Protection Against Mobile Tracing Through Motion-MIX for Mobile Wireless Nodes

2406 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 58, NO. 5, JUNE 2009

Protection Against Mobile Tracing ThroughMotion-MIX for Mobile Wireless Nodes

Jiejun Kong, Member, IEEE, Xiaoyan Hong, Member, IEEE, and Dapeng Oliver Wu, Senior Member, IEEE

Abstract—Mobile wireless networks, such as mobile ad hoc net-works (MANETs), are vulnerable to passive attacks that threatenthe privacy of communications. Moreover, threats can now belaunched from mobile platforms and with new techniques foreavesdropping, locating, and fingerprinting wireless transmis-sions. Recently, many wireless anonymous schemes have beenstudied, and mobility often plays an important role with regardto the effectiveness of wireless anonymity. In this paper, we focuson the impact of node motion behaviors. We first illustrate theemerging anonymity threat of venue privacy attacks (VPAs) totrace mobile wireless nodes. We then propose “motion-MIX” asthe countermeasure to defend against the threat. Motion-MIXcalls for protection at all the layers of the protocol stack. We fur-ther use a new asymptotic security model to verify motion-MIX’seffectiveness against VPAs. In a scalable ad hoc network, we provethat the probability of security breach is negligible with respect tothe number of network nodes.

Index Terms—Anonymity, mobile ad hoc network (MANET),mobile tracing, motion MIX.

I. INTRODUCTION

P ROTECTING privacy for wireless communications ismore challenging due to advances in techniques for eaves-

dropping, locating, and fingerprinting wireless transmissions[13], [17], [32], [39]. In particular, the threats can nowbe launched from mobile and coordinated platforms, greatlystrengthening the capabilities of the adversary to track wirelesstransmissions moving in real time. For example, embeddedreal-time systems with wireless traffic sensors carried by palm-size unmanned aerial vehicles [UAVs; see Fig. 1(a)] can movefast and trace any wireless target nodes that move at a lowerspeed. The mobility of both the guarding and adversarialtracing sides introduces new privacy problems, e.g., a node’smotion pattern and standing position, as well as the dynamicnetwork topology, all become new interests of the new mobilewireless adversary. In situations where mobile users want tocommunicate among themselves through multihop wireless

Manuscript received February 19, 2008; revised June 22, 2008. First pub-lished September 19, 2008; current version published May 11, 2009. Thework was supported in part by the National Science Foundation under GrantCNS-0627147. An early version of this paper appeared in the Proceedingsof the Third ACM Workshop on Security of Ad Hoc and Sensor Networks,Alexandria, VA, November 2005. The review of this paper was coordinated byDr. W. Zhuang.

J. Kong is with Scalable Network Technologies, Inc., Los Angeles, CA90045 USA (e-mail: [email protected]).

X. Hong is with the Department of Computer Science, University ofAlabama, Tuscaloosa, AL 35487 USA (e-mail: [email protected]).

D. O. Wu is with the Department of Electrical and Computer Engineering,University of Florida, Gainesville, FL 32611 USA (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available onlineat http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TVT.2008.2005990

connections without support from wired or wireless infrastruc-ture, additional information will be revealed through routingmessages, because each node participates in routing operationsto maintain a self-organized network (e.g., mobile ad hocnetworks, MANETs). The first line of protection is to includeanonymizing techniques in both data and routing messages. Forexample, many anonymous routing schemes have recently beenproposed to protect ad hoc networks [1], [6], [25]–[27], [37],[40], [41].

As the wireless medium is open to any device in the trans-mission range, anonymity concerns and solutions expand tomany layers in the protocol stack. Underlying these techniques,mobility plays an important role on how effective they are whenwireless eavesdropping techniques, encryption methods, usertraffic patterns, and motion patterns can all be different. Inaddition, the security model of each design can be different, andit is needed to formally measure the effectiveness of a design.

In this paper, we make three contributions, with emphasis onthe impact of the node’s motion behaviors: First, we study howmobile wireless traffic sensors can trace mobile nodes to obtaintheir motion and traffic patterns. We illustrate several mobileanonymity attacks that challenge the privacy defense systemof an ad hoc network. Second, we propose a new concept ofmotion-MIX and design principles to protect the mobile nodes.Using a motion-MIX, we create a dynamic geographic area thathides the motion trajectories among multiple nodes moving inand out of the area. Motion-MIX differs from other geographic-area-based mixing concepts [3] in that it is proposed as acountermeasure that requires the efforts of all layers, and its sizeand location are dynamically determined by the mobility andnetwork settings of both the guarding and adversarial tracingsides. We discuss the necessary conditions in implementinga motion-MIX with dynamic features controlled by mobileguarding nodes and strategies that address many layers in theprotocol stack. In particular, we discuss practical strategiesbased on anonymous routing that ensure packets to be free ofany form of network identities to defend against compromisednetwork members and to be (computationally) indistinguish-able from random packet transmissions. Third, we introduce“scalable network security,” which is an asymptotic networksecurity model, to formally measure the anonymity protectionprovided in the motion-MIX. In the asymptotic model, securityprotection can be measured as subpolynomial (i.e., “negligible”in complexity theory [15]) with regard to an input networkmetric, such as the number of network nodes. In a large-scalenetwork, the motion-MIX model ensures k-anonymity [38] forall k nodes inside a local MIX area and negligibility of theMIXing failure over polynomially many MIX areas.

0018-9545/$25.00 © 2009 IEEE

KONG et al.: PROTECTION AGAINST MOBILE TRACING THROUGH MOTION-MIX FOR MOBILE WIRELESS NODES 2407

Fig. 1. (a) Street patrol. (b) Mobile sensor platform.

This paper is organized as follows: In Section II, we presentattacks that are feasible to implement through a mobile trafficsensor network. Section III proposes the concept of “motion-MIX,” discusses its differences from other existing models,and shows the necessary conditions to implement a motion-MIX. Section IV presents an analysis to quantify the anonymityprotection provided by the motion-MIX design. We reviewrelated work in Section V. In addition, Section VI concludesthis paper.

II. MOBILE TRACING AND ANONYMITY

A. Concept of Venue

Each network member is identified by a unique networkidentity (e.g., medium-access control (MAC) address, InternetProtocol (IP) address, or any static pseudonym). The concept ofanonymity is defined as the state of being nonidentifiable withinan anonymity set of peer nodes [31]. It can be measured bythe size of the set or information theoretic metrics [11], [36].In mobile networks, a mobile node’s location of transmissionalso demands anonymity protection. In terms of the adversary’spositioning capability, we define the concept of venue for thetransmission location. A venue is the smallest area to which theadversary can “pinpoint” a node via the node’s radio commu-nication. In this paper, we do not consider any identificationmethod other than wireless radio communications (e.g., visualidentification) for the purpose of wireless security research.

The size of a venue relates to the effectiveness of wirelesslocalization techniques. For low-cost techniques, it can be anarea with a certain size, e.g., the receiving area of an off-the-shelf IEEE 802.11 interface may reach a hundred meters orso, depending on the complexity of the terrain. Such an areaallows obfuscation within the area. More sophisticated local-ization techniques, e.g., triangulations using signal-strength-based distance estimation, or angle of arrival, can be usedby the adversary to reduce the area size. Many techniquesare able to provide precise location support. However, theycould extremely be expensive in cost. They mostly requirecooperation from the node being traced and dense deploymentof locating devices, e.g., many anchor points within a unit area.These limitations prevent the techniques from being used easilyor with low cost by the adversary in a random mobile network.We quantify the obfuscating area, i.e., the venue, with a radiusof Δ that is not infinitesimal. Our work intends to localizetechniques of practically low cost.

When mapping the venues to vertices in a graph, we candefine an undirected graph G = 〈V,E〉, where all possiblevenues form a vertex/venue set V , and (multihop) wireless ra-dio links form an edge set E. Likewise, the venue anonymity setcomprise all venues, where the sender/recipient venue shouldnot be identifiable within the venue anonymity set, given allintercepted wireless transmissions flowing from a venue toanother. Drawing graph G characterizes the capability of acollection of colluding wireless traffic analysts staying in theentire network.

B. Mobile Traffic Sensor Network

Recent advances in manufacturing technologies have enabledthe physical realization of small, lightweight, low-power, andlow-cost micro air vehicles (MAVs) [23]. These MAVs referto a new breed of UAVs or aerial robots that are significantlysmaller than currently available UAVs. The dimension of MAVscan be as small as 5 in, and the development of insect-sizeMAVs is expected in the future. MAVs can have fixed, rotary,or flapping wings like insects. These aerial robots, which areequipped with information sensing, radio transmission, andpositioning (e.g., Global Positioning System, GPS) capabili-ties, extend the sphere of awareness and mobility of humanbeings and allow for surveillance or exploration of environ-ments that are too hazardous or remote for humans. The next-generation MAVs to be developed are expected to serve asan enabling technology for a plethora of civilian and militaryapplications, including homeland security, reconnaissance, sur-veillance, tracking of terrorists/suspects, search and rescue, andhighway/street patrol [see Fig. 1(a)]. Fig. 1(b) shows the MAVsystem with onboard sensors and ground control station.

C. Mobile Anonymity Attacks

Here, we consider five passive attacking scenarios that canbe launched by a set of faster mobile traffic sensors/analysts.

1) Mobile location inference attack: A single mobile ad-versarial MAV with a less sophisticated radio can inferthe positions of a target such as a person’s or a car’scommunication device through its own motion. Fig. 2(a)shows that, with snapshots taken at two different times T0and T1, the adversary can sort nodes into four regions:1) newcomers; 2) insiders; 3) leavers; and 4) outsiders.With three adversarial nodes to form a trigroup, they can


Fig. 2. (a) Single mobile sensor. (b) Trigroup mobile sensors. (c) Colluding eavesdropping network. The solid black nodes are adversarial.

locate the position with more accuracy. Fig. 2(b) showsthat they can divide the field into eight regions based onall the different combinations of the snapshots that eachone obtains. For example, a target that is heard by all thethree nodes must be in the region of 111. Target A is onlyheard by one adversary and is in the region of 010.

2) Motion pattern tracing attack by mobile platform: Thetrigroup of adversarial nodes are capable of locating awireless sender at the granularity of the venue. If the ad-versary’s mobility speed is faster than that of the victim, itcan always follow an identifiable sender and trace its mo-tion pattern. Due to the small size of MAVs, the trackingof MAVs is almost unnoticed by the target being tracked.The velocity of a MAV ranges from 10 to 30 mi/h,which is fast enough to track a human being or anautomobile on local roads. As a result, an active mobilesender is always vulnerable to the attack launched by afaster mobile adversary.

3) Privacy of network topology: Additionally, in a fixed net-work, network topology is physically determined a priori.Hence, there are no privacy concerns on protecting thenetwork topology. However, in mobile wireless networks,the network topology constantly changes due to mobility.If the adversary is able to acquire the fresh networktopology, it can then visualize the mobile network all thetime. The privacy of the network topology becomes a newanonymity aspect in mobile networks, as demonstrated inthe succeeding examples.

4) Venue privacy attack (VPA): A global attacking can bedeployed when a field is covered by a number of eaves-dropping venues [see Fig. 2(c)], or a mobile adversarycan attack the privacy of the network topology by quicklyscanning every venue and combining the partial results.An active route between L1 and L2 is identified, andthe venues going through are shaded. At each venue, theadversary can name and correlate node identities withits own exact location (obtained via its own positioningsystem, such as GPS). In addition, given any venue Lshown in Fig. 2(c), the inside wireless traffic sensormay gather and quantify (approximate) information aboutlocal mobile nodes, e.g., enumerating the set of currentlyactive nodes in L (VPA-a); computing related metrics,such as the size of the set (VPA-b); and doing traffic

analysis against one or more venues (VPA-c), e.g., howmany and what kind of connections in and out of a venueand which sender venue is sending traffic flows to a recip-ient venue. It is important to note that the adversary hasalready reached its positioning optimality according tothe definition of “venue.” Thus, the positions of differentmobile nodes inside a venue are thus indistinguishable.

5) Venue traffic analysis: It is possible to hide a node’sreal identity using a static pseudonym (e.g., an encryptedversion of the real identity). Unfortunately, such a staticpseudonym becomes another identity of the node. Thispseudonymous scheme hides only the real identity andnot the measurements associated with the real identity.The network is at least vulnerable to VPA-b and VPA-cattacks. For instance, the adversary can use its ownpseudonym system to name each detected distinct node.Then, its VPA-b and VPA-c attacks are unaffected, eventhough every local node is renamed to another staticpseudonym. Intuitively, given arbitrarily x (e.g., x = 100)locally intercepted data packets, the adversary may seethe traffic pattern with regard to the 100 packets. Twoextreme cases are given as follows: 1) All 100 packetswere transmitted from a single node to another singlenode, and 2) the 100 packets were transmitted from 100distinct nodes to another 100 distinct nodes. Ideally, ananonymous protocol for mobile networks must ensurethat the two extreme cases and all the cases in betweenare equally likely to the adversary.

III. COUNTERMEASURE

In this section, we describe the concept of motion-MIXand several associated design aspects. We include the designprinciples for anonymous routing, i.e., identity-free routing andone-time packet content, as necessary conditions to realizemotion-MIX. We further discuss the strategies relating to manylayers in the protocol stack. These strategies prevent VPAs andmobile tracing attacks.

A. Design Assumption

We assume that the set of nodes that a targeted node hidesin, i.e., the anonymity set, is public and finite. For example, if


the 32-bit IPv4 address is treated as the identity anonymity setASid, then the size of the anonymity set |ASid| is at most 232

for the entire Internet. Thus, the best case is that a targeted IPaddress can be any of the 232 addresses. The bounded publicnetwork area is the venue anonymity set ASvenue comprisingpublic and finite amounts of venues.

We assume that mobile nodes can be hijacked and compro-mised. Once intruded, all the cryptographic materials known bythe victim node are revealed to the adversary. Nevertheless, weonly assume an honest-but-curious adversary (i.e., it correctlyfollows protocol but tries to learn as much information aspossible from its execution). A dishonest adversary belongs toa different threat model and will be addressed in the future. Forintact network members, the adversary is external. The externaladversary is a polynomial-bounded cryptanalyst who cannot in-vert one-way functions or differentiate cryptographically strongpseudorandom bits from truly random bits with nonnegligibleprobability.

We assume a protocol stack that is similar to the IP protocolstack. An item of interest is a wireless transmission of a link-layer frame. A link- or network-layer payload is encryptedwith a per-hop key that is unique for this hop. This requiresa pairwise key agreement scheme for any pair of nodes in thenetwork. The transport-layer payload is encrypted with an end-to-end session key to protect message privacy. In this paper, wedo not study the key agreement problem; we assume a pairwisesymmetric key shared between any pair of communicatingnetwork nodes. We demand that no node identity is revealedduring key agreement. Examples of anonymous key agreementscan be found in protocols ANODR [25] and MASK [41].

B. Motion-MIX

The definition of motion-MIX is based on the venue aroundeach tracing adversarial node (see Fig. 2). Because the tracingadversarial nodes are completely passive and covert, it is hard todetect their existence. The guarding side has to assume that theentire network area is divided into an array of venues. However,due to the guarding side’s mobility, the actual geographicalarea is larger than the venue (which is only determined by theadversary’s localization capability). Because nodes can roam inand out of the venue within a time δt. Given an average motionspeed of vavg and a transmission interval of δt, the motion-MIX is a region with radius Δ′, which is larger than or equal toΔ + vavg · δt, as shown in Fig. 3. It shows that any mobile nodethat has ever transmitted a packet δt ago and within the distancevavg · δt of the venue could be in the motion-MIX now.

In mobile networks, motion-MIX is used to protect themobile (transmitting) node’s motion pattern. A motion-MIX isa geographical area that can hide the relation among mobilenodes that move in and out of the area. This is shown in Fig. 4,where the entry and exit points of mobile nodes ai and bj aremerely figures of speech. They could be anywhere on the area’sborder.

The size of a motion-MIX is dynamic and is controlled byboth the localization technique and the mobile nodes. Anymobile node can create a larger motion-MIX size of venuewhen possible. A mobile node can delay its transmissions

Fig. 3. Dynamics in motion-MIX (with Δ being determined by the adversaryand vavg · δt being determined by the guarding nodes).

Fig. 4. Motion-MIX on the aggregation of mobile nodes or traffic flows (ai

and bj are anonymous nodes or anonymous flows).

(increasing δt so that more mobile nodes can roam into thearea) or increase its motion speed (through vavg) to increase thesize of the motion-MIX. Given the same venue Δ, a node cancreate a Δ′ that is larger than or equal to (Δ + vavg · δt). Here,Δ + vavg · δt represents an average case that can be guessedby an adversary; therefore, it measures the worst case to breakmotion-MIX protection. This reflects that, when a mobile nodebeing traced actively sends at least a packet every δt, the equalrelation holds for the node. When the node sends packets at alower rate, δt is larger, and the inequality is true. This strategyincreases the motion-MIX size. Such strategies are suitable forapplications tolerating delay. For example, in delay-tolerantcommunication [12], the time interval δt between two con-secutive transmissions is enlarged to give more mobile nodeschances to roam into the venue. Obviously, the delay-tolerantcommunication approach is inapplicable to time-critical appli-cations, such as multimedia streaming. The speed-up approachis inapplicable to stationary sensor networks. Both the delay-tolerant and the speed-up approaches incur performance degra-dation in the time-critical mobile ad hoc routing, where routeoutage is mainly caused by node inaction and node mobility.

Chaum presented the original notion of message/packet“MIX” [8]. Geographical-area-based mixing concepts have also


been studied for location privacy, e.g., “MIX zones” [3]. The“motion-MIX” is different from these mixing-based techniquesin three aspects.

1) A motion-MIX is a strict analog of Chaumian MIX byreplacing messages with mobile nodes. In Chaum’s mes-sage MIXing, a message MIX node is a private processorthat hides the relation between multiple incoming mes-sages and multiple outgoing messages. A motion-MIX isa private geographic area that hides the relation betweenmultiple incoming nodes and multiple outgoing nodes.The adversary is incapable of seeing the internal stateof a single MIX, either Chaumian or motion. Such ananalog allows one to extend the venue-based anonymityby reasoning on the venues only. Thus, the differencebetween message MIX and motion-MIX is that motion-MIX’s goal is to hide motion. In addition, a motion-MIXincludes design strategies to ensure perfect (identity)anonymity, as discussed in later identity-free schemes ofthis section.

2) A motion-MIX is defined by “venue,” based on the ad-versary’s positioning capability. In addition, the guardingnodes can dynamically create a motion-MIX or enlargean existing motion-MIX by sending decoy traffic and/ordelay-tolerant communication [12], [22] at any time.Because a guarding node cannot detect a passive attackernor know the size of venue, it has to assume that attackersare located everywhere with a constant venue size. Thus,it must opt to create a larger motion-MIX all the time byapplying the discussed strategies. Thus, a motion-MIX isa dynamic network entity that can be created and changedby both the adversary’s behavior and the guarding nodes’actions. In contrast, according to [3], MIX zones are static“geographic regions” with boundaries where pseudonymsare concerned. The zones are fixed during the networklifetime and do not depend on either the adversary’spositioning capability or the guarding nodes’ motionbehaviors.

3) A motion-MIX protects the entire protocol stack (see thenext two sections). In contrast, a MIX zone is defined formiddleware systems to protect user identities and linkingto locations. The privacy studied in location-based ser-vices [28] prevents users from revealing accurate locationinformation to the service providers in a posttransmissionway. The originally collected wireless packets can stillbe traced to a node via the network identities/addressesof the user’s mobile device when an adversary comesfrom the nonservice provider side. For example, unlikemotion-MIX (which is related to identity-free ANODR),the network-layer anonymous routing is not a researchsubject in MIX zone.

C. Strategies Based on Motion-MIX

Motion-MIX has to face the adversary who performs timingand content analyses. As a countermeasure, motion-MIX con-sists of a set of necessary strategies.

1) Strategies Against Timing Analysis: Timing analysis cor-relates the timing instances of messages. In motion-MIX, any

mobile node inside a motion-MIX should send out messages toshow its existence. When each transmission looks differently, kof them during the system unit time Δt1 can illustrate at most knodes within the motion-MIX. In the worst case, when, duringunit time Δt, there is only one node sending out one real packet;a necessary condition to ensure k-anonymity is for all nodes(including the node itself) in the motion-MIX venue to send outk − 1 decoy packets in total during the same interval. In thisway, a multihop traffic flow from one venue to another remotevenue, which is vulnerable to timing analysis, is hidden in thedecoy traffic.

The probabilistic Algorithm A running on mobile nodesensures that there are approximately k wireless transmissions(including decoy transmissions) in its one-hop neighborhoodduring unit time Δt.

Algorithm A: Distributed Decoy Traffic Regulation per NodePrerequisite: System parameter k and Δt.1 Divide current unit time Δt into k slices.2 FOR (each time slice i) DO

3 IF (I have only heard x < i transmissions so farduring the current interval Δt)

4 In the next time slice, transmit a decoy packet withprobability (i − x)/i.

5 END IF6 END FOR

2) Strategies Against Content Analysis: Content analysisinspects message contents and length. Thus, a motion-MIXshould produce indistinguishable messages, even including de-coy messages. For a motion-MIX-compliant anonymous pro-tocol, two necessary conditions thus must be satisfied: 1) Amobile node should be indistinguishable from other nodes inthe same motion-MIX from the adversary’s view. This leadsto the identity-free routing design. Otherwise, the (internal)adversary can launch a VPA-a attack to distinguish a nodefrom another by seeing the unique identities. 2) A mobilenode’s traffic should be indistinguishable from another node’straffic in the same motion-MIX from the adversary’s view. Thisleads to the one-time packet content design. Otherwise, theadversary can distinguish one node’s traffic pattern from that ofanother node.

D. Necessary Conditions

The success of motion-MIX lies on defending against nodecapture and compromise and external eavesdropping. Defend-ing these adversaries requires necessary conditions for motion-MIX in many aspects, from all the layers at the protocol stackto general principles for routing protocols. Typically, a mobilenode sends data packets and routing control packets. For datapackets, nodes along the routing path have chances to inspectthe header information. For routing messages, possibly all thenodes will process the routing information. Here, we discuss

1Δt is a system parameter for measuring anonymity. δt is the time intervalfor calculating the size of a motion-MIX.


the necessary conditions, first for routing to defend againstcompromised nodes, then for contents to defeat external trafficanalysis, and finally for issues relating to many layers.

1) Identity-Free Routing: In wireless ad hoc networks, anode must rely on at least one of its neighbors to forward itspackets. In normal routing and packet forwarding processes, themobile node reveals its identity to another node. However, withpassive attacks, a sender cannot determine whether a neighboris compromised or not. In that case, the sending node’s identitycompromises its anonymity if the receiving node is adversarial.The condition of identity-free routing requests that every mobilenode does not reveal its own identity to other nodes.

One solution is to use link identities, instead of sender-receiver identities. In wired Internet, PipeNet [9] and OnionRouting [33] employ an anonymous virtual circuit in routingand data forwarding. Recently, ANODR [25] and MASK [41]apply the same design to wireless ad hoc networks. In theserouting schemes, each forwarding node maintains a routingtable with two columns of virtual circuit identifiers (VCIs)in the form of “vcix ←→ vciy .” If a node receives a packetand the packet is stamped with a vcix stored in its routing table,the node then accepts the packet, overrides the stamp with thecorresponding vciy , and sends the changed packet to the nexthop. (The source and the destination are denoted with specialVCI tags.) In a nutshell, the virtual-circuit-based data packetforwarding scheme is practical and free of node identities.

The link-layer frame (using the IEEE 802.11 as an example)in an anonymous virtual circuit can reuse the same formatbut with modified address and payload, e.g., the special MACaddress FF : FF : FF : FF : FF : FE for identifying both itselfand its receiver for the purpose of anonymous transmissions.

Establishing a virtual circuit on a multihop path requiresa signaling procedure to establish the VCI routing tables onall forwarding nodes, and the signaling procedure must bedesigned to be identity free as well. In existing anonymousvirtual circuit schemes, PipeNet, Onion Routing, and MASKare not identity free in their signaling procedure, and ANODR[25] uses a global trapdoor design in its signaling process toserve the identity-free need.

Nevertheless, identity-free routing only prevents a local inter-nal attacker from launching VPA-a. As will be described here,the requirement of one-time packet content is needed to thwartVPA-b and VPA-c.

2) One-Time Packet Content: In one-time packet contentdesign, packet contents (particularly data packet contents) arecomputationally one time. In other words, any two trans-missions X → Y and X ′ → Y ′ (i.e., the packet sender’spseudonym is X or X ′, and the packet recipient’s pseudonymis Y or Y ′) are independent in the eyes of any node whois not X , X ′, Y , or Y ′. Because two randomly generatedmessages are independent by definition, the one-time packetcontent design is feasible if the adversary cannot differentiatethe two transmissions X → Y and X ′ → Y ′ from two trulyrandom transmissions.

Using cryptographically strong pseudorandom bits in ananonymous virtual circuit, two communicating neighboringnodes va and vb should use their agreed key material Kab togenerate cryptographically strong pseudorandom bits to protect

their packet contents. In packet forwarding and routing, thismeans that every field in a link-layer frame must satisfy one ofthe following conditions: 1) The field is the same for all frames(e.g., the field FF : FF : FF : FF : FF : FE for MAC addresses).2) The field itself is a cryptographically strong pseudorandombitstring. 3) The field is XOR-ed with a cryptographically strongpseudorandom bitstring. 4) In decoy frames, cryptographicallystrong pseudorandom bits are replaced by truly random bits.For any third party who is neither va nor vb, it does not knowthe secret seed/key and thus sees bits that are indistinguishablefrom truly random bits. Therefore, for every uncompromisedpairwise key/secret, the adversary sees that every packet trans-mission protected by the key/secret is indistinguishable fromrandom traffic.

The adversary can always trace a packet flow if the packetsin the flow are recognizable with unique bit streams. Withthis one-time packet content design principle, when there aremultiple packet flows going through a motion-MIX, they areMIXed together (see Fig. 4).

3) Protocol Stack Issues: In the protocol stack, a transport-layer packet is the payload at the network layer encryptedwith an end-to-end key. Related anonymity attacks and coun-terattacks only involve the two ends. The related end-to-endanonymity protection includes anonymous aliases [2], [34] andanonymous rendezvous [20]. This design goal is orthogonal tothe motion-MIX design and thus is not studied in this paper.

At the network layer, wireless packets transmitted from amotion-MIX could be of different types: control packets ordata packets. For example, the Internet Engineering Task Forcestandard Ad-hoc On-demand Distance Vector (AODV) [30]has the following network-layer packet types: route request(RREQ), route reply (RREP), route reply acknowledgment(RREP-ACK), route error (RERR), and DATA, where the initialfour types are control flows. In anonymous routing, a major taskis to design an anonymous control flow. It is important to notethat two conditions must be satisfied with regard to the packettypes.

1) Any two packets, including decoy packets, of the samepacket type must be indistinguishable from each other.This requires the following: 1) All packets of the sametype must be of the same length. 2) The type field andother similar common fields of the packet type must beidentical in all packets of the type. 3) For flooding packets(e.g., RREQ in AODV), the fields prepared for the otherend (source/destination) are identical in one flood round,but these fields must be computationally one time perflood. 4) All other fields are changed per hop. These fieldsmust be computationally one time per hop, i.e., either(cryptographically strong) pseudorandom for real packetsor truly random for decoy packets.

2) Any two packets of different types must be independentfrom the adversary’s view. Control packets and datapackets must not have correlation patterns that can bedistinguished from truly random transmission events. Fora motion-MIX, this requires the inside nodes to inde-pendently process each type of packets. That is, if thereare m types of packet in the network, every node mustindependently run Algorithm A for each packet type.


At the MAC layer, IEEE 802.11b/a/g MAC layer framesuse MAC addresses that must be anonymized, as previouslydescribed. It also uses acknowledgment (ACK)/request-to-send/clear-to-send control frames for reliable delivery andvariable data rates with distances. Like AODV packet types,these packet types provide evidences for traffic analysis [21].For motion-MIX, the per-packet-type treatment previously de-scribed also applies to the MAC layer. At the MAC layer,anonymity can be achieved by broadcasting all the frames tohide the real receiver. This appealing approach creates a relia-bility problem. An alternative approach is to use an anonymousMAC protocol that provides reliability [24]. Other strategiesinclude those used in location privacy research, e.g., decoytraffic or random delay.

At the physical layer, an attacker may use more sophisticatedequipment to capture different mobile nodes’ radio signatures.Although the signal amplitude should not reveal anything morethan a signal strength measurement, different nodes may useslightly different signal frequencies due to drifted clock im-plementations. Typically, an error of up to 25 ppm is toleratedin the standards. For example, at 2.4-GHz carrier frequency, afrequency offset of up to (2.4 × 109 × 2 × 25)/106 = 120 kHzwould be tolerated. Consequently, within a motion-MIX, aradio device should add a deliberate and random frequency off-set, so that two different nodes span over similar transmissionfrequency ranges [7]. Other wireless fingerprinting techniquesare studied [13], [17], [18], [32], [39], e.g., using a vector ofRSSI measurements or probing the channel. Despite the factthat they are less practical as an attacking tool due to therequirement for dense deployment or active nature, physical-layer deliberations are necessary.

IV. NETWORK SECURITY ANALYSIS

In this section, we present an analysis on the security guar-antee of motion-MIX in wireless ad hoc networks with anasymptotic security model.

A. Principle of Scalable Network Security

In modern cryptography, security is defined on the concept of“negligibility,” which is asymptotically subpolynomial with re-spect to a predefined system parameter n. Intuitively, parametern is the key length.

1) Definition 1: (Negligible): A positive function μ : N →R is negligible if, for every positive integer c and all sufficientlylarge n’s (i.e., there exists Nc, for all n > Nc)

μ(n) <1nc

.

When the system parameter n polynomially (e.g., linearly)increases, a quantity exponentially decreasing toward 0 isnegligible. For example, once a 128-bit Advanced EncryptionStandard encryption key is chosen, the probability of guessingthe correct key is not 0 but at least 1/2n, with n = 128, and isconjectured to be subpolynomial. Security can be achieved bylinearly increasing key length n. We believe that this subpoly-

nomial concept is also applicable to network security research.In all security analyses, we will show that the probability ofsecurity failure (which, in this paper, is the failure of mobilenode MIXing together) exponentially decreases toward 0 whenthe corresponding network metrics linearly increase. In thispaper, the network scale (i.e., the number of network members)N replaces key length n in cryptography. N becomes thecritical system parameter in network security. As a result, incryptography, the longer the key length, the more asymptoti-cally secure the cryptosystem. In our analysis, the larger thenetwork scale, the more asymptotically secure the network.

B. Security Guarantee of Motion-MIX

For a network deployed in a bounded system area, thelocation of a mobile node at an arbitrary time instant t can bemodeled by a spatial Poisson point process with the averageprobability density function ρ1. ρ1 can be obtained from relatedstochastic analysis and simulation, e.g., the results presented in[5] and [20]. Given this ρ1, we treat it as the arrival rate ofa mobile node to each standing “position.” For this study, wefollow the stochastic mobility model, with the assumption ofuniform spatial distribution in a venue quantified by Δ (andthe analysis can easily be extended to the nonuniform case).Thus, the probability that there are exactly k nodes in a specificarea Δ is

Pr[x = k] =(Nρ1 · Δ)k

k!· e−Nρ1·Δ.

N is the number of nodes in the network. In addition,we adopt a probabilistic adversarial model. Among all the Nnetwork members, there are γ · N uncompromised nodes and(1 − γ) · N compromised nodes. Here, γ is the probabilisticnetwork healthy ratio.

As shown in Fig. 3, any wireless transmission is equallylikely to be from any mobile transmitting nodes in the motion-MIX Δ′, where Δ′ ≥ Δ + vavg · δt. That is, given an in-tercepted transmission at the current moment, the adversarycannot decide who is the transmitter among all the nodes inthe enlarged area Δ′. Given the security goals of k-anonymityand antitracing, we show that the failure probability follows thescalable network security model.

1) k-Anonymity: The notion of k-anonymity says that theadversary is able to learn something about the sender or re-cipient of a particular message but cannot narrow down itssearch to a set of less than k participants. It is important toknow that a motion-MIX ensures k-anonymity for all mobilenodes inside during a certain time Δt. In a motion-MIX of sizeΔ′, the expectation of the number of targeting nodes E(kΔ′)is computable for the spatial Poisson point process: E(kΔ′) =∑∞

i=0 i · Pr[x = i] = Nγρ1 · Δ′. Let us investigate the relationbetween k and E(kΔ′). The following analytic result willsuggest that an appropriate k should be set to approximatelyE(kΔ′).

Theorem 1: (min(k,E(kΔ′))-anonymous motion-MIX): Amotion-MIX is min(k,E(kΔ′))-anonymous, where k < N is


the preselected system parameter per Δt and Δ′ = (Δ + vavg ·δt) is the size of the least enlarged venue based on venue sizeΔ, the average node motion speed vavg, and the minimal delaybetween any two consecutive transmissions δt.

Proof (Sketch): A critical assumption in the proof isthe publicity and finiteness of the anonymity sets ASid andASvenue. The adversary knows all the venues and all the possi-ble identities (and, certainly, network scale N ). It can estimatenetwork characteristics such as the distribution of mobile nodes.

The public and finite network area ASvenue is partitionedinto individual venues. For each venue quantified by Δ, theadversary expects that there are E(kΔ′) = Nγρ1 · Δ′ possibleidentities that are capable of transmitting from the venue.Using a decoy traffic regulation algorithm (e.g., Algorithm A),the capable nodes will transmit at least k packets from thevenue. (If multiple packet types are concerned, in Section III-D,we already stated that different packet types are separatelyregulated with independent k’s.)

Due to the identity-free routing, one-time packet content,and physical radio deliberation requirements, any transmissionis equally likely from any identity-free transmissions inside amotion-MIX. If k < E(kΔ′), then (E(kΔ′) − k) inside nodesdo not win the chance to transmit decoy traffic. If k > E(kΔ′),then either some nodes inside the motion-MIX transmit moredecoy traffic or some (k − E(kΔ′)) previously silent nodeshave roamed into the motion-MIX and just started their trans-missions. �

2) Assurance of k-Anonymity: Given the system require-ment of k-anonymity, we have the following theorem:

Theorem 2: The security failure probability of motion-MIX,i.e., the probability that there are less than k uncompromisednodes in the area quantified by Δ′, is negligible with respect tonetwork scale N .

Proof (Sketch): The security failure probability is

P failΔ′ = Pr[x < k] =

k−1∑i=1

Pr[x = i]

=k−1∑i=1

((Nγρ1 · Δ′)i

i!· e−Nγρ1·Δ′

). (1)

Given a constant k, there are k items in (1), and eachof them has a polynomial coefficient (Nγρ1 · Δ′)i/i! but anexponentially decreasing e−Nγρ1·Δ′

. Thus, P failΔ′ is negligible

with respect to N . In addition, we notice that, given venue Δ′,there are, on average, m = E(kΔ′)/γρ1 · Δ′ number of nodesinside the venue. Thus, when N is less than m, the probabilityis a deterministic value. This observation does not violate thenegligibility property, because, as long as Δ′ is given, theincrease in N will lead to negligibility. �

3) Untraceability: With motion-MIX, the untraceability iswhether the adversary can trace any specific single node v. Asuccessful tracing by an adversary is a collection of venues thatare identified to belong to the same node v. The motion of v canbe modeled as a stochastic process in a time epoch composingof a set of discrete time intervals T = (t1, t2, . . .). The lengthof each time interval is a unit time Δt.

Fig. 5. Radio range: 150 m.

Theorem 3: The security failure probability of node tracing,i.e., the probability that the adversary can trace an activetransmitting mobile node v’s motion pattern without losing thetarget, is negligible with respect to N and |T |.

Proof (Sketch): Using our motion-MIX design, at least ktransmissions occur per Δt if there is at least one node in thevenue. The adversary’s knowledge about the venue is one oftwo cases: 1) no node in the venue during Δt because thereis no transmission and 2) some uncertain number of nodes inthe venue. They transmit k indistinguishable messages duringthe interval. For tracing purposes, for a venue of size Δ, theadversary can successfully trace an active node if there isno other node in the corresponding venue of size Δ′ duringthe previous time interval Δt. Otherwise, it is equally likely(from the adversarial view) that the victim target stays thereor keeps on moving to any neighboring venues. Therefore, theprobability that the adversary can successfully trace a node vall the time is negligible with respect to N and |T |, i.e.,

Ptrace_v ≤∏t∈T

Pr[x = 0] = (e−Nγρ1·Δ′)|T |. (2)

�

C. Numerical Results

We illustrate the trends of the scalable security properties ofthe k-anonymity and the untraceability. According to mobilityresearch, stochastic mobility models can reveal a nonuniform[5] or a uniform spatial distribution [4] (with a bounce-backor wraparound border of the system area). Here, we use theprobability density function ρ1 of the random waypoint mobil-ity model [5]. According to the results presented in the papers,we set ρ1 to be at a magnitude of 10−6 and vary the size of thevenue and the network scale. We set γ to be 0.9.

Fig. 5 shows the failure property for various k-anonymityrequirements (k = 5, 10, 15, 20, respectively). We select thetransmission range to be 150 m. This value is the largest valuethat meets the need to reach the expected number of nodesinside the venue, i.e., 20. The figure shows the exponentialdecreasing trends for all the k values when the network scale


Fig. 6. 10-anonymity.

Fig. 7. Untraceability.

increases. The close-to-1 probability comes from the obser-vation that there is not enough nodes inside the venue whenN is small. The decreasing trends are clear. Fig. 6 shows thecurves with different transmission ranges for 10-anonymity.It is expected that there is a necessary number of nodes toguarantee k-anonymity in motion-MIX. As analyzed earlier, thenecessary value of N is determined by the transmission ranges.The smaller probabilities when N is smaller come from the factthat there are not many nodes inside the motion-MIX.

Fig. 7 shows the probability for an adversary to trace a targetnode under motion-MIX. As expected, the probabilities expo-nentially decease when the number of nodes linearly increases.

V. RELATED WORK

Existing anonymity schemes for wireless networks fall into aspectrum of classes. In “last-hop” wireless networks (includingcellular networks and wireless local area networks), the demandof user roaming requires more promising assurance on theprivacy of mobile users. The network participants considered inrelated research are typically the mobile user, the home serverof the user, the foreign agent server local to the user, and the

eavesdroppers, including the other users. In [2], [19], and [34],mobile users are associated with dynamic aliases that appearunintelligible to anyone, except the home server. Then, theforeign agent server accepts the user’s connections upon thehome server’s request. Hu and Wang [20] proposed the use ofanonymous rendezvous, i.e., an anonymous bulletin board, tolet mobile nodes anonymously connect to their communicators.These efforts provide unlinkability protections between nodeidentities and their credentials during end-to-end anonymoustransactions. This design goal is above the network layer and isorthogonal to the motion-MIX study.

In MANETs, the on-demand routing approach has beenadopted by several recent designs to support anonymous con-nection. In ANODR [25], the source creates an onion in theRREQ flood packet. Each forwarder adds a self-aware layer tothe onion. Eventually, the destination receives an onion that canbe used to deliver an RREP packet back to the source end, andan on-demand anonymous virtual circuit is established betweenthe two ends. Protocols MASK [41] and ASRPAKE [27] usea pairing-based key predistribution and anonymous neighbordetection scheme prior to on-demand RREQ. This backgroundoperation reduces cryptographic processing overheads for thetime-critical on-demand route-discovery process. MASK alsocreates anonymous virtual circuits using a routing procedure.Protocols SDAR [6] and AnonDSR [37] use an approach closeto a MIX-net with on-demand route discovery. A neighbordetection protocol is devised to let each mobile node explicitlysee its neighbors. After the on-demand route is established,data packets are delivered between the two ends using MIX-net onions. Source privacy is studied in [40], which uses plainflooding to establish a secrete onion dada path. The multi-cast approach is introduced in [1], where the packet-codingtechnique is used to combine multicast and onion routing. Inthese schemes, motion-MIX helps in mixing an ad hoc routingscheme’s control and data packet flows. Currently, the controlflows in these schemes do not implement Algorithm A (mostlydue to performance concerns) and are thus traceable by a globaltiming analyst. As to data flows, SDAR is vulnerable to packetflow tracing. ANODR is not vulnerable, because it pays thecost of “neighborhood traffic mixing,” which is a variant ofAlgorithm A. MASK employs a delay-tolerant approach, whichis part of the motion-MIX design.

In wireless sensor networks, location privacy issues for thesources and sinks are studied in [10] and [29]. Both proposalsseek to prevent the adversary from tracing network packet flowsback to the sources or the sinks. The network presented is static,although the source and the sink can be mobile. Motion-MIXhelps stop tracing by mixing packet flows together in a singlemotion-MIX en route.

In wireless location privacy, disposable addresses, MIXzones, and silent period are studied to decorrelate the changingpseudonyms of MAC addresses [3], [16], [22] to enhancelocation privacy with respect to time accuracy and positionaccuracy. The work of MIX zones focuses on static “geographicregions” with boundary lines. They protect user identities to-ward the upper layer, which do not tackle on-the-fly network,link layer identities, or radio signatures at the physical layer,as studied in the motion-MIX design. For location privacy in


vehicular networks, the MIX zone concept has been studiedat intersections where bounded areas provide the mixing [14].Random silent periods are used to decorrelate consecutivepseudonyms [35] when vehicles broadcast safety messages.

VI. CONCLUSION

In this paper, we have shown that a mobile adversary canintercept control and data packets to launch various VPAs inmobile ad hoc wireless networks where routing services areessential for communications. Common routing and packet-forwarding protocols are vulnerable to various VPAs. In thispaper, mobile nodes can create and enlarge motion-MIXesto stop VPAs. Motion-MIXes dynamically create geographicregions and protect on-the-fly wireless transmissions. We haveshown that identity-free routing, one-time packet content, andvarious protocol stack implementation concerns are necessaryconditions to stop identity and traffic analysis attacks withina single motion-MIX. We have used an asymptotic networksecurity model to study the anonymity protection provided ina motion-MIX, which shows that the network scale plays a rolein proving negligible probability that an adversary can breakmotion-MIX’s anonymity protection.

REFERENCES

[1] I. Aad, C. Castelluccia, and J.-P. Huubaux, “Packet coding for stronganonymity in ad hoc networks,” in Proc. SecureComm Workshops, 2006,pp. 1–10.

[2] G. Ateniese, A. Herzberg, H. Krawczyk, and G. Tsudik, “Untraceablemobility or how to travel incognito,” Comput. Netw., vol. 31, no. 8,pp. 871–884, Apr. 1999.

[3] A. R. Beresford and F. Stajano, “Mix zones: User privacy in location-aware services,” in Proc. Pervasive Comput. Commun. Security (PerSec),2004, pp. 127–131.

[4] C. Bettstetter, “Mobility modeling in wireless networks: Categorization,smooth movement, and border effects,” ACM Mobile Comput. Commun.Rev., vol. 5, no. 3, pp. 55–67, 2001.

[5] C. Bettstetter and C. Wagner, “The spatial node distribution of the randomwaypoint mobility model,” in Proc. German WMAN, 2002, pp. 41–58.

[6] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba, “SDAR: A securedistributed anonymous routing protocol for wireless and mobile ad hocnetworks,” in Proc. 29th IEEE Int. Conf. LCN, 2004, pp. 618–624.

[7] C. Castelluccia and P. Mutaf, “Shake them up (A movement-based pairingprotocol for CPU-constrained devices),” in Proc. ACM/Usenix MobiSys,2005, pp. 51–64.

[8] D. L. Chaum, “Untraceable electronic mail, return addresses, and digitalpseudonyms,” Commun. ACM, vol. 24, no. 2, pp. 84–90, Feb. 1981.

[9] W. Dai, PipeNet 1.1, 1996. [Online]. Available: http://www.eskimo.com/~weidai/pipenet.txt

[10] J. Deng, R. Han, and S. Mishra, “Intrusion tolerance and anti-trafficanalysis strategies for wireless sensor networks,” in Proc. IEEE Int. Conf.DSN, 2004, pp. 594–603.

[11] C. Díaz, S. Seys, J. Claessens, and B. Preneel, “Towards measuringanonymity,” in Proc. Privacy Enhancing Technol. Workshop (PET),R. Dingledine and P. Syverson, Eds., 2002, vol. 2482, pp. 54–68.

[12] K. Fall, “A delay-tolerant network architecture for challenged internets,”in Proc. ACM SIGCOMM, 2003, pp. 27–34.

[13] D. B. Faria and D. R. Cheriton, “Detecting identity-based attacks inwireless networks using signal prints,” in Proc. 5th ACM Workshop WiSe,2006, pp. 43–52.

[14] J. Freudiger, M. Raya, M. Félegyházi, P. Papadimitratos, and J.-P. Hubaux,“Mix-zones for location privacy in vehicular networks,” in Proc. WiN-ITS,Aug. 2007, pp. 1–7.

[15] O. Goldreich, Foundations of Cryptography: Basic Tools, vol. 1.Cambridge, U.K.: Cambridge Univ. Press, 2001.

[16] M. Gruteser and D. Grunwald, “Anonymous usage of location-based ser-vices through spatial and temporal cloaking,” in Proc. MobiSys, 2003,pp. 31–42.

[17] J. Hall, M. Barbeau, and E. Kranakis, “Frequency fingerprinting usingphase characteristics of signals,” in Proc. 3rd IASTED Int. Conf. WOC,Banff, AB, Canada, Jul. 2003.

[18] J. Hall, M. Barbeau, and E. Kranakis, “Detecting rogue devices in blue-tooth networks using radio frequency fingerprinting,” in Proc. IASTEDInt. Conf. Commun. Comput. Netw., Lima, Peru, Oct. 2006.

[19] Q. He, D. Wu, and P. Khosla, “The quest for personal control over mobilelocation privacy,” IEEE Commun. Mag., vol. 42, no. 5, pp. 130–136,May 2004.

[20] Y.-C. Hu and H. J. Wang, “A framework for location privacyin wireless networks,” in Proc. ACM SIGCOMM Asia Workshop,2005, pp. 1–8.

[21] D. Huang, “Traffic analysis-based unlinkability measure for IEEE802.11b-based communication systems,” in Proc. ACM Workshop WiSe,Los Angeles, CA, Sep. 2006, pp. 65–74.

[22] L. Huang, K. Matsuura, H. Yamane, and K. Sezaki, “Enhancing wire-less location privacy using silent period,” in Proc. IEEE WCNC, 2005,pp. 1187–1192.

[23] P. G. Ifju, S. M. Ettinger, D. Jenkins, Y. Lian, W. Shyy, and M. Waszak,“Flexible-wing-based micro air vehicles,” in Proc. 40th AIAA Aerosp. Sci.Meeting, 2002, pp. 1–5.

[24] S. Jiang, “An anonymous MAC protocol for wireless ad hoc networks,”in Proc. Int. Workshop Res. Challenges Security Privacy Mobile WirelessNetw. (WSPWN), Miami, FL, Mar. 2006.

[25] J. Kong and X. Hong, “ANODR: Anonymous on demand routing with un-traceable routes for mobile ad-hoc networks,” in Proc. ACM MOBIHOC,2003, pp. 291–302.

[26] J. Kong, X. Hong, and M. Gerla, “An identity-free and on-demand routingscheme against anonymity threats in mobile ad hoc networks,” IEEETrans. Mobile Comput., vol. 6, no. 8, pp. 888–902, Aug. 2007.

[27] X. Lin, R. Lu, H. Zhu, P.-H. Ho, X. S. Shen, and Z. Cao,“ASRPAKE: An anonymous secure routing protocol with authenticatedkey exchange for wireless ad hoc networks,” in Proc. IEEE ICC,Jun. 2007, pp. 4646–4651.

[28] M. F. Mokbel, “Privacy in location-based services: State-of-the-art and re-search directions,” in Proc. IEEE Int. Conf. MDM, Mannheim, Germany,2007, p. 228.

[29] C. Ozturk, Y. Zhang, and W. Trappe, ”Source-location privacy inenergy-constrained sensor network routing,” in Proc. ACM SASN, 2004,pp. 88–93.

[30] C. E. Perkins, E. M. Royer, and S. Das, Ad-hoc On Demand Dis-tance Vector (AODV) Routing, Jul. 2003. [Online]. Available: http://www.ietf.org/rfc/rfc3561.txt

[31] A. Pfitzmann and M. Köhntopp, “Anonymity, unobservability,and pseudonymity—A proposal for terminology,” in Proc. DIAU,H. Federrath, Ed., 2000, vol. 2009, pp. 1–9.

[32] K. B. Rasmussen and S. Capkun, “Implications of radio fingerprintingon the security of sensor networks,” in Proc. IEEE SecureComm, Nice,France, Sep. 2007, pp. 331–340.

[33] M. G. Reed, P. F. Syverson, and D. M. Goldschlag, “Anonymous con-nections and onion routing,” IEEE J. Sel. Areas Commun., vol. 16, no. 4,pp. 482–494, May 1998.

[34] D. Samfat, R. Molva, and N. Asokan, “Untraceability in mobile net-works,” in Proc. ACM MOBICOM, 1995, pp. 26–36.

[35] K. Sampigethaya, M. Li, L. Huang, and R. Poovendran, “AMOEBA:Robust location privacy scheme for VANET,” IEEE J. Sel. AreasCommun.—Special Issue on Vehicular Networks, vol. 25, no. 8, pp. 1569–1589, Oct. 2007.

[36] A. Serjantov and G. Danezis, “Towards an information theoreticmetric for anonymity,” in Proc. Privacy Enhancing Technol. Work-shop (PET), R. Dingledine and P. Syverson, Eds., 2002, vol. 2482,pp. 41–53.

[37] R. Song, L. Korba, and G. Yee, “AnonDSR: Efficient anonymous dynamicsource routing for mobile ad-hoc networks,” in Proc. ACM WorkshopSASN, 2005, pp. 33–42.

[38] L. Sweeney, “k-anonymity: A model for protecting privacy,” Int. J. Un-certainty, Fuzziness Knowledge-Based Syst., vol. 10, no. 5, pp. 557–570,2002.

[39] L. Xiao, L. Greenstein, N. Mandayam, and W. Trappe, “Fingerprints inthe ether: Using the physical layer for wireless authentication,” in Proc.IEEE Int. Conf. Commun., Jun. 2007, pp. 4646–4651.

[40] L. Yang, M. Jakobsson, and S. Wetzel, “Discount anonymous on de-mand routing for mobile ad hoc networks,” in Proc. SecureComm, 2006,pp. 1–10.

[41] Y. Zhang, W. Liu, and W. Lou, “Anonymous communications in mobilead hoc networks,” in Proc. IEEE INFOCOM, 2005, pp. 1940–1951.


Jiejun Kong (S’00–M’04) received the Ph.D. degreein computer science from the University of Califor-nia, Los Angeles, in 2004.

He is currently with Scalable Network Technolo-gies, Inc., Los Angeles. He has contributed to thedesign, implementation, and testing of network pro-tocols within the NSF iMASH, Office of NavalResearch MINUTEMAN/STTR, and the NationalScience Foundation WHYNET projects. His re-search interests include secure and anonymous rout-ing; authentication; access control; distributed data

harvesting; network security modeling in mobile wireless networks, particu-larly those with challenging network constraints and high security demands,such as mobile ad hoc networks and underwater sensor networks; and thedevelopment of efficient, scalable, and secure network protocols for wirelessnetworks.

Xiaoyan Hong (S’01–M’04) received the Ph.D. de-gree in computer science from the University ofCalifornia, Los Angeles, in 2003.

She is currently an Assistant Professor with theDepartment of Computer Science, University ofAlabama, Tuscaloosa. Her research interests includenetwork protocol design, performance evaluationand prototyping for mobile and wireless networks,challenged networks, and wireless sensor networks.Her current research interests include routing, mobil-ity, privacy, and security issues.

Dapeng Oliver Wu (S’98–M’04–SM’06) receivedthe Ph.D. degree in electrical and computer engineer-ing from Carnegie Mellon University, Pittsburgh, PA,in 2003.

Since 2003, he has been with the Department ofElectrical and Computer Engineering, University ofFlorida, Gainesville, where he is currently AssociateProfessor. His research interests include network-ing, communications, signal processing, computervision, and machine learning.

Prof. Wu was the recipient of the Office of NavalResearch Young Investigator Program Award in 2008, the National ScienceFoundation CAREER Award in 2007, the 2001 IEEE TRANSACTIONS ON

CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY Best Paper Award, andthe 2006 Best Paper Award from the International Conference on Quality ofService in Heterogeneous Wired/Wireless Networks.

Documents

Protection Against Mobile Tracing Through Motion-MIX for Mobile Wireless Nodes