This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2009 proceedings
Detection of Jamming Attacks in Wireless Ad Hoc Networks using Error Distribution Ali Hamieh, Jalel Ben-Othman CNRS-PRiSM Laboratory, University of Versailles 45 av. des Etats Unis, 78035 Versailles, France {ali.hamieh, jalel.ben-othman}@prism.uvsq.fr
Abstract—Mobile ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. Military tactical and other security-sensitive operations are still the main applications of ad hoc networks. One main challenge in the design of these networks is their vulnerability to Denial-of-Service (DoS) attacks. In this paper, we consider a particular class of DoS attacks called Jamming. The objective of a jammer is to interfere with legitimate wireless communications. A jammer can achieve this goal by either preventing a real traffic source from sending out a packet, or by preventing the reception of legitimate packets. We propose in this study a new method for detecting such attacks by measuring the error distribution.
Index Terms—Ad Hoc Networks, IEEE 802.11 MAC Protocol, Jamming Attack, Correlation.
This work is supported by ANR (French Research National Agency) under CLADIS grant N. 05-SSIA-0018.
978-1-4244-3435-0/09/$25.00 ©2009 IEEE
I. INTRODUCTION
In a Mobile Ad hoc NETwork (MANET), a collection of mobile hosts with wireless network interfaces forms a temporary network without the aid of any fixed infrastructure or centralized administration. The ad hoc nodes are equipped with wireless transmitters/receivers using antennas which may be omnidirectional (broadcast), highly directional (point-to-point), or some combination thereof. At a given time, the system can be viewed as a random graph due to the movement of the nodes, their transmitter/receiver coverage patterns, the transmission power levels, and the co-channel interference levels. The network topology may change with time as the nodes move or adjust their transmission and reception parameters. One main challenge in the design of these networks is their vulnerability to Denial-of-Service (DoS) attacks [9]. Guarding against DoS attacks is a critical component of any security system. While DoS has been studied extensively for wire-line networks, there is a lack of research on preventing such attacks in mobile ad hoc networks. Due to their deployment in tactical battlefield missions, these networks are susceptible to attacks by malicious intruders. These intruders might attempt to disrupt or degrade the functioning of the whole network or may harm a specific node. Also, in mobile ad hoc networks, mobility, limited bandwidth, routing functionalities associated with each node, etc., present many new opportunities for launching a DoS. In this paper, we consider a particular class of DoS attacks called Jamming. In fact, the mobile hosts in mobile ad hoc networks share a wireless medium. Thus, a radio signal can be jammed or interfered with, which causes the message to be corrupted or lost. If the attacker has a powerful transmitter, a signal can be generated that will be strong enough to overwhelm the targeted signals and disrupt communications. There are many different attack strategies that a jammer can perform in order to interfere with other wireless communications. Some possible strategies are exposed below [6]:
• Constant Jammer: A constant jammer continuously emits a radio signal that represents random bits; the signal generator does not follow any MAC protocol.
• Deceptive Jammer: Different from the continuous jammers, deceptive jammers do not transmit random bits; instead they transmit semi-valid packets. This means that the packet header is valid but the payload is useless.
• Random Jammer: Alternates between sleeping and jamming the channel. In the first mode the jammer jams for a random period of time (it can behave either like a constant jammer or a deceptive jammer), and in the second mode (the sleeping mode) the jammer turns its transmitters off for another random period of time. The energy efficiency is determined as the ratio of the length of the jamming period over the length of the sleeping period.
• Reactive Jammer: A reactive jammer tries not to waste resources by only jamming when it senses that somebody is transmitting. Its target is not the sender but the receiver: it tries to inject as much noise as possible into the packet to modify as many bits as possible, given that only a minimum amount of power is required to modify enough bits so that, when a checksum is performed over that packet at the receiver, it will be classified as not valid and therefore discarded.
However, some jamming techniques use the MAC protocol of ad hoc networks, and hence a brief description of the ad hoc MAC layer is given in the next section. The development of detection and reaction mechanisms for jamming nodes is necessary. Detecting a jamming attack is not easy in IEEE 802.11n because we don’t differentiate a
collision with a bad SNR. Our purpose is to detect a specific type of jamming, in which the jammer transmits only when valid radio activity is signaled from its radio hardware. At other times, the attacking device enters sleep states while its radio passively listens. The attacker also saves energy and decreases the probability of detection by jamming each packet with probability $p_{jam}$. Our jammer uses the same hardware as ad hoc nodes in terms of capability, energy capacity, and complexity. A variety of metrics can be used to compare various jamming attacks. Some metrics are exposed below [1]:
• Energy efficient
• Low probability of detection
• Stealthy
• Strong DoS, complete if so desired
• Maintain behavior consistent with or close to the protocol standard
• Authenticated or unauthenticated users
• Strength against error correction algorithms
• Strength against physical layer techniques such as FHSS, DSSS, CDMA.
These criteria are jamming scenario dependent. This means that the jamming scenario will best tell us which are the suitable criteria to use in order to compare two different jamming techniques for a particular case. For example, energy efficiency may be the most important metric for sensor networks where nodes are expected to live for a long time. Of course, in all cases a jammer wants to be energy efficient and to have a low probability of detection in order to be stealthy. This can be achieved by maintaining consistency with MAC layer behaviors. Jamming and its countermeasures have a long history in military applications where the jammer is used to degrade enemy radio communications. The military has long dealt with jamming by using spread-spectrum communication [4]. Our approach to jamming detection is based upon the measure of statistical correlation. In fact, the idea of our approach can be summarized as the strong correlation that we have observed between the error and the correct reception times.
The rest of the paper is organized as follows: Section II presents the MAC protocol of ad hoc networks. In Section III, an overview of the related work in the domain of jamming is given. In Section IV, we introduce the correlation used in our proposed technique with the details of our method to detect a jamming attack. The simulation models and numerical results are given in Section V. Finally, we summarize the main contribution of our work and its perspectives in Section VI.
II. THE MAC LAYER OF AD HOC NETWORKS
The current IEEE 802.11 wireless ad hoc protocol employs the Distributed Coordination Function (DCF) for Medium Access Control (MAC) [13]. The DCF mechanism defines a distributed access algorithm based on Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). The goal of the CSMA/CA protocol is to minimize collisions and to guarantee fair access to the channel. If a node has a packet to transmit, it senses the medium during an idle period which
Fig. 1. The Distributed Coordination Function (DCF) with RTS/CTS handshake.
corresponds to a DIFS (Distributed Inter Frame Space). If the medium is busy, a random backoff interval is selected. The backoff time counter is decremented as long as the channel is idle, then stopped when a transmission is detected on the channel, and then reactivated when the channel is sensed idle again for more than a DIFS. The node transmits when the backoff time reaches 0. In addition, to avoid channel capture, a node must wait a random backoff time between two consecutive transmissions, even if the medium is sensed idle in the DIFS time. The backoff time is uniformly chosen in the interval $[0, CW - 1]$, where $CW$ is the Contention Window size. At the first transmission attempt $CW$ is equal to $CW_{min}$, and it is doubled at each retransmission up to $CW_{max}$. If a node's data transmission is successful, the node resets its $CW$ to $CW_{min}$. The receiver acknowledges a successful reception by transmitting an ACK (ACKnowledge) frame. Taking into consideration the problem of hidden nodes, CSMA/CA uses the Request to Send (RTS) and Clear to Send (CTS) control packets to reserve the channel. Before transmitting, a node sends an RTS frame to the receiver. When the RTS arrives at the destination, the destination sends back a CTS frame if it is not currently busy. This RTS/CTS exchange, which also contains timing information about the length of the subsequent transmission, known as NAV (Network Allocation Vector), is detected by all nodes within hearing range of either the sender or the receiver or both. These nodes defer their transmissions until the ongoing transmission is complete. A SIFS (Short Inter Frame Space) interval guarantees an uninterrupted four-way exchange of successful RTS and then CTS, DATA, and ACK frames. Fig. 1 illustrates the workings of the DCF method in a simplified way.
Using this knowledge of the MAC protocol, a jammer can be made more effective. For example, the jammer can send out fake RTS packets whenever it finds the medium idle and reserve the channel for the maximum time duration possible, thereby degrading the network throughput with very little effort. The related work in the domain of jamming attacks is presented in the next section.
III. RELATED WORK
The shared nature of the wireless medium in ad hoc networks allows attackers to easily observe communications between wireless devices and launch simple DoS attacks against wireless networks by jamming or interfering with communication. Such attacks in the physical layer cannot be addressed through conventional security mechanisms. An attacker can simply disregard the medium access protocol and continually transmit in a wireless channel. By doing so, the attacker prevents users from being able to commit legitimate MAC operations. The issues of jamming detection, prevention and reaction in wireless networks have received significant attention recently. Xu et al. [3] propose two methods to react to jamming attacks: channel surfing and spatial retreats. The first technique has been inspired in some way by the frequency hopping technique. Unlike frequency hopping, which takes place at the PHY layer, channel surfing takes place at the MAC layer. When a node detects that it is jammed, it can switch its channel and send a beacon message on the new channel frequency band. Its non-jammed neighbors will detect the absence of this node and change their channel to get the beacons broadcast in the new channel. If no beacon is detected, then they assume that the node just moved away. On the other hand, if they sense a beacon, they will inform the rest of the network on the initial channel to switch the channel. There are two possible approaches. In the first approach the whole network will eventually change channel, while in the second approach only the boundary nodes of the jammed region will change their channel, and they will be used as relays for the rest of the network and the jammed area. In the spatial retreats method, when a node detects that it is being jammed, it first escapes from the jammed area and then tries to stay connected with the rest of the network in order to avoid the partition of the network reconstruction phase. More specifically, when a node senses that it is being jammed, it starts moving out of the jammed region and simultaneously runs the detection algorithm. When it detects that it has moved out of the jammed area, it tries to stay connected with its previous neighbors. In order to stay connected, it keeps moving at the boundary of the jammed area. If the node does not recognize that it is out of the jammed area and it continues to move away, it could end up outside the network partition, which makes it impossible to stay connected. Wood et al. [5] described various denial-of-service attacks against WSN nodes. In [4], the authors presented DEEJAM, a protocol for detecting and reacting to a jamming attack using IEEE 802.15.4-based hardware. It uses frame masking, channel hopping, packet fragmentation, and redundant encoding to eliminate most of the impact of jamming by a mote-class attacker. All of the components of DEEJAM must be used simultaneously to resist all types of jamming described in [4], resulting in energy consumption overheads exceeding 150%. Such overheads are extreme and can reduce network lifetime to a fraction of what it would be without them. In the case that a jamming attack is ongoing, this overhead is justified, but in the more likely case that there is no jamming attack, it might be prohibitively expensive. Xu et al. [6] studied the feasibility of launching and detecting jamming attacks in wireless networks. Their paper shows that by using signal strength, carrier sensing time, or the packet delivery ratio individually, one is not able to definitively conclude the presence of a jammer. Therefore, to improve detection, the authors introduced the concept of consistency checking, where the packet delivery ratio is used to classify a radio link as having poor utility, and then a consistency check is performed to classify whether poor link quality is due to jamming. Two enhanced detection algorithms are presented: one considering signal strength as a consistency check, and the other taking into account location information as a consistency check. However, there are some issues that are critical for their performance, such as the frequency of the location advertisements, which need to be considered in more depth. JAM [8] is a service for sensor networks which detects jammed areas in the sensor network and helps to bypass the jammed area, enabling routing within the sensor network to continue. This technique is only reliable in the presence of constant jamming and will not detect random or reactive jamming. In [2], the use of low density parity check (LDPC) codes is proposed to cope with jamming. Further, an anti-jamming technique is proposed for 802.11b that involves the use of Reed-Solomon codes.
To the best of our knowledge, an approach based on correlation, such as ours, has not been proposed in the literature to detect jamming attacks in ad hoc networks. Our method is described in the next section.
IV. DETECTION BY CORRELATION
We assume that the jammer transmits only when valid radio activity is signaled from its radio hardware. At other times, the attacking device enters sleep states while its radio passively listens. Using this strategy, the attacker saves energy and decreases the probability of detection by jamming each packet with probability $p_{jam}$. Thus, to differentiate this jamming scenario from legitimate scenarios, we have measured the dependence between the periods of error and correct reception times. In fact, the jammer's access to the channel depends on the active nodes' access to the channel. Thus, this dependence measure is greater in the jamming attack case than in normal network activity. In order to measure this dependency, we have used the Correlation Coefficient, which is a statistical measure of the relation between two random variables. This correlation is exposed below.
A. Correlation
The correlation is a measure of the association between two random variables. The Correlation Coefficient (CC) between two random variables, X and Y, is defined as:
$$CC = \frac{\mathrm{cov}(X, Y)}{\sigma_X \cdot \sigma_Y} \qquad (1)$$
The value of the correlation coefficient is between −1 and 1. The sign of CC indicates the direction of the linear pattern. Values of CC closer to −1 or 1 indicate a strong correlation; when it is near 0 it indicates the absence of a useful relationship. It is possible that X and Y are related by a linear relation: $y = a \cdot x + b$. Linear regression determines an estimate of the values a and b to quantify this relation through the correlation coefficient [7]. The value of a is estimated to be $\frac{\mathrm{cov}(X, Y)}{\mathrm{var}(X)}$. The main advantages of the proposed model are its simplicity and efficiency for detecting jamming attacks. Also, as our model is passive, there is no communication overhead. In addition, the required storage and computation overhead is very small. Therefore, the solution is easy to implement in existing devices. The following subsection explains the proposed approach in detail.
B. Detection System
In this sub-section, we describe our model to detect the jamming attack in ad hoc networks. A transmission node measures the Error Probability (EP) and the Correlation Coefficient (CC). The CC is measured between the reception error time and the correct reception time. Thus, if the CC is larger than the value produced relative to the EP, then the network is considered jammed. We would like to point out that jamming with a small percentage, which only marginally affects the network (i.e., no congestion), does not cause noticeable damage to the network quality. Moreover, it also does not need to be detected or defended against. The relation between CC and EP may be measured by simulation, or by measurement of the regression in normal network dynamics. In fact, the system is composed of two phases:
a) Initialization Phase: It consists of calculating at the beginning the value of the threshold w, defined as the maximum value of the slope that any couple (CC, EP) should have. In fact, after a determined period of simulations, the value of w will be estimated from simulation.
However, this w value can also be estimated theoretically in the following way: take $\varepsilon_i = cc_i - a \cdot ep_i - b$ as the difference between the line (estimated by the linear regression) and the point $(cc_i, ep_i)$. Thus, the estimator of the residual variance $\hat{\sigma}_{\varepsilon_i}^2$ is
$$\hat{\sigma}_{\varepsilon_i}^2 = \frac{1}{n-2} \cdot \sum_{i=1}^{n} \varepsilon_i^2 .$$
Therefore, the variance of the slope a of the line can be calculated using
$$\hat{\sigma}_a^2 = \frac{\hat{\sigma}_{\varepsilon_i}^2}{n \cdot \mathrm{var}(EP)},$$
where n is the number of simulations. In this case, we are in the Student-test setting, where the variance of a random variable is known and the standard deviation is unknown. In the Student test, for a given level of confidence $\alpha$, the error over a can be estimated by:
$$\Delta a = \hat{\sigma}_a \cdot t^{\,n-2}_{(1-\alpha)/2} .$$
In our approach, we have taken $t^{\,n-2}_{(1-\alpha)/2} = 3$, which corresponds to a 99.7% confidence level. Therefore, the proposed threshold is
$$w = a + \Delta a, \quad \text{where } \Delta a = 3 \cdot \frac{\hat{\sigma}_{\varepsilon_i}}{\sqrt{n \cdot \mathrm{var}(EP)}} .$$
We should notice that the threshold w is calculated in the non-jammed case.
b) Detection Phase: The transmission node calculates the EP and
$$CC = \frac{\mathrm{cov}(X, Y)}{\sigma_X \cdot \sigma_Y} .$$
$X(x_i;\ i = 1, \ldots, t)$ is the reception error time and $Y(y_i;\ i = 1, \ldots, t)$ is the correct reception time for the node, where t is the number of simulated points. Thus, if the CC is bigger than $w \cdot EP$, it means that the network is under jamming attack.
V. SIMULATION
We use NS-2 [10] in order to evaluate the correctness of our proposed detection system. The parameters in Table I are used in the simulations.
TABLE I. PARAMETERS OF THE SIMULATED AD HOC NETWORK.
Transmission Rate (Mb/sec)    2
MAC Layer Protocol            802.11
Simulations Area (m)          800 x 800
Transmission Range (m)        250
Radio Propagation Model       Shadowing
Traffic Model                 CBR
Simulation Time (s)           30
Packets size (bytes)          1000
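The two phases of the detection system of Section IV-B, as an added Python sketch (not the authors' code). The function names and all sample values are constructed for illustration, and two points are assumptions: X and Y are taken as per-window error and correct reception durations, and EP is taken as the share of reception time spent in error.

```python
import math

# Constructed calibration data: (EP, CC) pairs from non-jammed runs.
CAL_EP = [0.10, 0.20, 0.30, 0.40, 0.50]
CAL_CC = [0.12, 0.18, 0.33, 0.38, 0.49]
# Constructed observation windows (ms): correct reception time Y and
# error reception time X. Both X series give the same EP (0.3).
Y_OK = [70, 140, 70, 140, 70, 140]
X_JAM = [28, 62, 31, 59, 29, 61]    # errors follow channel activity
X_NORM = [44, 47, 31, 29, 62, 57]   # errors unrelated to activity


def pearson(x, y):
    """Correlation coefficient CC = cov(X, Y) / (sigma_X * sigma_Y), Eq. (1)."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two series of equal length >= 2")
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0  # a constant series carries no dependence information
    return sxy / math.sqrt(sxx * syy)


def calibrate_threshold(ep, cc, t_value=3.0):
    """Initialization phase: w = a + delta_a from non-jammed (EP, CC) pairs."""
    n = len(ep)
    if n != len(cc) or n < 3:
        raise ValueError("need at least 3 (EP, CC) pairs for n - 2 > 0")
    m_ep, m_cc = sum(ep) / n, sum(cc) / n
    s_ee = sum((e - m_ep) ** 2 for e in ep)  # equals n * var(EP)
    if s_ee == 0:
        raise ValueError("EP must vary across calibration runs")
    a = sum((e - m_ep) * (c - m_cc) for e, c in zip(ep, cc)) / s_ee
    b = m_cc - a * m_ep
    # Residual variance: sum of eps_i^2 / (n - 2), eps_i = cc_i - a*ep_i - b.
    resid_var = sum((c - a * e - b) ** 2 for e, c in zip(ep, cc)) / (n - 2)
    delta_a = t_value * math.sqrt(resid_var / s_ee)  # 3 * sigma_eps / sqrt(n var)
    return a + delta_a


def is_jammed(error_times, correct_times, w):
    """Detection phase: returns (CC > w * EP, CC, EP)."""
    total = sum(error_times) + sum(correct_times)
    if total == 0:
        raise ValueError("no reception activity observed")
    ep = sum(error_times) / total  # assumption: EP as a time share
    cc = pearson(error_times, correct_times)
    return cc > w * ep, cc, ep


if __name__ == "__main__":
    w = calibrate_threshold(CAL_EP, CAL_CC)
    print("w =", round(w, 4))
    print("jammed sample:", is_jammed(X_JAM, Y_OK, w))
    print("normal sample:", is_jammed(X_NORM, Y_OK, w))
```

Both constructed samples have the same error probability, so a check on EP alone cannot separate them; only the correlation term does.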
The shadowing channel model captures the variations in channel conditions over time and space by using a Gaussian random variable, $X_{dB}$, with zero mean and $\sigma_{dB}$ standard deviation. The model is represented as:
$$\left[ \frac{P_r(d)}{P_r(d_0)} \right]_{dB} = -10 \, \beta \log\left( \frac{d}{d_0} \right) + X_{dB}$$
β is called the Path Loss Exponent, d is the distance between the sender and receiver, $P_r(d)$ is the received power and $P_r(d_0)$ is the power at some reference distance $d_0$. For free space propagation β is 2 and we use this value in our simulations. The value of $\sigma_{dB}$ is set to 4. The nodes send CBR (Constant Bit Rate) traffic. The frame length was set to 1000 bytes in the default case. Results are averaged over 30 simulations, 30 s each (100 s for the preliminary simulations). The simulation was restricted to an 800 m x 800 m area for node placement and travel. 802.11 was chosen as the MAC layer protocol. The data rate for each connection in the simulation is 2 Mbps.
Fig. 2. Measure the throughput under jamming attack. [Plot: throughput (bit/s) versus time (s), curves for node(0) and node(2).]
A. Impact of Jamming Attack
To determine the impact of a jamming attack on ad hoc networks, preliminary simulations have been performed. A small network of 3 nodes was considered, where node 1 is the jammer. All stations were within hearing range of each other. Figure 2 shows two curves: the throughputs of two nodes (node 0 and node 2). Node 0 starts at t1 = 0s, node 1 starts at t2 = 60s, and node 2 first starts at t3 = 30s, then stops at t4 = 60s, and finally starts at t5 = 90s. The simulation stops at t6 = 100s. As seen from this figure, the throughput of well-behaved hosts starts degrading under jamming attack. Hence, the development of a detection mechanism for jamming attacks is necessary.
B. Model Simulation
In Fig. 3 (respectively Fig. 4), we present the simulation results obtained for the average Correlation Coefficient (CC) for all nodes as a function of the number of mobile stations (respectively packet size). The CC is measured between the error and the correct reception times. The Error Probability of the jammed network is equal to the Error Probability of the normal network. Figs. 3 and 4 indicate that the CC in the jamming case is bigger than the CC in the normal case. These results are compatible with our idea for detecting jamming attacks. Thus, we can conclude from these results that our approach can detect the jamming attack with a very high probability.
Fig. 3. Measure the Correlation Coefficient as a function of the number of mobile stations. [Plot: Correlation Coefficient versus number of mobile stations, curves "Without Jam" and "Jam".]
Fig. 4. Measure the Correlation Coefficient as a function of packet size. [Plot: Correlation Coefficient versus packet size, curves "Without Jam" and "Jam".]
VI. CONCLUSIONS
Ad hoc networks using distributed wireless technology are used in many applications, such as tactical operations, rescue missions, commercial use and education. Due to their nature, ad hoc networks are vulnerable to DoS attacks, such as jamming attacks. The objective of a jammer is to interfere with legitimate wireless communications, and to degrade the overall QoS of the network. In this study, we have proposed a new model based on the measure of correlation between the error and the correct reception times in order to detect the presence of jamming
attack in ad hoc networks. The correlation is defined here as a measure of the association between two random variables. Our purpose is to detect a specific type of jamming, in which the jammer transmits only when valid radio activity is signaled from its radio hardware, which represents the major case of such attacks. The simulation results of the model are quite promising. In fact, we have been able to detect the presence of jamming with a very high degree of confidence. Our objective in the future is to use our approach to detect other DoS attacks, and to find an effective reaction mechanism to cope with jamming.
REFERENCES
[1] Mithun Acharya, David Thuente. Intelligent Jamming Attacks, Counterattacks and (Counter)2 Attacks in 802.11b Wireless Networks. In Proceedings of the OPNETWORK-2005 Conference, Washington DC, USA, August 2005.
[2] G. Noubir and G. Lin. Low-power DoS attacks in data wireless LANs and countermeasures. SIGMOBILE Mob. Comput. Commun. Rev., 7(3):29-30, 2003.
[3] W. Xu, T. Wood, W. Trappe, and Y. Zhang. Channel Surfing and Spatial Retreats: Defenses against Wireless Denial of Service. In Proceedings of the ACM Workshop on Wireless Security (WiSe), 2004.
[4] Anthony D. Wood, J. A. S., and Zhou, G. DEEJAM: Defeating energy-efficient jamming in IEEE 802.15.4-based wireless networks. 4th IEEE Conference on Sensor and Ad Hoc Communications and Networks (2007).
[5] A. D. Wood and J. A. Stankovic. Denial of service in sensor networks. IEEE Computer, 35(10):54-62, 2002.
[6] W. Xu, W. Trappe, Y. Zhang, and T. Wood. The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks. In Proceedings of MobiHoc05, Urbana-Champaign, Illinois, USA.
[7] Y. Dodge, V. Rousson. Analyse de régression appliquée. Dunod, 2004.
[8] A. D. Wood, J. A. Stankovic, and S. H. Son. JAM: A Jammed-Area Mapping Service for Sensor Networks. In Real-Time Systems Symposium (RTSS), Cancun, Mexico, 2003.
[9] I. Aad, J.-P. Hubaux, and E. W. Knightly. Denial of service resilience in ad hoc networks. In Proceedings of Mobicom, 2004.
[10] K. Fall, K. Varadhan. ns notes and documentation. UC Berkeley, LBL, USC/ISI, Xerox PARC, 2003.
[11] A. MacKenzie, S. Wicker. Stability of Multipacket Slotted Aloha with Selfish Users and Perfect Information. In Proc. of Infocom 2003, San Francisco, CA, IEEE, 2003.
[12] D. Burroughs, L. Wilson, and G. Cybenko. Analysis of Distributed Intrusion Detection Systems Using Bayesian Methods. In Proc. of IEEE International Performance Computing and Communication Conference, 2002.
[13] Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Standard 802.11, 1997.