ANovelSecureLocalizationApproachin WirelessSensorNetworks

Hindawi Publishing CorporationEURASIP Journal on Wireless Communications and NetworkingVolume 2010, Article ID 981280, 12 pagesdoi:10.1155/2010/981280

Research Article

A Novel Secure Localization Approach inWireless Sensor Networks

Honglong Chen,1 Wei Lou,1 and Zhi Wang2

1 Department of Computing, The Hong Kong Polytechnic University, Kowloon, Hong Kong2 State Key Laboratory of Industrial Control Technology, Zhejiang University, Hangzhou 310027, China

Correspondence should be addressed to Honglong Chen, [email protected]

Received 11 February 2010; Revised 14 June 2010; Accepted 3 November 2010

Academic Editor: Xiang-Yang Li

Copyright © 2010 Honglong Chen et al. This is an open access article distributed under the Creative Commons AttributionLicense, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properlycited.

Recent advances in wireless networking technologies, along with ubiquitous sensing and computing, have brought significantconvenience for location-based services. The localization issue in wireless sensor networks under the nonadversarial scenariohas already been well studied. However, most existing localization schemes cannot provide satisfied performance under theadversarial scenario. In this paper, we propose three attack-resistant localization schemes, called basic TSCD, enhanced TSCDand mobility-aided TSCD secure localization schemes, respectively, to stand against the distance-consistent spoofing attack inwireless sensor networks. The idea behind the basic TSCD scheme is to adopt the temporal and spatial properties of locators todetect some attacked locators firstly and then utilize the consistent property of the detected attacked locators to identify otherattacked locators. Enhanced TSCD and mobility-aided TSCD schemes are designed based on the basic TSCD scheme to improvethe performance. Simulation results demonstrate that our proposed schemes outperform other existing approaches under thesame network parameters.

1. Introduction

Wireless sensor networks (WSNs) [1] have increasinglydrawn attentions of researchers in the areas of wirelesscommunication, sensor technology, distributed systems, andembedded computing. These sensor networks consist of alarge number of low-cost, low-power, and multifunctionalsensor nodes that communicate through wireless media.Various WSN applications have been proposed, for example,military target tracking, environment monitoring, medicaltreatment, emergency rescue and smart home, and so forth.A fundamental requirement in the above applications is thelocation awareness of the system. Therefore, the acquisitionof sensors’ location becomes an important issue since sensingresults without location information are mostly inapplicable.Considering the nature of random deployment of mostsensor networks, it is laborious, if not impossible, to prede-termine the location of each sensor node before deployment.A common approach in most localization schemes is touse enough special nodes, called locators or beacons, which

can obtain their locations by GPS or from infrastructure.Locations of normal sensor nodes are then estimated byinteracting with locators to obtain the distance or angleinformation. Once the location information of at least threenoncollinear locators are available, the relative positions ofthe sensors can be converted into physical positions.

Energy efficiency, accuracy and security account forthe major metrics in localization systems. The former twometrics have already been investigated for nearly a decadeand a large amount of achievements [2–4] have beenpublished. The security, however, has been addressed only inrecent years. In practice, localization schemes in WSNs maywork under the adversarial scenario where malicious attacksexist. For example, a simple replay attack [5] can modifythe distance measurement, leading to the malfunction of thelocalization schemes. Therefore, it is necessary to design asecure localization scheme which can be competent in thehostile environment.

There are many different kinds of attackers in thehostile wireless sensor networks. Generally, these attackers

2 EURASIP Journal on Wireless Communications and Networking

can be classified into two categories, external attackers andinternal attackers [6]. External attackers can distort thenetwork behavior without the system’s authentication, whileinternal attackers are authenticated ones, and thus, moredangerous to the system security. Most attacks in WSNsare coming from the aforementioned two types of attackers.For instance, the wormhole attack [7] is conducted bytwo colluding external attackers, and the false position anddistance dissemination attack [8] is accomplished by aninternal attacker.

In range-based localization procedure, the internalattackers can revise the measured distances randomly todisrupt the localization. This kind of attack can be defendedusing the consistency check method proposed in [9]. How-ever, if the attackers do not revise the measured distancesrandomly, but make the modified distances be consistent,which is called the distance-consistent spoofing attack, thestrategy proposed in [9] will be failed under this scenario. Inthis paper, the distance-consistent spoofing attack in WSNs istherefore investigated, based on which we propose an attack-resistant localization scheme, called basic TSCD (TemporalSpatial Consistent based Detection) secure localization. Byfurther exploring the consistency and the mobility propertiesof the sensor, enhanced TSCD and mobility-aided TSCDschemes are proposed, respectively, to improve the localiza-tion performance. Simulation results demonstrate that ourproposed schemes achieve better performance than existingapproaches under the same network settings.

The main contributions of this paper are summarized asfollows.

(i) We address a new distance-consistent spoofing attackwhich can easily attack the localization in WSNs,

(ii) We summarize four secure properties of a WSN whenit is under the distance-consistent spoofing attack,

(iii) We propose three secure localization schemes, whichmake use of these properties to detect and defendagainst the distance-consistent spoofing attack,

(iv) We conduct theoretical analysis on the probabilityof identifying all the attacked locators, which isvalidated by simulations,

(v) We analyze the effects of network parameters on theperformance of our proposed schemes and comparethem with other existing methods.

The remainder of this paper is organized as follows. InSection 2, we provide the related work on secure localization.Section 3 gives the problem statement and Section 4 sum-marizes four secure properties of wireless communicationin WSNs. In Section 5, the basic TSCD, enhanced TSCD,and mobility-aided TSCD schemes are proposed as well asthe theoretical analysis. Section 6 presents the performanceevaluation and Section 7 concludes the paper and putsforward our future work.

2. Related Work

There have been some recent achievements [5] on securelocalization. In [10], message authentication is used to

prevent wholesale beacon location report forgeries, and alocation reporting algorithm is proposed to minimize theimpact of compromised beacons. Lazos et al. propose arobust positioning system called ROPE [11] that allowssensors to determine their locations without centralizedcomputation. In addition, ROPE provides a location veri-fication mechanism that verifies the location claims of thesensors before data collection. DRBTS [12] is a distributedreputation-based beacon trust security protocol aimed atproviding secure localization in sensor networks. Based on aquorum voting approach, DRBTS drives beacons to monitoreach other and then enables them to decide which should betrusted.

To provide secure location services, Liu et al. [13]introduce a suit of techniques to detect malicious beaconsthat supply incorrect information to sensor nodes. Thesetechniques include a method to detect malicious beaconsignals, techniques to detect replayed beacon signals, theidentification of malicious beacons, the avoidance of falsedetections, and the revoking of malicious beacons. By clus-tering of benign location reference beacons, Wang et al. [14]propose a resilient localization scheme that is computationalefficiency. In [15], robust statistical methods are proposed,including triangulation and RF-based fingerprinting, tomake localization attack-tolerant. SPINE [8] is a range-basedpositioning system that enables verifiable multilaterationand verification of positions of mobile devices for securecomputation in the presence of attackers. In [16], a securelocalization scheme is presented to make the locationestimation of the sensor secure, by transmission of nonces atdifferent power levels from the beacon nodes. In [17], Chenet al. propose to make each locator build a conflicting-set andthen the sensor can use all conflicting sets of its neighboringlocators to filter out incorrect distance measurements of itsneighboring locators. The limitation of the scheme is that itonly works properly when the system has no packet loss. Asthe attackers may drop the packets purposely, the packet lossis inevitable when the system is under a wormhole attack.The distance-consistency-based secure localization schemeproposed in [18, 19] can also tolerate the packet loss.

By localizing the sensor node with directional anten-nae equipped on locators, SeRLoc [20] is robust againstwormhole attacks, sybil attacks and sensor compromises. Onthe basis of SeRLoc, HiRLoc [21] further utilizes antennarotations and multiple transmit power levels to providericher information for higher localization resolution. Liu etal. [9] propose two secure localization schemes. The firstone is attack-resistant Minimum Mean Square Estimation,which filters out malicious beacon signals by the consistencycheck. The other one is voting-based location estimation.However, SeRLoc requires directional antennae which arecomplex in real deployment. The schemes in [9] wouldfail under the distance-consistent spoofing attack when theattacked location references are malicious colluding ones,that is, consistent. The TSCD secure localization scheme,proposed in this paper, is able to conquer both the twodrawbacks. It does not require any complex hardware, andworks well even when the revised distance measurements ofthe attacked locators are consistent. In addition, it consumes

EURASIP Journal on Wireless Communications and Networking 3

less computation time than that of [9] while obtaining betterperformance.

3. Problem Statement

In this section, the network model and related assumptionsas well as the localization approach are given, followed by theattack model which we focus on.

3.1. Network Model. We assume that there are three typesof nodes in a WSN, namely locators, sensors, and attackers,respectively. The locators are location-fixed nodes whichknow their coordinates after deployment. The sensors,while continuously moving around the network, estimatetheir own locations by measuring distances to neighboringlocators. Each sensor and locator has its own unique identi-fication and they also share a hash function which is used forthe verification (we will describe it in next subsection). Theattackers, known as adversarial nodes, intentionally disturbthe localization procedure of the sensors. A pair of attackerscan collude to spoof a sensor in the network. We assumethat all the nodes in the network have the same transmissionrange R. However, the communication range between twocolluded attackers is unlimited as they can communicatewith each other using certain communication technique.

We also assume that the locators are deployed indepen-dently with a density of ρl, and the probability that a sensorhears k locators follows the Poisson distribution: P(LS =k) = ((πR2ρl)

k/k!)e−πR2ρl . Each locator is able to measure

the distances to neighboring sensors. The measurement errorfollows a Gaussian distribution N(μ, σ2), where the mean μis 0 and the standard deviation σ is within a threshold. Theattackers also measure the distances to neighboring locatorsand send the distance measurements to its colluder—anotherattacker—to replay the measurements to a sensor in anotherregion, thus providing faulty measurements.

3.2. Localization Approach. As a sensor always moves aroundin the network, it continuously changes its locations. When-ever needed, the sensor can rely on the localization procedureto determine its current position. The localization procedureis as follows. The sensor maneuvers in the region, stopsand broadcasts a requesting signal Loc request including itslocal timestamp ts to its neighboring locators whenever itneeds localization. Upon receiving the Loc request signal,each locator, within the communication range of the sensor,estimates the distances to the sensor based on the Loc requestsignal (e.g., TDoA [3] or RSSI [22]). Then each locatorreplies a Loc ack signal to the sensor which includes its ID,the measured distance and H(ts), here H(·) denotes the hashfunction shared by the nodes in the network. When receivingthe Loc ack signal from its neighboring locator, the sensorwill check whether theH(ts) in Loc ack is valid by comparingit with its own generated hash number H(ts). The sensor willonly accept the verified Loc ack signal.

The sensor also measures the response time of eachlocator during the above process to eliminate the randomdelay at the MAC layer of the locators. Once enough distance

measurements obtained, the sensor starts location estimationusing the maximum likelihood estimation (MLE) method[23]: Assume that the coordinates of the n neighboring loca-tors of the sensor are (x1, y1), (x2, y2), (x3, y3), . . . , (xn, yn),respectively, and the distance measurements from the nlocators to the sensor are d1, d2, d3, . . . , dn. Then thelocation of the sensor, denoted as X =

[xy

], can be obtained

by

X =(ATA

)−1ATb, (1)

where

A =

⎡⎢⎢⎢⎢⎢⎢⎢⎣

2(x1 − xn) 2(y1 − yn

)

2(x2 − xn) 2(y2 − yn

)

......

2(xn−1 − xn) 2(yn−1 − yn

)

⎤⎥⎥⎥⎥⎥⎥⎥⎦

,

b =

⎡⎢⎢⎢⎢⎢⎢⎢⎣

x21 − x2

n + y21 − y2

n − d21 + d2

n

x22 − x2

n + y22 − y2

n − d22 + d2

n

...

x2n−1 − x2

n + y2n−1 − y2

n − d2n−1 + d2

n

⎤⎥⎥⎥⎥⎥⎥⎥⎦.

(2)

3.3. Attack Model. In this paper, we consider an adversarialWSN where a pair of colluding attackers can launch a so-called distance-consistent spoofing attack. In [9], the attackercan only revise the distance measurement randomly todisrupt the localization procedure. The distance consistencycheck proposed in [9] claimed that all distance measure-ments from neighboring locators to a sensor are consistent,that is, these distance measurements can converge to anidentical location. Therefore, this distance consistency checkscheme can be used to resist such kind of attack effectivelybecause the malicious distance measurements generatedby attacker will be inconsistent. In the distance-consistentspoofing attack, to increase their capacity of localizationdisrupting, the colluding attackers can deliberately revise thedistance measurement messages sent from all the attackedlocators and make the revised distance measurements fake avirtual location, which makes the distance consistency checkscheme lose its efficacy. Note that the attackers in this paperbelong to the internal attackers, which can revise the messagecontent in the network, but they are not able to compromiseany node in the network which requires more resource forthe attackers. For example, the attackers cannot obtain thehash function H(·) shared by the nodes. Therefore, theycannot generate fake messages for nonexisted locators due tothe verification procedure with H(ts).

An example of the distance-consistent spooking attack isshown in Figure 1(a). As two colluding attackers A1 and A2

can communicate with each other via an attack link, locatorsL4, L5 and L6 can, therefore, communicate with the sensor Sthrough the attack link. For L6, the Loc request signal sentfrom S travels through the attack link to reach L6, and L6

responds a Loc ack signal. Attacker A1 measures the distance


LocatorSensorAttacker

L4

2R A1

d5

d6

d′5

d′6A2

L5

L6

L3

Attack linkd4

d′4

R

L2

L1

S

(a)


A1

S3

2RA2

L5

L6

L3

Attack linkS1

L4

RS2

L2

L1

S

(b)

Figure 1: The attack scenarios in WSN. (a) Attacker model in range-based localization; (b) Attacked locators with temporal and spatialproperties.

to L6 as d6 after receiving the Loc ack signal. A1 forwards theLoc ack signal with the distance measurement informationto A2 through the attack link. A2 modifies the distancemeasurement information in the Loc ack signal to makeit consistent with others. For example, when A2 receivedthe message sent from L6 to S, if A2 modifies the distancemeasurement information in the message to be d6 and relaysthe message to S, S will consider the distance to L6 as d6

instead of the actual distance d′6. Similarly, S considers thedistances to L4 and L5 as d4 and d5, respectively, instead of theactual distances d′4 and d′5. Consequently, the revised distancemeasurements d4, d5 and d6 will be consistent, and they canconverge to an identical location, that is, the point of A1 inFigure 1(a).

4. Secure Properties andCorresponding Detection Schemes

In this section, we summarize the characteristics of a WSN asfour secure properties when it is under a distance-consistentspoofing attack: the temporal property of the locators, thespatial property of the locators, the consistent propertyof the legitimate locators, and the consistent property ofthe attacked locators. The detection schemes are thereforeproposed based on the corresponding properties. Thoughthe detection schemes based on the temporal and spatialproperties have been used in [20] and the detection schemebased on the consistent property of legitimate locators hasbeen used in [9], we jointly use these properties to defendagainst the distance-consistent spoofing attack.

4.1. Temporal Property and Corresponding Detection Scheme

4.1.1. Temporal Property. The sensor can receive at mostone message from the same locator for each localizationprocedure. That is, if the sensor receives more than onesignals from a locator, this locator is attacked.

4.1.2. Detection Scheme D1 Based on Temporal Property. Asshown in Figure 1(b), suppose an attacked locator lies inthe shading domain S1, which is the common transmissionarea of sensor S and attacker A1. When S broadcasts theLoc request signal, L4 can hear it twice, one directly from S,and the other from A1 which is replayed by A2 to A1 throughthe attack link. L4 will also reply the Loc ack signal throughthese two pathes. Therefore, S will receive more than onemessages from L4, based on which S can determine that L4

is attacked.The sensor S can also differentiate the correct distance

message from the incorrect one based on the followingscheme: As the localization approach only countervails thetime delay at the MAC layer of the locators when measuringthe response time of the message, if the message goes throughthe attack link, the MAC layer delay introduced by the twoattackers still exists. Therefore, the response time of therevised Loc ack signal from L4 to S, which travels through theattack link, will be longer than that of the original Loc acksignal which travels from L4 to S directly. S will consider theLoc ack signal with a shorter response time from a locator tobe correct while treating the other as attacked.

4.2. Spatial Property and Corresponding Detection Scheme

4.2.1. Spatial Property. The sensor cannot receive messagesfrom two different locators for each localization procedure ifthe distance between these two locators are larger than 2R.That is, if the sensor has received messages from two locatorswhose distance between each other is larger than 2R, one ofthese two locators is attacked.

4.2.2. Detection Scheme D2 Based on Spatial Property. Whenan attacked locator lies farther than 2R away from one ofthe legitimate locators, the sensor can detect it based on thespatial property. As shown in Figure 1(b), L5 is an attackedlocator which lies farther than 2R away from L1. S can detect


that one of the two locators is attacked. To differentiate theattacked locator from these two locators, observing that theMAC layer delay introduced by the attackers will increase theresponse time of the Loc ack signal sent from the attackedlocator, the response time of the message from the attackedlocator will be longer than the one from the legitimatelocator. Therefore, by comparing the response time of thetwo locators, S can further determine that the locator witha longer response time is the attacked one, which is L5 in thiscase.

4.3. Consistent Property of Legitimate Locators and Corre-

sponding Detection Scheme

4.3.1. Consistent Property of Legitimate Locators. Assumethat the coordinates of the n locators are (x1, y1),(x2, y2), (x3, y3), . . . , (xn, yn), and the distance measurementsfrom the n locators to the sensor are d1, d2,d3, . . . ,dn.The estimated location of the sensor is (x, y). The meansquare error of the estimated location δ2 = ∑n

i=1((di −√(x − xi)2 + ( y − yi)

2)2/n). The consistent property of legit-imate locators means that the mean square error of thelocation estimation, generated from legitimate distance mea-surements, is lower than that containing malicious distancemeasurements.

4.3.2. Detection Scheme D3 Based on Consistent Propertyof Legitimate Locators. To detect the attacked locators, apredefined threshold of the mean square error, τ2, has tobe determined in advance. The sensor estimates its locationbased on distance measurements to all its neighboringlocators, and determines whether the mean square errorbased on the estimation result is lower than the threshold.If yes, the estimated result will be considered as correct;otherwise, it calculates its location repeatedly using allpossible subsets of these locators with one fewer locator,and chooses the subset with the least mean square error toeliminate the locator which is out of the subset. The sensorrepeats the above process until the mean square error is lowerthan the threshold or there are only 3 locators left. Note thatthis scheme works only when the majority of locators arelegitimate.

4.4. Consistent Property of Attacked Locators and Correspond-

ing Detection Scheme

4.4.1. Consistent Property of Attacked Locators. The distance-consistent spoofing attack can make the sensor measurethe distances to the attacked locators consistent to a fakelocation. That is, the location estimation based on theattacked locators has a low mean square error.

4.4.2. Detection Scheme D4 Based on Consistent Property ofAttacked Locators. If the sensor has already detected twoor more attacked locators, it can identify other attackedlocators using the consistent property of attacked locators.Let Lts denote the set of attacked locators that have been

detected and Lr denote the set of remaining locators. Thesensor repeats to select one locator Li from Lr each timeand calculates the mean square error based on Lts ∪ {Li}. Ifthe mean square error is lower than the threshold τ2, Li isconsidered as an attacked one; otherwise, Li is considered asa legitimate one. The sensor repeats this until all locators inLr have been checked.

5. TSCD Secure Localization Schemes

In this section, we propose three novel schemes that apply theproperties described in the previous section. We first proposea secure localization scheme, namely basic TSCD (B-TSCD),which applies the temporal property, spatial property, andconsistent property of attacked locators. Based on B-TSCD,we also propose an enhanced TSCD (E-TSCD) scheme whichfurther applies the consistent property of legitimate locators.Another extended scheme, called mobility-aided TSCD (M-TSCD), is further designed to improve the overall perfor-mance. At the end, we analyze the theoretical probability ofidentifying all the attacked locators and the computationalcomplexity of these schemes.

5.1. Basic TSCD Secure Localization. As mentioned above,the idea behind the B-TSCD scheme is to apply thetemporal property, spatial property, and consistent propertyof attacked locators to detect all attacked locators. The sensorfirst applies both temporal and spatial properties to detectsome attacked locators. If two or more attacked locators aresuccessfully detected, the sensor can identify other attackedlocators based on their consistency. After attacked locatorsare removed, the sensor can conduct the localization basedon the remaining locators.

The procedure of B-TSCD is listed in Algorithm 1. Whenthe sensor requires the location estimation, it broadcaststhe Loc request message to the network, and waits for theLoc ack messages from neighboring locators. If it receivesLoc ack messages from the same locator more than once,it uses the detection scheme D1 to distinguish the correctdistance measurement and the spoofing distance measure-ment. Meanwhile, when it receives Loc ack signals fromneighboring locators, it checks whether there are two locatorswhose distance between each other is larger than 2R. If yes,it uses the detection scheme D2 to identify the legitimatelocator and the attacked one. If the sensor has successfullydetected at least two attacked locators, it further uses thedetection scheme D4 to detect all other locators. When allneighboring locators are checked, the sensor conducts theMLE localization based on the remaining locators.

5.2. Enhanced TSCD Secure Localization. In the B-TSCDscheme, if the sensor fails to detect at least two attackedlocators based on the detection schemes D1 and D2, itcannot use the detection scheme D4. It then conducts thelocalization using the remaining locators. However, theremay still exist some attacked locators undetected, leadingto the deterioration of the localization. The enhancedTSCD secure localization (E-TSCD) scheme is based on


(1) Broadcast the Loc request message.(2) Wait for the Loc ack message, conduct the distance

estimation and calculate the response time of each locator.(3) Use the detection schemes D1 and D2 to detect attacked locators.(4) if the detected attacked locators ≥ 2 then(5) Use the detection scheme D4 to detect other attacked locators.(6) end if(7) Conduct the MLE localization based on the remaining locators.

Algorithm 1: Basic TSCD secure localization scheme.

the observation that if the sensor cannot use the detectionschemes D1 and D2 to detect two attacked locators, thesensor most likely has more legitimate neighboring locatorsthan undetected attacked ones. Therefore, if the sensor hasdetected fewer than two attacked locators, it can further usethe detection scheme D3 to detect other attacked ones.

The procedure of the E-TSCD is shown in Algorithm 2.The sensor firstly uses the schemes D1 and D2 to detectattacked locators. If the number of detected attacked locatorsis over two, the detection scheme D4 is used to detect otherattacked locators; otherwise, the sensor uses the detectionscheme D3 to eliminate other attacked locators. At the end,the MLE localization based on the remaining locators is usedto obtain the location result. Note that we do not use thoseattacked locators detected from the detection scheme D3as a priori for conducting the detection scheme D4. Thoselocators are considered “attacked” because they are beyondthe distance consistency threshold. However, these excessesmight be not due to the attack, but other reasons, such as themeasurement error.

5.3. Mobility-Aided TSCD Secure Localization. As the sensormoves around, it may need to conduct the localization pro-cess continuously because its location continues changing.We assume that a sensor periodically conducts the localiza-tion process and marks itself a state after the localization.The sensor marks itself with an attacked state if it detectsany attacked locator; otherwise, it marks itself with a safestate. Thus, there will be four possible state transitionsfor the two consecutive states of a sensor, which is shownin Figure 2: (1) from previous safe state to current safestate; (2) from previous safe state to current attacked state;(3) from previous attacked state to current safe state; and(4) from previous attacked state to current attacked state.Although the historical data obtained from the previoussecure localization process may not be useful in the formerthree state transitions, it can be used in the last statetransition to assist the sensor to detect the current attackedlocators.

We propose an extended secure localization scheme,called mobility-aided TSCD (M-TSCD), which allows asensor to utilize its historical data to detect the currentattacked locators. For the sensor, if it detects some attackedlocators based on the temporal and spatial properties, itknows that it is currently in an attacked state. Then, itchecks its historical data and treats all those detected attackedlocators in the previous state as the attacked locators in the

current state. It also records the current detected attackedlocators as the historical data for the next state. Otherwise,if it detects no attacked locator, it empties the historicaldata. Since the attacked locators recorded in the historicaldata for the previous state are also considered attacked onthe current state, it increases the probability that a sensordetects at least two attacked locators. If the detected attackedlocators are more than two, the sensor can use the detectionscheme D4 to detect other attacked locators; otherwise,it uses the detection scheme D3 to detect other attackedlocators. Finally, it conducts the MLE localization based onthe remaining locators. The procedure of M-TSCD is shownin Algorithm 3.

Note that there is a precondition for the M-TSCDscheme, which assumes that the distance between twoconsecutive localization processes is relatively short so thatwhen a distance-consistent spoofing attack occurs on thecurrent state it is impossible for another different distance-consistent spoofing attack to occur on the previous state orthe next state. In other words, if the sensor is attacked onboth the previous state and current state, these two attackscome from the same attack source and they attack the samegroup of locators. This precondition makes sense when thedensity of the attack sources is low and the behavior of theattack sources does not change dramatically.

5.4. Probability of Identifying All Attacked Locators. To ana-lyze the probability of identifying all the attacked locators forthe B-TSCD scheme, we assume for simplicity that the sensorcan achieve this goal if it can detect at least two attackedlocators. We denote the disk with center U and radius Ras DR(U). As illustrated in Figure 3, the overlapped regionof the transmission areas of the sensor S and attacker A1 isdenoted as S1.

As shown in Figure 3, when the sensor is under thedistance-consistent spoofing attack, the probability that itlies in the region dxdy equals to dx dy/πR2. Assumingthat the sensor can identify m attacked locators using thedetection scheme D1 and identify n attacked locators usingthe detection scheme D2, the probability that the sensor canidentify at least two attacked locators using schemes D1 andD2 can be calculated as

Pxy = 1− P(m = 0)P(n = 0)− P(m = 0)P(n = 1)

− P(m = 1)P(n = 0),(3)



estimation and calculate the response time of each locator.(3) Use the detection schemes D1 and D2 to detect attacked locators.(4) if the detected attacked locators ≥ 2 then(5) Use the detection scheme D4 to detect other attacked locators.(6) else(7) Use the detection scheme D3 to detect other attacked locators.(8) end if(9) Conduct the MLE localization based on the remaining locators.

Algorithm 2: Enhanced TSCD secure localization scheme.

1 S A 4

2

3

Figure 2: State transitions of the sensor in a WSN under thedistance-consistent spoofing attack. S and A denote the safe stateand attacked state, respectively.

where

P(m = 0) = e−S1ρl ,

P(m = 1) = S1ρle−S1ρl ,

P(n = 0) = e−S2ρl ,

P(n = 1) = S2ρle−S2ρl .

(4)

Here, S2 is the region in DR(A1) which is more than2R away from at least one of the locators in DR(S), that is,the area of the corresponding shadow region S2 in Figure 3.Note that all the locators in DR(A1) are attacked by thedistance-consistent spoofing attack, and if any locator lies inS2, the sensor can identify it as an attacked locator using thedetection scheme D4.

Thus, we can obtain

P = 1πR2

∫∫

DR(A2)\S1

Pxydx dy, (5)

where

Pxy = 1− e−(S1+S2)ρl[1 + (S1 + S2)ρl

],

S1 = 2R2arccosL

2R− L

√√√√(R2 − L2

4

).

(6)

L is the distance between S and A1 as shown in Figure 3.For the E-TSCD and M-TSCD schemes, the probability

of identifying all the attacked locators cannot be explicitlyrepresented as a mathematical formula. However, the proba-bility P obtained from the B-TSCD scheme can be consideredas the lower bound of that probability for these two schemes.

6. Simulation Evaluation

In this section, we evaluate the performance of our pro-posed schemes in terms of the probability of successfullocalization and time consumption. The localization isconsidered successful if the distance difference between theestimated position and the real position of the sensor is lessthan a threshold. Because of the existence of the distancemeasurement error, the sensor’s position estimated by thelocalization algorithm cannot be the same as its real positioneven there has no attack at all. When the attack exists,the sensor’s estimated position may be further deviated.Therefore, we consider the localization of the sensor tobe successful under the attack if the distance between theestimated position without the attack and the real position,say d1, and the distance between the estimated positionwith the attack detection and the real position, say d2,satisfy the condition d2 ≤ 2d1. That is, the localizationis considered successful if the impact of the attack onthe localization is bounded by the double of the distancemeasurement error. We also interest in the time consumptioncost of the proposed algorithms considering the energy-constrained nature of sensor nodes. As the communicationcost is similar among different algorithms, the difference oftime consumption cost indicates the effectiveness of thesealgorithms.

We adopt the following parameters in our simulation: thetransmission range R = 15 m; the density of locators ρl =0.006/m2 (with the average degree of the network equals to4.24); the standard deviation of the distance measurementerror σ = 0.5; the threshold of the mean square error usedin the consistent property is 1. The label L/R of the x axisdenotes the ratio of the distance L between the sensor S andthe attacker A1 to the transmission range R.

Figure 4 shows the performance comparison of thefollowing schemes: the scheme using only the temporal andspatial properties (TSD), the scheme using the consistencyproperty of legitimate locators (CD) [9], B-TSCD, E-TSCDand M-TSCD. For the M-TSCD scheme, we assume that thesensor conducts the localization periodically and we denotethe distance for two consecutive localization processes asthe length of one step. We can see that all TSCD schemesyield much better performance than the other two schemes,especially when L/R is less than 2. Among these TSCD



estimation and calculate the response time of each locator.(3) Use the detection schemes D1 and D2 to detect attacked locators.(4) if the attacked locators are detected then(5) Treat previous detected attacked locators as current detected attacked locators.(6) Update the historical data with current detected attacked locators.(7) else(8) Empty the historical data.(9) end if(10) if the current detected attacked locators ≥ 2 then(11) Use the detection scheme D4 to detect other attacked locators.(12) else(13) Use the detection scheme D3 to detect other attacked locators.(14) end if(15) Conduct the MLE localization based on the remaining locators.

Algorithm 3: Mobility-aided TSCD secure localization scheme.


2R

L2

2R

2R

A1

S1

S2A2

Attack link

dx

L1

L3

dy

S

Figure 3: Theoretical analysis of the mathematical probabilityunder the distance-consistent spoofing attack.

schemes, E-TSCD achieves an improvement over B-TSCD,and M-TSCD outperforms E-TSCD.

As the signals from attacked locators always come laterthan that from legitimate ones, an intuitive approach,referred to as first-three-locators scheme, is to only take thefirst-three-signals from neighboring locators into account forthe sensor’s localization. However, due to the existence ofdistance measurement errors, the first-three-locators schemewill deteriorate the localization accuracy remarkably. Thereason is that it takes no account of the remaining legitimatelocators when there exist more than three legitimate locators.Figure 5 shows the performance comparison of the first-three-locators scheme and the B-TSCD scheme at differentdensities of locators. The simulation result shows that theB-TSCD scheme outperforms the first-three-locators schemedramatically for all densities of locators.

0.2

0.3

0.4

Pro

babi

lity

ofsu

cces

sfu

lloc

aliz

atio

n

0.5

0.6

0.7

0.8

0.9

1

0 0.5

TSD

CDB-TSCD

E-TSD

M-TSCD

1 1.5 2 2.5 3 3.5 4

L/R

Figure 4: Performance of existing schemes and our schemes (thestep length is 0.25R for the mobility-aided TSCD scheme).

The effects of ρl on the performance of B-TSCD andE-TSCD are shown in Figures 6(a) and 6(b), respectively.From both figures, we can see that as the ρl increases, theprobability of successful localization also increases. This ismainly because the increase of ρl enlarges the probabilityof detecting at least two attacked locators by the temporaland spatial properties. However, when ρl is large enough,the improvement of increasing ρl is insignificant. Theperformance of B-TSCD, when ρl is large, is similar to thatof E-TSCD. Therefore, A tradeoff can be made betweenhardware deployment (applying B-TSCD when ρl is large)and computation capability (applying E-TSCD).

The effect of the step length on the performance ofM-TSCD is shown in Figure 7, compared to the E-TSCDscheme. It can be observed that M-TSCD with different


0

0.2

Pro

babi

lity

ofsu

cces

sfu

lloc

aliz

atio

n

0.4

0.6

0.8

1

0.006 0.008

First-three-locatorsB-TSCD

0.01 0.012 0.014 0.016 0.18 0.02

Density of locators

Figure 5: Performance of the first-three-locators scheme and theB-TSCD scheme.

step lengths all outperform E-TSCD. For M-TSCD, theperformance is increased when the step length increases.However, as the step length increases, the probability thatthe historical data are valid also gets lower. To get the bestperformance, a tradeoff of the step length should also betaken into account.

Figure 8 validates the correctness of the theoretical anal-ysis of the probability of successfully identifying all attackedlocators. The maximum difference between the simulationand the mathematical result is about 3%, showing that thetheoretical analysis matches the simulation result quite well.

To study the time consumption of each scheme, weconducted 20,000 times self-localization in a simulationprogram running on a PC with Pentium 2.4 G CPU. Figure 9shows the time consumed by TSD, CD, B-TSCD, E-TSCD,and M-TSCD, respectively. Apparently, TSD scheme is themost timesaving and CD scheme consumes the most timesince the detection scheme D3 is the most time-consumingscheme. As E-TSCD uses the detection scheme D3 whenfewer than two attacked locators are detected by the detectionschemes D1 and D2, it requires more time than B-TSCD.Compared to E-TSCD, M-TSCD increases the probabilityof detecting at least two attacked locators, which lowers theprobability to use the detection scheme D3. Therefore, M-TSCD always consumes less time than E-TSCD, and does lessthan B-TSCD when L/R is over 1.5. When the L/R is over 2.5,M-TSCD is even comparable to TSD.

Figures 10, 11, and 12 show the effects of the packetloss on the performance of B-TSCD, E-TSCD and M-TSCDsecure localization schemes, respectively. For the packet loss,we assume that when the distance d between two nodes isless than αR, there is no packet loss; when d is within [αR,R],the probability of packet loss is (d − αR)/(R − αR), where0 ≤ α ≤ 1. From Figures 10, 11, and 12, we can find thatwhen increasing the packet loss ratio (reducing α), the securelocalization performance of our proposed three schemes will

0.8

0.82

0.84

0.86

Pro

babi

lity

ofsu

cces

sfu

lloc

aliz

atio

n

0.88

0.9

0.92

0.94

0.96

0.98

1

0 0.5

ρl = 0.006

ρl = 0.012ρl = 0.018

1 1.5 2 2.5 3 3.5 4

L/R

(a)

0.8

0.82

0.84

0.86

Pro

babi

lity

ofsu

cces

sfu

lloc

aliz

atio

n

0.88

0.9

0.92

0.94

0.96

0.98

1

0 0.5

ρl = 0.006

ρl = 0.012ρl = 0.018

1 1.5 2 2.5 3 3.5 4

L/R

(b)

Figure 6: Performance evaluation: (a) the effect of ρl on basic TSCDscheme; (b) the effect of ρl on enhanced TSCD scheme.

descend. However, even when α = 0.85, the descending scalesof the performance of the three schemes are limited (lessthan 10%), which indicates that our proposed schemes areeffective when the packet loss exits.

7. Conclusion and Future Work

In this paper, we address the distance-consistent spoofingattack in hostile wireless sensor networks and discuss thedrawbacks of the existing secure localization schemes. Basedon the secure properties of wireless communication underthe distance-consistent spoofing attack, we propose threesecure localization schemes: basic TSCD, enhanced TSCDand mobility-aided TSCD. We evaluate the performances


0.9

0.91

0.92

0.93

Pro

babi

lity

ofsu

cces

sfu

lloc

aliz

atio

n

0.94

0.95

0.96

0.97

0.98

0.99

1

0 0.5

E-TSCD

M-TSCD, 0.25R step lengthM-TSCD, 0.5R step lengthM-TSCD, 0.75R step length

1 1.5 2 2.5 3 3.5 4

L/R

Figure 7: The effect of step length on mobility-aided TSCD scheme.

0.5

0.55

0.6

0.65

Pro

babi

lity

ofsu

cces

sfu

lloc

aliz

atio

n

0.7

0.75

0.8

0.85

0.9

0.95

1

0 0.5

SimulationTheoretical

1 1.5 2 2.5 3 3.5 4

L/R

Figure 8: Probability of successfully identifying all attacked loca-tors: simulation versus theoretical.

of our proposed schemes and compare them with exitingschemes by simulations. The simulation results demonstratethat our schemes outperform the existing schemes under thesame network parameters.

In this paper, we assume that no region is attacked bymultiple attacks simultaneously. When a sensor is attackedby several attacks simultaneously, it will be very complicatedand difficult to obtain secure localization. A potential solu-tion is to separate the localization from the attack detection.That is, when multiple attacks are detected, the systemcan try to identify the locations of the attackers and theneliminate them. We will focus on the detection of multipleattacks and the localization of the attackers in the future

0

5

10

Tim

eco

nsu

mpt

ion

(s)

15

20

25

30

35

40

0 0.5

TSDCDB-TSCD

E-TSD

M-TSCD

1 1.5 2 2.5 3 3.5 4

L/R

Figure 9: Time consumption of existing schemes and our schemes(the step length is 0.25R for the mobility-aided TSCD scheme).

0.7

0.75

0.8

Pro

babi

lity

ofsu

cces

sfu

lloc

aliz

atio

n

0.85

0.9

0.95

1

0 0.5

α = 0.85α = 0.9α = 0.95

1 1.5 2 2.5 3 3.5 4

L/R

Figure 10: The effect of α on basic TSCD scheme.

work. In the M-TSCD scheme, we have a precondition thatthe distance between two consecutive localization processesis relatively short so that when a distance-consistent spoofingattack occurs on the current state it is impossible for anotherdifferent distance-consistent spoofing attack to occur onthe previous state or the next state. A possible solution torelease this precondition is to verify whether it is attacked bythe same attacker by checking its neighborhood of the twoconsecutive states. The M-TSCD scheme will be conductedonly if the node verifies that it is attacked by the same attackeron the two consecutive states. Thus, the other direction ofour future work is to release this precondition.


0.8

0.82

0.84

0.86

0.88

Pro

babi

lity

ofsu

cces

sfu

lloc

aliz

atio

n

0.9

0.92

0.94

0.96

0.98

1

0 0.5

α = 0.85α = 0.9α = 0.95

1 1.5 2 2.5 3 3.5 4

L/R

Figure 11: The effect of α on enhanced TSCD scheme.

0.8

0.82

0.84

0.86

0.88

Pro

babi

lity

ofsu

cces

sfu

lloc

aliz

atio

n

0.9

0.92

0.94

0.96

0.98

1

0 0.5

α = 0.85α = 0.9α = 0.95

1 1.5 2 2.5 3 3.5 4

L/R

Figure 12: The effect of α on mobility-aided TSCD scheme (thestep length is 0.25R).

Acknowledgment

This work is supported in part by Grants PolyU 5236/06E,PolyU 5243/08E, PolyU 5253/09E, 1-ZV5N, ZJU-SKLICT0903, NSFC 60873223, NSFC 90818010, and by theInternational Cooperative Project of Science and TechnologyDepartment of Zhejiang Province (2009C34002).

References

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci,“A survey on sensor networks,” IEEE Communications Maga-zine, vol. 40, no. 8, pp. 102–105, 2002.

[2] P. Bahl and V. N. Padmanabhan, “RADAR: an in-building RF-based user location and tracking system,” in Proceedings of

the 19th Annual Joint Conference of the IEEE Computer andCommunications Societies (IEEE INFOCOM ’00), pp. 775–784,March 2000.

[3] A. Savvides, C. C. Han, and M. B. Strivastava, “Dynamicfine-grained localization in ad-hoc networks of sensors,” inProceedings of the 7th Annual International Conference onMobile Computing and Networking (INFOCOM ’00), pp. 166–179, July 2001.

[4] T. He, C. Huang, B. M. Blum, J. A. Stankovic, and T. Abdelza-her, “Range-free localization schemes for large scale sensornetworks,” in Proceedings of the 9th Annual InternationalConference on Mobile Computing and Networking (MobiCom’03), pp. 81–95, September 2003.

[5] A. Srinivasan and J. Wu, “A survey on secure localization inwireless sensor networks,” Encyclopedia of Wireless and MobileCommunications, 2007.

[6] Y. C. Hu, A. Perrig, and D. B. Johnson, “Ariadne: a secure on-demand routing protocol for ad hoc networks,” in Proceedingsof The 8th Annual International Conference on Mobile Comput-ing and Networking, pp. 12–23, September 2002.

[7] Y. C. Hu, A. Perrig, and D. B. Johnson, “Packet leashes: adefense against wormhole attacks in wireless networks,” inProceedings of the 22nd Annual Joint Conference on the IEEEComputer and Communications Societies, pp. 1976–1986, April2003.

[8] S. Capkun and J. P. Hubaux, “Secure positioning of wirelessdevices with application to sensor networks,” in Proceedingsof the 24th Annual Joint Conference of the IEEE Computer andCommunications Societies (INFOCOM ’05), pp. 1917–1928,Miami, Fla, USA, March 2005.

[9] D. Liu, P. Ning, and W. K. Du, “Attack-resistant locationestimation in sensor networks,” in Proceedings of the 4thInternational Symposium on Information Processing in SensorNetworks (IPSN ’05), pp. 99–106, April 2005.

[10] M. Pirretti, N. Vijaykrishnan, P. McManiel, and B. Madan,“SLAT: secure localization with attack tolerance,” Tech. Rep.,2006.

[11] L. Lazos, R. Poovendran, and S. Capkun, “ROPE: robust posi-tion estimation in wireless sensor networks,” in Proceedings ofthe 4th International Symposium on Information Processing inSensor Networks (IPSN ’05), pp. 324–331, April 2005.

[12] A. Srinivasan, J. Teitelbaum, and W. Jie, “DRBTS: distributedreputation-based beacon trust system,” in Proceedings of the2nd IEEE International Symposium on Dependable, Autonomicand Secure Computing (DASC ’06), pp. 277–283, October2006.

[13] D. Liu, P. Ning, and W. Du, “Detecting malicious Beaconnodes for secure localization discovery in wireless sensornetworks,” in Proceedings of the 25th IEEE InternationalConference on Distributed Computing Systems (ICDCS ’05), pp.609–619, Columbus, Ohio, USA, 2005.

[14] C. Wang, A. Liu, and P. Ning, “Cluster-based minimummean square estimation for secure and resilient localizationin wireless sensor networks,” in Proceedings of the 2nd AnnualInternational Conference on Wireless Algorithms, Systems, andApplications (WASA ’07), pp. 29–37, August 2007.

[15] Z. Li, W. Trappe, Y. Zhang, and B. Nath, “Robust statisticalmethods for securing wireless localization in sensor networks,”in Proceedings of the 4th International Symposium on Informa-tion Processing in Sensor Networks (IPSN ’05), pp. 91–98, April2005.

[16] F. Anjum, S. Pandey, and P. Agrawal, “Secure localizationin sensor networks using transmission range variation,” inProceedings of the 2nd IEEE International Conference on Mobile


Ad-Hoc and Sensor Systems (MASS ’05), vol. 2005, pp. 195–203, 2005.

[17] H. Chen, W. Lou, and Z. Wang, “Conflicting-set-based worm-hole attack resistant localization in wireless sensor networks,”in Proceedings of the 6th International Conference on UbiquitousIntelligence and Computing (UIC ’09), vol. 5585 of LectureNotes in Computer Science, pp. 296–309, 2009.

[18] H. Chen, W. Lou, and Z. Wang, “A Consistency-based securelocalization scheme against wormhole attacks in WSNs,” inProceedings of the 4th International Conference on WirelessAlgorithms, Systems, and Applications (WASA ’09), vol. 5682of Lecture Notes in Computer Science, pp. 368–377, 2009.

[19] H. Chen, W. Lou, X. Sun, and Z. Wang, “A secure local-ization approach against wormhole attacks using distanceconsistency,” EURASIP Journal on Wireless Communicationsand Networking, vol. 2010, 11 pages, 2010.

[20] L. Lazos and R. Poovendran, “SeRLoc: robust localizationfor wireless sensor networks,” ACM Transactions on SensorNetworks, pp. 73–100, 2005.

[21] L. Lazos and R. Poovendran, “HiRLoc: high-resolution robustlocalization for wireless sensor networks,” IEEE Journal onSelected Areas in Communications, vol. 24, no. 2, pp. 233–246,2006.

[22] F. Bouchereau and D. Brady, “Bounds on range-resolutiondegradation using RSSI measurements,” in Proceedings of theIEEE International Conference on Communications, pp. 20–24,June 2004.

[23] M. Zhao and S. D. Servetto, “An analysis of the maximumlikelihood estimator for localization problems,” in Proceedingsof the 2nd International Conference on Broadband Networks, pp.982–990, 2005.

Documents

ANovelSecureLocalizationApproachin WirelessSensorNetworks