VIEWS: 109 PAGES: 16 CATEGORY: Graduate POSTED ON: 10/16/2011
IEEE TRANSACTION ON MOBILE COMPUTING 1 A Trigger Identiﬁcation Service for Defending Reactive Jammers in WSN Ying Xuan, Yilin Shen, Nam P. Nguyen, My T. Thai Abstract—During the last decade, Reactive Jamming Attack has emerged as a greatest security threat to wireless sensor networks, due to its mass destruction to legitimate sensor communications and difﬁculty to be disclosed and defended. Considering the speciﬁc characteristics of reactive jammer nodes, a new scheme to deactivate them by efﬁciently identifying all trigger nodes, whose transmissions invoke the jammer nodes, has been proposed and developed. Such a trigger-identiﬁcation procedure can work as an application-layer service and beneﬁt many existing reactive-jamming defending schemes. In this paper, on the one hand, we leverage several optimization problems to provide a complete trigger-identiﬁcation service framework for unreliable wireless sensor networks. On the other hand, we provide an improved algorithm with regard to two sophisticated jamming models, in order to enhance its robustness for various network scenarios. Theoretical analysis and simulation results are included to validate the performance of this framework. Index Terms—Reactive Jamming, Jamming Detection, Trigger Identiﬁcation, Error-tolerant Nonadaptive Group Testing, Opti- mization, NP-Hardness. ! 1 I NTRODUCTION On the other hand, various network diversities are in- the last decade, the security of wireless sensor vestigated to provide mitigation solutions [6]. Spreading S INCE networks (WSNs) has attracted numerous attentions, due to its wide applications in various monitoring systems spectrum [12][5][8] making use of multiple frequency bands and MAC channels, Multi-path routing beneﬁting and invulnerability toward sophisticated wireless attacks. from multiple pre-selected routing paths [6] are two good Among these attacks, jamming attack where a jammer examples of them. However, in this method, the capability node disrupts the message delivery of its neighboring of jammers are assumed to be limited and powerless to sensor nodes with interference signals, has become the most catch the legitimate trafﬁc from the camouﬂage of these critical threat to WSNs. Thanks to the efforts of researchers diversities. However, due to the silent behavior of reactive toward this issue, as summarized in [12], various efﬁ- jammers, they have more powers to destruct these mitiga- cient defense strategies have been proposed and developed. tion methods. To this end, other solutions are in great need. However, a reactive variant of this attack, where jammer A mapping service of jammed area has been presented in nodes stay quite until an ongoing legitimate transmission [11], which detects the jammed areas and suggests that (even has a single bit) is sensed over the channel, emerged routing paths evade these areas. This works for proactive recently and called for stronger defending system and more jamming, since all the jammed nodes are having low PDR efﬁcient detection schemes. and thus incapable for reliable message delay. However, in Existing countermeasures against Reactive Jamming at- the case of reactive jamming, as we will show later, this tacks consist of jamming (signal) detection and jamming is not always the case. Only a proportion of these jammed mitigation. nodes, named as trigger nodes, whose transmissions wake On the one hand, detection of interference signals from up the reactive jammers, are required to be blocked to avoid jammer nodes is non-trivial due to the discrimination be- the jamming effects. tween normal noises and adversarial signals over unstable In this paper, we present an application-layer real-time wireless channels. Numerous attempts to this end monitored trigger-identiﬁcation service for reactive-jamming in wire- critical communication related objects, such as Receiver less sensor networks, which promptly provides the list of Signal Strength (RSS), Carrier Sensing Time (CST), Packet trigger-nodes using a lightweight decentralized algorithm, Delivery Ratio (PDR), compared the results with speciﬁc without introducing neither new hardware devices, nor thresholds, which were established from basic statisti- signiﬁcant message overhead at each sensor node. cal methods and multi-modal strategies [9][12]. By such This service exhibits great potentials to be developed schemes, jamming signals could be discovered, however, as reactive jamming defending schemes. As an example, how to locate and catch the jammer nodes based on these by excluding the set of trigger nodes from the routing signals is much more complicated and has not been settled. paths, the reactive jammers will have to stay idle since transmissions can be sensed. Even though the jammers • Y. Xuan, Y. Shen, Nam P. Nguyen and My T. Thai are with the move around and detect new sensor signals, the list of Department of Computer Information Science and Engineering. trigger nodes will be quickly updated, so are the routing E-mail: {yxuan, yshen, nanguyen, mythai}@cise.uﬂ.edu tables. As another example, without prior knowledge of IEEE TRANSACTION ON MOBILE COMPUTING 2 the number of jammers, the radius of jamming signals and we will ﬁrst illustrate our framework solution toward the speciﬁc jamming behavior types, it is quite hard to locate basic attacker model, and then validate its performance the reactive jammers even the jammed areas are detected toward multiple advanced attacker models theoretically and (e.g. by [11]). However, with the trigger nodes localized, experimentally. the possible locations of reactive jammers are signiﬁcantly narrowed down. 2.2.1 Basic Attacker Model Although the beneﬁts of this trigger-identiﬁcation service are exciting, its hardness is also obvious, which dues Conventional reactive jammers [12] are deﬁned as mali- to the efﬁciency requirements of identifying the set of cious devices, which keep idle until they sense any ongoing trigger nodes out of a much large set of victim nodes, that legitimate transmissions and then emit jamming signals are affected jamming signals from reactive jammers with (packet or bit) to disrupt the sensed signal (called jammer possibly various sophisticated behaviors. To address these wake-up period), instead of the whole channel, which problem, a novel randomized error-tolerant group testing means once the sensor transmission ﬁnishes, the jamming scheme as well as minimum disk cover for polygons are attacks will be stopped (called jammer sleep period). Three proposed and leveraged. concepts are introduced to complete this model. The basic idea of our solution is to ﬁrst identify the set Jamming range R. Similar to the sensors, the jammers of victim nodes by investigating corresponding links’ PDR are equipped with omnidirectional antennas with uniform and RSS, then these victim nodes are grouped into multiple power strength on each direction. The jammed area can testing teams. Once the group testing schedule is made at be regarded as a circle centered at the jammer node, with the base station and routed to all the victim nodes, they a radius R, where R is assumed greater than rs , for then locally conducts the test to identify each of them as simulating a powerful and efﬁcient jammer node. All the a trigger or non-trigger. The identiﬁcation results can be sensors within this range will be jammed during the jammer stored locally for reactive routing schemes or delivered to wake-up period. The value of R can be approximated based the base station for jamming localization process. on the positions of the boundary sensors (whose neighbors In the remainder of this paper, we ﬁrst present the are jammed but themselves not), and then further reﬁned. problem deﬁnition in Section 2, where the network model, Triggering range r. On sensing an ongoing transmis- victim model and attacker models are included. Then we sion, the decision whether or not to launch a jamming signal introduce three kernel techniques for our scheme, Random- depends on the power of the sensor signal Ps , the arrived ized Error-Tolerant Non-adaptive Group Testing, Clique- signal power at the jammer Pa with distance r from the independent Set and Minimum Disk Cover in a Simple sensor, and the power of the background noise Pn . Polygon in Section 3. The core of this paper: trigger iden- According to the traditional signal propagation model, tiﬁcation procedure and its error-tolerant extension toward the jammer will regard the arrived signal as a sensor sophisticated jammer behaviors are presented respectively transmission as long as the Signal-Noise-Ratio is higher Pa in Section 4 and 5. A series of simulation results for evalu- than some threshold, i.e., SN R = Pn > θ where Pa = ating the system performance and validating the theoretical Ps rξ · Y with θ and ξ called jamming decision threshold results are included in Section 6. We also present some and path-loss factor, Y as a log-normally random variable. θ·Pn 1 related works in Section 7 and summarize the whole paper Therefore, r ≥ ( Ps ·Y ) ξ is a range within which the sensor in Section 8. transmission will deﬁnitely trigger the jamming attack, named as triggering range. As will be shown later, this 2 P ROBLEM M ODELS AND N OTATIONS range r is bounded by R from above, and rs from below, 2.1 Network Model where the distances from either bounds are decided by the We consider a wireless sensor network consisting of n jamming decision threshold θ. For simplicity, we assume sensor nodes and one base station (larger networks with triggering range is the same for each sensor. multiple base stations can be split into small ones to Jammer distance. Any two jammer nodes are assumed satisfy the model). Each sensor node is equipped with not to be too close to each other, i.e., the distance between omnidirectional antennas, m radios for in total k channels jammer J1 and J2 is δ(J1 , J2 ) > R. The motivations throughout the network, where k > m. For simplicity, the behind this assumptions are three-fold: 1) the deployment power strength in each direction is assumed to be uniform, of jammers should maximize the jammed areas with a so the transmission range of each sensor can be abstracted limited number of jammers, therefore large overlapping as a constant rs and the whole network as a unit disk graph between jammed areas of different jammers lowers down (UDG) G = (V, E), where any node pair i, j is connected the attack efﬁciency; 2) δ(J1 , J2 ) should be greater than R, iff the Euclidean distance between i, j: δ(i, j) ≤ rs . We since the transmission signals from one jammer should not leave asymmetric powers and polygonal transmission area interfere the signal reception at the other jammer, otherwise, for further study. the sensed sensor signals mixed with the jamming signals from the other jammer will not invoke this jammer; 3) the 2.2 Attacker Model communications between jammers are impractical, which We consider both a basic attacker model and several ad- will expose the jammers to anomaly detections at the vanced attacker models in this paper. In the next sections, network authority. IEEE TRANSACTION ON MOBILE COMPUTING 3 We assume that the detection of jammed signals can be 100% correctly completed via comparing the SNR, PDR and RSS, as shown in [9] in this work. Although this V1 0950 victim 30 detection problem is also quite challenging, it is orthogonal to the service framework proposed in this paper. We will dig into this problem in our future work, where various real- time applications embedded with this service framework Fig. 1. sensor periodical status report message will be developed. 2.2.2 Advanced Attacker Model 3 T HREE K ERNEL T ECHNIQUES Although the basic reactive jamming model is quite energy- In this section, we mention three kernel techniques that efﬁcient, the attackers may alter their behaviors to evade we resort to in the proposed protocol. Most existing anti- the detection, for which two advanced reactive jamming jamming works consider only proactive jammers, while re- models: probabilistic attack and asymmetric response time active jammers can bring up larger damage due to efﬁcient delay are considered in this paper. In the ﬁrst one, the jam- attack and hardness to detect. To this end, we embed a mer responds each sensed transmission with a probability η group testing process, i.e., the randomized error-tolerant independently. In the second one, the jammer delays each group testing by means of our designed random (d, z)- of its jamming signals with an independently randomized disjunct matrix, to the routing update scheme, which avoids time interval. unnecessarily large isolated areas as [11] does. Moreover, We do not specify the possible changes of jamming range most existing topology-based solutions [24][25] can only R as an advanced model, since the trigger set in this case handle the single-jammer case, since lacking of knowledge will not change, though the victim set varies. Further, we over the jamming range and inevitable overlapping of the do not theoretically analyze the effects of various jamming jammed areas bring ups the analytical difﬁculties. Regard- decision threshold θ in this paper version, but we evaluate ing these issues, we resort to a minimum disk cover problem all these above factors in the simulation section. Jammer in within simple polygon problem and a clique-independent mobilities are out of the scope of this paper, which assumes set problem. that the jammers are static during our trigger-identiﬁcation phase. This is quite reasonable, since the time length of this 3.1 Error-tolerant Randomized Non-Adaptive phase is short, as to be shown later. Group Testing Group Testing was proposed since WWII to speed up 2.3 Sensor Model the identiﬁcation of affected blood samples from a large Besides monitoring the assigned network ﬁeld and gen- sample population. This scheme has been developed with erating alarms in case of special events (e.g., ﬁre, high a complete theoretical system and widely applied to med- temperature), each sensor periodically sends a status report ical testing and molecular biology during the past several message to the base station, which includes a header and decades [1]. Notice that the nature of our work is to identify a main message body containing the monitored results, all triggers out of a large pool of victim nodes, so this battery usage, and other related content. As shown in technique intuitively matches our problem. Fig.1, the header is designated for anti-jamming purpose, The key idea of group testing is to test items in multiple which is 4-tuple: Sensor ID as the ID of the sensor designated groups, instead of testing them one by one. A node, Time Stamp as the sending out time indicating the sketch of the traditional group testing can be ﬁnd in the sequence number, as well as a Label referring to the node’s Appendix. current jamming status and TTL as the time-to-live ﬁeld which is initialized as the 2D where D is the diameter of 3.1.1 Traditional Non-adaptive Group Testing this network. The key idea of group testing is to test items in multiple According to the jamming status, all the sensor nodes designated groups, instead of testing them one by one. can be categorized into four classes: trigger nodes T N , The traditional method of grouping items is based on victim nodes V N , boundary nodes BN and unaffected a designated 0-1 matrix Mt×n where the matrix rows node U N . Trigger nodes refer to the sensor nodes whose represent the testing group and each column refers to an signals awake the jammers, i.e. within a distance less than r item, as Fig. 2 shows. M [i, j] = 1 implies that the j th item from a jammer. Victim nodes are those within a distance R appears in the ith testing group, and 0 otherwise. Therefore, from an activated jammer and disturbed by the jamming the number of rows of the matrix denotes the number of signals. Since R > r, T N ⊆ V N . Other than these groups tested in parallel and each entry of the result vector disturbed sensors, U N and BN are the unaffected sensors V refers to the test outcome of the corresponding group while the latter ones have at least one neighbor in V N , (row), where 1 denotes positive outcome and 0 denotes hence BN ⊆ U N , and V N ∩ U N = ∅. The Label ﬁeld of negative outcome. each sensor indicates the smallest class it belongs to. The Given that there are at most d < n positive items relationships among these classes are shown in Fig. 3. among in total n ones, all the d positive items can be IEEE TRANSACTION ON MOBILE COMPUTING 4 0 0 0 0 1 1 1 1 0 lies in the real test scenarios, the error probability of each 0 0 1 1 0 0 1 1 0 test is unknown and asymmetric, hence it is impossible to 0 1 0 1 0 1 0 1 testing 1 M = =⇒ V = evaluate z before knowing the number of pools. 1 1 1 1 0 0 0 0 1 1 1 0 0 1 1 0 0 1 1 0 1 0 1 0 1 0 1 We only show the performance of this new construction, namely, ETG algorithm in this section. For the review purpose, we include the details of the construction and Fig. 2. Binary testing matrix M and testing outcome vector V . Assumed analysis in the Appendix. that item 1 (1st column) and item 2 (2nd column) are positive, then only the ﬁrst two groups return negative outcomes, because they do not contain these Theorem 3.1: The ETG algorithm produces a (d, z)- two positive items. On the contrary, all the other four groups return positive disjunct matrix with probability p′ where p′ can be arbi- outcomes. trarily approaching 1. • The worst-case number of rows of this matrix is bounded by 3.78(d + 1)2 log n + 3.78(d + efﬁciently and correctly identiﬁed on condition that the 1) log( 1−p′ ) − 3.78(d + 1) + 5.44(d + 1)(z − 1), much 2 testing matrix M is d-disjunct: any single column is not 2 smaller than 4.28d2 log 1−p′ +4.28d2 log n+9.84dz + contained by the union of any other d columns. Owing 3.92z 2 ln 2n−1 . 1−p′ to this property, each negative item will appear in at least • Assume z ≤ γt, the worst-case number of rows one row (group) where all the positive items do not show 2 −2τ (d+1) ′ up, therefore, by ﬁltering all the items appearing in groups becomes t = τ ln n(d+1)−γ(d+1))2 ln(1−p ) where τ = (τ with negative outcomes, all the left ones are positive. Al- (d/(d + 1))d and asymptotically t = O(d2 log n). though providing such simple decoding method, d-disjunct Theorem 3.2: The time complexity of the ETG algorithm matrix is non-trivial to construct [1][2] which may involve is O(d2 n log n), smaller than O(n2 log n), provided that √ with complicated computations with high overhead, e.g., d < n. calculation of irreducible polynomials on Galois Field. In order to alleviate this testing overhead, we advanced the 3.2 Minimum Disk Cover in a Simple Polygon deterministic d-disjunct matrix used in [7] to randomized Given a simple polygon with a set of vertices inside, the error-tolerant d-disjunct matrix, i.e., a matrix with less rows problem of ﬁnding a minimum number of variable-radii but remains d-disjunct w.h.p. Moreover, by introducing this disks that not only cover all the given vertices, but also are matrix, our identiﬁcation is able to handle test errors under all within the polygon, can be efﬁciently solved. sophisticated jamming environments. The latest results due to the near-linear algorithm pro- In order to handle errors in the testing outcomes, the posed recently by [26], which investigates the medial axis error-tolerant non-adaptive group testing has been devel- and voronoi diagram of the given polygon, and provides oped using (d, z)-disjunct matrix, where in any d + 1 the optimal solution using O(ϖ + κ(log ϖ + log 6 κ)) time columns, each column has a 1 in at least z rows where and O(ϖ + κ log log κ) space, where the number of edges all the other d columns are 0. Therefore, a (d, 1)-disjunct of the polygon is ϖ and nodes within it as κ. We employ matrix is exactly d-disjunct. Straightforwardly, the d posi- this algorithm to estimate the jamming range R. tive items can still be correctly identiﬁed, in the presence of at most z − 1 test errors. In the literature, numerous deterministic designs for (d, z)-disjunct matrix have been 3.3 Clique-Independent Set provided (summarized in [1]), however, these constructions Cliques-Independent Set is the problem to ﬁnd a set of max- often suffer from high computational complexity, thus are imum number of pairwise vertex-disjoint maximal cliques, not efﬁcient for practical use and distributed implementa- which is referred to as a maximum clique-independent set tion. On the other hand, to our best knowledge, the only (MCIS) [4]. Since this problem serves as the abstracted randomized construction for (d, z)-disjunct matrix dues to model of the grouping phase of our identiﬁcation, its Cheng’s work via q-nary matrix [20], which results in a hardness is of great interest in this scope. To our best (d, z)-disjunct matrix of size t1 × n with probability p′ , knowledge, it has already been proved to be NP-hard for where t1 is cocomparability, planar, line and total graphs, however its 2 2n − 1 hardness on UDG is still an open issue. We prove that this 4.28d2 log +4.28d2 log n+9.84dz+3.92z 2 ln problem is NP-complete and include the detailed proof in 1 − p′ 1 − p′ the appendix. with time complexity O(n2 log n). Compared with this There have been numerous polynomial exact algorithms work, we advance a classic randomized construction for for solving this problem on graphs with speciﬁc topology, d-disjunct matrix, namely, random incidence construction e.g., Helly circular-arc graph and strongly chordal graph [1][2], to generate (d, z)-disjunct matrix which can not only [4], but none of these algorithms gives the solution on generate comparably smaller t × n matrix, but also handle UDG. In this paper, we employ the scanning disk approach the case where z is not known beforehand, instead, only the in [3] to ﬁnd all maximal cliques on UDG, and then ﬁnd all error probability of each test is bounded by some constant the MCIS using a greedy algorithm. In fact, by abstracting γ. Although z can be quite loosely upperbounded by γt, this problem as a Set Packing problem, we can obtain a √ yet t is not an input. The motivation of this construction n-approximation algorithm, however, it exhibits worse IEEE TRANSACTION ON MOBILE COMPUTING 5 performance than the greedy algorithm proposed in our value of the Label ﬁeld (Initially trigger ”TN”). In detail, trigger identiﬁcation procedure. if a node v hears jamming signals, it will not try to send out messages but keep its label as victim. If v cannot sense 4 T RIGGER I DENTIFICATION P ROCEDURE jamming signals, its report will be routed to the base station as usual, however, if it does not receive ACK from its We propose a decentralized trigger-identiﬁcation procedure. neighbor on the next hop of the route within a timeout It is lightweight in that all the calculations occur at the period, it tries for 2 more retransmissions. If no ACKs are base station, and the transmission overhead as well as the received, it is quite possible that that neighbor is a victim time complexity is low and theoretically guaranteed. No node, then v updates Label tuple as boundary ”BN” in its extra hardware is introduced into the scheme, except for the status report. Another outgoing link from v with the most simple status report messages sent by each sensor, and the available capacity is taken to forward this message. If the geographic locations of all sensors maintained at the base status report is successfully delivered to the base station station. Three main steps of this procedure are as follows: with Label = TN, the corresponding node is regarded as 1) Anomaly Detection – the base station detects potential unaffected. All the messages are queued in the buffer of the reactive jamming attacks, each boundary node tries to intermediate nodes and forwarded in an FCFS manner. The report their identities to the base station. TTL value is reduced by 1 per hop for each message, and 2) Jammer Property Estimation – The base station cal- the message will be dropped once its TTL = 0, to avoid culates the estimated jammed area and jamming range self-loops. R based on the locations of boundary nodes. The base station waits for the status report from each 3) Trigger Detection – node in each period of length P. If no reports have been • the base station makes a short testing schedule received from a node v with a maximum delay time, then message Z which will be broadcasted to all the v will be regarded as victim. The maximum delay time is boundary nodes. related with graph diameter and will be speciﬁed later. If • boundary nodes keep broadcasting Z to all the the aggregate report amount is less than ψ, the base station victim nodes within the estimated jammed area starts to create the testing schedule for the trigger nodes, for a period Q. based on which the routing tables will be updated locally. • all the victim nodes locally execute the testing procedure based on Z and a global uniform 4.2 Jammer Property Estimation clock, identify themselves as trigger or non- We estimate the jamming range as R and the jammed areas trigger. as simple polygons, based on the locations of the boundary and victim nodes. In the sparse-jammer case where the distribution of jammers is relatively sparse and there is at least one jammer whose jammed area does not overlap with the others, like J2 in Fig. 3. By denoting the set of boundary nodes for the ith jammed area as BNi , the coordinate of this jammer can be estimated as ∑BNi ∑BNi k=1 Xk Yk (XJ , YJ ) = ( , k=1 ) |BNi | |BNk | where (Xk , Yk ) is the coordinate of a node k is the jammed area BNi and then further the jamming range R can be estimated as Fig. 3. Nodes in grey and blue are victim nodes around jammer nodes, √ where blue nodes are also trigger nodes, which invoke the jammer nodes. R = min { max ( (Xk − XJ )2 + (Yk − XJ )2 )} Nodes surrounding the jammed are are boundary nodes, while the others are ∀BNi k∈BNi unaffected nodes. since we assume all the jammers have the same range. Otherwise in the dense-jammer case, as shown in Fig. 4, we need to ﬁrst estimate the jammed areas, which are 4.1 Anomaly Detection simple polygons (unnecessarily convex) containing all the Each sensor periodically sends a status report message to boundary and victim nodes. This process consists of three the base station. However, once the jammers are activated steps: (1) discovery of convex hulls of the boundary and by message transmissions,the base station will not receive victim nodes, where no unaffected nodes are included in these reports from some sensors. By comparing the ratio of the generate convex polygons. (2) for each boundary node received reports to a predeﬁned threshold ψ, the base station v not on the hull, choose two nodes on the hull and connect can thus decide if a jamming attack is happening in the v to them in such a way that the internal angle at this networks. When generating the status report message, each reﬂex vertex is the smallest, hence the polygon is modiﬁed sensor can locally obtain its jamming-status and decide the by replacing an edge (dotted one in Fig. 4) by the two IEEE TRANSACTION ON MOBILE COMPUTING 6 TABLE 1 Reflex Message Containing Trigger Detection Schedule Vertex Time Slot Channel Node List 0 f1 v1 , v3 , · · · , vn R 0 f2 v1 , v2 , v4 , · · · , vn−1 . Reflex . Vertex 0 . ··· 0 fm v2 , v5 , · · · , vn 1 f1 v2 , v4 , · · · , vn−2 . . Fig. 4. Estimated R and Jammed Area . . . . ··· new ones. The resulted polygon is the estimated jammed area. (3) execute the near-linear algorithm [26] to ﬁnd the optimal variable-radii disk cover of all the victim nodes, but constrained in the polygon, and return the largest disk radius as R. 4.3 Trigger Detection Fig. 5. Interference Teams Since the jammer behavior is reactive, in order to ﬁnd all the trigger nodes, a straightforward way is that each sensor broadcasts one by one, and monitors if the jammers nodes in one testing team invokes a jammer node, its are invoked by sensing the jamming signals. However, jamming area will not reach the victim nodes in another this individual detection is quite time-consuming and all testing team. Therefore, by trying broadcasting from victim the victim nodes thus have to be isolated for a long nodes in each testing team and monitoring the jamming detection period, or even returns wrong detection result in signals, we can conclude if any members in this team are the presence of mobile jammers. In this case, the network triggers. In addition, all the tests in different testing teams throughput would be dramatically decreased. Therefore, to can be executed simultaneously since they will not interfere promptly and accurately ﬁnd out these triggers from a large each other. Fig. 5 provides an example for this. 3 maxi- pool of victim nodes, emerges as the most challenging part mal cliques C1 = {v1 , v2 , v3 , v4 }, C2 = {v3 , v4 , v5 , v6 }, of the proposed protocol, for which the idea of group testing C3 = {v5 , v7 , v8 , v9 } can be found within 3 jammed areas. is applied. Assume these three cliques are respectively the three teams In this section, we only consider a basic attack model we test at the same time. If v4 in the middle team keeps where the jammers deterministically and immediately broadcasting all the time and J2 is awaken frequently, no broadcasts jamming signals once it senses the sensor signal. matter the trigger v2 in the leftmost team is broadcasting Therefore as long as at least one of the broadcasting victim or not, v3 will always hear the jamming signals, so these nodes is a trigger, some jamming signals will be sensed, and two teams interfere each other. In addition, node-disjoint vice versa. The performance of this protocol toward sophis- groups do not necessarily interference-free, as the leftmost ticated attacker models with probabilistic attack strategies and rightmost teams show. will be validated in the next section. Second-level, within each testing team, victims are fur- All the following is the testing schedule over all the ther divided into multiple testing groups. This is completed victim nodes, which is designed at the base station based on by constructing a randomized (d, 1)-disjunct matrix, as the set of boundary nodes and the global topology, stored mentioned in Section 3.1, mapping each sensor node to as a message (illustrated in Table 1) and broadcasted to a matrix column, and make each matrix row as a testing all the boundary nodes. After receiving this message, each group (sensors corresponding to the columns with 1s in boundary node broadcasts this message one time using this row are chosen). Apparently tests within one group simple ﬂooding method to its nearby jammed area. All will possibly interfere that of another, so each group will the victim nodes execute the testing schedule and indicate be assigned with a different frequency channel. themselves as non-triggers or triggers. Since all the sensor The duration of the overall testing process is t time nodes are equipped with a global uniform clock, and no slots, where the length of each slot is L. Both t and L message transmissions to the base station are required are predeﬁned, yet the former depends on the total number during the detection, the mechanism is easy to implement of victims and estimated number of trigger nodes, and and practical for applications. the latter depends on the transmission rate of the channel. As shown in Table 1, for each time slot, m sets of victim Speciﬁcally, at the beginning of each time slot, all the sensors will be tested. The selection of these sets involves sensors designated to test in this slot broadcast a τ -bit test a two-level grouping procedure. packet on the assigned channel to their 1-hop neighbors. First-level, the whole set of victims are divided into sev- Till the end of this slot, these sensors keeps detecting eral interference-free testing teams. Here by interference- possible jamming signals. Each sensors will label itself as a free we mean that if the transmissions from the victim trigger unless in at least one slot of its testing, no jamming IEEE TRANSACTION ON MOBILE COMPUTING 7 signal is sensed, in which case, the label is converted to a V0 V0 non-trigger. V5 V5 V1 V1 The correctness of this trigger test procedure is theo- V4 V4 V7 V7 retically straightforward. Given that all the testing teams V2 V2 are interference-free, then the testing with different teams V3 V3 V6 V6 can be executed simultaneously. Given that we have an upperbound d on the number of trigger nodes and each testing group follow the (d, 1)-disjunct matrix, which guar- antees that each non-trigger node will be included in at Fig. 6. clique C1 = V1 V2 V3 V4 is chosen by CIS, but its CC ′ covers least one group, which does not contain any trigger node, boundary node V0 , then clique C2 = V4 V5 V6 V7 replaces C1 in the testing team for the ﬁrst round. Clique V1 V2 V3 are left for the next round. so each non-trigger node will not hear jamming signals in at least one time slot, but the trigger nodes will since the jammers are activated once they broadcast the test packets. input : Induced Subgraph G′ = (W, E ′ ) Therefore, two critical issues need to be addressed to ensure output: The set C of maximum number of disjoint maximal cliques. this correctness: how to partition the victim set into Find out the set S of all maximal (not disjoint) cliques by using Gupta’s maximal interference-free testing teams and estimate the MCE algorithm [3]; while S ̸= ∅ do number of trigger nodes d, as follows. Though these two Choose clique C ∈ S which intersects with the minimum number of involve geometric analysis over the global topology, since other cliques in S; C ← C ∪ {C}; it only takes the information of boundary and victim nodes Remove all the maximal cliques intersecting with C; as inputs, and is calculated at the base station, no message S ← S \ {C}; end complexity is introduced. Algorithm 1: CIS discovery Local Reﬁnement. Each clique we select is expected to represent the jammed area poisoned by the same jammer, and this area should not cover the boundary nodes. How- 4.3.1 Discovery of Interference-free Testing Teams ever, we did not take this into account when discovering the CIS, and need to locally update it. Specially, for each clique, we ﬁnd its circumscribed circle CC and the As stated above, two disjoint sets of victim nodes are concentric circle CC ′ with radius R of CC. In the case that interference-free testing teams iff the transmission within CC ′ covers any boundary nodes, we locally select another one set will not invoke a jammer node, whose jamming clique by adding/removing nodes from this clique, to see signals will interfere the communications within the other if the problem can be solve. If not, we keep this clique as set. Although we have estimated the jamming range R, it is it is, otherwise, we update it. This is illustrated in Fig. 6. still quite challenging to ﬁnd these interference-free teams Team Detection. The cliques in CIS can also interfere without knowing the accurate locations of the jammers. each other, e.g. the clique V1 V2 V3 V4 and V5 V7 V8 V9 in Fig. Notice that it is possible to discover the set of victim 5. This is because the signals from V4 will wake J2 , who nodes within the same jammed area, i.e. with a distance will try to block these signals with noises and affect V5 by R from the same jammer node. Any two nodes within the way. But if any two cliques C1 and C2 are not con- the same jammed area should be at most 2R far from nected by any single edge, then they are straightforwardly each other, i.e. if we induce a new graph G′ = (V ′ , E ′ ) interference-free, since the shortest distance between any with all these victim nodes as the vertex set V ′ and node in C1 and C2 is larger than 2R. But the farthest E ′ = {(u, v)|δ(u, v) ≤ 2R}, the nodes jammed by the jammer waken by and from C1 is r < R distance away, same jammer should form a clique. The maximum number whose jamming range can only reach another R distance of vertex-disjoint maximal cliques (i.e. clique-independent further, which is thus away from C2 . Therefore, the cliques set (CIS) ) of this kind provides an upperbound of possible in the obtained CIS of this kind are selected as testing jammers within the estimated jammed area, where each teams. While the others are left for the next time slot. maximal clique is likely to correspond to the nodes jammed In addition, in the worst case, any single maximal clique by the same jammer. C has at most 12 interfering cliques in the CIS, as the shadowed ones in Fig. 7. Therefore, at most 13 testing The solution consists of three steps: CIS discovery teams are required to cover all these cliques. If the number on the induced graph from the remaining victim with- of channels k given is larger than 13, then a frequency- out test schedules, boundary-based local reﬁnement and division is available, i.e. these interfering cliques can still interference-free team detection. We iterate three steps to become simultaneous testing teams, on the condition each decide the schedule for every victim node. team can only use min{⌈ 13 ⌉, m} of the given channels, k CIS discovery. We ﬁrst employ Gupta’s MCE algorithm where m is the number of radios per sensor. Otherwise, we [3] to ﬁnd all the maximal cliques, then use a greedy have to use time-divisions, i.e. they have to be tested in algorithm, as shown in Alg. 1 to get the CIS. different time slots. IEEE TRANSACTION ON MOBILE COMPUTING 8 4.4 Analysis of Time and Message Complexity J1 J2 Time complexity: By time complexity we mean the J identiﬁcation delay counted since the attack happens till all the nodes successfully identify themselves as trigger r R J3 J4 or non-trigger. Therefore, the complexity break downs into J5 J6 four parts: (1) the detection of jamming signals at local links Td ; (2) the routing of sensor report to the base station from each sensor node, and the testing schedule to each victim node from the base station, aggregated as Tr ; (3) Fig. 7. Maximum # Interfering Fig. 8. Maximum # Jammers Cliques invoked by one team the calculation of CIS and R at the base station Tc ; (4) the testing at each jammed area Tt . The local jamming signal detection involves the statisti- 4.3.2 Estimation of Trigger Upperbound cal properties of PDR, RSS and SNR, which is orthogonal to our work. We regard Td as O(1) since it is an entirely Before bounding the trigger quantity from above, the trig- local operation and independent with the network scale. gering range r should be estimated. As mentioned in the The routing time overhead is quite complicated, since attacker model, r depends not only on the power of both congestions need to be considered. For simplicity, we sensors and jammers, but also the jamming threshold θ and consider that all the 1-hop transmission takes O(1) time and path-loss factor ξ: bound Tr using the diameter D of the graph. As mentioned Pn · θ ξ 1 earlier, the base station waits at most O(2D) for the reports, r≥( ) so that is the upperbound of the one-way routing. As to the Ps · Y other way, we also bound it using O(2D) to match any since the real time Pn and Ps are not given, we estimate r collision and retransmission cases. based on the SNR cutoff θ′ of the network setting. In fact, The calculation of CIS resorts to the algorithm in the transmission range of each sensor rs is a maximum [3], which ﬁnds O(l∆) maximal cliques on UDG within radius to guarantee O(l∆2 ) time, where l = |E| and ∆ refers to the maxi- Pa Ps · Y mum degree. We used a greedy algorithm to ﬁnd a MCIS SN R = = ≥ θ′ Pn ξ Pn · rs from these O(l∆) cliques with O(l3 ∆3 Q) time: O(l∆)- time for each clique to check the overlapping with other Therefore, we can estimate r as cliques, O(l∆)-time to ﬁnd a clique overlapping with θ ξ r ≈ rs ( ) 1 minimum other cliques, and Q denotes the number of θ ′ testing teams. Notice that in practice, sensor networks are ′ not quite dense, so the number of edges l and maximum where θ and ξ are parts of the network input, while θ is assumed as a constant, which indicates the aggressiveness degree ∆ are actually limited to small values. On the of the jammer. For this estimation, θ can be ﬁrst set as 10db, other hand, the time complexity of estimating R is up to which is the normally lower bound of SNR in wireless O( n∆ + n(log n∆ + log6 n) using the minimum disk cover 2 2 transmission, and then adaptively adjusted to polish the algorithm as mentioned. service quality. The testing delay Tt depends on the number of testing With estimated r, since all the trigger nodes in the same rounds and the length of each round. Since the reactive team should be within a 2r distance from each other, jamming signal disappears as soon as these sensed 1- by ﬁnding another induced graph G′′ = (Wi , E ′′ ) from hop transmission ﬁnishes, each round length is then O(1). the victim nodes Wi in team i, with E ′′ = {(u, v) ∈ The number of testing rounds is however complicated and E ′′ if δ(u, v) ≤ 2r}, the size of the maximal clique bounded by Theorem 4.1. indicates the upperbound of the trigger nodes, thus can be Lemma 4.1: Based on the ETG algorithm, the number an estimate over d. of tests to identify d trigger nodes from |W | victim nodes As mentioned above, all the parallel testing teams se- is upperbounded by t(|W |, d) = O(d2 ⌈ln |W |⌉) w.h.p. i lected are interference-free, therefore we roughly regard Theorem 4.1: (Main) The total number of testing rounds each team to be the jammed area of one jammer. As a is upper bounded by deeper investigation, the number of jammers that can be Q 13 min{d2 ⌈ln |Wi |⌉, |Wi |} invoked by the nodes in the same team (six 3-clique within O(max{ i }) i=1 m the red circles) can be up to 6, since the minimum distance ∑6 between two jammers is greater than R and r ≤ R, as w.h.p, with di = min{ s=1 |cs (Gi )|, |Wi |} and cs (Gi ) is shown in Fig. 8. Therefore on the induced graph, the largest the sth largest clique over an induced unit disk subgraph 6 cliques form the possible trigger set. However, since Gi = (Wi , Ei , 2r) in the testing team i. the jammer distribution cannot be that dense for the sake Proof: First, from Lemma 4.1, at most t(|W |,d) = m di ⌈ln |W |⌉ 2 of energy-conserving, the former estimate over d is large m testing rounds are needed to identify all nodes enough. in testing team i. Second, the set of testing teams that can IEEE TRANSACTION ON MOBILE COMPUTING 9 be tested in parallel is 13, as mentioned earlier. Combining TABLE 2 with the worst-case upperbound of triggers in each team, Notations the upperbound on round is derived. Notation Content If the jamming range R is assumed known beforehand, T+ The number of false positive outcomes similar to [7], the whole time complexity is thus T− The number of false negative outcomes u(i) The number of trigger nodes in test i Q 13d2 ⌈ln |Wi |⌉, |Wi |} x(i) The reaction time of jammer toward test i O(max{ i ) g(i) The outcome of test i i=1 m and asymptotically bounded by O(n2 log n). It is asymp- totically smaller than that of [7]: Since our scheme is robust and accurate in the steps of grouping, generating disjunct matrix and decoding the ∑ ∆(H) d2 log2 |Wj | j 2 testing results, the only possible test errors arise from the O( max⌈(2 + o(1)) ,/m⌉) i=1 j log2 (dj log2 |Wj |) 2 generation of testing outcomes. Nevertheless, by using the error-tolerant disjunct matrix and relaxing the identiﬁcation where ∆(H) refers to the maximum degree of the induced procedures to asynchronous manner, our scheme will pro- graph H (in this new solution, maximum degree is not vide small false rates in these cases. Some notations can be involved). By taking the calculation overhead for R into found in Table 2. In this section, the terms test and group, account, the overall time complexity is asymptotically the terms column and nodes are interchangeable. O(n2 log n + n log6 n), which is O(n log6 n) for n ≥ 4. Message Complexity: On the one hand, the broadcasting of testing schedule Z from the base station to all the 5.1 Upperbound on the Expected Value of z victim nodes costs O(n) messages in the worst case. On the other hand, the overhead of routing reports toward the First, we investigate the properties of both jamming be- base station depends on the routing scheme used and the haviors and obtain the expected number of error tests in network topology as well as capacity. The upperbound is both cases through the following analysis. Since in practice, straightforward obtained in a line graph with the base sta- it is not trivial to establish accurate jamming models, we tion at one end, whose message complexity is O( n(n−1) ). derive an upperbound of the error probability which does 2 With regard to the message overhead of the testing not require the beforehand knowledge of the objective jamming models, which is therefore feasible for real-time process. Considering that there are approximately |Wi |d+1 identiﬁcations. Since it is a relaxed bound, it could be victim nodes in each testing group of team Wi (mentioned further strengthened via learning the jamming history. in the construction of randomized (d, z)-disjunct matrix in Appendix), the overhead of each testing group in a testing 5.1.1 Probabilistic Jamming Response round is |Wi | 1-hop testing message broadcasted by all d+1 victim nodes in each group of team Wi . Therefore, the A clever jammer can choose not to respond to some sensed over message complexity is ongoing transmissions, in order to evade the detection. Assume that each ongoing transmission has an independent Q ∑ Q probability η to be responded. In our construction algorithm O(n +2 |Wi | max{di ⌈ln |Wi |⌉, |Wi |}m) ETG, where each matrix entry is IID and has a probability i=1 i=1 p to be 1, therefore for any single test i with i ∈ [1, t]: which is O(n2 log n). ( ) d x Pr[u(i) = x] = p (1 − p)d−x (1) x 5 A DVANCED S OLUTIONS TOWARD S O - Hence for each test i, the event that it contains no trigger PHISTICATED ATTACK M ODELS nodes but returns a positive result, has a probability at most: In this section, we consider two sophisticated attacker mod- Pr[g(i) = 0 & u(i) ≥ 1] els: probabilistic attack and variant response time delay, ∑d ( ) d x where the jammers rely each sensed transmission with dif- = (1 − η)x p (1 − p)d−x x ferent probabilities, instead of deterministically, or delay the x=1 jamming signals with a random time interval, instead of im- = [(1 − η)p + 1 − p]d − (1 − p)d mediately. This may mismatch with the original deﬁnition = (1 − ηp)d − (1 − p)d < (1 − η)p of reactive jamming, which targets at transmission signals, instead of nodes or channels. However, clever jammers can Meanwhile, the event that it contains at least one trigger possibly change their strategies to evade possible sensed but returns a negative result, has a probability: detections. Also, a common sense indicates that as long Pr[g(i) = 1 & u(i) = 0] = 0 (2) as an activity is sensed by the jammer, it is quite possible that some other activities are following this. So delaying Since in practical η ≥ 1 , we therefore have the expected 2 the response time still guarantees the attack efﬁciency, but number of false positive and negative tests is respectively minimize the risk of being caught by reactive detections. at most pt/2 and 0. IEEE TRANSACTION ON MOBILE COMPUTING 10 5.1.2 Variant Reaction Time Therefore, the expected number of false positive tests is at most ∑t 2 The introduction of group testing techniques aims to de- T+ ≤ (1 − (1 − p)d )(1 − p)d (β) i=1 β crease the identiﬁcation latency to the minimum, there- fore, if the jammer would not respond intermediately after ∑ t ≤ 2 (1 − (1 − p)d )(1 − p)d sensing the ongoing transmissions, but instead wait for a i=1 randomized time delay, the test outcomes would be messed ≤ 2(1 − (1 − p)d )(1 − p)d t up. Since it is expensive to synchronize the tests among sensors, we use a predeﬁned testing length as L, thus the test outcome of test i ∈ [1, t] is generated within time (2) For event F n(i), following the similar arguments interval [(⌈ m ⌉ − 1)L, ⌈ m ⌉L]. There are two possible error i i above, we have an upperbound of the probability for F n(i) events regarding any test i. (assume that any delays larger than l at test i will interfere the tests j following i where j ∈ [max(i%m, i − m − β − • F p(i): test i is negative, but some jamming signals 1), i − m]): are delayed from previous tests and interfere this test, ∫ +∞ where we have a false positive event; (1 − (1 − p)d ) P(w)dw • F n(i): test i is positive, but the jammer activated in l this test delayed its jamming signals to some subse- ∑∫ ( i−j +1)L m quent tests, meanwhile, no delayed jamming signals · 1 − P(w)dw(1 − (1 − p)d ) j ( i−j −1)L m from previous tests exists, where we have a false negative event. ≤ (1 − (1 − p)d )(1 − 2(1 − (1 − p)d ))(β − l)/β ≤ (1 − (1 − p)d )(1 − 2(1 − (1 − p)d )) Since the jammers in this paper are assumed to block So the expected number of false negative tests is at most communications only on the channels where transmissions are sensed, for the following analysis, we claim that the T − ≤ (1 − (1 − p)d )(1 − 2(1 − (1 − p)d ))t (4) interferences can only happen between any two tests i, j Therefore, we could use a union bound and obtain a worst- with i ≡ j(mod m). Denote the delay of jamming signals case error rate of each test: as a random variable X = {x(1), x(2), x(3), · · · x(t)} p where x(i) is the delay for possible jamming signals arisen γ = + 2(1 − (1 − p)d )(1 − p)d from test i. (1) For event F p(i), consider the test i − m, 2 +(1 − (1 − p)d )(1 − 2(1 − (1 − p)d )) in order to have its jamming signals delayed to test i, we have a bound on x(i − m) ∈ (0, 2L). Similarly, in order to = (10τ − 8τ 2 − τ −d − 1)/2 have the signals of any test j delayed to i, we have x(j) ∈ where τ = (d/(d + 1))d . Intuitively, we can have an [( i−j − 1)L, ( i−j + 1)L]. Further assume the probability m m upperbound on the number of error tests as z = γt = density function of X is P(i) = Pr[X = x(i)]. Consider (10τ −8τ 2 −τ −d −1)/2, and take it as an input to construct all the tests prior to i, which are i%m, 1+i%m, · · · , i−m, the (d, z)-disjunct matrix. However, notice that z depends we then have the probability for F p(i): on t, i.e., the number of rows of the constructed matrix, we therefore derive another bound of t related to γ, as shown ∑ i−m ∫ ( i−j +1)L m by Corollary B.1 in the appendix. (1 − p) d P(w)dw(1 − (1 − p)d ) (3) j=i%m ( i−j −1)L m 5.2 Error-tolerant Asynchronous Testing within To simplify this expression, we assume that X/L follows a each testing team uniform distribution within the range [0, β] with a small β, By applying the derived worst-cast number of error tests which is reasonable and efﬁcient for attackers in practice. into the ETG construction, we can obtain the following Since the nature of jamming attacks lies in adapting the algorithm where tests are conducted in an asynchronous attack frequency due to the sensed transmissions, too large manner to enhance the efﬁciency. delay does not make sense to tackle the ongoing trans- As shown in Algorithm 2, after all the groups are missions. Under a uniform distribution, the probability of decided, conduct group testing on them in m pipelines, F p(i) becomes: where in each pipeline any detected jamming signals will ∑ i−m 2 end the current test and trigger the next tests while groups (1 − (1 − p)d )(1 − p)d receiving no jamming signals will be required to resend β j=max i%m,i−m−β−1 triggering messages and wait till the predeﬁned round time i 2 has passed. These changes over the original algorithm, = (1 − (1 − p)d )(1 − p)d (⌈ ⌉ − 1) especially the asynchronous testing are located in each m β IEEE TRANSACTION ON MOBILE COMPUTING 11 testing team, thus will not introduce signiﬁcant overheads, 6.2 Beneﬁts for Jamming-resistent Routing however, the resulted error rates are limited to a quite low JAM[11] proposed a jamming-resistent routing scheme, level. where all the detected jammed areas will be evaded and input : n victim nodes in a testing team packets will not pass through the jammed nodes. This output: all trigger nodes within these victim nodes Estimate d as mentioned; method is dedicated for proactive jamming attacks, which Set γ = (10τ − 8τ 2 − τ −d − 1)/2 ; // upper bound of error sacriﬁces signiﬁcant packet delivery ratio due to the unnec- probability for each test τ ln n(d+1)2 Set t = (τ −γ(d+1))2 ; // number of rows essarily long routes selected, though the effects of jamming Construct a (d, z)-disjunct matrix using ETG algorithm with t rows, and signals are avoided. We compare the end-to-end delay be- divide all the n victim nodes into t groups accordingly {g1 , g2 , · · · , gt }; tween each sensor node and the base station, of the selected // For each round, conduct group testing on m groups routes by evading the jammed areas detected by JAM, with using m different channels (radios). The testing is asynchronous in that, the m groups tested in that of the ones evading only trigger nodes. Although there parallel do not wait for each other to finish the are many existing routing protocols for unreliable network testing, instead, any finished test j will trigger the test j + m, i.e., the tests are conducted in m environments, the aim of this experiment is to show the pipelines. potential of this service to various applications, instead of for i = 1 to ⌈t/m⌉ do Conduct group testing in groups gim+1 , gim+2 , gim+m in parallel; being a dedicated routing protocol. If any nodes in group gj with j ∈ [im + 1, im + m] detects jamming Three key parameters for routing could be the number noises, the testing in this group ﬁnishes and start testing on gj+m ; of Jammers J, jamming range R, jamming threshold θ. If no nodes in group gj detect jamming noises, while at least one other test in parallel detects jamming noises, let all the nodes in group gj As mentioned earlier, θ indicates the aggressiveness of the θ 1 resend 3 more messages to activate possible hidden jammers. attacker and the triggering range r ≈ rs ( θ′ ) ξ . Therefore, If no jamming signals are detected till the end of the predeﬁned round length (L), return a negative outcome for this group and start testing on with rs , θ′ and ξ as ﬁxed network inputs, the effect of θ gj+m ; can be exactly indicated by studying the effect of r instead. end The whole network has n = 1500 nodes and sensor Algorithm 2: Asynchronous Testing transmission range rs = 50. The results with respect to the three parameters J ∈ [1, 20], R ∈ [100, 200], r ∈ [50, 150] are included in Fig.9(a), 9(b) and 9(c) respectively. Notice 6 E XPERIMENTAL E VALUATION that for each experiments, the other two parameters are set as the median value of their corresponding intervals. 6.1 Overview Therefore, R = 150 for Fig.9(c), which matches the As a lightweight distribute trigger-identiﬁcation service, our extreme case R = r. Furthermore, for the nodes that are in solution will be experimentally evaluated from four facets: jammed areas for JAM and that are triggers for our method, • in order to show the beneﬁt of this service, we compare in another word, unable to deliver packets to or from the it with JAM [11] in terms of the end-to-end delay and base station, we count the delay as n + 1, which is an delivery ratio of the detour routes from the base station upperbound of the route length. to all the sensor nodes, as the number of sensors n, As shown in Fig. 9(a) and 9(b), when j and R increases, sensor range rs , and number of jammers J vary within the routing delay goes up, which is quite reasonable since practical intervals. the jamming areas get larger and more detours have to be • in order to show the acceleration effect of the clique- taken. The length of routes based on JAM quickly climbs independent set in this solution, we compare the up to the upperbound, while that of our trigger method complexity of this solution to our previous centralized is much lower and more stable, speciﬁcally keeps less one [7], with varying the above four parameters, than 900 seconds. When triggering range r is small, as where both jamming and triggering range R and r in Fig.9(c), the end-to-end delay of Trigger-based routing are assumed to be known beforehand. is much smaller than the other, while as r increases the two • in order to show the accuracy of estimating the jam- approaches each other, since more victim nodes are triggers ming range by using the polygon disk cover algorithm, now. we provide the estimated jamming ranges as well as the error rate to the actual values. 6.3 Improvements on Time Complexity • in order to show its performance and robustness In our previous work [7], we proposed a preliminary idea of towards tricky attackers, we provide its false posi- this trigger detection, and provided a disk-based solution. tive/negative rate, when taking into account those two However, its high time complexity limits its usage in real- advanced jammer models, as well as the estimation of time networks. As mentioned above, the time complex- R. ity of our new clique-based detection is proved to be The simulation is developed using C++ on a Linux Work- asymptotically lower than the previous, while the message station with 8GB RAM. A 1000 × 1000 square sensor ﬁeld complexities are approaching each other. is created with uniformly distributed n sensor nodes, one Although the computational overhead for estimating R base station and J randomly distributed jammer nodes. All is asymptotically huge, the phase is not the key part of our the simulation results are derived by averaging 20 random scheme, and can be easily improved by machine learning instances. techniques. Therefore, in this section, we assume that both IEEE TRANSACTION ON MOBILE COMPUTING 12 1400 JAM JAM 1400 JAM average end-to-end delay average end-to-end delay average end-to-end delay Trigger 1400 Trigger Trigger 1200 1200 1200 1000 1000 800 1000 800 600 800 400 600 200 600 400 2 4 6 8 10 12 14 16 18 100 120 140 160 180 200 60 80 100 120 140 number of jammers jamming range R triggering range r (a) Average end-to-end delay by J (b) Average end-to-end delay by R (c) Average end-to-end delay by θ Fig. 9. Beneﬁts for routing R and r are known beforehand, and validate the theoretical J=5 Actual R 50 60 70 80 90 100 results through simulations on network instances with var- Estimated R 51.9542 61.378 72.5228 80.7886 92.9285 104.826 ious settings. Speciﬁcally, the network size n ranging from R 3.91% 2.29% 3.60% 0.99% 3.25% 6.21% 450 to 550 with step 2, transmission rs from 50 to 60 with J=10 Actual R 50 60 70 80 90 100 step 0.2 and number of jammers J from 3 to 10 with step Estimated R 52.9438 63.496 73.4763 82.4191 93.9339 104.202 1. Parameter values lower than these intervals would make R 5.88% 5.83% 4.96% 3.02% 4.37% 4.21% J=15 the sensor network less connected and jamming attack less Actual R 50 60 70 80 90 100 severe, while higher values would lead to impractical dense Estimated R 51.6574 65.5034 73.5997 83.4615 96.6998 107.21 R 3.31% 9.17% 5.14% 4.33% 7.44% 7.21% scenarios and unnecessary energy waste. Since the length of each reactive attack is equal to the transmission delay of the object sensor signal, note that in Fig. 11. Estimation error of R our trigger detection, only one message is broadcast by each sensor in the testing groups. Therefore, it is reasonable to than the other. It has slightly more communication over- predeﬁne the length of each testing round as a constant. heads (10 messages per victim nodes) but is still affordable We set this as 1 second, which is far more enough for to power-limited sensor nodes. any single packet to be transmitted from one node to its neighboring nodes. Henceforth, the time cost shown in Fig. 6.3 only indicates the number of necessary rounds to 6.4 Accuracy in Estimating Jammer Properties ﬁnd out all the triggers, and can be further reduced. The Though the estimate of jamming range R is only to provide message complexity is measured via the average message an upperbound for R, such that the testing teams obtained cost on each sensor node. accordingly are interference-free, we are also interested in As shown in Fig. 10(a) and 10(b), this clique-based the accuracy of this estimation. As shown in Fig. 11, we scheme completes the identiﬁcation with steadily less than investigate the error rate ∆R for R = [50, 100] when there 10 seconds, compared to the increasing time overhead with are respectively J = 5, 10, 15 jammers. more than 15 seconds of the disk-based solution, as the Two observations are straightforward from these results: network grows denser with more sensor nodes. Meanwhile, (1) all the estimated values are above the actual ones, its amortized communication overheads are only slightly however, less than 10% difference. This meets our require- higher than that of the other solution, whereas both are ment for a tight upperbound of R. (2) the error rates in below 10 messages per victim node. Therefore, the new case of fewer jammers are relatively lower than those with scheme is even more efﬁcient and robust to large-scale more jammers. This is because jammers could have large network scenarios. overlaps in their jamming areas, which introduces estimate With the sensor transmission radius growing up, the time inaccuracies. Thanks to the accurate estimation of R, the complexity of the disk-based solution gradually ascends overall false positive/negative rate is quite small, as to be (Fig. 10(d) and 10(c)) due to the increased maximum degree shown next. ∆(H) mentioned in the above analysis. Comparatively, the time cost of clique-based solution remains below 10 seconds, while the message complexity still approximates 6.5 Robustness to Various Jammer Models the other one. In order to show the precision of our proposed solution Since sensor nodes are uniformly distributed, the more under different jamming environments, we vary the two jammer nodes placed in the networks, the more victim parameters of the jammer behaviors above: Jammer Re- nodes are expected to be tested, the identiﬁcation complex- sponse Probability α and Testing Round Length/Maximum ity will therewith raises, as the performance of disk-based Jamming Delay L/X and illustrate the resulted false rates scheme shows in Fig. 10(f) and 10(e). Encouragingly, the in Fig. 12(a) and 12(b). To simulate the most dangerous proposed scheme can still ﬁnish the identiﬁcation promptly case, we assume a hybrid behavior for all the jammers, with less than 10 seconds, which grows up much slower for example, the jammers in the simulation of Fig. 12(a) IEEE TRANSACTION ON MOBILE COMPUTING 13 30 20 50 number of message per node Disk-based Disk-based Disk-based Clique-based 18 Clique-based 45 Clique-based 25 time complexity (sec) time complexity (sec) 16 40 14 35 20 12 30 15 10 25 8 20 10 15 6 4 10 5 2 5 460 480 500 520 540 460 480 500 520 540 50 52 54 56 58 60 number of sensor nodes n number of sensor nodes n triggering range r (a) # Rounds by n (b) # Messages by n (c) # Rounds by r 20 40 number of messages per node Disk-based Disk-based 14 Disk-based 18 Clique-based 35 Clique-based Clique-based time complexity (sec) time complexity (sec) 16 12 30 14 25 10 12 10 20 8 8 15 6 6 10 4 4 5 2 2 50 52 54 56 58 60 3 4 5 6 7 8 9 10 3 4 5 6 7 8 9 10 triggering range r number of jammers J number of jammers J (d) # Messages by r (e) # Rounds by J (f) # Messages by J Fig. 10. Time and Message complexity 0.3 not only launch the jamming signals probabilistically, but fp 0.25 fn also delay the jamming messages with a random period 0.2 False Rate of time up to 2L. On the other hand, the jammers in the 0.15 simulation of Fig. 12(b) respond each sensed transmission 0.1 with probability 0.5 as well. All the simulation results are 0.05 derived by averaging 10 instances for each parameter team. 0 As shown in both ﬁgures, we consider the extreme 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 Jammer Response Probability p cases where jammers respond transmission signals with a probability as small as 0.1, or delay the signals to up to (a) Probabilistic Jammer Response 10 testing rounds later. This actually contradicts with the 0.3 nature of reactive jamming attacks, which aim at disrupting fp fn 0.25 the network communication as soon as any legitimate trans- 0.2 False Rate mission starts. The motivation of such parameter setting is 0.15 to show the robustness of this scheme even if the attackers 0.1 sense the detection and intentionally slow down the attacks. 0.05 The overall false rates are below 20% for any parameter 0 values. 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 Round Length / Max Jamming Delay In Fig. 12(a), when α > 1/2 which corresponds to prac- tical cases, we ﬁnd that the false negative rates generally (b) Random Jamming Delay decrease from 10% to 5% as α increases. Meanwhile the false positive rate grows gently, but is still below 14%, this Fig. 12. Solution Robustness is because as more and more jamming signals are sent, due to their randomized time delays, more and more following tests will be inﬂuenced and become false positive. In Fig. 12(b), considering the practical cases where L/X > 1/2, mitigation, both of which have been well studied and both rates are going down from around 10% to 1%, since developed with various defense schemes. On the one hand, the maximum jamming delay becomes shorter and shorter a majority of detection methods focus on analyzing speciﬁc compared to the testing round length L, in which case, object values to discover abnormal events, e.g., Xu et. the number of interferences between consecutive tests is al [16] studied a multi-model (PDR, RSS) to consistently decreasing. monitor jamming signals. Work based on similar ideas [17][15][14] improved the detection accuracy by investigat- ing sophisticated decision criteria and thresholds. However, 7 R ELATED W ORKS reactive jamming attacks, where the jammer node are not Existing countermeasures against jamming attacks in WSN continuously active and thus unnecessary to cause huge de- can be categorized into two facets: signal detection and viations of these variables from normal legitimate proﬁles, IEEE TRANSACTION ON MOBILE COMPUTING 14 cannot be efﬁciently tackled by these methods. In addi- embedded in the plane using O(|V |2 ) area units such that tion, some recent works proposed methods for detecting its vertices are at integer coordinates and its edges consist jammed areas [11] and directing normal communications of line segments of the form x = i or y = j, for any bypass possible jammed area using wormhole [18]. These integers i and j. solutions can effectively mitigate jamming attacks, but their Theorem A.1: Clique-Independent Set problem is NP- performances rely on the accuracy of detection on jammed hard on Unit Disk Graph. areas, i.e. the transmission overhead would be unnecessarily Proof: Given an instance G′ = (V ′ , E ′ ) of such a MIS brought up if the jammed area is much larger than its problem, whose optimal value is denoted as M IS(G′ ), we actual size. On the other hand, mitigation schemes which construct an instance G = (V, E) of the CIS problem as beneﬁt from channel surﬁng [13], frequency hopping and follows: spatial retreats[12], reactively help legitimate nodes escape ′ • Embed G in the plane in the way mentioned above from the jammed area or frequency. Unfortunately, being [22]. ′ lack of pre-knowledge over possible positions of hidden • For each node vi ∈ V , attach two new nodes vi1 reactive jammer nodes, legitimate nodes cannot efﬁciently and vi2 to it and form a triangle Ni = {vi1 , vi2 , vi3 }, evade jamming signals, especially in dense sensor network where each edge of this triangle Ni is of a unit length √ when multiple mobile nodes can easily activate reactive r = 33 . jammer nodes and cause the interference. For the sake of • Since each nodes vi is incident to at most three overcoming these limitations above, in [7] we studied on edges, for all edges (vi , u), · · · , (vi , v), move their the problem of identiﬁcation trigger nodes with a short endpoint from vi to different vij s, e.g., (v1 , u) changes period of time, whose results can be employed by jamming- to (v11 , u) and (v1 , v) to (v12 , v). Afterwards, for resistent routing schemes, to avoid the transmissions of each of such edges e = (u, v), assume that it is these trigger nodes and deactivate the reactive jammer of length t, we divide it into t pieces and replace nodes. In this paper, we complete this trigger identiﬁcation each piece with a concatenation of 2 triangles (not procedure as a lightweight service, which is prompt and necessarily equilateral), as shown in Fig. 13(b). There- reliable to various network scenarios. fore, any edge eij = (vi , vj ) ∈ E ′ of length |eij | becomes a concatenation of 2|eij | 3-cliques, denoted 8 D ISCUSSION C ONCLUSIONS |e |,1 |e |,2 AND as {c1,1 , c1,2 , c2,1 , · · · cijij , cijij }. Because of the ij ij ij One leftover problem to this service framework is the triangles Ni s, the two triangles at each corner of Fig. jammer mobility. Although the identiﬁcation latency has 13(b) may need slight stenches, which can be done in been shown small, it would not be efﬁcient toward jammers polynomial time. that are moving at a high speed. This would become an • The resulting graph G is then a unit disk graph with √ interesting direction of this research. radius r = 33 . Another leftover problem is the application of this ser- vice. Jamming-resistent routing and jammer localizations V1 are both quite promising, yet the service overhead has to be further reduced to for real-time requirements. As a summary, in order to provide an efﬁcient trigger- V2 V4 identiﬁcation service framework, we leverage several op- timization problem models and provide corresponding al- V3 gorithms to them, which includes the clique-independent (a) G′ = (V ′ , E ′ ) problem, randomized error-tolerant group testing, and min- N1 imum disk cover for simple polygon. The efﬁciency of this framework is proved through both theoretically analysis toward various sophisticated attack models and simulations under different network settings. With abundant possible N2 N4 applications, this framework exhibits huge potentials and deserves further studies. A PPENDIX A NP- HARDNESS OF CIS ON UDG N3 (b) G = (V, E) We prove the NP-hardness of this problem on UDG via a polynomial-time reduction from the Maximum Independent Fig. 13. Polynomial Time Reduction Set problem on planar graph with maximum node degree 3 to it. The reduction is as follows: From [21], the Maximum Independent Set problem is NP- (⇒): if G′ has a maximum independent set M , for hard on planar graph with maximum degree 3, and from each ui ∈ M , we choose cliques of two kinds in the [22], any planar graph G with maximum degree 4 can be corresponding instance G: (1) the clique Ni at ui ; (2) IEEE TRANSACTION ON MOBILE COMPUTING 15 for each incident edge eij = (ui , uj ), choose cliques |e |,2 {c1,2 , c2,2 , c3,2 , · · · , cijij }. Since the clique Nj at uj ij ij ij (infeasible by assert 1) |e |,2 or shares a vertex with cijij , it cannot be selected. For any edge ejk = (uj , uk ) where uj ∈ M and uk ∈ M , choose / / z − 1 + ln s + (d + 1) ln n |e |,2 p(1 − p)d ≥ cliques {c1,2 , c2,2 , · · · cjkjk }. It is easy to verify that all jk jk √ t the cliques selected are vertex-disjoint from each other. ln2 (snd+1 ) + 2(z − 1) ln snd+1 Assume that after embedding G′ into the plane, each + t node vi ∈ V ′ has coordinate (xi , yi ), then edge length |eij | =∥ vi , vj ∥1 = |xi −xj |+|yi −yj |. Therefore if we have Therefore, we can derived the lower bound ( ) an independent set of size |M | = k for G′ , we then have ∑ (d + 1)d+1 a clique independent set of size k ′ = k + (i,j)∈E ′ |eij |. t≥2 (z − 1 + ln s + (d + 1) ln n) dd (⇐): if G has a clique independent set of size k ′ , since the lengths of the embedded edges are constant, then G′ has ∑ Corollary B.1: Given that each test has an indepen- exactly an independent set of size k = k ′ − (i,j)∈E ′ |eij |. dent error probability γ, M is (d, z)-disjunct matrix with The proof is complete. τ ln n(d+1)2 −2τ (d+1) ln 1 t = (τ −γ(d+1))2 s with probability (1 − 1 ) for s arbitrarily large s. A PPENDIX B Proof: Substituting z by γt in the proof above com- C ONSTRUCTION OF R ANDOMIZED E RROR - pletes this proof. TOLERANT d- DISJUNCT M ATRIX (Theorem ) B.1: M is (d, z)-disjunct matrix with t = R EFERENCES d+1 2 (d+1)d d (z − 1 + ln s + (d + 1) ln n) rows with prob- [1] D. Z. Du and F. Hwang, Pooling Designs: Group Testing in Molecular Biology, World Scientiﬁc, Singapore, 2006. ability (1 − s ) for a constant s where s can be arbitrarily 1 [2] M. Goodrich, M. Atallah, and R. Tamassia. “Indexing information for large. data forensics.” 3rd ACNS, Lecture Notes in Computer Science 3531, Springer, 2005. Proof: [3] R. Gupta, J. Walrand, and O. Goldschmidt, “Maximal cliques in unit M is not (d, z)-disjunct matrix if for any single column disk graphs: Polynomial approximation.” INOC ’05, Portugal, March c0 and any other d columns c1 , · · · cd , there are at most 2005. [4] V. Guruswami and C. P. Rangan, “Algorithmic aspects of clique- z − 1 rows where c0 has 1 and all c1 , · · · cd have 0. By transversal and clique-independent sets.” Discrete Applied Mathemat- 1 denoting p = ( 2 )l , considering a particular column and d ics, 100:183–202, 2000. other columns in the matrix, the probability of such failure [5] W. Hang, W. Zanji, and G. Jingbo, “Performance of dsss against repeater jamming.” Electronics, Circuits and Systems, ICECS ’06, pattern is: Dec. 2006. ∑(t) z−1 [6] P. Tague, S. Nabar, J. A. Ritcey, and R. Poovendran, “Jamming- Aware Trafﬁc Allocation for Multiple-Path Routing Using Portfolio [p(1 − p)d ]i [1 − p(1 − p)d ]t−i Selection”, IEEE/ACM Transactions on Networking, 2010. i=0 i [7] I. Shin, Y. Shen, Y. Xuan, M. T. Thai, and T. Znati, “Reactive jamming attacks in multi-radio wireless sensor networks: an efﬁcient mitigating So use the union bound for all possible combinations and measure by identifying trigger nodes.” FOWANC, in conjunction with permutations of (d + 1) columns, we have the failure MobiHoc, 2009. possibility bounded by [8] O. Sidek and A. Yahya, “Reed solomon coding for frequency hopping spread spectrum in jamming environment.” American Journal of ( ) ∑( ) z−1 Applied Sciences, 5(10):1281–1284. n t P1 ≤ (d+1) [p(1−p)d ]i [1−p(1−p)d ]t−i [9] M. Strasser, B. Danev, and S. Capkun. “Detection of reactive jamming d + 1 i=0 i in sensor networks.” ETH Zurich D-INFK Technical Report, August 2009. Here consider the CDF of binomial series and assume that [10] H. Wang, J. Guo, and Z. Wang. “Feasibility assessment of repeater z − 1 ≤ tp(1 − p)d (assert 1), we then have jamming technique for dsss.” WCNC2007. IEEE, pages 2322–2327, March 2007. (tp(1 − p)d − z + 1)2 [11] A. D. Wood, J. Stankovic, and S. Son. “A jammed-area mapping P1 ≤ nd+1 exp(− ) service for sensor networks.” RTSS ’03, pages 286–297, 2003. 2tp(1 − p)d [12] W. Xu, K. Ma, W. Trappe, and Y. Zhang. “Jamming sensor networks: Attack and defense strategies.” IEEE Network, 20:41–47, 2006. by Chernoff bound. To bound this by 1 , i.e., s [13] W. Xu, T. Wood, W. Trappe, and Y. Zhang. “Channel surﬁng and spatial retreats: Defenses against wireless denial of service.” 2004 (tp(1 − p)d − z + 1)2 1 ACM workshop on Wireless security, pages 80–89, 2004. P1 ≤ nd+1 exp(− )≤ [14] Mingyan Li, I. Koutsopoulos, and R. Poovendran. “Optimal Jamming 2tp(1 − p)d s Attacks and Network Defense Policies in Wireless Sensor Networks”. we can derive that (assert 2) INFOCOM ’07, May 2007. [15] R. A. Poisel. “Modern Communications Jamming Principles and Techniques”. Artech House, 2004. z − 1 + ln s + (d + 1) ln n [16] W. Xu, W. Trappe, Y. Zhang, and T. Wood. “The feasibility of p(1 − p)d ≤ launching and detecting jamming attacks in wireless networks”. √ t MobiHoc ’05, pages 46–57, New York, NY, USA, 2005. [17] M. Cakiroglu and A. T. Ozcerit. “Jamming Detection Mechanisms ln2 (snd+1 ) + 2(z − 1) ln snd+1 for Wireless Sensor Networks.” 3rd InfoScale, Brussels, Belgium, − 2008. t IEEE TRANSACTION ON MOBILE COMPUTING 16 [18] M. Cagalj, S. Capkun, and J. P. Hubaux. “Wormhole- Based Antijam- ming Techniques in Sensor Networks.”IEEE Transactions on Mobile Computing, 2007. [19] I. Shin, R. Tiwar, T. N. Dinh, M. T. Thai and T. Znati, “A localized algorithm to locate reactive jammers with trigger nodes in wireless sensor networks”. Manuscript, 2009. [20] Y.-X. Chen and D.-Z. Du, “New Constructions of One- and Two- Stage Pooling Designs”, Journal of Computational Biology, 2008 [21] Garey, M.G., Johnson, D.S, “The Rectilinear Steiner Tree Problem is NP-Complete”, SIAM J. Appl. Math. 32, 826C834 (1977) [22] L. G. Valiant, “Universality considerations in VLSI circuits”, IEEE Transactions on Computers 30 (1981), 135C140. [23] K. Pelechrinis, I. Koutsopoulos, I. Broustis, S. V. Krishnamurthy, “Lightweight Jammer Localization in Wireless Networks: System Design and Implementation”, Globecom 2009. [24] H. Liu, W. Xu, Y. Chen, Z. Liu, “Localizing Jammers in Wireless Networks”, PWN 2009. [25] Z. Liu, H. Liu, W. Xu, Y. Chen, “Wireless Jamming Localization by Exploiting Nodes’ Hearing Ranges”, DCOSS 2010. [26] H. Kaplan, M. Katz, G. Morgenstern and M. Sharir, “Optimal cover of points by disks in a simple polygon”, in the proceeding of European Symposium on Algorithms 2010.