25-09-2013, 02:12 PM
DEFENDING WIRELESS NETWORKS FROM RADIO INTERFERENCE ATTACKS
ABSTRACT
Wireless networks are built upon a shared medium that makes it easy for adversaries to conduct
radio interference, or jamming attacks, which effectively cause a denial of service (DoS) of
either transmission or reception functionalities. These attacks can be easily accomplished by
an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at
jamming a particular channel. In this thesis, we examine the issue of jamming wireless networks,
and sensor networks in particular, by studying both the attack and defense side of the
problem. On the attack side, we present four different jamming attack models that can be used
by an adversary to disable the operation of a wireless network, and evaluate their effectiveness
in terms of how each method affects the ability of a wireless node to send and receive packets.
In order to cope with the problem of jamming, we discuss a two-phase strategy involving the
diagnosis of the attack, followed by a suitable defense strategy. For detection, we show that single
measurement statistics are not enough to reliably classify the presence of a jamming attack,
and propose multimodal detection methods. To cope with jamming, we propose a technique,
channel surfing, which involves evading the interferer in the spectral domain. Several different
channel surfing models are presented, and we evaluate their effectiveness using a testbed of
MICA2 motes. Beyond channel surfing, we overview a second defense strategy whereby it is
possible to establish a low data rate jamming resistant communication channel by modulating
the interarrival times between jammed packets.
Introduction
Motivation
Wireless networks are progressively becoming more affordable, and consequently are being
deployed in a variety of different modalities, ranging from wireless local area networks to mesh
and sensor networks. For example, WiFi (IEEE 802.11) is widely used both for residential and
enterprise settings to enable users to access the Internet. WiMAX (IEEE 802.16) provides
users high-speed broadband network access in a metropolitan area. Further, networks are being
deployed in a wide range of settings to monitor and collect data. As people increasingly rely on
these wireless technologies to exchange crucial information, being able to assure their security
and trustworthiness is an issue of critical importance.
Problem Overview
We set the stage for the problem by starting with a parable. Suppose Alice and Bob are socializing
with each other at a party and, suddenly, the malicious Mr. X walks up. Without any regard
for proper social etiquette, he interrupts them and begins to take over the conversation. Each
time Alice tries to talk, Mr. X interrupts her and tells an inane story. Bob, likewise, doesn’t
fare any better. Alice and Bob both wait a polite amount of time in order to give Mr. X an
opportunity to remedy his behavior. However, after some time, it becomes clear that Mr. X will
not give in and that our two heroes are destined to have a poor reunion and regret ever attending
the party.
The story of the social party is a simple, motivating example for the problem of wireless
radio interference we study in this dissertation. In the case of wireless communication, Alice
and Bob correspond to two communicating nodes A and B, while Mr. X corresponds to an
adversarial interferer X. The adversary X, who may or may not be intentionally trying to
disrupt communication, may interfere with A and B’s ability to communicate by either ignoring
MAC-layer protocols (e.g. perhaps X does not know the proper MAC-layer etiquette or perhaps
he actively chooses to ignore MAC protocols)
A Brief Survey of Jamming and Defense Strategies
In this chapter, we will briefly overview the problem of radio interference by providing examples
of how easily RF-interference can disrupt wireless communications in various wireless
networks. We will then provide a high-level overview of a general strategy to overcome interference,
which consists of a multi-phased approach involving interference detection (see
Chapter 4) and then the use of an evasion strategy. Although, in this chapter, we will outline
two different evasion strategies, channel surfing and spatial retreats, we will focus our attention
only on a more detailed analysis of channel surfing in Chapter 5.
We begin in subsection 2.1 by presenting case studies on the RF-interference problem.
We introduce the three different wireless network scenarios that we will study in this section
in subsection 2.2. Following the setup of the problem, we present channel surfing, our first
defense against MAC/PHY-layer denial of service attacks in subsection 2.3. Channel surfing
involves valid participants changing the channel they are communicating on when a denial of
service attack occurs. In subsection 2.4, we examine spatial retreats, which involves legitimate
network devices moving away from the adversary.
Non-MAC-compliant Interferer Case Study
In this section, we study the impact that a Non-MAC-compliant interferer has on communication.
In particular, we examine the impact the interferer has on carrier sensing time as well as
packet delivery ratio (PDR).
During normal operation of CSMA, when A tries to transmit a packet, it will continually
sense the channel until it detects the channel is idle, after which it will wait an extra amount
of time (known as the propagation delay) in order to guarantee the channel is clear. Then, if
RTS/CTS is used it will send the RTS packet, or otherwise will send the data packet. Suppose
the adversary X is continually blasting on a channel and that A attempts to transmit a packet.
Then, since X has control of the channel, A will not pass carrier-sensing, and A may time-out
or hang in the carrier-sensing phase. As a result, no packets from A can be sent out.
To validate our analysis of carrier sensing time and PDR, we performed a set of experiments
using MICA2 motes. Each mote had a ChipCon CC1000 RF transceiver and used TinyOS
1.1.1 as the operating system, which used a fixed threshold for determining idleness. To build
the jammer X, we disabled the backoff operations to bypass the MAC protocol.
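The sender-side effect described above can be reproduced in a small simulation. This is an added example, not code from the thesis: the threshold, timeout, RSSI levels and function names are constructed assumptions, and it models only node A's fixed-threshold carrier sensing.

```python
import random

IDLE_THRESHOLD_DBM = -85    # constructed fixed idle threshold
SENSE_TIMEOUT_SLOTS = 64    # constructed limit before A gives up on a packet

def csma_send(rssi_at, start_slot):
    """Sense one slot at a time; return (sent, slots spent in carrier sensing)."""
    for waited in range(SENSE_TIMEOUT_SLOTS):
        if rssi_at(start_slot + waited) < IDLE_THRESHOLD_DBM:
            return True, waited          # channel idle: the packet leaves A
    return False, SENSE_TIMEOUT_SLOTS    # never idle: A times out

def run(rssi_at, packets, gap=100):
    """Return (fraction of packets that left A, mean carrier sensing time)."""
    sent, sensing = 0, []
    for i in range(packets):
        ok, waited = csma_send(rssi_at, i * gap)
        sent += ok
        sensing.append(waited)
    return sent / packets, sum(sensing) / packets

def make_background(seed, busy_prob=0.3):
    """Constructed benign channel: each slot is busy with probability busy_prob."""
    rng, trace = random.Random(seed), {}
    def rssi_at(slot):
        if slot not in trace:
            trace[slot] = -60 if rng.random() < busy_prob else -95
        return trace[slot]
    return rssi_at

def constant_jammer(slot):
    """Constructed model of X: every slot is above the idle threshold."""
    return -50

if __name__ == "__main__":
    print("benign:", run(make_background(1), 50))
    print("jammed:", run(constant_jammer, 50))
```

The PDR at B can never exceed the fraction of packets that leave A, so under the constant interferer it is zero while the carrier sensing time sits at the timeout.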
Cross-channel Interference Case Study
In this discussion we examine the issue of channel selection and the impact it can have on
communications. Unlike the interferers studied in the previous case study, where the jammers
do not follow MAC rules and can completely take the channel, the interferers discussed in this
sub-section can be regular network nodes that follow a proper MAC protocol.
In order to demonstrate how channel selection can interfere with network communications,
we conducted a set of experiments using Berkeley motes. In these experiments, two motes act
as the communicator and receiver, denoted by A and B. A continuously sends out 31-byte
packets to B, resulting in a throughput of 3.6Kbps. We then placed interferers or jammers in
different locations. In the first set of experiments, we used motes as interferers. We tried three
interferer scenarios, which are illustrated in Figure 2.3.
Two-Party Radio Communication
Consider the radio scenario depicted in Figure 2.9(a). In this scenario, jammer X1 or X2
has disrupted communication between A and B. We desire both A and B to change to a
new channel in order to avoid X’s interference. Using some detection techniques discussed
in Chapter 4, once A and B have detected jamming, they will change to a new channel, and
resume communication in the new channel.
To facilitate channel surfing, both parties have to agree on the channel adaptation sequence,
since A and B cannot negotiate with each other while they are within the jamming range.
Additionally, we emphasize the importance of using orthogonal channels, since if A and B
evade to a new channel that is not orthogonal to the original one, A or B will still be interfered
with by X’s signal. For many wireless networks, it is necessary to determine the number of
orthogonal channels experimentally. For example, the specifications for the radio employed in
Berkeley motes state that a channel separation of 150kHz is recommended in order to prevent
cross-channel interference. As noted earlier, we have found through experiments that 800kHz is
a safer value for channel separation in order to maintain effective network-layer orthogonality.
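One way to realise a pre-agreed channel adaptation sequence over orthogonal channels, as an added example that is not the thesis's own scheme. The band limits, the shared key and the HMAC-based sequence are assumptions chosen for illustration; only the 150kHz and 800kHz separations come from the text.

```python
import hashlib
import hmac

def orthogonal_channels(low_khz, high_khz, separation_khz):
    """Centre frequencies in [low_khz, high_khz], separation_khz apart."""
    if separation_khz <= 0 or high_khz < low_khz:
        raise ValueError("invalid band or separation")
    return list(range(low_khz, high_khz + 1, separation_khz))

def next_channel(shared_key, hop_count, current_idx, n_channels):
    """Index to evade to on the hop_count-th evasion.

    A and B each compute this locally from state they already share, so
    nothing has to be negotiated over the jammed channel.
    """
    if n_channels < 2:
        raise ValueError("need at least two orthogonal channels")
    digest = hmac.new(shared_key, hop_count.to_bytes(4, "big"),
                      hashlib.sha256).digest()
    # An offset in 1..n-1 guarantees the new channel differs from the jammed one.
    offset = 1 + int.from_bytes(digest[:4], "big") % (n_channels - 1)
    return (current_idx + offset) % n_channels

def surf(shared_key, start_idx, hops, n_channels):
    """Channel indices visited over `hops` successive evasions."""
    idx, path = start_idx, [start_idx]
    for hop in range(hops):
        idx = next_channel(shared_key, hop, idx, n_channels)
        path.append(idx)
    return path

if __name__ == "__main__":
    # Constructed band: 902.0-928.0 MHz, expressed in kHz.
    spec = orthogonal_channels(902000, 928000, 150)   # datasheet separation
    safe = orthogonal_channels(902000, 928000, 800)   # experimentally safer
    print(len(spec), "channels at 150kHz,", len(safe), "at 800kHz")
    key = b"constructed pre-shared key"
    print([safe[i] for i in surf(key, 0, 5, len(safe))])
```

Both nodes must count evasions identically; if only one of them detects jamming and hops, their sequences diverge until they resynchronise.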