The Discovery of Jamming Attackers in Wireless Sensor Networks

Kaiqi Xiong
College of Computing and Information Sciences
Rochester Institute of Technology
Abstract
Recent years have witnessed a rapid growth of wire-
less sensor network applications in civil and military
environments. Radio interference tends to be a serious
threat in such applications. Jamming attacks are a di-
rect consequence of radio interference that an adversary
may intentionally launches. It is necessary but difcult
to defend against jamming attacks in order for sensor
communication channels to be available and reliable. In
this paper, we develop a systematic approach to tackling
jamming attacks. We design a time-based window scheme
to mitigate jamming attacks and propose robust fault-
tolerant algorithms for the location discovery of jamming
attackers that permit us to remove jamming attackers
from wireless sensor networks. Then, we investigate the
proposed approach through theoretical analysis and exper-
iments. Our analytical and numerical results demonstrate
the efciency and effectiveness of the proposed approach.
I. Introduction
Recent years have witnessed the emergence of wireless
sensor networks for a variety of civil and military appli-
cations such as health care monitoring, re alarms, light
control, volcano monitoring, humidity and temperature
monitoring, and security alarms. Radio interference tends
to be a serious threat in wireless sensor networks and
it is a root of jamming attacks. Unlike traditional denial
of service attacks that ll with the buffers of user- and
kernel domains, jamming attacks exploit the shared nature
of the wireless medium to prevent sensor nodes from
receiving and sending messages through the occupation
of communication channels. Restraining jamming attacks
from wireless sensor networks has become challenging
but very necessary in the above applications due to the
constraint of a sensors energy, computation, and com-
munication. For instance, these constraints result in the
infeasible installation of a GPS receiver on each sensor
node for the discovery of a jamming attacker or a jammer.
Many research efforts have sought to address the jam-
ming attack problem in wireless networks through spread-
ing spectrum techniques such as Frequency Hopping (FH),
Direct Sequence Spread Spectrum (DSSS), and Chirp
Spread Spectrum (CSS) in Poisel [13]. Spreading spectrum
is a sophisticated physical-layer technique that requires
expensive transceivers. As discussed in Xu et al. [18],
those transceivers are not affordable in commodity sensor
networks. Instead, a carrier sensing approach has been em-
ployed for medium access control in sensor devices such
as Berkeley Mica2 and MicaZ. Recent studies in Law et al
[5] and Xu et al. [19] have shown that such an approach is
very susceptible to jamming attacks. Thus, channel surng
for the adaptation of data-link layer frequency allocations
has been proposed to copy with jamming attacks in Xu et
al. [18]. However, a rapid change of frequency allocations
at a data-link layer may cause a poor network connectivity.
In this paper, we will develop a systematic approach
to tackling jamming attacks. we rst design a technique
to mitigate jamming attacks using the concept of Additive
Increase/Multiplicative Decrease (AIMD). Our technique
adopts a time-based window scheme (briey referred to
as the time-based scheme) rather than a change of fre-
quency allocations in a data-link layer. Then, we further
propose robust fault-tolerant algorithms for the location
discovery of jamming attackers that permit us to remove
jamming attackers from wireless sensor networks. Here,
robust means that our proposed algorithms can achieve
the maximum tolerant rate of 50% malicious sensor nodes.
That is, our approach has the ability to cope with up to
50% malicious nodes in sensor networks besides jamming
attackers. Moreover, we investigate the proposed approach
through theoretical analysis and numerical experiments.
Our numerical results demonstrate the efciency and ef-
fectiveness of the proposed approach.
The contributions of this paper are: First, we develop a
systematic approach to dealing with not only the mitigation
of jamming attacks but also the removal of jamming at-
tackers. Second, the algorithms for the removal of jamming
attackers is robust that has the ability to cope with up
to 50% other malicious nodes in sensor networks besides
jamming attackers. Third, the technique for the mitigation
of jamming attacks adopts a time-based scheme rather than
a change of frequency allocations that avoids to restore the
network connectivity among multiple frequency channels.
The rest of this paper is organized as follows. Section
II will give our system model and assumption. We present
our approach to tackling jamming attacks in Section III
that includes the mitigation of jamming attacks in Section
III-A, and the proposed robust algorithms for the loca-
tion discovery of jamming attackers with their theoretical
analysis in Section III-B. The analytical and experimental
evaluations of the proposed approach will be given in
Section IV. Section V will review related work. Our study
with future work will be concluded in Section VI.
II. The Sensor Network Model With Its As-
sumptions
In this paper, our wireless sensor network model con-
sists of a large number of resource-constrained sensor
nodes, each with a unique ID. The sensor nodes are
randomly distributed in a eld. Some of them may act
as malicious nodes who will eavesdrop, modify, forge, or
replay a message besides jamming attackers who will jam
wireless channels so as to cause denial of service attacks.
Broadcasting is considered in the paper because it is easier
to suffer jamming attacks compared to others such as point-
to-point routing or multicast routing.
Generally speaking, it may be difcult to achieve time
synchronization on a network-wide basis due to slow
clock drift over time, and the effect of temperature and
humidity on clock frequencies, coordination and correction
amongst thousands of deployed nodes with low messag-
ing overhead, as indicated in Sundararaman et al. [16].
However, radio interference often affects neighborhood
nodes rather than distant nodes. Thus, it is reasonable to
assume that time synchronization is achieved in a group of
sensor nodes that are physically close to each other. Such
group of nodes is called a cluster of the sensor network.
That is, sensor nodes across the network are organized
into clusters for communication efciency and scalability
improvement. Many approaches have been proposed to
address time synchronization in wireless sensor networks.
For example, Faizulkhakov [3], Sivrikaya and Yener [15],
and Sundararaman et al. [16] gave a survey on time
synchronization, respectively. Moreover, denote by n the
number of sensor nodes in the network and m the number
of malicious nodes where 0 m n/2 < n. That is, no
more than half nodes are malicious in the sensor network.
Otherwise, there is no way to tackle attackers since they
are majority in the network. Let N be the number of
link layer channels available for data communications in
the sensor network. In this paper, our research goal is to
tackle jamming attacks through the mitigation of jamming
attacks and the location discovery of jamming attackers
that permits us to remove jamming attackers from the
sensor network.
III. The Approach to Tackling Jamming At-
tacks
The approach for tackling jamming attacks consists
of the mitigation of jamming attacks and the location
discovery of jamming attackers.
A. The Mitigation of Jamming Attacks
Jamming is a very harmful attack that prevents legiti-
mate sensor nodes from sending and receiving messages.
Jamming attackers can constantly occupy wireless chan-
nels that results in denial of service attacks. In the paper,
we propose an approach to mitigating jamming attacks
by introducing a time-based window scheme. Due to the
nature of wireless sensor networks, there is no way to
have a scheme that eliminates jamming attacks. Instead, the
objective of our approach for the mitigation of jamming
attacks is to reduce their harm to sensor networks. We
aim at developing an effective and efcient approach that
reduces the harm of jamming attacks as much as possible
and limits the overhead of communication and computation
of the approach as much as possible.
As we know, it is time and energy-consuming to run
algorithms to detect and locate a jamming attacker and
it usually requires a certain period of time to monitor a
sensor network and collect necessary message transmission
information for such a detection. Let T be the period of
time called the unit time slot. Thus, during the unit time
slot of T, we enforce the time-based window scheme to
mitigate jamming attacks. Our intuition is that the more
times a node experiences jamming, the higher chance such
a node may be a jamming attacker when each node is
considered as same. Hence, those sensors who experience
jamming are required to wait a longer time to send a
message. We use the following notation. Denote by m the
broadcast message of a sensor, and T the current waiting
time of a sensor node. That is, the sensor can transmit
a message only after waiting the time T. [0, T] is
considered as a waiting time window. Thus, it is called the
time-based window scheme that is described as follows.
1) Initialization. Before deployment, a unique ID and
a waiting window will be assigned to each sensor.
The waiting time T is randomly selected as a
value between 0 and so that there is no jamming
once sensors start to communicate, where is a
reasonably small value. After deployment, sensor
nodes will be formed into clusters, each with a
cluster leader. A cluster formation and the election
of a cluster leader can be found in the literature such
as Liu [6] and Dong and Liu [2]. All members in a
cluster will have a full list of member IDs.
2) Message Transmission. Each sensor will be able
to scan and nd available channels for sending a
message after its individual waiting time T.
3) The Update of the Waiting Time Window. Each node
is required to update its own waiting time window
according to the following scheme: if a node plans to
send a message but there is no channel available (i.e.,
jamming occurs), then both senders are required to
increase their waiting time based on an increasing
function (T); the node who successfully sends
out a message without jamming will update its
waiting time based on a decreasing function (T).
Meanwhile, the cluster leader will update the waiting
time windows of all sensor nodes and make sure that
each node follows the above predened rule. Since
each cluster leader is re-elected periodically, the duty
of a cluster leader is fully distributed among sensor
nodes.
When a collision is occurred, both regular senders and
jammers are required to increase their waiting times since
they are not distinguishable. Moreover, jamming is ONLY
one of the collision causes. Actually, the above scheme
may also mitigate other collision causes such as Denial of
Services (DoS). Furthermore, the time-based scheme will
be analyzed in detail in Section IV-A. Next, we will discuss
the location discovery of jamming attackers.
B. The Discovery and Removal of Jamming
Attackers
Each sensor is associated with an ID but the ID informa-
tion may be alerted during communication. Furthermore,
the ID information may be known only within its cluster.
In order for us to eliminate jamming attackers, the location
of the sensors is required. In this section, we develop
algorithms to discover the location of jamming attackers.
1) The Location Discovery Problem of Jamming At-
tackers: As stated before, we assume that there may
exist malicious nodes besides jamming attackers in the
sensor network. Once jamming attacks are detected, a
natural question is how to locate and remove jamming
attackers. In this section, we attempt to nd the location
of jamming attackers based on the location information of
all the sensors except jamming attackers across a sensor
network rather than a sensor cluster, which is referred to
as the location discovery problem of jamming attackers.
Specically, when there are jamming attacks, how can
a cluster leader nd the location of a jamming attacker
based on the location information of sensor nodes and
their received signal strengths. The problem has at least
two essential and important differences from the sensor
localization problem that has been extensively studied for
the past several years.
1) The distances between sensors and the jamming
attacker are unknown.
2) The transmission power used by the jamming at-
tacker is unknown. The power level may be changed
in the course of message transmissions.
These two major differences make it difcult to solve the
location discovery problem of jamming attackers. For pre-
sentation purposes, we only consider one jamming attacker.
But, the following discussion can be iteratively applied to
nd the location of multiple jamming attackers. According
to the Friis transmission equation, the received power of
an antenna is calculated through P
r
= P
t
G
t
G
r
_

4d
_
2
,
where P
t
is the power input to the transmitting antenna. G
t
and G
r
are the antenna gains of transmitting and receiving
antennas, respectively. is the wavelength and d is the
distance. Therefore, the square of the distance is expressed
by d
2
= G
t
G
r
Pt
Pr
_

4
_
2
. For notational simplicity, we
write it as d
2
= cP
t
where c = G
t
G
r
1
Pr
_

4
_
2
. As we
know, P
t
may be varied by a jamming attacker and it is
unknown to the sensor nodes that receive signals from the
jamming attacker. Thus, the jammer localization problem
is to nd (x, y) satisfying with
(x x
i
)
2
+ (y y
i
)
2
= c
i
P
t
(i) (1)
where (x
i
, y
i
, P
t
(i)) is the coordinate of sensor i and
c
i
is a known constant like c. P
t
(i) is the transmission
power that the jamming attacker sends to sensor i and it
is unknown to sensor i. However, only a few transmission
power levels can be selected by a sensor. Assume that there
are L transmission power levels that the jamming attacker
can choose, where L is relatively small in existing sensor
motes compared to the number of nodes in the network.
For presentation purpose, we assume that there is only
one power level used by the attacker, i.e., P
t
(i) = P
t
. Our
following discussion can be easily extended to the case
of multiple power levels used by an attacker. Thus, by
manipulating (1), we obtain a system of linear equations:
2(x
i
x
i+1
)x + 2(y
i
y
i+1
)y (c
i+1
c
i
)P
t
=
(x
2
i
x
2
i+1
) + (y
2
i
y
2
i+1
)
2(x
n
x
1
)x + 2(y
n
y
1
)y (c
1
c
n
)P
t
=
(x
2
n
x
2
1
) + (y
2
n
y
2
1
) (2)
or its matrix form:
AX = Z (3)
where X = (x, y, P
t
)
T
is a 3 1 vector. A is an n 3
matrix consisting the coefcients of the left-hand side in
linear system (2) and Z is is an n1 vector consisting the
right-hand side of linear system (2). Thus, the localization
problem becomes the linear regression given in (3). That
is, the coordinate (x, y, P
t
) is easily determined by solving
the minimization problem:
min
x,y,Pt
AX Z (4)
where is a predened norm, e.g., L
1
-norm or L
2
-norm.
Each measurement is treated equally in the minimiza-
tion problem of (4), which implies that a mean value metric
is used in solving (4). However, it has been proved in
Rousseeuw and Leroy [14] that a mean value metric poorly
deals with malicious location measurements.
Rousseeuw and Leroy [14] proposed a variety of linear
regression methods to tackle malicious measurements.
Thus, a direct strategy is to apply these methods to no
malicious measurement in the system of linear equations
(3). By considering the fact that the closer a sensor node
the more effect the node. Thus, the coordinate (x, y, P
t
) is
estimated by solving the following weighted minimization
problems of Least Trimmed Square (LTS):
(LTA) min
x,y,Pt
h

i=1

1
c
i
P
t
r
i

= min
x,y,Pt
h

i=1

r
i
c
i

(5)
where r
i
= (AXZ)
(i)
that is the i-th element of residual
vector AX Z and d
2
i
= c
i
P
t
is a weight at node i. Our
intuition here is that in order to estimate a right location
of a jamming, we require that more than half of redundant
measurement tuples should be benign, which means that
h should be chosen as n/2 + 1.
As shown in Rousseeuw and Leroy [14], the estimator
has a breakdown point (i.e., tolerant rate) of 50% in
most situations. LTA has a lower order of computational
complexity compared to other robust estimators, so we
only consider LTA in the paper.
Furthermore, in order to give a correct estimate for the
location of a jammer through (3), we require that more
than half of linear equations in the system (3) should be
benign. Below is a proposition showing its possibility.
Proposition 1: When the tolerant rate is the highest,
the probability that one of the linear equations in the
system (3) does not consist of any malicious location
measurement is 0.25; furthermore, the probability that both
two equations consisting of three measurement tuples are
not malicious is 0.125.
Proof. When the tolerant rate is the highest, half of location
measurements are malicious. Thus, when two measurement
tuples are randomly selected, the probability that none
of them is malicious is 0.5 0.5 = 0.25. Furthermore,
when three measurement tuples are randomly selected,
the probability that both two equations consisting of three
measurement tuples are not malicious is 0.5
3
= 0.125.
Proposition 1 clearly shows that it is unlikely that
more than half of linear equations consist of all non-
malicious measurement tuples. Hence, it is infeasible
to apply the methods in Rousseeuw and Leroy [14] to
the system of linear equations (3) as shown in (5). In-
stead, we should directly deal with (1) rather than (2).
That is, r
i
should be selected as the nonlinear residual
r
i
=
_
(x x
i
)
2
+ (y y
i
)
2
c
i
P
t
instead of r
i
=
(AX Z)
(i)
in the minimization problem of LTA. But,
the exact solution of these three minimization problem
is computationally hard to nd. Thus, in this paper, we
develop a feasible approximation algorithm to solve the
problem. These algorithms are robust, which means that
they can tolerate up to 50% malicious nodes. We will start
with a brute-force robust approximation algorithm and then
present the feasible approximation algorithm. Before the
presentation, let us investigate the consistency of a set of
all references provided by sensors.
2) -Consistency of Sensor References: Due to the
assumption that more than half of these location references
are benign, these benign references should consistently
derive the same location and transmission power of the
jammer with a small error. We notice that a location
reference is a measurement data taken by sensors. Under a
normal (or attack-free) environment, a measurement error
follows a standard normal distribution. Instead, an attacker
usually intends to disrupt a process of location estimation
through reporting a position and distance far away from its
true ones. The residue of those malicious references does
not follow a normal standard distribution. Usually, benign
and malicious references will not be consistent. Based
on these observations, we give a denition of reference
consistency.
Denition 1: Sensor references given by the tuples:
P
ij
= (x
ij
, y
ij
, c
ij
P
t
) for j = 1, 2, ..., s are called -
consistent if
min
x, y, P
t
_
s

j=1

(x x
i
j
)
2
+ (y y
i
j
)
2
c
i
j
Pt

2
_
< (6)
where number > 0 is to be determined, and s 3 since
at least three references can determine a jammers location
and transmission power.
Clearly, the consistency of a group of sensor references
depends heavily on the value of . Thus, a selection of
plays in a key role in the reference consistency. The
absolute value on the left-hand side of (6) represents an
estimation error based on these given sensor references.
Thus, it should follow a standard normal distribution in an
attack-free environment. An abnormal error may indicate
a potential malicious attack.
Let L(x) be

s
j=1

_
(x x
ij
)
2
+ (y y
ij
)
2

c
ij
P
t

2
. It can be mathematically shown that L(x)
2
follows a
2
(v)-distribution, where v = s 3 is the
degree of freedom. This because three points that are not
in a line determine the location of a jammer. According
to statistical theory, can be determined through a
hypothesis test: Probability
_
L(x)
2

= , where is
referred to as a signicance level of the test, and L(x) is a

2
(v)-distribution with v = s 3 degree of freedom. The
hypothesis test states that the probability that L(x)
2
is equal to . According to Denition 1, L(x)
2
indicates the presence of malicious measurements, with
the probability of a false alarm being . By choosing a
value for , we can determine . (Note that is dependent
on the difference between k and n.) For example, let
= 0.01 and v = 1 or s = 4. Based on
2
-distribution,
we can get
2
= 6.63, or equivalently = 2.57.
3) The Brute-force Robust Algorithm: We propose a
brute-force robust algorithm for secure localization by
using the notion of consistency. They identify and remove
those location references who are not consistent with
the majority of location references. All those consistent
location references are used to estimate the location of
the jammer through the ordinary linear regression. The
brute-force robust algorithms consist of the two parts:
the location prediction and the location correction. In the
estimate prediction step, we develop a way to predict the
rough location of the jammer. Our intuition is that the
more consistent location references are, the smaller the
reference residuals are. Thus, we choose that estimate lo-
cation with the smallest residual as our predicted location.
In the estimate correction step, we rene the predicted
location estimate. By considering it with other location
references, we nd out the most number of consistent
location references which are used to estimate the location
of a jammer. Below is a detailed description of these two
steps for the brute-force robust algorithm.
Brute-force Robust Algorithm
The Location Prediction Step: It identies what location
references determine such a location that is most likely to
be the true location of the jammer, or most closet to be
the true location. We start with 3 location references in
the paper, which is the minimal number of references that
can determine a location of the jammer. (The following
discussion of the paper can be easily adjusted to 4 refer-
ences.) We select all subsets of 3 location references from
all n location references. Each subset whose references are
not in a line can be used to estimate the location of the
jammer, denoted by ( x
l
, y
l
), where l = 1, 2, , m, and
m is the number of 3 references choosing from n location
references, i.e., m = n(n 1)(n 2)/3 = (n
3
).
For each location estimate, we compute its residual
r
i, x
l
=
_
( x
l
x
i
)
2
+ ( x
l
y
i
)
2
c
i
P
t
As discussed before, the reference residual r
i,( x
l
, y
l
)
re-
ects the consistency of location estimate ( x
l
, y
l
) and
location reference (x
i
, y
i
). Recall that h is the minimal
number of benign references. Thus, we select the h small-
est absolute value of residuals, denoted by |r
i1,( x
l
, y
l
)
|,
|r
i2,( x
l
, y
l
)
|, , |r
i
h
,( x
l
, y
l
)
|, and S
l
=

h
j=1
|r
ij,( x
l
, y
l
)
|for
l = 1, 2, , m. Our intuition here is that the more
consistent location references are, the more accurate their
location estimate is; thus, it is more likely that the absolute
values of the rst h location residuals are smaller, i.e., S
l
is
smaller. Then, the estimate with the smallest S
l
is selected
as our estimate in the prediction step.
The Location Correction Step: It renes the location
estimate in the prediction step that is derived by a set of
three location references, denoted by D. By considering the
value of S
l
, we gradually add the rest of location references
into D. We rst add those location references with the
smaller value of S
l
, and then check if they are -consistent
with D. If yes, we add them into D as a set of location
references. If no, we exam them one by one with such an
S
l
. For that location reference that is not examined before,
it will be rst examined. Continue to examine the rest of
location references until all of them are examined. The
nal set D is used to derive the location estimate of the
jammer by using the ordinary weighted linear regression
as shown in (5).
Let us now consider the time complexity of the brute-
force robust algorithm. In the location prediction step,
it takes (n) to compute n location residuals r
i, x
l
for
each xed the location estimate ( x
l
, y
l
). The most ef-
cient algorithm to order those n location residuals re-
quires (nlog n) time, and a sum of the h smallest
location residuals requires (h) time. Furthermore, the
ordinary linear regression requires (h
2
) time. Thus, the
time complexity of the brute-force robust algorithm is
(n
3
) + (n) + (nlog n) + (h) + (h
2
) = (n
3
).
4) The Feasible Robust Algorithm: As seen in Section
III-B3, the brute-force robust algorithm requires (n
3
)
time, which may be too costly to used in a resource-
limited network, e.g., a wireless sensor network which
has limited power and computational capacity. We notice
that the (n
3
) time is only contributed from the prediction
step of the brute-force robust algorithm. Thus, the location
prediction step is only our concern in the aforementioned
brute-force algorithm.
The objective of this section is to develop a feasible
robust algorithm that can be used in a resource-limited
network. As discussed in Section III-B3, the brute-force
robust algorithm has the complexity of (n
3
) due to a
consideration of all combinations of 3 location references
among n ones. However, we notice that such a considera-
tion may not be necessary. The key in that step is to nd
three benign location references so that we can start with in
the location correction step. Thus, we may only consider a
part of combinations of 3 location references. That is, the
feasible robust algorithm is the same as the brute-force
robust algorithm except the prediction step where only r
combinations of 3 references will be randomly selected.
The change will signicantly enhance the efciency of
the brute-force robust algorithm without a compromise in
security. Its detailed analysis will be given in Section IV-B.
IV. The Evaluation and analysis of The Pro-
posed Approach
We present our security and performance analysis of
the proposed approach with experimental evaluations.
A. Analysis of the Proposed Approach for
the mitigation of jamming attacks
As mentioned before, each sensor node will have a list
of all node IDs once a cluster is formed and an elected
cluster leader will be responsible for cluster related tasks
including the time-based window scheme management and
channel allocations. Each node will communicate with
each other by following the above scheme to update its
waiting-time window.
The analysis of the waiting time window. Which all
channels are occupied, a jamming attacker may declare
its intention to sending a message but it does not plan
to do so for increasing the waiting time window of a
legitimate node. However, according to the above scheme,
the jamming attacker will get the waiting time window
increased as well. Thus, the jamming attacker may suc-
cessfully attack those sensors who have lower power than
the attacker individually but it is impossible to disturb the
whole sensor network for a long period of time because
it will run out power if the attacker attempts to attack all
nodes in the network.
Clearly, the choice of (T) and (T) plays in
a key role in the waiting time window. In this paper,
we select them as the functions used in additive in-
crease/multiplicative decrease (AIMD) algorithms. Speci-
cally, (T) = T +a and (T) = T/b where a > 0
and b > 1. It is assumed that T ranges from T
min
to
T
max
. Denote by q be the percentage of messages sent
by node i that cause jamming. Let T
i
(j) be the waiting
time of node i after j messages are sent. Then, we can
derive the following properties.
Proposition 2: Assume that the number of jamming
messages is more than the number of non-jamming mes-
sages at a node. Then, the waiting time T
i
(j) is at least
1
2
j

1 +
1
b

j
T
i
(0) +

1
1
2
j

1 +
1
b

ab
b 1
(7)
which implies that the waiting time is at least
ab
b1
after a
large number of message transmissions, where T
i
(0) is
the initial waiting time given when the sensor is deployed.
Proof. According to the assumption, we have that
T
i
(j) = q(T
i
(j 1) + a) + (1 q)
T
i
(j 1)
b
Since the number of jamming messages is more than the
number of non-jamming messages, we have that 1q q.
That is,
1
2
q 1. Therefore, we can obtain that
T
i
(j)
1
2
_
1 +
1
b
_
T
i
(j 1) +
1
2
a
which derives (7). Thus, lim
j+
infT
i
(j) should be
at least
ab
b1
.
As stated in Section I, robustness is one of our design
goals in the proposed approach. We have obtained that
Proposition 3: The higher percentage of jamming mes-
sages the longer the waiting time. That is, the proposed
waiting-based window scheme is robust.
Proof. The waiting time T
i
(j) is given by
T
i
(j) =
_
q + (1 q)
1
b
_
j
T
i
(0)
+aq
1
_
q + (1 q)
1
b

j
(1 q)(1
1
b
)
which means that
T
i
(j)
aq
(1 q)(1
1
b
)
as j + (8)
Let f(x) be
a(1x)
x(1
1
b
)
where x = 1q. It is easy to prove that
f(x) is a decreasing function with respect to variable x.
As we know, x represents the percentage time that there is
at least a channel available for message transmission. That
means that the higher percentage of jamming messages
the longer the waiting time. That is, the proposed waiting-
based window scheme is robust.
Corollary 1: The waiting time T
i
becomes zero if
there is no jamming message and it tends to a very large
value if almost all messages are jamming.
Proof. It is resulted from Proposition 3 when q = 0 and
q 1

respectively.
Proposition 4: If the number of jamming messages is
no more than
1
1
b
a

T times as much as the number of

no jamming messages, i.e.,
q
1q

1
1
b
a

T . Then, the
waiting time will eventually be less than

T, where

T >
0 is a predened value for quality of control.
Proof. From the assumption of the proposition and (8), we
can see that the result holds.
From Proposition 4, we can control the waiting time of
each message by using the predened value

T > 0.
Furthermore, we consider the security of the approach
for the mitigation of jamming attacks.
The probability for jamming attackers to jam channels
successfully. Assume that benign sensors and jamming
attackers would generate trafc arrivals to channels with
rates of
b
and
a
as well as the service rate of channels
would be . Let recall that N be the number of channels.
In the current sensor networks, N may be 1 or 2. Then,
the number of channels to be busy ranges from 0 to N.
Thus, a (N+1)-states Markov chain can be used to model
the availability of channels. We consider two classes of
jamming attackers below.
1) Random Jamming Attackers. They randomly jam
channels.
2) Intelligent Jamming Attackers. They specically se-
lect a certain number of channels and only jam those
channels.
Proposition 5: In the case of random jamming attack-
ers, the probability for jamming (i.e., all channels are
occupied) is given by
P(N) =
(
a
+
b
)
N
N!
N
_
_
N

j=0
(
a
+
b
)
j
j!
j
_
_
1
Proposition 5 and the following proposition can be proved
through the state transition of the Markov chain and its
balance equations, which is not given due to the page limit.
Assume that intelligent jamming attackers would only
jam N
a
channels where 1 N
a
N. Thus, we have that
Proposition 6: In the case of intelligent jamming at-
tackers, we have that
1) The probability for all preselected N
a
to be jam-
ming (i.e., all selected N
a
channels are occupied) is
expressed by

N
j=Na
P(j).
2) The probability for all channels to be jamming is
given by P(N) =
(a+
b
)
Na

NNa
b
N!
N
P(0), where
P(j) are obtained by solving the balance equation
given by P(j) =
(a+
b
)
j
P(j 1) if 1 j < N
a
,
and P(j) =

b
j
P(j 1) if N
a
j N;

N
j=0
P(j) = 1.
The goal of the time-based scheme is to reduce
a
but
increase
b
so that the probability for jamming attackers
to jam channels successfully will be reduced.
B. Analysis of Robust Algorithms
Recall that there are h benign references among n ones.
Suppose that we randomly select 3 location references
from n ones. In such a selection, all 3 location references
are benign with the probability of p =
(
h
3
)
(
n
3
)
. To ensure
that all 3 selected references are benign with a good
probability, we can repeatedly and randomly select 3
location references from n ones. If the repeated number
is r, then the probability for all 3 references to be benign
in at least one selection is P
r
= 1 (1 p)
r
. Table I
gives the number of combinations
_
n
3
_
in the brute-force
robust algorithm and the repeated number r to ensure that
at least 3 benign references are selected with the chance of
99.5%. As shown in Table I, r is much smaller than
_
n
3
_
.
TABLE I. Parameters to ensure P
r
99.5%
n 50 100 500 1000 5000 10000
h 26 51 251 501 2501 5001

n
3

19600 161700 2.1E+07 1.7E+08 2.1E+10 1.7E+11

r 23 23 23 23 23 23
Thus, in the location prediction step of the efcient robust
algorithm, we randomly select 3 location references from n
ones as a reference group. Repeat such a selection r times.
Then, we use all these r reference groups to replace a set
of all combinations of 3 location references from n in the
feasible robust algorithm. As discussed earlier, the location
correction step is unchanged. Similar to the analysis in the
brute-force robust algorithm, the complexity of the feasible
robust algorithm is (r +nlog n+h
2
). It is interesting to
see in Table I that r=23. We are actually able to derive a
closed-form solution for r below.
Proposition 7: In order for at least one group of all 3
selected references to be benign with the probability ,
we require that the repeated number r is not less than
log(1)
log 0.875
17.24 log(1 ), where 0 < 1.
Proof. As discussed earlier, the probability for at least one
group of all 3 selected references to be benign is P
r
= 1
(1 p)
r
. To ensure P
r
, we require that r
log(1)
log(1p)
.
As seen above, p =
(
h
3
)
(
n
3
)
and h =
n
2
+ 1. Thus, on the
one hand, p can be extended to
p
_n
2
+1
3
_
_
n
3
_ =
(
n
2
+ 1)(
n
2
)(
n
2
1)
n(n 1)(n 2)
which derives lim
n>+
sup p
1
8
. On the other hand,
we have the following inequality
p
_n
2
3
_
_
n
3
_ =
(
n
2
)(
n
2
1)(
n
2
2)
n(n 1)(n 2)
Thus, lim
n>+
inf p
1
8
. Thus, lim
n>+
p =
1
8
.
Furthermore, r
log(1)
log(1
1
8
)
17.24 log(1 ).
The result presented in Proposition 7 is signicant. It
not only provides a closed-form solution for the repeated
number r but also shows that the solution is independent
of n, the number of sensors. This means that r will not
change as n increases. Table II shows the repeated number
r to guarantee that at least one group of selected 3 location
references are benign with the probability . As indicated
TABLE II. r to ensure at least one group of 3
benign references with the probability P
r

0.80 0.85 0.90 0.95 0.99 0.999 0.9999 0.99999
r 13 15 18 23 35 52 69 87
in Table II, the repeated number r is small. It is only 87
even if =0.99999. This implies that it is very easy to get
all 3 benign references in a selection. Hence, Proposition
7 shows that the feasible robust algorithm is efcient.
The above analysis is based on the assumption that
each selected 3 references can determine the location of a
jammer, i.e., these references are not in a line. However,
this assumption is not necessarily true due to possibly
arbitrary action introduced by an attacker. There are two
strategies to tackle this issue. (a) The rst straightforward
strategy is that if three references are (or closely are) in a
line, such a selection is not counted, and we are required
to randomly re-select 3 references from the pool until the
repeated number given in Table II is reached. (b) The
second strategy is that we may select 4 location references
in each selection but only use 3 good ones for the location
estimation. In such a situation, Table III shows the repeated
number r to guarantee that at least one group of selected 4
location references are benign with the probability . All
TABLE III. r to ensure at least one group of 4
benign references with the probability P
r

0.80 0.85 0.90 0.95 0.99 0.999 0.9999 0.99999
r 25 30 36 47 72 108 143 179
values of r are still relatively small. The rst strategy is
used in our numerical implementation.
C. Experimental Evaluation
We adopt the existing approach in Liu [6] and Dong and
Liu [2] for the formation of a cluster and the selection of
a cluster leader in the evaluation. The proposed approach
consists of the two components. We have investigate it by
using a variety of numerical experiments. We only select
a few typical results here due to the page limit. All the
experiments are executed in Matlab 7.04 on a DELL PC
running Windows XP, which has a 3.0 GHz Pentium 4
processor and 2 GB memory.
0%
20%
40%
60%
80%
100%
120%
1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0.05
(a) Jamming interval-arrival time
J
a
m
m
i
n
g

r
a
t
i
o
Without our approach
With our approach
0%
20%
40%
60%
80%
100%
120%
1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0.05
(b) Jamming interval-arrival time
J
a
m
m
i
n
g

r
a
t
i
o
A single jammer
Two jammers
Three jammers
0
20
40
60
80
100
120
140
0 1 2 3 4 5 6 7 8 9 10
(c) Experi ment ti me i n logarithmi c scal e (base 2)
A
v
e
r
a
g
e

w
a
i
t
i
n
g

t
i
m
e
A regular node
A jammer
0%
10%
20%
30%
40%
50%
60%
70%
80%
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95
(d) Jamming arri val rate
J
a
m
m
i
n
g

r
a
t
i
o
One channel
Two channels
Fig. 1. Jamming ratio and average waiting time
In the experiments, we randomly deploy 450 sensors
in a square area of 300m 300m, each cluster with 50
nodes. That is, there are 9 clusters. We assume that each
sensor would take 1 second to process a message including
a security check and its channel transmission time would
be 0.5 seconds. That is, the channel occupation time is 0.5
seconds for the sensor to send a message. The message
interval-arrival time sent by sensors is 0.5. Let a = 1 and
b = 2.We measure a jamming ratio in 10 minutes for the
cases of different jamming interval-arrival times shown in
Figures 1 (a) and (b) where the jamming ratio is dened as
a ratio of the number of jammed messages and the number
of messages sent in 10 minutes. As shown in Figure 1
(a), the jamming ratios of using the proposed approach
are low in all cases, which means that the proposed
approach effectively contains jamming attacks. Figure 1 (b)
further shows the jamming ratios of no using the proposed
approach in cases of multiple jammers. The jamming ratios
of using the proposed approach is not shown in the gure
because they are low like the ones in Figure 1 (a). We also
monitor the change of waiting times during an experiment
of using the proposed approach in case of a single jammer
that is shown in Figure 1 for a simulation run of 500. As
we see, the waiting time becomes controllable for a regular
sensor but the waiting time of the jammer tends to a large
value. Then, we consider
b
= 18 and = 48. Figure 1
(d) shows the probability for a jammer to jam channel(s)
successfully (also referred to as a jamming ratio) with a
different jamming rates.
Furthermore, we evaluate the accuracy of the proposed
algorithms for the location discovery of a jammer. We
simulate the attacks in the following way: We assume
that the attacker is intended to move the location of a
jammer from its true location d distance away to (x
a
, y
a
)
with P
a
t
, in a random direction in the plane. The attacker
then calculates the malicious sensor measurements using
the Euclidean distance, and replace a number of normal
sensor measurements with the malicious ones. We set
as the value such that Probability [L(x)
2
] =
0.995. Moreover, we set parameter h in the feasible robust
algorithm as the value that makes P
h
= 0.995. We measure
the Euclidean distance error between the true location
and estimated one using the above two algorithms. For
each data point in our simulation, we repeat the simulated
attacks 500 times and obtain the average of the above
evaluation metrics. Due to the high computational cost of
the brute-force robust algorithm, we limit the number of
sensors to be 10 that exclude a jammer. Figures 2 (a)
and (b) shows the accuracy and execution time of the
two algorithms. Figure 2 (c) further gives the accuracy
of feasible robust algorithm for a case of 450 nodes.
V. Related Work
As discussed in Section I, several anti-jamming tech-
niques have been suggested, for instance, FH, DSSS, and
CSS in a physical layer, and channel surng in a data-link
layer. While physical-layer techniques require expensive
transceivers, channel surng may cause a poor network
connectivity due to the change of frequency allocations.
Thus, some jamming countermeasures have been proposed
that include the rate adaption algorithms, such as AMRR in
Lacage et al. [4], Onoe in [10] and SampleRate in [9] and
the ACK-Guide Immediate Link rate Estimation algorithm
(AGILE) in Verma et al. [17]. Ancillotti et al. [1] gave
the performance evaluation of rate adaptation algorithms.
However, rate adaptation algorithms usually has a number
of inherent limitations such as inaccuracy, slow response
to changing conditions, packet loss, inexibility, and poor
scalability. Thus, the time-based window scheme is sug-
gested to better address these issues in the paper. It adds the
time delay to attackers. The idea is better than the method
of a message puzzle that has been used to mitigate DoS
attacks (e.g., see Ning [11]). This is because the method
of a message puzzle requires a message sender to have
powerful computation capacity that is usually not true in
sensor networks. The location discovery of jammers has
been studied in the literature (e.g., ). Pelechrinis et al. [12]
proposed a distributed, lightweight jammer localization
system by using a gradient descent based algorithm to
locate a jammer. Liu et al [8] developed the Virtual Force
Iterative Localization (VFIL) algorithm to estimate the
location of a jammer by utilizing the network topology that
used RSS to compute the transmission power of a jammer.
0
2
4
6
8
10
12
14
16
0 1 2 3 4 5
(b) Distance error that an attacker intends to
introduce in logarithmicscale(base 2)
A
v
e
r
a
g
e

e
x
e
c
u
t
i
o
n

t
i
m
e

(
m
s
)
Brute-force robust
algrorithm
Feasi bl e robust
algorithm
0.0
0.5
1.0
1.5
2.0
0 1 2 3 4 5
(a) Distance error that an attacker intends to i ntroduce
in logarithmic scale (base2)
L
o
c
a
t
i
o
n

e
s
t
i
m
a
t
i
o
n

e
r
r
o
r
(
m
e
t
e
r
)
Brut e-force robust
algrorithm
Feasible robust
0. 0
0. 5
1. 0
1. 5
2. 0
2. 5
3. 0
3. 5
0 1 2 3 4 5 6 7 8
(c) Distance error that an attacker i ntends to introduce
in logarithmicscal e(base 2)
L
o
c
a
t
i
o
n

e
s
t
i
m
a
t
i
o
n

e
r
r
o
r

(
m
e
t
e
r
)
Feasibl e robust
algorithm (450 nodes)
Fig. 2. Accuracy and efciency of robust algorithms
Most existing techniques considered a single jammer and
does not permit other malicious sensors besides a jammer
in the networks. Liu et al. [7] extended the results of
Liu et al [8] to the case of multiple jammers, but it is
mainly based on signal-to-noise ratio (SNR). Moreover,
most of exiting studies are lack of the theoretical analysis
of the proposed algorithms. In this paper, we consider the
transmission power as an unknown variable and directly
estimate it based on the location information of other
sensors. Furthermore, we proposed the location discovery
of jammers where other malicious nodes may coexist with
jammers in a network that reects real-world applications.
In particular, the theoretical analysis of the proposal algo-
rithms has been given.
VI. Conclusion and Future Work
In this paper, we have studied the mitigation of jamming
attacks and the location discovery of jammers in a wireless
sensor network where there may be other malicious nodes
except jammers. Jamming attacks are the consequence of
radio interference that becomes a serious threat in sensor
network applications. In this paper, we have proposed
a systematic approach to tackling jamming attacks. The
approach consists of the mitigation of jamming attacks
and the discovery and removal of jamming attackers.
Since jamming attacks could be launched randomly, we
have developed the time-based window scheme to restrain
jamming attacks from a sensor network. By sufciently
considering a intrinsic relationship between the problem
and the linear regression, we proposed to formulate the
problem of a jammers location discovery as an LTA-
type minimization problem. To tackle this problem, we
introduced the concept of consistency among sensor loca-
tion references. Then, we developed the brute-force robust
algorithm and the feasible robust algorithm for the location
discovery of jamming attackers that permit us to remove
jamming attackers from wireless sensor networks. We have
further evaluated the proposed approach through theoret-
ical analysis and numerical experiments. Our numerical
results have demonstrated the efciency and effectiveness
of these algorithms. In the future, we would like to extend
our approach to support other cases such as the mobility
of nodes including jamming attackers.
References
[1] E. Ancillotti, R. Bruno, and M. Conti. Experimentation and
performance evaluation of rate adaptation algorithms in wireless
mesh networks. In Proceedings of the 5th ACM PE-WASUN, 2008.
[2] Q. Dong and D. Liu. Resilient cluster leader election for wireless
sensor networks. In Proceedings of SECON, 2009.
[3] Y. Faizulkhakov. Time synchronization methods for wireless sensor
networks: A survey. Programming and Computer Software, 33:214
226, 2007.
[4] M. Lacage, M. Manshaei, and T. Turletti. IEEE 802.11 rate
adaptation: A practical approach. In Proceedings of MSWiM, 2004.
[5] Y. Law, P. Hartel, J. Hartog, and P. Havitnga. Link-layer jamming
attacks on S-MAC. In Proceedings of EWSN, 2005.
[6] D. Liu. Resilient cluster formation for sensor networks. In
Proceedings of ICDCS, 2007.
[7] H. Liu, Z. Liu, Y. Chen, and W. Xu. Localizing multiple jammers
in wireless networks. In Proceedings of ICDCS, 2011.
[8] H. Liu, W. Xu, Y. Chen, and Z. Liu. Localizing jammers in wireless
networks. In Proceedings of WiCOM, 2009.
[9] J. Bicket. Bit-rate selection in wireless networks. In MIT, M.S.
Thesis.
[10] MadWi driver documentation. Onoe rate control. In
http://madwi.org/wiki/UserDocs/RateControl.
[11] P. Ning, A. Liu, and W. Du. Mitigating dos attacks against broadcast
authentication in wireless sensor networks. ACM Transactions on
Sensor Network, 4, 2008.
[12] K. Pelechrinis, I. Koutsopoulos, I. Broustis, and S. Krishnamurthy.
Lightweight jammer localization in wireless networks: system de-
sign and implementation. In Proceedings of Globecom, 2009.
[13] R. Poisel. Modern Communications Jamming Principles and
Techniques. Artech House Publishers, 2003.
[14] P. Rousseeuw and A. Leroy. Robust regression and outlier detection.
Wiley-Interscience, 2003.
[15] F. Sivrikaya and B. Yener. Time synchronization in sensor networks:
a survey. IEEE Network, 18:4550, 2004.
[16] B. Sundararaman, U. Buy, and A. Kshemkalyani. Clock synchro-
nization for wireless sensor networks: A survey. Ad Hoc Networks,
2005.
[17] L. Verma, S. Kim, S. Choi, and S. Lee. AGILE Rate Control for
IEEE 802.11 Networks. Future Generation Information Technology,
Lecture Notes in Computer Science, Volume 5899. Springer-Verlag,
2009.
[18] W. Xu, W. Trappe, and Y. Zhang. Defending wireless sensor
networks from radio interference through channel adaptation. ACM
Transactions on Sensor Network, 4, 2008.
[19] W. Xu, W. Trappe, Y. Zhang, and T. Wood. The feasibility of
launching and detecting jamming attacks in wireless networks. In
Proceedings of MobiHoc, pages 4557, 2005.