A measurement driven, 802.11 anti-jamming system

A measurement driven, 802.11 anti-jamming system K onstantinos P elechrinis ∗ , Ioannis Broustis ∗ , Srikanth V . Krishnam ur th y ∗ , Christos Gk antsidi s † ∗ Unive rsity of Calif or nia, Riverside † Microsoft Research, Cambridge, UK { kp ele, broustis, krish } @cs.ucr.edu christos.gk ant sidis@micros oft.com ABSTRA CT Dense, unm anaged 802.11 deployments t empt saboteu rs into launching jamming attacks by injecting malicio us interfer- ence. No wadays, jammers can be portable de v ices that trans- mit intermittently at low power in o rder to conserve energy . In this pa per , we ﬁrst cond uct exten si ve experimen ts on an indoor 8 02.11 network to assess the ab ility of two phy sical layer fun ctions, rate ad aptation and power control, in miti- gating jammin g. In the pr esence o f a jammer we ﬁnd that: (a) the use of pop ular r ate adap tation a lgorithms can sig- niﬁcantly degrade network p erformance and , (b) ap propri- ate tuning of the car rier sen sing thr eshold allows a transmit- ter to send packets even when b eing jamm ed and enab les a receiver c aptur e the desired signal. Based on our ﬁndings, we build ARES, an Anti-jamming REinforceme nt System, which tunes the parameters of rate adaptation and po wer con- trol to improve the performan ce in the presen ce of jammers. ARES ensures tha t oper ations und er b enign co nditions are unaffected. T o demonstra te the effectiveness and gen erality of ARES, we ev alu ate it in three wire less testbeds: (a) an 802.1 1n WLAN with MIMO nodes, (b) an 802.11a/g mesh network with mob ile jammers a nd (c) an 802. 11a WLAN. W e observe that ARES improves the network throughput across all testbeds by up to 150%. Categories and Subject Descriptors C.2.0 [ General ]: Security and Pr otection; C.2.3 [ Com puter Communication Net works ]: Net w ork Op e rations General T erms Design, Exp erimentation, Meas uremen t, Performance, Security Keyw o rds IEEE 802.11 , Rate Control, Po wer Cont rol, Jamming, MIMO 1. INTR ODUC TION The widespre ad proliferatio n of 802.1 1 wireless net- works makes them an attra ctiv e tar get for sab oteurs with jamming dev ices [1]. Numerous jamming a ttac ks hav e b een rep orted in the recen t pa st [2, 3, 4 ]; this makes the defense aga ins t such attacks very critical. A jammer tr a nsmits either dummy pack ets or s imply elec- tromagnetic e nergy to hinder leg itimate co mm unications on the wireles s medium. A jamming attack ca n cause the following eﬀects in an 802.1 1 netw or k : (a) Due to carrier s e ns ing, co-channel transmitters detect activity on the medium and thus, defer their packet transmis- sions for pr o longed p erio ds. (b) The jamming signal collides with legitimate pack ets at receivers. As a co n- sequence, the thr oughput is signiﬁcantly reduced b e- cause of these eﬀects. F requency hopping tec hniques hav e b een previo usly pro posed for av oiding jammers [5 ] [6]. Such schemes howev er, are not eﬀective in scenar - ios with wide- ba nd jammers [7, 8]. F urthermore , g iv en that 80 2.11 op erates on r elativ ely few frequency chan- nels, m ultiple jamming devices op erating on diﬀeren t channels ca n signiﬁcantly hurt p erformance in spite of using fre q uency hopping [9]. More than that, although F requency Ho pping Sprea d Sp ectrum was av ailable in the initial 802.11 standar d, it was not later included in the 802.1 1a/b/g standards that ar e p o pular today [10]. In this pap er, we ask the question: How c an le gacy 802.1 1 devic es al leviate the eﬀe cts of a jammer t hat re- sides on the same channel as a le gitimate c ommunic ating p air, in re al time? W e address this challenge by de- veloping ARES 1 , a nov el, mea suremen t dr iv en system, which detects the prese nce o f jammers and inv o k es rate adaptation and pow er control str ategies to allevia te jam- ming eﬀects. Clearly , not muc h can be done to mitigate jammers with unlimited resource s in terms o f transmis- sion p ow er and sp ectrum eﬃciency . Note howev er tha t in a plurality of ca s es the jamming device can b e re- source constr a ined, with capabilities s imilar to that of the legitimate device 2 . Portable, battery-op erated jam- mers are typically conﬁgured to transmit int ermittently and so metimes at low p ow er, in order to conserve ener gy and har m the netw or k for extended perio ds of time. Ad- ditionaly , misconﬁguration of “legitimate” dev ices can transform them to a resource-co nstrained jammer [3]. In thes e and similar cases, ARES c an eﬀectively ﬁght against the malicio us entit y , as we discus s later . Our contributions in this pa per are the fo llowing: 1 ARES [p ron. “´ aris”] w as th e go d of war in Greek mythology; w e choose th e name as a symbol of the com bat with jammers. 2 W e implemen t a jamming utility on a commodity 802.11 NIC as described in more detail in Section 3. 1 1. Understanding the im pact of jammers in an 802.11 net work wi th rate/p ow er con trol. First, we p erform an in-depth measur emen t-bas ed exp erimen- tal study on our indo or testb ed, to quantify the impact of jamming when employing rate a nd/ or power control. T o the bes t of our knowledge, there a re no such studies to date. With ra te control, a tr a nsmitter can increa se or lo wer its transmission ra te dep ending on the obser v ed pack et deliv ery ratio (PDR) at the receiver. With p ow er control, no des may incr ease their tra nsmission p ow ers and/or c le ar channel asses s men t (CCA) thres holds [11] in or de r to increase the proba bilit y of successful packet reception. The design o f ARE S is driven by our tw o key exp erimen ta l obser v ations: i) R ate adaptation c an b e c ounter-pr o du ctive: In the presence o f a jammer that is active intermitten tly (and sleeps in b et ween), the use of ra te ada ptation is not always b eneﬁcial. W e conduct exp eriments with three p opular rate a da ptation alg orithms: SampleRate [12], Ono e [13] and AMRR (Adaptiv e Multi Rate Retry ) [14]. With ev ery s c heme, we observe that the use of r ate adaptation may work in favor of t he jammer! This is bec ause, rate adaptatio n wastes a lar ge p ortion of a jam- mer’s s leeping time in order to gradua lly converge to the “b est” rate. W e a nalytically deter mine when ﬁxed r ate op erations may b e prefer able to the use o f r ate adapta- tion. ii) T uning the c arr i er sense thr eshold i s b ene- ﬁcial: W e collect throughput measurements with many diﬀerent tra nsmission p ow ers and CCA thres holds. W e ﬁnd that: (a) In the presence of a jammer, legitimate transmissions with maximum p ow er could lea d to sig- niﬁcant beneﬁts, only when op erating at low data r ates. (b) Increa sing the CC A threshold ca n allow a transmit- ter that is b eing jammed to send pac kets a nd a t the same time, fac ilita te the c aptur e o f pack ets in the pres- ence o f jamming interference; together, these eﬀects can signiﬁcantly re duce the thro ughput degradation. 2. Designing ARES, a no vel an ti -jamming sys- tem. The ab o ve obs erv atio ns drive the design of ARES. ARES primarily cons is ts of tw o mo dules. The r ate c on- tr ol mo dul e dec ide s betw een ﬁxed-r ate a s signmen t and rate adaptatio n, ba sed on channel conditions and the jammer characteristics. The pr imary o b jective of this mo dule is to eﬀectively utilize the p erio ds when a jam- mer is asleep. The p ower c ontr ol mo dule adjusts the CCA threshold to facilitate the tr ansmission a nd the re- ception ( c aptur e ) of legitimate pack ets during jamming. Care is ta ken to av oid starv a tio n of no des due to the cre- ation of a symmetric links [11]. This mo dule is used to facilitate successful communications while the jammer is a ctiv e. Although ra te a nd p o wer co n tro l hav e be e n prop osed as in ter ference allevia tion tec hniques , their be - havior ha s not b een studied in ja mming e nvironments. Our work is the ﬁrst to conduct such a study , as dis- cussed later . 3. Implementing and exp erimen tall y v alidating ARES. W e implement and ev aluate the mo dules of ARE S on real hardware, ther eb y making ARES one of the few anti-jamming system implementations for 80 2 .11 net- works. ARES also contains a jammer detection mo d- ule that incor pora tes a mechanism pro posed previo usly in [15]. T o de mo nstrate the eﬀectiveness and general- it y of our sys tem, we a pply it on three diﬀerent exp er- imen tal netw ork s : a sta tic 802.11 n WLAN with MIMO enabled node s , a n 8 02.11a/g mesh netw ork with mo- bile jammers, and a static 8 02.11a WLAN with uplink TCP traﬃc. Our mea suremen ts demons tr ate that ARES provides p erformance b eneﬁts in all the three netw or k s; throughput improvemen ts of up to 150% are obser v ed. The r emainder of the pap er is structured as follows. In section 2, we provide so me background on jamming and discuss related studies. In section 3, w e describ e our wireless testb ed a nd the exp eriment al metho dology . W e describ e o ur extensive exp eriments to understand the impact of r ate and p o wer control in the presence of a jammer in section 4. In se c tion 5, we cons truct ARES based o n our obser v ations. W e pre s en t our ev aluations of ARES in section 6 . Section 7 discusses the scop e of our study . W e conclude in section 8. 2. B A CK GR OUND AND RELA TED WORK In this sec tio n, ﬁrst we brieﬂy describ e the o peratio ns of a ja mmer and its attac k capabilities. Nex t, we discuss relev ant previo us studies. T yp es o f Jammi ng Atta c ks. Jammers can be dis- tinguished in terms of their attack strateg y; a detailed discussion can b e found in [15]. Non-stop jamming: Constant jammers contin uo us ly emit electromagnetic energy on a channel. Now a da y s , constant jammer s are commercially av ailable a nd easy to obtain [1, 7 ]. While cons ta n t jammers emit no n- decipherable messag es, de c eptive jammer s transmit seem- ingly legitimate back-to-back dummy data pack ets . Hence, they can mislead other no des and monitor ing systems int o believ ing that legitimate traﬃc is b eing sent. Intermittent Jamming: As the name sugge s ts, these jammers are active intermitten tly; the primary goal is to conserve battery life. A r andom jammer typically alter- nates b et ween uniformly-distributed jamming a nd sleep- ing p erio ds; it jams for T j seconds and then it sleeps for T s seconds. A r e active jammer starts emitting energy only if it detects traﬃc on the medium. This makes the jammer diﬃcult to detect. How e ver, implemen ting reactive jammers can be a challenge. F o r the purp oses of this w ork, we prima rily co nsider the random jammer model. Attac kers ar e mo tiv ated in to using a random jammer be cause putting the jammer to sleep intermitten tly can increase its lifetime and decre a se the proba bilit y of detection [15]. F urthermor e, it is the most ge neralized re presen tation o f a jammer; appro pri- ately cho osing the sleep times could tur n the jammer int o a cons tan t jammer or (with high probability) a reac- tive jammer. Mo reov er, reactive jammer s are not e asily av ailable since they are har der to implement a nd require sp ecial exp e rtise o n the part of the a ttac ker. W e dis cuss 2 the a pplicabilit y of ARES with consta n t a nd r eactiv e jammers, in section 7. Related work. Mos t previous studies employ fre- quency ho pping to avoid jammers. F r e quency ho pping, how ever, cannot alleviate the inﬂuence of a wide-ba nd jammer [7, 8 ], whic h can eﬀectively jam a ll the a v a ilable channels. In addition, r ecen t s tudies have shown that a few cleverly-coo rdinated, narrow-band jammers can practically blo ck the who le sp ectrum [9]. Thus, ARES do es not rely on frequency hopping. Studies b ase d on fr e quency hopping: Na vda et al. [5] implement a pro activ e freque nc y hopping proto - col with pseudo - random channel switching. They com- pute the optimal frequency hopping para meter s, assum- ing that the jammer is aw ar e of the pro cedure follow ed. Xu et al. [6] prop ose t wo an ti-ja mming techniques: reac- tive c ha nnel surﬁng a nd spatial retr eats. How ever, their work is on senso r net works which only supp ort very low data rates a nd transmiss ion p ow ers. Gummadi et al. [16] ﬁnd that 802.11 devices are v ulnerable to sp eciﬁc patterns of narr o w - band in ter ference r elated to time re- cov ery , dynamic r a nge selectio n and PLC P -header pro- cessing. They s ho w that due to these limitations, an in- telligent jammer with a 100 0 times weak er signal (than that of the legitimate transce iv er ) can still corrupt the reception of pack ets. In order to alleviate these eﬀects, they prop ose a rapid frequency hopping stra tegy . Other r elevant work: Xu et a l. [15] develop ef- ﬁcient mechanisms for jammer detection at the PHY lay er (for all the 4 types of jammers ). How ever, they do not pro pose any jamming mitigatio n mechanisms. In [17], the s ame a uthors suggest that comp etition str ate- gies, where trans c eiv er s adjust their transmissio n p o wers and/or erro r corr ection co des, might alleviate jamming eﬀects. How ever, they neither pr opos e a n a n ti-jamming proto col nor p erform ev a luations to v a lidate their sug- gestions. Lin and No ubir [1 8] present an analy tical ev al- uation of the use of cryptog raphic in ter le a vers with dif- ferent coding schemes to improv e the robustness o f wire- less LANs. In [1 9], the a uthors show that in the a bsence of erro r-correction co des (as with 802.11 ) the jammer can conserve battery p ow er by destroying only a p ortion of a legitimate pack et. Noubir [20] als o prop oses the use of a combination of dir ectional antennae a nd no de-mobility in order to allev iate jammers . ARES can easily b e used in conjunction with dir ectional antennae or with error correctio n co des. Prior wor k on r ate and p ower c ontr ol: Ra te and power control techniques hav e b een prop osed in the lit- erature, as means of mitigating int erference (e.g. [21, 12, 11 , 22] and the references therein). Ho wever, they do no t account for a hostile jamming environmen t; with these schemes, no des co op erate in o r der to mitiga te the impact of ” legitimate” interference, thereby improving the p erforma nce. On the other hand, ARES is sp ecial- ized tow ar ds ha ndling malicious interference of jammers, which attempt to disrupt ongoing communications. Figure 1: The depl oymen t of our wireless testb ed. 3. EXPERIMENT AL SETUP In this sectio n, we descr ibe our wir e less testb ed and the exp erimen tal methodo logy that we follow. T estb ed Des cription: Our wireless testb ed [23] is deploy ed in the thir d ﬂo or of Engineering Building I I, at the Universit y of California, Riverside. Our testbe d consists of 37 So ekris net48 26 no des [2 4], which mount a Debian Linux distribution with kernel v2.6 , over NFS. The no de lay o ut is depicted in Figure 1. Thirty o f these no des are ea c h equipp ed with tw o miniP CI 80 2.11a/g WiFi cards , a n EMP-86 02 6G with Atheros chipset and an Intel-2915 . The other 7 no de s are equipped with one EMP-8602 6G and one R T2860 ca rd that supp orts MIMO-based (802.11n) commun ications. W e use the MadWiﬁ driver [25] for the EMP-8602 6G cards. W e hav e modiﬁed the Lin ux client driver [26] of the R T2860 to enable STB C (Space Time Blo ck Co ding) s upport. W e use a propr ietary version of the ipw22 00 AP (acces s po in t) and client dr iv er /ﬁrm w are of the Intel-2915 card. With this version we are able to tune the CCA threshold parameter. Exp erimen tal S e ttings and Metho dol ogy: W e exp erimen t with diﬀerent rate adaptation a lgorithms in the presence o f rando m ja mmers. W e also p erform ex- per imen ts with v a rious transmissio n p ow ers of jammers and p o wers/CCA thres holds of legitimate no des. Our measurements encompa ss an exhaustive se t of wireless links, routes of diﬀerent lengths, as well a s static and mobile jammers. W e exa mine bo th SISO and MIMO links. W e exp eriment with three mo des of op eration: 802.11 a/g/n (unless other wise stated throughout this pap er, o ur obs e rv ations a re consistent for a ll three mo des of op eration). The exp eriments are p erformed late at night in order to isolate the impac t o f the jammers by av oiding interference fro m co-lo cated WLANs. By de- fault, all devices (legitimate no des and jammers) set their transmiss ion p o wers to 18 dBm. Implementing a r andom jammer: Our implemen- tation o f a random jammer is based o n a sp eciﬁc conﬁg- uration (CCA = 0 dBm) and a user space utilit y that 3 sends broa dcast pack ets as fast as p ossible. F or the pur- po ses of res earch, we hav e implement ed our own ra ndom jammer on a n 802 .11 legacy device, by se tting the CCA threshold to 0 dBm. B y setting the CCA thresho ld to such a high v alue, we force the device to igno re a ll legit- imate 80 2 .11 signa ls even a fter carrier sens ing ; pa c kets arrive a t the jammer’s circ uitr y w ith p o wers less than 0 dBm (even if the distances betw een the jammer and the legitima te transceivers a re very sma ll). An eﬀective random jammer should b e able to tra ns mit packets on the medium, as fast a s p ossible, during ra ndom active time in terv als. W e develop a user- space soft ware utility with the following functiona lities: • The jammer tra nsmits bro adcast UDP tra ﬃc. This ensures that its packets a re transmitted back-to- back and that the jammer do es not wait for a n y A CK messages (by default the bac koﬀ functionalit y is disa bled in 802.1 1 for broadcas t traﬃc); in other words, this set up a llows the jamming no de to de- fer its back-to-back tr ansmissions fo r the minimum po ssible time (i.e. D I F S + min B ackOf f ). Our util- it y employs r aw so ckets , which allow the constr uc- tion of UDP packets from scratch and the for w ar d- ing of each pack et dir ectly down to the hardware 3 . Note that this implemen tation byp asses t he 802.1 1 pr oto c ol a nd hence, the jammer do es not wait in the back o ﬀ state after each pack et transmission. • Our utilit y schedules uniformly- distributed ra ndom jamming in terv als. The jammer is in the active state fo r a r andom pe r iod o f time, during which it constantly transmits pack e ts back-to-back. It then transits to an idle (sleeping) state for a diﬀere nt, randomly c hosen perio d of time during which it do es not emit energy . The tw o states alternate a nd their durations are computed anew at the b egin- ning of each cycle (a cycle consists of an active and an idle p erio d). W e use a se t of 4 nodes as ja mmers on our tes tb ed; these are equipp ed with Intel-2915 cards which a llo w CCA tuning. T r aﬃc char acteristics: W e utilize the ip erf mea- surement to ol to generate UDP data traﬃc among le- gitimate no des; the pack et size is 150 0 bytes. The du- ration of each exp erimen t is 1 hour. F or eac h exp er- imen t, w e ﬁrst enable ip erf tr aﬃc b et w een legitimate no des, and subsequently , we activ ate the jammer(s). W e consider b oth mesh and WLAN connectivity . W e ex- per imen t with diﬀerent jammer distributions, namely: (a) fr e qu en t jammers , which are a ctiv e a lmo st all of the time, (b) r ar e jammers , which sp end mos t o f their time sleeping, and (c) b alanc e d jammers that hav e sim- ilar av era ge jamming and sleeping times. W e hav e dis- abled R TS/CTS message exchange throug ho ut our ex- per imen ts (a common design decision in practice [27]). 3 Administration priv ileges are required for this op eration. 4. DERIVING SYSTEM GUIDELINES In this section, we descr ibe o ur exp eriment s tow a rds understanding the b ehavioral tr ends of power and rate adaptation techniques, in the presence o f r andom jam- mer(s). Our goa l is to determine if there are prop erties that can b e exploited in order to allevia te jamming ef- fects. W e p erform exp eriments on b oth s ingle-hop and m ulti-hop conﬁgur ations. 4.1 Rate Adaptation in Jamming En vironments Rate a daptation algorithms are utilized to select an appropria te transmission rate as p er the current c hannel conditions. As interference levels incr ease, lower data rates are dynamically c hos en. Since legitimate no des consider jammers as interferers, rate adapta tion will r e- duce the transmissio n ra te on legitimate links while jam- mers a re active. Hence, one could p otentially a r gue that rate control on legitimate links incr eases reliability by reducing rate a nd thus, can provide thro ughput beneﬁts in jamming environments. T o examine the v alidity of this a rgumen t, we exp er- imen t with thr ee diﬀerent, p opular rate a da ptation al- gorithms, SampleRate [1 2], AMRR [1 4] and Ono e [1 3 ]. These algorithms are alre ady implemen ted on the Mad- Wiﬁ dr iv er that we use. F or s implicit y , we ﬁrst co nsider a balanced jammer, which s elects the sleep duration from a unifor m distribution U [1 , 8] and the jamming duration from U [1 , 5] (in sec onds). Details on the exp erimental pr o c ess: W e per- form exp eriment s with b oth sing le-hop a nd multi-hop conﬁguratio ns. F or each exper imen t, we ﬁrst lo ad the particular ra te-con trol Linux-kernel mo dule (SampleR- ate, AMRR or Ono e) o n the wireles s car ds of legitimate no des. W e initiate data traﬃc b et ween the no des and after a ra ndom time, we activ ate the jammer. W e collect throughput measurements on ea c h da ta link once every 500 msec. W e use the following ter minology: 1) Fixe d tr ansmission r ate R f : This is the nominal transmission rate conﬁgur ed on the wire le ss ca rd. 2) Satura te d r ate R s : It is the rate a c hieved when R f is chosen to be the r ate o n the wir eless card. In or der to compute R s , for a given R f , we consider links where the pack et delivery ratio (PDR) 4 is 10 0 % for the particu- lar setting of R f ; we then measure the ra te achiev ed in practice. W e notice that for lo wer v alues of R f , the sp ec- iﬁed rate is actually ac hieved on such links. Howev er, for higher v alues of R f (as a n example R f = 54 Mbps), the achiev ed data ra te is muc h low er due to MAC lay er ov er - heads, such as MAC lay er retra nsmissions [28]. T a ble 1 contains a mapping, derived from measurements o n our testbed, b et ween R f and R s . 3) A ppl ic ation data r ate R a : This is the rate at which the application gener ates data. It is diﬃcult (if not imp ossible) to a prior i determine the b est ﬁx ed rate on a link. Given this diﬃcult y , we 4 W e refer to the application lay er packe t deliv ery ratio, which includes the MA C la yer retransmissions. 4 R f 6 9 12 18 24 36 48 54 R s 6 9 12 18 24 26 27 27 T able 1: The saturated-throughput matrix in Mbps. set R f = { min R f : R f ≥ R a } , which is the maximum rate that is re q uired by the applica tion (we dis c uss the implications o f this choice later ). O ur key obser v a tions are summarized b elow: • Rate adaptation algo rithms p erform p o orly on high-quality links due to the long times that they incur for conv e rgi ng to the appro- priate high rate. • On lossless l inks, the ﬁxed rate R f is b etter, while ra te adaptat ion is b eneﬁcial on lossy links. W e defer deﬁning what co nstitute lossless or lossy links to later ; conceptually , we consider lossles s links to be those links that can achiev e higher lo ng-term thr ough- puts using a ﬁxed transmission r ate R f , ra ther than by applying rate adaptatio n. 4.1.1 Sing le-hop Conﬁgurations Our exp eriments with one-ho p connectivit y inv olve 80 sets o f sender- receiver pa irs and one jammer per pair. W e imp ose tha t a jammer interferes with one link a t a time and that the legitimate da ta links do not interfere with ea c h other . Thus, we pe r form 2 0 diﬀerent sets o f exp erimen ts, with 4 isolated data links and 4 jammers in each exp eriment. Rate adaptation consumes a signiﬁcant part of the jamme r’s slee p ti me, to conv erge to the ap- propriate rate: As so on as the jammer “go es to sleep”, the link quality improv es and thus, the rate con trol algo- rithm sta r ts increasing the ra te pr ogressively . How ever, since the purp ose of a jamming attack is to co rrupt a s many transmis s ions as p ossible, the jammer will typi- cally not sleep for a long time. In such a case , the sleep duration of the jammer will not b e enoug h for the r ate control to reach the highest rate p ossible. T o illustrate this we cho o se tw o links on our tes tbed, one that can sup- po rt 12 Mbps a nd the other that ca n suppo r t 54 Mbps. Figure 2 depicts the results. W e observe that (a) irr e- sp ectiv e of whether SampleRate or a ﬁxed r ate strateg y is used, during jamming the thro ughput dro ps to v alues close to zero since the jammer blo cks the medium for the sender, and (b) the thr oughput achieve d with SampleR- ate is quite low, and much lower than if we ﬁx the r ate to the c onstant value of 12 Mbps. Note that we hav e observed the sa me b ehavior with AMRR and Ono e. Fixed rate assignment outp erforms rate adap- tation on lossl ess links: As alluded to ab ov e, in o rder to ﬁnd the b est rate on a link after the impact of a jam- mer, the r ate adaptation mechanisms gradually increase the r ate, inv oking transmissio ns at all the low e r rates int erim, until the b e st ra te is r eac hed. F or links that can inheren tly suppo rt high rates, this pro cess might consume the sleep pe r iod o f the ja mmer (as sug g ested by the res ults in Figure 2 ). If the b est ra te for a link was known a prior i, at the instance that the jammer go es to sleep, transmissions may be in vok ed at tha t r ate. This would utilize the s le e p p erio d of the jammer more eﬀectively . As observed in Figur e 3, the throughputs achiev ed with ﬁxed rate ass ignmen t ar e m uch higher than those a c hieved w ith rate adaptation on s uc h links . Determining the right tr ansmission r ate p olicy: Implic ations of setting R f = { m i n R f : R f ≥ R a } : Since the application do es not require the link to sus ta in a higher rate, the highest throughput for that a pplica- tion rate is rea c hed either with this c ho ice of R f or with some rate that is low er than R a . If the rate adaptatio n algorithm conv erges to a r ate that results in a thr o ugh- put that is higher than with the chosen R f , then the adaptive rate stra tegy should b e used. If instead, during the jammer’s sleep per iod, the ra te adaptation technique is unable to conv erg e to such a r ate, the ﬁxe d rate strat- egy is be tter. Analy tic al ly determining t he right ra t e: In order to de- termine whether it is b etter to use a ﬁxed or an adaptiv e- rate a pproach for a g iv en link, we p erform a n analysis based on the following pa rameters: 1. The distr ibutio n of the jammer’s a ctiv e and sleep per iods (we call this the jammer’s distribution ). 2. The applica tio n data ra te, R a . 3. The p erformance metric o n the considered legiti- mate link, i.e., PDR, link throughput, etc. 4. The rate ada ptation scheme that is employed, i.e., Ono e, SampleRate, etc. The key scheme-speciﬁc factor is the transitio n time from a low er r a te to the next higher ra te, under conducive conditions. 5. The eﬀe ctiveness of the jammer F , measured by the achiev able throug hput while the jammer is on. The low er the throughput, the more eﬀective the jammer. Let us supp ose tha t the exp ected s le eping duration o f the jammer during a cyc le , is g iv en by E [ t s ] a nd the exp ected p erio d for which it is active, by E [ t j ]. The ex- pec ted dur a tion of a cycle is then E [ t s ] + E [ t j ]. As an example, if the jammer picks its sleeping p erio d fro m a uniform distribution U [ a, b ] and its jamming per iod from U [ c, d ], E [ t s ] and E [ t j ] ar e equa l to b + a 2 and d + c 2 , resp ec- tively . F or simplicity let us as s ume tha t the link-quality metric emplo yed 5 is the PDR. With application data rate R a and ﬁxe d transmission rate R f , the through- put achiev ed during a jammer’s cyc le is: T f ixed = E [ t s ] E [ t s ] + E [ t j ] · P D R f · R s + E [ t j ] E [ t s ] + E [ t j ] · F, (1) 5 Our analysis can b e mo d iﬁed to adopt an y other link-qualit y metric. 5 0 2 4 6 8 10 12 14 0 10 20 30 40 50 60 Throughput (Mbps) Time (sec) Fixed rate 12Mbps Sample rate 12Mbps 0 5 10 15 20 25 30 35 0 10 20 30 40 50 60 Throughput (Mbps) Time (sec) Fixed rate 54Mbps Sample rate 54Mbps Figure 2: Rate adaptation algo ri thms ma y not ﬁnd the b est rate during the slee p p erio d of the jammer. W e sho w cases for 2 diﬀerent links, one with R a = 1 2 Mbps (l eft) and one with R a = 5 4 Mbps (ri gh t). 0 5 10 15 20 25 54 48 36 24 18 12 9 6 Average Throughput (Mbps) Rate(Mbps) Fixed Rate Sample Rate AMRR ONOE Figure 3: Fixed rates outp er- form rate adaptation for high- qualit y li nks, under random jam- ming. ( R a = R f ) where P D R f is the PDR of the link at r ate R f . Recall that the rate achieved in practice with a sp eciﬁed r a te R f is R s . T o co mpute the throug hput with r ate adaptation , we pro ceed a s follows. Let us a ssume that x ( F , R s ) corr e- sp onds to the convergence time o f the rate ada ptation algorithm (sp eciﬁc to the chosen algorithm). W e con- sider the following t wo cases. 1) x ( F, R s ) < E [ t s ] . This case holds when the jam- mer’s sleep dur ation is suﬃcien t (o n average) for the rate control algo rithm to conv er ge to the b est r ate R s . In this scenario, the achiev able thro ughput is: T adapt = [ E [ t s ] − x ( R s )] · R s + X R i y ( R i ) · R i + E [ t j ] · F E [ t s ] + E [ t j ] , where R i ∈ S , S b eing the set of a ll intermediate rates from F to R s . y ( R i ) is the time that the rate control al- gorithm spends at the co rresp onding rate R i . The v a lues of y ( R i ) a re sp eciﬁc to the implementation of the r ate control algo rithm. Note that x ( F, R s ) can b e easily com- puted fr om y ( R i ) b y adding all the individual durations for the rates b elonging to the set S . 2) x ( F , R s ) ≥ E [ t s ] . In this scenario, the average sleep time o f the jammer is insuﬃcient for the r ate control algorithm to conv e rge to the desire d r ate. When the jammer wak e s up, the r a te will aga in drop to low er levels due to increased interference. Here, the throughput that can b e achiev ed during a jammer’s cycle is : T adapt = n X i =1 y ( R i ) · R i + " E [ t s ] − n X i =1 y ( R i ) # · R n +1 + E [ t j ] · F E [ t s ] + E [ t j ] where n = max { k : k X i =1 y ( R i ) ≤ E [ t s ] } . Based on the ab o ve analys is , we deﬁne a link to b e lossy , when T f ixed ≤ T adapt ; the links on whic h T f ixed > T adapt are class iﬁed as loss less links. C le arly for lo ssy links it is better to use the rate adaptation algor ithm. The analysis can b e used to compute P D R T H f , a thresh- old v alue of P D R f below which, a rate adaptatio n stra t- egy p erforms b etter tha n the ﬁxed rate a pproach. In particular, by setting T f ixed = T adapt and so lving this equation, one can co mpute P D R T H f . Based on this, a decision can b e ma de on whether to enable rate a dapta- tion or use ﬁx ed-rate a s signmen t. If the observed PDR is la r ger than the computed thr e s hold, ﬁxed rate sho uld be used; otherwis e, rate adaptation sho uld b e used. V alidation of o ur analysi s : In o r der to v alidate our analysis, we measure P D R T H f on 80 diﬀerent links in the presence of a bala nced jammer. W e then com- pare them aga inst the P D R T H f v a lues co mputed with our analysis. Note here that the analysis itself dep ends on meas ur ed v alues o f cer tain quantities (such a s the jammer distributio n and the function y ( R i )). In this exp erimen t, we consider the SampleRate algorithm, and measure the v alues of x ( F, R s ) and y ( R i ). The jammer’s sleep time follows U [0 , 4 ] and the jamming time follows U [1 , 6]. Figure 4 plots the v alues of function y for diﬀer- ent v alues of R f . In T a ble 2, we compar e the theoretica lly computed PDR thresholds with the ones measured o n our testbed, for v a rious v alues of R f . W e obser v e that the P D R f thresholds computed with our analy sis a re very similar to the o nes measured on our testb ed. Ther e ar e slight discrepancies since our analysis is based on using mea- sured average v alues which may change to so me extent ov er time. W e wish to s tress that while we verify our analysis a ssuming tha t the ja mmer is active and idle for uniformly distributed p erio ds of time, our a nalysis de- pends only on exp ected v alues and is there fo re v alid for other jammer distributions . Finally , Fig ure 5 shows the adv antage of using a ﬁxed r ate approa c h ov er SampleR- ate for v ar ious PDR v alues and with R f = 5 4 Mbps. W e observe that SampleRate pro v ides higher throughputs only for very low PDR v alues . Next, w e consider tw o extreme ca ses of jamming: fre- quent and rare jammers (see section 3). The distribu- tions tha t we use in our exp erimen ts for these jammer s are shown in T able 3. Note that by choosing the jam- mer’s sleeping and jamming time from distr ibutions lik e the one o f the frequen t jammer, we essentially co nstruct a constant ja mmer . With frequent jammers, the diﬀer- 6 0 5 10 15 20 25 30 35 40 0 2 4 6 8 10 12 14 Rate (Mbps) Time(sec) 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps Figure 4: Measured con ver- gence times of the MadWiﬁ SampleRate algorithm, for the diﬀerent application data rates. -5 0 5 10 15 0 0.2 0.4 0.6 0.8 1 Throughput gain (Mbps) PDR Figure 5: Throughput gain of ﬁxed rate Vs. SampleR- ate, for v arious li nk qualities and for application data rate of 54 Mbps. 0 5 10 15 20 25 30 54 48 36 24 18 12 9 6 Average Throughput (Mbps) Rate(Mbps) Fixed Rate Sample Rate Figure 6: The p erformance with rare jammers is aligne d with our observ ations for the case with balanced jamm e rs. ( R a = R f ) R f Measured P D R T H f Analytical P D R T H f 6 0.82 0.83 9 0.52 0.55 12 0.40 0.41 18 0.26 0.27 24 0.19 0.21 36 0.19 0.20 48 0.17 0.185 54 0.15 0.185 T able 2: P D R f thresholds ence in the p erformance b e t ween ﬁxed r a te assignment and rate adaptation is lar ger, while for a rar e jammer it is s maller. This is b ecause with r are jamming, rate adaptation will hav e more time to conv erg e and there- fore often succeeds in achieving the highest rate pos s ible; one obser ves the opp osite eﬀect when we ha ve a frequent jammer. The res ults ar e plotted in Figur es 6 a nd 7. - Sleep time (sec) Jamming time (sec) Balanced U[1,8] U[1,5] Rare U[1,5] U[1,2] F requent U[1,2] U[1,15] T able 3: The jamming distributi ons that we use in our exp eriments. 4.1.2 Ra ndom J amming in Multi-hop T opologies Next, w e examine the impact of a ra ndo m ja mmer on the end-to- end throug hput o f a multi-hop pa th. W e e x - per imen t with 15 diﬀerent r outes on our testb ed. W e ﬁx static routes o f v a rious lengths (from 2 to 4 links per route) utilizing the r oute Unix to ol in o rder to mo dify the routing tables of no des. W e place a jammer such that it aﬀects one o r mo r e links. Along each r oute, links that a re no t a ﬀected by the jammer consistently use a rate adapta tio n algor ithm. On the links that ar e su b- je ct to jamming, our analysis dictates the de cision on whether to use ﬁx e d or adaptive r ate assignment. W e measure the end-to-end thro ughput on the route. W e show our results for routes on which, in the absence of a jammer, end- to-end throughputs of 6 and 12 Mbps were observed. F rom Figur e 8 we see that the b ehavior with r ate adaptation on multi-hop r outes, in the pr esenc e of a r andom jammer, is t he same as that on a single-hop link . In particula r , with low da ta r ates, a s uﬃcien tly high PDR has to b e sustained ov er the r oute, in order for a ﬁxed ra te appr oach to p erform b etter than rate adaptation. On the o ther ha nd, when r outes s upport high data rates, ﬁxing the rate on the individual links (that are aﬀected by the jammer) as p e r o ur a nalytical framework, provides higher beneﬁts. Cho osing the righ t p ol icy in practice: T o sum- marize our ﬁndings, our analys is demonstra tes that us- ing a ﬁxed rate may b e attractive on loss less links while it w o uld b e b etter to use rate adaptation o n loss y links. How ever, as discussed, determining when to use o ne ov er the other in rea l time during system o p erations is diﬃcult; the deter mina tion requires the knowledge of x ( F, R s ), y ( R i ) and estimates of how o ften the jammer is active/asleep, on av e r age. Thus, we cho o se a s impler practical appro ac h that w e call MRC for Marko vian Rate Control. W e will des c r ibe MR C in detail later (in s ection 5) but in a nutshell, MRC induces memory in to the s y s- tem and keeps track of the feas ible ra tes during b enign jamming-free perio ds; as so on as the jammer goes to sleep, legitima te tr ansmissions a re inv oked at the most recent ra te used during the previous sleeping cyc le of the jammer. W e also p erform oﬄine mea s uremen ts by di- rectly using our a nalytical formulation (with knowledge of the afore mentioned par ameters); these measurements serve a s b enchmarks for ev aluating the eﬃcacy of MRC (discussed in section 6). 4.2 P erformance of Po wer Contr ol in the Pr es- ence of Random Jamming Next, we examine whether tuning power le vels ca n help cop e with the interference injected by a jammer. If we consider a s ingle legitimate da ta link and a jam- mer, incr emen ting the tra nsmission p ow er on the data link should increas e the SINR (signal- to-in ter ference plus noise ra tio) o f the received data pa c kets. Thus, one could argue that increa s ing the transmission p ow er is always bene ﬁc ia l in jamming en vironments [18]. W e v a ry the transmissio n p ow ers of b oth the jammer and leg itima te transce iv er , as well as the CCA threshold 7 0 1 2 3 4 5 6 7 8 54 48 36 24 18 12 9 6 Average Throughput (Mbps) Rate(Mbps) Fixed Rate Sample Rate Figure 7: Fixed rate im- pro ves the p erformance more than rate adaptation at high rates, wi th frequen t jam- mers. ( R a = R f ) 0 1 2 3 4 5 12 6 Average Throughput (Mbps) Rate(Mbps) Fixed Rate Sample Rate Figure 8: Rate adaptation presen ts the same b ehav ior in m ul tihop l inks; it pro- vides lo wer throughput at high rates. 0 0.2 0.4 0.6 0.8 1 (18,5) (18,18) Throughput (%) sustained (P L dBm,P J dBm) 6Mbps 54Mbps Figure 9: Perc en tage of the isolated throughput, for v ar- ious P L and P J com bi nations, for tw o diﬀeren t transm i s- sion rates. of the latter. Note that the jammer’s transmis sion dis- tribution is not very r elev ant in this par t of our s tudy . Our exp ectation is that tuning the p o wer of legitimate transceivers will pro v ide b eneﬁts while the jammer is active. In other wor ds, one c an exp e ct that the b eneﬁts fr om p ower c ontr ol wil l b e similar with any typ e of jammer. W e deﬁne the following: • RS S I T R : The RSSI of the signal of the legitimate transmitter at its receiver. • RS S I RT : The RSSI o f the signal in the r e v er s e direction (the r e c eiv er is now the tra nsmitter). • RS S I J T and RS S I J R : T he RSSI v alues of the jamming sig nal at the leg itimate transmitter and receiver, res p ectively . • RS S I J : The minimum of { R S S I J T , RS S I J R } . • P L and C C A L : The trans mission p ow er and the CCA threshold at leg itimate trans ceiv er s. • P J : The transmission p ow er of the jammer. Our main obser v ations are the following: • Mitig ating jamming eﬀects by i ncremen ting P L is viable at l o w data rates. It is extremely diﬃcult to ov e rcome the jamming in terfer- ence at high rates, simply with p ower adap- tation . • Increasing C C A L restores (in m ost cases) the isolated throughput (the throughput achiev ed in the absen ce of jamm ers). W e presen t o ur exp erimen ts and the interpretations thereo f, in what follows. 4.2.1 Increasing P L to co pe with jamming interfer- ence Increasing P L will incr ease the SINR a nd one might exp ect that this would r educe the impact of jamming int erference on the thro ughput. In our exp erimen ts we quantify the gains from employing suc h a “brute-fo rce” approach. Details on the exp erimental pr o c ess: W e per fo rm measurements on 80 diﬀerent links a nd with 4 jammers. W e consider diﬀerent ﬁxed v a lue s for P J (from 1 dBm to 1 8 dBm). F o r each of these v alues we v ary P L be- t ween 1 and 18 dBm and obser v e the throug hput in the presence of the jammer, for all p ossible ﬁxed tra nsmis- sion rates . F or each chosen pair o f v alues { P L , P J } , we run 60-minute r epeated exp eriments a nd collect a new throughput mea suremen t once every 0.5 seconds. Both end-no des of a legitimate link use the same transmission power. The combination of high P L and l ow data rate helps mitigate the i mpact o f low-p ow er jammers. W e ex periment with many diﬀerent loc a tions of the jam- mers. Our measurements indicate that when high trans- mission rates a re used, increasing P L do es not help al- leviate the impact of jammer s. Sample results ar e de- picted in Figure 9. In this ﬁgur e , we plo t the p ercentage of the iso lated throughput a c hieved in the presence of jamming, for t wo r e pr esen ta tiv e co m binations of P L and P J and for 2 diﬀerent rates. In our exp erimen ts on the 80 considered links, ther e wer e no links wher e incr ement- ing P L incr e ase d the thr oughput at high data r ates, even with very low jamming p owers. While there could ex- ist cas e s wher e incrementing P L could yield b eneﬁts a t high rates, this was not o bserved. In contrast, we ob- serve that with lo w data ra tes and when P J is low, data links can ov er come jamming to a large extent b y increa s- ing P L . Figure 10 depicts a nother r epresent ative subset of o ur meas uremen t results where all legitimate no des use P L =18 dBm, while P J is v a ried b et w een 1 a nd 18 dBm. W e observe that the combination of high P L with low da ta r ate helps overcome the impa ct of jamming, when P J is low. Note a lso that when P J is high, it is extremely diﬃcult to achieve high av er age throughput. The a b ov e obse rv ations can b e explained by taking a careful lo ok at the following tw o ca s es: Str ong jammer : Let us cons ider a jammer s uc h that RS S I J > C C A L . This can result in tw o eﬀects: (a) The sender will sens e that the medium is constantly busy and will defer its pa c ket tr ansmissions for pro lo nged per iods of time. (b) The signals of bo th the sender and the jam- 8 0 0.2 0.4 0.6 0.8 1 0 2 4 6 8 10 12 14 16 18 Throughput (%) P J (dBm) 6 Mbps 9 Mbps 12 Mbps 18 Mbps 24 Mbps 36 Mbps 48 Mbps 54 Mbps Figure 10: P e rcen tage of the isolated throughput in the presence of a balanced jam- mer for v arious P J and P J v alues and data rates. Figure 11: P e rcen tage of the isolated throughput in the presence of a balanc ed jam- mer Vs. RS S I J , for C C A L = –80 dBm. Figure 1 2: P ercen tage of the isolated throughput, for v ar- ious R S S I J v alues , and for C C A L = – 50 dBm. 0 0.2 0.4 0.6 0.8 1 -80 -75 -70 -65 -60 -55 -50 -45 -40 Throughput (%) CCA(dBm) P L 20dBm P L 15dBm P L 10dBm P L 05dBm Figure 1 3: P ercen tage of the isolated throughput, for v ari- ous C C A L v alues and v arious P L v alues . P J = 2 0 dBm. 0 0.2 0.4 0.6 0.8 1 -40 -80 Throughput (%) CCA(dBm) Figure 14: Careful CCA adaptation signiﬁcant ly improv es the end-to-end throughput along a route. 0 5 10 15 20 25 54 48 36 24 18 12 9 6 Average Throughput (Mbps) Rate(Mbps) Fixed Rate Sample Rate MRC with K=3 MRC with K=30 Figure 15: MR C outp er- forms curren t rate adapta- tion algorithms, esp ecially for hi gh v al ue s of K . mer will arrive at the re ceiv er with RSSI v alues higher than C C A L . This will result in a pa c ket co llision at the receiver. In bo th case s, the throughput is degraded. Our measurements show that it is not p ossible to miti- gate str ong jammers simply by incr e asing P L . We ak jammer : Let us supp ose that the jammer’s signals ar riv e with low RSSI at legitimate no des. This may b e either due to energ y-conserv ation strategie s im- plement ed by the jammer causing it to use low P J (e.g., 2 dBm), or due to p oo r ch annel conditions betw een a ja m- mer a nd a legitimate transceiver. At high transmissio n rates, the SINR required for the succes sful deco ding o f a pack et is larger than what is re q uired at low rates (shown in T a ble 4) [11]. Our throughput measurements show that even in the presence o f weak ja mmers, the SINR requirements a t high tra nsmission rates are typically not satisﬁed. How ever, since the SINR requirements at low er data rates ar e less stringent, the c ombination of high P L and low r ate, pr ovides signiﬁc ant thr oughput b eneﬁt s . Data Rate 6 9 12 18 24 3 6 4 8 54 SINR (dB) 6 7.8 9 10.8 17 18.8 24 24.6 T able 4: SINR le vels required for successful pac k et deco ding, in 802. 1 1a/g. 4.2.2 T uning C C A L on single-hop settings Next, we in vestigate the potential of a djusting C C A L in conjunction with P L . Implementation and exp erimental details: F or these exp eriments we exclusively use the Intel-2915 cards; these ca rds allow us to tune the CCA thr eshold. W e ha ve mo diﬁed a prototype version of the AP/client driver, in order to p erio dically collect measurements for R S S I T R , RS S I RT and R S S I J . W e c onsider 80 AP-clie nt data links, with traﬃc ﬂowing from the AP to the client. As befo re, we divide the 80 data link s into 20 sets o f 4 iso - lated links. W e use Intel’s proprie tary rate adaptation algorithm, which has been implemented in the ﬁrmw a re of the Intel-2915 car ds. W e measure the achieved data throughput for diﬀerent v alues of P L and C C A L . B oth no des of a data link use the same p o wer and CCA thre sh- old v a lues. T uning the CCA thres h o ld is a p oten ti al jam- ming m itigation tec hnique. T o b egin with, we p er- form throughput mea suremen ts with the default C C A L v a lue (-80 dBm), a nd with v a rious RS S I J v a lues. W e observe from Figure 11 that when R S S I J < C C A L , data links a chieve high thro ughputs. This is b ecause signa ls with RSSI < C C A L are ignored by the tr ansceiver’s hardware. In par ticular, (a) such signals do not r en- der the medium busy , and (b) r e ceiv er s are trying to latch onto signa ls with RSSI > C C A L , while other sig - nals are co nsidered to b e background no ise. Moreov er , even when R S S I J is slightly lar ger than C C A L , we still observe decent thr oughput achiev ements for the ca ses wherein da ta links op erate at high SINR regimes. These measurements imply that the ability to tune C C A L can 9 help receive data pack e ts correctly , even while jammer s are active. In order to further ex plo re the p otential of s uch an approach, we v a r y C C A L from - 75 to -30 dBm on ea c h of the considered 80 links. Figure 12 depicts the re- sults for the ca se where C C A L is eq ual to -50 dBm.W e observe that i ncr e asing C C A L r esults i n signiﬁ- c antly higher data thr oughputs, even wi th quite high RS S I J values. Mo re sp eciﬁcally , from Figure 12 we obser v e that when R S S I J is low er than C C A L , links can a c hieve up to 9 5% of the throughput that is achiev ed when the link op erates in isolatio n (jamming- free). When R S S I J ≈ C C A L , data links still achiev e up to 7 0% of the jamming-free throughput (capture of data packet s is still p ossible to a sig niﬁcan t e x ten t). As one might exp ect, if R S S I J ≫ C C A L , there ar e no p er- formance b eneﬁts. Our observ atio ns also hold in some scenar io s where, P J > P L . Figure 1 3 pr esen ts the results fr om o ne such scenario. W e obser v e that appropriate CCA settings can allow legitimate no des to exchange tra ﬃc eﬀectiv ely , even when P J ≫ P L . This is p ossible if the link co ndi- tions b et ween the jammer and the leg itima te transceivers are po or and result in low R S S I J . Note here that one cannot incr ease C C A L to ar bitrarily high v a lues on le - gitimate no des. Doing so is likely to compromise con- nectivity b etw een no des or degrade the thro ughput due to failure o f ca pturing pa ckets as seen in Figure 13 for P L = 5 dB m a nd P L = 1 0 dB m . 4.2.3 T uning C C A L in multi-hop conﬁgu rati ons W e p erform exp eriments with v ar ious CCA thresholds along a ro ute. Prev io us studies ha ve shown that in order to av oid s tarv a tio n due to asymmetric links, the trans- mission p ow er and the CCA threshold need to b e jointly tuned for all no des of the same co nnec ted (sub)net work [11]. In particula r, the pro duct C = P L · C C A L m ust be the sa me for a ll no des. Given this, we ensure that C is the sa me for all no des that a re par t of a route. In particular, we set P L to b e equal to the maximum p os- sible v alue of 20 dBm on a ll no des of a r oute; for ea c h run, C C A L is therefore set to b e the same on all of the no des on the route. Thr oughout o ur ex p eriments with m ulti-hop tra ﬃc, no des on one ro ute do not in terfere with no des that are on other routes. In scena rios where no des b elonging to diﬀerent routes interfere with each other, if all no des use the s a me P L , their C C A L v a lues m ust b e the sa me [11], [29]. How ever, we did not ex- per imen t with such scenarios given that our ob jective is to isolate the impact of a jammer and not to examine int erference b et ween co existing sessions in a netw ork . W e exp eriment with the sa me mu lti-hop settings a s in section 4.1.2. Figure 1 4 pre sen ts the results observed on one o f our routes. W e observe tha t careful CCA tuning can provide signiﬁca nt av e r age end-to -end throughput bene ﬁts alo ng a route. 5. DESIGNING ARES In this section, we design our system ARES based on the o bserv a tions fro m the previo us section. ARES is comp osed of tw o main mo dules: (a) a ra te mo dule that decides b etw een ﬁx e d or adaptive-rate assignment, and (b) a p ower c ontr ol mo dule that facilitates appropr iate CCA tuning on legitimate no des. Rate Mo dule i n AR ES: As discuss ed in section 4.1, our exp eriments with three p opular r ate a daptation al- gorithms show that the conv er gence time of the a lgo- rithms aﬀects the link p erformance in r andom-jamming environmen ts. This conv e r gence time is large ly imple- men tation sp eciﬁc. As an example, our exp erimen ts with bo th SampleRate and O noe s ho w that in many cases it takes more tha n 10 sec for b oth algorithms to co n verge to the “b est” rate; [30 ] re p orts similar obser v ations . The rate mo dule in ARES decides on whether a ﬁxed o r a n adaptive-rate a ppr oach should be applied. MR C: Markovian R ate Contr ol: MRC is an algorithm– patch that can b e implemented o n top of any rate con- trol algo rithm. MRC is motiv ated by our analys is in section 4. How ever, as discusse d earlier, it do es not di- rectly apply the analysis, since this would r equire exten- sive oﬄine measurements (the co llection of which can b e time-consuming) and es timates of the jammer active and sleep p eriods . The key idea that drives MRC is that a rate adaptation algor ithm need not examine the p erfor- mance a t a ll the tra ns mission ra tes during the sleeping per iod o f the ja mmer . The algorithm simply needs to re- mem ber the previously used tra nsmission rate, and use it a s so on a s the jammer goes to sleep. Simply put , MR C in tro duces m emory in to the s ystem. The system keeps tr ac k of past tra nsmission rates and ho ps to the stored highe s t-rate state as so on as the jammer go es to sleep. Since the c hannel conditions may also change due to the v ariability in the environmen t, MRC inv o k es the re-scanning of all r a tes p erio dically , once every K con- secutive sleeping/ jamming cycles . When K = 1 we do not exp ect to hav e any b eneﬁts, since the scanning takes place in each cyc le . Note here that the appro priate v a lue of K dep ends on the en v ir onmen t and the sleep and active pe r iods of the jammer. O ne could ada ptiv ely tune the K v alue. As an example, an a dditiv e incr ease a dditiv e dec r ease strategy may b e used whe r e one would increase the v a lue of K un til a degrada tion is seen. The K v alue would then be decre a sed. The implementation of such a strategy is beyond the scop e of this pap e r a nd will be co nsidered in the future. Implementation details of MRC : The implement ation (a) keeps tra c k of the highest transmiss ion ra te used o ver a b enign time p erio d (when the jammer is asleep) and, (b) applies this rate immediately up on the detection of the next transition fro m the jammer’s active pe riod to the sleeping p erio d. Figure 15 pr esen ts a set o f mea suremen ts with MRC, with in termittent SampleRate in vo cations (o nce every K cycles) for K = { 3 , 30 } . W e obser v e that MRC outp er- forms pur e SampleRate in jamming environments, es- 10 pec ially with larger v alues of K . With small K , the rate adaptatio n algorithm is inv oked often and this re- duces the ach ieved b eneﬁts. F urthermo re, MR C pro- vides thro ughput that is clo se to the maximum achiev- able on the link (whic h ma y be either with ﬁxed or adap- tive rate, dep ending o n whether the link is lossy or loss- less). P ow er Control Mo dule in ARES: As dis cussed in section 4.2, increasing P L is b eneﬁcial at low ra tes; while at high r ates this is not particularly useful, it do es not hu rt either. Since our goa l in this pap er is to prop ose metho ds for ov er c oming the eﬀects of jamming (and no t legitimate) interference, w e imp o se the use of the max i- m um P L by all no des in the presence o f ja mmers. The design of a p o wer control mechanism that in a dditio n takes into a ccoun t the imp osed legitimate interference (due to high P L ) is b eyond the scop e of this pap er. More signiﬁcan tly , our p ow er cont rol mo dule o ver- comes jamming int erference by adaptively tuning C C A L . The mo dule requires the following inputs on each link: • The v alues of RS S I T R , RS S I RT , RS S I J R , and RS S I J T . These v alues ca n b e eas ily o bserved in real time. • An estimation for the shadow fading v a riation o f the channel, ∆. Due to shadow fading, the a bov e RSSI v a lues ca n o ccasionally v ary b y ∆. The v alue of ∆ is dependent on the environment o f deploy- men t. One can p erform o ﬄine measure ments and conﬁgure the v alue of ∆ in ARES. W e deter mine the v ariations in RSSI measurements via exp erimen ts on a la rge set o f links. The measurements indicate that ∆ is approximately 5 dB for our testb ed (a less conserv ative v alue than w ha t is rep orted in [31]). The v alue of C C A L has to b e at least ∆ dB lower than bo th RS S I T R and R S S I RT , to g ua rant ee connectiv ity at all times. Hence, ARES s ets: C C A L = min ( R S S I T R , RS S I RT ) − ∆ , if max ( RS S I J T ,R S S I J R ) ≤ min ( RS S I T R ,R S S I RT ) − ∆ . Otherwise, C C A L is not changed 6 . This ens ures that le- gitimate no de s ar e a lways c onnected, while the ja mmer’s signal is ignor ed to the ex ten t p ossible. Our exp erimen ts indicate that, esp ecially if max ( RS S I J T ,R S S I J R ) ≤ min ( RS S I T R ,R S S I RT ) − 2∆ , the data link can op erate as if it is jamming-free. In order to avoid starv ation eﬀects, the tuning o f the CCA threshold s hould b e p erformed only when no des that participate in pow er con trol belong to the same net work [29]. Unless collo cated netw orks c o op erate in joint ly tuning their CCA (as per our sch eme), our p o wer control mo dule will not b e used. Note that when jam- ming attacks b ecome mo r e prev a le n t, co oper ation b e- t ween co existing netw orks may b e ess e n tial in or der to 6 W e c ho ose not to tune C C A L , unless we are certain th at it can help alleviate jamming interference. ﬁght the attack er s. Hence, in such cases collo cated net- works ca n have an ag r eemen t to join tly increase the CCA thresholds when there is a jammer. Implementation details: Our p ow er control algo- rithm can b e applied in a centralized manner by having all leg itimate no des r e port the r equired RSSI v alues to a central ser v er . The central server then applies the same C C A L v a lue to all no des (of the same connected net- work). The chosen C C A L is the highest p ossible CCA threshold that guar an tees connectivit y betw een le g iti- mate no des. This repo rting requires trivia l mo diﬁcations on the wir eless drivers. W e hav e implemented a central- ized functionality when our netw ork is conﬁgured as a m ulti-hop wireless mesh. In a distributed s etting, our algor ithm is applicable as long as legitimate no des are able to e x c hang e RSSI information. Each no de can then independently deter- mine the C C A L v a lue. T o demonstrate its via bilit y , we implemen t and tes t a distr ibuted version o f the p ow er control mo dule in a 80 2.11a/g WLAN conﬁgur ation. In particular, we mo dify the Intel pro tot yp e AP driver, by adding an extr a ﬁeld in the “Beacon” template. This new ﬁeld contains a matrix of RSSI v alues of neigh b oring jammers and legitimate no des. W e enable the deco ding of rec e iv ed b eacons in the AP dr iv er (they do not read these by default). Assuming that a jammer imp oses al- most the same amount of interference on all devices (AP and clients) within a cell, the AP of the cell determines the ﬁna l C C A L after a series o f iter ations in a manner very simila r to the approaches in [29], [11]. Com bining the mo dules to form ARES: W e com- bine our ra te and p ow er control mo dules to constr uct ARES as s hown in Figur e 16. ARES also includes a jamming detection functionality . T owards this we in- corp orate a mechanism that was prop osed in [15]; this functionality p erforms a consis tency chec k b et ween the instantaneous PDR and RSSI v alues. If the P DR is ex- tremely low while the RSSI is m uch higher than the de- fault C C A L , the no de is c o nsidered to b e jammed. The goal of ARES is to detect jammers a nd apply the individual mo dules as a ppr opriate. ARES applies the power co n trol mo dule ﬁrst, since with this mo dule, the impact of the jammer(s) co uld b e completely ov er c ome. If the rece iver is able to captur e and deco de a ll pack ets in s pite of the jammer’s tra nsmissions, no further ac- tions a r e r equired. Note that even if C C A L > R S S I J , the jammer ca n still aﬀect the link p erformance. This is b ecause with CCA tuning the jamming signal’s p ow er is added to the noise p ow er . Hence, even though the throughput may increas e , the link may no t achieve the “jamming-free per formance” while the jammer is active. If the jammer still has an eﬀect on the netw or k per- formance after tuning C C A L , (or if CCA tuning is in- feasible due to the pres ence of collo cated uncoo pera tive net works) ARES enables the ra te module. Note that the t wo mo dules can op erate indepe ndently and the sy s tem can bypass any of them in case the ha rdw a re/softw are do es no t suppo rt the spe c iﬁc functionality . 11 C > Δ ? CCA = B - Δ CCA Unchanged no OR Po w e r C o n tr o l Mo d u l e 3 4 6 5 C C A tunable ? no ST ART A = max (RSSI JT , RSSI JR ) B = min (RSSI RT , RSSI TR ) C = B - A Jammers detected ? MRC R a te C o n tr o l Mo d u l e CCA RA TE 8 END 9 I s j a mmi n g completely overcome? 7 no Pre se nce of uncooperative networks ? 1 yes no yes yes 2 yes Figure 16: ARES: our An ti-jamm ing Reinforcem e n t System. 6. EV ALU A TING OUR SYSTE M W e ﬁrst ev a lua te ARES by examining its p erformance in three diﬀerent net works: a MIMO-bas ed WLAN, a mesh netw ork in the presence of mobile- jammers, and an 802.11 a WLAN se tting where uplink TCP tr aﬃc is considered. ARES b o osts the throughput of our MIMO WLAN under jamming b y as m uc h as 100%: O ur ob jective her e is tw ofold. Fir st, we seek to obs erv e and understand the b eha vio r of MIMO netw orks in the pres- ence o f jamming. Second, we wish to mea sure the ef- fectiveness of ARES in such settings. T ow a rds this, we deploy a set of 7 no des equipp e d with R alink R T2860 miniPCI cards . Exp erimental set-up: W e examine the ca se for a WLAN setting, since the R T2860 dr iv er do es not cur- rently supp ort the ad-ho c mo de of ope rations. MIMO links with Space-Time Blo ck Co des (STBC) a re exp ected to provide r obustness to signal v ariatio ns , ther eb y re- ducing the av era ge SINR that is r equired for achieving a des ir ed bit er ror rate, a s compare d to a corres ponding SISO (Single-Input Sing le-output) link. W e mo dify the client driver of the car ds to enable 2 × 2 STB C supp ort. This inv olves a dding the line { "HtS tbc", Set HtStbc Pr oc } int o the R TMP PRIV A TE SUPPOR T PROC struct ar- ray , lo cated in os/li nux/sta ioctl. c in the driver. W e consider 2 APs , with 2 and 3 clients ea c h, and tw o jam- mers. F ully-satur a ted downlink UDP tr aﬃc ﬂows fro m each AP to its client s. Applying ARES on a MIMO-b ase d WLAN: W e ﬁrst run exp erimen ts without enabling ARES. Interest- ingly , we o bserve that in s pite o f the fact that STB C is used, 802.11 n links present the sa me vulnera bilities as 802 .1 1a o r g links. In o ther words, MIMO do es not oﬀer signiﬁca nt b eneﬁts b y itself, in the prese nc e of a jammer. This is due to the fact that 8 02.11n is still employing CSMA/CA a nd as a result the jamming sig- nals ca n render the medium busy for a MIMO no de a s well. Mor eo ver, for STBC co des to work eﬀectiv ely and provide a reduction in the SINR for a desired bit er- ror rate (BER), the sig nals received on the t wo antenna elements will hav e to exper ience indep endent multipath fading eﬀects. In other words, a line of sight or dominant path must b e absent. How ever, in our indo or testb ed, given the pro ximit y of the comm unicating transceiver pair, this may not b e the case. Thus, little diversity is achieved [3 2] a nd do es not suﬃce in c oping with the jamming eﬀects. Next, w e apply ARES and observe the behavior. The path that ARES follows (in Fig ure 16) is 1 → 5 → 7 → 8 → 9. Since the CCA thresho ld is not tunable with the R T2860 cards, ARES derives decisions with reg a rds to rate control o nly . Figure 17 depicts the r esults. W e observe that the conﬁg ur ation with ARES outp e r forms the rate adapta tion scheme that is implemented on the R T2860 car ds in the presence of the jammer , by a s m uch as 100%. Note that higher g ains would b e p ossible, if ARES was able to inv oke the p o wer co n tro l mo dule. In Figure 1 7 we also c o mpare the throughput with MR C aga inst the sug gested settings with our ana lysis (these s ettings allow us to obtain b ench mark mea sure- men ts po ssible with glo bal information). The param- eters input to the analysis are the following: (a) The jammer is ba lanced with a jamming distribution U [1 , 5] and a sleep distribution U [1 , 6 ]. (b) W e exa mine 4 R a v a lues: 13.5, 27 , 40.5 , 54 Mbps. (c) F = 0 Mbps. (d) W e input estimates of the y ( R i ) v alues which are ob- tained via comprehensive oﬄine measur emen ts. (e) The oﬄine measured P DR f . W e obser v e tha t the p erfor- mance with MRC is quite clo se to o ur b enchmark mea- surements. Thes e results show that in spite o f having no informatio n with reg ards to the jammer distribution or the conv ergence times of the rate ada ptation algo- rithms, MRC is able to signiﬁcantly help in the presence of a random jammer. ARES i ncreases the li nk throughput b y up to 150% in a mesh depl o yment with m obile jam- mers: Next, we apply ARES in a n 80 2.11a/g mes h net- work with mobile ra ndo m jammers. W e a lso conside r a freq uen t jammer (jamming distr ibution U [1 , 20] a nd sleeping distribution U [0 , 1]). The ja mmer mov es to- wards the vicinity of the legitimate no des, remains there for k sec o nds, and subs equen tly moves aw ay . F or the mobile jammer we used a laptop, equipp ed with one o f our In tel cards, and c a rried it a round. The power c on tro l mo dule is implemen ted in a centralized manner. ARES increases C C A L in order to ov er come the eﬀects of jam- ming in ter ference, to the ex tent p ossible. In this ca se, due to the a g gressiveness of the co nsidered jammer (pro- longed jamming duration), the rate adaptation mo dule 12 0 5 10 15 20 25 30 35 13.5 27 40.5 54 Average Throughput (Mbps) Rate(Mbps) Benchmark Results Performance with ARES Performance without ARES Figure 17: ARES pro vides signiﬁcan t throughput b eneﬁts in a MIMO net work in the presence of jammers. 0 5 10 15 20 25 30 0 100 200 300 400 500 600 700 Throughput (Mbps) Time With ARES Without ARES Figure 18: ARES pro vides signiﬁcan t throughput i mpro v e- men t in mobil e- jamming scenarios. 0 5 10 15 20 25 30 0 20 40 60 80 100 120 Throughput (Mbps) Time With ARES Without ARES Figure 19: ARES i m- pro ves the client-AP link throughput by 130% wi th TCP traf- ﬁc s cenarios . 0 5 10 15 20 3 APs 2 APs 1 AP Average AP throughput (Mbps) Number of neighbor APs Without ARES With ARES Figure 20: MRC im- pro ves the through- put of nei gh b or legiti- mate devices, as com - pared to SampleRate. do es not provide any b eneﬁts (since ra te control helps only when the jammer is sleeping). In this sce nario, ARES follows the pa th: 1 → 2 → 3 → 4 → 6 → 7 → 8 → 9. Figure 1 8 depicts thr oughput-time traces, with and without ARES, fo r a n arbitrar ily chosen link and k ≈ 200 . The use o f ARES tremendous ly incr e a ses the link throughput during the jamming p e riod (b y as muc h as 15 0 %). W e have observed the same b ehavior with a distributed implementation o f the p ow er cont rol module in an 802.1 1a WLAN setting. ARES improv es the total AP throughput by up to 13 0% wi th TCP traﬃc: Next, we a pply ARES on a 80 2.11a WLAN. F or this exp erimen t, w e use nodes equipp e d with the In tel-291 5 cards . W e consider a set- ting with 1 AP a nd 2 clients, where clients ca n sense each others’ trans missions. W e place a balanced jammer (jamming distr ibutio n U [1 , 5] and sleeping U [1 , 8]) such that all 3 leg itimate no des can s ense its presence. W e en- able fully-saturated uplink TCP tr a ﬃc from all clien ts to the AP (using ip erf ) and we mea sure the total through- put a t the AP , once every 0.5 sec. I n this sce na rio, ARES follows the path: 1 → 2 → 3 → 4 → 6 → 7 → 8 → 9. F r om Figure 19, we observe that the t otal AP thr ough- put is impr ove d by up to 130% during the p erio ds that t he jammer is active . T he b eneﬁts are less a pparen t when the jammer is sleeping b ecause TCP’s own cong estion control algorithm is unable to fully exploit the a dv a n- tages oﬀered by the ﬁxe d rate strateg y . Applying MRC o n an AP improv es the through- put of neig h b or APs b y as m uc h as 23%: With MR C, a jammed no de utilizes the lo west rate (when the jammer is active) a nd hig he s t rate (when the jam- mer is s leeping) that provide the maximum long -term throughput. With this, the jammed no de avoids exam- ining the intermediate rates and, as we showed ab o ve, this increases the link throug hput. W e now examine how this ra te adaptation stra tegy a ﬀects the p erformance o f neighbor leg itimate no des. W e per form expe rimen ts on a top ology consisting of 4 APs and 8 clients, with 2 client s asso ciated with each AP , all s et to 80 2.11a mo de. A bal- anced jammer with a jamming distribution U [1 , 5] and a sleep distribution U [1 , 6 ] is placed such that aﬀects only one of the APs. Only the aﬀected AP is running MR C; the rest of the APs use SampleRate. W e activ ate diﬀerent num b ers of APs at a time, a nd we enable fully- saturated downlink tra ﬃc from the APs to their clients. Figure 20 depicts the av er a ge total AP throughput. In- terestingly , we obser v e that the use of MRC on jamme d links impr oves t he p erformanc e of neighb or APs that ar e not even aﬀe cte d by the jammer . This is b ecause the jammed AP do es no t send any pack e ts using intermedi- ate bit rates (such as with the default op eration of rate adaptation alg orithms). Since MRC av oids the tr ans- mission of pack ets a t low e r (that the highest s ustained) bit rates, the jammed AP do es not o ccup y the medium for as prolong ed p erio ds a s with the default ra te con- trol techniques; the tra nsmission of pa c kets at the high rate (while the jammer is a sleep) takes less time. Hence, this pr o v ides more opportunities for neighbo r APs to access the medium, thereby increas ing the AP thro ugh- put. Sp eciﬁcally , we observe that the throughput o f one neighbor AP is impr o ved by 2 3% (when the to polog y consists of only 2 APs, one of which is jammed). As we further incre ase the num b er of neighbor APs , the ben- eﬁts due to MRC are less pronounced, due to incr eased conten tion (Figure 20). W e elab orate of the eﬃcacy of MR C in the following se c tion. ARES conv e rges relativ e ly quick ly: Finally , we per form exp eriments to asses s how quickly the distributed form of ARES con verges to a r ate and pow er control setting. In a nutshell, o ur implementation has demo n- strated that the net work-wide co n vergence time of ARES is relatively small. With MRC, the rate control mo dule can very rapidly make a decision with regards to the rate setting; a s so on as the jammer is detected, MR C applies the appropr iate stored low est and highest rates. With regar ds to the conv ergence o f the p ow er control mo dule, recall that our implementation involv es the dis- semination of the c o mputed CCA v alue through the p e- rio dic tr ansmission o f b eacon frames (one b eacon frame per 10 0 ms ec is transmitted with our ipw2200 driver) [29]. As one might exp e c t, the jammer’s signal may col- lide with beac o n frames, and this makes it more diﬃcult for the pow er con tro l mo dule to c o n verge. Note also 13 that a s rep orted in [29, 33], b eacon tra ns missions are not always timely , esp ecially in conditions o f hig h load and p oo r-quality links (such as in jamming scena rios). W e mea sure the net work-wide co n vergence time, i.e., the time e la psed from the moment that we activ a te the jam- mer until all legitimate devices have adjusted their CCA threshold as p er our p ow er control scheme. First, we per form mea suremen ts o n a m ulti-hop mesh top ology consisting o f 5 AP s and 10 clients (2 clients p er AP , all equipp e d with the Intel 2915 car ds). In order to hav e an idea ab o ut whether the obser v ed conv erg ence time is sig- niﬁcant, we also per form ex periments without jammers, wherein we manually inv oke the power control mo dule through a user-level so c ket int erface on one of the APs. W e obser ve that the conv er gence time for the sp eciﬁc setting is approximately 1.2 sec. Then, we activ ate a de c eptive jammer in a close proximit y to 2 neighbor APs (MR C is disabled; the jammer a ﬀects only the 2 APs). T a ble 5 contains v ar ious average conv er gence times for the sp eciﬁc setting and for diﬀerent P J v a lues. P J (dB) Con v ergence time (sec) 1 1.8 2 2.4 3 2.8 4 3.5 T able 5: Av erage con vergence times (in s ec) for diﬀerent P J v alues . W e obser v e that even tho ug h the conv er gence time in- creases due to jamming, it still remains rather short. F ur thermore, we p erform extensive exp eriments with 8 APs, 19 c lie n ts and 4 balanced jammers with P J = 3 dBm, all unifor mly deplo yed. W e obs e rv e that in its distributed for m the p ower control module conv erg es in approximately 1 6 se c in our net work-wide exp erimen ts. Although one may exp ect diﬀeren t (lo wer or higher) con- vergence times with diﬀerent ha rdw a re/softw are and/or mobile jammer s, these results s ho w that in a sta tic top ol- ogy the power control mo dule conv erge s rela tiv ely quickly . 7. SCOPE OF ARES F r om our ev aluations , it is eviden t that ARES ca n pr o - vide p erformance b eneﬁts in the pr esence of jamming , even with other wireless technologies, and b oth in s ta tic and dynamically changing environment s. In this section, we discuss some design choices and the a pplicabilit y re- quirements of ARES. ARES do es not r e qui r e additional c ompli c ate d har dw ar e or softwar e functionaliti es: The tw o mo d- ules that constitute ARES ar e relatively ea sy to im- plement in the driv e r /ﬁrm ware of co mmodity wireless cards, and do not require any ha rdw a re changes. The only softw ar e mo diﬁcation neede d in the ﬁr m ware in- volv es the CCA tuning functionality . Spec iﬁc a lly , it should be pos sible to c hange the CCA threshold a s per the commands sent throug h a driver-ﬁrmw are so ck et inter- face. T o facilitate a distributed WLAN implementation of ARES, the AP driver needs to be modiﬁed to read the new Beac on template from the Beacons received fro m neighbor co -c ha nnel APs. Finally , clients need to apply the p ow er and CCA settings determined by their aﬃli- ated AP . On the eﬀe ctiveness of MRC: Our ana ly sis pro- vided in s ection 4 is an accurate to ol that decides b e- t ween the use of a ﬁx e d r ate o r a rate adaptatio n s trat- egy . How ever, a pplying the ana ly sis in a r eal system is quite challenging, for v a rious rea sons. In particular, as discussed earlier the analysis requir es a se t of inputs which may not be re adily av aila ble . If the analysis were to b e applied in real time, ARES would need to obser v e these v alues on the ﬂy and inv oke the rate mo dule when- ever signiﬁcant, non-temp oral changes ar e o bserved. It is also diﬃcult to der iv e the jammer’s distribution acc u- rately and quickly . Such requirements ma k e the appli- cation of the analys is somewhat infeasible in re al-time systems. F urthermor e, the ana lysis can acco un t for the presence of one jammer only . In s c enarios with multi- ple jammers, it cannot de c ide b etw een ﬁx ed or adaptive rate. In contrast, o ur more practical scheme MR C does not need any inputs. It ca n op erate eﬃciently even with m ultiple jammer s. Note tha t MRC in its cur ren t for m takes into account the time 7 that has e la psed s ince the last time tha t rate co n trol was in voked. The policy is to inv oke the ra te adapta tio n stra tegy after p erio dic in ter - v a ls. The optimal rate a t which rate a daptation should be inv oked depends on the temp oral v ariability of the channel. In particular, to pe rform this optimally , ARES would need to measure (or estimate) the coherence time τ of the channel (time for which the channel r emains unch anged [34]) and inv oke the r ate control algorithm every τ secs. While this is not possible with current 802.11 har dw ar e, it may be p ossible in the future [3 4]. Alternatively ARES could employ a learning strategy a s discussed in Section 5. Enhancing the rate cont rol mo d- ule to address these issues is in our future plans. ARES wi th r e active and c onstant jammers: F or the most pa rt in this work we cons ide r ed v arious types of random jammers. With co nstan t ja mmers, r ate adapta- tion is not exp ected to provide beneﬁts, since the contin- uous jamming interference does not allow the use of high rates. Nevertheless, rate control (even as a s t andalo n e mo dule) is exp ected to provide beneﬁts in the pr esence of reactiv e jamming. In pa rticular, let us consider a link consisting of legitimate no des A and B. The rea c - tive jammer J needs to sense the ongoing transmissio n and quickly transmit its jamming signal. If we deno te by t f light , the ﬂight time of the legitimate packet and with t sense the time nee ded for J to sense this pack et, then the probability of succesful pack et c orruption 8 can 7 In its current form, this time is in terms of the number of jamming cycles; this can b e easily mo diﬁed to use more generic time units. 8 W e assume an optimal reactive jammer, i.e., one which is able to jam at the exact time instance when it senses a legiti- mate pac ket (b est case scenario for the adversary). In reality , this will not b e the case. 14 be calcula ted as: P j am = P ( t sense < t f light ). Assum- ing that t sensing is uniformly dis tr ibuted at the interv a l [0 , D I F S ] 9 we ge t: P j am = t f light Z 0 1 D I F S dt = t f light D I F S = # by tes/pack et rate · D I F S (2) F r om Eq. 2 it is clear that thro ug h the use of high bit rates and/ o r reduced pack et sizes the pro babilit y of succesful r eactiv e jamming ca n be decrea sed. How ever, there is a tr a deoﬀ b etw een success ful reception and de- creased jamming proba bilit y that needs to be examined more carefully . Finally , the pow e r control mo dule of ARES, can be useful in the pr esence of b oth constant (as shown in the pr evious section) and reactive jamming. 8. CONCLUSIONS W e des ign, implement and ev aluate ARES, a n anti- jamming system for 802.1 1 netw o rks. ARES has b een built based on observ ations from extensive meas uremen ts on a n indo or testb ed in the presence of r andom jammers, and is primarily comp osed of tw o mo dules. The p ower c ontr ol m o dule tunes the CCA thresholds in order to al- low the transmission a nd ca pture of legitima te pack ets in the pr esence of the jammer’s s ignals, to the extent po ssible. The r ate c ont r ol mo dule decides b et ween ﬁxed or ada ptiv e-r ate assig nmen t. W e demonstrate the e ﬀec- tiveness o f ARES in three diﬀerent deployments (a) a 802.11 n based MIMO WLAN, (b) a mesh netw or k in- fested with mo bile ja mmers, and (c) a 802.1 1a WLAN with uplink TCP traﬃc. ARES ca n b e used in con- junction with other jamming mitigation techniques (such as frequency hopping or direc tio nal antennas). Ov er all, the application o f ARES leads to signiﬁcant p erformance bene ﬁts in jamming environments. Acknowledgmen ts The authors would like to thank Ralink T echnologies for providing us the Lin ux source driver for the R T28 60 AP and Intel Research, fo r providing us with the prototype ﬁrmw are of ipw2200 AP . 9. REFERENCES [1] SESP jammers. htt p://www.sesp.com/. [2] Jammi ng attac k at hack er conference. h ttp://ﬁndarticles.com/p /articles/mi m0EIN/ is 2005 August 2/ai n1484156 5. [3] T ec h w orld news. http://www.tec hw orld.com/mobili ty/ news/index.cfm?newsid=10941. [4] R F Jamming Att ac k. h ttp://manageengine.adv ent net.com/ products/wiﬁ-manager/rfj amm ing-atta c k.h tml. [5] V . Navd a, A. Bohra, S. Ganguly , and D. Rubenstein. Using Channel Hopping to Increase 802.11 Resili ence to Jamming At tac ks. In IEEE INFOCOM mini-co nfer enc e , 2007. [6] W. Hu, T. W o od, W. T rapp e, and Y. Zhang. Channel Surﬁng and Spatial Retreats: Defenses Against Wireless Denial of Service. In ACM Workshop on Wir eless Se curity , 2004. 9 This is a reasonable assumption to make since the protocol allo ws for a DIFS p eriod in order to sense any transmission. [7] ISM Wide-band Jammer s. h ttp://69.6.206.22 9/e-commerce-solutions-catalog1 .0.4.html. [8] ISA: Users f ear wireless net works for con trol . h ttp://lists.jammed.com/ISN/2007/ 05/0122.h tml. [9] K. P el echrinis, C . Koufogiannakis, and S.V. Krisnamurth y . Gaming the Jammer: Is F requency Hopping Eﬀective ? In WiOpt , June 2009. [10] IEEE Std 802.11g Pa rt 11: Wir eless LAN M edium Access Con tr ol (MAC) and Phy sical La yer (PHY) sp eciﬁcat ions. 2003. [11] V. Mhatre, K. Papa giannaki, and F. Baccelli. Interference Mitigation through Po wer Control in High Density 802.11 WLANs. In IEEE INFOCOM , 2007. [12] J. Bick et. B i t-rate Selection in Wireless Net works. In MS Thesis, Dept. of Ele ctr. Engin. and Comp. Scienc e, MIT , 2005. [13] Onoe Rate Cont r ol. h ttp://madwiﬁ.org/bro wser/trunk/ath rate/onoe. [14] S. Pa l, S. R. K undu, K. Basu, and S. K . Das. IEEE 802.11 Rate Con trol Algorithms: Exp eriment ation and P erformance Ev aluation in Infrastructure Mo de. In P AM , 2006. [15] W. Xu, W. T rapp e, Y. Zhang, and T. W oo d. The F easibility of Launc hing and Detecting Jamming Att ac ks i n Wireless Net works. In ACM MOBIHOC , 2005. [16] R. Gummadi, D. W etheral, B. Greenstein, and S. Seshan. Understanding and Mitigating the Impact of RF In terf er enc e on 802.11 Netw orks. In A CM SIGCOMM , 2007. [17] W. Hu, K. Ma, W. T r appe, and Y. Zhang. Jammi ng Sensor Net works: Att ac ks and Defense Strategies. In IEEE Network , M a y/June 2006. [18] G. Lin and G. N oubir. On Li nk Lay er Denial of Service in Data Wireless LANs. In Wi r eless Communic ations and Mobile Computing , May 2003. [19] G. Noubir and G. Lin. Low-pow er DoS Attac ks in Data Wireless LANs and Coun termeasures. In ACM MOBIHOC (p oster) , 2003. [20] G. Noubir. On Connectivit y in Ad Hoc Netw ork under Jamming Using Directional Ant ennas and Mobility. In Wir e d/Wir eless Internet Communic ations, V ol. 2957/2004 , pp. 186-200, 2004 . [21] S.W ong, H.Y ang, S.Lu, and V.Bharghav an. Robust Rate Adaptation in 802.11 Wireless Net works. In MOBICOM , 2006. [22] V.Shah and S.V.Kr isnam ur th y . Handling Assymetry in Po wer Heterogeneous Ad ho c N et works: A Cross Lay er Approac h. In IEEE ICDCS , 2005. [23] I. Broustis, J. Eriksson, S. V. Krishnamurth y , and M. F aloutsos. A Blueprint for a M anage able and Aﬀordable Wireless T estbed: Design, Pitfall s and Lessons Learned. In IEEE TRIDENTCOM , 2007. [24] UCR Wir eless testbed. h ttp://net works.cs.ucr.edu/testbed. [25] The M adWiFi driver. ht tp://madwiﬁ-pro ject.org/. [26] R T2860 wireless dri v er. h ttp://www.ralinktec h.com/ralink/Home /Support/Linux.h tml. [27] D. S. J. De Couto, D. Agua yo, J. Bick et, and R . Morri s. A High Throughput Path Metric for MultiHop Wireless Routing. In ACM MOBICOM , 2003. [28] J. C. Chen and J. M. Gilbert. Measured P erf ormance of 5-GHz 802.11a Wireless LAN Systems. In A t her os Comm. White Pap er , August 2001. [29] I. Broustis, K. Papag iannaki, S. V. Krishnamurth y , M. F aloutsos, and V. Mhatre. MDG: Measurement-Driv en Guidelines f or 802.11 WLAN Design. In A CM MOBICOM , 2007. [30] SampleRate Bug. http://madwiﬁ.org/tic ke t/989. [31] S. Zv ano vec, P . Pec hac, and M. Klepal. Wireless LAN Net works Design: Site Syrvey or Pr opag ation Models? In R adio engine ering, V ol. 12, No. 4 , Dec. 2003. [32] H.Jafarkhani. Sp ac e-Time Co ding: The ory and Pr act ic e . Camb ridge Univ er sit y Press, 2005. [33] S. V asudev an et al. F acilitating Access P oin t Selection in IEEE 802.11 Wireless Net works. In ACM IMC , 2005. [34] J. Camp and E. W. Knightly . Mo dulation Rate Adaptation in Urban and V ehicular En vi ronmen ts: Cross- Lay er 15 Implemen tation and Exp erimen tal Ev aluation. In A CM MOBICOM , 2008. 16

A measurement driven, 802.11 anti-jamming system

Original Paper

Comments & Academic Discussion

Leave a Comment

Original Paper

Related Papers

Comments & Academic Discussion

Leave a Comment