Random Access Performance of Distributed Sensors Attacked by Unknown Jammers

In this paper, we model and investigate the random access (RA) performance of sensor nodes (SNs) in a wireless sensor network (WSN). In the WSN, a central head sensor (HS) collects the information from distributed SNs, and jammers disturb the information transmission primarily by generating interference. Two jamming attacks are considered: power and code jamming. Power jammers (if they are friendly jammers) generate noise and, as a result, degrade the quality of the signal from SNs. Power jamming is equally harmful to all the SNs that are accessing HS and simply induces denial of service (DoS) without any need to hack HS or SNs. On the other hand, code jammers mimic legitimate SNs by sending fake signals and thus need to know certain system parameters that are used by the legitimate SNs. As a result of code jamming, HS falsely allocates radio resources to SNs. Code jamming hence increases the failure probability in sending the information messages and misleads the usage of radio resources. We present the probabilities of successful preamble transmission with power ramping according to the jammer types and provide the resulting throughput and delay of information transmission by SNs. The effects of the two jamming attacks on RA performance are compared by numerical investigation. The results show that, compared to RA without jammers, power and code jamming degrade the throughput by up to 30.3% and 40.5%, respectively, and the delay performance by up to 40.1% and 65.6%, respectively.


Introduction
With the development of a wide range of intelligent and tiny wireless sensing devices, wireless sensor networks (WSNs) are being used for many applications in fields such as medicine, industry, defense and smart homes. In addition to these applications, WSNs currently drive Internet of Things (IoT) and machine-to-machine communications. WSNs consist of numerous sensor nodes (SNs) that are usually interconnected through radio frequency (RF) communication links.
Since the signal quality on a wireless medium such as RF is easily degraded by unwanted interference, WSNs are vulnerable to malfunctioning SNs. In WSNs, attackers can create malicious SNs that disrupt the desired wireless transmission by generating interference and noise [1,2], which is called jamming [3]. Jamming attacks severely degrade the performance of WSNs in terms of energy consumption, throughput and delay.
Jamming attacks may be viewed as a special case of denial of service (DoS) attacks, which prevent or inhibit the normal use or management of communications through flooding a network with useless presented in Section 2. In Section 3, we present the success probability of preamble transmission, the throughput and the access delay. We compare RA performances of SNs attacked by power and code jamming with numerical investigation in Section 4. Finally, conclusions are presented in Section 5. The main notations used in this paper are listed in Table A1 in Appendix C.

System Description and RA Procedure
We consider a cluster-tree-based WSN that consists of multiple noncooperative SNs and an HS. SNs measure certain (local, ambient) information and send it to the HS through an RF channel called a physical RACH (PRACH is a well-known term used in 3GPP standards. In this paper, however, PRACH does not imply a specific one used in current standards, but is a generic term that just indicates some physical-layer definitions for RACH described in the following). Every node is assumed to be equipped with a single omnidirectional antenna. We assume that a frame of PRACH is 20 ms long and consists of 15 access slots, as in Figure 1. When an SN has information to send, a frame-long message (referred to as MSG) is assumed to encapsulate the information wholly and to be sent to the HS using PRACH. To send MSG successfully, the SN should complete three steps: transmitting a preamble on PRACH, receiving the AI of the preamble from the HS and sending MSG. These three steps are referred to as a transmission cycle (TC) in this paper. For a TC, the SN starts with preamble transmission (PT). In PT, the SN randomly selects an access code from a set of available orthogonal signature codes and an access slot among the available slots. HS usually broadcasts a list of available codes and slots for the SNs' information. We assume that the preamble is 256 repetitions of the selected orthogonal spreading code, which is 16 chips long. It is noted that no user-specific information is carried by the preamble.
If HS receives the preamble successfully, it sends AI on the downlink (from HS to SN) AI channel (AICH in Figure 1). Unless the SN receives the AI adequately, it retransmits the same preamble again at a higher power level after a random back-off delay. Preamble retransmission will continue up to an allowable maximum number or until the preamble request is successfully received [17,19]. Parameter values used in PT (e.g., the transmission power range, the power control parameters and the maximum number of preamble retransmissions) are received through the higher layer control messages from HS.
If PT is successful and AI is correctly received by SN, MSG transmission (MT) will start using the same (selected) signature code used for PT and the same power level used in the latest PT. MSG usually delivers the information data, as well as the control data, which include pilot bits and/or the frame information. A TC is completed after successful PT and MT.

Jamming Types
In power jamming, the jammer is assumed to send arbitrary signals or just sine-waves with full transmitting power at each slot. It causes the same level of interference to every SN in the system. On the other hand, in code jamming, the jammer is assumed to send a preamble using a randomly or specifically selected access code with the full power. It targets influencing the SNs using the same access code, but also works as interference for the other SNs. Since the code jammer works like a legitimate SN, it can hear AI from HS if PT is successful, and then, it sends a fake MSG using the same code, which further distorts the utilization of radio resources in the WSN.

Traffic and RF Channel Model
The arrival of composite PTs (including initial transmissions and retransmissions) is modeled by a Poisson process with rate $G$, which is also known as the offered traffic. Let $N$ be the number of (legitimate) SNs contending for the same access slot. The distribution of $N$ is therefore: Let us denote a representative SN by SN-A (i.e., anonymous SN) for the purpose of presentation. Let $s$ and $K$ be the number of available access codes and the number of SNs selecting the same code with SN-A for accessing the same slot, respectively. Given $s$ and $N = n$, the probability that SN-A collides with other $K - 1$ SNs that choose the same code is given by: We assume that PRACH suffers from frequency-selective multipath Rayleigh slow-fading. Assuming that the shadowing and attenuation effects can be compensated by the open-loop power control used in UMTS RACH [19], the envelope of the received signal in one path is therefore a Rayleigh random variable. Let us assume that a perfect RAKE receiver with $L$ fingers is used at HS. Additionally, we also assume that $\mu$ is the average received power from each path, and the received power of each finger $P^{(l)}$ has an exponential distribution, i.e., $f_{P^{(l)}}(x) = e^{-x/\mu}/\mu$ $(x > 0)$. Then, the signal powers distributed in $L$ independent paths can be aggregated together so that the total received power $P = \sum_{l=1}^{L} P^{(l)}$ has a gamma distribution, i.e., It is noted that if we assume a narrow-band transmission like in narrow-band IoT, then PRACH can be assumed to suffer from a frequency-non-selective Rayleigh channel. In this case, $L = 1$ in (3) builds the probability distribution.

Power Capture Model for Preamble Transmission
Let us consider a typical access slot where there are $s$ access codes available and $k$ SNs (including SN-A) select the same code. Let $n_p$ (previously $n$) denote the number of SNs that are in simultaneous PT, $n_J$ be the total number of jammers and $n_m$ be the number of SNs that are transmitting MSG in this slot. If code jamming is considered, we assume that there are one code jammer and $n_J - 1$ power jammers. Let $P^{(p)}_i$, $P^{(m)}_j$ and $P_J$ be the total received power from SN-$i$ transmitting a preamble, from SN-$j$ transmitting MSG and from a hostile jammer, respectively. Since the preamble contains only the repetitions of a selected code, assuming a perfect RAKE receiver, HS can aggregate the power of PTs from those $k$ code-collided SNs (including SN-A) and the jammer (if it uses code jamming) [20,21]. Let $\beta_p$ be the minimum signal-to-interference-plus-noise ratio (SINR) required to decode a preamble successfully. Then, the condition for correct reception of the preamble sent by SN-A (or SNs using the same code) when the attack is power jamming is: where $\eta$ represents interfering power from other sources (for example, from a neighbor WSN using an adjacent RF channel) plus background noise. If the attack includes code jamming, the above condition becomes: where $P_J$ in the numerator is the received power from the code jammer transmitting a fake preamble using the same code and $(n_J - 1)P_J$ is the sum of powers from power jammers and/or the other code jammers that are using different access codes. Let $q$ denote the probability of successful reception of AI by an SN, which is assumed independent of all other uplink probabilistic matters since AI is received through the downlink. Additionally, let $W$ be the number of SNs that successfully receive AI among $K - 1$ SNs except SN-A. Then:

Power Capture Model for Message Transmission
When an SN receives AI successfully, it sends its MSG that occupies $z$ access slots. Let $t$ $(1 \le t \le z)$ denote a time index of the access slots used by delivered MSG. Additionally, let $n_{p,t}$ and $n_{m,t}$ denote the number of SNs transmitting a preamble and the number of SNs transmitting MSG at access slot $t$, respectively. In MT, the desired MSG from an SN is received by HS through $L$ signal paths. A collision-outage is assumed to occur if the received power, from SN-A for example, of at least one path drops below the power from other SNs that use the same code. If the collision-outage occurs, the desired MSG is corrupted by other MSGs. Recalling that $w$ denotes the number of SNs that receive the same AI with SN-A, the probability of safe reception of MSG from SN-A without collision-outage at HS is given by: where $P^{(m,l)}_i$ is the received MSG power at the $l$-th finger from SN-$i$. It is noted that P is presented in Appendix A. Since a code jammer behaves similarly to legitimate SNs, it causes further interference additional to the interfering powers in the right-hand side of (7). With code jamming, the above collision-outage probability then becomes: where $P^{(m,l)}_J$ is the received power of the $l$-th finger from the code jammer that transmits a fake message. If the jammer cannot receive the AI, then it is assumed to transmit a fake preamble and hence works like a power jammer. A closed-form expression of P j,t be the total received power from SN-$i$ transmitting a preamble and SN-$j$ transmitting MSG (using the different access codes from SN-A) at the $t$-th $(1 \le t \le z)$ access slot, respectively. Let $n_{p,t}$ and $n_{m,t}$ be the corresponding numbers of SNs transmitting a preamble and MSG at the $t$-th access slot, respectively. Then, the SINR of MSG signals from SN-A, $\gamma^{m}_{A}$, is defined by: Thus, $\gamma_A \ge \beta_m$ is the condition for correct reception of MSG sent by SN-A, where $\beta_m$ is the SINR requirement.
In this paper, since we model that condition $\gamma_A$ is equally obtained for power and code jamming.

Power Ramping for Preamble Transmission and Message Transmission
By using open-loop power estimation, an SN can adjust its initial transmission power based on the received signal strength from the HS [17]. The aim is to let the received power at the HS exceed a predetermined power level. For the initial PT, we assume that all SNs have the same target power level $\mu L$, recalling that $\mu$ is an average path power and $L$ is the number of effective paths. If the initial PT fails, a higher target power level is used for retransmission. We assume that $\mu L$ is the power increment unit adopted at each preamble retransmission, as in [22]. Let us denote the number of retransmissions by $r$, and let $m_r \overset{\mathrm{def}}{=} r + 1$. Then, $m_r \mu L$ represents the target power level in the $r$-th preamble retransmission. Hereafter, we denote the average number of preamble retransmissions by $m$, and thus, $m \mu L$ means that the average power level is used in PT. Average jamming power is also represented by $m_J$ (in the unit of power increment step $\mu L$), such that $m_J \mu L = P_J$, where $P_J$ is the maximum power level of jamming signals.
After PT is successful, SNs that received AI send MSG with an adjusted power level. Let us denote a power increasing factor for MSG transmission by $\alpha$ $(\ge 1)$. When an SN receives AI successfully after the $r$-th or the $m$-th preamble retransmission, it sends its MSG using power level $\alpha m_r \mu L$ or $\alpha m \mu L$, respectively.

Success Probability of r-th Preamble Retransmission
Given $n_p$, $n_m$, $k$ and $n_J$, let us denote the conditional success probability at the $r$-th preamble retransmission (i.e., at the $(r + 1)$-th PT) by $u_\bullet(r \mid n_p, k, n_m, n_J)$, where $\bullet \in \{P, S\}$, with P for power jamming and S for code jamming. The probability can be obtained analogously by the method used in [22] according to the criteria (4) and (5), respectively.
where the three interim variables $a$, $b$ and $c$ for the power jamming (i.e., $\bullet = P$) are defined as: and for the code jamming (i.e., $\bullet = C$): Aggregating $u_\bullet(r \mid n_p, k, n_m, n_J)$ for all possible values on $n_p$ and $k$ gives: where an interim function $\tilde{u}_\bullet(r \mid n_p, k, n_m, n_J)$ represents either $\tilde{u}_P(r \mid n_p, k, n_m, n_J) = u_P(r \mid n_p, k, n_m, n_J)$ for power jamming or: for code jamming. Furthermore, $u_{C,1}$ and $u_{C,2}$ in (14) represent whether SN-A selects the code being jammed by a code jammer or not, respectively. Hereafter, we use $u_\bullet(r) \overset{\mathrm{def}}{=} u_\bullet(r \mid n_m, n_J)$ for notational brevity.
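As an added example (not the authors' code), the two capture conditions described above can be estimated by Monte Carlo with the Table 1 values, giving a simulated counterpart of $u_\bullet(r)$ for one slot. Assumptions not taken from the page: the function names, a jammer level `m_j = 3`, other SNs sending preambles at the initial power level, `round(load)` MSG senders, and gamma-distributed jammer power.

```python
import math
import random

# Values from Table 1 of the page.
L_PATHS = 3                 # resolvable paths (RAKE fingers)
MU = 1.0                    # average received power per path
ETA = 2.0                   # interference-plus-noise power
BETA_P = 10 ** (-5 / 10)    # preamble SINR threshold (-5 dB) as a ratio
ALPHA = 1.2                 # MSG power increment ratio
S_CODES = 16                # available access codes


def rake_power(rng, level):
    """Sum of L exponential finger powers, mean level*MU each (gamma)."""
    return sum(rng.expovariate(1.0 / (level * MU)) for _ in range(L_PATHS))


def poisson(rng, mean):
    """Knuth's Poisson sampler; adequate for the small means used here."""
    limit, count, prod = math.exp(-mean), 0, rng.random()
    while prod > limit:
        count += 1
        prod *= rng.random()
    return count


def capture_prob(jam, r, load, n_j, m_j, trials=20000, seed=1):
    """Estimate preamble success for SN-A at its r-th retransmission.

    jam is "none", "power" (all n_j jammers are interference) or "code"
    (one jammer sends a fake preamble on SN-A's code, so its power is
    aggregated with the desired signal; the other n_j - 1 interfere).
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        signal = rake_power(rng, r + 1)        # SN-A ramps to level r + 1
        noise = ETA
        for _ in range(poisson(rng, load)):    # other SNs in PT (assumed level 1)
            power = rake_power(rng, 1)
            if rng.randrange(S_CODES) == 0:    # picked SN-A's code: aggregated
                signal += power
            else:
                noise += power
        for _ in range(round(load)):           # SNs in MT (assumed count)
            noise += rake_power(rng, ALPHA)
        interferers = 0 if jam == "none" else n_j
        if jam == "code" and interferers:
            signal += rake_power(rng, m_j)     # fake preamble on the same code
            interferers -= 1
        for _ in range(interferers):
            noise += rake_power(rng, m_j)
        hits += signal >= BETA_P * noise
    return hits / trials


def code_jam_random_code(r, load, n_j, m_j):
    """Code jammer picks its code uniformly: it hits SN-A's code w.p. 1/s."""
    hit = capture_prob("code", r, load, n_j, m_j)
    miss = capture_prob("power", r, load, n_j, m_j)  # jammer is pure interference
    return hit / S_CODES + miss * (1 - 1 / S_CODES)


if __name__ == "__main__":
    for r in range(6):
        row = [capture_prob(j, r, 1, 1, 3, trials=5000)
               for j in ("none", "power", "code")]
        print(r, row, round(code_jam_random_code(r, 1, 1, 3), 3))
```

The estimates depend on the assumed jammer level and interferer counts, so they illustrate the ordering of the three cases rather than reproduce the paper's figures.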

Derivation of m
Let $G_0$ and $G_r$ denote the arrival rates of the initial PT and the $r$-th preamble retransmissions, respectively. Let $S_P$ be the throughput of PT, and let $r_{\max}$ be the maximum number of preamble retransmissions allowed. Let $q_A$ denote the probability that SN-A receives AI successfully. The relationship between $G_0$ and $G_r$ is then: The composite offered traffic is therefore $G = \sum_{r=0}^{r_{\max}} G_r$. From (15), $G_r$ is given by: The average number of retransmissions $m$ to measure the corresponding average power level in the unit of $\mu L$ is then given by: It should be noted that the success probability $u_\bullet(r)$ in (13) is a function of $m$, while $m$ as expressed in (17) is a function of $u_\bullet(r)$. Therefore, (13) and (17) are to be solved recursively in order to get $m$.

Throughput of Random Access Request
Let $q_J$ denote the probability that a jammer receives AI successfully. The success probability of MT after the successful $r$-th preamble retransmission in the presence of the power jamming and the code jamming for given $n_m$, $n_{m,t}$, $n_{p,t}$ and $n_J$ can be derived as: and: respectively. Hereafter, we use $T_\bullet(r) \overset{\mathrm{def}}{=} T_\bullet(r \mid n_m, n_{m,t}, n_{p,t}, n_J)$ for notational brevity. Practically, the terms (I) (also (III)) and (II) are not independent when $w \ge 1$ and a closed-form expression of (18) (also for (19)) is not tractable. In this paper, we assume that the terms are independent for brevity. If $w = 0$, (I) becomes one, and the independent assumption is valid. Now, the term (II) can be derived based on the result in (10): where the three interim variables $a$, $b$ and $c$ are defined as: From (18) and (19), the throughput of the preamble and the message transmission can be derived as:

Access Delay of Random Access Request
The success of TC consists of the successes of both PT and MT. The failure of TC then occurs when the number of preamble retransmissions exceeds $r_{\max}$ or MT fails after the SN receives AI. If TC is declared to be a failure, the SN restarts PT in a new TC with the transmitting power set to the initial level, i.e., $m_r = 1$. Let $C$ be the number of restarts of TC until MT ends successfully. By assuming that all transmission attempts are independent, the distribution of $C$ is given by: Let $T^{(M)}_\bullet(r \mid n_m, n_{m,t}, n_{p,t}, n_J)$ be the probability that MT has failed although PT (i.e., the $r$-th retransmission) and the reception of AI are successful, given $n_m$, $n_{m,t}$, $n_{p,t}$ and $n_J$. $T^{(M)}_\bullet(r \mid n_m, n_{m,t}, n_{p,t}, n_J)$ can be expressed as in (24) and (25) for power and code jamming, respectively.
A ≥ β m |n m,t , n p,t , w, n J } + n J s u C (r|n p , k, n m , n J )(1 − q J ) + s − n J s u P (r|n p , k, n m , n J ) A ≥ β m |n m,t , n p,t , w, n J } .
Let us denote the average delay (in the unit of access slot) incurred in PT and receiving AI by $D_P$. Let $D_S$ and $D_F$ be the average delay incurred in TC when TC terminates successfully or not, respectively. By using (19) and (25) for $D_S$, and (18) and (24) for $D_F$, we can have, in addition to (16), where $\Omega_F = 1 - \sum_{r=0}^{r_{\max}} \frac{G_r}{G} T_\bullet(r)$, and: where $\Omega_S = \sum_{r=0}^{r_{\max}} G_r T_\bullet(r)/G$. By using (23), (26) and (27), the total access delay $D_T$ is given by:

Numerical Results
Computer simulation is done using the parameter values given in Table 1. The number of SNs transmitting preamble signals follows a Poisson distribution with mean $G$, and we assume that $n_m = n_{m,t} = n_{p,t} = G$ for all $t$. Thus, when $G \ge 2$, it is assumed in the simulation that SNs during PT are interfered with by multiple other SNs that are transmitting either MSG or a preamble. Additionally, scenarios with a different number of jammers $n_J = 1, 2, 3$ are also tested. Figures 2-4 compare the success probability $u_\bullet(r)$ of PT under different jamming attacks by the different numbers of jammers when the offered traffic $G$ is 1, 3 and 5, respectively. In the figures, it is seen that the code jamming is less harmful than the power jamming in terms of the success probability. This is because, referring to (5), the signal power of the code jammer is added to the desired signal power from SNs that select the same access code as the jammer, which increases $u_\bullet(r)$ at HS. In power jamming, on the other hand, the whole power is treated as interference. In the same context, it is seen that the performance definitely degrades as the number of power jammers increases in Figures 2-4. In code jamming, however, more jammers can contribute to improving the performance: for example, if the number of code jammers increases to 1, 2 and 3, in Figure 2 (when $G = 1$), $u_\bullet(0)$ also increases to 0.38, 0.4 and 0.41, respectively. It should be noted that the code jammers do not always contribute to increasing $u_\bullet(r)$: for example, when $r \ge 3$ in Figure 2, it is seen that more code jammers give a lower $u_\bullet(r)$, which is also true for the overall range of tested $r$ in Figure 4 (when $G = 5$). Furthermore, code jamming (with one or two jammers) sometimes (when $0 \le r \le 4$) gives better performance than PT without jamming, especially when $G = 5$ in Figure 4. Comparing Figures 2-4, it is seen that jamming severely degrades the performance of $u_\bullet(r)$, especially in the light offered load. In the very heavy load, code jamming sometimes increases $u_\bullet(r)$. In terms of $u_\bullet(r)$, power jamming is more harmful than code jamming over a wide range of parameter values.

Figure 5 compares the throughput of final MSG transmission $S_T$ for increasing offered traffic $G$, where code and power jamming attacks with 1-3 jammers are considered, respectively. If the same number of jammers is considered, the throughput with code jamming is smaller than that with power jamming over all $G$ tested, though code jamming usually achieves better $u_\bullet(r)$ than power jamming in Figures 2-4. This is because MSGs from desired SNs have collided with those from the code jammers using the same code. When $G = 2$, 21%, 25%, 30%, 36%, 30% and 40% of throughput are lost due to 1 power jammer, 1 code jammer, 2 power jammers, 3 power jammers, 2 code jammers and 3 code jammers, respectively. When $G = 3$, the amount of throughput loss is not distinguishable between the numbers of power jammers. Moreover, when $G = 4$, the throughput with and without power jamming becomes equal due to the overwhelming interference. However, code jammers further degrade the throughput compared to power jammers over all $G$ tested.

Table 1. Parameter values used in numerical evaluation.

| Parameter | Value |
|---|---|
| The number of resolvable paths | $L = 3$ |
| Average received power from one path | $\mu = 1$ |
| Interference plus noise power | $\eta = 2$ |
| Minimum SINR for correct preamble reception | $\beta_p = -5$ dB |
| Power increment ratio for message transmission | $\alpha = 1.2$ |
| Minimum SINR for correct message reception | $\beta_m = -5$ dB |
| Maximum number of preamble retransmission | $r_{\max} = 5$ |
| The number of available access codes | $s = 16$ |
| Probability of successfully receiving AI by an SN or a jammer | $q = q_A = q_J = 0.$ |

Figure 6 compares the access delay $D_T$ of final MSG transmission for increasing offered traffic $G$, where code and power jamming attacks with 1-3 jammers are considered, respectively. The result in Figure 6 certainly matches that in Figure 5. If the same number of jammers is considered, the delay with code jamming is greater than that with power jamming over all $G$ tested, which is a similar trend to what can be expected from Figure 5. When $G = 2$, the delay is 27%, 34%, 40%, 56%, 40% and 65% greater than without jamming due to 1 power jammer, 1 code jammer, 2 power jammers, 3 power jammers, 2 code jammers and 3 code jammers, respectively. When $G = 3$, the amount of delay increase is not distinguishable between the numbers of power jammers. Moreover, when $G = 4$, the delay with and without power jamming becomes equal due to overwhelming interference. However, code jammers further increase the delay compared to power jammers over all $G$ tested. From the above numerical investigations, we can address two ideas to detect whether jammers exist or not if HS has certain measurement data, the implementation of which is left for future study. One is using the concave throughput graphs achieved in Figure 5. We assume that HS has measurement data on received power (RxP) vs. throughput without jammers. Since the offered load cannot be directly measured, RxP is used to estimate the load.
The jammer seems to generate additional interference, by which HS may overestimate the offered load since it has accordingly low throughput. For example, with one power jammer, the throughput in Figure 5 is about 0.47 when $G = 2.0$, which can be achieved when either $G = 1.2$ or $3.0$ if the jammer does not exist. Let us assume that 0.47 is the current throughput seen at HS. If HS has the measurement data, then HS can judge whether the current 0.47 is due to the low load or possibly due to the jammer. Let us denote the RxP measured when the throughput is 0.47 by $R_1$ and $R_2$ ($R_1 \le R_2$), which represent two different loads $G = 1.2$ and $3.0$ (noting that both provide the same throughput 0.47), respectively. Of course, HS does not know $G$ exactly, but understands that throughput 0.47 is achieved by different load conditions: low and high, respectively. If the current RxP is approximately equal to $R_1$, then the throughput is due to low load. However, if it is much greater than $R_1$, HS sends a signaling message that temporarily prevents each SN from sending preambles with a certain probability $p$ $(0 < p < 1)$. Then, the load should be increased if throughput 0.47 is due to the high load. Otherwise, the load should be decreased, and there probably exists a jammer.
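One way to implement the throughput-based check described above, as an added example (not the authors' implementation, which the paper leaves for future study). The throughput curve, RxP model, jammer effect, the `slack` and `margin` thresholds and all function names are constructed assumptions, and the probe outcome is read here as the change in the throughput HS measures after barring SNs with probability p.

```python
import math


def s_no_jam(load):
    """Constructed concave throughput curve without jammers (peak at 2)."""
    return load * math.exp(-load / 2)


def rxp_of(load, jam_power=0.0):
    """Constructed RxP model: grows with load, plus any jammer power."""
    return 3.0 * load + 2.0 + jam_power


# Baseline HS is assumed to hold: (RxP, throughput) pairs measured
# without jammers, ordered by RxP. The load itself is never stored.
BASELINE = [(rxp_of(0.25 * i), s_no_jam(0.25 * i)) for i in range(1, 25)]


def low_high_rxp(baseline, thr):
    """Return (R1, R2): RxP on the rising and falling branch of the
    baseline that gives throughput thr, or None where thr is not covered."""
    peak = max(range(len(baseline)), key=lambda i: baseline[i][1])

    def interp(points):
        for (x0, y0), (x1, y1) in zip(points, points[1:]):
            if min(y0, y1) <= thr <= max(y0, y1) and y0 != y1:
                return x0 + (thr - y0) / (y1 - y0) * (x1 - x0)
        return None

    return interp(baseline[:peak + 1]), interp(baseline[peak:])


def verdict(baseline, thr, rxp, probe, p=0.3, slack=1.25, margin=0.01):
    """Classify the current (throughput, RxP) observation.

    probe(p) must return the throughput measured while each SN is barred
    from sending preambles with probability p.
    """
    r1, _r2 = low_high_rxp(baseline, thr)
    if r1 is None:
        return "outside baseline"
    if rxp <= slack * r1:              # RxP approximately equal to R1
        return "low load"
    after = probe(p)                   # RxP much greater than R1: probe
    return "high load" if after > thr + margin else "jammer suspected"


def scenario(load, jam):
    """Constructed world used to exercise verdict(): returns the observed
    throughput, the observed RxP and a probe callback."""
    scale, power = (0.79, 9.0) if jam else (1.0, 0.0)   # assumed jammer effect

    def observe(g):
        return scale * s_no_jam(g)

    return observe(load), rxp_of(load, power), lambda p: observe(load * (1 - p))


if __name__ == "__main__":
    for load, jam in ((1.0, False), (3.5, False), (1.5, True)):
        thr, rxp, probe = scenario(load, jam)
        print(load, jam, round(thr, 3), rxp, verdict(BASELINE, thr, rxp, probe))
```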
The other idea is using the monotonically increasing delay graphs in Figure 6. If HS is assumed to have measurement data on RxP vs. delay without jammers, then it can guess that the current excessive delay is possibly due to jamming powers. Other methods to avoid or detect jamming such as using directional antennas are intensively summarized in [23].

Conclusions
We have investigated RA performance in a WSN where power or code jammers actively disturb the information transmission from distributed SNs to a central HS. Average throughput and average delay for the information message are modeled. Numerical investigation shows that power jamming is more harmful than code jamming in the stage of PT. However, code jamming finally degrades the modeled performances more severely. Code jamming falsely attracts HS to send AI and thus further deteriorates the resource allocation in the WSN. As a remedy for code jamming, a new secure code, which is different from the access code used in PT and hardly known to code jammers, can be used in sending MSG. This requires a more sophisticated protocol to allocate the secure codes, which is left for future work. The model and results in this paper are certainly useful in building up better and more sophisticated RA methods that tolerate attacks from malicious transmitters.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript: $\sim \exp(\alpha m_r \mu)$ follows the exponential distribution with mean $\alpha m_r \mu$. Therefore, the i.i.d finger path is considered as: According to order statistics [24], $\sim \exp(m_J \mu)$ be also an exponential distribution with mean $m_J \mu$. Using the same approach as above, According to order statistics [24], Pr P

Table A1. Notations.

| Notation | Meaning |
|---|---|
| $N$ | The number of legitimate SNs contending for the same access slot |
| $G$ | Arrival rate of composite PT is modeled by a Poisson process |
| $s$ | The number of available access codes |
| $K$ | The number of SNs selecting the same code in the same time slot |
| $L$ | The number of fingers in a RAKE receiver |
| $\mu$ | Average received power from each path |
| $P^{(l)}$ | Received power at each finger |
| $n_p$ | The number of SNs in simultaneous PT |
| $n_{p,t}$ | The number of SNs transmitting a preamble at access slot $t$ |
| $n_{m,t}$ | The number of SNs transmitting MSG at access slot $t$ |
| $w$ | The number of SNs that receive the same AI with SN-A |
| P | Power increment ratio for MSG transmission |
| $u_\bullet(r \mid n_p, k, n_m, n_J)$ | Conditional success probability at the $r$-th preamble transmission |
| P | State variable for indicating power jamming |
| S | State variable for indicating code jamming |
| $G_0$ | Arrival rate of initial PT |
| $G_r$ | Arrival rate of the $r$-th preamble retransmissions |
| $S_P$ | Throughput of PT |
| $r_{\max}$ | The maximum number of allowable preamble retransmissions |
| $q_A$ | Probability that SN-A receives AI successfully |
| $q_J$ | Probability that a jammer receives AI successfully |
| $T_\bullet(r)$ | Success probability of MT after the successful $r$-th preamble retransmission |
| $S_T$ | Throughput of PT and MSG transmission |
| $C$ | The number of restarts of TC |
| $T^{(M)}_\bullet(r)$ | Probability that MT is failed |
| $D_P$ | Average delay occurred in PT and receiving AI |
| $D_S$ | Average delay occurred in TC when TC terminates successfully |
| $D_F$ | Average delay occurred in TC when TC terminates with a failure |
| $D_T$ | Total access delay |
| $\overset{\mathrm{def}}{=}$ | Definition declaration |
| $\lfloor \cdot \rfloor$ | Floor function |