Secure Neighbor Position Discovery in VANETs
Marco Fiore, Claudio Casetti, Carla Fabiana Chiasserini, Panagiotis Papadimitratos
arXiv [cs.CR], Jun
M. Fiore, C. Casetti, C.-F. Chiasserini, and P. Papadimitratos
Abstract—Many significant functionalities of vehicular ad hoc networks (VANETs) require that nodes have knowledge of the positions of other vehicles, and notably of those within communication range. However, adversarial nodes could provide false position information or disrupt the acquisition of such information. Thus, in VANETs, the discovery of neighbor positions should be performed in a secure manner. In spite of a multitude of security protocols in the literature, there is no secure discovery protocol for neighbor positions. We address this problem in our paper: we design a distributed protocol that relies solely on information exchange among one-hop neighbors, we analyze its security properties in presence of one or multiple (independent or colluding) adversaries, and we evaluate its performance in a VANET environment using realistic mobility traces. We show that our protocol can be highly effective in detecting falsified position information, while maintaining a low rate of false positive detections.

Index Terms: Vehicular ad hoc networks, neighbor position discovery, security in vehicular networks.
I. INTRODUCTION
VANETs are envisioned to enable a range of applications, spanning from enhanced transportation safety and efficiency to mobile infotainment, while security and privacy enhancing technologies have been broadly accepted as prerequisites for the deployment of such systems. A number of on-going efforts have yielded a multitude of proposed schemes, including coordinated efforts such as those of the IEEE 1609 working group, the Car-to-Car Communication Consortium, the CAMP/VSC-2 project, and the SeVeCom project, which produced a full-fledged security architecture for vehicle-to-vehicle and vehicle-to-infrastructure communications.

Many aspects of security and privacy have already been addressed (e.g., in [1]–[3]) but no solution has yet been proposed for the secure discovery of the position of other nodes, in particular those within direct communication range. This is an important problem because vehicular nodes are location-aware, and location information is embedded in many VANET messages to support various applications; transportation safety and geographical forwarding (or GeoCast) are characteristic examples, while traffic monitoring and management, as well as access to location-based services are also closely related. In all such cases, nodes are required to reliably identify neighboring nodes and determine their positions. Nonetheless, adversarial or faulty nodes can falsify or alter such information, resulting in the disruption of system operations.

Secure discovery of the positions of neighbors cannot be achieved by any of the solutions in the literature. Secure localization techniques, which allow a reliable determination of own location, are a building block but not the solution to the problem at hand. Simply put, the reason is that an adversary could advertise a false position in any discovery protocol. The presence of trusted nodes would make the problem easier to solve: road-side infrastructure or trustworthy specialized vehicles could help to securely localize other vehicles.
In such case, techniques in the literature, designed for mobile ad-hoc networks, could be employed. However, this approach has severe limitations when applied to vehicular environments: the presence of road-side infrastructure is envisioned to be rather sparse and the presence of trustworthy nodes cannot be guaranteed at all times, whereas position discovery is needed at any time and location among any two or more vehicles.

To address this problem, we propose our Secure Neighbor Position Discovery (SNPD) protocol, which enables any node (i) to discover the position of its neighbors on-demand and in real-time; and (ii) to detect and discard faulty positions and, thus, ignore their originators. SNPD therefore allows any vehicular node to autonomously obtain a set of verified neighbor positions, leveraging the contributions of its peers to weed out wrong-doers, without any prior assumption about their trustworthiness.

In the rest of the paper, we first discuss related work and introduce the system and adversary model we adopt, then we describe our SNPD protocol in detail. A security analysis of SNPD follows, along with a performance evaluation based on realistic vehicular mobility traces.

II. RELATED WORK
Secure neighbor position discovery for vehicular environments is, to the best of our knowledge, an open problem. Nevertheless, it relates to a number of other problems that have instead been addressed before, as discussed next. We emphasize that our SNPD protocol is compatible with state-of-the-art security architectures for vehicular networks, including those proposed by IEEE 1609.2 [4] and SeVeCom [5].
Securing own location and time information is orthogonal to our problem, as adversaries can acquire their own locations in a reliable manner, but then advertise false positions to their neighbors. Own positioning and time synchronization is thus a building block for SNPD, as it is for secure vehicular networking. In vehicular environments, self-localization is mainly achieved through Global Navigation Satellite Systems, e.g., GPS, whose security can be provided by cryptographic and non-cryptographic defense mechanisms [6]; alternatively, other terrestrial special-purpose infrastructure (beacons) could be used [7], along with techniques to deal with non-honest beacons [8]. In the rest of this paper, we assume that devices can determine securely their own position and time reference.
Secure neighbor discovery (SND), that is, the discovery of directly reachable nodes (communicating neighbors) or nodes within a distance (physical neighbors) [9], is only a step towards the solution we are after. To put it simply, an adversarial node could be securely discovered as neighbor and be indeed a neighbor (within some SND range), but it could still cheat about its position within the same range. SND is a subset of the SNPD problem, since it lets a node assess whether another node is an actual neighbor but it does not verify the location it claims to be at. Nonetheless, properties of SND protocols with proven secure solutions [10], [11], are useful in our context: as an example, signal Time of Flight-based and other distance measurements between two nodes can prevent relay attacks (i.e., malicious nodes relaying, stealthily and verbatim, messages of other correct nodes).
Neighbor position verification was investigated in the context of ad-hoc networks, with solutions relying on dedicated mobile or hidden base stations [12], or on the availability of a number of trustworthy devices [13]. Our SNPD protocol, instead, is a fully distributed solution that does not require the presence of any particular infrastructure or a-priori trusted neighbors. Also, unlike previous works, our solution targets highly mobile environments and it only assumes RF communication; indeed, non-RF communication, e.g., infra-red or ultra-sound, is unfeasible in VANETs, where non-line-of-sight conditions are frequent and car-to-car distances often are in the order of tens or hundreds of meters.

III. SYSTEM AND ADVERSARY MODEL
We consider a vehicular network whose nodes communicate over a high-bit-rate data link through an RF interface. We assume that each node knows its own location with some maximum error $\epsilon_p$, and that it shares a common time reference with the other nodes in the network: both requirements can be met by equipping vehicles with GPS receivers, already a major trend in today's car manufacturing. Also, nodes can perform Time of Flight (ToF)-based RF ranging using one message transmission, with a maximum error equal to $\epsilon_r$: as discussed in [13], [14], this is a reasonable assumption, although it requires modifications to the current off-the-shelf radio interfaces; $\epsilon_p$ and $\epsilon_r$ are assumed to be equal for all nodes.

Each node has a unique identity, and carries cryptographic keys that allow it to authenticate messages from other nodes in the network. Although there are various ways to enable authentication, here we only require that message authentication is done locally and we assume that each node $X$ holds its own pair of private and public keys, $k_X$ and $K_X$, respectively, as well as a set of one-time use keys $\{k'_X, K'_X\}$. $X$ can encrypt and decrypt data with its key(s) and the public keys of other nodes; also, it can produce digital signatures with its private key. We assume that the binding between $X$ and $K_X$ can be validated by any node, as in state-of-the-art vehicular communication architectures.

Nodes either comply with the SNPD protocol (correct) or they deviate from it (faulty or adversarial). Adversarial nodes can advertise arbitrarily erroneous positions in messages they inject, to mislead other nodes about their position.

Footnote: With the help of GPS, user synchronization, fine time granularity and a relatively precise location information is available. Currently, small-footprint and low-cost GPS receivers are commercially available, which achieve low synchronization error and low localization error.
Adversaries are external or internal, depending on whether they lack or possess the cryptographic keys and credentials of system nodes, respectively. External adversaries can only relay or replay messages without changes, or jam the communication. Internal adversaries are more powerful in that they can fully participate in the protocol execution, forging arbitrary messages with faked own positions. Recall though that each adversary can inject messages only according to the cryptographic keys it possesses; it cannot forge messages on behalf of other nodes whose keys it does not have. Another classification of adversaries that is of interest to us is between independent and colluding adversaries: the former act without knowledge of other adversaries in the neighborhood, while the latter, by far the most dangerous, coordinate their actions by exchanging information.

In this work, we focus primarily on internal adversaries with standard equipment (e.g., omnidirectional antennas, standard-compliant wireless cards, etc.). We distinguish them into (i) knowledgeable, i.e., adversaries that at any point in time know the exact positions of all their communication neighbors, and (ii) unknowledgeable, otherwise. In Section V, we will outline the threats which can be posed by both independent and colluding adversaries, and discuss possible additional threats carried out by adversaries using non-standard equipment (e.g., directional antennas).

IV. SECURE NEIGHBOR POSITION DISCOVERY PROTOCOL
The SNPD protocol we propose allows any node in the network to discover and verify the position of its communication neighbors participating in the protocol message exchange. SNPD can be initiated in a reactive manner by any node, which we refer to as the verifier. Our solution is based on a best-effort, cooperative approach that leverages information collected by neighboring nodes thanks to the broadcast nature of the wireless medium. With such information, the verifier can compute, via ToF-based ranging, distances between pairs of neighbors, and then perform a sequence of tests that allow it to classify its communication neighbors as:
• Verified, i.e., nodes the verifier deems to be at the claimed position;
• Faulty, i.e., nodes the verifier deems to have announced an incorrect position;
• Unverifiable, i.e., nodes the verifier cannot prove to be either correct or faulty, due to insufficient information on these nodes or inconclusive test outcome.

The objective of our SNPD protocol is to be robust to adversarial nodes, i.e., to correctly identify and reject false positions and ignore their originators. In other words, it is necessary to minimize false negative and false positive outcomes, i.e., adversaries with positions deemed verified and correct nodes with positions deemed faulty, as well as the number of unverifiable nodes.

We stress that the SNPD protocol only verifies the position of those neighbors with which the message exchange takes place successfully. It therefore disregards nodes for which the protocol exchange prematurely ends, e.g., due to message loss or communication neighbors that refuse to take part in the protocol. SNPD assumes that the nodes' position does not vary significantly during one protocol execution, which is realistic if we consider that a complete message exchange takes no more than a few hundreds of milliseconds.
Also, SNPD does not aim at building a consistent map of verified nodes, as every verifier autonomously tags its neighbors as verified, faulty or unverifiable.

Next, we detail the message exchange between the verifier and its communication neighbors, followed by a description of the security tests run by the verifier. Table I summarizes the notations used throughout the protocol description.
A. Message exchange
We denote by $t_X$ the time at which a node $X$ starts a broadcast transmission and by $t_{XY}$ the time at which a node $Y$ starts receiving that same transmission; $p_X$ is the current position of $X$, and $N_X$ is the current set of its communication neighbors.

Consider a verifier $S$ that initiates the SNPD protocol. The message exchange procedure is outlined in Algorithm 1 for $S$, and in Algorithm 2 for any of $S$'s communication neighbors.

The verifier starts the protocol by broadcasting a POLL whose transmission time $t_S$ is stored locally (Alg. 1, lines 2-3). Such message is anonymous, since (i) it does not contain the verifier's identity, (ii) it is transmitted employing a fresh MAC address, and (iii) it contains a public key $K'_S$ from a one-time use private/public key pair $k'_S$, $K'_S$, taken from a pool of anonymous keys which do not allow neighbors to map them onto a specific node. Including a one-time key in the POLL also ensures that the message is fresh (i.e., the key acts as a nonce).

A communication neighbor $X \in N_S$ that receives the POLL stores its reception time $t_{SX}$, and extracts a random wait interval $T_X \in [0, T_{max}]$ (Alg. 2, lines 2-5). After $T_X$ has elapsed, $X$ broadcasts a REPLY message using a fresh MAC address, and records the corresponding transmission time $t_X$ (Alg. 2, lines 6-10). The REPLY contains encrypted information for $S$, namely the signed neighbor identity, $Sig_X$, and the POLL reception time: we refer to these data as $X$'s commitment, X. The hash $h_{K'_S}$, derived from the verifier's public key, $K'_S$, is also included to bind POLL and REPLY belonging to the same message exchange.

Upon reception of a REPLY message from a communication neighbor $Y$, the verifier $S$ stores the reception time $t_{YS}$ and the commitment Y (Alg. 1, lines 4-6). A different communication neighbor of $S$, e.g., $X$, receives the REPLY message broadcast by $Y$, if $Y$ is a communication neighbor of both $S$ and $X$, i.e., $Y \in N_S \cap N_X$. In such case, $X$ too stores the reception time $t_{YX}$ and the commitment Y (Alg. 2, lines 11-13). Note that also REPLY messages are anonymous, hence a node records all commitments it receives without knowing their origin.

After a time $T_{max} + \Delta + T_{jitter}$, $S$ broadcasts a REVEAL message; $\Delta$ accounts for the propagation and contention lag of REPLY messages scheduled at time $T_{max}$, and $T_{jitter}$ is a random time added to thwart jamming efforts on this message. Through the REVEAL, the verifier $S$ (i) unveils its identity by including its signature and its public key to decrypt it, and (ii) proves to be the author of the original POLL. The latter is achieved by attaching the encrypted hash $E_{k'_S}\{h_{K'_S}\}$ (Alg. 1, lines 7-9).

Once the identity of the verifier is known, each neighbor $X$, which received $S$'s original POLL, unicasts to $S$ an encrypted and signed REPORT message containing its own position, the transmission time of its REPLY, and the list of pairs of reception times and commitments referring to the REPLY broadcasts it received (Alg. 2, lines 14-17). Commitments are included 'as they are', since only $S$ can decrypt them and match the identity of the nodes that created the commitments with the reported reception times.

B. Position verification
Once the message exchange is concluded, $S$ decrypts the received data and acquires the position of all neighbors that participated in the protocol, i.e., $\{p_X, \forall X \in N_S\}$. $S$ also knows the transmission time of its POLL and learns the transmission time of all subsequent REPLY messages, as well as the corresponding reception times recorded by the recipients of such broadcasts. Applying a ToF-based technique, $S$ can thus compute its distance from each communication neighbor, as well as the distances between pairs of communication neighbors that happen to share a link. In particular, denoting by $c$ the speed of light, we define $d_{XY} = (t_{XY} - t_X) \cdot c$, i.e., the distance that $S$ computes from the timing information it collected about the broadcast message sent by $X$. Similarly, we define $d_{YX} = (t_{YX} - t_Y) \cdot c$, i.e., the distance that $S$ computes using the information related to the broadcast by $Y$. Exploiting its knowledge, the verifier can run verification tests to fill the set $F_S$ of faulty communication neighbors, the set $V_S$ of verified nodes, and the unverifiable set $U_S$.

The first verification is carried through the Direct Symmetry (DS) test, detailed in Algorithm 3, where $|x|$ denotes the modulus of $x$ and $\|p_X - p_Y\|$ is the Euclidean distance between locations $p_X$ and $p_Y$. For direct links between the verifier and each of its communication neighbors, $S$ checks whether reciprocal ToF-derived distances are consistent (i) with each other, (ii) with the position advertised by the neighbor, and (iii) with a proximity range $R$. The proximity range $R$ upper bounds the distance at which two nodes can communicate, or, in other words, corresponds to the maximum nominal transmission range.

The first check is performed by comparing the distances $d_{SX}$ and $d_{XS}$ obtained from ranging, which shall not differ by more than twice the ranging error (Alg. 3, line 4). The second check verifies that the position advertised by the neighbor is consistent with such distances, within an error margin equal to $\epsilon_p + \epsilon_r$ (Alg. 3, line 5).
This check is trivial but fundamental, since it correlates positions to verified distances: without it, an attacker could fool the verifier by simply advertising an arbitrary position along with correct broadcast transmission and reception timings. Finally, $S$ verifies that $d_{SX}$ is not larger than $R$ (Alg. 3, line 6), and declares a neighbor as faulty if a mismatch surfaced in any of these checks. (Footnote: The latter two checks are performed on both $d_{SX}$ and $d_{XS}$, however in Algorithm 3 they are done on $d_{SX}$ only, for clarity of presentation.)

The DS test implies direct verifications that compare trusted information collected by the verifier against data advertised by each neighbor. The content of the messages received by $S$, however, allows also cross-verifications, i.e., checks on the information mutually gathered by each pair of communicating neighbors. Such checks are done in the Cross-Symmetry (CS) test, in Algorithm 4.

The CS test ignores nodes already declared as faulty by the DS test (Alg. 4, line 6) and only considers nodes that proved to be communication neighbors between each other, i.e., for which ToF-derived mutual distances are available (Alg. 4, line 7). Then, it verifies the symmetry of such distances (Alg. 4, line 9), their consistency with the positions declared by the nodes (Alg. 4, line 10), and their feasibility with respect to the proximity range (Alg. 4, line 11). For each communication neighbor $X$, a link counter $l_X$ and a mismatch counter $m_X$ are maintained. The former is incremented at every new cross-verification on $X$, and records the number of links between $X$ and other communication neighbors of $S$ (Alg. 4, line 8). The latter is incremented every time at least one of the cross-checks on distances and positions fails (Alg. 4, line 12), and identifies the potential for $X$ being faulty.

Once all neighbor pairs have been processed, a node $X$ is added to the unverifiable set $U_S$ if it shares less than two neighbors with $S$ (Alg. 4, line 17).
Indeed, in this case the information available on the node is considered to be insufficient to tag the node as verified or faulty (see Sec. V for more details). Otherwise, if $S$ and $X$ have two or more common neighbors, $X$ is declared as faulty, unverifiable, or verified, depending on the percentage of mismatches in the cross-checks it was involved in (Alg. 4, lines 18-22). More precisely, $X$ is added to $F_S$, $U_S$ or $V_S$, depending on whether the ratio of the number of mismatches to the number of checks is greater than, equal to, or less than a threshold $\delta$.

We point out that the lower the $\delta$, the fewer the failed cross-checks needed to declare a node as faulty, while the higher the $\delta$, the higher the probability of false negatives. In the following, we set δ = 0. so that a majority rule is enforced: the verifier makes a decision on the correctness of a node by relying on the opinion of the majority of shared communication neighbors. If not enough common neighbors are available to build a reliable majority, the node is unverifiable. As shown in the next section, this choice makes our SNPD protocol robust to attacks in many different situations.

The third verification, the Multilateration (ML) test, is detailed in Algorithm 5. The ML test searches the verified set determined through the DS and CS algorithms for suspicious situations, in which nodes in $V_S$ declare a high number of asymmetric links. When a suspect node is found, the ML test exploits as anchors other nodes in $V_S$, and multilaterates the actual position of the node under verification.

The ML test looks for each verified neighbor $X$ of the initiator $S$ that did not notify a link instead reported by another party $Y$ (Alg. 5, line 7). When such a node is found, it is added to a waiting set $W_S$ (Alg. 5, line 8) and a curve $L_X(S, Y)$ is computed. Such curve is the locus of points that can generate a transmission whose Time Difference of Arrival (TDoA) at $S$ and $Y$ matches that measured by the two nodes, i.e., $|t_{XS} - t_{XY}|$.
It is easy to verify that the curve is a hyperbola, which is added to the set $L_X$ (Alg. 5, line 9).

Once all couples of verified nodes have been checked, $W_S$ is filled with suspect neighbors. For each node $X$ in $W_S$, $S$ exploits the hyperbolae in $L_X$ to multilaterate the position of $X$, referred to as $p^{ML}_X$, similarly to what is done in [13] (Alg. 5, line 14). Note that $L_X$ must include at least two hyperbolae for $S$ to be able to compute the position of $X$ through multilateration, and this implies the presence of at least two shared neighbors between $S$ and $X$ (Alg. 5, line 13). The resulting position $p^{ML}_X$ is then compared against that advertised by $X$, $p_X$. If the difference exceeds a given error margin, neighbor $X$ is moved from the verified set to the faulty one (Alg. 5, lines 15-17).

V. SECURITY ANALYSIS
We analyze the security properties of the proposed scheme in presence of adversarial nodes, whose objective is to make the verifier believe that the fake positions they advertise are correct. We consider scenarios of increasing complexity: we start by discussing the basic workings of the SNPD protocol in presence of a single adversary and different shared neighborhoods; we then move to the case of multiple adversaries, at first assuming they act independently and, then, that they cooperate to perform the attack; finally, we examine the resilience of the scheme to a number of well-known attacks.
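The DS and CS tests of Sec. IV-B, run by the verifier on constructed, noise-free timings for three of the single-adversary situations analyzed in this section; this is an added example, not code from the paper. The error bounds, the range R, the threshold value 0.5 (chosen to express the majority rule), the node coordinates and all function names are assumptions, and the symmetry margin follows the text's "twice the ranging error".

```python
import math
from itertools import combinations

C = 299_792_458.0        # speed of light [m/s]
EPS_P, EPS_R = 2.0, 1.0  # assumed max positioning / ranging errors [m]
R = 250.0                # assumed proximity range [m]
DELTA = 0.5              # assumed CS threshold expressing the majority rule


def norm(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def tof(tx, rx, a, b):
    """d_ab = (t_ab - t_a) * c, from a's reported tx and b's reported rx time."""
    return (rx[(a, b)] - tx[a]) * C


def link_ok(pos, tx, rx, a, b):
    """Symmetry, position-consistency and range checks on the link a-b."""
    d_ab, d_ba = tof(tx, rx, a, b), tof(tx, rx, b, a)
    claimed = norm(pos[a], pos[b])
    return abs(d_ab - d_ba) <= 2 * EPS_R and all(
        abs(claimed - d) <= EPS_P + EPS_R and d <= R for d in (d_ab, d_ba))


def ds_test(pos, tx, rx, neighbors):
    """Direct Symmetry: neighbors whose link with the verifier S fails a check."""
    return {x for x in neighbors if not link_ok(pos, tx, rx, "S", x)}


def cs_test(pos, tx, rx, neighbors, ds_faulty):
    """Cross-Symmetry: returns the sets (F, V, U) as seen by the verifier."""
    faulty, verified, unverifiable = set(ds_faulty), set(), set()
    cand = [x for x in neighbors if x not in faulty]
    links = dict.fromkeys(cand, 0)
    mism = dict.fromkeys(cand, 0)
    for x, y in combinations(cand, 2):
        if (x, y) not in rx or (y, x) not in rx:
            continue                      # no mutual ToF data: not a shared link
        bad = not link_ok(pos, tx, rx, x, y)
        for n in (x, y):
            links[n] += 1
            mism[n] += bad
    for x in cand:
        if links[x] < 2 or mism[x] / links[x] == DELTA:
            unverifiable.add(x)           # too few links, or a tie
        elif mism[x] / links[x] > DELTA:
            faulty.add(x)
        else:
            verified.add(x)
    return faulty, verified, unverifiable


def simulate(true_pos, fake=None, tuned=()):
    """Constructed data S holds after decrypting the REPORTs (no noise).

    fake: node -> advertised (false) position; tuned: nodes that also adjust
    their reported timings toward S as in eqs. (3)-(4) of the analysis.
    """
    pos = {**true_pos, **(fake or {})}
    tx = {n: 1e-3 * i for i, n in enumerate(true_pos)}  # S polls at t = 0
    rx = {(a, b): tx[a] + norm(true_pos[a], true_pos[b]) / C
          for a in true_pos for b in true_pos
          if a != b and norm(true_pos[a], true_pos[b]) <= R}
    for m in tuned:
        shift = (norm(pos["S"], pos[m]) - norm(pos["S"], true_pos[m])) / C
        tx[m] -= shift          # eq. (3): reported REPLY transmission time
        rx[("S", m)] += shift   # eq. (4): reported POLL reception time
    return pos, tx, rx


def verify(true_pos, fake=None, tuned=()):
    pos, tx, rx = simulate(true_pos, fake, tuned)
    nbrs = [n for n in true_pos if ("S", n) in rx]
    ds_faulty = ds_test(pos, tx, rx, nbrs)
    f, v, u = cs_test(pos, tx, rx, nbrs, ds_faulty)
    return {"DS_faulty": ds_faulty, "F": f, "V": v, "U": u}


# Constructed coordinates [m]: verifier S, correct X, Y, Z, and node M,
# which is at (60, 80) but advertises (150, 50).
TRUE = {"S": (0, 0), "X": (100, 0), "Y": (0, 120), "Z": (-80, -60), "M": (60, 80)}
CLAIM = {"M": (150, 50)}

if __name__ == "__main__":
    print("false position only     :", verify(TRUE, CLAIM))
    print("timings tuned toward S  :", verify(TRUE, CLAIM, tuned=["M"]))
    print("same, no common neighbor:",
          verify({"S": (0, 0), "M": (60, 80)}, CLAIM, tuned=["M"]))
```

With three correct common neighbors, the claim that passes the DS test is still placed in the faulty set by the CS test, while the same claim made with no common neighbor can only be marked unverifiable.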
A. Single adversary, no common neighbors
Consider a verifier $S$ that starts the SNPD protocol in presence of an adversary $M$, with which it shares no common neighbor. In order to bring a successful attack, $M$ must tamper with the data $S$ uses for ranging, so that the resulting distance confirms its fake advertised position. To this end, $M$ can forge at its convenience the time information in the messages it generates. In particular, let $p'_M$ be the fake position that $M$ wants to advertise; we denote by $t'_{SM}$ the fake timing that $M$ introduces in its REPLY, and by $t'_M$ the fake timing inserted in its REPORT (in addition to $p'_M$).

The DS test (Alg. 3) run by $S$ on $M$ checks the consistency between distances, by verifying that $|d_{SM} - d_{MS}| \leq \epsilon_r$, or:

$$|(t'_{SM} - t_S) \cdot c - (t_{MS} - t'_M) \cdot c| \leq \epsilon_r \tag{1}$$

and that positions are also coherent with the distances, i.e., $|\|p_S - p'_M\| - d_{SM}| \leq \epsilon_p + \epsilon_r$, or, equivalently:

$$|\|p_S - p'_M\| - (t'_{SM} - t_S) \cdot c| \leq \epsilon_p + \epsilon_r \tag{2}$$

Thus, the adversary must forge $t'_M$ and $t'_{SM}$, so that (1)–(2) still hold after its real position $p_M$ is replaced with $p'_M$. Solving the equation system obtained by setting the error margin to zero in (1)–(2), we obtain:

$$t'_M = t_{MS} - \frac{\|p_S - p'_M\|}{c} = t_M + \frac{\|p_S - p_M\|}{c} - \frac{\|p_S - p'_M\|}{c} \tag{3}$$

$$t'_{SM} = t_S + \frac{\|p_S - p'_M\|}{c} = t_{SM} - \frac{\|p_S - p_M\|}{c} + \frac{\|p_S - p'_M\|}{c} \tag{4}$$

Note that $p'_M$ is chosen by $M$, and that $M$ knows $t_M$ in (3) (since this is the actual transmission time of its own REPLY) and $t_{SM}$ in (4) (since this is the time at which it actually received the POLL from $S$). We therefore have a system of two equations that $M$ can solve, in the two unknowns $t'_M$ and $t'_{SM}$, only if it is aware of $p_S$, i.e., it is a knowledgeable adversary.

We stress that, for $M$ to be knowledgeable, two conditions must hold: first, $M$ must have previously run the SNPD protocol to discover the identity and position of its neighbors; second, the verifier's position must have not changed since such discovery procedure.
Clearly, as $M$ cannot foresee when $S$ starts the SNPD protocol, such conditions are extremely hard to fulfill, especially in a highly dynamic environment such as the vehicular one.

Nevertheless, if $M$ is aware of $S$'s location, the advertised position $p'_M$ will pass the DS test provided that it is within the proximity range $R$, as shown in Fig. 1. Given such potential weakness, the SNPD protocol marks isolated neighbors as unverifiable in the CS test, even if they pass the DS test.

B. Single adversary, one common neighbor
We now add to the previous scenario a node $X$, which is a correct neighbor, common to $S$ and $M$. Recall that, in bringing its attack, $M$ can forge messages with altered information, but it cannot modify the content of messages sent by other nodes, since they are all encrypted and signed.

The discussion in Sec. V-A applies again, since the fake position advertised by $M$ needs to pass the DS test: $M$ must be aware of $S$'s current position and must forge $t'_M$ and $t'_{SM}$ according to $p_S$ and $p'_M$. However, the presence of the common neighbor introduces two additional levels of security.

First, the POLL and REPLY messages are anonymous, hence $M$ does not know if the verifier is $S$ or $X$ upon reception of such messages. However, if it wants to take part in the protocol, $M$ is forced to advertise the fake POLL reception time $t'_{SM}$ in its REPLY message, before receiving the REVEAL and discovering the verifier's identity. The only option for $M$ is then to randomly guess who the verifier is, and properly change $t_{SM}$ into $t'_{SM}$, as in (4), and this implies a 0.5 probability of failure in the attack.

Second, the CS test on the pair $(M, X)$ requires that $|d_{XM} - d_{MX}| \leq \epsilon_r$ and $|\|p_X - p_M\| - d_{XM}| \leq \epsilon_p + \epsilon_r$. Exactly as before, to pass these checks, $M$ is forced to advertise the fake timings:

$$t'_M = t_M + \frac{\|p_X - p_M\|}{c} - \frac{\|p_X - p'_M\|}{c} \tag{5}$$

$$t'_{XM} = t_{XM} - \frac{\|p_X - p_M\|}{c} + \frac{\|p_X - p'_M\|}{c} \tag{6}$$

If $M$ knows $X$'s current position $p_X$, it can solve (6) and announce the forged $t'_{XM}$ in its REPORT to $S$. However, (5) introduces a second expression for $t'_M$, whereas $M$ can only advertise one single $t'_M$. In order to pass both DS and CS tests, $M$ needs to announce a $t'_M$ that satisfies (3) and (5), which implies:

$$\|p_S - p_M\| - \|p_S - p'_M\| = \|p_X - p_M\| - \|p_X - p'_M\| \tag{7}$$

In other words, $M$ is constrained to choose locations with the same distance increment (or decrement) from $S$ and $X$. In (7), $p_S$, $p_X$, and $p_M$ are fixed and known, hence distances between $p_S$ and $p_M$, and between $p_X$ and $p_M$ can be considered as constant. Since $p'_M$ is variable over the plane, we rewrite (7) as $\|p_X - p'_M\| - \|p_S - p'_M\| = k$, which is the equation describing a hyperbola with foci in $p_S$ and $p_X$, and passing through $p_M$. It follows that only positions on such hyperbola satisfy the four constraints in (3), (4), (5), and (6), and $p'_M$ must lie on that curve in order to pass all tests. Examples of this condition are shown in Fig. 2.

Summarizing, the presence of a common neighbor $X$ drastically reduces the vulnerability of the verifier to attacks, since $M$ is now required (i) to be knowledgeable, (ii) to correctly guess the verifier's identity, and (iii) to advertise a fake position only along a specific curve.
However, since some space for successful attacks remains, the CS test marks as unverifiable nodes that passed the DS test but share only one neighbor with the verifier. We also stress that, if $M$ tweaks the timings so as to pass the DS test and does not care about the matching with $X$, it will still be tagged as unverifiable.

C. Single adversary, two or more common neighbors
In the case of two or more common neighbors, we split the discussion into the two following cases: (i) a generic network topology and (ii) collinear nodes.

(i) Generic network topology. When a second correct neighbor $Y$ is shared between $S$ and $M$, the discussion in Sec. V-B can be extended as follows. We note that, as before, the adversary $M$ has to be knowledgeable, but a second common neighbor reduces to 0.33 the probability that $M$ correctly guesses the verifier's identity. More importantly, by applying the same reasoning as in Sec. V-B, $M$ has now to forge four time values, i.e., $t'_M$, $t'_{SM}$, $t'_{XM}$, and $t'_{YM}$, so that six equations are satisfied, i.e., (3), (4), (5), (6), and the two equations corresponding to the cross-check with the second common neighbor $Y$.

(Footnote: Note that we do not make any assumption on the connectivity between $X$ and $Y$.)

(Footnote: The latter two equations can be obtained from (5)–(6) by replacing $p_X$, $t_{XM}$ and $t'_{XM}$, respectively, with $p_Y$, $t_{YM}$ and $t'_{YM}$.)

To fulfill the constraints on $t'_M$, now $M$ has to announce a position $p'_M$ that is equally farther from (or closer to) $S$, $X$ and $Y$ with respect to its actual location $p_M$. The point satisfying such condition lies at the intersection of three hyperbolae with foci in $p_S$ and $p_X$, $p_S$ and $p_Y$, $p_X$ and $p_Y$, respectively, and such single point actually corresponds to the real position of the adversary, $p_M$.

Accordingly, in presence of two common neighbors, the CS test marks a node with no mismatches as verified. The majority rule (i.e., δ = 0.) results instead in the adversary being tagged as faulty when mismatches are recorded with both common neighbors. Finally, the adversary is added to the unverifiable set if it is capable of fooling $S$ and either $X$ or $Y$, since that leads to one mismatch over two links checked.

We stress that deceiving $S$ and one of the common neighbors requires, beside the knowledge of their current positions and a correct guess on the verifier's identity, also the pinning of which REPLY comes from which neighbor (i.e., $M$ must randomly map $t_{XM}$ onto $p_X$ and $t_{YM}$ onto $p_Y$ for the computations on the hyperbolae to work). Thus, the guess taken by $M$ in the hope of being marked as unverifiable has a success probability of 0.165, jointly given by the probability of guessing the right verifier (0.33) and the probability of guessing the right mapping (0.5) of REPLY reception times onto neighbor positions.

When three or more common neighbors are present between $S$ and $M$, the chances of a successful attack drop to zero. Indeed, not only the probability of guessing the right originators of the different messages shrinks as the size of the common neighborhood grows, but the majority rule dooms the adversary to insertion in the faulty set, even when all random guesses are exact. By extending the above analysis on the hyperbolae, we observe that, with a threshold δ = 0., when $S$ and $M$ share n ≥ communication neighbors, the mismatch-to-links ratio is n − n > δ.

A summary of the security of the SNPD protocol, in presence of a single adversary and in a generic network topology, is presented in Tab. II, where different rows identify different behaviors of the neighbor $X$ under verification by $S$. The columns represent the number of correct neighbors shared by $S$ and $X$. For each combination, we report the set to which $X$ is assigned by $S$, possibly with a probability value due to the adversary's random guessing on the roles of neighbors.

(ii) Collinear nodes. When the majority of common neighbors is collinear to $S$ and an adversary $M$, and lies on the same side as $S$ with respect to $p_M$, a degree of freedom exists for the attacker. Indeed, $M$ is verified if it announces a fake position that is collinear with $p_M$ and $p_S$, within a distance $R$ from $S$, and such that the majority of the common neighbors still lies on the same side as $S$ with respect to $p'_M$.
This case, however,hardly leads to an advantage for the adversary, since p ′ M mustremain aligned with the positions of the other nodes, mustrespect the ordering with the majority of them, and cannotexceed S ’s proximity range. D. Multiple independent adversaries
We now consider the presence of multiple uncoordinated adversaries. It is easy to see that independent attackers damage each other, by announcing false positions that reciprocally spoil the time computations discussed in the previous sections. Cross checks on pairs of non-colluding adversaries will always result in mismatches in the CS test, increasing the chances that such nodes are tagged as faulty by the initiator.

Where multiple independent attackers can harm the system is in the verification of correct neighbors. As a matter of fact, a node is ruled verified if it passes the strict majority of cross controls it undergoes. A correct node surrounded by several adversarial neighbors could thus be marked as faulty (unverifiable), if it shares with the initiator a number of adversarial nodes greater than (equal to) the number of correct nodes. An example is provided in Fig. 3. However, under the assumption that the percentage of attackers among all nodes in the network is small, situations where a correct node shares mostly uncoordinated adversarial neighbors with the initiator are very unlikely to occur.

E. Multiple colluding adversaries, basic attack
Coordinated attacks carried out by colluding adversaries are obviously harder to counter than those independently led by individual adversarial nodes. The SNPD protocol is resistant to coordinated attacks, unless the presence of colluding adversaries in the neighborhood of the initiator node is overwhelming.

The goal of adversarial nodes remains that of inducing the initiator S into trusting the fake positions they announce. The basic way they can cooperate to that end is by mutually validating the false information they generate. Indeed, colluding adversaries can advertise to S reception times (of reciprocal REPLY messages) forged so that the values derived through ToF-based ranging confirm the positions they made up in the CS test. In other words, a perfect cooperation results in the colluding adversaries' capability of "moving" all links among them without being noticed by the initiator. Our SNPD protocol can counter the basic attack from colluders, as long as 50% plus one of the neighbors in common to the verifier and an adversary are correct. Indeed, a strict majority of correct shared neighbors allows the identification of attackers through the CS test. An example with three colluding attackers is provided in Fig. 4.

F. Multiple colluding adversaries, hyperbolae-based attack
A more sophisticated version of the basic coordinated attack can be organized by colluding adversaries as follows. Having received the POLL message, the attackers not only agree on the identity of the initiator S, but also pick a common neighbor X that they share with S: each colluder determines the hyperbola with foci S, X, and passing through its own actual position, and announces a fake position on such curve. This allows the adversaries to announce correct links (i) with the initiator S, (ii) with the selected neighbor X, and (iii) among themselves. Node X becomes an involuntary ally in the attack: in order to work properly, the CS test, based on the majority rule, needs more than 50% plus three of the common neighbors between the initiator and the communicating node to be correct. The two additional correct neighbors are required to counter the effect of X becoming an unintentional colluder during the cross verification.

G. Multiple colluding adversaries, REPLY-disregard attack
A second variation to the attack presented in Sec. V-E relies on a coordinated action against REPLY messages received from correct nodes. As a matter of fact, the CS test can control the symmetry of links between pairs of neighbors only if ToF-based ranging is performed in both directions. Thus, by intentionally excluding from their REPORT the commitments received from correct nodes while including all those received by colluding nodes, adversaries can selectively avoid cross symmetry tests with correct nodes, so that no mismatches are found. We refer to this as a REPLY-disregard attack and stress that it requires at least three colluding nodes forming a clique, or the adversaries would result unverifiable to the initiator, since they would share less than two (bidirectional) neighbors with it.

The SNPD protocol is robust to REPLY-disregard attacks, thanks to the controls run in the ML test. More precisely, an adversary carrying out a disregard attack together with N colluders can safely advertise up to N − wrong reception times from correct nodes, being still tagged as verified by the majority rule. This means that there must be at least N + 1 correct neighbors, shared by an adversary and the initiator, for the adversary to be forced to disregard one or more REPLY, and for two correct shared neighbors to be in the condition of participating in the ML test and identify the colluder. This means that 50% plus two of the shared neighbors must be correct for our SNPD protocol to work properly.

As a final remark on coordinated attacks, we comment on the significant resources and the strong effort they require from the colluding adversaries. Colluders have to share out-of-band links through which they can exchange information to coordinate the attack, upon reception of the POLL message. Exploiting such links, they first have to agree on the initiator's identity, either by a shared random guess or by employing a multilateration technique to disclose it. Then, colluders have to inform each other about the fake positions they will announce, and about the estimated transmission time of their REPLY messages: this way, each cooperating adversary is able to recognize the anonymous REPLY of a colluder node and to compute a reception time that is consistent with the fake position advertised by such colluder. Finally, this exchange of information must occur in a very limited time interval after the POLL message has been broadcast, so that colluders can transmit their REPLY messages well before the T_max deadline.

H. Denial of Service (DoS) attacks
Jamming. An adversary M may jam the channel and erase REPLY or REPORT messages. To successfully perform such an attack, M should jam the medium continuously for a long time, since it cannot know when exactly each of the nodes will transmit its REPLY or REPORT message. Or, M could erase the REVEAL message, but, again, jamming should cover the entire T_jitter time; jamming a specific REPLY transmission is not straightforward either, as the REPLY transmission time is randomly chosen by each node. Overall, there is no easy point to target; a jammer has to basically jam throughout the SNPD execution, an action that is possible for any wireless protocol and orthogonal to our problem.

Clogging. An adversary could induce SNPD traffic in an attempt to congest the wireless channel, e.g., by initiating the protocol multiple times in a short period and getting repeated REPLY and REPORT messages from other nodes. REPORT messages are large and unicast, and generated in a short period after the reception of the REVEAL message. They are thus likely to cause the most damage. However, SNPD has a way of preventing that: the initiator must unveil its identity before such messages are transmitted by neighbors. An exceedingly frequent initiator can be identified and rate-limited, its excessive REVEAL messages ignored. Conversely, REPLY messages are small in size, they are broadcast (and thus require no ACK) and they are spread over the time interval T_max. Their damage is somewhat limited, but their unnecessary transmission is much harder to thwart. Indeed, REPLY messages should be sent following an anonymous POLL message; such anonymity is a requirement that is hard to dismiss, since it is instrumental to keeping adversaries unknowledgeable. As a general rule, correct nodes can reasonably self-limit their responses if POLLs arrive at excessive rates. Overall, clogging DoS attacks have only a local effect, within the neighborhood of the adversary, which could anyway resort to jamming and obtain the same effect.
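The majority rule that the CS-test analysis of Secs. V-C to V-G relies on can be exercised on a small scenario in the style of Fig. 4. The Python sketch below is an added example, not the authors' code: the coordinates, the link set, δ = 0.5 and the two-link minimum are assumptions made here (the last two follow the text's description of the majority rule), while ε_r, ε_p and R take the values quoted in Sec. VI.

```python
import math
from itertools import combinations

EPS_R, EPS_P = 6.8, 5.0   # ranging / position error bounds quoted in Sec. VI (metres)
R = 250.0                 # proximity range used in Sec. VI (metres)
DELTA = 0.5               # ASSUMPTION: threshold expressing the majority rule
MIN_LINKS = 2             # ASSUMPTION: fewer cross-checked links -> unverifiable

# Constructed scenario: true positions of the neighbours of verifier S ...
REAL = {"X": (60, 0), "Y": (0, 80), "Z": (-60, 0),
        "M1": (100, 100), "M2": (80, -60), "M3": (0, -50)}
# ... and the fake positions announced by the three colluders.
FAKE = {"M1": (120, 100), "M2": (130, -60), "M3": (0, -100)}
ANNOUNCED = {**REAL, **FAKE}

# Constructed bidirectional links among S's neighbours.
LINKS = [("M1", "M2"), ("M1", "M3"), ("M2", "M3"),           # colluder clique
         ("M2", "X"), ("M3", "X"), ("M3", "Y"), ("M3", "Z"),  # colluder-correct
         ("X", "Y"), ("X", "Z"), ("Y", "Z")]                  # correct-correct


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def reported_distance(a, b):
    """Distance d_ab that node a reports to S for its link with b."""
    if a in FAKE:
        # Colluder: value forged to agree with the announced positions.
        return dist(ANNOUNCED[a], ANNOUNCED[b])
    # Correct node: honest ToF ranging reflects where b really is.
    return dist(REAL[a], REAL[b])


def cs_test(links, delta=DELTA):
    """Cross-symmetry test as run by S; returns {node: verdict}."""
    d = {}
    for a, b in links:
        d[(a, b)] = reported_distance(a, b)
        d[(b, a)] = reported_distance(b, a)
    nodes = sorted({n for link in links for n in link})
    checked = dict.fromkeys(nodes, 0)      # l_X: links cross-checked
    mismatched = dict.fromkeys(nodes, 0)   # m_X: links that failed
    for x, y in combinations(nodes, 2):
        if (x, y) not in d or (y, x) not in d:
            continue                       # ranging is needed in both directions
        checked[x] += 1
        checked[y] += 1
        dxy, dyx = d[(x, y)], d[(y, x)]
        announced_gap = abs(dist(ANNOUNCED[x], ANNOUNCED[y]) - dxy)
        if abs(dxy - dyx) > EPS_R or announced_gap > EPS_P + EPS_R or dxy > R:
            mismatched[x] += 1
            mismatched[y] += 1
    verdict = {}
    for n in nodes:
        l, m = checked[n], mismatched[n]
        if l < MIN_LINKS or m == delta * l:
            verdict[n] = "unverifiable"
        elif m > delta * l:
            verdict[n] = "faulty"
        else:
            verdict[n] = "verified"
    return verdict


if __name__ == "__main__":
    for node, v in cs_test(LINKS).items():
        print(node, v)
```

In this constructed topology only the colluder that shares three correct neighbors with S is caught, and the correct node X ends up unverifiable because half of its checked links involve colluders. Giving M2 two more correct shared neighbors (links to Y and Z) flips it to faulty.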
I. Adversarial use of directional antennas
Assume that adversarial nodes are equipped with directional antennas and multiple radio interfaces. Then, as a correct node S starts the SNPD protocol, a knowledgeable adversary M can send REPLY messages through the different interfaces at different time instants, so as to fool the communication neighbors shared by M and S: a correct neighbor X would record a time t′_MX, which is compliant with the fake position, p′_M, announced by M and, thus, can pass the corresponding cross check in the CS test. If the adversary is able to fool a sufficient number of neighbors, it succeeds and is tagged as verified; however, we stress that the adversary needs as many directional antennas and radio interfaces as the number of neighbors it wants to fool. Moreover, it must hope that no two such neighbors are within the beam of the same antenna. The complexity, cost, and chances of failure make this attack hardly viable.

VI. PERFORMANCE EVALUATION
To test our SNPD protocol, we selected a real-world road topology that consists of a 5 × portion of the urban area of the city of Zurich [15]. These traces describe the individual movement of cars through a queue-based model calibrated on real data: they thus provide a realistic representation of vehicular mobility at both microscopic and macroscopic levels. We extracted 3 hours of vehicular mobility, in presence of mild to heavy traffic density conditions; the average number of cars in the area at a given time is 1200.

Traces have a time discretization of 1 s. Thus, given a trace, every second we randomly select 1% of the nodes as verifiers. For each node, we consider that all devices within the proximity range R are communication neighbors of the node. Clearly, the larger the R, the higher the number of neighbors taking part in the same instance of the SNPD protocol: for example, for R equal to 50 m and 500 m, the average node degree is 8 and 104.8 and the variance is 5.9 and 71.8, respectively. Also, we set ε_r to 6.8 m and ε_p to 5 m [14].

Since unknowledgeable adversaries are always tagged as faulty in the DS test, in the following we present results considering that all adversaries are always knowledgeable. We stress that this is a very hard condition to meet in dynamic networks, hence all results are to be considered as an upper bound to the success probability of an attack.

When independent adversaries are considered, we randomly select a ratio (a varying parameter in our analysis) of the nodes as attackers. In case of colluders, instead, we randomly select some nodes as adversaries, and for each we further randomly identify neighbors who will collude with it so as to form an attackers group of size σ (or up to the number of neighbors available). We assume that colluding adversaries perform hyperbolae-based attacks, which, as previously discussed, are the hardest to counter. For every scenario under study, we statistically quantify the outcome of the verification test and compare it to the actual behavioral model of the nodes (namely, correct or adversary).

We first report results in terms of probabilities that the tests return false positives and false negatives (Figs. 5(a) and 5(c)) as well as of probability that a (correct or adversary) node is tagged as unverifiable (Figs. 5(b) and 5(d)). The former gauge the reliability of our scheme, while the latter is a mark of the protocol accuracy. The plots showing the false positives and false negatives, when the ratio of adversaries varies and R = 250 m, confirm that our scheme errs on the side of caution: indeed, as the number of adversaries increases, it is more likely for a correct node to be mislabeled than for an adversary to be verified (the latter probability amounting to less than 0.02). Instead, widening the proximity range with a fixed adversary ratio, namely 0.05, only plays into the verifier's hands, thanks to the greater number of nodes (the majority of which are correct) that can be tested. As for the probability that a node is unverifiable, while little sensitivity to the ratio of adversaries is observed, a small R (hence fewer neighbors) affects the protocol capability to reach a conclusive verdict on either correct or adversary nodes. We also estimated that the degree of freedom that a successful adversary has in setting its fake position, for R = 250 m and a ratio of 0.05 attackers, is such that, on average, the fake and actual positions of a verified adversary are collinear and differ by 40 m.

We then fix the adversaries ratio to 0.05 and R to 250 m and we consider the presence of colluders. Figs. 6(a) and 6(b) show the excellent performance of our scheme as the colluder group size σ varies. The impact of colluders on the results appears to be negligible, mainly thanks to the large number of neighbors defeating even big groups of colluders.

Finally, we comment on the overhead introduced by SNPD, in terms of number and size of messages. SNPD generates at most N + 2 messages for one execution initiated by a verifier with N communication neighbors. This is twice the cost of an unsecured NPD protocol that would consist of one poll and N position replies from neighbors. Moreover, SNPD messages are relatively small in size: with SHA-1 hashing and ECDSA-160 encryption [16], the length of signatures is 21 bytes (with coordinates compression). Assuming that messages include headers with 4-byte source and destination identifiers and 1-byte message type field, POLL, REPLY, and REVEAL are all less than 100 bytes in size (to be precise, 26, 71, and 67 bytes, respectively). The REPORT length is variable, depending on the number of commitments it carries: e.g., for 5 commitments, its size is only 295 bytes, and up to 28 commitments can fit in a single 1500-byte IP packet. Obviously, the on-demand nature of the protocol makes it best suited to event-triggered applications, such as safety and tolling ones. In these scenarios, SNPD induces very low overhead in the network. The limited number and the small size of messages make the proactive use of the protocol feasible, for relatively low rate execution, e.g., once in a few tens of seconds.

VII. CONCLUSION
We proposed a lightweight, distributed scheme for securely discovering the position of communication neighbors in vehicular ad hoc networks. Our solution does not require the use of a-priori trustworthy nodes, but it leverages the information exchange between neighbors. Our analysis showed the scheme to be very effective in identifying independent as well as colluding adversaries. Results derived using realistic vehicular traces confirmed such ability and highlighted the good performance of our solution in terms of both false negatives/positives and uncertain neighbor classifications.

Future work will aim at assessing the performance of the proposed secure neighbor position discovery protocol when adversaries have partial or out-of-date knowledge on the other nodes' positions, and at adapting our scheme to a high-frequency proactive utilization.

REFERENCES
[1] A. Wasef, X. Shen, "ASIC: Aggregate Signatures and Certificates Verification Scheme for Vehicular Networks," IEEE Globecom,
IEEE INFOCOM, 2010.
[3] R. Lu, X. Lin, H. Zhu, P. H. Ho, X. Shen, "ECPP: Efficient Conditional Privacy Preservation Protocol for Secure Vehicular Communications," IEEE INFOCOM,
IEEE Comm. Mag., 2008.
[6] P. Papadimitratos, A. Jovanovic, "GNSS-based Positioning: Attacks and Countermeasures," IEEE MILCOM, 2008.
[7] R. Poovendran, L. Lazos, "A graph theoretic framework for preventing the wormhole attack," Wireless Networks, 2007.
[8] S. Zhong, M. Jadliwala, S. Upadhyaya, C. Qiao, "Towards a Theory of Robust Localization Against Malicious Beacon Nodes," IEEE INFOCOM, 2008.
[9] P. Papadimitratos, M. Poturalski, P. Schaller, P. Lafourcade, D. Basin, S. Čapkun, J.-P. Hubaux, "Secure Neighborhood Discovery: A Fundamental Element for Mobile Ad Hoc Networking," IEEE Comm. Mag., 2008.
[10] M. Poturalski, P. Papadimitratos, J.-P. Hubaux, "Secure Neighbor Discovery in Wireless Networks: Formal Investigation of Possibility," ASIACCS, 2008.
[11] M. Poturalski, P. Papadimitratos, J.-P. Hubaux, "Towards Provable Secure Neighbor Discovery in Wireless Networks," Workshop on Formal Methods in Security Engineering, 2008.
[12] S. Capkun, K. Rasmussen, M. Cagalj, M. Srivastava, "Secure Location Verification with Hidden and Mobile Base Stations," IEEE Trans. on Mobile Comp., 2008.
[13] S. Čapkun, J.-P. Hubaux, "Secure Positioning in Wireless Networks," IEEE JSAC, 2006.
[14] M. Fiore, C. Casetti, C.-F. Chiasserini, P. Papadimitratos, "SNPD Protocol: Security Analysis and Implementation Issues," Tech. Rep.,
IEEE standard specifications for public-key cryptography - amendment 1: Additional techniques, 2004.

Algorithm 1: Message exchange protocol: verifier node
node S do
    S → ∗ : ⟨POLL, K′_S⟩
    S : store t_S
    when receive REPLY from Y ∈ N_S do
        S : store t_YS , Y
    end
    after T_max + ∆ + T_jitter do
        S → ∗ : ⟨REVEAL, E_{k′_S}{h_{K′_S}}, K_S, Sig_S⟩
    end
end

Algorithm 2: Message exchange protocol: neighbor node
forall X ∈ N_S do
    when receive POLL by S do
        X : store t_SX
        X : extract T_X uniform r.v. ∈ [0, T_max]
    end
    after T_X do
        X : X = E_{K′_S}{t_SX, K_X, Sig_X}
        X → ∗ : ⟨REPLY, X, h_{K′_S}⟩
        X : store t_X
    end
    when receive REPLY from Y ∈ N_S ∩ N_X do
        X : store t_YX , Y
    end
    when receive REVEAL from S do
        X : t_X = { (t_YX, Y) ∀ Y ∈ N_S ∩ N_X }
        X → S : ⟨REPORT, E_{K_S}{p_X, t_X, t_X, Sig_X}⟩
    end
end

Algorithm 3: Direct Symmetry (DS) test
node S do
    S : F_S ← ∅
    forall X ∈ N_S do
        if |d_SX − d_XS| > ε_r or | ‖p_S − p_X‖ − d_SX | > ε_p + ε_r or d_SX > R then
            S : F_S ← X
        endif
    end
end

Algorithm 4: Cross-Symmetry (CS) test
node S do
    S : U_S ← ∅, V_S ← ∅
    forall X ∈ N_S, X ∉ F_S do
        S : l_X = 0, m_X = 0
    end
    forall (X, Y) | X, Y ∈ N_S, X, Y ∉ F_S, X ≠ Y do
        if ∃ d_XY, d_YX then
            S : l_X = l_X + 1, l_Y = l_Y + 1
            if |d_XY − d_YX| > ε_r or | ‖p_X − p_Y‖ − d_XY | > ε_p + ε_r or d_XY > R then
                S : m_X = m_X + 1, m_Y = m_Y + 1
            endif
        end
    end
    forall X ∈ N_S, X ∉ F_S do
        if l_X < then
            S : U_S ← X
        else
            switch m_X / l_X do
                case m_X / l_X > δ
                    S : F_S ← X
                case m_X / l_X = δ
                    S : U_S ← X
                case m_X / l_X < δ
                    S : V_S ← X
            end
        end
    end
end
Fig. 1. If M knows S's position, it can advertise any fake position, provided its distance from S is at most equal to R.

Fig. 2. M , M , and M depict different situations in which a single adversary can be. In the general case (as M ), a knowledgeable adversary that correctly guessed the verifier's identity can pass all tests if its fake position is on a hyperbola with foci in S, X, passing by M . Particular cases that determine a degeneration of the hyperbola are: (i) the adversary is equidistant from S and X (as M ), constraining the fake position on the symmetry axis of S and X; (ii) the adversary is aligned with S and X (as M ), and not between them: then, the fake location needs to be on the same line, between X and a point at distance R from S.

TABLE I
SUMMARY OF NOTATIONS

Notation                 Description
k_X (resp. K_X)          private (resp. public) key of node X
k′_X (resp. K′_X)        private (resp. public) one-time key of node X
t_X (resp. t′_X)         actual (resp. fake) transmission time of a message by node X
t_XY (resp. t′_XY)       actual (resp. fake) reception time at node Y of a message sent by node X
p_X (resp. p′_X)         actual (resp. fake) position of node X
d_XY                     distance between nodes X and Y
ε_p (resp. ε_r)          position (resp. ranging) error
R                        node proximity range
N_X                      current set of communication neighbors of node X
T_X                      random wait interval after reception of POLL at node X
Sig_X                    signed identity of node X
X                        commitment of node X
V_X                      set of verified communication neighbors of node X
U_X                      set of unverifiable communication neighbors of node X
F_X                      set of faulty communication neighbors of node X

Algorithm 5: Multilateration (ML) test
node S do
    S : W_S ← ∅
    forall X ∈ V_S do
        S : L_X ← ∅
    end
    forall (X, Y) | X, Y ∈ V_S, X ≠ Y do
        if ∃ t_XY and ∄ t_YX then
            if X ∉ W_S then
                S : W_S ← X
            S : L_X ← L_X (S, Y)
        end
    end
    forall X ∈ W_S do
        if |L_X| ≥ then
            S : p^ML_X = arg min_p Σ_{L_i, L_j ∈ L_X} ‖p − L_i ∩ L_j‖
            if ‖p_X − p^ML_X‖ > ε_p then
                S : F_S ← X, V_S = V_S \ X
            end
        end
    end
end

TABLE II
SUMMARY OF SECURITY ANALYSIS IN A GENERIC NETWORK TOPOLOGY

X  /  |N_S \ X|
                             U_S    U_S                     V_S                         V_S
Unknowledgeable adversary    F_S    F_S                     F_S                         F_S
Knowledgeable adversary      U_S    U_S (0.5), F_S (0.5)    U_S (0.165), F_S (0.835)    F_S

Fig. 3. Clique of four nodes: the verifier S, a correct neighbor X, and two adversaries ( M , M ). M ( M ) announces a fake position along a hyperbola with foci on p_S and p′_M ( p′_M ). However, the latter information is fake, leading to a mismatch in the cross-check on ( M , M ). Also, since each attacker can "move" at most one link other than that with S, the checks on ( X , M ) and ( X , M ) fail as well. Thus, M and M damage each other and are tagged as faulty. X, although correct, is added to F_S, since all neighbors it shares with S happen to be adversaries.

Fig. 4. (a) Actual positions and links. (b) Coordinated attack. Coordinated attack by M , M , and M against S. All links between adversaries appear consistent with the false positions they advertise, but links with correct neighbors X, Y, and Z result in mismatches in the CS test. M , sharing with S two colluders but no correct nodes, results as verified. The same holds for M , sharing with S two colluders and one correct node. M is instead marked as faulty, thanks to the three correct common neighbors.

[Fig. 5 panels: (a), (c) probability of false neg./pos., with curves "Correct tagged as faulty" and "Adversary tagged as verified"; (b), (d) unverifiable probability, with curves "Correct tagged as unverifiable" and "Adversary tagged as unverifiable"; horizontal axis: ratio of adversaries in (a), (b), proximity range [m] in (c), (d).]

Fig. 5. Independent adversaries: probability of false negatives/positives and probability of classifying a neighbor as unverifiable. In (a) and (b), R = 250 m while the ratio of adversaries varies; in (c) and (d), the ratio of adversaries is 0.05 and the proximity range R varies.

[Fig. 6 panels: (a) probability of false neg./pos., with curves "Correct tagged as faulty" and "Adv. tagged as verified"; (b) unverifiable probability, with curves "Correct tagged as unverifiable" and "Adv. tagged as unverifiable"; horizontal axis: colluder group size.]

Fig. 6. Colluding adversaries: probability of false negatives/positives and probability of classifying a neighbor as unverifiable, for ratio of adversaries equal to 0.05, R = 250 m, and varying group size σ.