UFDC Home  myUFDC Home  Help 



Full Text  
PAGE 1 1 ENHANCING THE ROBUSTNESS AND SECURITY OF LOCALIZATION SCHEMES THROUGH EFFECTIVE LOCA TION VERIFICATI ON IN WIRELESS SENSOR NETWORKS By DAWOOD ALABRI A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLOR IDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY UNIVERSITY OF FLORIDA 2008 PAGE 2 2 2008 Dawood AlAbri PAGE 3 3 To my family PAGE 4 4 ACKNOWLEDGMENTS I am very grateful for Dr. Janise McNair for her patience, guidance, and encouragement during the course of this work. Her openness and support to my investigative ideas had helped me to become a better researcher. I am also thankful for Dr. John Shea, Dr. Liuqing Yang, and Dr. Shigang Chen for serving on my Ph.D. committee. Their valuable comments and constructive criticism help improve the quality of this work greatly. Special thanks are also due to Dr. Abdelsalam Helal for his insightful suggestions and for his help even when he is thousands of mile s away in his sabbatical leave. Many thanks are due to former lab members (Yuan Gao, Fang Zhu, Katiheya Tripathi, and Hetal Patel) for their advice and ma ny discussions that made my first days in research a lot easier and more comfortable. Thanks are also due to the current lab members (Gustavo Vejarano, Dexiang Wang, Xiaoyuan Li, Madhan Sivakumar, and Arvindhan Kumar) for their fresh and stimulating questions that give me a new perspective and help me focus my ideas. I am very grateful for my wife, Latifa, for her encouragement and patience with me; something that help me reach this far. Tha nks also to my daughter, Hanneen, whose innocence and smiles took away a lot of the research stress. Finally, I would like to thank my family a nd my wifes family for their constant encouragement and support. PAGE 5 5 TABLE OF CONTENTS page ACKNOWLEDGMENTS...............................................................................................................4 LIST OF TABLES................................................................................................................. ..........8 LIST OF FIGURES.........................................................................................................................9 ABSTRACT...................................................................................................................................12 CHAP TER 1 INTRODUCTION..................................................................................................................15 2 BACKGROUND.................................................................................................................... 17 2.1 Wireless Sensor Networks............................................................................................ 17 2.2 Localization in W ireless Sensor Networks................................................................... 17 2.3 Secure Localization in W i reless Sensor Networks....................................................... 19 2.4 Localization Error .........................................................................................................19 2.5 Location Verification ....................................................................................................20 2.6 Scheduling in W ireless Sensor Networks..................................................................... 21 3 COMMUNICATION RANGEBASED LOCATION VE RI FICATION FOR WIRELESS SENSOR NETWORKS..................................................................................... 24 3.1 Introduction ................................................................................................................... 24 3.2 Related W ork................................................................................................................ 27 3.3 Network Model and Assum ptions................................................................................. 29 3.4 The COmmunication Range VAr iation (CORVA) Protocol ........................................30 3.5 Coverage Analysis ........................................................................................................ 31 3.5.1 Notation ............................................................................................................32 3.5.2 Coverage Probability ......................................................................................... 33 3.5.2.1 Circular region ....................................................................................37 3.5.2.2 Defor med circular region.................................................................... 37 3.5.2.3 Probability of verification in the rectangular network model............. 39 3.5.2.4 Coverage probability results ............................................................... 40 3.6 Security Analysis .......................................................................................................... 41 3.6.1 Single Malicious NodeNor mal Capabilities................................................... 42 3.6.2 Single Malicious NodeBig Ear and Mouth (BEM) Node ............................... 42 3.6.3 Several Colluding Malicious Nodes..................................................................44 3.6.3.1 Location spoofing attack..................................................................... 44 3.6.3.2 Wor mhole attack................................................................................. 46 3.7 Practical Considerations ................................................................................................46 3.7.1 Energy Consum ption......................................................................................... 47 3.7.2 Impact of Inhomogeneous Communication Range...........................................49 PAGE 6 6 3.7.3 Impact of Physical Channel Impairment........................................................... 51 3.7.3.1 Shadowing impact ..............................................................................53 3.7.3.2 Rayleigh fading im pact...................................................................... 54 3.7.3.3 Com bined lognormal shadowing and Rayleigh fading impact.......... 55 3.7.3.4 Misclassification of a norm al node as BEM node............................. 57 3.8 Summ ary.......................................................................................................................58 4 CONTENTIONBASED PROTOCOL FOR S CHEDULING VERIFICATION REQUESTS IN WIRELESS SENSOR NETWORKS........................................................... 72 4.1 Introduction ................................................................................................................... 72 4.2 The Network Model ......................................................................................................74 4.3 The RESTRAIN Protocol .............................................................................................75 4.3.1 Node Operation ................................................................................................. 77 4.3.2 Server Operation ............................................................................................... 78 4.3.3 Exam ple ............................................................................................................ 79 4.4 Numerical Results......................................................................................................... 82 4.4.1 The RESTRAIN Protocol Perform ance............................................................ 82 4.4.2 Comparison with TDMAlike Clus teringbased (TLCB) Scheduling Schemes ............................................................................................................ 83 4.5 Summ ary.......................................................................................................................85 5 IMPACT OF LOCALIZATION ERROR ON T HE PERFORMANCE OF LOCATION VERIFICATION SCHEMES.................................................................................................90 5.1 Introduction ................................................................................................................... 90 5.2 Case Study: The CORVA Protocol ............................................................................... 92 5.2.1 Probability of Verification in the Pres ence of Localization E rror given that no CRV is Detected........................................................................................... 93 5.2.2 Probability of not Detecting a Communication Range Violation ..................... 94 5.2.3 Numerical Results............................................................................................. 96 5.3 Proposed Localization and Locati on Verification Server Model .................................. 97 5.3.1 Localization Server ...........................................................................................97 5.3.2 Location Verification Server .............................................................................98 5.3.3 Classifications ...................................................................................................98 5.3.3.1 Discrete localization (DL) .................................................................. 98 5.3.3.2 Continuous localization (CL) ............................................................. 98 5.3.3.3 Continuous location verification (CLV) ............................................. 99 5.3.3.4 Discrete location verification (DLV) .................................................. 99 5.4 Perform ance Analysis................................................................................................. 100 5.4.1 Continuous Location Verification A nalysis.................................................... 101 5.4.1.1 Discrete localizationcontinuous verification ................................... 101 5.4.1.2 Continuous localization continuous verification ............................ 101 5.4.2 Discrete Location Verification Analysis .........................................................102 5.4.2.1 Discrete localizationdi screte verification ........................................102 5.4.2.2 Continuous localizationdi screte verification ................................... 103 5.5 Numerical Results....................................................................................................... 103 PAGE 7 7 5.6 Summ ary.....................................................................................................................105 6 LVFEED: LOCATION VERIFICA TION FEE DBACK TO IMPROVE LOCALIZATION ACCURACY IN WIRELESS SENSOR NETWORKS........................ 111 6.1 Introduction ................................................................................................................. 111 6.2 Terminology and Assumptions................................................................................... 112 6.2.1 Term inology and Notation.............................................................................. 112 6.2.2 Assum ptions.................................................................................................... 114 6.3 LVFEED: LV Feedback Schem es to Improve Localization Accuracy..................... 115 6.3.1 LVFEED for MILEN ETs............................................................................. 115 6.3.1.1 DLVFEED for MILENETs ............................................................115 6.3.1.2 CLVFEED for MILENETs ............................................................. 116 6.3.2 LVFEED for SILENETs .............................................................................. 116 6.3.2.1 Correction angle j ~ estimation........................................................ 117 6.3.2.2 Deviation distance ............................................................................ 118 6.3.2.3 Optim al correction distance.............................................................. 119 6.3.2.4 Modifications for DLVbased schemes............................................119 6.3.2.5 Modifications for networks w ith discrete localization ..................... 120 6.3.3 Impact of Angular Bias................................................................................... 121 6.3.4 Percentage of Node Meeting th e Network Accuracy Requirem ent................ 124 6.4 Numerical Results....................................................................................................... 127 6.5 Summ ary.....................................................................................................................129 7 SUMMARY AND DIRECTIONS FOR FUTURE WORK................................................. 136 7.1 Summ ary.....................................................................................................................136 7.2 Directions for Future Work ......................................................................................... 137 LIST OF REFERENCES.............................................................................................................140 BIOGRAPHICAL SKETCH.......................................................................................................144 PAGE 8 8 LIST OF TABLES Table page 41. Default simulation parameters............................................................................................. ...86 51. CDF or probability of veri fication for the four cases. .......................................................... 107 PAGE 9 9 LIST OF FIGURES Figure page 31. The use of location verification to enha nce the security of nonsecure localization schem es and overall network security...............................................................................59 32. Network model............................................................................................................. ......59 33. Construction of a tr iangle enclosing a point p using three points out 3 N....................60 34. A circle cut by a line at distance LXfrom the center p .....................................................60 35. A circle of radius r cut by another circle of radius R .......................................................61 36. Coverage Probability for a network with dim ensions (a) 200x200 and (b) 40x40............ 62 37. Location spoofing attack: BEM and colluding malicious nodes....................................... 63 38. View of a BEM node range extracted from a simulation run where verifier density is 0.013...................................................................................................................................63 39. Probability of BEM attack detection for different BEM ranges ........................................ 64 310. Relative probability (with respect to th e AVL base schem e) of detection for two RLDS and two CBDS schemes......................................................................................... 65 311. Probability of verification when there are two classes of verifiers in the network with communication ranges as given in the R array...................................................................65 312. )( VVPs as a function of the shadowing standard deviation for various values of path loss exponent and verification tolerance............................................................................ 66 313. )( VVPs as a function of the shadowing standard deviation for various values of path loss exponent and verification tolera nce for the 1outofN scheme................................. 67 314. )( VVPs for the 1outofN scheme as a function of N for various values of path loss exponent and verification tolerance................................................................................... 68 315. )(VVPf as a function of the pa th loss exponent for various verification tolerance......... 68 316. )(VVPf for the 1outN scheme as a function of the path loss exponent for various verification tolerance and values ofN...............................................................................69 317. )(VVPfs as a function of the shadowing standa rd deviation for various values of path loss exponent and verifi cation tolerance in the pr esence of shadowing and fading.................................................................................................................................69 PAGE 10 10 318. )(VVPfs as a function of the shadowing standa rd deviation for various values of path loss exponent and verifi cation tolerance for the 1outofN scheme in the presence of shadowing and fading.....................................................................................70 319. )( VVPs for the 1outofN scheme as a function of N for various values of path loss exponent and verification to lerance in the presence of shadowing and fading................. 71 320. Probability of misclassification of a norm al node as a BEM node in the presence of shadowing and fading........................................................................................................71 41. Illustration of servers operati on in the RESTRAINR Protocol. ....................................... 86 42. The average number of requests comple ted for the exponential (E) and random (R) versions of the RESTRAIN protocol for different combination of SRTandRpSB...........87 43. The average response delay for the exponen tial (E) and random (R ) versions of the RESTRAIN protocol for different combination of SRTandRpSB...................................87 44. The average number of requests comple ted for the exponential (E) and random (R) versions of the RESTRAIN prot ocol for different values ofDLC....................................88 45. The average response delay for the exponen tial (E) and random (R ) versions of the RESTRAIN protocol for different values ofDLC.............................................................88 46. The average number of request s com pleted for various schemes...................................... 89 47. The average response delay for various schemes.............................................................. 89 51. A node located at Lestimates its location to beL...........................................................107 52. Impact of localization error on verificati on probability for tw o values of tolerance ... 108 53. A general highlevel model to study the imp act of localization error on L V protocols.. 109 54. The performance results (p robability of verification fo r DLVs and CDF of deviation distance for CLVs) for the four analyzed combinations of localization and LV schemes............................................................................................................................110 61. Illustration of some notions used in this chapter. ............................................................ 130 62. An overview of LV based feedback a pproach to im prove localization accuracy............ 130 63. DLVFEED for MILENETs...........................................................................................131 64. CLVFEED for MILENETs........................................................................................... 131 65. One iteration of the CLVFEED fo r SILENETs PDUCAOS algorithm ..................... 132 PAGE 11 11 66. Percentage of nodes meeting the network accuracy requirement k at the kth iteration for MILENETs and SILENETs......................................................................133 67. Percentage of nodes meeting the network accuracy requirement k at the kth iteration for networks with discrete localization.............................................................. 134 68. Percentage of nodes meeting the network accuracy requirement k at the kth iteration for SILENET when the x and ylocalization error components have different standard deviation.............................................................................................135 PAGE 12 12 Abstract of Dissertation Pres ented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy ENHANCING THE ROBUSTNESS AND SECU RITY OF LOCALIZATION SCHEMES THROUGH EFFECTIVE LOCATION VERI FICATION IN WI RELESS SENSOR NETWORKS By Dawood AlAbri May 2008 Chair: Janise McNair Major: Electrical and Computer Engineering A wireless sensor network consists of a large collection of sensors that are sampling one or more environment variables and forwarding the measurements toward data sinks. In most applications, there is a need to associate the da ta with the location where the measurements are taken to deliver meaningful information to the user. As result, many localization schemes have been developed. Unfortunately, the majority of these schemes assume a nonhostile environment and consequently are susceptible to security attacks. Recently, researchers have begun to focus on secure localization schemes. However, most of these schemes are complex and possibly too processingintensive for the limitedcapabilities sensors. Location Verification is a promising approach to enhance the robus tness of localization schemes in wireless sensor networks. The objective of a location verification scheme is to verify whether the claim of a node about its location is true or not. By combing a relatively simple (nonsecure) localization scheme with locati on verification, one could obtain a more robust hybrid localization scheme. This approach pr ovides modularity (one can pick another localization scheme without affecting the overa ll protocol) and selectiv ity (verification to selected nodes or regions in the network) a nd hence a less expensive process for the network. PAGE 13 13 In this dissertation, we study the use of loca tion verification to enha nce the robustness and security of localization. First, we propose a communication range based location verification scheme (CORVA). Although location ve rification has been discussed be fore in literature, this is the first point tunable communica tion rangebased location verification protocol proposed. We study the coverage probability of the proposed scheme both analytically and through simulation. In addition, we perform a secur ity analysis on the proposed scheme to assess its robustness to various attacks that may hinder the protocol ope ration. Our results show that a high coverage could be achieved using a relativel y small number of verifiers. Moreover, we demonstrate that the proposed protocol is robust ag ainst location spoofing attacks. Then, we study how to schedule the verificati on service, and propose a scheduling scheme based on random access. Results show a high service throughput while maintaining a reasonable response delay its performance is better than TDMAlike clusteringbased schemes when the interference between clusters is taken into account. We then turn our attention to study the problem of the impact of lo calization error on the performance of location verification. We exam ine how our proposed CORVA protocol with respect to how the verification probability varies with error parameters. We also present an abstract model to study the problem in a more ge neral setting. Based on the proposed model, we analyze four combinations of localization and location verification sche mes. Our study indicates that an effective verification pr otocol must have a builtin mech anism to handle effectively the localization error present in most practical localization schemes. Finally, we focus on exploiting the location verification as a feedback mechanism to improve the localization accurac y. We propose several novel location verification feedback (LVFEED) algorithms to improve the localization accuracy. Analysis of these algorithms shows that PAGE 14 14 a significant improvement in lo calization accuracy can be acco mplished in a few iterations of executing the location verifi cation feedback schemes. PAGE 15 15 CHAPTER 1 INTRODUCTION W ireless sensor networks consist of a large collection of sensors that are sampling some environment variable(s) and forwarding the meas urements toward data sinks. In many of the envisioned applications, hundreds or thousands of sensors are need ed to be deployed. With such a model of deployment, the cost of a single sensor must be as inexpensive as possible, which in turn means the capabilities (e.g. computing, co mmunications) of such sensors are limited. In addition, to extend the network lif e, sensors must conserve powe r consumption since, once the sensor is deployed, it is not pract ical to recharge batteries either because it is impossible (a dangerous environment) or it is not practical (due to the large num ber of sensors). Due to all of these constrains, sensor networks are usually highly optimized for specific applications. Despite being specialized, in most applicat ions, there is a need to associate the measurements collected with the locations at which the measurements are taken in order to delivery meaningful information to the network opera tor. However, due to cost considerations, it is not possible to equip each sensor with a de vice for location determination (e.g. GPS). As a compromise, only a fraction of the total nodes in the network are capable of determining their own locations. These nodes are referred to as refe rence nodes. The rest of nodes must infer their locations from contact with the reference nodes. The task of de termining the node location is known as localization. Generally speaking, localization protocols can be broadly classified into two categories: rangebased and rangeindependen t. In rangebased approaches, a sensor can estimate its distance to other nodes using techniques such as received signal strength or angleofarrival [2]. In the rangeindepe ndent approaches, the nodes do not know the distance to other nodes and generally use their proximity informatio n to reference nodes to estimate their location PAGE 16 16 [3]. Most of these schemes assume a nonhostile e nvironment and therefore ar e left vulnerable to attacks. Recently, researchers have begun to focus on secure localization schemes. However, most of these schemes are complex and are likely to be too costly for the distribution of hundreds to thousands of limitedcapability sensors. A pr omising approach to en hance the robustness of location services is location veri fication. In location verification, th e node is already assumed to have computed its location (e.g. through a nonsecure localization scheme ) and the goal is to verify the nodes location and consequently de vise schemes to react accordingly (e.g. discard data from that particular sensor). The use of verification makes it possi ble to use a relatively simple (nonsecure) localization scheme and th en based on request verify that the location reported through the localization scheme is accu rate to the degree required by the network operator. The rest of this dissertation is organized as follows. In Chapter 2, we review the relevant background. In Chapter3, we propose a new verifi cation protocol where verifier nodes change their communication range in order to triangulate the position of a node and analyze its coverage and security characteristics. In Chapter 4, we present a contentionbase d scheduling scheme. In Chapter 5, we study how localizati on error impacts the performan ce of verification schemes by analyzing our CORVA protoc ol as a case study and through a ge neral abstract model. In Chapter 6, we present several algorithms to improve the localization accuracy by using location verification as a feedback mechanism. Finally, Chapter 7 presents summa ry and directions to future work. PAGE 17 17 CHAPTER 2 BACKGROUND 2.1 Wireless Sensor Networks W ireless sensor networks (WSNs) are made up of nodes that have sensing, processing, and communication capabilities. These nodes usually wo rk in a distributed manner to measure or detect a phenomenon of interest (e.g. gas leak) and report these finding to a data sink. A WSN typically consists of a large number of densely deployed nodes with topology that changes frequently. Nodes also have limited power, me mory, computing, and communication capabilities and are prone to failure [1]. These limitations make the protocol design for WSN a challenging task. Wireless sensor networks have wide applica tions in habitat and environmental monitoring, military applications, rescue operations, etc. In [2], a system architecture for habitat monitoring is proposed and its application to monitor breeding site is describe d. In [3], a system to detect sniper is described and results indicates it have performance advantage over other detection system in urban environment. An application fo r search and rescue is described in [4] and demonstrated using a rescuer robot that is controlled by a base station to localize and track a target robot. 2.2 Localization in Wireless Sensor Networks A localization schem e is one that is used by a sensor node to compute its locations in the network. Localization is fundamental service in most WSN applicati ons as it usually important to associate the gathered data w ith location where they were obt ained. Moreover, many protocols needs the location information to operate corr ectly (e.g. [5]). Generally speaking, localization schemes can be broadly classified into: range based and rangeindepend ent. In rangebased approaches, the location is computed using the ab solute distance information to other nodes or PAGE 18 18 anchors (nodes that know their locat ion). In such approaches, the se nsor can estimate its distance to other nodes using techniques such as received signal strength [6], time difference of arrival [7], or angleofarrival [8]. In [6], the mobile user carry a device th at periodically broadcast beacon which are recorded by three base stations. The signal streng th received by the three base stations is used to determine the user location by looking up a ta ble containing empirical results that relates user location to the received signal st rengths at the base sta tions (built offline). A system to compute the location by measure the time difference of the arriva l of an RF signal and ultrasound signal emit concurrently by a beacon in desc ribed in [7]. In [8], a scheme is proposed for inferring the position and orientation for netw orks with nodes that have the capability of measuring the angle of the received signals. The other category of localization schemes ar e the rangeindependent localization [911]. In these approaches, the nodes do not know the di stance to other nodes and generally use their proximity information to some reference nodes to estimate their location. In [9], the node estimates its location as the centroid of all th e reference nodes locations that meet certain connectivity metric. In [10], a scheme is described where nodes estimates their distance to anchors through various propagation methods and then uses these information to compute their location. For example, one propagation method (ref erred to as DVhop) is based on the idea that the distance to an anchor is the number of hops to that anchor times the average hop distance. In [11], a scheme is proposed that also utilize anchor nodes to aid in th e location determination process. The scheme uses an areabased appro ach where the network is divided in triangular areas based on the anchors and each node determ ine its location based on its knowledge of its presence inside or outside these triangular areas. Recently, Fang et al. proposed localization PAGE 19 19 scheme that uses deployment knowledge to elim inate the use of reference nodes [12]. Most of these schemes assume a nonhostile environment and therefore are vulnerable to attacks. 2.3 Secure Localization in Wireless Sensor Networks The issue of security in localization has been re cently addressed by researchers [1318]. In [13], a technique is proposed that combines conven tional multilateration with distance bounding for computation and verification of positions of wire less devices. However, devices must have a bounded processing time which may not be met by mo st exiting hardware. In [14], a technique is proposed for secure positioning, but requires using directional antennae. Several techniques have been proposed using statistical methods [15] consistency among beacon signals, and voting schemes [16] to achieve robustness. But thes e methods require enough data (e.g. honest beacon signals, location estimates, etc.) to have accepta ble performance which may not be available in all setting. In [17], a scheme is proposed to de tect anomalies in localization that uses the deployment knowledge and neighbors information to detect if a location estimate is consistence with its observations. A scheme that utilize hidden and mobile nodes to compute the nodes location securely is described in [18]. 2.4 Localization Error Most practical localization schem es have an inherent localization error due to technology limitations (e.g. inaccurate clock used in the rangi ng process), lack of information available to the node (e.g. few anchor nodes), or malicious activ ity targeting the localization infrastructure. Several researchers have worked to identify the parameters that induce errors, develop models for use in localization performance evaluation as well as to analyze the impact of localization error the performance of various applications. In [19], the authors examine the behavior of error inducing parameters in multihop localizati on systems and study the trends in the error induced by the measurement technology accuracy, the network density, the beacon node PAGE 20 20 concentration, and the beacon uncer tainty. It is found that locati on uncertainty increased rapidly with the reduction in the number of nei ghbors per node, specifically, for less than 10 neighbors/node. In [20], the authors design a model to predict the deviation of distance estimation in hopcount based localization schemes. It is demonstrated that a longer path, i.e., more hop counts contributes to a less accurate loca lization estimate. This work also highlights the impact of network density on the localization error. In [21] the authors analyze the error characteristics of range/angle free, range based, angle based, and multimodal positioning algorithms where a CramerRao lower bound for pos itioning error of multihop range/angle free localization algorithms is derived. Also, the perf ormance of a multimodel algorithm that uses both angle and range measurements is analyzed. In [11], the authors investigated the impact of localization error on the performa nce of routing and tracking protocols and concluded that the degradation is graceful when the error is le ss than 0.4 times the communication radio radius. A study of the impact of localizati on error on geographic face routing is reported in [22] and the authors concluded that a small localization error can have a noticeable degradation in performance. Moreover, the authors proposed fixe s that boost the performance to almost ideal errorfree case. 2.5 Location Verification There has been little work done in developing location verification protocols. In [23], a protocol is described that verifi es the presence of a node in a gi ven region. However, the protocol requires the node to be able to communicate using both radio frequency (RF) and sound. The nodes should also be able to bound their processi ng delay. In [24], a hybrid system is proposed that combines secure location computation and verification of location claims. The verification simply ensures that a node cannot claim to be clos er to a locator (reference) node than its actual distance to the locator. This approach is sufficien t for a secure localization scheme, but it will not PAGE 21 21 provide enough security to systems using a nonsecure localization scheme. In [25], a probabilistic approach to verification is presented that exploi ts the results in [26], which show the probabilistic dependence of the number of ho ps a broadcast packet traverses to reach a destination and the Euclidean distance between th e source and the destinati on. The plausibility of the claimed location is calculated by a few verifi ers and the calculated plausibility metric can used to make to associate a trust level to th at the claimed node. Anothe r probabilistic approach, which also based on the results in [26] utiliz es the hopdistance information collected by nodes along the path (called witnesses) to central node (e.g. sink) to make a decision as to whether accept or reject the claim of the node. An inregion verification protocol is proposed in [27] that utilize two types of verifiers node s: acceptors and rejectors. Thes e nodes are strategically located in such a way that if the claima nt node is located inside the area of interest, it transmission will be heard by the acceptors but not by the rejectors. In [28], a verification scheme is proposed based distance bounding protocols bu t due to the nature of precise timing needed in distance bounding protocols, this approach ma y be an expensive choice for limitedcapabilities sensors. In [29], two algorithms are proposed that use the node location estimate as well as its neighbors information for the location verification. 2.6 Scheduling in Wireless Sensor Networks Many interesting scheduling proble m s in WSNs have been studied that aim to improve the overall performance of the network. For exampl e, there is an extensive work on devising algorithms to schedule the sleep/w akeup intervals of nodes and link activation to c onserve their energies and hence extend the lifetime of the node [3033]. In this dissertation, our interest in schedu ling is focused on scheduling the verification service in the sense that during the service phase the medium is reserved only for the node and the server involved in the verification only. The problem that we are considering here overlaps PAGE 22 22 with the reservationbased MAC pr otocols [3436]. In general, mo st reservationbased protocols have two phases: reservation phase, and transm ission phase. In the reservation phase, nodes usually contend through some form of random access (e.g. CSMA) to reserve transmission slot(s). A coordinator (e.g. cluster head) usually decides slots assignment to the nodes that made reservation request successfully. In the transmission phase, each node transmits during its assigned slot to it intended receiv er. In [34], a reservation protocol is proposed that uses adaptive TDMAlike superframe structure for networks th at organized in clustered hierarchical. The superframe is divided in four parts: short control slot, CS MAbased contention reservation window, short reservation confirma tion slot, and data slots. The cluster head (CH) broadcast control information (e.g. length of the superframe ) during first part of the frame. Following that, nodes contend using nonpersistant CSMA to requests reservation. Next, the CH computes the slots assignments to requesting nodes and broa dcasts it during the reservation confirmation phase. In the final phase, nodes transmit during th eir assigned slots. The size of the frame is adjusted according to traffic stat us as indicated by the number of unsuccessful transmission. In [35], a reservation protocol for application wi th different QoS priorities is introduced. The protocol also uses a TDMAlike frame that is divided into three pe riods: reservation period, scheduled access period, and cont ention period. The rese rvation period is further divided into two subparts: the first part used by nodes to request reservation by competing using slotted aloha, and the second part is used by the CH to compute the schedule and broadcast it. In scheduled access period, the node s transmit to the CH during th eir assigned timeslots. The contention period is used for intercluster commun ication in order to relay the data to the sink. The CH uses the 802.11 DCF as their contention mechan ism. In [36], the protocol is also divided into a reservation phase and transmission phase with sim ilar functions to the previously PAGE 23 23 described schemes. However, in this case, no hierarchal structure is assumed. Moreover, the durations of these two phases ar e determined by the first node that wins access to the medium and are varied according to the traffic loa d. The IEEE 802.15.4 [37], which a highly suitable standard for WSNs, includes a mechanism through which a personal area network (PAN) coordinator allocates certain num ber of slots of the superframe called GuaranteedTime Slots (GTSs), for some requesting nodes. PAGE 24 24 CHAPTER 3 COMMUNICATION RANGEBASED LOCA TION VE RIFICATION FOR WIRELESS SENSOR NETWORKS Localization plays a crucial role in wireless sensor networks, since the network must associate sensor readings with a valid location in order to deli ver meaningful information. One approach to enhance the robustnes s and the security of localization is location verification, which evaluates the validity of a nodes claimed location. In this ch apter, we propose a new lightweight location verification protocol called COmmunication Range VAr iation (CORVA). In CORVA, verifier nodes vary their communi cation range to triangulate the pos ition of a claimant node. We describe a general procedure to compute the veri fication coverage probability and show that a high coverage probability can be achieved with CORVA, even with a relatively low density of verifier nodes. Moreover, a secu rity analysis is provided, wher e we capture analytically the probability of attack detection for various attack scenarios, and show through simulation that CORVA is robust against several location spoofing attacks. Finally, we focus on three practical issues that may affect CORVA performa nce: energy consumption, inhomogeneous communication range, and physical channel impairme nts. We provide anal ytical derivation to assess the impact of these issues and demonstrate that, if the inhomogeneity is small, the impact on verification probability is minimal. Moreove r, the impact of physical impairment can be reduced by repeating the verifi cation test several times. 3.1 Introduction W ireless sensor networks (WSNs) consist of a large collection of sens ors that are highly constrained in terms of their computing power communication capabilities, and battery power. These sensors work in an ad hoc manner to esta blish a wireless network that is optimized to accomplish a specific goal. WSNs can be used in a large number of applications, including monitoring of hazardous material, st ructural monitoring, medical care, rescue operations, etc. In PAGE 25 25 any WSN, Location plays an important role as se nsors need to associate their readings with a valid location in order to deliver meaningful information. However, due to considerations such as cost or size, it may not be feasible to equi p each node with a device for determining location, such as GPS device. Therefore, only a certain percentage of the total deployed nodes are generally assumed to have the ability to dete rmine their location. Thes e are called reference nodes. The rest of the nodes must estimate thei r location using relative information received from the reference nodes. Unfortunately, many of the localization schemes developed are vulnerable to hostile attacks. One promising appro ach to enhance the robu stness and security of existing localization scheme s is location verification. In the location verification problem, a node is assumed to know and claim its location, and the objective is to verify the claim (as compared with the localization problem, where the node has no idea about its location and needs to comput e its location). Note that verification is independent of the localization problem. To illustra te, consider a person on a street corner in a downtown area. The person can determine their lo cation in several ways, e.g., by looking at a map, using a GPS device, looking at street signs and building a ddresses, or asking a passerby. This is the localization problem Suppose the person then makes a telephone call to report their location to a second individual. The second individua l must determine if the report can be trusted independent of how the location was origina lly determined. For example, if the second individual has friends in the area that can see the street corner, the friends can queried to see if the report is valid. This is the location veri fication problem. However, location verification can be combined with a nonsecure localization scheme to produce a hybrid localization system that is more robust and resilien t to attacks than the original localization scheme. As can be i llustrated in Figure 31, the result of the verification process can PAGE 26 26 be conveyed back to the claimant nodes to enable them to react accordingly. Nodes with correct locations are assured of their positions, while nodes with incorrect locations will seek to correct their positions (for example, by using a different set of re ference nodes to compute their locations). We note that a hybrid approach has an advantage over a pur e secure localization scheme, since one can selectively apply verification to the areas th at are more vulnerable or to the areas that may have a greater impact in the final resultthereby reducing the overall communications cost. In addition to improving the security of nonsecure loca lization schemes, location verification can be a viable tool to enhance the overall security of the network. For example, as in Figure 31, the verification resu lts can be passed to an intrus ion detection system (IDS) and incorporated with other alerts to identify malicio us activities in the netw ork. As before, incorrect locations reported in a given region will signal a possible attack against localization in that region. Even correct locations are us eful to an IDS to possibly identify a Sybil attack [38], where a single physical node assumes several different identities. Using the hybrid system, several nodes that appear to be at the same location can trigger a Sybil attack warning. In this chapter, we propose a new lightweight COmmunication Range VAriation (CORVA) based location verificatio n protocol that increases the robustness and security of a localization system. In Section 3.2, we review the related work. Section 3.3 describes the network model and assumptions, followed by a deta iled description of th e CORVA protocol in Section 3.4. In Section 3.5, we provide a covera ge analysis where we state and prove the necessary and sufficient condition for successful verification. Moreover, we derive a general expression for probability of verification fo r an arbitrary communi cation range. We then compute the probability of verification in our network model taking into account boundary PAGE 27 27 effects. The analytical results for the probability of verificati on are verified through simulation. In Section 3.6, we analyze our proposed technique with respect to several attack scenarios. Following that, we examine in Section 3.7 to th ree practical issues that may impact the performance of our protocol: energy consum ption, the inhomogeneity of the communication range, and the localization error. Finally, Section 3.8 presents the chapter summary. 3.2 Related Work Although researchers have developed m any protocols for localization [6, 8, 9, 11, 12], recently, researchers have begun to address the issu e of security in localiz ation[1315]. In [13], a technique is proposed that combines conventional multilateration with distance bounding for computation and verification of positions of wi reless devices. However, devices must have a bounded processing time which may not be met by most exiting hardware. In [14], a technique is proposed for secure positioning, but requires using directional ante nnae. Several techniques have been proposed using statistical methods [15] consistency among beacon signals, and voting schemes [16] to achieve robustness. But thes e methods require enough data (e.g. honest beacon signals, location estimates, etc.) to have acceptabl e performance which may not be available in all setting. There has been little work done in developing location verification protocols. In [23], a protocol is described that verifi es the presence of a node in a gi ven region. However, the protocol requires the node to be able to communicate using both radio frequency (RF) and sound. The nodes should also be able to bound their processi ng delay. In [24], a hybrid system is proposed that combines secure location computation and verification of location claims. The verification simply ensures that a node cannot claim to be clos er to a locator (reference) node than its actual distance to the locator. This approach is sufficien t for a secure localization scheme, but it will not provide enough security to systems using a nonsecure localization scheme. In [25], a PAGE 28 28 probabilistic approach to verification is presente d that leverages the probabilistic dependence of the number of hops a broadcast packet traverses to reach a destination and the Euclidean distance between the source and the destin ation. An inregion verification pr otocol is proposed in [27] that utilize two types of verifi ers nodes: acceptors and rejectors. These nodes are strategically located in such a way that if the claimant node is located inside the area of interest, it transmission will be heard by the acceptors but not by the rejectors. In [28], a verification scheme is proposed based distance bounding protocols but due to the nature of precise timing needed in distance bounding protocols, this a pproach may be an expensive choice for limitedcapabilities sensors. We note that use of a nodes distance to three points is a well known approach to determine the location of node. However, different techniques are used to estimate the distance between the node and the reference nodes, e.g., tim e of flight, received signal strength (RSS), etc. The closest approach to our s is the use of RSS to locate a node. However, there are three differences in our approach. Firs t, the goal of our approach is verification and not localization. Second, in the RSSbased schemes, the nodes are required to be able to correlate the received signal strength to distance, which is not a requ irement in our protocol. Third, also in these schemes, the communication range is not varied as it is in our protocol. One also may view our work as a generalization of [23] which determines if a node is present within a communication range of verifier. However, in [23], verification is based on elapsed time calculation, whereas in ours it is based on presence/absence of a node in changeable communicat ion range. Finally, in our work, nodes can be confined to an arbitrarily small area (idea lly a point). We note also that range variation have been used in [39] for localization and not location verification as in our case. Also, the scheme [39] is centralized sche me whereas ours can be implemented both in a PAGE 29 29 distributed and centralized manner. That scheme requires the anchors nodes to broadcast several nonces at different ranges as contrast to ours where a verifier needs to transmit at one range. 3.3 Network Model and Assumptions In this chapter, we consider the twotier ne twork architecture, which consists of two types of nodes: sensor nodes (nodes) and verifier nodes (verifiers). E ach node is equipped with an omnidirectional antenna with ci rcular coverage range. The se nsor nodes are responsible for collecting data and are assumed to be static or to move infrequently. It is also assumed that there exists a motive to participate in the verification process (e.g., to have access to certain network resources or avoid being isolat ed by the network operator). Verifier nodes are responsible for confirming the location of a given sensor node. They are assumed to be randomly deployed, but distributed uniformly over the network area. The verifiertosensor communication range has a maximum radius ofmaxR, but we assume that the verifiers can vary the communication range (e.g., by cha nging the transmission power level). Each verifier is assumed to know the locations of the other verifiers within its communication range, and the verifiers are assumed to be loosely synchronized. The method used to determine the location of the neighboring verifier is not impor tant for the execution of the algorithm. This could be achieved by an initialization phase where each verifier makes an encrypted broadcast so that all of the verifiers that can hear this transmission reply back with their ID and location. We also assume that the sensor nodes and veri fiers a share secret key. This can be achieved for example by using a key predistribution scheme [40]. Finally, we do not consider physical or MAC layer attacks such as ja mming in this dissertation. PAGE 30 30 3.4 The COmmunication Range VAriation (CORVA) Protocol Our proposed location verification protocol, CORVA, is based on the ability of the verifier nodes to vary their communication range in order to triangulate the position of a sensor node. At least three verifiers m ust be able to form a triangle around the claimant node to determine its location, i.e., three verifiers will be chosen to vary their communication range to confine the claimant node into their overlap region, which can be made arbitr arily small (ideally a point). Note that our triangulation scheme does not requ ire an ability to corr elate the received signal strength (RSS) with distance, as in some other localization schemes. Here, only the knowledge of the presence or absenc e of the node in the communication ra nge of the verifier is required. Consider the sensor network illustrated in Figure 32. The CORVA protocol begins when the claimant node, node L, makes an authenti cated broadcast contai ning its location and a verification request. The w ithinrange verifiers (321,, VVV) hear the broadcasted request. One of the verifiers that hears this broadcast acts as verifi cation coordinator (VC). (The criteria for selecting the VC could be simply the closest verifier to th e claimant node, or the verifier with lowest ID number, etc.) The VC then picks two verifiers wh ich form a triangle with the VC to enclose the claimant node, where the triangular positioning can be determined using any point in a triangle test [6]. If there are no two verifiers that can form a triangle with the VC, then the VC checks if there is any set of three verifiers that meet this criteria. If such a set exists, the VC passes the coordination responsibility to one of three. Othe rwise, the verification fails and the location is UNVERIFIABLE If three verifiers that meet th e criteria exist, the chosen VC sets the verification process start time. At the specified time, each verifier adjusts its communication range to match its distance to the claimant node (LR) plus a predetermined c onstant tolerance distance ( ). The PAGE 31 31 addition of a constant tolerance distance is intend ed to account for the uncertainty in the location calculation, depending on the locali zation scheme. Moreover, the cons tant should also take into account the uncertainty in setting the communication range to a specific value. Each verifier then challenges the claimant node with a nonce encryp ted with the secret sh ared key between the verifier and the claimant node. The nonce ensures freshness of the message. In order to prove its location, the claimant node must respond to each verifiers challenge by sending back the nonce with the location information encr ypted with the shared key. The inclusion of the location in the response message forces the claimant node to decrypt the received message and hence ensure that the claimant node possesses the shared ke y. Each of the three verifiers compares the received nonce (after decryption) with the nonce se nt. If the results match, the verifier sends a VALIDATE message to the VC, otherwise, it sends an INVALID message. If all three verifiers validate the location of the node, the location is VERIFIED otherwise, it is DENIED 3.5 Coverage Analysis An i mportant aspect of the verification protoc ol is whether it can successfully verify the location claim of an arbitrary node in the ne twork. This, of course, will depend on the distribution of verifiers in the network. The higher the density of the verifier nodes, the higher the probability that the location of a given node can be verified. In this section, an expression for the verification coverage probability is derived, wh ere the coverage probability is the probability that a given location is indeed located within a distance ofmaxRof at least three verifiers which are forming a triangle enclosing that location. (As a re sult, these three veri fiers are able to confirm the presence of a node at that location. Thus, we use the terms coverage probability and verification probability interchangeably.) Our ap proach to compute the verification probability applies to deformed communication range s as well as symmetrical ranges. PAGE 32 32 3.5.1 Notation Here we present som e useful notation that will be convenient for discussion. Let ))(,( nP be a curve in a polar coordinate system with origin located at n.},),({ nmPSis the area located inside )( nP and bounded by the rays originated at mand making angles of and with the horizontal (reference) line, respectiv ely. To avoid ambiguity, we are considering the sector which is determined as we go from to in counterclockwise direction. Whenever mand n are the same, we drop the subscript from )( nP. ][ xAis the area of region x The density of verifiers in the network isv i.e. number of verifiers/network area, and the corresponding number of verifi ers can be estimated using abNv v where is the floor function, ais network length, and bis the network width. To derive the verification probability will make use of the following theorem: Theorem 1. Consider 3 Npoints inside a simp le closed (Gordon) curve and a point p. There exist at least th ree points (out of the N points) which form a tr iangle enclosing a point p if and only if no line exis ts that passes throughpand splits the area inside the curve into two parts such that all of the N points are confined inside one part. Proof: Assume first that no line exists that passes throughpand splits the area inside the curve into two parts such that all the N points }{kqare confined to one part. We will show how to construct a triangle enclosingp. Let the ordered set of angles that the points }{kq make with the reference line be }{)( k and the corresponding order set of points be }{)( kq (i.e. smallest angle is)1( second smallest angle is)2( and so on). By assumption, we must have )1()( N. We start our construction by picking the points )1(qand )( Nqas two vertices of the sought triangle. (To illustrate, we consider the simple closed curve in Figure 33.) To complete the construction of PAGE 33 33 the sought triangle, we need to find a point inside the region pBCDp in Figure 33. If there such point, we are done. Therefore, assume that there is nopBCDp qi )(. This implies that 4 N and that all remaining points must be inside both of the regions pABp and pDEFp to satisfy the assumption (note there are no points insidepFGAp because we are considering ordered set}{)( kq.) Now pick two points )( jqand )( kqas follows: )( jqis the point inside pABp with maximum angle )( j and )( kqis the point inside pDEFp with minimum angle)( k The line passing through )( jqand )( kqmust pass through the regionpBCDpor else the line passing throughpand parallel to the line through )( jqand )( kq will confine all points inside one pa rt violating the assumption. Therefore, the required triangle can be constructed using the points)( jq,)( kq and either )1(qor )( Nq. Conversely, assume that th ere are three points, say1q, 2q, and 3q, forming a triangle enclosing the point p. It suffices to show that we cannot find a line through p that splits the area inside the curve into two such that these three points are enclosed inside one part. If the three points were in one part, then the sum of two of the angles21pqq 32pqq and 13pqqwould have to be less than and the third one woul d be greater than but this impossible for a point p inside the triangle 321qqq since one of the triangles jipqq would have angles with sum greater than QED Now, we shall utilize the theorem above to find the coverage probability. 3.5.2 Coverage Probability Consider an arbitrary nodeLlocated inside an arbitrary simple closed curve (as pin Figure 33). The curve represents the area in which th e node can send and receive transmission from verifiers. We refer to such an area as the potential verifiers area (PVA) of nodeL. In order to verify the location of this node, at least three verifiers must be within PVA of node Land at least PAGE 34 34 three out of these withinrange ve rifiers must form a triangle around the node. To calculate the probability of the verifiers form ing at least one triangle around the node, we start by assuming that there areN verifiers in the PVA of nodeL. Let Vbe the event that node Lis verifiable; and )( Lfand)( LFare the probability density and cumulativ e probability functions of the angle distribution of the verifi ers within the PVA of Lwith L as the center. As a direct corollary to the Theorem 1, these verifiers will NOT form a triangle enclosing Lif and only if we can find a splitter line through L which confines these verifiers to insi de one part of the area inside the PVA. Considering the order set of verifiers angles}{)( k this equivalent to saying that the separation angles between consecutive verifiers}{)( kq cannot be all less than Mathematically, let )()(),( ijji be the separation angle between verifiers iand j()i, then the probability that Lis not verifiable is equi valent to occurrence of one of the following events: }{} {),1( 1 1 )1,( N N i ii NV (3.1) Observe that the event } {),1( Nis simply equivalent to saying the angle between last verifier )( Nq and first one )1(q (going counterclockwise) is greater than Notice also that these events are mutually exclusive events; for if there were two or more of these events occurred simultaneously, we would have the sum of separation angles greater 2which impossible. From basic order statistics theory [41], the joint pdf of two angles is given by: )!()!1()!1( )](1)[()]()()[()(! ),()( )( 1 )()()()( 1 )()(),(jNiji FfFFfFN fjN j j ij i jjLi i L jiji (3.2) where 2 0)()(ji. Consequently, the pdf of ),( ji can be expressed as: We express it in this manner to be consistence with definition of range in the literature of order statistics. PAGE 35 35 2 0 ),( ),(),()( dwfwji ji. (3.3) Using Eqs. 3.2 and 3.3, and after some al gebraic manipulation, one can show that: 0 1 2 )1,( )1,()](1)[()( )( }) ({ d FfF i N idww PiN L L i L ii ii (3.4) for 1 ...,,2,1 Ni Using Eq. 3.4, we can compute the probability of the event 1 1 )1,(} { N i ii as follows: N L N L L N L N L L L iN L i L N i L N i iN L L i L N i iiFd F FfN d F F FfN d FF i N fN d FfF i N i P )](1[)](1)()[( )](1[)](1)([)( )](1)[( 1 )( )](1)[()( )} {(0 1 0 1 1 1 0 1 1 1 1 0 1 1 1 )1,( (3.5) where we have used integration by parts in the firs t step, simplified the expression in the second step using the binomial expansion, and separately integrated the second term in the third step. Similarly, the probability of the event } {),1( N can be shown to be N L N L LL N L LL N NFdF FfN dF FfNdww P )](1[)]()()[( )]()()[( )( }) ({0 1 2 0 1 0 ),1( ),1( (3.6) By adding Eqs (3.5) and (3.6), we can find the probability that node L is NOT verifiable, i.e. 2 1 0 1)](1)()[( )]()()[()( dF FfNdF FfNNVPN L LL N L LL (3.7) PAGE 36 36 where we have used change of variables in Eq. 3.5 above. Observe that, the terms)()( L LF F and )(1)( L LF F are simply the probabilities that a verifier is located inside the sector } ,),({ PSLfor ) ,0[ and) 2,[ respectively. Based on our assumptions, that probability is also given by ][/},),({ PVAA PSL for both cases. Therefore, Eq. 3.7 can be expressed more compactly as follows: 2 0 1][ },),({ )()( d PVAA PS fNNVPN L L. (3.8) And hence, the probability of verification given N verifiers inside the PVA of a node is given by: 2 0 1][ },),({ )(1)( d PVAA PS fNNVPN L L. (3.9)In general, the above integration cannot be co mputed directly for arbitrary PVA and needs to be evaluated numerically. From order statistics point of view, the above expression represents the probability that the range of th e verifiers angles are at least Finally, if the network area is given by ][NTAand the verifiers are distributed uniformly, then for any verifier, it is either inside the PVA of a given node with probability ][/][NTAPVAA or not with probability 1, which indicates that the nu mber of verifiers inside the PVA follows binomial distribution. He nce, for a network with a total of vN verifiers, the probability of verification is given by: iN i N i vv vi N iVPVP )1()()(3. (3.10) We now consider a few important PVA region types: PAGE 37 37 3.5.2.1 Circular region This corresponds to nodes that do not suffe r from boundary effects. According to our model, the area of the PVA is2 max][ RPVAA, the area of the sector },),({ PSLis ][ 2 1 PVAA, and, due to uniform dist ribution of verifiers,1)2()(Lf. Substituting this in Eq. 3.9 and evaluating the integration, we have 12 1)(NN NVP. (3.11) Using this in Eq. 3.10, we derive, after some manipulation, 1 3)2/1( )1(1 )()1( )( v v v vN v N iN i N i vN iVP i N VP (3.12) where )/(2 maxabR, the probability that a verifier is in the communication range of a given node assuming a circular region. Next, we describe approaches to consider boundary e ffect, where the circular region can be cut by a line or by a circle. 3.5.2.2 Deformed circular region 3.5.2.2.1 A Circle Cut by a Line Here we consider a circle cut by a line at a distance LXfrom the center of the circle p as shown in Figure 34. This situation arises at the bounda ry of a rectangular network area, as in our model. Let )( pCLbe the curve enclosing the deformed circle areaABC. The area )]([ pCLAis the area of the sector }2,),({ CLSpplus the area of the trianglepAB i.e. )2sin( 2 1 )()]([2 2 RR CLAp, (3.13) where R XL 1cos In this case, the area of the sector },0),({ CLSpis given by PAGE 38 38 2 2)2tan( 2 1 )]([ 2 )()sin( 2 1 )tan( 2 1 },0),({2 2 L p L L pX CLA R XR X CLS (3.14) Now, using Eq. 3.14, we can find },),({ CLSpas follows: 2 },0),({},0),({)]([ },0),({},0),({ },),({ CLS CLSCLA CLS CLS CLSp p p p p p, (3.15) and then, the pdf of the angle distribution can be computed: )]([ },0),({ )( )( p p p pCLA CLS F f. (3.16) Substituting from Eq. 3.14, we find: 2 2)(sec 2 )(sec )]([2 1 )(22 2 22 L L p pX R X CLA f (3.17) Eqs 3.13, 3.15, and 3.17 can be used in Eq. 3.9 to computed the conditional probability of verification in a circle cut by a line given kverifiers and the distance between the line the circle center LX, i.e. ),(L CLXkVP, by evaluating the integral numericall y. This can then be used in Eq. 3.10 to compute)(L CLXVP. 3.5.2.2.2 A Circle Cut by another Circle Here we consider a circle, of radius r cut by another circle, of radiusR, and the distance their centers as shown in Figure 35. This situation arises at the boundary of circular network area. It is easy to see that rRrR to ensure that the circle RCcut the circlerC. The development of the result is similar to that in Section 3.5.2.2.1 above and it is briefly outlined below. PAGE 39 39 Let )( oCCbe the curve enclosing the deformed circle (in this case, it is the same curve that enclose the overlap ar ea of the two circles) and be the distance between the two circles centers. Using basic geometry, the overlap area )]([ oCCAcan be shown, after some algebraic manipulation, to be 2222 22 222 12 222 12) (45.0 2 cos 2 cos)]([ rR R r Rr r R rR RCCAo (3.18) Now, to get the probability, we need to find the area of the sector },0),({ CCSo 2 2}2,0),({)]([ 2 )(5.0},0),({ 0))sin((5.0)sin()(5.0 },0),({0 2 2CCSCCA r CCS R Rs CCSo o R R o (3.19) Where s is the length of the line segment OB, and may be computed by applying the cosine law on the triangle OBC to compute the length of BC(=R) and then solving the resultant quadratic equation for s The angle R can then be computed by a second application of the cosine law on the same triangle. This gives R sRR 2 cos222 1 (3.20) The rest of the computations parallel those presented in the previous section and we will leave the detail to the reader. 3.5.2.3 Probability of verification in the rectangular n etwork model In our model, the network is assumed to be rectangular with dimensionsba. If the network size is much greater thanmaxR, then the boundary effect is negligible and the verification probability can be approximated very well by probability of the verification in a circle (Eq. 3.4). However, when this is not th e case, we need to take into account the boundary effect which may be divided further into a side effect and corner effect. In the side effect, the PAGE 40 40 circular PVA is cut by the network side (Section 3.5.2.2.1). In the corner effect, the circular PVA is cut by two perpendicular lines. In this case, the probability of verificati on in the rectangular network can be computed as follows: maxmax max00 0 max 2 max)()1(),( )()(RR R CL CLL NTR dx xVP R dydx yxVP VPVP (3.21) where is the probability that a node is locate d in the middle portion of the network (no boundary effect) (see Figure 32), and is calculated: ab RbRa )2)(2(max max (3.22) is the probability that a node is located in one of the fourmax maxRR squares at the corners of the network (corner effect) and is given by ab R2 max4 The integration in the above expression is to average out the impact of the va riation of boundary nodes distances to the network perimeter. In the middle term,),( yxVPCLL represents the probability of ve rification of a node whose center is located at distances x and y from two perpendicular lines (as in the corner.) The computation of this probability is very similar to that of )( xVPCL(Section 3.5.2.2.1 above), except that we start with different sector area. 3.5.2.4 Coverage probability results The coverage probability resu lts are shown in Figure 36 fo r two different network sizes and four cases: 1) the th eoretical result ignoring boundary effects (Eq. 3.12), ltheoretica P _, 2) the theoretical value taking into account boundary effects (Eq. 3.21), Bltheoretica P _, 3) the result computed in simulation over the central part of the network, excluding the boundary PAGE 41 41 effect,centP _, and 4) the result computed in si mulation over the entire network area, totP _. The verifier density, v begins at a value that will result in approximately thre e verifiers in the potential verifiers area (PVA) of a given node. We first note that the simulation results demonstrate an excellent agreement with the theo retical values. Next, we note that, in a large network (Figure 36 (a)), the boundary effect is ne gligible and the covera ge probability can be approximated very well using the simple expres sion given in Eq. 3.12. In small networks, where boundary effects are prominent, such approximation will lead to large erro r, requiring the use of Eq. 3.21. 3.6 Security Analysis There are tw o types of attack s that are of particular c oncern to location verification protocols: i) denial of service and ii) location spoofing. In a de nial of service attack, a malicious node or group of nodes continually requests verification in orde r to deplete the verifiers batteries. A possible defense is to limit the number of times a node can request verification. Even if the battery depletion threat is not present (for example, verifiers powered through solar cells), the verifiers should still limit the number of times a node can request verification to allow fair access to the verification service for all nodes. In a location spoofing attack, the objective is to convi nce the verifiers that a node is located at a certain position when it is not We consider several scenarios to carry out a location spoofing attack, including a single malic ious node, colluding malicious nodes, big ear and mouth (BEM) nodes, and wormholes. PAGE 42 42 3.6.1 Single Malicious NodeNormal Capabilities A single m alicious node with the normal capabilitie s of all of the other nodes is not able to carry out a location spoofing attack. If it is not with in range of the verifiers, then it will not be able to request verification, nor respond to the submitted challenge. 3.6.2 Single Malicious NodeBig Ear and Mouth (BEM) Node A single m alicious node may be more powerful than the normal node, e.g., it may have a receiver with a higher sensitivity compared to the other nodes and/or a more powerful antenna. We refer to such a node as a Big Ear and Mouth (BEM) node. We assume that the BEM node has obtained legitimate keys (for example, by compri sing another node). Such a node can attack even if it is not in the overlap region of the verifiers, since it hears th e verifiers transmissions using a highly sensitive receive r. It then can use its powerful antenna to reply to the verifiers challenges. If the BEM has an omnidirectional antenna, then this attack can be easily detected by other verifiers since there will be some contradiction between where the BEM claims to be located and the reach of its transmission which will be larger than the maxRthe maximum distance at which the transmission of a normal node can be received. We refer to this inconsistency between a node location claim and its larger transmission reach (based on that claim) as Communication Range Violation (CRV). For example, in Figure 37, the BEM attempts to convince the verifiers that it is located atL, but the more powerful transmission may be heard by verifier4V, which violates the capabilities of a normal node located atL. A more devastating attack could be launched by a BEM equipped with directional antenna. The detection of such an at tack may be possible if there is at least one verifier in one of the sectors that can detect a transmission range violation. Otherwise, if the verifiers have th e capabilities to detect the angl e of arrival of the signal, then PAGE 43 43 the BEM attack can be easily detected by mappi ng the location of the BEM using the method in [2]. Notice that the BEM node will be only able to execute a spoofing attack on areas where verification is possible with veri fiers that are located within its transmission range. We refer to the sum of these areas as the Maximum Spoofable Ar ea (MSA). This is at most equal to the total verifiable area located within the BEM range. We define the probability of detecting a BEM node attack as the percentage of MSA where attack is detectable (other verifiable locations are not relevant since verification th ere requires participation of veri fiers that are not reachable by the BEM node.) In Figure 38, this is represented by the blue area divided by the sum of the blue and yellow areas. The figure also illustrate that the BEM is succe ssful in carrying out the attack in areas closer to it where it is less suspicious to verifiers. In our simulation, the BEM node will set its communication range to the minimum required to include the verifier s that are needed to verify that location. The communication range vi olation check is done considering only the verifiers within this minimum range setup. The probability of BEM node attack detecti on is shown in Figure 39. The BEM node is placed randomly in the network. In our simulation, the value of is 0.5. For a single BEM node, with an omnidirectional antenna, placed randomly in the network (Figure 39(a)), the detection probability increases as the verifier density incr eases as expected, since the presence of more verifiers increases the chance that one will dete ct a violation of comm unication range capability. Moreover, the detection probability increases as the BEM node range increases. Intuitively, the more powerful the BEM node, the larger number of verifiers that fall und er its range and hence can detect its abnormality. In Figure 39 (b), th e probability of BEM att ack detection is shown for the case when the BEM node is equipped with directional antennas. We consider two cases: PAGE 44 44 three and six sector scenarios. As before, the pr obability increases with the increase of verifier density and BEM range. In additi on, the probability decreases with increase of sectors, as the BEM node has more flexibility in controlling the r each of its transmission in different directions. 3.6.3 Several Colluding Malicious Nodes Several m alicious nodes can collude with each ot her to trick the verifiers into incorrectly believing that a node is located at certain position. In this s cenario, the malicious nodes are strategically located near the verifiers such that there is at least one malicious node in the communication range of each verifier i nvolved in the triangulation process (321,, mmmin Figure 37. Note that 2mcan spoof both1Vand2V.) Each malicious node liste ns for the transmission of challenge packets from its withinrange verifier Then, the malicious node forwards the challenge packet to the malicious claimant node, which is at a different location. The malicious claimant node then replies to the challeng e by forwarding its responses back to the verifiers via the other malicious nodes. 3.6.3.1 Location spoofing attack The probability that the location spoo fing a ttack launched by the colluding malicious nodes is successful is represented here by the prob ability that there is at least one malicious node in the coverage areas of each of three triangulating verifiers. ) () ( ) ()()()() ( ) ( success)(1 3 3 2 2 1 3 2 1 3 2 1 3 2 1C C C C C C C C C C C C C C CMMPMMP MMPMPMPMPMMMP MMMP P (3.23) where iCMis the event that th ere is at least one malicious node inside the coverage areaiC of verifier iV. We assume that themmalicious nodes are uniformly dist ributed. Then, the probability that there is at least one ma licious node inside the circle iC is calculated: PAGE 45 45 m i m C CA CA A A MPMPi i NT][ ][ 11 NT][ ]A[CNT][ 1)(1)(i (3.24) In most practical situations, th e area of the network is much greater than the coverage area of the verifiers, i.e. NT][][ ACAi. Hence, we can approximate Eq. 3.24 using the binomial series as follows: NT][ ][ NT][ ][)1( 1)(0A CAm A CA r m MPi r i rr m r Ci (3.25) In a similar way, the probability that there is at least one malicious node inside area X where network)()( AXA is given by: ]N[ ][ ][ ][ 11)( TA XAm NTA XA MPm X (3.26) The above result can be used to compute the probability of the pr esence of at least one malicious node inside each of two intersecting circles: NT][ ][ )}()()({ NT][ ) ()()() ( A CCAm CCACACA A m MMPMPMPMMPji ji j i C C C C C Cj i j i j i (3.27) Using Eqs. 3.26 and 3.27, Eq. 3.23 reduces to: )( NT][ ] [ 11 NT][ ] [ )}()( )()()()() ({ NT][ success)(321321 321 13 32 21 3 2 1 321 CCC mMP A CCCA A CCCAm CCACCA CCACACACACCCA A m P (3.28) The approximations in the last equation are valid as long as the area over which the probability is computed is much smaller than th e network area. In other words, if the network area is much larger than each verifier coverage area and if the number of malicious nodes is small and they are uniformly distributed, then the most likely scenario for a successful attack is PAGE 46 46 the presence of at least one malic ious node in the overlap area of the three circles. (Most likely it is one; otherwise the density of malicious nodes is very high.) Intuitively, in a large network, uniformly distributed malicious node s will not be very close to each other but rather spread far apart. Given a sparse population of colluding malicious nodes, the most likely successful scenario is the presence of one malicious node in the overlap regi on. In this case, the malicious node is basically verifying its own location. So, in this case, the successful attack is useless. Notice the previous analysis apply to the case wh ere the attacker is not able to comprise an arbitrary node. However, for the general case, one could place a time limit on the response time from the node such that there is no time for the colluding nodes to communi cate with each other. The malicious nodes could in principle counter this by sharing the key information of the claimant node and each malicious node respond to the respected verifier without the need to forward the challenge to the claimant malicious node and hence replay in the timeframe set by the scheme. A simple defense is to require the claimant node replay to eac h verifier to include the nonces from the other two verifiers. 3.6.3.2 Wormhole attack Finally, the colluding nodes m ay conduct a wo rmhole attack, i.e., a malicious node is connected to other point in th e network through wormhole and claims its presence at the other end of the wormhole. Such an attack may be prevented by limiting the time given to the node to respond to the verifiers challe nges. The time given to the no de should just be enough for processing the challenge and no more. This will depend on the processing capability of the node (type of processor, memory, clocking frequency, etc.) 3.7 Practical Considerations In this sec tion, we consider three issues that have an impact on performance of our protocol. The first is the energy consumption in the BEM node detection scheme. The second is PAGE 47 47 that the network may contain ve rifiers that have different co mmunication ranges because, for example, the hardware came from different vendor s. The third issue that we consider is the impact of the fading and shadowing on the probabili ty of verification. In the following analysis, we ignore the boundary effect, although we can take it into account using the approach described in Section 3.4. 3.7.1 Energy Consumption Since energ y is a scarce resource in WS Ns, it is important to minimize energy consumption. The detection scheme just described in which all verifiers listen to detect CRV (discussed in Section 3.6) is not the most energy efficient. It is possible to attain an acceptable detection performance with less energy expenditu re by using fewer verifiers for detection and making the rest go into sleep mode. This could result in large savings given that the energy consumption in sleep mode is considerable lower than in other modes (transmit or receive). For example, the Atlas WiFi Communication Module [42] has a current consumption of 350mA in receive (or listen) mode and 75mA in sleep mode. There several ways that one may devise to arrange which verifiers goes to sleep mode. We here examin e two possible approaches of accomplishing this: Random Listening Detection Strategy with % of the total verifiers are listening and the rest is on sleep state ( %RLDS) where the onverifiers are picked at random, and ClusterBased Detection Strategy where th e network is divided into a number of nonoverlapping clusters each of size nm and only the verifiers in one cluster are listen at a given time (nm CBDS). Observe that one can regard %RLDS as an extreme case of nm CBDS by considering that each verifier is enclosed in a tiny cluster and several clusters are on at given time. To analyze the energy saving using these two approaches, let the energy consumption in sleep and listening modes be sEandlE, respectively and the ratio between them be For the PAGE 48 48 base scheme, where all verifiers are li stening (AVL), the energy consumption islv AVLENE For the %RLDS, the energy consumption is sv lv RLDSEN EN E )1(% and therefore the percentage energy saving PES is given by )1)(1( 1% % AFL RLDSk RLDSE E PES (3.29) Observe that for nm CBDS and uniform distri bution of verifiers, as in our case, the approximate percentage of verifi ers that are listening equals to)/( abmn. Based on the observation, it can be easily shown that the percen tage energy saving for this case is given by: )1)(1(ab mn PESCBDSnm (3.30) To evaluate these two schemes, lets take the aforementioned Atlas Module. One can estimate the value of as2)75/350(. In this simulation, the radius of the BEM node BEMR is 20, maximum communication range maxR is 10, and the tolerance is 0.5. We consider the following schemes: 6.25%RLDS, 25%RLDS, 5050 CBDS, and100100 CBDS. Observe that the first and third schemes have approximate ly the same number of listening verifiers, and similarly for the second and fourth ones in or der make the comparison fair. This gives a percentage energy saving of 89.5% for the 6.25%RLDS and 5050 CBDS schemes, and 71.6% for the 25%RLDS and 100100 CBDS schemes. The relative probability of detection with respect to the AFL base scheme for these four schemes is shown in the Figure 310. It is clear that the RLDS schemes perform better than th e corresponding CBDS. This can be intuitively understood by observing that at a given time, the RLDS provide a better coverage of the network since the verifiers that are liste ning are randomly selected from a ll over the network as compared to the highly localized detection provided by the CBDS. Also, unlike the RLDS schemes, the PAGE 49 49 CBDS schemes performance does not change that mu ch with increase of the verifier density. This again is a result of the localized detec tion nature of the CBDS schemes since only the cluster in which BEM is located or nearby clusters can detect the BEM. Hence the other clusters will not benefit from the increased number of verifiers per cluster and consequently such increase will not have a key impact in detec tion process. This can be improved by turning on more than one cluster but of course with energy penalty. 3.7.2 Impact of Inhomogeneous Communication Range It m ay happen that the network consists of inho mogeneous set of verifiers in the sense that their communication ranges are different. This coul d be a result of using hardware from different venders or that some verifiers energy level is low and need to reduce their transmission power, and hence communication range, to extend their lifespan. To analyze this situation, assume that we have kclasses of verifiers; each class is be ing characterized by its communication rangeiR. Let ipthe percentage of the thiclass of verifiers out of the to tal number of verifiers in the network. Let maxRbe the maximum of all theiRs. To compute the probability of verification for this inhomogene ous situation, observe that, for a given node, the verifiers that can potentially verify the node location are those located at a distance of a most maxRfrom the node. However, only the verifi ers at proper range can participate in the verification process, i.e. a verifier of the thiclass must be at a distance that is less than or equal to iRfrom the node. Since we have a uniform distri bution of verifiers, the probability that a verifier of the thiclass is at a proper range is given by )/(2 max 2RRi Hence, the probability that a verifier is at a proper range is given by: PAGE 50 50 k i ii kRp R P P1 2 2 max 1i th th1 )class i from verifier ()class i from verifier range proper at isverifier ( (3.31) Now, assume that they are Nwithin maxRof the node. Then, the probabil ity of verification for an inhomogeneous case can be computed as follows: 1 3 1 3)2/1()1(1 )1( 2 1 )range proper at verfiersi(range) proper at verifiers()( N N iN i N i i N i inhN i N i P iVPNVP (3.32) Consequently, the probability of verification in the network can be computed as follows: 2 2 1 1 2 2 1 3 3 max)1()2/1()1()1( )2/1( )1()2( 2 )1( )1()1(1 )1()( )node theof within verifiersi()()( v v v v v v v vN vv N v N v Nv vv N v N iN i N i v inh N i inh inhNN N N NN N i N iVP R PiVPVP (3.33) where ab R2 max is the probability that a verifier is located within a distance of maxRof a node. Figure 311 illustrates the impact of i nhomogeneous communication range on the probability of verification when there are two classe s of verifiers present in network with verifier density of 0.020. The probability of verification is shown as func tion of the percentage of the verifiers that belong to the cl ass of the maximum range (i.e. 10 R) out the total number of verifiers in the network p (i.e. pp 11andpp 2). We observe that the probability of verification increases as p increases, i.e. as the verifiers with larger communication range increases. Also, observe that the change in the pr obability of verification is more dramatic when PAGE 51 51 the two classes of verifiers ha ve larger difference in their communication range. For example, for]105[ R, the probability of veri fication increases from a bout from 0.08 to 0.72 (800% increase) while it increases from about 0.6 to 0.72 (20% increase) for the case of]109[ R. Moreover, if the network consists mainly of the verifiers of the second class (i.e. p is very close to 1), then the communication ra nge of the first class of verifiers have little impact on the probability of verification. Said differently, if th e network originally cons ists of one class of verifiers and due to operational needs, some ve rifiers have to reduce their communication range, then the impact on the verification service is mi nimal if the percentage of those reducedrange verifiers is kept small. 3.7.3 Impact of Physical Channel Impairment In this sec tion, we analyze the impact of shadowing and fading on the probability of verification of our proposed scheme. We start by defining the following events: V the event that the node is verifiable in the absence of shadowing and fading, sV the event that the node is verifi able in the presence of shadowing, fV the event that the node is veri fiable in the presence of fading, fsV the event that the node is verifiable in the presence of both shadowing and fading, and xV any one of sV, fV, or fsV Moreover, we assume that if th e link between the veri fier and node is reliable (i.e. received signal is above the receiver threshold), then th e communication between the node and the verifier is possible. Let the probability th at the link between the node and th e verifier is reliable denoted bylp. PAGE 52 52 Now, since the node needs to have a successful communication with all the three verifiers to pass the verification check, then the probability of verification in the presence of shadowing or/and fading given that the node is verifiable in absence of shadowing and fading is 3)(l xpVVP (3.34) In the other words, the percentage decrease in verification probability due to the presence of shadowing and/or fading is given by)(1VVPx To mitigate the imp act of physical channel impairment, we consider 1 out of N scheme where the verifiers repeat the verification check N times and the result is consider a pass if the node passes one out of these test. For this oneoutofNrule, )(VVPxcan be easily shown to be: N l xofNp VVP3 111)( (3.35) In the absence of shadowing/ fading, the average path loss PLchanges logarithmically with distance and it can be expressed for an separation distance dbetween the transmitter and the receiver as [43]: 0 0log10)(])[( d d ndPLdBdPL (3.36) where nis path loss exponent and )(0dPLis the average path loss at a reference distance 0d. Now, consider a verifier that is attempting to verify the claim of a node at a distanced. Because the CORVA protocol allows for a tolerance of the verifier will take the separation distance as d. Moreover, it needs to ensure that the average received signal level at a distance d must equal to the r eceiver threshold levelthP. Hence, the verifier needs to transmit at a power (in dB) equal to PAGE 53 53 th th tP d d n d d ndPL P d d ndPLdBP log10 log10)( log10)(][0 0 0 0 (3.37) In other words, the received signal power by a node at a distance dfrom the verifier is given by th rP d d ndBP log10][ (3.38) Observe that the received signal is above th e required reception threshold by an amount equal to d d nlog10. This provides a power margin that will help to reduce the impact of shadowing/fading as we shall see shortly. In the following analysis, we assume that th e verifiers use Eq. 3.37 to compute the required transmission power (and hence know the values of n and )(0dPL). 3.7.3.1 Shadowing impact In the presence of shadowing, th e path loss is given by [43]: X d d ndPLdBdPL 0 0log10)(])[( (3.39) where Xis Gaussian random variable (in dB) w ith zeromean and standard deviation (also in dB). Hence, the probability that the received si gnal will greater than the required receiver threshold (i.e. probability of communication between a node and a verifier) can be expressed using the Qfunction [43] as: d n QPvn/1log10 1 (3.40) PAGE 54 54 Since the verifiernode distance dtakes values between 0and maxRwith probability density function of 2 max2 )( R d dfD, the average probability of a su ccessful communication exchange between the verifier and the node (i .e. link reliability) is given by: d n Q R pR l max0 2 max/1log10 2 1 (3.41) Now, we can use Eq. 3.41 in Eqs. 3.34 and 3.35 to compute the probability of verification for the basic scheme and the 1 out of N scheme. Figure 312 shows )( VVPs as a function of the shadowing standard deviation for the basic scheme. As expected, the probabili ty of verification in the presen ce of shadowing decreases with heavy shadowing but the extent is less when we have large verification to lerance and large path loss. This is because the power margin is larger in these cases (s ee Eq. 3.38 ). The results for the 1outofN scheme are shown Fi gure 313. Here, we can see how the curves in Figure 312 are lifted up when the verifiers re peat the verification test N time s and the node pass if it passes one of these test. The improvement in the verification probability increases with the increase N. This is further demonstrated in Figure 314 wher e we see that the impact of shadowing can be reduced considerable by increasing N to a large value. 3.7.3.2 Rayleigh fading impact For a Rayleigh fading channel, the power vari ation (in absolute unit, not dB) follows exponential distribution [43] and m ay be written as: avg avgP x P xp exp 1 )( (3.42) PAGE 55 55 where avgPis the average received signal (in absolute units). For this distri bution, the probability that the received faded signal power frP,exceeds certain level t(both in absolute units) is easily computed as avg frP t tP exp)Pr(, (3.43) To utilize the last equation, we assume that the average (local) signal power is given by Eq. 3.38 and hence the average link reliability is given by d R d R pR n R nPP lth th max max0 2 max 0 /1log1.01.0 2 max1exp 2 10exp 2 (3.44) where we substituted in Eq. 3.43 the values of rPandthP(after converting them to absolute value) and took the average over all the possible verifiers distances. The impact of fading on the probability of verification is shown in Figure 315 as a function of the path loss exponent and three values of verification tolerance. As with shadowing, larger values of for the path loss exponent and verification tolerance resu lt in smaller impact of fading since they cause the verifier to transmit at much higher power a nd hence provide a large power gain that help mitigate the impact of fading. Figure 316 shows how the effect of fading can be reduced by using the 1outofN scheme and picking large value for N and/or Moreover, observe that as the path exponent increases, the probability of verification in the presence of fading increases. 3.7.3.3 Combined lognormal shadowing and Rayleigh fading impact Following Suzuki [44], to com bine the shadow ing and Rayleigh fading, we assume that the local (smallscale) variation follows the Rayleigh distribution superim posed on (largescale) PAGE 56 56 lognormal shadowing distribution. Now, let denote the received shadowed signal power (in dB). Therefore, the probability that the received signal power in presence of both shadowing and fading fsrP ,is above the required threshold thP may be written using Eq. 3.43 as 10 ,10exp) Pr(TP thfsrthEPP (3.45) where )( Eis the expectation opera tor (over all value of ). Since is lognormally distributed with mean given by Eq. 3.38 and standard deviation Eq. 3.45 becomes: d dBP PPr P thfsrth 2 2 10 ,2 ][ exp 2 1 10exp) Pr( (3.46) Therefore, the average link reliability is given by: dd P n R pR P th lth max0 10 2 2 2 max10 2 /1log10 exp 12 (3.47) This equation can be used in Eqs. 3.34 and 3.35 to compute )( VVPfs and)(1VVPfsofN The values for )( VVPfs are shown in Figure 3.17 where we see that the combined effect of shadowing and fading result in very low proba bility of verification when we have small verification tolerance and/or sma ll path loss exponent. Recall that nand determine the power margin (see Eq. 3.38 ) but, of course, the value of nis determined by the medium of transmission and in reality, the network operator can contro l only the value of verification tolerance Another way to mitigate the effect is to use the 1outofN approach which is demonstrated in Figures 3.18 and 3.19 which show that the probabili ty of verification incr eases with the increase of N. For example, from Figure 3.19 and for 2 nand1 we see that the )( VVPfs jump PAGE 57 57 from about 0.1 in the basic to about 0.3 in the 1outof3 scheme (200% increase), and to about 0.45 in the 1outof5 scheme (350% increase). The improvement is even higher for large nand 3.7.3.4 Misclassification of a normal node as BEM node In the previous sections, we have seen how the physical channel im pairment reduces the probability of verification due to effectively the reduction in the communication range. In this section, we discuss the consequences of the increase in comm unication range of a node due to the physical channel impairments. A question of intere st here is about false pos itive, that is, is it possible for a node to pass verification when it should not? For our protocol, the answer is no since that node will appear as a BEM node b ecause its transmission reaches further than it should. However, this misclassification of a nor mal node as a BEM node may be harmful for the network because it could result in discarding data from perf ectly innocent nodes. One way to reduce this effect is to require more than one verifier or observer to detect the communication range violation (CRV) before the node is assumed to be a BEM node. Moreover, one can consider the verifiers that are lo cated at a distance greater than maxRwhere is a design parameter that should be chosen based on th e environment and the level of the physical impairments to reduce the probabili ty of misclassification to the de sired value. Notice that these measures will not impact greatly our ability to detect a real BEM node since the real BEM node will have a higher transmission power to start wi th compared to a normal node and hence, it is easily detected by more verifiers at greater distances. Figure 320 show the probability of misclassification of a normal node as a BEM node in the presence of shadowing and fading. The valu es shown are the averages of 20000 simulation runs. Observe that, for this partic ular environment, the misclassif ication probability can be made PAGE 58 58 insignificant by requiring about 5 verifiers to detect CRV before classifying the node as a BEM node. Alternatively, we can reduce the required number of independe nt observers (verifiers) if we consider the verifiers at the larg er distances (e.g., use 4 verifiers when3 ). 3.8 Summary In this chapter, we have presented a protoc ol for verification of location claim s. Unlike many other similar protocols, the CORVA prot ocol does not require very fast processing hardware. It only requires the ab ility of the verifiers to vary their communication range. By varying their communication range, three verifiers can confine a cl aimant node in their overlap area. We have outlined a general procedure to de rive the verification cove rage probability, i.e. the probability that a given network spot is covere d by at least three verifiers, for an arbitrarily communication range. Based on this procedure, we derived a few special cases, which we used to derive the coverage probability taking into account the impact of network boundary effects. We have also shown that the protocol is resilient to attacks when the density of the malicious nodes is small through simulation and through analyt ical derivation for several important cases. Moreover, we analyzed analytically the impact of three important practical issues: energy saving, the inhomegeneity of the communication range of the verifiers, and the presence of physical impairments. We demonstrated that an accepta ble BEM detection probability is possible with %RLDS strategy while achieving large energy sa ving compared to the base allon scheme. We showed that if the communica tion range of the majority of ve rifiers is kept the same, the impact of the rest of verifiers on the probability of verification is minimal. Moreover, we analyzed the impact of lognormal shadowing a nd Rayleigh fading on the verification probability. The results show that the impact is most se vere when the both phenomenon combined and the impact can be reduced by repeating the verificatio n test several times and considering the result as pass if the node succeed in one these tests. PAGE 59 59 Figure 31. The use of location verification to enhance the security of nonsecure localization schemes and overall network security. a maxR bmaxR maxR maxR maxR L1V3V2V Figure 32. Network model. PAGE 60 60 )1(q)( iq)( Nq )1( )( k p )( jq Figure 33. Construction of a triangle enclosing a point p using three points out 3 N. LXR ) tan( LX p A B CD Figure 34. A circle cut by a line at distance LXfrom the center p PAGE 61 61 R R r R RCrC Figure 35. A circle of radius r cut by another circle of radius R PAGE 62 62 0 0.2 0.4 0.6 0.8 1 1.2 0.010.0150.020.0250.030.0350.040.0450.05 Verifiers Density (#of verifiers /network area)Coverage Probabilit y P_theoretical P_theoretical_B P_cent(simulation) P_tot(simulation) (a) 0 0.2 0.4 0.6 0.8 1 1.2 0.010.0150.020.0250.030.0350.040.0450.05 Verifiers Density (#of verifiers /network area)Coverage Probabilit y P_theoretical P_theoretical_B P_cent(simulation) P_tot(simulation) (b) Figure 36. Coverage Probability for a ne twork with dimensions (a) 200x200 and (b) 40x40. PAGE 63 63 1V2V3V4V 2C1C3C1m 2m 3m L Figure 37. Location spoofing attack : BEM and colluding malicious nodes. Figure 38. View of a BEM node range extracted from a simulation run where verifier density is 0.013. The union of blue and yellow areas (the two inner most regions) is the Maximum Spoofable area (MSA). The middle blue area is where attack detection is possible. The outer green area is where th e verification is possible but requires participate of verifiers from outside the BEM range (BEM cannot carry attack in this portion). PAGE 64 64 0 0.2 0.4 0.6 0.8 1 1.2 0.010.0160.0220.0280.0340.040.046 Verifier Density ( # of verifiers / network area)BEM Attack Detection Probab ility R_BEM =15 R_BEM =25 R_BEM =35 (a) 0 0.2 0.4 0.6 0.8 1 1.2 1.4 0.010.0160.0220.0280.0340.040.046 Verifier Density (#of verifiers / network area)BEM Attack Detection Probability R_BEM=15, Sect. = 3 R_BEM=15, Sect. = 6 R_BEM=25, Sect. = 3 R_BEM=25, Sect. = 6 R_BEM=35, Sect. = 3 R_BEM=35, Sect. = 6 (b) Figure 39. Probability of BEM attack detection for different BEM ranges (BEMR= 15, 25, and 35) and maxR=10 when the BEM is equipped with (a) omnidirectional antenna and (b) directional antennas with three and six sectors. PAGE 65 65 0 0.2 0.4 0.6 0.8 1 1.2 0.010.0160.0220.0280.0340.040.046 Verifier Density (# verifiers / network area )Relative Pro. of Detectio n 6.25%RLDS 25%RLDS 50x50CBDS 100x100CBDS Figure 310. Relative probability (with respect to the AVL base scheme) of detection for two RLDS and two CBDS schemes. 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 pProb. of Verification R=[5 10] R=[7 10] R=[9 10] Figure 311. Probability of verification when th ere are two classes of ve rifiers in the network with communication ranges as given in the R array. The percentage of verifiers of the second class (R=10) out of the total number of verifiers is p. PAGE 66 66 0 1 2 3 4 5 6 7 8 9 10 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 [dB]P(VsV) n=2, =1 n=2, =2 n=2, =3 n=5, =1 n=5, =2 n=5, =3 Figure 312. )(VVPs as a function of the shadowing standa rd deviation for various values of path loss exponent and verification tolerance. PAGE 67 67 0 1 2 3 4 5 6 7 8 9 10 0.4 0.5 0.6 0.7 0.8 0.9 1 [dB]P(VsV) n=2, =1 n=2, =2 n=2, =3 n=5, =1 n=5, =2 n=5, =3 (a) N=3 0 1 2 3 4 5 6 7 8 9 10 0.65 0.7 0.75 0.8 0.85 0.9 0.95 1 [dB]P(VsV) n=2, =1 n=2, =2 n=2, =3 n=5, =1 n=5, =2 n=5, =3 (b) N=5 Figure 313. )( VVPs as a function of the shadowing standa rd deviation for various values of path loss exponent and verification to lerance for the 1outofN scheme. PAGE 68 68 1 2 3 4 5 6 7 8 9 10 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 NP(VsV)=5dB n=2, =1 n=2, =2 n=2, =3 n=5, =1 n=5, =2 n=5, =3 Figure 314. )( VVPs for the 1outofN scheme as a function of N for various values of path loss exponent and verification tolerance. 2 2.5 3 3.5 4 4.5 5 5.5 6 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 Path Loss Exponent, nP(VfV) =1 =2 =3 Figure 315. )( VVPf as a function of the pa th loss exponent for variou s verification tolerance. PAGE 69 69 2 2.5 3 3.5 4 4.5 5 5.5 6 0.4 0.5 0.6 0.7 0.8 0.9 1 Path Loss Exponent, nP(VfV) =1, N=3 =1, N=5 =2, N=3 =2, N=5 =3, N=3 =3, N=5 Figure 316. )( VVPf for the 1outN scheme as a function of the path loss exponent for various verification tolerance and values ofN. 1 2 3 4 5 6 7 8 9 10 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 [dB]P(Vs+fV) n=2, =1 n=2, =2 n=2, =3 n=5, =1 n=5, =2 n=5, =3 Figure 317. )( VVPfs as a function of the shadowing standa rd deviation for various values of path loss exponent and verifi cation tolerance in the pr esence of shadowing and fading. PAGE 70 70 1 2 3 4 5 6 7 8 9 10 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 [dB]P(VsV) n=2, =1 n=2, =2 n=2, =3 n=5, =1 n=5, =2 n=5, =3 (a) N = 3 1 2 3 4 5 6 7 8 9 10 0.4 0.5 0.6 0.7 0.8 0.9 1 [dB]P(VsV) n=2, =1 n=2, =2 n=2, =3 n=5, =1 n=5, =2 n=5, =3 (b) N = 5 Figure 318. )( VVPfs as a function of the shadowing standa rd deviation for various values of path loss exponent and verifi cation tolerance for the 1outofN scheme in the presence of shadowing and fading. PAGE 71 71 1 2 3 4 5 6 7 8 9 10 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 NP(Vs+fV)=5dB n=2, =1 n=2, =2 n=2, =3 n=5, =1 n=5, =2 n=5, =3 Figure 319. )(VVPs for the 1outofN scheme as a function of N for various values of path loss exponent and verificati on tolerance in th e presence of shadowing and fading. 1 2 3 4 5 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 Number of independent observersProb. of misclassification v=0.013, =1, =5, n=4 =0 =1 =3 Figure 320. Probability of misc lassification of a normal node as a BEM node in the presence of shadowing and fading. PAGE 72 72 CHAPTER 4 CONTENTIONBASED PROTOCOL FOR SCHE DULING VERIFICATION RE QUESTS IN WIRELESS SENSOR NETWORKS In this chapter, we describe a scheme to schedule location veri fication requests. The scheme is based on random contention and restrain ing the operations of th e nodes and the servers to reduce collision and hence improve the overall pe rformance. Although we intend it to be used for scheduling location verification requests, the protocol is qu ite general and can be easily adapted for similar services. The results show that high number of reque sts can be completed within a reasonable response tim e and its performance is better than TDMAlike clusteringbased schemes when the interference between clusters is taken into account. 4.1 Introduction W ireless sensor networks consist of devices that are highly constrained in their communication, computation, and power capabilitie s. The highly constrained nature of a WSN has resulted in many interesting scheduling problems that aim to improve the overall performance of the networks. For example, there is an extensive work on devising algorithms to schedule the sleep/wakeup interv als of nodes and link activation to conserve energy and hence extend the lifetime of the network [3032]. In this chapter, we are interested in schedu ling the verification service in the sense that during the service phase the medium is reserved only for the node and the server involved in the verification only (i.e. slot assignment to the entities involve d in the verification). The problem that we are considering here ove rlaps with the reservationbased MAC protocols [3436]. In [34], a reservation protocol is proposed that uses adaptive TDMAlike superframe structure for networks that organized in cluste red hierarchical. The superframe is divided in four parts: short control slot, CSMAbased conten tion reservation window, short reservation confirmation slot, and data slots. The cluster head (CH) broa dcast control informa tion (e.g. length of the PAGE 73 73 superframe) during first part of the frame. In the second part, nodes contend using nonpersistant CSMA to requests reservation. Next, the CH com putes the slots assignments to requesting nodes and broadcasts it during the reservation conf irmation phase. In the final part, nodes transmit during their assigned slots. The size of the fram e is adjusted according to traffic status as indicated by the number of unsuccessful transm ission. In [35], a reservation protocol for application with different QoS priorities is in troduced. The protocol also uses a TDMAlike frame that is divided into three periods: reservation pe riod, scheduled access period, and contention period. The reservation pe riod is further divided into two subparts: the first part used by nodes to request reservation by competing using slotted ALOHA, and the second part is used by the CH to compute the schedule and broadc ast it. In scheduled access period, the nodes transmit to the CH during their assigned timeslots The contention period is used for intercluster communication, through the IEEE802.11 DCF, in orde r to relay the data to the sink. In[36], the protocol is also divided into a reservation phase and transmission phase with similar function the previously described schemes. However, in this case, no hier archal structure is assumed. Moreover, the durations of these two phases are de termined by the first node that wins access to the medium and are varied according to the traffic load. In general, most reservati onbased protocols have two phases: reservation phase, and transmission phase. In the rese rvation phase, nodes usually c ontend through some form of random access (e.g. CSMA) to reserve transmission slot(s). A coordinator (e.g. cluster head) usually decides slots assignment to the nodes that made reservation request successfully. In the transmission phase, each node transmits during its assigned slot to its intended receiver. Our work differs from these schemes in that we are considering several server s, which do more than coordinating access, and we are not assuming that th e network is fully connected or that there is PAGE 74 74 no interference between clusters which is more suitable for real networks. Observe, however, that as special case, the servers could act as access coordinator to regulate which node gets the medium to transmit its data. Moreover, in our prot ocol, we do not assume any frame structure as most reservationbased MAC prot ocols. From point of the server, there three phases in our protocol: request phase, scheduling phase, and service phase. The duration of each phase is determined dynamically based on the request rate and the few protocol parameters that specify when the server can respond. Notice here that is not globally occurring at the same time for all servers but each server may observe different phase at the same time. We also note here that the problem of contention resolution in multiplenod e multipleserver environment has been studied before (e.g. [45]). However, the problem set up assumes that each node has a set of messages with each message is destined to a specific server where the access to each server is done through a separate contentionbased channel. Th is is different from our problem where the message is broadcast on a single channel shared by all servers and all nodes and any server, of those that receive the broadcast, can respond. The rest of this chapter is organized as fo llows. In Section 4.2, we present the network model, followed by the protocol description in Section 4.3. Our numerical results are presented in Section 4.4. Finall y, the chapter is conc luded in Section 4.5. 4.2 The Network Model In this chapter, we consider wireless networks that can be regarded from functional point of view as consisting of two components: nodes and servers. The nodes are the entities that are interested to receive the veri fication service which is provide d by the servers. Upon receiving a service request from a node, th e servers determine an appropriate time that can be used to fulfilled the request and then broadcast that sche dule. The service is carried during the assigned PAGE 75 75 time. We assume that time is slotted and that the nodes and servers are time synchronized. In addition, we assume a single communicat ion channel and halfduplex operation. From the point view of an enti ty (node or server), a timeslot can be either busy or idle. A busy timeslot is one that is reserved or one durin g which a transmission occurs. An idle timeslot is one that is not busy. A reserved timeslot is one that a server has designated to be used for fulfilling a particular node request. The Perceived Me dium Status (PMS) of an entity is its view of the status of each timeslots in the time line as regard to weather it is busy or idle. Obviously, whenever the entity detects a transmission, it knows that that timeslot is busy. In addition, through extracting the reserved timeslots inform ation from the broadcasted schedules, it can update the status of future timeslots. However, it possible that an entity perceived a timeslot as an idle when in fact that timeslot is reserve d. This can happen if the node hidden from the server that makes the schedule broadcast. Hence, the PMS provides only a partial view of the actual status of the medium. We refer to the actual status of the medium as the Global Medium Status (GMS). We define the direct link connectivity (DLC) as the probability that a link connecting two entities is present. For example, 1 DLCrepresents the case where ev ery entity is connected to every other entity (fully connected network) while 0 DLCrepresents a network consisting of isolated entities. 4.3 The RESTRAIN Protocol In this sectio n, we describe the propo sed random accessbased scheduling scheme operation. We first start by an overview of the sche me. A node interested in receiving the service requests the service by making a br oadcast expressing its interest. Each server of those that receive this broadcast queues this request. Whenever the number of queued request reach a PAGE 76 76 certain threshold, called the server response threshold (RST), the server schedules the first RpSB requests in the queue (RpSB is a design parameter that determine the number of r equests p er s chedule b roadcasted) by picking a suitabl e time in the future and then broadcasts this schedule. Every entity that receives this schedule, record s the reserved times so as to avoid transmitting during them. When the reserved time for a node starts, that node makes a broadcast acknowledging the reception of the sc hedule and its readiness to ente r the service phase. In this acknowledgement broadcast, the node includes a copy of the received broadcasted schedule to help in spreading the scheduling information to the nodes/servers that are hidden from the server that made the schedule, and hence reduce the probability of collision. Following a successful acknowledgement, the node and the server enter the service phase which is carried in accordance with service protocol. Observe here that the particularities of the service phase are not of concern to us in this work and will depend on the serv ice being sought. For example, the service phase may consist of the several challenge/response pack et exchanges between the server and the node to verify the location of the node. The cont ent of these exchange d packets and how the information in these packets is utilized to ve rify the location of the node are dictated by the verification protocol. Our concern here is to guarantee that there is a time period that is reserved for the node and the server to carry out the service phase without interference from neighbouring nodes and servers. At the end of the assigned ti me, the server removes the request out of its requests queue regardless if the service is co mpleted correctly or not (say because the node acknowledgement is not received). It is the responsibility of the node to make the request again if its older request is not fulfilled. The protocol restrains the operation of both the nodes and the servers. Nodes are not allowed to transmit a new requests until its current request is cleared and PAGE 77 77 servers cannot respond immediately but rather wait till the number of rece ived requests exceeds the RST. Therefore, we refer to our protocol as the RESTRAIN protocol. Now we will describe the nodes and servers operations in more detail: 4.3.1 Node Operation Nodes use the ordinary CSMA/CA with Truncated Binary Exponential Backoff (TBEB) scheme to broadcast their requests (similar to [46]) with a timeout timer to trigger retransmission. Briefly, this works as follows: whenever a node needs to make a request, it must sense the medium for nTtimeslots. If the medium is idle during this time, the node sets its backoff counter ib to a value between 0 and 1 CWwhere CWis contention window width. The node decreases ib every timeslots that is idle. Whenever ib reaches zeros, the node broadcasts its request. If during the backoff inte rval, the node senses that there is a busy timeslot (this includes reserved timeslots by definition) it must go through the same process again but it does not compute a new value for ibbut rather uses whatever is left from the previous backoff interval. Whenever the node makes a request, it sets its re transmission timer. If the retransmission timer expired and the node did not rece ive any schedule from any server, it retransmits the request again. However, this time it picks it backoff counter between 0 and12 CW; i.e. it doubles its contention window. The value of CWis set to minCWwhenever a new request needs to be broadcasted and the node keep doubling every time it needs to retransmit that request up a maximum limit of maxCW; at which time, the node resets it back tominCW. The process continues until either the request is fulfilled or it is discarded after reaching maximum number retransmission attempts (ReTxLimit). Notice that we require that the node do not transmit more than one request until the current request is clea red (completed or discarded). This restraining reduces the possibility of a node dominating the se rvice. Moreover, whenever the node receives a PAGE 78 78 schedule broadcast from a server, it considers th e interval from the reception time till the last reserved timeslot specified in the broadcast schedule as reserved timeslots. The reason to start the reservation interval from the reception time as opposed to starting from the time specified in the schedule itself is mainly to reduce the probab ility of collision since the server will schedule in the first timeslot following the last busy slot known to the server and hence the node will be also utilizing indirectly the PMS of the server. 4.3.2 Server Operation Whenever a server receives a requ est it adds it to a request queue that includes all previously received requests that have not been scheduled so far. When the number of requests in the queue exceeds a certain threshold, called server response threshold (SRT), the server enters the scheduling phase where it attempts to schedul e a certain number of the requests queued (i.e. assign these requests to some future timeslots). The number of requests that is scheduled is determined by the requests per schedule broadcasted (RpSB). We require here that RpSB be less than or equal to theSRT value. Once the number of requests queued reaches SRT value, the sever starts computing for access by using a modified CMSA/CA. The modified version works in the same way as we have described in th e node operation but with following changes: the medium is sensed for sTtimeslots instead of nT(nsTT ) and the backoff counter is picked randomly between 0 and 1 SSBWwhere SSBWis the servers scheduling broadcast window. SSBWis a fixed design contention interval that s hould be large enough to reduce the probability of collision between the servers. Moreover, the server starts its sTsensing interval following a busy timeslot. In most cases, this would be the ti meslot in which the server receives the request that makes the total number of requests queued equal toSRT. Whenever a server receive the broadcasted schedule of another server, it remove any request that are included its requests PAGE 79 79 queue. If some of the removed requests are on the prepared schedule, the server prepare a new schedule by scheduling additional requests so that the total scheduled is RpSB again and continue its countdown to transmi ssion. Notice that the server does not restart its access process when it detects another server tr ansmission (this is also differe nt from the ordinary CSMA/CA operation, where nodes have to restart the proc ess whenever there is a transmission or a collision as we described in the nodes operation above). It only re starts the process whenever it detects a collision or a reserved timeslot. Moreover, whenever the server enters the schedule broadcast process, it does not leave it until it makes a schedule broadcast or the number of request queued becomes less than RpSB value. Notice that SRTacts as a trigger to enter the schedule broadcast state but does not play any role on leaving it. To schedule the chosen set of requests (assign requests to slots) the server picks whichever is the maximum of the timeslots that comes directly after the last busy slot in its PMS or the slot that is 1 SSBWtimeslots after the current timeslot. This scheduling me thod ensures that there is at least 1 SSBWtimeslot not reserved which may be used by the other serv ers to make broadcast if they need to. For comparison reasons, we also implemented a version of the protocol where the servers use the TBEB scheme as the nodes. Of course, th e server still cannot star t the broadcast process before the number of queued requests reaches SRTand does not leave it until it makes a schedule broadcast or the number of request queued becomes less than RpSB value. We refer to the original version as REST RAINR and to the new version as RESTRAINE. 4.3.3 Example W e will now present an illustrative example to highlight the key ideas using the RESTRAINR protocol. Toward that, consider Fi gure 41, where two server s are shown that are part of a larger network. Moreover, we assume that servers need to reserve two slots to each PAGE 80 80 request that they need to serv e (1 slot for the node acknowledg ement and another for the actual verification service). Here, we assume that the two servers have received enough requests (i.e.SRT ) to enter the schedule broadcast phase and that1 RpSB. Observe that the two servers share two common requests 1rand2rwith server B having an additional request 3r(of some node that is hidden from serverA). In the top of the figure, we see the Global Medium Status (GMS) that indicates the busy slots with solid shades. However, this info rmation may not be available to all servers. This is because some of the schedu le broadcasts may not reach all entities in the network since some will be outside the comm unication ranges of both the server making the broadcast and the node acknowledging that schedule broadcast. For example, slots 7 and 8 are busy (probable reserved by a third server to fu lfill the request of so me node) but server B is not aware of this fact as can be seen from its Pe rceived Medium Status (PMS). Now, suppose that the backoff values of server A and server B are 1 and 2 respectively. Following the busy slot 0, both servers will wait for sT(which is taken as 1 in this exampl e) and since the slot 1 is idle, both server start there countdow n to transmission (server A for 1 slot and server B for two slots). As a result, server A will make a broadcast first and it will schedule the first request 1rin its queue. Since its PMS indicates that the last slot reserved, as known to server A, is slot 8 (which is also more than 21 SSBWfrom timeslot 3), then it will schedule 1rfor timeslots 9 and 10. Server B will detect this transmission and because the tr ansmission is done by another server, it will not restart its medium access procedure but rather it will continue its countdown to broadcast. In addition, by examining the broadcasted schedule, server B learns that server A have already schedule 1r and hence it removes 1rfrom its requests queue and instead schedules 2rfor slots 11 and 12 (since through server A broadcast, server knows that medium is reserved in slot 10). For illustration purposes, suppose that server B schedules 2r in any idle timeslots known to it as PAGE 81 81 opposed to scheduling it in the slots that follows the last busy slot known to the server as done above. Following this schedule in any idle slot strategy, server B could potentially picks slots 7 and 8 since it is not aware that they are busy as seen from the GMS. This can create a situation where the nodes scheduled for 7 and 8 interfere w ith each other and/or with the servers that are suppose to serve them. In contrast, using schedul e in the first slot following the last busy one reduces the occurrence of such undesirable situat ion as the servers will be indirectly utilizing each other knowledge of the medium For example, due to server A broadcast, server B reasons out that sever Amust have knowledge of some reserved slot s that extend to slot 8 and as a result, it used 9 and 10 instead of any earlier slots. At the start of the re served time, the node for which the reservation is made broadcast an acknowledgement message to confirm to the server that it is rea dy to go with verification phase. The acknowledgement message includes a copy of the original schedule to help in spreading the scheduling information to the nodes that did not hear the original sche dule (particular those hidden from the server). Here, any entity that hears this acknowledgement broadcast, extract the reserved timeslots information out of it to update its PMS and hence have a better view of the medium status. Then, in the following timeslot, the verification is carried out. Observe that, if both servers pick the same backoff value, there w ould be a collision and their attempt to schedule 1rwill not be successful. However, it is po ssible that another server may schedule1rif it hear this request, otherwise the node will have to retransmit its request again if the retransmission timer expired before receiving any scheduling information. PAGE 82 82 4.4 Numerical Results In this section, we present our num erical re sults. The default simulation parameters are shown in Table 4.1. The results are the average of 30 experiments. Each node is assumed to have a request ready to transmit in any given timeslot. 4.4.1 The RESTRAIN Protocol Performance Figure 42 shows the average num ber of reque sts completed for different values of SRTandRpSB. From the figure, we notice that, in general, for a fixedSRT, the average number of requests completed increases with the increase ofRpSB. For example, with4 SRTand for RESTRAINR protocol, the aver age number of requests completed is about 41 and 53 for 1 RpSBand4 RpSB, respectively. The reason for this is that with large values ofRpSB, the number of schedule broadcast needed by the serv ers to schedule the queued requests is less; hence reducing the probability of collision and improving the performance. Moreover, the RESTRAINR is generally performing bette r than the RESTRAINE. For example, with1 RpSB SRT, the average number of requests completed is about 34 for the RESTRAINE, while it is about 45 for the RESTRAINR; about 32% better. Notice that for a fixedRpSB, the average number of requests completed decreases slightly as the value of SRT(RpSB ) increases. The reason for this is again, with large value of SRTand smallRpSB, servers need to make more schedule broa dcasts to schedule all queued requests and hence increase the probability of collision. Th ese observations suggest that to increase the number of requests completed, on e should choose large value of SRT(at least 2) and set RpSB=SRT. However, this will also result in longe r response delay as can be seen from Figure 43. This to be expected since servers will have to wait longer ti ll the number of requests reaches the SRTvalue and hence start scheduling the re quests. On the other hand, for fixedSRT, the PAGE 83 83 average response delay decreases with the increase of RpSBbecause of the fewer schedule broadcast that the servers have to ma ke as we have discussed previously. Figures 44 and 45 show the impact of the direct link connectivity (DLC) on the percentage of requests completed and the response delay. In general, the performance degraded with large value of DLCbecause the number of neighbors per an entity increases and hence the collision probability also increases. This also implies that our scheme is much suited for a network environment since, in such case; each node/server will have a very small number of neighbors out of the total in the network (i.e. low value ofDLC). 4.4.2 Comparison with TDMAlike Clusteri ngbased (TLCB) Scheduling Schemes A typical TDMAlike scheme is a good choice for a singleserver multiplenode environment. One way to use it in a large netw ork is to create clusters around the servers typically under the assumption th at there is no intercluster in terference (ICI). However, in a dense network, such assumption may not hold well due to the close proximity of the clusters. In this section, we compare our proposed scheme with a simple TDMAlike Clusteringbased (TLCB) scheme that we have designed as we are not able to find a scheme that uses the same set of assumptions that we are considering in th is chapter. We believe that our TLCB scheme capture the essence of a typical TLCB. We will also see that our TLCB performs extremely well when there is no ICI as typically assumed in such approach. Our TLCB scheme is partially inspired by the Guaranteed Time Slots (GTS) mechanism in the IEEE 802.15.4 [37]. The designed TLCB scheme works as follows Following a beacon slot, a node with a request to transmit picks a slot randomly within a request contention window (RCW) and transmits its request in the selected slot. In the slot that follows theRCW, the server broadcast a schedule that specifies which of the nodes will be served within a reserved slots window (RSW). PAGE 84 84 Of course, the number of request s that can be served within RSWis determined by the size of RSW and the number of slots needed to serve e ach request. A new beacon is then broadcasted and the whole process is repeated. If the schedule broadcasted does not include a node request, that node will retransmit its request again in the following beacon interval. The node keeps retransmitting its request in each new beacon interval until it is scheduled by the server or it reaches the retransmission limit (ReTxLimit). To compare the different schemes, we set 8 RCWand 4 RSW(i.e., a maximum of two requests can be served within a beacon interval). We experimented with different values of RCWand RSWand the above chosen values are the ones th at seems to give the best performance for our simulation setup. For the RESTRAIN protocol, we set 0 SSBWand 2 RpSB SRT (i.e., in a single broadcast, two requests can be scheduled to receive serv ice). To create a dense network, we placed 5 servers and 50 nodes rando mly and uniformly in 20m by 20m network. The communication range is chosen to 10m, i.e. tw o entities within 10m can hear each other. Figures 46 and 47 show the simula tion results. Observe first that, in the absence of intercluster interference (w/o ICI), the TLCB has the highest average num ber of requests completed per node (ANRCpN). However, with ICI, the value of ANRCp N drops sharply due to the collision that is caused by the transmission in the adjusting clus ters. Moreover, the RESTRAINR has a better ANRCpN value compared to that of TLCB with ICI but of course the RESTRAINR does not require settingup clusters and ma intaining them. The performan ce of RESTRAINR can further be enhanced by setting up clusters in the sense that each node associate itself with one server which becomes responsible for serving that node (RESTRAINR, Clstr, w/ICI). Also, for comparison, the ANRCpN is shown for the RESTRA INR when there is no ICI interference which result in a performance jump although lower than TLCB under ideal condition. This PAGE 85 85 suggests that, if the ICI is not present or ne gligible, a TLCB is a very efficient scheduling scheme. However, where ICI is significant or th e cost of maintaining clusters is high, our RESTRAINR is a valuable choice. Observe also from Figure 46 that performance of RESTRAINE is lower than that of RESTRAINR but st ill it has a comparable performance to the TLCB with ICI. Moreover, when RESTRAINE is used in conjunction with clustering (and ICI), it will outperfor m TLCB with ICI. Figure 47 shows th at the average response time (ART) for the TLCB scheme is the best. This is to be expected as TLCB uses a frame structure that repeats periodically and hence the requests are fu lfilled faster than in the RESTRAIN protocol where the server have to wait till the number re quests reach the threshold. However, the ART for the RESTRAIN is reasonable and not that excessive. 4.5 Summary In this chapter, we have presented a protoc ol to schedule verifica tion requests using a contentionb ased approach. The protocol is designed for network with multiple nodes and servers without requiring a frame structure. Un like many reservation protocols, ours does not assume a clusterbased hierarchy with zeroin terference between cluste rs and hence a better deployment advantage. The responsive of the se rvers can be controlled through two parameters: sever response thresholdSRT, and requests per schedule broadcastedRpSB. Results show that a high number of requests can be complete d by choosing large value for SRT and settingSRTRpSB Moreover, the RESTRAIN protocol out performs the TDMAlike clusteringbased approach in terms of the average num ber of requests completed per node under the practical consideration of intercluster interference. PAGE 86 86 Table 41. Default simulation parameters. No. of Servers 5 No. of Nodes 25 sT 1 timeslots SSBW 5 timeslots nT 7 timeslots DLC 0.5 minCW 8 timeslots maxCW 1024 timeslots Retransmission Timer 120 timeslots Simulation Time 10000 timeslots Perceived Medium Status Tx Events r1, r2Request Queue Perceived Medium Status Tx Events R1, R2, R3Request Queue Global Medium Status r1, r2, r3 Server A Server B neigbhors SA:r1 SB:r2 r2 r2, r3 r3 1 sT2 sT sTSSBW11 b22 b 01234567891011121314151617... ... ... Figure 41. Illustration of servers operation in the RESTRAINR Protocol. PAGE 87 87 0 10 20 30 40 50 60 123456 Server Response Threshold (SRT)Avg. Num Req. Completed per Nod e RpSB=1,E RpSB=1,R RpSB=2,E RpSB=2,R RpSB=3,E RpSB=3,R RpSB=4,E RpSB=4,R RpSB=5,E RpSB=5,R RpSB=6,E RpSB=6,R Figure 42. The average number of requests co mpleted for the exponen tial (E) and random (R) versions of the RESTRAIN protocol for different combination of SRTandRpSB. 0 50 100 150 200 250 123456 Server Response Threshold (SRT)Avg. Response Delay (slots ) RpSB=1,E RpSB=1,R RpSB=2,E RpSB=2,R RpSB=3,E RpSB=3,R RpSB=4,E RpSB=4,R RpSB=5,E RpSB=5,R RpSB=6,E RpSB=6,R Figure 43. The average response delay for the exponential (E) and random (R) versions of the RESTRAIN protocol for different combination of SRTandRpSB. PAGE 88 88 0 10 20 30 40 50 60 70 80 0.2 0.4 0.6 0.8 1DLCAvg. Num Req. Completed per Nod e SRT=2, RpSB=2 (E) SRT=2, RpSB=2 (R) SRT=4, RpSB=2 (E) SRT=4, RpSB=2 (R) SRT=4, RpSB=4 (E) SRT=4, RpSB=4 (R) Figure 44. The average number of requests co mpleted for the exponen tial (E) and random (R) versions of the RESTRAIN prot ocol for different values ofDLC. 0 50 100 150 200 250 300 0.20.40.60.81DLCAvg. Response Delay (slots ) SRT=2, RpSB=2 (E) SRT=2, RpSB=2 (R) SRT=4, RpSB=2 (E) SRT=4, RpSB=2 (R) SRT=4, RpSB=4 (E) SRT=4, RpSB=4 (R) Figure 45. The average response delay for the exponential (E) and random (R) versions of the RESTRAIN protocol for different values ofDLC. PAGE 89 89 0 20 40 60 80 100 120 TLCB, w/o ICITLCB, w/ ICIRESTRAINRRESTRAINR, Clstr, w/o ICI RESTRAINR, Clstr, w/ ICI RESTRAINERESTRAINE, Clstr, w/o ICI RESTRAINE, Clstr, w/ ICIAvg. Num Req. Completed per Node Figure 46. The average number of re quests completed for various schemes. 0 20 40 60 80 100 120 140 160 180 TLCB, w/o ICITLCB, w/ ICIRESTRAINRRESTRAINR, Clstr, w/o ICI RESTRAINR, Clstr, w/ ICI RESTRAINERESTRAINE, Clstr, w/o ICI RESTRAINE, Clstr, w/ ICIAvg. Response Delay (slots) Figure 47. The average response delay for various schemes. PAGE 90 90 CHAPTER 5 IMPACT OF LOCALIZATION ERROR ON T HE PERFORMANCE OF LOCATION VERIFICATION SCHEMES Location verification is a technique used to enhance the robustness of localization schemes in wireless sensor networks (WSNs). The objec tive of a location verification scheme is to provide a simple way to validate a nodes claimed position by comparing an independent result with the result of the localizati on process. It has been demonstr ated that localization schemes suffer from estimation error, due to measuremen t accuracy, network densit y, and other factors. Thus, it is inevitable that a reported location resu lt that suffers from such an error will impact the result of the location verification scheme. In this chapter, we study the impact of localization error on the performan ce of location verification scheme s. We first illustrate this problem by analyzing how locali zation error impacts the perform ance of our CORVA protocol. Next, we propose a general mode l, called the localiz ation and location ve rification server model, and categorize the schemes into four cl asses based on the granularity used. We then provide an analysis of the pr obability of verification for th e discrete location verification schemes and the cdf of the devi ation distance for the continuous location ve rification schemes. Numerical results show that without a proper builtin mechanism to tolerate the inherent estimation error, lo cation verification can result in the rejection of almost all node location estimates, and hence lose its inte nded benefit to the network. 5.1 Introduction W ireless sensor networks (WSNs) consist of a large number of sensors that are used to measure various environmental parameters, such as sound, temperature, presence of light or gas emissions, etc. The results of these measurements are then forwarded to a data sink, where in most applications, the association of the measurement with a specific location is crucial for the delivery of meaningful data. For example, a report of a harmful gas leak is only useful if the location of the leak is PAGE 91 91 also known. Many localization schemes have been de veloped for WSNs to allow nodes to estimate their locations [6, 9, 47]. However, due to the limited com putational abilities and battery power, many of these schemes are designed to be simple in nature and many use large granularities for the indication of a nodes location. Thus, localization techniques tend to be vulnerable to estimation errors. Several researchers have worked to identify the parameters that induce errors, as well as develop models for use in localization performa nce evaluation. In [19], the authors examine the behavior of error inducing parame ters in multihop localization sy stems and study the trends in the error induced by the measurement technol ogy accuracy, the network density, the beacon node concentration, and the beacon uncertainty. It is found that location un certainty increased in rapidly with the reduction in the number of ne ighbors per node, specifically, for less than 10 neighbors/node. In [20], the authors design a model to predict the deviation of distance estimation in hopcount based localization schemes. It is demonstrated that a longer path, i.e., more hop counts contributes to a more inaccurate localization estimate. This work also highlights the impact of network density on the localization error. In [21] the authors analyze the error characteristics of range/angle free, range based, angle based, and multimodal positioning algorithms where a CramerRao lower bound for pos itioning error of multihop range/angle free localization algorithms is derived. Also, the perf ormance of a multimodel algorithm that uses both angle and range measurements is analyzed. A promising approach to improve the resilien ce of localization schemes in the presence of estimation errors is location veri fication. In location verification, the estimated location of a node obtained through a localization sc heme is validated via a deci sion of independent reference nodes. If the location reported by the node in que stion passes the verification test, then the network trusts the association of the nodes data with the report ed location. If th e node fails the verification test, then there is a problem with the association, wh ether the problem lies with the PAGE 92 92 location, the location estimate, or with the node itself. In either case, the network has been notified and can appropriately r eact, which often involves dis carding possibly useful data. In this chapter, we study the impact of loca lization error on the performance of verification schemes. Our goal here is to crea te a framework that can be used to analyze the impact of errors that appear in the inputs to location verification schemes. In Section 5.2, we analyze the impact of localization error on the CORVA protocol. Following that, we propose a general model to study the impact of localization error, called the localization a nd location verification server model, and provide a categorizat ion of localizationlocation ve rification schemes based on the granularity used. In Section 5.4, we analyze the effectiveness of the schemes based on the category and on the deviation from the actual loca tion. Section 5.5 presents numerical results for each of the general cases. Finally, we summarize the chapter in Section 5.6. 5.2 Case Study: The CORVA Protocol In this section, we study the im pact of lo calization error on the performance of our CORVA protocol described in the previous chapter. To analyze th e impact of localization error on the verification probability, we m odel the error as additive noise ),(yxee where xe and ye are Gaussian iids with mean mand standard deviation As a result, a node located at Lthat estimates its location to be at L will be verifiable if: i) the location L is verifiable, ii) the node is located within the ove rlap area formed by the verifiers around L and iii) no communication range violation is detected by any verifier located within the node PVA. In the following analysis, we ignore the boundary effect, although we can take it into account using the approach described in Section 3.5. We first compute the probability that the node is verifiable ignoring communication range violations (dis cussed in detail in the security analysis in Section 3.6). PAGE 93 93 5.2.1 Probability of Verification in the Presen ce of Localization Error given that no CRV is Detected Since only the verifiers within the PVA of the node can hear the verification request, the locationL at radial distance r fromL, is verifiable if it is verifiable considering the verifiers within the PVA of the node. This is equivalent to the case we discussed in Section 3.5.2.2.2, i.e. the probability of verifica tion in circle radius maxR cut by circle of radius maxR (we denote this probability by),(max maxrRRPCC .) Moreover, the node will estimate its location to be within an infinitesimal area centered at ),( r, with respect to a polar coordinate system centered at the node, with probability drdrf ),(, where ),( rfis the joint pdf of xeand yein polar coordinate system. This, after little alge braic manipulation, can be shown to be: 2 ]))cos(sin2(5.0))2sin(1(exp[ ),(2 r r rf, (5.1) where 2 22 m Therefore the probab ility the node is veri fiable is given by: drdrfTLPrRRP CRVNOVPR r L CC LE),()(),( )(2 00 max maxmax (5.2) where ) ( LTLPis the probability the node located at L is within the overlap area LT formed by the verifiers that are attempti ng to verify a node located at L Obtaining a closed form for such probability is a rather intractactable endeavor as the shape of LT will depend on the location of the node, the lo cation of verifiers, the radii of verifiers at the time of verification, and th e density of the verifiers. Noneth eless, the expression above is useful to estimate a lower and upper bound for)( CRVNOVPLE. For the lower bound, observe that Observe that the integration element is drd and not rdrd since r is absorbed in the expression of ),( rf PAGE 94 94 the node at L will be at least at radial distance equal to from the boundary of overlap area LT. Therefore, for the purposes of this calculation, LTcan be thought of as a circle of radius Thus,) ( LTLPis equal to one if the distance between L and L (i.e. r in the integration above) is less than and zero otherwise. In a similar wa y, the upper bound may be obtained by considering LTas a circle of radius 2 max 2 max max)( R Rr Notice also that the limit of inner integration may also be adjusted to or maxrdepending on whether we ar e calculating the lower bound or upper bound. 5.2.2 Probability of not Detecting a Communication Range Violation If the node has large localizati on error, then the verificati on may fail because one of the verifiers in its communication ra nge detects a communication range violation, that is, a node claims to be at distance which is greater than maxRfrom a verifier that ca n hear its verification request. To calculate such probability, consider Fi gure 51. Here a node at Lestimates its location to be at L ),( xand there is a verifier V located at),( A communication range violation will be det ected if the distance d between Vand L is greater than maxR. To be able to compute the probability, we will need the pdfs of and x Since the verifiers distribution is uniform, the pdf of is 2 max2)( R fand the pdf of is 21. The pdf of may be computed using the following relation ddr r r d ffr0 2 ,2 ]))cos(sin2(5.0))2sin(1(exp[ 2 1 ),()(, (5.3) where we have assumed that and are independent of each other and the pdf of is computed by integrating r out in Eq. 5.1. With some algebraic manipulation and interchanging the order of integration, the equation above becomes: PAGE 95 95 drd r r fr)) 4 cos(2exp()2/exp( )2( )2exp( )(0 2 2 (5.4) To evaluate the middle integral, let )) 4 (exp( jz where 1 jand for convenience, let ra ) 4 exp( jb and Cbe a positively oriented simple contour enclosing the origin, 2 1 )2( 2 )2exp( )1(2 )!( 2 )2exp( )2/exp( )!( 2 )2exp( )( )2( )( )2/exp( )2( )2exp( )/exp()( 1 )2/exp( )2( )2exp( )) (exp( )2/exp( )2( )2exp( )(0 0 2 0 122 0 2 0 0 2 2 0 0 2 2 0 1* 2 2 n n n n n n n n n n n r n C n r r Cn n n drrr n dr n ab j n ab jr drdz z zab abz n jr drdz z zbbza jr f (5.5) where we have used Maclau rin series expansion of ) exp( abz in the second step above and then integrated termwise using Cauchys Residue theorem in third step. Finally, the resultant integral in r was expressed in term of the Gamma function ) 1( n (! n for integer values). Now, observe that 222yxeexand xe and ye are Gaussian iids with mean mand standard deviation Therefore, 2xfollows noncentral chisquare distri bution with 2 degrees of freedom. Using the wellknown distribution for2x one can easily show that the pdf of x is given by PAGE 96 96 2 0 2 22 22 2 )2( exp)( mx I xm x xfX, (5.6) where )(0yIis the 0th order modified Bessel function of the first kind. The CDF of the distance between a verifier and estimated location dmay now be computed by observing that) cos(2222 xxd Hence ddxdxfffdFX D)()()()( (5.7) where is the region where 2 22)cos(2 dxx Therefore, the probability that a verifier wi ll not detect a communica tion range violation is given by)(max RFd. Consequently, in a ne twork with a total of vNverifiers, the probability that a communication range violation by a give n node will not be detected is given by: v v v vN N kN k N k v k LEk N P )1()1(1 )1( le) undetectab CRV(1 (5.8) By taking the product Eq. 5.2 and Eq. 5.8, a nd using appropriate integration limits for r in equation Eq. 5.2, we can obtain lower and upper b ounds that take into account the CRV issue. 5.2.3 Numerical Results The simulation results and bounds curves are shown in Figure 52 for following values of tolerance: (a) = 1 and (b) = 3. Here, the verifier and node densities are both equal to 0.015 and the network dimension is 200x200. For these va lues, the probability of verification is 0.54 in the absence of localization. In general, the veri fication probability decreases as the error mean and standard deviation increase. Compared to the ideal case, where there is no localization error, the verification probability decreases by close to 100% for moderate error deviation for = 1. The decrease is less as the tolerance increases. Th is demonstrates that, for small tolerance values, PAGE 97 97 the protocol is sensitive enough to detect small de viations from the actual location and therefore it provides a reliable verification mechanism. On other hand, the networ k operator can relax the verification requirements by increa sing the tolerance; say, if the operator is interested in verifying the presence of the node in a given regi on rather than an exact location. Also observe, for a given error mean, the simulation curve fe ll between the upper bound curve and lower curve with exception of a few points (mainl y at high values of error standa rd deviation). This is due to the unavoidable error of numeri cal computation of various expressions which becomes more prominent when the values of the verifi cation probability become very small. 5.3 Proposed Localization and Location Verification Server Model In order to study the impact of localization error in a more general context, we propose the use of the model shown in Figure 53. In this model, both localizati on and verification are thought of as services that are provided through servers. For example, in [9], a localization scheme uses reference nodes to broadcast locatio n beacons which are then used by other nodes in the network to determine their locations. Our model c onsiders these refere nce nodes as location servers. 5.3.1 Localization Server As shown in Figure 53, a localization server consists of an ideal localization stage, a mapping stage, and additive error. The output of the ideal localization stage is the exact position of the node in question. Next, the mapping stage im plements any manipulation that is peculiar to the localization scheme. For example, in [9], the node estimates its location to be the centroid of all the locations of the reference nodes that have connectivity exceeding a certain threshold to the node in question. This scheme provides a manytoone mapping, where all nodes that use the same set of reference nodes will have the same location estimate. Finally, the additive error stage, introduces given noise components. Afte r the localization process has completed, a node PAGE 98 98 or the network may request verification of the reported location from the location verification server. 5.3.2 Location Verification Server In Figure 53, the verification compone nt is split into two stages: the verification process, and the decision rule The verification process is the mechanism used to check the validity of the location claim. The output of the verification pr ocess is a set of metrics which are combined together according to a prescribed decision rule to produce the fi nal decision. For example, the verification process may consist of 2 independent evaluations by several verification servers (or verifier nodes, as in [48]), while the decision rule may be to rule in favor of the majority of the verification servers (m ajority voting rule). To further facilitate our study, we classify localization schemes into two major categories based on the location granularity: discrete locali zation (DL) and continuo us localization (CL) (finegrain and grossgrain localiz ation approaches). Likewise, we classify location verification schemes in two similar classes: discrete lo cation verification (DLV) and continuous location verification (CLV). 5.3.3 Classifications 5.3.3.1 Discrete localization (DL) In DL, each node estimates its location to be one of a finite set of possible locations based on some optimization criteria. Because of the fini teness of the location set, it is possible that several nodes will be mapped to the same estimated location, particularly when there are a limited number of reference nodes. 5.3.3.2 Continuous localization (CL) In CL schemes, any location estimate is possible, and the probability that two nodes at different locations are assigned the same location estimate is zero. An example of this is the PAGE 99 99 AHLoS scheme in [47] as well as most rangebas ed localization schemes. Notice also that the classification CL can be relative in nature, since it must be based on a spatial threshold. If the distance between two nodes in the network is greater than the threshold distance, then the localization scheme can distingu ish between the two positions. Ot herwise they appear to be located in the same place. 5.3.3.3 Continuous location verification (CLV) In the CLV schemes, the final outcome is a nu mber that indicates the amount of trust that the verification service has assigned to the lo cation estimate. An example of this is the probabilistic location verification (P LV) protocol in [25]. This a pproach to verification relates the probabilistic dependence of the number of hops traversed by a broa dcast packet to the Euclidean distance between the source and the destination. The protocol returns a number between and to indicate the plausibility of a nodes location claim. 5.3.3.4 Discrete location verification (DLV) In DLV, the final outcome of the verification can be only one of two values: pass or fail. An example of this is the CORVA protocol [ 48], where a node requests verification from within range verfiers that must at least form a triangle enclosing the node. The verifiers then adjust their communication range to the distance of the clai med location (plus some predetermined design parameter which controls the tolerance towards a ny uncertainty), and chal lenges the node with a nonceencrypted key. If the nodes responses to th ree of the verifiers are correct, then the node passes the verification, otherwise, it fails. Taking these models and classifications into account, we now analyze the performance of the location verification approaches, and study how the localization e rror impacts the final outcome of the verification scheme. PAGE 100 100 5.4 Performance Analysis We represent the network area asN, and specify a nodes position as),( yx. The pdf of the nodes locations in the network is denoted),( yxn, and the deviation distance, D is the distance between the nodes claimed location and the nodes actual location. First, we must designate some parameters based on the localization classification. As mentioned previously, in DL schemes, each node estim ates its location to be one of a finite set of possible locations, and it is assu med that the node picks the closes t of these locations to be its estimated position (minimum deviation distance criteria.) We define the number of permissible locations asNPL, the cardinality of the set of possible estimated locations,, where we use NPLto denote both the actual elements of as well as its cardinality (intended meaning clear from the context). The probability distribution fu nction (pdf) of these permissible locations is denoted by),( yxv. Moreover, for DL schemes we set the a dditive noise to zero, since the main source of localization error is the mapping of continuous space lo cations to a finite set of locations. (There may be additional localization e rror from other sources, such as reference GPS nodes with finite resolution, but it is assumed that these errors are neglig ible compared to the error caused by the discrete nature of the DL lo calization.) On the other hand, in CL schemes, any location estimate is possible and the a dditive localization error takes the form ),( where and have a joint pdf),(, f. In other words, given an actual location),( yx, a CL scheme will return an estimated location),() ~ ~ ( yxyx. Next, we consider the two classes of location verification schemes, a nd analyze the impact of the localization errors. PAGE 101 101 5.4.1 Continuous Location Verification Analysis In a CLV scheme, the verification stage output is a number that indicates the amount of trust that the verification service assigns to the location estimate. For this measure, we choose the Euclidean distance between the actual location and estimated location. Lower values indicate higher assurance of the claim. Although other possibilities exist, this choice is suitable since the returned value relates to the difference between the claimed location and the actual location. Since the verification scheme return s the deviation distance, denoted D we choose to use the cumulative distribution function (CDF) of the de viation distance as ou r performance metric. 5.4.1.1 Discrete localizationcontinuous verification In this case, a node picks the location from the set _that minimizes the deviation distance, D and the verification scheme returns the devia tion distance as a response to a nodes request. By the definition of the CDF, we calculate th e probability that a node will have a deviation distance less than or equal tod. (This is equivalent to sa ying that within a distance dof the actual location of the node, there is a least one permissible location since by our assumption, the node will estimate its location to be closest perm issible location.) Given that the actual location is),( yx, the probability that the deviation distance D is less than or equal to dis calculated: NPL yxCddwdzzwv yxdDP ),(),( 11)),((, (5.9) Consequently, by averaging over all possi ble node locations, we obtain the CDF: dxdyyxnyxdDPdFD),()),(()( (5.10) 5.4.1.2 Continuous localization continuous verification For this case, a node whose actual location is ),( yxwill receive a location estimate),() ~ ~ ( yxyxfrom the localization service. Base d on the localization error model, PAGE 102 102 the deviation distance is given by 22d. It is straightforward to show that the joint pdf of and in Polar coordina tes is given by: )sin,cos(),(, f f (5.11) Using this equation, CDF of the de viation distance can be expressed: dd fdFd D0 2 0 ,)sin,cos( )( (5.12) 5.4.2 Discrete Location Verification Analysis In DLV, the final outcome of the verification is either pass or fail. However, we assume that DLV schemes have a tolerance for uncertainty in the localization scheme. Otherwise, no node with a localization erro r would be verified. We ch aracterize the tolerance by which represents the radius of a circular region, ),( yxCcentered on the nodes actual location. If the nodes estimated location lies within this circle, the DV scheme passes the estimate. Otherwise, it fails. Therefore, we use the probability of successfully passing the location verification test,)( VP, as the performance metric. 5.4.2.1 Discrete localizationdiscrete verification Here, the verification scheme passes the nodes location estimate if the nodes deviation distance is less than the tolerance Using the result derived above for DLCLV, the probability of verification is given by: dxdyyxnyxDPVP ),()),(()(, (5.13) where )) ,(( yxDP is given in Eq. 5.9. PAGE 103 103 5.4.2.2 Continuous localizationdiscrete verification In this case, the node will be verifiable if the deviation dist ance between its actual location ),( yxand its estimated location ),() ~ ~ ( yxyxis less than the tolerance of the verification scheme. Based on our previous discussion for CL CLV, the probability of verification is given by dd fVP0 2 0 ,)sin,cos( ) (. (5.14)We note that it is also possible to consider an Llevel DLV scheme where the output describes the trust level that the verification scheme places on the nodes location claim. We discuss this case briefly in Section 5.5 as a discretization of the CLV scheme. 5.5 Numerical Results For the numerical results, we consider a rectangular network of dimensionsba, where200ba. The locations of the nodes in the network ),( yxnare assumed to be uniformly distributed, as are the permissible locations,),( yxv. We assume that the localization error in each direction, and are identical, independently distribute d Gaussian random variables with mean mand standard deviation Under these assumptions, an ev aluation of each of the cases presented in the previous sect ion is shown in Table 51. Figure 54(a) shows )( dFDfor the DLCLV case in Eq. 5.10. This represents the percentage of nodes that will be verifiab le, for a tolerance of deviation distanced. We observe that the discrete nature of the localization sche me has a very large impact. For example, for a tolerance of15 d, if the number of permissible locations, NPLis doubled from 40 to 80, then the percentage of nodes that wi ll be verified increased from %50 to%75. Tripling to 120NPLfurther increases the percentage of verifiable nodes to roughly%85. This result can PAGE 104 104 also be used to find out the verification probabili ty if the network operato r decides to discretize the CV by setting cutoff levels. For example, a fivelevel verification scheme can be created by specifying the following levels: very trustful, trustful, indecisive, doubtful, or very doubtful to be associated with a deviation distance in the range)5,0[,)10,5[,)15,10[, [)20,15, or )25,20[respectively. Then, the network operator co uld, based on any opera tional requirements, adjust the levels of the cutoffs to produce any de sired distribution of the nodes inside each level. The CDF of deviation distance for CLCLV case is shown in Figure 54(b). For varying mean and standard deviation of the positioning errors, the continuous lo calization allows for tuning the verfication result. For example, the percentage of nodes that are verifiable approaches a common level, regardless of the characterizatio n of the positioning erro rs, after the deviation distance reaches a certain threshold. Before the th reshold, nodes with low mean and low standard deviation errors can be included, while nodes with larger errors are rejected. Figure 54(c) shows the probability of verification,)( VP, for the DLDLV case. Notice that for low NPLand a low tolerance, the verification probability is also very low. However, the probability improves with the increase of either or both of these parameters. This is to be expected since low NPLcorresponds to a large deviation distance (from our simulations 23 dwhen 20 NPLand decreases to 8 when140 NPL). We can conclude here that a DLV scheme with low tolerance will no t work well with a DL scheme that has poor location resolution as measured by NPLin our case. Figure 54(d) shows the probability of veri fication for CLDLV case. These results highlight the impact of the standard deviation of the errors on the locati on verification results. For wellbehaved errors that have mean less than the tolerance and exhibit a low standard deviation, the probability of verification is high, i.e., %60and above. For widely ranging errors PAGE 105 105 with mean greater than the tolera nce and large standard deviation, the probability of verification is low, i.e., %40_ and below. For small tolerance and comparable localizat ion error mean, the verification probability increases before it starts to decrease again. This is explai ned as follows. Because of the localization error, the location estimates are inside a region surrounding the localization error mean point. Let us call the region where ___ percentage of the estimate are located the effective error region (EER). The probability of verificati on will approximately equal the percentage of EER that is inside the tolerance circle, i.e. ove rlap area of EER and tolerance circle divided by the area of EER. When the localiz ation error mean is comparable to the tolerance value, the center of the error region will be close to the bounda ry of the tolerance circle. So for small values of the majority of estimate will be centered on the mean. As a result, there is a small overlap area between the tolerance circle and the EER, i.e., the verification probability is small. As _increases, the overlap area gradually increases, thereby increasing the verification probability. Eventually reaches a value such that the tolerance circle is totally contained in the EER, i.e., overlap area will be equal to the tolera nce circle, and any further increase in will decrease the ratio between the fixed overlap area and the increasing EER area. 5.6 Summary In this chapter, we have studied the imp act of localization er ror on the verification probability of location verification scheme. To high light the problem, we analyzed the impact of verification probability in presence of localizat ion error for our CORVA protocol. The results show the probability of verifi cation remains almost unchanged for small localization error but drop by close to 100% for larger values. Howeve r, by adjusting the tolerance of our CORVA scheme, the probability can be improved greatly. We also presented a highlevel model to PAGE 106 106 facilitate our study of the impact of localization error for differe nt classes of localization and verification schemes. In general discrete localization schemes suffer more since by their nature, there is inevitable large localizat ion error present in their estimates. The situation could be improved by increasing the number of permissible locations for the scheme or/and increasing the tolerance of discrete verification scheme. The results show also that without tunable builti n mechanism to tolerate the localization error, all location claims will be rejected unl ess nodes have access to errorfree localization scheme which is not possible practically. Contin uous location verification schemes may be better than discrete ones, since they associate a tr ust value to each location and consequently, the network operator can, if there is a need, decides verification cuto ff value which can be adjusted dynamically based on network conditions. PAGE 107 107 Table 51. CDF or probability of verification for the four cases. V L L d x Figure 51. A node located at Lestimates its location to beL Case Evaluated Metric Equation DLCLV NPL Dab d dF 211)( 5.10 CLCLV d m I e dFd m D 0 2 0 2/)2( 22 1 )(222 5.12 DLDLV NPLab VP 211)( 5.13 CLDLV d m I e VPm 0 2 0 2/)2( 22 1 )(222 5.14 PAGE 108 108 0 0.1 0.2 0.3 0.4 0.5 0.6 0.511.522.533.544.5Prob. of Verification sim, m=0 sim, m=1 sim, m=2 sim, m=3 upb, m=0 upb, m=1 upb, m=2 upb, m=3 lwb, m=0 lwb, m=1 lwb, m=2 lwb, m=3 (a) =1 0 0.1 0.2 0.3 0.4 0.5 0.6 0.511.522.533.544.5Prob. of Verification sim, m=0 sim, m=1 sim, m=2 sim, m=3 upb, m=0 upb, m=1 upb, m=2 upb, m=3 lwb, m=0 lwb, m=1 lwb, m=2 lwb, m=3 (b) =3 Figure 52. Impact of locali zation error on verificati on probability for two values of tolerance The simulation results (sim) are shown in solid lines, the upper bound curves (upb) are shown in dotted lines and solid marker s, and the lower bound curves (lwb) are shown in solid lines and hollow markers. Pr obability of verification is 0.54 in the absence of localization error. PAGE 109 109 L L L L L Figure 53. A general highlevel model to study the impact of lo calization error on LV protocols. PAGE 110 110 5 10 15 20 25 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 dFD(d) npl=40 npl=80 npl=120 5 10 15 20 25 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 dFD(d) m=0, =2.5 m=0, =4.5 m=1, =2.5 m=1, =4.5 m=2, =2.5 m=2, =4.5 (a) DLCLV (b) CLCLV 20 40 60 80 100 120 140 0 0.05 0.1 0.15 0.2 0.25 nplP(V) = 1 = 3 = 5 0.5 1 1.5 2 2.5 3 3.5 4 4.5 0 0.2 0.4 0.6 0.8 1 P(V) =1, m=0 =1, m=2 =3, m=0 =3, m=2 =5, m=0 =5, m=2 (c) DLDLV (d) CLDLV Figure 54. The performance results (probability of verification for DLVs and CDF of deviation distance for CLVs) for the four analyzed combinations of localization and LV schemes. PAGE 111 111 CHAPTER 6 LVFEED: LOCATION VERI FICATION FEE DBACK TO IMPROVE LOCALIZATION ACCURACY IN WIRELESS SENSOR NETWORKS The ability of a node to determine its locati on is an important task in wireless sensor networks as users are usually interested in know ing where the measurements are taken. In this chapter, we study the use of location verifica tion as a feedback mechanism to improve the localization accuracy. In this ch apter, we propose several location verification feedback (LVFEED) algorithms to improve the localization accuracy. Analysis of these algorithms shows that a significant improvement in lo calization accuracy can be acco mplished in a few iterations of executing the location verifi cation feedback schemes. 6.1 Introduction Wireless sensors networks (WSNs) are envi sioned as an interface between the physical environment and the networked world. WSNs consist of large number of nodes that are equipped with one or more sensors and are capable to communicate wirelessly with each other. These nodes usually operate in a distributed manner to accomplish some task, such as monitoring chemical agents in air. In most applications it is crucial to know the location where the measurements were taken in order to deliver m eaningful information to users. Therefore, nodes need to have the capabilities to determine their locations. This is the localization problem. Researchers have developed many localization protocols for WSNs. In general, most schemes use reference nodes, i.e. nodes that know th eir locations (through a GPS device or manual configuration.) Reference nodes peri odically broadcast information th at is needed by the rest of nodes to compute their locations. Another locationrelated problem is location verification (LV) where the objective is to verify a nodes claim about its lo cation. LV schemes [23, 25, 27, 48] can be used to secure localization schemes or to enable context access to network servi ces. In general, an LV scheme PAGE 112 112 does not need to compute the actual location of that node; it needs only th e ability to accept or reject that claim. In this chapter, we study the use of LV as a feedback mechanism to improve localization accuracy. To the best of our knowledge, this appro ach has not been studied in the literature. We present several algorithms for va rious practical situations, cons idering two types of networks: networks where a node can obtain several independent estimates (e.g., by consulting different reference nodes) and networks where a node can only obtain a single estimate. For each type, we consider both discrete and continuous LV schemes. We also di scuss how to adapt the proposed schemes for networks that use discrete localiza tion and localization schemes that exhibit angular bias. The rest of this chapter is organized as follo ws. In Section 6.2, we present the terminology and assumptions. Our proposed schemes are presente d in Section 6.3, followed by the numerical results in Section 6.4. Finally, Section 6.5 conclude s the chapter. 6.2 Terminology and Assumptions In this section, we presen t the terminology and assumptions used in this chapter. 6.2.1 Terminology and Notation We consider two types of networks: networks where the node can obtain m ultiple i ndependent l ocation e stimates from the localization serv ices (e.g. by consulting different reference nodes), and networks where the node can only obtain a si ngle l ocation e stimate. We refer to the former as MILENET and to the late r as SILENET. By independence of the location estimates, we mean that a new location estimat e for a node is not aff ected by the previous location estimates. In this chapter, we differentiate between two types of LV schemes: discrete and continuous. In discrete LV (DLV), the final outco me of the LV scheme is pass or fail. A DLV PAGE 113 113 can be characterized by a tolerance factorLV that is the maximum de viation distance between the actual location and estimated location that allows the node to pass the verification. In other words, if the deviation distance between the actual location and estimated location is less thanLV the node passes the LV check; otherwise it fails. In conti nuous LV (CLV), the scheme returns a numerical value that indicates how much the scheme trusts the nodes claim about its location. For example, a value of 0 could mean the LV does not trust the nodes claim at all whereas a value of 1 means that the LV fully belie ves the nodes claim. Other values inbetween indicate different levels trust. In general, the trust level s hould be related to the deviation distance between the actual location a nd the estimated location of the node. The localization accuracy requirement of the network will be characterized by maximum allowable deviation distance,net Nodes with deviati on distances less than net have an acceptable accuracy from the network point of view. The actual location of a node is denoted by),( yxwhile the jth estimate of the node location obtained from the localiz ation service is represented by) (jjyx. The nodes own jth estimate of its location is denoted by) ~ ~ (jjyx. Here, we differentiate between location estimates obtained from the localization service ) (jjyx and the nodes own estimates of its location ) ~ ~ (jjyx which may involve further processing of the values ) (jjyx based on the feedback received from the LV scheme. The deviation di stance between the actual location of the node and its jth estimate of location will be denoted by jd(see Figure 61.) We define the deviation angle for jth iteration devj, as the angle that the line through the actual location and the jth location estimate makes with some reference line with the estimated location as the origin. The node estimate of this angle is denoted by j ~ and we refer to j ~ as the correction angle. PAGE 114 114 In describing the algorithms in chapter, we use the phrase the node corrects it location by a distance ofj in the directionj ~ to simply mean that the node updates its location estimate from ) ~ ~ (jjyx to ) ~ ~ (11 jjyx using the following rule (see Figure 61): ) ~ sin ~ ~ cos ~ () ~ ~ (11jjjjjj jjy xyx (6.1) To characterize the localizati on accuracy improvement in th e nodes location estimates, we trackj the percentage of nodes that meet the netw ork accuracy requirement in jth iteration of the algorithms presented. This is equivalent to the probability that a node passes the LV check since net LV in our case as we shall see shortly in the next subsection. 6.2.2 Assumptions In this chapter, we consider networks that have both localization and location verification services. For discrete LV schemes, we assume that the maximum allowable deviation distance net is equal to the LV toleranceLV i.e. LVnet Notice this choice is the best for our application. Ifnet LV some nodes that do not meet the network accuracy requirement will be pass LV and so we will not have a good feedback signal. On the other hand, ifnet LV some nodes will not pass LV despite meeting the accuracy requirement of the network. For continuous LV schemes, we assume that scheme returns higher values for accurate location estimates. Localization scheme error is modeled as com ponentwise additive Gaussian noise, that is ),() (jijijjyxyx wherej andj are iids Gaussian. We assume that the noise components have zero mean (otherwise, one can subtract th e means from the respect ive components in each ) (jjyxto have a mean of zero). We further assume the error standard deviation is the same for all the noise components. All dist ances are normalized by the value of i.e. 1 PAGE 115 115 6.3 LVFEED: LV Feedback Schemes to Improve Localization Accuracy In this section, we study how localization schemes can bene fit from LV feedback. The basic idea of the LV feedbackb ased improvement schemes proposed is illustrated conceptually in Figure 62. A node initially ob tains a location estimat e using the available localization service. Then, a verification scheme should be chosen and tuned such that the node passes the verification only if it meets the networ k localization accuracy requirement (net LV ). If the node passes the verification step, then the node co ncludes that it meets the accuracy requirement of the network and therefore no further processing is required. On the other hand, if the node fails the LV step, the node attempts to adjust its lo cation, as we shall describe in more detail in the subsequent sections, and goes through the LV step again. The cycle repeats until the node passes the LV step or some maximu m number of iterations is reached. We first describe the LVFEED algorithms fo r MILENETs in Section 6.3.1 and later the LVFEED algorithm for SILENETs in Section 6. 3.2. We primarily desc ribe algorithms for networks with continuous localization. However, we will show how the algorithm for the SILENET can be adopted for network with discrete locali zation scheme. 6.3.1 LVFEED for MILENETs In this section, we consider ne tworks where the node can obtain m any i ndependent l ocation e stimates (MILENET.) We present schemes for networks with DLV schemes and those with CLV schemes. 6.3.1.1 DLVFEED for MILENETs For this case, we propose the correction algorithm shown in Figure 63. The node improves its location estimates by iteratively obtaining a new estimate from the localization service and then computing its own location estimator ) ~ ~ (jjyxas the average of all the previous PAGE 116 116 obtained location estimates ) (jjyx. Then, the node requests LV with the claimed location as) ~ ~ (jjyx. If the result of the LV is pass, the process terminates. Otherwise, it repeats until the maximum number of iterations allowed by the ne twork is reached. Observe that, based on the proposed error model; the maximum likelihood (ML) es timator is equivalent to the least square estimator which is, for our case, given by the average described above. 6.3.1.2 CLVFEED for MILENETs In this type of LV, the node will get a numer ical value that indicates the trust level the network has concerning the nodes location claim. In this type of situation, we propose the correction algorithm shown in Figure 64. After obtaining a new estimate, the node forms an estimator which is the average of the previous location estimates obtained from the localization service. Then, it requests LV. If this estimator fails to pass the LV check, the node requests LV using the estimate it just obtaine d from the network. This may seem counterinitiative as the estimator in step b has less variance than the estimator in step c. The reason for the LV request in step c is that we need to obtain the returned LV value (weight) for this location estimate to compute the weighted average in step e. However, based on our simulation results, the performance penalty of deleting step b is small as the weighted aver age is a very robust estimator for this case. Hence, for situations where one is interested in minimizing the number of LV requests and willing to accept a small performance penalty, deleting step b is a valuable choice. 6.3.2 LVFEED for SILENETs In SILENETs, the node will be able to obt ain an initial location estimate and cannot obtain any further estimation. Hence, the node must try to improve its estimation based solely on the LV feedback. We will describe a general strategy for CLV schemes and then we will describe modifications necessary for DLV scheme s and for networks with discrete localization PAGE 117 117 later in this section. To motivate the sche me, observe that the maximum improvement can happen if each node knows its deviati on distance from its actual locationjd as well as the deviation angle (or direction)devj, In such case, each node would be able to determine its actual location in one iteration (by correcting its location byjdin the direction ofdevj, .) However, such a situation is far from being practical. We propos e the algorithm shown in Figure 65. We refer to our algorithm as P robe D irection U niformly and C orrect A lways using O ptimal S tep PDUCAOS. Now, the only thing that we know is the general distribution of the error. Therefore, instead of having individual values forjd, we will determine, for each algorithm iteration, a single correction distance k for all nodes and then each node will correct its location by step k in an optimal direction. The PDUCAOS algor ithm has two important components: optimal correction distance determination and correction angle determination. Based on the error model, the deviation angle distribution is uniform. Therefore, there is no need for a joint correction distance/direction optimization here since, all directions are eq ually likely and hence no single direction (for all nodes) will give any advantage. It is more advantageous that each node determine its best correcti on direction independently. 6.3.2.1 Correction angle j ~ estimation Since the deviation angle distri bution is uniform, the best st rategy for each individual node is to pick randomly an angle from the range )2,0( and corrects its location by the optimal distance in that direction and note the weight returned by the CLV scheme. If that value corresponds to the required accuracy requirement, th e node needs not to proceed any further. If not, the node makes another request and again re cords the LV value returned. This continues PAGE 118 118 until the maximum test angles number Nis reached. The node then estimates its deviation angle to be the weighted average of the angles with highest two LV values. In this section, we also seek a correction distance k that maximizesk the number of nodes that pass the network accuracy requirement in the kth iteration. Here, we assume that, in the kth iteration, the nodes will corr ect their location estimates by a distance k in the direction of the deviation angle (assuming perf ect estimation of deviation angles.) 6.3.2.2 Deviation distance From the error model, the deviation distance is Rayleigh distributed. However, we cannot use this distribution for our optimization since some nodes will have a small deviation distance and as a result, they will be satisfying the network accuracy requirement. Therefore, we need to consider the deviation dist ances that are greater than The required distribution is that of truncated Rayleigh distri bution (distribution of r given that r ) which can be easily shown to be rU r r rft2 22 2 02 exp)(, (6.2) where )(rUis the unit step function. The subscript indicates the iteration number (initial iteration) and superscript refers to the truncated nature of the distribution. Next, we need to determine how the distribution will change when nodes make correction in the optimal direction. If each of these nodes makes correction in the optimal direction by a distance then its new deviation distance will bed As a result the distribution of deviation distance after this correction is equivalent to distribution of 'rr where the distribution of r is as given above, i.e. )()();(0 0 0rpfrfrft t s. (6.3) PAGE 119 119 6.3.2.3 Optimal correction distance The optimal initial correction distance 0 is the value of that maximizes the probability that the deviation distance is between 0 and that is drrfs 0 0 0);(maxarg. (6.4) Now, after the nodes make the correction, some nodes will be close enough to their actual location and hence will meet the network accu racy requirement. We remove these from consideration when we compute the optimal correc tion step for the next iteration. So, essentially we will have to go over the same steps just described: truncating the distribution from the previous iteration and then shifting it. Mathem atically, the set of recursive equations is: and the optimal correction step in the kth iteration is given by drrfs k k 0);(maxarg. (6.7) 6.3.2.4 Modifications for DLVbased schemes Here, we present the necessary modification to use the scheme described in Figure 65 with a DLV scheme instead of CLV. The major problem with using DLV is that it does not provide any clue about the quali ty of the estimate; it only re turns pass if the node has the 0 1 11)(1 )();( )(drrf rUrf rfs k k s k t k, (6.5) )()();(rfrfrft k t k s k (6.6) PAGE 120 120 required network accuracy requirement. Therefore, the node is not able to infer any information about the optimal correction direction and the be st it can do is try as many angles as possible before moving to the next iteration in which the node will repeats the same process but with different values of k In other words, the iteration fo r this case consists of steps b and c of the algorithm in Figure 65 with the modification of L4 to check if the LV returned value is pass. Another modification is that the values of k need to be computed differently because if the node did not pass the LV check, it cannot make an adjustment since it has no information about the optimal correction angle. Therefore, nodes that fail LV check must not modify their locations. This necessitates that the expression for truncated distribution given in Eq. 65 be replaced with following expression: This expression can be easily obtained by obser ving that in the (k1)t h iteration, the nodes that pass verification are those whos e deviation distances are between 1kand 1k. Therefore, these distances are excluded in the next iteration computation. Notice here that Eq. 6.6 and Eq. 6.7 still hold for this case. We refe r to this modified version of the PDUCAOS algorithm as P robe D irection U niformly and C orrect o n P ass using O ptimal S tep PDUCoPOS. 6.3.2.5 Modifications for networks with discrete localization By the nature of DL scheme, each node will be able to obtain a single estimate (i.e. closest point in the set). Hence, the schemes that we have described for SILENETs (PDUCAOS and PDUCoPOS) apply to networks with discrete localization scheme as well but we need to use the appropriate pdf of deviation distance wh ich can be easily obtained by differentiating Eq. 1 1)(1 ) () (1)( )(1 1 1 1k kdrrf rU rUrf rft k k k t k t k (6.8) PAGE 121 121 5.10 (Table 5.1). This can then be used to obtai n the initial truncated di stribution which can be shown: rU ab ab r ab rNPL rfNPL NPL t 2 1 2 01 1 2 )(, (6.9) An objection that may be raised here is that the distribution of deviation angle may not be uniform as in previous cases and hence some modification for the algorithm is necessary. However, we will show in the next section that, ev en if the distribution of deviation angle is not uniform, our PDUCAOS and PDUCoPOS algorithm can perform very well. 6.3.3 Impact of Angular Bias So far, we describe algorithms for MILENETs and SILENETs with both DLV and CLV feedback schemes. However, all the schemes described implicitly (through localization error model) handle the uniform distribution of deviation angle. In this section, we discuss the necessary modifications to the algorithms proposed when the dist ribution of the deviation angle is not uniform and exhibits some bias towards so me direction. Within the proposed error model, this can happen as a result of one or more of the following: the localization error means are not zeros, the localization er ror components are correlated, or/and the localization error components have different standard deviation. If the localization error means x and y are not zeros, then a simple preprocessing step of subtracting the me ans from the location estimate obtained from the localization service ) () (yjxj jjyxyx is sufficient to brought us back to our original problem. If the localization error components are correlated or have different standard deviation, then schemes for the MILENETs still ap plicable without an y modification. PAGE 122 122 Now, we shall show that our proposed stra tegies for SILENET will perform well with little modification in the presence of radial bias. An approach to deal with radial bias that suggests itself here is to pick, at each kth iteration, a common correction step and angle ),(kk that maximizes the number of nodes that pass verification. More precisely, suppose that truncated joint pdf of deviation distance and deviation angle in the kth iteration is given by ),(rft k and let )),(;,(rfs kdenote the resultant distributi on after each node corrects its location by steps in the direction Then, the common correction step and angle should be picked as follows: drd rfs k kk)),(;,(maxarg),(2 00 ),(. (6.10) We refer to this strategy in which all the nodes correct using the o ptimal j oint c orrection s tep and a ngle ),(kk as OJCSA Now, suppose that the jth node passes the LV after updating its location using the optimal joint correction step and angle),(kk Then, it must be the case that jk jd d. Therefore, if the jth node corrects by a distancek in the direction devj instead of correcting in the directionk it will also pass the LV. He nce, the strategy where each node corrects by k steps in its optimal direction is at le ast as good as the strategy where all the nodes correct with a common step and angle),(kk Under the assumption that each node knows its optimal direction; we can further increa se the number of nodes that pass the LV in the kth step by directly computing the optimal step size using Eq. 6.7 but, of course, with the right deviation distance distribution )( rf. Since )( rf can be found from the joint distribution of deviation distance and deviation angle ),( rfby averaging out the deviation angle, then a reasonable way to estimate the deviation angle is to uniformly test differe nt direction as we had PAGE 123 123 done previously. For example, if the zeromean error components have different standard deviation (which causes angular bias), say x andy then the algorithm in Figure 65 (or the DLVbased version of it if the netw ork has DLV) can be executed but )( rf should be [49]: 22 222 0 22 2224 )( 4 )( exp )(yx yx yx yx yxr I r r rf (6.11) where )(0yIis the 0th order modified Bessel function of the first kind. As we just mentioned, our strategies for SILENETs will perform well as long as we use the right distribution of deviation distance and ha ve a reasonable estimation of angle (e.g. have enough test angles). A question of interest here, if we have poor estimation of angle (say, we have less than 3 test angles), then OJCSA w ill probably perform better but should nodes correct always (CAOJMSA) or should they correct on pass (CoPOJMSA) when we are using DLVbased scheme? A little deliberation will reveal th at both of these strategies will have the same performance. To see this, observe first that the initial optimal correction for both strategies is the same as the optimization is carried out on the exact same initial dist ribution of deviation distance. Now, consider an arbitrary node at),( yx. If this node passes, then it will not affect subsequent calculations of optimal correction step and angle. Th erefore, assume that the node fails the LV. Assume that the optimal correction step s in kth iteration, in Cartesian coordinates, are),(ca k ca kyx and ),(cop k cop kyxfor the CAOJMSA and CoPOJMSA schemes, respectively. Then, if the node uses the CAOJMSA strategy, th en its first location estimate will be ) ~ ~ () ~ ~ (0000 11 ca ca cacayyxxyx while its location estimate using CoPOJMSA will be ) ~ ~ () ~ ~ (00 11yxyxcopcopas it will not make any move since it fa ils the LV. In the second iteration, the node will have an estimated location ) ~ ~ () ~ ~ (1111 22 cacacaca cacayyxxyx using CAOJMSA. If the node passes the LV step, then one can easily fi nd a move step using the CoPOJMSA strategy PAGE 124 124 that will also result in the node passing the LV step; namely ),(),(1010 11 cacacaca copcopyxxxyx This shows that every node that passes LV usi ng CAOJMSA will pass using CoPOJMSA with equivalent step),(11 copcopyx. Now, we will show that there is no other node that will pass using CoPOJMSA with step),(11 copcopyx. Toward that, suppose there is a node at ),(yxthat passes using CoPOJMSA but not with CAOJMSA. Then, this node estimated location at the second iteration must be ) ~ ~ () ~ ~ (1010 22 cop cop cop copyyxxyx but this the same as if this node moves by ),(00 cacayxin the first iteration, and then move by),(11 cacayx, i.e. the node could pass if it followed the CAOJMSA strategy, which contradicters our assumption. Therefore, the same number nodes will pass using both strategies by the end of second iteration. Observe that the step ),(11 copcopyx is optimal for CoPOJMSA for if this were not the case, then we would be able to find an optimal step),(* 1 1 cop copyx. However, this would mean that there is a step ),(),(0 10 1 1 1 ca copca cop cacayyxxyx for CAOJSMA that would result in larger number of nodes passi ng the LV step than if the nodes move by ),(11 cacayxbut this contradicts the fact that ),(11 cacayxis optimal. This establishes the result. Now, it is easy to see, th rough induction, that the two strate gies are equivalent at the kth iteration and their optimal co rrection steps are related by),(),(1 1 k j ca j k j ca j cop k cop kyx yx. 6.3.4 Percentage of Node Meeting th e Network Accuracy Requirement In this section, we will derive the expression forj the percentage of nodes that will pass the network accuracy requirement in the jth iteration (this is the same as the probability of passing the LV step sincenet LV ). We first start with the DLVbased scheme for the MILENET. For convenience, let 2 2)1(j jdjr where jdis the deviation distance as defined in Section 6.2.1. Since, for the initial iteration 2 0 2 0 2 00 drand the variables0 and0 are zeromean PAGE 125 125 independent Gaussians, then 0ris chisquare distributed variab le with two degrees of freedom and hence its pdf is: 2 0 2 02 exp 2 1 )(0r rfR. (6.12) If the node did not pass verification, the node will obtain a new estimate ) (11yx from the localization service and pr oduce its own new estimate) ~ ~ (11yx. In this case, 2 10 2 101 r, and for a given value of ),(00 1rfollows the noncentral chisquare pdf with two degrees of freedo m and noncentrality parameter 0r Due to the angular symmetry of the problem, the values ),(00 are not important in dete rmining the distribution of1r; only the radial distance between ),(00 and the actual location of the node (i.e.0r) is essential for the computation of the distribution of1r. As result, we have: 2 10 0 2 10 2 012 )( exp 2 1 )(1 rr I rr rrfR. (6.13) Continuing this line of reasoning, we see that in the jth iteration, we have 2 1 2 1)()(jj jjjr (6.14) where 1 0 1j k k jand 1 0 1j k k j. Again because of the angular symmetry, the distribution ofjrdepends only the radial distance between ),(11 jj and the actual location of the node 1 jr. Consequently, )(),,...,(1 011 jjR jjRrrfrrrrfj j. By a similar argument to that used to derive Eq. 6.13, we see that PAGE 126 126 2 )( exp 2 1 )(),,...,(2 1 0 2 1 2 1 011 jj jj jjR jjRrr I rr rrfrrrrfj j (6.15) Using Eqs. 6.12 and 6.15, the joint pdf of sRj'is given by: j k kk kk j jjRRRrr I rr r rrr fjj1 2 1 0 2 1 2 0 12 01 ,...,,2 exp 2 exp )2( 1 ),...,,(01 (for consistency, we define 1)(0 1 kkf) (6.16) Now, to computej the probability that a node will meet the network accuracy requirement in the jth iterati on, observe that the node must have failed verification in all previous iterations; i.e. kdfor1...,,1,0 jk. In terms ofsrk', this condition is translated into 22)1( krkfor1...,,1,0 jk. If the node is to pass verification in the jth iteration, we must have jdor equivalently; 22)1( jrj. As a result, the value of j is given by 22 22 01 22)1( 0 4 1001 ...,,,...)...,,,( j j jjRRR j jdrdrdrrrrfjj (6.17) The derivation of a similar expression for the CLVbased feedback for MILENET is not possible since we do not know any information about the distribution of the values (or weights) returned by the CLV scheme. For the SILENETs schemes, the optimal value for j is given by drrfj s jj 0);( (6.18) where );(j s jrfand j are as given by Eqs. 6.6 and 6.7 respectively. The last equation gives an upper bound for j for SILENETs. Observe that the actual value of j will depend on how well PAGE 127 127 each node estimate the deviation angle. For good estim ation of deviation angle, Eq. 6.18 gives a very good approximation. 6.4 Numerical Results In this section, we present our simulation results for the various schemes presented in this chapter. For our simulation, we distributed 10,000 nodes uniformly in a 200x200 rectangular network. For CLV schemes, we took the returned LV value (weight) as the reciprocal of the deviation distance. The results shown here are th e averages of 15 simulation runs. In general, all the schemes result in improved localization accuracy with schemes that are CLVbased performing better than those that are based on DLV. The result for the performance of the propos ed schemes for the MILENET is shown in Figure 66 (a) and (b). Observe that, for both the DLV and CLV ba sed schemes, the percentage of nodes reach close to 100% for sm all localization e rror (i.e. small ). Moreover, the performance advantage of the CLVbased scheme over the DLVbased one is also evident in the figure. For example, by the end of the 8th iteration, 50% of nodes using DLV for MILE meet network accuracy requirement while the percentage is close to 80% for the CLVbased scheme for MILE for 4 (i.e. large localization error). This observation is also true at any iteration. This behavior agrees with intuition since CLV schemes provide better feedback, i.e., a value that indicates how close the location estimate to the actual location as opposed to the pass/fail signal provided by DLV. The performance result for the proposed scheme s for the SILENET is shown in Figure 66 (c) and (d). Again, as in schemes for the MI LENET, the CLVbased scheme for SILENET is performing much better than the DLVbased one We observe also that for SILENETs, the performance is lower that for MILENETs since the nodes have to work with a single location estimate and improve on it. The performance can be enhanced by increasing the number of test PAGE 128 128 angles Nthat node can try before it makes its location adjustment. For example, in Figure 66 (c) and for4 we observe that by the end of the 8th iteration, about 10 % of nodes meet the network accuracy requirement if we use one test angle. The percentage increases to 30% if we use five test angles. Of course with perfect angle estimation (as with infinite number of test angle), these schemes reach 100% afte r few iterations. Observe that for N, the best strategy for the nodes is to always update their location estimates since that wi ll results in a better estimates. In other words, there is no differe nce between DLVbased and CLVbased schemes with perfect deviation an gle estimation (and hence the performance curves are the same for these two schemes for N). The results for networks with discrete loca lization are shown in Figure 67. Here, we notice that the improvement is much lower fo r the DLVbased scheme compared to the CLVbased scheme. This is because the small number of permissible location (NPL) and relatively poor feedback information that nodes received us ing the DLVbased scheme. Observe here also that not all nodes will be able to pass the LV even with perfect angle estimation and infinite number of iteration if the value of NPL is sm all. This is because there may be no nearby permissible location that is within a distance of the node. Notice that the curve for perfect angle estimation (N) is the same for both DLVbased and CLVbased scheme as we have discuss before (which we omitted in Figure 67 (a) and (b) to improve the readability of the data since its addition will push the three curre ntly shown curves cl ose to each other). The simulation results for the SILENET when the standard deviation of the x and ylocalization error components are different (i.e. when there is a ngular bias) is shown in Figure 68. Here, we are using the same algorithm as the ordinary SILENET with modification described in Section 6.3.3. We also included fo r comparison reasons the results for using the CA PAGE 129 129 and CoP versions of optimal joint correction step and angle (OJCSA). As we have shown, these essentially performing equally and there is no ad vantage of each one over the other (and hence we will simply refer to them as OJCSA). It is clear that our proposed algorithm PDUCoPOS is performing well even in the pres ence of angular bias. Moreov er, the modified PDUCoPOS algorithm can outperform the OJCSA easily if use fe w test angles (about 3). This is very clear especially with CLVbased feedback since it result s in a better estimation of correction angle. It also evident, that with perfect deviation angle estimation, the PDUCoPOS has a large performance advantage over the OJCSA. For example, with 2 x andy =5, the 5 is close to 1 for the PDUCoPOS while it is about 0.25 for the OJCSA. 6.5 Summary In this chapter, we studied how the location ve rification results can be exploited to improve the localization accuracy. We have presented several schemes to improve the localization accuracy based on location verifica tion feedback. We analyzed thes e algorithms analytically and through simulation. The results show that a significant improvement in th e localization accuracy can be achieved in few iterations. Also, CLV based schemes perform better than DLV based schemes since the former provide better f eedback signals for nodes. For SILENETs, the improvement can be enhanced by increasing the accuracy of move angle estimation. PAGE 130 130 jd ),( yxdev j ) ~ ~ (jjyx ) ~ ~ (11 jjyx j ~ j Figure 61. Illustra tion of some notions used in this chapter. Stop Adjust the Location Estimate Figure 62. An overview of LV based feedb ack approach to improve localization accuracy. PAGE 131 131 Do until max. number of iterations is reached or the LV result is pass: Obtain a new loc. Estimate ) (jjyx Compute the following loc. estimator 1 1 ) ~ ~ (0 0j y j x yxj k k j k k jj jth iteration Request LV with ) ~ ~ (jjyx Figure 63. DLVFEED for MILENETs. Do until max. number of iterations is reached or LV result is pass: Obtain a new loc. Estimate ) (jjyx Compute the following loc. estimator 1 1 ) ~ ~ (0 0j y j x yxj k k j k k jj Request LV with ) ~ ~ (jjyx, If pass, stop Else Request LV with) (jjyx, notejw. If pass, stop Else Compute the following loc. estimator j k k j k kk j k k j k kk jjw yw w xw yx0 0 0 0 ) ~ ~ ( jth iteration Request LV with ) ~ ~ (jjyx Figure 64. CLVFEED for MILENETs. PAGE 132 132 a Initialization: )1,0(),( iihhw b Compute k For Ni:1 L1 Generate )1,0(2,randik L2 Compute )sin ,cos () ~ ~ (, ,, ikkestikkest ikiky xyx L3 Request LV with ) (,, ikikyx c L4 If LV returned value w correspond to pass, stop Else if w> ),max(21hhww, replace min. of 1hw and 2hwwith wand the corresponding angle withik d Set )/( ~ 212211 hhhhhhkwwww e Compute ) ~ sin ~ cos () ~ ~ (kkestkkest kky xyx f Request LV with ) ~ ~ (kkyx Figure 65. One iteration of the CLVFEED for SILENETs PDUCAOS algorithm. PAGE 133 133 Figure 66. Percentage of nodes me eting the network accuracy requirement k at the kth iteration for MILENETs and SILENETs ( : localization error standard deviation andN: number of test angles.) 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk =1 =2 =3 =4 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk =1 =2 =3 =4 (a) DLVbased feedback (MILENETs) (b) CLVbased feedback (MILENETs) 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk =2, N=1 =2, N=3 =2, N=5 =2, N= =4, N=1 =4, N=3 =4, N=5 =4, N= 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk =2, N=1 =2, N=3 =2, N=5 =2, N= =4, N=1 =4, N=3 =4, N=5 =4, N= (c) DLVbased feedback (SILENETs) (d) CLVbased feedback (SILENETs) PAGE 134 134 Figure 67. Percentage of nodes me eting the network accuracy requirement k at the kth iteration for networks with discrete localization (N: number of test angles.) 0 1 2 3 4 5 6 7 8 0 0.02 0.04 0.06 0.08 0.1 0.12 0.14 Iteration, kk N=1 N=3 N=5 0 1 2 3 4 5 6 7 8 0 0.02 0.04 0.06 0.08 0.1 0.12 0.14 0.16 0.18 Iteration, kk N=1 N=3 N=5 (a) NPL=80 (DLVbased) (b) NPL=120 (DLVbased) 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk N=1 N=3 N=5 N= 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk N=1 N=3 N=5 N= (c) NPL=80 (CLVbased) (d) NPL=120 (CLVbased) PAGE 135 135 Figure 68. Percentage of nodes me eting the network accuracy requirement k at the kth iteration for SILENET when the x and ylocalization error components have different standard deviation (N: number of test angles.) 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk N=1 N=3 N=5 N= CAOJCSA CoPOJCSA 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk N=1 N=3 N=5 N= CAOJCSA CoPOJCSA (a) DLVbased feedback (3,2 y x ) (b) DLVbased feedback (5,2 y x ) 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk OJCSA N=1 N=3 N=5 N= 0 1 2 3 4 5 6 7 8 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Iteration, kk OJCSA N=1 N=3 N=5 N= (c) CLVbased feedback (3,2 y x ) (d) CLVbased feedback (5,2 y x ) PAGE 136 136 CHAPTER 7 SUMMARY AND DIRECTIONS FOR FUTURE WORK 7.1 Summary Location verification is promising approach to enhance the security of localization schemes as well as the overall security of the network. The Location verification problem deals with validating the location claim of a node. Lo cation verification can be combined with a localization scheme to create hybri d localization scheme that is more secure and robust against attacks. In this dissertation, various aspects of the location verifica tion problem have been studied. This work starts by introducing the problem and relevant background in Chapter 1 and Chapter 2, respectively. Following that, a loca tion verification protoc ol, called CORVA, is proposed in Chapter 3. In CORVA, verifier nodes vary their communication range to triangulate the position of a claimant node. We have analyz ed the coverage charac teristics of the CORVA protocol and perform a security analysis. Moreov er, the performance of the protocol has been considered under various practical conditions: energy consump tion, inhomogeneous communication range, and physical channel impairments. Chapter 4 introduces a contentionbased scheme to schedule the verification service. The results show that a high number of requests can be fulfilled with a reasonable response delay. Moreover, our proposed protocol outperforms th e TDMAlike clusteringbased approach in terms of the average number of requests comple ted per node under the pract ical consideration of intercluster interference. In Chapter 5, we analyzed the problem of how the localization error impacts the performance of location verificati on schemes. This problem is hi ghlighted first by analyzing our CORVA protocol in the presence of localization error, and then, more generally, through a high PAGE 137 137 level model. Results indicate that a good locat ion verification scheme should have builtin tuneable mechanism to tolerate localizat ion error to be useful for wider use. In Chapter 6, several location verificationbased feedback (LVFEED) to improve the localization error have been in troduced. Results show that si gnificant improvement can be gained by applying these algorithms particularly for those networks where the node can obtain several independent location es timates. For networks where the nodes can obtain only a single estimate, the performance gain is slight lowe r the former network but can be improved through efficient correction angle estimation. Next, we point out few possi ble research directions. 7.2 Directions for Future Work In this section, we discuss few possible research directions that can be pursued further by capitalizing on the ideas presen ted in this dissertation: Optimal coexistence of localiz ation and location verification services: as we have shown in this dissertation, the location verification can improve localization in at least two ways: make it more secure and more accurate. Howeve r, a question of interest here is how to select the optimal number of localization servers and location verification servers to maximize both the security and accuracy aspects. To illuminate this problem further, observe that in a network with large number of verification servers, the localization accuracy, through the verification feedback a pproach, may reach a level which cannot be improved any further even by adding more local ization servers and hence such addition will not be necessary. On the other hand, if we have few verification servers, we could obtain a high level of localization accuracy by adding more localizati on servers but the low number of verification servers may result in poor security performance. This suggests that there may be an optimal number of localizat ion servers and location verification servers PAGE 138 138 that exists simultaneously in the network a nd achieve the target performance goals (e.g. more than 90% of the nodes meets the networ k accuracy requirements ability to detect 85% of location spoof ing attacks, etc.) Location verification as an intrusion detection system (IDS) tool: an IDS aims to detect any attempts to compromise the network operation through the detection of abnormal behavior for example. In networks with location verification capabilities, it would advantageous to utilize the information gathered from the verification service to detect any attacks on the network operation (particularly those targeting the locationrelated services). For example, if many nodes within certain regi on fail the location veri fication check, this may be an indication of an attack against the localization service in that region. Moreover, can such information be incorporated with other indicators to isolate the infected localization servers? Another issue of interest he re is what set of events should be used as trigger to perform location verification check or when or how frequently the LV servers should report their results to the IDS. Verification beyond location: th is would be a generalization of the idea of location verification to include the capability to verify the correctness of other parameters that are deemed to be crucial to the operation of the network and/or the application under consideration. For example, in some applicati on, it is important to associate the events of interest with their time of occurrence. Hence, time verification may be useful in such application to reject any reported data with incorrect time information. However, achieving such capability is very challenging as a malicious node can keep an accurate clock and use it whenever it need to pass any verification check but include invalid time data in its reported data to the sink. This suggests that it may be more advantageous to verify the PAGE 139 139 content of the packets in tran sit to the sink through possibly verifiers spread throughout the network. In principle, these verifiers could, for example, compare the reported time and compare it to their clock; and if the time difference is large, the time information is considered invalid. Still, this may not work well especially in ne twork where the nodes do not report their data instanta neously for example due to energy saving considerations which force the node to go to sleep for some duration of time. As a result, such a time verification scheme should have a way to tolera te such situation; and possibly the ability to adapt as situation changes. This also illu strates the challenge of implementing a more general verification servi ce in the sense it can verify more parameters. PAGE 140 140 LIST OF REFERENCES [1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "A Survey on Sensor Networks," IEEE Communications Magazine vol. 40, no. 8, Aug. 2002, pp. 102114. [2] A. Mainwaring, J. Polastre, R. Szewczyk, D. Culler, and J. Anderson, "Wireless Sensor Networks for Habitat Monitoring," Proc. WSNA 2002, Atlanta, Georgia, USA, Sept. 2002. [3] G. Simon, M. Marti, Ldeczi, G. Balogh, B. Kusy, A. Ndas, G. Pap, J. Sallai, and K. Frampton, "Sensor Networkba sed Countersniper System," Proc. SenSys 2004, Baltimore, MD, USA, Nov. 2004. [4] R. Severino and M. Alves, "Engineering a Search and Rescue Application with a Wireless Sensor Network based Localization Mechanism," Proc. IEEE WOWMOM 2007, Helsinki, Finland, June 2007, pp 14. [5] M. Mauve, J. Widmer, and H. Hartenstein, "A Survey on PositionBased Routing in Mobile Ad Hoc Networks," IEEE Network Magazine, vol. 15, no. 6, Nov./Dec. 2001, pp. 3039. [6] P. Bahl and V. N. Padmanabhan, "RADAR: An InBuilding RFbased User Location and Tracking System," Proc. IEEE INFOCOM 2000 Tel Aviv, Israel, vol. 2, Mar. 2000, pp. 77584. [7] N. B. Priyantha, A. Chakraborty, and H. Balakrishnan, "The Cricket LocationSupport System," Proc. MOBICOM 2000 Boston, Massachusetts, USA, Aug. 2000. [8] D. Niculescu and B. Nath, "Ad hoc Positioning System (APS) using AoA," Proc. IEEE INFOCOM 2003 San Francisco, USA, April 2003. [9] N. Bulusu, J. Heidemann, and D. Estrin, "GPSless Low Cost Outdoor Localization for Very Small Devices," IEEE Personal Communications Magazine vol. 7, no. 5, Oct. 2000, pp. 2834. [10] D. Niculescu and B. Nath, "DV Based Positioning in Ad hoc Networks," Kluwer Journal of Telecommunication Systems vol. 22, no. 14, Jan. 2003, pp. 267280. [11] T. He, C. Huang, B. M. Blum, J. A. Stankovic, and T. A bdelzaher, "Rangefree Localization Schemes for Larg e Scale Sensor Networks," Proc. MOBICOM 2003 San Diego, CA, USA, Sept. 2003. [12] L. Fang, W. Du, and P. Ning, "A Beac onless Location Discovery Scheme for Wireless Sensor Networks," Proc. IEEE INFOCOM 2005 Miami, USA, Mar. 2005. [13] S. Capkun and J.P. Hubaux, "Secure Pos itioning of Wireless Devices with Application to Sensor Networks," Proc. IEEE INFOCOM 2005 Miami, USA, Mar. 2005. PAGE 141 141 [14] L. Lazos and R. Poovendran, "SeRLoc: Secure RangeIndependent Localization for Wireless Sensor Networks," Proc. ACM WiSe 2004 Philadelphia, PA, Oct. 2004. [15] Z. Li, W. Trappe, Y. Zhang, and B. Nath, "Robust Statistical Methods for Securing Wireless Localization in Sensor Networks," Proc. IPSN 2005, Los Angeles, CA, April 2005. [16] D. Liu, P. Ning, and W. Du, "AttackResis tant Location Estimation in Sensor Networks," Proc. IPSN 2005, Los Angeles, CA, USA, April 2005. [17] W. Du, L. Fang, and P. Ning, "LAD: Localization Anomaly Detection for Wireless Sensor Networks," Proc. IPDPS'05, Denver, Colorado, USA, April 2005. [18] S. Capkun, M. Cagalj, and M. Srivastava, "Secure Localization with Hidden and Mobile Base Stations," Proc. INFOCOM 2006 Barcelona, Spain, April 2006. [19] A. Savvides, W. L. Garber, R. L. Moses, and M. B. Srivastava, "An Analysis of Error Inducing Parameters in Multihop Sensor Node Localization," IEEE Trans. on Mobile Computing, vol. 4, no. 6, Nov.Dec. 2005, pp. 567577. [20] J.C. Kuo and W. Liao, "Estimation Errors of HopCount Based Localization in Wireless Sensor Networks," Proc. IEEE GLOBECOM '06 San Francisco, California, USA, Nov.Dec. 2006. [21] D. Niculescu and B. Nath, "Error Characteristics of Ad Hoc Positioning Systems," Proc. MOBIHOC 2004, Tokyo, Japan, May 2004. [22] K. Seada, A. Helmy, and R. Govindan, "On the Effect of Localization Errors on Geographic Face Routing in Sensor Networks," Proc. IPSN 2004, Berkeley, California, USA, April 2004. [23] N. Sastry, U. Shankar, and D. Wagner, "Secure Verification of Location Claims," Proc. ACM WiSe 2003 San Diego, CA, USA, Sept. 2003. [24] L. Lazos, R. Poovendran, and S. Capkun, "ROPE: Robust Position Estimation in Wireless Sensor Networks," Proc. IPSN 2005 Los Angeles, CA, USA, April 2005. [25] E. Ekici, J. McNair, and D. AlAbri, "A Probabilistic Approach to Location Verification in Wireless Sensor Networks," Proc. IEEE ICC 2006 Istanbul, Turkey, May 2006. [26] S. Vural and E. Ekici, "Analysis of HopDistance Relationship in Spatially Random Sensor Networks," Proc. ACM MobiHoc 2005 UrbanaChampaign, IL, USA, May 2005. PAGE 142 142 [27] A. Vora and M. Nesterenko, "Secure Location Verification Us ing Radio Broadcast," IEEE Trans. on Dependable and Secure Computing, vol. 3, no. 4, Oct.Dec. 2006, pp. 377385. [28] D. Singelee and B. Preneel, "Location Verification using Secure Distance Bounding Protocols," Proc. IEEE MASS 2005, Washington, DC, Nov. 2005. [29] Y. Wei, Z. Yu, and Y. Guan, "Location Verification Algorithms for Wireless Sensor Networks," Proc. ICDCS07, Toronto, Ontario, Canada, June 2007. [30] H. Liu, X. Jia, P.J. Wan, C.W. Yi, S. K. Makki, and N. Pissinou, "Maximizing Lifetime of Sensor Surveillance Systems," IEEE/ACM Trans. on Networking vol. 15, no. 2, April 2007, pp. 334 345. [31] G. Lu, N. Sadagopan, B. Krishnamachari, and A. Goel, "Delay Efficient Sleep Scheduling in Wireless Sensor Networks," Proc. IEEE INFOCOM 2005 Miami, USA, Mar. 2005. [32] Y. Wang and I. Henning, "A Determinis tic Distributed TDMA Scheduling Algorithm for Wireless Sensor Networks," Proc. WiCom 2007 Shanghai, China, Sept. 2007. [33] H. Liu, P. Wan, and X. Jia, "Maxim al Lifetime Scheduling for Sensor Surveillance Systems with K Sensors to One Target," IEEE Trans. on Parallel and Distributed Systems, vol. 17, no. 12, Dec. 2006 pp. 1526 1536. [34] S. Mishra and A. Nasipuri, "An Adaptiv e Low Power Reservation based MAC Protocol for Wireless Sensor Networks," Proc IEEE IPCCC 2004 Phoenix, Arizona, April 2004. [35] N. Aslam, W. Robertson, S. C. Sivaku mar, and W. Phillips, "Reservation based Medium Access Control Protocol for Wireless Sensor Networks," Proc. IEEE CCNC 2006 Las Vegas, Nevada, USA, Jan. 2006. [36] S. Yessad, F. NaitAbdesselam, T. Ta leb, and B. Bensaou, "RMAC: Reservation Medium Access Control Protocol for Wireless Sensor Networks," Proc. IEEE LCN 2007, Dublin, Ireland, Oct. 2007. [37] IEEE Standard2003, "Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for LowRate Wireless Personal Area Networks (LRWPANs)," 2003. [38] J. Newsome, E. Shi, D. Song, and A. Pe rrig, "The Sybil Attack in Sensor Networks: Analysis & Defenses," Proc. IPSN 2004 Berkeley, California, USA, April 2004. [39] F. Anjum, S. Pandey, and P. Agrawal, "Secure Localization in Sensor Networks using Transmission Range Variation," Proc. IEEE MASS05, Washington, DC, USA, Nov. 2005. PAGE 143 143 [40] H. Chan, A. Perrig, and D. Song, "Ra ndom Key Predistribution Schemes for Sensor Networks," Proc. IEEE Symposium on Security and Privacy 2003 Oakland, California, USA, May 2003. [41] N. Balakrishnan and C. R. Rao, "Order Statistics: An Introduction," in Handbook of Statistics 1st ed., vol. 16, N. Balakrishnan and C. R. Rao, Eds. Amsterdam, The Netherland: Elsevier Scie nce B. V., 1998, pp. 324. [42] Pervasa Inc. (2007, July), Atlas WiF i Communication Module. [Online]. Available: http://www.pervasa.com/store/ca talog/im ages/00ACMWF.pdf [43] T. S. Rappaport, Wireless Communications: Principles and Practice, 2nd ed., PrenticeHall, 2002. [44] H. Suzuki, "A Statistical M odel for Urban Radio Propagation," IEEE Trans. on Communications vol. COM25, no. 7, July 1977, pp. 673680. [45] L. A. Goldberg and P. D. MacKenzie, "Analysis of Practical Backoff Protocols for Contention Resolution with Multiple Servers," Journal of Computer and System Sciences vol. 58, no. 1, Feb. 1999, pp. 232258. [46] ANSI/IEEE Std 802.111999, "Part 11: Wire less LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999. [47] A. Savvides, C.C. Han, and M. B. Stri vastava, "Dynamic Fineg rained Localization in AdHoc Networks of Sensors," Proc. MOBICOM 2007 Rome, Italy, Sept. 2001. [48] D. AlAbri, J. McNair, and E. Ekici, "Location Verification us ing Communication Range Variation for Wireless Sensor Networks," Proc. IEEE MILCOM06, Washington, DC, Oct. 2006. [49] H. Weil, "The Distribution of Radial Error," The Annals of Mathematical Statistics vol. 25, no. 1, Mar. 1954, pp. 168170. PAGE 144 144 BIOGRAPHICAL SKETCH Dawood AlAbri received a bachelor of electrical and electronics en gineering from Sultan Qaboos University, Oman in 1999, M.S., and Ph.D. both in electrical and computer engineering from University of Florida in 2002 and 2008, re spectively. His research focuses on wireless sensor network. 