IEEE TRANSACTION ON MOBILE COMPUTING 1 A Trigger ... › ~mythai › files › TMC_Jamming.pdf ·...

IEEE TRANSACTION ON MOBILE COMPUTING 1

A Trigger Identification Service for DefendingReactive Jammers in WSN

Ying Xuan, Yilin Shen, Nam P. Nguyen, My T. Thai

Abstract—During the last decade, Reactive Jamming Attack has emerged as a great security threat to wireless sensor networks,due to its mass destruction to legitimate sensor communications and difficulty to be disclosed and defended. Considering thespecific characteristics of reactive jammer nodes, a new scheme to deactivate them by efficiently identifying all trigger nodes,whose transmissions invoke the jammer nodes, has been proposed and developed. Such a trigger-identification procedure canwork as an application-layer service and benefit many existing reactive-jamming defending schemes. In this paper, on the onehand, we leverage several optimization problems to provide a complete trigger-identification service framework for unreliablewireless sensor networks. On the other hand, we provide an improved algorithm with regard to two sophisticated jammingmodels, in order to enhance its robustness for various network scenarios. Theoretical analysis and simulation results are includedto validate the performance of this framework.

Index Terms—Reactive Jamming, Jamming Detection, Trigger Identification, Error-tolerant Nonadaptive Group Testing, Opti-mization, NP-Hardness.

F

1 INTRODUCTION

S INCE the last decade, the security of wireless sensornetworks (WSNs) has attracted numerous attentions,

due to its wide applications in various monitoring systemsand vulnerability toward sophisticated wireless attacks.Among these attacks, jamming attack where a jammer nodedisrupts the message delivery of its neighboring sensornodes with interference signals, has become a critical threatto WSNs. Thanks to the efforts of researchers toward thisissue, as summarized in [12], various efficient defensestrategies have been proposed and developed. However, areactive variant of this attack, where jammer nodes stayquite until an ongoing legitimate transmission (even hasa single bit) is sensed over the channel, emerged recentlyand called for stronger defending system and more efficientdetection schemes.

Existing countermeasures against Reactive Jamming at-tacks consist of jamming (signal) detection and jammingmitigation. On the one hand, detection of interferencesignals from jammer nodes is non-trivial due to the dis-crimination between normal noises and adversarial signalsover unstable wireless channels. Numerous attempts to thisend monitored critical communication related objects, suchas Receiver Signal Strength (RSS), Carrier Sensing Time(CST), Packet Delivery Ratio (PDR), compared the resultswith specific thresholds, which were established from basicstatistical methods and multi-modal strategies [9][12]. Bysuch schemes, jamming signals could be discovered, but tolocate the jammer nodes based on these signals is muchmore complicated and has not been settled.

• Y. Xuan, Y. Shen, Nam P. Nguyen and My T. Thai are with theDepartment of Computer Information Science and Engineering.E-mail: {yxuan, yshen, nanguyen, mythai}@cise.ufl.edu

On the other hand, various network diversities are in-vestigated to provide mitigation solutions [6]. Spreadingspectrum [12][5][8] making use of multiple frequencybands and MAC channels, Multi-path routing benefitingfrom multiple pre-selected routing paths [6] are two goodexamples of them. However, in this method, the capabilityof jammers are assumed to be limited and powerless tocatch the legitimate traffic from the camouflage of thesediversities. However, due to the silent behavior of reactivejammers, they have more powers to destruct these mitiga-tion methods. To this end, other solutions are in great need.A mapping service of jammed area has been presented in[11], which detects the jammed areas and suggests thatrouting paths evade these areas. This works for proactivejamming, since all the jammed nodes are having low PDRand thus incapable for reliable message delay. However, inthe case of reactive jamming, this is not always the case.Only a proportion of these jammed nodes, named triggernodes, whose transmissions wake up the reactive jammers,are blocked to avoid the jamming effects.

In this paper, we present an application-layer real-timetrigger-identification service for reactive-jamming in wire-less sensor networks, which promptly provides the list oftrigger-nodes using a lightweight decentralized algorithm,without introducing neither new hardware devices, norsignificant message overhead at each sensor node.

This service exhibits great potentials to be developedas reactive jamming defending schemes. As an example,by excluding the set of trigger nodes from the routingpaths, the reactive jammers will have to stay idle sincetransmissions cannot be sensed. Even though the jammersmove around and detect new sensor signals, the list oftrigger nodes will be quickly updated, so are the routingtables. As another example, without prior knowledge ofthe number of jammers, the radius of jamming signals and


specific jamming behavior types, it is quite hard to locatethe reactive jammers even the jammed areas are detected(e.g. by [11]). However, with the trigger nodes localized, wecan narrow down the possible locations of reactive jammers.

Although the benefits of this trigger-identification serviceare exciting, its hardness is also obvious, which duesto the efficiency requirements of identifying the set oftrigger nodes out of a much large set of victim nodes, thatare affected jamming signals from reactive jammers withpossibly various sophisticated behaviors. To address theseproblem, a novel randomized error-tolerant group testingscheme as well as minimum disk cover for polygons areproposed and leveraged.

The basic idea of our solution is to first identify the setof victim nodes by investigating corresponding links’ PDRand RSS, then these victim nodes are grouped into multipletesting teams. Once the group testing schedule is made atthe base station and routed to all the victim nodes, theythen locally conducts the test to identify each of them asa trigger or non-trigger. The identification results can bestored locally for reactive routing schemes or delivered tothe base station for jamming localization process.

In the remainder of this paper, we first present theproblem definition in Section 2, where the network model,victim model and attacker models are included. Then weintroduce three kernel techniques for our scheme, Random-ized Error-Tolerant Non-adaptive Group Testing, Clique-independent Set and Minimum Disk Cover in a SimplePolygon in Section 3. The core of this paper: trigger-node identification and its error-tolerant extension towardsophisticated jammer behaviors are presented respectivelyin Section 4 and 5. A series of simulation results for evalu-ating the system performance and validating the theoreticalresults are included in Section 6. We present related worksin Section 7 and summarize the paper in Section 8.

2 PROBLEM MODELS AND NOTATIONS2.1 Network ModelWe consider a wireless sensor network consisting of nsensor nodes and one base station (larger networks withmultiple base stations can be split into small ones to satisfythe model). Each sensor node is equipped with a globallysynchronized time clock, omnidirectional antennas, m ra-dios for in total k channels throughout the network, wherek > m. For simplicity, the power strength in each directionis assumed to be uniform, so the transmission range of eachsensor can be abstracted as a constant rs and the wholenetwork as a unit disk graph (UDG) G = (V,E), whereany node pair i, j is connected iff the Euclidean distancebetween i, j: δ(i, j) ≤ rs. We leave asymmetric powers andpolygonal transmission area for further study.

2.2 Attacker ModelWe consider both a basic attacker model and severaladvanced attacker models in this paper. Specifically, weprovide a solution framework toward the basic attackermodel, and validate its performance toward multiple ad-vanced attacker models theoretically and experimentally.

2.2.1 Basic Attacker Model

Conventional reactive jammers [12] are defined as mali-cious devices, which keep idle until they sense any ongoinglegitimate transmissions and then emit jamming signals(packet or bit) to disrupt the sensed signal (called jammerwake-up period), instead of the whole channel, whichmeans once the sensor transmission finishes, the jammingattacks will be stopped (called jammer sleep period). Threeconcepts are introduced to complete this model.

Jamming range R. Similar to the sensors, the jammersare equipped with omnidirectional antennas with uniformpower strength on each direction. The jammed area canbe regarded as a circle centered at the jammer node, witha radius R, where R is assumed greater than rs, forsimulating a powerful and efficient jammer node. All thesensors within this range will be jammed during the jammerwake-up period. The value of R can be approximated basedon the positions of the boundary sensors (whose neighborsare jammed but themselves not), and then further refined.

Triggering range r. On sensing an ongoing transmis-sion, the decision whether or not to launch a jamming signaldepends on the power of the sensor signal Ps, the arrivedsignal power at the jammer Pa with distance r from thesensor, and the power of the background noise Pn.

According to the traditional signal propagation model,the jammer will regard the arrived signal as a sensortransmission as long as the Signal-Noise-Ratio is higherthan some threshold, i.e., SNR = Pa

Pn> θ where Pa =

Psrξ· Y with θ and ξ called jamming decision threshold

and path-loss factor, Y as a log-normally random variable.Therefore, r ≥ ( θ·PnPs·Y )

1ξ is a range within which the sensor

transmission will definitely trigger the jamming attack,named as triggering range. As will be shown later, thisrange r is bounded by R from above, and rs from below,where the distances from either bounds are decided by thejamming decision threshold θ. For simplicity, we assumetriggering range is the same for each sensor.

Jammer distance. Any two jammer nodes are assumednot to be too close to each other, i.e., the distance betweenjammer J1 and J2 is δ(J1, J2) > R. The motivationsbehind this assumptions are three-fold: 1) the deployment ofjammers should maximize the jammed areas with a limitednumber of jammers, therefore large overlapping betweenjammed areas of different jammers lowers down the attackefficiency; 2) δ(J1, J2) should be greater than R, since thetransmission signals from one jammer should not interferethe signal reception at the other jammer. Otherwise, thelatter jammer will not able to correctly detect any sensortransmission signals, since they are accompanied with highRF noises, unless the jammer spends a lot of efforts in de-noising or embeds jammer-label in the jamming noise forthe other jammers to recognize. Both ways are infeasible foran efficient attack; 3) the communications between jammersare impractical, which will expose the jammers to anomalydetections at the network authority.


V1 0950 victim 30

Fig. 1. sensor periodical status report message

2.2.2 Advanced Attacker ModelTo evade detections, the attackers may alter their behaviorsto evade the detection, for which two advanced reactivejamming models: probabilistic attack and asymmetric re-sponse time delay are considered in this paper. In the firstone, the jammer responds each sensed transmission with aprobability η independently. In the second one, the jammerdelays each of its jamming signals with an independentlyrandomized time interval.

We do not specify the possible changes of jamming rangeR as an advanced model, since the trigger set in this casewill not change, though the victim set varies. Further, wedo not theoretically analyze the effects of various jammingdecision threshold θ in this paper version, but we evaluateall these above factors in the simulation section. Jammermobilities are out of the scope of this paper, which assumesthat the jammers are static during our trigger-identificationphase. This is quite reasonable, since the time length of thisphase is short, as to be shown later.

2.3 Sensor ModelBesides monitoring the assigned network field and gen-erating alarms in case of special events (e.g., fire, hightemperature), each sensor periodically sends a status reportmessage to the base station, which includes a header anda main message body containing the monitored results,battery usage, and other related content. As shown inFig.1, the header is designated for anti-jamming purpose,which is 4-tuple: Sensor ID as the ID of the sensornode, Time Stamp as the sending out time indicating thesequence number, as well as a Label referring to the node’scurrent jamming status and TTL as the time-to-live fieldwhich is initialized as the 2D with network diameter D.

According to the jamming status, all the sensor nodescan be categorized into four classes: trigger nodes TN ,victim nodes V N , boundary nodes BN and unaffectednode UN . Trigger nodes refer to the sensor nodes whosesignals awake the jammers, i.e. within a distance less than rfrom a jammer. Victim nodes are those within a distance Rfrom an activated jammer and disturbed by the jammingsignals. Since R > r, TN ⊆ V N . Other than thesedisturbed sensors, UN and BN are the unaffected sensorswhile the latter ones have at least one neighbor in V N ,hence BN ⊆ UN , and V N ∩UN = ∅. The Label field ofeach sensor indicates the smallest class it belongs to. Therelationships among these classes are shown in Fig. 2.

There are two issues orthogonal to our solution. Oneone hand, the detection of jammed signals at each sensor

Fig. 2. Nodes in grey and blue are victim nodes around jammer nodes,where blue nodes are also trigger nodes, which invoke the jammer nodes.Nodes surrounding the jammed are are boundary nodes, while the others areunaffected nodes.

node is orthogonal to this work, and can be completed viasophisticated reactive jamming detection techniques, suchas comparing the SNR, PDR and RSS with predefinedthresholds, as shown in [9]. With regard to the effectsof detection errors on our solution, we provide sometheoretical analysis at the end of Section 5.1.1. On theother hand, the detailed attack schemes adopted by thereactive jammers are orthogonal with our application-layerservice. As long as the jamming detection techniques thatwe resort to can efficiently detect these malicious signals,either high RF noises, fraud message segments, etc, oursolution service is feasible.

3 THREE KERNEL TECHNIQUES

In this section, three kernel techniques for the proposedprotocol are introduced. Most existing anti-jamming worksconsider only proactive jammers, while reactive jammerscan bring up larger damage due to efficient attack andhardness to detect. To this end, we embed a group testingprocess, i.e., the randomized error-tolerant group testingby means of our designed random (d, z)-disjunct matrix,to the routing update scheme, which avoids unnecessarilylarge isolated areas as [11] does. Moreover, most existingtopology-based solutions [24][25] can only handle thesingle-jammer case, since lacking of knowledge over thejamming range and inevitable overlapping of the jammedareas bring ups the analytical difficulties, for which weresort to a minimum disk cover problem in a simple polygonproblem and a clique-independent set problem.

3.1 Error-tolerant Randomized Non-AdaptiveGroup TestingGroup Testing was proposed since WWII to speed upthe identification of affected blood samples from a largesample population. This scheme has been developed witha complete theoretical system and widely applied to med-ical testing and molecular biology during the past severaldecades [1]. Notice that the nature of our work is to identifyall triggers out of a large pool of victim nodes, so thistechnique intuitively matches our problem.


M =

0 0 0 0 1 1 1 10 0 1 1 0 0 1 10 1 0 1 0 1 0 11 1 1 1 0 0 0 01 1 0 0 1 1 0 01 0 1 0 1 0 1 0

testing=⇒ V =

001111

Fig. 3. Binary testing matrix M and testing outcome vector V . Assumedthat item 1 (1st column) and item 2 (2nd column) are positive, then only thefirst two groups return negative outcomes, because they do not contain thesetwo positive items. On the contrary, all the other four groups return positiveoutcomes.

The key idea of group testing is to test items in multipledesignated groups, instead of individually. The principle oftraditional group testing are sketched in the Appendix.

3.1.1 Traditional Non-adaptive Group Testing

The key idea of group testing is to test items in multipledesignated groups, instead of testing them one by one.The traditional method of grouping items is based ona designated 0-1 matrix Mt×n where the matrix rowsrepresent the testing group and each column refers to anitem (Fig. 3). M [i, j] = 1 if the jth item appears in theith testing group, and 0 otherwise. Therefore, the numberof rows of the matrix denotes the number of groups testedin parallel and each entry of the result vector V refers tothe test outcome of the corresponding group (row), where 1denotes positive outcome and 0 denotes negative outcome.

Given that there are at most d < n positive itemsamong in total n ones, all the d positive items can beefficiently and correctly identified on condition that thetesting matrix M is d-disjunct: any single column is notcontained by the union of any other d columns. Owingto this property, each negative item will appear in atleast one row (group) where all the positive items do notshow up, therefore, by filtering all the items appearingin groups with negative outcomes, all the left ones arepositive. Although providing such simple decoding method,d-disjunct matrix is non-trivial to construct [1][2] whichmay involve with complicated computations with highoverhead, e.g., calculation of irreducible polynomials onGalois Field. In order to alleviate this testing overhead, weadvanced the deterministic d-disjunct matrix used in [7][27]to randomized error-tolerant d-disjunct matrix, i.e., a matrixwith less rows but remains d-disjunct w.h.p. Moreover, byintroducing this matrix, our identification is able to handletest errors under sophisticated jamming environments.

In order to handle errors in the testing outcomes, theerror-tolerant non-adaptive group testing has been devel-oped using (d, z)-disjunct matrix, where in any d + 1columns, each column has a 1 in at least z rows whereall the other d columns are 0. Therefore, a (d, 1)-disjunctmatrix is exactly d-disjunct. Straightforwardly, the d posi-tive items can still be correctly identified, in the presenceof at most z − 1 test errors. In the literature, numerousdeterministic designs for (d, z)-disjunct matrix have beenprovided (summarized in [1]), however, these constructionsoften suffer from high computational complexity, thus are

not efficient for practical use and distributed implementa-tion. On the other hand, to our best knowledge, the onlyrandomized construction for (d, z)-disjunct matrix dues toCheng’s work via q-nary matrix [20], which results in a(d, z)-disjunct matrix of size t1 × n with probability p′,where t1 is

4.28d2 log2

1− p′+4.28d2 log n+9.84dz+3.92z2 ln

2n− 1

1− p′

with time complexity O(n2 log n). Compared with thiswork, we advance a classic randomized construction ford-disjunct matrix, namely, random incidence construction[1][2], to generate (d, z)-disjunct matrix which can not onlygenerate comparably smaller t× n matrix, but also handlethe case where z is not known beforehand, instead, only theerror probability of each test is bounded by some constantγ. Although z can be quite loosely upperbounded by γt,yet t is not an input. The motivation of this constructionlies in the real test scenarios, the error probability of eachtest is unknown and asymmetric, hence it is impossible toevaluate z before knowing the number of pools.

We only show the performance of this new construction,namely, ETG algorithm in this section. The details of theconstruction and analysis are included in the Appendix.

Theorem 3.1: The ETG algorithm produces a (d, z)-disjunct matrix with probability p′ where p′ can be arbi-trarily approaching 1.• The worst-case number of rows of this matrix

is bounded by 3.78(d + 1)2 log n + 3.78(d +1) log( 2

1−p′ )−3.78(d+1)+5.44(d+1)(z−1), muchsmaller than 4.28d2 log 2

1−p′ +4.28d2 log n+9.84dz+

3.92z2 ln 2n−11−p′ .

• If z ≤ γt, the worst-case number of rows becomes t =τ lnn(d+1)2−2τ(d+1) ln(1−p′)

(τ−γ(d+1))2 where τ = (d/(d + 1))d

and asymptotically t = O(d2 log n).Proof: See Section B in the appendix.

Theorem 3.2: The ETG algorithm has smaller time com-plexity O(d2n log n) than O(n2 log n), when d <

√n.

3.2 Minimum Disk Cover in a Simple PolygonGiven a simple polygon with a set of vertices inside, theproblem of finding a minimum number of variable-radiidisks that not only cover all the given vertices, but also areall within the polygon, can be efficiently solved.

The latest results due to the near-linear algorithm pro-posed recently by [26], which investigates the medial axisand voronoi diagram of the given polygon, and providesthe optimal solution using O($ + κ(log$ + log6κ)) timeand O($ + κ log log κ) space, where the number of edgesof the polygon is $ and nodes within it as κ. We employthis algorithm to estimate the jamming range R.

3.3 Clique-Independent SetCliques-Independent Set is the problem to find a set of max-imum number of pairwise vertex-disjoint maximal cliques,which is referred to as a maximum clique-independent set


(MCIS) [4]. Since this problem serves as the abstractedmodel of the grouping phase of our identification, itshardness is of great interest in this scope. To our bestknowledge, it has already been proved to be NP-hard forcocomparability, planar, line and total graphs, however itshardness on UDG is still open. We propose its NP-completeproof in the appendix.

There have been numerous polynomial exact algorithmsfor solving this problem on graphs with specific topology,e.g., Helly circular-arc graph and strongly chordal graph[4], but none of these algorithms gives the solution onUDG. In this paper, we employ the scanning disk approachin [3] to find all maximal cliques on UDG, and then findall the MCIS using a greedy algorithm.

4 TRIGGER-NODE IDENTIFICATION

We propose a decentralized trigger-identification procedure.It is lightweight in that all the calculations occur at thebase station, and the transmission overhead as well as thetime complexity is low and theoretically guaranteed. Noextra hardware is introduced into the scheme, except for thesimple status report messages sent by each sensor, and thegeographic locations of all sensors maintained at the basestation. Three main steps of this procedure are as follows:

1) Anomaly Detection – the base station detects potentialreactive jamming attacks, each boundary node tries toreport their identities to the base station.

2) Jammer Property Estimation – The base station cal-culates the estimated jammed area and jamming rangeR based on the locations of boundary nodes.

3) Trigger Detection –• the base station makes a short encrypted testing

schedule message Z which will be broadcastedto all the boundary nodes.

• boundary nodes keep broadcasting Z to all thevictim nodes within the estimated jammed areafor a period Q.

• all the victim nodes locally execute the testingprocedure based on Z , identify themselves astriggers or non-triggers.

4.1 Anomaly Detection

Each sensor periodically sends a status report message tothe base station. However, once the jammers are activatedby message transmissions,the base station will not receivethese reports from some sensors. By comparing the ratio ofreceived reports to a predefined threshold ψ, the base stationcan thus decide if a jamming attack is happening in thenetworks. When generating the status report message, eachsensor can locally obtain its jamming-status and decide thevalue of the Label field (Initially trigger ”TN”). In detail,if a node v hears jamming signals, it will not try to sendout messages but keep its label as victim. If v cannot sensejamming signals, its report will be routed to the base stationas usual, however, if it does not receive ACK from itsneighbor on the next hop of the route within a timeout

period, it tries for 2 more retransmissions. If no ACKs arereceived, it is quite possible that that neighbor is a victimnode, then v updates Label tuple as boundary ”BN” in itsstatus report. Another outgoing link from v with the mostavailable capacity is taken to forward this message. If thestatus report is successfully delivered to the base stationwith Label = TN, the corresponding node is regarded asunaffected. All the messages are queued in the buffer ofthe intermediate nodes and forwarded in an FCFS manner.The TTL value is reduced by 1 per hop for each message,and any message will be dropped once its TTL = 0.

The base station waits for the status report from eachnode in each period of length P . If no reports have beenreceived from a node v with a maximum delay time, thenv will be regarded as victim. The maximum delay time isrelated with graph diameter and will be specified later. Ifthe aggregate report amount is less than ψ, the base stationstarts to create the testing schedule for the trigger nodes,based on which the routing tables will be updated locally.

4.2 Jammer Property EstimationWe estimate the jamming range as R and the jammed areasas simple polygons, based on the locations of the boundaryand victim nodes.

For sparse-jammer where the distribution of jammers isrelatively sparse and there is at least one jammer whosejammed area does not overlap with the others, like J2 inFig. 2. By denoting the set of boundary nodes for the ith

jammed area as BNi, we can estimate the coordinate ofthis jammer as

(XJ , YJ) = (

∑BNik=1 Xk

|BNi|,

∑BNik=1 Yk|BNk|

)

where (Xk, Yk) is the coordinate of a node k is the jammedarea BNi and the jamming range R is

R = min∀BNi

{ maxk∈BNi

(√

(Xk −XJ)2 + (Yk −XJ)2)}

for we assume that all the jammers have the same range.For dense-jammer, shown in Fig. 4, we first estimate the

jammed areas, which are simple polygons (unnecessarilyconvex) containing all the boundary and victim nodes. Thisprocess consists of three steps: (1) discovery of convex hullsof the boundary and victim nodes, where no unaffectednodes are included in the generate convex polygons. (2)for each boundary node v not on the hull, choose twonodes on the hull and connect v to them in such a waythat the internal angle at this reflex vertex is the smallest,hence the polygon is modified by replacing an edge (dottedone in Fig. 4) by the two new ones. The resulted polygonis the estimated jammed area. (3) execute the near-linearalgorithm [26] to find the optimal variable-radii disk coverof all the victim nodes, but constrained in the polygon, andreturn the largest disk radius as R.

4.3 Trigger DetectionSince the jammer behavior is reactive, in order to find allthe trigger nodes, a straightforward way is that let each


Reflex

Vertex

R

Reflex

Vertex

Fig. 4. Estimated R and Jammed Area

sensor broadcast one by one, and listen to possible jammingsignals. However, this individual detection is quite time-consuming and all the victim nodes thus have to be isolatedfor a long detection period, or even returns wrong detectionresult in the presence of mobile jammers. In this case,the network throughput would be dramatically decreased.Therefore, to promptly and accurately find out these triggersfrom a large pool of victim nodes, emerges as the mostchallenging part of the proposed protocol, for which theidea of group testing is applied.

In this section, we only consider a basic attack modelwhere the jammers deterministically and immediatelybroadcasts jamming signals once it senses the sensor signal.Therefore as long as at least one of the broadcasting victimnodes is a trigger, some jamming signals will be sensed, andvice versa. The performance of this protocol toward sophis-ticated attacker models with probabilistic attack strategieswill be validated in the next section.

All the following is the encrypted testing schedule overall the victim nodes, which is designed at the base sta-tion based on the set of boundary nodes and the globaltopology, stored as a message (illustrated in Table 1) andbroadcasted to all the boundary nodes. The broadcasting ofthe testing scheduling message adopts a routing mechanismsimilar to reverse path forwarding. In detail, all the statusreport messages relayed to the base station will record allthe nodes’ IDs on their routing paths. Therefore, withoutconsidering mobile jammers, those routing paths can bereused to send out these testing scheduling messages andevade the jammed areas.

After receiving this message, each boundary node broad-casts this message one time using simple flooding methodto its nearby jammed area. All the victim nodes execute thetesting schedule and indicate themselves as non-triggers ortriggers. Since all the sensor nodes are equipped with aglobal uniform clock, and no message transmissions to thebase station are required during the detection, the mecha-nism is easy to implement and practical for applications.

As shown in Table 1, for each time slot, m sets of victimsensors will be tested. The selection of these sets involvesa two-level grouping procedure.

First-level, the whole set of victims are divided into sev-eral interference-free testing teams. Here by interference-free we mean that if the transmissions from the victimnodes in one testing team invokes a jammer node, itsjamming area will not reach the victim nodes in anothertesting team. Therefore, by trying broadcasting from victim

TABLE 1Message Containing Trigger Detection Schedule

Time Slot Channel Node List0 f1 v1, v3, · · · , vn0 f2 v1, v2, v4, · · · , vn−1

0... · · ·

0 fm v2, v5, · · · , vn1 f1 v2, v4, · · · , vn−2

...... · · ·

Fig. 5. Interference Teams

nodes in each testing team and monitoring the jammingsignals, we can conclude if any members in this team aretriggers. In addition, all the tests in different testing teamscan be executed simultaneously since they will not interfereeach other. Fig. 5 provides an example for this. 3 maxi-mal cliques C1 = {v1, v2, v3, v4}, C2 = {v3, v4, v5, v6},C3 = {v5, v7, v8, v9} can be found within 3 jammed areas.Imagine these three cliques are respectively the three teamswe test at the same time. If v4 in the middle team keepsbroadcasting all the time and J2 is awaken frequently, nomatter the trigger v2 in the leftmost team is broadcastingor not, v3 will always hear the jamming signals, so thesetwo teams interfere each other. In addition, node-disjointgroups do not necessarily interference-free, as the leftmostand rightmost teams show.

Second-level, within each testing team, victims are fur-ther divided into multiple testing groups. This is completedby constructing a randomized (d, 1)-disjunct matrix, asmentioned in Section 3.1, mapping each sensor node toa matrix column, and make each matrix row as a testinggroup (sensors corresponding to the columns with 1s inthis row are chosen). Apparently tests within one groupwill possibly interfere that of another, so each group willbe assigned with a different frequency channel.

The duration of the overall testing process is t timeslots, where the length of each slot is L. Both t and Lare predefined, yet the former depends on the total numberof victims and estimated number of trigger nodes, andthe latter depends on the transmission rate of the channel.Specifically, at the beginning of each time slot, all thesensors designated to test in this slot broadcast a τ -bit testpacket on the assigned channel to their 1-hop neighbors.Till the end of this slot, these sensors keeps detectingpossible jamming signals. Each sensors will label itself as atrigger unless in at least one slot of its testing, no jammingsignal is sensed.

The correctness of this trigger identification procedureis theoretically straightforward. Given that all the testing


teams are interference-free, then the testing with differentteams can be executed simultaneously. Given that we havean upperbound d on the number of trigger nodes andeach testing group follow the (d, 1)-disjunct matrix, whichguarantees that each non-trigger node will be included in atleast one group, which does not contain any trigger node,so each non-trigger node will not hear jamming signals inat least one time slot, but the trigger nodes will since thejammers are activated once they broadcast the test packets.Therefore, two critical issues need to be addressed to ensurethis correctness: how to partition the victim set intomaximal interference-free testing teams and estimate thenumber of trigger nodes d, as follows. Though these twoinvolve geometric analysis over the global topology, sinceit only takes the information of boundary and victim nodesas inputs, and is calculated at the base station, no messagecomplexity is introduced.

4.3.1 Discovery of Interference-free Testing TeamsAs stated above, two disjoint sets of victim nodes areinterference-free testing teams iff the transmission withinone set will not invoke a jammer node, whose jammingsignals will interfere the communications within the otherset. Although we have estimated the jamming range R, it isstill quite challenging to find these interference-free teamswithout knowing the accurate locations of the jammers.Notice that it is possible to discover the set of victimnodes within the same jammed area, i.e. with a distanceR from the same jammer node. Any two nodes withinthe same jammed area should be at most 2R far fromeach other, i.e. if we induce a new graph G′ = (V ′, E′)with all these victim nodes as the vertex set V ′ andE′ = {(u, v)|δ(u, v) ≤ 2R}, the nodes jammed by thesame jammer should form a clique. The maximum numberof vertex-disjoint maximal cliques (i.e. clique-independentset (CIS) ) of this kind provides an upperbound of possiblejammers within the estimated jammed area, where eachmaximal clique is likely to correspond to the nodes jammedby the same jammer.

The solution consists of three steps: CIS discoveryon the induced graph from the remaining victim with-out test schedules, boundary-based local refinement andinterference-free team detection. We iterate three steps todecide the schedule for every victim node.

CIS discovery. We first employ Gupta’s MCE algorithm[3] to find all the maximal cliques, then use a greedyalgorithm, as shown in Alg. 1 to get the CIS.

input : Induced Subgraph G′ = (W,E′)output: The set C of maximum number of disjoint maximal cliques.

Find out the set S of all maximal (not disjoint) cliques by using Gupta’sMCE algorithm [3];while S 6= ∅ do

Choose clique C ∈ S which intersects with the minimum number ofother cliques in S;C ← C ∪ {C};Remove all the maximal cliques intersecting with C;S ← S \ {C};

end

Algorithm 1: CIS discovery

V1

V0

V2

V3

V4

V5

V6

V7

V1

V0

V2

V3

V4

V5

V6

V7

Fig. 6. Clique C1 = V1V2V3V4 is chosen by CIS, but its concentric circleCC′ covers boundary node V0, then clique C2 = V4V5V6V7 replaces C1 inthe testing team for the first round. Clique V1V2V3 are left for the next round.

Local Refinement. Each clique we select is expected torepresent the jammed area poisoned by the same jammer,and this area should not cover the boundary nodes. How-ever, we did not take this into account when discoveringthe CIS, and need to locally update it. Specially, foreach clique, we find its circumscribed circle CC and theconcentric circle CC ′ with radius R of CC. In the case thatCC ′ covers any boundary nodes, we locally select anotherclique by adding/removing nodes from this clique, to seeif the problem can be solve. If not, we keep this clique asit is, otherwise, we update it. This is illustrated in Fig. 6.

Team Detection. The cliques in CIS can also interfereeach other, e.g. the clique V1V2V3V4 and V5V7V8V9 in Fig.5. This is because the signals from V4 will wake J2, whowill try to block these signals with noises and affect V5 bythe way. But if any two cliques C1 and C2 are not con-nected by any single edge, then they are straightforwardlyinterference-free, since the shortest distance between anynode in C1 and C2 is larger than 2R. But the farthestjammer waken by and from C1 is r < R distance away,whose jamming range can only reach another R distancefurther, which is thus away from C2. Therefore, the cliquesin the obtained CIS of this kind are selected as testingteams. While the others are left for the next time slot.

In addition, in the worst case, any single maximal cliqueC has at most 12 interfering cliques in the CIS, as theshadowed ones in Fig. 7. Therefore, at most 13 testingteams are required to cover all these cliques. If the numberof channels k given is larger than 13, then a frequency-division is available, i.e. these interfering cliques can stillbecome simultaneous testing teams, on the condition eachteam can only use min{d k13e,m} of the given channels,where m is the number of radios per sensor. Otherwise, wehave to use time-divisions, i.e. they have to be tested indifferent time slots.

4.3.2 Estimation of Trigger Upperbound

Before bounding the trigger quantity from above, the trig-gering range r should be estimated. As mentioned in theattacker model, r depends not only on the power of bothsensors and jammers, but also the jamming threshold θ andpath-loss factor ξ:

r ≥ (Pn · θPs · Y

)1ξ


Fig. 7. Maximum # InterferingCliques

R

r

J

J1 J2

J3 J4

J5 J6

Fig. 8. Maximum # JammersInvoked by One Team

since the real time Pn and Ps are not given, we estimate rbased on the SNR cutoff θ′ of the network setting. In fact,the transmission range of each sensor rs is a maximumradius to guarantee

SNR =PaPn

=Ps · YPn · rξs

≥ θ′

Therefore, we can estimate r as

r ≈ rs(θ

θ′)

1ξ

where θ′ and ξ are parts of the network input, while θ isassumed as a constant, which indicates the aggressivenessof the jammer. For this estimation, θ can be first set as 10db,which is the normally lower bound of SNR in wirelesstransmission, and then adaptively adjusted to polish theservice quality.

With estimated r, since all the trigger nodes in the sameteam should be within a 2r distance from each other,by finding another induced graph G′′ = (Wi, E

′′) fromthe victim nodes Wi in team i, with E′′ = {(u, v) ∈E′′ if δ(u, v) ≤ 2r}, the size of the maximal cliqueindicates the upperbound of the trigger nodes, thus can bean estimate over d.

As mentioned above, all the parallel testing teams se-lected are interference-free, therefore we roughly regardeach team to be the jammed area of one jammer. As adeeper investigation, the number of jammers that can beinvoked by the nodes in the same team (six 3-clique withinthe red circles) can be up to 6, since the minimum distancebetween two jammers is greater than R and r ≤ R, asshown in Fig. 8. Therefore on the induced graph, the largest6 cliques form the possible trigger set. However, sincethe jammer distribution cannot be that dense for the sakeof energy-conserving, the former estimate over d is largeenough.

4.4 Analysis of Time and Message Complexity

Time complexity: By time complexity we mean theidentification delay counted since the attack happens tillall the nodes successfully identify themselves as triggeror non-trigger. Therefore, the complexity break downs intofour parts: (1) the detection of jamming signals at locallinks Td; (2) the routing of sensor report to the base stationfrom each sensor node, and the testing schedule to each

victim node from the base station, aggregated as Tr; (3)the calculation of CIS and R at the base station Tc; (4) thetesting at each jammed area Tt.

The local jamming signal detection involves the statisti-cal properties of PDR, RSS and SNR, which is orthogonalto our work. We regard Td as O(1) since it is an entirelylocal operation and independent with the network scale.

The routing time overhead is quite complicated, sincecongestions need to be considered. For simplicity, weconsider that all the 1-hop transmission takes O(1) time andbound Tr using the diameter D of the graph. As mentionedearlier, the base station waits at most O(2D) for the reports,so that is the upperbound of the one-way routing. As to theother way, we also bound it using O(2D) to match anycollision and retransmission cases.

The calculation of CIS resorts to the algorithm in[3], which finds O(l∆) maximal cliques on UDG withinO(l∆2) time, where l = |E| and ∆ refers to the maxi-mum degree. We used a greedy algorithm to find a MCISfrom these O(l∆) cliques with O(l3∆3Q) time: O(l∆)-time for each clique to check the overlapping with othercliques, O(l∆)-time to find a clique overlapping withminimum other cliques, and Q denotes the number oftesting teams. Notice that in practice, sensor networks arenot quite dense, so the number of edges l and maximumdegree ∆ are actually limited to small values. On theother hand, the time complexity of estimating R is up toO(n∆

2 +n(log n∆2 +log6 n) using the minimum disk cover

algorithm as mentioned.The testing delay Tt depends on the number of testing

rounds and the length of each round. Since the reactivejamming signal disappears as soon as these sensed 1-hop transmission finishes, each round length is then O(1).The number of testing rounds is however complicated andbounded by Theorem 4.1.

Lemma 4.1: Based on the ETG algorithm, the numberof tests to identify d trigger nodes from |W | victim nodesis upperbounded by t(|W |, d) = O(d2

i dln |W |e) w.h.p.Theorem 4.1: (Main) The total number of testing rounds

is upper bounded by

O(Q

maxi=1{13 min{d2

i dln |Wi|e, |Wi|}m

})

w.h.p, with di = min{∑6s=1 |cs(Gi)|, |Wi|} and cs(Gi) is

the sth largest clique over an induced unit disk subgraphGi = (Wi, Ei, 2r) in the testing team i.

Proof: First, from Lemma 4.1, at most t(|W |,d)m =

d2i dln |W |em testing rounds are needed to identify all nodes

in testing team i. Second, the set of testing teams that canbe tested in parallel is 13, as mentioned earlier. Combiningwith the worst-case upperbound of triggers in each team,the upperbound on round is derived.

If the jamming range R is assumed known beforehand,similar to [7], the whole time complexity is thus

O(Q

maxi=1{13d2

i dln |Wi|e, |Wi|}m

)

and asymptotically bounded by O(n2 log n). It is asymp-


totically smaller than that of [7]:

O(

∆(H)∑i=1

maxjd(2 + o(1))

d2j log2

2 |Wj |log2

2(dj log2 |Wj |),/me)

where ∆(H) refers to the maximum degree of the inducedgraph H (in this new solution, maximum degree is notinvolved). By taking the calculation overhead for R intoaccount, the overall time complexity is asymptoticallyO(n2 log n+ n log6 n), which is O(n log6 n) for n ≥ 4.Message Complexity: On the one hand, the broadcastingof testing schedule Z from the base station to all thevictim nodes costs O(n) messages in the worst case. Onthe other hand, the overhead of routing reports toward thebase station depends on the routing scheme used and thenetwork topology as well as capacity. The upperbound isstraightforward obtained in a line graph with the base sta-tion at one end, whose message complexity is O(n(n−1)

2 ).With regard to the message overhead of the testing

process. Considering that there are approximately |Wi|d+1

victim nodes in each testing group of team Wi (mentionedin the construction of randomized (d, z)-disjunct matrix inAppendix), the overhead of each testing group in a testinground is |Wi|

d+1 1-hop testing message broadcasted by allvictim nodes in each group of team Wi. Therefore, theover message complexity is

O(n2 +

Q∑i=1

|Wi|Q

maxi=1{didln |Wi|e, |Wi|}m)

which is O(n2 log n).

5 ADVANCED SOLUTIONS TOWARD SO-PHISTICATED ATTACK MODELS

In this section, we consider two sophisticated attacker mod-els: probabilistic attack and variant response time delay,where the jammers rely each sensed transmission with dif-ferent probabilities, instead of deterministically, or delay thejamming signals with a random time interval, instead of im-mediately. This may mismatch with the original definitionof reactive jamming, which targets at transmission signals,instead of nodes or channels. However, clever jammers canpossibly change their strategies to evade possible senseddetections. Also, a common sense indicates that as longas an activity is sensed by the jammer, it is quite possiblethat some other activities are following this. So delayingthe response time still guarantees the attack efficiency, butminimize the risk of being caught by reactive detections.

Since our scheme is robust and accurate in the stepsof grouping, generating disjunct matrix and decoding thetesting results, the only possible test errors arise from thegeneration of testing outcomes. Nevertheless, by using theerror-tolerant disjunct matrix and relaxing the identificationprocedures to asynchronous manner, our scheme will pro-vide small false rates in these cases. Some notations can befound in Table 2. In this section, the terms test and group,the terms column and nodes are interchangeable.

TABLE 2Notations

Notation ContentT+ The number of false positive outcomesT− The number of false negative outcomesu(i) The number of trigger nodes in test ix(i) The reaction time of jammer toward test ig(i) The outcome of test i

5.1 Upperbound on the Expected Value of zFirst, we investigate the properties of both jamming be-haviors and obtain the expected number of error tests inboth cases through the following analysis. Since in practice,it is not trivial to establish accurate jamming models, wederive an upperbound of the error probability which doesnot require the beforehand knowledge of the objectivejamming models, which is therefore feasible for real-timeidentifications. Since it is a relaxed bound, it could befurther strengthened via learning the jamming history.5.1.1 Probabilistic Jamming Response(Detection)A clever jammer can choose not to respond to some sensedongoing transmissions, in order to evade the detection.Assume that each ongoing transmission has an independentprobability η to be responded. In our construction algorithmETG, where each matrix entry is IID and has a probabilityp to be 1, therefore for any single test i with i ∈ [1, t]:

Pr[u(i) = x] =

(d

x

)px(1− p)d−x (1)

For each test i, the event that it contains at least one triggerbut returns a negative result, has a probability at most:

Pr[g(i) = 0 & u(i) ≥ 1] (2)

=

d∑x=1

(1− η)x(d

x

)px(1− p)d−x (3)

= [(1− η)p+ 1− p]d − (1− p)d (4)= (1− ηp)d − (1− p)d < (1− η)p (5)

Meanwhile, the event that it contains no trigger nodes butreturns a positive result, has a probability:

Pr[g(i) = 1 & u(i) = 0] = 0 (6)

Since in practical η ≥ 12 , we therefore have the expected

number of false positive and negative tests is respectivelyat most pt/2 and 0.

Instead of the jamming behavior, the jamming signaldetection errors can be analyzed using the same method.Given that each node detects possible jamming signalssuccessfully with probability q, then following Eqn. 1, wecan similarly have the false negative rate of each test i:

Pr[g(i) = 0 & u(i) ≥ 1] (7)

=

d∑x=1

(1− q)x(d

x

)px(1− p)d−x (8)

= [(1− q)p+ 1− p]d − (1− p)d (9)= (1− qp)d − (1− p)d < (1− q)p (10)


which is also small considering p = 1d+1 .

5.1.2 Variant Reaction Time

The introduction of group testing techniques aims to de-crease the identification latency to the minimum, there-fore, if the jammer would not respond intermediately aftersensing the ongoing transmissions, but instead wait for arandomized time delay, the test outcomes would be messedup. Since it is expensive to synchronize the tests amongsensors, we use a predefined testing length as L, thus thetest outcome of test i ∈ [1, t] is generated within timeinterval [(d ime − 1)L, d imeL]. There are two possible errorevents regarding any test i.

• Fp(i): test i is negative, but some jamming signalsare delayed from previous tests and interfere this test,where we have a false positive event;

• Fn(i): test i is positive, but the jammer activated inthis test delayed its jamming signals to some subse-quent tests, meanwhile, no delayed jamming signalsfrom previous tests exists, where we have a falsenegative event.

Since the jammers in this paper are assumed to blockcommunications only on the channels where transmissionsare sensed, for the following analysis, we claim that theinterferences can only happen between any two tests i, jwith i ≡ j(mod m). Denote the delay of jamming signalsas a random variable X = {x(1), x(2), x(3), · · ·x(t)}where x(i) is the delay for possible jamming signals arisenfrom test i. (1) For event Fp(i), consider the test i −m,in order to have its jamming signals delayed to test i,we have a bound on x(i − m) ∈ (0, 2L). Similarly,in order to have the signals of any test j delayed to i,we have x(j) ∈ [( i−jm − 1)L, ( i−jm + 1)L]. Further theprobability density function of X is P(i) = Pr[X = x(i)].Consider all the tests prior to i, which are i mod m, 1 +i mod m, · · · , i−m, we have the probability for Fp(i):

(1−p)di−m∑

j=i mod m

∫ ( i−jm +1)L

( i−jm −1)LP(w)dw(1−(1−p)d) (11)

To simplify this expression, we assume that X/L follows auniform distribution within the range [0, β] with a small β,which is reasonable and efficient for attackers in practice.Since the nature of jamming attacks lies in adapting theattack frequency due to the sensed transmissions, too largedelay does not make sense to tackle the ongoing trans-missions. Under a uniform distribution, the probability ofFp(i) becomes:

(1− (1− p)d)(1− p)di−m∑

j=max i mod m,i−m−β−1

2

β

= (1− (1− p)d)(1− p)d(d ime − 1)

2

β

Therefore, the expected number of false positive tests is atmost

T+ ≤t∑i=1

(1− (1− p)d)(1− p)d(β)2

β

≤ 2

t∑i=1

(1− (1− p)d)(1− p)d

≤ 2(1− (1− p)d)(1− p)dt(2) For event Fn(i), following the similar arguments

above, we have an upperbound of the probability for Fn(i)(assume that any delays larger than l at test i will interferethe tests j following i where j ∈ [max(i mod m, i−m−β − 1), i−m]):

(1− (1− p)d)∫ +∞

l

P(w)dw

·

1−∑j

∫ ( i−jm +1)L

( i−jm −1)LP(w)dw(1− (1− p)d)

≤ (1− (1− p)d)(1− 2(1− (1− p)d))(β − l)/β≤ (1− (1− p)d)(1− 2(1− (1− p)d))

So the expected number of false negative tests is at most

T− ≤ (1− (1− p)d)(1− 2(1− (1− p)d))t (12)

Therefore, we could use a union bound and obtain a worst-case error rate of each test:

γ =p

2+ 2(1− (1− p)d)(1− p)d

+(1− (1− p)d)(1− 2(1− (1− p)d))= (10τ − 8τ2 − τ−d − 1)/2

where τ = (d/(d + 1))d. Intuitively, we can have anupperbound on the number of error tests as z = γt =(10τ−8τ2−τ−d−1)/2, and take it as an input to constructthe (d, z)-disjunct matrix. However, notice that z dependson t, i.e., the number of rows of the constructed matrix, wetherefore derive another bound of t related to γ, as shownin the appendix.

5.2 Error-tolerant Asynchronous Testing withineach testing team

By applying the derived worst-cast number of error testsinto the ETG construction, we can obtain the followingalgorithm where tests are conducted in an asynchronousmanner to enhance the efficiency.

As shown in Algorithm 2, after all the groups aredecided, conduct group testing on them in m pipelines,where in each pipeline any detected jamming signals willend the current test and trigger the next tests while groupsreceiving no jamming signals will be required to resendtriggering messages and wait till the predefined round timehas passed. These changes over the original algorithm,especially the asynchronous testing are located in eachtesting team, thus will not introduce significant overheads,however, the resulted error rates are quite low.


input : n victim nodes in a testing teamoutput: all trigger nodes within these victim nodesEstimate d as mentioned;Set γ = (10τ − 8τ2 − τ−d − 1)/2 ; // upper bound of errorprobability for each test

Set t =τ lnn(d+1)2

(τ−γ(d+1))2; // number of rows

Construct a (d, z)-disjunct matrix using ETG algorithm with t rows, anddivide all the n victim nodes into t groups accordingly {g1, g2, · · · , gt};// For each round, conduct group testing on m groups

using m different channels (radios). The testingis asynchronous in that, the m groups tested inparallel do not wait for each other to finish thetesting, instead, any finished test j will triggerthe test j +m, i.e., the tests are conducted in mpipelines.

for i = 1 to dt/me doConduct group testing in groups gim+1, gim+2, gim+m in parallel;

If any nodes in group gj with j ∈ [im+ 1, im+m] detects jammingnoises, the testing in this group finishes and start testing on gj+m;

If no nodes in group gj detect jamming noises, while at least one othertest in parallel detects jamming noises, let all the nodes in group gjresend 3 more messages to activate possible hidden jammers.

If no jamming signals are detected till the end of the predefined roundlength (L), return a negative outcome for this group and start testing ongj+m;

end

Algorithm 2: Asynchronous Testing

6 EXPERIMENTAL EVALUATION

6.1 OverviewAs a lightweight distribute trigger-identification service, oursolution will be experimentally evaluated from four facets:• in order to show the benefit of this service, we compare

it with JAM [11] in terms of the end-to-end delay anddelivery ratio of the detour routes from the base stationto all the sensor nodes, as the number of sensors n,sensor range rs, and number of jammers J vary withinpractical intervals.

• in order to show the acceleration effect of the clique-independent set in this solution, we compare thecomplexity of this solution to our previous centralizedone [7], with varying the above four parameters,where both jamming and triggering range R and rare assumed to be known beforehand.

• in order to show the accuracy of estimating the jam-ming range by using the polygon disk cover algorithm,we provide the estimated jamming ranges as well asthe error rate to the actual values.

• in order to show its performance and robustnesstowards tricky attackers, we assess its false posi-tive/negative rate and the estimation of R, for thosetwo advanced jammer models.

The simulation is developed using C++ on a Linux Work-station with 8GB RAM. A 1000×1000 square sensor fieldis created with uniformly distributed n sensor nodes, onebase station and J randomly distributed jammer nodes. Allthe simulation results are derived by averaging 20 randominstances.

6.2 Benefits for Jamming-resistent RoutingJAM [11] proposed a jamming-resistent routing scheme,where all the detected jammed areas will be evaded and

packets will not pass through the jammed nodes. Thismethod is dedicated for proactive jamming attacks, whichsacrifices significant packet delivery ratio due to the unnec-essarily long routes selected, though the effects of jammingsignals are avoided. We compare the end-to-end delay be-tween each sensor node and the base station, of the selectedroutes by evading the jammed areas detected by JAM, withthat of the ones evading only trigger nodes. Although thereare many existing routing protocols for unreliable networkenvironments, the aim of this experiment is to show thepotential of this service to various applications, instead ofbeing a dedicated routing protocol.

Three key parameters for routing could be the numberof Jammers J , jamming range R, jamming threshold θ.As mentioned earlier, θ indicates the aggressiveness of theattacker and the triggering range r ≈ rs(

θθ′ )

1ξ . Therefore,

with rs, θ′ and ξ as fixed network inputs, the effect of θcan be exactly indicated by studying the effect of r instead.

The whole network has n = 1500 nodes and sensortransmission range rs = 50. The results with respect to thethree parameters J ∈ [1, 20], R ∈ [100, 200], r ∈ [50, 150]are included in Fig.9(a), 9(b) and 9(c) respectively. Noticethat for each experiments, the other two parameters areset as the median value of their corresponding intervals.Therefore, R = 150 for Fig.9(c), which matches theextreme case R = r. Furthermore, for the nodes that are injammed areas for JAM and that are triggers for our method,in another word, unable to deliver packets to or from thebase station, we count the delay as n + 1, which is anupperbound of the route length.

As shown in Fig. 9(a) and 9(b), when j and R increases,the routing delay goes up, which is quite reasonable sincethe jamming areas get larger and more detours have to betaken. The length of routes based on JAM quickly climbsup to the upperbound, while that of our trigger method ismuch lower and more stable (less than 900 seconds). Whentriggering range r is small, as in Fig.9(c), the end-to-enddelay of Trigger-based routing is much smaller than theother, while as r increases the two approaches each other,since more victim nodes are triggers.

6.3 Improvements on Time Complexity

In our previous work [7], we proposed a preliminary idea ofthis trigger detection, and provided a disk-based solution.However, its high time complexity limits its usage in real-time networks. As mentioned above, the time complex-ity of our new clique-based detection is proved to beasymptotically lower than the previous, while the messagecomplexities are approaching each other.

Although the computational overhead for estimating Ris asymptotically huge, the phase is not the key part of ourscheme, and can be easily improved by machine learningtechniques. Therefore, in this section, we assume that bothR and r are known beforehand, and validate the theoreticalresults through simulations on network instances with var-ious settings. Specifically, the network size n ranging from450 to 550 with step 2, transmission rs from 50 to 60 with


200

400

600

800

1000

1200

1400

2 4 6 8 10 12 14 16 18

ave

rag

e e

nd

-to

-en

d d

ela

y

number of jammers

JAMTrigger

(a) Average end-to-end delay by J

600

800

1000

1200

1400

100 120 140 160 180 200

ave

rag

e e

nd

-to

-en

d d

ela

y

jamming range R

JAMTrigger

(b) Average end-to-end delay by R

400

600

800

1000

1200

1400

60 80 100 120 140

ave

rag

e e

nd

-to

-en

d d

ela

y

triggering range r

JAMTrigger

(c) Average end-to-end delay by θ

Fig. 9. Benefits for routing

step 0.2 and number of jammers J from 3 to 10 with step1. Parameter values lower than these intervals would makethe sensor network less connected and jamming attack lesssevere, while higher values would lead to impractical densescenarios and unnecessary energy waste.

Since the length of each reactive attack is equal to thetransmission delay of the object sensor signal, note that inour trigger detection, only one message is broadcast by eachsensor in the testing groups. Therefore, it is reasonable topredefine the length of each testing round as a constant.We set this as 1 second, which is far more enough forany single packet to be transmitted from one node to itsneighboring nodes. Henceforth, the time cost shown inFig. 6.3 only indicates the number of necessary rounds tofind out all the triggers, and can be further reduced. Themessage complexity is measured via the average messagecost on each sensor node.

As shown in Fig. 10(a) and 10(b), this clique-basedscheme completes the identification with steadily less than10 seconds, compared to the increasing time overhead withmore than 15 seconds of the disk-based solution, as thenetwork grows denser with more sensor nodes. Meanwhile,its amortized communication overheads are only slightlyhigher than that of the other solution, whereas both arebelow 10 messages per victim node. Therefore, the newscheme is even more efficient and robust to large-scalenetwork scenarios.

With the sensor transmission radius growing up, the timecomplexity of the disk-based solution gradually ascends(Fig. 10(d) and 10(c)) due to the increased maximum degree∆(H) mentioned in the above analysis. Comparatively,the time cost of clique-based solution remains below 10seconds, while the two message complexities are similar.

Since sensor nodes are uniformly distributed, the morejammer nodes placed in the networks, the more victimnodes are expected to be tested, the identification complex-ity will therewith raises, as the performance of disk-basedscheme shows in Fig. 10(f) and 10(e). Encouragingly, theproposed scheme can still finish the identification promptlywith less than 10 seconds, which grows up much slowerthan the other. It has slightly more communication over-heads (10 messages per victim nodes) but is still affordableto power-limited sensor nodes.

Actual R 50 60 70 80 90 100

Estimated R 51.9542 61.378 72.5228 80.7886 92.9285 104.826

!R 3.91% 2.29% 3.60% 0.99% 3.25% 6.21%

Actual R 50 60 70 80 90 100

Estimated R 52.9438 63.496 73.4763 82.4191 93.9339 104.202

J=10

J=5

!R 5.88% 5.83% 4.96% 3.02% 4.37% 4.21%

Actual R 50 60 70 80 90 100

Estimated R 51.6574 65.5034 73.5997 83.4615 96.6998 107.21

!R 3.31% 9.17% 5.14% 4.33% 7.44% 7.21%

J=15

Fig. 11. Estimation error of R

6.4 Accuracy in Estimating Jammer PropertiesThough the estimate of jamming range R is only to providean upperbound for R, such that the testing teams obtainedaccordingly are interference-free, we are also interested inthe accuracy of this estimation. As shown in Fig. 11, weinvestigate the error rate ∆R for R = [50, 100] when thereare respectively J = 5, 10, 15 jammers.

Two observations are straightforward from these results:(1) all the estimated values are above the actual ones, how-ever, less than 10% difference. This meets our requirementfor a tight upperbound of R. (2) the error rates in case offewer jammers are lower than those with more jammers.This is because the jammer areas can have larger overlaps,which introduces estimate inaccuracies.

6.5 Robustness to Various Jammer ModelsIn order to show the precision of our proposed solutionunder different jamming environments, we vary the twoparameters of the jammer behaviors above: Jammer Re-sponse Probability η and Testing Round Length/MaximumJamming Delay L/X and illustrate the resulted false ratesin Fig. 12(a) and 12(b). To simulate the most dangerouscase, we assume a hybrid behavior for all the jammers,for example, the jammers in the simulation of Fig. 12(a)not only launch the jamming signals probabilistically, butalso delay the jamming messages with a random periodof time up to 2L. On the other hand, the jammers in thesimulation of Fig. 12(b) respond each sensed transmissionwith probability 0.5 as well. All the simulation results arederived by averaging 10 instances for each parameter team.

As shown in both figures, we consider the extremecases where jammers respond transmission signals with a


5

10

15

20

25

30

460 480 500 520 540

tim

e c

om

ple

xity (

se

c)

number of sensor nodes n

Disk-basedClique-based

(a) # Rounds by n

2

4

6

8

10

12

14

16

18

20

460 480 500 520 540

nu

mb

er

of

me

ssa

ge

pe

r n

od

e

number of sensor nodes n


(b) # Messages by n

5

10

15

20

25

30

35

40

45

50

50 52 54 56 58 60

tim

e c

om

ple

xity (

se

c)

triggering range r


(c) # Rounds by r

2

4

6

8

10

12

14

16

18

20

50 52 54 56 58 60

nu

mb

er

of

me

ssa

ge

s p

er

no

de

triggering range r


(d) # Messages by r

5

10

15

20

25

30

35

40

3 4 5 6 7 8 9 10

tim

e c

om

ple

xity (

se

c)

number of jammers J


(e) # Rounds by J

2

4

6

8

10

12

14

3 4 5 6 7 8 9 10

tim

e c

om

ple

xity (

se

c)

number of jammers J


(f) # Messages by J

Fig. 10. Time and Message complexity

probability as small as 0.1, or delay the signals to up to10 testing rounds later. This actually contradicts with thenature of reactive jamming attacks, which aim at disruptingthe network communication as soon as any legitimate trans-mission starts. The motivation of such parameter setting isto show the robustness of this scheme even if the attackerssense the detection and intentionally slow down the attacks.The overall false rates are below 20%.

In Fig. 12(a), when η > 1/2 which corresponds to prac-tical cases, we find that the false negative rates generallydecrease from 10% to 5% as η increases. Meanwhile thefalse positive rate grows gently, but is still below 14%, thisis because as more and more jamming signals are sent, dueto their randomized time delays, more and more followingtests will be influenced and become false positive. In Fig.12(b), considering the practical cases where L/X > 1/2,both rates are going down from around 10% to 1%, sincethe maximum jamming delay becomes shorter and shortercompared to the testing round length L, as the number ofinterferences between consecutive tests decreases.

7 RELATED WORKSExisting countermeasures against jamming attacks in WSNcan be categorized into two facets: signal detection andmitigation, both of which have been well studied anddeveloped with various defense schemes. On the one hand,a majority of detection methods focus on analyzing specificobject values to discover abnormal events, e.g., Xu et.al [16] studied a multi-model (PDR, RSS) to consistentlymonitor jamming signals. Work based on similar ideas[17][15][14] improved the detection accuracy by investigat-ing sophisticated decision criteria and thresholds. However,reactive jamming attacks, where the jammer node are notcontinuously active and thus unnecessary to cause huge de-viations of these variables from normal legitimate profiles,

(a) Probabilistic Jammer Response

0

0.05

0.1

0.15

0.2

0.25

0.3

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

Fa

lse

Ra

te

Round Length / Max Jamming Delay

fpfn

(b) Random Jamming Delay

Fig. 12. Solution Robustness

cannot be efficiently tackled by these methods. In addi-tion, some recent works proposed methods for detectingjammed areas [11] and directing normal communicationsbypass possible jammed area using wormhole [18]. Thesesolutions can effectively mitigate jamming attacks, but theirperformances rely on the accuracy of detection on jammedareas, i.e. the transmission overhead would be unnecessarilybrought up if the jammed area is much larger than itsactual size. On the other hand, mitigation schemes whichbenefit from channel surfing [13], frequency hopping andspatial retreats[12], reactively help legitimate nodes escapefrom the jammed area or frequency. Unfortunately, beinglack of pre-knowledge over possible positions of hiddenreactive jammer nodes, legitimate nodes cannot efficientlyevade jamming signals, especially in dense sensor networkwhen multiple mobile nodes can easily activate reactivejammer nodes and cause the interference. For the sake ofovercoming these limitations above, in [7] we studied on


the problem of identification trigger nodes with a shortperiod of time, whose results can be employed by jamming-resistent routing schemes, to avoid the transmissions ofthese trigger nodes and deactivate the reactive jammernodes. In this paper, we complete this trigger identificationprocedure as a lightweight service, which is prompt andreliable to various network scenarios.

8 DISCUSSION AND CONCLUSIONS

One leftover problem to this service framework is thejammer mobility. Although the identification latency hasbeen shown small, it would not be efficient toward jammersthat are moving at a high speed. This would become aninteresting direction of this research.

Another leftover problem is the application of this ser-vice. Jamming-resistent routing and jammer localizationsare both quite promising, yet the service overhead has tobe further reduced to for real-time requirements.

As a summary, in order to provide an efficient trigger-identification service framework, we leverage several op-timization problem models and provide corresponding al-gorithms to them, which includes the clique-independentproblem, randomized error-tolerant group testing, and min-imum disk cover for simple polygon. The efficiency of thisframework is proved through both theoretically analysistoward various sophisticated attack models and simulationsunder different network settings. With abundant possibleapplications, this framework exhibits huge potentials anddeserves further studies.

ACKNOWLEDGEMENT

This work is partially supported by NSF Career Award# 0953284 and DTRA, Young Investigator Award, BasicResearch Program # HDTRA1-09-1-0061 and DTRA #HDTRA1-08-10.

REFERENCES[1] D. Z. Du and F. Hwang, Pooling Designs: Group Testing in Molecular Biology,

World Scientific, Singapore, 2006.[2] M. Goodrich, M. Atallah, and R. Tamassia. “Indexing information for data

forensics.” 3rd ACNS, Lecture Notes in Computer Science, Springer, 2005.[3] R. Gupta, J. Walrand, and O. Goldschmidt, “Maximal cliques in unit disk

graphs: Polynomial approximation.” Conference of the European NetworkOptimization Group (INOC), Portugal, 2005.

[4] V. Guruswami and C. P. Rangan, “Algorithmic aspects of clique-transversal andclique-independent sets.” Discrete Applied Mathematics, 100:183–202, 2000.

[5] W. Hang, W. Zanji, and G. Jingbo, “Performance of DSSS against repeaterjamming.” Electronics, Circuits and Systems (ICECS), 2006.

[6] P. Tague, S. Nabar, J. A. Ritcey, and R. Poovendran, “Jamming-aware trafficallocation for multiple-path routing using portfolio selection”, IEEE/ACMTransactions on Networking, 2010.

[7] I. Shin, Y. Shen, Y. Xuan, M. T. Thai, and T. Znati, “Reactive jamming attacksin multi-radio wireless sensor networks: an efficient mitigating measure byidentifying trigger nodes.” FOWANC, in conjunction with MobiHoc, 2009.

[8] O. Sidek and A. Yahya, “Reed solomon coding for frequency hopping spreadspectrum in jamming environment.” American Journal of Applied Sciences,5(10):1281–1284.

[9] M. Strasser, B. Danev, and S. Capkun. “Detection of reactive jamming in sensornetworks.” ACM Transactions on Sensor Networks (TOSN), 2010.

[10] H. Wang, J. Guo, and Z. Wang. “Feasibility assessment of repeater jammingtechnique for DSSS.” IEEE WCNC, 2007.

[11] A. D. Wood, J. Stankovic, and S. Son. “A jammed-area mapping service forsensor networks.” RTSS, 2003.

[12] W. Xu, K. Ma, W. Trappe, and Y. Zhang. “Jamming sensor networks: attackand defense strategies.” IEEE Network, 2006.

[13] W. Xu, T. Wood, W. Trappe, and Y. Zhang. “Channel surfing and spatialretreats: Defenses against wireless denial of service.” ACM workshop onWireless security, pages 80–89, 2004.

[14] Mingyan Li, I. Koutsopoulos, and R. Poovendran. “Optimal jamming attacksand network defense policies in wireless sensor networks”. IEEE INFOCOM,2007.

[15] R. A. Poisel. “Modern communications jamming principles and techniques”.Artech House, 2004.

[16] W. Xu, W. Trappe, Y. Zhang, and T. Wood. “The feasibility of launching anddetecting jamming attacks in wireless networks”. MobiHoc, 2005.

[17] M. Cakiroglu and A. T. Ozcerit. “Jamming detection mechanisms for wirelesssensor networks.” 3rd InfoScale, 2008.

[18] M. Cagalj, S. Capkun, and J. P. Hubaux. “Wormhole- based antijammingtechniques in sensor networks.”IEEE Transactions on Mobile Computing, 2007.

[19] I. Shin, R. Tiwar, T. N. Dinh, M. T. Thai and T. Znati, “A localized algorithmto locate reactive jammers with trigger nodes in wireless sensor networks”.Manuscript, 2009.

[20] Y.-X. Chen and D.-Z. Du, “New constructions of one- and two-stage poolingdesigns”, Journal of Computational Biology, 2008

[21] Garey, M.G., Johnson, D.S, “The rectilinear steiner tree problem is NP-Complete”, SIAM J. Appl. Math. 32, 826C834, 1977

[22] L. G. Valiant, “Universality considerations in VLSI circuits”, IEEE Transac-tions on Computers 30 (1981), 135C140.

[23] K. Pelechrinis, I. Koutsopoulos, I. Broustis, S. V. Krishnamurthy, “Lightweightjammer localization in wireless networks: system design and implementation”,Globecom 2009.

[24] H. Liu, W. Xu, Y. Chen, Z. Liu, “Localizing jammers in wireless networks”,PWN 2009.

[25] Z. Liu, H. Liu, W. Xu, Y. Chen, “Wireless jamming localization by exploitingnodes’ hearing ranges”, DCOSS 2010.

[26] H. Kaplan, M. Katz, G. Morgenstern and M. Sharir, “Optimal cover of pointsby disks in a simple polygon”, European Symposium on Algorithms 2010.

[27] I. Shin, Y. Shen, Y. Xuan, M. T. Thai, and T. Znati, “A Novel Approach AgainstReactive Jamming Attacks”, Ad Hoc & Sensor Wireless Network, to appear.

Ying Xuan received the BE degree in computerengineering from the University of Science andTechnology of China, Anhui, China, in 2006. He isnow a PhD candidate at the Department of Com-puter and Information Science and Engineering,University of Florida, under the supervision of Dr.My T. Thai. His research topics include appliedgroup testing theory, social networking and networkvulnerability.

Yilin Shen received the BS degree in appliedmathematics from Donghua University, Shanghai,China, in 2005. He is currently working toward thePhD degree at the Department of Computer andInformation Science and Engineering, University ofFlorida, under the supervision of Dr. My T. Thai.His research topics include network security, andnetwork reliability and social networks.

Nam P. Nguyen received his bachelor’s degreefrom Vietnam National University in 2007 and mas-ter of science degree from Ohio University-USA in2009, both in Mathematics. He is currently workingtowards the PhD degree in Computer Science atCISE Department, University of Florida, USA. Hisinterests include community detection methods forboth static and dynamic networks, and effectiveapproximation algorithms for networking problems.


My T. Thai received her PhD degree in computerscience from the University of Minnesota, TwinCities, in 2006. She is an assistant professor in theDepartment of Computer and Information Sciencesand Engineering at the University of Florida. Hercurrent research interests include algorithms andoptimization on network science and engineering.She also serves as an associate editor for theJournal of Combinatorial Optimization (JOCO) andOptimization Letters and a conference chair of CO-COON 2010 and several workshops in an area of

network science. She is a recipient of DoD Young Investigator Awards andNSF CAREER awards. She is a member of the IEEE.

IEEE TRANSACTION ON MOBILE COMPUTING 1 A Trigger ... › ~mythai › files › TMC_Jamming.pdf ·...

Documents

Transcript of IEEE TRANSACTION ON MOBILE COMPUTING 1 A Trigger ... › ~mythai › files › TMC_Jamming.pdf ·...