The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks

Wenyuan Xu, Wade Trappe, Yanyong Zhang, Timothy Wood, WINLAB, Rutgers University

Mobihoc 2005

IAB, June 8th, 2005


Roadmap

Motivation and Introduction

Jammer Models
– Four models
– Their effectiveness

Basic Statistics for Detecting

Improved Jamming Detection Strategy

Conclusions & Future works

Jamming Style DoS

[Figure: Bob and Alice exchanging "Hello …" / "Hi …", and Mr. X transmitting "@#$%)$*#@&…".]

Jammers

Jamming style DoS Attack:
– Behavior that prevents other nodes from using the channel to communicate by occupying the channel that they are communicating on

A jammer
– An entity who is purposefully trying to interfere with the physical transmission and reception of wireless communications.

Is it hard to build a jammer?

Mr. X: No! Haha…

Jammers – Hardware

Cell phone jammer unit:
– Intended for blocking all mobile phone types within designated indoor areas
– 'plug and play' unit

Waveform Generator
– Tune frequency to whatever you want

MAC-layer Jammer (our focus)
– Mica2 Motes (UC Berkeley)
    8-bit CPU at 4MHz, 128KB flash, 4KB RAM
    916.7MHz radio
    OS: TinyOS
– Disable the CSMA
– Keep sending out the preamble


The Jammer Models and Their Effectiveness


Jammer Attack Models

[Figure: two flowcharts. Normal MAC protocol: Need to send m → Is channel idle? (No: Backoff; Yes: continue) → Is channel idle? (No: Backoff; Yes: start to send m). Jammer: Need to send m → start to send m.]

Jammer Attack Models

Constant jammer:
– Continually emits a radio signal
– It can prevent legitimate nodes from getting hold of channel, if the underlying MAC protocol determines whether a channel is idle or not by comparing the signal strength measurement with a fixed threshold.

Deceptive jammer:
– Constantly injects regular packets to the channel without any gap between concatenated packet transmissions
– A normal communicator will be deceived into the receive state

[Figure: a stream of random bits ("&F*(SDJFFD(*MC*(^%&^*&(%*)(*)_*^&*FS…"), and a stream of back-to-back packets (Preamble, Payload, CRC, Payload, …).]

Jammer Attack Models

Random jammer:
– Alternates between sleeping and jamming
    Sleeping period: turn off the radio
    Jamming period: either a constant jammer or deceptive jammer
– Good for those jammers that do not have unlimited power supply

Reactive jammer:
– No need to jam the channel if nobody is communicating
– Stays quiet when the channel is idle, starts transmitting a radio signal as soon as it senses activity on the channel.
– Targets the reception of a message
– Harder to detect

[Figure: bursts of random bits alongside the payloads of the underlying normal traffic.]

Metrics & Implementation

Goal of jammer:
– Interfere with legitimate wireless communications
– Prevent a sender from sending out packets
– Prevent a receiver from receiving legitimate packets

Packet Send Ratio (PSR)
– The ratio of packets that are successfully sent out by a legitimate traffic source compared to the number of packets it intends to send out in MAC layer

Packet Delivery Ratio (PDR)
– The ratio of packets that are successfully delivered to a destination compared to the number of packets that have been sent out by the sender

Implementation platform:
– Mica2 Motes
– Disabled channel sensing and backoff operation in TinyOS MAC protocol

Experiment Setup

Involving three parties:
– Normal nodes:
    Sender A
    Receiver B
– Jammer X

Parameters
– Four jammer models
– Distance
    Let dXB = dXA
    Fix dAB at 30 inches
– Power
    PA = PB = PX = -4dBm
– MAC
    Fix MAC threshold
    Adaptive MAC threshold (BMAC)

[Figure: Sender A, Receiver B and Jammer X, with the distances dAB, dXA and dXB.]

Experimental Results

Constant Jammer

dxa (inch)   BMAC PSR(%)   BMAC PDR(%)   FixMAC PSR(%)   FixMAC PDR(%)
38.6         74.37         0.43          1.00            1.94
54.0         77.17         0.53          1.02            2.91
72.0         99.57         93.57         0.92            3.26

Reactive Jammer, m = 7bytes

dxa (inch)   BMAC PSR(%)   BMAC PDR(%)   FixMAC PSR(%)   FixMAC PDR(%)
38.6         99.00         0.00          100.0           0.00
54.0         100.0         99.24         100.0           99.87
72.0         100.0         99.35         100.0           99.87

Reactive Jammer, m = 33bytes

dxa (inch)   BMAC PSR(%)   BMAC PDR(%)   FixMAC PSR(%)   FixMAC PDR(%)
38.6         99.00         0.00          100.0           0.00
44.0         99.00         58.05         100.0           87.26
54.0         99.25         98.00         100.0           99.53


Basic Statistics for Detecting Jamming Attacks


Signal Strength P.1

Idea:
– The signal strength distribution may be affected by the presence of a jammer

Assume
– Network devices can gather enough noise level measurements during a time period prior to jamming and build a statistical model describing normal energy levels in the network.

Statistical model
– Average signal value or the total signal energy over a window
– Signal strength spectral discrimination

Experiment platform:
– Mica2 Motes (UC Berkeley)
– Use RSSI ADC to measure the signal strength

Signal Strength P.2

[Figure: RSSI (dBm), on a scale from -100 to -60, against sample sequence number (0 to 1600), in six panels: CBR, MaxTraffic, Constant Jammer, Deceptive Jammer, Reactive Jammer, Random Jammer. Annotations: Normal traffic, Congested traffic, Jammers.]

Basic average detection doesn’t work!

Signal Strength P.3

Basic Average and Energy Detection don’t work!

How about spectral discrimination mechanism?
– Higher Order Crossing (HOC)
    The idea is to combine zero-crossing counts in stationary time series with linear filters.
    We calculated the first two higher order crossings for the time series.
    Window size: 240 samples

[Figure: two HOC scatter plots with axes D1 and D2, each from 0 to 200. One panel: CBR, MaxTraffic, Constant Jammer, Deceptive Jammer. Other panel: CBR, MaxTraffic, Reactive Jammer, Random Jammer.]

SS spectral discrimination doesn’t work!
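
How the D1 and D2 statistics on this slide are computed, as an added Python example (not the authors' code). It uses the first difference as the linear filter, which is an assumption about the authors' setup; both RSSI traces are constructed.

```python
WINDOW = 240  # window size from the slide


def zero_crossings(series):
    """Count sign changes between consecutive samples (zero counts as non-negative)."""
    signs = [v >= 0 for v in series]
    return sum(a != b for a, b in zip(signs, signs[1:]))


def hoc(window, order=2):
    """Return [D1, ..., D_order] for one window of RSSI samples."""
    if len(window) < 2:
        raise ValueError("need at least two samples")
    avg = sum(window) / len(window)
    z = [v - avg for v in window]              # make the series zero-mean
    counts = []
    for _ in range(order):
        counts.append(zero_crossings(z))       # D_k on the current series
        z = [b - a for a, b in zip(z, z[1:])]  # difference filter for D_(k+1)
    return counts


def hoc_per_window(trace, window=WINDOW):
    """Cut a trace into non-overlapping windows and return (D1, D2) for each."""
    return [tuple(hoc(trace[i:i + window]))
            for i in range(0, len(trace) - window + 1, window)]


# Constructed RSSI traces in dBm, one window each.
# Periodic traffic: 8 busy samples at -60 followed by 32 idle samples at -100.
CBR_LIKE = ([-60] * 8 + [-100] * 32) * 6
# Channel held busy the whole time, with 1 dB of sample-to-sample jitter.
BUSY_JITTER = [-60, -61] * 120

if __name__ == "__main__":
    for name, trace in (("CBR_LIKE", CBR_LIKE), ("BUSY_JITTER", BUSY_JITTER)):
        d1, d2 = hoc(trace)
        print(f"{name}: D1={d1} D2={d2}")
```

Each window becomes one (D1, D2) point, which is what the scatter plots on this slide compare across traffic and jammer types.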


Packet Delivery Ratio P.1

Carrier sensing time cannot detect reactive jammer.

Idea:
– Determine whether the communication node can receive packets in the way it should have had the jammer not been present.
– A non-aggressive jammer, which only marginally affects the PDR, does not need to be detected or defended against.

How much PDR degradation can be caused by non-jamming, normal network dynamics, such as congestion?

Experiment
– Setup
    3 MaxTraffic sources
    – Raw offered traffic rate: 19.38Kbps
    – Max allowed bandwidth: 12.364kbps
    Measure PDR at receiver side
– Result
    PDR: 78%

[Figure: MaxTraffic Sender and Receiver.]

Packet Delivery Ratio P.2

The PDRs are low in the presence of jammers

PDR is effective in discriminating jamming from congested network scenario.

Low PDR can be caused by network dynamics:
– Sender battery failure
– Sender moving out of the communication range

PDR cannot differentiate jamming attacks from other scenarios, such as poor link quality.

Deceptive Jammer

dxa (inch)   BMAC PSR(%)   BMAC PDR(%)   FixMAC PSR(%)   FixMAC PDR(%)
38.6         0.00          0.00          0.00            0.00
54.0         0.00          0.00          0.00            0.00
72.0         0.00          0.00          0.00            0.00

Jamming Detection with Consistency Checks


Signal Strength Consistency Checks P.1

Goal: to discriminate jamming attacks from
– normal congested scenarios
– other cases caused by poor link quality, sudden failures of nodes

Observation:
– PDR is a relatively good statistic, we can build some strategies upon PDR to achieve enhanced jammer detection.
– Normal scenarios:
    High signal strength → a high PDR
    Low signal strength → a low PDR
– Low PDR:
    Hardware failure or poor link quality → low signal strength
    Jamming attack → high signal strength

Idea:
– Node A checks whether all its neighbors share low PDRs with itself.
– If at least one neighbor has high PDR, Node A is not jammed.
– Otherwise, check whether the low PDR is consistent with the ambient signal strength Node A measures.
– If the PDR is low but signal strength is high, node A is jammed.
– If both are low, probably there are other reasons.

Signal Strength Consistency Checks P.2

Assumption:
– A node is only responsible for detecting whether it is jammed, and not its neighbors
– The network is sufficiently dense, each node has several neighbors
– Each node maintains a neighbor list
– All normal nodes in the network will send out heartbeat beacons, such as routing updates.

Algorithm:

    {PDR(N): N ∈ Neighbors} = Measure_PDR()
    MaxPDR = max{PDR(N): N ∈ Neighbors}
    if MaxPDR < PDRThresh then
        SS = Sample_Signal_Strength()
        CCheck = SS_ConsistencyCheck(MaxPDR, SS)
        if CCheck == False then
            post NodeIsJammed()
        end
    end

Signal Strength Consistency Checks P.3

Sample_Signal_Strength() returns the maximum value of the signal strengths during the sampling window.

SS_ConsistencyCheck(MaxPDR, SS) performs a consistency check to see whether the low MaxPDR values are consistent with SS, the signal strength measurements.

How does a consistency check work?

Signal Strength Consistency Checks P.4

Build a (PDR, SS) look-up table empirically
– Measure (PDR, SS) during a guaranteed time of non-interfered network.
– Divide the data into PDR bins, calculate the mean and variance for the data within each bin.
– Get the upper bound for the maximum SS that would have produced a particular PDR value during a normal case.
– Partition the (PDR, SS) plane into a jammed-region and a non-jammed region.

Experiment setup:
– The sender power: -5dBm
– Data rate: 20packets/sec
– Average PDR over 200 packets
– SS were sampled every 1msec for 200msecs
– Vary the DSR
– PDR bins: (0,40) (40,90) (90, 100)
– PDR threshold 65%
– 99% confidence bar

[Figure: PDR vs. SS, with axes PDR % and SS (dBm) and the Jammed Region marked.]
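
The look-up table and the detection algorithm from slides P.2 to P.4, as an added Python example (not the authors' TinyOS code). The training pairs are constructed; taking each bin's upper bound as mean + 2.326 standard deviations is an assumption about how the 99% confidence bar is computed, and so is treating a node that hears no neighbor as MaxPDR = 0.

```python
from statistics import mean, stdev

PDR_BINS = [(0, 40), (40, 90), (90, 100)]  # PDR bins from the slide (percent)
PDR_THRESH = 65.0                          # PDR threshold from the slide
Z_99 = 2.326  # assumption: one-sided 99% normal quantile for the confidence bar

# Constructed (PDR %, SS dBm) pairs standing in for a jammer-free training run.
TRAINING = [
    (10, -97), (20, -95), (30, -96), (35, -94),
    (50, -90), (60, -88), (70, -87), (85, -86),
    (92, -78), (95, -74), (98, -70), (100, -72),
]


def _in_bin(pdr, lo, hi):
    # Half-open bins, except that the last bin also takes PDR = 100.
    return lo <= pdr < hi or (hi == 100 and pdr == 100)


def build_table(training):
    """Return [(lo, hi, ss_upper_bound)], one row per PDR bin."""
    table = []
    for lo, hi in PDR_BINS:
        ss = [s for p, s in training if _in_bin(p, lo, hi)]
        if len(ss) < 2:
            raise ValueError(f"PDR bin ({lo},{hi}) needs at least 2 samples")
        table.append((lo, hi, mean(ss) + Z_99 * stdev(ss)))
    return table


def ss_consistency_check(table, max_pdr, ss):
    """True if ss is at or below the normal upper bound for max_pdr's bin."""
    for lo, hi, upper in table:
        if _in_bin(max_pdr, lo, hi):
            return ss <= upper
    raise ValueError(f"PDR {max_pdr} is outside 0..100")


def node_is_jammed(table, neighbor_pdr, ss_window):
    """neighbor_pdr: {neighbor: PDR %}; ss_window: RSSI samples in dBm."""
    # Assumption: a node that hears no neighbor at all has MaxPDR = 0.
    max_pdr = max(neighbor_pdr.values(), default=0.0)
    if max_pdr >= PDR_THRESH:
        return False                 # at least one healthy link: not jammed
    if not ss_window:
        raise ValueError("no signal strength samples")
    ss = max(ss_window)              # Sample_Signal_Strength(): window maximum
    return not ss_consistency_check(table, max_pdr, ss)


if __name__ == "__main__":
    table = build_table(TRAINING)
    for lo, hi, upper in table:
        print(f"PDR ({lo},{hi}): normal SS <= {upper:.1f} dBm")
    # Low PDR on every link with a loud channel, then low PDR with a quiet one.
    print(node_is_jammed(table, {"B": 0, "C": 5}, [-62, -60, -61]))
    print(node_is_jammed(table, {"B": 20}, [-98, -96, -97]))
```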


Signal Strength Consistency Checks P.5

Jammer setup:
– Transmission power: -4dBm
– The reactive jammer injects 20-byte long packets
– The random jammer turns on for tj = U[0,31] and turns off for ts = U[0,31]

The (PDR, SS) values for all jammers distinctively fall within the jammed-region

The more aggressive the jammer is, the more likely it will be detected.

The less aggressive the jammer is, the less damage it causes to the network.

Similarly, we can deploy a location information based consistency check to achieve an enhanced jamming detection.

[Figure: PDR vs. SS, with axes PDR % and SS (dBm) and the Jammed Region marked.]

Conclusions:

Due to the shared nature of the wireless medium, it is an easy feat for adversaries to perform a jamming-style denial of service against wireless networks.

We presented four different jammer attack models. We have studied the effectiveness of them by constructing prototypes using the MICA2 Mote platform and measured the PSR and PDR.

We have studied the issue of detecting jamming attacks.
– We showed that a single measurement statistic is not enough to identify the presence of a jammer.
– We introduced the notion of consistency checks
– We presented two enhanced jamming detection algorithms:
    Employing signal strength as a consistency check
    Employing location information as a consistency check

Future Works:

Investigate the effectiveness of different jamming attack models in other wireless devices, e.g. 802.11 devices, and study their effectiveness in different wireless network topology.
– Infrastructured network
– Ad-hoc network

Study the jamming detection mechanism in other scenarios:
– Highly mobile jammers
– Highly mobile network nodes

Validate the jamming detection mechanism in a large scale sensor network

We are building a large scale jamming resistant wireless sensor network (approximately 50 nodes)