27-06-2012, 02:10 PM
Packet-Hiding Methods for Preventing Selective Jamming Attacks
Abstract
The open nature of the wireless medium leaves it vulnerable to intentional interference attacks, typically referred to as jamming.
This intentional interference with wireless transmissions can be used as a launchpad for mounting Denial-of-Service attacks on wireless
networks. Typically, jamming has been addressed under an external threat model. However, adversaries with internal knowledge of protocol
specifications and network secrets can launch low-effort jamming attacks that are difficult to detect and counter. In this work, we address the
problem of selective jamming attacks in wireless networks. In these attacks, the adversary is active only for a short period of time, selectively
targeting messages of high importance. We illustrate the advantages of selective jamming in terms of network performance degradation and
adversary effort by presenting two case studies: a selective attack on TCP and one on routing. We show that selective jamming attacks can be
launched by performing real-time packet classification at the physical layer. To mitigate these attacks, we develop three schemes that prevent
real-time packet classification by combining cryptographic primitives with physical-layer attributes. We analyze the security of our methods
and evaluate their computational and communication overhead.
Index Terms—Selective Jamming, Denial-of-Service, Wireless Networks, Packet Classification.
1 INTRODUCTION
Wireless networks rely on the uninterrupted availability of
the wireless medium to interconnect participating nodes.
However, the open nature of this medium leaves it vulnerable
to multiple security threats. Anyone with a transceiver
can eavesdrop on wireless transmissions, inject spurious
messages, or jam legitimate ones. While eavesdropping and
message injection can be prevented using cryptographic
methods, jamming attacks are much harder to counter.
They have been shown to actualize severe Denial-of-Service
(DoS) attacks against wireless networks [12], [17], [36], [37].
In the simplest form of jamming, the adversary interferes
with the reception of messages by transmitting a continuous
jamming signal [25], or several short jamming pulses [17].
Typically, jamming attacks have been considered under
an external threat model, in which the jammer is not
part of the network. Under this model, jamming strategies
include the continuous or random transmission of high-power
interference signals [25], [36]. However, adopting an
“always-on” strategy has several disadvantages. First, the
adversary has to expend a significant amount of energy
to jam frequency bands of interest. Second, the continuous
presence of unusually high interference levels makes this
type of attacks easy to detect [17], [36], [37].
Conventional anti-jamming techniques rely extensively
on spread-spectrum (SS) communications [25], or some
form of jamming evasion (e.g., slow frequency hopping,
or spatial retreats [37]). SS techniques provide bit-level protection
by spreading bits according to a secret pseudo-noise
(PN) code, known only to the communicating parties. These
methods can only protect wireless transmissions under the
external threat model. Potential disclosure of secrets due
to node compromise neutralizes the gains of SS. Broadcast
communications are particularly vulnerable under an internal
threat model because all intended receivers must be
aware of the secrets used to protect transmissions. Hence,
the compromise of a single receiver is sufficient to reveal
relevant cryptographic information.
(A preliminary version of this paper was presented at the IEEE ICC 2010 Conference.
This research was supported in part by NSF (CNS-0844111, CNS-1016943). Any
opinions, findings, conclusions, or recommendations expressed in this paper are
those of the author(s) and do not necessarily reflect the views of NSF.)
In this paper, we address the problem of jamming under
an internal threat model. We consider a sophisticated
adversary who is aware of network secrets and the implementation
details of network protocols at any layer in the
network stack. The adversary exploits his internal knowledge
for launching selective jamming attacks in which specific
messages of “high importance” are targeted. For example,
a jammer can target route-request/route-reply messages at
the routing layer to prevent route discovery, or target TCP
acknowledgments in a TCP session to severely degrade the
throughput of an end-to-end flow.
To launch selective jamming attacks, the adversary must
be capable of implementing a “classify-then-jam” strategy
before the completion of a wireless transmission. Such
strategy can be actualized either by classifying transmitted
packets using protocol semantics [1], [33], or by decoding
packets on the fly [34]. In the latter method, the jammer
may decode the first few bits of a packet for recovering
useful packet identifiers such as packet type, source and
destination address. After classification, the adversary must
induce a sufficient number of bit errors so that the packet
cannot be recovered at the receiver [34]. Selective jamming
requires an intimate knowledge of the physical (PHY) layer,
as well as of the specifics of upper layers.
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 1, JAN-FEB 2012
Fig. 1. (a) Realization of a selective jamming attack, (b) a generic frame format for a wireless network: Preamble | PHY hdr | MAC hdr [Frame control, Source adr., Dest. adr., Seq. number, Addl. param.] | Payload | MAC CRC | PHY trailer.
Our Contributions–We investigate the feasibility of real-time
packet classification for launching selective jamming
attacks, under an internal threat model. We show that
such attacks are relatively easy to actualize by exploiting
knowledge of network protocols and cryptographic primitives
extracted from compromised nodes. We investigate the
impact of selective jamming on critical network functions.
Our findings indicate that selective jamming attacks lead
to a DoS with very low effort on behalf of the jammer.
To mitigate such attacks, we develop three schemes that
prevent classification of transmitted packets in real time.
Our schemes rely on the joint consideration of cryptographic
mechanisms with PHY-layer attributes. We analyze
the security of our schemes and show that they achieve
strong security properties, with minimal impact on the
network performance.
The remainder of the paper is organized as follows. In
Section 2, we describe the problem addressed, and state the
system and adversarial model. In Section 3, we show the
feasibility of selective jamming attacks. Section 4 illustrates
the impact of selective jamming. In Sections 5, 6, and 7,
we develop methods for preventing selective jamming. In
Section 8, we evaluate the impact of our attack mitigation
methods on the network performance. Section 9 presents
related work. In Section 10, we conclude.
2 PROBLEM STATEMENT AND ASSUMPTIONS
2.1 Problem Statement
Consider the scenario depicted in Fig. 1(a). Nodes A and B
communicate via a wireless link. Within the communication
range of both A and B there is a jamming node J. When A
transmits a packet m to B, node J classifies m by receiving
only the first few bytes of m. J then corrupts m beyond
recovery by interfering with its reception at B. We address
the problem of preventing the jamming node from classifying
m in real time, thus mitigating J’s ability to perform selective
jamming. Our goal is to transform a selective jammer to
a random one. Note that in the present work, we do not
address packet classification methods based on protocol
semantics, as described in [1], [4], [11], [33].
2.2 System and Adversary Model
Network model–The network consists of a collection of
nodes connected via wireless links. Nodes may communicate
directly if they are within communication range, or
indirectly via multiple hops. Nodes communicate both in
unicast mode and broadcast mode. Communications can be
either unencrypted or encrypted. For encrypted broadcast
communications, symmetric keys are shared among all
intended receivers. These keys are established using pre-shared
pairwise keys or asymmetric cryptography.
Communication Model–Packets are transmitted at a rate
of R bauds. Each PHY-layer symbol corresponds to q bits,
where the value of q is defined by the underlying digital
modulation scheme. Every symbol carries (α/β)·q data bits,
where α/β is the rate of the PHY-layer encoder. Here, the
transmission bit rate is equal to qR bps and the information
bit rate is (α/β)·qR bps. Spread spectrum techniques such
as frequency hopping spread spectrum (FHSS), or direct
sequence spread spectrum (DSSS) may be used at the PHY
layer to protect wireless transmissions from jamming. SS
provides immunity to interference to some extent (typically
20 to 30 dB gain), but a powerful jammer is still capable of
jamming data packets of his choosing.
Transmitted packets have the generic format depicted
in Fig. 1(b). The preamble is used for synchronizing the
sampling process at the receiver. The PHY layer header
contains information regarding the length of the frame,
and the transmission rate. The MAC header determines
the MAC protocol version, the source and destination addresses,
sequence numbers plus some additional fields. The
MAC header is followed by the frame body that typically
contains an ARP packet or an IP datagram. Finally, the
MAC frame is protected by a cyclic redundancy check
(CRC) code. At the PHY layer, a trailer may be appended
for synchronizing the sender and receiver.
Adversary Model–We assume the adversary is in control
of the communication medium and can jam messages at any
part of the network of his choosing (similar to the Dolev-Yao
model). The adversary can operate in full-duplex mode,
thus being able to receive and transmit simultaneously. This
can be achieved, for example, with the use of multi-radio
transceivers. In addition, the adversary is equipped with
directional antennas that enable the reception of a signal
from one node and jamming of the same signal at another.
For analysis purposes, we assume that the adversary can
pro-actively jam a number of bits just below the ECC
capability early in the transmission. He can then decide to
irrecoverably corrupt a transmitted packet by jamming the
last symbol. In reality, it has been demonstrated that selective
jamming can be achieved with far less resources [32], [34].
A jammer equipped with a single half-duplex transceiver is
sufficient to classify and jam transmitted packets. However,
our model captures a more potent adversary that can be
effective even at high transmission speeds.
The adversary is assumed to be computationally and
storage bounded, although he can be far superior to normal
nodes. In particular, he can be equipped with special purpose
hardware for performing cryptanalysis or any other
required computation. Solving well-known hard cryptographic
problems is assumed to be time-consuming. For the
purposes of analysis, given a ciphertext, the most efficient
method for deriving the corresponding plaintext is assumed
to be an exhaustive search on the key space.
The implementation details of every layer of the network
stack are assumed to be public. Furthermore, the adversary
is capable of physically compromising network devices
and recovering stored information including cryptographic
keys, PN codes, etc. This internal adversary model is realistic
for network architectures such as mobile ad-hoc,
mesh, cognitive radio, and wireless sensor networks, where
network devices may operate unattended, thus being
susceptible to physical compromise.
3 REAL-TIME PACKET CLASSIFICATION
In this section, we describe how the adversary can classify
packets in real time, before the packet transmission is
completed. Once a packet is classified, the adversary may
choose to jam it depending on his strategy.
Consider the generic communication system depicted in
Fig. 2. At the PHY layer, a packet m is encoded, interleaved,
and modulated before it is transmitted over the wireless
channel. At the receiver, the signal is demodulated, deinterleaved,
and decoded, to recover the original packet m.
Fig. 2. A generic communication system diagram.
The adversary’s ability in classifying a packet m depends
on the implementation of the blocks in Fig. 2. The channel
encoding block expands the original bit sequence m, adding
necessary redundancy for protecting m against channel
errors. For example, an α/β-block code may protect m
from up to e errors per block. Alternatively, an α/β-rate
convolutional encoder with a constraint length of Lmax, and
a free distance of e bits provides similar protection. For our
purposes, we assume that the rate of the encoder is α/β.
At the next block, interleaving is applied to protect m from
burst errors. For simplicity, we consider a block interleaver
that is defined by a d×β matrix A (footnote 1). The de-interleaver is
simply the transpose of A. Finally, the digital modulator
maps the received bit stream to symbols of length q, and
modulates them into suitable waveforms for transmission
over the wireless channel. Typical modulation techniques
include OFDM, BPSK, 16(64)-QAM, and CCK.
In order to recover any bit of m, the receiver must collect
d·β bits for de-interleaving. The d·β de-interleaved bits are
then passed through the decoder. Ignoring any propagation
and decoding delays, the delay until decoding the first
block of data is ⌈d·β/q⌉ symbol durations. As an example, in
the 802.11a standard, operating at the lowest rate of 6 Mbps,
data is passed via a 1/2-rate encoder before it is mapped
to an OFDM symbol of q = 48 bits. In this case, decoding
of one symbol provides 24 bits of data. At the highest data
rate of 54 Mbps, 216 bits of data are recovered per symbol.
Footnote 1. Without loss of generality we assume that the number of columns of
the interleaving matrix is equal to the length of the codewords.
From our analysis, it is evident that intercepting the first
few symbols of a packet is sufficient for obtaining relevant
header information. For example, consider the transmission
of a TCP-SYN packet used for establishing a TCP connection
at the transport layer. Assume an 802.11a PHY layer
with a transmission rate of 6 Mbps. At the PHY layer, a 40-bit
header and a 6-bit tail are appended to the MAC packet
carrying the TCP-SYN packet. At the next stage, the 1/2-rate
convolutional encoder maps the packet to a sequence
of 1,180 bits. In turn, the output of the encoder is split into
25 blocks of 48 bits each and interleaved on a per-symbol
basis. Finally, each of the blocks is modulated as an OFDM
symbol for transmission. The information contained in each
of the 25 OFDM symbols is as follows:
- Symbols 1-2 contain the PHY-layer header and the
first byte of the MAC header. The PHY header reveals
the length of the packet, the transmission rate, and
synchronization information. The first byte of the MAC
header reveals the protocol version and the type and
subtype of the MAC frame (e.g., DATA, ACK).
- Symbols 3-10 contain the source and destination MAC
addresses, and the length of the IP packet header.
- Symbols 11-17 contain the source and destination IP
addresses, the size of the TCP datagram carried by the
IP packet, and other IP layer information. The first two
bytes of the TCP datagram reveal the source port.
- Symbols 18-23 contain the TCP destination port, sequence
number, acknowledgment number, TCP flags,
window size, and the header checksum.
- Symbols 24-25 contain the MAC CRC code.
Our example illustrates that a packet can be classified at
different layers and in various ways. MAC layer classification
is achieved by receiving the first 10 symbols. IP layer
classification is achieved by receiving symbols 10 and 11,
while TCP layer classification is achieved by symbols 12-19.
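The symbol-by-symbol breakdown above can be reproduced mechanically from the byte layout the text uses (40-bit PHY header, 24-byte MAC header, 20-byte IPv4 header, 20-byte TCP header, 4-byte MAC CRC, 6-bit tail, no LLC/SNAP header) and the per-symbol information rate (α/β)·q from the communication model. The script below is an added example, not code from the paper; it generalizes the 6 Mbps case to 54 Mbps so the reader can see how little reaction time is left at high rates. The 4 µs 802.11a symbol duration and the exact field offsets inside each header are assumptions used to express the jammer's window.

```python
"""Which OFDM symbol reveals which header field of an 802.11a frame carrying
a TCP-SYN, and how many symbols remain for the jammer once a field is known.
Byte layout follows the text (PHY hdr 5 B, MAC hdr 24 B, IP 20 B, TCP 20 B,
MAC CRC 4 B, 6-bit tail, LLC/SNAP omitted); symbol time is an assumption."""
from math import ceil

# rate_mbps -> (q coded bits per symbol, alpha, beta) for 802.11a
RATES = {6: (48, 1, 2), 54: (288, 3, 4)}    # BPSK 1/2 and 64-QAM 3/4
SYMBOL_US = 4.0                               # assumption: 802.11a OFDM symbol
TAIL_BITS = 6                                 # 6-bit tail appended at the PHY

def data_bits_per_symbol(q, alpha, beta):
    """Information bits per PHY symbol, (alpha/beta) * q in the text's notation."""
    return q * alpha // beta

# Absolute byte offsets of each header in the frame as accounted in the text.
PHY_OFF, MAC_OFF, IP_OFF, TCP_OFF, CRC_OFF = 0, 5, 29, 49, 69
FRAME_BYTES = CRC_OFF + 4                     # 73 bytes = 584 bits (+ 6 tail = 590)

# (layer, field, byte offset, length); offsets inside headers are assumptions
FIELDS = [
    ("PHY", "PLCP header",   PHY_OFF,      5),
    ("MAC", "frame control", MAC_OFF,      2),
    ("MAC", "dest addr",     MAC_OFF + 4,  6),
    ("MAC", "source addr",   MAC_OFF + 10, 6),
    ("MAC", "seq control",   MAC_OFF + 22, 2),
    ("IP",  "protocol",      IP_OFF + 9,   1),
    ("IP",  "src addr",      IP_OFF + 12,  4),
    ("IP",  "dst addr",      IP_OFF + 16,  4),
    ("TCP", "src port",      TCP_OFF,      2),
    ("TCP", "dst port",      TCP_OFF + 2,  2),
    ("TCP", "flags",         TCP_OFF + 13, 1),
    ("CRC", "MAC CRC",       CRC_OFF,      4),
]

def symbol_of(byte_off, length, bits_per_sym):
    """1-based index of the symbol in which the field's last bit is received."""
    return ceil((byte_off + length) * 8 / bits_per_sym)

def classify_timeline(rate_mbps):
    """Per field: symbol at which it is known, symbols and microseconds left."""
    q, alpha, beta = RATES[rate_mbps]
    bps = data_bits_per_symbol(q, alpha, beta)
    total = ceil((FRAME_BYTES * 8 + TAIL_BITS) / bps)
    rows = []
    for layer, name, off, ln in FIELDS:
        sym = symbol_of(off, ln, bps)
        rows.append((layer, name, sym, total - sym, (total - sym) * SYMBOL_US))
    return bps, total, rows

def earliest_full_symbol(rate_mbps, layer):
    """Symbol by which every listed field of `layer` has been received."""
    _, _, rows = classify_timeline(rate_mbps)
    return max(sym for lyr, _, sym, _, _ in rows if lyr == layer)

if __name__ == "__main__":
    for rate in (6, 54):
        bps, total, rows = classify_timeline(rate)
        print(f"{rate} Mbps: {bps} data bits/symbol, frame = {total} symbols")
        for layer, name, sym, left, us in rows:
            print(f"  {layer:3} {name:13} known at symbol {sym:2}; "
                  f"{left:2} symbols ({us:3.0f} us) left to jam")
```

At 6 Mbps the script reproduces the text's figures (25 symbols in total, MAC fields complete by symbol 10, IP addresses by symbol 17, TCP ports by symbol 18, CRC in symbol 25) and shows that even the TCP flags, the last field a jammer needs to single out a SYN or an ACK, are known with four symbols (16 µs) still on the air. At 54 Mbps the whole frame fits in three symbols, so a jammer that wants to classify on the IP addresses has exactly one symbol left, which is why the adversary model assumes a receiver that is faster than an ordinary node.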
An intuitive solution to selective jamming would be
the encryption of transmitted packets (including headers)
with a static key. However, for broadcast communications,
this static decryption key must be known to all intended
receivers and hence, is susceptible to compromise. An
adversary in possession of the decryption key can start
decrypting as early as the reception of the first ciphertext
block. For example, consider the cipher-block chaining
(CBC) mode of encryption [27]. To encrypt a message m
with a key k and an initialization vector IV, message m is
split into x blocks m1,m2, . . .mx, and each ciphertext block
ci, is generated as:
c1 = IV, ci+1 = Ek(ci ⊕ mi), i = 1, 2, . . . , x, (1)
where Ek(m) denotes the encryption of m with key k. The
plaintext mi is recovered by:
mi = ci ⊕ Dk(ci+1), i = 1, 2, . . . , x. (2)
Fig. 3. (a) Average application delay E[D] (sec) vs. jamming probability p, (b) average effective throughput E[T] (bps) vs. p, (c) number of packets jammed vs. p, (d) fraction of time the jammer is active, t (normalized), vs. p; curves in (a)-(d) for TCP-ACK, RTS/CTS, Data, and Random jamming. (e) Number of connections established in the network (routes, normalized), (f) fraction of time the jammer is active, t (normalized); bars in (e)-(f) for R 0.3, R 0.5, R 0.7, R 0.9, Sel., and Con.
R p: random jammer with probability p; Con.: constant jammer; Sel.: selective jammer.
Note from (2) that reception of ci+1 is sufficient to recover
mi if k is known (c1 = IV is also known). Therefore, real-time
packet classification is still possible.
One solution to the key compromise problem would
be to update the static key whenever it is compromised.
However, such a solution is not useful if the compromised
node obtains the new key. This can only be avoided if there
is a mechanism by which the set of compromised nodes can
be identified. Such a task is non-trivial when the leaked key
is shared by multiple nodes. Any node that possesses the
shared key is a candidate malicious node.
Moreover, even if the encryption key of a hiding scheme
were to remain secret, the static portions of a transmitted
packet could potentially lead to packet classification. This
is because for computationally-efficient encryption methods
such as block encryption, the encryption of a prefix
plaintext with the same key yields a static ciphertext prefix.
Hence, an adversary who is aware of the underlying
protocol specifics (structure of the frame) can use the static
ciphertext portions of a transmitted packet to classify it.
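Both observations, block-by-block recovery via equation (2) when the key has leaked, and classification by a static ciphertext prefix when it has not, are easy to make concrete. The script below is an added example and not the paper's code. It keeps CBC exactly as in equations (1) and (2) but replaces AES with a small keyed Feistel permutation built from HMAC-SHA256 so that it runs on the standard library alone; the 16-byte frame layout, the frame-type codes and the sample packets are constructed for the demonstration. One caveat the text leaves implicit: a static ciphertext prefix arises only when the same key and the same IV are reused (or in ECB mode); with a fresh random IV per packet the prefix changes, and only the key-holding attack remains.

```python
"""CBC classification after equations (1) and (2): a jammer holding the shared
key recovers m_i as soon as c_{i+1} arrives; a jammer without the key still
matches a static ciphertext prefix whenever key and IV are reused."""
import hashlib
import hmac
import secrets

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, r, half):
    # Round function: keyed PRF over (round index, right half), truncated.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def E(key, block):
    """4-round Feistel permutation standing in for the block cipher E_k
    (assumption: AES swapped out so the script needs only the stdlib)."""
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        L, R = R, _xor(L, _f(key, r, R))
    return L + R

def D(key, block):
    """Inverse permutation D_k: the same rounds applied in reverse order."""
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(4)):
        L, R = _xor(R, _f(key, r, L)), L
    return L + R

def cbc_encrypt(key, iv, m):
    """Equation (1): c_1 = IV, c_{i+1} = E_k(c_i xor m_i). Returns [c_1..c_{x+1}]."""
    assert len(m) % BLOCK == 0
    c = [iv]
    for i in range(0, len(m), BLOCK):
        c.append(E(key, _xor(c[-1], m[i:i + BLOCK])))
    return c

def classify_stream(key, blocks, decide):
    """Equation (2) block by block: m_i = c_i xor D_k(c_{i+1}) is computed the
    moment c_{i+1} is in hand, and decoding stops as soon as decide() can
    classify the plaintext prefix. Returns (decision, index of the last
    ciphertext block that had to be received, counting c_1 = IV as 1)."""
    prev, plain = blocks[0], b""            # c_1 = IV is public
    for n, cur in enumerate(blocks[1:], start=2):
        plain += _xor(prev, D(key, cur))
        prev = cur
        decision = decide(plain)
        if decision is not None:
            return decision, n
    return None, len(blocks)

# Constructed frame layout for the demo: 1-byte frame type, 15 bytes of fixed
# header, then a 32-byte body, so every frame is exactly three blocks.
TYPE_DATA, TYPE_ACK = 0x08, 0xD4            # constructed type codes

def make_frame(frame_type, body):
    return bytes([frame_type]) + b"\x00" * (BLOCK - 1) + body.ljust(2 * BLOCK, b"\x00")

def is_ack(plain):
    return plain[0] == TYPE_ACK             # decidable from the first block

def demo_key_known(key):
    """Compromised-receiver case: ACK vs DATA is settled once c_2 arrives,
    with two ciphertext blocks (and the CRC) still on the air."""
    iv = secrets.token_bytes(BLOCK)
    ack = cbc_encrypt(key, iv, make_frame(TYPE_ACK, b"ack"))
    data = cbc_encrypt(key, iv, make_frame(TYPE_DATA, b"payload"))
    return classify_stream(key, ack, is_ack), classify_stream(key, data, is_ack)

def demo_static_prefix(key, iv_a, iv_b):
    """No key needed: two frames sharing their first plaintext block share c_2
    whenever the IV repeats, so the type leaks through ciphertext equality.
    A fresh IV per frame makes c_2 differ and the function returns False."""
    c_a = cbc_encrypt(key, iv_a, make_frame(TYPE_ACK, b"first"))
    c_b = cbc_encrypt(key, iv_b, make_frame(TYPE_ACK, b"second"))
    return c_a[1] == c_b[1]

if __name__ == "__main__":
    k = secrets.token_bytes(BLOCK)
    print("key known :", demo_key_known(k))
    print("IV reused :", demo_static_prefix(k, bytes(BLOCK), bytes(BLOCK)))
    print("IV fresh  :", demo_static_prefix(k, secrets.token_bytes(BLOCK),
                                            secrets.token_bytes(BLOCK)))
```

classify_stream returns the index 2 in both runs: the frame type was read from c_2 alone, the first ciphertext block after the IV, which is exactly the "reception of c_{i+1} is sufficient to recover m_i" point. The prefix check shows why a fresh IV per packet is necessary but not sufficient under the internal threat model: it defeats the ciphertext-equality classifier, yet a jammer holding k still classifies from c_2.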