Channel hopping scheme to mitigate jamming attacks in wireless LANs
© The Author(s). 2017
Received: 7 June 2016
Accepted: 5 December 2016
Published: 9 January 2017
Although a jamming attack is an important problem in Wi-Fi networks, there is no effective solution to this problem yet. In this paper, we propose a new approach to resolve jamming attacks in Wi-Fi networks based on the concept of channel hopping. If we assume that the attacker does not jam all the channels simultaneously, then it might be possible to circumvent a jamming attack by changing the channel. A channel hopping mechanism is designed so that the access point (AP) and a normal user can agree on the next channel with a high probability without pre-sharing of any secret information between the AP and a user node. The proposed scheme is evaluated through experiment in a test bed.
Wireless local area networks (LANs) are getting more popular nowadays because of easy deployment and the introduction of diverse types of Wi-Fi devices. However, despite all the advantages offered, wireless communication suffers from security vulnerabilities, such as jamming attacks, denial of service (DoS) attacks, or man-in-the-middle (MITM) attacks. One important issue among them is the jamming attack. An attacker with a radio transceiver intercepts a transmission, injects spurious packets, and blocks or jams the legitimate transmission [1–3]. The shared nature of the wireless medium allows the jammer to disable the entire network within the radio range. In this case, the jamming attack is regarded as a wireless version of a DoS attack. As the usage of wireless networks gets more prevalent, the jamming attack might influence a wider range of users, including military or business networks. Jammers can be classified according to their method: constant jammers, deceptive jammers, random jammers, and reactive jammers . A constant jammer continuously sends jamming signals to interfere with the victim. A deceptive jammer constantly injects regular packets and keeps the channel busy all the time. Instead of sending continuous jamming signals, a random jammer sends a jamming signal randomly from time to time. A reactive jammer sends a jamming signal after sensing transmission on the current channel.
Reactive jamming is considered more sophisticated than other methods, because detection of reactive jammers is more difficult, and they can launch different jamming attacks in the physical layer or the medium access control (MAC) layer. Moreover, the reactive jamming method is energy efficient and can be done with any Wi-Fi-equipped device. In this paper, we model the attacker node after the reactive jammer.
Several approaches have been proposed to prevent jamming [4–6]. Channel hopping is one of the most practical approaches, because it might enable packet delivery even in the presence of jammers. One of the critical issues for this method is that the next channel should be determined without prior negotiation. If any prior negotiation is done by exchanging messages between users, those messages might be intercepted by the attackers, resulting in disclosure of the next channel to the attacker. Another problem is, if we consider a Wi-Fi hot spot where users come and go frequently, it may not be easy to exchange messages with the access point (AP) in the presence of an attacker.
In order to overcome the limitations of prior negotiation-based schemes, we propose a channel hopping mechanism that provides channel agreement between user nodes and the AP without prior negotiation. We use transmission power and received signal strength (RSS) to derive a channel number common to both the user and the AP.
When two APs are within the communication range of each other, a network administrator usually assigns the channel for each AP manually to minimize interference between them, or the APs search for the least congested channel, usually among the non-overlapping channels, by themselves . However, Mishra et al.  showed that the total capacity of a wireless LAN can be improved by using partially overlapped channels among adjacent APs, rather than using only non-overlapping channels. When a specific AP is within the communication range of a jammer, even though the AP selects a partially overlapped channel as the next channel, the application traffic throughput may not be zero, depending on the physical distance between the AP and the jammer and the channel separation. Thus, in our proposed scheme we consider any channel except the jammed channel as a candidate for the next channel in order to lower the prediction ability of the jammer.
When the AP and the user select the next channel under a jamming attack, if they know the channel numbers used by other adjacent APs, then it would be better to avoid those channels as the next selection. However, when APs are densely deployed, it may not be easy to find any remaining non-overlapping channel. Furthermore, interfering channels monitored by a specific AP might be different from the channels monitored by a user node due to the hidden terminal problem. Thus, any channel except the jammed channel would be considered a candidate for the next channel in our proposed scheme, as mentioned above.
We propose a new channel hopping scheme that does not require prior negotiation.
Using transmission power and received signal strength, we determine the next channel, and implementation of the scheme does not require special devices, such as a frequency hopping spread spectrum transmitter and a receiver. Thus, the proposed scheme can be deployed in existing wireless networks.
We analytically investigate the effect of the proposed channel hopping scheme on throughput.
The rest of this paper is organized as follows. In Section 2, we review the existing approaches. In Section 3, we introduce the signal strength-based channel number generation scheme. In Section 4, we analyze the effect of the channel selection algorithm on throughput. Sections 5 and 6 describe the experiment topology and the experiment results, respectively. Section 7 concludes the paper.
2 Related work
In proactive approaches, the user node and AP change channels periodically at an interval of fixed length without checking for jammers [4, 10]. One disadvantage to this approach is that the nodes must change channels persistently, even when there is no jammer. This kind of unnecessary channel switching lowers throughput significantly. Moreover, if the next channel is determined according to a specific pattern, the scheme may not work when that pattern is detected by an attacker.
In reactive approaches, the AP and the user nodes start to change their channels after the detection of channel jamming [12, 13]. Several techniques have been proposed to detect channel jamming [14–19]. However, the main issue in this approach is to derive a new channel number that is common to both APs and users. If a jamming attack starts, it may not be possible to exchange messages between the APs and users. Most approaches rely on prior channel negotiation.
In order to implement a reactive approach, it is first necessary to detect jamming. Well-known jamming detection methods usually use packet delivery ratio, packet loss rate, packet latency, and signal strength [2, 14, 17]. Jamming detection schemes can be classified into two categories: the signal strength consistency-based approach and the location consistency-based approach. In the signal strength consistency-based approach, a low packet delivery ratio and a high received signal strength usually indicate a jamming attack. A location consistency-based approach determines the location of a node and measures throughput. If the throughput is low for a node that is close by, it might be due to a jamming attack. The signal strength consistency-based approach of Xu et al.  is used to detect a jamming attack in our proposed scheme.
Navda et al.  proposed a proactive channel hopping protocol with pseudo-random channels to avoid jamming. They assumed that the sequence of hopping channels is pseudo-random, and it is difficult to predict the next channel. However, a pseudo-randomly generated sequence is not truly random, because it is completely determined by a relatively small set of initial values. Thus, using a previous channel hopping sequence, the attacker might calculate or predict the next channel. They assumed that the channel sequence is only known to legitimate users and the AP. Another limitation of this approach is that it may not work in public Wi-Fi hot spots, where people come and leave frequently. If the users do not know the seed for the pseudo-random scheme, they cannot predict the next channel.
Frequency hopping is similar to channel surfing in that both of them change frequency during communications, but frequency hopping is a physical-layer technology, which requires more advanced transceivers, while channel hopping is a link-layer technology that can be applied to existing wireless devices without a frequency hopping feature. Lee et al.  proposed a frequency hopping method that does not require pre-key establishment before data transmission. Although they introduced a scheme to make different nodes meet on the same channel without any pre-shared information under a jamming attack, they do not discuss how different nodes can change channels in a synchronized manner afterwards. The quorum rendezvous channel hopping scheme  guarantees at least one rendezvous between two different nodes within c time slots, where c is the total number of available channels. Thus, if the channel hopping scheme proposed in  is used repeatedly, even after the first channel agreement, the throughput is likely to remain low for a large c. Contrarily, we design a channel hopping scheme carefully so as to maintain the agreement of the channels between the AP and a user node over adjacent time slots.
Yang et al.  and Tang et al.  investigated the issue of optimal power control for a user in the presence of a smart jammer. They modeled the power control problem with a smart jammer as a Stackelberg game  and investigated an optimal strategy to control the transmission power of the user with a utility defined based on the signal-to-interference-plus-noise ratio (SINR) reward and power consumption penalty. However, the utility did not include the factor of throughput between the legitimate transmitter and receiver, which is an important performance metric in wireless LAN environments. When the channel of an AP is fixed, if an attacker jams that channel continuously, simple power control on that channel may not be enough to overcome a low-throughput problem. Channel switching might be needed in this case. However, channel switching, i.e., coordinated channel switching between the AP and a user node, has not been specifically discussed in those game theory-based approaches yet.
3 Signal strength-based channel number generation
Major parameters and variables
Clear channel assessment (CCA) level for 802.11g
Adjusted RSS value, i.e., summation of its own transmission power and received signal strength
Group size, i.e., a margin to determine the similarity between two different RSS values
Transmission power of node i for the jth packet
Received signal strength of the lth packet measured at node k
Channel switching time (= channel sojourn time = time slot)
Channel number in the nth time slot
Number of available channels in 802.11g
Average traffic rate during the time slot where the AP and a user node stays on the same channel
r a ran
Average throughput when the AP and the user node randomly select the next channel
r a sel
Average throughput when the AP and the user node select the next channel according to our proposed scheme
Channel disagreement probability, i.e., probability that the AP and a user node select different next channel numbers under the condition they stay on the same channel in the current time slot
Probability that the AP and the user node select the same next channel number under the condition that they stay on different channels in the current time slot
The received signal strength depends on the distance between the user and the AP. If two user nodes stay at two different positions from the AP, they have different signal strength values for the frames coming from the AP. That means we can measure different signal strengths from different locations around the AP. Even though an attacker is located near a user, the signal strength measured by the attacker might be different from that of the user. Thus, it is not easy to measure signal strength between two remote nodes. We will use this feature as a key to determine the next channel [24, 25].
According to Chen et al. , the property of reciprocity declares that bidirectional wireless channel states should be identical between two transceivers at a given instant of time. However, this may not always be true in a real environment.
Let us assume that the AP and a user node exchange two frames, one in each direction, and measure the signal strength at the same time. Let S 1 and S 2 denote the signal strength (in dBm) measured by the AP and by the user node, respectively. If we compare S 1 and S 2 as floating point numbers, they might be close to each other, but a complete agreement between them will be a very rare event. This means that if each node attempts to generate the next channel number using S 1 or S 2 at floating point precision, then they are not likely to agree on the same channel number.
In Fig. 1, if the measured signal strength belongs to the interval [δ 0 + (i − 1)δ, δ 0 + iδ], then that signal strength belongs to group G i , and the next channel is generated using group index i instead of the signal strength value itself to induce the same next channel number, assuming the measured signal strength values are similar between the AP and user node. The group size δ determines the resolution for signal strength comparison.
3.1 Next channel number generation scheme
If a legitimate client and the AP communicate on a static channel, jammers can easily identify the channel and can jam that channel indefinitely. Hopping methods usually require legitimate users to move to another channel in order to avoid the jammer. There are two approaches to avoid jamming: proactive and reactive. Our proposed scheme follows the reactive approach, and in our scheme, each user node and the AP move to another channel only after finding that the current channel is jammed.
Tx(A,1) on the left-hand side of the above equation is the packet transmission power at node A. Because the transmission power at node A is determined by node A, node A knows the value of Tx(A,1). Rx(A,2) is the received signal strength measured by node A for the second packet. Thus, node A knows this value as well. Node B knows the values of Tx(B,2) and Rx(B,1) for similar reasons. Equation (2) can be summarized as follows. Even when the transmission power is different between two communicating nodes, if they add their own transmission power (in dBm) to the received signal strength (in dBm), then the two communicating nodes can obtain the same summation value by Eq. (2), which is referred to as adjusted RSS value in this paper, in case of path loss symmetry on the bidirectional channel. S denotes the most recent value of adjusted RSS, and this can be used as a seed to generate the next channel number.
where c is the number of available channels, h() is a uniform random hash function, and x||y means bit-level concatenation of x and y, and we use MD5 for h() in this paper. ⌊x⌋ is the largest integer that is less than or equal to x. The outcome of the hash function will be a non-negative integer, but it can be a large number, although the number of available channels is usually limited to a small number. In this paper, we consider IEEE 802.11g, and, thus, the number of channels is 11. We apply the modular operator % to map a large integer, the outcome of the hash function, to one of the available channel numbers with c of 11. We use ⌊(S − δ 0 )/δ⌋, which is referred to as the quantized RSS value in this paper, instead of the adjusted RSS value (S) itself in order to increase the channel agreement probability between the AP and the user, as explained in Fig. 1.
According to Eq. (3), the next channel number C n is determined based on the previous channel number C n − 1 and the adjusted RSS value S. Thus, the AP and the user node that share the same previous channel number are likely to share the same next channel number as long as they observe a similar signal strength.
Our scheme is based on the reciprocity of wireless channels, meaning that the channel gain between two nodes is identical when the role of each node changes, i.e., the transmitter becomes the receiver while the receiver becomes the transmitter. It is well known that channel reciprocity holds even in multipath fading channels with slow/fast fading [27, 28]. In practice, however, channel reciprocity may not always be true, since the channel measurement times are not identical at each node, and the noise level depends on the transceiver circuit. Indeed, there are many approaches to ensure channel reciprocity in wireless systems, such as interpolation and filtering . The interpolation methods emulate the identical channel measurement times at the nodes [29, 30] and the filtering methods eliminate the high frequency components in noise [31, 32]. Unfortunately, these techniques are not perfect. That is the reason we use the quantized RSS value in Eq. (3) instead of the adjusted RSS value, as is. As the signal strength group size δ increases, our scheme becomes more robust to imperfect channel reciprocity. However, when δ increases, the attacker might easily obtain the quantized RSS value of the user node or the AP from its own signal strength measurement. If the attacker can calculate the next channel from Eq. (3) in this case, the throughput will be lowered again. We analyze the effect of δ on throughput through experiment in Section 6.
3.2 Attacker model
We assume that the attacker is fully aware of our proposed protocol. We assume that the jammer node also has the same performance as a usual node, and the jammer cannot jam all channels at the same time. We consider a reactive jammer model in this paper. In more detail, the attacker first attempts to guess the channel number of the AP according to the formula of our proposed protocol, i.e., Eq. (3). If there is a hit on the channel number, then the attacker launches a jamming attack. Otherwise, the attacker scans the busy channel and launches a jamming attack on the detected busy channel until the AP leaves the channel. If the AP changes channels, then the attacker repeats the same attack pattern of channel guessing, scanning, and jamming. The attacker uses a MAC layer jamming attack method.
4 Effect of channel selection scheme on throughput
We next consider the average throughput (r a sel) when the AP and the user node select the next channel according to our proposed scheme. In our scheme, the probability that the AP and the user node select the same next channel can be different, depending on whether they are currently on the same channel. If the AP and the user node stay on the same channel in the current time slot, then they can select the same channel again with a very high probability of 1 − p e , according to the algorithm described in Section 3, where p e is the channel disagreement probability between the AP and a user node from inconsistent signal strength measurement. However, they may select a different channel with a low probability of p e if the adjusted RSS values are significantly different between those two nodes.
Let p a denote the probability that the AP and the user node select the same next channel number under the condition that they stay on different channels in the current time slot. If the AP and the user node stay on a different channel in the current time slot, then the user node first detects the discrepancy between its own channel number and the channel number of the AP and actively scans the channels to find the channel of the AP. The user node can find the next channel correctly only when it acquires the channel number of the AP in a given time slot, and the quantized RSS value of the node agrees with that value of the AP by Eq. (3). Although the user node attempts to search for the channel of the AP in this case, that search may not always be successful, that is, p a may not always be equal to 1 because the channel scanning time can vary dynamically, on the order of hundreds of milliseconds in 802.11 networks .
If we compare r a ran in Eq. (7) and r a sel in Eq. (10), it is possible to show that r a sel > r a ran when c ≥ 2 and p e < p a , which is likely to be valid for a sufficiently large value of δ, because p e tends to decrease as δ increases by the definition of p e . Specifically, when p e (i.e., the channel disagreement probability) is negligibly small, r a sel gets close to r on, the theoretical upper bound of throughput, by Eq. (10).
5 Experiment topology
Specification of each node involved in the experiment
2.3 GHz Quad Core
Ubuntu 12.04 LTS
1.4 GHz Intel Celeron
Ubuntu 12.04 LTS
Wireless user node
1.4 GHz Intel Celeron
Ubuntu 12.04 LTS
Wired user node
1.4 GHz Intel Celeron
Ubuntu 12.04 LTS
6 Experiment results
In Fig. 5, when channel switching (channel sojourn) time increases, the throughput tends to decrease. As we stay on the selected channel longer, the attacker has a higher chance of jamming the channel after finding it, resulting in lower throughput. On the other hand, the channel switching time should not be too small. There must be enough time to reconfigure the connection between the user and the AP. Even though users do not authenticate and associate after changing channels, MAC layer access delay might lead to low throughput, especially when the channel sojourn time is very short . The channel switching time will be fixed at 250 ms hereafter, considering the result of Fig. 5.
Random channel selection without an attacker
Proposed scheme without an attacker
Random channel selection scheme with an attacker
Proposed scheme with an attacker
Figure 10 shows that the proposed scheme yields much higher throughput compared to the random channel selection scheme. In the proposed scheme, the throughput sometimes goes down to zero due to disagreement over channel numbers selected by the AP and the user node. However, we find that the idle period due to such disagreements is usually shorter than the busy period with higher throughput.
We proposed a new channel hopping scheme to mitigate jamming attacks in the wireless LAN environment. The proposed scheme does not require an exchange of secret keys between the AP and user node prior to a jamming attack. This makes it harder for the attacker to guess the next channel number under our proposed scheme. The next channel is determined using the previous channel number and a combination of transmission power and received signal strength between the AP and user node. Since the next channel number generation scheme is designed to exploit the path loss symmetry between the AP and a user node, they are likely to switch to the same next channel as long as they stayed on the same channel previously. In case of an attack, even though the attacker finds the current busy channel number, it cannot easily predict the next channel because the path loss information between the AP and user node is not available. The effect of the proposed channel selection scheme on throughput was investigated analytically, and the experiment results show that meaningful throughput can be achieved with the proposed scheme in the presence of a jammer, compared to nearly zero throughput of the random channel selection scheme.
In this paper, we fixed the number of wireless normal users to one, just to concentrate on the operation of our proposed scheme in an adversarial environment. When there are multiple normal users, we need to consider both the aggregate throughput of normal users and fairness of throughput for each user. This complicated issue will be investigated in our future work.
This research was supported by the 2015 Yeungnam University Research Grant.
The authors declare that they have no competing interests.
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
- N Sufyan, NA Saqib and M, Detection of jamming attacks in 802.11b wireless networks, EURASIP Journal on Wireless Communications and Networking 2013:108 (2013). doi:10.1186/1687-1499-2013-208.
- W Xu, W Trappe, Y Zhang, T Wood, The feasibility of launching and detecting jamming attacks in wireless networks. ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc) (Urbana-Champaign, IL, USA, 2005)View ArticleGoogle Scholar
- DJ Thuente and M Acharya, Intelligent jamming in wireless networks with applications to 802.11b and other networks, in Proceedings of IEEE Communication Society Military Communications Conference (MILCOM), Washington, DC, USA, pp. 1075–1081, Oct. 2006.Google Scholar
- V Navda, A Bohra, S Ganguly, D Rubenstein, Using channel hopping to increase 802.11 resilience to jamming attacks, in Proceedings of IEEE International Conference on Computer Communications (INFOCOM), Anchorage, AK, USA, pp. 2526–2530, May 2007.Google Scholar
- EK Lee, SY Oh, M Gerla, Randomized channel hopping scheme for anti-jamming communication, in Proceedings of IFIP Wireless Days (WD), Venice, Italy, pp. 1–5, Oct. 2010.Google Scholar
- K Bicakci, B Tavli, Denial-of-service attacks and countermeasures in IEEE 802.11 wireless networks. Comput. Stand. Interfaces 31(5), 931–941 (2009)View ArticleGoogle Scholar
- J Geier, Assigning 802.11b access point channels, Wi-Fi Planet, http://www.wi-fiplanet.com/tutorials/article.php/972261/Assigning-80211b-Access-Point-Channels.htm. Accessed 16 Aug 2016.
- A Mishra, V Shrivastava, S Banerjee, W Arbaugh, Partially overlapped channels not considered harmful, in Proc. of ACM SIGMETRICS, Saint-Malo, France, pp. 63–74, June 2006.Google Scholar
- K Pelechrinis, M Iliofotou, SV Krishnamurthy, Denial of service attacks in wireless networks: the case of jammers. IEEE Commun. Surv. Tutorials 13(2), 245–257 (2011)View ArticleGoogle Scholar
- W Xu, T Wood, W Trappe, and Y Zhang, Channel surfing and spatial retreats: defenses against wireless denial of service, in Proceedings of the ACM Workshop on Wireless Security (WiSe), Philadelphia, PA, USA, pp. 80–89, Oct. 2004.Google Scholar
- L Wang, AM Wyglinski, A combined approach for distinguishing different types of jamming attacks against wireless networks, in Proceedings of IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PacRim), Victoria, BC, Canada, pp. 809–814, Aug. 2011.Google Scholar
- SR Gummadi, D Wetheral, B Greenstein, S Seshan, Understanding and mitigating the impact of RF interference on 802.11 networks, in Proceedings of ACM SIGCOMM, Kyoto, Japan, pp. 385–396, Aug. 2007.Google Scholar
- W Hu, K Ma, W Trappe, Y Zhang, Jamming sensor networks: attacks and defense strategies. IEEE Netw. 20(3), 41–47 (2006)View ArticleGoogle Scholar
- A Hamieh, J Ben-Othman, Detection of jamming attacks in wireless ad hoc networks using error distribution, Communications, in Proceedings of IEEE International Conference on Communications (ICC), Dresden, Germany, pp. 1 – 6, June 2009.Google Scholar
- AL Toledo, X Wang, Robust detection of MAC layer denial-of-service attacks in CSMA/CA wireless networks. IEEE Trans. Inf. Forensics Secur. 3(3), 347–358 (2008)View ArticleGoogle Scholar
- K Pelechrinis, C Koufogiannakis, SV Krishnamurthy, On the efficacy of frequency hopping in coping with jamming attacks in 802.11 networks. IEEE Trans. Wirel. Commun. 9(10), 3258–3271 (2010)View ArticleGoogle Scholar
- G Liu, J Liu, Y Li, L Xiao, Y Tang, Jamming detection of smartphones for WiFi signals, in Proceedings of IEEE Vehicular Technology Conference (VTC), Glasgow, pp. 1–3, May 2015.Google Scholar
- M Spuhler, D Giustiniano, V Lenders, M Wilhelm, JB Schmitt, Detection of reactive jamming in DSSS-based wireless communications. IEEE Trans. Wirel. Commun. 13(3), 1593–1603 (2014)View ArticleGoogle Scholar
- O Punal, I Aktas, C Schnelke, G Abidin, K Wehrle, J Gross, Machine learning-based jamming detection for IEEE 802.11: design and experimental evaluation, in Proceedings of IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM), Sydney, Australia, pp. 1–10, June 2014.Google Scholar
- D Yang, G Xue, J Zhang, A Richa, X Fang, Coping with a smart jammer in wireless networks: a Stackelberg game approach. IEEE Trans. Wirel. Commun. 12(8), 4038–4047 (2013)View ArticleGoogle Scholar
- X Tang, P Ren, Y Wang, Q Du, L Sun, Securing wireless transmission against reactive jamming: a Stackelberg game framework, in Proceedings of IEEE Globecom, San Diego, CA, pp. 1–6, Dec. 2015.Google Scholar
- D Fudenberg and J Tirole, Game Theory, (The MIT Press, Cambridge, MA, 1991)Google Scholar
- IEEE P802.11-REVmc™/D4.0—part 11: wireless LAN medium access control (MAC) and physical layer (PHY) specifications, (Revision of IEEE Std 802.11™-2012), Jan. 2015.Google Scholar
- R Wilson, D Tse, RA Scholtz, Channel identification: secret sharing using reciprocity in ultrawideband channels. IEEE Trans. Inf. Forensics Secur. 2(3), 364–375 (2007)View ArticleGoogle Scholar
- K Zeng, Physical layer key generation in wireless networks: challenges and opportunities. IEEE Commun. Mag. 53(6), 33–39 (2015)View ArticleGoogle Scholar
- S Chen, K Zeng, P Mohapatra, Jamming-resistant communication: channel surfing without negotiation, in Proceedings of IEEE Conference on Communications (ICC), Cape Town, South Africa, pp. 1 – 6, May, 2010.Google Scholar
- J Zhang, TQ Duong, A Marshall, R Woods, Key generation from wireless channels: a review. IEEE Access 4, 614–626 (2016)View ArticleGoogle Scholar
- Zhang, et. al., “Experimental study on channel reciprocity in wireless key generation,” in Proceedings of IEEE International Workshop on Signal Processing Advances in Wireless Communications (SPAWC), Edinburgh, UK, 2016.Google Scholar
- N Patwari, J Croft, S Jana, SK Kasera, High-rate uncorrelated bit extraction for shared secret key generation from channel measurements. IEEE Trans. Mobile Comput. 9(1), 17–30 (2010)View ArticleGoogle Scholar
- H Liu, J Yang, Y Wang and Y Chen, “Collaborative secret key extraction leveraging received signal strength in mobile wireless networks,” in Proceedings of IEEE Conference on Computer Communications (INFOCOM), Orlando, Florida, USA, 2012.Google Scholar
- H Liu, J Yang, Y Wang and Y Chen, “Fast and practical secret key extraction by exploiting channel response,” in Proceedings of IEEE Conference on Computer Communications (INFOCOM), Turin, Italy, 2013.Google Scholar
- X Zhu, F Xu, E Novak, C C. Tan, Q Li and G Chen, “Extracting secret key from wireless link dynamics in vehicular environments,” in Proceedings of IEEE Conference on Computer Communications (INFOCOM), Turin, Italy, 2013.Google Scholar
- D Murray, M Dixon, T Koziniec, Scanning delays in 802.11 Networks, in Proceedings of International Conference on Next Generation Mobile Applications, Services and Technologies (NGMAST), Cardiff, UK, pp, 255–260, Sep. 2007.Google Scholar
- P Chatzimisios, AC Boucouvalas, V Vitsas, IEEE 802.11 packet delay—a finite retry limit analysis, in Proceedings of IEEE Globecom, San Francisco, USA, pp. 950–954, Dec. 2003.Google Scholar