Documentos de Académico
Documentos de Profesional
Documentos de Cultura
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
1
I. I NTRODUCTION
Wireless localization has been an active research topic
in the last decade due to its significance in many existing
applications. In particular, the area of detecting location
spoofing attempts has become increasingly important. With
the expansion of the Internet of Things (IoT), more and
more users are expecting reliable and trustworthy estimates
of the locations of the things in their systems. Without
reliable information, location-based services may be severely
disrupted, causing inconvenience to end users or even resulting
in the loss of human lives especially in hazardous applications.
Spatially deployed anchors (or reference nodes) can be
used to estimate the distance of targets in the range-based
time-of-arrival (TOA) localization techniques [1][3].
Specifically, we focus on the TOA-based two-way ranging
(TWR) protocol [1][3] where a target (user device or tag)
simply needs to reply to range request packets sent from
the anchors. This enables the anchors to estimate their
distances from the target by making use of the time of flight
(delay) information. However, a malicious target can attempt
J. Y. Koh, I. Nevat, and D. Leong are with the Institute for Infocomm
Research (I2 R), Singapore. W.-C. Wong is with the Department of Electrical
and Computer Engineering, National University of Singapore.
The work of J. Y. Koh was supported in part by the Agency for Science,
Technology and Research (A*STAR) Graduate Scholarship. The work of
I. Nevat was supported in part by A*STAR, Singapore, under SERC Grant
1224104048. The work of D. Leong was supported in part by A*STAR,
Singapore, under SERC Grant 1224104049.
Copyright (c) 2016 IEEE. Personal use of this material is permitted.
However, permission to use this material for any other purposes must be
obtained from the IEEE by sending a request to pubs-permissions@ieee.org.
Anchor 1
Proposed
detection
test ELSA
Two-Way Ranging
Protocol
Internet
Anchor 2
Anchor 3
Fusion center
Fig. 1. System model with a target, multiple anchors, and a fusion center. The
target is inaudible to anchor 1 and audible to anchors 2, 3, and 4. The proposed
detection test ELSA can be implemented at the backend server which receives
the TOA delay measurements from the anchors via the fusion center, without
changing the legacy IoT system.
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
A. Related Work
Location verification schemes have mainly relied on either
the TOA or received signal strength (RSS) range-based
approaches. In range-based approaches, deterministic
geometrical boundaries are often used to decide whether to
accept or reject localization claims. Vora et al. [15] adopt
a geometric approach to detect location spoofing attacks,
using sharply defined boundaries for acceptance (circular
zone) and rejection (polygonal zone), with an ambiguity
zone between the two boundaries. Audibility is assumed
to be guaranteed within the circular acceptance zone. Such
deterministic methods do not account for the variance of
the naturally occurring noise. Our statistical model, on the
other hand, generalizes this approach by accounting for the
naturally occurring observation noise via a Gaussian noise
2
term (see (1)) Wi N (0, W
). The geometric approach is
therefore a special case of our model where Wi N (0, 0).
In addition, several works used cryptographic security
protocols and message exchanges to prevent location spoofing
attacks. The work in [16] presents a framework for using
witness nodes to validate the location of targets via a
cryptographic asserted location proof protocol to verify their
distances to the target. Next, [8] presents a similar but
distributed cooperative witnesses protocol to verify location
claims through a series of message exchanges. Likewise, [10]
proposes a method to check if the target lies within a claimed
region and whether the claimed location exceeds a reasonable
bound. Distance bounding protocols (e.g., [11]) have also
been proposed to verify that a target is located within a
geometric region from the anchors. This is achieved by rapidly
exchanging messages based on random nonces to bound the
distances between the target and the anchors.
Special features such as anonymous beacons are used in [7]
to verify a target location. Capkun et al. [9] further use hidden
and mobile anchors not known by the adversary to verify the
location of targets via a simple challenge-response scheme.
Basilico et al. [12] model the location verification problem
as a non-cooperative two-player game between the anchors
and the malicious target to compute the best placement for
the anchors. Our work is similar to [4][6], [17] which use
the information theoretic likelihood ratio test (LRT) approach
to verify the location of targets via RSS readings. We also
adopt the LRT framework but tackle the additional challenge
of having the anchors localize the target themselves.
B. Our Contributions
To the best of our knowledge, this is the first attempt
to model and incorporate audibility information to improve
location spoofing detection using a statistical approach based
on the missing-not-at-random (MNAR) [18] concept (explained
in Section II). The key contributions of this paper can be
summarized as follows:
(x)2
1 e 22 , and the
2
R x t2
1
e 2 dt. We use
2
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
A3
A1
100
Maximum audible
distance of anchor 3
Adversary
200
Target
300
Anchor
400
Target
Anchor
Original
estimate
500
Proposed
estimate
600
Anchor
100
A4
A2
700
0
1
Target
100
t propagation
200
80
300
60
t reply
A
t round
400
40
Target node
Anchor
500
600
20
700
0
0
t propagation
20
40
60
80
100
120
B. System Model
We consider a scenario where a fusion center receives
some delay measurements from its anchors and transmits the
measurements to a backend server for verifying a targets
location along with the following assumptions:
1) Assume a wireless network with n static anchors where
the location of the ith anchor (verifier) is denoted by
xi = [xi , yi ],
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
d(, xi )
+ Wi ,
vp
(1)
d(, xi )
+ Wi + i ,
vp
i.i.d.
C. Threat Model
We consider an internal and external adversary whose goal
is to significantly perturb a targets perceived location by the
b from its true location by manipulating
fusion center
the response time of the target, thus affecting the TOA delay
measurements received by the anchors as discussed in our
example in Section II. Recall from Section III-B that the delay
measurement received at the ith anchor in a non-adversarial
2 Note
(4)
p(t, r|H1 ) H1
,
p(t, r|H0 ) H0
(5)
p(t|H1 )
p(t|H0 )
H1
H0
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
b H1 ) H1
p(t, r|H1 ,
MAP
,
0
b
p(t, r|H0 , H
MAP ) H0
(6)
where
we
approximate
p(t, r|Hj )
using
the
maximum-a-posteriori (MAP) estimate (see Appendix-B
j
bH
of [19]) given by
MAP =
n
X
d(, xi )
2
log N (ti ;
+ i , W
)1(ri = 1)
arg max
v
p
i=1
+
n
X
Parameter
TOA noise, W
RSS noise,
Attacker delay mean,
Attacker delay s.d.,
Only positive attacker delays | | were used.
i
Path loss exponent,
Transmit power, Pt at d0 = 1 m
Signal receiving threshold,
108 s
(3 m)
10 dBm
4 108 s (12 m)
4 108 s (12 m)
(See Equation (4))
3.2
40 dBm
102 dBm
i=1
TABLE I
S IMULATION PARAMETERS
(8)
b H0
b H0 )
First, we study the effects of utilizing the audibility
and p(r|H0 ,
MAP
information
using simulations. We consider the scenario where
n h
i
Y
H
H
there
exist
three
anchors at the corners of a 100 m 100 m
0
0
b )1(ri = 1)+P (ri = 0|
b )1(ri = 0) .
=
P (ri = 1|
MAP
MAP
area
as
shown
in
Fig. 2 and the target is selected uniformly at
i=1
1
1
random inside this area (hence, p() = 100
100
). We used
Under the alternative hypothesis H1 ,
a grid search with a one meter granularity to search for the
b H1 ) = p(t|r, H1 ,
b H1 )p(r|H1 ,
b H1 ),
p(t, r|H1 ,
(9) optimal target location using the MAP approach (see (7)).
MAP
MAP
MAP
1) ROC Curve Performance: We use the receiver operating
b H1 )
where p(t|r, H1 ,
MAP
characteristic (ROC) curve to compare the detection and
n h
i false alarm performance of ELSA, against the conventional
Y
b H1 , xi )
d(
MAP
2
+ , W
+2 )1(ri = 1)+1(ri = 0) , non-audibility-aware GLRT. For a given decision rule , the
=
N (ti ;
vp
i=1
detection rate is given by
H1
b
and p(r|H1 , MAP )
P ((t, r) > |H1 ),
n h
i
Y
b H1 )1(ri = 1) + P (ri = 0|
b H1 )1(ri = 0) . and the false alarm rate is given by
=
P (ri = 1|
MAP
MAP
i=1
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
"
#
b H1 , xi )
d(
MAP
2
N (ti ;
(t, r) =
+ , W
+ 2 )1(ri = 1) + 1(ri = 0)
v
p
i=1
" n
# " n
#
. Y
Y
b H0 , xi )
d(
MAP
2
H1
H1
b
b
, W )1(ri = 1) + 1(ri = 0)
MAP
MAP
H0
i=1
(10)
0.9
0.9
ELSA
0.8
0.8
Detection rate
Detection rate
0.7
0.6
0.5
0.4
0.7
Original
0.6
0.5
0.3
0.4
0.2
0
0
0.2
0.4
0.6
0.8
Var=1dBm
Var=3dBm
Var=5dBm
0.3
ELSA
Original
0.1
0.2
0
0.1
0.9
0.8
0.8
0.7
0.7
Detection rate
Detection rate
1
0.9
0.6
ELSA, u0=5x108s(15m)
Original, u0=5x108s(15m)
ELSA, u0=3x108s(9m)
Original, u0=3x108s(9m)
ELSA, u0=1x108s(3m)
Original, u0=1x108s(3m)
0.3
0.2
0.1
0
0
0.2
0.4
0.6
0.4
0.5
0.6
Fig. 7. ROC curves for different RSS noise variance 2 with three anchors.
0.4
0.3
Fig. 5. ROC curves for three anchors, of which two are audible (see Fig. 2).
0.5
0.2
0.8
ELSA
Original
Original
0.6
ELSA
0.5
ELSA
0.4
Original
0.3
Var=1x108s(3m)
Var=r11rx108s(10m)
Var=r44rx108s(20m)
0.2
0.1
1
0
0
0.2
0.4
0.6
0.8
Fig. 6. ROC curves for different attacker delay mean with three anchors.
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
7
Fig. 9. Detection rates for different number of anchors with fixed false alarm
rates (Pf ) of 0.02 and 0.05, using synthetic data.
Fig. 11. Detection rates for different number of anchors with = 61 dBm
for false alarm rates (Pf ) of 0.02 and 0.05, using the real-world dataset.
1
0.9
0.8
Detection rate
0.7
0.6
0.5
0.4
0.3
0.2
ELSA
Original
0.1
0
0
0.2
0.4
0.6
0.8
Fig. 10. ROC curves with = 61 dBm and 41 different target locations
and three anchors, using the real-world dataset.
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2016.2535165, IEEE Internet of
Things Journal
[4] S. Yan, R. Malaney, I. Nevat, and G. Peters, An information theoretic
location verification system for wireless networks, in Proc. IEEE Global
Commun. Conf. (GLOBECOM), Dec. 2012, pp. 54155420.
[5] , Optimal information-theoretic wireless location verification,
IEEE Trans. Veh. Technol., vol. 63, no. 7, pp. 34103422, Sep. 2014.
[6] , Location verification systems for VANETs in Rician fading
channels , IEEE Trans. Veh. Technol. (accepted).
[7] F. Malandrino, C. Borgiattino, C. Casetti, C.-F. Chiasserini, M. Fiore,
and R. Sadao, Verification and inference of positions in vehicular
networks through anonymous beaconing, IEEE Trans. Mobile Comput.,
vol. 13, no. 10, pp. 24152428, Oct. 2014.
[8] M. Fiore, C. Ettore Casetti, C. Chiasserini, and P. Papadimitratos,
Discovery and verification of neighbor positions in mobile ad hoc
networks, IEEE Trans. Mobile Comput., vol. 12, no. 2, pp. 289303,
Feb. 2013.
[9] S. Capkun, K. Bonne Rasmussen, M. Cagalj, and M. Srivastava, Secure
location verification with hidden and mobile base stations, IEEE Trans.
Mobile Comput., vol. 7, no. 4, pp. 470483, Apr. 2008.
[10] Y. Wei and Y. Guan, Lightweight location verification algorithms for
wireless sensor networks, IEEE Trans. Parallel Distrib. Syst., vol. 24,
no. 5, pp. 938950, May 2013.
[11] J. Chiang, J. Haas, J. Choi, and Y.-C. Hu, Secure location verification
using simultaneous multilateration, IEEE Trans. Wireless Commun.,
vol. 11, no. 2, pp. 584591, Feb. 2012.
[12] N. Basilico, N. Gatti, M. Monga, and S. Sicari, Security games for node
localization through verifiable multilateration, IEEE Trans. Dependable
and Secure Comput., vol. 11, no. 1, pp. 7285, Jan. 2014.
[13] S. Misra, G. Xue, and S. Bhardwaj, Secure and robust localization in a
wireless ad hoc environment, IEEE Trans. Veh. Technol., vol. 58, no. 3,
pp. 14801489, Mar. 2009.
[14] J. Neyman and E. S. Pearson, On the problem of the most efficient
tests of statistical hypotheses, Philosophical Transactions of the Royal
Society of London. Series A, Containing Papers of a Mathematical or
Physical Character, vol. 231, pp. 289337, 1933.
[15] A. Vora and M. Nesterenko, Secure location verification using radio
broadcast, IEEE Trans. Dependable and Secure Comput., vol. 3, no. 4,
pp. 377385, Oct. 2006.
[16] R. Hasan, R. Khan, S. Zawoad, and M. Haque, WORAL: A witness
oriented secure location provenance framework for mobile devices,
IEEE Trans. Emerg. Topics Comput., vol. PP, no. 1, pp. 113, 2015.
[17] S. Yan, R. Malaney, I. Nevat, and G. Peters, Timing information in
wireless communications and optimal location verification frameworks,
in Proc. Australian Communications Theory Workshop (AusCTW), Feb.
2014, pp. 144149.
[18] D. B. Rubin, Inference and missing data, Biometrika, vol. 63, no. 3,
pp. 581592, 1976.
[19] J. Y. Koh, I. Nevat, D. Leong, and W.-C. Wong, Geo-spatial location
spoofing detection for Internet of Things, arXiv:1602.05335, 2016.
[20] T. Rappaport, Wireless Communications: Principles and Practice,
2nd ed. Upper Saddle River, NJ, USA: Prentice Hall PTR, 2001.
[21] IEEE Standard for Information technology Local and metropolitan
area networks Specific requirements Part 15.4: Wireless Medium
Access Control (MAC) and Physical Layer (PHY) Specifications for
Low-Rate Wireless Personal Area Networks (WPANs): Amendment 1:
Add Alternate PHYs, IEEE Std. 802.15.4a-2007, 2007.
[22] N. Patwari, A. Hero, M. Perkins, N. Correal, and R. ODea, Relative
location estimation in wireless sensor networks, IEEE Trans. Signal
Process., vol. 51, no. 8, pp. 21372148, Aug. 2003.
[23] M. Poturalski, M. Flury, P. Papadimitratos, J.-P. Hubaux, and J.-Y.
Le Boudec, The Cicada attack: Degradation and denial of service in
IR ranging, in Proc. IEEE Int. Conf. Ultra-Wideband (ICUWB), vol. 2,
Sep. 2010, pp. 14.
[24] L. Taponecco, P. Perazzo, A. DAmico, and G. Dini, On the
feasibility of overshadow enlargement attack on IEEE 802.15.4a distance
bounding, IEEE Commun. Lett., vol. 18, no. 2, pp. 257260, Feb. 2014.
[25] N. Patwari, A. Hero, M. Perkins, N. Correal, and
R. ODea, Wireless Sensor Network Localization Measurement
Repository, 2006 (accessed Nov. 11, 2015). [Online]. Available:
http://web.eecs.umich.edu/ hero/localize/
[26] MATLAB code for our simulation results, (accessed Nov. 11, 2015).
[Online]. Available: http://idonevat.wix.com/idonevat#!about2/c1hlk
[27] N. Patwari and S. K. Kasera, Robust location distinction using temporal
link signatures, in Proc. ACM Mobile Computing and Networking
(MobiCom), Sep. 2007, pp. 111122.
2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.