Denial of Service Attacks in Wireless Networks: The case of Jammers

Transcription

1 Denial of Service Attacks in Wireless Networks: The case of Jammers Konstantinos Pelechrinis and Marios Iliofotou Department of Computer Science and Engineering UC Riverside, Riverside CA Abstract The commodity of the medium in wireless networks makes it easy for an adversary to launch a Wireless Denial of Service (WDoS) attack. All current research work demonstrates that such attacks can easily be accomplished. For example a jammer can continually transmit a radio signal in order to block any access to the medium by legitimate wireless nodes. Jamming techniques can vary, from simple ones based on the continual transmission of interference signals, to more sophisticated that rely on exploiting the protocol used for communication among wireless devices. In this survey we present a detailed reference to all jamming attacks been recorded in literature since now. In addition, we illustrate various techniques that where introduced in order to detect the presence of an adversary node as well as the mechanisms proposed for protecting the network from such attacks. I. INTRODUCTION Security is one of the most important issues for every communication network. Various attacks have been recorded through the previous years. Most of the attacks were targeting wired networks since, according to our assessment, wireless networks weren t that much spread. Today though, with the advances in wireless technology, wireless networks gain more ground day by day. They are becoming more affordable and easier to be built. Many metropolitan areas deploy public WMEN for their citizens to use freely. Moreover, the prevalence of WLANs as the basic access solution to the Internet is rabidly increasing. However, the main disadvantage of wireless networks is that they are much easier to be compromised than any wire-line network. The commodity of the medium used for wireless data transfers makes it extremely easy for an adversary to launch an attack. Traditional DoS are concerned with overflowing userdomain and kernel domain buffers [1]. However, in wireless networks there are many occasions where the attack can be much easier for an adversary. For example one can use a compromised mobile device to broadcast huge volumes of SMS to its vicinity in order to flood all nearby devices [2]. In this way, it is feasible to even block any sense of communication between two wireless capable nodes. However such brute jamming techniques, that refer to the exploitation of the PHY and MAC layer vulnerabilities, are also easy to detect. As a result jammers can reside to more intelligent ways to accomplish their task without being detected. For example they can exploit vulnerabilities at higher layers of the network stack. A typical example would be the detection of the transmission of a control packet and the jammer to preferentially incur interference aiming at corrupting that particular packet. In order to address these threads, security experts must deploy more efficient methods for detecting and preventing the attackers. An all time classic game between The Cat and the Mouse. In this paper we record some of the most significant attacks that can be launched by a jammer, as well as give reference to the most well known works accomplished by security experts in detecting and preventing such scenarios. Our survey is organized as follows. In Section 2 we expand known jamming techniques and attack models. In particular, we study attacks performed at the PHY and MAC layer of the network. In Section 3 we cope with intelligent jamming techniques targeting the MAC and higher layers. In Section 4 and 5 we study ways of detecting and defending, respectively, a wireless networks against such attacks. We conclude our work in Section 6 by summarizing our findings and highlighting future directions. II. JAMMING MODELS OF PHY AND MAC LAYER Before we present the goals jammers are trying to achieve, we should start by giving a definition to the entity of jammer. The best suited definition has been given in [5]: We define jammer to be an entity who is purposefully trying to interfere with the physical transmission and reception of wireless communications A. Jamming Efficiency Criteria and Metrics Before we start talking about the jamming models of PHY and MAC layers it is important to refer to some criteria and metrics that are being used in order to compare the various jamming attacks. The criteria that are being extendedly used in the literature [3] are: Energy efficiency Probability of detection Level of DoS Strength against physical layer techniques such as FHSS, DSSS, CDMA.

2 These criteria are jamming scenario dependent. This means that the jamming scenario will best tell us which are the suitable criteria to use in order to compare two different jamming techniques for a particular case. For example, energy efficiency may be the most important metric for sensor networks where nodes are expected to live for along time. Of course in all cases a jammer wants to be energy efficient and to have low probability of detection in order to be stealthy. This can be achieved by maintaining consistency with MAC layer behaviors. We can also define metrics that quantify the efficiency of a jammer. Looking more carefully at the aforementioned definition we can see that the quantitative metrics that we will use to describe the efficiency of a jammer must be related with the ability of the wireless device to transmit or receive data. In all works that have to deal with jammers there are two main metrics that are being used. In [5] these metrics are being detailed defined. Packet Send Ratio(PSR): Lets suppose that the MAC layer of a node has n packets to send out. For any reasons just m (n m) of these are eventually being sent while the others are lost eg dropped from the MAC layer queue. Then PSR is being defined as: P SR = m n = P acketssent P acketsintendedtobesent It is an easily computed measure and in some way it can measure the effectiveness of the jammer at the transmitter. Packet Delivery Ratio(PDR):Lets suppose that the transmitter sent out m packets eventually and we suppose that the receiver received all of those m packets. From these m packets only q packets were eventually successfully delivered to the destination node, meaning that they passed the CRC check. Then we define PDR with the following formula - if m=0 then PDR=0: P DR = q m = packetspassedcrc packetsreceived In contrast with PSR, PDR is measuring the effectiveness of the jammer at the receiver. These metrics are used in order to quantify the performance of the jammer and hence we will refer to those very often to therest of this work. Except of these metrics there are some others that are being used in order to measure the jamming strength. Jamming-to-Signal Ratio:Traditionally jamming strength referring to PHY jamming mostly - is being measured by the jamming-to-signal ratio as it is given from the following formula [9] [10]: J R = PjGjrGrjR2 tr LrBr P where P tg trg rtr j: jammer power, jr 2 LjBj P t : transmitter power, G jr : antenna gain from jammer to receiver, G tr : antenna gain from transmitter to receiver, G rj : antenna gain from receiver to jammer, G rt : antenna gain from receiver to transmitter, R tr : distance from transmitter to receiver, R jr : distance from jammer to receiver, L r : communication signal loss, L j : jamming signal loss, B r : communications receiver bandwidth and B j : jamming transmitter bandwidth. Obviously high jamming-to-signal ratio leads to a successful jamming model. As a result we try to reduce this ratio. There are several ways doing so, which we will analyze in following section. Connectivity index: When we have an ad hoc wireless network the presence of jammers can result in the partition of the network. When this happens there will be some nodes that cant reach some others. We want the graph of the network to be connected and as a result to exist at least one path from every node to every other node. In order to describe this situation we define the connectivity index [9]. Firstly we will give the definition of a non-jammed link as found in [9]. Definition 1: Let R be the communication range of the nodes, JS be the set of jammers, and JR be the jammer range. A link from node A to node B is said to be non-jammed if and only if: d(a, B) < R J JS : d(j, B) > JR d(a, B) denoted the Euclidian distance between the locations of node A and node B. Having defined the non-jammed links and as a result also the jammed links we can now define the connectivity index as follows: Definition 2 : Let G=(V,E) be the directed connectivity graph of the multihop ad hoc network after removing the jammed links. Let G =(V,E ) be the transitive closure of G. The connectivity index if G is defined as: E V V 1 2 A connected graph has connectivity index 1, while a graph partitioned in two equal size connected graphs has a connectivity index of 0.5. B. Simple Jamming Techniques Various simple jamming models have been presented at [5][6] [7] [8]. Based on these works we can present four basic jamming models. Despite their simplicity these models have been proved to be very effective. The first jamming model that we will present is this of the constant jammer. A constant jammer emits radio signals all the time at the wireless medium. The signals that he/she emits are totally random. They don t follow any underlying MAC protocol and are just random bits. The goal of this type of jammer is either for a legitimate user to sense all the time the channel busy - and as a result the sender will never get access to the channel to send data - or to pose interference to a node that has send out data and as a result to corrupt the packets sent out. Similar - in some way - to the constant jammer is the deceptive jammer. Its similarity lays in the fact that deceptive jammer also sends out constantly bits, however this time the bits are not random. The deceptive jammer continually injects regular packets to the channel without any gap between the transmissions. This has as a result a legitimate user to believe that there is an legitimate transmission going on and as a result this node will remain at the receive state even if it has data to send out. One problem that the previously described jammers can face is this of energy failure. They emit signals to the wireless medium all the time so their life time is restricted. On the other hand the random jammer jams for t j seconds and sleeps for t s seconds. At the jamming period the jammer can follow any

3 of the models that we have described since now or any of the models that we will describe in following sections. By changing t j and t s we can achieve different levels of effectiveness and power saving. All those jamming models that we mentioned - and can be found with more details at [5][6] - target mostly at the transmission of a packet. They try to avoid the transmission of a packet from the sender. On the other hand a jammer can target the reception of the a packet. So a reactive jammer is sensing the channel all the time and when he/she senses a packet to be sent, transmits a radio signal in order to cause collision and as a result corruption of the data that the packet transfers. The effectiveness of those types of jammers is being augmented by the current standards for wireless data communications [11]. The PHY of IEEE or Bluetooth makes them an easy target for DoS. These PHY layers don t support error correction. This has as a result even if a jammer sends as less bits as it cans in order to corrupt one bit, the whole packet will not pass the CRC check as there is no error correction scheme. The reason for this is that wireless systems had been designed in order to be resilient to non-malicious interference and to noise. But as we can see a jammer can use efficiently low power in order to jam a whole communication. III. INTELLIGENT JAMMING MODELS The methods presented until now can be thought as naive jamming solutions. This is due to the fact that these jamming models only try to break down the communication between two nodes,without caring about the energy efficiency of the jamming nodes or the easiness of detecting the jammer. However, in addition to physical layer jamming several WDoS techniques can be applied at higher protocol layers. For example in IEEE someone can force the backoff window to remain at its maximum or at Bluetooth MAC someone can just destroy some control packets. At the routing level one can inject erroneous or destroy legitimate control routing packets. Similarly, at the transport layer a jammer can force TCP to multiplicative decrease in order to keep the congestion window small. A. Goals of Intelligent Jamming Intelligent jamming aims at exploiting upper layers protocols vulnerabilities in order to achieve three advantages over the naive models described earlier. These three goals are: (a) maximize jamming gain, (b) targeted jamming and (c) reduced probability of detection [12]. Following we describe each of these goals. Jamming Gain:In order to define jamming gain we will have as reference the constant jammer who is always sending jamming signals over the wireless medium. We define jamming gain of a different jamming model from constant jammer the ratio of the amount of power used to achieve a desired effect with the constant jammer proportional to the amount of power that is used to achieve the same effect with the model under consideration [12]. As a result the constant jammer has the least jamming gain and it is equal to one. There could be significant jamming gain as high as 40dB and more. This issue will be explored later on this work. Targeted Jamming:A naive jamming model - like constant jammers - emits a radio signal on the wireless medium and breaks down the whole communication, not paying attention to which nodes are being jammed. Further jamming gain can be accomplished if the attacker jams the specific nodes that he/she wants to attack. Reduced Probability of Detection:Referring again to naive models like the constant jammer we can see that these models are easy to be detected as we will see in more details later. So a jammer tries to reduce this detection probability. Imposing more intelligent ways of jamming one can force the victim network to believe that the possible degradation of network performance is due to congestion or poor link connection and not due to the presence of a jammer. These three should be the targets of every intelligent jamming model. Before continuing to analyze some efficient jamming techniques we must emphasize on the fact that jamming is not a transmit-only activity. Most of the times it involves also the sensing of the channel. All these will become more clear in the following sections were we will analyze some interesting intelligent jamming techniques. B. A Layered Model for Jamming Encryption is a common technique used by most networks in order to protect the transmitted date from being sniffed. Brown et al. [12] presents a layered jamming model that can work very well even with encrypted wireless networks. The encryption offers just a bit-level protection of the data. However the layered model of a network can provide multiple ways for a DoS. More specific we can break down the jamming and sensing to layers, just like the OSI layered model for networks. Similar to that situation the number of layers that we will define is not unique. In [12] the authors propose three layers as seen in the figure. We will now present very shortly this model. For more details you can refer to [12]. Every layer offers some services to the upper layer and each layer has two different modules. The sensing module and the jamming module. Starting from the lower layer Link/Physical layer we can say that this is the layer that interacts straight through with the wireless medium. The sensing module senses the channel and every time that detects a packet it makes some measurements. More specific it measures the packet size and the packet start time. The jamming module of this layer sends out the jamming signals when an upper layer requests it. The Transport/Network layer gets data from the Link/Physical layer and offers services to the Application layer. More specific the sensing module gets data from its peer of the link/physical layer concerning the measurements that the latter took about the size packet and the timing of the packet. Then using a statistical algorithm that we will present later it decides the type of the packet. So the goal of the sensing module at transport/network

4 layer is to classify the packets. On the other hand the jamming module orders the jamming module of link/physical layer to attack a specific target at the greatest possible jamming gain and the least possible detection probability. The Application layer finally, works on a higher level. The sensing module senses HTTP sessions etc and targets specific nodes. The jamming module then defines when jamming should take place and who should be jammed. So far we have a high level overview of the whole system. There are some issues that should have arisen from the presentation that was made about the model. When does the classification take place? Is it online or offline? The answer to this has two parts. The ideal would be to be online, but since some packets need future packets in order to be identified correctly, offline classification is more feasible. This offline classification can be easily done to multihop Ad Hoc networks as it is explained by Brown et al [12]. The classification of the packets can be done using a probabilistic model of packet size and a historical analyzer. The whole procedure involves basic statistics and can be easily accomplished. For more details the reader can refer to [12]. What is of great importance to refer here is the significant jamming gains that can be achieved from such an approach. Anti jamming techniques should also take into consideration such approaches and there are simple ways to do so. We will elaborate further with this at later sections. C. Intelligent Jamming in IEEE Since now the models that we presented have not taken into account protocol specific parameters. We will now present some jamming techniques that try to involve just control packets jamming so as to corrupt communication with the less possible energy constraints. These techniques require good knowledge of IEEE networks. Readers that are not familiar with the protocol can find an overview in [13]. 1) CTS Corruption Jamming: At this case the jammer senses the channel and when he/she senses an RTS packet then waits for SIFS time after the end of the RTS and sends a short jamming pulse which will result in the corruption of CTS packet. This will eventually result in zero throughput as no data will be ever transferred in this way. 2) ACK Corruption Jamming: It is similar with the CTS corruption jamming, but this time the jammer waits for the DATA packet. When he/she senses the data packet, counts down after the end of the DATA for SIFS time and jams the channel which will has as a result the corruption of the ACK packet. The ACK doesn t get back to the sender and there will be several retransmissions, until the sender will give up and as a result no further data exchange will take place. 3) DATA Corruption Jamming: Similar with the other two previous models the jammer waits for the CTS packet and then counts down DIFS time since the end of the CTS packet and then jams the DATA packet. We can see that these three mentioned jamming models are extremely energy efficient as they are active for only a short period of time and the rest of the time they are at promiscuous mode. 4) DIFS Waiting Jamming: This type of jammers waits until it senses the channel idle for DIFS time. When this event occurs the jammer jams the channel. By this way he/she will corrupt the expected communication that will follow the DIFS idle time. The jammer will corrupt either the DATA packet or the RTS packet if the RTS/CTS scheme is employed. Making a comparison of the four intelligent jamming models we can see that the 1 st and the 3 rd work only when there is the RTS/CTS mode on. Also DIFS wait jamming can be less energy efficient than the other three models because after the idle DIFS time there might not be any communication so there was no need for the jamming signal. This jamming works well with high traffic load networks. In [4] the authors presented a table comparing the total energy that various jamming models consume for the same jamming result. This table verifies the fact that intelligent jamming models can be a lot more energy efficient than the nave PHY layer models. 5) Identity Attacks and & Greedy Behavior: Apart from these intelligent attacks there could also be other types of intelligent attacks that can lead to DoS [14]. For example there are the so called identity attacks. We firstly have the deauthentication attack where the attacker spoof the deauthentication message with which the mobile user or the AP explicitly asks for a deauthentication. This will result in the AP or the mobile client to exit the authentication state and refuse any further packets until the reestablishment of the authentication. Similar to this attack is the disassociation attack but this time the attacker spoofs the association messages. This attack is less effective than the dissauthentication one because the latter forces the victim to do more work to return to association state. Another possible identity attack is the power saving attack. At this attack the attacker can spoof the pooling messages or the TIM messages, which are related with the sleep function of a mobile node. This will result in data discarding. More details for these types of attacks can be found in [14]. In [15][16][17] there are some examples of a greedy behavior of a legitimate user that wants to gain more throughput than the other users of the network. These techniques though can also be used from an adversary that just wants to interrupt the communication of the wireless network. The bad node can scramble the CTS, ACK or DATA frames as we also mentioned before. By doing so the congestion windows of the other nodes will increase and as a result their communication will be corrupted in the end if this continues happening. It can also increase the duration value in the frame headers of RTS or DATA and as a result the NAV of the other nodes will indicate that there is an ongoing data exchange and will not content for the channel, but at the reality there will nothing going on the channel. It can also reduce the backoff time and just simple use another distribution for the congestion window in order to get more access to the channel

5 than the other nodes that use the distribution described by the standard. More details for these types of attacks can be found in the references given. 6) Wireless Ad Hoc DoS: Finally there are some specific WDoS attacks that preferentially target wireless ad hoc network, taking in advantage the fact that they luck of infrastructure [18]. Because of no infrastructure, an adversary can launch a WDoS attack by sending a large number of route requests. The large number of request could be a consequence of a normal network state, when there is high mobility and there is a large number of broken links. The adversary can also spoof the IP address and send many route requests to a target node with different IPs and as a result it can cause a DoS at that node. IV. INTRUSION DETECTION SCHEMES The purpose of this work is not to define what an intrusion detection system is and which the various types of them are. Prior works have done extensive work on things of similar issues A good overview of IDSs can be found in [19]. Although IDSs for wired networks have been excessively studied this is not the case for wireless networks. Many of the IDSs implemented for a wired network are signature-based. In wireless networks though, many attacks happen at the MAC layer and thus it is difficult to isolate sequences of packets to use them in such IDSs. In addition to this, if this was possible the power constraints of a mobile user are such that make it relatively difficult to build such a system, which needs to store a great amount of attack signatures. Actually most of the work that has been done until now refers to Intrusion Prevention. By this we mean that most schemes that are proposed, suppose that there is an intruder and there are some solutions given in order to avoid him/her in a transparent way to the user. Following we will present some detection schemes for wireless networks that have been proposed and we will also present some antijamming techniques that exist in the literature. A. Wireless Intrusion Detection Systems 1) DOMINO: DOMINO stands for Detection Of greedy behavior inthe MAC layer in IEEE Networks. The name implies that it only deals with greedy legitimate users, but the truth is that it can be deployed in order to detect also adversaries that use similar techniques as those described earlier [15]. The geat advantage of this system is that it doesn t require any modification on the existing infrastructure. The system is implemented only at the Access Point (AP) and can detect various types of attacks. Its detailed architecture can be found in [15] but here we will go over a brief overview of the system. DOMINO consists of three different modules. The first module is responsible for the collection of traffic traces in monitoring periods with predefined length. These traces work as input to the second module which consists in various tests - the current version of DOMINO supports six such tests - each of which try to detect a particular attack. Each one of these tests consists of two components. The Deviation Estimation Algorithm which determines the deviation from the expected model and the Anomaly Detection Component which uses the previously estimated deviation in order to decide if the station in consideration is well behaved or not. The third and final module of DOMINO is the Decision Making Component, which aggregates all the results derived from the previous tests and decides if the station is an intruder. The Decision Making Component is also divided into the Aggregation Component and the Behavior Classification Component. The Aggregation Component can use several functions for aggregating the results of the tests. It can be a simple OR like the implementation of DOMINO - that is available now - or a more complicated function with weights that correspond to our trust at every test. Some test might be more trustful than others and so we assign to them more a larger weight. Then the Behavior Classification Component finally decides using a simple threshold or any other probabilistic technique like Baysian inference about the classification of the node into consideration. At [15] there is a thorough description of the system, of the tests that are currently implemented and of the performance of the system. 2) A Wireless Distributed IDS: Aime et al. propose a distributed IDS [20]. Here we will present a high level overview of the proposed scheme. The reader can refer to [20] for more details. The basic concept is that a node on itself cannot decide if the degradation of the performance is due to network failure or due to a jamming attack. Therefore, in order to take a correct decision about this all the nodes need to cooperate. Every node in the network monitors the ongoing traffic and creates a list of evidences, which are the events that take place on the wireless medium of the network. Such events include the number of packets send, the idle periods, the number of corrupted packets (failed CRC check ) etc. When every node has created its own list, nodes share these lists and try to match events. This combination leads to a better understanding of what happens in the network and more specific it can distinguish between jamming attacks and a channel failures. Those two network states have the same basic signature, but they differ on their position in the event list. For example an attack will result in the disappear of a large number of packets, while a network failure will have some packets lost here and there. The whole process resembles a lot the data fusion techniques,which are being used in wired IDSs in order to support evidences, which combinedata from many different sensors. The drawback of this method is that in order to work nodes need to exchange their event lists. If a node is being jammed he/she will not be able to exchange these data on real-time (during the attack period), but the evidence will be shared in later time. This has as a result that this scheme cannot actually be employed for real time detection. Detail about the protocol used to share these information and about the exact algorithm are over the scope of this work and can be found in [20] along with the analysis of an attack model based on economic models.

6 3) Detection of MAC layer DoS/misbehavior: As we analyzed in Section 3 an adversary can use MAC layer misbehavior techniques in order to accomplish a DoS attack. Kyasanur et al. [16] propose a scheme that can detect a user that tries to get access to the channel more often that it should. This will be a result of his/her will to get more bandwidth or because he/she wants to prevent other users from using the medium, thereby causing DoS attack. The proposed detection scheme consists of three modules that modify IEEE The basic idea is that the receiver, every time that sends a CTS or ACK packet to the sender explicitly declares to him/her the next backoff time that he/she has to use. This backoff time is being selected randomly from the receiver. So the first module of the system is used to identify deviation from the protocol. The receiver monitors the network to see weather the sender is using the correct backoff time or not. The second module of the system uses the previous knowledge and penalizes the sender if he/she misbehaved in the last transmission - assigning him/her a bigger backoff time - proportional to his/her deviation - for the next transmission. We have to note here that a node might behave well but the receiver might detect deviation, for example due to a hidden terminal problem. The fact is that even with this bug the systems works well because in such a situation the deviation will be small and the penalty will also be small. The third module of the system is the diagnosis module. This module uses the deviation at a sliding window of length W and if the sum if these deviations exceed THRESH then the node into consideration is being classified as malicious. When the node is being classified as malicious there are several policies that can be followed but are out of the scope of our work. The proposed scheme works well but there should be some issues taken into consideration. For example what happens if the receiver is malicious and assigns small backoff times to the sender? What can we do in order to avoid extended misdiagnosis? These issues are being addressed together with some extensions of the system at [17]. Moreover there should be taken into consideration issues like what happens if two nodes - sender and receiver - are cooperating in order to gain more bandwidth and prevent other users from getting the medium? 4) PHY layer Intrusion Detection: As we mentioned in a previous section PHY layer jamming is probably the most feasible jamming technique, as it is just concerned with emitting signals on the shared medium and colliding the communication. The presence of such radio signals can affect the received signal strength. In [5][6] there are proposed some basic detection methods a) Signal Strength Measurments: In order to detect a jammer we can use the average power of the received signal. As it is shown in [5][6] a simple statistic metric like the average received signal power is not useful in discriminating between the jamming scenarios and the normal state of the network. This one dimensional metric cannot work well because it is hard to select a threshold that can discriminate the two different scenarios. Though we can enhance this method and use signal strength spectral discrimination techniques. By this way we keep more than one dimension of the signal strength and as a result we can discriminate better, as we keep track of the shape of the curve that describes the received signal power. Xu et al [5][6] use the High Order Crossings (HOC) method, but we can employ other spectral methods as well. What it is shown though, is that this technique can detect only some types of jammers. It can distinguish the constant and deceptive jammer but it cannot distinguish the reactive and the random jammers. b) Carrier Sensing Time: Another statistical metric that we can use to detect a jamming attack is the carrier sensing time [5][6]. Whenever a node wants to send data, the IEEE standard obligates the node first to sense the channel as idle for a specific amount of time. Under normal conditions the distribution of this carrier time sensing is known for a specific network and can be determined either theoretically or empirically. The effectiveness of this analysis though is pretty much the same with the previous. While it can detect the constant and deceptive jammer, it cannot do the same for the random and reactive jammer. c) PDR Measurements: In previous section we gave the definition of the PDR. In [5][6] it is shown that this single metric can detect all types of jammers. More specifically it is shown that even at a high congestion scenario the PDR is around 78 %. On the other hand when there is a jamming attack PDR drops almost to 0. So a simple threshold can distinguish a normal congested state of the network from all the PHY layer jammers that we presented. On the contrary though there are situations that PDR measurements can lead to false alarms. When there is a network failure, like a battery failure, the node in consideration stops sending packets, so PDR drops to 0 too. As we can understand the PDR measurements cannot distinguish between jamming scenarios and network failures scenarios that can disrupt the communication between the two nodes. d) Consistency Checks: The authors on [5][6] propose 2 techniques that are based on consistency checks, in order to detect all types of jammers and overcome the problem of distinguishing between networks dynamics and jamming attacks. The two schemes are: Signal Strength Consistency Check:In this case we make two measurements. One of PDR and one of SS (signal strength). The key observation is that if we have low PDR and high SS then it is most likely that we are jammed, while if we have low PDR but low SS as well, this is most likely to be due to a network failure in our neighbor. So by conducting these two measurements and checking their consistency we can map the jammed regions in a two dimension scatter plot of PDR and SS. From their results they show that all the jamming scenarios fell into the jammed region and we can do a simple mapping of our measurements to such graphs in order to detect all kinds of jammers. Location Consistency Check:It is pretty much the same with the previous technique. In this case we measure the PDR along

7 with the location of the neighdors of the node under consideration. The ituition about these measurements is that if we measure low PDR and the distance of the neighbors is small then it is more likely that the node is being jammed. On the other hand if we have low PDR and the distance of the neighbors is big then low PDR might be a results of the neighbors being out of range. In the same way as previously we can have a mapping of the jamming scenarios and the normal state on a 2 dimensions plot of PDR and distance. These techniques can detect all types of PHY jammers and also distinguish from normal congested networks states or dynamic failures of the network. Though there are some issues that are critical for their performance, such like the frequency of the location advertisements, which need to be taken into a deeper consideration. 5) Wireless Ad Hoc Networks Intrusion Detection: Wireless Ad Hoc networks as we mentioned earlier are more vulnerable in attacks, due to their lack of infrastructure. Open medium, dynamic topological changes, limited bandwidth, distributed cooperation and constrained energy resources are some of the characteristics that make MANETs more vulnerable. Recently there has been an increased interest in wireless MANET intrusion detection. A brief overview of these works can be found in [18].More specifically Zhang et al. [21] describes a distributed IDS for MANETs, where an IDS agent operates at each mobile node fo the network. In [22] there is extension of the previously mentioned distributed IDS, which tries to enhance the security on the AODV routing protocol. A local IDS is proposed in [22]. This system is based on mobile agents using SNMP protocol to collect data that exist at MIBs. This method can offer several advantages, like the fact that collecting information is of negligible cost for an agent running SNMP or the fact that mobile agents can reach remote nodes. In [24] there is a Support Vector Machine based IDS being proposed. The SVM data mining technique is a very powerful technique used for classification when we have unseen events. In this work the SVM is being used in order to classify the traffic that is being collected as normal or abnormal. More work on Ad Hoc IDS can be found in [25][26][27], and a comparison of all these systems can be found in [18]. V. INTRUSION PREVENTION SCHEMES As it was mentioned earlier it is very common in wireless networks to use Intrusion Prevention Systems. Actually these systems are the first line of defense for a wireless network. Many times these systems suppose that there are adversaries at the network and try to avoid them anti-jamming. In the following sub sections we will present some anti-jamming techniques. a) Channel Surfing: This technique has been inspired in some way from the frequency hopping technique. Unlike frequency hopping that takes place at the PHY layer, channel surfing takes place at the MAC layer [6][28]. When a node detects that it is jammed it can switch channel and send a beacon message at the new channelss fequency band. Its non-jammed neighbors will feel the absence of this node and will change channel in a try to see if their neighbors have sent beacon at this channel. If not then they assume that the node just moved away. Conversely, if they sense a beacon they will inform the rest of the network at the initial channel to change channel. There are two possible approaches. At the first approach the whole network will eventually change channel while in the second approach only the boundary nodes of the jam region will change channel and they will be used as relays for the rest of the network and the jammed area. b) Spatial Retreats: By the words in spatial retreats we want to describe an anti-jamming technique that tries to take advantage of the mobility of the nodes. In brief we can say that when a node detects that it is being jammed, it firstly escapes from the jammed area and then tries to stay connected with the rest network in order to avoid the partition of the network reconstruction phase [6][28]. More specifically, when a node senses that it is being jammed, it starts moving out of the jammed region and simultaneously runs the detection algorithm. When it detects that it has moved away the jamming area, it tries to stay connected with its previous neighbors. In order to do so it keeps moving at the boundary of the jammed area. If the node was continuously moving away the jammed area then this could lead to a partition of the network. c) Fighting Reservation Based DoS attacks: As we mentioned earlier an adversary can send an RTS packet, requesting the medium for a period of M slots, while he/she has nothing actual to send. This results in the medium being idle but and legitimate users cannot use it. By keep doing the same thing, the adversary can launch a very sophisticated DoS attack. Negi at al. [29] the usage of a new control packet, called CTSR. More specifically in an infrastructure wireless network the access point can periodically, every K slots, sense the channel to see if there is an ongoing transmission as it should be. If the medium is not busy, the AP revokes the medium by sending out a CTS packet with NAV DURATION=0. Of course we would like to keep K<<M, in order to have an early detection. Of course this solution could also be defeated as the jammer, by having knowledge of the modified protocol can send out a jamming packet every K slots, in order to fraud the AP and sense that there is an ongoing transmission. Of course again if K<< M, the jammer will have to spend a lot of energy in order to keep cheating the AP and as a result is becoming less efficient. d) Securing our Network from a Layer Jamming Attack: In section III.B we presented a simple model of a layered jamming attack. This model was trying to exploit the patterns that exist in protocols and refer to size, timing and sequence of the packets exchanged. A simple way to make a network more secure against such attacks is to remove all these consistencies when possible.for example for the size of the packets we can simple use a padding technique, making every control packet of the same size and as a result more difficult to be recognize. This padding has a very small effect on throughput as it is explained in [12].Moreover in [12] it is proposed that protocols at

8 which timing is overly precisely should be modified. The modification should be done in such a way that additional delays can be added. Furthermore the header could indicate the additional delay that was added for security reasons. As far as the sequence of the packet is concerned, we have to note that is immutable. However we can use a technique called aggregate multiple packets and foils the sequence of the packet consistency. About this technique we can say that a system aggregates data packets communicated between one or more sessions on a source system and one or more sessions on a target system by: collecting one or more session packets from the one or more source system sessions; multiplexing the session data packets into an aggregated packet; sending the aggregated packet from the source system to the target system; and demultiplexing each aggregated packet into corresponding session packets for delivery to the sessions on the target system. This aggregation affects both timing and size of packets, and also hides the precise number of packets that are exchanged. e) PHY layer anti-jamming techniques: All previous antijamming techniques involve with one way or the other the MAC layer or higher layers. We will now present some anti-jamming techniques that are focused totally on PHY [30] [31].What can one do is to increase the transmission power. This is obviously a brute force technique. We decrease the jamming-to-signal ration and hence improve performance. Another anti-jamming technique that can be used is directional antennas. By this way we target at reducing the antenna gain from the jammer to the receiver [2]. The goal can be reached by the use of directional antennas, sectored antennas, or any other type of smart antennas which focuses the beams power directly to the receiver. Apart from these naive or unrealistic solutions there are PHY layer techniques that have been proposed in order to avoid jamming. The most well known one is the use of Spread Spectrum. This is a technique in which a signal is transmitted on a bandwidth considerably larger than the frequency content of the original information. Spread-spectrum telecommunications is a signal structuring technique that employs direct sequence, frequency hopping or a hybrid of these, which can be used for multiple access and/or multiple functions. This technique decreases the potential interference to other receivers while achieving privacy. Spread spectrum generally makes use of a sequential noise-like signal structure to spread the normally narrowband information signal over a relatively wideband (radio) band of frequencies. The receiver correlates the received signals to retrieve the original information signal. Originally there were two motivations: either to resist enemy efforts to jam the communications (anti-jam, or AJ), or to hide the fact that communication was even taking place, sometimes called Low Probability of Intercept (LPI). Direct Sequence SS is better at resisting continuous-time narrowband jamming, while Frequency Hopping SS is better at resisting pulse jamming. In Detection Systems, narrowband jamming affects detection performance about as much as if the amount of jamming power is spread over the whole signal bandwidth, when it will often not be much stronger than background noise. By contrast, in narrowband systems where the signal bandwidth is low, the received signal quality will be severely lowered if the jamming power happens to be concentrated on the signal bandwidth.despite the usage of these techniques our network is not secure against jammers as the adversary does not have to follow the complete spectrum-transition sequence in order to disrupt communication. Whereas in the case of voice communication between human users a corruption to a small part of the conversation will have a minor effect on the quality of the link, in the case of digital communication (assuming absence of error-correction) a corruption to a single bit is enough to compromise the whole communication process. The Achilles heal of widely used wireless protocols such as IEEE and Bluetooth lies in their lack of any errorcorrection mechanism [30] [31]. This makes the goal of an adversary easier since the corruption of a single bit is enough to render a complete packet futile. Moreover the current systems are designed to resist to non-malicious interferes and noise. These techniques offer a bit level protection only. The main disadvantage of not using any error-correction mechanism is the fact that attackers can spend enough energy to just corrupt a single bit per packet in order to prevent any meaningful interaction between communication nodes. This vulnerability allows adversaries to attack a network with high Jamming Efficiency. Such low-energy long-lived jamming units are called cyber-mines. In [30] [31] authors propose as the basic idea to force the jammer to spend more energy in order to achieve its goal. In other words, the goal is to eliminate cyber-mines. To address this problem they investigate the performance of various errorcorrection schemes and they concluded that the most suitable codes for binary modulation are the Low Density Parity Codes (LDPC). The main advantages of LDPC is (a) they give capacity close to Shannons bound; (b) they perform very well with long packets of the order of 16,000 bits which makes the suitable for IP-networks (c) relatively easy to implement. In addition, they assert that another set of near-shannon codes that are also a good alternative to LDPC are Turbo-Codes. Such codes are a perfect alternate especially for shorter packets [30]. In practice, in order to improve the error tolerance a combination of an interleaver and error-correction code is used. The main problem with traditional communication systems is that the structure of the interleaver and the ECC are publicly known. This knowledge gives to the adversary the choice of attacking those bits that when de-interleaved at the R x they will results in a burst of errors that exceed the tolerance of the underline ECC. To overcome this problem they propose the use of cryptographic-interleaving where the reordering of bit-blocks in the transmission frame are placed in a permutation only known to the two communicating parties. Such information can be exchanged using any available encryption scheme. The prize of using ECC is additional overhead for the tran-

9 sition of the error correction bits and additional latency since the complete information cannot be retrieved before the reception of all the disseminated information blocks. The gain is an increase ambiguity to which bits must be jammed in order for a packet to fail the CRC check at the receiver. Therefore, the scheme proposed can be seen as a method to prevent jammers from attacking the network using energy preserving methods. Finally, they close their work by suggesting the use of an adaptive scheme where the excessive error correction codes are avoided in the absence of jamming attacks. Therefore, the performance of the network under normal conditions is not affected by the proposed mechanism. f) Wormholes: Until recently wormholes were thought to be a threat for a WDoS [32] [33] [34]. Cagalj et al [35] though, proposed a reactive anti-jamming scheme for wireless sensor networks using wormholes. The basic idea is that jammed nodes use channel diversity in order to establish a communication with another node outside the jammed area. There are proposed 3 types of wormholes: Wired pairs of sensors:a sensor network is being enhanced by some certain number of pairs of sensor nodes that are connected through a wire. It is shown that in order to have a large probability that an arbitrary pair forms a wormhole from the exposure region to the area not affected by jamming, it might be required a large number of wired pairs to be created, which has as a corresponding result the need of more wire. Frequency hopping pairs:at this solution that is proposed the pairs are being created by using frequency hopping techniques like Bluetooth. All pairs are being deployed by wireless links and can afford longer links between pairs. However this technique still requires some level of synchronization. Uncoordinated channel-hopping:in this solution Cagaj et al [35]seek to create probabilistic wormholes by using sensor nodes that are capable of hopping between radio channels that ideally span a large frequency band. The difference with the previous solution is that now one entire packet is transmitted on a single channel. So the hops between the different channels come in a much slower way as compared to classical frequency hopping. More information and a detail probabilistic analysis for the formation of the wormholes can be found in [35] VI. CONCLUSIONS & FUTURE WORK The most important conclusion we derived through our study is that there is no solution that can currently fully address the problem of jamming in wireless networks. What can be done is the construction of an efficient system, which combines most of the techniques described herein. For example, for every antijamming system there should be an efficient detection mechanism accompanying it. The detection can be done in two levels. The first subsystem can operate at the PHY and use the consistency checks that we saw that work very well [5] [6]. Then there can be a second subsystem that will detect possible malicious activity at the MAC layer detection of intelligent jammers [15][20]. Additionally we can enhance the security of our network by implementing some of the techniques mentioned concerning the insertion of unpredictability at the size and timing of essential control packets [12]. Moreover we can make some simple modifications at the MAC protocol, e.g., the CTSR packet that was proposed in [29]. Finally we can integrate to the system techniques in order to avoid jamming, like mobility, channel surfing or spread spectrum techniques [6][31]. What is clear is that a single system cannot fully solve the jamming problem. A collaborative approach of all those systems is needed in order to secure our networks. More research can be done in areas involving control packets of the current standards. For example we saw that the RTS/CTS packets actually help the jammers to launch some types of attacks and achieve their objectives with less effort. These packets are sent at the basic rate. Can we avoid this if we send these control packets in higher rates? By doing this we reduce reliability as the higher the rate the less reliable the transmission. What is the trade-off between reliability and security if we deploy these higher rates? Such issues should be taken into account more for further research in the future. REFERENCES [1] Q.Huang, H.Kobayashi, and B.Liu. Modeling of distributed denial of service attacks in wireless networks. In IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, volume 1, pages , [2] L.Sherriff, Virus launches DDoS for mobile phones, [3] Mithun Acharya, David Thuente, Intelligent Jamming Attacks, Counterattacks and (Counter)2 Attacks in b Wireless Networks, in Proceedings of the OPNETWORK-2005 Conference, Washington DC, USA, August [4] Mithun Acharya, Tahu Sharma, David Thuente, David Sizemore,Intelligent Jamming Attacks in b Wireless Networks, in Proceedings of the OPNETWORK-2004 Conference [5] Wenyuan Xu, Wade Trappe, Yanyong Zhang, Timothy Wood, The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks, MobiHoc 05, May 25-27, 2005, Urbana-Champaign, Illinois, USA, pp [6] Wenyan Xu, Ke Ma, Wade Trappe, Yanyong Zhang, Jamming Sensor Networks: Attacks and Defense Strategies, IEEE Network, May/June [7] Y. Law et al., Link-Layer Jamming Attacks on S-Mac, Proc. 2nd Euro. Wksp. Wireless Sensor Networks, 2005, pp [8] A. Wood and J. Stankovic, Denial of Service in Sensor Networks, IEEE Comp., vol. 35, no. 10, Oct. 2002, pp [9] G.Noubir, On Connectivity in Ad Hoc Networks under Jamming Using Directional Antennas and Mobility, Technical Report, December [10] Curtis D. Schleher, Electronic Warfare in the Information Age, 1999, Norwood, Artech House. [11] G.Noubir, G.Lin, Low Power DoS Attacks in Data Wireless LANs and Countermeasures, in Proceedings of Poster: ACM MobiHoc Annapolis, MD: ACM Press. [12] T.X.Brown, J.E.James, A.Sethi, Jamming and Sensing of Encrypted Wireless Ad Hoc Networks, MobiHoc06, May, Florence-Italy. [13] Schiller, Mobile Communications, Addison-Wesley Longman Publishing, Boston, [14] J.Bellardo, S.Savage, Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, In Proceedings of USENIX Security Symposium03, August 03. [15] M.Raya, I.Aad, J-P.Hubaux, A. El Fawal, DOMINO: Detecting MAC layer greedy behavior in IEEE hotspots, in Proceedings of ACM MobiSys, Boston (MA), USA, 2004.