Fast Detection of Mobile Replica Node Attacks in Wireless Sensor Networks Using Sequential Hypothesis Testing

Jun-Won Ho, Matthew Wright, and Sajal K. Das
Department of Computer Science and Engineering
The University of Texas at Arlington
[email protected], {mwright, das}@uta.edu

Abstract—Due to the unattended nature of wireless sensor networks, an adversary can capture and compromise sensor nodes, make replicas of them, and then mount a variety of attacks with these replicas. These replica-node attacks are dangerous because they allow the attacker to leverage the compromise of a few nodes to exert control over much of the network. Several replica node detection schemes have been proposed in the literature to defend against such attacks in static sensor networks. However, these schemes rely on fixed sensor locations and hence do not work in mobile sensor networks, where sensors are expected to move. In this work, we propose a fast and effective mobile replica node detection scheme using the Sequential Probability Ratio Test. To the best of our knowledge, this is the first work to tackle the problem of replica node attacks in mobile sensor networks. We show analytically and through simulation experiments that our scheme detects mobile replicas in an efficient and robust manner at the cost of reasonable overheads.

Index Terms—Replica detection, sequential analysis, mobile sensor networks, security.

I. INTRODUCTION

Advances in robotics have made it possible to develop a variety of new architectures for autonomous wireless networks of sensors. Mobile nodes, essentially small robots with sensing, wireless communications, and movement capabilities, are useful for tasks such as static sensor deployment, adaptive sampling, network repair, and event detection [4]. These advanced sensor network architectures could be used for a variety of applications including intruder detection, border monitoring, and military patrols. In potentially hostile environments, the security of unattended mobile nodes is extremely critical. The attacker may be able to capture and compromise mobile nodes, and then use them to inject fake data, disrupt network operations, and eavesdrop on network communications.

In this scenario, a particularly dangerous attack is the replica node attack [11], in which the adversary takes the secret keying materials from a compromised node, generates a large number of attacker-controlled replicas that share the compromised node’s keying materials and ID, and then spreads these replicas throughout the network. With a single captured node, the adversary can create as many replica nodes as he has the hardware to generate. Note that replica nodes need not be identical robots; a group of static nodes can mimic the movement of a robot and other mobile nodes or even humans with handheld devices could be used. The only requirement is that they have the software and keying material to communicate in the network, all of which can be obtained from the captured node.

The time and effort needed to inject these replica nodes into the network should be much less than the effort to capture and compromise the equivalent number of original nodes. The replica nodes are controlled by the adversary, but have keying materials that allow them to seem like authorized participants in the network. Protocols for secure sensor network communication would allow replica nodes to create pairwise shared keys with other nodes and the base station, thereby enabling the nodes to encrypt, decrypt, and authenticate all of their communications as if they were the original captured node.

The adversary can then leverage this insider position in many ways. For example, he can simply monitor a significant fraction of the network traffic that would pass through these nodes. Alternately, he could jam legitimate signals from benign nodes or inject falsified data to corrupt the sensors’ monitoring operation. A more aggressive attacker could undermine common network protocols, including cluster formation, localization, and data aggregation, thereby causing continual disruption to network operations. Through these methods, an adversary with a large number of replica nodes can easily defeat the mission of the deployed network.

A straightforward solution to stop replica node attacks is to prevent the adversary from extracting secret key materials from mobile nodes by equipping them with tamper-resistant hardware. We might expect such measures to be implemented in mobile nodes with security-critical missions. However, although tamper-resistant hardware can make it significantly harder and more time-consuming to extract keying materials from captured nodes, it may still be possible to bypass tamper resistance for a small number of nodes given enough time and attacker expertise. Since the adversary can generate many replicas from a single captured node, this means that replica attacks are even more dangerous when compared with the possibility of compromising many nodes. We thus believe that it is very important to develop software-based countermeasures to defend mobile sensor networks against replica node attacks.

Several software-based replica node detection schemes have been proposed for static sensor networks [3], [11], [17]. The primary method used by these schemes is to have nodes report
location claims that identify their positions and for other nodes to attempt to detect conflicting reports that signal one node in multiple locations. However, since this approach requires fixed node locations, it cannot be used when nodes are expected to move. Thus, our challenge is to design an effective, fast, and robust replica detection scheme specifically for mobile sensor networks.

In this paper, we propose a novel mobile replica detection scheme based on the Sequential Probability Ratio Test (SPRT) [15]. We use the fact that an uncompromised mobile node should never move at speeds in excess of the system-configured maximum speed. As a result, a benign mobile sensor node’s measured speed will nearly always be less than the system-configured maximum speed as long as we employ a speed measurement system with a low error rate. On the other hand, replica nodes are in two or more places at the same time. This makes it appear as if the replicated node is moving much faster than any of the benign nodes, and thus the replica nodes’ measured speeds will often be over the system-configured maximum speed. Accordingly, if we observe that a mobile node’s measured speed is over the system-configured maximum speed, it is then highly likely that at least two nodes with the same identity are present in the network.

However, if the system decides that a node has been replicated based on a single observation of a node moving faster than it should, we might get many false positives because of errors in speed measurement. Raising the speed threshold or other simple ways of compensating can lead to high false negative rates. To minimize these false positives and false negatives, we apply the SPRT, a hypothesis testing method that can make decisions quickly and accurately. We perform the SPRT on every mobile node using a null hypothesis that the mobile node has not been replicated and an alternate hypothesis that it has been replicated. In using the SPRT, the occurrence of a speed that is less than or exceeds the system-configured maximum speed will lead to acceptance of the null or alternate hypotheses, respectively. Once the alternate hypothesis is accepted, the replica nodes will be revoked from the network.

We validate the effectiveness, efficiency, and robustness of our scheme through analysis and simulation experiments. Specifically, we find that the main attack against the SPRT-based scheme is when replica nodes fail to provide signed location and time information for speed measurement. To overcome this attack, we employ a quarantine defense technique to block the non-compliant nodes. We then study this technique in two ways. First, we show through quarantine analysis that the amount of time, during a given time slot, that the replicas can impact the network is very limited. Second, we provide a detailed game-theoretic analysis that shows the limits of any attacker strategy over any number of time slots. Specifically, we formulate a two-player game to model the interaction between the attacker and the defender, derive the optimal attack and defense strategies, and show that the attacker’s gain is greatly limited when the attacker and the defender follow their respective optimal strategies. We provide analyses of the number of speed measurements needed to make replica detection decisions, which we show is quite low, and the amount of overhead incurred by running the protocol.

We also evaluate the performance of our scheme via a simulation study using the ns-2 simulator. In particular, we consider two types of replicas for performance evaluation: mobile and static. In the case of mobile replicas, we investigate how replica mobility affects the detection capability of our scheme. In the case of static (immobile) replicas, the attacker keeps his replica nodes close together and immobile to lessen the chance of speed-based detection. An exploration of the static replica case is useful since this case represents the worst case for detection, and thus we can see how our scheme works in the worst case. The simulation results of both cases show that this scheme very quickly detects mobile replicas with low false positive and negative rates. A preliminary version of this work appeared in [5].

The rest of the paper is organized as follows. Section II describes the problem statement, network assumptions, and adversary models for our scheme. Section III presents the proposed mobile replica detection scheme using the SPRT along with security and performance analyses. Section IV presents the results of simulations we conducted to evaluate the proposed scheme. Section V presents the related work. Finally, Section VI concludes the paper.

II. PROBLEM DEFINITION

In this section, we first state the problem and the network assumptions for our proposed scheme and then describe the attacker models we use to evaluate our approach.

A. Problem Statement

We define a mobile replica node $u'$ as a node having the same ID and secret keying materials as a mobile node u. An adversary creates replica node $u'$ as follows: He first compromises node u and extracts all secret keying materials from it. Then he prepares a new node $u'$, sets the ID of $u'$ to the same as u, and loads u’s secret keying materials into $u'$. There may be multiple replicas of u, e.g. $u'_1, u'_2, \ldots$, and there may be multiple compromised and replicated nodes. Our goal is to detect the fact that both u and $u'$ (or $u'_1, u'_2, \ldots$) operate as separate entities with the same identity and keys.

B. Network Assumptions

We consider a two-dimensional mobile sensor network where sensor nodes freely roam throughout the network. We assume that every mobile sensor node’s movement is physically limited by the system-configured maximum speed, $V_{max}$. We also assume that all direct communication links between sensor nodes are bidirectional. This communication model is common in the current generation of sensor networks. We assume that every mobile sensor node is capable of obtaining its location information and also verifying the locations of its neighboring nodes. This can be implemented by employing secure localization methods [2], [7]. We assume that the clocks of all nodes are loosely synchronized. This can be achieved with the help of secure time synchronization protocols [12], [13]. We also assume that the nodes in the mobile sensor network communicate with a base station. The base station may be static or mobile, although we focus on a static base station for our simulations, as long as the nodes have a way to communicate reliably to the base station on a regular basis.

C. Attacker Models

We assume that an adversary may compromise and fully control a subset of the sensor nodes, enabling him to mount various kinds of attacks. For instance, he can inject false data packets into the network and disrupt local control protocols such as localization, time synchronization, and the route discovery process. Furthermore, he can launch denial of service attacks by jamming the signals from benign nodes. However, we place some limits on the ability of the adversary to compromise nodes. We note that if the adversary can compromise a major fraction of the nodes in the network, he will not need nor benefit much from the deployment of replicas.

To amplify his effectiveness, the adversary can also launch a replica node attack, which is the subject of our investigation. We assume that the adversary can produce many replica nodes and that they will be accepted as a legitimate part of the network. We also assume that the attacker attempts to employ as many replicas of one or more compromised sensor nodes in the network as will be effective for his attacks. The attacker can allow his replica nodes to randomly move or he could move his replica nodes in different patterns in an attempt to frustrate our proposed scheme. We discuss this possibility in Section III-B.

We also assume that the base station is a trusted entity. This is a reasonable assumption in mobile sensor networks, because the network operator collects all sensor data and can typically control the nodes’ operation through the base station. Thus, the basic mission of the sensor network is already completely undermined if the base station is compromised.

III. MOBILE REPLICA DETECTION USING SEQUENTIAL PROBABILITY RATIO TEST

This section presents the details of our technique to detect replica node attacks in mobile sensor networks.

In static sensor networks, a sensor node is regarded as being replicated if it is placed in more than one location. If nodes are moving around in the network, however, this technique does not work, because a benign mobile node would be treated as a replica due to its continuous change in location. Hence, we must use some other technique to detect replica nodes in mobile sensor networks. Fortunately, mobility provides us with a clue to help resolve the mobile replica detection problem. Specifically, a benign mobile sensor node should never move faster than the system-configured maximum speed, $V_{max}$. As a result, a benign mobile sensor node’s measured speed will appear to be at most $V_{max}$ as long as we employ a speed measurement system with a low rate of error. On the other hand, replica nodes will appear to move much faster than benign nodes and thus their measured speeds will likely be over $V_{max}$ because they need to be at two (or more) different places at once. Accordingly, if the mobile node’s measured speed exceeds $V_{max}$, it is then highly likely that at least two nodes with the same identity are present in the network.

We propose a mobile replica detection scheme by leveraging this intuition. Our scheme is based on the Sequential Probability Ratio Test (SPRT) [15], which is a statistical decision process. The SPRT can be thought of as a one-dimensional random walk with lower and upper limits [8]. Before the random walk starts, null and alternate hypotheses are defined in such a way that the null hypothesis is associated with the lower limit while the alternate one is associated with the upper limit. A random walk starts from a point between the two limits and moves toward the lower or upper limit in accordance with each observation. If the walk reaches (or exceeds) the lower or upper limit, it terminates and the null or alternate hypothesis is selected, respectively. We believe that the SPRT is well suited for tackling the mobile replica detection problem since we can construct a random walk with two limits in such a way that each walk is determined by the observed speed of a mobile node. The lower and upper limits can be configured to be associated with speeds less than and in excess of $V_{max}$, respectively.

We apply the SPRT to the mobile replica detection problem as follows. Each time a mobile sensor node moves to a new location, each of its neighbors asks for a signed claim containing its location and time information and decides probabilistically whether to forward the received claim to the base station. The base station computes the speed from every two consecutive claims of a mobile node and performs the SPRT by considering speed as an observed sample. Each time the mobile node’s speed exceeds (resp. remains below) $V_{max}$, it will expedite the random walk to hit or cross the upper (resp. lower) limit and thus lead to the base station accepting the alternate (resp. null) hypothesis that the mobile node has been (resp. not been) replicated. Once the base station decides that a mobile node has been replicated, it revokes the replica nodes from the network.

Let us first describe the detection scheme and then analyze its security and performance.

A. Protocol Description

Before deployment, every sensor node gets secret keying materials for generating digital signatures. We will use an identity-based public key scheme. It has been demonstrated that public key operations can be efficiently implemented in static sensor devices [9], [16]. Moreover, most replica detection schemes in static sensor networks [3], [11] employ identity-based public key signatures. Mobile sensor devices are generally more powerful than static ones in terms of battery power, due to the fact that the mobile sensor node consumes a lot of energy to move. Additionally, the energy consumption due to movement is known to be substantially larger than that for public key operations. For example, the power consumption for the movement of a mobile sensor device has been measured at 720 mW [4]. The energy consumption for computing and verifying a public key signature has been measured at between 2.9 mW and 48 mW and between 3.5 mW and 58.5 mW, respectively, in accordance with existing sensor hardware platforms [9]. Thus, we believe that a public key signature scheme can be practical for mobile sensor networks. Our proposed protocol proceeds in two phases.

1) Claim Generation and Forwarding: Each time a mobile sensor node u moves to a new location, it first discovers its location $L_u$ and then discovers its set of neighboring nodes, $N(u)$. Every neighboring node $v \in N(u)$ asks node u for an authenticated location claim by sending its current time T to node u. Upon receiving T, node u checks whether T is valid or not. If $|T' - T| > \delta + \epsilon$, where $T'$ is the claim receipt time at u, $\delta$ is the estimated transmission delay of a claim, and $\epsilon$ is the maximum error in time synchronization, then node u will ignore the request. Otherwise, u generates the location claim $C_u = \{u \| L_u \| T \| Sig_u\}$ and sends it to v, where $Sig_u$ is the signature over the tuple $(u, L_u, T)$ generated using node u’s private key. If u denies the claim requests, or if its claim contains invalid time information or fails to authenticate, then u will be removed from $N(v)$. Also, if u claims a location $L_u$ such that the distance between $L_v$ and $L_u$ is larger than the assumed signal range of v, then it will be removed from $N(v)$. Once the above filtering process is passed, each neighbor v of node u forwards u’s claim to the base station with probability p.

Regarding errors in the measurement of time and location, we can consider both random and systematic errors. Since speed is measured based on location and time, the errors can come from either measurement. We note that the time of each claim is measured and verified by the requesting node, rather than the measured node. Since claim verification and forwarding is done probabilistically, the chance of having two verified and forwarded claims from the same requesting node is low. Thus, systematic time measurement error at the requesting node is likely to result in independent errors between each location claim for the nodes being measured. Systematic location measurement error means that the measurements are not independent. However, if we assume that the measurement error is consistent and biased in one direction, then the speed of a node will be measured accurately in most cases. Random location measurement errors are more likely to lead to errors in speed measurement. Thus, for our system, we treat error from one claim to the next as random and independent for the measurement of nodes’ speeds.

2) Detection and Revocation: Upon receiving a location claim from node u, the base station verifies the authenticity of the claim with the public key of u and discards the claim if it is not authentic. We denote the authentic claims from node u by $C^1_u, C^2_u, \ldots$. The base station extracts location information $L^i_u$ and time information $T_i$ from claim $C^i_u$. Let $d_i$ denote the Euclidean distance from location $L^i_u$ at time $T_i$ to $L^{i+1}_u$ at $T_{i+1}$. Let $o_i$ denote the measured speed at time $T_{i+1}$, where $i = 1, 2, \ldots$. In other words, $o_i$ is defined as:

$$o_i = \frac{d_i}{|T_{i+1} - T_i|} \qquad (1)$$

Let $S_i$ denote a Bernoulli random variable defined as:

$$S_i = \begin{cases} 0 & \text{if } o_i \le V_{max} \\ 1 & \text{if } o_i > V_{max} \end{cases}$$

Then the success probability $\lambda$ of the Bernoulli distribution is defined as:

$$\Pr(S_i = 1) = 1 - \Pr(S_i = 0) = \lambda \qquad (2)$$

If $\lambda$ is less than or equal to a preset threshold $\lambda'$, it is likely that node u has not been replicated. On the other hand, if $\lambda > \lambda'$, it is likely that node u has been replicated. The problem of deciding whether u has been replicated or not can be formulated as a hypothesis testing problem with null and alternate hypotheses of $\lambda \le \lambda'$ and $\lambda > \lambda'$, respectively. In this problem, we need to devise an appropriate sampling strategy in order to prevent hypothesis testing from making the wrong decision. In particular, we should specify the maximum chance errors that we want to tolerate for a good sampling strategy. To do this, we reformulate the above hypothesis testing problem as one with null and alternate hypotheses of $\lambda \le \lambda_0$ and $\lambda \ge \lambda_1$, respectively, such that $\lambda_0 < \lambda_1$. In this reformulated problem, the acceptance of the alternate hypothesis is regarded as a false positive error when $\lambda \le \lambda_0$, and the acceptance of the null hypothesis is regarded as a false negative error when $\lambda \ge \lambda_1$. To prevent the decision process from making these two types of errors, we define a user-configured false positive rate $\alpha'$ and false negative rate $\beta'$ in such a way that the false positive and negative rates should not exceed $\alpha'$ and $\beta'$, respectively.

To understand the basis of this sampling plan, we present how the SPRT is performed to make a decision about node u from the n observed samples, where a measured speed of u is treated as a sample. We first define the null hypothesis $H_0$ and the alternate one $H_1$ as follows: $H_0$ is the hypothesis that node u has not been replicated and $H_1$ is the hypothesis that u has been replicated. We then define $L_n$ as the log-probability ratio on n samples, given as:

$$L_n = \ln \frac{\Pr(S_1, \ldots, S_n \mid H_1)}{\Pr(S_1, \ldots, S_n \mid H_0)} \qquad (3)$$

We assume that each speed measurement for a given node is independent of the other speed measurements. Thus, we assume that $S_i$ is independent and identically distributed (i.i.d.). Then, $L_n$ can be rewritten as:

$$L_n = \ln \frac{\prod_{i=1}^{n} \Pr(S_i \mid H_1)}{\prod_{i=1}^{n} \Pr(S_i \mid H_0)} = \sum_{i=1}^{n} \ln \frac{\Pr(S_i \mid H_1)}{\Pr(S_i \mid H_0)} \qquad (4)$$

Let $\omega_n$ denote the number of times that $S_i = 1$ in the n samples. Thus we have

$$L_n = \omega_n \ln \frac{\lambda_1}{\lambda_0} + (n - \omega_n) \ln \frac{1 - \lambda_1}{1 - \lambda_0} \qquad (5)$$

where

$$\lambda_0 = \Pr(S_i = 1 \mid H_0), \qquad \lambda_1 = \Pr(S_i = 1 \mid H_1).$$

The rationale behind the configuration of $\lambda_0$ and $\lambda_1$ is as follows. On the one hand, $\lambda_0$ should be configured in accordance with the likelihood of the occurrence that a benign node’s measured speed exceeds $V_{max}$ due to time synchronization and localization errors. On the other hand, $\lambda_1$ should be configured to consider the likelihood of the occurrence that replica nodes’ measured speeds exceed $V_{max}$. Since the former likelihood is lower than the latter one, $\lambda_0$ should be set lower than $\lambda_1$.

On the basis of the log-probability ratio $L_n$, the SPRT for $H_0$ against $H_1$ is given as follows:

• $L_n \le \ln \frac{\beta'}{1 - \alpha'}$: accept $H_0$ and terminate the test.

• $L_n \ge \ln \frac{1 - \beta'}{\alpha'}$: accept $H_1$ and terminate the test.

• $\ln \frac{\beta'}{1 - \alpha'} < L_n < \ln \frac{1 - \beta'}{\alpha'}$: continue the test process with another observation.

We can rewrite the SPRT as follows:

• $\omega_n \le \tau_0(n)$: accept $H_0$ and terminate the test.

• $\omega_n \ge \tau_1(n)$: accept $H_1$ and terminate the test.

• $\tau_0(n) < \omega_n < \tau_1(n)$: continue the test process with another observation.

where

$$\tau_0(n) = \frac{\ln \frac{\beta'}{1 - \alpha'} + n \ln \frac{1 - \lambda_0}{1 - \lambda_1}}{\ln \frac{\lambda_1}{\lambda_0} - \ln \frac{1 - \lambda_1}{1 - \lambda_0}}, \qquad \tau_1(n) = \frac{\ln \frac{1 - \beta'}{\alpha'} + n \ln \frac{1 - \lambda_0}{1 - \lambda_1}}{\ln \frac{\lambda_1}{\lambda_0} - \ln \frac{1 - \lambda_1}{1 - \lambda_0}}$$

If a mobile node u is judged as benign, the base station restarts the SPRT with newly arrived claims from u. If, however, u is determined to be replicated, the base station terminates the SPRT on u and revokes all nodes with identity u from the network.
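The base-station side of the detection phase, as an added example that is not the authors' code: speeds are computed from consecutive claims per eq. (1), mapped to $S_i$, accumulated into $L_n$ per eq. (5) against the two limits, and the equivalent count form with $\tau_0(n)$, $\tau_1(n)$ is checked at every decision. The parameter values ($V_{max}$ = 10, $\lambda_0$ = 0.1, $\lambda_1$ = 0.9, $\alpha'$ = $\beta'$ = 0.01) and the claim sequences are constructed assumptions, and signature verification of each claim is assumed to have already happened.

```python
import math
from dataclasses import dataclass

# Assumed parameters for this example, not values taken from the paper.
V_MAX = 10.0    # system-configured maximum speed, m/s
LAMBDA0 = 0.1   # Pr(S_i = 1 | H0): a benign node exceeds V_MAX only through measurement error
LAMBDA1 = 0.9   # Pr(S_i = 1 | H1): a replicated identity usually appears to exceed V_MAX
ALPHA = 0.01    # user-configured false positive rate alpha'
BETA = 0.01     # user-configured false negative rate beta'


@dataclass(frozen=True)
class Claim:
    """Location claim C_u = {u || L_u || T || Sig_u} after Sig_u has been verified."""
    node_id: str
    loc: tuple   # L_u in the two-dimensional field
    t: float     # T, the time supplied by the requesting neighbor


class ReplicaSPRT:
    """Sequential probability ratio test on one node's successive claims."""
    def __init__(self, v_max, lambda0, lambda1, alpha, beta):
        assert 0.0 < lambda0 < lambda1 < 1.0 and 0.0 < alpha < 1.0 and 0.0 < beta < 1.0
        self.v_max = v_max
        self.lambda0, self.lambda1 = lambda0, lambda1
        # Random-walk limits: ln(beta'/(1-alpha')) below, ln((1-beta')/alpha') above.
        self.lower = math.log(beta / (1.0 - alpha))
        self.upper = math.log((1.0 - beta) / alpha)
        # Increments of L_n per sample from eq. (5), for S_i = 1 and S_i = 0.
        self.step1 = math.log(lambda1 / lambda0)
        self.step0 = math.log((1.0 - lambda1) / (1.0 - lambda0))
        self.reset()

    def reset(self):
        """Restart the test; the next speed sample needs two newly arrived claims."""
        self.prev = None
        self.n = 0       # samples seen
        self.omega = 0   # omega_n: samples with S_i = 1
        self.L = 0.0     # L_n

    def observe(self, claim):
        """Feed one verified claim; return 'H0', 'H1' or None (keep sampling)."""
        if self.prev is not None and claim.t != self.prev.t:
            o_i = math.dist(self.prev.loc, claim.loc) / abs(claim.t - self.prev.t)  # eq. (1)
            s_i = 1 if o_i > self.v_max else 0
            self.n += 1
            self.omega += s_i
            self.L += self.step1 if s_i else self.step0
        self.prev = claim
        if self.L <= self.lower:
            return "H0"
        if self.L >= self.upper:
            return "H1"
        return None

    def tau(self, n):
        """tau_0(n), tau_1(n): the same limits expressed as counts of S_i = 1."""
        denom = self.step1 - self.step0
        drift = n * math.log((1.0 - self.lambda0) / (1.0 - self.lambda1))
        return (self.lower + drift) / denom, (self.upper + drift) / denom

    def decide_by_count(self):
        """Decision from omega_n against tau_0(n), tau_1(n); must agree with observe()."""
        tau0, tau1 = self.tau(self.n)
        if self.omega <= tau0:
            return "H0"
        if self.omega >= tau1:
            return "H1"
        return None


def make_detector():
    return ReplicaSPRT(V_MAX, LAMBDA0, LAMBDA1, ALPHA, BETA)


def run_sprt(claims, sprt):
    """Feed claims in arrival order; return (samples used, decision) per decision.
    H0 restarts the test with new claims; H1 terminates it (identity revoked)."""
    sprt.reset()
    decisions = []
    for claim in claims:
        decision = sprt.observe(claim)
        if decision is None:
            continue
        assert sprt.decide_by_count() == decision  # count form must agree
        decisions.append((sprt.n, decision))
        if decision == "H1":
            break
        sprt.reset()
    return decisions


# Constructed claim sequences: one claim per second, positions in metres.
BENIGN = [Claim("u", (5.0 * k, 0.0), float(k)) for k in range(8)]             # 5 m/s
NOISY_BENIGN = [Claim("u", (x, 0.0), float(k))                                # one bad fix
                for k, x in enumerate([0.0, 5.0, 10.0, 60.0, 65.0, 70.0, 75.0])]
REPLICATED = [Claim("w", ((k % 2) * 500.0, 0.0), float(k)) for k in range(8)]  # two places
```

The single spurious over-speed sample in NOISY_BENIGN moves the walk up but never reaches the upper limit, which is why the paper prefers the SPRT to a one-shot speed threshold; the identity that alternates between two points 500 m apart is revoked after three samples.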

B. Security Analysis

In this section, we will first describe the detection accuracy of our proposed scheme and then present attack scenarios to break this scheme and a defense strategy we propose to limit these attacks. Finally, we will show that the attacker’s gain is substantially limited by the defense strategy.

1) Detection Accuracy: In the SPRT, $\alpha$ and $\beta$ are defined as the error probability that the SPRT accepts $H_1$ (resp. $H_0$) when $H_0$ (resp. $H_1$) is true. Since $H_0$ is the hypothesis that a node u has not been replicated, $\alpha$ and $\beta$ are the false positive and false negative probabilities of the SPRT, respectively. According to Wald’s theory [15], the upper bounds of $\alpha$ and $\beta$ are calculated as $\alpha \le \frac{\alpha'}{1 - \beta'}$ and $\beta \le \frac{\beta'}{1 - \alpha'}$, respectively. Furthermore, it has been shown [15] that the sum of the false positive and negative probabilities of the SPRT is limited by the sum of user-configured false positive and negative probabilities. Namely, the inequality $\alpha + \beta \le \alpha' + \beta'$ holds. Since $\beta$ is the false negative probability, $(1 - \beta)$ is the replica detection probability. Accordingly, the lower bound on the replica detection probability is $(1 - \beta) \ge \frac{1 - \alpha' - \beta'}{1 - \alpha'}$. From the above inequalities, we observe that low user-configured false positive and negative probabilities will lead to a low false negative probability for the sequential test process. Hence, it will result in high detection rates. For instance, if the user configures both $\alpha'$ and $\beta'$ to 0.01, then the replica detection is guaranteed with probability 0.99.

2) Limitations of Replica Node Attacks: Let us now discuss ways in which the attacker could attempt to evade our detection scheme and defensive countermeasures that we can employ.

First, a malicious node u may attempt to forge a claim, either by sending a claim with incorrect data or by sending a claim with a bad signature. However, all of u's neighbors will check the validity of u's identity, reported location, reported time, and the signature over these values using node u's public key. Alternatively, node u can simply ignore the claim requests. In our scheme, if u's benign neighbor does not receive a claim despite sending a claim request, it will remove u from its neighboring set and will not communicate with u.

We note that if one of u's neighbors is malicious, the malicious node can serve as u's neighbor for forwarding packets. However, there is little benefit to the attacker of having a replica node in the same area as another compromised node. The compromised node can just as easily report fake data, participate in local control protocols, and eavesdrop on messages sent through it. Furthermore, if the attacker needs one compromised node to accompany each replica node in the network, there will be a very high cost for replica node attacks.

Similarly, an attacker will not gain much benefit from having multiple replicas of a single node form a group that always moves together and stays close enough so that all replicas can claim the same location. This is because these nodes would essentially have the same set of neighbors. Consider a compromised node u and its replica u′ communicating with neighboring node v. From v's perspective, there is no difference between the two replicas, and v treats all messages as coming from a single node. The two nodes thus cannot do anything that a single compromised node u could not do by itself. If the replicas can claim the same location while reaching a slightly larger set of neighbors, then the attacker can gain a small amount of additional influence through the replica attack, but no more than it could gain with a better antenna and more signal power.

An interesting variant of this attack, however, is to keep replicas close to each other so that the perceived velocity between their location claims is less than Vmax. To do this, an attacker coordinates a set of replicas to respond with correct claims only to those claim requests that make it appear as a single node never moving faster than Vmax. The attacker can have some replicas grouped closely together for this purpose; replicas that are further away must ignore claim requests or respond with false claims to avoid detection. To illustrate this attacker's strategy, let us consider a simple attack scenario in which a compromised node u and its replica u′ are fixed to some locations in such a way that the distance between these two nodes is set to d. We assume that nodes u and u′ initiate the neighbor discovery process at time T0 and T0 + d/Vmax, respectively. Moreover, suppose that node u receives a claim request from neighbor v at time T0 + ξ and node u′ receives a request from neighbor w at time T0 + d/Vmax + ξ. Nodes u and u′ send claims to v and w and ignore all incoming claim requests from other neighbors or give them false claims. Even though either v or w may move to a new location, the attacker can control nodes u and u′ to accept claim requests from newly designated neighbors in such a way that the claim receipt time of u remains d/Vmax time ahead of that of u′. In this way, the attacker can successfully deceive the base station into believing that u moves back and forth with speed Vmax. This attack scenario can be generalized to the case of a set of replicas and to allow for movement.


Since the replicas do not provide valid claims that would make the observed speed exceed Vmax, they can trick the base station into accepting H0, the hypothesis that they are not replicas. To stop this attack, we propose to have the base station check whether each node responds with correct claims to all incoming claim requests.

Specifically, each time a malicious node u ignores a claim request from a benign neighbor node v or responds with false claims, v generates a denial of claim request notification message, DCN = {v || u || MAC_Kv[v || u]}, and sends it to the base station, where MAC is a message authentication code calculated using Kv, the shared secret key between v and the base station. Upon receiving the DCN message from v, the base station first checks the authenticity of the DCN and rejects it if it is invalid. Assume that the entire time domain is divided into time slots. The base station maintains a DCN counter for each node such that it initializes each counter to 0 and then resets it to 0 at the beginning of each time slot. Each time the base station receives a DCN message on u from v, it increases the DCN counter for u. If the DCN counter for u exceeds a predefined threshold ρ during a time slot, it is highly likely that u has discarded a substantial fraction of claim requests during the time slot and is likely to be a replica node attempting to evade detection.

In this case, the base station will temporarily quarantine u from the network by disregarding all messages from u and broadcasting the quarantine information to all nodes. Upon receiving this quarantine message, all nodes will stop communicating with u except for exchanging claim request and response messages. If the DCN counter for u does not exceed threshold ρ during the quarantine period, the base station will release the quarantine that it imposed on u after the expiry of the quarantine period and broadcast the release information. Otherwise, it will extend the quarantine period by one time slot. The quarantine period needs to be long enough to ensure that the replica nodes would be quarantined for longer periods than they would be able to participate freely in the network. This principle will also help prevent frequent oscillation between quarantine and non-quarantine states. Since the base station determines in each time slot whether to impose quarantine on a node, it can satisfy the above principle by setting the quarantine period to be multiple time slots.

To trick the base station into putting benign nodes into quarantine, the attacker could send many fake DCN messages. Specifically, if the base station receives more than ρ fake DCN messages on the benign node v, then v will be quarantined even though it responds correctly to all incoming claim requests. To discourage this type of attack, we restrict each node from sending more than one DCN per time slot. If the base station receives more than one DCN from a node during a time slot, it will accept only one DCN from the node and discard the others. Hence, the attacker needs more than ρ compromised nodes per time slot to force a benign node to be quarantined, which deters him from mounting a fake DCN attack. From this analysis, we see that ρ needs to be configured in accordance with the number of compromised nodes in the network. From the perspective that the main benefit of replica node attacks is to substantially reduce the time and effort required for wide-spread node compromise, the attacker will be interested in having only a few compromised nodes when he employs replica node attacks. Therefore, it will be reasonable for ρ to be set to a small value in practice.
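The DCN bookkeeping and quarantine rules described above, as an added example of the base-station logic (not code from the paper): authenticity check of each DCN, at most one counted DCN per reporter per slot, quarantine for q slots when the per-slot counter exceeds ρ, one-slot extension while it keeps exceeding ρ, and release otherwise. HMAC-SHA256 as the MAC, the node ids and the per-node keys are constructed assumptions.

```python
import hashlib
import hmac


class DCNQuarantine:
    """Base-station side of the DCN counting and quarantine logic (added example).

    node_keys maps a node id v to K_v, the secret it shares with the base station;
    rho is the per-slot DCN threshold and q the quarantine period in time slots.
    """

    def __init__(self, node_keys, rho, q):
        self.keys, self.rho, self.q = dict(node_keys), rho, q
        self.slot = 0                 # index of the current time slot
        self.counter = {}             # accused node u -> DCNs counted this slot
        self.reported = set()         # reporters v that already sent a DCN this slot
        self.quarantine_until = {}    # u -> first slot index in which u is free again

    @staticmethod
    def mac(key, v, u):
        """MAC_{K_v}[v || u]; HMAC-SHA256 is an assumed instantiation."""
        return hmac.new(key, v.encode() + b"||" + u.encode(), hashlib.sha256).digest()

    def make_dcn(self, v, u):
        """What neighbor v sends when u ignores or falsifies a claim: (v, u, MAC)."""
        return v, u, self.mac(self.keys[v], v, u)

    def receive_dcn(self, v, u, tag):
        """Verify and count one DCN; returns True if it was counted."""
        key = self.keys.get(v)
        if key is None or not hmac.compare_digest(tag, self.mac(key, v, u)):
            return False              # unauthentic DCN is rejected
        if v in self.reported:
            return False              # only one DCN per reporter per slot is accepted
        self.reported.add(v)
        self.counter[u] = self.counter.get(u, 0) + 1
        return True

    def is_quarantined(self, u):
        return self.slot < self.quarantine_until.get(u, 0)

    def end_slot(self):
        """Close the slot: impose, extend or release quarantines; returns the events."""
        events = []
        for u, count in self.counter.items():
            if count > self.rho:
                if u in self.quarantine_until:           # still misbehaving: +1 slot
                    self.quarantine_until[u] += 1
                    events.append((u, "extend"))
                else:                                    # quarantine the next q slots
                    self.quarantine_until[u] = self.slot + 1 + self.q
                    events.append((u, "quarantine"))
        expired = [u for u, end in self.quarantine_until.items() if end == self.slot + 1]
        for u in expired:
            del self.quarantine_until[u]                 # period ended without excess DCNs
            events.append((u, "release"))
        self.counter, self.reported = {}, set()
        self.slot += 1
        return events


if __name__ == "__main__":
    # Constructed network: six benign neighbors v1..v6, two compromised nodes c1, c2.
    keys = {f"v{i}": bytes([i]) * 16 for i in range(1, 7)}
    keys.update({"c1": b"k" * 16, "c2": b"j" * 16})
    bs = DCNQuarantine(keys, rho=4, q=3)
    for i in range(1, 6):                      # replica u ignores five neighbors
        bs.receive_dcn(*bs.make_dcn(f"v{i}", "u"))
    for _ in range(5):                         # c1 and c2 flood DCNs about benign b
        bs.receive_dcn(*bs.make_dcn("c1", "b"))
        bs.receive_dcn(*bs.make_dcn("c2", "b"))
    print(bs.end_slot())                       # [('u', 'quarantine')]; b stays free
    for _ in range(3):
        print(bs.end_slot())                   # [], [], [('u', 'release')]
```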

3) Short-Term Quantitative Analysis of Quarantine Defense Strategy: We now quantitatively determine a limit on the amount of time for which a set of replicas can avoid detection and quarantine when they follow a strategy of responding only to selected claims. Our underlying argument is that the replica nodes must ignore a minimum number of claim requests to avoid detection, but we will configure the quarantine system to react and stop the replica node attacks when many claims are ignored.

Suppose that r replicas of a compromised node u are fixed to some locations. We model the arrival of claim requests to each replica as a homogeneous Poisson process. We use a Poisson process for the following reasons: First, we assume that mobile nodes' movements in disjoint intervals are independent from each other, and thus the numbers of times that mobile nodes meet replicas in disjoint intervals are accordingly independent from each other. Second, the probability distribution of the number of claim requests received by replicas in a time interval should be modeled to depend only on the length of the interval. This is reasonable in the sense that the number of claim requests received by replicas in a time interval varies in accordance with the length of the interval. Note that the sum of multiple homogeneous Poisson processes is also a homogeneous Poisson process with the rates summed together. Thus, we model the claim request arrival process of the r replicas as a homogeneous Poisson process with rate parameter θ. Note that the interarrival times in the Poisson process have an exponential distribution with parameter θ. Let Xi, i = 1, 2, . . . be independent, identically distributed (i.i.d.) exponential random variables with parameter θ.

Let ∆T denote the duration of a time slot. Suppose that claim requests arrive at r replicas from the beginning to the end of a time slot. Let oi be the speed measured according to the ith and the (i + 1)th claim requests during ∆T time. Thus, oi is defined as di/Xi, where di is the Euclidean distance between a pair of replicas that receive the ith and the (i + 1)th claim requests. Let p′(di) be the probability that oi exceeds Vmax during ∆T time, where di/Vmax ≤ ∆T. Clearly, p′(di) is equivalent to the probability Pr(Xi < di/Vmax | Xi ≤ ∆T). Since Xi follows an exponential distribution with parameter θ, we compute the probability p′(di) with the aid of the improper integral:

$$p'(d_i) = \Pr\Big(X_i < \frac{d_i}{V_{max}} \,\Big|\, X_i \le \Delta T\Big) = \lim_{c \to \frac{d_i}{V_{max}}} \frac{1 - e^{-c\theta}}{1 - e^{-\theta \Delta T}} = \frac{1 - e^{-\frac{\theta d_i}{V_{max}}}}{1 - e^{-\theta \Delta T}}$$

[Fig. 1. Analysis: ∆R vs. ∆T. Plot of ∆R against ∆T (sec) for Case I: dmin = 20 m, θ = 20/s; Case II: dmin = 40 m, θ = 40/s; Case III: dmin = 60 m, θ = 60/s.]

We define Yi as a Bernoulli random variable with success probability p′(di) such that:

$$Y_i = \begin{cases} 0 & \text{if } X_i \ge \frac{d_i}{V_{max}} \text{ given } X_i \le \Delta T \\ 1 & \text{if } X_i < \frac{d_i}{V_{max}} \text{ given } X_i \le \Delta T \end{cases}$$

Note that µ = θ × ∆T is the expected number of events that occur during ∆T time in the homogeneous Poisson process with rate θ. Accordingly, the expected number of claim requests during ∆T time is µ. By considering the claim forwarding probability p, the expected number of legitimate claims forwarded to the base station during ∆T time is at most pµ, corresponding to pµ − 1 samples. Hence, $\sum_{i=1}^{p\mu-1} p'(d_i)$ is the expected number of times that Yi = 1 in pµ − 1 samples.

Let dmin be the shortest distance between a pair of replicas. Since p′(dmin) ≤ p′(di), the sum $\sum_{i=1}^{p\mu-1} p'(d_i)$ should be no less than p′(dmin) × (pµ − 1). Therefore, the expected number of samples that cause the measured speed to exceed Vmax during ∆T time is bounded from below by p′(dmin) × (pµ − 1). As a consequence, if p′(dmin) × (pµ − 1) > ⌈τ1(pµ − 1)⌉ − 1, the replicas should ignore at least ∆R claim requests during ∆T time in order to prevent them from being detected, where ∆R = p′(dmin) × (pµ − 1) − ⌈τ1(pµ − 1)⌉ + 1. However, if they ignore all ∆R requests, they will be quarantined as long as ∆R > ρ. In this sense, the replicas are stuck between getting detected and quarantined. Thus, we should set ρ to be less than ∆R to ensure that we either detect or quarantine replicas.

Let us now investigate how to configure ∆T to keep ∆R > ρ under different settings of distance dmin and claim request arrival rate θ. For this purpose, we use the following fixed configuration: Vmax = 20 m/s, p = 0.05, λ0 = 0.1, λ1 = 0.95, α′ = 0.01, and β′ = 0.01. We consider three different cases as shown in Figure 1. In all three cases, ∆R mainly increases with ∆T. This implies that ∆T needs to be configured in proportion to ρ to ensure that ∆R > ρ. For instance, if we set ρ = 4, ∆T should be more than 10, 5, and 4 seconds in Cases I, II, and III, respectively, so as to ensure that ∆R > ρ. This means that the replicas can avoid quarantine during less than ∆T time, which is just a few seconds when ρ = 4 in our example scenarios.
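The bound ∆R = p′(dmin)(pµ − 1) − ⌈τ1(pµ − 1)⌉ + 1 evaluated with the fixed configuration above, as an added example (not the paper's code): it computes p′(dmin), τ1 and ∆R for the three cases of Figure 1 and searches for the smallest integer ∆T that makes ∆R > ρ. It evaluates the formulas exactly as stated (integer ∆T, ceiling applied, pµ − 1 samples), which is an assumption about how the figure was produced, so its slot lengths can differ from a reading of the plotted curves.

```python
import math

# Fixed configuration from the analysis above (used as defaults below).
VMAX, P, LAM0, LAM1, ALPHA, BETA = 20.0, 0.05, 0.1, 0.95, 0.01, 0.01


def tau1(n, lam0=LAM0, lam1=LAM1, alpha=ALPHA, beta=BETA):
    """Upper SPRT threshold tau1(n) = (nu1 + n*nu2) / nu0."""
    nu0 = math.log(lam1 / lam0) - math.log((1 - lam1) / (1 - lam0))
    nu1 = math.log((1 - beta) / alpha)
    nu2 = math.log((1 - lam0) / (1 - lam1))
    return (nu1 + n * nu2) / nu0


def p_prime(d, theta, dT, vmax=VMAX):
    """p'(d) = Pr(X < d/Vmax | X <= ∆T) for exponential interarrival times of rate theta."""
    if d / vmax > dT:
        raise ValueError("analysis assumes d/Vmax <= ∆T")
    return (1 - math.exp(-theta * d / vmax)) / (1 - math.exp(-theta * dT))


def delta_R(dmin, theta, dT, vmax=VMAX, p=P):
    """∆R = p'(dmin)(pµ - 1) - ceil(tau1(pµ - 1)) + 1 with µ = theta*∆T: the number of
    claim requests the replicas must ignore per slot to stay below the SPRT's tau1."""
    samples = max(p * theta * dT - 1, 0.0)       # pµ - 1 forwarded-claim samples
    return p_prime(dmin, theta, dT, vmax) * samples - math.ceil(tau1(samples)) + 1


def min_slot_length(dmin, theta, rho, vmax=VMAX, p=P, max_dT=1000):
    """Smallest integer ∆T (seconds) for which ∆R > rho, i.e. replicas that evade the
    SPRT are quarantined instead; None if not reached within max_dT."""
    for dT in range(1, max_dT + 1):
        if dmin / vmax > dT:
            continue                               # p'(dmin) is not defined here
        if delta_R(dmin, theta, dT, vmax, p) > rho + 1e-9:   # tolerance for float noise
            return dT
    return None


if __name__ == "__main__":
    cases = {"I": (20.0, 20.0), "II": (40.0, 40.0), "III": (60.0, 60.0)}
    for name, (dmin, theta) in cases.items():
        start = math.ceil(dmin / VMAX)
        curve = [round(delta_R(dmin, theta, dT), 2) for dT in range(start, 16)]
        print(f"Case {name}: ∆R for ∆T={start}..15 s: {curve}; "
              f"min ∆T for rho=4: {min_slot_length(dmin, theta, rho=4)} s")
```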

Finally, the attacker's only option to avoid detection and quarantine is to move the replicas to an entirely new location before the arrivals of the claim requests that force replicas to be detected or quarantined. However, this will allow the replicas to evade detection and quarantine only during less than ∆T time and thus will greatly limit the attacker's ability to control parts of the network for any length of time.

TABLE I
FREQUENTLY USED NOTATIONS IN LONG-TERM ANALYSIS.

r          number of replica nodes.
Nc         number of compromised nodes.
η          maximum number of claim requests received by r replicas.
ψi         attacker's replica placement strategy in the ith time slot.
ψ          attacker's long-term replica placement strategy consisting of ψ1, ψ2, . . . , ψi, . . .
f(ψi)      fraction of η when ψi is used.
g(ψi)      ratio of the number of samples that exceed Vmax to the total number of samples in the SPRT when ψi is used.
h(ψi)      number of claim requests that are ignored or ones to which replicas respond with illegitimate claims so as not to be detected when ψi is used.
I(h(ψi))   function of h(ψi) with output of 0 and 1.
ρmax       maximum value of quarantine threshold ρ.
p          claim forwarding probability.
q          quarantine period in units of time slots.

4) Long-Term Game-Theoretic Analysis of Quarantine Defense Strategy: Through the above analysis, we showed that the quarantine defense strategy substantially restricts the attacker's gains from employing a selective claim request responding strategy when the duration of a single time slot is reasonably configured. However, the above analysis does not fully reflect the interactions between attacker and defender, since it focuses on a single time slot. To analyze how the quarantine strategy provides resilience against the selective claim request responding strategy for a long period of time, we develop a game theoretic model of claim response and quarantine defense. This model is useful to understand what the optimal attack and defense strategies are and how much the attacker's gains are limited by the optimal defense strategy when he employs the optimal attack strategy. In particular, we formulate a game theoretic problem as a two-player repeated game with perfect information, where the two players are the attacker and the defender. We believe that the repeated game is suitable for the analysis from the perspective of fully capturing the interactions between the attacker and the defender for a long period of time. In Table I, we summarize the notations that are frequently used in our long-term game theoretic analysis.

Suppose that the attacker deploys r replicas of a compromised node u. Let Nc denote the number of compromised nodes in the network. Let η denote the total maximum number of claim requests that can be received by u's replicas. Let ψi denote the attacker's replica placement strategy during the ith time slot. Specifically, ψi indicates how the attacker configures the distances between each pair of replicas during the ith time slot. We define ψ as the attacker's long-term replica placement strategy consisting of ψ1, ψ2, . . . , ψi, . . . Let f(ψi) denote the fraction of η such that 0 < f(ψi) ≤ 1 when ψi is used. Let g(ψi) denote the ratio of the number of samples that exceed Vmax to the total number of samples in the SPRT such that 0 < g(ψi) < 1 when ψi is used. Recall that p is the claim forwarding probability. Let h(ψi) denote the number of claim requests that are ignored or ones to which replicas respond with illegitimate claims so as not to be detected when ψi is used. Then h(ψi) is given by

$$h(\psi_i) = \max\big(g(\psi_i) f(\psi_i)(p\eta - 1) - \lceil \tau_1(f(\psi_i)(p\eta - 1)) \rceil + 1,\ 0\big) \quad (6)$$

We configure the quarantine threshold ρ as a positive integer such that 1 ≤ ρ ≤ ρmax = ⌈max h(ψi)⌉ − 1. The rationale behind ρmax is to quarantine replicas whose placement achieves the maximum value of h(ψi). Let I(h(ψi)) be a function of h(ψi). It is 0.0 if u's replicas are under quarantine during the ith time slot; otherwise, it is 1.0. The quarantine period q is the number of quarantine time slots. If h(ψi) > ρ, u's replicas are quarantined from the (i + 1)th to the (i + q)th time slots and thus I(h(ψj)) = 0 for i + 1 ≤ j ≤ i + q. For each time slot in which h(ψj) is more than ρ, the quarantine period is incremented by one time slot. The pseudo-code for computing I(h(ψi)) is described as Function 1.

Function 1 Computation of I(h(ψi))

    INITIALIZATION: I(h(ψ1)) = 1
    VARIABLES: k, l
    INPUT: h(ψi), i ≥ 1
    OUTPUT: 0 or 1
    if h(ψi) ≤ ρ then
        if I(h(ψi)) ≠ 0 then
            I(h(ψi+1)) = 1
        end if
    else
        if I(h(ψi)) ≠ 0 then
            for (k = 1; k ≤ q; k++)
                I(h(ψi+k)) = 0
            l = i + q + 1
        else
            I(h(ψl)) = 0
            l = l + 1
        end if
    end if

We model the attacker's payoff for a single time slot as the total number of nodes affected by the r replicas of u and the Nc compromised nodes. Specifically, we regard a node v as being affected by a replica of u if it sends a claim request to the replica and receives a valid claim, because v accepts the replica as its neighbor after receiving and validating the claim. In the worst case, in which u's replicas receive one claim request per neighbor, the number of nodes that are affected by u's replicas is equivalent to the number of claim requests to which u's replicas respond with legitimate claims, as long as those replicas are neither detected nor quarantined. Since the attacker will get zero gain for the entire time period if the replicas are detected, he needs to ignore claim requests that contribute to detection or respond with illegitimate claims to those requests, while losing the payoff corresponding to the number of ignored or illegitimately responded claim requests. However, if the number of ignored or illegitimately responded claim requests is more than quarantine threshold ρ during a time slot, the attacker will gain nothing during the quarantined time slots. Thus, he needs to limit the number of ignored or illegitimately responded claim requests in order to reduce his loss incurred by the quarantine defense strategy. By considering these factors, the number of nodes affected by u's replicas during the ith time slot is represented as (f(ψi)η − h(ψi))I(h(ψi)) in the worst case. This expression indicates that the attacker's gain is the number of claim requests to which u's replicas respond with legitimate claims out of the received claim requests during the ith time slot, as long as the number of ignored or illegitimately responded claim requests is at most ρ in the worst case. Also, we regard a node v as being affected by ρ compromised nodes if it is quarantined due to false DCN messages sent by ρ compromised nodes. By exploiting the property that quarantined nodes are put under quarantine for at least q time slots, the attacker can make at most q benign nodes be quarantined per time slot by using ρ compromised nodes. Accordingly, the total number of nodes affected by Nc compromised nodes during the ith time slot is at most qNc/ρ.

To model the attacker's payoff for a long period of time, we use the limit-of-means payoff as in [14]. This model is useful in the sense that the attacker's long term payoff is expressed in terms of the expected payoff per time slot and thus it can converge to a certain value when the number of time slots goes to infinity. We denote the attacker's long term payoff by U(ρ, ψ), defined as:

$$U(\rho, \psi) = \lim_{M \to \infty} \frac{1}{M} \sum_{i=1}^{M} \Big[\big(f(\psi_i)\eta - h(\psi_i)\big) I(h(\psi_i)) + \frac{qN_c}{\rho}\Big] \quad (7)$$

where M is the number of time slots.
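Function 1 and the payoff of Eq. 7 worked through in code, as an added example (not the paper's code): the quarantine indicator I(h(ψi)) over a sequence of slots, the finite-M mean payoff, and the defender's choice of ρ against an attacker who picks the best of a few constant placement strategies. The (f, h) pairs, η = 100, q = 3, Nc = 2 and M = 60 are constructed values.

```python
import math


def quarantine_indicator(h, rho, q):
    """I(h(ψ_i)) for i = 1..M, following Function 1: 1 while u's replicas are free,
    0 while they are quarantined. h[i] is h(ψ_i), the number of claim requests the
    replicas ignored or answered illegitimately in slot i (0-based here)."""
    ind = [1] * len(h)
    free_at = 0                      # first slot not covered by the current quarantine
    for i, hi in enumerate(h):
        if i < free_at:              # slot i is under quarantine
            ind[i] = 0
            if hi > rho:             # still over the threshold: extend by one slot
                free_at += 1
        elif hi > rho:               # free slot with h > rho: quarantine the next q slots
            free_at = i + 1 + q
    return ind


def attacker_payoff(f, h, eta, rho, q, nc):
    """Finite-M version of Eq. 7: mean per-slot payoff of the replicas plus the
    qNc/rho benign nodes that Nc compromised nodes can push into quarantine."""
    ind = quarantine_indicator(h, rho, q)
    m = len(h)
    return sum((f[i] * eta - h[i]) * ind[i] for i in range(m)) / m + q * nc / rho


def minimax_threshold(placements, eta, q, nc, m):
    """Defender's side of Eq. 8 over constant placement strategies: for each rho in
    [1, rho_max] take the attacker's best placement, then return the rho that
    minimises that maximum, together with the payoff it guarantees."""
    rho_max = math.ceil(max(h for _, h in placements)) - 1
    best = None
    for rho in range(1, rho_max + 1):
        worst = max(attacker_payoff([f] * m, [h] * m, eta, rho, q, nc)
                    for f, h in placements)
        if best is None or worst < best[1]:
            best = (rho, worst)
    return best


# Constructed placement strategies (f(ψ), h(ψ)) for η = 100 claim requests:
# tightly grouped replicas reach few nodes and need to ignore few requests,
# widely spread replicas reach many nodes but must ignore many requests.
PLACEMENTS = [(0.2, 1), (0.5, 4), (1.0, 9)]

if __name__ == "__main__":
    print(quarantine_indicator([5, 5, 1, 1, 1, 1, 1], rho=4, q=2))
    rho_star, value = minimax_threshold(PLACEMENTS, eta=100, q=3, nc=2, m=60)
    print(f"optimal quarantine threshold rho* = {rho_star}, attacker payoff <= {value:.2f}")
```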

To explore the interactions between the attacker and the defender for a long period of time, we formulate a minimax repeated game with U(ρ, ψ) as follows:

$$\min_{\rho} \max_{\psi} U(\rho, \psi) \quad (8)$$

In this game, the strategies of the attacker and the defender are ψ and ρ, respectively. The attacker's goal is to maximize his long term payoff U(ρ, ψ) by controlling the replica placement strategy ψ. On the other hand, the defender's goal is to minimize the maximum value of U(ρ, ψ) by controlling the quarantine threshold ρ. The optimal strategies for the attacker and the defender are the ones that lead most closely to their respective goals. We now solve the above minimax optimization problem to find the optimal strategies for the attacker and the defender.

Let ψ* and ψmax be the attacker's replica placement strategies, such that

$$\operatorname*{arg\,max}_{\psi_i} \big[f(\psi_i)\eta - h(\psi_i)\big] = \begin{cases} \psi^* & \text{if } 0 \le h(\psi_i) \le \rho \\ \psi_{max} & \text{if } h(\psi_i) > \rho \end{cases}$$

Let us define w(ψ*) such that h(ψ*) = w(ψ*)ρ and 0 ≤ w(ψ*) ≤ 1. We derive the optimal replica placement strategy ψ* in the following lemma.

Lemma 3.1: The argument of the maximum of U(ρ, ψ) as a function of ψ is ψ* under the condition that quarantine period q ≥ (f(ψmax)η − h(ψmax))/(f(ψ*)η − h(ψ*)) − 1.

Proof: Let us denote A(ψi) = f(ψi)η − h(ψi). We consider two cases, depending on ρ. In the case that 0 ≤ h(ψi) ≤ ρ, $\sum_{i=1}^{M} A(\psi_i) \le \sum_{i=1}^{M} A(\psi^*)$ holds. In the case that h(ψi) > ρ, $\sum_{i=1}^{M} A(\psi_i) \le \sum_{i=1}^{M} A(\psi_{max})$ holds. Recall that the quarantine period is q time slots. If replica placement strategy ψmax is used in a time slot, replicas are under quarantine for the next q time slots. Hence, the use of ψmax effectively results in the consumption of q + 1 time slots. Let us denote by ϕM the number of times that ψmax is used in M time slots. By combining these two cases, we derive the following inequality on $\sum_{i=1}^{M} A(\psi_i)$ with ϕ as follows:

$$\sum_{i=1}^{M} A(\psi_i)\, I(h(\psi_i)) \le \phi M A(\psi_{max}) + \big(M - \phi(q+1)M\big) A(\psi^*)$$

Therefore, the following inequality on U(ρ, ψ) also holds:

$$U(\rho, \psi) \le \phi\big(A(\psi_{max}) - A(\psi^*)(1 + q)\big) + A(\psi^*) + \frac{qN_c}{\rho} \quad (9)$$

If A(ψmax) < A(ψ*)(1 + q), the right side of Inequality 9 is a strictly decreasing function of ϕ because its derivative with respect to ϕ is less than zero, and it reaches its maximum when ϕ = 0. Accordingly, U(ρ, ψ) ≤ A(ψ*) + qNc/ρ. If A(ψmax) = A(ψ*)(1 + q), then U(ρ, ψ) ≤ A(ψ*) + qNc/ρ also holds. Hence, if q ≥ A(ψmax)/A(ψ*) − 1 = (f(ψmax)η − h(ψmax))/(f(ψ*)η − h(ψ*)) − 1, then U(ρ, ψ) reaches its maximum value when ψi = ψ* for all i ≥ 1.

By Lemma 3.1, min_ρ max_ψ U(ρ, ψ) is equivalent to min_ρ U(ρ, ψ*). Let us denote V(ψ*) such that

$$V(\psi^*) = \frac{\eta}{\big(g(\psi^*) - \frac{\nu_2}{\nu_0}\big)(p\eta - 1)}.$$

We also denote ν0, ν1, ν2 such that

$$\nu_0 = \ln\frac{\lambda_1}{\lambda_0} - \ln\frac{1-\lambda_1}{1-\lambda_0}, \qquad \nu_1 = \ln\frac{1-\beta'}{\alpha'}, \qquad \nu_2 = \ln\frac{1-\lambda_0}{1-\lambda_1}.$$

Lemma 3.2: The argument of the minimum of U(ρ, ψ*) as a function of ρ is ρ* under the conditions that ν1/ν0 > 1 and the quarantine period q ≥ (f(ψmax)η − h(ψmax))/(f(ψ*)η − h(ψ*)) − 1. ρ* is given by

$$\rho^* = \begin{cases}
1 & \text{if } \frac{qN_c}{V(\psi^*)-1} \le w(\psi^*) \le 1 \\[4pt]
1 & \text{if } \frac{qN_c}{2(V(\psi^*)-1)} \le w(\psi^*) < \frac{qN_c}{V(\psi^*)-1} \\[4pt]
\min(m, \rho_{max}) & \text{if } \frac{qN_c}{m(m+1)(V(\psi^*)-1)} \le w(\psi^*) < \frac{qN_c}{(m-1)m(V(\psi^*)-1)} \\[4pt]
\rho_{max} & \text{if } w(\psi^*) = 0
\end{cases}$$

for m ≥ 2.

Proof: In the case that w(ψ*) = 0, U(ρ, ψ*) = qNc/ρ + f(ψ*)η holds. Since dU(ρ, ψ*)/dρ < 0 on the interval [1, ρmax], U(ρ, ψ*) is a decreasing function of ρ on the interval [1, ρmax] and reaches its minimum value at ρ = ρmax on the interval [1, ρmax]. Hence, ρ* = ρmax.

In the case that 0 < w(ψ*) ≤ 1, U(ρ, ψ*) = qNc/ρ + f(ψ*)η − w(ψ*)ρ holds. By using the property that

$$\lceil \tau_1(f(\psi_i)(p\eta - 1)) \rceil = \tau_1(f(\psi_i)(p\eta - 1)) + z(\psi_i)$$

such that 0 ≤ z(ψi) < 1 and Equation 6, we can express f(ψ*) as follows:

$$f(\psi^*) = \frac{w(\psi^*)\rho + \frac{\nu_1}{\nu_0} + z(\psi^*) - 1}{\big(g(\psi^*) - \frac{\nu_2}{\nu_0}\big)(p\eta - 1)} \quad (10)$$

By plugging f(ψ*) into U(ρ, ψ*), we have

$$U(\rho, \psi^*) = w(\psi^*)\big(V(\psi^*) - 1\big)\rho + \frac{qN_c}{\rho} + \Big(\frac{\nu_1}{\nu_0} + z(\psi^*) - 1\Big) V(\psi^*)$$

Since the number of claim requests received by replicas is always larger than the number of claim requests to which they respond with legitimate claims so as not to be detected when ψ* is used, f(ψ*)η > h(ψ*) holds. Accordingly, V(ψ*) > 0 also holds under the condition that ν1/ν0 > 1. If V(ψ*) = η/((g(ψ*) − ν2/ν0)(pη − 1)) > 0, then V(ψ*) > 1 holds because 0 < g(ψ*) − ν2/ν0 < 1 and 0 < p < 1. With the property V(ψ*) > 1 under the condition that ν1/ν0 > 1, we consider three sub-cases as follows:

Sub-case 1: If qNc/(V(ψ*) − 1) ≤ w(ψ*) ≤ 1, dU(ρ, ψ*)/dρ ≥ w(ψ*)(V(ψ*) − 1) − qNc/ρ² ≥ 0 holds on the interval [1, ρmax]. Accordingly, U(ρ, ψ*) is an increasing function of ρ on the interval [1, ρmax] and reaches its minimum value at ρ = 1. Hence, ρ* = 1.

Sub-case 2: If qNc/(2(V(ψ*) − 1)) ≤ w(ψ*) < qNc/(V(ψ*) − 1), then U(ρ, ψ*) ≥ qNcρ/2 + qNc/ρ + (ν1/ν0 + z(ψ*) − 1)V(ψ*) holds. Since dU(ρ, ψ*)/dρ ≥ qNc/2 − qNc/ρ² > 0 on the interval [2, ρmax] and min U(1, ψ*) = min U(2, ψ*), U(ρ, ψ*) reaches its minimum value at ρ = 1. Hence, ρ* = 1.

Sub-case 3: If qNc/(m(m + 1)(V(ψ*) − 1)) ≤ w(ψ*) < qNc/((m − 1)m(V(ψ*) − 1)), then U(ρ, ψ*) ≥ qNcρ/(m(m + 1)) + qNc/ρ + (ν1/ν0 + z(ψ*) − 1)V(ψ*) holds. Since dU(ρ, ψ*)/dρ = qNc/(m(m + 1)) − qNc/ρ² > 0 on the interval [m + 1, ρmax] and min U(m, ψ*) = min U(m + 1, ψ*), U(ρ, ψ*) reaches its minimum value at ρ = m. Since ρ should be configured to be at most ρmax, ρ* = min(m, ρmax).

Theorem 3.1: If we set the quarantine period q such that q ≥ (f(ψmax)η − h(ψmax))/(f(ψ*)η − h(ψ*)) − 1, the strategies ψ* and ρ* are optimal for the attacker and defender, respectively.

Proof: By Lemmas 3.1 and 3.2, the arguments of the minimax of U(ρ, ψ) are ψ* and ρ* under the condition that q ≥ (f(ψmax)η − h(ψmax))/(f(ψ*)η − h(ψ*)) − 1. Therefore, the optimal strategies of the attacker and defender are ψ* and ρ* if q is at least (f(ψmax)η − h(ψmax))/(f(ψ*)η − h(ψ*)) − 1.

Now we examine the characteristics of the functions f(ψi), g(ψi), and h(ψi) in terms of ψi. Assume that the average distance between a pair of replicas in ψ^a_i is less than 1.0 in ψ^b_i. As the distance between a pair of replicas decreases, the overlapped neighborhood areas between a pair of replicas increase; accordingly the total number of affected nodes decreases. Hence, f(ψ^a_i) is less than f(ψ^b_i). Moreover, the decrease of the distance between a pair of replicas leads to a reduction of the measured speed of replicas, and thus the likelihood that a sample exceeds Vmax in the SPRT falls off. Hence, both g(ψ^a_i) and h(ψ^a_i) are less than g(ψ^b_i) and h(ψ^b_i).

Next we investigate the limitation on the attacker's gain when the defender and attacker adhere to their optimal strategies. In particular, we explore the limitation on the attacker's benefit in accordance with conditions of w(ψ*). In the case that w(ψ*) = 1.0, ρ* is set to 1.0 and thus h(ψ*) = 1.0. According to the characteristics of h(ψ*), the average distance between a pair of replicas is short in ψ* such that h(ψ*) = 1. Thus, f(ψ*) is also a small value. Hence, we have a small value of f(ψ*)η − h(ψ*). The number of nodes affected by compromised nodes will also be limited by Nc. In the case that w(ψ*) = 0, ρ* is set to ρmax and thus h(ψ*) = 0. This leads to a small value of f(ψ*)η − h(ψ*). Moreover, the compromised nodes only affect qNc/ρmax nodes. In the case that 0 < w(ψ*) < 1.0, ρ* is set to a value between 1.0 and ρmax. As w(ψ*) goes to zero and one, ρ* goes to ρmax and 1.0, and accordingly h(ψ*) = w(ψ*)ρ* goes to zero and one, respectively. Therefore, h(ψ*) takes on larger values as w(ψ*) is further away from zero and one. Under this intuition, we denote the maximum values of w(ψ*) and ρ* by φ1 and φ2ρmax such that 0 < φ1, φ2 < 1, respectively. Hence, the maximum value of h(ψ*) is denoted by φ1φ2ρmax. Since the value of h(ψ*) is limited by φ1φ2ρmax, f(ψ*)η − h(ψ*) is also limited by replica placement strategy ψ* such that h(ψ*) = φ1φ2ρmax. We therefore have only qNc/(φ1φ2ρmax) nodes affected by Nc compromised nodes.

In all three cases, we see that the attacker has limited benefit from employing replicas and compromised nodes when the defender and attacker follow their optimal strategies.

C. Performance Analysis

We now analyze the performance of our scheme in terms of communication, computation, and storage overheads.

1) Communication Overhead: We first describe how many observations on average are required for the base station to make a decision as to whether a node has been replicated or not. Then we will present the communication overhead of our scheme.

Let n denote the number of samples to terminate the SPRT. Since n varies with the types of samples, it is treated as a random variable with expected value E[n]. According to [15], E[n] is obtained as follows:

$$E[n] = \frac{E[L_n]}{E\Big[\ln\frac{\Pr(S_i \mid H_1)}{\Pr(S_i \mid H_0)}\Big]} \quad (11)$$

From this equation, we compute the expected numbers of n conditioned on the hypotheses H0 and H1 as follows:

$$E[n \mid H_0] = \frac{(1 - \alpha')\ln\frac{\beta'}{1-\alpha'} + \alpha'\ln\frac{1-\beta'}{\alpha'}}{\lambda_0 \ln\frac{\lambda_1}{\lambda_0} + (1 - \lambda_0)\ln\frac{1-\lambda_1}{1-\lambda_0}}$$

$$E[n \mid H_1] = \frac{\beta'\ln\frac{\beta'}{1-\alpha'} + (1 - \beta')\ln\frac{1-\beta'}{\alpha'}}{\lambda_1 \ln\frac{\lambda_1}{\lambda_0} + (1 - \lambda_1)\ln\frac{1-\lambda_1}{1-\lambda_0}} \quad (12)$$

We study how E[n|H0] and E[n|H1] are affected by the values of λ0 and λ1. As shown in Figures 2 and 3, E[n|H0] and E[n|H1] tend to increase in proportion to λ0 when λ1 is fixed to 0.7 and 0.9, respectively. This implies that a small value of λ0 contributes to detecting replicas with a small number of claims. When λ0 is fixed, E[n|H0] and E[n|H1] for the case of λ1 = 0.7 are larger than the corresponding values for the case of λ1 = 0.9. This means that a larger value of λ1 reduces the number of claims required for benign node decision and replica detection.
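Equation 12 evaluated over the λ0 range of Figures 2 and 3, as an added example (not the paper's code): it computes E[n|H0] and E[n|H1] for λ1 = 0.7 and 0.9 with α′ = β′ = 0.01 and checks the two trends stated above. The λ0 grid is an assumption.

```python
import math


def expected_samples(lam0, lam1, alpha=0.01, beta=0.01):
    """E[n|H0] and E[n|H1] from Eq. 12: the expected number of speed samples the
    SPRT needs before it decides benign (H0) or replicated (H1)."""
    ln_b = math.log(beta / (1 - alpha))         # ln(β'/(1-α'))
    ln_a = math.log((1 - beta) / alpha)         # ln((1-β')/α')
    ln_l = math.log(lam1 / lam0)                # ln(λ1/λ0)
    ln_m = math.log((1 - lam1) / (1 - lam0))    # ln((1-λ1)/(1-λ0))
    e_h0 = ((1 - alpha) * ln_b + alpha * ln_a) / (lam0 * ln_l + (1 - lam0) * ln_m)
    e_h1 = (beta * ln_b + (1 - beta) * ln_a) / (lam1 * ln_l + (1 - lam1) * ln_m)
    return e_h0, e_h1


LAM0_GRID = (0.05, 0.10, 0.15, 0.20, 0.25, 0.30)   # assumed x-axis of Figs. 2 and 3


def sweep(lam1, lam0s=LAM0_GRID):
    """Rows of (λ0, E[n|H0], E[n|H1]) for a fixed λ1."""
    return [(l0,) + expected_samples(l0, lam1) for l0 in lam0s]


def observations_hold(lam0s=LAM0_GRID):
    """Check the two trends stated in the text: both expectations grow with λ0,
    and λ1 = 0.7 needs more samples than λ1 = 0.9 at every λ0."""
    rows7, rows9 = sweep(0.7, lam0s), sweep(0.9, lam0s)
    increasing = all(a[1] < b[1] and a[2] < b[2] for a, b in zip(rows7, rows7[1:]))
    increasing = increasing and all(a[1] < b[1] and a[2] < b[2]
                                    for a, b in zip(rows9, rows9[1:]))
    fewer_for_09 = all(r9[1] < r7[1] and r9[2] < r7[2] for r7, r9 in zip(rows7, rows9))
    return increasing and fewer_for_09


if __name__ == "__main__":
    for lam1 in (0.7, 0.9):
        for l0, e0, e1 in sweep(lam1):
            print(f"λ1={lam1}  λ0={l0:.2f}  E[n|H0]={e0:5.2f}  E[n|H1]={e1:5.2f}")
    print("trends from the text hold:", observations_hold())
```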

Now let us compute the communication overhead of our scheme. We define the communication overhead as the average number of claims that are sent or forwarded by nodes in the network. Each time a mobile node u receives b claim requests on average at a location, it sends an average of b × p claims to the base station, where p is the probability that the claim is forwarded to the base station. Let us consider the worst case scenario in which every mobile node receives b claim requests at a location and sends b × p claims to the base station at the same time. Since the average hop distance between two randomly chosen nodes is given by O(√N) [11], where N is the total number of sensor nodes, the communication overhead in the worst case will be O(b × p × N × √N). Each node's b claim requests contain the same location information L. Indeed, O(1) claims per location L are enough for the base station to perform the replica detection. In this sense, b × p can be reduced to O(1) by setting p to k · (1/b) = O(1/b), for some constant k. In this configuration, the probability that a node's claim is forwarded by at least one neighbor to the base station is computed as 1 − (1 − p)^b. For example, this probability becomes 0.961 when b = 20, k = 3, and p = k(1/b) = 3/20, ensuring that the base station receives a node's claim with high probability. Thus, the communication overhead in the worst case can be rewritten as O(N√N).

2) Computation and Storage Overhead: We define computation and claim storage overhead as the average number of public key signing and verification operations per node and the average number of claims that need to be stored by a node, respectively.

Each time a mobile node receives b claim requests on average at a location, it needs to perform b signature generation operations. Similarly, each time a mobile node sends b claim requests on average at a location, it needs to verify up to b signatures. In the worst case, every mobile node sends b × p claims to the base station at the same time and the base station thus needs to verify up to b × p × N signatures. If p is set to k(1/b), the base station will verify up to k × N signatures on average in the worst case.

The base station stores location claims in order to perform the SPRT, whereas the sensor nodes do not need to keep their own or other nodes' claims. Thus, we only need to compute the number of claims that are stored by the base station. In the SPRT, a sample oi is obtained from two consecutive location claims of node u, namely C^{i−1}_u and C^i_u. Once a sample oi is obtained, the previous location claim C^{i−1}_u is discarded and the current location claim C^i_u is maintained by the base station. This process is repeated until the SPRT is terminated. Hence, the base station needs to store only one claim per node, so at most N claims are required to be stored in the base station.

IV. SIMULATION STUDY

In this section, we will first describe the simulation environment we used to evaluate our scheme and then present our experimental results.


[Fig. 2. E[n|H0] vs. λ0 when α′ = 0.01 and β′ = 0.01; curves for λ1 = 0.7 and λ1 = 0.9.]

[Fig. 3. E[n|H1] vs. λ0 when α′ = 0.01 and β′ = 0.01; curves for λ1 = 0.7 and λ1 = 0.9.]

[Fig. 4. Average number of claims vs. Vmax (m/s); trueNegative and truePositive curves for γ = 0.01, 0.1, and 0.2.]

A. Simulation Environment

We simulated the proposed mobile replica detection scheme in a mobile sensor network with the help of the ns-2 network simulator. In our simulation, 500 mobile sensor nodes are placed within a square area of 500 m × 500 m.

We use the Random Waypoint Mobility (RWM) model to determine mobile sensor node movement patterns. In particular, to accurately evaluate the performance of the scheme, we use the RWM model with the steady-state distribution provided by the Random Trip Mobility (RTM) model [1]. In the RWM model, each node moves to a randomly chosen location with a randomly selected speed between a predefined minimum and maximum speed. After reaching that location, it stays there for a predefined pause time. After the pause time, it then randomly chooses and moves to another location. This random movement process is repeated throughout the simulation period. We use code from [10] to generate the RWM-based movement model with a steady-state distribution.

All simulations were performed for 1000 simulation seconds. We fixed a pause time of 20 simulation seconds and a minimum moving speed of 1.0 m/s for each node. Each node uses IEEE 802.11 as the medium access control protocol, in which the transmission range is 50 m. We set both the user-configured false positive threshold α′ and the false negative threshold β′ to 0.01.

To emulate the speed errors caused by the inaccuracy of time synchronization and localization protocols, we modify the measured speeds with a maximum speed error rate γ. Specifically, we take speeds s measured using perfect time synchronization and localization protocols and generate speeds s′ selected uniformly at random from the range [s − sγ, s + sγ]. We evaluated the scheme with γ values of 0.01, 0.1, and 0.2. We set λ0 and λ1 in accordance with γ and Vmax as shown in Table II, where L, M, H, and V indicate low (Vmax = 10 m/s), moderate (Vmax = 20, 40 m/s), high (Vmax = 60 m/s), and very high (Vmax = 80, 100 m/s) mobility rates, respectively. When we consider robotic vehicular platforms, low (no more than 36 km/hour) and moderate (no more than 72 or 144 km/hour) mobility rates may be suitable. High (no more than 216 km/hour) and very high (no more than 288 or 360 km/hour) mobility rates may be suitable for modeling autonomous aircraft.

TABLE II
PARAMETER VALUES USED IN SIMULATION EXPERIMENTS.

γ              0.01                  0.1, 0.2
Mobility Rate  L,M    H      V       L,M    H      V
λ0             0.1    0.05   0.01    0.2    0.15   0.1
λ1             0.95   0.9    0.8     0.9    0.85   0.8

The rationale behind the general configurations of λ0 and λ1, which are used in the SPRT, is discussed in Section III-C. As shown in Table II, these two parameters are modified in inverse proportion to changes in the mobility rate. The main reason for these configurations is that both mobility and speed error contribute to reducing the chance that a mobile node's speed exceeds Vmax.
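The following Python sketch is an added illustration, not code from the paper, of the base-station side of the test as the overhead analysis and the simulation environment above describe it: one stored claim per node ID, a sample o_i drawn from each pair of consecutive claims, the speed error emulated as s′ uniform in [s − sγ, s + sγ], and the Table II values for γ = 0.1 and low mobility. The Bernoulli log-likelihood form of the SPRT (o_i = 1 when the measured speed exceeds Vmax, with Wald's thresholds from α′ and β′) and the restart of the test after an H0 decision are assumptions, since Section III-C is not reproduced here; the benign walk and the staticReplica claim sequences are constructed inputs.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Claim:
    node_id: str  # ID shared by a compromised node and every replica of it
    x: float      # claimed position in metres
    y: float
    t: float      # claim time in seconds

class SprtReplicaDetector:
    """Base-station side of the test (Bernoulli SPRT form assumed). Only the most
    recent claim per node ID is kept: the O(N) storage bound of the overhead analysis."""

    def __init__(self, v_max: float, lam0: float, lam1: float,
                 alpha: float, beta: float, gamma: float = 0.0, seed: int = 0):
        self.v_max = v_max
        self.lam0, self.lam1 = lam0, lam1            # P(o_i = 1) under H0 / under H1
        self.lower = math.log(beta / (1.0 - alpha))  # accept H0 (benign) below this
        self.upper = math.log((1.0 - beta) / alpha)  # accept H1 (replicated) above this
        self.gamma = gamma                           # maximum speed error rate
        self.rng = random.Random(seed)               # seeded so errors are reproducible
        self.last_claim: Dict[str, Claim] = {}
        self.llr: Dict[str, float] = {}              # running log-likelihood ratio

    def _measured_speed(self, prev: Claim, cur: Claim) -> float:
        dist = math.hypot(cur.x - prev.x, cur.y - prev.y)
        dt = cur.t - prev.t
        if dt <= 0.0:
            # same timestamp: any displacement is impossible, so count it as over v_max
            return math.inf if dist > 0.0 else 0.0
        s = dist / dt
        # emulate time-sync/localisation error: s' uniform in [s - s*gamma, s + s*gamma]
        return s * (1.0 + self.rng.uniform(-self.gamma, self.gamma))

    def process(self, claim: Claim) -> Optional[str]:
        """Consume one claim; return 'H0', 'H1' or None while the test is undecided."""
        prev = self.last_claim.get(claim.node_id)
        self.last_claim[claim.node_id] = claim       # the previous claim is discarded
        if prev is None:
            return None                              # first claim: no sample o_i yet
        o = 1 if self._measured_speed(prev, claim) > self.v_max else 0
        step = (math.log(self.lam1 / self.lam0) if o
                else math.log((1.0 - self.lam1) / (1.0 - self.lam0)))
        llr = self.llr.get(claim.node_id, 0.0) + step
        if llr >= self.upper:
            self.llr.pop(claim.node_id, None)
            return "H1"                              # node ID has been replicated
        if llr <= self.lower:
            self.llr.pop(claim.node_id, None)        # assumption: restart with fresh samples
            return "H0"
        self.llr[claim.node_id] = llr
        return None

def claims_to_decision(det: SprtReplicaDetector,
                       claims: List[Claim]) -> Tuple[Optional[str], int]:
    """Feed claims in order; return (decision, number of claims consumed)."""
    for i, c in enumerate(claims, start=1):
        d = det.process(c)
        if d is not None:
            return d, i
    return None, len(claims)

def benign_walk(node_id: str, speed: float, n: int, dt: float = 1.0) -> List[Claim]:
    # constructed input: one node moving along the x-axis at a constant speed
    return [Claim(node_id, speed * dt * i, 0.0, dt * i) for i in range(n)]

def static_replica_pair(node_id: str, distance: float, n: int,
                        period: float = 0.5) -> List[Claim]:
    # constructed staticReplica input: u at the origin and u' at distance D answer
    # claim requests alternately, one every `period` seconds
    return [Claim(node_id, distance * (i % 2), 0.0, period * i) for i in range(n)]

if __name__ == "__main__":
    # Table II, gamma = 0.1, low mobility (Vmax = 10 m/s): lambda0 = 0.2, lambda1 = 0.9
    p = dict(v_max=10.0, lam0=0.2, lam1=0.9, alpha=0.01, beta=0.01, gamma=0.1)
    print(claims_to_decision(SprtReplicaDetector(**p), benign_walk("n1", 9.0, 20)))
    print(claims_to_decision(SprtReplicaDetector(**p), static_replica_pair("u", 20.0, 20)))
```

With these parameters a benign node walking at 9 m/s is accepted as benign after four claims, and a static pair 20 m apart answering every 0.5 s is flagged after five, matching the "few claims" behaviour reported in the results.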

In our simulation, we consider two cases: mobileReplica and staticReplica. In the mobileReplica case, we use one benign node and one compromised node along with its replica as claim generators. Furthermore, these three nodes' initial placements are randomly chosen and their movements are randomly determined by the RWM model with a steady-state distribution. In the staticReplica case, we use one compromised node along with its replica as claim generators. These two nodes do not move, as we fix their locations to the initial placements. By studying the staticReplica case, we can investigate how the distance between the compromised node and its replica affects the replica detection capability. The staticReplica case represents a strategic attacker and effectively the worst case for detection. The attacker keeps his nodes close together and immobile to lower the chance of detection. As analyzed in Section III-B, this also limits the attacker's effectiveness. In all scenarios, we assume that all claims that have been forwarded to the base station reach it without any loss. We repeated each simulation scenario 1000 times in such a way that the mobile nodes are initially placed in a different random location each time.


[Fig. 5. Probability distribution of the number of claims when γ = 0.1 (x-axis: Number of Claims; y-axis: Probability); curves for Vmax = 100 m/s and Vmax = 10 m/s.]

[Fig. 6. Average number of claims vs. D (m) when Vmax = 10 m/s; truePositive curves for γ = 0.01, 0.1, and 0.2.]

[Fig. 7. Average number of claims vs. D (m) when Vmax = 20 m/s; truePositive curves for γ = 0.01, 0.1, and 0.2.]

[Fig. 8. Average number of claims vs. D (m) when Vmax = 40 m/s; truePositive curves for γ = 0.01, 0.1, and 0.2.]

[Fig. 9. Average number of claims vs. D (m) when Vmax = 60 m/s; truePositive curves for γ = 0.01, 0.1, and 0.2.]

[Fig. 10. Average number of claims vs. D (m) when Vmax = 80 m/s; truePositive curves for γ = 0.01, 0.1, and 0.2.]

[Fig. 11. Average number of claims vs. D (m) when Vmax = 100 m/s; truePositive curves for γ = 0.01, 0.1, and 0.2.]

[Fig. 12. Probability distribution of the number of claims (Vmax = 10 m/s); curves for D = 20 m and D = 5 m.]

[Fig. 13. Probability distribution of the number of claims (Vmax = 100 m/s); curves for D = 200 m and D = 50 m.]

B. Simulation Results

We use the following metrics to evaluate the performance of our scheme:

• Number of Claims is the number of claims required for the base station to decide whether a node has been replicated or not.

• False Positive is the error probability that a benign node is misidentified as a replica node.

• False Negative is the error probability that a replica node is misidentified as a benign node.

For each execution, we obtain each metric as the average of the results of the SPRTs that are repeated. Note that the SPRT will be terminated if it decides that the claim generator has been replicated. The average of the results of 1000 executions is presented here.

In the experiments, the average number of claim requests, b, was measured between 17 and 20, depending on Vmax. We associate the configuration of the claim forwarding probability p with b. Specifically, p is configured to 0.05 in order to set b × p to one when b is assumed to be 20 at all Vmax. The rationale behind this configuration is to make sure that one claim per location is forwarded to the base station on average.

1) Mobile Replica Results: In the mobileReplica case, we investigate the false positive and false negative rates and the number of claims while increasing Vmax in the range from 10 m/s to 100 m/s. The results for the mobileReplica case are summarized as follows.

First, both false positives and false negatives were below 0.013 at all speed error rates and mobility rates. Specifically, the lowest and highest false positives were measured as 0.0, 0.007 when γ = 0.01, 0.1 and 0.003, 0.013 when γ = 0.2, respectively. We also observed that there were zero false negatives when γ = 0.01, while the lowest and the highest false negative rates were 0.0, 0.006 when γ = 0.1, 0.2, respectively. Thus, the replica was detected with a probability of at least 0.994 and the benign node was misidentified as a replica with a probability of at most 0.013 at all speed error rates and mobility rates.

Second, the results of the average number of claims are shown in Figure 4. We present the results for two cases. One is that the claim generator is a benign node and the SPRT decides that this node is benign. We denote this case by trueNegative in Figure 4. The other case is that the claim generators consist of a compromised node and its replica node, and the SPRT decides that these nodes are a compromised node and its replica. We denote this case by truePositive in Figure 4.

In the trueNegative case, the average number of claims reaches a maximum of 5.03 when Vmax = 80 m/s and γ = 0.2. In the truePositive case, the average number of claims reaches a maximum of 9.089 when Vmax = 10 m/s and γ = 0.2. Thus, the base station reaches correct decisions with a few claims in both cases. Moreover, we see that the average at γ = 0.1, 0.2 is higher than that at γ = 0.01 in both cases. This indicates that a substantial increase in the speed error rate leads to a rise in the average number of claims.

We also observe that the average number of claims tends to slightly increase and decrease as the mobility rate rises in the case of trueNegative and truePositive, respectively. We infer from this observation that a rise in mobility increases the chance that the speed of a benign node is erroneously measured to be over Vmax, thus delaying the test from moving toward H0. On the other hand, a rise in mobility leads to a reduction in the chance that the replicated node generates claims containing the same location but a different time, and thus expedites moving the test toward H1.

Finally, Figure 5 shows the probability distribution of the number of claims in the case of truePositive when γ = 0.1. For this distribution, we examine two scenarios: low mobility (Vmax = 10 m/s) and very high mobility (Vmax = 100 m/s). A total of 76.3% and 73.65% of the cases fall in the range from four to nine claims in the case of low and very high mobility rates, respectively. This implies that, in most cases, the number of claims is less than or close to the average, and thus the SPRT detects replicas with at most nine claims in most cases.

2) Static Replica Results: In the staticReplica case, we investigate the same metrics as in the mobileReplica case. We fix the positions of the compromised node u and its replica u′, but vary their initial positions such that the distance D between them varies in the range from Dmax/2 to 2Dmax, where Vmax = Dmax/s and the range of Vmax is from 10 m/s to 100 m/s. We do this to determine the ability of our scheme to detect replica nodes that are relatively close together, which is important when detection is based on speed.

First, false negative rates were measured as 0.008 for D = 20 m, Vmax = 40 m/s, and γ = 0.1, 0.2. They were 0.0 for all other speed error rates, mobility rates, and D. Accordingly, u and u′ were detected with at least 0.992 probability in all cases. Every mobile node checks whether to send claim requests to u or u′ every 0.5 seconds. Thus, a mobile node's claim request time period is at least 0.5 seconds. Under this claim request time period, we infer from the high detection rate that the inter-arrival times between the claim requests to u and u′ are highly likely to be less than D/Vmax. Subsequently, this implies that the attacker needs to configure the distance D to less than Dmax/2 under the above claim request time period configuration to have a reasonable chance that u and u′ are not detected.

Second, Figures 6, 7, 8, 9, 10, and 11 show the average number of claims when Vmax = 10, 20, 40, 60, 80, 100 m/s, respectively. In the truePositive case, the average number of claims is below 10.5 at all mobility rates Vmax and distances D. Hence, the base station detects u and u′ with a reasonable number of claims. In terms of the effect of γ on the average number of claims, we see that the substantial increase of γ from 0.01 to 0.1, 0.2 contributes to a rise in the average number of claims. However, the number of claims remains small. In terms of the effect of D on the average number of claims, we observe that the rise of D from Dmax/2 to Dmax, 2Dmax results in an increase in the average number of claims to detection. We infer from this observation that larger values of D defer the occurrence that the inter-arrival times between the claim requests to u and u′ exceed D/Vmax, leading to a delay in moving the test toward H1.

Finally, Figures 12 and 13 show the probability distribution of the number of claims in truePositive cases when γ = 0.1 and Vmax = 10 m/s, and γ = 0.1 and Vmax = 100 m/s, respectively. For each case, we examine two scenarios: short distance D = Dmax/2 and long distance D = 2Dmax. In the case of Vmax = 10 m/s, the average number of claims (µ′) and standard deviation (σ′) in the short and long distance scenarios are 7.207 and 1.792, and 8.425 and 3.762, respectively. In the case of Vmax = 100 m/s, µ′ and σ′ in the short and long distance scenarios are 7.112 and 3.854, and 9.905 and 6.899, respectively. The fraction of the number of claims up to µ′ + σ′ is at least 86% and 82% in the case of Vmax = 10 m/s and Vmax = 100 m/s, respectively. This means that in most cases, the number of claims does not exceed µ′ + σ′.

In the short and long distance scenarios, a total of 91.8% and 80.6% of the cases with Vmax = 10 m/s fall in the range from five to nine claims, respectively. In addition, a total of 80.1% and 61.1% of the cases with Vmax = 100 m/s fall in the range from four to nine claims in the short and long distance scenarios, respectively. Thus, detection occurs quickly with few claims in most cases in all the scenarios we examined.

V. RELATED WORK

The first work on detecting replica node attacks is due to Parno et al. [11], who proposed randomized and line-selected multicast schemes to detect replicas in static wireless sensor networks. In those two schemes, nodes report location claims that identify their positions and attempt to detect conflicting reports that signal one node in multiple locations. Conti et al. [3] proposed a scheme to enhance the line-selected multicast scheme of [11] in terms of replica detection probability, as well as storage and computation overheads, by using trusted random values. Ho et al. [6] proposed several schemes for distributed detection of replica nodes that take advantage of group deployment knowledge to reduce the communication, computation, and storage overheads required for replica detection and improve on the replica detection capability of the line-selected scheme of [11]. Xing et al. [17] proposed a fingerprint-based replica node detection scheme. In this scheme, nodes report fingerprints, which identify a set of their neighbors, to the base station. The base station performs replica detection by using the property that fingerprints of replicas conflict with each other.


However, none of these solutions is suitable for replica node detection in mobile sensor networks. If the schemes in [3], [6], [11] are used in mobile sensor networks, sensor nodes' location claims will continuously change in accordance with their movements, and thus location claims from the same benign node will always conflict with each other. Similarly, if the scheme in [17] is used in mobile sensor networks, mobility will continuously make nodes have different fingerprints, and thus fingerprints of the same benign node will conflict with each other.

Recently, Yu et al. [18] proposed schemes to detect node replica attacks in mobile sensor networks. The key idea of [18] is to detect mobile replicas by leveraging the intuition that the number of mobile nodes encountered by mobile replicas in a time interval is greater than the number encountered by a benign mobile node. The worst-case communication and storage overheads in our scheme are computed as O(N√N) and O(1), respectively, whereas these values are respectively O(N²) and O(N) when the schemes in [18] are used. Therefore, our scheme works with less overhead than those in [18]. The main strength of [18] is that it detects mobile replicas in a fully distributed manner, while our scheme relies on the base station for mobile replica detection. However, replicas can evade this detection technique by carefully controlling the number of encounters each replica has with other nodes. The attacker can selectively use its encounters to maximize the effectiveness of the attacks it is trying to mount with the replica nodes. Since this puts a limitation on the attacker, it remains to be studied whether the detection scheme is enough to deter effective replica attacks.

VI. CONCLUSIONS

In this paper, we have proposed a replica detection scheme for mobile sensor networks based on the Sequential Probability Ratio Test (SPRT). We have analytically demonstrated the limitations of attacker strategies to evade our detection technique. In particular, we first showed the limitations of a group attack strategy in which the attacker controls the movements of a group of replicas. We presented a quantitative analysis of the limit on the amount of time for which a group of replicas can avoid detection and quarantine. We also modeled the interaction between the detector and the adversary as a repeated game and found a Nash equilibrium. This Nash equilibrium shows that even the attacker's optimal gains are still greatly limited by the combination of detection and quarantine. We performed simulations of the scheme under a random movement attack strategy, in which the attacker lets replicas randomly move in the network, and under a static placement attack strategy, in which he keeps his replicas from moving to best evade detection. The results of these simulations show that our scheme quickly detects mobile replicas with a small number of location claims against either strategy.

VII. ACKNOWLEDGEMENTS

We sincerely thank the anonymous reviewers for insightful comments which helped us improve the quality of the manuscript significantly. Jun-Won Ho was supported by the IT Scholarship Program under the supervision of IITA (Institute for Information Technology Advancement) and MIC (Ministry of Information and Communication) in the Republic of Korea. This work is partially supported by NSF Grants IIS-0326505, CNS-0721951 and CNS-0916221 and AFOSR Grant A9550-08-1-0260. The work of S. K. Das is also supported by (while serving at) the National Science Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.

REFERENCES

[1] J.-Y. Le Boudec and M. Vojnovic. Perfect simulation and stationarity of a class of mobility models. In IEEE INFOCOM, pages 2743–2754, March 2005.

[2] S. Capkun and J. P. Hubaux. Secure positioning in wireless networks. IEEE Journal on Selected Areas in Communications, 24(2):221–232, February 2006.

[3] M. Conti, R. D. Pietro, L. V. Mancini, and A. Mei. A randomized, efficient, and distributed protocol for the detection of node replication attacks in wireless sensor networks. In ACM MobiHoc, pages 80–89, September 2007.

[4] K. Dantu, M. Rahimi, H. Shah, S. Babel, A. Dhariwal, and G. S. Sukhatme. Robomote: enabling mobility in sensor networks. In IEEE IPSN, pages 404–409, April 2005.

[5] J. Ho, M. Wright, and S. K. Das. Fast detection of replica node attacks in mobile sensor networks using sequential analysis. In IEEE INFOCOM, pages 1773–1781, April 2009.

[6] J. Ho, D. Liu, M. Wright, and S. K. Das. Distributed detection of replicas with deployment knowledge in wireless sensor networks. Ad Hoc Networks, 7(8):1476–1488, November 2009.

[7] L. Hu and D. Evans. Localization for mobile sensor networks. In ACM MobiCom, pages 45–57, September 2004.

[8] J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast portscan detection using sequential hypothesis testing. In IEEE Symposium on Security and Privacy, pages 211–225, May 2004.

[9] A. Liu and P. Ning. TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks. In IEEE IPSN, pages 245–256, April 2008.

[10] S. PalChaudhuri, J.-Y. Le Boudec, and M. Vojnovic. Perfect simulations for random trip mobility models. In 38th Annual Simulation Symposium, April 2005.

[11] B. Parno, A. Perrig, and V. D. Gligor. Distributed detection of node replication attacks in sensor networks. In IEEE Symposium on Security and Privacy, pages 49–63, May 2005.

[12] H. Song, S. Zhu, and G. Cao. Attack-resilient time synchronization for wireless sensor networks. Ad Hoc Networks, 5(1):112–125, January 2007.

[13] K. Sun, P. Ning, C. Wang, A. Liu, and Y. Zhou. TinySeRSync: secure and resilient time synchronization in wireless sensor networks. In ACM CCS, pages 264–271, October 2006.

[14] G. Theodorakopoulos and J. S. Baras. Game theoretic modeling of malicious users in collaborative networks. IEEE Journal on Selected Areas in Communications, 26(7):1317–1326, 2008.

[15] A. Wald. Sequential analysis. Dover Publications, 2004.

[16] H. Wang, B. Sheng, C. C. Tan, and Q. Li. Comparing symmetric-key and public-key based security schemes in sensor networks: a case study of user access control. In IEEE ICDCS, pages 11–18, June 2008.

[17] K. Xing, F. Liu, X. Cheng, and H. C. Du. Real-time detection of clone attacks in wireless sensor networks. In IEEE ICDCS, pages 3–10, June 2008.

[18] C.-M. Yu, C.-S. Lu, and S.-Y. Kuo. Efficient and distributed detection of node replication attacks in mobile sensor networks. In IEEE VTC Fall, September 2009.

Jun-Won Ho received his B.S. degree from the Department of Computer Science at Yonsei University, Seoul, South Korea, his M.S. degree from the Department of Electrical and Computer Engineering at the University of Wisconsin at Madison, and his Ph.D. degree from the Department of Computer Science at the University of Texas at Arlington in May 2010. His dissertation work focuses on the detection and prevention of wide-spread node compromise in wireless sensor networks. His current research interests include security in wireless sensor networks.

Matthew Wright is an assistant professor at the University of Texas at Arlington. He graduated with his Ph.D. from the Department of Computer Science at the University of Massachusetts in May 2005, where he earned his M.S. in 2002. His dissertation work addresses the robustness of anonymous communications. His other interests include intrusion detection, security and privacy in mobile and ubiquitous systems, and the application of incentives to security and privacy problems. Previously, he earned his B.S. degree in Computer Science at Harvey Mudd College. He is a recipient of the Outstanding Paper Award at the 2002 Symposium on Network and Distributed System Security.

Sajal K. Das received the B.S. degree in computer science from Calcutta University, Kolkata, India, in 1983, the M.S. degree in computer science from the Indian Institute of Science, Bangalore, India, in 1984, and the Ph.D. degree in computer science from the University of Central Florida, Orlando, in 1988. He is currently with the Department of Computer Science and Engineering, the University of Texas at Arlington, where he is a Distinguished Scholar Professor of Computer Science and Engineering and the Founding Director of the Center for Research in Wireless Mobility and Networking (CReWMaN). He is also currently a Program Director with the Division of Computer Networks and Systems, National Science Foundation (NSF). He is the author of more than 400 published papers and more than 35 invited book chapters. He is a coauthor of the books Smart Environments: Technology, Protocols, and Applications (Wiley, 2005) and Mobile Agents in Distributed Computing and Networking (Wiley, 2009). He is the Founding Editor-in-Chief of Elsevier's Pervasive and Mobile Computing journal. He is an Associate Editor of ACM/Springer Wireless Networks, Journal of Parallel and Distributed Computing, and Journal of Peer-to-Peer Networking. His current research interests include wireless and sensor networks, mobile and pervasive computing, smart environments, pervasive security, applied graph theory, and game theory. In addition to several best paper awards, he is a recipient of the IEEE Computer Society Technical Achievement Award (2009) and the IEEE Region 5 Outstanding Engineering Educator Award (2009). He is an Associate Editor of IEEE Transactions on Mobile Computing and IEEE Transactions on Parallel and Distributed Systems. He has served as the General and Technical Program Chair of numerous conferences.