Jammer localization in wireless networks: An experimentation-driven approach☆
Introduction
The widespread proliferation of 802.11 wireless networks makes them an attractive target for various types of attacks [1], [2], [3]. Its open access nature makes it fairly easy for saboteurs with jamming devices [4], [5] to disrupt WiFi communications. A jamming device continuously emits electromagnetic energy on the medium. Numerous jamming attacks have been reported in the recent past [6], [7], [8], [9]. The effect of this behavior on a CSMA/CA network is twofold: (a) at the transmitter side it renders the medium busy resulting in large back-off times and, (b) at the receiver side, it dramatically decreases the SNR resulting in a large number of packet collisions. Jamming effects may also occur due to accidental activation of devices that do not serve a malicious cause, such as microwave ovens, cordless phones [10], etc. Following the detection of the presence of an attacker [11], localizing the jammer allows an administrator to pursue further countermeasures (such as deactivating the jamming device, isolating the attacker and capturing, punishing or even destroying it).
In this work, we design and implement a simple, lightweight approach for jammer localization. The main attribute of our approach that makes it attractive to use and straightforward to implement, is that it relies on Packet Delivery Ratio (PDR), a metric that is readily available at each node and is an indication of transmission corruption. Our technique exploits an intrinsic characteristic of the wireless medium: since the power of the jamming signal degrades with distance, farther transmitters do not sense strong jamming signals. As a consequence, the requirements for successful packet delivery at such transceivers are satisfied. This property cannot be manipulated by an attacker. A transceiver pair located further away from a jammer is more likely to be successful in exchanging packets; the transmitter is able to send more packets, while the receiver can decode more of those, due to increased SINR, resulting in an increased PDR.
Taking this property into account we design a simple localization algorithm, that borrows its rationale from the gradient-descent method in a continuous-valued variable space. Our algorithm starts from an initial node and terminates at another node, that is closer to the jammer than any of its neighbors. In particular, it is distributed and is progressively executed by nodes moving towards the proximity of the attacker. Specifically, nodes successively forward PDR measurements to neighbors towards assessing patterns related to PDR growth or degradation. The above structure of the algorithm is reminiscent of the iterative gradient-descent algorithm for identifying the minimum of a real-valued function f. The gradient-descent algorithm iteratively searches for a global optimum by moving from one point of the function’s domain S to another ∈ S. The point is towards the opposite direction of the gradient of f at ; this is the direction in which f exhibits the largest decrease with regards to its value at point . Note that in our case, the domain set consists of the discrete locations of the nodes. Hence, our scheme can be viewed as a discretized version of a gradient-descent algorithm. If the algorithm cannot proceed further, an optimum is declared1. As one can deduce, our scheme is greedy in nature, since each node takes the locally optimal choice to derive the global optimum (i.e., the position of the jammer).
Our full-fledged localization approach considers different starting points for the gradient-descent-based algorithm. We examine two algorithms as candidates for our approach. The first considers the distribution of the stopping points/nodes and applies a weighted centroid algorithm to estimate the position of the jammer. The second, which we include in our approach as the best solution, considers all the nodes where the kernel2 algorithm stops, and declares as the jammer’s position, the one with the smallest PDR. As might be evident, the latter scheme, similar to the kernel algorithm, always exhibits a non-zero error (since the position of the jammer is always assumed to be the same as that of a network node). However, as our evaluations indicate, it significantly reduces the uncertainty with respect to the position, as compared to both the vanilla gradient-descent-based algorithm and the weighted centroid algorithm.
Our main contributions in this work can be summarized as follows:
- •
Analytical and experimental assessment of the spatial effects of jamming: As previously mentioned, the jammer may affect both the transmitter and receiver operations; this has an impact on the PDR. We provide an analytical expression for quantifying the change in PDR at different locations in the network (relative to the jammer’s location). We validate the analytically computed expression via real experiments on our 802.11 wireless testbed. Specifically, we show that the tranceivers that are further from the jammer exhibit lower (or no) degradation in terms of PDR as compared to transceivers that are located closer to the jammer.
- •
Design of a lightweight jamming localization algorithm: Having shown that PDR is minimized in the vicinity of the malicious device, we design a gradient-descent based algorithm to locate the adversarial node. We further design two algorithms that are built on top of the above core algorithm to improve accuracy; one is based on weighted centroid localization and an annealing-like extension which provides the best performance in terms of localization and thus, it is used in our approach. The main advantages of our approach (as compared to previously proposed localization approaches) are: (a) simplicity, (b) does not require any special hardware support, and (c) can be easily integrated with higher layer functions, such as routing, to circumvent the jammer’s location.
- •
Implementation and evaluation of our scheme: We implement a prototype of our approach on our wireless testbed using the Click modular router [12]. We validate its performance through experiments on our indoor 802.11 testbed. We also evaluate the scalability of our approach through simulations (with larger topologies).
Our work in perspective: Our goal is to exploit the inherent propagation characteristics of the wireless channel in order to expose the presence of jamming devices and localize them. The jamming attacker might be able to hide itself from all but the wireless channel’s propagation characteristics. The attributes of the jamming signals (and in particular their spatial properties) can affect measurable attributes (such as the PDR) to varying degrees in different parts of the network, thereby revealing important information with regards to the location of the malicious device. The key novelty of our scheme is its distributed nature and its lightweight operations.
In particular, our proposed algorithms offers the benefit that they rely on the operations of existing network functionalities and measurable quantities at a device level. Hence, no additional hardware or mechanisms are needed. Moreover, to reiterate, the nature of the gradient-descent algorithm allows the distributed execution of our localization scheme. Furthermore, the achieved localization error, which is at the range of one communication hop3 significantly reduces the area that one needs to search for locating the misbehaving device. Equally novel and crucial is the adoptability of the designed scheme. In particular, the kernel can be used as a standalone module, the output of which can be processed in many various ways (e.g., a simulated annealing-like algorithm, a simple centroid calculation algorithm etc.). This flexibility further allows for building systems that can deal with more advanced attack models (see Section 5.5).
The rest of the paper is organized as follows. Section 2 provides the required background and describes related studies. Section 3 describes our analytical framework for quantifying the jamming effects on the PDR. Section 4 provides a progressive description of our component algorithms starting from the basic version to the full-fledged scheme. We present our experimental set-up and evaluations in Section 5. Our conclusions form Section 6.
Section snippets
Background and related studies
In this section we present representative studies of different types of localization algorithms. We further briefly introduce the gradient-descent optimization method and discuss approaches that have utilized it for network operations.
Signal processing-based localization techniques: Secure mobile device localization, and in particular jammer localization, has been studied in the literature. Various approaches have been proposed in order to locate the malicious device, such as the studies in [13]
System model and jamming effects on PDR
System model and metrics: We consider a wireless multi-hop (ad-hoc or mesh) network. We further assume that there exists a static malicious device whose location is unknown to the network operator. This device is a MAC layer jammer that aims at packet disruption at the transmitter and/or receiver of a wireless link. For our attack model we will consider a continuous-deceptive jammer that transmits continually seemingly legitimate packets on the medium [24]. Finally, central to our work is the
The proposed jammer localization algorithm
In this section we develop our localization scheme. We start by formally introducing our core algorithm, namely, the gradient-descent-based localization. We then present two full-fledged (also referred to as wrapper in what follows) algorithms. The first one is based on computing a weighted centroid, while our algorithm resembles the annealing optimization procedure.
Performance evaluation
In this section we present the experimentation and simulation-based evaluations of our scheme. We first verify our analytical results through measurements on a real testbed. We continue by presenting the evaluations of our full-fledged schemes through simulations on a large scale topology. Finally, we describe a prototype implementation of the core algorithm based on gradient-descent minimization. This serves as a proof-of-concept for the practicality of our design. We further showcase its
Conclusions
We design a low-overhead, distributed jammer localization algorithm. Our main observation that guides the construction of our system is related to the spatial effects of jamming. In particular, links that are further from the jammer experience higher PDRs as compared to nodes that reside closer to the jamming device. We adopt the rational of gradient-descent methods in order to resemble the searching process for the node that is closer to the jammer. The algorithm is greedy in nature; each node
Acknowledgment
We thank Dr. K. Papagiannaki from Telefonica Research (formerly with Intel Research), for providing the source code of the prototype driver. I. Koutsopoulos acknowledges the support of ERC08- RECITAL project, co-financed by Greece and the European Social Fund through the Operational Program Education and Lifelong Learning- NSRF (National Strategic Reference Framework) 2007–2013.
References (42)
- et al.
Denial-of-service attacks and countermeasures in IEEE 802.11 wireless networks
Comput. Stand. Interfaces
(2009) - et al.
Joint reactive jammer detection and localization in an enterprise Wi-Fi network
Els. Comput. Netw.
(2013) - et al.
Intrusion detection in 802.11 networks: empirical evaluation of threats and a public dataset
Commun. Surv. Tut. IEEE
(2016) - et al.
Wi-Fi attack vectors
Commun. ACM
(2005) - SESP jammers,...
- ISM wide-band jammers,...
- Jamming attack at hacker conference....
- Techworld news,...
- RF jamming attack,...
- ISA: users fear wireless networks for control,...
Optimal jamming attacks and network defense policies in wireless sensor networks
IEEE INFOCOM
GIDL: generalized interference detection and localization system
ION GPS, Salt Lake City, UT
Signal detection and jammer localization in multipath channels for frequency hopping communications
DTIC
3-D jammer localization using out-of-plane multipath
RADARCON, Dallas, Texas, USA
Improved jammer localization using multiple focussing
Advanced signal-processing algorithms, architectures, and implementations
Overcoming the challenges of security in a mobile environment
IPCCC, Phoenix, AZ
Accuracy characterization for metropolitan-scale Wi-Fi localization
ACM MobiSys, Seattle, WA
Dynamic fine-grained localization in ad-hoc networks of sensors
ACM MobiCom, Rome, IT
Cited by (15)
Using a lightweight security mechanism to detect and localize jamming attack in wireless sensor networks
2022, OptikCitation Excerpt :However, to find the jammer using range-based localization methods, the connection across the jammer and node is formed using a wireless channel model. Pelechrinis et al. found that when the distance between a node and the jammer increased, the Packet Delivery Rate (PDR) decreased [24]. As a result, the PDR value might be used to show how much of an effect the jammer can have on the node.
An approximate factorization approach to multi-jammer location and range estimation from peer-to-peer connectivity measurements
2021, Computer NetworksCitation Excerpt :A survey of several jamming and anti-jamming techniques has been presented in [14]. Jammer localization has been widely studied in the literature [15–43]. A survey of several jammer localization techniques has been presented in [33].
Mobile jammer localization and tracking in multi-hop wireless network
2024, Journal of Ambient Intelligence and Humanized ComputingPhysical-Layer Jammer Detection in Multihop IoT Networks
2023, IEEE Internet of Things JournalJammer Localization in the Internet of Vehicles: Scenarios, Experiments, and Evaluation
2022, ACM International Conference Proceeding SeriesAn efficient metric for physical-layer jammer detection in internet of things networks
2021, Proceedings - Conference on Local Computer Networks, LCN
- ☆
An earlier version of this work has appeared in IEEE Globecom 2009.