
Theory Project


Theory:

JAMMING AND ANTI-JAMMING ATTACKS IN WLANS:


WLANs become increasingly important as they carry even more data traffic
than cellular networks. With the proliferation of wireless applications in smart
homes, smart buildings, and smart hospital environments, securing WLANs
against jamming attacks is of paramount importance. In this section, we study
existing jamming attacks and anti-jamming techniques for a WLAN as shown
in Fig. 2, where one or more malicious jamming devices attempt to disrupt
wireless connections of Wi-Fi devices. Prior to that, we first review the MAC
and PHY layers of WLANs, which will lay the knowledge foundation for our
review on existing jamming/anti-jamming strategies.
A. A Primer of WLANs

As shown in Fig. 2, WLANs are the most dominant wireless connectivity infrastructure for short-range and high-throughput Internet services and have been widely deployed in population-dense scenarios such as homes, offices, campuses, shopping malls, and airports. Wi-Fi networks have been designed based on the IEEE 802.11 standards, and the 802.11a/g/n/ac standards are widely used in various commercial Wi-Fi devices such as smartphones, laptops, printers, cameras, and smart televisions. Most Wi-Fi networks operate in the unlicensed industrial, scientific, and medical (ISM) frequency bands, which offer 14 overlapping 20 MHz channels at 2.4 GHz and 28 non-overlapping 20 MHz channels at 5 GHz [37]. Most Wi-Fi devices are limited to a maximum transmit power of 100 mW, with a typical indoor coverage range of 35 m. A Wi-Fi network can cover up to a 1 km range in outdoor environments in an extended coverage setting.
1) MAC-Layer Protocols: Wi-Fi devices use CSMA/CA as their MAC protocol for channel access. A Wi-Fi user must sense the channel before it sends its packets. If the channel is sensed busy, the user waits for a DIFS time window and backs off its transmission for a random amount of time. If the user cannot access the channel in one cycle, it stops its random back-off countdown and waits for the channel to be idle for the DIFS duration. In this case, the user can immediately access the channel, since users that have waited longer have priority over users that recently joined the network. The CSMA/CA MAC protocol, however, suffers from the hidden node problem, which refers to the case where one access point (AP) can receive from two nodes, but those two nodes cannot receive from each other. If both nodes sense the channel idle and send their data to the AP, a packet collision occurs at the AP. The RTS/CTS (Request-to-Send and Clear-to-Send) protocol was invented to mitigate the hidden node problem, and Fig. 3 shows its mechanism. A transmitter that intends to access the channel waits for the DIFS duration. If the channel is sensed idle, the transmitter sends an RTS packet that identifies the receiver and the duration required for the data transmission. Every node receiving the RTS sets its Network Allocation Vector (NAV) to defer its own channel access attempt until the subsequent frame exchange has completed. While previous and current Wi-Fi networks (e.g., 802.11g, 802.11n and 802.11ac) use the distributed CSMA/CA protocol for medium access control, the next-generation 802.11ax Wi-Fi networks (marketed as Wi-Fi 6) come with a centralized architecture with features such as OFDMA, both uplink and downlink MU-MIMO, trigger-based random access, spatial frequency reuse, and target wake time (TWT) [39], [40]. Despite these new features, 802.11ax devices will be backward compatible with predecessor Wi-Fi devices. Therefore, the jamming attacks and anti-jamming techniques designed for 802.11n/ac Wi-Fi networks also apply to the upcoming 802.11ax Wi-Fi networks.
2) Frame Structures: Most Wi-Fi networks use OFDM modulation at the PHY
layer for both uplink and downlink transmissions. Fig. 4(a) shows the legacy
Wi-Fi (802.11a/g) frame, which consists of preamble, signal field, and data
field. The preamble comprises two STFs and two LTFs, mainly used for frame
synchronizations and channel estimation purposes. In particular, STF consists
of ten identical symbols and is used for start-of-packet detection, coarse time
and frequency synchronizations. LTF consists of two identical OFDM symbols
and is used for fine packet and frequency synchronizations. LTF is also used
for channel estimation and equalization. Following the preamble, the signal
(SIG) field carries the necessary packet information such as the adopted
modulation and coding scheme (MCS) and the data part’s length. SIG field is
always transmitted using BPSK modulation for minimizing the error probability
at the receiver side. Data field carries user payloads and user-specific
information. Wi-Fi may use different MCS (e.g., OQPSK, 16-QAM, 64-QAM)
for data bits modulation, depending on the link quality. Four pilot signals are
also embedded into four different tones (subcarriers) for further residual
carrier and phase offset compensation in the data field. Fig. 4(b) shows the
VHT format structure used by 802.11ac. As shown in the figure, it consists of
L-STF, L-LTF, L-SIG, VHT-SIG-A, VHT-STF, VHT-LTF, VHT-SIG-B, and Data
Field. To maintain backward compatibility with 802.11a/g, the L-STF, L-LTF, and L-SIG in the VHT frame are the same as those in Fig. 4(a). VHT-SIG-A and VHT-SIG-B serve a purpose similar to the header field (HT-SIG) of 11n and the SIG field of 11a. In 802.11ac, the signal fields are SIG-A and SIG-B. They describe the channel bandwidth and the modulation and coding, and indicate whether the frame is for a single user or multiple users. These fields are only used by 11ac devices and are ignored by 11a and 11n devices. VHT-STF has the same function as the non-HT STF field: it assists the 11ac receiver in detecting the repeating pattern. VHT-LTF consists of a sequence of symbols and is used for demodulating the rest of the frame. Its length depends on the number of transmitted streams and can be 1, 2, 4, 6, or 8 symbols. It is mainly
used for channel estimation purposes. Data field carries payload data from
the upper layers. When there are no data from upper layers, the field is
referred to as the null data packet (NDP) and is used for measurement and
beamforming sounding purposes by the physical layer.
3) PHY-Layer Signal Processing Modules: Fig. 5 shows the PHY-layer signal
processing framework of a legacy WiFi transceiver. On the transmitter side,
the data bitstream is first scrambled and then encoded using a convolutional
or LDPC encoder. The coded bits are modulated according to the pre-
selected MCS index. Then, the modulated data and pilot signals are mapped
onto the scheduled subcarriers and converted to the time domain using
OFDM modulation (IFFT operation). Following the OFDM modulation, the
cyclic prefix (CP) is appended to each OFDM symbol in the time domain. After
that, a preamble is attached to the time-domain signal. Finally, the output
signal samples are up-converted to the desired carrier frequency and
transmitted over the air using a radio frequency (RF) front-end module.
Referring to Fig. 5 again, on the receiver side, the received radio signal is down-converted to baseband I/Q signals, which are then digitized by ADC modules. The start of a packet can be detected by auto-correlating the received sample stream with a copy of itself delayed by one OFDM symbol, which reveals the two transmitted STF signals within the frame. The received STF signals can be used to coarsely estimate the carrier frequency offset; correcting that offset in turn improves the timing synchronization accuracy. Timing synchronization can be done by cross-correlating the received signal with a local copy of the LTF signal at the receiver. LTF is also used for fine frequency offset correction. Once the signal
is synchronized, it is converted into the frequency domain using the OFDM
demodulation, which comprises CP removal and FFT operation. The received
LTF symbols are used to estimate the wireless channel between the Wi-Fi
transmitter and receiver for each subcarrier. Channel smoothing, which refers
to interpolating the estimated channel for each subcarrier using its adjacent
estimated subcarriers’ channels, is usually used to suppress the impact of
noise in the channel estimation process. The estimated channels are then
used to equalize the channel distortion of the received frame in the frequency
domain. The received four pilots are used for residual carrier frequency, and
phase offsets correction. After phase compensation, the received symbols are
mapped into their corresponding bits. This process is called symbol-to-bit
mapping. Following the symbol-to-bit mapping, convolutional or LDPC
decoder and descrambler are applied to recover the transmitted bits. The
recovered bits are fed to the MAC layer for protocol-level interpretation.
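The receiver-side synchronization chain just described (STF delay-and-correlate detection, coarse CFO from the auto-correlation phase, CFO correction, then LTF cross-correlation for fine timing and residual CFO) is worth seeing as working code, because it is exactly the stage that the preamble attacks discussed later try to break. The following is an added example written for this page, not code from the original text or from any of the cited works. It uses 802.11a/g sample counts (20 MHz, 16-sample short symbol repeated ten times, 64-sample long symbol with a 32-sample guard interval) but constructed pseudo-random QPSK training sequences rather than the standard's real values, a constructed test capture, and a flat channel with only CFO and AWGN as impairments.

```python
import cmath
import math
import random

FS = 20e6           # 802.11a/g baseband sample rate, 20 MHz
STF_PERIOD = 16     # samples in one short-training-symbol repetition
STF_REPS = 10       # the STF is ten identical short symbols (160 samples)
LTF_LEN = 64        # one long training symbol spans one OFDM symbol
LTF_CP = 32         # guard interval preceding the two LTF symbols
QPSK = [complex(a, b) / math.sqrt(2) for a in (1, -1) for b in (1, -1)]

def make_training(seed=1):
    """Constructed QPSK training sequences (not the standard's real values)."""
    rng = random.Random(seed)
    short = [rng.choice(QPSK) for _ in range(STF_PERIOD)]
    long_sym = [rng.choice(QPSK) for _ in range(LTF_LEN)]
    stf = short * STF_REPS
    ltf = long_sym[-LTF_CP:] + long_sym + long_sym
    return stf, ltf, long_sym

def apply_channel(samples, cfo_hz, noise_std, rng):
    """Impair a sample stream with a constant carrier frequency offset and AWGN."""
    out = []
    for n, x in enumerate(samples):
        rot = cmath.exp(1j * 2 * math.pi * cfo_hz * n / FS)
        out.append(x * rot + complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std)))
    return out

def make_test_signal(start=200, cfo_hz=50e3, noise_std=0.05, seed=7):
    """Constructed capture: silence, then STF + LTF + 64 random data samples."""
    rng = random.Random(seed)
    stf, ltf, _ = make_training()
    data = [rng.choice(QPSK) for _ in range(64)]
    return apply_channel([0j] * start + stf + ltf + data, cfo_hz, noise_std, rng)

def stf_detect(rx, lag=STF_PERIOD, window=STF_PERIOD * (STF_REPS - 1), threshold=0.9):
    """Delay-and-correlate start-of-packet detection on the repeating STF.

    P(d) correlates the stream with itself delayed by one repetition period and
    R(d) is the matching energy; |P|/R approaches 1 only while the window sits
    on the STF. Returns (coarse_index, coarse_cfo_hz) at the first crossing of
    the threshold. The index may lead the true start by a few samples; the CFO
    comes from the phase P accumulates over `lag` samples.
    """
    for d in range(len(rx) - window - lag):
        p = sum(rx[d + k].conjugate() * rx[d + k + lag] for k in range(window))
        r = sum(abs(rx[d + k + lag]) ** 2 for k in range(window))
        if r > 0 and abs(p) / r >= threshold:
            return d, cmath.phase(p) * FS / (2 * math.pi * lag)
    return None, 0.0

def correct_cfo(rx, cfo_hz):
    """Counter-rotate the stream by the estimated offset."""
    return [x * cmath.exp(-1j * 2 * math.pi * cfo_hz * n / FS) for n, x in enumerate(rx)]

def ltf_fine_sync(rx, long_sym, search_from, search_len=400, threshold=0.8):
    """Cross-correlate with the local LTF symbol to pin the first LTF boundary.

    Returns (packet_start, residual_cfo_hz); the residual offset is read from
    the phase rotation between the two identical LTF symbols.
    """
    full = sum(abs(c) ** 2 for c in long_sym)
    end = min(len(rx) - 2 * LTF_LEN, search_from + search_len)
    for m in range(search_from, end):
        c = sum(long_sym[k].conjugate() * rx[m + k] for k in range(LTF_LEN))
        if abs(c) >= threshold * full:
            y1, y2 = rx[m:m + LTF_LEN], rx[m + LTF_LEN:m + 2 * LTF_LEN]
            q = sum(a.conjugate() * b for a, b in zip(y1, y2))
            residual = cmath.phase(q) * FS / (2 * math.pi * LTF_LEN)
            return m - (STF_PERIOD * STF_REPS + LTF_CP), residual
    return None, 0.0

def synchronise(rx, long_sym):
    """Full chain: STF coarse detection + CFO, correction, LTF fine timing + CFO."""
    coarse, cfo_coarse = stf_detect(rx)
    if coarse is None:
        return None, 0.0
    start, residual = ltf_fine_sync(correct_cfo(rx, cfo_coarse), long_sym, coarse)
    return start, cfo_coarse + residual

if __name__ == "__main__":
    capture = make_test_signal()
    print(synchronise(capture, make_training()[2]))
```

Running the chain on the constructed capture recovers the packet start exactly and the 50 kHz offset to within a few hundred hertz. The STF metric is a plateau, so on its own it only gives coarse timing; the LTF cross-correlation peak is what pins the symbol boundary, which is why an attack that spoils either the STF repetition or the LTF correlation peak is enough to derail decoding of the whole frame.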

B. Jamming Attacks:
1) Generic Jamming Attacks: While there are many jamming attacks that were
originally proposed for Wi-Fi networks, they can also be applied to other types
of wireless systems.

Constant Jamming Attacks: Constant jamming attacks refer to the scenario where the malicious device broadcasts a powerful signal all the time. Constant jamming attacks not only destroy legitimate users’ packet reception by introducing high-power interference to their data transmissions, but they also prevent them from accessing the channel by continuously occupying it. In constant jamming attacks, the jammer may target the entire or a fraction of the
channel bandwidth occupied by legitimate users [31], [33]. In [41], Karishma
et al. analyzed the performance of legacy Wi-Fi communications under
broadband and partial-band constant jamming attacks through theoretical
exploration and experimental measurement. The authors conducted
experiments to study the impact of jamming power on Wi-Fi communication
performance when the data rate is set to 18 Mbps. Their experimental results
show that a Wi-Fi receiver fails to decode its received packets under
broadband jamming attack (i.e., 100% packet error rate) when the received
desired signal power is 4 dB less than the received jamming signal power
(i.e., signal-to-jamming power ratio, abbreviated as SJR, less than 4 dB). The
theoretical analysis in [41], [42] showed that Wi-Fi communication is more
resilient to partial-band jamming than broadband jamming attacks. The
experimental results in [41] showed that, for a jamming signal whose bandwidth equals one subcarrier spacing (i.e., 312.5 kHz), Wi-Fi communication fails when SJR < −19 dB. In [34], Vanhoef et al. used a
commercial Wi-Fi dongle and modified its firmware to implement a constant
jamming attack. To do so, they disabled the CSMA protocol, backoff
mechanism, and ACK waiting time. To enhance the jamming effect, they also
removed all interframe spaces and injected many packets for transmissions.

Reactive Jamming Attacks: A reactive jamming attack is also known as a channel-aware jamming attack, in which a malicious jammer sends an
interfering radio signal when it detects legitimate packets transmitted over the
air [43]. Reactive jamming attacks are widely regarded as an energy-efficient
attack strategy since the jammer is active only when there are data
transmissions in the network. A reactive jamming attack, however, imposes tight timing constraints (e.g., less than one OFDM symbol, 4 µs) on a real-world implementation because the jammer must switch from listening mode to transmitting mode quickly. In practice, a jammer may be triggered either by channel energy sensing or by detection of part of a legitimate packet (e.g., preamble detection). In [44], Prasad et al. implemented a reactive jamming attack in
legacy Wi-Fi networks using the energy detection capability of cognitive radio
devices. In [45], [46], Yan et al. studied a reactive jamming attack where a
jammer sends a jamming signal after detecting the preamble of the
transmitted Wi-Fi packets. By doing so, the jammer is capable of effectively
attacking Wi-Fi packet payloads. In [47], Schulz et al. used commercial off-the-shelf (COTS) smartphones to implement an energy-efficient reactive jammer in Wi-Fi networks. Their scheme can also reply with ACK packets to the legitimate transmitter to hijack its retransmission protocol, so that a complete Wi-Fi packet loss results whenever a packet error occurs. In [48], Bayraktaroglu et al. evaluated the performance of Wi-Fi
networks under reactive jamming attacks. Their experimental results showed
that reactive jamming could result in a near-zero throughput in real-world Wi-
Fi networks. In [34], Vanhoef et al. implemented a reactive jamming attack
using a commercial off-the-shelf Wi-Fi dongle. The device decodes the
header of an on-the-air packet to carry out the attack implementation, stops
receiving the frame, and launches the jamming signal.

Deceptive Jamming Attacks: In deceptive jamming attacks, the malicious jamming device sends meaningful radio signals to a Wi-Fi AP or legitimate Wi-Fi client devices, with the aim of wasting a Wi-Fi network’s time, frequency, and/or energy resources and preventing legitimate users from accessing the channel. In [49], Broustis et al. implemented a deceptive jamming attack using a commercial Wi-Fi card. The results in [49] showed that a low-power deceptive jammer could easily force a Wi-Fi AP to allocate all the network’s resources to processing and replying to fake signals issued by the jammer, leaving no resources for the AP to serve the legitimate users in the network. In [50], Gvozdenovic et al. proposed a deceptive jamming attack on Wi-Fi networks called truncate after preamble (TaP) jamming and evaluated its performance on a USRP-based testbed. A TaP attacker lures legitimate users into waiting for a large number of packet transmissions by sending them only the packets’ preamble and the corresponding signal field header.

Random and Periodic Jamming Attacks: Random jamming attack (a.k.a. memoryless jamming attack) refers to the type of jamming attack where a jammer sends jamming signals for random periods and sleeps for the rest of the time. This type of jamming attack allows the jammer to save more energy compared to a constant jamming attack. However, it is less destructive than a constant jamming attack. Periodic jamming attacks are a variant of random jamming attacks, where the jammer sends periodic pulses of jamming signals. In [48], the authors investigated the impact of random and periodic jamming attacks on Wi-Fi networks. Their experimental results showed that the impact of random and periodic jamming attacks becomes more significant as the duty cycle of the jamming signal increases. The experimental results in [48] also showed that, for a given network throughput degradation and jamming pulse width, the periodic jamming attack consumes less energy than the random jamming attack. It is noteworthy that, compared to the random jamming attack, the periodic jamming attack bears a higher probability of being detected, as it follows a predictable transmission pattern.
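The last point, that a periodic jammer is easier to detect than a memoryless one because its pattern is predictable, can be shown with a small defender-side monitor. The following is an added example written for this page, not code from the original text or from [48]. It assumes the monitor has already thresholded per-slot received energy into a 0/1 channel-busy indicator (a helper for that step is included), and it works on constructed indicator sequences: it estimates the jammer's duty cycle and then looks for the strongest peak of the mean-removed circular autocorrelation over lags of two slots or more. A periodic pulse train scores close to 1 at its period; a memoryless on/off pattern has no dominant lag and scores near zero. Constant and idle channels are handled as their own verdicts because the autocorrelation is undefined for them.

```python
import random

def busy_sequence_periodic(n_slots, period, pulse_width):
    """Constructed channel-busy indicator for a periodic pulse jammer."""
    return [1 if (i % period) < pulse_width else 0 for i in range(n_slots)]

def busy_sequence_random(n_slots, duty, seed=3):
    """Constructed indicator for a memoryless jammer: each slot jammed with probability `duty`."""
    rng = random.Random(seed)
    return [1 if rng.random() < duty else 0 for _ in range(n_slots)]

def energy_to_busy(energy_dbm, threshold_dbm):
    """Threshold per-slot received energy (dBm) into a 0/1 busy indicator."""
    return [1 if e >= threshold_dbm else 0 for e in energy_dbm]

def circular_autocorr(x, lag):
    """Mean-removed, energy-normalised circular autocorrelation at one lag."""
    n = len(x)
    mean = sum(x) / n
    c = [v - mean for v in x]
    energy = sum(v * v for v in c)
    if energy == 0:
        return 0.0
    return sum(c[i] * c[(i + lag) % n] for i in range(n)) / energy

def analyse(busy, periodic_threshold=0.9):
    """Duty cycle plus a periodicity test.

    The strongest autocorrelation peak over lags >= 2 is ~1 for a periodic pulse
    train and small for a memoryless jammer. Lag 1 is skipped because any bursty
    jammer (periodic or not) correlates with itself one slot later.
    """
    n = len(busy)
    duty = sum(busy) / n
    if duty == 0.0:
        return {"duty_cycle": duty, "period": None, "score": 0.0, "verdict": "idle"}
    if duty == 1.0:
        return {"duty_cycle": duty, "period": None, "score": 0.0, "verdict": "constant"}
    best_lag, best = None, -2.0
    for lag in range(2, n // 2 + 1):
        r = round(circular_autocorr(busy, lag), 9)   # rounding makes ties deterministic
        if r > best:
            best_lag, best = lag, r
    verdict = "periodic" if best >= periodic_threshold else "random"
    return {"duty_cycle": duty, "period": best_lag, "score": best, "verdict": verdict}

if __name__ == "__main__":
    print(analyse(busy_sequence_periodic(200, period=10, pulse_width=3)))
    print(analyse(busy_sequence_random(200, duty=0.3)))
```

Once the period is known, the same monitor can also report the jammer's pulse width (the run length of 1s within one period), which is the parameter [48] ties to energy cost; a constant jammer, by contrast, is trivially visible from its duty cycle alone.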

Frequency Sweeping Jamming Attacks: As discussed earlier, there are multiple channels available for Wi-Fi communications in the ISM bands. A low-cost jammer is constrained by its hardware circuitry (attacking a large number of channels simultaneously would require a very high ADC sampling rate and a broadband power amplifier). Frequency-sweeping jamming attacks were proposed to get around this constraint: the jammer quickly switches (e.g., within about 10 µs) between different channels. In [51], Bandaru analyzed Wi-Fi networks’ performance under frequency-sweeping jamming attacks at 2.4 GHz, where there are only 3 non-overlapping 20 MHz channels. The preliminary results in [51] showed that the sweeping jammer could decrease the total Wi-Fi network throughput by more than 65%.
2) Wi-Fi-Specific Jamming Attacks: While the above jamming attacks are generic and can apply to any type of wireless network, the following jamming attacks are dedicated to the PHY signal processing and MAC protocols of Wi-Fi networks.
Jamming Attacks on Timing Synchronization: As shown in Fig. 5, timing
synchronization is a critical component of the Wi-Fi receiver to decode the
data packet. Various jamming attacks have been proposed to thwart the
signal timing acquisition and disrupt the start-of-packet detection procedure,
such as false preamble attack, preamble nulling attack, and preamble warping
attack [32], [52], [53]. These attacks were carefully designed to thwart the timing synchronization process at a Wi-Fi receiver. The false preamble attack [52], [53], also known as preamble spoofing, is a simple method that manipulates the timing synchronization output by injecting the same preamble signal as that in legitimate Wi-Fi packets. As a result, a Wi-Fi receiver will not be capable of decoding the desired data packet because its correlation peak detection fails. The preamble nulling attack [52], [53] is another form of timing synchronization attack. In this attack, the jammer attempts to nullify the received preamble energy at the Wi-Fi receiver by sending an inverted version of the preamble sequence in the time domain. The preamble nulling attack, however, requires perfect knowledge of the network timing, so it is hard to realize in real Wi-Fi networks. Moreover, the preamble nulling attack may have considerable error since the channels are random and unknown to the jammer. The preamble warping attack [52], [53] is designed to disable the STF-based auto-correlation synchronization at a Wi-Fi receiver by transmitting the jamming signal on the subcarriers where the STF should have zero data.

Jamming Attacks on Frequency Synchronization: For a Wi-Fi receiver, carrier frequency offset may cause subcarriers to deviate from mutual
orthogonality, resulting in interchannel interference (ICI) and SNR
degradation. Moreover, carrier frequency offset may introduce an undesired
phase deviation for modulated symbols, thereby degrading symbol
demodulation performance. In [54], Shahriar et al. argued that, under off-tone
jamming attacks, the orthogonality of subcarriers in an OFDM system would
be destroyed. This idea has been used in [55], where the jammer takes down
802.11ax communications by using 20–25% of the entire bandwidth to send
an unaligned jamming signal. In Wi-Fi communications, the frequency offset is estimated by correlating the received preamble signal in the time domain. Hence, the preamble attacks proposed for thwarting timing synchronization can also be used to defeat the frequency offset correction functionality. In [56], two attacks were proposed to disrupt frequency synchronization: the preamble phase warping attack and the differential scrambling attack. In the preamble phase warping attack, the jammer sends a frequency-shifted version of the preamble, causing an error in frequency offset estimation at the Wi-Fi receiver. The differential scrambling attack
targets the coarse frequency correction in Fig. 5, where STF is used to
estimate the carrier frequency. The jammer transmits interfering signals
across the subcarriers used in STF, aiming to distort the periodicity pattern of
the received preamble required for frequency offset estimation.
Jamming Attacks on Channel Estimation: As shown in Fig. 5, channel
estimation and channel equalization are essential modules for a Wi-Fi
receiver. Any malfunction in their operations is likely to result in a false frame
decoding output. A Wi-Fi receiver uses the received frequency-domain
preamble sequence to estimate the channel frequency response of each
subcarrier. A natural method to attack channel estimation and channel
equalization modules is to interfere with the preamble signal. Per [52], [57],
the preamble nulling attack can also be used to reduce the channel estimation
process’s accuracy. The simulation results in [57] showed that preamble nulling attacks are highly efficient in terms of active jamming time and power while still degrading network performance significantly. However, it would be hard to implement preamble nulling attacks in real-world scenarios due to the timing and frequency mismatches between the jammer and the legitimate target device. The impact of synchronization mismatches on preamble nulling attacks has been studied in [58]. In [59] and [60], Sodagari et al. proposed singularity jamming attacks on MIMO-OFDM communication networks such as 802.11n/ac, LTE, and WiMAX, intending to minimize the rank of the estimated channel matrix on each subcarrier at the
receiver. Nevertheless, the proposed attack strategies require the global
channel state information (CSI) to be available at the jammer to design the
jamming signal.

Jamming Attacks on Cyclic Prefix (CP): Since most wireless communication systems employ OFDM modulation at the physical layer and every OFDM symbol has a CP, jamming attacks on OFDM symbols’ CP have attracted many research efforts. In [61], Scott et al. introduced a CP jamming attack, where a jammer targets the CP samples of each transmitted OFDM symbol, as shown in Fig. 6. The authors showed that the CP jamming attack is an effective and efficient approach to break down any OFDM communications such as Wi-Fi. The CP corruption can easily lead to a false output of linear channel equalizers (e.g., ZF and MMSE). Moreover, the authors also showed that the CP jamming attack saves more than 80% energy compared to constant jamming attacks in pulling down Wi-Fi transmissions. However, the jamming attack on CP is challenging to implement, as it requires the jammer to have a precise estimate of the network transmission timing.

Fig. 7: The beamforming sounding protocol in 802.11 VHT Wi-Fi networks.

Jamming Attacks on MU-MIMO Beamforming: Given the asymmetry of antenna configurations at an AP and its serving client devices in Wi-Fi networks, recent Wi-Fi technologies (e.g., IEEE 802.11ac and IEEE 802.11ax) support multi-user MIMO (MU-MIMO) transmissions in their downlink, where a multi-antenna AP can simultaneously serve multiple single-antenna (or multi-antenna) users using beamforming techniques [37]. To design beamforming precoders (a.k.a. the beamforming matrix), a Wi-Fi AP must obtain an estimate of the channels between its antennas and all served users. Per
IEEE 802.11ac standard, the channel estimation procedure in VHT Wi-Fi
communications is specified by the following three steps: First, the AP
broadcasts a sounding packet to the users. Second, each user estimates its
channel using the received sounding packet. Third, each user reports its
channel estimation results to the AP. Fig. 7 shows the beamforming sounding
protocol in VHT Wi-Fi networks. The AP issues a null data packet
announcement (NDPA) in order to reserve the channel for channel sounding
and beamforming processes. Following the NDPA signaling, the AP
broadcasts a null data packet (NDP) as the sounding packet. The users use
the preamble transmitted within the NDP to estimate the channel frequency
response on each subcarrier. Then, the Givens Rotations technique is
generally used to decrease the channel report overhead, where a series of
angles are sent back to the AP as the compressed beamforming action frame
(CBAF), rather than the original estimated channel matrices. The AP uses
beamforming report poll frame (BRPF) to manage the report transmissions
among users. In [62], Patwardhan et al. studied the VHT Wi-Fi beamforming
vulnerabilities. They have built a prototype of a radio jammer using a USRP-
based testbed that jams the NDP transmissions such that the users will no
longer be able to estimate their channels and then report false CBAFs. Their
experimental results showed that, in the presence of the NDP jamming attack,
less than 7% of packets could be successfully beamformed in MU-MIMO
transmission.
Jamming Attacks on MAC Protocols: A series of MAC-layer jamming attacks, also called intelligent jamming attacks, have been proposed in [63], [64], aiming to degrade Wi-Fi communications’ performance. The main focus of intelligent jamming attacks is on corrupting the control packets, such as CTS and ACK packets, used by Wi-Fi MAC protocols. In the CTS attack, the jammer listens for the RTS packet transmitted by an active node, waits a SIFS time slot from the end of the RTS, and jams the CTS packet. Failing to decode the CTS packet simply stops the data communication. A similar idea was proposed to attack ACK packet transmissions. As the transmitter cannot receive the ACK packet, it retransmits the data packet. Retransmission continues until the TCP limit is reached or an abort is issued to the application. An intelligent jamming attack can also target the data packet, where the jammer senses the RTS and CTS and sends the jamming signal following a SIFS time slot. Per [63], [64], DIFS wait jamming is another form of MAC-layer attack, in which the jammer continuously monitors the channel traffic and sends a short pulse jamming signal when it senses the channel idle for a DIFS period, aiming to cause interference for the next transmission. Also, per [65], MAC-layer jamming attacks can be designed to keep the medium busy, preventing other nodes from accessing the channel by sending fake RTS packets to reserve the channel for the longest possible duration. In [34], Vanhoef et al. implemented a selfish jamming attack in Wi-Fi networks using a cheap commercial Wi-Fi dongle. The dongle’s firmware was specifically modified to disable the backoff mechanism and shrink the SIFS time window to implement the attack.

Algorithm Attacks on Rate Adaptation: In Wi-Fi networks, rate adaptation algorithms (RAAs) were mainly designed to select a proper modulation and coding scheme (MCS) for data modulation. RAAs can be considered a defense mechanism to overcome lossy channels in the presence of low-power interference and jamming signals. However, the pattern designed into RAAs can be targeted by a jammer to degrade the network throughput below a certain threshold. RAAs change the transmission MCS based on statistics of successfully and unsuccessfully decoded packets. Automatic Rate Fallback (ARF) [69], SampleRate [70], and ONOE [71] are the main RAAs used in commercial Wi-Fi devices. In [66], Noubir et al. investigated the RAAs’ vulnerabilities against periodic jamming attacks. In [67] and [68], Orakcal et al. evaluated the performance of the ARF and SampleRate RAAs under reactive jamming attacks. The simulation results showed that, in order to keep the throughput below a certain threshold in Wi-Fi point-to-point communications, a higher RoJ is required for the ARF RAA than for the SampleRate RAA, where the RoJ is defined as the ratio of the number of jammed packets to the total number of transmitted packets. This reveals that the SampleRate RAA is more vulnerable to jamming attacks.

3) A Summary of Jamming Attacks: Table III summarizes existing jamming attacks in WLANs. We hope such a table will facilitate the audience’s reading and offer a high-level picture of different jamming attacks.

C. Anti-Jamming Techniques

In this subsection, we review existing anti-jamming countermeasures proposed to eliminate or alleviate the impacts of jamming threats in WLANs. In what follows, we categorize the existing anti-jamming techniques into the following classes: channel hopping, MIMO-based jamming mitigation, coding protection, rate adaptation, and power control. We note that, given the destructiveness of jamming attacks and the complex nature of WLANs, there are no generic solutions that can tackle all types of jamming attacks.
1) Channel Hopping Techniques: Channel hopping is a low-complexity
technique to improve the reliability of wireless communications under
intentional or unintentional interference. Channel hopping has already been
implemented in Bluetooth communications to enhance its reliability against
undesired interfering signals and jamming attacks. In [72], Navda et al.
proposed to use channel hopping to protect Wi-Fi networks from jamming
attacks. They implemented a channel hopping scheme for Wi-Fi networks in a
real-world environment. Based on their experimental results, the reactive jamming attack can decrease Wi-Fi network throughput by 80%. It was also shown that, by using the channel hopping technique, 60% of the Wi-Fi network throughput achieved without jamming could be retained in the presence of reactive jamming attacks. In [73], Jeung et al. used the two concepts of window dwelling and a deception mechanism to secure WLANs against reactive jamming attacks. Window dwelling refers to adjusting the Wi-Fi packets’ transmission time based on the jammer’s capability. Their proposed deception mechanism leverages an adaptive channel hopping mechanism in which the jammer is lured into attacking inactive channels.
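Channel hopping only helps against a reactive jammer if the jammer cannot predict where the link goes next, so the hop sequence has to be unpredictable to outsiders yet reproducible by both ends. The following is an added example written for this page, not the schemes of [72] or [73]: it derives each slot's channel from HMAC-SHA256 over a shared secret and the slot index (an assumption of this example, not something the page specifies), maps a synchronised clock to slot indices, and measures how often a jammer that simply retunes to the channel it observed in the previous slot would land on the live channel. The channel sets are constructed: the three non-overlapping 2.4 GHz channels the text mentions, and a hypothetical short list of 5 GHz channel numbers used only to show how much a larger pool helps.

```python
import hashlib
import hmac

# Constructed channel sets for illustration only.
CHANNELS_2G = [1, 6, 11]                              # the 3 non-overlapping 20 MHz channels
CHANNELS_5G = [36, 40, 44, 48, 149, 153, 157, 161]    # hypothetical subset of 5 GHz channels

def channel_for_slot(key: bytes, slot: int, channels) -> int:
    """Channel for one hop slot: HMAC-SHA256(key, slot) reduced onto the channel list.

    Without the key the next channel is unpredictable; with it, every node
    computes the same sequence. The modulo reduction has a negligible bias for
    channel lists this short relative to the 32-bit tag prefix.
    """
    tag = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return channels[int.from_bytes(tag[:4], "big") % len(channels)]

def hop_sequence(key: bytes, n_slots: int, channels):
    return [channel_for_slot(key, s, channels) for s in range(n_slots)]

def channel_for_time(key: bytes, t_ms: int, dwell_ms: int, channels) -> int:
    """Both sides map their (synchronised) clock to a slot index, then to a channel."""
    return channel_for_slot(key, int(t_ms // dwell_ms), channels)

def follower_hit_rate(seq) -> float:
    """Fraction of slots in which a jammer that retunes to the channel it saw in
    the previous slot ends up on the live channel. With k channels this tends
    to 1/k, which is why a richer channel pool gives hopping most of its value."""
    hits = sum(1 for i in range(1, len(seq)) if seq[i] == seq[i - 1])
    return hits / (len(seq) - 1)

if __name__ == "__main__":
    key = b"constructed-shared-secret"   # placeholder; real deployments provision this out of band
    print(hop_sequence(key, 12, CHANNELS_2G))
    print(follower_hit_rate(hop_sequence(key, 200, CHANNELS_2G)),
          follower_hit_rate(hop_sequence(key, 200, CHANNELS_5G)))
```

The dwell time is the tunable the text calls window dwelling: a shorter dwell forces the jammer to re-detect and retune more often, at the cost of more hopping overhead, and the hit-rate function gives a quick way to compare channel pools before choosing one.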

2) Spectrum Spreading Technique: Spectrum spreading is a classical wireless technique that has been used in several real-world wireless systems such as 3G cellular, ZigBee, and 802.11b. It is well known to be resilient to narrowband interference and narrowband jamming attacks. 802.11b employs
DSSS to enhance link reliability against undesired interference and jamming
attacks. It uses an 11-bit Barker sequence for 1 Mbps and 2 Mbps data rates,
and an 8-bit complementary code keying (CCK) for 5.5 Mbps and 11 Mbps
data rates. In [41], Karishma et al. evaluated the resiliency of DSSS in
802.11b networks against broadband, constant jamming attacks through
simulation and experiments. Their simulation results show that the packet
error rate hits 100% when SJR < −3 dB for 1 Mbps data rate, when SJR < 0
dB for 2 Mbps data rate, when SJR < 2 dB for 5.5 Mbps data rate, and when
SJR < 5 dB for 11 Mbps data rate. Their experimental results show that an
802.11b Wi-Fi receiver fails to decode its received packets when received
SJR < −7 dB for 1 Mbps data rate, when SJR < −4 dB for 2 Mbps data rate,
when SJR < −1 dB for 5.5 Mbps data rate, and when SJR < 2 dB for 11 Mbps
data rate. In addition, [74] evaluated the performance of 11 Mbps 802.11b
DSSS communications under periodic and frequency sweeping jamming
attacks. The results show that 802.11b is more resilient against periodic and
frequency sweeping jamming attacks compared to OFDM 802.11g.

3) MIMO-based Jamming Mitigation Techniques: Recently, MIMO-based jamming mitigation techniques have emerged as a promising approach to salvage wireless communications in the face of jamming attacks. In [45], [46], Yan et al. proposed a jamming-resilient wireless communication scheme using MIMO technology to cope with reactive jamming attacks in OFDM-based Wi-Fi networks. The proposed anti-jamming scheme employs a MIMO-based interference mitigation technique to decode the data packets in the face of the jamming signal by projecting the mixed received signals onto the subspace orthogonal to the subspace spanned by the jamming signals. The projected signal can be decoded using existing channel equalizers such as the zero-forcing technique. However, this anti-jamming technique requires knowledge of the channel state information of both the desired user and the jammer.
Conventionally, a user’s channel can be estimated in this case because the
reactive jammer starts transmitting jamming signals in the aftermath of
detecting the preamble of a legitimate packet. Therefore, the user’s received
preamble signal is not jammed. Moreover, it is shown in [45] that the complete
knowledge of the jamming channel is not necessary, and the jammer’s
channel ratio (i.e., jammer’s signal direction) suffices. Based on this
observation, the authors further proposed inserting known pilots in the frame
and using the estimated user’s channel to extract the jammer’s channel ratio.
In [75], a similar idea called multi-channel ratio (MCR) decoding was
proposed for MIMO communications to defend against constant jamming
attacks. In the proposed MCR scheme, the jammer’s channel ratio is first
estimated by the received signals at each antenna when the legitimate
transmitter stays silent. The jammer’s channel ratio and the preamble in the
transmitted frame are then used to estimate the projected channel
component, which are later deployed to decode the desired signal.

While it is not easy to estimate the channel in the presence of an unknown
jamming signal, research efforts have been invested in circumventing this
challenge. In [76], Zeng et al. proposed a practical anti-jamming solution for
wireless MIMO networks that enables legitimate communications in the presence
of multiple high-power, broadband radio jamming attacks, and evaluated it using
a real-world implementation in a Wi-Fi network. Their scheme rests on two
techniques: a jamming-resilient synchronization module and a blind jamming
mitigation equalizer. The blind jamming mitigation module is a low-complexity
linear spatial filter capable of mitigating the signals of unknown jammers and
recovering the desired signals from legitimate users. Unlike existing jamming
mitigation algorithms, which rely on an accurate jamming channel ratio, this
algorithm needs no channel information for jamming mitigation and signal
recovery. In addition, a jamming-resilient synchronization algorithm was
crafted to perform packet timing and frequency recovery in the presence of a
strong jamming signal. It consists of three steps. First, the received
time-domain signal is cleaned with a spatial projection-based filter that
suppresses the jamming signal. Second, conventional synchronization techniques
are applied to estimate the start of frame and the carrier frequency offset.
Third, the frames received by each antenna are synchronized using the estimated
frequency offset. The scheme was validated and evaluated in a real-world
implementation on GNU Radio with USRP2 devices. It was shown that the receiver
could successfully decode the desired Wi-Fi signal in the presence of a jamming
signal 20 dB stronger than the signal of interest.
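The projection step shared by the schemes above, as an added worked example (not
code from [45], [46], [75] or [76]): a two-antenna receiver, one single-antenna
user and one constant single-antenna jammer, flat-fading channels with
constructed coefficients, QPSK data and a constructed preamble. The jammer's
channel ratio is estimated during a silent period of the user, as in the MCR
scheme, and the projected channel is then estimated from the preamble received
under jamming; this is the simplest of the variants above and is not the blind,
channel-information-free filter of [76]. All numbers (channel coefficients,
noise level, lengths) are assumptions made for the example.

```python
"""Subspace-projection jamming mitigation at a two-antenna receiver.

Added example (not from the surveyed papers). Signal model, per sample n:
    y1[n] = h1*x[n] + g1*j[n] + w1[n]
    y2[n] = h2*x[n] + g2*j[n] + w2[n]
h = user channel, g = jammer channel, x = QPSK symbols, j = jammer, w = noise.
With r = g2/g1, the projection z = y2 - r*y1 removes the jammer and leaves
(h2 - r*h1)*x plus noise. All channel values, lengths and noise levels are
constructed for the example.
"""
import random


def bits_to_qpsk(bits):
    """Pairs of bits -> unit-power QPSK symbols (bit 1 flips the sign of I or Q)."""
    s = 2 ** -0.5
    return [complex(s * (1 - 2 * bits[i]), s * (1 - 2 * bits[i + 1]))
            for i in range(0, len(bits), 2)]


def qpsk_to_bits(syms):
    """Hard decisions: negative real part -> first bit 1, negative imag -> second bit 1."""
    out = []
    for v in syms:
        out += [1 if v.real < 0 else 0, 1 if v.imag < 0 else 0]
    return out


def bit_error_rate(rx_bits, tx_bits):
    return sum(a != b for a, b in zip(rx_bits, tx_bits)) / len(tx_bits)


def cn(rng, sigma):
    """Circularly symmetric complex Gaussian sample with total variance sigma**2."""
    s = sigma / 2 ** 0.5
    return complex(rng.gauss(0, s), rng.gauss(0, s))


def ls_channel(rx, ref):
    """Least-squares estimate of the scalar gain mapping `ref` samples onto `rx` samples."""
    return (sum(y * p.conjugate() for y, p in zip(rx, ref))
            / sum(abs(p) ** 2 for p in ref))


def simulate(sjr_db, seed=1, n_silent=64, n_preamble=32, n_data_bits=256, noise_sigma=0.05):
    """Return (BER with projection, BER of a single-antenna zero-forcing receiver)."""
    rng = random.Random(seed)
    h = (0.9 + 0.3j, -0.4 + 0.7j)          # constructed user channel (antenna 1, antenna 2)
    g = (0.6 - 0.5j, 0.8 + 0.2j)           # constructed jammer channel
    jam_amp = 10 ** (-sjr_db / 20)         # user symbols have unit power
    preamble = bits_to_qpsk([rng.randrange(2) for _ in range(2 * n_preamble)])  # known to both ends
    data_bits = [rng.randrange(2) for _ in range(n_data_bits)]
    data = bits_to_qpsk(data_bits)

    def receive(x_samples):
        y1, y2 = [], []
        for x in x_samples:
            j = jam_amp * cn(rng, 1.0)     # constant (always-on) Gaussian jammer
            y1.append(h[0] * x + g[0] * j + cn(rng, noise_sigma))
            y2.append(h[1] * x + g[1] * j + cn(rng, noise_sigma))
        return y1, y2

    # 1) User silent, jammer on: estimate the jammer channel ratio r = g2/g1 (MCR idea).
    s1, s2 = receive([0j] * n_silent)
    ratio = ls_channel(s2, s1)
    # 2) Preamble and payload arrive while the jammer keeps transmitting.
    p1, p2 = receive(preamble)
    d1, d2 = receive(data)

    # 3) Project onto the subspace orthogonal to the jammer direction (1, r).
    def project(a, b):
        return [y2 - ratio * y1 for y1, y2 in zip(a, b)]

    zp, zd = project(p1, p2), project(d1, d2)
    # 4) Estimate the projected user channel from the known preamble, then zero-force.
    h_eff = ls_channel(zp, preamble)
    ber_proj = bit_error_rate(qpsk_to_bits([z / h_eff for z in zd]), data_bits)
    # Baseline: one antenna, channel estimated from the jammed preamble, no projection.
    h1_est = ls_channel(p1, preamble)
    ber_single = bit_error_rate(qpsk_to_bits([y / h1_est for y in d1]), data_bits)
    return ber_proj, ber_single


if __name__ == "__main__":
    for sjr in (0, -10, -20, -30):
        bp, bs = simulate(sjr)
        print(f"SJR {sjr:4d} dB: BER with projection {bp:.3f}, single-antenna ZF {bs:.3f}")
```

Running the block prints the BER of the projected receiver next to that of a
single-antenna zero-forcing receiver: at -20 dB SJR the projected receiver
decodes without error while the baseline sits at chance, which is the gain the
text attributes to the spatial domain. The caveat a practitioner should keep in
mind is that the projection spends one receive degree of freedom per jammer and
relies on the jammer's direction staying fixed over the frame; a jammer that is
not spatially resolvable from the user, or more jammers than receive antennas
minus one, cannot be removed this way.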

4) Coding Techniques: Channel coding techniques were originally designed to
improve communication reliability over unreliable channels. In [77] and [78],
the performance of low-density parity-check (LDPC) codes and Reed-Solomon codes
was analyzed for different packet sizes under low-duty-cycle noise (pulse)
jamming attacks. It was shown that, for long packets (e.g., a few thousand
bits), LDPC coding is a suitable choice as it achieves throughput close to the
theoretical Shannon limit while bearing a low decoding complexity.

5) Rate Adaptation and Power Control Techniques: Rate adaptation and power
control mechanisms have been proposed to combat jamming attacks, provided that
the wireless devices have a sufficient power supply and the jamming signal's
power is limited. In [66], a series of rate adaptation algorithms (RAAs) was
proposed to provide reliable and efficient communication for Wi-Fi networks.
Based on channel conditions, RAAs set the data rate such that the network
achieves the highest possible throughput. Despite the differences among
existing RAAs, all of them track the rate of successful packet transmissions
and increase or decrease the data rate accordingly. Power control is another
technique that can be used to improve wireless communication performance over
poor-quality links caused by interference and jamming signals. However, power
control mechanisms are constrained by the power budget available at the
transmitter. Clearly, rate adaptation and power control will not work in the
presence of high-power constant jamming attacks. In [79], [80], Pelechrinis et
al. studied the performance of these two techniques in jamming mitigation for
legacy Wi-Fi communications via real-world experiments. It was shown that rate
adaptation is generally effective in lossy channels where the desired signal is
corrupted by low-power interference and jamming signals. When low transmission
data rates are used, the effect of the jamming signal can be alleviated by
increasing the transmit power; at high data rates, however, power control is
ineffective for jamming mitigation. In [81], a randomized RAA was proposed to
enhance rate adaptation against jamming attacks. The jammer considered there
aims to keep the network throughput under a certain threshold, as explained
earlier for RAA attacks. The main idea of the scheme is an unpredictable rate
selection mechanism: when a packet is transmitted successfully, the algorithm
switches to another data rate chosen uniformly at random. The scheme shows
higher reliability against this class of attacks. The results in [81] show that
a jammer aiming to pull network throughput below 1 Mbps needs to transmit a
periodic jamming signal with 3× more energy than it needs against the legacy
ARF algorithm. In [49], an alternative approach was proposed for RAAs to cope
with low-power jamming attacks using packet fragmentation. Although smaller
packets induce more overhead in the network, fragmentation improves
communication reliability under periodic and noise jamming attacks by reducing
each transmission's probability of being jammed. In [82], Garcia et al.
borrowed the concept of cell breathing from cellular networks and deployed it
in dense WLANs for jamming mitigation. Here, cell breathing refers to dynamic
power control that adjusts an AP's transmission range: an AP decreases its
transmission range when bearing a high load and increases it when bearing a
light load. Load balancing was proposed as a complementary technique to cell
breathing. For a WLAN with cell-breathing capability, a jamming attack can be
treated as a high load imposed on the target APs [82].

Fig. 8: Jamming attack in a cellular network.
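The fragmentation argument of [49], as an added worked example (the model and
the code are added here, not taken from that paper): a periodic pulse jammer
with a constructed schedule and a sender that does not know the jammer's phase.
The closed-form hit probability of a transmission of a given airtime is
cross-checked by sweeping every start phase, and the expected airtime needed to
deliver a fixed payload is compared across fragment counts, which also exposes
the header-overhead tradeoff the text mentions.

```python
"""Packet fragmentation against a periodic (pulse) jammer.

Added example, not code from [49]. Constructed model, all times in integer
microsecond slots: the jammer emits a pulse of `pulse` slots every `period`
slots; a transmission is lost if it shares any slot with a pulse; the start
phase of a transmission is uniform over one jammer period (the sender does not
know the jammer's schedule); each fragment carries `header` slots of overhead
and is retransmitted (stop-and-wait, no retry limit) until it gets through.
"""
import math


def is_hit(start, airtime, period, pulse):
    """True if slots [start, start+airtime) intersect any pulse [m*period, m*period+pulse)."""
    m_min = (start - pulse) // period + 1          # first pulse that ends after `start`
    m_max = -(-(start + airtime) // period) - 1    # last pulse that starts before the end
    return m_min <= m_max


def hit_probability(airtime, period, pulse):
    """P(hit) for a uniform start phase: (airtime + pulse - 1) / period, capped at 1."""
    return min(1.0, (airtime + pulse - 1) / period)


def hit_probability_by_sweep(airtime, period, pulse):
    """Cross-check of the closed form by trying every start phase within one period."""
    return sum(is_hit(s, airtime, period, pulse) for s in range(period)) / period


def expected_airtime(payload, n_frag, header, period, pulse):
    """Expected total airtime to deliver `payload` slots split into `n_frag` fragments."""
    if payload % n_frag:
        raise ValueError("payload must split evenly into fragments")
    frag = payload // n_frag + header
    p = hit_probability(frag, period, pulse)
    if p >= 1.0:
        return math.inf                            # every attempt overlaps a pulse
    return n_frag * frag / (1.0 - p)               # geometric number of attempts per fragment


def best_fragmentation(payload, header, period, pulse, candidates):
    """Fragment count among `candidates` with the lowest expected airtime."""
    return min(candidates, key=lambda k: expected_airtime(payload, k, header, period, pulse))


if __name__ == "__main__":
    PERIOD, PULSE, PAYLOAD, HEADER = 10_000, 1_000, 8_000, 200   # constructed: 10% duty cycle
    for k in (1, 2, 4, 8, 16):
        frag = PAYLOAD // k + HEADER
        print(f"{k:2d} fragments of {frag:5d} us: P(hit) = "
              f"{hit_probability(frag, PERIOD, PULSE):.3f}, expected airtime "
              f"{expected_airtime(PAYLOAD, k, HEADER, PERIOD, PULSE):9.0f} us")
    print("best fragment count:", best_fragmentation(PAYLOAD, HEADER, PERIOD, PULSE, (1, 2, 4, 8, 16)))
```

With the constructed numbers, an 8000 µs payload sent whole overlaps a pulse
with probability 0.92 and costs about 100 ms of expected airtime, whereas eight
fragments of 1200 µs cost about 12 ms; sixteen fragments are already worse than
eight because the per-fragment header starts to dominate. The model assumes a
jammer with a fixed period and no knowledge of the sender; a reactive jammer,
which fires on every detected preamble, is not slowed down by fragmentation and
is the case the MIMO and coding techniques above address.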

6) Jamming Detection Mechanisms: In [83], Puñal et al. proposed a
learning-based jamming detection scheme for Wi-Fi communications. The authors
used the noise power, the fraction of time the channel is busy, the time
interval between two frames, the peak-to-peak signal strength, and the packet
delivery ratio as features of the training dataset, and used the random forest
algorithm for classification. The performance of the scheme was evaluated under
constant and reactive jamming attacks. The simulation results show that the
scheme could detect the presence of a jammer with 98.4% accuracy for constant
jamming and with 94.3% accuracy for reactive jamming.
7) A Summary of Anti-Jamming Techniques: Table IV summarizes existing
anti-jamming techniques designed for WLANs.
JAMMING AND ANTI-JAMMING ATTACKS IN ZIGBEE NETWORKS :
In this section, we survey existing jamming attacks and anti-jamming
techniques in ZigBee networks. Following the structure of the previous
sections, we first offer a primer on ZigBee communication and then explore the
jamming and anti-jamming strategies that were specifically designed for ZigBee
networks.
A. A Primer of ZigBee Communication ZigBee is a key technology for low-power,
low-data-rate, short-range wireless communication services such as home
automation, medical data collection, and industrial equipment control [136].
With the proliferation of low-power IoT devices, ZigBee has become increasingly
important and has emerged as a crucial component of the wireless networking
infrastructure in smart home and smart city environments. ZigBee was developed
on top of the IEEE 802.15.4 standard. It operates in the unlicensed spectrum
bands from 2.4 to 2.4835 GHz worldwide, 902 to 928 MHz in North America and
Australia, and 868 to 868.6 MHz in Europe. In the 2.4 GHz band, sixteen
channels with 5 MHz spacing are available for ZigBee communications. At the
PHY layer, ZigBee uses offset quadrature phase-shift keying (OQPSK) modulation
and direct-sequence spread spectrum (DSSS) coding for data transmission. The
typical ZigBee data rate is 250 kbit/s, corresponding to a chip rate of
2 Mchip/s.
Fig. 14 shows the frame structure of ZigBee communication. The frame consists
of a synchronization header (SHR), a PHY header, and the PHY payload. The
synchronization header comprises a preamble and a start-of-frame delimiter
(SFD). The preamble field is used for chip and symbol timing, frame
synchronization, and carrier frequency and phase synchronization. The preamble
is four predefined octets (32 bits), all binary zeros. The SFD field is a
predefined octet that marks the end of the SHR. Following the SFD is the PHY
header, which carries the frame length. The PHY payload carries the user
payload and user-specific information from the upper layers. Fig. 15 shows the
block diagram of the baseband signal processing in a ZigBee transceiver.
Referring to Fig. 15(a), at a ZigBee transmitter every 4 bits of data are
mapped to a predefined 32-chip pseudo-random noise (PN) sequence, followed by
half-sine pulse shaping. The chips of the PN sequence are modulated onto the
carrier frequency using OQPSK. Referring to Fig. 15(b), at a ZigBee receiver
the main signal processing chain comprises coarse and fine frequency
correction, timing recovery (chip synchronization), preamble detection, phase
ambiguity resolution, and despreading. The RF front end first downconverts the
received signal from the carrier frequency to baseband. The received chip
sequence is passed through a matched filter to boost the received SNR. An
FFT-based algorithm is then typically used for coarse frequency offset
estimation, followed by a closed-loop PLL-based algorithm for fine carrier
frequency and phase offset correction. Timing recovery (chip synchronization)
can be performed using classic methods such as zero-crossing or Mueller-Muller
error detection. Preamble detection follows timing recovery and can compensate
for the phase ambiguity left by the fine frequency compensation module.
Finally, the detected chips are despread to recover the original transmitted
bits.
B. Jamming Attacks Since ZigBee is a wireless communication system, the
generic jamming attack strategies (e.g., constant jamming, reactive jamming,
deceptive jamming, random jamming, and frequency-sweeping jamming) presented in
Section II-B can also be applied to ZigBee networks. Here, we focus on jamming
attack strategies that were specifically designed for ZigBee networks, as shown
in Fig. 16. Table IX presents the ZigBee-specific jamming attacks in the
literature. In what follows, we elaborate on these attacks. In [137], the
authors studied the impact of a constant radio jamming attack on the
connectivity of an IEEE 802.15.4 (ZigBee) network. They evaluated the
destructiveness of the attack in an indoor ZigBee environment via experiments
in which the network was configured in a tree topology and a commercial ZigBee
module with modified firmware served as the radio jammer. The authors reported
the number of nodes affected when the jammer was placed at different locations.
In [138], the authors studied reactive radio jamming attacks in ZigBee
networks, focusing on improving the effectiveness and practicality of reactive
jamming. The reactive jammer first detects ZigBee packets in the air by
searching for the PHY header of the ZigBee frame shown in Fig. 14, and then
sends a short jamming signal to corrupt the detected packet. The results show
that a jamming signal longer than 26 µs suffices to bring the packet reception
rate of a ZigBee receiver down to zero. The authors also built a prototype of
the attack on a USRP testbed and evaluated it in an indoor environment; the
prototyped jammer blocked more than 96% of packets in all scenarios.
In [139], Cao et al. presented an energy depletion attack targeting ZigBee
networks. By sending fake packets, the attack keeps the ZigBee receiver busy
and wastes its physical resources (e.g., CPU). The authors evaluated the cost
of the attack in terms of energy consumption, time, and the computational cost
of processing the fake messages. It was shown that the energy depletion attack
can serve as a DoS attack in ZigBee networks by depleting the airtime resource
and leaving no airtime for legitimate users. A cross-technology jamming attack
on ZigBee communications has also been proposed, in which a Wi-Fi dongle is
used as the malicious jammer to disrupt ZigBee communication with Wi-Fi
signals. The firmware of the Wi-Fi dongle was modified to disable carrier
sensing and set the SIFS and DIFS windows to zero, so that the dongle transmits
packets continuously. The reasons for using Wi-Fi as a cross-technology attack
on ZigBee are three-fold: i) a Wi-Fi dongle is cheap and easy to drive as a
constant jammer; ii) a Wi-Fi-based jammer is hard to detect, as its traffic
tends to be taken as legitimate; iii) a 20 MHz Wi-Fi channel is much wider than
a ZigBee channel (5 MHz channel spacing), so a single Wi-Fi transmission can
pollute several ZigBee channels at the same time.

C. Anti-Jamming Techniques Anti-jamming strategies such as MIMO-based jamming
mitigation and spectrum spreading can also be applied to protect ZigBee
communications against jamming attacks. In particular, ZigBee employs DSSS at
its PHY layer, which enhances link reliability against jamming and interference
signals. Table IX presents the existing anti-jamming techniques that were
specifically designed for ZigBee networks. We elaborate on these works in the
following. As a performance baseline, Fang et al. [142] studied the bit error
rate (BER) of DSSS in ZigBee communications. Their theoretical analysis and
simulations show that, in an AWGN channel, a ZigBee receiver attains
BER = 10^-1 at SNR = 3 dB, BER = 10^-2 at SNR = 6 dB, and BER = 10^-3 at
SNR = 8 dB. These results provide a reference for the study of ZigBee
communications in the presence of jamming attacks.
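The 4-bit-to-32-chip mapping from the primer above and the DSSS resilience
claim of this subsection, as an added worked example (not code from [142] or
from any ZigBee stack). The 16 chip sequences are generated from the symbol-0
sequence of the IEEE 802.15.4 2.4 GHz O-QPSK PHY by the standard's cyclic-shift
and odd-chip-inversion rules as recalled by the author of this example; verify
them against the standard text before reusing them. Pulse shaping, O-QPSK
modulation and carrier/chip synchronization are omitted so that only the
processing gain of the spreading is visible; the jammer is wideband Gaussian
noise, and the raw chip error rate is reported next to the byte error rate
after despreading.

```python
"""ZigBee-style DSSS spreading and despreading under a wideband noise jammer.

Added example, not code from [142] or from a ZigBee stack. The chip table is
derived from the symbol-0 sequence of the IEEE 802.15.4 2.4 GHz O-QPSK PHY
using the standard's rules (symbols 1-7: cyclic shift of symbol 0 by 4k chips;
symbols 8-15: the same with every odd-indexed chip inverted) as recalled by the
example's author: check it against the standard before reuse. Pulse shaping,
O-QPSK modulation and synchronization are omitted; chips are +/-1 baseband
values with ideal timing, so only the spreading gain is exercised.
"""
import random

SYMBOL0 = "11011001110000110101001000101110"


def chip_table():
    """16 symbols -> 32-chip sequences as lists of +1/-1 (chip 0 -> +1, chip 1 -> -1)."""
    base = [int(c) for c in SYMBOL0]
    table = [base[-4 * k:] + base[:-4 * k] for k in range(8)]                 # symbols 0-7
    table += [[c ^ (i & 1) for i, c in enumerate(seq)] for seq in table[:8]]  # symbols 8-15
    return [[1 - 2 * c for c in seq] for seq in table]


CHIPS = chip_table()


def spread(data):
    """Bytes -> chip stream; the low nibble of each byte is sent first (802.15.4 order)."""
    chips = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            chips.extend(CHIPS[nibble])
    return chips


def despread(samples):
    """Correlate every 32-sample block against the 16 sequences and take the best match."""
    nibbles = []
    for i in range(0, len(samples) - 31, 32):
        block = samples[i:i + 32]
        scores = [sum(s * c for s, c in zip(block, seq)) for seq in CHIPS]
        nibbles.append(max(range(16), key=scores.__getitem__))
    return bytes(nibbles[i] | (nibbles[i + 1] << 4) for i in range(0, len(nibbles) - 1, 2))


def jam(chips, sjr_db, rng):
    """Add a wideband Gaussian jammer; signal chips have unit power, so sigma^2 = 1/SJR."""
    sigma = 10 ** (-sjr_db / 20)
    return [c + rng.gauss(0, sigma) for c in chips]


def error_rates(payload, sjr_db, seed=7):
    """Return (byte error rate after despreading, raw chip error rate) at the given SJR."""
    rng = random.Random(seed)
    chips = spread(payload)
    rx = jam(chips, sjr_db, rng)
    chip_err = sum((r < 0) != (c < 0) for r, c in zip(rx, chips)) / len(chips)
    decoded = despread(rx)
    byte_err = sum(a != b for a, b in zip(decoded, payload)) / len(payload)
    return byte_err, chip_err


if __name__ == "__main__":
    frame = bytes([0, 0, 0, 0, 0xA7]) + b"constructed ZigBee payload"   # preamble + SFD + data
    assert despread(spread(frame)) == frame
    for sjr in (10, 3, 0, -3):
        b, c = error_rates(frame, sjr)
        print(f"SJR {sjr:3d} dB: chip error rate {c:.3f}, byte error rate after despreading {b:.3f}")
```

At SJR = 0 dB roughly one raw chip in six is wrong, yet almost every byte is
recovered, because the 32-chip correlation adds the signal chips coherently
and the jammer's contributions incoherently (10·log10(32) ≈ 15 dB of processing
gain against a noise-like jammer). This gain exists only against a jammer that
does not know the spreading sequence: a jammer that transmits valid chip
sequences, or one that fires on every detected SFD as in the reactive attacks
above, is not weakened by it, which is why the schemes later in this subsection
turn to unpredictable spreading codes or to a secret SFD.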

In [141], Pirayesh et al. proposed a MIMO-based jamming-resilient receiver to
secure ZigBee communications against constant jamming attacks. They employed
an online learning approach for a multi-antenna ZigBee receiver to mitigate an
unknown jamming signal and recover the ZigBee signal. Specifically, the scheme
uses the preamble field of a ZigBee frame, shown in Fig. 14, to train a neural
network, which is then used for jamming mitigation and signal recovery. A
prototype of the receiver was built on a USRP SDR testbed. The experimental
results show that the receiver achieves a 100% packet reception rate in the
presence of a jamming signal 20 dB stronger than the ZigBee signal, and yields
an average jamming mitigation gain of 26.7 dB compared to commercial
off-the-shelf ZigBee receivers. In [143], a randomized differential DSSS
(RD-DSSS) scheme was proposed to salvage ZigBee communication in the face of
reactive jamming attacks. RD-DSSS decreases the probability of being jammed by
relying on the correlation of unpredictable spreading codes. In [144] and
[145], a scheme called Dodge-Jam was proposed to defend IEEE 802.15.4 ACK frame
transmission against reactive jamming attacks. Dodge-Jam relies on two
techniques: channel hopping and frame segmentation. Frame segmentation splits
the original frame into multiple small blocks, whose order is shifted when a
retransmission is required, so that the receiver can recover the transmitted
frame after a few retransmissions. In [146], a MAC-layer protocol called DEEJAM
was proposed to reduce the impact of jamming attacks on ZigBee communications.
DEEJAM offers four countermeasures, namely frame masking, channel hopping,
packet fragmentation, and redundant encoding, each targeting a different
jamming attack. Frame masking refers to the transmitter and receiver using a
secret start-of-frame delimiter (SFD) to defeat a jammer that relies on SFD
detection to trigger its transmission. Channel hopping was proposed to defend
against reactive jamming. Packet fragmentation was proposed to defend against
scan jamming. Redundant encoding (e.g., fragment replication) was designed to
defend against noise jamming. In [147], the impact of a periodically cycling
jamming attack on ZigBee communication was studied, and a digital filter was
designed to reject the frequency components of the jamming signal. In [148]
and [149], an anti-jamming technique was proposed to defend low-data-rate
wireless networks such as ZigBee against high-power broadband reactive jamming
attacks. The technique exploits the reactive jammer's reaction time and uses
the unjammed time slots to transmit data. In [150], Spuhler et al. studied a
reactive jamming attack and its detection in ZigBee networks. The key idea of
their design is to extract statistics from the jamming-free symbols seen by the
DSSS synchronizer in order to tell jammed packets from those lost to bad
channel conditions. This detection method, however, focuses only on detecting
jamming attacks and does not consider a jamming defense mechanism. In [140],
Chi et al. proposed a detection mechanism to cope with cross-technology
jamming attacks. Their detection technique consists of several steps,
including multi-stage channel sensing, channel sweeping, and tracking the
number of consecutive failed packets. Once the number of failed packets
exceeds a certain threshold, the ZigBee device transmits its packets even if
the channel is still busy, leaving signal recovery to the receiver.

Research Directions:
Jamming is arguably the most critical security threat to wireless networking
services, as it is easy to launch but hard to defend against. The limited
progress in the design of jamming-resilient wireless systems underscores both
the grand challenges in the innovation of anti-jamming techniques and the
critical need for securing wireless networks against jamming attacks. In what
follows, we point out some promising research directions.

1) MIMO-based Jamming Mitigation: Given the potential that MIMO technology has
demonstrated in Wi-Fi and 4G/5G cellular networks, the exploration of practical
yet efficient MIMO-based jamming mitigation techniques is a promising research
direction toward securing wireless networks and deserves more research effort.
The past decade has witnessed an explosion of MIMO research and applications in
wireless communication systems. With rapid advances in signal processing and
antenna technology, MIMO has become the norm for wireless devices: most
commercial Wi-Fi and cellular devices, such as smartphones and laptops, are now
equipped with multiple antennas. Recent results in [76] show that, compared to
frequency hopping and spectrum spreading, MIMO-based jamming mitigation is not
only effective against jamming but also efficient in spectrum utilization.
In addition, existing results from research on MIMO-based interference
management (e.g., interference cancellation, interference neutralization,
interference alignment) can be leveraged in the design of MIMO-based
anti-jamming techniques. In turn, findings from the design of MIMO-based
anti-jamming techniques can be applied to the management of unknown
interference (e.g., blind interference cancellation) in Wi-Fi, cellular, and
vehicular networks.

2) Cross-Domain Anti-Jamming Design: Most existing anti-jamming techniques
exploit the degrees of freedom in a single domain (time, frequency, space,
code, etc.) to decode in-the-air radio packets in the presence of interfering
signals from malicious jammers. For instance, channel hopping, as used in
Bluetooth, manipulates radio signals in the frequency domain to avoid jamming;
spectrum spreading employs a secret sequence in the code domain to whiten the
energy of a narrow-band jamming signal and so enhance a receiver's resilience
to jamming; MIMO-based jamming mitigation projects signals in the spatial
domain so as to make the useful signal orthogonal to the jamming signals.
However, these single-domain techniques have a limited ability to handle
jamming signals, due to factors such as the available spectrum bandwidth,
computational complexity, the number of antennas, ADC resolution, the
nonlinearity of radio circuits, and packet delay constraints. One direction
toward enhancing a wireless network's resilience to jamming attacks is to
jointly exploit multiple domains, through PHY-layer signal processing together
with MAC-layer protocol design. This direction deserves more research effort to
explore practical and efficient anti-jamming designs.

3) Cross-Layer Anti-Jamming Design: For constant jamming attacks, most existing
countermeasures rely on PHY-layer techniques that either avoid the jamming
signal or mitigate it before signal detection. With the growth of smart jamming
attacks that target specific network protocols (e.g., preamble/pilot signals in
Wi-Fi networks and PSS/SSS in cellular networks), cross-layer design of
anti-jamming strategies becomes necessary to thwart increasingly sophisticated
jamming attacks. It calls for the joint design of PHY-layer signal processing,
MAC-layer protocols, and network resource allocation, as well as cross-layer
optimization, to enable efficient wireless communications in the presence of
various jamming attacks.

4) Machine Learning for Anti-Jamming Design: Machine learning has become a
powerful technique and has been applied to many real-world applications such as
image recognition, speech recognition, traffic prediction, product
recommendation, self-driving cars, and spam and malware filtering. It is
particularly useful for solving complex engineering problems whose underlying
mathematical model is unknown. In recent years, machine learning techniques
have been used to secure wireless communications against jamming attacks
(e.g., [179], [216]) and have produced some pioneering and exciting results.
The design of learning-based anti-jamming techniques is therefore a promising
research direction that deserves in-depth investigation.
