Effective Wireless Communication Architecture for Resisting Jamming Attacks

Over time, the use of wireless technologies has significantly increased due to bandwidth improvements, cost-effectiveness, and ease of deployment. Owing to the ease of access to the communication medium, wireless communications and technologies are inherently vulnerable to attacks. These attacks include brute force attacks such as jamming attacks and those that target the communication protocol (Wi-Fi and Bluetooth protocols). Thus, there is a need to make wireless communication resilient and secure against attacks. Existing wireless protocols and applications have attempted to address the need to improve systems security as well as privacy. They have been highly effective in addressing privacy issues, but ineffective in addressing security threats like jamming and session hijacking attacks and other types of Denial of Service Attacks. In this article, we present an “architecture for resilient wireless communications” based on the concept of Moving Target Defense. To increase the difficulty of launching successful attacks and achieve resilient operation, we changed the runtime characteristics of wireless links, such as the modulation type, network address, packet size, and channel operating frequency. The architecture reduces the overhead resulting from changing channel configurations using two communication channels, in which one is used for communication, while the other acts as a standby channel. A prototype was built using Software Defined Radio to test the performance of the architecture. Experimental evaluations showed that the approach was resilient against jamming attacks. We also present a mathematical analysis to demonstrate the difficulty of performing a successful attack against our proposed architecture.

A preliminary version of this work was presented at the IEEE International Conference on Cloud and Autonomous Computing 2017 (ICCAC 2017) [2]. This study is an extension of the previous work to which the authors now provide additional insights through deeper and more detailed experimentation and analysis. Newer algorithms have been implemented to ensure that the proposed system could be utilized for a broader class of applications. Moreover, a dedicated section has been incorporated to describe the architecture's tolerance to attacks and analyze the performance and overhead. Finally, an entire section has been added to discuss certain complexity aspects of the architecture and mathematically prove that the proposed approach shows sub-quadratic VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ time behavior for some attack scenarios. Moreover, we have confirmed that the configuration time is linear with respect to the available redundant links and the attack probability. Therefore, our resilient wireless communications architecture has demonstrated evidence of efficient performance. Our robust methodology is based upon the paradigm of a Moving Target Defense (MTD). MTD uses a diverse positioning mechanism. It randomly alters the position to constrain the exposure of existing vulnerabilities and present significantly fewer opportunities for successfully launched attacks to prevail [3], [4]. For example, we can variably readjust radio frequency communications parameters such as packet size, operating frequency, modulation scheme, and network address, to decrease the vulnerability of wireless communications. The selected methodology uses a Software Defined Radio (SDR) program for executing MTD algorithms [5]. We use two radio channels: an active channel, and the other a standby channel. The standby channel is used when an attack succeeds in damaging the active radio channel. A radio jamming attack is a DoS attack in which the attacker continuously transmits a signal that prevents communicating entities from using the services they need [6].
The remainder of this article is structured as follows. Section II discusses related works in addition to defining the technologies used to implement the solution, namely MTD and SDR. Section III provides a short background of the method. Section IV elaborates further upon the details of the execution approach. Section V exhibits our assessment of the robust methodology and explains how it can be used to tolerate large numbers of attacks. Section VI shows execution time measures and proves the sub-quadratic complexity of some elements in our approach that contribute to sustaining its temporal efficiency. Finally, Section VII concludes the paper and proposes the future direction for this research.

II. RELATED WORK A. JAMMING ATTACK MECHANISMS
Jamming attacks are the most significant type of attack against wireless communication, and can be launched through different approaches [7], [8]. In the first approach, the attacker scans the traffic to detect the Start of Frame Delimiter (SFD) to prevent the receiver from getting the transmitted packets by jamming the channel. A pseudo number agreement between the sender and the receiver for the SFD generation can prevent this type of jamming attack. In the second approach, the radio channels are periodically scanned by the jammer. If the signal power is known, the jammer will then attack the channel. The sender should use frequency hopping to defend against such an attack further altering the functioning frequency linked with every phase. In the third approach, the attacker scans all communication channels for short intervals of time in a cyclic fashion aiming to determine the active communication channel. On detecting the active communication channel, the attacker jams the channel. Communication packets are split into smaller sizes to prevent the attacker from having enough time to detect the message. In the fourth approach, a jammer sends short pulses via the channel, thus affecting all messages transmitted. Packet encoding prevents the attacker from executing this attack successfully.
Recent literature provides examples of several approaches for jamming attack detection and countermeasures. For example, a fault management scenario, in which, a fault occurs in a power network and alarm messages propagate along its nodes is analyzed in [9]. There are situations where some nodes cannot be reached because, among other possible reasons, malicious jamming attacks also occur. This leads to a situation in which other nodes do not receive the alarm message and possibly damage the nearby devices. For that reason, an approach is proposed for a Fault Detection, Isolation, and Service Restoration (FDIR) system whose main aim is to find the exact location of the fault, analyze it, and verify it. A related discussion, in the context of the power grid has been developed and a complete taxonomy of attacks including jamming has been presented in [10]. The authors discuss the obstruction of wireless sensor networks caused by jamming attacks in [11]. Using simulated scenarios and results, the significance of such obstructions could be determined.
The Maximum Attacking Strategy using Spoofing and Jamming (MASS-SJ) is presented in [12]. This attack strategy applies optimal power distribution to maximize the adversarial effects in order to interfere with the maximum number of signal channels. In the Request to Send (RTS) fake jamming attack, the attacker scouts the network; if the network is weak, the attacker will convey a false RTS to the access point, which responds with a Clear to Send (CTS) and reserves the bandwidth. In this process, the attacker stops receivers from transferring for the duration set by CTS. If the access point observes the grid, this type of attack might be averted [6].

B. MOVING TARGET DEFENSE
MTD is used to ''make, assess, and set out strategies and mechanisms that are repeatedly changed, varied, and altered over a period of time. It enhances costs and difficulty for attackers and constrains the exposure to opportunities and risk of assaults, enhancing the resiliency of system'' [13]. The following points describe the stages of an attack: 1) Reconnaissance: In this stage, the attacker gathers all the information from the target system environment. For wireless communication, this information includes the operating channel, modulation type, and bit rate; 2) Planning: During this stage, the attacker plans the attack and decides on a strategy based on the information obtained during the reconnaissance stage; 3) Execution: In the execution stage, the attacker carries out the attack on the target. MTD provides a resilient solution to network attacks by changing the configuration of the communications parameters at random time intervals. The application of MTD to wireless communications reduces the level of existing communication vulnerabilities that can be exploited by the attackers, in the event of a successful attack; however, this will last for a short period only. The attack will fail after the communication parameters are changed, consequently ensuring communication resilience.
The notion of MTD is applicable at different stages of the hierarchy of structural design from the network level to the application level. The IP address can be randomly changed at the network level [14]. In this situation, both real and virtual IP addresses are used. The attacker cannot determine the origin of the packet as it utilizes the Virtual IP address (VIP). Before the packet arrives at the desired network, VIP is used throughout the system, and the receiver then converts the VIP to the Real IP address (RIP). To run each application, the MTD alters the implementation environment [15], [16].
In MTD, replication, diversity and random shuffling techniques are implemented to change the execution environment. The MTD approach can be generalized in order to create robust smart city services [17]. The robust practice uses significant elements at the level of resilient command and control applications as well as resilient communication services. All the communication and computation resources involved in this approach will be altered for conveying city services, making it highly challenging to penetrate; it would also be difficult to determine the properties of the communication links used. This would make it difficult to execute cyberattacks and would guarantee that all smart city facilities are running properly.

C. NETWORK CYBERSECURITY AND RESILIENCE
Existing cybersecurity precautions have failed to protect and secure network operations and services. The resilient network approach is one of the most promising approaches to mitigate any type of attack. In addition, network programmable systems can be applied to improve the system's robustness [18]. The ''network programmability'' property refers to a network's ability to alter its behavior according to existing system conditions. This results in the ability to eliminate attacks and ensure normal operations. Using programmable networks, the researchers in [18] achieved the resiliency to detect and protect against flash crowd attacks using programmable networks to detect and mitigate malicious attack. The detection mechanism is based on comparing the response traffic volume with the expected value. If the values are beyond the normal threshold, then an attack occurrence is declared. After confirming the attack, one of the following two solutions is used: The first is to change the direction of packets and to distribute them among other routers. The second solution is to release harmful packets along the routes of the attacker.
The development of highly resilient and secure network services became possible after the introduction of Software Defined Networking (SDN). Some researchers have mitigated Distributed DoS Attacks (DDoS) using the SDN strategy [19]. Using a pairwise key, other scholars have emphasized resiliency in wireless systems, which could be executed in three steps: initialization, direct key setup, and path key setup. According to the process, the essential properties of wireless systems security are integrity, authentication, and confidentiality [20]. By contrast, the survivability requirements for wireless systems are reliability, availability, and energy efficiency.
Researchers are still interested in detecting new types of DDoS attacks. A model for a structural health monitoring network system has been proposed in [21]. The model is designed to protect against a flooding attack, a type of DDoS attack. The authors examined several network configurations, parameters, attack options, and scenarios. Based on their analysis, a new type of DDoS attack has been reported: Delayed Distributed Denial of Service attack (DDDoS). Jamal et al. [22] discuss the RTS attack, a form of DoS attack where malicious nodes reserve the medium unnecessarily for a prolonged period of time. Additionally, the authors provided a mitigation technique to restore network performance. Several modeling approaches for capturing the uncertainty in DoS attack strategies have been discussed in [23]. Special attention is paid to the Tail-Probability Based Failure Models (TPBFM) for describing the jamming attacks affecting wireless channels.
A resilient wireless network can also be developed through a channel hopping technique [20]. The resilience of this method relies on the channel frequency, randomness, and hopping rate. The resilience and performance of a wireless network are affected by the hopping time. Considering configuration time, the hopping time should not be set to a very small value. However, the duration should not be long, as that would provide the attacker with adequate time to determine the current vulnerabilities and launch a successful attack. Another approach to achieve resilience has been presented in [20], [24]. This is based on using multiple redundant and diversified routes to tolerate attacks when one of the routes is being compromised.

D. SOFTWARE DEFINED RADIO
The SDR approach is a reconfigurable radio built using Field Programmable Gate Arrays (FPGA). This implements different communication protocols and signal processing mechanisms using software rather than hardware. The radio includes a special mixer to change the signal into an Intermediate Frequency (IF) based on the Radio Frequency (RF) if the configuration requires the use of SDR in the Rx mode, or if it requires conversion from the IF mode to the RF mode. It comprises a converter for Digital-to-Analogue Conversion (DAC) and Analogue-to-Digital Conversion (ADC), and an FPGA or digital signal processor for processing signal commands produced from the software of SDR [5], [25]. The GNU-Radio toolkit [5], [26] is the most widely used SDR software environment. The GNU-Radio is an open source software utilized for implementing SDR algorithms. This radio supports the C++ and Python programming languages and provides tools for signal processing. We deployed the MTD algorithm to implement our resilient communication system so that the constraints of GNU-Radio modules can be randomly changed. This will be explained further in subsequent sections. VOLUME 8, 2020 SDR has become significant because it enables different signal processing mechanisms and radio communication protocols to be applied using software instead of hardware techniques [5]. The alignment of the digital signal processor for DAC and ADC is a part of the SDR programming tools. Several previous studies have emphasized supporting SDR programmability to enhance the efficiency and usage of the radio spectrum [5], [27]- [29]. SDR can be used in cognitive radio to enhance the service quality for secondary receivers by assessing the features of every group and picking the ones that enhance user quality of service [28]. In our research, we take a complimentary approach by using the SDR programmability to design a resilient radio communication system that can continue to operate normally despite being attacked.

III. RESILIENT WIRELESS COMMUNICATION ARCHITECTURE
Let us suppose a scenario where we have only one configuration (which never changes) for the communication link. In such a scenario, an attacker will have sufficient time to inspect the communication channel as the communication link properties do not change. Hence, the attacker can determine the weakness and then perform a successful attack.
Our method is based on using the MTD technique to achieve resilient wireless communications [3], [15]. In this approach, the SDR function is used to change the properties of the communication link between two nodes. Therefore, a successful attack on our proposed wireless communications architecture will be a challenging task. Let us assume that the attacker inspects the communications channel when configuration A is active. The attacker would then require some time to identify the vulnerability, plan, and thereafter, launch an attack. However, the attack is thwarted because the time will not be sufficient if the properties of the communication link are quickly changed within short time intervals from configuration A to configuration B, and thereafter, from configuration B to configuration C, and so on. By considering this methodology, the communications channel attains new properties every time an attack is launched.
The programmability of the SDR technology is utilized in our methodology to randomly alter the communication link properties so that the attacker would not succeed in disturbing the wireless communication. The configurability of SDR is used to utilize the MTD method in radio communication, thus altering the communication link properties between two nodes, as depicted in Fig. 1. One or more of the channel properties could be changed based on the type of communication and level of protection required.
MTD organizes the receiver and transmitter modules so that they can function with varying packet lengths; the modulation and frequencies can also be randomly altered to avoid identification and therefore prevent assaults [14], [30]. Our research has used two radio links: the first is the standby channel, and the second is the primary channel [7]. If an attack affects the active radio channel, the system will use the data delivered through the standby channel and consequently tolerate the attack.
An example of our approach deployed in a military tactical scenario is depicted in Fig. 2. In this example, two different radio channels are used for each link with respect to packet size, signal frequency, and modulation. A 20-byte packet size, 2 GHz frequency, and Quadrature Phase Shift Keying (QPSK) modulation are used for the active channel of link 1, whereas a 30-byte packet size, 1 GHz frequency, and Binary Phase Shift Keying (BPSK) modulation are used for its standby channel. In this configuration, the system will tolerate an attack if the target is the active channel (red box), as the data provided by the standby channel (blue box) can be used to maintain the communication of link 1 during the attack.

IV. IMPLEMENTATION APPROACH
In this section, we describe our testbed which contains the transmitter, receiver, and the MTD module that will use SDR to randomly change the configuration during runtime [4], [5].

A. SOFTWARE DEFINED RADIO
Two SDR systems, a receiver and a transmitter were used in our testbed. On the transmitter side, a configuration program is deployed using GNU-Radio modules and Python. This program allows the user to automatically change the configuration for each communication cycle, as listed in Table 1. The same configuration table is utilized at the receiver side to configure the link after random intervals of time. As discussed before, the resilient algorithm changes the configurations and the shuffling rate (reconfiguration time) automatically based on two parameters: 1) the key value; and 2) the iteration number. We utilized the Diffie-Hellman key exchange algorithm to maintain key confidentiality and prevent eavesdropping [34]. This key exchange algorithm uses symmetric encryption techniques. Both sides are required to agree on a base number (g) and a modulus (p). If a sender (Alice) and a receiver (Bob) want to exchange a key, both must use the same values (g) and (p), and they are both required to generate a random number. In this case, Alice's random number is y, whereas Bob's random number is x. Alice shall compute (g y mod p) and send the result to Bob. Conversely, Bob shall compute (g x mod p) and then send the result to Alice. Both Alice and Bob then compute the key value (Key) by finding (g xy mod p) through multiplication of (g x mod p) by (g y mod p).
Configuration (i) signifies the type of configuration (configuration interval, packet length, and frequency) to be adopted during each iteration. For example, after computing the key (Key) on both sides, the communication process is started using the configuration; the reconfiguration time can be determined using the following two equations: where N is the number of configurations available, i denotes the communication cycle or iteration number, and Tc is the value for a predefined communication interval. Moreover, (1) shows that the configuration utilized defines the interval of reconfiguration. From (2), it is evident that the reconfiguration interval will change as the iteration number (i) and key value (Key) change. At this point it is important to note how crucial the selection of the Diffie-Hellman algorithm modulus p is because it determines the keys to be used in our proposed procedure. In our testbed, we made p = N (the number of configurations available). The specific values considered for N will be presented in Section V. However, in Section VI, we can see that the values for N can grow in an arbitrary way, i.e., by increasing the security strength (based on the Diffie-Hellman algorithm), and without affecting our proposal's time complexity. Fig. 3 illustrates the structural design and operations of the implemented resilient communications system. Fig. 4 depicts the underlying algorithm. Initially, in the ResilientCommunicationService_SDRProcedure, the system starts with an operation message including a special key for defining the reconfiguration and configuration time denoted by Tc. The Diffie-Hellman key exchange algorithm is used in steps 3 to 9 to prevent from getting identified [14], [31]- [33]. The configuration is defined by each end-user and the timeframe to initiate the process of communication (Steps 10 to 12).
In the ResilientCommunicationService_Transmitter algorithm, each message is transferred via two channels at the transmitter side (i.e., standby and active channels), and each one of them uses a different configuration. On the receiver side, the ResilientCommunicationService_Receiver algorithm receives the data and interprets it via the standby and active channels.

B. JAMMING ATTACKS
On our own test bed, we experimentally demonstrated that the approach is feasible for tolerating multiple attacks. A jamming attack was introduced by transmitting a jamming signal to prevent the system from accurately receiving transmitted data. In the testbed on channel 3, the attacker launches a continuous signal with a frequency of 90 MHz using Gaussian frequency shift keying (GFSK) modulation, and a 512-packet length, as listed in Table 1. The jamming signal interfered through the transmitting channel configuration and transmitted a signal of attack to corrupt the data on the active channel. The system then immediately switched the data communication operations to the standby channel that was not affected by the attack as it used a different configuration.

V. ARCHITECTURE's TOLERANCE TO ATTACKS
To analyze the overhead and performance of our proposed architecture, we will present the resilience of the approach analytically. At first, we present how to compute a successful attack probability by using the reconfiguration time. Second, we demonstrate the manner in which the probability value is changed by the reconfiguration time based on different time slots.

A. SUCCESSFUL ATTACK PROBABILITY
In our approach, we change the radio link configurations randomly to make it extremely difficult for attacks to occur. We need to set the parameter numbers for random selection to calculate a successful attack probability between reconfigurations. Table 2 lists the configuration parameters available for the random selection using SDR links and the number of options for each configuration. For instance, with a channel spacing value of 25 kHz, the operating value of the frequency ranges from 225 to 400 MHz. There are approximately 7,000 channels available in this case; and therefore, we can    For our experiment, we used the following packet length values: 2048 B, 1024 B, 512 B, 256 B, and 128 B. For synchronization, we selected the access code of the GNU-Radio as the transmitter. The receiver should have an identical access code value to receive the data correctly. Additionally, a 24-bit length access code was used in our implementation, which gave us a total of 224 options. In this case, the probability of selection for each code is 1 in 16,777,216.
A successful attack probability (Pr(A s )) depends on the number of possible configurations the attacker could try for each reconfiguration. Therefore, the probability in this case depends on the length of the reconfiguration interval because increasing the reconfiguration interval would enable VOLUME 8, 2020 the attacker to perform additional attempts. Thus, Pr(A s ) can be mathematically represented as: Tc is the configuration interval, Mod is the number of available modulation schemes, Freq is the number of available frequency channels, and Len is the number of possible packet lengths. For simplicity, we have excluded the number of possibilities for access codes in (3). We have also assumed that the reconfirmation time of the attacker is 1 ms.
As an example, the probability of a successful attack based on (3) is 0.0095 if our reconfiguration interval is 2000 ms, as depicted in Fig. 5. The figure clearly shows that the probability of a successful attack is less than 0.01 when the reconfiguration interval is less than 2 s. The probability is 0.1 if the time is less than 21 s. We can reduce the probability to approximately zero by considering a shorter reconfiguration interval. We can use diversified and redundant communication links to enhance the resiliency of our system. In this scenario, we calculate the probability of a successful attack using the following equation: where L represents the number of links being used redundantly. For instance, in the case of four redundant links being used to transmit data, the probability of a successful attack would be zero for the chosen reconfiguration time.

B. PROBABILITY OF A SUCCESSFUL ATTACK WITH SLOTTED RECONFIGURATION TIME
To further increase the resilience of the approach used in this study, we have distributed the time into consecutive slots.
Here, we present the computation of the average probability during a time slot for a successful attack.
We divided the configuration interval (Tc) into multiple time slots (Ts) by assuming that the attacker would change the configuration for every time slot as he would be required to make a new attempt for each slot. The probability of a successful attack is presented as P; the number of combinations for frequencies, packet lengths, and modulation schemes is N; and the number of attacked time slots is represented by M.
Two possible attack scenarios are considered here. A random combination or serial combinations could be utilized by the attacker for every attempt. For each scenario, two different types of attacks are simulated: a jamming attack, where the used channel is jammed by the attacker and the configuration is altered when the user discovers the attack; and a scanning attack, where the entire channel is scanned by the attacker to gain access to the data while the end-user is unaware of the attack. In the scanning attack scenario, the configuration remains the same until the end of Tc.

C. RANDOM COMBINATIONS 1) RANDOM SCANNING ATTACK ANALYSIS
For the random scanning attack, the attacker uses a random configuration for every attempt regardless of the combinations used during past attempts. If the attack succeeds, this success lasts until there is a change in the configuration. For example, if the attack becomes successful during the first time slot, then P is equivalent to Ts/N. However, if the attack fails on the first attempt, then the average probability for the second time slot becomes (N − 1)/N · 1/N · (Ts − 1).
In this regard, the projected probability of the attack is calculated as follows: Ts (5) where i denotes the communication cycle or iteration number. Fig. 6 illustrates the probability of a successful random scanning attack for different combinations of time slots.

2) RANDOM JAMMING ATTACK ANALYSIS
In the random jamming attack, a random combination is utilized by the attacker for each attempt. However, because a legitimate user is capable of detecting the jamming attack after a successful attempt, the configuration is immediately changed for the next time slot. Equation (6) can be used to find the probability of a successful attack, as in this scenario, the attacker must randomly guess the configuration of each time slot as depicted in Fig. 7.
Probability of a successful random jamming attack using different combinations.

D. SERIAL COMBINATIONS
In this type of attack, the attacker attempts to use new configurations that have not been used before. For example, if the first combination attempted by the attacker used a frequency of 130 MHz, a packet length of 128 B, and GFSK modulation, then the second combination would use a frequency of 900 MHz, a packet length of 512 B and Gaussian minimum shift keying (GMSK) modulation.

1) SERIAL SCANNING ATTACK ANALYSIS
As the attack cannot be detected by the user, there would be no change in the configuration until the end of Tc. As the attack attempts are serial, the expected probability for the attack can be calculated using the following equation and the results are depicted in Fig. 8.
2) SERIAL JAMMING ATTACK ANALYSIS We can use (5) to calculate the probability of success for the expected serial jamming attack. The length of the consistent success line is denoted by Ls, whereas N denotes the time interval of Ls = N · E[P serial−scan ]. Moreover, the duration of the failure is represented as Lf, which is equivalent as illustrated in Fig. 9. During the first time slot, immediately after the failed time duration Lf if a successful attack attempt takes place, this leads to a change in the configuration of the sender whereas the attacker will still be using the configuration from the previous channel that resulted in a successful attack. Hence, one significant successful attack occurs in the Lf+2 time slot, which is calculated using the following equation: Fig. 10 depicts the probability of a successful jamming attack for a combination of several numbers. It is evident that previously analyzed attacks do not distinguish random attacks from serial attacks. However, at this point, we are dealing with different types of attacks. For the sake of completeness, we have presented results of such attacks in their respective FIGURE 10. Probability of a successful serial jamming attack. VOLUME 8, 2020 subsections, and Figures 7 and 10. Nevertheless, it is also important to mention the effective presence of differences in the probabilities associated with these attacks. To provide evidence, a difference has been calculated for one case (N = 210), which is illustrated in Fig. 11. In the following section we will see the presence of this behavior in the context of the execution times required by our algorithm for dealing with such attacks. These are the interesting features of our proposal as it provides evidence of a uniform behavior under different types of attacks. Verification of all analytical results has been conducted through simulations that used the same parameter values as those we used in our analysis. There is less than 1% difference between the analytical results and the simulations.

VI. SOME COMPLEXITY ASPECTS
We conducted several experiments and they all indicate that our algorithm is capable of tolerating attacks targeting one of the communication links by using redundant diversified links that are not affected by the attack. Fig. 12 depicts an instance for the considered playground of the experiments dealing with the robustness against radio attacks for the random combinations' scenario. The overhead and performance of the approach with consideration for execution time is summarized in Table 3. For our methodology, the overhead results from the key exchange and the random variations in the communication channels.
Subsections VI.A to VI.D discuss the determination of some complexity aspects starting from the equations presented in Section V. The main idea is to provide some theoretical elements that support the aspects regarding the execution time of our proposal under several attack scenarios.

A. ABOUT THE REQUIRED CONFIGURATION TIME
The perspective we are going to follow now is based on the fact that it is possible to determine an appropriate configuration time in terms of the probability of an attack and the number of redundant links. Configuration time is a preponderant aspect to be considered determining the execution time of our approach. In more formal terms, the discussion in this section regards how configuration time behaves; that is, increases in the attack probability and the number of used redundant links. The probability of a successful attack, Pr(A L ), is given by (3) and (4): L describes the number of used redundant links. Note that specific values for Mod (the number of available modulation schemes), Freq (the number of available frequency channels), and Len (the number of possible lengths) describe the configuration of a specific communication system [34], as mentioned earlier in Section V. Therefore, they can be unified into a constant k given by k = Mod · Freq · Len. The aforementioned equation is then solved for Tc, and owing to constant k, from an asymptotic point of view can be despised, we directly obtain the following new equation with its corresponding restrictions:   Such a limit is consistent with the practice because as the number of links being used redundantly increases, the configuration time Tc will also increase. This is also consistent with the behavior of the algorithms shown in Section IV. A visual inspection of Fig. 13 and Fig. 14  Therefore, the linear function L is tight bound for the configuration time Tc (Pr(A L ), L). It has been verified from an asymptotic point of view that the linearity of the required reconfiguration time can be calculated using the following equation: The important observation here is that the configuration time behaves linearly with respect to these parameters: 1) attack probability, and 2) the number of links being used redundantly. As mentioned earlier, the configuration time contributes to the execution time of our approach, and the fact that we have identified its linear complexity enhances the notion of the time efficiency of our approach, and more specifically, a low temporal efficiency in some of its conforming elements. Furthermore, the practical application of (10) lies in the sense that for a specific communication system, configuration time can be properly adjusted by considering the expected attack probability and the number of available redundant channels.

B. RANDOM SCANNING ATTACK TIME COMPLEXITY (RANDOM COMBINATIONS)
Let E upper [P random−scan ] be an upper bound for (5) obtained by substituting the term (N − 1)/N by 1, then: Here, i is the number of iterations in our proposed algorithm, Ts is the number of time slots in which the whole configuration time Tc has been distributed, E[P random−scan ] is an attack probability (5), and N is the number of combinations for frequencies, packet lengths, and modulation schemes. Now, we solve for Ts from (14). Therefore, we get: Suppose E upper [P random−scan ] is the same probability given for (5), that is: Moreover, by assuming E upper [P random−scan ] as a constant term, we find that (15) computes an upper bound for the time slots Ts required for a fixed attack probability for the random scanning attack, as described in Subsection V.C.1. Clearly, Ts is also expressed in terms of combinations for frequencies, packet lengths, and modulation schemes. Now, to have a more precise idea about the algorithm's time complexity both sides of (15) should be multiplied by the number c of executed steps in each one of the algorithm's iterations i = 1, 2, 3, . . . , Ts. As previously observed, our algorithm depends on some computations such as the Diffie-Hellman Key Exchange procedure which in turn depends on the Discrete Logarithm Problem. As mentioned in Section III.A, the Diffie-Hellman algorithm requires as input a value p corresponding to a considered modulus. Choosing a right modulus impacts on the execution time; however, as pointed out by several researchers, O(p 1/2 ) is the commonly accepted time for solving such a problem [35]. Thereafter, suppose c = p 1/2 = N 1/2 and E upper [P random−scan ] is a fixed constant, then by a straight calculation on the right side of (15), the time complexity for dealing with a random scanning attack, T random−scan , is given by: C. SERIAL SCANNING ATTACK TIME COMPLEXITY (SERIAL COMBINATIONS) We solved for Ts from (7), and obtained: Equation (18) computes the time slots Ts required for a fixed attack probability for the serial scanning attack, as described in Subsection V.D.1, which depends on the number N of combinations for frequencies, packet lengths, and modulation schemes. Both sides of (18) are multiplied by the number c of executed steps in each one of the algorithm's iterations i = 1, 2, 3, . . . , Ts. Then, such as was done in the previous subsection, let us suppose c = p 1/2 = N 1/2 and E[P serial−scan ] is a fixed constant, then the time complexity for dealing with a serial scanning attack, T serial−scan , is given by: D. SERIAL JAMMING ATTACK TIME COMPLEXITY (SERIAL COMBINATIONS) By substituting (7) into (8), we obtain: Now, if we solve for Ts from (20), then, we obtain: Equation (21) computes the time slots Ts required for a fixed attack probability for the serial jamming attack, as described in Subsection V.D.2. Both sides of (21) are multiplied by the number c of executed steps in each one of the algorithm's iterations i = 1, 2, 3, . . . , Ts. Then, again if we assume c = p 1/2 = N 1/2 and E[P serial−jam ] is a fixed constant, the time complexity for dealing with a serial jamming attack, T serial−jam , can be obtained as:

VII. CONCLUSION
This article presents a resilient wireless communication architecture based on MTD modules. Using SDR in wireless communication enables us to dynamically program the radio network and provide two differentiated yet redundant channels. The active channel is the primary channel used for data transmission whereas the standby channel is utilized in case the active channel is successfully attacked. Each configuration channel is randomly changed after every reconfiguration. The configuration link is defined with properties such as modulation type, packet size, and link frequency. The resilience of this approach has been experimentally validated, and the probability of a successful attack has been quantified. Our assessment demonstrated that the presented resilient methodology can tolerate a wide range of wireless attacks including jamming attacks. Moreover, by properly setting the reconfiguration time and shuffling change rate, we can reduce the probability of successful attacks to approximately zero. The proposed approach exhibited linear time behavior in some of its elements. In this specific study, we confirmed that the configuration time is effectively linear in terms of the available redundant links and attack probability. Moreover, we proposed three time complexity bounds for the cases dealing with random scanning, serial scanning, and serial jamming attacks. In all these three cases, the algorithms' complexity is sub-quadratic with respect to the number of combinations for frequencies, packet lengths, and modulation schemes. Therefore, our resilient wireless communications architecture has shown evidence of efficient performance. Future research might consider the possibility of utilizing our approach of resilient/redundant wireless communications for industrial control systems, specifically for the communication between controllers and actuators, or for wireless sensorcontrollers. SALIM HARIRI (Senior Member, IEEE) received the M.Sc. degree from The Ohio State University, in 1982, and the Ph.D. degree in computer engineering from the University of Southern California, in 1986. He is currently a Professor with the Department of Electrical and Computer Engineering, The University of Arizona, where he is also the Director of the NSF Center for Cloud and Autonomic Computing. His current research interests include autonomic computing, cybersecurity, cyber resilience, secure critical infrastructures, and cloud security. VOLUME 8, 2020