randomly deployed wireless sensor networks q

ARTICLE IN PRESS

Ad Hoc Networks xxx (2007) xxx–xxx

www.elsevier.com/locate/adhoc

Secure probabilistic location verification inrandomly deployed wireless sensor networks q

E. Ekici a,*, S. Vural a, J. McNair b, D. Al-Abri b

a Department of Electrical and Computer Engineering, Ohio State University, Columbus, OH, United Statesb Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL, United States

Received 24 August 2006; received in revised form 23 November 2006; accepted 27 November 2006

Abstract

Security plays an important role in the ability to deploy and retrieve trustworthy data from a wireless sensor network.Location verification is an effective defense against attacks which take advantage of a lack, or compromise, of locationinformation. In this work, a secure probabilistic location verification method for randomly deployed dense sensor net-works is proposed. The proposed Probabilistic Location Verification (PLV) algorithm leverages the probabilistic depen-dence of the number of hops a broadcast packet traverses to reach a destination and the Euclidean distance betweenthe source and the destination. A small number of verifier nodes are used to determine the plausibility of the claimed loca-tion, which is represented by a real number between zero and one. Using the calculated plausibility metric, it is possible tocreate arbitrary number of trust levels in the location claimed. Simulation studies verify that the proposed solution pro-vides high performance in face of various types of attacks.� 2006 Elsevier B.V. All rights reserved.

Keywords: Wireless sensor networks; Localization; Location verification; Modeling; Trust

1. Introduction

Wireless sensor networks (WSNs) typically con-sist of a large number of inexpensive sensor devicesthat are both transmission and battery power-con-strained, and that have limited computation andcommunication capabilities. However, the flexibil-

1570-8705/$ - see front matter � 2006 Elsevier B.V. All rights reserved

doi:10.1016/j.adhoc.2006.11.006

q A preliminary version of this paper has appeared in theProceedings of IEEE ICC 2006, Istanbul, Turkey.

* Corresponding author. Tel.: +1 614 292 0495; fax: +1 614 2927596.

E-mail addresses: [email protected] (E. Ekici), [email protected] (S. Vural), [email protected] (J. McNair), [email protected] (D. Al-Abri).

Please cite this article in press as: E. Ekici et al., Secure probadoi:10.1016/j.adhoc.2006.11.006

ity, fault tolerance, high sensing fidelity, low cost,and rapid deployment characteristics of sensor net-works create many new and exciting applicationsfor in situ sensing via WSNs. An important concernfor various applications of WSNs is the ability tovalidate the integrity of the sensor network as wellas the retrieved data. Various types of securityattacks include: (1) the injection of false informationinto the regular data stream, (2) the alteration ofrouting paths due to malicious nodes advertisingfalse positions (sink holes and worm holes), and(3) the forging of multiple identities by the samemalicious node (Sybil nodes). Thus, location-based security plays an important role in the

.

bilistic location verification in ..., Ad Hoc Netw. (2007),

mailto:[email protected]

mailto:vurals@ece. osu.edu

mailto:vurals@ece. osu.edu

mailto:[email protected]

mailto:alabri@ ufl.edu

mailto:alabri@ ufl.edu

2 E. Ekici et al. / Ad Hoc Networks xxx (2007) xxx–xxx

ARTICLE IN PRESS

trustworthiness of WSNs and the results that areobtained from them.

Although secure, point-to-point communicationmechanisms can potentially prevent introductionof new adversary nodes into communication stream,it is likely that a compromised node can easily infil-trate such mechanisms. Location Verification

emerges as a lightweight first line of defense, whichmakes sure that the information and its claimedsource location are associated with a high level oftrust. Information for which the source locationcannot be verified is deemed not trustworthy andrejected to ensure the integrity of accepted data.

Over the past 5 years, researchers have developedmany protocols for localization [1–3]. However,security in localization has been considered onlyrecently [4–6]. In [4], a method is proposed thatcombines conventional multialteration with dis-tance bounding for computation and verificationof positions of wireless devices. However, devicesmust have a bounded processing time which maynot be met by most existing hardware. The tech-nique proposed in [5] uses directional antennae forsecure positioning. Other techniques have beenproposed using statistical methods, including [6],consistency among beacon signals, and votingschemes [7] to achieve robustness. Recent researchalso demonstrates that location verification can becombined with a non-secure localization scheme toproduce a system that is more robust and resilientto attack than localization alone. The protocol pre-sented in [8] verifies the presence of a node usingradio frequency and sound. The hybrid system of[9] combines secure location computation with alocation verification step that ensures a node cannotclaim to be closer to a locator (reference node) thanits actual distance. However, this approach relies onthe existence of a secure localization scheme.

In this work, a probabilistic approach to locationverification in dense sensor networks, Probabilistic

Location Verification (PLV) algorithm, is proposedwhere nodes are deployed randomly. The proposedapproach leverages the probabilistic dependence ofthe number of hops a broadcast packet traversesto reach a destination and the Euclidean distancebetween the source and the destination. A smallnumber of verifier nodes calculate the likelihood thata broadcast packet that contains the geographiclocation of a node is received over a number of hopsrecorded in the packet. Observations of individualverifiers are combined to determine the plausibility

of the location claim, which refers to the level of


confidence that the claimed location results in theobserved number of hops from the claimant sourceto all verifiers. The plausibility is represented by areal number between zero and one, which can sim-ply be compared against a threshold to validate orinvalidate the claimed location. The non-binaryproperty of plausibility also enables the use ofmultiple levels of trust in the claimed location.The salient properties of our proposed PLV algo-rithm can be summarized as follows:

(1) Sensor nodes do not need to be equipped withspecialized hardware.

(2) Only a small number of specialized verifiersare needed.

(3) The plausibility of a location claim isexpressed as a real-number, not a hard binarydecision.

(4) The PLV algorithm is resilient against a num-ber of attacks and provides graceful degrada-tion in performance.

The remainder of the paper is structured as follows:In Section 2, the WSN architecture and assumptionsare outlined. In Section 3, a new set of probabilistictools to verify a node’s claimed location in pre-sented, which is based on the comparison of thenode’s Euclidean distance with the hop count ofthe verification packet. The probabilistic locationverification algorithm is outlined in Section 4 andthe performance evaluation results are presented inthe same section. In Section 5, the analysis of differ-ent types of attacks, solution methods, and associ-ated performance evaluations are introduced.Finally, Section 6 concludes the paper with futureresearch directions.

2. WSN architecture and assumptions

2.1. Network architecture

The sensor network architecture is shown inFig. 1. The wireless sensors are deployed randomlyin the network with a known density, which coversa number of scenarios ranging from battle field sur-veillance to observation of hazardous environments.We assume that the deployed sensor is of large scaleand sensor locations follow a random Poisson pointprocess, resulting in uniform node deployment.Each sensor node i determines its position (xi,yi)in a two-dimensional Euclidean coordinate systemthrough a (non-secure) localization method such


Fig. 1. Proposed WSN architecture.

E. Ekici et al. / Ad Hoc Networks xxx (2007) xxx–xxx 3

ARTICLE IN PRESS

as presented in [1–3]. It is assumed that all sensorshave the same communication range and transmitat the same signal strength. It is worth noting thatthe communication range may change in an actualdeployment even if the transmit power of all sensorsis the same. However, the probabilistic estimation ofdistances used in this paper allows for graceful deg-radation in case of non-uniform communicationrange estimations. Furthermore, we also assumethat there are no big gaps in the sensor deploymentand no big obstacles are present that disturb theuniform distribution assumption. In case suchobstacles exist, the performance of our proposedmethods decrease.1

As shown in Fig. 1, we assume the presence of asmall number of verifier nodes, which have theresponsibility of verifying the location of the sensornodes. Although the positions of the verifiers can berandom, they must not be closely located to ensureaccurate and independent observations. The verifi-ers know their locations. Location verification isperformed either periodically to establish the trust-worthiness of a specific node and its reported posi-tion, or aperiodically to verify the positional originof a critical message. Each verifier is assumed tohave sufficient computational ability to calculate

1 A similar case is discussed in Section 5.2 and Fig. 6 as relatedto denial of service attack mitigation.


its own likelihood function based on the packetsreceived from a particular node as well as the overallplausibility value for a claim. The communicationbetween verifiers is assumed to be reliable, and pro-tected by encryption. For the purposes of this anal-ysis, it is assumed that the verifiers are secure andcannot be compromised.

Also, as shown in Fig. 1, we assume the presenceof a small number of malicious nodes. It is assumedthat the malicious nodes possess the same propertiesas regular sensor nodes, i.e., the same processingpower and the same communication hardware. Inother words, a malicious node is assumed to be anequivalent version of a compromised sensor node.

2.2. Authentication of verification messages

We assume that the sensors are able to use twolevels of authentication: one using symmetric keys,and another using asymmetric keys. The symmetrickey is used to associate the given verification requestwith a sensor node identity. Every sensor nodekeeps a key that is used to encrypt the verificationrequest. The key is then used at the verifier todecrypt the request and to map the request to a sen-sor node ID. Although a unique key for each nodeis desirable, the large number of sensor nodes makesthe unique assignment unfeasible. Thus, a limitednumber of keys are randomly assigned to the sensor



ARTICLE IN PRESS

nodes before deployment, and the ID-key associa-tions are stored in the verifiers. The use of the map-ping between the keys and the sensor node IDs isdescribed in detail in Section 5.

An asymmetric key is used by each node to helpinfer the hop count traversed from the length of thereceived verification packet. A low complexityasymmetric key system is assumed, such as TinyPK[10], where all sensors share the private key toencrypt data, but which they cannot use to decrypt.The public key is maintained only in the verifiers,which is used to decrypt the request packets. Theinference of the hop count from the packet size isalso described in detail in Section 5.

3. Probabilistic tools to verify location

The main idea behind the proposed mechanism isto leverage the statistical relationships between thenumber of hops in a sensor network and the Euclid-ean distance that is covered. The so-called hop-dis-tance relationship has first been investigated in [11]for linear sensor networks and possible extensionsto two-dimensional networks have been proposed.In the following sections, relevant outcomes areoutlined.

3.1. The CDF of the k-hop distance

The analysis in [11] shows that the distance dk

covered in k hops in a linear network of nodedensity k and communication range R has a pdf thatcan successfully be approximated with a Gaussiandistribution with the same average and standarddeviation. As this analysis is derived for a one-dimensional network, we use a transformation ofthe two-dimensional network density to make itcompatible with the derived results. For this pur-pose, we assume that there exists a ‘‘band’’ of widthR2

along the line connecting two points in the WSN,where the nodes can be assumed to be in a linearformation. Hence, the projected line density k is cal-culated as k ¼ k0 R

2, where k 0 is the two-dimensional

density of the network. Based on this approxima-tion, the average hop length �r can be computed bysolving the implicit equation

R� �r ¼ 1� e�k�rð1þ k�rÞkð1� e�k�rÞ : ð1Þ

Then, the expected value �rk � E½dk� of the k-hop dis-tance dk is computed simply by multiplying �r by k:


�rk � E½dk� ¼ k � �r: ð2Þ

The computation of the variance of the k-hop dis-tance r2

k follows an iterative formula:

r2k ¼ f2ðkÞ � k2�r2; ð3Þ

where

f2ðkÞ ¼ f2ðk � 1Þ þ 2ðk � 1Þ�r2 þ E½r2�; ð4Þf2ð2Þ ¼ 2E½r2� þ 2�r2; ð5ÞE½r2� ¼ �R2 þ 2R�r þ E½r2

e �; and ð6Þ

E½r2e � ¼��r2e�k�r � 2

k�re�k�r þ 2k2 ð1� e�k�rÞ

1� e�k�r; ð7Þ

where re is defined as re � R � r for the first hop.With these statistical measures, the cdf of thek-hop distance dk can be approximated as follows:

Prfdk < djK ¼ kg ¼Z d

�1

1

rk

ffiffiffiffiffiffi2pp e

�ðd��rk Þ2

2r2k dd

¼ 1

21þ erf

d � �rk

rk

ffiffiffi2p

� �� ; ð8Þ

where K is the random variable representing thenumber of hops taken, and �rk and rk are as definedin Eqs. (2) and (3). Obviously, a packet cannot tra-verse more than k Æ R in any direction in k hops, andthe approximation needs to be upper-bounded inrange. Note that the width of the band to calculatek can be varied according to the density. Our addi-tional analysis has shown that a band width ofk2

leads to a successful linear network approxima-tion for two dimensional densities as low as 3 ·10�2 nodes/m2.

3.2. The PMF of the number of hops k

Consider the case where a node i broadcasts itslocation (xi,yi) in a packet that is flooded in the net-work. Let us assume that the packet is received in k�vhops by a verifier node v located at (xv,yv). Wewould like to know the probability that a packetoriginating at (xi,yi) traverses k hops to be receivedby v at (xv,yv). The conditional CDF given in Eq. (8)can be used to calculate the probability that a mes-sage is relayed in k hops to traverse a distance of

d ¼ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiðxv � xiÞ2 þ ðyv � yiÞ

2q

. For this purpose, wedefine an error margin � used to compute finiteprobabilities for the hop distances. We use theBaye’s Theorem applied on Eq. (8) to compute thePMF of the hop number K conditioned on thedistance d:



ARTICLE IN PRESS

PrfK ¼ kjd � � < dk 6 d þ �g

¼ Prfd � � < dk 6 d þ �jK ¼ kg � PrfK ¼ kgPrfd � � < dk 6 d þ �g :

¼12

erf dþ��rk

rkffiffi2p

� �� erf d��rk

rkffiffi2p

� �h iPrfK ¼ kg

Prfd � � < dk 6 d þ �g :

ð9ÞIn Eq. (9), the two unconditional probabilities mustbe computed based on the location of the verifier(xv,yv), the shape of the sensor field A, the nodedensity k (and hence, k 0), and the average hopdistance �r. The unconditional probability Pr{d � � <dk 6 d + �} is simply the ratio of the number ofnodes in a ring of radius d and thickness 2� aroundthe verifier node v to the total number of nodes. Ifv is at least d + � away from all edges of the sensorfield, this probability can be computed as follows:

Prfd � � < dk 6 d þ �g ¼ k0pððd þ �Þ2 � ðd � �Þ2ÞN

;

ð10Þwhere N is the total number of nodes in the sensorfield. Obviously, if the ring around the verifier nodev is not completely contained in the sensor field, thenumerator of the fraction should be computed suchthat only the segments of the ring contained in thesensor field are accounted for. Similarly, if the veri-fier node v is at the origin of a sensor field A, thenthe probability that a node is k hops away from v iscomputed as follows:

PrfK ¼ kg ¼ ððk þ 1Þ2 � k2Þ � p�r2R Rðh;rÞ2A

r�r

r dr dh

; ð11Þ

where �r is given in Eq. (1), and (h, r) corresponds tothe polar coordinates of a location inside the sensorfield A. Note that the unconditional probability ofEq. (11) is independent of the density of the network.For finite size sensor networks, these quantitiescan be calculated before deployment numericallyconsidering the intersection of the rings aroundthe verifier nodes and the sensor field. Moreover,Pr{K = kjd � � < dk 6 d + �} values can also becomputed for all values of k and small incrementsof d offline and stored as tables in verifier nodes.The online computation burden of the verifiers canbe minimized by using these tabulated values.

3.3. Relating probabilities with plausibility

After the verifier node v receives the locationinformation (xi,yi) of node i, v can compute the con-


ditional probability mass function Pr{K = kjd � � <dk 6 d + �} for the number of hops needed to coverthe distance d. This, along with the actual hop dis-tance covered k�v , is used to determine how much averifier can contribute to the overall decision pro-cess. Let us assume that a verifier v computes thedistance d from a source claiming to be at (xi,yi)based on the information contained in a broadcastpacket. Let us also assume that the non-zero prob-abilities of the PMF of Eq. (9) are {0.2, 0.3, 0.4,0.1} for hop counts {4,5,6,7}, respectively. Themost likely number of hops the packet must havetaken is 6 according to the PMF calculation. How-ever, if a packet reaches the verifier in k* = 5 hops,the verifier should not declare the claimed locationimplausible. Furthermore, the relative position ofthe probability associated with k* in the entirePMF should also be taken into account.

To this end, we consider the difference betweenthe maximum value in the PMF and the probabilityassociated with k*: The larger this differencebecomes, the less one should trust the claimed loca-tion. On the other hand, if this difference is small,the verifier should not be alarmed regardless ofthe k* value. Theoretically there are an infinite num-ber of non-zero probabilities for this PMF. How-ever, for the sake of simplicity, we also ignore thecases that have a very small probability associatedwith them.

Let P maxv ðdÞ be the maximum probability com-

puted for any number of hops based on (xi,yi) andv’s location:

P maxv ðdÞ ¼max

n2NPrfK ¼ njd � � < dk 6 d þ �g; ð12Þ

where N is the set of natural numbers. We alsodefine a probability slack function Svðd; k�vÞ whichis the difference between the maximum probabilitythe verifier v can provide and the probability ofthe source being k�v hops away:

Svðd; k�vÞ ¼ P maxv � PrfK ¼ k�v jd � � < dk 6 d þ �g:

ð13Þ

Scaling Svðd; k�vÞ by P maxv ðdÞ, i.e., Svðd;k�v Þ

P maxv ðdÞ, one obtains

the distrust in the claimed location based on theobserved number of hops.

An important observation at this point should bemade regarding the distrust levels of individual ver-ifiers. Let us consider two verifiers that calculatePMFs, one resulting in a very ‘‘peaked’’ distribution(say, {0.3, 0.6, 0.1}), and the other in a more uni-form distribution (say, {0.1,0.2, 0.2,0.2,0.2, 0.1}).



ARTICLE IN PRESS

Let the first verifier compute a distrust value of0:6�0:3

0:6¼ 0:5, and the other verifier compute

0:2�0:10:2¼ 0:5. Intuitively, one can claim that the sec-

ond verifier can only make a very uncertain decisionbecause of the shape of the distribution. On theother hand, the first verifier has a ‘‘stronger’’ opin-ion, be it supporting or against the acceptance ofthe claimed location. Hence, the second verifier’sinput should be weighed less than the input of thefirst verifier. We propose to use P max

v ðdÞ as a mea-sure of the confidence in a verifier’s opinion.Although there exist many other ways to expressthe level of confidence, such as using a function ofthe PMF variance, weighing the distrust levels withP max

v ðdÞ both provides a good measure (as observedthrough simulations) and simplifies the plausibilitycalculations. If there are V verifiers participatingin the verification process, then the overall plausibil-ity Pi of node i’s location claim can be computed as

Pi ¼ 1�

PVj¼1

P maxj �PrfK¼k�j jd��<dk6dþ�g

P maxj

� P maxjPV

j¼1P maxj

¼ 1�PV

j¼1Sjðd; k�j ÞPVj¼1P max

j

: ð14Þ

Hence, verifiers only need to exchange Svðd; k�vÞ andP max

v values to compute the plausibility Pi.

4. Probabilistic location verification

4.1. The basic probabilistic location verification

(PLV) algorithm

The location verification is initiated by a claim-ant node and only involves broadcasting the loca-tion information of the claimant node throughoutthe network. The broadcast packets should containthe hop count in addition to the claimed locationinformation. The hop count is used for both verifi-cation procedures and also during broadcasting: Anode receiving a broadcast packet re-broadcaststhe packet only if it has the lowest hop count ofthe same information received so far.

It is assumed that there are V verifier nodeslocated at sufficiently distant locations in the net-work such that the individual observations areassumed independent of each other. The main stepsof the proposed algorithm are outlined below:

(1) A node i broadcasts its location (xi,yi) in thenetwork using flooding. Every packet must


contain the hop count as well as the claimedlocation information.

(2) Each of the V verifiers receive the messageover k�v hops and compute their relative dis-tance dv.

(3) Using k�v and dv, each verifier node v computesits probability slack Svðd; k�vÞ and maximumprobability P max

v ðdÞ values.(4) Svðd; k�vÞ and P max

v ðdÞ values of all V verifiersare collected at a central node, e.g., a desig-nated verifier node, and a common plausibilityPi for the location advertisement is computed.

(5) Pi value is compared with a set of classifica-tion thresholds to assess the trustworthinessof the claimed location. In its simplest form,a single threshold level leads to a decisionabout acceptance or rejection of this locationassociation.

As outlined above, the PLV algorithm can be usedto verify (or reject) a location claim. When a nodeclaims to be at an arbitrary point in the network(x,y), the claim is evaluated by the verifiers, whichforward their information to the central node,which then calculates the plausibility of the node’sreported location. To illustrate this, we formed anetwork of 1000 nodes of communication radiusR = 10 m randomly placed on a 100 m · 100 mfield. The verifiers are placed at four corners, each5 m away from the closest edges. Fig. 2a–d showsthe overall plausibility Pi (Eq. (14)) of a locationclaim (x,y) originating from a node i at (76.1, 33.8)(marked with a green line protruding the surface)in the presence of one, two, three, and four verifiers,respectively. As shown in Fig. 2a, a single verifiercan accept a significant portion of the location spaceas plausible. When two verifiers are used, the possi-bility of finding a unique neighborhood is not guar-anteed as shown in Fig. 2b since two ‘‘rings’’ canintersect in two regions. To guarantee a singleneighborhood of highest plausibility, at least threeverifiers are required as shown in Fig. 2c. Fig. 2dshows the plausibility when four verifiers are used,which results in a small plateau of plausibility value1 around the source. Hence, a higher number of ver-ifiers can detect a false location claim with a higherprobability.

4.2. Performance of the basic PLV algorithm

The performance of the basic PLV algorithm isassessed through simulations. The results presented


Fig. 2. Plausibility of a node’s claimed location for different number of verifiers (a) one verifier, (b) two verifiers, (c) three verifiers, (d) fourverifiers.


ARTICLE IN PRESS

in this section are the averages of 1000 samplestaken from 50 independent random sensor net-works. Unless otherwise stated, each of the randomnetworks is composed of 1000 nodes of R = 10 mrandomly distributed over a 100 m · 100 m area.A claim location is considered true if it lies withinR/4 distance of the actual location. We assume abinary decision system where PLV either rejects oraccepts a claim by comparing plausibility with athreshold value.

4.2.1. Effect of number of verifiers

Fig. 3 shows the probability of detection asa function of the probability of false alarm for1–4 verifiers. This plot is also referred to as theReceiver Operating Curve (ROC) and indicates thesuccess of a classification method independent of


the threshold values. ROCs are generated bysweeping the range of the classification threshold,in our case 0–1 in increments of 0.01. A good clas-sifier provides high detection probability for verysmall values of false alarm probability, i.e., it ispushed more towards the coordinates (0, 1).Another indication of the quality of the classifieris the area under the ROC. The larger the areaunder the curve, the better is the discriminationof invalid location claims. As expected, the perfor-mance for four verifiers is the strongest, while oneverifier is the weakest with respect to both detec-tion and false alarms. As discussed in Section 4.1,at least three verifiers are required to obtain aunique and small plateau of plausibility. Addi-tional verifiers further improve the classificationperformance.


0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Probability of False Alarm

Pro

babi

lity

of D

etec

tion

Receiver Operating Curve, ε = 0.25⋅ R

1 Verifier, Area = 0.9032 Verifiers, Area = 0.9743 Verifiers, Area = 0.9814 Verifiers, Area = 0.985

2 Verifiers

3 Verifiers

4 Verifiers

1 Verifier

Fig. 3. Receiver operating curve.


ARTICLE IN PRESS

4.2.2. Effect of node density

In Fig. 4, the effect of the node density on theclassification performance is depicted. The perfor-mance curves, which reflect the area under theROC, show that a high number of verifiers consis-tently result in higher classification accuracy. Fur-thermore, as the number of verifiers increases, theeffect of the density on the performance decreases.The curve for four verifiers is almost flat while thecurve for one verifier shows a clear maximum inthe given range. This observation supports the the-ory that a higher number of verifiers lends robust-ness to changes in the network characteristics. Theperformance degradation of one verifier system forhigh node densities is aligned with the observationsreported in [11]: As the node density increases, theaccuracy of the Gaussian approximation of the dis-tance covered in k hops decreases. Since there are noother verifiers, errors made during classificationbecome more pronounced.

4.2.3. Effect of verifier separation

Since the PLV mechanism is based on the estima-tion of hop distances, the estimations of individualverifiers should be as independent as possible. Forthis purpose, we have proposed in Section 4.1 to


place them far apart from each other. We have alsorun simulations to investigate the effects of the veri-fier separation on the classification performance.The verifiers are located at the corners of a squarewith edge lengths ranging between 10 and 90 mand centered at the center of the sensor network.For cases with less than four verifiers, we accordingnumber of verifiers were removed from the system.The results shown in Fig. 5 indicate that three andfour verifiers reach a steady state performance at50 m separation. The two verifier performanceimproves as the separation increases since the dis-tance between the two verifiers increase and thepotential for two intersection areas within the sensornetwork. The same observation can also be made forthe single verifier case: Although there is no otherverifier in the network, the increasing edge lengthof the constellation pushes the verifier towards a cor-ner, which reduces the area of the ring inside the sensornetwork for which the plausibility level is high. There-fore, the performance of the algorithm increases.

5. Security analysis and PLV improvements

In addition to claiming a false location, severalother types of attacks can be launched against a


0.5 1 1.5 2

x 10−1

0.88

0.9

0.92

0.94

0.96

0.98

1

Node Density

Are

a un

der

RO

C

Effect of Density on ROC

1 Verifier2 Verifiers3 Verifiers4 Verifiers

Fig. 4. Effect of node density.

10 20 30 40 50 60 70 80 900.8

0.82

0.84

0.86

0.88

0.9

0.92

0.94

0.96

0.98

1

Minimum Verifier Seperation

Are

a un

der

RO

C

Effect of Verifier Seperation on ROC

1 Verifier

2 Verifiers

3 Verifiers

4 Verifiers

Fig. 5. Effect of minimum verifier separation.


ARTICLE IN PRESS

sensor network employing the basic PLV algo-rithm. Most of these attacks are based on exploit-ing vulnerabilities of intermediate communication


steps. In the following sections, some of theseattacks and possible solutions are discussed. Theaccompanying simulation results are generated



ARTICLE IN PRESS

based on the same parameters as described inSection 4.2.

5.1. Disreputation through impersonation

5.1.1. Problem description

A malicious node m located at (xm,ym) can try toinvalidate the trustworthiness of another node i

located at (xi,yi) by sending a location verificationmessage containing i’s identity and some randomlocation information. If the attack succeeds, the ver-ifiers can reject the location claim based on the lowplausibility score and blacklist the victim node i. Toprevent this attack, node identities must be verifiedthrough security mechanisms. As an unencryptedportion of a message is always prone to modifica-tion attacks along the way, we need to encrypt theidentity along with the location claim.

5.1.2. Proposed solutionA straight-forward way would be to use a sym-

metric key system, where every sensor node is asso-ciated with a unique key. The same key would alsobe kept at verifiers along with their associated nodeIDs. To establish the correctness of the identity, ver-ifiers would have to try to decrypt the message withall possible keys (since node IDs are encrypted, aswell) and check the matching of the key with theID contained in a message. Since the number ofnodes in a WSN is very high, the use of unique keysis not feasible. Instead, a limited number of privatekeys NK, where N K �N, can be randomly assignedto sensors before deployment, and ID-key associa-tions are stored in the verifiers. A verifier receivingan encrypted message would only need to try thevalid NK keys to match the encrypted ID with thekey used. With this strategy, a malicious node m

would succeed to disrepute a node i with a probabil-ity of 1/NK, in which case the i and m would havethe same key. A high NK value would yield betterperformance, but also increase the computationalload on verifiers.

5.2. Denial of service through payload alterations


Another major type of attack can be performedby altering the payload of the broadcast claim pack-ets to make the verifiers ignore the received mes-sages on the grounds of authenticity. Let a sourcenode i send the claim packet and a malicious nodem alter its content during broadcasting. The altered


packet would reach a verifier node v only if m lies ona shortest path between i and v. In other cases, thepacket m forwards would be suppressed in the net-work because an intermediate forwarder would pre-fer a packet with smaller hop count. If the verifiersare distributed far from each other and if there aresufficient number of redundant verifiers, then theeffect of such an attack would be minimal. A mali-cious node m would have the most adverse effecton the claimant nodes in its close neighborhoodsince m may lie in that case on a number of shortestpaths to the verifiers.

5.2.2. Proposed solution 1

If an intermediate node j receives inconsistentcopies of a packet, it may infer that there is a mali-cious node m in its near vicinity. In such a case, astraight-forward precaution is to refrain from for-warding any information. To accomplish this, nodesshould wait for a predetermined time period andcollect copies of the same claim packet beforeattempting to forward them. This approach wouldcreate ‘‘holes’’ in the network around the maliciousnodes where no information is forwarded.

Fig. 6 demonstrates the resilience of our PLValgorithm in the presence of denial of service (DoS)attacks. The PLV algorithm is modified such thatnodes refrain from forwarding information as theydiscover inconsistencies, creating ‘‘holes’’ in theforwarding grid where verification packets areabsorbed. Fig. 6 clearly shows the performance deg-radation as the number of malicious nodes increases.The vulnerability of one- and two-verifier cases isclearly visible, as their performance decreases shar-ply when the number of malicious nodes increasesbeyond 3. On the other hand, the three- and four-verifier cases show higher resilience and their perfor-mance starts decreasing sharply only at 12 maliciousnodes.

5.2.3. Proposed solution 2

It is also possible to identify and suppress nodesthat consistently alter packets before forwarding. Asimilar method has also been proposed in [12] toidentify and penalize selfish nodes in an ad hoc net-work. Let a malicious node m receive a packet froman intermediate node j, and alter its content beforeforwarding. A third node l, which lies in the trans-mission range of both j and m, can identify the alter-ation and record this event. If the occurrence ofsuch alterations exceed a particular threshold, m

can be marked by l (and possibly by its other neigh-


0 3 6 9 12 150.8

0.82

0.84

0.86

0.88

0.9

0.92

0.94

0.96

0.98

1

Number of Malicious Nodes

Are

a un

der

RO

C

Resilience against Denial of Service Attacks

1 Verifier

2 Verifiers

3 Verifiers

4 Verifiers

Fig. 6. DoS attacks with payload alterations.


ARTICLE IN PRESS

bors) as malicious. Consequently, all neighbors thatlocate malicious nodes would ignore packets origi-nating from m. The effect of such an exclusionwould be the reduction of the node density. Asshown in Fig. 4, fluctuations in density is well toler-ated by three or more verifier PLV systems. Hence,if possible, malicious node identification should bepreferred over refraining from forwarding inconsis-tent packets.

5.3. Denial of service through hop

count alterations


During broadcasting, the hop count of a packetmust be increased every time it is forwarded to com-pute the hop distance between a claimant and theverifiers. Since every node should be able to changethe hop count, it constitutes a weak spot in the ver-ification system. A malicious node m can easilyreplace the hop count with a very small number,e.g., 1, without changing the payload. In that case,m would act as a new source and cause a false esti-mation of the hop distance, which leads to low plau-sibility values and blacklisting of the claimant node.The effect of such an attack is shown in Fig. 7assuming the use of the basic PLV algorithm withno countermeasures. The area under ROC for this


type of attack drops very rapidly with the increasingnumber of malicious nodes. Considering a value of0.5 refers to a completely random decision aboutplausibility (either accept or reject without regardto the received information), the severity of hopcount reset attacks becomes more pronounced.

5.3.2. Proposed solution

To prevent hop count reset attacks, we proposeto infer the hop count from the length of the packetrather than a field contained in the header. Weassume that there is a low complexity asymmetrickey system such as TinyPK [10] where all sensorsshare the private key K1 to encrypt data, but whichthey cannot use to decrypt. The public key K2 ismaintained only in the verifiers, which is used todecrypt data. Let an intermediate node j receive apacket P. Node j forwards the packet after append-ing a fixed string X to P and encrypting X + P usingK1. Given an encrypted packet, the hop count canbe inferred from its packet length if the length ofthe original message is known. To determine iftwo packets P1 and P2 are copies of each other,the following procedure is used: The hop countsk1 and k2 associated with P1 and P2 are inferredfrom the packet sizes. Let k1 < k2. Then, P1 isencrypted k2 � k1 more times, each time afterappending X. If the resulting packet is the same as


0 5 10 150.5

0.55

0.6

0.65

0.7

0.75

0.8

0.85

0.9

0.95

1

Number of Adversaries

Are

a un

der

RO

C

Effect of Hop Count Reset Attackson Basic PLV

1 Verifier2 Verifiers3 Verifiers4 Verifiers

Fig. 7. Effect of hop count reset attacks.


ARTICLE IN PRESS

P2, then P1 is forwarded instead of P2. Otherwise, j

concludes that P1 and P2 are different broadcastpackets. When verifiers receive a packet, they useK2 to decrypt the information.

Using this method, every node can only increasethe hop count by appending X and encrypting it,but cannot decrease the hop count while preservingthe integrity of payload. Increasing the hop countof a packet more than once is still possible. How-ever, such packets are generally absorbed in the net-work since smaller hop count packets would exist inthe WSN with high probability. The effect of hopcount increment attacks are shown in Fig. 8, wherethe malicious nodes increase the hop count by one.The simulation results show that the PLV algorithmcan absorb the hop count increment attacks quitesuccessfully. We also observe that the overall per-formance is better for higher density networks(k = 0.1) and the variations are higher for the lowerdensity networks (k = 0.05). In additional simula-tions, we also observed that the PLV performanceincreases if malicious nodes choose to increase thehop count by more than one. The increase in perfor-mance is due to elimination of tempered verificationpackets during broadcasting. As a final note, mali-cious nodes that increase the hop counts can alsobe identified and isolated using third party observa-tions as described in Section 5.2.


5.4. Denial of service through packet replay


Yet another denial of service attack can belaunched by malicious node by re-inserting cachedverification packets into the network. As a result,the innocent claimant node whose identity wasincluded in the verification packet would appearas launching a denial of service (resource exhaus-tion) attack, and would be blacklisted by the verifi-ers. Furthermore, such attacks would indeedconsume valuable energy resources in the network,whether the original source is blacklisted or not.


To mitigate the problem of blacklisting, wepropose using the well-known sequence numbermethod. The source can include a sequence numberin the verification request packet, which is encryptedalong with the node ID and the location informa-tion. Consequently, verifiers can easily identifywhether or not a location verification is a genuineone or a repeated copy of an old claim. The verifiersdiscard the packets they discover to be repeated.This can also be used as an indication of the pres-ence of malicious nodes in the network. To counterthe problem of inherent resource exhaustion for thisattack, we can resort to the method of local identi-


0 5 10 15

0.88

0.9

0.92

0.94

0.96

0.98

1


Are

a un

der

RO

C

Resilience against Hop Count Increment Attacks

1 Verifier

2 Verifiers

3 Verifiers

4 Verifiers

0 5 10 15

0.88

0.9

0.92

0.94

0.96

0.98

1


λ = 0.05λ = 0.1

1 Verifier

2 Verifiers

3 Verifiers

4 Verifiers

Fig. 8. Resilience against hop count increment attacks.


ARTICLE IN PRESS

fication: When the neighbors of the malicious nodedetects a copy of the same packet multiple times,they can locally blacklist the malicious node andignore packet sent by it. The sequence number alsosolves the problem of colluding malicious nodes inthe network, where the original packet is relayedto a distant node and replayed at its new locationafter the original packet has been alreadydisseminated.

5.5. Wormhole attacks


In this work, we assume that malicious nodes donot possess more resources than the regular sensornodes. Therefore, the wormhole attacks can belaunched only through tunneling packets betweencolluding nodes. Once a malicious node mi receivesa verification packet, it simply tunnels the packetthrough a wormhole to other malicious nodes mj.The verification packet is inserted into the networkby mj without alteration. This packet would sup-press all other copies of the same claim at all verifi-ers to which mj is closer than mi. Consequently, the


plausibility score of the claimant node would be cal-culated incorrectly.


The wormhole attacks are generally very hard tocounter, and this one is not an exception. In theliterature, there are several proposals to identifywormholes in a wireless sensor network [13–15].These methods can be directly used to identify andavoid wormholes (given the sensor network satisfiesassociated requirements in hardware). In additionto these methods, we propose a two-step approachto address the wormhole attacks using the PLVtools. In the first step, the verifiers need to identifythe existence (not the locations) of wormholes inthe network. The presence of wormholes can beidentified if there is a consistent discrepancybetween probability slack values for messages orig-inating from a region. Alternatively, the verifiersmay also check for wormholes periodically. Thesecond step deals with the identification of worm-holes. To this end, a verifier vi acts as the sourceof the verification packets. Note that the verifiersare trustworthy and know their location and their



ARTICLE IN PRESS

hop mutual hop distances accurately. Whenever averifier vj receives a verification packet from thesource verifier vi, vj can detect any inconsistenciesin the hop count. These inconsistencies are inter-preted as results of wormhole attacks. Furthermore,the location of one end of the tunnel can be identi-fied by tracing the hop count gradient in reverse. Wenote that these methods should be further analyzedin detail and defer this task to our future work.

6. Conclusions

In this work, the Probabilistic Location Verifica-tion (PLV) algorithm for dense sensor networks ispresented. Assuming that the compromised nodesmake up a small percentage of the total sensor nodepopulation, a small number of verifier nodes wasused to conclude whether or not the claimed loca-tion is a plausible one. It is assumed that the averagedensity of the sensor nodes in the sensing field andthe communication range of sensor nodes areknown. Using a new set of probabilistic tools,PLV compares the node’s Euclidean distance withthe hop count of the verification packet. Simulationresults confirm the accuracy and effectiveness of thislight-weight location verification system. In ourfuture work, the PLV algorithm will be improvedto with built-in measures against wormhole attacksand cooperative attacks of multiple maliciousnodes. New methods to ensure the hop count andcontent integrity will also be investigated to reducethe computational burden on sensor and verifiernodes.

References

[1] D. Niculescu, B. Nath, Ad hoc positioning system (aps)using aoa, in: Proc. IEEE INFOCOM, 2003.

[2] T. He, C. Huang, B. Blum, J. Stankovic, T. Abdelzaher,Range-free localization schemes for large scale sensornetworks, in: Proc. Mobicom, 2003.

[3] L. Fang, W. Du, P. Ning, A beacon-less location discoveryscheme for wireless sensor networks, in: Proc. IEEE INFO-COM, 2005.

[4] S. Capkun, J.-P. Hubaux, Secure positioning of wirelessdevices with application to sensor networks, in: Proc. IEEEINFOCOM, 2005.

[5] L. Lazos, R. Poovendran, Serloc: secure range-independentlocalization for wireless sensor networks, in: ACM Work-shop on Wireless Security (ACM WiSe), 2004.

[6] Z. Li, W. Trappe, Y. Zhang, B. Nath, Robust statisticalmethods for securing wireless localization in sensor net-works, in: Proc. IPSN, 2005.


[7] D. Liu, P. Ning, W. Du, Attack-resistant location estimationin sensor networks, in: Proc. IPSN, 2005.

[8] N. Sastry, U. Shankar, D. Wagner, Secure verification oflocation claims, in: ACM Workshop on Wireless Security(ACM WiSe), 2003.

[9] L. Lazos, R. Poovendran, S. Capkun, Rope: Robust positionestimation in wireless sensor networks, in: Proc. IPSN, 2005.

[10] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, P.Kruus, TinyPK: Securing sensor networks with public keytechnology, in: Proc. of ACM Workshop on Security of AdHoc and Sensor Networks, 2004, pp. 59–64.

[11] S. Vural, E. Ekici, Analysis of hop-distance relationship inspatially random sensor networks, in: Proc. ACM MobiHoc,2005, pp. 320–331.

[12] Q. He, D. Wu, P. Khosla, Sori: A secure and objectivereputation-based incentive scheme for ad-hoc networks, in:Proc. IEEE WCNC, 2004.

[13] L. Lazos, R. Poovendran, C. Meadows, P. Syverson, L.Chang, Preventing wormhole attacks on wireless ad hocnetworks: a graph theoretic approach, in: IEEE Wireless andCommunications and Networking Conference (WCNC),2005.

[14] A. Pirzada, C. McDonald, Circumventing sinkholes andwormholes in wireless sensor networks, in: Interna-tional Conference on Wireless Ad Hoc Networks (IWWAN),2005.

[15] E. Ngai, J. Liu, M. Lyu, On the intruder detection forsinkhole attack in wireless sensor networks, in: IEEEInternational Conference on Communication (ICC), 2006.

Eylem Ekici is an Assistant Professor ofElectrical and Computer Engineering atthe Ohio State University. He receivedhis Ph.D. degree in Electrical and Com-puter Engineering from Georgia Insti-tute of Technology, Atlanta, GA, in2002. His current research interestsinclude wireless sensor networks, vehic-ular communication systems, and nextgeneration wireless networks, with afocus on routing and medium access

control protocols, resource management, and analysis of networkarchitectures and protocols. He also conducts research on inter-
facing of dissimilar networks.
Serdar Vural is pursuing his Ph.D.degree in Electrical and ComputerEngineering at the Ohio State Univer-sity. He received his B.S. degree inElectrical Engineering from BogaziciUniversity, Istanbul, Turkey, in 2003and his M.S. degree in Electrical andComputer Engineering from the OhioState University in 2005. He his currentlypursuing his Ph.D. degree in Electricaland Computer Engineering at the Ohio

State University. His research interests include modeling anddevelopment of routing protocols for wireless sensor networks.


etworks xxx (2007) xxx–xxx 15

ARTICLE IN PRESS

Janise McNair earned her Ph.D. inElectrical and Computer Engineering
from the Georgia Institute of Technol-ogy in 2000. Currently, she is an Assis-tant Professor in the Department ofElectrical and Computer Engineering atthe University of Florida, where sheleads the Wireless and Mobile SystemsLaboratory. Her current research inter-ests are integrated wireless infrastruc-tured and ad hoc networks, wireless
sensor networks, and next generation wireless networks.

E. Ekici et al. / Ad Hoc N


Dawood Al-Abri received his B.S. degreein Electrical and Electronics Engineeringfrom Sultan Qaboos University, Omanin 1999 and a Master of Science degree inElectrical and Computer Engineeringfrom the University of Florida in 2002.He is currently pursuing a Ph.D. inElectrical and Computer Engineering atthe University of Florida. His researchfocus is security and location verificationfor wireless sensor networks.


Documents

randomly deployed wireless sensor networks q