Fast Jamming Detection in Sensor Networks
Kartik Siddhabathula, Qi Dong, Donggang Liu and Matthew Wright
Department of Computer Science
University of Texas at Arlington
{kartik.siddhabathula, qi.dong}@mavs.uta.edu, {dliu, mwright}@cse.uta.edu
Abstract—Wireless Sensor Networks (WSN) are vulnerable to jamming attacks where an adversary injects strong noises to interfere with the normal transmission. It is crucial to detect such jamming attacks as fast as possible. Existing studies have shown that an effective indicator of jamming is the packet delivery ratio (PDR). However, current PDR-based schemes use the end-to-end packet delivery ratio, which requires one to observe communication for a long time before a good decision is made. In this paper, we propose collaborative detection, which evaluates the packet delivery ratio in a given area instead of a pair of nodes. The intuition is that the attacker often jams an area of his interest, not just two specific nodes. The benefit is that we can detect jamming attacks in a much faster way. We have evaluated the performance of our idea on TelosB motes. The results show that we can effectively and quickly detect jamming attacks.

I. INTRODUCTION

Wireless sensor networks consist of autonomous sensors to monitor the conditions in an area of interest and report their observations to a base station for further analysis. They have become a useful tool in civilian, industrial and scientific applications such as border security, landslide detection, and greenhouse monitoring. In hostile environments like border security, the security of the sensor network has to be ensured.

Due to the shared medium of communication, wireless sensor networks are vulnerable to Denial of Service (DoS) attacks [2], e.g., the jamming attacks. A jammer hampers the communication between benign nodes by attacking either the network layer, the physical layer, or the Medium Access Control (MAC) layer. In this paper, we focus on the MAC layer jammers for wireless communication medium. A MAC layer jammer does not adhere to the MAC protocol and emits a radio signal which interferes with the normal working of the network and causes a DoS attack. Depending on the power of jammers, it can either cause a part of the network to fail or even bring down the whole network.

Jamming causes many problems for real world applications. For example, in border security, an intruder can jam the communication and cross the border without being detected. Thus, in hostile environments, it is essential to be able to detect the place where the channel is jammed [9], [20], [18] or deliver the messages out of the jammed area [19], [3], [9], [1].

In this paper, we focus on methods to detect the place where jamming attacks are launched. To achieve this, we need to first detect the jamming attacks. Once we notice that the communication is jammed, we can send an alert to the base station. Certainly, a node inside a jammed area may not be able to send its alerts out since the packet reception of its neighbors may have already been disrupted. However, the sensor nodes on the edge of the jammed area can often get their alerts out since some of their neighbors are outside of the jammed area [18]; these nodes will be the ones who detect jamming attacks and also report alerts to the base station.

The remaining problem is thus how to quickly detect jamming attacks. Previous studies have shown that the nodes being jammed will see a substantial drop in the packet delivery rate (PDR) [20]. Hence, once a node realizes that its packet delivery ratio drops significantly, a jamming alert can be produced. However, current PDR-based schemes use the end-to-end packet delivery ratio, which requires one to observe communication for a long time before any good decision is made. In this paper, we propose a collaborative detection scheme. The main idea is to evaluate the packet delivery ratio in an area instead of pairs of nodes since the attacker usually jams the area of his interest, not just the communication between some specific pairs of nodes. In other words, we use observations from other nodes to speed up the jamming detection. We have evaluated the performance of our protocol on TelosB motes. The results show that we can effectively and quickly detect jamming attacks.

This paper is organized as follows. The next section outlines the related work. In Section III we discuss the network and attack models. In Section IV we give a description of the protocol. In Section V we evaluate the proposed scheme. In Section VI we present the experimental results. In Section VII we give our conclusion and some future work.

II. RELATED WORK

Detecting jamming attacks in wireless networks has attracted a lot of attention recently [9], [20], [18]. In [9], the authors proposed to build a model for the signal collision rate when there are no attacks. Such a model is then used to detect if the network is under jamming attacks in hostile situations. The paper provided a theoretical study on the trade-off between the detection time, detection rate, and false alarm rate. In our paper, we use real experiments to study the performance of jamming detection. In [20], the authors studied various jamming attacks on WSN and proposed a detection method based on Received Signal Strength Indicator (RSSI) and Packet Delivery Ratio (PDR). However, their protocol requires a sensor node to observe the communication for many rounds before a good decision is made. In our protocol, we use the observations from multiple nodes to speed up the detection. In [18], the authors proposed to locate the jammed area once
the jamming attacks are detected. They assumed the existence of a jamming detection technique. In our paper, the focus is on how to detect such attacks quickly. Several papers have studied how to efficiently jam sensor networks. In [21], the authors proposed an efficient jamming attacker model for situations when the attacker has no knowledge about the target protocol. In [9], the authors described jamming strategies that are easy to launch but difficult to detect.

III. NETWORK AND ATTACK MODEL

We consider the network to be a static network, i.e., sensor nodes do not change their locations after deployment. All the nodes have a limited supply of energy. We assume that the communication in the network is protected by the shared keys between sensor nodes. Many existing key establishment schemes [13], [5], [10] can be used for such a purpose. We do not consider compromised nodes in the network.

We assume that the attacker's goal is to disable the network function for a period that is long enough to accomplish a task, e.g., crossing the border without being caught. As a result, the attacker will need to interrupt the communication dramatically so that no or very few messages can get out of the jammed area, e.g., the path for crossing the border. In addition, the attacker has to jam an area that is large enough to cover all possible nodes that may receive the reports from the nodes that sense the intruders.

Due to the above reason, we believe that it is more interesting to quickly detect jamming attacks that substantially reduce the packet delivery rate. One example is the so-called constant jammer [20]. This type of jammer continuously emits radio signals to cause jamming. In this paper, we have implemented a constant jammer using a TelosB mote that uses a CC2420 radio chip. We implemented it by disabling the Clear Channel Assessment (CCA) bit. Our jammer continuously sends out a packet irrespective of the activity on the channel. Note that although our experiment is based on a constant jammer, our method works on any jammer that substantially reduces the packet delivery rate.

Fig. 1. Influence of jammers on PDR

Figure 1 shows the influence of our constant jammer on the communication between sensor nodes. The experiment focuses on the reception of messages. In the experiment, three nodes (a jammer, a receiver, and a sender) were placed in a straight line with a distance of 10 inches from each other. The receiver was placed in the middle. We carried out 100 trials with the receiver node being under attack and another 100 trials when the jammer is replaced with a normal node sending out messages continuously to simulate the signal collision that happens frequently in benign situations. In each trial, the sender sent out 100 packets while the receiver node kept track of the number of packets received. In the figure, the X-axis represents the index of the trial and the Y-axis represents the number of times the PDR was found to have that value in the corresponding trial. Note that PDR here is the packet reception rate for a receiver node. From the figure we can see that there is a clear distinction in the number of packets a node receives with and without jamming attacks.

IV. THE PROPOSED PROTOCOL

Our intuition is that observing packet loss over an area lets us decide on the existence of a jammer faster than observing the packet loss between a pair of nodes. Specifically, we divide the time line into multiple intervals and have sensor nodes periodically send out beacon signals. We then observe the loss of messages within each time interval for jamming detection. From Figure 1, we know that there is a huge difference in the PDRs with and without jamming attacks. As a result, for a given time interval, if a node sees a significant drop in the number of beacons received from neighbors when compared to what was observed in the last time interval, we know that this node is jammed. Certainly, frequently broadcasting beacon messages allows us to detect jamming faster but consumes more energy and drains the batteries of the nodes faster. Hence, the length of time intervals has to be adjusted to make a good trade-off between the detection time and the energy consumption.

A. Decision Process

Each node maintains two arrays which (for the ease of understanding) we will call Current and History. Current contains the list of the nodes whose beacons were received in the current time interval and the array History contains the list of the nodes whose beacons were received in the previous time interval. Each element in the array is either 0 or 1. 0 means that the beacon of the corresponding node has not been received, and 1 means that the beacon of the corresponding node has been received. Both arrays are initialized to all 0s. We assume that sensor nodes are organized into clusters. This can be achieved by using some existing clustering algorithms [11], [15]. Each cluster conducts jamming detection and reports at most one alert in case of jamming.

The protocol carried out by each node in a cluster is as follows. First, each node in a cluster broadcasts a beacon that carries its ID repeatedly at each time interval. This helps the nodes which receive this beacon to keep track of the number
of beacons they are able to receive within this time interval. Each node broadcasts its beacon only once in each interval. Second, when a sensor node receives a beacon message, it marks the corresponding bit in the array Current as 1, meaning that it has received the beacon from the corresponding cluster member. At the end of each time interval, every sensor node carries out a check to see whether there is jamming in the network. If yes, an alert will be sent to the base station. The decision regarding the existence of jammers is made according to the following: Let $X_n$ denote the number of nodes whose beacon was received during the time interval $t_n$. An alert is raised if $X_n < \tau \times X_{n-1}$, where τ is a threshold. The alert will be sent to the base station δ times to ensure that the base station receives it with a high probability.

At the end of each time interval, the content of array Current is copied into the array History and the array Current is then re-initialized to 0.

B. Threshold selection

The decision regarding the existence of a jammer is based on the comparison between the number of beacons received by a node in two consecutive time intervals. A threshold τ is used in such a comparison. Certainly, the selection of a good τ is important. In this paper, τ is configured empirically, i.e., through a set of real experiments. We use the results in Figure 1. τ is assigned a value which lies between the two distributions. In this paper, we simply set τ to 0.55, which clearly separates the two distributions.

V. THEORETICAL ANALYSIS

In this section we will analyze the detection rate, false alarm rate, and detection time. For the sake of presentation, we list some important notations used in our analysis:

• N: Total number of nodes in a cluster.
• M: Total number of jammed nodes in a cluster.
• p: Probability that a message is lost due to channel noise or packet collision.
• δ: Number of alert messages sent by a jammed node.

The detection of jamming will be done whenever a jammed node is able to send an alert message out of the jammed area and that message is successfully received by at least one non-jammed node. There will be no detection if all the alert messages are lost, which can happen if all the nodes in the cluster and their neighbors are getting jammed. In this case, we will resort to other clusters to do the detection. Thus, for simplicity, we assume that the cluster is not completely jammed, and at least one unjammed node is located within the radio range of each jammed node. Given that the probability that a message is lost is p, the number of alert messages sent out by a node in case of detection is δ and the number of jammed nodes is M, the total number of alert messages generated in case of jamming detection is M × δ. The probability that all the alert messages are lost is thus at most $p^{M \times \delta}$. Therefore the detection rate $R_D$ can be estimated by $R_D = 1 - p^{M \times \delta}$. For example, if M = 2, δ = 5, and p = 0.3, then the probability of detection is about 0.99999. In general, δ should be large enough to give us a good trade-off between energy consumption and detection. We can also see that the length of time intervals has no impact on the detection rate.

Fig. 2. The false alarm rate

A false alarm is an alert raised by a node in the network without the presence of a jammer. Note that an alert should be raised if a node receives less than τ times the beacons it received in the previous time interval. If this happens when there are no jammers, the alert is a false alarm. Given that the number of nodes in a cluster is N, a node expects to receive beacons from N − 1 nodes. If the channel loss rate is p, then that node will receive (N − 1) × (1 − p) beacons on average. The probability that a false alarm will be generated can thus be estimated by the probability of $X_n < \tau \times (N-1) \times (1-p)$. Therefore, the false alarm rate $FA$ can be estimated by

$$FA = \sum_{i=(1-\tau)(N-1)(1-p)}^{N-1} \binom{N-1}{i} \, p^{((N-1)-i)} \, (1-p)^{i}.$$

Figure 2 shows the false alarm rate for different values of N. From the graph, we can see that an increase in the channel loss rate results in a higher false alarm rate.

The detection time is defined as the time difference between the time when the attack was launched and when an alert was successfully received by a non-jammed node. In our protocol, the time at which a node receives a message is random as well as the time at which the jammer launches the attack. For simplicity, we assume that there are no packet losses without the presence of the jammer. If the length of the time interval is t time units, we divide it into two sub-intervals. The first sub-interval lasts for τ × t time units, and the second sub-interval lasts for (1 − τ) × t time units. If the attack is launched during the first sub-interval, then the attack will be detected at the end of the current time interval, and if the attack is launched during the second sub-interval, then it will be detected at the end of the next time interval. Thus, the average time for detection at the end of current time interval will be $t - (t \times \tau)/2$ and the average time for detection completed at the end of next time interval will be $2t - (t \times (1-\tau))/2$. Therefore, the overall
average detection time for the protocol can be estimated by

$$\left(\tau \times \left(t - \frac{(t \times \tau)}{2}\right)\right) + \left((1-\tau) \times \left(2t - \left(t \times \frac{(1-\tau)}{2}\right)\right)\right).$$

This equation can be further reduced to

$$(t\tau) + \frac{(t\tau)}{2} - 2t\tau + \frac{(t\tau)}{2} - \frac{t\tau^{2}}{2} - \frac{t\tau^{2}}{2} + 2t - \frac{t}{2}.$$

Finally, the average detection time can be estimated by

$$\frac{3t}{2} - t \times \tau^{2}.$$

We can see that our scheme can detect jamming attacks after 1.5 rounds of transmission on average, which is much faster than the schemes in [20] where a node has to observe many (e.g., 10) rounds of transmission to make a good decision.

Fig. 3. Network layout

VI. IMPLEMENTATION AND EXPERIMENTS

The performance of our protocol was tested on TelosB motes [4] running TinyOS [6]. TinyOS is a free and open source component-based operating system that targets embedded systems like sensor nodes. TinyOS applications are written in NesC, a dialect of the C programming language which has been optimized for the memory limitations of wireless sensor networks. TelosB motes use a CC2420 chipcon radio [16]. For our testing, the jammer and the benign motes transmit at the same power level. We assign the value of δ to be 10, i.e., each mote will send the alert message 10 times whenever it detects jamming in the network. Each alert message will be sent with a random time interval between 0 to 100 ms to reduce signal collision.

The experiment was carried out inside the lab in an area of 900 sq. inches. The protocol was tested against one constant jammer which was placed at various positions and at different orientations to jam a different number of motes for each position and orientation of the jammer. The jammer was placed outside the perimeter of the network. The range of the TelosB motes is reduced in an indoor environment. We also further reduced their range by making them transmit at the lowest power level, which is 1. The effective range of the motes transmitting at power level 1 was between 15 and 25 inches. 40 motes which were running the protocol were arranged in a grid topology as it made for an easier deployment. Each mote was placed at a separation of 5 inches. The jammer was also programmed to transmit at the same power level as the motes, which is power level 1. Figure 3 shows the network topology and the jammer's various positions for testing the protocol. Depending on the position of a mote in the network, the number of neighbors for a mote varied from 6 to 14 motes. Though the motes were not time synchronized, they were all running with the same time interval. Motes which lie on the edge of the network had fewer neighbors and motes which lie inside the network had more neighbors. Tests were carried out to record the detection time, detection rate, and the false alarm rate of the protocol.

Fig. 4. Detection time

To calculate the detection time, one of the non-jammed motes was connected to the computer. Whenever that mote received an alert message it would print the reception time on the system. This gave us the time at which detection was complete. To get the time when the attack was launched, another mote was also connected to the computer which sent a message to the jammer, on reception of which the jammer starts the attack on the network. That mote will print the time when the jammer is launching the attack on the system screen. By taking the difference between the two times we get the detection time. For the detection time, the length of time intervals is configured in five different ways, i.e., five sets of experiments are conducted, each having a different interval length. Figure 4 shows the box plot for the detection time for five different time intervals which are 5 secs, 10 secs, 20 secs, 30 secs and 60 secs and a curve that represents the theoretical average detection time for each of the time interval lengths. From the figure, it is clear that, as the time interval increases the average
detection time increases. We can also see that the experiment results are consistent with the theoretical analysis result.

In Figure 3, the motes next to the letters are jammers, and each letter also indicates the position. When the jammer was placed at a different position with a different orientation, a different number of motes were jammed. When the jammer was placed at position A, 16 motes were jammed; at position B, 12 motes were jammed; at position C, 20 motes were jammed; at position D, 8 motes were jammed; at position E, 6 motes were jammed. Figure 5 shows the detection rate of the protocol for each case. In experiments, 100 attacks were carried out for each position of the jammer. Our protocol achieved 100% detection rate when the jammer was placed at positions E and B. The lowest detection rate was 97% in case of the jammer being placed at position D. In the other two cases, i.e., when the jammer was placed at A and C, the detection rate is 98%.

Fig. 5. Detection rate

For the false alarm part, the motes were programmed to transmit a packet, other than their beacon packet, every 993 milliseconds with a certain probability. Transmitting a packet other than the beacon of the mote creates a situation where motes will be running multiple protocols. We wanted to see the impact other protocols might have on our protocol. Additional packets by the motes increase the traffic of the network. With increased traffic, the chances of collision increase, which results in loss of packets. The jammer was removed and only the 40 motes operated for 3 hours with a time interval of 10 seconds, i.e., a total of 1080 intervals. Interestingly, in all the cases with different probabilities for the additional packet being transmitted, only once was an alert raised in the network. Therefore, the false alarm rate of the protocol is only $\frac{1}{1080} \approx 0.0009$.

VII. CONCLUSION AND FUTURE WORK

Wireless Sensor Networks are being widely used in various fields for different types of data collection and monitoring. They are a useful commodity in various civilian, industrial and scientific applications. Jamming attacks are one of the most popular attacks on WSN to cause a DoS. There is a need for the detection of these attacks quickly and accurately. In this paper we show through experiments that an observation of packet loss over an area gives us a faster detection of jamming attacks. From the experiment we also found that the protocol has a very low false alarm rate. In the future, we would like to test our protocol against different attacker models.

REFERENCES

[1] G. Alnie and R. Simon. A multi-channel defense against jamming attacks in wireless sensor networks. In ACM International Workshop on Modeling Analysis and Simulation of Wireless and Mobile Systems, pages 95–104, 2007.
[2] AUSCERT. Denial of Service Vulnerability in IEEE 802.11 Wireless Devices. http://www.auscert.org.au/render.html?it=4091.
[3] M. Cagalj, S. Capkun, and J.P. Hubaux. Wormhole-based antijamming techniques in sensor networks. IEEE Transactions on Mobile Computing (TMC), 6, Jan 2007.
[4] Crossbow Technology Inc. Wireless sensor networks. http://www.xbow.com/Home/HomePage.aspx. Accessed in July 2009.
[5] L. Eschenauer and V. D. Gligor. A key-management scheme for distributed sensor networks. In Proc. ACM Conf. on Computer and Communications Security (CCS), November 2002.
[6] J. Hill, R. Szewczyk, A. Woo, S. Hollar, D.E. Culler, and K. S. J. Pister. System architecture directions for networked sensors. In Architectural Support for Programming Languages and Operating Systems, pages 93–104, 2000.
[7] Meng-Yen Hsieh, Yueh-Min Huang, and Han-Chieh Chao. Adaptive security design with malicious node detection in cluster-based sensor networks. Comput. Commun., 30(11-12):2385–2400, 2007.
[8] Issa Khalil, Saurabh Bagchi, and Ness Shroff. Analysis and evaluation of secos, a protocol for energy efficient and secure communication in sensor networks. Ad Hoc Networks, 5(3):360–391, 2007.
[9] M. Li, I. Koutsopoulos, and R. Poovendran. Optimal jamming attacks and network defense policies in wireless sensor networks. In IEEE International Conference on Computer Communications (INFOCOM), pages 1307–1315, May 2007.
[10] D. Liu and P. Ning. Establishing pairwise keys in distributed sensor networks. In Proc. ACM Conference on Computer and Communications Security (CCS), October 2003.
[11] Donggang Liu. Resilient cluster formation for sensor networks. In Proceedings of the 27th International Conference on Distributed Computing Systems (ICDCS), page 40, 2007.
[12] Leonardo B. Oliveira, Adrian Ferreira, Marco A. Vilaça, Hao Chi Wong, Marshall Bern, Ricardo Dahab, and Antonio A. F. Loureiro. Secleach-on the security of clustered sensor networks. Signal Process., 87(12):2882–2895, 2007.
[13] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and D. Tygar. SPINS: Security protocols for sensor networks. In Proc. Intl. Conf. on Mobile Computing and Networks (MobiCom), July 2001.
[14] Michael Sirivianos, Dirk Westhoff, Frederik Armknecht, and Joao Girao. Non-manipulable aggregator node election for wireless sensor networks. In ICST WiOpt, January 2007.
[15] Kun Sun, Pai Peng, Peng Ning, and Cliff Wang. Secure distributed cluster formation in wireless sensor networks. In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC), pages 131–140, 2006.
[16] Texas Instruments Inc. 2.4 GHz IEEE 802.15.4 / ZigBee-ready RF Transceiver. http://focus.ti.com/lit/ds/symlink/cc2420.pdf. Accessed in January 2008.
[17] Sudarshan Vasudevan, Brian DeCleene, Neil Immerman, Jim Kurose, and Don Towsley. Leader election algorithms for wireless ad hoc networks. In Proceedings of DARPA Information Survivability Conference and Exposition, pages 261–272, 2003.
[18] A. Wood, J. Stankovic, and S. Son. JAM: A jammed-area mapping service for sensor networks. In Proceedings of IEEE Real-Time Systems Symposium, pages 286–297, 2003.
[19] W. Xu, W. Trappe, and Y. Zhang. Anti-jamming timing channels for wireless networks. In WiSec '08: Proceedings of the first ACM conference on Wireless network security, pages 203–213. ACM, 2008.
[20] W. Xu, W. Trappe, Y. Zhang, and T. Wood. The feasibility of launching and detecting jamming attacks in wireless networks. In Proceedings of ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), 2005.
[21] Y. W. Law, L. V. Hoesel, J. Doumen, P. Hartel, and P. Havinga. Energy efficient link-layer jamming attacks against wireless sensor network mac protocols. In Proceedings of ACM Workshop on Security of ad hoc and Sensor Networks (SASN), pages 76–88, 2005.
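
The Section IV-A decision process (the Current and History arrays and the rule X_n < τ × X_{n−1}) replayed for one cluster, as an added Python example; it is not the authors' NesC implementation. The class and function names, the 8-node cluster and the loss schedule are constructed for illustration, and a jammed node is assumed to hear no beacons at all.

```python
# Added illustration of the Section IV-A decision rule (not the authors' NesC code).
TAU = 0.55  # threshold value set empirically in Section IV-B


class ClusterMember:
    """One node's state: the Current and History bit arrays for its cluster."""

    def __init__(self, node_id, cluster_ids, tau=TAU):
        # One array slot per other cluster member (hypothetical layout).
        others = [n for n in cluster_ids if n != node_id]
        self.slot = {nid: i for i, nid in enumerate(others)}
        self.tau = tau
        self.current = [0] * len(others)  # beacons heard in this interval
        self.history = [0] * len(others)  # beacons heard in the previous one

    def on_beacon(self, sender_id):
        """Set the sender's bit; repeats and unknown IDs change nothing."""
        i = self.slot.get(sender_id)
        if i is not None:
            self.current[i] = 1

    def end_interval(self):
        """Check X_n < tau * X_(n-1), then copy Current to History and reset."""
        x_n, x_prev = sum(self.current), sum(self.history)
        alert = x_n < self.tau * x_prev
        self.history = self.current
        self.current = [0] * len(self.history)
        return alert


def run_cluster(n_nodes, jammed, jam_start, n_intervals, lost=frozenset()):
    """Replay beacon rounds and return {node_id: [intervals that raised an alert]}.

    jammed: receivers that hear nothing from interval jam_start onwards.
    lost:   constructed set of (interval, sender, receiver) benign losses.
    """
    ids = list(range(n_nodes))
    nodes = {i: ClusterMember(i, ids) for i in ids}
    alerts = {i: [] for i in ids}
    for t in range(n_intervals):
        for sender in ids:  # every node broadcasts its beacon once per interval
            for rx in ids:
                if rx == sender:
                    continue
                if t >= jam_start and rx in jammed:
                    continue  # reception disrupted by the jammer
                if (t, sender, rx) in lost:
                    continue  # channel noise or collision
                nodes[rx].on_beacon(sender)
        for i in ids:
            if nodes[i].end_interval():
                alerts[i].append(t)
    return alerts


if __name__ == "__main__":
    # Constructed scenario: nodes 0-2 of an 8-node cluster jammed from interval 3.
    print(run_cluster(8, jammed={0, 1, 2}, jam_start=3, n_intervals=6))
    # Constructed benign loss: node 7 misses 4 of 7 beacons in interval 2.
    print(run_cluster(8, set(), 99, 4, lost={(2, s, 7) for s in range(4)})[7])
```

Because History starts at all 0s, the first interval cannot raise an alert, and a node that stays jammed alerts only in the interval where the drop occurs, since the next comparison is against X_{n−1} = 0.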
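
The Section V estimates worked through as an added Python example, not code from the paper: the detection rate R_D = 1 − p^(M×δ), the smallest δ that reaches a target detection rate, and the probability of X_n < τ × (N − 1) × (1 − p). Function names are hypothetical; the last function assumes independent beacon losses, so that X_n is binomial with N − 1 trials and success probability 1 − p, and evaluates that probability directly as a binomial tail.

```python
# Added illustration of the Section V estimates (not code from the paper).
from math import comb


def detection_rate(p, m, delta):
    """R_D = 1 - p^(M*delta): at least one of the M*delta alerts gets through."""
    return 1.0 - p ** (m * delta)


def min_alert_repeats(p, m, target):
    """Smallest delta for which the detection rate reaches the target.

    Fewer repeats save energy; this picks the cheapest delta that is enough.
    """
    if not 0.0 <= p < 1.0 or m < 1 or not 0.0 < target < 1.0:
        raise ValueError("need 0 <= p < 1, m >= 1 and 0 < target < 1")
    delta = 1
    while detection_rate(p, m, delta) < target:
        delta += 1
    return delta


def false_alarm_estimate(n, p, tau=0.55):
    """P(X_n < tau*(N-1)*(1-p)) with no jammer present.

    Assumption of this example: each of the N-1 beacons is lost independently
    with probability p, so X_n ~ Binomial(N-1, 1-p).
    """
    k = n - 1
    limit = tau * k * (1.0 - p)
    return sum(comb(k, i) * (1.0 - p) ** i * p ** (k - i)
               for i in range(k + 1) if i < limit)


if __name__ == "__main__":
    # The paper's own example: M = 2, delta = 5, p = 0.3.
    print("R_D:", detection_rate(0.3, 2, 5))
    print("min delta for 0.99999:", min_alert_repeats(0.3, 2, 0.99999))
    # Constructed sweep: 8-node cluster, tau = 0.55, rising channel loss rate.
    for loss in (0.1, 0.2, 0.3):
        print("p =", loss, "false alarm estimate:", false_alarm_estimate(8, loss))
```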