Title: Graph-theoretic framework for identifying trigger nodes against probabilistic reactive jamming attacks
Full Citation
Permanent Link: http://ufdc.ufl.edu/UF00101378/00001
 Material Information
Title: Graph-theoretic framework for identifying trigger nodes against probabilistic reactive jamming attacks
Physical Description: Book
Language: English
Creator: Xuan, Ying
Shen, Yilin
Shin, Incheol
Thai. My T.
Publisher: Department of Computer and Information Science and Engineering, University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2010
Copyright Date: 2010
Abstract: During the last decade, Reactive Jamming Attack has emerged as a greatest security threat to wireless sensor networks,due to its mass destruction to legitimate sensor communications and difficulty to be disclosed and defended. Considering the specific characteristics of reactive jammer nodes, a new scheme to deactivate them by efficiently identifying all trigger nodes, whose transmissions invoke the jammer nodes, has been proposed and developed. Such a trigger identification procedure could serve as a leverage subroutine for a jamming-resistant routing scheme and exhibit great potentials in enhancing the defense efficiency. By modeling this procedure as a graph optimization problem, in this paper, on the one hand, we employed an advanced randomized error-tolerant non-adaptive group testing technique and a classic clique-independent set problem to further speed up the identification process, compared to our previous work. On the other hand, by investigating two sophisticated jamming behavior models, we proposed an efficient algorithm which limits the identification false rates to desirable low levels. The theoretical analysis and simulation results illustrate the robustness and efficiency of the proposed solution
 Record Information
Bibliographic ID: UF00101378
Volume ID: VID00001
Source Institution: University of Florida
Holding Location: University of Florida
Rights Management: All rights reserved by the source institution and holding location.


This item has the following downloads:


Full Text


A Graph-theoretic Framework

for Identifying Trigger Nodes against

Probabilistic Reactive Jamming Attacks

Ying Xuan, Yilin Shen, Incheol Shin, My T Thai

Abstract-During the last decade, Reactive Jamming Attack has emerged as a greatest security threat to wireless sensor networks,
due to its mass destruction to legitimate sensor communications and difficulty to be disclosed and defended. Considering the
specific characteristics of reactive jammer nodes, a new scheme to deactivate them by efficiently identifying all trigger nodes, whose
transmissions invoke the jammer nodes, has been proposed and developed. Such a trigger identification procedure could serve as a
leverage subroutine for ajamming-resistent routing scheme and exhibit great potentials in enhancing the defense efficiency. By modeling
this procedure as a graph optimization problem, in this paper, on the one hand, we employed an advanced randomized error-tolerant non-
adaptive group testing technique and a classic clique-independent set problem to further speed up the identification process, compared
to our previous work. On the other hand, by investigating two sophisticated jamming behavior models, we proposed an efficient algorithm
which limits the identification false rates to desirable low levels. The theoretical analysis and simulation results illustrate the robustness
and efficiency of the proposed solution.

Index Terms-Trigger Identification, Clique-Independent Set, Error-tolerant Nonadaptive Group Testing, Graph Theory, Optimization,

SINCE the last decade, the security of wireless sensor
networks (WSNs) has attracted numerous attentions, due
to its wide applications in various monitoring systems and
invulnerability toward sophisticated wireless attacks. Among
these attacks, jamming attack where a jammer node disrupts
the message delivery of its neighboring sensor nodes with
interference signals, has become the most critical threat to
WSNs. Thanks to the efforts of researchers toward this issue,
as summarized in [11], various efficient defense strategies have
been proposed and developed. However, a reactive variant of
this attack, where jammer nodes stay quite until an ongoing
legitimate transmission (even has a single bit) is sensed over
the channel, emerged recently and called for stronger defending
system and more efficient detection schemes.
Existing countermeasures against Reactive Jamming attacks
consist of jamming (signal) detection and jamming mitigation.
On the one hand, detection of interference signals from jammer
nodes is non-trivial due to the discrimination between normal
noises and adversarial signals over unstable wireless channels.
Numerous attempts to this end monitored critical communica-

SY Xuan, Y Shen, I. Shin and My T Thai are with the Department of
Computer Information Science and Engineering.
E-mail: {yxuan, yshen, ishin, mythai}@ cise.ufl.edu
This is an extended version of "Y Xuan, Y Shen, I Shin, M. T Thai, "On
Trigger Detection Against Reactive Jamming Attacks: A Clique-Independent
Set Based Approach", IPCCC, Phoenix, Arizona, 2009."

tion related objects, such as Receiver Signal Strength (RSS),
Carrier Sensing Time (CST), Packet Delivery Ratio (PDR),
compared the results with specific thresholds, which were
established from basic statistical methods and multi-modal
strategies [8][11]. By such schemes, jamming signals could
be discovered, however, how to locate and catch the jammer
nodes based on these signals is much more complicated and
has not been settled. On the other hand, in order to mitigate
these attacks, two strategies were adopted at sensor nodes to
escape from the detected interference, namely, channel surfing
and spatial retreats [11]. The former one employs frequency
hopping techniques at both communication ends [5][7][9], in
which case jammer nodes are unable to find the current channel
that is used for the communication, so that the attack efficiency
is greatly decreased. The latter one requires sensor nodes to
retreat from the possible jammed areas, then no sensor nodes
will be effected by the jamming signals [10][12]. However,
owing to the limited power and spectral diversity [8] of wireless
sensors, these mitigation schemes are inefficient due to their
considerable computation and communication overheads.
Instead of discovering the jammed areas, which may be
inaccurate and unnecessarily large, we proposed a new solution
to mitigate the attacks by identifying the trigger nodes in [6],
whose transmissions invoke the jammer nodes, and preventing
these trigger nodes from transmitting messages. Specifically,
we provided a novel jamming-resistent routing scheme with
regulating all identified trigger nodes as terminals, therefore
no messages will be transmitted from the trigger nodes and


all jammer nodes will stay quiet. The motivation of studying
this trigger identification problem is not limited in this reactive
jamming scenario, but to provide a solution framework to the
mitigations against the reactive variant of a general scope of
Since the performance of the trigger identification is criti-
cal for the routing scheme and other applications that make
benefit from it, in this paper, we develop a solution for real
sophisticated attack scenarios. Specifically, as many attackers
play tricks to evade detections, the feedbacks of jammer nodes
toward sensed message transmissions can be non-deterministic
or along with randomized time delays. To handle these unsure
factors, we introduce a novel randomized error-tolerant group
testing scheme, which is combined with a clique-independent
set model, and speeds up the identification procedure with low
error rates under unreliable environments. The basic idea of our
solution is to partition the victim nodes (which are interfered
by jamming signals) into multiple testing teams, and then
conduct group testing based on the constructed randomized
(d, z)-disjunct matrix, by letting each victim node broadcast
test messages simultaneously and some leader nodes gather
the feedbacks (interference signals) from the jammers. By
generating test outcomes from these gathered feedbacks, all
the trigger nodes are identified via a prompt decoding process.
Compared with our previous work [6], more sophisticated
jammer behaviors are considered and handled in this paper by
the new group testing scheme, with lower time and communi-
cation complexity, as well as accuracy guarantees. Moreover,
we model the partitioning phase of victim nodes as a clique-
independent set problem, whose NP-Hardness on UDG (unit
disk graph) is shown.
In the remainder of this paper, we first present the problem
definition in Section 2, where the network model, victim
model and attacker models are included. Then we introduce
two kernel techniques for our scheme, clique-independent
set and randomized error-tolerant non-adaptive group testing
in Section 3. The core of this paper: trigger identification
procedure and its error-tolerant extension toward sophisticated
jammer behaviors are presented respectively in Section 4 and
5. A series of simulation results for evaluating the system
performance and validating the theoretical results are included
in Section 6. We also present some related works in Section 7
and summarize the whole paper in Section 8.

2.1 Network Model
We consider a wireless sensor network consisting of n sensor
nodes and one base station (larger networks with multiple base
stations can be split into small ones to satisfy the model).
Each sensor node has a uniform transmission radius r and is
equipped with m radios for in total k channels throughout the
network, where k > m. The network can abstracted as a unit
disk graph (UDG) G (V, E), where any node pair i, j is
connected iff the Euclidean distance between i, j: 6(i, j) < r.

2.2 Victim Model
Victim nodes refer to those sensor nodes whose transmissions
are disturbed by jamming signals, i.e., node v is a victim node
iff 6(J, v) < R for some activated jammer J. In this paper,
we assume that each sensor can identify received jamming
signals and justify whether itself is a victim node. Furthermore,
the results of these self-identifications are reported to the
base station by means of the existing message forwarding
schemes periodically, therefore the set of victim nodes is
maintained at the base station. Since the detection of jamming
signals have been well developed with multi-modal statistical
methods, the above assumptions are feasible even in unreliable
As a subset of the victim nodes, trigger nodes refer to
a subset of victim nodes, whose transmissions activate the
jammer nodes. In another word, node v is a trigger node
iff 6(J, v) < r for some activated jammer J. Therefore the
problem studied in this paper is to identify all the trigger nodes
from a given set of victim nodes.

2.3 Attacker Model
We consider both a basic attacker model and several advanced
attacker models in this paper. In the next sections, we will
first illustrate our framework solution toward the basic attacker
model, and then validate its performance toward multiple
advanced attacker models theoretically and experimentally.

2.3.1 Basic Attacker Model
The basic attacker model is defined as follows: there exists
at most J < n reactive jammer nodes in the network,
whose transmission radiuses are R = ar with a > 1.
These jammer nodes keep idle until they sense any ongoing
legitimate transmissions and broadcast interference signals to
jam all the sensors in distance R on this specific channel. The
maximum damages caused by the jammer nodes are limited
to the interference toward specific sensor nodes on specific
transmission channels for a short period, instead of long-term
disabling the sensors. The motivation behind this assumption
arises from the basic goal of reactive jamming: disrupt the
message delivery with minimum energy cost. As soon as the
sensors detect any jamming signals, the transmissions will be
terminated, or continue on some other channels. Thus it is
unnecessary for the jammer nodes to keep sending interference
signals on this channel for a long time, or either disrupt all
the channels with large energy overheads as an active jammer
does. Moreover, from the standpoint of the attacker, it will
be a waste to deploy two jammer nodes too close to each
other, thus we assume that for any two jammer nodes J1 and
J2, 6(Ji, J2) > 2R R' with a small overlap R' such that
R' < R r (see Fig. 3 in the next section).

2.3.2 Advanced Attacker Models
Considering possible adjustments at the jammer nodes to
evade the detection, we take into account two probabilistic


attacker models: probabilistic attack and variant response time
delay. In the first one, the jammer responds each sensed
transmission with a probability q independently. Practically, q
is approaching 1, to guarantee the attack efficiency. However,
in order to validate the accuracy of our solution toward extreme
cases, we also consider small q in the theoretical analysis and
simulations. In the other model, the jammer delays each of
its jamming signals with an independently randomized time
interval. Similarly, too large delays do not make sense for
practical attacks, but our solution is also satisfiable under these
extreme cases.
It is evident that most tricks in reactive jamming attack
can be abstracted into either of these two models. Therefore,
showing the efficiency of our identification toward such models
suffices validating its applicability to practical defense systems
and unreliable WSN environments.

This section includes two advanced techniques which benefit
our identification procedure. We first provide the NP-hardness
proof of the Clique-Independent Set problem along with a sim-
ple approximation algorithm, then introduce the randomized
error-tolerant group testing by providing our novel design for
randomized (d, z)-disjunct matrix.

3.1 Clique-Independent Set
Cliques-Independent Set is the problem to find a set of max-
imum number of pairwise vertex-disjoint maximal cliques,
which is referred as a maximum clique-independent set (MCIS)
[4]. Since this problem serves as the abstracted model of the
grouping phase of our identification, its hardness is of great
interest in this scope. To our best knowledge, it has already
been proved to be NP-hard for cocomparability, planar, line
and total graphs, however its hardness on UDG is still an open

3.1.1 NP-hardness
In this section, we prove the NP-hardness of this problem
on UDG via a polynomial-time reduction from the Maximum
Independent Set problem on planar graph with maximum node
degree 3 to it.
From [20], the Maximum Independent Set problem is NP-
hard on planar graph with maximum degree 3, and from [21],
any planar graph G with maximum degree 4 can be embedded
in the plane using O(IV 2) area units such that its vertices are
at integer coordinates and its edges consist of line segments of
the form x = i or y = j, for any integers i and j.
Theorem 3.1: Clique-Independent Set problem is NP-hard
on Unit Disk Graph.
Proof: Given an instance G' (V', E') of such a MIS
problem, whose optimal value is denoted as MIS(G'), we
construct an instance G (V, E) of the CIS problem as

Embed G' in the plane in the way mentioned above [21].
For each node vi e V', attach two new nodes vil and v22
to it and form a triangle Ni {vi, v2, vi3}, where each
edge of this triangle Ni is of a unit length r = 3
Since each nodes vi is incident to at most three edges,
for all edges (vi, u), - (vi, v), move their endpoint from
vi to different s e.g., (vl, u) changes to (v11, u) and
(vl, v) to (v12, v). Afterwards, for each of such edges
e (u, v), assume that it is of length t, we divide it
into t pieces and replace each piece with a concatenation
of 2 triangles (not necessarily equilateral), as shown in
Fig. l(b). Therefore, any edge ej = (vi, vj) e E' of
length ejl becomes a concatenation of 21r .I 3-cliques,
denoted as {c cJ ci2 c" c"i }. Because of
the triangles Nis, the two triangles at each comer of Fig.
l(b) may need slight stenches, which can be done in
polynomial time.
The resulting graph G is then a unit disk graph with radius
r =


V2 V4

(a) Instance G' (V',E') of MIS
problem on planar graph with maximum
degree 3

112C 3114

0a 3 a N 9 a
(b) Instance G (V, E) with radius 3 of
Clique-Independent Set problem on UDG

Fig. 1. Polynomial Time Reduction

The reduction is as follows:
(=): if G' has a maximum independent set M, for each
ui e M, we choose cliques of two kinds in the corresponding
instance G: (1) the clique N, at ui; (2) for each incident edge
r 1,2 2,2 3 2 |e,|,2
ej = (ui, j), choose cliques {c c2 c }.
Since the clique Nj at uj shares a vertex with cij it cannot
be selected. For any edge ejk (uj, Uk) where uj M and
uke M, choose cliques {c2, c ,2 .. c j ,2} It is easy to


verify that all the cliques selected are vertex-disjoint from each
Assume that after embedding G' into the plane, each node
vi e V' has coordinate (xi, yi), then edge length |eij| =II
vi,vj I|1= xi xjl + |yi yjl. Therefore if we have an
independent set of size |M| k for G', we then have a clique
independent set of size k' = k + (i,j) E' i .
(4=): if G has a clique independent set of size k', since the
lengths of the embedded edges are constant, then G' has
exactly an independent set of size k = k' E(i,j)E' eij.
The proof is complete. [E

3.1.2 Algorithms
There have been numerous polynomial exact algorithms for
solving this problem on graphs with specific topology, e.g.,
Helly circular-arc graph and strongly chordal graph [4], but
none of these algorithms gives the solution on UDG. In this
paper, we employ the scanning disk approach in [3] to find all
maximal cliques on UDG, and then find all the MCIS using
a greedy algorithm. In fact, by abstracting this problem as a
Set Packing problem, we can obtain a /n-approximation algo-
rithm, however, it exhibits worse performance than the greedy
algorithm proposed in our trigger identification procedure.

3.2 Error-tolerant Randomized Non-Adaptive Group
Group Testing was proposed since WWII to speed up the
identification of affected blood samples from a large sample
population. This scheme has been developed with a complete
theoretical system and widely applied to medical testing and
molecular biology during the past several decades [1]. Notice
that the nature of our work is to identify all triggers out of a
large pool of victim nodes, so this technique intuitively matches
our problem.

3.3 Traditional Non-adaptive Group Testing
The key idea of group testing is to test items in multiple
designated groups, instead of testing them one by one. The
traditional method of grouping items is based on a designated
0-1 matrix Mt,, where the matrix rows represent the testing
group and each column refers to an item, as Fig. 2 shows.
M[i, j] 1 implies that the jth item appears in the ith testing
group, and 0 otherwise. Therefore, the number of rows of the
matrix denotes the number of groups tested in parallel and each
entry of the result vector V refers to the test outcome of the
corresponding group (row), where 1 denotes positive outcome
and 0 denotes negative outcome.
Given that there are at most d < n positive items among
in total n ones, all the d positive items can be efficiently and
correctly identified on the condition that the testing matrix M
is d-disjunct: any single column is not contained by the union
of any other d columns. Owing to this property, each negative
item will appear in at least one row (group) where all the


Fig. 2. Binary testing matrix M and testing outcome vector
V. Assumed that item 1 (1st column) and item 2 (2nd
column) are positive, then only the first two groups return
negative outcomes, because they do not contain these two
positive items. On the contrary, all the other four groups
return positive outcomes.

positive items do not show up, therefore, by filtering all the
items appearing in groups with negative outcomes, all the left
ones are positive. Although providing such simple decoding
method, d-disjunct matrix is non-trivial to construct [1][2]
which may involve with complicated computations with high
overhead, e.g., calculation of irreducible polynomials on Galois
Field. In order to alleviate this testing overhead, we advanced
the deterministic d-disjunct matrix used in [6] to randomized
error-tolerant d-disjunct matrix, i.e., a matrix with less rows
but remains d-disjunct w.h.p. Moreover, by introducing this
matrix, our identification is able to handle test errors under
sophisticated jamming environments.

3.4 Error-tolerant Randomized Designs
In order to handle errors in the testing outcomes, the error-
tolerant non-adaptive group testing has been developed using
(d, z)-disjunct matrix, where in any d+l columns, each column
has 1 in at least z rows where all the other d columns are 0.
Therefore, a (d, 1)-disjunct matrix is exactly d-disjunct. By
use of (d, z)-disjunct matrix, we can still correctly identify d
positive items, even in the presence of at most z -1 test errors.
A prompt decoding scheme by differentiating positive and
negative items based on their number of appearances in groups
with negative outcomes is summarized in [1]: considering any
single positive item i and negative item j. Suppose there are
c negative groups containing i, then these c groups (tests)
have errors, hence there are at most z 1 c other groups
turning negative outcomes to positive outcomes. Due to the
definition of (d, z)-disjunct matrix, column j appears in at
least z negative groups where none of the d positive items
exist, so even z 1 c of these groups are turned into positive
ones, the number of negative groups containing j is at least
z (z 1 c) c + 1 > c. It is evident that by sorting all
the suspected items by their number of appearances in negative
groups, those d items with smallest number of appearances are
In the literature, one the one hand, numerous deterministic
designs for (d, z)-disjunct matrix have been provided [1],



however, these constructions often suffer from high compu-
tational complexity, thus are not efficient for practical use
and distributed implementation. On the other hand, to our
best knowledge, the only randomized construction for (d, z)-
disjunct matrix dues to Cheng's work via q-nary matrix [19],
which results in a (d, z)-disjunct matrix of size tl x n with
probability p', where

11 = 4.28d2 log -
1 -p'

+ 4.28d2 log n + 9.84dz

2 2n 1
+3.92z22 In
1 p'
with time complexity O(n2 log n). Compared with this work,
we advance a classic randomized construction for d-disjunct
matrix, namely, random incidence construction [1][2], to gen-
erate a (d, z)-disjunct matrix which can not only generate
comparably smaller t x n matrix, but also handle the case where
z is not known beforehand, instead, only the error probability
of each test is bounded by some constant 7. Although z can be
quite loosely upperbounded by yt, yet t is not an input. The
motivation of this construction lies in the real test scenarios,
the error probability of each test is unknown and asymmetric,
hence it is impossible to evaluate z before knowing the number
of pools.
We only show the performance of this new construction,
namely, ETG algorithm in this section. For the review purpose,
we include the details of the construction and proofs in the
Theorem 3.2: ETG algorithm produces a (d, z)-disjunct ma-
trix with

1 N
1 + n( ) + (d+ 1) nn
1 -p'

rows with probability p' for an arbitrarily large constant p'.
Corollary 3.1: The (d, z)-disjunct matrix is asymptotically
smaller than the one constructed by Cheng [19].
Corollary 3.2: The time complexity of ETG algorithm is
asymptotically smaller than that of Cheng's algorithm, given
that d < v/n.
Corollary 3.3: Given that each test has an independent error
probability 7, ETG algorithm produces a (d, z)-disjunct matrix
with t = 7nn(d )2 2 (dl) In(1 ) with probability p',
where = (d/(d + 1))d.

In this section, we present the trigger identification
procedure for the basic attacker model, where the jammers
deterministically and immediately broadcasts jamming signals
on the particular channel which carries the sensed message
transmissions between sensor nodes. Therefore, as long
as some jamming signals are received, at least one of the
broadcasting victim nodes is a trigger. In the next section,

we will further investigate the performance of our solution
towards some sophisticated attack models, in order to show
the robustness of this scheme in real scenarios.

4.1 Identification Overview
The trigger identification can be sketched as follows (Fig. 3):
Assume that at the beginning of the identification phase, all
jammer nodes are idle and all the victim nodes in grey and
blue have been discovered beforehand. The set of victims are
divided into interference-free teams, where the transmissions of
victim nodes within one team will not invoke a jammer node,
whose interference signals will disrupt the communications
within another team, as shown in Fig. 3. We call these teams
testing teams in the remainder of the paper.

/ase Station /
/ I \

-L 0

S ensor \
Nods '

Fig. 3. Nodes in grey and blue are victim nodes around
jammer nodes, where blue nodes are also trigger nodes,
which invoke the jammer nodes.

The identification of trigger nodes involves two parallel
testing types: (1) Denote the set of victim nodes within each
testing team as W, and the number of trigger nodes (to
be estimated) as d, then a group testing procedure will run
simultaneously over each testing team, to identify the d trigger
nodes from IW victim ones; (2) Victim nodes within each
testing team will be divided into the multiple groups, according
to a randomized (d, 1)-disjunct matrix, as mentioned in Section
3.2. Each group of victim nodes will be tested on a different
channel, to avoid interference among groups.
The testing procedure within each pool is two-fold: (1) Each
group i is corresponding to a row in the testing matrix M, and
assigned with a different channel frequency f from that of
other groups. Let a victim node j broadcast a single bit on
f, iff M[i,j] = 1, to activate possible jammer nodes nearby.
Assume M has t rows and each sensor has m radios, then
only m groups can be tested at a time, and all t groups can
be tested within [-] rounds. This is because one victim node

t 2 ((d+l)d ') (z


can exist in all the t groups, and it cannot broadcast on k >
m different channels in parallel. (2) A minimum dominating
set (DS) of the induced subgraph within each testing team is
also discovered. Upon detecting any jamming signals, a victim
node will generate a jamming alarm and send it to the nearest
DS node (one-hop transmission due to the definition of DS).
Among the multiple DS nodes within a testing team, the one
which has the shortest distance from the base station will be
elected as a leader. All the jamming alarms collected by the DS
nodes will be transmitted to this leader, using channel surfing
schemes. The leader nodes of all the testing teams will send all
the testing results (jamming alarms) along with the grouping
information ((d, 1)-disjunct matrix used) to the base station,
where the idlciiiik.ii.ii ii are completed by decoding.
In principle, the flow of the identification algorithm is: (1)
Find a maximum number of disjoint interference-free testing
teams of untested victim nodes. Nodes that are not covered
by these teams will be left for the next iteration; (2) Conduct
nonadaptive group testing within each testing team, by dividing
the team members into multiple groups following a (d, 1)-
disjunct matrix, and testing each group of victim nodes on
different channels; (3) Within each testing team, let a set of
dominating nodes (DS) collect all the testing results and send
them to the DS leader, who then transmit the results to the base
station; (4) The base station decodes the results and identifies
all the trigger nodes within the current set of tested victim
nodes; (5) Iterate the above four steps until all the victim nodes
are tested.
Take Fig. 3 as an example to show the procedure: the grey
nodes and blue nodes (known as grey before identified as a trig-
ger) are all victim nodes, thus divided into three testing teams:
{V5, V7, V9, V1, V161, {V0l, V12, V17, V19}, {v6, V14, V13}. Each
of the testing teams are further divided into small groups and
tested based on a (d, 1)-disjunct matrix. The test outcomes will
be sent to the base station for decoding.
Two critical issues of this identification are how to partition
the victim set into maximal interference-free testing teams,
and how to estimate the number of trigger nodes d to
determine the testing matrix, which are illustrated along with
theoretical performance analysis in the following sections.

4.2 Discovery of Interference-free Testing Teams
As stated above, two disjoint sets of victim nodes are
interference-free testing teams iff the transmission within one
set will not invoke a jammer node, whose jamming signals will
interfere the communications within the other set. Although the
positions of jammer nodes cannot be precisely anticipated, it
is possible to discover the set of victim nodes within the same
jammed area, i.e. with a distance R from the same jammer
node. Any two nodes within the same jammed area should be
at most 2R far from each other. Consequently, if we induce
a new subgraph with all the victim nodes by connecting each
node pair with a distance less than 2R, then the ones jammed
by the same jammer node should form a clique. Based on this

motivation, we discover all the interference-free testing teams
in two steps: (1) Find a set of maximum number of vertex-
disjoint maximal cliques (clique-independent set); (2) Identify
the interference between these maximal cliques, and decide
interference-free testing teams. With a subgraph G' (W, E')
where W refers to the set of victim nodes in the network, and
E' = {(u, v)6(u,v) < 2R}, it is likely that cliques in G'
correspond to the victim nodes jammed by the same jammer.
However, maximal cliques which intersect with each other at
some victim nodes can cause interference when testing each
of these cliques as a testing team in parallel. An example in this
case is shown in Fig. 4. To this end, we find all the clique-
independent set by adapting Gupta's MCE algorithm [3], as
shown in Algorithm 1.

Algorithm 1 Finding Clique-Independent Set (FCIS)
1: Input: Induced Subgraph G' (W, E').
2: Output: The set C of maximum number of disjoint maxi-
mal cliques.
3: Find out the set S of all maximal (not disjoint) cliques by
using Gupta's MCE algorithm [3].
4: while S / 0 do
5: Choose clique C E S which intersects with the mini-
mum number of other cliques in S;
6: C-CU {C}
7: Remove all the maximal cliques intersecting with C;
8: S \{C}
9: end while
10: return C

Denote the number of cliques returned by Algorithm 1 as
Q. It is possible that any two such maximal disjoint cliques
can still interfere each other, which is also shown by Fig. 4.
Therefore, we study on the minimum distance between any
two maximal disjoint clique pair to guarantee interference-free
for further group testing.
Definition 4.1: The shortest clique-path (SCP) between any
two maximal disjoint cliques, is defined as the path between
the nearest two nodes of these two cliques, which goes through
the least number of maximal cliques. As in Fig. 4, the SCP
between clique Ci and C3 is of length 1(C2).
Lemma 4.1: Two testing teams are interference-free iff the
length of SCP between them is at least 2.
Proof: Given two disjoint maximal cliques C, and Cj,
denote the two nearest nodes of them as vi and vj. Since
SCP > 2, there is no such a path between C, and Cj that
consists of the edges in only one maximal clique, then the
shortest distance between vi and vj is larger than 2R, according
to the construction of the subgraph G'. Therefore, C, and Cj
have no nodes that are jammed by or activating the same
jammer node. Consequently, no transmissions within C, can
interfere that within Cj and vice versa. [
Lemma 4.2: For any single maximal clique C, it has at most
12 other disjoint maximal cliques, each of which has SCP of


Fig. 4. 3 maximal cliques C1 {vi, v1,v3,V4}, C2 =
{v3, v4, 5, v}, C3 {vs, v7,vs, v9} can be found within
3 jammed areas. C1 and C2 are overlapped and if they
are tested on the same channel simultaneously, when J2
is activated by v4, jamming alarm reported by v3 might
interfere the testing in C1. Meanwhile, Ci and C3 are
disjointed, but interference still exists in that, J2 activated
by v4 in C0 can disrupt the transmission at vs, which
causes error tests in C3.


Fig. 5. In the worst case, all the 12 cliques that are 2-
hops away from C will have interference with C, similar to
the two triangles.

length 1 from C.
Proof: This is straightforward and shown in Fig. 5. [
Based on Lemma 4.1 and Lemma 4.2, we can determine
the interference-free testing teams by Algorithm 2 as follows:
(1) For testing teams which have 2-length pairwise SCP are
interference-free, therefore each team can use up to k channels
for testing simultaneously, meanwhile, since each sensor has
at most m radios, only m groups can be tested within each
testing team. (2) For any two testing teams which have only 1-
length SCP from each other, test them using different channels
at a time. According to Lemma 4.2, each team can have up
to 12 neighbors with 1-length SCP from it, therefore up to
13 channels are required to test them simultaneously. If k >
13, then each team can have min{ [ ], m} groups tested in

4.3 Estimation of Trigger Upperbound
Given the number of victim nodes \Wi\ in testing team i,
we first find a deterministic upperbound di on the number

Fig. 6. Maximum number of jammer nodes that can be
activated by one testing team.

Algorithm 2 Testing on Interference-Free Testing Teams
1: Input: A set S of disjoint maximal cliques returned by
Algorithm 1.
2: Output: Interference-free testing teams.
3: if the number of channels k > 13 then
4: use all the disjoint maximal cliques in S as testing
teams, however, any two testing teams with 1-length
SCP, are tested on different channels.
5: else
6: construct an auxiliary graph H = (C, E) where each
maximal clique in S is mapped into a node v e C. Two
nodes are connected iff their corresponding cliques have
1-length SCP from each other.
7: find a maximal independent set (MIS) in H and test
the cliques corresponding to this MIS using arbitrary
channels, since they are interference-free.
8: update H by removing all tested cliques, and iterate step
6-7 until all cliques are tested.
9: end if

of trigger nodes within this team in Theorem 4.1, and then
decrease di by statistically analyzing the number of jammer
nodes activated by this team. Notice that we avoid assuming
the deployment of jammer nodes as [6] did and all the results
shown are in the worst case.
Lemma 4.3: The triggers in each testing team can activate
at most 4 jammer nodes.
Proof: As shown in Fig. 6, suppose that there are 6 jammer
nodes that can be activated by this clique. Notice that this only
happens when all the jammer nodes form a hexagon around the
clique. Since the largest distance between any 2 jammer nodes
(J2 and J5) in this case is at least 2(2R R') (because the
distance between two adjacent jammer nodes in the hexagon
(Ji and J6) is at least 2R R', we have the distance between
the two trigger nodes vl and v2, which activate J2 and J5
respectively, is at least 2(2R R') 2r. According to our
assumption R R' > r, this distance should be larger than 2R,


The Probabilities of i jammer nodes activated by one
Si1 Probability p
2 [(2c2 arccos(c2/4ci) 2 C (2 /4)2)/ (c2)] 2
3 [(2c arccos(c2/2a 3c ) 2c2 C (c 2 3)2) /(wc)]
4 [(22 arccos( 2c2/4ci C) 2- 2 c ( 2c22/4)2)/(wc2)]4

which contradicts with the definition of testing team. Therefore,
only one jammer of such pair (Ji, J4), (J2, J5), (J3, J6) will
be activated by this team, so the upperbound of the activated
jammer nodes is 4, by considering the center J0. [
Theorem 4.1: The upper bound d, on the number of trigger
nodes is min{Z1E |1 c(Gi)|, Wil}, where c,(Gi) is the sth
largest clique over an induced unit disk subgraph Gi =
(Wi, E,, 2r) in the testing team i.
Proof: It is straightforward that the maximum distance
between two trigger nodes that invoke the same jammer node
is 2r. According to Lemma 4.3, each testing team can activate
at most 4 jammer nodes. In light of this fact, we can construct
another unit disk graph Gi = (Wi, E,, 2r) on testing team i by
connecting each victim node pair with distance less than 2r.
In this sense, the trigger nodes which invoke the same jammer
nodes are supposed to be in the same clique.
By discovering all the maximal cliques on this new subgraph
Gi using Gupta's algorithm [3], we can find the 4 largest
maximal cliques and their aggregate size, i.e., E=1 Ic,(G,)|
is thus the maximum number of trigger nodes. Since the
upperbound should not exceed the size of the testing team,
so di= mi{Z4 I ,(cG)l, IWil}. D
Lemma 4.4: The upperbounds on probabilities of different
number of jammer nodes that can be activated by one testing
team are shown in Table 1, where cl R R', C2 2R R',
3 = sin (T/10).
Proof: Due to the page limit, we just show the proof
for the probability of the case that only 2 jammer nodes are
activated. Other results can be calculated similarly.
Assume that the 2 jammer nodes are deployed as shown
in Fig. 7. Their positions are unnecessarily like this, but we
require the two jammed areas to have no overlapping, in order
to maximize the probability for the team to activate two jammer
nodes. Without loss of generality, we assume that the sensor
nodes are deployed randomly over the disk F with radius R -
R', therefore by denoting the two areas in shadow as Si and
S2 respectively, we can have the probability of this case is
upperbounded by S1 S2/ S2, where S refers to the area of
the disk with radius R R' (same as the jammed area). To
maximize this probability, we assume S S2 in the following
Since IAFI R R' and EFI R'/2, we have IDFI =
IAFI (IAFI EFI)/2 = C2/4. As a result, SFBAC
[2arccos(|DFI/lBF)/2l7]2lBF2 = c2 arccos(c2/4ci).
For the triangle FBC, IBDI = ,BFi2 IDF2

/c1 (c2/4)2, we have SAFBC = 1/2BC DF = BD
DF C= C2c- (c/4)2. Hence SBAEC 2(SFBAC -
SAFBc) and the probability is equal to (SBAEC/S)2
[(2c arccos(c2/4cl) 2c2V /c (c2/4)2)/(7 )]2, which
completes the proof. [
Therefore, the conclusion from Theorem 4.1 can be im-
proved by replacing the deterministic maximum number of
jammer nodes with its expected value derived from the above
results. Since the calculation of this part is quite complicated,
but not the core of our solution, it is not included in this paper.

4.4 Analysis of Time and Message Complexity
Time complexity: The time overhead of this trigger identifi-
cation procedure is three-fold: (1) the discovery of maximum
number of disjoint maximal cliques; (2) the iterative tests on
multiple testing teams. As mentioned above, the algorithm in
[3] finds O(lA) maximal cliques on UDG, within O(lA2)
time, where 1 = E and A refers to the maximum degree.
We used a greedy algorithm to find a MCIS from these O(lA)
cliques with O(13A3Q) time: O(lA)-time for each clique to
check the overlapping with other cliques, O(lA)-time to find a
clique overlapping with minimum other cliques, and Q denotes
the number of testing teams. Notice that in practice, sensor
networks are not quite dense, so the number of edges I and
maximum degree A are actually limited to small values. Since
the efficiency of this phase depends on the MCIS algorithms,
which hopefully can be further improved, this section therefore
only focuses on (2), which is also the kernel of our scheme.
Since the group testing procedures are conducted within each
testing team, which is a clique that can be covered by a disk
with radius 2R, therefore the transmission latency between
nodes within each testing team is quite low and thus negligible.
Moreover, no new testing rounds can start until all the activated
jammer nodes hibernate again. Therefore, the length of each
testing round could be set to a predefined constant, which does
not rely on the size of each testing group. To this end, we
count the time complexity of this phase in terms of the total
number of testing rounds needed. Specifically, each testing
round is counted since the victim nodes broadcasting testing
signals to activate jammer nodes nearby, till the DS leader
node finishing collecting the testing results. Under this basic
jamming environment, where jammer deterministically reply to
any sensed legitimate transmissions with interference signals,
we conduct all the tests within the same testing team in a
synchronized manner, i.e. set the length of each testing round
as a predefined value, therefore by denoting the number of total
testing rounds as , the length of identification period is 0().
However, under some sophisticated jamming environments to
be discussed later, we will relax the synchronized constraint,
advance the tests to asynchronous ones, and make benefit from
this change to alleviate test errors.
Lemma 4.5: Based on the ETG algorithm, the minimum
number of tests to identify d trigger nodes from |W vic-



J1 A F J2

si --- 52

Fig. 7. The maximum probability of 2 jammer nodes being
activated by one testing team

tim nodes can be loosely upperbounded (for simplicity) by
t(IWl, d) O(d? rln IWV1) w.h.p.
Theorem 4.2: (Main) The total number of testing rounds is
upper bounded by

SO(m 13minJ{dI[lnW1], I Wil })
max m

w.h.p, with di = min{ZE |cs(G)|l, |Wj\} and Cs(Gi) is the
8th largest clique over an induced unit disk subgraph G =-
(Wi, E,, 2r) in the testing team i.
Proof: First, from Lemma 4.5, at most =
n W testing rounds are needed to identify all nodes in
testing team i. Second, the set of testing teams that can be
tested in parallel is corresponding to a MIS on H constructed
in Algorithm 2, according to Lemma 4.2, nodes in H has a
maximum degree 12. It is straightforward to see the maximum
degree of the resulting graph H' by iteratively removing a MIS
from it decreases by at least 1 in every iteration, therefore all
the nodes can be covered by up to 13 MIS. Therefore, from
Theorem 4.1, the proof is completed. [D
Notice that the computation overhead of the randomized
(d, 1)-disjunct matrix is quite small, and thus not included in
the analysis. Compared with the number of testing rounds
A(H) logIW
O(1 max[min {(2 + o(l))- l | jW,}/m)
i1 3 log2(d log |W,|)

in [6] where A(H) refers to the maximum degree of the an
induced graph H, our result is asymptotically better since no
maximum degree is involved.

Message Complexity: Based on our assumptions above, the
jammer nodes will be activated upon receiving a single mes-
sage from the trigger nodes. Considering that there are approx-
imately 1 victim nodes in each testing group of team Wi
(mentioned in the construction of randomized (d, z)-disjunct
matrix in Appendix), the communication overhead of each
testing group in a testing round is three-fold: (1) 47 testing
message broadcasted by all victim nodes in each group of team
Wi; (2) jamming alarm message sent to some DS nodes
by victim nodes that senses the jamming signals; (3) 1 result
report messages from each DS node to the DS leader node and
1 testing result message sent to the base station by each DS


Notation Content
T+ The number of false positive outcomes
T The number of false negative outcomes
u(i) The number of trigger nodes in test i
x(i) The reaction time of jammer toward test i
g(i) The outcome of test i

header node. Since the size of DS for each group Wi is at most
|Wi the overall communication complexity is
O( | J r mx{i ln|I |WV, IWi}m)

according to Theorem 4.2. Notice that this is slightly larger
than that of [6], however, we did not take into account the
amount of result report message, which contributes the most
in the message complexity above.

In this section, we consider two sophisticated attacker models:
probabilistic attack and variant response time delay, where
the jammers rely each sensed transmission with different
probabilities, instead of deterministically, or delay the jamming
signals with a random time interval, instead of immediately.
Since our scheme is robust and accurate in the steps of
grouping, generating disjunct matrix and decoding the testing
results, the only possible test errors arise from the generation
of testing outcomes. Nevertheless, by using the error-tolerant
disjunct matrix and relaxing the identification procedures to
asynchronous manner, our scheme will provide small false rates
in these cases. Some notations can be found in Table 2. In this
section, the terms test and group, the terms column and nodes
are interchangeable.

5.1 Upperbound on the Expected Value of z
First, we investigate the properties of both jamming behaviors
and obtain the expected number of error tests in both cases
through the following analysis. Since in practice, it is not
trivial to establish accurate jamming models, we derive an
upperbound of the error probability which does not require
the beforehand knowledge of the objective jamming models,
which is therefore feasible for real-time identifications. Since it
is a relaxed bound, it could be further strengthened via learning
the jamming history.

5.1.1 Probabilistic Jamming Response
A clever jammer can choose not to respond to some sensed
ongoing transmissions, in order to evade the detection. Assume
that each ongoing transmission has an independent probability


q to be responded. In our construction algorithm ETG, where
each matrix entry is IID and has a probability p to be 1,
therefore for any single test i with i E [1, t]:

Pr[u(i) x] ( t l--p)d (1)

Hence for each test i, the event that it contains no trigger nodes
but returns a positive result, has a probability at most:

Pr[g(i)= 0 & u(i) > 1]

S ( l)')p'(1- p)d-
[(1 l)p+ 1 (1 -p)d
(1 p) (1 _p)d < (1 r)p
Meanwhile, the event that it contains at least one trigger but
returns a negative result, has a probability:

Pr[g(i) = 1 & u(i) = 0] = 0 (2)
Since in practical r > 1, we therefore have the expected
number of false positive and negative tests is respectively at
most pt/2 and 0.

5.1.2 Variant Reaction Time
The introduction of group testing techniques aims to decrease
the identification latency to the minimum, therefore, if the
jammer would not respond intermediately after sensing the
ongoing transmissions, but instead wait for a randomized time
delay, the test outcomes would be messed up. Since it is
expensive to synchronize the tests among sensors, we use a
predefined testing length as , thus the test outcome of test
i E [1, t] is generated within time interval [( ] -1), [ ].
There are two possible error events regarding any test i.
Fp(i): test i is negative, but some jamming signals are
delayed from previous tests and interfere this test, where
we have a false positive event;
Fn(i): test i is positive, but the jammer activated in this
test delayed its jamming signals to some subsequent tests,
meanwhile, no delayed jamming signals from previous
tests exists, where we have a false negative event.
Since the jammers in this paper are assumed to block
communications only on the channels where transmissions
are sensed, for the following analysis, we claim that the
interference can only happen between any two tests i,j with
i j(mod m). Denote the delay of jamming signals as a
random variable X = {x(1), x(2),x(3), x- (t)} where x(i)
is the delay for possible jamming signals arisen from test i.
(1) For event Fp(i), consider the test i m, in order to have
its jamming signals delayed to test i, we have a bound on
x(i m) E (0, 2). Similarly, in order to have the signals of
any test j delayed to i, we have x(j) E [(M 1), (C +
1)]. Further assume the probability density function of X is
P(i) Pr[X = (i)]. Consider all the tests prior to i, which

are '. 1 + ' i m, we then have the probability
for Fp(i):

i-m ,( 1)C
(1-p )d J j 1)
jii%m 777

P(w)dw(l (1- p)d) (3)

To simplify this expression, we assume that X/L follows a
uniform distribution within the range [0, 3] with a small 3,
which is reasonable and efficient for attackers in practice.
Since the nature of jamming attacks lies in adapting the attack
frequency due to the sensed transmissions, too large delay does
not make sense to tackle the ongoing transmissions. Under a
uniform distribution, the probability of Fp(i) becomes:

(1 -(1 -p)d)(1 )

m 2
j=max i%m,i m-3- 1

S((1 1-p)e)( 1-)d(r j1)o

Therefore, the expected number of false positive tests is at most

T+ < 1(1

(1 -p))(1 -p)d(3)2

< 2 (1 (1 -p)d)(1 -p)
< 2(1 (1 -p)d)(1 -p)dt

(2) For event Fn(i), following the similar arguments above,
we have an upperbound of the probability for Fn(i) (assume
that any delays larger than I at test i will interfere the tests j
following i where j E [max( i. i m 3 1), i m]):

(1 (1 -p))


(1 p))

(/ 1)/

So the expected number of false negative tests is at most
T < (1 (1 -p)d)(1 -2(1 (1 -p)d))t (4)
Therefore, we could use a union bound and obtain a worst-case
error rate of each test:
P + 2(1 (1 p)d)(1 -_ p)d
S 2

+(1 (1 p))(1 2(1 (1
(10T -8T2 T-- 1)/2

p) ))

where T (d/(d + 1))d. Intuitively, we can have an upper-
bound on the number of error tests as z = t = (10T 8T2 -


1- ( / (w)dw (1

< (1 (1 i)d)(1 2(1 (1 -.
< (1- (1 -p)I)(1 2(1 (1 .


T d 1)/2, and take it as an input to construct the (d, z)-
disjunct matrix. However, notice that z depends on t, i.e., the
number of rows of the constructed matrix, we therefore derive
another bound of t related to 7, as shown by Corollary 3.3 in
the appendix.

5.2 Error-tolerant Asynchronous Testing within each
testing team
By applying the derived worst-cast number of error tests into
the ETG construction, we can obtain the following algorithm
where tests are conducted in asynchronous manner to enhance
the efficiency.

Algorithm 3 Asynchronous Testing
1: Input: n victim nodes in a testing team.
2: Output: all trigger nodes within these victim nodes.
3: Estimate d as mentioned.
4: Set 7 (10T 8T2 T- 1)/2. //upper bound of error
probability for each test.
5: Set t In n(d1) //number of rows.
6: Construct a (d, z)-disjunct matrix using ETG algorithm
with t rows, and divide all the n victim nodes into t groups
accordingly {gl, g2, gt}.
8: /* For each round, conduct group testing on m groups
using m different channels (radios). The testing is asyn-
chronous in that, the m groups tested in parallel do not wait
for each other to finish the testing, instead, any finished test
j will trigger the test j + m, i.e., the tests are conducted
in m pipelines. */
9: for i 1 to [t/m] do
10: Conduct group testing in groups gim+l, gim+2, ~ im+m
in parallel;
11: If any nodes in group gj with j E [im + 1, im + m]
detects jamming noises, the testing in this group finishes
and start testing on gj+,.
12: If no nodes in group gj detect jamming noises, while at
least one other test in parallel detects jamming noises,
let all the nodes in group gj resend 3 more messages to
activate possible hidden jammers. If no jamming signals
are detected till the end of the predefined round length
(C), return a negative outcome for this group and start
testing on gj+m.
13: end for

As shown in Algorithm 3, after all the groups are decided,
conduct group testing on them in m pipelines, where in each
pipeline any detected jamming signals will end the current test
and trigger the next tests while groups receiving no jamming
signals will be required to resend triggering messages and wait
till the predefined round time has passed. These changes over
the original algorithm, especially the asynchronous testing are
located in each testing team, thus will not introduce, igIili k.i.l

overheads, however, the resulted error rates are limited to a
quite low level. The corresponding simulation results will be
shown in the next section.

For the sake of validating the theoretical results obtained
and showing the applicability of this approach to real-time
identification, we simulated the proposed trigger identification
procedure on a 1000 x 1000 square sensor field with uniformly
distributed n sensor nodes, one base station and J randomly
distributed jammer nodes. We did not investigate more sophis-
ticated node deployments, since our solution is orthogonal and
robust with them, and the simulation results suffice reflecting
the efficiency of this scheme.
In detail, we set the transmission radius r 50 for the
sensor nodes, and R = 2r for the jammer nodes. m 3
radios with k > m channels are implemented with no packet-
loss or external noise (except jamming signals), to guarantee
the accuracy of jamming detection and test results generation.
The reason why we limit R to only 2r is, jammer nodes with
extremely large transmission range can be favored by attackers,
but this has huge energy cost and risk to be disclosed. Notice
from the above analysis, the performance of our solution does
not rely on this assumption.
The performance assessments are two-fold: (1) since the
only existing trigger identification work is our previous result
in [6], we compare our new approach (referred as Clique-Based
below) with that one (referred as Disk-Based below) through
two benchmarks: average number of the testing rounds and the
communication messages per victim node, with different envi-
ronment settings. (2) besides the time and message complexity,
we investigate the precision of this new solution in terms
of false positive/negative rate, in the presence of a different
jamming behaviors. Although changes of network size, number
of jammers, transmission radius will probably affect the false
rate of our identification, since in principle, we divide the
victim nodes into small testing teams and further tested in
even smaller groups, the influences of the jammer behaviors
are intuitively much more Nignilikiill than those parameters.

6.1 Time and Message Complexity
We range n ranges from 450 to 550 with step 2, r from 50 to
60 with step 0.2 and J from 3 to 10 with step 1 to show the
robustness of our solution in time and message complexity.
Parameter values lower than these intervals would make the
sensor network less connected and jamming attack less severe,
while higher values would lead to impractical dense scenarios
and unnecessary energy waste.
As shown in Fig. 8(a) and 8(b), this clique-based scheme
completes the identification with steadily less than 10 rounds,
compared to the increasing time overhead with more than
15 rounds of the disk-based solution, as the network grows
denser with more sensor nodes. Meanwhile, its amortized


communication overheads are only slightly higher than that
of the other solution, whereas both are below 10 messages per
victim node. Therefore, the new scheme is even more efficient
and robust to large-scale network scenarios.
With the sensor transmission radius growing up, the time
complexity of the disk-based solution gradually ascends (Fig.
8(d) and 8(c)) due to the increased maximum degree A(H)
mentioned in the analysis above. Comparatively, the time cost
of clique-based solution remains below 10 rounds, while the
message complexity still approximates the other one.
Since sensor nodes are uniformly distributed, the more
jammer nodes placed in the networks, the more victim nodes
are expected to be tested, the identification complexity will
therewith raises, as the performance of disk-based scheme
shows in Fig. 8(f) and 8(e). Encouragingly, the proposed
scheme can still finish the identification promptly with less
than 10 rounds, which grows up much slower than the other. It
has slightly more communication overheads (10 messages per
victim nodes) but is still affordable to power-limited sensor

6.2 False Positive/ Negative Rate
In order to show the precision of our proposed solution under
different jamming environments, we vary the two parameters of
the jammer behaviors above: Jammer Response Probability a
and Testing Round Length/Maximum Jamming Delay C/X and
illustrate the resulted false rates in Fig. 8(g) and 8(h). To simu-
late the most dangerous case, we assume a hybrid behavior for
all the jammers, for example, the jammers in the simulation of
Fig. 8(g) not only launch the jamming signals probabilistically,
but also delay the jamming messages with a random period of
time up to 2. On the other hand, the jammers in the simulation
of Fig. 8(h) respond each sensed transmission with probability
0.5 as well. All the simulation results are derived by averaging
10 instances for each parameter team.
As shown in both figures, we consider the extreme cases
where jammers respond transmission signals with a probability
as small as 0.1, or delay the signals to up to 10 testing rounds
later. This actually contradicts with the nature of reactive
jamming attacks, which aim at disrupting the network com-
munication as soon as any legitimate transmission starts. The
motivation of such parameter setting is to show the robustness
of this scheme even if the attackers sense the detection and
intentionally slow down the attacks. The overall false rates are
below ._ for any parameter values.
In Fig. 8(g), when a > 1/2 which corresponds to practical
cases, we find that the false negative rates generally decrease
from 11' to -.'. as a increases. Meanwhile the false positive
rate grows gently, but is still below 1 I'. this is because
as more and more jamming signals are sent, due to their
randomized time delays, more and more following tests will be
influenced and become false positive. In Fig. 8(h), considering
the practical cases where C/X > 1/2, both rates are going
down from around 11"'. to 1%, since the maximum jamming

delay becomes shorter and shorter compared to the testing
round length , in which case, the number of interference
between consecutive tests is decreasing.
Overall, the new solution not only improves the efficiency
of the trigger-identification procedure with much smaller time
complexity and acceptable message overhead, but also limits
the identification false rate to the desirable low levels in
the presence of various jamming behaviors. Considering the
prompt testing procedure could be iteratively conducted, the
false rate would be further decreased to enhance the identifi-
cation accuracy. With these performance guarantee, this pro-
cedure is promising to be developed into a jamming-resilient
routing scheme.

Existing countermeasures against jamming attacks in WSN can
be categorized into two facets: signal detection and mitigation,
both of which have been well studied and developed with
various defense schemes. On the one hand, a majority of
detection methods focus on analyzing specific object values
to discover abnormal events, e.g., Xu et. al [15] studied
a multi-model (PDR, RSS) to nisisLc'il\ monitor jamming
signals. Work based on similar ideas [16][14][13] improved
the detection accuracy by investigating sophisticated decision
criteria and thresholds. However, reactive jamming attacks,
where the jammer node are not continuously active and thus
unnecessary to cause huge deviations of these variables from
normal legitimate profiles, cannot be efficiently tackled by
these methods. In addition, some recent works proposed meth-
ods for detecting jammed areas [10] and directing normal
communications bypass possible jammed area using wormhole
[17]. These solutions can effectively mitigate jamming attacks,
but their performances rely on the accuracy of detection
on jammed areas, i.e. the transmission overhead would be
unnecessarily brought up if the jammed area is much larger
than its actual size. On the other hand, mitigation schemes
which benefit from channel surfing [12], frequency hopping
and spatial retreats[11], reactively help legitimate nodes escape
from the jammed area or frequency. Unfortunately, being
lack of pre-knowledge over possible positions of hidden reac-
tive jammer nodes, legitimate nodes cannot efficiently evade
jamming signals, especially in dense sensor network when
multiple mobile nodes can easily activate reactive jammer
nodes and cause the interference. For the sake of overcoming
these limitations above, in [6] we studied on the problem of
identification trigger nodes with a short period of time, whose
results can be employed by jamming-resistent routing schemes,
to avoid the transmissions of these trigger nodes and deactivate
the reactive jammer nodes. In this paper, we improve this
scheme by introducing a novel randomized error-tolerant group
testing technique, which enhances the identification speed, and
handles error tests under unreliable network environments as


Clique-Based --
25 Disk-Based +
20 '
15 +


460 480 500 520 540
# Sensor Nodes n
(a) # Rounds by n


3 4 5 6 7 8 9 10
# Jammer Nodes J
(e) # Rounds by J

18 Clique-Based
16 Disk-Based -
6 1
460 480 500 520 540
# Sensor Nodes n
(b) # Messages by n


3 4 5 6 7 8 9 10
# Jammer Nodes J
(f) # Messages by J

Clique-Based -
Disk-Based --

\ V i,
+vv *v

50 52 54 56 58 60
Sensor Tranmission Radius r
(c) # Rounds by r
025 n +
0 15
Jammer Response Probability


50 52 54 56 58 60
Sensor Tranmission Range r
(d) # Messages by r
025 fn
Round Length / Max Jamming Delay

(g) False Rate by different Jammer Response (h) False Rate by different Ratios of Testing
Probability Round Length/Maximum Jamming Delay

Fig. 8. Performance Under Different Circumstances


We proposed the idea of identifying trigger nodes using
group testing schemes in previous work. In this paper, we
improve this mitigation method by optimizing the grouping
scheme and testing matrix by employing an advanced clique-
independent set algorithm and a randomized (d, z)-disjunct
matrix construction. Through theoretical proof and analysis,
the identification procedure has a lower time complexity than
the previous solution. We also provide preliminary simulation
results to elaborate the applicability and robustness of this
scheme to wireless sensor network with various settings.
Moreover, we analyze two representative jamming behavior
models and propose an error-tolerant asynchronous identi-
fication algorithm which allows very few test errors under
unreliable jamming environments. Since both our new con-
struction of (d, z)-disjunct matrix and the discovery of clique-
independent set have the potential to be implemented distribu-
tively (Gupta et al. already proposed a distributed algorithm
for finding maximal cliques with unit radius on UDG in[3]),
the distributed version of this trigger identification is quite
promising and will become a part of our future work.


We include the proofs of several theorems mentioned in
Section 3 regarding the performance of this algorithm.

Proof of Theorem 3.2.

Algorithm 4 ETG construction
1: Input: n, d, z, p';
2: Output: (d, z)-disjunct matrix with probability p'
3: Set P dl
4: Set t -2 ( ) z 1 + In + (d + l)l nn
5: Construct a t x n matrix M by letting each entry to be 1
with probability p.
6: return M

M is not (d, z)-disjunct matrix if for any single column co
and any other d columns cl, - Cd, there are at most z -1 rows
where co has 1 and all cl, Cd have 0. By denoting p = ( ),
considering a particular column and d other columns in the
matrix, the probability of such failure pattern is:

z- 1
[pC _( 1d! [1 _-t p) A t-i

So use the union bound for all possible combinations and
permutations of (d+ 1) columns, we have the failure possibility
bounded by

Pi < (d+ 1)

n ;i) ) (1 p)d]f[1 -p( _p)d]t-
d+1 i=0

Here consider the CDF of binomial series and assume that
z 1 < tp(1 p)d(assert 1), we then have

S (tp( p)
P < n exp(- t

z +1)

I +


by ( Ai, i. 'if bound. To bound this by 1 p', i.e.,

(t-(1 _-p)d z + 1)2
P, < nd+lexp(- -P Z- ) ) < 1
2t (1 p)
we can derive that (assert 2)

p(1 -p)d

z- 1+ In +(d + 1) lnn

Yln2( +,nd 1)+2(z

for each entry, the overall time complexity is loosely upper-
bounded by O(d2nlogn).
p' Given that d < /n which is practical, this is smaller than that
of Chang's algorithm, O(n2 log n).
Proof of Corollary 3.3.
Substituting z by yt in the proof of Theorem 3.2 completes
-this proof. [

1)ln 1 ,n+

(infeasible by assert 1)

p( p)d >

S- 1 +In 1 (d+ 1) lnn

/ln2(-nd+ l) 2(z


Therefore, we can derive the lower bound

S (d d z 1 + n(

1)ln 1 ,d+

) + (d+ 1)lnn)

Proof of Corollary 3.1.
From Theorem 3.2, we have

t < 2( )d(d+ 1)[z 1 +In(1 ) + (d + 1) nn]
d 1 pl

< 2ed + 1) [z 1 +In(2 ) + (d + 1) In n]
< 2c(d+l)z-l+ln( (dpnn]
1 -p

Since limdoo(1 + )d
increases, we have

e and (1 + -)d monotonically

t < 3.78(d 1)2 logn +3.78(d + 1)log( 2)
1 -p'
-3.78(d + 1)+ 5.44(d + l)(z 1)

Compared with the number of rows of the matrix constructed
by Cheng [19], which is denoted as tl as mentioned:
tl = 4.28d21og + 4.28d2 log n + 9.84dz
1 p'
2n 1
+3.92z2 In
1 p'

with d > 2, z > d+ 1, p' < 2 and n > d, it is evident that
t < t.

Proof of Corollary 3.2.
Since ETG algorithm only contains one probability calculation

[1] D. Z. Du and F. Hwang, Pooling Designs: Group Testing in Molecular
Biology, World Scientific, Singapore, 2006.
[2] M. Goodrich, M. Atallah, and R. Tamassia. "Indexing information for data
forensics." 3rd ACNS, Lecture Notes in Computer Science 3531, Springer,
[3] R. Gupta, J. Walrand, and 0. Goldschmidt, "Maximal cliques in unit disk
graphs: Polynomial approximation." INOC '05, Portugal, March 2005.
[4] V. Guruswami and C. P. Rangan, "Algorithmic aspects of clique-
transversal and clique-independent sets." Discrete Applied Mathematics,
100:183-202, 2000.
[5] W. Hang, W. Zanji, and G. Jingbo, "Performance of dsss against repeater
jamming." Electronics, Circuits and Systems, ICECS '06, Dec. 2006.
[6] I. Shin, Y. Shen, Y. Xuan, M. T. Thai, and T. Znati, "Reactive jamming
attacks in multi-radio wireless sensor networks: an efficient mitigating
measure by identifying trigger nodes." FOWANC, in conjunction with
MobiHoc, 2009.
[7] 0. Sidek and A. Yahya, "Reed solomon coding for frequency hopping
spread spectrum in jamming environment." American Journal of Applied
Sciences, 5(10):1281-1284.
[8] M. Strasser, B. Danev, and S. Capkun. "Detection of reactive jamming in
sensor networks." ETH Zurich D-INFK Technical Report, August 2009.
[9] H. Wang, J. Guo, and Z. Wang. i.. ,..ii. assessment of repeater
jamming technique for dsss." WCNC2007. IEEE, pages 2322-2327, March
[10] A. D. Wood, J. Stankovic, and S. Son. "A jammed-area mapping service
for sensor networks." RTSS '03, pages 286-297, 2003.
[11] W. Xu, K. Ma, W. Trappe, and Y. Zhang. "Jamming sensor networks:
Attack and defense strategies." IEEE Network, 20:41-47, 2006.
[12] W. Xu, T. Wood, W. Trappe, and Y. Zhang. "Channel surfing and spatial
retreats: Defenses against wireless denial of service." 2004 ACM workshop
on Wireless security, pages 80-89, 2004.
[13] Mingyan Li, I. Koutsopoulos, and R. Poovendran. "Optimal Jamming
Attacks and Network Defense Policies in Wireless Sensor Networks".
INFOCOM '07, May 2007.
[14] R. A. Poisel. "Modern Communications Jamming Principles and Tech-
niques". Artech House, 2004.
[15] W. Xu, W. Trappe, Y. Zhang, and T. Wood. "The f. i..,, of launching
and detecting jamming attacks in wireless networks". MobiHoc '05, pages
46-57, New York, NY, USA, 2005.
[16] M. Cakiroglu and A. T. Ozcerit. "Jamming Detection Mechanisms for
Wireless Sensor Networks." 3rd I I .... Brussels, Belgium, 2008.
[17] M. Cagalj, S. Capkun, and J. P. Hubaux. "Wormhole- Based Antijamming
Techniques in Sensor Networks."IEEE Transactions on Mobile Comput-
ing, 2007.
[18] I. Shin, R. Tiwar, T. N. Dinh, M. T. Thai and T. Znati, "A localized
algorithm to locate reactive jammers with trigger nodes in wireless sensor
networks". Manuscript, 2009.
[19] Y.-X. Chen and D.-Z. Du, "New Constructions of One- and Two- Stage
Pooling Designs", Journal of Computational Biology, 2008
[20] Garey, M.G., Johnson, D.S, "The Rectilinear Steiner Tree Problem is
NP-Complete", SIAM J. Appl. Math. 32, 826C834 (1977)
[21] L. G. Valiant, "Universality considerations in VLSI circuits", IEEE
Transactions on Computers 30 (1981), 135C140.

University of Florida Home Page
© 2004 - 2010 University of Florida George A. Smathers Libraries.
All rights reserved.

Acceptable Use, Copyright, and Disclaimer Statement
Last updated October 10, 2010 - - mvs