Defending Wireless Sensor Networks from Jamming Attacks

Aristides Mpitziopoulos, Department of Cultural Technology and Communication, University of the Aegean, Mytilene, Greece, crmaris@aegean.gr
Damianos Gavalas, Department of Cultural Technology and Communication, University of the Aegean, Mytilene, Greece, dgavalas@aegean.gr
Grammati Pantziou, Department of Informatics, Technological Education Institute of Athens, Athens, Greece, pantziou@teiath.gr
Charalampos Konstantopoulos, Research Academic Computer Technology Institute, Patras, Greece, konstant@cti.gr

Abstract - Wireless sensor networks (WSNs) are used in many applications which often include the monitoring and recording of sensitive information. Hence, their critical importance raises many security concerns. In the context of WSNs, jamming is the type of attack which interferes with the radio frequencies used by network nodes. In the event that an attacker uses a rather powerful jamming source, disruptions of the WSN's proper function are likely to occur. As a result, the use of countermeasures against jamming in WSN environments is of immense importance. The main contribution of this article is the discussion of various defence methods against jamming that would allow a WSN to survive and work properly in a hostile jamming environment. Our focus is on frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS), two of the most effective countermeasures against jamming. We suggest the use of a specific FHSS technique in the 5 GHz band with 55 frequency channels, wherein the channel sequence is generated using a secret word, known only to the sink and the sensor nodes, as a seed. Each channel uses DSSS modulation with a 16-bit Pseudo Noise (PN) code, which derives from the same secret word used for FHSS channel generation.

I. INTRODUCTION

Most of the nodes deployed in contemporary WSNs are ZigBee [9] and IEEE 802.15.4 [2] compatible and use DSSS modulation. Notably, these protocols have not been originally designed taking radio jamming into account. The design of WSN nodes presents the same problem. Thus, with the typical WSNs in use today, no effective measures against jamming are possible, which represents a major security issue. In this article, we outline the possible jamming attack scenarios that a WSN may encounter. We propose the adaptation of a hybrid FHSS-DSSS concept to the particular requirements of WSNs (e.g. limited energy availability and transmission range) and explain a simple method to achieve fast and effective frequency synchronization of the nodes. The main contributions of this article are:
• proposal of several methods that could be implemented in a sensor node to effectively defend against jamming attacks;
• introduction of the design specifications of a prototype node, Hermes, that guarantees network operation even in heavily jammed environments;
• specification of a new communication scheme which borrows some features from ZigBee;
• evaluation and verification of the operation of Hermes nodes in worst-case jamming scenarios through extensive simulation tests that prove the pre-eminence of our method over alternative anti-jamming techniques.

The remainder of the paper is organized as follows: Section II reviews work related to our research, while Section III presents an overview of possible countermeasures against jamming. In Section IV, we describe the design of the Hermes node, proposed as an efficient anti-jamming node. Section V presents and analyzes various simulation results, while Section VI concludes the paper and presents future directions of our work.

II. RELATED WORK

To the best of our knowledge, there is no previous work discussing the design requirements of nodes that can effectively defend against jamming attacks. In [5] the detection and mapping of jammed regions is proposed in order to increase network efficiency.
However, this method presents several drawbacks: first, it cannot practically defend in the scenario where the attacker jams the entire WSN or a significant percentage of nodes; second, in the case where the attacker targets some specific nodes (e.g. those that guard a security entrance) to obstruct their data transmission, again this technique fails to protect the nodes under attack. Radio interference relations among the nodes of a WSN and the design of a radio interference detection protocol (RID) are discussed in [8]. However, jamming from external sources is not investigated, hence RID remains highly vulnerable to jamming attacks. Law et al. [3] examine link-layer jamming algorithms and conclude that in typical contemporary WSN systems no effective measures against link-layer jamming are possible. They recommend: (a) encrypting link-layer packets to ensure a high entry barrier for jammers, (b) the use of spread spectrum hardware, and (c) the use of a TDMA protocol. Yet, neither a specific hardware design nor a new efficient communication protocol is proposed, as we do herein. Xu et al. [6] proposed two evasion strategies against constant jammers: channel surfing and spatial retreat. Channel surfing is essentially an adaptive form of FHSS. Instead of hopping continuously from one channel to another, a node switches to a different channel only when it discovers that the current channel is being jammed. Spatial retreat is an algorithm according to which two nodes move in Manhattan distances to escape from a jammed region. The main shortcoming of the two above-mentioned strategies is that they are effective only against constant jammers and have no effect against more intelligent or follow-on jammers. Furthermore, Xu et al. in [7] explore various techniques for detecting the presence of jamming attacks in WSNs. Their focus is on the analysis and detection of jamming signals and they do not deal with effective countermeasures against jamming.
In summary, existing research efforts attempted to solve jamming attacks based on existing hardware and communications protocols. Herein, we propose the implementation of innovative hardware that incorporates the most efficient countermeasures against jamming attacks, along with a new communication scheme which inherits some characteristics from ZigBee.

III. COUNTERMEASURES AGAINST JAMMING

In this section we present some methods that may help a node to deal with a possible radio jamming scenario.

A. Regulated transmitted power

Using low transmitted power decreases the probability of discovery by an attacker (an attacker must first locate the target before transmitting a jamming signal). Higher transmitted power implies higher resistance against jamming, because a stronger jamming signal is needed to overcome the original signal.

B. Hybrid FHSS-DSSS

Hybrid FHSS-DSSS communication between WSN nodes represents a promising anti-jamming measure. In general terms, direct-sequence systems achieve their processing gain through interference attenuation, using a wider bandwidth for signal transmission, while frequency hopping systems achieve their processing gain through interference avoidance. Consequently, using both of these modulations, resistance to jamming may be highly increased. Also, hybrid FHSS-DSSS compared to standard FHSS or DSSS modulation provides better low-probability-of-detection/low-probability-of-interception (LPD/LPI) properties. Fairly specialized interception equipment is required to mirror the frequency changes uninvited. It is stressed, though, that both the frequency sequence and the PN code of DSSS must be known to recover the original signal. Thus hybrid FHSS-DSSS improves the ability to combat the near-far problem which arises in DSSS communication schemes.
Another desirable feature is the ability to adapt to a variety of channel problems. In the remainder of the article we analyze how hybrid FHSS-DSSS could be combined in a sensor node and make it almost invulnerable to jamming. We named this prototype node Hermes.

IV. THE HERMES NODE

Hermes nodes use an advanced radio unit capable of hybrid FHSS-DSSS communication. Hermes will also have the ability to regulate its transmitted power. In low-probability-of-detection (LPD) operation, transmission power will be kept low (0 dBm). In case of a strong received signal or interference, it will boost transmitted power in anti-jam (AJ) mode to 4 dBm.

Figure 1. PIC16C84 - AD7008 DDS for fast frequency hopping, able to jump frequencies at up to 100,000 hops per second.

It is noted that contemporary fast-follower military jammers are capable of jamming FHSS communications that perform even thousands of hops/sec [4]. Nevertheless, small circuits like the one shown in Fig. 1 will make Hermes capable of performing 100,000 frequency hops/sec and less vulnerable to jamming by fast-follower jammers. To further hinder potential attackers, the use of DSSS modulation is proposed. The main advantage of this approach is that the attacker receives a signal that resembles white noise and cannot detect the communication radio band. As a result, the attacker will monitor the entire band without being aware whether the received signal is noise or actual data (the attacker would have to discover not only the frequency hopping sequence but also the direct sequence PN code). Furthermore, taking into account the limited transmitting power of Hermes in LPD mode, the task of the attacker is even more difficult, since a very sensitive radio receiver is required; even then, it would not be feasible to monitor the entire WSN but only a part of it, unless a number of receivers are scattered in the WSN field.
The band that we propose for communication among Hermes nodes is the unlicensed 5 GHz band (5650 MHz to 5925 MHz). Since the 2.4 GHz band is heavily used (802.11b/g WLANs, Bluetooth), using the 5 GHz band gives Hermes the advantage of restricted interference. Also, as the frequency rises the transmitted signal beam becomes narrower and more directional, and covers less distance than, e.g., a signal of the same output power in the 2.4 GHz band. In the 5 GHz band that we propose, there is 275 MHz of bandwidth available for spread-spectrum transmission. The same digital modulation that ZigBee incorporates will be used (O-QPSK for the 5 GHz band). Hermes will have 55 frequency channels for FHSS, with 5 MHz of bandwidth each available for DSSS. Each channel will use DSSS modulation with 270 kHz modulating (pre-spreading) bandwidth and 5 MHz total (two-sided) spread-spectrum signal bandwidth, and hence a 12.67 dB processing gain. The resulting raw, over-the-air data rate is approximately 252 kbps per channel in the 5 GHz band.

The Hermes node, as noted above, will perform frequency hops 100,000 times/sec. The sequence of channels used will be determined by a channel sequence generation algorithm that uses as a seed a secret word known only to the nodes and the sink (for security reasons it will be 'hard-coded' onto nodes prior to the WSN deployment). A simple, fast and secure way to generate the sequence is to employ the linear congruential method [6]. That method is an efficient way to generate a sequence of pseudo-random numbers, based on the recursive function:

$X(n+1) = (a\,X(n) + c) \bmod m, \quad n \ge 0$    (1)

where:
m = 55 (the number of available channels)
a, c: constants
X(0), the starting number (seed), 0 ≤ X(0) ≤ 55

In our proposed scheme, each character of the secret word is first converted to its corresponding ASCII code. The sum of the individual ASCII codes generates the seed X(0). If the sum exceeds 55, then X(0) = sum mod 55. The Hermes node will have a DSSS chip with a 5 MHz chip rate. The PN code, 16 bits long, will also be derived from the seed as follows: for each of the first 16 frequency channels X(1), …, X(16) generated by the recursive function (1), we map the corresponding bit of the 16-bit PN code. If the channel number is odd, the corresponding PN code bit equals 1; if the channel number is even, the bit equals 0. Using 'aris' as the secret word, the first 16 generated channels are 41, 24, 7, 45, 28, 11, 49, 32, 15, 53, 36, 19, 2, 40, 23, 6, so the PN code is 1011011011010010. For even more enhanced security, the PN code may periodically change, using different channel numbers at a time for generating the PN code bits.

After the deployment of the WSN, the sink will be able to change the secret word using the secure hybrid FHSS-DSSS data scheme. A problem that will arise is that once the network has been deployed, any new joining nodes will not be able to communicate with their peers, since they will not be aware of the secret word and thus the PN code. To overcome this problem, we propose to hard-code the current secret word on any new joining node.

Clearly, our proposed scheme requires precise synchronization of communicating nodes so as to perform simultaneous frequency hops. The synchronization signal could be transmitted by the sink to the whole network using some nodes as routers. The basic idea is that an already synchronized node will transmit the synchronization signal to its adjacent nodes. In the end, all the nodes will be synchronized with the sink. Any new joining node could request synchronization from an adjacent, already synchronized node by transmitting a special signal at a specific frequency. Another solution to the synchronization problem could be the use of GPS receivers in some nodes; however, that would drastically increase the cost, while GPS signals would also be vulnerable to jamming.

V. SIMULATION RESULTS

Our simulation tests have been conducted with a simulation tool (see Fig. 2) that we developed using the Borland Delphi [1] programming language. We have examined a variety of scenarios taking into account various aspects (e.g. jammer and node antenna gain, path loss, etc.). Table 1 shows the simulation parameters, along with the configuration of the jammer and the nodes/sink. As mentioned in Section 4, if SNR < 1 then jamming is considered effective and therefore packet loss reaches 100%. In our simulations the power output of the nodes' radio unit (4 dBm) is the same as that of a Bluetooth class 2 radio and provides a 10 m range in the 2.4 GHz band (in clear terrain, lacking obstacles and interference).

TABLE 1. SIMULATION PARAMETERS

Terrain                         650 m × 450 m
# nodes (including the sink)    120
# jammers                       1
Nodes & jammer placement        Random
Traffic per minute (# packets)  10,000

JAMMER CONFIGURATION
Power output for frequencies used in simulations   50 dBm (100 Watt)
Antenna transmit gain                              15 dBi
Type of antenna                                    Directional
Polarization                                       Circular

NODES/SINK CONFIGURATION
Power output for frequencies used in simulations   4 dBm (2.5 mWatt)
Antenna transmit gain                              3 dBi
System gain                                        85 dBm
Type of antenna                                    Omni-directional

Path loss has been modeled using the Friis equation (2). This equation gives a more complete accounting of all the factors from the transmitter to the receiver. Path loss simply reflects the power loss of spreading the energy of an RF signal of a given frequency (f) out equally over a sphere whose radius (d) is equal to the distance between the transmitter and the receiver.

$P_{Rx} = \dfrac{P_{Tx}\, G_{Tx}\, G_{Rx}\, \lambda^2}{16\,\pi^2\, d^2\, L}$    (2)

where:
G_Tx: transmitter antenna gain
G_Rx: receiver antenna gain
λ: wavelength (same units as d)
d: distance between Tx and Rx antennas
L: system loss factor (≥ 1)

The placement of the jammer and nodes/sink on the plane is random (see Fig. 2). We assume absence of obstacles and also line-of-sight between the jammer and the nodes.
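The seed, channel-sequence and PN-code derivation of Section IV, written out as an added example; this is not code from the paper. The paper does not give the constants a and c, so the example assumes a = 1, c = 38, because consecutive channels in the paper's 'aris' list differ by 38 mod 55. Under that assumption the listed channels follow from X(0) = 3, whereas the stated ASCII-sum rule gives X(0) = 46 for 'aris', so the paper's exact generator cannot be recovered from the page and the PN mapping is checked against the listed channels directly. The period and Hull-Dobell checks are added to show why the paper's conclusion asks for a generator that is harder to reverse-engineer: with m = 55, the only LCG that visits all 55 channels is a fixed cyclic shift.

```python
"""Seed, LCG channel sequence and PN code of the Hermes scheme (added example, not the paper's code)."""
from math import gcd

M = 55          # m in equation (1): number of FHSS channels
PN_BITS = 16    # length of the DSSS PN code
A_ASSUMED, C_ASSUMED = 1, 38   # ASSUMPTION: constants a, c are not given on the page

# Channels the paper lists for the secret word 'aris' (copied from the page).
PAPER_CHANNELS = [41, 24, 7, 45, 28, 11, 49, 32, 15, 53, 36, 19, 2, 40, 23, 6]


def seed_from_secret(word: str, m: int = M) -> int:
    """Paper's seed rule: sum of ASCII codes, reduced mod m only when the sum exceeds m."""
    total = sum(ord(ch) for ch in word)
    return total if total <= m else total % m


def lcg_sequence(x0: int, a: int, c: int, n: int, m: int = M) -> list:
    """X(1), ..., X(n) from the recursion X(n+1) = (a X(n) + c) mod m."""
    seq, x = [], x0
    for _ in range(n):
        x = (a * x + c) % m
        seq.append(x)
    return seq


def pn_code_from_channels(channels: list) -> str:
    """Paper's mapping: odd channel number -> bit 1, even -> bit 0, over the first 16 channels."""
    return "".join("1" if ch % 2 else "0" for ch in channels[:PN_BITS])


def lcg_period(x0: int, a: int, c: int, m: int = M) -> int:
    """Length of the cycle the hop sequence falls into; it can never exceed m."""
    seen, x, i = {}, x0, 0
    while x not in seen:
        seen[x] = i
        x = (a * x + c) % m
        i += 1
    return i - seen[x]


def _prime_factors(n: int) -> set:
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def has_full_period(a: int, c: int, m: int = M) -> bool:
    """Hull-Dobell theorem: the LCG visits all m residues iff gcd(c, m) = 1, every prime
    factor of m divides a - 1, and 4 divides a - 1 whenever 4 divides m.
    For m = 55 this forces a = 1 (mod 55), i.e. a plain cyclic shift by c."""
    if gcd(c, m) != 1:
        return False
    if any((a - 1) % p for p in _prime_factors(m)):
        return False
    if m % 4 == 0 and (a - 1) % 4:
        return False
    return True


if __name__ == "__main__":
    print("seed('aris') =", seed_from_secret("aris"))
    channels = lcg_sequence(3, A_ASSUMED, C_ASSUMED, PN_BITS)   # X(0)=3 reproduces the paper's list
    print("channels      =", channels)
    print("PN code       =", pn_code_from_channels(channels))
    print("period        =", lcg_period(seed_from_secret("aris"), A_ASSUMED, C_ASSUMED))
    print("full-period a values mod 55:", [a for a in range(M) if has_full_period(a, C_ASSUMED)])
```

With 100,000 hops/sec and a period of at most 55 states, the whole hop pattern repeats in under a millisecond, and a full-period generator mod 55 is just channel = (previous + c) mod 55; this is the concrete reason a heavier generator is needed for the channel sequence, as the paper's future work states.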
The blue outlined rectangle with caption "A" represents the attacker (jammer), the circle with caption "1" the sink, while the other numbered circles denote the sensor nodes.

Figure 2. Jammer and WSN simulated topology.

In our first simulation the WSN follows the ZigBee protocol (DSSS modulation) and the nodes use the first ZigBee channel, with center frequency 2405 MHz and 3 MHz bandwidth. We assume that the attacker has the capability for barrage jamming (a) in the entire channel, and the output power is 100 watt for every MHz in the 3 MHz range. Fig. 3 illustrates the simulation results. It is noted that reported results have been averaged over ten individual simulation runs. The SNR for the sink and the nodes is ~0.4; therefore the WSN is completely out of order and the packet loss is 100%.

Figure 3. SNR ratio for simulated WSN (2405 MHz jamming). [Plot: Signal To Noise Ratio (0 to 0.5) against Number of Sensors (1 to 120).]

Fig. 4 summarizes the results of jamming in the 915 MHz band. The jamming is once again very effective, with SNR far below 1. Consequently the packet loss is 100%. The final conclusion from these simulation results is that for a WSN that follows the ZigBee communications protocol, a powerful jamming attack can be disastrous for the network, even if the output power of the nodes reaches 4 dBm (typically the output power is 0 dBm).

Figure 4. SNR ratio for simulated WSN (915 MHz jamming). [Plot: Signal To Noise Ratio (0 to 0.6) against Number of Sensors (1 to 120).]

(a) In barrage jamming a range of frequencies is jammed at the same time.

In the following simulation we consider a network of Hermes nodes. We investigate a jamming scenario wherein the attacker is able to generate 5 MHz barrage jamming with equal output power of 100 watt per MHz. Therefore, one channel of the 55 at a time can be jammed. In our simulation the time interval is 12 seconds. The secret word used for generating the FHSS channels and the DSSS PN code is 'aris'. Each simulation run lasts for 1 minute, while the overall packet traffic is 10,000 packets/minute for the entire WSN (packet inter-arrival times follow a Gaussian distribution). Taking into account that Hermes hops 100,000 channels per second, the frequency channels used per 12 seconds are 1,200,000. Simulation results are illustrated in Fig. 5. Notably, Hermes nodes achieve a rather high packet success delivery rate (~98%) and a limited number of jammed channels. Hence, a WSN composed of Hermes nodes is expected to operate efficiently even under heavy barrage jamming attacks.
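A link-budget and hop-level view of the two simulation scenarios above, as an added example; it is not the paper's Delphi simulator. It evaluates equation (2) with the Table 1 parameters (node 4 dBm and 3 dBi, jammer 50 dBm and 15 dBi, L = 1; the receiver gain is taken as 1 and the distances are constructed inputs, since the page states neither) to obtain the SNR a receiver sees and apply the paper's SNR < 1 criterion, and for the Hermes case it counts how many hops of an LCG sequence (a = 1, c = 38 assumed, seed from 'aris' as in Section IV) land on the single channel that a 5 MHz barrage jammer occupies. The paper's 50 dBm is treated as the jammer power falling inside the victim channel.

```python
"""Friis-based SNR and hop-fraction view of the Section V scenarios (added example, not the paper's simulator)."""
import math

C_LIGHT = 299_792_458.0  # m/s

# Table 1 values copied from the paper; receiver gain and distances are assumptions.
NODE_P_DBM, NODE_G_DBI = 4.0, 3.0    # nodes/sink: 4 dBm (2.5 mW), 3 dBi omni-directional
JAM_P_DBM, JAM_G_DBI = 50.0, 15.0    # jammer: 50 dBm (100 W), 15 dBi directional
M_CHANNELS = 55                       # Hermes FHSS channels


def dbm_to_watt(dbm: float) -> float:
    return 10 ** ((dbm - 30.0) / 10.0)


def db_to_linear(db: float) -> float:
    return 10 ** (db / 10.0)


def friis_received_power(p_tx_w, g_tx, g_rx, freq_hz, d_m, loss=1.0):
    """Equation (2): P_Rx = P_Tx G_Tx G_Rx lambda^2 / (16 pi^2 d^2 L), all in linear units."""
    lam = C_LIGHT / freq_hz
    return p_tx_w * g_tx * g_rx * lam ** 2 / (16.0 * math.pi ** 2 * d_m ** 2 * loss)


def snr_at_receiver(node_d_m, jammer_d_m, freq_hz, g_rx=1.0):
    """Wanted node signal over jammer signal at one receiver, both via (2), line of sight assumed."""
    p_signal = friis_received_power(dbm_to_watt(NODE_P_DBM), db_to_linear(NODE_G_DBI),
                                    g_rx, freq_hz, node_d_m)
    p_jam = friis_received_power(dbm_to_watt(JAM_P_DBM), db_to_linear(JAM_G_DBI),
                                 g_rx, freq_hz, jammer_d_m)
    return p_signal / p_jam


def is_jammed(snr: float) -> bool:
    """Paper's criterion: SNR below 1 is taken as 100 % packet loss."""
    return snr < 1.0


def jammer_standoff_for_snr_one(node_d_m: float) -> float:
    """Jammer distance at which SNR is exactly 1 for a node node_d_m away from the receiver.
    Frequency and receiver gain cancel in the ratio, leaving d_j = d_n * sqrt(Pj*Gj / (Pn*Gn));
    a jammer closer than this drives the link below the SNR < 1 threshold."""
    pj = dbm_to_watt(JAM_P_DBM) * db_to_linear(JAM_G_DBI)
    pn = dbm_to_watt(NODE_P_DBM) * db_to_linear(NODE_G_DBI)
    return node_d_m * math.sqrt(pj / pn)


def hop_jammed_fraction(x0, a, c, n_hops, jammed_channel, m=M_CHANNELS):
    """Fraction of hops of X(n+1) = (a X(n) + c) mod m that land on the one jammed channel."""
    x, hits = x0, 0
    for _ in range(n_hops):
        x = (a * x + c) % m
        if x == jammed_channel:
            hits += 1
    return hits / n_hops


if __name__ == "__main__":
    snr = snr_at_receiver(node_d_m=10.0, jammer_d_m=300.0, freq_hz=2405e6)   # constructed distances
    print(f"ZigBee channel, node 10 m / jammer 300 m: SNR = {snr:.2e}, jammed = {is_jammed(snr)}")
    print(f"jammer must be farther than {jammer_standoff_for_snr_one(10.0):.0f} m for SNR >= 1")
    seed = sum(ord(ch) for ch in "aris") % M_CHANNELS          # 46, per the Section IV seed rule
    frac = hop_jammed_fraction(seed, 1, 38, 1_200_000, jammed_channel=0)  # 12 s at 100,000 hops/s
    print(f"Hermes: {frac:.4f} of hops on the jammed channel -> ~{100 * (1 - frac):.1f} % delivery")
```

Two points the numbers make: for a single fixed channel the SNR ratio is independent of frequency, so the 2405 MHz and 915 MHz runs fail for the same reason, and for Hermes a one-channel-at-a-time jammer can only reach about 1/55 of the hops (roughly 98.2 % delivery), which is the order of the ~98 % the paper reports.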
Figure 5. Simulation results for packet success delivery rate. [Plot: Packet Success Delivery Rate % (98 to 98.3) against Simulation Elapsed Time (1 to 59).]

VI. CONCLUSIONS AND FUTURE WORK

In this article, we presented Hermes, a prototype node capable of performing frequency hopping along with DSSS to effectively defend against jamming attacks. Our simulations have shown that Hermes nodes guarantee a satisfactory packet success delivery rate even in heavily jammed environments, as opposed to typical sensor node communication schemes. Admittedly, the implementation of the Hermes node is not a straightforward task due to the technologies that are incorporated, hence a significant amount of research is needed in various fields. First, a radio unit that complies with the Hermes standards needs to be designed, along with a new communication protocol that uses the 5 GHz band. Also, a more secure algorithm for the generation of frequency changes is needed. The algorithm must put minimum burden on the nodes' processor and be difficult to reverse-engineer. Our future research will focus on the implementation of the Hermes node, along with its testing in heavily jammed environments.

REFERENCES

[1] Borland Delphi, www.borland.com/delphi.
[2] J.A. Gutierrez, E.H. Callaway, R. Barrett, "IEEE 802.15.4 Low-Rate Wireless Personal Area Networks", ISBN 0-7381-3677-5 SS95127, October 2003.
[3] Y.W. Law, L. van Hoesel, J. Doumen, P.H. Hartel, P.J.M. Havinga, "Energy-Efficient Link-Layer Jamming Attacks Against Wireless Sensor Network MAC Protocols", Proceedings of SASN'2005, pp. 76-88, 2005.
[4] D. Curtis Schleher, Electronic Warfare in the Information Age, Artech House, Norwood MA, p. 605, 1999.
[5] A.D. Wood, J.A. Stankovic, S.H. Son, "JAM: A Jammed-Area Mapping Service for Sensor Networks", 24th IEEE Real-Time Systems Symposium (RTSS'2003), pp. 286-297, 2003.
[6] W. Xu, W. Trappe, Y. Zhang, T. Wood, "The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks", Proceedings of the 6th ACM International Symposium on Mobile Ad Hoc Networking and Computing, pp. 46-57, 2005.
[7] W. Xu, T. Wood, W. Trappe, Y. Zhang, "Channel Surfing and Spatial Retreats: Defenses Against Wireless Denial of Service", WiSe '04: Proceedings of the 2004 ACM Workshop on Wireless Security, pp. 80-89, New York, NY, USA, 2004.
[8] G. Zhou, T. He, J.A. Stankovic, T.F. Abdelzaher, "RID: Radio Interference Detection in Wireless Sensor Networks", Proceedings of IEEE INFOCOM'2005, 2005.
[9] ZigBee Alliance, http://www.zigbee.org.