A Combined Approach for Distinguishing Different Types of Jamming Attacks Against Wireless Networks

Transcription

1 A Combined Approach for Distinguishing Different Types of Jamming Attacks Against Wireless Networks Le Wang, Alexander M. Wyglinski Wireless Innovation Laboratory Department of Electrical and Computer Engineering Worcester Polytechnic Institute, Worcester, MA , USA { lewang, alexw}@wpi.edu Abstract In this paper, we devised a Combined approach to distinguish different types of jamming attacks against wireless networks.based on the shared characteristics of the wireless medium, a wireless network can be easily affected by jamming attacks, which is one of the most effective forms of denial-ofservice (DoS) attacks against this type of networking architecture. Attacks can be implemented by either corrupting the operations of the medium access control (MAC) protocols or transmitting large amounts of interfering wireless signals without obeying the MAC protocols. Most jamming detection approaches cannot provide an effective way for differentiating between the various categories of jamming attacks. To enable the network to perform defense strategies more effectively, distinguishing the type of different jamming attacks is necessary. In this paper, we improve existing jamming detection approaches by using a novel statistical model and evaluate it both theoretically and experimentally. We begin by combining two existing jamming detection methods together to sort the jamming types roughly. Then, based on the statistical data of Packets Send Ratio (PSR) and Packets Delivery Ratio (PDR) in different jamming situations, we built a model to further subdivide the jamming attacks. Finally, we evaluate our proposed strategy using the ns-2 simulation platform. From the simulation results, we can observe the combined jamming detection technology can achieve a higher accuracy when distinguishing the types of jamming attacks. Index Terms DoS, PSR, PDR Wireless Network,Jamming Attacks. I. INTRODUCTION Wireless networks have already grown considerably and will certainly go on doing so, consequently the security and secrecy has become a critical issue especially in the military. To prevent people from communicating with each other, jamming the communication channel is one of the most efficient way and easy to implement. Wireless networks, however adopting the common are as the channel, are more susceptible to be disruptive than those who communicate based on a wire channel such as TP (twist pairs), coaxial cable and fiber. Usually, denial of service aims at filling user-domain and kernel-demain buffers. [6].Because of the shared characteristics, an adversary called Jammer can easily interfere the wireless communication channel using RF technologies either by transmitting a great deal of unmeaning signal disregarding MAC protocols or using valid signal to treat MAC protocols. A variety of jamming attacks can be performed in order to interfere the wireless communication channel.the most efficient attacks can be reduce into four type [1]: Constant Jammer: Continually send random and meaningless signal to the channel disregarding the MAC protocols. Deceptive Jammer: Continually injects valid packets which means a valid packet header with a useless payload or even no payload to the channel with no gap between packets. Random Jammer: Alternate between jamming and sleeping mode. In brief, the jammer perform constant jammer or deceptive jammer for a random period then shut down the jammer for another random period of time. The benefit of this jammer is saving energy which is especially important in a war. Reactive Jammer: Stay quiet till there is activity on the channel then devastate the reception. Its target aims at the receiver. Reactive Jammer spent more energy on sensing the channel then corrupted transmitting signal using only a minimum amount of power which brings more imperceptibility. To defend from jammers, the first step is to detect the existence of jammer because many other factors can also result in the similar appearance like jammer performed such as low SNR (Signal Noise Ratio), battery running out of power or receiver moving out of the range. A lot of detection methods have been proposed such as Signal Strength detection, Carrier sensing time detection and PDR (Packets Delivery Ratio) detection, however each of which has their own weak point. The current state of art is Signal Strength Consistency Checks which can differentiate jamming from normal signals. However, the only problem of Strength Consistency Checks is it can not differentiate between the various categories of jamming attacks. To enable the network to perform defense strategies more effectively such as saving power or quickly enough reaction, distinguishing the type of different jamming attacks is necessary.

2 Fig. 1. Network Layers Fig. 2. Hidden station problem In this paper we present a combined approach by using statistical model between PSR (Packets Sending Ratio) and PDR (Packet Delivery Ratio) to compensate this drawback. To explain the procedure more explicitly, we divide the procedure into two steps. We begin by comparing the correlation between Signal Strength (SS) and PDR to determine jamming attacks exist. Then, based on the statistical data of PSR and PDR in different jamming situations, we further subdivide the jamming attacks. The rest of the paper is organized as follows: Section II presents the MAC sublayer protocol of wireless networks and the concept of PDR and PSR. In section III, we introduce the correlation between PSR and PDR used in our proposed method to differentiate Jamming attack types. The simulation models and results are given in Section IV. Finally, we summarize the main contribution of our work and its perspectives in section V. II. BACKGROUND To reduce the design complexity, the networks are usually differentiated by layers. Each layer is in charge of different functions.see Fig[1]. As the noise exists in the common channel, messages cannot be sent from one node to another directly. Once some part of the message was damaged by disturbing, a duplicate message has to be retransmitted, which cost a long delay and huge bandwidth will waste. Under the circumstances, Data Link Layer was designed to solve the problem by further breaking up the segments received from network layer into data frames (usually hundreds of bytes) and transmit the frames sequentially through the channel. The shared nature of channel demands a necessary mechanism to control access to the channel. A sublayer of data link layer, the Medium Access Control (MAC) Sublayer, determines which frame goes next on a multi-access channel. One of the basic protocols is Carrier Sense Multiple Access (CSMA) protocol. When a node has frame to send,it has to sense the channel to see if the channel is idle first. If the channel is busy, the node will stay quiet and keep sensing the channel periodically. Once the node detects an idle channel, it will transmit frames with a probability of P (p belongs to (0-1)). This is one of the weaknesses of MAC Sublayer protocol which can be used by jammer to conduct deceptive jamming attack. If a jammer keep transmitting a valid frame, according to the protocol, the nodes at each end of the channel will stay quiet without sending any frames. If a collision occurs, either by two nodes transmitting frames simultaneously or corrupting frames by jammers, the nodes will abruptly stop transmitting as long as the collision is detected so as to saving time and bandwidth. This this the famous CSMA/CD protocol which can be widely used on Ethernet LAN but not suitable for wireless networks. [5] In wireless networks, what really matters is the situation of receiver instead of condition of the transmitter compared to wired networks. Before starting a transmission, a node has to decide if whether the receiver is idle or not. In wired networks, transmission can only be taken place simultaneously in channel such as twisted pair or coaxial, which is how CSMA/CD works properly. In wireless networks based on radio waves, however, multiple transmissions may occur at the same time. Hidden station problem Consider Fig[2],where node A B C are illustrated. The circle means the range of each node.in Fig[2],node B is in the range of C while C is out of the range of A.If A is communicating with B while C is trying to contact B at the same time, C will sense the channel between B and C is idle.c will send frames to B without knowing B is busy with A.In this situation,frames sent from C will corrupt the frames between A and B. Exposed station problem Consider Fig[3],where node A B C D are illustrated. B is communicating with A while C can only know that B is sending frames.due to the carrier sensing protocol,c will stay quiet to prevent from interfering with the transmission by B.Consequently,the communication between C and D,which will not interfere the communication between A and B actually,has to be canceled.one may conduct the MAC sublayer to increase network resources even if not a jamming attack. [4]

3 Fig. 5. Basic Jamming Attack Model Fig. 4. Fig. 3. Exposed station problem RTS/CTS standard of CSMA/CA As CSMA/CD cannot perform satisfied, a new approach called CSMA/CA was implemented.see Fig[4]. Before a communication channel was established,node A sends a frame named Request to Send(RTS) to Node B which informs B that A has messages to transmit.b will reply a Clear to Send(CTS) frame back to A which informs that B is clear and ready to receive message.then communication established. [3] A. Current Issues However, CSMA/CA mechanism will not be able to prevent the jammers from carrying out jamming attacks by corrupting RTS/CTS frames or just sending meaningless frames to make collisions.the weaknesses of MAC sublayer in has been revisited by the Australian CERT. [2] III. PROPOSED IMPLEMENTATION In order to understand Jamming attacks better, a basic jamming attack model was set up.see Fig [4]. A is a legitimate transmitting node in the channel while B as the receiver.both of them are within the range of the Jammer which can transmit either regular data keep Node A and B in receiving mode or undesired radio signal corrupting the normal frames between A and B.The former didn t break the CSMA/CA rules because the jammer,named Deceptive Jammer, keeps sending legitimate frames so that A and B will never sense the channel as idle.the latter ignores MAC sublayer protocol by sending junk messages into channel to corrupt normal messages. The MAC sublayer usually set up a fixed threshold. If the received signal is lower than the threshold,mac sublayer protocol will consider this channel as idle.only detecting a signal which is higher than the threshold,can the nodes receive and interpret the signal. To evaluate the efficiency of each, two metrics were proposed. Packets Send Ratio:Packets Send Ratio(PSR)is the ratio of frames(or packets in network layer) that are actually sent into the channel from a normal node compared to frames that are intended to be sent into the channel.for instance, A intends to send y frames to B but only x of y were send out.the PSR will be x y.one of the usual measure methods is tracking the number of frames a node intends to send out and the number of frames it actually sends out then compute the ratio. Packets Delivery Ratio:Packets Delivery Ratio(PDR)is the ratio of the number of frames which the destination(node B in Fig 4)receives successfully compared to the number of frames that have been sent out from source(node A in Fig4). the last instance,y frames were actually sent into the channel, if B finally receives z of them successfully,the PDR would be z y. According to Data link layer protocol,a has to wait to receive the ACK(acknowledgement)frame coming from Node B before it can send next frame. If A cannot receive this ACK frame within some period, a timeout will be counted and A has to resend the same frame till receiving the correct ACK frame. So as long as the ACK frames cannot be received successfully by A, the corresponding message frames cannot be considered sending out correctly.consequently, the PDR can be measured by computing the ratio of the numbers of ACK frames A received from B to the number of frames that A successfully sent out(y).this method can be implemented at transmitter.

4 Fig. 7. Algorithm: PDR SS Detect Jam Fig. 6. Combined Approach for Distinguishing Different Types of Jamming Attacks Another measurement is to compute the ratio of the number of frames received by receiver correctly compared to the numbers of frames that were sent into the channel which can be implemented at the receiver. We carried out four types jamming attacks based on NS platform and the results are as follows: Diagram[1] [1]. TABLE I PSR/PDR IN FOUR JAMMER MODEL PSR (%) PDR (%) Parameter 1 Constant Jammer Ra=38.6cm 2 Deceptive Jammer Ra=38.6cm 3 Random Jammer Ra=38.6cm 4 Reactive Jammer Ra=38.6cm From the data,we can find that nearly all types of jamming attacks will result in a sharp drop of PDR while not all jamming attacks can affect PSR. So detecting and differentiating Jamming attack types is very important. In this chapter we will proposed a combined approach to detect and differentiate jamming attacks in two types. See Fig[6]. Many jamming detection methods have been proposed [8], [10].One of the most efficient one is Signal Strength Consistency Checks(Step 1 in Fig[6]) [1]. The basic idea of this measurement is even in a congestion channel,the PDR measured from receiver is still around 78% meanwhile all kinds of jamming attacks can result a drop of PDR under 10%. However, the problem is many other factors can also result in a low PDR such that Node A ran out of battery or moved out of the range of Node B.In such case, setting up a consistency turns out to be necessary.during the experiments,the dynamic factors such as battery failure and move out of the range will also result in a low Signal Strength.Under this fact, if a drop of PDR as well as a high level signal strength can be measured at the same time, we can see that the channel has been jammed. Check Step 1 in Fig[6]. We first set up threshold 1 for PDR and threshold 2 for signal strength based on the statistics of normal situation.if PDR is no less than thresholds,the channel has not been jammed.on the other hand,compare the current signal strength with threshold 2.If the current signal strength is less than threshold 2,the channel is intact and we need to check other factors such as batteries. Otherwise,we can draw the conclusion that the channel has been jammed.all the procedures can be finished at Node B(i.e. the receiver). After Jamming attack was detected, Node B will send a reminder frame to Node A in another frequency which should has been set up in advance reminding A that the channel has been jammed.this technology is always used in Jammer Defending such as Channel Surfing to avoid Jammer attacks.when A receives this special frame from B, it will further differentiate the type of jammer attacks.check step 2 in Fig[6]. According to the statistics in table1, we set up threshold3 and threshold4. First we compute PSR at Node A and compare it with threshold3. Depending on the result we divided the jamming attacks into two groups,constant Jammer/Deceptive Jammer and Random Jammer/reactive Jammer.For the first group, because of the nature of deceptive attack, Node A will be kept in receiving mode and PSR will be (0%).For the second group, as reactive attack aims at the receiver, the PSR will be nearly (100%). By comparing the value of PSR with threshold, Node A can differentiate the jammer attacks easily. IV. EXPERIMENTATION AND VALIDATION Based on the description above,we propose the detection protocol as follows. To explain it explicitly,the whole process was divided into two parts PDR detection part and PSR differentiation part.recently, some measures have been proposed to protect local services from being exploited by adversaries. [7] For PDR detection, the algorithm is in Fig[7].

5 Fig. 8. Algorithm: PSR Detect Jamtype In the PDRSS Detect Jam algorithm, If a high PDR can be detected, this node is not jammed. However, if the detected PDR is low, another variable,signal strength (SS) has to been measured by function Sample Signal Strength(). This function can be only implemented after the PDR is lower than a threshold which has been set up originally. The function SS ConsistencyCheck() is performed to see if the low PDR is consistent with the signal strength. If a large SS and a low PDR were detected at the same time, this function returns False, else returns True. The result can be found in Fig[8]. During the process, a table (PDR;SS) of packet delivery ratio and signal strength has to be established in advance in a non-jammed scenario. The output is the relationship between PDR and SS from which an upper bound for the maximum signal strength can be calculated. Based on this bound, the (PDR;SS) plane was show as [9] Fig [9] shows the results for different jammers. The upperleft region is the jammed-region.from Fig[8], we can see the jamming situation has been detected successfully. For PSR detection, the algorithm is in Fig[8]. The result can be found in Fig[10]. In the PSR detect Jamtype algorithm,two variables, MaxP- SR and MinPDR,has to be measured simultaneously at sender node. If MaxPSR is less than PSRThresh2 which has been set up in advance, the result can be divided into two groups. By comparing different PDR values with different thresholds, four kinds of jamming attacks can be distinguished explicitly. In Fig[10],different colors represent different jamming attacks.from Fig[10],we can see that the jamming attack types have be differentiated successfully. V. CONCLUSION Wireless networks has been developed into many forms such as ad hoc networks and wireless sensor networks. The shared nature of air channel enable enemy to carry out jamming attacks easily.in these paper, we first focus on the principle of MAC sublayer protocols and explain the process Fig. 9. Fig. 10. The (PDR,SS) measurement The (PDR,PSR) measurement of different jamming attacks.we then introduction one of the most common methods,signal Strength Consistency Checks,by comparing PDR and signal strength to detect the existence of jamming attacks. Finally, to differentiate the jamming attacks types, we showed a new method by comparing PDR and PSR at the sending node.if sending note distinguish the type of jamming attacks successfully, it will send a special signal to receiving node in a special frequency. After know the exact type of jamming attacks, the nodes can implement a more efficient method to defend jammers. [12]

6 A. Future Work When Jamming attacks detection is completed, the information on the jamming types may be used as two parts: jamming defence and jammer localization. Jamming defence was designed to decrease the influence of jamming attacks and keep the communication connected in an jamming area. One of the most popular strategies is Channel Surfing implemented by changing the communication frequency to a range avoiding the interference from the adversary.another methods is Spatial Retreats which can be achieve by moving wireless users to a new area where no interference exists. [11] While the Jamming defence was carrying out, another mechanism named jammer localization may be also implemented at the same time. Jammer localization was designed to lock the position of the jammer. One of the most popular methods is Virtual Force Iterative Localization (VFIL) realized by utilizing the network topology. REFERENCES [1] W. Xu, W. Trappe, Y. Zhang, and T. Wood, The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks,Proc. MobiHoc05, p. 46C57, May 25C27, Urbana-Champaign, IL [2] AusCERT. AA denial of service vulnerability in IEEE wireless devices. [3] R. Bruno, M. Conti, and E. Gregori, IEEE Optimal Performances: RTS/CTS Mechanism vs. Basic Access, PIMRC, 2002 [4] J. Bellardo and S. Savage denial-of-service attacks: Real vulnerabilities and practical solutions. In Proceedings of the USENIX Security Symposium, pages 15-28, 2003 [5] Y. Hu, A. Perrig, and D. Johnson. Ariadne: A secure on-demand routing protocol for ad hoc networks. In 8th ACM International Conference on Mobile Computing and Networking, pages 12-23, September 2002 [6] Q. Huang, H. Kobayashi, and B. Liu. Modeling of distributed denial of service attacks in wireless networks. In IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, volume 1, pages 41-44, 2003 [7] Z. Li, W. Trappe, Y. Zhang, and B. Nath. Securing wireless localization: Living with bad guys. In DIMACS Workshop on Mobile and Wireless Security, 2004 [8] G. Noubir and G. Lin. Low-power DoS attacks in data wireless lans and countermeasures. SIGMOBILE Mob. Comput.Commun. Rev., 7(3):29-30, 2003 [9] A. Wood and J. Stankovic. Denial of service in sensor networks. IEEE Computer, 35(10):54-62, October 2002 [10] A. Wood, J. Stankovic, and S. Son. JAM: A jammed-area mapping service for sensor networks. In 24th IEEE Real-Time Systems Symposium, pages , 2003 [11] W. Xu, T. Wood, W. Trappe, and Y. Zhang. Channel surfing and spatial retreats: defenses against wireless denial of service. In Proceedings of the 2004 ACM workshop on Wireless security, pages 80 89, 2004 [12] H. Liu, W. Xu, Y. Chen and Z. Liu. Localizing Jammers in Wireless Networks. In Pervasive Computing and Communications, PerCom 2009, pages 1,2009