Jammers in wsn

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 793

A Trigger Identification Service for
Defending Reactive Jammers in WSN
Ying Xuan, Yilin Shen, Nam P. Nguyen, and My T. Thai, Member, IEEE

Abstract—During the last decade, Reactive Jamming Attack has emerged as a great security threat to wireless sensor networks, due
to its mass destruction to legitimate sensor communications and difficulty to be disclosed and defended. Considering the specific
characteristics of reactive jammer nodes, a new scheme to deactivate them by efficiently identifying all trigger nodes, whose
transmissions invoke the jammer nodes, has been proposed and developed. Such a trigger-identification procedure can work as an
application-layer service and benefit many existing reactive-jamming defending schemes. In this paper, on the one hand, we leverage
several optimization problems to provide a complete trigger-identification service framework for unreliable wireless sensor networks.
On the other hand, we provide an improved algorithm with regard to two sophisticated jamming models, in order to enhance its
robustness for various network scenarios. Theoretical analysis and simulation results are included to validate the performance of this
framework.

Index Terms—Reactive jamming, jamming detection, trigger identification, error-tolerant nonadaptive group testing, optimization,
NP-hardness.

Ç

1 INTRODUCTION

S INCE the last decade, the security of wireless sensor
networks (WSNs) has attracted numerous attentions,
due to its wide applications in various monitoring systems
On the other hand, various network diversities are
investigated to provide mitigation solutions [6]. Spreading
spectrum [12], [5], [8] making use of multiple frequency
and vulnerability toward sophisticated wireless attacks. bands and MAC channels, Multipath routing benefiting
Among these attacks, jamming attack where a jammer node from multiple pre-selected routing paths [6] are two good
disrupts the message delivery of its neighboring sensor examples of them. However, in this method, the capability
nodes with interference signals, has become a critical threat of jammers are assumed to be limited and powerless to
to WSNs. Thanks to the efforts of researchers toward this catch the legitimate traffic from the camouflage of these
issue, as summarized in [12], various efficient defense diversities. However, due to the silent behavior of reactive
strategies have been proposed and developed. However, a jammers, they have more powers to destruct these mitiga-
reactive variant of this attack, where jammer nodes stay tion methods. To this end, other solutions are in great need.
quite until an ongoing legitimate transmission (even has a A mapping service of jammed area has been presented in
single bit) is sensed over the channel, emerged recently and [11], which detects the jammed areas and suggests that
called for stronger defending system and more efficient routing paths evade these areas. This works for proactive
detection schemes. jamming, since all the jammed nodes are having low PDR
Existing countermeasures against Reactive Jamming and thus incapable for reliable message delay. However, in
attacks consist of jamming (signal) detection and jamming the case of reactive jamming, this is not always the case.
mitigation. On the one hand, detection of interference Only a proportion of these jammed nodes, named trigger
signals from jammer nodes is nontrivial due to the nodes, whose transmissions wake up the reactive jammers,
discrimination between normal noises and adversarial are blocked to avoid the jamming effects.
signals over unstable wireless channels. Numerous at- In this paper, we present an application-layer real-time
tempts to this end monitored critical communication related trigger-identification service for reactive-jamming in wire-
objects, such as Receiver Signal Strength (RSS), Carrier Sensing less sensor networks, which promptly provides the list of
Time (CST), Packet Delivery Ratio (PDR), compared the trigger-nodes using a lightweight decentralized algorithm,
results with specific thresholds, which were established without introducing neither new hardware devices, nor
from basic statistical methods and multimodal strategies significant message overhead at each sensor node.
[9], [12]. By such schemes, jamming signals could be This service exhibits great potentials to be developed as
discovered, but to locate the jammer nodes based on these reactive jamming defending schemes. As an example, by
signals is much more complicated and has not been settled. excluding the set of trigger nodes from the routing paths,
the reactive jammers will have to stay idle since transmis-
sions cannot be sensed. Even though the jammers move
. The authors are with the Department of Computer Information Science and around and detect new sensor signals, the list of trigger
Engineering, University of Florida, CSE Building, Gainesville, Florida nodes will be quickly updated, so are the routing tables. As
32611-6120. E-mail: {yxuan, yshen, nanguyen, mythai}@cise.ufl.edu.
another example, without prior knowledge of the number
Manuscript received 1 Mar. 2010; revised 9 Mar. 2011; accepted 18 Mar. of jammers, the radius of jamming signals and specific
2011; published online 6 Apr. 2011.
For information on obtaining reprints of this article, please send e-mail to:
jamming behavior types, it is quite hard to locate the
tmc@computer.org, and reference IEEECS Log Number TMC-2010-03-0103. reactive jammers even the jammed areas are detected (e.g.,
Digital Object Identifier no. 10.1109/TMC.2011.86. by Wood et al. [11]). However, with the trigger nodes
1536-1233/12/$31.00 ß 2012 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS

794 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012

localized, we can narrow down the possible locations of (packet or bit) to disrupt the sensed signal (called jammer
reactive jammers. wake-up period), instead of the whole channel, which
Although the benefits of this trigger-identification means once the sensor transmission finishes, the jamming
service are exciting, its hardness is also obvious, which attacks will be stopped (called jammer sleep period). Three
dues to the efficiency requirements of identifying the set of concepts are introduced to complete this model.
trigger nodes out of a much large set of victim nodes, that Jamming range R. Similar to the sensors, the jammers are
are affected jamming signals from reactive jammers with equipped with omnidirectional antennas with uniform
possibly various sophisticated behaviors. To address these
power strength on each direction. The jammed area can be
problem, a novel randomized error-tolerant group testing
regarded as a circle centered at the jammer node, with a
scheme as well as minimum disk cover for polygons are
proposed and leveraged. radius R, where R is assumed greater than rs , for simulating
The basic idea of our solution is to first identify the set of a powerful and efficient jammer node. All the sensors within
victim nodes by investigating corresponding links’ PDR this range will be jammed during the jammer wake-up
and RSS, then these victim nodes are grouped into multiple period. The value of R can be approximated based on the
testing teams. Once the group testing schedule is made at the positions of the boundary sensors (whose neighbors are
base station and routed to all the victim nodes, they then jammed but themselves not), and then further refined.
locally conducts the test to identify each of them as a trigger Triggering range r. On sensing an ongoing transmission,
or nontrigger. The identification results can be stored locally the decision whether or not to launch a jamming signal
for reactive routing schemes or delivered to the base station depends on the power of the sensor signal Ps , the arrived
for jamming localization process. signal power at the jammer Pa with distance r from the
In the remainder of this paper, we first present the sensor, and the power of the background noise Pn .
problem definition in Section 2, where the network model, According to the traditional signal propagation model,
victim model, and attacker models are included. Then, we the jammer will regard the arrived signal as a sensor
introduce three kernel techniques for our scheme, Rando- transmission as long as the Signal-Noise-Ratio is higher than
mized Error-Tolerant Nonadaptive Group Testing, Clique-inde- some threshold, i.e., SNR ¼ Pn > where Pa ¼ Ps Á Y with
Pa
r
pendent Set (CIS), and Minimum Disk Cover in a Simple and called jamming decision threshold and path-loss factor,
Polygon in Section 3. The core of this paper: trigger-node ÁPn 1
Y as a log-normally random variable. Therefore, r ! ðPs ÁY Þ is
identification and its error-tolerant extension toward sophis- a range within which the sensor transmission will definitely
ticated jammer behaviors are presented, respectively, in trigger the jamming attack, named as triggering range. As will
Sections 4 and 5. A series of simulation results for evaluating
be shown later, this range r is bounded by R from above, and
the system performance and validating the theoretical
rs from below, where the distances from either bounds are
results are included in Section 6. We present related works
in Section 7 and summarize the paper in Section 8. decided by the jamming decision threshold . For simplicity,
we assume triggering range is the same for each sensor.
Jammer distance. Any two jammer nodes are assumed
2 PROBLEM MODELS AND NOTATIONS not to be too close to each other, i.e., the distance between
2.1 Network Model jammer J1 and J2 is ðJ1 ; J2 Þ R. The motivations behind
We consider a wireless sensor network consisting of this assumptions are three-fold: 1) the deployment of
n sensor nodes and one base station (larger networks with jammers should maximize the jammed areas with a limited
multiple base stations can be split into small ones to satisfy number of jammers, therefore large overlapping between
the model). Each sensor node is equipped with a globally jammed areas of different jammers lowers down the attack
synchronized time clock, omnidirectional antennas, efficiency; 2) ðJ1 ; J2 Þ should be greater than R, since the
m radios for in total k channels throughout the network, transmission signals from one jammer should not interfere
where k m. For simplicity, the power strength in each the signal reception at the other jammer. Otherwise, the
direction is assumed to be uniform, so the transmission latter jammer will not able to correctly detect any sensor
range of each sensor can be abstracted as a constant rs and transmission signals, since they are accompanied with high
the whole network as a unit disk graph (UDG) G ¼ ðV ; EÞ, RF noises, unless the jammer spends a lot of efforts in
where any node pair i; j is connected iff the euclidean denoising or embeds jammer-label in the jamming noise for
distance between i; j: ði; jÞ rs . We leave asymmetric the other jammers to recognize. Both ways are infeasible for
powers and polygonal transmission area for further study. an efficient attack; 3) the communications between jammers
are impractical, which will expose the jammers to anomaly
2.2 Attacker Model detections at the network authority.
We consider both a basic attacker model and several
advanced attacker models in this paper. Specifically, we 2.2.2 Advanced Attacker Model
provide a solution framework toward the basic attacker To evade detections, the attackers may alter their behaviors
model, and validate its performance toward multiple to evade the detection, for which two advanced reactive
advanced attacker models theoretically and experimentally. jamming models: probabilistic attack and asymmetric response
time delay are considered in this paper. In the first one, the
2.2.1 Basic Attacker Model jammer responds each sensed transmission with a prob-
Conventional reactive jammers [12] are defined as mal- ability independently. In the second one, the jammer
icious devices, which keep idle until they sense any ongoing delays each of its jamming signals with an independently
legitimate transmissions and then emit jamming signals randomized time interval.

XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 795

Fig. 1. Sensor periodical status report message.

We do not specify the possible changes of jamming
range R as an advanced model, since the trigger set in this
case will not change, though the victim set varies. Further,
we do not theoretically analyze the effects of various
jamming decision threshold in this paper version, but we
evaluate all these above factors in the simulation section.
Jammer mobilities are out of the scope of this paper, which
assumes that the jammers are static during our trigger-
Fig. 2. Nodes in gray and blue are victim nodes around jammer nodes,
identification phase. This is quite reasonable, since the time where blue nodes are also trigger nodes, which invoke the jammer
length of this phase is short, as to be shown later. nodes. Nodes surrounding the jammed are boundary nodes, while the
others are unaffected nodes.
2.3 Sensor Model
Besides monitoring the assigned network field and generat- consider only proactive jammers, while reactive jammers
ing alarms in case of special events (e.g., fire, high can bring up larger damage due to efficient attack and
temperature), each sensor periodically sends a status report hardness to detect. To this end, we embed a group testing
message to the base station, which includes a header and a process, i.e., the randomized error-tolerant group testing by
main message body containing the monitored results, means of our designed random ðd; zÞ-disjunct matrix, to the
battery usage, and other related content. As shown in routing update scheme, which avoids unnecessarily large
Fig. 1, the header is designated for antijamming purpose, isolated areas as [11] does. Moreover, most existing
which is 4-tuple: Sensor_ID as the ID of the sensor node, topology-based solutions [23], [24] can only handle the
Time_Stamp as the sending out time indicating the single-jammer case, since lacking of knowledge over the
sequence number, as well as a Label referring to the node’s jamming range and inevitable overlapping of the jammed
current jamming status, and TTL as the time-to-live field areas bring ups the analytical difficulties, for which we
which is initialized as the 2D with network diameter D. resort to a minimum disk cover problem in a simple polygon
According to the jamming status, all the sensor nodes can problem and a clique-independent set problem.
be categorized into four classes: trigger nodes T N, victim
nodes V N, boundary nodes BN, and unaffected node UN. 3.1 Error-Tolerant Randomized Nonadaptive Group
Trigger nodes refer to the sensor nodes whose signals awake Testing
the jammers, i.e., within a distance less than r from a Group Testing was proposed since WWII to speed up the
jammer. Victim nodes are those within a distance R from an identification of affected blood samples from a large sample
activated jammer and disturbed by the jamming signals.
population. This scheme has been developed with a
Since R r, T N V N. Other than these disturbed sensors,
complete theoretical system and widely applied to medical
UN and BN are the unaffected sensors while the latter ones
testing and molecular biology during the past several
have at least one neighbor in V N, hence BN UN, and
V N UN ¼ ;. The Label field of each sensor indicates the decades [1]. Notice that the nature of our work is to
smallest class it belongs to. The relationships among these identify all triggers out of a large pool of victim nodes, so
classes are shown in Fig. 2. this technique intuitively matches our problem.
There are two issues orthogonal to our solution. On one The key idea of group testing is to test items in multiple
hand, the detection of jammed signals at each sensor node is designated groups, instead of individually. The principles
orthogonal to this work, and can be completed via of traditional group testing are sketched in the Appendix,
sophisticated reactive jamming detection techniques, such which can be found on the Computer Society Digital
as comparing the SNR, PDR, and RSS with predefined Library at http://doi.ieeecomputersociety.org/10.1109/
thresholds, as shown in [9]. With regard to the effects of TMC.2011.86.
detection errors on our solution, we provide some
theoretical analysis at the end of Section 5.1.1. On the other 3.1.1 Traditional Nonadaptive Group Testing
hand, the detailed attack schemes adopted by the reactive The key idea of group testing is to test items in multiple
jammers are orthogonal with our application-layer service. designated groups, instead of testing them one by one. The
As long as the jamming detection techniques that we resort traditional method of grouping items is based on a
to can efficiently detect these malicious signals, either high designated 0-1 matrix MtÂn where the matrix rows
RF noises, fraud message segments, etc., our solution represent the testing group and each column refers to an
service is feasible. item (Fig. 3). M½i; jŠ ¼ 1 if the jth item appears in the ith
testing group, and 0 otherwise. Therefore, the number of
rows of the matrix denotes the number of groups tested in
3 THREE KERNEL TECHNIQUES parallel and each entry of the result vector V refers to the
In this section, three kernel techniques for the proposed test outcome of the corresponding group (row), where 1
protocol are introduced. Most existing antijamming works denotes positive outcome and 0 denotes negative outcome.


We only show the performance of this new construction,
namely, ETG algorithm in this section. The details of the
construction and analysis are included in the Appendix,
available in the online supplemental material.
Theorem 3.1. The ETG algorithm produces a ðd; zÞ-disjunct
Fig. 3. Binary testing matrix M and testing outcome vector V . Assumed
that item 1 (first column) and item 2 (second column) are positive, then
matrix with probability p0 where p0 can be arbitrarily
only the first two groups return negative outcomes, because they do not approaching 1.
contain these two positive items. On the contrary, all the other four
groups return positive outcomes. . The worst-case number of rows of this matrix is
bounded by
Given that there are at most d n positive items among
2
in total n ones, all the d positive items can be efficiently and 3:78ðd þ 1Þ2 log n þ 3:78ðd þ 1Þ log
correctly identified on condition that the testing matrix M is 1 À p0
d-disjunct: any single column is not contained by the union À 3:78ðd þ 1Þ þ 5:44ðd þ 1Þðz À 1Þ;
of any other d columns. Owing to this property, each
much smaller than 4:28d2 log 1Àp0 þ 4:28d2 log n þ
2
negative item will appear in at least one row (group) where 2 2nÀ1
9:84dz þ 3:92z ln 1Àp0 .
all the positive items do not show up, therefore, by filtering
all the items appearing in groups with negative outcomes, all the . If z
t, the worst-case number of rows becomes
left ones are positive. Although providing such simple
ln nðd þ 1Þ2 À 2ðd þ 1Þ lnð1 À p0 Þ
decoding method, d-disjunct matrix is nontrivial to con- t¼
struct [1], [2] which may involve with complicated ð À
ðd þ 1ÞÞ2
computations with high overhead, e.g., calculation of where ¼ ðd=ðd þ 1ÞÞd and asymptotically t ¼
irreducible polynomials on Galois Field. In order to Oðd2 log nÞ.
alleviate this testing overhead, we advanced the determi-
nistic d-disjunct matrix used in [7] to randomized error- Proof. See Section B in the Appendix, available in the online
tolerant d-disjunct matrix, i.e., a matrix with less rows but supplemental material. u
t
remains d-disjunct w.h.p. Moreover, by introducing this Theorem 3.2. The ETG algorithm has smaller time complexity
pffiffiffi
matrix, our identification is able to handle test errors under Oðd2 n log nÞ than Oðn2 log nÞ, when d n.
sophisticated jamming environments.
In order to handle errors in the testing outcomes, the 3.2 Minimum Disk Cover in a Simple Polygon
error-tolerant nonadaptive group testing has been developed Given a simple polygon with a set of vertices inside, the
using ðd; zÞ-disjunct matrix, where in any d þ 1 columns, problem of finding a minimum number of variable-radii
each column has a 1 in at least z rows where all the other d disks that not only cover all the given vertices, but also are
columns are 0. Therefore, a ðd; 1Þ-disjunct matrix is exactly all within the polygon, can be efficiently solved.
d-disjunct. Straightforwardly, the d positive items can still The latest results due to the near linear algorithm
be correctly identified, in the presence of at most z À 1 test proposed recently by Kaplan et al. [25], which investigates
errors. In the literature, numerous deterministic designs for the medial axis and voronoi diagram of the given polygon,
ðd; zÞ-disjunct matrix have been provided (summarized in and provides the optimal solution using Oð$ þ ðlog $ þ
[1]), however, these constructions often suffer from high- log6 ÞÞ time and Oð$ þ log log Þ space, where the number
computational complexity, thus are not efficient for of edges of the polygon is $ and nodes within it as . We
practical use and distributed implementation. On the other employ this algorithm to estimate the jamming range R.
hand, to our best knowledge, the only randomized
construction for ðd; zÞ-disjunct matrix dues to Cheng’s work 3.3 Clique-Independent Set
via q-nary matrix [19], which results in a ðd; zÞ-disjunct Cliques-Independent Set is the problem to find a set of
matrix of size t1 Â n with probability p0 , where t1 is maximum number of pairwise vertex-disjoint maximal
cliques, which is referred to as a maximum clique-independent
2 2n À 1 set (MCIS) [4]. Since this problem serves as the abstracted
4:28d2 log þ 4:28d2 log n þ 9:84dz þ 3:92z2 ln ;
1 À p0 1 À p0 model of the grouping phase of our identification, its hardness
with time complexity Oðn2 log nÞ. Compared with this work, is of great interest in this scope. To our best knowledge, it has
we advance a classic randomized construction for d- already been proved to be NP-hard for cocomparability,
disjunct matrix, namely, random incidence construction planar, line, and total graphs; however, its hardness on UDG
[1], [2], to generate ðd; zÞ-disjunct matrix which can not only is still open. We propose its NP-complete proof in the
generate comparably smaller t Â n matrix, but also handle Appendix, available in the online supplemental material.
the case where z is not known beforehand, instead, only the There have been numerous polynomial exact algorithms
error probability of each test is bounded by some constant for solving this problem on graphs with specific topology,

. Although z can be quite loosely upper bounded by
t, yet e.g., Helly circular-arc graph and strongly chordal graph
t is not an input. The motivation of this construction lies in [4], but none of these algorithms gives the solution on UDG.
the real test scenarios, the error probability of each test is In this paper, we employ the scanning disk approach in [3] to
unknown and asymmetric, hence it is impossible to find all maximal cliques on UDG, and then find all the
evaluate z before knowing the number of pools. MCIS using a greedy algorithm.


4 TRIGGER-NODE IDENTIFICATION
We propose a decentralized trigger-identification proce-
dure. It is lightweight in that all the calculations occur at the
base station, and the transmission overhead as well as the
time complexity is low and theoretically guaranteed. No
extra hardware is introduced into the scheme, except for the
simple status report messages sent by each sensor, and the
geographic locations of all sensors maintained at the base
station. Three main steps of this procedure are as follows: Fig. 4. Estimated R and jammed area.

1. Anomaly Detection—the base station detects potential
4.2 Jammer Property Estimation
reactive jamming attacks, each boundary node tries
to report their identities to the base station. We estimate the jamming range as R and the jammed areas
2. Jammer Property Estimation—The base station calcu- as simple polygons, based on the locations of the boundary
lates the estimated jammed area and jamming range and victim nodes.
R based on the locations of boundary nodes. For sparse-jammer where the distribution of jammers is
3. Trigger Detection relatively sparse and there is at least one jammer whose
jammed area does not overlap with the others, like J2 in Fig. 2.
a. the base station makes a short encrypted testing By denoting the set of boundary nodes for the ith jammed area
schedule message Z which will be broadcasted as BNi , we can estimate the coordinate of this jammer as
to all the boundary nodes. PBNi PBNi !
b. boundary nodes keep broadcasting Z to all the k¼1 Xk Yk
ðXJ ; YJ Þ ¼ ; k¼1 ;
victim nodes within the estimated jammed area jBNi j jBNk j
for a period Q.
c. all the victim nodes locally execute the testing where ðXk ; Yk Þ is the coordinate of a node k is the jammed
procedure based on Z, identify themselves as area BNi and the jamming range R is
triggers or nontriggers. qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
R ¼ min max ðXk À XJ Þ2 þ ðYk À XJ Þ2 ;
4.1 Anomaly Detection 8BNi k2BNi

Each sensor periodically sends a status report message to
for we assume that all the jammers have the same range.
the base station. However, once the jammers are activated For dense-jammer, shown in Fig. 4, we first estimate the
by message transmissions, the base station will not receive jammed areas, which are simple polygons (unnecessarily
these reports from some sensors. By comparing the ratio of convex) containing all the boundary and victim nodes. This
received reports to a predefined threshold , the base process consists of three steps: 1) discovery of convex hulls of
station can thus decide if a jamming attack is happening in the boundary and victim nodes, where no unaffected nodes
the networks. When generating the status report message, are included in the generate convex polygons. 2) for each
each sensor can locally obtain its jamming status and decide boundary node v not on the hull, choose two nodes on the
the value of the Label field (Initially trigger “TN”). In detail, hull and connect v to them in such a way that the internal
if a node v hears jamming signals, it will not try to send out angle at this reflex vertex is the smallest, hence the polygon
messages but keep its label as victim. If v cannot sense is modified by replacing an edge (dotted one in Fig. 4) by
jamming signals, its report will be routed to the base station the two new ones. The resulted polygon is the estimated
as usual, however, if it does not receive ACK from its jammed area. 3) execute the near-linear algorithm [25] to
neighbor on the next hop of the route within a time out find the optimal variable-radii disk cover of all the victim
period, it tries for two more retransmissions. If no ACKs are nodes, but constrained in the polygon, and return the
received, it is quite possible that that neighbor is a victim largest disk radius as R.
node, then v updates Label tuple as boundary “BN” in its
status report. Another outgoing link from v with the most 4.3 Trigger Detection
available capacity is taken to forward this message. If the Since the jammer behavior is reactive, in order to find all the
status report is successfully delivered to the base station trigger nodes, a straightforward way is that let each sensor
with Label ¼ TN, the corresponding node is regarded as broadcast one by one, and listen to possible jamming
unaffected. All the messages are queued in the buffer of the signals. However, this individual detection is quite time
intermediate nodes and forwarded in an FCFS manner. The consuming and all the victim nodes thus have to be isolated
TTL value is reduced by 1 per hop for each message, and for a long detection period, or even returns wrong detection
any message will be dropped once its TTL ¼ 0. result in the presence of mobile jammers. In this case, the
The base station waits for the status report from each network throughput would be dramatically decreased.
node in each period of length P. If no reports have been Therefore, to promptly and accurately find out these
received from a node v with a maximum delay time, then v triggers from a large pool of victim nodes, emerges as the
will be regarded as victim. The maximum delay time is most challenging part of the proposed protocol, for which
related to graph diameter and will be specified later. If the the idea of group testing is applied.
aggregate report amount is less than , the base station In this section, we only consider a basic attack model
starts to create the testing schedule for the trigger nodes, where the jammers deterministically and immediately broad-
based on which the routing tables will be updated locally. casts jamming signals once it senses the sensor signal.


TABLE 1
Message Containing Trigger
Detection Schedule

Fig. 5. Interference teams.

Second-level, within each testing team, victims are
further divided into multiple testing groups. This is
completed by constructing a randomized ðd; 1Þ-disjunct
matrix, as mentioned in Section 3.1, mapping each sensor
Therefore, as long as at least one of the broadcasting victim node to a matrix column, and make each matrix row as a
nodes is a trigger, some jamming signals will be sensed, and testing group (sensors corresponding to the columns with 1s
vice versa. The performance of this protocol toward in this row are chosen). Apparently, tests within one group
sophisticated attacker models with probabilistic attack will possibly interfere that of another, so each group will be
strategies will be validated in the next section. assigned with a different frequency channel.
All the following is the encrypted testing schedule over
The duration of the overall testing process is t time slots,
all the victim nodes, which is designed at the base station
where the length of each slot is L. Both t and L are
based on the set of boundary nodes and the global topology,
predefined, yet the former depends on the total number of
stored as a message (illustrated in Table 1) and broadcasted
to all the boundary nodes. The broadcasting of the testing victims and estimated number of trigger nodes, and the
scheduling message adopts a routing mechanism similar to latter depends on the transmission rate of the channel.
reverse path forwarding. In detail, all the status report Specifically, at the beginning of each time slot, all the sensors
messages relayed to the base station will record all the designated to test in this slot broadcast a -bit test packet on
nodes’ IDs on their routing paths. Therefore, without the assigned channel to their 1-hop neighbors. Till the end
considering mobile jammers, those routing paths can be of this slot, these sensors keep detecting possible jamming
reused to send out these testing scheduling messages and signals. Each sensors will label itself as a trigger unless in at
evade the jammed areas. least one slot of its testing, no jamming signal is sensed.
After receiving this message, each boundary node broad- The correctness of this trigger identification procedure is
casts this message one time using simple flooding method to theoretically straightforward. Given that all the testing
its nearby jammed area. All the victim nodes execute the teams are interference free, then the testing with different
testing schedule and indicate themselves as nontriggers or teams can be executed simultaneously. Given that we have
triggers. Since all the sensor nodes are equipped with a an upper bound d on the number of trigger nodes and each
global uniform clock, and no message transmissions to the testing group follow the ðd; 1Þ-disjunct matrix, which
base station are required during the detection, the mechan- guarantees that each nontrigger node will be included in
ism is easy to implement and practical for applications. at least one group, which does not contain any trigger node,
As shown in Table 1, for each time slot, m sets of victim so each nontrigger node will not hear jamming signals in at
sensors will be tested. The selection of these sets involves a least one time slot, but the trigger nodes will since the
two-level grouping procedure. jammers are activated once they broadcast the test packets.
First-level, the whole set of victims are divided into Therefore, two critical issues need to be addressed to ensure
several interference-free testing teams. Here, by interference this correctness: how to partition the victim set into
free we mean that if the transmissions from the victim maximal interference-free testing teams and estimate the
nodes in one testing team invokes a jammer node, its number of trigger nodes d, as follows: Though these two
jamming area will not reach the victim nodes in another involve geometric analysis over the global topology, since it only
testing team. Therefore, by trying broadcasting from victim takes the information of boundary and victim nodes as inputs, and
nodes in each testing team and monitoring the jamming is calculated at the base station, no message complexity is
signals, we can conclude if any members in this team are
introduced.
triggers. In addition, all the tests in different testing teams
can be executed simultaneously since they will not interfere 4.3.1 Discovery of Interference-Free Testing Teams
each other. Fig. 5 provides an example for this. Three
As stated above, two disjoint sets of victim nodes are
maximal cliques C1 ¼ fv1 ; v2 ; v3 ; v4 g, C2 ¼ fv3 ; v4 ; v5 ; v6 g,
C3 ¼ fv5 ; v7 ; v8 ; v9 g can be found within three jammed areas. interference-free testing teams iff the transmission within one
Imagine these three cliques are, respectively, the three set will not invoke a jammer node, whose jamming signals
teams we test at the same time. If v4 in the middle team will interfere the communications within the other set.
keeps broadcasting all the time and J2 is awaken frequently, Although we have estimated the jamming range R, it is still
no matter the trigger v2 in the leftmost team is broadcasting quite challenging to find these interference-free teams
or not, v3 will always hear the jamming signals, so these two without knowing the accurate locations of the jammers.
teams interfere each other. In addition, node-disjoint groups Notice that it is possible to discover the set of victim nodes
do not necessarily interference free, as the leftmost and within the same jammed area, i.e., with a distance R from
rightmost teams show. the same jammer node. Any two nodes within the same


Fig. 6. Clique C1 ¼ V1 V2 V3 V4 is chosen by CIS, but its concentric circle
CC 0 covers boundary node V0 , then clique C2 ¼ V4 V5 V6 V7 replaces C1 in
Fig. 7. Maximum # interfering cliques.
the testing team for the first round. Clique V1 V2 V3 are left for the next
round.
by and from C1 is r R distance away, whose jamming
jammed area should be at most 2R far from each other, i.e., range can only reach another R distance further, which is
if we induce a new graph G0 ¼ ðV 0 ; E 0 Þ with all these victim thus away from C2 . Therefore, the cliques in the obtained
nodes as the vertex set V 0 and E 0 ¼ fðu; vÞjðu; vÞ 2Rg, the CIS of this kind are selected as testing teams. While the
nodes jammed by the same jammer should form a clique. others are left for the next time slot.
The maximum number of vertex-disjoint maximal cliques In addition, in the worst case, any single maximal clique
(i.e., clique-independent set) of this kind provides an upper C has at most 12 interfering cliques in the CIS, as the
bound of possible jammers within the estimated jammed shadowed ones in Fig. 7. Therefore, at most 13 testing teams
area, where each maximal clique is likely to correspond to are required to cover all these cliques. If the number of
the nodes jammed by the same jammer. channels k given is larger than 13, then a frequency-division
The solution consists of three steps: CIS discovery on the is available, i.e., these interfering cliques can still become
induced graph from the remaining victim without test simultaneous testing teams, on the condition each team can
k
schedules, boundary-based local refinement and interfer- only use minfd13e; mg of the given channels, where m is the
ence-free team detection. We iterate three steps to decide number of radios per sensor. Otherwise, we have to use time
the schedule for every victim node. divisions, i.e., they have to be tested in different time slots.
CIS discovery. We first employ Gupta’s MCE algorithm
4.3.2 Estimation of Trigger Upper Bound
[3] to find all the maximal cliques, then use a greedy
algorithm, as shown in Algorithm 1 to get the CIS. Before bounding the trigger quantity from above, the
triggering range r should be estimated. As mentioned in
Algorithm 1. CIS discovery. the attacker model, r depends not only on the power of both
sensors and jammers, but also the jamming threshold and
path-loss factor
1
Pn Á
r! ;
Ps Á Y
since the real time Pn and Ps are not given, we estimate r
based on the SNR cutoff 0 of the network setting. In fact,
the transmission range of each sensor rs is a maximum
radius to guarantee

Local refinement. Each clique we select is expected to Pa Ps Á Y
SNR ¼ ¼ ! 0 :
represent the jammed area poisoned by the same jammer, P n Pn Á rs
and this area should not cover the boundary nodes.
Therefore, we can estimate r as
However, we did not take this into account when discover-
ing the CIS, and need to locally update it. Specially, for each 1

clique, we find its circumscribed circle CC and the r % rs 0 ;

concentric circle CC 0 with radius R of CC. In the case that
CC 0 covers any boundary nodes, we locally select another where 0 and are parts of the network input, while is
clique by adding/removing nodes from this clique, to see if assumed as a constant, which indicates the aggressiveness
the problem can be solve. If not, we keep this clique as it is, of the jammer. For this estimation, can be first set as 10 db,
otherwise, we update it. This is illustrated in Fig. 6. which is the normally lower bound of SNR in wireless
Team detection. The cliques in CIS can also interfere transmission, and then adaptively adjusted to polish the
each other, e.g., the clique V1 V2 V3 V4 and V5 V7 V8 V9 in Fig. 5. service quality.
This is because the signals from V4 will wake J2 , who will With estimated r, since all the trigger nodes in the same
try to block these signals with noises and affect V5 by the team should be within a 2r distance from each other, by
way. But if any two cliques C1 and C2 are not connected by finding another induced graph G00 ¼ ðWi ; E 00 Þ from the victim
any single edge, then they are straightforwardly inter- nodes Wi in team i, with E 00 ¼ fðu; vÞ 2 E 00 if ðu; vÞ 2rg,
ference free, since the shortest distance between any node in the size of the maximal clique indicates the upper bound of
C1 and C2 is larger than 2R. But the farthest jammer waken the trigger nodes, thus can be an estimate over d.


The testing delay Tt depends on the number of testing
rounds and the length of each round. Since the reactive
jamming signal disappears as soon as these sensed 1-hop
transmission finishes, each round length is then Oð1Þ. The
number of testing rounds is however complicated and
bounded by Theorem 4.1.
Lemma 4.1. Based on the ETG algorithm, the number of tests to
identify d trigger nodes from jW j victim nodes is upper
bounded by tðjW j; dÞ ¼ Oðd2 dln jW jeÞ w.h.p.
i
Fig. 8. Maximum # jammers invoked by one team.
Theorem 4.1 (Main). The total number of testing rounds is
As mentioned above, all the parallel testing teams selected upper bounded by
are interference free; therefore, we roughly regard each team
to be the jammed area of one jammer. As a deeper Q 13 minfd2 dln jWi je; jWi jg
i
O max ;
investigation, the number of jammers that can be invoked i¼1 m
by the nodes in the same team (six 3-clique within the red P
w.h.p, with di ¼ minf 6 jcs ðGi Þj; jWi jg and cs ðGi Þ is the
s¼1
circles) can be up to 6, since the minimum distance between sth largest clique over an induced unit disk subgraph Gi ¼
two jammers is greater than R and r R, as shown in Fig. 8.
ðWi ; Ei ; 2rÞ in the testing team i.
Therefore on the induced graph, the largest 6 cliques form the d2 dln jW je
possible trigger set. However, since the jammer distribution Proof. First, from Lemma 4.1, at most tðjW j;dÞ ¼ i m
m
cannot be that dense for the sake of energy conserving, the testing rounds are needed to identify all nodes in testing
former estimate over d is large enough. team i. Second, the set of testing teams that can be tested in
parallel is 13, as mentioned earlier. Combining with the
4.4 Analysis of Time and Message Complexity
worst case upper bound of triggers in each team, the
Time complexity. By time complexity we mean the
upper bound on round is derived. t
u
identification delay counted since the attack happens till
all the nodes successfully identify themselves as trigger or
nontrigger. Therefore, the complexity break downs into If the jamming range R is assumed known beforehand,
four parts: similar to [7], the whole time complexity is thus

1. the detection of jamming signals at local links Td ; Q 13d2 dln jWi je; jWi j
i
O max ;
2. the routing of sensor report to the base station from i¼1 m
each sensor node, and the testing schedule to each
and asymptotically bounded by Oðn2 log nÞ. It is asympto-
victim node from the base station, aggregated as Tr ;
3. the calculation of CIS and R at the base station Tc ; tically smaller than that of [7]
4. the testing at each jammed area Tt . ÁðHÞ
’!
X d2 log2 jWj j
j 2
The local jamming signal detection involves the statis- O max ð2 þ oð1ÞÞ 2 ; m ;
tical properties of PDR, RSS, and SNR, which is orthogonal i¼1
j log2 ðdj log2 jWj jÞ
to our work. We regard Td as Oð1Þ since it is an entirely local
where ÁðHÞ refers to the maximum degree of the induced
operation and independent with the network scale.
The routing time overhead is quite complicated, since graph H (in this new solution, maximum degree is not
congestions need to be considered. For simplicity, we involved). By taking the calculation overhead for R into
consider that all the 1-hop transmission takes Oð1Þ time account, the overall time complexity is asymptotically
and bound Tr using the diameter D of the graph. As Oðn2 log n þ n log6 nÞ, which is Oðn log6 nÞ for n ! 4.
mentioned earlier, the base station waits at most Oð2DÞ for Message complexity. On the one hand, the broadcasting
the reports, so that is the upper bound of the one-way of testing schedule Z from the base station to all the victim
routing. As to the other way, we also bound it using Oð2DÞ nodes costs OðnÞ messages in the worst case. On the other
to match any collision and retransmission cases. hand, the overhead of routing reports toward the base
The calculation of CIS resorts to the algorithm in [3], which station depends on the routing scheme used and the
finds OðlÁÞ maximal cliques on UDG within OðlÁ2 Þ time, network topology as well as capacity. The upper bound is
where l ¼ jEj and Á refers to the maximum degree. We used straightforward obtained in a line graph with the base
a greedy algorithm to find a MCIS from these OðlÁÞ cliques
station at one end, whose message complexity is OðnðnÀ1ÞÞ.
with Oðl3 Á3 QÞ time: OðlÁÞ-time for each clique to check 2
With regard to the message overhead of the testing
the overlapping with other cliques, OðlÁÞ-time to find a
process. Considering that there are approximately jWi j victim
clique overlapping with minimum other cliques, and Q dþ1

denotes the number of testing teams. Notice that in practice, nodes in each testing group of team Wi (mentioned in the
sensor networks are not quite dense, so the number of edges l construction of randomized ðd; zÞ-disjunct matrix in Appen-
and maximum degree Á are actually limited to small values. dix, available in the online supplemental material), the
On the other hand, the time complexity of estimating R is up overhead of each testing group in a testing round is jWi j 1-hop
dþ1
to OðnÁ þ nðlog nÁ þ log6 nÞ using the minimum disk cover
2 2
testing message broadcasted by all victim nodes in each group
algorithm as mentioned. of team Wi . Therefore, the overhead message complexity is


d x
TABLE 2 Pr½uðiÞ ¼ xŠ ¼ p ð1 À pÞdÀx : ð1Þ
x
Notations
For each test i, the event that it contains at least one trigger
but returns a negative result, has a probability at most

Pr½gðiÞ ¼ 0 uðiÞ ! 1Š ð2Þ

Xd
d x
¼ ð1 À Þx p ð1 À pÞdÀx ð3Þ
! x¼1
x
X
Q
Q
O n2 þ jWi j maxfdi dln jWi je; jWi jgm ;
i¼1
i¼1
¼ ½ð1 À Þp þ 1 À pŠd À ð1 À pÞd ð4Þ
which is Oðn2 log nÞ.
¼ ð1 À pÞd À ð1 À pÞd ð1 À Þp: ð5Þ
5 ADVANCED SOLUTIONS TOWARD SOPHISTICATED Meanwhile, the event that it contains no trigger nodes but
ATTACK MODELS returns a positive result, has a probability
In this section, we consider two sophisticated attacker Pr½gðiÞ ¼ 1 uðiÞ ¼ 0Š ¼ 0: ð6Þ
models: probabilistic attack and variant response time delay,
Since in practical ! 1 , we therefore have the expected
where the jammers rely each sensed transmission with 2
number of false positive and negative tests is, respectively,
different probabilities, instead of deterministically, or delay
at most pt=2 and 0.
the jamming signals with a random time interval, instead Instead of the jamming behavior, the jamming signal
of immediately. This may mismatch with the original detection errors can be analyzed using the same method.
definition of reactive jamming, which targets at transmis- Given that each node detects possible jamming signals
sion signals, instead of nodes or channels. However, clever successfully with probability q, then following (1), we can
jammers can possibly change their strategies to evade similarly have the false negative rate of each test i
possible sensed detections. Also, a common sense indicates
that as long as an activity is sensed by the jammer, it is Pr½gðiÞ ¼ 0 uðiÞ ! 1Š ð7Þ
quite possible that some other activities are following this.
So delaying the response time still guarantees the attack X
d
d x
efficiency, but minimize the risk of being caught by ¼ ð1 À qÞx p ð1 À pÞdÀx ð8Þ
x¼1
x
reactive detections.
Since our scheme is robust and accurate in the steps of
grouping, generating disjunct matrix and decoding the ¼ ½ð1 À qÞp þ 1 À pŠd À ð1 À pÞd ð9Þ
testing results, the only possible test errors arise from the
generation of testing outcomes. Nevertheless, by using ¼ ð1 À qpÞd À ð1 À pÞd ð1 À qÞp; ð10Þ
the error-tolerant disjunct matrix and relaxing the identifi-
1
cation procedures to asynchronous manner, our scheme which is also small considering p ¼ dþ1 .
will provide small false rates in these cases. Some notations
5.1.2 Variant Reaction Time
can be found in Table 2. In this section, the terms test and
group, the terms column and nodes are interchangeable. The introduction of group testing techniques aims to
decrease the identification latency to the minimum, there-
5.1 Upper Bound on the Expected Value of z fore, if the jammer would not respond intermediately after
First, we investigate the properties of both jamming sensing the ongoing transmissions, but instead wait for a
behaviors and obtain the expected number of error tests randomized time delay, the test outcomes would be messed
up. Since it is expensive to synchronize the tests among
in both cases through the following analysis. Since in
sensors, we use a predefined testing length as L, thus the
practice, it is not trivial to establish accurate jamming
test outcome of test i 2 ½1; tŠ is generated within time
models, we derive an upper bound of the error probability i i
interval ½ðdme À 1ÞL; dmeLŠ. There are two possible error
which does not require the beforehand knowledge of the events regarding any test i.
objective jamming models, which is therefore feasible for
real-time identifications. Since it is a relaxed bound, it could . F pðiÞ: test i is negative, but some jamming signals
be further strengthened via learning the jamming history. are delayed from previous tests and interfere this
test, where we have a false positive event;
5.1.1 Probabilistic Jamming Response (Detection) . F nðiÞ: test i is positive, but the jammer activated in
A clever jammer can choose not to respond to some sensed this test delayed its jamming signals to some
ongoing transmissions, in order to evade the detection. subsequent tests, meanwhile, no delayed jamming
Assume that each ongoing transmission has an independent signals from previous tests exists, where we have a
probability to be responded. In our construction algorithm false negative event.
ETG, where each matrix entry is IID and has a probability p Since the jammers in this paper are assumed to block
to be 1, therefore for any single test i with i 2 ½1; tŠ communications only on the channels where transmissions


p
are sensed, for the following analysis, we claim that the
¼ þ 2ð1 À ð1 À pÞd Þð1 À pÞd
2
interferences can only happen between any two tests i; j
þ ð1 À ð1 À pÞd Þð1 À 2ð1 À ð1 À pÞd ÞÞ
with i jðmod mÞ. Denote the delay of jamming signals as
a random variable X ¼ fxð1Þ; xð2Þ; xð3Þ; . . . xðtÞg where xðiÞ ¼ ð10 À 8 2 À Àd À 1Þ=2;
is the delay for possible jamming signals arisen from test i. where ¼ ðd=ðd þ 1ÞÞd . Intuitively, we can have an upper
1) For event F pðiÞ, consider the test i À m, in order to have bound on the number of error tests as z ¼
t ¼
its jamming signals delayed to test i, we have a bound on ð10 À 8 2 À Àd À 1Þ=2, and take it as an input to construct
xði À mÞ 2 ð0; 2LÞ. Similarly, in order to have the signals of the ðd; zÞ-disjunct matrix. However, notice that z depends
any test j delayed to i, we have xðjÞ 2 ½ðiÀj À 1ÞL; ðiÀj þ 1ÞLŠ.
m m
on t, i.e., the number of rows of the constructed matrix, we
Further the probability density function of X is PðiÞ ¼ therefore derive another bound of t related to
, as shown
Pr½X ¼ xðiÞŠ. Consider all the tests prior to i, which are in the Appendix, available in the online supplemental
i mod m; 1 þ i mod m; . . . ; i À m, we have the probability material.
for F pðiÞ 5.2 Error-Tolerant Asynchronous Testing within
Z ðiÀjþ1ÞL
Each Testing Team
X
iÀm m
ð1 À pÞd PðwÞdwð1 À ð1 À pÞd Þ: ð11Þ By applying the derived worst cast number of error tests
j¼i mod m ðiÀjÀ1ÞL
m into the ETG construction, we can obtain the following
algorithm where tests are conducted in an asynchronous
To simplify this expression, we assume that X=L follows a
manner to enhance the efficiency.
uniform distribution within the range ½0;

,
As shown in Algorithm 2, after all the groups are
which is reasonable and efficient for attackers in practice. decided, conduct group testing on them in m pipelines,
Since the nature of jamming attacks lies in adapting the where in each pipeline any detected jamming signals will
attack frequency due to the sensed transmissions, too large end the current test and trigger the next tests while groups
delay does not make sense to tackle the ongoing transmis- receiving no jamming signals will be required to resend
sions. Under a uniform distribution, the probability of F pðiÞ triggering messages and wait till the predefined round time
becomes has passed. These changes over the original algorithm,
especially the asynchronous testing are located in each
2X
iÀm
ð1 À ð1 À pÞd Þð1 À pÞd testing team, thus will not introduce significant overheads,
j¼max i mod m;iÀmÀ

however, the resulted error rates are quite low.

d d i 2 Algorithm 2. Asynchronous Testing.
¼ ð1 À ð1 À pÞ Þð1 À pÞ À1 :
m

Jammers in wsn

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Jammers in wsn

Semelhante a Jammers in wsn (20)

Jammers in wsn