Abstract 抽象
Wireless communications are vulnerable against radio frequency (RF) interference which might be caused either intentionally or unintentionally. A particular subset of wireless networks, Vehicular Ad-hoc NETworks (VANET), which incorporate a series of safety-critical applications, may be a potential target of RF jamming with detrimental safety effects. To ensure secure communications between entities and in order to make the network robust against this type of attacks, an accurate detection scheme must be adopted. In this paper, we introduce a detection scheme that is based on supervised learning. The k-nearest neighbors (KNN) and random forest (RaFo) methods are used, including features, among which one is the metric of the variations of relative speed (VRS) between the jammer and the receiver. VRS is estimated from the combined value of the useful and the jamming signal at the receiver. The KNN-VRS and RaFo-VRS classification algorithms are able to detect various cases of denial-of-service (DoS) RF jamming attacks and differentiate those attacks from cases of interference with very high accuracy.
无线通信容易受到射频 (RF) 干扰的影响,这可能是有意或无意造成的。无线网络的一个特定子集,即车载自组网(VANET),它包含一系列安全关键型应用,可能是射频干扰的潜在目标,具有有害的安全影响。为了确保实体之间的安全通信,并使网络能够抵御此类攻击,必须采用准确的检测方案。在本文中,我们介绍了一种基于监督学习的检测方案。使用了k最近邻(KNN)和随机森林(RaFo)方法,包括特征,其中一种是干扰器和接收机之间相对速度(VRS)变化的度量。VRS是根据接收机的有用信号和干扰信号的组合值估算的。KNN-VRS 和 RaFo-VRS 分类算法能够检测各种拒绝服务 (DoS) 射频干扰攻击情况,并以非常高的精度将这些攻击与干扰情况区分开来。
1. Introduction 1. 引言
A prevalent prediction is that fully autonomous vehicles, capable of self-navigating in unpredictable real-world environments with little human feedback, will flood the global market by 2025 [1]. Autonomous vehicle control imposes very strict security requirements for the wireless communication channels [2] which are used by a fleet of vehicles [3]. Specifically, the connected vehicles use the connected adapted cruise control (CACC) technology, in which the following vehicles learn the lead vehicle’s dynamics via intervehicle communication and through them they determine their movement. However, an RF jamming attack can overload the wireless medium leading to large packet losses. So, the platoons of vehicles can become unsafe and collisions are possible. Moreover, with the intelligent vehicle grid technology, each vehicle becomes a sensor platform absorbing information from the environment or from other vehicles (also called Internet of Vehicles (IoV)). Vehicles also feed each other or infrastructure for assisting in safe navigation and traffic management.
一个普遍的预测是,到2025年,能够在不可预测的现实世界环境中自我导航的全自动驾驶汽车将充斥全球市场[1]。自动驾驶汽车控制对车队使用的无线通信信道[2]提出了非常严格的安全要求[3]。具体来说,联网车辆使用联网自适应巡航控制(CACC)技术,其中后续车辆通过车辆间通信学习前方车辆的动力学,并通过它们确定其运动。但是,射频干扰攻击可能会使无线介质过载,从而导致大量数据包丢失。因此,车辆排可能变得不安全,并且可能会发生碰撞。此外,借助智能车联网技术,每辆车都成为一个传感器平台,从环境或其他车辆(也称为车联网(IoV))吸收信息。车辆还相互喂食或基础设施,以协助安全导航和交通管理。
Wireless communications, however, are vulnerable against a wide range of attacks. An attack that is particularly hard to detect in every wireless network is the RF jamming attack [4]. An RF jamming attack reduces the availability of the wireless medium making the successful detection of a jamming attack may be obstructed by several conditions that might occur in an urban environment, such as unintentional interference caused by other wireless nodes, poor link conditions, etc. In a VANET, RF jamming attack detection is even more challenging due to the constant and rapid changes in topology and the high mobility of the vehicles. Detection becomes even harder with the presence of a variety of jammers and unintentional interference sources in the same area. Jamming may affect the communication between vehicles (V2V communication) or the communication between vehicles and roadside units, namely, RSUs (V2R communication).
然而,无线通信容易受到各种攻击。在每个无线网络中都特别难以检测到的攻击是射频干扰攻击[4]。射频干扰攻击会降低无线介质的可用性,因此成功检测干扰攻击可能会受到城市环境中可能发生的多种情况的阻碍,例如其他无线节点造成的无意干扰、链路条件差等。在VANET中,由于拓扑结构的不断快速变化和车辆的高机动性,射频干扰攻击检测更具挑战性。由于同一区域存在各种干扰器和无意干扰源,检测变得更加困难。干扰可能会影响车辆之间的通信(V2V通信)或车辆与路边单元之间的通信,即RSU(V2R通信)。
Over the last few years, there have been several experimental approaches for jamming detection [4–7], some of which suggest the use of machine learning techniques [6, 8]. However, only Puñal et al. [6] examine closely the adoption of machine learning techniques for jamming detection. None of the related works that focused on machine learning-based schemes has investigated the use of the speed of the involved vehicles as an extrafeature for classifying jamming attacks in VANETS. In this work, we show that this is a critical feature and, more specifically, the variations of relative speed (VRS) metric. VRS is used as a new feature for jamming classification in realistic scenarios with a minimum number of assumptions leading to increases in classification accuracy.
在过去的几年里,已经有几种干扰检测的实验方法[4\u20127],其中一些建议使用机器学习技术[6,8]。然而,只有Puñal等[6]仔细研究了机器学习技术在干扰检测中的应用。专注于基于机器学习的方案的相关工作都没有研究过使用相关车辆的速度作为VANETS中干扰攻击分类的额外特征。在这项工作中,我们展示了这是一个关键特征,更具体地说,是相对速度 (VRS) 指标的变化。VRS 被用作在真实场景中干扰分类的新功能,具有最少数量的假设,从而提高了分类精度。
The proposed VRS metric, extracted at the application layer [9, 10], is combined with classic physical layer metrics leading to a cross-layer classification scheme. The intuition behind the use of the VRS is the following. In the general case, jamming reduces the receiver signal-to-interference-and-noise ratio (SINR), a problem that can be addressed with classic communication algorithms. However, SINR can be reduced due to unintentional interference, a problem very prevalent in dense populated areas where vehicles operate. Hence, for jamming detection, the actual reason behind the reduction in the SINR and the packet-delivery-ratio (PDR) has to be determined. The proposed VRS metric reveals the behavior of the jammer in relation to the receiver, specifically, the variations of its relative speed. An unintentional source of interference does not exhibit a specific pattern in its relative speed, allowing us thus to effectively differentiate the cases where a malicious intentional source of interference, namely, jammer, moves in ways that intend to disrupt communication. Our extensive results indicate that the proposed scheme can effectively differentiate the case of jamming attack from that of an interfering wireless source.
所提出的VRS指标在应用层[9,10]提取,与经典的物理层指标相结合,形成跨层分类方案。使用 VRS 背后的直觉如下。在一般情况下,干扰会降低接收机信干噪比(SINR),这个问题可以通过经典通信算法来解决。然而,由于无意干扰,SINR可能会降低,这个问题在车辆运行的人口稠密地区非常普遍。因此,对于干扰检测,必须确定SINR和数据包传输比(PDR)降低背后的实际原因。所提出的VRS指标揭示了干扰机相对于接收器的行为,特别是其相对速度的变化。无意干扰源的相对速度不会表现出特定的模式,因此我们可以有效地区分恶意故意干扰源(即干扰器)以意图破坏通信的方式移动的情况。实验结果表明,所提方案能够有效区分干扰攻击和干扰无线源的干扰攻击。
Accurate detection is also important because these two problems could be addressed differently; that is, in the case of interference, an interference cancellation (IC) scheme [11] is needed, while techniques such as spectral evasion (channel surfing and spatial retreats) scheme can be used for jamming attacks. With the use of more sophisticated techniques for alleviating the problem, the proposed scheme can be used as a first step of a process that aims at keeping alive the wireless communication between a transmitter and receiver, by detecting the exact cause of the wireless interference followed by appropriate actions related to the physical location of the nodes. Such actions could be the de-routing of the malicious vehicle from a specific area or the rerouting of legitimate vehicles towards different areas, free of any RF jamming or interference. Lack of such smart detection mechanisms could lead to incorrect de-routing decisions that may compromise the different objectives of applications that use intervehicle communications (IVC). For this reason, we tested both, a typical form of RF jamming, which is the continuous jamming, and a more smart reactive jamming.
准确的检测也很重要,因为这两个问题可以以不同的方式解决;也就是说,在干扰的情况下,需要干扰消除(IC)方案[11],而频谱规避(信道冲浪和空间撤退)方案等技术可用于干扰攻击。通过使用更复杂的技术来缓解该问题,所提出的方案可以用作旨在保持发射器和接收器之间无线通信的过程的第一步,方法是检测无线干扰的确切原因,然后采取与节点物理位置相关的适当行动。此类操作可能是将恶意车辆从特定区域移除路线,或将合法车辆重新路由到不同区域,不受任何射频干扰或干扰。缺乏这种智能检测机制可能会导致错误的去路由决策,从而可能损害使用车辆间通信 (IVC) 的应用的不同目标。出于这个原因,我们测试了两种形式,一种是射频干扰的典型形式,即连续干扰,另一种是更智能的反应性干扰。
The main contribution of this paper is the introduction of a proactive detection method against potential RF jamming attacks with fairly good detection results. This detection system is also able to differentiate interference from malicious RF jamming. Additionally, it is able to distinguish the unique characteristics of each attack especially when the proposed VRS metric is utilized among the other cross-layer features. The accuracy of the proposed detection method is about or over under different supervised learning testing cases and under realistic values of the relative speed between the jammer and the receiver. This result is significantly improved as compared to other corresponding methods in the literature.
本文的主要贡献是介绍了一种针对潜在射频干扰攻击的主动检测方法,并取得了较好的检测结果。该检测系统还能够区分干扰和恶意射频干扰。此外,它能够区分每个攻击的独特特征,特别是当建议的 VRS 指标与其他跨层特征一起使用时。在不同的监督学习测试用例下,在干扰机和接收机之间的相对速度的实际值下,所提出的检测方法的精度大致或超过。与文献中的其他相应方法相比,该结果得到了显着改善。
One key application area for our scheme is vehicle platoons in which an exterior or an interior attacker can cause significant instability in the CACC of the vehicle stream [12]. Our classifier could be used as a trustworthy indicator of a jamming attack; thus, the control model of the platoon could change from CACC to noncooperative adaptive cruise control (ACC), relying solely on radar techniques. This control mode switch can be considered as a mitigation technique to the impact of the attack [12]. For the evaluation of our approach, one interference-only scenario and two jamming attack scenarios have been designed and tested.
我们方案的一个关键应用领域是车辆队列,其中外部或内部攻击者可能导致车辆流的CACC严重不稳定[12]。我们的分类器可以用作干扰攻击的可靠指标;因此,该排的控制模型可以从CACC转变为非合作自适应巡航控制(ACC),完全依靠雷达技术。这种控制模式开关可以看作是攻击影响的缓解技术[12]。为了评估我们的方法,设计并测试了一种仅干扰场景和两种干扰攻击场景。
The rest of this paper is structured as follows. Section 2 provides an overview of related work in the domain of attack detection. Section 3 describes the topology and the channel model of our scenarios. Section 4.1 describes the methodology used for the estimation of the relative speed. Section 4.2 presents the proposed machine learning-based jamming detection system. Section 5 describes the simulation setup. Section 6 presents the experimental results and comparisons. Finally, Section 7 summarizes our findings and concludes our work.
本文的其余部分结构如下。第 2 节概述了攻击检测领域的相关工作。第 3 部分介绍了我们方案的拓扑和通道模型。第 4.1 节描述了用于估计相对速度的方法。第4.2节介绍了所提出的基于机器学习的干扰检测系统。第 5 节介绍了仿真设置。第6节介绍了实验结果和比较。最后,第7节总结了我们的发现并总结了我们的工作。
2. Related Work 二、相关工作
Several recent works have proposed machine learning-based techniques for attack detection in vehicular ad-hoc networks. Puñal et al. [6] used metrics that include the noise and channel busy ratio (CBR), packet delivery ratio (PDR), maximum inactive time (Max IT), and received signal strength (RSS), to detect attacks with machine learning techniques, and examined the cases of reactive and constant jammers.
最近的几项工作提出了基于机器学习的车载自组织网络攻击检测技术。Puñal等[6]使用包括噪声和信道繁忙比(CBR)、数据包传输比(PDR)、最大非活动时间(Max IT)和接收信号强度(RSS)在内的指标,通过机器学习技术检测攻击,并检查了反应性和恒定干扰器的情况。
Azogu et al. [5] proposed a new mechanism, called the hideaway strategy, according to which all nodes should remain silent while the network is under a jamming attack. Bißmeyer et al. [13] proposed a detection scheme that is based on the verification of vehicle movement data and on the assumption that a certain space will be occupied by only one vehicle at a certain time.
Azogu等[5]提出了一种称为隐蔽策略的新机制,根据该机制,当网络受到干扰攻击时,所有节点都应保持沉默。Bißmeyer等[13]提出了一种检测方案,该方案基于对车辆运动数据的验证,并假设在特定时间只有一辆车占用一定空间。
Malebary et al. [14] presented a two-phase jamming detection method that utilized metrics such as the RSS, the packet delivery/send ratio (PDSR), and the packet loss ratio (PLR), as well consistency, checks to distinguish a jamming from a no-jamming situation. In the first phase, which is the initialization phase, the values of the RSS, the packet delivery/send ratio (PDSR), and packet loss ratio (PLR) are calculated by the RSUs in a jammer-free network. Furthermore, a max value for the RSS is obtained for every PDSR value as well as two threshold values, equal to the maximum PDSR and to the minimum PLR, respectively. In the second phase, when a PDSR value is lower than the defined threshold and a PLR value is higher than the respective threshold, a consistency check is conducted to determine whether the low PDSR value is consistent with the RSS value assigned in phase one, thus determining a jamming or no-jamming situation.
Malebary等[14]提出了一种两阶段干扰检测方法,该方法利用RSS、数据包发送/发送比(PDSR)和丢包率(PLR)等指标以及一致性检查来区分干扰和无干扰情况。在第一阶段,即初始化阶段,RSS、数据包发送率 (PDSR) 和数据包丢失率 (PLR) 的值由无干扰网络中的 RSU 计算。此外,每个PDSR值的RSS最大值以及两个阈值分别等于最大PDSR和最小PLR。在第二阶段,当PDSR值低于定义的阈值而PLR值高于相应的阈值时,进行一致性检查,以确定低PDSR值是否与第一阶段分配的RSS值一致,从而确定干扰或无干扰情况。
The authors in [15] proposed a data mining-based method for real-time detection of radio jamming DoS attacks in IEEE 802.11p V2V communications for platoon of vehicles. The state-of-the-art methods are compared with the proposed method which allows operating under the realistic assumption of random jitter accompanying every cooperative awareness message (CAM) transmission. However, only features from the network layer are utilized. Mokdad et al. [16, 17] proposed a scheme for detecting a jamming attack in vehicular ad-hoc networks that depends on the variations of the PDR. The approach is based on the premise in which only packets that originate from the sender are allowed through the cyclic redundancy check (CRC) and the PDR is equal to the ratio of these packets and the total number of packets received. Puñal et al., in [18], generated a set of jammers and implemented a variety of jamming scenarios, both indoor and outdoor, under different jamming behaviors (constant, reactive, and pilot jamming) in order to address the impact of an RF jammer in VANET communications.
作者在[15]中提出了一种基于数据挖掘的方法,用于实时检测IEEE 802.11p V2V通信中车辆排的无线电干扰DoS攻击。将最先进的方法与所提出的方法进行了比较,该方法允许在每次协同感知消息(CAM)传输附带随机抖动的现实假设下运行。但是,仅使用网络层中的要素。Mokdad等[16,17]提出了一种检测车辆自组织网络干扰攻击的方案,该方案取决于PDR的变化。该方法基于这样一个前提,即只允许来自发送方的数据包通过循环冗余校验 (CRC),并且 PDR 等于这些数据包与接收的数据包总数的比率。Puñal等人在[18]中生成了一组干扰器,并在不同的干扰行为(恒定、无功和导频干扰)下实现了室内和室外的各种干扰场景,以解决射频干扰器在VANET通信中的影响。
Quyoom et al. [19] presented an RF jamming attack that consists of radio signals maliciously emitted to disrupt legitimate communications. This type of jamming is already known to be a big threat for any type of wireless network. With the rise in safety-critical vehicular wireless applications, this is likely to become a constraining issue for their deployment in the future.
Quyoom等[19]提出了一种射频干扰攻击,该攻击由恶意发射的无线电信号组成,以破坏合法通信。众所周知,这种类型的干扰对任何类型的无线网络来说都是一个巨大的威胁。随着安全关键型车载无线应用的兴起,这可能会成为未来部署的一个制约问题。
RoselinMary et al. [20] proposed an approach that is based on the detection of malicious and irrelevant packets using the number of broadcast packets per second (frequency) and the velocity of the vehicle that the packets are sent from. This method calculates the frequency, e.g., the number of broadcast packets per second, and the velocity and then starts the detection algorithm. If the frequency and the velocity are both high and above a threshold, then the packets are malicious, whereas if they are between a low and a high threshold value, the packet is real.
RoselinMary等[20]提出了一种方法,该方法基于使用每秒广播数据包的数量(频率)和发送数据包的车辆的速度来检测恶意和不相关的数据包。该方法计算频率,例如每秒广播数据包的数量和速度,然后启动检测算法。如果频率和速度都很高且高于阈值,则数据包是恶意的,而如果它们介于低阈值和高阈值之间,则数据包是真实的。
A subcategory of related papers dealt with real-time medium access control- (MAC-) based jamming detection method to meet the requirements of safety applications in vehicular networks. These methods operate either under realistic assumption of random jitter accompanying every CAM transmission [21] or the decision of the detector (monitor) depends on the number of nearby vehicles and the number of successful transmissions and failed transmissions [22]. These detection methods can more accurately distinguish the causes of failed transmissions such as contention collisions, interference, and jamming attacks. In [23], the authors proposed a method for DoS attack detection in wireless sensor networks (WSNs). This method is based on the grouping of sensor nodes and the timestamp and the PDR calculated from one node to another one. However, all the above papers focused on simplistic jamming attacks such as “random jamming” or “ON-OFF jamming” without taking into account smarter jammers such as reactive jammer. Lastly, Mowla et al. [24] proposed a federated learning-based on-device jamming attack detection security architecture for flying ad-hoc network (FANET) using the RSSI and PDR features with a fairly good accuracy results in detecting the RF jamming attack. All the aforementioned jamming detection approaches used parameters only from the MAC or the physical layer for training and testing without exploiting upper layer features. Feng and Hua [25] proposed jamming detection schemes based on a variety of machine learning algorithms. They incorporate the information from the physical layer, the MAC layer, and the network layer (such as RSS, carrier sense time, noise, and PDR) for training and testing. Lastly, there are recent works in the literature that use either machine learning [26] or deep learning for a multistage jamming detection scheme in 5G networks: the cloud radio access network (C-RAN) [27]. However, these methods have not been tested on vehicular networks that have special features such as high-speed moving nodes. Only the authors, in [28], adopt a cross-layer approach incorporating also an application layer features for detecting and classifying different types of RF jamming attacks in VANETs. Specifically, the IDS that was proposed in [28] is able to differentiate a RF jamming attack from spoofing attacks in connected autonomous vehicles (CAVs).
相关论文的一个子类别涉及基于实时介质访问控制(MAC)的干扰检测方法,以满足车载网络安全应用的要求。这些方法要么在每次CAM传输都伴随着随机抖动的现实假设下运行[21],要么检测器(监视器)的决定取决于附近车辆的数量以及成功传输和失败传输的数量[22]。这些检测方法可以更准确地区分传输失败的原因,例如争用冲突、干扰和干扰攻击。在文献[23]中,作者提出了一种在无线传感器网络(WSN)中检测DoS攻击的方法。此方法基于传感器节点的分组以及从一个节点到另一个节点计算的时间戳和 PDR。然而,上述所有论文都集中在简单的干扰攻击上,如“随机干扰”或“ON-OFF干扰”,而没有考虑更智能的干扰器,如反应干扰器。最后,Mowla等[24]提出了一种基于联邦学习的基于设备端干扰攻击检测安全架构,该架构利用RSSI和PDR特征进行飞行自组网(FANET),在检测射频干扰攻击方面具有较好的准确率。上述所有干扰检测方法仅使用来自MAC或物理层的参数进行训练和测试,而不利用上层特征。Feng和Hua[25]提出了基于多种机器学习算法的干扰检测方案。它们结合了来自物理层、MAC 层和网络层的信息(如 RSS、载波检测时间、噪声和 PDR)进行训练和测试。 最后,文献中最近有一些工作使用机器学习[26]或深度学习在5G网络中进行多级干扰检测方案:云无线接入网络(C-RAN)[27]。然而,这些方法尚未在具有特殊功能(例如高速移动节点)的车辆网络上进行测试。在文献[28]中,只有作者采用了一种跨层方法,结合了应用层特征来检测和分类VANET中不同类型的射频干扰攻击。具体来说,[28]中提出的IDS能够区分联网自动驾驶汽车(CAV)中的射频干扰攻击和欺骗攻击。
Sharanya and Karthikeyan [29] proposed a support vector machine (SVM) algorithm with modified fading memory (MFM) for classifying legitimate and malicious nodes. The proposed classification scheme considers the following critical parameters to classify a node as malicious node, namely, power ratio, signal strength, packet delivery ratio, speed of node, number of packets generated, and transmission power. Their proposed system has two specific phases.
Sharanya和Karthikeyan [29]提出了一种支持向量机(SVM)算法,该算法具有改进的衰落记忆(MFM),用于对合法节点和恶意节点进行分类。该分类方案考虑了以下关键参数将节点归类为恶意节点,即功率比、信号强度、数据包传递率、节点速度、生成数据包数和传输功率。他们提出的系统有两个特定的阶段。
Lastly, Karagiannis and Argyriou [10] proposed an RF jamming attack detection scheme using unsupervised learning with clustering. The novelty of the above paper is that the relative speed metric is utilized between the jammer and the receiver, along with other parameters, in order to differentiate intentional from unintentional jamming as well as identify the unique characteristics of each jamming attack. However, this relative speed metric is assumed to be available without any form of estimation.
最后,Karagiannis和Argyriou[10]提出了一种使用无监督学习和聚类的射频干扰攻击检测方案。上述论文的新颖之处在于,在干扰器和接收器之间使用相对速度度量以及其他参数,以区分有意和无意干扰,并识别每个干扰攻击的独特特征。但是,假设此相对速度指标在没有任何形式的估计的情况下可用。
In all the previous works that were proposed, machine-learning based schemes, the estimated variations of the relative speed have not been considered as a classification feature. Our proposed system is the first one in the literature that uses the point-to-point RF communication in order to estimate the relative speed metric.
在之前提出的所有基于机器学习的方案中,相对速度的估计变化尚未被视为分类特征。我们提出的系统是文献中第一个使用点对点射频通信来估计相对速度指标的系统。
3. System Model 3. 系统型号
3.1. Topology 3.1. 拓扑
Our system topology is represented in Figure 1. In the left part (a), an interference scenario is presented, in which we assume that no jammer is present in the network. This scenario is important in order to be able to evaluate the efficiency of our method in differentiating jamming from interference. The vehicle travels, when, at some point, it passes through an area with significant RF interference that is caused by a RSU. In the right part of this figure (b), a jamming situation is presented. The topology we adopt for this case involves a moving vehicle , which serves as the target of the jammer, another vehicle that is the transmitter of the useful signal, and the jamming vehicle that tries to intervene in the communication between and . The travelling speed of , namely, , is equal to the travelling speed of , namely, . Moreover, we assume the presence of a static object in the area that causes multipath fading from reflections, as it is usually in urban environments. Upon spotting its target, the jammer begins following it and starts jamming either continuously or periodically (in order to stay undetected for as long as possible).
我们的系统拓扑如图 1 所示。在左部分(a)中,提出了一个干扰场景,我们假设网络中不存在干扰器。这种情况对于能够评估我们的方法在区分干扰和干扰方面的效率非常重要。当车辆在某个时候经过由 RSU 引起的具有显着射频干扰的区域时,车辆就会行驶。在图(b)的右侧,显示了干扰情况。我们在这种情况下采用的拓扑结构涉及一个移动的车辆,它作为干扰器的目标,另一个车辆是有用信号的发射器,以及试图干预 和 之间的通信的干扰车辆。的行进速度,即 ,等于 的行进速度,即 。此外,我们假设该区域存在一个静态物体,该物体会导致反射产生多径衰落,就像在城市环境中一样。一旦发现目标,干扰器就会开始跟踪它并开始连续或周期性地干扰(以便尽可能长时间地保持不被发现)。
3.2. Rician Fading Model 3.2. Rician Fading模型
In our work, we adopt the Rician fading model that is a channel model which includes path loss and also Rayleigh fading [30]. When a signal is transmitted, whether it is a useful signal or a jamming one, this model adds multipath fading in addition to thermal noise. It is assumed that a line-of-sight (LOS) ray and nonline-of-sight (NLOS) ray exist in the area. The combined baseband signal that the receiver receives from the jammer and the transmitter is
在我们的工作中,我们采用了Rician衰落模型,这是一个包括路径损耗和瑞利衰落的信道模型[30]。当信号被传输时,无论是有用信号还是干扰信号,该模型除了热噪声外,还增加了多径衰落。假设该区域存在视距 (LOS) 射线和非视距 (NLOS) 射线。接收机从干扰机和发射机接收的组合基带信号为where 哪里where are the Rician fading channel models between transmitter-receiver and jammer-receiver, respectively. This type of channel model includes path loss and also Rayleigh fading. and are complex Gaussian variables capturing the Rayleigh fading between transmitter-receiver and jammer-receiver, and are the symbols that are transmitted from the transmitter and the jammer, respectively, for which the BPSK modulation is used. This modulation scheme is preferred because it achieves lower bit error rate providing a reliable communication between and . Moreover, this modulation scheme is the most robust in a high interference environment. In (2) and (3), is the carrier frequency, is the maximum Doppler shift, and are the transmission power per symbol of the useful and of the jamming signal, respectively, and is the channel noise at time instant . The terms correspond to the distance between the transmitter and the reflected object and between the jammer and the reflected object, respectively.
分别是发射机-接收机和干扰机-接收机之间的 Rician 衰落信道模型。这种类型的信道模型包括路径损耗和瑞利衰落。并且是捕获发射机-接收机和干扰机-接收机之间瑞利衰落的复高斯变量,分别是从发射机和干扰机发射的符号,用于使用BPSK调制。这种调制方案是首选,因为它实现了较低的误码率,从而在 和 之间提供了可靠的通信。此外,这种调制方案在高干扰环境中是最鲁棒的。在(2)和(3)中,是载波频率,是最大多普勒频移,分别是有用信号和干扰信号的每个符号的发射功率,是瞬间的信道噪声。这些项分别对应于发射机与反射物体之间以及干扰器与反射物体之间的距离。
The terms correspond to the distance between the transmitter and the receiver and between the jammer and the receiver. In (2) and (3), the travel distance of the LOS rays is equal to . On the contrary, the travel distance of the NLOS rays is , respectively. Moreover, is the incidence angle of departure (AOD) between the vector of speed and the signal vector of the transmitter, is the incidence AOD between the vector of speed and the signal vector of the jammer, is the excess delay time for the transmitter and jammer signal ray (that may be caused due to ground reflection), and is the current time instant. For the remainder of this paper, we will use the parameter as the transmitter-receiver complex amplitude associated with the LOS path and the parameter as the jammer-receiver complex amplitude. The above complex amplitude values are known at the receiver.
这些术语对应于发射器和接收器之间以及干扰器和接收器之间的距离。在(2)和(3)中,LOS射线的传播距离等于。相反,NLOS射线的传播距离分别为。此外,是速度矢量和发射机信号矢量之间的入射离去角(AOD),是速度矢量和干扰机信号矢量之间的入射AOD,是发射机和干扰机信号射线的超额延迟时间(可能是由于地面反射引起的), 并且是当前时间时刻。在本文的其余部分,我们将使用该参数作为与LOS路径相关的发射机-接收机复数幅度,并将该参数用作干扰机-接收机复数幅度。上述复振幅值在接收器处是已知的。
3.3. System Overview
In our system model, a fixed number of known pilot symbols are sent using the wireless IEEE 802.11p standard [14] over consecutive time instants from the transmitter to the receiver. At the same time, the jammer simultaneously transmits over consecutive time instants’ random jamming symbols to the receiver. Using these pilots, the LOS channel and the NLOS channels between the jammer and the receiver are estimated by the receiver.
The basic idea is to first estimate the relative speed between the jammer and the receiver, exploiting the RF Doppler shift. We use the variations of the estimated relative speed as a new feature in a supervised machine learning algorithm for RF jamming attack detection. Along with the relative speed from the application layer, we use cross-layer data that we obtain from the physical layer, such as the received signal strength indicator (RSSI), the SINR, and the PDR. Two classification algorithms are investigated, namely, the k-nearest neighbors (KNN) and the random forest (RaFo) algorithm, respectively.
3.4. Jamming Scenarios
We assume that the jammer continuously transmits so as to overload the wireless medium conducting a DoS attack [31]. We investigate three different attack scenarios, namely, interference scenario, smart attack scenario, and constant attack scenario, each representing a jamming attack case that could affect a VANET in real life.
我们假设干扰器连续传输,以使无线介质过载,从而进行DoS攻击[31]。我们研究了三种不同的攻击场景,即干扰场景、智能攻击场景和持续攻击场景,每种场景都代表了现实生活中可能影响VANET的干扰攻击案例。
In the interference scenario, we assume that no jammer is present in the network. This scenario is useful for evaluating the efficiency of our method in differentiating jamming from interference. The vehicle travels, when, at some point, it passes through an area with significant RF interference that affects the communication with other vehicles or the RSU. The smart attack scenario models an intelligent jammer behavior [32]. This smart jammer is designed to start transmitting in a reactive way upon sensing energy above a certain threshold. We set the latter to as it is empirically determined to be an average threshold between jammer sensitivity and false transmission detection rate [18, 33]. Using this minimum threshold, each ongoing transmission can be detected by the reactive jammer. The standard protocol wireless access in vehicular environment (WAVE) IEEE 802.11p orthogonal frequency-division multiplexing (OFDM) frame format consists of the OFDM PHY layer convergence protocol (PLCP) preamble, PLCP header, MAC header, wave short message protocol (WSMP) header, PLCP service data unit (PSDU), tail bits, and pad bits. In the PLCP preamble field, the preamble consists of ten identical short training symbols and two identical long training symbols. The smart jammer is designed to affect the header of the 802.11p frame sent from to . When the next OFDM signal can be transmitted, there is an idle time of required to set up the next transmission. If the detected energy exceeds the threshold during a certain time span , an ongoing 802.11p transmission is assumed by the jammer. The time interval of the detection is the sum between the idle time and a small value as the detection time to avoid reacting to sporadic noise power peaks. In the case where the detected energy exceeds the threshold during a certain time span, the jammer starts its transmission for a duration of in order to jam a substantial part of the packet header to prevent being decoded by the receiver, as illustrated in Figure 2.
在干扰场景中,我们假设网络中不存在干扰器。该方案有助于评估我们的方法在区分干扰和干扰方面的效率。当车辆在某个时候经过具有明显射频干扰的区域时,车辆就会行驶,该区域会影响与其他车辆或 RSU 的通信。智能攻击场景模拟智能干扰器行为[32]。这种智能干扰器设计为在感应到能量超过特定阈值时以反应性方式开始传输。我们将后者设置为,因为根据经验,它被确定为干扰器灵敏度和错误传输检测率之间的平均阈值[18,33]。使用这个最小阈值,反应性干扰器可以检测到每个正在进行的传输。车载环境无线接入标准协议 (WAVE) IEEE 802.11p 正交频分复用 (OFDM) 帧格式由 OFDM PHY 层收敛协议 (PLCP) 前导码、PLCP 报头、MAC 报头、波形短报文协议 (WSMP) 报头、PLCP 服务数据单元 (PSDU)、尾位和焊盘位组成。在 PLCP 前导码字段中,前导码由 10 个相同的短训练符号和 2 个相同的长训练符号组成。智能干扰器旨在影响从 发送到 的 802.11p 帧的标头。当可以传输下一个OFDM信号时,需要一个空闲时间来设置下一个传输。如果检测到的能量在一定时间跨度内超过阈值,则干扰器假定正在进行的802.11p传输。检测的时间间隔是空闲时间与检测时间的小值之间的总和,以避免对零星噪声功率峰值做出反应。 如果检测到的能量在一定时间跨度内超过阈值,干扰器将开始传输一段时间,以干扰数据包报头的很大一部分,以防止被接收器解码,如图 2 所示。
Specifically, a smart jammer starts following the victim vehicle, while transmitting a jamming signal. When the jammer reaches its target at a distance of about , it retreats to a different position in order to stay undetected and transmits in a reactive way as described above. The most common approach in [33] is when the jammer keeps changing its transmission power, thus achieving the same disrupt or thwart in the communication (DoS attack) without the need of changing its distance from the target. With our smart attack, we aim at affecting the communication of the – pair, with the jammer detection being more difficult, pointing out the importance of the proposed VRS metric for the detection accuracy results. For that reason, the smart jammer alters also its position with the aim of staying undetected.
具体来说,智能干扰器开始跟随受害车辆,同时发送干扰信号。当干扰器在大约距离内到达目标时,它会撤退到不同的位置以保持不被发现,并以如上所述的反应方式进行传输。[33]中最常见的方法是干扰器不断改变其发射功率,从而在通信中实现相同的中断或阻挠(DoS攻击),而无需改变其与目标的距离。通过我们的智能攻击,我们旨在影响-对的通信,干扰器检测更加困难,指出了所提出的VRS指标对检测精度结果的重要性。出于这个原因,智能干扰器也会改变其位置,以保持不被发现。
In the constant attack scenario, we study the case of a jammer that follows the receiver while transmitting constantly at a minimum power. When the jammer reaches its target, it begins transmitting constantly with its full power without any intention to stay undetected as in the smart attack scenario.
在持续攻击场景中,我们研究了干扰器跟随接收器同时以最小功率不断发射的情况。当干扰器到达目标时,它开始以全功率不断发射,而无意像在智能攻击场景中那样不被发现。
4. Proposed Detection System Based on Supervised Learning
4. 基于监督学习的检测系统
4.1. Relative Speed Estimation
4.1. 相对速度估计
In this section, we present the basic idea regarding the estimation of the relative speed between the jammer and the victim vehicle. Based on the obtained values, the VRS metric is generated and then used for classification. The relative speed metric as defined in [10] is
在本节中,我们介绍了有关估计干扰器与受害车辆之间相对速度的基本思想。根据获取的值生成VRS指标,然后用于分类。[10] 中定义的相对速度指标为where and are the speed of the jammer and the speed of the receiver, respectively.
其中 和 分别是干扰器的速度和接收器的速度。
From (3), the multipath combined channels are estimated, using a minimum mean square error (MMSE) estimator [9]. By exploiting the Doppler phenomenon for modeling the LOS channel between the jammer and the receiver, we estimate the above-defined relative speed metric, as described in [9]. Note that the jammer estimation method is based on the passive communication between –.
4.2. Proposed Algorithm
To make our detection method robust, apart from using physical and network metrics that were already used in related works, we use the VRS metric that is derived from the application layer and can be efficiently estimated from the RF signals (see Section 4.1). Our method uses this new metric, as an extrafeature in a cross-layer approach, along with other metrics from the physical layer for the classification process. All these metrics are presented in Table 1.
To generate the VRS metric for classification, we make three fundamental assumptions [34]:(1)When the relative speed is equal to zero and remains unchanged, it indicates the existence of a constant jammer that follows the victim vehicle(2)When the relative speed is not equal to zero and remains unchanged, it indicates the absence of a moving jammer as the relative speed is equal to the speed of the receiver and the speed of the jammer is equal to zero(3)When the relative speed is not equal to zero for a period of time and then becomes zero while remaining unchanged, it indicates the existence of a jammer that begins following the target after reaching it
The common characteristic of these assumptions is that the speed of the participating nonmalicious vehicles remains unchanged and is always greater than zero.
However, in a real-life scenario, such as the one that we study, the speed—and as a consequence the relative speed—may not remain constant during the observation period. In other words, if we want to accurately model an urban environment, we have to consider the fact that the vehicles can alter their travelling speed. To handle these real-life situations, while still using the previously presented assumptions, we introduce the Variations of Relative Speed (Algorithm 1) (VRS algorithm).
|
The VRS algorithm detects changes in the relative speed of the training sample. To ensure that the relative speed in the current time instance along with the speed from previous as well as subsequent observations are used along with a series of control flow statements, the algorithm is divided into two main parts; the first considers the case in which the relative speed value is not equal to zero and the second the opposite case, each one with its own logical checks to determine the existence of a threat.
Apart from the estimated relative speed, in order to handle cases of speed alterations, the speed of the receiver has to be examined as well. If is not equal to zero, then either there is no jammer present (and only interference may potentially affect the wireless communication) or there is a jammer that has not yet reached the receiver. To identify in which case we are, we have to examine whether or not there has been a variation in the relative speed compared to a previous time instance.
Observing a variation in the relative speed, however, it is not, by itself, a clear indicator of the presence or absence of a jammer. For that reason, the speed of the receiver is, also, used. The equality between the relative speed () and the speed , while changes, indicates the absence of a jammer, since the speed of the jammer is equal to zero and the speed of the receiver is in fact the relative speed. On the contrary, a difference between and indicates the presence of a jammer that follows the receiver.
On the contrary, if no alteration of the relative speed is observed while the relative speed value is not equal to the speed value, a possible presence of a jammer is registered. This could occur in a situation where the target vehicle would reduce its speed due to an obstacle. Following our assumption, the jammer would, also, decrease its travelling speed, thus keeping the relative speed unchanged but also different from the travelling speed of the receiver. Contrary to the previous, if no alteration in the relative speed value is observed (for the previous and the next measurement), while having , we conclude that a jammer is not following the receiver.
Having examined the case where the observed relative speed value is not equal to zero, we proceed to the opposite case. With , a simplistic form of the proposed algorithm (VRS algorithm) is presented, indicating the existence of a jammer that has reached its target and follows it closely with the same speed. A real-life environment, however, is more complicated. If the travelling speed of the receiver is not equal to zero, while , a jammer has reached the receiver and follows it while disrupting the communications. On the contrary, if the travelling speed is zero (while ), there might be a jammer present that has stopped moving (following the behavior of the target). In that case, we have to examine the previous observation for equality between relative speed and travelling speed as well as the trigger value to determine the situation.
The variables and represent an array of estimated relative speed values and real travelling speed values of the receiver, respectively, M is the number of the available observations upon which the algorithm operates, vrs is an array used to store the classification result (A for attack or NA for not attack) of the current observation, and trigger is a binary variable which indicates the presence of a jammer (value is equal to 1) or its absence (value is equal to 0). The NA and A values are two extreme and distinct values able to differentiate the attack from the no attack cases and guide the classification process.
4.3. Supervised Learning Algorithms
The supervised learning methods that are used in this work are KNN [35] and random forests [36]. Their choice does not affect the efficiency of our algorithm as our proposed feature is not constrained by the type of the supervised learning algorithm that is used. The VRS (Algorithm 1) generates the new metric which is used as an extrafeature for classification.
Both supervised learning techniques are very popular, with the KNN being robust against noisy training data like the ones obtained from a real-life urban environment and random forests being one of the most accurate algorithms, due to the fact that it reduces the chance of overfitting (by averaging several trees, there is a significantly lower chance of overfitting). As it is previously stated, our detection scheme is currently based on offline training that leverages the use of a dataset of collected measurements in order to train the classifier.
5. Simulation Setup
Figures 3(a)–3(c) illustrate the behavior of the jammer by plotting how SINR varies in time for each of the three scenarios, namely, interference scenario, smart attack scenario, and constant attack scenario.
5.1. Supervised-Learning Testing Cases
Apart from the scenarios that we use to evaluate the performance of the overall system, we also created a series of test cases that are presented in Table 2. They allow for a deeper exploration of the proposed method depending on the set of observations that are utilized for both training and testing.
These cases only affect how the training and testing is performed, without any further implications in the scenarios. They are created in such a way so as to provide insight about the importance of using the VRS metric for classification under different circumstances [37]. Specifically, it is evaluated for the cases that use or omit the VRS metric as an extrametric for the classification process. For the sake of completeness, the trained prediction model is also tested using data that were collected under a receiver speed of 25 m/s, that is, under a speed different from the 15 m/s that we trained the prediction model. We also conducted additional experiments using data measurements from the 25 m/s receiver speed range used for training. Finally, the data are normalized prior to their use for training and testing. By normalization, we refer to the process of changing the data so as to belong in the 0-1 range. It should be noted that, in all the other cases than those declared, the data are not normalized prior to their use for training and testing.
5.2. VANET Simulation Assumptions
Regarding the details of our simulation setup, the speed of the vehicles involved in the legitimate communication , the initial distance between the jammer and the pair of –, the distance that separates the receiver from the transmitter throughout the course of the simulation as well as the power of all the transmitted signals , and the reference distance , with which the path loss component is estimated, are presented in Table 3.
The power of all transmitted signals is measured in milliwatts (mW) and is converted in the dBm scale prior to using them in the algorithm. Each signal that is transmitted from both the jammer and the transmitter consists of streams that are 500 bits long. In all scenarios, 1000 packets are transmitted from the transmitter to the receiver. Using a time sample of 0.1 sec, we simulate the system for 100 seconds and obtain 1000 measurements.
We used Veins that combines the Simulation of Urban Mobility (SUMO) and the OMNET++/VEINS [38]. SUMO is adopted as our traffic simulator and OMNET++ is used to simulate the wireless communication. Furthermore, the GEMV (a geometry-based efficient propagation model for V2V) [39] tool was integrated into the VEINS network simulator for a more realistic simulation of the PHY layer [32]. For describing the modeled area, GEMV takes the map of a real area as an input and uses the outlines of vehicles, buildings, and foliage. Based on the outlines of the objects, it forms R-trees. R-tree is a tree data structure in which objects in the field are bound by rectangles and are hierarchically structured based on their location in space. Hence, GEMV employs a simple geometry-based small-scale signal variation model and calculates the additional stochastic signal variation and the number of diffracted and reflected rays based on the information about the surrounding objects. Last, to set up and test our classification algorithms for the RF jamming attacks detection on the previously obtained data, we chose to use the programming language R [40]. Part of the Erlangen city (see the evaluation setup in [41]) is used for conducting the simulations.
6. Evaluation
6.1. Detection System Evaluation Setup
To underline the significance of our proposed system, we implement and analyze the performance of our model under the different cases presented previously. In particular, for each supervised learning testing case presented in Table 2, we execute a simulation which lasts for 300 seconds and is equally split in the three jamming scenarios discussed in Section 3.4 so that the first 100 sec represent the smart attack scenario, the next 100 sec represent the interference scenario, and the last 100 sec represent the constant attack scenario. All the above scenarios are independent from each other and are run at consecutive time instants.
To avoid testing with “previously seen data,” thus leading to biased classification results, we have to ensure that the training and testing sets are completely separated. So, prior to presenting the classification results, we have to define the size of the training and testing sets as well as the total number of observations used, so as to make them more interpretable. The overall simulation utilizes a set of 3000 observations equally split into the three attack scenarios examined. To avoid overfitting (overfitting occurs when the classifier tends to memorize the training set and thus generalize poorly when facing previously unseen data), only 30% of the total number of the observations are used for training, while the remaining 70% are used for testing.
Based on the ratio above, the number of the observations in the training set is 941 (that is, 293 observations from the interference scenario, 319 from the smart attack scenario, and 329 from the constant attack scenario), whereas the number of the observations in the testing set is 2059 (that is, 703 observations from the interference scenario, 685 from the smart attack scenario, and 671 from the constant attack scenario), randomly chosen but almost equally split among the three scenarios in both cases.
根据上述比率,训练集中的观测值数量为 941 个(即来自干扰场景的 293 个观测值、来自智能攻击场景的 319 个观测值和来自持续攻击场景的 329 个观测值),而测试集中的观测值数量为 2059 个(即来自干扰场景的 703 个观测值, 685 来自智能攻击场景,671 来自持续攻击场景),随机选择,但在两种情况下几乎平均分配在三种场景之间。
To present the classification results, the confusion matrix is used, where the rows represent classification output and the columns represent the ground truth. To evaluate the performance of our detection system in the various scenarios previously described, we use the accuracy of the prediction model. Accuracy is a measure that is obtained from the confusion matrix and is equal to the ratio of all the correctly predicted labels over all the predictions. The correctly predicted labels are the labels of the main diagonal of the confusion matrix. As an example of the above-defined confusion matrix for the accuracy calculation of our prediction model for the Same_KNN case compared to the Same_KNN-VRS case, we present the subsequent confusion matrices for the KNN algorithm (see Table 4).
为了显示分类结果,使用了混淆矩阵,其中行表示分类输出,列表示基本事实。为了评估我们的检测系统在前面描述的各种场景中的性能,我们使用了预测模型的准确性。准确度是从混淆矩阵中获得的度量,等于所有正确预测的标签与所有预测的比率。正确预测的标签是混淆矩阵主对角线的标签。作为上述定义的混淆矩阵的一个例子,用于与Same_KNN-VRS情况相比,我们的预测模型在Same_KNN情况下的准确性计算,我们提出了KNN算法的后续混淆矩阵(见表4)。
6.2. Same_KNN-VRS vs. Same_KNN and Same_RaFo-VRS vs. Same_RaFo Case Classification Results
6.2. Same_KNN-VRS 与Same_KNN 和 Same_RaFo-VRS 与Same_RaFo病例分类结果
Starting from the first case, the accuracy of the prediction model achieved while using the VRS metric as an extrafeature in the classification process is 82.27% for the KNN and 80.04% for the random forest algorithm.
从第一种情况开始,在分类过程中使用VRS指标作为额外特征时,预测模型的准确率为KNN的82.27%,随机森林算法的准确率为80.04%。
On the contrary, when omitting the VRS metric, we observe not only a drop in the classification accuracy but also a high confusion between interference and jamming cases. The accuracy of the prediction model is now equal to 79.16% and 76.54% for the KNN and the random forest algorithms, respectively, so the impact of the VRS metric is evident. Apart from the fact that it increases the success rate of the classification (compared to the cases where the VRS metric is omitted) it ensures, almost perfectly, the differentiation between the cases of intentional and unintentional jamming (see Table 5).
相反,当省略VRS指标时,我们不仅观察到分类精度下降,而且干扰和干扰情况之间也高度混淆。对于 KNN 和随机森林算法,预测模型的准确率现在分别等于 79.16% 和 76.54%,因此 VRS 指标的影响是显而易见的。除了它提高了分类的成功率(与省略VRS指标的情况相比)之外,它几乎完美地确保了有意和无意干扰情况的区分(见表5)。
6.3. Different_KNN-VRS vs. Different_KNN and Different_RaFo-VRS vs. Different_RaFo Case Classification Results
6.3. Different_KNN-VRS 与 Different_KNN 和 Different_RaFo-VRS 与 Different_RaFo 案例分类结果
As stated previously, these cases examine the situation in which training and testing are based on observations that were collected under different speeds. The accuracy achieved while using the VRS metric as an extrafeature in the classification process is equal to 66.97% for KNN and 69.84% for random forest, respectively.
如前所述,这些案例检查了训练和测试基于在不同速度下收集的观察结果的情况。在分类过程中使用 VRS 指标作为额外特征时,KNN 和随机森林的准确率分别为 66.97% 和 69.84%。
On the contrary, when the VRS metric is not used, the accuracy of the prediction model is reduced to 56% for the KNN and to 55.37% for the random forest algorithm. Figures 4 and 5 provide insight to the results for the random forest, respectively.
相反,当不使用 VRS 度量时,KNN 的预测模型准确率降低到 56%,随机森林算法的准确率降低到 55.37%。图 4 和图 5 分别提供了对随机森林结果的见解。
The color of the figures indicates the class in which each observation is predicted to belong to. The smart attack scenario is represented by the red and lasts for the first 100 seconds, the interference scenario is represented by the black lasts for the time interval 100–200 seconds, and the constant attack scenario is represented by the green color and lasts for the time time interval between 200 and 300 seconds(as described in Section 5.2). In Figure 4, we explain in more detail the detection process for each scenario:
图形的颜色表示每个观测值所属的类。智能攻击场景用红色表示,持续前 100 秒,干扰场景用黑色表示,持续 100-200 秒,持续攻击场景用绿色表示,持续 200 到 300 秒(如第 5.2 节所述)。在图 4 中,我们更详细地解释了每个场景的检测过程:(1)The appearance of black or green colors in the smart attack scenario (0–100 seconds) indicates the misclassification of this scenario with the interference and the constant attack scenarios, respectively. On the contrary, the points with red color indicate a correct detection of this attack scenario.
在智能攻击场景(0-100 秒)中出现黑色或绿色表示该场景分别与干扰和持续攻击场景进行了错误分类。相反,带有红色的点表示正确检测到此攻击场景。(2)The points with green or red colors in the interference scenario (100–200 seconds) indicate the misclassification of this scenario with the constant attack scenario and the smart attack scenario, respectively. The black color indicates a correctly detected of the interference scenario.
干扰场景(100-200 秒)中带有绿色或红色的点分别表示该场景与持续攻击场景和智能攻击场景的错误分类。黑色表示正确检测到干扰情况。(3)Lastly, for the constant attack scenario during the time interval between (200–300 seconds), the presence of points with black or red colors indicates the misclassification with the interference and the smart attack scenarios, respectively. On the contrary, the appearance of the green color indicates a proper detection of the sonstant attack scenario.
最后,对于在200-300秒之间的时间间隔内的持续攻击场景,黑色或红色点的存在分别表示干扰和智能攻击场景的错误分类。相反,绿色的出现表明正确检测到了 sonstant 攻击场景。
Based on the classification results presented above, we can reach an important conclusion. When testing the prediction model with observations from a different speed—compared to the one used in training—we observe an overall reduction in accuracy. Nevertheless, the use of the VRS metric significantly increases prediction accuracy (in both supervised algorithms examined in this paper), while also achieving a clear separation between interference and jamming.
根据上面给出的分类结果,我们可以得出一个重要的结论。当使用不同速度的观测值(与训练中使用的观测值相比)测试预测模型时,我们观察到准确性总体上有所降低。尽管如此,VRS度量的使用显著提高了预测精度(在本文研究的两种监督算法中),同时还实现了干扰和干扰之间的明确分离。
6.4. Norm_KNN-VRS vs. Norm_KNN and Norm_RaFo-VRS vs. Norm_RaFo Case Classification Results
6.4. Norm_KNN-VRS 与 Norm_KNN 和 Norm_RaFo-VRS 与 Norm_RaFo 案例分类结果
In these two cases, we try to determine whether normalizing the data prior to using them in training and testing affects the classification results, with and without the use of the VRS metric. The accuracy achieved while using the VRS metric is equal to 81.25% for the KNN algorithm and 80.09% for the random forest, with its omission leading to an accuracy equal to 78.1% and 76.4%, respectively. Once more, the use of the VRS metric in the classification process leads to a upturn in the accuracy of the prediction model. In addition to that, if we compare the previous classification results of the Same_KNN and Same_RaFo cases with the respective ones that derive when no normalization is applied to the data prior to their use, we observe that there is no significant increase in accuracy results. Thus, we conclude that a normalization of the measurements is not necessary. It should be noted that in all the previous and the next presented classification results, the data are not normalized prior to their use for training and testing.
在这两种情况下,我们尝试确定在训练和测试中使用数据之前对数据进行规范化是否会影响分类结果,无论是否使用 VRS 指标。使用 VRS 指标时,KNN 算法和随机森林的准确率分别为 81.25% 和 80.09%,省略 VRS 指标时,准确率分别为 78.1% 和 76.4%。再一次,在分类过程中使用 VRS 指标会导致预测模型的准确性提高。除此之外,如果我们将 Same_KNN 和 Same_RaFo 案例的先前分类结果与在使用之前未对数据应用归一化时得出的相应结果进行比较,我们观察到准确性结果没有显着提高。因此,我们得出结论,没有必要对测量进行归一化。应该注意的是,在之前和接下来呈现的所有分类结果中,数据在用于训练和测试之前不会进行归一化。
6.5. Same_KNN-VRS_25 m/s vs. Same_KNN_25 m/s and Same_RaFo-VRS_25 m/s vs. Same_RaFo_25 m/s Case Classification Results
6.5. Same_KNN-VRS_25 m/s 与 Same_KNN_25 m/s 和 Same_RaFo-VRS_25 m/s 与 Same_RaFo_25 m/s 案例分类结果
As already stated, our RF jamming attack detection system is based on offline training, using a dataset of measurements collected under a speed of 15 m/s so as to train the classifier prior to its use for testing. For the sake of completeness, we examine the Same_KNN-VRS and Same_RaFo-VRS and Same_KNN and Same_RaFo cases presented previously using the data measurements from a higher speed at about 25 m/s speed range for training.
如前所述,我们的射频干扰攻击检测系统基于离线训练,使用在 15 m/s 速度下收集的测量数据集,以便在用于测试之前训练分类器。为了完整起见,我们检查了 Same_KNN-VRS 和 Same_RaFo-VRS 以及之前介绍的Same_KNN和Same_RaFo案例,使用在大约 25 m/s 速度范围内从更高速度测量的数据进行训练。
For the Same_KNN-VRS_25 m/s and Same_RaFo-VRS_25 m/s cases, the accuracy of the prediction model achieved is equal to 94.46% for the KNN and 94.61% for the random forest algorithm. For the Same_KNN_25 m/s and Same_RaFo_25 m/s cases, on the contrary, the calculated accuracy is equal to 88.68% for the KNN and 89.22% for the random forest algorithm, respectively.
对于 Same_KNN-VRS_25 m/s 和 Same_RaFo-VRS_25 m/s 的情况,KNN 和随机森林算法的预测模型准确率分别为 94.46% 和 94.61%。相反,对于 Same_KNN_25 m/s 和 Same_RaFo_25 m/s 的情况,KNN 和随机森林算法的计算精度分别为 88.68% 和 89.22%。
From the classification results presented above, an important observation can be made. There is an increase in classification accuracy when the training is done using data from a higher speed. The higher classification accuracy comes from the fact that the increase in speed adversely influences the effects of jamming. More concretely, in the constant attack scenario, the jammer overtakes the sender-receiver pair faster, in the interference scenario, the sender-receiver pair remains in the jamming area for a shorter period of time, and in the smart attack scenario, the jammer reaches its target at a higher speed, thus the gradual effect of the jamming observed at lower speeds is greatly reduced. All the above lead to a significant increase in the quality of the measurements obtained, hence leading to higher classification accuracy as well as to better distinction between the different types of jammers affecting the communication, as seen in Figure 6, for the KNN algorithm.
从上面介绍的分类结果中,可以得出一个重要的观察结果。当使用更高速度的数据完成训练时,分类准确性会提高。更高的分类精度来自这样一个事实,即速度的增加会对干扰的影响产生不利影响。更具体地说,在持续攻击场景中,干扰机更快地超越发送-接收对,在干扰场景中,发送-接收对在干扰区域停留的时间较短,而在智能攻击场景中,干扰机以较高的速度到达目标,因此在较低速度下观察到的干扰的渐进效应大大降低。综上所述,所获得的测量质量显著提高,从而提高了分类精度,并更好地区分了影响通信的不同类型的干扰器,如图6所示,对于KNN算法。
We also investigate more thoroughly the effect of the relative speed metric in the detection probability of a RF jamming attack in a multiclass environment with three classes (class of reactive jamming attack, class of continuous jamming attack, and class of interference). In Figure 7, we present the detection probabilities of the proposed model using the KNN algorithm for a range of relative speed . We observe that, in the medium range of values, we achieve a perfect RF jamming detection result. This result is attributed to the specific characteristics of each type RF jamming attack. Specifically, the continuous jammer transmits continuously deteriorating the wireless communication between the transmitter-receiver. On the contrary, the reactive jammer starts its activity only when it retreats to a safe position (close to the receiver). So, for a small range of values, both types of RF jamming attackers (reactive and continuous) have started their attack leading to several misclassification errors between the two corresponding classes. Finally, at higher values over , we have some misclassification errors between the classes of reactive jamming and interference because the relative speed value is approximately equal to the speed of the receiver () when there is no attacker in the area but only a static RSU that interferes the wireless communication between the transmitter-receiver.
我们还更深入地研究了相对速度指标在具有三类(反应性干扰攻击、连续干扰攻击和干扰类)的多类环境中射频干扰攻击检测概率的影响。在图 7 中,我们展示了使用 KNN 算法在相对速度范围内所提出的模型的检测概率。我们观察到,在中等值范围内,我们获得了完美的射频干扰检测结果。这一结果归因于每种类型的射频干扰攻击的特定特征。具体而言,连续干扰器发射不断恶化发射机-接收机之间的无线通信。相反,无功干扰器只有在撤退到安全位置(靠近接收器)时才开始活动。因此,对于小范围的值,两种类型的射频干扰攻击者(反应式和连续式)都开始了攻击,导致两个相应类别之间的几个错误分类错误。最后,在较高的值下,我们在无功干扰和干扰类别之间存在一些误分类错误,因为当该区域没有攻击者而只有一个静态RSU干扰发射机-接收机之间的无线通信时,相对速度值大约等于接收机的速度()。
In Table 6, we summarize the classification accuracy, exploiting the usage of the proposed VRS metric as an extra feature, achieved while training with measurements from a speed of 15 m/s and a speed of 25 m/s, respectively.
在表 6 中,我们总结了分类准确性,利用所提出的 VRS 指标作为额外特征的使用,分别在 15 m/s 和 25 m/s 的速度进行测量时实现。
6.6. Result Summary and Comparison with State of the Art
6.6. 结果总结和与现有技术的比较
Figure 8 summarizes classification accuracy percentages that are presented above. These are achieved by both the KNN and the random forest algorithms when based only on the features previously used in the literature for jamming attack detection [26], compared to the proposed approaches, KNN-VRS and RaFo-VRS, that use the VRS metric. The VRS metric increases the accuracy of the classifier and ensures almost perfect differentiation between cases of intentional and unintentional jamming. When using the VRS metric while testing with data from the same speed, there is an increase up to about in the classification accuracy. When testing with data of a different speed, the increase in accuracy is even greater up to about .
图 8 总结了上面显示的分类准确率百分比。与使用VRS度量的KNN-VRS和RaFo-VRS相比,仅基于文献中先前用于干扰攻击检测的特征[26]时,KNN和随机森林算法都可以实现这些目标。VRS 指标提高了分类器的准确性,并确保几乎完美地区分有意和无意干扰的情况。在使用相同速度的数据进行测试时使用 VRS 指标时,分类准确性会提高至高。当使用不同速度的数据进行测试时,精度的提高甚至更大,最高可达 .
We also compare the accuracy of the proposed scheme versus recent state-of-the-art work. We compare RF jamming detection methods with the same complexity and without using extrahardware (e.g., multiple antennas at the receiver [42]). For collecting the used jamming detection metrics, we assume only a completely passive scheme that is based on RF communication between the transmitter-receiver under the presence of a jammer in the area.
As we explained earlier, the authors in [24] proposed a federated learning-based on-device jamming attack detection security architecture for FANET. In order to compare our proposed RF jamming detection method with this method (Federated-Nischat-2019), we preprocess the simulated datasets to derive two unbalanced subdatasets. The first subdataset contains a higher percentage of nonjamming instances () and a lower percentage of jamming instances (). We show in Figure 9 that the method (Federated-Nischat-2019) achieves an accuracy of under the ns-3 simulated FANET dataset. This performance is better only for the cases where VRS metric is not used.
We also compare the KNN and the RaFo algorithm for reactive and constant jamming attack detection using the cross-layer combination of metrics proposed by Feng et al. named (feng2018-KNN) and (feng2018-RaFo). We observe in Figure 10 that when the receiver moves at low speeds of , we have the same accuracy. When the receiver increases its speed and it moves with a speed of , our proposed jamming detection scheme using the VRS metric achieves a much better accuracy (an increase of about ) than the competing methods.
Finally, we compare with the work of Lyamin et al. [21], where the authors use historical observation of events in the V2V channel for the jamming detection. The method is evaluated for two jamming models: random and ON-OFF jamming. To represent random jamming in our model, the reactive jammer transmits its jamming signal randomly and independently with a probability when it is triggered. When comparing the jamming detection results of the method [21] with the proposed jamming detection method for a random jammer with , we have a probability of attack detection (true positive rate) at about for the random reactive jammer, while the method in [21] achieves a probability of attack detection at about for the same type of jamming. Additionally, a priori knowledge about a platoon is employed for this method to achieve better detection results. Only when the number of receivers increases to 20 in the form of a platoon of vehicles (also increasing the received observations for the training phase), the method in [21] manages to reach the probability of attack detection that we achieve using our proposed jamming detection method with a single receiver.
最后,我们与Lyamin等人[21]的工作进行了比较,作者使用V2V信道中事件的历史观测来进行干扰检测。该方法针对两种干扰模型进行了评估:随机干扰和ON-OFF干扰。为了在我们的模型中表示随机干扰,反应性干扰器在触发干扰信号时随机且独立地传输其干扰信号。将方法[21]的干扰检测结果与所提出的随机干扰干扰检测方法进行比较时,我们发现随机反应干扰器的攻击检测概率(真阳性率)约为随机干扰器,而[21]中的方法在相同类型的干扰中实现了攻击检测概率。此外,该方法还采用了关于排的先验知识,以获得更好的检测结果。只有当接收器的数量以一排车辆的形式增加到 20 个时(也增加了训练阶段的接收观测值),[21] 中的方法才能达到我们使用我们提出的干扰检测方法实现的攻击检测概率与单个接收器。
From this set of comparative results, the effect of the proposed VRS metric in RF jamming classification is clear. Especially, when the receiver increases its speed to a speed of , the accuracy of the proposed method increases by over . This performance is much higher than the other corresponding methods in the literature.
从这组比较结果来看,所提出的VRS指标在射频干扰分类中的作用是显而易见的。特别是,当接收机将速度提高到 时,所提方法的精度提高了一半以上。这种性能远高于文献中的其他相应方法。
7. Conclusions 7. 结论
In this paper, we presented a method for detecting a specific type of DoS attack, namely, RF jamming, based on a cross-layer set of features and supervised machine learning. We introduced a novel metric from the application layer, namely, the variations of the relative speed between the jammer and the target. The relative speed is passively estimated from the combined value of the desired and the jamming signal at the target vehicle combined with metrics from the network and physical layer. To evaluate the significance of the proposed metric and its estimation algorithm, we implemented three different scenarios: two with a jammer and one with interference only.
在本文中,我们提出了一种基于跨层特征集和监督机器学习来检测特定类型的 DoS 攻击(即射频干扰)的方法。我们从应用层引入了一个新指标,即干扰器和目标之间相对速度的变化。相对速度是根据目标车辆的所需信号和干扰信号的组合值以及来自网络和物理层的指标被动估计的。为了评估所提出的指标及其估计算法的重要性,我们实现了三种不同的场景:两种使用干扰器,一种仅使用干扰。
With our work, we introduced a proactive approach against potential RF jamming attacks which is able to differentiate interference from malicious RF jamming. Additionally, it is able to distinguish the unique characteristics of each attack, especially when the offline training is conducted with a higher speed than . Through our evaluation results, we were able to highlight the vital role of the relative speed and its variations, in addition to other metrics obtained from the physical layer and in jamming detection and unintentional jamming cases differentiation, as well as in the overall increase in the prediction accuracy.
通过我们的工作,我们引入了一种针对潜在射频干扰攻击的主动方法,该方法能够将干扰与恶意射频干扰区分开来。此外,它能够区分每次攻击的独特特征,尤其是当离线训练以高于 .通过我们的评估结果,除了从物理层获得的其他指标外,我们还能够突出相对速度及其变化在干扰检测和无意干扰情况区分中的重要作用,以及在预测准确性的整体提高中。
As part of our future work, we plan to investigate the efficiency of our idea in complex vehicular networks with a large number of communicating nodes and several attackers. The target of this classification process will be the characterization of the behavior of a node as malicious or as regular node, mainly using the proposed VRS metric. The classification results can be collected and managed from a Trusted Central Authority (TCA) in an area with V2X communication. Having this information, the TCA could reroute vehicles towards more jamming friendly areas.
作为我们未来工作的一部分,我们计划研究我们的想法在具有大量通信节点和多个攻击者的复杂车辆网络中的效率。此分类过程的目标是将节点的行为描述为恶意节点或常规节点,主要使用建议的 VRS 指标。分类结果可以从具有 V2X 通信的区域中的可信中央机构 (TCA) 收集和管理。有了这些信息,TCA可以将车辆改道到更易干扰的区域。
Data Availability 数据可用性
The data presented in this study are available from the corresponding author upon request. The data are not publicly available due to privacy reasons.
本研究中提供的数据可应要求从通讯作者处获得。由于隐私原因,数据不公开。
Disclosure 披露
A preliminary version of the article appears on arxiv at https://arxiv.org/abs/1812.11886.
该文章的初步版本出现在 arxiv 上,网址为 https://arxiv.org/abs/1812.11886。
Conflicts of Interest 利益冲突
All authors declare no conflicts of interest.
所有作者均声明无利益冲突。