Messages: Message from the general chairs

Abstract

Welcome to the 18th IEEE Virtual Reality conference. As with past conferences, we hope to excite and inspire you with the many events scheduled as part of IEEE VR 2011. Also, we want to emphasize that IEEE VR comes to Asia for only the second time in its long history. It was in Yokohama, Japan in 2001, and this time it will be held in Singapore, one of the most advanced and still rapidly advancing countries in Asia.

Full text

i
A Message from the General Chairs
The workshop on Research Challenges in Security and Privacy for Mobile and Wireless
Networks (WSPWN) was held in Miami, Florida on March 15 & 16, 2006 and was
funded by the National Science Foundation (NSF), in cooperation with the Department of
Electrical Engineering and Computer Science of the College of Engineering at the
University of Toledo, and with the Telecommunications and Information Technology
Institute (IT2) of the College of Engineering and Computing at the Florida International
University (FIU) to establish the main research challenges in security and privacy for
Mobile and Wireless networks, to serve the rapidly emerging security area for mobile and
wireless community of researchers and practitioners. The workshop provides a single,
cohesive, and high-quality forum for disseminating research and experience in this
emerging field. Of significance is the integration of many diverse communities. The areas
of security and privacy for mobile and wireless networks combine the best of both
worlds, namely academia and industry. The objective of the workshop is to define and
establish a common infrastructure of the discipline and to develop a consensus-based
document that will provide a foundation for implementation, standardization, and further
research.
The Workshop Program Chairs Dr. Peter Reiher (University of California at Los
Angeles), Dr. Kami. Makki (University of Toledo) assembled a truly impressive
program committee. Together with the program committee, they worked diligently
to select papers and speakers that met the criteria of high quality and relevance to
our various fields of interest. It takes time and effort to review a paper carefully,
and every member of the program committee is to be commended for his/her
contribution to the success of this workshop. The papers contained in these
proceedings focus on original research results in the areas of theory, design,
implementation, and applications of the security and privacy for mobile and wireless
networks. They identify challenging problems facing the development of such
technologies and provide novel, innovative, and fundamental advances in the areas.
We sincerely believe you will find the manuscripts included in these proceedings to
be of significant technical merit.
A lot of work went into organizing this workshop, forming this program, and
producing the proceedings. We would like to express our deepest personal thanks to
keynote speakers, invited speakers, speakers, and the various workshop organizers
for their efforts. We take this opportunity to acknowledge the excellent work done
by Program Chairs Peter Reiher and Kami Makki. We are grateful to NSF who
generously funded this workshop. Specifically, we would like to thank the honorary
conference chair Dr. Joseph Evans, National Science Foundation (NSF).
It was our great honor and pleasure to accept the responsibilities and challenges
of general chairs. We are pleased to offer an excellent program, and we hope that
you all took advantage of these opportunities for professional development. We
hope that the workshop was stimulating, informative, enjoyable, and a fulfilling
experience for all who attended.
Kia Makki, Florida International University
Niki Pissinou, Florida International University

ii
A Message from the Program Chairs
On behalf of the program committee it gives us a great pleasure to present the
program and the proceedings for the workshop on Research Challenges in Security and
Privacy for Mobile and Wireless Networks (WSPWN06), which was held in Miami,
Florida on March 15 & 16, 2006. The workshop has got off to an excellent start with a
very strong program for the inaugural offering. We have papers on many important
current and emerging topics ranging from modeling worms that take advantage of
mobility to new models of sensor nets that are more resilient to important forms of attack.
These papers are results of latest research activities in the exciting and rapidly expanding
area of privacy and security in the mobile and wireless world. Each manuscript was
reviewed by at least three reviewers. The quality of the accepted papers shows the
diligent work of the authors and reviewers. I wish to thank all authors of submitted papers
for their hard work and ideas; it has been a difficult job selecting papers for inclusion in
the proceedings. The workshop accepted a total of 10 papers from 21 submissions an
acceptance ratio of 47 percent. We also have two invited papers.
We would like to thank the keynote speakers and invited presenters for agreeing
to present special sessions at the workshop. These sessions have greatly enhanced the
program. We would like to thank the workshop Program Committee members for helping
to organize the program and for doing an outstanding job in referring the submitted
papers. Our thanks go also to the external reviewers, particularly those who were given
short notice to do some extra reviews.
Our special thanks go to the Applied Computational Electromagnetic Society
(ACES) for handling the submission of the papers, registrations and all the other
logistics.
We are sure you will find the workshop on Research Challenges in Security and
Privacy for Mobile and Wireless Networks (WSPWN) an interesting and exciting
workshop.
Peter Reiher, University of California at Los Angeles
Kami Makki, University of Toledo

iii
Organizing Committee
Honorary Conference Chair
Joseph Evans, National Science Foundation/The University of Kansas
General Co-Chairs
Kia Makki, Florida International University
Niki Pissinou, Florida International University
Program Co-Chairs
Peter Reiher, UCLA
Kami Makki, University of Toledo
International Vice-Chairs
Xiaohua Jia, City University of Hong Kong
Mohsen Guizani, Western Michigan University
Workshop Proceedings Chair
Shamila Makki, Florida International University
Finance Co-Chairs
E.K. Park, University of Missouri, Kansas City
Senad Busovaca, California State University, Sacramento
Local arrangement Chair
Kang Yen, Florida International University
Osama Mohammad, Florida International University
Program Committee
Ehab Al-Shaer, DePaul University
John Baras, University of Maryland
Bharat Bhargarva, Purdue University
Mike Burmester, Florida State University
Senad Busovaca, California State University, Sacramento
Roy Campbell, University of Illinois, Urbana Champaign
Christos Douligeris, University of Piraeus, Greece
Ophir Frieder, Illinois Institute of Technology
Virgil Gligor, University of Maryland
Xiaohua Jia, City University of Hong Kong
Parviz Kermani, IBM Watson
Jiejun Kong, UCLA
Birgitta Koenig-Ries, Karlsruhe University
Wenke Lee, Georgia Tech
Jinbao Li, Heilongjiang University
Xuan Liu, IBM Watson

iv
Douglas Maughan, HSARPA, Department of Homeland Security
Jelena Mirkovic, University of Delaware
Wuxu Peng, Texas State University
Adrian Perrig, Carnegie Mellon University
Frank Seliger, IBM Pervasive Computing, Germany
Mani Srivastava, UCLA
Peng-Jun Wan, Illinois Institute of Technology
Weili Wu, University of Texas at Dallas
Jie Wu, Florida Atlantic University
Guoliang Xue, Arizona State University
Yelena Yesha, University of Maryland, Baltimore County
Yongguang Zhang, HRL Labs

v
Table of Contents
 A message from the General Chairs………………………………………………….....……. i
 A message from the Program Chairs……………………………………………..................... ii
 WSPWN 2006 Organizing Committee……………………………………………….…........ iii
 WSPWN 2006 Technical Committee……………………………………………….……….. iii
Keynote Address: Joseph Evans, NSF/UK
Session 1: Trust
 Pervasive systems: Enhancing trust negotiation with privacy support….......................... 1
Kajetan Dolinar, Tomaz Klobucar, and Jan Porekar
 An Overview of Models applying Trust Management as a Component of Security
Services in MANETs……………………………………………………………………….. 11
Dagmara Speiwak and Thomas Engel
 A Framework for Computing Trust in Mobile Ad Hoc Networks………………...…..... 31
Tirthankar Ghosh, Niki Pissinou, Kia Makki, and Ahmad Farhat
Session 2: Invited papers
 Reactive and Proactive approaches to Secure Routing in MANETs…………………… 45
Mike Burmester and Tri Van Le
 Toward Efficient Solutions to Resist Mobile Traffic Sensors: How Much Performance
Cost is Paid by On-demand Anonymous Routing Protocols…………............................. 61
Jiejun Kong, Jun Liu, Xiaoyan Hong, and Mario Gerla
Session 3: Miscellaneous Topics
 Computer Ecology: Responding to Mobile Worms with Location-Based Quarantine
Boundaries………………………………………………………………………………..… 71
Baik Hoh and Marco Gruteser
 Approaches for Ensuring Security and Privacy in Unplanned Ubiquitous Computing
Interactions………………………………………………………………………….…….... 86
V. Ramakrishna, Kevin Eustice, and Matthew Schnaider
 Mobile Handset Authentication and Authorization in Distributed Wireless
Environments……………………………………………………………………………… 104
Pankaj Aggarwal, Kartikeya Tripathi, Janise McNair, and Haniph A. Latchman
Session 4: Ad Hoc and Sensor Networks
 Hardware/Software Solution to Improve Security in Mobile Ad-hoc Networks……... 116
Sirisha Medidi and Jose G. Delgado-Frias
 An Anonymous MAC Protocol for Wireless Ad Hoc Networks…………...…………... 122
Shu Jiang
 Opportunistic Networks: The Concept and Research Challenges in Privacy and
Security………………………………………………………………………….…………. 134
Leszek Lilien, Zille Huma Kamal, and Ajay Gupta

Session 1
Trust

Pervasive systems: Enhancing trust negotiation with privacy support
Kajetan Dolinar
1
, Jan Porekar
1
, Aleksej Jerman-Blažič
1
and Tomaž Klobučar
2
1
SETCCE (Security Technology Competence Centre)
Jamova 39, Ljubljana, Slovenia
kajetan@setcce.org ,
jan@setcce.org, aljosa@setcce.org
2
Jožef Stefan Institute
Jamova 39, Ljubljana, Slovenia
klobucar@e5.ijs.si
Abstract: This paper covers topics related to privacy and trust negotiation applied in pervasive information
systems. We consider the turbulent nature of pervasive environments and highlight special privacy and trust
issues that arise from it. The current state of trust negotiation is summarized. We propose an extended
negotiation model that not only enables parties’ access control but produces a privacy agreement as the outcome
of the negotiation. This privacy agreement needs to be mutually signed by both parties and is the starting point
for enforcement strategies in the event of abuse of agreed privacy practices. In the paper we also describe
privacy risks of the state-of-the-art trust negotiation methods.
Keywords: Pervasive systems, ubiquitous systems, trust negotiation, privacy negotiation, privacy threat,
privacy agreement
1. Introduction
Pervasive or ubiquitous systems have been the subject of intense conceptual research in recent years [1, 2].
In favour of the sceptics, who believe that a physical world around us is complicated enough and that
humankind has more important things to do than to build its digital counterpart, one can easily observe that such
pervasive systems are still pure science fiction in terms of technical implementation today.
The number of electronic devices connected to the network is expected to rise exponentially and will
eventually outnumber humans living on the planet. Mobile devices such as laptops, personal digital assistants
and cellular phones will steadily increase in number. Standard household appliances and machines will be
connected to the network and new intelligent appliances and biosensors will emerge.
The vision of pervasive systems is to integrate all those different devices in a world where computer
technology will slowly disappear from everyday lives and eventually become invisible - A world in which
computer systems will seamlessly adapt to user context and will help a user perform tasks by inferring his
intent. A world in which a digital representation of the user, the user’s data and the user’s digital workplace will
constantly be copied across various network nodes in order to follow the user in his real world geographical
movements. Many of these devices will have a certain degree of passive and active intelligence built in and will
act as sensors or reality aware processing nodes. Aside from these peripheral devices, a vast network of
intelligent middleware will have to be provided in order to achieve the synchronous intelligent behaviour of the
whole pervasive network.

In order for this to be achieved, a large amount of private user data, preferences, behavioural habits and
other information about the user will need to be processed and exchanged among various network nodes and
subsystems. With the data inferred, related conclusions will again be exchanged all over the system. In such a
system, it is of paramount importance to assure privacy and maintain control of turbulent private information
flow, whilst preventing leakages of sensitive private information.
Another aspect which further blurs privacy issues is diminishing of conventional role of thin, not-trusted-
user-client and large-corporate-service. Pervasive systems are service oriented platforms where everything can
potentially act as a service, including the user. The opposite is also true: every service will potentially be able to
take on the role of a user. In pervasive systems, a user and service are simply roles that can be swapped or
interchanged. These two roles merely describe the nature of the communication, since the user is the party that
initiates the communication and the service is the party that replies and grants access to the user. To avoid
confusion, we will use terms supplicant for the user and supplier for the service. Distributed systems are
traditionally seen as environments where the user is normally not a trusted party and services are more or less
trusted. In pervasive systems such as the DAIDALOS pervasive platform [9], this relation between a small user
and fat service disappears or can even be intertwined.
The concepts of privacy protection are supported by three distinguishable mechanisms which conduct the
process of privacy terms agreement, data access control and anonymization of the subjects involved in the
process. These concepts are also known as privacy or trust negotiation, virtual identities and (access control)
credentials. The first step towards protecting a user’s private data is a multiparty understanding of the terms,
conditions and content of private data collected and used. When a bilateral (or multilateral) agreement is
reached, a selection of virtual identities is generated and activated, interpreting subjects and their context behind
different levels of anonymous identifiers. The final step in the process is to relate selected identities with the
user context to be used by the service and to unveil private data access control rules enforcing credentials.
The initial and principal step of privacy mechanisms is the negotiation process which defines the framework
for private data protection. We therefore investigate the current state of trust or/and access control negotiation
and highlight the need for it to be extended with assertions about privacy in order to satisfy the privacy
constraints of the pervasive environment. The result of such a negotiation would be: the granting of access to
services and a privacy agreement that could be used by privacy enforcement systems. In the paper we also
describe privacy risks of the state-of-the-art trust negotiation methods.
2. Trust Negotiation
Trust negotiation is a process through which mutual trust is incrementally established by the gradual
exchange of digital credentials and requests for credentials among entities that may have no pre-existing
knowledge of each other. Digital credentials are an electronic analogue of paper credentials used to establish
trust in the every day world. Upon successful trust negotiation the supplicant is granted access to the protected
resource [3, 4].
During trust negotiation, the disclosure of credentials is governed by access control policies. Trust
negotiation has been intensely discussed in various publications in recent years [3-6, 12, 13]. You will also find
a brief description of a trust negotiation protocol in this document.
The parties involved in trust negotiation will be named the supplicant and the supplier. The supplicant is the
party that requests access to resource R, and the supplier is the service providing it. Trust negotiation protocol
consists of two types of messages which are exchanged between the supplicant and supplier:
1. Requests for credentials or resources;

2. Disclosures of credentials or resources.
In the text below we describe a typical negotiation example. In the first step of negotiation a supplicant
sends a request to a supplier for access to the resource R. The supplier can either grant access to the resource R
directly or request an additional set of credentials C1 to be sent first. In this case, the supplicant can decide
whether he trusts the supplier enough to disclose C1. If the supplicant doubts about the supplier’s
trustworthiness, he can reply by requesting an additional set of credentials C2 from the supplier. When the
supplier replies by presenting credentials C2, the supplicant replies by sending credentials C1 back to the
supplier. Because all requests have been satisfied and appropriate credentials presented by both parties, the
supplicant is granted access to the requested resource R. For better clarity, the example is presented in
Fig. 1
.
Fig. 1: Trust negotiation schema
In general, negotiation may consist of several steps. In each step, one of the two parties may disclose some
credentials that were requested by the other party during the previous step. In addition to the disclosure of
credentials a party may choose to request additional credentials to be disclosed by the other negotiating party,
before it trusts the other party enough for the requested credential to be revealed. The exact flow of the
exchanged credentials depends on decisions made by each party involved in negotiation and is referred to as
“strategy” [4, 6]. Strategies determine which credentials are to be revealed, at what times and when to terminate
the negotiation. Strategies can be either more liberal or more conservative in terms of willingness to disclose the
information. In this manner the trust is gradually established between both negotiating parties.
3. Weaknesses of trust negotiation
We define privacy risk, or privacy threat, as a measure of the possibility that private data, which is desired
to stay private, is revealed without the owner having the ability to prevent this. A Privacy leak is defined as any
unintentional disclosure of private data, either as a consequence of negligence, weak privacy provision methods,
or capability to compromise these. Thus, any leak is also a threat, fulfilled threat, and it depends on degree of
information leaked how big threat it is.

The main goal of the trust negotiation process described above is to grant the supplicant access to the
requested resource. The very fact that sensitive attributes are revealed during the negotiation process calls for
attention, in fact under certain conditions even access control policies can be regarded as private or sensitive
information that needs to be handled with special care.
Apart from the straightforward disclosure of private information during manipulation, privacy can be at risk
in a far more indirect and opaque sense. Pervasive environments make information processing highly intensive
and penetrating and can render small pieces of information which can be stepping stones to the disclosure of
greater secrets. Quite naturally, a large amount of personal information will already be available to systems in
the pervasive environment after a longer period of use of the system. Although data have probably been made
adequately anonymous as far as possible (compare methods for pseudonymizing in [7] or the virtual identity
approach in [9]), inference capabilities of a pervasive environment can aid in correlating sets of anonymous data
with each other. This can make aggregating correlated data possible and resolving personal profiles to an extent
where it is finally unambiguous in relation to one unique person. This possibility is called linkability of
(anonymous) personal information. We want to avoid this is the effect by all means and aggravating this is one
of the major concerns of identity management systems in a pervasive environment (compare again [7] and [9]).
For this reason we compare the pervasive environment to the example of a chaotic dynamic system with respect
to the degree and significance of information disclosed over time. Any information available can consequently
result in a disclosure of certain private data which was not intended in the first place – thereby resulting in a
privacy leak. The measures taken to prevent linkability can therefore never be exaggerated and every procedure
involved in disclosing private data has to be evaluated from this viewpoint.
In this section we study weaknesses of the described trust negotiation methods that can lead to privacy leaks
in the sense of the straightforward disclosure of private data, for example disclosing a sensitive credential, or
due to linkability. Some of the weaknesses have already been discussed in literature [4] and some of them
reflect our original work. The related leaks and threats pertain to supplier as well as to supplicant, especially
straightforward disclosure. But while the supplier is often (but not necessary) a publicly known entity, it is
characteristic for the supplicant to focus more relative importance on maintaining anonymity and thus linking is
of more threat to supplicant.
Disclosing credentials could be a privacy risk.
When the supplicant is requested to disclose certain
credentials during the negotiation, it may react to the request in various ways. If the credential is not valuable
enough to the supplicant in the context of the current negotiation, the supplicant may choose to willingly present
the credential without much hassle. An example of such a negotiation situation would the case where a
supplicant is trying to buy a camera from an online store and he gets offered a discount if he is willing to
present credentials that prove that they are a citizen of the European Union. If user is not concerned with anyone
finding out that he or she is indeed a citizen of EU, disclosing the credential results in minimal privacy threat.
On the other hand if a British Secret Service agent is asked to provide an MI5 membership credential in order to
get discount on a camera he is trying to buy, it is a obviously a different matter. MI5 membership credentials is
sensitive information that is not to be shown to just anyone and disclosing it could be a serious privacy risk, thus
highlighting another category of linking private data.
Obviously a disclosure of credentials is a potential privacy leak. But the answer to the request for certain
credentials can also potentially yield information. An example of such an information leak would be that of a
supplier requesting a supplicant present an “MI5 Membership Credential”. In order for the supplicant to
determine if the supplier is trusted enough, the supplicant asks the supplier to provide the “Ring of Secret
Service trusted Membership” credential. When the supplier receives the additional request from the supplicant it
can assume with a certain degree of probability that the supplicant possesses the credential that was requested in
the first place. The amount of probability depends on different negotiation strategies that supplicant chooses to
pursue and his ability to bluff.

Not disclosing credentials could in some cases also yield useful information for linking. The sole fact that
the supplicant has attempted to access a supplier resource could limit the scope of possible supplicants.
Credentials may indicate that the supplicant belongs to one of two mutually disclosing classes of supplicants.
Inability to provide the requested credential, either due to disagreement or failing to posses one, could also
enable the supplier to categorise the supplicant and thus to help linking of data in the future.
Disclosing access control policies could be a privacy risk. When a supplier is asked to grant access to the
requested resource it can provide the feedback about requested credentials back to the supplicant in many
different ways. If the supplier has its access control policies on public display, it is fully acceptable for it to
return the whole policy back to the supplicant. Afterwards the supplicant accepts can then navigate through
many parallel options in order to find the combinations of credential disclosures that are optimal for him. While
this is fully acceptable if the supplier is a governmental organisation that provides its services to citizens and
has published access control policies; it is not the case when a supplier is a service providing sensitive
resources. For example if a supplier is a server of the British Secret Service, which is providing sensitive top-
secret data to its agents on the road it will not publish its policies to the public, since the policies contain
valuable data on the organisational hierarchy of the supplier, and revealing the policies would provide valuable
information which could be potentially misused. Instead, the supplier will try to minimize the amount of
information provided at each step of negotiation by requesting one credential after the other or maybe choosing
not to provide information detailing which credentials should be disclosed to the user at all.
Exploiting negotiation to steal private data – trust negotiation piracy. With careful design of trust
negotiation algorithms it can be possible to exploit the trust negotiation protocol to serve private information
under pretext of a legal purport. The purport is more likely to be abused by a supplier role in the context of a
service provider with a range of services, promised large enough to relate to a wide scope of interesting
categories about supplicants. Consider following example.
The supplier is a service offering bets in several categories, depending on the supplicant profile. The
supplicant is provided a possibility to apply for the service as a pseudonymous user with its true identity hidden.
Systems for auditing in a pervasive platform architecture make non-repudiation of debts possible (compare [10]
for example). Although the service might actually provide what it has claimed to provide (it has also been
certified so), let us suppose that it also has the intention to aggregate the profile information of supplicants in
order to (at least partially) determine their identity. The handshaking could possibly proceed as follows:
1. Supplicant: accesses the service web portal.
2. Supplier: “We offer several categories for bets: bets on the outcome of sport events, bets on the
outcome of political events, bets on the results of science research … Select your interest …”
3. Supplicant: chooses politics.
4. Supplier: “Which event from following: the outcome of upcoming elections, …, the outcome of the
acceptance of last week’s formal proposal for amendment to act 26.8/2005, …”
5. Supplicant: chooses an event.
6. Supplier: demands a credential that supplicant’s age is above 18.
7. Supplicant: demands credential that supplier will not use this information for any other purpose than
service provisioning.
8. Supplier: provides the credential.
9. Supplicant: provides the credential.
10. Supplier: “We only allow bets above 1.000,00 € for this category.” Demands a credential on
supplicant’s financial liability.
11. Supplicant: demands credential that supplier will not use this information for any other purpose than
service provisioning. Supplicant: provides the credential.
12. Supplier: provides the credential.
13. Supplicant: provides the credential.

14. Supplier: demands a credential that supplicant is not employed in a state department service. The
supplier imposes the restriction based on the fact that access to privileged information would help to
win bets, and is not allowed.
15. Supplicant: withdraws.
If we analyze the above sequence we can figure out that supplier could deliberately design categories to
address classes of people and their interest. When the supplicant has revealed his interest via selection in step 3,
the supplier can then assign the supplicant to this category. Further suppose that the supplicant designed events
according to increasing political awareness, as carefully as it can imply certain political skills and positions.
Then selection under step 5 further scopes the category.
After step 5 the true exchange of credentials in the sense of trust negotiation starts. The resource here
negotiated for is a betting account on a respective event. After each credential is received, the supplicant can
determine a more focused scope of potential persons satisfying specific attributes: age, financial profile and
associated implications … And finally, the supplicant can also determine why a supplicant has withdrawn –
possible causes could involve people with significant political positions. Moreover, the sequence could be
designed as to gradually lead the supplicant through the disclosure of credentials with less privacy threat, and
then to present requests for credentials with higher threat so that many credentials will have already been
disclosed before the supplicant finally refuses to make further disclosures and withdraws.
Similar services already exist in today’s Internet world and there is no reason to think that such scenarios
would not appear in a pervasive environment. The supplier could have sophisticated systems for reasoning in
place, as this is not unusual aspect of pervasive system capabilities. If we assume an appropriate degree of
information processing and a large enough period of time, the supplier can deduce information about people
concerning their bets, their financial status, and their interests – and can enable the linking of this information to
real persons and then use this for blackmailing and other illegal activities. With this in mind, the above
resolutions are not really unbelievable.
The first weakness of trust negotiation apparent from the above example is that disclosing interest in step 3
and 5 is not included in trust negotiation. If we consider that in pervasive systems it will be practically
impossible for a supplicant to perform or even only supervise privacy related procedures because of the high
degree of information exchanged in very short time periods, trust negotiation and the remaining subsequent
enforcement has to be done in a computer aided manner. The supplicant will rely on the privacy subsystem in
order to have privacy adequately maintained. Disclosure of this kind of information as in steps 3 and 5 was done
willingly, but supplicant software components were not given the chance to evaluate the consequences and
make this subject to identity management. Thus this could represent a privacy threat and allow future privacy
leaks. General terms about the attitude towards abstract notions of disclosing, as for example a specific interest,
which needs to be identified in the overall negotiation and provided for processing to enforcement systems. For
example, this is necessary for identity management if it should be able to extract information on how big a
threat of linking is with respect to the disclosed interest and what virtual (or partial) identity should be selected.
The second weakness is that at the end of the above sequence the supplicant didn’t get access to the
resource, but has still revealed quite a large amount of personal information. Trust negotiation cannot happen in
pure general terms arguing on meaning of resources and credentials in advance. By applying purely general
terms of negotiation we could resolve collisions in attitudes of supplier and supplicant before any resources or
credentials are disclosed, and thus supplier is left only information about supplicant attitudes, while credentials
were preserved.

4. Extending trust negotiation to support privacy
In the document above we have shown the need for current trust negotiation to be extended to support
privacy issues. Generally speaking two different approaches could be undertaken to achieve this.
The first one is to introduce negotiation of general terms of privacy practices exercised on information both
parties are about to disclose in the future and do this before trust negotiation. We have chosen to name this new
kind of negotiation a privacy negotiation. Here we keep this separated from trust negotiation. To facilitate such
a negotiation no resource is explicitly necessary to be disclosed in order to achieve a resulting agreement;
instead we argue about the attitude towards opposite side practices with respect to manipulating private data. A
way of formal description of resources is required, and related semantics and a means of semantic processing so
that reasoning on relevant statements can be performed. For a possible example of a suitable framework see
[14]. Privacy policies need to be specified in a formal way suitable for computer processing. Privacy policies
need to be specified in a formal way suitable for computer processing. Much interesting research for this has
been done with respect to an ontology approach; compare for example [16]. We will avoid presenting here
detailed techniques to technically facilitate such a formal negotiation as the scope of this paper focuses mostly
on specific problems of protocols and related threats. The outcome of a negotiation is a set of statements
expressing the attitude of a supplier and supplicant to the matters exposed in the negotiation, whose meaning
can be resolved against resources. This set is respected as a privacy agreement, a formal document which is
mutually signed. After this negotiation the parties would proceed and start a well known trust negotiation.
The second approach extends current models of trust negotiation to support privacy negotiation requests and
corresponding privacy negotiation agreements as responses, relying on the approach from the previous
paragraph. After successful negotiation all privacy agreements from various levels of negotiation are merged
into a final privacy agreement, while trust negotiation itself is still performed in parallel.
In a naive way the first approach could be implemented using existing solutions. For the privacy negotiation
practice, P3P policies can be used [15]. The user is presented the P3P privacy policy when trying to use the
service. The only option for the user is to accept the privacy policy presented by the service and opt in, or out,
of certain issues. Beside the mentioned opting not much of negotiation takes place using P3P policies. With user
accepting the P3P terms of the privacy policy privacy agreement is reached. The next stage would be to
negotiate for access to requested resource using one of the negotiation systems available today (i.e. Peer Trust,
Trust Builder, etc.) (see [12, 13]). The problem with this approach is that in many cases trust cannot be
evaluated solely on a general basis but some credentials have to be disclosed in order to proceed. There are
several reasons why pure privacy negotiation cannot efficiently bring the negotiation to an end. Negotiating
general terms would result in resolving a very huge problem space of possible solutions to the negotiation
because a peer (supplier or supplicant) doesn’t have options clearly defined; a peer explicitly requests a
credential in order to continue negotiation; etc. This leaves us with no other option than merging privacy
negotiation and trust negotiation into a common framework.
5. Proposed trust protocol extended to support privacy
Based on the statements in the previous section we construct a protocol supporting integration of privacy
measures into trust negotiation. Four different types of assertions are part of the protocol:
1. request for credentials or resources
2. disclosure of credentials or resources
3. request to agree with certain privacy practices (proposals of privacy agreements)
4. acceptance of privacy practices proposals (accepted and signed privacy agreements)

The parties involved in a process of negotiation are a supplicant and a supplier. An example of negotiation
is described below that corresponds to
Fig. 2
. The supplicant is the party requesting access to a specified
resource R and the supplier is the service providing this resource. In the first step of negotiation the supplicant
sends a request to access R to the supplier. The supplier can either grant access to the supplicant or request
additional credentials C1 to be revealed. In case of additional credentials being requested the supplicant can
either disclose the requested credential or reply back to the supplier with another request.
Fig. 2: Schema of privacy extended trust negotiation
But, as a difference to an ordinary trust negotiation, it is now possible to follow data minimisation
principles (for definition see [8]): we don’t want to disclose the requested credential at this point as we’re not
sure whether negotiation will succeed at all. In case the negotiation was unsuccessful, we would end with a
series of credentials disclosed, but no real effect achieved (as described in Chapter 3). From the data
minimisation principle aspect this is not allowed. Data minimisation principle imposes a requirement for
amount of private data disclosed for service provisioning being as small as possible, disclosing only really
necessary information. But in this case we have possibly already disclosed a significant amount of private
information before negotiation failed by revealing credentials about various attributes associated to user’s
private life. Instead of this here we rather argue about privacy terms in general at this point, applying only
privacy negotiation until this is still possible from logical viewpoint.
The partial agreement that was done in sense of privacy negotiation sequence will from now on be called a
micro-agreement to avoid confusion with a cumulative privacy negotiation agreement that aggregates all the
micro-agreements which were reached and signed during the process of privacy negotiation. This cumulative
privacy negotiation agreement is mutually signed as well.
6. Privacy agreement
The privacy negotiation agreement consists of many independent micro-agreements (MA). Each of the
micro-agreements being mutually signed by both parties involved in negotiation in order to limit potential
repudiation of the agreement.

No matter of the result of negotiation the micro-agreements are bound into privacy negotiation agreements
after the negotiation is finished. If negotiation outcome was successful, the privacy negotiation agreements are
mutually signed by both parties. In case the negotiation was terminated before access control was granted, the
micro-agreements can still be bundled into a privacy negotiation agreement. This way potential misuse of
information about sensitive attributes is prevented in at least a formal juridical way.
Privacy agreement can be viewed as a digital analogue of the paper based contracts and agreements
exchanged by parties every day, which consist of obligations that both parties involved in a contract or
agreement need to fulfil. In real world examples these obligations are usually payment on one hand and
providing resources, products or services on the other. In the context of privacy agreements the obligations are
private or sensitive information on one hand and privacy practices on the other. By the term privacy practices
we refer to the way private information is handled, to which 3rd parties it will be transferred and how it is
inferred, aggregated or statistically manipulated.
Privacy agreement is a starting point for different privacy enforcement systems to act upon. These systems
can either be identity management components or components that are analogous to legal prosecution systems
of real world, such as auditing and logging components in DAIDALOS [9]. The agreements are taken as input
information for systems determining whether the services or users comply with promised privacy practices.
If one of the parties denies signing the privacy negotiation agreement when negotiation was not successful
and resulted in termination, it can be treated as intent of privacy agreement misuse and this can immediately be
reported to privacy enforcement components of the system.
Fig. 3: Privacy Negotiation Agreement is an aggregation of micro-agreements

7. Conclusions
The privacy policy negotiation process involves gradual step-by-step disclosure of attribute values between
both the supplier and the supplicant and is therefore a possible source of privacy leakage. Both supplier and
supplicant need to negotiate firmly and conservatively in order to minimize this leakage. If a conservative
strategy is used consistently, less and less negotiations will end in a positive resolution. In the current model
there is no way for the user to determine the type of negotiation strategy to use with the given service – whether
the user initially should have conservative or liberal stance towards the service.
In order to expand this, the current privacy negotiation models should be composed with existing trust
modelling techniques using the trust and risk computation modelling techniques. Fusion of these trust
management systems, privacy negotiation and identity management models should introduce a concept of initial
measure of trust between user and service. Upon this trust the negotiation strategy could be chosen (either
conservative – privacy paranoid, neutral, or liberal – give all information away like). This trust would be
constantly updated through a loop – like feedback of trust reporting. The initial measure of user’s trust is based
on the aggregation of previous experience of users with the service using different trust and risk computation
techniques [11].
References
[1] D. Saha, A. Mukherjee. Pervasive Computing: A Paradigm for 21st century, IEEE Computer Society,
March, 2003.
[2] M. Satyanarayanan. Pervasive computing: Vision and Challenges, IEEE Personal Communications, IEEE
Computer Society, August, 2001.
[3] B. Bhargava, L. Lilien, A. Rosenthal, M. Winslett. The Pudding of Trust, IEEE Intelligent Systems, IEEE
Computer Society, September / October, 2004.
[4] K. E. Seamons, M. Winslett, T. Yu, L. Yu, R. Jarvis. Protecting Privacy During On-line Trust Negotiation,
Lecture Notes in Computer Science, Springer-Verlag GmbH, 2002, Volume 2482 / 2003, pp. 129 – 143.
[5] K. E. Seamons, M. Winslett, T. Yu. Limiting the Disclosure of Access Control Policies during Automated
Trust Negotiation, Proc. symposium on network and distributed systems security, NDSS, 2001.
[6] W. Chen, L. Clarke, J. Kurose, D. Towsley. Optimizing Cost-sensitive Trust-negotiation Protocols,
Technical Report 04-29, Dept. of Computer Science, UMass, Amherst, 2004.
[7] Prime Consortium. PRIME – Architecture version 0 - Deliverable D14.2.a, 2004.
[8] Prime Consortium. PRIME – Framework version 1 - Deliverable D14.1.a, 2005.
[9] DAIDALOS Consortium. DAIDALOS pervasive systems privacy and security framework and mechanisms
- Deliverable D421, 2004.
[10] DAIDALOS Consortium. A4C Framework Design Specification – Deliverable D341, 2004.
[11] M. Richardson, R. Agrawal, P. Domingos. Trust Management for the Semantic Web, Proc. 2nd
International Semantic Web Conf., LNCS 2870, Springer-Verlag, 2003, pp. 351-368.
[12] W. Nejdl, D. Olmedilla, M. Winslett. PeerTrust: Automated Trust Negotiation for Peers on the
Semantic Web, Secure Data Management, pp. 118-132, 2004.
[13] M. Winslett , T. Yu, K.E. Seamons, A. Hess, J. Jacobson, R. Jarvis, B. Smith, L. Yu. Negotiating trust
in the Web, Internet Computing, IEEE, Nov/Dec 2002, Vol. 6, pp. 30-37.
[14] OpenCyc, http://www.opencyc.org.
[15] Wenning, R. (Ed.). The Platform for Privacy Preferences 1.1 (P3P1.1) Specification, W3C Working
Draft, July 2005.
[16] W. Nejdl, D. Olmedilla, M. Winslett, C.C. Zhang. Ontology-Based Policy Specification and
Management, European Semantic Web Conference (ESWC 2005), May/Jun. 2005, Heraklion, Greece.

An Overview of Models applying Trust as a Component of Security Services
in MANETs
Dagmara Spiewak and Thomas Engel
SECAN-Lab
University of Luxembourg, 6, r. Richard Coudenhove-Kalergi, L-1359 Luxembourg
Dagmara.Spiewak@uni.lu
SECAN-Lab
University of Luxembourg, 6, r. Richard Coudenhove-Kalergi, L-1359 Luxembourg
Thomas.Engel@uni.lu
Abstract: Mobile ad-hoc networks (MANETs) are systems of wireless and mobile nodes that
interconnect in an arbitrary way. Because of the dynamical self-organized network topologies and the
principally missing infrastructure, required to achieve correct and secure communications and to ensure
proper behavior, security in MANETs is assumed trickier than in conventional and hierarchical network
systems. Unfortunately, traditional and approved security mechanisms such as Public Key Infrastructures
(PKI) with central certification authorities (CA) or other trusted third parties (TTP) are not applicable in
such almost anarchistic network structures. Thus, the establishment of Trust as a component of security
services in networks or as an essential foundation for succeeding security procedures is virtually
ubiquitous and could lead to a milestone regarding security in mobile ad-hoc networks. In this paper, we
present an overview of several trust evaluation, trust evidence and trust evidence distribution approaches
with regard to their applicability to mobile ad-hoc networks. Additionally, to our description of already
existing trust models, such as Pretty Good Privacy (PGP) or the Distributed Public Key Trust Model, we
discuss a new Trust Evidence Distribution Model founded on an Ant-Based Algorithm (ABED).
Keywords: Trust, MANET, Security, Attacks
1. Introduction
Security-sensitive data and applications transmitted within mobile ad-hoc networks require a high
degree of security. Because of the absence of fixed base stations and infrastructure services like routing,
naming and certification authorities, mobile ad-hoc networks differ highly from traditional hierarchical
and wireless IP networks. In MANETs nodes form and leave the network dynamically, sometimes even
without leaving a trace and the network topology may change rapidly. Consequently, it is very important
to provide security services such as authentication, confidentiality, access control, non-repudiation,
availability and integrity. Due to the fact that certification authorities (CA) as trusted third parties (TTP)

are not applicable in mobile ad-hoc networks the notion of Trust becomes more and more important.
Although Trust is well known in everybody’s life, the formal definition poses several challenges. In [13]
Pradip Lamsal presents a wide expertise on the description of trust in networks and its relationship
towards Security.
Nowadays the concept of Trust mainly appears in combination with the Internet, especially when
considering online banking or online shopping using for example the PayPal Payment System that can be
utilized for securely transferring money over the Internet. In [14] we find a direct comparison between
trust systems applied in the Internet and the requirements on trust systems in spontaneous emerged mobile
ad-hoc networks, where the trust establishment has to be performed without the presence of a trust
infrastructure. Due to the dynamical character and quick topology changes, trust establishment in
MANETs should support among others a short, fast, online, flexible, uncertain and incomplete trust
evidence model and should be independent of pre-established trust infrastructures.
In this context Pirzada and McDonald [16] emphasize the interdependency of trust and security, while
security is highly dependent on trusted key exchange and trusted key exchange on the other side can only
proceed with requisite security services. Ad-hoc networks rest on trust-relationships towards the
neighbors that evolve and elapse on the fly and have typically only short durability. Assuming such an
environment misleadingly as cooperative by default would ignore the high vulnerability to attacks on
these trust relationships. Because selfish, malicious, or faulty nodes can pose a threat to availability in
mobile ad-hoc networks or even exploit these trust relationships in order to reach desired goals. To
overcome these difficulties, trust in mobile ad-hoc networks has been established, introducing several
conditions, such as the presence of a central authority. Unfortunately, these solutions are mainly against
the real nature of spontaneous ad-hoc networks.
Trust Management is defined by Audun Josang, Claudia Keser and Theo Dimitrikos in [1] as "The
activity of creating systems and methods that allow relying parties to make assessments and decisions
regarding the dependability of potential transaction involving risk, and that also allow players and
system owners to increase and correctly represent the reliability of themselves and their systems".
This paper presents an overview of different methods on how to establish trust, to evaluate trust and
to distribute trust evidence in mobile ad-hoc networks. In Section 2 we present the possible security
attacks in MANETs before Section 3 will subsequently give a summary of already existing Trust Models.
Section 4 discusses the idea of ant-based algorithm for trust evidence distribution in mobile ad-hoc
networks. Finally Section 5 concludes the paper.
2. Attack Analysis for MANETs
Two different kinds of security attacks can be launched against mobile ad-hoc networks, passive and
active attacks. The attacker rests unnoticed in the background while performing a passive attack. He does
not disturb the functions of the routing protocol, but he is able to eavesdrop on the routing traffic in order
to extract worthwhile information about the participating nodes. Running an active attack, the attacking
node has to invest some of its energy to launch this attack. In active attacks, malicious nodes can disturb
the correct functionality of the routing protocol by modifying routing information, by redirection of
network traffic, or launching Denial of Service attacks (DoS) by altering control message fields or by
forwarding routing messages with falsified values. Below are detailed several of the attack categories that
can occur associated with vulnerabilities of mobile ad-hoc systems.

2.1 Passive Attacks
A malicious node in the mobile ad-hoc network executes a passive attack, without actively initiating
malicious actions in order to fool other network participants, by ignoring operations, supposed to be
accomplished by it. Hence, the malicious node attempts to learn important information from the system
by monitoring and listening on the communication between parties within the MANET. For instance, if
the malicious node observes that the connection to a certain node is requested more frequently than to
other nodes, the passive attacker would be able to recognize, that this node is crucial for special
functionalities within the MANET, like for example routing. Switching its role from passive to active the
attacker at this moment has the ability to put the certain node out of operation, for example by performing
a Denial of Service attack, in order to collapse parts or even the complete MANET.
An additional example of passive attacks represent selfish nodes. They derivate from the usual
routing protocol for the reason of preventing power loss for instance by not forwarding incoming
messages. In [5] the importance of trust is stressed in order to isolate these malicious nodes and to be able
to establish reputation systems in all nodes that enable them to detect misbehavior of network
participants.
2.2 Active Attacks
Active attacks mainly occur subsequent to passive attacks, for example after the malicious node
finished eavesdropping the required information on the network traffic. The variety of active attacks on
mobile ad-hoc networks is similar to the attacks in traditional and hierarchical networks. But due to the
lack in infrastructure and the vulnerability of wireless links, the currently admitted routing protocols for
mobile ad-hoc networks allow launching also different types of attacks. Compared to passive attacks,
malicious nodes running an active attack can interrupt the accurate execution of a routing protocol by
modifying routing data, by fabricating false routing information or by impersonating other nodes. So
basically, active security attacks against ad-hoc routing protocols can be classified in three groups [17],
such as integrity, masquerade and tampering attacks.
2.2.1 Integrity Attacks in MANETs
Especially attacks using modifications are aimed against the integrity of routing information. By
launching this type of attack the malicious entity can drop messages, redirect traffic to a different
destination, or compute longer routes to the destination in order to increase the communication delays.
For example, by sending fake routing packets to other nodes, all traffic can be redirected to the attacker or
another compromised node. An example of a modification attack is the set-up of a Blackhole [23]. First of
all, the malicious node analyzes the routing protocol by the use of a passive attack, like eavesdropping
information on the network traffic. Subsequently, this node lies and announces itself, during the route
discovery phase of a routing protocol, as knowing an accurate path to the requested target node, in order
to be able to intercept packets. Finally, all packets are transferred to the attacker’s node and he discards all
of them. Consequently, the malicious node controlled by the attacker represents the Blackhole in the
MANET, where all packets will be swallowed.
As an extension of the Blackhole attack, the active attacker might generate a Greyhole [24]. In this
case, the malicious grey node has the ability to switch its course of action from forwarding routing
packets or discarding others. The decisions of its behavior depend on the intention of the attack. For
example, for the purpose of isolating particular nodes in the MANET the malicious grey node drops

packets which pilot towards their destination. Packets meant for other nodes rest unmodified und are
forwarded to their destination accordingly.
Even trickier is the generation of a tunnel in the network between two or more cooperating and by
the attacker compromised malicious nodes that are linked through a private network connection within the
MANET. This attack is known as Wormhole [25].
It allows the attacker to short-cut the normal flow of routing messages by the construction of a
fictitious vertex cut in the network that is controlled by the two cooperating malicious nodes. The attacker
records packets or parts of packets at one selected location in the MANET. After tunneling them to
another point in the MANET, the attacker replays the packets into the network.
Especially, ad-hoc network routing protocols are vulnerable to Wormhole attacks. For instance,
launching this attack against a routing protocol allows the attacker to tunnel each ROUTE REQUEST
packet, which is transmitted during the route discovery phase, straight to the target destination node.
Consequently, any routes other than through the Wormhole are avoided from being discovered. By this
technique the attacker has the capability to create an appearance to know the shortest path to a desired
destination node. This grants the attacker an exceptionally high probability of being selected by the
routing protocol to forward packets. Once selected, the attacker is able to subsequently launch a
Blackhole or Greyhole attack by discarding selected packets.
Furthermore, Wormhole attacks empower the attacker to be able to influence the neighbor discovery
functionality of several routing protocols. For example, assuming node A wishes to communicate with its
neighbors and tries to knock at their doors by sending a HELLO broadcast packet. At the same time the
attacker uses the Wormhole to tunnel this packet directly to node B. On the other side he tunnels all
HELLO packets sent by B directly to node A. Finally, A and B belief that they are neighbors, which
would cause the routing protocol to fail to discover routes when they are not really neighbors.
Additional advantages of the Wormhole for the attacker are his possibility to discard selected data
packets or to maintain a Denial of Service attack, because no other route to the destination can be
determined as long as the attacker controls the Wormhole. Yin-Chun Hu, Adrian Perrig and David B.
Johnson introduce in [25] a mechanism, called “Packet Leashes” for effectively detecting and defending
against Wormhole attacks by limiting the transmission distance of a link. The authors present the TIK
protocol which implements temporal leashes using hash trees.
Both Blackhole and Wormhole attacks belong to the group of Byzantine Attacks in Ad Hoc Networks
and are discussed in [3]. In this contribution the authors extend the scheme of Wormhole to the concept of
Byzantine Wormhole attacks. The difference to traditional Wormhole attacks is the fact that in traditional
Wormhole attacks the attacker can fool two honest nodes into believing that there exists a direct link
between them. But in the Byzantine case the Wormhole link exists between the compromised nodes and
not between the honest nodes, which means that the end nodes cannot be trusted to follow the protocol
accordingly.
Therefore, the previously mentioned “Packet Leashes” [25] are effective against traditional
Wormhole attacks but they can not be used to discover and to prevent the extended Byzantine Wormhole
attacks.
Figure1 shows the classification of these attacks in MANETs.

Fig 1. Classification of Attacks in MANETs
2.2.2 Masquerade Attacks in MANETs
By masquerading as another node, malicious nodes can run many attacks in a network. These types of
attack are often known as Spoofing. The attacker modifies either the MAC or the IP address in outgoing
packets in order to adopt another identity in the network and appear as a good-natured node. By this
technique he is then able to operate as a trustworthy node and can for example advertise incorrect routing
information to other participants of the network. Creation of loops in the routing computation is one
famous example of this exploit and results in unreachable nodes or a partitioned network.
Another dangerous attack in MANETs is known as the Sybil Attack [26]. Here malicious nodes may
not only impersonate one node but can even represent multiple identities by maintaining false identities.
This attack particularly weakens systems and protocols that employ redundancy. Redundancy is deployed
to resist security threats from faulty or malicious network participants and is often used to ensure that
transmitted packets are forwarded from node A to node B accordingly. By launching a Sybil Attack the
attacker can pretend that the allegedly different paths are formed by disjoint nodes, although in reality
these paths share at least one node which is the attacker’s one.
Especially MANETs that apply a Recommendations-Based Trust Model are vulnerable to Sybil
attacks. Here the malicious node, which represents multiple identities, can generate fake
recommendations about the trustworthiness of a particular node in order to attract more network traffic to
it. This offers the attacker an ideal starting point for subsequent attacks, like for example the Byzantine

Wormhole attack. Furthermore, forging of multiple identities for malicious intent leads to a set of faulty
nodes in the network represented through a larger set of identities. Another purpose of such an attack is to
compromise a disproportionate share of the system in order to overthrow any assumption of designed
reliability based on a limited proportion of faulty nodes.
2.2.3 Tampering Attacks in MANETs
This group of attacks, often called Fabrication Attacks, is based on the generation of falsified routing
messages. Because of the fact that these routing packets are received as valid, fabrication attacks are very
difficult to identify and trace. An example for such an attack is the in [19] introduced Rushing Attack that
acts as an effective Denial of Service attack against all currently proposed on-demand ad-hoc network
routing protocols, including those designed to be secure. Here an attacker rapidly spreads routing
messages all through the network, disabling authorized routing messages with the consequence that other
nodes delete them as multiple copies. Obviously, also computational routes to a destination can be
canceled by constructing routing error messages, asserting that the neighbor can not be reached. So, since
flooding is the famous mechanism used by on-demand routing protocols to establish paths, disturbing
flooding is an effective attack against these kinds of protocols.
Considering the routing strategy of an on-demand ad-hoc network protocol, where node A wishes to
obtain a route to a destination node B. Node A floods the MANET with ROUTE REQUEST packets. In
order to limit the network traffic, each intermediate node C forwards only one ROUTE REQUEST packet
from any Route Discovery phase or even only the ROUTE REQUEST packet that arrives C at first will be
forwarded by C. If the attacker launches falsified ROUTE DISCOVERY sessions for non-existing
destination nodes and if the attacker’s ROUTE REQUEST packet reaches the intermediate node C prior
to the ROUTE REQUEST packet from node A, then the legitimate REQUEST will be discarded by C and
the attacker’s REQUEST will be forwarded accordingly. With this technique the attacker is able to isolate
certain nodes in the MANET or can even partition the network. Otherwise, if the attacker’s rushed
ROUTE REQUEST packets are the first to reach every neighbor of the target node B, then any route
discovered by this ROUTE DISCOVERY process will include a hop through the attacker. Hence, node A
will be unable to discover any trusted route, without the attacker’s influence, to the target node B. In order
to speed-up the broadcast of falsified ROUTE REQUEST packets the attacker can combine the Rushing
attack with the Byzantine Wormhole attack to create a tunnel for his ROUTE REQUEST packets.
Actually, the fact that only the first ROUTE REQUEST packet is forwarded by an intermediate node
C is not necessary for the attacker to be able to launch this kind of attack. The Rushing Attack can be
extended to compromise the functionality of any protocol that forwards any particular ROUTE
REQUEST packet for each ROUTE DISCOVERY process.
3. Existing Trust Models
The establishment of Trust as a component of security services in networks or as a foundation for
succeeding security tasks resounds throughout the land. In our opinion, many solutions misleadingly
introduce Trust as a matter of course but simultaneously using it as the basis for further security issues,
such as for the goal of confidentiality, integrity, authentication or non-repudiation, without even
constructing a conclusive trust metric. In this section we present already existing trust models, with the
aim to expose their differences, before we start to examine new research results in the following section 4.
As in [18] clarified, “trust is interpreted as a relation among entities that participate in various
protocols ". The trustworthiness of a certain entity depends on the former behavior within the protocol.

3.1 PGP Trust Model
Pretty Good Privacy or PGP, is an important milestone in the history of cryptography, because for the
first time it makes cryptography available to a wide community. PGP was principally created for
encrypting or signing e-mail messages and offers a hybrid cryptosystem. In a public cryptosystem it’s not
necessary to protect public-keys form disclosure. Actually, public-keys ought to be widely accessible by
all network participants for encryption. But it’s very important to protect public keys from tampering, to
make sure that a public-key really belongs to the person to whom it appears to belong.
Pretty Good Privacy (PGP) [21] supports the idea, that all users operate as autonomous certification
authorities, which gives them the authorization to sign and verify keys of other entities. The absence of a
central trusted third party (TTP) was the innovation in this model. The introduction of the decentralized
Web of Trust allows each entity to sign other keys in order to build a set of virtual interconnections of
trust. For example, A knows that B’s public-key certificate is authentic and signs it with its private-key.
In the following, C wants to communicate with B privately and B forwards its signed certificate to C. C
trusts A and finds A among B’s certificate signers. Therefore, C can be sure that B’s public-key is
authentic. However, had C not trusted any of B’s certificate signers, including A, C would be skeptical
about the authenticity of B’s public-key and B would have to find another network participant whom C
trusts to sign its public-key certificate. Generally, PGP uses the terminology that if A signs B’s public-
key then A becomes an introducer of B’s key. As this process goes on, it establishes a Web of Trust.
Public-key certificates are essential to PGP and are indispensable to bind the public-key to a network
member. Each certificate contains the key owner’s user ID, the public-key itself, a unique key ID and the
time of creation. Everything may be signed by any number of network participants.
There are two areas where Trust is currently introduced into the PGP Model. At fist, PGP combines
three levels of confidence from “undefined” to “marginal” and to “complete” trust for the trustworthiness
of public-key certificates. This value defines whether a PGP public-key certificate is reliable or not in the
binding between the ID and the public-key itself. Secondly, four levels of trustworthiness to a public-key
are assigned, ranging from “don’t know”, “untrustworthy” and “marginal” to “full” trust. This value
corresponds to how much C thinks B as the owner of the public-key can be trusted to be the signer or
introducer to another trustworthy public-key certificate. PGP requires one “completely” trusted signature
or two “marginal” trusted signatures to establish a key as valid.
However, why is PGP not suitable for mobile ad-hoc networks even though it sounds obvious that
this Trust Model might be applied to the idea of decentralized systems without the existence of a
centralized certification authority?
Although the establishment of a central certification authority in the PGP model is not necessary,
because public-keys are established and signed by network participants themselves, the distribution of
public keys is based on continuously accessible public-key directories that reside on centrally managed
servers. For this reason, PGP is not well applicable for mobile ad-hoc networks where nodes interconnect
in an arbitrary way. Additionally, in MANETs nodes form and leave the network dynamically and
therefore it is not possible to determine nodes that act as always available public-key certificate servers.
For this reason PGP is suitable for wired networks, where this central key server or more central key
servers can maintain all keys in a secure database. But the dynamic of wireless links in mobile ad-hoc
networks and their spontaneous topology make PGP not applicable in MANETs.
3.1.1
Applying an adjusted PGP Model in MANETs
Although PGP public-keys are issued by the participants of the network themselves, the distribution
of public-keys is based on uninterrupted and accessible public-key directories that reside on centrally
managed servers.

In [9] Jean-Pierre Hubaux, Levente Buttyan and Srdjan Capkun extend the design of PGP by
establishing a public-key distribution system that better fits to the self-organized nature of mobile ad-hoc
networks. Similar to PGP, public-key certificates are issued, signed and verified by nodes in the MANET
themselves based on their individual acquaintances. But, in contrast to PGP no continuously accessible
public-key directories for the distribution of public-key certificates are necessary. As a substitute, public-
key certificates are stored and distributed by the nodes. The main idea in [9] is that each node maintains a
public-key certificate storage area, called local certificate repository that contains a subset of public-keys
of other entities in the MANET.
The relationships between nodes are represented as a directed graph, called Trust Graph that contains
all nodes in the network. The vertices characterize the nodes or public-keys and the edges represent the
public-key certificates issued by other nodes. For instance, there is a directed edge from vertex A to
vertex B if node A issued a public-key certificate to node B. The directed path from vertex A to vertex B
corresponds to a public-key certificate chain from node A to node B. Thus, the existence of a public-key
certificate chain from node A to node B means that vertex B is reachable from vertex A in the directed
graph. The local certificate repository of every node in the MANET consists of two parts. One part to
maintain all public-key certificates issued by the node itself and the second part to store several selected
public-key certificates issued by other nodes in the MANET. This means that each node A stores the
outgoing edges in conjunction with the corresponding vertices from vertex A as well as an additional set
of selected edges in conjunction with the corresponding vertices of the Trust Graph. The set of selected
edges and vertices of node A, which is also the local certificate repository, is called the Subgraph that
belongs to node A.
In the event that node A wants to verify the public-key of node B, A and B merge their local
certificate repositories and A tries to discover a suitable public-key certificate chain from node A to node
B in the merged public-key certificate storage area. In view of the graph model, A and B merge both
Subgraphs and in the following A tries to find a path from vertex A to vertex B in the merged Subgraph.
A and B use the same Subgraph Selection Algorithm. After node A has verified B’s public-key as valid A
can start using B’s public-key for example to prove his digital signature.
An important element of this model is the Subgraph Selection Algorithm because it influences the
performance of the system. One characteristic of the Subgraph Selection Algorithm is the size of the
Subgraphs that it selects. Obviously, the performance of Subgraph Selection Algorithm and consequently
the performance of the system can be increased by selecting larger Subgraphs, but then nodes need more
memory to store their Subgraphs, which may lead to scalability problems. This shows that the small
amount of memory storage of a node and the performance of the Subgraph Selection Algorithm are
opposite requirements in this model.
The authors introduce the Shortcut Hunter Algorithm as Subgraph Selection Algorithm. It assumes
that there are a dense number of nodes in a small area in order to provide good performance. Shortcuts are
found between nodes to keep the Subgraphs small in order to reduce the storage space on each node.
They are stored into the local certificate repository based on the number of the shortcut certificates
connected to the nodes. A shortcut certificate is a certificate that, when removed from the graph makes
the shortest path between two nodes A and B previously connected by this certificate strictly larger than
two. The algorithm selects a Subgraph by computing an out-bound and an in-bound path from node A to
node B. Both path selection techniques are similar. However the out-bound path algorithm selects in each
round an outgoing edge whereas the in-bound path algorithms selects in each round an incoming edge. In
conclusion, a public-key certificate chain from node A to node B is found.
So far, this solution assumes that each user is honest and does not issue falsified public-key
certificates. In order to compensate for dishonest users an authentication metric is introduced into the
model. In this sense, an authentication metric is a function with two nodes A and B and the Trust Graph
as input. This function returns a numeric value that represents the assurance with which A can obtain the
authentic public-key value of B using the information in the Trust Graph.

The big advantage of this solution is the self-organized distribution of public-key certificates in the
MANET without the requirement of continuously accessible public-key directories.
However, the authors emphasize that before being able to verify a public-key, each node must first
build its local certificate repository, which is a computationally complex operation. Although this
initialization phase is performed very rarely, it should be noted that local certificate repository become
outdated if a large number of public-key certificates are revoked. Consequently, the certificate chains
might no longer be valid. Hence, due to the limited memory and computational power of communicating
devices in MANETs, which mainly consist of Personal Digital Assistants (PDAs) or mobile phones and
the extensive computational and memory requirements of this self-organized model, this model is
considered as confining for mobile ad-hoc networks.
Furthermore, while analyzing the Shortcut Hunter Algorithm for Subgraph Selection it strikes that
verifying a public-key certificate chain from node A to node B, node A must trust the issuer of the public-
key certificate for correctly checking that the public-key in the certificate indeed belongs to node B,
because of the fact that node A has to select an incoming edge during the in-bound path algorithms. When
public-key certificates are issued by mobile nodes of an ad-hoc network, like in MANETs, this method is
very vulnerable to malicious nodes that issue false certificates. In order to minimize this problem the
authors introduce an authentication metric to determine the degree of authenticity of a public-key by
computing the output of a function f that uses two nodes A and B and the Trust Graph as input
parameters. Function f could, for example, return the number of disjoint public-key certificate chains from
A to B.
Unfortunately, this assumption is vulnerable to Sybil Attacks where a malicious node may generate
multiple identities for itself to be used at the same time. By launching a Sybil Attack the attacker can
pretend that different paths are formed by disjoint nodes, although in reality these paths share at least one
node which is the attacker’s one. Finally, a disproportionate share of the system can become compromise
although public-key certificates are utilized.
3.2
Decentralized Trust Model
In 1996 appearing as pioneers Matt Blaze, Joan Feigenbaum and Jack Lacy supported the idea of
"Decentralized Trust Management" [4] as an important component of security in network services.
Decentralized Trust Management model was the first system to take a comprehensive approach to trust
problems independent of any particular application or service.The main achievement was the construction
of a system called PolicyMaker in order to define policies and trust relationships. Handling of queries is
the fundamental function of the PolicyMaker with the aim to determine whether a specific public-key has
the permission to access certain services according to local policy. Policies are composed in the special
PolicyMaker Language. A central authority for evaluating credentials is not necessary. Although locally
managed, each entity has the competence to achieve own decisions.
An important point in this model targets the typical problem that, although the binding of the public-
key to a network identity was successfully verified, usually the application itself has to subsequently
ensure that this network participant is authorized to perform certain actions or is authorized to access
security sensitive data. The application for instance looks-up the network identity’s name in a database
and tries to verify that it matches the required service. The Decentralized Trust Model approach wants to
establish a generic method that should facilitate the development of security features in a wide range of
application, unlike other systems like for example PGP.
So this approach extends the common identity-based certificates, which bind a public-key to a unique
identity, by means of reliably mapping identities to the actions they are trusted to perform. In this sense,
the specification of policies is merged with the binding of public keys to trusted actions. Consequently,
both questions “Who is the holder of the public-key?” and “Can a certain public-key be trusted for a

certain purpose?” are clarified with the Decentralized Trust Model. Basically, each network entity that
receives a request must have a policy that serves as the ultimate source of authority in the local
environment.
Currently, the PolicyMaker approach binds public-keys to predicates rather than to the identities of
the public-key holders. The PolicyMaker Language is provided in order to express conditions under
which a network participant is trusted to sign a certain action. Consequently, a network entity has the
ability to distinguish between the signatures of different entities depending on the required services. By
this means for instance, network entity A may trust certificates from signed by network entity B for small
transaction but may insist upon certificates from more reliable network entity C for large transactions.
Abstractly, the PolicyMaker service appears to applications like a database query engine and
functions as a trust management engine. The input is composed of a set of local policy statements
(credentials) as well as a string describing the desired trusted action. After evaluating the input, the
PolicyMaker system finally returns either a yes/no answer or propositions that make the desired action
feasible.
All security policies are defined in terms of predicates, called filters that are combined with public-
keys. The function of the filters is to assure if the owner of the corresponding secret-key is accepted or
rejected to perform the desired action. A specific action is considered acceptable if there is a chain from
the policy to the key requesting the action, in which all filters are traversed successfully. The design and
interpretation of action descriptions, called action strings, is not part or even not known to the
PolicyMaker. Action strings are interpreted only by the calling application and might confer various
capabilities as signing messages or logging into a computer system. Action strings are accepted or
rejected by the filters.
Signatures can be verified by any public-key cryptosystem, for instance PGP. The main reason for it
is that the PolicyMaker system does not verify the signatures by itself and that the associated action
strings are also application specific. Generally, an application calls the PolicyMaker after composing the
action string and determining the identity, from which the desired action originated. Finally, PolicyMaker
decides whether the action string is permitted according the local security policy.
So the basic function of the PolicyMaker system is to process queries composed with the
PolicyMaker Language of the form:
key
1
, key
2
, …, key
n
REQUEST Action String
A query is a request for information about the trust that can be placed in a certain public-key. The
PolicyMaker system processes queries based on trust information that is included in assertions.
Assertions assign authority on keys and are of the form:
Source
ASSERTS AuthorityStruct WHERE Filter
In this sense, each a credential is a type of assertion, which binds a filter to a sequence of public-keys,
called an authority structure. Source indicates the origin of the assertion and AuthorityStruct
specifies the
public-key(s) to whom the assertion applies. Hence, a Filter is the predicate that action strings must
satisfy for the assertion to hold. For example, the following PolicyMaker credential
pgp:“0x01234567abcdefa0a1b2c4d5e6a4f7“
ASSERTS
pgp:“0xb0034261abc7efa0a1b2c5d4e6a4a3“
WHERE
PREDICATE=regexp:“From A“;

indicates that the source PGP key
“0x01234567abcdefa0a1b2c4d5e6a4f7“
asserts that A’s PGP
key is
“0xb0034261abc7efa0a1b2c5d4e6a4a3“.
There are two types of assertions: certificates and policies. The major difference is that policies are
unconditionally trusted locally and certificates are signed messages binding a particular Authority
Structure to a filter. The Source field in a policy assertion is the keyword “POLICY”, rather than the
public-key of an entity granting authority.
While this approach provides a basis for expressing and evaluating trust, it does not consider the
simultaneous problem of how to continuously control and manage trust over a longer period of time.
These problems are discussed by Brent N. Chun and Andy Bavier in [6], where a layered architecture for
mitigating the trust management problem in federated systems is proposed. The authors stress that the
PolicyMaker approach presumes the existence of secure, authenticated channels, for example using
preexisting public-key infrastructure, which makes it inapplicable for trust management in MANETs.
3.3 Distributed Trust Model
The Distributed Trust Model in [2] applies a recommendation protocol to exchange, revoke and
refresh recommendations about other network entities. Therefore each entity needs its own trust database
to store different categories of trust values ranging form -1 (complete distrust) to 4 (complete trust). By
executing this recommendation protocol, the network entity can determine the trust level of the target,
while requesting for a certain service. The accordant trust level for a single target is obtained by
computing the average value for multiple recommendations. Although this model does not explicitly
target ad-hoc networks it could be used to find the selfish, malicious, or faulty entities in order to isolate
them so that misbehavior will result in isolation and thus cannot continue.
3.4 Distributed Public-Key Trust Model
The core of the Distributed Public-Key Trust Model, examined by Lidong Zhou and Zygmund J.Haas
[20] is the use of threshold cryptography in order to build a highly secure and available key management
service. The difficulty of the establishment of a Certification Authority (CA) for key management in
MANETs was mentioned in the introductory paragraph. Obviously, the CA, which is responsible for the
security of the entire network, is a vulnerable single point of failure that must be continuously accessible
by every node.
Threshold cryptography implicates sharing of a key by multiple entities called shareholders involved
in authentication and encryption. In [20] the system, as a whole, has a public-/private-key pair and the
private-key is distributed over n of nodes. Consequently, a central Certification Authority is not
necessary. All nodes in the network know the public-key and trust any certificate signed using the
corresponding private-key. Additionally, each node has a pubic-/private-key pair and can submit requests
to get the public-key of another node or requests to change their own public-key.
The ingenious idea is that (t+1) out of n shareholders have the ability to compute the private-key by
combining their partial keys but not less then (t+1). In order to obtain the private-key, (t+1) nodes must
be compromised. For the service of signing a certificate, each shareholder generates a partial signature
for the certificate using its private key share and submits the partial signature to one arbitrary
shareholder, called combiner. With (t+1) correct partial signatures the combiner is able to compute the
signature for the certificate. In the case of one or more incorrect partial signatures generated by
compromised nodes, it is not possible to unnoticeably establish a legal signature for the certificate.
Fortunately, the combiner has the ability to verify the correctness of the signature by using the system
public-key. However, if the verification fails, the combiner tries other sets of (t + 1) partial signatures and

continues this process until a verifiably correct signature from (t+1) truthful partial parts can be
established.
In order to tolerate mobile adversaries and to adapt to changes in the network the Distributed Public-
Key Trust Model employs a share refreshing method. Mobile adversaries have the capacity to temporarily
compromise one or more shareholders and can then move to the next victim. By this technique an
adversary may compromise all shareholders and gather more than t or even all private-key shares over an
extended period of time. Finally, the adversary would be allowed to generate any valid certificate signed
by the private-key. Share refreshing allows shareholders to compute new private-key shares from their
old ones in collaboration but without disclosing the private-key. The new shares are independent from the
old and because of this the adversary cannot combine old with new shares in order to recover the private-
key.
Although the model offers strong security, like authentication of communicating nodes, it has some
factors that inhibit its deployment to mobile ad-hoc networks. The pre-establishment of a distributed
central authority requires a huge computational complexity and asymmetric cryptographic operations are
known to consume precious node battery power. Additionally, the (t+1) parts of the private key may not
be reachable to a node requiring authentication and following asymmetric cryptographic services.
Furthermore, the establishment of the system’s public-/private-key pair as well as the generation and
distribution of private-key-shares to the shareholders is not examined and could initiate subsequent
security problems. Finally, the distribution of signed certificates within the MANET is not sufficiently
discussed and questionable.
3.4.1 RSA-Based Threshold Cryptography in MANETs
Levent Ertaul and Nitu Chavan visualize in [7] the potentialities and difficulties of RSA-based
threshold cryptography in MANETs. The examined RSA threshold scheme involves key generation,
encryption, share generation, share verification, and share combining algorithm. It employs the Shamir’s
t-out-of-n scheme based on Lagrange’s interpolation. The central idea of this secret sharing scheme is the
construction of a (t – 1)-degree polynomial over the field GF(q) in order to allow t out of n entities to
construct the secret.
f(x) = a
0
+ a
1
x + …+ a
t-1
x
t-1
The coefficient a
0
is the secret and all other coefficients are random elements in the field. The field is
known by all entities and each of the n shares is a pair (x
i
, y
i
) fulfilling the following condition:
f(x
i
) = y
i
and x
i
≠ 0
With t known shares, the polynomial is uniquely determined and the secret a
0
can be computed. The
success of the scheme is based on the fact that using t-1 shares, the secret can be any element of the field
and is not determinable.
The RSA-Based Threshold Cryptography approach makes use of this secret sharing scheme in the
following way. After node A has constructed its public-/private-key pair (e,d), the threshold is
determined. If node A has n neighbors than the private-key d is partitioned into n partial keys and the
neighbors act as shareholders. The threshold t is randomly selected under certain conditions:
t ≥ (n+1)/2, t < n, where n ≥ 2

In the subsequent step Shamir’s secret sharing scheme is applied to calculate key shares and for
combining partial messages. Depending on the type of threshold scheme, the secret, and this is always the
coefficient
a
0
of the polynomial, is different. For threshold encryption, the coefficient
a
0
would be e,
while for threshold decryption it would be set to d.
Considering a RSA-Based Threshold Cryptography based signature scheme between nodes A and B.
At first, node A distributes the key shares together with the
x
i
– values among its n neighbors acting as
shareholders.
x
i
– values are selected by A and are public coordinates. The threshold t is not published to
the shareholders and A notifies only B about t and its public-key e. Consequently, each neighbor has the
ability to calculate the partial key
f(x
i
). Then, A sends the message M securely to all shareholders for
partial signature generation
.
Shareholders apply
f(x
i
)
s
to M and send the partial signature
C
i
s along with
the
x
i
– values to node B. After obtaining at least t partial signature
C
i
s
, B sends t selected
C
i
s
to A for
recovery of C. B encrypts
x
i
– values using A’s public-key e. In the following, A calculates
x
i
´- values
using Lagrange interpolation and sends them back to B. Finally, B combines the
x
i
´- values to the partial
signatures in order to get the original C. With
C
e
= M, node B gets the message M for verification.
Due to the exponential computations, the RSA-Based Threshold Cryptography scheme requires lots of
computational capacity, bandwidth, power and storage. Thus, the authors stress that this approach is
unsuitable in resource-constrained MANETs. Another crucial vulnerability of this system is the fact that
the neighbors acting as shareholders must not authenticate towards node A, from which they get the
message M as well as the
x
i
– values. If the attacker compromises n-t or even more shareholders he will
be able to fake partial signatures in order to disturb the communication between A and B. Although RSA-
Based Threshold Cryptography does not need a central party to generate shares, it does not consider the
vulnerability of wireless links and does not apply to mobility and the dynamically changing network
topology in MANETs.
3.4.2 ECC-Based Threshold Cryptography in MANETs
As a result of previous achievements, Levent Ertaul and Nitu Chavan adapt their idea to ECC -based
threshold cryptography in [8]. Due to the combination of threshold cryptography and Elliptic Curve
Cryptography , to securely transmit messages in n shares within mobile ad-hoc networks, the performance
of ECC is more efficient in comparison to RSA-based threshold cryptography.
Table 1 [15] demonstrates, that key sizes can be selected to be much smaller for ECC than for RSA
achieving the same level of security and protection against known attacks.
Table 1. Key sizes for equivalent security levels (in bits)
Although threshold cryptography is a significant approach to build a key management service by
distributing the key among a group of entities, the amount of communication for generating the keys,
determining the threshold and generating the share could be beyond the scope of available resources in
mobile ad-hoc networks, such as computational power, without even considering the problem of finding

out a number of routes of disjoint nodes between the sender and receiver in order to choose a number of n
shares. All in all, this approach is not well applicable for MANETs.
3.5 Subjective Logic Trust Model
Josang emphasizes in [12] that public-key certificates alone do not assure authentication in open
networks including mobile ad-hoc networks, for example because of the missing reliable certification
authority acting as a Trusted Third Party. His solution introduces an algebra for the characterization of
trust relations between entities. A statement such as: "the key is authentic" can only be either true or false
but nothing in between. However, because of the imperfect knowledge about reality it is impossible to
know with certainty wheatear such statements are true or false, so that it is only feasible to have an
opinion about it. This introduces the notion of belief and disbelief as well as uncertainty. Therefore,
uncertainty can bridge the gap in the presence of belief and disbelief. The relationship between these three
attributes can be mathematically formulated as follows:
b + d+ u = 1, {b,d,u} є[ 0, 1] ³ where b, d and u designate belief, disbelief
and uncertainly.
Triples ω = {b, d, u} that satisfy the above condition b + d+ u = 1 are called opinions. Figure 1
demonstrates that the condition b + d+ u = 1 defines a triangle. An opinion ω can be uniquely described
as a point {b, d, u} in the triangle.
Fig 2. Opinion Triangle

The line between disbelief and belief corresponds to situations without uncertainty. Generally,
uncertainty is caused by missing evidences in order to either support belief or disbelief. Obviously,
opinions are 2-dimensional measures for binary events and binary statements, that either take place or not.
Opinions are composed by a probability dimension and an uncertainty dimension and are according to
this determined by uncertain probabilities. By mapping the 2-dimensional measures to 1-dimensional
probability space a probability expectation value is produced:
E({b,d,u}) = b + u/2
Opinions of two different entities about the same subject, like for example the binding of a key to an
identity, may differ and are not automatically objective. Consequently, the notion of subjectivity is
introduced in order to express these circumstances. The mathematical technique to characterize
subjectivity is called Subjective Logic. It offers an algebra for determining trust chains by using various
logical operators for combing opinions that are characterized by uncertain probabilities. By enhancing the
traditional Logic, which typically consists of three operators (AND for conjunction, OR for disjunction
and NOT for negation), with non-traditional operators such as recommendation and consensus, the
Subjective Logic approach is able to deal with opinions that are based on other entities’ recommendations
as well as to produce a single opinion about a target statement in the presence of more then one
recommendations. As a result, this scheme expands the idea of public-key certificates by introducing trust
relations between entities to guarantee authentication.
In the following scenario node A receives the public-key of an unknown node B. After ensuring that
node B is not included in A’s list of opinions about the key authenticity, which offers an opinion about
the binding between keys and key owners, and consequently ensuring that B is not included in A’s list of
opinions about the recommendation trustworthiness, which explains how much A trusts the key owners to
actually recommend keys of other entities, A examines B’s public-key certificate. The certificate contains
opinions about the key authenticity as well as opinions about the recommendation trustworthiness
assigned by other nodes. Although there might be more then one recommended certification paths to B’s
key, node A has the capability to determine the authenticity of B’s key by computing the consensus
between the authenticities obtained for each path.
An important assumption of the Subjective Logic Trust model is that only opinions based on first-
hand evidence should be recommended to other nodes in order to guarantee the independence of opinions.
Thus, opinions based on recommendations from other nodes (second-hand evidence) should never be
passed to other nodes.
By introducing uncertainty in trust it is possible to estimate the consequences of decisions based on
trust and recommendations. However, trustworthy authentication of B’s public-key requires an unbroken
chain of certificates and recommendations. This is a critical condition taking the characteristics of
MANETs into account, including the vulnerability to breakage of wireless links and the dynamically
changing topology. Finally, we can conclude that although the Subjective Logic Trust approach appears
as it needs no Central Trusted Third Party since authenticity of public-keys is based on recommendations,
it is not well applicable to mobile ad-hoc networks.
4. Recent Trust Models in MANETs
In this section several state-of-the-art approaches to establish and evaluate Trust in mobile ad-hoc
networks are presentd. The first is performed by Tao Jiang and John S. Baras at the University of
Maryland [11] within the Institute for Systems Research and introduces the idea to utilize Ant-based
algorithm in order to compute Trust Evidence. George Theodorakopoulus and John S. Baras focus in the
second approach on Trust Evaluation in [18].

4.1 Ant-based Trust Algorithm
The work of Tao Jiang and John S. Baras [11] presents a scheme for distributing Trust Certificates,
which is absolutely distributed and adaptive to the spontaneous and dynamical nature of mobile ad-hoc
networks called ABED- Ant-Based Evidence Distribution Algorithm. Their approach is fundamentally
based on the Swarm Intelligence Paradigm that is used for optimization problems, like for instance the
Traveling Salesman Problem (TSP) and routing [22]. The major idea of the paradigm is the term
stigmergy offering a method of communication in systems in which the individual parts communicate
with one another by modifying the environment. A typical example of stigmergy is pheromone laying on
the paths. Ants, for instance, interact with one another by laying down pheromones along their trails and
they follow those trails that have the highest pheromone concentration in order to find the optimal path
toward their food.
The presented trust model consists of mainly two parts. The first, so called trust computation model
evaluates the trust level of each entity in the network based on previously retrieved behavioral data or
trust evidence. The problem of trust evaluation is dedicated to another performed work and not addressed
in this approach. The second part of a trust model, which is fairly independent of the specific computation
of trust, is responsible for the trust evidence distribution in order to distribute the calculated trust values to
the participating entities. Evidence is presented by trust certificates that are signed by their issuers’
private-key and can contain different information depending on the trust model, like for example the
public-key or access rights. Jiang and Baras emphasise the importance of trust evidence distribution
because it offers the input for the first part of the trust model, which is accordingly the evaluation model.
The main contribution in this work is the reactive ABED- Ant-Based Evidence Distribution
Algorithm. The procedure starts with several ants that are sent out, when a certain certificate, which
serves as a trust evidence of the participating entity, is required. Each node holds its own certificate table,
while each entry in this table matches with one certificate. The metric is the probability of choosing a
neighbor as the next communicating entity (next hop) instead of the count to destinations.
Two different kinds of forward ants can be mobilized to deliver the required certificate. So-called
Unicast ants are send out to the neighbors that have the highest probability in the certificate table.
Broadcast ants on the other hand are only sent out when there is no preference to the neighbors, if for
example there is no entry in the certificate table for the required certificate. This can occur in the case
when either no path to the certificate has been ascertained or the information is outdated. The density of
pheromone decides whether the information is valid or outdated. Generally, pheromone is utilized in
order to route the ants to discover the most favorable path to the required certificate. Furthermore, the
decrease of the pheromone density allows the system to update information in order to prevent the
mentioned outdated information and to look for new paths. The decrease of pheromone is a function of
elapsed time, which can be interpreted as a function of mobility. In this manner, a higher mobility means
a faster decrease of the pheromone. A threshold value τ
0
is determined in order to assure the freshness of
the pheromone.
Once a forward ant has found the required certificate, a backward ant is generated. This ant retraces
the path of the forward ant back to the source and hands the claimed certificate. By the use of a special
Reinforcement Rule that is comparable with a learning rule, which is the heart of the ABED, backward
ants have the ability to induce certificate table modifications to perform changes. Each node on the path
of the backward ant stores the certificate so that trust certificates are distributed and the certificate table
entries of nodes are updated each time the backward ants visit the nodes. A simple Reinforcement Rule
can be mathematically formulated as follows:
P
i
(n) = (P
i
(n-1) + ∆p) / ( 1+ ∆p)
P
j
(n) = (P
j
(n-1) + ∆p) / ( 1+ ∆p)

jє N
k
, where N
k
is the neighbor set of node k
i≠j and i is the neighbor the backward ant came from
∆p = k / f(c)
k > 0 is a constant and f(c) is a non-decreasing cost-function
Parameter c corresponds to the cost which reveals the information of evidence and could for instance
be a measure of hops from the current node to the node where the certificate is located. The authors stress
the possibility of including a security metric into this model for example by assigning a trust value to a
path as the cost c and concluding that the higher this trust value is, the lower the cost is. The
Reinforcement Rule is more complex for the purpose of exploring all information carried by the backward
ant and it contains the pheromone deposit τ
i
.
The main striking question in this approach is, how flexible are ants, particularly backward ants to
mobility and especially to link breaks e.g. in the case when two nodes move far apart?
ABED introduces a special parameter η
j
representing the goodness of a link between the current node
and its neighbor j, which is included in the enhanced Reinforcement Rule. In the scenario of link break
this parameter is set to a small value and it only assigns a negative reinforcement to the certificate.
However, the procedure of finding a secure path from the source to the target node has to be repeated. In a
quickly changing MANET this solution would lead to long delay. On the other hand the pheromone,
which is used by the ants to mark the crossed path, can be utilized to find much quicker a suitable and
trustworthy path to the target node.
The authors have simulated the ABED algorithm and have compared the results with those of the P2P
Freenet scheme by taking the following three aspects into consideration: the number of hops that ants
transit to carry the certificate back to the requestor, the delay time elapsed from sending out the forward
ant until receiving the first backward ant and finally the Success Rate measured in percentage of requests
for which the requestor successfully receives the certificate. The cost-function f(c) of the Reinforcement
Rule is the number of hops to the node storing the certificate. Both algorithms converge to the same value,
but ABED shows faster convergence at the beginning, which is extremely desired for MANETs. Finally,
the ABED algorithm outperforms the Freenet-based scheme in the terms of Success.
Nevertheless the Ant-Based Evidence Distribution Algorithm assumes that trust certificates are signed
by a well known and authenticated signer and that the authentication process takes place before the setup
of the network. This assumption does not satisfy the nature of mobile ad-hoc networks where nodes may
join or leave the network dynamically. Allowing new nodes to join the network would implicate the
requirement of continuous and secure access to the signer in order to authorize the nodes’ public-key by
his signature.
The main weakness of the ABED approach is its vulnerability to Denial of Service attacks. Obviously,
a malicious and by the attacker compromised node has the capacity to send a huge amount certificate
requests for non-existing certificates simultaneously by sending broadcast ants to all its neighbors. Each
request will provoke the neighbor nodes to create broadcast ants, because they won’t be able to find an
entry in their certificate table matching the requested certificate. Consequently, the traffic load increases
and may result in a network breakdown.
Furthermore the attacker may launch a Wormhole attack considering the following scenario based on
the fact that the pheromone deposit which is integrated in the Reinforcement Rule and is used to attract
ants can only be modified by backward ants. In ABED, backward ants are only generated once a forward
ant has found the requested certificate and they retrace the path of the forward ant back to the node that

has requested the certificate. If the attacker’s node behaves inconspicuously and generates unicast and
broadcast ants in accordance with the algorithm, forward ants will find the path to the requested
certificate and generate a backward ant passing the attacker’s node. In the moment the backward ant
reaches the attacker’s node and wants to modify its certification table the attacker discards the backward
ant and may obtain the certificate out of the backward ant’s packet. As a result the requesting node won’t
be able to receive the certificate as trust evidence.
However, the ant-based evidence distribution algorithm offers an innovative approach to obtain the
distribution of previously, by the trust model defined, trust values within a network, like a mobile ad-hoc
network.
4.2 Using Cooperative Games and Distributed Trust Computation in MANETs
In [10] Tao Jiang and John S. Baras demonstrate that dynamic cooperative games provide a natural
framework for analyzing several problems in MANETs and concentrate on the distributed trust
computation in addition to trust distribution, explained in the above paragraph. Assuming that trust
computation is distributed and restricted to only local interaction, a MANET is modeled as an undirected
graph (V,E) and the edges represent connections to exchange trust information. In this context it is not
necessary that two end-nodes of an edge are neighbors in geometrical distance although they have a trust
relationship. The distributed trust computation model is based on elementary voting methods and only
nodes in node’s neighborhood have the right to vote. By this technique it is possible to mark a node as
trustworthy or not. A secure path in this concept is a path consisting only of trusted nodes.
Unfortunately, this approach is vulnerable to Sybil attacks, where the attacker can represent multiple
identities and has then the capacity to generate fake recommendations about the trustworthiness of a
certain node in order to attract more traffic to this node.
4.3 Using Semirings to evaluate Trust in MANETs
In [18] George Theodorakopoulos and John Baras introduce a concept on how to establish an indirect
trust relationship without previous direct interactions within an ad-hoc network. By the use of the theory
of semirings, the presented approach is also robust in the presence of attackers. The significant idea is to
view the trust inference problem as a generalized shortest path problem on a weighted graph G(V,E), also
referred to as trust graph. A weighted edge corresponds to the opinion, consisting of two values the trust
value and the confidence value that an entity has about another entity in the graph (network). In this
approach, a node has the ability to rely on other’s past experiences and not just his own, which might be
insufficient, to ascertain if the target node is trustworthy.
The second problem addressed in this work is finding a trusted path of nodes, so that the traffic can be
routed securely though them. This scheme does not need any centralized infrastructure and users need not
have personal, direct experience with every other user in the network in order to compute an opinion
about them.
5. Conclusions
Security-sensitive data and applications transmitted within mobile ad-hoc networks require a high
degree of security. Trust as a concept of security services has the ability to achieve the required level of
security with respect to mobility and constraints in resources of the participating devices. In this paper, we
presented several trust models, such as PGP as well as new approaches taking the dynamic and mobile
nature of mobile ad-hoc networks into consideration. We belief that trust as a security concept turns out to
be more and more important in MANETs, because using trust recommendations and second-hand

information, based on trusted relationships, can significantly speed up the discovery and consequent
isolation of malicious nodes in mobile ad-hoc networks. Especially, the discussed Ant-based Adaptive
Trust Evidence Distribution Model provides the necessary adaptivity to network changes and tolerance of
faults in networks and offers a dynamic method to obtain trust evidence in MANETs. We encourage and
support the idea of ant-based trust algorithms also for the collection of trust evidences in mobile ad-hoc
networks. Combining both, the trust evidence collection and trust evidence distribution will satisfy our
ambition of designing an independent Trust Management system for mobile ad-hoc networks.
References
[1] A. Josang, C. Keser, and T. Dimitrakos, Can We Manage Trust?, In the Proceedings of the Third
International Conference on Trust Management (iTrust) 2005.
[2] AAlfarez Abdul-Rahman and Stephen Hailes, A distributed trust model, n Proceedings of the 1997
workshop on New security paradigms 1997.
[3] Baruch Awerbuch, Reza Curtmola, David Holmer, Cristina Nita-Rotau and Hubert RubensMitigating
Byzantine Attacks in Ad Hoc Wireless Networks, Technical Report Version 1, March 2004.
[4] Matt Blaze and Joan Feigenbaum and Jack Lacy, Decentralized Trust Management, In Proceedings
IEEE Conference on Security and Privacy, Oakland, 96-17, May 1996.
[5] S. Buchegger and J. Le Boudec, Self-Policing Mobile Ad-Hoc Networks by Reputation, IEEE
Communication Magazine, 2006.
[6] AB. Chun and A. Bavier, Decentralized Trust Management and Accountability in Federated Systems,
In Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04),
Jan. 05-08, 2004, Big Island, Hawaii , 2005.
[7] Levent Ertaul and Nitu Chavan, Security of Ad Hoc Networks and Threshold Cryptography, 2005
International Conference on Wireless Networks, Communications, and Mobile Computing,
Wirelesscom, 2005 .
[8] Levent Ertaul and Weimin Lu, ECC Based Threshold Cryptography for Secure Data Forwarding and
Security Key Exchange in MANET (I), NETWORKING 2005: 4th International IFIP-TC6
Networking Conference, Waterloo, Canada, 2005 Proceedings, May 2005.
[9] Jean-Pierre Hubaux, Levente Buttyan and Srdjan Capkun, The Quest for Security in Mobile Ad Hoc
Networks, roceeding of the ACM Symposium on Mobile Ad Hoc Networking and Computing
(MobiHOC),2001.
[10] Tao Jiang and John S. Baras, Cooperative Games, Phase Transition on Graphs and Distributed Trust
in MANET, in the Proceedings of 43rd IEEE Conference on Decision and Control, 2004, Atlantis,
Bahamas, 2004.
[11] Tao Jiang and John S. Baras, Ant-based Adaptive Trust Evidence Distribution in MANET, in the
Proceedings of the 2nd International Workshop on Mobile Distributed Computing (MDC), March
2004.
[12] A. Josang, An Algebra for Assessing Trust in Certification Chains, In Proceedings of the Network
and Distributed Systems Security (NDSS’99) Symposium, 1999.
[13] Pradip Lamsal, Understanding Trust and Security, Department of Computer Science, University of
Helsinki, Finland , 2001.
[14] Laurent Eschenauer, Virgil D. Gligor and John S. Baras, On trust establishment in mobile ad-hoc
networks, ACM Conference on Computer and Communications Security 2002: 41-47, 2002.
[15] Kristin Lauter, The Advantages of Elliptic Curve Cryptography for Wireless Security, IEEE Wireless
Communications , February 2004.
[16] Asad Amir Pirzada and Chris McDonald, Establishing trust in pure ad-hoc networks, CM
International Conference Proceeding Series in Proceedings of the 27th conference on Australasian
computer science, 2004.
[17] K. Sanzgiri and B. Dahill and B. Levine and E. Belding-Royer, A secure routing protocol for ad hoc

networks, In International Conference on Network Protocols (ICNP), Paris, France, November 2002
[18] George Theodorakopoulos and John S. Baras, Trust Evaluation in Ad-Hoc Networks, in the
Proceedings of the 2004 ACM workshop on Wireless security {WiSE`04} , 2004.
[19] Yih-Chun Hu, Adrian Perrig and David B. Johnson, Rushing Attacks and Defense in Wireless Ad
Hoc Network, WiSE 2003, San Diego, California, USA, September 19, 2003.
[20] Lidong Zhou and Zygmunt J. Haas, Securing Ad Hoc Networks, IEEE Network, 1999.
[21] Philip R. Zimmermann, The Official PGP User's Guide, Department of Computer Science,
University of Helsinki, Finland, MIT Press, 1995.
[22] Baruch Awerbuch, David Holmer and Herbert Rubens, Swarm Intelligence Routing Resilient to
Byzantine Adversaries, 2004
[23] Sanjay Ramaswamy, Huirong Fu, Manohar Sreekantaradhya, John Dixon and Kendall Nygard.
Prevention of Cooperative Black Hole Attack in Wireless Ad Hoc Networks, in Proceedings of the
International Conference on Wireless Networks, Las Vegas, June, 2003.
[24] Yih-Chun Hu, Adrian Perrig, and David B. Johnson. Ariadne: A secure on-demand routing protocol
for ad hoc networks. In Proceedings of the 8th Annual ACM International Conference on Mobile
Computing and Networking (MobiCom ’02), September 2002.
[25] Yih-Chun Hu, Adrian Perrig, and David B. Johnson. Packet Leashes: A Defense against Wormhole
Attacks in Wireless Ad Hoc Network, Rice University Department of Computer Science, Technical
Report TR01-384, December 2001.
[26] John R. Douceur. The Sybil Attack. In Proceedings of the IPTP02, Cambridge, MA (USA), March
2002.

A Framework for Computing Trust in Mobile Ad Hoc Networks
Tirthankar Ghosh
Department of Statistics and Computer Networking
St. Cloud State University
College of Science and Engineering
St. Cloud, Minnesota, USA
tghosh@stcloudstate.edu
Niki Pissinou, Kia Makki, Ahmad Farhat
Telecommunications and Information Technology Institute
College of Engineering and Computing
Florida International University
Miami, Florida, USA
Abstract
In this paper we have proposed a framework for computing trust in ad hoc networks. Our proposed
framework is unique and different from the other schemes in that it tries to analyze the behavioral pattern
of the attacker and quantifies the malicious behavior in the computational model. The trust computation,
distribution and maintenance are all incorporated in the network layer to avoid any unnecessary layering
interoperability. We have carried out extensive simulation to show that the protocol is scalable as well as
efficient with network size and mobility.
1. Introduction
Modeling and computing trusts in ad hoc network applications is a challenging problem. It is very
difficult to form a true and honest opinion about the trustworthiness of the nodes, as they can be engaged
in malicious activities in different ways. This intricacy in trust computation, together with frequent
topology changes among nodes, quite often causes the whole network to get compromised or disrupted.
Different malicious activities of the nodes can very well be misinterpreted as the regular erratic behavior
of the wireless networks in general and ad hoc networks in particular, thus making trust computation all
the more difficult. In this paper we have proposed a framework for modeling and computing trusts that
take into account different malicious behavior of the nodes. Our proposed model tries to explore the
behavioral pattern of the attacker in different ways and quantifies those behaviors to form a computing
framework.
Selfish behavior in ad hoc networks has been prevented by proposed schemes that used either a
reputation-based incentive mechanism [13,28,32], or a price-based incentive mechanism [30]. In both the
mechanisms, nodes are given incentives to suppress their malicious intention in favor of the network. But
nodes with malicious intention at their subconscious self always try to find ways to bypass these incentive
mechanisms. In our work, instead of forcing the nodes to act in an unselfish way, we propose to develop a
trust model by collaborative effort and use this model in the trusted routing solution proposed by us in our
earlier work [19, 29].

2. Related work
Establishing security associations based on distributed trust among nodes in an ad hoc network is an
important consideration while designing a secure routing solution. Although some work has been done
lately to design trusted routing solution in ad hoc networks, not much work has been done to develop a
trust model to build-up, distribute and manage trust levels among the ad hoc nodes. Most of the proposed
schemes talk about the general requirement of trust establishment [22,23,24,34,40]. Some work has been
done to propose models for building up trust [45,46], but they do not specify the detailed incorporation of
different malicious behavior in those models. In [46] the authors proposed a trust establishment model
based on the theory of semirings. A trust distribution model has been proposed in [45] using distributed
certificates based on ant systems. However, none of the models proposed so far have tried to analyze the
behavioral pattern of the attacker and quantify those behaviors in the computational framework.
Modeling and computing trust for a distributed environment has been actively researched for quite a
long time [25,26,33]. Most of these distributed trust models combine direct and recommended trusts to
come up with some sort of trust computations, although we do not encourage such a framework for our
computational model. The reason for that will be discussed in later sections when we describe the model
in detail.
Watchdog mechanism [31], based on promiscuous mode operation of the ad hoc nodes, has been the
fundamental assumption in any trust computational model. In [15] the authors have proposed a trust
evaluation-based secure routing solution. The trust evaluation is done based on several parameters stored
in a trust matrix at each ad hoc node. However, the mechanism for collecting the required parameters was
not discussed by the authors. Also, some of the parameters suggested by the authors are not realistic in a
highly sensitive application. In [16] the authors have proposed a model for trust computation based on
parameter collection by the nodes in promiscuous mode. However, the trust computation is based only on
the success and failure of transmission of different packets and does not take into account different forms
of malicious behavior.
In [18] the authors have proposed an authentication scheme based on Public Key infrastructure and
distributed trust relationship. The trust relationship is established by direct as well as recommended trusts.
Composite trust is computed by combining both direct and recommended trust relationships.
Some work has also been done to establish trust based on distribution of certificates. In [21] the
authors have proposed such a trust management scheme. Trust revocation is done by carrying out a
weighted analysis of the accusations received from different nodes. However, the proposed scheme lacks
any specific framework for computing the indices.
Another model has been proposed based on subjective logic [17]. The concept of subjective logic was
first proposed by Josang [42,43,44]. Subjective logic is “a logic which operates on subjective beliefs
about the world, and uses the term opinion to denote the representation of a subjective belief” [42]. An
opinion towards another entity x is represented by three states: belief [b(x)], disbelief [d(x)] and
uncertainty [u(x)], with the following equality:
b(x) + d(x) + u(x) = 1
The concept of subjective logic has been extended to propose a trusted routing solution in [17]. Each
node maintains its trust relationships with neighbors, which are updated depending on positive or negative
impression based upon successful or failed communication with neighboring nodes. The opinion of a
node about another node is represented in a three-dimensional metric representing trust, distrust and
uncertain opinions. However, this scheme fails to save the network from an internal attack, where a
malicious node either refuses to forward the packets and duly authenticates itself to the source, or it
cooperates with the source node and acts as a black hole.
Some mechanisms have been proposed to give incentives to the nodes for acting unselfishly. In [28]
authors have proposed a secure reputation-based incentive scheme (SORI) that prevents the nodes from
behaving in a selfish way. The scheme, however, does not prevent a malicious node from selectively
forwarding packets or from other malicious behavior.

3. Proposed model
3.1 Understanding different malicious behavior
Our motivation for developing the trust model is to form a true and honest impression about the
trustworthiness of the nodes and to punish the nodes with the slightest malicious intention. To do this we
need to understand clearly the ways a node can engage itself in different malicious acts. Below we
highlight the different malicious behavior.
‚ A node engaging in selfish behavior by not forwarding packets meant for other nodes, or selectively
forwarding smaller packets while discarding larger ones.
‚ A node falsely accusing another node for not forwarding its packets, thus isolating the node from
normal network operation.
‚ A node placing itself in active route and then coming out to break the route, thus forcing more route
request packets to be injected into the network. By repeating this malicious act, a large number of
routing overhead is forcefully generated wasting valuable bandwidth and disrupting normal network
operation.
3.2 Assumptions
The model that we are going to propose is based on certain assumptions. First, all the nodes
communicate via a shared wireless channel and all communication channels are bi-directional. Second, all
the nodes operate in a promiscuous mode, i.e., any node can overhear all the communication of any other
node within its transmission range. Third, there is an existence of an on-demand routing protocol on top
of which our proposed trust computational model can be built. Last, but not the least, we do not
encourage the notion of trust transitivity, i.e., “if A trusts B and B trusts C, then A trusts C”. This is to
prevent any colluding malicious behavior among nodes where two or more nodes can conspire to claim
themselves trustworthy.
3.3 The model
Our model has been developed with a view to form a true and honest opinion about the
trustworthiness of the nodes with collaborative effort from their neighbors and to punish the nodes with
the slightest malicious intention. In the following section we analyze different malicious behavior and
quantify them to gradually develop the model.
3.3.1 Trust model against selfish behavior
The development of the model to punish a node for selfish behavior is based on the Secure and
Objective Reputation-based Incentive (SORI) scheme proposed in [28] with several modifications. We
will elaborate more on these modifications as we describe the trust model. The parameters are described
below:
(i)
N
NNL = N
eighbor Node List (each node maintains a list of its neighbors, either by receiving Hello
messages, or by learning from overhearing).
(ii)
*+
XRF
N
(Request for Forwarding) = total number of packets node N has forwarded to node X for
further forwarding.
(iii)
*+
XHF
N
(Has Forwarded) = total number of packets that have been forwarded by X and noticed by
N.

We are not discussing the details of updating these parameters, which can be found in [28]. With the
above parameters, node N can create a local evaluation record (denoted by
*+
XLER
N
) about X. The
record
*+
XLER
N
consists of two parameters shown below:
*+
XLER
N
= Local Evaluation Record of node N of node X. It reflects the evaluation of the behavior
of node X by another node N.
where,
*+
XG
N
= Forwarding ratio of node N on node X.
*+
XC
N
= Confidence level of N on X.
In [28] the authors have set
*+
XC
N
=
*
+
XRF
N
. This gives quite an accurate estimation about the
trustworthiness of a node when weighted by the confidence level. But the trust computation does not take
into account a node’s “selective forwarding” behavior, where it only forwards small packets while
selectively discarding larger ones. To reflect this kind of malicious behavior in our trust model, we
compute the confidence level C
N
(X) as given below:
*+
*+
*
+*+
*
+
*+
Â
Â
,
?
i
i
i
i
i
N
i
N
N
sizePkt
sizePktXRFXHF
XC
_
_/
Node N computes its confidence level on X after sending a specified number of packets to X. The
computation is weighted by the packet size to reflect the “selective forwarding” behavior of a node.
We propose a similar propagation model proposed in SORI. Each node updates its local evaluation
record (LER) and sends it to its neighbors. When a node N receives the LER
i
(X) from node i, it computes
the overall evaluation record of X (denoted by OER
N
(X)), as given below:
*+
*+
*
+
*
+
*+ * +
Â
Â
Œ
Œ
,
,,
?
XiNNLi
iN
XiNNLi
iiN
N
XCiC
XGXCiC
XOER
,
,
where, C
N
(i) = confidence level of node N on node i from which it receives LER
i
(X)
C
i
(X) = confidence level of node i on node X
G
i
(X) = forwarding ratio of node i on X
3.3.2 Trust model against malicious accuser
In this section we extend the above model to take into account the malicious accusation of a node
about another node. We foresee a threat where a node falsely accuses another node of not forwarding its
packets, eventually to isolate that node as an untrustworthy one. This malicious act should also be
reflected in the trust computation, where every node should be given a chance to defend itself. We have
modified the equation above to reflect such a malicious act in the computation of the confidence level.
The modified equation is shown below:

*+
*+
*
+*+
*
+
*+
Â
Â
,
?
i
i
i
i
i
N
i
N
N
sizePkt
sizePktXRFXHF
XC
_
_/
*
+
N
X
c
,
where,
c
x
(N) = accusation index of N by X
0; if X falsely accuses N
=
1; otherwise
Node N keeps a track of the packets it received from X and packets it forwarded. If N finds out that
X is falsely accusing it for non-cooperation, it recomputes its confidence level on X by taking into
account the accusation index. It then broadcasts the new LER
N
(X) with new C
N
(X), thus resulting in
computation of a new OER
N
(X), which is low enough to punish X. Thus, any sort of malicious behavior
of X by falsely accusing other nodes gets punished eventually.
3.3.3 Trust model against malicious topology change
In this section our proposed model is extended to reflect the malicious behavior of a node where it
forces the network topology to change frequently, eventually generating a large overhead. If such a
behavior is detected, the confidence level must be changed in order to punish the malicious node.
However, detection of such a behavior is not easy, as any such topology change can be viewed as a
normal characteristic of an ad hoc network. We have tried to capture such a malicious act by statistically
modeling the action and reflecting it in the computation of trust.
To develop the model, we require each node to maintain a table called a neighbor remove table,
where it keeps track of any node moving out of the path. The table is populated by successive Hello
misses in AODV, or from the unreachable node address field in the RERR packet in DSR. A snapshot of
the table is shown below:
Table 1
Snapshot of Neighbor Remove Table
Node Address Time of Leaving Time Difference
X T1 t0 = 0
X T2 t1 = T2 – T1
X T3 t2 = T3 – T2
X T4 t3 = T4 – T3
Mean =
t
Each node periodically scans the table to find whether any particular node is leaving at frequent
intervals. It computes the mean, o
t
of the time difference of any particular node leaving the network. If o
t
is found lower than a threshold value (denoted by t
threshold
), then the node is identified as malicious and the
confidence level is computed as follows:

*+
*+
*
+*+
*
+
*+
Â
Â
,
?
i
i
i
i
i
N
i
N
N
sizePkt
sizePktXRFXHF
XC
_
_/
*
+
Xm
,
where, m(X) = malicious index of node X
0; if o
t
<= t
threshold
=
1; otherwise
The choice of the threshold value can be selected based on the typical application for which the ad
hoc network is deployed. A network that demands frequent topology change can have a higher threshold
to accommodate the normal network behavior. The choice is not discussed in this paper and is left for
future consideration.
Finally, to combine all the malicious behavior discussed earlier and to reflect those behavior in trust
computation, the confidence level of node N on X is computed as shown below:
*+
*+
*
+*+
*
+
*+
Â
Â
,
?
i
i
i
i
i
N
i
N
N
sizePkt
sizePktXRFXHF
XC
_
_/
*
+
*
+
XmN
X
,
,
c
The final overall evaluation record (OER), when computed based on the local LERs, will reflect the
different malicious behavior of a node as computed in the confidence level, and finally any malicious act
gets detected and punished.
4. Simulation and Results
We have used Glomosim [39] for our simulation. Glomosim is a scalable simulation software used
for mobile ad hoc networks. We have carried out the simulation with two different scenarios. We defined
a region of 2 Km by 2 Km and placed the nodes randomly within that region. In the first scenario, the
nodes moved with uniform speed chosen between 0 to 10 meters/sec with 30 seconds pause between each
successive movement. We increased the number of nodes and studied the network performance. In the
second scenario, we have increased the node speed, keeping the similar infrastructure, to carry out our
analysis. The parameters for both the scenarios are shown in the table below.
Table 2
Parameters chosen for simulation
Independent
variable
Set of parameters compared
Scenario
1
Number of
nodes
Routing
overhead
Number
of routes
selected
Number
of route
errors
Independent
variable
Set of parameters compared
Scenario
2
Node speed
Routing
overhead
Number
of routes
selected
Number
of route
errors

We have incorporated trust computation directly into the routing protocol to avoid any unnecessary
layering interoperability. We have extended the Ad Hoc On-Demand Distance Vector (AODV) routing
protocol [41] to incorporate the trust computation and exchange. The modified protocol has been
benchmarked with AODV to study its scalability and efficiency. To avoid any unwanted overhead we
have ensured the trust information exchange to be piggybacked with the route request packet header.
From figure 1 we can see that our protocol scales as good as the original AODV with increasing number
of nodes. Even though we have incorporated extensive trust computation at each node both by its own
spying mechanism as well as by exchanging information from its neighbors, we can see that our protocol
does not add any significant overhead.
Figure 1. Comparison of routing overhead with
number of nodes
Similar results can be seen from figures 2 and 3 where we have benchmarked our modified protocol
with AODV in terms of routes selected and route errors sent. Number of routes selected and route errors
are dependent on several factors like localized clustering of the nodes, MAC layer load and also routing
and transport layer load. The parameters show random variation as quite expected from the ad hoc nature
of the whole network. In both the cases we can see that the modified protocol scales as good as AODV
even with large network size.

Figure 2. Comparison of routes selected with
number of nodes
Figure 3. Comparison of route errors with
number of nodes
Figures 4 and 5 compare the average end-to-end delay (in seconds) and throughput (in bits per
second) respectively for the base AODV and the modified protocol. It can be concluded from the results
that the modified protocol scales as good as the original one with respect to these parameters as well.
These parameters also depend upon the localized clustering of the ad hoc nodes and overall network load
including MAC layer, network layer and transport layer loads. Hence these parameters also show random
variation for the two protocols.

Figure 4. Comparison of average end-to-end delay with
number of nodes
Figure 5. Comparison of throughput with number of
nodes
Our next set of simulation is to evaluate the modified protocol with increasing node speed. This
parameter has been selected to see the protocol scalability and efficiency with frequent changes in
network topology. We can see from figure 6 that our modified protocol does not add any overhead, even
with higher node movement. Figures 7 and 8 conclude in a similar way that the protocol scales very well
in terms of routes selected and route errors sent.
As we have piggybacked the confidence information into the route request messages to control
routing overhead, we can conclude that mobility will help in updating trust and confidence information in
our modified protocol. As the topology of the network changes more frequently necessitating more and
more route request packets to be generated, more recent information about the trusts are circulated in the

network. Thus, we can conclude that our modified protocol is not only efficient and scalable with
network size and node speed, it also gives a better picture of trust and confidence with higher node speed.
Figure 6. Comparison of routing overhead with
node speed
Figure 7. Comparison of route errors with node speed

Figure 8. Comparison of routes selected with node speed
Figure 9 compares the average end-to-end delay (in seconds) for the base AODV and the modified
protocol. We can see that the modified protocol scales as good as the original AODV with increasing
node speed with respect to the delay.
As we can see from Figures 6 to 9, the parameters for the modified protocol vary randomly with
comparison to the base AODV with sometimes lower and sometimes higher values. This is attributed
mainly to the ad hoc nature of the network with random waypoint mobility model. The parameters are
dependent upon factors like localized node clustering, MAC layer load and also transport and network
layer load, as we have discussed previously. These factors change with every simulation run with random
waypoint mobility, which attributes to the somewhat
random variation between the two protocols.
Figure 9 Comparison of Average End-to-end Delay

5. Conclusion
We have developed a model for trust computation in ad hoc networks based on different malicious
behavior of the nodes. Our model is unique in the sense that it tries to explore different behavioral pattern
of the attacker in various ways and quantifies those behaviors to form a computing framework, where any
malicious act eventually gets detected. This model for computing and updating trusts is to be integrated
with the trusted routing protocol proposed by us [19,29] to come up with a secure and robust routing
solution that can efficiently withstand attacks from malicious nodes acting either independently or in
collusion.
Although our proposed model forms a foundation for trust computation based on different malicious
behavior in an ad hoc network, we feel that there is much to be done in this area. More malicious
behaviors need to be identified and quantified into the model. Furthermore, trust updating in case of false
accusation must resolve a trust level conflict where both the accused and the accuser have same trust
levels. We are currently working on developing a more robust and full-proof trust computational model
and integrating it with the trusted routing solution proposed by us in our earlier work [19,29].
References
[1] Seung Yi, Prasad Naldurg and Robin Kravets, “Security-Aware Ad hoc Routing for Wireless
Networks”, Report No. UIUCDCS-R-2001-2241, UILU-ENG-2001-1748, August 2001.
[2] Panagiotis Papadimitratos and Zygmunt J. Haas, “Secure Routing for Mobile Ad hoc Networks”, In
Proc. SCS Communication Networks and Distributed Systems Modeling and Simulation Conference
(CNDS 2002), San Antonio, TX, January 27-31, 2002.
[3] Panagiotis Papadimitratos and Zygmunt J. Haas, “Secure Link State Routing for Mobile Ad hoc
Networks”, In Proc. IEEE Workshop on Security and Assurance in Adhoc Networks, in conjunction with
the 2003 International Symposium on Applications and the Internet, Orlando, FL, January 28, 2003.
[4] Yih-Chun Hu, Adrian Perrig and David B. Johnson, “Ariadne: A Secure On-Demand Routing
Protocol for Ad hoc Networks”, MobiCom ’02, September 23-26, 2002, Atlanta, Georgia, USA.
[5] Yih-Chun Hu, David B. Johnson and Adrian Perrig, “SEAD: Secure Efficient Distance Vector
Routing for Mobile Wireless Ad hoc Networks”, In Fourth IEEE Workshop on Mobile Computing
Systems and Applications (WMCSA ’02), June 2002, pages 3-13, June 2002.
[6] Manuel Guerro Zapata and N. Asokan, “Securing Ad hoc Routing Protocols”, WiSe’02, September 28,
2002, Atlanta, Georgia, USA.
[7] Kimaya Sanzgiri et al, “A Secure Routing Protocol for Ad hoc Networks”, In Proc. of the 10
th
IEEE
International Conference on Network Protocols (ICNP’02), 2002
[8] Hao Yang, Xiaoqiao Meng, Songwu Lu, “Self-Organized Network Layer Security in Mobile Ad hoc
Networks”, WiSe ’02, September 28, 2002, Atlanta, Georgia, USA.
[9] Lidong Zhou and Zygmunt J. Haas, “Securing Ad hoc Networks”, IEEE Network,
November/December 1999.
[10] Frank Stajano and Ross Anderson, “The Resurrecting Duckling: Security Issues for Ad hoc Wireless
Networks, 15
th
September, 1999.
[11] Patrick Albers et. al., “Security in Ad hoc Networks: a General Intrusion Detection Architecture
Enhancing Trust Based Approaches”, Wireless Information Systems, Ciudad Real, Spain, 2002.
[12] Hongmei Deng, Wei Li and Dharma P. Agrawal, “Routing Security in Wireless Ad Hoc Networks”,
IEEE Communications Magazine, October 2002.
[13] Sonja Buchegger and Jean-Yves Le Boudec, “Performance Analysis of the CONFIDANT Protocol
(Cooperation Of Nodes: Fairness In Dynamic Ad-hoc Networks), MOBIHOC ’02, June 9-11, 2002,
Switzerland.

[14] Bradley R. Smith, Shree Murthy, J.J. Garcia-Luna-Aceves, “Securing Distance-Vector Routing
Protocols”, In Proceedings of Internet Society Symposium on Network andDistributed System Security,
San Diego, CA, February, 1997.
[15] Zheng Yan, Peng Zhang, Teemupekka Virtanen, “Trust Evaluation Based Security Solution in Ad
Hoc Networks”,
http://www.nokia.com/library/files/docs/Trust_Evaluation_Based_Security_Solution_in_Ad_Hoc_Networ
ks.pdf.
[16] Asad Amir Pirzada and Chris McDonald, “Establishing Trust in Pure Ad-hoc Networks”, appeared in
27
th
Australian Computer Science Conference, The Univ. of Otago, Dunedin, New Zealand, 2004.
[17] Xiaoqi Li, Michael R. Lyu, Jiangchuan Liu, “A Trust Model Based Routing Protocol for Secure Ad
Hoc Networks”, Proceedings 2004 IEEE Aerospace Conference, Big Sky, Montana, U.S.A., March 6-13
2004.
[18] Edith C. H. Ngai and Michael R. Lyu, “Trust and Clustering-Based Authentication Services in
Mobile Ad Hoc Networks”, Proceedings of the 2nd International Workshop on Mobile Distributed
Computing (MDC'04), Tokyo, Japan, March 23-26 2004.
[19] Niki Pissinou, Tirthankar Ghosh, Kia Makki, “Collaborative Trust Based Secure Routing in
Multihop Ad Hoc Networks”, in Proceedings of The Third IFIP-TC6 Networking Conference
(Networking '04): Springer Verlag, Series:Lecture Notes in Computer Science, Vol. 3042, pp. 1446 –
1451, Athens, Greece, May 9-14, 2004.
[20] Tirthankar Ghosh, Kia Makki, Niki Pissinou, “An Overview of Security Issues for Multihop Mobile
Ad Hoc Networks”, Network Security: Technology Advances, Strategies, and Change Drivers, ISBN: 0-
931695-25-3, 2004.
[21] Carlton R. Davis, “A Localized Trust Management Scheme for Ad Hoc Networks”, in Proceedings
of the 3
rd
International Conference on Networking (ICN ’04), March 2004.
[22] Raja Rai Singh Verma, Donal O’Mahony and Hitesh Tewari, “NTM – Progressive Trust Negotiation
in Ad Hoc Networks”, in Proceedings of the 1
st
joint IEI/IEE Symposium on Telecommunications Systems
Research, Dublin, November 27, 2001.
[23] Laurent Eschenauer, Virgil D. Gligor and John Baras, “On Trust Establishment in Mobile Ad Hoc
Networks”, in Proceedings of the Security Protocols Workshop, Cambridge, U.K.: Springer-Verlag, April
2002.
[24] Lalana Kagal, Tim Finin and Anupam Joshi, “Moving from Security to Distributed Trust in
Ubiquitous Computing Environments”, IEEE Computer, December 2001.
[25] Huafei Zhu, Bao Feng, Robert H. Deng, “Computing of Trust in Distributed Networks”,
http://eprint.iacr.org/, 2003/056.
[26] Thomas Beth, Malte Borcherding, Bitgit Klein, “Valuation of Trust in Open Networks”, Proceedings
of the European Symposium on Research in Computer Security (ESORICS), 1994, Brighton, UK, pp.3-18,
LNCS 875, Springer-Verlag.
[27] Matt Blaze, Joan Feigenbaum, Jack Lacy, “Decentralized Trust Management”, Proc. IEEE
Conference on Security and Privacy, Oakland, CA, May 1996.
[28] Qi He, Dapeng Wu, Pradeep Khosla, “SORI: A Secure and Objective Reputation-based Incentive
Scheme for Ad-hoc Networks”, WCNC 2004.
[29] Tirthankar Ghosh, Niki Pissinou, Kia Makki, “Collaborative Trust-based Secure Routing Against
Colluding Malicious Nodes in Multi-hop Ad Hoc Networks”, in Proceedings of 29
th
IEEE Annual
Conference on Local Computer Networks (LCN), Nov 16-18, 2004, Tampa, Florida, USA.
[30] Levente Buttyán and Jean-Pierre Hubaux, “Stimulating Cooperation in Self-Organizing Mobile Ad
Hoc Networks”, MONET Journals of Mobile Networks, 2002.
[31] Sergio Marti, T.J. Giuli, Kevin Lai and Mary Baker, “Mitigating Routing Misbehavior in Mobile Ad
Hoc Networks”, in Proceedings of the 6th annual international conference on Mobile computing and
networking (MobiCom), August 06 - 11, 2000, Boston, Massachusetts, United States.

[32] Pietro Michiardi and Refik Molva, “CORE: A Collaborative Reputation Mechanism to Enforce Node
Cooperation in Mobile Ad hoc Networks”,
[33] Alfarez Abdul-Rahman & Stephen Hailes, “A Distributed Trust Model”, ACM New Security
Paradigm Workshop, 1997.
[34] Pradip Lamsal, “Requirements for Modeling Trust in Ubiquitous Computing and Ad Hoc Networks”,
Ad Hoc Mobile Wireless Networks- Research Seminar on Telecommunications Software, 2002.
[35] Po-Wah Yau and Chris J. Mitchell, “Reputation Methods for Routing Security for Mobile Ad Hoc
Networks”,
[36] Elizabeth Gray, et.al. “Trust Propagation in Small Worlds”, in Proceedings of the 1
st
International
Conference on Trust Management, 2002.
[37] Karl Aberer, Zoran Despotovic, “Managing Trust in a Peer-2-Peer Information Systems”, CIKM’01,
November 5-10, 2001, Atlanta, Georgia, USA.
[38] Tirthankar Ghosh , Niki Pissinou, Kia Makki, "Towards Designing a Trusted Routing Solution in
Mobile Ad Hoc Networks", in the ACM Journal “Mobile Networks and Applications (MONET)” vol. 10,
no. 6, pp:
985 - 995, December 2005.
[39] Xiang Zeng, Rajive Bagrodia and Mario Gerla, “Glomosim: A Library for Parallel Simulation of
Large-scale Wireless Networks”, Proceedings of the 12
th
Workshop on Parallel and Distributed
Simulations – PADS ’98, May 26-29, Alberta, Canada, 1998.
[40] Sonja Buchegger, Jean-Yves Le Boudec, “Nodes Bearing Grudges: Towards Routing Security,
Fairness, and Robustness in Mobile Ad Hoc Networks”, in Proceedings of the Tenth Euromicro
Workshop on Parallel, Distributed, Network-based Processing, pages 403-410, Canary Islands, Spain,
January 2002.
[41] C. Perkins and E. Royer, “Ad hoc On-Demand Distance Vector Routing”, In Proc. IEEE Workshop
on Mobile Computing Systems and Applications, 1999.
[42] A. Josang, “A Logic for Uncertain Probabilities”, International Journal of Uncertainty, Fuzziness
and Knowledge-based Systems, 9(3): 279-311, 2001.
[43] A. Josang, “A Subjective Metric of Authentication”, in Proceedings of ESORICS: European
Symposium on Research in Computer Security, LNCS, Springer-Verlag, 1998.
[44] A. Josang, “Prospectives for Modelling Trust in Information Security”, in Proceedings of
Australasian Conference on Information Security and Privacy, pages 2-13, 1997.
[45] David B. Johnson and David A. Maltz, “The Dynamic Source Routing Protocol for Mobile Ad Hoc
Networks”, Internet Draft, MANET Working Group, IETF, October, 1999.
[45] Tao Jiang, John S. Baras, “Ant-based Adaptive Trust Evidence Distribution in MANET”, in
Proceedings of the 24
th
International Conference on Distributed Computing Systems Workshops
(ICDCSW’04), 2004.
[46] George Theodorakopoulos, John S. Baras, “Trust Evaluation in Ad-Hoc Networks”, WiSE’04,
Philadelphia, PA, October 1, 2004.

Session 2
Invited Papers

Reactive and Proactive Approaches
to Secure Routing in MANETs
⋆
Mike Burmester and Tri Van Le
Department of Computer Science, Florida State University
Tallahassee, Florida 323206-4530
{burmester,levan}@cs.fsu.edu
Abstract: Mobile ad hoc netwo rks are collections of wire less mobile nodes with
links that a re made or broken in an arbitrary way. They have constrained re-
sources, restricted broadcast range and no fixed infrastructure. For these net-
works communication is achieved via routes whose nodes relay packets. Several
routing algorithms have been proposed in the literature. These focus mainly on
efficiency with security relegated to weak adversary models. In this paper we
consider the problem of secure routing in malicious environments. We propose
two complementary solutions: an optimistic algorithm that traces malicious be-
havior and an adaptive multipath algorithm that to lerates malicious behavior,
and prove that they are secure.
Keywords: Ad hoc Networks, Routing Algorithms, Provable Security.
1 Introduction
Mobile ad hoc networ ks are collections of self-organizing mobile nodes with dy-
namic to pologies and no fixed infrastructure. The no des can be regarded as wir e-
less mobile hosts with limited power (operating off batteries) and constrained
bandwidth. Transmission is in a broadcast medium. The recent rise in popularity
of mobile wireless devices and technological developments have made poss ible
the deployment of such networks for several applications, such as emergency de-
ployments, disaster recovery, search and rescue missions and military operations.
Finding and maintaining communication routes in an ad hoc network is a
major challenge, especially with r e spect to fault tolerance and security. To date,
most of the research has focused on performance and services (see e.g., [3, 21,
22]) with security being given a lower priority, a nd in many cases, regarded as
an add-on afterthought technology rather than a design feature (e.g., [1, 20]).
Although such an approach may be appropriate for networks with predictable
faults, it is not suitable for networks with unpredictable, malicious faults. In par-
ticular one cannot trace malicious behavior by exploiting o nly s tochastic network
⋆
This material is based on work supported in part by the U.S. Army Research Labo-
ratory and the U.S. Research Office under grant number DAAD19-02-1-0235 and in
part by t he National Science Foundation under grant number NSF-009316.

aspects, because malicious nodes may avoid detection by colluding and behav-
ing normally whenever a fault detection mechanism is triggered. Of par ticular
concern in military applications is the possibility that an established route is
taken over by the adversary, and then used at a critical time when damage is
maximized and when there is not sufficient time to fix the route or to find alter-
native routes. In such cases multipath routing and communication is of benefit.
Multipath routing will also enhance ba ndwidth usage, load balancing and mo re
generally efficiency (see e.g., [25]). Another co ncern is that, besides packet drop-
ping, malicious nodes may render a network useless by disseminating confusing
information regarding the state of the system, e.g., by blaming non-faulty nodes
for failures and for dropping or co rrupting packets. It is therefore important to
trace malicious behavior and to prevent faulty nodes from taking part in future
attacks.
In this paper we consider the pro blem of secure routing in mobile ad hoc
networks when there are malicious faults. We first overview the current sec urity
threats of such networks and discuss countermeasures, focusing on routing issues.
We co ns ider networks with a varying degree of ad hocness, ranging from almost
static to extremely mobile. Our main contribution is to propose two novel routing
algorithms that address malicious behavior. The first is pr o active and traces
malicious behavior while the seco nd is reactive and tolerates malicious behavior.
We prove that both algorithms are secure in our model.
The paper organized as follows. In Section 2 we present our model that
captures at an appropriate degree o f abstrac tion the bas ic stochastic asp e cts of
mobile ad hoc netwo rks and give our definitions. In Section 3 we overview the
security threats of routing algorithms. In Section 4 we present an algorithm that
traces malicious faults and in Section 5 we present an adaptive multipath routing
algorithm that tolerates malicious behavior.
2 Models and Definitions
2.1 A model for ad hoc networks
There are several ways in which one ca n model the unpredictable nature of a mo-
bile ad hoc network. Whichever way is used, there are important mobility aspects
that must be reflected in the model. In particular, ad hoc networks are stochastic
finite state systems. The following definition captures this requirement.
Definition 1. Let V be a finite state system with state space S. The elements
of V a re mobile nodes: each node is a probabilistic finite state machine. A mobile
ad hoc network is a random process
G = {(G
1
, S
1
)}, { (G
2
, S
2
)}, . . . , {(G
t
, S
t
)}, . . . , {(G
T
, S
T
)},
where G
t
= (V, E
t
), t = 1, 2, . . ., is a graph with node set V , link set E
t
, and
S
t
∈ S, t = 1, 2, . . ., is the internal state of V at time t, subject to the following
constraints:
2

(i) Markov constraint. Given the current network state (G
t
, S
t
), the next state
(G
t+1
, S
t+1
) is independent of all prev ious states (G
1
, S
1
), . . . , (G
t−1
, S
t−1
).
(ii) Mobility constraint. The transitional probabilities Pr [(G
t+1
, S
t+1
) | (G
t
, S
t
)],
t = 1, 2, . . . , are independent of t. The distribution generated by these prob-
abilities is called the mobility distribution µ of the network.
(iii) Medium constraints. The communication medium,
– is promiscuous: if node x transmits a packet at time t then this will be
received at time t
′
> t simultaneously by all its neighbors (linked to it
at time t
′
). The time taken for a single transmission to be received (one
hop) is bounded by a co ns ta nt τ.
– is bidirectional: if x, y are neighbors, then x can transmit a message to y
and vice versa y can transmit a message to x.
– has limited bandwidth: simultaneous transmissions in a neighborhood be-
yond a certa in threshold will result in transmission failure, irrespective
of the number of nodes in the area.
This model is time dependent: changes in the topology of the network occur over
time and transmissions are time bounded. The mobility distribution µ is deter-
mined by the internal sta tes of the nodes of G and Nature. Nature’s contribution
comes from the environment and the fact that the communication is wireless. A
wide variety of facto rs may affect the communication, ra nging from weather to
radio interference and physical obstacles.
Our definition specifies the basic requirements of a mobile ad hoc network
system. We do not exclude the pos sibility that some nodes may have additional
out-of-system links, either out-of-band or by using more powerful broadca sting
devices. These are out-of-system facilities and may be used by nodes that do not
adhere to the system specifications. Such nodes are regarded as faulty and will
be discussed in Section 2.2 below.
Definition 2. A mobile ad hoc network G is simulatable if there is an efficient
algorithm σ called the simulator that simulates G according to its mobility dis-
tribution µ. That is, σ generates random samples (
ˆ
G
1
,
ˆ
S
1
), (
ˆ
G
2
,
ˆ
S
2
), . . . , such
that: Pr[(
ˆ
G
1
,
ˆ
S
1
), . . . , (
ˆ
G
t
,
ˆ
S
t
)] = Pr[(G
1
, S
1
), . . . , (G
t
, S
t
)], for all t ≥ 1.
Communication in ad hoc networks is achieved by forwarding packets via
routes. Traditionally, a route is a path that links a source node to a destination
node. However the notion of a route can be extended to allow for a more general
definition.
Definition 3. A route R(s, d) with source s a nd destination d is a list of nodes of
G, that starts at s and ends at d, through which packets are forwarded. This list
may not be known to s, or to any other node. Nodes on the list may know their
successor, or may not. Routes may change over time and may not be connected
for any time period: it is sufficient that the links of adjacent nodes are connected
in turn, over time. We shall also consider multipath routes that have several
node-disjoint path lists linking s, d.
3

2.2 The threat model
Our model allows for a very powerful adversary. The adversary interacts with
the network via nodes that are under her control. These nodes are regarded as
faulty. Faulty nodes may have hidden channels (used for wormhole and rus hing
attacks [14]) and may also vary their transmission range or use directional an-
tennas. For ex ample, a malicious node x may present itself as a neighbor to a
non-faulty node, when it is not. With a directional antenna x may also “select”
its neighbors. Furthermore, faulty nodes may replicate.
Definition 4. Let Γ be a family of subsets V
′
of the node set V . We call Γ an
Adversary Structure [11]. The adversary Adv = Adv
Γ
selects a subset V
′
∈ Γ
and can corrupt all its nodes during the lifetime o f the system.
1
Adv controls
the nodes of V
′
and may use them to undermine the security of the network.
We call these nodes corrupted or faulty and refer to Adv a s a Γ -adversary. The
adversary may be passive or active. A passive adversary (also called honest-but-
curious) will only eavesdro p on the network communication. An active adversary
may use the corrupted nodes to prevent the normal functioning of the network
via snooping, dropping, modifying, and/or fabricating network message s. Nodes
that are actively involved in such attacks and the correspo nding faults ar e called
malicious or Byzantine. Malicious nodes may use hidden (covert) channels or
“wormholes” through which they can communicate or tunnel packets. A partic-
ular case of the Adversary Structure model is the Byzantine faults model [24]
for which Γ = {V
′
⊂ V | |V
′
| ≤ k}, for some threshold k. In this model the
number of faulty nodes that Adv = A
k
can control is bounded by a threshold
k. We call A
k
a k-adversary.
Definition 5. Let G be a mobile ad hoc network and P a distributed algorithm
of G. We say that P tolerates a Γ - adversary if for all Γ -adversaries Adv, the
probability π
P
Adv
that P terminates success fully when Adv is active is the same
as the probability π
P
0
that P terminates successfully when Adv is passive. We say
that P tolerates a Γ -adversary with error ε if | π
P
Adv
−π
P
0
|< ε. The probabilities
π
P
0
and π
P
Adv
are taken over the random coin tosses of P and Adv and the input
of P .
Normally we require that the “reliability” distribution π
P
0
is close to 1, but we
do not exclude other values. In this definition ε specifies the level of Γ -tolerance.
For ε = 0 we get perfect Γ -tolerance. We can als o define computational tolerance,
by requiring that the distributions π
P
Adv
, π
P
0
are computationally indistinguish-
able [9]. Although our definition is not formal, it can easily be described in the
formal security framework of [2, 19]. We note however that in our threat model
we allow for the distribution of π
P
0
to be bounded away from 1. For example we
1
There are several generalizations of this model. One such gen eralization allows Γ to
be dynamic: at regular intervals Adv can replace V
′
by V
′′
∈ Γ , that is, release the
nodes of V
′
\V
′′
and replace them by the nodes of V
′′
\V
′
. Another generalization
involves hybrid faults: malicious faults and physical faults. We shall not consider
these models here.
4

may have π
P
0
≈ 0.75, in which case the “application” P may have to be repeated
a few times (the functionality of P allows for random failures).
2.3 Security mechanisms
For data integrity, Message Authentication Codes (MACs) may be us e d. For au-
thenticity and integrity, digital signa tures are used. For confidentia lity (privacy)
encryption mechanisms are used [24]. These are all keyed cryptosystems. There
are two types of cryptosystems: symmetric and public key. Symmetric cryptosys-
tems require one shared secret key. Public key cryptosystems require two keys, a
public key and a secret key. In our algorithms we shall use the following notation:
– [data]
sd
: data, and its keyed MAC with the shared key of s, d.
– [data]
x
: data, and its digital sig nature with the signing key of x.
– h as h (data): the (cryptographic) hash of data [24].
We assume in this paper that all MACs and digital signatures are unforgeable. In
particular, that the network nodes and the adversary are polynomially bounded
in the sec urity parameter of the signatures. Consequently, the security is condi-
tional, and the error probability must take into account the er ror probabilities
of these cryptographic mechanisms.
The computational cost of public key cryptosystems is relatively high for
most ad hoc network applications. This can be reduced by using Elliptic Curve
(EC) cryptosystems or the NTRU [24], but it is preferable to use symmetric key
mechanisms whenever appropriate. However with symmetric key mechanisms,
integrity c an only be checked by those who share the secret key. In particular,
symmetric mechanisms will not support non-repudiation. For authentication we
must therefor e use digital signatures.
We shall assume that each network node is assigned a unique secre t signing
key and given a lis t of public keys that corr espond to the assigned secret keys.
This will allow nodes to link dig ita lly signed messages to their owners and to
authenticate nodes. It is important however to note that malicious nodes may
choose to shar e their secret signing keys. This will make it possible for them to
app e ar to be pres e nt in several virtual places of the network at the same time
(this is the Sybil attack [5] which we shall discuss in Section 3.2 ). We therefore
view malicious nodes as collections of virtual nodes, each one corresponding to
a unique signing key.
The inability to bind entities (or messages) to a unique physical node is an
inherent limit of Public Key Cryptography. It is not restricted to networks and
applies to all protoco ls that rely on cryptographic primitives for authentication.
3 Security issues for routing algorithms
Depending on where mo st of the ro uting effort takes place, there ar e two types of
routing: network-centric and source-centric. With network-centric routing (such
as DSDV [21], WR [3] and AODV [22]) the routing effort is distributed within
5

the network; with source-centric routing (such as DSR [16]) most of the routing
effort is done by the source node.
Network-centric routing requires c onsiderable cooperation between the nodes
of the network in order to update and maintain a distributed database of routing
information such as routes, cost, distance, reliability, time, etc. This type of
routing is appropriate for networks whose node mobility is low and changes are
less frequent. Its advantage is that the routing service is always available and
communication can start almo st immediately. ¿From a security point of view,
network-centric routing requires substantial cooperation between network nodes
and strong trust relationships. These algor ithms are therefore mo re vulnerable
to malicious faults. Ther e is no way to prevent such faults, because the ro uting
service is provided by remote nodes (that may be faulty).
With source-centric routing, the source s is r e sponsible for discovering the
topology of the network, for finding a route and for updating any changes, with
less help from other nodes. When a node needs to send a packet, a route to the
destination is constructed on-demand by the node and updated according to the
changes in the network. Cooperation from other nodes is often limited to for-
warding packets or collecting local information. Since there is almost no status
information to maintain, this kind of routing is flexible and appropriate for net-
works that change frequently. Source-centric ro uting lessens the dependence on
intermediate node cooperation, and thus is less vulnerable to malicious attacks.
Furthermore, since the source and destination have control over the routes, they
are also more flexible in dealing with DoS. For these rea sons, when security issues
are of concern, source-centric routing is preferable.
3.1 Denial of Service attacks and countermeasures
There are several ways in which a DoS can be triggered. For example, the ad-
versary can cause a DoS by flooding the network with irrelevant pa ckets (via
faulty nodes). Another way to trigger a DoS is by flooding queries in dense net-
works. We also have DoS attacks on routes. If the adversary succeeds in taking
control of a route, for example by having one or more nodes under his control
selected by a route discovery algorithm, then the adversary will establish routes
that may not exist or that may have loops, which could prevent routing updates
from settling and route convergence. DoS is also triggered by packet dropping.
For example, malicious nodes in a route discovery algorithm may drop packets
to prevent the source getting path information. Packet dropping can also take
place during communication. This problem is agg ravated when malicious nodes
collude.
Non-malicious DoS caused by flo oding in dense networks is controlled by
reducing the broadcast redundancy. Gossip protocols [10, 4] use this approach.
Malicious DoS caused by flooding may be c ontrolled by using Intrusion Detec-
tion mechanisms. One way to deal with malicious DoS attacks on routes is to use
fault tracing algorithms. Awerbuch-Holmer-Nita Rotaru-Rubens [1] use an adap-
tive fault probing algorithm that is triggered when faults occur at a rate higher
than that of ordinary link failures (non-malicious). There are several problems
6

with such an approach, due pr imarily to the fact that a malicious node need
not exhibit faulty behavior when pro bed, but only during communication. Fur-
thermore, malicious nodes may collude to prevent failure reports reaching the
source and make bogus reports to confuse other nodes. In Section 4 we describe
an algorithm that will trace malicious behavior when it occurs.
3.2 Man-in-the-Middle attacks and countermeasures
In a man-in-the-middle attack the adversary takes control of the communication
channel between the source and destination by interposing between them. In
their simplest form these attacks are passive, with the adversary relaying packets
between two no des x, y via nodes under his control. The relaying node(s) is
(are) transparent to x and y, and x is fooled into believing that y is in range (a
neighbor). In particular x, y will a ppear to be adjacent in any route containing
them. The attacker will not be listed on the route, but the nodes x, y will be.
Consequently, the route will appear to be shorter than it actually is, and may be
selected in preference to other routes. In this way the adversary can take control
of the route. Authentication mechanisms are of no help: the adversary simply
relays the authenticators.
Active man-in-the-middle attacks in which the attacker is an “insider”, that
is a malicious node that is trusted, are the hardest to control. In such attacks,
the attacker is properly authenticated and controls nodes on routes originating
at the source. In a wormhole attack [14] the adversary succeeds in fooling a
source node into believing that a route is short by tunneling packets intended for
the des tination via nodes under her control. A rushing attack [14] is a wormhole
attack in which the adversary succeeds in sending packets through the wormhole
faster than normal netwo rk traffic. With s uch attacks it may not possible to
distinguish non-faulty nodes from malicious nodes because the adversary may
disguise the attack to mimic (stochastically) a failure caused by Nature. In a
Sybil attack [5] a malicious node z presents multiple identities. In this way z
succeeds in fooling the source into believing that there are ma ny short r outes
to the destination. These r outes “ pass through” conspiring nodes z
i
that may
actually be far away (in broadcast hops), but are used as proxy nodes by the
nearby node z. In this attack z knows the secret authentication keys of the
conspiring nodes z
i
and uses them to authenticate the z
i
.
Man-in-the-middle attacks in ad hoc networks are hard to counter, if not
impossible. There are two general approaches that can be used with such attacks:
a temporal and a locational approach. The former exploits the time taken for
each broadcast hop. In most cases this can be used to prevent the attacker from
falsifying the length of routes. The latter uses the physical location of the nodes.
Each node certifies its own position. In most cases this approach will trace nodes
that claim false positions (by non-faulty neighbo r nodes).
7

3.3 Security at the physical and data link layers
There are two types of faults that may occur in a routing algorithm: faults
whose effect is stochastically indistinguishable from ordinary link failures caused
by the mobility of the system, radio interference, power failure etc, and faults
whose effect can be distinguished. Malicious faults tend to be of the second
type, although the first type should not be excluded. For example, as obs e rved
earlier, the adversary may try to evade detection by causing faults that mimic the
statistics of natural failures. Further more, malicious physical faults may affect
the mobility of the system.
Faults that deviate from ordinary failures can be controlled by using redun-
dancy. In particular, error detection, error correction and erasure mechanisms.
These faults are best dealt with at the physical or data link layer of the protocol
stack with Medium Access Control protocols. At these layers one can also deal
with jamming attacks (using frequency-hopping spread spectrum techniques)
and most isolated DoS attacks.
Faults of the second type, although by definition statistically detectable,
can b e quite hard to trac e or locate. They include malicious faults. Ma licious
faults may occur when they are least expected, and may not be tracea ble with
statistical failure analysis. The reason for this is that any analysis based on
reported failures can be manipulated by the adversary. Faults of this type have
to be addressed at the netwo rk layer. In this paper we are concerned with such
faults.
3.4 Security issues of Ariadne, SE AD and SAODV
Several routing protocols in the literature address security is sues (see e.g., [20]).
Here we discuss three of the more popular ones: Ariadne [12], SEAD [13] and
Secure AODV [27].
Ariadne is a source-centric r outing algorithm bas ed on DSR that uses an
authentication mechanism with a keyed hash chain called TESLA for pa th in-
tegrity. The security of this a lgorithm is based on the ass umption that all nodes
on a route (insiders ) will protect the integrity of path information. It therefore
will not tolerate insider faults. In particular it does not tolerate DoS caused by
packet dropping. SEAD is a source-centric variant of Ariadne. This algorithm
also does not tolerate insider faults. Secure AODV (SAODV) is a network-centric
routing algorithm that is based on the AODV algorithm [22]. It uses digital sig-
natures and hash chains to protect the integrity of path information. As with
the previo us two algorithms it will no t tolerate insider faults.
Rushing attacks on routing algorithms are the hardest to control. With these
attacks two colluding nodes, one close to the source s the other close to the
destination d, tunnel packets intended for d and sent by s via a wormhole, slightly
faster than nor mal network traffic. The colluding nodes are authenticated a nd
may inse rt conspiring nodes (using a Sybil attack) on the path to make its length
app e ar “normal” and be selected in preference to other paths. Such attacks are
not tolerated by Ariadne, SEAD and SAODV.
8

4 Tracing malicious faults
In this section we describe a routing algorithm that will trace ma licious fa ults
by identifying malicious behavior. Faulty nodes that ar e traced may have their
keys invalidated by the non-faulty nodes, thus preventing future attacks.
Observe that failure rates based on reported failures of nodes to forward
packets may be inaccurate. This is because faulty nodes may fail to repo rt s uch
events –even worse, fabricate events. Consequently tracing mechanisms that are
triggered by failure rates exceeding a certain threshold may fail. Fur ther more it
is not possible in general to tell from a report by a node that claims that another
node is faulty, which node is actually faulty: the reporting or the repo rted node.
Two approaches can be used with malicious k-adversaries. In the first, malicious
behavior is established when more than k (distinct) reports a re available. In the
second, each time a node is reported as malicious, both the reporting and the
reported node are treated as malicious and eliminated. In this case the malicious
nodes can cause up to k faults, but will then be eliminated together with up to
k non-faulty nodes.
4.1 An optimi stic algorithm that traces malicious faults
We describe an optimistic
2
algorithm that will trace malicious node behavior.
For this algorithm there is no additional cost when there are no faults. When
faults do occur, the cost to loca te a fault is one tracing round and one digital
signature. Compared to [1], our algorithm will locate faults when malicious nodes
collude and it also uses less rounds. Each participating node only needs to know
its neighbors on the path. In this algorithm faults that can be dealt with at the
data link layer by error correction and re-sending packets are treated as non-
malicious. The protocol is described in Figure 1. We use the following notation:
– p kt
s
= [s, d, sn, seq
s
, data]
sd
: a packet consisting of identifiers s, d, a ses-
sion number sn for tracing algorithm (unique to each session), the sequence
number seq
s
for pkt
s
, and data.
– ack
d
= [s, d, sn, seq
s
]
sd
: an acknowledgment by the destination d.
– p rob
s
= [s, d, sn, seq
s
, hash(pkt
s
)]
s
: a probing request by s.
– n ack
y
= [s, d, y, succ(y), sn, seq
s
]
y
: an acknowledgment of failure o f succ(y)
reported by y.
– timer
xy
: a bound on time taken for a round trip from x to y for pkt
s
.
– p rec(x), succ(x): the node that precedes , succeeds x on the path taken by
pkt
s
.
In the protocol, the source s sends a packet pkt
s
to succ(s) to be delivered
to the destination d. If there are no faults then the packet reaches d that will
send back to s an authenticated acknowledgment ack
d
. If there is a fault and
this is detected by an intermediate nodes y, then a nack
y
will be sent to s.
Otherewise the source s will send a prob
s
with details of ack
d
requesting from
2
Optimistic algorithms have optimal performance when they are no faults.
9

intermediate nodes to check the validity of any received nack
y
or ack
d
. Thus, for
an intermediate node x, either succ(x) is faulty or x should have received from
succ(x),
1. after x
pkt
s
−→ succ(x) and before timer
xd
timeouts: a valid nack
y
(when node y
has detected faulty behavior by succ(y)) or an ack
d
for which (s, d, sn, seq
s
)
have the correct values, or
2. after x
pro b
s
−→ succ(x) and before the reset timer
xd
timeouts: a valid na ck
y
.
It follows that s will receive a valid nack
y
and consequently a fault will be traced.
Observe that in the protocol s, d check the validity of pkt
s
and ack
d
, and if there
are no faults, the intermediate nodes check only for matching acknowledgments
ack
d
; if there are faults, intermediate nodes will also check the validity of n a ck
y
and prob
s
.
Source s. Set seq
s
= 0. While a connection to d has not terminated do:
1. Set timer
sd
and send pkt
s
to succ(s).
2. If a valid ack
d
for pkt
s
is received before timeout then set seq
s
= seq
s
+ 1.
3. Else if a valid nack
y
for pkt
s
is received before timeout then y or succ(y)
is malicious.
4. Else if an invalid ack
d
is received:
(a) Reset t imer
sd
and send prob
s
to succ(s).
(b) If a valid nack
y
for pkt
s
is received before timeout then y or succ(y)
is malicious.
(c) Else succ(s) is malicious.
5. O t herwise succ(s) is malicious.
Intermediate node x. When pkt
s
is received:
1. Set timer
xd
and send pkt
s
to succ(x).
2. If a matching ack
d
is received before timer
xd
timeouts then
(a) Set timer
xs
and send ack
d
to prec(x).
(b) If a valid prob
s
for pkt
s
is received before timer
xs
timeouts then
i. Reset timer
xd
and send prob
s
to succ(x)
ii. If a valid nack
y
for pkt
s
is received before timer
xd
timeouts then
Send nack
y
to prec(x).
iii. Else construct and send nack
x
to prec(x).
3. Else If a valid nack
y
for pkt
s
is received before timer
xd
timeout then
(a) Send nack
y
to prec(x).
4. O t herwise construct and send nack
x
to prec(x).
Destination d. When a valid pkt
s
is received:
1. Construct and send ack
d
to prec(d).
Fig. 1. An optimistic tracing algorithm.
10

Theorem 1. For any Γ -adversary, the tracing algorithm in Figure 1 will ei-
ther deliver pkt
s
to the destination d or will trace at least one faulty node. In
particular:
1. If all nodes adhere to the protocol then d will receive pkt
s
and the source s
will receive ack
d
before its timeout.
2. If s receives an ack
d
before its timeout then d has received pkt
s
.
3. If s does not receive an ack
d
before its timeout then at least one faulty node
is traced.
Proof. (Sketch) We consider each part separately.
1. Clearly if all nodes adhere to the protoc ol then d will get pkt
s
and s will get
ack
d
.
2. If s gets ack
d
, then because signa ture s are unforgeable and d will only sign
a matching ack
d
if the received pkt
s
is valid, d must have received pkt
s
.
3. If s ha s not received ack
d
before its timeout, it will send a probe prob
s
downstream requesting intermediate nodes to check the last transmitted
pkt
s
. Note that any non faulty intermediate node x that has received pkt
s
upstream will send back upstr eam either an ack
d
, a nack
x
or a nack
y
, for
some y, before its timeout. If s did not receive a valid nack
y
for some y
before its timeout, then succ(s) must faulty, and if s did receive a valid
nack
x
= [s, d, sn, seq, x, y] for some x, y before its timeout, then at least one
of {x, y} is faulty. In both cases s succeeds in tr acing at least one faulty
node. The full proof will be given in the journal version of this paper. 
In this tra c ing algorithm when there are no faults, a short ack is sent back.
When faults do occur, a short prob and nack are sent. In either case, a packet is
confirmed successfully delivered, or a fault location is determined with only two
digital signatures. This is the most efficient ro uting algorithm that will trace
malicious b e havior even when faulty nodes collude. It improves on the fault
tracing algorithm in [1], which requires at least log(n) communication rounds
and signatures to locate a malicious fault, and does not consider collusions.
4.2 Tracing mali cious behavior with AODV and DSR
Most of the routing algorithms can easily be extended to incorporate our tracing
mechanism in the communication phase. For example, for distance vector based
routings such as DSDV and AODV, malicio us faults will be traced by using
Step 2, Step 3 and Step 4 of the source and intermediate nodes in the tracing
algorithm, for packet processing (the stor e-and-forward process).
With the DSR a lgorithm, we trace malicious faults by adding Step 2, Step 3
and Step 4 of the s ource and intermediate nodes in the tracing algorithm at the
network layer, i.e., after er ror check ing at the data link layer. In this case, the
error reporting at the data link layer is redundant, although it can be useful to
optimize the tracing time.
11

5 Adaptive Multipath Routing
Multipath routing involves the esta blishment of multiple paths between sour c e
and destination pairs. These paths may be used for redundant communication
to control ma licious attacks. A major adva ntages in using multipaths is that,
by exploiting redundancy we can guarantee ser vice continuity, even when the
adversary is active.
5.1 An Adaptive Multipath Routing algorithm
Finding routes with multiple paths in networks that do not have a fixed in-
frastructure is a challenge and in general requires a different approach to that
used with fixed infrastructures. In this section we consider a multipath routing
algorithm that combines in parallel a distributed version of Ford-Fulkerson Max
Flow algor ithm [6] (at the source) with a local network discovery algorithm (for
nearby nodes) to find vertex-disjoint paths that link the so urce to the desti-
nation. When there are no malicious faults, a single route is used. Otherwise,
the route is adaptively reconstructed to deal with the faults. Only the shortest
route(s) is (are) are actually used, while the rest are kept alive.
The protocol is given in Figures 2 and 3. Figure 2 describes the actions of the
source s. Initially s broadcasts a request req
s
for neighbor lists. A hop-by-hop
Source s
1. Set G
∗
= ∅, f low = ∅, t = 1, radius = ∆.
2. Start using f low for communication whenever value(flow) ≥ 1.
3. AddLinks(s, neighbors(s) ; flow , G
∗
).
4. While a connection to d has not terminated do
(a) While value(flow) < t do
i. Set seq
s
, ttl
s
, timeout
s
and broadcast req
s
.
ii. For each valid rep
x
received before timeout
s
do
AddLinks(x, neighbors(x); f low, G
∗
).
iii. Set radius = radius + ∆.
(b) If errorrate(path) > ǫ
0
for all path ∈ f low then
i. t = t + 1.
Fig. 2. An adaptive multipath routing algorithm, I
(on-the-fly) version of Ford- Fulkerson Max Flow algorithm
3
is used to construct
a local graph G
∗
= (V
∗
, E
∗
) with neighbo r lists obtained from netwo rk nodes.
G
∗
is a directed graph which is a vertex expanded ver sion of the network graph
G: each node x in G corresponds to two nodes x
+
, x
−
linked by (x
+
, x
−
) in G
∗
,
3
The Ford-Fulkerson Max Flow algorithm is given for static ne tworks. Here we con-
sider an extension for mobile environments.
12

and each link (x, y) of G corresponds to a link (x
−
, y
+
) in G
∗
, and conversely.
Initially G
∗
= ∅. The sourc e adds to G
∗
its neighbors and the links to them.The
following variables are used:
– f low: a list of vertex-disjoint paths that link s to d in G
∗
; v alue(flow): the
number of paths in f low.
– req
s
= [s, d, sn, seq
s
, ttl
s
]
s
: a request by s for neighbor lists consisting of
identifiers for s, d, a session number sn, a sequence number seq
s
for re q
s
,
and the time-to-live ttl
s
for req
s
.
– rep
x
= [x, sn, seq
s
, ttl
x
, neighbor(x)]
x
: a report by x.
– ctime
z
: the current time for node z.
– radius: an upperbound of the hop distance for req
s
; ∆: an initial hop radius.
– seq
s
= ctime
s
; ttl
s
= ctime
s
+ radius × τ; timeout
s
= ttl
s
+ radius × τ.
– t: the number of disjoint paths of the multipath.
– ǫ
0
: a threshold for the er ror rate of a non faulty path.
– errorrate(path): the error rate of path.
Procedure AddLinks(x, neighbors(x); G
∗
)
1. G
∗
= G
∗
+ {(x
+
, x
−
), (x
−
, y
+
), (y
+
, y
−
) | y ∈ neighbors(x)}.
2. L e t reverse (S) := {(x, y) | (y, x) ∈ S}, for a set of links S of G.
3. For each path p from s
−
to d
+
in G
∗
such that p = (p − fl ow) + (p ∩
reverse(f low)),
set f low = f low + p − reverse(p).
Observe that each edge of G
∗
has capacity 1. Consequently f low is a set of edge-
disjoint paths in G
∗
. If (s
−
, x
+
1
, x
−
1
, . . . , x
+
n−1
, x
−
n−1
, d
+
) is a directed path in flow
then the corresponding path in G is (s, x
1
, . . . , x
n−1
, d) –pr ovided all the reverse
links (x
−
i
, x
+
i−1
) are also in G
∗
. It is not hard to see that if {(s
−
, x
+
1
, x
−
1
, . . . ,
x
+
n−1
, x
−
n−1
, d
+
)} is a set of edge-disjoint paths in G
∗
then the corresponding
paths { (s, x
1
, . . . , x
n−1
, d)} in G are vertex-disjoint, and vice-versa.
Figure 3 describes the actions of the intermediate nodes and the destination.
On receiving a request req
s
each intermediate node x checks its validity and
Intermedi ate node x and the destination
1. If a new valid req
s
is received such that ttl
s
≤ ctime
x
then
(a) Set ttl
x
and timeout
x
.
(b) Broadcast rep
x
and req
s
.
(c) For each new valid rep
y
received before timeout
x
do
if ttl
y
≤ ctime
x
then broadcast rep
y
.
Fig. 3. The adaptive multipath routing algorithm, II
ttl
s
. If these are in order, x sends a report rep
x
to s with its neighbor list and
forwards req
s
. Similarly, when x receives a report rep
y
from a y it checks its
validity and ttl
y
. If these are in order, x broadcasts rep
y
.
13

Theorem 2. The adaptive multipath routing algorithm tolerates any k-adversary,
provided that the network graph is (k + 1)-connected, k ≥ 1.
Proof. (Sketch) If there are no fa ulty nodes then, when the source s reques ts
local connectivity information from the nodes in radius ∆, each node in r ange
will forward the reques t and reply with its list of neighbors. By timeout
s
, s will
have received a complete connectivity graph of the nodes that are no more than
radius hop counts from it. Observe that radius increases adaptively, until s finds
t disjoint paths from s to d, where t ≤ k + 1, and the graph is (k + 1)-connected.
Then, by the property of the Ford-Fulkerson algorithm, s will eventually succeed
in finding t such paths. Note that since there are no malicious faults in this case,
the value of t stays at 1.
Next consider the c ase when there are up to k malicio us nodes. The faulty
nodes may manipulate or fabricate packets but this will no t affect the outcome of
the algorithm because intermediate nodes always forward a new messag e before
timeout, regardless of the actions or the states of their neighbors. Since we are
assuming that the graph is (k + 1)-connected, there must be a non faulty path
between any pair of nodes. Consequently the request req
s
of s will reach every
intermediate node x in range, and conversely a report by any intermediate node
x in range of req
s
will always reach s.
In either c ase the route discovery always succeeds in finding routes. In the
communication phas e, the number of paths t needed increases adaptively until
at least one good path is in the flow. Since the graph is (k + 1)-connected, this
process takes at most k steps, at which point f low is assured to contains at least
one non-faulty path. This adaptive approach avoids finding unnecessary paths
when the adversary is partially active. The full pro of will be given in the journal
version of this paper. 
5.2 Discussion
The novelty of this route disc overy algorithm is that it is resistant to malicious
DoS attacks which are addressed adaptively. In particular, when there are no
attacks a single ro ute is used. With each malicio us attack, the multipath is
adaptively reconstructed to deal with the threat. Communication is activated as
soon as a path b ec omes available, so there are no unnecessary delays.
In general when faults in a t-multipath occur beyond a certain acceptable
threshold, the source s will use a (t + 1)-multipath. Since the new set of paths is
already constructed in the background, the delay caused by faults is minimized.
Most of the time, there should be no delay. Furthermore, in our algorithm, the
set of vertex-disjoint paths of the multipath is constructed incrementally, so that
even when delays are unavoidable, they are minimal.
For efficiency, each node on a path only needs to know its upstrea m and
downstream neighbor. So the path information needs to be sent to intermediate
nodes only at the beginning. When changes are made to the multipath, the
source needs only send the changes to all nodes on the new paths. The nodes
will discard unused information after a period of inactivity.
14

Observe that having local information available centrally is more effective
than having it distributed. In particular, the procedure used in the adaptive
routing a lgorithm by the source allows more vertex-disjoint pa ths to be found
than by the distributed process used in most other multipath routing protocols
(becaus e all the routing information is available locally). As a co ns e q uence fewer
communication rounds may be needed when faults occur.
Finally, observe that we can combine our ada ptive multipath routing al-
gorithm with the Dynamic Source Routing algorithm [16] to get an adaptive
multipath DSR alg orithm. Similarly, we may combine the adaptive multipath
routing algorithm with the tracing mechanism in Section 4.1 to get an adaptive
routing alg orithm that will tr ace malicious behavior.
References
1. B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rub ens, An On-Demand Secure
Routing Protocol Resilient to Byzantine Failures, ACM Workshop on Wireless Se-
curity – WiSe’02 2002.
2. D. Beaver, Foundations of secure interactive computing, Proc. CRY PTO ’91,
Springer Verlag LNCS, vol. 576, pp. 377-391, 1991.
3. E.M. Belding-Royer and C.-K. Toh, A review of current routing protocols for ad-
hoc mobile wireless networks, IEEE Personal Communications Magazine, pp. 46-55,
1991.
4. M. Burmester, Tri van Le and A. Yasinsac. Adaptive gossip protocols: managing
security and redundancy in dense ad hoc networks. Journal of Ad hoc Networks,
Elsevier, 2006.
5. J. R. Douceur, The Sybil attack, Proc. 1st International Workshop on Peer-to-Peer
Systems – IPTPS ’02, 2002.
6. L.R. Ford and D.R. Fulkerson, Flows in Networks. Princeton University Press,
Princeton, NJ, 1962.
7. D. Cavin, Y. Sasson and A. Schiper, On the Accuracy of MANET Simulators.
Proc. of the 2nd ACM international workshop on Principles of mobile computing,
Toulouse, France, pp.38-43, 2002.
8. M. Felegyhazi, L. Buttyan and J.-P. Hubaux, Equilibrium analysis of packet for-
warding strategies in wireless ad hoc networks –the static case. Lecture Notes in
Computer Science #2775, Springer-Verlag, pp. 776–789, 2003.
9. O . Goldreich, S. Micali, and A. Wigderson. How to play any mental game. Proc. of
the 19th ACM conference on Theory of Computing, ACM Press, pp. 218–229, 1987.
10. Z.J. Haas, J.Y. Halpern and L. Li. Gossip-based ad hoc routing. Proc. INFO-
COM’02, pp. 1707-1716, 2002.
11. M. Hirt and U. Maurer, Player Simulation and General Adversary Structures in
Perfect Multiparty Computation, Journal of Cryptology, Vol 13 No 1, pp. 31-60,
2000.
12. Y-C Hu, D.B. Johnson and A. Perrig. Ariadne: A Secure O n-Demand Routing
protocol for Ad Hoc Networks. ACM Mobicom 2002.
13. Y-C Hu, D.B. Johnson and A. Perrig. SEAD: Secure Efficient Distance Vector
Routing for Mobile Wireless Ad Hoc Networks. Proc. 4th IEEE Workshop on Mobile
Computing Systems & Applications (WMCSA 2002), IEEE, Calicoon, NY , 2002.
14. Y-C. Hu, A. Perrig and D.B. Johnson. Rushing attacks and defense in wireless ad
hoc network routing protocols – WiSe2003, pp. 30-40, 2003.
15

15. A. Jardosh, E. M. Belding-Royer, K. C. Almeroth and S. Suri, Towards realistic
mobility models for mobile ad hoc networks, Proc. 9th Annual International Confer-
ence on Mobile Computing and Networking, pp. 217-229, 2003.
16. D.B. Johnson and D.A. Maltz, Dynamic Source Routing in Ad-Hoc Wireless Net-
works, ed. T. Imielinski and H. Korth, Mobile Computing, Kluwer Academic Pub-
lisher, pp. 152-181, 1996.
17. G. Koh, D. Oh and H. Woo, A graph-based approach to compute multiple paths in
mobile ad hoc networks, Lecture Notes in Computer Science #2713, Springer-Verlag,
pp. 323–331, 2003.
Proc. ACM/IEEE MOBICOM ’98 (1998).
18. G. Lin, G. Noubir and R. Rajaraman, Mobility Models for Ad hoc Network Simu-
lation. Proc. IEEE INFOCOM, 2004.
19. S. Micali, P. Rogaway, Secure Computation, Crypt o ’91, LNCS 576, pp. 392-404,
1991.
20. P. Papadimitratos and Z.H. Haas. Secure Routing for Mobile Ad hoc Networks.
Mobile Computing and Communications Review, Vol 6, No 4, 2002.
21. C.E. Perkins and P.Bhagwat, Highly Dynamic Destination-Sequenced Distance-
Vector Routing for Mobile Computers, Computer Communications Review, pp. 224-
244, 1994.
22. C.E. Perkins and E.M. Royer, Ad hoc on-demand distance vector routing, IEEE
Workshop on Mobile Computing Systems and Applications, pp. 90-100, 1999.
23. N. Salem, L. Buttyan, J. Hubaux and M. Jakobsson, A charging and rewarding
scheme for packet forwarding in multi-hop cellular networks. In Mobihoc 2003, pp.
13-24, 2003.
24. A.J. Menezes, P.C. van Oorschot and S.A. Vanscott, Handbook of Applied Cryp-
tography, CRC Press, 1996.
25. A. Tsirigos and Z.J. Haas Analysis of multipath routing, part 1: The effect on the
packet delivery ratio, IEEE Transactions on Wireless Communications, Vol. 3, No.
1, pp. 138-146, 2004.
26. Jungkeun Yoon, Mingyan Liu, Brian Noble, Random Waypoint Considered Harm-
ful. Proc. IEEE INFOCOM, 2003.
27. M.G. Zapata. Secure Ad hoc On-Demand Vector (SAODV) Routing. IETF Internet
Draft. draft-guerrero-manet-saodv-00.txt. Aug 2001 (work in progress).
16

Toward Efficient Solutions to Resist Mobile Traffic Sensors:
How Much Performance Cost is Paid by
On-demand Anonymous Routing Protocols
∗
Jiejun Kong
†
, Jun Liu
∗
, Xiaoyan Hong
∗
, Mario Gerla
†
†
Department of Computer Science
∗
Department of Computer Science
University of California University of Alabama
Los Angeles, CA 90095 Tuscaloosa, AL 35487
Abstract
The recent progress in embedded real-time system develop-
ment has realized mobile traffic sensors, for example, embed-
ded systems carried by palm-size Unmanned Aerial Vehicles
(UAV). This has great impact on privacy design in mobile ad
hoc networks because mobility introduces new privacy tar-
gets for the traffic sensors. In a mobile network, a node’s mo-
tion pattern, traffic pattern, standing venue and route-driven
packet flows, and even the dynamic network topology, all be-
come new interests of the mobile traffic sensors, bringing in
new privacy challenges in addition to conventional identity
privacy and message privacy. In particular, in wireless ad hoc
networks mobile nodes must rely on ad hoc routing in com-
munication. As the wireless medium is open to anyonewithin
the transmission range, the baseline of the mobile traffic sen-
sors is to exploit this routing opportunity to conduct various
attacks threatening the network security and privacy.
Recently, the on-demand routing approach has been used
by several anonymous routing schemes to prevent mobile
nodes from being traced by mobile traffic sensors[29]. In
this paper we seek to compare the overhead incurred by
security and anonymity operations of two recently pro-
posed on-demand anonymous routing schemes, namely
ANODR [28][27] (with an enhanced variant ASR [50])
and SDAR [8]. We use the standard on-demand scheme
AODV [37] in the comparison to show how much overhead is
paid by each anonymous on-demand scheme. Our simulation
study shows that various design choices in anonymous
routing trade performance with security protection. We
conclude that extensive performance study is needed to
evaluate the practicality of the existing and new anonymous
routing schemes and their enhancements.
Keywords—Performance study, Mobile traffic sensor,
Anonymous routing, On demand routing
∗
Part of the work is funded by ONR MINUTEMAN grant N00014-01-C-
0016 and NSF NRT WHYNET grant ANI-0335302.
1 Introduction
An ad hoc network can establish an instant communication
structure for many time-critical and mission-critical applica-
tions. However, the intrinsic characteristics of ad hoc net-
works, such as wireless transmissionand node mobility, make
it very vulnerable to security threats. Even though many se-
curity protocol suites have been proposed to protect wire-
less communications, they nevertheless do not consider ano-
nymity protection and leave identity information intercepted
by nearby passive eavesdroppers. The goal of passive attacks
is very different from other related routing security problems
such asresistance to routedisruptionor preventionof “denial-
of-service” attacks. In fact, the passiveenemy will avoid such
aggressiveschemes, in the attempt to be as “invisible” as pos-
sible, until it traces, locates, and then physically destroys le-
gitimate assets. Consider for example a battlefield scenario
with ad hoc, multi-hop wireless communications support.
The adversary could deploy reconnaissance and surveillance
sensor networks in the battlefield and maintains communica-
tions among them. Via intercepted wireless transmissions,
they could infer the location, movement, number of partici-
pants, and even the goals of our task forces. Anonymity and
location privacy guarantees for our ad hoc networks are criti-
cal, else the entire mission may be compromised. This poses
challenging constraints on routing and data forwarding.
1.1 Mobile traffic sensor network
Recent advances in manufacturing technologies have enabled
the physical realization of small, light-weight, low-power,
and low-cost miniature aerial vehicles (MAVs) [22][21].
These MAVs refer to a new breed of unmanned aerial ve-
hicles (UAVs) or aerial robots that are significantly smaller
than currently available UAVs. Figure 1 illustrates the WASP
MAV recently tested by DARPA. It is a 32 cm ”flying wing”
made of a plastic lithium-ion battery material that provides
both electrical power and wing structure. The wing utilizes
synthetic battery materials that generate an average output of
more than nine watts during flight — enough power to propel
the miniature aircraft for one hour forty-seven minutes. Such
aerial robots, equipped with information sensing and trans-

mission capabilities, extend the sphere of awareness and mo-
bility of human beings, and allow for surveillance or explo-
ration of environments too hazardous or remote for humans.
Figure 1: Micro Aerial Vehicle (MAV) capable of trac-
ing mobile wireless traffic sent from pedestrian nodes
The MAV research group of our collaborator has estab-
lished a long track record in designing, building, and test-
flying autonomous MAVs. The next-generation MAVs to be
developed are expected to serve as an enabling technology
for a plethora of civilian and military applications, includ-
ing homeland security, reconnaissance, surveillance, tracking
of terrorists/suspects, rescue and search, and highway/street
patrol. With signal processing techniques (and other out-of-
band techniques like visual perception which will not be dis-
cussed in this paper), one can use three MAVs to locate the
position of a target such as a person’s or a car’s communica-
tion interface. Due to the small size of MAVs, the tracking of
MAVs is almost unnoticed by the target being tracked. The
velocity of an MAV is from 10 to 30 miles per hour, which is
fast enough to track a human being or an automobile on local
roads. In regard to ad hoc routing schemes, the mobile traffic
sensors carried by MAVs can trace where a mobile wireless
sender node is, infer the motion pattern of the mobile node,
or identify a multi-hop path between a pair of nodes.
1.2 On-demand routing
Most routing protocols in ad hoc networks fall into two cate-
gories: proactive routing and reactive routing (aka., on de-
mand routing) [9]. In proactive ad hoc routing protocols
like OLSR, TBRPF and DSDV, mobile nodes constantly ex-
change routing messages which typically include node identi-
ties and their connection status to other nodes (e.g., link state
or distance vector), so that every node maintains sufficient
and fresh network topological information to allow them to
find any intended recipients at any time. On the other hand,
on demand routing has become a major trend in ad hoc net-
works. AODV [36] and DSR [25] are common examples.
Unlike their proactive counterparts, on demand routing oper-
ation is triggered by the communication demand at sources.
Typically, an on demand routing protocol has two compo-
nents: route discovery and route maintenance. In the route
discovery phase, the source establishes a route towards the
destination by first flooding a route request (RREQ) message,
and then receiving a route reply (RREP) sent by the destina-
tion. In the route maintenancephase, nodes on the route mon-
itor the status of the forwarding path, and report to the source
about route errors. Optimizations could lead to local repairs
of broken links.
Clearly, transmitted routing messages and cached routing
tables, if revealed to the adversary, leak a large amount of
private information about the network. When this happens,
proactive protocols and on-demand protocols show different
levels of damages by design. With proactive routing, a com-
promised node has fresh topological knowledge about other
proactivenodes during the entire network lifetime. It can also
translate the topological map to a physical map using several
anchor points (e.g., by techniques similar to sensor network’s
localization service [33][46]). This way, a single-point of in-
trusion allows the adversary to visualize the entire network
and know where each node is. On the other hand, with on
demand routing, the adversary has reduced chance in tracing
the mobile network in the sense that only active routing en-
tries are in cache and in transmission, and the traffic pattern
is probabilistic (depending on application needs) and expires
after a predefined timeout.
1.3 Contributions
In this paper, our goal is to carry out a systematic perfor-
mance study of anonymous routing protocols following the
on-demand approach. We illustrate the security overhead
incurred by two recently-proposed on-demand anonymous
routing schemes, namely ANODR [28][27] (enhanced by
ASR [50]) and SDAR [8]. We use the standard on-demand
scheme AODV [37] in the comparison to show how much
overheadis paid by each anonymouson-demandscheme. Our
simulation study shows that various design choices in ano-
nymous routing trade performance with security protection.
So far no anonymous routing scheme is able to surpass other
competing schemes in all ad hoc scenarios studied. We con-
clude that extensive performance study is needed to evalu-
ate the practicality of existing and new anonymous routing
schemes.
The rest of the paper is organized as follows. In Section 2
we describe ANODR, ASR and SDAR protocols in details.
In Section 3 we evaluate their routing performance. Sec-
tion 4 describes related work in wireless networks. Finally
Section 5 summarizes the paper.
2 Anonymous routing revisited
In this section we briefly review anonymous routing ap-
proaches that do not use an on-demand design style first. We
then revisitthe two recently-proposedon-demandanonymous
routing schemes. We show the idiosyncrasies of each scheme
and how the design choices affect routing protocol perfor-
mance.
2.1 Anonymous routing not based on the on-
demand approach
Before ANODR [28], ASR [50] and SDAR [8], global-
knowledge-based routing approach and proactive routing ap-

proach were the dominant choices in anonymous routing de-
sign.
In global-knowledge-based routing approach, the network
topology is fixed and pre-stored on each node. This includes
the following designs. (i) In Chaum’s DC-net [12], the net-
work topology is suggested as a fixed and closed ring. (ii)
In Chaum’s MIX-net [11], each message sender pre-stores
the entire network topology, and then selects a random path
from the known network topology in message routing. All
subsequent MIX-net designs [39][23][26][6] inherit this as-
sumption. (iii) In Crowds [43] and sorting network [41], all
nodes are one logical hopaway, pairwise communicationsex-
ist with uniform cost. Anonymous messages are forwarded
to the next node which is selected in a random manner. If
this node is unavailable due to mobility or system crash, then
another selection must be made following the same proba-
bilistic method. In other words, every Crowds node (named
as “jondo” in [43]) or sorting network node is a member of
an overlay network. Although at the network IP layer ev-
ery node-to-node (or jondo-to-jondo) route is comprised of
multiple IP routers, at the anonymized overlay layer such a
node-to-node route is a single-hop logical link. This overlay
anonymous network assumes either a globalrouting design or
a proactiverouting design at the IP network layer. In contrast,
static and global topology knowledge is no longer available
in mobile ad hoc networks where the network topology con-
stantly changes due to mobility, frequent route outage, and
node joining/leaving. Maintaining the same global topology
knowledge that is identical to fixed networks is very expen-
sive and reveals the changing topological knowledge to node
intruders.
In proactive routing approach, every node proactively and
periodically exchanges routing messages with other nodes.
Similar to the global routing approach, every node main-
tains fresh topology knowledge by paying routing commu-
nication overheads. In mobile ad hoc networks, various op-
timized proactive routing schemes, such as OLSR [1] and
TBRPF [34], have been proposed to reduce the incurred rout-
ing communication overheads. However, like their wired
counterparts, the proactive ad-hoc routing schemes let ev-
ery message sender maintain fresh topology knowledgeabout
the network (even though the incurred communication over-
head is less than their wired counterparts). Based on the
proactively collected fresh routing knowledge, it is then pos-
sible to route anonymous messages to the next stop, which in
turn routes the messages toward the final destination. This
includes the following designs. (i) All MIX-nets leverage
proactive routing protocols at the IP layer to acquire network
topology knowledge, which is then used at the anonymized
overlay MIX layer to route messages. (ii) Like MIX-nets,
an overlay of Crowds [43] or sorting network [41] lever-
ages proactive routing information as well. (iii) In wired
Internet, PipeNet [13] and Onion Routing [42] employ ano-
nymous virtual circuit in data forwarding. After a connec-
tion establishment procedure, a sequence of routing tables
are created on the forwarding nodes to deliver data packets.
Each route table holds two columns of virtual circuit identi-
fiers (VCI) in the form of ‘vci
x
↔vci
y
’. If a node receives
a packet and the packet is stamped with a vci
x
stored in its
routing table, the node then accepts the packet, overrides the
stamp with the corresponding vci
y
, and sends the changed
packet to next stop. Both PipeNet and Onion Routing assume
that the underlying proactive routing scheme has already pro-
vided the needed routing service. Besides, every node in the
anonymous network knows its immediate previous stop (up-
stream node) and immediate next stop (downstream node).
(iv)In MIXroute [24], a backbonenetworkis formedto cover
a mobile network. Every backbonenode is a MIX, which uses
proactive routing protocols to maintain fresh network topol-
ogy of the backbone MIX-net.
In a nutshell, these global-knowledge-based routing and
proactive routing schemes treat the underlying network as ei-
ther a stationary graph, or fresh snapshots that can be treated
as stationary graphs per proactive period. A shortcoming of
applying these approaches in mobile networks comes from
node intrusions. If adequate physical protection cannot be
guaranteed for every mobile node, intrusion is inevitable
within a long time window. The adversary can compro-
mise one mobile node, gather fresh network topology from
the node’s knowledge, then use network localization schemes
(e.g., distance vector based APS [33]) to pinpoint every mo-
bile node in the network.
Therefore, although various anonymous mechanisms, such
as anonymous virtual circuit [13], MIX-net onion and
backbone-style MIX-net [24] remain feasible in ad hoc net-
works, the global routing topology caching and proactive
routing topology acquisition approaches are gradually re-
placed by the on-demand routing approach. Now we de-
scribe the recently-proposed on-demand anonymous routing
schemes following the order of publication.
2.2 ANODR and ASR
Like PipeNet [13] and Onion Routing [42], ANODR [28][27]
and ASR [50] uses anonymous virtual circuit in routing and
data forwarding. But unlike infrastructure-based PipeNet
and Onion Routing, every ANODR and ASR node does not
know its immediate upstream node and immediate down-
stream node in a mobile environment. Instead, the node only
knows the physical presence of neighboring ad hoc nodes.
This is achievedby a special anonymoussignaling procedure.
Route discovery The source node initiates the anonymous
signaling procedure. It creates an anonymous global trap-
door and an onion in a one-time route request (RREQ) flood
packet.
1. Anonymous global trapdoor: The global trapdoor is a
(semantically secure [17]) encryption of a well-known
tag message (e.g., a pre-determined bit-string “You are
the destination”) that can only be decrypted by the desti-
nation. Once the destination receives the flooded RREQ
packet, it decrypts the global trapdoor and sees the well-
known tag. But all other nodes see random bits after

decryption. The design of global trapdoor requires ano-
nymous end-to-end key agreement between the source
and the destination.
2. Onion: As the RREQ packet is flooded from the source
to the destination, each RREQ forwarding node adds a
self-aware layer to the onion. Eventually the destination
receivesan onion that can be used to delivera route reply
(RREP) unicast packet back to the source. The signal-
ing procedure ends when the source receives RREP, and
the anonymous virtual circuit is established during the
RREP phase.
RREQ flood is a very expensive procedure, while pub-
lic key crypto-processing is also expensive. According to
measurement reports [10] on low-end mobile devices, com-
mon public key cryptosystems require 30–100 milliseconds
of computation per encryption or per signature verification,
80–900 milliseconds of computation per decryption or per
signature generation. Therefore,combiningpublic keycrypto
and RREQ flood likely degrades routing protocol’s perfor-
mance. ASR [50] does not study how to establish the shared
symmetric key between the source and the destination. AN-
ODR [27] proposes to avoid public key crypto except in the
first RREQ flood between a pair of communicators. In AN-
ODR [27], each node is capable of doing encryption and de-
cryption in both symmetric and public key cryptosystems. To
establish the symmetric key shared between the source and
the destination, the source must cache the certified public key
of any intended destination prior to communication. (1) This
implies that every network node must acquire a signed cre-
dential from an offline authority Ψ prior to network opera-
tions. The credentialcan be verifiedby thewell-knownP K
Ψ
.
The credential is in the form of “[id, pk
id
, validtime]
SK
Ψ
”
signed by SK
Ψ
, where a unique network address id is as-
signed to a node, pk
id
is the certified public key of the id,
and validtime limits the valid period of the credential. In-
stead of using the unprotected plain id, the source remembers
the credential and avoids using id in communication. (2) The
credentials are not secret messages. They can be freely ex-
changed in the network to facilitate source nodes’ caching
experience. In contrast, the selection of a destination’s pk
id
is a secret random choice of the source node. (3) The selected
pk
id
of the destination is the global trapdoor key used in the
first RREQ flood between the source and the destination. For
better performance, a symmetric key is piggybacked in the
first global trapdoor. Then the source would use the sym-
metric key in later global trapdoors between the same pair of
source and destination. This spares the need of public key
decryption in later RREQ floods.
At route reply (RREP) phase, the onion
1
is decrypted to
establish routing tables en route. When the onion comes
back from the destination in the reverse order of encryption.
The RREP upstream node chooses a random number vci and
1
In onion encryption/decryption, ANODR uses AES [32], while ASR
replaces AES with Vernam cipher [47].
places it with the onion. The RREP downstream node re-
ceives this vci, then functions as the successive upstream
node to choose its own vci and overrides the same field in
the packet. As the RREP packet is processed and forwarded
towards the source node, each route table on a forwarder Y
holds two columns of virtual circuit identifiers (VCI) in the
form of ‘vci
x
↔vci
y
’, where vci
x
is choosen by Y ’s RREP
upstream node X, and vci
y
is choosen by Y itself. Later in
data packetdelivery,if a nodereceivesa packet and the packet
is stamped with a vci
x
stored in its routing table, the node
then accepts the packet, overrides the stamp with the corre-
sponding vci
y
, and sends the changed packet to next stop (the
source and the destination are denoted with special VCI tags
vci
src
and vci
dst
).
Data delivery ANODR and ASR seek to make every data
packet computationally one-time. This prevents traffic analy-
sis and replay attacks. Hence a vci must be a secret shared on
a forwarding hop. It is used as the cipher key to encrypt the
link frame payload (i.e., IP header and payload). Besides, the
explicit VCIs stamped on data packets are computationally
one-time. They are cryptographically strong pseudorandom
sequences generated from the shared vci, which is now used
as the shared secret seed. To share the secret vci on a hop,
a per-hop key exchange scheme is needed. (1) At RREQ
phase, an RREQ upstream node (which is later the RREP
downstream) must put a one-time temporary public key in
the RREQ flood packet. This one-time temporary public key
is recorded by the RREQ downstream node (which is later
the RREP upstream) for the source/destination session. The
RREQ downstream node then overrides the field with its own
temporary public key. (2) At RREP phase, the RREP up-
stream node (earlier the RREQ downstream) uses the stored
one-time public key to encrypt the contents of RREP packet
including the vci and the coming-back onion. If a one-hop
RREP receiver decrypts the encrypted contents and sees the
onion it sent out previously at RREQ phase, then this re-
ceiver (earlier the RREQ upstream) is en route. The ano-
nymous virtual circuit is established when the source node
receives the onion core it sent out a while ago. This way, the
one-time public keys are plain data bits during RREQ floods.
Per-hop key agreement overhead (using public key encryp-
tion/decryption) is paid during RREP unicasts.
Performance impact ANODR and ASR have to pay expen-
sive public key crypto-processing overhead during the first
RREQ flood between a pair of communicators and all RREP
unicasts. This significantly affects their routing performance.
In addition, all the anonymous routing schemes reviewed in
this section, i.e., ANODR, ASR and SDAR, have not imple-
mented route optimizationtechniques specified in AODV and
DSR (e.g., gratuitous route reply, proactive route fix using
constrained flooding, etc.).
2.3 SDAR
SDAR [8] is a combination of proactiveand on-demand route
discovery. Unlike the purely on-demand ANODR and ASR,

every SDAR node uses a proactive and explicit neighbor de-
tection protocol to constantly see the snapshot of its one-hop
mobile neighborhood. Every SDAR node periodically sends
out a HELLO message holding the certified public key of the
node. The SDAR HELLO messages are significantly longer
than regular beacon messages because it holds long public
keys (typically ≥1024-bit in a common public key cryptosys-
tem like RSA and El Gamal).
An SDAR node is named as the central node as it sits at
the center of its own one-hop transmission circle. A central
node X explicitly sees its neighbors’ network IDs and ver-
ifies associated credentials. X classifies its neighbors into
three trust levels according to their behavior. Routing prefer-
ence is given to the higher level nodes. This is implemented
by group key management. X randomly chooses a key for
all neighbors in the same trust level (except the lowest level,
which is not protected by cryptoschemes). The key is then
shared by X and these nodes. Routing messages intended for
the highest level is encrypted with the group key correspond-
ing to the highest level. Routing messages intended for the
medium level is encrypted with either the group key corre-
sponding to the medium level or the one corresponding to the
highest level. Routing messages intended for the lowest level
is not encrypted and thus seen by all listening nodes.
Route discovery SDAR also employs an on-demand route
discovery procedure to establish ad hoc routes. Similar to
ANODR and ASR, an SDAR source node S puts a global
trapdoor in its RREQ flood packet. While the global trap-
door is encrypted with the destination D’s certified public
key, a symmetric key is piggybacked into the global trap-
door to fulfill end-to-end key agreement. Nevertheless, unlike
ANODR/ASR which uses identity-free tags, SDAR uses the
destination D’s ID in the global trapdoor. This differentiates
ANODR/ASR’s identity-free global trapdoor from SDAR’s
ID-based global trapdoor.
Unlike ANODR and ASR, SDAR’s RREQ forwarding
events do not form any onion. Instead, a sequence of key
agreement operations are implemented. the source node S
puts its one-time public key T P K in the RREQ flood packet.
S also piggybacks the corresponding one-time private key
T SK in the global trapdoor,so that both S and D can decrypt
any data encrypted by T P K. Each RREQ forwarder records
T P K, chooses a random symmetric key K, and uses T P K
to encrypt this per-stop K. This encrypted block is appended
to the current RREQ packet. Finally when a RREQ packet
reaches the destination D after traversing l hops, it contains l
such appended T P K-encrypted blocks. D opens the global
trapdoor and knows T SK, then uses T SK to decrypt every
T P K-encrypted block and thus shares a symmetric key with
every forwarder of the received RREQ packet.
Similar to MIX-net, now the SDAR destination D has the
l (symmetric) keys to form an RREP packet in the form of
MIX-net onion. The destination D puts all symmetric key
Ks in the innermost core sothat onlythe sourceS can decrypt
the onion core and share D’s symmetrickeywith everyRREP
forwarder.
Once the source S receives the coming-back RREP, both
the source S and the destination D have made a symmetric
key agreement with every intermediate forwarder. Like the
way RREP packet is delivered, S and D use MIX-net onion
to deliver data payloads to each other.
Data delivery The SDAR literature [8] claims that the data
delivery design is similar to Onion Routing [42] (which uses
anonymous virtual circuit), but its data delivery protocol de-
scription matches MIX-netonion rather than Onion Routing’s
virtual circuit. In fact, as described below in Section 3, adopt-
ing virtual circuit in data delivery has great impact on routing
performance.
Performance impact Compared to the purely on-demand
ANODR, SDAR incurs extra neighbor detection overhead.
Each neighbor detection message is significantly longer than
short beacon messages, and also incurs a number of public
key authentication and key exchange operations in the chang-
ing mobile neighborhood.
In on-demand route discovery, SDAR incurs large crypto-
processing and communication overheads. Every RREQ for-
warding must pay the cost of a public key encryption using
T P K. This incurs expensive public key encryption overhead
in the entire network per RREQ flood. SDAR’s RREQ and
RREP packets are very long. Each RREQ packet holds l
′
T P K-encrypted blocks where l
′
is the hop count from the
source S to the current RREQ forwarder, each of the blocks
is as long as the public key length (typically ≥1024-bit in a
common public key cryptosystem like RSA and El Gamal).
Every RREP packet and DATA packet has l MIX-net onion
layers, each of the layers is at least 128-bit long (a typical
symmetric key length).
2.4 Summary
Table 1 compares several design choices that may have sig-
nificant impact on routing protocol performance and on secu-
rity/performance tradeoffs.
Table 1: Protocol comparison
ANODR ASR SDAR
Fully Fully Fully Proactive
on-demand? neighbor detection
PKC in First First All
RREQ flood contact contact the time
Data Virtual Virtual MIX-net
delivery circuit circuit onion
Neighbor No No Exposed
exposure
We compare the above aspects due to the following rea-
sons. (1) Proactive neighbor detection incurs periodic com-
munication and computational overheads on every mobile
node. (2) Using expensive public key cryptography (PKC

encryption/decryption) with expensive RREQ flood incurs
intensive communication and computational overheads per
flood. (3) In terms of data delivery performance, virtual cir-
cuit based schemes are more efficient than MIX-net’s onion
based schemes. The latter one incurs l real-time encryption
delay on the source node and then a single real-time decryp-
tion delay on every packet receiving nodes. (4) In MIX-net,
a one-hop neighborhood is exposed to an internal (and possi-
bly external)adversary. This is not a security problemin fixed
networks. But in mobile networks, this reveals the changing
local network topology to mobile traffic sensors, which could
quickly scan the entire network for once and assemble every
neighborhood together to obtain an estimation of the entire
network topology. (5) Recipient anonymity (of the destina-
tion’s network ID) is a critical security concern. Otherwise,
every RREQ packet receiver (i.e., every node participating in
the RREQ flooding) can see how busy a destination node is
from the received RREQ packets. This traffic analysis can
be used by the mobile traffic sensors to define the priority in
node tracing.
3 Performance evaluation
The performance of the anonymous ad-hoc routing protocols
discussed in this paper is evaluated through simulation in our
empirical study. In the evaluation, the aforementioned ano-
nymous ad-hoc routing protocols are presented for compar-
ison together with the original AODV. Our evaluation con-
cerns the influence from processing overhead incurred by the
cryptosystems in use and also the influence of routing control
overhead caused by different size of routing control packets.
The simulation of the protocols are all implemented based on
AODV. Each of them implementsthe main principles but uses
differentcryptosystemsin establishing the secret hop key vci.
The cryptosystems include the public key cryptography and
a variant of efficient Key Pre-distribution Schemes (KPS). In
a public key scheme, the network needs an offline authority
to grant every network member a credential signed by the au-
thority’s signing key, so that any node can verify a presented
credential with the authority’s well-known public key. The
standard ANODR, SDAR and ASR described in Section 2
uses public key cryptography. In a KPS scheme, the network
needs an offline authority to load every node with personal
key materials. Afterward, any two nodes can use their key
materials and agree on a symmetric key. If the underlying
KPS scheme is a probabilistic one [16][15] rather than a de-
terministic one [7], then the key agreement succeeds with a
high probability. Besides the original public key based AN-
ODR, a variants of ANODR using KPS (in RREP unicasts) is
tested in our simulation study. It uses the probabilistic KPS
scheme proposed by Du et al. [15] ( denoted as ANODR-DU-
KPS). In ANODR-DU-KPS, the probability of achieving a
successful key agreement at each hop is 98%. In other words,
key vci agreement fails with 2% at every RREP hop. A new
route discovery procedure will be invoked eventually by the
source.
3.1 Crypto-processing performance measure-
ment
The processing overhead used in our simulation is based
on actual measurement on low-end devices. Table 2 shows
our measurements on the performance of different cryptosys-
tems. For public key cryptosystems, the table shows pro-
cessing latency per operation. For symmetric key cryptosys-
tems (the five AES final candidates), the table shows encryp-
tion/decryption bit-rate.
Table 2: Processing overhead of various cryptosystems (on
iPAQ3670 pocket PC with Intel StrongARM 206MHz CPU)
Cryptosystem decryption encryption
ECAES (160-bit key) 42ms 160ms
RSA (1024-bit key) 900ms 30ms
El Gamal (1024-bit key) 80ms 100ms
AES/Rijndael (128-bit key & block) 29.2Mbps 29.1Mbps
RC6 (128-bit key & block) 53.8Mbps 49.2Mbps
Mars (128-bit key & block) 36.8Mbps 36.8Mbps
Serpent (128-bit key & block) 15.2Mbps 17.2Mbps
TwoFish (128-bit key & block) 30.9Mbps 30.8Mbps
Clearly, different cryptosystems introduce different pro-
cessing overhead, thus have different impact on anonymous
routing performance. For all public key cryptographic op-
erations in the simulation, we use ECAES with 160-bit key.
For the symmetric cryptography, we use AES/Rijndael with
128-bit key and block. The coding bandwidth is about
29.2Mbps. As an example, in ANODR, computational de-
lay is approximately 0.02 ms for each onion construction dur-
ing each RREQ and RREP forwarding, and another public
key processing time 160 + 4 2 = 202ms for RREP packets.
The KPS based ANODR trades link overhead for process-
ing time, i.e., ANODR-DU-KPS uses 1344 bits and 1288 bits
key agreement material for RREQ and RREP packets respec-
tively. Each of them requires only 1ms extra time in symmet-
ric key crypto-processing.
3.2 Simulation model
The simulation is performed in QualNet
T M
[45], a packet
level simulator for wireless and wired networks developed by
Scalable Network Technologies Inc. The distributed coordi-
nation function (DCF) of IEEE 802.11 is used as the MAC
layer in our experiments. It uses Request-To-Send (RTS) and
Clear-To-Send (CTS) control packets to provide virtual car-
rier sensing for unicast data packets to overcome the well-
known hidden terminal problem. Each unicast data trans-
mission is followed by an ACK. The radio uses the two-ray
ground reflection propagation model and has characteristics
similar to commercial radio interfaces (e.g., WaveLAN). The
channel capacity is 2Mbps.
The networkfield is 2400m×600mwith 150nodes initially
uniformly distributed. The transmission range is 250m. Ran-
dom Way Point (RWP) model is used to simulate node mobil-
ity. In our simulation, the mobility is controlled in such a way
that minimum and maximum speeds are always the same (to

fix a recentlydiscoveredproblem [48]), but increase from 0 to
10 m/sec in different runs. The pause time is fixed to 30 sec-
onds. CBR sessions are used to generate network data traffic.
For each session, data packets of 512 bytes are generated at
a rate of 4 packets per second. The source-destination pairs
are chosen randomly from all the nodes. During 15 minutes
simulation time, a constant, continuously renewed load of 5
short-livedpairs is maintained. All simulations are conducted
in identical network scenarios (mobility, communication traf-
fic) and routing configurations across all schemes in compari-
son. All results are averaged overmultiple runs with different
seeds for the random number generator.
3.3 Routing performance measurement
We evaluate the performance of these protocols in terms of
five metrics: packet delivery ratio, average end-to-end data
packet delay, average route acquisition delay, and normalized
routing load in bytes and number of packets per data packet
delivered. SDAR requires each node to periodical broadcast
messages to neighboring one hop nodes. When we compare
the fiveperformancemetrics, we leaveout the periodicalrout-
ing control overhead for SDAR and study it in a separate dis-
cussion.
0.5
0.6
0.7
0.8
0.9
1
1.1
1.2
0 2 4 6 8 10
Delivery Fraction
Mobility (m/s)
Original AODV
ANODR-DU-KPS
ASR
ANODR
SDAR
Figure 2: Delivery Fraction
Figure 2 shows the comparison of packet delivery ratio.
No doubt that under an environment without any attackers,
the original AODV protocol indicates the best performance
possible on this metric. ANODR-DU-KPS has the similar
performance with the original AODV, as it only uses efficient
symmetric cryptography when exchanging routing packets,
effectively accelerating the route discovery process and mak-
ing the established routes more durable. The other three pro-
tocols result in significant degradation in delivery ratio, pri-
marily caused by the longer delay required for asymmetric
key encryption/decryption. In a mobile environment, exces-
sive delay in route discovery process makes it harder to estab-
lish and maintain routes. SDAR has the worst performance,
because SDAR requires public key encryption/decryption to
forward both route request messages and route reply mes-
sages, while the other two protocols only run public key en-
cryption/decryption when forwarding route reply messages.
All of the curves show a more or less yet steady descendant
when mobility increases. This is natural as increasing mobil-
ity will cause more packet loss.
0
500
1000
1500
2000
2500
3000
3500
0 2 4 6 8 10
Data Packet Latency (ms)
Mobility (m/s)
SDAR
ASR
ANODR
ANODR-DU-KPS
Original AODV
Figure 3: Data Packet Latency (ms)
Figure 3 illustrates the data packet latency. Again, as
SDAR uses public key cryptography throughout the round
trip of route discovery, a node needs to wait longer time be-
fore a route is established. ANODR and ASR have similar
average data packet latency and both of them only use public
key encryption/decryption when forwarding route reply mes-
sages. ANODR-DU-KPS has nearly the same data packet de-
lay with the original AODV, thanks to the efficient symmetric
encryption algorithms and hash functionsused. When there is
little mobility, all protocols display small data packet latency,
because once a route is established, a stable network allows a
longer average route lifetime. When mobility increases, data
packet latency increases accordingly. It generally stops in-
creasing at some point and starts to decrease because beyond
the summit, more and more data packets are lost due to mo-
bility, thus only the routes with relatively small hop counts
can survive and be used to transmit data packets efficiently.
0
500
1000
1500
2000
2500
0 2 4 6 8 10
Average Route Acquisition Delay (ms)
Mobility (m/s)
SDAR
ANODR
ASR
Original AODV
ANODR-DU-KPS
Figure 4: Average Route Acquisition Delay (ms)
Figure 4 shows the average route acquisition delay under
different node mobility. The overall trend is similar with fig-
ure 3, with the exception that unlike data packet latency, when
mobility is small, the route acquisition delay is at a very high
level. This can be explained by the fact that when nodes are

moving, it’s easier for them to encounter other nodes either
closer to the destination or moving in the direction of the des-
tination.
0
5
10
15
20
25
30
0 2 4 6 8 10
Normalized Control Packets
Mobility (m/s)
ASR
ANODR
ANODR-DU-KPS
SDAR
Original AODV
Figure 5: Normalized Control Packets
Figure 5 compares the number of normalized control pack-
ets over all of the protocols. All of the anonymous ad-hoc
protocols have similar normalized control packets. They are
all significantly higher than that of the original AODV, as the
added cryptographic delay results in more route error mes-
sages and route repairs. Also, as the mobility increases, more
route error will be generated.
0
2
4
6
8
10
0 2 4 6 8 10
Normalized Control Bytes
Mobility (m/s)
ANODR-DU-KPS
ASR
ANODR
SDAR
Original AODV
Figure 6: Normalized Control Bytes
Figure 6 compares the normalized control overhead in
terms of bytes. The trend of the curves is about the same
with figure 5, however it’s clear that ANODR-DU-KPS in-
curs much more overhead. This is expected because having
a similar number of normalized control packets, the compar-
ison of normalized control bytes will be determined by the
control packet size. As we can see, the size of the control
packets (RREQ and RREP, primarily) of ANODR-DU-KPS
is about two times or more as that of ANODR, SDAR and
ASR, three times or more as that of the original AODV.
Figure 7 reports the overhead of the proactive key estab-
lishment of SDAR. It shows the normalized number and bytes
of neighbor authentication packets under different mobility
condition. SDAR uses periodical hello messages containing
public keys for community management. Thus the number of
8
9
10
11
12
13
14
15
16
17
0 2 4 6 8 10
0.25
0.3
0.35
0.4
0.45
0.5
0.55
0.6
0.65
Normalized Authentication Packets
Normalized Authentication Bytes
Mobility (m/s)
SDAR, Packets
SDAR, Bytes
Figure 7: SDAR Normalized Neighbor Authentication
Overhead
periodical control packets are not affected by mobility. How-
ever, since the number of packets delivered decreases as the
mobility increases, the overhead packets increases gradually
when mobility increases (the scale is given at the left side of
Figure 7). Similar trend for overhead measured in bytes is
observed (the scale is shown at the right side of Figure 7). On
the other hand, the number of authentication packets are de-
termined by the frequency of the Hello message. In this sim-
ulation we use the default AODV Hello frequency, i.e., one
Hello message per second. Compared with the normalized
routing overhead presented in Figures 5 and 6, the current
periodic packet overhead close to the overhead generated by
the route discovery and maintenance (Figure 5). Reduction
of this neighbor authentication overhead could be achieved
through possible adaption on Hello interval. However, SDAR
has a lower lever of normalized authentication bytes than its
routing control bytes (Figure 6). This is because that the
size of Hello message is smaller than the sizes of RREQ and
RREP packets in SDAR.
In summary, the simulation results explicitly demonstrate
the existence of trade-offs between routing performance and
security protection. Because the ad hoc route discovery
(RREQ/RREP) procedure is time critical in a mobile net-
work, excessive crypto-processing latency would result in
stale routes and hence devastated routing performance. In or-
der to design a practical anonymous ad hoc routing scheme,
we must find the optimal balance point that can both avoid
expensive cryptographic processing and provide needed se-
curity protection at the same time. Our results show that AN-
ODR and ASR are suitable in mobile ad hoc networks with
heterogeneous nodes (including low-end nodes) and medium
mobility. SDAR is only suitable in mobile ad hoc networks
with high-end nodes that can run public key cryptography ef-
ficiently. In addition, compared to ANODR’s anonymousvir-
tual circuit design, SDAR’s onion-based data delivery design
incurs significant routing overhead per data packet. The ano-
nymous communication demandand the routing performance
demand together call for the future work to study more ano-
nymous ad hoc routing proposals in regard to their routing
performance and security guarantee.

4 Related Work
Existing anonymity schemes for wireless networks fall into
a spectrum of classes. In “last hop” wireless networks (in-
cluding cellular networks and wireless LANs), the demand of
user roaming requires more promising assurance on the pri-
vacy of mobile users. The network participants considered
in related research are typically the mobile users, the home
servers of the users, the foreign agent servers local to the
users, and the eavesdroppers (could be other mobile users).
In [44][2], mobile users are associated with dynamic aliases
that appear unintelligible to anyone except the home server.
Then the foreign agent server accepts the user’s connections
upon the home server’s request. In [19], mobile users em-
ploy Chaum’s blind signature to establish authenticated but
anonymous connections to the foreign agent server. Hu and
Wang [20] propose to use anonymous rendezvous, an ano-
nymous bulletin board, to let mobile nodes anonymouslycon-
nect to their communicators. These efforts provide unlinka-
bility protections between node identities and their creden-
tials during anonymous transactions. This design goal is or-
thogonal to anonymous on-demand routing.
In wireless sensor networks, distributed sensor nodes mon-
itor target events, function as information sources and send
sensing reports to a number of sinks (command center) over
multi-hop wireless paths. The sensor nodes and sinks are
typically stationary in WSN. Deng et al. [14] propose to use
multi-path routes and varying traffic rates to protect recipient
anonymity for the network sinks. Ozturk et al. [35] prevent
a mobile adversary (e.g., a poacher) from tracing a sensor re-
port packet flow back to a mobile target’s location (e.g., a
panda). The sensor nodes must report the mobile target’s sta-
tus to the sinks via phantom flooding, which is a sequential
combination of random walk and controlled flooding. Both
proposals seek to prevent the adversary from tracing network
packet flows back to the sources or the sinks. In these propos-
als, routers (i.e., forwarding nodes) are stationary. They are
not applicable to a network where every router is mobile.
In geographic services, both Location-Base Services [18]
and Mix Zones [5] study how to use middlewareservice to en-
sure location privacy with respect to time accuracy and posi-
tion accuracy. They study user anonymity protection in static
“geographic regions” with boundary lines. The regions are
fixed during the network lifetime, and anonymity protection
degrades in a single region. Besides, since the anonymity
protection stops at the middleware layer (typically above the
network IP layer), the adversary can trace a mobile node us-
ing network identities/addresses at the network layer and the
link layer, or radio signatures at the physical layer. These
middleware services protect upper layer user identities that
are different from routing identities.
5 Conclusion
In this paper we have illustrated the connections amongst
the two recently-proposed on-demand anonymous routing
schemes, namely ANODR (and its variant ASR) and SDAR.
We analyze various factors that affect their routing perfor-
mance and security. We further demonstrate that tradeoffs ex-
ist betweenthe performanceand the degreeof protection. Our
simulation study verifies that various choices in anonymous
routing design have significant impact on anonymous routing
protocol performance. Our results show that ANODR and
ASR are suitable in mobile ad hoc networks with heteroge-
neous nodes (including low-end nodes) and medium mobil-
ity. SDAR is only suitable in mobile ad hoc networks with
high-end nodes that can run public key cryptography effi-
ciently. We conclude that more extensive performance study
is needed to evaluate the practicality of the proposed ano-
nymous proposals, the enhancements of them, and the new
anonymous routing schemes.
References
[1] C. Adjih, T. Clausen, P. Jacquet, A. Laouiti, P. Minet, P. Muh-
lethaler, A. Qayyum, and L. Viennot. Optimized Link State
Routing Protocol. Internet Draft.
[2] G. Ateniese, A. Herzberg, H. Krawczyk, and G. Tsudik. Un-
traceable Mobility or How to Travel Incognito. Computer Net-
works, 31(8):871–884, 1999.
[3] ATM Forum. Asynchronous Transfer Mode. http://www.
atmforum.org/.
[4] D. Balfanz, G. Durfee, N. Shankar, D. K. Smetters, J. Staddon,
and H.-C. Wong. Secret Handshakes from Pairing-Based Key
Agreements. In IEEE Symposium on Security and Privacy,
pages 180–196, 2003.
[5] A. R. Beresford and F. Stajano. Location Privacy in Pervasive
Computing. IEEE Pervasive Computing, 2(1):46–55, 2003.
[6] O. Berthold, H. Federrath, and S. K¨opsell. Web MIXes: A
system for anonymous and unobservable Internet access. In
H. Federrath, editor, DIAU’00, Lecture Notes in Computer Sci-
ence 2009, pages 115–129, 2000.
[7] R. Blom. An Optimal Class of Symmetric Key Generation
System. In T. Beth, N. Cot, and I. Ingemarsson, editors, EU-
ROCRYPT’84, Lecture Notes in Computer Science 209, pages
335–338, 1985.
[8] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba. SDAR: A
Secure Distributed Anonymous Routing Protocol for Wireless
and Mobile Ad Hoc Networks. In 29th IEEE International
Conference on Local Computer Networks (LCN’04), pages
618–624, 2004.
[9] J. Broch, D. A. Maltz, D. B. Johnson, Y.-C. Hu, and
J. Jetcheva. A Performance Comparison of Multi-Hop Wire-
less Ad Hoc Network Routing Protocols. In ACM MOBICOM,
pages 85–97, 1998.
[10] M. Brown, D. Cheung, D. Hankerson, J. L. Hernandez,
M. Kurkup, and A. Menezes. PGP in Constrained Wireless
Devices. In USENIX Security Symposium (Security ’00), 2000.
[11] D. L. Chaum. Untraceable electronic mail, return addresses,
and digital pseudonyms. Communications of the ACM,
24(2):84–88, 1981.
[12] D. L. Chaum. The Dining Cryptographers Problem: Uncondi-
tional Sender and Recipient Untraceability. Journal of Cryp-
tology, 1(1):65–75, 1988.

[13] W. Dai. PipeNet 1.1. http://www.eskimo.com/
∼
weidai/pipenet.txt, 1996.
[14] J. Deng, R. Han, and S. Mishra. Intrusion Tolerance and Anti-
Traffi c Analysis Strategies for Wireless Sensor Networks. In
IEEE International Conference on Dependable Systems and
Networks (DSN), pages 594–603, 2004.
[15] W. Du, J. Deng, Y. S. Han, and P. K. Varshney. A Pairwise
Key Pre-distribution Scheme for Wireless Sensor Networks.
In ACM CCS, pages 42–51, 2003.
[16] L. Eschenauer and V. D. Gligor. A Key-Management Scheme
for Distributed Sensor Networks. In ACM CCS, pages 41–47,
2002.
[17] S.Goldwasser and S. Micali. Probabilistic Encryption. Journal
of Computer and System Sciences, 28(2):270–299, 1984.
[18] M. Gruteser and D. Grunwald. Anonymous Usage of
Location-Based Services Through Spatial and Temporal
Cloaking. In MobiSys03, 2003.
[19] Q. He, D. Wu, and P. Khosla. Quest for Personal Control over
Mobile Location Privacy. IEEE Communications Magazine,
42(5):130–136, 2004.
[20] Y.-C. Hu and H. J. Wang. A Framework for Location Privacy
in Wireless Networks. In ACM SIGCOMM Asia Workshop,
2005.
[21] P. G. Ifju, S. M. Ettinger, D. Jenkins, Y. Lian, W. Shyy, and
M. Waszak. Flexible-wing-based Micro Air Vehicles. In 40th
AIAA Aerospace Sciences Meeting, 2002.
[22] P. G. Ifju, S. M. Ettinger, D. Jenkins, and L. Martinez. Com-
posite materials for Micro Air Vehicles. SAMPE Journal,
37(4):7–13, 2001.
[23] A. Jerichow, J. M¨uller, A. Pfi tzmann, B. Pfi tzmann, and
M. Waidner. Real-Time MIXes: A Bandwidth-Efficient Ano-
nymity Protocol. IEEE Journal on Selected Areas in Commu-
nications, 16(4), 1998.
[24] S. Jiang, N. Vaidya, and W. Zhao. A MIX Route Algorithm for
Mix-net in Wireless Ad hoc Networks. In IEEE International
Conference on Mobile Ad-hoc and Sensor Systems (MASS),
2004.
[25] D. B. Johnson and D. A. Maltz. Dynamic Source Routing in
Ad Hoc Wireless Networks. In T. Imielinski and H. Korth, ed-
itors, Mobile Computing, volume 353, pages 153–181. Kluwer
Academic Publishers, 1996.
[26] D. Kesdogan, J. Egner, and R. Buschkes. Stop-and-go MIXes
Providing Probabilistic Security in an Open System. Second
International Workshop on Information Hiding (IH’98), Lec-
ture Notes in Computer Science 1525, pages 83–98, 1998.
[27] J. Kong. Anonymous and Untraceable Communications in Mo-
bile Wireless Networks. PhD thesis, University of California,
Los Angeles, June 2004.
[28] J. Kong and X. Hong. ANODR: ANonymous On Demand
Routing with Untraceable Routes for Mobile Ad-hoc Net-
works. In ACM MOBIHOC’03, pages 291–302, 2003.
[29] J. Kong, X. Hong, and M. Gerla. A New Set of Passive Rout-
ing Attacks in Mobile Ad Hoc Networks. In IEEE MILCOM,
2003.
[30] F. J. MacWilliams and N. J. A. Sloane. The Theory of
Error-Correcting Codes. Amsterdam, The Netherlands, North-
Holland, 1988.
[31] R. Motwani and P. Raghavan. Randomized algorithms. Cam-
bridge University Press, 1995.
[32] National Institute of Standards and Technology. Ad-
vanced Encryption Standard. http://csrc.nist.gov/
encryption/aes/, 2001.
[33] D. Niculescu and B. Nath. Ad hoc positioning system (APS).
In IEEE GLOBECOM, 2001.
[34] R. Ogier, M. Lewis, and F. Templin. Topology Dis-
semination Based on Reverse-Path Forwarding (TBRPF).
http://www.ietf.org/internet-drafts/
draft-ietf-manet-tbrpf-07.txt, March 2003.
[35] C. Ozturk, Y. Zhang, and W. Trappe. Source-Location Pri-
vacy in Energy-Constrained Sensor Network Routing. In ACM
SASN, pages 88–93, 2004.
[36] C. E. Perkins and E. M. Royer. Ad-Hoc On-Demand Distance
Vector Routing. In IEEE WMCSA’99, pages 90–100, 1999.
[37] C. E. Perkins, E. M. Royer, and S. Das. Ad-hoc On Demand
Distance Vector (AODV) Routing. http://www.ietf.
org/rfc/rfc3561.txt, July 2003.
[38] A. Pfi tzmann and M. K¨ohntopp. Anonymity, Unobservability,
and Pseudonymity - A Proposal for Terminology. In H. Fed-
errath, editor, DIAU’00, Lecture Notes in Computer Science
2009, pages 1–9, 2000.
[39] A. Pfi tzmann, B. Pfi tzmann, and M. Waidner. ISDN-
Mixes: Untraceable Communication with Very Small Band-
width Overhead. In GI/ITG Conference: Communication in
Distributed Systems, pages 451–463, 1991.
[40] A. Pfi tzmann and M. Waidner. Networks Without User Ob-
servability: Design Options. In F. Pichler, editor, EURO-
CRYPT’85, Lecture Notes in Computer Science 219, pages
245–253, 1986.
[41] C. Rackoff and D. R. Simon. Cryptographic defense against
traffic analysis. In Symposium on the Theory of Computation
(STOC), pages 672–681, 1993.
[42] M. G. Reed, P. F. Syverson, and D. M. Goldschlag. Ano-
nymous Connections and Onion Routing. IEEE Journal on
Selected Areas in Communications, 16(4), 1998.
[43] M. K. Reiter and A. D. Rubin. Crowds: Anonymity for Web
Transactions. ACM Transactions on Information and System
Security, 1(1):66–92, 1998.
[44] D. Samfat, R.Molva, and N. Asokan. Untraceability in Mobile
Networks. In ACM MOBICOM, pages 26–36, 1995.
[45] Scalable Network Technologies (SNT). QualNet. http://
www.qualnet.com/.
[46] Y. Shang, W. Ruml, Y. Zhang, and M. P. J. Fromherz. Local-
ization from Mere Connectivity. In ACM MOBIHOC, pages
201–212, 2003.
[47] G. S. Vernam. Cipher Printing Telegraph Systems for Secret
Wire and Radio Telegraphic Communications. Journal Amer-
ican Institute of Electrical Engineers, XLV:109–115, 1926.
[48] J. Yoon, M. Liu, and B. Noble. Sound Mobility Models. In
ACM MOBICOM, pages 205–216, 2003.
[49] Y. Zhang, W. Liu, and W. Lou. Anonymous Communications
in Mobile Ad Hoc Networks. In IEEE INFOCOM, 2005.
[50] B. Zhu, Z. Wan, M. S. Kankanhalli, F. Bao, and R. H. Deng.
Anonymous Secure Routing in Mobile Ad-Hoc Networks. In
29th IEEE International Conference on Local Computer Net-
works (LCN’04), pages 102–108, 2004.

Session 3
Miscellaneous Topics

Computer Ecology: Responding to Mobile Worms with Location-Based
Quarantine Boundaries
Baik Hoh
WINLAB, ECE Department
Rutgers, The State University of New Jersey
baikhoh@winlab.rutgers.edu
Marco Gruteser
WINLAB, ECE Department
Rutgers, The State University of New Jersey
gruteser@winlab.rutgers.edu
Abstract
The local wireless links in mobile ad hoc net-
works allow worms to propagate, without passing
through central gateways where service providers can
deploy intrusion detection systems (IDS). On mobile
nodes, conventional intrusion detection and intrusion
response techniques such as address blacklisting and
content filtering are more difficult to deploy due to the
lack of central entities and the resource constraints of
mobile nodes. We analyze the magnitude of this threat
by characterizing the propagation speed and infection
rates that worms could obtain using the example of a
vehicular mobile ad hoc network environment.
We then propose techniques for modeling the spread
of such worms through ecologically inspired diffusion-
reaction and advection, and discuss their application
in managing an intrusion response. Since infection
patterns in ad hoc networks are highly correlated with
geographic proximity, these models allow estimation
of the origin and the current spread of a worm based
on a set of intrusion reports and their geographic po-
sitions. Service providers could use these models for
constructing a quarantine boundary and target a con-
tainment response, especially for devices that have
both short-range radios for ad hoc communication and
a low-bandwidth backhaul link to the service provider.
1 Introduction
A current trend in pervasive devices is towards
multi-radio support, allowing direct local interaction
between devices in addition to maintaining long-haul
links to infrastructure networks. Many current cell
phones already contain Bluetooth radios that enable
peer-to-peer exchange of files and usage of services
from nearby devices. Bluetooth is also available in
some automobiles and the US Federal Communica-
tions Commission has reserved spectrum for Dedi-
cated Short Range Communications (DSRC), a wire-
less communications standard for inter-vehicle net-
works based on the IEEE 802.11 medium access pro-
tocol [6]. Example applications are collaborative crash
warning and avoidance, dynamic traffic light con-
trol, or ad hoc forwarding of traffic probe informa-
tion [30, 31].
Unfortunately, peer-to-peer interaction between de-
vices provides an alternative propagation path for
worms and virus. The Internet experience illus-
trates that worm attacks are a significant concern and
a proof-of-concept Bluetooth worm, Cabir, has al-
ready been implemented.
1
More aggressive worms
that exploit bugs (e.g., buffer overflow in bluetooth
software/protocol stack [32, 29] ) and make unwanted
phone calls are not hard to imagine [5, 27], and likely
as financial incentives increase.
Regardless of the sophistication of the prevention
strategies, in an environment with high reliability re-
quirements it is only prudent to also plan for outbreaks
with appropriate containment strategies. Peer-to-peer
replication over short-range wireless networks creates
a challenge for intrusion detection and response, be-
cause the worm cannot be observed and blocked by in-
trusion detection and response systems in the cellular
1
In fact, a Cabir outbreak was recently reported during a sport-
ing event at the Helsinki Olympic Stadium [22].

service provider’s core network. Instead intrusion de-
tection must be deployed on resource-constrained mo-
bile devices or on specialized honeypot devices dis-
tributed in high-traffic zones [33, 2]. Regardless of
the employed intrusion detection method, these con-
straints will lead to a delay between the time of out-
break and alarm because of distributed processing de-
lays and human analysis. Thus, the intrusion response
system only has at best an outdated few of the current
worm propagation.
In this work, we consider an intrusion response
architecture where a service provider remotely ad-
ministers mobile nodes over the wide-area infrastruc-
ture wireless network. Using ecologically inspired
location-based quarantine boundary estimation tech-
niques, the service provider can estimate a set of likely
infected nodes. This allows the service provider to
concentrate efforts on infected nodes and minimize in-
convenience and danger to non-affected parties.
The remainder of this paper is structured as fol-
lows. Section 2 clarifies threat model and system as-
sumptions. It also defines the estimation problem that
this paper addresses. Section 3 develops a quaran-
tine boundary estimation algorithm from ecological
diffusion-reaction and advection models. We evalu-
ate our proposed algorithm by applying it to two ad
hoc network scenarios: a pedestrian random-walk and
an a vehicular network on a highway. These results
are reported in section 4. In section 5, we analyze the
simulation results and discuss the effectiveness of the
approach. In addition, we discuss how to locate Pa-
tient 0 based on a set of intrusion reports. Section 6
compares our work with directly related prior works
before we conclude.
2 Threat assessment
We consider a network system that comprises mo-
bile radio nodes with ad hoc networking capabilities
and a wide-area wireless infrastructure network with
central network management by a service provider.
Each mobile node is connected to the infrastructure
network, provided that radio coverage is available, and
can directly communicate with other mobile nodes
over a short-range radio interface. Examples of such
a system are a CDMA/GSM cell-phone network with
Bluetooth handsets or an automotive telematics sys-
tem supporting CDMA and DSRC . We assume that
the service provider can locate each mobile node. This
could be implemented through Assisted GPS on the
nodes or triangulation technology in the infrastructure.
Hybrid approaches are also possible.
In this network system, worms and viruses may
spread through ad hoc connections over the short-
range interface, rather than the infrastructure network.
Mobile nodes can be infected if they are a neighbor,
meaning in the communication range Cr, of an al-
ready infected node. Typically, aninfected node is able
to identify its neighbors through network discovery
mechanisms (e.g., IEEE 802.11 probe request, probe
response protocol) or by monitoring communications
within its range. Not all neighbors must be susceptible
to the attack because an attack might depend on a vul-
nerability in a particular implementation or the config-
uration of the device.
2
We can assume, however, that
malware will infect these susceptible nodes through
software vulnerabilities soon after they first enter the
communication range of an infected node. On Blue-
tooth networks, the BlueSmack attack [18], however,
already provides an example of malware that exploits a
buffer overflow vulnerability in a Bluetooth implemen-
tation. BlueSmack sends an oversized L2CAP echo
request packet to a Bluetooth host to overflow the al-
located receive buffer. While this attack only crashes
the Bluetooth stack, similar vulnerabilities will prob-
ably allow future malware to execute arbitrary code.
Even though any specific realization of such an attack
is to date unknown, this will likely allow malware to
spread without any user intervention through software
exploits, similar the spread of worms among Internet
hosts.
Malware spreading over the ad hoc network is more
difficult to detect and contain than malware spread-
ing over an infrastructure network, because the net-
work does not contain concentration points (choke-
points) where centralized intrusion detection and traf-
fic filtering techniques can be applied. Instead detec-
tion and response techniques must be implemented in
a highly distributed architecture on the mobile nodes
themselves. While it is plausible that malware propa-
gates over both the short-range and the infrastructure
2
In particular, settings such as the Bluetooth non-discoverable
mode might provide limited protection against some attacks while
other brute force scan mechanisms are still possible [27].

network, we ignore this case here because the infras-
tructure connections can be prevented with traditional
defenses.
3
We are especially concerned with unknown mal-
ware, which signature-based intrusion detection sys-
tems cannot yet detect. The service provider may learn
a new epidemic through different mechanisms rang-
ing from mundane user calls to its service hotline to a
sophisticated anomaly detection system. We observe
that any of these mechanisms suffer from a high false-
alarm probability and thus require the intervention of
human analyst to verify that an actual outbreak exists.
This leads to a detection delay of minutes in the best
case. Even in a fully automated system, a distributed
intrusion detection system would add delay due to the
distributed detection processing and the latency over-
head of delay-tolerant communication. During this
time the malware can spread further (and anomaly re-
ports from new nodes may again require verification)
leaving the analyst with an incorrect, delayed view of
the epidemic.
This work assumes, however, that the analyst can
accurately locate patient 0, the initially infected node.
If every node runs an intrusion detection system with
sufficient memory for logging events, the infection can
generally be traced to its origin. An inaccurate esti-
mate of patient 0’s position will lead to degraded sys-
tem performance. We will discuss more about how to
locate patient 0 from multiple intrusion reports of in-
trusion detection systems in section 5. We leave mak-
ing the system more robust to the patient 0 estimate for
future work.
In summary, the service provider will determine
from a range of clues whether an intrusion took place.
The service provider characterizes an intrusion by a tu-
ple (pos
x
, pos
y
, time) that describes the time and po-
sition of patient 0 at the start of the outbreak.
3
Shigesada et al. modeled a biological invasion the expansion
of which is driven by a combination of neighborhood diffusion
and long-distance dispersal that occur within a species by a strati-
fied dispersal process. Its early expansion mainly occurs by neigh-
borhood interaction, but later new colonies are created by long-
jump migrants which accelerate the expansion. [24] This ecologi-
cal study can have much correlation with one of our future studies.
2.1 Intrusion Response
Given that an intrusion event occurred, a service
provider’s main interest lies in minimizing inconve-
nience and potential danger (e.g., users may depend
on cell phones for 911/112 emergency calls or distrac-
tions from an infected in-vehicle system may cause car
accidents) to customers.
Responding effectively requires a secure manage-
ment interface to the mobile nodes that allows service
providers to remotely regain control of a compromised
mobile node. Remote management interfaces are com-
mon practice for managing servers in larger data cen-
ters and have become increasingly prevalent in the cell
phone world. For example, the Open Mobile Alliance
Client Provisioning Architecture [1] allows over-the-
air configuration of mobile nodes. It also specifies a
privileged configuration context, whose settings can-
not be modified by users or applications. Such in-
terfaces could be further hardened to ensure avail-
ability when malicious code controls the phone. On
the whole, remote management can provoke a con-
cern on user privacy but we do not consider an in-
sider attack which is taken by authorized employees
(e.g., a patch developer) maliciously inject an infected
patch through a secured provisioning channel. Protec-
tion against unauthorized modification of patch can be
achieved by ”message authentication code (MAC)” or
”digital signature”.
Given an over-the-air provisioning architecture,
possible responses to an intrusion event include:
1. Sending a warning to users of the mobile nodes
2. Deactivating mobile nodes
3. Disable the short-range network interface on mo-
bile nodes
4. Installing port or content-based filters
5. Installing patches to remove exploits
6. Provisioning patches to remove the worm
All of these responses can slow or stop the spread
of the virus, however, they also incur user inconve-
niences of its own. For example, frequent use of re-
sponse 1 may reduce its effectiveness, response 2 may

Figure 1. Southern New Jersey highway network
modeled in PARAMICS microscopic simulation soft-
ware. The simulation model shown here contains
2162 nodes, approximately 4000 links and 137 de-
mand zones. Probe vehicles are selected randomly
during the simulation process as they leave their re-
spective origin zones. At each time step of the sim-
ulation (0.5 seconds), the x and y coordinates of the
probe vehicles are recorded until they reach their des-
tination zones.
prevent emergency calls, and response 3 may prevent
the use of hands-free operation by drivers. Responses
3-6 require a more detailed understanding of the worm
implementation and so may allow the worm to spread
unrestricted for a period of hours or days. Even then,
installing hastily developed patches often leads to fail-
ures on a subset of phones.
We define the intrusion response planning problem
as identifying an optimal set of nodes to minimize the
impact of the worm and the inconvenience anddangers
cause by (partial) service outages due to the response.
An optimal response plan only targets nodes that have
already been infected or will be infected until the pro-
visioning process is completed.
Figure 2. The propagation of mobile worms in
southern New Jersey highway network. At each time
unit, y value of each point depicts the Euclidean dis-
tance between the farthest infected vehicle and the
origin of mobile worm. In terms of propagation
speed, mobile worm spread has three phases: (a)
Early stage, (b) Acceleration stage, and (c) Stable
stage.
2.2 A Threat of Mobile Worms in Vehicular Net-
works
To assess a threat posed by mobile worms in ve-
hicular networks, we take a simple experiment which
shows how fast mobile worms propagate (i.e., propa-
gation speed) and how many vehicles can be infected
over time (i.e., infection rate). Here we discuss our
preliminary results on propagation speed and infec-
tion rate. Although they do not represent statistical
result, they are enough to show a typical scenario. In
this experiment, we take the section of the southern
New Jersey highway network as a sample map in fig-
ure 1 and generate 1839 vehicles on it. We drop an
initially infected node on the center of map and use a
Susceptible-Infectious-Recovered (SIR) model for an
epidemic dynamics. We set an ad hoc communica-
tion range to 200 meters. Each vehicle’s movement
is modeled by a well-known microscopic traffic simu-
lator, PARAMICS [20]. Details on simulation model
will be explained in section 4.2.
The case study in figure 2 shows that mobile worms
can infect vehicles within 11.6 kilometers radius circle
during only 10 minutes. At this speed, mobile worms

Figure 3. The infection rate over time in southern
New Jersey highway network. Totally, 1839 vehicles
are injected onto map and 90 percent of them are in-
fected within 800seconds, approximately13 minutes.
can traverse New Jersey from North to South in four
hours (The vertical length of New Jersey is about 280
kilometers). This evaluation underestimates the spread
of mobile worms due to the scarcity of susceptible ve-
hicles in stable stage. In an acceleration stage where
there are enough susceptible vehicles to be infected,
propagation speed is 120 percent faster than in stable
stage. Figure 3 shows that it takes about 13 minutes
(800 seconds) to infect 90 percent of 1839 vehicles in
southern New Jersey area.
Staniford and Paxson [26] stated that conventional
worms can infect up to 300,000 hosts within 8 hours
and fast scanning worms such as flash worm can
infect even faster (same number of hosts within 1
hour). Compared to Internet worms, mobile worms
are slower but fast enough to make containment diffi-
cult (e.g., mobile worms can spread over New Jersey
within only 4 hours).
3 Quarantine Boundary Estimation
The optimal response set can be best found through
an estimation technique because the service provider’s
knowledge about the spread of the mobile worm is in-
complete. Anomaly reports usually trickle in only af-
ter nodes are infected and may be severely delayed in
areas of sparse coverage from the infrastructure wire-
less network.
3.1 A Macroscopic Model of Worm Propagation
Diffusion-reaction and advection models [17] have
been successfully applied to describe the spatial and
temporal distributions of diverse phenomena ranging
from animal dispersion
4
to groundwater contamina-
tion.
The diffusion-reaction model comprises a diffusion
process and a reproduction process. The diffusion pro-
cess describes random movements and is characterized
by the diffusion coefficient D. The reproduction pro-
cess describes the exponential population growth and
is specified by parameter α. Equation 1 specifies the
diffusion-reaction model. It assumes polar coordinates
centered at the position of an initially infected node (r
indicates the distance from the origin), isotropic dis-
persal with constant diffusivity D, and growth propor-
tional to the population density S.
∂S
∂t
=
D
r
∂
∂r

r
∂S
∂r

+ αS (1)
This model has a closed form solution by solving
under the initial condition that at time t = 0, m in-
fected nodes are concentrated at location of patient 0
(r = 0). From this solution shown in equation 2, the
radius R of the frontal wave can be calculated from
the propagation speed which depends on α and D as
described in equation 3.
S = (m/4πDt) exp(αt − r
2
/4Dt) (2)
R = 2
√
αDt (3)
Thus the propagation boundary is proportional to
the time since the outbreak, t and the boundary moves
with velocity v = 2
√
αD. The parameter α and D are
depended on the exact scenario. Table 1) identifies the
parameter dependencies in an automotive scenario.
4
An early notable application of diffusion-reaction model was
designing a hostile barrier for stopping the dispersal of Muskrats.
In 1905, Muskrat was imported to Europe but some of them es-
caped and started to reproduce in the wild [7]. Skellam [25] later
modeled the dispersal of Muskrats though a diffusion-reaction
equation.

Model Parameter Correspondence in automotive scenario
Diffusivity Models minor roads and collector streets or
pedestrian movements
Growth rate Rate of new infections depends on density
and distribution of susceptible nodes, com-
munication range, and node velocity
Origin Positions of initially infected nodes
Table 1. Mapping of model parameters to au-
tomotive networking scenario.
When a toxic pollutant diffuses going along the
groundwater paths, its model consists of a uni-
directional movement by mean flows, called advection
together with diffusion-reaction processes [23]. In ve-
hicular network, advection term is governed by the ve-
locity u in x-axis and v in y-axis in two-dimensional
space.
If we take an advection effect and ignore a diffu-
sion process, equation 1 is changed into an advection
equation model described by equation 4.
∂S
∂t
= −
∂
∂x
(uS) −
∂
∂y
(vS) + αS (4)
This model can be used in modeling the behavior
of mobile worms in highway networks (e.g., Southern
New Jersey Highway Networks).
3.2 Algorithms
Given an initial position of each infected node i,
(x
i
, y
i
) for all i at time T
o
, the algorithms should esti-
mate the frontal wave of propagation at
T
c
= T
o
+ T
∆
, where T
o
is the time of outbreak and T
∆
means time
delay. We can divide the problem into estimating the
worm propagation velocity and estimating the spatial
distribution.
In an ad hoc network where mobile nodes move
randomly in x-y coordinates, the propagation speed is
governed by equation 3. Constant diffusivity D and re-
productivity α guarantee constant propagation speed.
As long as the same node density and velocity is main-
tained, the propagation velocity remains constant (see
figure 7 and figure 8).
Figure 4. Different proportions of inter-vehicle dis-
tance to communication range lead to different worm
propagation velocities.
However, in the vehicular scenario, every road seg-
ment may have a different propagation velocity be-
cause vehicle speeds and inter-vehicle distances dif-
fer. Figure 4 illustrates how the relationship between
communication range and inter-vehicle distance af-
fects propagation velocity. In the case (a) the inter-
vehicle distance R is greater than the communication
range C
r
, so that an infected car cannot communicate
with neighboring cars. Thus, the propagation velocity
V
′
is solely determined by the vehicle speed V . In case
(b) however, the communication range is greater than
the inter-vehicle distance. Thus the worm can travel
over the wireless medium to the foremost car in com-
munication range in addition to the vehicle speed. If a
worm manages n such hops per second, this leads to
the following equation.
V
′
=

V + nR

C
r
R

if R ≤ C
r
V else
Because a one hop communication can never go far-
ther than C
r
, an upper bound for V
′
can be obtained by
substituting C
r
for R(C
r
/R), yielding
V
′
= V + nC
r
(5)
The inter-vehicle distance R and mean vehicle
speed V on each highway segment can be obtained
from Department of Transportation inductive loop sen-
sors on an hourly basis, for example. They could also
be inferred from tracking the position of probe vehi-
cles on the highway network.

Given this propagation velocity, a straightforward
isotropic estimate for worm distribution can be ob-
tained with the diffusion-reaction equations. For each
independent outbreak this approach yields a circular
boundary estimate centered at the location of patient 0
(at the time of the outbreak). The radius of the circle
increases linearly with the time duration T
∆
since the
outbreak.
This approach is suitable when nodes movements
do not exhibit any directional trends, such as in a ran-
dom walk. Estimation can be improved, however,
when mobile nodes move on an underlying network
of roads or walkways. We frame our discussion of this
algorithm in the context of an automobile vehicular ad
hoc network, but the concepts are generally applicable
to nodes that follow a network of paths.
This algorithm assumes the availability of carto-
graphic material so that the position of patient 0 at the
initial outbreak can be mapped onto a road segment.
The maps must contain road classifications and the ge-
ographical positions of roads and their intersections.
For example, this data is available from the US Ge-
ological Survey which publishes detailed transporta-
tion network information in the spatial data transfer
standard. These maps also classify roads into express-
ways, arterial, and collector roads, according to their
size and traffic volume. The algorithm also requires
a mapping of the position of patient 0 at the time of
outbreak onto a road segment. This mapping can be
achieved by finding the road segment with the mini-
mum Euclidian distance to the patient 0 position.
The key idea of this algorithm is to build an advec-
tion model using the transportation network informa-
tion. The underlying heuristic is that the maximum
propagation speed will be observed along the road
network—propagation across parallel road segments
in communication range and along smaller roads is
ignored by this heuristic. The algorithm 1 follows
all possible propagation paths using a traversal of the
road network graph and a propagation speed estimate
for each road segment. It outputs a polygon that in-
cludes all (partial) road segments that a worm could
have reached in the time since the outbreak.
For example, consider the section of the southern
New Jersey highway network in figure 5. Assume that
patient 0 lies on the link L
n
between junction 3 (J3)
and junction 4 (J4). If we know the propagation speed
Algorithm 1 QuarantineBoundaryEstimat ion
generates a polygon which estimates the frontal wave
of mobile worms at T
r
given P at ient0 at T
0
.
1: {Inputs: P atient0, the position of initially in-
fected node; T
0
, the time of outbreak; T
c
, the time
of intrusion response; v
n
, the average car speed
on nth road segment; R
n
, the average distance be-
ween adjacent cars on nth road segment;
Parameters: J
n
, nth junction’s x and y coordinates
and every junction should have information on its
neighbor junctions; C
r
, Communication range
Outputs: Quarantine polygons}
2: (A) Estimate the worm propagation speed, V
n
for all n with v
n
and R
n
3: if R ≥ C
r
then
4: V
n
= v
n
5: else
6: V
n
= v
n
+ α ∗ C
r
7: end if
8: (B) Estimate the spatial distribution
9: Calculate T
∆
[0][0] = T
c
− T
0
.
10: Locate the link (L
n
) which P atient0 lies on.
11: Set P atient0 as the starting points of traversal and
push it into queue, Q[0]
12: Keep pushing all junctions in two ways to be vis-
ited next in Q until the last level
13: i = 0;
14: while Any T
∆
[i][] ≥ 0 do
15: i + +
16: K = the number of elements in Q[i][]
17: for j = 1 to K do
18: Save the parent junction of Q[i][j] into Prev
19: T
j
=
D(P rev,Q[i][j])
V
n
where n is the link index
between Prev and Q[i][j]
20: T
∆
[i][j] = T
∆
[i − 1][parent]
21: if T
∆
[i][j] ≥ T
j
then
22: Generate a rectangular boundary from
P rev to Q[i][j]
23: else
24: Generate a rectangular boundary from
P rev to T
∆
[i][j] ∗V
n
25: end if
26: T
∆
[i][j] = T
∆
[i][j] − T
j
27: end for
28: end while
29: Merge all rectangular boundaries into polygon.

3.5 3.6 3.7 3.8 3.9 4 4.1 4.2
x 10
4
2.3
2.4
2.5
2.6
2.7
2.8
2.9
3
x 10
4
x (m)
y (m)
Junction 1
Junction 2
Junction 3
Junction 4
Junction 5
Junction 6
Junction 7
Junction 8
Figure 5. In our target map, there are 8 junctions
and 7 links between them. This region is the part of
Southern New Jersey Highway Networks 1. Every
black dot depicts the position of individual car at spe-
cific time.
V
n
on that link, we can calculate after how much time
a mobile worm arrives at either junction. Let us denote
T
3
and T
4
for the arrival time at J3 and J4. If the time
since outbreak
T
∆
= T
c
− T
o
is greater than T
3
, the mobile worm has already passed
this junction and has most likely propagated along
both the link J1-J3 and the link J2-J3. This process
is repeated for each link until a junction with arrival
time greater than T
∆
is found. This segment is then
only partially infected and the infection boundary is
known based on the estimated link propagation speed.
The same process is also repeated in the opposite di-
rection from patient 0, towards J4. The algorithm then
encloses each fully infected link in a rectangle with
length and width set to the road length and road width,
respectively. Partially infected links are only enclosed
up to the infection boundary. All rectangles are then
merged into a polygon.
5
Once we get a polygon,
we group nodes within a polygon into the optimal re-
sponse set by using ’Point-In-Polygon Algorithm [8]’.
5
This can be implemented using well-known algorithms such
as provided by the polybool function [13] in MATLAB
4 Evaluation
This evaluation studies the performance of the quar-
antine boundary estimation algorithms in a random
walk and a vehicular ad hoc network scenario. We
compare the accuracy of the macroscopic quarantine
boundaries against infection patterns generated by a
microscopic simulation model.
4.1 Metrics and Measures
Informally, the algorithm should maximize the
number of infected nodes within the boundary and
minimize the number of clean (uninfected) nodes
within it. We measure the accuracy of the quarantine
boundary estimation through detection and false-alarm
probability.
The detection probability is defined as the ratio
of infected nodes within the boundary to all infected
nodes. More formally, P
d
=
i
I
, where P
d
is the de-
tection probability, i is the number of infected nodes
within the boundary and I is the total number of in-
fected nodes. We define the false-alarm probability
as the ratio of clean nodes within the boundary to all
clean nodes. Accordingly, P
f
=
c
i+c
, where P
f
is the
false alarm probability, c is the number of clean nodes
within the boundary and C is the total number of clean
nodes. Notice that c + i is the number of nodes within
the quarantine boundary and C + I is the total number
of nodes in the scenario. A perfect quarantine bound-
ary has a detection probability of 1 and a false-alarm
probability of 0.
The Jaccard similarity J provides a convenient way
to combine above two probabilities into one number as
an ROC curve (i.e., receiver-operating characteristics)
does in detection theory community. It is defined as
shown in equation (6), where X is the optimum quar-
antine boundary in x-y coordinates and Y indicates an
estimated quarantine boundary.
J =
2 (|X
T
Y |)
|X| + |Y |
(6)
It can be computed from detection and false alarm
probabilities by substituting X = I and Y = i + c,
yielding equation (7).
J =
2P
d
(1 − P
f
)
1 + P
d
− P
f
(7)

The Jaccard similarity lies in the interval [0, 1] with
1 indicating a perfect estimate, corresponding to detec-
tion probability 1 and false-alarm probability 0. Jac-
card similarity can be used to balance between detec-
tion probability and false alarm probability.
4.2 Simulation Model
We use the SIR model [3] for implementing the dy-
namics among susceptible nodes, infected nodes and
recovered nodes. This model is characterized by the
fraction of nodes that are susceptible to infection, the
infection probability when a susceptible node is in
contact with an infected node, and a recovery proba-
bility. In our model a susceptible node is in contact
with an infected node, if they are in communication
range C
r
of each other.
Generally, we chose aggressive parameters for our
simulations to evaluate a near worst-case worm. We
set the infection probability to 1, which assumes the
absence of any communication errors. In other words
if a susceptible node is within the communication
range of an infected node it becomes infected. We
assume that infected nodes can only be recovered by
the service provider only if they are within the quaran-
tine boundary. Worm propagation then depends on the
communication range and the exact mobility model.
We choose the initially infected nodes randomly
among all nodes in random walk scenario. However,
in VANET scenario, we choose them only on the link
between J3 and J4, which is at the center of the map
in figure 5. The position of initially infected node is
independent from the performance of our quarantine
boundary algorithm, but placing them on that link en-
ables us to extend the simulation duration.
For a random walk scenario, we choose 5 seconds
as T
∆
. After T
∆
elapsed in pedestrian scenario, the
number of infected nodes amounts up to 40-50% of
whole nodes and the propagation for each initially in-
fected node covers up to the circle with about 13m ra-
dius. Because our network is 50m by 50m, this amount
of T
∆
is appropriate to measure detection, false alarm
probabilities. In VANET case, we choose a time de-
lay, T
∆
from 25 seconds to 45 seconds. In the case of
T
∆
=45 seconds, the propagation approaches almost 5
links out of all 7 links.
For the random walk model, we chose parameters to
reflect dense pedestrian movements with short-range
(e.g., Bluetooth) communications. Node density is
varied from 100 to 300 in a 50m by 50m area with
node velocity ranging between 1m/s to 3m/s. Commu-
nication range is set to 5m, 10m, and 20m, to represent
different path loss and interference environments.
6
For the vehicular scenario, we obtained loca-
tion traces from a microscopic traffic model for the
PARAMICStransportation system simulator [20]. The
model is calibrated to real traffic observed in a sec-
tion of the southern NewJersey highway network. [19]
The full simulation model contains 2162 nodes, ap-
proximately 4000 links and 137 demand zones, from
which serve as origins and destinations for vehicles.
Out of all vehicles in the simulation model a fraction
of susceptible vehicles are selected randomly during
the simulation process as they leave their respective
origin zones. This ensures that the overall traffic pat-
terns remain realistic even though we assume that only
a percentage of cars is equipped with susceptible com-
munications equipment. At each time step of the sim-
ulation (0.5 seconds), the x and y coordinates of the
susceptible vehicles are recorded until they reach their
destination zones. For a low susceptibility scenario we
selected 200 vehicles and for a moderate susceptibility
scenario we chose about 1800 random cars. This rep-
resents about 5% of total traffic during the simulation
which was restricted to 4min 10s, for computational
tractability. The communication range is set to 50m,
100m and 200m in this scenario. 200m approximates
free space propagation of a DSRC system [11, 21],
while the shorter ranges model higher path loss envi-
ronments, such as in congested traffic.
4.3 Pedestrian Scenario Results
To gain a better understanding of the effect of dif-
ferent model parameters we first discuss results from
the less complex diffusion-reaction estimation model.
The estimator’s worm propagation speed is set to 2.56
m/s and the time delay T
∆
is set to 5 seconds for these
experiments.
Figure 6 shows estimation accuracy of the
diffusion-reaction estimator for different node densi-
6
These parameters approximate a sport event environment such
as the one in the Helsinki Olympic Stadium, where an outbreak of
the Cabir virus was reported [22].

50 100 150 200 250 300 350
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
1.1
1.2
User density [numbers in fixed area]
Probability
Detection probability
False alarm probability
Figure 6. Estimation accuracy of diffusion-reaction
model for random-walk scenario.
ties. Mean and standard deviation for one hundred tri-
als are shown. A mean detection probability between
95%-100% can be achieved with a false alarm rate of
approximately 40%-50%. Our quarantine method be-
haves slightly more effective in the 200 node network
because the worm propagation speed best matched this
case. A change of +/-100 nodes increases the false
alarm probability by about 10%.
The following results analyze the worm propaga-
tion speed in more detail. The speed is affected by
node density, communication range, and node mobil-
ity. Figure 7 shows the distance of the farthest in-
fected node from original position of patient 0 over
differnt node velocities. Node density is set to 200 in
the 50m by 50m region and communication range is
10m. Again, the graph shows mean and standard de-
viation over one hundred trials. As expected, propaga-
tion speed increases with node velocity. An increase
in node velocity has an additive effect on propagation
speed. The graph also exposes that propagation speed
remains constant over time, further supporting that a
linear model fits well. A linear regression for v=2m/s
yields intercept 2.1 and slope 2.8m/s.
The effect of changes in communication range C
r
to
worm propagation speed are shown in figure 8. Node
velocity is set to 1m/s and other parameters remain
the same as before. Propagation speed increases with
higher node velocity. A larger communication range
increases the likelihood that susceptible nodes are in
1 2 3 4 5 6 7 8 9 10 11
0
5
10
15
20
25
30
35
40
45
time [sec]
Radius of frontal wave [m]
V=1m/s
V=2m/s
V=3m/s
Figure 7. Distance of the farthest infected node from
the outbreak position over time. Increasing node ve-
locity has an additive effect on propagation speed.
Propagation speed remains constant over time.
rage, which hastens the spread of the worm. Propa-
gation speed remains near-constant over time for each
communication range.
4.4 Vehicular Scenario Results
The first experiment measures the worm propaga-
tion velocity that can be expected in a highway out-
break. While prior works [28, 4, 10] have developed
analytical equations for information propagation speed
on road networks, these are not easily transferable
to the worm scenario. The average radius of frontal
wave is estimated by averaging 50 simulations and it
is repeated for different communication ranges (50m,
100m and 200m). The estimated radius of frontal wave
is shown in figure 9. The results show that for a com-
munication range of 200m, the worm travels at a mean
velocity of about 75m/s, significantly faster than typi-
cal highway traffic. Lower communication ranges re-
sult in reduced velocity.
The next experiment compares the estimation accu-
racyof the advection model over the diffusion-reaction
model in the highway scenario. The communication
range is set to 100m. Figure 10 and figure 11 show the
detection and false alarm probability, respectively. The
results from the advection algorithm described in sec-
tion 3 are labeled “advection with analytical model”.
To allow a more detailed analysis, the graphs also con-

1 2 3 4 5 6 7 8 9 10 11
0
10
20
30
40
50
60
time [sec]
Radius of frontal wave [m]
Cr=3m
Cr=5m
Cr=7m
Cr=9m
Figure 8. Dependency of propagation speed on com-
munication range C
r
. A larger communication range
increases the likelihood that susceptible nodes are in
rage, which hastens the spread of the worm.
0 20 40 60 80 100
0
1000
2000
3000
4000
5000
6000
time [sec]
Radius of frontal wave [m]
Cr=50m
Cr=100m
Cr=200m
Figure 9. Worm propagation in highway model with
5% of vehicles susceptible
20 25 30 35 40 45 50
0.5
0.6
0.7
0.8
0.9
1
1.1
1.2
time [sec]
Detection probability
Only diffusion
Only advection with same speed
Only advection with different speed
Only advection with analytical model
Figure 10. Detection probability on highway net-
work. The advection models achieve superior accu-
racy over the diffusion-reaction model.
tain two additional curves, which assume that a more
precise estimate of worm propagation speed is avail-
able. In the “advection with same speed” approach,
we use the average worm propagation speed (obtained
from the previously described simulation) for all road
segments. The “advection with different speed” ap-
proach, uses more detailed speed estimates, one per
road segment, also derived from simulations.
These figures show that the advection mod-
els achieve superior detection probability over the
diffusion-reaction model, while the false-alarm proba-
bility does not differ more than about 10% between ad-
vection and diffusion. The detailed knowledge about
information propagation speed does not lead to a dis-
cernible improvement in detection probability. How-
ever, when worm propagation speed is known per road
segment, the mean false alarm probability improves by
up to 10%. This shows that at least slight improve-
ments to the presented estimation techniques are pos-
sible.
5 Discussion
Our location-based quarantine boundary estimation
is achieved in two steps: (1) locating patient 0 and
(2) estimating a quarantine boundary with based on
patient 0 location and propagation speed. Thus the
quarantine boundary estimation depends on accurate

20 25 30 35 40 45 50
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0.45
0.5
time [sec]
False alarm probability
Only diffusion
Only advection with same speed
Only advection with different speed
Only advection with analytical model
Figure 11. False-alarm probability on highway net-
work. The advection model’s better detection proba-
bility does not lead to a significant increase in false
alarms.
knowledge of patient 0 location. So far we assumed
that the service provider can locate patient 0 accurately
from a set of intrusion reports in this work. Here, we
discuss how the location might be obtained, if initially
unknown. We leave the detailed analysis for future
work. We also discuss the the impact of slightly inac-
curate quarantine boundaries and other synergies be-
tween computer security and ecology.
5.1 Estimating Patient 0 Location
In a pedestrian scenario, triangularization can help
a service provider locate the initially infected node.
We assume that only a limited number of mobile units
have intrusion detection systems due to high cost. If
mobile worm originates from the point (x
0
, y
0
) at time
t
0
and propagates isotropically with a speed v in two
dimensional space, eventually a distributed intrusion
detection system at (x
i
, y
i
) reports an anomaly at time
t
i
to the service provider. Every IDS report forms a
nonlinear equation which says the mobile worm can
propagate from (x
i
, y
i
) to (x
0
, y
0
) within
t
∆
= t
i
− t
0
at the speed of v. Assuming prior knowledge of propa-
gation speed and more than three intrusion reports, the
service provider can apply triangularization algorithms
(similar to the GPS localization problem). Without this
prior knowledge numerical methods such as Newton-
Raphson could be applied, but at a higher computa-
tional cost.
Because the vehicle scenario confines mobile worm
propagation to road network topology rather than an
isotropic two-dimensional space, it requires a more
complex solution with three steps: (1) guessing the
approximate road segment on which the patient 0 lo-
cation lies, (2) setting up and solving a set of linear
equations using recursive least squares (RLS), and (3)
repeating the second step over neighboring segments
around the starting segment. Given at least three re-
ports, triangularization might be used to obtain the
approximate road segment. The second step refines
the estimated patient 0 position within the approxi-
mate segment given from the previous step using linear
equations where the unknown variables are time t
0
and
the relative position on the given road segment. After
repeating this step for neighboring segments, the seg-
ment with the best least squares fit is chosen.
5.2 Effectiveness of Partial Containment
Estimation will necessarily lead to imperfect con-
tainment. Can this effectively slow worm propaga-
tion? We model the accuracy of quarantine boundary
through an immunization probability P
imm
between
0.8 and 1 and simulate worm propagation in the pedes-
trian random-walk scenario after such an imperfect
containment. Figure 12 depicts the infection rates af-
ter one containment was performed at T
c
= 5seconds.
Detection probabilities greater than 0.95%, such as
achieved by the advection model, significantly slow
the propagation of a worm, yielding additional anal-
ysis time for security engineers.
So far, we assumed that the intrusion response is
only performed once. Repeated application, however,
could further slow worm propagation. One approach
would be to wait for any intrusion reports after the
first response and then retry with an enlarged bound-
ary. Another approach would treat every remaining
infectious node as a new outbreak. However, this re-
quires changes to the estimation model because the
worm will continue to spread from multiple locations,
rather than a single origin.
The current solution aims for a high detection prob-
ability, to effectively slow worms. In some scenar-

0 10 20 30 40 50 60
0
20
40
60
80
100
120
140
160
180
200
time [sec]
number of infected nodes (total=200)
no containment
80% containment
90% containment
95% containment
99% containment
100% containment
Figure 12. Effect of imperfect containment on worm
propagation speed. Containment techniques with
more than 95% detection probability can significantly
slow worms.
ios a more balanced approach that also minimizes the
false alarm probability may be desirable. Higher Jac-
card similarity values, for example, can be obtained
when small reductions in detection probability yield
large reductions in false-alarm probability. To opti-
mize Jaccard similarity we could choose a smaller ra-
dius
ˆ
R = γR = γ2
√
αDt for the random walk sce-
nario (γ is less than 1).
ˆ
R denotes the effective radius
which equals the square root of the propagation area
enclosed by a real boundary (not a circle) against time.
Our usage of R instead of
ˆ
R also explains the adapta-
tion of our algorithm over different node densities.
5.3 Other Synergies between Ecology and Com-
puter Security
The successful application of ecological models to
estimating worm propagation raises the question about
other potential synergies between the fields. Biologi-
cally inspired interdisciplinary work has long affected
computer security. For example, computer immunol-
ogy improves virus defenses [9]. Epidemiology en-
ables us to investigate the spread of computer viruses
on a hybrid networks that combine computer network
and social networks, such as email [16]. In ecology
the Allee effect (or reduced per capita reproduction
when animals are scarce) may be useful for describ-
ing the dynamic change of the infection rate when we
have disconnections in the ad hoc network. The effect
of dispersal on competing populations (e.g., Predator-
Prey model) also holds promise for modeling com-
petition
7
or the cooperation of malicious codes [27].
As a further step of this work, we can model the mo-
bile worm propagation which also uses infra-structure
network such as MMS or SMS-based downloaders
(long-distance dispersion) as well as a local interac-
tion (neighborhood diffusion) by a stratified dispersal
process [24].
6 Related Work
Moore and colleagues [15] investigated and com-
pared the existing containment methods for Internet
worms which can be implemented in gateway, firewall
and router. The hierarchical structure of the Internet
allows an administrator to partition and shut down a
local sub-network which is infected. In wireless net-
works, however, an infected node can move and com-
municate with a susceptible node via localized inter-
action such as Bluetooth. Our work instead focuses
on estimating the geographic propagation pattern of
short-range wireless worms. The notion of locality is
less meaningful in wired networks where worms often
use random probing.
Khayam and Radha [12] investigated the param-
eters governing the spread of active worms over
VANET. They define the average degree of a VANET
node and use a SIR model for the spread of worms. In
our work, we provide a spatial and temporal distribu-
tion of the propagating worms rather than an infection
rate over time.
Wu and Fujimoto [28] presented an analytical
model for information propagation in Vehicle-to-
Vehicle Networks. Worm propagation is very similar
to information dissemination except that it has an ma-
licious purpose and it lacks cooperation of neighboring
nodes. Our work concentrated on practical estimation
algorithms that are tractable for larger highway net-
works. We also presented simulation results from a
calibrated highway simulation.
Several intrusion detection system for wireless ad
hoc networks have been designed [33, 14]. Zhang and
Lee present a collaborative intrusion detection system
7
In 2001, the counterattacking CodeGreen appeared to disin-
fect CodeRed.

for ad hoc and assume that every node runs an IDS
agent. Anjum and colleagues have investigated the op-
timal placement of intrusion detection nodes in an ad
hoc network to reduce the need for one IDS agent per
node [2]. This intrusion detection work concentrates
mostly on external attacks such as distributing erro-
neous routing information. They do not address how
to catch up with a propagating worm. Our work shows
how to take advantage of a wireless infrastructure net-
work and how to forecast the propagation of the worm.
7 Conclusions
Wireless ad hoc networks requires a new worm
intrusion response architecture and mechanisms be-
cause it lacks central infrastructure choke-points such
as routers, gateways and firewalls where network in-
trusion detection such as address blacklisting or con-
tent filtering can take place. We have considered a
scenario in which a service provider manages the se-
curity of an hybrid (ad hoc with wide-area network)
network over a low-bandwidth, wide-area infrastruc-
ture wireless network. This work proposed to develop
location-based quarantine boundary estimation tech-
niques. These techniques let service providers identify
the current set of likely infected nodes when intrusion
information is incomplete or delayed. Specifically, we
found that
• a mobile worm could spread in a typical high-
way network with a mean velocity of about 75m/s
even though only 5% of vehicles are susceptible
to attack.
• advection-based estimation techniques can esti-
mate the group of currently infected nodes with
a detection probability greater than 95% and a
false-alarm rate of less than about 35%. This pro-
vides a significant improvement over having to
target a response at all nodes in a large geographic
region.
Future Work There are several directions for future
work. First, we should design an algorithm robust to
the inaccuracy of geographic origin of the outbreak.
Second, it appears valuable to develop techniques that
effectively address partial outages of the wide-area
wireless network. Finally, the system could take ad-
vantage of propagation speed information gained from
the time difference in intrusion reports from different
nodes.
Acknowledgment
The authors would like to thank Dr. Ozbay for pro-
viding a location trace file from Southern New Jersey
Highway Network available for the purposes of this
study.
References
[1] O. M. Alliance. Provisioning architecture overview.
http://www.openmobilealliance.org/
release
program/docs/ClientProv/
V1
1-20050428-C/OMA-WAP-ProvArch-v1
1-20050428-C.pdf, Apr 2005.
[2] F. Anjum, D. Subhadrabandhu,and S. Sarkar. Intrusion
detection for wireless adhoc networks. In Proceedings
of Vehicular Technology Conference, Wireless Security
Symposium. IEEE, October 2003.
[3] N. T. Bailey. The Mathematical Theory of Infectious
Diseases and its Applications. Hafner Press, New
York, 1975.
[4] L. Briesemeister, L. Schafers, and G. Hommel. Dis-
seminating messages among highly mobile hosts based
on inter-vehicle communication. In IEEE Intelligent
Vehicles Symposium, October 2000.
[5] D. Dagon, T. Martin, and T. Starner. Mobile phones
as computing devices: The viruses are coming! IEEE
Pervasive Computing, 3(4):11–15, 2004.
[6] DSRC-5GHz-Standards-Group. Standard Specifica-
tion for Telecommunications and Information Ex-
change Between Roadside and Vehicle Systems - 5GHz
Band DedicatedShort RangeCommunications(DSRC)
Medium Access Control (MAC) and Physical Layer
(PHY) Specifications. ASTM E2213-03, 2003.
[7] C. S. Elton. The Ecology of Invasions by Animals and
Plants. Methuen Co. Ltd., London, 1958.
[8] D. R. Finley. Point-in-polygon algorithm: De-
termining whether a point is inside a complex
polygon. http://www.alienryderflex.com/
polygon/, 1998.
[9] S. Forrest, S. Hofmeyr, and A. Somayaji. Com-
puter immunology. Communications of the ACM,
40(10):88–96,1997.
[10] S. Goel, T. Imielinski, and K. Ozbay. Ascertaining
the viability of wifi based vehicle-to-vehicle network
for traffic information dissemination. In Proceedings
of the 7th Annual IEEE Intelligent Transportation Sys-
tems Conference (ITSC), October 2004.

[11] J. P. Hubaux, S. Capkun, and J. Luo. The security and
privacy of smart vehicles. IEEE Security and Privacy
Magazine, 2(3):49–55, June 2004.
[12] S. A. Khayam and H. Radha. Analyzing the spread
of active worms over vanet. In Proceedings of the first
ACM workshop on Vehicular ad hoc networks, January
2004.
[13] MathWorks-Inc. Overlaying polygons with set
logic. http://www.mathworks.de/access/
helpdesk/help/toolbox/map/polybool.
html, 2005.
[14] A. Mishra, K. Nadkarni, and A. Patcha. Intrusion de-
tection in wireless ad hoc networks. IEEE Wireless
Communications, 11:48–60, 2004.
[15] D. Moore, C. Shannon, G. M. Voelker, and S. Savage.
Internet quarantine: Requirements for containing self-
propagating code. In INFOCOM. ACM, 2003.
[16] M. E. J. Newman, S. Forrest, and J. Balthrop. Email
networks and the spread of computer viruses. Physical
Review, 66(035101), 2002.
[17] A. Okubo and S. A. Levin. Diffusion and Ecological
Problems: Modern Perspectives. Springer, 2002.
[18] Open-Interface. Bluetooth security overview. http:
//www.oi-us.com/service
additions/
security whitepaper docpage.html, Dec
2005.
[19] K. Ozbay and B. Bartin. South jersey real-time mo-
torist information system. NJDOT Project Report,
March 2003.
[20] Quadstone-Limited. Paramics v4.0 - microscopictraf-
fic simulation system. www.paramics-online.
com.
[21] M. Raya and J. P. Hubaux. The security of vehicular
ad hoc networks. In Proceedings of SASN‘05, Novem-
ber 2005.
[22] Reuters. Mobile phone virus infects helsinki
championships: The cabir virus uses bluetooth
to jump between cell phones. http://www.
computerworld.com/securitytopics/
security/virus/story/0,10801,103835,
00.html, Aug 2005.
[23] M. Sadiq. Toxic metal chemistry in marine environ-
ments. New York : Marcel Dekker, New York, 1992.
[24] N. Shigesada, K. Kawasaki, and Y. Takeda. Modeling
stratified diffusion in biological invasions. American
Naturalist, 146(2):229–251, 1995.
[25] J. G. Skellam. Random dispersal in theoretical popu-
lations. Biometrika, 38(4):196–218, 1951.
[26] S. Staniford, V. Paxson, and N. Weaver. How to own
the internet in your spare time. In Proceedings of
the 11th USENIX Security Symposium, pages 149–167,
Berkeley, CA, USA, 2002. USENIX Association.
[27] P. Szor. The Art of Computer Virus Research and De-
fense. Addison-Wesley Professional, symantec press,
2005.
[28] H. Wu, R. Fujimoto, and G. Riley. Analytical models
for data dissemination in vehicle-to-vehicle networks.
In Proceedings of IEEE 2004-fall Vehicle Technology
Conference (VTC), September 2004.
[29] Xatrix-Security. Widcomm bluetooth connectiv-
ity software multiple buffer overflow vulnerabil-
ities. http://www.xatrix.org/article.
php?s=3663, Aug 2004.
[30] Q. Xu, R. Sengupta, and D. Jiang. Design and anal-
ysis of highway safety communication protocol in 5.9
ghz dedicated short range communication spectrum. In
IEEE VTC Spring 2003, April 2003.
[31] J. Yin, T. ElBatt, G. Yeung, B. Ryu, S. Habermas,
H. Krishnan, and T. Talty. Performance evaluation
of safety applications over dsrc vehicular ad hoc net-
works. In VANET ’04: Proceedings of the 1st ACM
international workshop on Vehicular ad hoc networks,
pages 1–9, 2004.
[32] ZDNet-UK. Year-old bluetooth vulnerability in-
vites mobile worm. http://news.zdnet.
co.uk/internet/security/0,39020375,
39162400,00.htm, Aug 2004.
[33] Y. Zhang and W. Lee. Intrusion detection in wire-
less ad-hoc networks. In The Sixth International Con-
ference on Mobile Computing and Networking (Mobi-
Com). ACM, August 2000.

1
Approaches for Ensuring Security and Privacy in
Unplanned Ubiquitous Computing Interactions
V. Ramakrishna, Kevin Eustice and Matthew Schnaider
Laboratory for Advanced Systems Research
Computer Science Department
University of California, Los Angeles, CA 90095
{vrama,kfe,matt}@cs.ucla.edu
Abstract
Modern technology and omnipresent computing and communication facilities are leading us closer to
the ubiquitous computing vision. However, the very nature of ubicomp infrastructure, the openness of the
environments and the characteristics of the interactions pose unique security and privacy challenges. We
anticipate that the vast number of interactions will be unplanned and will occur among mutually unknown
and untrusted systems. Mobile components will often find themselves in unfamiliar surroundings, forced to
work with infrastructure whose trustworthiness cannot be determined. We must identify and address the
security issues inherent in these types of interactions before a large-scale deployment of vulnerable
infrastructure begins to pose a serious threat. Current security solutions for mobile computing and wireless
communication are not sufficiently scalable or flexible to protect the heterogeneous and highly dynamic
systems of the future; they do not even satisfactorily solve current mobile computing security issues.
In this paper we address the problems inherent in the infrastructure and in the interacting devices
themselves. We also identify device theft as a problem exacerbated by mobile and ubiquitous computing.
We emphasize device-based approaches towards handling security and privacy, broadly classifying them
into three categories which, when taken collectively, form a three-layer defense for devices. These
categories are: 1) resource and content protection mechanisms, 2) secure protocols for service discovery
and assignment of resource access, and 3) trust frameworks. These categories are neither mutually
exclusive nor exhaustive, yet they collectively address challenges inherent in a wide range of ubicomp
scenarios. We emphasize protocol-based solutions and, to a lesser extent, trust frameworks. These
aproaches are being investigated in the context of the QED and policy-guided negotiation work currently
underway as part of our Panoply ubiquitous computing project.
1. Introduction
Ubiquitous computing promises a vision of computing capabilities at any place and at
any time, supporting all kinds of human activities, including even the most mundane. A transition
from mobile computing to ubiquitous computing is well underway thanks to both academic
research efforts and commercial enterprises. Three important technological factors are
contributing to this transition: 1) rapid growth and proliferation of wireless networking facilities,
2) computing and sensing components embedded in our surrounding environments, and 3)
availability of smaller portable devices that can run most applications required by a mobile user.
Mark Weiser envisioned a future in which computers would fade into the background
[Weiser1991]. A more realistic vision, and one that is currently attainable, still involves devices

2
that are recognizable to users as computers. This model of computing is typically distinguished
from ubiquitous computing (ubicomp) as pervasive computing. In the pervasive computing
paradigm, devices and networks communicate with each other and deal with each other in a more
aware and intelligent fashion, without involving a human unless absolutely necessary. Most of
these interactions occur in a mobile context and in an unplanned fashion. The onus is upon the
devices and the applications to ensure that tasks proceed smoothly, hiding details from users. The
challenges in pervasive and ubiquitous computing are similar to mobile computing, but with a
higher scale of mobility, dynamism, and heterogeneity.
Primary networking challenges have more or less been addressed. These include the
ability to discover networks and associate with them, and the addressing issues that are necessary
to establish and maintain network connections. Efforts at the application layer have been made,
and are still ongoing, to achieve seamless mobility of networked applications. As a result, the
networking infrastructure can now handle complex tasks that were formerly relegated to the user.
Even as we design technology with new and better functionality, we must explore
potential pitfalls. What happens when one or more of the participants in a mobile interaction do
not play by the rules the designers of the mechanisms envisioned? Attackers could use their
anonymity and the nature of network-based protocols to breach the security of trusting devices or
obtain sensitive information. The networking infrastructure that makes mobile computing
possible could also be subverted for illegitimate purposes. We will further explore the
vulnerabilities inherent in these unplanned interactions and discuss how a complex balancing act
is required to make ubiquitous computing usable, as well as secure.
1.1 Characteristics of Ubiquitous Computing Interactions
Ubiquitous interactions rely primarily on wireless network connectivity between
numerous classes of devices. In this context, wired portable computing is significantly less
interesting, and the networking and addressing issues have, for the most part, been dealt with;
additionally, there is a much higher level of trust and accountability.
Interactions among mobile devices and ubiquitous infrastructure components are directed
towards the discovery and access of external resources and information that are required for local
applications. These include services provided by the immediate environment—typically wireless
connectivity, connections to remote computers through the Internet, and sensory output. Most
current applications of mobile computing involve access of web-based services. This requires that
devices be able to associate with networks and configure Internet connections; the remaining
application tasks are explicitly performed by the users. The transformation to a pervasive
computing environment will increase the demands on the devices and the networks to which they
connect. A much wider variety of tasks will be supported, and the devices must be more
intelligent and aware in order to minimize the work that users must do. Users will expect less
intrusiveness, seamless communication, and better performance.
Devices and networks will become more autonomic, specifically more self-configuring,
self-adjusting, and self-healing. In the simplest form of mobile computing, where users explicitly
handle applications and provide other input, the networking issues have relatively fewer security
implications. When devices and applications are expected to perform tasks that satisfy user
desires, without low-level user input, and sense and adapt to context changes, the security
problems are magnified. Workable solutions must be provided so that users can trust their devices
to run in an automated fashion and handle private data.
Ad hoc or unplanned interactions, which we believe will be very common in the
emerging computing landscape, will present situations where there is a lack of familiarity or trust

3
among the interacting entities. We cannot guarantee that different mobile devices and networks
will have the same security or data privacy standards, and one challenge is to determine the
opposite party’s standards. Even in cases where interactions occur between known entities or
entities with verifiable security relationships, the lack of trustworthiness of the wireless
communication medium calls for precautions. This medium enables anonymity of entities; if such
entities turn out to be malicious or compromised, they could provide fake services and obtain
sensitive information. It is conceivable that the problem could be mitigated somewhat through the
imposition of strict security standards and a universal trust framework, but such a worldwide
standard would be impractical and impossible to enforce. It would also limit the options for each
independent domain to determine its security policies. It also does not solve the problem of
adaptation with context, since all possible situations cannot be planned for in advance.
1.2 Trading off Security, Privacy and Usability
Security has proven to be a challenge when it conflicts with user convenience and ease of
use. Users dislike entering passwords repeatedly in order to perform tasks that require extra
privilege. If the system provides an option of storing the password for subsequent use, many users
would make use of it. Likewise, when a sensitive transaction requires the release of identity
information and secret keys, privacy is often sacrificed with little thought. These examples and
others indicate that there is a three-way tradeoff in security, privacy and usability that every
system designer must address. In this context, we define usability as the ease of handling devices
and applications, with minimal input and feedback required from the user for successful
operation.
This complex tradeoff acquires a new dimension in mobile and ubiquitous computing due
to the wireless medium, the open environments, the unplanned nature of interactions, and the
anonymity of computing entities. In a static context, there is an added degree of trust, which is
absent in a mobile wireless context. When communicating with strangers, the more knowledge a
device gains about the other party, the better it can assess the appropriate level of trust to place in
that party. Intrusive procedures for assessing trust could be used, indirectly leading to more
security. This would make an entity more confident about allowing access to a local resource or
giving up some private information in the hope that this might result in some benefit without the
cost of misuse. Trust-based security therefore inevitably results in a loss of privacy. Conversely, a
conservative policy could result in more privacy but a lower probability of a successful
interaction because neither entity will be able to gain sufficient trust in the other. Also, in order to
be absolutely secure, many security decisions will have to be made explicitly by the user, which
is contrary to the ubiquitous computing goal of reducing human intervention. Many applications
will also require the free exchange of privileged information such as location, local capabilities,
and constraints. Applications could run in an automated fashion if free exchanges were allowed,
but privacy constraints could force a more conservative approach. Various service discovery and
access mechanisms could also result in inadvertent exposure of private content and resources,
owing to careless design or a lax policy. Submitting to privacy demands could detract from the
user experience by restricting the performance of tasks. Alternatively, if the system cannot
reconcile privacy demands with the task requirements, user intervention may be required.
Privacy, therefore, will often be at cross-purposes with usability.
This three-way tradeoff severely impacts and potentially restricts security and privacy
choices in ubiquitous computing, where usability and performance are key. Most research efforts
in wireless networking and ubiquitous computing have emphasized the usability aspect at the cost
of security and privacy [Brooks1997] [Román2002]. Though this results in a richer set of
applications and functionality, a retrofitted security solution usually employs fairly rigid policies

4
which interfere with many of the features that make the system usable. The approach we take is to
analyze ubicomp interactions as a whole, rather than on a per-application basis. In this paper we
attempt to identify the unique security threats and privacy and access control issues that are posed
by device mobility and mutual anonymity of interacting devices and networks. In Section 2 we
outline the threats posed by insecure infrastructure and malicious entities, and observe how
mobility impacts systems in a negative way. In Section 3 we describe currently used and
proposed approaches for maintaining security and privacy. We classify device-based security
solutions into three categories, each providing security at a different level; this helps us to better
understand and analyze these solutions.
2. Challenges of Unplanned Interactions
In the traditional computing paradigm, devices operate in a few established
environments. Ubicomp necessitates a break from this pattern. Traveling from well-known and
presumably safe environments to unfamiliar and potentially hostile ones poses many security
challenges in mobile and pervasive computing. Likewise, the computing elements embedded in
the infrastructure will encounter new and possibly unsafe devices all the time. Though a certain
amount of paranoia is both healthy and necessary, it should not prevent devices from running
essential tasks for users. Both users and their devices must take precautions. Devices should be
able to verify the authenticity of the networking infrastructure, and the machines with which they
communicate. Additionally, they must be able to assess the security risks in carrying out such
interactions. Similar caution must be exercised by infrastructural components when interacting
with unknown mobile devices that have entered communication range. Even if the external
environment does not pose a threat, it may hardly be friendly. In these circumstances, protecting
the integrity of system resources and data, as well as maintaining a necessary amount of privacy,
is difficult. Challenges arise primarily due to communication with strangers, but in the absence of
a trustworthy networking infrastructure, similar problems may afflict communication with known
entities too. We address security and privacy issues both from an infrastructural and a device
point of view; these issues include device and service provider authentication, the risks of
habitual mobility, intelligent failure modes, and software agents. Challenges in each area must be
addressed by researchers in order to achieve a complete security solution.
2.1 Infrastructure Security and Privacy
With traditional 802.3 Ethernet-based networking, when one plugs a device into a wall
jack, it is typically assumed that the device receives connectivity from the local infrastructure.
Clearly, there are possible attacks in this space, but in general this is a reasonable assumption
since a physical wire acts as a physical metaphor tying the device to the physical environment.
Wireless communications lacks this metaphor; absent policy, our mobile wireless devices can and
will receive connectivity from any accessible service providers. This poses potential problems in
that traditionally we have trusted our infrastructure to provide network services such as routing
and name lookup. Malicious service providers can capture wireless clients and reroute requests to
malicious services; such services are intended to duplicate legitimate services and capture
personal identification information such as logins, passwords, credit card information, and so on.
This type of session hijacking can be performed at the routing layer or by subverting DNS.
There are several security problems here—one is the assumption that the networking
infrastructure should provide routing and naming services in a secure and trusted manner; another
is that on
s device will associate with a given infrastructural component. These problems are
related, especially if we seek to use trust relationships to deal with the former. The latter

5
challenge is a problem of device authentication—i.e., how do we make sure we connect to the
s access point and not the malicious access point in a patr s backpack? This is a subset of
the general device authentication problem—how do two mutually unknown devices authenticate
one another?
Apart from ensuring the authenticity of the service provider whose network a mobile
device is using, we must also deal with issues of data confidentiality and location privacy. These
problems are exacerbated by the broadcast nature of the wireless medium, where eavesdropping
is trivial for any device with a wireless card. Data confidentiality can be handled through
encryption, and much research has gone into developing standards for 802.11 networks, which
are mentioned in Section 3.1. But even if the communicated data cannot be interpreted, an
eavesdropper can still infer the location of the communicating device and the entities it is talking
to, which is information mobile users might want to keep private.
2.2 Device Security and Privacy
A number of security and access control problems lie within devices (or the end points of
network connections) themselves. The problems arise due to misconfiguration, ineffective or bad
security policies, vulnerable applications and insecure processes for remote discovery, access, and
use of resources. Similar problems occur even in static desktop-based computing when
communicating over the web, but the nature of devices in pervasive computing, mobility, and the
frequency of contact with strangers worsens existing problems, as described below.
The Risks of Mobility
Mobility tends to exacerbate existing security and privacy challenges, such as system
vulnerabilities and information leaks in network protocols. A mobile device moves in and out of
environments with many unknown and potentially hostile devices, without the protection of
infrastructure-based firewalls. This behavior exposes the device to more potential attackers,
magnifying the risk of software vulnerabilities. When the mobile device is eventually taken home
or to work, it passes behind traditional firewalls, possibly carrying an infection or an intruder.
A next-generation security system needs to be aware of these peripatetic devices that
operate within its purview. The knowledge that a device is mobile and transient may allow the
infrastructure to provide better support. Steps need to be taken to ensure the integrity of mobile
devices and protect the rest of the local network from potential abuse. Challenges here include
developing techniques to protect the network from mobile nodes while not overly inhibiting
functionality.
Intelligent Failure Modes for Pervasive Security
Failure is an unfortunate fact of life. Mobile devices will be compromised, either over the
network or by theft. It is incredibly important that the failure modes of such devices be
engineered to minimize the impact of compromise. To that end, we need to focus on theft
mitigation, reducing the ability to use or harvest data from a stolen device, as well as application
limitations that restrict the powers of a compromised application, thereby protecting system
integrity.

6
Theft Mitigation
Expensive and highly-portable mobile devices present tempting targets to thieves. In a
time when identification theft is becoming all too common, these devices also represent a treasure
trove of personal information. An important challenge thus is to mitigate the impact of theft—that
is, reduce the utility of a stolen device, both in terms of actual functionality and in terms of
extractable information. Additionally, recovery mechanisms including “phone home” features
and secure remote localization capabilities would be valuable in the mobile device feature set.
Restricting Capabilities and Information Leaks
Mobility-oriented applications must be designed to limit the impact of compromise
through segregation of functionality and by adopting the least privilege paradigm, limiting the
applicati s privileges and data to those necessary to accomplish its tasks. This helps reduce the
impact of malicious or compromised applications. Applications may deal with sensitive user data,
including authentication information and financial data, as well as sensitive user context such as
location or social relationships. A related challenge here is to limit the exposure of this data to the
minimum necessary. Context can be made accessible at multiple fidelity levels, and only the
necessary level of context should be exposed to the application. For example, location context can
have levels such as “UCLA,” “Boelter Hall,” and “3564 Boelter Hall.” The level of context
exported to the application may depend on user policy, application needs, or the security
characteristics of the local environment.
Similarly, the least privilege paradigm must be applied to information that is being
transmitted. Remote computers should not be allowed to see more than is necessary for
immediate purposes. Otherwise, information such as system or user identification information,
system behavior patterns, etc., may be leaked to potentially hostile users. This information could
be used by thieves to better target victims—i.e., the thief knows that one bus passenger has an
expensive laptop and can determine which passenger, without even seeing the laptop. Similarly, if
the presence of a given laptop in one
s home is highly correlated with user presence, then radio
emissions can be used to determine when someone is at home. In general, we need to be more
careful about the radio emissions of our devices, as they do leak substantial information.
Software Agents and Mobile Code
Software agents and mobile code are frequently used in ubiquitous computing contexts to
enable interoperability, application segmentation and migration, as well as customized handling
of system operation. This raises serious security challenges. Mobile code may potentially harm
the hosting device, or behave in unpredictable ways. The issuer of the mobile agent wishes to
trust the result of the mobile code
s execution, but the hosting device has control over the code.
This poses a problem. Although this problem exists in the wired Internet, future pervasive
environments may depend hugely on mobile agents to perform tasks, including the discovery of
networks and services when devices are mobile. Such agents will be especially valuable in
handling unplanned interactions.
Today’s users already run a great deal of mobile code in the form of Java, JavaScript,
Shockwave/Flash, and ActiveX controls. In many cases, mobile code intentionally or
unintentionally has access to sensitive user data, often much more data than it strictly requires.
We need reliable methods for protecting user data from disclosure and tampering while still
permitting the execution of mobile code that is beneficial to the user. Accepting and running
mobile code will require enhanced approaches for verification of code properties and
establishment of trust.

7
3. Approaches
The concerns raised in the previous section can be summarized as: 1) protecting the
integrity of the devices and networks, 2) preventing unnecessary data exposure, and 3) granting
unknown entities permission to access private resources. As discussed in Section 1, enabling open
interactions among mobile and infrastructure-based devices is a primary ubicomp goal. An
impenetrable security system, though desirable in principle, would restrict access to many types
of ubiquitous computing services. Instead, an effective system must be flexible in its approach to
ensure both security and usability.
We can and must try to secure the networking infrastructure from malicious entities and
eavesdroppers. Approaches to address this are discussed in Section 3.1. These will not solve the
complete problem; traditional end-to-end security is still necessary. For the purposes of this
discussion, we have chosen to define three subclasses within the solution space. While these
subclasses are not exhaustive, we believe these are areas where further research could
substantially address security and privacy challenges faced by most ubicomp scenarios.
The first class of approaches (Section 3.2.1) attempts to secure resources and content
directly at the time of access. Such approaches also include situations where the device in
question falls under the control of external entities, directly through theft or indirectly using
mobile code. The second class of approaches (Section 3.2.2) comprises secure processes and
protocols for interactions between devices, resulting in discovery of external resources and
assignment of permissions to access those resources. The security and privacy solutions are
managed by the device and are not tied to individual resources; the devices here are containers
and controllers for a set of resources and services. The third class of approaches (Section 3.2.3)
consists of cross-domain security frameworks that impose security solutions in a top-down
manner. Any two entities that come across each other in a pervasive computing world can
determine the nature of their relationship and the scope of their interactions through such a shared
framework. All trust frameworks, certificate hierarchies, and access control solutions for open
systems fall under this category.
From one perspective, these three classes of solutions could form three layers of defense
for any kind of interaction that takes place in a ubiquitous environment [Eustice2003a]. The trust
approaches could help to determine the security basis for interaction among computing entities.
Protocols could be used by such entities to discover each other’s resources, securely configure
permissions for access, and perform security-sensitive actions. At the innermost layer, once
devices get to know each other’s resource capabilities, they could directly access those resources
which are guarded by low-level protection mechanisms. These three sets of approaches are
neither mutually exclusive nor exhaustive. Furthermore, it is unlikely that a complete security
solution can be drawn from any one of them alone. Trust frameworks are usually coupled with
secure protocols for determining trust in external entities before permitting discovery and access.
Resource protection mechanisms can be used in a scalable way in this context only if they are
accompanied by a dynamic process of discovery and reconfiguration of local security state. An
ideal security solution would combine appropriate features from all three classes of approaches
that prove well suited to deployment in dynamic environments. Before we look at examples of
different approaches from each of the categories defined above, we consider some mechanisms
for securing network infrastructure.

8
3.1 Networking Infrastructure Security and Privacy Approaches
The most obvious technique used to maintain data confidentiality over any network link
is encryption. As mentioned in Section 2, the broadcast nature of wireless communication makes
this problem harder. Despite this, cryptographers and security engineers have developed workable
security solutions for data confidentiality at the wireless MAC layer. Given the initial failure of
the 802.11 WEP standard, [Borisov2001], WPA was developed to overcome WEP’s problems
with stronger authentication schemes and a key management system. At higher layers in the
network stack, devices have even more choices, and we can select from a variety of cryptographic
schemes and key exchange protocols.
Preventing an eavesdropper from inferring the location of a device and the identity of the
devices it is communicating with is still hard, mainly because of the broadcast nature of the
communication medium. Also of interest is research in secure network discovery and connection
to authentic service providers. This handles simultaneous discovery and authentication of a
wireless network through automated means, which is complementary to the problem of private
communication after connection establishment. Secure enrollment of a device to a network
promises to mitigate the security problems associated with service provider selection and
authentication, as described in Section 2.1.
Device Enrollment
The general problem of secure network enrollment within pervasive computing
environments has been considered by several other projects. The canonical reference is Stajano
and Anderson’s Resurrecting Duckling [Stajano1999] where the authors presented a model for
imprinting wireless devices with network membership information through brief physical contact.
In the model, physical contact is required to create a logical connection between two otherwise
wireless devices. The mother duck controlling device would maintain absolute control over a set
of duckling devices and their respective policies.
The duckling model has been further extended by PARC [Balfanz2002] and applied to
home and enterprise-wide wireless LAN setup [Balfanz2004]. PARC removes the requirement
for a secure side-band channel through the use of public key cryptography—this increases the
baseline requirements for member devices, but allows more open side-band channels such as
infrared. Recently, other approaches have investigated the use of embedded cameras to capture
visual authentication information embedded in barcodes attached to devices [McCune2005], as
well as the use of audio cues [Goodrich2005] coupled with displayed textual information.
3.2 Device-Based Security and Privacy Approaches
In this section we discuss approaches for maintaining security and privacy that are
executed locally on devices. In general, these solutions assume the presence of a trusted
communication infrastructure, though some trust-based solutions circumvent the networking
problem altogether by enforcing stringent authentication schemes at the end points.

9
3.2.1 Resource/Content Protection and Access Control
In the world of pervasive and ubiquitous computing, data is often at risk for disclosure or
tampering. Data lives on mobile and portable devices and may be subject to theft. One approach
to protecting the privacy of user data is to integrate the protection mechanisms with the resources
themselves.
Secure File Systems
Cryptographically secure file systems have been available for more than ten years
[Blaze1993] [Wright2003]. In practice, though, such file systems are not widely in use.
Furthermore, even when such systems are used, it is common for users to store sensitive key
material on the same device that is being protected. As a result, when devices are lost or stolen, it
is likely that the information on those devices can be easily accessed by even modestly skilled
attackers.
Additionally, when a device is taken over by malicious code, that code normally has full
access to data on the device, including any encrypted data that the user may access. Typically,
users rely on one master key or password to access their encrypted file systems. Thus, if the user
accesses any encrypted data item, it is likely that all encrypted data items within that data-store
are exposed to any malicious code that may be running on the device.
In order to protect data in this scenario, portable devices should not be the custodians of
the key(s) to the sensitive data they hold. Rather, keys should be stored elsewhere and provided to
applications on demand, based upon context and policy. If this were the case, certain data would
be completely inaccessible to even the most determined attacker if the device was lost or stolen.
Even in the case of device infection, much, if not all, sensitive data would be protected, ideally
until the malicious code was discovered and purged.
Zero-Interaction Authentication
One system that possesses many of the properties mentioned above is Zero-Interaction
Authentication (ZIA) [Corner2002]. In ZIA, each file is encrypted under a symmetric key, and
that key is then encrypted with a key-encrypting key. A small security token, separate from the
device itself, is the only entity that can decrypt file keys. The device must be in the presence of
the token in order to access its own encrypted files. Thus, in our loss or theft scenario, ZIA
cryptographically protects user data from disclosure from even the most determined adversary.
In addition to ZIA, other novel uses of cryptographic file systems and key management
could greatly reduce the risk of disclosure of sensitive data through device loss or theft, or even
device infection. Such systems should be informed by context and policy to provide more fine-
grained and flexible control over encrypted data and associated keys than is currently provided by
ZIA and other encrypted file systems.
Proof-Carrying Code
Although we can mitigate the dangers of device loss and theft, and we can to some extent
limit the amount of sensitive data that is exposed in any particular context, it may be desirable or
useful to run foreign code in various ubiquitous computing scenarios. Though many mobile code
systems employ some facility for sand-boxing, much mobile code still has far more access than

10
necessary, and often far more access than is safe. One possible approach to alleviating this
problem is to use proof-carrying code [Necula1997]. In the ubiquitous world, devices will likely
be offered mobile code from a variety of trusted and untrusted parties. In many cases, the user
will explicitly run such code. In other instances, the device will be asked to run the code on behalf
of the user. Proof-carrying code would maintain the usability we want, while preserving the
safety and security of sensitive resources.
Proof-carrying code can provide proof of programmatic side-effects and invariants that
can be reconciled with local policy. Depending on the level of trust (if any) ascribed to the
provider of the code, the device can make safe and informed decisions without having to involve
the user every time the question of executing mobile code is raised. Not only can proof-carrying
code protect against malicious code that steals or tampers with sensitive user data, it can also
preserve the overall integrity of the device, and may also have the added benefit of increasing the
reliability of the device as a whole.
Proof-carrying code has addressed a very important problem, but we feel its complete
potential has yet to be explored. A large number of ubicomp applications will depend on mobile
code, and quick verification of security policy compliance would be very valuable. Application of
proof-carrying code to ubicomp warrants further research.
3.2.2 Secure Interaction Protocols
Various situations will occur in ubiquitous computing where devices will need to
discover each other’s services and establish access permissions. The processes and protocols for
managing secure discovery and assignment of access permissions comprise a different set of
approaches, complementary to the resource protection mechanisms described above.
Trust Management
Trust management is a process that unifies security policies, credentials, authorization,
and access control. This concept was introduced in PolicyMaker [Blaze1998] and refined in
KeyNote [Blaze1999]. The process involves a request to perform a security-impacting action or
to access private information or resources. The requestee runs a compliance checker taking as
input the request, associated credentials from the requestor, and its local policies. If no conflict is
detected, the request is granted; otherwise it is refused. This security or trust management
solution requires a common trust framework, including a credential vocabulary, in order to be
effective. In the mobile computing context, this solution maintains security and access control to
the degree specified by the policies. One drawback is that the policies are static and are not
sensitive to context changes. Although this process maintains the privacy and security of the
requestee, it is not sensitive to the privacy considerations of the requester, who must provide all
information and credentials demanded if the interaction is to succeed. Though both PolicyMaker
and KeyNote were designed with traditional computing in mind, the technique could as well be
used in pervasive computing when combined with a suitable process for discovery of networks
and services.
Quarantine and Examination for Mobile Computing
We have explored a new paradigm for mobile and ubiquitous security called QED
[Eustice2003b], or Quarantine, Examination, and Decontamination. In this paradigm, before
mobile devices are allowed to join a wireless network, they are inserted into a quarantine zone.

11
This is done to protect other local network participants from potential malware carried by the
mobile device. While in quarantine, the device is subjected to an examination process that can
include a variety of techniques such as external port scans and service identification, as well as
internal tests that require cooperation of the device, such as virus scans and service patch
determination. If problems such as vulnerabilities, undesirable services, or compromised software
are found, the device may go through a decontamination phase in which the problems are, if
possible, rectified. Once the infrastructure is confident that the device poses no threat, it is
allowed to fully participate in the local network.
A system like QED demonstrates how security and privacy requirements may be at odds
in a pervasive computing scenario. Security is enhanced if mobile devices run foreign code as
instructed and report results truthfully. But this results in a loss of privacy for the device. Also,
running arbitrary code itself requires a high measure of trust in the code provider. These are
extremely important issues that require further research. The use of proof-carrying code
techniques to verify policy compliance of examination modules deserves serious investigation.
Also, verification of authenticity of returned examination results is an interesting problem; this
could also have implications for digital rights management.
The Cisco Network Admission Control (NAC) system [Cisco2003], a commercial
product that is part of the Cisco Self-Defending Network Initiative, enforces access control in a
domain through quarantine and examination. Access control decisions are based on a domain’s
security policies and involve checking incoming devices for vulnerabilities and infections. NAC
suffers from certain drawbacks compared to QED; notably, it does not provide support for
decontamination. Also, QED is completely software-based and open source, whereas NAC is
integrated with Cisco hardware products. Using QED, security policies could be enforced in a
flexible manner with access limits varying with degree of compliance. Also, the relationship
between the mobile device and the network is more symmetric; this allows both the network and
the mobile device to consider the privacy implications of running foreign code or releasing
sensitive information. The primary goal of NAC is to enable domains to enforce security policies,
and the relationship is inherently asymmetric. This solution will only work when a device
interacts with familiar networks, and it is not flexible or scalable enough for ubicomp
interactions.
Solutions performing QED functions are very valuable to mobile users who would be
more tolerant of the added overhead. In the ubiquitous computing vision, applications must run
smoothly in the face of frequent context changes. Scaling QED to work in those types of
environments is well worth exploration.
Automated Peer Negotiation
We are exploring automated and flexible negotiation techniques among peers to enable
interoperation among heterogeneous devices with diverse security and privacy policies
[Eustice2003a]. Services can be discovered and resource access agreements can be reached via
negotiation, while maintaining local security and privacy policies. Negotiation itself is not a new
security mechanism, but rather ensures as much security as can be obtained through existing
enforcement mechanisms. The policies, which are private to a system, describe the various
constraints and inter-dependencies among system objects, and also describe the state of the
system and the properties of its resources and mechanisms. The high level constructs are
described in a common semantic language; we are leveraging Semantic Web frameworks like
RDF and XML for this purpose.
Negotiation is a flexible way for two entities in a ubicomp context to access each other’s
resources up to the maximum allowable risk and within the resource usage policies local to each.

12
Most other approaches usually fall under extremes. At one end of the spectrum, some approaches
for interaction obey rigid protocol semantics and are usually not applicable outside a particular
domain. At the other end, open environments allow free and easy access without regard to
security, such as early versions of Jini [Waldo1999]. Negotiation offers a way to balance the risk
of resource access or exposure of private information and the utility of permitting that operation.
The crucial aspects are: 1) a trust/risk model that allows assessment of the risk associated with an
operation or the trust gained in the other party, 2) a utility model that allows assessment of the
benefits of gaining certain resources, and 3) a set of heuristic functions that allows an entity to
determine when utility outweighs risk. Of course, there will be situations where the other party
could be determined to be malicious, or mobile code found to contain a virus, in which case
utility will rarely balance risk. The functions can be computed using the policies local to a
system, which include user preferences as well as knowledge of security properties; e.g., risk of
opening up a network port, how much trust does possession of certificate X inspire, and so on.
The negotiation protocol proceeds through a strategy whereby the parties can trade information,
propose alternatives, and compromise within the limits of their policy constraints and the derived
heuristic values. The policy language itself is backed by logical semantics and has a reasoning
engine that enables query processing, knowledge chaining, and determination of conflicts. This is
promising research, both from the security and privacy viewpoint and from the viewpoint of
matching heterogeneous systems with available resources in a context-sensitive manner.
Negotiation as described above enhances the scope of prior work in automated trust
negotiation [Winslett2003], best illustrated by the TrustBuilder [Winslett2002] and PeerTrust
[Gavriloaie2004] [Nejdl2004] projects. Automated trust negotiation is a way of controlling access
to a private resource over the web through a gradual process of trust building. In a typical
instance of the protocol, requests for resource access generate counter-requests for credentials or
other information, which in turn generate similar counter-requests. The process continues until a
point of trust is reached or until failure occurs due to a conflict of privacy policies. Though trust
negotiation was designed for the web, it can be adapted to the mobile and wireless context,
though it would have to be augmented with secure discovery protocols. Through this process,
resource access can be requested and obtained with minimum privacy loss for either party.
Zhu et al. [Zhu2005] outline a service discovery protocol for pervasive computing which
preserves privacy without third party mediation. The service provider and client expose partial
sensitive information in a progressive approach. The protocol terminates when both parties reach
an agreement about the extent of exposure of the service and authentication information. Upon a
mismatch or an unsatisfied request, the protocol can be terminated without loss of privacy. This
protocol is meant to handle fake service providers as well as unauthorized clients. Since entities
are assumed to share low-level security information, which is the basis on which they negotiate,
the scalability of this approach is debatable. Still, protocols of this type provide novel ways to
maintain security and access control constraints in a decentralized manner without sacrificing
openness.
3.2.3 Cross-Domain Security Frameworks
In a utopian world, all devices, networks, and enterprise domains would be completely
open to any other entity that wished to interact with them. This is not practical, since every device
cannot and does not trust every other device in mobile environments. Certain device properties,
such as identity and relationships, reflect the amount of confidence that different humans have in
each other, and by implication, affect device interactions. With perfect trust in the other party and
in the communication channel, the process of interaction and the mechanisms used for resource
and data access cease to matter. In practice, perfect trust is not feasible, especially when

13
interacting entities are mutually anonymous. For example, a user could take his laptop to his
office and immediately obtain access to the local network, as well as a range of other resources,
given his role as a trusted member of that organization. Apart from basic authentication
mechanisms that allow his laptop to connect and be admitted to the network, and similar
authentication by the laptop to verify the network access point, strict security is generally not
required for discovering the available resources or accessing privileged information. If the
authentication framework and the process for handing out authentication information are
foolproof, this will work. If a device is compromised or the owner turns malicious, there are
serious consequences. If we put aside the issue of trusted entities turned malicious, having an
overarching trust framework could enable free interoperation among any set of devices and
networks. Such trust-based security solutions are commonly in use within limited domains, but an
enterprise-based framework does not scale globally, and bottom-up growth of infrastructure also
poses an obstacle to deployment. Below, we examine solutions that help in assessment of trust
and discuss their advantages and drawbacks.
Centralized, Monolithic Security
A globally centralized security solution is a potential approach. Currently, efforts are
being made to deploy single-provider, city-wide 802.11 network connectivity in a variety of
metropolitan areas [Google2005]. In theory, access to these services could be dependent on
accepting a universal security policy. Every mobile device and network would be confident that
all other entities would be constrained by that policy. This is conceptually a legitimate approach if
it can be achieved at a worldwide scale, except for the fact that it would be undesirable to invest
so much trust and power in one organization. This model creates a single point of failure which
threatens user privacy as well as system reliability.
In the absence of a global security framework and policy, as well as an enforcement
scheme, we need to devise frameworks for the dynamic establishment and assessment of trust in
order to verify communication channels and enroll securely into foreign environments. These
approaches are discussed below.
Certificate Hierarchies
The traditional distributed computing trust solution involves certificates. A certificate, in
its simplest form, is a public key signed by certificate authorities. Gaining or verifying trust using
certificates requires a hierarchy of certificate authorities. An ad hoc interaction could involve the
presentation of a certificate; if the recipient shares a common parent with the certificate owner at
some level in the hierarchy, a trust relationship can be established. Though this approach provides
a certain degree of trust in mobile and ubiquitous computing, it has serious drawbacks which limit
its use. First, given the bottom-up growth of ubicomp infrastructure, it is difficult to force
everyone to accept one particular certificate hierarchy, and the higher up the common authority
lies, the lower the value of trust becomes. Second, with a huge and unwieldy infrastructure,
revocation and updates will be very inefficient. Third, this does not handle cases where strangers
meet in a virtual bubble, possibly having no connection with a common trust authority. Last, and
most important, certificates in their basic forms (or the way they are currently used in web
transactions) are identity-based, and do not say anything more; every mobile device or network
has different concerns and priorities, and simply verifying that a particular authority has certified
the opposite party may not mean anything.

14
Peer-to-Peer Trust
Delegation has been proposed and used by various researchers to make the certificate
distribution and verification scheme less strictly hierarchical and more suited to dynamic mobile
environments. For example: entity A could delegate to entity B the right to issue certificates in
A’s name. Therefore, a delegated certificate issued by B could be trusted if A is a trusted source.
This scheme has the property of creating chains and webs of trust [Zimmermann1994], which
effectively form a peer-to-peer security framework that could be used as a basis for interaction.
Though more dynamic, decentralized, and more resilient to network partitions, this kind of
framework suffers from the same problems that afflict certificate hierarchies; it is difficult to
assess the value of a credential issued by any particular peer. What makes the issuer of the
credential trust a particular entity is not clear, especially if the distance along the chain between
the certificate owner and the examiner is long. Clearly these delegated credentials need to provide
more information than just identities. In this respect, we are building a voucher mechanism in
which a voucher can be provided by one entity to another, certifying certain properties such as
rights, group affiliation, and state. The use of a rights-delegating voucher is similar to SPKI
[RFC2693].
Closely associated with webs and chains of trust is the notion of reputation, which in
theory adds some more weight to the trust or confidence level in another party. Reputation is a
way of assessing the trustworthiness of entities based on what other known and trusted entities
say about them [Xiong2004]. If this were to work, it would be a strictly more reliable framework
than one based on identity. Reputation models have not seen much success due to the impact of
lying or colluding parties, and the huge number of variables involved in trust assessment
[Sen2002]. Still, this is one way of establishing an overarching web of trust that could potentially
cover most unplanned ubicomp interactions, and research in this area should be watched closely.
Role-based access control is a popular security framework adopted by open systems,
where privileges are tied to a defined role. In its simplest form, this kind of access control works
in the mobile context only if familiar entities interact. If strangers must interact securely, the
system must be augmented by some process of role determination. Given a common credential
vocabulary, a web of trust, and delegation permissions, privileges can be determined through a
recursive process of proof-building, as demonstrated in the dynamic RBAC model
[Freudenthal2002]. Combining role-based access control with delegation and trust chains has
been employed in ubicomp middleware like Centaurus [Kagal2001a] and Vigil [Kagal2001b]
[Kagal2002].
Quantitative Trust Models
Newer approaches have argued for a more dynamic notion of trust, and one that
reproduces the way humans interact among themselves, such as the Secure project [English2002]
[Cahill2003]. The dynamic nature of trust can be reproduced through the processes of trust
formation and trust evolution, both of which use the history of past interactions in the trust
evaluation functions. This project, as its basis, advocates making personal observations of an
entity’s behavior a part of the trust assessment function. A system for monitoring applications and
reacting to events [English2004] is based on such dynamic trust models. This is a promising
approach for managing dynamic environments, as it has the best potential for allowing secure
interactions among strangers. Apart from identifying the important features of a trust framework,
we need quantitative models to generate and make use of trust relationships. One approach could
be a unified model that uses both identity and contextual properties and which expresses trust as a
continuum [Shankar2002]. A different model attempts to model trust using probabilities, and in
addition proposes ways to interpret the information during the actual process of performing a

15
security-sensitive action [Jøsang1999].
We feel that dynamic trust models of the type discussed above hold great promise, and
indeed are some of the few trust frameworks that scale to ubicomp environments. We cannot of
course abandon identity and possession of certificates as a means of assessing trust; these are and
will be key mechanisms for trust building. Therefore, research must concentrate on producing
trust frameworks that make use of identity, properties, and observed results of actions. These
kinds of trust frameworks also form the basis of automated peer negotiation, which was discussed
earlier, and this is a promising research area that we are actively investigating.
4. Conclusion
We have discussed a wide spectrum of security and privacy issues that must be addressed
before we can trust our devices to perform automated tasks on our behalf in a mobile context.
Trustworthy and secure communication infrastructure is a prerequisite for secure mobile
computing. Our own mobile devices and the other devices they interact with in the environment
must have security and privacy solutions built in so that they can discover and access each other’s
resources even when connections are established in an ad hoc manner. In a ubiquitous computing
world, usability is of primary importance, and security and privacy solutions must be designed in
such a way that they preserve this property.
We have classified device-based solutions into three categories, roughly corresponding to
three layers of defense for a mobile or infrastructure-based device interacting in dynamic
circumstances with entities that may or may not be familiar. Each class of solutions has
drawbacks if employed in isolation. Resource or content protection mechanisms employed
without secure protocols for discovery and a trust basis either provides weak security (for
interactions with strangers) or does not scale and would require some amount of manual
configuration. Similarly, a secure negotiation protocol for sharing of resources without the
enforcement mechanisms at the resource access level or a trust basis is not a comprehensive
security solution. Trust frameworks without secure means of trust inference and enforcement at
lower levels do not provide much value. A hybrid of the three classes of approaches is required
for a scalable security solution, and for mobile devices to trust their surrounding environment and
service providers when interactions are required.
We have also identified a number of promising approaches that address security and
privacy challenges faced by mutually unknown entities interacting in an unplanned manner. We
envision secure enrollment schemes growing in importance. More applications inevitably lead to
more software vulnerabilities, and QED-like integrity analysis will be indispensable for halting
the spread of malware. Some flavor of negotiation will inevitably come into play when
interacting with strangers, since this promises to address the subtle balance required between
security, privacy, and usability. Trust frameworks that are not purely identity-based are the weak
point in today’s research, and further investigation in this area would be very welcome.
We can assume that decentralized operation and numerous unplanned interactions will be
predominant features of emerging ubiquitous computing systems. Dealing with unknown entities
and unplanned events will pose numerous challenges. By limiting the risks of exposure and
compromise at multiple levels, systems may remain secure, despite the dangerous and hostile
intent of others. Taking lessons from the approaches discussed in this paper, future security
framework designs must focus on risk minimization as a primary goal.

16
References
[Balfanz2002] D. Balfanz, D. K. Smetters, P. Stewart, and H. C. Wong, “Talking to Strangers:
Authentication in Ad-Hoc Wireless Networks.” NDSS 2004.
[Balfanz2004] D. Balfanz, G. Durfee, R. Grinter, D. K. Smetters, and P. Stewart, “Network-in-a-Box: How
to Set Up a Secure Wireless Network in Under a Minute,” USENIX Security 2004.
[Blaze1993] M. Blaze, “A cryptographic file system for UNIX,” 1st ACM Conference on Computer and
Communications Security, pages 9-16, November 1993.
[Blaze1998] M. Blaze, J. Feigenbaum, and M. Strauss, “Compliance Checking in the PolicyMaker Trust
Management System,” Proceedings of the Financial Cryptography Conference, Lecture Notes in Computer
Science, vol. 1465, pages 254-274, Springer, 1998.
[Blaze1999] M. Blaze, J. Feigenbaum, J. Ioannidis, and A. D. Keromytis, “The KeyNote Trust
Management System Version 2,” RFC 2704, September 1999.
[Borisov2001] Nikita Borisov, Ian Goldberg, and David Wagner, “Intercepting Mobile Communications:
the Insecurity of 802.11,” Proceedings of the 7th annual International Conference on Mobile computing
and networking, pages 180-189, July 2001, Rome, Italy.
[Brooks1997] R. Brooks, “The Intelligent Room Project,” Proceedings of the 2nd International Cognitive
Technology Conference, 1997, Aizu, Japan.
[Cahill2003] V. Cahill, E. Gray, J. Seigneur, C. D. Jensen, Y. Chen, B. Shand, N. Dimmock, A. Twigg, J.
Bacon, C. English, W. Wagealla, S. Terzis, P. Nixon, G. di Marzo Serugendo, C. Bryce, M. Carbone, K.
Krukow, and M. Nielsen, “Using Trust for Secure Collaboration in Uncertain Environments,” IEEE
Pervasive Computing, vol. 02, no. 3, pages 52-61, July-September, 2003.
[Cisco2003] White paper—“Network Admission Control Executive Positioning Document,”
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_white_paper0900aecd800fdd66.shtml.
[Corner2002] M. Corner and B. Noble, “Zero-Interaction Authentication,” Conference on Mobile
Computing and Networking (MobiCom), September 2002.
[English2002] C. English, P. Nixon, S. Terzis, A. McGettrick, and H. Lowe, “Dynamic Trust Models for
Ubiquitous Computing Environments,” Proceedings of Workshop on Security in Ubiquitous Computing,
Ubicomp 2002.
[English2004] C. English, S. Terzis, and P. Nixon, “Towards Self-Protecting Ubiquitous Systems:
Monitoring Trust-based Interactions,” Journal of Personal and Ubiquitous Computing, Volume 10, Issue 1,
December 2005, pages 50-54.
[Eustice2003a] K. Eustice, L. Kleinrock, S. Markstrum, G. Popek, V. Ramakrishna, and P. Reiher,
“Enabling Secure Ubiquitous Interactions,” Proceedings of the 1st International Workshop on Middleware
for Pervasive and Ad-Hoc Computing (in conjunction with Middleware 2003), 17 June 2003, Rio de
Janeiro, Brazil.
[Eustice2003b] K. Eustice, L. Kleinrock, S. Markstrum, G. Popek, V. Ramakrishna, and P. Reiher,
“Securing WiFi Nomads: The Case for Quarantine, Examination, and Decontamination,” Proceedings of
the New Security Paradigms Workshop (NSPW) 2003.
[Freudenthal2002] E. Freudenthal, T. Pesin, L. Port, E. Keenan, and V. Karamcheti, “dRBAC: Distributed
Role-Based Access Control for Dynamic Coalition Environments,” Proceedings of the 22nd International
Conference on Distributed Computing Systems (ICDCS
, IEEE Computer Society, July 2002.
[Gavriloaie2004] R. Gavriloaie, W. Nejdl, D. Olmedilla, K. Seamons, and M. Winslett, “No Registration
Needed: How to Use Declarative Policies and Negotiation to Access Sensitive Resources on the Semantic
Web,” Proceedings of the 1st First European Semantic Web Symposium, Heraklion, Greece, May 2004.
[Goodrich2005] M. Goodrich, M. Sirivianos, J. Solis, G. Tsudik, and E. Uzun, “Loud and Clear: Human-
Verifiable Authentication Based on Audio,” WISE 2005.

17
[Google2005] V. Kopytoff and R. Kim, “Google offers S.F. Wi-Fi—for free / Company’s bid is one of
many in response to mayo
call for universal online access,” http://www.sfgate.com/cgi-
bin/article.cgi?file=/c/a/2005/10/01/MNGG9F16KG1.DTL.
[Jøsang1999] A. Jøsang, “Trust-Based Decision Making for Electronic Transactions,” Proceedings of the
Fourth Nordic Workshop on Secure IT Systems (NORDSEC
, Stockholm, Sweden (Stockholm
University Report, pages 99-105, 1999.)
[Kagal2001a] L. Kagal, V. Korolev, H. Chen, A. Joshi, and T. Finin, “Centaurus: A Framework for
Intelligent Services in a Mobile Environment,” 21st International Conference on Distributed Computing
Systems Workshops (ICDCSW
, April 16 - 19, 2001, Mesa, Arizona.
[Kagal2001b] L. Kagal, T. Finin, and A. Joshi, “Moving from Security to Distributed Trust in Ubiquitous
Computing Environments”, IEEE Computer, December 2001.
[Kagal2002] L. Kagal, J. Undercoffer, F. Perich, A. Joshi, and T. Finin, “A Security Architecture Based on
Trust Management for Pervasive Computing Systems,” Proceedings of Grace Hopper Celebration of
Women in Computing, 2002.
[McCune2005] J. M. McCune, A. Perrig, and M. K. Reiter, “Seeing is Believing: Using Camera Phones for
Human-Verifiable Authentication,” IEEE Symposium on Security and Privacy, 2005.
[Necula1997] G. Necula, “Proof-Carrying Code,” Proceedings of the 24th Annual ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Langauges (POPL
, January 1997.
[Nejdl2004] W. Nejdl, D. Olmedilla, and M. Winslett, “PeerTrust: Automated Trust Negotiation for Peers
on the Semantic Web,” Secure Data Management 2004, pages 118-132.
[RFC2693] C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen, “SPKI Certificate
Theory.”
[Román2002] M. Román, C. Hess, R. Cerqueira, A. Ranganathan, R. Campbell, and K. Nahrstedt, “Gaia: A
Middleware Infrastructure to Enable Active Spaces,” IEEE Pervasive Computing, pages 74-83, Oct-Dec
2002.
[Sen2002] S. Sen and N. Sajja, “Robustness of Reputation-Based Trust: Boolean Case,” Proceedings of
the First International Joint Conference on Autonomous Agents and Multiagent Systems: part 1, July 15-
19, 2002, Bologna, Italy.
[Shankar2002] N. Shankar and W. A. Arbaugh, “On Trust for Ubiquitous Computing,” Invited paper in
Workshop on Security for Ubiquitous Computing, UBICOMP, October 2002.
[Stajano1999] F. Stajano and R. Anderson, “The Resurrecting Duckling: Security Issues for Ad-hoc
Wireless Networks,” 7th International Workshop on Security Protocols, Cambridge UK, 1999.
[Waldo1999] J. Waldo, “The Jini Architecture for Network-Centric Computing,” Communications of the
ACM, Vol. 42, No. 7, pages 76-82, 1999.
[Weiser1991] M. Weiser, “The Computer for the 21
st
Century,” Scientific American 265(30), pp. 94-104,
1991.
[Winslett2002] M. Winslett, T. Yu, K. E. Seamons, A. Hess, J. Jacobson, R. Jarvis, B. Smith, and L. Yu,
“Negotiating Trust on the Web,” IEEE Internet Computing, Nov-Dec 2002.
[Winslett2003] M. Winslett, “An Introduction to Trust Negotiation,” 1st International Conference on Trust
Management, Crete, Greece, May 2003.
[Wright2003] C. P. Wright, M. Martino, and E. Zadok, “NCryptfs: A Secure and Convenient
Cryptographic File System,” Proceedings of the Annual USENIX Technical Conference, pages 197-210,
June 2003.
[Xiong2004] L. Xiong and L. Liu, “PeerTrust: Supporting Reputation-Based Trust in Peer-to-Peer
Electronic Communities,” IEEE Transactions on Knowledge and Data Engineering (TKDE), Special Issue
on Peer-to-Peer Based Data Management, 2004.

18
[Zimmermann1994] P. Zimmermann, “PGP User’s Guide,” MIT, October 1994.
[Zhu2005] F. Zhu, W. Zhu, M. W. Mutka, and L. M. Ni, “Expose or Not? A Progressive Exposure
Approach for Service Discovery in Pervasive Computing Environments,” PerCom 2005, pages 225-234.

1
Mobile Handset Authentication and Authorization in Distributed
Wireless Environments
Pankaj Aggarwal Kartikeya Tripathi Janise McNair Haniph Latchman
Dept. of Electrical & Computer Engineering
University of Florida
P.O. Box 116130, Gainesville, FL 32611
Phone: +1-352-392-2629,Fax: +1-352-392-0044
Email: mcnair@ece.ufl.edu
Abstract
This paper develops and analyzes a novel scheme for mobile handset authentication and autho-
rization in a geographically wide spread area spanning the coverage of multiple network service
providers. The existing technology provides for roaming for a mobile node by the exchange of
a large number of control signals between the foreign network and mobile node, and between
foreign network and home network for authentication and authorization. Such a large amount
of information exchange is vulnerable to eavesdropping and malicious attacks. Our scheme pro-
vides a lesser number of transactions for this purpose and incorporates multiple layers of security
against hacks. First, the mobile device is equipped with an encrypted bit sequence that contains
its authentication and authorization information. Then, when it moves into the domain of a for-
eign network, its bit sequence is read in order to provide it with the appropriate services. By
doing this, the procedure eliminates the need for the foreign network to communicate with the
home network for establishing the mobiles identity. We show, through Op-Net simulations, its
effectiveness by comparing the authentication time between the existing set up and the proposed
scenario.
Keywords: wireless, cellular, mobility, paging, handoff, Mobile IP
I. I
NTRODUCTION
With the arrival of third generation technologies in the world of mobile and cellular sys-
tems and a growing user base demanding reliable and high data rate Internet and multi-media
based services (both commercial and personal), extensive business deals between various service
providers for anywhere-anytime coverage have begun to be forged [1]. Security from a wireless
networks perspective has to be addressed in all layers of the system. For example, in modern
wireless systems, Content Provider, Service Provider, Carrier Provider and User represent dif-
ferent players in business chain. Different mechanisms are used to secure these layers in terms

2
of open system interconnection (OSI) model, where IP spoofing is an attack at network layer,
sniffing is at physical layer and data link layer and viruses enter through application layer. AAA
(authentication, authorization, and accounting) is one of the areas of the security architecture that
is needed at several layers, including the network layer and the application layer. AAA schemes
maintain the status of the user in a network in terms of letting the right people use the services
they are entitled to use, and maintaining log of their usage for billing purposes [2]. Authentica-
tion establishes the identity of a user to check if that user is actually recognized by the system. It
is based on password-oriented access to services. Authorization, checks precisely which services
the user can access. Accounting is a tab of how long the service has been used.
In a centralized security architecture, the home network maintains a database of all users,
so that a mobile node (MN) visiting a foreign network (FN) is always authenticated by home net-
work (HN). Legacy wireless networks, such as GSM, are based on this centralized architecture
implemented by the visitor and home location registers (VLR/HLR) and by the authentication
center (AuC). This architecture requires heavy signaling traffic in the backbone network, and
information exchange between the location registers, leading to a large overhead and drop in
throughput. As a result, the issues of seamless inter-network handoffs in conjunction with the
problems of eavesdropping and service theft are now being dealt with comprehensively [3], [4].
Current research focuses onthe optimization of this exchange between foreign network and home
network during the time of a handoff [5], [6]. This paper investigates a mobile-assisted authenti-
cation protocol that reduces the involvement of inter-system information exchange between loca-
tion registers by employinga unique code for each user that can be exchanged locally between the
user and a foreign network. Section II reviews existing authentication techniques, many of which
have evolved from the GSM system. Then, Section III gives the overview of the Mobile Assisted
Bit Sequence Authentication and Authorization (MABSAA) protocol. Section IV discusses the
procedure to acquire the MABSAA bit sequence, and the key management scheme. Section V
outlines the simulation approach, and Section VI shows the results. Section VII concludes the
paper.
II. R
ELATED WORK ON AUTHENTICATION ARCHITECTURES
GSM authentication is based on a challenge-response mechanism that employs secret key
algorithms. For each subscriber, the HLR stores authentication information in the form of a
triplet, consisting of a subscriber-unique random challenge (RAND), and expected signature re-
sponse (SRES), and a cipher-key. To authenticate a mobile node, the home network transmits a
non-predictable number RAND to the mobile node, which then computes the signature using the
”A3” algorithm and a secret key. The mobile node then transmits the signature back to the ne-

3
Internet
GGSN
SGSN
RNC
WLAN Gateway
HSS
3GAAA
server
Tight
coupling
Loose
coupling
Node B
AP
AP
AP
MT
HLR
GGSN: Gateway GPRS service node
SGSN: Serving GPRS support node
RNC: Radio network controller
HSS: Home subscriber server
HLR: Home Location register
Fig. 1. Mobile Architecture
towrk,which tests it for validity. When a mobile node is in a foreign network, the HLR can use the
triplet to validate the node without revealing the secret key to the VLR. The mobile node sends its
International mobile subscriber identity(IMSI) to the VLR, which then contacts the correspond-
ing HLR to request the triplet. The HLR forwards the triplet after validating the VLR with the
authentication center. The VLR can then send the challenge to a mobile node, which generates
its response and sends it to VLR. The VLR can compare the response from the mobile node to
the response included in the triplet. Matching reponses allow the VLR to authenticate the mobile
node. UMTS employs a similar authentication procedure, based on the 3G architecture, shown
in Figure 1. The authentication and key agreement procedures now involve the user subscriber
identity module (USIM), the serving gateway support node (SGSN) , and the GSM authentication
center (AuC/HLR). In addition, authentication is segregated between the circuit-switched mode
of UMTS and the packet-switched mode of UMTS, with independent authentication mechanisms
being carried out, respectively.
A signifcant issue that arises out of distributed networks is the presence of unknown users.
In the GSM and UMTS systems described above, each user is known and catalogued by the ne-
towrk. In future integrated wireless systems, such as 3G/WLAN, unknown users may gain access
to the UMTS infrastructure through the WLAN network. Thus, authentication now must occur at
the WLAN level, as well as the UMTS level. The European Telecommunications Standards In-
stitute (ETSI) specifies two generic approaches for interworking 3G/WLAN: loose coupling and
tight coupling [7], as shown in Figure 1. With loose coupling the WLAN bypasses the UMTS
core network, and directly connects to Internet. In this case, UMTS and WLAN use different
mechanisms to handle authentication, mobility and billing. The WLAN is able to access the sub-
scriber databases in the UMTS network for security, billing, etc, but has no data traffic interface

4
to UMTS core network. In tight coupling approach, the WLAN is connected to the UMTS core
network via the Serving GPRS Support Node (SGSN) in the same manner as any other radio
access network (RAN), such as GPRS RAN and UMTS terrestrial RAN (UTRAN). The WLAN
gateway implements all the UMTS protocols required in UMTS terrestrial radio access network
(UTRAN). Thus, the WLAN data traffic goes through the UMTS core network before reaching
the external data network. As a result, the mechanisms for mobility and AAA in the UMTS core
network can be reused directly over the WLAN.
Finally, as the popularity of the Internet Protocol becomes a growing force in mobile
and wireless networks, we discuss the authentication techniques for Mobile IP. In Mobile IP
with AAA Extensions, a local AAA server (AAAL) in in a subnet shares a security association
with a home AAA server (AAAH) of the roaming mobile node, so that the AAAL can securely
transmit mobile node’s credentials. In this configuration, the local and the home authority share
the trust relationship. Depending on the security model used, this configuration can cause a
quadratic growth in the number of trust relationships, as the number of AAA authorities (AAAL
and AAAH) increases. (This has also been identified as a problem by the roamopsworking group
[8].) Using brokers is a possible solution to the scalability problems associated with requiring
direct business/roamingrelationships between every two administrativedomains. In order to pro-
vide scalable networks in manyservice providers and large numbers of privatenetworks, multiple
layers of brokers should be used. AAA Extension with Mobility Support has also been proposed
for seamless Internet roaming and mobility support in combination with AAA extensions for
inter-domain roaming among networks [9], [10]. In this architecture, mobility support is inte-
grated with AAA functions through carefully designed signaling messages.
In this paper, the goal of the MABSAA architecture is to reduce the overhead and back-
ground signaling involved in the related techniques. The reduction in signaling will not only
reduce interference and increase throughput, but will also increase security for control signaling
operations. In the next section, the MABSAA architecture is described.
III. MABSAA A
RCHITECTURE
The new Mobile Assisted Bit Sequence Authentication and Authorization (MABSAA) is
based on a simple idea that information about the user is encrypted in the mobile node in the form
of a pre-defined sequence of bits set in its memory. This sequence follows a fixed format [11], and
the bits are set by the home network at the time of purchase of the device, or can be reconfigured
by home network if required. Each segment of the sequence signifies some attribute of the user
in terms of its identity and privileges. When the mobile user wanders into the coverage area
of a foreign network that has a business association with the home network, the user can be

5
Fig. 2. Difference between MABSAA and Centralized Architecture
authenticated by the foreign network. The foreign network reads the users bit sequence, decrypts
it on the basis of a shared secret key, and provides services accordingly.
Figure 2 shows the basic difference between MABSAA and the common procedures of
existing systems like GSM and UMTS, in terms of the extent of signaling issued when a mobile
user visits a foreign network. Specifically, in the existing system, there are four sets of messages
being exchanged between the mobile, the foreign network and the home network:
1) Between the mobile and the foreign network, the mobile’s Electronic Serial Number (ESN)
and Mobile Serial Number (MSN).
2) Between the foreign network and the home network, confirmation of the identity of the
user and the types of services allowed for the user.
3) Between the home network and the foreign network, after the home network has processed
the look-up request and updated its location database.
4) Between the foreign network and the user, to conform service, after having received infor-
mation from home network and updated its visitor database.
In comparison, the MABSAA approach has the following sets of message exchanges:
1) Between the mobile node and the foreign network, through the mobile’s MABSAA se-
quence.
2) Foreign network processes the sequence, and grants access to the user right away (if it
can). Simultaneously, the foreign network informs the home network of the presence of
this node. This parallel processing significantly reduces the time of authentication from the

6
Fig. 3. MABSAA Bit Sequence Encapsulation by a Software Interface
sequential nature of the existing system.
IV. S
EQUENCE ACQUISITION AND KEY MANAGEMENT
The MABSAA bit sequence is both readable (by the home network and any authorized
foreign network) and writable (only by the home network- in case some of the privileges have
to be changed). To facilitate these operations, and to prevent accidental or malicious access to
the sequence, it is encapsulated by a software interface that acts as an upper layer, as shown in
the Figure 3. The interface has two Access Codes - one that can be matched only by the home
networkand the other that can be matched by any legitimate foreign network. The home networks
code opens a read/write port to the bit sequence, and the foreign networks code opens a read-only
port. On proper authorization (authentication), the interface either transmits the encrypted bit
sequence or changes it. The foreign network requires the access code for the interface (all the
foreign networks are giventhe same code), and a secret keywith which to decrypt the received bit
sequence. So any network in contract with several other networks will have the guests network
ID, the access code from that network, and the shared secret key from that network.
To buttress the security in MABSAA against the possibility of interception of the decryp-
tion key, the home network periodically changes the encryption key for its set of mobile nodes,
when ever they are in range. The home network also distributes the new key to other partner for-
eign networks. In case the mobile node is not present in its home network, it will be bookmarked
for change whenever it comes in the home network territory. The foreign network maintains both
the present key and the old key for a guest network. When a visitor mobile node comes in, the
latest key is used first to decrypt the bit sequence. If the mobile node hasnt had its bit sequence
rewritten in accordance with the new key, the foreign network would not be able to read it. In fact
it would recognize the fallacy of the decryption by the garbled network ID that doesnt match any

7
Fig. 4. OPNET Configuration
existing guest networks ID. Then the previous key will be applied to the sequence for decryption.
This way, the exchange of bit sequence will be more reliable and less prone to hacker intrusions.
V. S
IMULATION DESCRIPTION
To test MABSAA, we simulated the office enterprise architecture of OPNET with 4 office
buildings, each having a single wireless local area network (WLAN) subnet. This is shown in
Figure 4(a). Each subnet has a wireless access point that serves all of the resident mobile devices.
It has the IP Gateway Function enabled with OPNET default Ethernet parameters, IGMP and
TCP parameters. The WLAN has a data rate of 1 Mbps with frequency hopping spread spectrum
physical characteristics and has a receive lifetime of 0.5 seconds.
Each subnet supports 20 mobile devices, each of which supports MABSAA traffic. Each
subnet also supports WLAN server running on SUN Ultra 10 333 MHz simple CPU. This server
acts as a MABSAA authentication server. Therefore, a MABSAA server in that WLAN authen-
ticates every mobile node in a particular subnet (thereby simulating a collection of home and
foreign networks). The mobile terminals can access each of the servers with equal probability.
All the nodes were configured as sources of HTTP, FTP and E-mail traffic. Nodes were mod-
eled so that their traffic starts after the authentication phase. The subnet architecture is shown in
Figure 4(b).
For the purpose of comparison, both MABSAA as well as Secure Socket Layer (SSL) are
generated.

8
A. MABSAA Traffic
MABSAA traffic is modeled based on the sequence of information flow presented in Sec-
tion III. The mobile device, on entering the foreign network, sends a hello message. The authen-
tication server then replies by access codes. Depending upon the validity of access codes, mobile
device sends the encrypted bit sequence. After receiving encrypted bit sequence, authentication
server decrypts the bit sequence using the secret key.
OPNET custom application design is used for traffic modeling. It comprises a hierarchy
of objects. At the bottom of the hierarchy is the task, which is a basic unit of user activity
within the context of the application. In MABSAA modeling a single task, known as MABSAA
Authentication, is considered. Included in a task is a phase, which is an interval of related activity,
e.g. a data transfer process. A task specification is a table that describes the sequence of phases
and steps involved in a task. The next step in the hierarchy is an application. The application
epitomizes a software product that is used to perform a task. At the top of the hierarchy lies
the profile definition. The profile determines the manner of execution of the application, and on
which objects it is executed. In MABSAA Authentication, six different phases, as shown in the
Table V-A, are designed. These phases executes sequentially one after another.
Phase Name Source Destination
Initial Setup MABSAA Client MABSAA Server
Server Access MABSAA Server MABSAA Client
Client Processing MABSAA Client Not Applicable
Client MABSAA BitSeq MABSAA Client MABSAA Server
Server Processing MABSAA Server Not Applicable
Final Setup MABSAA Server MABSAA Client
TABLE I
PHASES OF MABSAA ARCHITECTURE
Table V-A presents the parameters of the MABSAA traffic model. The Request Packet
Size was a major factor in the network traffic. It was dependent on the data being transmitted
over the network for a particular phase.
B. SSL Traffic Comparison
The MABSAA protocol is compared with OPNETs secure sockets layer (SSL) applica-
tion. SSL has become the de facto standard for secure communications between end users and

9
Attributes Values
Initialization Exponential(0)
Request Count Constant(1)
Inter-request Time Constant(0)
Request Packet Size Constant (1024)
Packets per Request Constant (1)
TABLE II
TRAFFIC CHARACTERISTICS
Internet sites, and today, SSL support is built into virtually every browser. The SSL protocol
includes two sub protocols - the SSL handshake protocol and the SSL record protocol. Both
provide authenticated, confidential and tamper-resistant connections to applications, particularly
HTTP. SSL’s footprint fits into the Internet’s processing stack, above TCP/IP and below the ap-
plication layer without significantlyaffecting the other protocol layers. OPNETs SSL application
simulates the SSL Handshake protocol that authenticates the client and the server. The messages
involved authenticate the server and the client to each other, and allow the client and the server to
select cryptographic algorithms and the level of security that they want. Sequences of messages
in the SSL model are:
1) Initial Setup
2) Processing in FN
3) Contact HN of Mobile Node
4) Processing by HN
5) Transmit to FN
6) Processing by FN
7) Final Setup
VI. OPNET S
IMULATION RESULTS
The first set of results, shown in Figure 5, describes the parameters related to the MAB-
SAA authentication traffic. The traffic generated by the MABSAA can be categorized as the traf-
fic received from the MABSAA server to the mobile node, and the traffic sent from the mobile
node to the MABSAA server. The graph shows that initially when all the 20 nodes are unauthen-
ticated, traffic generated is much greater than the traffic generated in the middle of the simulation,
where any node, randomly picked, is getting authenticated. This also shows the maximum traffic
generated is equals 1109 bytes per sec.

10
Fig. 5. MABSAA Signaling Traffic
Statistic Average Maximum Minimum
Data Dropped 0 0 0
Delay (sec) 0.128 0.0420 0.0077
Load (bps) 98115 344164 1604
Throughput 84362 316740 802
TABLE III
WLAN STATISTICS DURING MABSAA ARCHITECTURE
Fig. 6. MABSAA Scenario Load and Delay
Table VI shows the load in bits/sec when the FTP, HTTP and E-mail traffic is in the
network. It can be seen that no data was dropped. Hence, it can be assumed that the resending of
any of the packets did not generate the network load.

11
Fig. 7. Comparison between MABSAA and SSL Scenarios
Figures 6(a) and (b) show the average load and average delay due to MABSAA traffic,
respectively.
The comparison between MABSAA and SSL scenarios is shown in Figures 7 (a) and (b)
respect to the same metricsof load and delay. These clearly show that delay in MABSAA scheme
is less than SSL. This initial delay corresponds to authentication time of the system. However
with the lowering of authentication time, total load on the system is increased. For example,
Increase in the load = 98115 88367 = 9748 (bytes/sec)
Percentage increase in load = 9748/98115 = 11.03 %
Decrease in authentication time = 0.0149 - 0.0128 = 0.0021(sec)
Percentage decrease in authentication time 0.0021/0.0149 = 14.09%.
With the increase in 11.03% load on the overall system, total authentication time is de-
creased by 14.09%.
VII. CONCLUSION
The goal of MABSAA is to significantly optimize resource utilization. As mentioned
earlier, the current methodologies require the exchange of control and identification messages
between home and foreign networks, apart from the extensive data base management for location
databases. Our technique will not only limit the use of bandwidth for sending such signals and the
delays incurred therewith, but also reduce the infrastructural and maintenance costs. In addition,
the fact that the foreign network can simultaneously perform the two steps of providing services
to the user and informing the home network of the users presence will cause the system to be
much quicker. Extensive simulation scenarios that compare the performance of a typical wireless

12
communicationsystem with MABSAA and other data exchange schemes usually employed show
clearly the advantage in terms of time to authentication for roaming users. This benefit gains
significance in the context of time sensitive applications like multimedia and VoIP.
R
EFERENCES
[1] L. Robert, N. Pissinou, and S. Makki, “Third generation wireless network: The integration of gsm and mobile ip,” in IEEE
Wireless Communicaitons and Networking Conference (WCNC), September 2000, vol. 3, pp. 1291–1296.
[2] Internet Engineering Task Force, Authentication, Authorization and Accounting (AAA) Transport Profile, February 2006,
available here: <http://www.ietf.org>.
[3] W. Stallings, Cryptography and Network Security, Prentice Hall, 4 edition, 2006.
[4] J. McNair and F. Zhu, “Vertical handoffs in multi-network fourth generation (4g) environments,” IEEE Wireless Communi-
cations, vol. 11, no. 3, pp. 8–15, June 2004.
[5] A. Platt, “Cost implications of mobility management,” in IEEE Colloquium on NetworkingAspects of Radio Communication
Systems, 1996, pp. 1–5.
[6] H. Kim and H. Afifi, “Improving mobile authentication with new aaa protocols,” in IEEE International Conference on
Communications (ICC), 2003, pp. 497–501.
[7] European Telecommunications Standards Institute(ETSI), Requirements andArchitectures for Interworking betweenHiPer-
LAN/3 and 3rd Generation Cellular S7-ystems, August 2001, Technical Report ETSI TR 101 957.
[8] B. Aboba and G. Zorn, “Criteria for Evaluating Roaming Protocols,” RFC 2477, December 1998.
[9] M. Barton, D. Atkins, J. Lee, S. Narain, D. Ritcherson, K.E. Tepe, and K.D. Wong, “Integration of IP Mobility and Security
for Secure Wireless Communications,” in 2002 IEEE International Conference on Communications,, 2002, pp. 1045–1049.
[10] M. Cappiello, A. Floris, and L. Veltri, “Mobility amongst Heterogeneous Networks with AAA Support,” in IEEE ICC
2002, 2002, vol. 4, pp. 2064–2069.
[11] P. Aggarwal, K. Tripathi, J. McNair, and H. Latchman, “Mobile assisted bit sequence authentication and authorization,” in
Int’l Conference on Cybernetics and Information Technologies, Systems, and Applications, July 2004.

Session 4
Ad Hoc and Sensor Networks

Hardware/Software Solution to Improve Security in Mobile Ad-hoc
Networks
Sirisha Medidi and José G. Delgado-Frias
School of Electrical Engineering and Computer Science
Washington State University
Pullman, WA 99164-2752
Abstract: In this position paper, we advocate for developing comprehensive software/hardware
techniques to mitigate the effects of malicious nodes – these techniques must be integrated into
routing protocols. The techniques include novel hardware monitoring schemes. One fundamental
issue that needs to be addressed is how to secure these networks while guaranteeing a level of
performance. We believe that research in this field needs to be focused on two major thrusts: (i)
detection, identification and isolation of malicious nodes by software/hardware techniques and
(ii) secure, Quality-of-Service-aware routing. Involving different layers of the protocol stack,
identifying interdependencies of the problem solutions to fine-tune them, and using independent
hardware monitoring schemes could accomplish these objectives. The proposed multi-layer
software/hardware approach will greatly enhance ad-hoc networks security.
Key Words:
secure communication, malicious nodes, secure routing
1. Introduction
Ad hoc networks are the preferred means of communication where infrastructure is not
available in hostile environments for information gathering and time critical decision-making
activities. Additionally it would helpful if networks are able to support secure communication
while maintaining a high level of network performance. Ad hoc networking opens up a host of
security issues, including: (1) Wireless links are especially vulnerable to eavesdrop. This may
give an adversary access to secret/private information. (2) Establishing trust among the
communicating parties is difficult. There is no centralized infrastructure to manage and/or to
certify trust relationships. This is compounded by the fact these networks are often very dynamic
–with nodes free to join and leave at will– and thus having network topology and traffic changing
dynamically. (3) Malicious nodes are difficult to identify by behavior alone. Many perfectly
legitimate behaviors in wireless networking may seem like an attack. (4) Selfish behavior or node
misbehavior is also likely. Due to node limitations/constrains nodes may opt to go into selfish
mode.
Achieving security for ad-hoc networks - To achieve a secure ad-hoc network will
undoubtedly require a more comprehensive approach with more sophisticated resources that are
integrated into the information-gathering strategies of wireless ad-hoc routing protocols. The
proposed approach takes a thorough look at secure wireless ad-hoc networking from a real-time
perspective. We propose to incorporate design for security (or design for intrusion-intolerance) as
an integral part of the ad-hoc networks operational specification. The integration includes
augmentation of protocols with security and Quality-of-Service (QoS) primitives. Rather than
relying on technologies designed for wired networks and currently implemented at the network
layers on wireless systems, we believe that multiple strategies are needed to make ad-hoc systems
wireless-aware, efficient, and secure.
Handling malicious or unreliable nodes. There are three steps in handling a malicious
node: detect malicious behavior, identify the malicious node, and remove the undesirable node

from the network or otherwise cope with it. Ideally techniques to mitigate the effects of malicious
or unreliable nodes should: (i) require no modification to protocols, (ii) work with existing
routing protocols, (iii) have minimal or no security associations that require the cooperation of
other nodes in the network, and (vi) not contribute itself for further attacks on the communication
and the routing protocols.
Hardware Monitor. Behavior monitoring by software alone definitely is effective in the
detection mechanism. However, false positives could be higher due to the evolving nature of the
ad-hoc networks. To have a control on this issue and to further enhance the security of the
network, a hardware monitor that provides information to the software layers that is independent
of the node’s software would be extremely valuable. The hardware monitor should ideally
provide the software layers information about: (i) malicious packet drop, (ii) malicious misroute,
and (iii) bogus routing information.
Routing problems. Spurious route requests by malicious nodes could cripple the
network by introducing broadcast-storm and route-reply storm problems. It is desirable to find a
route that has a higher likelihood of surviving over a period of time in spite of node mobility and
that has better network resources. Providing routes that are stable based on route statistics could
reduce communication disruption time. For effective performance, one needs these features in the
routing protocol (all must be energy-efficient): (i) mechanisms to distinguish between false and
valid route requests, (ii) ability to adapt to dynamically changing QoS requirements such as
battery life, signal strength, bandwidth and latency, and (iii) adaptive mechanisms to detect
intrusions and non-cooperative or selfish behavior.
cache monitor
Routing
algorithm
Software
monitor
Upper
layers
Routing
Hardware
monitor
Node’s
hardware
Node i
Routing
algorithm
Software
monitor
Upper
layers
Node j
Figure 1. Relationship between software/hardware monitoring and routing
Our Approach. Once undesirable behavior is detected, the malicious nodes will be
identified and isolated: doing this leads to secure and QoS-aware routing protocols that strengthen
the process of identifying and isolating undesirable nodes. The strength of our approach lies in
our ability to incorporate a hardware-monitoring scheme, which is independent of software
monitoring techniques. This in turn provides a considerable advantage over existing hardware
only or software only techniques. The proposed research aims at developing solutions for
misbehavior detection for datagram traffic in addition to the common techniques that are based on
TCP (transport control protocol) traffic without any additional security associations that is more
common in other solutions. The status information from the hardware monitor will be effectively
used in routing decisions to improving the network security as well as the performance.

2. Background and Related work
2.1 Detection, Identification, and Isolation of Malicious Nodes
“Watchdog” [4] is a technique in which each node “snoops” the retransmission of every
packet it forwards. If the watchdog detects that a node has not correctly retransmitted the packet,
it raises a warning. This requires omni-directional antennas. We developed an unobtrusive
monitoring technique [1,2,3], which relies on readily available information at different network
levels to detect malicious nodes. The strength of the method is that a single source node can use it
without relying on others, making it easy to implement and deploy. Further, there is also no need
for security associations between the nodes. Local data such as route request and route error
messages, ICMP time exceeded and destination unreachable messages, and TCP timeouts are
used to detect misbehavior. Finally, the information is processed to determine if any malicious
activity is taking place. In case of undesirable activity, the node is alerted so that it can act.
Currently the technique can identify Byzantine faults such as packet drop attack and misrouting.
Experiments were conducted using an ns-2 network simulator (details in [1,2,3]). The detection
effectiveness improves with increase in the percentage of malicious nodes.
We have proposed techniques to improve the performance of nodes in a network by
means of novel hardware. This includes buffer schemes that use more efficiently the buffer space
in a multiple port node [6]. We proposed an original high-performance cache technique for
routing [7,8,9]. This technique takes advantage of temporal and geographical locality of packets.
T. Chiueh and P. Pradhan [10] proposed to use a conventional cache; this approach has problems
with collations due to its associativity limitations.
2.2 Secure and QoS-aware Routing
To achieve optimal availability, routing protocols should be robust against both
dynamically changing topology and malicious attacks. Routing protocols proposed so far do not
handle security and quality of service with in the same protocol. Routing protocols proposed for
ad-hoc networks cope well with a dynamically changing topology [11], but none can defend
against malicious attacks. We proposed a source-initiated ad-hoc routing protocol (QuaSAR)
[12] that adds quality control to all the phases of an on-demand routing protocol. QuaSAR gathers
information about battery power, signal strength, bandwidth and latency during route discovery
and uses it in route choosing. Also, our approach has proactive route maintenance features in
addition to the reactive maintenance. Simulation experiments confirm that QuaSAR performs
better than Dynamic Source Routing (DSR) in terms of throughput and delivery ratio [12].
3. Comprehensive Software/Hardware Schemes for Security in Ad-hoc Networks
In this section we present our proposed approach to security and QoS in Ad-hoc networks. We
have divided this proposed research ideas into two broad categories: (i) Misbehavior detection,
identification and isolation of malicious nodes, and (ii) Secure, QoS-aware routing.
3.1 Detecting Misbehavior, identifying and Isolating Malicious Nodes
3.1.1 Software Monitoring
The algorithms we have developed for misbehavior include detection of packet dropping
and packet misrouting done offline by analyzing the simulation traces. Algorithms to detect

attacks on routing protocols also need to be developed. Techniques such as varying both detection
interval and alert threshold will decrease false positives. To further generate triggers for potential
attack scenarios or intrusions on the routing protocol, one can use a model-based pattern analysis
technique that is loosely based on an expected model of behavior of the routing protocol being
used. This can be done modeling the protocol activities as a finite state machine, identifying the
sequence of unusual state changes, and getting information from the hardware monitor. Certain
learning mechanisms will be incorporated to help with identifications. These techniques will help
detect both non-cooperative and selfish behaviors such as nodes that refuse to provide routing
service to others (perhaps to conserve battery power) but also ask for and accept service when in
need. Experimental results from ns-2 simulations can be used to fine-tune the system. One good
way to identify malicious nodes is for each node to initiate the identification process by itself. We
can use TCP time out, ICMP destination unreachable message, and route error messages to
narrow the malicious node to a set of two nodes. Once the malicious nodes are identified, the
source nodes can use this information in their routing decisions.
3.1.2 Hardware Monitoring
We propose a novel hardware based node monitoring approach. In this approach a
number of monitoring schemes are implemented in hardware. These monitors are kept
independent from the nodes software. The hardware schemes observe traffic within the node,
status of queues, and status of neighboring nodes.
The hardware monitor provides information about the nodes potential underperformances
to neighbors. The information that is passed on to other nodes includes: packet drop rate above a
preset threshold, input queue full rate, and routing modification. Software solutions to identify
communication paths that may include a malicious node in Ad Hoc networks are usually good.
But, these solutions have problems in pinpointing the exact node that is misbehaving. In these
cases, the proposed hardware monitoring technique can help software to identify these nodes and,
above all, the potential cause of the problem.
Hardware detects the malicious behaviors through the mechanism called internal
monitoring. A hardware monitor observes the behavior of the node’s software and reports to
neighboring nodes accordingly. When a software layer drops packets, the hardware monitor
determines the drop rate and reports this if the drop rate reaches a pre-defined threshold value to
other nodes in the same Ad Hoc network. The assumption is that all the mobile nodes have the
proposed hardware.
The implementation of internal monitoring is through an adaptive counter that records the
packet-dropping rate of the software layers. The counter registers the number of packets drop
during a given period of time. If the counter reaches a threshold value, a reporting mechanism is
triggered. Both the period of time and threshold are adaptive. They can be adjusted according to
the traffic and other factors. For example, the detection period could be shortened for a heavy
burdened node.
Another hardware monitor checks the input buffer to determine the time that this buffer is
full. This is an important issue since packet dropping may be due to lack of memory resources. If
the time that the buffer is full is higher than a threshold value, the hardware will report this to
other nodes. This in turn will indicate to the other nodes that the current node is handling many
packets and it is not a malicious node.
3.1.3 Software/Hardware Monitoring
The software monitoring will enable us in detecting, identifying and isolating malicious
nodes. Through the help of hardware monitoring, the software layer will be assisted to make a
more precise determination of malicious nodes and the causes of potential problems. The

software layer will determine the actions that need be taken to avoid malicious nodes and to
improve throughput, quality of service, and/or reliability.
It should be pointed out that hardware flow monitor makes no decisions rather it provides
independent information to its own node and adjacent nodes. Novel algorithms are going to be
developed that take into account this additional information. Since there is a new independent
source of information, the new algorithms for detecting, identifying and isolating malicious nodes
will be more precise with far fewer false positive outcomes. Our groundwork on this project has
yielded extremely positive results that need be fully studied and integrated in the proposed
research.
3.2 Secure, QoS-aware Routing
3.2.1 Software Techniques
To achieve IETF (Internet Engineering Task Force)-compatible protocol specification of
the secure routing, we propose extensions of DSR that encapsulate source routing capabilities, but
with minimal changes and overhead. Messages such as route request (RREQ) and route reply
(RREP) need to be augmented to reflect the malicious nodes or suspicious activity by the nodes in
the path, and also quality of service requirements. Above and beyond format specification, a key
technical challenge lies in managing RREQ implosion (the “broadcast storm” problem). Some
of the techniques we employed in quality of service routing [12] can apply to secure routing. A
second issue is the route reply storm problem that is created due to the number of routes that are
sent back to the source. Selective route replies that we developed in [12] can be adapted to
alleviate this problem. A third issue is that there needs to be a proactive mechanism to preempt
route breaks arising due to signal strength weakening (when the mobile node moves out of range),
battery power depletion, and memory shortage (node becomes selfish and drops packets). One
way to address this is to send a route change request (RCR) to find a new route. In [13], a
proactive mechanism is proposed to preempt route breaks based on signal strength measurements.
This idea can be enhanced to also include route breaks due to low battery power and memory
shortage. Finally, one can incorporate learning mechanisms in the routing process to detect
intrusions including spurious route requests and non-cooperative or selfish behaviors. The
knowledge gained through our misbehavior detection and identification process will be integrated
with the routing decisions to further improve the routing performance. Testing and refining these
protocols and algorithms in an actual ad-hoc network test-bed would provide us insight into how
the proposal works.
3.2.2 Hardware Support
Routing cache monitor is another innovative technique to observe and report changes in
the routing. As a routing path is established, information about this path is inserted in a cache
memory. As packets for this path pass through the node, the cache checks packet forwarding. If
the routing is changed, this may trigger a reporting mechanism of a potential problem. Our cache
technique takes advantage of temporal and geographical locality of the packets [8]. When bogus
routing information is reported, the routing protocol incorporates this into its routing decisions.
We anticipate that using this additional information will further enhance the security and
performance of the network.
4. Implications and Future Research
In this position paper, we claim that to realize secure communication in ad-hoc networks,
one needs to develop comprehensive techniques to detect, identify and isolate malicious nodes in

the network and then integrate this information into routing decisions. Based on our preliminary
results and our experience, we believe such integration would not only improve the security of the
network but also its performance. In our experience, software only solutions have given us good
detection effectiveness in terms of malicious behavior detection and reasonable false positive
level. Providing
an independent source of monitoring with hardware integrated into the software
layers would greatly reduce the false positives and increase the detection effectiveness of our
techniques. Further using route-cache monitor would greatly enhance routing security. This
multi-layer hardware/software approach will significantly enhance the security and performance
of mobile ad-hoc networks.
As explained in this position paper, we have came to the conclusion that having two
independent monitors (software and hardware monitors) could lead to a significant enhancement
of security and performance of mobile ad-hoc networks.
5. References
[1] S. Medidi, M. Medidi, and S. Gavini, “Detecting Packet Dropping Faults in Mobile Ad-hoc
Networks,” In Proc. of IEEE ASILOMAR Conference on Signals, Systems and Computers,
volume 2, pp. 1708–1712, 2003.
[2] S. Medidi, M. Medidi, S. Gavini, and R. L. Griswold, “Detecting Packet Mishandling in
MANETs,” In Proc. of Security and Management Conference, pp. 40–44, 2004.
[3] R. L. Griswold and S. Medidi, “Malicious Node Detection in Ad-hoc Wireless Networks,” In
Proc. SPIE AeroSense Conference on Digital Wireless Communications, volume 5100, pp.
40–49, April 2003.
[4] S. Marti, T. J. Guili, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc
networks,” In Proc. of ACM SIGCOMM, pp. 255–265, 2001.
[5] S. Buchegger and J. Y. Le Boudec, “Nodes bearing grudges: Towards routing security,
fairness, and robustness in mobile ad hoc networks,” In Proc. of the Parallel, Distributed and
Network-based Processing, pp. 403–410, Jan. 2002.
[6] J. Liu and J. Delgado-Frias, “DMAQ Self-Compacting Buffer Schemes for Systems with
Network-on-Chip,” In Proc. of Int. Conf. on Computer Design, pp. 97-103, 2005.
[7] J. Nyathi and J. G. Delgado-Frias, “A Hybrid Wave-Pipelined Network Router,” IEEE
Transactions on Circuits and Systems, 49(12): 1764–1772, Dec. 2002.
[8] J. J. Rooney, J. G. Delgado-Frias, and D. H. Summerville, “An Associative ternary cache for
IP routing,” In Proceedings of IEE Section E: Computers and Digital Techniques, volume
151, pp. 409–416, 2004.
[9] D. H. Summerville, J. G. Delgado-Frias, and S. Vassiliadis, “A Flexible Bit-Associative
Router for Interconnection Networks,” IEEE Transactions on Parallel and Distributed
Systems, 7(5): 477– 485, 1996.
[10] T. Chiueh and P. Pradhan, “Cache Memory Design for Internet Processors,” 6th
Symposium on High Performance Computer Architecture (HPCA-6), Toulouse, France,
January 2000.
[11] D. B. Johnson, D. A. Maltz, Y. C. Hu, and J. G. Jetcheva, “The dynamic source routing
protocol for mobile ad hoc networks (DSR),” Internet draft, Mar. 2003.
www.ietf.org/proceedings/03mar/I-D/draft-ietf-manet-dsr-08.txt
[12] S. Medidi and K. Vik, “QoS-Aware Source-Initiated Ad-hoc Routing,” In Proc. of IEEE
Conference on Sensor and Ad Hoc Communications and Networks, pp. 108–117, Oct. 2004.
[13] T. Goff, N. Abu-Ghazaleh, D. Phatak, and R. Kahvecioglu, “Preemptive routing in ad
hoc networks,” Journal of Parallel and Distributed Computing, 63(2): 123–140, 2001.

An Anonymous MAC Protocol for Wireless Ad Hoc Networks
Shu Jiang
Dept. of Computer Science
Texas A&M University
jiangs@cs.tamu.edu
Abstract
Anonymity is an important privacy feature in communication networks. Providing anonymity
support in wireless ad hoc networks is a challenging task, which involves such issues as anonymous
routing, anonymous data forwarding, etc. To make a data packet untraceable, an appealing approach
is to hide the receiver of the packet at each hop on its forwarding route. This can be achieved
conveniently in wireless ad hoc networks, with link encryption and broadcasting of the packet. We
propose a MAC protocol that provides reliability service for anonymous data packets. The protocol
is designed to be against a powerful adversary who can locate and track all nodes and link the source
of each transmission to a particular node. It is shown that there is a trade-off between reliability and
anonymity.
Keywords: MAC protocol, Anonymous transmission, Reliability
1 Introduction
A wireless ad hoc network can be formed by a set of mobile hosts that communicate over wireless
medium. Due to ease of deployment, it has many applications in military (e.g., battlefield) as well as
in civilian (e.g., conference) environments. However, the use of wireless medium makes it vulnerable
to eavesdropping and node intrusion attacks. Therefore, communication privacy is a major concern
for this type of network. As an important part of privacy, connection anonymity improves security by
making it difficult for adversaries to trace network routes and nodes at the end of those routes. In tactical
networks, the connection information, i.e., who is communicating with whom, may pose serious threats
to the success of covert missions [7].
Achieving connection anonymity is challenging in wireless ad hoc networks, where routing of data
packets require cooperation of all network nodes. There are two types of routing algorithms. Several
routing algorithms such as AODV [9] and DSDV [8] maintain a routing table at each node, which
contains the next hop information (e.g., node address) for delivering packets to different destination
nodes. During data forwarding, the destination of a packet must be exposed so that a node currently
holding the packet can query its routing table and decide where to forward the packet. Source routing
algorithms such as DSR [6] maintain a route cache at each node, which contains “source routes” to other
nodes. During data forwarding, each packet carries the entire route to its destination inside the packet
header and all intermediate nodes forward a packet based on the route. Both types of routing algorithms
allow eavesdroppers or compromised nodes to trace a data flow easily, unless suitable mechanisms are
taken.
To provide anonymity support in wireless ad hoc networks, several schemes have been proposed
recently in the literature [7, 3, 14]. Generally, an anonymity scheme consists of two components, i.e.,
an anonymous routing protocol and an anonymous data forwarding protocol. The anonymous routing

protocol finds routes between nodes without disclosing the source and destination of each route. It is also
responsible for route maintenance when network topology changes. The anonymous data forwarding
protocol enables forwarding of data packets along the established routes and prevents eavesdroppers
or compromised nodes from detecting the source and destination of each packet. Take ANODR [7]
as an example. An anonymous route discovery process establishes an on-demand route between two
nodes. Each hop en route is assigned a unique route pseudonym, and each node on the route stores
the correspondence between the route pseudonyms of its previous hop and its next hop in a forwarding
table. Data packets are forwarded based on the route pseudonyms. Specifically, the source node of a
connection stamps its packets with the route pseudonym of the first hop on the route and broadcasts
each packet locally. The receiver MAC address of each packet is set to all-1’s, the predefined broadcast
address. All local receiving nodes must look up the route pseudonyms in their forwarding tables. The
node discards the packet if no match is returned. Otherwise, it changes the route pseudonym to the
one associated with the next hop, and then broadcasts the changed data packet locally. The procedure
is repeated until the data packet arrives at the destination. To make data forwarding untraceable, the
protocol ensures unlinkability of route pseudonyms and payloads.
It is appealing to transform a unicast packet to a broadcast packet, for the purpose of hiding its
receiver, during data forwarding. This should make the adversaries more difficult to trace a packet.
Also, it incurs negligible overhead, because broadcast is an inherent property of wireless transmission.
ANODR employs this method and uses route pseudonym as an “implicit address” [11] of the receiver
node of each local broadcast. This method can also be applied to source routing scheme with two levels
of encryption involved. One is the encryption of source route. The objective is that each intermediate
node only knows its previous and next neighbors on the route, instead of the entire route. For this
purpose, we can either use the connectionless approach used by the Chaum’s MIX network [4], or use
the connection-based approach used by the Onion Routing protocol [12]. Another level of encryption
is per hop packet payload encryption, or link encryption. The IEEE 802.11 MAC protocol provides
support for link encryption, usually referred as WEP (Wired Equivalent Privacy) [5]. A shared secret
between two nodes at each end of a link is used as WEP key to encrypt and decrypt packet payload.
With link encryption, the next hop node address of a packet at each hop can be hidden in an inserted and
encrypted pseudo MAC header, while the apparent destination address in the MAC header is all-1’s. At
each hop, the packet is broadcast locally. All local receiving nodes will try to decrypt the packet payload
and extract the receiver node address in the pseudo header. If a node’s address matches with the receiver
address, then it is the intended receiver of the packet. The node should find the address of the next hop
node, change the pseudo header, reencrypt the packet payload and broadcast the packet. The procedure
is repeated until the packet arrives at the destination.
An anonymity scheme based on anonymous broadcast technique is resistant against both outside
eavesdroppers and compromised nodes. As shown in [7], compromised nodes may expose multiple
segments of a route, but it is hard to link together the compromised segments. Link encryption and use of
mixing technique (e.g., dummy packet) effectively prevent outside eavesdroppers from launching traffic
analysis attacks. However, this scheme cannot ensure reliable delivery of packet at each transmission,
due to the lack of support in the IEEE 802.11 MAC protocol. To overcome the problem, ANODR
proposes using anonymous acknowledgments. In the protocol, upon receipt of a data packet, the receiver
should locally broadcast an anonymous ACK packet, and if the sender does not receive the anonymous
ACK, it should retransmit the data packet (up to a maximum limit). In an anonymous ACK packet,
the source and destination MAC address are both set to all-1’s. This prevents an eavesdropper from

encrypted
TA
RA Duration
Frame
Control
Sequence
FCS
Padding
IV
MAC header
Figure 1: POLL frame format
encrypted
RA Duration
Frame
Control
Sequence
FCS
Padding
IV
Bitmap
MAC header
Figure 2: REPLY frame format
deducing the receiver of a data packet from the sender of the ensuing ACK packet. But if the adversary
is capable of locating a transmitting node [1, 13], masking the source MAC address is not sufficient to
hide the node identity. For example, the adversary can deploy many near-invisible sensors (e.g., camera)
to locate and track all nodes in a particular area. In this case, the anonymous acknowledgment scheme
could compromise untraceability of routes.
In this paper, we propose a MAC protocol to improve reliability of anonymous broadcasts. Our
protocol is resistant against powerful eavesdroppers we described above, who can reveal the senders of
all transmissions. In our protocol, each node broadcasts a batch of data packets, instead of one data
packet, at a time. The packets in the batch may be addressed to different receivers. It is possible that
some packets are lost due to collisions or interferences. In order to deliver as many packets as possible,
the sender needs to query every receiver about their receiving status and decide which packets need to be
retransmitted. This is achieved by a polling scheme. The sender selects a subset of neighbors and sends
POLL messages to each of them individually. Each node being polled should send a REPLY message
back. All messages are encrypted, which contain information such as the sequence numbers of received
packets. The polling list is constructed independently from the list of receivers to which data packets
have been sent. So the adversary cannot build strong links between the two lists.
The rest of the paper is organized as follows. In section 2, we describe the details of the protocol
design. In section3, we present a security analysis of the protocol. In section 4, we showtheperformance
evaluation results of the protocol obtained from ns-2 [2] simulations. Finally, section 5 concludes the
paper.
Frame
Control
encrypted
RA Message
Sequence
FCS
Padding
TA
pseudo header
Duration
IV
RA
MAC header
Figure 3: Anonymous data frame

2 Protocol Design
In this section, we describe the details of the proposed anonymous MAC protocol. To conform with the
IEEE 802.11 protocol, we call units of transmission as “frames”, instead of packets. This protocol serves
two purposes. First, it can hide the receiver of a unicast data frame. This is achieved by transforming a
unicast frame to a broadcast frame and encrypting the receiver node address along with the frame pay-
load. We assume that the sender and receiver share a secret WEP key. Since the receiver of a transmitted
data frame is not identified by explicit node address, each node within the sender’s transmission range
has possibility of being the receiver. These nodes comprise the “anonymity set” [10] for the frame. Sec-
ond, it provides reliability for anonymous data frames. This service is provided under the premise that
it does not compromise receiver anonymity of the frames. We assume a strong adversary model, where
the adversary can link the source of each transmission to a particular node. In other words, there is no
source anonymity of frames. We design a sender-initiated polling mechanism to achieve the goal. In the
following, we first define the formats of control frames and anonymous data frame, and then describe
the sender’s protocol and the receiver’s protocol.
2.1 Frame Format
Fig. 1 shows the format of a POLL frame. The RA is the address of the node being polled, and the SA is
the address of the node transmitting the POLL frame. The duration value is the time required to complete
the current poll, which is calculated as the transmission time of a REPLY frame plus one
interval.
The IV is the initiation vector used in WEP encryption. The sequence number is explained below. The
padding is a number of random bytes produced to prevent content attack (explained in section 3). The
last two fields comprise the plaintext for encryption.
Fig. 2 shows the format of a REPLY frame. The RA is the address of the node transmitting POLL.
The sequence number and bitmap fields are used by the ARQ protocol (explained below). The padding
field has the same function as in POLL frame.
Fig. 3 shows the format of an anonymous data frame. The pseudo header has three fields: RA is the
address of the intended recipient node, Sequence is the sequence number assigned to the frame, Padding
is a number of random bytes.
2.2 Sender’s Protocol
Each node maintains a FIFO queue, holding frames that are waiting to be transmitted or retransmitted.
When a new frame is received from the upper layer, it is given a sequence number. The sender and
receiver use this sequence number to track and retransmit lost frames. For this purpose, each node
maintains a variable with respect to each neighbor node . is initiated to 0 at the system setup
time. For each new frame transmitted to , node assigns to the frame and increments by 1.
This ensures that node receives frames from node with contiguous sequence numbers. If a number is
missing, the frame must be lost during transmission.
At each node
, with respect to each neighbor node , a sending window is main-
tained to record the range of sequence numbers of frames stored in the queue.
is the lowest
sequence number of frames, from to , currently in the queue, while is the highest sequence
number. Node advances in two cases:
a) Node
acknowledges receiving of the frame with sequence number ;

POLL
2 * SIFS
time
SIFS
REPLY
DATA DATA
SIFS
SIFS SIFS
POLL POLL
REPLY
DATA
Figure 4: An illustration of the scheme
b) Node
fails to transmit the frame with sequence number after a maximum number of
attempts and discards it.
At each node
, if the queue is not empty, the following algorithm is executed:
1. Node
follows the CSMA/CA protocol in IEEE 802.11 to obtain the right to transmit. It works
as follows. The node first senses the channel. If the channel is busy, it just waits until the channel
becomes idle. If the channel has been idle for at least
period (= 50 s), the node enters
a state of collision avoidance and backs off from transmitting for slots of time, where is a
random number within the contention window. In the collision avoidance state, if the channel is
sensed busy, the node will suspend its backoff timer immediately and resume the timer only after
the channel is again sensed free for a
period. When the backoff timer counts down to zero,
go to step 2.
2. Node
constructs a polling set by adding all receivers of data frames currently in the queue. If
the polling set size is smaller than a preset value
, it randomly
chooses nodes within the transmission range to add in.
3. Node
polls nodes in the polling set at a random order. If a polled node is , the corresponding
POLL frame has the current value of in its sequence field. For each polled node, after node
transmits the POLL frame, it switches to the receiving mode and waits for reply. If the channel is
still free after two intervals, node assumes that the polled node does not receive the POLL
frame and starts polling the next node. If a valid REPLY frame is received from the polled node,
node
will update its state based on the information in it (e.g., releasing acknowledged frames,
advancing the sending window, incrementing retry counters of unacknowledgedframes), and polls
the next node after one
interval. If node receives a corrupted REPLY frame or senses a
busy medium during the interval, it will follow the binary exponential backoff algorithm in
802.11 and go to step 1.
4. If all nodes in the polling set have been polled, the nodes from which REPLY frames are suc-
cessfully received are “available receivers”. Node
transmits only frames to available receivers in
the queue. So some frames may be skipped. For a retransmitted frame, node
needs to change
the padding value in the pseudo header and reencrypt the frame. Consecutive frames are spaced
by intervals. There is a maximum number of frames that can be transmitted in a batch.
This is a system parameter (referred as
) whose value affects the system
performance. In our experiments, we set to 4. The possibility exists,
especially when network load is extremely high, that node
received no REPLY frames from any
polled nodes. In this case, node
would abort the transmission, follow the binary exponential
algorithm and go to step 1. If a node fails to reply consecutive pollings for a maximum number of

times, the link is assumed to be broken and all frames to be sent on that link are purged from the
sender’s queue.
2.3 Receiver’s Protocol
At each node , with respect to each neighbor node , a receiving window is maintained to record the
sequence numbers of received frames. In Selective Repeat ARQ protocol, a common approach is to use
two variables to implement a receiving window: a Lowest Bound and a one-byte Bitmap .
All frames from
with sequence numbers lower than have been received. The indicates the
receiving status of frames whose sequence numbers higher than . Specifically, if the -th bit of
is 1, it means that the frame with sequence number has been received. For example, a
of 100 and a of 11100110 indicate that node has correctly received frames 0-99, 101, 102,
105, 106, 107, whereas frames 100, 103, 104 were lost. Node advances its receiving window in two
cases:
a) When a POLL from node
is received, if , it means that the sender node has
advanced its sending window and given up its attempts to retransmit frames lower than .
This could happen when node
experienced temporary severe interference. In this case, node
synchronizes its receiving window with node ’s sending window by advancing to .
b) When a data frame from node
is received, if its sequence number matches with , then node
can advance its receiving window, i.e., incrementing the by 1 and right-shifting the
for one bit. Node can repeat the adjustment until the lowest bit of is 0. If the sequence
number of the received data frame is larger than
and is not a duplicate, the is updated
to indicate the receiving status.
Unlike many Selective Repeat ARQ based protocols, we do not maintain a “receiver buffer” at the
MAC layer to hold out-of-sequence frames. Instead, a receiver passes each received frame immediately
to the upper layer (i.e., network). There are two reasons. First, this reduces the queueing delay. Second,
frames transmitted on a link belong to different end-to-end flows and typically have different next hop
receivers. Frame loss of one flow should not affect the frame delivery of other flows. This is similar to
the head-of-line problem in router design. By relaxing the in-sequence constraint, we can increase the
overall network throughput. Notice that to provide reliable message delivery for users, the destination
node now has responsibility for sequencing.
The described protocol is illustrated in Fig. 4. In the figure, the first polled node does not send a
REPLY frame, probably not receiving the POLL. Therefore, the sender sends the second POLL (to a
different node) after two
intervals. Since any node can transmit if the channel remains free for
, having sender transmitting the second POLL earlier, without waiting for the transmission time
of a REPLY frame, prevents any neighbor from interrupting the polling process. The second and third
POLLs are replied. Each polled node transmits the REPLY frame immediately, after one
interval.
Data frames in the current batch are transmitted continuously, with one
spacing between two
consecutive frames. So, during the entire process, the medium is never idle for more than .

A
MIX
(a) in a switching network
(b) in an anonymous broadcast network
B
Figure 5: Different attacking scenarios against MIX
3 Security Analysis
In this section, we present a security analysis of the protocol. The objective of an adversary is to trace a
packet from its source to its destination. To achieve this goal, the adversary needs to reveal the receiver
of the packet at each hop while it is being forwarded. In our protocol, the receiver address at each hop is
encrypted in the pseudo header of the packet. We assume that the adversary is not capable of breaking
the link encryption through cryptanalysis. He or she has only two choices. One is to compromise nodes.
Another is to launch traffic analysis attack.
3.1 Compromised node
If a node is compromised, the adversary can immediately reveal partial route of each packet forwarded
by the node. Whether the entire route of a packet can be revealed depends on whether there are enough
compromised nodes on the route such that the exposed segments can be linked together. Kong et al’s
analysis on route traceability in the presence of compromised nodes also applies here [7].
When there are compromised nodes in a sender’s neighbor set, the maximum receiver anonymity
that can be achieved for a packet is determined by the number of uncompromised nodes in the set. In
the current design, the polling set is a subset of the sender’s neighbor set. A more secure design is to
make the polling set be exactly the sender’s neighbor set. However, our simulation results show that
the performance of this design would be very poor when the average node degree is more than 6. The
current design tries to implement a trade-off between security and performance.
3.2 Traffic analysis attack
For a conventional MIX, the attacker tries to find correlation between an input message and an output
message of the MIX. To achieve this goal, the attacker can utilize message content, size, timing infor-
mation, or can manipulate the input and output messages. Specifically, content attack compares the
contents of two messages bit by bit, looking for match; size attack examines the message lengths and
is only effective against protocols using variable-length messages; timing attack searches for temporal

dependencies between transmissions. Flooding attack (aka. node flushing attack, attack) is a
special form of content attack. In case of a simple threshold
MIX, which flushes after receiving
messages, the attack proceeds as follows: When the attacker observes a targeted message entering the
MIX, it sends messages into the MIX to make it fire. Since the attacker can recognize all his own
messages when they leave the MIX, the remaining one must be the targeted message and its destination
is revealed.
The above description of traffic analysis attacks applies to MIXes in a switching network. In an
anonymous broadcast network, each attack may take a bit different form, in that the attacker searches for
correlation between apparently independent transmissions by different nodes (see Fig. 5). For example,
node
transmits a frame at time , and node , one of its neighbors, transmits at time . This
may suggest that node is the receiver of node ’s frame and is forwarding the frame to its next hop.
However, for this timing attack to succeed, the following conditions must be satisfied:
1. The queue is empty when node
receives the frame, and
2. All other neighbors of node
have no frames to transmit.
If any of the above conditions is not satisfied, then the probability of a successful attack would
be reduced, due to a larger delay between two transmissions of the same frame. This suggests that
each node having a non-empty queue, i.e., always in saturation mode, has benefits to security. The
queue here serves a similar function as the “pool” in a conventional MIX. Again, there is a trade-off
between security and performance. In the current design, the scheme does not generate dummy data
frames, and only generates dummy polls, based on the assumption that network users provide enough
traffic loads. However, it can be easily extended to apply to low-traffic networks, by allowing nodes to
generate dummy data frames. It worths noting that the proposed scheme does batching and reordering
in a different fashion than a conventional MIX. Frames are transmitted first-in-first-out on a per each
destination basis, but on the node level, frames are transmitted in a different order than when they arrive.
The scheme is also veryefficient in achieving the security goal. With one broadcast, all neighbors receive
a masked data frame. To an unintended receiver, it provides a coverfor the node’s ensuing transmissions.
To achieve the same effect in switching network, multiple transmissions on explicit links to neighbors
are needed.
In addition to timing attack, the proposed scheme is also resistant to other attacks. As we mentioned,
the padding in a frame’s pseudo header must be changed when the frame is retransmitted. This prevents
content attack. Size attack is prevented by using fixed-size data frames. Per-hop encryption of frames
effectively stops flooding attack.
4 Performance Evaluation
In this section, we present the simulation experiments we have carried out to evaluate the performance of
our protocol using the Network Simulator, ns-2 [2]. We present results obtained from experiments in a
static wireless ad hoc network which consists of 50 nodes. The radio interface of each node simulates the
commercial 914MHz Lucent WaveLAN DSSS radio interface with the transmission range of 250m and
the nominal data rate of 2 Mbits/sec. The ns-2 simulator uses the Two-way Ground model to simulate
radio signal propagation in open space. In our experiments, nodes are randomly distributed in a 1000m

0.5
0.55
0.6
0.65
0.7
0.75
0.8
0.85
0.9
0.95
1
1 2 3 4 5
Delivery Fraction
Packet Generation Rate (pkt/s)
No Ack
MIN_POLLING_SET_SIZE = 2
MIN_POLLING_SET_SIZE = 3
MIN_POLLING_SET_SIZE = 4
Figure 6: Data Packet Delivery Ratio
x 1000m square area, and there are 20 CBR connections in the network that generate traffic. The source-
destination pairs are randomly chosen from all nodes. The source node of each connection continuously
generates data packets of 512 bytes. The average packet generation rate is a parameter that can be varied
to control the traffic load. For each connection, a shortest path set is computed at simulation start-up
time. Then, when each packet is generated, a path in the set is selected for routing the packet. We do
not use a dynamic routing algorithm because we wish to isolate the behavior of our protocol. In each
experiment, the simulation run time is 600 seconds. Results are averaged over 10 runs with identical
parameter values but different seeds for the random number generator.
In Fig. 6, we show the end-to-end data packet delivery fractions under different traffic loads. For
comparison purpose, we also show the performance of a “pure” broadcast scheme, i.e., without acknowl-
edgment. We can see that even with light traffic load, the pure broadcast cannot ensure delivery of all
frames, and when traffic load increases, its delivery fraction drops fast. At the same time, our scheme
achieves significantly higher delivery fractions. The figure also illustrates the effects of the minimal
polling set size on the performance. When a larger polling set is required, the duration of the polling
process has to be longer, which increases the probability that a data frame is corrupted by hidden nodes’
transmissions.
In Fig. 7, we show the average end-to-end data packet latency under different traffic loads. Since the
network is static, there is no routing delay. We also ignore the CPU processing delay at each intermediate
node. Therefore, the end-to-end packet latency here includes queueing delays, retransmission delays and
propagation delays. It is shown that, on the average, our scheme has much higher packet latency than
unreliable, pure broadcast scheme. This is caused by retransmission and batching. When the minimal
polling set size increases, the packet latency increases very fast, especially when traffic load is high. The
reason is that a larger polling set means higher probability of transmission failure, which makes each
node wait for a longer time before next retry. If user’s application has delay constraint, a trade-off on
security may be needed.
In Fig. 8, we show the overhead of our scheme under different traffic loads. We use the metric
Normalized control byte overhead, which is defined as the total bytes of transmitted control data (POLL,

0
100
200
300
400
500
600
700
800
900
1 2 3 4 5
Average Data Packet Latency (msec)
Packet Generation Rate (pkt/s)
No Ack
MIN_POLLING_SET_SIZE = 2
MIN_POLLING_SET_SIZE = 3
MIN_POLLING_SET_SIZE = 4
Figure 7: End-to-end Data Packet Latency
0
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
1 2 3 4 5
Normalized Control Bytes
Packet Generation Rate (pkt/s)
No Ack
MIN_POLLING_SET_SIZE = 2
MIN_POLLING_SET_SIZE = 3
MIN_POLLING_SET_SIZE = 4
Figure 8: Normalized Control Bytes

REPLY, MAC header) divided by the total bytes of received data payloads by all nodes. For pure
broadcast, this overhead is a constant, equal to the size of a MAC header divided by the size of a MAC
frame body. It is shown that the normalized control overhead decreases as the traffic load increases. The
reason is that, in this case, there tend to be multiple frames in a node’s queue, and each polling process
can be followed by multiple data transmissions. In other words, each polling is more efficient. Another
observation is that the normalized control overhead is high when the minimal polling set size is large.
This is because more dummy POLLs may need to be generated to meet the minimal polling set size
constraint.
5 Conclusions
In this paper, we present the design of an anonymous MAC protocol for wireless ad hoc networks.
We set two goals for the protocol. One is receiver anonymity. Another is reliability. The former is
achieved with link encryption and broadcasting of data frames. The latter is achieved by a selective
repeat retransmission scheme, combined with a polling mechanism. We present a security analysis of
the protocol and discussed its behavior under different attacks. We also evaluated the performance of
the protocol. Simulation results indicate that the protocol increases the packet delivery ratio at a cost of
larger packet latency. It is also shown that different trade-offs between the two goals can be achieved by
varying a parameter value. This protocol could be incorporated with source routing algorithm such as
DSR to provide a good solution for connection anonymity in wireless ad hoc networks.
6 Acknowledgements
We are extremely grateful to Prof. Nitin H. Vaidya for inspiring discussions and critical comments
during the preparation of this paper.
References
[1] P. Bahl and V. N. Padmanabhan. RADAR: An in-building RF-based user location and tracking system. In
IEEE INFOCOM, pages 775–784, 2000.
[2] U. Berkeley, LBL, USC/ISI, and Xerox-PARC. ns notes and documentation, 2003. http://www-
mash.cs.berkeley.edu/ns.
[3] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba. A novel solution for achieving anonymity in wireless ad
hoc networks. In ACM Workshop on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous
Networks (PE-WASUN 2004), Venice, Italy, Oct. 2004.
[4] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the
ACM, 24(2):84–88, Feb. 1981.
[5] IEEE. IEEE std 802.11, 1999 edition, wireless LAN medium access control (MAC) and phyiscal layer
(PHY) specifications. http://standards.ieee.org/getieee802/802.11.html.
[6] D. Johnson and D. A. Maltz. Dynamic source routing in ad hoc wireless networks. In T. Imielinski and
H. Korth, editors, Mobile Computing, volume 353, pages 153–181. Kluwere Academic Publishers, 1996.
[7] J. Kong and X. Hong. ANODR: Anonymous on demand routing with untraceable routes for mobile ad-hoc
networks. In MobiHoc’03, Annapolis, MD, USA, June 2003.
[8] C. Perkins and P. Bhagwat. Highly dynamic destination-sequenced distance-vector routing (DSDV) for
mobile computers. In ACM SIGCOMM’94 Conference on Communications Architectures, Protocols and
Applications, pages 234–244, 1994.

[9] C. E. Perkins. Ad-hoc on-demand distance vector routing. In MILCOM ’97, 1997.
[10] A. Pfitzmann and M. K¨ohntopp. Anonymity, unobservability, and pseudonymity: A proposal for terminol-
ogy. Draft, version 0.14, Jul 2000.
[11] A. Pfitzmann and M. Waidner. Networks without user observability – design options. In EUROCRYPT’85,
volume 219 of Lecture Notes in Computer Science. Springer-Verlag, 1985.
[12] M. G. Reed, P. F. Syverson, and D. M. Goldschlag. Anonymous connections and onion routing. In IEEE
Symposium on Security and Privacy, Dec. 1997.
[13] A. Smailagic and D. Kogan. Location sensing and privacy in a context-aware computing environment. IEEE
Wireless Communications, 9(10), Oct. 2002.
[14] X. Wu and B. Bhargava. AO2P : Ad hoc on-demand position-based private routing protocol. IEEE Trans-
action on Mobile Computing, 2005.

Opportunistic Networks:
The Concept and Research Challenges in Privacy and Security
Leszek Lilien, Zille Huma Kamal, Vijay Bhuse, and Ajay Gupta
WiSe (Wireless Sensornet) Lab
Department of Computer Science
Western Michigan University, Kalamazoo, MI 49008, USA
{llilien, zkamal, vsbhuse, gupta}@cs.wmich.edu
Abstract: We introduce a new paradigm and a new technology, which we call opportunistic networks or
oppnets. An oppnet grows from its seed—the original set of nodes employed together at the time of the initial
oppnet deployment. The seed grows into a larger network by extending invitations to join the oppnet to foreign
devices, node clusters, or networks that it is able to contact. A new node that becomes a full-fledged member, or
helper, may be allowed to invite external nodes. All helpers collaborate on realizing the goals of the oppnet.
They can be employed to execute different kinds of tasks, even though in general they were not designed to
become elements of the oppnet that invited them. Oppnets, as an epitome of pervasive computing, are subject to
significant privacy and security challenges, inherent to all pervasive systems. To the best of our knowledge, we
are the first to define and investigate opportunistic networks.
Keywords: Computer networks, opportunistic networks, privacy, security, pervasive computing, emergency
response, disaster recovery
1. Introduction
We propose a new paradigm and a new technology of opportunistic networks or oppnets to enable an
integration of the diverse communication, computation, sensing, storage and other resources that surround us
more and more. We not only find ourselves in their midst but depend on them increasingly as necessities rather
than luxuries. Few would deny that communications and computing are more and more pervasive.
The goal for oppnets is to leverage the wealth of pervasive resources and capabilities that are within our
reach. This is often a treasure that remains useless due to “linguistic” barriers. Different devices and systems are
either unable speak to each other, or do not even try to communicate. They remain on different wavelengths—
sometimes literally, always at least metaphorically.
This occurs despite devices and systems gaining ground in autonomous behavior, self-organization
abilities, adaptability to changing environments, or even self-healing when faced with component failures or
malicious attacks. It might look somewhat ironic to a person unaware of interoperability challenges that such
ever more powerful and intelligent entities are not making equally great strides in talking to each other.
With oppnets, we chart a new direction within the area of computer networks. To the best of our knowledge
it is a direction not explored in this way by others. A co-author of this paper invented opportunistic sensor
networks [BLWR04]. The idea was later generalized to opportunistic networks [LiGu06]. We are now the first
to scrutinize oppnets and their inherent challenges.
The oppnets and their salient features can be characterized as follows. Typically, the nodes of a single
network are all deployed together, with the size of the network and locations of its nodes pre-designed (either in
a fully “deterministic” fashion, or with a certain degree of randomness, as is the case with ad hoc or mobile

networks). In contrast, the size of an oppnet and locations of all but the initial set of its nodes—known as the
seed nodes—can not be even approximately predicted. This is the category of networks where diverse devices,
not employed originally as its nodes, are invited to join the seed nodes to become oppnet helpers. Helpers
perform certain tasks they have been invited (or ordered) to participate in. By integrating helpers into its fold, a
seed oppnet grows into an expanded oppnet.
The oppnet goals can be realized by alleviating first of all the communication problems—including
bottlenecks and gaps—that are often the root causes of resource shortages (similarly as transportation
inadequacies—not a lack of food in the world—are the root causes of famines).
If the researchers, developers, and manufacturers succeed in building oppnets, the payoff will be swift and
substantial. Armies of helpers, mobilized by oppnets, will be capable of contributing towards their objectives at
a very low or no cost, especially in emergency situations.
The potential of oppnets in all kinds of emergency situations—including man-made and natural disasters—
is especially noteworthy. In the past few years we have seen great disasters, such as 9/11 terrorist attack,
tsunami in the Southeast Asia and Hurricane Katrina. The casualties and damages are too often compounded by
problems faced by the first responders and relief agency workers. There is a common thread to all these
problems: lack of adequate communication facilities in the disaster areas and beyond. Therefore, providing
means of dependable communication in emergencies must be viewed as a fundamental challenge to
communication and information technologies.
The following scenario illustrates a possible use of an oppnet deployed after an earthquake. One of its
helpers,
a surveillance system, “looks” at a public area scene with many objects. The image is passed to another
helper that analyzes it, and recognizes one of the objects as an overturned car. Another helper decides that the
license plate number of the car should be obtained, and (maybe another) image analysis helper provides this
information. The plate number is used by another helper to check in a vehicle database whether the car is
equipped with the OnStar™ communication system. If it is, the appropriate OnStar center facility is contacted,
becomes a helper, and obtains a connection with the OnStar device in the car. The OnStar device in the car
becomes a helper and is asked to contact BANs (body area networks) on and within bodies of car occupants.
Each BAN available in the car becomes a helper and reports on the vital signs of its owner. The reports from
BANs are analyzed by prioritizing helpers that schedule the responder teams to ensure that people in the most
serious condition are rescued sooner than others. With the exception of the BAN link that is just a bit futuristic
(its widespread availability could be measured in years not in decades), all other helper capabilities are already
quite common.
With so many helper capabilities available, we need “only” to integrate them in a clever way. We believe
that our paradigm provides a very useful framework—including a conceptual frame of thought—for such
integration.
We can look at oppnets as an epitome of pervasive computing. The most critical problems inherent to
pervasive computing were very aptly expressed as follows [Thib02]:
Pervasive computing has pervasive problems, not the least of which are interoperability, security
and privacy.
Oppnets confront all three enumerated problems head on (though in this paper we concentrate on the
discussion of privacy and security issues). Therefore, work on oppnets
will be a test case for attacking the
pervasive computing problems.
The next Section describes the basics of oppnet operation. Section 3 delineates scenarios for benevolent and
malevolent uses for oppnets. Section 4 briefly presents areas of related work. Privacy and security challenges
facing oppnets are presented in Sections 5 and 6. Finally, Section 7 concludes the paper and sketches directions
for future work.

2. Basics of Oppnet Operation
A. Seed Oppnet and Its Growth
Each opportunistic network grows from a seed that is a set of nodes employed together at the time of the
initial oppnet deployment. The seed is pre-designed (and can therefore be viewed as a network in its own right).
In the extreme it can consist of a single node.
The seed grows into a larger network by extending invitations to join the oppnet to foreign devices, node
clusters, networks, or other systems which it is able to contact. Any new node that becomes a full-fledged
oppnet member, that is a helper, may be allowed to invite external nodes. By inviting “free” collaborative
nodes, the opportunistic networks can be very competitive economically. The issues that have to be addressed
are proper incentives or enforcements so that invited nodes are willing or required to join, and potentially lower
credibility of invited collaborators that, in general, can’t be fully trusted (at least till they prove themselves).
Helpers collaborate on realizing the oppnet’s goal. They can be deployed to execute all kinds of tasks even
though, in general, they were not designed to become elements of an oppnet that invites them.
B. Oppnet Helpers
1) Potential Oppnets Helpers: The set of helpers includes even entities not usually thought of as network
nodes, both wired and wireless, free-standing and embedded. Even nodes with no sensing capabilities, such as
networked mainframes from LANs or wireless-equipped processors embedded in cars, can significantly
contribute to processing or communication capabilities of an oppnet. After all, any networked PC or embedded
processor has some useful sensing, processing, or communication capabilities. For example, information about
user’s presence or absence, her work habits and Internet access patterns can be collected by her desktop and her
PDA; information about user’s location – by his cellphone (even one without GPS can be triangulated); and data
about food consumed by user’s household – by a processor embedded in a refrigerator and RFID-equipped food
packages and containers. As an example, a PC becomes “invitable” once the seed identifies a subset of IP
addresses located in its geographical area and contacts them. In larger areas, it is not difficult to do, with IP
addresses hierarchically organized by location.
2) Helper Functionalities: It should be noted that, in general, working in the “disaster mode” does not
require any new functionalities from the helpers. For example, in case of fire monitoring tasks, the weather
sensornet that became a helper can be simply told to stop collecting precipitation data, and use the released
resources to increase the sampling rates for temperature and wind direction.
It is possible that more powerful helpers could be reprogrammed on the fly. Also, oppnet nodes might be
built with excess general-purpose communication, computation, storage, sensing, and other capabilities useful
in case of unforeseen emergencies. For example, excess sensing capabilities could be facilitated by multisensor
devices that are becoming cheaper and cheaper as new kinds of sensors are being developed all the time (for
example, novel biosensors for detection of anthrax [IHRR02]).
C. Critical Mass for an Oppnet and Growth Limitations
1) Critical Mass: Oppnets can be really effective if they are able to build up their size (by inviting other
nodes) enough to reach a certain “critical mass” in terms of size, node locations, and node capabilities. Once
this threshold is passed, they are ready to communicate, calculate, and measure aspects of entities and physical
environment in their midst in an unprecedented detail. They can gather data for damage assessment when used
in emergencies or disaster recovery. Some sensornets that become helpers—such as sensor nodes embedded in
roads, buildings, and bridges—are designed primarily for damage assessment. Others helpers (whether from
sensornets or not) can gather data—legitimately or not—on general public, employees, or other monitored
individuals.

2) Growth Limitations: The network stops inviting more nodes when it obtains enough helpers providing
sufficient sensing, processing, and communication capabilities (cost/benefit analysis of inviting more nodes
might be performed). It should avoid recruiting superfluous nodes that wouldn’t help and might reduce
performance by using resources just to “gawk.” This does not mean that network configuration becomes
frozen. As the area affected by the monitored activity (e.g., an earthquake) changes and the required monitoring
level (due, say, to the severity of damage) in different locations shifts, the oppnet reconfigures dynamically,
adapting its scope and its capabilities to its needs (e.g., to the current disaster recovery requirements).
D. Applications for Oppnets
1) Emergency Applications: We see important applications for opportunistic networks in all kinds of
emergency situations, for example in hurricane disaster recovery and homeland security emergencies. We
believe that they have the potential to significantly improve efficiency and effectiveness of relief and recovery
operations. For predictable disasters (like hurricanes or firestorms, whose path can be predicted with some
accuracy), seed oppnets can be put into action and their build-up started (or even completed) before the
disaster, when it is still much easier to locate and invite other nodes and clusters into the oppnet. The first
helpers invited by the seed could be the sensornets deployed for structural damage monitoring and assessment,
such as the ones embedded in buildings, roads, and bridges.
2) Benevolent and Malevolent Oppnet Applications: As most technologies, opportunistic networks can be
used to either benefit or harm humans, their artifacts, and technical infrastructure they rely upon. Invited nodes
might be “kept in the dark” about the real goals of their host oppnets. Specifically, “good guys” could be
cheated by a malevolent oppnet and believe that they will be used to benefit users. Similarly, “bad guys” might
be fooled by a benevolent oppnet into believing that they collaborate on objectives to harm users, while in fact
they would be closely controlled and participate in realizing positive goals.
On the negative side, home-based opportunistic networks could be the worst violators of individual’s
privacy, if they are able to exploit PCs, cellphones, computer-connected security cameras, embedded home
appliance processors, etc.
3) Counteracting Malevolent Oppnet Applications: To counteract malevolent oppnets threats, predator
networks that feed on all kinds of malevolent networks —including malevolent oppnets— can be created. They
detect malevolent nets, plant spies in them, and use the spies to discover true goals of suspicious networks
(some of the suspicious networks might actually be benevolent ones, victims of false positives). Conversely,
intelligent adversaries can deploy malevolent predator networks that feed on all kinds of benevolent networks,
including benevolent opportunistic networks.
3. Example Oppnet Use Scenarios
Below we show two example oppnet application scenarios: a benevolent one and a malevolent one. Both
rely on some reconfiguration capabilities of non-opportunistic (regular) sensornets.
A. Benevolent Oppnet Scenario —“Citizens Called to Arms”
A seed oppnet is deployed in the area where an earthquake occurred. It is an ad hoc wireless network with
nodes much more powerful than in a “typical” ad hoc network (more energy, computing and communication
resources). Once activated, the seed tries to detect any nodes that can help in damage assessment and disaster
recovery. It uses any available method for detection of other networks, including radio-based (including
cellphone-based) detection, searching for nodes using the IP address range for the affected geographic area, and
even AI-based visual detection of some appliances and PCs (after visual detection, the seed still needs to find
a network contact for a node to be invited).
The oppnet “calls to arms” the optimal subset of detected and contacted “citizens,” inviting all devices,
clusters, and entire networks, which are able to help in communicating, computing, sensing, etc. In emergency

situations, entities with any sensing capabilities (whether members of sensornets or not), such as cellphones
with GPS or desktops equipped with surveillance cameras, can be especially valuable for the oppnet.
Let us suppose that the oppnet is able to contact three independent sensornets in the disaster area, deployed
for weather monitoring, water infrastructure control, and public space surveillance. They become helper
candidates and are ordered (this is a life-or-death emergency!) to immediately abandon their normal daily
functions and start assisting in performing disaster recovery actions. For example, the weather monitoring
sensornet can be called upon to sense fires and flooding, the water infrastructure sensornet with multisensor
capabilities (and positioned under road surfaces) —to sense vehicular movement and traffic jams, and the public
space surveillance sensornet —to automatically search public spaces for images of human victims.
B. Malevolent Oppnet Scenario — “Bad Guys Gang Up”
Suppose that foreign info warriors use agents or people unaware of their goals to create an apparently
harmless weather monitoring sensornet. Only they know that, when activated, the original sensornet becomes
a seed of a malevolent oppnet. The sensornet starts recruiting helpers.
The seed will not reveal its true goals to any of its helpers. Instead, it uses a cover of a beneficial
application, proclaiming to pursue weather monitoring for research. Actually, this opportunistic sensornet
monitors weather but for malicious reasons: it analyzes wind patterns that can contribute to a faster spread of
poisonous chemicals. Once the “critical mass” in terms of geographical spread and sensing capabilities is
reached, the collected data can be used to make a decision on starting a chemical attack.
4. Related Work Areas
Oppnets might be perceived as networks that lie within the intersection of ad hoc networks, P2P systems,
and sensor networks. They can use (after modifications) ad hoc node localization and self-organization
techniques from ad hoc networks, growth-by-joining approaches from P2P systems, and data aggregation
algorithms from sensornets. Hence, the fact that a lot of related work comes from these three areas should not be
surprising. However, we look at three more categories of related work.
There are six major areas of related technologies useful for opportunistic networks, that we identified and
explore for useful methods, protocols, and algorithms:
1. Ad hoc networks
2. Peer-to-peer systems
3. Sensornet
4. Grid computing (for resource integration and management)
5. Benevolent Trojans (for helper search)
6. Miscellaneous other (e.g., techniques from the CenWits project from the University of Colorado).
There is a tremendous amount of knowledge and experience in the above areas that we can learn from but
we can not employ any of the existing techniques ‘as-is’ in our opportunistic networks, due to unique
characteristic of oppnets.
We omit the details as not necessary in this Privacy and Security Research Challenges paper.
5. Privacy Challenges in Oppnets
The proposed opportunistic network technology is one of possible approaches for moving towards the
ultimate goal of pervasive computing. Since huge privacy risks are associated with all pervasive computing
approaches, oppnets—being such an approach—must face significant privacy perils.

Pervasiveness must breed privacy threats, as we explain in our 2004 paper [BLRW04]:
Pervasive devices with inherent communication capabilities might […] self-organize into huge,
opportunistic sensor networks, able to spy anywhere, anytime, on everybody and everything within their
midst. […] Without proper means of detection and neutralization, no one will be able to tell which and
how many snoops are active, what data they collect, and who they work for (an advertiser? a nosy
neighbor? Big Brother?). Questions such as “Can I trust my refrigerator?” will not be jokes—the
refrigerator will be able to snitch on its owner’s dietary misbehavior to the owner’s doctor.
We very clearly recognize the crucial issue of privacy in oppnets (as well as in all other pervasive
computing approaches). Privacy guarantees, are indispensable for realization of the promise of pervasive
computing. We strongly believe that without proper privacy protection built into any technology attempting to
become pervasive, the public will justifiably revolt against it. Any oppnet solution (or other pervasive
computing solution) compromising on privacy protection is doomed to a total failure. Simply, privacy
protection is the “make it or break it” issue for oppnets and pervasive computing in general.
There is no inherent reason why an oppnet would need to enslave the device asked to help it, exploiting its
sensitive resources. There is no inherent reason why the helper device would need to disclose all such resources
to the oppnet. In the simplest solution, the candidate helper will keep its private data in a secure vault (e.g.,
enciphered in its storage) before agreeing to join an oppnet that asked for help. In case of an involuntary
conscription (in an emergency situation), the oppnet will allow the candidate helper to save private data in
helper’s own vault before mustering it.
Other solution we consider will rely on a strict separation of private and public areas within the helper
device or network. This will ensure that a benevolent oppnet will never (even when it malfunctions) attempt to
capture helper’s private data. It will also provide protection against malevolent oppnets that might attack
privacy of other devices or networks pretending they need them as their helpers.
Still other techniques—proposed in [Lili05]—include:
•
Protecting privacy of entities (including oppnet helpers) that are under oppnet surveillance by, for example,
assuring their anonymity or pseudonymity.
• Providing algorithms for detecting malevolent oppnet, which masquerade as benevolent oppnets in order to
attack prospective helpers. Detection will deny them opportunity to compromise privacy of helpers.
• Developing methods to protect
oppnets against all kinds of privacy attacks, and to disable malicious uses of
oppnets for privacy attacks.
Some relaxation of the strictest privacy protection standards might be permissible in emergency situation,
especially in life-and-death situations. For example, a victim searching for help will probably not object to an
oppnet taking over her Body Area Network (BAN), controlling devices on and within her body. We will
consider exploring this possibility with a full concern for legal and ethical issues involved. If we do, we will
follow two basic assumptions: (1) an entity should give up only as much privacy as is indispensable for
becoming a helper for the requesting oppnet; and (2) an entity’s privacy disclosure should be proportional to the
benefits expected for the entity or to a broader common good. The latter is especially important in emergencies,
when the goals like saving a life of one person takes precedence over the comfort of another.
Our earlier work on privacy includes a solution for privacy-preserving data dissemination [LiBh05], which we
might adapt to improve the oppnet-helper relationships.
Finally, we need to note that privacy (and security) in pervasive computing is a very active investigation area.
We can use many other privacy solutions conceived by other researchers working on networks and, in general,
on pervasive computing.

6. Security and Privacy Challenges for Oppnets
One of the sources of privacy and security threats is the fact that authentication cannot, in general, be
performed when devices join the network. It is not possible to guarantee that malicious devices will not join.
Moreover we might not be able to classify or rate devices as malicious until they join the oppnet, and we detect
their notorious behavior. Delivering secret keys securely to all non-malicious devices (and only to non-
malicious devices) is very difficult in such an ad hoc environment. Hence, relying alone on cryptography-based
authentication mechanisms (e.g., Kerberos) will not help in all situations. So, MITM, packet dropping, ID
spoofing (masquerading), DoS and other attacks are even bigger threats in oppnets. If not controlled, they can
defeat the purpose of oppnet.
Figure 1 displays general security scheme for oppnets. In the absence of initial authentication mechanism all
five steps marked by outgoing arrows from the adder circle are mandatory.
The privacy and security challenges for opportunistic networks can be listed as follows (in the order in
which, we think, they should be investigated):
A.
Increasing trust and secure routing
B.
Helper privacy and oppnet privacy
C.
Protecting data privacy
D.
Ensuring data integrity
E.
Identifying most dangerous attacks and sketching solutions
F.
Intrusion detection
No initial
authentication
Observe helper behavior
Robust routing (to prevent common attacks)
Use special intrusion detection techniques for
sophisticated attacks by helper (like MITM)
Find “bad guys”
Permanently
eliminate, isolate,
avoid “bad guys”
during routing so
that they can’t join
Fig. 1. General oppnet security scheme.
New helper
joining oppnet
Grant access to helper based on roles
Authorize helper to perform certain operations

A. Increasing Trust and Secure Routing
A list of “more trusted” devices can be maintained. For example, we can trust more the devices owned by
certain institutions, such as devices at police stations, government offices, hospitals, public libraries, universities
or reputable companies. Once a list of trusted devices is made (which is a challenge), these devices will be used
for more critical tasks than unknown devices or distrusted devices (such a ‘black list’ could be maintained as
well). Secure routing can use both lists. Selecting a route that passes through only trusted devices (or as many
trusted devices as possible) is challenging. Numerous papers have been written on individual ad hoc routing
protocols. A survey of secure wireless ad hoc routing can be found in [HuPe04].
Secure wireless ad hoc routing protocol most relevant to oppnet is Ariadne [HuPJ02]. It is an on-demand
protocol that works in the presence of compromised nodes. Ariadne uses symmetric cryptography. It
authenticates routing messages using one of the three schemes:
• Shared secrets between each pair of nodes.
• Shared secrets between communicating nodes combined with broadcast authentication.
• Digital signatures.
Solutions proposed for securing routing protocols in wireless or ad hoc networks or the Internet cannot be
used directly in oppnets because oppnets are highly heterogeneous. Their nodes have different processing
abilities, power sources, modes of transmission (wired or wireless), etc. The proposed approaches—e.g., IPSec,
WEP and ssh—use mostly cryptographic solutions to minimize the probability and effects of possible attacks.
Trusted devices with battery power should be used sparingly to increase their lifetime. This is necessary to
maintain network connectivity, the goal of oppnet. This might be easier in oppnets than in other systems, as
oppnets can rely on growth to amass needed resources (even with a big safety margin).
B. Helper Privacy and Oppnet Privacy
In this section, by “protecting privacy of the system” we mean no intrusions into the system, no illegal
access to data, resources and software of systems. So by privacy we do not mean data privacy or confidentiality
which is discussed in Subsection 6.C.
Oppnet can be feasible only if privacy of helpers can be guaranteed. Privacy of a helper can be guaranteed
by its access controls (authentication and authorization) and by its intrusion prevention (using security
primitives, relying on trust, secure routing etc.).
Intrusion detection should be used as the second line of privacy defense for helpers when prevention fails or
cannot be used due to its inefficiency. Elimination or isolation of bad entities from oppnet via intrusion
detection is very important for benevolent nodes. The problem of guaranteeing access control and performing
real-time intrusion detection for oppnets are more difficult than for the Internet, wireless or ad hoc networks
because of the highly heterogeneous nature of participating devices and the spontaneous manner in which
oppnets are formed.
Privacy of oppnet is also important. Malicious entities can join the oppnet with the sheer purpose of
violating privacy of oppnet members. A fear of having one’s privacy violated can prevent candidate helpers
invited by an oppnet from joining, or can cause reluctance (a passive or an active resistance) of the candidate
helpers ordered by an oppnet to join.
Since it is very difficult to uncover the motives of any device or system invited/ordered by an oppnet to
join, the only way to find bad helpers is by intrusion detection.
C. Protecting Data Privacy
In the subcategory of oppnets that have a central controller, the following kinds of messages are most
important.
1) Broadcast from the controller: Mostly some announcements may be made by the controller (for e.g. water

level will rise by 6 inches in half an hour in the whole city) for which privacy might not be desired. But there
can be messages from the controller which may require privacy since they will be intended to only few nodes in
the oppnet. The lack of shared secret or a key between the controller and intended recipients makes the problem
of providing data privacy difficult. Even if we assume that there is a shared secret key (for symmetric key
cryptography encryption) between controller and intended recipients, the biggest problem with the symmetric
key cryptography is capture of even a single device (especially in crisis when providing physical protection is
even more difficult) leading to the failure of the whole scheme.
2) Messages from nodes to the controller: These messages may require privacy. (You may have to tell
something to your manager but may not want to share with your colleagues.) Encryption is a way of providing
data privacy. Asymmetric key cryptography (or public key cryptography, using PKI) can be used to protect
privacy of messages from nodes to the controller. The controller can broadcast its public key to all the devices
in the oppnet. Devices can encrypt their data with the public key and the controller can decrypt them with its
private key. So when data is traveling towards the controller, the nodes that forward them can see only their
encrypted form.
A malicious device can pose as a controller by distributing its own public key. The above will not work if
the controller cannot exclude such ‘competition’ in distributing its forged public key. We need a secure
mechanism to broadcast a public key either before an emergency (for predictable emergencies, to potential
helpers that can be identified), during an emergency, or after an emergency.
Apart from the above discussed messages, messages in oppnet might be sent from one device to another
device (peer to peer), or there can be intra-cluster communication among devices in some specific area. A local
cluster head (a trusted device doing an extra job) can use public key cryptography while communicating with its
neighbors. A cluster head can announce its public key. Nodes can encrypt data with the public key and, upon
receiving encrypted data, the cluster head can decrypt them with its private key. But a malicious device can
pose as a cluster head and can distribute its own public key. So, this approach will not work if the cluster head
cannot exclude such ‘competition’ in distributing its forged public key.
D. Ensuring Data Integrity
Data integrity is a part of data security, also a part of any secure communication. Digital signatures can be
used to guarantee integrity of data. But they are too expensive computationally for weak devices (like
cellphones, PDAs etc.) running on a limited battery power. Hence, alternatives should be devised to guarantee
integrity of data packets.
Also, packet sizes may vary when it travels through an oppnet. Suppose that a packet is sent from
a cellphone to the base station through a PC connected to the Internet. In this case, the packet size when it
travels from the cellphone to the PC will be different from the packet size when it travels from the PC to the
base station. If packet fragmentation and aggregation cannot be performed securely, the end-to-end security
mechanisms could fail.
E. Identifying Most Dangerous Attacks and Sketching Solutions
Below we discuss some of the most important attacks, their effects and initial solutions to prevent those
attacks.
• MITM: Suppose a malicious device is on the path connecting a person in the house that needs help and the
central controller. In this case, if the person sends request destined to the controller, the malicious device
instead of forwarding it might inform the person that help is on the way. It could also tamper with messages
broadcast by the controller.
Solution: A person in need can send redundant messages to the controller through multiple neighbors. This
will increase the chances that least one of the multiple message copies will reach the controller, even if there
are attackers on some paths. So, redundancy of routes can be exploited to avoid the attackers.
• Packet dropping: The malicious device in the above scenario might drop some or all the packets between the

person in need and the controller. In the worst case, it might forward packets containing insignificant
information and drop packets containing critical information.
Solution: The above proposed idea of sending redundant messages using multiple neighbors may work if no
adversary is situated on at least one path. Again, redundancy of routes can be exploited to avoid the
attackers.
• DoS attacks by malicious devices: False requests for help can be generated by malicious devices. They will
keep the rescue team busy and unavailable for real emergencies.
Solution: Upper limit can be placed on the number of requests any device can generate. Thus, it will limit the
number of times any device can send a false help request. In addition, the rescue team can attempt contacting
the requester to confirm an emergency request.
• DoS attacks on weak links: DoS attacks may target a “weak” device, such as a cellphone that is critical to
oppnet operation (e.g., if it is the only device that connects two parts of a city). The battery of the cellphone
is a very precious resource and should be used sparingly till an alternative connection is found. Some attacks
may target only critical weak devices. Such surgical attacks are capable of defeating the goal of oppnets,
which is to maintain connectivity in crisis.
Solution: Identification of weak devices, their strengthening (e.g., providing backups for them), or
minimizing their workload is a major task for maintaining connectivity in oppnets.
• ID spoofing: Mapping some node properties (like location) into node ID by a controller can be dangerous.
A malicious device capable of masquerading can generate requests with multiple IDs, resulting in many false
alarms for the rescue team. Services that need authentication can be misused if their IDs can be spoofed.
A device capable of spoofing ID of a trusted node or a node with critical functions can pose many kinds of
attacks.
Solution: Although it is difficult to guarantee that malicious nodes will not join the oppnet, nodes can watch
their neighbors for possible attempts of ID spoofing. The SAVE protocol [LMRZ01] can provide routers
with information needed for source address validation. This protocol needs to be modified to suit the
heterogeneous nature of oppnets.
F. Intrusion Detection
Malicious devices or malicious networks will be able to join an oppnet because of the lack of an initial
authentication mechanism. Therefore, there is a need to detect and isolate malicious nodes, clusters, or
networks. Securely distributing information about malicious entities in the presence of malicious entities is
a challenge. If shared securely, this second-hand reputation information can be used by all oppnet nodes to
protect themselves from attackers. Even if that information could be distributed securely, avoiding those entities
while maintaining connectivity is another challenge.
For a review of intrusion detection in wireless ad hoc networks we refer reader to [MiNP04]. However, we
need to emphasize that the highly heterogeneous nature of oppnets makes real-time intrusion detection and
response in them even more challenging than in other types of networks.
The intrusion detection approach most relevant for oppnets comes from the AAFID project [Zamb01], in
which autonomous agents perform intrusion detection using embedded detectors. An embedded detector is an
internal software sensor that has added logic for detecting conditions that indicate a specific type of attack or
intrusion. Embedded detectors are more resistant to tampering or disabling, because they are a part of the
program they monitor. Since they are not executing continuously, they impose a very low CPU overhead. They
perform direct monitoring because they have access to the internal data of the programs they monitor. Such data
does not have to travel through an external path (a log file, for example) between its generation and its use. This
reduces the chances that data will be modified before an intrusion detection component gets it.
7. Conclusions
This paper presents the new concept of opportunistic networks (oppnets), and presents related research
challenges.

Oppnets constitute a newly identified category of computer networks. When deployed, oppnets attempt to
detect systems existing in their relative vicinity—ranging from sensing and monitoring, to computing and
communication systems—and integrate them under their own control. When such a system is detected, oppnet
evaluates its potential benefit, and—if the evaluation is positive—invites it to become its helper. In this manner,
an oppnet can grow from a small seed into a stupendous network with vast sensing, communication, and
computation capabilities.
An integrated network has been called for in various critical or emergency situations [USGo01]. Oppnet
can be used to enable connectivity in an area where any existing communication or information infrastructure
has been fractured or partially destroyed. It integrates various systems that were not designed to work together
to facilitate creation of a bigger and better picture of the region it is deployed in. The integration allows flow of
information that, for example, can assist in rescue and recovery efforts for devastated areas, or can provide more
data on phenomena that are just developing, such as wildfires or flash torrents.
Answering to the identified challenges in oppnets will contribute to advancing knowledge and
understanding of the opportunistic networks, while simultaneously advancing the state of the art of the general-
purpose computer networks.
We take on many challenges, continuing our investigation of oppnets, and designing oppnet architectures
with their associated components: methods, protocols, and algorithms. The planned prototype opportunistic
network will provide a proof of concept, as well as stimulation and feedback necessary for fine-tuning oppnet
architectures and their components
Acknowledgements
This work was supported in part by the National Science Foundation under Grant IIS-0242840, and in part by
the U.S. Department of Commerce under Grant BS123456.
The authors would also like to acknowledge Western Michigan University for its support and its contributions
to the WiSe (Wireless Sensornet) Laboratory, Computational Science Center and Information Technology and
Image Analysis (ITIA) Center.
L. Lilien, a co-PI on the NSF grant providing a partial support for this research, would like to thank Professor
Bharat Bhargava from Purdue University, the PI for this grant. He is affiliated with the CERIAS security center
at Purdue University.
Any opinions, finding, conclusions or recommendation expressed in the paper are those of the authors and do
not necessarily reflect the views of the funding agencies or institutions.
References and Bibliography
[AnYC05] Z. Anwar, W. Yurcik, and R. H. Campbell, “A Survey and Comparison of Peer-to-Peer Group
Communication System Suitable for Network-Centric Warfare,” SPIE 2005.
[BaPa00] P. Bahl and V.N. Padmanabhan, ”RADAR: An In-Building RF-based User Location and Tracking
System,” INFOCOM (2), March 2000, pp. 775-784.
[BFHX05] X. Bao, B. Fang, M. Hu, and B. Xu, "Heterogeneous Search in Unstructured Peer-to-Peer
Networks," IEEE Distributed Systems Online, vol. 6, no. 2, 2005.
[BoGS03] A. Boulis, S. Ganeriwal, and M. Srivastava, “Aggregation in Sensor Networks: An Energy
Accuracy Trade-off,” Proc. 1st IEEE Intl. Workshop on Sensor Network Protocols and
Applications (SNPA’03), May 2003, Anchorage, Alaska.

[BEGH01] N. Bulusu, D. Estrin, L. Girod and J. Heidemann, “Scalable Coordination for Wireless Sensor
Networks: Self-Configuring Localization Systems,” Proc. Sixth Intl. Symp. on Communication
Theory and Applications (ISCTA 2001), Ambleside, United Kingdom, July 2001.
[BLRW04]
B. Bhargava, L. Lilien, A. Rosenthal, and M. Winslett, “Pervasive Trust,” IEEE Intelligent
Systems, vol. 19(5), Sep./Oct.2004, pp. 74-77.
[CeEs02] A. Cerpa and D. Estrin, “ASCENT: Adaptive Self-Configuring Sensor Networks Topologies,”
Proc. Twenty First Intl. Annual Joint Conf. of the IEEE Computer and Communications Societies
(INFOCOM 2002), New York, NY, June 2002.
[ChHa03] S. Chatterjea, and P. Havinga, “A Dynamic Data Aggregation Scheme for Wireless Sensor
Networks,” ProRISC 2003, November 2003, Veldhoven, Netherlands.
[ChBe02] W. Cheswick and S. Bellovin, Firewalls and Internet Security, 2nd ed., Addison-Wesley, 2002.
[Flor03] R. A. Flores-Mendez, “Towards Standardization of Multi-Agent System Frameworks,” 2003.
http://turing.acm.org/crossroads/xrds5-4/multiagent.html
[Gong02] L. Gong, “Peer-to-Peer Networks in Action,” IEEE Internet Computing, January – February 2002.
[GuAA05] A. Gupta, D. Agrawal, and A. E. Abbadi, “Distributed Resource Discovery in Large Scale
Computing,” SAINT 2005.
[Hein00] W. Heinzelman, “Application-Specific Protocol Architectures for Wireless Networks,” Ph.D.
Thesis, Department of Electrical Engineering and Computer Science, MIT, Cambridge, MA, June
2000.
[HiBo01] J. Hightower and G. Borriello, “Location Systems for Ubiquitous Computing,” IEEE Computer,
August 2001.
[HeCB00] W. Heinzelman, A. Chandrakasan, and H. Balakrisnan, “Energy-efficient Communication Protocol
for Wireless Microsensor Networks,” Proc. 33rd Intl. Conf. on System Sciences (HICSS), January
2000.
[HSIG01] J. Heidemann, F. Silva, C. Intanagonwiwat, R. Govindan, D. Estrin, and D. Ganesan, “Building
Efficient Wireless Sensor Networks with Low-Level Naming,” Proc. 18th ACM Symp. on
Operating Systems Principles, October 2001.
[HVBW01] J. Hightower, C. Vakili, G. Borriello, and R. Want, “Design and Calibration of the SpotOn Ad-
Hoc Location Sensing System,” unpublished manuscript, August 2001.
[HuPJ02] Y.-C. Hu, A. Perrig, and D.B. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Ad
Hoc Networks,” Proc. 8th Ann. Int’l Conf. Mobile Computing and Networking (MobiCom 2002),
Atlanta, Georgia, September 2002, pp. 12–23.
[HuPe04] Y.-C. Hu and A. Perrig, “A Survey of Secure Wireless Ad Hoc Routing,” IEEE Security &
Privacy, Special Issue on Making Wireless Work, Vol. 2(3), May/June 2004, pp.28-39.
[IHRR02] H. Inerowicz, S. Howell, F. Regnier, and R. Reifenberger, “Protein Microarray
Fabrication for
Immunosensing,” Proc. 224
th
American Chemical Society (ACS) National Meeting, Aug. 2002.
[ItGE00] C. Itanagonwiwat, R. Govindan, and D. Estrin, “Directed Diffusion: A Scalable and Robust
Communication Paradigm for Sensor Networks,” Proc. Sixth Annual Intl. Conf. on Mobile
Computing and Networks (MobiCom), 2000.
[IyBr03] S. Iyenger and R. Brooks, Distributed Sensor Networks, CRC Press, Inc., 2003.

[KrEW02] B. Krishanamachari, D. Estrin, and S. Wicker, “The Impact of Data Aggregation in Wireless
Sensor Networks,” Proc. Intl. Workshop on Distributed Event Based Systems (DEBS), Vienna,
Austria, July 2002.
[KuWu01] H.T. Kung and C. H. Wu, "Hierarchical Peer-to-Peer Networks," Technical Report IIS-TR-02-015,
Institute of Information Science, Academia Sinica, Taiwan, April 2001.
[LiBh05] L. Lilien and B. Bhargava, “A Scheme for Privacy-preserving Data Dissemination,” IEEE
Transactions Systems, Man, and Cybernetics, accepted, final version submitted in October 2005,
to appear.
[LiGu06] L. Lilien and A. Gupta "Opportunistic Networks for Emergency Preparedness and Response,"
submitted for publication.
[Lili05] L. Lilien, “Opportunistic Sensor Networks,” Proposal to the Faculty Research and Creative
Activities Support Fund (FRACASF), Western Michigan University, December 2, 2005.
[LMRZ01] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang. "SAVE: Source Address Validity
Enforcement Protocol," UCLA Technical Report 01-0004, Los Angeles, CA, 2001.
[MiNP04] A. Mishra, K. Nadkarni, A. Patcha, "Intrusion Detection in Wireless Ad Hoc Networks", IEEE
Wireless Communications, Vol. 11(1), February 2004, pp. 48-60.
[Mena03] D.A. Menascé, “P2P Search,” IEEE Internet Computing, March – April 2003.
[MICA03] MICA2 Wireless Measurement
System Datasheet, Crossbow Technology Inc., San Jose, CA,
September 2003,
http://www.xbow.com/Products/Product_pdf_files/Wireless_pdf/6020-0042-01_A_MICA2.pdf.
[MOWW04] T. Moscibroda, R. O’Dell, M.Wattenhofer, and R. Wattenhofer, “Virtual Coordinates for Ad
Hoc and Sensor Networks,” ACM Joint Workshop on Foundations of Mobile Computing (DIALM-
POMC), Philadelphia, Pennsylvania, USA, October 2004.
[Mote03] Mote Documentation and Development Information, UC Berkeley, Berkeley, CA, 2003,
http://www.cs.berkeley.edu/~awoo/smartdus.
[OnSt05] “On Star Explained,” Accessed on November 26, 2005,
http://www.onstar.com/us_english/jsp/explore/index.jsp
[Oppe78] A. Oppenheim, Applications of Digital Signal Processing, Prentice-Hall, Inc., 1978.
[PBSJ05] P.N. Pathirana, N. Bulusu, A.V. Savkin, and S. Jha, “Node Localization Using Mobile Robots in
Delay-Tolerant Sensor Networks,” IEEE Transactions On Mobile Computing, Vol. 4, No. 3,
May/June 2005, pg 285-296.
[PrCB00] N. Priyantha, A. Chakraborty, and H. Balakrishnan, “The Cricket Location Support System,” Proc.
ACM Int’l Conf. Mobile Computing and Networking (MobiCom ’00), pp. 32-43, Aug. 2000.
[Ripe02] M. Ripeanu, “ Peer-to-peer Architecture Case Study: Gnutella Network,” Internet2 Workshop:
Collaborative Computing in Higher Education: Peer-to-Peer and Beyond, January, 2002, Tempe,
Arizona.
[SaHS01] A. Savvides, C. Han, and M. Srivastava, “Dynamic Fine-Grained Localization in Ad-Hoc
Networks of Sensors,” Proc. ACM Int’l Conf. Mobile Computing and Networking (MobiCom ’01),
pp. 166-179, July 2001.
[SMKKB01] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan, “Chord: A scalable peer-to-
peer lookup service for internet applications,” Proc 2001 Conf. on Applications, Technologies,

Architectures, and Protocols for Computer Communications (SIGCOMM), pages 149–160. ACM
Press, 2001.
[TGBKS04] M. Terwilliger, A. Gupta, V. Bhuse, Z. Kamal, and M. Salahuddin “A Localization System Using
Wireless Sensor Networks: A Comparison of Two Techniques.” Workshop on Positioning,
Navigation and Communication, Hanover, Germany, 2004.
[TeGC05a] M. Terwilliger, A. Gupta and C. Coullard, “Localization with Confidence in Sensor Networks,”
submitted for publication, 2005.
[TerGC05b] M. Terwilliger, A. Gupta and C. Coullard, “On Bounding Localization Errors,” submitted for
publication, 2005.
[Thib02]
P. Thibodeau, “Pervasive computing has pervasive problems,” ComputerWorld, Vol.36(41), Oct.
7, 2002.
[USGo01] U.S. Government Printing Office via GPO Access, "Combating Terrorism: Assessing the Threat of
a Biological Weapons Attack." Online Resource last accessed on December 15, 2005.
http://www.armscontrolcenter.org/cbw/resources/hearings/snsvair_20011012_combating_terroris
m_assessing_biological_weapons_attack.htm
[WhCu03] K. Whitehouse and D. Culler, “Macro-Calibration in Sensor/Actuator Networks,” Mobile
Networks and Applications, Kluwer Academic Publishers 2003.
[YHRC98] K. Yao, R. Hudson, C. Reed, D. Chen, and F. Lorenzelli, “Blind Beamforming on a Randomly
Distributed Sensors Array System,” Proc. 1998 IEEE Workshop on Signal Processing Systems
(SiPS ‘98), October 1998.
[Zamb01] D. Zamboni, “Using Internal Sensors for Computer Intrusion Detection”, CERIAS Technical
Report 2001-42, CERIAS, Purdue University, West Lafayette, IN, August 2001.