The Second International Conference on Innovations in Information Technology (IIT05)

DAWWSEN: A DEFENSE MECHANISM AGAINST WORMHOLE ATTACKS IN WIRELESS SENSOR NETWORKS

Rouba El Kaissi, Ayman Kayssi, Ali Chehab and Zaher Dawy Department of Electrical and Computer Engineering American University of Beirut Beirut, Lebanon. {rze03, ayman, chehab, zaher.dawy}@aub.edu.lb

ABSTRACT
Many obstacles impede the successful deployment of sensor networks. In addition to the limited resources issue, security is a major concern especially for applications such as home security monitoring, military, and battle field applications. In this paper we present a defense mechanism against wormhole attacks in wireless sensor networks. Specifically, a simple routing tree protocol is proposed and shown to be effective in defending against wormhole attacks through ns-2 simulations. Keywords: Wireless sensor and ad hoc networks, wormhole attack, routing tree protocol.

1. INTRODUCTION
Wireless sensor networks (WSNs) constitute a rapidly emerging area of interest [1-6]. They have a wide range of potential applications including habitat monitoring [3], indoor sensor networks with sensor-enabled user interfaces [4], nuclear power plants and battlefield monitoring [5], target tracking, and seismic monitoring of buildings [6]. WSNs are built with a large number of tiny and inexpensive sensor nodes that are typically resource constrained, with low-power sensors, limited memory, slow embedded processors, and low-bandwidth radios. Due to their limited power and short range, sensor nodes need to collaboratively work in multihop wireless communication architectures to allow the transmission of their sensed and collected data to the nearest base station. Unlike wired networks where the physical wires prevent an attacker from compromising the security of the network, wireless sensor networks face many security challenges that represent a prerequisite to a successful deployment of wireless sensor networks especially for military applications. Moreover, the resource-starved nature of sensor nodes makes the security issue very critical; in fact, the deployment of maximum security services in each node will produce a significant drain on the system resources, and thus reduce the nodes lifetime. This paper addresses the security concerns in wireless sensor networks. More specifically, we address the wormhole attack, which is a severe attack in wireless sensor networks whereby an attacker stores transmitted packets and then replays them into the network. Defending against such an attack is challenging because it can be launched even if all network communication is authentic and confidential. The rest of this paper is organized in the following way. Section 2 presents the possible attacks on sensor networks. Related previous work is provided in Section 3. Our proposed design of setting up a secure wireless sensor network and defending against the wormhole attack is detailed in Section 4. Simulation results are shown in Section 5. Conclusions and future work are presented in Section 6.

The Second International Conference on Innovations in Information Technology (IIT05)

2. ATTACKS ON WIRELESS SENSOR NETWORKS

This section describes possible attacks on wireless sensor networks. Two types of attacks can be distinguished; the insider attacks and the outsider attacks. The insider attack or node compromise is a real threat for the sensor network; a compromised node is actually a legitimate node in the sensor network that was captured by an adversary. This node may possess all the secret keys in the case of encrypted and authenticated communications and thus, will be capable of participating in the communications and disrupting the network. The outsider attacks are achieved by unauthorized nodes that can easily eavesdrop on the packets exchanged between sensor nodes due to the shared wireless medium, in an attempt to get access to private information. The attacker in this case is also capable of altering or spoofing the information, and injecting erroneous packets. Furthermore, it may refuse to forward every packet it receives and simply drops them; this attack is called the selective forwarding attack. Some outsider attacks can only be achieved by an attacker that includes itself on the route that packets take. This is possible for example through the construction of sophisticated attacks that tend to eventually destroy the routing protocol [7]. One of these attacks is the sinkhole attack which is started by an attacker aiming to attract all the traffic destined to the base station by simply replaying a high quality routing advertisement. The transmission of this routing advertisement lets each neighboring node of the attacker forward the packets intended to the base station through this attacker. Note that the effect of this high quality route will propagate to the nodes located many hops away from the attacker. As an example, a laptop-class adversary has a strong power radio transmitter that allows it to provide a high-quality route by transmitting with enough power to reach a wide area of the network. The sinkhole attack in the case of routing tree protocol is shown in Figure 1.
Base Station Attacker

Figure 1: Sinkhole Attack. Another attack is the Sybil attack where a node illegitimately presents multiple identities to the nodes in the network. This attack is most critical in a routing protocol where a node selects with equal probability an upstream neighbor as the next hop towards the base station. Therefore, by pretending to have multiple identities, the Sybil attacker will be chosen with high probability as the next hop. Hence, a sinkhole will be created and the attacker will be capable of performing selective forwarding, spoofing and altering the packets, etc.

The Second International Conference on Innovations in Information Technology (IIT05)

Another attack is the acknowledgment spoofing attack which has a serious impact on the routing protocol. This attack is launched by an attacker that attempts to encourage the nodes to transmit packets on weak or dead links; this can be achieved by convincing the sender that a weak link is strong by spoofing acknowledgement packets for overheard packets that are destined to neighboring nodes. Finally, the wormhole attack which will be the core of this paper is a very critical attack that can be launched by an attacker that records the transmitted packets and then replays them into the network. The attacker can be either an ordinary sensor or a stronger node (eg. laptop-class node). This attack is very dangerous against the routing protocol since the attacker might launch these attacks during the neighbor discovery phase. Consider for instance the case where an attacker is placed in the neighborhood of Node A (see Figure 2); when A broadcasts the routing request packet, the attacker receives this packet and replays it in its neighborhood. Each node receiving this replayed packet will consider itself to be in the range of Node A, and will mark this node as its parent. Hence, the attacker is capable of convincing the nodes that would normally be multiple hops from A that they are only one hop away as shown in Figure 2.
Attacker

Wormhole link

Node A

Node C

Node A

Node C

Node B

Node B

Figure 2: Normal Network (left), Network under Wormhole Attack (right). Note that an attacker with a high power radio transmitter is capable of transmitting to a longer range compared to an ordinary sensor attacker, and therefore it disrupts more sensor nodes.

3. PREVIOUS WORK
Recently, the problem of securing ad-hoc networks has become a major concern, and many solutions have been proposed in the literature [9-13]. Unfortunately, due to the resource constrained nature of the sensor nodes, the solutions proposed for the latter cannot be applied to sensor networks. This fact has given rise to new research in order to address the security issues in wireless sensor networks. Perrig et al. present a collection of security protocols for sensor networks [2]. The model integrates two major components, SNEP (Secure Network Encryption Protocol) and Tesla (Timed Efficient Stream Loss-tolerant Authentication). SNEP is a protocol for data confidentiality and two party data authentication, while Tesla is a protocol for broadcast data authentication. This scheme provides a light authenticated routing protocol which increases the difficulty of launching many possible attacks on sensor networks. LEAP (localized encryption and authentication protocol) is an efficient protocol for inter-node traffic authentication which is developed by Zhu et al. [14]. This protocol relies on a key sharing approach that authorizes in-network processing, and at the same time mitigates a number of possible attacks.

The Second International Conference on Innovations in Information Technology (IIT05)

In [15], two security protocols for real-world applications are proposed by Chen et al. The first one addresses the base station to mote confidentiality and authentication; it recommends that the authenticity and the confidentiality of the messages can be provided by the use of a shared-key algorithm, e.g. RC5. The second protocol is close to the one used by TESLA [16] which aims to achieve mote authentication. Park and Shin present LISP (a Lightweight Security Protocol for wireless sensor networks) [17] which is an efficient protocol that proposes a new re-keying mechanism in order to make a tradeoff between security and resource consumption of sensor nodes. It is shown that this protocol was capable of defending against various attacks. In [18], Jones et al. propose a novel solution to the problem of securing WSNs; the proposed model is based on the use of the frequency hopping technique that leads to a lightweight and strong mechanism for securing wireless sensor networks. A distinguishing feature of this model is that it is applicable to networks in which the sensor nodes are unaware of their location. The papers listed above propose different protocols that provide the sensor network with a high level of security since they are capable of defending against various types of attacks. However, none of them has effectively handled the wormhole attack. The wormhole attack in wireless sensor networks was first introduced by C. Karlof and D. Wagner who analyze in [7] the security issues of different routing protocols in WSNs, and discuss for each routing protocol the possible attacks (e.g. Sybil, sinkhole, selective forwarding, wormhole, etc.). Then, they propose the countermeasures that should be applied in order to defend against these attacks. For the wormhole attack, C. Karlof and D. Wagner mentioned the geographic routing protocol [19] as a resistant protocol to this attack; this protocol is actually an on-demand routing protocol based on the exchange of coordinate information used to route geographically addressed packets. Hence, the wormhole attack can be detected if a route was noticed to be created between two consecutive nodes that are actually distant in geographic location, and the integrity of this route is thus suspected. However this routing protocol requires that each node is aware of its own location, its immediate one hop neighbors, and the destination location. On the other hand, ways of defending against this attack in ad-hoc networks have received a great deal of well-deserved attention in the literature. They were mentioned by Dahill et al. [20], Papadimitratos et al. [21], and Hu et al. [22]. One way of defending against this attack is to improve the signal processing technique; however, this technique cannot be readily applied in the case of sensor networks due to their processing constraints. Another solution [23] proposes the adoption of directional antennas; each couple of nodes has to examine the directions of the received signals from each other and from a shared witness. Hence, the neighbor relation is set only if the directions of both pairs match. Recognizing the position of a node [24, 25] is also helpful to prevent wormhole attacks. Actually, the regular nodes or a centralized controller will be capable of discovering the presence of an attacker by the detection of two conflicting positions in the original packet and the sent packet. However, it is not easy to apply this method in outdoor environments. Capkun et al. propose a new approach to detect the wormhole attack without the need of clock synchronization [26]. Each node is asked to respond to a one bit challenge without any delay. Then, the challenger has to measure the round trip time of the signal very accurately in order to calculate the distance between the nodes Hu et al. present the packet leash solution [22] which requires that, for each transmitted packet, the leash should be added in order to restrict the transmission distance.

The Second International Conference on Innovations in Information Technology (IIT05)

It can be seen that due to the difference in characteristics between ad hoc networks and sensor networks, it will be very expensive to employ these approaches in a wireless sensor network.

4. BUILDING A SECURE WSN

In this section, we design DAWWSEN (Defense mechanism Against Wormhole attacks in Wireless SEnsor Networks). First, we describe our network model, and then present how the routing tree is hierarchically constructed and how it can defend against the wormhole attack. 4.1 Network Model The network model we use is as follows. We consider a network composed of a small number of base stations, and a massive number of wireless sensor nodes randomly distributed in the target area. These nodes have limited processing power, energy and bandwidth while the base stations are resource-rich in terms of their computational capabilities, storage capacity, and energy lifetime. Another assumption is that sensor nodes are not mobile during the duration of their lifetime and are equipped with omni-directional antennas. Moreover, the deployed sensor nodes are trustworthy and cannot be compromised by attackers. This means that an internal attack is impossible and hence, the attack can be achieved only by hostile nodes or anti-nodes which are generally capable of performing various kinds of outside attacks as discussed in Section 2. Most of the outside attacks can be avoided by a simple encryption and authentication of the messages (routing and data packets); the encryption and authentication prevent an attacker from injecting packets in the network, they also eliminate the possibility of altering packets, as well as creating sinkholes and making selective forwarding, etc. However, the resource-starved nature of sensor networks poses great challenges for security. Public key cryptography such as RSA was proved to be infeasible at present for sensor nodes [2], as it is computationally expensive for them. Instead, lightweight symmetric key cryptography such as RC5 has been shown to be effective [8]. We propose to use a global key that is shared by all nodes in the network. Using a global key for encrypting information is attractive in terms of storage requirements and ease of use. However, due to the use of a lightweight symmetric key cryptography, it will be necessary to periodically refresh the global key. With the above model in mind, we can effectively prevent all attacks that rely on the alteration of packets and impersonation of other nodes. However, the routing protocol is seriously threatened by the wormhole attack that can eventually disrupt routing in the WSN. 4.2 DAWWSEN In order to combat the wormhole attack, we design DAWWSEN, a proactive routing protocol based on the construction of a hierarchical tree where the base station is the root node, and the sensor nodes are the internal or the leaf nodes of the tree. The tree construction is initiated by the base station which broadcasts a request packet in order to discover its children nodes. A request packet contains the ID of the node that originates the request packet and the hop count which is equal to one in the case of a request packet sent by the base station. The nodes receiving the first request packet cannot immediately decide its parent; they still have to wait for a period of time in order to collect a number of request packets since it is still impossible to know if a received request packet is replayed by a wormhole attacker or not. Therefore, each node receiving a request packet inserts a new entry in its request list that contains the IDs of all the nodes from which it has received a request packet, and their

The Second International Conference on Innovations in Information Technology (IIT05)

corresponding hop count. The insertion of a new entry is done in a sorted way; the one with the lowest hop count will be placed at the head of the list (Figure 3).
NodeID1 Hop Count 1 NodeID2 Hop Count 2 NodeID3 Hop Count 3 Hop Count 1 Hop Count 2 Hop Count 3

Figure 3: Request List of a Node Receiving three Request Packets. A Reply Timer is set to expire after a period of REPLY_DELAY seconds from the reception of the first received request packet. When the timer expires, the node sends a reply packet which contains its ID, the destination ID which is the ID of the first node in its request list and its corresponding hop count, and then updates its replay table which contains the following fields: destination ID, hop count, number of replayed packets (Num_Rep) and the Recv_Accept field. The first 2 fields are respectively set to the values of the destination ID and hop count in the reply packet, and the last 2 fields are set to zero (Figure 4).

NodeID1

Hop Count 1

Num_Rep =0

Recv_Accept =0

Figure 4: Replay Table of a Node after the Transmission of a Reply Packet. Then, it sets another timer, the Check Timer, which expires after a period of CHECK_DELAY seconds from the transmission of the reply packet. During this period, the node sending this reply packet keeps listening to the transmitted reply packets, and increments the Num_Rep field for each received packet with source ID and destination ID respectively equal to its own ID and to the destination ID in the replay table (NodeID1). On the other hand, the node receiving a reply packet inserts in its reply list (Figure 5) a new entry which contains the ID of the node sending the reply packet, its hop count, and the number of the identical received reply packets (Num_reply) which is set to one for a new received reply packet.
NodeIDa Hop Counta Num_replya NodeIDb Hop Countb Num_replyb NodeIDc Hop Countc Num_replyc

Figure 5: Reply List of a Node Receiving Three Reply Packets. Upon the reception of the first reply packet, the node sets the Accept Timer which expires after a period of ACCEPT_DELAY seconds from the reception of this packet. For each received reply packet during this period, the node navigates over the reply list for a match of the NodeID. If an entry was found, its Num_reply field will be incremented by one; otherwise a new entry will be added to the list with Num_reply equal to one.

The Second International Conference on Innovations in Information Technology (IIT05)

Once its Accept Timer expires, the node sends for each entry in its reply list an equivalent accept packet which contains its own ID as a source ID, the NodeID in the reply list as the destination ID, and the Num_reply field which designated the number of repeated reply packets received by the destination node. The node receiving an accept packet should check the source ID that should be the same as the NodeID in its replay table. If this is not the case, this will mean that this packet was stored by an attacker during a previous construction of the routing tree and replayed now, and therefore should be dropped. If not, the node receiving this packet updates its replay table by setting the Recv_accept field to one and checks if the Num_reply field in the accept packet is one value greater than Num_Rep in the replay table of this node. Num_reply = Num_Rep + 1 (1) If the above condition is not verified, a wormhole attack is detected by this node which will: 1- Drop the received accept packet. 2- Add the ID of the originator of the accept packet to its NAP (Not Accepted Packets) table. 3- Update its replay table by setting all the values to zero. 4- Send another reply which corresponds to the second entry in its request list or wait for another request packet if not available. Hence, the NAP table of a node contains the IDs of all the nodes that cannot be a parent of this node. It is important to mention that the IDs in this table can be kept forever since we are assuming that the nodes are fixed; therefore, if a node was added to the NAP table of a node, it can never be a neighbor of this node and each request packet received afterward from a node whose ID is in the NAP table will be immediately dropped. Until now, nothing was mentioned about the Check Timer which is of major importance. To illustrate its role, consider the case of an attacker that replays request and reply packets only. Hence, a node receiving a replayed request packet will send a reply packet and keeps waiting for the accept packet. Here comes the importance of the Check Timer which expires after a period of CHECK_DELAY seconds from the transmission of the reply packet. At this moment, the node sending the reply packet checks the Recv_Accept field in its replay table. If equal to zero, this means that no accept packet was received for the transmitted reply packet, and a new reply packet has to be sent. It is worth mentioning that the Accept Timer should be set to expire before the Check Timer. On the other hand, if equation (1) is verified, the node receiving the accept packet marks the originator of this packet as its parent, updates its routing table with the ID and the hop count of this parent and rebroadcasts a request packet with a hop count field incremented. Consequently, a hierarchical 3-way handshake routing tree for a multi-hop wireless sensor network can be rapidly created. A distinguishing feature of DAWWSEN is that it is the responsibility of the node receiving the accept packet to mark its parent and that the sensor nodes are not aware of their children. However, this does not have any influence on the network since all the data packets are sent only from the child to its parent. It is also noticeable that although the tree is rooted at the base station, each node has no idea of which base station it is routing to. This means that such a scheme can also be deployed in the case of the presence of more than a single base station. Finally, it is important to mention that the base station waits Trefresh seconds before the retransmission of a new request packet and thus the construction of a new routing tree. This

The Second International Conference on Innovations in Information Technology (IIT05)

parameter should be set according to the energy consumption of the sensor nodes. Actually, it is important to ensure that we do not starve the nodes so that all data packets are guaranteed to be transmitted and processed if necessary. Remember that each node has a single route to the base station; hence, if the battery of a node is depleted, all the data that are usually transmitted through this node will be lost.

5. SIMULATION
To evaluate the performance of our routing protocol, we used ns-2 simulation environment [26] to run the simulations described in this section. First, we define the parameters used in our scenario, and then we show our simulation results. 5.1 Simulation Setup This protocol was tested on 18 sensor nodes randomly distributed over a square field of 200m by 200m. The deployed nodes have fixed positions during the entire simulation. Node 0 is chosen as a base station, node 3 as an attacker, while the other 16 nodes are normal sensor nodes (Figure 6). Our simulation uses the IEEE 802.11 physical and MAC layers which are fully simulated in ns-2 and each node has a fixed radio range of 50 meters. The parameters Trefresh, REPLY_DELAY, CHECK_DELAY, ACCEPT_DELAY and the duration of the simulation are respectively set to 120, 0.005, 0.08, 0.025, 400 seconds. 5.2 Simulation Results In order to evaluate the performance of our routing protocol, 3 scenarios were tested. In the first one, the attacker (node 3) replays only the request packet received from the base station (node 0). Therefore, each node receiving this packet: Updates its request list and sets the Reply Timer Transmits a reply packet after 0.005 seconds Updates its replay table and sets its Check Timer Checks its replay table after 0.08 seconds.

Since the Recv_Accept field in their replay table is equal to zero, and no other request packet was received till this moment, the nodes that are more than 50m away from the Base Station wait for another request packet which will be sent later by node 2 with a hop count equal to 2 and update their NAP tables with the ID of the Base Station. In the second scenario, the attacker replays the request packet sent by the base station and the reply packet sent by node 9. The same procedures are performed by the nodes, and the wormhole attack can be detected the same way. In the third scenario, the attacker replays the 3 packets transmitted between the base station and node 9. In this case, node 9 checks equation (1) after the reception of the accept packet replayed by the attacker and thus detects a wormhole attack and waits for another request packet. Finally, after checking the routing tables of all the sensor nodes, it was possible to sketch the equivalent routing tree of our scenario as shown in Figure 7.

The Second International Conference on Innovations in Information Technology (IIT05)

Base Station(0)

8 7 1 Attacker (3) 2 4 5 6 14 10 9 11 12 13 15 16 17

Figure 6: The Simulated Scenario

Figure 7: The Routing Tree

As a conclusion, DAWWSEN has showed its ability to detect and defend against the wormhole attack in all the 3 cases described above and needed only 0.14 seconds to accomplish the construction of the tree.

CONCLUSION AND FUTURE WORK

In this paper, we have presented a new protocol called DAWWSEN that incorporates a detection and defense mechanism against the wormhole attack, a powerful attack that has serious consequences on sensor routing protocols. A great advantage of DAWWSEN is that it doesnt require any geographical information about the sensor nodes, and doesnt take the time stamp of the packet as an approach for detecting a wormhole attack, which is very important for the resource constrained nature of the sensor nodes. Finally, we have examined the performance of DAWWSEN through ns-2 simulations, and the results have shown that our routing protocol can efficiently defend against the wormhole attack and achieve low delay. In future work, we will try to introduce some modifications to our routing protocol in order to get a balanced tree where the load would be fairly distributed among the nodes since this will considerably help in reducing the value of Trefresh. We will also try to test our routing protocol in the case of 2 or more collaborating attackers.

REFERENCES
[1] J. Deng, R. Han, and S. Mishra, INSENS: Intrusion-Tolerant Routing in Wireless Sensor Networks, In proceedings of the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003), Providence, May 2004. [2] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. Tygar, SPINS: Security Protocols for Sensor Networks, In proceedings of the Seventh Annual International Conference on Mobile Computing and Networks (MOBICOM 2001), July 2001. [3] A. Mainwaring, J. Polastre, R. Szewczyk, D. Culler, and J. Anderson, Wireless Sensor Networks for Habitat Monitoring, In proceedings of WSNA02, 2002. [4] J. Carlson, R. Han, and et.al, Rapid Prototyping of Mobile Input Devices Using Wireless Sensor Nodes, In proceedings of WMCSA03, Monterey, California, USA, October 2004. [5] U. A. F. ARGUS, Advanced Remote Ground Unattended Sensor Systems, Department of Defense, Argus, http://www.globalsecurity.org/intell/systems/arguss.htm.

The Second International Conference on Innovations in Information Technology (IIT05) [6] J. Hill, R. Szewczyk, A.Woo, S. Hollar, D. Culler, K. Pister, System Architecture Directions for Networked Sensors, Architectural Support for Programming Languages and Operating Systems, 2000. [7] C. Karlof and D. Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, In proceedings of IEEE International Workshop on Wireless Sensor Network Protocols and Applications, 2004. [8] J. Deng, R. Han, and S. Mishra, The performance evaluation of intrusion-tolerant routing in wireless sensor networks, In proceedings of IPSN03, Palo Alto, CA, USA, April 2004. [9] Y.-C. Hu, A. Perrig, and D. Johnson, Ariadne: A Secure On-Demand Routing Protocol for Ad-Hoc Networks, In proceedings of the 8th ACM International Conference on Mobile Computing and Networking (MOBICOM 2002), ACM, Atlanta, GA, September 2002. [10] P. Ning and K. Sun, How to misuse AODV: A Case Study of Insider Attacks against Mobile Ad-hoc Routing Protocols, In proceedings of IEEE Workshop on Information Assurance United States Military Academy, June 2003 [11] Y.-C. Hu, D. Johnson, and A. Perrig, SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks, In proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications, June 2002. [12] K. Sanzgiri, B. Dahill, B.Levine, C. Shields, and E. Royer, A Secure Routing Protocol for Ad Hoc Networks, In proceedings of the 10th IEEE International Conference on Network Protocols (ICNP 02), November 2002. [13] L. Zhou and Z. Haas, Securing Ad Hoc Networks, IEEE Network Magazine, vol. 13, no. 6, pages 24-30, November/December 1999. [14] S. Zhu, S. Setia and S. Jajodia, LEAP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks, In proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), Washington D.C., October, 2004. [15] M. Chen, W. Cui, V. Wen, and A.Woo (2000): Security and Deployment Issues in a Sensor Network, http://www.cs.berkeley.edu/ wdc/classes/cs294-1- report.pdf, December 2000. [16] A. Perrig, R. Canetti, J. D. Tygar, Dawn Xiaodong Song, Efficient Authentication and Signing of Multicast Streams over Lossy Channels, In proceedings of IEEE Symposium on Security and Privacy, May 2000. [17] T. Park and K. Shin, LISP: A Lightweight Security Protocol for Wireless Sensor Networks, In proceedings of ACM transaction on Embedded Computing systems, August 2004. [18] K.Jones, A. Wadaa, S. Olanu, L.Wison, M. Eloweissy, Towards a New Paradigm for Securing Wireless Sensor Networks, In proceedings of ACM, 2004. [19] Y. Yu, R. Govindan, D. Estrin, Geographical and energy aware routing: a recursive data dissemination protocol for wireless sensor networks, Tech. Rep. UCLA/CSD-TR-01- 0023, Computer Science Department, University of California at Los Angeles, May 2001. [20] B. Dahill, B. Levine, E. Royer, and C. Shields, A Secure Routing Protocol for Ad hoc Networks, Tech Report 02-32, Dept. of Computer Science, University of Massachusetts, Amherst, 2001. [21] P. Papadimitratos and Z. Haas, Secure Routing for Mobile Ad Hoc Networks, In proceedings of SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS), 2002. [22] Y. Hu, A. Perrig, and D. Johnson, Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Networks, In proceedings of INFOCOM, 2004. [23] L. Hu and D. Evans, Using Directional Antennas to Prevent Wormhole Attacks, In proceedings of Network and Distributed System Security Symposium (NDSS), 2004. [24] P. Bahl and V. Padmanabhan, RADAR: An In-Building RF-Based User Location and Tracking System, In proceedings of INFOCOM, 2000. [25] N. Sastry, U. Shanker, and D. Wagner, Secure Verification of Location Claims, In proceedings of ACM Workshop on Wireless Security (WiSe), 2003. [26] S. Capkun, L. Buttyan, and J. Hubaux, SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks, In proceedings of ACM Workshop on Security of Ad Hoc and Sensor Networks, 2003.

10