Jammers in wsn

A Trigger Identification Service forDefending Reactive Jammers in WSN

Ying Xuan, Yilin Shen, Nam P. Nguyen, and My T. Thai, Member, IEEE

Abstract—During the last decade, Reactive Jamming Attack has emerged as a great security threat to wireless sensor networks, due

to its mass destruction to legitimate sensor communications and difficulty to be disclosed and defended. Considering the specific

characteristics of reactive jammer nodes, a new scheme to deactivate them by efficiently identifying all trigger nodes, whose

transmissions invoke the jammer nodes, has been proposed and developed. Such a trigger-identification procedure can work as an

application-layer service and benefit many existing reactive-jamming defending schemes. In this paper, on the one hand, we leverage

several optimization problems to provide a complete trigger-identification service framework for unreliable wireless sensor networks.

On the other hand, we provide an improved algorithm with regard to two sophisticated jamming models, in order to enhance its

robustness for various network scenarios. Theoretical analysis and simulation results are included to validate the performance of this

framework.

Index Terms—Reactive jamming, jamming detection, trigger identification, error-tolerant nonadaptive group testing, optimization,

NP-hardness.

Ç

1 INTRODUCTION

SINCE the last decade, the security of wireless sensornetworks (WSNs) has attracted numerous attentions,

due to its wide applications in various monitoring systemsand vulnerability toward sophisticated wireless attacks.Among these attacks, jamming attack where a jammer nodedisrupts the message delivery of its neighboring sensornodes with interference signals, has become a critical threatto WSNs. Thanks to the efforts of researchers toward thisissue, as summarized in [12], various efficient defensestrategies have been proposed and developed. However, areactive variant of this attack, where jammer nodes stayquite until an ongoing legitimate transmission (even has asingle bit) is sensed over the channel, emerged recently andcalled for stronger defending system and more efficientdetection schemes.

Existing countermeasures against Reactive Jammingattacks consist of jamming (signal) detection and jammingmitigation. On the one hand, detection of interferencesignals from jammer nodes is nontrivial due to thediscrimination between normal noises and adversarialsignals over unstable wireless channels. Numerous at-tempts to this end monitored critical communication relatedobjects, such as Receiver Signal Strength (RSS), Carrier SensingTime (CST), Packet Delivery Ratio (PDR), compared theresults with specific thresholds, which were establishedfrom basic statistical methods and multimodal strategies[9], [12]. By such schemes, jamming signals could bediscovered, but to locate the jammer nodes based on thesesignals is much more complicated and has not been settled.

On the other hand, various network diversities areinvestigated to provide mitigation solutions [6]. Spreadingspectrum [12], [5], [8] making use of multiple frequencybands and MAC channels, Multipath routing benefitingfrom multiple pre-selected routing paths [6] are two goodexamples of them. However, in this method, the capabilityof jammers are assumed to be limited and powerless tocatch the legitimate traffic from the camouflage of thesediversities. However, due to the silent behavior of reactivejammers, they have more powers to destruct these mitiga-tion methods. To this end, other solutions are in great need.A mapping service of jammed area has been presented in[11], which detects the jammed areas and suggests thatrouting paths evade these areas. This works for proactivejamming, since all the jammed nodes are having low PDRand thus incapable for reliable message delay. However, inthe case of reactive jamming, this is not always the case.Only a proportion of these jammed nodes, named triggernodes, whose transmissions wake up the reactive jammers,are blocked to avoid the jamming effects.

In this paper, we present an application-layer real-timetrigger-identification service for reactive-jamming in wire-less sensor networks, which promptly provides the list oftrigger-nodes using a lightweight decentralized algorithm,without introducing neither new hardware devices, norsignificant message overhead at each sensor node.

This service exhibits great potentials to be developed asreactive jamming defending schemes. As an example, byexcluding the set of trigger nodes from the routing paths,the reactive jammers will have to stay idle since transmis-sions cannot be sensed. Even though the jammers movearound and detect new sensor signals, the list of triggernodes will be quickly updated, so are the routing tables. Asanother example, without prior knowledge of the numberof jammers, the radius of jamming signals and specificjamming behavior types, it is quite hard to locate thereactive jammers even the jammed areas are detected (e.g.,by Wood et al. [11]). However, with the trigger nodes

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 793

. The authors are with the Department of Computer Information Science andEngineering, University of Florida, CSE Building, Gainesville, Florida32611-6120. E-mail: {yxuan, yshen, nanguyen, mythai}@cise.ufl.edu.

Manuscript received 1 Mar. 2010; revised 9 Mar. 2011; accepted 18 Mar.2011; published online 6 Apr. 2011.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TMC-2010-03-0103.Digital Object Identifier no. 10.1109/TMC.2011.86.

1536-1233/12/$31.00 � 2012 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS

localized, we can narrow down the possible locations ofreactive jammers.

Although the benefits of this trigger-identificationservice are exciting, its hardness is also obvious, whichdues to the efficiency requirements of identifying the set oftrigger nodes out of a much large set of victim nodes, thatare affected jamming signals from reactive jammers withpossibly various sophisticated behaviors. To address theseproblem, a novel randomized error-tolerant group testingscheme as well as minimum disk cover for polygons areproposed and leveraged.

The basic idea of our solution is to first identify the set ofvictim nodes by investigating corresponding links’ PDRand RSS, then these victim nodes are grouped into multipletesting teams. Once the group testing schedule is made at thebase station and routed to all the victim nodes, they thenlocally conducts the test to identify each of them as a triggeror nontrigger. The identification results can be stored locallyfor reactive routing schemes or delivered to the base stationfor jamming localization process.

In the remainder of this paper, we first present theproblem definition in Section 2, where the network model,victim model, and attacker models are included. Then, weintroduce three kernel techniques for our scheme, Rando-mized Error-Tolerant Nonadaptive Group Testing, Clique-inde-pendent Set (CIS), and Minimum Disk Cover in a SimplePolygon in Section 3. The core of this paper: trigger-nodeidentification and its error-tolerant extension toward sophis-ticated jammer behaviors are presented, respectively, inSections 4 and 5. A series of simulation results for evaluatingthe system performance and validating the theoreticalresults are included in Section 6. We present related worksin Section 7 and summarize the paper in Section 8.

2 PROBLEM MODELS AND NOTATIONS

2.1 Network Model

We consider a wireless sensor network consisting ofn sensor nodes and one base station (larger networks withmultiple base stations can be split into small ones to satisfythe model). Each sensor node is equipped with a globallysynchronized time clock, omnidirectional antennas,m radios for in total k channels throughout the network,where k > m. For simplicity, the power strength in eachdirection is assumed to be uniform, so the transmissionrange of each sensor can be abstracted as a constant rs andthe whole network as a unit disk graph (UDG) G ¼ ðV ;EÞ,where any node pair i; j is connected iff the euclideandistance between i; j: �ði; jÞ � rs. We leave asymmetricpowers and polygonal transmission area for further study.

2.2 Attacker Model

We consider both a basic attacker model and severaladvanced attacker models in this paper. Specifically, weprovide a solution framework toward the basic attackermodel, and validate its performance toward multipleadvanced attacker models theoretically and experimentally.

2.2.1 Basic Attacker Model

Conventional reactive jammers [12] are defined as mal-icious devices, which keep idle until they sense any ongoinglegitimate transmissions and then emit jamming signals

(packet or bit) to disrupt the sensed signal (called jammerwake-up period), instead of the whole channel, whichmeans once the sensor transmission finishes, the jammingattacks will be stopped (called jammer sleep period). Threeconcepts are introduced to complete this model.

Jamming range R. Similar to the sensors, the jammers areequipped with omnidirectional antennas with uniformpower strength on each direction. The jammed area can beregarded as a circle centered at the jammer node, with aradius R, where R is assumed greater than rs, for simulatinga powerful and efficient jammer node. All the sensors withinthis range will be jammed during the jammer wake-upperiod. The value of R can be approximated based on thepositions of the boundary sensors (whose neighbors arejammed but themselves not), and then further refined.

Triggering range r. On sensing an ongoing transmission,the decision whether or not to launch a jamming signaldepends on the power of the sensor signal Ps, the arrivedsignal power at the jammer Pa with distance r from thesensor, and the power of the background noise Pn.

According to the traditional signal propagation model,

the jammer will regard the arrived signal as a sensor

transmission as long as the Signal-Noise-Ratio is higher than

some threshold, i.e., SNR ¼ PaPn> � where Pa ¼ Ps

r�� Y with �

and � called jamming decision threshold and path-loss factor,

Y as a log-normally random variable. Therefore, r � ð��PnPs�Y Þ1� is

a range within which the sensor transmission will definitely

trigger the jamming attack, named as triggering range. As will

be shown later, this range r is bounded byR from above, and

rs from below, where the distances from either bounds are

decided by the jamming decision threshold �. For simplicity,

we assume triggering range is the same for each sensor.Jammer distance. Any two jammer nodes are assumed

not to be too close to each other, i.e., the distance betweenjammer J1 and J2 is �ðJ1; J2Þ > R. The motivations behindthis assumptions are three-fold: 1) the deployment ofjammers should maximize the jammed areas with a limitednumber of jammers, therefore large overlapping betweenjammed areas of different jammers lowers down the attackefficiency; 2) �ðJ1; J2Þ should be greater than R, since thetransmission signals from one jammer should not interferethe signal reception at the other jammer. Otherwise, thelatter jammer will not able to correctly detect any sensortransmission signals, since they are accompanied with highRF noises, unless the jammer spends a lot of efforts indenoising or embeds jammer-label in the jamming noise forthe other jammers to recognize. Both ways are infeasible foran efficient attack; 3) the communications between jammersare impractical, which will expose the jammers to anomalydetections at the network authority.

2.2.2 Advanced Attacker Model

To evade detections, the attackers may alter their behaviorsto evade the detection, for which two advanced reactivejamming models: probabilistic attack and asymmetric responsetime delay are considered in this paper. In the first one, thejammer responds each sensed transmission with a prob-ability � independently. In the second one, the jammerdelays each of its jamming signals with an independentlyrandomized time interval.

794 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012

We do not specify the possible changes of jammingrange R as an advanced model, since the trigger set in thiscase will not change, though the victim set varies. Further,we do not theoretically analyze the effects of variousjamming decision threshold � in this paper version, but weevaluate all these above factors in the simulation section.Jammer mobilities are out of the scope of this paper, whichassumes that the jammers are static during our trigger-identification phase. This is quite reasonable, since the timelength of this phase is short, as to be shown later.

2.3 Sensor Model

Besides monitoring the assigned network field and generat-ing alarms in case of special events (e.g., fire, hightemperature), each sensor periodically sends a status reportmessage to the base station, which includes a header and amain message body containing the monitored results,battery usage, and other related content. As shown inFig. 1, the header is designated for antijamming purpose,which is 4-tuple: Sensor_ID as the ID of the sensor node,Time_Stamp as the sending out time indicating thesequence number, as well as a Label referring to the node’scurrent jamming status, and TTL as the time-to-live fieldwhich is initialized as the 2D with network diameter D.

According to the jamming status, all the sensor nodes canbe categorized into four classes: trigger nodes TN , victimnodes VN , boundary nodes BN , and unaffected node UN .Trigger nodes refer to the sensor nodes whose signals awakethe jammers, i.e., within a distance less than r from ajammer. Victim nodes are those within a distance R from anactivated jammer and disturbed by the jamming signals.Since R > r, TN � VN . Other than these disturbed sensors,UN and BN are the unaffected sensors while the latter oneshave at least one neighbor in VN , hence BN � UN , andVN \ UN ¼ ;. The Label field of each sensor indicates thesmallest class it belongs to. The relationships among theseclasses are shown in Fig. 2.

There are two issues orthogonal to our solution. On onehand, the detection of jammed signals at each sensor node isorthogonal to this work, and can be completed viasophisticated reactive jamming detection techniques, suchas comparing the SNR, PDR, and RSS with predefinedthresholds, as shown in [9]. With regard to the effects ofdetection errors on our solution, we provide sometheoretical analysis at the end of Section 5.1.1. On the otherhand, the detailed attack schemes adopted by the reactivejammers are orthogonal with our application-layer service.As long as the jamming detection techniques that we resortto can efficiently detect these malicious signals, either highRF noises, fraud message segments, etc., our solutionservice is feasible.

3 THREE KERNEL TECHNIQUES

In this section, three kernel techniques for the proposedprotocol are introduced. Most existing antijamming works

consider only proactive jammers, while reactive jammerscan bring up larger damage due to efficient attack andhardness to detect. To this end, we embed a group testingprocess, i.e., the randomized error-tolerant group testing bymeans of our designed random ðd; zÞ-disjunct matrix, to therouting update scheme, which avoids unnecessarily largeisolated areas as [11] does. Moreover, most existingtopology-based solutions [23], [24] can only handle thesingle-jammer case, since lacking of knowledge over thejamming range and inevitable overlapping of the jammedareas bring ups the analytical difficulties, for which weresort to a minimum disk cover problem in a simple polygonproblem and a clique-independent set problem.

3.1 Error-Tolerant Randomized Nonadaptive GroupTesting

Group Testing was proposed since WWII to speed up theidentification of affected blood samples from a large samplepopulation. This scheme has been developed with acomplete theoretical system and widely applied to medicaltesting and molecular biology during the past severaldecades [1]. Notice that the nature of our work is toidentify all triggers out of a large pool of victim nodes, sothis technique intuitively matches our problem.

The key idea of group testing is to test items in multipledesignated groups, instead of individually. The principlesof traditional group testing are sketched in the Appendix,which can be found on the Computer Society DigitalLibrary at http://doi.ieeecomputersociety.org/10.1109/TMC.2011.86.

3.1.1 Traditional Nonadaptive Group Testing

The key idea of group testing is to test items in multipledesignated groups, instead of testing them one by one. Thetraditional method of grouping items is based on adesignated 0-1 matrix Mt�n where the matrix rowsrepresent the testing group and each column refers to anitem (Fig. 3). M½i; j� ¼ 1 if the jth item appears in the ithtesting group, and 0 otherwise. Therefore, the number ofrows of the matrix denotes the number of groups tested inparallel and each entry of the result vector V refers to thetest outcome of the corresponding group (row), where 1denotes positive outcome and 0 denotes negative outcome.

XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 795

Fig. 1. Sensor periodical status report message.

Fig. 2. Nodes in gray and blue are victim nodes around jammer nodes,where blue nodes are also trigger nodes, which invoke the jammernodes. Nodes surrounding the jammed are boundary nodes, while theothers are unaffected nodes.

Given that there are at most d < n positive items amongin total n ones, all the d positive items can be efficiently andcorrectly identified on condition that the testing matrix M isd-disjunct: any single column is not contained by the unionof any other d columns. Owing to this property, eachnegative item will appear in at least one row (group) whereall the positive items do not show up, therefore, by filteringall the items appearing in groups with negative outcomes, all theleft ones are positive. Although providing such simpledecoding method, d-disjunct matrix is nontrivial to con-struct [1], [2] which may involve with complicatedcomputations with high overhead, e.g., calculation ofirreducible polynomials on Galois Field. In order toalleviate this testing overhead, we advanced the determi-nistic d-disjunct matrix used in [7] to randomized error-tolerant d-disjunct matrix, i.e., a matrix with less rows butremains d-disjunct w.h.p. Moreover, by introducing thismatrix, our identification is able to handle test errors undersophisticated jamming environments.

In order to handle errors in the testing outcomes, theerror-tolerant nonadaptive group testing has been developedusing ðd; zÞ-disjunct matrix, where in any dþ 1 columns,each column has a 1 in at least z rows where all the other dcolumns are 0. Therefore, a ðd; 1Þ-disjunct matrix is exactlyd-disjunct. Straightforwardly, the d positive items can stillbe correctly identified, in the presence of at most z� 1 testerrors. In the literature, numerous deterministic designs forðd; zÞ-disjunct matrix have been provided (summarized in[1]), however, these constructions often suffer from high-computational complexity, thus are not efficient forpractical use and distributed implementation. On the otherhand, to our best knowledge, the only randomizedconstruction for ðd; zÞ-disjunct matrix dues to Cheng’s workvia q-nary matrix [19], which results in a ðd; zÞ-disjunctmatrix of size t1 � n with probability p0, where t1 is

4:28d2 log2

1� p0 þ 4:28d2 lognþ 9:84dzþ 3:92z2 ln2n� 1

1� p0 ;

with time complexity Oðn2 lognÞ. Compared with this work,we advance a classic randomized construction for d-disjunct matrix, namely, random incidence construction[1], [2], to generate ðd; zÞ-disjunct matrix which can not onlygenerate comparably smaller t� n matrix, but also handlethe case where z is not known beforehand, instead, only theerror probability of each test is bounded by some constant�. Although z can be quite loosely upper bounded by �t, yett is not an input. The motivation of this construction lies inthe real test scenarios, the error probability of each test isunknown and asymmetric, hence it is impossible toevaluate z before knowing the number of pools.

We only show the performance of this new construction,namely, ETG algorithm in this section. The details of theconstruction and analysis are included in the Appendix,available in the online supplemental material.

Theorem 3.1. The ETG algorithm produces a ðd; zÞ-disjunctmatrix with probability p0 where p0 can be arbitrarily

approaching 1.

. The worst-case number of rows of this matrix isbounded by

3:78ðdþ 1Þ2 lognþ 3:78ðdþ 1Þ log2

1� p0

� �� 3:78ðdþ 1Þ þ 5:44ðdþ 1Þðz� 1Þ;

much smaller than 4:28d2 log 21�p0 þ 4:28d2 logn þ

9:84dzþ 3:92z2 ln 2n�11�p0 .

. If z � �t, the worst-case number of rows becomes

t ¼ � lnnðdþ 1Þ2 � 2�ðdþ 1Þ lnð1� p0Þð� � �ðdþ 1ÞÞ2

where � ¼ ðd=ðdþ 1ÞÞd and asymptotically t ¼Oðd2 lognÞ.

Proof. See Section B in the Appendix, available in the onlinesupplemental material. tu

Theorem 3.2. The ETG algorithm has smaller time complexity

Oðd2n lognÞ than Oðn2 lognÞ, when d <ffiffiffinp

.

3.2 Minimum Disk Cover in a Simple Polygon

Given a simple polygon with a set of vertices inside, theproblem of finding a minimum number of variable-radii

disks that not only cover all the given vertices, but also areall within the polygon, can be efficiently solved.

The latest results due to the near linear algorithmproposed recently by Kaplan et al. [25], which investigatesthe medial axis and voronoi diagram of the given polygon,and provides the optimal solution using Oð$þ �ðlog$þlog6�ÞÞ time and Oð$þ � log log�Þ space, where the numberof edges of the polygon is $ and nodes within it as �. Weemploy this algorithm to estimate the jamming range R.

3.3 Clique-Independent Set

Cliques-Independent Set is the problem to find a set ofmaximum number of pairwise vertex-disjoint maximalcliques, which is referred to as a maximum clique-independent

set (MCIS) [4]. Since this problem serves as the abstractedmodel of the grouping phase of our identification, its hardnessis of great interest in this scope. To our best knowledge, it hasalready been proved to be NP-hard for cocomparability,planar, line, and total graphs; however, its hardness on UDGis still open. We propose its NP-complete proof in theAppendix, available in the online supplemental material.

There have been numerous polynomial exact algorithmsfor solving this problem on graphs with specific topology,e.g., Helly circular-arc graph and strongly chordal graph[4], but none of these algorithms gives the solution on UDG.In this paper, we employ the scanning disk approach in [3] tofind all maximal cliques on UDG, and then find all theMCIS using a greedy algorithm.


Fig. 3. Binary testing matrix M and testing outcome vector V . Assumedthat item 1 (first column) and item 2 (second column) are positive, thenonly the first two groups return negative outcomes, because they do notcontain these two positive items. On the contrary, all the other fourgroups return positive outcomes.

4 TRIGGER-NODE IDENTIFICATION

We propose a decentralized trigger-identification proce-dure. It is lightweight in that all the calculations occur at thebase station, and the transmission overhead as well as thetime complexity is low and theoretically guaranteed. Noextra hardware is introduced into the scheme, except for thesimple status report messages sent by each sensor, and thegeographic locations of all sensors maintained at the basestation. Three main steps of this procedure are as follows:

1. Anomaly Detection—the base station detects potentialreactive jamming attacks, each boundary node triesto report their identities to the base station.

2. Jammer Property Estimation—The base station calcu-lates the estimated jammed area and jamming rangeR based on the locations of boundary nodes.

3. Trigger Detection

a. the base station makes a short encrypted testingschedule message Z which will be broadcastedto all the boundary nodes.

b. boundary nodes keep broadcasting Z to all thevictim nodes within the estimated jammed areafor a period Q.

c. all the victim nodes locally execute the testingprocedure based on Z, identify themselves astriggers or nontriggers.

4.1 Anomaly Detection

Each sensor periodically sends a status report message tothe base station. However, once the jammers are activatedby message transmissions, the base station will not receivethese reports from some sensors. By comparing the ratio ofreceived reports to a predefined threshold , the basestation can thus decide if a jamming attack is happening inthe networks. When generating the status report message,each sensor can locally obtain its jamming status and decidethe value of the Label field (Initially trigger “TN”). In detail,if a node v hears jamming signals, it will not try to send outmessages but keep its label as victim. If v cannot sensejamming signals, its report will be routed to the base stationas usual, however, if it does not receive ACK from itsneighbor on the next hop of the route within a time outperiod, it tries for two more retransmissions. If no ACKs arereceived, it is quite possible that that neighbor is a victimnode, then v updates Label tuple as boundary “BN” in itsstatus report. Another outgoing link from v with the mostavailable capacity is taken to forward this message. If thestatus report is successfully delivered to the base stationwith Label ¼ TN, the corresponding node is regarded asunaffected. All the messages are queued in the buffer of theintermediate nodes and forwarded in an FCFS manner. TheTTL value is reduced by 1 per hop for each message, andany message will be dropped once its TTL ¼ 0.

The base station waits for the status report from eachnode in each period of length P. If no reports have beenreceived from a node v with a maximum delay time, then vwill be regarded as victim. The maximum delay time isrelated to graph diameter and will be specified later. If theaggregate report amount is less than , the base stationstarts to create the testing schedule for the trigger nodes,based on which the routing tables will be updated locally.

4.2 Jammer Property Estimation

We estimate the jamming range as R and the jammed areasas simple polygons, based on the locations of the boundaryand victim nodes.

For sparse-jammer where the distribution of jammers isrelatively sparse and there is at least one jammer whosejammed area does not overlap with the others, likeJ2 in Fig. 2.By denoting the set of boundary nodes for the ith jammed areaas BNi, we can estimate the coordinate of this jammer as

ðXJ; YJÞ ¼PBNi

k¼1 Xk

jBNij;

PBNi

k¼1 YkjBNkj

!;

where ðXk; YkÞ is the coordinate of a node k is the jammedarea BNi and the jamming range R is

R ¼ min8BNi

maxk2BNi

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiðXk �XJÞ2 þ ðYk �XJÞ2

q� �� ;

for we assume that all the jammers have the same range.For dense-jammer, shown in Fig. 4, we first estimate the

jammed areas, which are simple polygons (unnecessarilyconvex) containing all the boundary and victim nodes. Thisprocess consists of three steps: 1) discovery of convex hulls ofthe boundary and victim nodes, where no unaffected nodesare included in the generate convex polygons. 2) for eachboundary node v not on the hull, choose two nodes on thehull and connect v to them in such a way that the internalangle at this reflex vertex is the smallest, hence the polygonis modified by replacing an edge (dotted one in Fig. 4) bythe two new ones. The resulted polygon is the estimatedjammed area. 3) execute the near-linear algorithm [25] tofind the optimal variable-radii disk cover of all the victimnodes, but constrained in the polygon, and return thelargest disk radius as R.

4.3 Trigger Detection

Since the jammer behavior is reactive, in order to find all thetrigger nodes, a straightforward way is that let each sensorbroadcast one by one, and listen to possible jammingsignals. However, this individual detection is quite timeconsuming and all the victim nodes thus have to be isolatedfor a long detection period, or even returns wrong detectionresult in the presence of mobile jammers. In this case, thenetwork throughput would be dramatically decreased.Therefore, to promptly and accurately find out thesetriggers from a large pool of victim nodes, emerges as themost challenging part of the proposed protocol, for whichthe idea of group testing is applied.

In this section, we only consider a basic attack modelwhere the jammers deterministically and immediately broad-casts jamming signals once it senses the sensor signal.


Fig. 4. Estimated R and jammed area.

Therefore, as long as at least one of the broadcasting victimnodes is a trigger, some jamming signals will be sensed, andvice versa. The performance of this protocol towardsophisticated attacker models with probabilistic attackstrategies will be validated in the next section.

All the following is the encrypted testing schedule overall the victim nodes, which is designed at the base stationbased on the set of boundary nodes and the global topology,stored as a message (illustrated in Table 1) and broadcastedto all the boundary nodes. The broadcasting of the testingscheduling message adopts a routing mechanism similar toreverse path forwarding. In detail, all the status reportmessages relayed to the base station will record all thenodes’ IDs on their routing paths. Therefore, withoutconsidering mobile jammers, those routing paths can bereused to send out these testing scheduling messages andevade the jammed areas.

After receiving this message, each boundary node broad-casts this message one time using simple flooding method toits nearby jammed area. All the victim nodes execute thetesting schedule and indicate themselves as nontriggers ortriggers. Since all the sensor nodes are equipped with aglobal uniform clock, and no message transmissions to thebase station are required during the detection, the mechan-ism is easy to implement and practical for applications.

As shown in Table 1, for each time slot, m sets of victimsensors will be tested. The selection of these sets involves atwo-level grouping procedure.

First-level, the whole set of victims are divided intoseveral interference-free testing teams. Here, by interferencefree we mean that if the transmissions from the victimnodes in one testing team invokes a jammer node, itsjamming area will not reach the victim nodes in anothertesting team. Therefore, by trying broadcasting from victimnodes in each testing team and monitoring the jammingsignals, we can conclude if any members in this team aretriggers. In addition, all the tests in different testing teamscan be executed simultaneously since they will not interfereeach other. Fig. 5 provides an example for this. Threemaximal cliques C1 ¼ fv1; v2; v3; v4g, C2 ¼ fv3; v4; v5; v6g,C3 ¼ fv5; v7; v8; v9g can be found within three jammed areas.Imagine these three cliques are, respectively, the threeteams we test at the same time. If v4 in the middle teamkeeps broadcasting all the time and J2 is awaken frequently,no matter the trigger v2 in the leftmost team is broadcastingor not, v3 will always hear the jamming signals, so these twoteams interfere each other. In addition, node-disjoint groupsdo not necessarily interference free, as the leftmost andrightmost teams show.

Second-level, within each testing team, victims arefurther divided into multiple testing groups. This iscompleted by constructing a randomized ðd; 1Þ-disjunctmatrix, as mentioned in Section 3.1, mapping each sensornode to a matrix column, and make each matrix row as atesting group (sensors corresponding to the columns with 1sin this row are chosen). Apparently, tests within one groupwill possibly interfere that of another, so each group will beassigned with a different frequency channel.

The duration of the overall testing process is t time slots,where the length of each slot is L. Both t and L arepredefined, yet the former depends on the total number ofvictims and estimated number of trigger nodes, and thelatter depends on the transmission rate of the channel.Specifically, at the beginning of each time slot, all the sensorsdesignated to test in this slot broadcast a �-bit test packet onthe assigned channel to their 1-hop neighbors. Till the endof this slot, these sensors keep detecting possible jammingsignals. Each sensors will label itself as a trigger unless in at

least one slot of its testing, no jamming signal is sensed.The correctness of this trigger identification procedure is

theoretically straightforward. Given that all the testingteams are interference free, then the testing with differentteams can be executed simultaneously. Given that we havean upper bound d on the number of trigger nodes and eachtesting group follow the ðd; 1Þ-disjunct matrix, whichguarantees that each nontrigger node will be included inat least one group, which does not contain any trigger node,so each nontrigger node will not hear jamming signals in atleast one time slot, but the trigger nodes will since thejammers are activated once they broadcast the test packets.Therefore, two critical issues need to be addressed to ensurethis correctness: how to partition the victim set into

maximal interference-free testing teams and estimate the

number of trigger nodes d, as follows: Though these twoinvolve geometric analysis over the global topology, since it onlytakes the information of boundary and victim nodes as inputs, andis calculated at the base station, no message complexity isintroduced.

4.3.1 Discovery of Interference-Free Testing Teams

As stated above, two disjoint sets of victim nodes areinterference-free testing teams iff the transmission within oneset will not invoke a jammer node, whose jamming signalswill interfere the communications within the other set.Although we have estimated the jamming range R, it is stillquite challenging to find these interference-free teamswithout knowing the accurate locations of the jammers.Notice that it is possible to discover the set of victim nodeswithin the same jammed area, i.e., with a distance R fromthe same jammer node. Any two nodes within the same


TABLE 1Message Containing Trigger

Detection Schedule

Fig. 5. Interference teams.

jammed area should be at most 2R far from each other, i.e.,if we induce a new graph G0 ¼ ðV 0; E0Þ with all these victimnodes as the vertex set V 0 and E0 ¼ fðu; vÞj�ðu; vÞ � 2Rg, thenodes jammed by the same jammer should form a clique.The maximum number of vertex-disjoint maximal cliques(i.e., clique-independent set) of this kind provides an upperbound of possible jammers within the estimated jammedarea, where each maximal clique is likely to correspond tothe nodes jammed by the same jammer.

The solution consists of three steps: CIS discovery on theinduced graph from the remaining victim without testschedules, boundary-based local refinement and interfer-ence-free team detection. We iterate three steps to decidethe schedule for every victim node.

CIS discovery. We first employ Gupta’s MCE algorithm[3] to find all the maximal cliques, then use a greedyalgorithm, as shown in Algorithm 1 to get the CIS.

Algorithm 1. CIS discovery.

Local refinement. Each clique we select is expected torepresent the jammed area poisoned by the same jammer,and this area should not cover the boundary nodes.However, we did not take this into account when discover-ing the CIS, and need to locally update it. Specially, for eachclique, we find its circumscribed circle CC and theconcentric circle CC0 with radius R of CC. In the case thatCC0 covers any boundary nodes, we locally select anotherclique by adding/removing nodes from this clique, to see ifthe problem can be solve. If not, we keep this clique as it is,otherwise, we update it. This is illustrated in Fig. 6.

Team detection. The cliques in CIS can also interfereeach other, e.g., the clique V1V2V3V4 and V5V7V8V9 in Fig. 5.This is because the signals from V4 will wake J2, who willtry to block these signals with noises and affect V5 by theway. But if any two cliques C1 and C2 are not connected byany single edge, then they are straightforwardly inter-ference free, since the shortest distance between any node inC1 and C2 is larger than 2R. But the farthest jammer waken

by and from C1 is r < R distance away, whose jammingrange can only reach another R distance further, which isthus away from C2. Therefore, the cliques in the obtainedCIS of this kind are selected as testing teams. While theothers are left for the next time slot.

In addition, in the worst case, any single maximal cliqueC has at most 12 interfering cliques in the CIS, as theshadowed ones in Fig. 7. Therefore, at most 13 testing teamsare required to cover all these cliques. If the number ofchannels k given is larger than 13, then a frequency-divisionis available, i.e., these interfering cliques can still becomesimultaneous testing teams, on the condition each team canonly use minfd k13e;mg of the given channels, where m is thenumber of radios per sensor. Otherwise, we have to use timedivisions, i.e., they have to be tested in different time slots.

4.3.2 Estimation of Trigger Upper Bound

Before bounding the trigger quantity from above, thetriggering range r should be estimated. As mentioned inthe attacker model, r depends not only on the power of bothsensors and jammers, but also the jamming threshold � andpath-loss factor �

r � Pn � �Ps � Y

� �1�

;

since the real time Pn and Ps are not given, we estimate rbased on the SNR cutoff �0 of the network setting. In fact,the transmission range of each sensor rs is a maximumradius to guarantee

SNR ¼ PaPn¼ Ps � YPn � r�s

� �0:

Therefore, we can estimate r as

r rs�

�0

� �1�

;

where �0 and � are parts of the network input, while � isassumed as a constant, which indicates the aggressivenessof the jammer. For this estimation, � can be first set as 10 db,which is the normally lower bound of SNR in wirelesstransmission, and then adaptively adjusted to polish theservice quality.

With estimated r, since all the trigger nodes in the sameteam should be within a 2r distance from each other, byfinding another induced graphG00 ¼ ðWi;E

00Þ from the victimnodes Wi in team i, with E00 ¼ fðu; vÞ 2 E00 if �ðu; vÞ � 2rg,the size of the maximal clique indicates the upper bound ofthe trigger nodes, thus can be an estimate over d.


Fig. 6. Clique C1 ¼ V1V2V3V4 is chosen by CIS, but its concentric circleCC0 covers boundary node V0, then clique C2 ¼ V4V5V6V7 replaces C1 inthe testing team for the first round. Clique V1V2V3 are left for the nextround.

Fig. 7. Maximum # interfering cliques.

As mentioned above, all the parallel testing teams selectedare interference free; therefore, we roughly regard each teamto be the jammed area of one jammer. As a deeperinvestigation, the number of jammers that can be invokedby the nodes in the same team (six 3-clique within the redcircles) can be up to 6, since the minimum distance betweentwo jammers is greater than R and r � R, as shown in Fig. 8.Therefore on the induced graph, the largest 6 cliques form thepossible trigger set. However, since the jammer distributioncannot be that dense for the sake of energy conserving, theformer estimate over d is large enough.

4.4 Analysis of Time and Message Complexity

Time complexity. By time complexity we mean theidentification delay counted since the attack happens tillall the nodes successfully identify themselves as trigger ornontrigger. Therefore, the complexity break downs intofour parts:

1. the detection of jamming signals at local links Td;2. the routing of sensor report to the base station from

each sensor node, and the testing schedule to eachvictim node from the base station, aggregated as Tr;

3. the calculation of CIS and R at the base station Tc;4. the testing at each jammed area Tt.

The local jamming signal detection involves the statis-tical properties of PDR, RSS, and SNR, which is orthogonalto our work. We regard Td as Oð1Þ since it is an entirely localoperation and independent with the network scale.

The routing time overhead is quite complicated, sincecongestions need to be considered. For simplicity, weconsider that all the 1-hop transmission takes Oð1Þ timeand bound Tr using the diameter D of the graph. Asmentioned earlier, the base station waits at most Oð2DÞ forthe reports, so that is the upper bound of the one-wayrouting. As to the other way, we also bound it using Oð2DÞto match any collision and retransmission cases.

The calculation of CIS resorts to the algorithm in [3], whichfinds Oðl�Þ maximal cliques on UDG within Oðl�2Þ time,where l ¼ jEj and � refers to the maximum degree. We useda greedy algorithm to find a MCIS from these Oðl�Þ cliqueswith Oðl3�3QÞ time: Oðl�Þ-time for each clique to checkthe overlapping with other cliques, Oðl�Þ-time to find aclique overlapping with minimum other cliques, and Qdenotes the number of testing teams. Notice that in practice,sensor networks are not quite dense, so the number of edges land maximum degree � are actually limited to small values.On the other hand, the time complexity of estimatingR is upto Oðn�

2 þ nðlog n�2 þ log6 nÞ using the minimum disk cover

algorithm as mentioned.

The testing delay Tt depends on the number of testing

rounds and the length of each round. Since the reactive

jamming signal disappears as soon as these sensed 1-hop

transmission finishes, each round length is then Oð1Þ. The

number of testing rounds is however complicated and

bounded by Theorem 4.1.

Lemma 4.1. Based on the ETG algorithm, the number of tests to

identify d trigger nodes from jW j victim nodes is upper

bounded by tðjW j; dÞ ¼ Oðd2i dln jW jeÞ w.h.p.

Theorem 4.1 (Main). The total number of testing rounds is

upper bounded by

O maxQ

i¼1

13 minfd2i dln jWije; jWijgm

� �� ;

w.h.p, with di ¼ minfP6

s¼1 jcsðGiÞj; jWijg and csðGiÞ is the

sth largest clique over an induced unit disk subgraph Gi ¼ðWi;Ei; 2rÞ in the testing team i.

Proof. First, from Lemma 4.1, at most tðjW j;dÞm ¼ d2

i dln jW jem

testing rounds are needed to identify all nodes in testing

team i. Second, the set of testing teams that can be tested in

parallel is 13, as mentioned earlier. Combining with the

worst case upper bound of triggers in each team, the

upper bound on round is derived. tu

If the jamming range R is assumed known beforehand,

similar to [7], the whole time complexity is thus

O maxQ

i¼1

13d2i dln jWije; jWij

m

� �� ;

and asymptotically bounded by Oðn2 lognÞ. It is asympto-

tically smaller than that of [7]

OX�ðHÞi¼1

maxjð2þ oð1ÞÞ

d2j log2

2 jWjjlog2

2ðdj log2 jWjjÞ;

�m

& ’ !;

where �ðHÞ refers to the maximum degree of the induced

graph H (in this new solution, maximum degree is not

involved). By taking the calculation overhead for R into

account, the overall time complexity is asymptotically

Oðn2 lognþ n log6 nÞ, which is Oðn log6 nÞ for n � 4.Message complexity. On the one hand, the broadcasting

of testing schedule Z from the base station to all the victim

nodes costs OðnÞ messages in the worst case. On the other

hand, the overhead of routing reports toward the base

station depends on the routing scheme used and the

network topology as well as capacity. The upper bound is

straightforward obtained in a line graph with the base

station at one end, whose message complexity is Oðnðn�1Þ2 Þ.

With regard to the message overhead of the testing

process. Considering that there are approximately jWijdþ1 victim

nodes in each testing group of team Wi (mentioned in the

construction of randomized ðd; zÞ-disjunct matrix in Appen-

dix, available in the online supplemental material), the

overhead of each testing group in a testing round is jWijdþ1 1-hop

testing message broadcasted by all victim nodes in each group

of team Wi. Therefore, the overhead message complexity is


Fig. 8. Maximum # jammers invoked by one team.

O n2 þXQi¼1

jWijmaxQ

i¼1fdidln jWije; jWijgm

!;

which is Oðn2 lognÞ.

5 ADVANCED SOLUTIONS TOWARD SOPHISTICATED

ATTACK MODELS

In this section, we consider two sophisticated attackermodels: probabilistic attack and variant response time delay,where the jammers rely each sensed transmission withdifferent probabilities, instead of deterministically, or delaythe jamming signals with a random time interval, insteadof immediately. This may mismatch with the originaldefinition of reactive jamming, which targets at transmis-sion signals, instead of nodes or channels. However, cleverjammers can possibly change their strategies to evadepossible sensed detections. Also, a common sense indicatesthat as long as an activity is sensed by the jammer, it isquite possible that some other activities are following this.So delaying the response time still guarantees the attackefficiency, but minimize the risk of being caught byreactive detections.

Since our scheme is robust and accurate in the steps ofgrouping, generating disjunct matrix and decoding thetesting results, the only possible test errors arise from thegeneration of testing outcomes. Nevertheless, by usingthe error-tolerant disjunct matrix and relaxing the identifi-cation procedures to asynchronous manner, our schemewill provide small false rates in these cases. Some notationscan be found in Table 2. In this section, the terms test andgroup, the terms column and nodes are interchangeable.

5.1 Upper Bound on the Expected Value of z

First, we investigate the properties of both jammingbehaviors and obtain the expected number of error testsin both cases through the following analysis. Since inpractice, it is not trivial to establish accurate jammingmodels, we derive an upper bound of the error probabilitywhich does not require the beforehand knowledge of theobjective jamming models, which is therefore feasible forreal-time identifications. Since it is a relaxed bound, it couldbe further strengthened via learning the jamming history.

5.1.1 Probabilistic Jamming Response (Detection)

A clever jammer can choose not to respond to some sensedongoing transmissions, in order to evade the detection.Assume that each ongoing transmission has an independentprobability � to be responded. In our construction algorithmETG, where each matrix entry is IID and has a probability pto be 1, therefore for any single test i with i 2 ½1; t�

Pr½uðiÞ ¼ x� ¼ d

x

� �pxð1� pÞd�x: ð1Þ

For each test i, the event that it contains at least one triggerbut returns a negative result, has a probability at most

Pr½gðiÞ ¼ 0 & uðiÞ � 1� ð2Þ

¼Xdx¼1

ð1� �Þx d

x

� �pxð1� pÞd�x ð3Þ

¼ ½ð1� �Þpþ 1� p�d � ð1� pÞd ð4Þ

¼ ð1� �pÞd � ð1� pÞd < ð1� �Þp: ð5Þ

Meanwhile, the event that it contains no trigger nodes butreturns a positive result, has a probability

Pr½gðiÞ ¼ 1 & uðiÞ ¼ 0� ¼ 0: ð6Þ

Since in practical � � 12 , we therefore have the expected

number of false positive and negative tests is, respectively,at most pt=2 and 0.

Instead of the jamming behavior, the jamming signaldetection errors can be analyzed using the same method.Given that each node detects possible jamming signalssuccessfully with probability q, then following (1), we cansimilarly have the false negative rate of each test i

Pr½gðiÞ ¼ 0 & uðiÞ � 1� ð7Þ

¼Xdx¼1

ð1� qÞx d

x

� �pxð1� pÞd�x ð8Þ

¼ ½ð1� qÞpþ 1� p�d � ð1� pÞd ð9Þ

¼ ð1� qpÞd � ð1� pÞd < ð1� qÞp; ð10Þ

which is also small considering p ¼ 1dþ1 .

5.1.2 Variant Reaction Time

The introduction of group testing techniques aims todecrease the identification latency to the minimum, there-fore, if the jammer would not respond intermediately aftersensing the ongoing transmissions, but instead wait for arandomized time delay, the test outcomes would be messedup. Since it is expensive to synchronize the tests amongsensors, we use a predefined testing length as L, thus thetest outcome of test i 2 ½1; t� is generated within timeinterval ½ðd ime � 1ÞL; d imeL�. There are two possible errorevents regarding any test i.

. FpðiÞ: test i is negative, but some jamming signalsare delayed from previous tests and interfere thistest, where we have a false positive event;

. FnðiÞ: test i is positive, but the jammer activated inthis test delayed its jamming signals to somesubsequent tests, meanwhile, no delayed jammingsignals from previous tests exists, where we have afalse negative event.

Since the jammers in this paper are assumed to block

communications only on the channels where transmissions


TABLE 2Notations

are sensed, for the following analysis, we claim that the

interferences can only happen between any two tests i; j

with i jðmod mÞ. Denote the delay of jamming signals as

a random variable X ¼ fxð1Þ; xð2Þ; xð3Þ; . . .xðtÞg where xðiÞis the delay for possible jamming signals arisen from test i.

1) For event FpðiÞ, consider the test i�m, in order to have

its jamming signals delayed to test i, we have a bound on

xði�mÞ 2 ð0; 2LÞ. Similarly, in order to have the signals of

any test j delayed to i, we have xðjÞ 2 ½ði�jm � 1ÞL; ði�jm þ 1ÞL�.Further the probability density function of X is PðiÞ ¼Pr½X ¼ xðiÞ�. Consider all the tests prior to i, which are

i mod m; 1þ i mod m; . . . ; i�m, we have the probability

for FpðiÞ

ð1� pÞdXi�m

j¼i mod m

Z ði�jmþ1ÞL

ði�jm�1ÞLPðwÞdwð1� ð1� pÞdÞ: ð11Þ

To simplify this expression, we assume that X=L follows auniform distribution within the range ½0; � with a small ,which is reasonable and efficient for attackers in practice.

Since the nature of jamming attacks lies in adapting theattack frequency due to the sensed transmissions, too largedelay does not make sense to tackle the ongoing transmis-sions. Under a uniform distribution, the probability of FpðiÞbecomes

ð1� ð1� pÞdÞð1� pÞdXi�m

j¼max i mod m;i�m��1

2

¼ ð1� ð1� pÞdÞð1� pÞd i

m

� � 1

� �2

:

Therefore, the expected number of false positive tests is atmost

Tþ �Xti¼1

ð1� ð1� pÞdÞð1� pÞdðÞ 2

� 2Xti¼1

ð1� ð1� pÞdÞð1� pÞd

� 2ð1� ð1� pÞdÞð1� pÞdt:

2) For eventFnðiÞ, following the similar arguments above,

we have an upper bound of the probability for FnðiÞ (assumethat any delays larger than l at test i will interfere the tests jfollowing iwhere j 2 ½maxði mod m; i�m� � 1Þ; i�m�):

ð1� ð1� pÞdÞZ þ1l

PðwÞdw

� 1�Xj

Z ði�jmþ1ÞL

ði�jm�1ÞLPðwÞdwð1� ð1� pÞdÞ

!

� ð1� ð1� pÞdÞð1� 2ð1� ð1� pÞdÞÞð � lÞ=� ð1� ð1� pÞdÞð1� 2ð1� ð1� pÞdÞÞ:

So the expected number of false negative tests is at most

T� � ð1� ð1� pÞdÞð1� 2ð1� ð1� pÞdÞÞt: ð12Þ

Therefore, we could use a union bound and obtain a worstcase error rate of each test

� ¼ p2þ 2ð1� ð1� pÞdÞð1� pÞd

þ ð1� ð1� pÞdÞð1� 2ð1� ð1� pÞdÞÞ¼ ð10� � 8�2 � ��d � 1Þ=2;

where � ¼ ðd=ðdþ 1ÞÞd. Intuitively, we can have an upperbound on the number of error tests as z ¼ � t ¼ð10� � 8�2 � ��d � 1Þ=2, and take it as an input to constructthe ðd; zÞ-disjunct matrix. However, notice that z dependson t, i.e., the number of rows of the constructed matrix, wetherefore derive another bound of t related to �, as shownin the Appendix, available in the online supplementalmaterial.

5.2 Error-Tolerant Asynchronous Testing withinEach Testing Team

By applying the derived worst cast number of error testsinto the ETG construction, we can obtain the followingalgorithm where tests are conducted in an asynchronousmanner to enhance the efficiency.

As shown in Algorithm 2, after all the groups aredecided, conduct group testing on them in m pipelines,where in each pipeline any detected jamming signals willend the current test and trigger the next tests while groupsreceiving no jamming signals will be required to resendtriggering messages and wait till the predefined round timehas passed. These changes over the original algorithm,especially the asynchronous testing are located in eachtesting team, thus will not introduce significant overheads,however, the resulted error rates are quite low.

Algorithm 2. Asynchronous Testing.

6 EXPERIMENTAL EVALUATION

6.1 Overview

As a lightweight distribute trigger-identification service, oursolution will be experimentally evaluated from four facets:

. in order to show the benefit of this service, wecompare it with JAM [11] in terms of the end-to-end


delay and delivery ratio of the detour routes fromthe base station to all the sensor nodes, as thenumber of sensors n, sensor range rs, and number ofjammers J vary within practical intervals.

. in order to show the acceleration effect of the clique-independent set in this solution, we compare thecomplexity of this solution to our previous centra-lized one [7], with varying the above four para-meters, where both jamming and triggering range Rand r are assumed to be known beforehand.

. in order to show the accuracy of estimating thejamming range by using the polygon disk coveralgorithm, we provide the estimated jammingranges as well as the error rate to the actual values.

. in order to show its performance and robustnesstoward tricky attackers, we assess its false positive/negative rate and the estimation of R, for those twoadvanced jammer models.

The simulation is developed using C++ on a Linux Work-station with 8 GB RAM. A 1;000� 1;000 square sensor fieldis created with uniformly distributed n sensor nodes, onebase station and J randomly distributed jammer nodes. Allthe simulation results are derived by averaging 20 randominstances.

6.2 Benefits for Jamming-Resistent Routing

JAM [11] proposed a jamming-resistent routing scheme,where all the detected jammed areas will be evaded andpackets will not pass through the jammed nodes. Thismethod is dedicated for proactive jamming attacks, whichsacrifices significant packet delivery ratio due to theunnecessarily long routes selected, though the effects ofjamming signals are avoided. We compare the end-to-enddelay between each sensor node and the base station, of theselected routes by evading the jammed areas detected byJAM, with that of the ones evading only trigger nodes.Although there are many existing routing protocols forunreliable network environments, the aim of this experi-ment is to show the potential of this service to variousapplications, instead of being a dedicated routing protocol.

Three key parameters for routing could be the number ofJammers J , jamming range R, jamming threshold �. Asmentioned earlier, � indicates the aggressiveness of theattacker and the triggering range r rsð��0Þ

1� . Therefore, with

rs, �0 and � as fixed network inputs, the effect of � can be

exactly indicated by studying the effect of r instead.The whole network has n ¼ 1;500 nodes and sensor

transmission range rs ¼ 50. The results with respect to the

three parameters J 2 ½1; 20�, R 2 ½100; 200�, r 2 ½50; 150� areincluded in Figs. 9a, 9b, and 9c, respectively. Notice that foreach experiments, the other two parameters are set as themedian value of their corresponding intervals. Therefore,R ¼ 150 for Fig. 9c, which matches the extreme case R ¼ r.Furthermore, for the nodes that are in jammed areas forJAM and that are triggers for our method, in another word,unable to deliver packets to or from the base station, wecount the delay as nþ 1, which is an upper bound of theroute length.

As shown in Figs. 9a and 9b, when j and R increases,the routing delay goes up, which is quite reasonable sincethe jamming areas get larger and more detours have to betaken. The length of routes based on JAM quickly climbs upto the upper bound, while that of our trigger method ismuch lower and more stable (less than 900 seconds). Whentriggering range r is small, as in Fig. 9c, the end-to-enddelay of Trigger-based routing is much smaller than theother, while as r increases the two approaches each other,since more victim nodes are triggers.

6.3 Improvements on Time Complexity

In our previous work [7], we proposed a preliminary idea ofthis trigger detection, and provided a disk-based solution.However, its high time complexity limits its usage in real-time networks. As mentioned above, the time complexity ofour new clique-based detection is proved to be asympto-tically lower than the previous, while the message complex-ities are approaching each other.

Although the computational overhead for estimating R isasymptotically huge, the phase is not the key part of ourscheme, and can be easily improved by machine learningtechniques. Therefore, in this section, we assume that bothR and r are known beforehand, and validate the theoreticalresults through simulations on network instances withvarious settings. Specifically, the network size n rangingfrom 450 to 550 with step 2, transmission rs from 50 to 60with step 0.2, and number of jammers J from 3 to 10 withstep 1. Parameter values lower than these intervals wouldmake the sensor network less connected and jammingattack less severe, while higher values would lead toimpractical dense scenarios and unnecessary energy waste.

Since the length of each reactive attack is equal to thetransmission delay of the object sensor signal, note that inour trigger detection, only one message is broadcast byeach sensor in the testing groups. Therefore, it is reasonableto predefine the length of each testing round as a constant.We set this as 1 second, which is far more enough for any


Fig. 9. Benefits for routing.

single packet to be transmitted from one node to itsneighboring nodes. Henceforth, the time cost shown inSection 6.3 only indicates the number of necessary roundsto find out all the triggers, and can be further reduced. Themessage complexity is measured via the average messagecost on each sensor node.

As shown in Figs. 10a and 10b, this clique-based schemecompletes the identification with steadily less than 10 sec-onds, compared to the increasing time overhead with morethan 15 seconds of the disk-based solution, as the networkgrows denser with more sensor nodes. Meanwhile, itsamortized communication overheads are only slightlyhigher than that of the other solution, whereas both arebelow 10 messages per victim node. Therefore, the newscheme is even more efficient and robust to large-scalenetwork scenarios.

With the sensor transmission radius growing up, thetime complexity of the disk-based solution graduallyascends (Figs. 10d and 10c) due to the increased maximumdegree �ðHÞ mentioned in the above analysis. Compara-tively, the time cost of clique-based solution remains below10 seconds, while the two message complexities are similar.

Since sensor nodes are uniformly distributed, the morejammer nodes placed in the networks, the more victimnodes are expected to be tested, the identification complex-ity will therewith raises, as the performance of disk-basedscheme shows in Figs. 10f and 10e. Encouragingly, theproposed scheme can still finish the identification promptlywith less than 10 seconds, which grows up much slowerthan the other. It has slightly more communication over-heads (10 messages per victim nodes) but is still affordableto power-limited sensor nodes.

6.4 Accuracy in Estimating Jammer Properties

Though the estimate of jamming range R is only to providean upper bound for R, such that the testing teams obtainedaccordingly are interference free, we are also interested in

the accuracy of this estimation. As shown in Fig. 11, weinvestigate the error rate �R for R ¼ ½50; 100� when thereare, respectively, J ¼ 5; 10; 15 jammers.

Two observations are straightforward from these results:1) all the estimated values are above the actual ones,however, less than 10 percent difference. This meets ourrequirement for a tight upper bound of R. 2) the error ratesin case of fewer jammers are lower than those with morejammers. This is because the jammer areas can have largeroverlaps, which introduces estimate inaccuracies.

6.5 Robustness to Various Jammer Models

In order to show the precision of our proposed solutionunder different jamming environments, we vary the twoparameters of the jammer behaviors above: Jammer Response

Probability � and Testing Round Length/Maximum Jamming

Delay L=X and illustrate the resulted false rates in Figs. 12aand 12b. To simulate the most dangerous case, we assume ahybrid behavior for all the jammers, for example, thejammers in the simulation of Fig. 12a not only launchthe jamming signals probabilistically, but also delay thejamming messages with a random period of time up to 2L.On the other hand, the jammers in the simulation of Fig. 12b


Fig. 10. Time and message complexity.

Fig. 11. Estimation error of R.

respond each sensed transmission with probability 0.5 aswell. All the simulation results are derived by averaging 10instances for each parameter team.

As shown in both figures, we consider the extreme caseswhere jammers respond transmission signals with a prob-ability as small as 0.1, or delay the signals to up to 10 testingrounds later. This actually contradicts with the nature ofreactive jamming attacks, which aim at disrupting thenetwork communication as soon as any legitimate transmis-sion starts. The motivation of such parameter setting is toshow the robustness of this scheme even if the attackerssense the detection and intentionally slow down the attacks.The overall false rates are below 20 percent.

In Fig. 12a, when � > 1=2 which corresponds to practicalcases, we find that the false negative rates generally decreasefrom 10 to 5 percent as � increases. Meanwhile the falsepositive rate grows gently, but is still below 14 percent, this isbecause as more and more jamming signals are sent, due totheir randomized time delays, more and more following testswill be influenced and become false positive. In Fig. 12b,considering the practical cases where L=X > 1=2, both ratesare going down from around 10 to 1 percent, since themaximum jamming delay becomes shorter and shortercompared to the testing round length L, as the number ofinterferences between consecutive tests decreases.

7 RELATED WORKS

Existing countermeasures against jamming attacks in WSNcan be categorized into two facets: signal detection andmitigation, both of which have been well studied anddeveloped with various defense schemes. On the one hand,a majority of detection methods focus on analyzing specificobject values to discover abnormal events, e.g., Xu et al. [16]studied a multimodel (PDR, RSS) to consistently monitorjamming signals. Work based on similar ideas [17], [15], [14]improved the detection accuracy by investigating sophisti-cated decision criteria and thresholds. However, reactivejamming attacks, where the jammer node are not continu-ously active and thus unnecessary to cause huge deviationsof these variables from normal legitimate profiles, cannot beefficiently tackled by these methods. In addition, somerecent works proposed methods for detecting jammed areas[11] and directing normal communications bypass possiblejammed area using wormhole [18]. These solutions caneffectively mitigate jamming attacks, but their performancesrely on the accuracy of detection on jammed areas, i.e., thetransmission overhead would be unnecessarily brought upif the jammed area is much larger than its actual size. On the

other hand, mitigation schemes which benefit from channelsurfing [13], frequency hopping and spatial retreats [12],reactively help legitimate nodes escape from the jammedarea or frequency. Unfortunately, being lack of preknow-ledge over possible positions of hidden reactive jammernodes, legitimate nodes cannot efficiently evade jammingsignals, especially in dense sensor network when multiplemobile nodes can easily activate reactive jammer nodes andcause the interference. For the sake of overcoming theselimitations above, in [7] we studied on the problem ofidentification trigger nodes with a short period of time,whose results can be employed by jamming-resistentrouting schemes, to avoid the transmissions of these triggernodes and deactivate the reactive jammer nodes. In thispaper, we complete this trigger identification procedure asa lightweight service, which is prompt and reliable tovarious network scenarios.

8 DISCUSSION AND CONCLUSIONS

One leftover problem to this service framework is thejammer mobility. Although the identification latency hasbeen shown small, it would not be efficient toward jammersthat are moving at a high speed. This would become aninteresting direction of this research.

Another leftover problem is the application of this service.Jamming-resistent routing and jammer localizations areboth quite promising, yet the service overhead has to befurther reduced to for real-time requirements.

As a summary, in order to provide an efficient trigger-identification service framework, we leverage severaloptimization problem models and provide correspondingalgorithms to them, which includes the clique-independentproblem, randomized error-tolerant group testing, andminimum disk cover for simple polygon. The efficiency ofthis framework is proved through both theoreticallyanalysis toward various sophisticated attack models andsimulations under different network settings. With abun-dant possible applications, this framework exhibits hugepotentials and deserves further studies.

ACKNOWLEDGMENTS

This work was partially supported by US National ScienceFoundation Career Award # 0953284 and DTRA, YoungInvestigator Award, Basic Research Program # HDTRA1-09-1-0061 and DTRA # HDTRA1-08-10.

REFERENCES

[1] D.Z. Du and F. Hwang, Pooling Designs: Group Testing in MolecularBiology. World Scientific, 2006.

[2] M. Goodrich, M. Atallah, and R. Tamassia, “Indexing Informationfor Data Forensics,” Proc. Third Applied Cryptography and NetworkSecurity Conf. (ACNS), 2005.

[3] R. Gupta, J. Walrand, and O. Goldschmidt, “Maximal Cliques inUnit Disk Graphs: Polynomial Approximation,” Proc. Int’l NetworkOptimization Conf. (INOC), 2005.

[4] V. Guruswami and C.P. Rangan, “Algorithmic Aspects of Clique-Transversal and Clique-Independent Sets,” Discrete Applied Math.,vol. 100, pp. 183-202, 2000.

[5] W. Hang, W. Zanji, and G. Jingbo, “Performance of DSSS AgainstRepeater Jamming,” Proc. IEEE 13th Int’l Conf. Electronics, Circuitsand Systems (ICECS), 2006.


Fig. 12. Solution robustness.

[6] P. Tague, S. Nabar, J.A. Ritcey, and R. Poovendran, “Jamming-Aware Traffic Allocation for Multiple-Path Routing UsingPortfolio Selection,” IEEE/ACM Trans. Networking, vol. 19, no. 1,pp. 184-194, Feb. 2011.

[7] I. Shin, Y. Shen, Y. Xuan, M.T. Thai, and T. Znati, “ReactiveJamming Attacks in Multi-Radio Wireless Sensor Networks: AnEfficient Mitigating Measure by Identifying Trigger Nodes,” Proc.Second ACM Int’l Workshop Foundations of Wireless Ad Hoc andSensor Networking and Computing (FOWANC), in conjunction withMobiHoc, 2009.

[8] O. Sidek and A. Yahya, “Reed Solomon Coding for FrequencyHopping Spread Spectrum in Jamming Environment,” Am.J. Applied Sciences, vol. 5, no. 10, pp. 1281-1284, 2008.

[9] M. Strasser, B. Danev, and S. Capkun, “Detection of ReactiveJamming in Sensor Networks,” ACM Trans. Sensor Networks, vol. 7,pp. 1-29, 2010.

[10] H. Wang, J. Guo, and Z. Wang, “Feasibility Assessment ofRepeater Jamming Technique for DSSS,” Proc. IEEE WirelessComm. and Networking Conf. (WCNC), 2007.

[11] A.D. Wood, J. Stankovic, and S. Son, “A Jammed-Area MappingService for Sensor Networks,” Proc. IEEE 24th Real-Time SystemsSymp. (RTSS), 2003.

[12] W. Xu, K. Ma, W. Trappe, and Y. Zhang, “Jamming SensorNetworks: Attack and Defense Strategies,” IEEE Network, vol. 20,no. 3, pp. 41-47, May/June 2006.

[13] W. Xu, T. Wood, W. Trappe, and Y. Zhang, “Channel Surfing andSpatial Retreats: Defenses Against Wireless Denial of Service,”Proc. ACM Workshop Wireless Security, pp. 80-89, 2004.

[14] M. Li, I. Koutsopoulos, and R. Poovendran, “Optimal JammingAttacks and Network Defense Policies in Wireless Sensor Net-works,” Proc. IEEE INFOCOM, 2007.

[15] R.A. Poisel, Modern Communications Jamming Principles andTechniques. Artech House, 2004.

[16] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The Feasibility ofLaunching and Detecting Jamming Attacks in Wireless Net-works,” Proc. ACM MobiHoc, 2005.

[17] M. Cakiroglu and A.T. Ozcerit, “Jamming Detection Mechanismsfor Wireless Sensor Networks,” Proc. Third Int’l Conf. ScalableInformation Systems (InfoScale), 2008.

[18] M. Cagalj, S. Capkun, and J.P. Hubaux, “Wormhole-BasedAntijamming Techniques in Sensor Networks,” IEEE Trans. MobileComputing, vol. 6, no. 1, pp. 100-114, Jan. 2007.

[19] Y.-X. Chen and D.-Z. Du, “New Constructions of One- and Two-Stage Pooling Designs,” J. Computational Biology, vol. 15, pp. 195-205, 2008.

[20] M.G. Garey and D.S. Johnson, “The Rectilinear Steiner TreeProblem is NP-Complete,” SIAM J. Applied Math., vol. 32, pp. 826-834, 1977.

[21] L.G. Valiant, “Universality Considerations in VLSI Circuits,” IEEETrans. Computers, vol. 30, no. 2, pp. 135-140, Feb. 1981.

[22] K. Pelechrinis, I. Koutsopoulos, I. Broustis, and S.V. Krishna-murthy, “Lightweight Jammer Localization in Wireless Networks:System Design and Implementation,” Proc. IEEE 28th Conf. GlobalTelecomm. (GlobeCom ’09), 2009.

[23] H. Liu, W. Xu, Y. Chen, and Z. Liu, “Localizing Jammers inWireless Networks,” Proc. IEEE Int’l Conf. Pervasive Computing andComm. (PWN), 2009.

[24] Z. Liu, H. Liu, W. Xu, and Y. Chen, “Wireless JammingLocalization by Exploiting Nodes’ Hearing Ranges,” Proc. Int’lConf. Distributed Computing in Sensor Systems (DCOSS), 2010.

[25] H. Kaplan, M. Katz, G. Morgenstern, and M. Sharir, “OptimalCover of Points by Disks in a Simple Polygon,” Proc. 18th Ann.European Symp. Algorithms, 2010.

Ying Xuan received the BE degree in computerengineering from the University of Science andTechnology of China, Anhui, in 2006. He is nowworking toward the PhD degree in the Depart-ment of Computer and Information Science andEngineering, University of Florida, under thesupervision of Dr. My T. Thai. His researchtopics include applied group testing theory,social networking, and network vulnerability.

Yilin Shen received the BS degree in appliedmathematics from Donghua University, Shang-hai, China, in 2005. He is currently workingtoward the PhD degree at the Department ofComputer and Information Science and Engi-neering, University of Florida, under the super-vision of Dr. My T. Thai. His research topicsinclude network security, and network reliabilityand social networks.

Nam P. Nguyen received the bachelor’s degreefrom Vietnam National University in 2007 andthe master’s of science degree from OhioUniversity in 2009, both in mathematics. He iscurrently working toward the PhD degree incomputer science at the CISE Department,University of Florida. His interests include com-munity detection methods for both static anddynamic networks, and effective approximationalgorithms for networking problems.

My T. Thai received the PhD degree in computerscience from the University of Minnesota, TwinCities, in 2006. She is an assistant professor inthe Department of Computer and InformationSciences and Engineering at the University ofFlorida. Her current research interests includealgorithms and optimization on network scienceand engineering. She also serves as an associ-ate editor for the Journal of CombinatorialOptimization (JOCO) and Optimization Letters

and a conference chair of COCOON 2010 and several workshops in thearea of network science. She is a recipient of DoD Young InvestigatorAwards and US National Science Foundation CAREER awards. She is amember of the IEEE.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Documents

Jammers in wsn