Discovery and Verification of Neighbor Positions in Mobile Ad Hoc Networks

Size: px

Start display at page:

Download "Discovery and Verification of Neighbor Positions in Mobile Ad Hoc Networks"

Marian Ryan
5 years ago
Views:

1 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 12, NO. 2, FEBRUARY Disovery and Verifiation of Neighbor Positions in Mobile Ad Ho Networks Maro Fiore, Member, IEEE, Claudio Ettore Casetti, Member, IEEE, Carla-Fabiana Chiasserini, Senior Member, IEEE, and Panagiotis Papadimitratos, Member, IEEE Abstrat A growing number of ad ho networking protools and loation-aware servies require that mobile nodes learn the position of their neighbors. However, suh a proess an be easily abused or disrupted by adversarial nodes. In absene of a priori trusted nodes, the disovery and verifiation of neighbor positions presents hallenges that have been sarely investigated in the literature. In this paper, we address this open issue by proposing a fully distributed ooperative solution that is robust against independent and olluding adversaries, and an be impaired only by an overwhelming presene of adversaries. Results show that our protool an thwart more than 99 perent of the attaks under the best possible onditions for the adversaries, with minimal false positive rates. Index Terms Neighbor position verifiation, mobile ad ho networks, vehiular networks Ç 1 INTRODUCTION LOCATION awareness has beome an asset in mobile systems, where a wide range of protools and appliations require knowledge of the position of the partiipating nodes. Geographi routing in spontaneous networks, data gathering in sensor networks, movement oordination among autonomous roboti nodes, loation-speifi servies for handheld devies, and danger warning or traffi monitoring in vehiular networks are all examples of servies that build on the availability of neighbor position information. The orretness of node loations is therefore an allimportant issue in mobile networks, and it beomes partiularly hallenging in the presene of adversaries aiming at harming the system. In these ases, we need solutions that let nodes 1) orretly establish their loation in spite of attaks feeding false loation information, and 2) verify the positions of their neighbors, so as to detet adversarial nodes announing false loations. In this paper, we fous on the latter aspet, hereinafter referred to as neighbor position verifiation (NPV for short). Speifially, we deal with a mobile ad ho network, where a pervasive infrastruture is not present, and the loation data must be obtained through node-to-node ommuniation. Suh a senario is of partiular interest sine it leaves the door open for adversarial nodes to misuse or disrupt the loation-based servies. For example, by advertising forged. M. Fiore is with the CITI Laboratory, INRIA, INSA Lyon, Bat. Chappe, 6 Avenue des Arts, Villeurbanne Cedex, Frane. maro.fiore@insa-lyon.fr.. C.E. Casetti and C.-F. Chiasserini are with the Dipartimento di Elettronia, Politenio di Torino, Corso Dua degli Abruzzi 24, Torino, Italy. {asetti, hiasserini}@polito.it.. P. Papadimitratos is with the Shool of Eletrial Engineering at KTH, KTH Campus, Osquldas v. 10, Stokholm, Sweden. papadim@kth.se. Manusript reeived 17 Mar. 2011; revised 26 Sept. 2011; aepted 18 Nov. 2011; published online 8 De For information on obtaining reprints of this artile, please send to: tm@omputer.org, and referene IEEECS Log Number TMC Digital Objet Identifier no /TMC positions, adversaries ould bias geographi routing or data gathering proesses, attrating network traffi and then eavesdropping or disarding it. Similarly, ounterfeit positions ould grant adversaries unauthorized aess to loation-dependent servies, let vehiles forfeit road tolls, disrupt vehiular traffi or endanger passengers and drivers. In this ontext, the hallenge is to perform, in absene of trusted nodes, a fully distributed, lightweight NPV proedure that enables eah node to aquire the loations advertised by its neighbors, and assess their truthfulness. We therefore propose an NPV protool that has the following features:. It is designed for spontaneous ad ho environments, and, as suh, it does not rely on the presene of a trusted infrastruture or of a priori trustworthy nodes;. It leverages ooperation but allows a node to perform all verifiation proedures autonomously. This approah has no need for lengthy interations, e.g., to reah a onsensus among multiple nodes, making our sheme suitable for both low- and highmobility environments;. It is reative, meaning that it an be exeuted by any node, at any point in time, without prior knowledge of the neighborhood;. It is robust against independent and olluding adversaries;. It is lightweight, as it generates low overhead traffi. Additionally, our NPV sheme is ompatible with state-ofthe-art seurity arhitetures, inluding the ones that have been proposed for vehiular networks [1], [2], whih represent a likely deployment environment for NPV. The rest of the paper is organized as follows: In Setion 2, we review previous works, highlighting the novelty of our solution. In Setion 3, we desribe the system model, while the ommuniation protool, the objetives of the verifiation proedure and our main results are outlined in Setion 4. The details of the NPV protool and of verifiation tests are then presented in Setion 5, and the /13/$31.00 ß 2013 IEEE Published by the IEEE CS, CASS, ComSo, IES, & SPS

2 290 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 12, NO. 2, FEBRUARY 2013 resiliene of our solution to different attaks is analyzed in Setion 6. Finally, we provide a performane evaluation of the protool in a vehiular senario in Setion 7, and draw onlusions in Setion 8. 2 RELATED WORK Although the literature arries a multitude of ad ho seurity protools addressing a number of problems related to NPV, there are no lightweight, robust solutions to NPV that an operate autonomously in an open, ephemeral environment, without relying on trusted nodes. Below, we list relevant works and highlight the novelty of our ontribution. For larity of presentation, we first review solutions to some NPV-related problems, suh as seure positioning and seure disovery, and then we disuss solutions speifially addressing NPV. Seurely determining own loation. In mobile environments, self-loalization is mainly ahieved through Global Navigation Satellite Systems, e.g., GPS, whose seurity an be provided by ryptographi and nonryptographi defense mehanisms [3]. Alternatively, terrestrial speialpurpose infrastruture ould be used [4], [5], along with tehniques to deal with nonhonest beaons [6]. We remark that this problem is orthogonal to the problem of NPV. In the rest of this paper, we will assume that devies employ one of the tehniques above to seurely determine their own position and time referene. Seure neighbor disovery (SND) deals with the identifiation of nodes with whih a ommuniation link an be established or that are within a given distane [7]. SND is only a step toward the solution we are after: simply put, an adversarial node ould be seurely disovered as neighbor and be indeed a neighbor (within some SND range), but it ould still heat about its position within the same range. In other words, SND is a subset of the NPV problem, sine it lets a node assess whether another node is an atual neighbor but it does not verify the loation it laims to be at. SND is most often employed to ounter wormhole attaks [8], [9], [10]; pratial solutions to the SND problem have been proposed in [11], while properties of SND protools with proven seure solutions an be found in [12], [13]. Neighbor position verifiation was studied in the ontext of ad ho and sensor networks; however, existing NPV shemes often rely on fixed [14], [15] or mobile [16] trustworthy nodes, whih are assumed to be always available for the verifiation of the positions announed by third parties. In ad ho environments, however, the pervasive presene of either infrastruture or neighbor nodes that an be aprioristially trusted is quite unrealisti. Thus, we devise a protool that is autonomous and does not require trustworthy neighbors. In [17], an NPV protool is proposed that first lets nodes alulate distanes to all neighbors, and then ommends that all triplets of nodes enirling a pair of other nodes at as verifiers of the pair s positions. This sheme does not rely on trustworthy nodes, but it is designed for stati sensor networks, and requires lengthy multiround omputations involving several nodes that seek onsensus on a ommon neighbor verifiation. Furthermore, the resiliene of the protool in [17] to olluding attakers has not been demonstrated. The sheme in [18] suits stati sensor networks too, and it requires several nodes to exhange information on the signal emitted by the node whose loation has to be verified. Moreover, it aims at assessing not the position but whether the node is within a given region or not. Our NPV solution, instead, allows any node to validate the position of all of its neighbors through a fast, one-time message exhange, whih makes it suitable to both stati and mobile environments. Additionally, we show that our NPV sheme is robust against several different olluding attaks. Similar differenes an be found between our work and [19]. In [20], the authors propose an NPV protool that allows nodes to validate the position of their neighbors through loal observations only. This is performed by heking whether subsequent positions announed by one neighbor draw a movement over time that is physially possible. The approah in [20] fores a node to ollet several data on its neighbor movements before a deision an be taken, making the solution unfit to situations where the loation information is to be obtained and verified in a short time span. Moreover, an adversary an fool the protool by simply announing false positions that follow a realisti mobility pattern. Conversely, by exploiting ooperation among nodes, our NPV protool is 1) reative, as it an be exeuted at any instant by any node, returning a result in a short time span, and 2) robust to fake, yet realisti, mobility patterns announed by adversarial nodes over time. The sheme in [21] exploits Time-of-Flight (ToF) distane bounding and node ooperation to mitigate the problems of the previous solutions. However, the ooperation is limited to ouples of neighbor nodes, whih renders the protool ineffetive against olluding attakers. To our knowledge, our protool is the first to provide a fully distributed, lightweight solution to the NPV problem that does not require any infrastruture or a priori trusted neighbors and is robust to several different attaks, inluding oordinated attaks by olluding adversaries. Also, unlike previous works, our solution is suitable for both low and high mobile environments and it only assumes RF ommuniation. Indeed, non-rf ommuniation, e.g., infrared or ultrasound, is unfeasible in mobile networks, where non-line-of-sight onditions are frequent and devie-todevie distanes an be in the order of tens or hundreds of meters. An early version of this work, skething the NPV protool and some of the verifiation tests to detet independent adversaries, an be found in [22]. 3 SYSTEM AND ADVERSARY MODEL We onsider a mobile network and define as ommuniation neighbors of a node all the other nodes that it an reah diretly with its transmissions [7]. We assume that eah node knows its own position with some maximum error p, and that it shares a ommon time referene with the other nodes: both requirements an be met by equipping ommuniation nodes with GPS reeivers. 1 In addition, 1. Small-footprint GPS reeivers are ommerially available, whih ahieve low synhronization and loalization errors [23].

3 FIORE ET AL.: DISCOVERY AND VERIFICATION OF NEIGHBOR POSITIONS IN MOBILE AD HOC NETWORKS 291 Fig. 2. Example of topologial information stored by verifier S at the end of the message exhange and effet of a fake position announement by M. Fig. 1. Message exhange overview, during one instane of the NPV protool. nodes an perform Time-of-Flight-based RF ranging with a maximum error equal to r. As disussed in [17], this is a reasonable assumption, although it requires modifiations to off-the-shelf radio interfaes; also, promising tehniques for preise ToF-based RF ranging have been developed [24]. We assume that node positions do not vary signifiantly during a protool exeution, sine a omplete message exhange takes no more than a few hundreds of milliseonds. The relative spatial movements of the nodes during suh a period are taken into aount through the tolerane value m. Nodes arry a unique identity 2 and an authentiate messages of other nodes through publi key ryptography [27]. In partiular, we assume that eah node X owns a private key, k X, and a publi key, K X, as well as a set of one-time use keys {k 0 X ;K0 X }, as proposed in emerging arhitetures for seure and privay-enhaning ommuniation [2], [25]. Node X an enrypt and derypt data with its keys and the publi keys of other nodes; also, it an produe digital signatures (Sig X ) with its private key. We assume that the binding between X and K X an be validated by any node, as in state-of-the-art seure ommuniation arhitetures [2], [26]. Nodes are orret if they omply with the NPV protool, and adversarial if they deviate from it. As authentiation essentially thwarts external adversaries, we fous on the more powerful internal ones, i.e., nodes that possess the ryptographi material to partiipate in the NPV and try to exploit it, by advertising arbitrarily erroneous own positions or injet misleading information. Internal adversaries annot forge messages on behalf of other nodes whose keys they do not have. Thus, attaks against the ryptosystem are not onsidered, as orret implementation of ryptographi primitives makes them omputationally infeasible. We further lassify adversaries into: knowledgeable, ifat eah time instant they know positions and (temporary) identities of all their ommuniation neighbors, and unknowledgeable, otherwise; independent, if they at individually, and olluding, if they oordinate their ations. 4 COOPERATIVE NPV: AN OVERVIEW We propose a fully distributed ooperative sheme for NPV, whih enables a node, hereinafter alled the verifier,to disover and verify the position of its ommuniation neighbors. For larity, here we summarize the priniples of 2. This an be a permanent identifier or a temporary pseudonym, so as to ensure user privay [25]. the protool as well as the gist of its resiliene analysis. Detailed disussions of message format, verifiation tests, and protool resiliene are provided in Setions 5 and 6. A verifier, S, an initiate the protool at any time instant, by triggering the 4-step message exhange depited in Fig. 1, within its 1-hop neighborhood. The aim of the message exhange is to let S ollet information it an use to ompute distanes between any pair of its ommuniation neighbors. To that end, POLL and REPLY messages are first broadasted by S and its neighbors, respetively. These messages are anonymous and take advantage of the broadast nature of the wireless medium, allowing nodes to reord reiproal timing information without dislosing their identities. Then, after a REVEAL broadast by the verifier, nodes dislose to S, through seure and authentiated REPORT messages, their identities as well as the anonymous timing information they olleted. The verifier S uses suh data to math timings and identities; then, it uses the timings to perform ToF-based ranging and ompute distanes between all pairs of ommuniating nodes in its neighborhood. One S has derived suh distanes, it runs several position verifiation tests in order to lassify eah andidate neighbor as either: 1. Verified, i.e., a node the verifier deems to be at the laimed position; 2. Faulty, i.e., a node the verifier deems to have announed an inorret position; 3. Unverifiable, i.e., a node the verifier annot prove to be either orret or faulty, due to insuffiient information. Clearly, the verifiation tests aim at avoiding false negatives (i.e., adversaries announing fake positions that are deemed verified) and false positives (i.e., orret nodes whose positions are deemed faulty), as well as at minimizing the number of unverifiable nodes. We remark that our NPV sheme does not target the reation of a onsistent map of neighborhood relations throughout an ephemeral network: rather, it allows the verifier to independently lassify its neighbors. The basi priniple the verifiation tests build upon is best explained by means of the example in Fig. 2. There, M is a maliious node announing a false loation M 0,soasto fraudulently gain some advantage over other nodes. The figure portrays the atual network topology with blak edges, while the modified topology, indued by the fake position announed by M, is shown with gray edges. It is evident that the displaement of M to M 0 auses its edges with the other nodes to rotate, whih, in turn, fores edge lengths to hange as well. The tests thus look for disrepanies in the node distane information to identify inorret node positions.

4 292 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 12, NO. 2, FEBRUARY 2013 TABLE 1 Summary of Notations first bit of the message at the physial layer. To retrieve the exat transmission and reeption time instants, avoiding the unpreditable latenies introdued by interrupts triggered at the drivers level, a solution suh as that implemented in [28] is required. 3 Furthermore, the GPS reeiver should be integrated in the ard; software defined radio solutions ombining GPS and apabilities are proposed, among others, in [29], [30]. Now, onsider a verifier S that initiates the NPV protool. The message exhange proedure is outlined in Algorithm 1 for S, and in Algorithm 2 for any of S s ommuniation neighbors. Algorithm 1. Message exhange protool: verifier. A maliious node, knowing the protool, an try to outsmart the tests in a number of different ways. Setion 6 ontains a omprehensive disussion of the protool resiliene, overing oneivable attak strategies that adversarial nodes ould adopt. Overall, our analysis proves that:. An unknowledgeable adversary has no possibility of suess against our NPV protool;. An independent knowledgeable adversary M an move at most two links (with the verifier S and with a shared neighbor X) without being deteted: however, any additional link (e.g., with another shared neighbor Y ) leads to inonsistenies between distanes and positions that allow to identify the attaker: this is the situation depited in Fig. 2. In a nutshell, independent adversaries, although knowledgeable, annot harm the system;. Colluding knowledgeable adversaries an announe timing information that reiproally validate their distanes, and pose a more dangerous threat to the system. However, we prove that an overwhelming presene of olluders in the verifier neighborhood is required for an attak to be suessful. Additionally, simulations in realisti senarios prove the robustness of the NPV protool even against large groups of olluding knowledgeable adversaries. 5 NPV PROTOCOL We detail the message exhange between the verifier and its ommuniation neighbors, followed by a desription of the tests run by the verifier. Table 1 summarizes the notations used throughout the protool desription. 5.1 Protool Message Exhange The value p X is the urrent position of X, and IN X is the urrent set of its ommuniation neighbors. We denote by t X the time at whih a node X starts a broadast transmission and by t XY the time at whih a node Y starts reeiving it. Note that these time values refer to the atual instant at whih the node starts transmitting/reeiving the Algorithm 2. Message exhange protool: any neighbor. POLL message. The verifier starts the protool by broadasting a POLL whose transmission time t S it stores loally (Algorithm 1, lines 2-3). The POLL is anonymous, sine 1) it does not arry the identity of the verifier, 2) it is transmitted employing a fresh, software-generated MAC address, and 3) it ontains a publi key KS 0 taken from S s pool of anonymous one-time use keys that do not allow neighbors to map the key onto a speifi node. We stress that keeping the identity of the verifier hidden is important in order to make our NPV robust to attaks (see the protool analysis in Setion 6). Sine a soure address has to be inluded in the MAC-layer header of the message, a fresh, software-generated MAC address is needed; note that this is onsidered a part of emerging ooperative systems [2], [25]. Inluding a one-time key in the POLL also ensures that the message is fresh (i.e., the key ats as a none). 3. This leads to a timing preision of around 23 ns, ditated by the 44 MHz lok of standard a/b/g ards. As mentioned above, we aount for these errors through the r parameter.

5 FIORE ET AL.: DISCOVERY AND VERIFICATION OF NEIGHBOR POSITIONS IN MOBILE AD HOC NETWORKS 293 REPLY message. A ommuniation neighbor X 2 IN S that reeives the POLL stores its reeption time t SX, and extrats a random wait interval T X 2½0;T max Š (Algorithm 2, lines 2-4). After T X has elapsed, X broadasts an anonymous REPLY message using a fresh MAC address, and loally reords its transmission time t X (Algorithm 2, lines 5-9). For implementation feasibility, the physial layer transmission time annot be stamped on the REPLY, but it is stored by X for later use. The REPLY ontains some information enrypted with S s publi key (KS 0 ), speifially the POLL reeption time and a none X used to tie the REPLY to the next message sent by X: we refer to these data as X s ommitment, C j X (Algorithm 2, line 7). The hash h K 0, S derived from the publi key of the verifier, KS 0, is also inluded to bind POLL and REPLY belonging to the same message exhange. Upon reeption of a REPLY from a neighbor X, the verifier S stores the reeption time t XS and the ommitment C j X (Algorithm 1, lines 4-5). When a different neighbor of S, e.g., Y, Y 2 IN S \ IN X, broadasts a REPLY too, X stores the reeption time t YX and the ommitment C j Y (Algorithm 2, lines 10-11). Sine REPLY messages are anonymous, a node reords all ommitments it reeives without knowing their originators. REVEAL message. After a time T max þ þ T jitter, the verifier broadasts a REVEAL message using its real MAC address (Algorithm 1, line 6). aounts for the propagation and ontention lag of REPLY messages sheduled at time T max, and T jitter is a random time added to thwart jamming efforts on this message. The REVEAL ontains: 1) a map Im S, that assoiates eah ommitment C j X reeived by the verifier to a temporary identifier i X (Algorithm 1, line 7); 2) a proof that S is the author of the original POLL through the enrypted hash E k 0S fh K 0 g; 3) the verifier identity, i.e., its S ertified publi key and signature (Algorithm 1, line 8). Note that using ertified keys urtails ontinuous attempts at running the protool by an adversary who aims at learning neighbor positions (i.e., at beoming knowledgeable) or at launhing a logging attak (see Setion 6.4). REPORT message. One the REPORT message is broadast and the identity of the verifier is known, eah neighbor X that previously reeived S s POLL uniasts to S an enrypted, signed REPORT message. The REPORT arries X s position, the transmission time of X s REPLY, and the list of pairs of reeption times and temporary identifiers referring to the REPLY broadasts X reeived (Fig. 2, lines 12-14). The identifiers are obtained from the map Im S inluded in the REVEAL message. Also, X disloses its own identity by inluding in the message its digital signature and ertified publi key; through the none X, it orrelates the REPORT to its previously issued REPLY. We remark that all sensitive data are enrypted using S s publi key, K S,so that eavesdropping on the wireless hannel is not possible. At the end of the message exhange, only the verifier knows all positions and timing information. If needed, ertified keys in REPORT messages allow the mathing of suh data and node identities (temporary or long-term, with the help of an authority if needed [2]). 5.2 Position Verifiation One the message exhange is onluded, S an derypt the reeived data and aquire the position of all neighbors that partiipated in the protool, i.e., fp X ; 8X 2 IN S g. The verifier S also knows the transmission time t S of its POLL and learns that of all subsequent REPLY messages, i.e., ft X ; 8X 2 IN S g, as well as the orresponding reeption times reorded by the reipients of suh broadasts, i.e., ft XY ; 8X; Y 2 IN S [fsgg. Applying a ToF-based tehnique, S thus omputes its distane from eah ommuniation neighbor, as well as the distanes between all neighbor pairs sharing a link. More preisely, by denoting with the speed of light, the verifier omputes, for any ommuniating pair ðx; Y Þ with X; Y 2 IN S [fsg, two distanes: d XY ¼ðt XY t X Þ, from the timing information related to the broadast message sent by X, and d YX ¼ðt YX t Y Þ, from the information related to the broadast message by Y. One suh distanes have been omputed, S an run the following three verifiation tests to fill the sets IF S, jv S, and U S with, respetively, faulty, verified and unverifiable nodes The Diret Symmetry Test (DST) DST is the first verifiation performed by S and is detailed in Algorithm 3. There, jj denotes the absolute value operator and kp X p Y k the eulidean distane between loations p X and p Y. In the DST, S verifies the diret links with its ommuniation neighbors. To this end, it heks whether reiproal ToF-derived distanes are onsistent 1) with eah other, 2) with the position advertised by the neighbor, and 3) with a proximity range R. The latter orresponds to the maximum nominal transmission range, and upper bounds the distane at whih two nodes an ommuniate. More speifially, the first hek verifies that the distanes d SX and d XS, obtained from ranging, do not differ by more than twie the ranging error plus a tolerane value m (Algorithm 3, line 4), aounting for node spatial movements during the protool exeution. The seond hek verifies that the position advertised by the neighbor is onsistent with suh distanes, within an error margin of 2 p þ r (Algorithm 3, line 5). Although trivial, this hek is fundamental sine it orrelates positions to omputed distanes: without it, an attaker ould fool the verifier by simply advertising an arbitrary position along with orret broadast transmission and reeption timings. Finally, as a sanity hek, S verifies that d SX is not larger than R (Algorithm 3, line 6). The verifier tags a neighbor as faulty if a mismath is found in any of these heks, 4 sine this implies an inonsisteny between the position p X and the timings announed by the neighbor (t SX, t X ) or reorded by the verifier (t XS, t S ). Algorithm 3. Diret Symmetry Test (DST) 4. The latter two heks are performed on both d SX and d XS, however in Algorithm 3 they are done on d SX only, for larity of presentation.

6 294 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 12, NO. 2, FEBRUARY The Cross-Symmetry Test (CST) In Algorithm 4, implements ross verifiations, i.e., it heks on the information mutually gathered by eah pair of ommuniation neighbors. The CST ignores nodes already delared as faulty by the DST (Algorithm 4, line 5) and only onsiders nodes that proved to be ommuniation neighbors between eah other, i.e., for whih ToF-derived mutual distanes are available (Algorithm 4, line 6). However, pairs of neighbors delaring ollinear positions with respet to S are not taken into aount (Algorithm 4, line 7, where lineðp X ;p Y Þ is the line passing by points p X and p Y ). As shown in the next setion, this hoie makes our NPV robust to attaks in partiular situations. For all other pairs ðx; Y Þ, the CST verifies the symmetry of the reiproal distanes (Algorithm 4, line 9), their onsisteny with the positions delared by the nodes (Algorithm 4, line 10), and with the proximity range (Algorithm 4, line 11). For eah neighbor X, S maintains a link ounter l X and a mismath ounter m X. The former is inremented at every new rosshek on X, and reords the number of links between X and other neighbors of S (Algorithm 4, line 8). The latter is inremented every time at least one of the ross-heks on distane and position fails (Algorithm 4, line 12), and identifies the potential for X being faulty. Algorithm 4. Cross-Symmetry Test (CST) We point out that the lower the, the higher the probability of false positives, while the higher the, the higher the probability of false negatives. In the following, we set ¼ 0:5 so that the verifier makes a deision on the orretness of a node by relying on the opinion of the majority of shared (nonollinear) ommuniation neighbors. As shown later, this hoie makes our NPV highly resilient to attaks, unless the presene of adversaries beomes overwhelming The Multilateration Test (MLT) MLT, in Algorithm 5, ignores nodes already tagged as faulty or unverifiable and looks for suspet neighbors in W S. For eah neighbor X that did not notify about a link reported by another node Y, with X; Y 2 W S, a urve L X ðs;y Þ is omputed and added to the set IL X (Algorithm 5, lines 5-7). Suh a urve is the lous of points that an generate a transmission whose Time Differene of Arrival (TDoA) at S and Y mathes that measured by the two nodes, i.e., jt XS t XY j. It is easy to verify that suh a urve is a hyperbola, with foi in p S and p Y, and passing through the atual position of X. Algorithm 5. Multilateration Test (MLT) One all neighbor pairs have been proessed, a node X is added to the unverifiable set U S if it shares less than two non-ollinear neighbors with S (Algorithm 4, line 14). Indeed, in this ase, the information available on the node is onsidered to be insuffiient to tag the node as verified or faulty (see Setion 6 for details). Otherwise, if S and X have two or more nonollinear ommon neighbors, X is delared as faulty, unverifiable, or onditionally verified, depending on the perentage of mismathes in the rossheks it was involved in (Algorithm 4, lines 15-18). Speifially, X is added to IF S or U S, depending on whether the ratio of the number of mismathes to the number of heks is greater or equal to a threshold. If suh a ratio is less than, X is added to a temporary set W S for onditionally verified nodes. One all ouples of nodes in W S have been heked, eah node X for whih two or more unnotified links, hene two or more hyperbolas in IL X, exist is onsidered as suspet (Algorithm 5, line 9). In suh a ase, S exploits the hyperbolae in IL X to multilaterate X s position, referred to as p ML X, similarly to what is done in [17] (Algorithm 5, line 10). Note that IL X must inlude at least two hyperbolae for S to be able to ompute p ML X, and this implies the presene of at least two shared neighbors between S and X. p ML X is then ompared with the position advertised by X, p X (Algorithm 5, line 11). If the differene exeeds an error margin 2 p, X is moved to the faulty set IF S. At the end of the test, all nodes still in W S are tagged as verified and moved to jv S (Algorithm 5, lines 12-13). 6 RESILIENCE ANALYSIS We analyze the robustness of our sheme against different types of internal adversaries. We lassify the oneivable attaks into two lasses, depending on the goal of the adversaries:

7 FIORE ET AL.: DISCOVERY AND VERIFICATION OF NEIGHBOR POSITIONS IN MOBILE AD HOC NETWORKS 295. Attaks where the adversaries aim at letting the verifier validate their own fake position;. Attaks where the adversaries aim at disrupting the verifiation of orret node positions. We fous on attaks of the first ategory in Setions 6.1 and 6.2, where we disuss the ase of independent and olluding adversaries, respetively. In ase of attaks of this first type, adversaries an tamper with the timing information in the REPLYs and REPORTs they generate, so that these onfirm their false advertised loations. By onsidering the geometrial properties of the ToF-based ranging, we analyze the entire spae of attaks against NPV. The effets of ombinations of attaks of the first type is then investigated in our performane evaluation. Attaks of the seond ategory are analyzed in Setion 6.3, where adversaries try to indue the verifier to tag a orret neighbor as faulty or unverifiable. Finally, in Setion 6.4 we disuss the robustness of our NPV sheme to generi attaks that are not speifi to NPV. It is worth remarking that the NPV verifiation tests disregard nodes for whih inomplete information is reeived, e.g., due to link or node failures. Suh failures, when involving orret nodes, have the effet of degrading the number of nodes that orroborate other nodes legitimate laims. We have taken into aount message losses in our simulation study of the protool (Setion 7). In this setion, instead, we evaluate the NPV resiliene level onsidering only the behavior of nodes partiipating in the whole message exhange, that is, for whih the verifier has olleted all the required information. 6.1 Faking Own Position: Independent Adversaries We start by analyzing the attaks of the first type that an be launhed by a single independent adversary in diverse network onditions, and explain the NPV protool reations they trigger. The disussion on the effets of the presene of multiple independent adversaries follows Basi Attak In the simplest senario, a verifier S runs the NPV protool in presene of an adversary M, with whih it shares no ommon neighbor. Let p 0 M be the fake position that M advertises: as briefly mentioned above, M an announe a fake timing t 0 SM in its REPLY, and a fake timing t0 M in its REPORT, so that p 0 M is aepted by the verifier (i.e., M 2jV S ). More preisely, the DST run by S on M verifies that the reiproal distanes are onsistent, i.e., that jd SM d MS j 2 r þ m, or: ðt 0 SM t SÞ ðt MS t 0 M Þ 2r þ m ; ð1þ and that positions are also oherent with the distanes, whih implies p S p 0 M dsm 2p þ r, or, equivalently: p S p 0 M ðt 0 SM t S Þ 2p þ r : ð2þ Therefore, the adversary must forge t 0 M and t0 SM, so that (1)- (2) still hold after its real position p M is replaed with p 0 M. Solving the equation system obtained by setting the error margin to zero in (1)-(2) and expressing the ToF using the node positions, we obtain t 0 M ¼ t MS p S p 0 M ¼ t M þ p k S p M k p S p 0 M t 0 SM ¼ t S þ p S p 0 M ¼ t SM p k S p M k þ p S p 0 M : ð4þ Note that p 0 M is hosen by M, and that M knows t M in (3) (sine this is the atual transmission time of its own REPLY) and t SM in (4) (sine this is the time at whih it atually reeived S s POLL). Thus, we have a system of two equations in the two unknowns t 0 M and t0 SM ; M an solve it if it knows p S. We all this forging of transmission and reeption timings with respet to S the basi attak. We stress that, in order to know p S, M must be a knowledgeable adversary, whih implies two onditions: first, M must have previously run the NPV protool to disover the identity and position of its neighbors; seond, the position of the verifier must have not hanged sine suh disovery proedure. Clearly, as M annot foresee when S starts the NPV protool, suh a ondition is not easy to fulfill, espeially in highly mobile environments. Nevertheless, if aware of S s loation, M ould suessfully run a basi attak, provided that the advertised position p 0 M is within the proximity range R. As a onsequene, the NPV marks isolated neighbors as unverifiable in the CST. Let us now add to the previous senario n 1 nodes, X 1 ;...;X n, whih are orret neighbors ommon to S and M. The disussion above still holds, sine the fake position advertised by M must still pass the DST. Thus, M has to know S s urrent position and to forge t 0 M and t0 SM aording to p S and p 0 M, as in (3)-(4). However, the presene of ommon neighbor(s) introdues two additional levels of seurity, whih make the basi attak ineffetual. First, the POLL and REPLY messages are anonymous; hene, upon their reeption, even a knowledgeable M does not know whih node among S, X 1 ;...;X n is the verifier. Nevertheless, in order to take part in the protool, M is fored to advertise the fake POLL reeption time t 0 SM in its REPLY, before reeiving the REVEAL and disovering the identity of the verifier. The only option for M is then to randomly guess who the verifier is and properly hange t SM into t 0 SM, as in (4). This implies a probability of suess in guessing the atual sender of the POLL equal to 1=ðn þ 1Þ. Seond, in presene of shared (nonollinear) neighbors, S an run the CST on the ðm;x i Þ pairs, with i ¼ 1;...;n.As the basi attak only forges messages transmission and reeption timings with respet to S, the fake position p 0 M will present disrepanies with the reiproal reeption times of REPLY messages at M and X i. This will result in a CST failure, revealing and thus preventing the attak REPLY-Disregard Attak Whenever there are n neighbors X 1 ;...;X n ommon to S and M, a possible strategy for the adversary, provided that it orretly guesses the identity of the verifier, is not to announe one or more of the ommon neighbors. That is, M will not inlude the ðt XiM;i Xi Þ data in its REPORT, thus deliberately denying to have reeived X i s REPLY. We name this REPLY-disregard attak. It follows that S annot perform a ross-hek on the pairs ðm;x i Þ in the CST. However, a REPLY-disregard attak ð3þ

8 296 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 12, NO. 2, FEBRUARY 2013 does not bring any signifiant advantage to M. Indeed, the exlusion of (some or all of) the ommon neighbors redues the system to one of the senarios disussed for the basi attak, hene the adversary is at most tagged as unverifiable by S. More importantly, the maximum number of REPLYs an adversary an disregard is exatly one, otherwise it is lassified as faulty in the MLT Hyperbola-Based Attak This attak again attempts to fool the CST. More speifially, it sales up the basi attak by also forging the timings relative to the shared neighbor(s). First, onsider that S and M share a nonollinear ommon neighbor X. The CST on the ðm;xþ pair at S requires that jd XM d MX j 2 r þ m and jkp X p M k d XM j 2 p þ r. Applying the same substitutions as in (3) and (4), this means that M is fored to advertise the following fake timings: t 0 M ¼ t M þ p k X p M k p X p 0 M ; ð5þ t 0 XM ¼ t XM p k X p M k þ p X p 0 M : ð6þ If M is knowledgeable, and thus aware of X s urrent position p X, it an solve (6) and announe the forged t 0 XM in its REPORT to S. However, (5) introdues a seond expression for t 0 M, while M an advertise only one t0 M in its REPORT. In order to pass both the DST and the CST, M needs to announe a t 0 M that satisfies (3) and (5), whih implies kp S p M k p S p 0 M ¼ k px p M k p X p 0 M : ð7þ In other words, M is onstrained to hoose loations with the same distane inrement (or derement) from S and X. In (7), p S, p X, and p M are fixed and known, hene the distanes between p S and p M, and between p X and p M, an be onsidered as onstant. We thus rewrite (7) as p X p 0 M ps p 0 M ¼ k. This is the equation, with the unknown p 0 M, of a hyperbola with foi in p S and p X that passes through p M. It follows that only positions p 0 M on suh hyperbola an satisfy the four onstraints in (3), (4), (5), and (6). As a onlusion, the hyperbola-based attak onsists in advertising a fake position that lies on the aforementioned urve, as well as message transmission and reeption times that validate suh a position. An example is provided in Fig. 3a. Note that, in order to suessfully perform a hyperbolabased attak, an adversary has to 1) know the position of both S and X, 2) orretly guess the identity of the verifier, and 3) advertise a fake position only along a speifi urve. Although these are restritive onditions, the CST still marks as unverifiable the nodes that passed the DST but share only one neighbor with the verifier, so as to avoid any possibility of suessful hyperbola-based attak. We now onsider a seond orret, nonollinear node Y 2 IN S \ IN M, and show that, in suh a senario, also the hyperbola-based attak beomes futile. Note that no assumption is made on the onnetivity between the two neighbors X and Y. By extending the previous reasoning, in presene of two ommon orret neighbors, X and Y, M has to forge four time values, i.e., t 0 M, t0 SM, t0 XM, and t0 YM,so Fig. 3. Hyperbola-based attak: (a) If it orretly guesses S s identity, a knowledgeable adversary M an forge timings with respet to S and X (blak lines), so that they agree with any fake position M 0 lying on the hyperbola with foi in S, X, and passing by M. M is unverifiable. (b) M an only forge timings in agreement with fake positions that lie on both hyperbolae of foi in S, X, and S, Y, and passing by M. The only suh point, i.e., the intersetion, mathes M s atual position. When moving on the hyperbola of foi S and X, the timing with respet to Y (rossed gray line) is not verified. that six equations are satisfied, i.e., (3), (4), (5), (6) and two additional equations 5 orresponding to the ross-hek with the seond ommon neighbor Y. This implies that the fake REPLY transmission time t 0 M announed by M must now fulfill three onstraints, or, equivalently, M must advertise a position p 0 M that is equally farther from (or loser to) S, X, and Y with respet to its atual loation p M. The only point satisfying suh a ondition lies at the intersetion of three hyperbolae with foi in p S and p X, p S and p Y, p X, and p Y, respetively, and it orresponds to the real position of the adversary, p M. In other words, if it shares two neighbors with S, an adversary annot suessfully laim to be at any loation other than its atual one, not even if it is knowledgeable, it orretly guesses the role of all other nodes, and it performs a hyperbola-based attak. An example is provided in Fig. 3b. We also stress that the presene of additional shared neighbors simply introdues other onstraints on t 0 M, and thus further binds M to its atual position. Similarly, ombining a hyperbola-based attak with a REPLY-disregard attak yields no hane of suess. As a matter of fat, ignoring REPLY messages from one or multiple shared neighbors results in reverting the system to one of the ases previously analyzed, with the adversary being tagged at best as unverifiable Collinear Attak The above disussion shows that the presene of two or more orret ommon neighbors, whih an be used to perform the ross-heks in the CST, is a ondition that foils all the attak strategies introdued so far. There exists however a last type of attak, whih we name ollinear attak, that we need to disuss. The ollinear attak builds on the following geometrial property: if three points are ollinear (i.e., lie on the same line), the hyperbola having as foi two of the points (one of whih is that in the middle) and passing by the third degenerates into the half-line originating at the intermediate point and passing by the third one. This property implies that, if two shared neighbors X and Y lie between S and the adversary M, and all four nodes are ollinear, the hyperbolae that pin the atual position of the adversary p M degenerate to partially overlapping half-lines. This allows M to forge timings relative to S, X, and Y onsistent 5. The latter two equations an be obtained from (5)-(6) by replaing p X, t XM,andt 0 XM, respetively, with p Y, t YM,andt 0 YM.

9 FIORE ET AL.: DISCOVERY AND VERIFICATION OF NEIGHBOR POSITIONS IN MOBILE AD HOC NETWORKS 297 Fig. 4. Collinear attak: (a) The hyperbola of foi in S, X (Y ) and passing by M degenerates into a half-line with origin in X (Y ). The hyperbolae intersetion region, over whih M an announe a fake position M 0 with orret timings, beomes the segment originating at Y and bounded by R (dashed gray line). M is unverifiable. (b) M an announe timings that are onsistent with its fake position M 0 with respet to the three ollinear neighbors X, Y, and Z (blak lines). This is not possible with respet to J and K (rossed-out gray lines). As a ountermeasure, ollinear neighbors are not ross-heked in the CST. M is tagged as faulty. with any fake position over the segment originating at the shared ollinear neighbor that is loser to M, passing by p M and bounded by R. An example is given in Fig. 4a. In the more general ase of any number of ommon neighbors to S and M, the ollinear attak would allow an adversary to appear orret to the shared neighbors that are ollinear with it and S, as in Fig. 4b. Again, this requires the adversary to be knowledgeable, to orretly guess the origin of POLL and REPLY messages it reeives, and to limit the hoie of its fake position to a speifi segment. As a ountermeasure to ollinear attaks, in the CST S disards pairs of neighbors that announe ollinear positions with it (Algorithm 4, line 7). When ollinear neighbors are dropped, a ollinear attak results, for instane, in the adversary being tagged as unverifiable in Fig. 4a (sine there are no nonollinear shared neighbors) and as faulty in Fig. 4b (sine there are two nonollinear shared neighbors). We remark that, on the one hand, not allowing rossheks that involve ollinear nodes prevents ollinear attaks. On the other, it redues the number of orret neighbors that an ontribute to identifying adversarial nodes. However, as shown in Setion 7, this approah ensures high resiliene to attaks as well as reliability in identifying orret nodes as verified Multiple Independent Adversaries Multiple independent adversaries in the neighborhood of the verifier just damage eah other, by announing false positions that reiproally spoil the time omputations disussed in the previous setions. Thus, all ross-heks on pairs of nonolluding adversaries result in mismathes in the CST, inreasing their hanes to be tagged as faulty by the verifier. Where multiple independent adversaries an harm the system is in the verifiation of orret neighbors. As a matter of fat, a node is tagged as verified if it passes the strit majority of ross-heks it undergoes. A orret node surrounded by several adversaries an thus be marked as faulty (unverifiable), if it shares with the verifier a number of nonollinear independent adversaries greater than (equal to) the number of nonollinear orret nodes. However, situations where a orret node shares mostly unoordinated adversarial neighbors with the verifier are unlikely to our in realisti senarios, as also shown by our performane evaluation Summary We onlude that a single independent adversary annot perform any suessful attak against the NPV sheme. Indeed, in presene of a limited number of nonollinear neighbors in ommon with the verifier, a knowledgeable adversary an attempt one of the strategies outlined before, but it is tagged at most as unverifiable. When the shared neighborhood inreases in size, the probability that the adversary is tagged as faulty rapidly grows to 1. Multiple independent adversaries an only harm eah other, thus reduing their probability of suessfully announing a fake position. 6.2 Faking Own Position: Colluding Adversaries We assume that olluders share out-of-band links with negligible lateny, through whih they exhange information, and an perform omplex distributed omputations. This notwithstanding, in the following we show that our sheme is resistant to oordinated attaks 6 as well, unless the presene of olluding adversaries in the neighborhood of the verifier beomes overwhelming Basi Attak The simplest way adversarial nodes an ooperate to make the verifier S trust the fake positions they announe is by extending the basi attak introdued in Setion More preisely, other than individually announing POLL reeption timings that agree with their fake positions, olluding adversaries an mutually validate the false information they generate. They an forge the reeption times of reiproal REPLY messages, so that all ross-heks in the CST involving the olluders are passed. A perfet ooperation thus results in the olluding adversaries ability to alter all distanes between them without being notied. We remark that the adversaries still need to know S s position in order to ompute and advertise timings that onfirm their fake position. This time, however, if at least three adversaries ooperate to perform the attak, they do not need to be knowledgeable. As a matter of fat, they an exploit their real positions and POLL reeption times to multilaterate the oordinates of the verifier. Our NPV orretly identifies suh a basi attak through the CST, as long as the majority of the (nonollinear) neighbors shared by S and an adversary are not olluding with the latter. An example is shown in Fig REPLY-Disregard Attak As in the ase of independent adversaries, multiple olluders an gain advantage by ignoring REPLY messages from nonolluding nodes. This lets them avoid ross-heks that ould result in mismathes, and, eventually, in being tagged as faulty. Indeed, n 3 olluders ould disregard the REPLY reeived from all nonolluding nodes and still advertise a number n 1 2 of neighbors that would report onsistent timings with theirs a suffiient ondition to pass the CST. This behavior, however, is properly handled in our NPV by the MLT, whih tags as faulty a neighbor that disregarded (intentionally or not) two or more REPLY messages and announed a loation other than the multilaterated one. 6. Note that, sine our NPV exploits ToF-based ranging, wormhole attaks redue to Sybil attaks, as disussed in Setion 6.4.

10 298 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 12, NO. 2, FEBRUARY 2013 Fig. 5. Cooperative basi attak. The olluding adversaries M 1, M 2, and M 3 an forge timings that validate their fake positions M1 0, M0 2, and M3 0 with respet to S, as well as to eah other (blak lines). However, ross-heks with nonolluding neighbors fail (rossed-out gray lines). M 1, sharing with S the other two olluders and X, is tagged as verified. M 2, sharing with S the other two olluders and X, Y, is unverifiable. M 3, sharing with S the other two olluders and X, Y, Z, is marked as faulty Hyperbola-Based Attak The olluding attakers agree not only on the position of the verifier (either guessed or multilaterated), but also pik a nonollinear ommon neighbor, X, that they share with S: eah olluder then omputes the hyperbola with foi S, X, and passing through its own real position, and announes a fake loation on suh a urve. This allows the adversaries to announe orret links 1) with the verifier, 2) among themselves, and 3) with the seleted neighbor X, whih beomes an involuntary ally in the attak. Again, the loation of X must be randomly guessed by two olluders, while it an be multilaterated by three or more ooperating adversaries. In presene of suh a hyperbola-based attak, the CST orretly tags an adversary M as faulty if the nonollinear ommon neighbors between the verifier and M that do not ollude with M outnumber the olluding ones by 3. Note that the two additional orret neighbors are required to ounter the effet of X unintentionally taking part into the attak. An example is depited in Fig Collinear Attak Unlike independent adversaries (Setion 6.1.4), multiple olluders an take advantage of a ollinear attak. In partiular, one or more adversaries an purposely announe positions that are ollinear with those of some nonolluding neighbors, so as to avoid ross-heks with them. Then, they an rely on olluders that delared nonollinear positions to pass the CST, as in Fig. 7. In other words, olluders an launh a ollinear attak as a legal mean to avoid unwanted neighbors. Suh a gain omes at the ost of a restrited freedom of movement, Fig. 6. Cooperative hyperbola-based attak: If two olluding adversaries, M 1 and M 2, are knowledgeable and orretly guess the identity of S, they an forge timings with respet to S and X as well as to eah other (blak lines) and announe the fake positions M1 0 and M0 2, respetively. M1 0 (M0 2 ) an be any point on the hyperbola with foi in S, X, and passing by M 1 (M 2 ). However, M 1 shares four orret and one olluding, nonollinear neighbors with S, while M 2 shares two orret and one olluding, nonollinear neighbors with S, hene M 1 is tagged as faulty and M 2 is tagged as verified. Fig. 7. Cooperative ollinear attak. The adversary M 1 announes a fake position M 0 1 that is ollinear with the verifier S and the nonolluding neighbors X, Y, avoiding ross-heks with the latter two. M 2 and M 3, olluding with M 1, delare nonollinear false loations (M 0 2, M0 3 ), thus guaranteeing to M 1 a majority of validated rossheks. The adversary M 1 is tagged as verified, while M 2 and M 3 are marked as faulty. sine the fake position must lie on a speifi segment (see Setion 6.1.4). The robustness of our NPV to this kind of attaks depends on the network layout: environments where nodes tend to form straight topologies (suh as vehiular ones) are more prone to suffer from ollinear attaks. In general, the NPV is resistant to ollinear attaks as long as the majority of the shared neighbors are not olluding or ollinear Summary As a onlusion on oordinated attaks, it is the nature of the neighborhood that determines the performane of the NPV sheme in presene of olluders. However, the simulation results in Setion 7 show that, in realisti environments, our solution is very robust even to attaks launhed by large groups of knowledgeable olluders. 6.3 Disrediting Other Neighbors A different objetive of the adversary an be to disredit other nodes by induing the verifier to tag them as faulty or unverifiable. To this end, an adversary M needs to announe a fake timing t 0 XM (i.e., the time at whih M laims it has reeived X s REPLY), for any neighbor X 2 IN S \ IN M that it wants to disredit. By doing so, M an disrupt the ross-heks made by S on the pair ðx; MÞ in the CST. When launhed by a single adversary, suh an attak an sueed if there are only two additional orret nodes (whih are tagged as unverifiable by S). In all other onfigurations, a single adversary annot affet the assessment of other orret nodes. When launhed by multiple adversaries, no matter whether they are independent or olluding, the effet of this attak is the same as the one highlighted in Setion We reall that our NPV protool provides protetion to a orret node X, as long as the number of adversarial neighbors it shares with the verifier S is lower than that of orret ommon neighbors. Vie versa, if the number of adversarial shared neighbors trying to disredit X is greater than (equal to) the number of orret ommon neighbors, X is tagged as faulty (unverifiable). 6.4 Other Attaks Jamming This is the only external attak that an harm the system. Any adversary (internal or external) an jam the hannel and erase REPLY or REPORT messages. However, to sueed, M should jam the medium ontinuously for a long time, sine it annot know when exatly a node will

11 FIORE ET AL.: DISCOVERY AND VERIFICATION OF NEIGHBOR POSITIONS IN MOBILE AD HOC NETWORKS 299 transmit its REPLY or REPORT. Or, M ould erase the REVEAL, but, again, jamming should over the entire T jitter time. Overall, there is no easy point to target: a jammer has to at throughout the NPV exeution, whih implies a high energy onsumption and is a disruptive ation possible against any wireless protool. In addition, mobility makes it harder to repeatedly jam different instanes of the NPV protool run by the same verifier Clogging An adversary ould initiate the NPV protool multiple times in a short period and get repeated REPLY and REPORT messages from other nodes, so as to ongest the hannel. In partiular, REPORTs are larger in size, thus likely ause the most damage. However, NPV has a way of preventing that: the initiator must unveil its identity before suh messages are transmitted by neighbors. An exeedingly frequent initiator an be identified, and its REVEALs ignored, thanks to the use of ertified keys. REPLYs instead are small in size and are broadast messages (thus require no ACK): their damage is limited, but their unneessary transmission is muh harder to thwart. Indeed, REPLY messages are sent after an anonymous POLL; suh an anonymity is a hard-to dismiss requirement, sine it is instrumental for keeping the identity of the verifier hidden. As a general rule, orret nodes an reasonably self-limit their responses if POLLs arrive at exessive rates Adversarial Use of Diretional Antennas Assume that adversaries are equipped with diretional antennas and multiple radio interfaes. As a orret node S starts the NPV protool, a knowledgeable adversary M an send different REPLYs through eah interfae at different time instants: any orret neighbor X would reord a time t 0 MX, ompliant with the fake position p0 M, allowing M to pass the ross-hek with X in the CST. IfM an fool a suffiient number of neighbors, it is tagged as verified. However, M needs as many diretional antennas and radio interfaes as the number of neighbors it wants to fool, hoping that no two suh neighbors are within the beam of the same antenna. The omplexity, ost, and hanes of failure make this attak hardly viable. We also remark that, sine our approah exploits ToF-based ranging, suh an attak annot be launhed by using a steerable antenna, whih takes an exeedingly long time to swap from one setor to another Sybil and Relay (Wormhole) Attaks An adversary an assume several trusted identities, M¼fM 1 ;...;M I g, if 1) it owns several ertifiated pairs of publi/private keys (Sybil attak), or 2) it impersonates olluding adversaries at the end of wormholes. The availability of several identities ould be used by an adversary to aquire its neighbor positions, i.e., to beome knowledgeable. However, as shown in Setion 6.1, attaks launhed by independent, knowledgeable adversaries have no hane of suess. Furthermore, by announing timings that are onsistent among the identities in M, the adversary an behave as a group of olluders of size I. The analysis in Setion 6.2 thus applies to suh attaks as well, exept for the fat that the adversary annot aquire the position of other nodes through triangulation. A verifier suspeting 7 that this attak is being launhed an run the MLT to determine whether messages from nodes in M ome from the same loation. 7 PERFORMANCE EVALUATION We evaluated the performane of our NPV protool in a vehiular senario. Results obtained in a pedestrian senario are available as supplemental material, whih an be found on the Computer Soiety Digital Library at doi.ieeeomputersoiety.org/ /tmc We fous on knowledgeable adversaries whose goal is to make the verifier believe their fake positions, and we desribe the best attak strategy they an adopt in Setion 7.1. Suh a strategy, whih depends on the neighborhood of the adversary and builds on a ombination of the attaks desribed in Setions 6.1 and 6.2, will be assumed while deriving the results shown in Setion 7.2. The results, whih therefore represent a worst ase analysis of the proposed NPV, are shown in terms of the probability that the tests return false positives and false negatives as well as of the probability that a (orret or adversary) node is tagged as unverifiable. In addition, we plot the average differene between the true position of a suessful adversary and the fake position it advertises, as well as the overhead introdued by our NPV sheme. The results on attaks aimed at disrediting the position of other nodes are omitted, sine they are very lose to those we present later in this setion. 7.1 Adversaries Attak Strategy The adversary deision on the kind of attak to launh is driven by the tradeoff between the hanes of suess and the freedom of hoie on its fake position. The basi attak allows the adversary to hoose any false position, but it requires a high perentage of olluders in the neighborhood in order to be suessful. The hyperbola-based attak implies less freedom of hoie but has higher hanes of suess. The ollinear attak pins the adversary into a preise angle with the verifier, and stritly bounds its distane from the verifier itself. However, if the network topology features a suffiient number of ollinear nodes, this attak has the highest suess probability. It follows from Setion 6 that the best strategy that an adversary an adopt depends on its neighborhood. First, if it olludes with other adversaries outnumbering the nonolluding neighbors, a basi attak is launhed. Otherwise, if the ratio between olluding and nonolluding neighbors is not greater than (but lose enough to) 1, a hyperbola-based attak is attempted. As a third option, if nonolluding neighbors greatly outnumber the olluding ones, but some of the former are ollinear with the verifier and among themselves, the adversary launhes a ollinear attak. Through it, the adversary an have the nonolluding, ollinear neighbors thrown out of the ross-heks in the CST. If none of the above onditions are met, the adversary piks a hyperbola-based attak, i.e., the one with the 7. An example of suspet situation is the ase where the neighborhood of the verifier is split into groups of nodes, whose members pass the rossheks in the CST only with the nodes belonging to the same group.

12 300 IEEE TRANSACTIONS ON MOBILE COMPUTING, Fig. 8. Road layout of the 7 3 km2 vehiular senario. highest hanes of suess in absene of nonolluding, ollinear neighbors. Also, an adversary always runs a REPLY-disregard on one nonolluding neighbor, avoiding a mismath with it. Reall that disregarding just one REPLY does not trigger the MLT on the adversary. 7.2 Results We employed movement traes representing vehile traffi over a real-world road topology. More preisely, we onsidered ar movements within a 20 km2 portion of the Karlsruhe urban area depited in Fig. 8, extrating 3 hours of vehiular mobility that reprodue mild to heavy traffi density onditions. These syntheti traes were generated using the IDM-LC model of the VanetMobiSim simulator, whih takes into aount ar-to-ar interations, traffi lights, stop signs, and lane hanges, and has been proven to realistially reprodue vehiular movement patters in urban senarios [31]. In our simulations, we set Tmax ¼ 200 ms, Tjitter ¼ 50 ms, ¼ 1 ms and assume that CSMA/CA is used to aess the wireless medium, hene messages an be lost due to ollisions. Unless otherwise speified, we fix the proximity range, R, whih is equal to the maximum nominal transmission range, to 250 m (resulting in an average neighborhood size of 73.4 nodes), while r ¼ 6:8 m, p ¼ 10 m, and the tolerane value m ¼ 5 m (roughly orresponding to the ase of two vehiles moving at 50 km/h in opposite diretions). To evaluate the performane of our NPV, at every simulation seond we randomly selet 1 perent of the nodes as verifiers. Then, for eah verifier, we ompare the outome of the verifiation tests with the atual nature of the neighbors. We onsider olluding adversaries ating in groups, referred to as lusters. Note that a olluding luster size equal to 1 orresponds to independent attaks. Also, adversaries are knowledgeable, i.e., they perfetly know the identity and loation of all olluding and nonolluding neighbors, and always adopt the best attak strategy as VOL. 12, NO. 2, FEBRUARY 2013 desribed in Setion 7.1. In the following, unless otherwise speified, adversaries amount to 5 perent of the overall nodes and are divided into lusters of five olluders eah. In the legend of the plots, C stands for orret node (e.g., the label C faulty refers to the probability of false positives), while M/Bas, M/Hyp, and M/Col stand for adversaries launhing, respetively, the basi, hyperbola-based and ollinear attak (e.g., the label M/Bas verified refers to the probability of false negatives due to basi attaks). We first examine the NPV protool performane for different values of olluding luster sizes and R ¼ 250 m (Figs. 9a and 9b). The false negative/positive probability in Fig. 9a learly shows that 1) the hane of wrong lassifiation reahes 0.01 only for a very large adversarial luster size, namely 10, 2) the hyperbola-based and the ollinear attaks are the most threatening and 3) an attak by the olluders is most effetive in passing themselves off as verified when there are at least three of them. The luster size also affets the olluders ability to disrupt the positioning of orret nodes, whih exhibit as high as a 0.4 perent hane to be tagged as faulty. Conversely, as shown in Fig. 9b, the luster size does not ause more orret nodes to be unverifiable, sine the main reason for orret nodes to be tagged as unverifiable is the lak of nonollinear neighbors that an verify them. The hane for an adversary to be unverifiable inreases with the luster size, although it is signifiant only in ase of ollinear attaks. This is in agreement with the fat that the outome of the ollinear attak is the avoidane of a sizable number of ross-heks between the adversary and orret nodes, thus likely leading the adversary to be tagged as unverifiable. The neighborhood size proves to play an important role, as evident in Figs. 9 and 9d where we onsider a 5-olluder luster and vary the transmission range. A small R (hene few neighbors) affets the NPV apability to orretly tag a node. Widening the transmission range with a fixed olluding luster size signifiantly favors the verifier, allowing it to reah a onlusive and exat verdit on either orret or adversary nodes: the larger the R, the higher the number of ross-heks involving orret nodes in the CST. We note that, for transmission ranges larger than 300 m, we obtain false positive/negative probabilities that are smaller than Below 150-m ranges (orresponding to an average neighborhood size of 12 nodes), suh probabilities are still Fig. 9. Probability that a neighbor is tagged inorretly or as unverifiable, versus the olluder luster size (a,b), and versus R (,d). C: orret; M/Bas, M/Hyp, and M/Col: adversaries launhing the basi, hyperbola-based and ollinear attak, eah ombined with the REPLY-disregard attak.

13 FIORE ET AL.: DISCOVERY AND VERIFICATION OF NEIGHBOR POSITIONS IN MOBILE AD HOC NETWORKS 301 Fig. 10. Probability that a neighbor is tagged inorretly or as unverifiable, versus the ratio of adversaries (a,b), and position error (,d). C: orret; M/Bas, M/Hyp, and M/Col: adversaries launhing the basi, hyperbola-based, and ollinear attak, eah ombined with the REPLY-disregard attak. Beside the impat of the luster size and of the transmission range, it is important to understand the effet of the perentage of adversaries in the vehiular network. Thus, in Fig. 10a we fix R to 250 m and the luster size to 5, and we show the robustness of our NPV to the density of adversaries: the probability that adversaries are verified inreases ever so slightly with their density. The highest effet is on the probability of orret nodes being tagged as faulty, whih however reahes its highest value (0.1) only for 30 perent of adversaries in the network. A further effet of the growing presene of adversaries, as shown in Fig. 10b, is the unverifiable tag being slapped onto more orret nodes. A final observation an be made looking at the false positive/negative probability as the positioning error varies (Figs. 10 and 10d). Interestingly, for any positioning error different from 0, the metris are only marginally affeted. Finally, we further inrease the level of detail of our analysis and study the advantage obtained by adversaries that perform a suessful attak against the NPV protool. Suh an adversarial gain is expressed in terms of spatial displaement, i.e., differene of position between the real and fraudulently advertised loations of the suessful attaker: learly, a larger displaement range implies a higher freedom of movement, whih, in turn, enables potentially more dangerous ations against the system. The results in Fig. 11a are broken down based on the type of attak launhed by the suessful adversary, and are limited to the impat of the transmission range, sine the other parameters did not show signifiant influene on the displaement of suessful attakers. Fig. 11. Displaement gain of adversaries running a suessful attak against the NPV (a) and traffi load indued by one instane of the protool (b). We an observe that suessful ollinear attaks yield small advantage for adversaries, who are fored to announe positions quite lose to their real loations. Moreover, we reall that these attaks onstrain adversaries to advertise fake positions along a preise axis, thus further limiting their freedom of movement. We an onlude that ollinear attaks, typially those with the highest hanes of suess as previously disussed, are also those resulting in the smallest gain for the adversaries. Conversely, basi attaks allow the largest average displaements, but we showed that they have extremely low suess probability. The hyperbola-based attaks appear then to be the most dangerous ones, if the displaement gain is taken into onsideration. However, suh a gain beomes signifiant only for large transmission ranges, in presene of whih we already observed that the atual suess probability of the attaks beomes negligible. Finally, we omment on the overhead introdued by our sheme. The NPV protool generates at most 2n þ 2 messages for one exeution initiated by a verifier with n ommuniation neighbors. Also, NPV messages are relatively small in size: with SHA-1 hashing and ECDSA- 160 enryption [27], the length of signatures is 21 bytes (with oordinates ompression). Assuming that messages inlude headers with 4-byte soure and destination identifiers and 1-byte message type field, POLL, REPLY, and REVEAL are 26, 71, and 67 bytes in size, respetively. The REPORT length depends on the quantity of ommon neighbor data it arries, amounting to 4 bytes per shared neighbor: information on more than 360 neighbors an thus fit in a single IP paket. Fig. 11b portrays the traffi indued on the network by one instane of the NPV protool. The plot only aounts for transmission range variations sine, one more, the other parameters do not have an impat on the overhead. We an observe that seurity omes at a ost, sine the traffi load of the NPV protool is higher than that of a basi nonseure neighbor position disovery, onsisting of only one poll and assoiated position replies from neighbors. More preisely, the NPV protool overhead is omparable to that of the nonseure disovery for smaller transmission ranges, while the differene tends to inrease for larger ranges. However, the ost of the NPV protool is affordable in absolute terms, sine one run requires just a few tens of kbytes to be exhanged among nodes, even in presene of dense networks and large transmission ranges. Note that the results above do not take into aount the overhead

14 302 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 12, NO. 2, FEBRUARY 2013 indued by the distribution of ertifiates, as it is out of the sope of this work (the interested reader an refer to [26]). Summary. Given that we assumed the best possible onditions for the adversaries, the above results prove our NPV to be highly resilient to attaks. Indeed, we observed typial probabilities of false positives/negatives below 1 perent, while that of a node being tagged as unverifiable is below 5 perent. Moreover, we showed that a signifiant portion of the suessful attaks yields small advantage to the adversaries in terms of displaement. Finally, the overhead introdued by the NPV protool is reasonable, as it does not exeed a few tens of kbytes even in the most ritial onditions. 8 CONCLUSION We presented a distributed solution for NPV, whih allows any node in a mobile ad ho network to verify the position of its ommuniation neighbors without relying on a priori trustworthy nodes. Our analysis showed that our protool is very robust to attaks by independent as well as olluding adversaries, even when they have perfet knowledge of the neighborhood of the verifier. Simulation results onfirm that our solution is effetive in identifying nodes advertising false positions, while keeping the probability of false positives low. Only an overwhelming presene of olluding adversaries in the neighborhood of the verifier, or the unlikely presene of fully ollinear network topologies, an degrade the effetiveness of our NPV. Future work will aim at integrating the NPV protool in higher layer protools, as well as at extending it to a proative paradigm, useful in presene of appliations that need eah node to onstantly verify the position of its neighbors. ACKNOWLEDGMENTS This work was supported by the Regione Piemonte through the IoT j ToI projet, whih is part of the seond all of POR F.E.S.R. 2007/2013. REFERENCES [1] : IEEE Trial-Use Standard for Wireless Aess in Vehiular Environments - Seurity Servies for Appliations and Management Messages, IEEE, [2] P. Papadimitratos, L. Buttyan, T. Holzer, E. Shoh, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, Seure Vehiular Communiations: Design and Arhiteture, IEEE Comm. Magazine, vol. 46, no. 11, pp , Nov [3] P. Papadimitratos and A. Jovanovi, GNSS-Based Positioning: Attaks and Countermeasures, Pro. IEEE Military Comm. Conf. (MILCOM), Nov [4] L. Lazos and R. Poovendran, HiRLo: High-Resolution Robust Loalization for Wireless Sensor Networks, IEEE J. Seleted Areas in Comm., vol. 24, no. 2, pp , Feb [5] R. Poovendran and L. Lazos, A Graph Theoreti Framework for Preventing the Wormhole Attak, Wireless Networks, vol. 13, pp , [6] S. Zhong, M. Jadliwala, S. Upadhyaya, and C. Qiao, Towards a Theory of Robust Loalization against Maliious Beaon Nodes, Pro. IEEE INFOCOM, Apr [7] P. Papadimitratos, M. Poturalski, P. Shaller, P. Lafourade, D. Basin, S. Capkun, and J.-P. Hubaux, Seure Neighborhood Disovery: A Fundamental Element for Mobile Ad Ho Networks, IEEE Comm. Magazine, vol. 46, no. 2, pp , Feb [8] Y.-C. Hu, A. Perrig, and D.B. Johnson, Paket Leashes: A Defense against Wormhole Attaks in Wireless Networks, Pro. IEEE INFOCOM, Apr [9] J. Eriksson, S. Krishnamurthy, and M. Faloutsos, TrueLink: A Pratial Countermeasure to the Wormhole Attak in Wireless Networks, Pro. IEEE 14th Int l Conf. Network Protools (ICNP), Nov [10] R. Maheshwari, J. Gao, and S. Das, Deteting Wormhole Attaks in Wireless Networks Using Connetivity Information, Pro. IEEE INFOCOM, Apr [11] R. Shokri, M. Poturalski, G. Ravot, P. Papadimitratos, and J.-P. Hubaux, A Pratial Seure Neighbor Verifiation Protool for Wireless Sensor Networks, Pro. Seond ACM Conf. Wireless Network Seurity (WiSe), Mar [12] M. Poturalski, P. Papadimitratos, and J.-P. Hubaux, Seure Neighbor Disovery in Wireless Networks: Formal Investigation of Possibility, Pro. ACM Symp. Information, Computer and Comm. Seurity (ASIACCS), Mar [13] M. Poturalksi, P. Papadimitratos, and J.-P. Hubaux, Towards Provable Seure Neighbor Disovery in Wireless Networks, Pro. Workshop Formal Methods in Seurity Eng., Ot [14] E. Ekii, S. Vural, J. MNair, and D. Al-Abri, Seure Probabilisti Loation Verifiation in Randomly Deployed Wireless Sensor Networks, Elsevier Ad Ho Networks, vol. 6, no. 2, pp , [15] J. Chiang, J. Haas, and Y. Hu, Seure and Preise Loation Verifiation Using Distane Bounding and Simultaneous Multilateration, Pro. Seond ACM Conf. Wireless Network Seurity (WiSe), Mar [16] S. Capkun, K. Rasmussen, M. Cagalj, and M. Srivastava, Seure Loation Verifiation with Hidden and Mobile Base Stations, IEEE Trans. Mobile Computing, vol. 7, no. 4, pp , Apr [17] S. Capkun and J.-P. Hubaux, Seure Positioning in Wireless Networks, IEEE J. Seleted Areas in Comm., vol. 24, no. 2, pp , Feb [18] A. Vora and M. Nesterenko, Seure Loation Verifiation Using Radio Broadast, IEEE Trans. Dependable and Seure Computing, vol. 3, no. 4, pp , Ot.-De [19] J. Hwang, T. He, and Y. Kim, Deteting Phantom Nodes in Wireless Sensor Networks, Pro. IEEE INFOCOM, May [20] T. Leinmüller, C. Maihöfer, E. Shoh, and F. Kargl, Improved Seurity in Geographi Ad Ho Routing through Autonomous Position Verifiation, Pro. ACM Third Int l Workshop Vehiular Ad Ho Networks (VANET), Sept [21] J.-H. Song, V. Wong, and V. Leung, Seure Loation Verifiation for Vehiular Ad-Ho Networks, Pro. IEEE Globeom, De [22] M. Fiore, C. Casetti, C.-F. Chiasserini, and P. Papadimitratos, Seure Neighbor Position Disovery in Vehiular Networks, Pro. IEEE/IFIP 10th Ann. Mediterranean Ad Ho Networking Workshop (Med-Ho-Net), June [23] Fed. Highway Administration, High Auray-Nationwide Differential Global Positioning System Test and Analysis: Phase II Report, FHWA-HRT , July [24] NA5TR1.pdf, [25] PRECIOSA: Privay Enabled Capability in Co-Operative Systems and Safety Appliations, [26] G. Calandriello, P. Papadimitratos, A. Lioy, and J.-P. Hubaux, On the Performane of Seure Vehiular Communiation Systems, IEEE Trans. Dependable and Seure Computing, vol. 8, no. 6, pp , Nov./De [27] IEEE Standard Speifiations for Publi-Key Cryptography - Amendment 1: Additional Tehniques, IEEE 1363a 2004, [28] M. Ciurana, F. Barelo-Arroyo, and F. Izquierdo, A Ranging System with IEEE Data Frames, Pro. IEEE Radio and Wireless Symp., Jan [29] F. Carpenter, S. Srikanteswara, and A. Brown, Software Defined Radio Test Bed for Integrated Communiations and Navigation Appliations, Pro. Software Defined Radio Tehnial Conf., Nov [30] E. Del Re, L.S. Ronga, L. Vettori, L. Lo Presti, E. Falletti, and M. Pini, Software Defined Radio Terminal for Assisted Loalization in Emergeny Situations, Pro. First Int l Conf. Wireless Comm., Vehiular Tehnology, Information Theory and Aerospae Eletroni Systems Tehnology (CTIF Wireless Vitae), May [31] J. Härri, M. Fiore, F. Filali, and C. Bonnet, Vehiular Mobility Simulation with VanetMobiSim, Trans. So. Modeling & Simulation, 2009.

2004, respetively, and the PhD degree from the Politenio di Torino in 2008. He is an assistant professor at INSA Lyon and an INRIA researher within the SWING team hosted by the CITI Lab.

He is an assistant professor in the Dipartime nto di Elettronia at the Politenio di Torino.

15 FIORE ET AL.: DISCOVERY AND VERIFICATION OF NEIGHBOR POSITIONS IN MOBILE AD HOC NETWORKS 303 Maro Fiore reeived two MS degrees from the University of Illinois at Chiago and the Politenio di Torino in 2003 and 2004, respetively, and the PhD degree from the Politenio di Torino in He is an assistant professor at INSA Lyon and an INRIA researher within the SWING team hosted by the CITI Lab. He has been a visiting researher at Rie University and the Universitat Politenia de Catalunya. His researh interests are in the field of mobile networking with a fous on vehiular networks. He is a member of the IEEE. Claudio Ettore Casetti reeived the graduate degree in eletrial engineering from the Politenio di Torino in 1992 and the PhD degree in eletroni engineering from the same institution in He is an assistant professor in the Dipartime nto di Elettronia at the Politenio di Torino. He has oauthored more than 130 journal and onferene papers in the fields of networking and holds three patents. His interests fous on ad ho wireless networks and vehiular networks. He is a member of the IEEE. Carla-Fabiana Chiasserini reeived the PhD degree from Politenio di Torino in She has worked as a visiting researher at UCSD in , and she is urrently an assoiate professor at Politenio di Torino. Her researh interests inlude arhitetures, protools, and performane analysis of wireless networks. She has published more than 190 papers in prestigious journals and leading international onferenes, and she serves as an assoiated editor of several journals. She is a senior member of the IEEE and the IEEE Computer Soiety. Panagiotis Papadimitratos reeived the PhD degree from Cornell University, Ithaa, New York. He was a postdotoral fellow at Virginia Teh, Blaksburg, VA, a sientist at EPFL, Lausanne, Switzerland, and a visiting faulty member at Politenio di Torino. He is now an assoiate professor in the Shool of Eletrial Engineering at KTH, Stokholm, Sweden. His researh is onerned with seurity and networked systems, with more than 70 related tehnial publiations. He is a member of the IEEE.. For more information on this or any other omputing topi, please visit our Digital Library at

Dynamic Neighbor Positioning In Manet with Protection against Adversarial Attacks

International Journal of Computational Engineering Research Vol, 03 Issue, 4 Dynamic Neighbor Positioning In Manet with Protection against Adversarial Attacks 1, K. Priyadharshini, 2, V. Kathiravan, 3,