having a certain product on sale could be useful or helpful to both a business ... The authors are with the Department of Computer Science and Engineer- ing, The Chinese ...... In an outdoor environment, we deployed two laptop computers ...
1526
IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 57, NO. 5, MAY 2010
A Node-to-Node Location Verification Method Dawei Liu, Student Member, IEEE, Moon-Chuen Lee, and Dan Wu
Abstract—In this paper, we study the problem of location claim verification of a mobile node in a wireless network. Existing verification methods rely primarily on cooperative approaches, which require the cooperation of several detecting nodes for the verification of a location claim from a target node. These methods all suffer from one or both of the drawbacks: 1) not able to cope with a sparse network situation and 2) the design being based on a particular measurement technique. To remedy the drawbacks, we propose a general location verification scheme. It employs a node-to-node approach for location verification and could use different measurement techniques; moreover, it supports location verification in sparse networks. The proposed verification scheme has been shown to be able to achieve satisfactory performance via extensive real-world Global-Positioning-System-based wireless sensor network experiments. Index Terms—Key management, localization, location verification, sensor networks.
I. I NTRODUCTION
T
HE PREVALENCE of wireless networks together with the pervasive use of mobile and embedded computing devices has created increasing demands for location-based services. Typical applications include emergency search and rescue [1], vehicle navigation control [2], baggage transportation [3], and personal tracking and protection [4]. The access of location-based services in wireless networks should be userfriendly and naturally combined with communication security. For example, being able to check whether a nearby store is having a certain product on sale could be useful or helpful to both a business operator and a customer, who should not be required to establish shared secret keys in advance for this kind of information. However, there are potential risks associated with using location-based technologies. In a hostile environment, an attacker could mislead location tracking by acting as a legitimate user and broadcasting false location information, and the attacker may interrupt or disable the location-aware application by exploiting the vulnerabilities of the underlying localization scheme. Because of the potential risks, location verification techniques have recently attracted more attention. In a wireless network, the location claim of a target user, called a target node (TN), is collected and verified by a group of detecting nodes (DNs). Once the location has been verified, the TN can be granted access to the network resources. On the other
Manuscript received December 20, 2008; revised November 30, 2009. First published December 31, 2009; current version published April 14, 2010. The authors are with the Department of Computer Science and Engineering, The Chinese University of Hong Kong, Hong Kong (e-mail: dwliu@ cse.cuhk.edu.hk). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TIE.2009.2038405
hand, those malicious TNs cheating on their locations could be excluded from the network. Some existing location verification approaches are reviewed in Section III. They mostly suffer from one or both of the problems below. • Designed for a specific type of network. Existing location verification methods are primarily designed for wireless sensor networks (WSNs). They require the presence of numerous network nodes to be evenly distributed to ensure having several DNs around each TN. Apparently, this requirement could hardly be met in most existing wireless local area networks (WLANs) and wireless cellular networks since the access point (AP) and the base station (BS) are always sparsely distributed. Furthermore, sparse network structure may appear at the boundaries of any networks. • Designed based on a particular measurement technique. The existing location verification methods often measure a node location by using one of the following measurement techniques: time of arrival (TOA) [5], time difference of arrival (TDOA) [6], round-trip time (RRT) [7], or angle of arrival [8]. Therefore, if a specific network does not support the measurement technique used by an existing location verification method, the said verification approach would not work properly. This paper proposes a practical general location verification scheme composed mainly of two parts: location estimation and location claim verification. It is characterized by the following: 1) using a node-to-node location estimation approach based on distance measurements and 2) exploiting an encrypted location claim for verification. It is stressed that the location estimation introduced in the proposed scheme is used to estimate the location of a TN to assist the location verification process; it is not for localization purposes. The remainder of this paper is organized as follows. Section II spells out the problem being addressed in this paper. Section III reviews the related work. Section IV presents the proposed node-to-node location estimation approach. Section V outlines the protocol used in the location verification scheme. Section VI analyzes the security aspect of the proposed general location verification scheme. Section VII demonstrates the effectiveness of the proposed scheme by extensive real-world GPS-based sensor network experiments. Section VIII concludes this paper. II. P ROBLEM S TATEMENT In a hostile environment, a malicious node may send out false location information about itself to its neighbors. Earlier studies [5], [6] suggest that existing localization techniques and location-based services are highly vulnerable to attacks caused by false location claims. We propose to address the problem
0278-0046/$26.00 © 2010 IEEE
LIU et al.: NODE-TO-NODE LOCATION VERIFICATION METHOD
Fig. 1.
1527
Verification of the location claim of a target node A. (a) Using three DNs. (b) Using two DNs. (c) Using one DN.
by using DNs in a wireless network to verify location claims from TNs. A. General Network Structure In this paper, a general wireless network is assumed to consist of a set of DNs D(D1 , . . . , Dm ), which hold each other’s identities, and a set of unidentified TNs A(A1 , . . . , An ), which may include some malicious nodes. It is not confined to any particular network structure and configuration, so the network could be a WSN, WLAN, or wireless cellular network, whose DNs could be beacon nodes (BNs), APs, and BSs, respectively. Those nodes located within the communication range are called neighbors. We assume that all neighbors would obtain their location information from the same localization system, such as GPS, cellular positioning system (CPS), or WLAN localization system. A forged location claim Xic from a malicious Ai should deviate from its real location Xi . Since the localization systems differ from each other in terms of underlying coordinate systems, DNs can easily identify a malicious TN that could produce a location claim Xic based on an unknown coordinate system. We consider the localization system as a third party with the locators’ information transparent to both the DNs and TNs, but due to the limited communication range or the privacy protection requirements, localization systems are unable to share location-related measurements of one node (a DN or a TN) with other nodes. This can be explained via Example 1. Example 1: Let us consider a WSN in an outdoor environment, involving a group of BNs, each equipped with a GPS receiver, which has been deployed beforehand for the localization of other mobile nodes. In a hostile environment, suppose that some of these BNs are malicious, and they produce forged location measurements. The malicious nodes are considered as TNs, and the benign BNs are considered as DNs. Assume that two neighbors Ai and Dj can cooperatively measure the distance rij between them without exposing their individual locations. The distance measurement scheme could be any of the following: TOA, RRT, or received signal strength (RSS). Consequently, we do not require the assumption, adopted in [5], [9], and [10], that Ai could manipulate rij by enlarging it only. Consider the case of using the RSS-based measurement technique [11] as an example. A malicious node could reduce the distance rij by decreasing the signal strength concerned. With the measured distance rij , Dj may estimate Xie (xi , yi ) of Ai using the following: � (1) rij = (xei − xj )2 + (yie − yj )2 .
Apparently, this equation represents a circle1 with center at Xj (xj , yj ) and radius rij . When three or more DNs are available for Ai , Xie can then be uniquely determined. Based on the work in [12], the underlying network can be considered having a rigid structure. B. Location Verification To verify a location claim Xic , Dj may compare it with the estimated location Xie . If Ai is a benign node, its location claim Xic should be identical to its true location Xi , and it should cooperate well with Dj in measuring rij . The estimated location Xie should be the same as Xi ; hence, it should also be the same as Xic . On the other hand, a forged location can be confirmed by identifying inconsistency between Xic and Xie or the inconsistency between rij and the reversely computed e distance rij based on Xie and Xj . For example, if Ai reports a forged Xic (at A� ) and cooperates well with Dj in measuring rij , the estimated location Xie (at A) would not be the same as Xic , as shown in Fig. 1(a). Previous works [5], [9], [10], [13] have provided some insight concerning how to check for this kind of inconsistency. However, when fewer than three DNs are available, the existing methods would fail to work since the network structure would then be not rigid, and the DNs are not capable of estimating an accurate Xie . As shown in Fig. 1(b), two DNs can only provide a location estimation with an uncertainty of 2 (we do not consider the special case with two circles touching at one point). Therefore, the malicious Ai could successfully hide itself by making a forged location claim at A�� . The situation is even worse when only one DN is available. As can be seen in Fig. 1(c), the uncertainty increases to n (in the form of a circle). The problem we address is concerned with how to use one DN to verify the location claim of its neighbor TN in a nonrigid network structure. This problem naturally arises in sparse networks or in network boundaries. To the best of our knowledge, this paper is the first attempt ever made for verifying the location claim of a TN using only one DN. III. R ELATED W ORK A. Localization Because of the potential applications, there has recently been an increasing interest in wireless localization research. A 2 = (xe − x )2 + (y e − y )2 + a 3-D space, the equation would be rij j j i i 2 − zj ) , which represents a sphere. For easy understanding, our discussion here will be primarily phrased in terms of circles in the plane. We will extend our analysis to the 3-D place in Section VII. 1 In
(zie
1528
IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 57, NO. 5, MAY 2010
mobile user may determine its location by different localization systems such as WSN-based localizations [14], wireless CPS [15], and GPS [16]. Among them, those distance-based wireless network localization approaches have received more attention from the research community possibly because of their relatively easy implementation and high accuracy. A survey can be found in [17]. However, traditional localization methods have been studied primarily in benign environments. In a hostile environment, an attacker could act as a BN, a BS, or a satellite and could provide false location information. In the worst case, they could disable the localization services of a wireless network. B. Location Verification Recently, a number of approaches have been proposed to detect location cheats on localization systems [18]. Depending on the underlying security model, the approaches can be generally classified into two categories. The first category employs distance information for location verification. Sastry et al. [10] proposed the ECHO protocol for verifying the location claim by using a challenge response mechanism. References [5] and [9] proposed cooperative verification schemes that require a TN to verify the distances between itself and three (or more) DNs to securely estimate its position. Capkun et al. [6] developed a location verification method based on using some hidden reference points to verify the location claim of TNs. Zhang et al. [13] further introduced a mobility-assisted secure localization scheme for ultrawideband sensor networks. Our proposed scheme belongs to this category and has been extended to cope with a sparse network situation. The second category employs “distance-free” approaches for location verification. The underlying principle is that, besides using the distance information, a location claim can be verified using any location-related measurement technique, such as one based on the arriving angle of a radio signal sent by a TN to a DN. Capkun et al. [19] proposed SecNav-F, a secure protocol for distance-free broadcast navigation and synchronization in wireless networks. Compared with the first category, the distance-free approaches have the advantage that they do not require accurate location estimation. As a result, they do not suffer from the localization problem when using sparse networks. Take Fig. 1(c) as an example. When using the distance-free approach, r1 would represent the communication range of DN, and any location claim within this range (the circle area) would be considered as honest. By using a directional antenna [8], this area can be reduced, which means that the localization could be made more accurate. Generally, the distance-free approaches can be used as a substitute for the first category in sparse networks; but they could suffer from low accuracy in location verification or additional costs for locationrelated measurements such as those based on using a directional antenna. IV. L OCATION E STIMATION Here, we present a node-to-node location estimation method. We are more concerned about the precision rather than the
accuracy of the proposed location estimation method. It is well known that the location of any node obtained via GPS could have localization error in practice. In the application being considered, what we care most is whether a DN can verify if a given TN is malicious. Since both the locations of the DN and the TN have similar GPS localization errors, their relative locations should remain unchanged (compared with their true locations) unless the location claim from the TN has more bias added for cheating purposes. Then, their relative locations would be different. At the moment, we assume that a DN Dj has already acquired location-related information from a TN Ai , i.e., the identity of Ai and distance rij between them. The method used to collect the above information in a secure manner will be elaborated in Section V. Before presenting the details, let us introduce the following three notations. Global Detecting Node (GDN). A locator is defined as a GDN for a pair of neighboring nodes Ai and Dj if it satisfies the following three properties: 1) it belongs to a different network; 2) its distances to both Ai and Dj are measurable; and 3) its location can be accessed by both Ai and Dj . Signal/Euclidian Distance. For a given pair of neighboring nodes Ai and Dj (DN or GDN), the distance between them can be estimated by two approaches: 1) using the radio signals to measure � the distance and 2) finding the (xi − xj )2 + (yi − yj )2 based on Euclidean distance the coordinates Xi and Xj . The former one is called the signal distance rij , and the latter one is called the Euclidean distance lij . Distance Residual. For a given pair of distances r and l, defined above, their absolute difference is referred to as distance residual τ . Concerning the properties of GDN mentioned above, the first property guarantees that a GDN would not assist attacks from malicious nodes. The other two properties enable us to estimate the location of Ai using (1). As an illustration, let us consider the WSN discussed in Example 1. Since each beacon node has been equipped with a GPS receiver for obtaining location information, those satellites observed by a pair of neighbors Dj and Ai are chosen as GDNs. Now, we build a WSN with one TN A0 and one DN D1 . Then, D1 directly collects from the satellites D2−7 their location coordinates; D2−7 are considered as GDNs. It also collects from A0 the signal distances between A0 and the GDNs. Refer to Table I for details. The GPS coordinate system, known as the earthcentered earth-fixed XYZ coordinate system, has been used. It is evident that a GDN with the aforementioned three properties could serve the same function as a real DN. A. Rigid Network Structure Consider first a network having one DN D1 and one TN A0 . With the signal distance r10 , D1 can estimate the location X0e of A0 using (1). As discussed in Section II-A, one DN cannot make a rigorous location estimation, which should require a rigid network formed by no fewer than three DNs. By attaching one directional antenna to each DN, Lazos and Poovendran [8] proposed a method to enhance the location estimation
LIU et al.: NODE-TO-NODE LOCATION VERIFICATION METHOD
1529
TABLE I GDN I NFORMATION IN A WSN, W HERE D2−7 A RE GDN S (S ATELLITES ); X, Y, Z: 3-D C OORDINATES OF THE N ODES; rm0 : S IGNAL D ISTANCES F ROM Dm TO A0 ; lm0 : E UCLIDEAN D ISTANCES F ROM Dm TO A0 ; τm0 : D ISTANCE R ESIDUALS B ETWEEN rm0 AND lm0 ; τi1 : D ISTANCE R ESIDUALS B ETWEEN rm1 (O MITTED ) AND lm1 (O MITTED )
Fig. 2. Location estimation using two GDNs (D2 and D3 ) and one DN (D1 ). (a) In an ideal situation. (b) With measurement errors.
accuracy using fewer than three DNs. However, the method is not suitable for a general network model, as it is difficult to meet the directional antenna requirement. Because of the properties of the GDN, we can perform rigorous location estimation using one DN and a group of GDNs. Specifically, each GDN can be used to estimate X0e by (1). Together with D1 , two GDNs can be used to form a rigid network for rigorous location estimation. An example can be seen in Fig. 2(a), where satellites D2 and D3 can be considered as GDNs. Alternatively, three GDNs can be used to form a rigid network, and D1 would not be involved. For security reasons (to be elaborated in Section VI-A), at least one TN should be used. Now, consider a network having multiple DNs and TNs. Traditional location estimation methods usually employ no fewer than three neighboring DNs for estimating the location X e of each TN. However, one serious drawback of these methods is that they require the DNs to cooperate with each other to estimate the location. If one or more of the DNs have been compromised, the estimated location would be inaccurate. To resolve this problem, we propose a node-to-node location estimation approach: form pairs of neighboring nodes DN and TN from the network, and estimate the location of the TN in each pair by using only one DN and two GDNs. Compared with the traditional approaches, the newly proposed method is more robust since the GDNs would not be compromised (according to property 1 of the GDN). Unless stated otherwise, all our location estimations are based on the node-to-node approach in the following sections. B. Location Estimation in Error Condition Here, we consider how to estimate the location of a TN, in the presence of measurement errors, for each pair of DNs and
TNs mentioned above. In reality, the presence of measurement errors could make it difficult to accurately do the estimation. Refer to Fig. 2 for an explanation. Fig. 2(a) represents the ideal situation where the signal propagation circles cross at a single point representing a unique location. Fig. 2(b) represents a practical situation with errors in the signal distances, so the circles do not cross at one single point; in fact, they may not cross at any point. This represents a scenario where we could not obtain a location with acceptable accuracy. Earlier research [5], [10] proposed some methods to solve the problem of location estimation in the presence of measurement errors in the WSN. They assume that the signal distances are similar in magnitude, and that the measurement errors involved are also similar in magnitude. However, their assumption is no longer valid for a network involving GDNs since the signal distance between a GDN and a TN is much bigger than the signal distance between a DN and a TN. Moreover, according to [1] and [16], the signal distance of a GDN could involve a measurement error of hundreds of meters caused by bad radio signal propagation conditions, time synchronization bias of a GPS receiver, and many other factors. Refer to Table I for the WSN mentioned above for an illustration; each entry in the distance residual column (τm0 ) of Table I represents the measurement error of a signal distance between a GDN and the TN A0 . It is obvious that all the errors are larger than the signal distance r10 between D1 and A0 . Therefore, such errors could cause a serious problem in location estimation as indicated in Fig. 2(b). Intuitively, to resolve the above measurement error problem, D1 should ask A0 to remove the error from rm0(m�=1) before sending it to D1 since rm0(m�=1) is the signal distance measured by A0 . However, in the case A0 is a malicious node, this approach would not work since A0 would not obey any instruction from D1 . We develop a method that could be employed by D1 to detect and mitigate the measurement error in rm0(m�=1) as follows. 1) Calculate the Euclidean distance lm1 between D1 and a GDN Dm based on the locations of D1 and Dm . 2) Compute the distance residual τm1 based on lm1 and the signal distance rm1 measured beforehand. 3) Remove τm1 from rm0 . The underlying principle of this method is that the measurement errors in the signal distances rm0 and rm1 have a similar value. Steps 1 and 2 above formulate the error in rm1 in terms of τm1 . To facilitate the argument below, we first
1530
IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 57, NO. 5, MAY 2010
assume that the GDNs can accurately localize DNs and TNs, similar to the ideal situation. Thus, the Euclidean distances lm0 and lm1 could be considered identical to the real distances between Dm(m�=1) (GDN) and D1 and A0 , respectively; and the measurement error in signal distances can be formulated in terms of distance residuals. According to the work [16], [20] in wireless localization systems, the errors are primarily caused by the nonline-of-sight (NLOS) propagation of radio signals or, in a more common term, the bad channel conditions. As Dm is very far away, D1 and A0 can be considered close to each other; we can assume the same channel condition for radio signal propagation from Dm to D1 and from Dm to A0 ; we can also assume rm1 and rm0 having similar measurement errors. Previous studies of NLOS [21], [22] suggest that the distance residuals are positive variables consisting of a nonnegative bias φm , which remains nearly a constant for some time to both DNs and TNs, and a zero mean independent random noise θm that varies from node to node. φm is much larger than θm in practice. Therefore, we make the approximation τm0 ≈ τm1 , which enables an error mitigation operation in step 3. Table I shows a set of distance residuals based on some real experiments. In such a practical situation, the above assumption that GDNs can localize DNs and TNs very accurately is no longer valid. It is clear that all distance residuals in the table are much bigger than the signal distance between D1 and A0 . This means that measurement errors are substantial. However, in all cases, τm0 ≈ τm1 is a good approximation for all GDNs. Therefore, even in a nonideal situation, the above three steps could effectively remove the measurement errors. Unlike the previous studies [21], [22] of NLOS error detection and elimination in wireless localization systems, which primarily focus on localization accuracy and distance measurement accuracy, we need not concern so much about localization accuracy in our proposed location estimation. The above shows how we could remove the measurement error in the form of distance residual from the signal distance between a TN and a GDN. To reflect the removal of the measurement error from the signal distance, the location estimation (1) could be rewritten as � e e (2) fi (x0 , y0 ) = ei − (xe0 − xi )2 + (y0e − yi )2 where ei0 = ri0 − τi0 if i refers to a GDN or ei0 = ri0 if i refers to a DN. fi represents the location estimation error. Now, the node-to-node location estimation would become as follows: apply (2) for n nodes (1 DN and n − 1 GDNs) to find the best solution (xe0 , y0e ) yielding the least fi . This problem has been widely studied [5], [13], [16], [19], [21], [23]. The MMSE method has been used most extensively to obtain � the best solution by minimizing F (xe0 , y0e ) = ni=1 fi2 (xe0 , y0e ), and the the estimated location computed as ς 2 = �nMSE of � (1/n) i=1 (ei − (xe0 − xi )2 + (y0e − yi )2 )2 has been used to evaluate the estimated location. Although we adopt the MMSE approach for location estimation, our proposed threestep measurement error removal method has been incorporated into (2). It is expected that the proposed node-to-node location estimation method could work better in error condition, as demonstrated in the experiments presented later.
Fig. 3.
Verification phase 1.
V. S ECURE L OCATION V ERIFICATION P ROTOCOL Here, we present a secure protocol for location verification. It enables a DN to verify the location claim of a TN in a secure manner, namely, 1) to identify the malicious TN with a forged location claim X c and 2) to protect the benign TN against eavesdropping during message passing. In particular, we develop a novel location-based encryption method that does not require any preshared secret keys for secure communication. The proposed location verification protocol has two phases. In phase 1, the DN determines the GDNs for estimating the TN location. In phase 2, the DN verifies the location claim X c of the TN. A detailed security analysis of this protocol can be found in Section VI. In some applications, upon receiving a location claim from a TN Ai , the DN Dj would start our proposed secure location verification protocol as follows. A. GDN Selection To verify a given location claim from Ai , Dj starts phase 1 to the location verification protocol to perform GDN selection, as outlined in Fig. 3. In step 1, the DN Dj sends a request to the TN Ai , asking for IDi , the identities of the locators. After receiving IDi , Dj compares, in step 3, IDi with IDj , the identities of locators observed by Dj . Then, Dj finds the common locators from IDi and IDj , denoted as M , which may serve as candidate GDNs for location estimation. In step 3, Dj also checks whether the size of M is smaller than 2. If yes, Dj cannot verify the claim from Ai , and the verification process should be terminated immediately. Note that no details of GDNs are disclosed in the above steps to prevent any other malicious node from obtaining the signal distances between Ai and the GDNs via eavesdropping for estimating the location of Ai . If the size of M is not smaller than 2, Dj proceeds to step 4 requesting Ai for two signal distances between Ai and two GDNs. In step 5, Ai sends Dj the requested signal distances rmi . There is no need to worry about eavesdropping attacks in this step unless a malicious node can measure the distance between itself and Ai , as it is not possible to perform an accurate location estimation using only two GDNs. However, if the malicious node could measure the distance between Ai and itself, it could estimate the location Xie of Ai using the same method mentioned in Section IV. One possible solution to this problem is to add noises to the signal distances rmi so that a malicious node that has obtained the distances by eavesdropping cannot correctly estimate Xie . To add such noises, we can modify steps 4 and 5 in Fig. 3 as
LIU et al.: NODE-TO-NODE LOCATION VERIFICATION METHOD
1531
Fig. 4. Location-based encryption. (a) Location-based index scheme of Q. (b) Unique mapping: without measurement noise. (c) One-to-many mapping: with measurement noises.
follows: In step 4, Dj also sends Ai a random parameter k for adding noises; in step 5, Ai sends k × rij + rmj instead of rmj . Obviously, with the knowledge of k and rij , Dj can recover rmj by removing k × rij . The subtle point of the proposed solution is that only Dj and Ai would know the distance rij , which should not be made known to any other node, provided that both Dj and Ai would not disclose rij themselves. Take the TOA measurement scheme as an example. Dj can measure the distance by rij = c × (tj − ti ), where ti is the time at which Ai sent out a signal, tj is the time at which the signal arrived at Dj , and c is the speed of the radio signal. It is unlikely that a malicious node could capture both ti and tj via eavesdropping. Similar analysis can be used when other measurement schemes such as TDOA, RSS, and RRT are considered. To save space, we do not show the aforementioned modified steps in another diagram. B. Location Verification After receiving the signal distances rmi between Ai and two GDNs, the DN Dj can estimate the location Xie and require Ai to report its location claim Xic for verification. There are two issues that should be addressed: 1) how to protect Xic against eavesdropping and 2) how to check for consistency between Xie and Xic . We are concerned about eavesdropping attacks because if Ai sends out Xic without any data security protection, a malicious neighbor may obtain Xic via eavesdropping, resulting in privacy violations; furthermore, the malicious neighbor could impersonate Ai by claiming its location as Xic . It is obvious that eavesdropping attacks can be thwarted by encrypting the relevant data before being sent out. In the following, we present phase 2 of the secure location verification protocol based on a novel location-based encryption scheme (Fig. 4). It is characterized by the following: 1) it does not require any preshared secret key between Dj and Ai for secure communication, and 2) it supports the consistency test for location verification via decryption. Fig. 5 outlines phase 2 of the protocol. In step 1 of phase 2, Dj estimates Xie of Ai by using the method proposed in Section IV and the noise threshold ς02 to be used for evaluating the MSE computed for a given estimated location. If Xie yields an MSE ς 2 that is bigger than ς02 , it would be considered as an inaccurate estimated location. Then, Ai would be considered as malicious because the inaccuracy could have been caused by Ai for not cooperating well with Di in location estimation, and location verification would be terminated in step 1. We employ the method proposed by
Fig. 5. Verification phase 2.
Liu et al. [23] to estimate this noise threshold in the present application: In (2), fi is considered as an independent random variable for location estimation error, and μi and σi2 are the mean and the variance of fi2 , respectively. If the estimated location of Ai is accurate, the probability distribution of ς 2 (MSE) 2 2 2 � � for ς 2 ≤ ς02 is limn→∞ � F [ς ≤ ς0 ] = Φ((nς0 − μ )/σ ), where μ� = Σni=1 μi , σ � = Σni=1 σi2 , and Φ(z) is the probability of a standard normal random variable being less than z. Since μ� and σ � are primarily determined by the signal distance measurement schemes used, they can be measured beforehand for a pair of neighboring nodes Dj and Ai . Then, the probability of ς 2 ≤ ς02 a benign node would be uniquely determined by ς02 . We need to find a value for ς02 , referred to as the noise threshold, satisfying the condition that the cumulative distribution F [ς 2 ≤ ς02 ] would be close to 100%. For a benign Ai cooperating well with Di in location estimation, the MSE ς 2 could be smaller than ς02 . On the other hand, an inaccurate estimated location Xie caused by a malicious Ai would yield an MSE ς02 that is bigger than ς 2 . Note that the threshold ς02 should be set carefully: If it is set too small, even an accurate estimated location would be considered inaccurate; on the other hand, if it is set too large, an inaccurate estimation could be considered accurate. After estimating the noise threshold in step 1, Dj generates an n × n key matrix Q and sends Ai the matrix together with a group of geographic indexes (X, Y ) in step 2. The matrix Q keeps n × n keys for encryption. The indexes are used for mapping a key to a pair of geographic coordinates. Specifically, given a key q(u,v) , the element on the uth column and the vth row of Q, the index is mapped to a c × c geographic area centered at the location (xu , yv ), as illustrated in Fig. 4(a). Any given location-based index can be uniquely mapped to get the corresponding key.
1532
IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 57, NO. 5, MAY 2010
In step 3, Ai finds a key q(a,b) based on its location claim Xic ; then, its encrypts Xic using the key, i.e., S = Eq(a,b) (Xic ). In step 4, Ai sends Dj its encrypted location S. After receiving S, Dj decrypts it in step 5. Obviously, Dj does not know the key q(a,b) used by Ai for encryption. However, Dj can locate the key based on the estimated location Xie . Consider first a simple scenario where the MSE ς = 0 and Xie = Xic . In this situation, Xie and Xic would be mapped to the same key q(a, b), as shown in Fig. 4(b). In a practical situation where MSE ς �= 0, Xie may deviate from Xic ; therefore, the key q(a� ,b� ) found according to Xie may not be the same as q(a,b) , the key used for encrypting S. One solution is to perform a local search around q(a� ,b� ) , and the search range can be determined based on the noise threshold ς02 . Specifically, Dj selects a (2ς0 /c + 1) × (2ς0 /c + 1) submatrix Q� with q(a� ,b� ) as the center, as shown in Fig. 4(c). If A0 is a benign node cooperating well with Dj in estimating Xie , and providing an honest Xic , q(a,b) should be within Q� , i.e., the difference between Xie and Xic should be smaller than ς0 ; and Dj should be able to find q(a,b) via a local search. On the other hand, if Dj cannot find the correct key for decryption, Ai is considered a malicious node. VI. S ECURITY A NALYSIS Here, we analyze the ability of the proposed location verification scheme to detect whether a TN is malicious. A malicious node here refers to a TN that is not honest about its location claim or does not cooperate with the DN for location estimation. The analysis would be focused on two different subnetwork structures in a sparse network. The first subnetwork structure consists of one DN (D0 ) and one TN (A1 ). In our analysis, A1 is assumed to be a malicious node. The second subnetwork structure consists of one DN (D0 ) and two TNs (A1 and A2 ). In our analysis, A1 is considered a malicious node and A2 a benign node. We assume that all TNs have the required facility to receive signals from GDNs. The two different subnetwork structures are analyzed below. A. Subnetwork Structure 1 Besides one TN and one DN, this subnetwork structure could consist of no fewer than two GDNs. To verify the location claim of A1 in verification phase 1, D0 requires from A1 the following: identities of two GDNs, signal distances between A1 and the GDNs, and the encrypted location claim S. If A1 does not honestly provide the identities of two GDNs, location verification would be terminated in step 3 of phase 1, and A1 can then be concluded as a malicious node. On the other hand, if A1 provides two proper GDN identities, it would be further requested to provide two signal distances in the protocol. If signal distances have been fabricated, verification phase 2 should be able to identify A1 as a malicious node. In verification phase 2, D0 checks the accuracy of the estimated location X1e of A1 in step 1. Since large measurement errors in the signal distances should have been removed by error mitigation, an inaccurate X1e should have been caused by a malicious A1 not cooperating with D0 in the location estimation. In this case, the verification protocol terminates at step 1,
and A1 is considered a malicious node. Then, D0 checks the consistency between the estimated location X1e and the location claim X1c of A1 . The presence of two GDNs and one DN forms a rigid network for estimating X1c . Then, D0 obtains X1c in an encrypted form from A1 for verification. Earlier studies [5], [9], [10], [13] have provided much insight into the checking for consistency of two given values X1e and X1c . These methods require the cooperation of several DNs. A GDN significantly differs from a DN in that it does not assist D0 in checking the consistency. If a GDN is used for location verification, A1 could attempt to maintain the consistency between X1e and X1c by 1) computing the Euclidean distance based on X1c and the location of the GDN and 2) sending D0 this distance, instead of an actual signal distance between A1 and the GDN. Refer to Fig. 1(a) for illustration. Let D1 , D2 , and D3 be GDNs. Since A1 can observe the locations of the GDNs, it can make the radius of the signal propagation circle be larger than or smaller than the actual circle. This way, it can make the circles D1 , D2 , and D3 to cross at any place by manipulating the radii r1 , r2 , and r3 . Therefore, the estimated location X1e (the crossing point of circles) could be made consistent with any location claim X1c . The above shows that the location verification using only GDNs could be questionable. This explains why we use two GDNs and one DN in the subnetwork structure 1 for location verification. As A1 does not know the location of the DN (D0 ), it cannot estimate X1e and so cannot maintain the consistency of X1e and X1c . Therefore, if A1 does not cooperate well with D0 in the distance measurement, or if A1 provides a fabricated location claim, D0 would not be able to obtain a proper estimated location X1e to decrypt the location claim from A1 . Therefore, it can be concluded in step 5 of verification phase 2 that A1 is a malicious node. B. Subnetwork Structure 2 The subnetwork structure considered consists of one DN, two TNs, and no fewer than two GDNs. In the presence of one benign TN A2 and one malicious TN A1 , the problem of Sybil attack [24] could occur, as A1 could eavesdrop the communication between D0 and A2 . No matter whether A1 has the facility to receive signals from GDNs, it could obtain the required GDN identities and the signal distances between GDNs and A2 via eavesdropping. Then, it could impersonate A2 by sending D0 the same GDN identities and signal distances in verification phase 1. Since these data values are from the benign node A2 , A1 may not be identified as malicious in the verification phase 1. To impersonate A2 in the verification phase 2, A1 should try to obtain the location of A2 . This can be achieved by two different techniques: 1) estimating X2e using the method discussed in Section IV and 2) getting the location claim X2c of A2 by eavesdropping. To prevent A1 from obtaining X2e and X2c , our proposed location verification scheme employs the following measures: 1) In verification phase 1, A2 adds a noise value to the signal distances between A2 and GDNs before sending it to D0 . The added noise is k × r20 , with k being set by D0 , and r20 is the distance between D0 and A2 . This noise prevents A1 from recovering the signal distances since r20 is
LIU et al.: NODE-TO-NODE LOCATION VERIFICATION METHOD
unknown to A1 . As a result, A1 cannot accurately estimate the location X2e of A2 . 2) In verification phase 2, X2c is transmitted in an encrypted form. As we do not require any preshared secret key between D0 and A2 , the previous encryption methods [8], [25] may not work here. In the proposed location-based encryption method, A2 encrypts X2c by using a key indexed by X2c . Since A1 cannot accurately estimate the location of A2 , A1 cannot find an appropriate key for decryption. Therefore, A1 cannot impersonate A2 . In the above analysis, we primarily focus on two basic subnetwork structures. In a large network of multiple DNs and multiple TNs, a malicious TN may be able to launch an attack by cooperating with other malicious TNs. A typical example is the wormhole attack in which a malicious node tunnels its location and distance information to another malicious node that can replay the information during a location verification. Previous studies [7], [8], [25] have already provided effective solutions to the foregoing attacks. Therefore, we have not considered handling such attacks in this paper. VII. E XPERIMENTAL S TUDY Here, we present the experimental study of the proposed location verification scheme using a GPS-based localization platform to demonstrate the effectiveness of the proposed scheme in a practical situation. We first introduce below the platform for doing the experiments and present some basic location data collected via experiments using the platform. Then, we evaluate the proposed verification scheme using different noise thresholds. A. System Configuration The GPS-based localization platform was set up as described below. In an outdoor environment, we deployed two laptop computers each attached with a GPS receiver. The receiver was equipped with a SiRF III GPS module and one on-chip antenna. This module is capable of providing real-time signal distances between the module and the satellites referred to as GDNs in our earlier discussion. The two computers can communicate with each other using 802.11 netcards. One of the computers is treated as a TN A0 and the other as a DN D1. Different data values were collected via the above platform and tabulated in Table I as introduced in Section IV. Fig. 6 shows the locations of D1 and A0 collected for a period of 60 s. For the present 2-D coordinate system, longitude–latitude coordinates are used. Assume that A0 is a benign TN. There are three sets of location records, including true location X1 of D1 , location claim X0c (the same as the true location X0 ) of A0 , and estimated location X0e of A0 . The first two sets were collected directly from GPS receivers, and the last set was estimated using D1 and three GDNs (D2 , D3 , and D4 ), assuming no measurement errors in r10 (signal distance between D1 and A0 ). In an ideal situation, X0c and X0e should be the same or nearly the same. However, as can be seen in Fig. 6(a), X0c and X0e do not overlap. These observations agree well with our discussion in Section IV-B of the measurement error and noise. Specifically, measurement
1533
Fig. 6. Location records of D1 and A0 for 60 s. (a) Relative locations of D1 and A0 . (b) True location X1 of D1 . (c) True location X0c of A0 . (d) Estimated location X0e of A0 .
errors in the signal distances between A0 and GDNs are positive variables consisting of a large constant φ and a small noise θ. As discussed in Section IV-B, the large error φ could have been removed from the signal distances, and the remaining small noise θ can be considered as a primary cause of a biased X0e in location estimation. Fig. 6(a) shows that the bias in X0e should not be substantial since X0e and X0c are close. Moreover, each of the three sets of locations spreads over different points in Fig. 6(a). It is interesting to note that for each set, the points spread out in a similar pattern. Ideally, each set of location values should correspond to one point. An enlarged view of the spread patterns of the points is shown in Fig. 6(b)–(d), where each dot represents a location record at one time instance. These observations suggest that 1) it is difficult to avoid the GPS localization error that could be accountable for the spread of the points, and 2) the localization error does not cause inconsistency between X0e and X0c when using our proposed location estimation approach. As the points spread with time, we require A0 to report its location claim in realtime to minimize the risk of a false verification caused by the localization errors that vary with time. B. Location Estimation We performed practical experiments to assess the performance of the proposed location verification scheme using different MSE thresholds that could have a big impact on the performance. We intend to find an appropriate threshold ς02 for location verification since an honest TN A0 could be considered as dishonest if ς02 has been set too small, whereas a malicious A0 could be considered as honest if ς02 has been set too large. If A0 is a malicious node, it could sometimes be identified as malicious in verification phase 1; otherwise, it could be identified in phase 2. In the following, we evaluate ς02 step by step. 1) Using the MSE to Measure Bias in the Signal Distance: The MSE has been widely used to assess an estimated location. Clearly, if the MSE is large, it means that the estimated location is not so good. In the present location verification application, as discussed above, large measurement errors could be removed during location estimation; a large MSE should have been
1534
IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 57, NO. 5, MAY 2010
Fig. 7. MSE in the presence of biased signal distances. (a) ri0 of a DN or a GDN is biased. (b) r30 and r40 are biased.
caused by a malicious node responsible for adding biases to the signal distances that are considered the primary source of the estimated location error. Therefore, we need to do experiments to find an appropriate MSE threshold ς02 for location verification purposes so that we can say that if the MSE is bigger than ς02 , A0 could be considered malicious. To show how the MSE could be affected by the biases in various signal distance biases, we performed simulation experiments by adding different biases to various signal distances based on the platform mentioned in Section VII-A. The results are as presented in Fig. 7(a) and (b). Fig. 7(a) shows the relation between ς 2 (MSE) and the biased signal distances ri (i=1,...,4) . Clearly, both negative and positive biases could cause ς 2 to increase. Also, the same bias in different ri0 could result in different ς 2 . This can be explained as follows: A biased estimated location X0e caused by a biased ri0 may deviate from the real location of A0 in various directions. If this direction is tangential to the signal propagation circle of Di , it should not cause a large fi in (2), and, hence, the MSE would be small. On the other hand, if the estimated location X0e is normal to the circle, the MSE would be large. For Fig. 7(a), we added a bias to one of the four signal distances at a time in experiments, whereas for Fig. 7(b), we used two biased signal distances for each experiment. Clearly, the presence of biases in r30 and r40 could cause ς 2 to increase. However, biased r30 and r40 could result in small ς 2 in some cases; for example, the MSE is quite small when biases in r30 and r40 are both 4. Again, this can be explained by X0e being on the tangent of the circle of the DN as mentioned above. The two sets of experiment results presented in Fig. 7 show that, in general, biases in signal distances could cause the MSE to increase. For an accurate location estimation, if the biases are small or close to zero, the MSE would be close to zero. Then, the estimated location can be considered acceptable. As explained above, a large MSE would imply that the biases have probably been added by a malicious TN. To detect a malicious node via location verification, we need to find an appropriate threshold ς 2 for the MSE. 2) Finding a Noise Threshold Based on [23]: We first applied the method proposed in [23] to carry out experiments
TABLE II S TATISTICAL I NFORMATION OF THE MSE FOR GDN S
Fig. 8.
Cumulative probability distribution of ς 2 < ς02 for the MSE.
to work out an appropriate noise threshold ς02 ; the parameters used in the proposed method were set based on our experiment platform. The threshold ς02 was intended to be used in the steps in location verification phase 2 to identify any malicious TN. Based on the discussion in Section V-B, the performance of a threshold ς02 is determined by μ (mean of the MSE), σ (variance of the MSE), and n (number of TN + DGNs). The computed μ and σ are as shown in Table II, which represent some statistical data for the GDNs observed by D1 for a duration of 60 s. Further experiment results are presented in Fig. 8. Consider a simple case with A0 being honest and μ1 = σ1 for the measurement noise. Fig. 8 shows the relation between ς02 /σ12 and the cumulative probability distribution of ς 2 < ς02 or, generally speaking, the chance of A0 being identified as honest based on a threshold ς02 . Clearly, the cumulative probability increases as ς02 /σ12 grows, suggesting that A0 has a better chance of being identified as honest for a larger threshold ς02 for
LIU et al.: NODE-TO-NODE LOCATION VERIFICATION METHOD
1535
Fig. 9. Identification rate based on different thresholds ς0 . (a) A0 is a benign node with a biased r10 . (b) A0 is a malicious node with a forged r10 . (c) A0 is a malicious node with forged location claims.
a given σ12 . The curve for n equal to 6 has the steepest descent, representing the best performance for location verification. These results agree well with the theoretical analysis in [23]. An exception is that for n = 7, the curve significantly differs from the others and has almost a constant cumulative probability of 0.2. This could be explained by the fact that D7 has much larger MSE noises σ 2 than others, as can be seen in Table II. The above observations suggest that 1) a GDN with a large noise in the signal distance would yield a low identification rate, and, hence, it should not be used in location verification, and 2) using more GDNs does not seem to produce significant improvement in the identification rate. For example, to achieve a 95% identification rate, the thresholds ς02 could be set as 1.69 × σ12 , 1.62 × σ12 , and 1.50 × σ12 for n equal to 4, 5, and 6, respectively. 3) Finding an Improved Noise Threshold: In the following, we first show our evaluation of the noise threshold (1.69 × σ12 ) obtained above for location verification. Then, we describe some experiments for finding an improved threshold. Subsequently, we show by experiments using the improved threshold for location verification and present at the same time our evaluation of the improved threshold. We first performed some field-test location verification experiments to identify/verify A0 to assess the threshold ς0 = 1.3 × σ1 (for n = 4) obtained from the experiments above, assuming that σ1 is equal to 1. For the first set of experiments, A0 was assumed to be a benign TN that should cooperate well with D1 in the distance measurement. However, due to the existence of measurement noises, the measured signal distance r10 between A0 and D1 could deviate from the true value by a bias of −2 to 2 m. Fig. 9(a) presents the identification rates for 100 separate experiments. It can be seen that the identification rates based on the threshold ς0 = 1.3 are much smaller than the theoretical result 95% obtained in Section VII-B2. For the case of an accurate r10 (with zero bias), the identification rate is around 50%. For the cases with r10 having a bias of 2 and −2 m, the identification rates become 15% and 45%, respectively. These observations suggest that the threshold obtained based on the method proposed in [23] may not be satisfactory for real-world applications; the reason for the degradation of the identification rate could be due to the fact that the method proposed in [23] relies on the central limit theorem and requires
a large number of nodes for location verification. In our experiments, we have only one DN and three GDNs. We notice that by using a modified threshold ς0 with a value of 2.5, we could obtain improved verification performance. As can be seen from Fig. 9(a), the identification rates become 90% for the cases with a bias ±2 in r10 . Therefore, ς0 with a value of 2.5 can be considered an improved threshold. Then, we performed the second set of location verification experiments to evaluate the improved threshold for identifying a malicious node A0 , which could give D1 a fabricated signal distance r10 . For simplicity, A0 was assumed to add the biases {−3, 3, −5, 5} one at a time to the signal distance r10 in our experiments. Fig. 9(b) presents the identification rates based on 100 experiments. It shows that we could have nearly a 100% identification rate for r10 with ±5 bias in r10 . For the cases with r10 having the biases ±3, the identification rates are around 9%, which can be considered a satisfactory performance. Lastly, we performed the third set of location verification experiments to evaluate the noise threshold (ς0 = 2.5) for identifying a malicious node A0 cheating on the location claim. In the experiments, A0 provided forged locations X0c to D1 ; assume that A0 prepared X0c by adding a bias of 0−3 to its true location. Fig. 9(c) shows the identification rates of A0 based on the results from over 10 000 experiments. Clearly, the identification rates are nearly 100% when the bias is larger than 2.5 m. When the bias is smaller than 2 m, A0 could be identified as a benign node since a relatively small bias could have been caused by some measurement noises. Furthermore, the same bias could differently affect the identification rate, depending on whether it is on the X-coordinate or the Y -coordinate. Refer to Fig. 9(c) for an example where there are two highlighted points: (1, 0, 0.2556) and (0, 1, 0.0333). For this particular example, a 1-m bias in X yields a much worse identification rate when compared with a 1-m bias in Y . This could be explained as follows: For a given biased X0c , the bias in the tangential direction of a signal propagation circle would yield a much smaller MSE than the same bias in the normal direction. The above location verification experiments show that the improved noise threshold obtained from our fieldtest experiments could identify a malicious node in most cases, much better than the threshold obtained by using the method proposed in [23].
1536
IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 57, NO. 5, MAY 2010
VIII. C ONCLUSION Our study shows that existing methods for location verification in wireless networks are mostly inadequate for different reasons. In particular, many of the methods could not effectively work in a sparse network situation. Another major reason is that they may fail to work in many wireless networks because many of the existing methods have been designed specifically for a particular network that often supports only a specific distance measurement scheme. Therefore, existing methods often support the distance measurement scheme of the network concerned. However, if a certain wireless network does not support that specific distance measurement scheme, the verification methods cannot be used. In this paper, we have proposed a general node-to-node location verification scheme to address many of the problems that are inherent in current location verification methods. With the introduction of GDNs to assist in location estimation and verification, the proposed scheme can work well even in a sparse network. The security analysis of our location verification protocol presented in Section V shows that the proposed locationbased encryption technique can tremendously facilitate location verification and the detection of a malicious node. It also indicates that the proposed general location verification scheme can prevent one TN from impersonating another TN. The satisfactory performance of the location verification protocol has been demonstrated by the extensive field-test experiments presented in Section VII. The MSE, widely used to evaluate an estimated location, has been also used to evaluate the estimated locations in our experiments to identify if a TN is malicious or benign; a noise threshold ς02 has been employed for this purpose. The theoretical threshold obtained based on the method proposed in [23] did not yield a satisfactory identification rate for the network we have used in the experiments. However, using the improved threshold obtained via extensive experiment on our experiment platform, we can obtain much improved location verification performance. Therefore, finding an appropriate threshold for a specific network can be critically important. In our future work, more research would be carried out on location verification, including GDN selection criteria, and the use of some other subnetwork structures besides those that have already been explored.
[7] D. Liu, P. Ning, and W. Du, “Detecting malicious beacon nodes for secure location discovery in wireless sensor networks,” in Proc. IEEE ICDCS, 2005, pp. 609–619. [8] L. Lazos and R. Poovendran, “SeRLoc: Secure range-independent localization for wireless sensor networks,” in Proc. ACM Workshop Wireless Security, 2004, pp. 21–30. [9] F. Anjum, S. Pandey, and P. Agrawal, “Secure localization in sensor networks using transmission range variation,” in Proc. IEEE MASS, 2005, pp. 195–203. [10] N. Sastry, U. Shankar, and D. Wagner, “Secure verification of location claims,” in Proc. ACM Workshop Wireless Security, 2003, pp. 1–10. [11] Y. Chen, W. Trappe, and R. Martin, “Attack detection in wireless localization,” in Proc. IEEE INFOCOM, 2007, pp. 1964–1972. [12] N. Priyantha, H. Balakrishnan, E. Demaine, and S. Teller, “Mobileassisted localization in wireless sensor networks,” in Proc. IEEE INFOCOM, 2005, vol. 1, pp. 172–183. [13] W. Zhang, Y. Liu, Y. Fang, and D. Wu, “Secure localization and authentication in ultra-wideband sensor networks,” IEEE J. Sel. Areas Commun., vol. 24, no. 4, pp. 829–835, Apr. 2006. [14] H. S. Ahn and K. H. Ko, “Simple pedestrian localization algorithms based on distributed wireless sensor networks,” IEEE Trans. Ind. Electron., vol. 56, no. 10, pp. 4296–4302, Oct. 2009. [15] S. Bartelmaos, K. Abed-Meraim, and E. Grosicki, “General selection criteria for mobile location in NLoS situations,” IEEE Trans. Wireless Commun., vol. 7, pt. 1, no. 11, pp. 4393–4403, Nov. 2008. [16] B. Parkinson and J. Spilker, Global Positioning System: Theory and Applications. Washington, DC: AIAA, 1996. [17] H. Liu, H. Darabi, P. Banerjee, and J. Liu, “Survey of wireless indoor positioning techniques and systems,” IEEE Trans. Syst., Man, Cybern., vol. 37, no. 6, pp. 1067–1080, Nov. 2007. [18] A. Boukerche, H. Oliveira, E. Nakamura, and A. Loureiro, “Secure localization algorithms for wireless sensor networks,” IEEE Commun. Mag., vol. 46, no. 4, pp. 96–101, Apr. 2008. [19] S. Capkun, K. Rasmussen, and M. Cagalj, “SecNav: Secure broadcast localization and time synchronization in wireless networks,” in Proc. ACM MobiCom, 2007, pp. 310–313. [20] M. Wylie and J. Holtzman, “The non-line of sight problem in mobile location estimation,” in Proc. IEEE Int. Conf. Universal Pers. Commun., 1996, vol. 2, pp. 827–831. [21] J. Caffery and G. Stuber, “Subscriber location in CDMA cellular networks,” IEEE Trans. Veh. Technol., vol. 47, no. 2, pp. 406–416, May 1998. [22] L. Cong and W. Zhuang, “Nonline-of-sight error mitigation in mobile location,” IEEE Trans. Wireless Commun., vol. 4, no. 2, pp. 560–573, Mar. 2005. [23] D. Liu, P. Ning, and W. Du, “Attack-resistant location estimation in sensor networks,” in Proc. ACM/IEEE IPSN, 2005, pp. 99–106. [24] J. Newsome, E. Shi, D. Song, and A. Perrig, “The Sybil attack in sensor networks: Analysis & defenses,” in Proc. ACM/IEEE IPSN, 2004, pp. 259–268. [25] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromisetolerant security mechanisms for wireless sensor networks,” IEEE J. Sel. Areas Commun., vol. 24, no. 2, pp. 247–260, Feb. 2006.
R EFERENCES [1] M. Silventoinen and T. Rantalainen, “Mobile station emergency locating in GSM,” in Proc. IEEE Personal Wireless Commun., 1996, pp. 232–238. [2] R. Daily and D. Bevly, “The use of GPS for vehicle stability control systems,” IEEE Trans. Ind. Electron., vol. 51, no. 2, pp. 270–277, Apr. 2004. [3] T. Takei, R. Imamura, and S. Yuta, “Baggage transportation and navigation by a wheeled inverted pendulum mobile robot,” IEEE Trans. Ind. Electron., vol. 56, no. 10, pp. 3985–3994, Oct. 2009. [4] E. Foxlin, “Pedestrian tracking with shoe-mounted inertial sensors,” IEEE Comput. Graph. Appl., vol. 25, no. 6, pp. 38–46, Nov./Dec. 2005. [5] S. Capkun and J. Hubaux, “Secure positioning of wireless devices with application to sensor networks,” in Proc. IEEE INFOCOM, 2005, vol. 3, pp. 1917–1928. [6] S. Capkun, K. Rasmussen, M. Cagalj, and M. Srivastava, “Secure location verification with hidden and mobile base stations,” IEEE Trans. Mobile Comput., vol. 7, no. 4, pp. 470–483, Apr. 2008.
Dawei Liu (S’08) received the B.Eng. degree in electronics information engineering from Hunan University, Changsha, China, in 2005. He is currently working toward the Ph.D. degree in the Department of Computer Science and Engineering, The Chinese University of Hong Kong, Hong Kong. His research interests include mobile localization and location-based services.
LIU et al.: NODE-TO-NODE LOCATION VERIFICATION METHOD
Moon-Chuen Lee received the B.Sc. degree from University College London, London, U.K., the M.Sc. degree from Imperial College of Science and Technology London, London, and the Ph.D. degree in computer science from the University of London, London. He is currently an Associate Professor in the Department of Computer Science and Engineering, The Chinese University of Hong Kong, Hong Kong. His research interests include the areas of content-based image retrieval, multimedia applications, network security, and mobile positioning.
1537
Dan Wu is currently working toward the Ph.D. degree in the Department of Computer Science and Engineering, The Chinese University of Hong Kong, Hong Kong. His main research interests include parallel and distributed systems, computer and network security, and storage systems.
