Presentation is loading. Please wait.

Presentation is loading. Please wait.

DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks Anthony D. Wood, John A. Stankovic, Gang Zhou Department of Computer.

Published byKatherine King Modified over 9 years ago

Similar presentations

Presentation on theme: "DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks Anthony D. Wood, John A. Stankovic, Gang Zhou Department of Computer."— Presentation transcript:

1 DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks Anthony D. Wood, John A. Stankovic, Gang Zhou Department of Computer Science University of Virginia June 19, 2007

2 2 / 24 Wireless Sensor Networks Embedded in physical environment Devices with limited resources Large scale static deployment Diverse applications: military, volcano monitoring, zebra tracking, healthcare, emergency response... MICAz mote: 8 MHz 8-bit uP 128 MB code 4 KB data mem 250 Kbps radio IEEE 802.15.4 radios: MICAz, Telos/Tmote/Tmini, iMote2, XYZ

3 3 / 24 Physical-Layer DoS Threats and Vulnerabilities: –WSNs becoming ubiquitous, connected to IP networks –Devices are easy to compromise –Jamming is easy to do in software –DoS attacks will spread to WSNs A ► Attacker’s goal: disrupt communication as steathily and energy-efficiently as possible

4 4 / 24 A Physical-Layer DoS State of the Art: –Military hardware –Detection of jamming, evasion by physically moving, channel surfing (Xu et al.) –Data blurting, schedule switching (Law et al.) –Multi-frequency protocols: Bluetooth, Tang et al., Zhou et al. –Wormholes to exfiltrate data (Cagalj et al.) –Low-density parity codes (Noubir) 0101101 x

5 5 / 24 Physical-Layer DoS Our approach: –Hide messages from the jammer –Evade the jammer’s search –Reduce impact of corrupted messages –Raise the bar for jamming DoS attackers ► DEEJAM: defeating jamming at the MAC-layer A

6 6 / 24 Contributions Define, implement, and show efficacy of four jamming attack classes: –interrupt jamming, activity jamming, scan jamming, pulse jamming Propose four complementary solutions that together greatly improve communication: –frame masking, channel hopping, packet fragmentation, redundant encoding Evaluate integrated protocol on MICAz platform to show suitability for popular embedded hardware. Empirically show continued communication despite an ongoing attack

7 7 / 24 Assumptions Static wide-area deployment, no mobility Lightweight cryptographic primitives available Key distribution, time synchronization available Each pair of neighbors shares K N, used to generate other keys and pseudo-random sequences. Attacker compromises mote or uses mote-class hardware –Can use all resources available to regular node

8 8 / 24 IEEE 802.15.4 Transceivers 802.15.4 defines: 250 Kbps, 16 channels, DSSS, 4-bit symbols, 32 chips/symbol Transmit path: –micro fills TXFIFO, issues transmit command –after small delay, radio chip transmits frame Receive path: –search for DSSS coding –sync 4-bit symbols on preamble –sync bytes on Start of Frame Delimeter (SFD) –buffer frame, signal micro –micro reads RXFIFO, parses packet

9 9 / 24 A1: Interrupt Jamming Attack goal: only jam when message on air Configure radio to generate interrupt on SFD In SFD interrupt vector, issue transmit command Only need to invalidate Frame Check Sequence internal radio stabilization delay [128-192us] time to initialize state and radio registers [10us]

10 10 / 24 D1: Frame Masking Defense goal: prevent interrupt upon message header reception Neighbors use secret SFD sequence: K S = E Kn (0) SS = { E Ks (i) mod 2 q }, q is length of SFD [1 or 2B] Without knowing SS, attacker’s radio: –synchronizes on DSSS encoding in preamble –searches for its configured SFD (not SS i ) –does not capture message or generate interrupt

11 11 / 24 A2: Activity Jamming Attack goal: poll channel energy to find message Attacker’s micro polls RSSI / CCA output of radio When activity is detected, initiate jamming Less reliable detection (false positives), more latency minimum time to sample RSSI [128us] sampling period

12 12 / 24 D2: Channel Hopping Defense goal: evade activity check Neighbors channel hop according to secret shared sequence: K C = E Kn (1) CS = { E Kc (i) mod C }, C is number of channels [16] Attacker has 1 / C chance of sampling correct channel, U / C chance of detecting a message for channel utilization U

13 13 / 24 A3: Scan Jamming Attack goal: find messages and jam Attacker scans channels, checking for activity and jamming if detected minimum time to change frequency and stabilize [132us]

14 14 / 24 A3: Scan Jamming For C channels, attacker can always jam if: Since channel is chosen randomly, probability of successful scan jamming is at most: ► Defender wants to increase C and/or decrease T pkt

15 15 / 24 D3: Packet Fragmentation Defense goal: hop away before jammer reacts Fragment packets based on minimum reactive jam time Reassemble sequence of fragments at receiver

16 16 / 24 A4: Pulse Jamming Attack goal: blindly disrupt fragments Transmit with duty cycle sufficient to corrupt any fragments present on a chosen channel: T hdr / (2T hdr + T frag ) [< 50%] Disadvantages: –Not reactive, not stealthy –Cannot selectively jam by inspecting header

17 17 / 24 D4: Redundant Encoding Defense goal: recover from damaged fragments Redundantly encode fragments with configurable rate R (Some) fragments corrupted on a pulse jammed channel are recoverable Requirement for CS : C i ≠ C i+1

18 18 / 24 DEEJAM MAC Protocol Summary Compute FCS for entire packet Divide into small fragments Encode redundantly with rate R Assign SFD from receiver’s current SS Transmit on channel in receiver’s current CS ► Channel hopping by itself is not sufficient ► Cannot assume a priori that attacker pulse jams

19 19 / 24 Implementation Prototype implementation in nesC for TinyOS, using MICAz’s TI Chipcon CC2420 To minimize fragment length: –shortened T txdelay to 4B –shortened preamble to 1B –removed unused IEEE 802.15.4 MAC fields Interrupt jamming: byte-serial receive mode + FIFOP interrupt with threshold zero

20 20 / 24 Evaluation Sender to receiver, attacker jamming Five 60s runs, 32 msg/s, 39B total length Total of 9595 messages per datum Use 16 channels Transmit power -7 dBm Measure: –Packet Delivery Ratio with attacks –Jamming effort –PDR with no attacks A

21 21 / 24 Performance (with attacks) 100% effective 89% PDR despite pulse jamming Scanning too slow

22 22 / 24 Jamming Effort Effort of jammer greatly increases—even without real traffic present. (Bps)

23 23 / 24 Performance (no attacks) ► Impact of DEEJAM on PDR with no attacks is small Loss of any fragment causes loss of entire packetRecover from loss (R=2)

24 24 / 24 Conclusions ► For many systems, recovery of performance during attack is worth the overhead ► More powerful jamming is possible—but without countermeasures it is not necessary With no defense, a stealthy interrupt jamming attack is 100% effective Adding defenses forces attacker to adapt Ultimately, despite an active pulse jamming attack, PDR drops by only 11%

25 End

Download ppt "DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks Anthony D. Wood, John A. Stankovic, Gang Zhou Department of Computer."

Similar presentations

Jason Li Jeremy Fowers. Background Information Wireless sensor network characteristics General sensor network security mechanisms DoS attacks and defenses.

Jason Li Jeremy Fowers. Background Information Wireless sensor network characteristics General sensor network security mechanisms DoS attacks and defenses.
SoNIC: Classifying Interference in 802.15.4 Sensor Networks Frederik Hermans et al. Uppsala University, Sweden IPSN 2013 Presenter: Jeffrey.

SoNIC: Classifying Interference in Sensor Networks Frederik Hermans et al. Uppsala University, Sweden IPSN 2013 Presenter: Jeffrey.
Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.

Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.
Denial of Service in Sensor Networks Szymon Olesiak.

Denial of Service in Sensor Networks Szymon Olesiak.
DENIAL OF SERVICE IN SENSOR NETWORKS Pratik Zirpe Instructor – Dr. T. Andrew Yang.

DENIAL OF SERVICE IN SENSOR NETWORKS Pratik Zirpe Instructor – Dr. T. Andrew Yang.
Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks Mingyan Li, Iordanis Koutsopoulos, Radha Poovendran (InfoComm ’07) Presented.

Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks Mingyan Li, Iordanis Koutsopoulos, Radha Poovendran (InfoComm ’07) Presented.
PERFORMANCE MEASUREMENTS OF WIRELESS SENSOR NETWORKS Gizem ERDOĞAN.

PERFORMANCE MEASUREMENTS OF WIRELESS SENSOR NETWORKS Gizem ERDOĞAN.
1-1 CMPE 259 Sensor Networks Katia Obraczka Winter 2005 Security.

1-1 CMPE 259 Sensor Networks Katia Obraczka Winter 2005 Security.
Murat Demirbas Youngwhan Song University at Buffalo, SUNY

Murat Demirbas Youngwhan Song University at Buffalo, SUNY
Computer Science Department University of Virginia Gang Zhou 1 Spread Spectrum and CC2420.

Computer Science Department University of Virginia Gang Zhou 1 Spread Spectrum and CC2420.
DOT3 Radio Stack Sukun KimJaein Jeong A DOT3 Mote Design & Implementation Motivation Evaluation MICA is not enough for large scale applications. DOT3 is.

DOT3 Radio Stack Sukun KimJaein Jeong A DOT3 Mote Design & Implementation Motivation Evaluation MICA is not enough for large scale applications. DOT3 is.
Secure Data Communication in Mobile Ad Hoc Networks Authors: Panagiotis Papadimitratos and Zygmunt J Haas Presented by Sarah Casey Authors: Panagiotis.

Secure Data Communication in Mobile Ad Hoc Networks Authors: Panagiotis Papadimitratos and Zygmunt J Haas Presented by Sarah Casey Authors: Panagiotis.
DOT3 Radio Stack Jaein Jeong, Sukun Kim Nest Retreat January 16, 2003.

DOT3 Radio Stack Jaein Jeong, Sukun Kim Nest Retreat January 16, 2003.
IEEE 802.15.4 Standardized radio technology for low power personal area networks Joe Polastre January 14, 2004.

IEEE Standardized radio technology for low power personal area networks Joe Polastre January 14, 2004.
INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.

INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.
Resilience To Jamming Attacks

Resilience To Jamming Attacks
Ethernet: CSMA/CD (Carrier Sense Multiple Access with Collision Detection) Access method: method of controlling how network nodes access communications.

Ethernet: CSMA/CD (Carrier Sense Multiple Access with Collision Detection) Access method: method of controlling how network nodes access communications.
1 Ultra-Low Duty Cycle MAC with Scheduled Channel Polling Wei Ye Fabio Silva John Heidemann Presented by: Ronak Bhuta Date: 4 th December 2007.

1 Ultra-Low Duty Cycle MAC with Scheduled Channel Polling Wei Ye Fabio Silva John Heidemann Presented by: Ronak Bhuta Date: 4 th December 2007.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
1 University of Freiburg Computer Networks and Telematics Prof. Christian Schindelhauer Wireless Sensor Networks 13th Lecture 06.12.2006 Christian Schindelhauer.

1 University of Freiburg Computer Networks and Telematics Prof. Christian Schindelhauer Wireless Sensor Networks 13th Lecture Christian Schindelhauer.

Similar presentations

Ads by Google