Detection of Jamming Attacks in Mobile Ad Hoc Networks Using Statistical Process Control

Available online at www.sciencedirect.com

ScienceDirect Procedia Computer Science 83 (2016) 26 – 33

The 7th International Conference on Ambient Systems, Networks and Technologies (ANT 2016)

Detection of Jamming Attacks in Mobile Ad Hoc Networks using Statistical Process Control Mohammed-Alamine El Houssainia,*, Abdessadek Aarouda, Ali El Horea, Jalel BenOthmanb a

Department of Computer Science, Faculty of Sciences, Chouaib Doukkali University, El Jadida, Morocco b Department of Computer Science, Galilee Institute, Paris 13 University, Paris, France

Abstract A mobile ad hoc network is a group of mobile hosts that depends on wireless network interfaces with no use of fixed infrastructure or centralized administration. The main equipments of a mobile station are wireless transmitters/receivers. In this respect, the network can be seen as random chart because of the nodes ‘movement. The change of network topology relies on time when nodes move or adjust their transmission and reception parameters. The design of these networks is characterized by its vulnerability to denial of service attacks (DOS).Thus, it is very challenging. In this paper, the focus lies on a special kind of denial of service attacks called Jamming. Indeed, stations in a mobile ad hoc network share a wireless medium. Therefore, a radio signal can be jammed or interfered, which leads to the corruption and loss of the message .In this study , we suggest a new method of detection of that predictable attack by the application of the statistical process control (SPC). The SPC can be the key element of the detection of jamming attack, applied on the packet drop ratio (PDR) which refers as the number of dropped packets to the total of packets sent. The assimilation of this metric shows the nonconforming fraction. As we evaluated the performance, we substantiate that the control chart for fraction nonconforming based on the PDR detects the jamming attack in a real time by a visual graph. © Published by by Elsevier B.V.B.V. This is an open access article under the CC BY-NC-ND license 2016The TheAuthors. Authors. Published Elsevier © 2016 (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs. Peer-review under responsibility of the Conference Program Chairs Keywords: Mobile ad hoc network; IEEE 802.11; Jamming attack; Statistical process control.

* Corresponding author. E-mail address: [email protected]

1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs doi:10.1016/j.procs.2016.04.095

Mohammed-Alamine El Houssaini et al. / Procedia Computer Science 83 (2016) 26 – 33

1. Introduction Jamming attack can deliberately lead to the stoppage or disruption of wireless communication. Interferences at the transmissions are due to jamming attack. It may appear on purpose by network load or in form of attack. A jammer can easily fulfilled by listening to the shared medium and transmitting in the same bandwidth as network, with no need of particular hardware. The wireless medium causes various security threats to wireless networks12. Any station equipped with a transceiver can spy on going transmissions, inject fake messages, or block the transmission of legitimate ones. One of the essential keys for damaging the network performance is by jamming wireless transmissions. In the straightforward form of jamming, the scamper distorts transmitted messages due to interferences in the network’s operational frequencies, and in closeness to the targeted receivers. As jamming attacks lower the performance of wireless networks, some effective methods are needed to detect their existence .Among techniques used in wireless medium, we have steady, tricky, reactive, smart, and random jammers. Various metrics are used in the literature to describe jamming attacks 5: • Packet delivery ratio refers to the ratio overall number of packets correctly received to the total number of packets received. • Packet sent ratio, which is measured at the transmitter side, is the total number of acknowledgments packets received to the total number of packets transmitted. • Carrier sensing time can be seen as the time when a station has to wait for the channel to get inactive to start its transmission. • Signal strength is meant the power that is clearly seen on the receiver end. In our study, the focus will be on another metric for the jamming attack as we will highlight through the simulation results. This metric is called the packet drop ratio (PDR). This latter refers the number of dropped packets to the total of packets sent. This paper is divided into six sections: The next section is about a concise summary of previous work done on jamming detection and classification in wireless networks. The third section provides an analysis on the impact of the jamming attacks. The fourth section explains our proposed model for the detection of the jamming attacks. The forth section, the authors evaluate the performance of their approach using NS2 simulator. The last section sheds light on conclusions and perspective. 2. Related work In the nature of the wireless medium in ad hoc network, attackers can easily monitor communications between wireless devices and launch simple denial of service attack against wireless networks by jamming or interfering communication. In this respect, via conventional security mechanisms, such attacks in the physical layer cannot be detected. There are various attack strategies that a jammer can perform so as to overlap with other wireless communications. The authors in5 classify the types of jammers as follow: • Constant Jammer can be seen as the continuous emission of a radio signal that performs random bits. • Deceptive Jammer refers to the fact that it does not transmit random bits instead of transmitting semi-valid packets unlike the continuous jammers. That is, the packet header is valid but the payload is useless. • Random Jammer means the Alternation between two modes namely sleeping and jamming the channel. The first one jams for a random period of time (it can behave either like a constant jammer or a deceptive jammer), the second one (the sleeping mode) turns its transmitters off for another random period of time. • Reactive Jammer‘s aim is not to waste resources by the fact of jamming when it senses the act of transmission. The key focus is on the receiver, trying to input as much noise as possible in the packet to modify many bits relying on less amount of power needed to modify enough bits so that when a checksum is performed over that packet at the receiver it will be grouped as not legitimate and therefore rejected. Several approaches have been proposed in the literature for the detection of the jamming attack in wireless networks: A new detection scheme for the jamming attack was suggested by the authors in9; the packet delivery ratio and signal strength were chosen as the jamming attack metrics for their system. The scheme utilizes a multimodal consistency check for jamming detection. Each node compares the value (packet delivery ratio, signal strength) with

27

Mohammed-Alamine El Houssaini et al. / Procedia Computer Science 83 (2016) 26 – 33

thresholds that are decided by experiments. To detect the existence of jamming attack in ad hoc networks a new model based on the measure of relationship among the error and the correct reception times proposed by the authors in10. The core objective is to identify a specific type of jamming; the authors believe that the jammer transmits only when valid radio activity is signaled from its radio hardware. A transmission node measures the Error Probability (EP) and the Correlation Coefficient (CC). The CC is among the reception error time and the correct reception time. Therefore, the network is regarded as jammed when CC is larger than produced relative EP. In this paper11, a three dimensional model is proposed by the authors. It is based on signal strength, PDR (Packet Delivery Ratio), and pulse width (PW) of the signal causing a significant improvement in accuracy in addition to classifying jamming attacks in a better way. It considers that PDR, signal strength variation, and pulse width yield results which conform with experimental results. 3. Impact of jamming attack To determine the impact of the jamming attack in IEEE 802.11 on the performance of the network, the simulator NS-28 with the following simulation parameters are selected (Table 1), In the NS-2 simulations we can use some useful tools for processing traces files as described by1,2: Table 1 . Platform and parameters Parameters Values Computer HP Compaq 6730s Operating System Ubuntu 10.10 Version of the simulator ns-2.348 Trace file processing language Perl Graph construction tool Microsoft Excel 2007 Transmission rate (Mb/s) 2 MAC layer 802.117 Physical layer Direct Sequence Spread Spectrum Simulation surface (m) 500x500 Transmission range (m) 250 Radio propagation model Shadowing Traffic generator CBR Constant Bit Rate Simulation time (s) 60 Packet size (byte) 1000 Routing Protocol AODV Node speed (m/s) Randomly selected between 0 and 15 Mobility model Random Way Point6

Our simulations were focused on the transmitter with the aim of evaluating the performance of two metrics: the throughput and the packet drop ratio. First, we have chosen a small network of 4 nodes in total including a receiver, and we compared two scenarios (with and without attack). At the thirtieth second, we activated a jammer. Figures 1 and 2 show the results of simulation with a granularity of one second: Node1

Node2

Node3

0.8 0.7 Throughput in Mb/s

28

0.6 0.5 0.4 0.3 0.2 0.1 0 1

11

21

31 Time in s

41

51

Fig.1 . Measure of the throughput under jamming attack.

Mohammed-Alamine El Houssaini et al. / Procedia Computer Science 83 (2016) 26 – 33

Node1

Node2

Node3

0.51 Packet drop ratio

0.49 0.47 0.45 0.43 0.41 0.39 0.37 0.35 1

11

21

31

41

51

Time in s

Fig.2 . Measure of the packet drop ratio under jamming attack.

The figure 1 and the figure 2 show that the three nodes are at the foot of equality and oscillate about the same throughput, and the same packet drop ratio. The oscillatory character of the curves can be explained by IEEE 802.11 equity in term of the access to the transmission channel. The effect of the movement speed on the performance of transmissions is also tested. Actually during the simulation time nodes moved with an arbitrarily selected speed between 0 and 15m/s. This reveals the absence of the influence of the movement speed. It appears evidently that the throughput decreased to reach 0 after the jammer activated from the thirtieth second. The packet drop ratio increased and became less fluctuant. The throughput in the presence of a jammer decreased to become zero, because of interferences that lead to useless transmitted data. In figure 2 we investigated all packets, including routing packet and those relating to the MAC layer. In the following section we suggest a new detection strategy based on statistical quality control approach (statistical process control).We use the control chart for fraction nonconforming, applied on the packet drop ratio. This new strategy for detection can be applied to any transmitting node to monitor the network in real time, as we will demonstrate by simulation; modifications of the IEEE 802.11 standard are not required by the suggested detection scheme. We claim that our approach has not been proposed before in the literature to detect jamming attack in mobile ad hoc networks.

4. Proposed detection system 4.1. Basic idea The basic idea of our strategy for detecting the jamming attack in mobile ad hoc networks emerges from the shift observed on the packet drop ratio. In the previous section we displayed that this attack caused an increase of the packet drop ratio for honest nodes. As we have demonstrated through NS2 simulation results another metric for the jamming attack in our paper is considered. This metric is the PDR (packet drop ratio) which is defined as the number of dropped packets to the total of packets sent. The PDR is assimilated to the fraction nonconforming. The basis of our detection method is the supervision of the packet drop ratio by two limits in a graph. These graphs are called control chart. The detection of deviation is one of the basic principles of this control. No variations on a system require modification. Actually, two processes are never exactly similar. There are many sources of variations of low

29

30

Mohammed-Alamine El Houssaini et al. / Procedia Computer Science 83 (2016) 26 – 33

amplitude that cannot be removed. The common causes of dispersion 3 are represented by all these variations of low amplitude. The SPC method provides a strong tool to separate the ordinary from the extraordinary by plotting powerful control charts, among these charts are: The control chart for fraction nonconforming3. 4.2. The control chart for fraction nonconforming The fraction nonconforming is defined as the ratio of the number of nonconforming items in a population to the number of items in that population4. The fraction nonconforming is usually expressed as a decimal. The base of the control chart for fraction nonconforming is the binomial distribution. The average of fraction of nonconforming is expressed by4: ’ത ൌ

σౣ ౟సభ ୈ౟

(1)

୫୬

Where m is the number of samples, n is the sample size and Di is the number of nonconforming in the sample size n. The center line (CL), the upper control limit (UCL) and the lower control limit (LCL) for fraction nonconforming are calculated as follow4: ഥ ሺଵି୮ ഥሻ ୮

 ൌ ’ത ൅ ͵ට

(2)

୬

‡–‡”Ž‹‡ ൌ ’ത  ൌ ’ത െ ͵ට

(3)

ഥሺଵି୮ ഥሻ ୮

(4)

୬

4.3. Detection system The main objective is to identify a reactive jammer. Concerning this kind of jammer, it is not essential to jam the channel while none is on communication. Rather, when the channel is inactive, the jammer remains quiet and at the same time starts diffusing a radio signal once it feels activity on the channel. It is necessary to indicate that a reactive jammer does not exigently save energy as the jammer’s radio has to be permanently on so as to feel the channel. However, the principal advantage for a reactive jammer is the possibility of being difficult to identify5. The p indicated in the chart stands for the packet drop ratio, n refers to the total number of packets (sample size), and ’ത to the average of the packet drop ratio. We suggest inspecting and plotting the packet drop ratio by control chart through this controlling procedure (Table 2). Table 2 . Look–Up table of the chart parameters The fraction of nonconforming Packet drop ratio Average of the packet drop ratio (center line)

‡–‡” Ž‹‡ ൌ ’ത

Upper control limit of the fraction nonconforming control chart

’തሺͳ െ ’തሻ  ൌ ’ത ൅ ͵ඨ 

Lower control limit of the fraction nonconforming control chart

’തሺͳ െ ’തሻ  ൌ ’ത െ ͵ඨ 

We can sum up the judgment and the perceptions of the novel detection strategy in the following block diagram (Figure 3):

Mohammed-Alamine El Houssaini et al. / Procedia Computer Science 83 (2016) 26 – 33

Identtification of jamming metric (the PDR packet drop ratio )

Collect of sttatistical measures (PDR packet drop ratio) in normal case (without jamming)

Calculate the parameters of the chart (UCL, Center line and LCL)

Represent the measurements above on the chart (if there are points that come out of the controll limits they should be eliminated and recalculate the chart settings)

Monitoringg the PDR using the control chart for fraction nonconforming

If there has been a great deviation If the curve oscillates onn either side of the mean and that all the pointts are inside the limits The network is under jamming attack

Our communication is under control and no jamming attack exist

Fig.3 Block diagram of the detection scheme

We need a minimum of 20 values3 with regard to the calculation of the thresholds (control chart parameters). Nevertheless, we draw each computed valuue (packet drop ratio) for the network monitoring. Thhis is the real-time identification that we highlight in our paper. The identification of the pattern is operated at any a diffusing node. Obviously, each node is allowed to take bennefit from its diffused packets. We can focus on the faact that one genuine node in the state of diffusion is enough for calculating c the parameters of the control diagram. We devote the following part to the perform mance study of the suggested identification scheme throough NS-2 simulations. The shadowing model is used inn our simulations parameters as a Radio Propagation Model M that is very close to the realistic radio propagation, takinng into consideration the losses of energy. 5. Performance evaluation 5.1. Computation of control limits First of all, the control limits and center linees have been calculated depending on the simulation reesults in normal case (without jamming attack) by means of equations e from (1) to (4). Results are depicted in Table 3:

Chart type

Table 3 . Control charts parameters for packet drop ratio Chart Parameters Values

Fraction nonconforming

UCL CENTER LINE LCL

0.48498 0.42035 0.35572

5.2. Monitoring of the network In this situation, our metric (packet drop rattio) is supervised in the control chart below which connsists of the control limits that we calculated in the previous part p regardless jamming attacks in the network. Thhen, at the thirtieth second, a jammer was switched on. As it is i mentioned in the control chart (Figure 4) before thhe thirtieth second,

31

32

Mohammed-Alamine El Houssaini et al. / Procedia Computer Science 83 (2016) 26 – 33

curve of the packet drop ratio oscillate on each side of the mean and that the majority of the points are inside the limits. Apparently, it can be concluded that this node connects in an environment without jamming attack. Later on, when the jammer is activated from the thirtieth second, the upper control limit has been crossed by the curve, a strong detour is noticed. As a result, it can be concluded that this node is under a jamming attack. We can add that in the presence of a constant jammer, we will see a curve crossing the upper control limit for all the simulation time. Unlike the random jammer where the packet drop ratio goes to oscillate on each side of the upper control limit. Packet drop ratio

LCL

CL

UCL

Packet drop ratio

0.55 0.5 0.45 0.4 0.35 0.3 1

11

21

31 Time in s

41

51

Fig.4 Monitoring of the packet drop ratio by the control chart for fraction nonconforming.

5.3. Generalization of the detection method The average of the packet drop ratio is plotted as a function of the number of nodes. The graphic below (Figure 5) demonstrates the results. It can be noticed that miniscule and random variations in the curve are identified. The chart parameters should be calculated for each nodes number in order to get greater network supervision. 0.55

Packet drop ratio

0.5 0.45 0.4 0.35 0.3 0.25 0.2 2

7

12

17

Number of nodes

Fig.5 Average of the packet drop ratio as a function of the number of nodes.

We tried to compute the center line based on the number of nodes because the main factor for the packet drop ratio is the network’s load. Accordingly, the control chart parameters are updated by every transmitter for every number of nodes. In this study, the identification scheme was evaluated in an excellent situation that is based on the nodes number with regular bit rate traffic. The statistical process control represents a practical and a solid means for the supervision and the identification of strong derivations in any kind of situations (realistic or theoretical).So, the objective is the detachment of the exceptional from the familiar cases. The latter is called common case (without jamming attack). Our proposed scheme has several advantages better than other methods existing in the literature. It works in real time, based on one metric and doesn’t demand modifications to the IEEE 802.11 protocol. 6. Conclusion The jamming attack may drive to the deterioration of the network’s performance. In this research, we tried to suggest a novel identification scheme concerning this attack depending on the supervision of one metric (packet

Mohammed-Alamine El Houssaini et al. / Procedia Computer Science 83 (2016) 26 – 33

drop ratio) by means of analytical process charts. There are many benefits of the identification scheme. Changes are needless in the IEEE 802.11 protocol also, we can implement the identification scheme at any diffusing node, and the most important benefit is the identification of an identical attack in genuine time by a visual graph. We are going to do our best so as to broaden the suggested scheme through offering other performance measurements for the sake of developing other identification systems. Moreover, we will try to make an implementation of the identification strategy in a realistic situation. References 1. Van C. Bouras, S. Charalambides, M. Drakoulelis, G. Kioumourtzis, and K. Stamos, «A tool for automating network simulation and processing tracing data files», Simulation Modelling Practice and Theory, Volume 30, January 2013, Pages 90–110. 2. A. U. Salleh, Z. Ishak, N. M. Din, and M. Z. Jamaludin, «Trace Analyzer for NS-2», 4th Student Conference on Research and Development (SCOReD 2006), Shah Alam, Selangor, MALAYSIA, 27-28 June, 2006. 3. M. Pillet. Appliquer la maitrise statistique des procédés MSP/SPC. Edition d’organisation. 3ème edition. 4. Douglas Montgomery, C. 2008. Introduction to Statistical Quality Control, 6th ed. United States of America: John Wiley & Sons, Inc. 5. W Xu, W Trappe, Y Zhang and T Wood. The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks. In proceeding of MobiHoc, Urbana-Champaign, Illinois, USA. 6. F. Bai, A. Helmy A, «A Survey of Mobility Modeling and Analysis in Wireless Ad-Hoc Networks» in Wireless Ad-Hoc and Sensor Networks, ed 2004. 7. IEEE Standards Association. 2012. “IEEE 802.11 Standard for Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.” IEEE Standards Association (March): 818-40. 8. Information Sciences Institute. 1995. “The Network Simulator –ns-2.” Information Sciences Institute. Accessed July 10, 2015. http://www.isi.edu/nsnam/ns/. 9. Ju, K. and Chung, K. (2012) Jamming Attack Detection and Rate Adaptation Scheme for IEEE 802.11 Multi Hop Tactical Networks. International Journal of Security and Its Applications, 6, 149-154. 10. Hamieh, A.; Ben-othman, J., "Detection of Jamming Attacks in Wireless Ad Hoc Networks Using Error Distribution", in IEEE International Conference on Communications, 2009 ICC '09, pp.1-6, 14-18 June 2009. 11. N. Sufyan, N. A. Saqib, and Z. Muhammad, "Detection of jamming attacks in 802.11b wireless networks" EURASIP Journal on Wireless Communications and Networking, vol. 2013, article 208, 2013. 12. I. Aad, J.-P. Hubaux, and E. W. Knightly, “Denial of service resilience in ad hoc networks”, In Proceedings of Mobicom, 2004.

33