Link-Layer Jamming Attack against the Wireless Sensor Network LMAC Protocol and Countermeasure
Abstract
While Wireless Sensor Networks (WSN) are becoming more technologically and economically feasible, it is important for these systems to be robust in order to make an investment in a WSN worthwhile. At present, WSNs are particularly sensitive to DoS attacks on the physical and data link layer.
A strategy to attack LMAC [5] as proposed by Law et al. [3] is given, implemented and demonstrated on the AmbientRT Node platform. Next a strategy to defend against these kinds of attacks is proposed, implemented and demonstrated.
1 Introduction
Xu et al. [6] propose four generic jammer models: (1) the constant jammer, (2) the deceptive jammer, (3) the random jammer and (4) the reactive jammer.
A constant jammer emits a constant noise. A deceptive jammer either fabricates or replays valid signals. A random jammer sleeps for a random amount of time and jams for a random time, after which it sleeps again. A reactive jammer listens for activity on the medium and sends out a random signal when activity is detected.
These four methods serve the same purpose: to cause collisions with existing signals on the medium and thus make this instance of communication worthless. Law et al. [3] have proposed a jamming attack which is encoding-agnostic (i.e. packets may or may not be encrypted, their content is of no interest) and as effective as constant, deceptive or reactive jamming, yet at the same time more energy efficient than random jamming or reactive jamming.
Such jamming attacks can be realized by exploiting knowledge of the data link layer. Law et al. [3] have simulated these attacks on S-MAC, LMAC and B-MAC and have proven jamming attacks can be carried out effectively and energy-efficiently.
It was indicated that MAC protocols at present do not provide a high entry barrier, and as such jamming a WSN could be considered a low-cost attack. As a result, a WSN can never in any practical sense be secure.
As objective one we set out to implement a jamming attack proposed to be effective against LMAC. The aim is to disrupt communication within the WSN to such an extent that throughput approaches zero. As objective two we then present and implement some countermeasures, and prove their effectiveness.
1.1 Requirements
Requirements related to both objectives are the following:
The jamming must be performed energy-efficiently. If the jammer outlives the WSN when given comparable energy budgets while successfully jamming the WSN's communication, it has proven to be successful.
The jamming should preferably happen in such a way that the WSN is not aware of it. The WSN might detect something is wrong but it should not detect it is being jammed.
1.2 Outline
The paper is structured as follows. First some background information about the Lightweight Medium Access Control (LMAC) protocol is provided in section 2. Then in section 3 we elaborate a strategy on attacking LMAC and its implementation. Next a strategy for a countermeasure is elaborated in section 4. This is followed by the results in section 5 and conclusions in section 6.
2 About LMAC
LMAC [5] is a Time Division Multiple Access (TDMA) protocol. Time is divided into frames, and the frames are divided into slots. Each slot is occupied by one node. A slot is further divided into two parts: a control message (CM) and a data message (DM). If a node occupies a slot it always sends a control message, and if the node has any data to send it also sends a data message.
Since control messages are crucial for addressing other nodes and synchronization, nodes always wake up to listen to control messages. If a message is not destined for a node, it immediately goes back to sleep until the next slot.
3 Attack against LMAC
3.1 Assumptions
The jammer operates under the following assumptions.
LMAC control messages (CM) can be observed. In the case of the LMAC implementation on the Ambient Node [4] from Ambient Systems this is already realized by using a different address for control and data messages.
The probability that two consecutive occupied slots can be observed is larger than 0.5. We use four nodes to test our implementation, so in order to realize a high probability of consecutive slots we modify the frame size of LMAC (the number of slots per frame) to eight slots. Law et al. [3] provided Equation 1 for this. Equation 2 proves that this holds for a frame with s = 8 slots of which n = 4 are occupied.
Pr(at least two occupied slots are consecutive)
3.2 Strategy
The jammer only knows that LMAC is a frame-based protocol using slots. It knows which radio transmissions are CM messages. To determine the slot size it must observe the minimum time difference between CM messages. Once the jammer has established the slot size it must synchronize its timer to the start of a CM message. The jammer now exhibits the same energy-efficient listen-sleep behavior as the WSN.
Every time the timer is triggered the jammer sends out a small message to cause a collision with the CMs transmitted by the WSN nodes. The non-arrival of CMs will disrupt the network.
The message sent out to collide with the CM is shorter than the CM, so the WSN loses more energy in the collision.
3.3 Node Implementation
The jamming node uses the same hardware as the LMAC nodes, in our case the Ambient Node from Ambient Systems. The node is powered by AmbientRT [1, 2], a realtime operating system.
The implementation is straightforward. There are three tasks: mac sync, mac timer and button event. These tasks operate a state machine (Figure 1).
Figure 1: State machine of the Jammer
mac sync is subscribed to the RADIOIN event. When triggered it determines the slot size and synchronizes the TIMER0 to the rest of the network. Now the state is switched to jamming.
mac timer is subscribed to the TIMER0 event. When triggered by the TIMER0 event while in the jamming state, a small message is sent in the hope that it creates a collision.
button event is subscribed to the IO1 event. The event is triggered by the button on the Node; when pressed it switches between an off state and an on state of the jamming node.
4 Countermeasure
4.1 Strategy
Modify the LMAC protocol in such a way that the jammer cannot accurately observe the size of a slot and thus cannot synchronize its listen-sleep pattern to that of the WSN.
To achieve this we shift the start of a slot by a pseudo-random amount forward in time. The jammer only observes the time between the start points of slots, since it is observing CM messages, so it cannot compute a correct slot time to set its timer to and thus cannot successfully disrupt the network by jamming the CMs. Essentially, the WSN is trying to stay a step ahead of the jammer.
4.2 Node Implementation
For the pseudo-random generator and the distribution of the seed, existing frequency hopping code in the radio driver and LMAC is reused. The offset for the trigger time of the mac timer is preset in an array which is accessed by the index of the seed.
Next to this only two other modifications were needed to LMAC. First the LMAC Sync method needs to add the offset for the next trigger of mac timer using the preset in the array. Secondly the LMAC Timer function needs to increment the seed to the next seed and obtain the next shift amount.
4.3 Effect on Throughput
The original LMAC implementation has a slot time of 2048 ticks. In one slot it transmits a CM and a DM of up to 255 bytes or 2040 bits. With 32768 ticks/sec, throughput has a maximum of 32640 bps. The countermeasure implemented adds a pseudo-random time to a slot, which results in a lower number of slots per second and thus implies a decrease in throughput. The penalties are shown in Table 1.

Case      Slot Size  TP (bps)  P (bps)  P (%)
standard  2048       32640     -        -
minimum   2080       32138     502      1.5
average   2094       31923     717      2.2
maximum   2109       31696     944      2.9

Table 1: Throughput penalties of countermeasure
The countermeasures are successful in defending the WSN against the jammer attack. The average slot time converges to 2094; as a result the penalty imposed on throughput is a mere 2.2 percent.
This kind of countermeasure, however, is a pseudo-random pattern. With the current implementation the pattern repeats every 127 ticks. The shift value changes 16 times per second; as a result the pattern repeats every 8 seconds.
If an attacking node is able to measure and store at least 127 measurements and then perform a pattern-matching operation on them, the defense against jamming attacks is compromised, because the attacker now knows the pattern and only needs to lock on to it.
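The following model of the countermeasure from sections 4.2 and 4.3 is an added example, not the authors' AmbientRT code. It assumes a 7-bit LFSR as the reused generator and a constructed seed-to-offset mapping chosen to match the range in Table 1, and it reports the pattern period, the mean slot size, the throughput, and how soon a timer fixed at the minimum observed slot size drifts away from the real slot starts.

```c
#include <stdint.h>
#include <stdio.h>
#define BASE_SLOT  2048u   /* original slot time in ticks (page) */
#define TICKS_SEC  32768u  /* timer ticks per second (page) */
#define SLOT_BITS  2040u   /* one 255-byte DM per slot (page) */
#define MIN_SHIFT  32u     /* 2080 - 2048, Table 1 minimum */
#define SHIFT_SPAN 30u     /* shifts 32..61, Table 1 maximum is 2109 */

/* Assumption: 7-bit maximal-length LFSR in place of the reused generator. */
static uint8_t lfsr7_next(uint8_t s) {
    uint8_t bit = (uint8_t)(((s >> 6) ^ (s >> 5)) & 1u);
    return (uint8_t)(((s << 1) | bit) & 0x7Fu);
}
/* Constructed stand-in for the preset offset array indexed by the seed. */
static uint32_t slot_ticks(uint8_t seed) { return BASE_SLOT + MIN_SHIFT + seed % SHIFT_SPAN; }
/* Maximum throughput in bps for a slot size, rounded to nearest. */
uint32_t throughput_bps(uint32_t ticks) { return (SLOT_BITS * TICKS_SEC + ticks / 2) / ticks; }

/* Number of slots before the shift pattern repeats. */
unsigned pattern_period(uint8_t seed) {
    unsigned n = 0;
    uint8_t s = seed;
    do { s = lfsr7_next(s); n++; } while (s != seed);
    return n;
}

/* Mean slot size over one full pattern, rounded to the nearest tick. */
uint32_t mean_slot_ticks(uint8_t seed) {
    uint32_t sum = 0, n = pattern_period(seed);
    for (uint32_t i = 0; i < n; i++, seed = lfsr7_next(seed)) sum += slot_ticks(seed);
    return (sum + n / 2) / n;
}

/* Slots where a fixed-period timer, aligned at slot 0, fires within tol ticks of the slot start. */
unsigned slots_in_sync(uint8_t seed, uint32_t period, uint32_t tol) {
    uint32_t real = 0, timer = 0, hits = 0, n = pattern_period(seed);
    for (uint32_t i = 0; i < n; i++, seed = lfsr7_next(seed)) {
        uint32_t d = real > timer ? real - timer : timer - real;
        if (d <= tol) hits++;
        real += slot_ticks(seed); timer += period;
    }
    return hits;
}

int main(void) {
    printf("period=%u mean_slot=%u in_sync=%u\n", pattern_period(1),
           (unsigned)mean_slot_ticks(1), slots_in_sync(1, 2080u, 16u));
    return 0;
}
```

The 16-tick tolerance is a constructed value standing in for the CM duration, which the page does not give; the short period returned by pattern_period is the weakness the section describes.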
5 Results
Figures 2, 3 and 4 respectively show the link quality reported by the nodes to the gateway. The value for the link quality is obtained from the lmac neighbour table structure on the gateway node. This is plotted per frame and the duration of a frame is 12 second.
In this setup node 2 and 3 are at roughly equal distance from the gateway node and node 4 is around three times as far away.
[Plot "jamming near gateway (LMAC)": link quality against #frames for node 2, node 3 and node 4]
Figure 2: Jamming near the gateway node
Figure 2 shows the jammer active near the gateway node. The gateway loses node 2, 3 and 4 roughly at the same moment in time. When the jammer is turned off, node 4 returns first.
[Plot "jamming near gateway (LMAC+CM)": link quality against #frames for node 2, node 3 and node 4]
Figure 3: Jamming near node four
Figure 3 shows the jammer active near node 4, which is the furthest away. Node 4 is completely lost, but nodes 2 and three are not affected.
Figure 4 shows the same setup as used for Figure 2, but now the WSN uses the modified LMAC code. The jammer still has some effect now and then, but not enough to disrupt the network.
[Plot "jamming near gateway (LMAC+CM)": link quality against #frames for node 2, node 3 and node 4]
Figure 4: Jamming near the gateway node
6 Conclusions
LMAC is vulnerable to an attack as described in section 3. If the jammer can determine the slot size and synchronize to the timing used in the network, it can successfully disrupt the communication within the network. This disruption only affects nodes that are in the collision domain of the jammer. Furthermore, due to the nature of the hardware (i.e. clock drifting), the jammer will eventually lose synchronization.
The proposed countermeasure is effective against the attacks described above. By shifting the trigger point of the timer of a node forward in time we can prevent the jammer from observing the correct slot size. The jammer can synchronize to the network using a calculated slot time, but by the next slot it will already be out of sync.
There are however some drawbacks to this countermeasure. One of those is that the slots are larger and thus the throughput decreases. Another one is that the shifting pattern might be observed reasonably energy-efficiently, making this countermeasure obsolete.
7 Future Work
It still has to be proven that the jammer is energy efficient. Currently it jams every slot, which is not very efficient given that not all the slots are occupied. Consequently, the strategy could be improved by only jamming slots that are occupied. If the jammer knows the correct slot size it could listen and check from time to time which slots are occupied and which slots are not. Then it will only jam when it is certain a collision will occur, reducing its own energy expenditure.
The strategy of the jammer could also be improved regarding the proposed countermeasure. If the jammer becomes more intelligent it could recognize the pattern of slot sizes used by the modified LMAC. This pattern is static and once discovered by the jammer it can again disrupt the network. A drawback here is that more intelligence means a larger drain of resources and thus a shortening of the life of the jammer.
References
[1] Stefan Dulman, Tjerk Hofmeijer, and Paul Havinga. AmbientRT - real time, data centric system software for wireless sensor networks. In Proceedings of the 21st sensor symposium on sensors, micromachine and applied systems (SMAS 2004), October 2004.
[2] T. Hofmeijer, S. Dulman, P. G. Jansen, and P. J. M. Havinga. AmbientRT - real time system software support for data centric sensor networks. In 2nd Int. Conf. on Intelligent Sensors, Sensor Networks and Information Processing, pages 61-66. IEEE Computer Society, Washington, DC, December 2004.
[3] Y. W. Law, L. F. van Hoesel, J. M. Doumen, P. H. Hartel, and P. J. M. Havinga. Energy-efficient link-layer jamming attacks against three wireless sensor network MAC protocols. In V. Atluri, P. Samarati, P. Ning, and W. Du, editors, 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), Alexandria, Virginia, pages 76-88, New York, November 2005. ACM Press. Imported from DIES.
[4] TJH. AmbientRT 1.1 for Node 2.0 Manual. Ambient Systems B.V, Enschede, the Netherlands, 0.9.1 edition, December 2005.
[5] L.F.W van Hoesel and P.J.M. Havinga. Design aspects of an energy-efficient, lightweight medium access control protocol for wireless sensor networks. Unpublished, January 2006.
[6] Wenyuan Xu, Wade Trappe, Yanyong Zhang, and Timothy Wood. The feasibility of launching and detecting jamming attacks in wireless networks. In MobiHoc '05: Proceedings of the 6th ACM international symposium on Mobile ad hoc networking and computing, pages 46-57, New York, NY, USA, 2005. ACM Press.