cerias tech report 2005-145 defending against …...cerias tech report 2005-145 defending against...

CERIAS Tech Report 2005-145Defending Against Wormhole Attacks in Mobile Ad Hoc Networks

by W Wang, B Bhargava, Y Lu, X WuCenter for Education and ResearchInformation Assurance and Security

Purdue University, West Lafayette, IN 47907-2086

Defending against Wormhole Attacks in Mobile Ad HocNetworks

��

Weichao Wang Bharat Bhargava Yi Lu Xiaoxin Wuwangwc, bb, yilu, wu @cs.purdue.edu

Department of Computer Sciences, Purdue University, W. Lafayette, Indiana

In ad hoc networks, malicious nodes can carry wormhole attacks to fabricate afalse scenario on neighbor relations among mobile nodes. The attacks threaten thesafety of ad hoc routing protocols and some security enhancements. We propose aclassification of the attacks according to the format of the wormholes. It establishesa basis on which the detection capability of the approaches can be identified. Theanalysis shows that previous approaches focus on the prevention of wormholes be-tween neighbors that trust each other. As a more generic approach, we present anend-to-end mechanism that can detect wormholes on a multi-hop route. Only trustbetween the source and the destination is assumed. The mechanism uses geographicinformation to detect anomalies in neighbor relations and node movements. To re-duce the computation and storage overhead, we present a scheme, Cell-based OpenTunnel Avoidance(COTA), to manage the information. COTA achieves a constantspace for every node on the path and the computation overhead increases linearlyto the number of detection packets. We prove that the savings do not deteriorate thedetection capability. The schemes to control communication overhead are studied.We show by simulations and experiments on real devices that the proposed mecha-nism can be combined with existent routing protocols to defend against wormholeattacks.

I. Introduction

As ad hoc networks are merging into the perva-sive computing environment, security becomesa central requirement. Distributed node be-haviour monitoring has been applied to enhancesecurity. A system integrating watchdog andpathrater with the Dynamic Source Routing pro-tocol (DSR) [1] is presented in [2]. In securityenhanced Ad hoc On-demand Distance Vectorprotocol (AODV-S) [3], the neighbors collabo-ratively authorize a token to the node before itjoins the network activities. The researchers haveproposed several protocols that use hash chainsor digital signatures to protect the integrity andauthenticity of routing information. The SecureAODV protocol (SAODV) [4] adopts both mech-anisms. Secure Efficient Ad hoc Distance vector

�This work is supported by NSF ANI 0219110, IIS

0242840, CERIAS, MOTOROLA, and CISCO URP.�The paper is accepted to appear in Wiley Journal Wire-

less Communications and Mobile Computing (WCMC)

routing (SEAD) [5] and Ariadne [6] use a variantof the Timed Efficient Stream Loss-tolerant Au-thentication (TESLA) [7] to accomplish authen-tication. A security-aware routing environmenthas been presented in [8].

Intrusion detection systems (IDS) have beenadopted as the second line of defense to protectad hoc networks. Zhang and Lee presented ageneric multi-layer integrated IDS structure [9].Bharghavan [10] and Haas et al [11] exploredthe security issues in wireless LANs and ad hocnetworks respectively. An architecture that com-bines IDS with trust is presented by Alberts etal [12]. Intrusion detection using mobile agentsis studied in [13].

In this paper, we focus on the detection ofwormhole attacks in ad hoc networks. Since themobile devices use a radio channel to send infor-mation, the malicious nodes can eavesdrop thepackets, tunnel them to another location in thenetwork, and retransmit them. This generates afalse scenario that the original sender is in the

1

neighborhood of the remote location. The tunnel-ing procedure forms a wormhole. It is conductedby collusive attackers. If a fast transmission path(e.g. a dedicated channel shared by attackers) ex-ists between the two ends of the wormhole, thetunneled packets can propagate faster than thosethrough a normal multi-hop route. This forms the“rushing attack” studied by Hu et al [14].

Wormhole attacks put severe threats to both adhoc routing protocols and some security enhance-ments. In many routing protocols, mobile nodesdepend on the neighbor discovery procedure toconstruct the local network topology. If the at-tackers tunnel the neighbor discovery beaconsthrough wormholes, the good nodes will get falseinformation about their neighbors. This maylead to the choice of a non-existent route. Zero-interaction authentication (ZIA) [15] is designedto protect the data on mobile devices from the il-legal access. The files are decrypted only whenan authentication token that is worn by the usercan directly communicate to the device through ashort-range wireless channel. If a wormhole ex-ists between the token and the device, the datamay be disclosed.

Some efforts have been put on this problemand encouraging results have been collected [16–18]. However, the classification in section IIshows that the previous research focuses on thedetection of closed wormholes. Half open andopen wormholes, whose detection requires infor-mation exchanges beyond direct neighbors, havenot been studied. In this paper, we propose anend-to-end mechanism that can detect wormholesalong a multi-hop path on which the interme-diate nodes do not necessarily trust each other.The mechanism combines authentication with lo-cation information. To prevent the destinationnode from being overwhelmed by the computa-tion and storage overhead, a scheme called Cell-based Open Tunnel Avoidance (COTA) is intro-duced to manage the position records. COTA en-ables a node to pre-determine the resources that itwants to consume on wormhole detection. It re-duces the overhead without hurting the detectioncapability. The frequency to conduct the detec-tion is also studied to examine the communica-tion overhead. The proposed mechanism can becombined with existent ad hoc routing protocols.

The contributions of this paper are:� A classification of the wormholes is pro-

posed. We divide the attacks into threegroups (closed, half open, and open) accord-ing to the format of the tunnel and attacker’scapability. The classification establishes abasis on which the detection capability ofthe approaches can be identified.

� We propose an end-to-end mechanism thatcan detect closed, half open, and openwormholes in ad hoc networks. Consideringthe limited resources available to a mobilenode, we design COTA to manage the in-formation. The communication overhead in-troduced by the proposed mechanism is alsostudied.

� Simulation is conducted to evaluate theoverhead, detection capability, and accu-racy of the proposed mechanism. Exper-iments on off-the-shelf mobile devices areconducted to examine the practicability ofthis method in real world.

The remainder of this paper is organized as fol-lows: Section II describes the wormhole attacksand their impacts on ad hoc network security. Theclassification is given out. In section III, we re-view the previous work. Section IV presents andjustifies our assumptions. Section V describes theend-to-end mechanism and COTA in detail. Theproblems such as detection capability and param-eter determination are studied. Section VI stud-ies the frequency to conduct wormhole detectionand the method to control communication over-head. Section VII investigates the robustness ofthe proposed mechanism. Section VIII presentsthe simulation results. Section IX discusses thefuture work and section X concludes the paper.

II. Problem Statement

In a wormhole attack, if the malicious nodes havea dedicated channel, the tunneling procedure canbe conducted in real time. Since the packets areresent in the exactly same way, encryption orauthentication alone cannot prevent the attacks.Other nodes cannot tell whether the packets arefrom the real originator or from the resender. Agroup of collusive attackers can form a wormhole

2

that has as many ends as the number of maliciousnodes.

Wormhole attacks put severe threats to ad hocrouting protocols. In the protocols that use dis-tance vector technique, such as Ad hoc On-demand Distance Vector protocol (AODV) [19]and Destination-Sequenced Distance Vector pro-tocol (DSDV) [20], the hop count of a path af-fects the choice of routes. A pair of attackerscan form a long tunnel and fabricate the false sce-nario that a short path exists between the sourceand the destination. The fake path will attractthe data traffic. As soon as the packets are ab-sorbed to the wormhole, the attackers can eitherdrop them or compromise them. The attacks canalso do harm to the hierarchical routing proto-cols such as Hierarchical State Routing protocol(HSR) [21], Clusterhead Gateway Switch Rout-ing protocol (CGSR) [22], and Adaptive Rout-ing using Clusters (ARC) [23]. They may con-fuse the clustering procedure and lead to a wrongtopology. If a wormhole controls the link be-tween two clusterheads or a link close to the rootof the routing hierarchy, it can partition the net-work.

The safety and effectiveness of some securityenhancements for ad hoc networks would be im-proved if wormholes can be defended. The exam-ple on ZIA has been shown in section I. Anotherexample shows the impacts of such attacks on thedistributed monitoring of node misbehaviours. InAODV-S [3], the neighbors collaboratively au-thorize a token to the node before it joins the net-work activities. If a wormhole exists beside themisbehaved node, the attackers can selectivelytunnel the good-looking packets to the remoteside. The good nodes at the remote side moni-tor all these packets and can not detect any secu-rity violations. The new token will be authorized.This may conflict with the conclusion drawn bythe real neighbors. We can settle this embarrass-ment through preventing wormholes.

The classification of such attacks will facilitatethe design of detection methods. According towhether the attackers are visible on the route, weclassify the wormholes into three types: closed,half open, and open. The examples that includetwo malicious nodes are shown in Figure 1. For

M1S

DS

DM1S

M2

False route

(c) Open wormhole

{ } WormholePhysical link

B }{ A

M2 }B{ A

{ M1 M2 }BA

(b) Half open wormhole

(a) Closed wormhole

D

Figure 1: The classification of wormholes.

the clearance of the remainder of the paper, weuse

��and

��to represent the malicious nodes,�

and � to represent the good nodes as sourceand destination, and � , � , � � . as the good nodeson the route.

The nodes between the curly-braces (“ �� ”) arethose on the path but invisible to

�and � be-

cause they are in a wormhole. We borrow thewords “closed” and “open” from the definitionof an interval, where “closed” means “start fromand include”, and “open” means “start from butnot include”. In Figure 1-(a),

��and

��tunnel

the neighbor discovery beacons from�

to � , andvice versa, so

�and � think that they are direct

neighbors. Both��

and��

are in the worm-hole. In Figure 1-(b),

��is a neighbor of

�and

it tunnels its beacons through��

to � . Only onemalicious node is visible to

�and � . In an open

wormhole, both attackers are visible to�

and � ,as shown in Figure 1-(c).

The previous research focuses on the preven-tion of closed wormholes. The mechanisms thatonly examine direct neighbors cannot guaranteethe detection of the other two types. For exam-ple,

�and

��, and � and

��are real neighbors

in Figure 1-(c). This does not impact the estab-lishment of an open wormhole between

��and��

. Therefore, an end-to-end mechanism mustbe designed to defend against the half open andopen wormholes.

Wormhole detection needs to be conductedwhen a neighbor relation or a route is first estab-

3

lished. Besides, it must be conducted repeatedlyduring the lifetime of the neighbor relation or theroute because the nodes are moving and worm-holes can be formed dynamically. The detectionfrequency impacts the overhead and the detectionaccuracy. This problem is studied in section VI.

III. State of Art

The wormhole attackers encapsulate the receivedpackets into their packets and tunnel them to an-other location. Ironically, this technique was firstintroduced to overcome some difficulties in net-working. IP-tunnel is used in Mobile IP to trans-fer packets from home agents to remote agents[24]. In Virtual Private Networks (VPN), thetunnels are used to connect two LANs, allowingthem to share data, but keeping them behind thefirewalls [25]. IP-tunnels are also used in Multi-Protocol Label Switch (MPLS) [26].

Wormhole attacks threaten the safety of Inter-net routing protocols such as RIP2 [27]. Butthe attacker needs to have a total control on arouter, which is not easy to achieve. Furthermore,through using static routes, such attacks can beprevented. Because of the dynamic membershipand frequent topology changes, a node in ad hocnetworks does not have this luxury.

Wormhole attacks on mobile ad hoc networkswere independently discovered by Dahill et al[28], Hass et al [29], and Hu et al [16]. To de-fend against them, some efforts have been puton hardware design and signal processing tech-niques. If the data bits are transferred in somespecial modulating method known only to theneighbor nodes, they are resistant to the closedwormholes. Another approach, RF watermark-ing, works in the similar way. It modulates the ra-dio waveform in a specific pattern to accomplishauthentication. Both mechanisms will be com-promised if the malicious nodes can accuratelycapture the signal patterns. Neither of them canprevent half open or open wormholes.

The adoption of directional antenna [30, 31]by mobile devices can raise the security levels.A solution that uses such equipments to defendagainst closed wormholes has been presented in[18]. The nodes examine the directions of the

received signals from each other and a witness.Only when the directions of both pairs match, theneighbor relation is confirmed.

Another potential solution is to integrate theprevention methods into Intrusion Detection Sys-tems. The traffic monitoring module of IDS willfind that the ends of wormholes act as packetsinks: many data packets which are not destinedto them will lose their tracks at these nodes. Thejoint response generated by the neighbors of themalicious node will expose the anomalous trafficpattern.

Some mechanisms proposed to locate the po-sition of a mobile node in an indoor environ-ment [32–34] can be applied to prevent worm-holes. For example, both the original packet andthe resent one will be captured by the locationsensors and two conflicting positions of the samenode will be detected. Either the good nodes ora centralized controller will discover this anoma-lous result. However, it will not be easy to portsuch methods to outdoor environments.

One approach to detect closed wormholeswithout clock synchronization is proposed byCapkun �� in [17]. Every node is assumedto be equipped with a special hardware that canrespond to a one-bit challenge without any de-lay. The challenger measures the round trip timeof the signal with an accurate clock to calculatethe distance between the nodes. The probabil-ity that an attacker can guess all bits correctlydecreases exponentially as the number of chal-lenges increases.

Another approach to detect closed wormholesis packet leash, which was proposed by Hu, Per-rig and Johnson [16]. The leash is the informa-tion added into a packet to restrict its transmis-sion distance. In the geographical leashes, thelocation information and loosely synchronizedclocks together verify the neighbor relation. Intemporal leashes, the packet transmission dis-tance is calculated as the product of signal prop-agation time and the speed of light. Both mecha-nisms use lightweight hash chains to authenticatethe nodes [7]. The Message Authentication Code(MAC) can be calculated in real time.

One advantage of packet leashes is the lowcomputation overhead. Similar to geographical

4

leashes, the end-to-end mechanism proposed inthis paper assumes the knowledge of location in-formation and loosely synchronized clocks. Itcan be deployed in the environments where ge-ographical leashes can be used to detect closed,half open, and open wormholes.

IV. Assumptions and Notations

IV.A. Network assumptions

We assume that the links among nodes are bidi-rectional. Two neighbor nodes can always sendpackets to each other. This assumption will holdunder most conditions in the real environment.Many medium access control protocols [35, 36]are also based on this assumption.

The security threats to mobile ad hoc networkscome from all layers. The malicious node canjam the physical layer. There have been ap-proaches using spread spectrum [37] to provideresistance to such attacks. There are also Deny ofService (DoS) attacks on the medium access con-trol layer [38]. For example, if a malicious nodekeeps sending noises and causes collisions, thecommunication within the neighborhood will beparalyzed. The fairness control mechanisms suchas time division multiple access [39] can avoidone attacker eating up all available bandwidth. Inthis paper we will not discuss solutions to thoseattacks.

The network itself acts in Byzantine manners[40]. It may drop or corrupt packets. The packetscan be duplicated or forwarded out of order.

IV.B. Node assumptions

A node can locate its geographic position. Therehave been off-the-shelf devices, such as GlobalPositioning System (GPS) [41], that can provideaccurate positioning service. The accuracy of po-sition information will affect the detection capa-bility of the proposed mechanism. For example,if the direct communication range among neigh-bors is � and the maximum error of the distancebetween two locations is � , they introduce a rel-ative error up to �� . The mechanisms such asGPS can locate the position with the accuracy of15 feet.

In certain environments, using the distance be-tween two nodes to verify the neighbor relationcannot guarantee the detection. For example,even if an obstacle (e.g. a building) exists be-tween two nodes and blocks all signals, a posi-tion based mechanism may still consider them asneighbors. To detect such conditions, the nodesneed a more accurate signal propagation model inthat environment. It is able to determine whetherthe two nodes can actually communicate to eachother when the positions are given. In this paper,we assume that any two nodes having a distanceshorter than � can communicate to each other.

Each node has a clock, and we assume that theclocks are loosely synchronized with the maxi-mum relative error � . By this we mean that thedifference between the clocks of any two nodes issmaller than � if we sample the time at the samemoment.

The mobile nodes have limited computationresources. But they can accomplish the opera-tions required by the security mechanisms, suchas the calculation and verification of digital sig-natures, encryption using symmetric keys, andcalculation of the MAC code.

We do not assume that a node can control thelongest buffering time of a packet before it is for-warded. We do not assume trusted hardware suchas tamper-proof wireless cards. They may restrictthe deployment of the proposed mechanism.

IV.B.1. Assumption justification

A lot of research in ad hoc networks has beenconducted based on the position awareness as-sumption. They cover from routing [42–44], en-ergy consumption [45, 46], to location based ser-vices [47, 48]. Some work has been conductedbased on loose synchronization assumption, suchas geographical leashes [16], Secure Trackingof Node Encounters (SECTOR) [17], Ariadne[6], and Light-weight Hop-by-hop Authentica-tion Protocol (LHAP) [49]. In this part, we jus-tify our assumptions based on the available tech-niques and application scenarios.

Location-based services using GPS are readyto launch with the progresses that reduce ex-pense, size, weight, and power consumption of

5

such devices. Motorola has unveiled one kind ofGPS chip set whose unit cost is about $10 [50]. Itis cheap and small enough to fit in PDAs and cellphones. Sprint PCS alone has sold over 8.8 mil-lion GPS-enabled handsets by March, 2003 [51].The positioning device is becoming a commonpart of the wireless node for both military andcivilian usage.

A lot of efforts have been put on clock syn-chronization in ad hoc and sensor networks.There have been solutions based on LORAN-C [52], WWVB [53], Reference Broadcast [54],TINY/MINI-SYNC [55], Tree-based solution[56], and GPS [57]. A good survey can be foundin [56]. In this paper we only assume looselysynchronized clocks among nodes, for example,� � �� . If every node is equipped withGPS, its clock is accurate enough to satisfy thisrequirement. The mobile nodes do not need ex-tra hardware or a complex protocol to get moreaccurate time.

The security of GPS has been studied forsome time. Solutions for anti-jamming and anti-spoofing civilian GPS signals have been pro-posed in [58–60]. Here we do not present thedetails. GPS signals can be weak or biased inan indoor environment. But as discussed in sec-tion III, a more accurate positioning scheme insuch an environment can be implemented to de-fend against wormholes.

IV.C. Key setup

The safety of the end-to-end mechanism relies onthe secrecy and authenticity of the keys stored innodes. The authentication can be accomplishedby pairwise secret keys, digital signatures, or avariant of TESLA [7].

The advantage of pairwise keys is that thenodes can use symmetric cryptographic methodsand avoid the expensive operations such as expo-nential computation. It is very important to themobile nodes with limited resources. The disad-vantages are two folds. First, if there are � nodesin the network, we need to set up �� keys. This can impact the scalability of the pro-posed mechanism. Second, it will be difficult toauthenticate multicast or broadcast packets. Al-though there has been research on allowing mul-

tiple users to share a group key, it will put threatsto the whole scheme if one node is compromised[61].

If digital signatures are used, we only needto set up � keys. The method supports the au-thentication of multicast traffic and has the non-repudiation property. But the computation of adigital signature can be three orders of magni-tude slower than that of the symmetric mecha-nisms [62]. With the emergence of high speedsignature algorithms [63, 64] and more powerfulportable processors, computing digital signatureswill cause less overhead on the mobile nodes.

With the assumption of loosely synchronizedclocks, if the end-to-end delay can be accuratelypredicted, a variant of TESLA can be applied toaccomplish authentication. We only need to setup � keys and the nodes do not have to do the ex-pensive computations. The disadvantage is thatthe packets may not be authenticated immedi-ately. The receiver needs to temporarily bufferthe packet until the key is disclosed. This mayrequire more storage space.

To set up the keys, either centralized mecha-nisms, such as a key distribution center or a Pub-lic Key Infrastructure (PKI), or a pre-load methodduring initialization, can be applied. A surveyof key establishment in mobile networks can befound in [65]. Another solution proposed in [66]applies a PGP-like mechanism to distribute thekeys.

IV.D. Model of attackers

The attackers do not have the computation powerto crack the secret keys. To tunnel the packets be-yond a long distance without interfering with thesignals sent by the good nodes, the attackers havea dedicated, speed-of-light communication chan-nel. The attackers have a total control over thewormholes. They can choose to tunnel a packetthrough or drop it without knowing the content ofthe packet.

IV.E. Notations

For the clearance of the remainder of the paper,we give out the following notations:

6

If pairwise keys are applied, �� and �� aresame and both represent the secret key betweennode � and node � .

� �� represents the

MAC code computed over message�

with key� . If digital signatures are applied,

�� represents the signature of � over message

�.

All nodes that have the public key can verify thesignature.

Every node can locate its geographic position.The position of node � is �� . The maximumerror of the distance between two positions is� . If node � and node � read their positionsat the same time, the real distance between them�� . The clocks are looselysynchronized. The difference between the clocksof any two nodes is smaller than � . We also as-sume that � is the upper bound of the velocity ofnode movement.

V. Detecting Wormhole Attacks

V.A. Basic end-to-end mechanism

Design goals

In the end-to-end wormhole detection mecha-nism, we only assume that the source and the des-tination of a route trust each other. This assump-tion holds under most conditions. If on-demandrouting protocols are used, the source and thedestination can negotiate the parameters such asthe frequency to send wormhole detection pack-ets through the routing request and reply. If geo-graphical routing protocols are used, the destina-tion can pre-determine the parameters and sub-mits them to the location servers. The source willget them when acquiring the position of the des-tination.

As shown in section II, wormholes need to beexamined repeatedly during the route’s lifetime.The detection information can be attached to therouting packets or the data packets. If the fre-quency of data packets is too low, wormhole de-tection packets can be sent separately. For multi-ple applications that use the same route, only onegroup of detection packets need to be sent. Nodetection is required for a route if it is no longerin use.

Compared to the mechanisms that only de-

tect closed wormholes, the end-to-end mecha-nism has two special features:

First, every intermediate node will attach itstimestamps and positions to the detection pack-ets, but all examining operations are conductedby the destination node. In this way it can detectthe conflicting information sent by the attacker todifferent neighbors. However, a scheme must bedesigned to prevent the destination node from be-ing overwhelmed by the overhead.

Second, cross packet examination must beadopted by the end-to-end mechanism. Exam-ining the packets independently can miss somewormholes. For example, in the half open worm-hole shown in Figure 1-(b),

��can declare that

it receives a packet at the position of��

and for-wards it at the position of

��. As long as the

distance �� and the declared buffering time satisfy � �� !�#" , examining the singlepacket cannot find any anomaly.

In the cross packet examination, if a node de-clares its position �$� at its clock time %� , and ��at its clock time &� , the destination can estimateits average moving speed and examines whetherit is lying. If

�� '� (��)�*� �� +� ,�-�*�.� � / � (1)

the node lies about its positions and there is awormhole on the path.

Delivery of detection packets

We assume that the pairwise keys have beendeployed. Every node � on the path has a secretkey �0�21 with the destination � . � knows thepath length in hops and the identity of every nodealong the path. This can be achieved through therouting protocols such as DSR [1] or the explicitattachment of node identify to the routing pack-ets.

When a wormhole detection packet is sentfrom the source, it contains seven fields: sourceaddress

�, destination address � , the message�

, a sequence number � for this route, the lo-

cal time &354 6 798 when the packet is sent, the po-sition ��354 6 798 at that time, and the MAC code� �:�;��<.= � ��> � > � >? � > &354 6 798 > ��3@4A6 798 � . �

canbe a routing packet, a data packet, or void if thedetection packet is sent separately. Every time af-

7

A

AD

Arecv

Ssend SsendS: h = MAC (S, D, M, id, ( t , P ))

Arecv AsendArecv AsendA: h = MAC (Received packet, (t , P ), (t , P ))

A −> B: (Received packet, (t , P ), (t , P ), h )

BDK BsendBrecv Brecv BsendB: h = MAC (Received packet , (t , P ), (t , P ))

Asend

S −> A: (S, D, M, id, (t , P ), h )Ssend S

B

Brecv Brecv Bsend Bsend BB −> D: (Received packet, (t , P ), (t , P ), h )

S KSD

Ssend

A K

Arecv Asend

Figure 2: The delivery of a wormhole detectionpacket in the end-to-end mechanism.

ter sending a detection packet for this route, thesource increases

� by 1. Examining the received � s, � can find out how many detection packetshave been dropped.

When an intermediate node � forwards thepacket, it attaches two � time, position � pairs:� ,�� 6�� > � �� 6�� when it receives the packet, and� ,�24 6 798 > � ��4 6A7 8�� when it forwards the packet.Then it attaches

� �:�� 5= � � � � , where� � in-

cludes both the received packet and the two at-tached pairs. Figure 2 shows an example of thedelivery procedure.

Two potential problems exist in the proposedmechanism. First, how can a node get the accu-rate sending time and calculate it into the MACcode? Second, how does the signal propagationtime affect the detection? For the first problem,the end-to-end mechanism has a weaker require-ment on the accuracy of the sending timestampthan packet leashes. So we can adopt either ofthe two approaches [16] for temporal leashes.

For the second problem, taking the signal prop-agation time �� into account, we have the fol-lowing equation for the sending time +4A6 798 at thisnode and the receiving time �� 6�� at the next hop:

�*� �� 6�� &4A6 7 8-�*� � � � �� (2)

If the direct communication range betweenneighbors is known, we can estimate �� . The sending time and the receiving time ofthe same transmission always satisfy:

�� 6�� &4 6 798-�� (3)

Detection operations at the destination

When � receives a detection packet, it willcheck the following items: (a) All MAC codes

are calculated correctly. (b) The neighbor nodesare within the direct communication range whenthe packet is passed. (c) The average movingspeed of a node between it receives and forwardsthe packet does not exceed � . (d) The sendingand receiving time of the same transmission sat-isfy equation 3. (e) The new � time, position � pairand the previous pairs of the same node do notconflict as shown in equation 1.

Items (a), (b), (c) and (d) focus on a singlepacket. The MAC codes guarantee the authen-ticity and integrity of the � time, position � pairs.Since the MAC codes cover the whole packet(including the information attached by previousnodes), it is very difficult for the attacker torecord a part of the packet and conduct resendattacks. If the attacker resends the whole packet,it is the same as the duplicate packet generatedby the network. Item (b) will detect the closedwormholes on the route.

Item (e) implements the cross packet exami-nation. Through calculating the average mov-ing speed of the intermediate nodes using theircurrent and previous � time, position � records,the destination node monitors their movements.Items (c), (d) and (e) together prevent the mali-cious node from cheating the wormhole detectionmechanism by declaring fake positions.

The wormhole detection packets may get lostbecause of the unreliable network. They can alsobe intentionally dropped or corrupted by the ma-licious nodes. Using the sequence number, thedestination node can monitor how many detec-tion packets have been lost. If a wormhole is de-tected, or � consecutive detection packets are alllost, the destination node will broadcast a mes-sage which notifies the source to abort the currentroute and activate the reinitiation. The relationbetween the value of � and the position informa-tion density is discussed in section VI. The samecondition will happen if a route becomes expiredand no more detection packets are sent. Underthis condition, the source will ignore the broad-cast message.

Compared to previous approaches, the end-to-end mechanism does not let the intermedi-ate nodes verify the neighbor relations by them-selves. On the contrary, all examinations are con-

8

ducted by the destination. The proposed mech-anism can detect closed wormholes because thegood nodes at different ends of the tunnels willnot lie about their positions. For half open andopen wormholes, if the malicious nodes sendtheir real positions in the detection packets, thefake neighbor connections will be discovered be-cause they are longer than the direct communi-cation range. To avoid being detected, a smartattacker can buffer the packets and declare that itmoves to the other end of the wormhole and for-wards the data. This attack can be prevented byintroducing packet lifetime into the network. Itwill restrict the longest moving distance of a nodeduring the delivery of a single packet so that thelength of the tunnel will be limited. It will alsoguarantee the position information density of theintermediate nodes as shown in section VI.

Restricted by the positioning and clock syn-chronization errors, the end-to-end mechanismcould introduce false alarms into the system. Forexample, the attacker will be able to tunnel thepackets � beyond � without being detected if thedestination considers the positioning error whencalculating the distance between two points. Onthe contrary, if the destination ignores the error,some connections having a distance close to �will be wrongly accused as wormholes. With theprogresses in the positioning and synchronizationtechniques, the error rate will become smaller.

V.B. Overhead of basic end-to-end mech-anism

Since the mobile devices have limited resources,the end-to-end mechanism, as a security enhance-ment, must consider the communication, compu-tation, and storage overhead.

Every intermediate node attaches two � time,position � pairs and a MAC code to each detec-tion packet. If pairwise keys are used, it has beenshown in [16] that a PDA can accomplish 220Ktimes MAC code calculation in one second. Sothere is not much computation overhead at the in-termediate nodes. And they do not need to storeany information.

The communication overhead includes byteoverhead and packet overhead. If we use aneight-byte timestamp (if the time unit is

� � � , it

covers more than 500 years), an eight-byte posi-tion (on the surface of the Earth, it locates a posi-tion within �� ), and an eight-byte MAC code,every intermediate node will attach 40 bytes tothe packet. If the maximum transmission unit(MTU) is 1,500 bytes and

�is 1,000 bytes,

twelve nodes can attach their information.

In this way the byte overhead will increase fastto the path length. It does not scale well to longroutes. To control the byte overhead, the desti-nation node can choose a part of the intermediatenodes to attach their information. It changes theselected nodes to guarantee that everyone is ex-amined. If � consecutive nodes on the route arechosen, it is the same as an end-to-end detectionon these � nodes. More details of this method andits impact on the detection capability are studiedin section VI. The packet overhead is determinedby the frequency to send the detection packets.This question is also studied in section VI.

All examining operations are conducted by thedestination node. We assume that the path lengthis�, and

�packets carrying the detection infor-

mation arrive at the destination. It needs � � � �operations to examine a single packet. For ev-ery intermediate node, there will be

�� time,position � pairs. If the cross packet examinationcalculates the average moving speed between ev-ery two pairs, there will be � � � � � operations foreach node. So the total computation overhead forthe

�packets will be � � � � � � � � � .

For the same reason, the destination needs tostore

�� time, position � pairs for every interme-diate node. The required storage space will be� � � � �

.

The� � � entry in the computation overhead and

� �entry in the storage space put challenges to the

mobile nodes with limited resources. For exam-ple, if a route is ten-hop long and 1,800 worm-hole detection packets are received, the destina-tion needs to store 36K � time, position � pairs(about 580 Kbytes), and conducts 65M opera-tions. As the number of routes increases, the nodecannot afford the required resources. In the nextsection, we propose a mechanism called COTAthat requires � � � � � � space and � � �.� � � �

compu-tation overhead (where � � and �.� are constant),but having the same wormhole detection capabil-

9

ity as the end-to-end mechanism.

V.C. Cell-based Open Tunnel Avoidance

COTA avoids to record and compare all � time,position � pairs. It divides the whole area intosame-sized cells (hexagon), and divides the timeinto same-length slots. COTA only stores thefirst received � time, position � pair of every nodethat falls into the same cell and the same slot.Through adjusting the cell size and slot length,a node can control the efforts that it wants to puton the wormhole detection. The whole structureis a three dimensional cube of � time, position �records, and the format of the index is � node iden-tity, cell number, slot number � . When a new� time, position � pair of a node arrives, the des-tination selects from each cell a record of thatnode that has the shortest time difference fromthe new timestamp and calculates the averagemoving speed. In this way some pairs belongingto the same node are not compared. In sectionV.D we prove that after adding an offset to equa-tion 1, COTA has the same detection capabilityas the end-to-end mechanism.

We also define the lifetime ��%6 of a packet.If a packet has traveled in the network for a timelonger than ��%6 , it will be discarded by the des-tination node. Since the clocks are loosely syn-chronized, COTA can estimate the packet travel-ing time. To guarantee that the packet arrives atthe destination � within its lifetime, the sendingtime at

�and the receiving time at � should sat-

isfy �� 1 � 6�� 3@4A6 798 � ��%6 � � .

Two advantages have been brought to COTAby the definition of packet lifetime. First, it re-stricts the number of time slots that COTA needsto store for every intermediate node. If the slotlength is � , the destination node only needs tostore at most ��%6 � � � � � � � records for everyintermediate node in every cell. Second, it re-stricts the longest moving distance of a node dur-ing the delivery of a single packet. It prevents theattacker in an open or half open wormhole frombuffering the packet for a long time and declaringthat it moves to the new position and forwards thepacket.

An example of cell division and the data struc-ture is shown in Figure 3. Every record contains

Cell 5

r

Y

(a) Cell division of network area

Node A

Node B

Node X

Cell 4

header Null

NullNull

Arrayheader

(6.18, P4n)

Cell 2

X

Cell 1

(b) Data structure organization

Cell 37 Cell Kn

Expire time

Expire timeExpire timeExpire time

Expire time Expire time Expire time

Arrayheader

Array(3.11, P31)(3.26, P32)Null

Null

Cell 1

Cell 3

Cell 4Cell 6

Cell 7

(3.18, P1)

(4.18, P3)

Expire time

Expire time

Expire time

Cell 3

Expire time Expire time

Cell K1

Cell K2Cell 10Cell 4

Figure 3: Cell division and data structure ofCOTA in one destination node.

a � time, position � pair. We assume that the timeslot is 100 ms. For one intermediate node, thedestination will only store one record in everyslot in a cell. Now assuming that another recordof node � with the content � %� = 3.18 sec, po-sition = �'�� is received, and it falls into cell 3.Since there is already a record of node � in cell3 in the slot 3.1 – 3.2 second, the new entry willnot be recorded. Then the destination will selectfrom each cell the record of node � that has theshortest time difference from the new timestamp.In this example, they will be (3.11, ��?� ) in cell 3and (6.18, �� 7 ) in cell 4. If the selected pair isrepresented as � &� > � �� , � will calculate the aver-age moving speed of node � between these twopositions by

�� > �� '� (��@��

�*� +� ,�-��.� � (4)

If�� / � , we know that � sent false information

and there is a wormhole on the route.

10

Now let us consider another example. A record� � = 4.18, position = � �� of node � is received,and it falls into cell 4. There is no record of node� in cell 4 in the slot 4.1 – 4.2 second. So the newentry will be recorded by the destination. Then� will select the record of node � from each cellthat has the shortest time difference from the newtimestamp and calculates the average speed. Inthis case, they will be (3.26, � � � ) in cell 3 and(6.18, �� 7 ) in cell 4.

COTA only stores and compares a part of the� time, position � records to reduce the storage andcomputation overhead. There are two questionsthat we have to ask: (1) can COTA detect allanomalies that the end-to-end mechanism can de-tect? (2) how much space and computation do wesave? We discuss the answers in the next two sec-tions.

V.D. Detection capability of COTA

COTA simplifies the end-to-end mechanism toreduce the storage and computation overhead.But it may miss the detection of some anomaly.An example is given out as follows. Wehave four � time, position � pairs of node

� �as � &� � � > �� , � &� � � > �� , � &� � �

> �� , and� &� � �

> �� . The first two pairs fall into cell 1and slot 1. The second two pairs fall into cell2 and slot 2. We calculate the average movingspeed between every two pairs using equation 4.The speed between pair two and four is fasterthan � , but the speed between any other two pairsis not. If we record and compare all pairs, we willfind the anomaly and detect the wormhole. How-ever, if COTA is applied and pair one and threearrive first, they will be recorded. Later when pairtwo and four arrive, they will not be stored andthey are never compared to each other. COTAdoes not detect this anomaly.

However, adding an offset to equation 4 willenable COTA to detect all wormholes that theend-to-end mechanism can detect. The proof isgiven as follows.

Lemma 1 : If COTA uses

�� > �� 7 6�� (��4 6 � 6�� (� � �

�*� 7 6�� &4A6 � 6��?�*� � � (5)

to calculate the average moving speed betweenthe new and the selected � time, position � pairs,it can detect all wormholes that can be detectedby the end-to-end mechanism. In equation 5, � isthe maximum error of the distance,

�is the radius

of cells, � is the highest speed of nodes, � is thelength of a time slot, and � is the clock error.

Proof 1 : We assume that we have two pairs,� +� > �'� � and � ,� > �� , of the same node that showthe anomaly

�� '� (��)�*� �� +� ,�-�*�.� � / � (6)

And without losing generality, we assume that� +� > �'� � is received by the destination first. When� ,� > �� arrives, there are two possible condi-tions:

Condition I: � +� > �'�� is recorded by COTA.

If � +� > � � � is selected to be compared with� ,� > �� , the average moving speed (after adding�� ) is faster than � , and the anomaly willbe detected.

If it is not selected, there must be another pair� � > � �� that falls into the same cell as �$� but hasa shorter time difference from &� . So we have�� ,�-�*� � �� +� ,�)�*� . Since � � and �'� arein the same cell, the longest distance between thetwo positions is 2r. So we have:

�� ,�)�*� � �� +� ,�-�*�� (��@�� '� (��)�*� (7)

Combining equation 6 and 7, we must have

�*� �� (� �)�� ;� �� ,�-�*�.� � / � (8)

Condition II: If � %� > �'� � is not recorded byCOTA, there must be another pair � � > � �� thatis recorded. It falls into the same cell and sameslot as � %� > �'� � , but it arrives earlier. So we have:

�� (��@�� '� (��)�*��*� � ,�-�� +� ,�-�*� (9)

If � � > � �� is selected to be compared with� ,� > �� , combining equation 6 and 9, we will get:

�*� ��(��)�*�� ;� �� ,�-�*�.� � / � (10)

11

If � � > � �� is not selected to be compared with� ,� > �� , there must be another recorded pair� � > �� that falls into the same cell but has ashorter time difference. So we have:

�� ,�-�*� � � �� ,�-�� +� ,�-�*� (11)

Combining equation 6 and 11, we will get

�*� � � (��)�*�� ;� �� ,�-�*�.� � / � (12)

Combining all conditions shown in equation 6,8, 10, and 12, we have:

�*� ��4 6 � 6�� (� 7 6��$�*� �;� �� *� &4A6 � 6�� 7 6�� *�.� � / � (13)

�

After introducing the offset�� into

COTA, we guarantee that it can detect all worm-holes that the end-to-end mechanism can detect.We define

�� as the� � � � �� of COTA.

An optimistic node can use COTA as in equation4. It will allow all neighbors that are within thedirect communication range to exchange packets.But in some cases, a real attacker is able to tunnela packet as far as

�� beyond the range. Amore conservative node can use the format shownin equation 5. It will guarantee the detection ca-pability, but in some cases it will introduce falsepositive alarms. The impact of false alarms willbe studied through simulation in section VIII.

V.E. Parameter determination

There are three parameters in COTA: packet life-time, cell size, and time slot length. The choicesof the parameters impact not only the detectioncapability of COTA, but also the storage andcomputation overhead. We now discuss themseparately.

The choice of packet lifetime is directly relatedto the end-to-end delay in ad hoc networks. Esti-mating this delay accurately is a difficult prob-lem because it is affected by traffic load, pathlength, movement model, network size, and otherfeatures. There have been theoretical analysesof this problem in simplified network scenarios[67–70]. The results provide valuable guidelines

for the design of protocols. However, the vari-ous simplifying assumptions do not always holdin real network settings.

Another approach is to conduct real measure-ments. The results collected from simulationshave been shown in [71–74]. The typical valueof the average delay is a few hundred millisec-onds in the studied network scenarios. In this pa-per, we assume the similar network conditions,thus the similar average delay is also assumed.The analysis in [73] shows that after the modeof the curve, the probability density function ofdelay decreases exponentially as time increases.To control the fraction of detection packets thatare discarded because of unexpected long delay,we set �� 6 an order of magnitude longer thanthe average delay. The typical value of ��%6 is afew seconds. When an approach for more accu-rate delay estimation appears, we can replace thismethod without impacting other components ofCOTA.

Now let us consider the required storage spaceand computation operations of COTA. We as-sume that the packet lifetime is ��%6 . The des-tination node only needs to record the � time,position � pairs that were sent in the past ��%69� � .During this period, the possible position of agood node must be within a circle with the di-ameter � ��%6'� � � (use the position when �� %6 � � � � � as the center, and � ��%6 � � � � � asthe radius). If there are no wormholes, the num-ber of cells that have active records for the nodeis at most

� �A� ��%6 � � � � � � �� (14)

In each cell, at most ��%6'� � � � � � �records

are stored. So the total number of records storedby the destination for one node is at most

� � � ��%6 � � � �� %6 � ��

� �� 6�� (15)

If the path length is�, the destination needs to

store at most� "� � � � �� records for one

route.

When a new record arrives, the destination willselect from each cell a record of that node to com-

12

pare with it. There are at most �� 6 � � � � � � �records in each cell for the node. If a linear searchis applied, the new record needs at most

� �A� �� %6 � � � � � � �� " � � ��%6 � ��

� �� (16)

operations to accomplish the cross packet ex-amination. If a balanced tree is used to storethe records in each cell for a node, the ex-amination in one cell can be accomplished in�� %6 � � � � �(� � � � � operations. But themaintenance overhead for the tree structure mayoutrun the benefits. In the following analysis,we assume that the linear search is applied. Ifthere are

�COTA packets for the route and the

path length is�, the total number of operations

required by COTA is

�� " � � � �� (17)

We examine a practical example to show thesavings of COTA. We assume that

�is 12 m,

� ��%6 is 5 seconds, � is 20 m/s, � is 200 ms,�

is 10 hops, and 1,800 wormhole detection pack-ets are received. The destination node needs tostore at most 9 K � time, position � pairs. If a lin-ear search is used to locate the record in everycell, the destination needs to conduct 32.5 M op-erations. Compared to the overhead of the end-to-end mechanism shown in section V.B, COTAsaves 75% on space and 50% on computation.Examining equation 15 and 16, we find that when�

/� �� , COTA will save in both space

and computation. As the number of wormholedetection packets increases, COTA can save morebecause the required space does not change andthe computation overhead increases at a linearspeed.

If the� � � � �� of COTA,

�� , is pre-determined, we can choose suitable values of

�

and � to minimize the required storage space andthe computation overhead. From equation 15 and16, we find that both requirements are minimizedat the same values of

�and � . Figure 4 shows

the consumed space for one intermediate nodefor different

� � � � �� values. It can also beviewed as the curve of computation overhead.

We assume that�� , where � is a

2010 1550Radius of a cell (m)

25 30

Req

uire

d st

orag

e sp

ace

for

one

inte

rmed

iate

nod

e (p

airs

)

35

2r + vT = 60

25000

20000

15000

10000

5000

0

2r + vT = 502r + vT = 202r + vT = 302r + vT = 40

Figure 4: Storage space of COTA with differentvalues of

� � � � �� .

constant. Equation 15 is minimized when �� !� �� #" � � � (18)

The optimal value of�

equals to �� . It shows

that the best choices of the cell size and theslot length increase linearly when the value of� � � � �� becomes larger. This allows a mobilenode to pre-determine the resources that it wantsto consume to defend against wormhole attacks.If we take the results back, we find that COTA hasachieved its design goals: for every intermediatenode, a constant storage space and the computa-tion overhead that increases linearly to the num-ber of the detection packets.

From Figure 4 we find that the storage andcomputation overhead of COTA is relatively sta-ble within a large interval of

�. Therefore, when

the chosen�

and � are biased from the optimalvalues, the overhead does not increase sharply.Since the resources available to mobile nodesvary greatly, this enables the nodes to make flex-ible choices on the parameters. Table 1 comparesthe overhead between the optimized COTA andthe end-to-end mechanism. It assumes a 10-hoproute and 1,800 wormhole detection packets. Thevalues of ��%6 and � are the same as before.

Table 1: Overhead comparison between the end-to-end mechanism and COTA.

Basic end-to-end Optimized COTAsensitivity storage(pair) operation storage(pair) operation

30m 36 K 65 M 5.20 K 18.66 M40m 36 K 65 M 2.25 K 8.12 M50m 36 K 65 M 1.12 K 4.04 M60m 36 K 65 M 0.70 K 2.49 M70m 36 K 65 M 0.43 K 1.57 M

13

V.F. Data structure maintenance

COTA uses a complex data structure. If it cannotbe efficiently maintained, the overhead caused bythe insertion/deletion of records and the collec-tion of unused space will cancel out all bene-fits described in previous sections. We are goingto answer two questions about COTA: (1) Howto organize the stored records? (2) How to effi-ciently recollect the space of the expired records?

A practical data structure in the destinationnode is shown in Figure 3-(b). All nodes thathave active records are put into a link list. Thedestination remembers the expiration time of thelatest � time, position � pair of every node. Itis used in space collection. Every node has alink list, which stores the cells that have activerecords. Each cell also remembers the expirationtime of the latest pair in it. In each cell, an arrayof records are maintained. The size of the array is�� %6�� . Every entry has a bit to iden-tify whether the data is available in it. To avoidmemory copy as time elapses, the array is usedin a cyclical way and a pointer is used to identifythe current array header.

When a new � time, position � pair of a node ar-rives, the destination first locates the cell list ofthat node. Then for each cell of that node, it usesa linear search to locate the record that has theshortest time difference from the new timestamp.

This linear search is also used to abort thoseexpired records and to recollect the space if allrecords in that cell have expired. It resets theavailable bits of those expired entries and movesthe array header according to current time. If thelatest pair in a cell has expired, COTA can takethe memory back without looking into the arraybecause all records must have expired.

This space collection method works well ifnew records of a node keep arriving. On the con-trary, if a node is not on any active routes and nonew records for it arrive, the space occupied byit cannot be efficiently recollected. To overcomethis difficulty, the destination node needs to peri-odically traverse the node list to examine the ex-piration time of the latest record of every node. Ifthe latest record has expired, all space occupiedby that node can be recollected.

The maintenance of the data structure will in-crease the space requirement within a limitedrange. If all pointers are four-byte and times-tamps are eight-byte, the required space will in-crease less than 10%. Resetting the availablebits and moving the array headers can be accom-plished when COTA traverses the array of eachcell. They do not add much computation over-head. Referring to the results shown in Table1, we find that COTA can still save a lot of re-sources.

V.G. Experiments on real devices

In this section, we present some results on thecomputation efficiency of COTA. They are col-lected through experiments on real mobile de-vices. We assume that symmetric cryptographicoperations are used.

We define the procedure that locates the recordin an array who has the shortest time differencefrom the new timestamp and calculates the aver-age moving speed as a � � �� . It correspondsto the operations that examine a new record inone cell. It also clears out the expired records inthat cell. We design a test program that executes100 million � � �� and run it on a CompaqiPAQ 3630 with 206 MHz CPU and 64M RAM.Different values of

� � � � �� are examined andthe size of an array is determined by the optimalvalue of the time slot length. The computationefficiency of COTA is shown in Table 2.

Table 2: Computation efficiency of COTA.

Sensitivity (m) 20 30 40 50 60Optimal

size of an array 19 13 10 8 7� 7 � � ��.6�� / sec 1.05M 1.54M 2.01M 2.54M 2.86M

For example, when the� � � � �� is 30 m,

the device can execute 1.54 million � � �� in one second with the optimal values of cell sizeand time slot length. Therefore, as the destinationof a 10-hop route that receives 5 wormhole detec-tion packets per second, the node will use 0.28%of its CPU to check the records in these packets.If it uses 5% of its CPU to conduct wormholedetection, it can support 17 such routes simulta-neously.

14

VI. Controlling CommunicationOverhead

The design of COTA allows a mobile node to pre-determine the storage and computation resourcesthat it wants to put on wormhole detection. In thissection, we focus on the communication over-head. We study packet overhead and byte over-head separately.

VI.A. Frequency to conduct wormholedetection

Wormhole detection needs to be conducted re-peatedly during the lifetime of a route. The detec-tion frequency determines the packet overhead.It also impacts the intervals between the received� time, position � pairs of the intermediate nodes.

An intermediate node cannot control thelongest buffering time of a detection packet in it.However, the source and the destination can de-termine the frequency to send such packets whenthe route is established. Through adjusting thisfrequency, the destination can control the longestinterval between the received timestamps of anintermediate node. If the interval between thetimestamps of the source in any two consecutivedetection packets is shorter than � 7 � , and at leastone of � consecutive detection packets will reachto the destination, the longest interval �� 7 � be-tween the received timestamps of the source sat-isfies � � 7 � � � � 7 � . If the lifetime of a packet is� ��%6 , we have:

Lemma 2 : If the longest interval between thereceived timestamps of the source is �� 7 � , thelongest interval between the received timestampsof any intermediate node is �� 7 � � ��%6%� � � . Here� is the error of clock, and ��%6 is the packet life-time.

Proof 2 : Let’s consider the � � >�� pairs of an intermediate node � received by thedestination. The pairs received in the same detec-tion packet have the same sub-index. If we ran-domly select a � � >�� pair, there aretwo possible conditions:

Condition I: the selected pair records a receiv-ing event. We assume that it is � �� 6��%� > � �� 6�� .

There must be a record, � &��4A6 798%� > ��24 6 798+�� , thatremembers the sending of this packet. And wehave &�24 6 798+�� ,�� 6��%� > ,�� 6�%�� %6�� . Therefore,when searching in the direction that the time in-creases, we must be able to find another recordof � within the interval ��%6 .

The longest interval between the receivedtimestamps of the source is �� 7 � . There-fore, there must be a received record of thesource � 3 �� 6 3�6 798 > ��3 �� 6 3�6 798�� that satisfies&3 �� 6 3�6 7 8�� ,�� 6�� %6 � � 7 � � > ,�� 6��%� � ��%6 � � . The receiving and sending times-tamps of this packet at node � must be smallerthan ,�� 6��%� . Considering the clock error, whensearching in the direction that the time decreases,we must be able to find one record of � within theinterval � ��%6 � � � 7 �� .

Condition II: the selected pair records a send-ing event. Similar analysis can be conducted.

Therefore, the longest interval between the re-ceived timestamps of any intermediate node is� � 7 �� 6�� .

�

Since the position information is received to-gether with the timestamps, this interval also de-termines the density of the position informationof an intermediate node. For example, if the in-terval is 10 seconds and �� 6 and � are set asbefore, � � 7 � = 3 seconds. If the probability thata packet gets lost or corrupted on the path is � ,the probability that all � detection packets arelost is �� if the events are independent. For ex-ample, if the probability that a detection packetgets lost is 25% and � = 5, the probability thatfive consecutive wormhole detection packets areall lost is less than 0.1%. The source needs tosend one detection packet every 0.6 second. Theend-to-end mechanism will not add packet over-head if the data packet density is larger than 2packet/second.

VI.B. Controlling byte overhead

The analysis in V.B shows that the end-to-endmechanism does not scale well to very longroutes if every intermediate node attaches its� time, position � pairs. To avoid this problem,the destination can choose a part of the nodes

15

to attach their records. The selected intermediatenodes are switched to guarantee that every neigh-bor relation is examined. For example, the des-tination can ask the first � ��

nodes on theroute to attach their records for � detection pack-ets, then the second � ��

nodes on the routewill attach their records for � detection packets.The two halves of the nodes are overlapped toavoid the detection gap. In this way the byteoverhead will decrease for more than 50%. How-ever, the longest interval between the receivedtimestamps of an intermediate node will become�� 7 �� %6�� . This may allow a wormhole

to exist for a longer time before it is detected.

VII. Security Analysis

Because of the error of position, the error ofclock, and the

� � � � �� of COTA, there ex-ist false alarms in the end-to-end mechanism. Ifthe node adopts a conservative policy, some realneighbor relations will be considered as worm-holes. The destination will abort the route andactivates the routing re-initiation. This leads tothe increase in routing overhead and the averagedelay. On the contrary, if an optimistic policy isadopted, the real neighbor relations will not bewrongly accused. However, the attackers will beable to tunnel the packets beyond the direct com-munication range without being detected. In sec-tion VIII we study both conditions through simu-lations.

A malicious node can eavesdrop the wormholedetection packets. The position information at-tached by the intermediate nodes is protected bythe MAC codes. The malicious node cannot sendfake information in other node’s name to fabri-cate a wormhole on the route. Every intermedi-ate node calculates the MAC code based on thewhole packet. An attacker cannot take a partof the detection packet and conducts the resendattack. If it resends the whole packet, it is thesame as a duplicate packet generated by the un-reliable network. For multiple connections thathave the same source and destination and use thesame route, only one group of wormhole detec-tion packets need to be sent. A malicious nodecannot overwhelm the destination by establishingmultiple connections at the same time. The adop-

tion of COTA allows the destination to control theoverhead on each route. It helps to defend againstthe Distributed Deny of Service (DDoS) attacksgenerated by a group of collusive attackers.

A wormhole tries to fabricate a non-existentroute. The malicious node cannot drop the de-tection packets to avoid being discovered. If aviolation is detected in the received information,the destination will broadcast the anomaly condi-tion. The source receiving this message will tryto establish a new route. When a wormhole isdetected, the end-to-end mechanism does not tryto identify the attacker. Therefore, the maliciousnode cannot frame a good node.

VIII. Simulation and Results

We study the practical impacts of the proposedwormhole detection mechanism through simula-tion. The experiments are deployed using ns2[75]. Two properties are of special interest: falsealarm ratio and communication overhead.

VIII.A. Simulation setup

We assume that pairwise keys have been de-ployed. AODV [19] is chosen as the routing pro-tocol and is updated to combine with the detec-tion mechanism. When the source initiates therouting request (RREQ) packet, it proposes itschoices of the parameters such as the

� � � � ��and the frequency to send out wormhole detec-tion packets. When an intermediate node for-wards the routing request, it will attach its iden-tity. The source and the intermediate nodes willprotect the attached information using keyed hashcodes. When the destination receives the request,it knows the identities of all intermediate nodes.The destination reviews the proposed parameters.If they satisfy its requirements, the destinationwill accept them. Otherwise, it will propose itschoices in the routing reply (RREP). Besides theparameters, the destination will also determinethe starting value of the sequence number for thedetection packets. When the source receives thereply, it will start to send out the data packets andthe detection packets.

RREQ and RREP accomplish the route discov-

16

ery and try to settle the wormhole detection pa-rameters. There are chances that the source andthe destination cannot agree with each other onthe parameters. A separate round of negotiationcan be conducted after the route is establishedand before the data packets are transferred. Amethod similar to the negotiation procedure inthe Internet Key Exchange (IKE) protocol [76]can be adopted.

Table 3 lists the simulation parameters of ns2.

Table 3: Simulation Parameters.Simulation duration 1000 secondsSimulation area 1000 * 1000 mNumber of mobile nodes 50Transmission range 250 mMovement model Random waypointHighest node speed 8 – 20 m / sNumber of connections 30Traffic type CBR (UDP)Data payload 512 bytesPacket rate 2 pkt / sNode pause time 0 second

The node moving speed covers a range fromhuman jogging to vehicle riding in the countryfield. We assume that the moving speeds of thenodes are uniformly distributed from 0 to thehighest value. The sources and the destinationsof the connections are randomly picked from themobile nodes. For each examined condition, fiveconnection scenarios and four node movementscenarios are generated and the average values ofthe simulation results are shown in figures.

The parameters of the detection mechanism areas follows: �� 6 = 5 seconds, � � 7 � = 3 seconds, �= 1 second, and � = 10m. The longest interval be-tween two consecutive detection packets sent bythe source is 0.6 second, which is a little longerthan the average interval between data packets.Therefore, most of the wormhole detection infor-mation can be attached to data packets. We definethe longest distance that a node can move in onesecond as the unit distance. It can be calculatedas � " �� . Different values of

� � � � ��(from 0.5 to 2.5 times of the unit distance) areexamined.

Since the wormhole detection mechanism is asecurity enhancement, its false alarm ratio is ofspecial interest. Both false positive and false neg-

The highest node speed

1 1.5 2

Num

ber

of F

alse

Pos

itive

Ala

rms

8 m/s

Sensitivity / The unit distance

10 m/s15 m/s20 m/s

2.50

0.50

400

350

300

250

200

150

100

50

Figure 5: False positive alarms: no wormholes,sensitivity / the unit distance changes.

ative mistakes are studied. The storage and com-putation overhead has been discussed extensivelyin section V. In this part we focus on the commu-nication overhead in packets and bytes.

VIII.B. Results on false alarms

Figure 5 and 6 illustrate the false positive alarmsin an environment where no wormhole exists. InFigure 5, all destination nodes adopt the pro-posed mechanism as in equation 5 to guaranteethe detection capability. The curves show the re-lation between the number of false alarms and the� � � � �� . Four values of the highest speed,from 8m/s to 20m/s, are examined. The val-ues of

�and � are determined to minimize the

computation and storage overhead. The value ofthe

� � � � �� increases from 0.5 to 2.5 timesof the unit distance. From Figure 5, we findthat as the ratio increases, the number of falsealarms increases faster than a linear function. An-other interesting point is that the curves for dif-ferent speeds stay close to each other. In theproposed mechanism, it is the ratio between the� � � � �� and the unit distance, instead of theabsolute value of it, that determines the numberof false positive alarms.

False positive alarms lead to breaks of existentroutes and an increase in communication over-head. To lower the number of such mistakes,equation 5 can be updated to the following for-mat:

�� > �*� � 796 � ��4A6 � 6��?�*��

�*� 7 6�� &4A6 � 6��+�*�.� � (19)

17

0.50 1

400

1.5


2

Num

ber

of F

alse

Pos

itive

Ala

rms

Added offset / The unit distance

Sensitivity / The unit distance = 2.5

2.5

15 m/s

350

300

250

200

150

100

50

0

8 m/s10 m/s

20 m/s

Figure 6: False positive alarms: no wormholes,added offset / the unit distance changes.

in which the added offset is a value between 0and the

� � � � �� to achieve different tradeoffsbetween the detection capability and false alarmratio. Figure 6 illustrates the relation betweenthe number of false positive alarms and the addedoffset. The network setup is the same as in Figure5. The ratio between the

� � � � �� and the unitdistance is 2.5. The number of false alarms in-creases as the added offset increases. Comparedto Figure 5, fewer false positive alarms are intro-duced in Figure 6. The curves for different speedsare close to each other.

When the added offset is smaller than the� � � � �� , it causes fewer false positive mis-takes. However, as the analysis shows in sectionV, it may also miss the detection of some realwormholes. The following experiments are con-ducted to study this impact. Among the 50 nodesin the network, two pairs of nodes are randomlyselected as “potential attackers”. Each pair hasa long-range, out-of-band wireless channel thatcan be used to construct a wormhole. The attack-ers’ channels do not interfere with each other orthe channel used by the good nodes. To constructthe wormholes that cannot be detected when theadded offset is 0, the longest distance that the at-tackers can tunnel beyond the direct communica-tion range is the

� � � � �� . Therefore, the at-tackers will form a wormhole only when the dis-tance between them falls into that interval. Othersimulation parameters are the same as in Figure6. Figure 7 and 8 illustrate the false positive andnegative mistakes as the added offset changes.

In Figure 7, the curves are similar to those inFigure 6. Since some real wormholes are intro-duced into the system, fewer false positive mis-

Added offset / The unit distance


2.5


Num

ber

of F

alse

Pos

itive

Ala

rms

21.510.50

10 m/s

250

200

150

100

50

0

8 m/s

15 m/s20 m/s

Figure 7: False positive alarms: wormholes exist,added offset / the unit distance changes.


Added offset / The unit distance2.5


Num

ber

of F

alse

Neg

ativ

e A

larm

s21.510.5

70

8 m/s

60

50

40

30

20

10

0

10 m/s15 m/s20 m/s

Figure 8: False negative alarms: wormholes ex-ist, added offset / the unit distance changes.

takes are made. In Figure 8, as the added off-set increases, fewer and fewer real wormholesare missed by the detection mechanism. Throughadjusting the choices of the

� � � � �� and theadded offset, a mobile node can achieve a bettertradeoff between the false alarm ratio and the de-tection capability.

VIII.C. Results on communication over-head

The following experiments explore the ex-tra communication overhead introduced by thewormhole detection mechanism. We study bothpacket overhead and byte overhead. To establishthe baseline for the comparison, we also exam-ine the overhead caused only by the routing pro-tocol when the detection mechanism is not en-abled. Figure 9 and 10 illustrate the results col-lected from an environment in which no worm-holes exist.

As stated in section VIII.A, most of the detec-tion information is attached to the data packets.The extra packet overhead is primarily caused bythe route re-discovery procedure after the detec-

18

16 18 20

Pack

et o

verh

ead

/ del

iver

ed d

ata

pack

et

The highest node speed (m/s)

added offset / unit distance = 0.5


added offset / unit distance = 1.0added offset / unit distance = 1.5added offset / unit distance = 2.0

no wormhole detection enabled


4

141210864

3.5

3

2.5

2

1.5

Figure 9: Packet overhead of the wormhole de-tection mechanism.

16 18 20

Byt

e ov

erhe

ad /

deliv

ered

dat

a pa

cket

The highest node speed (m/s)




added offset / unit distance = 1.0added offset / unit distance = 1.5


no wormhole detection enabled300

141210864

350

250

200

150

100

50

Figure 10: Byte overhead of the wormhole detec-tion mechanism.

tion of a “wormhole”(could be a false alarm).From Figure 9 we find that as the added offsetincreases, more packet overhead is introduced.But the increase is small when the ratio betweenthe added offset and the unit distance is small.Through adjusting the values of

� � � � �� andthe added offset, a node can control the increaseof packet overhead.

The increase in byte overhead shown in Figure10 is more notable. The extra bytes are primar-ily caused by the � time, position � pairs attachedby the intermediate nodes, so the number of falsealarms does not impact them to a large extent.The curves for different values of the ratio areclose to each other. But compared to the overheadwhen no wormhole detection is enabled, the in-crease is sharp. The justifications for this increaseare two folds. First, the overhead is still reason-able for the applications in which the wormholesmust be prevented. The communication peers canlower the relative byte overhead by increasing thelength of data packets. Second, since the routesin the simulation are not long, we do not enablethe byte overhead control method stated in VI.B.The adoption of that method may help the nodes

to improve the efficiency.

IX. Discussion and Future Work

The analysis shows that the� � � � �� repre-

sents a tradeoff between the detection capabil-ity and the required resources. Many featurescan impact the choice of its “optimal” value andhere we only explore a few of them. First, the� � � � �� is restricted by the positioning ac-curacy because two records having a distanceshorter than � could represent the same pointin the network. Second, the

� � � � �� is im-pacted by the movement patterns of the nodes.The example in V.D shows that COTA missessome anomalies because the records falling intothe same slot and the same cell might be ignored.Therefore, taking the movement patterns into ac-count, we can choose a suitable

� � � � �� valueand determine

�and � to control the occurrence

of such events. More experiments will be con-ducted to explore their relations so that we canpredict the optimal interval of the

� � � � ��given a certain scenario.

As illustrated in section V.C and VI.A, the def-inition of packet lifetime ��%6 can restrict thenumber of stored records at the destination node.The other contribution of ��%6 is to guaranteethe record density of the intermediate nodes. Itcan prevent the attacker in an open or half openwormhole from declaring that it moves back andforth between two ends of the wormhole and for-wards the packets. If the proposed mechanismcan be integrated with IDS, this attack can bedetected by examining the anomaly in the nodemovement patterns. Under that condition, the re-striction of ��%6 can be loosened and replaced bya more generic time window duration.

In the proposed mechanism, wormhole detec-tion is conducted in a pro-active manner. We mayexpect that a re-active wormhole detection mech-anism will cause less communication and compu-tation overhead. To enable this update, the mech-anism needs to be combined with the intrusiondetection systems so that it will be activated whensuspicious conditions are discovered.

In the proposed mechanism every mobile nodeacts individually to detect wormholes. The com-

19

putation overhead and detection accuracy canbe further improved if the nodes can share theknowledge securely and cooperate on the detec-tion operations. Mechanisms will be designed toenable this information exchange procedure andto verify the authenticity of the information. Themechanisms can also be applied to defend againstwormhole attacks conducted by a group of collu-sive attackers.

Geographic based wormhole detection can beviewed as an example of the emerging LocationBased Services (LBS). One security concern ofLBS is the disclosure of the location and move-ment patterns of a mobile node. For example,in COTA, the destination has the real time loca-tion information of the source and every interme-diate node. This may conflict with the privacyconcerns of some users. A potential extensionis to use a “shadow” position to replace the realitem while keeping the distance among nodes thesame. The work is motivated by the researchin multi-dimensional scaling [77]. It allows thenodes to take advantages of LBS while achievingprivacy preservation.

X. Conclusion

The classification of wormhole attacks on ad hocnetworks constructs a basis on which the detec-tion mechanisms can be examined and compared.It divides the attacks into three groups: closed,half open, and open. The previous solutions fo-cus on the prevention of closed wormholes. Thisleads to the requirement of a more generic ap-proach.

An end-to-end mechanism is presented thatcan detect closed, half open and open wormholes.To reduce the storage and computation overhead,we present a new scheme, COTA, to manage thedetection information. It records and compares apart of the � time, position � pairs. With a suitablerelaxation, COTA has the same detection capa-bility as the end-to-end mechanism. Through ad-justing the cell size and time slot length, a nodecan control the resources that it wants to put onwormhole detection.

The schemes to control communication over-head are studied. Through adjusting the fre-

quency to send detection packets, the longest in-terval between position information of any inter-mediate node is guaranteed. To improve the scal-ability of the proposed mechanism, the destina-tion can select a part of the nodes to attach theirwormhole detection information.

The practicability of the proposed mechanismis examined using both simulation and experi-ments on real mobile devices. The false alarmratio can be controlled by adjusting the parame-ters such as the

� � � � �� and the added offset.When the

� � � � �� is 30m, a Compaq iPAQ3630 with 206M Hz CPU and 64M RAM canuse 0.28% of its CPU to accomplish the worm-hole detection on a 10-hop route. COTA does notdepend on a specific authentication mechanism.It can be combined with other approaches suchas TESLA to construct new wormhole detectionmechanisms.

The immediate extensions to our work consistof two parts. First, we propose to combine themechanism with the location based routing pro-tocols. Second, new schemes to reduce the de-tection packet frequency and byte overhead areunder development. They will lead to a generic,efficient approach that helps the ad hoc networksto defend against the wormhole attacks.

Acknowledgement

The authors would like to thank the editor andthe anonymous reviewers for their valuable com-ments and suggestions.

References

[1] D. Johnson, D. Maltz, and J. Jetcheva. DSR:The Dynamic Source Routing Protocol forMulti-Hop Wireless Ad Hoc Network. AdHoc Networking, Addison-Wesley, 2001.

[2] S. Marti, T. J. Giuli, K. Lai, and M. Baker.Mitigating routing misbehavior in mobilead hoc networks. In Proceedings of theSixth annual ACM/IEEE International Con-ference on Mobile Computing and Network-ing, 2000.

20

[3] H. Yang, X. Meng, and S. Lu. Self-organized network-layer security in mo-bile ad hoc networks. In Proceedingsof ACM Workshop on Wireless Security(WiSe), 2002.

[4] M. Zapata and N. Asokan. Securing ad-hoc routing protocols. In Proceedingsof ACM Workshop on Wireless Security(WiSe), 2002.

[5] Y. Hu, D. Johnson, and Adrian Perrig. Sead:Secure efficient distance vector routing formobile wireless ad hoc networks. In Proc.of the IEEE Workshop on Mobile Comput-ing Systems and Applications, 2002.

[6] Y. Hu, A. Perrig, and D. Johnson. Ariadne:A secure on-demand routing protocol for adhoc networks. In Proc. of ACM MobiCom,2002.

[7] A. Perrig, R. Canetti, D. Song, and D. Ty-gar. Efficient and secure source authenti-cation for multicast. In Proc. of Networkand Distributed System Security Symposium(NDSS), 2001.

[8] S. Yi, P. Naldurg, and R. Kravets. Security-aware ad hoc routing for wireless networks.In Proc. of the ACM Symposium on MobileAd Hoc Networking and Computing (Mobi-HOC), 2001.

[9] Y. Zhang and W. Lee. Intrusion detection inwireless Ad-Hoc networks. In Proceedingsof ACM MobiCom, 2000.

[10] V. Bharghavan. Secure wireless LANs. InProc. of the ACM Conference on Computersand Communications Security, 1994.

[11] Z. Zhou and Z. Haas. Securing Ad Hoc net-works. IEEE Networks, 13(6):24–30, 1999.

[12] P. Albers and O. Camp. Security in Ad Hocnetwork: A general ID architecture enhanc-ing trust based approaches. In Proceedingsof International Conference on EnterpriseInformation Systems, 2002.

[13] O. Kachirski and R. Guha. Intrusion de-tection using mobile agents in wireless adhoc networks. In Proceedings of IEEEWorkshop on Knowledge Media Network-ing (KMN), 2002.

[14] Yih-Chun Hu, Adrian Perrig, and David B.Johnson. Rushing attacks and defense inwireless ad hoc network routing protocols.In Proc. of the ACM Workshop on WirelessSecurity (WiSe), 2003.

[15] M. Corner and B. Noble. Zero-interactionauthentication. In Proceedings of the EighthAnnual International Conference on MobileComputing and Networking (MobiCom),2002.

[16] Y. Hu, A. Perrig, and D. Johnson. Packetleashes: A defense against wormhole at-tacks in wireless ad hoc networks. In Pro-ceedings of INFOCOM, 2003.

[17] S. Capkun, L. Buttyan, and J. Hubaux. Sec-tor: Secure tracking of node encounters inmulti-hop wireless networks. In Proceed-ings of the ACM Workshop on Security ofAd Hoc and Sensor Networks, 2003.

[18] L Hu and D. Evans. Using directional an-tennas to prevent wormhole attacks. to ap-pear in the Proceedings of Network andDistributed System Security Symposium(NDSS), 2004.

[19] C. Perkins and E. Royer. Ad-Hoc On-Demand Distance Vector Routing. In Pro-ceedings of the 2nd IEEE Workshop on Mo-bile Computing Systems and Applications,1999.

[20] C. Perkins. Highly dynamic destination-sequenced distance-vector routing (DSDV)for mobile computers. In Proceedings ofSIGCOMM, 1994.

[21] G. Pei, M. Gerla, X. Hong, and C.-C. Chi-ang. A wireless hierarchical routing proto-col with group mobility. In Proc. of IEEEWCNC, 1999.

21

[22] C. Chiang. Routing in Clustered Multi-hop, Mobile Wireless Networks with Fad-ing Channel. In Proceedings of IEEESICON, 1997.

[23] E. Royer. Hierarchical routing in ad hocmobile networks. Wireless Communicationand Mobile Computing, 2(5), 2002.

[24] C. Perkins, B. Woolf, and S. Alpert. MobileIP: Design Principles and Practices. Print-ice Hall, 1998.

[25] B. Gleeson, A. Lin, J. Heinanen, G. Ar-mitage, and A. Malis. A framework for IPBased Virtual Private Networks. IETF RFC2764, 2000.

[26] D. Awduche, L. Berger, D. Gan, T. Li,V. Srinivasan, and G. Swallow. RSVP-TE:Extensions to RSVP for LSP Tunnels. IETFRFC 3209.

[27] S. Bellovin. Security problems in theTCP/IP protocol suite. Computer Commu-nications Review, 19(2):32–48, April 1989.

[28] B. Dahill, B. Levine, E. Royer, andC. Shields. A secure routing protocol forad hoc networks. Tech report 02-32, Dept.of Computer Science, University of Mas-sachusetts, Amherst, 2001.

[29] P. Papadimitratos and Z. Haas. Secure rout-ing for mobile Ad Hoc networks. In Pro-ceedings of SCS Communication Networksand Distributed Systems Modeling and Sim-ulation Conference (CNDS), 2002.

[30] Y. Ko, V. Shankarkumar, and N. Vaidya.Medium access control protocols using di-rectional antennas in ad hoc networks. InProc. of INFOCOM, pages 13–21, 2000.

[31] R. Choudhury, X. Yang, R. Ramanathan,and N. Vaidya. Using directional antennasfor medium access control in ad hoc net-works. In Proceedings of ACM MobiCom,2002.

[32] N. Sastry, U. Shanker, and D. Wagner. Se-cure verification of location claims. In Pro-ceedings of the ACM Workshop on WirelessSecurity (WiSe), 2003.

[33] Paramvir Bahl and Venkata N. Padmanab-han. RADAR: An in-building RF-baseduser location and tracking system. In Proc.of INFOCOM, 2000.

[34] A. Ward, A. Jones, and A. Hopper. Anew location technique for the active office.IEEE Personnel Communications, 4(5):42–47, 1997.

[35] N. Jain, S. Das, and A. Nasipuri. A multi-channel MAC protocol with receiver-basedchannel selection for multihop wireless net-works. In Proceedings of the 9th Int.Conf. on Computer Communications andNetworks (IC3N), 2001.

[36] E. Jung and N. Vaidya. A power controlMAC protocol for ad-hoc networks. In Pro-ceedings of ACM MOBICOM, 2002.

[37] R. Pickholtz, D. Schilling, and L. Milstein.Theory of spread spectrum communications– a tutorial. IEEE Trans. Comm., 1982.

[38] V. Gupta, S. Krishnamurthy, and M. Falout-sos. Denial of service attacks at the MAClayer in wireless ad hoc networks. In Pro-ceedings of Milcom, 2002.

[39] Patrik Bjorklund, Peter Varbrand, andDi Yuan. Resource optimization of spatialTDMA in ad hoc radio networks: A columngeneration approach. In Proceedings of IN-FOCOM, 2003.

[40] L. Lamport, R. Shostak, and M. Pease. TheByzantine generals problem. ACM Trans.Program. Languages, 4(3):382–401, 1982.

[41] P. Misra and P. Enge. Global PositioningSystem, Signals, Measurements, and Perfor-mance. Ganga-Jamuna Press, 2001.

[42] Y. Ko and N. Vaidya. Location-aided rout-ing(LAR) in mobile ad hoc networks. InProceedings of MobiCom, 1998.

22

[43] S. Basagni, I. Chlamtac, and V.R. Syrotiuk.Dynamic source routing for ad hoc net-works using the global positioning system.In Proceedings of IEEE Wireless Communi-cation and Networking Conference, 1999.

[44] R. Jain, A. Puri, and R. Sengupta. Geo-graphical routing using partial informationfor wireless ad hoc networks. IEEE Per-sonal Communication, pages 48–57, Feb2001.

[45] Ya Xu, John S. Heidemann, and DeborahEstrin. Geography-informed energy conser-vation for ad hoc routing. In Proc. of ACMMobile Computing and Networking, pages70–84, 2001.

[46] H. Takagi and L. Kleinrock. Optimal trans-mission ranges for randomly distributedpacket radio terminals. IEEE Transactionson Communications, pages 246–257, 1984.

[47] T. Hodes and R. Katz. Composable adhoc location based services for heteroge-neous mobile clients. Wireless Networks,5(5):411–427, 1999.

[48] J. Agre, A. Akinyemi, L. Ji, R. Masuoka,and P. Thakkar. A layered architecture forlocation-based services in wireless ad hocnetworks. In Proc. of IEEE Aerospace Con-ference, 2002.

[49] S. Zhu, S. Xu, S. Setia, and S. Jajodia.LHAP:a lightweight hop-by-hop authenti-cation protocol for ad-hoc networks. In Pro-ceedings of International Workshop on Mo-bile and Wireless Network, 2003.

[50] Ashton Applewhite. What knows whereyou are? IEEE Pervasive Computing, Oct-Dec 2002.

[51] Federal communications com-mission(FCC) report 03-133.� � � � � � � � � � � � �� , 2003.

[52] D. Mills. A computer-controlled LORAN-C receiver for precision timekeeping. Tech-nical report 92-3-1, Dept. of Electrical

and Computer Engineering, University ofDelaware, 1992.

[53] D. Mills. A precision radio clock for wwvtransmissions. Technical report 97-8-1, De-partment of Electrical and Computer Engi-neering, University of Delaware, 1997.

[54] J. Elson, L. Girod, and D. Estrin. Fine-grained network time synchronization usingreference broadcasts. In Proceedings of theFifth Symposium on Operating systems De-sign and Implementation, 2002.

[55] M. Sichitiu and C. Veerarittiphan. Simple,accurate time synchronization for wirelesssensor networks. In Proceedings of IEEEWireless Communications and NetworkingConference (WCNC), 2003.

[56] Jana van Greunen and Jan Rabaey.Lightweight time synchronization forsensor networks. In Proceedings of ACMWorkshop on Wireless Sensor Networksand Applications, 2003.

[57] B. Hofmann-Wellenhof, Herbert Lichteneg-ger, and James Collins. Global Position-ing System: Theory and Practice. SpringerWien, New York, 1997.

[58] A. Brown. High accuracy GPS and antijamprotection using a p(y) code digital beam-steering receiver. In Proceedings of IONGPS Conference, 2001.

[59] L. Scott. Anti-spoofing and authenticatedsignal architectures for civil navigation sys-tems. In Proc. of ION GPS/GNSS Confer-ence, 2003.

[60] K. Deergha Rao. Anti-FM jamming in GPSreceivers using a Kalman-type nonlinearadaptive filter. In Proc of ION GPS/GNSSConference, 2003.

[61] P. Kruss. A survey of multicast security is-sues and architectures. In Proceedings of21st National Information Systems SecurityConference, 1998.

23

[62] M. Brown, D. Cheung, D. Hankerson,J. Hernandez, M. Kirkup, and A. Menezes.PGP in constrained wireless devices. InProceedings of the 9th USENIX SecuritySymposium, 2000.

[63] N. Courtois, L. Goubin, and J. Patarin.Flash, a fast multivariate signature algo-rithm. In Proceedings of Cryptographers’Track RSA Conference, 2001.

[64] Guillaume Poupard and Jacques Stern. Onthe Fly signatures based on factoring. InACM Conference on Computer and Com-munications Security, pages 37–45, 1999.

[65] C. Boyd and A. Mathuria. Key establish-ment protocols for secure mobile communi-cations: A selective survey. Lecture Notesin Computer Science, 1998.

[66] J. Hubaux, L. Buttyan, and S. Capkun. Thequest for security in mobile ad hoc network.In Proceedings of the ACM Symposium onMobile Ad Hoc Networking and Computing(MobiHOC), 2001.

[67] B. Shrader, M. Sanchez, and T. Giles.Throughput-delay analysis of conflict-freescheduling in multihop ad-hoc networks. InProceedings of the 3rd Swedish Workshopon Wireless Ad-hoc Networks, 2003.

[68] N. Bansal and Z. Liu. Capacity, delay andmobility in wireless ad-hoc networks. InProceedings of IEEE InfoCom, 2003.

[69] G. Sharma and R. R. Mazumdar. Delay andcapacity trade-offs for wireless ad hoc net-works with random mobility. Tech Reportof ECE Department, Purdue University andsubmit for review, 2003.

[70] Eugene Perevalov and Rick Blum. De-lay limited capacity of ad hoc networks:Asymptotically optimal transmission andrelaying strategy. In Proceedings of IEEEInfoCom, 2003.

[71] C. Perkins, E. Royer, and S. Das. Perfor-mance comparison of two on-demand rout-ing protocols for Ad Hoc networks. In Pro-ceedings of INFOCOM, 2000.

[72] T. Camp, J. Boleng, B. Williams, L. Wilcox,and W. Navidi. Performance comparison oftwo location based routing protocols for AdHoc networks. In Proc. of the IEEE INFO-COM, 2002.

[73] J. Kim and M. Krunz. Fluid analysis of de-lay performance for QoS support in wirelessnetworks. In Proc. of Seventh Annual Inter-national Conference on Network Protocols,1999.

[74] Y. Lu and B. Bhargava. Self-adjusting con-gestion avoidance routing protocol for adhoc networks. Technical report, PurdueUniversity, Department of Computer Sci-ences, February 2003.

[75] Network simulator – ns2.http://www.isi.edu/nsnam/ns/.

[76] D. Harkins and D. Carrel. The internet keyexchange (IKE) protocol. IETF RFC 2409,1998.

[77] W. Torgeson. Multidimensional scalingof similarity. Psychometrika, 30:379–393,1965.

24

cerias tech report 2005-145 defending against …...cerias tech report 2005-145 defending against...

Documents