To Lie Or To Comply: Defending against FloodAttacks in Disruption Tolerant Networks

Qinghua Li*, Wei Gao, Sencun Zhu, Guohong CaoDepartment of Computer Science and Engineering

The Pennsylvania State University{qxl118, wxg139, szhu, gcao}@cse.psu.edu

Abstract—Disruption Tolerant Networks (DTNs) utilize themobility of nodes and the opportunistic contacts among nodesfor data communications. Due to the limitation in networkresources such as contact opportunity and buffer space, DTNsare vulnerable to flood attacks in which attackers send as manypackets or packet replicas as possible to the network, in order todeplete or overuse the limited network resources. In this paper,we employ rate limiting to defend against flood attacks in DTNs,such that each node has a limit over the number of packetsthat it can generate in each time interval and a limit over thenumber of replicas that it can generate for each packet. Wepropose a distributed scheme to detect if a node has violatedits rate limits. To address the challenge that it is difficult tocount all the packets or replicas sent by a node due to lack ofcommunication infrastructure, our detection adopts claim-carry-and-check: Each node itself counts the number of packets orreplicas that it has sent and claims the count to other nodes;the receiving nodes carry the claims when they move, and cross-check if their carried claims are inconsistent when they contact.The claim structure uses the pigeonhole principle to guaranteethat an attacker will make inconsistent claims which may leadto detection. We provide rigorous analysis on the probability ofdetection, and evaluate the effectiveness and efficiency of ourscheme with extensive trace-driven simulations.

Index Terms—DTN, security, flood attack, detection

I. INTRODUCTION

Disruption Tolerant Networks (DTNs) [1] consist of mobilenodes carried by human beings [2], [3], vehicles [4], [5],etc. DTNs enable data transfer when mobile nodes are onlyintermittently connected, making them appropriate for appli-cations where no communication infrastructure is availablesuch as military scenarios and rural areas. Due to lack ofconsistent connectivity, two nodes can only exchange datawhen they move into the transmission range of each other(which is called a contact between them). DTNs employ suchcontact opportunity for data forwarding with “store-carry-and-forward”; i.e., when a node receives some packets, it storesthese packets in its buffer, carries them around until it contactsanother node, and then forwards them. Since the contactsbetween nodes are opportunistic and the duration of a contactmay be short because of mobility, the usable bandwidth whichis only available during the opportunistic contacts is a limitedresource. Also, mobile nodes may have limited buffer space.

Due to the limitation in bandwidth and buffer space, DTNsare vulnerable to flood attacks. In flood attacks, maliciouslyor selfishly motivated attackers inject as many packets aspossible into the network, or instead of injecting differentpackets the attackers forward replicas of the same packet

to as many nodes as possible. For convenience, we call thetwo types of attack packet flood attack and replica floodattack, respectively. Flooded packets and replicas can wastethe precious bandwidth and buffer resources, prevent benignpackets from being forwarded and thus degrade the networkservice provided to good nodes. Moreover, mobile nodes spendmuch energy on transmitting/receiving flooded packets andreplicas which may shorten their battery life. Therefore, it isurgent to secure DTNs against flood attacks.

Although many schemes have been proposed to defendagainst flood attacks on the Internet [6] and in wirelesssensor networks [7], they assume persistent connectivity andcannot be directly applied to DTNs that have intermittentconnectivity. In DTNs, little work has been done on floodattacks, despite the many works on routing [8], [4], [9],data dissemination [10], [11], blackhole attack [12], wormholeattack [13] and selfish dropping behavior [14], [15]. Wenoted that the packets flooded by outsider attackers (i.e., theattackers without valid cryptographic credentials) can be easilyfiltered with authentication techniques (e.g., [16]). However,authentication alone does not work when insider attackers(i.e., the attackers with valid cryptographic credentials) floodpackets and replicas with valid signatures. Thus, it is still anopen problem is to address flood attacks in DTNs.

In this paper, we employ rate limiting [17] to defend againstflood attacks in DTNs. In our approach, each node has a limitover the number of packets that it, as a source node, can sendto the network in each time interval. Each node also has a limitover the number of replicas that it can generate for each packet(i.e., the number of nodes that it can forward each packet to).The two limits are used to mitigate packet flood and replicaflood attacks respectively. If a node violates its rate limits, itwill be detected and its data traffic will be filtered. In this way,the amount of flooded traffic can be controlled.

Our main contribution is a technique to detect if a nodehas violated its rate limits. Although it is easy to detect theviolation of rate limit on the Internet and in telecommunicationnetworks where the egress router and base station can accounteach user’s traffic, it is challenging in DTNs due to lackof communication infrastructure and consistent connectivity.Since a node moves around and may send data to anycontacted node, it is very difficult to count the number ofpackets or replicas sent out by this node. Our basic idea ofdetection is claim-carry-and-check. Each node itself countsthe number of packets or replicas that it has sent out, andclaims the count to other nodes; the receiving nodes carry the

claims around when they move, exchange some claims whenthey contact, and cross-check if these claims are inconsistent.If an attacker floods more packets or replicas than its limit, ithas to use the same count in more than one claim according tothe pigeonhole principle1, and this inconsistency may lead todetection. Based on this idea, we use different cryptographicconstructions to detect packet flood and replica flood attacks.

Because the contacts in DTNs are opportunistic in nature,our approach provides probabilistic detection. The more traffican attacker floods, the more likely it will be detected. Thedetection probability can be flexibly adjusted by system pa-rameters that control the amount of claims exchanged in acontact. We provide a lower and upper bound of detectionprobability and investigate the problem of parameter selectionto maximize detection probability under a certain amount ofexchanged claims. The effectiveness and efficiency of ourscheme are evaluated with extensive trace-driven simulations.

This paper is structured as follows. Section II motivatesour work. Section III presents our models and basic ideas.Section IV and V present our scheme. Section VI presentssecurity and cost analysis. Section VII presents simulationresults. The last two sections present related work and con-clusions, respectively.

II. MOTIVATION

A. The Potential Prevalence of Flood Attacks

Many nodes may launch flood attacks for malicious orselfish purposes. Malicious nodes, which can be the nodesdeliberately deployed by the adversary or subverted by theadversary via mobile phone worms [18], launch attacks tocongest the network and waste the resources of other nodes.

Selfish nodes may also exploit flood attacks to increase theircommunication throughput. In DTNs, a single packet usuallycan only be delivered to the destination with a probabilitysmaller than 1 due to the opportunistic connectivity. If aselfish node floods many replicas of its own packet, it canincrease the likelihood of its packet being delivered, since thedelivery of any replica means successful delivery of the packet.With packet flood attacks, selfish nodes can also increase theirthroughput, albeit in a subtler manner. For example, supposeAlice wants to send a packet to Bob. Alice can construct100 variants of the original packet which only differ in oneunimportant padding byte, and send the 100 variants to Bobindependently. When Bob receives any one of the 100 variants,he throws away the padding byte and gets the original packet.

B. The Effect of Flood Attacks

To study the effect of flood attacks on DTN routing andmotivate our work, we run simulations on the MIT Realitytrace [19] (see more details about this trace in Section VII).

We consider three general routing strategies in DTNs. 1)Single-copy routing (e.g., [20], [8]): After forwarding a packetout, a node deletes its own copy of the packet. Thus, eachpacket only has one copy in the network. 2) Multi-copy routing

1The pigeonhole principle states that if α items are put into β pigeonholeswith α > β, then at least one pigeonhole must contain more than one item.

(e.g., [21]): The source node of a packet sprays a certainnumber of copies of the packet to other nodes and eachcopy is individually routed using the single-copy strategy. Themaximum number of copies that each packet can have is fixed.3) Propagation routing (e.g., [19], [22], [23]): When a nodefinds it appropriate (according to the routing algorithm) toforward a packet to another encountered node, it replicatesthat packet to the encountered node and keeps its own copy.There is no preset limit over the number of copies a packet canhave. In our simulations, SimBet [8], Spray-and-Focus [21] (3copies allowed for each packet) and Propagation are used asrepresentatives of the three routing strategies respectively. InPropagation, a node replicates a packet to another encounterednode if the latter has more frequent contacts with the destina-tion of the packet.

Two metrics are used, The first metric is packet deliveryratio, which is defined as the fraction of packets deliveredto their destinations out of all the unique packets generated.The second metric is the fraction of wasted transmissions (i.e.,the transmissions made by good nodes for flooded packets).The higher fraction of wasted transmissions, the more networkresources are wasted. We noticed that the effect of packet floodattacks on packet delivery ratio has been studied by Burgess etal [24] using a different trace [4]. Their simulations show thatpacket flood attacks significantly reduce the packet deliveryratio of single-copy routing but do not affect propagationrouting much. However, they do not study replica flood attacksand the effect of packet flood attacks on wasted transmissions.

In our simulations, a packet flood attacker floods packetsdestined to random good nodes in each contact until thecontact ends or the contacted node’s buffer is full. A replicaflood attacker replicates the packets it has generated to everyencountered node that does not have a copy. Each good nodegenerates thirty packets on the 121st day of the Reality trace,and each attacker does the same in replica flood attacks. Eachpacket expires in 60 days. The buffer size of each node is5MB, bandwidth is 2Mbps and packet size is 10KB.

Figure 1 shows the effect of flood attacks on packet deliveryratio. Packet flood attack can dramatically reduce the packetdelivery ratio of all three types of routing. When the fraction ofattackers is high, replica flood attack can significantly decreasethe packet delivery ratio of single-copy and multi-copy routing,but it does not have much effect on propagation routing.

Figure 2 shows the effect of flood attacks on wastedtransmission. Packet flood attack can waste more than 80% ofthe transmissions made by good nodes in all routing strategieswhen the fraction of attackers is higher than 5%. When 20%of nodes are attackers, replica flood attack can waste 68% and44% of transmissions in single-copy and multi-copy routingrespectively. However, replica flood attack only wastes 17%of transmissions in propagation routing. This is because eachgood packet is also replicated many times.

Remarks. The results show that all the three types ofrouting are vulnerable to packet flood attack. Single-copy andmulti-copy routing are also vulnerable to replica flood attack,but propagation routing is much more resistant to replica flood.Motivated by these results, this paper addresses packet floodattack without assuming any specific routing strategy, and

0 0.05 0.1 0.15 0.20

0.1

0.2

0.3

0.4

0.5

0.6

0.7

Fraction of Attackers within Network

Pac

ket D

eliv

ery

Rat

io

Absent NodePacket Flood AttackReplica Flood Attack

(a) Single-copy Routing

0 0.05 0.1 0.15 0.20

0.1

0.2

0.3

0.4

0.5

0.6

0.7

Fraction of Attackers within Network

Pac

ket D

eliv

ery

Rat

io

Absent NodePacket Flood AttackReplica Flood Attack

(b) Multi-copy Routing

0 0.05 0.1 0.15 0.20

0.2

0.4

0.6

0.8

1

Fraction of Attackers within Network

Pac

ket D

eliv

ery

Rat

io

Absent NodePacket Flood AttackReplica Flood Attack

(c) Propagation RoutingFig. 1. The effect of flood attacks on packet delivery ratio. In Absent Node, attackers are simply removed from the network. Attackers are selectivelydeployed to high-connectivity nodes.

0 0.05 0.1 0.15 0.20

0.2

0.4

0.6

0.8

1

Fraction of Attackers within Network

Fra

ctio

n of

Was

ted

Tra

nsm

issi

ons

Single−Copy RoutingMulti−Copy RoutingPropagation Routing

(a) Packet Flood Attack

0 0.05 0.1 0.15 0.20

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Fraction of Attackers within Network

Fra

ctio

n of

Was

ted

Tra

nsm

issi

ons

Single−Copy RoutingMulti−Copy RoutingPropagation Routing

(b) Replica Flood AttackFig. 2. The effect of flood attacks on wasted transmission. Attackers arerandomly deployed.

addresses replica flood attack for single-copy and multi-copyrouting only.

III. OVERVIEW

A. Problem Definition

1) Defense against Packet Flood Attacks: We consider ascenario where each node has a rate limit L on the number ofunique packets that it as a source can generate and send intothe network within each time interval T . The time intervalsstart from time 0, T , 2T , etc. The packets generated withinthe rate limit are deemed legitimate, but the packets generatedbeyond the limit are deemed flooded by this node. To defendagainst packet flood attacks, our goal is to detect if a node asa source has generated and sent more unique packets into thenetwork than its rate limit L per time interval.

A node’s rate limit L does not depend on any specificrouting protocol, but it can be determined by a service contractbetween the node and the network operator as discussed inSection III-A3. Different nodes can have different rate limitsand their rate limits can be dynamically adjusted.

The length of time interval should be set appropriately. Ifthe interval is too long, rate limiting may not be very effectiveagainst packet flood attacks. If the interval is too short, thenumber of contacts that each node has during one intervalmay be too nondeterministic and thus it is difficult to set anappropriate rate limit. Generally speaking, the interval shouldbe short under the condition that most nodes can have asignificant number of contacts with other nodes within oneinterval, but the appropriate length depends on the contactpatterns between nodes in the specific deployment scenario.

2) Defense against Replica Flood Attacks: As motivated inSection II, the defense against replica flood considers single-copy and multi-copy routing protocols. These protocols requirethat, for each packet that a node buffers no matter if this packethas been generated by the node or forwarded to it, there is a

limit l on the number of times that the node can forward thispacket to other nodes. The values of l may be different fordifferent buffered packets. Our goal is to detect if a node hasviolated the routing protocol and forwarded a packet moretimes than its limit l for the packet.

A node’s limit l for a buffered packet is determined by therouting protocol. In multi-copy routing, l = L′ (where L′ is aparameter of routing) if the node is the source of the packet,and l = 1 if the node is an intermediate hop (i.e., it receivedthe packet from another node). In single-copy routing, l = 1no matter if the node is the source or an intermediate hop.Note that the two limits L and l do not depend on each other.

We discuss how to defend against replica flood attacks forquota-based routing [25], [21], [26] in Section IV-I.

3) Setting the Rate Limit L: One possible method is to setL in a request-approve style. When a user joins the network,she requests for a rate limit from a trusted authority whichacts as the network operator. In the request, this user specifiesan appropriate value of L based on prediction of her trafficdemand. If the trusted authority approves this request, it issuesa rate limit certificate to this user, which can be used bythe user to prove to other nodes the legitimacy of her ratelimit. To prevent users from requesting unreasonably large ratelimits, a user pays an appropriate amount of money or virtualcurrency (e.g., the credits that she earns by forwarding datafor other users [27]) for her rate limit. When a user predicts anincrease (decrease) of her demand, she can request for a higher(lower) rate limit. The request and approval of rate limit maybe done offline. The flexibility of rate limit leaves legitimateusers’ usage of the network unhindered. This process canbe similar to signing a contract between a smartphone userand a 3G service provider: the user selects a data plan (e.g.,200MB/month) and pays for it; she can upgrade or downgradethe plan when needed.

B. Models and Assumptions

1) Network Model: In DTNs, since contact durations maybe short, a large data item is usually split into smaller packets(or fragments) to facilitate data transfer. For simplicity, weassume that all packets have the same predefined size. Al-though in DTNs the allowed delay of packet delivery is usuallylong, it is still impractical to allow unlimited delays. Thus, weassume that each packet has a lifetime. The packet becomesmeaningless after its lifetime ends and will be discarded.

We assume that every packet generated by nodes is unique.This can be implemented by including the source node ID and

S

A

m1, S, cp=1,

t=1

B

C

D

m2, S, cp=2, t=2

m3, S, cp=3, t=3m4, S, cp=3, t=4

E

m3, S,cp=3, t

=3

S,H(m

4),cp=3, t=4

packet meta data

Detection

attacker good node

(a) Packet flood (L = 3)

S

A

B

C

S,A,m,ct=1, t=1

S, B, m, ct=2, t=2

S, C, m, ct=2, t=3 S,

C,H(m),ct=2, t=3

Detection

(b) Replica flood by the source (l = 2)

R

A

B

R, A, m,

ct=1, t=1

R, B, m, ct=1, t=2

R, B, H(m),

ct=1, t=2

Detection

(c) Replica flood by a relay (l = 1)Fig. 3. The basic idea of flood attack detection. cp and ct are packet count and transmission count, respectively. The arrows mean the transmission of packetor meta data which happens when the two end nodes contact.

a locally unique sequence number, which is assigned by thesource for this packet, in the packet header.

We also assume that time is loosely synchronized, such thatany two nodes are in the same time slot at any time. Since theinter-contact time in DTNs is usually at the scale of minutesor hours, the time slot can be at the scale of one minute. Suchloose time synchronization is not hard to achieve.

2) Adversary Model: There are a number of attackers in thenetwork. An attacker can flood packets and/or replicas. Whenflooding packets, the attacker acts as a source node. It createsand injects more packets into the network than its rate limitL. When flooding replicas, the attacker forwards its bufferedpackets (which can be generated by itself or received fromother nodes) more times than its limit l for them. The attackersmay be insiders with valid cryptographic keys. Some attackersmay collude and communicate via out-band channels.

3) Trust Model: We assume that a public-key cryptographysystem is available. For example, Identity-Based Cryptography(IBC) [28] has been shown to be practical for DTNs [29]. InIBC, only an offline Key Generation Center (KGC) is needed.KGC generates a private key for each node based on the node’sid, and publishes a small set of public security parameters tothe node. Except the KGC, no party can generate the privatekey for a node id. With such a system, an attacker cannot forgea node id and private key pair. Also, attackers do not knowthe private key of a good node (not attacker).

Each node has a rate limit certificate obtained from a trustedauthority. The certificate includes the node’s ID, its approvedrate limit L, the validation time of this certificate and thetrusted authority’s signature. The rate limit certificate can bemerged into the public key certificate or stand alone.

C. Basic Idea: Claim-Carry-and-Check

1) Packet Flood Detection: To detect the attackers thatviolate their rate limit L, we must count the number of uniquepackets that each node as a source has generated and sent tothe network in the current interval. However, since the nodemay send its packets to any node it contacts at any time andplace, no other node can monitor all of its sending activities.To address this challenge, our idea is to let the node itselfcount the number of unique packets that it, as a source, hassent out, and claim the up-to-date packet count (together witha little auxiliary information such as its ID and a timestamp) ineach packet sent out. The node’s rate limit certificate is alsoattached to the packet, such that other nodes receiving thepacket can learn its authorized rate limit L. If an attacker isflooding more packets than its rate limit, it has to dishonestly

claim a count smaller than the real value in the flooded packet,since the real value is larger than its rate limit and thus a clearindicator of attack. The claimed count must have been usedbefore by the attacker in another claim, which is guaranteed bythe pigeonhole principle, and these two claims are inconsistent.The nodes which have received packets from the attackercarry the claims included in those packets when they movearound. When two of them contact, they check if there is anyinconsistency between their collected claims. The attacker isdetected when an inconsistency is found.

Let us look at an example in Fig. 3(a). S is an attackerthat successively sends out four packets to A, B, C and D,respectively. Since L = 3, if S claims the true count 4 in thefourth packet m4, this packet will be discarded by D. Thus, Sdishonestly claims the count to be 3, which has already beenclaimed in the third packet m3. m3 (including the claim) isfurther forwarded to node E. When D and E contact, theyexchange the count claims included in m3 and m4, and checkthat S has used the same count value in two different packets.Thus, they detect that S as an attacker.

2) Replica Flood Detection: Claim-carry-and-check canalso be used to detect the attacker that forwards a bufferedpacket more times than its limit l. Specifically, when the sourcenode of a packet or an intermediate hop transmits the packetto its next hop, it claims a transmission count which means thenumber of times it has transmitted this packet (including thecurrent transmission). Based on if the node is the source or anintermediate node and which routing protocol is used, the nexthop can know the node’s limit l for the packet, and ensure thatthe claimed count is within the correct range [1, l]. Thus, if anattacker wants to transmit the packet more than l times, it mustclaim a false count which has been used before. Similarly asin packet flood attacks, the attacker can be detected. Examplesare given in Fig. 3(b) and 3(c).

IV. OUR SCHEME

Our scheme uses two different cryptographic constructionsto detect packet flood and replica flood attacks independently.When our scheme is deployed to propagation routing proto-cols, the detection of replica flood attacks is deactivated.

The detection of packet flood attacks works independentlyfor each time interval. Without loss of generality, we onlyconsider one time interval when describing our scheme. Forconvenience, we first describe our scheme assuming that allnodes have the same rate limit L, and relax this assumptionin Section IV-H. In the following, we use SIGi(∗) to denotenode i’s signature over the content in the brackets.

S A B

mP-claim

of S

T-claim

of Sm

P-claim

of S

T-claim

of A

A’s collected

claims

B’s collected

claims

Fig. 4. The conceptual structure of a packet and the changes made at eachhop of the forwarding path.

A. Claim Construction

Two pieces of meta data are added to each packet (seeFig. 4), Packet Count Claim (P-claim) and Transmission CountClaim (T-claim). P-claim and T-claim are used to detect packetflood and replica flood attacks, respectively.

P-claim is added by the source and transmitted to later hopsalong with the packet. T-claim is generated and processedhop-by-hop. Specifically, the source generates a T-claim andappends it to the packet. When the first hop receives thispacket, it peels off the T-claim; when it forwards the packetout, it appends a new T-claim to the packet. This processcontinues in later hops. Each hop keeps the P-claim of thesource and the T-claim of its previous hop to detect attacks.

1) P-claim: When a source node S sends a new packet m(which has been generated by S and not sent out before) to acontacted node, it generates a P-claim as follows:

P-claim: S, cp, t,H(m), SIGS(H(H(m)|S|cp|t)) (1)

Here, t is the current time. cp (cp ∈ [1, L]) is the packet countof S, which means that this is the cthp new packet S has createdand sent to the network in the current time interval. S increasescp by one after sending m out.

The P-claim is attached to packet m as a header field, andwill always be forwarded along with the packet to later hops.When the contacted node receives this packet, it verifies thesignature in the P-claim, and checks the value of cp. If cp islarger than L, it discards this packet; otherwise, it stores thispacket and the P-claim.

2) T-claim: When node A transmits a packet m to node B,it appends a T-claim to m. The T-claim includes A’s currenttransmission count ct for m (i.e., the number of times it hastransmitted m out) and the current time t. The T-claim is:

T-claim: A,B,H(m), ct, t, SIGA(H(A|B|H(m)|ct|t)) (2)

B checks if ct is in the correct range based on if A is thesource of m. If ct has a valid value, B stores this T-claim.

In single-copy and multi-copy routing, after forwarding mfor enough times, A deletes its own copy of m and will notforward m again.

B. Inconsistency Caused by Attack

In a dishonest P-claim, an attacker uses a smaller packetcount than the real value. (We do not consider the case wherethe attacker uses a larger packet count than the real value, sinceit makes no sense for the attacker.) However, this packet countmust have been used in another P-claim generated earlier. Thiscauses an inconsistency called count reuse, which means theuse of the same count in two different P-claims generated bythe same node. For example in Fig. 3(a) the count value 3 isreused in the P-claims of packet m3 and m4. Similarly, countreuse is also caused by dishonest T-claims.

C. Protocol

Suppose two nodes contact and they have a number ofpackets to forward to each other. Then our protocol is sketchedin Algorithm 1.

When a node forwards a packet, it attaches a T-claim to thepacket. Since many packets may be forwarded in a contactand it is expensive to sign each T-claim separately, an efficientsignature construction is proposed in Section IV-G. The nodealso attaches a P-claim to the packets that are generated byitself and have not been sent to other nodes before (called newpacket in line 3, Algorithm 1).

When a node receives a packet, it gets the P-claim andT-claim included in the packet. It checks them against theclaims that it has already collected to detect if there is anyinconsistency (see Sec. IV-E). Only the P-claims generated inthe same time interval (which can be determined by the timetag) are cross-checked. If no inconsistency is detected, thisnode stores the P-claim and T-claim locally (see Sec. IV-D).

To better detect flood attacks, the two nodes also exchange asmall number of the recently collected P-claims and T-claimsand check them for inconsistency. This meta data exchangeprocess is separately presented in Sec. V.

When a node detects an attacker, it adds the attacker intoa blacklist and will not accept packets originated from orforwarded by the attacker. The node also disseminates an alarmagainst the attacker to other nodes (see Sec. IV-F).

Algorithm 1 : The protocol run by each node in a contact1: Meta data (P-claim and T-claim) exchange and attack detection2: if Have packets to send then3: For each new packet, generate a P-claim;4: For all packets, generate their T-claims and sign them with a hash tree;5: Send every packet with the P-claim and T-claim attached;6: end if7: if Receive a packet then8: if Signature verification fails or the count value in its P-claim or T-

claim is invalid then9: Discard this packet;

10: end if11: Check the P-claim against those locally collected and generated in the

same time interval to detect inconsistency;12: Check the T-claim against those locally collected for inconsistency;13: if Inconsistency is detected then14: Tag the signer of the P-claim (T-claim, resp.) as an attacker and

add it into a blacklist;15: Disseminate an alarm against the attacker to the network;16: else17: Store the new P-claim (T-claim, resp.);18: end if19: end if

D. Local Data Structures

Each node collects P-claims and T-claims from the packetsthat it has received and stores them locally to detect floodattacks. Let us look at a received packet m and the P-claimand T-claim included in this packet. Initially, this pair of P-claim and T-claim are stored in full with all the componentsshown in Formula 1 and 2. When this node removes m from itsbuffer (e.g., after m is delivered to the destination or droppeddue to expiration), it compacts this pair of claims to reduce thestorage cost. If this pair of claims have been sampled for meta

data exchange, they will be stored in full until the exchangeprocess ends and be compacted afterward.

1) Compact P-claim Storage: Suppose node W stores a P-claim CP = {S, cp, t,H(m), SIGS}. It compacts the P-claimas follows. Using the timestamp t, W gets the index i of thetime interval that t belongs to. The signature is discarded sinceit has been verified. The compacted P-claim is:

S, i, cp, H8 (3)

where H8 is a 8-bit string called hash remainder. It is obtainedby concatenating 8 random bits of the packet hash H(m). Theindices of these 8 bits in the hash are determined by 8 locators.The locators are randomly and independently generated by Wfor S at the beginning of the ith interval, and are shared byall the P-claims issued by S in the ith interval. Each locatoronly has log2 h bits where h denotes the size of a hash (e.g.,256 for SHA-256). W keeps these locators secret.

Suppose node W has collected n P-claims generated by Sin interval i. For all these claims, only one source node ID andinterval index is stored. Also, instead of directly storing thepacket count values cp included in these P-claims, the compactstructure uses a L-bit long bit vector to store them. If value cappears in these P-claims, the cth bit of the vector is set. LetCiS denote the compact structure of these P-claims. Then:

CiS = S, i, bit-vector, locators, [H81 , H82 , ..., H8n ] (4)

2) Compact T-claim Storage: Suppose node W stores aT-claim CT = {R,W,H(m), ct, t, SIGR} issued by nodeR. The signature is discarded since it has been verified. Wdoes not need to store its own ID and t is not useful forinconsistency check. Then the compacted T-claim is:

R, ct, H32 (5)

where H32 is a 32-bit hash remainder defined similarly as H8.Suppose W has collected n T-claims generated by R. Thenthe compact structure of these T-claims is:

CR = R, locators, [H321 , ct1 ], ..., [H32n , ctn ] (6)

The locators are randomly and independently generated by Wfor R, and are shared by all the T-claims issued by R.

E. Inconsistency Check

Suppose node W wants to check a pair of P-claim andT-claim against its local collections to detect if there is anyinconsistency. The inconsistency check against full claims istrivial: W simply compares the pair of claims with thosecollected. In the following, we describe the inconsistencycheck against compactly stored claims.

1) Inconsistency Check with P-claim: From the P-claim n-ode W gets: the source node ID S, packet count cp, timestampt and packet hash H . To check inconsistency, W first uses Sand t to map the P-claim to the structure Ci

S (see Eq. 4). Thenit reconstructs the hash remainder of H using the locators inCiS . If the bit indexed by the packet count cp is set in the

bit-vector but the hash remainder is not included in CiS , count

reuse is detected and S is an attacker.The inconsistency check based on compact P-claims does

not cause false positive, since a good node never reuses anycount value in different packets generated in the same interval.

The inconsistency check may cause false negative if the twoinconsistent P-claims have the same hash remainder. However,since the attacker does not know which bits constitute the hashremainder, the probability of false negative is only 2−8. Thus,it has minimal effect on the overall detection probability.

2) Inconsistency Check with T-claim: From the T-claimnode W gets: the sender ID R, receiver ID Q and transmissioncount ct. If Q is W itself (which is possible if the T-claim hasbeen sent out by W but returned by an attacker), W takes noaction. Otherwise, it uses R to map the T-claim to the structureCR (see Eq. 6). If there is a 2-tuple [H ′

32, c′t] in CR that satisfies

1) H ′32 is the same as the remainder of H , and 2) c′t = ct,

then the issuer of the T-claim (i.e., R) is an attacker.The inconsistency check based on compact T-claims does

not cause extra false negative. False positive is possible but itcan be kept low as follows. Node W may falsely detect a goodnode R as an attacker if it has received two T-claims generatedby R that satisfy two conditions: (i) they are generated for twodifferent packets, and (ii) they have the same hash remainder.For 32-bit hash remainder, the probability that each pair of T-claims lead to false detection is 2−32. In most cases, we expectthat the number of T-claims generated by R and received byW is not large due to the opportunistic contacts of DTNs, andthus the probability of false detection is low. As W receivesmore T-claims generated by R, it can use a longer (e.g., 64-bit)hash remainder for R to keep the probability of false detectionlow. Moreover, such false detection is limited to W only, sinceW cannot convince other nodes to accept the detection withcompact T-claim.

F. Alarm

Suppose in a contact a node receives a claim Cr from aforwarded data packet or from the meta data exchange process(see Sec. V-C) and it detects inconsistency between Cr and alocal claim Cl that the node has collected. Cr is a full claimas shown in Formula 1 (or 2), but Cl may be stored as a fullclaim or just a compact structure shown in Formula 3 (or 5).

If Cl is a full claim, the node can broadcast (via Epidemicrouting [30]) a global alarm to all the other nodes to speed upthe attacker detection process. The alarm includes the two fullclaims Cl and Cr. When a node receives an alarm, it verifiesthe inconsistency between the two included claims and theirsignatures. If the verification succeeds, it adds the attackerinto its blacklist and broadcasts the alarm further; otherwise,it discards the alarm. The node also discards the alarm if ithas broadcast another alarm against the same attacker.

If the detecting node stores Cl as a compact structure,it cannot convince other nodes to trust the detection sincethe compact structure does not have the attacker’s signature.Thus it cannot broadcast a global alarm. However, since theattacker may have reused the count value of Cr to otherclaims besides Cl, the detecting node can disseminate a localalarm that only contains Cr to its contacted nodes who havereceived those claims. These contacted nodes can verify theinconsistency between Cr and their collected claims, and alsodetect the attacker. If any of these nodes still stores a fullclaim inconsistent with Cr, it can broadcast a global alarm asdone in the previous case; otherwise, it disseminates a local

H12

TC1

H14

H34

TC2 TC3 TC4 TC5 TC6 TC7 TC8

H1 H2 H3 H4 H5 H6 H7 H8

H18

H56

H58

H78

hash

SIG

Fig. 5. The Merkle hash tree constructed upon eight T-claims TC1,...,TC8.In the tree, Hi is the hash of TCi, and an inner node is the hash of its childnodes. The signature of TC1 includes H2, H34, H58 and SIG.

alarm. As this iterative process proceeds, the attacker can bequickly detected by many nodes. Each node only disseminatesone local alarm for each detected attacker.

A local alarm and a global alarm against the same attackermay be disseminated in parallel. If a node receives the globalalarm first and then receives the local alarm, it discards thelocal alarm. If it receives the local alarm first, when it receivesthe global alarm later, it discards the local alarm and keepsthe global alarm.

An attacker may falsify an alarm against a good node.However, since it does not have the node’s private key (asour assumption), it cannot forge the node’s signatures for theclaims included in the alarm. Thus, the alarm will be discardedby other nodes and this attack fails.

G. Efficient T-claim AuthenticationThe T-claims of all the packets transmitted in a contact

should be signed by the transmitting node. Since the contactmay end at any unpredictable time, each received T-claim mustbe individually authenticated. A naive approach is to protecteach T-claim with a separate public-key signature, but it hashigh computation cost in signature operations.

Our scheme uses Merkle hash tree [31] to amortize thecomputation cost of public-key based signature on all the T-claims that the node sends out in a contact. Specifically, aftera node generates the T-claims (without signature) for all thepackets it want to send, it constructs a hash tree upon thesepartial T-claims, and signs the root of the tree with a public-keybased signature. Then the signature of a T-claim includes thisroot signature and a few elements of the tree. Fig. 5 showsthe hash tree constructed upon eight T-claims and the treeelements included in the signature of the first T-claim. Werefer to the original paper [31] for details. In this way, for allthe T-claims sent by the sender in a contact, only one public-key based signature is generated by the sender and verified bythe receiver.

H. Dealing with Different Rate LimitsPreviously we have assumed that all nodes have the same

rate limit L. When nodes have different rate limits, for ourdetection scheme to work properly, each intermediate nodethat receives a packet needs to know the rate limit L of thesource of the packet, such that it can check if the packet countis in the correct range 1, 2, ..., L. To do so, when a source nodesends out a packet, it attaches its rate limit certificate to thepacket. The intermediate nodes receiving this packet can learnthe node’s authorized rate limit from the attached certificate.

I. Replica Flood Attacks in Quota-based Routing ProtocolsOur scheme to detect replica flood attacks can also be

adapted to quota-based routing protocols [25], [21], [26].Quota-based routing works as follows. Each node has a

quota for each packet that it buffers, and the quota specifies thenumber of replicas into which the current packet is allowed tobe split. When a source node creates a packet, its quota for thepacket is L′ replicas, where L′ is a system parameter. Whenthe source contacts a relay node, it can split multiple replicasto the relay according to the quality of the relay. After thesplit, the relay’s quota for the packet is the number of replicassplit to it, and the source node’s quota is reduced by the sameamount. This procedure continues recursively, and each nodecarrying the packet can split out a number of replicas less thanits current quota for the packet. It can be seen that each packetcan simultaneously have at most L′ replicas in the network.

In quota-based routing, replica flood attacks (where anattacker sends out more replicas of a packet than its quota)can be detected by our approach as follows.

First, we observe that quota-based routing (with the totalquota determined at the source) can be emulated by single-copy routing if different replicas of the same packet appeardifferent to intermediate nodes and each replica is forwarded ina similar way as single-copy routing. A node can split multiplereplicas of a packet to another node, but it can only send eachreplica out once. For instance, if a node has forwarded Replica1 to one relay, it must remove Replica 1 from its local buffer,and it cannot forward this replica again to another relay.

To differentiate replicas, the source assigns a unique index toeach replica as a header field, and signs the replica to preventintermediate nodes from modifying the index. The index valueshould be in range [1, L′], and replicas with invalid index willbe discarded. In this way, a node’s local quota for a packet isrepresented by the number of replicas (with different indices)that it buffers. Note that an intermediate node cannot increaseits quota by forging replicas since it does not have the sourcenode’s key to generate a valid signature.

To prevent a node from abusing its quota, we need to ensurethat the node only forwards each replica once. T-claim canbe used to achieve this goal. Particularly, when a node splitsmultiple replicas of a packet to another node, it generates aT-claim for each replica. The inconsistency check (see SectionIV.E) can be applied here to detect the attackers that transmitthe same replica more than once.

V. META DATA EXCHANGE

When two nodes contact they exchange their collected P-claims and T-claims to detect flood attacks. If all claims areexchanged, the communication cost will be too high. Thus, ourscheme uses sampling techniques to keep the communicationcost low. To increase the probability of attack detection, onenode also stores a small portion of claims exchanged from itscontacted node, and exchanges them to its own future contacts.This is called redirection.

A. SamplingSince P-claims and T-claims are sampled together (i.e.,

when a P-claim is sampled the T-claim of the same packet

S

A

S, m1, c

p=1

B

S, m2, cp=1

C

E

D

S, H(m2), cp=1

S, H(m1

), cp=1

S, H(m1), cp=1

S, H(m1),

cp=1

Detection

Detection

Contacted node

set of B

Contacted node

set of A

packet

exchanged claims

redirected claims

Fig. 6. The idea of redirection which is used to mitigate the stealthy attack.

is also sampled), in the following we only consider P-claims.A node may receive a number of packets (each with a P-

claim) in a contact. It randomly samples Z (a system param-eter) of the received P-claims, and exchanges the sampled P-claims to the next K (a system parameter) different nodes itwill contact, excluding the sources of the P-claims and theprevious hop from which these P-claims are received.

However, a vulnerability to tailgating attack should beaddressed. In tailgating attack, one or more attackers tailgatea good node to create a large number (say, d) of frequentcontacts with this node, and send Z packets (not necessarilygenerated by the attackers) to it in each contact. If this goodnode sends the Zd P-claims of these contacts to the next Kgood nodes it contacts, much effective bandwidth betweenthese good nodes will be wasted, especially in a large networkwhere K is not small.

To address this attack, the node uses an inter-contactsampling technique to determine which P-claims sampled inhistorical contacts should be exchanged in the current contact.Let SK denote a set of contacts. This set includes the minimumnumber of most recent contacts between this node and at leastK other different nodes. Within this set, all the contacts withthe same node are taken as one single contact and a total ofZ P-claims are sampled out of these contacts. This techniqueis not vulnerable to the tailgating attack since the number ofclaims exchanged in each contact is bounded by a constant.

B. Redirection

There is a stealthy attack to flood attack detection. Forreplica flood attacks, the condition of detection is that atleast two nodes carrying inconsistent T-claims can contact.However, suppose the attacker knows that two nodes A andB never contact. Then, it can send some packets to A, andinvalidly replicate these packets to B. In this scenario, thisattacker cannot be detected since A and B never contact.Similarly, the stealthy attack is also harmful for some routingprotocols like Spray-and-Wait [21] in which each packetis forwarded from the source to a relay and then directlydelivered from the relay to the destination.

To address the stealthy attack, our idea is to add one levelof indirection. A node redirects the Z P-claims and T-claimssampled in the current contact to one of the next K nodes itwill contact, and this contacted node will exchange (but notredirect again) these redirected claims in its own subsequentcontacts. Look at the example in Fig. 6. Suppose attacker Ssends mutually inconsistent packets to two nodes A and B

which will never contact. Suppose A and B redirect theirsampled P-claims to node C and D, respectively. Then solong as C and B or D and A or C and D can contact, theattack has a chance to be detected. Thus, the successful chanceof stealthy attack is significantly reduced.

C. The Exchange Process

Each node maintains two separate sets of P-claims (T-claims, resp. in the following) for meta data exchange, asampled set which includes the P-claims sampled from themost recent contacts with K different nodes (i.e., SK inSection V-A), and a redirected set which includes the P-claimsredirected from those contacts. Both sets include Z P-claimsobtained in each of those contacts.

When two nodes A and B contact, they first select KZ P-claims from each set with the inter-contact sampling technique(see Sec. V-A), and then send these P-claims to each other.When A receives a P-claim, it checks if this P-claim is in-consistent with any of its collected P-claims using the methoddescribed in Sec IV-E. If the received P-claim is inconsistentwith a locally collected one and the signature of the receivedP-claim is valid, A detects that the issuer (or signer) of thereceived P-claim is an attacker.

Out of all the P-claims received from B, A randomly selectsZ of the P-claims from the sampled set of B, and stores themto A’s redirected set. All other P-claims received from B arediscarded after inconsistency check.

D. Meta Data Deletion

A node stores the P-claims and T-claims collected fromreceived data packets for a certain time denoted by τ anddeletes them afterward. It deletes the claims redirected fromother nodes immediately after it has exchanged them to Kdifferent nodes.

VI. ANALYSIS

This section presents rigorous analysis over the security andcost of our scheme, and discusses the optimal parameter tomaximize the effectiveness of flood attack detection under acertain amount of exchanged meta data per contact.

A. Detection Probability

The following analysis assumes uniform and independentcontacts between nodes, i.e., at any time each node’s next con-tacted node can be any other node with the same probability.This assumption holds for mobility models such as RandomWaypoint where the contacts between all node pairs can bemodeled as i.i.d. Poisson processes [32]. When analyzing thedetection probability, we assume that each attacker acts alone.The case of collusion is analyzed separately in Section VI-D.

1) The Basic Attack: First we consider a basic attack (seeFig. 7(a)) in which an attacker S floods two sets of mutuallyinconsistent packets to two good nodes A and B, respectively.Each flooded packet received by A is inconsistent with one ofthe flooded packets received by B. In the contacts with Aand B, S also forwards some normal, not flooded, packets to

S

A

Flooded&

normalpkt.

B

Flooded &normal pkt.

C

DRedirected claims

Redirected claims

(a) Considered basic attack

A

C

B

D

time

detection window

(b) Lower bound scenario

A

C

B

D

time

detection window and its ithcontact

1 2 K

1 2 K

2 3 K1

i

1 2 K

(c) Upper bound scenario.Fig. 7. (a) The basic attack considered for detection probability analysis. Attacker S floods packets to A and then to B. (b) The scenario when the lowerbound detection probability can be obtained. (c) The scenario when the upper bound detection probability can be obtained.

TABLE IVARIABLES USED IN THE ANALYSIS

Si The K nodes that node i (i ∈ {A,B,C,D}) exchanges itssampled or redirected claims to.

ei A boolean event which means if node i (i ∈ {A,B}) has sampledat least one flooded packet (ei = TRUE) or not (ei = FALSE)

eAB A boolean event which means if node A and B have sampled atleast one pair of inconsistent packets (eAB = TRUE) or not

Ps The probability that event eA = TRUE (or eB = TRUE, resp.)Povp The conditional probability that if eA = eB = TRUE then

eAB = TRUE.Pd The probability that S is detected.P ld The lower-bound of Pd.

Pud The upper-bound of Pd.N The number of nodes in the network.M The number of attackers in the network.r The proportion of good nodes, i.e., r = N−M

N.

K The number of nodes that a claim is exchanged to. K ≪ N .a The number of flooded packets sent to A and B.n The total number of packets sent to A and B.y The proportion of flooded packets sent to A and B, i.e., y = a

n.

A and B to make the attack harder to detect. Let y denotethe proportion of flooded packets among those sent by S. Forsimplicity, we assume y is the same in both contacts. SupposeA and B redirect the claims sampled in the contact with S toC and D, respectively.

To consider the worst-case performance, suppose the flood-ed packets are not forwarded from A and B to other nodes(which is the case in Spray-and-Wait [21]), i.e., only A andB have the inconsistent claims. Note that the analysis alsoapplies to the detection of replica flood attacks.

For convenience, we define node A’s (or B’s) detectionwindow as from the time it receives the flooded packets to thetime it exchanges the sampled claims to K nodes, and nodeC’s (or D’s) detection window as from the time it receives theredirected claims to the time it exchanges them to K nodes.The attacker has a chance to be detected if node pairs ⟨A,B⟩,⟨A,D⟩, ⟨C,B⟩ and ⟨C,D⟩ can contact within their detectionwindows. Table I shows the variables used in the analysis.

Lower Bound The lower bound of detection probabilityis obtained in the following scenario (see Fig. 7(b)): When Breceives the packets from S, both A and C have finished theirdetection window. Due to the effect of sampling, the attackercan be detected 1) by A if A ∈ SB and eB = TRUE; or 2)by A if D is a good node, A ∈ SD and eB = TRUE; or3) by C if C is a good node, C ∈ SB and eAB = TRUE;or 4) by C if both C and D are good nodes, C ∈ SD andeAB = TRUE.

Since each of A and B exchanges the sampled claims to Knodes other than itself, and C (D) exchanges the redirectedclaims to K nodes other than A (B), according to the uniform

contact assumption, we have:

Pd =Ps[1− (1− K

N − 1) · (1− r

K

N − 2)·

(1− rK

N − 1PsPovp) · (1− r2

K

N − 2PsPovp)]

(7)

The expected number of flooded packets that A or B cansample is yZ. Since Z is typically small while a is notthat small (which we believe realistic), Povp is negligible.Considering that K ≪ N , Pd is approximated as follows:

Pd ≈ Ps[1− (1− K

N − 1)(1− r

K

N − 2)] ≈ Ps

1 + r

NK

Since random sampling is used, it is trivial to get:

Ps =1− n− a

n

n− a− 1

n− 1· · · n− a− Z + 1

n− Z + 1

≥ 1− (1− a/n)Z = 1− (1− y)Z

Thus, we have Pd ≥ K 1+rN (1− (1−y)Z), and a lower bound

of the detection probability is:

P ld = K

1 + r

N(1− (1− y)Z) (8)

Upper Bound The upper bound of detection probability isobtained in the following scenario (see Fig. 7(c)): D receivesthe redirected claims from B not later than the time C receivesthe redirected claims from A, and they are the first node thatA and B encounter after the contact with S. Besides the fourcases that we discussed when deriving the lower bound, theattacker can also be detected 1) by B if B ∈ SA and eA =TRUE; or 2) by B if C is a good node, B ∈ SC and eA =TRUE; or 3) by D if D is a good node, D ∈ SA and eAB =TRUE; or 4) by D if both C and D are good nodes, D ∈ SC

and eAB = TRUE.Similarly as in the lower bound case, we can obtain that

the detection probability is Pd ≈ 2K 1+rN Ps. Since Ps ≤ 1, an

upper bound of the detection probability is:

Pud =

2K(1 + r)

N(9)

2) Stronger Attacks: We use the number of times that acount value is reused to represent the strength of an attack.Intuitively, if each count value is used many times, the attackerfloods a lot of packets or replicas. Let X denote the numberof times a count value is reused. We want to derive therelation between X and the probability that the attacker willbe detected.

The stronger attacks we consider extends the basic attack(see Sec. VI-A1) as follows. Suppose the attacker has sent a set

of packets to a good node G0, and then it successively sendsthe same number of packets (reusing the count values of thepackets sent to G0) to X good nodes G1, ..., GX . All otherparameters in the basic analysis apply here. From a globalpoint of view, a total of X(X+1)

2 node pairs have inconsistentpackets, and each pair can detect the attacker independentlyas analyzed in Sec. VI-A1. Then the attacker will be detectedby at least one node pair with a probability:

PXd = 1− (1− Pd)

X(X+1)2 (10)

We can see that the stronger the attack is, the more likely theattacker will be detected.

B. Cost Analysis

1) Communication: The communication cost mainly hastwo parts. One part is the P-claim and T-claim transmitted witheach packet, and the other part is the partial claims transmittedduring meta data exchange. As to the latter, at most 4ZK P-claims and 4ZK T-claims are exchanged in each contact, withone half for sampled and the other half for redirected claims.

2) Computation: As to signature generation, a node gen-erates one signature for each newly generated packet. It alsogenerates one signature for all its T-claims as a whole sentin a contact. As to signature verification, a node verifies thesignature of each received packet. It also verifies one signaturefor all the T-claims as a whole received in one contact.

3) Storage: Most P-claims and T-claims are compactedwhen the packets are forwarded. The Z sampled P-claims andT-claims are stored in full until the packets are forwarded orhave been exchanged to K nodes, whichever is later, and thencompacted. For each received packet, less than 20 bytes ofcompact claims are stored for time duration τ .

C. Parameter Selection with Fixed Cost of Meta Data Ex-change

We study the following question: If we fix the commu-nication cost of meta data exchange (note that little can bedone with the transmission of claims within packets), then howshould we set parameter K and Z to maximize the detectionprobability? Note that the communication cost of meta dataexchange is proportional to ZK. As to detection probability,we consider the lower-bound detection probability for the basicattack which can be written as Pd = cK(1− (1− y)Z).

Lemma 1: If the communication cost of meta data ex-change is fixed at ZK = C, then Pd is maximized at K = Cand Z = 1.

Proof: Pd can be rewritten as Pd = cC 1−(1−y)Z

Z . Thederivative of Pd over Z is:

P ′d(Z) =

cC

Z2[(1− y)Z(1− ln (1− y)Z)− 1] (11)

Let u = (1−y)Z (0 < u ≤ 1), then P ′d(Z) = cC

Z2 (u−u lnu−1). Let g(u) = u − u lnu − 1. Then g′(u) = − lnu ≥ 0,which means g(u) monotonically increases. Since g(1) = 0,g(u) ≤ 0 when 0 < u ≤ 1. Therefore, P ′

d(Z) ≤ 0, whichmeans Pd monotonically decreases with Z. Thus, to maximizePd, Z should be set the minimum value 1.

Remarks In this parameter setting, the lower-bound de-tection probability can be written as Pd = yK 1+r

N . Supposethe attacker launches attacks independently. Then it can bedetected after N

yK(1+r) attacks. If the attacker wants to stayundetected for a longer time, it should maintain a smaller y,which means the attack effect is weaker; if it wants to make abig attack impact, it should maintain a high y, but this meansit will be detected in a shorter time. From another point ofview, since the attacker only uses y proportion its capacity forflood attack, it is equivalent that the attacker can attack at fullcapacity for only N

K(1+r) contacts. Thus, the attacks can beeffectively mitigated.

D. Collusion Analysis

1) Packet Flood Attack: One attacker may send a packetwith a dishonest packet count to its colluder, which willforward the packet to the network. Certainly, the colluder willnot exchange the dishonest P-claim with its contacted nodes.However, so long as the colluder forwards this packet to agood node, this good node has a chance to detect the dishonestclaim as well as the attacker. Thus, the detection probabilityis not affected by this type of collusion.

2) Replica Flood Attack: When attackers collude, they caninject invalid replicas of a packet without being detected, butthe number of flooded replicas is effectively limited in ourscheme. More specifically, in our scheme for a unique packetall the M colluders as a whole can flood a total of M − 1invalid replicas without being detected. To the contrast, whenthere is no defense, a total of N − M invalid replicas canbe injected by the colluders for each unique packet. Sincethe number of colluders is not very large, our scheme canstill effectively mitigate the replica flood attack. This will befurther evaluated in Sec. VII.

VII. PERFORMANCE EVALUATIONS

A. Experiment Setup

To evaluate the performance and cost of our scheme, werun simulations on a synthetic trace generated by the RandomWaypoint (RWP) [32] mobility model and on the MIT Realitytrace [19] collected from the real world.

In our synthetic trace, 97 nodes move in a 500×500 squarearea with the RWP model. The moving speed is randomlyselected from [1, 1.6] to simulate the speed of walking, andthe transmission range of each node is 10 to simulate that ofBluetooth. Each simulation lasts 5× 105 time units.

The Reality trace has been shown [33], [34] to have socialcommunity structures. 97 smartphones are carried by studentsand staff at MIT over 10 months. These phones run Bluetoothdevice discovery every five minutes and log about 110 thou-sand contacts. Each contact includes the two contact parties,the start time and duration of the contact.

In the simulations, 20% of nodes are deployed as attackers.They are randomly deployed or selectively deployed to high-connectivity nodes. The buffer size of each node is 5MB, theDrop Tail policy is used when buffer overflows. The bandwidthis 2Mbps. Each node generates packets of 10KB with randomdestinations at a uniform rate. Parameter Z = 1.

B. Routing Algorithms and Metrics

We use the following routing protocols in evaluations:• Forward A single-copy routing protocol where a packet

is forwarded to a relay if the relay has more frequentcontacts with the destination.

• SimBet [8] A single-copy routing protocol where a pack-et is forwarded to a relay if the relay has a higher simbetmetric, which is calculated from two social measures(similarity and betweenness).

• Spray-and-Wait [21] A multi-copy protocol, where thesource replicates a packet to L′ = 3 relays and eachrelay directly delivers its copy to the destination whenthey contact.

• Spray-and-Focus [21] It is similar to Spray-and-Wait,but each packet copy is individually routed to the desti-nation with Forward.

• Propagation A packet is replicated to a relay if the relayhas more frequent contacts with the destination.

We use the following performance evaluation metrics:• Detection rate The proportion of attackers that are

detected out of all the attackers.• Detection delay From the time the first invalid packet

is sent to the time the attacker is detected.• Computation cost The average number of signature

generations and verifications per contact.• Communication cost The number of P-claim/T-claim

pairs transmitted into the air, normalized by the numberof packets transmitted.

• Storage cost The time-averaged kilobytes stored for P-claims and T-claims per node.

C. Analysis Verification

We use the synthetic trace to verify our analysis resultsgiven in Section VI, since in this trace the contacts betweennode pairs are i.i.d. [32] which conforms to our assumption forthe analysis. We divide the trace into 10 segments, each with5×104 time units, and run simulations on each of the 3rd−7th

segments 3 times with different random seeds. Each data pointis averaged over the individual runs. Spray-and-Wait is usedas the routing protocol to consider the worst case of packetflood detection (see Sec. VI-A1). Here we only verify thedetection probability for the basic attack, since the detectionprobability for the strong attack can be derived from it in astraightforward way. In this group of simulations, each attackerlaunches the basic attack once. It sends out two sets of packetsto two good nodes with 10 packets in each set (i.e., n = 10),and these two sets contain mutually inconsistent packets. Wefirst fix parameter y = 1.0 (see Table I) but change parameterK from 0 to 10, and then we fix parameter K = 10 butchange y from 0 to 1.0. The results are shown in Fig. 8(a) and8(b), respectively. It can be seen that the simulation results arebetween the analytical lower bound and upper bound, whichverifies the correctness of our analysis.

D. Detection Rate

The Reality trace is used. We divide the trace into segmentsof one month, and run simulations on each of the 3rd − 7th

0 2 4 6 8 100

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

Parameter K

Det

ectio

n R

ate

SimulationAnalysis Lower BoundAnalysis Upper Bound

(a) Effect of Parameter K

0 0.2 0.4 0.6 0.8 10

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

Fraction of Flooded Packets an Attacker Sends (Para. y)

Det

ectio

n R

ate

SimulationAnalysis Lower BoundAnalysis Upper Bound

(b) Strength of Attack (Para. y)Fig. 8. Verification of analysis results on the synthetic trace. Spray-and-Waitis used as the routing protocol. Each attacker launches the basic attack once.

segments 3 times with different random seeds. Each data pointis averaged over the individual runs. By default, each attackerlaunches the basic attack once, and it floods one packet out(i.e., n = 1, y = 1.0). By default, attackers are selectivelydeployed to high-connectivity nodes.

Fig. 9(a) shows the effect of parameter K in differentrouting protocols. Generally speaking, when K increases, thedetection rate also increases because the inconsistent packetsare exchanged to more nodes and have more chances to bedetected. When K = 0, no attacker is detected in Spray-and-Wait, since no meta data is exchanged for detection. However,attackers can still be detected in the other three algorithms,because the inconsistent packets are forwarded to multiplenodes and the node that receives two inconsistent packetscan detect the attacker. Among these protocols, Propagationachieves the highest detection rate since it replicates incon-sistent packets the most number of times. Between the twosingle-copy routing protocols, SimBet has a higher detectionrate than Forward. This is because SimBet tends to forwardpackets to the more socially connected nodes and thus thesenodes are more likely to collect inconsistent packets.

Fig. 9(b) shows the results when each attacker launches thebasic attack independently for a varying number of times. Asthe attackers launch more attacks, the detection rate quicklyincreases for obvious reasons.

Fig. 9(c) shows the effect of the number of packets thatan attacker floods in each contact (i.e., parameter n). As anattacker floods more packets in each contact, the detectionrate decreases in Spray-and-Wait and SimBet, increases inForward and does not change much in Spray-and-focus andPropagation. The opposite trends are due to two factors thataffect the detection rate reversely. On the one hand, samplingdecreases detection rate. To explain this more clearly, let uslook at the basic attack scenario in Fig. 7(a) for Spray-and-Wait. Since Z = 1, A (B, resp.) only samples one packet outof all the packets received from the attacker and redirects itto C (D, resp.). When n = 1, C and D will receive mutuallyinconsistent claims, which means in Equation 7 Povp = 1.0.However, when n is larger than 1, C and D may not receive apair of inconsistent claims due to the independent sampling byA and B. As n increases, Povp decreases and thus the detectionrate also decreases. On the other hand, for the routing protocolswhere each packet is forwarded in multiple hops, when anattacker sends more attack packets in each contact, it is morelikely that one pair of inconsistent packets are forwarded tothe same intermediate node and lead to detection.

0 2 4 6 8 10

0

0.2

0.4

0.6

0.8

1.0

Parameter K

Det

ectio

n R

ate

Spray−and−WaitForwardSpray−and−FocusSimBetPropagation

(a) Parameter K

0 1 2 4 80

0.2

0.4

0.6

0.8

1

Number of Attacks Launched by each Attacker

Det

ectio

n R

ate

Spray−and−WaitForwardSpray−and−FocusSimBetPropagation

(b) Number of Attacks

1 4 7 100

0.2

0.4

0.6

0.8

1

Number of Packets Flooded per Contact

Det

ectio

n R

ate

Spray−and−WaitForwardSpray−and−FocusSimBetPropagation

(c) Packets Flooded per Contact

0 2 4 6 80

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Parameter K

Det

ectio

n R

ate

Attackers Randomly DeployedAttackers Selectively Deployed

(d) Attacker DeploymentFig. 9. The detection rate under different conditions. In (d), Forward is used as the routing protocol.

0 10 20 30 40 50 60 70 800

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Day

Cum

ulat

ive

Dis

trib

utio

n F

unct

ion

(CD

F)

Detection DelayRouting Delay

Fig. 10. The detection delay compared with the routing delay of Propagation.

Fig. 9(d) shows the effect of attacker deployment. Thedetection rate is lower when attackers are selectively deployedto high-connectivity nodes. This is because when attackers areselectively deployed they have more contacts with good nodes.The probability that a good node exchanges its sampled claimsto attackers rather than to other good nodes is higher, butattackers do not run detection against each other.

E. Detection delay

Fig. 10 shows the CDF of detection delay when Propagationis used as the routing protocol on the Reality trace. Forcomparison, the CDF of routing delay (i.e., from the time apacket is generated to the time it is delivered) is also plotted.Here, no lifetime is set for packets. It can be seen that 90% ofthe attacks can be detected by our scheme within 10 days. Onthe contrary, within 10 days only 60% of data packets can bedelivered by the routing protocol. Hence, the detection delayof our scheme is much lower than the routing delay.

F. Flooded Replicas under Collusion

As mentioned in Sec. VI-D2, colluders can flood a smallnumber of replicas without being detected. To evaluate theireffect, we run simulations on the Reality trace when all attack-ers collude. The simulation settings are the same as in SectionII-B. We compare our scheme with the case of no defense. Asshown in Fig. 11, even when 20% of nodes are attackers andcollude, our scheme can still limit the percentage of wastedtransmissions to 14% in single-copy routing (SimBet) and 6%in multi-copy routing (Spray-and-Focus), which is only 1/7-1/5 of the wasted transmissions when there is no defense.

G. Cost

To evaluate the cost of our scheme in a steady state (i.e.,all attackers have been detected), no attackers are deployed in

0 0.05 0.1 0.15 0.20

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Fraction of Attackers within Network

Fra

ctio

n of

Was

ted

Tra

nsm

issi

ons

SimBet UnsecuredSpray−and−Focus UnsecuredSimBet SecuredSpray−and−Focus Secured

Fig. 11. The effect of undetected replicas on wasted transmissions whenattackers collude to launch replica flood attacks.

this group of simulations. The Reality trace is used. Packetsare generated between the 61st and 120th day of the trace, andstatistics are collected from the 91th day. By default, each nodegenerates 2 packets per day, parameter τ (i.e., the time a claimis stored) is 30 days and K is 10. In a contact, a node mayreceive some packets but then immediately drop them due tobuffer overflow. In such cases, the transmission of the claimsattached to these packets is counted into the communicationoverhead, and the signature generations for these claims arecounted into the computation overhead. Since the receiver doesnot buffer these packets, it does not store these claims or verifytheir signatures.

We first evaluate the computation cost of our scheme, andFig. 12 shows the results. When Forward is used as therouting protocol (see Fig. 12(a)), as the packet generationrate increases, the computation cost also increases since morepackets need to be signed and verified. But the cost is still low,less than 20 signature generations and verifications, when eachnode generates 10 packets per day. Also, it can be seen thatthere are less signature generations than verifications. This isbecause in each contact our scheme only signs P-claims for thenewly generated packets (which constitute a very small portionof the packets transmitted), and it generates only one signaturein total for the T-claims of all forwarded packets due to the useof authentication tree. When Propagation is used as the routingprotocol (see Fig. 12(b)), similar trends hold. When the packetgeneration rates crosses 1, the signature verification cost turnsto decrease. This is because when the traffic load is high manyreceived packets are dropped due to buffer overflow.

Then we evaluate the communication cost. The communi-cation overhead mainly comes from two sources, the transmis-sion of claims attached to data packets, and the transmissionof claims in meta data exchange. The total communicationcost and the two components are shown in Fig. 13. When Kincreases from 2 to 10 (see Fig. 13(a)), the cost caused by meta

0.1 0.5 1 2 5 102

4

6

8

10

12

14

16

18

Packet Generation Rate (pkt/node/day)

Com

puta

tion

Cos

t

Signature GenerationSignature VerificationSignature Generation + Verification

(a) Forward

0.1 0.5 1 2 5 102

4

6

8

10

12

14

16

18

Packet Generation Rate (pkt/node/day)

Com

puta

tion

Cos

t

Signature GenerationSignature VerificationSignature Generation + Verification

(b) PropagationFig. 12. The computation cost of our scheme.

2 4 6 8 100

0.5

1

1.5

2

Parameter K

Num

ber

of P

−cl

aim

/T−

clai

m P

airs

Tra

nsm

itted

TotalTransmitted with PacketMeta Data Exchange

(a)

0.5 1 2 5 100

2

4

6

8

10

Packet Generation Rate (pkt/node/day)

Num

ber

of P

−cl

aim

/T−

clai

m P

airs

Tra

nsm

itted

Total

Transmitted with Packet

Meta Data Exchange

(b)Fig. 13. The communication cost of our scheme.

data exchange increases linearly since each sampled claim istransmitted more times. The cost caused by the transmission ofclaims attached to packets is always 1 due to the normalization.In total, less than 2 pairs of P-claim/T-claim are transmitted pertransmission of data packet. When the packet generation rateincreases (see Fig. 13(b)), the total normalized communicationcost decreases, because more data packets are transmittedin each contact but the number of claims transmitted formeta data exchange in each contact does not change with thetraffic load. When the packet generation rate is larger than 1,the communication cost is smaller than 3. When the packetgeneration rate is 0.5, the communication cost is higher (i.e.,10). However, at this point the number of packet transmissionsis very small, and hence the communication overhead is notan issue. Moreover, since the claims are small in size, they canbe attached to and transmitted with data packets and will notincur extra transmissions. Thus, the communication overheadis low.

Finally, we evaluate the storage cost of our scheme againsttwo factors, the time a claim is stored (parameter τ ) and thepacket generation rate. The results are shown in Table II.We can see that the storage space used for claims is low,only less than 150 kilobytes per node. This is due to thecompact structures we use to store P-claims and T-claims.We noticed that the storage cost does not increase after thepacket generation rate reaches 2 packets per node per day,because when the traffic load is high many received packetsare dropped due to buffer overflow.

VIII. RELATED WORK

Our scheme bears some similarity with previous approaches(e.g., [35]) that detect node clone attacks in sensor networks.Both rely on the identification of some kind of inconsistencyto detect the attacker. However, their approaches assumesconsistent connectivity between nodes which is unavailable inDTNs. Also, they do not handle the long delays of detection.

TABLE IITHE STORAGE (KB) USED FOR CLAIMS AND DATA PACKETS

τ (days) 10 20 30 40 50 -Claims 67 101 125 139 145 -Packets 3330 3301 3321 3336 3316 -

Pkt. Generation Rate 0.1 0.5 1 2 5 10(pkt/node/day)

Claims 65 93 113 125 124 114Packets 334 1572 2596 3321 3716 3808

A few recent works [12], [27], [14], [13], [15] also addresssecurity issues in DTNs. Li et al. [12] studied the blackholeattack in which malicious nodes forge routing metrics to attractpackets and drop all received packets. Their approach usesa primitive called encounter ticket to prove the existenceof contacts and prevent the forgery of routing metrics, butencounter ticket cannot be used to address flood attacks. Liand Cao [15] also proposed a distributed scheme to mitigatepacket drop attacks, which works no matter if the attackersforge routing metrics or not. Ren et al. [13] studied wormholeattacks in DTNs. Chen and Choon [27] proposed a credit-based approach and Shevade et al. proposed a gaming-basedapproach [14] to provide incentives for packet forwarding.Privacy issues have also be addressed [36], [37]. However,these work do not address flood attacks. Other works (e.g.,Sprite [38]) deter abuse by correlating the amount of networkresources that a node can use with the node’s contributions tothe network in terms of forwarding. This approach has beenproposed for mobile ad hoc networks, but it is still not clearhow the approach can be applied to DTNs, where nodes aredisconnected most of the time. Zhu et al. [16] proposed abatch authentication protocol which verifies multiple packetsignatures in an aggregated way. Their work is complementaryto ours, and their protocol can be used in our scheme to furtherreduce the cost of authentication.

Parallel to our work, Natarajan et al. [39] also proposed ascheme to detect resource misuse in DTNs. In their scheme,the gateway of a DTN monitors the activities of nodes anddetects an attack if there is deviation from expected behavior.Different from their work, our scheme works in a totallydistributed manner and requires no special gateway.

IX. CONCLUSIONS

In this paper, we employed rate limiting to mitigate floodattacks in DTNs, and proposed a scheme which exploits claim-carry-and-check to probabilistically detect the violation ofrate limit in DTN environments. Our scheme uses efficientconstructions to keep the computation, communication andstorage cost low. Also, we analyzed the lower bound andupper bound of detection probability. Extensive trace-drivensimulations showed that our scheme is effective to detect floodattacks and it achieves such effectiveness in an efficient way.Our scheme works in a distributed manner, not relying on anyonline central authority or infrastructure, which well fits theenvironment of DTNs. Besides, it can tolerate a small numberof attackers to collude.

ACKNOWLEDGMENT

This work was supported in part by Army Research Officeunder MURI grant W911NF-07-1-0318.

REFERENCES

[1] K. Fall, “A delay-tolerant network architecture for challenged internets,”Proc. SIGCOMM, pp. 27–34, 2003.

[2] P. Hui, A. Chaintreau, J. Scott, R. Gass, J. Crowcroft, and C. Diot,“Pocket switched networks and human mobility in conference environ-ments,” SIGCOMM Workshops, 2005.

[3] M. Motani, V. Srinivasan, and P. Nuggehalli, “PeopleNet: engineering awireless virtual social network,” Proc. MobiCom, pp. 243–257, 2005.

[4] J. Burgess, B. Gallagher, D. Jensen, and B. Levine, “Maxprop: Routingfor vehicle-based disruption-tolerant networks,” Proc. INFOCOM, 2006.

[5] S. J. T. U. Grid Computing Center, “Shanghai taxi trace data,”http://wirelesslab.sjtu.edu.cn/.

[6] J. Mirkovic, S. Dietrich, D. Dittrich, and P. Reiher, “Internet denial ofservice: Attack and defense mechanisms,” Prentice Hall, 2005.

[7] C. Karlof and D. Wagner, “Secure routing in wireless sensor networks:Attacks and countermeasures,” First IEEE International Workshop onSensor Network Protocols and Applications, 2003.

[8] E. Daly and M. Haahr, “Social network analysis for routing in discon-nected delay-tolerant MANETs,” Proc. MobiHoc, pp. 32–40, 2007.

[9] Q. Li, W. Gao, S. Zhu, and G. Cao, “A routing protocol for sociallyselfish delay tolerant networks,” Ad Hoc Networks, vol. 10, no. 8,November 2012.

[10] W. Gao, Q. Li, B. Zhao, and G. Cao, “Multicasting in delay tolerantnetworks: A social network perspective,” Proc. ACM MobiHoc, 2009.

[11] W. Gao, G. Cao, M. Srivatsa, and A. Iyengar, “Distributed maintenanceof cache freshness in opportunistic mobile networks,” in IEEE Interna-tional Conference on Distributed Computing Systems (ICDCS), 2012.

[12] F. Li, A. Srinivasan, and J. Wu, “Thwarting blackhole attacks indistruption-tolerant networks using encounter tickets,” Proc. IEEE IN-FOCOM, 2009.

[13] Y. Ren, M. C. Chuah, J. Yang, and Y. Chen, “Detecting wormhole attacksin delay tolerant networks,” IEEE Wireless Communications Magazine(IEEE WCM), vol. 17, no. 5, 2010.

[14] U. Shevade, H. Song, L. Qiu, and Y. Zhang, “Incentive-aware routingin dtns,” IEEE ICNP, 2008.

[15] Q. Li and G. Cao, “Mitigating routing misbehavior in disruption tolerantnetworks,” IEEE Trans. on Information Forensics and Security, 2011.

[16] H. Zhu, X. Lin, R. Lu, X. S. Shen, D. Xing, and Z. Cao, “Anopportunistic batch bundle authentication scheme for energy constraineddtns,” IEEE INFOCOM, 2010.

[17] B. Raghavan, K. Vishwanath, S. Ramabhadran, K. Yocum, and A. S-noeren, “Cloud control with distributed rate limiting,” Proc. ACMSIGCOMM, 2007.

[18] F-SECURE, “F-secure malware information pages: Smswor-m:symbos/feak,” http://www.f-secure.com/v-descs/smsworm symbosfeak.shtml.

[19] N. Eagle and A. Pentland, “Reality mining: sensing complex socialsystems,” Personal and Ubiquitous Computing, vol. 10, no. 4, pp. 255–268, 2006.

[20] Q. Li, S. Zhu, and G. Cao, “Routing in socially selfish delay tolerantnetworks,” Proc. IEEE INFOCOM, 2010.

[21] T. Spyropoulos, K. Psounis, and C. S. Raghavendra, “Efficient routingin intermittently connected mobile networks: The multiple-copy case,”IEEE/ACM Trans. on Networking (ToN), vol. 16, no. 1, pp. 77–90, 2007.

[22] A. Lindgren, A. Doria, and O. Schelen, “Probabilistic routing in inter-mittently connected networks,” ACM SIGMOBILE CCR, vol. 7, no. 3,pp. 19–20, 2003.

[23] W. Gao and G. Cao, “On exploiting transient contact patterns for dataforwarding in delay tolerant networks,” Proc. IEEE ICNP, 2010.

[24] J. Burgess, G. D. Bissias, M. Corner, and B. N. Levine, “Survivingattacks on disruption-tolerant networks without authentication,” Proc.ACM MobiHoc, 2007.

[25] S. C. Nelson, M. Bakht, and R. Kravets, “Encounter-based routing indtns,” Proc. IEEE INFOCOM, pp. 846–854, 2009.

[26] T. Spyropoulos, K. Psounis, and C. Raghavendra, “Spray and wait: anefficient routing scheme for intermittently connected mobile networks,”in Proceedings of 2005 ACM SIGCOMM workshop on Delay-tolerantnetworking, 2005, pp. 252–259.

[27] B. Chen and C. Choon, “Mobicent: A credit-based incentive system fordisruption tolerant network,” Proc. IEEE INFOCOM, 2010.

[28] C. Gentry and A. Silverberg, “Hierarchical id-based cryptography,” Proc.International Conference on the Theory and Application of Cryptogra-phy and Information Security, 2002.

[29] A. Seth, D. Kroeker, M. Zaharia, S. Guo, and S. Keshav, “Lowcostcommunication for rural internet kiosks using mechanical backhaul,”ACM Proc. of Mobicom, 2006.

[30] A. Vahdat and D. Becker, “Epidemic routing for partially connected adhoc networks,” Technical Report CS-200006, Duke University, 2000.

[31] R. Merkle, “Protocols for public key cryptosystems,” IEEE S&P, 1980.[32] R. Groenevelt, “Stochastic models in mobile ad hoc networks,” Technical

report, University of Nice, Sophia Antipolis, INRIA, 2006.[33] A. Chaintreau, A. Mtibaa, L. Massoulie, and C. Diot, “The diameter of

opportunistic mobile networks,” Proc. ACM CoNEXT, 2007.[34] P. Hui, J. Crowcroft, and E. Yoneki, “Bubble rap: social-based forward-

ing in delay tolerant networks,” Proc. MobiHoc, pp. 241–250, 2008.[35] B. Parno, A. Perrig, and V. Gligor, “Distributed detection of node

replication attacks in sensor networks,” Proc. IEEE S&P, 2005.[36] Z. Zhu and G. Cao, “Applaus: A privacy-preserving location proof

updating system for location-based services,” in IEEE INFOCOM, 2011.[37] Q. Li and G. Cao, “Efficient and privacy-preserving data aggregation in

mobile sensing,” in Proc. IEEE ICNP, 2012.[38] S. Zhong, J. Chen, and Y. R. Yang, “Sprite: A simple, cheat-proof, credit-

based system for mobile ad-hoc networks,” Proc. IEEE INFOCOM,vol. 3, pp. 1987–1997, 2003.

[39] V. Natarajan, Y. Yang, and S. Zhu, “Resource-misuse attack detectionin delay-tolerant networks,” Proceedings of International PerformanceComputing and Communications Conference (IPCCC), 2011.

Qinghua Li received the B.E. degree from XianJiaotong University, China, and the M.S. degreefrom Tsinghua University, China, in 2004 and 2007,respectively. He is currently a Ph.D. candidate in theDepartment of Computer Science and Engineeringat the Pennsylvania State University. His researchinterests include wireless networks and networksecurity. He is a student member of the IEEE.

Wei Gao received the B.E. degree in ElectricalEngineering from University of Science and Tech-nology of China in 2005, and the Ph.D. degreein Computer Science from the Pennsylvania StateUniversity in 2012. He is currently an AssistantProfessor in the Department of Electrical Engi-neering and Computer Science at the Universityof Tennessee, Knoxville. His research interests in-clude wireless and mobile network systems, mobilesocial networks, cyber-physical systems, pervasiveand mobile computing. He is a member of the IEEE.

Sencun Zhu received the B.S. degree in Preci-sion Instruments from Tsinghua University, Beijing,China, in 1996 and the M.S. degree in SignalProcessing from University of Science and Tech-nology of China, Graduate School at Beijing, in1999. He received the PhD degree in InformationTechnology from George Mason University in 2004.His research interests include network and systemssecurity, ad hoc and sensor networks, performanceevaluation, peer-to-peer computing. Currently he is

working on issues related to ad hoc and sensor network security, DDoS attackprevention, and Worm detection. His research is funded by NSF and ARO.He is also a member of the Networking and Security Research Center, theSystems and Internet Infrastructure Security Lab, and the Cyber Security Lab.

Guohong Cao received the BS degree in computerscience from Xian Jiaotong University and receivedthe PhD degree in computer science from the OhioState University in 1999. Since then, he has beenwith the Department of Computer Science and Engi-neering at the Pennsylvania State University, wherehe is currently a Professor. He has published morethan 150 papers in the areas of wireless networks,wireless security, vehicular networks, wireless sen-sor networks, cache management, and distributed

fault tolerant computing. He has served on the editorial board of IEEETransactions on Mobile Computing, IEEE Transactions on Wireless Com-munications, IEEE Transactions on Vehicular Technology, and has servedon the organizing and technical program committees of many conferences,including the TPC Chair/Co-Chair of IEEE SRDS’2009, MASS’2010, andINFOCOM’2013. He was a recipient of the NSF CAREER award in 2001.He is a Fellow of the IEEE.