DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks


DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks
Anthony D. Wood, John A. Stankovic, Gang Zhou
Department of Computer Science, University of Virginia

Wireless Sensor Networks
- Embedded in physical environment
- Devices with limited resources
- Large scale static deployment
- Diverse applications: military, volcano monitoring, zebra tracking, healthcare, emergency response...
- MICAz mote: 8 MHz 8-bit µP, 128 MB code, 4 KB data mem, 250 Kbps radio
- IEEE 802.15.4 radios: MICAz, Telos/Tmote/Tmini, imote2, XYZ

Physical-Layer DoS
Threats and Vulnerabilities:
- WSNs becoming ubiquitous, connected to IP networks
- Devices are easy to compromise
- Jamming is easy to do in software
- DoS attacks will spread to WSNs
Attacker's goal: disrupt communication as stealthily and energy-efficiently as possible

Physical-Layer DoS
State of the Art:
- Military hardware
- Detection of jamming, evasion by physically moving, channel surfing (Xu et al.)
- Data blurting, schedule switching (Law et al.)
- Multi-frequency protocols: Bluetooth, Tang et al., Zhou et al.
- Wormholes to exfiltrate data (Cagalj et al.)
- Low-density parity codes (Noubir)

Physical-Layer DoS
Our approach:
- Hide messages from the jammer
- Evade the jammer's search
- Reduce impact of corrupted messages
Raise the bar for jamming DoS attackers
DEEJAM: defeating jamming at the MAC-layer

Contributions
- Define, implement, and show efficacy of four jamming attack classes: interrupt jamming, activity jamming, scan jamming, pulse jamming
- Propose four complementary solutions that together greatly improve communication: frame masking, channel hopping, packet fragmentation, redundant encoding
- Evaluate integrated protocol on MICAz platform to show suitability for popular embedded hardware
- Empirically show continued communication despite an ongoing attack

Assumptions
- Static wide-area deployment, no mobility
- Lightweight cryptographic primitives available
- Key distribution, time synchronization available
- Each pair of neighbors shares $K_N$, used to generate other keys and pseudo-random sequences
- Attacker compromises mote or uses mote-class hardware
- Can use all resources available to regular node

IEEE 802.15.4 Transceivers
802.15.4 defines: 250 Kbps, 16 channels, DSSS, 4-bit symbols, 32 chips/symbol
Transmit path:
- micro fills TXFIFO, issues transmit command
- after small delay, radio chip transmits frame
Receive path:
- search for DSSS coding
- sync 4-bit symbols on preamble
- sync bytes on Start of Frame Delimiter (SFD)
- buffer frame, signal micro
- micro reads RXFIFO, parses packet

A1: Interrupt Jamming
Attack goal: only jam when message on air
- Configure radio to generate interrupt on SFD
- In SFD interrupt vector, issue transmit command
- Time to initialize state and radio registers [10us]
- Internal radio stabilization delay [128-192us]
- Only need to invalidate Frame Check Sequence

D1: Frame Masking
Defense goal: prevent interrupt upon message header reception
Neighbors use secret SFD sequence:
- $K_S = E_{K_N}(0)$
- $SS = \{ E_{K_S}(i) \bmod 2^q \}$, q is length of SFD [1 or 2B]
Without knowing SS, attacker's radio:
- synchronizes on DSSS encoding in preamble
- searches for its configured SFD (not $SS_i$)
- does not capture message or generate interrupt

A2: Activity Jamming
Attack goal: poll channel energy to find message
- Attacker's micro polls RSSI / CCA output of radio
- When activity is detected, initiate jamming
- Sampling period: minimum time to sample RSSI [128us]
- Less reliable detection (false positives), more latency

D2: Channel Hopping
Defense goal: evade activity check
Neighbors channel hop according to secret shared sequence:
- $K_C = E_{K_N}(1)$
- $CS = \{ E_{K_C}(i) \bmod C \}$, C is number of channels [16]
Attacker has 1/C chance of sampling correct channel, U/C chance of detecting a message for channel utilization U

A3: Scan Jamming
Attack goal: find messages and jam
- Attacker scans channels, checking for activity and jamming if detected
- Minimum time to change frequency and stabilize [132us]

A3: Scan Jamming
- For C channels, attacker can always jam if:
- Since channel is chosen randomly, probability of successful scan jamming is at most:
- Defender wants to increase C and/or decrease $T_{pkt}$

D3: Packet Fragmentation
Defense goal: hop away before jammer reacts
- Fragment packets based on minimum reactive jam time
- Reassemble sequence of fragments at receiver

A4: Pulse Jamming
Attack goal: blindly disrupt fragments
- Transmit with duty cycle sufficient to corrupt any fragments present on a chosen channel: $T_{hdr} / (2T_{hdr} + T_{frag})$ [< 50%]
Disadvantages:
- Not reactive, not stealthy
- Cannot selectively jam by inspecting header

D4: Redundant Encoding
Defense goal: recover from damaged fragments
- Redundantly encode fragments with configurable rate R
- (Some) fragments corrupted on a pulse jammed channel are recoverable
- Requirement for CS: C i C i+1

DEEJAM MAC Protocol Summary
- Compute FCS for entire packet
- Divide into small fragments
- Encode redundantly with rate R
- Assign SFD from receiver's current SS
- Transmit on channel in receiver's current CS
Channel hopping by itself is not sufficient
Cannot assume a priori that attacker pulse jams
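The five sender steps above, together with the D1 and D2 sequence derivations, as an added Python sketch that is not the authors' nesC code. Assumptions: HMAC-SHA256 stands in for the unspecified primitive E, a library CRC-16 stands in for the FCS, "rate R" is modelled as sending each fragment R times, and a jammed copy is modelled as a frame that never arrives; the key and packet are constructed.

```python
import binascii
import hashlib
import hmac

C = 16       # number of 802.15.4 channels (from the slides)
Q_BYTES = 1  # SFD length q in bytes; the slides allow 1 or 2

def E(key: bytes, i: int) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the slides' unspecified E_K(i).
    return hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()

def sequences(k_n: bytes, n: int):
    """Derive the first n entries of the SFD sequence SS and channel sequence CS."""
    k_s, k_c = E(k_n, 0), E(k_n, 1)  # K_S = E_KN(0), K_C = E_KN(1)
    ss = [int.from_bytes(E(k_s, i), "big") % (1 << 8 * Q_BYTES) for i in range(n)]
    cs = [int.from_bytes(E(k_c, i), "big") % C for i in range(n)]
    return ss, cs

def fcs(data: bytes) -> bytes:
    # Assumption: a CRC-16 from the standard library stands in for the FCS.
    return binascii.crc_hqx(data, 0).to_bytes(2, "big")

def send(packet: bytes, k_n: bytes, frag_len: int, r: int):
    """FCS over the whole packet, fragment, send each fragment r times
    (repetition is an assumed stand-in for the redundant encoding)."""
    body = packet + fcs(packet)
    frags = [body[i:i + frag_len] for i in range(0, len(body), frag_len)]
    ss, cs = sequences(k_n, len(frags) * r)
    return [{"slot": s, "sfd": ss[s], "chan": cs[s], "data": frags[s // r]}
            for s in range(len(frags) * r)]

def receive(frames, k_n: bytes, n_frags: int, r: int):
    """Accept only frames matching the expected SFD and channel, then reassemble."""
    ss, cs = sequences(k_n, n_frags * r)
    got = {}
    for f in frames:  # frames that were not erased by the jammer (assumed model)
        s = f["slot"]
        if f["sfd"] == ss[s] and f["chan"] == cs[s]:
            got.setdefault(s // r, f["data"])  # first surviving copy wins
    if len(got) < n_frags:
        return None  # a fragment with no surviving copy loses the packet
    body = b"".join(got[i] for i in range(n_frags))
    return body[:-2] if fcs(body[:-2]) == body[-2:] else None

# Constructed inputs: a 39-byte packet and a made-up neighbor key K_N.
K_N = b"constructed-neighbor-key"
PACKET = bytes(range(39))
```

Dropping one copy of a fragment from the output of `send(PACKET, K_N, 8, 2)` still lets `receive` return the packet, while the same loss with `r=1` returns `None`.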

Implementation
- Prototype implementation in nesC for TinyOS, using MICAz's TI Chipcon CC2420
- To minimize fragment length: shortened $T_{txdelay}$ to 4B, shortened preamble to 1B, removed unused IEEE 802.15.4 MAC fields
- Interrupt jamming: byte-serial receive mode + FIFOP interrupt with threshold zero

Evaluation
- Sender to receiver, attacker jamming
- Five 60s runs, 32 msg/s, 39B total length
- Total of 9595 messages per datum
- Use 16 channels
- Transmit power -7 dBm
Measure:
- Packet Delivery Ratio with attacks
- Jamming effort
- PDR with no attacks

Performance (with attacks)
- Scanning too slow
- 100% effective
- 89% PDR despite pulse jamming

Jamming Effort (Bps)
- Effort of jammer greatly increases even without real traffic present.

Performance (no attacks)
- Loss of any fragment causes loss of entire packet
- Recover from loss (R=2)
- Impact of DEEJAM on PDR with no attacks is small

Conclusions
- With no defense, a stealthy interrupt jamming attack is 100% effective
- Adding defenses forces attacker to adapt
- Ultimately, despite an active pulse jamming attack, PDR drops by only 11%
- For many systems, recovery of performance during attack is worth the overhead
- More powerful jamming is possible but without countermeasures it is not necessary
