Upcoming SlideShare
×

# A trigger identification service for defending reactive jammers in wsn.bak

1,850 views

Published on

0 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
Your message goes here
• Be the first to comment

• Be the first to like this

Views
Total views
1,850
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
30
0
Likes
0
Embeds 0
No embeds

No notes for slide

### A trigger identification service for defending reactive jammers in wsn.bak

4. 4. 796 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 We only show the performance of this new construction, namely, ETG algorithm in this section. The details of the construction and analysis are included in the Appendix, available in the online supplemental material. Theorem 3.1. The ETG algorithm produces a ðd; zÞ-disjunctFig. 3. Binary testing matrix M and testing outcome vector V . Assumedthat item 1 (first column) and item 2 (second column) are positive, then matrix with probability p0 where p0 can be arbitrarilyonly the first two groups return negative outcomes, because they do not approaching 1.contain these two positive items. On the contrary, all the other fourgroups return positive outcomes. . The worst-case number of rows of this matrix is bounded by Given that there are at most d n positive items among 2in total n ones, all the d positive items can be efficiently and 3:78ðd þ 1Þ2 log n þ 3:78ðd þ 1Þ logcorrectly identified on condition that the testing matrix M is 1 À p0d-disjunct: any single column is not contained by the union À 3:78ðd þ 1Þ þ 5:44ðd þ 1Þðz À 1Þ;of any other d columns. Owing to this property, each much smaller than 4:28d2 log 1Àp0 þ 4:28d2 log n þ 2negative item will appear in at least one row (group) where 2 2nÀ1 9:84dz þ 3:92z ln 1Àp0 .all the positive items do not show up, therefore, by filteringall the items appearing in groups with negative outcomes, all the . If z t, the worst-case number of rows becomesleft ones are positive. Although providing such simple ln nðd þ 1Þ2 À 2ðd þ 1Þ lnð1 À p0 Þdecoding method, d-disjunct matrix is nontrivial to con- t¼struct [1], [2] which may involve with complicated ð À ðd þ 1ÞÞ2computations with high overhead, e.g., calculation of where ¼ ðd=ðd þ 1ÞÞd and asymptotically t ¼irreducible polynomials on Galois Field. In order to Oðd2 log nÞ.alleviate this testing overhead, we advanced the determi-nistic d-disjunct matrix used in [7] to randomized error- Proof. See Section B in the Appendix, available in the onlinetolerant d-disjunct matrix, i.e., a matrix with less rows but supplemental material. u tremains d-disjunct w.h.p. Moreover, by introducing this Theorem 3.2. The ETG algorithm has smallerﬃﬃﬃtime complexity pmatrix, our identification is able to handle test errors under Oðd2 n log nÞ than Oðn2 log nÞ, when d n.sophisticated jamming environments. In order to handle errors in the http://ieeexploreprojects.blogspot.com Cover in a Simple Polygon testing outcomes, the 3.2 Minimum Diskerror-tolerant nonadaptive group testing has been developed Given a simple polygon with a set of vertices inside, theusing ðd; zÞ-disjunct matrix, where in any d þ 1 columns, problem of finding a minimum number of variable-radiieach column has a 1 in at least z rows where all the other d disks that not only cover all the given vertices, but also arecolumns are 0. Therefore, a ðd; 1Þ-disjunct matrix is exactly all within the polygon, can be efficiently solved.d-disjunct. Straightforwardly, the d positive items can still The latest results due to the near linear algorithmbe correctly identified, in the presence of at most z À 1 test proposed recently by Kaplan et al. [25], which investigateserrors. In the literature, numerous deterministic designs for the medial axis and voronoi diagram of the given polygon,ðd; zÞ-disjunct matrix have been provided (summarized in and provides the optimal solution using Oð\$ þ ðlog \$ þ[1]), however, these constructions often suffer from high- log6 ÞÞ time and Oð\$ þ log log Þ space, where the numbercomputational complexity, thus are not efficient for of edges of the polygon is \$ and nodes within it as . Wepractical use and distributed implementation. On the other employ this algorithm to estimate the jamming range R.hand, to our best knowledge, the only randomizedconstruction for ðd; zÞ-disjunct matrix dues to Cheng’s work 3.3 Clique-Independent Setvia q-nary matrix [19], which results in a ðd; zÞ-disjunct Cliques-Independent Set is the problem to find a set ofmatrix of size t1 Â n with probability p0 , where t1 is maximum number of pairwise vertex-disjoint maximal cliques, which is referred to as a maximum clique-independent 2 2 2 2 2n À 1 set (MCIS) [4]. Since this problem serves as the abstracted 4:28d log þ 4:28d log n þ 9:84dz þ 3:92z ln ; 1 À p0 1 À p0 model of the grouping phase of our identification, its hardnesswith time complexity Oðn log nÞ. Compared with this work, is of great interest in this scope. To our best knowledge, it has 2we advance a classic randomized construction for d- already been proved to be NP-hard for cocomparability,disjunct matrix, namely, random incidence construction planar, line, and total graphs; however, its hardness on UDG[1], [2], to generate ðd; zÞ-disjunct matrix which can not only is still open. We propose its NP-complete proof in thegenerate comparably smaller t Â n matrix, but also handle Appendix, available in the online supplemental material.the case where z is not known beforehand, instead, only the There have been numerous polynomial exact algorithmserror probability of each test is bounded by some constant for solving this problem on graphs with specific topology,. Although z can be quite loosely upper bounded by t, yet e.g., Helly circular-arc graph and strongly chordal grapht is not an input. The motivation of this construction lies in [4], but none of these algorithms gives the solution on UDG.the real test scenarios, the error probability of each test is In this paper, we employ the scanning disk approach in [3] tounknown and asymmetric, hence it is impossible to find all maximal cliques on UDG, and then find all theevaluate z before knowing the number of pools. MCIS using a greedy algorithm.
7. 7. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 799Fig. 6. Clique C1 ¼ V1 V2 V3 V4 is chosen by CIS, but its concentric circleCC 0 covers boundary node V0 , then clique C2 ¼ V4 V5 V6 V7 replaces C1 in Fig. 7. Maximum # interfering cliques.the testing team for the first round. Clique V1 V2 V3 are left for the nextround. by and from C1 is r R distance away, whose jammingjammed area should be at most 2R far from each other, i.e., range can only reach another R distance further, which isif we induce a new graph G0 ¼ ðV 0 ; E 0 Þ with all these victim thus away from C2 . Therefore, the cliques in the obtainednodes as the vertex set V 0 and E 0 ¼ fðu; vÞjðu; vÞ 2Rg, the CIS of this kind are selected as testing teams. While thenodes jammed by the same jammer should form a clique. others are left for the next time slot.The maximum number of vertex-disjoint maximal cliques In addition, in the worst case, any single maximal clique(i.e., clique-independent set) of this kind provides an upper C has at most 12 interfering cliques in the CIS, as thebound of possible jammers within the estimated jammed shadowed ones in Fig. 7. Therefore, at most 13 testing teamsarea, where each maximal clique is likely to correspond to are required to cover all these cliques. If the number ofthe nodes jammed by the same jammer. channels k given is larger than 13, then a frequency-division The solution consists of three steps: CIS discovery on the is available, i.e., these interfering cliques can still becomeinduced graph from the remaining victim without test simultaneous testing teams, on the condition each team can kschedules, boundary-based local refinement and interfer- only use minfd13e; mg of the given channels, where m is theence-free team detection. We iterate three steps to decide number of radios per sensor. Otherwise, we have to use timethe schedule for every victim node. divisions, i.e., they have to be tested in different time slots. CIS discovery. We first employ Gupta’s MCE algorithm 4.3.2 Estimation of Trigger Upper Bound[3] to find all the maximal cliques, then use a greedyalgorithm, as shown in Algorithm 1 to get the CIS. Before bounding the trigger quantity from above, the triggering range r should be estimated. As mentioned in http://ieeexploreprojects.blogspot.comAlgorithm 1. CIS discovery. the attacker model, r depends not only on the power of both sensors and jammers, but also the jamming threshold and path-loss factor 1 Pn Á r! ; Ps Á Y since the real time Pn and Ps are not given, we estimate r based on the SNR cutoff 0 of the network setting. In fact, the transmission range of each sensor rs is a maximum radius to guarantee Local refinement. Each clique we select is expected to Pa Ps Á Y SNR ¼ ¼ ! 0 :represent the jammed area poisoned by the same jammer, P n Pn Á rsand this area should not cover the boundary nodes. Therefore, we can estimate r asHowever, we did not take this into account when discover-ing the CIS, and need to locally update it. Specially, for each 1 clique, we find its circumscribed circle CC and the r % rs 0 ; concentric circle CC 0 with radius R of CC. In the case thatCC 0 covers any boundary nodes, we locally select another where 0 and are parts of the network input, while isclique by adding/removing nodes from this clique, to see if assumed as a constant, which indicates the aggressivenessthe problem can be solve. If not, we keep this clique as it is, of the jammer. For this estimation, can be first set as 10 db,otherwise, we update it. This is illustrated in Fig. 6. which is the normally lower bound of SNR in wireless Team detection. The cliques in CIS can also interfere transmission, and then adaptively adjusted to polish theeach other, e.g., the clique V1 V2 V3 V4 and V5 V7 V8 V9 in Fig. 5. service quality.This is because the signals from V4 will wake J2 , who will With estimated r, since all the trigger nodes in the sametry to block these signals with noises and affect V5 by the team should be within a 2r distance from each other, byway. But if any two cliques C1 and C2 are not connected by finding another induced graph G00 ¼ ðWi ; E 00 Þ from the victimany single edge, then they are straightforwardly inter- nodes Wi in team i, with E 00 ¼ fðu; vÞ 2 E 00 if ðu; vÞ 2rg,ference free, since the shortest distance between any node in the size of the maximal clique indicates the upper bound ofC1 and C2 is larger than 2R. But the farthest jammer waken the trigger nodes, thus can be an estimate over d.
8. 8. 800 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 The testing delay Tt depends on the number of testing rounds and the length of each round. Since the reactive jamming signal disappears as soon as these sensed 1-hop transmission finishes, each round length is then Oð1Þ. The number of testing rounds is however complicated and bounded by Theorem 4.1. Lemma 4.1. Based on the ETG algorithm, the number of tests to identify d trigger nodes from jW j victim nodes is upper bounded by tðjW j; dÞ ¼ Oðd2 dln jW jeÞ w.h.p. iFig. 8. Maximum # jammers invoked by one team. Theorem 4.1 (Main). The total number of testing rounds is As mentioned above, all the parallel testing teams selected upper bounded byare interference free; therefore, we roughly regard each team to be the jammed area of one jammer. As a deeper Q 13 minfd2 dln jWi je; jWi jg i O max ;investigation, the number of jammers that can be invoked i¼1 mby the nodes in the same team (six 3-clique within the red P w.h.p, with di ¼ minf 6 jcs ðGi Þj; jWi jg and cs ðGi Þ is the s¼1circles) can be up to 6, since the minimum distance between sth largest clique over an induced unit disk subgraph Gi ¼two jammers is greater than R and r R, as shown in Fig. 8. ðWi ; Ei ; 2rÞ in the testing team i.Therefore on the induced graph, the largest 6 cliques form the d2 dln jW jepossible trigger set. However, since the jammer distribution Proof. First, from Lemma 4.1, at most tðjW j;dÞ ¼ i m mcannot be that dense for the sake of energy conserving, the testing rounds are needed to identify all nodes in testingformer estimate over d is large enough. team i. Second, the set of testing teams that can be tested in parallel is 13, as mentioned earlier. Combining with the4.4 Analysis of Time and Message Complexity worst case upper bound of triggers in each team, theTime complexity. By time complexity we mean the upper bound on round is derived. t uidentification delay counted since the attack happens tillall the nodes successfully identify themselves as trigger ornontrigger. Therefore, the complexity break downs into If the jamming range R is assumed known beforehand,four parts: similar to [7], the whole time complexity is thus http://ieeexploreprojects.blogspot.com 13d2 dln jWi je; jWi j 1. the detection of jamming signals at local links Td ; Q i O max ; 2. the routing of sensor report to the base station from i¼1 m each sensor node, and the testing schedule to each and asymptotically bounded by Oðn2 log nÞ. It is asympto- victim node from the base station, aggregated as Tr ; 3. the calculation of CIS and R at the base station Tc ; tically smaller than that of [7] 4. the testing at each jammed area Tt . ÁðHÞ ’! X d2 log2 jWj j j 2 The local jamming signal detection involves the statis- O max ð2 þ oð1ÞÞ 2 ; m ;tical properties of PDR, RSS, and SNR, which is orthogonal i¼1 j log2 ðdj log2 jWj jÞto our work. We regard Td as Oð1Þ since it is an entirely local where ÁðHÞ refers to the maximum degree of the inducedoperation and independent with the network scale. The routing time overhead is quite complicated, since graph H (in this new solution, maximum degree is notcongestions need to be considered. For simplicity, we involved). By taking the calculation overhead for R intoconsider that all the 1-hop transmission takes Oð1Þ time account, the overall time complexity is asymptotically 2 6 6and bound Tr using the diameter D of the graph. As Oðn log n þ n log nÞ, which is Oðn log nÞ for n ! 4.mentioned earlier, the base station waits at most Oð2DÞ for Message complexity. On the one hand, the broadcastingthe reports, so that is the upper bound of the one-way of testing schedule Z from the base station to all the victimrouting. As to the other way, we also bound it using Oð2DÞ nodes costs OðnÞ messages in the worst case. On the otherto match any collision and retransmission cases. hand, the overhead of routing reports toward the base The calculation of CIS resorts to the algorithm in [3], which station depends on the routing scheme used and thefinds OðlÁÞ maximal cliques on UDG within OðlÁ2 Þ time, network topology as well as capacity. The upper bound iswhere l ¼ jEj and Á refers to the maximum degree. We used straightforward obtained in a line graph with the basea greedy algorithm to find a MCIS from these OðlÁÞ cliques station at one end, whose message complexity is OðnðnÀ1ÞÞ.with Oðl3 Á3 QÞ time: OðlÁÞ-time for each clique to check 2 With regard to the message overhead of the testingthe overlapping with other cliques, OðlÁÞ-time to find a process. Considering that there are approximately jWi j victimclique overlapping with minimum other cliques, and Q dþ1denotes the number of testing teams. Notice that in practice, nodes in each testing group of team Wi (mentioned in thesensor networks are not quite dense, so the number of edges l construction of randomized ðd; zÞ-disjunct matrix in Appen-and maximum degree Á are actually limited to small values. dix, available in the online supplemental material), the jWi jOn the other hand, the time complexity of estimating R is up overhead of each testing group in a testing round is dþ1 1-hopto OðnÁ þ nðlog nÁ þ log6 nÞ using the minimum disk cover testing message broadcasted by all victim nodes in each group 2 2algorithm as mentioned. of team Wi . Therefore, the overhead message complexity is
9. 9. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 801 d x TABLE 2 Pr½uðiÞ ¼ x ¼ p ð1 À pÞdÀx : ð1Þ x Notations For each test i, the event that it contains at least one trigger but returns a negative result, has a probability at most Pr½gðiÞ ¼ 0 uðiÞ ! 1 ð2Þ Xd d x ¼ ð1 À Þx p ð1 À pÞdÀx ð3Þ ! x¼1 x X Q Q O n2 þ jWi j maxfdi dln jWi je; jWi jgm ; i¼1 i¼1 ¼ ½ð1 À Þp þ 1 À pd À ð1 À pÞd ð4Þwhich is Oðn2 log nÞ. ¼ ð1 À pÞd À ð1 À pÞd ð1 À Þp: ð5Þ5 ADVANCED SOLUTIONS TOWARD SOPHISTICATED Meanwhile, the event that it contains no trigger nodes but ATTACK MODELS returns a positive result, has a probabilityIn this section, we consider two sophisticated attacker Pr½gðiÞ ¼ 1 uðiÞ ¼ 0 ¼ 0: ð6Þmodels: probabilistic attack and variant response time delay, Since in practical ! 1 , we therefore have the expectedwhere the jammers rely each sensed transmission with 2 number of false positive and negative tests is, respectively,different probabilities, instead of deterministically, or delay at most pt=2 and 0.the jamming signals with a random time interval, instead Instead of the jamming behavior, the jamming signalof immediately. This may mismatch with the original detection errors can be analyzed using the same method.definition of reactive jamming, which targets at transmis- Given that each node detects possible jamming signalssion signals, instead of nodes or channels. However, clever successfully with probability q, then following (1), we canjammers can possibly change their strategies to evade similarly have the false negative rate of each test ipossible sensed detections. Also, a common sense indicatesthat as long as an activity is sensed by the jammer, it is Pr½gðiÞ ¼ 0 uðiÞ ! 1 ð7Þquite possible that some other activities are following this.So delaying the response time still http://ieeexploreprojects.blogspot.com guarantees the attack Xd d xefficiency, but minimize the risk of being caught by ¼ ð1 À qÞx p ð1 À pÞdÀx ð8Þ x¼1 xreactive detections. Since our scheme is robust and accurate in the steps ofgrouping, generating disjunct matrix and decoding the ¼ ½ð1 À qÞp þ 1 À pd À ð1 À pÞd ð9Þtesting results, the only possible test errors arise from thegeneration of testing outcomes. Nevertheless, by using ¼ ð1 À qpÞd À ð1 À pÞd ð1 À qÞp; ð10Þthe error-tolerant disjunct matrix and relaxing the identifi- 1cation procedures to asynchronous manner, our scheme which is also small considering p ¼ dþ1 .will provide small false rates in these cases. Some notations 5.1.2 Variant Reaction Timecan be found in Table 2. In this section, the terms test andgroup, the terms column and nodes are interchangeable. The introduction of group testing techniques aims to decrease the identification latency to the minimum, there-5.1 Upper Bound on the Expected Value of z fore, if the jammer would not respond intermediately afterFirst, we investigate the properties of both jamming sensing the ongoing transmissions, but instead wait for abehaviors and obtain the expected number of error tests randomized time delay, the test outcomes would be messed up. Since it is expensive to synchronize the tests amongin both cases through the following analysis. Since in sensors, we use a predefined testing length as L, thus thepractice, it is not trivial to establish accurate jamming test outcome of test i 2 ½1; t is generated within timemodels, we derive an upper bound of the error probability i i interval ½ðdme À 1ÞL; dmeL. There are two possible errorwhich does not require the beforehand knowledge of the events regarding any test i.objective jamming models, which is therefore feasible forreal-time identifications. Since it is a relaxed bound, it could . F pðiÞ: test i is negative, but some jamming signalsbe further strengthened via learning the jamming history. are delayed from previous tests and interfere this test, where we have a false positive event;5.1.1 Probabilistic Jamming Response (Detection) . F nðiÞ: test i is positive, but the jammer activated inA clever jammer can choose not to respond to some sensed this test delayed its jamming signals to someongoing transmissions, in order to evade the detection. subsequent tests, meanwhile, no delayed jammingAssume that each ongoing transmission has an independent signals from previous tests exists, where we have aprobability to be responded. In our construction algorithm false negative event.ETG, where each matrix entry is IID and has a probability p Since the jammers in this paper are assumed to blockto be 1, therefore for any single test i with i 2 ½1; t communications only on the channels where transmissions
10. 10. 802 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 pare sensed, for the following analysis, we claim that the ¼ þ 2ð1 À ð1 À pÞd Þð1 À pÞd 2interferences can only happen between any two tests i; j þ ð1 À ð1 À pÞd Þð1 À 2ð1 À ð1 À pÞd ÞÞwith i jðmod mÞ. Denote the delay of jamming signals asa random variable X ¼ fxð1Þ; xð2Þ; xð3Þ; . . . xðtÞg where xðiÞ ¼ ð10 À 8 2 À Àd À 1Þ=2;is the delay for possible jamming signals arisen from test i. where ¼ ðd=ðd þ 1ÞÞd . Intuitively, we can have an upper1) For event F pðiÞ, consider the test i À m, in order to have bound on the number of error tests as z ¼ t ¼its jamming signals delayed to test i, we have a bound on ð10 À 8 2 À Àd À 1Þ=2, and take it as an input to constructxði À mÞ 2 ð0; 2LÞ. Similarly, in order to have the signals of the ðd; zÞ-disjunct matrix. However, notice that z dependsany test j delayed to i, we have xðjÞ 2 ½ðiÀj À 1ÞL; ðiÀj þ 1ÞL. m m on t, i.e., the number of rows of the constructed matrix, weFurther the probability density function of X is PðiÞ ¼ therefore derive another bound of t related to , as shownPr½X ¼ xðiÞ. Consider all the tests prior to i, which are in the Appendix, available in the online supplementali mod m; 1 þ i mod m; . . . ; i À m, we have the probability material.for F pðiÞ 5.2 Error-Tolerant Asynchronous Testing within Z ðiÀjþ1ÞL Each Testing Team X iÀm m ð1 À pÞd PðwÞdwð1 À ð1 À pÞd Þ: ð11Þ By applying the derived worst cast number of error tests j¼i mod m ðiÀjÀ1ÞL m into the ETG construction, we can obtain the following algorithm where tests are conducted in an asynchronousTo simplify this expression, we assume that X=L follows a manner to enhance the efficiency.uniform distribution within the range ½0;
11. 11.  with a small
12. 12. , As shown in Algorithm 2, after all the groups arewhich is reasonable and efficient for attackers in practice. decided, conduct group testing on them in m pipelines,Since the nature of jamming attacks lies in adapting the where in each pipeline any detected jamming signals willattack frequency due to the sensed transmissions, too large end the current test and trigger the next tests while groupsdelay does not make sense to tackle the ongoing transmis- receiving no jamming signals will be required to resendsions. Under a uniform distribution, the probability of F pðiÞ triggering messages and wait till the predefined round timebecomes has passed. These changes over the original algorithm, especially the asynchronous testing are located in each 2X iÀm ð1 À ð1 À pÞd Þð1 À pÞd testing team, thus will not introduce significant overheads, j¼max i mod m;iÀmÀ
13. 13. À1
14. 14. however, the resulted error rates are quite low. http://ieeexploreprojects.blogspot.com d d i 2 Algorithm 2. Asynchronous Testing. ¼ ð1 À ð1 À pÞ Þð1 À pÞ À1 : m
15. 15. Therefore, the expected number of false positive tests is atmost Xt 2 Tþ ð1 À ð1 À pÞd Þð1 À pÞd ð
16. 16. Þ i¼1
17. 17. X t 2 ð1 À ð1 À pÞd Þð1 À pÞd i¼1 2ð1 À ð1 À pÞd Þð1 À pÞd t: 2) For event F nðiÞ, following the similar arguments above,we have an upper bound of the probability for F nðiÞ (assumethat any delays larger than l at test i will interfere the tests jfollowing i where j 2 ½maxði mod m; i À m À
18. 18. À 1Þ; i À m): Z þ1 d ð1 À ð1 À pÞ Þ PðwÞdw l ! X Z ð m þ1ÞL iÀj d Á 1À PðwÞdwð1 À ð1 À pÞ Þ j ðiÀjÀ1ÞL m ð1 À ð1 À pÞd Þð1 À 2ð1 À ð1 À pÞd ÞÞð
19. 19. À lÞ=
20. 20. ð1 À ð1 À pÞd Þð1 À 2ð1 À ð1 À pÞd ÞÞ: 6 EXPERIMENTAL EVALUATION 6.1 OverviewSo the expected number of false negative tests is at most As a lightweight distribute trigger-identification service, our TÀ ð1 À ð1 À pÞd Þð1 À 2ð1 À ð1 À pÞd ÞÞt: ð12Þ solution will be experimentally evaluated from four facets:Therefore, we could use a union bound and obtain a worst . in order to show the benefit of this service, wecase error rate of each test compare it with JAM [11] in terms of the end-to-end
21. 21. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 803Fig. 9. Benefits for routing. delay and delivery ratio of the detour routes from three parameters J 2 ½1; 20, R 2 ½100; 200, r 2 ½50; 150 are the base station to all the sensor nodes, as the included in Figs. 9a, 9b, and 9c, respectively. Notice that for number of sensors n, sensor range rs , and number of each experiments, the other two parameters are set as the jammers J vary within practical intervals. median value of their corresponding intervals. Therefore, . in order to show the acceleration effect of the clique- R ¼ 150 for Fig. 9c, which matches the extreme case R ¼ r. independent set in this solution, we compare the Furthermore, for the nodes that are in jammed areas for complexity of this solution to our previous centra- JAM and that are triggers for our method, in another word, lized one [7], with varying the above four para- unable to deliver packets to or from the base station, we meters, where both jamming and triggering range R count the delay as n þ 1, which is an upper bound of the and r are assumed to be known beforehand. route length. . in order to show the accuracy of estimating the As shown in Figs. 9a and 9b, when j and R increases, jamming range by using the polygon disk cover the routing delay goes up, which is quite reasonable since algorithm, we provide the estimated jamming the jamming areas get larger and more detours have to be ranges as well as the error rate to the actual values. taken. The length of routes based on JAM quickly climbs up . in order to show its performance and robustness to the upper bound, while that of our trigger method is toward tricky attackers, we assess its false positive/ much lower and more stable (less than 900 seconds). When negative rate and the estimation of R, for those two triggering range r is small, as in Fig. 9c, the end-to-end http://ieeexploreprojects.blogspot.com advanced jammer models. delay of Trigger-based routing is much smaller than theThe simulation is developed using C++ on a Linux Work- other, while as r increases the two approaches each other,station with 8 GB RAM. A 1;000 Â 1;000 square sensor field since more victim nodes are triggers.is created with uniformly distributed n sensor nodes, one 6.3 Improvements on Time Complexitybase station and J randomly distributed jammer nodes. Allthe simulation results are derived by averaging 20 random In our previous work [7], we proposed a preliminary idea ofinstances. this trigger detection, and provided a disk-based solution. However, its high time complexity limits its usage in real-6.2 Benefits for Jamming-Resistent Routing time networks. As mentioned above, the time complexity ofJAM [11] proposed a jamming-resistent routing scheme, our new clique-based detection is proved to be asympto-where all the detected jammed areas will be evaded and tically lower than the previous, while the message complex-packets will not pass through the jammed nodes. This ities are approaching each other.method is dedicated for proactive jamming attacks, which Although the computational overhead for estimating R issacrifices significant packet delivery ratio due to the asymptotically huge, the phase is not the key part of ourunnecessarily long routes selected, though the effects of scheme, and can be easily improved by machine learningjamming signals are avoided. We compare the end-to-end techniques. Therefore, in this section, we assume that bothdelay between each sensor node and the base station, of the R and r are known beforehand, and validate the theoreticalselected routes by evading the jammed areas detected by results through simulations on network instances withJAM, with that of the ones evading only trigger nodes. various settings. Specifically, the network size n rangingAlthough there are many existing routing protocols for from 450 to 550 with step 2, transmission rs from 50 to 60unreliable network environments, the aim of this experi- with step 0.2, and number of jammers J from 3 to 10 withment is to show the potential of this service to various step 1. Parameter values lower than these intervals wouldapplications, instead of being a dedicated routing protocol. make the sensor network less connected and jamming Three key parameters for routing could be the number of attack less severe, while higher values would lead toJammers J, jamming range R, jamming threshold . As impractical dense scenarios and unnecessary energy waste.mentioned earlier, indicates the aggressiveness of the Since the length of each reactive attack is equal to the 1 attacker and the triggering range r % rs ð0 Þ . Therefore, with transmission delay of the object sensor signal, note that inrs , 0 and as fixed network inputs, the effect of can be our trigger detection, only one message is broadcast byexactly indicated by studying the effect of r instead. each sensor in the testing groups. Therefore, it is reasonable The whole network has n ¼ 1;500 nodes and sensor to predefine the length of each testing round as a constant.transmission range rs ¼ 50. The results with respect to the We set this as 1 second, which is far more enough for any
22. 22. 804 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012Fig. 10. Time and message complexity.single packet to be transmitted from one node to its the accuracy of this estimation. As shown in Fig. 11, weneighboring nodes. Henceforth, the time cost shown in investigate the error rate ÁR for R ¼ ½50; 100 when thereSection 6.3 only indicates the number of necessary rounds are, respectively, J ¼ 5; 10; 15 jammers.to find out all the triggers, and can be further reduced. The Two observations are straightforward from these results:message complexity is measured via the average message 1) all the estimated values are above the actual ones,cost on each sensor node. http://ieeexploreprojects.blogspot.com percent difference. This meets our however, less than 10 As shown in Figs. 10a and 10b, this clique-based scheme requirement for a tight upper bound of R. 2) the error ratescompletes the identification with steadily less than 10 sec- in case of fewer jammers are lower than those with moreonds, compared to the increasing time overhead with more jammers. This is because the jammer areas can have largerthan 15 seconds of the disk-based solution, as the network overlaps, which introduces estimate inaccuracies.grows denser with more sensor nodes. Meanwhile, itsamortized communication overheads are only slightly 6.5 Robustness to Various Jammer Modelshigher than that of the other solution, whereas both are In order to show the precision of our proposed solutionbelow 10 messages per victim node. Therefore, the new under different jamming environments, we vary the twoscheme is even more efficient and robust to large-scale parameters of the jammer behaviors above: Jammer Responsenetwork scenarios. Probability and Testing Round Length/Maximum Jamming With the sensor transmission radius growing up, the Delay L=X and illustrate the resulted false rates in Figs. 12atime complexity of the disk-based solution gradually and 12b. To simulate the most dangerous case, we assume aascends (Figs. 10d and 10c) due to the increased maximum hybrid behavior for all the jammers, for example, thedegree ÁðHÞ mentioned in the above analysis. Compara-tively, the time cost of clique-based solution remains below jammers in the simulation of Fig. 12a not only launch10 seconds, while the two message complexities are similar. the jamming signals probabilistically, but also delay the Since sensor nodes are uniformly distributed, the more jamming messages with a random period of time up to 2L.jammer nodes placed in the networks, the more victim On the other hand, the jammers in the simulation of Fig. 12bnodes are expected to be tested, the identification complex-ity will therewith raises, as the performance of disk-basedscheme shows in Figs. 10f and 10e. Encouragingly, theproposed scheme can still finish the identification promptlywith less than 10 seconds, which grows up much slowerthan the other. It has slightly more communication over-heads (10 messages per victim nodes) but is still affordableto power-limited sensor nodes.6.4 Accuracy in Estimating Jammer PropertiesThough the estimate of jamming range R is only to providean upper bound for R, such that the testing teams obtainedaccordingly are interference free, we are also interested in Fig. 11. Estimation error of R.
23. 23. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 805 other hand, mitigation schemes which benefit from channel surfing [13], frequency hopping and spatial retreats [12], reactively help legitimate nodes escape from the jammed area or frequency. Unfortunately, being lack of preknow- ledge over possible positions of hidden reactive jammer nodes, legitimate nodes cannot efficiently evade jamming signals, especially in dense sensor network when multiple mobile nodes can easily activate reactive jammer nodes and cause the interference. For the sake of overcoming these limitations above, in [7] we studied on the problem ofFig. 12. Solution robustness. identification trigger nodes with a short period of time, whose results can be employed by jamming-resistentrespond each sensed transmission with probability 0.5 as routing schemes, to avoid the transmissions of these triggerwell. All the simulation results are derived by averaging 10 nodes and deactivate the reactive jammer nodes. In thisinstances for each parameter team. paper, we complete this trigger identification procedure as As shown in both figures, we consider the extreme cases a lightweight service, which is prompt and reliable towhere jammers respond transmission signals with a prob- various network scenarios.ability as small as 0.1, or delay the signals to up to 10 testingrounds later. This actually contradicts with the nature ofreactive jamming attacks, which aim at disrupting the 8 DISCUSSION AND CONCLUSIONSnetwork communication as soon as any legitimate transmis- One leftover problem to this service framework is thesion starts. The motivation of such parameter setting is to jammer mobility. Although the identification latency hasshow the robustness of this scheme even if the attackers been shown small, it would not be efficient toward jammerssense the detection and intentionally slow down the attacks. that are moving at a high speed. This would become anThe overall false rates are below 20 percent. interesting direction of this research. In Fig. 12a, when 1=2 which corresponds to practical Another leftover problem is the application of this service.cases, we find that the false negative rates generally decrease Jamming-resistent routing and jammer localizations arefrom 10 to 5 percent as increases. Meanwhile the false both quite promising, yet the service overhead has to bepositive rate grows gently, but is still below 14 percent, this is further reduced to for real-time requirements.because as more and more jamming signals are sent, due to http://ieeexploreprojects.blogspot.comorder to provide an efficient trigger- As a summary, intheir randomized time delays, more and more following tests identification service framework, we leverage severalwill be influenced and become false positive. In Fig. 12b, optimization problem models and provide correspondingconsidering the practical cases where L=X 1=2, both rates algorithms to them, which includes the clique-independentare going down from around 10 to 1 percent, since the problem, randomized error-tolerant group testing, andmaximum jamming delay becomes shorter and shorter minimum disk cover for simple polygon. The efficiency ofcompared to the testing round length L, as the number of this framework is proved through both theoreticallyinterferences between consecutive tests decreases. analysis toward various sophisticated attack models and simulations under different network settings. With abun-7 RELATED WORKS dant possible applications, this framework exhibits huge potentials and deserves further studies.Existing countermeasures against jamming attacks in WSNcan be categorized into two facets: signal detection andmitigation, both of which have been well studied and ACKNOWLEDGMENTSdeveloped with various defense schemes. On the one hand, This work was partially supported by US National Sciencea majority of detection methods focus on analyzing specific Foundation Career Award # 0953284 and DTRA, Youngobject values to discover abnormal events, e.g., Xu et al. [16] Investigator Award, Basic Research Program # HDTRA1-studied a multimodel (PDR, RSS) to consistently monitor 09-1-0061 and DTRA # HDTRA1-08-10.jamming signals. Work based on similar ideas [17], [15], [14]improved the detection accuracy by investigating sophisti-cated decision criteria and thresholds. However, reactive REFERENCESjamming attacks, where the jammer node are not continu- [1] D.Z. Du and F. Hwang, Pooling Designs: Group Testing in Molecularously active and thus unnecessary to cause huge deviations Biology. World Scientific, 2006. [2] M. Goodrich, M. Atallah, and R. Tamassia, “Indexing Informationof these variables from normal legitimate profiles, cannot be for Data Forensics,” Proc. Third Applied Cryptography and Networkefficiently tackled by these methods. In addition, some Security Conf. (ACNS), 2005.recent works proposed methods for detecting jammed areas [3] R. Gupta, J. Walrand, and O. Goldschmidt, “Maximal Cliques in Unit Disk Graphs: Polynomial Approximation,” Proc. Int’l Network[11] and directing normal communications bypass possible Optimization Conf. (INOC), 2005.jammed area using wormhole [18]. These solutions can [4] V. Guruswami and C.P. Rangan, “Algorithmic Aspects of Clique-effectively mitigate jamming attacks, but their performances Transversal and Clique-Independent Sets,” Discrete Applied Math.,rely on the accuracy of detection on jammed areas, i.e., the vol. 100, pp. 183-202, 2000. [5] W. Hang, W. Zanji, and G. Jingbo, “Performance of DSSS Againsttransmission overhead would be unnecessarily brought up Repeater Jamming,” Proc. IEEE 13th Int’l Conf. Electronics, Circuitsif the jammed area is much larger than its actual size. On the and Systems (ICECS), 2006.