Adversarial Jamming Models

• Adversarial jamming models are formal frameworks that characterize strategic disruptions by specifying constraints on jammers’ adaptivity, reactivity, and power budgets.
• They drive the design of robust communication protocols by ensuring a guaranteed throughput fraction under worst-case jamming scenarios.
• Game-theoretic and learning-based methodologies in these models reveal adversarial thresholds and optimal countermeasures across physical, MAC, and higher network layers.

Adversarial jamming models formalize the strategic interaction between communication systems and intelligent or constrained adversaries aiming to disrupt transmissions. These models encompass a broad spectrum of assumptions about the jammer's capabilities, objectives, information, and constraints. They provide a rigorous theoretical and algorithmic foundation for designing resilient protocols and evaluating their worst-case performance guarantees across physical, MAC, and upper-layer protocols.

1. Definition and Taxonomy of Adversarial Jamming Models

Adversarial jamming models specify the limitations and strategic options of jammers in terms of causality, adaptivity, reactivity, power constraints, and their knowledge of protocol or traffic history.

• Causality and Adaptivity: An adaptive jammer bases its decisions on the entire history of the system up to the current time slot, possibly including the full protocol execution and observed signals. A non-adaptive adversary cannot condition on past events (Richa et al., 2010).
• Reactivity: A reactive jammer senses the medium at the start of each slot (e.g., via carrier sense), distinguishes idle/busy, and may decide to jam accordingly within that slot, maximizing impact where legitimate transmissions are likely (Richa et al., 2010).
• Jamming Budget: Models include (T, 1–ε)-bounded adversaries that can jam at most a (1–ε) fraction of slots in any window of length ≥T, thereby guaranteeing at least an ε fraction of opportunities for honest communication (Richa et al., 2010). Others impose only average power or no explicit budget (Jurdzinski et al., 2013, Firouzbakht et al., 2013).
• Worst-case and Online Faults: Some models allow the adversary to choose arbitrary sets of jamming times and arrival patterns, subject to minimal nontrivial throughput constraints for the optimal offline algorithm (Jurdzinski et al., 2013).
• Knowledge and Learning: Recent paradigms model the jammer itself as a learner (multi-armed bandit, RL agent, or deep neural network), targeting either packet errors or learning to predict spectrum utilization for optimal jamming placement (Amuru et al., 2014, Erpek et al., 2018, Wang et al., 2020, Wang et al., 2021).

2. Canonical Jamming Models: Representative Examples

The precise adversarial power and resulting model structure depend on the system under study. Key representatives include:

Reference	Channel/Protocol	Jammer Model	Jammer Info/Action	Metric
(Richa et al., 2010)	MAC, time-slotted	(T,1−ε)-bounded, adaptive, reactive	Carrier sense slot, jam ≤(1−ε) of any w≥T slots	Competitive throughput S/U
(Jurdzinski et al., 2013)	Point-to-point	Unrestricted jam times, arbitrary packet arrivals	Instantaneous abort of ongoing transmission	Relative algorithmic throughput
(Firouzbakht et al., 2013)	Wireless AWGN	Zero-sum constrained-power game	Mixed/randomized jamming power	Nash equilibrium value
(Huynh et al., 2019, Erpek et al., 2018, Wang et al., 2020, Wang et al., 2021)	RL-based resource allocation	DRL-based/adaptive, possibly listens and learns	Observational feedback + sensing	Cumulative throughput, adaptation speed
(Xie et al., 2022)	Modulation (16-QAM)	Adversarial waveform design, L_p norm constraint	White-box, perturbs symbols under budget	Bit/Symbol error rate

These models are leveraged to rigorously study the effectiveness of anti-jamming schemes (e.g., AntiJam MAC (Richa et al., 2010)), optimal scheduling under faults (Jurdzinski et al., 2013), and physical-layer countermeasures, as well as the fundamental efficiency loss caused by adversarial jamming.

3. Algorithmic and Analytical Frameworks

Adversarial jamming models have led to provably robust algorithms and performance bounds.

• Competitive MAC Protocols: The AntiJam protocol maintains a moving window probability vector, adapting transmit probabilities in lockstep with observed idle or successful slots and synchronizing across all nodes upon a successful decode. Provably, AntiJam achieves a Θ(1)-fraction of possible throughputs given an ε fraction of available slots under a (T,1−ε)-adversary, independent of network size and window parameter T (Richa et al., 2010).
• Throughput Bounds in Adversarial Scheduling: For online packet scheduling on adversarially jammed links, the relative throughput of any deterministic algorithm is no better than 1/2 in the simplest case (or specific ratios for arbitrary packet lengths), unless additional resources (e.g., speedup) are introduced, in which case throughput can be restored to optimal (Jurdzinski et al., 2013).
• Game-Theoretic and Bandit Models: The rate-adaptive AWGN packet link under a Nash-game approach precisely identifies a jamming threshold: above this, the adversary’s randomized mixed strategy forces the same zero-sum payoff as always jamming at full power, with randomization enabling the adversary to be equally effective with much less average power (Firouzbakht et al., 2013). Multi-armed bandit models allow a learning jammer to provably converge to the best attack strategy in dynamic environments, and sub-linear regret bounds characterize exploitability (Amuru et al., 2014).
• Deep Learning and RL Adversaries: DRL-based jammers outperform memoryless or basic sensing attackers by learning the temporal structure or spectrum access patterns of the system. Attackers using GAN-augmented datasets can, with as few as 10 real observations, synthetically generate accurate predictors for targeted jamming (Erpek et al., 2018). Ensemble policy defenses and minimum-correlation rotations at the user side show substantial recovery of throughput or accuracy (Wang et al., 2021, Wang et al., 2020).

4. Extensions: Physical-Layer Effects, Multi-Domain Attacks, and Covertness

• Physical Layer Jamming: Adversarial jamming is extended beyond wireless MAC/PHY to elastic optical networks (Bensalem et al., 2020), where an adversarial power increment ε is incorporated into nonlinear impairment models for OSNR calculations. The peak impact (blocking probability, slot utilization drop) is non-monotonic: the worst service denial occurs at moderate ε (≈1.75–2 dB), not at maximum power, due to nonlinear crosstalk.
• Intelligent Surfaces and Passive Jamming: 360-degree fully-passive jamming models with intelligent omni-surfaces (DIOS-FPJ) randomize refractive and reflective coefficients to induce active channel aging and break channel reciprocity, with quantifiable performance impact provably independent of quantization precision (under constant amplitude assumptions) (Huang et al., 2024).
• Integrated Sensing-Enabled Jammers: ISAJ adversaries simultaneously jam a victim’s band and use full-duplex energy scanning over other network frequencies to detect countermeasures—even under Kerckhoffs’ principle knowledge. Analysis uses mutual information (entropy) metrics to characterize the adversary's uncertainty, with network-centric cooperative countermeasures optimizing reliability-covertness tradeoffs (Hazra et al., 16 Apr 2025).
• Deep Network Robustness and Adversarial Attacks: In jamming identification (detection and classification), white-box adversaries can craft imperceptible perturbations against deep learning classifiers of time–frequency records, requiring randomized masking, differential attention, and consistent dual-branch training to double adversarial robustness relative to standard defenses (Wang et al., 17 Aug 2025).

5. Practical Significance and Design Implications

• Protocol Robustness: Carefully designed distributed MAC protocols (e.g., AntiJam) maintain constant competitive throughput despite high-power, reactive, history-aware adversaries, providing strong fairness guarantees and effective operation where IEEE 802.11 can be entirely disabled (Richa et al., 2010).
• Performance Bounds: Online algorithms and resource allocation strategies under the strongest adversaries can guarantee only a fixed fraction (1/2 or less) of the throughput achievable without jamming, unless resource augmentation (speedup, multipath) is provided (Jurdzinski et al., 2013).
• Defensive Strategies: Defensive measures include synchronized probability adaptation, ensemble policy rotation, imitation attacker randomization, diversified channel selection, adversarial noise training, and cooperative network-centric actions, all evaluated against specific adversarial models (Richa et al., 2010, Wang et al., 2020, Erpek et al., 2018, Djuhera et al., 2024, Hazra et al., 16 Apr 2025).
• Information-Theoretic and Game-Theoretic Limits: Nash-game models and saddle-point analyses give exact thresholds where adversarial resources become overwhelming, and randomized adversarial strategies may be as effective on average as brute-force jamming (Firouzbakht et al., 2013, El-Geresy et al., 2 Dec 2025).
• Learning Adversaries: Models that treat the adversary as a learner (bandit, Q-learning, deep RL) model both the most damaging and stealthy attacks as well as the richest, most realistic environments for resilient system design (Amuru et al., 2014, Wang et al., 2020).
• Physical-Layer Countermeasures: Recognizing spectral and nonlinear propagation (optical, radio, MIMO) enables optimal placement of defensive resources or strategic adaption of coding, protocol parameters, and even physical infrastructure (Zhang et al., 2019, Huang et al., 2024, Bensalem et al., 2020).
• Extensions to Next-Generation Systems: Adversarial jamming now includes cross-layer, multi-agent and collaborative scenarios (UAV swarms, federated learning with LLMs, backscatter/rate adaptation, integrated sensing), driving ongoing research in hierarchical MARL, multi-agent Stackelberg games, and information-theoretic covert communications (Huynh et al., 2019, Yang et al., 11 Aug 2025, Djuhera et al., 2024).

6. Concluding Perspective and Open Directions

Adversarial jamming models have profoundly influenced the design of resilient wireless and optical networks, online algorithms, deep learning systems for communications, and game-theoretic protocol design. Central to their success is the precise characterization of adversary capabilities, coupled with worst-case analysis and robust learning-theoretic or game-theoretic frameworks.

Open directions include:

• Predictive/persistent adversaries with memory and semantic awareness (Yang et al., 11 Aug 2025).
• Multi-domain and hybrid active–passive attacks (e.g., combining jamming, spoofing, and eavesdropping).
• Certified robustness (provable information-theoretic or learning-theoretic guarantees) in deep learning-based jamming/anti-jamming.
• Richer network-centric and cooperative countermeasures, especially incorporating physical-layer, MAC, and application-layer interaction under limited or cached adversarial knowledge (Hazra et al., 16 Apr 2025, Huang et al., 2024).
• Extensions to distributed and federated learning in adversarial radio environments, unifying signal, protocol, and ML-level defense (Djuhera et al., 2024).

Adversarial jamming models thus sustain a central role in both foundational research and practical secure communication system design, bridging physical, algorithmic, and learning-theoretic domains.