ieee transactions on mobile computing, … and truthful detection of packet dropping attacks in...

Privacy-Preserving and Truthful Detectionof Packet Dropping Attacks in Wireless

Ad Hoc NetworksTao Shu and Marwan Krunz, Fellow, IEEE

Abstract—Link error and malicious packet dropping are two sources for packet losses in multi-hop wireless ad hoc network. In this

paper, while observing a sequence of packet losses in the network, we are interested in determining whether the losses are caused by

link errors only, or by the combined effect of link errors and malicious drop. We are especially interested in the insider-attack case,

whereby malicious nodes that are part of the route exploit their knowledge of the communication context to selectively drop a small

amount of packets critical to the network performance. Because the packet dropping rate in this case is comparable to the channel error

rate, conventional algorithms that are based on detecting the packet loss rate cannot achieve satisfactory detection accuracy. To

improve the detection accuracy, we propose to exploit the correlations between lost packets. Furthermore, to ensure truthful calculation

of these correlations, we develop a homomorphic linear authenticator (HLA) based public auditing architecture that allows the detector

to verify the truthfulness of the packet loss information reported by nodes. This construction is privacy preserving, collusion proof, and

incurs low communication and storage overheads. To reduce the computation overhead of the baseline scheme, a packet-block-based

mechanism is also proposed, which allows one to trade detection accuracy for lower computation complexity. Through extensive

simulations, we verify that the proposed mechanisms achieve significantly better detection accuracy than conventional methods such

as a maximum-likelihood based detection.

Index Terms—Packet dropping, secure routing, attack detection, homomorphic linear signature, auditing

Ç

1 INTRODUCTION

IN a multi-hop wireless network, nodes cooperate in relay-ing/routing traffic. An adversary can exploit this coopera-

tive nature to launch attacks. For example, the adversarymay first pretend to be a cooperative node in the route dis-covery process. Once being included in a route, the adver-sary starts dropping packets. In the most severe form, themalicious node simply stops forwarding every packetreceived from upstream nodes, completely disrupting thepath between the source and the destination. Eventually,such a severe denial-of-service (DoS) attack can paralyze thenetwork by partitioning its topology.

Even though persistent packet dropping can effectivelydegrade the performance of the network, from the attacker’sstandpoint such an “always-on” attack has its disadvan-tages. First, the continuous presence of extremely highpacket loss rate at the malicious nodes makes this type ofattack easy to be detected [25]. Second, once being detected,these attacks are easy to mitigate. For example, in case theattack is detected but the malicious nodes are not identified,one can use the randomized multi-path routing algorithms[28], [29] to circumvent the black holes generated by theattack, probabilistically eliminating the attacker’s threat. Ifthe malicious nodes are also identified, their threats can be

completely eliminated by simply deleting these nodes fromthe network’s routing table.

A malicious node that is part of the route can exploit itsknowledge of the network protocol and the communicationcontext to launch an insider attack—an attack that is intermit-tent, but can achieve the same performance degradationeffect as a persistent attack at a much lower risk of beingdetected. Specifically, the malicious node may evaluate theimportance of various packets, and then drop the smallamount that are deemed highly critical to the operation ofthe network. For example, in a frequency-hopping network,these could be the packets that convey frequency hoppingsequences for network-wide frequency-hopping synchroni-zation; in an ad hoc cognitive radio network, they could bethe packets that carry the idle channel lists (i.e., whitespaces) that are used to establish a network-wide controlchannel. By targeting these highly critical packets, theauthors in [21], [24], [25] have shown that an intermittentinsider attacker can cause significant damage to the networkwith low probability of being caught. In this paper, we areinterested in combating such an insider attack. In particular,we are interested in the problem of detecting the occurrenceof selective packet drops and identifying the maliciousnode(s) responsible for these drops.

Detecting selective packet-dropping attacks is extremelychallenging in a highly dynamic wireless environment. Thedifficulty comes from the requirement that we need to notonly detect the place (or hop) where the packet is dropped,but also identify whether the drop is intentional orunintentional. Specifically, due to the open nature ofwirelessmedium, a packet drop in the network could be caused byharsh channel conditions (e.g., fading, noise, and interfer-ence, a.k.a., link errors), or by the insider attacker. In an open

� T. Shu is with the Department of Computer Science and Engineering,Oakland University, Rochester, MI. E-mail: [email protected].

� M. Krunz is with the Department of Electrical and Computer Engineering,the University of Arizona, Tucson, AZ. E-mail: [email protected].

Manuscript received 13 Apr. 2013; revised 18 Mar. 2014; accepted 3 June2014. Date of publication 12 June 2014; date of current version 2 Mar. 2015.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference the Digital Object Identifier below.Digital Object Identifier no. 10.1109/TMC.2014.2330818

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 14, NO. 4, APRIL 2015 813

1536-1233� 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

wireless environment, link errors are quite significant, andmay not be significantly smaller than the packet droppingrate of the insider attacker. So, the insider attacker can cam-ouflage under the background of harsh channel conditions.In this case, just by observing the packet loss rate is notenough to accurately identify the exact cause of a packet loss.

The above problem has not been well addressed in theliterature. As discussed in Section 2, most of the relatedworks preclude the ambiguity of the environment byassuming that malicious dropping is the only source ofpacket loss, so that there is no need to account for the impactof link errors. On the other hand, for the small number ofworks that differentiate between link errors and maliciouspacket drops, their detection algorithms usually require thenumber of maliciously-dropped packets to be significantlyhigher than link errors, in order to achieve an acceptabledetection accuracy.

In this paper, we develop an accurate algorithm fordetecting selective packet drops made by insider attackers.Our algorithm also provides a truthful and publicly verifi-able decision statistics as a proof to support the detectiondecision. The high detection accuracy is achieved by exploit-ing the correlations between the positions of lost packets, ascalculated from the auto-correlation function (ACF) of thepacket-loss bitmap—a bitmap describing the lost/receivedstatus of each packet in a sequence of consecutive packettransmissions. The basic idea behind this method is thateven though malicious dropping may result in a packet lossrate that is comparable to normal channel losses, the stochas-tic processes that characterize the two phenomena exhibitdifferent correlation structures (equivalently, different pat-terns of packet losses). Therefore, by detecting the correla-tions between lost packets, one can decide whether thepacket loss is purely due to regular link errors, or is a com-bined effect of link error and malicious drop. Our algorithmtakes into account the cross-statistics between lost packets tomake a more informative decision, and thus is in sharp con-trast to the conventional methods that rely only on the distri-bution of the number of lost packets.

The main challenge in our mechanism lies in how to guar-antee that the packet-loss bitmaps reported by individualnodes along the route are truthful, i.e., reflect the actual sta-tus of each packet transmission. Such truthfulness is essen-tial for correct calculation of the correlation between lostpackets. This challenge is not trivial, because it is natural foran attacker to report false information to the detection algo-rithm to avoid being detected. For example, the maliciousnode may understate its packet-loss bitmap, i.e., some pack-ets may have been dropped by the node but the node reportsthat these packets have been forwarded. Therefore, someauditing mechanism is needed to verify the truthfulness ofthe reported information. Considering that a typical wirelessdevice is resource-constrained, we also require that a usershould be able to delegate the burden of auditing and detec-tion to some public server to save its own resources.

Our solution to the above public-auditing problem is con-structed based on the homomorphic linear authenticator(HLA) cryptographic primitive [2], [3], [27], which is basi-cally a signature scheme widely used in cloud computingand storage server systems to provide a proof of storagefrom the server to entrusting clients [30]. However, direct

application of HLA does not solve our problem well, mainlybecause in our problem setup, there can be more than onemalicious node along the route. These nodes may collude(by exchanging information) during the attack and whenbeing asked to submit their reports. For example, a packetand its associated HLA signature may be dropped at anupstream malicious node, so a downstream malicious nodedoes not receive this packet and the HLA signature from theroute. However, this downstream attacker can still open aback-channel to request this information from the upstreammalicious node. When being audited, the downstream mali-cious node can still provide valid proof for the reception ofthe packet. So packet dropping at the upstream maliciousnode is not detected. Such collusion is unique to our prob-lem, because in the cloud computing/storage server sce-nario, a file is uniquely stored at a single server, so there areno other parties for the server to collude with. We show thatour newHLA construction is collusion-proof.

Our construction also provides the following new fea-tures. First, privacy-preserving: the public auditor shouldnot be able to decern the content of a packet delivered onthe route through the auditing information submitted byindividual hops, no matter how many independentreports of the auditing information are submitted to theauditor. Second, our construction incurs low communica-tion and storage overheads at intermediate nodes. Thismakes our mechanism applicable to a wide range of wire-less devices, including low-cost wireless sensors thathave very limited bandwidth and memory capacities.This is also in sharp contrast to the typical storage-serverscenario, where bandwidth/storage is not considered anissue. Last, to significantly reduce the computation over-head of the baseline constructions so that they can beused in computation-constrained mobile devices, apacket-block-based algorithm is proposed to achievesscalable signature generation and detection. This mecha-nism allows one to trade detection accuracy for lowercomputation complexity.

The remainder of this paper is organized as follows. InSection 2 we review the related work. The system/adver-sary models and problem statement are described in Section3. We present the proposed scheme and analyze its securityperformance and overheads in Section 4. The low-computa-tion-overhead block-based algorithm is proposed in Section5. Simulation results are presented in Section 6, and we con-clude the paper in Section 7.

2 RELATED WORK

Depending on howmuch weight a detection algorithm givesto link errors relative to malicious packet drops, the relatedwork can be classified into the following two categories.

The first category aims at high malicious dropping rates,where most (or all) lost packets are caused by maliciousdropping. In this case, the impact of link errors is ignored.Most related work falls into this category. Based on themethodology used to identify the attacking nodes, theseworks can be further classified into four sub-categories. Thefirst sub-category is based on credit systems [9], [34], [10]. Acredit system provides an incentive for cooperation. A nodereceives credit by relaying packets for others, and uses its

814 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 14, NO. 4, APRIL 2015

credit to send its own packets. As a result, a maliciouslynode that continuous to drop packets will eventuallydeplete its credit, and will not be able to send its own traffic.The second sub-category is based on reputation systems[12], [8], [14], [19], [20], [11], [4]. A reputation system relieson neighbors to monitor and identify misbehaving nodes. Anode with a high packet dropping rate is given a bad repu-tation by its neighbors. This reputation information is prop-agated periodically throughout the network and is used asan important metric in selecting routes. Consequently, amalicious node will be excluded from any route. The thirdsub-category of works relies on end-to-end or hop-to-hopacknowledgements to directly locate the hops where pack-ets are lost [18], [22], [23], [5], [6], [32]. A hop of high packetloss rate will be excluded from the route. The fourth sub-category addresses the problem using cryptographic meth-ods. For example, the work in [17] utilizes Bloom filters toconstruct proofs for the forwarding of packets at each node.By examining the relayed packets at successive hops alonga route, one can identify suspicious hops that exhibit highpacket loss rates. Similarly, the method in [16], [33] tracesthe forwarding records of a particular packet at each inter-mediate node by formulating the tracing problem as aRenyi-Ulam game. The first hop where the packet is no lon-ger forwarded is considered a suspect for misbehaving.

The second category targets the scenario where the num-ber of maliciously dropped packets is significantly higherthan that caused by link errors, but the impact of link errorsis non-negligible. Certain knowledge of the wireless channelis necessary in this case. The authors in [26] proposed toshape the traffic at the MAC layer of the source nodeaccording to a certain statistical distribution, so that inter-mediate nodes are able to estimate the rate of received traf-fic by sampling the packet arrival times. By comparing thesource traffic rate with the estimated received rate, thedetection algorithm decides whether the discrepancy inrates, if any, is within a reasonable range such that the dif-ference can be considered as being caused by normal chan-nel impairments only, or caused by malicious dropping,otherwise. The works in [13] and [31] proposed to detectmalicious packet dropping by counting the number of lostpackets. If the number of lost packets is significantly largerthan the expected packet loss rate made by link errors, thenwith high probability a malicious node is contributing topacket losses.

All methods mentioned above do not perform well whenmalicious packet dropping is highly selective. More specifi-cally, for the credit-system-based method, a malicious nodemay still receive enough credits by forwarding most of thepackets it receives from upstream nodes. Similarly, in thereputation-based approach, the malicious node can main-tain a reasonably good reputation by forwarding most ofthe packets to the next hop. While the Bloom-filter schemeis able to provide a packet forwarding proof, the correctnessof the proof is probabilistic and it may contain errors. Forhighly selectively attacks (low packet-dropping rate), theintrinsic error rate of Bloom filer significantly underminesits detection accuracy. As for the acknowledgement-basedmethod and all the mechanisms in the second category,merely counting the number of lost packets does not give asufficient ground to detect the real culprit that is causing

packet losses. This is because the difference in the numberof lost packets between the link-error-only case and thelink-error-plus-malicious-dropping case is small when theattacker drops only a few packets. Consequently, the detec-tion accuracy of these algorithms deteriorates when mali-cious drops become highly selective.

Our study targets the challenging situation where linkerrors and malicious dropping lead to comparable packetloss rates. The effort in the literature on this problem hasbeen quite preliminary, and there is a few related works.Note that the cryptographic methods proposed in [24] tocounter selective packet jamming target a different issuethan the detection problem studied in this paper. The meth-ods in [24] delay a jammer from recognizing the significanceof a packet after the packet has been successfully transmit-ted, so that there is no time for the jammer to conduct jam-ming based on the content/importance of the packet.Instead of trying to detect any malicious behavior, theapproach in [24] is proactive, and hence incurs overheadsregardless of the presence or absence of attackers.

3 SYSTEM MODELS AND PROBLEM STATEMENT

3.1 Network and Channel Models

Consider an arbitrary path PSD in a multi-hop wireless adhoc network, as shown in Fig. 1. The source node S continu-ously sends packets to the destination nodeD through inter-mediate nodes n1; . . . ; nK , where ni is the upstream node ofniþ1, for 1 � i � K � 1. We assume that S is aware of theroute PSD, as in Dynamic Source Routing (DSR) [15]. If DSRis not used, S can identify the nodes in PSD by performing atraceroute operation. Here we mainly focus on static orquasi-static wireless ad hoc networks, i.e., we assume thatthe network topology and link characteristics remainunchanged for a relatively long period of time. Example net-works include wireless mesh networks (WMNs) and ad hocnetworks formed in nomadic computing. Extension to ahighly mobile environment is out of our scope and will beconsidered in the futurework.

We model the wireless channel of each hop along PSD asa random process that alternates between good and badstates. Packets transmitted during the good state are suc-cessful, and packets transmitted during the bad state arelost. In contrast to the classical Gilbert-Ellioit (GE) channelmodel, here we do not assume any Markovian property onthe channel behavior. We only require that the sequence ofsojourn times for each state follows a stationary distribu-tion, and the autocorrelation function of the channel state,say fcðiÞ, where i is the time lag in packets, is also

Fig. 1. Network and attack model.

SHU AND KRUNZ: PRIVACY-PRESERVING AND TRUTHFUL DETECTION OF PACKET DROPPING ATTACKS IN WIRELESS AD HOC... 815

stationary. Here we limit our study to quasi-static networks,whereby the path PSD remains unchanged for a relativelylong time, so that the link error statistics of the wirelesschannel is a wide-sense stationary (WSS) random process(i.e., fcðiÞ is stationary). Detecting malicious packet dropsmay not be a concern for highly mobile networks, becausethe fast-changing topology of such networks makes routedisruption the dominant cause for packet losses. In thiscase, maintaining stable connectivity between nodes is agreater concern than detecting malicious nodes. The func-tion fcðiÞ can be calculated using the probing approach in[1]. In brief, a sequence ofM packets are transmitted consec-utively over the channel. By observing whether the trans-missions are successful or not, the receiver obtains arealization of the channel state ða1; . . . ; aMÞ, whereaj 2 f0; 1g for j ¼ 1; . . . ;M. In this sequence, “1” denotesthe packet was successfully received, and “0” denotes thepacket was dropped. fcðiÞ is derived by computing theautocorrelation function of this sample sequence:

fcðiÞ def¼ Efajajþig for i ¼ 0; . . . ;M, where the expectation is

calculated over all transmitted packets j ¼ 1; . . . ;M. Thisautocorrelation function describes the correlation betweenpacket transmissions (successful/lost) at different times, asa function of the time lag. The time invariant nature of fc isguaranteed by the WSS assumption of the wireless channel.The measurement of fcðiÞ can take place online or offline. Adetailed discussion on how fcðiÞ is derived is out of thescope of this paper, and we simply assume that this infor-mation is given as input to our detection algorithm.

There is an independent auditor Ad in the network. Ad isindependent in the sense that it is not associated with anynode in PSD and does not have any knowledge of the secrets(e.g., cryptographic keys) held by various nodes. The audi-tor is responsible for detecting malicious nodes on demand.Specifically, we assume S receives feedback fromDwhenDsuspects that the route is under attack. Such a suspicionmay be triggered by observing any abnormal events, e.g., asignificant performance drop, the loss of multiple packets ofa certain type, etc. We assume that the integrity and authen-ticity of the feedback from D to S can be verified by S usingresource-efficient cryptographic methods such as the Ellip-tic Curve Digital Signature Algorithm (ECDSA). Once beingnotified of possible attacks, S submits an attack-detectionrequest (ADR) to Ad. To facilitate its investigation, Ad needsto collect certain information (elaborated on in the next sec-tion) from the nodes on route PSD. We assume that eachsuch node must reply to Ad’s inquiry, otherwise the nodewill be considered as misbehaving. We assume that normalnodes will reply with truthful information, but maliciousnodes may cheat. At the same time, for privacy reasons, werequire that Ad cannot determine the content of the normalpackets delivered over PSD from the information collectedduring the auditing.

3.2 Adversarial Model

The goal of the adversary is to degrade the network’s perfor-mance by maliciously dropping packets while remainingundetected. We assume that the malicious node has knowl-edge of the wireless channel, and is aware of the algorithmused for misbehavior detection. It has the freedom to choosewhat packets to drop. For example, in the random-drop

mode, the malicious node may drop any packet with a smallprobability pd. In the selective-mode, the malicious node onlydrops packets of certain types. A combination of the twomodes may be used. We assume that any node on PSD can bea malicious node, except the source and the destination. Inparticular, there can bemultiplemalicious nodes onPSD.

We consider the following form of collusion betweenmalicious nodes: A covert communication channel mayexist between any two malicious nodes, in addition to thepath connecting them on PSD. As a result, malicious nodescan exchange any information without being detected by Ad

or any other nodes in PSD. Malicious nodes can take advan-tage of this covert channel to hide their misbehavior andreduce the chance of being detected. For example, anupstream malicious node may drop a packet on PSD, butmay secretely send this packet to a downstream maliciousnode via the covert channel. When being investigated, thedownstream malicious node can provide a proof of the suc-cessful reception of the packet. This makes the auditorbelieve that the packet was successfully forwarded to thedownstream nodes, and not know that the packet was actu-ally dropped by an upstream attacker.

3.3 Problem Statement

Under the system and adversary models defined above, weaddress the problem of identifying the nodes on PSD thatdrop packets maliciously. We require the detection to beperformed by a public auditor that does not have knowl-edge of the secrets held by the nodes on PSD. When a mali-cious node is identified, the auditor should be able toconstruct a publicly verifiable proof of the misbehavior ofthat node. The construction of such a proof should be pri-vacy preserving, i.e., it does not reveal the original informa-tion that is transmitted on PSD. In addition, the detectionmechanism should incur low communication and storageoverheads, so that it can be applied to a wide variety ofwireless networks.

4 PROPOSED DETECTION SCHEME

4.1 Overview

The proposed mechanism is based on detecting the correla-tions between the lost packets over each hop of the path.The basic idea is to model the packet loss process of a hopas a random process alternating between 0 (loss) and 1 (noloss). Specifically, consider that a sequence of M packetsthat are transmitted consecutively over a wireless channel.By observing whether the transmissions are successful ornot, the receiver of the hop obtains a bitmap ða1; . . . ; aMÞ,where aj 2 f0; 1g for packets j ¼ 1; . . . ;M. The correlationof the lost packet is calculated as the auto-correlationfunction of this bitmap. Under different packet droppingconditions, i.e., link-error versus malicious dropping, theinstantiations of the packet-loss random process shouldpresent distinct dropping patterns (represented by the cor-relation of the instance). This is true even when the packetloss rate is similar in each instantiation. To verify this prop-erty, in Fig. 2 we have simulated the auto-correlation func-tions of two packet loss processes, one caused by 10 percentlink errors, and the other by 10 percent link errors plus10 percent malicious uniformly-random packet dropping. It


can be observed that significant gap exists between thesetwo auto-correlation functions. Therefore, by comparing theauto-correlation function of the observed packet loss pro-cess with that of a normal wireless channel (i.e., fcðiÞ), onecan accurately identify the cause of the packet drops.

The benefit of exploiting the correlation of lost packetscan be better illustrated by examining the insufficiency ofthe conventional method that relies only on the distributionof the number of lost packets. More specifically, under theconventional method, malicious-node detection is modeledas a binary hypothesis test, where H0 is the hypothesis thatthere is no malicious node in a given link (all packet lossesare due to link errors) and H1 denotes there is a maliciousnode in the given link (packet losses are due to both linkerrors and malicious drops). Let z be the observed numberof lost packets on the link during some interval t. Then,

z ¼ x; under H0 ðno malicious nodesÞxþ y; under H1ðthere is a malicious nodeÞ;

�(1)

where x and y are the numbers of lost packets caused bylink errors and by malicious drops, respectively. Both xand y are random variables. Let the probability densityfunctions of z conditioned on H0 and on H1 be h0ðzÞ andh1ðzÞ, respectively, as shown in Fig. 3a. We are interestedin the maximum-uncertainty scenario where the a prioriprobabilities are given by PrfH0g ¼ PrfH1g ¼ 0:5, i.e., theauditor has no prior knowledge of the distributions of H0

and H1 to make any biased decision regarding the pres-ence of malicious nodes. Let the false-alarm and miss-detection probabilities be Pfa and Pmd, respectively. Theoptimal decision strategy that minimizes the total detectionerror Pdedef¼0:5ðPfa þ PmdÞ is the maximum-likelihood(ML) algorithm:

if z � zth; accept H0;otherwise; accept H1;

�(2)

where the threshold zth is the solution to the equationh0ðzthÞ ¼ h1ðzthÞ. Under this strategy, Pfa and Pmd are theareas of the shaded regions shown in Fig. 3a, respectively.The problem with this mechanism is that, when the mean ofy is small, h1ðzÞ and h0ðzÞ are not sufficiently separated, lead-ing to largePfa andPmd, as shown in Fig. 3b. This observationimplies that when malicious packet drops are highly selec-tive, counting the number of lost packets is not sufficient toaccurately differentiate between malicious drops and link

errors. For such a case, we use the correlation between lostpackets to form amore informative decision statistic.

To correctly calculate the correlation between lost pack-ets, it is critical to enforce a truthful packet-loss bitmapreport by each node. We use HLA cryptographic primitivefor this purpose. The basic idea of our method is as follows.An HLA scheme allows the source, which has knowledge ofthe HLA secret key, to generate HLA signatures s1; . . . ; sMfor M independent messages r1; . . . ; rM , respectively. Thesource sends out the ri’s and si’s along the route. The HLAsignatures are made in such a way that they can be used asthe basis to construct a valid HLA signature for any arbi-

trary linear combination of the messages,PM

i¼1 ciri, withoutthe use of the HLA secret key, where ci’s are randomly cho-

sen coefficients. A valid HLA signature forPM

i¼1 ciri can beconstructed by a node that does not have knowledge of thesecret HLA key if and only if the node has full knowledgeof s1; . . . ; sM . So, if a node with no knowledge of the HLA

secret key provides a valid signature forPM

i¼1 ciri, it impliesthat this node must have received all the signaturess1; . . . ; sM . Our construction ensures that si and ri are senttogether along the route, so that knowledge of s1; . . . ; sMalso proves that the node must have received r1; . . . ; rM .

Our detection architecture consists of four phases: setup,packet transmission, audit, and detection. We elaborate onthese phases in the next section.

4.2 Scheme Details

4.2.1 Setup Phase

This phase takes place right after route PSD is established,but before any data packets are transmitted over the route.In this phase, S decides on a symmetric-key crypto-systemðencryptkey; decryptkeyÞ and K symmetric keys key1; . . . ;

keyK , where encryptkey and decryptkey are the keyed encryp-tion and decryption functions, respectively. S securely dis-tributes decryptkey and a symmetric key keyj to node nj onPSD, for j ¼ 1; . . . ; K. Key distribution may be based on thepublic-key crypto-system such as RSA: S encrypts keyjusing the public key of node nj and sends the cipher text tonj. nj decrypts the cipher text using its private key to obtain

keyj. S also announces two hash functions, H1 andHMACkey , to

all nodes in PSD. H1 is unkeyed while HMACkey is a keyed hash

function that will be used for message authentication pur-poses later on.

Besides symmetric key distribution, S also needs to setup its HLA keys. Let e : G�G ! GT be a computable bilin-ear map with multiplicative cyclic group G and support Zp,where p is the prime order of G, i.e., for all a, b 2 G and q1,

Fig. 2. Comparison of correlation of lost packets.

Fig. 3. Insufficiency of conventional detection algorithms when maliciouspacket drops are highly selective.


q2 2 Zp, eðaq1 ;bq2Þ ¼ eða;bÞq1q2 . Let g be a generator of G.

H2ð:Þ is a secure map-to-point hash function: f0; 1g� ! G,which maps strings uniformly to G. S chooses a randomnumber x 2 Zp and computes v ¼ gx. Let u be another gen-erator of G. The secret HLA key is sk ¼ x and the publicHLA key is a tuple pk ¼ ðv; g; uÞ.

4.2.2 Packet Transmission Phase

After completing the setup phase, S enters the packet trans-mission phase. S transmits packets to PSD according to thefollowing steps.

Before sending out a packet Pi, where i is a sequencenumber that uniquely identifies Pi, S computesri ¼ H1ðPiÞ and generates the HLA signatures of ri fornode nj, as follows:

sji ¼�H2ðijjjÞuri

�x; for j ¼ 1; . . . ; K; (3)

where jj denotes concatenation. These signatures are thensent together with Pi to the route by using a one-waychained encryption that prevents an upstream node fromdeciphering the signatures intended for downstream nodes.More specifically, after getting sji for j ¼ 1; . . . ; K, S itera-tively computes the following:

~sKi ¼ encryptkeyK ðsKiÞ;tKi ¼ ~sKijjMACkeyK ð~sKiÞ;

~sK�1i ¼ encryptkeyK�1ðsK�1ijjtKiÞ;

tK�1i ¼ ~sK�1ijjMACkeyK�1ð~sK�1iÞ;

..

.

~sji ¼ encryptkeyjðsjijjtjþ1iÞ;tji ¼ ~sjijjMACkeyjð~sjiÞ;

..

.

~s1i ¼ encryptkey1ðs1ijjt2iÞ;t1i ¼ ~s1ijjMACkey1ð~s1iÞ;

(4)

where the message authentication code (MAC) in each stage j

is computed according to the hash function HMACkeyj

. After get-

ting t1i, S putsPijjt1i into one packet and sends it to node n1.When node n1 receives the packet from S, it extracts Pi,

~s1i, and MACkey1ð~s1iÞ from the received packet. Then, n1

verifies the integrity of ~s1i by testing the following equality:

MACkey1ð~s1iÞ ¼ HMACkey1

ð~s1iÞ: (5)

If the test is true, then n1 decrypts ~s1i as follows:

decryptkey1ð~s1iÞ ¼ s1ijjt2i: (6)

Then, n1 extracts s1i and t2i from the decrypted text. It storesri ¼ H1ðPiÞ and s1i in its proof-of-reception database forfuture use. This database is maintained at every node onPSD. It can be considered as a FIFO queue of size M, whichrecords the reception status for the most recent M packetssent by S. Finally, n1 assembles Pijjt2i into one packet andrelays this packet to node n2. In case the test in (5) fails, n1

marks the loss of Pi in its proof-of-reception database anddoes not relay the packet to n2.

The above process is repeated at every intermediate nodenj, j ¼ 1; . . . ; K. As a result, node nj obtains ri and its HLA

signature sji for every packet Pi that the node has received,and it relays Pijjtjþ1i to the next hop on the route. The lasthop, i.e., node nK , only forwards Pi to the destination D. Asproved in Theorem 4 in Section 4.3, the special structure ofthe one-way chained encryption construction in (4) dictatesthat an upstream node on the route cannot get a copy of theHLA signature intended for a downstream node, and thusthe construction is resilient to the collusion model definedin Section 3.2. Note that here we consider the verification ofthe integrity of Pi as an orthogonal problem to that of verify-ing the tag tji. If the verification of Pi fails, node n1 shouldalso stop forwarding the packet and should mark it accord-ingly in its proof-of-reception database.

4.2.3 Audit Phase

This phase is triggered when the public auditor Ad receivesan ADR message from S. The ADR message includes the idof the nodes on PSD, ordered in the downstream direction,i.e., n1; . . . ; nK , S’s HLA public key information pk ¼ðv; g; uÞ, the sequence numbers of the most recent M packetssent by S, and the sequence numbers of the subset of theseM packets that were received by D. Recall that we assumethe information sent by S and D is truthful, because detect-ing attacks is in their interest. Ad conducts the auditing pro-cess as follows.

Ad submits a random challenge vector ~cj ¼ ðcj1; . . . ; cjMÞto node nj, j ¼ 1; . . . ; K, where the elements cji’s are ran-domly chosen from Zp. Without loss of generality, let thesequence number of the packets recorded in the currentproof-of-reception database be P1; . . . ; PM , with PM beingthe most recent packet sent by S. Based on the informationin this database, node nj generates a packet-reception bit-

map ~bj ¼ ðbj1; . . . ; bjMÞ, where bji ¼ 1 if Pi has been receivedby nj, and bji ¼ 0 otherwise. Node nj then calculates the lin-

ear combination rðjÞ ¼ PMi¼1;bji 6¼0 cjiri and the HLA signature

for the combination as follows:

sðjÞ ¼Y

i¼1;bji 6¼0

scjiji : (7)

Node nj submits ~bj, rðjÞ, and sðjÞ to Ad, as proof of the pack-

ets it has received.

Ad checks the validity of rðjÞ and sðjÞ by testing the follow-ing equality:

eðsðjÞ; gÞ ¼ eYM

i¼1;bji 6¼0

H2ðijjjÞcjiurðjÞ ; v

0@

1A: (8)

If the equality holds, then Ad accepts that node nj received

the packets as reflected in ~bj. Otherwise, Ad rejects ~bj and

judges that not all packets claimed in~bj are actually receivedby nj, so nj is a malicious node. We prove the correctness ofthis auditing algorithm in Section 4.3.

Note that the above mechanism only guarantees that anode cannot understate its packet loss, i.e., it cannot claimthe reception of a packet that it actually did not receive.This mechanism cannot prevent a node from overly statingits packet loss by claiming that it did not receive a packetthat it actually received. This latter case is prevented byanother mechanism discussed in the detection phase.


4.2.4 Detection Phase

The public auditorAd enters the detection phase after receiv-ing and auditing the reply to its challenge from all nodes onPSD. Themain tasks ofAd in this phase include the following:detecting any overstatement of packet loss at each node, con-structing a packet-loss bitmap for each hop, calculating theautocorrelation function for the packet loss on each hop, anddecidingwhethermalicious behavior is present.More specif-ically,Ad performs these tasks as follows.

Given the packet-reception bitmap at each node, ~b1; . . . ;~bK , Ad first checks the consistency of the bitmaps for anypossible overstatement of packet losses. Clearly, if there isno overstatement of packet loss, then the set of packetsreceived at node jþ 1 should be a subset of the packetsreceived at node j, for j ¼ 1; . . . ; K � 1. Because a normalnode always truthfully reports its packet reception, thepacket-reception bitmap of a malicious node that overstatesits packet loss must contradict with the bitmap of a normaldownstream node. Note that there is always at least onenormal downstream node, i.e., the destinationD. So Ad only

needs to sequentially scan ~bj’s and the report from D toidentify nodes that are overstating their packet losses.

After checking for the consistency of ~bj’s, Ad starts con-

structing the per-hop packet-loss bitmap ~mj from ~bj�1 and~bj. This is done sequentially, starting from the first hop fromS. In each step, only packets that are lost in the current hopwill be accounted for in mj. The packets that were notreceived by the upstream node will be marked as “not lost”for the underlying hop. Denoting the “lost” packet by 0 and“not lost” by 1, ~mj can be easily constructed by conducting

a bit-wise complement-XOR operation of ~bj�1 and ~bj. Forexample, consider the following simple case with threeintermediate nodes (four hops) on the route and with

M ¼ 10. Suppose that ~b1 ¼ ð0; 1; 1; 1; 1; 1; 1; 1; 0; 1Þ, ~b2 ¼ð0; 1; 1; 1; 1; 1; 1; 1; 0; 1Þ, ~b3 ¼ ð0; 1; 0; 1; 1; 0; 1; 1; 0; 1Þ, and the

destination D reports that ~bD ¼ ð0; 1; 0; 1; 1; 0; 1; 1; 0; 1Þ. Thenthe per-hop packet-loss bitmaps are given by ~m1 ¼ð0; 1; 1; 1; 1; 1; 1; 1; 0; 1Þ, ~m2 ¼ ð1; 1; 1; 1; 1; 1; 1; 1; 1; 1Þ, ~m3 ¼ð1; 1; 0; 1; 1; 0; 1; 1; 1; 1Þ, and ~m4 ¼ ð1; 1; 1; 1; 1; 1; 1; 1; 1; 1Þ.

The auditor calculates the autocorrelation function gj foreach sequence ~mj ¼ ðmj1; . . . ;mjMÞ, j ¼ 1; . . . ; K, as follows:

gjðiÞ ¼PM�i

k¼1 mjkmjkþi

M � i; for i ¼ 0; . . . ;M � 1; j ¼ 1; . . . ; K: (9)

The auditor then calculates the relative difference betweengj and the ACF of the wireless channel fc as follows:

�j ¼XM�1

i¼0

gjðiÞ � fcðiÞ��

fcðiÞ : (10)

The relative difference �j is then used as the decision statis-tic to decide whether or not the packet loss over the jth hopis caused by malicious drops. In particular, if �j � �th, where�th is an error threshold, then Ad decides that there is mali-cious packet drop over the hop. In this case, both ends ofthe hop will be considered as suspects, i.e., either the trans-mitter did not send out the packet or the receiver chose toignore the received packet. S may choose to exclude bothnodes from future packet transmissions, or alternatively,

apply a more extensive investigation to refine its detection.For example, this can be done by combining the neighbor-overhearing techniques [12] used in the reputation system.By fusing the testimony from the neighbors of these twonodes, Ad can pin-point the specific node that dropped thepacket. Once being detected, the malicious node will bemarked and excluded from the route to mitigate its damage.

The above detection process applies to one end-to-endpath. The detection for multiple paths can be performed asmultiple independent detections, one for each path. Althoughthe optimal error threshold that minimizes the detection erroris still an open problem, our simulations show that throughtrial-and-error, one can easily find a good �th that provides abetter detection accuracy than the optimal detection schemethat utilizes only the pdf of the number of lost packets.

Public verifiability. After each detection, Ad is required topublish the information it received from involved nodes,

i.e., ~bj, rðjÞ, sðjÞ, for j 2 PSD, so that a node can verify all cal-

culation has been performed correctly. Note that no knowl-edge of the HLA secret key x is required in the verificationprocess. At the same time, because Ad has no knowledge ofx, there is no way for it to forge a valid HLA signature for

rðjÞ. In other words, Ad cannot claim a misbehaving node tobe a normal one. Furthermore, the privacy-preserving prop-erty of the scheme (see Theorem 4 in Section 4.3) ensuresthat publishing the auditing information will not compro-mise the confidentiality of the communication.

4.3 Security Analysis

We prove that the proposed scheme has the following secu-rity properties.

Theorem 1. The verification of rðjÞ and sðjÞ, as specified in (8),

is correct, i.e., (8) must hold for a ð~cj; rðjÞ, sðjÞÞ tuple thatis constructed according to the specification presented inSection 4.2.3.

Proof. The correctness of (8) is shown as follows:

eðsðjÞ; gÞ ¼ eYM

i¼1;bji 6¼0

scjiji ; g

0@

1A

¼ eYM

i¼1;bji 6¼0

nH2ðijjjÞuri

oxcji; g

0@

1A

¼ eYM

i¼1;bji 6¼0

nH2ðijjjÞuri

ocji; g

0@

1A

x

¼ eYM

i¼1;bji 6¼0

H2ðijjjÞcjiucjiri ; g

0@

1A

x

¼ eYM

i¼1;bji 6¼0

H2ðijjjÞcjiurðjÞ ; gx

0@

1A

¼ eYM

i¼1;bji 6¼0

H2ðijjjÞcjiurðjÞ ; v

0@

1A: (11)

So Theorem 1 holds. tu


Theorem 2. The construction specified in Section 4.2 is secureunder the collusion model defined in Section 3.2, i.e., an adver-sary that does not receive a packet Pi cannot claim receiving

this packet in its ~bj by forging a HLA signature for a randomlinear combination of the received packets, even if this adver-sary colludes with any other malicious node in PSD.

Proof. For a given node nj, our construction essentially fol-lows the BLS-signature-based HLA constructiondescribed in [27]. Under the implicitly assumed condi-tion of no collusion between attackers, the authors in [27]proved that the construction is secure, i.e., no adversarycan forge a response to a random challenge if it does notknow the HLA signature of each packet in the linearcombination. So here, we only need to show that collu-sion between malicious nodes does not give the attackermore information about the HLA signature of the pack-ets. This can be shown by observing the following novelproperties of our HLA construction:

1) For a packet Pi, the signature scheme specified in(3) dictates that its HLA signature sji is not onlytied to the packet sequence number (i), but alsorelated to the node index (j) that is relaying thepacket. This means that for the same packet, eachhop on PSD is given a different HLA signature.The verification scheme in (8) accounts for both iand j. In the no-collusion case, by treating the con-catenation of ðijjjÞ as a meta packet sequencenumber, the security of our construction can beproved in the same way as that in [27].

2) The way that the HLA signatures are distributed tonodes on PSD, as specified in (4), dictates that anupstream node nj cannot get a copy of theHLA sig-nature sj0i of a downstream node nj0 , where

j < j0 � K, unless the downstream node nj0

receives the signature sj0i first on PSD and then

sends it through the covert channel to the upstreamnode nj. Therefore, there is no way for a down-streammalicious node to get any information on itsHLA signature if the upstream attacker drops thepacket. As a result, the secret information exchangeon the covert channel does not help the adversaryto get more information on its HLA signature thanthe scenariowhere there is no collusion.

Combining the above arguments, Theorem 2 isproved. tu

Theorem 3. The proposed scheme ensures that the packet-recep-tion bitmap reported by a node in PSD is truthful.

The validity of Theorem 3 is straightforward, becauseTheorem 2 guarantees that the node cannot understate itspacket loss information. At the same time, from our discus-sion in Section 4.2.4, it is clear that a malicious node cannotoverstate its packet loss either. So a node must report itsactual packet reception information truthfully to Ad.

Theorem 4. Our HLA construction is publicly verifiable and pri-vacy preserving, i.e., the auditor Ad does not require the secretkey of the HLA scheme to verify a node’s response. In addition,Ad cannot determine the content of the packets transmittedover PSD from the information submitted by nodes.

Proof. Public verifiability is clear from the construction ofthe scheme. The privacy-preserving property is guaran-teed by the application of the secure hash function H1.More specifically, instead of directly computing the HLAsignature for a packet Pi, our construction computes thesignature for the image of the packet ri ¼ H1ðPiÞ. Duringthe auditing phase, Ad can collect a set of linear combina-tions of ri’s. So it is possible for Ad to calculate ri’s bysolving a set of linear equations, if a sufficient number ofcombinations are collected. Even if Ad can recover ri, itshould not be able to guess Pi because of H1’s resilienceto the pre-image attack. tu

4.4 Overhead Analysis

The proposed scheme requires relatively high computationcapability at the source, but incurs low communication andstorage overheads along the route, as explained below.

4.4.1 Computation Requirements

Most of the computation is done at the source node (for gen-erating HLA signatures) and at the public auditor (for con-ducting the detection process). We consider the publicauditor as a dedicated service provider that is not con-strained by its computing capacity. So the computationaloverhead should not be a factor limiting the application ofthe algorithm at the public auditor. On the other hand, theproposed algorithm requires the source node to generate KHLA signatures for a K-hop path for each data packet. Thegeneration of HLA signatures is computationally expensive,and may limit the applicability of the algorithm. We pro-pose a block-based HLA signature and detection mecha-nism in Section 5, whereby the processing is based on blockof packets rather than individual packets, to reduce thiscomputation overhead by multiple folds. We evaluate theperformance of the proposed mechanism by extensive sim-ulations in Section 6.2.4.

4.4.2 Communication Overhead

The communication overhead for the setup phase is a one-time cost, incurred when PSD is established. Here we mainlyfocus on the recurring cost during the packet transmissionand auditing phases (there is no communication overheadin the detection phase). For a transmitted packet Pi, S needsto send one encrypted HLA signature and one MAC to eachintermediate node on PSD. Our HLA signature follows theBLS scheme in [7]. So an HLA signature sij is 160-bit long. Ifencrypted by DES, the encrypted signature ~sij is 192 bits inlength (a block in DES is 64-bit long, so the length of thecipher text of DES is multiples of 64 bits). The MAC-related

hash function HMACkey can be implemented in SHA-1 and has

a length of 160 bits. So for each packet, the per-hop commu-nication overhead incurred by the proposed scheme in thepacket transmission phase is 192þ 160 ¼ 352 bits, or44 bytes. For a path of K intermediate hops, the total com-munication overhead for transmitting a packet is 44K bytes.For example, when K ¼ 10, the overhead is 440 bytes/packet. For an IEEE 802.11 system, this is about 19 percentof the maximumMSDU (2,304 bytes).


In the auditing phase, the auditorAd sends a random chal-lenge vector~cj to each node nj. Let each element in this vectorbe a 32-bit integer. The challenge has a length of 4M bytes.Based on our simulation in Section 6, M ¼ 50 is typicallyenough to achieve good detection accuracy. So this meanseach challenge can be delivered in one packet. Node nj replies

to the challenge with ~bj, rðjÞ, and sðjÞ. Among them, ~bj is an

M-bit bitmap. rðjÞ is the linear combination of the SHA-1

image of the packets, so rðjÞ also has a length of 160 bits. sðjÞ isan HLA signature of rðjÞ, so it is also 160-bit long. Overall, thereply from a node to Ad has a length of 320þM bits, whichcan also be delivered in one packet.

4.4.3 Storage Overhead

During its operation, a node nj on PSD needs to store thekey keyj, the H1 hash image, and the associated HLA sig-nature for each of the M most recently received packets.Assuming encryptkey and decryptkey are based on DES, keyjhas a length of 56 bits. Let the hash function H1 be basedon SHA-1. So the H1 image of a packet is 160-bit long. TheHLA signature is based on BLS (Boneh-Lynn-Shacham)scheme [7] and is 160-bit long. So in total the storage over-head at nj is 320M þ 56 bits, or 40M þ 7 bytes. This storageoverhead is quite low. For example, when M � 50, thestorage overhead at a node is less than 2 KB.

5 REDUCING COMPUTATION OVERHEAD:BLOCK-BASED HLA SIGNATURE GENERATION

AND DETECTION

As discussed in Section 4.4.1, one major limitation of theproposed baseline HLA detection algorithm is the highcomputation overhead of the source node. In this section,we proposed a block-based solution that can reduce thisoverhead by multiple folds. The main idea is to make theHLA signature scalable: instead of generating per-packetHLA signatures, per-block HLA signatures will be gener-ated, where a block consists of L > 1 packets. Accordingly,the detection will be extended to blocks, and each bit in thepacket-loss bitmap represents a block of packets rather thana single packet. The details of this extension are elaboratedas follows.

In the Packet Transmission Phase, rather than generatingHLA signatures for every packet, now the signatures arebased on a block of packets. In particular, L consecutivepackets are deemed as one block. Accordingly, the streamof packets is now considered as stream of blocks. Denotethe L packets in block i as Pi1; . . . ; PiL, respectively. Thesource S generates block-HLA signatures for block i asfollows:

1) S computes ri ¼ H1ðPi1Þ. S then computes HLA sig-natures of ri for node nj, say sji, where j ¼ 1; . . . ; K,according to (3).

2) For each node nj, S generates L random numbers

kð1Þji ; . . . ; k

ðLÞji 2 Zp, such that

PLl¼1 k

ðlÞji ¼ sji. This could

be done, e.g., but first generating L� 1 arbitrarynumbers and then make the Lth number equal to

sji �PL�1

l¼1 kðlÞji .

3) For packet Pil, S assigns kðlÞji ’s, j ¼ 1; . . . ; K, as the

block-HLA signatures for node 1; . . . ; K, respec-tively. These signatures are then transmitted withpacket Pil by following the one-way chainedencryption and decryption scheme described in (4)through (6).

In line with the above block-HLA signatures, a node nj is

able to compute sji ¼PL

l¼1 kðlÞji if and only if it receives all L

packets of block i. Node nj stores ri and sji in its proof-of-reception database as the proof for block i.

Auditing is now based on blocks. In particular, at nodenj, suppose the sequence number of the blocks recorded inthe proof-of-reception database are B1; . . . ; BM . Based onthe information in the database, node nj generates a block-

reception bitmap ~bj ¼ ðbj1; . . . ; bjMÞ, where bji ¼ 1 if andonly if all L packets in block Bi has been received by nj, andbji ¼ 0 otherwise. Except the above, Ad still follows thesame algorithm in Section 4.2.3 to submit random challenge,receive response, and verify the truthfulness of the reportedblock-reception bitmap.

In the detection phase, the ACF of the wireless channelneeds to be coarsened such that one unit of lag represents Lconsecutive packets. This could be done by first coarseningthe packet reception bitmap observed in the training phaseusing blocks: L consecutive 1’s are mapped to a 1 in theblocked-based bitmap, otherwise a 0 will be mapped. TheACF of the coarsened wireless channel is then comparedwith the ACF of the block-reception bitmap reported byeach node to detect possible malicious packet drops.

From the above description, it is clear that the block-based HLA signature and detection mechanism can in gen-eral reduce the computation overhead by L folds. However,the coarser representation of lost packets makes it difficultto accurately capture the correlation between them. Forexample, even with a small block size, say L ¼ 2, it is notpossible to tell whether a block loss is due to the loss of onepacket or both packets in the block, which correspond tovery different packet-loss correlations. Therefore, it isexpected that the reduced computational overhead comesat the cost of less detection accuracy. We study the perfor-mance of the block-based algorithm in Section 6.2.4.

6 PERFORMANCE EVALUATION

6.1 Simulation Setup

In this section, we compare the detection accuracyachieved by the proposed algorithm with the optimal max-imum likelihood algorithm, which only utilizes the distri-bution of the number of lost packets. For given packet-lossbitmaps, the detection on different hops is conducted sepa-rately. So, we only need to simulate the detection of onehop to evaluate the performance of a given algorithm. Weassume packets are transmitted continuously over this hop,i.e., a saturated traffic environment. We assume channelfluctuations for this hop follow the Gilbert-Elliot model,with the transition probabilities from good to bad andfrom bad to good given by PGB and PBG, respectively. Weconsider two types of malicious packet dropping: randomdropping and selective dropping. In the random droppingattack, a packet is dropped at the malicious node with


probability PM . In the selective dropping attack, the adver-sary drops packets of certain sequence numbers. In oursimulations, this is done by dropping the middle N of theM most recently received packets, i.e., setting the N bits inthe middle of the packet-loss bitmap to 0 (if a packet inthese positions is dropped due to link errors, then the setof 0’s extends to an extra bit in the middle). PM and N aresimulation parameters that describe the selectivity of theattack. In both cases, we let �th ¼ 10% for the proposedalgorithm.

We are interested in the following three performancemetrics: probability of false alarm (Pfa), probability of miss-detection (Pmd), and the overall detection-error probability(Perror). We collect these statistics as follows. In each run, wefirst simulate 1,000 independently generated packet-loss bit-maps for the hop, where packet losses are caused by linkerrors only. We execute our detection algorithm over thesepacket-loss bitmaps and collect the number of cases wherethe algorithm decides that an attacker is present. Let thisnumber be Ifa. Pfa of this run is calculated as Pfa ¼ Ifa=

1;000. We then simulate another 1,000 independently gener-ated packet-loss bitmaps, where losses are now caused byboth link errors and malicious drops. Let the number ofcases where the detection algorithm rules that an attacker isnot present be Imd. Pmd of the underlying run is given byPmd ¼ Imd=1;000. Perror is given by Perror ¼ ðIfa þ ImdÞ=2; 000. The above simulation is repeated 30 times, and themean and 95 percent confidence interval are computed forthe various performance metrics.

6.2 Results

6.2.1 Random Packet Dropping

The detection accuracy is shown in Fig. 4 as a function of themalicious random-drop rate PM . In each subfigure, there aretwo sets of curves, representing the proposed algorithm andthe optimal ML scheme, respectively. In each set of curves,the one in the middle represents the mean, and the other tworepresent the 95 percent confidence interval. In general, thedetection accuracy of both algorithms improves with PM (i.e.,the detection error decreases with PM ). This is not surprising,becausemalicious packet drops becomemore statistically dis-tinguishable as the attacker starts to drop more packets. Inaddition, this figure shows that for �th ¼ 10%, the proposedalgorithm provides slightly higher false-alarm rate (subfigure(c)) but significantly lower miss-detection probability

(subfigure (b)) than the ML scheme. A low miss-detectionprobability is very desirable in our context, because itmeans amalicious node can be detectedwith a higher probability. Theslightly higher false-alarm rate should not be a problem,because a false alarm can be easily recognized and fixed in thepost-detection investigation phase. Most importantly, theoverall detection-error probability of the proposed scheme islower than that of theML scheme (subfigure (a)).We are espe-cially interested in the regime when PM is comparable to theaverage packet loss rate due to link errors, given by

PGBPGBþPBG

¼ 0:010:01þ0:5 � 0:02. This regime represents the scenario

inwhich the attacker hides its drops in the background of linkerrors bymimicking the channel-related loss rate. In this case,the ML scheme cannot correctly differentiate between linkerrors and malicious drops. For example, when PM ¼ 0:01,the ML scheme results in Pmd ¼ 80% and Pfa ¼ 23%. This isclose to arbitrarily ruling that every packet loss is due to linkerror only, leading to an overall detection-error rate of 50 per-cent (see subfigure (a)). Our proposed algorithm, on the otherhand, achieves a much better detection accuracy, because itsPmd and Pfa are both lower than those under the ML scheme.As a result, when PM ¼ 0:01, the total detection-error rate ofthe proposed algorithm is about 35 percent. When PM isincreased to 0.04, Perror of the proposed scheme reduces toonly 20 percent, which is roughly half of the error rate of theML scheme at the same PM . Remembering that the detection-error rate of the ML scheme is the lowest among all detectionschemes that only utilize the distribution of the number oflost packets, the lower detection-error rate of the proposedscheme shows that exploiting the correlation between lostpackets helps in identifying the real cause of packet dropsmore accurately. The effect of exploiting the correlation isespecially visiblewhen themalicious packet-drop rate is com-parable with the link error rate. Meanwhile, we also note thatthe 95 percent confidence interval of the proposed scheme iswider than that of theML scheme. This is because the decisionvariable �j in the proposed scheme is a second-order functionof the random packet loss process, while the decision variablein the ML scheme (i.e., number of lost packets) is a first orderfunction of the same packet loss process. As a result, the deci-sion variable of the proposed scheme possesses more ran-domness than that of the ML scheme, as reflected by thewider 95 percent confidence interval.

In Fig. 5, we plot the detection accuracy as a functionof the size of the packet-loss bitmap ðMÞ. It can be

Fig. 4. Detection accuracy versus PM (random packet-drop case).


observed that Perror for the proposed scheme decreaseswith M. However, as M becomes sufficiently large, e.g.,M ¼ 30 in our case, a further increase in the size of thebitmap does not lead to additional improvement in thedetection accuracy. This can be explained by noting thatthe two-state Markovian GE channel model has a short-range dependence, i.e., the correlation between twopoints of the fluctuation process decays rapidly with theincrease in the separation between these points. Thisshort-range dependence is reflected in an exponentiallydecaying autocorrelation function for the channel. As aresult, a good estimation of the autocorrelation functioncan be derived as long as M is long enough to cover thefunction’s short tail. This phenomenon implies that anode does not need to maintain a large packet-receptiondatabase in order to achieve a good detection accuracyunder the proposed scheme. It also explains the low stor-age overhead incurred by our scheme.

The detection accuracy is plotted in Fig. 6 as a function ofthe channel state transition rate PGB. It can be observedfrom this figure that Perror for both algorithms increaseswith PGB. This is not surprising because at its initial point ofPGB ¼ 0:01, the expected link error rate is about 0.02, whichis much smaller than the malicious packet drop rate ofPM ¼ 0:1. So it is relatively easy to differentiate between thecase where packet drops are caused by link errors only andthe one where such drops are caused by the combined effectof link errors and malicious drops. As PGB increases, thelink error probability approaches PM , making the statisticalseparation of the two cases harder. As a result, the detection

error increases with PGB. For all values of PGB in this figure,the proposed algorithm always achieves significantly lowerdetection-error probability than the ML scheme.

6.2.2 Selective Packet Dropping

The detection error as a function of the number of mali-ciously dropped packets is shown in Fig. 7. At the low endof the x-axis, maliciously dropped packets account for only1=50 ¼ 2% of the total packets in the packet-loss bitmap.This is identical to the link error rate of 0.02, assumed in thesimulation. Similar performance trends can be observed tothe case of the random packet dropping. Fewer detectionerrors are made by both algorithms when more packets aremaliciously dropped. In all the simulated cases, the pro-posed algorithm can detect the actual cause of the packetdrop more accurately than the ML scheme, especially whenthe number of maliciously dropped packets is small. Whenthe number of maliciously dropped packets is significantlyhigher than that caused by link errors (greater than fourpackets in our simulation), the two algorithms achieve com-parable detection accuracy. In this scenario, it may be wiseto use the conventional ML scheme due to its simplicity(e.g., no need to enforce truthful reports from intermediatenodes, etc.).

The detection errors are plotted in Fig. 8 as a function ofthe size of the packet-loss bitmap (M). To conduct a faircomparison, as we increase M, we also increase the numberof maliciously dropped packets, so as to maintain a mali-cious packet-dropping rate of 10 percent. It can be observedthat a smallM is enough to achieve good detection accuracy

Fig. 5. Detection accuracy versusM (random packet-drop case).

Fig. 6. Detection accuracy versus PGB (random packet-drop case).


under the proposed scheme, due to the short-range depen-dence property of the channel.

In Fig. 9, the detection errors are plotted as a function ofthe channel state transition probability PGB. Similar trendsare observed to those in the random packet dropping case,i.e., the algorithms make more detection errors when thelink error rate approaches the malicious packet-drop rate.Once again, the proposed algorithm consistently outper-forms the ML scheme in all the tested cases.

6.2.3 Dropping of Control Packets

Our simulations so far have not made any application-semantic (use case) assumption on the dropped packets. Inreality, however, because these packets are usually used forcontrol purposes, the loss of these packets may generate sig-nificant impacts on the transmission of other (i.e., data)packets. In this series of simulations, we evaluate how thecorrelation between the control and data packets affects theperformance of the proposed scheme. In particular, we con-sider a multi-hop cognitive radio network, where controlpackets are exchanged over an end-to-end path to maintainchannel synchronization between consecutive hops. A con-trol packet contains the channel id that the two ends of ahop should tune to. The exchange of these packets could beend-to-end (i.e., the entire path operates over a channelcommonly available to all hops) or local (the path consistsof several segments, each of which operates over a differentchannel available only to the hops of that segment). In eithercase, the drop of a control packet will disrupt the frequency

synchronization of a hop, so that data packets transmittedover the hop will be lost until the frequency synchronizationis resumed by the next valid exchange of control packets. Inthis simulation, we assume that a random number of ldatadata packets are sent between two consecutive control pack-ets. We assume that ldata follows geometric distribution withmean parameter Ldata (i.e., the continuous idle time of achannel is exponentially distributed, as commonly assumedin the cognitive radio literature). In addition, we alsoassume that an attacker uniformly randomly drops a certainpercentage of the control packets. This percentage and Ldata

are parameters varied in the simulation. Finally, we use thesame Gilbert-Elliot model as previous simulations to gener-ate the wireless channel.

Fig. 10a plots detection accuracy as a function of the con-trol packet dropping rate. It can be observed that under thecorrelated control and data packet losses, the proposedscheme achieves significantly better detection accuracy thanthe ML scheme for all tested control packet dropping rates, asimilar trend to those observed when such correlation is notconsidered (e.g., see the random packet drops in Fig. 4a).Meanwhile, it can also be observed from Figs. 10a and 4athat, comparedwith the results of uncorrelated packet drops,the detection-error probability under correlated packetlosses is in general smaller, indicating that the correlationbetween control and data packet losses may help to improvethe detection accuracy. This is true for both schemes. This isbecause such correlation further amplifies the distinctionbetween the statistics of the wireless channel and the mali-cious packet drops, making the detection easier.

Fig. 7. Detection accuracy versus number of maliciously dropped packets (selective packet-drop case).

Fig. 8. Detection accuracy versusM (selective packet-drop case).


We study the detection accuracy as a function of aver-age number of data packets transmitted between twoconsecutive control packets (Ldata) in Fig. 10b. It can beobserved that this parameter has little impact on the MLscheme, because under a given control packet loss rate,the overall (control+data) packet loss rate does notchange with Ldata. ML scheme relies on detecting thenumber of lost packets, and thus is not affected by Ldata.In contrast, the proposed scheme may benefit from alarger Ldata: even if the average detection accuracy doesnot improve much, its 95 percent confidence intervalshrinks significantly with Ldata. This is explained bycomparing the packet loss patterns of the wireless chan-nel and the correlated packet drops. Specifically, on aver-age two packets are lost in a row in a wireless link error(this is given by 1=ð1� PBGÞ ¼ 1=0:5 ¼ 2), while on aver-age Ldata packets are lost under each malicious drop.Therefore, the distinction between the above two packet-loss patterns increases with Ldata. The proposed schemeexploits such a distinction in patterns and thus can bene-fit from larger Ldata.

In Fig. 10c we plot the detection-error probability as afunction of channel state transition parameter PGB. It canbe observed that the detection accuracy deteriorates withthe increase of PGB, because it becomes more and moredifficult to decide the actual source of packet loss whenlink error rate approaches the malicious packet droppingrate. Once again, the proposed scheme consistentlyachieves higher detection accuracy than ML scheme inall simulated cases.

6.2.4 Block-Based Detection

In this series of simulations, we study the detection accuracyof block-based algorithms as a function of block size.Fig. 11a plots the detection accuracy for random packetdrops under two packet drop probabilities: high (PM ¼ 0:08)and low (PM ¼ 0:01). The performance of the ML scheme isalso plotted in the same figure for comparison. In general, itshows that for both cases the detection error increases withthe block size. This is expected, as a larger block size hidesmore details of packet losses, and therefore makes the actualcorrelation of lost packets more difficult to calculate. Mean-while, the benefits of blocked-based algorithm is alsoobserved: it is able to trade computation complexity for bet-ter detection accuracy. For example, under low packet drop-ping rate, it shows that the block-based algorithm canreduce the computation overhead of the baseline HLAdetection by 10 folds, and still be able to achieve better detec-tion accuracy than the ML scheme. At high packet droppingrate, the block-based algorithm can achieves a 4� computa-tion overhead reduction, while still achieving slightly betterdetection accuracy than the ML scheme.

Fig. 11b plots the detection accuracy for random packetdrops under two packet sampling methods. In the firstmethod, we fix the total number of packets used in the sam-ple, and therefore the number of sampled blocks varieswith the block size. In the second method, we fix the num-ber of sampled blocks, but the number of sampled packetschanges with the block size. Note that the amount of com-putation required to compute the block-based signaturesdecreases with the block size in the first method, but

Fig. 9. Detection accuracy versus PGB (selective packet-drop case).

Fig. 10. Detection accuracy for control packet drops.


remains the same in the second method. The second methoddoes not reduce the amount of computation, rather, itreduces the intensity of the computation by distributing itover a larger time interval (more packets). From this figure,it can be observed that under both methods, the detectionaccuracy deteriorates with the block size, but the deteriora-tion is more severe under the first method. This is not sur-prising, because in method one the block-reception bitmapbecomes shorter with the increase of block size, and there-fore the computed ACF is less accurate, due to the insuffi-cient sample size. Meanwhile, it can be observed that, at adetection accuracy comparable to that of the ML scheme,the second method achieves 4� computation overheadreduction over the baseline algorithm, whereas the savingof the first method is only 2�. This observation suggeststhat, to maintain a good detection accuracy, block-basedalgorithm may be better used as a way to reduce the compu-tation intensity of the source node, rather than a way toreduce the absolute amount of the computation.

Fig. 11c plots the detection accuracy for selective packetdrops under two packet dropping rates: high (three out ofevery 50 packets are dropped) and low (one out of every50 packets is dropped). A similar trend to Fig. 11a can beobserved. This observation suggests that the property–block-based algorithm can trade computation complexityfor detection accuracy—is universal (i.e., holds under vari-ous attack models).

7 CONCLUSIONS

In this paper, we showed that compared with conventionaldetection algorithms that utilize only the distribution of thenumber of lost packets, exploiting the correlation betweenlost packets significantly improves the accuracy in detectingmalicious packet drops. Such improvement is especially vis-ible when the number of maliciously dropped packets iscomparable with those caused by link errors. To correctlycalculate the correlation between lost packets, it is critical toacquire truthful packet-loss information at individualnodes. We developed an HLA-based public auditing archi-tecture that ensures truthful packet-loss reporting by indi-vidual nodes. This architecture is collusion proof, requiresrelatively high computational capacity at the source node,but incurs low communication and storage overheads overthe route. To reduce the computation overhead of the

baseline construction, a packet-block-based mechanism wasalso proposed, which allows one to trade detection accuracyfor lower computation complexity.

Some open issues remain to be explored in our futurework. First, the proposed mechanisms are limited to static orquasi-static wireless ad hoc networks. Frequent changes ontopology and link characteristics have not been considered.Extension to highly mobile environment will be studied inour future work. In addition, in this paper we have assumedthat source and destination are truthful in following theestablished protocol because delivering packets end-to-endis in their interest. Misbehaving source and destination willbe pursued in our future research. Moreover, in this paper,as a proof of concept, we mainly focused on showing the fea-sibility of the proposed cypto-primitives and how second-order statistics of packet loss can be utilized to improvedetection accuracy. As a first step in this direction, our analy-sis mainly emphasize the fundamental features of the prob-lem, such as the untruthfulness nature of the attackers, thepublic verifiability of proofs, the privacy-preserving require-ment for the auditing process, and the randomness of wire-less channels and packet losses, but ignore the particularbehavior of various protocols that may be used at differentlayers of the protocol stack. The implementation and optimi-zation of the proposed mechanism under various particularprotocols will be considered in our future studies.

ACKNOWLEDGMENTS

The work of T. Shu was supported in part by US NationalScience Foundation (NSF) under Grant CNS-1343156. Thework of M. Krunz was supported by NSF (Grants CNS-1016943 and IIP-1265960) and by ARO (Grant W911NF-13-1-0302). Any opinions, findings, conclusions, or recommen-dations expressed in this paper are those of the author(s)and do not necessarily reflect the views of NSF or ARO. Apreliminary version of this paper was presented in ACMWiSec 2012 Conference, Tucson, AZ, April 2012.

REFERENCES

[1] J. N. Arauz, “802.11 Markov channel modeling,” Ph.D. dissertation,School Inform. Sci., Univ. Pittsburgh, Pittsburgh, PA, USA, 2004.

[2] C. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z.Peterson, and D. Song, “Provable data possession at untrustedstores,” in Proc. ACM Conf. Comput. and Commun. Secur., Oct. 2007,pp. 598–610.

Fig. 11. Detection accuracy of block-based algorithms.


[3] G. Ateniese, S. Kamara, and J. Katz, “Proofs of storage from homo-morphic identification protocols,” in Proc. Int. Conf. Theory Appl.Cryptol. Inf. Security, 2009, pp. 319–333.

[4] B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru, and H.Rubens, “ODSBR: An on-demand secure byzantine resilient rout-ing protocol for wireless ad hoc networks,” ACM Trans. Inform.Syst. Security, vol. 10, no. 4, pp. 1–35, 2008.

[5] B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru, and H.Rubens, “ODSBR: An on-demand secure byzantine resilient rout-ing protocol for wireless ad hoc networks,” ACM Trans. Inf. Syst.Secur., vol. 10, no. 4, pp. 11–35, 2008.

[6] K. Balakrishnan, J. Deng, and P. K. Varshney, “TWOACK: Pre-venting selfishness in mobile ad hoc networks,” in Proc. IEEEWireless Commun. Netw. Conf., 2005, pp. 2137–2142.

[7] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from theweil pairing,” J. Cryptol., vol. 17, no. 4, pp. 297–319, Sep. 2004.

[8] S. Buchegger and J. Y. L. Boudec, “Performance analysis of theconfidant protocol (cooperation of nodes: Fairness in dynamic ad-hoc networks),” in Proc. 3rd ACM Int. Symp. Mobile Ad Hoc Netw.Comput. Conf., 2002, pp. 226–236.

[9] L. Buttyan and J. P. Hubaux, “Stimulating cooperation in self-organizing mobile ad hoc networks,” ACM/Kluwer Mobile Netw.Appl., vol. 8, no. 5, pp. 579–592, Oct. 2003.

[10] J. Crowcroft, R. Gibbens, F. Kelly, and S. Ostring, “Modellingincentives for collaboration in mobile ad hoc networks,” pre-sented at the First Workshop Modeling Optimization Mobile, AdHoc Wireless Netw., Sophia Antipolis, France, 2003.

[11] J. Eriksson, M. Faloutsos, and S. Krishnamurthy, “Routing amidcolluding attackers,” in Proc. IEEE Int. Conf. Netw. Protocols, 2007,pp. 184–193.

[12] W. Galuba, P. Papadimitratos, M. Poturalski, K. Aberer, Z.Despotovic, and W. Kellerer, “Castor: Scalable secure routing forad hoc networks,” in Proc. IEEE INFOCOM, Mar. 2010, pp. 1 –9.

[13] T. Hayajneh, P. Krishnamurthy, D. Tipper, and T. Kim, “Detectingmalicious packet dropping in the presence of collisions and chan-nel errors in wireless ad hoc networks,” in Proc. IEEE Int. Conf.Commun., 2009, pp. 1062–1067.

[14] Q. He, D. Wu, and P. Khosla, “Sori: A secure and objective reputa-tion-based incentive scheme for ad hoc networks,” in Proc. IEEEWireless Commun. Netw. Conf., 2004, pp. 825–830.

[15] D. B. Johnson, D. A. Maltz, and J. Broch, “DSR: The dynamicsource routing protocol for multi-hop wireless ad hoc networks,”in Ad Hoc Networking. Reading, MA, USA: Addison-Wesley, 2001,ch. 5, pp. 139–172.

[16] W. Kozma Jr. and L. Lazos, “Dealing with liars: Misbehavioridentification via Renyi-Ulam games,” presented at the Int.ICST Conf. Security Privacy in Commun. Networks, Athens,Greece, 2009.

[17] W. Kozma Jr., and L. Lazos, “REAct: Resource-efficientaccountability for node misbehavior in ad hoc networks basedon random audits,” in Proc. ACM Conf. Wireless Netw. Secur.,2009, pp. 103–110.

[18] K. Liu, J. Deng, P. Varshney, and K. Balakrishnan, “An acknowl-edgement-based approach for the detection of routing misbehav-ior in MANETs,” IEEE Trans. Mobile Comput., vol. 6, no. 5,pp. 536–550, May 2006.

[19] Y. Liu and Y. R. Yang, “Reputation propagation and agreement inmobile ad-hoc networks,” in Proc. IEEE WCNC Conf., 2003,pp. 1510–1515.

[20] S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing mis-behavior in mobile ad hoc networks,” in Proc. ACM MobiComConf., 2000, pp. 255–265.

[21] G. Noubir and G. Lin, “Low-power DoS attacks in data wireleslans and countermeasures,” ACM SIGMOBILE Mobile Comput.Commun. Rev., vol. 7, no. 3, pp. 29–30, Jul. 2003.

[22] V. N. Padmanabhan and D. R. Simon, “Secure traceroute to detectfaulty or malicious routing,” in Proc. ACM SIGCOMM Conf., 2003,pp. 77–82.

[23] P. Papadimitratos and Z. Haas, “Secure message transmission inmobile ad hoc networks,” Ad Hoc Netw., vol. 1, no. 1, pp. 193–209,2003.

[24] A. Proano and L. Lazos, “Selective jamming attacks in wirelessnetworks,” in Proc. IEEE ICC Conf., 2010, pp. 1–6.

[25] A. Proano and L. Lazos, “Packet-hiding methods for preventingselective jamming attacks,” IEEE Trans. Depend. Secure Comput.,vol. 9, no. 1, pp. 101–114, Jan./Feb. 2012.

[26] R. Rao and G. Kesidis, “Detecting malicious packet droppingusing statistically regular traffic patterns in multihop wireless net-works that are not bandwidth limited,” in Proc. IEEE GLOBECOMConf., 2003, pp. 2957–2961.

[27] H. Shacham and B. Waters, “Compact proofs of retrievability,” inProc. Int. Conf. Theory Appl. Cryptol. Inf. Secur., Dec. 2008, pp. 90–107.

[28] T. Shu, M. Krunz, and S. Liu, “Secure data collection in wirelesssensor networks using randomized dispersive routes,” IEEETrans. Mobile Comput., vol. 9, no. 7, pp. 941–954, Jul. 2010.

[29] T. Shu, S. Liu, and M. Krunz, “Secure data collection in wirelesssensor networks using randomized dispersive routes,” in Proc.IEEE INFOCOMConf., 2009, pp. 2846–2850.

[30] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-preserving pub-lic auditing for data storage security in cloud computing,” in Proc.IEEE INFOCOMConf., Mar. 2010, pp. 1–9.

[31] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The feasibility oflaunching and detecting jamming attacks in wireless networks,”in Proc. ACMMobiHoc Conf., 2005, pp. 46–57.

[32] Y. Xue and K. Nahrstedt, “Providing fault-tolerant ad-hoc routingservice in adversarial environments,” Wireless Pers. Commun., Spe-cial Issue Secur. Next Generation Commun., vol. 29, no. 3, pp. 367–388, 2004.

[33] Y. Zhang, L. Lazos, and W. Kozma, “AMD: Audit-based misbe-havior detection in wireless ad hoc networks,” IEEE Trans. MobileComput., PrePrint, Vol. 99, published online on 6 Sept. 2013.

[34] S. Zhong, J. Chen, and Y. R. Yang, “Sprite: A simple cheat-proof,credit-based system for mobile ad-hoc networks,” in Proc. IEEEINFOCOMConf., 2003, pp. 1987–1997.


Tao Shu received the BS and MS degrees inelectronic engineering from the South China Uni-versity of Technology, Guangzhou, China, in1996 and 1999, respectively, and the PhD degreein communication and information systems fromTsinghua University, Beijing, China, in 2003. Hereceived the PhD degree in electrical and com-puter engineering from the University of Arizonain December 2010. He was a senior engineer atQualcomm Inc. at San Jose, CA, from December2010 to July 2011. He is currently an assistant

professor at the Department of Computer Science and Engineering,Oakland University. His research aims at addressing the security, pri-vacy, and performance issues in wireless networking systems, withstrong emphasis on system architecture, protocol design, and perfor-mance modeling and optimization.

Marwan Krunz received the PhD degree in elec-trical engineering from Michigan State Universityin 1995. He is a professor of electrical and com-puter engineering at the University of Arizona. Heholds a joint (courtesy) appointment at the samerank at the Department of Computer Science. Heis the site co-director of Broadband WirelessAccess and Applications Center (BWAC), arecently inaugurated US National Science Foun-dation (NSF)/industry IUCRC center that includesfive universities and 20þ industry members.

From 2008 to 2014, he was the UA site director of the NSF IUCRC“Connection One” center. He joined the University of Arizona in January1997, after a brief postdoctoral stint at the University of Maryland. In2010, he was a visiting chair of excellence at the University of Carlos IIIde Madrid, and concurrently a visiting researcher at Institute IMDEA Net-works. In 2011, he received the Fulbright Senior Expert Award, throughwhich he visited with the University of Jordan, King Abdullah II School ofInformation Technology. He previously held other visiting research posi-tions at INRIA-Sophia Antipolis, HP Labs - Palo Alto, University of ParisVI, University of Paris V, and US West Advanced Technologies. Hisresearch interests lie in the areas of wireless communications and net-working, with emphasis on resource management, adaptive protocols,and security issues. Recently, he has been involved in projects relatedto cognitive radios and dynamic spectrum access, wireless security,power-controlled protocols for wireless networks, multichannel MIMOsystems, secure satellite communications, energy management insolar-powered WSNs, and full-duplex communications. He has pub-lished more than 200 journal articles. He received the 2012 IEEE Com-munications Society TCCC Outstanding Service Award. He received theUS NSF CAREER award in 1998. He currently serves on the editorialboard for the IEEE Transactions on Network and Service Management.Previously, he served on the editorial boards for the IEEE/ACM Transac-tions on Networking, the IEEE Transactions on Mobile Computing, theComputer Communications Journal, and the IEEE CommunicationsInteractive Magazine. He was a guest coeditor for special issues in IEEEMicro and IEEE Communications Magazines. He was the generalcochair for the ACM WiSec 2012 Conference, and served as a TPCchair for various international conferences, including INFOCOM’04,SECON’05, and WoWMoM’06. He has served and continues to serveon the executive and technical program committees of numerous inter-national conferences, and on the panels of several funding agencies. Hewas the keynote speaker, an invited panelist, and a tutorial presenter atvarious international conferences. He is a fellow of the IEEE, an ArizonaEngineering Faculty Fellow (2011-2014), and an IEEE CommunicationsSociety Distinguished lecturer (2013 and 2014).

" For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


ieee transactions on mobile computing, … and truthful detection of packet dropping attacks in...

Documents