
Wireless communication is vulnerable to jamming-based Denial-of-Service (DoS) attacks in which an attacker purposefully launches signals to corrupt wireless communications.

Jamming cannot be adequately addressed by common security mechanisms such as confidentiality, authentication, and integrity, because jamming targets the basic transmission and reception capabilities of the physical devices. Moreover, none of the cryptographic constructions such as encryption/decryption can be directly adopted to solve the problem. Thus, we have to seek new solutions to deal with this severe attack.

[Hoang Nguyen; Alibi framework for identifying reactive jamming nodes in wireless LAN 2010]
[Ying Xuan; On Trigger Detection Against Reactive Jamming Attacks: A Clique-Independent Set Based Approach IEEE 2009]

Two types of jamming: Active and Reactive jamming


Active jamming: attackers jam channels regardless of whether there are on-going communication activities on the channels. Drawback: not energy efficient. Examples: continuous jamming, periodic jamming and random jamming.

[Definition: Jamming-resistant communications are necessary but not sufficient because as long as the jamming nodes are not identified, they always have effective jamming attacks on the network.]

Reactive jamming: attackers only jam the channels when there are on-going communication activities. Examples: scan-and-jam (on multi-channel networks) and listen-and-jam (on single-channel networks).

Problem: identifying compromised nodes that launch reactive jamming attacks. Reactive jamming is a very challenging problem because the attackers are assumed to know any shared secret and protocols in the network and try to stay undetected as long as possible while maximizing the damage done to the network.

First, many approaches are only concerned with how to build jamming-resistant communications without identifying the source of jamming. Jamming-resistant communications are necessary but not sufficient because as long as the jamming nodes are not identified, they always have effective jamming attacks on the network.

Second, there are also several works on identifying misbehaving nodes. However, because the attackers leave no identity information in the jammed packets, detection systems that rely on identity clues to infer which nodes caused a jammed packet do not work.

The jamming attack can be easily launched since it can be implemented by simply listening to the open medium and broadcasting in the same frequency band as the sensor networks. Many existing countermeasures against jamming focus on spread spectrum.

Traditional method (Physical Layer):
1. DSSS
2. FHSS

Drawbacks: too costly for the energy and frequency constrained sensor networks. To successfully communicate under jamming attack, both sender and receiver need to know the same hopping or spreading sequence beforehand and keep it secret.

Uncoordinated frequency hopping (UFHSS) and direct spread spectrum (UDSSS) have been proposed to enable key establishment between a pair of nodes without a pre-shared secret under a jammer.

Disadvantage: These approaches are typically not applicable to WSNs since they are designed for one-to-one communication or require a sophisticated wireless interface to support direct spread spectrum.

Group-based schemes: For broadcast communication, group-based schemes have been proposed. The idea is to divide receivers into multiple broadcast groups, with different groups using different predefined channels. A compromised receiver can only jam the communication in the same group. Then, a divide-and-conquer strategy is applied to remove malicious receivers. Disadvantage: they require a large number of available channels. Otherwise, the compromised nodes could coordinate to jam all channels in a group.

Channel surfing algorithm: Channel surfing deals with a narrow-band and intermittent jammer. The basic idea is to let sensor nodes switch channels in a way that the jammer cannot predict. All nodes switch to a different channel to evade jamming after jamming is detected:

C(n + 1) = F_K(C(n))

where K is a group key shared by all nodes, F is a pseudorandom function and C(n) is the original channel used before jamming. Problem: This technique is limited to outsider attacks and it does not work under node compromises since an insider attacker knows the group key K and the function F.

Other methods: wormhole-based anti-jamming techniques [1], channel surfing [2] and timing channel [3].

Security schemes against jamming: detection techniques, proactive countermeasures, reactive countermeasures, and mobile agent (MA)-based countermeasures.
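
The channel surfing rule C(n + 1) = F_K(C(n)) described above, as an added example that is not code from these notes or from the cited papers. It assumes HMAC-SHA256 as the pseudorandom function F and the 16 IEEE 802.15.4 channels (11 to 26) as the channel set, and it goes slightly beyond the text by mapping the output onto channels other than the current one; all function names and the sample key are hypothetical.

```python
import hashlib
import hmac

# Assumption: the 16 IEEE 802.15.4 channels in the 2.4 GHz band (11..26).
CHANNELS = list(range(11, 27))

def next_channel(group_key, current, channels=CHANNELS):
    """C(n+1) = F_K(C(n)), with F built from HMAC-SHA256 (an assumption).

    The PRF output indexes the channels other than `current`, so a node
    that detects jamming always leaves the jammed channel.
    """
    if current not in channels:
        raise ValueError("current channel is not in the channel set")
    others = [c for c in channels if c != current]
    if not others:
        raise ValueError("channel surfing needs at least two channels")
    tag = hmac.new(group_key, current.to_bytes(2, "big"), hashlib.sha256).digest()
    return others[int.from_bytes(tag[:8], "big") % len(others)]

def hop_sequence(group_key, start, hops, channels=CHANNELS):
    """Channels used after `hops` successive jamming detections."""
    seq = [start]
    for _ in range(hops):
        seq.append(next_channel(group_key, seq[-1], channels))
    return seq

def distinct_before_repeat(group_key, start, channels=CHANNELS):
    """The only state is the current channel, so the sequence must repeat
    within len(channels) hops; return how many channels it visits first."""
    seen, c = [], start
    while c not in seen:
        seen.append(c)
        c = next_channel(group_key, c, channels)
    return len(seen)

def exposed_fraction(holder_key, network_key, start, hops):
    """Share of hops that a party holding `holder_key` computes correctly."""
    seq = hop_sequence(network_key, start, hops)
    hits = sum(next_channel(holder_key, seq[i]) == seq[i + 1] for i in range(hops))
    return hits / hops

if __name__ == "__main__":
    K = b"constructed-group-key"               # constructed sample key
    print("node A:", hop_sequence(K, 11, 8))
    print("node B:", hop_sequence(K, 11, 8))   # same K and F: same channels
    print("distinct channels before repeat:", distinct_before_repeat(K, 11))
    # Every group member holds K, so the next channel is not secret from any of them.
    print("holder of K:", exposed_fraction(K, K, 11, 200))
    print("holder of another key:", exposed_fraction(b"not-the-key", K, 11, 200))
```

For any holder of the group key the exposed fraction is 1.0, which is the node-compromise limitation stated above.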

Paper: Jamming Sensor Networks: Attack and Defense Strategies W. Xu 2006

The first strategy involves avoiding the jammer in either the spectral or spatial sense, and can be achieved by changing channel allocations or, in mobile sensor networks, by moving nodes away from the jammer. The second strategy involves competing with the jammer by adjusting the transmission power levels and employing error correction in order to have more resilience against jamming.

Definition: Jamming is defined as the act of intentionally directing electromagnetic energy towards a communication system to disrupt or prevent signal transmission. This can be achieved by the jammer by attacking at the physical layer or at the data-link layer.

[Definition: In the jamming attack, an attacker injects a high level of noise into the wireless system, which significantly reduces the signal to noise and interference ratio (SINR) and reduces the probability of successful message receptions.]

At the physical layer, the jammer can only jam the receiver by transmitting at high power at the network frequency and lowering the signal-to-noise ratio below the receiver's threshold; however, it cannot prevent the transmitter from transmitting, and hence it cannot jam the transmitter. At the data link layer, it can jam the receiver by corrupting legitimate packets through protocol violations, and can also jam the transmitter by preventing it from transmitting by capturing the carrier through continuous transmission.

The main difference between jamming and RF interference (RFI) is that the former is intentional and against a specific target while the latter is unintentional, as a result of nearby transmitters that transmit in the same or very close frequencies.

There are two classifications of jamming attacks [1]:
- Physical layer jamming.
- By ignoring MAC layer rules.

Communication Protocol Stack:


Physical layer: responsible for frequency selection, carrier frequency generation, signal detection, data encryption and modulation. This is the layer that suffers the most damage from radio jamming attacks.

Data link layer: responsible for the multiplexing of data streams, data frame detection, medium access control (MAC), data encryption, and error control; as well as ensuring reliable point-to-point and point-to-multipoint connections. This layer, and more specifically the MAC, is heavily damaged by link-layer jamming. In link-layer jamming, sophisticated jammers can take advantage of the data link layer (DLL) to achieve energy efficient jamming. Compared to radio jamming, link-layer jamming offers better energy efficiency.

Network layer: responsible for specifying the assignment of addresses and how packets are forwarded.

Transport layer: responsible for the reliable transport of packets and data encryption.

Application layer: responsible for specifying how the data are requested and provided for both individual sensor nodes and interactions with the end user.

Physical Layer: (Radio Jamming) Jamming Attack: [ W. Xu 2006]


1. Constant Jammer: The constant jammer continually emits a radio signal. A constant jammer can effectively prevent legitimate traffic sources from getting hold of a channel and sending packets. It is not energy efficient.

2. Deceptive Jammer: Instead of sending out random bits, the deceptive jammer constantly injects regular packets to the channel without any gap between subsequent packet transmissions. It is highly effective but is as energy inefficient as the constant jammer.

3. Random Jammer: Instead of continuously sending out a radio signal, a random jammer alternates between sleeping and jamming. Specifically, after jamming for a while, it turns off its radio and enters a sleeping mode. Good for jammers that do not have unlimited power supply. It is less effective than the jammer it imitates (constant or deceptive) but is more energy efficient.

4. Reactive Jammer: Quiet when the channel is idle, transmits when it senses channel activity. It targets the reception of a message and is harder to detect. It is most effective but not very energy-efficient, as it spends a considerable amount of energy in constantly listening to the network.

Basic jamming attack models: [Sudip Misra Sensors 2010]

1. Spot Jammer: A jammer which knows the exact radio frequency of the target network, and attacks the network on that frequency (spot frequency) only. It requires less power to jam the network, and is the most efficient and effective jammer. Disadvantage: The target network can change the frequency (channel surfing/frequency hopping) to evade jamming.

2. Sweep Jammer: A jammer which does not know the target frequency, and therefore sweeps across the probable spectrum either periodically or aperiodically, thus jamming the affected networks temporarily.

3. Barrage Jammers: They cover a large bandwidth of the radio spectrum at a time, leaving very little scope for the target network to evade jamming. In barrage jamming, a range of frequencies is jammed at the same time. Its main advantage is that it is able to jam multiple frequencies at once with enough power to decrease the SNR of the enemy receivers. However, as the range of the jammed frequencies grows bigger, the output power of the jamming is reduced proportionally.

Data Link Layer:


The S-MAC protocol has these time segments: synchronization, listening, control, data, and sleep. Law et al. [11] have suggested four types of energy-efficient jammers for attacking a network following the S-MAC protocol. By exploiting the semantics of the link-layer protocol (aka MAC protocol), an attacker can achieve better efficiency than blindly jamming the radio signals alone.
[Law, Y.; Link-layer jamming attacks on S-MAC European Workshop on Wireless Sensor Networks, 2005]

Energy efficient jammers for various MAC protocols:
- Periodic Listening Interval Jammer: attacks when the nodes are in the listening period and sleeps at all other times.
- Periodic Control Interval Jammer: attacks when the nodes are in the control period and sleeps during the rest of the time.
- Periodic Data Packet Jammer: listens to the channel during the control interval and attacks the data segment.
- Periodic Cluster Jammer: meant for attacking networks that use encrypted packets. It uses the k-means clustering algorithm to separate clusters of the network and statistical estimations to determine the timing of the data segment, and then attacks the same accordingly.

[Wood, A.; S. JAM: a jammed area mapping service for sensor networks. IEEE DEC 2003]
- Interrupt Jammer: a variation of the Reactive Jammer in the sense that instead of listening to the channel constantly, it gets activated by means of a hardware interrupt when a preamble and start of frame delimiter (SFD) are detected from a received frame.
- Activity Jammer: yet another variation of the Interrupt Jammer (in fact, of the Reactive Jammer) meant for encrypted packets where detection of the SFD is otherwise not possible.
- Scan Jammer: similar to the Sweep Jammer. Instead of detecting a packet in a single channel, it searches all possible channels for a packet during a defined period of time, and having succeeded, it then attacks the channel.
- Pulse Jammer: akin to the Constant Jammer in the sense that it sends small packets constantly to jam a channel.

[Rajani, M.; Jamming attack detection and countermeasures in wireless sensor network using ant system. 2006]
- Single-Tone Jammer: attacks one channel at a time (akin to the Spot Jammer).
- Multi-Tone Jammer: can attack some or all the channels of a multi-channel receiver.
- Pulsed-Noise Jammer: a wide band jammer, sending pulsed jamming signals by turning on and off periodically at a slow or fast rate.
- Electronic Intelligence (ELINT): as they describe, is typically a passive system that tries to break down or analyze radar or communication TCF signals, and thus, strictly speaking, is not a jamming attack model.

SOLUTIONS TO JAMMING ATTACKS AND COUNTERMEASURES


Refer: http://aegean.academia.edu/DamianosGavalas/Papers/772232/An_effective_defensive_node_against_jamming_attacks_in_sensor_networks

[Sudip Misra; using honeynodes for defense against jamming attacks in wireless infrastructure-based networks Elsevier 2010]

Existing techniques: A thorough study was carried out to determine the various existing techniques used to mitigate jamming attacks in wireless networks.
- Channel Surfing
- Spatial Retreats
- Using Wormholes
- Mapping jammed regions
- Spread Spectrum Techniques

Channel Surfing: Channel Surfing is based on a spectral evasion mechanism in which a node under jamming attack follows the mitigation strategy of moving away to a different channel of operation. On detection of an attack, the nodes change their channel of operation on the basis of a pre-defined pseudorandom sequence communicated to them during association. An access point frequently sends beacons to all its associated nodes to check if they are still with it or not. If any of them does not respond to its beacon, it issues a channel change command telling all the remaining nodes to jump to a new channel of operation decided as per the pre-defined pseudorandom sequence.

Spatial Retreats: The Spatial Retreats algorithm is based on spatial evasion. Access points are immobile components of the network and remain stationary, but normal associated nodes move from the region of their current access point (which is currently being jammed) to the region of an emergency access point based on the emergency access point list given to them by their access point during association. The node, while moving away from its access point towards the emergency access point, tries to connect to its jammed access point. If a connection is found, the node stops moving; else, it moves into the zone of the emergency access point and gets associated with it through a proper handoff mechanism.

Using Wormholes: In wormhole attacks, two or more attackers act as a single attacker through a coordinated attack mechanism. A similar mechanism in which a jammed node communicates with an un-jammed node through an un-jammed medium is followed for attack mitigation. The un-jammed shared medium is referred to as a wormhole.

Jammed region mapping: Rather than focussing on counter measures of any sort, this technique concentrates on mapping out the jammed region by defining a mapping protocol. This is based on the responses received by the nodes which lie on the boundary of the jammed region. The aim is to mitigate the impact of a jammer by identifying and isolating the jammed region, and then trying to determine alternate routing paths for the data packets.

Spread spectrum techniques: The traditional systems try hard to forcibly push the maximum amount of information into the minimum amount of available bandwidth. A high-power jamming frequency covering the frequency band of the particular system can easily jam the system. In spread spectrum systems, the signal is spread over a range of bandwidth in the widest possible manner, thereby making the communication very hard to detect and jam. There are two different types of spread spectrum techniques that can be used. These are direct sequence spread spectrum (DSSS) [7,16,18] and frequency hopping spread spectrum (FHSS).

Drawbacks: too costly for the energy and frequency constrained sensor networks. To successfully communicate under jamming attack, both sender and receiver need to know the same hopping or spreading sequence beforehand and keep it secret.

Channel Surfing, Spatial Retreats and Wormholes-based mechanisms do not suffer from the aforementioned problem, but they do have their own drawbacks. Spatial Retreats has a serious drawback that it involves physically moving mobile nodes from the range of the jammed access point to the range of an emergency access point. This restricts the mobility of the nodes. A better solution is using Wormholes, but it requires providing an additional secure channel between all node pairs. Another aspect that is missing in all of the techniques discussed so far is that they only provide attack mitigation mechanisms, but not attack prevention mechanisms. We believe that the presence of an attack prevention mechanism would reduce the network downtime considerably. Spread spectrum techniques are very effective in coping with jamming attacks, but the amount of bandwidth that they consume for transferring small quantity of information, in addition to the complexity of transmitters and receivers required for their operation renders them impractical for everyday communication. However, where security is of utmost importance, they are considered to be amongst the best defense mechanisms currently available. Channel Surfing provides a continuous service with minimal resource consumption and additional infrastructure requirement. Hence, it provides a solution which can be easily integrated into the existing network architecture.

Detecting Jamming attack in Sensor Networks: [ W. Xu 2006]


Detecting jamming attacks is important because it is the first step toward building a secure and dependable wireless network.

A. Basic statistical methods

Signal Strength: Using low transmitted power decreases the discovery probability from an attacker (an attacker must first locate the target before transmitting a jamming signal). Higher transmitted power implies higher resistance against jamming because a stronger jamming signal is needed to overcome the original signal.

Carrier Sensing Time:

Packet Delivery Ratio: The ratio of the number of packets successfully sent out by the node (i.e., the number of packets for which the node has got the acknowledgement from the destination) to the total number of packets sent out by the node. The PDR is calculated by keeping counts of the acknowledgements of the successfully delivered packets and the total number of packets sent by the node and then by finding their ratio as a percentage.

Packet Send Ratio: The PSR of a node is the ratio of the number of packets actually sent by the node during a given time period to the number of packets intended to be sent by the node during that given period.
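
The PSR and PDR definitions above, as an added example (not code from these notes or from the cited paper): a windowed monitor that computes both ratios from per-window counters and raises an alarm after several degraded windows in a row. The thresholds, the consecutive-window count, the symptom labels and the sample counters are assumptions constructed for illustration.

```python
from collections import namedtuple

PSR_MIN = 80.0      # assumption: minimum healthy packet send ratio, percent
PDR_MIN = 65.0      # assumption: minimum healthy packet delivery ratio, percent
CONSECUTIVE = 3     # assumption: degraded windows in a row before alarming

# intended: packets the node wanted to send in the window
# sent:     packets that actually left the radio
# acked:    packets acknowledged by the destination
Window = namedtuple("Window", "intended sent acked")

def psr(w):
    """Packet send ratio in percent, or None if nothing was queued."""
    return None if w.intended == 0 else 100.0 * w.sent / w.intended

def pdr(w):
    """Packet delivery ratio in percent, or None if nothing was sent."""
    return None if w.sent == 0 else 100.0 * w.acked / w.sent

def classify(w):
    if not 0 <= w.acked <= w.sent <= w.intended:
        raise ValueError(f"inconsistent counters: {w}")
    send_ratio, delivery_ratio = psr(w), pdr(w)
    if send_ratio is None:
        return "idle"                 # no traffic, no evidence either way
    if send_ratio < PSR_MIN:
        return "send-blocked"         # the node cannot get hold of the channel
    if delivery_ratio < PDR_MIN:
        return "delivery-failed"      # packets leave but are not acknowledged
    return "ok"

def detect(windows):
    """Return (window index, symptom) for each run of CONSECUTIVE degraded windows."""
    alarms, run = [], 0
    for i, w in enumerate(windows):
        label = classify(w)
        if label == "idle":
            continue                  # idle windows neither extend nor reset a run
        run = run + 1 if label != "ok" else 0
        if run == CONSECUTIVE:
            alarms.append((i, label))
    return alarms

# Constructed sample counters (intended, sent, acked), one entry per window.
SAMPLE = [Window(*c) for c in [
    (50, 50, 48), (50, 49, 47),                          # healthy
    (50, 50, 20), (50, 48, 10), (0, 0, 0), (50, 50, 5),  # sent but not delivered
    (50, 50, 49),                                        # recovered
    (50, 10, 9), (50, 0, 0), (50, 5, 5),                 # cannot send
]]

if __name__ == "__main__":
    for i, w in enumerate(SAMPLE):
        print(i, psr(w), pdr(w), classify(w))
    print(detect(SAMPLE))
```

A low PDR can also come from a weak link or a failed neighbour, so a PDR alarm is a prompt for a consistency check against the signal strength measurement listed above, not proof of jamming.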
