Collaborative Jamming and Collaborative Defense in Cognitive Radio Networks

Pervasive and Mobile Computing ( ) –

Contents lists available at SciVerse ScienceDirect

Pervasive and Mobile Computing

journal homepage: www.elsevier.com/locate/pmc

Fast track article

Collaborative jamming and collaborative defense in cognitiveradio networks✩

Wenjing Wang a, Shameek Bhattacharjee a, Mainak Chatterjee a,∗, Kevin Kwiat ba Electrical Engineering and Computer Science, University of Central Florida, Orlando, FL 32816, United Statesb Air Force Research Laboratory, Information Directorate, Rome, NY 13441, United States

a r t i c l e i n f o

Article history:Available online xxxx

Keywords:Cognitive radio networksJamming power distributionCollaborative attacksCollaborative defenseSpectrum hopping

a b s t r a c t

In cognitive radio networks, cognitive nodes operate on a common pool of spectrumwhere they opportunistically access and use parts of the spectrum not being used byothers. Though cooperation among nodes is desirable for efficient network operations andperformance, there might be some malicious nodes whose objective could be to hindercommunications and disrupt network operations. The absence of a central authority orany policy enforcement mechanism makes these kinds of open-access network morevulnerable and susceptible to attacks.

In this paper, we analyze a common form of denial-of-service attack, i.e., collaborativejamming. We consider a network in which a group of jammers tries to jam the channelsbeing used by legitimate users who in turn try to evade the jammed channels. First, wecompute the distribution of the jamming signal that a node experiences by consideringa random deployment of jammers. Then, we propose different jamming and defendingschemes that are employed by the jammers and legitimate users, respectively. In particular,wemodel and analyze the channel availability when the legitimate users randomly chooseavailable channels and the jammers jam different channels randomly.We propose amulti-tier proxy-based cooperative defense strategy to exploit the temporal and spatial diversityfor the legitimate secondary users in an infrastructure-based centralized cognitive radionetwork. Illustrative results on spectrum availability rates show how to improve resiliencyin cognitive radio networks in the presence of jammers.

© 2012 Elsevier B.V. All rights reserved.

1. Introduction

A cognitive radio network (CRN) is one of the prominent communication technologies that is touted to drive the nextgenerations of digital communications. Cognitive radio enabled devices have the capability to dynamically access, use, andshare the radio spectrum in an opportunistic manner, in both the licensed and unlicensed bands [1]. Through constantsensing and monitoring of the radio frequency spectrum, these radios build a knowledge base of the spectrum usage andlearn the occupancy and vacancy of various bands. The vacant bands are considered available, and cognitive radios areallowed to operate on the best available channels. However, the bands must be vacated when the primary users (i.e., thelicenced owners) of those bands begin transmission.

✩ This research was supported by National Science Foundation, under award no. CCF-0950342 and the Air Force Office of Scientific Research (AFOSR).Approved for Public Release; Distribution Unlimited: 88ABW-2012-3749 dated 02 July 2012.∗ Corresponding author.

E-mail addresses:[email protected] (W. Wang), [email protected] (S. Bhattacharjee), [email protected] (M. Chatterjee),[email protected] (K. Kwiat).

1574-1192/$ – see front matter© 2012 Elsevier B.V. All rights reserved.doi:10.1016/j.pmcj.2012.06.008

2 W. Wang et al. / Pervasive and Mobile Computing ( ) –

Though there are major initiatives from industry, academia, and policy regulators on the dynamic, flexible, and efficientuse of the radio spectrum, there are certain vulnerability issues that need to be resolved before cognitive radio networkscan be commercially deployed. Since the spectrum is made available to unlicensed users, it is expected that all suchusers follow the regulatory aspects and the sharing rules. One can think of a variety of ways which would make CRNssusceptible to attacks, some of which might be radically different from those for traditional multi-channel wirelessnetworks.

In this research, we consider that both jammers and regular users are cognitive radio enabled, and that they operateon a common pool of spectrum. The regular users continuously scan for available channels and choose channels that areavailable or not being jammed. The jammers, on the other hand, try to jam the channels that are being used by the regularusers. We generalize the spectrum availability at different locations, i.e., the spectrum availability at the jammer side isdifferent from that at the regular user side, and the jammer has no clue which frequencies the transmitter/receiver pairwould use. Though Ref. [2] examines the jamming problem in a single-cell IEEE 802.11 network when a single cognitivejammer jams by sweeping all the available channels, such techniques cannot be directly applied to CRNs. To analyze thecumulative effect of multiple jammers on a single receiver, we first compute the jamming distribution from a single jammeron that receiver. We then compute the joint distribution, assuming that the jammers do not employ any transmit powercontrol and that they collaboratively apply a sweeping attack to jam the channels.We consider that the jammers collaborateto distribute their transmit power budget overmultiple channels formaximizing their jamming interference during the datatransmission periods of regular users. Next, we consider an infrastructured network (e.g., IEEE 802.22 network) in which theattacks are launched at both the base station and the users. The users use impetuous and conservative frequency hoppingto escape the attacks. We attempt to obtain the spectrum availability rates analytically for both hopping strategies at thebase station as well as at the user side. Further, we propose a collaborative defense strategy in which the users form tiers toexploit the temporal and spatial diversity to avoid jamming. Numerical and simulation results are presented to illustrate thespectrum availability rates when different attack/defense strategies are employed. We show the effects of the collaborativeattack to reveal how the spectrum availability rates change with different parameters. Subsequently we discuss trade-offsbetween goodput and latency, and show that the communication goodput is greatly enhanced when using communicationtiers at the cost of latency.

The rest of the paper is organized as follows. In Section 2, we discuss the vulnerabilities of CRNs and some recent worksthat have been proposed to deal with them. In Section 3, we analyze the distribution of jamming interference as experiencedby a receiver from multiple jammers. In Section 4, we discuss the system model of an infrastructured network. We showthe effect of jamming and anti-jamming that exploits temporal and spatial diversity through spectrum hopping in Section 5.In Section 6, we show how cooperation can help minimize the jamming probability. Numerical and simulation studies arepresented in Section 7. We discuss some performance trade-offs in Section 8. Section 9 presents our conclusions and futurework.

2. Preliminaries and related research

Just like traditional radios, cognitive radios are susceptible to harmful interference andmuchmore. Events such as denial-of-service (DoS) attacks could render legitimate cognitive radios spectrumless. This could easily be achieved if a maliciousradio pretends to be a primary transmitter and spoofs signals that resemble the signal characteristics of a licensed user. Thisis known as primary user emulation attack which occurs at the sensing slot. Since access is free-for-all in unlicensed bands,a malicious node can also try to jam the signals during the data transmission slots.

There are several ways in which communications of a cognitive radio network infrastructure can be jeopardized; acommon type of attack is denial-of-service [3]. In the context of wireless networks, DoS attacks are usually manifestedthrough radio jamming [4]. One of the ways for radio jamming is the sweeping attack, in which the malicious nodes attack achannel irrespective of the channel activity. Another alternative way of jamming is the scanning attack: the attackers firsttake a constant time to sense the channel to determine channel activity. The jammer will only jam the channel if it findslegitimate activity on the channel; otherwise, it will hop to sense another channel until it finds a target channel to jam.Withadvanced physical layer techniques, e.g., spread spectrum and directional antennas, it is feasible to defend the network fromattacks. Channel/frequency hopping is a popular anti-jamming approach [5,6].

Anti-jamming hopping is based on the availability of multiple orthogonal channels or non-overlapping frequencies sothat the transmitter/receiver pair can switch, access, and communicate over a different channel in case the original channelis jammed. The hopping can be triggered either reactively or proactively. In reactive hopping [5], the transmitter/receiverpair switch to another channelwhen they observe jamming, while in proactive hopping [6], the transmitter and receiver hoptheir channels as per a hopping sequence that is previously agreed upon. However, it is crucial that all the network entities(nodes) share a control channel to exchange information such as the hopping sequence. Anti-jamming considerations,e.g., using random assignment of cryptographic keys, and control channel frequency hopping, are also needed on thatchannel [7,8]. Therefore, it is highly desirable that algorithms and protocols that are devised for anti-jamming are distributedin nature [9,10] or shared key free [11,12].

There is some body of work that deals with guarding against spurious signal sent over channels for disruption orsensory manipulation [13–15]. In [16], where the primary incumbents are TV stations, the authors propose a method ofcountering such attacks by verifying the estimated location fromwhich the signal has been sent and comparingwith already

W. Wang et al. / Pervasive and Mobile Computing ( ) – 3

known locations of primary incumbents. In [14], a dedicated infrastructure-based defense against primary user emulation isproposed in which an underlying sensor network monitors malicious jamming on sensing slots. The work in [17] discusseshowprimary user emulation can be achieved by distributing the total power budget equally over a subset of channels chosenfrom set of available channels instead of just jamming one channel. There are otherworks, such as [18], which consider roguenodes that jam the secondary users. A selective escape strategy as opposed to randomhopping is pursued by regular nodes toavoid jamming. This work considers that channel usage statistics are known and that there is a trade-off between choosinggood channels and avoiding jamming by the attacker. This situation is modeled as a dogfight in spectrum in multiple stages.In the first stage, the dogfight is modeled as a normal zero-sum game, and the Nash equilibrium strategy (max–min point)is obtained. For the multi-stage game, the dogfight is essentially a stochastic game with partial observations and imperfectmonitoring. The same authors, in [19], have focussed on the problem of jamming and escaping under unknown channelstatistics andmodelled it as a adversarial multi-armed bandit problem. Lower bounds on performance for defenders, subjectto several typical attack strategies, are derived for the single-defender case. For all the above-mentioned works, the focusis mostly on jamming the sensing slot for denying correct sensing decisions on an otherwise available channel. However,we focus on jamming from a usability point of view, where the jamming could be in any of the sensing or data transmissionslots.

3. Jamming signal distribution

In this section, we analyze the effect of randomly distributed jammers on a single receiver. We first compute the effectof a single jammer and then sum the jamming signal strengths to compute the total interference as the jammers distributetheir transmit power budget over multiple channels.

3.1. System model and assumptions

We consider a network in which n legitimate users and m jammers are randomly scattered over a geographical region.The secondary users work on frequency bands that are not occupied by the primary users. We assume that both the groups(users1 and jammers) are self-coordinated, i.e., they do not jam each other within the group. Also, the primary users do notjam the secondary users.

We assume that the jammers have no prior knowledge of the specific channels that are being used by the regular users.Even if they come to know about the channel that a regular user is using and try to jam it, it is not necessary that the regularuser will continue to use the same channel. In fact, all regular users employ either a proactive or reactive approach towardschannel hopping. A jammer randomly selects a channel and uses its maximum transmit power to jam.

We intend to obtain the statistical distribution of jamming power from a single jammer that a user experiences. Then,we will find the expected total jamming at the user from multiple jammers. To obtain the jamming power distribution, weuse the following assumptions and definitions.

1. All users and jammers have omnidirectional transmit and receive antennas of the same gain.2. The receiving distance from which a user can correctly recover a transmitted signal is RT .3. The interference distance RI is defined as the maximum distance from which a receiving user can sense a carrier.4. R0 is the minimum distance between two users/jammers, i.e., no two users/jammers could be with a distance of R0 of

each other.5. The jammers do not employ transmit power control. Rather, they use the maximum possible power to cause maximum

damage. If a jammer jams multiple channels, it distributes the maximum power equally over all the channels.

Fig. 1 shows user i as the user under consideration. User i can correctly decode any transmission that lies with RT , i.e., itsintended transmitter (say j2) must be within RT . However, user i can be jammed by any jammer (say j1) that lies within RI .The commonly used notation is shown in Table 1. Some of the terms will be defined later.

3.2. Jamming power distribution

Let us compute the probability density function of the jamming signal from a jammer that lies within distance RIfrom receiver i. If R0 is the minimum distance between two active nodes, then we can write the cumulative distributionfunction (cdf) of the transmitter–receiver distance d, with uniformly random distributed jammer as well as regular nodes,as

FD(d)

=

d2 − R02

R2 − R02 in (R0, R]

= 1 d > R= 0 d ≤ R0,

(1)

1 We use the word ‘user’ to refer to ‘secondary user’.


Fig. 1. Interference model of jammers.

Table 1Notation.

Symbol Meaning

n Number of regular nodesm Number of jamming nodesNj Expected number of jammers for any nodeρn Density of regular nodesρm Density of jamming nodesRT Receiving distance of a nodeR Maximum sensing rangeRI Interference distance of a nodeR0 Minimum distance between two nodesNtot Total number of channelsN Number of channels at the users sideM Number of channels at the base station sidePt Total transmit power budget of a jammerk Number of channels a jammer decides to attack

where random variable (RV) d ranges from R0 through R, where R is the maximum sensing range. Note that RT ≤ RI ≤ R.Thus the corresponding probability density function is

fD(d)

=2d

R2 − R02 in (R0, R]

= 0 elsewhere.(2)

We know that the received power Pr at node i decays with the distance from the jammer, i.e., Pr ∝ d−α , where α is thepath loss exponent.

If we define RV y , d−α , then the cdf of y is

Fy(y)

= 1 − FD

y

−1α

in (R−α, R−α

0 ]

= 1 y ≥ R−α

= 0 y < R0−α .

(3)

Putting d = y−1α in the cdf and differentiating with respect to y, we get

fy(y)

=2y−

2α+1

α(R2 − R2

0)in (R−α, R−α

0 ]

= 0 elsewhere.

(4)

Since the received power varies inversely with d, we define the distribution of received interference power pr,ji at nodei due to a particular jammer j with a fixed transmit power Pt as

pr,ji = Ptd−αji , R0 < dji ≤ RI . (5)


Now, Pt being constant, pr,ji is a RV in the interval (PtR−αI , PtR−α

0 ). Thus the probability distribution function (pdf) of thereceived jamming interference power is given by

fpr,ji(pr)

=2p

−

2α+1

r

αP−

2α+1

t (R2

I − R20)

PtR−αI ≤ pr < PtR−α

0

= 0 elsewhere.

(6)

Similarly, we can obtain that the distribution of the received power at node i due to a legitimate transmitter T locatedwithin a distance of RT from i is given by

pr,Ti = Ptd−αTi , R0 < dTi ≤ RT . (7)

The corresponding pdf of the intended received power at node i from legitimate transmitter T is

fpr,Ti(pr)

=2p

−

2α+1

r

αP−

2α+1

t (R2

T − R20)

in PtR−αT ≤ pr < PtR−α

0

= 0 elsewhere.

(8)

3.3. Jamming power distribution over multiple channels

Though concentrating on a single channel could be very effective, the jammer’s success is based on the odds of selectinga channel that is in use by a regular node. To increase its chances of success, a jammermight decide to distribute its transmitpower budget among multiple randomly selected channels. This approach of equal power partial band spoofing [17] hasproved to be very effective when the geographical distribution and the in-use channels of the regular nodes are unknown tothe jammers. Of course, the drawback of such power distribution could lead to insufficient interference power on a channelthat is indeed being used by a regular node.

Since the jammers collaborate, we assume that all the jammers distribute their power equally over a fixed set of channelsand reinforce the interference power on each channel from various jammer locations. From a regular node’s perspective,the jamming power it experiences on any channel (if it uses one of the jammed channels) is due to the jammers that arewithin its interference range RI . Thus, the expected number of such jammers is given by

Nj = πR2I ρm − πR2

0ρm, (9)

where ρm is the density of the jammers, i.e., number of jammers per unit area.Note that the distribution obtained in Eq. (6) is due to a single jammer. To get the distribution of the total jamming power,

we have to add the received power from Nj jammers. Thus, the total jamming power is

SNj = pr1 + pr2 + · · · + prNj . (10)

We can safely assume that the random variables pr1 , pr2 , . . . , prNj are independent and identically distributed (i.i.d.). Hence,to obtain the density function of the total jammed power, we can use Nj-fold convolution since SNj is the sum of Nj i.i.d.random variables [28]. Thus, the density function of SNj is given by

fSNj (pr) = (fpr1 ⋆ fpr2 ⋆ · · · ⋆ fprNj)(pr), (11)

with fSNj (pr) having a support over the interval [NjPtR−αI ,NjPtR−α

0 ].

4. Infrastructured systemmodel

With the distribution of the jamming known, we proceed to propose an infrastructure for communication that wouldallow the users to evade the jamming to some extent. Though our analysis in Section 3.2 was generic, we consider aninfrastructure mode for the hierarchy in which the users try to connect to a base station using freely available channels.This model could be thought of as an IEEE 802.22 network that consists of a base station and multiple consumer premiseequipment in a cell.

We consider a network in which n users communicate with a base station (BS) as shown in Fig. 2. For the sake ofdiscussion, we assume that the number of available channels at the base station side is M . However, it is possible thatnot all of the M channels are available at the secondary users’ side, and we denote the frequencies available at the users’side as N channels, where M ≥ N . Given this scenario, we are interested in finding what portions of the communicationbetween the base station and the users are jammed givenm jammers. It is to be noted that the jammers coordinate amongthemselves to launch collaborative attacks.


Fig. 2. Infrastructure system model.

Before we can calculate which channels are jammed, we need to know how the jammers jam and how the users defend.We consider slotted time, in which the users and the jammers take actions in each of the equal-length time slots. A time slotis the minimum unit of time we consider in this analysis.2 As far as the jammers are concerned, at every slot, them jammerswill choose m different frequencies to jam and will change the jamming set at the next slot. This type of jamming is calledsweeping.

From the regular users’ perspective, they have two ways to defend.

• Impetuous hopping. The users, like the jammers, choose a new set of frequencies at every slot, irrespective of jamming.This is also called proactive hopping.

• Conservative hopping. The unjammed users will stay at the frequencies for the next slot, while the jammed users choosea set of new unused frequencies that exclude the jammed ones. This is also known as reactive hopping.

Further, we introduce a hypergeometric-like distribution function f (x, y, z, u, v), which represents the probability that,in a finite population of x unique items, and its subset z, where z ⊆ x, two independent uniformly distributed drawings ofy and u in x and z respectively share v common items.

f (x, y, z, u, v) =

zv

z−vu−v

x−uy−v

xy

zu

, (12)

where

xy

is the binomial coefficient.

5. Jamming and anti-jamming spectrum hopping

In this section, we analyze the expected spectrum availability rates with respect to various parameters. The spectrumavailability rateψ is defined as the ratio of available (unjammed) spectrum to the total spectrum from the users’ perspective.A larger spectrum availability rate implies higher anti-jamming efficiency. Depending on where the jamming occurs in thesystem, the analysis consists of two scenarios, i.e., jamming the base station and jamming the users.

5.1. Base station being jammed

When the jammers jam the spectrum at the base station, the jammers see M available frequencies, while there areN candidate frequencies that the users access. Based on the anti-jamming hopping strategies, we have the followingobservations.

2 Channel access time and switch time in the time slot are not in the scope of this paper.


Fig. 3. Four jammers and users. (a) Jammers choosemaximumpower to transmit, (b) jammers choosemoderate powerwithmoderate number of channelsto jam, (c) jammers choose lower power with many channels to jam.

Lemma 1. When the users adopt the impetuous hopping strategy, the spectrum availability rateψI = 1−

min(m,n)i=0 f (M,m,N,n,i)×i

N .

Sketch of Proof. The probability of i frequencies being jammed can be modeled using function f (). The problem is to findthe probability that the two drawings share i unique frequencies, given frequency drawings m from M and n from N . Theprobability, which can be expressed as f (M,m,N, n, i), shows the probability of jamming i channels. The summation overi ∈ [0,min(n,m)] is the total probability of jamming. �

To model the conservative hopping strategy, we construct a Markov chain. Let state i be the state when i frequencies arejammed.We assume that, when the conservative hopping strategy is adopted, in the next slot, j frequencies will be jammed.The transitions are characterized by probability pij, which further construct a transition matrix P(pij). It is natural that thisMarkov chain is ergodic, so the steady-state distribution 5 = limn→∞ Pn, where 5(πi)P = 5(πi). The next lemma showshow to obtain the elements in the transition matrix and calculate the spectrum availability rate.

Lemma 2. When the users adopt the conservative hopping strategy, the spectrum availability rate ψC = 1 −

i iπiN , and the

transition probability

pij =

jk=0

f (M,m,N − i, n − i, k)f (M − k,m − k,N − n, i, j − k).

Sketch of Proof. Consider the case when i frequencies are jammed, and the hoppings by both users and jammers resultin j frequencies being jammed. From the strategy description, i users will choose from a candidate frequency set of sizeN − n ⊆ M . Assume that, in the next slot, k of the n − i users that do not hop are jammed. The probability of jamming isgiven by f (M,m,N − i, n − i, k). Next, among the remaining i users that hop, a total of j − k users are jammed by a totalof m − k jammers. The frequency spaces for both jammers and users shrink to M − k and N − n, respectively. Thus, theprobability of j − k jamming in i hopping users is f (M − k,m − k,N − n, i, j − k). The boundaries for variable k are jointlygiven by k ∈ [0, j] and the requirement of the binomial coefficient is that x ≥ y ≥ 0. �

5.2. Users being jammed

When the jammers are in the vicinity of the users, the spectrum they sense is almost the same as what the users canaccess. Thus, the spectrum space for them to attack is reduced to N . Therefore, the spectrum availability rates is the sameas when the jammers are at the base station, except for replacingM by N . In particular, the spectrum availability rate whenthe users adopt the impetuous hopping strategy is

ψ(U)I = 1 −

min(m,n)i=0

f (N,m,N, n, i)× i

N,

and the spectrum availability rate when the users adopt the conservative hopping strategy isψ (U)C = 1 −

i iπiN , where πi is

obtained using the transition probability

p(U)ij =

jk=0

f (N,m,N − i, n − i, k)f (N − k,m − k,N − n, i, j − k).

We will show the difference between the two cases in Section 7.1.When the total transmit power of the jammer is a constraint, the jammer can choose to jam a single channel or multiple

channels. A jamming power distribution on multiple channels implies more channels being jammed i.e., as if there areadditional jammers. Of course, with multiple channels, the jamming rate is high, but the coverage is less. An illustrativeexample is shown in Fig. 3, where three different transmit powers are employed by the four jamming nodes for the same


geographical distribution of the jammers and the users. The jammers are shown using the solid dots and the users are shownusing the non-solid dots. In case (a), the jammers transmit with the maximum power (Pt ), each jamming only one channelbut able to reach most of the users. In case (c), the jammers choose to distribute the power to many channels, thereby onlybeing able to reach very few users but with a high probability of jamming those users. Clearly, there is a trade-off, which isshown by case (b).

5.3. Jamming trade-off

A jammer can cover the maximum area when it chooses to use the entire power budget on a single channel. We havealready denoted thismaximum jamming distance as RI . From a user’s perspective, any jamming from beyond RI will have noimpact. Thus, we can define the user receiver sensitivity, psenr , as theminimum jamming power that affects it. In other words,any received power that is less than psenr will have no jamming consequence. Thus, we can define the receiver sensitivity as

psenr = Pt × R−αI . (13)

Instead of focussing on a particular channel, a jammer might choose to distribute the total power budget on a subset ofk channels so as to increase its chances of jamming a user. Such distribution of power on k channels decreases the transmitpower on each channel by a factor k, i.e., the transmit power for each channel is Pt

k , which in turn reduces the coveragedistance for the jammer. If we define RI,k as the coverage radius when the total power is distributed over k channels, then itcan be shown that

RI,k =

Pt/kpsenr

1α

. (14)

With RI,k as the interference range, the expected number of users that a jammer can target on a particular channel is

Ni = πR2I,kρn − πR2

0ρn, (15)where ρn is the density of the users.

5.3.1. Bound on the number of channels attacked (k)Though increasing k means attacks on more channels, it necessarily means less jamming power to the users. Note that

it does not make sense for the jammers to use a transmit power less than psenr . If kmax is the maximum number of channelschosen to be attacked and Pt/kmax is the transmit power on each, then the jammer has to ensure that

Pt/kmaxR−α0 ≥ psenr , (16)

as R0 is the closest a jammer could be to a user. Thus, we get

kmax =Ptpsenr

R−α0 . (17)

5.3.2. Probability of jammingWith the total power distributed over k channels, we get the modified pdf (from Eq. (6)) of the received jamming power

at any node i as

fpr,jik (pkr )

=2(pkr )

−

2α+1

α(Pt/k)−

2α+1

(R2

I,k − R20)

PtkR−αI ≤ pkr <

PtkR−α0

= 0 elsewhere.

(18)

The sum of the received power on channel k from Nj,k jammers is

SkNj,k= pkr1 + pkr2 + · · · + pkrNj,k , (19)

where Nj,k = πR2I,kρm − πR0ρm is the modified number of jammers around the vicinity of any regular node, with power

distributed jamming strategy. Likewise, we can modify the density function for the sum of the receiver power as

fSkNj,k(pkr ) = (fpkr1

⋆ fpkr2⋆ · · · ⋆ fpkNj,k

)(pkr ), (20)

with fSkNj,k(pkr ) having a support over [Nj,k

Ptk R

−αI ,Nj,k

Ptk R

−α0 ].

Now, the jamming will be effective if the total power is greater than psenr . The probability that the total received power ismore than psenr is given by

P(SkNj> psenr ) =

NjPt/k

psenr

fSkNj(pkr ). (21)


Fig. 4. Cooperative defense among legitimate users. Each jammer can jam one channel at a time.

6. Anti-jamming through cooperation

From the previous section, it is intuitive that the jammers can collaborate to jam a set of frequencies—the more jammersthere are, themore frequencies there are that can be jammed. Nonetheless, it is possible that some of the communication cansurvive from such attacks as long as the number of jammers is less than the number of available frequencies. This motivatesus to explore ways by which the users can cooperatively exploit the unjammed frequencies.

Cooperative communication [20,21] is one of the methods to characterize the means of cooperation between differenttransmitting entities in a wireless network. Cooperative communication is based on the idea that single-antenna users ina multi-user scenario can share their antennas in such a way that creates a virtual multiple-input multiple-output (MIMO)system. With the help of the virtual MIMO system, all the users can take advantage of the time, frequency, and spacediversities to improve communication capacity, speed, and performance. In our scenario of combating the jammers, thefrequency and space diversities of channel availability enable the users to aggregate their communication with the BS onthe unjammed frequencies and relay information cooperatively.

6.1. Cooperation among legitimate users

For the time being, let us assume that theN available frequencies at the user end do not overlapwith theM frequencies atthe base station side. Using the N frequencies, the users can communicate among themselves. As shown in Fig. 4, we dividethe n users into two categories: proxy users (proxies) and follower users (followers). The proxy users act as relays betweenthe followers and the BS that add another layer in the communication hierarchy. Instead of connecting to the BS directly,the followers connect to proxies first and relay the information through proxies to the BS. The set of proxies can be eitherpre-selected or dynamically updated as long as their identities are revealed to all the followers.

The cooperation among the users works in three steps. First, the followers connect to the proxies and store theinformation to be sent to the BS at the proxies. Then, the proxies connect to the BS and act as relays for the followers. Last,the proxies relay the information from the BS back to the followers. Due to the broadcast nature of wireless communication,the proxies and followers must have an agreed sequence of hopping frequencies. With h proxies and n − h followers, thefollowers take turns to access the frequencies in groups of h. Each of the proxies listens to one frequency at a time. Aftern − h iterations, each of the h proxies listens to each of the followers only once. After the communication between proxiesand the BS, the proxies broadcast to the followers at h frequencies each time, and iterate over available frequencies h timesso that each follower can hear at least once. The connections among users can be modeled with a fully connected bipartitegraph of h(n − h) edges.

For them jammers,when the legitimate users cooperate, the jammerswill need to jamboth the proxies and the followers.Let us assume that l of the jammers are assigned to jam the communications between the proxy users and the BS. Theremaining of m − l jammers are responsible for jamming communications between followers and proxies. We take onecommunication cycle (i.e., one complete information exchange process between a follower user and the BS) as an exampleto analyze the channel availability rate.

In the first phase, the n − h followers connect to h proxies in groups of h. All of the follower and proxy pairs selectunique channels out of the N available channels, since we assume that the users collaborate. The m − l jammers are awareof the N available frequencies and try to jam the communications. Since the proxies and followers agree on a sequence of


channel hopping, it can be viewed as the legitimate users are defending using impetuous hopping. The spectrum jammingrate φ, which is defined as 1 − ψ (spectrum availability rate), can be derived from Lemma 1. For a particular follower,the communication between it and the proxy is unjammed as long as it connects to one of the k proxies successfully. Thejamming rate can be expressed as

φ1 = (1 − ψI)h

=

min(m−l,n−h)

i=0f (N,m − l,N, n − h, i)× i

N

h

. (22)

In the second phase, the proxies talk to the BS on behalf of the followers. In this setting, l jammers try to jam thebidirectional communication between h proxies and one BS, givenM available frequencies. According to our analysis above,the jamming rate is

φ2 = 1 − ψI =

min(l,h)i=0

f (M, l,N, h, i)× i

N. (23)

Finally, after the proxies successfully communicate with the BS, they relay the communication back to the followers.This process is the reverse of the first phase, where h proxies are transmitters and n − h followers are receivers. Each ofthe proxies will try to connect to each of the followers once. Due to the broadcast nature of the communication, multiplefollowers may connect to the same proxy at a time. Therefore, when m − l jammers are present, the jamming rate is givenas

φ3 = (1 − ψI)h

=

min(m−l,h)

i=0f (N,m − l,N, h, i)× i

N

h

. (24)

When we combine the three phases, we can obtain the total spectrum jamming rate with cooperative users as

φ = 1 − (1 − φ1)(1 − φ2)(1 − φ3). (25)

7. Numerical and simulation study

In this section, we show the effect of collaborative attacks on spectrum availability rates.We also showhow collaborativedefense can be employed to counter such attacks.

7.1. Effect of collaborative attack

We study how the spectrum availability rate changes with different parameters. A general observation is thatconservative hopping (CH) provides more spectrum availability rate than impetuous hopping (IH). We implement asimulator based on C++ to learn the jamming properties. During each round, both the jammers and the users choose arandom frequency from a set of available frequencies known only to their own group. This ensures that none of the jammersor users will jam within their group. A total of 10,000 rounds are simulated.

Fig. 5 represents the simulation and analytical results for different values ofM , n, andm. The plots suggest a good matchbetween the spectrum availability rate derived from our modeling and that obtained from the simulation. In addition,the figure shows that increasing M improves the spectrum availability rate when the spectrum size at the user side (N)is fixed. Fig. 6 is obtained when the number of users is fixed and the number of attackers varies. It clearly shows that thespectrumavailability rate decreaseswhenmore attackers are present in thenetwork. It is observed in Fig. 7 that the spectrumavailability rate increases with increasing N . Together with Fig. 5, this indicates that, when there are more attackers thanusers in the network, the spectrum availability rate drops. The jamming at the user side is illustrated in Fig. 8 with the samesettings as in Fig. 7. The reason why the spectrum availability rate decreases when jamming is at the user side is due to thereduced spectrum space the attackers can sense. Since the jammers know exactly what candidate frequencies are availableto the users, the jamming is more likely to be successful.

7.2. Collaborative defense

Just as the attackers collaborate, we let the users collaborate so that they can cooperatively form a tier to avoid jamming.We study the spectrum availability rate and compare with the performance of impetuous hopping (IH) strategy.


Fig. 5. Spectrum availability rate versusM .

Fig. 6. Spectrum availability rate versus m.

A general observation made from Figs. 9 and 10 is that, when users cooperate, the spectrum availability rate (ψ) issignificantly greater thanwith the IH strategy. The observation indicates that cooperation can effectively reduce the jammingprobability and improve the goodput of the network. WhenM and N increase, the spectrum availability rate also increases.This property, which is same as our observations in Figs. 5 and 7, shows the network performance gain from a larger pool ofavailable frequencies. It can be noted that, in Fig. 9, we only considerM ≥ N , as stated in the system model.

Figs. 13 and 14 show some trade-offs between the number of jammers at different locations. In Fig. 13, when morejammers are placed at the BS side, a decrease of proxy users will yield better spectrum availability rate, because it reducesthe probability of proxy users getting jammed. Fig. 14 suggests that, when a larger number of jammers are present at the BSside, fewer proxies help increase the performance. However, from the jammers’ perspective, with the increase in proxies,more jammers should be placed at the BS side.

7.3. Effect of jamming trade-off

We study the trade-offs between number of nodes affected and the probability of their channels being jammed when ajammer distributes the power over k channels.We define the attack utility product as the product of the number of channelsjammed at each node and the number of nodes affected. We observe that, while there is an increase in the probability of


Fig. 7. Spectrum availability rate versus N .

Fig. 8. Spectrum availability rate when jammers are at the user side.

jamming of a single node, as k increases, the number of users affected by the jammer reduces exponentially. We show theexponential reduction in number of nodes affected by a jammer in Fig. 11 for different values of α. We observe a targetnumber of nodes of less than 7 if the number of channels attacked is more than 10, for α = 4. The high number of targetsnodes for lower values of α is evident, as for lower path loss exponent a signal from the jammer reaches more users, but forhigher values of α we see a drop in the number of target nodes. Next, we show the attack utility product, which we observeto increase with increase in k in Fig. 12.We observe that there is significant linear increase in the attack utility product whenthe number of channel attacked by the distributed power budget increases with k.

8. Discussions

In this section, we show qualitatively the trade-offs between goodput and latency, and then we argue that scanningattacks are special cases of sweeping attacks.

8.1. Goodput versus latency

When all the legitimate users directly connect to the BS, the users can only exploit the frequency diversity. If theBS has multiple receivers, all the communication can be performed concurrently, which minimizes the latency incurred.


Fig. 9. Spectrum availability rate versus M , when users cooperate.

Fig. 10. Spectrum availability rate versus N , when users cooperate.

However, from our study, such direct communication suffers from low spectrum availability rates; thus the goodput iscompromised.

When the legitimate users cooperate with each other, communication is divided into tiers. From the jammers’perspective, they must also be divided into groups to jam communications between different tiers. Since a follower usercan communicate with all the proxies at different times, leaving duplicated copies of information on each of the proxies,communication robustness and goodput is greatly enhanced. In this case, it becomes harder for the jammers to jam.Nonetheless, the drawback is the latency incurred from the duplicated communication. In our example above, if we relaxthe assumption of N andM being mutually exclusive, n− h+ h = n extra time slots are needed to perform the informationexchange among tiers.

The trade-off between goodput and latency can also lead to optimized design in CRNs. Depending on the requirementsof the application, various parameters (e.g., cooperation versus IH/CH, value of h) of the defending schemes can be set whichyield different goodput and latency performance.


Fig. 11. Number of nodes affected over channels attacked.

Fig. 12. Attack utility product over channels attacked.

8.2. Scanning attack versus sweeping attack

In our analysis, we assume that the jammers use a sweeping attack, i.e., jamming the channel irrespective of channelactivity. Another type of jamming attack is a scanning attack [22]. In a scanning attack, the attackers first take a constanttime to sense the channel to determine channel activity. The jammer will only jam the channel if it finds the channel havinglegitimate activity; otherwise, it will hop to sense another channel until it finds a target channel to jam.

A scanning attack differs from a sweeping attack, and the jammers can rapidly switch to a channel with legitimatecommunication if the scanning is sufficiently fast. Nonetheless, the users can cooperatively use background communicationover unused frequencies to cover the intended communication. For examples, in our discussion in Section 6.1, when thefollower users are not taking their turns to connect to the proxies, they can mimic legitimate communication to occupysome currently unused frequencies. From the jammers’ perspective, they are deceived to jam those covering frequencies,leaving the intended communication frequencies unjammed. If we have λ intended communication frequencies,µ coveringfrequencies, and γ jammers, when the jammers scan and attack, it is equivalent to γ jammers sweeping and attacking over


Fig. 13. Spectrum availability rate versus l.M = 20,N = 15,m = 8, n = 5.

Fig. 14. Spectrum availability rate versus k.M = 20,N = 15,m = 10, n = 8.

λ+ µ frequencies on λ users. Therefore, a scanning attack can be regarded as a special case of a sweeping attack, and thuswe can apply the same methods as we have shown with sweeping attacks to the analysis and defense of scanning attacks.

9. Conclusions and future work

In this paper, we analyze the distribution of the jamming signals and study collaborative jamming attacks in cognitiveradio networks. We derive the distribution of the total jamming power a particular user is likely to experience with acollaborative jamming strategy by the jammers. We take the anti-jamming hopping strategy as an example and derivethe spectrum availability rates when the users apply different hopping strategies to defend themselves. We further proposea cooperative defense strategy which groups the users into tiers in order to take advantage of the temporal and spatialdiversity. Based on the analysis, we conduct a numerical evaluation. The results illustrate that the spectrum availabilityrate increases with the total spectrum at the base station and the spectrum available to the users, while it decreases whenmore attackers/jammers are present. When cooperation is assumed among the users, the spectrum availability rate can be


greatly improved. However, the performance gainwhich infers better goodput is coupledwith an increase in communicationlatency.

Though the performances of the proposed strategies have been evaluated numerically and through simulations, it wouldbe interesting to see how these strategies would fare when implemented in real systems. Recent advances in cognitiveradio hardware prototypes using FPGA [23] and an open-source software suite on commodity hardware [24] would allowsuch implementations. In particular, cognitive radio nodes can be programmed to sense the channel and switch frequenciesaccording to complex algorithms [25]. Future investigations can take advantage of such technologies and deploy a cognitiveradio testbed consisting of nodes simulating both jammer and legitimate user behavior. Testbeds can be used to validateand understand the performance and effectiveness of any anti-jamming strategies. Further, a public resource for cognitiveradio networks, e.g., Microsoft KNOWS [26], could be made use of, as that would provide a common platform to comparevarious propositions. Other worthwhile efforts would be to consider more realistic channel/link emulation or simulationsetup, e.g., using the framework of NS3 [27], that would allow a comprehensive software benchmark for the evaluation ofjamming and collaborative defense mechanisms in cognitive radio networks.

References

[1] I.F. Akyildiz, W.Y. Lee, M.C. Vuran, S. Mohanty, Next generation/dynamic spectrum access/cognitive radio wireless networks: a survey, ComputerNetworks 13 (2006) 2127–2159.

[2] A. Sampath, H. Dai, H. Zheng, B.Y. Zhao, Multi-channel jamming attacks using cognitive radios, in: IEEE ICCCN 2007, pp. 352–357.[3] T.X. Brown, A. Sethi, Potential cognitive radio denial-of-service vulnerabilities and protection countermeasures: a multi-dimensional analysis and

assessment, Mobile Networks and Applications 13 (2008) 516–532.[4] W. Xu, W. Trappe, Y. Zhang, T. Wood, The feasibility of launching and detecting jamming attacks in wireless networks, in: ACM Mobihoc 2005,

pp. 46–57.[5] S. Khattab, D. Mossé, R. Melhem, Jamming mitigation in multi-radio wireless networks: reactive or proactive? in: IEEE/ICST SecureComm 2008.[6] W. Xu, W. Trappe, Y. Zhang, Channel surfing: Defending wireless sensor networks from jamming and interference, in: IEEE IPSN 2007, pp. 499–508.[7] L. Lazos, S. Liu, M. Krunz, Mitigating control-channel jamming attacks in multi-channel ad hoc networks, in: ACMWiSec 2009, pp. 169–180.[8] P. Tague, M. Li, R. Poovendran, Mitigation of control channel jamming under node capture attacks, IEEE Transactions on Mobile Computing (9) (2009)

1221–1234.[9] A. Chan, X. Liu, G. Noubir, B. Thapa, Control channel jamming: resilience and identification of traitors, in: IEEE ISIT 2007, pp. 2496–2500.

[10] M. Strasser, C. Popper, S. Capkun, M. Cagalj, Jamming-resistant key establishment using uncoordinated frequency hopping, in: IEEE Symposium onSecurity and Privacy 2008, pp. 64–78.

[11] T. Jin, G. Noubir, B. Thapa, Zero pre-shared secret key establishment in the presence of jammers, in: ACMMobiHoc, 2009, pp. 219–228.[12] C. Popper, M. Strasser, S. Capkun, Jamming-resistant broadcast communication without shared keys, in: USENIX Security Symposium 2009.[13] Z. Jin, S. Anand, K.P. Subbalakshmi, Mitigating primary user emulation attacks in dynamic spectrum access networks using hypothesis testing, ACM

SIGMOBILE Mobile Computing and Communications 13 (2) (2009) 74–85.[14] R. Chen, J.M. Park, J.H. Reed, Defense against primary user emulation attacks, in: Cognitive Radio Theory and Applications, IEEE Journal on Selected

Areas in Commun 26 (1) (2008) 25–37. (special issue).[15] Yi Tan, Shamik Sengupta, K.P. Subbalakshmi, Analysis of coordinated denial-of-service attacks in IEEE 802.22 networks, IEEE Journal on Selected Areas

in Communications 29 (4) (2011).[16] R. Chen, J.M. Park, Ensuring trustworthy spectrumsensing in cognitive radio networks, in: 1st IEEEWorkshoponNetworking Technologies for Software

Defined Radio Networks, vol. 25, 2006, Sept. 2006, pp. 110–119.[17] Q. Peng, P.C. Cosman, L.B. Milstein, Optimal sensing disruption for a cognitive radio adversary, IEEE Transactions on Vehicular Technology 59 (4)

(2010).[18] H. Li, Z. Han, Blind dogfight in spectrum: combating primary user emulation attacks in cognitive radio systems with unknown channel statistics, in:

IEEE ICC 2010, pp. 1–6.[19] H. Li, Z. Han, Dogfight in spectrum: jamming and anti-jamming in multichannel cognitive radio systems, in: IEEE Globecomm 2009, pp. 1–6.[20] K.J.R. Liu, A.K. Sadek, W. Su, A. Kwasinski, Cooperative Communications and Networking, Cambridge University Press, 2009.[21] A. Nosratinia, T.E. Hunter, A. Hedayat, Cooperative communication in wireless networks, IEEE Communications Magazine 42 (10) (2004) 74–80.[22] A.D. Wood, J.A. Stankovic, G. Zhou, DEEJAM: defeating energy-efficient jamming in IEEE 802.15.4-based wireless networks, in: IEEE SECON 2007,

pp. 60–69.[23] S.M. Mishra, D. Cabric, C. Chang, D. Willkomm, B. Van Schewick, A. Wolisz, R.W. Brodersen, A real time cognitive radio testbed for physical and link

layer experiments, in: IEEE DySpan 2005, pp. 562–567.[24] A. Gonzalez, C.R. , C.B. Dietrich, S. Sayed, H.I. Volos, J.D. Gaeddert, P. Max Robert, J.H. Reed, Fr.E. Kragh, Open-source SCA-based core framework and

rapid development tools enable software-defined radio education and research, IEEE Communications Magazine 47 (10) (2009) 48–55.[25] S. Sengupta, K. Hong, R. Chandramouli, K.P. Subbalakshmi, SpiderRadio: a cognitive radio network with commodity hardware and open source

software, IEEE Communications Magazine 49 (3) (2011) 101–109.[26] Y. Yuan, P. Bahl, Ranveer Chandra, P.A. Chou, I. Ferrell, T. Moscibroda, S. Narlanka, Y. Wu, KNOWS: cognitive networking over white spaces, in: IEEE

DySpan 2007, pp. 416–427.[27] ns-3, http://http://www.nsnam.org/.[28] V.A. Dobrushkin, Methods in Algorithmic Analysis, CRC press, 2010.

Collaborative Jamming and Collaborative Defense in Cognitive Radio Networks

Documents

Transcript of Collaborative Jamming and Collaborative Defense in Cognitive Radio Networks