HackMD
Outline
PERAL Lab Meeting
-
時間:112 年 07 月 07 日 9:00
-
地點:線上
-
線上會議連結 : Online
-
出席者:吳坤熹老師、謝萬霖、劉怡君、田蕙瑜、紀見如、劉冠伶、林大智、繆亭霄、蘇翊荃、陳嘉璐、陳品妤、陳姿澖
-
會議主題:Modeling of the Channel-Hopping Anti-Jamming Defense in Multi-Radio Wireless Networks
-
主講者: 蘇翊荃
-
主記: 陳嘉璐
會議內容
Background
- Radio Jamming
- Radio jamming is a DoS (Denial of Service) attack targeting physical and link layers of wireless networks.
- Single/Multi-radio Networks
- Single-radio Networks:
- Only one radio to send/receive data
- If the channel is jammed, the only way is to change the channel to another not being jammed
- Multi-radio Networks:
- There are multi radio that can increase overall network capacity
- Single-radio Networks:
- Channel Hopping
- 透過 Channel Hopping 反干擾
- Channel hopping, whereby channel switching is controlled at the software-level. It utilizes the fact that there is several orthogonal radio channels in many of today’s wireless standards, and has been proposed to mitigate jamming in wireless networks.
- Error-correcting Code (ECC)
- With ECC, data with redundancy will divide into n pieces, which then get transmitted over the unreliable communication channel.
- The original piece of data can be recovered from any combination of m out of the n pieces.
Attack and Defense in Multi-Radio Networks
- System Model
- Sender(defense) Node:
- Base-station Node:
- Sender(defense) Node:
- Attack Model
- Scanning Attack:
- Scanning attackers hop between channels so that the set of jammed channels change over time.
- Scanning attackers will sense channel activity to determine if the channel is being used and keep hopping until it finds a channel that has activity. It takes a certain delay call channel-sensing-time.
- Two variations of the scanning attack:
- Exploratory(探索性) Scanning Attack:Jammers at unused channels select the next target channels randomly from the set of unjammed channels.
- Conservative(保守性) Scanning Attack:Jammers at unused channels select their next targets randomly from a set containing all channels (including currently jammed channels) in anticipation of the deceptive defense.
- Defense Model:
- Proactive(主動式) hopping defense:Radios periodically switch channels regardless of jamming detection.
- Reactive(被動式) hopping defense:Each radio stays at its current channel as long as no jamming is detected.When radio detects jamming, it switches to a different channel.
- Jamming detection algorithm:If the waiting time for a free channel or the number of consecutive, unsuccessful transmission attempts exceeds a threshold (臨界值), jamming is assumed and the radio hops to a different channel.
- Two variations of the reactive defense:
- Straightforward(直接) Reactive Defense:Jammed radios select the next target channels randomly from the set of unused channels.
- Deceptive(欺騙性) Reactive Defense:Jammed radios select their next channels randomly from a set containing all channels (including currently used channels).
Maximizing Goodput Problem
- Relation Between Goodput
Markovian Models
- Motivation:
- Since goodput depends on the attack strategy, which may not be always known beforehand. To maximize the goodput, authors build a model which drive an adaptive mechanism that infers the unknown attack strategy and adjusts the defense strategy to maximize goodput.
- What is Markov Chain?
- Markovian Models:
- Drawing Without Replacement Formula:
- Straightforward Defense vs. Conservative Attack
- Deceptive Defense vs. Conservative Attack
- Straightforward Defense vs. Exploratory Attack
- Deceptive Defense vs. Exploratory Attack
Simulation Analysis and Model Validation
- Defense and attack parameter
- Effect of number of communication and attack radios
- * # of channels is set to 12
- Difference Between Model and Simulation
- This difference may occur when channel hopping occurs more frequently (many radios with less room to escape) and the effect of the non-zero hopping delay (compared to 0 delay in the model) becomes more pronounced.
- Difference Between Model and Simulation
- This bump occurs at number of radios exactly half of the number of channels.
- The reason is that the system alternates between all radios being jammed followed by all radios free in the next and so on.
- This bump did not occur in the simulations because the non-zero hopping delay breaks this synchronized alternation.
- Effect of number of channels
- Effect of number of attack radios
- Summary of Experiment Result
- Exploratory attacks are more effective in all cases.
- Straightforward defense is more effective except when the number of radios is half that of the channels.
- Effect of ECC code and number of attackers
- Usage of the model
- Since the number of attack radios cannot be known beforehand. This model can discover the number of attack radios and adjust the ECC parameters accordingly to achieve the best goodput.
- Periodically, the goodput is measured and fed into the models to predict the number of attack radios.
Summary
- Introduce jamming attack/defense in multi-radio networks
- Define the problem of maximizing network goodput
- Develop a models for reactive defense strategies against scanning attack strategies
建議&問題
-
Louise What is an "orthogonal channel"?
Ans: 代表頻道和頻道之間不會有所干擾的頻道,像是 1、6、11
所以傳送資料的時候就不會相互的去打架 -
Louise For those defensive strategies, will they be statically adopted, or dynamically selected?
Ans: 作者設計的模型可以讓我們知道目前採取哪一種防禦機制最好。通常在這個實驗有得出一個結論,我們直接 straightforward reactive defense 是較好的結果,如圖。
-
Edgar
p.12Reactive hopping defense 的作法,發生 jamming 時,隨機選擇 channel 跳過去,這時候接收方要如何得知發送方頻道跳到哪裡?不像 Proactive hopping defense 會有一個表。
Ans: Base Station 可收全部 channel, 故無須通知它要換去哪裡。 -
Edgar
p.28橫軸意思,你說 channel 的數量被定在12,這邊是代表有多少個訊號在上面傳嗎?
Ans: channel 的數量是指目前通訊提供多少channel 在上面跑。Number of radios 發送方以及攻擊,他們在這12 channels中會針對多少個channel 進行攻擊以及傳送資料。 -
Edgar
p.29Model 和 Simulation 不同的原因能不能再解釋一次?
Ans: block 成功的計算是指在這個模型中以有 hopping 才是有block到,而不是算在有 jamming 才被算做一次。 -
Edgar
p.30機率 0.5 的原因也是一樣嗎?
Ans: 原因不太一樣。如果 jamming channel 是一半,成功率在 0 和 1 之間切換,所以平均是 0.5。 -
Edgar
p.35如果傳輸的過程中發生了臨界值的變化,而 ECC 有不同參數的變化,decoder or receiever 要怎麼做調整?
Ans: paper 沒有詳細介紹到。 -
大智
p.30模擬是對稱,但Simulation卻是下降 的,會不會是 model 用錯?
Ans: model 設計不夠嚴謹,它的delay設成0, 導致model誤計算它的遺失率,導致它整個上升,channel hopping 應該會受影響,但作者卻選擇性把它忽略了。
Ans: Solomon 要回過頭去檢視公式是不是二項式曲線. 我贊同大智的直覺,他可能公式有錯。 -
Jennifer
p.7會不會原本 1 2 3 4 5 經過 Jamming 剩一個,可以透過 ECC 還原原始資料嗎?
Ans: 根據 ECC 是沒辦法的,在這個例子中它需要只少3個資料才能還原。 -
Jennifer
P.13在Deceptive Reactive Defense 中可能會跳回原本受干擾的channel,這樣會不會是不好的結果?
Ans: Attacker 以為我會跳走,它就改為攻擊其他 channel。所以我留在原 channel, 反而就不會受到干擾。 -
Jennifer How long is the delay?
Ans: In the model, the delay is 0. Real value is not specified. -
August
p.15不懂計算 goodput 保持在最大值會是最好的是效率?
Ans: goodput 的原始定義是「原本封包中有用的資訊/封包上所有的資訊」。假設 goodput 為 1 ,代表所有封包都是有價值的,但實際上有些封包有一些 header or payload 加在我們資料裡面,所以不太可能為 1。
Ans: Solomon 這不考慮 header overhead. (3,1)-ECC的goodput就是1/3. -
August
p.28圖片解圖疑慮
Ans: 12個channel有10個channel在傳送資料和被attack,而被擋掉的機率趨近於0。
1 : 如果能成功接收到一個完整的封包的話,就有能力回復整個資訊
如果是 10 vs 10 ,他們的 overlapping 應該還不會讓全部被擋掉,所以趨近於0。 -
Ashely
p.22~p.25這些公式可以得到什麼資訊?
Ans: 可能要實際去算出數字才能知道它實際代表著什麼意思。 -
Ashely
p.19左下角 數值是什麼意思?
Ans:
-
蕙瑜
p.19矩陣內的意思( x, y 初始值所代表的意思 )
Ans:
Ans: It can be either [1,0] or [0,1]. Both will converge to the same steady state. -
Yukino
p.9大圈圈是node,小圈圈是channel? node 具體來說是什麼意思? 是送不同的資料,還是同資料的不同部分?
Ans: 一份資料的不同部分。Node is a device. It has multiple antenna. -
Ellie
p.31紅色部分不懂
Ans: radios = channel 數量的一半,會導致兩邊互相跳來跳去
,導致預測和實驗結果很奇怪。
-
Ellie
p.32attack 11 channels (among 12 channels), 成功阻斷 80% 通訊?
Ans: 成本很高。 -
Phoebe 對 ECC 有無祥細說明,在這篇論文?
Ans: 相關資訊稍少,像是 IDA ECC 就比較少. (3,3)-ECC其實就是完全沒有ECC. (3,1)則是整份duplicate. -
Phoebe
p.33ECC(3,3) == use without ECC?
Ans: Yes -
Phoebe 它已經先設定好幾種ECC(像ECC(3,1)、ECC(3,2)…)
Ans:在這實驗它是這樣設定,但你可以任意指定要用哪一種ECC。先透過 goodput以及目前所使用的ECC,推測目前已經受到多少attack,然後畫籤直線就可以得知,使用哪一種ECC可以達到最好的
goodput。
-
Angela 建議
- 在
p.35之前的圖片,都沒有p.35這張X、Y 軸的詳細說明,建議有圖片的時候就可以標上。 - Solomon 可以在左邊的第一張圖片標上。
- 在
待追蹤事項
無
臨時動議
- 職務交接,目前負責人請更新SOP,時間改為7/10(一)14:00~17:00集中交接。
- 停電公告,VM, NAS與MS15暫停服務 : 0:00(7/8)~19:00(7/9)
散會結束時間:10:42
