Anomaly-based intrusion detection of jamming attacks, local versus collaborative detection

We present intrusion detection algorithms to detect physical layer jamming attacks in wireless networks. We compare the performance of local algorithms on the basis of the signal-to-interference-plus-noise ratio (SINR) executing independently at several monitors, with a collaborative detection algorithm that fuses the outputs provided by these algorithms. The local algorithms fall into two categories: simple threshold that raise an alarm if the output of the SINR-based metrics we consider deviates from a predefined detection threshold and cumulative sum (cusum) algorithms that raise an alarm if the aggregated output exceeds the predefined threshold. For collaborative detection, we use the Dempster–Shafer theory of evidence algorithm. We collect SINR traces from a real IEEE 802:11 network, and with the use of a new evaluation method, we evaluate both the local and the Dempster–Shafer algorithms in terms of the detection probability, false alarm rate, and their robustness to different detection threshold values, under different attack intensities. The evaluation shows that the cusums achieve higher performance than the simple threshold algorithms under all attack intensities. The Dempster–Shafer algorithm when combined with the simple algorithms, it can increase their performance by more than 80%, but for the cusum algorithms it does not substantially improve their already high performance. Copyright © 2013 John Wiley & Sons, Ltd.