Bishal Thapa

Abstract: In this paper, we address the problem of countering jamming of broadcast control channels in wireless communication systems. Targeting control traffic on a system, e.g., BCCH channel in GSM, leads to smart attacks that can be four orders of magnitude more efficient than blind jamming. We propose several schemes based on coding theory and its applications that can counter both external and internal attackers (traitors). We introduce a T-(traitor) resilient scheme that requires less than (Tlog_TN)² control information transmissions and guarantees delivery of control information against any coalition of T traitors. The proposed scheme also allows the identification of persistently jamming traitors.(Published)[Full Paper]

Abstract: We introduce a platform that simplifies the development, performance evaluation, and comparison (DEC) of cross-layer protocols for multi-hop ad hoc networks (MANET). To the best of our knowledge, this is the first platform that provides an integrated API for con- trolling and assessing, on a per-packet basis, the physical layer and MAC/LLC parameters (e.g. frequency channel, power, rate, coding/modulation, fragmentation, number of retransmissions) for IEEE802.11 network interfaces. Today, performance evaluation of wireless mobile ad hoc networks heavily relies on sim- ulation, which is limited in reflecting real environment scenarios due to the channel modeling approximations. Experimental comparisons of protocols in real-world propaga- tion environment are difficult because of limited reproducibility of the channel propaga- tion, environment, and mobility scenarios. We introduce a DEC platform that provides a network virtualization above the physical/link layers. It runs multiple protocols in TDMA- like timeslots guaranteeing an equitable share of the medium, seamless switching between protocols and synchronization between the nodes, all in a transparent fashion to developers. An extensive experimental evaluation demonstrates the usefulness of the platform.(Published)[Full Paper]

Abstract: In this paper, we study the performance of the IEEE 802.11 MAC protocol under a range of jammers that covers both channel-oblivious and channel-aware jamming. We study two channel-oblivious jammers: a periodic jammer that jams deterministically at a specified rate, and a memory less jammer whose signals arrive according to a Poisson process. We also develop new models for channel-aware jamming, including a reactive jammer that only jams non-colliding transmissions and an omniscient jammer that optimally adjusts its strategy according to current states of the participating nodes. Our study comprises of a theoretical analysis of the saturation throughput of 802.11 under jamming, an extensive simulation study, and a test bed to conduct real world experimentation of jamming IEEE 802.11 using GNU Radio and USRP platform. In our theoretical analysis, we use a discrete-time Markov chain analysis to derive formulae for the saturation throughput of IEEE 802.11 under memory less, reactive and omniscient jamming. One of our key results is a characterization of optimal omniscient jamming that establishes a lower bound on the saturation throughput of 802.11 under arbitrary jammer attacks. We validate the theoretical analysis by means of Qualnet simulations. Finally, we measure the real-world performance of periodic and memory less jammers using our GNU radio jammer prototype.(Published)[Full Paper]

Abstract: We propose a game theoretic model to study broadcast communication in the presence of internal attackers (traitors). The server preassigns channel access keys to all users including the unknown traitors. Each user receives a unique set of access keys of fixed size. The traitor selectively jams the channels corresponding to the keys he possesses to prevent users that share keys with him from successfully receiving the message. The server, on the other hand, tries to counteract by transmitting information using a set of keys that maximizes the number of legitimate users receiving the message. The jamming and anti-jamming between the traitor and the server can be modeled as a two-player non-cooperative game. Assuming that the players are rational and they have complete information on each other's payoff function and strategy space, we derive a closed expression for the Nash Equilibrium (NE) for a general class of utility functions (not necessarily zero-sum). We show that under our game formulation, the complexity for computing the NE is polynomial in the number of users.(Submitted)[Full Paper]

Abstract: We consider the problem of key establishment over a wireless radio channel in the presence of a communication jammer, initially introduced in Strasser08. The communicating nodes are not assumed to pre-share any secret. The established key can later be used by a conventional spread-spectrum communication system. Our approach is based on the novel concepts of intractable forward-decoding and efficient backward-decoding. Decoding under our mechanism requires at most twice the computation cost of the conventional SS decoding and one packet worth of signal storage. We introduce techniques that applies key schedule to packet spreading and develop a provably optimal key schedule to minimize the bit-despreading cost. We also use efficient FFT-based algorithms for packet detection. We evaluate our techniques and show that they are very efficient both in terms of resiliency against jammers and computationally. Finally, our technique has additional desirable features such as the inability to detect packet transmission by non-source nodes until the last few bits are being transmitted, and the destination-specific transmissions. To the best of our knowledge, this is the first solution that is optimal in terms of communication energy cost with little storage and computation overhead.(Published)[Full Paper]

Abstract: Spread spectrum (SS) communication relies on the assumption that some secret is shared beforehand among communicating nodes in order to establish the spreading sequence for long-term wireless communication. Strasser et al. identified the circular dependency problem (CDP), which arises from the fact that a method designed to communicate secret messages over an insecure channel requires a safe medium to pre-share secret for initialization itself [2]. This problem is exacerbated in large networks where nodes join and leave the network frequently, and pre-configuration of secrets through physical contact is infeasible. In this work, we introduce an efficient and adversary-resilient secret sharing mechanism based on two novel paradigms (intractable forward-decoding, efficient backward-decoding) called Time Reversed Message Extraction and Key Scheduling (TREKS) that enables SS communication with zero pre-shared secret. TREKS is four orders of magnitude more efficient compared to previous solutions to the CDP. Furthermore, our approach can either be used to establish SS keys pre-communication or to operate long-term SS communication without ever needing any keys. Unlike previous solutions, the energy cost under TREKS is provably optimal with minimal storage overhead, and computation cost of at most twice that of traditional SS. We evaluate TREKS through simulation and real-world implementation using an experimental testbed consisting of USRP, GNU Radio, and GPU-equipped nodes. Using TREKS under a modest hardware setup, we can computationally sustain a 1Mbps longterm SS communication spread by a factor of 100 (i.e., 100 Megachips per second) over a 200MHz bandwidth in real-time. (Submitted)[Full Paper]

Abstract:We study the performance of the IEEE 802.11 MAC protocol under a range of jammers that covers both channel-oblivious and channel-aware jamming.We consider two channel-oblivious jammers: a periodic jammer that jams deterministically at a specified rate, and a memoryless jammer whose interfering signals arrive according to a Poisson process.We also develop new models for channel-aware jamming, including a reactive jammer that only jams noncolliding transmissions and an omniscient jammer that optimally adjusts its strategy according to current states of the participating nodes. Our study comprises of a theoretical analysis of the saturation throughput of 802.11 under jamming, an extensive simulation study, and a testbed to conduct real world experimentation of jamming IEEE 802.11 using a software defined radio (GNU Radio combined with USRP boards). In our theoretical analysis, we use a discrete-time Markov chain analysis to derive formula for the saturation throughput of 802.11 under memoryless, reactive and omniscient jamming. One of our key results is a characterization of optimal omniscient jamming that establishes a lower bound on the saturation throughput of 802.11 under arbitrary jammer attacks. We validate the theoretical analysis by means of Qualnet simulations. Finally, we measure the real-world performance of periodic, memoryless and reactive jammers using our GNURadio/USRP aided experimentation testbed. (To Appear)[Full Paper]

Abstract:Coordination (control) channels are essential to the operation of wireless communication networks. Wireless networks are often constrained by the limited radio-frequency bandwidth and energy available to the participating nodes. Therefore, wireless networks use various control mechanisms to conserve energy and allow efficient medium access control. An example is the use of broadcast control channels in celluar networks for sending system access and control information. For example, in a GSM cellular network, multiple control channels are employed for different functionalities [2], [3]. The broadcast channels, such as the Brodcast Control CHannel (BCCH), the Synchronization CHannel (SCH), and the Frequency correction CHannel (FCH), carry the network/cell identity, the structure of the current control channels and synchronization information respectively. The common control channels (CCCH), such as the Access Grant CHannel (AGCH) and the Paging CHannel (PCH) are used for the subscriber channel assignment and paging notifications. A subscriber must first lock to a predefined channel of the nearby base station to monitor the broadcast control channels and send a connection request before getting assigned a dedicated control/traffic channel for initiating calls. Therefore, broadcast control channels/mechanism are at the heart of operating mobile communication system in a resource-efficient way. The extensive use of control channels is not unique to the GSM system, it is a commonly used mechanism in all cellular networks to conserve resources and allow efficient operation of the system. For example, the 4th generation Long Term Evolution (LTE) wireless communication standard uses a Master Information Block (MIB), transmitted on the Physical Broadcast Channel (PBCH), and is necessary for the cell search and synchronization procedure [4]. BCCHs are usually defined by frequency, time, and spreading code. (Submitted)[Full Paper]

Abstract:We investigate the resiliency of IEEE802.11 rate adaptation algorithms (RAA) against smart jamming attacks. We consider several classes of state-of-the-art RAAs that include the SampleRate, ONOE, AMRR, and the RAA used in Microsoft Windows. We model the behavior of these algorithms, and show the existence of very efficient attacks that exploit RAA-specific vulnerabilities as well as the inherent weaknesses that exist in the design of IEEE802.11 MAC and link layer protocol, in particular the overt packet rate information being transmitted, predictable rate selection mechanism, performance anomaly caused by the equiprobability of transmissions among all nodes regardless of the data rates being employed, and finally the lack of interference differentiation from collisions with IEEE802.11 RAAs. In this work, we present algorithms that determine optimal jamming strategies against RAAs within a given jamming budget, and experimentally demonstrate the efficiency of these smart jamming attacks, which can be orders of magnitude more efficient than naive jamming. For example, in the case of SampleRate, eight reactive jamming pulses every second are sufficient to achieve the same network throughput degradation as achieved by a periodic jammer with the jamming energy cost 100 times higher. Some of the RAAs react even worse to smart jamming attacks; ONOE in particular suffers from the phenomenon of congestion collapse where the nodes fail to recover from the lowest data rate even after the jamming stops. Finally, we look at fundamental reasons behind such RAA vulnerabilities and propose a preliminary set of mitigation techniques. We leave the experimental demonstration of the efficiency of the proposed mitigation mechanisms for future work. (Accepted)