SELFISH JAMMER DETECTION IN

MULTIPLE P2P COMMUNICATION

NETWORKS
Abstract- Cooperating jamming is an opportunistic a protocol with the primary goal to obtain performance
communication technology designed to help the source benefits itself, the attack is referred to as misbehavior. If the
node send the data simultaneously to cooperative node attacker does not directly manipulate protocol parameters but
can selfish jammer node detected in multiple p2p exploits protocol semantics and aims at indirect benefits by
communication networks. Selfish cooperative nodes are a unconditionally disrupting network operation, the attack is
serious security problem because they significantly termed jamming or Denial-of-Service (DoS), depending on
degrade the performance of a P2P communication whether one looks at the cause or the consequences of it.
networks. The proposed work provides selfish Misbehavior in wireless networks stems from the selfish
cooperative jammer detection technique, called inclination of wireless network entities to improve their own
COOPON, which will detect the attacks of selfish derived utility at the expense of other nodes’ performance
cooperative nodes by the cooperation of other legitimate deterioration, by deviating from legitimate protocol
neighboring nodes. The COOPON algorithm make use of operation at various layers. The utility is expressed in
the autonomous decision capability of an ad-hoc terms of consumed energy or achievable throughput on a
communication network based on exchanged information per link or end-to-end basis.
among neighboring nodes Keywords- Jamming, security, Wireless Sensor Networks (WSN) receives increasing
Jamming detection and mitigation, wireless sensor attention due to their wide application in military as well as
network. in living life [2]. The most essential applications are monitor
systems, such as military monitor system or security service
system. These applications can allow some normal messages
I. INTRODUCTION lost in a short period. It cannot tolerate the lost of numerous
The fundamental characteristic of wireless networks that packets or critical event messages. The attacker deploys the
renders them vulnerable to attacks is the broadcast nature of jammers randomly to jam the area. The jammers can disturb
their medium. This exposes them to passive and active the communication between sensor nodes or launch the radios
attacks, which are different in their nature and objectives frequency to interfere open wireless environment. Although
[1]. In the former ones, the malicious entity does not take the jammers are randomly deployed, the damage on the
any monitor systems is still markedly. The lost of some crucial
action apart from passively observing the ongoing messages may destroy the entire system.
communication that is, eavesdropping with the intention to Conventional cryptographic security mechanisms are
intervene with the privacy of network entities involved in the being translated to the sensor domain in order to defend
transaction. On the other hand, in active attacks the attacker is against attacks like packet injection and spoofing network
involved in transmission as well. Depending on attacker level control information. However, in spite of the progress
objectives, different terminology is used. If the attacker being made to apply network security in the sensor realm,
abuses sensor networks will remain vulnerable to attacks that target
their use of the wireless medium. IEEE 802.11 is based on a
carrier sensing approach to multiple accesses. Because of
their use of carrier sensing for medium access control
(MAC), these systems are susceptible to a simple and severe
jamming problem: an adversary can simply disregard the
medium access protocol and continually transmit on a
wireless
channel. By doing so, it prevents users from being able to C. Random
commence with legitimate MAC operations, or introduces jammer
packet collisions that force repeated backoffs, or even jam
transmissions.

Monitor Sensor

J
ammer Jamming Radio
Fig. 1 Illustration of jamming attacks

There are many different attack strategies an adversary can

use to jam wireless communications.

A. Constant
jammer
The constant jammer continually emits a radio signal,
and can be implemented using either a wave form generator
that continuously sends a radio signal [3] or a normal
wireless device that continuously sends out random bits to
the channel without following any MAC-layer etiquette [4].
Normally, the underlying MAC protocol allows legitimate
nodes to send out packets only if the channel is idle. Thus,
a constant jammer
can effectively prevent legitimate traffic sources from getting
hold of a channel and sending packets.

B. Deceptive
jammer
Instead of sending out random bits, the deceptive
jammer constantly injects regular packets to the channel
without any gap between subsequent packet transmissions.
As a result, a normal communicator will be deceived into
believing there is
a legitimate packet and be duped to remain in the receive
state. For example, in TinyOS, if a preamble is detected,
a node remains in the receive mode, regardless of whether
that node has a packet to send or not. Even if a node has
packets to send, it cannot switch to the send state because a
constant stream of incoming packets will be detected.
 Instead of continuously sending out a radio signal, a incurred cost for the attacker. With regard to the machinery
random jammer alternates between sleeping and and impact
jamming. Specifically, after jamming for a while, it turns
off its radio and enters a “sleeping” mode. It will resume
jamming after sleeping for some time. During its jamming
phase, it can behave like either a constant jammer or a
deceptive jammer. This jammer model tries to take energy
conservation into consideration, which is especially
important for those jammers that do not have unlimited power
supply.

D. Reactive
jammer
The three models discussed above are active jammers in
the sense that they try to block the channel irrespective of the
traffic pattern on the channel. Active jammers are usually
effective because they keep the channel busy all the time. An
alternative approach to jamming wireless communication is
to employ a reactive strategy. The reactive jammer stays
quiet when the channel is idle, but starts transmitting a radio
signal as soon as it senses activity on the channel. One
advantage of a reactive jammer is that it is harder to detect.

II. RELATED WORK

The work of [1] considers a scenario where a
sophisticated jammer jams an area in a single channel
wireless sensor network. The jammer controls the probability
of jamming and transmission range to cause maximal
damage to the network in terms of corrupted communication
links. The jammer action ceases when it is detected by a
monitoring node
in the network and a notification message is transferred out
of the jamming region. The jammer is detected at a monitor
node by employing an optimal detection test based
on the percentage of incurred collisions. The work of [5]
studies the jamming defense strategy over a single-radio
multi-channel network and presents two channel surfing
strategies, where the wireless channels are re-assigned or
dynamically switched under jamming attacks. The work of
[6] designs a jamming- resistant MAC protocol for single
hop wireless networks and the work of [7] evaluates the
throughput performance degradation of the IEEE 802.11
MAC protocol under various jamming models, including
periodic or memory less jammers, and channel oblivious or
channel-aware jammers. The work in [8] focuses on optimal
detection of access layer misbehaviour in terms of number of
required observation samples to derive a decision. The worst-
case attack is found out of the class of most significant
attacks in terms of incurred performance losses. The
framework captures uncertainty of attacks and the case of
intelligent attacker that can adapt its policy to delay its
detection. Jamming can disrupt wireless transmission and
occur either unintentionally in the form of interference, noise,
or collision at the receiver, or in the context of an attack.
A jamming attack is particularly effective from the
attacker’s point of view since, the adversary does not
need
special hardware to launch it, the attack can be implemented
by simply listening to the open medium and broadcasting in
the same frequency band as the network uses, and If
launched wisely, it can lead to significant benefits with small
of jamming attacks, they usually aim at the physical layer in from other nodes and need to be forwarded or they may be
the sense that they are realized by means of a high previously sent and
transmission power signal that corrupts a communication
link or an entire area. Conventional defense techniques
against physical layer jamming rely on spread spectrum
which can be too energy consuming for resource-constrained
sensors [9]. Jamming attacks also occur at the access layer,
whereby an adversary either corrupts control packets or
reserves the channel for the maximum allowable number of
slots, so that other nodes experience lower throughput by not
being able to access the channel [10]. The work in [11]
studies the problem of a legitimate node and a jammer
transmitting to a common receiver in an on-off mode in a
game-theoretic framework. Other jamming instances can
have impact on the network layer by malicious packet
injection along certain routes or at the transport layer by SYN
message flooding for instance.
The work in [12] presents attack detection in computer
networks based on observing the IP port scanning profile
prior to an attack and using sequential detection techniques.
The work [13] uses controlled authentication to detect spam
message attacks in wireless sensor networks launched by a
set of malicious nodes and addresses the trade-off between
resilience to attacks and computational cost. The work in
[14] considers passing attack notification messages out of
a jammed region by creation of wormhole links between
sensors, one of which resides out of the jammed area. The
links are created through frequency hopping over a channel
set either in a predetermined or in an ad hoc fashion.
In [15], a physical layer jammer termed constant jammer,
and three types of link layer jammer termed deceptive,
random, and reactive jammer are studied. The reactive
jammer is the most sophisticated one as it launches its attack
after sensing ongoing transmission. The authors propose
empirical methods based on signal strength and packet
delivery ratio measurements to detect jamming. In [16],
Channel surfing involves on-demand frequency hopping as a
countermeasure against jamming is studied. The case of an
attacker that corrupts broadcasts from a base station (BS) to
a sensor network is considered in [17]. The interaction
between the attacker and the BS is modelled as a zero-sum
game with a long-term payoff for the attacker. The
attacker selects the number of sensors it will jam and the
BS chooses the probability with which it will sample sensor
status with regard to message reception. This paper
investigates the jamming defense strategies via optimal
channel switching.

III. SYSTEM MODEL

A. Network
Model
This paper models a multi-hop multi-
channel
wireless network as a directed graph G= (V,E,C). The
network could use a set of orthogonal wireless channels
denoted by C. For example, in the IEEE 802.11b standard,
|C| = 3. Each node v is equipped with κ(v) radios. All nodes
are assumed to be continuously backlogged, so that there are
always packets in each node’s buffer in each slot. Packets can
be generated by higher layers of a node, or they may come
collided packets to be retransmitted. Here the term collision by the monitor node (i.e., collision/not collision) and decides
an event of multiple simultaneous transmissions received by whether there is an attack or not. On one hand, the
(not necessarily intended to) a node and no transmission observation window should
attempt by that node.

B. Jamming
Model
Consider a multi-hop wireless network under
jamming attacks. It has a constant traffic generating rate and
a jamming range. Assume that they are smart jammers that
can totally occupy the channels when sending jamming
traffic. Each network node is equipped with multiple radios
and each jamming node is equipped with one radio, which
can transmit
jamming data at any of these n channels. The jammer may
use its sensing ability in order to sense ongoing activity in
the network. Clearly, sensing ongoing network activity prior
to jamming is beneficial for the attacker in the sense that its
energy resources are not aimlessly consumed and the jammer
is not needlessly exposed to the network. The jammer
transmits a small packet which collides with legitimate
transmitted packets at their intended receivers. The goal
of this paper is to investigate the network restoration
schemes that can minimize the performance degradation in
the event of jamming attacks.

C. Attack Detection
Model
The network employs a mechanism for monitoring
network status and detecting potential malicious activity.
The monitoring mechanism consists of: 1) determination
of a
subset of nodes M that act as monitors, and 2) employment of
a detection algorithm at each monitor node. The assignment
of the role of monitor to a node is affected by potential
existing energy consumption and node computational
complexity limitations, and by detection performance
specifications.
This paper fixes attention to a specific monitor node
and the detection scheme that it employs. First, it need to
define the quantity to be observed at each monitor. In this
case, the
readily available metric is the probability of collision that a
monitor node experiences, namely the percentage of packets
that are erroneously received. During normal network
operation and in the absence of a jammer, it consider a large
enough training period in which the monitor node learns the
percentage of collisions it experiences as the long-term limit
of the ratio of number of slots where there was collision over
total number of slots of the training period. Now let the
network operate in the open after the training period has
elapsed and fix attention to a time window much smaller than
the training period. An increased percentage of collisions in
the time window compared to the learned long-term ratio
may be an indication of an ongoing jamming attack that
causes additional collisions. However, it may happen as well
that the network operates normally and there is just a
temporary irregular increase in the percentage of collisions
compared to the learned ratio for that specific interval. A
detection algorithm is part of the detection module at a
monitor node; it takes as input observation samples obtained
be small enough, such that the attack is detected in a timely is quantified by the average sample number (ASN), needed
manner and appropriate countermeasures are initiated. On until a decision is reached, where the expectation is with
the other hand, this window should be sufficiently large, such respect to the distribution of the observations.
that the chance of a false alarm notification is reduced.
The sequential nature of observations at consecutive IV. PROPOSED SYSTEM
time slots motivates the use of sequential detection
techniques. A sequential decision rule consists of: 1) a The proposed work provides selfish cooperative jammer
stopping time, indicating when to stop taking observations, detection technique, called COOPON, which will detect the
and 2) a final decision rule that decides between the two attacks of selfish cooperative nodes by the cooperation of other
hypotheses (i.e., occurrence or not of jamming). A sequential legitimate neighboring nodes. The COOPON algorithm make
decision rule is efficient if it can provide reliable decision as use of the autonomous decision capability of an ad-hoc
fast as possible. The probability of false alarm PFA and communication network based on exchanged information among
probability of missed detection PM constitute inherent trade- neighboring nodes .Our proposed COOPON selfish jammer
offs in a detection scheme in the sense that a faster decision node detection method is very reliable since it is based on
unavoidably leads to higher values of these probabilities deterministic information. We focus on selfish jammer node of
while lower values are attained at the expense of detection neighboring nodes toward multiple p2p communication
delay. For given values of PFA and PM, the detection test networks.
that minimizes the average number of required observations
(and thus average delay) to reach a decision among all ADVANTAGE
sequential and non sequential tests for which PFA and PM do
not exceed the predefined values above is Wald’s Sequential • Autonomous and cooperative characteristics for better
Probability Ratio Test (SPRT) [18]. When SPRT is used for detection reliabilities.
sequential testing between two hypotheses concerning two
probability distributions, SPRT is optimal in that sense as • Reduce computational complexity of the power
well [19]. optimization.
SPRT collects observations until significant evidence
• Higher Reliability.
in favor of one of the two hypotheses is accumulated. After
each observation at the kth stage, choose between the • Lower Complexity.
following options: accept one or the other hypothesis
and stop Dijkstra’s algorithm
observing, or defer decision for the moment and obtain
another observation k + 1. In SPRT, there exist two One algorithm for finding the shortest path from a starting node
thresholds a and b that aid the decision. The computed figure to a target node in a weighted graph is Dijkstra’s algorithm.
of merit at each step is the logarithm of the likelihood ratio The algorithm creates a tree of shortest paths from the starting
of the accumulated sample vector until that step. In this case, vertex, the source, to all other points in the graph.
the test is between hypotheses H0 and H1 that involve
Bernoulli with probability mass functions (p.m.fs.) f0 and Dijkstra’s algorithm, published in 1959 and named after its
f1 defined by Pr(c=1) = θi=1 - Pr(C=0) where c = 1 denotes creator Dutch computer scientist Edsger Dijkstra, can be applied
the event of collision in a slot. That is, H0 concerns the on a weighted graph. The graph can either be directed or
hypothesis about absence of jamming with Bernoulli p.m.f. undirected. One stipulation to using the algorithm is that the
f0 with parameter θ0, while H1 corresponds to the hypothesis graph needs to have a nonnegative weight on every edge.
of jamming with a Bernoulli p.m.f. f1 with parameter θ1.
Dijkstra's algorithm in action on a non-directed graph Suppose a
Thus, the logarithm of likelihood ratio at stage k with student wants to go from home to school in the shortest possible
accumulated samples x1,…..,xk is:
way. She knows some roads are heavily congested and difficult
to use. In Dijkstra's algorithm, this means the edge has a large
weight--the shortest path tree found by the algorithm will try to
avoid edges with larger weights. If the student looks up
where f1(x1,….xk) is the joint probability mass function of directions using a map service, it is likely they may use
sequence (x1,….xk) based on hypothesis Hi, for I = 0,1. Dijkstra's algorithm, as well as others.
The decision is taken based on the following criteria:

Sk > a : accept H1,

Sk < b : accept H0,
b ≤ Sk < a : take another observation.

The objective of the detection rule is to minimize

the number of required observation samples to derive a
decision about existence or not of jamming. The detection
performance
 [4] W. Xu et al., “The Feasibility of Launching and Detecting
V. CONCLUSION Jamming Attacks in Wireless Net works,” MobiHoc ’05: Proc. 6th
By using the deterministic channel allocation ACM Int’l. Symp. Mobile Ad Hoc Net. and Comp., 2005, pp. 46–57.
[5] W. Xu, W. Trappe, and Y. Zhang, “Channel Surfing:
information, COOPON which gives very highly reliable selfish Defending
attack detection results by simple computing. The proposed Wireless Sensor Networks from Interference,” in Proc. Of Information
reliable and simple computing technique can be well fitted for Processing in Sensor Networks, 2007.
[6] B. Awerbuch, A. Richa, and C. Scheideler, “A Jamming-
practical use in the future. A new approach is designed for Resistant MAC Protocol for Single-Hop Wireless Networks,” in
cognitive radio ad-hoc networks. This make use of ad-hoc Proc. Of Principles of Distributed Computing, 2008.
network advantages such as autonomous and cooperative [7] Bayraktaroglu, C. King, X. Liu, G. Noubir, R. Rajaraman, and
characteristics for better detection reliabilities.For future work B.
Thapa, “On the Performa nce of IEEE 802.11 under Jamming,” in
cryptographic model and game theory to do theoretical analysis Proc. of IEEE INFOCOM, 2008.
of more than one selfish SU in a neighbor, which gives less [8] S. Radosavac, I. Kout sopoulos, and J.S. Baras, “A Framework
detection accuracy.
for MAC Protocol Misbehavior Detection in Wireless Networks,”
Proc. ACM Workshop Wireless Security (WiSe), 2005.
[9] A.D. Wood and J.A. Stankovic, “Denial of Service in
REFERENCES Sensor
[1] Optimal Jamming Attack Strategies and Net work Defense Policies Networks,” Computer, vol. 35, no. 10, pp. 54-62, Oct 2002.
in Wireless Sensor Net works Mingyan Li, Member, IEEE, [10] R. Negi and A. Perrig, “Jamming Analysis of MAC
Iordani s Kout sopoulos, Member, IEEE, and Radha Protocols,”
Poovendran, Senior Member, IEEE.. IEEE transactions on mobile Carnegie Mellon Technical Memo, 2003.
computing, vol. 9, no. 8, August 2010. [11] R. Mallik, R. Scholtz, and G. Papavassilopoulos, “Analysi s of an
[2] F. Akyildiz, W. Su, Y. Sankara subramaniam, and E. Cayirci, “A On- Off Ja mming Situation as a Dynamic Game,” IEEE Trans.
survey on sensor net works”, Communications Magazine IEEE, Vol. Comm., vol. 48, no. 8, pp. 1360-1373, Aug. 2000.
40, issue. [12] Jung, V. Paxson, A.W. Berger, and H. Balakrishnan, “Fast Portscan
8, Aug. 2002, pp. 102–114. Detection Using Sequential Hypothesis Testing,” Proc. IEEE Symp
Security and Privacy, 2004.
[3] W. Xu et al., “Channel Surfing and Spatial Retreats: Defenses
[13] Coskun, E. Cayirci, A. Levi, and S. Sancak, “Quarantine Region
Against
Scheme to Mitigate Spa m Attacks in Wireless Sensor Networks,”
Wireless Denial of Service,” Proc. 2004 ACM Wksp. Wireless
IEEE Trans. Mobile Computing, vol. 5, pp. 1074-1086, Aug 2006.
Security,
[14] M. Cagalj, S. Capkun, and J.-P. Hubaux, “Wormhole-Based Anti-
2004, pp. 80–89.
Jamming Techniques in Sensor Net works,” IEEE Trans.
Mobile Computing, vol. 6, no. 1, pp. 1-15, Jan. 2007.
[15] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The Feasibility of
Launching and Detecting Jamming Attacks in Wireless Net
works,” Proc. ACM MobiHoc, 2005.
[16] W. Xu, T. Wood, W. Trappe, and Y. Zhang, “Channel
Surfing:Defending Wireless Sensor Net works from Interference,”
Proc. IEEE Int’l Conf. Information Processing in Sensor Networks
(IPSN),
[17] J.M. McCune, E. Shi, A. Perrig, and M.K. Reiter, “Detection of
Denial-of-Message Attacks on Sensor Network Broadcasts,” Proc.
IEEE Symp. Security and Privacy, 2005.
[18] Wald, Sequential Analysis. Wiley,
1947.
[19] V.P. Dragalin, AG. Tartakovsky, and V.V. Veeravalli,
“Multihypothesis Sequential Probability Ratio TestsPart I:
Asymptotic Optimality,” IEEE Trans. Information Theory, vol. 45,
no. 7, pp. 2448-
2461, Nov. 1999.