1. Jamming for good: a fresh approach to authentic communication in WSNs
I.Martinovic, P.Pichota, J.B.Schmitt
WiSec’09

2. Outline 0. Wireless Sensor Network 1. Motivation
2. Wireless Security Primitives
3. Jam Where It Hurts
4. Wireless Security Design
5. Overall Network Analysis
6. Conclusion
7. Comment

3. 0. Wireless Sensor Network
Definition
Consists of spatially distributed autonomous sensors
Capability
to cooperatively monitor physical or environmental conditions, such as temperature, sound, vibration, pressure, motion or pollutants

4. 1. Motivation Completely abandoned cryptographic methods
Instead of conventional message authentication by receiving, verifying, and then discarding fake data
Sensor nodes are prevented from receiving fake data at all
Novel security design relying merely on physical properties of wireless communications – by frequency jamming (although usually used as adversarial tools)

5. 2. Wireless Security Primitives
Some experimental results that demonstrate the unpredictable nature of the signal propagation

6. 2. Wireless Security Primitives
2.1 Radio signal propagation

7. 2. Wireless Security Primitives
2.2 Transmission control
By setting only frames with RSS ∈ [RSSmin,RSSmax] are accepted & processed
This simple countermeasure forces an adversary to chose between two attack vectors:
(i) Impersonate: inject fake frame on receivers by adapting its transmission power
(ii) Jamming: launching a frequency jamming attack by producing RSS >RSSmax
However, in this case, its frames are not accepted by the receivers, (i.e., this attack can only serve for jamming and not for impersonation)

8. 2. Wireless Security Primitives
2.3 Jamming for Good
Low-cost WSN devices are, in general, not capable of sending and receiving frames at the same time
To jam or not?
Therefore, to support jamming of the fake data frames, the idea is to integrate jamming into the communication protocol (in Section 4.4)

9. 2. Wireless Security Primitives
2.3 Jamming for Good
This is done by separating the data exchange into two frames
DFN: a small Data Follows Notification frame
DATA: a Data Content frame
Inter-Frame Time Gap (between DFN & DATA)
First, frames will be rejected if arrived too soon or too late
Second, other sensors are provided with enough time to analyze the authenticity of the DFN frame, and decide whether to jam

10. 3. Jam Where It Hurts
SHR: synchronization header (for symbol synchronization and frequency offset at potential receivers)
SFD: start of frame delimiter (for byte synchronization and to indicate the end of this phase)
PHR: physical header
PSDU: Physical-layer Service Data Unit

11. 3. Jam Where It Hurts 3.2 Timing and Jam Duration Factors of delay
Transceiver recalibration
In-system processing
Hence, the mean delay itself is not that crucial
More important is the variance and granularity of available timers

12. 3. Jam Where It Hurts
3.2 Timing and Jam Duration

13. 3. Jam Where It Hurts 3.2 Timing and Jam Duration [t0−80 , t0+80]
Initial acceptance interval; t0 denotes the exact point in time
[t0−112 , t0+80]
With respect to transmission delay of 32µs
[t0−192 , t0+80]
The transmission commences 80µs before or after t0
Since the jammer itself is subject to limited accuracy (every WSN node can be a potential jammer)
[t0−272 , t0+80]
Scheduled to eliminate all uncertainties
Total duration: 352µs

14. 3. Jam Where It Hurts
3.2 Timing and Jam Duration

15. 3. Jam Where It Hurts 3.3 How Many Concurrent Jammers?
The number of jammers should be active during a fake transmission
Also, since acceptance intervals limit an adversary’s RSS to RSSmax during an injection attack, legitimate nodes are able to transmit at least equally strong signal as an adversary

16. 4. Wireless Security Design
The main objective: data authentication
A WSN should be able to verify whether sensor data originated from legitimate sensors.
Using two mechanisms
(1) attack detection:
Fake transmissions are identified (detected)
(2) attack cancellation:
Utilize jamming to prevent sensors from receiving the fake data (jamming)

17. 4. Wireless Security Design
4.2 Attack Detection
During this phase all sensors periodically change their transmission frequencies and power levels
Attack 1: Offline attack (brute-force)
Fail; for the adversary must find a configuration of transmission properties that fulfill the acceptance intervals on the receivers
Attack 2: Active probing attack
To probe the acceptance intervals; and it’s also the reason why dynamically changes the frequency
Can introduce further methods to detect & countermeasure

18. 4. Wireless Security Design
4.2 Attack Detection

19. 4. Wireless Security Design
4.3 Attack Cancellation
After detecting not in the acceptance interval
Assumption of the attack
The adversary should not be able to exactly predict the jammers of the next fake transmission (that is, the adversary cannot selectively attack the legitimate nodes for battery-exhaustion attack)
To reduce the jamming redundancy by controlling the ratio of jams per fake transmission (as discussed in Section 3.3)
so having large number of potential jammers (nodes that detect the injected frame)
but keep the number of active jammer low.

20. 4. Wireless Security Design
4.4 Adaptive Jamming
Each node bears an Individual probability p for jamming a detected impersonation attack
To keep the adversary from guessing the next jammer, and
To avoid permanent jamming from a single node
Jamming functions
increase: f1 : p ← p · (1 − log10 p)
decrease: f2 : p ← p · (1 − log10 p)−1

21. 4. Wireless Security Design
4.4 Adaptive Jamming
Three cases during their monitoring of the channel
1. DFN impersonated ∧ DATA received
No jamming activity; the attack was successful
Hence, the node increases its jamming probability p by applying some function f1(p)
2. DFN impersonated ∧ JAM received
Detected and received other nodes’ JAM frame
Applies f2(p) to decrease p
3. DFN impersonated ∧ JAM sent
Detected; decrease p by f2(p)

22. 4. Wireless Security Design
4.4 Adaptive Jamming

23. 5. Overall Network Analysis
5.2 Threat Model
The attacker’s goal:
to maximize the number of messages sent on behalf of I
which are correctly received and accepted by T for each frequency f by adjusting the parameters p and p∗
Tuple (f , p, p∗)
In order to determine the impersonation success he repeatedly emits 100 messages addressed to T for each wireless configuration represented by a tuple (f , p, p∗)
( I: intermediary sensor; T: corresponding sensor; f: frequency
p: applied power level; p∗: pretended power level )

24. 5. Overall Network Analysis
5.4 Evaluation Results
The results and discussion focus on
the maximum success rate a virtual attacker can achieve
the number of sensors able to overhear malicious transmissions
how many of them eventually take countermeasures

25. 5. Overall Network Analysis
5.4 Evaluation Results

26. 6. Conclusion
Take advantage of jamming to provide new authentication mechanisms
Rather than spending battery power to receive, verify, and then discard the data, a wireless device can
Impersonation attacks can be easily detected and avoided
By using jamming with other properties of wireless communications
such as the unpredictable nature of radio propagation, this work demonstrated that without relying on any secrets

27. 7. Comment Countermeasure to active probing?
By periodically, dynamically changing acceptance interval?
How to build a strong “acceptance interval” generator?