IEEE TRANSACTIONS ON MOBILE COMPUTING,         VOL. 11,   NO. 5,   MAY 2012                                               ...
794                                                           IEEE TRANSACTIONS ON MOBILE COMPUTING,    VOL. 11, NO. 5,   ...
796                                                                    IEEE TRANSACTIONS ON MOBILE COMPUTING,   VOL. 11, N...
798                                                              IEEE TRANSACTIONS ON MOBILE COMPUTING,     VOL. 11, NO. 5...
800                                                           IEEE TRANSACTIONS ON MOBILE COMPUTING,    VOL. 11, NO. 5,   ...
802                                                                         IEEE TRANSACTIONS ON MOBILE COMPUTING,      VO...
Š with a small
,                                                                                   As shown in Algorithm 2, after all the...
however, the resulted error rates are quite low.                                                                          ...
Upcoming SlideShare
Loading in …5

A trigger identification service for defending reactive jammers in wsn.bak


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

A trigger identification service for defending reactive jammers in wsn.bak

  1. 1. IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 793 A Trigger Identification Service for Defending Reactive Jammers in WSN Ying Xuan, Yilin Shen, Nam P. Nguyen, and My T. Thai, Member, IEEE Abstract—During the last decade, Reactive Jamming Attack has emerged as a great security threat to wireless sensor networks, due to its mass destruction to legitimate sensor communications and difficulty to be disclosed and defended. Considering the specific characteristics of reactive jammer nodes, a new scheme to deactivate them by efficiently identifying all trigger nodes, whose transmissions invoke the jammer nodes, has been proposed and developed. Such a trigger-identification procedure can work as an application-layer service and benefit many existing reactive-jamming defending schemes. In this paper, on the one hand, we leverage several optimization problems to provide a complete trigger-identification service framework for unreliable wireless sensor networks. On the other hand, we provide an improved algorithm with regard to two sophisticated jamming models, in order to enhance its robustness for various network scenarios. Theoretical analysis and simulation results are included to validate the performance of this framework. Index Terms—Reactive jamming, jamming detection, trigger identification, error-tolerant nonadaptive group testing, optimization, NP-hardness. Ç1 INTRODUCTIONS INCE the last decade, the security of wireless sensor On the other hand, various network diversities are networks (WSNs) has attracted numerous attentions, investigated to provide mitigation solutions [6]. Spreadingdue to its wide applications in various monitoring systems spectrum [12], [5], [8] making use of multiple frequencyand vulnerability toward sophisticated wireless attacks. bands and MAC channels, Multipath routing benefitingAmong these attacks, jamming attack where a jammer node from multiple pre-selected routing paths [6] are two gooddisrupts the message delivery of its neighboring sensor examples of them. However, in this method, the capability http://ieeexploreprojects.blogspot.comnodes with interference signals, has become a critical threat of jammers are assumed to be limited and powerless toto WSNs. Thanks to the efforts of researchers toward this catch the legitimate traffic from the camouflage of theseissue, as summarized in [12], various efficient defense diversities. However, due to the silent behavior of reactivestrategies have been proposed and developed. However, a jammers, they have more powers to destruct these mitiga-reactive variant of this attack, where jammer nodes stay tion methods. To this end, other solutions are in great need.quite until an ongoing legitimate transmission (even has a A mapping service of jammed area has been presented insingle bit) is sensed over the channel, emerged recently and [11], which detects the jammed areas and suggests thatcalled for stronger defending system and more efficient routing paths evade these areas. This works for proactivedetection schemes. jamming, since all the jammed nodes are having low PDR Existing countermeasures against Reactive Jamming and thus incapable for reliable message delay. However, inattacks consist of jamming (signal) detection and jamming the case of reactive jamming, this is not always the case.mitigation. On the one hand, detection of interference Only a proportion of these jammed nodes, named triggersignals from jammer nodes is nontrivial due to the nodes, whose transmissions wake up the reactive jammers,discrimination between normal noises and adversarial are blocked to avoid the jamming effects.signals over unstable wireless channels. Numerous at- In this paper, we present an application-layer real-timetempts to this end monitored critical communication related trigger-identification service for reactive-jamming in wire-objects, such as Receiver Signal Strength (RSS), Carrier Sensing less sensor networks, which promptly provides the list ofTime (CST), Packet Delivery Ratio (PDR), compared the trigger-nodes using a lightweight decentralized algorithm,results with specific thresholds, which were established without introducing neither new hardware devices, norfrom basic statistical methods and multimodal strategies significant message overhead at each sensor node.[9], [12]. By such schemes, jamming signals could be This service exhibits great potentials to be developed asdiscovered, but to locate the jammer nodes based on these reactive jamming defending schemes. As an example, bysignals is much more complicated and has not been settled. excluding the set of trigger nodes from the routing paths, the reactive jammers will have to stay idle since transmis- sions cannot be sensed. Even though the jammers move. The authors are with the Department of Computer Information Science and around and detect new sensor signals, the list of trigger Engineering, University of Florida, CSE Building, Gainesville, Florida nodes will be quickly updated, so are the routing tables. As 32611-6120. E-mail: {yxuan, yshen, nanguyen, mythai} another example, without prior knowledge of the numberManuscript received 1 Mar. 2010; revised 9 Mar. 2011; accepted 18 Mar. of jammers, the radius of jamming signals and specific2011; published online 6 Apr. 2011.For information on obtaining reprints of this article, please send e-mail to: jamming behavior types, it is quite hard to locate, and reference IEEECS Log Number TMC-2010-03-0103. reactive jammers even the jammed areas are detected (e.g.,Digital Object Identifier no. 10.1109/TMC.2011.86. by Wood et al. [11]). However, with the trigger nodes 1536-1233/12/$31.00 ß 2012 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS
  2. 2. 794 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012localized, we can narrow down the possible locations of (packet or bit) to disrupt the sensed signal (called jammerreactive jammers. wake-up period), instead of the whole channel, which Although the benefits of this trigger-identification means once the sensor transmission finishes, the jammingservice are exciting, its hardness is also obvious, which attacks will be stopped (called jammer sleep period). Threedues to the efficiency requirements of identifying the set of concepts are introduced to complete this model.trigger nodes out of a much large set of victim nodes, that Jamming range R. Similar to the sensors, the jammers areare affected jamming signals from reactive jammers with equipped with omnidirectional antennas with uniformpossibly various sophisticated behaviors. To address these power strength on each direction. The jammed area can beproblem, a novel randomized error-tolerant group testing regarded as a circle centered at the jammer node, with ascheme as well as minimum disk cover for polygons areproposed and leveraged. radius R, where R is assumed greater than rs , for simulating The basic idea of our solution is to first identify the set of a powerful and efficient jammer node. All the sensors withinvictim nodes by investigating corresponding links’ PDR this range will be jammed during the jammer wake-upand RSS, then these victim nodes are grouped into multiple period. The value of R can be approximated based on thetesting teams. Once the group testing schedule is made at the positions of the boundary sensors (whose neighbors arebase station and routed to all the victim nodes, they then jammed but themselves not), and then further refined.locally conducts the test to identify each of them as a trigger Triggering range r. On sensing an ongoing transmission,or nontrigger. The identification results can be stored locally the decision whether or not to launch a jamming signalfor reactive routing schemes or delivered to the base station depends on the power of the sensor signal Ps , the arrivedfor jamming localization process. signal power at the jammer Pa with distance r from the In the remainder of this paper, we first present the sensor, and the power of the background noise Pn .problem definition in Section 2, where the network model, According to the traditional signal propagation model,victim model, and attacker models are included. Then, we the jammer will regard the arrived signal as a sensorintroduce three kernel techniques for our scheme, Rando- transmission as long as the Signal-Noise-Ratio is higher thanmized Error-Tolerant Nonadaptive Group Testing, Clique-inde- some threshold, i.e., SNR ¼ Pa > where Pa ¼ Ps Á Y with P r npendent Set (CIS), and Minimum Disk Cover in a Simple and called jamming decision threshold and path-loss factor,Polygon in Section 3. The core of this paper: trigger-node Y as a log-normally random variable. Therefore, r ! ð ÁPn Þ1 is Ps ÁYidentification and its error-tolerant extension toward sophis- a range within which the sensor transmission will definitelyticated jammer behaviors are presented, respectively, in trigger the jamming attack, named as triggering range. As willSections 4 and 5. A series of simulation results for evaluating r is bounded by R from above, andthe system performance and validating the theoretical be shown later, this range rs from below, where the distances from either bounds areresults are included in Section 6. We present related worksin Section 7 and summarize the paper in Section 8. decided by the jamming decision threshold . For simplicity, we assume triggering range is the same for each sensor. Jammer distance. Any two jammer nodes are assumed2 PROBLEM MODELS AND NOTATIONS not to be too close to each other, i.e., the distance between2.1 Network Model jammer J1 and J2 is ðJ1 ; J2 Þ R. The motivations behindWe consider a wireless sensor network consisting of this assumptions are three-fold: 1) the deployment ofn sensor nodes and one base station (larger networks with jammers should maximize the jammed areas with a limitedmultiple base stations can be split into small ones to satisfy number of jammers, therefore large overlapping betweenthe model). Each sensor node is equipped with a globally jammed areas of different jammers lowers down the attacksynchronized time clock, omnidirectional antennas, efficiency; 2) ðJ1 ; J2 Þ should be greater than R, since them radios for in total k channels throughout the network, transmission signals from one jammer should not interferewhere k m. For simplicity, the power strength in each the signal reception at the other jammer. Otherwise, thedirection is assumed to be uniform, so the transmission latter jammer will not able to correctly detect any sensorrange of each sensor can be abstracted as a constant rs and transmission signals, since they are accompanied with highthe whole network as a unit disk graph (UDG) G ¼ ðV ; EÞ, RF noises, unless the jammer spends a lot of efforts inwhere any node pair i; j is connected iff the euclidean denoising or embeds jammer-label in the jamming noise fordistance between i; j: ði; jÞ rs . We leave asymmetric the other jammers to recognize. Both ways are infeasible forpowers and polygonal transmission area for further study. an efficient attack; 3) the communications between jammers are impractical, which will expose the jammers to anomaly2.2 Attacker Model detections at the network authority.We consider both a basic attacker model and severaladvanced attacker models in this paper. Specifically, we 2.2.2 Advanced Attacker Modelprovide a solution framework toward the basic attacker To evade detections, the attackers may alter their behaviorsmodel, and validate its performance toward multiple to evade the detection, for which two advanced reactiveadvanced attacker models theoretically and experimentally. jamming models: probabilistic attack and asymmetric response time delay are considered in this paper. In the first one, the2.2.1 Basic Attacker Model jammer responds each sensed transmission with a prob-Conventional reactive jammers [12] are defined as mal- ability independently. In the second one, the jammericious devices, which keep idle until they sense any ongoing delays each of its jamming signals with an independentlylegitimate transmissions and then emit jamming signals randomized time interval.
  3. 3. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 795Fig. 1. Sensor periodical status report message. We do not specify the possible changes of jammingrange R as an advanced model, since the trigger set in thiscase will not change, though the victim set varies. Further,we do not theoretically analyze the effects of variousjamming decision threshold in this paper version, but weevaluate all these above factors in the simulation section.Jammer mobilities are out of the scope of this paper, whichassumes that the jammers are static during our trigger- Fig. 2. Nodes in gray and blue are victim nodes around jammer nodes,identification phase. This is quite reasonable, since the time where blue nodes are also trigger nodes, which invoke the jammerlength of this phase is short, as to be shown later. nodes. Nodes surrounding the jammed are boundary nodes, while the others are unaffected nodes.2.3 Sensor ModelBesides monitoring the assigned network field and generat- consider only proactive jammers, while reactive jammersing alarms in case of special events (e.g., fire, high can bring up larger damage due to efficient attack andtemperature), each sensor periodically sends a status report hardness to detect. To this end, we embed a group testingmessage to the base station, which includes a header and a process, i.e., the randomized error-tolerant group testing bymain message body containing the monitored results, means of our designed random ðd; zÞ-disjunct matrix, to thebattery usage, and other related content. As shown in routing update scheme, which avoids unnecessarily largeFig. 1, the header is designated for antijamming purpose, isolated areas as [11] does. Moreover, most existingwhich is 4-tuple: Sensor_ID as the ID of the sensor node, topology-based solutions [23], [24] can only handle theTime_Stamp as the sending out time indicating the single-jammer case, since lacking of knowledge over thesequence number, as well as a Label referring to the node’s jamming range and inevitable overlapping of the jammedcurrent jamming status, and TTL as the time-to-live field areas bring ups the analytical difficulties, for which wewhich is initialized as the 2D with network diameter D. cover problem in a simple polygon resort to a minimum disk According to the jamming status, all the sensor nodes can problem and a clique-independent set categorized into four classes: trigger nodes T N, victimnodes V N, boundary nodes BN, and unaffected node UN. 3.1 Error-Tolerant Randomized Nonadaptive GroupTrigger nodes refer to the sensor nodes whose signals awake Testingthe jammers, i.e., within a distance less than r from a Group Testing was proposed since WWII to speed up thejammer. Victim nodes are those within a distance R from an identification of affected blood samples from a large sampleactivated jammer and disturbed by the jamming signals. population. This scheme has been developed with aSince R r, T N V N. Other than these disturbed sensors, complete theoretical system and widely applied to medicalUN and BN are the unaffected sensors while the latter ones testing and molecular biology during the past severalhave at least one neighbor in V N, hence BN UN, andV N UN ¼ ;. The Label field of each sensor indicates the decades [1]. Notice that the nature of our work is tosmallest class it belongs to. The relationships among these identify all triggers out of a large pool of victim nodes, soclasses are shown in Fig. 2. this technique intuitively matches our problem. There are two issues orthogonal to our solution. On one The key idea of group testing is to test items in multiplehand, the detection of jammed signals at each sensor node is designated groups, instead of individually. The principlesorthogonal to this work, and can be completed via of traditional group testing are sketched in the Appendix,sophisticated reactive jamming detection techniques, such which can be found on the Computer Society Digitalas comparing the SNR, PDR, and RSS with predefined Library at, as shown in [9]. With regard to the effects of TMC.2011.86.detection errors on our solution, we provide sometheoretical analysis at the end of Section 5.1.1. On the other 3.1.1 Traditional Nonadaptive Group Testinghand, the detailed attack schemes adopted by the reactive The key idea of group testing is to test items in multiplejammers are orthogonal with our application-layer service. designated groups, instead of testing them one by one. TheAs long as the jamming detection techniques that we resort traditional method of grouping items is based on ato can efficiently detect these malicious signals, either high designated 0-1 matrix MtÂn where the matrix rowsRF noises, fraud message segments, etc., our solution represent the testing group and each column refers to anservice is feasible. item (Fig. 3). M½i; jŠ ¼ 1 if the jth item appears in the ith testing group, and 0 otherwise. Therefore, the number of rows of the matrix denotes the number of groups tested in3 THREE KERNEL TECHNIQUES parallel and each entry of the result vector V refers to theIn this section, three kernel techniques for the proposed test outcome of the corresponding group (row), where 1protocol are introduced. Most existing antijamming works denotes positive outcome and 0 denotes negative outcome.
  4. 4. 796 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 We only show the performance of this new construction, namely, ETG algorithm in this section. The details of the construction and analysis are included in the Appendix, available in the online supplemental material. Theorem 3.1. The ETG algorithm produces a ðd; zÞ-disjunctFig. 3. Binary testing matrix M and testing outcome vector V . Assumedthat item 1 (first column) and item 2 (second column) are positive, then matrix with probability p0 where p0 can be arbitrarilyonly the first two groups return negative outcomes, because they do not approaching 1.contain these two positive items. On the contrary, all the other fourgroups return positive outcomes. . The worst-case number of rows of this matrix is bounded by Given that there are at most d n positive items among 2in total n ones, all the d positive items can be efficiently and 3:78ðd þ 1Þ2 log n þ 3:78ðd þ 1Þ logcorrectly identified on condition that the testing matrix M is 1 À p0d-disjunct: any single column is not contained by the union À 3:78ðd þ 1Þ þ 5:44ðd þ 1Þðz À 1Þ;of any other d columns. Owing to this property, each much smaller than 4:28d2 log 1Àp0 þ 4:28d2 log n þ 2negative item will appear in at least one row (group) where 2 2nÀ1 9:84dz þ 3:92z ln 1Àp0 .all the positive items do not show up, therefore, by filteringall the items appearing in groups with negative outcomes, all the . If z t, the worst-case number of rows becomesleft ones are positive. Although providing such simple ln nðd þ 1Þ2 À 2ðd þ 1Þ lnð1 À p0 Þdecoding method, d-disjunct matrix is nontrivial to con- t¼struct [1], [2] which may involve with complicated ð À ðd þ 1ÞÞ2computations with high overhead, e.g., calculation of where ¼ ðd=ðd þ 1ÞÞd and asymptotically t ¼irreducible polynomials on Galois Field. In order to Oðd2 log nÞ.alleviate this testing overhead, we advanced the determi-nistic d-disjunct matrix used in [7] to randomized error- Proof. See Section B in the Appendix, available in the onlinetolerant d-disjunct matrix, i.e., a matrix with less rows but supplemental material. u tremains d-disjunct w.h.p. Moreover, by introducing this Theorem 3.2. The ETG algorithm has smallerffiffiffitime complexity pmatrix, our identification is able to handle test errors under Oðd2 n log nÞ than Oðn2 log nÞ, when d n.sophisticated jamming environments. In order to handle errors in the Cover in a Simple Polygon testing outcomes, the 3.2 Minimum Diskerror-tolerant nonadaptive group testing has been developed Given a simple polygon with a set of vertices inside, theusing ðd; zÞ-disjunct matrix, where in any d þ 1 columns, problem of finding a minimum number of variable-radiieach column has a 1 in at least z rows where all the other d disks that not only cover all the given vertices, but also arecolumns are 0. Therefore, a ðd; 1Þ-disjunct matrix is exactly all within the polygon, can be efficiently solved.d-disjunct. Straightforwardly, the d positive items can still The latest results due to the near linear algorithmbe correctly identified, in the presence of at most z À 1 test proposed recently by Kaplan et al. [25], which investigateserrors. In the literature, numerous deterministic designs for the medial axis and voronoi diagram of the given polygon,ðd; zÞ-disjunct matrix have been provided (summarized in and provides the optimal solution using Oð$ þ ðlog $ þ[1]), however, these constructions often suffer from high- log6 ÞÞ time and Oð$ þ log log Þ space, where the numbercomputational complexity, thus are not efficient for of edges of the polygon is $ and nodes within it as . Wepractical use and distributed implementation. On the other employ this algorithm to estimate the jamming range R.hand, to our best knowledge, the only randomizedconstruction for ðd; zÞ-disjunct matrix dues to Cheng’s work 3.3 Clique-Independent Setvia q-nary matrix [19], which results in a ðd; zÞ-disjunct Cliques-Independent Set is the problem to find a set ofmatrix of size t1  n with probability p0 , where t1 is maximum number of pairwise vertex-disjoint maximal cliques, which is referred to as a maximum clique-independent 2 2 2 2 2n À 1 set (MCIS) [4]. Since this problem serves as the abstracted 4:28d log þ 4:28d log n þ 9:84dz þ 3:92z ln ; 1 À p0 1 À p0 model of the grouping phase of our identification, its hardnesswith time complexity Oðn log nÞ. Compared with this work, is of great interest in this scope. To our best knowledge, it has 2we advance a classic randomized construction for d- already been proved to be NP-hard for cocomparability,disjunct matrix, namely, random incidence construction planar, line, and total graphs; however, its hardness on UDG[1], [2], to generate ðd; zÞ-disjunct matrix which can not only is still open. We propose its NP-complete proof in thegenerate comparably smaller t  n matrix, but also handle Appendix, available in the online supplemental material.the case where z is not known beforehand, instead, only the There have been numerous polynomial exact algorithmserror probability of each test is bounded by some constant for solving this problem on graphs with specific topology,. Although z can be quite loosely upper bounded by t, yet e.g., Helly circular-arc graph and strongly chordal grapht is not an input. The motivation of this construction lies in [4], but none of these algorithms gives the solution on UDG.the real test scenarios, the error probability of each test is In this paper, we employ the scanning disk approach in [3] tounknown and asymmetric, hence it is impossible to find all maximal cliques on UDG, and then find all theevaluate z before knowing the number of pools. MCIS using a greedy algorithm.
  5. 5. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 7974 TRIGGER-NODE IDENTIFICATIONWe propose a decentralized trigger-identification proce-dure. It is lightweight in that all the calculations occur at thebase station, and the transmission overhead as well as thetime complexity is low and theoretically guaranteed. Noextra hardware is introduced into the scheme, except for thesimple status report messages sent by each sensor, and thegeographic locations of all sensors maintained at the basestation. Three main steps of this procedure are as follows: Fig. 4. Estimated R and jammed area. 1. Anomaly Detection—the base station detects potential 4.2 Jammer Property Estimation reactive jamming attacks, each boundary node tries to report their identities to the base station. We estimate the jamming range as R and the jammed areas 2. Jammer Property Estimation—The base station calcu- as simple polygons, based on the locations of the boundary lates the estimated jammed area and jamming range and victim nodes. R based on the locations of boundary nodes. For sparse-jammer where the distribution of jammers is 3. Trigger Detection relatively sparse and there is at least one jammer whose jammed area does not overlap with the others, like J2 in Fig. 2. a. the base station makes a short encrypted testing By denoting the set of boundary nodes for the ith jammed area schedule message Z which will be broadcasted as BNi , we can estimate the coordinate of this jammer as to all the boundary nodes. PBNi PBNi ! b. boundary nodes keep broadcasting Z to all the k¼1 Xk Yk ðXJ ; YJ Þ ¼ ; k¼1 ; victim nodes within the estimated jammed area jBNi j jBNk j for a period Q. c. all the victim nodes locally execute the testing where ðXk ; Yk Þ is the coordinate of a node k is the jammed procedure based on Z, identify themselves as area BNi and the jamming range R is triggers or nontriggers. qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi R ¼ min max ðXk À XJ Þ2 þ ðYk À XJ Þ2 ;4.1 Anomaly Detection 8BNi k2BNiEach sensor periodically sends a status report message to for we assume that all the jammers have the same range.the base station. However, once the jammers are activated For dense-jammer, shown in Fig. 4, we first estimate theby message transmissions, the base station will not receive jammed areas, which are simple polygons (unnecessarilythese reports from some sensors. By comparing the ratio of convex) containing all the boundary and victim nodes. Thisreceived reports to a predefined threshold , the base process consists of three steps: 1) discovery of convex hulls ofstation can thus decide if a jamming attack is happening in the boundary and victim nodes, where no unaffected nodesthe networks. When generating the status report message, are included in the generate convex polygons. 2) for eacheach sensor can locally obtain its jamming status and decide boundary node v not on the hull, choose two nodes on thethe value of the Label field (Initially trigger “TN”). In detail, hull and connect v to them in such a way that the internalif a node v hears jamming signals, it will not try to send out angle at this reflex vertex is the smallest, hence the polygonmessages but keep its label as victim. If v cannot sense is modified by replacing an edge (dotted one in Fig. 4) byjamming signals, its report will be routed to the base station the two new ones. The resulted polygon is the estimatedas usual, however, if it does not receive ACK from its jammed area. 3) execute the near-linear algorithm [25] toneighbor on the next hop of the route within a time out find the optimal variable-radii disk cover of all the victimperiod, it tries for two more retransmissions. If no ACKs are nodes, but constrained in the polygon, and return thereceived, it is quite possible that that neighbor is a victim largest disk radius as R.node, then v updates Label tuple as boundary “BN” in itsstatus report. Another outgoing link from v with the most 4.3 Trigger Detectionavailable capacity is taken to forward this message. If the Since the jammer behavior is reactive, in order to find all thestatus report is successfully delivered to the base station trigger nodes, a straightforward way is that let each sensorwith Label ¼ TN, the corresponding node is regarded as broadcast one by one, and listen to possible jammingunaffected. All the messages are queued in the buffer of the signals. However, this individual detection is quite timeintermediate nodes and forwarded in an FCFS manner. The consuming and all the victim nodes thus have to be isolatedTTL value is reduced by 1 per hop for each message, and for a long detection period, or even returns wrong detectionany message will be dropped once its TTL ¼ 0. result in the presence of mobile jammers. In this case, the The base station waits for the status report from each network throughput would be dramatically decreased.node in each period of length P. If no reports have been Therefore, to promptly and accurately find out thesereceived from a node v with a maximum delay time, then v triggers from a large pool of victim nodes, emerges as thewill be regarded as victim. The maximum delay time is most challenging part of the proposed protocol, for whichrelated to graph diameter and will be specified later. If the the idea of group testing is applied.aggregate report amount is less than , the base station In this section, we only consider a basic attack modelstarts to create the testing schedule for the trigger nodes, where the jammers deterministically and immediately broad-based on which the routing tables will be updated locally. casts jamming signals once it senses the sensor signal.
  6. 6. 798 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 TABLE 1 Message Containing Trigger Detection Schedule Fig. 5. Interference teams. Second-level, within each testing team, victims are further divided into multiple testing groups. This is completed by constructing a randomized ðd; 1Þ-disjunct matrix, as mentioned in Section 3.1, mapping each sensorTherefore, as long as at least one of the broadcasting victim node to a matrix column, and make each matrix row as anodes is a trigger, some jamming signals will be sensed, and testing group (sensors corresponding to the columns with 1svice versa. The performance of this protocol toward in this row are chosen). Apparently, tests within one groupsophisticated attacker models with probabilistic attack will possibly interfere that of another, so each group will bestrategies will be validated in the next section. assigned with a different frequency channel. All the following is the encrypted testing schedule over The duration of the overall testing process is t time slots,all the victim nodes, which is designed at the base station where the length of each slot is L. Both t and L arebased on the set of boundary nodes and the global topology, predefined, yet the former depends on the total number ofstored as a message (illustrated in Table 1) and broadcastedto all the boundary nodes. The broadcasting of the testing victims and estimated number of trigger nodes, and thescheduling message adopts a routing mechanism similar to latter depends on the transmission rate of the channel.reverse path forwarding. In detail, all the status report Specifically, at the beginning of each time slot, all the sensorsmessages relayed to the base station will record all the designated to test in this slot broadcast a -bit test packet onnodes’ IDs on their routing paths. Therefore, without the assigned channel to their 1-hop neighbors. Till the endconsidering mobile jammers, those routing paths can be of this slot, these sensors keep detecting possible jammingreused to send out these testing scheduling messages and signals. Each sensors will label itself as a trigger unless in atevade the jammed areas. least one slot of its testing, no jamming signal is sensed. After receiving this message, each trigger identification procedure is boundary node broad- The correctness of thiscasts this message one time using simple flooding method to theoretically straightforward. Given that all the testingits nearby jammed area. All the victim nodes execute the teams are interference free, then the testing with differenttesting schedule and indicate themselves as nontriggers or teams can be executed simultaneously. Given that we havetriggers. Since all the sensor nodes are equipped with a an upper bound d on the number of trigger nodes and eachglobal uniform clock, and no message transmissions to the testing group follow the ðd; 1Þ-disjunct matrix, whichbase station are required during the detection, the mechan- guarantees that each nontrigger node will be included inism is easy to implement and practical for applications. at least one group, which does not contain any trigger node, As shown in Table 1, for each time slot, m sets of victim so each nontrigger node will not hear jamming signals in atsensors will be tested. The selection of these sets involves a least one time slot, but the trigger nodes will since thetwo-level grouping procedure. jammers are activated once they broadcast the test packets. First-level, the whole set of victims are divided into Therefore, two critical issues need to be addressed to ensureseveral interference-free testing teams. Here, by interference this correctness: how to partition the victim set intofree we mean that if the transmissions from the victim maximal interference-free testing teams and estimate thenodes in one testing team invokes a jammer node, its number of trigger nodes d, as follows: Though these twojamming area will not reach the victim nodes in another involve geometric analysis over the global topology, since it onlytesting team. Therefore, by trying broadcasting from victim takes the information of boundary and victim nodes as inputs, andnodes in each testing team and monitoring the jamming is calculated at the base station, no message complexity issignals, we can conclude if any members in this team are introduced.triggers. In addition, all the tests in different testing teamscan be executed simultaneously since they will not interfere 4.3.1 Discovery of Interference-Free Testing Teamseach other. Fig. 5 provides an example for this. Three As stated above, two disjoint sets of victim nodes aremaximal cliques C1 ¼ fv1 ; v2 ; v3 ; v4 g, C2 ¼ fv3 ; v4 ; v5 ; v6 g,C3 ¼ fv5 ; v7 ; v8 ; v9 g can be found within three jammed areas. interference-free testing teams iff the transmission within oneImagine these three cliques are, respectively, the three set will not invoke a jammer node, whose jamming signalsteams we test at the same time. If v4 in the middle team will interfere the communications within the other set.keeps broadcasting all the time and J2 is awaken frequently, Although we have estimated the jamming range R, it is stillno matter the trigger v2 in the leftmost team is broadcasting quite challenging to find these interference-free teamsor not, v3 will always hear the jamming signals, so these two without knowing the accurate locations of the jammers.teams interfere each other. In addition, node-disjoint groups Notice that it is possible to discover the set of victim nodesdo not necessarily interference free, as the leftmost and within the same jammed area, i.e., with a distance R fromrightmost teams show. the same jammer node. Any two nodes within the same
  7. 7. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 799Fig. 6. Clique C1 ¼ V1 V2 V3 V4 is chosen by CIS, but its concentric circleCC 0 covers boundary node V0 , then clique C2 ¼ V4 V5 V6 V7 replaces C1 in Fig. 7. Maximum # interfering cliques.the testing team for the first round. Clique V1 V2 V3 are left for the nextround. by and from C1 is r R distance away, whose jammingjammed area should be at most 2R far from each other, i.e., range can only reach another R distance further, which isif we induce a new graph G0 ¼ ðV 0 ; E 0 Þ with all these victim thus away from C2 . Therefore, the cliques in the obtainednodes as the vertex set V 0 and E 0 ¼ fðu; vÞjðu; vÞ 2Rg, the CIS of this kind are selected as testing teams. While thenodes jammed by the same jammer should form a clique. others are left for the next time slot.The maximum number of vertex-disjoint maximal cliques In addition, in the worst case, any single maximal clique(i.e., clique-independent set) of this kind provides an upper C has at most 12 interfering cliques in the CIS, as thebound of possible jammers within the estimated jammed shadowed ones in Fig. 7. Therefore, at most 13 testing teamsarea, where each maximal clique is likely to correspond to are required to cover all these cliques. If the number ofthe nodes jammed by the same jammer. channels k given is larger than 13, then a frequency-division The solution consists of three steps: CIS discovery on the is available, i.e., these interfering cliques can still becomeinduced graph from the remaining victim without test simultaneous testing teams, on the condition each team can kschedules, boundary-based local refinement and interfer- only use minfd13e; mg of the given channels, where m is theence-free team detection. We iterate three steps to decide number of radios per sensor. Otherwise, we have to use timethe schedule for every victim node. divisions, i.e., they have to be tested in different time slots. CIS discovery. We first employ Gupta’s MCE algorithm 4.3.2 Estimation of Trigger Upper Bound[3] to find all the maximal cliques, then use a greedyalgorithm, as shown in Algorithm 1 to get the CIS. Before bounding the trigger quantity from above, the triggering range r should be estimated. As mentioned in http://ieeexploreprojects.blogspot.comAlgorithm 1. CIS discovery. the attacker model, r depends not only on the power of both sensors and jammers, but also the jamming threshold and path-loss factor 1 Pn Á r! ; Ps Á Y since the real time Pn and Ps are not given, we estimate r based on the SNR cutoff 0 of the network setting. In fact, the transmission range of each sensor rs is a maximum radius to guarantee Local refinement. Each clique we select is expected to Pa Ps Á Y SNR ¼ ¼ ! 0 :represent the jammed area poisoned by the same jammer, P n Pn Á rsand this area should not cover the boundary nodes. Therefore, we can estimate r asHowever, we did not take this into account when discover-ing the CIS, and need to locally update it. Specially, for each 1 clique, we find its circumscribed circle CC and the r % rs 0 ; concentric circle CC 0 with radius R of CC. In the case thatCC 0 covers any boundary nodes, we locally select another where 0 and are parts of the network input, while isclique by adding/removing nodes from this clique, to see if assumed as a constant, which indicates the aggressivenessthe problem can be solve. If not, we keep this clique as it is, of the jammer. For this estimation, can be first set as 10 db,otherwise, we update it. This is illustrated in Fig. 6. which is the normally lower bound of SNR in wireless Team detection. The cliques in CIS can also interfere transmission, and then adaptively adjusted to polish theeach other, e.g., the clique V1 V2 V3 V4 and V5 V7 V8 V9 in Fig. 5. service quality.This is because the signals from V4 will wake J2 , who will With estimated r, since all the trigger nodes in the sametry to block these signals with noises and affect V5 by the team should be within a 2r distance from each other, byway. But if any two cliques C1 and C2 are not connected by finding another induced graph G00 ¼ ðWi ; E 00 Þ from the victimany single edge, then they are straightforwardly inter- nodes Wi in team i, with E 00 ¼ fðu; vÞ 2 E 00 if ðu; vÞ 2rg,ference free, since the shortest distance between any node in the size of the maximal clique indicates the upper bound ofC1 and C2 is larger than 2R. But the farthest jammer waken the trigger nodes, thus can be an estimate over d.
  8. 8. 800 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 The testing delay Tt depends on the number of testing rounds and the length of each round. Since the reactive jamming signal disappears as soon as these sensed 1-hop transmission finishes, each round length is then Oð1Þ. The number of testing rounds is however complicated and bounded by Theorem 4.1. Lemma 4.1. Based on the ETG algorithm, the number of tests to identify d trigger nodes from jW j victim nodes is upper bounded by tðjW j; dÞ ¼ Oðd2 dln jW jeÞ w.h.p. iFig. 8. Maximum # jammers invoked by one team. Theorem 4.1 (Main). The total number of testing rounds is As mentioned above, all the parallel testing teams selected upper bounded byare interference free; therefore, we roughly regard each team to be the jammed area of one jammer. As a deeper Q 13 minfd2 dln jWi je; jWi jg i O max ;investigation, the number of jammers that can be invoked i¼1 mby the nodes in the same team (six 3-clique within the red P w.h.p, with di ¼ minf 6 jcs ðGi Þj; jWi jg and cs ðGi Þ is the s¼1circles) can be up to 6, since the minimum distance between sth largest clique over an induced unit disk subgraph Gi ¼two jammers is greater than R and r R, as shown in Fig. 8. ðWi ; Ei ; 2rÞ in the testing team i.Therefore on the induced graph, the largest 6 cliques form the d2 dln jW jepossible trigger set. However, since the jammer distribution Proof. First, from Lemma 4.1, at most tðjW j;dÞ ¼ i m mcannot be that dense for the sake of energy conserving, the testing rounds are needed to identify all nodes in testingformer estimate over d is large enough. team i. Second, the set of testing teams that can be tested in parallel is 13, as mentioned earlier. Combining with the4.4 Analysis of Time and Message Complexity worst case upper bound of triggers in each team, theTime complexity. By time complexity we mean the upper bound on round is derived. t uidentification delay counted since the attack happens tillall the nodes successfully identify themselves as trigger ornontrigger. Therefore, the complexity break downs into If the jamming range R is assumed known beforehand,four parts: similar to [7], the whole time complexity is thus 13d2 dln jWi je; jWi j 1. the detection of jamming signals at local links Td ; Q i O max ; 2. the routing of sensor report to the base station from i¼1 m each sensor node, and the testing schedule to each and asymptotically bounded by Oðn2 log nÞ. It is asympto- victim node from the base station, aggregated as Tr ; 3. the calculation of CIS and R at the base station Tc ; tically smaller than that of [7] 4. the testing at each jammed area Tt . ÁðHÞ ’! X d2 log2 jWj j j 2 The local jamming signal detection involves the statis- O max ð2 þ oð1ÞÞ 2 ; m ;tical properties of PDR, RSS, and SNR, which is orthogonal i¼1 j log2 ðdj log2 jWj jÞto our work. We regard Td as Oð1Þ since it is an entirely local where ÁðHÞ refers to the maximum degree of the inducedoperation and independent with the network scale. The routing time overhead is quite complicated, since graph H (in this new solution, maximum degree is notcongestions need to be considered. For simplicity, we involved). By taking the calculation overhead for R intoconsider that all the 1-hop transmission takes Oð1Þ time account, the overall time complexity is asymptotically 2 6 6and bound Tr using the diameter D of the graph. As Oðn log n þ n log nÞ, which is Oðn log nÞ for n ! 4.mentioned earlier, the base station waits at most Oð2DÞ for Message complexity. On the one hand, the broadcastingthe reports, so that is the upper bound of the one-way of testing schedule Z from the base station to all the victimrouting. As to the other way, we also bound it using Oð2DÞ nodes costs OðnÞ messages in the worst case. On the otherto match any collision and retransmission cases. hand, the overhead of routing reports toward the base The calculation of CIS resorts to the algorithm in [3], which station depends on the routing scheme used and thefinds OðlÁÞ maximal cliques on UDG within OðlÁ2 Þ time, network topology as well as capacity. The upper bound iswhere l ¼ jEj and Á refers to the maximum degree. We used straightforward obtained in a line graph with the basea greedy algorithm to find a MCIS from these OðlÁÞ cliques station at one end, whose message complexity is OðnðnÀ1ÞÞ.with Oðl3 Á3 QÞ time: OðlÁÞ-time for each clique to check 2 With regard to the message overhead of the testingthe overlapping with other cliques, OðlÁÞ-time to find a process. Considering that there are approximately jWi j victimclique overlapping with minimum other cliques, and Q dþ1denotes the number of testing teams. Notice that in practice, nodes in each testing group of team Wi (mentioned in thesensor networks are not quite dense, so the number of edges l construction of randomized ðd; zÞ-disjunct matrix in Appen-and maximum degree Á are actually limited to small values. dix, available in the online supplemental material), the jWi jOn the other hand, the time complexity of estimating R is up overhead of each testing group in a testing round is dþ1 1-hopto OðnÁ þ nðlog nÁ þ log6 nÞ using the minimum disk cover testing message broadcasted by all victim nodes in each group 2 2algorithm as mentioned. of team Wi . Therefore, the overhead message complexity is
  9. 9. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 801 d x TABLE 2 Pr½uðiÞ ¼ xŠ ¼ p ð1 À pÞdÀx : ð1Þ x Notations For each test i, the event that it contains at least one trigger but returns a negative result, has a probability at most Pr½gðiÞ ¼ 0 uðiÞ ! 1Š ð2Þ Xd d x ¼ ð1 À Þx p ð1 À pÞdÀx ð3Þ ! x¼1 x X Q Q O n2 þ jWi j maxfdi dln jWi je; jWi jgm ; i¼1 i¼1 ¼ ½ð1 À Þp þ 1 À pŠd À ð1 À pÞd ð4Þwhich is Oðn2 log nÞ. ¼ ð1 À pÞd À ð1 À pÞd ð1 À Þp: ð5Þ5 ADVANCED SOLUTIONS TOWARD SOPHISTICATED Meanwhile, the event that it contains no trigger nodes but ATTACK MODELS returns a positive result, has a probabilityIn this section, we consider two sophisticated attacker Pr½gðiÞ ¼ 1 uðiÞ ¼ 0Š ¼ 0: ð6Þmodels: probabilistic attack and variant response time delay, Since in practical ! 1 , we therefore have the expectedwhere the jammers rely each sensed transmission with 2 number of false positive and negative tests is, respectively,different probabilities, instead of deterministically, or delay at most pt=2 and 0.the jamming signals with a random time interval, instead Instead of the jamming behavior, the jamming signalof immediately. This may mismatch with the original detection errors can be analyzed using the same method.definition of reactive jamming, which targets at transmis- Given that each node detects possible jamming signalssion signals, instead of nodes or channels. However, clever successfully with probability q, then following (1), we canjammers can possibly change their strategies to evade similarly have the false negative rate of each test ipossible sensed detections. Also, a common sense indicatesthat as long as an activity is sensed by the jammer, it is Pr½gðiÞ ¼ 0 uðiÞ ! 1Š ð7Þquite possible that some other activities are following this.So delaying the response time still guarantees the attack Xd d xefficiency, but minimize the risk of being caught by ¼ ð1 À qÞx p ð1 À pÞdÀx ð8Þ x¼1 xreactive detections. Since our scheme is robust and accurate in the steps ofgrouping, generating disjunct matrix and decoding the ¼ ½ð1 À qÞp þ 1 À pŠd À ð1 À pÞd ð9Þtesting results, the only possible test errors arise from thegeneration of testing outcomes. Nevertheless, by using ¼ ð1 À qpÞd À ð1 À pÞd ð1 À qÞp; ð10Þthe error-tolerant disjunct matrix and relaxing the identifi- 1cation procedures to asynchronous manner, our scheme which is also small considering p ¼ dþ1 .will provide small false rates in these cases. Some notations 5.1.2 Variant Reaction Timecan be found in Table 2. In this section, the terms test andgroup, the terms column and nodes are interchangeable. The introduction of group testing techniques aims to decrease the identification latency to the minimum, there-5.1 Upper Bound on the Expected Value of z fore, if the jammer would not respond intermediately afterFirst, we investigate the properties of both jamming sensing the ongoing transmissions, but instead wait for abehaviors and obtain the expected number of error tests randomized time delay, the test outcomes would be messed up. Since it is expensive to synchronize the tests amongin both cases through the following analysis. Since in sensors, we use a predefined testing length as L, thus thepractice, it is not trivial to establish accurate jamming test outcome of test i 2 ½1; tŠ is generated within timemodels, we derive an upper bound of the error probability i i interval ½ðdme À 1ÞL; dmeLŠ. There are two possible errorwhich does not require the beforehand knowledge of the events regarding any test i.objective jamming models, which is therefore feasible forreal-time identifications. Since it is a relaxed bound, it could . F pðiÞ: test i is negative, but some jamming signalsbe further strengthened via learning the jamming history. are delayed from previous tests and interfere this test, where we have a false positive event;5.1.1 Probabilistic Jamming Response (Detection) . F nðiÞ: test i is positive, but the jammer activated inA clever jammer can choose not to respond to some sensed this test delayed its jamming signals to someongoing transmissions, in order to evade the detection. subsequent tests, meanwhile, no delayed jammingAssume that each ongoing transmission has an independent signals from previous tests exists, where we have aprobability to be responded. In our construction algorithm false negative event.ETG, where each matrix entry is IID and has a probability p Since the jammers in this paper are assumed to blockto be 1, therefore for any single test i with i 2 ½1; tŠ communications only on the channels where transmissions
  10. 10. 802 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 pare sensed, for the following analysis, we claim that the ¼ þ 2ð1 À ð1 À pÞd Þð1 À pÞd 2interferences can only happen between any two tests i; j þ ð1 À ð1 À pÞd Þð1 À 2ð1 À ð1 À pÞd ÞÞwith i jðmod mÞ. Denote the delay of jamming signals asa random variable X ¼ fxð1Þ; xð2Þ; xð3Þ; . . . xðtÞg where xðiÞ ¼ ð10 À 8 2 À Àd À 1Þ=2;is the delay for possible jamming signals arisen from test i. where ¼ ðd=ðd þ 1ÞÞd . Intuitively, we can have an upper1) For event F pðiÞ, consider the test i À m, in order to have bound on the number of error tests as z ¼ t ¼its jamming signals delayed to test i, we have a bound on ð10 À 8 2 À Àd À 1Þ=2, and take it as an input to constructxði À mÞ 2 ð0; 2LÞ. Similarly, in order to have the signals of the ðd; zÞ-disjunct matrix. However, notice that z dependsany test j delayed to i, we have xðjÞ 2 ½ðiÀj À 1ÞL; ðiÀj þ 1ÞLŠ. m m on t, i.e., the number of rows of the constructed matrix, weFurther the probability density function of X is PðiÞ ¼ therefore derive another bound of t related to , as shownPr½X ¼ xðiފ. Consider all the tests prior to i, which are in the Appendix, available in the online supplementali mod m; 1 þ i mod m; . . . ; i À m, we have the probability material.for F pðiÞ 5.2 Error-Tolerant Asynchronous Testing within Z ðiÀjþ1ÞL Each Testing Team X iÀm m ð1 À pÞd PðwÞdwð1 À ð1 À pÞd Þ: ð11Þ By applying the derived worst cast number of error tests j¼i mod m ðiÀjÀ1ÞL m into the ETG construction, we can obtain the following algorithm where tests are conducted in an asynchronousTo simplify this expression, we assume that X=L follows a manner to enhance the efficiency.uniform distribution within the range ½0;
  11. 11. Š with a small
  12. 12. , As shown in Algorithm 2, after all the groups arewhich is reasonable and efficient for attackers in practice. decided, conduct group testing on them in m pipelines,Since the nature of jamming attacks lies in adapting the where in each pipeline any detected jamming signals willattack frequency due to the sensed transmissions, too large end the current test and trigger the next tests while groupsdelay does not make sense to tackle the ongoing transmis- receiving no jamming signals will be required to resendsions. Under a uniform distribution, the probability of F pðiÞ triggering messages and wait till the predefined round timebecomes has passed. These changes over the original algorithm, especially the asynchronous testing are located in each 2X iÀm ð1 À ð1 À pÞd Þð1 À pÞd testing team, thus will not introduce significant overheads, j¼max i mod m;iÀmÀ
  13. 13. À1
  14. 14. however, the resulted error rates are quite low. d d i 2 Algorithm 2. Asynchronous Testing. ¼ ð1 À ð1 À pÞ Þð1 À pÞ À1 : m
  15. 15. Therefore, the expected number of false positive tests is atmost Xt 2 Tþ ð1 À ð1 À pÞd Þð1 À pÞd ð
  16. 16. Þ i¼1
  17. 17. X t 2 ð1 À ð1 À pÞd Þð1 À pÞd i¼1 2ð1 À ð1 À pÞd Þð1 À pÞd t: 2) For event F nðiÞ, following the similar arguments above,we have an upper bound of the probability for F nðiÞ (assumethat any delays larger than l at test i will interfere the tests jfollowing i where j 2 ½maxði mod m; i À m À
  18. 18. À 1Þ; i À mŠ): Z þ1 d ð1 À ð1 À pÞ Þ PðwÞdw l ! X Z ð m þ1ÞL iÀj d Á 1À PðwÞdwð1 À ð1 À pÞ Þ j ðiÀjÀ1ÞL m ð1 À ð1 À pÞd Þð1 À 2ð1 À ð1 À pÞd ÞÞð
  19. 19. À lÞ=
  20. 20. ð1 À ð1 À pÞd Þð1 À 2ð1 À ð1 À pÞd ÞÞ: 6 EXPERIMENTAL EVALUATION 6.1 OverviewSo the expected number of false negative tests is at most As a lightweight distribute trigger-identification service, our TÀ ð1 À ð1 À pÞd Þð1 À 2ð1 À ð1 À pÞd ÞÞt: ð12Þ solution will be experimentally evaluated from four facets:Therefore, we could use a union bound and obtain a worst . in order to show the benefit of this service, wecase error rate of each test compare it with JAM [11] in terms of the end-to-end
  21. 21. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 803Fig. 9. Benefits for routing. delay and delivery ratio of the detour routes from three parameters J 2 ½1; 20Š, R 2 ½100; 200Š, r 2 ½50; 150Š are the base station to all the sensor nodes, as the included in Figs. 9a, 9b, and 9c, respectively. Notice that for number of sensors n, sensor range rs , and number of each experiments, the other two parameters are set as the jammers J vary within practical intervals. median value of their corresponding intervals. Therefore, . in order to show the acceleration effect of the clique- R ¼ 150 for Fig. 9c, which matches the extreme case R ¼ r. independent set in this solution, we compare the Furthermore, for the nodes that are in jammed areas for complexity of this solution to our previous centra- JAM and that are triggers for our method, in another word, lized one [7], with varying the above four para- unable to deliver packets to or from the base station, we meters, where both jamming and triggering range R count the delay as n þ 1, which is an upper bound of the and r are assumed to be known beforehand. route length. . in order to show the accuracy of estimating the As shown in Figs. 9a and 9b, when j and R increases, jamming range by using the polygon disk cover the routing delay goes up, which is quite reasonable since algorithm, we provide the estimated jamming the jamming areas get larger and more detours have to be ranges as well as the error rate to the actual values. taken. The length of routes based on JAM quickly climbs up . in order to show its performance and robustness to the upper bound, while that of our trigger method is toward tricky attackers, we assess its false positive/ much lower and more stable (less than 900 seconds). When negative rate and the estimation of R, for those two triggering range r is small, as in Fig. 9c, the end-to-end advanced jammer models. delay of Trigger-based routing is much smaller than theThe simulation is developed using C++ on a Linux Work- other, while as r increases the two approaches each other,station with 8 GB RAM. A 1;000  1;000 square sensor field since more victim nodes are created with uniformly distributed n sensor nodes, one 6.3 Improvements on Time Complexitybase station and J randomly distributed jammer nodes. Allthe simulation results are derived by averaging 20 random In our previous work [7], we proposed a preliminary idea ofinstances. this trigger detection, and provided a disk-based solution. However, its high time complexity limits its usage in real-6.2 Benefits for Jamming-Resistent Routing time networks. As mentioned above, the time complexity ofJAM [11] proposed a jamming-resistent routing scheme, our new clique-based detection is proved to be asympto-where all the detected jammed areas will be evaded and tically lower than the previous, while the message complex-packets will not pass through the jammed nodes. This ities are approaching each other.method is dedicated for proactive jamming attacks, which Although the computational overhead for estimating R issacrifices significant packet delivery ratio due to the asymptotically huge, the phase is not the key part of ourunnecessarily long routes selected, though the effects of scheme, and can be easily improved by machine learningjamming signals are avoided. We compare the end-to-end techniques. Therefore, in this section, we assume that bothdelay between each sensor node and the base station, of the R and r are known beforehand, and validate the theoreticalselected routes by evading the jammed areas detected by results through simulations on network instances withJAM, with that of the ones evading only trigger nodes. various settings. Specifically, the network size n rangingAlthough there are many existing routing protocols for from 450 to 550 with step 2, transmission rs from 50 to 60unreliable network environments, the aim of this experi- with step 0.2, and number of jammers J from 3 to 10 withment is to show the potential of this service to various step 1. Parameter values lower than these intervals wouldapplications, instead of being a dedicated routing protocol. make the sensor network less connected and jamming Three key parameters for routing could be the number of attack less severe, while higher values would lead toJammers J, jamming range R, jamming threshold . As impractical dense scenarios and unnecessary energy waste.mentioned earlier, indicates the aggressiveness of the Since the length of each reactive attack is equal to the 1 attacker and the triggering range r % rs ð0 Þ . Therefore, with transmission delay of the object sensor signal, note that inrs , 0 and as fixed network inputs, the effect of can be our trigger detection, only one message is broadcast byexactly indicated by studying the effect of r instead. each sensor in the testing groups. Therefore, it is reasonable The whole network has n ¼ 1;500 nodes and sensor to predefine the length of each testing round as a constant.transmission range rs ¼ 50. The results with respect to the We set this as 1 second, which is far more enough for any
  22. 22. 804 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012Fig. 10. Time and message complexity.single packet to be transmitted from one node to its the accuracy of this estimation. As shown in Fig. 11, weneighboring nodes. Henceforth, the time cost shown in investigate the error rate ÁR for R ¼ ½50; 100Š when thereSection 6.3 only indicates the number of necessary rounds are, respectively, J ¼ 5; 10; 15 find out all the triggers, and can be further reduced. The Two observations are straightforward from these results:message complexity is measured via the average message 1) all the estimated values are above the actual ones,cost on each sensor node. percent difference. This meets our however, less than 10 As shown in Figs. 10a and 10b, this clique-based scheme requirement for a tight upper bound of R. 2) the error ratescompletes the identification with steadily less than 10 sec- in case of fewer jammers are lower than those with moreonds, compared to the increasing time overhead with more jammers. This is because the jammer areas can have largerthan 15 seconds of the disk-based solution, as the network overlaps, which introduces estimate inaccuracies.grows denser with more sensor nodes. Meanwhile, itsamortized communication overheads are only slightly 6.5 Robustness to Various Jammer Modelshigher than that of the other solution, whereas both are In order to show the precision of our proposed solutionbelow 10 messages per victim node. Therefore, the new under different jamming environments, we vary the twoscheme is even more efficient and robust to large-scale parameters of the jammer behaviors above: Jammer Responsenetwork scenarios. Probability and Testing Round Length/Maximum Jamming With the sensor transmission radius growing up, the Delay L=X and illustrate the resulted false rates in Figs. 12atime complexity of the disk-based solution gradually and 12b. To simulate the most dangerous case, we assume aascends (Figs. 10d and 10c) due to the increased maximum hybrid behavior for all the jammers, for example, thedegree ÁðHÞ mentioned in the above analysis. Compara-tively, the time cost of clique-based solution remains below jammers in the simulation of Fig. 12a not only launch10 seconds, while the two message complexities are similar. the jamming signals probabilistically, but also delay the Since sensor nodes are uniformly distributed, the more jamming messages with a random period of time up to 2L.jammer nodes placed in the networks, the more victim On the other hand, the jammers in the simulation of Fig. 12bnodes are expected to be tested, the identification complex-ity will therewith raises, as the performance of disk-basedscheme shows in Figs. 10f and 10e. Encouragingly, theproposed scheme can still finish the identification promptlywith less than 10 seconds, which grows up much slowerthan the other. It has slightly more communication over-heads (10 messages per victim nodes) but is still affordableto power-limited sensor nodes.6.4 Accuracy in Estimating Jammer PropertiesThough the estimate of jamming range R is only to providean upper bound for R, such that the testing teams obtainedaccordingly are interference free, we are also interested in Fig. 11. Estimation error of R.
  23. 23. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 805 other hand, mitigation schemes which benefit from channel surfing [13], frequency hopping and spatial retreats [12], reactively help legitimate nodes escape from the jammed area or frequency. Unfortunately, being lack of preknow- ledge over possible positions of hidden reactive jammer nodes, legitimate nodes cannot efficiently evade jamming signals, especially in dense sensor network when multiple mobile nodes can easily activate reactive jammer nodes and cause the interference. For the sake of overcoming these limitations above, in [7] we studied on the problem ofFig. 12. Solution robustness. identification trigger nodes with a short period of time, whose results can be employed by jamming-resistentrespond each sensed transmission with probability 0.5 as routing schemes, to avoid the transmissions of these triggerwell. All the simulation results are derived by averaging 10 nodes and deactivate the reactive jammer nodes. In thisinstances for each parameter team. paper, we complete this trigger identification procedure as As shown in both figures, we consider the extreme cases a lightweight service, which is prompt and reliable towhere jammers respond transmission signals with a prob- various network scenarios.ability as small as 0.1, or delay the signals to up to 10 testingrounds later. This actually contradicts with the nature ofreactive jamming attacks, which aim at disrupting the 8 DISCUSSION AND CONCLUSIONSnetwork communication as soon as any legitimate transmis- One leftover problem to this service framework is thesion starts. The motivation of such parameter setting is to jammer mobility. Although the identification latency hasshow the robustness of this scheme even if the attackers been shown small, it would not be efficient toward jammerssense the detection and intentionally slow down the attacks. that are moving at a high speed. This would become anThe overall false rates are below 20 percent. interesting direction of this research. In Fig. 12a, when 1=2 which corresponds to practical Another leftover problem is the application of this service.cases, we find that the false negative rates generally decrease Jamming-resistent routing and jammer localizations arefrom 10 to 5 percent as increases. Meanwhile the false both quite promising, yet the service overhead has to bepositive rate grows gently, but is still below 14 percent, this is further reduced to for real-time requirements.because as more and more jamming signals are sent, due to http://ieeexploreprojects.blogspot.comorder to provide an efficient trigger- As a summary, intheir randomized time delays, more and more following tests identification service framework, we leverage severalwill be influenced and become false positive. In Fig. 12b, optimization problem models and provide correspondingconsidering the practical cases where L=X 1=2, both rates algorithms to them, which includes the clique-independentare going down from around 10 to 1 percent, since the problem, randomized error-tolerant group testing, andmaximum jamming delay becomes shorter and shorter minimum disk cover for simple polygon. The efficiency ofcompared to the testing round length L, as the number of this framework is proved through both theoreticallyinterferences between consecutive tests decreases. analysis toward various sophisticated attack models and simulations under different network settings. With abun-7 RELATED WORKS dant possible applications, this framework exhibits huge potentials and deserves further studies.Existing countermeasures against jamming attacks in WSNcan be categorized into two facets: signal detection andmitigation, both of which have been well studied and ACKNOWLEDGMENTSdeveloped with various defense schemes. On the one hand, This work was partially supported by US National Sciencea majority of detection methods focus on analyzing specific Foundation Career Award # 0953284 and DTRA, Youngobject values to discover abnormal events, e.g., Xu et al. [16] Investigator Award, Basic Research Program # HDTRA1-studied a multimodel (PDR, RSS) to consistently monitor 09-1-0061 and DTRA # HDTRA1-08-10.jamming signals. Work based on similar ideas [17], [15], [14]improved the detection accuracy by investigating sophisti-cated decision criteria and thresholds. However, reactive REFERENCESjamming attacks, where the jammer node are not continu- [1] D.Z. Du and F. Hwang, Pooling Designs: Group Testing in Molecularously active and thus unnecessary to cause huge deviations Biology. World Scientific, 2006. [2] M. Goodrich, M. Atallah, and R. Tamassia, “Indexing Informationof these variables from normal legitimate profiles, cannot be for Data Forensics,” Proc. Third Applied Cryptography and Networkefficiently tackled by these methods. In addition, some Security Conf. (ACNS), 2005.recent works proposed methods for detecting jammed areas [3] R. Gupta, J. Walrand, and O. Goldschmidt, “Maximal Cliques in Unit Disk Graphs: Polynomial Approximation,” Proc. Int’l Network[11] and directing normal communications bypass possible Optimization Conf. (INOC), 2005.jammed area using wormhole [18]. These solutions can [4] V. Guruswami and C.P. Rangan, “Algorithmic Aspects of Clique-effectively mitigate jamming attacks, but their performances Transversal and Clique-Independent Sets,” Discrete Applied Math.,rely on the accuracy of detection on jammed areas, i.e., the vol. 100, pp. 183-202, 2000. [5] W. Hang, W. Zanji, and G. Jingbo, “Performance of DSSS Againsttransmission overhead would be unnecessarily brought up Repeater Jamming,” Proc. IEEE 13th Int’l Conf. Electronics, Circuitsif the jammed area is much larger than its actual size. On the and Systems (ICECS), 2006.
  24. 24. 806 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012[6] P. Tague, S. Nabar, J.A. Ritcey, and R. Poovendran, “Jamming- Ying Xuan received the BE degree in computer Aware Traffic Allocation for Multiple-Path Routing Using engineering from the University of Science and Portfolio Selection,” IEEE/ACM Trans. Networking, vol. 19, no. 1, Technology of China, Anhui, in 2006. He is now pp. 184-194, Feb. 2011. working toward the PhD degree in the Depart-[7] I. Shin, Y. Shen, Y. Xuan, M.T. Thai, and T. Znati, “Reactive ment of Computer and Information Science and Jamming Attacks in Multi-Radio Wireless Sensor Networks: An Engineering, University of Florida, under the Efficient Mitigating Measure by Identifying Trigger Nodes,” Proc. supervision of Dr. My T. Thai. His research Second ACM Int’l Workshop Foundations of Wireless Ad Hoc and topics include applied group testing theory, Sensor Networking and Computing (FOWANC), in conjunction with social networking, and network vulnerability. MobiHoc, 2009.[8] O. Sidek and A. Yahya, “Reed Solomon Coding for Frequency Hopping Spread Spectrum in Jamming Environment,” Am. J. Applied Sciences, vol. 5, no. 10, pp. 1281-1284, 2008. Yilin Shen received the BS degree in applied[9] M. Strasser, B. Danev, and S. Capkun, “Detection of Reactive mathematics from Donghua University, Shang- Jamming in Sensor Networks,” ACM Trans. Sensor Networks, vol. 7, hai, China, in 2005. He is currently working pp. 1-29, 2010. toward the PhD degree at the Department of[10] H. Wang, J. Guo, and Z. Wang, “Feasibility Assessment of Computer and Information Science and Engi- Repeater Jamming Technique for DSSS,” Proc. IEEE Wireless neering, University of Florida, under the super- Comm. and Networking Conf. (WCNC), 2007. vision of Dr. My T. Thai. His research topics[11] A.D. Wood, J. Stankovic, and S. Son, “A Jammed-Area Mapping include network security, and network reliability Service for Sensor Networks,” Proc. IEEE 24th Real-Time Systems and social networks. Symp. (RTSS), 2003.[12] W. Xu, K. Ma, W. Trappe, and Y. Zhang, “Jamming Sensor Networks: Attack and Defense Strategies,” IEEE Network, vol. 20, Nam P. Nguyen received the bachelor’s degree no. 3, pp. 41-47, May/June 2006. from Vietnam National University in 2007 and[13] W. Xu, T. Wood, W. Trappe, and Y. Zhang, “Channel Surfing and Spatial Retreats: Defenses Against Wireless Denial of Service,” the master’s of science degree from Ohio Proc. ACM Workshop Wireless Security, pp. 80-89, 2004. University in 2009, both in mathematics. He is[14] M. Li, I. Koutsopoulos, and R. Poovendran, “Optimal Jamming currently working toward the PhD degree in Attacks and Network Defense Policies in Wireless Sensor Net- computer science at the CISE Department, works,” Proc. IEEE INFOCOM, 2007. University of Florida. His interests include com- munity detection methods for both static and[15] R.A. Poisel, Modern Communications Jamming Principles and Techniques. Artech House, 2004. dynamic networks, and effective approximation[16] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The Feasibility of algorithms for networking problems. Launching and Detecting Jamming Attacks in Wireless Net- works,” Proc. ACM MobiHoc, 2005.[17] M. Cakiroglu and A.T. Ozcerit, “Jamming Detection Mechanisms My T. Thai received the PhD degree in computer for Wireless Sensor Networks,” Proc. Third Int’l Conf. Scalable science from the University of Minnesota, Twin Information Systems (InfoScale), 2008. Cities, in 2006. She is an assistant professor in[18] M. Cagalj, S. Capkun, and J.P. Hubaux, “Wormhole-Based the Department of Computer and Information Antijamming Techniques in Sensor Networks,” IEEE Trans. Mobile Sciences and Engineering at the University of Computing, vol. 6, no. 1, pp. 100-114, Jan. 2007. Florida. Her current research interests include[19] Y.-X. Chen and D.-Z. Du, “New Constructions of One- and Two- algorithms and optimization on network science Stage Pooling Designs,” J. Computational Biology, vol. 15, pp. 195- and engineering. She also serves as an associ- 205, 2008. ate editor for the Journal of Combinatorial[20] M.G. Garey and D.S. Johnson, “The Rectilinear Steiner Tree Optimization (JOCO) and Optimization Letters Problem is NP-Complete,” SIAM J. Applied Math., vol. 32, pp. 826- and a conference chair of COCOON 2010 and several workshops in the 834, 1977. area of network science. She is a recipient of DoD Young Investigator[21] L.G. Valiant, “Universality Considerations in VLSI Circuits,” IEEE Awards and US National Science Foundation CAREER awards. She is a Trans. Computers, vol. 30, no. 2, pp. 135-140, Feb. 1981. member of the IEEE.[22] K. Pelechrinis, I. Koutsopoulos, I. Broustis, and S.V. Krishna- murthy, “Lightweight Jammer Localization in Wireless Networks: System Design and Implementation,” Proc. IEEE 28th Conf. Global . For more information on this or any other computing topic, Telecomm. (GlobeCom ’09), 2009. please visit our Digital Library at[23] H. Liu, W. Xu, Y. Chen, and Z. Liu, “Localizing Jammers in Wireless Networks,” Proc. IEEE Int’l Conf. Pervasive Computing and Comm. (PWN), 2009.[24] Z. Liu, H. Liu, W. Xu, and Y. Chen, “Wireless Jamming Localization by Exploiting Nodes’ Hearing Ranges,” Proc. Int’l Conf. Distributed Computing in Sensor Systems (DCOSS), 2010.[25] H. Kaplan, M. Katz, G. Morgenstern, and M. Sharir, “Optimal Cover of Points by Disks in a Simple Polygon,” Proc. 18th Ann. European Symp. Algorithms, 2010.