scheme is efficient and is able to reduce the jammer’s
impact significantly, as compared to another proactive hopping scheme [51].
Figure 6-1: Scenario stating how node D would initiate communication with node C
6.3 Proposed Solution
As it is said that prevention is better than cure, similar is our proposed solution to mitigate a
jamming attack using proactive channel hopping in an ad hoc network. Every node selects its
control channel through a predefined function which is known to network participants.
Furthermore, data transfer takes place on a different channel coordinated dynamically between
each node pair. Thus, every node communicates with each of its neighbors on different channels.
From the network level point of view, every channel can be used for control and data packets
simultaneously. In the sequel, the major design aspects of our proposed scheme are discussed.
6.3.1 Determining Control Channel (CC)
In the formation of an ad hoc network every node selects its own control channel, docks itself
there and waits for other nodes to visit it (if it has no packets to send). The control channel is
selected via a pre-loaded function based on the node identity which is shared among nodes and is
kept secret. This way, each node not only selects its control channel but also learns about the
control channel where the intended destination is residing, if a transmission needs to be initiated.
To avoid an outsider from targeting a particular node or legitimate communication, the function
can be a high level polynomial which is hard to break by overhearing the traffic. However, for
the sake of simplicity a simple function is incorporated. Hence, a neighboring node who wants to
initiate communication with node 'A' can determine its control channel using the following
function:
CC(A) = I_A mod k (1)
where k is the total number of channels and I denotes the identity of the intended receiver.
This way, n nodes will be distributed over k channels evenly, having (n/k) nodes on
the same channel, on average. To minimize computation overhead and avoid re-computation
of the same function, once determined, the resultant channel is stored in a CC-table for future
correspondence. Additionally, since nodes need to visit other channels, which are the control
channels of intended destinations, each node will maintain its own control channel in
the CC-table as well, which will be referred to while returning after a successful data transfer.
Hence, the sender node first checks for a corresponding entry for the intended destination in the
CC-table. If it is not found, the corresponding control channel is calculated using equation 1,
only once for each node.
The energy consumption factor is not taken into account in this study, but due to frequent
channel hopping, which has its own delay, the computation delay is reduced. Thus, to get an
estimation of how much computation is saved, consider that node 'A' intends to communicate
with its neighbor node B for m packets and that only a single packet is exchanged in each visit.
Then (m-1) computations for locating the control channel of node B and a similar number of
computations for returning to its own control channel are avoided by node A. If the situation is
extended to multiple destinations, say node A sends m packets to j neighbors, then A saves the
following amount of computation for (j x m) packets:
(j . (m-1))+(j . m-1)
where the first half of the equation is in terms of the CC of the destination node and the second
half represents the return to its own control channel after each sent packet. So, for n nodes
having large 'm' packets to send in the network, quite a computation overhead is diminished.
[Figure 6-2 diagram labels: Sender, Receiver; Calculate X; Calculate Y; Both nodes calculate Z; Hop to the channel Z; RTS + X]
Figure 6-2: Elementary Negotiation for a DC between two nodes
Once the node knows the receiver's control channel, it hops to the corresponding channel, where
both nodes agree upon a new channel chosen for data exchange. Since a single channel can be
used for data and control messages by different pairs of nodes, the newly arriving node on the
control channel of the intended receiver may disrupt an ongoing communication. Therefore, it needs
to contend for the medium in the next slot to initiate its communication formally. A similar
situation is depicted in Figure 6-1, where node D hops to CC(C), where a communication
between node A and B is already in progress. Node D senses the medium busy and consequently keeps
silent till the end of the ongoing transmission. Later, it contends for the medium with other
nodes.
6.3.2 Data Channel (DC) Coordination
Once the sender hops to the control channel of the intended receiver, rather than initiating data
exchange, both coordinate on a data channel. To have a different data channel between each node
pair, the channel is selected using the identities of both parties. As earlier for equation 1,
the complexity of the function will not yield much difference, except to increase the
computational time, due to the limited number of channels. Therefore, the current channel
(i.e. control channel of the receiver) is also taken into account. This way, it becomes hard for an
attacker to guess and target a particular communication having knowledge of the node identities.
Moving a step further, since the nodes need to coordinate the data channel over an insecure medium,
we tailor a key exchange scheme to incorporate our desired coordination securely. For this
purpose, the data channel coordination is based on the Diffie-Hellman algorithm [107], as shown in
Figure 6-2 and described as follows:
The sender initiates the coordination by choosing a secret random exponent 'a' and yields
X = g^a mod p (2)
where g is a constant which is publicly known [106] and p is a prime number selected using the
identities of sender and receiver along with the current channel number in use as:
p > f(ID_receiver, ID_sender, CC_receiver) (3)
X is then sent to the receiver with the RTS. Since the parameters for calculating p are the same,
the receiver can either generate it just like the sender or it can also be sent with the RTS. On
receiving the RTS, the receiver generates Y, the same way the sender yielded X, with the help of
his secret random exponent b. The receiver then responds by sending a CTS piggybacked with Y. Both
parties then apply their respective secret random exponent to the information received from the
other, to yield the same value:
Y^a = X^b = Z mod k (4)
Thus, Z is the newly selected channel for data exchange. Both nodes store it in a DC-table for
future reference and switch their transceivers accordingly to initiate data transfer on the new
channel. Regardless of whether the data is exchanged successfully or it times out due to
unavailability of the medium, in either case nodes will return to their respective control
channels.
Figure 6-3: Communication Sequence on Data Channel between a node-pair
When the nodes hop to channel Z for data exchange, to avoid the hidden terminal problem on the
new channel they need to exchange RTS-CTS once again [19]. If successfully exchanged, data
and acknowledgement follow, as shown in Figure 6-3. For each neighbor, the above sequence is
followed only once and the coordinated data channel is stored in the DC-table. For subsequent
visits, only simple RTS-CTS are exchanged; both parties refer to their DC-table and hop for data
exchange. If a node has more than one visitor on its control channel, it will choose and accord
with one only. The others will wait for the receiver to return to its control channel for their
turn, till they time out.
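The control-channel lookup of Section 6.3.1 and the RTS+X / CTS+Y exchange of Section 6.3.2, as an added Python example covering both passages (not code from the thesis). The value of g, the function f_ids standing in for f in equation 3, the rule for stepping past a control channel when Z collides with one, and all class and function names are assumptions of this example.

```python
import math
import secrets

K = 12   # number of channels (802.11a, Table 5-1)
G = 5    # public constant g; this value is an assumption of the example


def next_prime_above(n):
    """Smallest prime strictly greater than n (trial division)."""
    c = max(n + 1, 2)
    while any(c % d == 0 for d in range(2, math.isqrt(c) + 1)):
        c += 1
    return c


def f_ids(id_receiver, id_sender, cc_receiver):
    """Hypothetical stand-in for f(ID_receiver, ID_sender, CC_receiver), eq. (3)."""
    return 2**31 + (id_receiver * 1009 + id_sender) * K + cc_receiver


class Node:
    def __init__(self, node_id):
        self.id = node_id
        self.cc_table = {}          # node id -> control channel (CC-table)
        self.dc_table = {}          # neighbour id -> data channel (DC-table)
        self.cc_computations = 0    # evaluations of equation (1)
        self.cc(node_id)            # own control channel is stored as well

    def cc(self, node_id):
        """Equation (1): CC = I mod k, computed once per node, then looked up."""
        if node_id not in self.cc_table:
            self.cc_table[node_id] = node_id % K
            self.cc_computations += 1
        return self.cc_table[node_id]

    def _prime(self, sender_id, receiver_id):
        # Both ends derive the same p > f(...) from values they already know.
        return next_prime_above(f_ids(receiver_id, sender_id, self.cc(receiver_id)))

    def _store_channel(self, shared, peer_id):
        z = shared % K                                     # equation (4)
        while z in (self.cc(self.id), self.cc(peer_id)):   # Z must not be a CC (6.4)
            z = (z + 1) % K    # assumed collision rule; the thesis gives none
        self.dc_table[peer_id] = z
        return z

    def make_rts(self, receiver_id):
        """Sender: pick secret a, return X = g^a mod p to send with the RTS."""
        self._p = self._prime(self.id, receiver_id)
        self._a = secrets.randbelow(self._p - 3) + 2
        return pow(G, self._a, self._p)

    def handle_rts(self, sender_id, x):
        """Receiver: pick secret b, derive Z from X, return Y for the CTS."""
        p = self._prime(sender_id, self.id)
        b = secrets.randbelow(p - 3) + 2
        self._store_channel(pow(x, b, p), sender_id)
        return pow(G, b, p)

    def handle_cts(self, receiver_id, y):
        """Sender: derive the same Z from Y and its own secret a."""
        return self._store_channel(pow(y, self._a, self._p), receiver_id)


def negotiate(sender, receiver):
    """First visit runs RTS+X / CTS+Y; later visits reuse the DC-table entry."""
    if receiver.id in sender.dc_table:
        return sender.dc_table[receiver.id]
    y = receiver.handle_rts(sender.id, sender.make_rts(receiver.id))
    z = sender.handle_cts(receiver.id, y)
    if z != receiver.dc_table[sender.id]:
        raise RuntimeError("sender and receiver derived different channels")
    return z


def send_packets(sender, neighbours, m):
    """m single-packet visits per neighbour: look up destination CC, then own CC."""
    for _ in range(m):
        for nb in neighbours:
            sender.cc(nb.id)
            sender.cc(sender.id)


if __name__ == "__main__":
    a, b = Node(17), Node(42)
    print("CC(B) =", a.cc(42), " data channel =", negotiate(a, b))
```

Because Z is reduced mod k, an observer who cannot read a or b still faces only the k channels minus the two control channels as candidates, and nothing in the exchange authenticates X or Y.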
6.4 Mathematical Model
From a set of nodes Ns, for any node Ni who wants to initiate communication with Nj, Ni will
hop from its control channel to the destination’s control channel, where set of control channels is
denoted by CC. Hence, CCi and CCj denote the respective control channels of nodes i & j.
Since, at the time Ni is trying to locate Nj, the latter may be locating Nk on CC(k),
we need to define the status of the receiving node’s availability, via SNj for node j. The whole
scenario so far can be illustrated as:
{Ni → Nj | (i,j) ∈ Ns ∧ Sc(j) = 1 ∧ Sn(j) = 1 ∧ Hop(Z(j))}
where {Z(j) ∈ Z | Z(j) ∉ CC(i) ∧ Z(j) ∉ CC(j)}, i.e. Z(j) is the data transmission channel with
respect to the receiver’s node id, and the condition applies that it should not be the control
channel of either node of the pair. This way, a new channel is negotiated for data transfer.
Once, the sender and destination calculate channel ‘Z’, they hop on the channel ‘Z’ and data
transfer between the node pair takes place.
For communication and throughput between the nodes, packets are the basis for analyzing the network gain. Let’s denote:
$\text{TotalPackets} = P_T$
$\text{SendingPackets} = \{P_s \mid s = \text{Source} \wedge (0 < P_s \le \text{TPackets})\}$
$\text{ReceivingPackets} = \{P_r \mid r = \text{Destination} \wedge (0 < P_r \le \text{TPackets})\}$
where Ps denotes the transmitted packets and Pr the packets received at the receiver end. Since a jammer may interfere with the network, packet loss or corruption must also be estimated, so we need to cater for jammed packets as well.
$\text{JammedPackets} = \{P_j \mid r = \text{Receiver} \wedge s = \text{Sender} \wedge P_j \notin P_r\}$
where Pj is the number of corrupted packets.
Before discussing the scenarios, let’s first define the sets as follows:
Set of Nodes = Ns = {A, B, C, D}
Set of Channels = Cs = {a, b, c, d}
State of Channel = Sc = {0,1}
State of Node = SN = {0,1}
Set of Data Channels = {Za, Zb, Zc, Zd}
where Zx is the control channel of node x
Scenario-1: Normal Communication
When node ‘A’ wants to start communication with node ‘B’, the preconditions can be stated as
follows:
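$\{A \rightarrow B \mid (A,B) \in N_s \wedge S_c(B) = 1 \wedge S_n(B) = 1 \wedge \mathrm{Hop}(Z(B))\}$
where $\{Z(B) \in Z \mid Z(B) \notin CC(A) \wedge Z(B) \notin CC(B)\}$.
Or
$\{A \rightarrow B \mid (A,B) \in N_s \wedge S_c(B) = 1 \wedge S_n(B) = 0\}$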
When node ‘B’ is not found on its control channel, the sending node ‘A’ will return to its own
CC, after retransmission attempts expire.
Scenario-2: Communication in Presence of Jammer
When node ‘A’ wants to start communication with node ‘B’, the preconditions can be stated as
follows:
$\{A \rightarrow B \mid (A,B) \in N_s \wedge S_c(B) = 0 \wedge S_n(B) = 1\}$
This means that the control channel is jammed. Alternatively, the nodes may be able to hop
to the data transmission channel as before, but that channel is the one jammed by the jammer.
The condition that applies is then:
$\{Z(B) \in Z \mid Z(B) \notin CC(A) \wedge Z(B) \notin CC(B) \wedge S_c(Z(B)) = 0\}$
i.e. all the pre-conditions apply, but because channel Z(B) is unavailable, the nodes will time
out and return to their respective control channels.
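The agreement in equation (4) and the Scenario-1 and Scenario-2 conditions can be exercised together in a few lines of Python; this is an added example, not code from the thesis. The public base G, the modulus K, the rule that maps Z onto one of the 12 channels, the direction-keyed DC-table and the use of fresh exponents per negotiation are assumptions made for the illustration.

```python
"""Added illustration (not the thesis's code) of the data-channel agreement in
equation (4) and of the Scenario-1 / Scenario-2 outcomes."""
import secrets

NUM_CHANNELS = 12       # 802.11a channels, as in the page's simulation settings
# ASSUMPTIONS: the public base/modulus and the Z -> channel mapping below are
# chosen for this example only.
K = 2_147_483_647       # public prime modulus k
G = 7                   # public base


def public_value(exponent):
    """X (or Y): the value piggybacked on RTS (or CTS)."""
    return pow(G, exponent, K)


def shared_value(peer_public, exponent):
    """Equation (4): Y^a mod k at the sender equals X^b mod k at the receiver."""
    return pow(peer_public, exponent, K)


def to_data_channel(z, cc_i, cc_j, n=NUM_CHANNELS):
    """Map Z to a channel id that is neither node's control channel.

    ASSUMPTION: reduce Z modulo the channel count and step forward past a
    control channel; both sides apply the same rule, so they still agree.
    """
    channel = z % n
    while channel in (cc_i, cc_j):
        channel = (channel + 1) % n
    return channel


class Node:
    def __init__(self, name, control_channel):
        self.name = name
        self.cc = control_channel
        self.dc_table = {}      # (sender, receiver) -> agreed data channel


def negotiate(sender, receiver, a=None, b=None):
    """First visit: exchange X and Y and derive Z. Later visits: DC-table lookup.

    The table is keyed by direction because the page notes that the A->B data
    channel differs from the B->A one; fresh exponents per negotiation are an
    assumption of this example.
    """
    key = (sender.name, receiver.name)
    if key in sender.dc_table:
        return sender.dc_table[key]
    a = a if a is not None else secrets.randbelow(K - 2) + 1   # sender's secret
    b = b if b is not None else secrets.randbelow(K - 2) + 1   # receiver's secret
    x, y = public_value(a), public_value(b)                    # sent in RTS / CTS
    sender.dc_table[key] = to_data_channel(shared_value(y, a), sender.cc, receiver.cc)
    receiver.dc_table[key] = to_data_channel(shared_value(x, b), sender.cc, receiver.cc)
    return sender.dc_table[key]


def attempt(sender, receiver, jammed, receiver_present=True):
    """Outcome of one visit; `jammed` is the set of channels with Sc = 0."""
    if receiver.cc in jammed:                    # Scenario-2: Sc(B) = 0
        return "control channel jammed"
    if not receiver_present:                     # Scenario-1 alternative: Sn(B) = 0
        return "receiver away"
    z = negotiate(sender, receiver)
    if z in jammed:                              # Scenario-2: Sc(Z(B)) = 0
        return "data channel jammed"
    return "delivered"                           # Scenario-1: data and ACK on Z


def affected_pairs(pairs, jammed_channel):
    """Pairs whose control or data channel is the one a constant jammer holds."""
    return [(s.name, r.name) for s, r in pairs
            if attempt(s, r, {jammed_channel}) != "delivered"]


if __name__ == "__main__":
    # Constructed topology: 12 sinks, one per control channel, and 12 sources
    # docked on a different control channel than the sink they visit.
    sinks = [Node(f"R{c}", c) for c in range(NUM_CHANNELS)]
    sources = [Node(f"S{c}", (c + 1) % NUM_CHANNELS) for c in range(NUM_CHANNELS)]
    pairs = list(zip(sources, sinks))
    hit = affected_pairs(pairs, jammed_channel=3)
    print(f"{len(hit)} of {len(pairs)} pairs affected: {hit}")
```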
6.5 Design Diagrams
Figure 6-4: Pseudo-code for the proposed technique
The pseudo code for the proposed technique, for a sending node is shown in Figure 6-4. The
respective flow of communication on the network is shown in Figure 6-5, along with block
diagram in Figure 6-6.
[Flowchart. Box labels: Start; Network Initialization; Nodes calculate their / others’ CCs & dock on own CC; If (Packet Tx == True); Hop to Receiver’s CC; Remain on own CC; Other Member approached for Data Exchange; Check for DTC in DTT; If (found DTC == True); Hop to DTC; Negotiate for DTC & Hop to DTC, Store DTC in DTT; Nodes Exchange Data-ACK; Return to own CCs; END]
Figure 6-5: Flow Sequence of Network Communication.
Figure 6-6: Block Diagram of Channel Hopping Selection before transmitting.
[Diagram: nodes numbered 1 to 12 and the Jammer]
Figure 6-7: Communication Sequence on Data Channel between a node-pair
Table 6-1: Simulation settings
Simulation parameter | Parameter value
Physical Layer Standard | 802.11a
Number of Channels | 12 (in 5 GHz band)
Traffic type | CBR
Packet Size | 512 Bytes
Traffic Load | 200 packets/sec (pps)
Simulation Time | 100 sec.
Jammer Type | Constant Jammer
Jamming Period | 20 - 80 sec.
6.6 Simulation and Analysis
This section presents the simulation scenario and the results obtained using the OPNET network
simulator [103]. The simulation parameters are summarized in Table 6-1 and the majority are kept
similar to [54]. An ad hoc network consisting of 24 wireless stations, each with a single transceiver
only, is considered. All nodes are in transmission range of each other, i.e. they are 1-hop neighbors. To
model a saturated case, the traffic load at the source nodes is 200 pps, and the packet
size is chosen to be 512 bytes. Only a single packet is exchanged in each visit between a
node-pair. The physical layer standard considered is 802.11a, which offers 12
channels in the 5 GHz band. The channel hopping cost currently considered by different studies
is between 40 and 80 microseconds, so a delay of 80 microseconds was chosen, similar to [24] and [105].
The jammer is located in the center and all nodes are in the jamming range; the
assumption is that no communication takes place in this range on the jammed channel, and the
intensity of the jammer is set accordingly. The jammer is considered an outsider and, on any
channel he tunes into, he is able to listen to legitimate traffic, either control or data packets.
Therefore, the underlying assumption is that the jammer sticks to a channel where his
intention to block lawful conversation is fulfilled and, in doing so, does not scan other channels.
Hence, in our simulation environment the jamming attack is launched in the form of a constant
jammer who sticks to a single frequency. The topology considered is shown in Figure 6-7.
Figure 6-8: Single channel compared with proposed scheme using 12 Node-pairs
with traffic load 200 pps. Jammer is active during 20–80 seconds
Figure 6-9: Sink Status on each channel – Nodewise distribution
Figure 6-10: Nodewise distribution – Percent Loss in Communication
Figure 6-11: Effect of Pulse jamming on nodes having jammed control and data channels
Initially, a single channel is compared with multi-channel proactive hopping in terms of throughput,
and later both cases are compared in the presence of a jammer. The network is divided such that half
of the nodes are traffic sources and the rest are treated as sinks. In the single channel environment,
the nodes and the jammer are situated on the same channel. For the multichannel scenario, however,
sink nodes are evenly distributed so that one resides on each channel, and the remaining nodes are
selected as sources. Thus, one sender and one receiver reside on each channel, but the communicating
pairs are chosen from different control channels so that channel hopping is required even for the
exchange of control packets. For a simulation time of 100 seconds, the jammer is active from 20 to 80 seconds.
Figure 6-8 shows that in the single channel scenario no legitimate communication is observed
during the jamming phase. For the multi-channel setup with the proposed scheme, however, a couple of node
pairs out of 12 are affected, i.e. approximately 17% degradation in overall network performance
is observed when a single channel is exposed to the jammer. The degradation is due to the effect on
node-pairs whose control or data channel is jammed, depending upon the channel
selected by the jammer. The peak found in the curve is due to packets that had not been
discarded by that time and were successfully retransmitted after the jamming phase was over. It
varies depending upon the number of nodes and the traffic load.
Figure 6-9 shows the average throughput at the sinks in our scheme. Nodes having the jammed
channel as control channel and as data channel face nearly the same degradation in throughput on
average and are therefore represented using different colors. Figure 6-10 provides similar results in
terms of node-wise percentage throughput, which shows a drop of around 60% for the
nodes that chose the jammed channel either as their control or data exchange channel. Still,
overall network throughput was retained at around 90%.
However, if the jamming intensity is decreased, or a periodic jammer is used rather than a constant
one, the difference will be more evident. For this reason, a pulse jammer, which disrupts
communication periodically for some time and sleeps between two jamming intervals, is
substituted. The jamming period chosen is 100 ms and the sleep time 2 seconds, alternately.
For a 100-second simulation, the effect of the pulse jammer on the affected nodes is shown in Figure
6-11. This figure gives a picture of data packets corrupted and control packets targeted by the pulse
jammer. The difference is evident in terms of plunges in the curves, found more in the case of the
control channel being jammed. However, with an increase in jamming intensity the difference
diminishes and both such nodes may starve.
Next, to obtain a more realistic scenario, rather than dividing the topology into active sources and
sinks, the status of all nodes is modified so that each one is a sender and a receiver at the same time.
However, while node A is seeking node B, B may be visiting some other node, or A, at the
same time. Such a situation can give rise to a deadlock and increased packet drops and is thus
considered the worst case. To incorporate the worst case scenario and analyze its effects, the
earlier sinks are changed to senders with different traffic generation rates, while the others are
kept unchanged, i.e. all nodes send and receive simultaneously, as generally observed in MANETs.
Initially, the traffic load on the new sources is kept low to give a better picture of the network traffic
degradation due to synchronization issues, when both nodes try to reach one another to deliver their
packets. Thus, the traffic load on the new sources was started at 10 pps and gradually increased
to 100 pps, so that all nodes generate a similar number of packets. For a traffic load between 10 and
100 pps for the new source nodes, the network along with the jammer was tested as shown in
Figure 6-12. In the worst case scenario, approximately 20% decline is observed as compared to
the simpler scenario of a single channel only, as considered in Figure 6-8. However, the overall
throughput decreases with increasing traffic load and only 40% of legitimate communication is
successful when all nodes have a similar configuration, which declines further in the presence of
the jammer to 25% of the generated traffic (only 600 out of 2400 pps are successfully received). The
jamming phase makes matters worse, as the lost packets are doubled from the earlier
scenario, to nearly 35%. Above all, we treat the last scenario presented, where all nodes are
senders, as the worst case because when node A is sending to B the data channel is
different from the one used when B is sending to A. Thus, the number of affected data channels and
nodes is increased.
In the other proactive channel hopping scheme, proposed in [54], which consists of an
infrastructure-based network having only an AP and a single node, the performance drop due to
jamming was reported as 60%. When that scheme is applied in an ad hoc network (without an AP)
with several nodes and mostly similar parameters, the performance is estimated to decrease
further. However, with our proposed scheme, 65% of the network
performance is still retained in the worst case scenario. Additionally, if we apply a similar jammer
configuration with listen and jam intervals, a slight improvement in the achieved results is expected.
Further improvement is expected in our scheme if a burst of packets, rather than only one packet, is
exchanged in each meeting between each node pair. Yet, the intention of this study is to explore
the jamming effects on proactive channel hopping only and to analyze future directions for its
mitigation.
Figure 6-12: Two way communication between each node-pair with varied traffic generation
rates. Jammer is active from 20 to 80 sec.
6.7 Summary
Channel hopping is considered a logical escape from the jammer, either in a reactive or a proactive
manner. The proposed channel hopping scheme differs from the existing solutions in the
sense that separate control and data channels exist and neighbors coordinate their
corresponding data channels. The neighborhood communication of a node can be described as
flower petals, each of a different color representing a distinct channel for each neighbor. Above
all, the scheme is proactive in nature, which reduces the impact of a jamming attack without using
any detection mechanism, by providing pre-existing escape doors for a node. Initially, simpler
scenarios were used for ease of analysis and to highlight the jamming effect on our
scheme, gradually moving to the worst case scenario, which involves synchronization issues
along with the jamming phase. Results show that it is efficient for an ad hoc network, as
compared to other proactive schemes. Yet, the focus of this study is to analyze the proposed scheme
in terms of the jamming attack. It will help us in developing a robust solution to counter the jammer
more effectively in the future.
Chapter 7
Conclusions and Future Work
7.1. Conclusions
In this dissertation, we address the problem of jamming attacks in wireless networks, especially in
an ad hoc setup. We approach the problem at two levels: first a reactive mechanism based on
jammer detection is proposed, and later a proactive channel hopping scheme is presented.
A jamming attack is different from its counterparts, as it cannot be mitigated like the others.
The severity increases manyfold in a wireless environment due to the lack of detection and
prevention mechanisms in the 802.11 standards [1]. Even though security schemes used in
wired networks are not applicable to wireless networks on an as-is basis due to the distinct
characteristics of the wireless medium, researchers first try to analyze possible
modifications and the feasibility of applying them to the latter, before brainstorming for a new solution.
We used a similar approach, analyzing the use of CoF for detecting
jamming attacks in a wireless environment. Additionally, on the basis of earlier studies, the effects
of different jamming attacks were incorporated in our simulation and the corresponding ranges of
effect were successfully determined with the help of CoF. Furthermore, with the help of AI
algorithms, like the Naïve Bayesian and J-48 algorithms, we verified our parameters and results.
Both algorithms predicted more than 98% of the dataset to be accurate, whereas threshold
classification and cost/benefit analysis was found to be approximately true positive. To the best
of our knowledge, this is the first such attempt for the wireless medium, and it can therefore be
further enhanced in many directions such as mobility, cognitive radios, spectral multiplexing and
other retreat and restoration techniques.
Over the years, various studies have proposed ways of detecting a jamming attack on the
medium in the near locality, on the basis of which further enhancements have been proposed for tackling
the anomaly more effectively. We used a similar approach to come up with a novel
technique to keep the jammer busy. In terms of logical escape, a chain of periodic/continuous
channel hopping is needed against an intelligent jammer who is knowledgeable enough to scan
for the next channel where legitimate communication can be found. We exploit the behavior of
such a jammer, which periodically senses the medium for packets until its jamming threshold
expires and it scans other channels. Rather than having the nodes hop to a new channel and allow the
jammer to follow them repeatedly, we opted for better-fight-than-frequent-switches. After a new channel
is selected and legitimate packet transfer is resumed, nodes alternately hop back to the original
channel and feed valid packets to the jammer. This way, the jammer is kept under the impression that
the original channel is still in use and the jammer threshold is not reached.
Lastly, we proposed a proactive channel hopping scheme that differs from the existing
solutions in the sense that each node communicates on different control and data channels with
each of its one-hop neighbors, based on a pre-defined formula. The neighborhood communication of
a node can be described as flower petals, each of a different color representing a distinct channel
for each neighbor. Above all, the scheme is proactive in nature, which reduces the impact of a
jamming attack without using any detection mechanism, by providing pre-existing escape
doors for a node. Results show that it is efficient for an ad hoc network, as compared to other
proactive scheme(s). Yet, the focus of this study is to analyze the proposed scheme in terms of
the jamming attack. It will help us to come up with a solution to counter the jammer more effectively
in future.
7.2. Future Work
The focus of this thesis was on MAC layer techniques which can enhance the
overall performance of the network in the presence of a jammer. These techniques need to be
tested and tailored to other security attacks, and can later be enhanced in the
form of an Intrusion Detection System (IDS), etc. Additionally, with the provision of AI
algorithms, dynamic detection of the jammer type can be tested as an enhancement of the proposed
simulation test bed. Furthermore, the proposed techniques need to be tried with other technologies
such as Bluetooth, WSN and wireless mesh networks. The proposed
techniques focused on single antenna devices, but they can be tested on cognitive
radios and smart antennas as well. Finally, the provision of mobility is an important aspect,
which also needs to be tested in terms of jamming attacks for the proposed techniques.
References
1. IEEE 802.11, 1999 Edition (ISO/IEC 8802-11:1999). IEEE Standards for Information
Technology – Telecommunications and Information Exchange between Systems –
Local and Metropolitan Area Network – Specific Requirements – Part 11: Wireless
LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.
2. Karyotis V., Kakalis A., Papavassiliou S., "On the Tradeoff between MAC-Layer and
Network-Layer Topology-Controlled Malware Spreading Schemes in Ad Hoc and
Sensor Networks". In Proceeding of the Third International Conference on Emerging
Security Information, Systems and Technologies, SECURWARE '09, Athens,
Glyfada, 18-23 June 2009. pp: 255 - 261
3. G. Noubir, “On connectivity in ad hoc networks under jamming using directional
antennas and mobility”, in Proc. Wired/Wireless Internet Communications
conference, LNCS vol. 2957, pp. 186-200, 2004.
4. Wu Z.D., Nettles S., “Analyzing and Preventing MAC-Layer Denial of Service
Attacks for Stock 802.11 systems”, BROADNETS, San Jose, USA, 2004.
5. John Wiley & Sons, Inc. “Handbook of Wireless Networks and Mobile Computing”,
2002. ISBNs: 0-471-41902-8 (Paper); 0-471-22456-1 (Electronic)
6. Wu B., Chen J., Wu J., Cardei M., “A Survey on Attacks and Countermeasures in
Mobile Ad Hoc Networks”, Wireless Network Security: Signals and Communication
Technology, Springer; 1st edition, 2007. pp.:103-135,
7. Medidi S.R., Medidi M., Gavini S., “Detecting Packet-Dropping Faults In Mobile
Ad-Hoc Networks”, In proceedings of IEEE ASILOMAR Conference on Signals,
Systems and Computers (ASILOMAR), vol. 2, Monterey, CA, November 2003. pp:
1708-1712.
8. [Online] http://www.derm.qld.gov.au/wildlife-ecosystems/plants/queensland_herbarium/wireless_sensor_network_springbrook.html
Last visited: December 10, 2010.
9. [Online] http://www.vislab.uq.edu.au/research/sensornet/network.html. Last visited:
December 10, 2010.
10. Hongxun L., Delgado-Frias J.G., Medidi S., "Using a Cache Scheme to Detect
Misbehaving Nodes in Mobile Ad-Hoc Networks" in Proceedings of 15th IEEE
International Conference on Networks (ICON'07), Adelaide, Australia, 19-21 Nov.
2007
11. Medidi S.R., Medidi M., Gavini S., Griswold R.. “Detecting Packet Mishandling in
Manets”, in Security and Management, pages 159–162, 2004.
12. [Online] Bakht H., ‘Understanding Mobile Ad-hoc Networks’.
http://www.computingunplugged.com. Last visited: December 10, 2010.
13. Yang H., Luo H., Ye F., Lu S., Zhang L., “Security in Mobile Ad Hoc Networks:
Challenges and Solutions”. IEEE Wireless Communications, February 2004.
14. Griswold R., Medidi S., “Malicious Node Detection In Ad-Hoc Wireless Networks”,
in Proceedings of SPIE Aero-Sense, Digital Wireless Communications V, April 2003.
15. Buchegger S., Boudec J.L. “Nodes Bearing Grudges: Towards Routing Security,
Fairness and Robustness in Mobile Ad Hoc Networks”. In Proceedings of the
Parallel, Distributed and Network-based Processing, pages 403–410, January 2002.
16. Marti S., Giuli T.J., Lai K., Baker M., “Mitigating Routing Misbehavior in Mobile Ad
Hoc Networks”, In Proceedings of the Mobile Computing and Networking, pages
255–265, 2000.
17. Griswold R., “Malicious Node Detection In Ad Hoc Wireless Networks”, Master’s
thesis, Washington State University, Pullman, 2003.
18. Wu S.L., Lin Y., Tseng Y.C., Sheu J.P., “A New Multi-Channel MAC Protocol with
On-Demand Channel Assignment for Mobile Ad Hoc Networks,” Proc. Int’l Symp.
Parallel Architectures, Algorithms and Networks (ISPAN ’00), p. 232, Dec. 2000.
19. Wu S.L., Lin C.Y., Tseng Y.C., Lin C.Y., Sheu J.P., “A Multi-Channel MAC
protocol with Power Control for Multi-Hop Mobile Ad Hoc Networks,” The
Computer J., vol. 45, no. 1, 2002. pp.: 101-110.
20. Hung W.C., Law K.L.E., Garcia A.L., “A Dynamic Multi-Channel MAC for Ad Hoc
LAN,” in Proceedings of 21st Biennial Symposium on Communications, Kingston,
Ontario, June 2002. pp. 31-35.
21. Tzamaloukas, J. Garcia-Luna-Aceves, “Channel-Hopping Multiple Access,” in
Proceedings of IEEE International Conference on Communication (ICC ’00), New
Orleans, 18-22 June 2000.
22. Tzamaloukas, J. Garcia-Luna-Aceves, “Channel-Hopping Multiple Access with
Packet Trains for Ad Hoc Networks,” Proc. IEEE Device Multimedia Comm.
(MoMuC ’00), Oct. 2000.
23. Chen J., Sheu S., Yang C., “A New Multichannel Access Protocol for IEEE 802.11
Ad Hoc Wireless LANs,” Proc. 14th IEEE Int’l Symposium on Personal, Indoor and
Mobile Radio Communication (PIMRC ’03), vol. 3, Beijing, China, Sept. 2003. pp.
2291-2296.
24. Bahl P., Chandra R., Dunagan J., “SSCH: Slotted Seeded Channel Hopping for
Capacity Improvement in IEEE 802.11 Ad Hoc Wireless Networks,” Proc. ACM
Annual International Conference on Mobile Computing and Networking (MobiCom),
Philadelphia, PA, USA, 26 September- 1st October, 2004.
25. So H.W., Walrand J., Mo J., “McMAC: A Multi-Channel MAC Proposal for Ad Hoc
Wireless Networks,” Proc. IEEE Wireless Comm. and Networking Conf. (WCNC
’07), Hong Kong, China. 11-15 March, 2007.
26. Alomair B., Lazos L., Poovendran R., "Securing low-cost RFID systems: An
unconditionally secure approach", Journal of Computer Security, Vol: 19, issue: 2,
2011. pp: 229-257.
27. Proano A., Lazos L., "Packet-Hiding Methods for Preventing Selective Jamming
Attacks", IEEE Transactions on Dependable and Secure Computing, Vol: 9, Issue: 1,
2012. pp: 101 - 114
28. Tague P., Li M., Poovendran R., "Mitigation of Control Channel Jamming under
Node Capture Attacks", IEEE Transactions on Mobile Computing, vol. 8, no. 9,
September 2009.
29. Tague P., Nabar S., Ritcey J.A., Poovendran R., "Jamming-aware traffic allocation
for multiple-path routing using portfolio selection", IEEE/ACM Transactions on
Networking (TON), Vol: 19, Issue: 1, February 2011.
30. Patrick Tague, "Identifying, Modeling, and Mitigating Attacks in Wireless Ad-Hoc
and Sensor Networks", PhD Thesis, University of Washington, 2009.
31. Mpitziopoulos A., Gavalas D., Pantziou G., "Defending Wireless Sensor Networks
from Jamming Attacks", in proceedings of The 18th Annual IEEE International
Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC'07),
Athens, Greece, 3–7 September, 2007.
32. Salem M., Sarhan A., Abu-Bakr M., “A DOS Attack Intrusion Detection and
Inhibition Technique for Wireless Computer Networks”, ICGST- CNIR, Volume (7),
Issue (I), July 2007.
33. Xu W., Trappe W., Zhang Y., Wood T., “The Feasibility of Launching and Detecting
Jamming Attacks in Wireless Networks”, In Proceedings of the Sixth ACM
International Symposium on Mobile Ad-hoc Networking and Computing (MobiHoc),
Urbana-Champaign, IL, USA, May, 25-28, 2005.
34. Xu W., Trappe W., Zhang Y., "Defending Wireless Sensor Networks from Radio
Interference through Channel Adaptation," ACM Transactions on Sensor Networks
(TOSN), Volume 4, Issue 4, August 2008.
35. Xu W., Wood T., Trappe W., Zhang Y., "Channel Surfing and Spatial Retreats:
Defenses Against Wireless Denial of Service, " in Proceedings of the 2004 ACM
workshop on Wireless security (WiSe), pg. 80 - 89, 2004.
36. Acharya M., Thuente D., “Intelligent Jamming Attacks, Counterattacks and
(Counter)2 Attacks in 802.11b Wireless Networks”, in Proceedings of the
OPNETWORK Conference, Washington DC, USA, August 2005.
37. Chen K.C. “Cognitive Radio Networks”, Ramjee Prasad Publisher John Wiley and
Sons, 2009
38. Chen Y., Xu W., Trappe W., Zhang Y.Y., “Securing Emerging Wireless Systems”:
Lower-Layer Approaches, 1st Edition. 2009.
39. Khattab S., Mossé D., Melhem R., "Honeybees: Combining Replication and Evasion
for Mitigating Base-station Jamming in Sensor Networks", 2006.
40. Martinovic, P. Pichota, J.B.Schmitt, "Jamming for good: a fresh approach to authentic
communication in WSNs", in Proceeding of the second ACM conference on Wireless
network security (WiSec'09), Zurich, Switzerland, March 16-18, 2009.
41. Ponomarchuk, Y., Dae-Wha S., "A Lightweight and Effective Jamming Detection in
Electronic Shelf Label Systems", in Proceedings of the 4th International Conference
on Ubiquitous Information Technologies & Applications, 20-22 Dec, 2009. ICUT '09.
pp: 1-6.
42. Raymond D.R., Brownfield M.I., "Effects of Denial-of-Sleep Attacks on Wireless
Sensor Network MAC Protocols", Published in IEEE Transactions on Vehicular
Technology, Vol.:58, No.:1, January 2009.
43. Zhang Z., Wu J., Deng J., Qiu M., "Jamming ACK Attack to Wireless Networks and
a Mitigation Approach," in Proc. of IEEE Global Telecommunications Conference -
Wireless Networking Symposium (GLOBECOM '08), New Orleans, LA, USA,
November 30-December 4, 2008, vol. ECP.950, pp. 1-5.
44. Peterson R. L., Ziemer R. E., Borth D. E., "Introduction to Spread-Spectrum
Communications" Prentice Hall, 1st Edition, 1995.
45. Acharya M., Thuente D., “Intelligent Jamming Attacks, Counterattacks and
(Counter)2 Attacks in 802.11b Wireless Networks”, in Proceedings of the
OPNETWORK Conference, Washington DC, USA, August 2005.
46. Wood A. D., Stankovic J. A., Son S. H., “JAM: A Jammed-Area Mapping Service for
Sensor Networks,” in Proceedings of 24th IEEE Real-Time Systems Symposium
(RTSS), 3-5 December, 2003. pp: 286 - 297
47. Ma K., Zhang Y., Trappe W., “Mobile Network Management and Robust Spatial
Retreats via Network Dynamics,” in Proceedings of the 1st International Workshop
on Resource Provisioning and Management in Sensor Networks (RPMSN05), Ohio,
USA, November 7th, 2005.
48. J.Shi, T.Salonidis, and E.W.Knightly, “Starvation Mitigation through MultiChannel
Coordination in CSMA Multihop Wireless Networks” in proceedings of the Seventh
ACM International Symposium on Mobile Ad Hoc Networking and Computing
(MobiHoc’06), Florence, Italy, May 22-25, 2006
49. Navda V., Bohra A., Ganguly S., Rubenstein D., "Using Channel Hopping to Increase
802.11 Resilience to Jamming Attacks", in proceedings of 26th IEEE International
Conference on Computer Communications, Joint Conference of the IEEE Computer
and Communications Societies, Anchorage, Alaska, USA, 6-12 May 2007.
50. Khattab S., Mosse D., Melhem R., "Modeling of the Channel-Hopping Anti-Jamming
Defense in Multi-Radio Wireless Networks", in proceedings of MobiQuitous 2008,
Dublin, Ireland, July 21 - 25, 2008
51. Nahrstedt K., Campbell R.H., Vaidya N.H., "Identifying Insider-based Jammers in
Multi-channel Wireless Networks", in proceedings of GLOBECOM'10. Miami,
Florida, USA, 6-10 December, pp.1-6
52. Nguyen H., Pongthawornkamol T., Nahrstedt K., "Alibi: A Framework for
Identifying Insider-based Jamming Attacks in Multi-channel Wireless Networks", in
proceedings of 16th ACM Conference on Computer and Communications Security
(CCS), Hyatt Regency Chicago, IL, USA, November 9-13, 2009.
53. Lee E.K., Oh S.Y., Gerla M., "Randomized Channel Hopping Scheme for Anti-
Jamming Communication", In proceedings of Wireless Days Conference, Venice,
Italy, October. 2010.
54. Othman J.B., Hamieh A., "Defending Method Against Jamming Attack in Wireless
Ad Hoc Networks", The 5th IEEE International Workshop on Performance and
Management of Wireless and Mobile Networks (P2MNET 2009), Zürich,
Switzerland; 20-23 October 2009.
55. Mahadevan K., Hong S., Dullum J., “Anti-Jamming: A Study”. 2005
56. Li M., Koutsopoulos I., Poovendran R., “Optimal Jamming Attacks and Network
Defense” In IEEE International Conference on Computer Communications
(INFOCOM), Anchorage, Alaska, USA, 6-12 May, 2007.
57. Reese K.W. Salem A., “A Survey on Jamming Avoidance in Adhoc Sensory
Networks” Journal of Computing Sciences in Colleges, Volume 24 Issue 3, January
2009
58. Soreanu P., Volkovich Z., Barzily Z., “Energy-Efficient Predictive Jamming Holes
Detection Protocol for Wireless Sensor Networks” in Proceedings of the 2008 Second
International Conference on Sensor Technologies and Applications (SENSORCOMM
'08), Cap Esterel, France, August 25-31, 2008
59. A.D. Wood, J.A. Stankovic, and G. Zhou, “DEEJAM: Defeating Energy-Efficient
Jamming in IEEE 802.15. 4-based Wireless Networks", in proceedings of 4th Annual
IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc
Communications and Networks, (SECON '07), San Diego, CA, USA, 18-21 June
2007. pp: 60-69
60. Muraleedharan R., Osadciw L.A., “Jamming Attack Detection and Countermeasures
in Wireless Sensor Network using Ant System” SPIE Defence and Security
Symposium, Orlando, USA, 17-21 April, 2006
61. Clancy T.C., Goergen N., “Security in Cognitive Radio Networks: Threats and
Mitigation,” in Proceedings of International Conference on Cognitive Radio Oriented
Wireless Networks and Communication. (CrownCom’08), Singapore, 15-17 May
2008.
62. Mitola J., “Cognitive Radio: An Integrated Agent Architecture for Software Defined
Radio.” Ph.D. Dissertation, KTH, 2000.
63. Paula R. da Silva, Marcelo H.T. Martins, and Bruno P.S. Rocha, "Decentralized
Intrusion Detection in Wireless Sensor Networks", in Proceedings of the 1st ACM
international workshop on Quality of service & security in wireless and mobile
networks (Q2SWinet '05), Montreal, Canada, October 10 - 13, 2005
64. Strasser M. "Jamming-resistant Key Establishment using Uncoordinated Frequency
Hopping" , in Proceedings of the 2008 IEEE Symposium on Security and Privacy,
Oakland, California, USA , May 18-21, 2008
65. Mishra A., Shrivastava V., Agarwal D., Banerjee S., Ganguly S., “Distributed
Channel Management in Uncoordinated Wireless Environments” in proceedings of
The Twelfth Annual International Conference on Mobile Computing and Networking
(MobiCom'06), Los Angeles, CA, USA, 24-29 September, 2006
66. Khattab S., Mosse D., Melhem R., "Jamming Mitigation in Multi-radio Wireless
Networks: Reactive or Proactive?", in Proceedings of the 4th international conference
on Security and Privacy in Communication Networks (SecureComm '08), Istanbul,
Turkey, September 22-26, 2008.
67. Hung-Min S., Shih-Pu H., Chien-Ming C., “Mobile Jamming Attack and its
Countermeasure in Wireless Sensor Networks” in proceedings of 21st International
Conference on Advanced Information Networking and Applications (AINA 2007),
Niagara Falls, Canada, May 21-23, 2007.
68. Alnifie G., Simon R., "A Multi-channel Defense Against Jamming Attacks in
Wireless Sensor Networks" In Proc. of the third ACM International Workshop on
QoS and Security for Wireless and Mobile Networks (Q2SWinet 2007). Chania,
Crete Island, Greece, October 22, 2007. pp: 95–104.
69. Shi J., Salonidis T., Knightly E.W., “Starvation Mitigation Through MultiChannel
Coordination in CSMA Multihop Wireless Networks” in proceedings of the Seventh
ACM International Symposium on Mobile Ad Hoc Networking and Computing
(MobiHoc’06), Florence, Italy, May 22-25, 2006
70. Xiao L., Dai H., Ning P., "Jamming-Resistant Collaborative Broadcast Using
Uncoordinated Frequency Hopping", IEEE Transactions on Information Forensics
and Security, Vol: 7, Issue: 1, February 2012, pp: 297 - 309
71. Popper C., Strasser M, Capkun S., "Anti-jamming Broadcast Communication using
Uncoordinated Spread Spectrum Techniques", IEEE Journal on Selected Areas in
Communication, vol:28, issue:5, June 2010.
72. Popper C., "On Secure Wireless Communication under Adversarial Interference",
PhD Thesis, ETH Zurich, 2011.
73. Liu S., Lazos L., Krunz, M., "Thwarting Control-Channel Jamming Attacks from
Inside Jammers", to be published in IEEE Transaction on Mobile Computing, 2011.
74. Lazos L., "Securing Network Services for Wireless Ad Hoc and Sensor Networks",
PhD Thesis, University of Washington, 2006
75. Lin S., Wueng M., "Concurrent Multi-Channel Transmission (CMCT) MAC Protocol
in Wireless Mobile Ad Hoc Networks" in proceedings of The 9th International
Conference on Advanced Communication Technology (ICACT'07), Gangwon-Do,
S.Korea, 12 Feb - 14 Feb 2007, pp: 445 - 449
76. Chen W., Chen D., Sun G., Zhang Y., “Defending Against Jamming Attacks in
Wireless Local Area Networks”, Autonomic and Trusted Computing,
Lecture Notes in Computer Science, 2007, Volume 4610/2007,
pp: 519-528, DOI: 10.1007/978-3-540-73547-2_53.
77. Ståhlberg M., “Radio Jamming Attacks Against Two Popular Mobile Networks”,
Seminar on Network Security. Mobile Security. Helsinki University of Technology,
Fall 2000.
78. Noubir G., Lin G., “Low-power DoS Attacks in Data Wireless LANs and
Countermeasures,” in proceedings of the Fourth ACM International Symposium on
Mobile Ad Hoc Networking and Computing, Annapolis, MD, USA, June 1-3, 2003.
79. Bayraktaroglu E., King C., Liu X., Noubir G., Rajaraman R., Thapa B., “On the
Performance of IEEE 802.11 under Jamming,” in Proceedings of IEEE 27th
Conference on Computer Communications (INFOCOM’08), Phoenix, Arizona, USA,
April 13 - 19 2008.
80. Law Y., Hartel P., Hartog J. den, Havinga P., ‘Link-layer Jamming Attacks on
SMAC’, in proceedings of the 2nd European Workshop on Wireless Sensor Networks
(EWSN 2005), 2005, pp. 217 - 225.
81. Rajeswaran A., Negi R., “DoS Analysis of Reservation based MAC Protocols”, in
proceedings of the IEEE International Conference on Communications, 16-20 May,
2005.
82. Schafroth M., “Jamming Detection in Wireless Ad Hoc Networks”, Master’s thesis,
MA-2008-21, March 2009.
83. Xu W., Trappe W., Zhang Y., "Channel Surfing: Defending Wireless Sensor
Networks from Jamming and Interference," in Proceedings of the 6th International
Conference on Information Processing in Sensor Networks (IPSN07), pg.499-508,
2007.
84. Xu W., Ma K., Trappe W., Zhang Y., “Jamming Sensor Networks: Attack and
Defense Strategies”, Rutgers University, 2006.
85. Bradley K. A., Cheung S., Puketza N., Mukherjee B., Olsson R. A., ‘Detecting
Disruptive Routers: A Distributed Network Monitoring Approach’, in proceedings of
the IEEE Symposium on Security and Privacy, May 1998, pp: 115– 124.
86. Hughes J. R., Tuomas A., Matt B., “Using Conservation of Flow as a Security
Mechanism in Network Protocols”, in proceedings of IEEE Symposium on Security
and Privacy, Berkeley, CA, USA, 2000.
87. Mizrak A.T., Cheng Y.C., Marzullo K., and Savage S., “Fatih: Detecting and
Isolating Malicious Routers”, DSN ’05: Proc. Int’l Conf. Dependable Systems and
Networks (DSN’05), pp. 538-547, 2005.
88. Faraz A., Khalid H, Nyla K., M.Sharif, Noor Z. "Identification of a Lossy Channel
in Wireless Mesh Network using Conservation of flow", Journal of Information &
Communication Technology, Vol. 1, No. 2, (Fall 2007) 60-70
89. [Online] Matlab. www.mathworks.com Last visited: December 28, 2010.
90. [Online] WEKA software, Machine Learning, http://www.cs.waikato.ac.nz/ml/weka/,
The University of Waikato, Hamilton, New Zealand. Last visited: December 28, 2010.
91. [Online] Technical Notes, “Naive Bayes Classifier”, Stat-Soft Electronic Statistics
Textbook. http://www.statsoft.com/textbook/naive-bayes-classifier. Last visited:
December 28, 2010.
92. Huang D.C., Wunsch D.S., Levine K.H. Jo, "Advanced Intelligent Computing
Theories and Applications: With Aspects of Artificial Intelligence", in proceedings of
4th International Conference on Intelligent Computing, ICIC 2008, Shanghai, China,
September 2008.
93. Wang X., Tu-liang L., Wong J., "Feature Selection in Intrusion Detection System
over Mobile Ad-hoc Network", Technical Report, Computer Science, Iowa State
University, 2005.
94. Zhang J., Zulkernine M., “Network Intrusion Detection using Random Forests”, in
proceedings of Third Annual Conference on Privacy, Security and Trust, The
Fairmont Algonquin, St. Andrews, New Brunswick, Canada, October 12-14, 2005.
95. Ma K., Zhang Y., Trappe W., “Mobile Network Management and Robust Spatial
Retreats via Network Dynamics,” in Proceedings of the 1st International
Workshop on Resource Provisioning and Management in Sensor Networks
(RPMSN05), 2005.
96. Liu H., Xu W., Chen Y., Liu Z., “Localizing Jammers in Wireless Networks”, in
Proceedings of the Seventh Annual IEEE International Conference on Pervasive
Computing and Communications (PERCOM '09), Galveston, Texas, USA, March 9-
13, 2009
97. Pelechrinis K., Koutsopoulos I., Broustis I., Krishnamurthy S.V., “Lightweight
Jammer Localization in Wireless Networks: System Design and Implementation” in
proceedings of IEEE Global Telecommunications Conference (GLOBECOM'09),
Honolulu, Hawaii, USA, Nov. 30 2009-Dec. 4 2009, pp: 1 - 6
98. Pelechrinis K., Koufogiannakis C., Krishnamurthy S.V., “Gaming the Jammer: Is
Frequency Hopping Effective?”, in Proceedings of the 7th international conference
on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks
(WiOPT'09), Seoul, S. Korea, June 23-27, 2009.
99. Xu W., Trappe W., Zhang Y., “Anti-Jamming Timing Channels for Wireless
Networks", in proceedings of the 1st ACM Conference on Wireless Security
(WiSec), Alexandria, Virginia, USA, 31 March - 2 April, 2008, pp. 203-213
100. Lazos L., Liu S., Krunz M., “Mitigating Control-Channel Jamming Attacks in Multi-
channel Ad Hoc Networks”, in Proceedings of the second ACM conference on
Wireless network security (WiSec'09), Zurich, Switzerland, March 16-18, 2009.
101. Martínez W.L., Martínez A.R., "Computational statistics handbook with MATLAB",
Chapman & Hall/CRC, 2002.
102. [Online] SPSS. http://www-01.ibm.com/software/analytics/spss. Last visited:
December 28, 2010.
103. [Online] OPNET Modeller, http://www.opnet.com. Last visited: December 28, 2010.
104. Gong M.X., Midkiff S.F., Mao S., “A Cross-layer Approach to Channel Assignment
in Wireless Ad Hoc Networks”, Journal of Mobile Networks and Applications, Vol.
12, No. 1, p 43-56, Feb. 2007
105. So J., Vaidya N.H., “MultiChannel MAC for Ad Hoc Networks: Handling
MultiChannel Hidden Terminals Using A Single Transceiver”, In Proceedings of the
Fifth ACM International Symposium on Mobile Ad Hoc Networking and Computing,
(MobiHoc’04), Tokyo, Japan, May 24-26, 2004.
106. Bicakci K., Tavli B., “Denial-of-Service Attacks and Countermeasures in IEEE
802.11 Wireless Networks”, Computer Standards & Interfaces (2008),
doi:10.1046/j.csi.2008.09.038.
107. [Online] http://en.wikipedia.org/wiki/Diffie-Hellman. Last visited: December 10,
2010.
108. Jaemin J., Seungmyeong J., Jaesung L., "Anti jamming - based medium access
control using adaptive rapid channel hopping in 802.11: AJ-MAC", in Proceedings of
the 2011 international conference on Computational Science and Its Applications
(ICCSA'11), Santander, Spain, 20 - 23 Jun 2011, pp. 70-82