Geo-Spatial Location Spoofing Detection For Internet of Things

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
1
Geo-spatial Location Spoofing Detection for

Internet of Things
Jing Yang Koh, Ido Nevat, Derek Leong, and Wai-Choong Wong
AbstractWe develop a new location spoofing detection

algorithm for geo-spatial tagging and location-based services
in the Internet of Things (IoT), called Enhanced Location
Spoofing Detection using Audibility (ELSA), which can be
implemented at the backend server without modifying existing
legacy IoT systems. ELSA is based on a statistical decision
theory framework and uses two-way time-of-arrival (TW-TOA)
information between the users device and the anchors. In
addition to the TW-TOA information, ELSA exploits the
implicit audibility information (or outage information) to improve
detection rates of location spoofing attacks. Given TW-TOA
and audibility information, we derive the decision rule for the
verification of the devices location, based on the generalized
likelihood ratio test. We develop a practical threat model for delay
measurements spoofing scenarios, and investigate in detail the
performance of ELSA in terms of detection and false alarm rates.
Our extensive simulation results on both synthetic and real-world
datasets demonstrate the superior performance of ELSA
compared to conventional non-audibility-aware approaches.
Index TermsLocation spoofing detection, Internet of Things,
Geo-spatial tagging, Audibility, Likelihood ratio test.
I. I NTRODUCTION
Wireless localization has been an active research topic
in the last decade due to its significance in many existing
applications. In particular, the area of detecting location
spoofing attempts has become increasingly important. With
the expansion of the Internet of Things (IoT), more and
more users are expecting reliable and trustworthy estimates
of the locations of the things in their systems. Without
reliable information, location-based services may be severely
disrupted, causing inconvenience to end users or even resulting
in the loss of human lives especially in hazardous applications.
Spatially deployed anchors (or reference nodes) can be
used to estimate the distance of targets in the range-based
time-of-arrival (TOA) localization techniques [1][3].
Specifically, we focus on the TOA-based two-way ranging
(TWR) protocol [1][3] where a target (user device or tag)
simply needs to reply to range request packets sent from
the anchors. This enables the anchors to estimate their
distances from the target by making use of the time of flight
(delay) information. However, a malicious target can attempt
J. Y. Koh, I. Nevat, and D. Leong are with the Institute for Infocomm
Research (I2 R), Singapore. W.-C. Wong is with the Department of Electrical
and Computer Engineering, National University of Singapore.
The work of J. Y. Koh was supported in part by the Agency for Science,
Technology and Research (A*STAR) Graduate Scholarship. The work of
I. Nevat was supported in part by A*STAR, Singapore, under SERC Grant
1224104048. The work of D. Leong was supported in part by A*STAR,
Singapore, under SERC Grant 1224104049.
Copyright (c) 2016 IEEE. Personal use of this material is permitted.
However, permission to use this material for any other purposes must be
obtained from the IEEE by sending a request to pubs-permissions@ieee.org.
Legacy IoT system

Anchor 4
Target
Anchor 1
Proposed
detection
test ELSA
Two-Way Ranging
Protocol
Internet
Anchor 2
Anchor 3
Fusion center
Fig. 1. System model with a target, multiple anchors, and a fusion center. The
target is inaudible to anchor 1 and audible to anchors 2, 3, and 4. The proposed
detection test ELSA can be implemented at the backend server which receives
the TOA delay measurements from the anchors via the fusion center, without
changing the legacy IoT system.
to spoof its location by affecting the delay measurements

received by the anchors. Therefore, many location spoofing
detection schemes [4][12] have been proposed to deal with
this threat. Typically, the detection system uses trilateration
(or multilateration) [1], [13] to fuse three or more distance
estimates to localize a node in two dimensions [2], [8], [9],
[12], reducing ambiguity in the location estimates.
However, we show that this basic requirement of obtaining
distance estimates from at least three audible anchors can
be relaxed localization can often be done reliably with
fewer audible anchors. Two nodes A and B are said to be
audible to each other if they are able to successfully decode the
transmitted signals from each other, i.e., their received signal
strengths have to be above a predefined threshold in order for
them to be mutually audible. This will be formally defined
in Definition 2. In contrast to prior works that simply ignore
inaudible anchors (e.g., the inaudible anchors are excluded
from the trilateration calculations), we exploit the implicit
audibility information (or outage information) to improve the
location spoofing detection rate at essentially no additional
cost.
Using the concept of audibility, we develop a generalized
likelihood ratio test (GLRT) [14] called Enhanced Location
Spoofing Detection using Audibility (ELSA) to detect location
spoofing attacks. The statistical GLRT hypothesis testing
technique is a well-recognized approach that can be applied
to the received TOA delay measurements to distinguish an
honest target from a malicious target. ELSA can be applied to
a wide range of legacy IoT systems to improve localization and
the detection of spoofing attempts at essentially no additional
cost because it uses implicit audibility information available
in conventional TOA-based localization systems. This allows
our approach to be implemented solely at the backend server
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
without changing existing client IoT devices or network

communications protocols (see Fig. 1).
A. Related Work
Location verification schemes have mainly relied on either
the TOA or received signal strength (RSS) range-based
approaches. In range-based approaches, deterministic
geometrical boundaries are often used to decide whether to
accept or reject localization claims. Vora et al. [15] adopt
a geometric approach to detect location spoofing attacks,
using sharply defined boundaries for acceptance (circular
zone) and rejection (polygonal zone), with an ambiguity
zone between the two boundaries. Audibility is assumed
to be guaranteed within the circular acceptance zone. Such
deterministic methods do not account for the variance of
the naturally occurring noise. Our statistical model, on the
other hand, generalizes this approach by accounting for the
naturally occurring observation noise via a Gaussian noise
2
term (see (1)) Wi N (0, W
). The geometric approach is
therefore a special case of our model where Wi N (0, 0).
In addition, several works used cryptographic security
protocols and message exchanges to prevent location spoofing
attacks. The work in [16] presents a framework for using
witness nodes to validate the location of targets via a
cryptographic asserted location proof protocol to verify their
distances to the target. Next, [8] presents a similar but
distributed cooperative witnesses protocol to verify location
claims through a series of message exchanges. Likewise, [10]
proposes a method to check if the target lies within a claimed
region and whether the claimed location exceeds a reasonable
bound. Distance bounding protocols (e.g., [11]) have also
been proposed to verify that a target is located within a
geometric region from the anchors. This is achieved by rapidly
exchanging messages based on random nonces to bound the
distances between the target and the anchors.
Special features such as anonymous beacons are used in [7]
to verify a target location. Capkun et al. [9] further use hidden
and mobile anchors not known by the adversary to verify the
location of targets via a simple challenge-response scheme.
Basilico et al. [12] model the location verification problem
as a non-cooperative two-player game between the anchors
and the malicious target to compute the best placement for
the anchors. Our work is similar to [4][6], [17] which use
the information theoretic likelihood ratio test (LRT) approach
to verify the location of targets via RSS readings. We also
adopt the LRT framework but tackle the additional challenge
of having the anchors localize the target themselves.
B. Our Contributions
To the best of our knowledge, this is the first attempt
to model and incorporate audibility information to improve
location spoofing detection using a statistical approach based
on the missing-not-at-random (MNAR) [18] concept (explained
in Section II). The key contributions of this paper can be
summarized as follows:
We introduce the notion of audibility and develop a

framework for using it to improve the detection of
location spoofing attempts.
We design ELSA, an audibility-aware GLRT to detect
location spoofing attempts, and prove that it has
better detection performance than the conventional
non-audibility-aware GLRT.
We verify the efficacy of ELSA using both extensive
simulations and a real-world experimental dataset.
Notation: Uppercase letters denote random variables and
the corresponding lowercase letters their realizations, and bold
letters represent vectors. With a slight abuse of notation,
we use lowercase p(x) to represent both the probability
density function (pdf) and probability mass function (pmf),
and uppercase P (event) to represent the probability of
an event. The normal pdf is represented by N (x; , 2 ) =
(x)2
1 e 22 , and the
2
R x t2
1
e 2 dt. We use
2
standard normal cdf by (x) =
1() to denote the indicator function

which equals one if its argument () is true and zero otherwise.
Organization: The rest of this paper is organized as follows.
Section II presents a motivating example for our proposed
framework. The analytic model is introduced in Section III and
the problem formulation is presented in Section IV. Section
V discusses our experimental results. Finally, conclusions are
drawn in Section VI. An extended version of this paper,
including the proofs and appendices, can be found in [19].
II. E XAMPLE F OR P ROPOSED AUDIBILITY F RAMEWORK
We first illustrate with an example the concept of audibility
before elaborating how audibility aids in detecting the location
spoofing attacks.
A. How Audibility Aids in Location Spoofing Detection
Using the conventional trilateration technique [1], [13]
(without utilizing audibility information), distance estimates
from at least three different non-collinear anchors are needed
to localize a target. Otherwise, there may exist ambiguity. For
example, the target may be equally likely to be at two separate
regions as seen from the targets likelihood heat map in
Fig. 2a. However, this ambiguity can be significantly reduced
once we incorporate the audibility information (see Fig. 2b).
As a result, the bottom right region is now unlikely since
there exists a nearby anchor that does not receive any delay
measurement (not audible). Therefore, by taking advantage
of the missing delay measurements or the (in)audibility
information, we are able to relax the fundamental three
distance estimates assumption without using any additional
hardware or message exchanges. This leads to an improved
accuracy of the TOA localization algorithm at no extra cost.
The audibility information can be exploited because the
missing observations are missing-not-at-random (MNAR) as
termed by Rubin in his seminal work [18] where he developed
a statistical framework to account for missing data.
B. Toy Example on the Use of Audibility Information
Shown in Fig. 3 is a room with an anchor at each corner.
Suppose that a malicious target at the left side of the room
Things Journal
A3
A1
100
Maximum audible
distance of anchor 3
Adversary
200
Target
300
Anchor
400
Target
Anchor
Original
estimate
500
Proposed
estimate
600
(a) Log-likelihood heat map using conventional TOA approach.

120
Fig. 3. Proposed method where a malicious target attempts to spoof its

location by adding delays to the delay measurements between the target and
the anchor, denoted by t(target, anchor).
Anchor
100
A4
A2
700
0
1
Target
100
t propagation
200
80
300
60
t reply
A
t round
400
40
Target node
Anchor
500
600
20
700
0
0
t propagation
20
40
60
80
100
120
(b) Log-likelihood heat map using TOA with audibility information.

Fig. 2. Log-likelihood heat maps for the location of a target with three anchors
(of which two are audible). Regions with higher probabilities for the targets
location are represented by red.
(denoted by the circle) is in the audible range of two anchors

and wishes to spoof its location to appear at the other side
of the room (marked with a cross). The malicious target can
add additional delays to increase its TOA delay measurement
and hence increase the estimated distance from itself to the
two anchors. Using the conventional approaches, a detection
system will not be able to detect the location spoofing attempt
as there is insufficient contradictory information to raise
suspicions. However, using the additional implicit audibility
information as input, it is now unlikely that the target is located
at the cross since it is not in the range of the two anchors at the
right side of the room. The target is more likely to be located at
the square1 shown in Fig. 3. Hence, we can detect the location
spoofing attack by comparing the likelihood probabilities.
III. N ETWORK M ODEL
In this section, we introduce the definitions for audibility
and describe our system and threat models for the location
spoofing detection system which uses the TOA-based two-way
ranging (TWR) protocol.
A. Connectivity Model
In order for two nodes A and B to communicate with each
other, the transmitted signals should be audible to the other
1 Note that in actual scenarios, the location estimates may be a small region
of equally likely points (see Fig. 2) instead of an exact location point as in
Fig. 3, but the concept remains the same.
Fig. 4. Message exchanges of the two-way ranging (TWR) distance estimation

protocol [21]. The two time segments marked A and B represent the possible
points of attack by an adversary (see our threat model in Section III-C).
party. We adopt the widely used log-normal propagation (path

loss) model [1], [20] and define audibility as follows.
Definition 1 (Path loss model). The received signal power (in
dBm) by a node A located at A = [xA , yA ] from a signal
sent by node B which is located at B = [xB , yB ] is given
by
d (A , B )
+ r ,
d0
where Pt is the received power from node B at a reference
distance d0 (typically
1m), is the path-loss exponent,
q
Pr = Pt 10 log
d (A , B ) := (xA xB ) + (yA yB ) is the Euclidean

distance between nodes A and B, and r N 0, 2 is the
received power noise (due to the shadowing effect).
Definition 2 (Audibility). Node B is said to be audible to
node A if
d (A , B )
+ r ,
d0
where is a predefined threshold representing the receivers
sensitivity. Otherwise, it is said to be inaudible.
PR = PT 10 log
B. System Model
We consider a scenario where a fusion center receives
some delay measurements from its anchors and transmits the
measurements to a backend server for verifying a targets
location along with the following assumptions:
1) Assume a wireless network with n static anchors where
the location of the ith anchor (verifier) is denoted by
xi = [xi , yi ],
Things Journal
where its 2D coordinates xi , yi R for i {1, . . . , n}.

2) The true location of the target (prover) is denoted by
= [x , y ],
where its 2D coordinates x , y R. Depending on the
deployment scenario, we assume that there is a prior
distribution p() for the targets location. A uniform
prior can be assigned if the target is equally likely to
exist anywhere in the considered region.
3) We consider a scenario where the TWR protocol [21]
is used (see Fig. 4). The anchor transmits a request
packet to the target which then replies with a response
packet. Each anchor i in the communication range of
the target will receive a delay measurement [1] which
can be represented by:
ti =
d(, xi )
+ Wi ,
vp
(1)
where d (A , B ) is the Euclidean distance between

two locations A and B , vp is the signal propagation
speed, and Wi is the time delay error assumed to be
an i.i.d. Gaussian random variable2 given by Wi
2
).
N (0, W
4) In our audibility model, each anchor i in the
communication range of the target will receive a signal
with a received power Pi (see Definition 1) that is equal
or higher than the minimum signal receiving threshold
:
d(, xi )
+ i .
(2)
Pi = Pt 10 log
d0
The target is said to be audible to the anchor (see
Definition 2).
5) If an anchor i does not receive any signal from the
target, we can treat the received signal as having a
received power Pi that is less than the minimum signal
receiving threshold , i.e., Pi < . The target is said to
be inaudible to the anchor (see Definition 2).
6) We let ri be an indicator variable that depends on
whether the anchor i receives a delay measurement from
the target (see (2)):
(
1 if Pi ,
ri =
(3)
0 otherwise.
Empirical Support for Our Models: Our chosen TOA and
RSS models in (1) and (2) respectively are supported by the
experimental measurements obtained from [22].
environment is given by (1). A malicious target or anchor

(in the case of an internal adversary) can falsify the targets
location by adding a delay i before replying to a TWR request
message such that the received delay measurement becomes
ti =
d(, xi )
+ Wi + i ,
vp
i.i.d.
where we assume i N ( , 2 ). The malicious target can

insert the delay at point A (as shown in Fig. 4) in the TWR
protocol while a malicious anchor may insert the delay at point
B. The malicious targets may collude to fool the anchors by
appearing to be closer or further from them. This scenario is
accounted by the i.i.d. Gaussian attacker delay model in (4).
A positive attacker delay i will fool an anchor into believing
that the target is further away from its actual position while a
negative attacker delay i will make the target appear nearer
to the anchor than it really is. The collusion is assumed to
be limited to nearby nodes in the vicinity due to our i.i.d.
Gaussian attacker delay model. The Gaussian model is used
for analytical convenience as the adversary may be able to
launch distance enlargement or distance reduction attacks [23].
An external adversary (which cannot compromise nodes) may
increase the delay measurement by some i , which may not
necessarily be positive, by attacking the PHY layer [24].
IV. ELSA: E NHANCED L OCATION S POOFING D ETECTION
USING AUDIBILITY
We present the location spoofing detection test Enhanced
Location Spoofing Detection using Audibility (ELSA), which
utilizes both TOA measurements and the implicit audibility
information to verify that a target is not spoofing its delay
measurements.
A. Problem Formulation: Optimal Detection
In order to achieve this task, a common approach would
be to construct a binary hypothesis test to verify the
received delay measurements. The well-known likelihood
ratio test (LRT) which is the optimal test (justified by the
Neyman-Pearson lemma [14]) can be used to detect location
spoofing attempts under the two competing hypotheses:
H0 : no location spoofing
H1 : location spoofing attempt.
The LRT3 can be formulated as:
(t, r) ,
C. Threat Model
We consider an internal and external adversary whose goal
is to significantly perturb a targets perceived location by the
b from its true location by manipulating
fusion center
the response time of the target, thus affecting the TOA delay
measurements received by the anchors as discussed in our
example in Section II. Recall from Section III-B that the delay
measurement received at the ith anchor in a non-adversarial
2 Note
that Wi may also be from any other known parametric distribution.
(4)
p(t, r|H1 ) H1
,
p(t, r|H0 ) H0
(5)
where the bold letters t and r represent vectors of delay

observations t = [t1 , . . . , tn ] and audibility indicator values
r = [r1 , . . . , rn ] from the n anchors respectively, and is a
chosen threshold.
Under the Neyman-Pearson lemma, the LRT is the most
powerful test at each significance level (false alarm rate)
3 The
LRT for the conventional non-audibility-aware approach (see
Appendix-A of [19]) is (t) ,
p(t|H1 )
p(t|H0 )
H1
H0
Things Journal
for a threshold where p((t, r) > |H0 ) = . The

functions p(t, r|H0 ) and p(t, r|H1 ) represent the likelihood
functions for the null hypothesis and alternative hypothesis
respectively. Since we treat as an unknown random variable,
the likelihood functions can be formulated as
Z
p(t, r|Hj ) = p(t, r|, Hj )p(|Hj ) d
Z
= p(t|r, , Hj )p(r|, Hj )p(|Hj ) d.
However, a closed form expression to the above integral is
intractable due to the non-linear relationship in p(t, r|, Hj ).
Hence, the LRT in (5) is no longer applicable. Instead,
it is common to use the generalized likelihood ratio test
(GLRT) [14], given by
(t, r) ,
b H1 ) H1
p(t, r|H1 ,
MAP
,
0
b
p(t, r|H0 , H
MAP ) H0
(6)
where
we
approximate
p(t, r|Hj )
using
the
maximum-a-posteriori (MAP) estimate (see Appendix-B
j
bH
of [19]) given by
MAP =
n
X
d(, xi )
2
log N (ti ;
+ i , W
)1(ri = 1)
arg max
v
p
i=1
+
n
X
Parameter
Value (equivalent distance)
TOA noise, W
RSS noise,
Attacker delay mean,
Attacker delay s.d.,
Only positive attacker delays | | were used.
i
Path loss exponent,
Transmit power, Pt at d0 = 1 m
Signal receiving threshold,
108 s
(3 m)
10 dBm
4 108 s (12 m)
4 108 s (12 m)
(See Equation (4))
3.2
40 dBm
102 dBm
prove using the following theorem that ELSA provides better

detection rates than the conventional non-audibility-aware
GLRT for the same false alarm rate tradeoff.
Theorem 1. For a fixed false alarm rate, the proposed
audibility-aware GLRT will have a detection rate PdA that is
higher than the conventional GLRT PdNA which does not take
into account audibility, i.e.,
PdA PdNA .
V. E XPERIMENTAL R ESULTS AND D ISCUSSION
log P (ri = 1|, Hj )1(ri = 1)

(7)
B. Derivation of Test Statistic

Under the null hypothesis H0 , the likelihood function is
simply
b H0 ),
b H0 )p(r|H0 ,
b H0 ) = p(t|r, H0 ,
p(t, r|H0 ,
MAP
MAP
MAP
Proof. See Appendix-C of [19].
i=1
+ P (ri = 0|, Hj )1(ri = 0) + log p(|Hj ).
TABLE I
S IMULATION PARAMETERS
(8)
b H0
where p(t|r, H0 , MAP )

n h
i
Y
b H0 , xi )
d(
MAP
2
=
N (ti ;
, W
)1(ri = 1) + 1(ri = 0) ,
vp
i=1
In this section, we evaluate the performance of our proposed

detection test ELSA against the conventional GLRT (labeled
as original in the figures) which does not take into account
audibility (similar to the work in [17]), in terms of the location
spoofing detection performance. Both simulations and data
from a real-world dataset (available in [25]) were used in our
evaluation. The MATLAB code used to obtain the simulation
results is available as supplemental material, which can be
found at [19], [26]. Unless otherwise stated, the parameters in
Table I were used in our simulations.
A. Simulation Results using Synthetic Data
b H0 )
First, we study the effects of utilizing the audibility
and p(r|H0 ,
MAP
information
using simulations. We consider the scenario where
n h
i
Y
H
H
there
exist
three
anchors at the corners of a 100 m 100 m
0
0
b )1(ri = 1)+P (ri = 0|
b )1(ri = 0) .
=
P (ri = 1|
MAP
MAP
area
as
shown
in
Fig. 2 and the target is selected uniformly at
i=1
1
1
random inside this area (hence, p() = 100
100
). We used
Under the alternative hypothesis H1 ,
a grid search with a one meter granularity to search for the
b H1 ) = p(t|r, H1 ,
b H1 )p(r|H1 ,
b H1 ),
p(t, r|H1 ,
(9) optimal target location using the MAP approach (see (7)).
MAP
MAP
MAP
1) ROC Curve Performance: We use the receiver operating
b H1 )
where p(t|r, H1 ,
MAP
characteristic (ROC) curve to compare the detection and
n h
i false alarm performance of ELSA, against the conventional
Y
b H1 , xi )
d(
MAP
2
+ , W
+2 )1(ri = 1)+1(ri = 0) , non-audibility-aware GLRT. For a given decision rule , the
=
N (ti ;
vp
i=1
detection rate is given by
H1
b
and p(r|H1 , MAP )
P ((t, r) > |H1 ),
n h
i
Y
b H1 )1(ri = 1) + P (ri = 0|
b H1 )1(ri = 0) . and the false alarm rate is given by
=
P (ri = 1|
MAP
MAP
i=1
Substitution of the values obtain from (8) and (9) into

(6) will give the test statistic in (10). Algorithm 1 (see
[19]) summarizes the steps in the proposed ELSA. Next, we
P ((t, r) > |H0 ).

In Fig. 5, we plot the ROC curves for scenarios when
an attacker adds a positive delay to the delay measurements
Things Journal
"
#
b H1 , xi )
d(
MAP
2
N (ti ;
(t, r) =
+ , W
+ 2 )1(ri = 1) + 1(ri = 0)
v
p
i=1
" n
# " n
#
. Y
Y
b H0 , xi )
d(
MAP
2
H1
H1
b
b
, W )1(ri = 1) + 1(ri = 0)
P (ri = 1|MAP )1(ri = 1) + P (ri = 0|MAP )1(ri = 0)

N (ti ;
vp
i=1
i=1
" n
#
. Y
H1
H
H
0
0
b )1(ri = 1) + P (ri = 0|
b )1(ri = 0) .
P (ri = 1|
n
Y
MAP
MAP
H0
i=1
(10)
0.9
0.9
ELSA
0.8
0.8
Detection rate
Detection rate
0.7
0.6
0.5
0.4
0.7
Original
0.6
0.5
0.3
0.4
0.2
0
0
0.2
0.4
0.6
0.8
Var=1dBm
Var=3dBm
Var=5dBm
0.3
ELSA
Original
0.1
0.2
0
0.1
False alarm rate
0.9
0.8
0.8
0.7
0.7
Detection rate
Detection rate
1
0.9
0.6
ELSA, u0=5x108s(15m)
Original, u0=5x108s(15m)
ELSA, u0=3x108s(9m)
ELSA, u0=1x108s(3m)
0.3
0.2
0.1
0
0
0.2
0.4
0.6
0.4
0.5
0.6
Fig. 7. ROC curves for different RSS noise variance 2 with three anchors.
0.4
0.3
False alarm rate
Fig. 5. ROC curves for three anchors, of which two are audible (see Fig. 2).
0.5
0.2
0.8
ELSA
Original
Original
0.6
ELSA
0.5
ELSA
0.4
Original
0.3
Var=1x108s(3m)
Var=r11rx108s(10m)
Var=r44rx108s(20m)
0.2
0.1
1
False alarm rate
0
0
0.2
0.4
0.6
0.8
False alarm rate
Fig. 6. ROC curves for different attacker delay mean with three anchors.
2 with three anchors.

Fig. 8. ROC curves for different TOA noise variance W
received by the anchors and the target is in the range of exactly

two audible anchors. The ROC curve for ELSA indicates
a significantly better detection performance compared to the
conventional approach where it is difficult to detect the attack
without making use of additional information from the third
anchor. Despite a slight model mismatch, an attacker who
only adds positive delays does not significantly degrade the
detection rate of ELSA.
2) ROC Curve Performance under Different Conditions:
Next, we evaluate the performance of the GLRT tests for
different , , W parameters and randomize the target
locations for each iteration. The chosen signal receiving
threshold includes different inaudible scenarios depending
on the target location. In Fig. 6, we plot the ROC curves for
different attacker delay mean values. A higher value
perturbs the delay measurements further and increases the
spoofed distance of the target at the expense of increased
detection rate by the GLRT. Similar to Fig. 5, the detection
performance of the conventional GLRT is worse than ELSAs.

The impact of obstacles and multipaths can affect the
detection performance of the proposed test by increasing
the TOA observation noise variance [22]. Similarly, the RSS
variance will also increase due to the shadowing and multipath.
In Figs. 7 and 8, we vary the RSS noise variance 2 and TOA
2
noise variance W
respectively to verify that the proposed
ELSA can still function correctly under large noise variances.
Note that the performance of the conventional non-audibility
aware GLRT is largely unaffected by the RSS noise variance.
However, the performance of ELSA depends more heavily
on the RSS readings which affect the audibility information.
2
In Fig. 8, the detection rates for both tests drop as W
increases because the attacker delay is dominated by the TOA
observation noise. Hence, the impact of the attack also drops
2
when W
is high. Next, we increase the number of deployed
anchors and plot the detection performance in Fig. 9 for fixed
false alarm rates. We placed an anchor at each corner of the
Things Journal
7
Fig. 9. Detection rates for different number of anchors with fixed false alarm
rates (Pf ) of 0.02 and 0.05, using synthetic data.
Fig. 11. Detection rates for different number of anchors with = 61 dBm
for false alarm rates (Pf ) of 0.02 and 0.05, using the real-world dataset.
1
0.9
0.8
Detection rate
0.7
0.6
0.5
0.4
0.3
0.2
ELSA
Original
0.1
0
0
0.2
0.4
0.6
0.8
False alarm rate
Fig. 10. ROC curves with = 61 dBm and 41 different target locations
and three anchors, using the real-world dataset.
100 m 100 m area and another two anchors in the middle.

Similarly, the detection rate of the conventional approach
is less than the proposed ELSAs as it does not account
for audibility. However, the detection performance for both
tests will improve with diminishing returns as the number of
anchors increases.
B. Simulation Results using Real-World Dataset
To validate our proposed audibility framework, we use a
real-world dataset comprising TOA and RSS measurements
taken by Patwari et al. [22], [25], [27]. The considered network
consisted of 44 sensor nodes distributed in an office area
in Motorola Labs Florida Communications Research Lab,
in Plantation, FL. Both TOA and RSS measurements were
recorded between each sensor node and a high SNR was
maintained throughout the experiment to ensure the reliability
of the recorded data. We set the minimum signal receiving
threshold to add inaudible scenarios and evaluated the
performance of ELSA and the conventional approach under
different scenarios. We use three of the anchors (node numbers
10, 35, 44) as used by the original authors, and an attacker
delay mean of = 1.5 108 s (4.5 m approx.). The anchors
are located at the corners of the testbed.
ROC Curve Performance: In Fig. 10, we plot the ROC
curves for = 61 dBm. The chosen scenario includes a good
mix of different numbers of audible anchors and highlights
the superiority of ELSA compared to the conventional GLRT.

For a fixed false alarm rate, ELSA has a significantly higher
detection rate. The ROC curve for the conventional GLRT,
however, is closer to the diagonal line (not drawn) at low false
alarm rates which indicates its poorer detection rate trade-off.
In Fig. 11, we vary the number of deployed anchors and
plot the detection rates of the tests for a fixed false alarm
rate. ELSA offers improved detection performance compared
to the conventional approach, and this improved performance
is more significant in the real-world dataset compared to our
synthetic data as shown in Fig. 9. This could be due to the
limited target locations and their clustered distribution in the
real-world dataset whereas in our synthetic data, we uniformly
picked the location of each target in each iteration.
VI. C ONCLUSION
A new audibility-aware framework has been introduced
in this paper for detecting location spoofing attempts. We
showed how the conventional TOA-based method may not
be able to detect location spoofing attempts especially
during inaudible scenarios, and developed an audibility-aware
detection test called ELSA to do so. In addition, we have
also demonstrated that ELSA has better detection performance
compared to the conventional GLRT using experimental
results with both synthetic data and a real-world dataset.
A future research direction would be to investigate other
deployment environment-specific TOA, RSS-based, or even
energy-harvesting models to further improve existing detection
performance.
R EFERENCES
[1] N. Patwari, J. N. Ash, S. Kyperountas, A. Hero, R. L. Moses, and N. S.
Correal, Locating the nodes: Cooperative localization in wireless sensor
networks, IEEE Signal Process. Mag., vol. 22, no. 4, pp. 5469, Jul.
2005.
[2] I. Guvenc and C.-C. Chong, A survey on TOA based wireless
localization and NLOS mitigation techniques, IEEE Commun. Surveys
Tuts., vol. 11, no. 3, pp. 107124, Aug. 2009.
[3] IEEE Standard for IEEE Amendment to Part 15.3: Wireless Medium
Access Control (MAC) and Physical Layer (PHY) Specifications for
High Rate Wireless Personal Area Networks (WPAN): Amendment to
MAC Sublayer, IEEE Std 802.15.3b-2005 (Amendment to IEEE Std
802.15.3-2003), 2006.
Things Journal
[4] S. Yan, R. Malaney, I. Nevat, and G. Peters, An information theoretic
location verification system for wireless networks, in Proc. IEEE Global
Commun. Conf. (GLOBECOM), Dec. 2012, pp. 54155420.
[5] , Optimal information-theoretic wireless location verification,
IEEE Trans. Veh. Technol., vol. 63, no. 7, pp. 34103422, Sep. 2014.
[6] , Location verification systems for VANETs in Rician fading
channels , IEEE Trans. Veh. Technol. (accepted).
[7] F. Malandrino, C. Borgiattino, C. Casetti, C.-F. Chiasserini, M. Fiore,
and R. Sadao, Verification and inference of positions in vehicular
networks through anonymous beaconing, IEEE Trans. Mobile Comput.,
vol. 13, no. 10, pp. 24152428, Oct. 2014.
[8] M. Fiore, C. Ettore Casetti, C. Chiasserini, and P. Papadimitratos,
Discovery and verification of neighbor positions in mobile ad hoc
networks, IEEE Trans. Mobile Comput., vol. 12, no. 2, pp. 289303,
Feb. 2013.
[9] S. Capkun, K. Bonne Rasmussen, M. Cagalj, and M. Srivastava, Secure
location verification with hidden and mobile base stations, IEEE Trans.
Mobile Comput., vol. 7, no. 4, pp. 470483, Apr. 2008.
[10] Y. Wei and Y. Guan, Lightweight location verification algorithms for
wireless sensor networks, IEEE Trans. Parallel Distrib. Syst., vol. 24,
no. 5, pp. 938950, May 2013.
[11] J. Chiang, J. Haas, J. Choi, and Y.-C. Hu, Secure location verification
using simultaneous multilateration, IEEE Trans. Wireless Commun.,
vol. 11, no. 2, pp. 584591, Feb. 2012.
[12] N. Basilico, N. Gatti, M. Monga, and S. Sicari, Security games for node
localization through verifiable multilateration, IEEE Trans. Dependable
and Secure Comput., vol. 11, no. 1, pp. 7285, Jan. 2014.
[13] S. Misra, G. Xue, and S. Bhardwaj, Secure and robust localization in a
wireless ad hoc environment, IEEE Trans. Veh. Technol., vol. 58, no. 3,
pp. 14801489, Mar. 2009.
[14] J. Neyman and E. S. Pearson, On the problem of the most efficient
tests of statistical hypotheses, Philosophical Transactions of the Royal
Society of London. Series A, Containing Papers of a Mathematical or
Physical Character, vol. 231, pp. 289337, 1933.
[15] A. Vora and M. Nesterenko, Secure location verification using radio
broadcast, IEEE Trans. Dependable and Secure Comput., vol. 3, no. 4,
pp. 377385, Oct. 2006.
[16] R. Hasan, R. Khan, S. Zawoad, and M. Haque, WORAL: A witness
oriented secure location provenance framework for mobile devices,
IEEE Trans. Emerg. Topics Comput., vol. PP, no. 1, pp. 113, 2015.
[17] S. Yan, R. Malaney, I. Nevat, and G. Peters, Timing information in
wireless communications and optimal location verification frameworks,
in Proc. Australian Communications Theory Workshop (AusCTW), Feb.
2014, pp. 144149.
[18] D. B. Rubin, Inference and missing data, Biometrika, vol. 63, no. 3,
pp. 581592, 1976.
[19] J. Y. Koh, I. Nevat, D. Leong, and W.-C. Wong, Geo-spatial location
spoofing detection for Internet of Things, arXiv:1602.05335, 2016.
[20] T. Rappaport, Wireless Communications: Principles and Practice,
2nd ed. Upper Saddle River, NJ, USA: Prentice Hall PTR, 2001.
[21] IEEE Standard for Information technology Local and metropolitan
area networks Specific requirements Part 15.4: Wireless Medium
Access Control (MAC) and Physical Layer (PHY) Specifications for
Low-Rate Wireless Personal Area Networks (WPANs): Amendment 1:
Add Alternate PHYs, IEEE Std. 802.15.4a-2007, 2007.
[22] N. Patwari, A. Hero, M. Perkins, N. Correal, and R. ODea, Relative
location estimation in wireless sensor networks, IEEE Trans. Signal
Process., vol. 51, no. 8, pp. 21372148, Aug. 2003.
[23] M. Poturalski, M. Flury, P. Papadimitratos, J.-P. Hubaux, and J.-Y.
Le Boudec, The Cicada attack: Degradation and denial of service in
IR ranging, in Proc. IEEE Int. Conf. Ultra-Wideband (ICUWB), vol. 2,
Sep. 2010, pp. 14.
[24] L. Taponecco, P. Perazzo, A. DAmico, and G. Dini, On the
feasibility of overshadow enlargement attack on IEEE 802.15.4a distance
bounding, IEEE Commun. Lett., vol. 18, no. 2, pp. 257260, Feb. 2014.
[25] N. Patwari, A. Hero, M. Perkins, N. Correal, and
R. ODea, Wireless Sensor Network Localization Measurement
Repository, 2006 (accessed Nov. 11, 2015). [Online]. Available:
http://web.eecs.umich.edu/ hero/localize/
[26] MATLAB code for our simulation results, (accessed Nov. 11, 2015).
[Online]. Available: http://idonevat.wix.com/idonevat#!about2/c1hlk
[27] N. Patwari and S. K. Kasera, Robust location distinction using temporal
link signatures, in Proc. ACM Mobile Computing and Networking
(MobiCom), Sep. 2007, pp. 111122.
Jing Yang Koh received the B.Eng. degree in

computer engineering from Nanyang Technological
University, Singapore in 2013. He is currently
a Ph.D. candidate in the National University of
Singapore, Singapore and attached to the Institute for
Infocomm Research (I2 R), Singapore. His research
mainly focuses on using statistical signal processing,
machine learning, and optimization techniques for
wireless network security and privacy.
Ido Nevat received the B.Sc. degree in electrical

engineering from the Technion-Israel Institute of
Technology, Haifa, Israel in 1998 and the Ph.D.
degree in Electrical Engineering from the University
of NSW, Sydney, Australia, in 2010. From
2010-2013 he was a post doctoral research fellow
with the Wireless and Networking Technologies
Laboratory at CSIRO, Australia. Currently he is a
team leader at the Institute for Infocomm Research
(I2 R), Singapore. His main areas of interests include
statistical signal processing, machine learning and
Bayesian statistics.
Derek Leong is a scientist with the Sense
and Sense-abilities programme at the Institute
for Infocomm Research (I2 R), Singapore. He
received the B.S. degree in electrical and computer
engineering from Carnegie Mellon University in
2005, and the M.S. and Ph.D. degrees in
electrical engineering from the California Institute
of Technology in 2008 and 2013 respectively.
His research and development interests include
distributed systems and sensor networks.
Wai-Choong (Lawrence) Wong is Professor in the

Department of Electrical and Computer Engineering,
National University of Singapore (NUS). Since
joining NUS in 1983, he served in various leadership
positions at the department, faculty and university
levels. Prior to joining NUS in 1983, he was
a Member of Technical Staff at AT&T Bell
Laboratories, Crawford Hill Lab, NJ, USA, from
1980 to 1983. He received the B.Sc. and Ph.D.
degrees in Electronic and Electrical Engineering
from Loughborough University, UK. His research
interests include wireless and sensor networks and systems, ambient intelligent
platforms, localization and source matched transmission techniques with over
280 publications and 5 patents in these areas. He has received several awards
including the IEEE Marconi Premium Award in 1989, IEEE Millennium
Award in 2000, e-nnovator Awards (Open Category) in 2000, Best Paper
Award at the IEEE International Conference on Multimedia and Expo (ICME)
2006, and Best Paper Award at the 2nd International Conference on Ambient
Computing, Applications, Services and Technology (AMBIENT), 2012.

Geo-Spatial Location Spoofing Detection For Internet of Things

Cargado por

Información del documento

Título original

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

Geo-Spatial Location Spoofing Detection For Internet of Things

Cargado por

Copyright:

Formatos disponibles

This article has been accepted for publication in a future issue of this journal, but has not been

Geo-spatial Location Spoofing Detection for

AbstractWe develop a new location spoofing detection

Legacy IoT system

to spoof its location by affecting the delay measurements

without changing existing client IoT devices or network

We introduce the notion of audibility and develop a

standard normal cdf by (x) =

1() to denote the indicator function

(a) Log-likelihood heat map using conventional TOA approach.

Fig. 3. Proposed method where a malicious target attempts to spoof its

(b) Log-likelihood heat map using TOA with audibility information.

(denoted by the circle) is in the audible range of two anchors

Fig. 4. Message exchanges of the two-way ranging (TWR) distance estimation

party. We adopt the widely used log-normal propagation (path

d (A , B ) := (xA xB ) + (yA yB ) is the Euclidean

where its 2D coordinates xi , yi R for i {1, . . . , n}.

where d (A , B ) is the Euclidean distance between

environment is given by (1). A malicious target or anchor

where we assume i N ( , 2 ). The malicious target can

that Wi may also be from any other known parametric distribution.

where the bold letters t and r represent vectors of delay

LRT for the conventional non-audibility-aware approach (see

Appendix-A of [19]) is (t) ,

for a threshold where p((t, r) > |H0 ) = . The

Value (equivalent distance)

prove using the following theorem that ELSA provides better

V. E XPERIMENTAL R ESULTS AND D ISCUSSION

log P (ri = 1|, Hj )1(ri = 1)

B. Derivation of Test Statistic

Proof. See Appendix-C of [19].

+ P (ri = 0|, Hj )1(ri = 0) + log p(|Hj ).

where p(t|r, H0 , MAP )

In this section, we evaluate the performance of our proposed

Substitution of the values obtain from (8) and (9) into

P ((t, r) > |H0 ).

P (ri = 1|MAP )1(ri = 1) + P (ri = 0|MAP )1(ri = 0)

False alarm rate

False alarm rate

False alarm rate

False alarm rate

2 with three anchors.

received by the anchors and the target is in the range of exactly

performance of the conventional GLRT is worse than ELSAs.

False alarm rate

100 m 100 m area and another two anchors in the middle.

the superiority of ELSA compared to the conventional GLRT.

Jing Yang Koh received the B.Eng. degree in

Ido Nevat received the B.Sc. degree in electrical

Wai-Choong (Lawrence) Wong is Professor in the

También podría gustarte