detection and defense against jammingdetection …wyxu/wenyuan_xu.pdfdetection and defense against...

Detection and Defense against JammingDetection and Defense against Jamming Attacks in Wireless Networks

Wenyuan Xu

Computer Science and EngineeringUniversity of South Carolina

Roadmap Introduction and motivation

d lJammer Models– Four models– Their effectiveness

Detecting Jamming attacks– Basic statistic + Consistency checkBasic statistic + Consistency check

Defense strategyCh l fi– Channel surfing

Future directions & Conclusionsu u e d e o s & Co us o s

Jamming Style DoS

Bob AliceHello

…Hi …

Jamming Style DoS

Bob AliceHello

…Hi …

@#$%%$#@&…

Mr XMr. X

Jamming Attacks Bob AliceHello … Hi

…

@#$%%$#@&…

Jamming Attacks:

Mr. X

Jamming Attacks:– Behavior that prevents other nodes from using the channel

to communicate by interfering with the physical transmission and reception of wireless communications

Unintentional jamming:– Co-existing devices: 802.11b/g interferes with cordless

phone Bluetooth Microwave ovenphone, Bluetooth, Microwave oven...– Equipment accidentally emits a signal on an frequency

band that does not belong to it.

Intentional jamming: – A transmitter, tuned to the same frequency as the

receiving equipment, can override any signal with enough power

The history of jammingWorld War II – Radio jamming– Jamming radar that is used to guide an enemy's

aircraft aircraft Mechanical jamming.

– Chaff, corner reflectors, decoys

Electrical jammingElectrical jamming– Spot jamming, sweep jamming…

– Jamming foreign radio broadcast stationsPrevent or deter citizens from listening to broadcasts Prevent or deter citizens from listening to broadcasts from enemy countries.

Co nte me eCountermeasure:– Frequency hopping over a broad-spectrum

The more random the frequency change, the more likely to counter the jammer

Jamming in the civilian worldCell phone jammer unit:– Intended for blocking all mobile phone types within

designated indoor areas – 'plug and play' unit– $1,950-$11,800+

Radar/speed gun jammers (Illegal!)Radar/speed gun jammers (Illegal!)– $100 - $2,000+

Radio Jammers (Illegal!) Radio Jammers (Illegal!) – Your neighbor plays loud radio while you are

preparing for your exam– Prevent nearby cars from playing loud music by

b d ti i l broadcasting your own signal

Jamming wireless networksWaveform Generator– Tune frequency to whatever you want

$1 500 $50 000+– $1,500 - $50,000+– Require external power supply

MAC layer JammersMAC-layer Jammers– 802.11 laptop – Mica2 Motes (UC Berkeley)

8 bit CPU at 4MH8-bit CPU at 4MHz128KB flash, 4KB RAM916.7MHz radioOS: TinyOSOS: TinyOSLanguage: NesC

– Disable the CSMA– Keep sending out the preamble Keep sending out the preamble

What has been done?Somewhat related work on jamming:– Greedy user behaviors

DOMINO: system for detection of greedy behavior in the MAC layer of IEEE 802.11 public Networks [Hubaux04]

– 802.11 DoS attacks802.11 Denial of Service attacks [Savage03][ g ]Attacks that jam RTS, and floods RTS [Perrig03]

Work on jamming attacks:Mapping a jamming area for sensor networks– Mapping a jamming-area for sensor networks

Brief discussion on jamming detection [Stankovic03]– Countermeasure against jamming attacks

Traditional physical layer technologies – Spread Spectrum [Di C 00] [W F 99][DigComm00], [WarFare99]Low density parity check codes (LDPC) [Noubir03]

– Channel capacity of jamming channelsThe capacity of Correlated Jamming Channels [Medard97]

What needs to be done?Lot of theoretical/simulation work on anti-jamming, but no systems-oriented study on jamming.

My goal: validate anti jamming solutions in a REAL systemMy goal: validate anti-jamming solutions in a REAL system.

Use commodity wireless devices, and make them jamming resistant.

O l di d – Only one radio card. – Can at most work on one channel a time.

Type of jammers interested:MAC layer jammers– MAC-layer jammers

– Unintentional interferers– Somewhat malicious jammers

Mica2 Motes (UC Berkeley) Mica2 Motes (UC Berkeley) – 8-bit CPU at 4MHz– 128KB flash, 4KB RAM– 916.7MHz radio– OS: TinyOS– OS: TinyOS

The Jammer Models and Their Effectiveness

This work appeared in “The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks,” Mobihoc 2005.

Jammer Attack Models&F*(SDJFFD(*MC*(^%&^*&(%*)(*)_*^&*FS…….

Constant jammer:– Continuously emits a radio signal

Payload …

Preamble CRC

PayloadPayload Payload Payload

Deceptive jammer:Deceptive jammer:– Constantly injects regular packets to the channel without any gap

between consecutive packet transmissions– A normal communicator will be deceived into the receive state

Jammer Attack Models&F*(SDJF ^F&*D( D*KC*I^ …

Random jammer:– Alternates between sleeping and jamming

Sleeping period: turn off the radioJamming period: either a constant jammer or deceptive Jamming period: either a constant jammer or deceptive jammer

Underling normal traffic

&F*(SDJ

Payload

^%^*&

Payload

CD*(&FG

Payload

…&F (SDJ % & CD (&FG

Reactive jammer:– Stays quiet when the channel is idle, starts transmitting a

radio signal as soon as it senses activity on the channel.– Targets the reception of a messageTargets the reception of a message

Metrics & ImplementationGoals of the jammer:– Interfere with legitimate wireless communications– Prevent a sender from sending out packets– Prevent a receiver from receiving a legitimate packets

Packet Send Ratio (PSR)– The ratio of packets that are successfully sent out by a legitimate The ratio of packets that are successfully sent out by a legitimate

traffic source compared to the number of packets it intends to send out in the MAC layer

Packet Delivery Ratio (PDR)Packet Delivery Ratio (PDR)– The ratio of packets that are successfully delivered to a destination

compared to the number of packets that have been sent out by the sender

Implementation platform:– Mica2 Motes– Disabled channel sensing and backoff operation in TinyOS MAC

protocol

Experiment SetupInvolved three parties:– Normal nodes:

Sender A Sender A

Receiver B

Receiver B – Jammer X

Parameters Parameters – Four jammer models– Distance

Let dXB = dXAdXB

dAB

Let dXB dXA

Fix dAB at 30 inches– Power

PA = PB = P X = -4dBmMAC

XB

dXA

– MACFix MAC thresholdAdaptive MAC threshold (BMAC) Jammer X

Experimental ResultsInvolved three parties:– Normal nodes:

Sender ADeceptive Jammer

d (inch) PSR(%) PDR(%)Receiver B

– Jammer X

Parameters

dxa (inch) PSR(%) PDR(%)

38.6 0.00 0.00

54.0 0.00 0.00

72.0 0.00 0.00

Parameters – Four jammer models– Distance

Let dXB = dXA

Reactive Jammer

d (inch) PSR(%) PDR(%)Let dXB dXA

Fix dAB at 30 inches– Power

PA = PB = P X = -4dBmMAC

dxa (inch) PSR(%) PDR(%)

m =7bytes

38.6 99.00 0.00

54.0 100.0 99.24

m =33bytes

38.6 99.00 0.00

54 0 99 25 98 00– MACFix MAC thresholdAdaptive MAC threshold (BMAC)

33bytes 54.0 99.25 98.00

Radio irregularity- PDR Contour

D i J i A k B i S i iDetecting Jamming Attacks: Basic Statistics plus Consistency Checks

This work appeared in “The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks,” Mobihoc 2005.

Basic Statistics P.1Idea:– Many measurements will be affected by the presence of a jammer– Network devices can gather measurements during a time period

prior to jamming and build a statistical model describing basic

80

-60CBR

prior to jamming and build a statistical model describing basic measurements in the network

Measurements– Signal strength

-100

-80 CBR

-100

-80

-60MaxTraffic

-60

Moving averageSpectral discrimination

– Carrier sensing time– Packet delivery ratio

Normal traffic

Basic

Congested traffic

-100

-80 Constant Jammer

-100

-80

-60

R

SS

I (dB

m)

Deceptive Jammer

Experiment platform:– Mica2 Motes– Use RSSI ADC to

measure the signal

average detection doesn’t work !

-100

-80

-60Reactive Jammer

100

-80

-60Random Jammer

measure the signal strength Jammers

0 200 400 600 800 1000 1200 1400 1600-100

sample sequence number

Signal Strength P.2

Basic Average and Energy Detection don’t work!How about spectral discrimination mechanism?– Higher Order Crossing (HOC)Higher Order Crossing (HOC)

Combine zero-crossing counts in stationary time series with linear filters.Calculate the first two higher order crossings for the time series. SS spectral series.Window size: 240 samples

200

HOC

200

HOC

SS spectral discrimination doesn’t work !

150

200

D2

150

200

D2

50

100

CBRMaxTrafficConstant Jammer

50

100

CBRMaxTrafficReactive JammerRandom Jammer

0 50 100 150 2000

D1

Deceptive Jammer0 50 100 150 200

0

D1

Random Jammer

Basic Statistics P.3Can basic statistics differentiate between jamming scenariosand normal scenarios including congested scenarios?

Signal strength Carrier Packet delivery Signal strength Carrier sensing time

Packet delivery ratio

Average Spectral Discrimination

Constant Jammer

Deceptive Jammer

Differentiate jamming scenario from all network dynamics e g

a e

Random Jammer

Reactive Jammer

Differentiate jamming scenario from all network dynamics, e.g. congestion, hardware failure– PDR is a relatively good statistic, but cannot handle hardware

failure– Consistency checks --- using Signal strengthy g g g

Normal scenarios: – High signal strength a high PDR – Low signal strength a low PDR

Low PDR:– Hardware failure or poor link quality low signal strengthp q y g g– Jamming attack high signal strength

Jamming Detection with Consistency Checks

Measure PDR(N){N Є Neighbors}

Build a (PDR,SS) look-up table empirically– Measure (PDR, SS) during a guaranteed time of

non-interfered network operation– Divide the data into PDR bins, calculate the mean

d i f th d t ithi h bi{N Є Neighbors}

PDR(N) < PDRThresh ? Not Jammed

No

and variance for the data within each bin.– Get the upper bound for the maximum SS that

world have produced a particular PDR value during a normal case.

– Partition the (PDR, SS) plane into a jammed-region and a non-jammed region.

PDR VS. SSPDR(N) < PDRThresh ? Not Jammed

Yes

Jammed Region

dB

m)

PDR(N) consistent with signal strength?

Yes

N

SS

(d

Jammed!

No

PDR %

Jamming Detection with Consistency ChecksJammer setup:– Transmission power: -4dBm– The reactive jammer injects 20-byte long packets– The random jammer turns on for t = U[0 31] and turns off for t = – The random jammer turns on for tj = U[0,31] and turns off for ts =

U[0,31]

The (PDR, SS) values for all jammers distinctively fall within the jammed-region

The more aggressive the jammer is, the more likely it will be detected.

PDR VS. SS

The less aggressive the jammer is, the less damage it causes to the network.

S l l d l

Jammed Region

dB

m)

Similarly, we can deploy a location information based consistency check to achieve an enhanced jamming detection.

SS

(d

PDR %

D f i J i A kDefenses against Jamming Attacks:Evasion Defense Strategies

This work appeared in “Channel surfing and spatial retreats: defenses against wireless denial of service ”, ACM WiSe 2004,and “Channel Surfing: Defending Wireless Sensor Networks from Jamming and Interference,” IPSN 2007, SenSys 2006

Handling Jamming: StrategiesWhat can you do when your channel is occupied?– In wired networks you can cut the link that causes the problem, but

in wireless… – Make the building as resistant as possible to incoming radio signals?Make the building as resistant as possible to incoming radio signals?– Find the jamming source and shoot it down?– Battery drain defenses/attacks are not realistic!

Protecting networks is a constant battle between the Protecting networks is a constant battle between the security expert and the clever adversary.

Our approach: He who cannot defeat his enemy h ld t t (“Thi t Si St t ” )should retreat (“Thirty-Six Stratagems” ).

Retreat Strategies:– Channel surfing– Spatial retreat

Channel SurfingIdea:– If we are blocked at a particular channel, we can resume

our communication by switching to a “safe” channelInspired by frequency hopping techniques but operates at – Inspired by frequency hopping techniques, but operates at the link layer in an on-demand fashion.

ChallengeDi t ib t d ti– Distributed computing

– Asynchrony, latency and scalability

Jammer Jammer

Node working in channel 1


channel 1

channel 2

Channel Surfing FrameworkChannel Surfing Algorithm: While (1) do

if NeighborsLost() == True thenworking_channel = next_channel; if FindNeighbor() == False thenif FindNeighbor() == False then

working_channel = original_channelelse

Use a Channel Surfing Strategyend

endend

Jammer Jammer



channel 1

channel 2

Channel Surfing FrameworkIssues– How does a node detect that its neighbor is missing?

Link quality

– How to ensure the boundary nodes find their missing neighbors in the new channel?

It takes less time for a node to detect the absence of a neighbor than it It takes less time for a node to detect the absence of a neighbor than it does for a node to decide it is jammed.

– How to choose the new channel?Make it harder for the adversary to predict Make it harder for the adversary to predict Keyed pseudo-random generatorC(n+1) = Ek(C(n))

H t th t k While (1) do

– How to resume the network connectivity?

( )if NeighborsLost() == True then

working_channel = next_channel; if FindNeighbor() == False then

working_channel = original_channelelse

Use a Channel Surfing Strategydend

endend

Coordinated Channel SurfingCoordinated Channel Surfing– The entire network changes its channel to a new channel

A node not effected

A jammed nodeDetect neighbors are missing Searching for missing neighbors A jammed node

A boundary node

channel 1

channel 2

g g g g g

J J

The network operate on new channelBroadcast channel-switch command

J

Strategy validationMica2 Motes

8-bit CPU at 4MHz,128KB flash, 4KB RAM916.7MHz radioOS: TinyOSOS: TinyOS

Debugging facilities:– JTag: not compatible with TinyOS 1.1.7– TOSSIM: poor PHY-layer support

Example: no multi channel supportExample: no multi-channel support– “Most effective” debugging interface: 3

LEDs

Upload code:– Wireless code propagation (Deluge):

Periodically broadcast code summary, which interferes with measurements.

– Most “reliable” way: manually plug Motes onto the MIB510 programming boardboard

Hardware failure– Need to solder wires from time to time

Strategy validationTestbed– 30 Mica2 motes – 2.5 feet spacing– Tree-based routing– Surge

Performance Metrics:– Network recovery – Protocol overhead

Experiment resultsPerformance Metrics:– Network recovery – Protocol overhead

Spectral MultiplexingSpectral Multiplexing– Jammed nodes switch channel– Nodes on the boundary of a jammed region serve as relay nodes between

different spectral zonesdifferent spectral zones

Challenge– Sender-receiver frequency mis-matching– Synchronization– Initiation– Slot duration

Algorithms– Synchronous Spectral Multiplexing– Asynchronous Spectral Multiplexing

JammerJammer



Node working in both channel 1 & 2

channel 1

channel 2

Synchronous Spectral MultiplexingIdea:– One global clock, divided into slots– Each slot is assigned to a single

channel The network may only use channel. The network may only use the assigned channel – regardless of whether nodes are jammed.

Challenges:Challenges:– How to synchronize the global time

efficiently when nodes may work in different channels?

– Initiation– Slot duration

Solution:– The root sends out SYNC to its

children, and the children send out SYNC to their children, and so on …

– Boundary nodes send SYNC in rapid succession across both channels.

Asynchronous Spectral MultiplexingIdea: – Nodes operate on local schedules. The boundary nodes make local decisions

on when to switch channel

Challenges:– How to coordinate the schedules among neighbors?– How long a node should stay on each channel?

Initiation– Initiation– Slot duration

Solution:Th b d d tifi it hild it h f h l– The boundary node notifies its children its change of channel

– Stay in each channel long enough to offset the switching overhead, short enough to avoid buffer overflow.

Experiment results:Synchronous

Spectrum MultiplexingAsynchronous

Spectrum Multiplexing

Down time dueto jamming

Channel Surfing AlgorithmCoordinated Channel Surfing– Pros:

Simple– Cons:

E if ll i f h k i j d h h l k h f Even if a small portion of the network is jammed, the whole network has to pay for the price of channel surfing.

Synchronous Spectral Multiplexing– Pros:

The deterministic and synchronous nature of this algorithm guarantees that it can The deterministic and synchronous nature of this algorithm guarantees that it can work well even under complex scenarios where multiple nodes need to work on multiple channels and these nodes are neighbors of each other.

– Cons: Extra overhead to maintain synchrony among nodes

Asynchronous Spectral Multiplexing– Pros:

Small synchronization overheard when jammed region is smallAble to adapt to local traffic and buffer conditions

– Cons:Complicated, advantage less pronounced when jammed region is large.

Coordinated Channel Surfing

Spectral Multiplexing

Synchronous AsynchronousSynchronous Asynchronous

ROM usage (bytes) 28186 32634 30070

RAM usage (bytes) 3511 3557 3495

SummaryDue to the shared nature of the wireless medium, it is an easy feat for adversaries to perform a jamming-style denial of service p j g yagainst wireless networks.

We proposed to detect jamming using consistency check based mechanism.

We have proposed evasion defense strategy to cope with jamming style of DoS attackscope with jamming style of DoS attacks.– Evasion defense: Channel-surfing, whereby changing

the transmission frequency to a range where there is no interference from the adversary.

Related publications[IEEE SDR Workshop 2007] Service Discovery and Device Identification in Cognitive Radio Networks

[IEEE ICDCS 2007] Temporal Privacy in wireless sensor networks (Acceptance ratio: 13 5%)13.5%)

[ACM IEEE IPSN 2007] Channel Surfing: Defending Wireless Sensor Networks from Jamming and Interference (Acceptance ratio: 21%)

[ACM Sensys 2006] Poster Abstract: Channel Surfing: Defending Wireless Sensor [ACM Sensys 2006] Poster Abstract: Channel Surfing: Defending Wireless Sensor Networks from Jamming and Interference

[ACM WiSe 2006] Securing Wireless Systems via Lower Layer Enforcements (Acceptance ratio: 19.6%)

[IEEE SDR Workshop 2006] TRIESTE: A Trusted Radio Infrastructure for Enforcing SpecTrum Etiquettes

[IEEE Networks Special Issue on Sensor Networks] Jamming Sensor Networks: Attack and Defense Strategies (Acceptance ratio: 10.3%)Attack and Defense Strategies (Acceptance ratio: 10.3%)

[ACM MobiHoc 2005] The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks (Acceptance ratio: 14.2%)

[ACM WiSe 2004] Channel surfing and spatial retreats: defenses against wireless [ ] g p gdenial of service (Acceptance ratio: 20%)

[IEEE GLOBECOM 2004] Key Management for 3G MBMS Security

References[Stankovic03] A. Wood, J. Stankovic, and S. Son, “JAM: A jammed-area Mapping Service for Sensor Networks,” 24th IEEE International Real-Time Systems Symposium, pp.287-297, 2003

[Hubaux04] M. Raya, J. Hubaux, and I. Aad, “DOMINO: a system to detect greedy behavior in IEEE 802.11 hotspots,” MobiSYS, pp.84-97, 2004

[DigComm00] J. G. Proakis. Digital Communications. McGraw-Hill, 4th edition, 2000

[WarFare99] C. Schleher. Electronic Warfare in the Information Age. Martech House, 1999

[Noubir03] G. Noubir and G. Lin. “Low-power DoS attacks in data wireless lans and countermeasures,” SIGMOBILE Mob. Comput. Commun. Rev., 7(3):29-30, 2003.

[Savage03] John Bellardo and Stefan Savage, “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions,” USENIX Security Symposium, Washington D.C., August 2003. Security Symposium, Washington D.C., August 2003.

[MedardAllerton97] M. Médard, "Capacity of Correlated Jamming Channels," Allerton Conference on Communications, Computing and Control, 1997

[XuWise04] W. Xu, T. Wood, W. Trappe, and Y. Zhang, “Channel surfing and spatial retreats: defenses against wireless denial of service,” in Proceedings of the 2004 ACM workshop on Wireless security, pp 80-89, 2004.

[Perrig03] R Negi and A Perrig “Jamming analysis of MAC protocols ” Carnegie Mellon Technical Memo 2003[Perrig03] R. Negi and A. Perrig, Jamming analysis of MAC protocols, Carnegie Mellon Technical Memo, 2003

[Law05] Y. Law, P. Hartel, J. den Hartog, and P. Havinga, “Link-layer jamming attacks on S-MAC," in Proceedings of the 2nd European Workshop on Wireless Sensor Networks (EWSN 2005), pp. 217-225, 2005

[Ma05] K. Ma, Y. Zhang, and W. Trappe, “Mobile network management and robust spatial retreats via network dynamics," in Proceedings of the 1st International Workshop on Resource Provisioning and Management in Sensor Networks (RPMSN05), 2005.

[Hubaux07] M Cagalj S Capkun and J P Hubaux “Wormhole-Based Anti-Jamming Techniques in Sensor Networks " to appear in IEEE [Hubaux07] M. Cagalj, S. Capkun, and J.P. Hubaux, Wormhole-Based Anti-Jamming Techniques in Sensor Networks, to appear in IEEE Transactions on Mobile Computing, January 2007.

[Medard06] S. Ray, P. Moulin, M. Médard, “On Jamming in the Wideband Regime,” International Symposium on Information Theory (ISIT), July 2006

[Navda07] V. Navda, A. Bohra, S. Ganguly, and D. Rubenstein, “Using channel hopping to increase 802.11 resilience to jamming attacks,” IEEE INFOCOM, 2007

[ d 0 ] l d d “O l k d k d f l S ” OCO[Poovendran07] M. Li, I. Koutsopoulos, and R. Poovendran, “Optimal jamming attacks and network defense policies in WSN,” IEEE INFOCOM, 2007

detection and defense against jammingdetection …wyxu/wenyuan_xu.pdfdetection and defense against...

Documents