Amobile ad hoc network is a group of mobile nodes that do

Size: px

Start display at page:

Download "Amobile ad hoc network is a group of mobile nodes that do"

Janis Davidson
5 years ago
Views:

1 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY Game Theoretc Analyss of Cooperaton Stmulaton and Securty n Autonomous Moble Ad Hoc Networks We Yu and K.J. Ray Lu, Fellow, IEEE Abstract In autonomous moble ad hoc networks, nodes belong to dfferent authortes and pursue dfferent goals; therefore, cooperaton among them cannot be taken for granted. Meanwhle, some nodes may be malcous, whose objectve s to damage the network. In ths paper, we present a jont analyss of cooperaton stmulaton and securty n autonomous moble ad hoc networks under a game theoretc framework. We frst nvestgate a smple yet llumnatng two-player packet forwardng game and derve the optmal and cheat-proof packet forwardng strateges. We then nvestgate the secure routng and packet forwardng game for autonomous ad hoc networks n nosy and hostle envronments and derve a set of reputaton-based cheat-proof and attack-resstant cooperaton stmulaton strateges. When analyzng the cooperaton strateges, besdes Nash equlbrum, other optmalty crtera, such as Pareto optmalty, subgame perfecton, farness, and cheat-proofng, have also been consdered. Both analyss and smulaton studes have shown that the proposed strateges can effectvely stmulate cooperaton among selfsh nodes n autonomous moble ad hoc networks under nose and attacks, and the damage that can be caused by attackers s bounded and lmted. Index Terms Autonomous moble ad hoc networks, securty, cooperaton stmulaton, game theory. Ç 1 INTRODUCTION Amoble ad hoc network s a group of moble nodes that do not requre a fxed network nfrastructure n whch nodes can communcate wth each other out of ther drect transmsson ranges through cooperatvely forwardng packets. In tradtonal emergency or mltary applcatons, nodes n a moble ad hoc network usually work n a fully cooperatve way. Recently, emergng applcatons of moble ad hoc networks have also been envsoned n cvlan usage [1], where nodes typcally do not belong to the same authorty and may not pursue common goals. Consequently, fully cooperatve behavors, such as uncondtonally forwardng packets for each other, cannot be taken for granted. On the contrary, n order to save lmted resources, nodes tend to be selfsh. We refer to such networks as autonomous moble ad hoc networks. Before ad hoc networks can be successfully deployed n an autonomous way, however, the ssue of node cooperaton must be resolved frst. In the lterature, many schemes have been proposed to stmulate node cooperaton n ad hoc networks [], [3], [4], [5], [6], [7], [8], [9], [10], [11], [1], [13], [14], [15], [16]. One way to stmulate cooperaton among selfsh nodes s to use payment-based methods, such as those proposed n [], [3], [4], [5], [6]. Although these schemes can effectvely stmulate cooperaton among selfsh nodes, the requrement of tamper-proof hardware or central bllng servces greatly lmts ther potental applcatons.. The authors are wth the Department of Electrcal and Computer Engneerng and The Insttute for Systems Research, Unversty of Maryland, College Park, MD 074. E-mal: weyu@glue.umd.edu, kjrlu@sr.umd.edu. Manuscrpt receved 6 June 006; revsed 7 Jan. 006; accepted 5 Sept. 006; publshed onlne 7 Feb For nformaton on obtanng reprnts of ths artcle, please send e-mal to: tmc@computer.org, and reference IEEECS Log Number TMC Dgtal Object Identfer no /TMC Another way to stmulate cooperaton among selfsh nodes s to use reputaton-based methods wth necessary montorng [7], [8], [9], [10]. In [7], a reputaton-based system was proposed to mtgate nodes msbehavor, where each node launches a watchdog to montor ts neghbors packet forwardng actvtes. Followng [7], Core was proposed to enforce cooperaton among selfsh nodes [8] and CONFIDANT was proposed to detect and solate msbehavng nodes and, thus, make t unattractve to deny cooperaton [9]. Recently, ARCS was proposed to smultaneously stmulate cooperaton among selfsh nodes and defend aganst varous attacks [10]. Meanwhle, efforts have also been made toward mathematcally analyzng cooperaton n autonomous ad hoc networks n a game theoretc framework, such as [11], [1], [13], [14], [15], [16]. In ths paper, we also focus on desgnng reputatonbased cooperaton stmulaton strateges for autonomous moble ad hoc networks under a game theoretc framework. However, there are several major dfferences to dstngush our work from the exstng work, such as [11], [1], [13], [14], [15], [16]. Frst, nstead of focusng only on selfsh behavor, n our analyss, the effect of possble malcous behavor has also been ncorporated. Second, we have addressed these ssues under more realstc scenaros by consderng errorprone communcaton channels, whle most exstng cooperaton schemes can only work well n deal envronments. Thrd, we have also fully explored possble cheatng behavor and derved cheat-proof strateges, whle most exstng work requre nodes to honestly report ther prvate nformaton. Fourth, n our analyss, besdes Nash equlbrum, other optmalty crtera, such as Pareto optmalty, cheat-proofng, and farness, have also been appled. We frst studed a smple yet llumnatng two-player packet forwardng game and nvestgated the Nash equlbra. Snce ths game usually has multple equlbra, we /07/$5.00 ß 007 IEEE Publshed by the IEEE CS, CASS, ComSoc, IES, & SPS

2 460 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 007 then nvestgated how to apply extra optmalty crtera, such as subgame perfecton, Pareto optmalty, farness, and cheat-proofng, to further refne the obtaned Nash equlbrum solutons. Fnally, a unque Nash equlbrum soluton s derved whch suggests that a node should not help ts opponent more than ts opponent has helped t. The analyss s then extended to handle multnode scenaros n nosy and hostle envronments by modelng the dynamc nteractons between nodes as secure routng and packet forwardng games. By takng nto consderaton the dfference between the two-node case and multnode case, we have also derved attack-resstant and cheat-proof cooperaton stmulaton strateges for autonomous moble ad hoc networks. Both analyss and smulaton studes have shown that the proposed strateges can effectvely stmulate cooperaton under nose and attacks, and the damage that can be caused by attackers s bounded and lmted. The rest of ths paper s organzed as follows: Secton studes the two-player packet forwardng game. Secton 3 nvestgates the secure routng and packet forwardng game for autonomous ad hoc networks n nosy and hostle envronments. In Secton 4, extensve smulatons have been conducted to evaluate the performance of the proposed strateges under varous scenaros. Fnally, Secton 5 concludes ths paper. OPTIMAL STRATEGIES IN A TWO-PLAYER PACKET FORWARDING GAME.1 Game Model In ths paper, we focus on the most basc networkng functon, namely, packet forwardng. We frst study a smple yet llumnatng two-player packet forwardng game. In ths game, there are two players, denoted by N ¼f1; g. Each player needs ts opponent to forward a certan number of packets n each stage. For each player, the cost to forward a packet s c, and the gan t can get for each packet that ts opponent has forwarded for t s g.to smplfy our llustraton, we assume that all packets have the same sze. Here, the cost can be the consumed energy and the gan s usually applcaton-specfc. It s reasonable to assume that g c and there exsts a c max wth c c max. Let B be the number of packets that player wll request ts opponent to forward n each stage. Here, B, c, and g are player s prvate nformaton, whch s not known to ts opponents unless player reports them (ether honestly or dshonestly). In each stage, let A 1 ¼f0; 1;...;B g denote the set of actons that player 1 can take and let A ¼f0; 1;...;B 1 g denote the set of actons that player can take. That s, a A denotes that player wll forward a packets for ts opponent n ths stage. We refer to an acton profle a ¼ ða 1 ;a Þ as an outcome and denote the set A 1 A of outcomes by A. Then, n each stage, players payoffs are calculated as follows, provded the acton profle a beng taken: u 1 ðaþ ¼a g 1 a 1 c 1 ; u ðaþ ¼a 1 g a c : That s, the payoff of a player s the dfference between the total gan t obtaned wth the help of ts opponent and the total cost t spent to help ts opponent. We refer to uðaþ ¼ðu 1 ðaþ;u ðaþþ as the payoff profle assocated wth the acton profle a. ð1þ ðþ Fg. 1. Feasble and enforceable payoff profles. It s easy to check that, f ths game wll only be played for one tme, the only Nash equlbrum (NE) s a ¼ð0; 0Þ. Accordng to the backward nducton prncple [17], ths s also true when the stage game wll be played for fnte tmes wth game termnaton tme known to both players. Therefore, n such scenaros, for each player, ts only optmal strategy s to always play noncooperatvely. However, n most stuatons, these two players may nteract many tmes and no one can know exactly when ts opponent wll qut the game. Next, we show that, under a more realstc settng, besdes the noncooperatve strategy, cooperatve strateges can also be obtaned. Let G denote the repeated verson of the above one-stage packet forwardng game. Let s denote player s behavor strategy, and let s ¼ðs 1 ;s Þ denote the strategy profle. Next, we consder the followng two utlty functons: 1 X T U ðsþ ¼ lm u ðsþ; U ðs; Þ ¼ð1 Þ X1 t u ðsþ: ð3þ T!1 T t¼0 t¼0 Utlty functon U ðsþ can be used when the game wll be played for nfnte tmes and the dscounted verson U ðs; Þ can be used when the game wll be played for fnte tmes, but no one knows the exact termnaton tme. Here, the dscount factor (wth 0 <<1) characterzes each player s expected playng tme. Snce, n general, the results obtaned based on U ðsþ can also be appled to the scenaros when U ðs; Þ s used as long as approaches 1, n ths secton, we wll manly focus on U ðsþ. Now, we analyze possble NE for the game G wth utlty functon U ðsþ. Accordng to the Folk theorem [17], for every feasble and enforceable payoff profle, there exsts at least one NE to acheve t, where the set of feasble payoff profles for the above game s V 0 ¼ convex hullfv j9a A wth uðaþ ¼vg and the set of enforceable payoff profles, denoted by V 1,s V 1 ¼fv j v V 0 and 8 : v v ; where v ¼ mn max u ða ;a Þg: ð5þ a A a A Fg. 1 depcts these sets for the game wth B 1 ¼ 1 and B ¼, where the vertcal axs denotes player 1 s payoff and the horzontal axs denotes player s payoff. The payoff profles nsde the convex hull of fð0; 0Þ; ðg 1 ; c Þ; ðg 1 c 1 ; g c Þ; ð c 1 ; g Þg ð4þ

3 YU AND LIU: GAME THEORETIC ANALYSIS OF COOPERATION STIMULATION AND SECURITY IN AUTONOMOUS MOBILE AD HOC (ncludng the boundares) are the set of feasble payoff profles V 0 ; the set of payoff profles nsde the shadng area (ncludng the boundares) are the set of feasble and enforceable payoff profles V 1. We can easly check that, as long as g 1 g >c 1 c, there exsts an nfnte number of NE. To smplfy our llustraton, n ths paper, we wll use x ¼ ðx 1 ;x Þ to denote the set of NE strateges correspondng to the enforceable payoff profle ðx g 1 x 1 c 1 ;x 1 g x c Þ.. Nash Equlbrum Refnements Based on the above analyss, we can see that the nfntely repeated game G may have an nfnte number of NE. It s also easy to check that not all the obtaned NE payoff profles are smultaneously acceptable to both players. For example, the payoff profle ð0; 0Þ wll not be acceptable from both players pont of vew f they are ratonal. Next, we show how to perform equlbrum refnement, that s, how to ntroduce new optmalty crtera to elmnate those NE solutons whch are less ratonal, less robust, or less lkely. Specfcally, the followng optmalty crtera wll be consdered: Pareto optmalty, subgame perfecton, proportonal farness, and absolute farness...1 Subgame Perfecton Our frst step toward refnng the NE solutons s to rule out those empty threats based on more credble punshments, known as subgame perfect equlbrum. Accordng to the perfect Folk theorem [17], every strctly enforceable payoff profle v V s a subgame perfect equlbrum payoff profle of the game G, where V ¼fv j v V 0 and 8 : v > v ; where v ¼ mn max u ða ;a Þg: ð6þ a A a A That s, after applyng the crteron of subgame perfecton, only a small set of NE are removed... Pareto Optmalty Our second step toward refnng the set of NE solutons s to apply the crteron of Pareto optmalty. 1 It s easy to check that only those payoff profles lyng on the boundary of the set V 0 could be Pareto optmal. Let V 3 denote the subset of feasble payoff profles whch are also Pareto optmal. For the case depcted n Fg. 1, V 3 s the set of payoff profles whch le on the segment between ðg 1 ; c Þ and ðg 1 c 1 ; g c Þ and on the segment between ðg 1 c 1 ; g c Þ and ð c 1 ; g Þ. After applyng the crteron of Pareto optmalty, although a large porton of NE have been removed from the feasble set, there stll exst an nfnte number of NE. Let V 4 ¼ V 3 \ V...3 Proportonal Farness Next, we try to further refne the soluton set based on the crteron of proportonal farness. Here, a payoff profle s proportonally far f U 1 ðsþu ðsþ can be maxmzed, whch can be acheved by maxmzng u 1 ðsþu ðsþ n each stage. Then, we can reduce the soluton set V 4 to a unque pont as follows: 1. Gven a payoff profle v V 0, v s sad to be Pareto optmal f there s no v 0 V 0 for whch v 0 >v for all N; v s sad to be strongly Pareto optmal f there s no v 0 V 0 for whch v 0 v for all N and v 0 >v for some N [17]. 8 >< x ¼ >: c g þ g 1 c1 B 1 ;B 1 f ðb ;B 1 Þ f c c 1 g þ g ðb ; 1 c B Þ f B 1 B < c g þ g 1 c1 c 1 g þ g 1 B1 g þ g c1 B 1 c c B 1 g þ g 1 B > c1 :..4 Absolute Farness In many stuatons, absolute farness s also an mportant crteron. We frst consder absolute farness n payoff, whch refers to the fact that the payoff of these two players should be equal. Then, we can reduce the soluton set V 4 to a unque pont as follows: 8 < g 1 þc x g þc 1 B 1 ;B 1 ¼ : B ; g þc 1 g 1 þc B f f B 1 B g þc 1 g 1 þc ; B 1 B g þc 1 g 1 þc : Another smlar crteron s absolute farness n cost, whch refers to the fact that the cost ncurred to both players should be equal. Then, we can also reduce the soluton set V 4 to a unque pont as follows: 8 < c x c 1 B 1 ;B 1 ¼ : B ; c1 c B f f B 1 B c1 c ; B 1 B c1 c :.3 Optmal and Cheat-Proof Packet Forwardng Strateges In Secton., we have obtaned several unque solutons after applyng dfferent optmalty crtera to refne the orgnal solutons. However, all these solutons nvolve some prvate nformaton reported by each selfsh player. Due to players selfshness, honestly reportng prvate nformaton cannot be taken for granted and players may tend to cheat whenever they beleve cheatng can ncrease ther payoffs. In ths paper, we refer to a NE as cheat-proof f no player can further ncrease ts payoff by revealng false prvate nformaton to ts opponents. In the Appendx, we have examned the three solutons (7), (8), and (9). The analyss shows that none of them s cheat-proof wth respect to the prvate nformaton c and g. Snce all these unque solutons are strongly Pareto optmal, the ncrease of ts opponent s payoff wll lead to the decrease of ts own payoff. Therefore, players have no ncentve to honestly report ther prvate nformaton. On the contrary, they wll cheat whenever cheatng can ncrease ther payoff. What s the consequence f both players wll cheat wth respect to c and g? Let us frst examne the soluton (7). In ths case, based on the analyss n the Appendx, both players wll report a c =g value as hgh as possble. Snce we have assumed g c and c c max, both players wll set g ¼ c ¼ c max and the soluton (7) wll become the followng form: x ¼ðmnðB 1 ;B Þ; mnðb 1 ;B ÞÞ: ð10þ After applyng smlar analyss on the solutons (8) and (9), we can also see that they wll also converge to the form (10). Accordngly, the correspondng payoff profle s v ¼ ððg 1 c 1 Þ mnfb 1 ;B g; ðg c Þ mnfb 1 ;B gþ: ð11þ It s easy to check that soluton (10) forms Nash equlbrum, s Pareto optmal, and s cheat-proof wth respect to prvate nformaton c and g. ð7þ ð8þ ð9þ

4 46 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 007 From the above analyss, we have learned that nodes can report false c and g to ncrease ther payoff. Recall that B s also regarded as prvate nformaton reported by player. Then, a natural queston s: In the obtaned solutons (7), (8), (9), and (10), can player further ncrease ts payoff by reportng false B value? The answer s NO after examnng all these four unque solutons. In other words, all these unque solutons are cheat-proof wth respect to the prvate nformaton B. Next, we analyze why these solutons are cheat-proof wth respect to B. Let us frst determne whether player 1 can further ncrease ts payoff by reportng a hgh false B 1 value. Here, we use B 1 to denote the actual number of packets that player 1 needs ts opponent to forward n each stage; that s, player 1 cannot get any extra gan f player wll forward more packets than B 1. Let B 0 1 be a certan value that player 1 may report to ts opponent. Now, let us examne the consequence when player 1 reports a false B 0 1 >B 1. By checkng the four solutons, we can see that such a B 0 1 can never decrease x 1 (.e., the number of packets that player 1 needs to forward for player ). Further, we can see that, when x 1 s ncreased upon reportng a false B 0 1 >B 1, the optmal x s always B 1. Therefore, reportng a B 0 1 >B 1 can never ncrease player 1 s payoff. How about reportng a false B 0 1 <B 1? After checkng all these solutons, we can see that such actons wll ether cause no effect on these solutons or wll decrease x. Although such actons may also decrease x 1, the penalty due to the decrease of x s always less than the gan due to the decrease of x 1. Therefore, reportng a B 0 1 <B 1 can never ncrease player 1 s payoff. Due to the symmetry between these two players, t s easy to check that reportng a false B 0 can never ncrease player s payoff too. Based on the above analyss, we can conclude that, n the two-player packet forwardng game, n order to maxmze ts own payoff and be resstant to possble cheatng behavor, a player should not forward more packets than ts opponent does for t. Specfcally, for each player N, n each stage, t should forward mnðb 1 ;B Þ packets for ts opponent unless there was a prevous stage n whch ts opponent forwarded less than mnðb 1 ;B Þ packets for t, n whch case t wll stop forwardng packets for ts opponent forever. We refer to the above strategy as two-player cheat-proof packet forwardng strategy..4 Dscusson The strateges proposed n [11], [1] may look smlar to the one descrbed above. In [11], Srnvasan et al. studed the cooperaton n ad hoc networks by focusng on the energyeffcent aspects of cooperaton, where, n ther soluton, the nodes are classfed nto dfferent energy classes and the behavor of each node depends on the energy classes of the partcpants of each connecton. They have demonstrated that, f two nodes belong to the same class, they should apply the same packet forwardng rato. However, they requre nodes to honestly report ther classes, and a node can easly cheat to ncrease ts own performance, such as the approach mentoned n [16] (Secton 8). Meanwhle, usng normalzed throughput alone as the performance metrc may not be a good choce n general, as to be explaned n the Secton 3.5. In [1], Urp et al. clamed that t s not possble to force a node to forward more packets than t sends on average (Lemma 6.), and then concluded that cooperaton can be enforced n a moble ad hoc network, provded that enough members of the network agree on t, and f no node has to forward more traffc that t generates (Theorem 6.3). However, the above analyss has shown that a strategy profle can stll be enforceable even ths may requre a node to forward more packets than t sends on average, as llustrated n solutons (7), (8), and (9). Second, n moble ad hoc networks, due to the multhop nature, n general, the number of packets a node forwards should be much more than the number of packets t generates. Accordngly, ther strategy s not applcable n most scenaros. The works presented n [5], [6] are also related to ours n the sense that cheatng behavor has also been consdered. They have proposed aucton-based schemes to stmulate packet forwardng partcpaton, where, by usng VCGbased second prce auctonng, these schemes force selfsh nodes to honestly report ther true prvate nformaton (such as cost) to maxmze ther proft. However, n ther schemes, a trusted thrd-party auctoneer s requred per route selecton and central bankng servces are needed to handle bllng nformaton, whch usually cannot be satsfed n a moble ad hoc network. In our work, we focus on the scenaro that nether a trusted thrd-party auctoneer nor central bankng servce s avalable. 3 SECURE ROUTING AND PACKET FORWARDING GAME 3.1 System Descrpton and Game Model Next, we wll nvestgate how to stmulate cooperaton for autonomous moble ad hoc networks n nosy and hostle envronments. We focus on the scenaro that the network wll keep alve for a relatvely long tme, and there exst a fnte number of users, such as students n a campus. Each user wll stay n the network for a reasonably long tme, but s allowed to leave and reconnect to the network when necessary. We assume that each legtmate user has a unque regstered and verfable dentty (e.g., a publc/prvate key par), whch s ssued by some central authorty and wll be used to perform necessary access control and authentcaton. We focus on an nformaton-push model where t s the source s duty to guarantee the successful delvery of packets to ther destnatons. For each user, forwardng a packet wll ncur some cost, and a successful delvery of a packet orgnatng from t to ts destnaton can brng some gan. Here, the cost can be the consumed energy and the gan s usually user and/or applcaton-specfc. Snce ad hoc networks are usually deployed n adversaral envronments, some nodes may be malcous, whose goal s to cause damage to other nodes. In ths paper, we focus on nsder attackers, that s, the attackers also have legtmate denttes. Preventng outsde attackers from enterng the network can be easly acheved through employng necessary access control and communcatng through shared secret channels. Instead of forcng all users to act fully cooperatvely (whch has been shown not achevable n some stuatons [16], [6]), our goal s to stmulate cooperaton among selfsh nodes as much as possble. In general, not all packet forwardng decsons can be perfectly executed. For example, when a node has decded to help another node to forward a packet, the packet may

5 YU AND LIU: GAME THEORETIC ANALYSIS OF COOPERATION STIMULATION AND SECURITY IN AUTONOMOUS MOBILE AD HOC stll be dropped due to lnk breakage or the transmsson may fal due to channel errors. In ths paper, we use p e to denote the packet droppng probablty owng to nose. We also assume that some underlyng montorng schemes, such as those presented n [18], [10], have been launched, where the source can know whether ts packets have been successfully delvered through end-to-end acknowledgement and can detect who has dropped ts packets. In order to formally analyze cooperaton and securty n such networks, we model the nteractons among nodes as a secure routng and packet forwardng game:. Players: The fnte number of users n the network, denoted by N.. Types: Each player N has a type, where ¼fselfsh; malcousg. Let N s denote the set of selfsh players and N m ¼ N N s denote the set of (nsder) attackers.. Strategy space: Routng and packet forwardng are jontly consdered, and each packet forwardng transacton s dvded to three stages: 1. Route partcpaton stage: For each player, after recevng a request askng t to be on a certan route, t can ether accept or refuse ths request.. Route selecton stage: For each player who has a packet to send, after dscoverng a vald route, t can ether use or not use ths route to send the packet. 3. Packet forwardng stage: For each relay, once t has receved a packet requestng t to forward, ts decson can be ether forward or drop ths packet.. Cost: For any player N, transmttng a packet, ether for tself or for the others, ncurs cost c.. Gan: For each selfsh player N s, f a packet orgnated from t can be successfully delvered to ts destnaton, t can get gan g, where g c.. Utlty: For each player N, T ðtþ denotes the number of packets that player needs to send by tme t, S ðtþ denotes the number of packets that have been successfully delvered to ther destnatons by tme t wth player beng the source, F ðj; tþ denotes the number of packets that has forwarded for player j by tme t, and F ðtþ ¼ P jn F ðj; tþ. Let W ðj; tþ denote the total number of useless packet transmssons that player has caused to player j by tme t due to droppng the packets forwarded by j. Let t f be the lfetme of ths network. Then, we model the players utlty as follows: 1. For any selfsh player N s, ts objectve s to maxmze U s ðt fþ wth U s ðt fþ¼ S ðt f Þg F ðt f Þc : ð1þ T ðt f Þ. For any malcous player j N m, ts objectve s to maxmze U m j ðt fþ wth. We refer to all those factors whch can cause mperfect decson executon as nose, ncludng those uncertanty factors such as channel errors, lnk breakages, congeston, etc. Uj m ðt fþ¼ 1 X W j ð; t f ÞþF ðj; t f Þ c F j ðt f Þc j : t f N s ð13þ If the game wll be played for an nfnte duraton, then ther utltes wll become lm tf!1 U s ðt fþ and lm tf!1 U m j ðt fþ, respectvely. On the rght-hand sde of (1), the numerator denotes the net proft (.e., total gan mnus total cost) that the selfsh node obtaned, and the denomnator denotes the total number of packets that needs to send. Ths utlty functon represents the average net proft that can obtan per packet. We can see that maxmzng (1) s equvalent to maxmzng the total number of successful delveres subject to the total avalable cost constrant. If c ¼ 0, ths s equal to maxmzng the throughput. The numerator of the rght-hand sde of (13) represents the net damage caused to the other nodes by j. Snce, n general, ths value may ncrease monotoncally, we normalze t usng the network lfetme t f. Now, ths utlty functon represents the average net damage that j causes to the other nodes per tme unt. From (13), we can see that, n ths game, the attackers goal s to waste the selfsh nodes cost (or energy) as much as possble. The attackers are allowed to collude to maxmze ther performance. Other possble alternatves, such as mnmzng the others payoff, wll be dscussed n Secton Attack-Resstant and Cheat-Proof Cooperaton Stmulaton Strateges Based on the system descrpton n Secton 3.1, we can see that the multnode scenaro s much more complcated than the two-node scenaro, and drectly applyng the two-player cooperaton strateges to multnode scenaros may not work. In ths secton, we frst explore the challenges to stmulate cooperaton for autonomous moble ad hoc networks n nosy and hostle envronments, then devse attack-resstant and cheat-proof cooperaton stmulaton strateges. Frst, n autonomous moble ad hoc networks, the repeated game model s not applcable any more. For example, a source may request dfferent nodes to forward packets at dfferent tmes and may act as a relay for dfferent sources. Meanwhle, the request rates of each node to other nodes are usually varable, whch can be caused ether by ts nherent varable traffc generaton rate or by moblty. A drect consequence of such a nonrepeated model s that favors cannot be smultaneously granted. In [19], Dawkns demonstrated that recprocal altrusm s benefcal for every ecologcal system when favors are granted smultaneously. However, when favors cannot be granted smultaneously, altrusm may not guarantee satsfactory future payback, especally when the future s unpredctable. Ths makes cooperaton stmulaton n autonomous moble ad hoc networks an extremely challengng task. Second, n wreless networks, nose s nevtable and can cause severe trouble. For a two-player cheat-proof packet forwardng strategy, f some packets are dropped due to nose, the game wll be termnated mmedately and the performance wll be degraded drastcally. Ths wll also happen n most exstng cooperaton enforcement schemes, such as [11], [16]. In these schemes, nose can easly cause the collapse of the whole network, where, fnally, all nodes wll act noncooperatvely. Dstngushng the msbehavor

6 464 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 007 caused by nose from that caused by malcous ntenton s a challengng task. Thrd, snce autonomous moble ad hoc networks are usually deployed n adversaral envronments, some nodes may even be malcous. If there exst only selfsh nodes, stmulatng cooperaton wll be much easer accordng to the followng logc as demonstrated n [16]: Msbehavor can result n the decrease of servce qualty experenced by some other nodes, whch may consequently decrease the qualty of servce provded by them; ths qualty degradaton wll then be propagated back to the msbehavng nodes. Therefore, selfsh nodes have no ncentve to ntentonally behave malcously n order to enjoy a hgh qualty of servce. However, ths s not the case when some nodes are malcous. Snce the attackers goal s to degrade the network performance, such qualty degradaton s exactly what they want to see. Ths makes cooperaton stmulaton n hostle envronments extremely challengng. Unfortunately, malcous behavors have been heavly overlooked when desgnng cooperaton stmulaton strateges. In the rest of ths secton, we study how to combat these challenges. We partton the secure routng and packet forwardng game nto a set of subgames, where each subgame s played by a par of nodes. To effectvely stmulate cooperaton among selfsh nodes n nosy and hostle envronments, a credt mechansm s ntroduced to allevate the effect of nonsmultaneous favor return, and a statstcal attacker detecton mechansm s ntroduced to dstngush malcous behavor from msbehavor caused by nose. We frst ntroduce the credt mechansm. For any two nodes ; j N, we defne D ðj; tþ as follows: D ðj; tþ ¼F ðj; tþ F j ð; tþ: ð14þ Now, consder the followng strategy: Each node wll lmt the number of packets that t wll forward for any other node j n such a way that the total number of packets that has forwarded for j by any tme t should be no more than F j ð; tþþd max ðj; tþ, that s, D ðj; tþ D max ðj; tþ: ð15þ Here, D max ðj; tþ s a threshold set by for two purposes: 1) stmulate cooperaton between and j, and ) lmt the possble damage that j can cause to. By lettng D max ðj; tþ be postve, agrees to forward some extra packets for j wthout gettng nstant payback. Meanwhle, unlke actng fully cooperatvely, the extra number of packets that wll forward for j wll be bounded to lmt the possble damage when j plays noncooperatvely. Ths s analogous to a credt card system where D max ðj; tþ can be regarded as the credt lne that sets for j at tme t. Lke a credt card company adjusts credt lnes, D max ðj; tþ can also be adjusted by over tme. We refer to D max ðj; tþ as the credt lne set by to j. It s easy to see that an optmal settng of credt lnes s crucal to effectvely stmulatng cooperaton n nosy and hostle envronments. Next, we llustrate how to set good credt lnes. If the request rates between and j are constant, then settng the credt lne to be 1 wll be optmal n the sense that no request wll be refused when two nodes have the same request rate. However, due to moblty and nodes nherent varable traffc generaton rates, the request rates between and j are usually varable. In ths case, f the credt lnes are set to be too small, some requests wll be refused even when the average request rates between them are equal. Let f ðj; tþ denote the number of tmes that needs j to help forward packets by tme t. If we set the credt lnes as follows: D max D max j ðjþ ¼maxf1;f ðj; tþ f j ð; tþg; t ðþ ¼maxf1;f j ð; tþ f ðj; tþg; t ð16þ then, except the frst several requests, no other requests wll be refused when the average request rates between them are equal. If the average request rates between them f are not equal, assumng that lm ðj;tþ t!1 f jð;tþ > 1, then no matter how large D max ðjþ s, a certan porton of s requests wll have to be refused. Ths makes sense snce j has no ncentve to forward more packets for. Ths also suggests that arbtrarly ncreasng credt lnes cannot always ncrease the number of accepted requests. It s worth pontng out that (16) requres f ðj; tþ and f j ð; tþ to be known by and j. However, such pror knowledge s usually not avalable snce each node may not know a pror the others request rates. A smple soluton to ths s to set the credt lnes to be reasonably large postve constants, as n our smulatons. It has been shown n [16] that topology wll also play a crtcal role n enforcng cooperaton for fxed ad hoc networks and, n most stuatons, cooperaton cannot be enforced. For example, a node n a bad locaton may never be able to get help from other nodes due to the fact that no one wll need t to forward packets. In ths work, we focus on moble ad hoc networks. In such networks, a node n a bad locaton at a certan tme may move to a better locaton later, or vce versa. Ths suggests that, when a node receves a packet forwardng request from another node, t should not refuse ths request smply because the requester cannot help t currently, snce the requester may be able to help t later. Next, we ntroduce a statstcal droppng packet attack detecton mechansm to dstngush packet droppng caused by malcous behavor from those caused by nose. To smplfy our analyss, we frst model packet droppng due to nose as follows: For any player, when t has decded to forward a packet for any other player j, wth probablty 1 p e, ths packet may be dropped due to nose. That s, packet droppng caused by nose s modeled usng a Bernoull random process. p e can be ether estmated by nodes onlne or traned offlne. Let R ðj; tþ denote the number of packets that has requested j to forward and j has agreed by tme t. Based on the Central Lmt Theorem [0], for any x R þ, we can have lm Prob R ðj;tþ!1 where! F j ð; tþ R ðj; tþp e pffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff x ¼ ðxþ; R ðj; tþp e ð1 p e Þ ðxþ ¼ 1 Z x pffffffffff e t = dt: 1 ð17þ ð18þ

7 YU AND LIU: GAME THEORETIC ANALYSIS OF COOPERATION STIMULATION AND SECURITY IN AUTONOMOUS MOBILE AD HOC That s, when R ðj; tþ s large, the suffcent statstcs F j ð; tþ R ðj; tþp e can be approxmately modeled as a random varable wth mean 0 and varance R ðj; tþp e ð1 p e Þ: Let sbad ðjþ denote s belef about j s type, where sbad ðjþ ¼1 ndcates that beleves j s malcous, whle sbad ðjþ ¼0 ndcates that beleves j s good. Then, the followng hypothess testng rule can be used by to judge whether j has malcously dropped ts packets wth 1 ðxþ beng the maxmum allowable false postve probablty: sbad ðjþ ¼ ( p 1 f F j ð; tþ R ðj; tþp e < x ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff R ðj; tþp e ð1 p e Þ; p 0 f F j ð; tþ R ðj; tþp e x ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff R ðj; tþp e ð1 p e Þ: ð19þ By summarzng the above results, we can arrve at the followng cooperaton stmulaton strateges, whch we refer to as Multnode attack-resstant and cheat-proof cooperaton strategy: In the secure routng and packet forwardng game, for any selfsh node N s, ntally, sets sbad ðjþ ¼0 for all j N. Then, n dfferent stages, the followng strategy wll be used by : 1. In the route partcpaton stage, f has been requested by j to be on a certan route, wll accept ths request f j has not been marked as malcous by and (15) holds; otherwse, wll refuse.. In the route selecton stage, a source wll use a vald route wth n hops to send packets only f a) no ntermedate nodes on ths route have been marked as malcous, b) the expected gan s larger than the expected cost, that s, ð1 p e Þ n g >nc, and c) ths route has the mnmum number of hops among all those vald routes wth no nodes beng marked as malcous by. 3. In the packet forwardng stage, wll forward a packet for j f has agreed before and j has not been detected as malcous by ; otherwse, wll drop ths packet. 4. Let 1 ðxþ be the maxmum allowable false postve probablty from s pont of vew, then, as long as R ðj; tþ s large for any node j N (e.g., larger than 00), the detecton rule (19) wll be appled by after each packet forwardng transacton ntated by t. 3.3 Strategy Analyss under No Attacks Ths secton analyzes the optmalty of the proposed strateges when no attackers exst. We frst consder an nfnte lfetme stuaton wth T ðtþ!1 as t!1. The fnte lfetme stuaton wll be dscussed later. We assume that credt lnes are set n such a way that, for any node, lm t!1 D max ðj; tþ ¼ 0; T ðtþ ð0þ f and for any par of nodes and j, when lm ðj;tþ t!1 f jð;tþ 1, at most a fnte number of s requests wll be refused by j due to the fact that (15) does not hold. We also assume that, due to moblty, each par of nodes n the network can meet nfnte tmes when t f!1. Lemma 1. For any selfsh node N n the secure routng and packet forwardng game wth no attackers, once has receved a route partcpaton request from any other node j N, f (15) holds and the multnode attack-resstant and cheat-proof cooperaton strategy s used by player j, then acceptng the request s always an optmal decson from player s pont of vew. Proof. From player s pont of vew, refusng the request may cause t to lack enough balance to request player j to forward packets for t n the future (.e., D j ð; tþ >D max j ð; tþ), whle agreeng to forward the packet wll not ntroduce any performance loss due to the assumpton (0). Therefore, acceptng the request s an optmal decson. tu Lemma. In the secure routng and packet forwardng game where some packet forwardng decsons may not be perfectly executed, from the pont of vew of any player j N, f the multnode attack-resstant and cheat-proof cooperaton strategy s followed by all the other nodes, n the packet forwardng stage ntentonally droppng a packet that t has agreed to forward cannot brng t any gan. Proof. When a player j N ntentonally drops a packet that t has agreed to forward for any other player N, t cannot get any gan except savng the cost to transmt ths packet. However, snce player follows the multnode attack-resstant and cheat-proof cooperaton strategy, F that s, t wll always try to mantan lm ðj;tþ t!1 F j ð;tþ 1, by droppng ths packet, player j also loses a chance to request player to forward a packet for t. To get the chance back, player j has to forward another packet for player. Therefore, ntentonally droppng a packet cannot brng any gan to player j. tu Theorem 1. In the secure routng and packet forwardng game wth no attackers, the strategy profle that all players follow the multnode attack-resstant and cheat-proof cooperaton strategy forms a subgame perfect equlbrum, s cheat-proof, and acheves absolute farness n cost f c ¼ c for all N. If T 0 < lm ðtþ t!1 T jðtþ < 1 for any ; j N, ths strategy profle s also strongly Pareto optmal. Proof. We frst prove that ths strategy profle forms a subgame perfect equlbrum. Snce ths multplayer game can be decomposed nto many two-player subgames, we only need to consder the two-player subgame played by player and player j. Suppose that player j does not follow the above strategy; that s, ether t wll refuse to forward packets for player when t should, t wll ntentonally drop packets that t has agreed to forward for player, t wll forward more packets than t should for player, or t wll use nonmnmum cost routes to send packets. Frst, from Lemma 1 and Lemma, we know that refusng to forward packets for other players when t should or ntentonally droppng packets that t has agreed to forward wll not ntroduce any performance gan. Second, forwardng many more packets (.e., more than ðj; tþ) than player j has forwarded for t wll not D max

8 466 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 007 ncrease ts own payoff too accordng to the assumpton of credt lne selectons. Thrd, usng a nonmnmum cost route to send a packet wll decrease ts expected gan. Based on the above analyss, we can conclude that the above strategy profle (the multplayer attack-resstant and cheat-proof cooperaton strategy) forms a Nash equlbrum. To check that the profle s subgame perfect, note that, n every subgame off the equlbrum path, the strateges are ether to play noncooperatvely forever f player j has dropped a certan number of packets that t has agreed to forward for player, whch s a Nash equlbrum, or stll to play the multplayer cheat-proof packet forwardng strategy, whch s also a Nash equlbrum. Snce no prvate nformaton of g and c has been nvolved, based on the analyss presented n Secton, we can conclude that the proposed cooperaton stmulaton strategy s cheat-proof. Snce we have F ðj; tþ F j ð; tþ <D max ðj; tþ for any D player ; j N and lm max ðj;tþ t!1 T ðtþ ¼ 0, and we have assumed that c ¼ c for all N, t always holds that P jn;j6¼ lm F ðj; tþ t!1 PjN;j6¼ F ¼ 1: ð1þ jð; tþ That s, ths strategy can acheve absolute farness n cost. Now, we show that the strategy profle s strongly Pareto optmal. From payoff functon (1), we can see that, to ncrease ts own payoff, a player can ether try to ncrease S ðtþ or decrease F ðtþ. However, accordng to the above strategy, mnmum cost routes have been used; therefore, F ðtþ cannot be further decreased wthout affectng the others payoff. In order to ncrease ts payoff, the only way that player can do s to ncrease lm t!1 S ðtþ T ðtþ, whch means that some other players wll have to forward more packets for player. Snce all T ðtþs are n the same order, ncreasng player s payoff wll defntely decrease the other players payoff. Therefore, the above strategy profle s strongly Pareto optmal. tu In the proof of Theorem 1, we have assumed that 1) D max ðj; tþ s large enough such that forwardng D max ðj; tþ more packets than player j has forwarded for t wll not ncrease ts own payoff, and ) D max ðj; tþ s also small D enough such that lm max ðj;tþ t!1 T ðtþ ¼ 0. If D max ðj; tþ cannot satsfy the above two requrements, the proposed strategy profle s not necessarly a Nash equlbrum. Fndng a D max ðj; tþ to satsfy the frst requrement s easy, whle to satsfy both requrements may be dffcult or may even be mpossble when nodes requests rates and moblty patterns are not known a pror. However, our smulaton results show that, n many stuatons, even a nonoptmal D max ðj; tþ can stll effectvely stmulate cooperaton. From the above analyss, we can see that, as long as g s larger than a certan value, such as ð1 p e Þ L max g >L max c, where L max s a system parameter to ndcate the maxmum possble number of hops that a route s allowed to have, then varyng g wll not change the strategy desgn. Untl now, we have manly focused on the stuaton that the game wll be played for nfnte duraton. In most stuatons, a node wll only stay n the network for fnte duraton. Then, for each player, fd max ðjþ s too large, t may have helped ts opponents much more than ts opponents have helped t, whle, f D max ðjþ s too small, t may lack enough nodes to forward packets for t. How to select a good D max ðjþ stll remans as a challenge. Secton 4 has studed the trade-off between the value of D max ðjþ and the performance through smulatons, whch shows that, under gven smulaton scenaros, a relatvely small D max ðjþ value s good enough to acheve near-optmal performance (compared to settng D max ðjþ to be 1) and good farness (comparng to absolute farness n cost). Here, t s also worth pontng out that the optmalty of the proposed strateges cannot be guaranteed n fnte duraton scenaros. 3.4 Strategy Analyss under Attacks In ths paper, we focus on the followng two wdely used attack models are consdered: droppng packet attack and njectng traffc attack. To smplfy our llustraton, we assume that c ¼ c and g ¼ g for all N. We frst study droppng packet attack. By droppng other nodes packets, attackers can decrease the network throughput and waste other nodes lmted resources. Accordng to the proposed attacker detecton strategy, from an attacker s pont of vew, droppng all packets may not be a good strategy snce ths can be easly detected. Intutvely, n order to maxmze the damage, attackers should selectvely drop some porton of packets to avod beng detected. Accordng to the multnode attack-resstant and cheat-proof cooperaton strategy, the maxmum number of packets that an attacker can drop p wthout beng detected s upperbounded by np e þ x ffffffffffffffffffffffffffffffffffffffffffffff np e ð1 p e Þ, where n s the number of tmes that t has agreed to p forward. That s, t has to forward at least nð1 p e Þ x ffffffffffffffffffffffffffffffffffffffffffffff np e ð1 p e Þ packets. However, among those dropped packets, nð1 p e Þ packets can be caused by nose even f no attackers are p present. Thus, the extra damage s upper-bounded by x ffffffffffffffffffffffffffffffffffffffffffffff p np e ð1 p e Þc. Meanwhle, the extra cost s nð1 p e Þc x ffffffffffffffffffffffffffffffffffffffffffffff np e ð1 p e Þc. Snce, for any constant value x R þ, we have p x ffffffffffffffffffffffffffffffffffffffffffffff np e ð1 p e Þ lm ¼ 0; ðþ n!1 nð1 p e Þ selectvely droppng packets can brng no gan to the attackers. In other words, f the game wll be played for an nfnte duraton, droppng packet attack cannot cause damage to selfsh nodes. Now, we study njectng traffc attack. By njectng an overwhelmng number of packets to the network, attackers can consume other nodes resources when they help the attacker s forwardng packets. Snce, for each selfsh node N s, we have D ðj; tþ D max ðj; tþ, the maxmum number of packets that an attacker j can request to forward wthout payng back s upper-bounded by D max ðj; tþ. Therefore, the damage that can be caused by njectng traffc attack s bounded and lmted and becomes neglgble when lm max ðj;tþ D t!1 T ðtþ ¼ 0.

9 YU AND LIU: GAME THEORETIC ANALYSIS OF COOPERATION STIMULATION AND SECURITY IN AUTONOMOUS MOBILE AD HOC In summary, when the multnode attack-resstant and cheat-proof strategy s used by all selfsh nodes, attackers can only caused lmted damage to the network. Further, the relatve damage wll go to 0 when the game wll be played for nfnte duraton. Snce R ðj; tþ and F j ð; tþ are n the same order, for any constant value x R þ, we always have p ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff lm R ðj;tþ!1 x R ðj; tþpð1 pþ ¼ 0: F j ð; tþ ð3þ Therefore, except some false postve, selfsh players overall payoff wll not be affected under attacks. Although false postve may cause a node unable to get help from some other nodes, ths wll not become a bg ssue snce the false postve probablty can be made to approach 0 by usng a large constant x wthout decreasng the overall payoff. From the above analyss, we can also see that no matter what objectves the attackers have and what attackng strategy they use, as long as selfsh nodes apply the multnode attack-resstant and cheat-proof cooperaton strategy, the selfsh nodes performance can be guaranteed. Based on the above analyss, we can conclude that, for the nfnte duraton case, an attacker j s overall payoff s upper-bounded by U m j X lm t!1 Dmax t N s ðj; tþ c; ð4þ provded that all selfsh nodes follow the multnode attackresstant and cheat-proof cooperaton strategy. Ths upperbound can be acheved by the followng attackng strategy, whch we refer to as Optmal Attackng Strategy: In the secure routng and packet forwardng game, for any attacker j N m, t should always refuse n the route partcpaton stage, should always pck the route ncludng no attackers n the route selecton stage, and should not forward packets n the packet forwardng stage. Followng smlar arguments as n the proof of Theorem 1, we can also show that, n the nfnte duraton secure routng and packet forwardng game, the strategy profle where all selfsh players follow the multnode attackresstant and cheat-proof cooperaton strategy and all attackers follow the above optmal attackng strategy forms a subgame perfect equlbrum, s cheat-proof and strongly Pareto optmal, and acheves absolute farness n cost under some mld condtons. When the game wll only be played for fnte duraton, the above attackng strategy s not optmal any more. Now, the attackers can try to drop some nodes packets wthout beng detected, snce the statstcal droppng packet attacker detecton wll not be ntated unless havng collected enough nteractons (.e., R ðj; tþ s large enough n (19)) to avod hgh false postve probablty. In ths case, selfsh nodes performance wll be degraded a lttle bt. However, as long as the game wll be played for a reasonably long tme, whch s the focus of ths paper, the relatve damage s stll nsgnfcant. 3.5 Dscusson Compared wth exstng work, such as [11], [1], [13], [14], [15], [16], we have addressed cooperaton stmulaton under more realstc and challengng scenaros: nosy envronment, exstence of (nsder) attackers, varable traffc rate, etc. In such scenaros, nstead of enforcng all nodes to act fully cooperatvely, our goal s to stmulate cooperaton among nodes as much as possble. One major dfference between our scheme and most exstng reputaton-based schemes s that, n our scheme, parwse relatonshps have been mantaned by nodes. That s, each selfsh node wll keep track of the nteractons wth all the other nodes met by t. The drawback s that t requres per-node montorng and wll result n extra storage overhead. However, the advantage les n that t can effectvely stmulate cooperaton n nosy and hostle envronments. Actually, for each node, at any tme, t only needs to mantan the records R ðjþ, sbad ðjþ, F ðjþ, and F j ðþ for any other node j that has nteracted wth, so the maxmum storage overhead s upper-bounded by 4jNj. As long as jnj s not too large, for most moble devces, such as notebook and PDA, the storage requrement s nsgnfcant. In most exstng work, such as n [11], [1], [15], [16], however, each node makes ts decson based solely on ts own experenced qualty of servce, such as throughput. Although the overhead s much lower than our scheme due to that only end-to-end acknowledge s requred and each node only needs to keep ts own past state, they cannot effectvely stmulate cooperaton at all n nosy and hostle envronments. As explaned n Secton 3., ther logc s that no node wll behave malcously snce msbehavors wll be propagated back later and the qualty of servce experenced by the msbehavng nodes wll also be decreased. However, such logc cannot hold n nosy and hostle envronments. Frst, attackers wll be wllng to see such performance degradaton; therefore, they wll try to behave malcously f possble. Second, even only nose tself can cause such msbehavor propagaton and performance degradaton snce nose can cause packet droppng. Meanwhle, wthout per-node montorng, attackers can always behave malcously and cause damage to the others wthout beng detected. In [11], [16], when a node makes ts cooperaton decson at each step, t only bases on the normalzed throughput that t has experenced. If only normalzed throughput s used, a greedy user can set a low forwardng rato, but try to send a lot of packets. Therefore, unless the others also try to send a lot of packets, from the greedy node s pont of vew, even after a large porton of ts packets have been dropped by other nodes, t can stll enjoy a hgh throughput, although the normalzed throughput may be low. Meanwhle, as mentoned before, applyng the same forwardng rato to all nodes s not far to those who have acted cooperatvely. To resolve ths problem, n our scheme, each node apples a dfferent packet forwardng decson for dfferent nodes based on ts past nteractons between them. In addton to reputaton-based cooperaton stmulaton schemes, prcng-based schemes have also been proposed n the lterature, such as [], [3], [4], [5], [6]. Comparng to prcng-based schemes, the major drawback of reputatonbased schemes s that some nodes may not get enough help to send out all ther packets. The most underlyng reasons are that favors cannot be returned mmedately and the future s not predctable. In other words, when a node s requested by another node to forward packets, snce t cannot get compensaton mmedately and t s not sure whether the requester wll return the favor later, t usually has no strong ncentve to accept the request. Prcng-based schemes do not suffer such problems snce a node can get mmedate

10 468 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 007 Fg.. Selfsh nodes performance under the proposed strateges. monetary payback after provdng servces. However, prcng-based schemes requre tamper-proof hardware or central bankng servce to handle bllng nformaton, whch s ther major drawback. If such a requrement can be effcently satsfed wth low overhead, prcng-based schemes can be a better choce than reputaton-based schemes. Meanwhle, t s worth pontng out that prcngbased schemes also suffer from nose and possble malcous behavor, and the proposed statstcal attacker detecton mechansm s also applcable to prcng-based scenaros. In general, necessary montorng s needed when stmulatng cooperaton among nodes. For example, n [7], watchdog s proposed to detect whether some nodes have dropped packets. In ths paper, we assume that the underlyng montorng mechansm can provde accurate per-node montorng. Although ths can be a strong assumpton n some scenaros, t can greatly smplfy our analyss and, at the same tme, provde thoughtful nsghts. It s worth mentonng that, n some stuatons, perfect montorng s ether not avalable or too expensve to afford. Meanwhle, n our current analyss, the cost ncurred by the underlyng montorng mechansm has not been ncluded. The study of mperfect montorng s beyond the scope of ths paper, but wll be nvestgated n our future work. In our analyss, we have assumed that the packet drop rato p e s the same for all nodes at all tmes, whch may not hold n general. If dfferent nodes may experence dfferent p e, the nodes experencng lower p e may experence hgh false postve probabltes when performng the proposed attacker detecton mechansm. In ths case, to decrease false postve probablty, nodes need set the threshold to be large enough, that s, usng a larger x and p e n (19). Although ths may be taken advantage of by the attackers to cause more damage, as long as the gap between the packet droppng ratos experenced by dfferent nodes s not large, whch s usually the case, the extra damage s stll lmted. It s also worth mentonng that the securty of the proposed strategy also reles on the exstng secure protocols such as those n [10], [18], [1], [], [3], [4], [5], [6], [7], [8], [9], [30]. In general, besdes droppng packets and njectng traffc, attackers can also have a varety of ways to attack the network, such as jammng, slander, etc. Instead of tryng to address all these attacks, n ths paper, our goal s to provde nsght on stmulatng cooperaton n nosy and hostle envronments. 4 SIMULATION STUDIES We have conducted a set of smulatons to evaluate the performance of the proposed strateges under varous scenaros. In these smulatons, 100 selfsh nodes and varous numbers of attackers are randomly deployed nsde a rectangular area of 1; 000 m 1; 000 m. Each node may ether be statc or move accordng to the random waypont model [31]: A node starts at a random poston, wats for a duraton called the pause tme, then randomly chooses a new locaton and moves toward the new locaton wth a velocty unformly chosen between v mn and v max. The physcal layer assumes that two nodes can drectly communcate wth each other successfully only f they are n each other s transmsson range, whch s set to be 50 m. The MAC layer protocol smulates the IEEE DCF wth a four-way handshakng mechansm [3]. The lnk bandwdth s 4 Mbps and the data packet sze s 1,04 bytes. DSR [33] s used as the underlyng routng protocol. For each smulaton, each node randomly pcks another node as the destnaton to send packets accordng to a Posson random process. The average packet nterarrval tme s 1 s for each selfsh node and 0. s for each attacker. Meanwhle, when a packet s dropped, no retransmsson wll be appled. We set g ¼ 1, c ¼ 0:1, and t f ¼ 15;000 s. 4.1 Smulaton Studes wth Dfferent Credt Lnes We frst study how dfferent credt lnes can affect cooperaton stmulaton. In ths set of smulatons, there are only moble selfsh nodes whch follow the multnode attack-resstant and cheat-proof cooperaton strategy. Each moble node follows the random waypont moblty pattern wth v mn ¼ 10 m=s, v max ¼ 30 m=s, and pause tme 100 s. In each smulaton, the credt lne (CL) s fxed to the same for all selfsh nodes. The smulaton results are depcted n Fg.. Fg. a demonstrates the relatonshp between CL, the average payoff, and the normalzed throughput of selfsh nodes. From these results, we can see that, when the credt lne s over 80, the selfsh nodes average payoff does not ncrease any more, though the throughput may stll

YU AND LIU: GAME THEORETIC ANALYSIS OF COOPERATION STIMULATION AND SECURITY IN AUTONOMOUS MOBILE AD HOC... 469 TABLE 1 The Four Ad Hoc Networks Consdered ncrease a lttle bt.

11 YU AND LIU: GAME THEORETIC ANALYSIS OF COOPERATION STIMULATION AND SECURITY IN AUTONOMOUS MOBILE AD HOC TABLE 1 The Four Ad Hoc Networks Consdered ncrease a lttle bt. Ths suggests that settng CL ¼ 80 s almost optmal. Now, we examne each ndvdual node s payoff. Fg. b shows the ndvdual nodes payoff under three CL settngs. Frst, we can see that, for each node, settng CL ¼ 60 results n much hgher payoff than settng CL ¼ 10. Second, although, on average, settng CL ¼ 30 can result n a slghtly hgher payoff than settng CL ¼ 60, t s also easy to notce that a large porton of nodes (more than 0 percent) suffer much lower payoff than settng CL ¼ 60. The reason s that these nodes have acted too generously n the sense that they have forwarded many more packets for the others than the others have done for t, whch consequently decreases ther payoff. Ths suggests that, when a node wll only stay n the network for a fnte duraton, t may not be a good choce to set a very hgh credt lne. In the followng smulatons, each selfsh node wll set CL ¼ Smulaton Studes under Dfferent Networks In ths secton, we nvestgate the performance of the proposed cooperaton strateges n dfferent ad hoc networks. We stll consder only selfsh nodes where all nodes follow the multnode attack-resstant and cheat-proof cooperaton strategy. However, nstead of consderng only moble ad hoc networks, we have also conducted smulatons n statc and partally moble ad hoc networks. Specfcally, the followng four types of ad hoc networks are consdered n Table 1. Fg. 3 depcts each ndvdual node s payoff under each of the four network settngs. Frst, we can see that most nodes have very low payoff n the statc ad hoc network. Ths s easy to understand: After these nodes have used up all the credt lnes assgned by ther neghbors to them, and snce ther neghbors may not need ther help due to topology dependence, these nodes cannot request that ther neghbors forward packets for them any more. Second, we can also see that some nodes n a statc network stll have very hgh Fg. 3. Performance comparson n dfferent networks. payoff (almost 0.9). Ths s becausem for these nodes, ther destnatons are wthn ther one-hop transmsson range, so they do not rely on the others to forward packets. What f some nodes are moble n the network? Now, let us examne selfsh nodes performance under partally moble ad hoc networks. Frst, the 50 moble nodes (the nodes wth ndex between 1 and 50) have almost comparable payoff to nodes n moble ad hoc networks, though several of them stll have a lttle bt lower payoff. Second, for the 50 statc nodes (wth ndex between 51 and 100), the majorty of them suffer farly low payoff, though some of them have hgh payoff because ther destnatons are wthn ther transmsson ranges. Thrd, comparng to the statc ad hoc network, even those 50 statc nodes have much hgher payoff. These results suggest that moblty can play a very postve role n allevatng the effect of topology dependency. Now, let us come back to moble ad hoc networks. Frst, from Fg. 3, we can see that, n both moble ad hoc networks (Moble network 1 and ), all nodes experence farly hgh payoff, and all payoffs le n a narrow range. These results suggest that the proposed strateges can effectvely smulate cooperaton among selfsh nodes n moble ad hoc networks. Second, nodes n moble network have slghtly hgher payoff than nodes n moble network 1. Ths s because moble network has a lower moblty rate than moble network 1, whch leads to low lnk breakage rato. It s worth pontng out that, accordng to the random waypont model, each moble node can move globally nsde the specfed area. Sometmes nodes movement may be restrcted n a certan local area. In the future, we wll also nvestgate how restrcted movement can affect cooperaton stmulaton. Actually, the above partally moble network can be regarded as a specal case of such network wth restrcted movement snce half nodes of ths network are restrcted to fxed locatons. 4.3 Smulaton Studes under Attacks Now, we study how the proposed cooperaton stmulaton strateges can effectvely handle attacks, specfcally, droppng packets attack and njectng traffc attacks. In ths set of smulatons, selfsh nodes follow the multnode attackresstant and cheat-proof cooperaton strategy and attackers follow the optmal attackng strategy. All nodes are moble, and each follows the random waypont moblty pattern wth v mn ¼ 10 m=s, v max ¼ 30 m=s, and pause tme 100s. For each selfsh node, the maxmum allowable false postve probablty s set to be 0.1 percent, and the lnk breakage rato p e s estmated based on ts own experence, whch s the rato between the total number of lnk breakages t has experenced wth tself beng the transmtter and the total number of transmssons t has tred. Fg. 4 draws the estmated values of p e under the current

12 470 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 007 Fg. 4. Estmated lnk breakage rato. network confguraton, whch shows that all nodes have almost the same lnk breakage rato (here, percent). We frst study how well the proposed strateges can scale wth the ncreased number of attackers. Fg. 5a shows the selfsh nodes average payoff under varous number of attackers, and Fg. 5b shows the total damage that the attackers have caused to selfsh nodes, where total damage s defned n (13) wthout beng dvded by t f. Frst, from Fg. 5b, we can see that the total damage that the attackers can cause ncreases almost lnearly wth the ncrease of attacker number. Ths makes sense snce, the hgher the number of attackers, the more traffc they can nject and the more packets they can drop. Second, from Fg. 5a, we can see that the selfsh nodes average payoff decreases only very slghtly wth the ncreased number of attackers. Further, n the above smulaton results, there also exst some ponts where the selfsh nodes payoff may even ncrease a lttle bt wth the ncreased number of attackers. Such behavor can be better llustrated by Fg. 5c, where, n ths fgure, we have drawn the selfsh nodes average payoff wth the ncrease of tme under both no attackers and under 0 attackers. From Fg. 5c we can see that, n the frst 4,000 s, the selfsh nodes can have hgher payoff under no attackers than under 0 attackers, whle, later, the selfsh nodes payoff under attacks may even outperform the payoff under no attacks. Ths phenomenon can be explaned as follows: Intally, the damage s manly caused by njectng traffc attacks, then, after attackers have used up all the credt lnes assgned by the selfsh nodes, the damage s contrbuted mostly by droppng packet attacks. However, snce the lnk breakage rato s low, the attackers can only drop very few packets wthout beng detected. The reasons the selfsh nodes payoff under attacks may even outperform the payoff under no attacks come from 1) the randomness of each smulaton and ) because, by partcpatng packet forwardng, the attackers can also decrease the average number of hops per selected route, whch consequently ncreases the selfsh nodes payoff. In the fnal set of smulatons, we demonstrate why settng a very hgh credt lne may not be a good choce. In ths set of smulatons, we fx the number of attackers to be 0, but vary the credt lnes n each smulaton, rangng from 0 to 100. The smulaton results are llustrated n Fg. 6. From Fg. 6b, we can see that, wth the ncrease of credt lne, the damage that can be caused by attackers wll also ncrease lnearly because attackers can nject more packets. From Fg. 6a, we can see that ncreasng the credt lne may even decrease the selfsh nodes performance. For example, the selfsh nodes wth CL ¼ 100 have even lower payoff than selfsh nodes wth CL ¼ 80. Ths can be easly understood by examnng the results presented n Fg. 6b: Settng the credt lne to be 100 wll let the selfsh nodes suffer more damage than settng the credt lne to be CONCLUSION In ths paper, we have formally nvestgated secure cooperaton stmulaton n autonomous moble ad hoc Fg. 5. Performance study under attacks. Fg. 6. The effect of credt lnes under attacks.

13 YU AND LIU: GAME THEORETIC ANALYSIS OF COOPERATION STIMULATION AND SECURITY IN AUTONOMOUS MOBILE AD HOC Fg. 7. Player 1 falsely reports the value of 1. (a) 0 1 <. (b) 0 1 >. networks under a game theoretc framework. Besdes selfsh behavor, possble attacks have also been studed, and attack-resstant cooperaton stmulatons have been devsed whch can work well under nosy and hostle envronments. Frst, a smple yet llumnatng two-player packet forwardng game s studed. To fnd good cooperaton strateges, equlbrum refnements have been performed on obtaned Nash equlbrum solutons under dfferent optmalty crtera, ncludng subgame perfecton, Pareto optmalty, farness, and cheat-proofng. Fnally, a unque Nash equlbrum soluton s derved, whch states that, n the two-node packet forwardng game, a node should not help ts opponent more than ts opponent has helped t. The results are then extended to handle multnode scenaros n nosy and hostle envronments, where the dynamc nteractons between nodes are modeled as secure routng and packet forwardng games. By takng nto consderaton the dfference between two-node case and multnode case, an attack-resstant and cheat-proof cooperaton stmulaton strategy has been devsed for autonomous moble ad hoc networks. The analyss has demonstrated the effectveness of the proposed strategy and shown that t s optmal under certan condtons. The analyss has also shown that the damage that can be caused by attackers s bounded and lmted when the proposed strateges are used by selfsh nodes. Smulaton results have also llustrated that the proposed strateges can effectvely stmulate cooperaton among selfsh nodes n nosy and hostle envronments. APPENDIX CHEAT-PROOFNESS ANALYSIS FOR SOLUTION (7), (8), AND (9) We frst study the soluton (7). Let ¼ c =g denote player s cost-gan (CG) rato. We frst analyze whether player can ncrease ts payoff by reportng a false CG rato gven that player wll honestly report ts CG value. That s, we fx the value of, lettng 1 be player 1 s true value, and lettng 0 1 be the value that player 1 wll falsely report wth 0 1 > 1. Let 1 ¼ þ 1 ; ¼ 1 þ 1 1 ; 0 1 ¼ þ ; and 0 ¼ 0 1 þ 1 : It s easy to check that 1 < 0 1 and < 0. Recall that B s the maxmum number of packets that player wll request ts opponent to forward for t n each stage. Let ðx 1 ;x Þ denote the number of packets n average they wll forward for each other n each stage accordng to the soluton (7) gven that the true values of B 1 and B are known by both players. The relatonshp between x =x 1 and B 1 =B under dfferent stuatons s llustrated n Fg. 7a and Fg. 7b. In these two fgures, the dashed curve corresponds to the relatonshp between x =x 1 and B 1 =B gven that player 1 honestly reports ts CG value, whch s 1, whle the sold curve corresponds to the relatonshp between x =x 1 and B 1 =B gven that player 1 falsely reports ts CG value, whch s 0 1. From the results llustrated n Fg. 7, we can see that, by falsely reportng a hgher CG rato, n most stuatons, player 1 can ncrease the rato of x =x 1. Next, we study the effect of falsely reportng a hgh CG rato on player 1 s payoff. We frst consder the stuaton that 1 0, whch s llustrated n Fg. 7a. In ths case, the whole feasble space can be parttoned nto fve subareas along the feasble range of B 1 =B :. For any value of B 1 =B nsde range I, the soluton correspondng to 1 s! þ 1 1 B 1 ;B 1 and the soluton correspondng to 0 1 s þ B 1 ;B 1!: Snce 0 1 > 1, by falsely reportng a hgher CG rato, player 1 can forward fewer packets for player than t should, consequently ncreasng ts own payoff.. For any value of B 1 =B nsde range II, the soluton correspondng to 1 s ðb ;B 1 Þ and the soluton correspondng to 0 1 s þ B 1 ;B 1!: Snce B > þ B 1, by falsely reportng a hgher CG rato, player 1 can forward fewer packets for player than t should, consequently ncreasng ts own payoff.

14 47 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 007 Fg. 8. Player 1 falsely reports ts cost.. For any value of B 1 =B nsde range III, the soluton correspondng to 1 s ðb ;B 1 Þ and the soluton correspondng to 0 1 s also ðb ;B 1 Þ. That s, n ths stuaton, by changng the value of 1 to 0 1, player 1 s payoff wll not change.. For any value of B 1 =B nsde range IV, the soluton correspondng to 1 s B ;! 1 þ 1 B and the soluton correspondng to 0 1 s ðb ;B 1 Þ. Snce B 1 > 1þ 1 B, by falsely reportng a hgher CG rato, player 1 can request player to forward more packets for t than player should, consequently ncreasng ts own payoff.. For any value of B 1 =B nsde range V, the soluton correspondng to 1 s B ;! 1 þ 1 B and the soluton correspondng to 0 1 s B ; 0 1 þ 1 B!: Snce 0 1 þ 1 B > 1þ 1 B, by falsely reportng a hgher CG rato, player 1 can request player to forward more packets for t than player should, consequently ncreasng ts own payoff. Smlar results can also be obtaned for the case that 1 0 >, where player 1 can now ncrease ts own payoff over all possble values of B 1 =B by falsely reportng a hgher 1 value gven that s fxed. In summary, by falsely reportng a hgher 1 value, n most stuatons, player 1 can ncrease ts payoff and, n no stuatons, player 1 s payoff wll be decreased. Further, the hgher player 1 reports the value of the CG rato, the more beneft player 1 can get. Smlarly, player can also ncrease ts beneft by falsely reportng a hgher CG rato. Next, we consder the soluton (8). Now, let ¼ g þc 1 g 1 þc and 0 ¼ g þc 0 1 g 1þc, where c 1 <c 0 1. Fg. 8a llustrates the relatonshp between x =x 1 and B 1 =B for the two dfferent reported cost values c 1 and c 0 1, where g 1, g, and c are fxed. Smlarly as n Fg. 7, the dashed curve corresponds to the case that player 1 reports a true cost value, whle the sold curve corresponds to the case that player 1 reports a false cost value. From Fg. 8a, we can see that, by falsely reportng a hgher cost value, n all stuatons, player 1 can ncrease the rato of x =x 1. Next, we study the effect of falsely reportng a hgher cost on player 1 s payoff. As shown n Fg. 8a, the whole space can be parttoned nto three subareas along the feasble range of B 1 =B :. For any value of B 1 =B nsde range I, the soluton correspondng to c 1 s ðb 1 =; B 1 Þ and the soluton correspondng to c 0 1 s ðb 1= 0 ;B 1 Þ. Snce 0 >,by falsely reportng a hgher cost, player 1 can forward fewer packets for player than t should, thus ncreasng ts own payoff.. For any value of B 1 =B nsde range II, the soluton correspondng to c 1 s ðb ;B Þ and the soluton correspondng to c 0 1 s ðb 1= 0 ;B 1 Þ. Snce B 1 = 0 <B and B 1 >B, by falsely reportng a hgher cost, player 1 can forward fewer packets for player than t should and request player to forward more packets for t than player should, thus ncreasng ts own payoff.. For any value of B 1 =B nsde range III, the soluton correspondng to c 1 s ðb ;B Þ and the soluton correspondng to c 0 1 s ðb ; 0 B Þ. Snce 0 >, by falsely reportng a hgher cost, player 1 can always request player to forward more packets for t than player should do, thus ncreasng ts own payoff. In summary, by falsely reportng a hgher c 1 value, n all stuatons, player 1 can ncrease ts payoff gven that c and g are fxed. Further, the hgher player 1 reports the value of c 1, the hgher the beneft that player 1 can get. Applyng smlar analyss, t s also easy to show that, by falsely reportng a lower g 1 value, n all stuatons, player 1 can ncrease ts payoff gven that c and g are fxed. Smlarly, player can also ncrease ts beneft by falsely reportng a hgher c or a lower g gven that g 1 and c 1 are fxed. Now, we consder the soluton (9). Fg. 8b llustrates the relatonshp between x =x 1 and B 1 =B for the two dfferent reported cost values c 1 and c 0 1 wth c0 1 >c 1 and

YU AND LIU: GAME THEORETIC ANALYSIS OF COOPERATION STIMULATION AND SECURITY IN AUTONOMOUS MOBILE AD HOC... 473 c fxed. From Fg.

ACKNOWLEDGMENTS The authors would lke to thank the anonymous revewers for ther valuable comments and feedback. Ths work was supported n part by the US Army Research Offce under URI Award No.

15 YU AND LIU: GAME THEORETIC ANALYSIS OF COOPERATION STIMULATION AND SECURITY IN AUTONOMOUS MOBILE AD HOC c fxed. From Fg. 8b, we can see that, by falsely reportng a hgher c 1 value, n all stuatons, player 1 can ncrease the rato of x =x 1. ACKNOWLEDGMENTS The authors would lke to thank the anonymous revewers for ther valuable comments and feedback. Ths work was supported n part by the US Army Research Offce under URI Award No. DAAD REFERENCES [1] J.P. Hubaux, T. Gross, J.-Y. Le Boudec, and M. Vetterl, Toward Self-Organzed Moble Ad Hoc Networks: The Termnodes Project, IEEE Comm. Magazne, Jan [] L. Buttyan and J.P. Hubaux, Enforcng Servce Avalablty n Moble Ad-Hoc Networks, Proc. ACM MobHoc, 000. [3] L. Buttyan and J.P. Hubaux, Stmulatng Cooperaton n Self- Organzng Moble Ad Hoc Networks, Moble Networks and Applcatons, vol. 8, no. 5, pp , Oct [4] S. Zhong, J. Chen, and Y.R. Yang, Sprte: A Smple, Cheat-Proof, Credt-Based System for Moble Ad-Hoc Networks, Proc. IEEE INFOCOM, 003. [5] L. Anderegg and S. Edenbenz, Ad Hoc-VCG: A Truthful and Cost-Effcent Routng Protocol for Moble Ad Hoc Networks wth Selfsh Agents, Proc. ACM MobCom, 003. [6] S. Zhong, L. L, Y.G. Lu, and Y.R. Yang, On Desgnng Incentve- Compatble Routng and Forwardng Protocols n Wreless Ad- Hoc Networks An Integrated Approach Usng Game Theoretcal and Cryptographc Technques, Proc. ACM MobCom, pp , 005. [7] S. Mart, T.J. Gul, K. La, and M. Baker, Mtgatng Routng Msbehavor n Moble Ad Hoc Networks, Proc. ACM MobCom, 000. [8] P. Mchard and R. Molva, Core: A COllaboratve REputaton Mechansm to Enforce Node Cooperaton n Moble Ad Hoc Networks, Proc. IFIP Comm. and Multmeda Securty Conf., 00. [9] S. Buchegger and J.-Y. Le Boudec, Performance Analyss of the CONFIDANT Protocol, Proc. ACM MobHoc, 00. [10] W. Yu and K.J.R. Lu, Attack-Resstant Cooperaton Stmulaton n Autonomous Ad Hoc Networks, IEEE J. Selected Areas n Comm., vol. 3, no. 1, pp , Dec [11] V. Srnvasan, P. Nuggehall, C.F. Chassern, and R.R. Rao, Cooperaton n Wreless Ad Hoc Networks, Proc. IEEE INFOCOM, 003. [1] A. Urp, M. Bonuccell, and S. Gordano, Modelng Cooperaton n Moble Ad Hoc Networks: A Formal Descrpton of Selfshness, Proc. Workshop Modelng and Optmzaton n Moble, Ad Hoc and Wreless Networks (WOPT 03), 003. [13] J. Crowcroft, R. Gbbens, F. Kelly, and S. Ostrng, Modellng Incentves for Collaboraton n Moble Ad Hoc Networks, Proc. Workshop Modelng and Optmzaton n Moble, Ad Hoc, and Wreless Networks (WOPT 03), 003. [14] P. Mchard and R. Molva, A Game Theoretcal Approach to Evaluate Cooperaton Enforcement Mechansms n Moble Ad Hoc Networks, Proc. Workshop Modelng and Optmzaton n Moble, Ad Hoc, and Wreless Networks (WOPT 03), 003. [15] E. Altman, A.A. Kheran, P. Mchard, and R. Molva, Non- Cooperatve Forwardng n Ad-Hoc Networks, techncal report, INRIA, Sopha Antpols, 004. [16] M. Felegyhaz, J.-P. Hubaux, and L. Buttyan, Nash Equlbra of Packet Forwardng Strateges n Wreless Ad Hoc Networks, IEEE Trans. Moble Computng, vol. 5, no. 5, pp , Sept.-Oct [17] M.J. Osborne and A. Rubnste, A Course n Game Theory. The MIT Press, [18] W. Yu, Y. Sun, and K.J.R. Lu, HADOF: Defense aganst Routng Dsruptons n Moble Ad Hoc Networks, Proc. IEEE INFOCOM, 005. [19] R. Dawkns, The Selfsh Gene, second ed. Oxford Unv. Press, [0] O. Kallenberg, Foundatons of Modern Probablty. Sprnger-Verlag, [1] L. Zhou and Z. Haas, Securng Ad Hoc Networks, IEEE Network Magazne, vol. 13, no. 6, Nov./Dec [] J.P. Hubaux, L. Buttyan, and S. Capkun, The Quest for Securty n Moble Ad Hoc Networks, Proc. ACM MobHoc, 001. [3] Y.-C. Hu, A. Perrg, and D.B. Johnson, Aradne: A Secure On- Demand Routng Protocol for Ad Hoc Networks, Proc. ACM MobCom, 00. [4] P. Papadmtratos and Z. Haas, Secure Routng for Moble Ad Hoc Networks, Proc. SCS Comm. Networks and Dstrbuted Systems Modelng and Smulaton Conf. (CNDS 0), Jan. 00. [5] K. Sanzgr, B. Dahll, B.N. Levne, C. Shelds, and E.M. Beldng- Royer, A Secure Routng Protocol for Ad Hoc Networks, Proc. Int l Conf. Network Protocols (ICNP 0), Nov. 00. [6] M.G. Zapata and N. Asokan, Securng Ad Hoc Routng Protocols, Proc. Int l Conf. Web Informaton Systems Eng., 00. [7] Y.-C. Hu, A. Perrg, and D.B. Johnson, Rushng Attacks and Defense n Wreless Ad Hoc Network Routng Protocols, Proc. Int l Conf. Web Informaton Systems Eng., 003. [8] Y.-C. Hu, A. Perrg, and D.B. Johnson, Packet Leashes: A Defense aganst Wormhole Attacks n Wreless Networks, Proc. IEEE INFOCOM, 003. [9] Y.-C. Hu, A. Perrg, and D.B. Johnson, SEAD: Secure Effcent Dstance Vector Routng for Moble Wreless Ad Hoc Networks, Ad Hoc Networks J., vol. 1, pp , 003. [30] W. Yu and K.J.R. Lu, Secure Cooperatve Moble Ad Hoc Networks aganst Injectng Traffc Attacks, Proc. IEEE Int l Conf. Sensor and Ad Hoc Comm. and Networks (SECON 05), 005. [31] J. Yoon, M. Lu, and B. Noble, Sound Moblty Models, Proc. ACM MobCom, 003. [3] IEEE Standard , Wreless LAN Medum Access Control (MAC) and Physcal Layer (PHY) Specfcatons, IEEE Computer Soc. LAN MAN Standards Commttee, [33] D.B. Johnson and D.A. Maltz, Dynamc Source Routng n Ad Hoc Wreless Networks, Moble Computng, Moble Computng, pp , We Yu receved the BS degree n computer scence from the Unversty of Scence and Technology of Chna (USTC) n 000, the MS degree n computer scence from Washngton Unversty n St. Lous n 00, and the PhD degree n electrcal engneerng from the Unversty of Maryland n 006. From August 000 to May 00, he was a graduate research assstant at Washngton Unversty n St. Lous. From September 00 to July 006, he was a graduate research assstant wth the Communcatons and Sgnal Processng Laboratory and the Insttute for Systems Research at the Unversty of Maryland. He joned Mcrosoft Corporaton n August 006. Hs research nterests nclude network securty, wreless communcatons and networkng, game theory, wreless multmeda, and pattern recognton. K.J. Ray Lu (F 03) receved the BS degree from Natonal Tawan Unversty and the PhD degree from the Unversty of Calforna, Los Angeles, both n electrcal engneerng. He s currently a professor and assocate char of graduate studes and research n the Electrcal and Computer Engneerng Department at the Unversty of Maryland, College Park. Hs research contrbutons encompass broad aspects of wreless communcatons and networkng, nformaton forenscs and securty, multmeda communcatons and sgnal processng, bonformatcs and bomedcal magng, and sgnal processng algorthms and archtectures. He s the recpent of numerous honors and awards ncludng best paper awards from the IEEE Sgnal Processng Socety (twce), the IEEE Vehcular Technology Socety, and EURASIP. He also receved the EURASIP Mertorous Servce Award and the US Natonal Scence Foundaton Young Investgator Award and was named an IEEE Sgnal Processng Socety Dstngushed Lecturer. He also receved varous teachng and research recogntons from the Unversty of Maryland, ncludng the Dstngushed Scholar-Teacher Award, the Poole and Kent Company Senor Faculty Teachng Award, and the Inventon of the Year Award. He s the vce presdent of publcatons and on the board of governors of the IEEE Sgnal Processng Socety. He was the edtor-n-chef of the IEEE Sgnal Processng Magazne and the foundng edtor-n-chef of the EURASIP Journal on Appled Sgnal Processng. He s a fellow of the IEEE.

Categories and Subject Descriptors ABSTRACT. General Terms. Keywords 1. INTRODUCTION. C.2.1. [Computer-Communication Networks]: Network Architecture

Categories and Subject Descriptors ABSTRACT. General Terms. Keywords 1. INTRODUCTION. C.2.1. [Computer-Communication Networks]: Network Architecture On Desgnng Incentve-Compatble Routng and Forwardng Protocols n Wreless Ad-Hoc Networks An Integrated Approach Usng Game Theoretcal and Cryptographc Technques Sheng Zhong L (Erran) L Yanbn Grace Lu Yang