Embed Size (px)
Citation preview
Demonstrating self-contained on-node counter measuresfor various jamming attacks in Wireless Sensor Networks
Peter Langendoerfer, Steffen Ortmann, Stephan KornemannIHP, Im Technologiepark 25
D-15234 Frankfurt (Oder), Germany{langendoerfer|ortmann|kornemann}@ihp-microelectronics.com
ABSTRACTIn this paper we shortly introduce our real-time jammingdetection approach which can be executed on standard wire-less sensor nodes.The benefits of our approach are that nothresholds need to be defined since it detects jamming basedon deviations of the Received Signal Strength Indication(RSSI) and the fact that for doing so it needs only 422 Bytesof memory including execution code and stored RSSI values.We implemented a mock-up demonstrator that allows to vi-sualise how various attacks of permanent, periodic and ran-dom jamming effect RSSI values and how the sensor nodesin the network independently of the location of the jammerreliably indicate ongoing jamming.
Categories and Subject DescriptorsC.2.0 [Computer-Communication Networks]: General—Security and protection; C.2.1 [Computer-CommunicationNetworks]: Network Architecture and Design—Wirelesscommunication
General TermsSecurity
KeywordsJamming detection, Wireless sensor networks, Security
1. INTRODUCTIONWireless sensor networks (WSNs) are more and more con-
sidered as a basis for new applications, e.g., in the area of au-tomation control or critical infrastructure protection. Suchapplications require a significant level of dependability. Jam-ming is an attack which needs to be considered as extremelydangerous. It can be easily executed by anybody since itneither needs any detailed knowledge about the system tobe attacked nor expensive equipment. In addition, its ef-fect is significant since it immediately distorts the expectedsystem behaviour. Different jamming models as well as re-spective counter measures have been researched in depth inthe past. Among others, random, reactive, periodic or con-stant jamming models are applied for both single and multi-channel attacks. Thereby fixed thresholds have proven tobe unsuitable for jamming detection in wireless networks nomatter which channel characteristic is monitored [1, 2, 3].Beside physical conditions around the node, the distance tothe jammer predominantly influences the changes in channelcharacteristics by jamming. Since the location of a jammer
is hard or impossible to predict, sensor nodes cannot be pre-configured for reliable jamming detection, e.g., by definingthresholds, even if the jamming characteristic is known. In-stead, sensor nodes must learn distinguishing regular fromirregular (jamming) channel conditions. This is a difficulttask since normal operation within the WSN, e.g., duringcontention phases, can look like jamming and by that causefalse positives.
In the next sections we sketch the idea behind our jam-ming detection scheme, the experimental setup and overviewresults taken from real measurements in the test bed. Weintend to demonstrate the various facilities of jamming inWSNs and suitable counter measures in a live demo allow-ing detailed parameter configuration, such as the jammingpattern, different network layouts, channel selection etc.
2. ASSESSMENT OF THE RSSIThe metric best reflecting the physical conditions of the
wireless channel is the Received Signal Strength Indication(RSSI). RSSI measurements can be easily read from the ra-dio module. From our point of view, RSSI is the most suit-able metric for jamming detection since any interference,whether or not caused by jamming, is reflected by changesof the RSSI. The challenge of analysing RSSI for jammingdetection is distinguishing abnormal (or anomalous) RSSIfrom usual behaviour by assessing the actual RSSI value. Weindicate the significance of changes in the RSSI as the degreeof deviation from the expected range of values learnt fromprevious trend. Determining the average and the variance ofprevious readings is not very complex according to mathe-matics, but it originally is unsuitable for sensor networks dueto its calculation and memory effort. This especially holdstrue when it is used for on-node jamming detection, whereevery new RSSI value has to be processed immediately.
Our approach processes RSSI measurements on the fly intwo stages, i.e., a significance analysis followed by a peakassessment. The significance analysis rates shifts in the ac-tual RSSI readings. Therefore, we adapted a variance-basedestimate of RSSI measurements to sensor needs determiningthe most significant changes. It states by what multiple theactual RSSI diverges from the expected parameters learntfrom previous trend and thereby automatically detects sig-nificant deviations without the need for predefined thresh-olds. The complexity of the significance analysis is constantto O(14), which is equivalent to O(1), and the memory con-sumption in theory collapses to storing three integer values.On the sensor nodes using the MSP430 microprocessor, thesignificance analysis requires 422 Bytes of memory only in-
Figure 1: Network layout for jamming experiments.
cluding all parameters and execution code. Based on thesignificance analysis, the peak assessment determines themost abnormal peaks in the significance-rated RSSI valuesto finally decide whether detected changes in RSSI are mostpossibly caused by jamming or not. It determines a weightedratio between the actual RSSI, the RSSI significance, previ-ously detected jamming attacks and the probability of beingcaused by usual traffic. Of course, the latter mainly de-pends on the protocol used, e.g., whether an increased RSSIoccurred within certain time slot or contention phases.
2.1 Experimental setup & evaluation resultsFor our experiments we used wireless sensor nodes manu-
factured by ourselves providing an MSP430 microprocessorfrom TI and three different radio modules, i.e., a CC1100,a CC2500 and a CC2520. We mainly experimented withthe CC2500 and CC2520 radios using 2.4 GHz communica-tion. Figure 1 represents the network topology used. Thedashed lines in figure 1 represent wireless connections and bythat the WSN, whereas the solid lines are dedicated wiredbackbones collecting information about measured RSSI andjamming related data for visual feedback, only. I.e. theseconnections are just there for demonstrating purposes. Thecommunication setting is as follows. The sender periodi-cally sends UDP packets to the receiver using wireless Zig-Bee communication at 2.4 GHz while a jammer tries to dis-turb the wireless channel. We implemented various attacksof permanent, periodic and random jamming on our sen-sor nodes which can be selected via a GUI. In addition,we implemented a simple monitoring node collecting RSSImeasurements for independently determining channel condi-tions without being involved in normal operation. By thatwe intend displaying the effects of jamming from various,user-defined, positions of the jamming and of the monitor-ing nodes.
Figure 2 shows the impact of jamming on the RSSI (2(a)),the calculated significance of RSSI (2(b)) and the jammingdetection result (2(c)) at the receiving sensor node. Here weexecuted a periodic jamming attack that causes short inter-vals with a constantly high RSSI. This figure also shows thatpeaks of the RSSI value occur also in periods when there areno attacks. This is due to channel impairments but also toother sources of interference such as Bluetooth and WLANcommunication. However, our approach achieves an imme-diate jamming indication independently of the position ofthe jamming device and its jamming intensity. From ourpoint of view the detection speed is of high importance sinceit can give the network under attack time to initiate propercounter measures. We are aware of the fact that there is notmuch a sensor node can do under jamming. However, stor-ing sensed data, changing the wireless channel, trigger an
(c)
(b)
(a)
RSS
I [dB
m]
−125−100
−75−50−25
0
Time [seconds]3.1 3.2 3.5 3.6
Sign
ifica
nce
01020304050
Time [seconds]3.1 3.2 3.5 3.6
Jam
min
g de
tect
ion
0
1
Time [seconds]3.1 3.2 3.3 3.4 3.5 3.6
Figure 2: Influence of jamming to the RSSI at thereceiver using the CC 2520 (ZigBee) radio chip, itsreflection in the significance analysis and the jam-ming indication after assessment of abnormal peaksin RSSI changes.
alarm that jamming is ongoing are potential counter mea-sures. The first will help to provide data for forensics, thesecond might help the network to survive -at least for a shortwhile, and the last one may be even a basis for a networkmanager to start counter measures, such as go and searchfor the jamming device.
3. CONCLUDING REMARKSIn this extended abstract we have presented the idea and
the experimental setup of our jamming experiments in wire-less sensor networks. Our approach immediately reacts onchanges in the monitored RSSI and thereby omits the needfor preconfigured values, which are difficult to get and inaddition are difficult to use since the impact on the chan-nel depends on the position of the jammer. Applying avariance-based estimate of RSSI measurements adapted tosensor needs, our approach provides reliable jamming indi-cation independently of the location of the jammer. Forfuture experiments we intend to implement varying trans-mission power at the jammer to simulate various jammingintensities. In addition, we will test the approach on furtherchannel characteristics, e.g., using the Signal-to-Noise Ratio(SNR) or the Packet Delivery Ratio (PDR).
4. REFERENCES[1] M. Cakiroglu and A. T. Ozcerit. Jamming detection
mechanisms for wireless sensor networks. In Proceedingsof the 3rd international conference on Scalableinformation systems, InfoScale ’08, pages 4:1–4:8,ICST, Brussels, Belgium, 2008. ICST.
[2] A. Fragkiadakis, V. Siris, and N. Petroulakis.Anomaly-based intrusion detection algorithms forwireless networks. In 8th International Conference onWired/Wireless Internet Communications, pages192–203, Lulea, Sweden, June 2010. Springer.
[3] K. Reese, A. Salem, and G. Dimitoglou. Using standarddeviation in signal strength detection to determinejamming in wireless networks. Computers Applicationsin Industry and Engineering, 2010.
