1569572499


  • 7/30/2019 1569572499

    1/9

    The Discovery of Jamming Attackers in Wireless Sensor Networks

    Kaiqi Xiong

    College of Computing and Information Sciences

    Rochester Institute of Technology

    Abstract

    Recent years have witnessed a rapid growth of wireless sensor network applications in civil and military environments. Radio interference tends to be a serious threat in such applications. Jamming attacks are a direct consequence of radio interference that an adversary may intentionally launch. It is necessary but difficult to defend against jamming attacks in order for sensor communication channels to be available and reliable. In this paper, we develop a systematic approach to tackling jamming attacks. We design a time-based window scheme to mitigate jamming attacks and propose robust fault-tolerant algorithms for the location discovery of jamming attackers that permit us to remove jamming attackers from wireless sensor networks. Then, we investigate the proposed approach through theoretical analysis and experiments. Our analytical and numerical results demonstrate the efficiency and effectiveness of the proposed approach.

    I. Introduction

    Recent years have witnessed the emergence of wireless sensor networks for a variety of civil and military applications such as health care monitoring, fire alarms, light control, volcano monitoring, humidity and temperature monitoring, and security alarms. Radio interference tends to be a serious threat in wireless sensor networks and it is a root cause of jamming attacks. Unlike traditional denial of service attacks that fill the buffers of user and kernel domains, jamming attacks exploit the shared nature of the wireless medium to prevent sensor nodes from receiving and sending messages through the occupation of communication channels. Restraining jamming attacks in wireless sensor networks has become challenging but very necessary in the above applications due to the constraints on a sensor's energy, computation, and communication. For instance, these constraints make it infeasible to install a GPS receiver on each sensor node for the discovery of a jamming attacker, or jammer.

    Many research efforts have sought to address the jamming attack problem in wireless networks through spread spectrum techniques such as Frequency Hopping (FH), Direct Sequence Spread Spectrum (DSSS), and Chirp Spread Spectrum (CSS) in Poisel [13]. Spread spectrum is a sophisticated physical-layer technique that requires expensive transceivers. As discussed in Xu et al. [18], those transceivers are not affordable in commodity sensor networks. Instead, a carrier sensing approach has been employed for medium access control in sensor devices such as Berkeley Mica2 and MicaZ. Recent studies in Law et al. [5] and Xu et al. [19] have shown that such an approach is very susceptible to jamming attacks. Thus, channel surfing for the adaptation of data-link layer frequency allocations has been proposed to cope with jamming attacks in Xu et al. [18]. However, a rapid change of frequency allocations at the data-link layer may cause poor network connectivity.

    In this paper, we develop a systematic approach to tackling jamming attacks. We first design a technique to mitigate jamming attacks using the concept of Additive Increase/Multiplicative Decrease (AIMD). Our technique adopts a time-based window scheme (briefly referred to as the time-based scheme) rather than a change of frequency allocations in the data-link layer. Then, we further propose robust fault-tolerant algorithms for the location discovery of jamming attackers that permit us to remove jamming attackers from wireless sensor networks. Here, robust means that our proposed algorithms can achieve the maximum tolerant rate of 50% malicious sensor nodes. That is, our approach has the ability to cope with up to 50% malicious nodes in sensor networks besides jamming attackers. Moreover, we investigate the proposed approach through theoretical analysis and numerical experiments. Our numerical results demonstrate the efficiency and effectiveness of the proposed approach.

    The contributions of this paper are as follows. First, we develop a systematic approach to dealing with not only the mitigation of jamming attacks but also the removal of jamming attackers. Second, the algorithms for the removal of jamming attackers are robust: they have the ability to cope with up to 50% other malicious nodes in sensor networks besides jamming attackers. Third, the technique for the mitigation of jamming attacks adopts a time-based scheme rather than a change of frequency allocations, which avoids having to restore the network connectivity among multiple frequency channels.

    The rest of this paper is organized as follows. Section II gives our system model and assumptions. We present our approach to tackling jamming attacks in Section III, which includes the mitigation of jamming attacks in Section III-A and the proposed robust algorithms for the location discovery of jamming attackers with their theoretical analysis in Section III-B. The analytical and experimental evaluations of the proposed approach are given in Section IV. Section V reviews related work. Section VI concludes our study with future work.

    II. The Sensor Network Model With Its Assumptions

    In this paper, our wireless sensor network model consists of a large number of resource-constrained sensor nodes, each with a unique ID. The sensor nodes are randomly distributed in a field. Some of them may act as malicious nodes that eavesdrop on, modify, forge, or replay a message, in addition to jamming attackers that jam wireless channels so as to cause denial of service. Broadcasting is considered in the paper because it is more susceptible to jamming attacks than other schemes such as point-to-point routing or multicast routing.

    Generally speaking, it may be difficult to achieve time synchronization on a network-wide basis due to slow clock drift over time, the effect of temperature and humidity on clock frequencies, and the coordination and correction needed amongst thousands of deployed nodes with low messaging overhead, as indicated in Sundararaman et al. [16]. However, radio interference often affects neighboring nodes rather than distant nodes. Thus, it is reasonable to assume that time synchronization is achieved in a group of sensor nodes that are physically close to each other. Such a group of nodes is called a cluster of the sensor network. That is, sensor nodes across the network are organized into clusters for communication efficiency and scalability improvement. Many approaches have been proposed to address time synchronization in wireless sensor networks. For example, Faizulkhakov [3], Sivrikaya and Yener [15], and Sundararaman et al. [16] each gave a survey on time synchronization. Moreover, denote by n the number of sensor nodes in the network and m the number of malicious nodes, where $0 \le m \le n/2 < n$. That is, no more than half of the nodes in the sensor network are malicious. Otherwise, there is no way to tackle attackers since they are the majority in the network. Let N be the number of link-layer channels available for data communications in the sensor network. In this paper, our research goal is to tackle jamming attacks through the mitigation of jamming attacks and the location discovery of jamming attackers, which permits us to remove jamming attackers from the sensor network.

    III. The Approach to Tackling Jamming Attacks

    The approach for tackling jamming attacks consists of the mitigation of jamming attacks and the location discovery of jamming attackers.

    A. The Mitigation of Jamming Attacks

    Jamming is a very harmful attack that prevents legitimate sensor nodes from sending and receiving messages. Jamming attackers can constantly occupy wireless channels, which results in denial of service. In the paper, we propose an approach to mitigating jamming attacks by introducing a time-based window scheme. Due to the nature of wireless sensor networks, there is no way to have a scheme that eliminates jamming attacks. Instead, the objective of our approach for the mitigation of jamming attacks is to reduce their harm to sensor networks. We aim at developing an effective and efficient approach that reduces the harm of jamming attacks as much as possible and limits the communication and computation overhead of the approach as much as possible.

    As we know, it is time- and energy-consuming to run algorithms to detect and locate a jamming attacker, and it usually requires a certain period of time to monitor a sensor network and collect the message transmission information necessary for such a detection. Let T be this period of time, called the unit time slot. Thus, during the unit time slot of T, we enforce the time-based window scheme to mitigate jamming attacks. Our intuition is that the more times a node experiences jamming, the higher the chance that such a node is a jamming attacker when all nodes are treated the same. Hence, those sensors that experience jamming are required to wait a longer time to send a message. We use the following notation. Denote by m the broadcast message of a sensor, and T the current waiting time of a sensor node. That is, the sensor can transmit a message only after waiting the time T. [0, T] is considered as a waiting time window. Thus, the scheme is called the time-based window scheme, and it is described as follows.

    1) Initialization. Before deployment, a unique ID and a waiting window will be assigned to each sensor. The waiting time T is randomly selected as a value between 0 and so that there is no jamming once sensors start to communicate, where is a reasonably small value. After deployment, sensor nodes will be formed into clusters, each with a cluster leader. Cluster formation and the election of a cluster leader can be found in the literature, such as Liu [6] and Dong and Liu [2]. All members in a cluster will have a full list of member IDs.

    2) Message Transmission. Each sensor will be able to scan and find available channels for sending a message after its individual waiting time T.

    3) The Update of the Waiting Time Window. Each node is required to update its own waiting time window according to the following scheme: if a node plans to send a message but there is no channel available (i.e., jamming occurs), then both senders are required to increase their waiting time based on an increasing function (T); the node that successfully sends out a message without jamming will update its waiting time based on a decreasing function (T). Meanwhile, the cluster leader will update the waiting time windows of all sensor nodes and make sure that each node follows the above predefined rule. Since each cluster leader is re-elected periodically, the duty of a cluster leader is fully distributed among sensor nodes.

    When a collision occurs, both regular senders and jammers are required to increase their waiting times since they are not distinguishable. Moreover, jamming is ONLY one of the collision causes. Actually, the above scheme may also mitigate other collision causes such as Denial of Service (DoS). Furthermore, the time-based scheme will be analyzed in detail in Section IV-A. Next, we will discuss the location discovery of jamming attackers.

    B. The Discovery and Removal of Jamming Attackers

    Each sensor is associated with an ID, but the ID information may be altered during communication. Furthermore, the ID information may be known only within its cluster. In order for us to eliminate jamming attackers, the location of the sensors is required. In this section, we develop algorithms to discover the location of jamming attackers.

    1) The Location Discovery Problem of Jamming Attackers: As stated before, we assume that there may exist malicious nodes besides jamming attackers in the sensor network. Once jamming attacks are detected, a natural question is how to locate and remove jamming attackers. In this section, we attempt to find the location of jamming attackers based on the location information of all the sensors except jamming attackers across a sensor network rather than a sensor cluster, which is referred to as the location discovery problem of jamming attackers. Specifically, when there are jamming attacks, how can a cluster leader find the location of a jamming attacker based on the location information of sensor nodes and their received signal strengths? The problem has at least two essential and important differences from the sensor localization problem that has been extensively studied for the past several years.

    1) The distances between sensors and the jamming attacker are unknown.

    2) The transmission power used by the jamming attacker is unknown. The power level may be changed in the course of message transmissions.

    These two major differences make it difficult to solve the location discovery problem of jamming attackers. For presentation purposes, we only consider one jamming attacker. But the following discussion can be iteratively applied to find the location of multiple jamming attackers. According to the Friis transmission equation, the received power of an antenna is calculated through $P_r = P_t G_t G_r \left(\frac{\lambda}{4\pi d}\right)^2$, where $P_t$ is the power input to the transmitting antenna, $G_t$ and $G_r$ are the antenna gains of the transmitting and receiving antennas, respectively, $\lambda$ is the wavelength, and d is the distance. Therefore, the square of the distance is expressed by $d^2 = G_t G_r \frac{P_t}{P_r} \left(\frac{\lambda}{4\pi}\right)^2$. For notational simplicity, we write it as $d^2 = cP_t$ where $c = G_t G_r \frac{1}{P_r} \left(\frac{\lambda}{4\pi}\right)^2$. As we know, $P_t$ may be varied by a jamming attacker and it is unknown to the sensor nodes that receive signals from the jamming attacker. Thus, the jammer localization problem is to find (x, y) satisfying

    $$(x - x_i)^2 + (y - y_i)^2 = c_i P_t(i) \qquad (1)$$

    where $(x_i, y_i, P_t(i))$ is the coordinate of sensor i and $c_i$ is a known constant like c. $P_t(i)$ is the transmission power that the jamming attacker sends to sensor i and it is unknown to sensor i. However, only a few transmission power levels can be selected by a sensor. Assume that there are L transmission power levels that the jamming attacker can choose, where L is relatively small in existing sensor motes compared to the number of nodes in the network. For presentation purposes, we assume that there is only one power level used by the attacker, i.e., $P_t(i) = P_t$. Our following discussion can be easily extended to the case of multiple power levels used by an attacker. Thus, by manipulating (1), we obtain a system of linear equations:

    $$\begin{aligned} 2(x_i - x_{i+1})x + 2(y_i - y_{i+1})y - (c_{i+1} - c_i)P_t &= (x_i^2 - x_{i+1}^2) + (y_i^2 - y_{i+1}^2) \\ 2(x_n - x_1)x + 2(y_n - y_1)y - (c_1 - c_n)P_t &= (x_n^2 - x_1^2) + (y_n^2 - y_1^2) \end{aligned} \qquad (2)$$

    or its matrix form:

    $$AX = Z \qquad (3)$$

    where $X = (x, y, P_t)^T$ is a $3 \times 1$ vector, A is an $n \times 3$ matrix consisting of the coefficients of the left-hand side of linear system (2), and Z is an $n \times 1$ vector consisting of the right-hand side of linear system (2). Thus, the localization problem becomes the linear regression given in (3). That is, the coordinate $(x, y, P_t)$ is easily determined by solving the minimization problem:

    $$\min_{x,y,P_t} \|AX - Z\| \qquad (4)$$

    where $\|\cdot\|$ is a predefined norm, e.g., the L1-norm or L2-norm. Each measurement is treated equally in the minimization problem of (4), which implies that a mean value metric is used in solving (4). However, it has been proved in Rousseeuw and Leroy [14] that a mean value metric deals poorly with malicious location measurements.

    Rousseeuw and Leroy [14] proposed a variety of linear regression methods to tackle malicious measurements. Thus, a direct strategy is to apply these methods to exclude malicious measurements from the system of linear equations (3). We also consider the fact that the closer a sensor node is, the more effect the node has. Thus, the coordinate $(x, y, P_t)$ is estimated by solving the following weighted minimization problem of Least Trimmed Square (LTS):

    $$\text{(LTA)} \quad \min_{x,y,P_t} \sum_{i=1}^{h} \frac{1}{c_i P_t}\, r_i = \min_{x,y,P_t} \sum_{i=1}^{h} \frac{r_i}{c_i} \qquad (5)$$

    where $r_i = (AX - Z)(i)$ is the i-th element of the residual vector $AX - Z$ and $d_i^2 = c_i P_t$ is a weight at node i. Our intuition here is that in order to estimate the right location of a jammer, we require that more than half of the redundant measurement tuples be benign, which means that h should be chosen as n/2 + 1.

    As shown in Rousseeuw and Leroy [14], the estimator has a breakdown point (i.e., tolerant rate) of 50% in most situations. LTA has a lower order of computational complexity compared to other robust estimators, so we only consider LTA in the paper.

    Furthermore, in order to give a correct estimate for the

    location of a jammer through (3), we require that more

    than half of linear equations in the system (3) should be

    benign. Below is a proposition showing its possibility.

    Proposition 1: When the tolerant rate is the highest,

    the probability that one of the linear equations in the

    system (3) does not consist of any malicious location

    measurement is 0.25; furthermore, the probability that both

    two equations consisting of three measurement tuples are

    not malicious is 0.125.

    Proof. When the tolerant rate is the highest, half of the location measurements are malicious. Thus, when two measurement tuples are randomly selected, the probability that none of them is malicious is $0.5 \times 0.5 = 0.25$. Furthermore, when three measurement tuples are randomly selected, the probability that both equations consisting of the three measurement tuples are not malicious is $0.5^3 = 0.125$.

    Proposition 1 clearly shows that it is unlikely that more than half of the linear equations consist entirely of non-malicious measurement tuples. Hence, it is infeasible to apply the methods in Rousseeuw and Leroy [14] to the system of linear equations (3) as shown in (5). Instead, we should directly deal with (1) rather than (2). That is, $r_i$ should be selected as the nonlinear residual $r_i = (x - x_i)^2 + (y - y_i)^2 - c_i P_t$ instead of $r_i = (AX - Z)(i)$ in the minimization problem of LTA. But the exact solution of these three minimization problems is computationally hard to find. Thus, in this paper, we develop a feasible approximation algorithm to solve the problem. These algorithms are robust, which means that they can tolerate up to 50% malicious nodes. We will start with a brute-force robust approximation algorithm and then present the feasible approximation algorithm. Before the presentation, let us investigate the consistency of the set of all references provided by sensors.

    2) -Consistency of Sensor References: Due to the assumption that more than half of these location references are benign, these benign references should consistently derive the same location and transmission power of the jammer with a small error. We notice that a location reference is measurement data taken by sensors. Under a normal (or attack-free) environment, a measurement error follows a standard normal distribution. Instead, an attacker usually intends to disrupt the process of location estimation by reporting a position and distance far away from the true ones. The residue of those malicious references does not follow a standard normal distribution. Usually, benign and malicious references will not be consistent. Based on these observations, we give a definition of reference consistency.

    Definition 1: Sensor references given by the tuples:

    Pij = (xij , yij , cijPt) for j = 1, 2,...,s are called -consistent if

    minx,y,Pt

    sj=1

    (x xij )2 + (y yij )2 cij Pt2

    < (6)

    where number > 0 is to be determined, and s 3 sinceat least three references can determine a jammers location

    and transmission power.

    Clearly, the consistency of a group of sensor references depends heavily on the value of . Thus, a selection of plays a key role in the reference consistency. The absolute value on the left-hand side of (6) represents an estimation error based on these given sensor references. Thus, it should follow a standard normal distribution in an attack-free environment. An abnormal error may indicate a potential malicious attack.

    Let L(x) be

    s

    j=1

    (x xij )2 + (y yij )2 cijPt

    2. It can be mathematically shown that L(x)2 follows a $\chi^2(v)$-distribution, where $v = s - 3$ is the degree of freedom. This is because three points that are not in a line determine the location of a jammer. According to statistical theory, can be determined through a hypothesis test: Probability

    L(x) 2

    = , where is referred to as a significance level of the test, and L(x) is a $\chi^2(v)$-distribution with $v = s - 3$ degrees of freedom. The hypothesis test states that the probability that L(x) 2 is equal to . According to Definition 1, L(x) 2 indicates the presence of malicious measurements, with the probability of a false alarm being . By choosing a value for , we can determine . (Note that is dependent on the difference between k and n.) For example, let = 0.01 and v = 1 or s = 4. Based on the $\chi^2$-distribution, we can get 2 = 6.63, or equivalently = 2.57.

    3) The Brute-force Robust Algorithm: We propose a brute-force robust algorithm for secure localization by using the notion of consistency. It identifies and removes those location references that are not consistent with the majority of location references. All the consistent location references are used to estimate the location of the jammer through ordinary linear regression. The brute-force robust algorithm consists of two parts: the location prediction and the location correction. In the prediction step, we develop a way to predict the rough location of the jammer. Our intuition is that the more consistent the location references are, the smaller the reference residuals are. Thus, we choose the location estimate with the smallest residual as our predicted location. In the correction step, we refine the predicted location estimate. By considering it with other location references, we find the largest number of consistent location references, which are used to estimate the location of the jammer. Below is a detailed description of these two steps for the brute-force robust algorithm.

    Brute-force Robust Algorithm

    The Location Prediction Step: It identifies which location references determine the location that is most likely to be the true location of the jammer, or closest to the true location. We start with 3 location references in the paper, which is the minimal number of references that can determine a location of the jammer. (The following discussion of the paper can be easily adjusted to 4 references.) We select all subsets of 3 location references from all n location references. Each subset whose references are not in a line can be used to estimate the location of the jammer, denoted by $(x_l, y_l)$, where $l = 1, 2, \ldots, m$, and m is the number of ways of choosing 3 references from n location references, i.e., $m = n(n - 1)(n - 2)/3$ = (n3).

    For each location estimate, we compute its residual

    $$r_{i,x_l} = (x_l - x_i)^2 + (y_l - y_i)^2 - c_i P_t$$

    As discussed before, the reference residual $r_{i,(x_l,y_l)}$ reflects the consistency of location estimate $(x_l, y_l)$ and location reference $(x_i, y_i)$. Recall that h is the minimal number of benign references. Thus, we select the h smallest absolute values of residuals, denoted by $|r_{i_1,(x_l,y_l)}|, |r_{i_2,(x_l,y_l)}|, \ldots, |r_{i_h,(x_l,y_l)}|$, and $S_l = \sum_{j=1}^{h} |r_{i_j,(x_l,y_l)}|$ for $l = 1, 2, \ldots, m$. Our intuition here is that the more consistent the location references are, the more accurate their location estimate is; thus, it is more likely that the absolute values of the first h location residuals are smaller, i.e., $S_l$ is smaller. Then, the estimate with the smallest $S_l$ is selected as our estimate in the prediction step.

    The Location Correction Step: It refines the location estimate in the prediction step that is derived by a set of three location references, denoted by D. By considering the value of $S_l$, we gradually add the rest of the location references into D. We first add those location references with the smaller value of $S_l$, and then check if they are -consistent with D. If yes, we add them into D as a set of location references. If no, we examine them one by one with such an $S_l$. A location reference that has not been examined before will be examined first. We continue to examine the rest of the location references until all of them are examined. The final set D is used to derive the location estimate of the jammer by using the ordinary weighted linear regression as shown in (5).

    Let us now consider the time complexity of the brute-force robust algorithm. In the location prediction step, it takes (n) to compute n location residuals $r_{i,x_l}$ for each fixed location estimate $(x_l, y_l)$. The most efficient algorithm to order those n location residuals requires (n log n) time, and a sum of the h smallest location residuals requires (h) time. Furthermore, the ordinary linear regression requires (h^2) time. Thus, the time complexity of the brute-force robust algorithm is (n^3) + (n) + (n log n) + (h) + (h^2) = (n^3).

    4) The Feasible Robust Algorithm: As seen in Section III-B3, the brute-force robust algorithm requires (n^3) time, which may be too costly to be used in a resource-limited network, e.g., a wireless sensor network, which has limited power and computational capacity. We notice that the (n^3) time is contributed only by the prediction step of the brute-force robust algorithm. Thus, the location prediction step is our only concern in the aforementioned brute-force algorithm.

    The objective of this section is to develop a feasible robust algorithm that can be used in a resource-limited network. As discussed in Section III-B3, the brute-force robust algorithm has the complexity of (n^3) due to a consideration of all combinations of 3 location references among the n available. However, we notice that such a consideration may not be necessary. The key in that step is to find three benign location references to start with in the location correction step. Thus, we may only consider a part of the combinations of 3 location references. That is, the feasible robust algorithm is the same as the brute-force robust algorithm except for the prediction step, where only r combinations of 3 references will be randomly selected. The change will significantly enhance the efficiency of the brute-force robust algorithm without a compromise in security. Its detailed analysis will be given in Section IV-B.
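The prediction and correction steps of Sections III-B3 and III-B4, as an added Python example that is not code from the paper: it solves the linearized system (2) on subsets of references, ranks each estimate by the sum of its h smallest nonlinear residuals from (1), and refits on the references that agree with the winner. Assumptions: subsets of 4 references are used (the paper notes the discussion adjusts to 4) so that the difference system has a unique solution, the fixed `tol` stands in for the consistency threshold, the final refit is unweighted, and all function names and the sample data are constructed.

```python
import itertools
import math
import random

def solve3(A, b):
    """Gaussian elimination with partial pivoting; None if (near-)singular."""
    M = [row[:] + [rhs] for row, rhs in zip(A, b)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-9:
            return None
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, 3):
            f = M[r][col] / M[col][col]
            for k in range(col, 4):
                M[r][k] -= f * M[col][k]
    x = [0.0, 0.0, 0.0]
    for r in (2, 1, 0):
        x[r] = (M[r][3] - sum(M[r][k] * x[k] for k in range(r + 1, 3))) / M[r][r]
    return x

def linear_rows(refs):
    """Rows of system (2): equation (1) of refs[0] minus that of each other ref."""
    x0, y0, c0 = refs[0]
    A = [[2 * (x0 - xj), 2 * (y0 - yj), -(cj - c0)] for xj, yj, cj in refs[1:]]
    Z = [(x0**2 - xj**2) + (y0**2 - yj**2) for xj, yj, _ in refs[1:]]
    return A, Z

def least_squares(refs):
    """Unweighted L2 solution of AX = Z via the 3x3 normal equations."""
    A, Z = linear_rows(refs)
    AtA = [[sum(r[i] * r[j] for r in A) for j in range(3)] for i in range(3)]
    AtZ = [sum(r[i] * z for r, z in zip(A, Z)) for i in range(3)]
    return solve3(AtA, AtZ)

def residual(est, ref):
    """Nonlinear residual of (1): (x - xi)^2 + (y - yi)^2 - ci * Pt."""
    (x, y, pt), (xi, yi, ci) = est, ref
    return (x - xi)**2 + (y - yi)**2 - ci * pt

def predict(refs, subsets):
    """Prediction step: subset estimate with the least sum of h smallest |r|."""
    h = len(refs) // 2 + 1
    best, best_s = None, math.inf
    for idx in subsets:
        est = solve3(*linear_rows([refs[i] for i in idx]))
        if est is None:          # concyclic or collinear subset, skip it
            continue
        s = sum(sorted(abs(residual(est, r)) for r in refs)[:h])
        if s < best_s:
            best, best_s = est, s
    return best

def locate(refs, tries=None, tol=1e-3, seed=1):
    """Return (indices kept, refitted (x, y, Pt)); tries=None is brute force."""
    n = len(refs)
    if tries is None:
        subsets = itertools.combinations(range(n), 4)
    else:                        # feasible variant: r random subsets only
        rng = random.Random(seed)
        subsets = (rng.sample(range(n), 4) for _ in range(tries))
    est = predict(refs, subsets)
    if est is None:
        raise ValueError("no solvable subset of references")
    # Correction step, simplified: keep references consistent with the prediction.
    kept = [i for i, r in enumerate(refs) if abs(residual(est, r)) < tol]
    return kept, least_squares([refs[i] for i in kept])

# Constructed, noise-free sample data (not from the paper).
TRUE = (40.0, 60.0, 2.0)      # jammer x, y and transmit power Pt
DECOY = (10.0, 10.0, 5.0)     # source the colluding malicious nodes report
BENIGN = [(5, 12), (93, 8), (14, 88), (81, 95), (50, 30), (62, 71), (27, 49)]
LIARS = [(70, 20), (35, 80), (90, 50), (20, 25), (55, 5)]

def make_ref(pos, src):
    """Reference (xi, yi, ci) with ci = d^2 / Pt for the source `src`."""
    d2 = (pos[0] - src[0])**2 + (pos[1] - src[1])**2
    return (pos[0], pos[1], d2 / src[2])

REFS = [make_ref(p, TRUE) for p in BENIGN] + [make_ref(p, DECOY) for p in LIARS]

if __name__ == "__main__":
    print("plain least squares:", least_squares(REFS))
    print("brute force        :", locate(REFS))
    print("feasible, 300 draws:", locate(REFS, tries=300))
```

With 5 of the 12 references colluding, plain least squares over all references is pulled away from the jammer, while both robust variants keep exactly the 7 benign references.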

    IV. The Evaluation and Analysis of the Proposed Approach

    We present our security and performance analysis of the proposed approach with experimental evaluations.

    A. Analysis of the Proposed Approach for the mitigation of jamming attacks

    As mentioned before, each sensor node will have a list of all node IDs once a cluster is formed and an elected cluster leader will be responsible for cluster-related tasks including the time-based window scheme management and channel allocations. Each node will communicate with each other by following the above scheme to update its waiting-time window.

    The analysis of the waiting time window. When all channels are occupied, a jamming attacker may declare its intention to send a message, without planning to do so, in order to increase the waiting time window of a legitimate node. However, according to the above scheme, the jamming attacker will get its own waiting time window increased as well. Thus, the jamming attacker may successfully attack those sensors that individually have lower power than the attacker, but it is impossible to disturb the whole sensor network for a long period of time because the attacker will run out of power if it attempts to attack all nodes in the network.

    Clearly, the choice of (T) and (T) plays a key role in the waiting time window. In this paper, we select them as the functions used in additive increase/multiplicative decrease (AIMD) algorithms. Specifically, (T) = T + a and (T) = T/b where a > 0 and b > 1. It is assumed that T ranges from $T_{min}$ to $T_{max}$. Denote by q the percentage of messages sent by node i that cause jamming. Let $T_i(j)$ be the waiting time of node i after j messages are sent. Then, we can derive the following properties.

    Proposition 2: Assume that the number of jamming messages is more than the number of non-jamming messages at a node. Then, the waiting time $T_i(j)$ is at least

    $$\frac{1}{2^j}\left(1 + \frac{1}{b}\right)^j T_i(0) + \left[1 - \frac{1}{2^j}\left(1 + \frac{1}{b}\right)^j\right]\frac{ab}{b-1} \qquad (7)$$

    which implies that the waiting time is at least $\frac{ab}{b-1}$ after a large number of message transmissions, where $T_i(0)$ is the initial waiting time given when the sensor is deployed.

    Proof. According to the assumption, we have that

    $$T_i(j) = q\,(T_i(j-1) + a) + (1 - q)\,\frac{T_i(j-1)}{b}$$

    Since the number of jamming messages is more than the number of non-jamming messages, we have that $1 - q \le q$. That is, $\frac{1}{2} \le q \le 1$. Therefore, we can obtain that

    $$T_i(j) \ge \frac{1}{2}\left(1 + \frac{1}{b}\right) T_i(j-1) + \frac{1}{2}a$$

    which derives (7). Thus, $\lim_{j \to +\infty} \inf T_i(j)$ should be at least $\frac{ab}{b-1}$.

    As stated in Section I, robustness is one of our design

    goals in the proposed approach. We have obtained that

    Proposition 3: The higher the percentage of jamming messages, the longer the waiting time. That is, the proposed waiting-based window scheme is robust.

    Proof. The waiting time $T_i(j)$ is given by

    $$T_i(j) = \left[q + (1 - q)\frac{1}{b}\right]^j T_i(0) + aq\,\frac{1 - \left[q + (1 - q)\frac{1}{b}\right]^j}{(1 - q)\left(1 - \frac{1}{b}\right)}$$

    which means that

    $$T_i(j) \to \frac{aq}{(1 - q)\left(1 - \frac{1}{b}\right)} \quad \text{as } j \to +\infty \qquad (8)$$

    Let f(x) be $\frac{a(1 - x)}{x\left(1 - \frac{1}{b}\right)}$ where $x = 1 - q$. It is easy to prove that f(x) is a decreasing function with respect to variable x. As we know, x represents the percentage of time that there is at least one channel available for message transmission. That means that the higher the percentage of jamming messages, the longer the waiting time. That is, the proposed waiting-based window scheme is robust.

    Corollary 1: The waiting time $T_i$ becomes zero if there is no jamming message and it tends to a very large value if almost all messages are jamming.

    Proof. It results from Proposition 3 when $q = 0$ and $q \to 1$ respectively.

    Proposition 4: If the number of jamming messages is no more than $\left(1-\frac{1}{b}\right)\frac{T}{a}$ times as much as the number of non-jamming messages, i.e., $\frac{q}{1-q} \le \left(1-\frac{1}{b}\right)\frac{T}{a}$, then the waiting time will eventually be less than $T$, where $T > 0$ is a predefined value for quality of control.

    Proof. From the assumption of the proposition and (8), we can see that the result holds.
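    The recurrence from the proof of Proposition 2, the closed form from Proposition 3, limit (8) and the bound of Proposition 4 can be checked numerically. The following Python code is an added example, not code from the paper; it assumes the per-message rule implied by the recurrence (add a after a jamming message, divide by b otherwise), ignores the clamp of T to its minimum and maximum, and uses function names of its own.

```python
import random

def expected_wait(t0, q, a, b, j):
    """Iterate T(j) = q*(T(j-1) + a) + (1-q)*T(j-1)/b from the proof."""
    t = t0
    for _ in range(j):
        t = q * (t + a) + (1 - q) * t / b
    return t

def closed_form(t0, q, a, b, j):
    """Closed form of T(j) from the proof of Proposition 3 (needs q < 1)."""
    c = q + (1 - q) / b
    return c**j * t0 + a * q * (1 - c**j) / ((1 - q) * (1 - 1 / b))

def limit_wait(q, a, b):
    """Limit (8) of the waiting time; unbounded when every message jams."""
    if q >= 1:
        return float("inf")
    return a * q / ((1 - q) * (1 - 1 / b))

def max_jamming_fraction(t_bound, a, b):
    """Largest q meeting Proposition 4: q/(1-q) <= (1 - 1/b) * T / a."""
    ratio = (1 - 1 / b) * t_bound / a
    return ratio / (1 + ratio)

def simulate_node(t0, q, a, b, messages, runs, seed=1):
    """Mean final wait over `runs` nodes; assumed rule: a jamming message
    (probability q) adds a, any other message divides the wait by b."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(runs):
        t = t0
        for _ in range(messages):
            t = t + a if rng.random() < q else t / b
        total += t
    return total / runs

if __name__ == "__main__":
    a, b, t0 = 1, 2, 0.5          # a and b as in the experiments; t0 constructed
    for q in (0.1, 0.5, 0.9):     # constructed jamming fractions
        print(q, round(closed_form(t0, q, a, b, 50), 3),
              round(limit_wait(q, a, b), 3),
              round(simulate_node(t0, q, a, b, 50, 2000), 3))
    print("q allowed for T = 2:", max_jamming_fraction(2, a, b))
```

    With a = 1 and b = 2, a node whose messages jam 90% of the time settles near a wait of 18, while one at 10% settles near 0.22, which is the separation Proposition 3 describes.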

    From Proposition 4, we can control the waiting time of each message by using the predefined value $T > 0$.

    Furthermore, we consider the security of the approach for the mitigation of jamming attacks.

    The probability for jamming attackers to jam channels successfully. Assume that benign sensors and jamming attackers would generate traffic arrivals to channels with rates of b and a as well as the service rate of channels would be . Recall that N is the number of channels. In the current sensor networks, N may be 1 or 2. Then, the number of channels to be busy ranges from 0 to N. Thus, an (N+1)-state Markov chain can be used to model the availability of channels. We consider two classes of jamming attackers below.

    1) Random Jamming Attackers. They randomly jam channels.

    2) Intelligent Jamming Attackers. They specifically select a certain number of channels and only jam those channels.

    Proposition 5: In the case of random jamming attackers, the probability for jamming (i.e., all channels are occupied) is given by

    P(N) = (a + b)N

    N!N Nj=0

    (a + b)j

    j!j1

    Proposition 5 and the following proposition can be proved

    through the state transition of the Markov chain and its

    balance equations, which is not given due to the page limit.
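    The random-jammer case of Proposition 5 can be evaluated by solving the balance equations of the busy-channel chain directly, which also gives the attacker arrival rate a throttling scheme must enforce to stay under a target jamming probability. This Python code is an added example, not the paper's; it assumes each busy channel is released independently at the service rate (a loss system), the names rate_benign, rate_attack and service_rate are its own, and the demo takes 18 and 48 as the benign arrival rate and the service rate.

```python
from math import factorial

def stationary_busy_channels(arrival_rates, service_rate):
    """Stationary distribution of the number of busy channels.

    arrival_rates[j] is the total arrival rate offered while j channels are
    busy (j = 0..N-1). Balance: P(j) * j * service_rate = P(j-1) * rate.
    """
    weights = [1.0]
    for j, rate in enumerate(arrival_rates, start=1):
        weights.append(weights[-1] * rate / (j * service_rate))
    total = sum(weights)
    return [w / total for w in weights]

def jam_probability_random(rate_benign, rate_attack, service_rate, channels):
    """P(N) for random jammers: probability that all N channels are busy."""
    offered = [rate_benign + rate_attack] * channels
    return stationary_busy_channels(offered, service_rate)[-1]

def erlang_b(load, channels):
    """Closed-form loss probability, used as an independent cross-check."""
    terms = [load**j / factorial(j) for j in range(channels + 1)]
    return terms[-1] / sum(terms)

def attack_rate_budget(rate_benign, service_rate, channels, target, hi=1e4):
    """Largest attacker arrival rate that keeps P(N) <= target (bisection)."""
    if jam_probability_random(rate_benign, 0.0, service_rate, channels) > target:
        return 0.0  # benign traffic alone already exceeds the target
    lo = 0.0
    for _ in range(60):
        mid = (lo + hi) / 2
        p = jam_probability_random(rate_benign, mid, service_rate, channels)
        if p <= target:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    benign, service = 18, 48                 # assumed reading of the experiment values
    for channels in (1, 2):
        for attack in (0, 30, 60, 90):       # constructed attacker arrival rates
            p = jam_probability_random(benign, attack, service, channels)
            print(channels, attack, round(p, 3))
        print("budget for P(N) <= 0.2:",
              round(attack_rate_budget(benign, service, channels, 0.2), 2))
```

    With one channel, benign traffic alone already occupies it about 27% of the time, so no attacker rate meets a 20% target; with two channels the same target tolerates an attacker rate of 30.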

    Assume that intelligent jamming attackers would only jam $N_a$ channels where $1 \le N_a \le N$. Thus, we have that

    Proposition 6: In the case of intelligent jamming attackers, we have that


    1) The probability for all preselected $N_a$ to be jamming (i.e., all selected $N_a$ channels are occupied) is expressed by $\sum_{j=N_a}^{N} P(j)$.

    2) The probability for all channels to be jamming is

    given by P(N) =(a+b)

    NaNNab

    N!NP(0), where

    P(j) are obtained by solving the balance equation

    given by P(j) = (a+b)j P(j 1) if 1 j < Na,

    and P(j) = bj

    P(j 1) if Na j N;Nj=0 P(j) = 1.

    The goal of the time-based scheme is to reduce a but increase b so that the probability for jamming attackers to jam channels successfully will be reduced.

    B. Analysis of Robust Algorithms

    Recall that there are $h$ benign references among $n$ ones. Suppose that we randomly select 3 location references from $n$ ones. In such a selection, all 3 location references are benign with the probability of $p = \binom{h}{3} / \binom{n}{3}$. To ensure that all 3 selected references are benign with a good probability, we can repeatedly and randomly select 3 location references from $n$ ones. If the repeated number is $r$, then the probability for all 3 references to be benign in at least one selection is $P_r = 1 - (1-p)^r$. Table I gives the number of combinations $\binom{n}{3}$ in the brute-force robust algorithm and the repeated number $r$ to ensure that at least 3 benign references are selected with the chance of 99.5%. As shown in Table I, $r$ is much smaller than $\binom{n}{3}$.

    TABLE I. Parameters to ensure $P_r \ge 99.5\%$

    n                 50      100      500       1000      5000      10000
    h                 26      51       251       501       2501      5001
    $\binom{n}{3}$    19600   161700   2.1E+07   1.7E+08   2.1E+10   1.7E+11
    r                 23      23       23        23        23        23

    Thus, in the location prediction step of the efficient robust algorithm, we randomly select 3 location references from $n$ ones as a reference group. Repeat such a selection $r$ times. Then, we use all these $r$ reference groups to replace a set of all combinations of 3 location references from $n$ in the feasible robust algorithm. As discussed earlier, the location correction step is unchanged. Similar to the analysis in the brute-force robust algorithm, the complexity of the feasible robust algorithm is $(r + n \log n + h^2)$. It is interesting to see in Table I that $r = 23$. We are actually able to derive a closed-form solution for $r$ below.

    Proposition 7: In order for at least one group of all 3 selected references to be benign with the probability , we require that the repeated number r is not less than log(1)log 0.875 17.24 log(1 ), where 0 < 1.

    Proof. As discussed earlier, the probability for at least one group of all 3 selected references to be benign is $P_r = 1 - (1-p)^r$. To ensure Pr , we require that r log(1)log(1p) . As seen above, $p = \binom{h}{3} / \binom{n}{3}$ and $h = \frac{n}{2} + 1$. Thus, on the one hand, $p$ can be extended to

    $$p \le \frac{\binom{\frac{n}{2}+1}{3}}{\binom{n}{3}} = \frac{\left(\frac{n}{2}+1\right)\frac{n}{2}\left(\frac{n}{2}-1\right)}{n(n-1)(n-2)}$$

    which derives $\limsup_{n\to+\infty} p \le \frac{1}{8}$. On the other hand, we have the following inequality

    $$p \ge \frac{\binom{\frac{n}{2}}{3}}{\binom{n}{3}} = \frac{\frac{n}{2}\left(\frac{n}{2}-1\right)\left(\frac{n}{2}-2\right)}{n(n-1)(n-2)}$$

    Thus, $\liminf_{n\to+\infty} p \ge \frac{1}{8}$. Thus, $\lim_{n\to+\infty} p = \frac{1}{8}$. Furthermore, r log(1) log(1 18) 17.24 log(1 ).

    The result presented in Proposition 7 is significant. It not only provides a closed-form solution for the repeated number r but also shows that the solution is independent of n, the number of sensors. This means that r will not change as n increases. Table II shows the repeated number r to guarantee that at least one group of selected 3 location references are benign with the probability . As indicated in Table II, the repeated number r is small. It is only 87 even if =0.99999. This implies that it is very easy to get all 3 benign references in a selection. Hence, Proposition 7 shows that the feasible robust algorithm is efficient.

    TABLE II. r to ensure at least one group of 3 benign references with the probability

    Pr   0.80   0.85   0.90   0.95   0.99   0.999   0.9999   0.99999
    r    13     15     18     23     35     52      69       87

    The above analysis is based on the assumption that each selected 3 references can determine the location of a jammer, i.e., these references are not in a line. However, this assumption is not necessarily true due to possibly arbitrary action introduced by an attacker. There are two strategies to tackle this issue. (a) The first straightforward strategy is that if three references are (or closely are) in a line, such a selection is not counted, and we are required to randomly re-select 3 references from the pool until the repeated number given in Table II is reached. (b) The second strategy is that we may select 4 location references in each selection but only use 3 good ones for the location estimation. In such a situation, Table III shows the repeated number r to guarantee that at least one group of selected 4 location references are benign with the probability . All values of r are still relatively small. The first strategy is used in our numerical implementation.

    TABLE III. r to ensure at least one group of 4 benign references with the probability

    Pr   0.80   0.85   0.90   0.95   0.99   0.999   0.9999   0.99999
    r    25     30     36     47     72     108     143      179
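    The repetition counts in Tables II and III and re-selection strategy (a) can be reproduced as follows. This Python code is an added example, not the paper's implementation; the function names, the 300 m square used for random reference positions and the collinearity tolerance are assumptions.

```python
import math
import random
from math import comb

def all_benign_probability(n, h, k=3):
    """p: chance that k references drawn from n (h of them benign) are all benign."""
    return comb(h, k) / comb(n, k)

def repetitions(target, p):
    """Smallest r with 1 - (1 - p)**r >= target."""
    return math.ceil(math.log(1 - target) / math.log(1 - p))

def asymptotic_repetitions(target, k=3):
    """Repetitions for large n with a bare benign majority, where p -> 2**-k."""
    return repetitions(target, 2.0 ** -k)

def collinear(a, b, c, tol=1e-6):
    """True when three reference locations are (nearly) on one line."""
    area2 = (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    return abs(area2) <= tol

def draw_groups(refs, r, rng):
    """Strategy (a): draw r usable triples, re-drawing any collinear triple."""
    groups = []
    while len(groups) < r:
        g = rng.sample(range(len(refs)), 3)
        if not collinear(*(refs[i] for i in g)):
            groups.append(tuple(g))
    return groups

def hit_rate(n, h, r, trials, seed=7):
    """Fraction of trials in which at least one drawn triple is all benign."""
    rng = random.Random(seed)
    # Constructed reference positions, uniform in a 300 m x 300 m square.
    refs = [(rng.uniform(0, 300), rng.uniform(0, 300)) for _ in range(n)]
    hits = 0
    for _ in range(trials):
        benign = set(rng.sample(range(n), h))
        groups = draw_groups(refs, r, rng)
        hits += any(set(g) <= benign for g in groups)
    return hits / trials

if __name__ == "__main__":
    targets = (0.80, 0.85, 0.90, 0.95, 0.99, 0.999, 0.9999, 0.99999)
    print("3 references:", [asymptotic_repetitions(t, 3) for t in targets])
    print("4 references:", [asymptotic_repetitions(t, 4) for t in targets])
    p = all_benign_probability(100, 51)
    print("n=100, h=51, r=23: theory", round(1 - (1 - p) ** 23, 3),
          "simulated", hit_rate(100, 51, 23, 2000))
```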

    C. Experimental Evaluation

    We adopt the existing approach in Liu [6] and Dong and Liu [2] for the formation of a cluster and the selection of a cluster leader in the evaluation. The proposed approach consists of the two components. We have investigated it by using a variety of numerical experiments. We only select a few typical results here due to the page limit. All the experiments are executed in Matlab 7.04 on a DELL PC running Windows XP, which has a 3.0 GHz Pentium 4 processor and 2 GB memory.


    [Figure 1: four plots. (a) Jamming ratio versus jamming interval-arrival time, without our approach and with our approach. (b) Jamming ratio versus jamming interval-arrival time for a single jammer, two jammers and three jammers. (c) Average waiting time versus experiment time in logarithmic scale (base 2), for a regular node and a jammer. (d) Jamming ratio versus jamming arrival rate, for one channel and two channels.]

    Fig. 1. Jamming ratio and average waiting time

    In the experiments, we randomly deploy 450 sensors in a square area of 300m × 300m, each cluster with 50 nodes. That is, there are 9 clusters. We assume that each sensor would take 1 second to process a message including a security check and its channel transmission time would be 0.5 seconds. That is, the channel occupation time is 0.5 seconds for the sensor to send a message. The message interval-arrival time sent by sensors is 0.5. Let a = 1 and b = 2. We measure a jamming ratio in 10 minutes for the cases of different jamming interval-arrival times shown in Figures 1 (a) and (b) where the jamming ratio is defined as a ratio of the number of jammed messages and the number of messages sent in 10 minutes. As shown in Figure 1 (a), the jamming ratios of using the proposed approach are low in all cases, which means that the proposed approach effectively contains jamming attacks. Figure 1 (b) further shows the jamming ratios of not using the proposed approach in cases of multiple jammers. The jamming ratios of using the proposed approach are not shown in the figure because they are low like the ones in Figure 1 (a). We also monitor the change of waiting times during an experiment of using the proposed approach in case of a single jammer that is shown in Figure 1 for a simulation run of 500. As we see, the waiting time becomes controllable for a regular sensor but the waiting time of the jammer tends to a large value. Then, we consider b = 18 and = 48. Figure 1 (d) shows the probability for a jammer to jam channel(s) successfully (also referred to as a jamming ratio) with different jamming rates.

    Furthermore, we evaluate the accuracy of the proposed algorithms for the location discovery of a jammer. We simulate the attacks in the following way: We assume that the attacker intends to move the location of a jammer from its true location d distance away to (xa, ya) with Pat , in a random direction in the plane. The attacker then calculates the malicious sensor measurements using the Euclidean distance, and replaces a number of normal sensor measurements with the malicious ones. We set as the value such that Probability [L(x) 2] =0.995. Moreover, we set parameter h in the feasible robust algorithm as the value that makes Ph = 0.995. We measure the Euclidean distance error between the true location and estimated one using the above two algorithms. For each data point in our simulation, we repeat the simulated attacks 500 times and obtain the average of the above evaluation metrics. Due to the high computational cost of the brute-force robust algorithm, we limit the number of sensors to be 10 that exclude a jammer. Figures 2 (a) and (b) show the accuracy and execution time of the two algorithms. Figure 2 (c) further gives the accuracy of feasible robust algorithm for a case of 450 nodes.

    V. Related Work

    As discussed in Section I, several anti-jamming techniques have been suggested, for instance, FH, DSSS, and CSS in a physical layer, and channel surfing in a data-link layer. While physical-layer techniques require expensive transceivers, channel surfing may cause a poor network connectivity due to the change of frequency allocations. Thus, some jamming countermeasures have been proposed that include the rate adaptation algorithms, such as AMRR in Lacage et al. [4], Onoe in [10] and SampleRate in [9] and the ACK-Guide Immediate Link rate Estimation algorithm (AGILE) in Verma et al. [17]. Ancillotti et al. [1] gave the performance evaluation of rate adaptation algorithms. However, rate adaptation algorithms usually have a number of inherent limitations such as inaccuracy, slow response to changing conditions, packet loss, inflexibility, and poor scalability. Thus, the time-based window scheme is suggested to better address these issues in the paper. It adds the time delay to attackers. The idea is better than the method of a message puzzle that has been used to mitigate DoS attacks (e.g., see Ning [11]). This is because the method of a message puzzle requires a message sender to have powerful computation capacity that is usually not true in sensor networks. The location discovery of jammers has been studied in the literature (e.g., ). Pelechrinis et al. [12] proposed a distributed, lightweight jammer localization system by using a gradient descent based algorithm to locate a jammer. Liu et al. [8] developed the Virtual Force Iterative Localization (VFIL) algorithm to estimate the location of a jammer by utilizing the network topology that used RSS to compute the transmission power of a jammer.


    [Figure 2: three plots, each against the distance error that an attacker intends to introduce, in logarithmic scale (base 2). (a) Location estimation error (meter) for the brute-force robust algorithm and the feasible robust algorithm. (b) Average execution time (ms) for the brute-force robust algorithm and the feasible robust algorithm. (c) Location estimation error (meter) for the feasible robust algorithm (450 nodes).]

    Fig. 2. Accuracy and efficiency of robust algorithms

    Most existing techniques considered a single jammer and do not permit other malicious sensors besides a jammer in the networks. Liu et al. [7] extended the results of Liu et al. [8] to the case of multiple jammers, but it is mainly based on signal-to-noise ratio (SNR). Moreover, most existing studies lack a theoretical analysis of the proposed algorithms. In this paper, we consider the transmission power as an unknown variable and directly estimate it based on the location information of other sensors. Furthermore, we proposed the location discovery of jammers where other malicious nodes may coexist with jammers in a network that reflects real-world applications. In particular, the theoretical analysis of the proposed algorithms has been given.

    VI. Conclusion and Future Work

    In this paper, we have studied the mitigation of jamming attacks and the location discovery of jammers in a wireless sensor network where there may be other malicious nodes besides jammers. Jamming attacks are the consequence of radio interference that becomes a serious threat in sensor network applications. In this paper, we have proposed a systematic approach to tackling jamming attacks. The approach consists of the mitigation of jamming attacks and the discovery and removal of jamming attackers. Since jamming attacks could be launched randomly, we have developed the time-based window scheme to restrain jamming attacks from a sensor network. By sufficiently considering an intrinsic relationship between the problem and the linear regression, we proposed to formulate the problem of a jammer's location discovery as an LTA-type minimization problem. To tackle this problem, we introduced the concept of consistency among sensor location references. Then, we developed the brute-force robust algorithm and the feasible robust algorithm for the location discovery of jamming attackers that permit us to remove jamming attackers from wireless sensor networks. We have further evaluated the proposed approach through theoretical analysis and numerical experiments. Our numerical results have demonstrated the efficiency and effectiveness of these algorithms. In the future, we would like to extend our approach to support other cases such as the mobility of nodes including jamming attackers.

    References

    [1] E. Ancillotti, R. Bruno, and M. Conti. Experimentation and performance evaluation of rate adaptation algorithms in wireless mesh networks. In Proceedings of the 5th ACM PE-WASUN, 2008.

    [2] Q. Dong and D. Liu. Resilient cluster leader election for wireless sensor networks. In Proceedings of SECON, 2009.

    [3] Y. Faizulkhakov. Time synchronization methods for wireless sensor networks: A survey. Programming and Computer Software, 33:214-226, 2007.

    [4] M. Lacage, M. Manshaei, and T. Turletti. IEEE 802.11 rate adaptation: A practical approach. In Proceedings of MSWiM, 2004.

    [5] Y. Law, P. Hartel, J. Hartog, and P. Havinga. Link-layer jamming attacks on S-MAC. In Proceedings of EWSN, 2005.

    [6] D. Liu. Resilient cluster formation for sensor networks. In Proceedings of ICDCS, 2007.

    [7] H. Liu, Z. Liu, Y. Chen, and W. Xu. Localizing multiple jammers in wireless networks. In Proceedings of ICDCS, 2011.

    [8] H. Liu, W. Xu, Y. Chen, and Z. Liu. Localizing jammers in wireless networks. In Proceedings of WiCOM, 2009.

    [9] J. Bicket. Bit-rate selection in wireless networks. In MIT, M.S. Thesis.

    [10] MadWifi driver documentation. Onoe rate control. In http://madwifi.org/wiki/UserDocs/RateControl.

    [11] P. Ning, A. Liu, and W. Du. Mitigating DoS attacks against broadcast authentication in wireless sensor networks. ACM Transactions on Sensor Network, 4, 2008.

    [12] K. Pelechrinis, I. Koutsopoulos, I. Broustis, and S. Krishnamurthy. Lightweight jammer localization in wireless networks: system design and implementation. In Proceedings of Globecom, 2009.

    [13] R. Poisel. Modern Communications Jamming Principles and Techniques. Artech House Publishers, 2003.

    [14] P. Rousseeuw and A. Leroy. Robust regression and outlier detection. Wiley-Interscience, 2003.

    [15] F. Sivrikaya and B. Yener. Time synchronization in sensor networks: a survey. IEEE Network, 18:45-50, 2004.

    [16] B. Sundararaman, U. Buy, and A. Kshemkalyani. Clock synchronization for wireless sensor networks: A survey. Ad Hoc Networks, 2005.

    [17] L. Verma, S. Kim, S. Choi, and S. Lee. AGILE Rate Control for IEEE 802.11 Networks. Future Generation Information Technology, Lecture Notes in Computer Science, Volume 5899. Springer-Verlag, 2009.

    [18] W. Xu, W. Trappe, and Y. Zhang. Defending wireless sensor networks from radio interference through channel adaptation. ACM Transactions on Sensor Network, 4, 2008.

    [19] W. Xu, W. Trappe, Y. Zhang, and T. Wood. The feasibility of launching and detecting jamming attacks in wireless networks. In Proceedings of MobiHoc, pages 45-57, 2005.