alert

1

ALERT: An Anonymous Location-based EfficientRouting Protocol in MANETs

Haiying Shen*, Member, IEEE , Lianyu Zhao, Student Member, IEEE

�

Abstract—Mobile Ad Hoc Networks (MANETs) use anonymous routingprotocols that hide node identities and/or routes from outside observersin order to provide anonymity protection. However, existing anonymousrouting protocols relying on either hop-by-hop encryption or redundanttraffic, either generate high cost or cannot provide full anonymity pro-tection to data sources, destinations, and routes. The high cost exacer-bates the inherent resource constraint problem in MANETs especiallyin multimedia wireless applications. To offer high anonymity protectionat a low cost, we propose an Anonymous Location-based EfficientRouting proTocol (ALERT). ALERT dynamically partitions the networkfield into zones and randomly chooses nodes in zones as intermediaterelay nodes, which form a non-traceable anonymous route. In addition,it hides the data initiator/receiver among many initiators/receivers tostrengthen source and destination anonymity protection. Thus, ALERToffers anonymity protection to sources, destinations, and routes. It alsohas strategies to effectively counter intersection and timing attacks. Wetheoretically analyze ALERT in terms of anonymity and efficiency. Ex-perimental results exhibit consistency with the theoretical analysis, andshow that ALERT achieves better route anonymity protection and lowercost compared to other anonymous routing protocols. Also, ALERTachieves comparable routing efficiency to the GPSR geographical rout-ing protocol.

Index Terms—Mobile ad hoc networks, Anonymity, Routing protocol,Geographical routing

1 INTRODUCTIONRapid development of Mobile Ad Hoc Networks(MANETs) has stimulated numerous wireless applica-tions that can be used in a wide number of areas suchas commerce, emergency services, military, educationand entertainment. MANETs feature self-organizing andindependent infrastructures, which make them an idealchoice for uses such as communication and informationsharing. Because of the openness and decentralizationfeatures of MANETs, it is usually not desirable toconstrain the membership of the nodes in the network.Nodes in MANETs are vulnerable to malicious entitiesthat aim to tamper and analyze data and trafficanalysis by communication eavesdropping or attackingrouting protocols. Although anonymity may not be arequirement in civil-oriented applications, it is criticalin military applications (e.g., soldier communication).Consider a MANET deployed in a battlefield. Throughtraffic analysis, enemies may intercept transmitted pack-ets, track our soldiers (i.e., nodes), attack the commandernodes, and block the data transmission by comprisingrelay nodes, thus putting us at a tactical disadvantage.

• * Corresponding Author. Email: [email protected]; Phone: (864) 6565931; Fax: (864) 656 5910.

• The authors are with the Department of Electrical and Computer Engi-neering, Clemson University, Clemson, SC, 29634.E-mail: {shenh,lianyuz}@clemson.edu

Anonymous routing protocols are crucial in MANETsto provide secure communications by hiding node iden-tities and preventing traffic analysis attacks from outsideobservers. Anonymity in MANETs includes identity andlocation anonymity of data sources (i.e., senders) anddestinations (i.e., recipients), as well as route anonymity.“Identity and location anonymity of sources and des-tinations” means it is hard if possible for other nodesto obtain the real identities and exact locations of thesources and destinations. For route anonymity, adver-saries, either en route or out of the route, cannot tracea packet flow back to its source or destination, andno node has information about the real identities andlocations of intermediate nodes en route. Also, in or-der to dissociate the relationship between source anddestination (i.e., relationship unobservability [1]), it isimportant to form an anonymous path between the twoendpoints and ensure that nodes en route do not knowwhere the endpoints are, especially in MANETs wherelocation devices may be equipped.

Existing anonymity routing protocols in MANETs canbe mainly classified into two categories: hop-by-hopencryption [2], [3], [4], [5], [6] and redundant traffic [7],[8], [9], [10], [11], [12], [13]. Most of the current ap-proaches are limited by focusing on enforcing anonymityat a heavy cost to precious resources because public-keybased encryption and high traffic generate significantlyhigh cost. In addition, many approaches cannot pro-vide all of the aforementioned anonymity protections.For example, ALARM [5] cannot protect the locationanonymity of source and destination, SDDR [14] cannotprovide route anonymity, and ZAP [13] only focuseson destination anonymity. Many anonymity routing al-gorithms [3], [4], [13], [5], [6], [11], [10] are based onthe geographic routing protocol (e.g. Greedy PerimeterStateless Routing (GPSR) [15]) that greedily forwards apacket to the node closest to the destination. However,the protocol’s strict relay node selection makes it easy toreveal the source and destination and to analyze traffic.

On the other hand, limited resource is an inherentproblem in MANETs, in which each node labors underan energy constraint. MANETs’ complex routing andstringent channel resource constraints impose strict lim-its on the system capacity. Further, the recent increasinggrowth of multimedia applications (e.g., video transmis-sion) imposes higher requirement of routing efficiency.However, existing anonymous routing protocols gen-erate a significantly high cost, which exacerbates theresource constraint problem in MANETs. In a MANETemploying a high-cost anonymous routing in a battle-

Digital Object Indentifier 10.1109/TMC.2012.65 1536-1233/12/$31.00 © 2012 IEEE

IEEE TRANSACTIONS ON MOBILE COMPUTINGThis article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.

2

field, a low quality of service in voice and video datatransmission due to depleted resources may lead todisastrous delay in military operations.

In order to provide high anonymity protection (forsources, destination, and route) with low cost, we pro-pose an Anonymous Location-based and Efficient Rout-ing proTocol (ALERT). ALERT dynamically partitions anetwork field into zones and randomly chooses nodesin zones as intermediate relay nodes, which form a non-traceable anonymous route. Specifically, in each routingstep, a data sender or forwarder partitions the networkfield in order to separate itself and the destination intotwo zones. It then randomly chooses a node in the otherzone as the next relay node and uses the GPSR [15]algorithm to send the data to the relay node. In thelast step, the data is broadcasted to k nodes in thedestination zone, providing k-anonymity to the destina-tion. In addition, ALERT has a strategy to hide the datainitiator among a number of initiators to strengthen theanonymity protection of the source. ALERT is also re-silient to intersection attacks [16] and timing attacks [16].We theoretically analyzed ALERT in terms of anonymityand efficiency. We also conducted experiments to eval-uate the performance of ALERT in comparison withother anonymity and geographic routing protocols. Insummary, the contribution of this work includes:

1) Anonymous routing. ALERT provides routeanonymity, identity and location anonymityof source and destination.

2) Low cost. Rather than relying on hop-by-hop en-cryption and redundant traffic, ALERT mainly usesrandomized routing of one message copy to pro-vide anonymity protection.

3) Resilience to intersection attacks and timing attacks.ALERT has a strategy to effectively counter inter-section attacks, which have proved to be a toughopen issue [16]. ALERT can also avoid timingattacks because of its non-fixed routing paths fora source-destination pair.

4) Extensive simulations. We conducted comprehensiveexperiments to evaluate ALERT’s performance incomparison with other anonymous protocols.

The remainder of this paper is organized as follows.In Section 2, we present the design of the ALERT routingprotocol. Section 3 discusses the anonymity performanceof ALERT and its strategies to deal with certain attacks.In Section 4, we theoretically analyzed ALERT in termsof anonymity and efficiency. Experimental performanceof the ALERT protocol is evaluated in Section 5. InSection 6, we describe related anonymous routing ap-proaches in MANETs. The conclusion and future workare given in Section 7.

2 ALERT: AN ANONYMOUS LOCATION-BASED EFFICIENT ROUTING PROTOCOL

2.1 Networks and Attack Models and AssumptionsALERT can be applied to different network modelswith various node movement patterns such as randomway point model [17] and group mobility model [18].Consider a MANET deployed in a large field wheregeographic routing is used for node communication inorder to reduce the communication latency. The location

of a message’s sender may be revealed by merely expos-ing the transmission direction. Therefore, an anonymouscommunication protocol that can provide untraceabilityis needed to strictly ensure the anonymity of the senderwhen the sender communicates with the other side of thefield. Moreover, a malicious observer may try to blockthe data packets by compromising a number of nodes,intercept the packets on a number of nodes, or even traceback to the sender by detecting the data transmissiondirection. Therefore, the route should also be unde-tectable. A malicious observer may also try to detectdestination nodes through traffic analysis by launchingan intersection attack. Therefore, the destination nodealso needs the protection of anonymity.

In this work, the attackers can be battery powerednodes that passively receive network packets and detectactivities in their vicinity. They can also be powerfulnodes that pretend to be legitimate nodes and injectpackets to the network according to the analytical re-sults from their eavesdropped packets. The assumptionsbelow apply to both inside and outside attackers.(1) Capabilities. By eavesdropping, the adversary nodes

can analyze any routing protocol and obtain infor-mation about the communication packets in theirvicinity and positions of other nodes in the network.They can also monitor data transmission on the flywhen a node is communicating with other nodesand record the historical communication of nodes.They can intrude on some specific vulnerable nodesto control their behavior, e.g., with denial-of-service(DoS) attacks, which may cut the routing in existinganonymous geographic routing methods.

(2) Incapabilities. The attackers do not issue strong activeattacks such as black hole. They can only performintrusion to a proportion of all nodes. Their com-puting resources are not unlimited; thus, both sym-metric and public/private key cannot be brutallydecrypted within a reasonable time period. There-fore, encrypted data is secure to a certain degreewhen the key is not known to the attackers.

2.2 Dynamic Pseudonym and Location ServiceIn one interaction of node communication, a source nodeS sends a request to a destination node D and thedestination responds with data. A transmission session isthe time period that S and D interact with each othercontinuously until they stop. In ALERT, each node usesa dynamic pseudonym as its node identifier rather thanusing its real MAC address, which can be used to tracenodes’ existence in the network. To avoid pseudonymcollision, we use a collision-resistant hash function, suchas SHA-1 [19], to hash a node’s MAC address andcurrent time stamp. To prevent an attacker from re-computing the pseudonym, the time stamp should beprecise enough (e.g., nanoseconds). Considering the net-work delay, the attacker needs to compute, e.g., 105,times for 1 packet per node. There may also be manynodes for an attacker to listen, so the computing over-head is not acceptable, and the success rate is low. To fur-ther make it more difficult for an attacker to compute thetimes tamp, we can increase the computation complexityby using randomization for the time stamps. Specifically,we keep the precision of time stamp to a certain extent,say 1 second, and randomize the digits within 1/10th.


3

Thus, the pseudonyms cannot be easily reproduced. Anode’s pseudonym expires after a specific time periodin order to prevent adversaries from associating thepseudonyms with nodes. If pseudonyms are changedtoo frequently, the routing may get perturbed; and ifpseudonyms are changed too infrequently, the adver-saries may associate pseudonyms with nodes acrosspseudonym changes. Therefore, the pseudonym changefrequently should be appropriately determined. Eachnode periodically piggybacks its updated position andpseudonym to “hello” messages, and sends the messagesto its neighbors. Also, every node maintains a routingtable that keeps its neighbors’ pseudonyms associatedwith their locations.

As previous works [10], [13], we assume that thepublic key and location of the destination of a datatransmission can be known by others, but its real identityrequires protection. We can utilize a secure location ser-vice [20], [21], [22], [23], [24] to provide the informationof each node’s location and public key. Such a locationservice enables a source node, who is aware of theidentity of the destination node, to securely obtain thelocation and public key of the destination node. Thepublic key is used to enable two nodes to securely estab-lish a symmetric key Ks for secure communication. Thedestination location enables a node to determine the nexthop in geographic routing. Specifically, trusted normalnodes or dedicated service provider nodes are used toprovide location service. Each node has a location server.When a node A wants to know the location and publickey of another node B, it will sign the request containingB’s identity using its own identity. Then, the locationserver of A will return an encrypted position of B and itspublic key, which can be decrypted by A using the pre-distributed shared key between A and its location server.When node A moves, it will also periodically update itsposition to its location server.

For high reliability, the location serves can replicatedata between each other. Thus, the location servers areallowed to fail, because each node can be in contactwith all location servers in range. For example, currentlocation service solutions such as [20] are able toseamlessly let node switch between location servers.We assume that the attacker will not compromise andutilize the location to find out the real identities ofnodes that contact with the compromised locationserver, which is the common assumption of currentlocation services [20], [21]. We leave the work on securelocation service as our future.

The existence of the location servers are opposed tothe ad-hoc property of MANETs, and it is not necessaryto use location servers in a MANET without securityconsideration. However, anonymous communication re-quires third-party servers to reliably collect and transmitconfidential information, and this solution was used inmany of previously proposed works such as [4], [11],[13]. With the advance of wireless access point (AP), thedeployment of location services can be conducted byplacing several APs in the whole WIMAX network ofcivil use at a reasonable cost. It is difficult to preserveall stable location servers in a battle field, but sincethe location servers are not necessarily be functional allthe time and each node only needs to have one usablelocation server, the location servers can be buried under

A2 S

D A1 RF1

A2 S

D RF1

B1 B2

RF2

S

D

A1

S

D

A2 A1

S

D

B2

RF2

…

RF1

C1 C2 A1

S

RF1

Dest

inat

ion

zone

De

stin

atio

n

zone

… …

RF1’

Fig. 1: Examples of different zone partitions.the ground where anonymous communication is needed.

2.3 The ALERT Routing AlgorithmFor ease of illustration, we assume the entire networkarea is generally a rectangle in which nodes are ran-domly disseminated. The information of the bottom-right and upper-left boundary of the network area isconfigured into each node when it joins in the system.This information enables a node to locate the positionsof nodes in the entire area for zone partitions in ALERT.

ALERT features a dynamic and unpredictable routingpath, which consists of a number of dynamically deter-mined intermediate relay nodes. As shown in the upperpart of Figure 1, given an area, we horizontally partitionit into two zones A1 and A2. We then vertically partitionzone A1 to B1 and B2. After that, we horizontallypartition zone B2 into two zones. Such zone partitioningconsecutively splits the smallest zone in an alternatinghorizontal and vertical manner. We call this partitionprocess hierarchical zone partition. ALERT uses the hier-archical zone partition and randomly chooses a node inthe partitioned zone in each step as an intermediate relaynode (i.e., data forwarder), thus dynamically generatingan unpredictable routing path for a message.

Figure 2 shows an example of routing in ALERT.We call the zone having k nodes where D resides thedestination zone, denoted as ZD. k is used to controlthe degree of anonymity protection for the destination.The shaded zone in Figure 2 is the destination zone.Specifically, in the ALERT routing, each data sourceor forwarder executes the hierarchical zone partition.It first checks whether itself and destination are in thesame zone. If so, it divides the zone alternatively in thehorizonal and vertical directions. The node repeats thisprocess until itself and ZD are not in the same zone.It then randomly chooses a position in the other zonecalled temporary destination (TD), and uses the GPSRrouting algorithm to send the data to the node closest toTD. This node is defined as a random forwarder (RF).Figure 3 shows an example where node N3 is the closestto TD, so it is selected as a RF . ALERT aims at achievingk-anonymity [25] for destination node D, where k is apre-defined integer. Thus, in the last step, the data isbroadcasted to k nodes in ZD, providing k-anonymityto the destination.

Given an S-D pair, the partition pattern in ALERTvaries depending on the randomly selected TDs andthe order of horizontal and vertical division, whichprovides a better anonymity protection. Figure 1 showstwo possible routing paths for a packet pkt issued bysender S targeting destination D in ALERT. There are


4

AB C

S

RF1

RF2

RF3

DRF4

Relay-node

S: Source

RFi: Random-forwarder

D: Destination

Fig. 2: Routing among zones in ALERT.

TD

N1 N2

N3 N4

Fig. 3: Choosing a RF according to a given TD.also many other possible paths. In the upper routingflow, data source S first horizontally divides the area intotwo equal-size zones, A1 and A2, in order to separateS and ZD. S then randomly selects the first temporarydestination TD1 in zone A1 where ZD resides. Then, Srelies on GPSR to send pkt to TD1. The pkt is forwardedby several relays until reaching a node that cannot finda neighbor closer to TD1. This node is considered to bethe first random-forwarder RF1. After RF1 receives pkt,it vertically divides the region A1 into regions B1 andB2 so that ZD and itself are separated in two differentzones. Then RF1 randomly selects the next temporarydestination TD2 and uses GPSR to send pkt to TD2. Thisprocess is repeated until a packet receiver finds itselfresiding in ZD, i.e., a partitioned zone is ZD having knodes. Then, the node broadcasts the pkt to the k nodes.

The lower part of Figure 1 shows another routing pathbased on a different partition pattern. After S verticallypartitions the whole area to separate itself from ZD,it randomly chooses TD1 and sends pkt to RF1. RF1

partitions zone A2 into B1 and B2 horizontally and thenpartitions B1 into C1 and C2 vertically, so that itselfand ZD are separated. Note that RF1 could verticallypartition A2 to separate itself from ZD in two zonesbut may choose a TD further away from the destinationthan the TD that resulted from the horizontal partition.Therefore, ALERT sets the partition in the alternativehorizontal and vertical manner in order to ensure that apkt approaches D in each step.

As GPSR, we assume that the destination node willnot move far away from its position during the datatransmission, so it can successfully receive the data. Inthis design, the tradeoff is the anonymity protectiondegree and transmission delay. A larger number ofhierarchies generate more routing hops, which increasesanonymity degree but also increases the delay. To en-sure the delivery of packets, the destination sends aconfirmation to the source upon receiving the packets.If the source has not received the confirmation during apredefined time period, it will re-send the packets.

2.4 The Destination Zone PositionThe reason we use ZD rather than D is to avoid exposureof D. Zone position refers to the upper-left and bottom-right coordinates of a zone. One problem is how to findthe position of ZD, which is needed by each packetforwarder to check whether it is separated from the

destination after a partition and whether it resides in ZD.Let H denote the total number of partitions in order toproduce ZD. Using the number of nodes in ZD (i.e., k),and node density ρ, H is calculated by

H = log2(ρ · G

k),

where G is the size of the entire network area. Using thecalculated H , the size G, the positions (0, 0)and(xG, yG)of the entire network area, and the position of D, thesource S can calculate the zone position of ZD. AssumeALERT partitions zone vertically first. After the firstvertical partition, the positions of the two generatedzones are (0, 0), (0.5xG, yG) and (0.5xG, 0), (xG, yG). Sthen finds the zone where ZD is located and dividesthat zone horizontally. This recursive process continuesuntil H partitions are completed. The final generatedzone is the desired destination zone, and its positioncan be retrieved accordingly. Therefore, the size of thedestination zone is G

2H . For example, for a network withsize G = 8 and position represented by (0, 0) and (4, 2),if H = 3 and the destination position is (0.5, 0.8), theresulting destination zone’s position is (0, 0) and (1, 1)with size of 8

23 = 1.

2.5 Packet Format of ALERTFor successful communication between S and D, Sand each packet forwarder embeds the followinginformation into the transmitted packet.(1) The zone position of ZD, i.e., the Hth partitionedzone.(2) The encrypted zone position of the Hth partitionedzone of S using D’s public key, which is the destinationfor data response.(3) The current randomly selected TD for routing.(4) A bit (i.e., 0/1), which is flipped by each RF,indicating the partition direction (horizontal or vertical)of the next RF.

With the encrypted Hth partitioned zone in the infor-mation of (2), an attacker needs very high computationpower to be able to launch attacks such as dictionaryattack to decrypt it in order to discover the source S ofa session with a specific destination D. Moreover, theHth partitioned zone is the position of a zone ratherthan a position, which makes it even harder to locate thesource S. Such an attack from an attacker with very highcomputation power is beyond our practical assumption.

In order to save computing resources, we let thesource node calculate the information of (1) and (2) andforward it along the route rather than letting each packetforwarder calculate the values. In order to hide thepacket content from adversaries, ALERT employs cryp-tography. The work in [26] experimentally proved thatgenerally symmetric key cryptography costs hundredsof times less overhead than public key cryptographywhile achieving the same degree of security protection.Thus, instead of using public key cryptography, ALERTuses symmetric key encryption for transmitted data.Recall that S can get D’s public key from the securelocation service. In a S-D communication, S first embedsa symmetric key KS

s , encrypted using D’s public key,into a packet. Later, D sends S its requested contents,encrypted with KS

s , decrypted by its own public key.Therefore, the packets communicated between S and Dcan be efficiently and securely protected using KS

s .


5

RREQ/RREP/NAK SP DP SzL DzL RFL

h H SpubK RN

pubKTTL)( D

pubKBitmap)(

data (NULL in NAK)

Fig. 4: Packet format of ALERT.Figure 4 shows the packet format of ALERT, which

omits the MAC header. Because of the randomizedrouting nature in ALERT, we have a universal format forRREQ/RREP/NAK. A node use NAK to acknowledgethe loss of packets. The data field of RREQ/RREP is leftblank in NAK packets. Flooding-based anonymity rout-ing usually uses ACKs, while NAKs are often adopted ingeographic routing-based approaches [13] to reduce traf-fic cost. For the same purpose, we choose to use NAKs.In the packet, PS is the pseudonym of a source; PD is thepseudonym of the destination; LZS

and LZDare the posi-

tions of the Hth partitioned source zone and destinationzone, respectively; LTD is the currently selected TD’scoordinate; h is the number of divisions so far, H is themaximum allowed number of divisions; and KS

s denotesthe symmetric key of a source. Particularly, (TTL)KRN

pub

is used for the protection of source anonymity and willbe introduced in Section 2.6, and (Bitmap)KD

pubis used

for solving intersection attack and will be discussed inSection 3.3. When node A wants to know the locationand public key of another node B, it will contact itslocation server as described in Section 2.2, thus there isno need to exchange shared keys between nodes.

2.6 Source AnonymityALERT contributes to the achievement of anonymityby restricting a node’s view only to its neighbors andconstructing the same initial and forwarded messages.This makes it difficult for an intruder to tell if a nodeis a source or a forwarding node. To strengthen theanonymity protection of the source nodes, we furtherpropose a lightweight mechanism called “notify andgo”. Its basic idea is to let a number of nodes send outpackets at the same time as S in order to hide the sourcepacket among many other packets.

“Notify and go” has two phases: “notify” and “go”.In the first “notify” phase, S piggybacks its data trans-mission notification with periodical update packets tonotify its neighbors that it will send out a packet. Thepacket includes two random back-off time periods, tand t0. In the “go” phase, S and its neighbors wait fora certain period of randomly chosen time ∈ [t, t + t0]before sending out messages. S’s neighbors generateonly several bytes of random data just in order to coverthe traffic of the source. t should be a small value thatdoes not affect the transmission latency. A long t0 maylead to a long transmission delay while a short t0 mayresult in interference due to many packets being sentout simultaneously. Thus, t0 should be long enough tominimize interference and balance out the delay betweenS and S’s farthest neighbor in order to prevent any in-truder from discriminating S. This camouflage augmentsthe privacy protection for S by η-anonymity where ηis the number of its neighbors. Therefore, it is difficultfor an attacker to analyze traffic to discover S even if itreceives the first notification.

ALERT utilizes a TTL field in each packet to preventthe packets issued in the first phase from being for-warded in order to reduce excessive traffic. Only the

packets of S are assigned a valid TTL, while the coveringpackets only have a TTL=0. After S decides the next TD,it forwards the packet to the next relay node (RN), whichis its neighbor based on GPSR. To prevent the coveringpackets from being differentiated from the ones sent byS, S encrypts the TTL field using KRN

pub obtained fromthe periodical “hello” packets between neighbors. Everynode that receives a packet but cannot find a valid TTLwill try to decrypt the TTL using its own private key.Therefore, only NRN will be able to successfully decryptit, while other nodes will drop such a packet.

2.7 Will Dead-End Compromise Anonymity?Dead-end is one common problem in the geographicrouting in which each node is aware of the positionsof its neighbors in order to forward a packet to theneighbor nearest to the destination. A dead-end occurswhen a packet is forwarded to a node whose neighborsare all further away from the destination than itself andthen the packet is routed between neighbors iteratively.ALERT can incorporate existing solutions [24], [27], [28],such as face routing, to avoid the dead-end problemwithout compromising anonymity protection. In ALERT,the transmission of each packet is based on a seriesof RFs who decide which region a packet should besent to. Between any two RFs, the relays perform theGPSR routing. Each relay has no information on theS or D except the destination zone information. Itsrouting action is based on the coordinate of the nextTD. Therefore, relays can incorporate existing solutionsto avoid the dead-end problem without exposing anydirect information about the S or D.

3 ANONYMITY PROTECTION AND STRATE-GIES AGAINST ATTACKSThis section discusses the performance of ALERT inproviding anonymity protection and its performanceand strategies to deal with some attacks.

3.1 Anonymity ProtectionALERT offers identity and location anonymity of thesource and destination, as well as route anonymity.Unlike geographic routing [29], [3], [4], [10], [11], whichalways takes the shortest path, ALERT makes the routebetween a S-D pair difficult to discover by randomlyand dynamically selecting the relay nodes. The resultantdifferent routes for transmissions between a given S-D pair make it difficult for an intruder to observe astatistical pattern of transmission. This is because the RFset changes due to the random selection of RFs duringthe transmission of each packet. Even if an adversarydetects all the nodes along a route once, this detectiondoes not help it in finding the routes for subsequenttransmissions between the same S-D pair.

Additionally, since an RF is only aware of its proceed-ing node and succeeding node in route, the source anddestination nodes cannot be differentiated from othernodes en route. Also, the anonymous path between Sand D ensures that nodes on the path do not knowwhere the endpoints are. ALERT strengthens the privacyprotection for S and D by the unlinkability of the trans-mission endpoints and the transmitted data [1]. That is,S and D cannot be associated with the packets in theircommunication by adversaries. ALERT incorporates the


6

D

a

e

d

cb

f g

(a)

D

a

ed

cb

fg

(b)

RF

D

(c)

Fig. 5: Intersection attack and solution.“notify and go” mechanism to prevent an intruder fromidentifying which node within the source neighborhoodhas initiated packets. ALERT also provides k-anonymityto destinations by hiding D among k receivers in ZD.Thus, an eavesdropper can only obtain information onZD, rather than the destination position, from the pack-ets and nodes en route.

The route anonymity due to random relay node selec-tion in ALERT prevents an intruder from interceptingpackets or compromising vulnerable nodes en route toissue DoS attacks. In ALERT, the routes between twocommunicating nodes are constantly changing, so it isdifficult for adversaries to predict the route of the nextpacket for packet interception. Similarly, the communi-cation of two nodes in ALERT cannot be completelystopped by compromising certain nodes because thenumber of possible participating nodes in each packettransmission is very large due to the dynamic routechanges. In contrast, these attacks are easy to perform ingeographic routing, since the route between a given S-Dpair is unlikely to change for different packet transmis-sions, and thus, the number of involved nodes is muchsmaller than in ALERT.

3.2 Resilience to Timing AttacksIn timing attacks [16], through packet departure andarrival times, an intruder can identify the packets trans-mitted between S and D, from which it can finally detectS and D. For example, two nodes A and B communicatewith each other at an interval of five seconds. After along observation time, the intruder finds that A’s packetsending time and B’s packet receiving time have a fixedfive second difference such as (19:00:55, 19:01:00) and(20:01:33, 20:01:38). Then, the intruder would suspectthat A and B are communicating with each other.

Avoiding the exhibition of interaction between com-munication nodes is a way to counter timing attacks.In ALERT, the “notify and go” mechanism and thebroadcasting in ZD both put the interaction between S-D into two sets of nodes to obfuscate intruders. Moreimportantly, the routing path between a given S-D andthe communication delay (i.e., time stamp) change con-stantly, which again keeps an intruder from identifyingthe S and D.

3.3 Strategy to Counter Intersection AttacksIn an intersection attack, an attacker with informationabout active users at a given time can determine thesources and destinations that communicate with eachother through repeated observations. Intersection attacksare a well-known problem and have not been wellresolved [16]. Though ALERT offers k-anonymity to D,an intersection attacker can still identify D from repeatedobservations of node movement and communication ifD always stays in ZD during a transmission session. This

is because as long as D is conducting communication,the attacker can monitor the change of the members inthe destination zone containing D. As time elapses andnodes move, all other members may move out of thedestination zone except D. As a result, D is identifiedas the destination because it always appears in thedestination zone.

Figure 5(a) is the status of a ZD after a packet isbroadcasted to the zone. The arrows show the movingdirections of nodes. We can see that nodes a, b, c, d, andD are in ZD. Figure 5(b) is the subsequent status of thezone the next time a packet is transmitted between thesame S-D pair. This time, nodes d, e, f , g and D are inZD. Since the intersection of the in-zone nodes in bothfigures includes d and D, D could be identified by theattacker. Therefore, the longer an attacker watches theprocess, the easier it is to identify the destination node.

To counter the intersection attack, ZAP [13] dynami-cally enlarges the range of anonymous zones to broad-cast the messages or minimizes communication sessiontime. However, the former strategy increases the com-munication overhead, while the latter may not be suit-able for long-duration communication. Instead of adopt-ing such a mitigating mechanism, we propose anotherstrategy to resolve this problem. Note that the attackercan be puzzled and lose the cumulated observation bymaking it occasionally fail to observe D’s reception ofpackets. Since packets are delivered to ZD constantlyin long-duration sessions rather than using direct localbroadcasting in the zone, the last RF multicasts packetpkt1 to a partial set of nodes, say m nodes out of the totalk nodes in the zone. The m nodes hold the packets untilthe arrival of the next packet pkt2. Upon the arrival of thenext packet, the m nodes conduct one-hop broadcastingto enable other nodes in the zone to also receive thepacket in order to hide D.

Fig 5(c) shows the two-step process with the first stepin solid arrows and the second step in dashed arrows.We can see that the first step reaches a number of nodesin the destination zone, but the destination is reachedin the second step. Because the deliveries of pkt1 andpkt2 are mixed, an attacker observes that D is not inthe recipient set of pkt1 though D receives pkt1 in thedelivery time of pkt2. Therefore, the attacker would thinkthat D is not the recipient of every packet in ZD in thetransmission session, thus foiling the intersection attack.

Because the attacker may grab and analyze packetson air, the last forwarding node alters a number of bitsin each packet to prevent the attacker from identifyingidentical packets in one broadcasting. This function isprovided by the field (Bitmap)KD

pubin each packet. The

Bitmap records the altered bits and is encrypted usingthe destination’s public key KD

pub for recovering theoriginal data. Since destination is not always within therecipient set, and the packet forwarded to a destinationis different from the original packet, the attacker cannotidentify the destination from its observation history bycalculating the intersection set of nodes. This approachincurs two extra costs. One is the one-hop broadcastingof the recipients in the destination zone. The other is theencryption cost of changed bits.

The percentage of nodes in ZD that can receive thepacket (i.e., coverage percent) is m

k + (1 − mk ) × pc =

pc + m × 1−pc

k , where pc denotes the percentage of the


7

k−m nodes that receive the packet from the m nodes inthe second step. To ensure that D receives the packet, pc

should equal 1. pc = 1 can be achieved by a moderatevalue of m considering node transmission range. Alower transmission range leads to a higher value of mand vice versa.4 THEORETICAL ANALYSISIn this section, we theoretically analyze the anonymityand routing efficiency properties of ALERT. We analyzethe number of nodes that can participate in routing thatfunction as camouflages for routing nodes. We estimatethe number of RFs in a routing path, which showsthe route anonymity degree and routing efficiency ofALERT. We calculate the anonymity protection degreeof a destination zone as time passes to demonstrateALERT’s ability to counter intersection attacks. In thissection, we also use figures to show the analytical resultsto clearly demonstrate the relationship between thesefactors and the anonymity protection degree.

In our analysis scenario, we assume that the entirenetwork area is a rectangle with side lengths lA and lBand the entire area is partitioned H times to producea k-anonymity destination zone. For the parameters ofresults in the figures, unless otherwise indicated, the sizeof the entire network zone is 1000m × 1000m and thenumber of nodes equals 200. We set H = 5 to ensure thata reasonable number of nodes are in a destination zone.

We first introduce two functions to calculate the twoside lengths of the hth partitioned zone:

a(h, lA) =lA

2�h/2� , (1)

b(h, lB) =lB

2�h/2� . (2)

The side lengths of the destination zone after H parti-tions are a(H, lA) and b(H, lB). Figure 6 shows an ex-ample of three partitions of the entire network area. Theside lengths of the final zone after the three partitionsare

a(3, lA) =lA

2�3/2� = 0.5lA (3)

andb(3, lB) =

lB2�3/2� = 0.25lB . (4)

4.1 The Number of Possible Participating NodesThe intention of this analysis is to characterize howmany possible nodes are able to participate in one S-Drouting. The number of these nodes shows how manynodes can become camouflages in a routing path. Thesepossible participating nodes include RFs and the relaynodes between two RFs using GPSR. The nodes thatactually conduct the routing are not easily discoveredamong the many possible participating nodes, thusmaking the routing pattern undetectable. Because thepositions of both S and D affect the number of possibleparticipating nodes in routing, the positions influencerouting anonymity.

We first calculate the probability that σ partitions areneeded to separate S and D denoted as ps(σ). We use σto denote the closeness between S and D. ps(σ) actually isthe probability that D is located in a position that can beseparated from a given S using σ partitions. We can get:

ps(σ) =12σ

, 0 < σ ≤ H. (5)

Al

Bl

AA lla 5.0),3(

BB llb 25.0),3(

Fig. 6: The side lengths ofthe 3rd partitioned zone.

r’ r

Fig. 7: Approximating azone using a circle.

We use Ne(σ) to denote the expected number of nodesthat possibly take part in routing based on a givencloseness σ:

Ne(σ) = a(σ, lA)b(σ, lB)ρ, (6)where ρ denotes the density of nodes. By considering dif-ferent closeness σ, we arrive at the final expected num-ber of possible participating nodes from a S to any D:

Ne =H∑

σ=1

Ne(σ)ps(σ) =H∑

σ=1

(a(σ, lA)b(σ, lB)ρ)12σ

. (7)

We set the total number of nodes in the network to 100,200 and 400 respectively and use Formula (5) to calculatethe number of possible participating nodes. Figure 8(a)shows the result versus the number of partitions. Weobserve that the number of possible partitioning nodesexhibits a relatively faster increase when the numberof partitions H increases from 1 to 2. Later on, as Hincreases, the increase speed of the number slows downand tends to maintain around a constant (about 1/4 ofthe total number of nodes). When H = 1, the destinationzone is large, and the probability that D is located in aposition that can be separated from a given S using onepartition, ps(σ), equals 1

2 . The probability that D and Scannot be separated using one partition is also 1

2 , and inthis case, no random forwarders are needed, leading toa relatively low number of possible participating nodes.When H increases to 2, S and D have higher probabilityto be separated. Thus, more random forwarders areselected and the number of possible participating nodesincreases. As H continues to increase, the probabilitythat S and D need H partitions to separate from eachother (ps(σ)) exponentially decreases, and then thenumber of possible participating nodes increases moreand more slowly. The result implies that H shouldbe appropriately determined in order to balance thetradeoff between the degree of anonymity protectionand routing cost.

4.2 The Number of Random-ForwardersThe number of RFs determines the length of the routingpath in ALERT. Therefore, it reflects the energy-efficiencyand degree of anonymity of ALERT. From the anonymityview, for a network with a fixed number of nodes, moreRFs offer higher anonymity but will reduce the numberof nodes in the destination zone, and consequentlyreduce the anonymity protection of destination node.Therefore, the number of RFs should be carefully deter-mined to ensure a sufficient number of nodes located inthe destination zone. For a pair of S-D with closeness σ,we define pi(σ, i) as the probability that an S-D routingpath has i RFs. The number of RFs is determined bythe zone partition pattern. For example, in the bottom-right part in Figure 1, the random forwarder randomly


8

0

20

40

60

80

100

120

140

1 2 3 4 5 6 7

Num

ber o

f pos

sibl

e pa

rtici

patin

g no

des

Number of partitions

00 nodes4

200 nodes

100 nodes

(a) Estimated possible participat-ing nodes.

0

0.5

1

1.5

2

2.5

3

3.5

1 2 3 4 5 6 7

Num

ber o

f ran

dom

-fo

rwar

ders


(b) Estimated random-forwarders.

Fig. 8: Estimated routing nodes.

0

2

4

6

8

10

12

14

0 10 20 30 40 50

The

num

ber o

f rem

aini

ng

node

s

Data transmission duration (sec.)

Node density = 200/km2



(a) Density variation

0

1

2

3

4

5

6

7

0 10 20 30 40 50

The

num

ber o

f rem

aini

ng

node

s


speed = 0m/s

speed = 2m/s

speed = 4m/s

(b) Speed variation

Fig. 9: Estimated destination anonymity protection.

chosen by S could be in area B2 or C1. If S choosesRF1

′ in area B2, a random forwarder in area C1 may besubsequently chosen. If S chooses RF1 in area C1, it losesthe opportunity to select an RF in area B2, which meansthis routing has one RF less than the previous case. Weuse RF+ to represent the former case and use RF− torepresent the latter case.

Recall that H is the maximum number of partitionsfor an S-D pair. σ is the number of partitions performedbefore the first RF is chosen. Therefore, pi(σ, i) is de-termined by i RF choices that lead to RF+, and by(H − σ − i) RF choices that lead to RF−. For each RFselection, it has 1

2 probability to result in RF−, and alsohas 1

2 probability to result in RF+. Moreover, pi(σ, i) isonly related to the number of RF+s and RF−s insteadof the sequence of such RF+ and RF− choices, so it fitsthe Binomial distribution. Therefore,

pi(σ, i) = CiH−σ(

12)i(

12)H−σ−i = Ci

H−σ(12)H−σ. (8)

Using NRF (σ) to denote the expected number of RFs,we get

NRF (σ) =H−σ∑

i=1

pi(σ, i)i =H−σ∑

i=1

CiH−σ(

12)H−σi (9)

Finally, considering the probability of different closenessbetween S and D in Equation (5), we have

NRF =H∑

σ=1

H−σ∑

i=1

CiH−σ(

12)H−σ i

2σ, (10)

where NRF denotes the expected number of RFs.

Figure 8(b) demonstrates the number of RFs versus thenumber of partitions calculated using Formula (8). Theresult indicates that the number of RFs increases linearlyas the number of partitions increases. This is because onepartition may generate one more RF, and more partitionsgenerate more RFs. For a S-D pair, each partition leadsto either RF+ or RF− with the same probability. Sincethe final number of RFs depends on RF+ choices, thenumber of RFs increases proportionally as H increases.The figure shows the number of RFs by consideringdifferent location relationships of S and D.

More RFs in a routing path provide higher anonymityprotection to the route and two endpoints. Althoughwe can achieve a large number of RFs with a large H ,the zone for RF selection becomes smaller and smaller.Thus, the number of options for random RF selectiondecreases, which means that the anonymity protectionis enhanced with a decreasing speed. This means it isimportant to decide an appropriate H that can achievehigh anonymity protection without incurring significantoverhead due to many partitions and long path length.

4.3 Destination Anonymity Protection

Destination anonymity is determined by the number ofnodes in the destination zone, which is related to nodedensity and the size of the destination zone. Accordingto the work in [13], the probability that a node with amoving speed v remains in the destination zone, whichis a circular area with radius r, after time period t,denoted by pr(t), is exponentially distributed:

pr(t) = e−t/β(r), (11)where β(r) =

πr

2v. (12)

In order to apply Formulas (11) and (12) to ourmethod, we assume the Hth partitioned destinationzone is a square that can be approximated by a circlecovering approximately the same area. This assumptionis feasible, which only requires a square for the entirenetwork area (i.e., lA = lB) and an even number ofpartitions (i.e., a(H, lA) = b(H, lA)). We use 2r′ to denotethe side length of the destination zone. Hence, we cancalculate the radius of this approximate circle as below:

πr2 = (2r′)2 → r =2r′√

π. (13)

Thus β(r) =√

πr′

v. (14)

We use Nr(t) to denote the number of nodes remain-ing in the destination zone after a time period t. Then,we have

Nr(t) = pr(t)a(H, lA)b(H, lB)ρ = e−tv√

πr′ a(H, lA)2ρ. (15)According to Formulas (11) and (14), pr(t) is only re-lated to the nodes’ moving speed v and the destinationzone side length 2r′. Then, we can conclude that fora network with a given node density, in ALERT, thenumber of remaining nodes in the destination zonedecreases constantly as time goes on. After time t, it isdetermined only by nodes’ moving speed and the sizeof the destination zone.

We use Formula (13) to calculate the number ofremaining nodes in a destination zone (remaining nodesfor short) based on node density and moving speed. Weassume the process of node movement in a destinationzone follows exponential distribution [13]. We use theterm data transmission duration to denote the elapsed timeof node communicates. Figure 9(a) shows the numberof remaining nodes at node moving speed of 2m/s withnode densities 100, 200, and 400 over time. As node den-sity decreases, the number of remaining nodes drops andhence the degree of destination anonymity protectiondecreases correspondingly. Also, the number of remanetnodes decreases as the time increases. Figure 9(b)demonstrates the number of remaining nodes when thenode density equals to 200/km2 versus different node


9

moving speed over time. The number of remainingnodes decreases when the speed of nodes in the desti-nation zone becomes faster, so the degree of anonymityprotection of the destination decreases. Moreover, thenumber drops as time elapses due to the node mobility.The figures confirm our conclusion that the anonymityprotection of the destination is determined by the nodes’moving speed and the size of the destination zone, andthe protection degree decreases constantly over time.

For ALERT to be usable, we need to ensure that thepseudonym and location exchange cost is low comparedwith regular communication messages. Let N , NL, f ,F , and T denote the total number of nodes, the num-ber of location servers, the frequency of pseudonymand location updates and the frequency of regularcommunication messages, respectively. The number ofmessages exchanged between location servers withintime T is NL × (NL − 1) × f × T , the number ofmessages for pseudonym updates is N × f × T . Thenumber of communication messages in the network isN × F × T . Therefore, if the location servers incur onlya small fraction of messages, we need to make sure thatNL×(NL−1)×f×T+N×f×T

N×F×T � 1. Regular communicationfrequency should be much higher than update exchangemessages. Thus, f � F , so that N×f×T

N×F×T � 1. Therefore,NL×(NL−1)×f×T+N×f×T

N×F×T � 1 → NL×(NL−1)×f×TN×F×T � 1 →

NL×(NL−1)×fN×F � 1, which can be satisfied if NL is com-

parable to√

N . This is reasonable when the transmissionrange of nodes is modest so that only a small numberof location servers are needed.

5 PERFORMANCE EVALUATION

In this section, we provide experimental evaluation ofthe ALERT protocol, which exhibit consistency with ouranalytical results. Both prove the superior performanceof ALERT in providing anonymity with low cost ofoverhead. Recall that anonymous routing protocols canbe classified into hop-by-hop encryption and redundanttraffic. We compare ALERT with two recently proposedanonymous geographic routing protocols: AO2P [10]and ALARM [5], which are based on hop-by-hop en-cryption and redundant traffic, respectively. All of theprotocols are geographic routing, so we also compareALERT with the baseline routing protocol GPSR [30] inthe experiments. In GPSR, a packet is always forwardedto the node nearest to the destination. When such anode does not exist, GPSR uses perimeter forwardingto find the hop that is the closest to the destination. InALARM, each node periodically disseminates its ownidentity to its authenticated neighbors and continuouslycollects all other nodes’ identities. Thus, nodes can builda secure map of other nodes for geographical routing. Inrouting, each node encrypts the packet by its key whichis verified by the next hop en route. Such disseminationperiod was set to 30s in this experiment. The routing ofAO2P is similar to GPSR except it has a contention phasein which the neighboring nodes of the current packetholder will contend to be the next hop. This contentionphase is to classify nodes based on their distance fromthe destination node, and select a node in the class thatis closest to destination. Contention can make the ad hocchannel accessible to a smaller number of nodes in order

to decrease the possibility that adversaries participate,but concurrently this leads to an extra delay. Also, AO2Pselects a position on the line connecting the sourceand destination that is further to the source node thanthe destination to provide destination anonymity, whichmay lead to long path length with higher routing costthan GPSR.

5.1 Network ModelsWe use two different network models, random waypoint model [17] and group mobility model [18]. Withthe random way point model as the default setting, wealso compare the performance of ALERT in the groupmobility model. In the group mobility model, we setthe movement range of each group to 150m with 10groups [6] and to 200m with 5 groups.

5.2 ParametersThe tests were carried out on NS-2.29 simulator using802.11 as the MAC protocol with a standard wirelesstransmission range of 250m and UDP/CBR traffic [31]with a packet size of 512 bytes. The test field in our ex-periment was set to a 1000m×1000m area with 200 nodesmoving at a speed of 2m/s, unless otherwise specified.The density was set to 50, 100, 150 and 200 nodes persquare meters. The duration of each simulation was setto 100s unless otherwise indicated. The number of pairsof S-D communication nodes was set to 10 and S-D pairsare randomly generated. S sends a packet to D at aninterval of 2s. The final results are the average of resultsof 30 runs. The confidence interval can be thus calculatedfrom different runs and are shown when necessary. Theconfidence interval information is drawn along with theaverage point (in a “I” shape) on those figures.

For encryption, the symmetric encryption algorithm isAES and the public key encryption is RSA. Data are gen-erated randomly according to the packet size specifiedin the paper. Packets are encrypted whenever needed.The encryption algorithm is single threaded, runningalong with other parts of the experiment on a 1.8Ghzprocessor. A typical symmetric encryption costs severalmilliseconds while a public key encryption operationcosts 2-3 hundred milliseconds.

We use the following metrics to evaluation the routingperformance in terms of effectiveness on anonymityprotection and efficiency:(1) The number of actual participating nodes. These nodes

include RFs and relay nodes that actually participatein routing. This metric demonstrates the abilityof ALERT’s randomized routing to avoid routingpattern detection.

(2) The number of random-forwarders. This is the numberof actual RFs in a S-D routing path. It shows routinganonymity and efficiency.

(3) The number of remaining nodes in a destination zone.This is the number of original nodes remaining ina destination zone after a time period. A largernumber provides higher anonymity protection to adestination and to counter the intersection attack.We measure this metric over time to show effec-tiveness on the destination anonymity protection.

(4) The number of hops per packet. This is measured asthe accumulated routing hop counts divided by the


10

0

10

20

30

40

50

60

70

5 15 25 35 45 55 65 75

Num

ber o

f act

ual

parti

cipa

ting

node

s

Number of data packets transmitted

GPSR (200 nodes)ALERT (200 nodes)ALARM (200 nodes)AO2P (200 nodes)GPSR (100 nodes)ALERT (100 nodes)ALARM (100 nodes)AO2P (100 nodes)

(a) Different number of packetstransmitted.

0

5

10

15

20

25

50 100 150 200

Num

ber o

f act

ual

parti

cipa

ting

node

s

Number of nodes

GPSRALERTALARMAO2P

(b) Different network size.

Fig. 10: The number of actual participating nodes.

0

0.5

1

1.5

2

2.5

3

3.5

4

1 2 3 4 5 6 7

Num

ber o

f ran

dom

-fo

rwar

ders


Fig. 11: The # of random-forwarders.

0

2

4

6

8

10

12

14

0 10 20 30 40 50

The

num

ber o

f rem

aini

ng n

odes


Node Density = 100Node Density = 150Node Density = 200

Fig. 12: Destinationanonymity.

number of packets sent, which shows the efficiencyof routing algorithms.

(5) Latency per packet. This is the average time elapsedafter a packet is sent and before it is received. Itincludes the time cost for routing and cryptography.This metric reflects the latency and efficiency ofrouting algorithms.

(6) Delivery rate. This is measured by the fraction ofpackets that are successfully delivered to a destina-tion. It shows the robustness of routing algorithmsto adapt to mobile network environment.

5.3 The number of actual participating nodesFigure 10(a) demonstrates the cumulated actual partici-pating nodes in ALERT, GPSR, ALARM and AO2P, with100 and 200 nodes moving at a speed of 2m/s, respec-tively. Since ALARM and AO2P are similar to GPSR inthe routing scheme and thus have similar number ofactual participating nodes, we use GPSR to also repre-sent ALARM and AO2P in discussing the performancedifference between them and ALERT. We see that ALERTgenerates many more actual participating nodes since itproduces many different routes between each S-D pair.The figure shows that the number of actual participatingnodes is up to 30 in the 100 nodes case and is up to 45 inthe 200 nodes case. The results are close to the analyticalresults of the number of possible participating nodes(approximately 30 and 60 in Figure 8(a)). In ALERT,more nodes in the network produce more participatingnodes because each routing involves more new randomforwarders, which is a key property of ALERT to providerouting anonymity. On the contrary, GPSR only hasslight increase in the number of participating nodes be-cause it always takes the shortest path by greedy routing.

Figure 10(b) shows the number of actual participatingnodes after the transmission of 20 packets versus thenumber of nodes in the network. We see that the numberof actual participating nodes in GPSR is steady witha marginal increase. This is due to the reason thatthe increased node density provides shorter routes. Wealso can see that ALERT generates dramatically moreparticipating nodes than GPSR. GPSR has only 2-3 nodeswhile ALERT has 13-20. More participating nodes leadsto more randomized routes that are difficult to detector intercept. Therefore, the results in Figure 10(a) andFigure 10(b) illustrate higher route anonymity propertyof ALERT. On the contrary, the shortest routing pathsin ALARM, AO2P and GPSR follow the same greedyrouting principle, which are easy to be identified bythe adversaries through traffic analysis. Especially, whenthere are only few nodes communicate in the network,the route between two nodes could become very clear.

5.4 The number of random-forwardersFigure 11 demonstrates the number of RFs versus thenumber of partitions in ALERT. We see the average num-ber of RFs follows approximately a linear trend as thenumber of partitions increases. This experimental resultis consistent with the analytical results in Figure 8(b). Ahigher number of partitions H lead to more RFs, hencehigh anonymity protection. Recall that H = log2(ρ·G

k )and k controls the anonymity protection degree of thedestination. Thus, k should be set to a value that will notgenerate a high cost for broadcasting while still provid-ing high anonymity protection. Therefore, it is importantto discover an optimal tradeoff point for H and k.

5.5 Destination anonymity protectionFigure 12 depicts the number of remaining nodes with5 partitions and a 2m/s node moving speed when thenode density equals 100, 150, and 200, respectively.The figure shows that the number of remaining nodesincreases as node density grows while it decreases astime goes on. This is because higher node density leadsto more nodes in the destination zone, and more nodescould remain in the destination zone after certain a timethan with lower node density. Also, because of nodemobility, the number of nodes that have moved out ofthe destination zone increases as time passes. This figurefits well with our analysis in Figure 9(a).

Figure 13(a) shows the number of remaining nodeswith different numbers of partitions H , and node mov-ing speed, denoted by v. In this experiment, we setthe node moving speed to 0m/s, 2m/s and 4m/s, re-spectively. We observe that higher node mobility leadsto less remaining nodes and hence negatively impactsthe anonymity protection of the destination. This meansALERT is more suitable in low mobility environmentsto protect destinations from intersection attacks. Thisconclusion is consistent with the analytical results inFigure 9(a) and Figure 9(b). Comparing the two figuresin Figure 13(a), we observe similar slopes in both figures,which confirms the negative effect of node mobilityon the destination anonymity protection. Further, thenumber of remaining nodes when H = 4 is morethan that when H = 5. Less partitions generate larger-area destination zone with more nodes, thus providinghigher anonymity protection to the destination whilealso increasing the energy consumption in broadcasting.

In Figure 13(b), we fixed the number of nodes indestination zone (i.e., the number of remaining nodesin destination zone) and set the data transmission to10s. Therefore, destination anonymity is represented asa function of both node speed and density. We can


11

0

5

10

15

20#

of re

mai

ning

no

des

v = 0 v = 2 v = 4

0

2

4

6

8

0 10 20 30 40 50

# of

rem

aini

ng

node

s


H=4

H=5

(a) H = 4 and 5 (200 nodes).

0

50

100

150

200

250

300

350

400

450

0 5 10

Nod

e de

nsity

Node speed

Destination anonymity = 5Destination anonymity = 10

(b) Fixed destination anonymity.

Fig. 13: Influence of node moving speed and partitionson destination anonymity.

0

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

1.8

2

50 100 150 200

Late

ncy

(sec

.)

Number of nodes

GPSRALERTALARMAO2P

(a) Different node density.

0

0.2

0.4

0.6

0.8

1

1.2

0 2 4 6 8

Late

ncy

(sec

.)

Node moving speed

GPSRALERTGPSR (no dest. update)ALERT (no dest. update)ALARMAO2P

(b) Different node moving speed.

Fig. 14: Latency caused by encryption and routing.

see that as the node speed increases, the required nodedensity also increases. This is reasonable because fastermovement blanks out nodes originally in the destinationzone more quickly.

5.6 Routing performanceIn this experiment, we evaluated the routing perfor-mance of ALERT compared with GPSR, AO2P andALARM in terms of latency, number of hops per packet,and delivery rate. We also conducted tests with andwithout destination update in location service to showthe routing performance of different methods. In ourexperiment, for GPSR, if a destination node has movedaway from its original position without location up-date, the forwarding nodes will continue to forwardthe packet to other nodes until the routing path lengthreaches a predefined TTL. The TTL was set to 10 in theexperiments. In a transmission session, if the positionof a packet’s destination is changed but is not updatedin the location service, the packet may not successfullyreach the destination.

Figure 14(a) presents the latency per packet versus thetotal number of nodes (i.e., node density). Recall thatALERT does not take the shortest path in routing, whileALARM and AO2P take the shortest path in routing. Itis intriguing to see that the latency of ALERT is muchlower than ALARM and AO2P. This is caused by thetime cost of encryption. ALERT is based on symmetrickey encryption for packets, which takes shorter timethan the public key encryption used in ALARM andAO2P. Also, ALERT encrypts packets once, while AO2Pneeds to encrypt packets in each hop in routing andALARM needs to periodically authenticate neighbors.In ALARM and AO2P, the latency caused by the publickey cryptography outweighs the benefit of short latencyusing the shortest path. Therefore, even though ALERTgenerates more routing hops than AO2P and ALARMas shown in Figure 15, the latency of ALERT is stillsignificantly lower than ALARM and AO2P. The resultsconfirm that ALERT generates less cost due to encryp-tion than ALARM and AO2P. The latency of AO2Pis a little higher than ALARM because AO2P has acontention phase and may generate a slightly longerpath length as explained previously.

We also see that ALERT generates a slightly longerlatency than GPSR. ALERT does not aim to find a short-est route. Instead, it deliberately chooses a number ofRFs to provide routing anonymity. Another observationis that the latency of all methods decreases as the nodedensity increases. ALARM and AO2P exhibit a relativelyfaster drop, while ALERT’s latency decreases from 12ms

to 11ms and GPSR’s latency decreases from 11ms to6ms. This is because a higher node density providesmore options for relay nodes, leading to shorter routingpaths. Also, reduced public key encryption operationsin ALARM and AO2P significantly reduce the latency.In ALERT, the transmission between two RFs dependson GPSR, so its latency is reduced as well.

Figure 14(b) shows the latency versus node movingspeed varied from 2m/s to 8m/s. We can also observethat AO2P generates marginally higher latency thanALARM, both of them produce dramatically higherlatency than GPSR and ALERT, and ALERT producesslightly higher latency than GPSR due to the samereasons in Figure 14(a). When with destination update,experimental data indicates GPSR and ALERT have rela-tively stable latency with respect to node moving speed.This is because the destination node location can alwaysbe updated in time, so the routing path is always theshortest regardless of the moving speed. When withoutdestination update, the experimental results shows thatGPSR increases from 7ms to 11ms and ALERT increasesfrom 11ms to 12 ms though the phenomenon is notobvious in the figure. When a forwarding node fails toforward a message to the destination, it continues toforward the packet to other nodes until the path lengthreaches the TTL=10. Thus, the number of hops in a routeincreases, leading to longer routing latency.

Figure 15(a) shows the average hops per packet withthe number of nodes. In order to show the high cost ofthe group key dissemination in ALARM, we also includethe hops traversed for node identity dissemination intothe routing hops for the metric calculation, denoted by“ALARM (include id dissemination hops)” in the figure.ALERT has approximately one more hop per packet thanALARM, AO2P and GPSR since ALERT’s random relayselection generates longer path length than the shortestpath and others take the shortest path. The number ofhops per packet of AO2P and ALARM is similar toGPSR because AO2P and ALARM use the GPSR routingmechanism. However, the GPSR routing algorithm witha strict node selection cannot provide anonymity sinceadversaries can easily observe the nodes in the routingpath. The figure also shows that “ALARM (include iddissemination hops)” generates significantly higher hopsper packet than others, which is doubled of that ofALERT. This result verifies the dramatically high costof redundant traffic for anonymity in ALARM.

The periodical dissemination of node identities inALARM costs an additional large number of hops. Com-bining the results in Figure 14, we can conclude thatcompared to the hop-by-hop encryption AO2P method


12

0

2

4

6

8

10

12

50 100 150 200

Ave

rage

hop

s pe

r pac

ket

Number of nodes

GPSRALERTALARM (include id dissemination hops)AO2PALARM


0

1

2

3

4

5

6

7

8

9

10

0 2 4 6 8

Ave

rage

hop

s pe

r pac

ket

Node moving speed

GPSRALERTGPSR (no dest. update)ALERT (no dest. update)ALARM (include id dissemination hops)AO2PALARM


Fig. 15: Transmission cost.

0

0.2

0.4

0.6

0.8

1

1.2

50 100 150 200

Del

iver

y ra

te

Number of nodes

GPSRALERTALARMAO2P


0

0.2

0.4

0.6

0.8

1

1.2

0 2 4 6 8

Del

iver

y ra

te

Node moving speed

GPSRALERTGPSR (no dest. update)ALERT (no dest. update)ALARMAO2P


Fig. 16: Transmission delivery rate.

and the redundant traffic ALARM method, ALERT gen-erates lower computing cost. Also, though ALERT leadsto a slight increase in routing hop cost, it provides ahigher anonymity guarantee due to its undeterminedrouting path.

Figure 15(b) shows the average hops per packet whenthe moving speed of nodes is varied from 2m/s to 8m/s.We see that the number of hops of ALERT and GPSRincreases as the the moving speed increases when thereis no destination update. This is because the locationchange of nodes leads to longer route. When there isdestination update, the destination of routing is alwaysthe updated location, so the packet will be routed tothe destination following the shortest path regardless ofthe moving speed. We also see that “ALARM (includeid dissemination hops)” still has the highest cost dueto its periodical dissemination of node identity. ALERThas slightly higher hops per packet than ALARM, AO2Pand GPSR. These results are consistent with those inFigure 15(a) due to the same reasons.

Figure 16(a) shows the delivery rate versus the num-ber of nodes with destination update. We see that deliv-ery rate of all methods are close to 1, except in the sparseenvironment where node density is only 50 nodes/km2.This is due to the unavailability of relay nodes in asparse environment sometimes. In Figure 16(b), whenthere is destination update, ALERT and other methodscan also maintain a delivery rate steadily with dif-ferent node moving speeds from 2m/s to 8m/s. ForALERT and the base-line method GPSR, when there isno destination update, the delivery rates decrease asnode moving speed increases because of the mobilityof destinations during data transmission. An interestingobservation is that ALERT produces a higher deliveryrate than GPSR. This is a benefit of the final local broad-cast process in ALERT, which increases the possibility ofpacket delivery when the destination is not too far away.

We also measured the performance of ALERT undertwo movement models, random way point model [17]and group mobility model [18]. For group mobilitymodel, we set the movement range of each group to150m with 10 groups and 200m with 5 groups, respec-tively. Figure 17 shows the delay of different movementmodels. It can be seen that the delay of ALERT increasesslightly in the group movement model, this is becauseALERT in the random way point model relies on therandomly distributed nodes around each sender andforwarders, while nodes are less randomly distributedin the group mobility model. As the number of groupsincreases, each group contains less nodes, and the mobil-ity of the entire network will become more randomized.Therefore, ALERT with 5 groups generates higher delaythan ALERT with 10 groups, as shown in the figure.

0

0.02

0.04

0.06

0.08

0.1

0.12

0.14

0.16

50 100 150 200

Ave

rage

del

ay p

er p

acke

t

Number of nodes

ALERTALERT (10 groups)ALERT (5 groups)

Figure 17: Delay under differ-ent movement models.

In summary, theexperimental resultsexhibit consistencywith the theoreticalanalysis andshow that ALERTachieves better routeanonymity protectioncompared withexisting anonymousrouting protocols dueto its random relaynode selection. It hassignificantly lower energy consumption compared toAO2P and ALARM, and provides comparable routingefficiency with AO2P, ALARM and GPSR.

6 RELATED WORKAnonymous routing schemes in MANETs have been

studied in recent years. By the different usage of topolog-ical information, they can be classified into on-demandor reactive routing methods [8], [33], [34], [32], [3],[4], [11], [10], [13], and proactive routing methods [5].Also there are anonymous middleware working betweennetwork layer and application layer [9]. Since topol-ogy routing does not need the node location informa-tion, location anonymity protection is not necessary.Table 1 shows the classification of the methods alongwith their anonymity protection. To clearly show thefeatured anonymity protection in different reactive rout-ing methods, the table provides a finer classificationof different anonymity methods, including hop-by-hopencryption [8], [33], [34], [32], [3], [4], [11], [10] andredundant traffic routing [8], [11], [13].

In hop-by-hop encryption routing, a packet is en-crypted in the transmission of two nodes en route,preventing adversaries from tampering or analyzing thepacket contents to interrupt the communication or iden-tify of the two communicating nodes. Hop-by-hop en-cryption routing can be further divided into onion rout-ing and hop-by-hop authentication. In onion routing,packets are encrypted in the source node and decryptedlayer by layer (i.e., hop by hop) along the routingpath. It is used in Aad [8], ANODR [33] and Discount-ANODR [34] topological routing. Aad [8] combinesonion routing, multicast and uses packet coding policiesto constantly change the packets in order to reinforceboth destination and route anonymity. The onion used inANODR [33] is called TBO (trapdoor boomerang onion),which uses a trapdoor function instead of public key-based encryption. ANODR needs onion construction inboth route discovery and return routing, generating highcost. To deal with this problem, the authors further


13

TABLE 1: Summary of existing anonymous routing protocols.

Category Name Identity anonymityLocation anonymityRoute anonymity

Reactive

Hop-by-hop encryption

TopologyMASK [32] source n/a yes

ANODR [33] source, destination n/a yesDiscount-ANODR [34]source, destination n/a yes

Geographic

Zhou et al. [3] source, destination source, destination noPathak et al. [4] source, destination source, destination no

AO2P [10] source, destination source, destination noPRISM [6] source, destination source, destination no

Redundant trafficTopology Aad [8] destination n/a yes

Geographic ASR [11] source, destination source, destination noZAP [13] destination destination no

Proactive Redundant traffic Topology ALARM [5] source, destination source noMiddleware Redundant traffic Geographic MAPCP [9] source, destination n/a yes

proposed Discount-ANODR that constructs onions onlyon the return routes.

Hop-by-hop authentication is used to prevent adver-saries from participating in the routing to ensure routeanonymity [32], [3], [4], [11], [10], [7], [35]. MASK [32]topological routing uses neighborhood authentication inrouting path discovery to ensure that the discoveredroutes consist of legitimate nodes and are anonymousto attackers. The works in [3], [4], [11], [10] are basedon geographic routing. In GSPR [3], nodes encrypt theirlocation updates and send location updates to the lo-cation server. However, GSPR does not provide routeanonymity because packets always follow the shortestpaths using geographic routing, and the route can bedetected by adversaries in a long communication ses-sion. In [4], a mechanism called geographic hash is usedfor authentication between two hops en route, but theanonymity is compromised because the location of eachnode is know to nodes in the vicinity. In the AO2P [10]geographic routing algorithm, pseudonyms are used toprotect nodes’ real identities, and a node chooses theneighbor that can reduce the greatest distance from thedestination. Since AO2P does not provide anonymityprotection to destinations, the authors further improve itby avoiding the use of destination in deciding the classi-fication of nodes. The improved AO2P selects a positionon the line connecting the source and destination that isfurther to the source node than the destination and re-places the real destination with this position for distancecalculation. ASR [11] conducts authentication betweenthe source and the destination before data transmission.The source and each forwarder embed their public keysto the messages and locally broadcast the messages. Thedestination responds to the source in the same way. Ineach step, the response is encrypted using the previousnode’s public key so that only the previous forwardercan decrypt the message and further forward it. How-ever, such public key dissemination in routing makes itpossible for attackers to trace source/destination nodes.Ariadne [7] uses TESLA [36] to conduct broadcasting-style authentication between two neighboring hops enroute. Although it uses symmetric key cryptographyin the authentication, a high amount of traffic is in-evitably incurred in broadcasting. SEAD [35] uses low-cost one-way hash functions rather than asymmetriccryptographic operations in conducting authenticationfor lower cost. However, all of these hop-by-hop encryp-tion methods generate high cost due to the use of hop-by-hop public-key cryptography or complex symmetrickey cryptography.

Redundant traffic-based routing uses redundant traf-fic, such as multicast, local broadcasting, and flooding,

to obscure potential attackers. Multicast is used in theAad [8] topological routing algorithm to construct amulticast tree or forest to hide the destination node.Broadcast is used in MAPCP topological routing [9] andother geographic routing protocols [5], [11]. ASR [11]shuffles packets to prevent traffic analysis in addition tothe hop-by-hop authentication mentioned above. How-ever, its routing anonymity is compromised because thepublic key dissemination in routing makes it possible forthe attackers to trace back to the source and destination.ZAP [13] uses a destination zone, and locally broadcaststo a destination zone in order to reach the destinationwithout leaking the destination identity or position. Adisadvantage of redundant traffic-based methods is thevery high overhead incurred by the redundant opera-tions or packets, leading to high cost. Although somemethods such as ZAP only perform local broadcast in adestination zone, these methods cannot provide sourceor routing anonymity.

ALARM [5] uses proactive routing, where each nodebroadcasts its location information to its authenticatedneighbors so that each node can build a map for lateranonymous route discovery. However, this map con-struction leaks destination node locations and compro-mises the route anonymity. Different from all otherstudied methods, MAPCP [9] is a middleware betweennetwork and application layers, in which every hopin the routing path executes probabilistic broadcastingthat chooses a number of its neighbors with a certainprobability to forward messages.

Mix zones [12] and GLS [24] are zone-based locationservices. Mix zones is an anonymous location servicethat unveils the positions of mobile users in a long timeperiod in order to prevent users’ movement from beingtracked. Each location aware application that can moni-tor nodes’ locations on top of Mix zones is only allowedto monitor the nodes that are registered to it. Therefore,by letting each node associate with some zones butstay unregistered, these users’ location changes are un-traceable in unregistered zones. Although GLS also useshierarchical zone partitioning, its use is for location ser-vice while in ALERT, its use is for anonymous routing.ALERT is also different from GLS in the zone divisionscheme. A zone in ALERT is always divided into twosmaller rectangles, while GLS divides the entire squarearea into four sub squares and then recursively dividesthese into smaller squares. The zone division in ALERToccurs when selecting a next forwarding node, so thezones are formed dynamically as a message is beingforwarded. In contrast, the zone division and hierarchiesin GLS are configured in advance and the locationservers are selected based on the different hierarchies.


14

7 CONCLUSION AND FUTURE WORKPrevious anonymous routing protocols, relying on eitherhop-by-hop encryption or redundant traffic, generatehigh cost. Also, some protocols are unable to pro-vide complete source, destination, and route anonymityprotection. ALERT is distinguished by its low costand anonymity protection for sources, destinations androutes. It uses dynamic hierarchical zone partitions andrandom relay node selections to make it difficult for anintruder to detect the two endpoints and nodes en route.A packet in ALERT includes the source and destinationzones rather than their positions to provide anonymityprotection to the source and the destination. ALERT fur-ther strengthens the anonymity protection of source anddestination by hiding the data initiator/receiver amonga number of data initiators/receivers. It has the “notifyand go” mechanism for source anonymity, and uses lo-cal broadcasting for destination anonymity. In addition,ALERT has an efficient solution to counter intersectionattacks. ALERT’s ability to fight against timing attacks isalso analyzed. Experiment results show that ALERT canoffer high anonymity protection at a low cost when com-pared to other anonymity algorithms. It can also achievecomparable routing efficiency to the base-line GPSRalgorithm. Like other anonymity routing algorithms,ALERT is not completely bullet-proof to all attacks.Future work lies in reinforcing ALERT in an attemptto thwart stronger, active attackers and demonstratingcomprehensive theoretical and simulation results.

ACKNOWLEDGEMENTSThis research was supported in part by U.S. NSFgrants CSR-1025649, OCI-1064230, CNS-1049947, CNS-1156875, CNS-0917056 and CNS-1057530, CNS-1025652,CNS-0938189, CSR-2008826, CSR-2008827, MicrosoftResearch Faculty Fellowship 8300751, Sandia NationalLaboratories grant 10002282 and Oak Ridge Award2008833. An early version of this work [37] waspresented in the Proc. of ICPP’09.

REFERENCES[1] A. Pfitzmann, M. Hansen, T. Dresden, and U. Kiel. Anonymity,

unlinkability, unobservability, pseudonymity, and identity man-agement a consolidated proposal for terminology. version 0.31.Technical report, 2005.

[2] Sk. Md. M. Rahman, M. Mambo, A. Inomata, and E. Okamoto.An Anonymous On-Demand Position-Based Routing in MobileAd Hoc Networks. In Proc. of SAINT, 2006.

[3] Z. Zhi and Y. K. Choong. Anonymizing Geographic Ad HocRouting for Preserving Location Privacy. In Proc. of ICDCSW,2005.

[4] V. Pathak, D. Yao, and L. Iftode. Securing location aware servicesover VANET using geographical secure path routing. In Proc. ofICVES, 2008.

[5] K. El Defrawy and G. Tsudik. Alarm: Anonymous location-aidedrouting in suspicious manets. In Proc. of ICNP, 2007.

[6] K. El Defrawy and G. Tsudik. Prism: Privacy-friendly routing insuspicious manets (and vanets). In Proc. of ICNP, 2008.

[7] Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: a secure on-demand routing protocol for ad hoc networks. Wirel. Netw., 2005.

[8] I. Aad, C. Castelluccia, and J. Hubaux. Packet coding for stronganonymity in ad hoc networks. In Proc. of Securecomm, 2006.

[9] C.-C. Chou, D. S.L. Wei, C.-C. Jay Kuo, and K. Naik. An efficientanonymous communication protocol for peer-to-peer applicationsover mobile ad-hoc networks. In JSAC, pages 192–203, 2007.

[10] X. Wu. AO2P: Ad Hoc On-Demand Position-Based PrivateRouting Protocol. TMC, 2005.

[11] B. Zhu, Z. Wan, M. S. Kankanhalli, F. Bao, and R. H. Deng.Anonymous Secure Routing in Mobile Ad-Hoc Networks. In Proc.of LCN, 2004.

[12] A. R. Beresford and F. Stajano. Mix zones: User privacy inlocation-aware services. In Proc. of PERCOMW, 2004.

[13] X. Wu, J. Liu, X. Hong, and E. Bertino. Anonymous Geo-Forwarding in MANETs through Location Cloaking. TPDS, 2008.

[14] K. El-Khatib, L. Korba, R. Song, and G. Yee. Anonymous securerouting in mobile ad-hoc networks. In Proc. of ICPPW, 2003.

[15] S. Ratnasamy, B. Karp, S. Shenker, D. Estrin, R. Govindan, L. Yin,and F. Yu. Data-centric storage in sensornets with GHT, ageographic hash table. Mob. Netw. Appl., 8(4):427–442, 2003.

[16] J. Raymond. Traffic Analysis: Protocols, Attacks, Design Issues,and Open Problems. In Proc. of WDIAU, pages 10–29, 2001.

[17] T. Camp, J. Boleng, and V. Davies. A survey of mobility modelsfor ad hoc network research. WCMC, 2002.

[18] X. Hong, M. Gerla, G. Pei, and C.C. Chiang. A group mobilitymodel for ad hoc wireless networks. In Proc. of MSWiM, 1999.

[19] http://www.debian-administration.org/users/dkg/weblog/48.[20] X. Wu. DISPOSER: distributed secure position service in mobile

ad hoc networks: Research Articles. WCMC, 2006.[21] M. F. Mokbel, C.-Y. Chow, and W. G. Aref. The new casper: Query

processing for location services without compromising privacy. InProc. of VLDB, 2006.

[22] J. Li, J. Jannotti, D. S. J. De, D. S. J. De Couto, D. R. Karger,and R. Morris. A scalable location service for geographic ad hocrouting. In Proc. of MOBICOM, 2000.

[23] Y. Xue, B. Li, and K. Nahrstedt. A scalable location managementscheme in mobile ad-hoc networks. Technical report, 2001.

[24] Jinyang Li, John Jannotti, Douglas S. J. De, Couto David,R. Karger, and Robert Morris. A scalable location service forgeographic ad hoc routing. In Proc. of MOBICOM, 2000.

[25] L. Sweeney. k-anonymity: a model for protecting privacy. Int. J.Uncertain. Fuzziness Knowl.-Based Syst., 10(5):557–570, 2002.

[26] N. R. Potlapally, S. Ravi, A. Raghunathan, and N. K. Jha. Ana-lyzing the energy consumption of security protocols. In Proc. ofISLPED, 2003.

[27] H. Frey and I. Stojmenovic. On delivery guarantees of face andcombined greedy-face routing in ad hoc and sensor networks. InProc. of MobiCom, 2006.

[28] K. C. Lee, J. Haerri, L. Uichin, and M. Gerla. Enhanced perimeterrouting for geographic forwarding protocols in urban vehicularscenarios. In Proc. of Globecom Workshops, 2007.

[29] X. Wu. Disposer: distributed secure position service in mobile adhoc networks: Research articles. WCMC, 2006.

[30] http://www.cs.binghamton.edu/k̃liu/research/ns2code/index.html.[31] http://www.isi.edu/nsnam/ns/.[32] Y. Zhang, W. Liu, and W. Luo. Anonymous Communications in

Mobile Ad Hoc Networks. In Proc. of INFOCOM, 2005.[33] J. Kong, X. Hong, and M. Gerla. ANODR: Anonymous on

demand routing protocol with untraceable routes for mobile ad-hoc networks. In Proc. of MobiHoc, pages 291–302, 2003.

[34] L. Yang, M. Jakobsson, and S. Wetzel. Discount AnonymousOn Demand Routing for Mobile Ad hoc Networks. In Proc. ofSecurecomm, 2006.

[35] Y.-C. Hu, D. B. Johnson, and A. Perrig. SEAD: Secure EfficientDistance Vector Routing for Mobile Wireless Ad Hoc Networks.In Proc. of WMCSA, 2002.

[36] A. Perrig, R. Canetti, D. Song, and J. D. Tygar. Efficient and securesource authentication for multicast. In Proc. of NDSS, 2001.

[37] L. Zhao and H. Shen. Alert: An anonymous location-basedefficient routing protocol in manets. In Proc. of ICPP, 2011.

Haiying Shen Haiying Shen received the BSdegree in Computer Science and Engineeringfrom Tongji University, China in 2000, and theMS and Ph.D. degrees in Computer Engineer-ing from Wayne State University in 2004 and2006, respectively. She is currently an AssistantProfessor in the ECE Department at ClemsonUniversity. Her research interests include dis-tributed computer systems and computer net-works with an emphasis on P2P and contentdelivery networks, mobile computing, wirelesssensor networks, and grid and cloud computing.

Lianyu Zhao Lianyu Zhao received the BS andMS degrees in Computer Science from Jilin Uni-versity, China. He is currently a Ph.D. student inthe ECE Department at Clemson University. Hisresearch interests include wireless networks,routing protocols, applications and security is-sues in P2P networks.


alert

Documents

incorporate

high computation

symmetric

ds public

scalable location

group mobility

unpredictable

public key