- 1. IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY
2012793A Trigger Identification Service for Defending Reactive
Jammers in WSNYing Xuan, Yilin Shen, Nam P. Nguyen, and My T. Thai,
Member, IEEEAbstractDuring the last decade, Reactive Jamming Attack
has emerged as a great security threat to wireless sensor networks,
dueto its mass destruction to legitimate sensor communications and
difficulty to be disclosed and defended. Considering the
specificcharacteristics of reactive jammer nodes, a new scheme to
deactivate them by efficiently identifying all trigger nodes,
whosetransmissions invoke the jammer nodes, has been proposed and
developed. Such a trigger-identification procedure can work as
anapplication-layer service and benefit many existing
reactive-jamming defending schemes. In this paper, on the one hand,
we leverageseveral optimization problems to provide a complete
trigger-identification service framework for unreliable wireless
sensor networks.On the other hand, we provide an improved algorithm
with regard to two sophisticated jamming models, in order to
enhance itsrobustness for various network scenarios. Theoretical
analysis and simulation results are included to validate the
performance of thisframework.Index TermsReactive jamming, jamming
detection, trigger identification, error-tolerant nonadaptive group
testing, optimization,NP-hardness. 1 INTRODUCTIONS INCE the last
decade, the security of wireless sensorOn the other hand, various
network diversities arenetworks (WSNs) has attracted numerous
attentions, investigated to provide mitigation solutions [6].
Spreadingdue to its wide applications in various monitoring systems
spectrum [12], [5], [8] making use of multiple frequencyand
vulnerability toward sophisticated wireless attacks. bands and MAC
channels, Multipath routing benefitingAmong these attacks, jamming
attack where a jammer node from multiple pre-selected routing paths
[6] are two gooddisrupts the message delivery of its neighboring
sensor examples of them. However, in this method, the
capabilityhttp://ieeexploreprojects.blogspot.comnodes with
interference signals, has become a critical threat of jammers are
assumed to be limited and powerless toto WSNs. Thanks to the
efforts of researchers toward this catch the legitimate traffic
from the camouflage of theseissue, as summarized in [12], various
efficient defense diversities. However, due to the silent behavior
of reactivestrategies have been proposed and developed. However, a
jammers, they have more powers to destruct these mitiga-reactive
variant of this attack, where jammer nodes stay tion methods. To
this end, other solutions are in great need.quite until an ongoing
legitimate transmission (even has a A mapping service of jammed
area has been presented insingle bit) is sensed over the channel,
emerged recently and [11], which detects the jammed areas and
suggests thatcalled for stronger defending system and more
efficient routing paths evade these areas. This works for
proactivedetection schemes.jamming, since all the jammed nodes are
having low PDR Existing countermeasures against Reactive Jamming
and thus incapable for reliable message delay. However, inattacks
consist of jamming (signal) detection and jamming the case of
reactive jamming, this is not always the case.mitigation. On the
one hand, detection of interference Only a proportion of these
jammed nodes, named triggersignals from jammer nodes is nontrivial
due to the nodes, whose transmissions wake up the reactive
jammers,discrimination between normal noises and adversarial are
blocked to avoid the jamming effects.signals over unstable wireless
channels. Numerous at-In this paper, we present an
application-layer real-timetempts to this end monitored critical
communication related trigger-identification service for
reactive-jamming in wire-objects, such as Receiver Signal Strength
(RSS), Carrier Sensing less sensor networks, which promptly
provides the list ofTime (CST), Packet Delivery Ratio (PDR),
compared the trigger-nodes using a lightweight decentralized
algorithm,results with specific thresholds, which were established
without introducing neither new hardware devices, norfrom basic
statistical methods and multimodal strategies significant message
overhead at each sensor node.[9], [12]. By such schemes, jamming
signals could be This service exhibits great potentials to be
developed asdiscovered, but to locate the jammer nodes based on
these reactive jamming defending schemes. As an example, bysignals
is much more complicated and has not been settled. excluding the
set of trigger nodes from the routing paths,the reactive jammers
will have to stay idle since transmis-sions cannot be sensed. Even
though the jammers move. The authors are with the Department of
Computer Information Science and around and detect new sensor
signals, the list of trigger Engineering, University of Florida,
CSE Building, Gainesville, Florida nodes will be quickly updated,
so are the routing tables. As 32611-6120. E-mail: {yxuan, yshen,
nanguyen, mythai}@cise.ufl.edu.another example, without prior
knowledge of the numberManuscript received 1 Mar. 2010; revised 9
Mar. 2011; accepted 18 Mar. of jammers, the radius of jamming
signals and specific2011; published online 6 Apr. 2011.For
information on obtaining reprints of this article, please send
e-mail to:jamming behavior types, it is quite hard to locate
[email protected], and reference IEEECS Log Number
TMC-2010-03-0103. reactive jammers even the jammed areas are
detected (e.g.,Digital Object Identifier no. 10.1109/TMC.2011.86.by
Wood et al. [11]). However, with the trigger nodes
1536-1233/12/$31.00 2012 IEEE Published by the IEEE CS, CASS,
ComSoc, IES, & SPS
2. 794 IEEE TRANSACTIONS ON MOBILE COMPUTING,VOL. 11, NO. 5, MAY
2012localized, we can narrow down the possible locations of (packet
or bit) to disrupt the sensed signal (called jammerreactive
jammers. wake-up period), instead of the whole channel, which
Although the benefits of this trigger-identification means once the
sensor transmission finishes, the jammingservice are exciting, its
hardness is also obvious, which attacks will be stopped (called
jammer sleep period). Threedues to the efficiency requirements of
identifying the set of concepts are introduced to complete this
model.trigger nodes out of a much large set of victim nodes,
thatJamming range R. Similar to the sensors, the jammers areare
affected jamming signals from reactive jammers with equipped with
omnidirectional antennas with uniformpossibly various sophisticated
behaviors. To address thesepower strength on each direction. The
jammed area can beproblem, a novel randomized error-tolerant group
testingregarded as a circle centered at the jammer node, with
ascheme as well as minimum disk cover for polygons areproposed and
leveraged. radius R, where R is assumed greater than rs , for
simulating The basic idea of our solution is to first identify the
set of a powerful and efficient jammer node. All the sensors
withinvictim nodes by investigating corresponding links PDR this
range will be jammed during the jammer wake-upand RSS, then these
victim nodes are grouped into multiple period. The value of R can
be approximated based on thetesting teams. Once the group testing
schedule is made at the positions of the boundary sensors (whose
neighbors arebase station and routed to all the victim nodes, they
then jammed but themselves not), and then further refined.locally
conducts the test to identify each of them as a triggerTriggering
range r. On sensing an ongoing transmission,or nontrigger. The
identification results can be stored locally the decision whether
or not to launch a jamming signalfor reactive routing schemes or
delivered to the base station depends on the power of the sensor
signal Ps , the arrivedfor jamming localization process. signal
power at the jammer Pa with distance r from the In the remainder of
this paper, we first present the sensor, and the power of the
background noise Pn .problem definition in Section 2, where the
network model,According to the traditional signal propagation
model,victim model, and attacker models are included. Then, wethe
jammer will regard the arrived signal as a sensorintroduce three
kernel techniques for our scheme, Rando- transmission as long as
the Signal-Noise-Ratio is higher thanmized Error-Tolerant
Nonadaptive Group Testing, Clique-inde- some threshold, i.e., SNR
Pa > where Pa Ps Y with P rnpendent Set (CIS), and Minimum Disk
Cover in a Simple and called jamming decision threshold and
path-loss factor,Polygon in Section 3. The core of this paper:
trigger-node Y as a log-normally random variable. Therefore, r ! Pn
1 is Ps Yidentification and its error-tolerant extension toward
sophis- a range within which the sensor transmission will
definitelyticated jammer behaviors are presented, respectively, in
trigger the jamming attack, named as triggering range. As
willSections 4 and 5. A series of simulation results for evaluating
http://ieeexploreprojects.blogspot.com r is bounded by R from
above, andthe system performance and validating the theoreticalbe
shown later, this rangers from below, where the distances from
either bounds areresults are included in Section 6. We present
related worksin Section 7 and summarize the paper in Section
8.decided by the jamming decision threshold . For simplicity,we
assume triggering range is the same for each sensor. Jammer
distance. Any two jammer nodes are assumed2 PROBLEM MODELS AND
NOTATIONSnot to be too close to each other, i.e., the distance
between2.1 Network Model jammer J1 and J2 is J1 ; J2 > R. The
motivations behindWe consider a wireless sensor network consisting
of this assumptions are three-fold: 1) the deployment ofn sensor
nodes and one base station (larger networks with jammers should
maximize the jammed areas with a limitedmultiple base stations can
be split into small ones to satisfy number of jammers, therefore
large overlapping betweenthe model). Each sensor node is equipped
with a globally jammed areas of different jammers lowers down the
attacksynchronized time clock, omnidirectional antennas,
efficiency; 2) J1 ; J2 should be greater than R, since them radios
for in total k channels throughout the network, transmission
signals from one jammer should not interferewhere k > m. For
simplicity, the power strength in each the signal reception at the
other jammer. Otherwise, thedirection is assumed to be uniform, so
the transmission latter jammer will not able to correctly detect
any sensorrange of each sensor can be abstracted as a constant rs
and transmission signals, since they are accompanied with highthe
whole network as a unit disk graph (UDG) G V ; E, RF noises, unless
the jammer spends a lot of efforts inwhere any node pair i; j is
connected iff the euclidean denoising or embeds jammer-label in the
jamming noise fordistance between i; j: i; j rs . We leave
asymmetric the other jammers to recognize. Both ways are infeasible
forpowers and polygonal transmission area for further study. an
efficient attack; 3) the communications between jammersare
impractical, which will expose the jammers to anomaly2.2 Attacker
Modeldetections at the network authority.We consider both a basic
attacker model and severaladvanced attacker models in this paper.
Specifically, we 2.2.2 Advanced Attacker Modelprovide a solution
framework toward the basic attacker To evade detections, the
attackers may alter their behaviorsmodel, and validate its
performance toward multiple to evade the detection, for which two
advanced reactiveadvanced attacker models theoretically and
experimentally. jamming models: probabilistic attack and asymmetric
responsetime delay are considered in this paper. In the first one,
the2.2.1 Basic Attacker Modeljammer responds each sensed
transmission with a prob-Conventional reactive jammers [12] are
defined as mal- ability independently. In the second one, the
jammericious devices, which keep idle until they sense any ongoing
delays each of its jamming signals with an independentlylegitimate
transmissions and then emit jamming signals randomized time
interval. 3. XUAN ET AL.: A TRIGGER IDENTIFICATION SERVICE FOR
DEFENDING REACTIVE JAMMERS IN WSN795Fig. 1. Sensor periodical
status report message. We do not specify the possible changes of
jammingrange R as an advanced model, since the trigger set in
thiscase will not change, though the victim set varies. Further,we
do not theoretically analyze the effects of variousjamming decision
threshold in this paper version, but weevaluate all these above
factors in the simulation section.Jammer mobilities are out of the
scope of this paper, whichassumes that the jammers are static
during our trigger- Fig. 2. Nodes in gray and blue are victim nodes
around jammer nodes,identification phase. This is quite reasonable,
since the time where blue nodes are also trigger nodes, which
invoke the jammerlength of this phase is short, as to be shown
later. nodes. Nodes surrounding the jammed are boundary nodes,
while the others are unaffected nodes.2.3 Sensor ModelBesides
monitoring the assigned network field and generat- consider only
proactive jammers, while reactive jammersing alarms in case of
special events (e.g., fire, high can bring up larger damage due to
efficient attack andtemperature), each sensor periodically sends a
status report hardness to detect. To this end, we embed a group
testingmessage to the base station, which includes a header and a
process, i.e., the randomized error-tolerant group testing bymain
message body containing the monitored results, means of our
designed random d; z-disjunct matrix, to thebattery usage, and
other related content. As shown in routing update scheme, which
avoids unnecessarily largeFig. 1, the header is designated for
antijamming purpose, isolated areas as [11] does. Moreover, most
existingwhich is 4-tuple: Sensor_ID as the ID of the sensor node,
topology-based solutions [23], [24] can only handle theTime_Stamp
as the sending out time indicating the single-jammer case, since
lacking of knowledge over thesequence number, as well as a Label
referring to the nodes jamming range and inevitable overlapping of
the jammedcurrent jamming status, and TTL as the time-to-live field
areas bring ups the analytical difficulties, for which wewhich is
initialized as the 2D with network diameter D.
http://ieeexploreprojects.blogspot.com cover problem in a simple
polygon resort to a minimum disk According to the jamming status,
all the sensor nodes can problem and a clique-independent set
problem.be categorized into four classes: trigger nodes T N,
victimnodes V N, boundary nodes BN, and unaffected node UN. 3.1
Error-Tolerant Randomized Nonadaptive GroupTrigger nodes refer to
the sensor nodes whose signals awake Testingthe jammers, i.e.,
within a distance less than r from a Group Testing was proposed
since WWII to speed up thejammer. Victim nodes are those within a
distance R from an identification of affected blood samples from a
large sampleactivated jammer and disturbed by the jamming signals.
population. This scheme has been developed with aSince R > r, T
N V N. Other than these disturbed sensors, complete theoretical
system and widely applied to medicalUN and BN are the unaffected
sensors while the latter ones testing and molecular biology during
the past severalhave at least one neighbor in V N, hence BN UN,
andV NUN ;. The Label field of each sensor indicates the decades
[1]. Notice that the nature of our work is tosmallest class it
belongs to. The relationships among these identify all triggers out
of a large pool of victim nodes, soclasses are shown in Fig. 2.
this technique intuitively matches our problem. There are two
issues orthogonal to our solution. On oneThe key idea of group
testing is to test items in multiplehand, the detection of jammed
signals at each sensor node is designated groups, instead of
individually. The principlesorthogonal to this work, and can be
completed via of traditional group testing are sketched in the
Appendix,sophisticated reactive jamming detection techniques, such
which can be found on the Computer Society Digitalas comparing the
SNR, PDR, and RSS with predefined Library at
http://doi.ieeecomputersociety.org/10.1109/thresholds, as shown in
[9]. With regard to the effects of TMC.2011.86.detection errors on
our solution, we provide sometheoretical analysis at the end of
Section 5.1.1. On the other 3.1.1 Traditional Nonadaptive Group
Testinghand, the detailed attack schemes adopted by the reactive
The key idea of group testing is to test items in multiplejammers
are orthogonal with our application-layer service. designated
groups, instead of testing them one by one. TheAs long as the
jamming detection techniques that we resort traditional method of
grouping items is based on ato can efficiently detect these
malicious signals, either high designated 0-1 matrix Mtn where the
matrix rowsRF noises, fraud message segments, etc., our solution
represent the testing group and each column refers to anservice is
feasible. item (Fig. 3). Mi; j 1 if the jth item appears in the ith
testing group, and 0 otherwise. Therefore, the number of rows of
the matrix denotes the number of groups tested in3 THREE KERNEL
TECHNIQUESparallel and each entry of the result vector V refers to
theIn this section, three kernel techniques for the proposed test
outcome of the corresponding group (row), where 1protocol are
introduced. Most existing antijamming works denotes positive
outcome and 0 denotes negative outcome. 4. 796IEEE TRANSACTIONS ON
MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012 We only show the
performance of this new construction, namely, ETG algorithm in this
section. The details of the construction and analysis are included
in the Appendix, available in the online supplemental material.
Theorem 3.1. The ETG algorithm produces a d; z-disjunctFig. 3.
Binary testing matrix M and testing outcome vector V . Assumedthat
item 1 (first column) and item 2 (second column) are positive, then
matrix with probability p0 where p0 can be arbitrarilyonly the
first two groups return negative outcomes, because they do
notapproaching 1.contain these two positive items. On the contrary,
all the other fourgroups return positive outcomes.. The worst-case
number of rows of this matrix isbounded byGiven that there are at
most d < n positive items among 2in total n ones, all the d
positive items can be efficiently and3:78d 12 log n 3:78d 1
logcorrectly identified on condition that the testing matrix M is1
p0d-disjunct: any single column is not contained by the union 3:78d
1 5:44d 1z 1;of any other d columns. Owing to this property, each
much smaller than 4:28d2 log 1p0 4:28d2 log n 2negative item will
appear in at least one row (group) where22n1 9:84dz 3:92z ln 1p0
.all the positive items do not show up, therefore, by filteringall
the items appearing in groups with negative outcomes, all the . If
z t, the worst-case number of rows becomesleft ones are positive.
Although providing such simple ln nd 12 2d 1 ln1 p0 decoding
method, d-disjunct matrix is nontrivial to con-tstruct [1], [2]
which may involve with complicated d 12computations with high
overhead, e.g., calculation ofwhere d=d 1d and asymptotically t
irreducible polynomials on Galois Field. In order to Od2 log
n.alleviate this testing overhead, we advanced the determi-nistic
d-disjunct matrix used in [7] to randomized error- Proof. See
Section B in the Appendix, available in the onlinetolerant
d-disjunct matrix, i.e., a matrix with less rows butsupplemental
material.u tremains d-disjunct w.h.p. Moreover, by introducing this
Theorem 3.2. The ETG algorithm has smallertime complexitypmatrix,
our identification is able to handle test errors under Od2 n log n
than On2 log n, when d < n.sophisticated jamming environments.In
order to handle errors in the
http://ieeexploreprojects.blogspot.com Cover in a Simple Polygon
testing outcomes, the 3.2 Minimum Diskerror-tolerant nonadaptive
group testing has been developed Given a simple polygon with a set
of vertices inside, theusing d; z-disjunct matrix, where in any d 1
columns, problem of finding a minimum number of variable-radiieach
column has a 1 in at least z rows where all the other d disks that
not only cover all the given vertices, but also arecolumns are 0.
Therefore, a d; 1-disjunct matrix is exactly all within the
polygon, can be efficiently solved.d-disjunct. Straightforwardly,
the d positive items can stillThe latest results due to the near
linear algorithmbe correctly identified, in the presence of at most
z 1 testproposed recently by Kaplan et al. [25], which
investigateserrors. In the literature, numerous deterministic
designs for the medial axis and voronoi diagram of the given
polygon,d; z-disjunct matrix have been provided (summarized in and
provides the optimal solution using O$ log $ [1]), however, these
constructions often suffer from high- log6 time and O$ log log
space, where the numbercomputational complexity, thus are not
efficient for of edges of the polygon is $ and nodes within it as .
Wepractical use and distributed implementation. On the other employ
this algorithm to estimate the jamming range R.hand, to our best
knowledge, the only randomizedconstruction for d; z-disjunct matrix
dues to Chengs work 3.3 Clique-Independent Setvia q-nary matrix
[19], which results in a d; z-disjunct Cliques-Independent Set is
the problem to find a set ofmatrix of size t1 n with probability p0
, where t1 is maximum number of pairwise vertex-disjoint
maximalcliques, which is referred to as a maximum
clique-independent 222 2 2n 1 set (MCIS) [4]. Since this problem
serves as the abstracted4:28d log 4:28d log n 9:84dz 3:92z ln ;1
p01 p0model of the grouping phase of our identification, its
hardnesswith time complexity On log n. Compared with this work, is
of great interest in this scope. To our best knowledge, it has 2we
advance a classic randomized construction for d- already been
proved to be NP-hard for cocomparability,disjunct matrix, namely,
random incidence construction planar, line, and total graphs;
however, its hardness on UDG[1], [2], to generate d; z-disjunct
matrix which can not only is still open. We propose its NP-complete
proof in thegenerate comparably smaller t n matrix, but also handle
Appendix, available in the online supplemental material.the case
where z is not known beforehand, instead, only theThere have been
numerous polynomial exact algorithmserror probability of each test
is bounded by some constant for solving this problem on graphs with
specific topology,. Although z can be quite loosely upper bounded
by t, yet e.g., Helly circular-arc graph and strongly chordal
grapht is not an input. The motivation of this construction lies in
[4], but none of these algorithms gives the solution on UDG.the
real test scenarios, the error probability of each test is In this
paper, we employ the scanning disk approach in [3] tounknown and
asymmetric, hence it is impossible to find all maximal cliques on
UDG, and then find all theevaluate z before knowing the number of
pools.MCIS using a greedy algorithm. 5. XUAN ET AL.: A TRIGGER
IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN
WSN7974TRIGGER-NODE IDENTIFICATIONWe propose a decentralized
trigger-identification proce-dure. It is lightweight in that all
the calculations occur at thebase station, and the transmission
overhead as well as thetime complexity is low and theoretically
guaranteed. Noextra hardware is introduced into the scheme, except
for thesimple status report messages sent by each sensor, and
thegeographic locations of all sensors maintained at the
basestation. Three main steps of this procedure are as follows:
Fig. 4. Estimated R and jammed area.1. Anomaly Detectionthe base
station detects potential4.2 Jammer Property Estimation reactive
jamming attacks, each boundary node tries to report their
identities to the base station.We estimate the jamming range as R
and the jammed areas2. Jammer Property EstimationThe base station
calcu- as simple polygons, based on the locations of the boundary
lates the estimated jammed area and jamming rangeand victim nodes.
R based on the locations of boundary nodes. For sparse-jammer where
the distribution of jammers is3. Trigger Detectionrelatively sparse
and there is at least one jammer whosejammed area does not overlap
with the others, like J2 in Fig. 2. a. the base station makes a
short encrypted testingBy denoting the set of boundary nodes for
the ith jammed areaschedule message Z which will be broadcastedas
BNi , we can estimate the coordinate of this jammer asto all the
boundary nodes. PBNiPBNi ! b. boundary nodes keep broadcasting Z to
all thek1 XkYkXJ ; YJ ; k1 ;victim nodes within the estimated
jammed area jBNi jjBNk jfor a period Q. c. all the victim nodes
locally execute the testingwhere Xk ; Yk is the coordinate of a
node k is the jammedprocedure based on Z, identify themselves
asarea BNi and the jamming range R istriggers or nontriggers.qR min
maxXk XJ 2 Yk XJ 2;4.1 Anomaly Detection8BNi k2BNiEach sensor
periodically sends a status report message tofor we assume that all
the jammers have the same range.the base station. However, once the
http://ieeexploreprojects.blogspot.com jammers are activated For
dense-jammer, shown in Fig. 4, we first estimate theby message
transmissions, the base station will not receive jammed areas,
which are simple polygons (unnecessarilythese reports from some
sensors. By comparing the ratio of convex) containing all the
boundary and victim nodes. Thisreceived reports to a predefined
threshold , the base process consists of three steps: 1) discovery
of convex hulls ofstation can thus decide if a jamming attack is
happening in the boundary and victim nodes, where no unaffected
nodesthe networks. When generating the status report message, are
included in the generate convex polygons. 2) for eacheach sensor
can locally obtain its jamming status and decide boundary node v
not on the hull, choose two nodes on thethe value of the Label
field (Initially trigger TN). In detail, hull and connect v to them
in such a way that the internalif a node v hears jamming signals,
it will not try to send out angle at this reflex vertex is the
smallest, hence the polygonmessages but keep its label as victim.
If v cannot sense is modified by replacing an edge (dotted one in
Fig. 4) byjamming signals, its report will be routed to the base
station the two new ones. The resulted polygon is the estimatedas
usual, however, if it does not receive ACK from its jammed area. 3)
execute the near-linear algorithm [25] toneighbor on the next hop
of the route within a time out find the optimal variable-radii disk
cover of all the victimperiod, it tries for two more
retransmissions. If no ACKs are nodes, but constrained in the
polygon, and return thereceived, it is quite possible that that
neighbor is a victim largest disk radius as R.node, then v updates
Label tuple as boundary BN in itsstatus report. Another outgoing
link from v with the most 4.3 Trigger Detectionavailable capacity
is taken to forward this message. If the Since the jammer behavior
is reactive, in order to find all thestatus report is successfully
delivered to the base station trigger nodes, a straightforward way
is that let each sensorwith Label TN, the corresponding node is
regarded as broadcast one by one, and listen to possible
jammingunaffected. All the messages are queued in the buffer of the
signals. However, this individual detection is quite
timeintermediate nodes and forwarded in an FCFS manner. The
consuming and all the victim nodes thus have to be isolatedTTL
value is reduced by 1 per hop for each message, and for a long
detection period, or even returns wrong detectionany message will
be dropped once its TTL 0. result in the presence of mobile
jammers. In this case, theThe base station waits for the status
report from each network throughput would be dramatically
decreased.node in each period of length P. If no reports have been
Therefore, to promptly and accurately find out thesereceived from a
node v with a maximum delay time, then v triggers from a large pool
of victim nodes, emerges as thewill be regarded as victim. The
maximum delay time is most challenging part of the proposed
protocol, for whichrelated to graph diameter and will be specified
later. If the the idea of group testing is applied.aggregate report
amount is less than , the base stationIn this section, we only
consider a basic attack modelstarts to create the testing schedule
for the trigger nodes, where the jammers deterministically and
immediately broad-based on which the routing tables will be updated
locally. casts jamming signals once it senses the sensor signal. 6.
798IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012
TABLE 1 Message Containing TriggerDetection ScheduleFig. 5.
Interference teams.Second-level, within each testing team, victims
arefurther divided into multiple testing groups. This iscompleted
by constructing a randomized d; 1-disjunctmatrix, as mentioned in
Section 3.1, mapping each sensorTherefore, as long as at least one
of the broadcasting victim node to a matrix column, and make each
matrix row as anodes is a trigger, some jamming signals will be
sensed, and testing group (sensors corresponding to the columns
with 1svice versa. The performance of this protocol toward in this
row are chosen). Apparently, tests within one groupsophisticated
attacker models with probabilistic attack will possibly interfere
that of another, so each group will bestrategies will be validated
in the next section. assigned with a different frequency
channel.All the following is the encrypted testing schedule overThe
duration of the overall testing process is t time slots,all the
victim nodes, which is designed at the base stationwhere the length
of each slot is L. Both t and L arebased on the set of boundary
nodes and the global topology,predefined, yet the former depends on
the total number ofstored as a message (illustrated in Table 1) and
broadcastedto all the boundary nodes. The broadcasting of the
testing victims and estimated number of trigger nodes, and
thescheduling message adopts a routing mechanism similar to latter
depends on the transmission rate of the channel.reverse path
forwarding. In detail, all the status report Specifically, at the
beginning of each time slot, all the sensorsmessages relayed to the
base station will record all the designated to test in this slot
broadcast a -bit test packet onnodes IDs on their routing paths.
Therefore, without the assigned channel to their 1-hop neighbors.
Till the endconsidering mobile jammers, those routing paths can be
of this slot, these sensors keep detecting possible jammingreused
to send out these testing scheduling messages and signals. Each
sensors will label itself as a trigger unless in atevade the jammed
areas. least one slot of its testing, no jamming signal is
sensed.After receiving this message, each
http://ieeexploreprojects.blogspot.com trigger identification
procedure is boundary node broad- The correctness of thiscasts this
message one time using simple flooding method to theoretically
straightforward. Given that all the testingits nearby jammed area.
All the victim nodes execute the teams are interference free, then
the testing with differenttesting schedule and indicate themselves
as nontriggers or teams can be executed simultaneously. Given that
we havetriggers. Since all the sensor nodes are equipped with a an
upper bound d on the number of trigger nodes and eachglobal uniform
clock, and no message transmissions to the testing group follow the
d; 1-disjunct matrix, whichbase station are required during the
detection, the mechan- guarantees that each nontrigger node will be
included inism is easy to implement and practical for
applications.at least one group, which does not contain any trigger
node,As shown in Table 1, for each time slot, m sets of victim so
each nontrigger node will not hear jamming signals in atsensors
will be tested. The selection of these sets involves a least one
time slot, but the trigger nodes will since thetwo-level grouping
procedure. jammers are activated once they broadcast the test
packets.First-level, the whole set of victims are divided into
Therefore, two critical issues need to be addressed to
ensureseveral interference-free testing teams. Here, by
interference this correctness: how to partition the victim set
intofree we mean that if the transmissions from the victim maximal
interference-free testing teams and estimate thenodes in one
testing team invokes a jammer node, its number of trigger nodes d,
as follows: Though these twojamming area will not reach the victim
nodes in another involve geometric analysis over the global
topology, since it onlytesting team. Therefore, by trying
broadcasting from victim takes the information of boundary and
victim nodes as inputs, andnodes in each testing team and
monitoring the jamming is calculated at the base station, no
message complexity issignals, we can conclude if any members in
this team areintroduced.triggers. In addition, all the tests in
different testing teamscan be executed simultaneously since they
will not interfere 4.3.1 Discovery of Interference-Free Testing
Teamseach other. Fig. 5 provides an example for this. ThreeAs
stated above, two disjoint sets of victim nodes aremaximal cliques
C1 fv1 ; v2 ; v3 ; v4 g, C2 fv3 ; v4 ; v5 ; v6 g,C3 fv5 ; v7 ; v8 ;
v9 g can be found within three jammed areas. interference-free
testing teams iff the transmission within oneImagine these three
cliques are, respectively, the three set will not invoke a jammer
node, whose jamming signalsteams we test at the same time. If v4 in
the middle team will interfere the communications within the other
set.keeps broadcasting all the time and J2 is awaken frequently,
Although we have estimated the jamming range R, it is stillno
matter the trigger v2 in the leftmost team is broadcasting quite
challenging to find these interference-free teamsor not, v3 will
always hear the jamming signals, so these two without knowing the
accurate locations of the jammers.teams interfere each other. In
addition, node-disjoint groups Notice that it is possible to
discover the set of victim nodesdo not necessarily interference
free, as the leftmost and within the same jammed area, i.e., with a
distance R fromrightmost teams show. the same jammer node. Any two
nodes within the same 7. XUAN ET AL.: A TRIGGER IDENTIFICATION
SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN 799Fig. 6. Clique C1
V1 V2 V3 V4 is chosen by CIS, but its concentric circleCC 0 covers
boundary node V0 , then clique C2 V4 V5 V6 V7 replaces C1 inFig. 7.
Maximum # interfering cliques.the testing team for the first round.
Clique V1 V2 V3 are left for the nextround.by and from C1 is r <
R distance away, whose jammingjammed area should be at most 2R far
from each other, i.e., range can only reach another R distance
further, which isif we induce a new graph G0 V 0 ; E 0 with all
these victimthus away from C2 . Therefore, the cliques in the
obtainednodes as the vertex set V 0 and E 0 fu; vju; v 2Rg, theCIS
of this kind are selected as testing teams. While thenodes jammed
by the same jammer should form a clique. others are left for the
next time slot.The maximum number of vertex-disjoint maximal
cliquesIn addition, in the worst case, any single maximal
clique(i.e., clique-independent set) of this kind provides an upper
C has at most 12 interfering cliques in the CIS, as thebound of
possible jammers within the estimated jammed shadowed ones in Fig.
7. Therefore, at most 13 testing teamsarea, where each maximal
clique is likely to correspond toare required to cover all these
cliques. If the number ofthe nodes jammed by the same
jammer.channels k given is larger than 13, then a
frequency-divisionThe solution consists of three steps: CIS
discovery on theis available, i.e., these interfering cliques can
still becomeinduced graph from the remaining victim without
testsimultaneous testing teams, on the condition each team
cankschedules, boundary-based local refinement and interfer-only
use minfd13e; mg of the given channels, where m is theence-free
team detection. We iterate three steps to decidenumber of radios
per sensor. Otherwise, we have to use timethe schedule for every
victim node. divisions, i.e., they have to be tested in different
time slots.CIS discovery. We first employ Guptas MCE algorithm
4.3.2 Estimation of Trigger Upper Bound[3] to find all the maximal
cliques, then use a greedyalgorithm, as shown in Algorithm 1 to get
the CIS. Before bounding the trigger quantity from above, the
triggering range r should be estimated. As mentioned
inhttp://ieeexploreprojects.blogspot.comAlgorithm 1. CIS
discovery.the attacker model, r depends not only on the power of
both sensors and jammers, but also the jamming threshold and
path-loss factor 1 Pn r! ; Ps Ysince the real time Pn and Ps are
not given, we estimate rbased on the SNR cutoff 0 of the network
setting. In fact,the transmission range of each sensor rs is a
maximumradius to guarantee Local refinement. Each clique we select
is expected to Pa Ps YSNR ! 0 :represent the jammed area poisoned
by the same jammer,P n Pn rsand this area should not cover the
boundary nodes.Therefore, we can estimate r asHowever, we did not
take this into account when discover-ing the CIS, and need to
locally update it. Specially, for each 1 clique, we find its
circumscribed circle CC and the r % rs 0 ; concentric circle CC 0
with radius R of CC. In the case thatCC 0 covers any boundary
nodes, we locally select another where 0 and are parts of the
network input, while isclique by adding/removing nodes from this
clique, to see if assumed as a constant, which indicates the
aggressivenessthe problem can be solve. If not, we keep this clique
as it is, of the jammer. For this estimation, can be first set as
10 db,otherwise, we update it. This is illustrated in Fig. 6. which
is the normally lower bound of SNR in wireless Team detection. The
cliques in CIS can also interferetransmission, and then adaptively
adjusted to polish theeach other, e.g., the clique V1 V2 V3 V4 and
V5 V7 V8 V9 in Fig. 5. service quality.This is because the signals
from V4 will wake J2 , who willWith estimated r, since all the
trigger nodes in the sametry to block these signals with noises and
affect V5 by the team should be within a 2r distance from each
other, byway. But if any two cliques C1 and C2 are not connected
byfinding another induced graph G00 Wi ; E 00 from the victimany
single edge, then they are straightforwardly inter- nodes Wi in
team i, with E 00 fu; v 2 E 00 if u; v 2rg,ference free, since the
shortest distance between any node in the size of the maximal
clique indicates the upper bound ofC1 and C2 is larger than 2R. But
the farthest jammer wakenthe trigger nodes, thus can be an estimate
over d. 8. 800 IEEE TRANSACTIONS ON MOBILE COMPUTING,VOL. 11, NO.
5, MAY 2012The testing delay Tt depends on the number of testing
rounds and the length of each round. Since the reactive jamming
signal disappears as soon as these sensed 1-hop transmission
finishes, each round length is then O1. The number of testing
rounds is however complicated and bounded by Theorem 4.1. Lemma
4.1. Based on the ETG algorithm, the number of tests to identify d
trigger nodes from jW j victim nodes is upper bounded by tjW j; d
Od2 dln jW je w.h.p.iFig. 8. Maximum # jammers invoked by one team.
Theorem 4.1 (Main). The total number of testing rounds is As
mentioned above, all the parallel testing teams selected upper
bounded byare interference free; therefore, we roughly regard each
team to be the jammed area of one jammer. As a deeperQ13 minfd2 dln
jWi je; jWi jg iO max;investigation, the number of jammers that can
be invoked i1 mby the nodes in the same team (six 3-clique within
the red P w.h.p, with di minf 6 jcs Gi j; jWi jg and cs Gi is the
s1circles) can be up to 6, since the minimum distance betweensth
largest clique over an induced unit disk subgraph Gi two jammers is
greater than R and r R, as shown in Fig. 8. Wi ; Ei ; 2r in the
testing team i.Therefore on the induced graph, the largest 6
cliques form thed2 dln jW jepossible trigger set. However, since
the jammer distribution Proof. First, from Lemma 4.1, at most tjW
j;d i mmcannot be that dense for the sake of energy conserving,
thetesting rounds are needed to identify all nodes in testingformer
estimate over d is large enough.team i. Second, the set of testing
teams that can be tested in parallel is 13, as mentioned earlier.
Combining with the4.4 Analysis of Time and Message Complexity worst
case upper bound of triggers in each team, theTime complexity. By
time complexity we mean the upper bound on round is derived.
tuidentification delay counted since the attack happens tillall the
nodes successfully identify themselves as trigger ornontrigger.
Therefore, the complexity break downs intoIf the jamming range R is
assumed known beforehand,four parts:similar to [7], the whole time
complexity is thushttp://ieeexploreprojects.blogspot.com 13d2 dln
jWi je; jWi j 1. the detection of jamming signals at local links Td
;Qi O max ; 2. the routing of sensor report to the base station
fromi1m each sensor node, and the testing schedule to each and
asymptotically bounded by On2 log n. It is asympto- victim node
from the base station, aggregated as Tr ; 3. the calculation of CIS
and R at the base station Tc ;tically smaller than that of [7] 4.
the testing at each jammed area Tt . H & ! Xd2 log2 jWj jj2 The
local jamming signal detection involves the statis-O max 2 o1 2 ; m
;tical properties of PDR, RSS, and SNR, which is orthogonali1jlog2
dj log2 jWj jto our work. We regard Td as O1 since it is an
entirely local where H refers to the maximum degree of the
inducedoperation and independent with the network scale. The
routing time overhead is quite complicated, since graph H (in this
new solution, maximum degree is notcongestions need to be
considered. For simplicity, we involved). By taking the calculation
overhead for R intoconsider that all the 1-hop transmission takes
O1 time account, the overall time complexity is asymptotically26
6and bound Tr using the diameter D of the graph. As On log n n log
n, which is On log n for n ! 4.mentioned earlier, the base station
waits at most O2D for Message complexity. On the one hand, the
broadcastingthe reports, so that is the upper bound of the one-way
of testing schedule Z from the base station to all the
victimrouting. As to the other way, we also bound it using O2D
nodes costs On messages in the worst case. On the otherto match any
collision and retransmission cases. hand, the overhead of routing
reports toward the base The calculation of CIS resorts to the
algorithm in [3], which station depends on the routing scheme used
and thefinds Ol maximal cliques on UDG within Ol2 time, network
topology as well as capacity. The upper bound iswhere l jEj and
refers to the maximum degree. We used straightforward obtained in a
line graph with the basea greedy algorithm to find a MCIS from
these Ol cliques station at one end, whose message complexity is
Onn1.with Ol3 3 Q time: Ol-time for each clique to check2With
regard to the message overhead of the testingthe overlapping with
other cliques, Ol-time to find a process. Considering that there
are approximately jWi j victimclique overlapping with minimum other
cliques, and Qd1denotes the number of testing teams. Notice that in
practice, nodes in each testing group of team Wi (mentioned in
thesensor networks are not quite dense, so the number of edges l
construction of randomized d; z-disjunct matrix in Appen-and
maximum degree are actually limited to small values. dix, available
in the online supplemental material), the jWi jOn the other hand,
the time complexity of estimating R is up overhead of each testing
group in a testing round is d1 1-hopto On nlog n log6 n using the
minimum disk cover testing message broadcasted by all victim nodes
in each group 22algorithm as mentioned.of team Wi . Therefore, the
overhead message complexity is 9. XUAN ET AL.: A TRIGGER
IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN801 d x
TABLE 2 Prui x p 1 pdx :1 x Notations For each test i, the event
that it contains at least one trigger but returns a negative
result, has a probability at most Prgi 0 & ui ! 1 2 Xd d x 1 x
p 1 pdx 3 ! x1 xXQQ O n2 jWi j maxfdi dln jWi je; jWi jgm ;i1 i1 1
p 1 pd 1 pd4which is On2 log n. 1 pd 1 pd < 1 p:55 ADVANCED
SOLUTIONS TOWARD SOPHISTICATEDMeanwhile, the event that it contains
no trigger nodes butATTACK MODELSreturns a positive result, has a
probabilityIn this section, we consider two sophisticated attacker
Prgi 1 & ui 0 0:6models: probabilistic attack and variant
response time delay,Since in practical ! 1 , we therefore have the
expectedwhere the jammers rely each sensed transmission with
2number of false positive and negative tests is,
respectively,different probabilities, instead of deterministically,
or delayat most pt=2 and 0.the jamming signals with a random time
interval, instead Instead of the jamming behavior, the jamming
signalof immediately. This may mismatch with the original detection
errors can be analyzed using the same method.definition of reactive
jamming, which targets at transmis- Given that each node detects
possible jamming signalssion signals, instead of nodes or channels.
However, clever successfully with probability q, then following
(1), we canjammers can possibly change their strategies to evade
similarly have the false negative rate of each test ipossible
sensed detections. Also, a common sense indicatesthat as long as an
activity is sensed by the jammer, it is Prgi 0 & ui ! 17quite
possible that some other activities are following this.So delaying
the response time still
http://ieeexploreprojects.blogspot.comguarantees the attack Xd d
xefficiency, but minimize the risk of being caught by 1 qxp 1
pdx8x1xreactive detections. Since our scheme is robust and accurate
in the steps ofgrouping, generating disjunct matrix and decoding
the 1 qp 1 pd 1 pd 9testing results, the only possible test errors
arise from thegeneration of testing outcomes. Nevertheless, by
using 1 qpd 1 pd < 1 qp;10the error-tolerant disjunct matrix and
relaxing the identifi- 1cation procedures to asynchronous manner,
our scheme which is also small considering p d1 .will provide small
false rates in these cases. Some notations 5.1.2 Variant Reaction
Timecan be found in Table 2. In this section, the terms test
andgroup, the terms column and nodes are interchangeable. The
introduction of group testing techniques aims to decrease the
identification latency to the minimum, there-5.1 Upper Bound on the
Expected Value of z fore, if the jammer would not respond
intermediately afterFirst, we investigate the properties of both
jamming sensing the ongoing transmissions, but instead wait for
abehaviors and obtain the expected number of error testsrandomized
time delay, the test outcomes would be messed up. Since it is
expensive to synchronize the tests amongin both cases through the
following analysis. Since in sensors, we use a predefined testing
length as L, thus thepractice, it is not trivial to establish
accurate jamming test outcome of test i 2 1; t is generated within
timemodels, we derive an upper bound of the error probabilityii
interval dme 1L; dmeL. There are two possible errorwhich does not
require the beforehand knowledge of the events regarding any test
i.objective jamming models, which is therefore feasible
forreal-time identifications. Since it is a relaxed bound, it
could.F pi: test i is negative, but some jamming signalsbe further
strengthened via learning the jamming history.are delayed from
previous tests and interfere this test, where we have a false
positive event;5.1.1 Probabilistic Jamming Response (Detection) . F
ni: test i is positive, but the jammer activated inA clever jammer
can choose not to respond to some sensed this test delayed its
jamming signals to someongoing transmissions, in order to evade the
detection.subsequent tests, meanwhile, no delayed jammingAssume
that each ongoing transmission has an independent signals from
previous tests exists, where we have aprobability to be responded.
In our construction algorithm false negative event.ETG, where each
matrix entry is IID and has a probability pSince the jammers in
this paper are assumed to blockto be 1, therefore for any single
test i with i 2 1; t communications only on the channels where
transmissions 10. 802 IEEE TRANSACTIONS ON MOBILE COMPUTING,VOL.
11, NO. 5, MAY 2012 pare sensed, for the following analysis, we
claim that the 21 1 pd 1 pd 2interferences can only happen between
any two tests i; j 1 1 pd 1 21 1 pd with i jmod m. Denote the delay
of jamming signals asa random variable X fx1; x2; x3; . . . xtg
where xi 10 8 2 d 1=2;is the delay for possible jamming signals
arisen from test i. where d=d 1d . Intuitively, we can have an
upper1) For event F pi, consider the test i m, in order to
havebound on the number of error tests as z t its jamming signals
delayed to test i, we have a bound on 10 8 2 d 1=2, and take it as
an input to constructxi m 2 0; 2L. Similarly, in order to have the
signals ofthe d; z-disjunct matrix. However, notice that z
dependsany test j delayed to i, we have xj 2 ij 1L; ij 1L. m mon t,
i.e., the number of rows of the constructed matrix, weFurther the
probability density function of X is Pi therefore derive another
bound of t related to , as shownPrX xi. Consider all the tests
prior to i, which arein the Appendix, available in the online
supplementali mod m; 1 i mod m; . . . ; i m, we have the
probabilitymaterial.for F pi5.2 Error-Tolerant Asynchronous Testing
within Z ij1LEach Testing Team X im m1 pdPwdw1 1 pd : 11 By
applying the derived worst cast number of error tests ji mod m ij1L
minto the ETG construction, we can obtain the followingalgorithm
where tests are conducted in an asynchronousTo simplify this
expression, we assume that X=L follows amanner to enhance the
efficiency.uniform distribution within the range 0; 11. with a
small 12. , As shown in Algorithm 2, after all the groups arewhich
is reasonable and efficient for attackers in practice.decided,
conduct group testing on them in m pipelines,Since the nature of
jamming attacks lies in adapting thewhere in each pipeline any
detected jamming signals willattack frequency due to the sensed
transmissions, too large end the current test and trigger the next
tests while groupsdelay does not make sense to tackle the ongoing
transmis- receiving no jamming signals will be required to
resendsions. Under a uniform distribution, the probability of F
pitriggering messages and wait till the predefined round
timebecomes has passed. These changes over the original
algorithm,especially the asynchronous testing are located in each
2Xim1 1 pd 1 pd testing team, thus will not introduce significant
overheads,jmax i mod m;im 13. 1 14. however, the resulted error
rates are quite low. http://ieeexploreprojects.blogspot.com dd
i2Algorithm 2. Asynchronous Testing. 1 1 p 1 p 1:m 15. Therefore,
the expected number of false positive tests is atmost Xt 2 T1 1 pd
1 pd 16. i1 17. X t 2 1 1 pd 1 pd i1 21 1 pd 1 pd t: 2) For event F
ni, following the similar arguments above,we have an upper bound of
the probability for F ni (assumethat any delays larger than l at
test i will interfere the tests jfollowing i where j 2 maxi mod m;
i m 18. 1; i m):Z 1 d 1 1 p Pwdw l! X Z m 1L ijd 1 Pwdw1 1 p j ij1L
m 1 1 pd 1 21 1 pd 19. l= 20. 1 1 pd 1 21 1 pd : 6 EXPERIMENTAL
EVALUATION6.1 OverviewSo the expected number of false negative
tests is at mostAs a lightweight distribute trigger-identification
service, our T 1 1 pd 1 21 1 pd t:12 solution will be
experimentally evaluated from four facets:Therefore, we could use a
union bound and obtain a worst. in order to show the benefit of
this service, wecase error rate of each testcompare it with JAM
[11] in terms of the end-to-end 21. XUAN ET AL.: A TRIGGER
IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN WSN
803Fig. 9. Benefits for routing. delay and delivery ratio of the
detour routes from three parameters J 2 1; 20, R 2 100; 200, r 2
50; 150 are the base station to all the sensor nodes, as the
included in Figs. 9a, 9b, and 9c, respectively. Notice that for
number of sensors n, sensor range rs , and number of each
experiments, the other two parameters are set as the jammers J vary
within practical intervals. median value of their corresponding
intervals. Therefore, . in order to show the acceleration effect of
the clique- R 150 for Fig. 9c, which matches the extreme case R r.
independent set in this solution, we compare the Furthermore, for
the nodes that are in jammed areas for complexity of this solution
to our previous centra- JAM and that are triggers for our method,
in another word, lized one [7], with varying the above four para-
unable to deliver packets to or from the base station, we meters,
where both jamming and triggering range R count the delay as n 1,
which is an upper bound of the and r are assumed to be known
beforehand.route length. . in order to show the accuracy of
estimating the As shown in Figs. 9a and 9b, when j and R increases,
jamming range by using the polygon disk cover the routing delay
goes up, which is quite reasonable since algorithm, we provide the
estimated jamming the jamming areas get larger and more detours
have to be ranges as well as the error rate to the actual values.
taken. The length of routes based on JAM quickly climbs up . in
order to show its performance and robustness to the upper bound,
while that of our trigger method is toward tricky attackers, we
assess its false positive/ much lower and more stable (less than
900 seconds). When negative rate and the estimation of R, for those
two triggering range r is small, as in Fig. 9c, the end-to-end
http://ieeexploreprojects.blogspot.com advanced jammer models.delay
of Trigger-based routing is much smaller than theThe simulation is
developed using C++ on a Linux Work- other, while as r increases
the two approaches each other,station with 8 GB RAM. A 1;000 1;000
square sensor field since more victim nodes are triggers.is created
with uniformly distributed n sensor nodes, one6.3 Improvements on
Time Complexitybase station and J randomly distributed jammer
nodes. Allthe simulation results are derived by averaging 20 random
In our previous work [7], we proposed a preliminary idea
ofinstances.this trigger detection, and provided a disk-based
solution.However, its high time complexity limits its usage in
real-6.2 Benefits for Jamming-Resistent Routingtime networks. As
mentioned above, the time complexity ofJAM [11] proposed a
jamming-resistent routing scheme, our new clique-based detection is
proved to be asympto-where all the detected jammed areas will be
evaded and tically lower than the previous, while the message
complex-packets will not pass through the jammed nodes. This ities
are approaching each other.method is dedicated for proactive
jamming attacks, which Although the computational overhead for
estimating R issacrifices significant packet delivery ratio due to
the asymptotically huge, the phase is not the key part of
ourunnecessarily long routes selected, though the effects of
scheme, and can be easily improved by machine learningjamming
signals are avoided. We compare the end-to-end techniques.
Therefore, in this section, we assume that bothdelay between each
sensor node and the base station, of the R and r are known
beforehand, and validate the theoreticalselected routes by evading
the jammed areas detected by results through simulations on network
instances withJAM, with that of the ones evading only trigger
nodes. various settings. Specifically, the network size n
rangingAlthough there are many existing routing protocols for from
450 to 550 with step 2, transmission rs from 50 to 60unreliable
network environments, the aim of this experi- with step 0.2, and
number of jammers J from 3 to 10 withment is to show the potential
of this service to various step 1. Parameter values lower than
these intervals wouldapplications, instead of being a dedicated
routing protocol. make the sensor network less connected and
jamming Three key parameters for routing could be the number of
attack less severe, while higher values would lead toJammers J,
jamming range R, jamming threshold . As impractical dense scenarios
and unnecessary energy waste.mentioned earlier, indicates the
aggressiveness of the Since the length of each reactive attack is
equal to the1 attacker and the triggering range r % rs 0 .
Therefore, with transmission delay of the object sensor signal,
note that inrs , 0 and as fixed network inputs, the effect of can
be our trigger detection, only one message is broadcast byexactly
indicated by studying the effect of r instead.each sensor in the
testing groups. Therefore, it is reasonable The whole network has n
1;500 nodes and sensor to predefine the length of each testing
round as a constant.transmission range rs 50. The results with
respect to the We set this as 1 second, which is far more enough
for any 22. 804 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO.
5, MAY 2012Fig. 10. Time and message complexity.single packet to be
transmitted from one node to its the accuracy of this estimation.
As shown in Fig. 11, weneighboring nodes. Henceforth, the time cost
shown in investigate the error rate R for R 50; 100 when
thereSection 6.3 only indicates the number of necessary rounds are,
respectively, J 5; 10; 15 jammers.to find out all the triggers, and
can be further reduced. TheTwo observations are straightforward
from these results:message complexity is measured via the average
message 1) all the estimated values are above the actual ones,cost
on each sensor node.http://ieeexploreprojects.blogspot.com percent
difference. This meets ourhowever, less than 10 As shown in Figs.
10a and 10b, this clique-based scheme requirement for a tight upper
bound of R. 2) the error ratescompletes the identification with
steadily less than 10 sec- in case of fewer jammers are lower than
those with moreonds, compared to the increasing time overhead with
more jammers. This is because the jammer areas can have largerthan
15 seconds of the disk-based solution, as the network overlaps,
which introduces estimate inaccuracies.grows denser with more
sensor nodes. Meanwhile, itsamortized communication overheads are
only slightly 6.5 Robustness to Various Jammer Modelshigher than
that of the other solution, whereas both are In order to show the
precision of our proposed solutionbelow 10 messages per victim
node. Therefore, the new under different jamming environments, we
vary the twoscheme is even more efficient and robust to
large-scaleparameters of the jammer behaviors above: Jammer
Responsenetwork scenarios.Probability and Testing Round
Length/Maximum Jamming With the sensor transmission radius growing
up, theDelay L=X and illustrate the resulted false rates in Figs.
12atime complexity of the disk-based solution graduallyand 12b. To
simulate the most dangerous case, we assume aascends (Figs. 10d and
10c) due to the increased maximumhybrid behavior for all the
jammers, for example, thedegree H mentioned in the above analysis.
Compara-tively, the time cost of clique-based solution remains
below jammers in the simulation of Fig. 12a not only launch10
seconds, while the two message complexities are similar. the
jamming signals probabilistically, but also delay the Since sensor
nodes are uniformly distributed, the more jamming messages with a
random period of time up to 2L.jammer nodes placed in the networks,
the more victim On the other hand, the jammers in the simulation of
Fig. 12bnodes are expected to be tested, the identification
complex-ity will therewith raises, as the performance of
disk-basedscheme shows in Figs. 10f and 10e. Encouragingly,
theproposed scheme can still finish the identification promptlywith
less than 10 seconds, which grows up much slowerthan the other. It
has slightly more communication over-heads (10 messages per victim
nodes) but is still affordableto power-limited sensor nodes.6.4
Accuracy in Estimating Jammer PropertiesThough the estimate of
jamming range R is only to providean upper bound for R, such that
the testing teams obtainedaccordingly are interference free, we are
also interested in Fig. 11. Estimation error of R. 23. XUAN ET AL.:
A TRIGGER IDENTIFICATION SERVICE FOR DEFENDING REACTIVE JAMMERS IN
WSN 805other hand, mitigation schemes which benefit from
channelsurfing [13], frequency hopping and spatial retreats
[12],reactively help legitimate nodes escape from the jammedarea or
frequency. Unfortunately, being lack of preknow-ledge over possible
positions of hidden reactive jammernodes, legitimate nodes cannot
efficiently evade jammingsignals, especially in dense sensor
network when multiplemobile nodes can easily activate reactive
jammer nodes andcause the interference. For the sake of overcoming
theselimitations above, in [7] we studied on the problem ofFig. 12.
Solution robustness.identification trigger nodes with a short
period of time,whose results can be employed by
jamming-resistentrespond each sensed transmission with probability
0.5 asrouting schemes, to avoid the transmissions of these
triggerwell. All the simulation results are derived by averaging
10nodes and deactivate the reactive jammer nodes. In thisinstances
for each parameter team.paper, we complete this trigger
identification procedure as As shown in both figures, we consider
the extreme casesa lightweight service, which is prompt and
reliable towhere jammers respond transmission signals with a
prob-various network scenarios.ability as small as 0.1, or delay
the signals to up to 10 testingrounds later. This actually
contradicts with the nature ofreactive jamming attacks, which aim
at disrupting the 8 DISCUSSION AND CONCLUSIONSnetwork communication
as soon as any legitimate transmis- One leftover problem to this
service framework is thesion starts. The motivation of such
parameter setting is to jammer mobility. Although the
identification latency hasshow the robustness of this scheme even
if the attackers been shown small, it would not be efficient toward
jammerssense the detection and intentionally slow down the attacks.
that are moving at a high speed. This would become anThe overall
false rates are below 20 percent.interesting direction of this
research. In Fig. 12a, when > 1=2 which corresponds to practical
Another leftover problem is the application of this service.cases,
we find that the false negative rates generally decrease
Jamming-resistent routing and jammer localizations arefrom 10 to 5
percent as increases. Meanwhile the false both quite promising, yet
the service overhead has to bepositive rate grows gently, but is
still below 14 percent, this is further reduced to for real-time
requirements.because as more and more jamming signals are sent, due
tohttp://ieeexploreprojects.blogspot.comorder to provide an
efficient trigger-As a summary, intheir randomized time delays,
more and more following tests identification service framework, we
leverage severalwill be influenced and become false positive. In
Fig. 12b, optimization problem models and provide
correspondingconsidering the practical cases where L=X > 1=2,
both rates algorithms to them, which includes the
clique-independentare going down from around 10 to 1 percent, since
the problem, randomized error-tolerant group testing, andmaximum
jamming delay becomes shorter and shorter minimum disk cover for
simple polygon. The efficiency ofcompared to the testing round
length L, as the number of this framework is proved through both
theoreticallyinterferences between consecutive tests decreases.
analysis toward various sophisticated attack models andsimulations
under different network settings. With abun-7RELATED WORKSdant
possible applications, this framework exhibits hugepotentials and
deserves further studies.Existing countermeasures against jamming
attacks in WSNcan be categorized into two facets: signal detection
andmitigation, both of which have been well studied
andACKNOWLEDGMENTSdeveloped with various defense schemes. On the
one hand,This work was partially supported by US National Sciencea
majority of detection methods focus on analyzing specific
Foundation Career Award # 0953284 and DTRA, Youngobject values to
discover abnormal events, e.g., Xu et al. [16] Investigator Award,
Basic Research Program # HDTRA1-studied a multimodel (PDR, RSS) to
consistently monitor 09-1-0061 and DTRA # HDTRA1-08-10.jamming
signals. Work based on similar ideas [17], [15], [14]improved the
detection accuracy by investigating sophisti-cated decision
criteria and thresholds. However, reactive REFERENCESjamming
attacks, where the jammer node are not continu- [1] D.Z. Du and F.
Hwang, Pooling Designs: Group Testing in Molecularously active and
thus unnecessary to cause huge deviationsBiology. World Scientific,
2006.[2] M. Goodrich, M. Atallah, and R. Tamassia, Indexing
Informationof these variables from normal legitimate profiles,
cannot be for Data Forensics, Proc. Third Applied Cryptography and
Networkefficiently tackled by these methods. In addition, some
Security Conf. (ACNS), 2005.recent works proposed methods for
detecting jammed areas[3] R. Gupta, J. Walrand, and O. Goldschmidt,
Maximal Cliques inUnit Disk Graphs: Polynomial Approximation, Proc.
Intl Network[11] and directing normal communications bypass
possibleOptimization Conf. (INOC), 2005.jammed area using wormhole
[18]. These solutions can[4] V. Guruswami and C.P. Rangan,
Algorithmic Aspects of Clique-effectively mitigate jamming attacks,
but their performancesTransversal and Clique-Independent Sets,
Discrete Applied Math.,rely on the accuracy of detection on jammed
areas, i.e., thevol. 100, pp. 183-202, 2000.[5] W. Hang, W. Zanji,
and G. Jingbo, Performance of DSSS Againsttransmission overhead
would be unnecessarily brought up Repeater Jamming, Proc. IEEE 13th
Intl Conf. Electronics, Circuitsif the jammed area is much larger
than its actual size. On theand Systems (ICECS), 2006. 24. 806 IEEE
TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 5, MAY 2012[6]P.
Tague, S. Nabar, J.A. Ritcey, and R. Poovendran, Jamming-Ying Xuan
received the BE degree in computer Aware Traffic Allocation for
Multiple-Path Routing Using engineering from the University of
Science and Portfolio Selection, IEEE/ACM Trans. Networking, vol.
19, no. 1,Technology of China, Anhui, in 2006. He is now pp.
184-194, Feb. 2011.working toward the PhD degree in the
Depart-[7]I. Shin, Y. Shen, Y. Xuan, M.T. Thai, and T. Znati,
Reactivement of Computer and Information Science and Jamming
Attacks in Multi-Radio Wireless Sensor Networks: AnEngineering,
University of Florida, under the Efficient Mitigating Measure by
Identifying Trigger Nodes, Proc.supervision of Dr. My T. Thai. His
research Second ACM Intl Workshop Foundations of Wireless Ad Hoc
and topics include applied group testing theory, Sensor Networking
and Computing (FOWANC), in conjunction withsocial networking, and
network vulnerability. MobiHoc, 2009.[8]O. Sidek and A. Yahya, Reed
Solomon Coding for Frequency Hopping Spread Spectrum in Jamming
Environment, Am. J. Applied Sciences, vol. 5, no. 10, pp.
1281-1284, 2008.Yilin Shen received the BS degree in applied[9]M.
Strasser, B. Danev, and S. Capkun, Detection of Reactive
mathematics from Donghua University, Shang- Jamming in Sensor
Networks, ACM Trans. Sensor Networks, vol. 7, hai, China, in 2005.
He is currently working pp. 1-29, 2010.toward the PhD degree at the
Department of[10] H. Wang, J. Guo, and Z. Wang, Feasibility
Assessment of Computer and Information Science and Engi- Repeater
Jamming Technique for DSSS, Proc. IEEE Wirelessneering, University
of Florida, under the super- Comm. and Networking Conf. (WCNC),
2007. vision of Dr. My T. Thai. His research topics[11] A.D. Wood,
J. Stankovic, and S. Son, A Jammed-Area Mappinginclude network
security, and network reliability Service for Sensor Networks,
Proc. IEEE 24th Real-Time Systemsand social networks. Symp. (RTSS),
2003.[12] W. Xu, K. Ma, W. Trappe, and Y. Zhang, Jamming Sensor
Networks: Attack and Defense Strategies, IEEE Network, vol. 20,Nam
P. Nguyen received the bachelors degree no. 3, pp. 41-47, May/June
2006.from Vietnam National University in 2007 and[13] W. Xu, T.
Wood, W. Trappe, and Y. Zhang, Channel Surfing and Spatial
Retreats: Defenses Against Wireless Denial of Service,the masters
of science degree from Ohio Proc. ACM Workshop Wireless Security,
pp. 80-89, 2004. University in 2009, both in mathematics. He is[14]
M. Li, I. Koutsopoulos, and R. Poovendran, Optimal Jammingcurrently
working toward the PhD degree in Attacks and Network Defense
Policies in Wireless Sensor Net- computer science at the CISE
Department, works, Proc. IEEE INFOCOM, 2007.University of Florida.
His interests include com-munity detection methods for both static
and[15] R.A. Poisel, Modern Communications Jamming Principles and
Techniques. Artech House, 2004.dynamic networks, and effective
approximation[16] W. Xu, W. Trappe, Y. Zhang, and T. Wood, The
Feasibility of algorithms for networking problems. Launching and
Detecting Jamming Attacks in Wireless Net- works, Proc. ACM
MobiHoc, 2005.[17] M. Cakiroglu and A.T. Ozcerit, Jamming Detection
Mechanisms My T. Thai received the PhD degree in computer for
Wireless Sensor Networks, Proc. Third Intl Conf. Scalablescience
from the University of Minnesota, Twin Information Systems
(InfoScale), 2008. http://ieeexploreprojects.blogspot.comCities, in
2006. She is an assistant professor in[18] M. Cagalj, S. Capkun,
and J.P. Hubaux, Wormhole-Based the Department of Computer and
Information Antijamming Techniques in Sensor Networks, IEEE Trans.
Mobile Sciences and Engineering at the University of Computing,
vol. 6, no. 1, pp. 100-114, Jan. 2007.Florida. Her current research
interests include[19] Y.-X. Chen and D.-Z. Du, New Constructions of
One- and Two- algorithms and optimization on network science Stage
Pooling Designs, J. Computational Biology, vol. 15, pp. 195-and
engineering. She also serves as an associ- 205, 2008. ate editor
for the Journal of Combinatorial[20] M.G. Garey and D.S. Johnson,
The Rectilinear Steiner Tree Optimization (JOCO) and Optimization
Letters Problem is NP-Complete, SIAM J. Applied Math., vol. 32, pp.
826- and a conference chair of COCOON 2010 and several workshops in
the 834, 1977.area of network science. She is a recipient of DoD
Young Investigator[21] L.G. Valiant, Universality Considerations in
VLSI Circuits, IEEE Awards and US National Science Foundation
CAREER awards. She is a Trans. Computers, vol. 30, no. 2, pp.
135-140, Feb. 1981. member of the IEEE.[22] K. Pelechrinis, I.
Koutsopoulos, I. Broustis, and S.V. Krishna- murthy, Lightweight
Jammer Localization in Wireless Networks: System Design and
Implementation, Proc. IEEE 28th Conf. Global . For more information
on this or any other computing topic, Telecomm. (GlobeCom 09),
2009. please visit our Digital Library at
www.computer.org/publications/dlib.[23] H. Liu, W. Xu, Y. Chen, and
Z. Liu, Localizing Jammers in Wireless Networks, Proc. IEEE Intl
Conf. Pervasive Computing and Comm. (PWN), 2009.[24] Z. Liu, H.
Liu, W. Xu, and Y. Chen, Wireless Jamming Localization by
Exploiting Nodes Hearing Ranges, Proc. Intl Conf. Distributed
Computing in Sensor Systems (DCOSS), 2010.[25] H. Kaplan, M. Katz,
G. Morgenstern, and M. Sharir, Optimal Cover of Points by Disks in
a Simple Polygon, Proc. 18th Ann. European Symp. Algorithms,
2010.