Defending Wireless Sensor Networks from Jamming Attacks
Aristides Mpitziopoulos
Department of Cultural Technology and Communication,
University of the Aegean, Mytilene, Greece
crmaris@aegean.gr

Damianos Gavalas
Department of Cultural Technology and Communication,
University of the Aegean, Mytilene, Greece
dgavalas@aegean.gr

Grammati Pantziou
Department of Informatics,
Technological Education Institute of Athens, Athens, Greece
pantziou@teiath.gr

Charalampos Konstantopoulos
Research Academic Computer Technology Institute, Patras, Greece
konstant@cti.gr

Abstract - Wireless sensor networks (WSNs) are used in many
applications which often include the monitoring and recording
of sensitive information. Hence, their critical importance raises
many security concerns. In the context of WSNs, jamming is the
type of attack which interferes with the radio frequencies used
by network nodes. In the event that an attacker uses a rather
powerful jamming source, disruptions of a WSN's proper function
are likely to occur. As a result, the use of countermeasures
against jamming in WSN environments is of immense
importance. The main contribution of this article is the
discussion of various defence methods against jamming that
would allow a WSN to survive and work properly in a hostile
jamming environment. Our focus is on frequency hopping
spread spectrum (FHSS) and direct sequence spread spectrum
(DSSS), two of the most effective countermeasures against
jamming. We suggest the use of a specific FHSS technique in the
5 GHz band with 55 frequency channels wherein the channel
sequence is generated using a secret word, known only to the
sink and the sensor nodes, as a seed. Each channel uses DSSS
modulation with a 16-bit Pseudo Noise (PN) code, which derives
from the same secret word used for FHSS channel generation.
I. INTRODUCTION
Most of the nodes deployed in contemporary WSNs are
ZigBee [9] and IEEE 802.15.4 [2] compatible and use DSSS
modulation. Notably, these protocols were not originally
designed with radio jamming in mind. The design of WSN
nodes presents the same problem. Thus, with typical
WSNs in use today no effective measures against jamming
are possible, which represents a major security issue.
In this article, we outline the possible jamming attack
scenarios that a WSN may encounter. We propose the
adaptation of a hybrid FHSS-DSSS concept to the particular
requirements of WSNs (e.g. limited energy availability and
transmission range) and explain a simple method to achieve
fast and effective frequency synchronization of the nodes.
The main contributions of this article are:
- proposal of several methods that could be implemented in a
  sensor node to effectively defend against jamming attacks;
- introduction of design specifications of a prototype node,
  Hermes, that guarantees network operation even in heavily
  jammed environments;
- specification of a new communication scheme which
  borrows some features from Zigbee;
- evaluation and verification of Hermes nodes operation in
  worst-case jamming scenarios through extensive simulation
  tests that prove the pre-eminence of our method against
  alternative anti-jamming techniques.
The remainder of the paper is organized as follows:
Section II reviews work related to our research while section
III presents an overview of possible countermeasures against
jamming. In Section IV, we describe the design of Hermes
node, proposed as an efficient anti-jamming node. Section V
presents and analyzes various simulation results, while
Section VI concludes the paper and presents future directions
of our work.
II. RELATED WORK
To the best of our knowledge, there is no previous work
discussing the design requirements of nodes that can
effectively defend against jamming attacks. In [5] the detection and
mapping of jammed regions is proposed in order to increase
network efficiency. However, this method presents several
drawbacks: first, it cannot practically defend in the scenario
that the attacker jams the entire WSN or a significant
percentage of nodes; second, in the case that the attacker
targets some specific nodes (e.g. those that guard a security
entrance) to obstruct their data transmission, again this
technique fails to protect nodes under attack. Radio
interference relations among the nodes of a WSN and the
design of a radio interference detection protocol (RID) are
discussed in [8]. However, jamming from external sources is
not investigated, hence RID remains highly vulnerable to
jamming attacks. Law et al. [3] examine link-layer jamming
algorithms and conclude that in typical contemporary WSN
systems no effective measures against link-layer jamming are
possible. They recommend: (a) encrypting link-layer packets
to ensure a high entry barrier for jammers, (b) the use of
spread spectrum hardware, and (c) the use of a TDMA
protocol. Yet, neither specific hardware design nor a new
efficient communication protocol is proposed as we do
herein. Xu et al. [6] proposed two evasion strategies against
constant jammers: channel surfing and spatial retreat.
Channel surfing is essentially an adaptive form of FHSS.
Instead of hopping continuously from one channel to another,
a node switches to a different channel only when it discovers
that the current channel is being jammed. Spatial retreat is an
algorithm according to which two nodes move in Manhattan
distances to escape from a jammed region. The main
shortcoming of the two above-mentioned strategies is that
they are effective only against constant jammers and
have no effect against more intelligent or follow-on jammers.
Furthermore Xu et al. in [7] explore various techniques for
detecting the presence of jamming attacks in WSNs. Their
focus is on the analysis and detection of jamming signals and
they do not deal with effective countermeasures against
jamming. In summary, existing research efforts attempted to
solve jamming attacks based on existing hardware and
communications protocols. Herein, we propose
the implementation of innovative hardware that incorporates
the most efficient countermeasures against jamming attacks
along with a new communication scheme which inherits some
characteristics from Zigbee.
III. COUNTERMEASURES AGAINST JAMMING
In this section we will present some methods that may help a
node to deal with a possible radio jamming scenario.
A. Regulated transmitted power
Using low transmitted power decreases the probability of
discovery by an attacker (an attacker must first locate the
target before transmitting a jamming signal). Higher
transmitted power implies higher resistance against jamming
because a stronger jamming signal is needed to overcome the
original signal.
B. Hybrid FHSS-DSSS
Hybrid FHSS-DSSS communication between WSN nodes
represents a promising anti-jamming measure. In general
terms direct-sequence systems achieve their processing gains
through interference attenuation using a wider bandwidth for
signal transmission, while frequency hopping systems achieve
their processing gains through interference avoidance.
Consequently, using both modulations together may greatly
increase resistance to jamming. Hybrid FHSS-DSSS also
provides better low-probability-of-detection/
low-probability-of-interception (LPD/LPI) properties than
standard FHSS or DSSS modulation. Fairly specialized
interception equipment is required to mirror the frequency
changes uninvited. It is stressed, though, that both the
frequency sequence and the PN code of DSSS should be
known to recover the original signal. Thus Hybrid FHSS-DSSS
improves the ability to combat the near-far problem
which arises in DSSS communications schemes. Another
welcome feature is the ability to adapt to a variety of channel
problems. In the remainder of the article we will analyze how
hybrid FHSS-DSSS could be combined in a sensor node and
make it almost invulnerable to jamming. We named this
prototype node Hermes.
IV. THE HERMES NODE
Hermes nodes use an advanced radio unit capable of Hybrid
FHSS-DSSS communication. Hermes will also have the
ability to regulate its transmitted power. In
low-probability-of-detection (LPD) operation transmission power
will be kept low (0 dBm). In case of a strong received signal or
interference it will boost transmitted power into anti-jam (AJ)
mode with 4 dBm transmitting power.
Figure 1. PIC16C84 - AD7008 DDS for Fast Frequency Hop is able to jump
frequencies up to 100,000 hops per second.
It is noted that contemporary fast-follower military jammers
are capable of jamming FHSS communications that perform even
thousands of hops/sec [4]. Nevertheless, small circuits like the
one shown in Fig. 1 will make Hermes capable of performing
100,000 frequency hops/sec and less vulnerable to jamming
by fast-follower jammers. To further hinder potential
attackers, the use of DSSS modulation is proposed. The main
advantage of this approach is that the attacker receives a
signal that resembles white noise and cannot detect the
communication radio band. As a result, the attacker will
monitor the entire band without knowing whether the received
signal is noise or actual data (the attacker would have to
discover not only the frequency hopping sequence but also the
direct sequence PN code). Furthermore, taking into account the
limited transmitting power of Hermes in LPD mode, the task
of the attacker is even more difficult since a very sensitive
radio receiver is required; even then, it would not be feasible to
monitor the entire WSN but only a part of it, unless a number
of receivers are scattered in the WSN field.
The band that we propose for communication among
Hermes nodes is the unlicensed 5 GHz band (5650 MHz to
5925 MHz). Since the 2.4 GHz band is heavily used (802.11
b/g WLANs, Bluetooth), using the 5 GHz band gives Hermes
the advantage of restricted interference. Also, as the frequency
rises the transmitted signal beam becomes narrower and
more directional and covers less distance than e.g. a signal of
the same output power in the 2.4 GHz band. In the 5 GHz band
that we propose, there is 275 MHz of bandwidth available for
spread-spectrum transmission. The same digital modulation
that ZigBee incorporates will be used (O-QPSK for the 5 GHz
band). Hermes will have 55 frequency channels for FHSS
with 5 MHz of bandwidth each available for DSSS. Each
channel will use DSSS modulation with 270 kHz modulating
(pre-spreading) bandwidth and 5 MHz total (two-sided)
spread-spectrum signal bandwidth, and so a 12.67 dB
processing gain. The resulting raw, over-the-air data rate is
approximately 252 kbps per channel in the 5 GHz band. The
Hermes node, as noted above, will perform frequency hops
100,000 times/sec.
The sequence of channels used will be determined by a
channel sequence generation algorithm that will use as a seed
a secret word known only to the nodes and the sink (for
security reasons it will be 'hard-coded' onto nodes prior to the
WSN deployment). A simple, fast and secure way to
generate the sequence is to employ the linear congruential
method [6]. That method is an efficient way to generate a
sequence of pseudo-random numbers, based on the recursive
function:

$$X(n+1) = (a\,X(n) + c) \bmod m, \quad n \ge 0 \qquad (1)$$

where:
m = 55 (the number of available channels)
a, c: constants
X(0): the starting number (seed), 0 ≤ X(0) ≤ 55

In our proposed scheme, each character of the secret word
is first converted to its corresponding ASCII code. The sum
of the individual ASCII codes generates the seed (X(0)). If the
sum exceeds 55 then X(0) = sum mod 55.
The Hermes node will have a DSSS chip with a 5 MHz chip
rate. The PN code, 16 bits long, will also be derived from the
seed as follows: each of the first 16 frequency channels
X(1), …, X(16) generated by the recursive function (1)
is mapped to the corresponding bit of the 16-bit PN code. If the
channel number is odd the corresponding PN code bit will
equal 1; if the channel number is even the bit will equal
0. Using 'aris' as the secret word the first 16 generated
channels are 41,24,7,45,28,11,49,32,15,53,36,19,2,40,23,6 so
the PN code is 1011011011010010. For even more enhanced
security, the PN code may periodically change, using
different channel numbers at a time for generating the PN bit
code.
After the deployment of the WSN, the sink will be able to
change the secret word using the secure hybrid FHSS-DSSS
data scheme. A problem that will arise is that once the
network has been deployed, any new joining nodes will not
be able to communicate with their peers since they will not be
aware of the secret word and thus the PN code. To overcome
this problem, we propose to hard-code the current secret word
on any new joining node.
Clearly, our proposed scheme requires precise
synchronization of communicating nodes so as to perform
simultaneous frequency hops. The synchronization signal
could be transmitted by the sink to the whole network using
some nodes as routers. The basic idea is that an already
synchronized node will transmit the synchronization signal to
its adjacent nodes. In the end all the nodes will be
synchronized with the sink. Any new joining node could
request synchronization from an adjacent, already
synchronized, node by transmitting a special signal at a
specific frequency. Another solution to the synchronization
problem could be the use of GPS receivers in some nodes;
however, that would drastically increase the cost, while GPS
signals would also be vulnerable to jamming.
V. SIMULATION RESULTS
Our simulation tests have been conducted with a simulation
tool (see Fig. 2) that we developed using the Borland Delphi [1]
programming language. We have examined a variety of
scenarios taking into account various aspects (e.g. jammer
and nodes antenna gain, path loss, etc.). Table 1 shows the
simulation parameters, along with the configuration of
jammer and nodes/sink. As mentioned in Section 4, if SNR<1
then jamming is considered as effective and therefore packet
loss reaches 100%. In our simulations the power output of the
nodes' radio unit (4 dBm) is the same as that of a Bluetooth
class 2 radio and provides a 10m range in the 2.4 GHz band (in
clear terrain, lacking obstacles and interference).

TABLE 1
SIMULATION PARAMETERS

Terrain                                           650m × 450m
# nodes (including the sink)                      120
# Jammers                                         1
Nodes & jammer placement                          Random
Traffic Per Minute (#packets)                     10,000

JAMMER CONFIGURATION
Power output for frequencies used in simulations  50 dBm (100 Watt)
Antenna transmit gain                             15 dBi
Type of antenna                                   Directional
Polarization                                      Circular

NODES/SINK CONFIGURATION
Power output for frequencies used in simulations  4 dBm (2.5 mWatt)
Antenna transmit gain                             3 dBi
System gain                                       85 dBm
Type of antenna                                   Omni-Directional

Path loss has been modeled using Friis Equation (2). This
equation gives a more complete accounting for all the factors
from the transmitter to the receiver. Path loss simply reflects
the power loss of spreading the energy of an RF signal of a
given frequency (f) out equally over a sphere whose radius (d)
is equal to the distance between the transmitter and receiver.
$$\frac{P_{Rx}}{P_{Tx}} = \frac{G_{Tx}\,G_{Rx}\,\lambda^{2}}{16\,\pi^{2}\,d^{2}\,L} \qquad (2)$$

where: GTx: transmitter antenna gain
GRx: receiver antenna gain
λ: wavelength (same units as d)
d: distance between Tx and Rx antennas
L: system loss factor (≥ 1)
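Equation (2) applied to the Table 1 parameters, as an added example (not the authors' Delphi simulator). It assumes the SNR is the linear ratio of received node power to received jammer power, a 3 dBi receive gain, L = 1 and the jammer's main lobe on the receiver; the function names and sample distances are constructed.

```python
import math

C_LIGHT = 299_792_458.0   # speed of light, m/s

# Table 1 values: transmit power (dBm) and transmit antenna gain (dBi)
NODE = {"ptx_dbm": 4.0, "gtx_dbi": 3.0}
JAMMER = {"ptx_dbm": 50.0, "gtx_dbi": 15.0}
RX_GAIN_DBI = 3.0         # ASSUMED: the table lists no receive gain

# Constructed sample links: (sender-to-receiver m, jammer-to-receiver m)
SAMPLE_LINKS = [(0.2, 300.0), (10.0, 300.0), (10.0, 50.0)]


def db_to_linear(db):
    """Convert dB, dBi or dBm to a linear ratio (dBm -> mW)."""
    return 10 ** (db / 10)


def friis_rx_mw(ptx_dbm, gtx_dbi, grx_dbi, freq_hz, d_m, loss=1.0):
    """Received power in mW according to equation (2)."""
    lam = C_LIGHT / freq_hz
    gain = db_to_linear(gtx_dbi) * db_to_linear(grx_dbi)
    return (db_to_linear(ptx_dbm) * gain * lam ** 2
            / (16 * math.pi ** 2 * d_m ** 2 * loss))


def snr(freq_hz, d_node_m, d_jammer_m):
    """Received node power divided by received jammer power."""
    signal = friis_rx_mw(NODE["ptx_dbm"], NODE["gtx_dbi"],
                         RX_GAIN_DBI, freq_hz, d_node_m)
    jam = friis_rx_mw(JAMMER["ptx_dbm"], JAMMER["gtx_dbi"],
                      RX_GAIN_DBI, freq_hz, d_jammer_m)
    return signal / jam


def max_link_distance(d_jammer_m):
    """Longest sender distance that still gives SNR >= 1.

    Wavelength and receive gain cancel in the ratio, so only the
    radiated-power gap and the jammer distance matter.
    """
    gap_db = ((NODE["ptx_dbm"] + NODE["gtx_dbi"])
              - (JAMMER["ptx_dbm"] + JAMMER["gtx_dbi"]))
    return d_jammer_m * math.sqrt(db_to_linear(gap_db))


def jammed_links(freq_hz, links):
    """True for every link whose SNR falls below the page's threshold of 1."""
    return [snr(freq_hz, d_n, d_j) < 1 for d_n, d_j in links]


if __name__ == "__main__":
    print("SNR, 10 m link, jammer at 300 m:", snr(2405e6, 10.0, 300.0))
    print("max link distance, jammer at 300 m:", max_link_distance(300.0))
    print("jammed:", jammed_links(2405e6, SAMPLE_LINKS))
```

Under these assumptions a fixed-frequency link only survives when the sender is far closer to the receiver than the jammer is, and the ratio is the same at 2405 MHz and 915 MHz because the wavelength cancels.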
The placement of the jammer and nodes/sink on the plane
is random (see Fig. 2). We assume absence of obstacles and
also line-of-sight between the jammer and the nodes. The blue
outlined rectangle with caption “A” represents the attacker
(jammer), the circle with caption “1” the sink while the other
numbered circles denote the sensor nodes.
Figure 2. Jammer and WSN simulated topology.
In our first simulation the WSN follows the ZigBee
protocol (DSSS modulation) and the nodes are using the first
ZigBee channel with center frequency 2405 MHz and 3 MHz
bandwidth. We assume that the attacker has the capability for
barrage jamming [a] in the entire channel and the output power
is 100 watt for every MHz in the 3 MHz range. Fig. 3
illustrates the simulation results. It is noted that reported
results have been averaged over ten individual simulation
runs. The SNR for the sink and the nodes is ~0.4, therefore
the WSN is completely out of order and the packet loss is
100%.
Figure 3. SNR ratio for simulated WSN (2405 MHz jamming)
[Plot: Signal To Noise Ratio (y-axis, 0 to 0.5) versus Number of
Sensors (x-axis, 1 to 120).]
[a] In barrage jamming a range of frequencies is jammed at the same time.
Fig. 4 summarizes the results of jamming in the 915 MHz band.
The jamming is once again very effective with SNR far below
1. Consequently the packet loss is 100%. The final conclusion
from these simulation results is that for a WSN that follows
the ZigBee communications protocol, a powerful jamming
attack can be disastrous for the network, even if the output
power of the nodes reaches 4 dBm (typically the output power
is 0 dBm).
Figure 4. SNR ratio for simulated WSN (915 MHz jamming)
[Plot: Signal To Noise Ratio (y-axis, 0 to 0.6) versus Number of
Sensors (x-axis, 1 to 120).]
In the following simulation we consider a network of
Hermes nodes. We investigate a jamming scenario wherein
the attacker is able to generate 5 MHz barrage jamming with
equal output power of 100 watt per MHz. Therefore, one
channel of the 55 at a time can be jammed. In our simulation
the time interval is 12 seconds. The secret word used for
generating FHSS channels and DSSS PN code is ‘aris’.
Each simulation run lasts for 1 minute while the overall
packet traffic is 10,000 packets/minute for the entire WSN
(packet inter-arrival times follow a Gaussian distribution).
Taking into account that Hermes hops 100,000 channels per
second the frequency channels used per 12 seconds are
1,200,000. Simulation results are illustrated in Fig. 5.
Notably, Hermes nodes achieve a rather high packet success
delivery rate (~ 98%) and a limited number of jammed
channels. Hence, a WSN composed of Hermes nodes is
expected to operate efficiently even under heavy barrage
jamming attacks.
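The channel-sequence and PN-code derivation of Section IV, combined with the single-jammed-channel scenario above, as an added example (not the authors' simulator). The page gives no values for a and c; a = 1 and c = 38 are assumed because they reproduce the step between consecutive channels in the page's 'aris' list, and the jammed channel number is constructed.

```python
M = 55        # FHSS channels (from the page)
A, C = 1, 38  # ASSUMED: the page gives no a, c; these reproduce the step
              # between consecutive channels in its 'aris' list

# The 16 channels the page lists for the secret word 'aris'.
PAGE_CHANNELS = [41, 24, 7, 45, 28, 11, 49, 32, 15, 53, 36, 19, 2, 40, 23, 6]


def seed_from_secret(secret):
    """X(0): sum of the characters' ASCII codes, reduced mod 55."""
    return sum(ord(ch) for ch in secret) % M


def hop_sequence(x0, n, a=A, c=C, m=M):
    """Channels X(1)..X(n) from X(k+1) = (a*X(k) + c) mod m."""
    seq, x = [], x0
    for _ in range(n):
        x = (a * x + c) % m
        seq.append(x)
    return seq


def pn_code(channels):
    """Odd channel number -> bit 1, even channel number -> bit 0."""
    return "".join("1" if ch % 2 else "0" for ch in channels)


def cycle_length(x0, a=A, c=C, m=M):
    """Number of hops after which the channel sequence repeats."""
    seen, x, k = {}, x0 % m, 0
    while x not in seen:
        seen[x] = k
        x = (a * x + c) % m
        k += 1
    return k - seen[x]


def clear_hop_fraction(x0, jammed, hops):
    """Share of hops that land outside the jammed channel set."""
    seq = hop_sequence(x0, hops)
    return sum(ch not in jammed for ch in seq) / hops


def distinct_pn_codes():
    """How many different 16-bit PN codes the 55 possible seeds can yield."""
    return len({pn_code(hop_sequence(s, 16)) for s in range(M)})


if __name__ == "__main__":
    seed = seed_from_secret("aris")
    print("seed X(0):", seed)
    print("PN code from the page's channel list:", pn_code(PAGE_CHANNELS))
    print("cycle length:", cycle_length(seed))
    print("clear hops, one jammed channel:", clear_hop_fraction(seed, {10}, 5500))
    print("distinct PN codes over all seeds:", distinct_pn_codes())
```

With one of 55 channels jammed, 54/55 (about 98.2%) of hops stay clear, in line with the ~98% delivery rate reported here. The seed is order-insensitive and takes at most 55 values, which bounds the number of hop sequences and PN codes and is one reason the conclusions call for a stronger generator.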
Figure 5. Simulation results for packet success delivery rate.
[Plot: Packet Success Delivery Rate % (y-axis, 98 to 98.3) versus
Simulation Elapsed Time (x-axis, 1 to 59).]
VI. CONCLUSIONS AND FUTURE WORK
In this article, we presented Hermes, a prototype node capable
of performing frequency hopping along with DSSS to
effectively defend against jamming attacks. Our simulations have
shown that Hermes nodes guarantee a satisfactory packet
success delivery rate even in heavily jammed environments,
as opposed to typical sensor node communication schemes.
Admittedly, the implementation of the Hermes node is not a
straightforward task due to the technologies that are
incorporated, hence a significant amount of research is
needed in various fields. First, a radio unit that complies with
the Hermes standards needs to be designed along with a new
communication protocol that uses the 5 GHz band. Also, a
more secure algorithm for generation of frequency change is
needed. The algorithm must put minimum burden on the nodes'
processor and be difficult to reverse-engineer.
Our future research will focus on the implementation of the
Hermes node, along with its testing in heavily jammed
environments.
REFERENCES
[1] Borland Delphi, www.borland.com/delphi.
[2] J.A. Gutierrez, E.H. Callaway, R. Barrett, “IEEE 802.15.4 Low-Rate
    Wireless Personal Area Networks”, ISBN 0-7381-3677-5 SS95127,
    October 2003.
[3] Y.W. Law, L. van Hoesel, J. Doumen, P.H. Hartel, P.J.M. Havinga,
    “Energy-Efficient Link-Layer Jamming Attacks Against Wireless
    Sensor Network MAC Protocols”, Proceedings of SASN’2005,
    pp. 76-88, 2005.
[4] Schleher, D. Curtis: Electronic Warfare in the Information Age. Artech
    House, Norwood MA, p.605, 1999.
[5] A.D. Wood, J.A. Stankovic, S.H. Son, “JAM: A Jammed-Area
    Mapping Service for Sensor Networks”, 24th IEEE Real-Time Systems
    Symposium (RTSS’2003), pp. 286-297, 2003.
[6] W. Xu, W. Trappe, Y. Zhang, T. Wood, “The Feasibility of Launching
    and Detecting Jamming Attacks in Wireless Networks”, Proceedings of
    the 6th ACM international symposium on Mobile ad hoc networking
    and computing, pp. 46-57, 2005.
[7] W. Xu, T. Wood, W. Trappe, and Y. Zhang. Channel surfing and
    spatial retreats: defenses against wireless denial of service. In WiSe ’04:
    Proceedings of the 2004 ACM workshop on Wireless security, pages
    80–89, New York, NY, USA, 2004.
[8] G. Zhou, T. He, J.A. Stankovic, T.F. Abdelzaher, “RID: Radio
    Interference Detection in Wireless Sensor Networks”, Proceedings of
    the IEEE INFOCOM’2005, 2005.
[9] ZigBee Alliance, http://www.zigbee.org.