2. ABSTRACT
‣ How a jammer attacks wireless networks.
‣ How to avoid jamming to achieve efficient communication. We investigate three different aspects
of wireless network jamming:
1) types of existing jammers,
2) protocols for localizing jammers,
3) jamming detection and countermeasures.
▸ Different perspectives of jamming:
First, from the perspective of an attacker, different types of jammers and their optimal
placements are discussed.
Second, from the security point of view, we analyze existing anti-jamming techniques in detail
and classify them into different categories.
Third, we elaborate on key issues of existing countermeasures of jamming attacks and point out
3. DEFINITION..
Jamming in wireless networks is defined as the disruption of existing wireless
communications by decreasing the signal-to-noise ratio at receiver sides through
the transmission of interfering wireless signals.
Jamming makes use of intentional radio interferences to harm wireless
communications by keeping communicating medium busy, causing a transmitter to
back-off whenever it senses busy wireless medium, or corrupted signal received at
receivers.
Jamming mostly targets attacks at the physical layer but sometimes cross-layer
attacks are possible too.
4. TYPES OF JAMMERS..
Elementary jammers are divided into two sub-groups: proactive and reactive.
The advanced ones are also classified into two sub-types: function-specific and smart-hybrid.
5. PRO-ACTIVE JAMMERS..
A proactive jammer transmits jamming (interfering) signals whether or not there is data communication in
a network. It sends packets or random bits on the channel it is operating on, putting all the other nodes
on that channel in non-operating modes. However, it does not switch channels and operates on only one
channel until its energy is exhausted.
Types of pro-active jammers:
Constant.
Deceptive.
Random.
6. CONSTANT JAMMER(PAJ)
A constant jammer emits continuous, random bits without following the CSMA protocol.
A constant jammer prevents legitimate nodes from communicating with each other by
causing the wireless media to be constantly busy.
This type of attack is energy inefficient and easy to detect but is very easy to launch.
It can damage network communications to the point that no one can communicate at any time.
7. DECEPTIVE JAMMER(PAJ)
A deceptive jammer continuously transmits regular packets instead of emitting random bits.
It deceives other nodes into believing that a legitimate transmission is taking place so that they
remain in receiving states until the jammer is turned off or dies.
Compared to a constant jammer, it is more difficult to detect a deceptive jammer because it
transmits legitimate packets instead of random bits.
Similar to the constant jammer, deceptive jammer is also energy inefficient due to the
continuous transmission but is very easily implemented.
8. RANDOM JAMMER(PAJ)
A random jammer intermittently transmits either random bits or regular packets into networks.
Contrary to the above two jammers, it aims at saving energy. It continuously switches between
two states: sleep phase and jamming phase. It sleeps for a certain period of time and then
becomes active for jamming before returning to a sleep state. The sleeping and jamming
time periods are either fixed or random.
There is a tradeoff between jamming effectiveness and energy saving because it cannot jam
during its sleeping period. The ratios between sleeping and jamming time can be manipulated to
adjust this tradeoff between efficiency and effectiveness.
9. REACTIVE JAMMER..
A reactive jammer starts jamming only when it observes network activity on a certain
channel. As a result, a reactive jammer targets the reception of a message. It
can disrupt both small and large sized packets.
Since it has to constantly monitor the network, reactive jammer is less energy efficient than
random jammer. However, it is much more difficult to detect a reactive jammer than a proactive
jammer because the packet delivery ratio (PDR) cannot be determined accurately in practice.
10. TYPES OF REACTIVE JAMMERS..
Reactive RTS/CTS jammer jams the network when it senses a request-to-send (RTS) message is
being transmitted from a sender. It starts jamming the channel as soon as the RTS is sent. In this way,
the receiver will not send back clear-to-send (CTS) reply because the RTS packet sent from a sender
is distorted. Then, the sender will not send data because it believes the receiver is busy with another
on-going transmission. Alternatively, the jammer can wait for the RTS to be received and jam
when the CTS is sent by the receiver. That will also result in the sender not sending data and the
receiver always waiting for the data packet.
11. DATA/ACK REACTIVE JAMMER..
Data/ACK jammer jams the network by corrupting the transmissions of data or
acknowledgement (ACK) packets. It does not react until a data transmission starts at the
transmitter end. This type of jammer can corrupt data packets, or it waits until the data packets
reach the receiver and then corrupts the ACK packets. The corruptions of both data packets and
ACK messages will lead to re-transmissions at the sender end.
In the first case, because the data packets are not received correctly at the receiver, they have to
be re-transmitted. In the second case, since the sender does not receive the ACKs, it believes
something is wrong at the receiver side, e.g. buffer overflow. Therefore, it will retransmit the
data packets. Reactive
13. FUNCTION SPECIFIC JAMMERS..
Function-specific jamming is implemented by having a pre-determined function.
In addition to being either proactive or reactive, they can either work on a single channel to
conserve energy or jam multiple channels and maximize the jamming throughput irrespective of the
energy usage.
Even when the jammer is jamming a single channel at a time, they are not fixed to that channel and
can change their channels according to their specific functionality.
Types of function specific jammers:
Follow-on jammers
Channel-hopping jammer
Pulsed-noise jammer.
14. FOLLOW-ON JAMMER..
Follow-on jammer hops over all available channels very frequently (thousand times per second) and
jams each channel for a short period of time.
If a transmitter detects the jamming and switches its channel, the follow-on jammer will scan the entire
band and search for a new frequency to jam again. Or, it may follow a pseudo-random frequency
hopping sequence.
This type of jammer conserves power by limiting its attack to a single channel before hopping to
another.
Due to its high frequency hopping rate, the follow-on jammer is particularly effective against some
anti-jamming techniques, e.g. frequency hopping spread spectrum (FHSS) which uses a slow-hopping
rate.
15. PULSED-NOISE JAMMER..
Channel-hopping jammer hops between different channels proactively. This type of jammer has direct
access to channels by overriding the CSMA algorithm provided by the MAC layer. Moreover, it can jam
multiple channels at the same time. During its discovery and vertex-coloring phases, the jammer is quiet
and is invisible to its neighbors. Then, it starts performing attacks on different channels at different times
according to a predetermined pseudo-random sequence.
16. SMART-HYBRID JAMMERS..
We call them smart because of their power efficient and effective jamming nature.
The main aim of these jammers is to magnify their jamming effect in the network they intend to jam.
Moreover, they also take care of themselves by conserving their energy. They place sufficient energy
in the right place so as to hinder the communication bandwidth for the entire network or a major part
of the network, in very large networks.
Each jammer of this type can be implemented as both proactive and reactive, hence hybrid.
Types of Hybrid jammers:
Control channel.
Implicit jammer.
17. CONTROL CHANNEL
Control channel jammers work in multi-channel networks by targeting the control channel, or the
channel used to coordinate network activity.
A random jammer that targets the control channel could cause a severe degradation of network
performance, while a continuous jammer targeting the control channel might deny access to the
network altogether. These attacks are usually accomplished by compromising a node in the network.
Furthermore, future control channel locations can be obtained from the compromised nodes.
18. IMPLICIT JAMMER
Implicit jamming attacks are those that in addition to disabling the functionality of the intended target, cause d
19. FLOW-JAMMER
Flow-jamming attacks involve multiple jammers throughout the network that jam packets to reduce
traffic flow. These attacks are launched by using information from the network layer. This type of
jamming attack is well suited to resource-constrained attackers. If there is centralized control, then the
minimum power to jam a packet is computed and the jammer acts accordingly. In a non-centralized
jammer model, each jammer shares information with neighbour jammers to maximize efficiency.
21. PLACEMENT OF JAMMERS..
Placement of the jammer plays an important role in effective jamming. Jammers can be placed
randomly or can be placed based on a jamming technique which locates the best position to
accomplish the objective of jamming as many nodes as possible.
22. PROBABILITY IN JAMMING..
The jammers and transmitters/receivers are distributed in a given area. The expected values of
successful transmission are computed in terms of probabilities. If a particular area is jammed,
then the monitor node is expected to send the jamming notification out of the area (using
multi-hop transmission); this also suffers from the jamming in the area. Using a probability
distribution and a mathematical proof, the authors proved that the optimal strategy for the
attacker tends to be rather mild and long-term.
23. JAMMING RANGE..
‣ Jammers with transmission range half that of legitimate nodes can jam the network because
the interference range of wireless devices is twice the transmission range.
‣ The normal range jammers have the same transmission range as legitimate nodes; which
makes their interference range twice that of the transmission range. Similarly, the limited-
range jammers are formed with half the transmission range and hence, interference range
equal to the transmission range of the legitimate nodes.
‣ Limited-range jammers are difficult to detect because they decrease the metrics that are most
commonly used for detection.
24. NANO-SIZE JAMMERS..
This approach uses a large number of tiny, low-power jammers that are difficult to detect because
they are so small that they are not visible to the naked eye. These jammers are implemented
in the form of a network. With the total jamming power being constant, they achieve a phase
transition of jamming throughput.
The authors proved that their jammers are difficult to detect because of their low power, small size
and high effectiveness in their network formation.
25. PROTOCOLS FOR LOCALISING JAMMERS..
Localization approaches can be divided into two types: range-based and range-free.
Since it is not easy to locate a jammer, there is very little work in this area. Current techniques include:
Centroid-based localization approach.
Virtual-force iterative approach.
Geometry-covering based localization.
Light-weight localization.
26. CENTROID BASED SCHEME
Centroid-based localization schemes estimate the position of a jammer by averaging the
coordinates of the jammed nodes.
Assumption: Jamming has been detected, the affected nodes are marked as jammed nodes, and
these nodes have information about their coordinates.
The estimation is totally dependent on the position and number of jammed nodes. It will give very
good results for a uniformly distributed network, but seems inappropriate for uneven distribution
of nodes in a network.
27. VIRTUAL FORCE ITERATIVE APPROACH..
To handle networks with unevenly distributed nodes, this work builds upon the centroid scheme by
using a virtual-force iterative approach, which estimates the jammer’s location iteratively by
computing the push and pull virtual forces generated from the boundary nodes of a jammed
region and jammed nodes outside the jammed region respectively.
The model is stationary and requires nodes to know their own locations and those of their
neighbors. This work only deals with the location of jammers after jamming has been detected in
a network.
28. GEOMETRY COVERING LOCALISATION..
Unlike the centroid approach, geometry-covering based localization computes the convex hull
instead of the centroid and uses the computed geometry to get the estimated jammer location from
the convex hull.
Because the convex hull is the smallest convex polygon that contains every point,
this technique is used to approximate the location of the jammer with high accuracy. After
computing the convex hull of the jammed nodes, the smallest circle covering all jammed nodes is
calculated, with the center of the circle as the jammer’s location.
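The difference between the centroid scheme and the geometry-covering scheme on an unevenly distributed network, as an added example that is not part of the original slides. The node coordinates, the jammer position and all function names are constructed for illustration; the smallest circle is found by trying every pair and triple of hull vertices, which is one simple way to do it and not necessarily the method used in the cited work.

```python
import math
from itertools import combinations

def centroid(points):
    """Centroid-based estimate: mean of the jammed nodes' coordinates."""
    return (sum(p[0] for p in points) / len(points),
            sum(p[1] for p in points) / len(points))

def convex_hull(points):
    """Andrew's monotone chain; returns the hull vertices in order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])
    def half(seq):
        chain = []
        for p in seq:
            while len(chain) >= 2 and cross(chain[-2], chain[-1], p) <= 0:
                chain.pop()
            chain.append(p)
        return chain[:-1]
    return half(pts) + half(reversed(pts))

def circle_through(a, b, c=None):
    """Circle with diameter ab, or the circumcircle of a, b, c (None if collinear)."""
    if c is None:
        return ((a[0] + b[0]) / 2, (a[1] + b[1]) / 2), math.dist(a, b) / 2
    d = 2 * (a[0] * (b[1] - c[1]) + b[0] * (c[1] - a[1]) + c[0] * (a[1] - b[1]))
    if abs(d) < 1e-12:
        return None
    sa, sb, sc = (p[0] ** 2 + p[1] ** 2 for p in (a, b, c))
    ux = (sa * (b[1] - c[1]) + sb * (c[1] - a[1]) + sc * (a[1] - b[1])) / d
    uy = (sa * (c[0] - b[0]) + sb * (a[0] - c[0]) + sc * (b[0] - a[0])) / d
    return (ux, uy), math.dist((ux, uy), a)

def smallest_enclosing_circle(points):
    """Geometry-covering estimate: (center, radius) of the smallest covering circle."""
    hull = convex_hull(points)
    if not hull:
        raise ValueError("no jammed nodes reported")
    if len(hull) == 1:
        return hull[0], 0.0
    best = None
    # The minimal circle is fixed by 2 or 3 hull vertices, so try them all.
    for k in (2, 3):
        for combo in combinations(hull, k):
            circle = circle_through(*combo)
            if circle is None:
                continue
            center, radius = circle
            if all(math.dist(center, p) <= radius + 1e-9 for p in hull):
                if best is None or radius < best[1]:
                    best = circle
    return best

# Constructed sample: jammer at (50, 50); the jammed region holds a dense
# cluster of nodes on its west side and only three nodes elsewhere.
TRUE_JAMMER = (50, 50)
JAMMED_NODES = [(22, 50), (25, 45), (25, 55), (28, 40), (28, 60), (30, 50),
                (24, 52), (26, 48), (50, 79), (50, 21), (79, 50)]

def localization_errors(nodes=JAMMED_NODES, truth=TRUE_JAMMER):
    """Distance from the true jammer for (centroid, geometry-covering) estimates."""
    center, _ = smallest_enclosing_circle(nodes)
    return math.dist(centroid(nodes), truth), math.dist(center, truth)

if __name__ == "__main__":
    c_err, g_err = localization_errors()
    print(f"centroid error: {c_err:.2f}  geometry-covering error: {g_err:.2f}")
```

The dense western cluster pulls the centroid away from the jammer, while the covering circle depends only on the outermost jammed nodes.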
29. LIGHT WEIGHT JAMMER LOCALISATION..
It is a gradient-based scheme using the theory that as we move closer to the jammer, the
PDR becomes low. The PDR is the product of the probability of the sender sensing the
medium idle, the probability that the receiver will receive the packets sent to it and the
probability that the sender will receive the acknowledgment.
These probabilities are computed using the signal propagation model. This algorithm
computes the values independently by sending packets to its neighbors and obtaining
the PDR, so it is a good choice for dense as well as sparse environments.
31. Introduction
• Jamming – A harmful DoS Attack
• Countermeasure tailored on the basis of Jamming
type
• Classified on the basis of
• Form
• Metric
• Overhead
• Cost
• Difficulty in Implementation
• Validation Method
32. Contents
Elementary Jamming
1. Jammed-Area Mapping
2. Ant System
3. Hybrid System
4. Channel Surfing – Spatial
Retreat
5. PDR with Consistency Check
6. Fuzzy Interference System
7. Game Theoretic Modeling
8. Channel Hopping
9. Reactive Jamming detection
using BER
10. Trigger Node Identification
Advanced Jamming
1. Hermes Code (Hybrid DSSS,
FHSS)
2. Control Channel Attack
Prevention
3. MULEPRO
4. Cross-Layer Jamming
Detection and Mitigation
5. FIJI – Fighting Implicit Jamming
34. Jammed-Area Mapping
• Detection
• Time duration of 1-5 Seconds
• Node Utility < Threshold –
Jamming Detected
• Message sent to neighbor –
JAMMED/ UNJAMMED
• Countermeasure is undertaken
• Restoration
• If Jammer is removed,
UNJAMMED message is sent
• TEARDOWN message sent for
recovery
• Countermeasure
• Neighbor creates Group with
gid, Normalized Direction
Vector
• After Timer expiry, Node sends
BUILD message along with its
group id, direction vector list
• Coalescing Timer expires
• Compatible Groups are
coalesced together
• BUILD message results in
creation of recovered node
group
• New BUILD results in
coalescing with newer groups
35. Ant System
• Detection
• An agent, ANT traverses the
network iteratively in various
routes collecting information
• Resource availability
• Hops
• Energy
• Distance
• Packet loss
• Can detect Single-Tone,
Multiple-Tone, Pulsed-Noise
and ELINT jammers
• Transition Probabilities are
computed iteratively
• This probability is passed via a
threshold check – the result
determines if the network is
jammed or not.
• Genuine Acceptance Rate as
well as False Acceptance Rate
are high
• Countermeasure
• Upon detection, that node is
excluded from next iteration
• New Route explored
36. Hybrid System
• Combination of Base Station (BS) Replication, BS Evasion and
Multipath Routing between BS
• Replication
• Multiple Replica BS present.
• Unjammed BS serve network
• Evasion
• Spatial Retreat of BS if Jamming is detected
• Pre-defined Off-line Schedule to prevent Collision
• Multipath Routing
• Multiple Routes between Node and BS
• Assumption that at least 1 UNJAMMED path exists
• Better throughput on collective implementation
37. Channel Surfing & Spatial Retreat
• Channel Surfing
• Migration to Another Channel
upon detection
• If there are M Orthogonal
Channels, Channel is
computed using -
C(n + 1) = (C(n) + 1) % M
• Infrastructure-Based Network
• Checks if all registered clients are
on the new channel
• Broadcasts Channel Change
command if check fails
• Ad-hoc Network
• Dual-Radio usage
• Spatial Retreating
• Reconfiguration of Network
• Knowledge of each
communicating node’s
coordinates as well as
communication direction is
essential
• Infrastructure-Based Network
• Moving nodes establish
connection with new access
points
• Handoff Strategy is used
• Ad-hoc Network
• Infeasible due to Complexity
38. USING PDR WITH CONSISTENCY CHECK
• Packet Delivery Ratio(PDR),
Consistency check results in
False Positives if used
independently
• Computing Higher Order
Crossing helps in
differentiating between
Jammer Types
• Low PDR best measure but
needs Consistency check to
confirm
PDR<Threshold
• Low Signal Strength => Low
PDR, Vice Versa not always
true
• High Signal Strength, Low
PDR – Neighbor’s PDR are
checked
• 1 Neighbor has High PDR –
Detection Fails
• All neighbors have Low
PDR- Jamming Detected
• If no neighbors present,
Jamming effect is not
noticed
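The decision logic on this slide, run over constructed per-node measurement windows, as an added example that is not part of the original slides. The thresholds, the `LinkSample` record and the function names are assumptions made for illustration; the weak-signal node shows the false positive that a PDR-only test produces.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    NORMAL = "normal"
    POOR_LINK = "poor link (weak signal)"
    JAMMED = "jammed"
    NOT_NOTICED = "no neighbors, jamming not noticed"

@dataclass
class LinkSample:
    neighbor: str      # neighbor the packets were exchanged with
    sent: int          # packets sent in the observation window
    delivered: int     # packets that passed the integrity check
    rss_dbm: float     # mean received signal strength for the window

# Assumed thresholds for this example; real values need per-site calibration.
PDR_THRESHOLD = 0.65
RSS_THRESHOLD_DBM = -75.0

def pdr(sample):
    return sample.delivered / sample.sent

def usable(samples):
    # A link with nothing sent carries no evidence either way.
    return [s for s in samples if s.sent > 0]

def pdr_only(samples):
    """Naive detector: low PDR towards every neighbor means jammed."""
    links = usable(samples)
    if not links:
        return Verdict.NOT_NOTICED
    if all(pdr(s) < PDR_THRESHOLD for s in links):
        return Verdict.JAMMED
    return Verdict.NORMAL

def pdr_with_consistency(samples):
    """Low PDR is confirmed against signal strength and the neighbors' PDR."""
    links = usable(samples)
    if not links:
        return Verdict.NOT_NOTICED
    # One neighbor with a high PDR is enough to rule jamming out.
    if any(pdr(s) >= PDR_THRESHOLD for s in links):
        return Verdict.NORMAL
    # Every link has a low PDR: a weak signal explains it, a strong one does not.
    if max(s.rss_dbm for s in links) >= RSS_THRESHOLD_DBM:
        return Verdict.JAMMED
    return Verdict.POOR_LINK

# Constructed observation windows, one list of link samples per node.
WINDOWS = {
    "healthy":   [LinkSample("n1", 100, 97, -60.0), LinkSample("n2", 100, 95, -62.0)],
    "far-away":  [LinkSample("n3", 100, 20, -92.0), LinkSample("n4", 100, 31, -89.0)],
    "jammed":    [LinkSample("n5", 100, 4, -58.0), LinkSample("n6", 100, 0, -61.0)],
    "one-bad":   [LinkSample("n7", 100, 10, -60.0), LinkSample("n8", 100, 96, -63.0)],
    "isolated":  [],
}

def evaluate(windows=WINDOWS):
    """Return {node: (pdr_only verdict, consistency-checked verdict)}."""
    return {node: (pdr_only(s), pdr_with_consistency(s))
            for node, s in windows.items()}

if __name__ == "__main__":
    for node, (naive, checked) in evaluate().items():
        print(f"{node:9s} PDR only: {naive.value:8s} with check: {checked.value}")
```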
39. Fuzzy Interference System
• Centralized Detection
• Jamming Index computed
using Signal-to-Noise
Ratio (SNR) and Packets
Dropped per
Terminal (PDPT)
• An algorithm detects number of
packets received, packets
dropped and signal strength
for all the clusters consisting
of neighboring nodes
• Base station computes
SNR, PDPT
• Low SNR, irrespective of
PDPT, JAMMED is highly
likely
• Medium SNR, JAMMED
depends on PDPT
• High SNR, JAMMED is a
level lower than PDPT
• 3-step fuzzy interference
system with 2-means
clustering algorithm that
groups neighbors based on
JAMMED, UNJAMMED
40. Game Theoretic Modeling
• Clustering algorithm based
on retransmit RTS(Request
to Send), retransmit DATA,
carrier sensing failure count
and network allocator value.
• Requires 2 players, jammer
and monitor nodes. Jammer
tries to maximize DoS while
legitimate nodes try to
increase throughput
• Monitor nodes use cross
layer features for detection
of constant nodes
• For reactive nodes, average
retransmission rate of
RTS/Data Packet is used.
• Interval of Monitor nodes
can be periodic or
continuous
• Euclidean distance
determines proximity to
normal or anomalous cluster
• Tradeoff between detection
rate and duration to prevent
false positives and energy
conservation
41. Channel Hopping
• Proactive Hopping –
• Channel hopping after fixed time period
• Ignorant of JAMMED/UNJAMMED
• Complete spectrum jamming using multiple jammers on orthogonal
channels harms 2 adjacent channels as well
• Recommended only if number of orthogonal channels is large
• Reactive Hopping
• Upon detection of JAMMED, channel hopped
• If timeout, JAMMED is assumed, channel hopped
• Hopping Strategies
• Straightforward – Prediction by Jammer is easy
• Deceptive- While using variation is useful, once variation is detected,
deception fails
• Pseudo Random provides best result
42. Reactive Jamming Detection using BER
• Bit error rate (BER) used for reactive jammers to keep
received signal strength (RSS) low while disrupting packet
• If error due to weak signal => RSS must be low
• High RSS => External Interference/JAMMED
• Calculation of the marginal likelihood of error due to
unintentional collision
• Value < Target Probability for Missed Alarm : Target
Probability – JAMMED
• Iterative process is followed when test is inconclusive
• False Negatives due to error in calculation of BER
43. Trigger NODES Identification
• Trigger Nodes in a Network result in reactive jammers
• Techniques like Group Testing, Disk Cover, Clique-based
Clustering used
1. Detection of Victim Nodes using Breadth-First Search.
Information of all Victim Nodes available at Base Station
2. Grouping of Victim Nodes to identify groups of nodes
affected by same jammer
3. Using Non-adaptive combinatorial testing or group testing,
trigger nodes are identified.
• Alternative Route is used after Trigger nodes are identified
44. Advanced jamming
Detection and Countermeasure
Hermes Node, Control Channel Attack Prevention, MULEPRO, Cross-Layer
Jamming Detection and Mitigation, Fighting Implicit Jamming
45. Hermes Node (Hybrid DSSS & FHSS)
• Direct-sequence spread
spectrum(DSSS), Frequency-
hopping spread spectrum (FHSS)
used against fast-following
jammers due to processing gains
• DSSS uses wider bandwidth
• FHSS provides interference
avoidance
• A hybrid of the two, Hermes
Node performs 1Million
Hops/second using FHSS
• DSSS provides a white noise to
prevent detection of radio band.
• Uses 55 frequency channels at
275MHz of bandwidth
• Knowledge about Frequency
Sequence of FHSS and Pseudo
Noise code of DSSS necessary
to recover original signal
• Secret code is hard-coded
• Synchronization is vital
46. Control Channel Attack prevention
• To prevent JAMMED, several clusters each maintain their
own control channel with a unique hopping sequence
• JAMMED is achieved by collecting information from
compromised node by using cryptographic
techniques
• All compromised nodes are identified by computing
Hamming Distance between jammer’s hopping
sequence and actual hopping sequence.
• A new control-channel is established using frequency
hopping by updating hopping sequence.
47. MULEPRO
• Using a multi-channel protocol,
each node independently
determines if it is JAMMED.
Normal UNJAMMED node uses
common channel for
communication
• If Jammed, MULEPRO (MULti-
channel Exfiltration PROtocol) is
executed switching normal node
to exfiltration mode
• Phases in exfiltration mode
1. Node in sender set transmit to
receiver set
2. Node in receiver set exfiltrate data
towards boundary nodes
• Based on jammed area,
MULEPRO transfers data using
single or multi-hop
• In single hop states of JAMMED
node and boundary node are
similar
• In multi-hop, each intermediary
switches between reception and
sending and also carries a vertex
color in order to reach boundary
• MULEPRO best against
Channel-hopping Jammer
48. Cross-layer jamming detection and mitigation
• Jamming detection usually in Physical or MAC Layer
• Usage of upper-layer security mechanism while still using
the Physical Layer
• Tree-based approach to form asymmetric hopping pattern
due to cross-layer mechanism
• Decoding of Message with simple hopping pattern
• Adding test patterns during transmission helps detect
JAMMED
• When JAMMED, cover is removed and children of root are
added to Cover
49. FIJI – Fighting implicit jamming
• Cross Layering is used by splitting system between driver
and network module
• Detection Algorithm computes data transmission delay for
each client. JAMMED when abrupt increase in downlink
traffic due to increase in transmission delay time
• If JAMMED, data rate as well as channel occupancy time are
reduced.
• Data rate tuning is used at MAC layer to avoid changing
packet size in Network Layer
• Despite not giving fair solution, it enhances throughput of
UNJAMMED clients.
50. ANALYSING EXISTING APPROACHES
The JAM mapping protocol approach only maps a jammed area; it is not
able to quantify the type of attack experienced by a node. Moreover, it
does not seem feasible to effectively detect reactive jamming using this
scheme.
In the Ant system, if jamming is detected in an area much before a table
list is formed by the agents, then the scheme fails. In addition, it incurs
memory overhead.
51. • In the case of the base station replication technique, if a working BS is jammed
before the update, then there is data loss for the time period that the BS is
jammed.
• In the evasion techniques, there is an overhead of movement and network
reconfiguration.
• Channel surfing at the link layer would require synchronization between
two communicating nodes and is an expensive option in terms of time.
• In Fuzzy Interference mechanism, a densely deployed network would yield
better results compared to a sparsely deployed network. Therefore, it is not
suitable for networks with fewer neighbouring nodes.
52. Open research challenge
• Currently there is no universal anti-jamming
technique which deals with all kinds of jammers.
• New emerging wireless technology has made this
more difficult.
53. • Energy efficient jamming detection : there is no low-power
detection strategy that provides effective detection of low-power
jamming (like in reactive jammers).
• Detection based on jammer’s classification : It seems to be
easier to implement a top-down approach.
• Anti-jamming in 802.11n networks.
• Anti-jamming in wireless mobile networks.
• Universal anti-jamming technology.
54. Code for placing jammers in a given area:
    #include <iostream>
    #include <vector>
    using namespace std;

    int main()
    {
        int m, n, x, i, j, temp;

        cout << "Please enter the dimensions of the matrix: ";
        cin >> m >> n;
        cout << "Please enter the no. of users constraint: ";
        cin >> x;

        // (m+1) x (n+1) grid so the 1-based indices used below stay in bounds
        vector<vector<int>> flag(m + 1, vector<int>(n + 1, 0));
        for (i = 1; i <= m; i++)
        {
            for (j = 1; j <= n; j++)
            {
                flag[i][j] = 0;              // 0 = cell not yet covered
                cout << flag[i][j] << " ";
            }
            cout << endl;
        }

        cout << "Jammers co-ordinates: " << endl;
        for (i = 2; i <= m; i++)
        {
            for (j = 2; j <= n; j++)
            {
                if (flag[i][j] == 0)
                {
                    cout << i << " " << j << "\n";
                    flag[i][j] = 8;          // 8 = jammer placed in this cell

                    temp = x;
                    // The rest of the listing is missing from the slides.
                    (void)temp;
                }
            }
        }
        return 0;
    }
59. Conclusion
• Analysis of various jamming and anti-jamming techniques is
done.
• Comparison between various techniques is observed.
• Existing approaches for anti-jamming techniques are studied.
• Optimal placement of jammers is compiled in order to cover
the jamming range while minimising the cost incurred.