Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

7. secure distance based localization in the presence of cheating beacon nodes


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

7. secure distance based localization in the presence of cheating beacon nodes

  1. 1. IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, X 2009 1 Secure Distance-based Localization in the Presence of Cheating Beacon Nodes Murtuza Jadliwala, Member, IEEE, Sheng Zhong, Member, IEEE, Shambhu Upadhyaya, Senior Member, IEEE, Chunming Qiao, Senior Member, IEEE and Jean-Pierre Hubaux, Fellow, IEEE Abstract—Secure distance-based localization in the presence of cheating beacon (or anchor) nodes is an important problem in mobile wireless ad hoc and sensor networks. Despite significant research efforts in this direction, some fundamental questions still remain unaddressed: In the presence of cheating beacon nodes, what are the necessary and sufficient conditions to guarantee a bounded error during a two-dimensional distance-based location estimation? Under these necessary and sufficient conditions, what class of localization algorithms can provide this error bound? In this paper, we attempt to answer these and other related questions by following a careful analytical approach. Specifically, we first show that when the number of cheating beacon nodes is greater than or equal to a given threshold, there do not exist any two-dimensional distance-based localization algorithms that can guarantee a bounded error. Furthermore, when the number of cheating beacons is below this threshold, we identify a class of distance-based localization algorithms that can always guarantee a bounded localization error. Finally, we outline three novel distance-based localization algorithms that belong to this class of bounded error localization algorithms. We verify their accuracy and efficiency by means of extensive simulation experiments using both simple and practical distance estimation error models. Index Terms—Wireless networks, distance-based localization, security. 31 I NTRODUCTIONL OCALIZATION or location discovery in distributed wireless networks is the problem of determining thelocation, with respect to some local or global coordi- B1 (x1, y1 ) B2(x2, y2) T ′ (xT ′ , yT ′ ) B1 (x1, y1 ) z1 z2 ′ z3 B3(x′3, y3) ′ B2 (x2, y2) ′ z2nate system, of a (mobile) device in the network in an z1 T (xT , yT ) z3efficient and accurate fashion. Distributed localization T (xT , yT ) B4(x4, y4) z4 z4 z3protocols in such networks can be broadly classified B3 (x3, y3) B4 (x4, y4)into range-based and range-free techniques [1]. Range- B3(x3, y3)based techniques can be further classified into twobroad categories, viz., (a) Beacon-based techniques and(b) Beacon-free techniques. In this work, we focus pri-marily on beacon-based localization algorithms. Beacon- (a) (b)based algorithms such as [2], [3], [4], [5], [6], [7], [8], Fig. 1. Distance-based (range-based) localization (a)[9] require the presence of special nodes, called beacon Trilateration (b) Cheating beaconsor anchor nodes, which know their own location andare strategically placed in the network. Other nodesfirst compute the distance (or angle) estimates to a set tively, act as beacon nodes. The target node T estimatesof neighboring beacons and then estimate their own distances z1 , z2 , z3 and z4 , respectively, to these beaconlocation using basic trilateration (or triangulation). The nodes and computes its own location (xT , yT ) by tri-working of a two-dimensional beacon-based localization lateration. Efficient techniques for estimating distancesscheme using distance estimates to neighboring beacons such as Received Signal Strength Indicator (RSSI) [10],is shown in Figure 1(a). Time of Arrival (ToA) [11], and Time Difference of Arrival In Figure 1(a), nodes B1 , B2 , B3 and B4 located at (TDoA) [12] exist and have been successfully used in thepositions (x1 , y1 ), (x2 , y2 ), (x3 , y3 ) and (x4 , y4 ), respec- various beacon-based localization protocols listed above. Although beacon-based techniques are very popular in• Murtuza Jadliwala and Jean-Pierre Hubaux are with the Laboratory for computer Communications and Applications (LCA1) at the Ecole Poly- most wireless systems, they have one shortcoming. Most technique F´d´rale de Lausanne (EPFL), Lausanne, CH-1015, Switzerland. e e beacon-based techniques in the literature assume that the E-mail: {murtuza.jadliwala,jean-pierre.hubaux} nodes acting as beacons always behave honestly. It is• Sheng Zhong, Shambhu Upadhyaya and Chunming Qiao are with the Department of Computer Science and Engineering, State Uni- not surprising that beacon-based methods perform well versity of New York at Buffalo, Buffalo, NY 14260, USA. E-mail: when all the beacon nodes are honest. But their accuracy {szhong,shambhu,qiao} Sheng Zhong was supported in suffers considerably in the presence of malicious or part by NSF CNS-0845149. cheating beacon nodes. Beacons can cheat by broadcast-
  2. 2. 2 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, X 2009ing their own locations inaccurately or by manipulating bounded error. We transition from theory to practicethe distance estimation process, thus adversely affecting by proposing three illustrative algorithms that belong tothe location computation by the other nodes. This is this class of robust distance-based algorithms. The firstdepicted in Figure 1(b). In this figure, we can see that algorithm, called the Polynomial Time algorithm, uses anbeacon nodes B1 , B2 and B4 behave honestly, whereas exhaustive search strategy to provide good localization ′beacons B3 and B3 cheat. This causes the target node T accuracy with a polynomial (cubic) run-time complexityto compute its location incorrectly as (xT ′ , yT ′ ) instead (in terms of the number of available beacons) in theof (xT , yT ). worst case. But in practice, the Polynomial Time algo- Earlier research efforts in securing distance-based lo- rithm runs very inefficiently. To overcome this problem,calization techniques have focused on either removing we propose two other algorithms. These algorithms usethis (over)dependence on beacon nodes ( [13], [14], [15]) simple heuristics to securely compute locations and haveor on minimizing the effects of malicious beacons ( [16], a much better execution efficiency. Finally, we verify[17]) during localization. But before delving into the pos- the performance of these algorithms through extensivesible solutions for secure localization, we feel that there simulation experiments and present a detailed compara-is a need to address the following questions that have tive analysis based on the simulation results. We alsobeen ignored by earlier research efforts: Under what extend the existing localization framework to includecondition(s) do there exist algorithms that can overcome more practical distance estimation error models andthe cheating effect of malicious beacons? How do we also study their effect on the accuracy of the proposeddetermine these algorithms when these condition(s) are localization algorithms.satisfied, if at all? What kind of guarantee on the solution The rest of the paper is organized as follows. In Sectionquality (in terms of bounds on the error in localization) 2, we provide some background on secure localizationcan such algorithms provide? None of the research ef- and discuss the related work, and in Section 3 we presentforts undertaken previously provide an answer to all the network and adversary model. In Section 4, we de-these questions. Eren et al. [18] study the problem of rive the conditions for secure distance-based localizationdistance-based localization from a theoretical standpoint and define the class of bounded error distance-basedand provide conditions for unique network localization localization algorithms. In Section 5, we propose threeusing graph rigidity theory, but their results assume non- algorithms that belong to this class and in Section 6cheating beacon nodes. What has been missing in the we discuss their simulation results. In Section 7, weliterature is a comprehensive theoretical framework for extend the existing localization framework to includestudying the hardness and feasibility of the distance- more practical distance estimation error models. Webased localization problem in the presence of cheat- conclude the paper with a summary of contributions anding beacons. A systematic analytical study would not some directions for future research in Section 8.only help in designing efficient algorithms to solve thisproblem, but would also help in deriving performance 2 BACKGROUND AND R ELATED W ORKbounds guaranteed by these algorithms, thus facilitating In this section, we survey some earlier research effortsan effective comparative analysis. In this paper, we at- towards securing distance-based localization schemes.tempt to fill this gap between theory and practice by first Most of the prior works in this area have followed one ofestablishing the necessary and sufficient conditions for the following two themes – (1) detection and eliminationthe problem of secure distance-based localization in the of cheating nodes, or (2) localization in the presence ofpresence of cheating beacon nodes and then outlining a cheating nodes and large errors.class of algorithms that can always guarantee a boundedlocalization error. Specifically, we make the following contributions. 2.1 Malicious Node Detection and EliminationFirst, we prove that if the number of malicious beacons One approach followed by researchers to secureis greater than or equal to n−2 , where n is the total num- 2 distance-based localization approaches is to detect theber of beacons providing distance information, then no cheating nodes and eliminate them from considerationalgorithm can guarantee a bounded localization error for during the localization process. Liu et al. [17] proposeall cases. In other words, as long as the above inequality a method for securing beacon-based localization byholds, any distance-based algorithm will fail to estimate eliminating malicious data. This technique, called attack-the target location within a small error bound for at resistant Minimum Mean Square Estimation (MMSE), takesleast one scenario or set-up of beacons. Next, we show advantage of the fact that malicious location referencesthat there exist algorithms that provide a guaranteed introduced by cheating beacons are usually inconsis-degree of localization accuracy (for all the cases), if the tent with the benign ones. Similarly, the Echo locationnumber of malicious beacons is less than or equal to n−3 . 2 verification protocol proposed by Sastry et al. [19] canThese two inequalities are also referred to as the necessary securely verify location claims by computing the relativeand sufficient conditions for robust localization. Given the distance between a prover and a verifier node using theabove conditions, we define a class of distance-based ˘ time of propagation of ultrasound signals. Capkun et al.localization algorithms that can always localize with a [20] shortlist various attacks related to node localization
  3. 3. JADLIWALA et al.: SECURE DISTANCE-BASED LOCALIZATION IN THE PRESENCE OF CHEATING BEACON NODES 3in wireless sensor networks and propose mechanisms nodes. However, SeRLoc is based on the assumptionsuch as authenticated distance estimation, authenticated that jamming of the wireless medium is not feasible.distance bounding, verifiable trilateration and verifiable To overcome this problem, Lazos et al. [29] also presenttime difference of arrival, to secure localization. Pires a hybrid approach, called RObust Position Estimationet al. [21] propose protocols to detect malicious nodes (ROPE), which unlike SeRLoc, provides robust locationin distance-based localization approaches by detecting computation and verification without centralized man-message transmissions whose signal strength is incom- agement and vulnerability to jamming. In another recentpatible with its originator’s geographical position. In research effort by Misra et al. [30], the authors pro-another similar work by Liu et al. [22], the authors pose a convex optimization based scheme to secure thepropose techniques to detect malicious beacon nodes by distance-based localization process, which uses Barrier’semploying special detector nodes. method to solve the optimization problem.2.2 Robust Localization Schemes 2.3 Discussion Malicious node detection and elimination strategies, asThe second approach towards securing localization is discussed in Section 2.1, take into account the incon-to design techniques that are robust enough to tolerate sistency (caused by cheating behavior) in measurementthe cheating effect of malicious nodes (or beacons), of a particular network parameter in order to detectrather than explicitly detecting and eliminating them. cheating nodes. One shortcoming of such an approach isPriyantha et al. [4] propose the CRICKET system that the requirement that verifier nodes have to be completelyeliminates the dependence on beacon nodes by using honest. Moreover, these solutions do not provide anycommunication hops to estimate the network’s global fixed guarantees of the number of detected cheatinglayout, and then apply force-based relaxation to optimize beacon nodes or the accuracy of the ensuing localizationthis layout. Some other research attempts also try to algorithms. Any undetected cheating beacon node willsolve the secure localization problem by formulating only add to the error of the localization as a global optimization problem. For example, Li On the contrary, a majority of the localization schemeset al. [16] develop robust statistical methods such as discussed in Section 2.2 attempt to improve the robust-adaptive least squares and least median squares to make ness of the localization procedure by employing opti-beacon-based localization attack-tolerant. Alternatively, mization techniques. The main focus of these schemesDoherty et al. [23] address the problem of beacon-based is to minimize the effect of inconsistent or erroneouslocalization in the presence of large range measurement data on the overall localization accuracy. Some short-errors, and describe a localization method using con- comings of such a strategy includes the complexity of thenectivity constraints and convex optimization. Moore et proposed solutions, e.g., [14], [25]; or sometimes the re-al. [24] formulate the localization problem in wireless quirement of special hardware and equipment, e.g., [28].sensor networks as a two-dimensional graph realization Moreover, most of the research efforts in this directionproblem and describe a beaconless (anchor-free), dis- have failed to study the feasibility of the distance-basedtributed, linear-time algorithm for localizing nodes in localization problem under adverse conditions.the presence of large range measurement noise. Liu In view of the above, our primary goal here is to con-et al. [17] design an intelligent strategy, called voting- duct a thorough analytical study of the distance-basedbased scheme, where the deployment area is divided into localization problem in the presence of cheating beacons.a grid of cells such that the target node resides in The secure distance-based localization framework andone of the cells. Every beacon node votes on each cell the associated results that we present in this paper aredepending on the distance between the target node and very general. The algorithms for secure localization thatitself and the location of the target node is estimated as we propose achieve provable security and are computa-being within the cell that had the maximum number of tionally feasible and efficient. As a matter of fact, it willbeacon votes. In another approach, Yi et al. [25] and Ji be clear later that the class of bounded error distance-et al. [14] apply efficient data analysis techniques such based localization algorithms proposed in this paperas Multi-Dimensional Scaling (MDS) using connectivity also includes other algorithms such as the optimization-information and distances between neighboring nodes based scheme by Misra et al. [30] and the voting-basedto infer target locations. Fang et al. [15] model the technique by Liu et al. [17]. Next, we first outline thelocalization problem as a statistical estimation problem. network and adversary model for the secure distance-The authors use Maximum Likelihood Estimation (MLE) in based localization framework.order to estimate the most probable node location, givena set of neighborhood observations. Recently, ideas fromcoding theory have also been applied to achieve robust 3 N ETWORK AND A DVERSARY M ODELlocalization, for example [26], [27]. In another work, In our network model, a device M in a non-trustworthyLazos et al. [28] propose a range independent distributed environment, wants to compute its own location bylocalization algorithm using sectored antennas, called using distance estimates to a set of beacon nodes. TheseSeRLoc, that does not require any communication among beacon nodes know their own locations and may or may
  4. 4. 4 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, X 2009not cheat about their locations to the other nodes. The all the malicious beacon nodes (all Bi ∈ H) and decidestarget node M and the beacon nodes are currently as- ˜ di for them. This is a very strong adversary model thatsumed to be located on a two-dimensional area (plane), in addition to independent adversaries also covers alli.e., the location of each of these entities can be rep- possibilities of collusion.resented as two-dimensional coordinates (x, y) where, As a distance-based localization strategy is assumedx, y ∈ R. here, the output O of the corresponding localization Suppose that the target node M has a total of n beacon algorithm can be defined by a function F of the mea-nodes available for localization. Let these beacon nodes ˜ sured distances (di ) from the device M to every availablebe denoted as B1 , . . . , Bn . Among these n beacons, ˜ ˜ beacon node, i.e., O = F (d1 , . . . , dn ).some beacons are malicious (or cheating beacons). Let k The error e of the localization algorithm is the expecteddenote the number of malicious or cheating beacons. It is value of the Euclidean distance between the actual po-important to note that k is not necessarily known to the sition of M and the one output by the algorithm, i.e.,target node or to any of the honest beacons. However, e = E[dst(M, O)].the value of k clearly has a great influence on whether In the next section, we outline the framework fora bounded localization error can be achieved or not. bounded error distance-based localization in the pres-Let kmax (≤ n) be an upper bound on the number of ence of malicious beacon nodes.malicious nodes, i.e., kmax is the maximum number ofmalicious nodes that can exist in the network at anytime. The parameter kmax is a system or environment-dependent constant and is assumed to be known to the 4 B OUNDED E RROR D ISTANCE - BASED L O -localization algorithm. CALIZATION Beacons that are not malicious are honest, i.e., theyfully cooperate with the localization protocol by dis- Before describing our secure localization framework, weclosing the information as truthfully as possible. More derive the necessary condition for bounded error local-details on the cheating behavior by the beacon nodes will ization in the presence of cheating beacons. This con-follow shortly. Regardless of being honest or dishonest, dition fixes the minimum number of beacons requiredeach beacon Bi provides1 M with a measurement di of ˜ to correctly compute the target node location by usingthe distance between Bi and M . The precise distance just the distance information, assuming that some of thebetween Bi and M is the Euclidean distance between beacon nodes will cheat during localization.the position coordinates of Bi and M , and is denoted bydst(Bi , M ). Let the set of honest beacons be denoted by ˜H. Then, for each beacon Bi ∈ H, di is a random variable 4.1 Necessary Conditionthat follows some probability distribution, denoted as ˜msr(dst(Bi , M )), such that E[di ] = dst(Bi , M ), i.e., the In order to achieve a bounded localization error, theexpected (mean) value of the estimated distance di for ˜ first step is to derive a threshold for the number ofeach beacon Bi in H, is the precise distance between malicious beacons k (in terms of the total number ofthe beacon Bi and the node M . In the case when Bi available beacons n) such that if k is greater than oris honest, the difference between the estimated and the equal to this threshold then no algorithm would be abletrue distance is very small, i.e., to guarantee a bounded localization error just based on the distances to the beacon nodes. Consequently, having ˜ |di − dst(Bi , M )| < ǫ (1) the number of malicious beacons below this threshold is a necessary condition for getting a bounded localizationwhere ǫ is the maximum distance estimation error. Ide- error out of any distance-based localization, this difference should be zero, but such discrepan- This condition is given by Theorem 4.1.cies in distance estimates can occur due to measurementerrors, either at the source or target. Currently, ǫ can be Theorem 4.1. Suppose that k ≥ n−2 . Then, for any distance- 2assumed to be a small constant. Later in Section 7, we based localization algorithm, for any locations of the beacons,extend the current network model to include a more there exists a scenario in which e is unbounded.practical representation for the distance estimation error. For each beacon Bi ∈ H, i.e., a cheating beacon, the For the sake of brevity, we skip the proof of this ˜corresponding di is a value selected (possibly arbitrarily) theorem. Interested readers can find the proof in [31].by the adversary such that it may or may not follow Theorem 4.1 proves that having n−2 or more cheating 2Equation 1. Note that we allow colluding attacks in this beacons makes it impossible to compute the location ofmodel, i.e., we assume that a single adversary controls the target node M with a bounded error. In the next set of results, we establish that having n−3 or fewer cheating 2 1. In practice, each beacon Bi actually provides M with some beacons makes it possible to compute the location of ˜information from which the distance di can be computed efficiently M with a bounded error. This condition can also beby M . In order to simplify the current exposition, we assume that ˜Bi provides M the distance measurement di directly. This should not regarded as a sufficient condition for secure and robustaffect the presented results. distance-based localization.
  5. 5. JADLIWALA et al.: SECURE DISTANCE-BASED LOCALIZATION IN THE PRESENCE OF CHEATING BEACON NODES 54.2 Class of Robust Localization Algorithms continuous region r such that r is contained in the intersectionBefore defining the class of algorithms that can achieve of at least k + 3 rings.bounded error localization in the presence of cheating The class of robust localization algorithms definedbeacons, let us introduce some terminology used for its above is a non-empty class of algorithms. This statementdefinition (See Figure 2). For each beacon Bi , define a follows from the following theorem that proves that as Continuous Arc long as k ≤ n−3 , it is always possible to find a non- 2 Inner Boundary Circle empty continuous region r satisfying the requirements of Definition 4.4. Theorem 4.2. For k ≤ n−3 , there exists a non-empty 2 2ǫ continuous region r in the intersection of at least k + 3 rings. B1 B3 For the sake of brevity, we skip the proof for this theorem. Interested readers can find the proof in [31]. In fact, an example algorithm that belongs to this Outer Boundary Circle B2 class is the voting-based localization scheme proposed Continuous Region by Liu et al. [17]. In this scheme, the authors compute Critical Point the intersection region by dividing the entire localization area into a square grid, and then take a vote for each can- didate location on the grid. The candidate locations withFig. 2. Terminology for the class of robust localization the maximum votes belong to the intersection area. Inalgorithms another similar research effort, Misra et al. [30] estimate the target location by approximating the centroid of thering2 Ri using the following inequality: intersection region using convex optimization. Although ˜ ˜ reasonably accurate, both the voting-based scheme by di − ǫ < dst(Bi , X) < di + ǫ. Liu et al. and the optimization technique by Misra etAs mentioned in Section 3, ǫ is assumed to be a constant al. are computationally intensive. In Section 5, we willdenoting some (small) maximum distance estimation propose three novel algorithms in this class of robusterror. Clearly, there are altogether n rings. The bound- localization algorithms. But, first we derive the worst-aries of these n rings consists of 2n circles — called the case error bound for this class of algorithms.boundary circles. In particular, the inner circle of the ringis called an inner boundary circle and the outer circle is 4.3 Error Bound Analysiscalled an outer boundary circle. To analyze the error bound of algorithms in this class,Definition 4.1. A point is a critical point if it is the two new definitions are needed.intersection of at least two boundary circles. Definition 4.5. The beacon distance ratio (γ) is defined asDefinition 4.2. An arc is a continuous arc if it satisfies the the minimum distance between a pair of beacons divided byfollowing three conditions: the maximum distance between a beacon and the target device. • The arc is part of a boundary circle. minBi ,Bj dst(Bi , Bj ) • It is either a complete circle or an arc with two distinct γ= maxBi dst(Bi , M ) end points, both of which are critical points. • There is no other critical point inside the arc. Definition 4.6. Consider the lines going through pairs of beacons. Denote by ang(Bi Bj , Bi′ Bj ′ ) the angle betweenDefinition 4.3. An area is a continuous region if it satisfies lines Bi Bj and Bi′ Bj ′ — to avoid ambiguity, we requirethe following two conditions: that 0◦ ≤ ang(Bi Bj , Bi′ Bj ′ ) ≤ 90◦ . The minimum beacon • The boundary of this area is one or more continuous arcs. angle (α) is defined as the minimum of such angles. • There is no other continuous arc inside the area. α= min ang(Bi Bj , Bi′ Bj ′ ) Bi ,Bj ,Bi′ ,Bj ′ The class of robust localization algorithms can then bedefined as follows. The following theorem bounds the maximum localiza- tion error possible in the presented robust localizationDefinition 4.4. A localization algorithm is in the class of framework.robust localization algorithms if its output is a point in a Theorem 4.3. For k ≤ n−3 , if ǫ ≪ minBi dst(Bi , M ) and 2 2. Note that although we use a ring to model the error between the there are no three beacons in the same line, then the outputactual distance and the measured distance, it does not imply that weassume a circular or disc like coverage for each beacon. Given that each error of any algorithm in the class of algorithms for robustbeacon is equipped with an omni-directional antenna (with an irregular localization, as defined in Definition 4.4, istransmission/coverage pattern) with some maximum transmissionrange and maximum distance estimation error ǫ, the distance sent from 2ǫeach beacon to M , regardless of where M is relative to the beacon, can e< arcsin(γ sin(α/2))be assumed to lie within a ring. min sin 2 , cos arcsin(γ 2 sin(α/2))
  6. 6. 6 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, X 2009 Proof: Consider the continuous region r in the inter- Therefore, V1 V2 V3 V4 is actually a rhombus. In a rhombus,section of at least k + 3 rings (by Theorem 4.2). As there the farthest distance between two points is the length ofare at most k dishonest beacons, at least 3 of these rings its longer diagonal line. Therefore,belong to the set of honest beacons. Suppose that R1 , R2 , 2ǫand R3 are these three rings, and let r′ be the continuous e = dst(M, O) ≤ sin(∠V2 V1 V3 )region in the intersection of R1 , R2 , and R3 . It is clear 2ǫthat r′ contains r. As O is in r, clearly O is also in r′ . = ∠V2 V1 V4Next, let’s show that M is also in r′ . As M is also in the sin 2intersection of R1 , R2 , and R3 , to show that M is in r′ 2ǫonly the following lemma is needed, a proof of which ≈ ang(B1 M,B2 M ) ang(B1 M,B2 M ) min sin 2 , sin 90◦ − 2can be found in the Appendix:Lemma 4.4. If ǫ ≪ minBi dst(Bi , M ) and there are no three 2ǫbeacons in the same line then the intersection of R1 , R2 , and ≤ arcsin(γ sin(α/2)) arcsin(γ sin(α/2))R3 has only one continuous region. min sin 2 , cos 2 From Lemma 4.4 we have established that both M andO are in r′ . We will use this fact to show that 2ǫ 4.4 Discussion e< We now discuss the security implications of the analyti- min sin arcsin(γ 2 sin(α/2)) , cos arcsin(γ 2 sin(α/2)) cal results that have been presented so far. Theorems 4.1But before this result can be proved, we need another and 4.2 prove that if a total of n beacons are availablelemma that characterizes the angle formed by M with for localization, then secure distance-based localizationthe honest beacon pairs. The proof of the lemma can be is possible if and only if there are no more than n−3 2found in the Appendix. cheating beacons among them. In other words, if these conditions are satisfied, then no matter how all theLemma 4.5. If there are no three beacons in the same line, malicious beacons cheat, i.e., individually or in collusionthen either with each other, a bounded error (given by Theorem 4.3) can always be guaranteed. It is not possible for ang(B1 M, B2 M ) ≥ arcsin(γ sin(α/2)), cheating beacons, even by colluding with every other cheating beacon, to localize the target node such that theor localization error is greater than this upper bound, i.e., ang(B1 M, B3 M ) ≥ arcsin(γ sin(α/2)). they cannot succeed in localizing the target node outside of the continuous region formed by the intersection of at Using Lemma 4.5, without loss of generality let us least k + 3 rings. In the worst case, the cheating beaconsassume that (maximum k) can influence the size of this continuous ang(B1 M, B2 M ) ≥ arcsin(γ sin(α/2)). region in the intersection of at least k + 3 rings (still bounded by the 3 honest beacon rings) or can colludeDenote by r′′ , the continuous region in the intersection to maximize the localization error (Theorem 4.3) of theof R1 and R2 that contains r′ . As both M and O are in target node within the continuous region. This can easilyr′ , they should also be in r′′ . be thwarted by considering the continuous region in the Each of the two rings involved has a pair of circles. intersection of a maximum number, but at least k + 3,Consider the four intersection points of these two pairs rings. Finally, if Theorem 4.1 is not satisfied, then aof circles. Without loss of generality, suppose that the continuous region in the intersection of at least k+3 ringsfour intersection points are V1 , V2 , V3 , and V4 , ordered cannot be guaranteed and cheating beacons can makein the clockwise direction, and that ∠V2 V1 V4 is acute. As the localization error arbitrarily large. If the adversaryǫ ≪ minBi dst(Bi , M ), r′′ can be approximated using the model, in this case, is relaxed to remove the possibilityquadrangle V1 V2 V3 V4 . It is easy to show that of collusion, then simple majority-based schemes such as the voting [17] can be used for securing localization. ang(V1 V2 , B1 M ) ≈ 90◦ ≈ ang(V3 V4 , B1 M ) In the next section, we propose three novel algorithms that belong to the class of robust localization algorithmsThus, it is clear that the line V1 V2 is parallel to the line and can guarantee a bounded localization error.V3 V4 . Similarly, we can get that the line V1 V4 is parallelto the line V2 V3 . Therefore, V1 V2 V3 V4 is a parallelogram. 5 B OUNDED E RROR A LGORITHMSFurthermore, it can be seen that The class of robust localization algorithms, as defined 2ǫ in Definition 4.4, contains algorithms that output the ∠V2 V1 V3 = arcsin dst(V1 , V3 ) location of a target in the continuous region of at least = ∠V3 V1 V4 . k + 3 rings. In this section, we propose three algorithms
  7. 7. JADLIWALA et al.: SECURE DISTANCE-BASED LOCALIZATION IN THE PRESENCE OF CHEATING BEACON NODES 7that belong to this class. The first algorithm, called the 1: Let S be a set initially containing the two boundaryPolynomial Time algorithm, has a polynomial time (in circles of ring R1terms of number n of available beacons) worst-case 2: for i = 2, . . . , n docomputational complexity, which is much faster than an 3: Let Si be a set initially containing the two bound-exhaustive search of all the grid points [17]. However, ary circles of ring Riin practice it is still very slow. We also propose two 4: for each arc in S and each arc in Si doheuristic-based algorithms. It is not known if their worst- 5: if the above two arcs intersect thencase complexity is any better than that of the Polynomial 6: Split each of these two arcs using the intersec-Time algorithm. Yet, the probability of reaching the tion(s), and replace them in the correspondingworst-case is less and the heuristic-based algorithms run arc sets (S or Si ) with the new splitted arcsefficiently in most cases and for most network topolo- (result of the splitting operation)gies. Recall that all the three algorithms work under the 7: end ifcondition k ≤ n−3 . Thus, an upper bound for k (number 2 8: end forof malicious beacons) can be defined as kmax = n−3 . All 2 9: Let S = S ∪ Sithe algorithms presented here output a point within the 10: end forcontinuous region r in the intersection of kmax + 3 rings 11: for each arc cj in S doas the location of the target node, but they differ in the 12: Set the corresponding counter λj to 0way they determine this point. 13: for i = 1, . . . , n do 14: if Ri is related to cj then5.1 Polynomial Time Algorithm 15: λj = λj + 1 16: end ifBefore outlining details of the Polynomial Time algo- 17: end forrithm, we give a lemma that defines the relationship 18: if λj ≥ kmax + 2 thenbetween a continuous region and a continuous arc. 19: if cj is on an inner boundary circle thenDefinition 5.1. A ring is related to a continuous arc if the 20: Output is defined on the side out of this circlecontinuous arc is inside, but not on the boundary of this ring. 21: else if cj is on an outer boundary circle then 22: Output is defined on the side inside this circleLemma 5.1. Suppose that r is a continuous region and c 23: end ifis a continuous arc on the boundary of r. Then, r is in the 24: Stop the algorithmintersection of at least k + 3 rings if and only if at least k + 2 25: end ifrings are related to c. 26: end for (We skip the proof of Lemma 5.1 as it is very straight- Algorithm 1: Polynomial Time Algorithmforward.) The main idea behind the Polynomial Time algorithmis that in order to determine a continuous region in the an exhaustive search to determine the boundary of theintersection of at least kmax + 3 rings, it is sufficient to continuous region in the intersection of kmax + 3 ringscount the number of rings related to each continuous and then outputs a point within it as the target location.arc, and then find a continuous arc such that at least But there are other efficient ways to estimate such a pointkmax +2 rings are related to it (It is easy to check whether with a high probability, as discussed next.a ring is related to a continuous arc by comparing thedistance between the arc’s end points and the center ofthe ring to the inner and outer radii of the ring). Once 5.2 Heuristic 1such an arc is found, depending on whether the arc is The first heuristic attempts to estimate the target locationon an outer boundary circle or an inner boundary circle, around a critical point that lies on the intersection of aa point can be picked from either the inner region or the large number of rings. It can be observed that kmax + 3outer region of the arc respectively. The details of the is already a large number of rings (more than half ofPolynomial Time algorithm are shown in Algorithm 1. the total number of rings in the network). We need to determine the region r contained in at least kmax + 3Lemma 5.2. The worst-case time complexity of the Polyno- rings. It is highly probable that the rings containing suchmial Time algorithm (Algorithm 1) is O(n3 log n). a region r are intersecting with large numbers of other Although the worst-case time complexity of Algorithm rings. In other words, if a ring, say Ri , is intersecting1 is polynomial (cubic) in terms of the total number of with a large number of rings then it is very likely thatavailable beacons, it does not perform very efficiently Ri contains r. Therefore, the heuristic first considers thein practice. Simulation experiments (discussed later in rings intersecting with a large number of other rings inSection 6.2) show that it runs rather slowly for most order to determine the critical point around which thecases. This is because, it always computes all the possible target location is guessed. This continues until a targetcontinuous arcs and searches among them for a related location within the continuous region in the intersectionarc that satisfies Lemma 5.1. In other words, it first uses of at least kmax + 3 rings is estimated. The details of
  8. 8. 8 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, X 2009Heuristic 1 are outlined in Algorithm 2, as shown below. 1: Count the number of rings intersecting with each ring 1: Count the number of rings intersecting with each 2: for each ring Ri , in the order of decreasing number ring of rings intersecting with it do 2: for each ring Ri , in the order of decreasing number 3: for each ring Rj , Rj+1 , Rj+2 |Rj , Rj+1 , Rj+2 = Ri , of rings intersecting with it do in the order of decreasing number of rings inter- 3: for each ring Rj , Rj = Ri , in the order of decreas- secting with it do ing number of rings intersecting with it do 4: Compute the intersection points of the boundary 4: Compute the intersection points of the boundary circles of Ri and Rj , Ri and Rj+1 and Ri and circles of Ri and Rj Rj+2 5: for m = 1, . . . , γ do 5: Choose a point (x1 , y1 ) from the intersection of 6: Choose a random intersection point computed the ring pair Ri , Rj at random. Similarly, choose above intersection points (x2 , y2 ) and (x3 , y3 ) from the 7: Choose a random point O near this inter- other two pairs section point (such that the distance between 6: Compute O = ( x1 +x2 +x3 , y1 +y2 +y3 ) 3 3 them is less than ǫ) 7: Count the number of rings containing O 8: Count the number of rings containing O 8: if there are at least kmax + 3 rings containing O 9: if there are at least kmax + 3 rings containing then O then 9: Output O10: Output O 10: Stop the Algorithm11: Stop the Algorithm 11: end if12: end if 12: end for13: end for 13: end for14: end for Algorithm 3: Heuristic 215: end for Algorithm 2: Heuristic 1 6 E VALUATION The next heuristic attempts to further improve the The evaluation of the proposed robust localization al-quality of localization, by trying to estimate a point gorithms includes the verification of accuracy and ef-closer to the center of the continuous region formed by ficiency of each of these algorithms and comparisonkmax + 3 intersecting rings. with other known techniques such as the voting-based scheme by Liu et al. [17]. The simulations for these algo- rithms are carried out for varying values of parameters5.3 Heuristic 2 such as beacon node distribution, number of malicious beacon nodes and distance estimation error of the targetThe second heuristic tries to guess the location of the node. Currently, we do not evaluate any network-specifictarget closer to the center (or centroid) of the continuous property of these algorithms such as the communi-region of at least kmax + 3 intersecting rings. This is cation overhead. This is because these algorithms, asbecause the actual location of the target is more likely proposed currently, are very general and properties suchto be near the center of the continuous region than as communication overhead would depend on networknear the boundary. Thus, assuming that the continuous specific factors such as hardware, signal type, rangingregion is convex, we first compute three distinct critical technique and the network topology. In the first partpoints, instead of just one, that lie on the intersection of a of this simulation-based analysis, we aim to comparelarge number of rings. If (x1 , y1 ), (x2 , y2 ) and (x3 , y3 ) are the performance of the proposed algorithms under idealthe coordinates of these critical points, the coordinates network conditions with a small independent distance(xM , yM ) of the target location are guessed by computing estimation error. Later in Section 7, we extend the initialthe centroid of the triangle formed by (x1 , y1 ), (x2 , y2 ) simple simulation setup to include more realistic dis-and (x3 , y3 ), as shown below: tance estimation error models. Results from these initial x1 + x2 + x3 simulation experiments will serve as a stepping stone for xM = improving these algorithms further and porting them to 3 y1 + y2 + y3 more complex network platforms and environments. yM = 3If this guessed point (xM , yM ) lies in the intersection of 6.1 Simulation Setupkmax + 3 rings, then it is output as the location of the The simulation area consists of a 500m × 500m twotarget, otherwise the procedure is repeated for a new set dimensional terrain. The optimal number and placementof critical points. Details of this heuristic are outlined in of beacon nodes is important. But as optimal beaconAlgorithm 3 (or Heuristic 2) shown below. placement is not the main focus of this paper, we assume
  9. 9. JADLIWALA et al.: SECURE DISTANCE-BASED LOCALIZATION IN THE PRESENCE OF CHEATING BEACON NODES 9 1.2 13 2.5 6 Average Localization Error (meters) Average Localization Error (meters) 12.5 5.75 Average Simulation Time (Secs) Average Simulation Time (Secs) 12 5.5 1 11.5 2 11 5.25 10.5 5 0.8 10 4.75 9.5 1.5 9 4.5 0.6 8.5 4.25 8 1 4 0.4 7.5 3.75 7 3.5 6.5 0.5 0.2 6 3.25 5.5 3 5 2.75 0 4.5 0 4 2.5 3.5 2.25 -0.2 3 -0.5 2 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Number of Malicious Nodes Number of Malicious Nodes Number of Malicious Nodes Number of Malicious Nodes (b) (a) (c) (d) Legend: ǫ = 0m; ǫ = 1m; ǫ = 2m; ǫ = 3m; ǫ = 4m; ǫ = 5mFig. 3. Simulation of the Polynomial Time algorithm (a) Localization error vs No. of malicious nodes and (b) Simulationtime vs No. of malicious nodes with measurement error uniformly distributed between [−ǫ, +ǫ]. (c) Localization error vsNo. of malicious nodes and (d) Simulation time vs No. of malicious nodes with measurement error normally distributed ǫbetween [−ǫ, +ǫ] with mean 0 and standard deviation 2 .a small but reasonable beacon node population of 43 bea- can be seen that the average localization error shows ancon nodes (approximately 1 beacon for every 10m×10m), increasing trend when ǫ increases, which is very natural.which is scattered uniformly over the 500m × 500m When ǫ = 0, e is also 0. The reason is that in thisarea. The position of the target node is also uniformly case the continuous region is just a single point in theselected and there is no node mobility (beacon or target). intersection of at least kmax + 3 rings. Also it can be seenCurrently, the maximum radio ranges of the nodes are that e increases as k increases. This is consistent with theselected such that every beacon node is available for intuition that more number of malicious beacon nodeslocalization (≈ 250m). In this set of simulations, we should decrease localization precision. For lower valuesassume an independent distance estimation error se- of k, i.e., k < kmax , more honest rings are available for lo-lected from some fixed distribution. In order to verify the calization, resulting in a smaller sized continuous regionaccuracy and efficiency of the proposed algorithms for and thus a more accurate localization. As the number ofdifferent distributions of the distance estimation error, malicious nodes increases, the number of honest ringswe simulate the algorithms for both uniformly and diminishes and thus the quality of localization decreases.normally distributed distance estimation errors. For each Figure 3(b) depicts the average execution time of theof these distributions, we intend to study the influence of Polynomial Time algorithm under varying values of kthe number of malicious beacons (k) and the maximum and ǫ. From the figure, we can see that the averagedistance measurement error (ǫ) on the localization error simulation time does not increase very sharply with k.and the execution time of the algorithms. This observation is also not surprising because in all the cases the Polynomial Time algorithm always computes all the possible continuous arcs. Increasing the value6.2 Polynomial Time Algorithm of k does not guarantee a lower number of continuousIn this section, we discuss the simulation results for the arcs because the locations of the malicious beacons arePolynomial Time algorithm. selected uniformly over the 500m × 500m area. But the simulation time increases with an increase in the value6.2.1 Experiments with Uniform Measurement Error of ǫ. This is because, for lower values of ǫ, the innerIn the first set of simulations, we evaluate the Polynomial and outer boundary circles are much closer to eachTime algorithm for the case when the distance estima- other (width of the ring is smaller) as compared totion error is uniformly distributed between [−ǫ, ǫ]. We higher values of ǫ, thus resulting in lesser number ofobserve the performance of the algorithm for increasing possible continuous arcs. In summary, the maximumvalues of ǫ, as the number k of malicious nodes increases localization error of the Polynomial Time algorithm isfrom 0 up to some maximum tolerable value. As the less than 1m for a maximum distance error of 5m (fortotal number of available beacons is fixed (n = 43), the Uniform distribution case), which is an error ratiothe maximum number of malicious beacons that the ( e ) of approximately 0.2. The maximum simulation time ǫalgorithm can tolerate is 43−3 = 20 (from Theorem 4.2). for this case is just under 12 secs, which is a bit high. 2The algorithm is executed for each value of ǫ from 0mto 5m in steps of 1m and for each value of k from 0 to 6.2.2 Experiments with Normal Measurement Error20 (kmax = 20). We then plot the average localization To verify that the evaluation results are consistent anderror e as an average of the error in localization of the not restricted to a particular distribution, we repeat thetarget over 100 runs of the algorithm (See Figure 3). In simulations for the Polynomial Time algorithm usingeach new run, the beacon and target nodes are assigned a normally distributed distance measurement error. Allnew positions, the coordinates of which are uniformly other simulation parameters are kept unchanged exceptselected over the 500m × 500m area. From Figure 3(a), it that the distance measurement error takes values from a
  10. 10. 10 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. X, NO. X, X 2009truncated normal distribution with mean 0 and standard the slight increase in the simulation time is that more ǫdeviation 2 . To make sure that the distance estimation number of malicious beacons make it harder to find theerror always takes values between −ǫ and ǫ, the normal right continuous region (in the intersection of kmax + 3distribution is modified such that the probability density rings). For all values of k and ǫ, the average localizationoutside [−ǫ, +ǫ] becomes 0; the probability density inside error of Heuristic 1 is just under 25m, which is an errorthe interval [−ǫ, +ǫ] is scaled up a little, accordingly. ratio ( e ) of around 0.5, whereas the execution time in the ǫ Figures 3(c) & 3(d) show the plots for the simulation worst case is less than 0.035 secs.results. Figure 3(c) plots the average localization errorfor each pair of (k, ǫ) when the distance estimation 6.3.2 Experiments with Normal Measurement Errorerror follows a normal distribution. Figure 3(d) shows Once again, to ensure that the evaluation results arethe corresponding simulation time plot. We can observe not restricted to only uniformly distributed errors, thethat these plots are analogous to Figures 3(a) and 3(b), simulations for Heuristic 1 are repeated with a normallyrespectively, except that the localization error increases distributed distance estimation error. All other experi-more slowly with k in the current case. These plots verify ment parameters are unchanged. The distance measure-that the behavior of the Polynomial Time algorithm is ment error follows a normal distribution with mean 0consistent for other distributions of the distance mea- ǫ and standard deviation 2 . As before, the distributionsurement error as well. In summary, we observe that is modified such that the probability density outsidealthough the accuracy of the Polynomial Time algorithm [−ǫ, +ǫ] becomes good, it is very inefficient and slow, with execution Figure 4(c) plots the average localization error e fortime in the order of seconds. each pair of (k, ǫ) when the measurement error follows a normal distribution. Figure 4(d) plots the corresponding6.3 Heuristic 1 simulation time. We can observe that the curves are analogous to those in Figures 4(a) and 4(b) respectively,In this section, we discuss the evaluation of Heuristic 1. except that the localization error e increases much more slowly with k.6.3.1 Experiments with Uniform Measurement ErrorSimilar to the Polynomial Time algorithm, we first eval-uate Heuristic 1 for uniformly distributed values of 6.4 Heuristic 2the distance measurement error. The simulation of the The values of the simulation parameters for Heuristic 2algorithm is run for each value of ǫ from 0m to 50m are similar to those used for Heuristic 1. As before, wein steps of 10m and for each value of k from 0 to 20 evaluate Heuristic 2 for both uniformly and normally(kmax = 20). Note that here we have drastically increased distributed distance measurement errors. Plots of thethe value of ǫ, compared to the previous experiments. simulation results are shown in Figures 4 (e), (f), (g)It would be worthwhile to observe the effects of larger & (h). One very obvious trend in the plot for averagemeasurement errors on the localization accuracy and localization error e, as can be seen from Figures 4 (e)execution time of Heuristic 1. Average localization error & (g), is that the error does not increase with k, bute is plotted as an average of the error in localization of increases with ǫ. In other words, k does not influence thethe target node over 1000 runs (See Figure 4 (a) & (b)). In localization accuracy of the algorithm in a major way,each run, the beacons and target node are assigned new which is a good thing. This trend in the localizationpositions, coordinates of which are uniformly selected accuracy is also not surprising. Because here we areover the 500m × 500m area. computing the centroid of the three boundary points, From Figure 4(a), we can see that the average localiza- the localization accuracy depends on the width of rings,tion error e increases as ǫ increases, which is an intuitive which in turn depends on the value of ǫ. The executionobservation. Also, e increases as k increases. This is time, however, decreases with the increase in ǫ. This isalso consistent with the intuition that more number of because, for larger values of ǫ, the continuous region ismalicious beacon nodes decreases localization precision. larger thus making it more probable that the computedFor lower values of k, i.e., k < kmax , more honest centroid lies within the continuous region. For the uni-rings are available for localization, resulting in a smaller form distribution case, the error ratio ( e ) is just under ǫ 10region of intersection and eventually a more precise 50 = 0.2, which is similar to the one provided by thelocalization. As the number of malicious nodes increases, Polynomial Time algorithm. Also, the execution time inthe number of honest rings reduces (but still satisfying the worst case is around 0.01 seconds (see Figure 4 (f)),the necessary and sufficient conditions), and thus the which is much faster (roughly, 1000 times) as comparedquality of localization decreases. to the Polynomial Time algorithm. Figure 4(b) shows that the average simulation time From the above experimental results, we can concludeof Heuristic 1 increases in k, but increases only very that both the Polynomial Time algorithm and Heuristicslightly. This observation is also not surprising because 2 have very good localization accuracy, but Heuristic 2the algorithm is computing the intersection of the same runs very efficiently compared to the other two algo-number of rings for each value k. The main reason for rithms and outperforms them in execution speed.