The Smallville Effect: Social Ties Make Mobile Networks More Secure Against the Node Capture Attack
Mobile Ad Hoc networks, due to the unattended nature of the network itself and the dispersed location of nodes, are subject to several unique security issues. One of the most vexed security threats is node capture. A few solutions have already been pr…
Authors: Mauro Conti, Roberto Di Pietro, Andrea Gabrielli
Mauro Conti∗
Department of Computer Science, Vrije Universiteit Amsterdam, 1081 HV - Amsterdam, The Netherlands
mconti@few.vu.nl

Roberto Di Pietro†
UNESCO Chair in Data Privacy, Universitat Rovira i Virgili, 43700 - Tarragona, Spain
roberto.dipietro@urv.cat

Andrea Gabrielli, Luigi V. Mancini, and Alessandro Mei
Dipartimento di Informatica, Università di Roma “Sapienza”, 00198 - Roma, Italy
{a.gabrielli, mancini, mei}@di.uniroma1.it

Abstract

Mobile Ad Hoc networks, due to the unattended nature of the network itself and the dispersed location of nodes, are subject to several unique security issues. One of the most vexed security threats is node capture. A few solutions have already been proposed to address this problem; however, those solutions are either centralized or focused on theoretical mobility models alone. In the former case the solution does not fit well the distributed nature of the network while, in the latter case, the quality of the solutions obtained for realistic mobility models severely differs from the results obtained for theoretical models. The rationale of this paper is inspired by the observation that re-encounters of mobile nodes do elicit a form of social ties. Leveraging these ties, it is possible to design efficient and distributed algorithms that, with a moderated degree of node cooperation, enforce the emergent property of node capture detection. In particular, in this paper we provide a proof of concept proposing a set of algorithms that leverage, to different extent, node mobility and node cooperation—that is, identifying social ties—to thwart node capture attack. In particular, we test these algorithms on a realistic mobility scenario.
Extensive simulations show the quality of the proposed solutions and, more important, the viability of the proposed approach.

∗ Also with Center for Secure Information Systems, George Mason University, Fairfax, VA, USA. E-mail: mconti1@gmu.edu.
† Also with Dipartimento di Matematica, Università di Roma Tre, Roma, Italy. E-mail: dipietro@mat.uniroma3.it.

1 Introduction

Ad Hoc networks are an ideal candidate for the deployment in harsh environments, due to their capacity of operating without an existing infrastructure. The application scenarios include law enforcement, search-and-rescue, disaster recovery, and others. In these cases, Ad Hoc Networks have the additional appealing feature to be able to operate in an unattended manner. However, this comes at a cost: Ad Hoc networks are vulnerable to different kinds of novel attacks. For instance, an adversary could eavesdrop all the network communications, or it might capture (i.e. remove) nodes from the network. Captured nodes can be re-programmed and re-deployed in the network area, with the goal of subverting the data aggregation, the decision making process, or other operations. Moreover, they can be re-programmed, replicated in many copies, and re-deployed in the network to perform any sort of vicious attack, amplified by the presence of many malicious devices. In this paper, we start from the observation that all of these attacks start from the capture of one of the nodes. Therefore, being able to detect this malicious activity becomes a formidable way to stop many of the threats to Ad Hoc networks.

The node capture attack may also be of independent interest, an example comes from the LANdroids [20] research program by the U.S. Defense Advanced Research Projects Agency (DARPA). This research program has the goal of developing smart robotic radio relay nodes for battlefield deployment.
LANdroid mobile nodes are supposed to be deployed in a hostile environment, establish an ad-hoc network, and provide connectivity as well as valuable information for soldiers that would later approach the deployment area. An adversary might attempt to capture one of these nodes to reduce the efficiency of the network.

The unique requirements of the Ad Hoc network context call for efficient and distributed solutions to the node capture attack. We believe that any solution to this problem has to satisfy the following requirements: (i) to detect the node capture as early as possible; (ii) to have a low rate of false positives—nodes that are believed to be captured and thus subject to a revocation process, but that were not actually taken by the adversary; (iii) to have a low rate of false negatives–nodes that are believed to be not captured, but that were actually captured; (iv) to introduce a small overhead. The solutions proposed so far are not efficient [25]. Moreover, naïve centralized solutions, although they can in principle be applied, present drawbacks like single point of failure and non uniform energy consumption.

In this paper we tackle the problem of detecting the node capture attack in the context of mobile Ad Hoc networks of devices like smart-phone or PDAs carried by individuals. These networks have attracted the attention of a large number of researchers in the field of networking. They are often called Pocket Switched Networks, and they are part of the class of the Delay Tolerant Networks. In Pocket Switched Networks the contacts between devices are used as opportunities of message forwarding. Actually, a large part of the work in this field has the goal of designing multi-hop routing mechanisms that are able to deliver messages between any arbitrary pair of devices in the network efficiently. In these networks the mobility pattern has some unique features.
Since devices are carried by humans, the pattern of contacts between devices mimics the social nature of human mobility. This observation has been used to build forwarding mechanisms that use the notion of community to make messages find their way from source to destination.

In particular, this paper describes how to make use of the social nature of contacts to get a network stronger against the node capture attack. To the best of our knowledge, this is the first work that demonstrates that social-based mobility has a strong impact on security. In our solution, nodes are responsible, in a distributed fashion, to monitor the presence of one or more other peers. If the mobility pattern were irregular, or arbitrary, or if every node moved independently, like in the random way-point mobility model, then any choice of pairs of monitoring and monitored node would essentially be the same. Our key observation is that social mobility has a unique pattern, and so there is a way to assign responsibilities in the network to improve considerably the efficiency of our protocols for the node capture attack. Quite naturally, we will see that the best performance is achieved when the monitoring node and the monitored node have a strong social tie. Just like in the real life, if we disappear for some time the first persons that get worried are our family members and our friends at work. Or just like what happens in small villages, where social ties are traditionally very strong and where, if something wrong happens, very quickly someone realizes and alerts everybody. This is why we call this phenomenon the Smallville effect.

We will describe the problem in terms of capture and revocation of captured nodes. However, our solution can be applied also in more general scenarios.
As an example, there could be a trust relationship established between a group of users such that they stop trusting nodes that disappear from the network for a given time-interval. The node, in case its absence was not due to a capture, could be asked to go through some expensive and secure procedure (e.g. obtaining a new communication key from a central server) in order to join again the group in the trust-relationship.

We will validate our solution with a large set of experiments performed using real traces publicly available, those collected at INFOCOM 2005, and we will see that the Smallville effect can be considerably strong.

The rest of the paper is organized as follows. In Section 2 we review the related work in the area. In Section 3 we present the system model and the assumption used in this work. Our proposal is presented in Section 4, while the performance results are discussed in Section 5. We conclude the work in Section 6.

2 Related Work

Wireless social community networks are emerging as an alternative to traditional networks to provide wireless data services. This type of networks relies on users—a wireless community can rapidly deploy a high-quality data access infrastructure in an inexpensive way. To the best of our knowledge, no security issues have been investigated in the particular context of social wireless communities networks. Interest in wireless social communities network has been recently shown by the research community from different points of view, like network coverage [23] or the detection of the source-starvation [15]. Also the identification of communities in more traditional network, such as the file sharing peer-to-peer network, has been of interest for the research community [19].

Mobility as a means to enforce security in mobile networks has been considered in [3].
In [21], the authors identified social and situational factors which impact group formation for wireless group key establishment. Further, mobility has been considered in the context of routing [13] and of network property optimization [22]. In particular, [13] leverages node mobility in order to disseminate information about destination location without incurring any communication overhead. In [22] the sink mobility is used to optimize the energy consumption of the whole network. A mobility-based solution for detecting the sybil attack has been recently presented in [26]. Finally, note that a few solutions exist for node failure detection in ad hoc networks [11, 12, 14, 27]. However, such solutions assume a static network, missing a fundamental component of our scenario, as shown in the following.

Node capture attack is considered as a major threat in many security solutions for WSN. In particular, in [16] both oblivious and smart node capture is considered for the design of a key management scheme for WSN. A deeper analysis on the modeling of the capture attack has been presented in [32, 33]. In [32], it is shown how different greedy heuristics can be developed for node capture attacks and how minimum cost node capture attacks can be prevented in particular setting. In [33], the authors formalize node capture attacks using the vulnerability metric as a nonlinear integer programming minimization problem.

Node mobility and node cooperation in a mobile ad hoc setting has been considered already in Disruption Tolerant Networks (DTNs) [9, 30]. However, such a message passing paradigm has not been used, so far, to support security. We leverage the concept introduced with DTN to cooperatively control the presence of a network node.

In [7, 8] a proof of concept that it is possible to design a node capture detection protocol leveraging the network mobility is given—more specifically leveraging the expected “re-meeting” time between nodes. However, [7, 8] present capture detection solutions focusing on a specific mobility model, the Random Waypoint Mobility (RWM) model [2]. RWM has shown different problems. One of these is that the average speed of the network tends to decrease during the life of the network itself and, if the minimum speed that can be selected by the nodes is zero, then the average speed of the system converges to zero [36]. In [36] it is also suggested to set the minimum speed to a value strictly greater than zero. In this case, the average speed of the system continues decreasing, but it converges to a non-zero asymptotic value. Other problems related to spatial node distribution have been considered by different authors [18, 28, 36]. Finally, the RWM model can be far from describing realistic mobility patterns [6, 18, 36]. The work in [6] highlights that in realistic mobility:

1. Some single nodes meet all the other nodes with a very low frequency. In the following we will refer to such a type of node as to isolated nodes.
2. There are subsets of nodes that meet between them with a significantly higher frequency than the average. We will refer to such a type of subset as to communities. As examples of everyday life, we can think to students that attend the same class or people that work or live in the same building.

In this work we do not consider mobility traces synthesized using the RWM model. Instead, we consider only real traces. Among the publicly available traces for mobile nodes (e.g. from [1]), we consider the traces collected at INFOCOM 2005 conference [29], already used in previous research works [4, 5, 17, 34].
In particular, the traces of mobile nodes were gathered using Bluetooth devices distributed to 41 people attending the INFOCOM 2005 conference.

3 System Model and Assumptions

In the following we state all the assumptions used throughout this paper as well as the overhead model used to assess the performance of the proposal. First, we clearly state the threat we are going to address.

Definition 3.1 Node Capture. An adversary physically removes a node from the network—or just tampers with the node—in a way such that the node cannot communicate with the other nodes in the network. The attack can last forever or just for a given period of time.

Table 1 summarizes the notation used in this paper.

Network assumptions. We assume that the system provides a broadcasting primitive. This primitive is easily implementable by using a flooding mechanism. Further, we assume that nodes in the systems have a protocol abiding behavior, and that no compromised node is present when the protocol starts—indeed, node capture is a pre-requisite for node compromise.

Moreover, in the proposed solution every node maintains its own clock. To embrace the more general case, we also assume that nodes are not equipped with localization devices, like GPS. However, we require that clocks among nodes are loosely synchronized. Note that there are a few solutions proposed in the literature to provide loose time synchronization, like [31]. Therefore, in the following we will assume that skew and drift errors are negligible. Finally, security of network communications is out of the scope of this work; however, note that in order to enforce required security properties, we could rely on one of the many protocols proposed in the literature. For instance, the solution in [10] could be used to provide node authentication.

Message overhead model. The main overhead introduced by the protocol is due to message broadcast.
In [35] a classification of the different solutions for broadcasting scheme is provided: (i) Simple Flooding; (ii) probabilistic-based schemes; (iii) area based schemes that assume location awareness; (iv) neighbor knowledge schemes that assume knowledge of two hop neighborhood. Analyzing or comparing broadcasting cost is out of the scope of this paper. However, for a better comparison of the solutions proposed in this paper, we need to set a broadcast cost that will be expressed in terms of unicast messages. In fact, the overhead associated to the broadcasting varies with different network parameters (for instance, node density and communication radius). A deeper analysis on the overhead generated for different broadcasting protocols is presented in [24]. Finally, note that a message could be received more than once, for instance because the receiver is in the transmission range of different relay nodes. However, in the following we assume that a broadcasted message reaching all the nodes is received (then counted) only once for each node—it costs as 1 sent and 1 received message for each node. A similar assumption is used for example in [24].

Table 1. Time-related notation

Symbol   Meaning
σ        Message propagation delay.
τ        Interval time between presence claim for the Benchmark protocol.
λ        Alarm time-out.
δ        Time available to the allegedly captured node to prove its presence.
γ        Interval time for node cooperation requests in the AdaBo protocol.
n        Number of nodes in the network.
K        Total number of nodes tracked by each node.
$K_A$    Number of nodes tracked by each node using adaptiveness.
$K_B$    Number of nodes tracked by each node using booking.

4 The Protocol

In this section, we present our solution. In particular, to help the reader capture the insights of our final proposal, we refer to the case where just one node is captured and describe in the following two reference solutions:

• Benchmark protocol. The benchmark protocol is a simple solution that does not use node mobility and contact patterns [8]. We briefly report this solution in Section 4.1.
• Base protocol. Similarly, the base protocol introduced in [7, 8] is briefly recalled in Section 4.2.

We use both the Benchmark and the Base protocol as simple reference protocols to compare with. After these simple solutions, we present other two protocols, each of them capturing different aspects of the realistic mobility model introduced:

• Booking protocol. This protocol addresses the isolated nodes that can result in realistic mobile environments. It is described in Section 4.3.
• Adaptive protocol. This protocol leverages the communities that naturally emerge in realistic mobile environments. It is described in Section 4.4.

Finally, we combine the two previous protocols as building blocks of our final proposal, the AdaBo protocol.

4.1 Benchmark Protocol

In this section, we report a naïve solution for the node capture detection that does not make use of node mobility. First, assume that a Base Station is present in the network—we will show later how to remove this assumption. Each node periodically (for instance, every τ seconds) sends a message to the BS carrying some evidence of its own presence. In this way, the base station can check whether a node is present. If a node does not send the claim of its presence to the BS when it is assumed to do that (after t seconds from the previous claim), the base station will revoke the corresponding node ID from the network (for instance, flooding the network with a revocation message).

To remove the centralization point given by the presence of the BS, we require each node to notify its presence to any other node in the network (instead of just to the BS).
A node can prove its presence through a broadcasted and flooded message. A node receiving this claim would restart a time-out set to τ + σ, where σ accounts for network propagation delay. Should the presence claim not be received before the time-out elapses, the revocation procedure would be triggered. However, note that if a node is required to store the ID of any other node as well as the receiving time of the received claim message, O(n) memory locations would be needed in every node. To reduce the memory requirement on node, it is possible to assume that the presence in the network of each node is tracked by a small subset of the nodes of the network. Hence, if a node is absent from the network for more than τ seconds, its absence can still be detected by a set of nodes.

Note that for the Benchmark protocol the average number of messages $m(t_u)$ each node sends (the equation actually holds also for the number of received messages) over a time unit $t_u$ obeys to the following equation:

$$m(t_u) = \frac{t_u}{\tau} \cdot n \qquad (1)$$

where n is the number of nodes, and τ is the time-interval between presence floodings sent by a single node. Assuming a smart attacker that captures the node a just after the presence claim flooded by node a, τ also corresponds to the detection time.

4.2 Base Protocol

In this section, we report a recent protocol [7, 8] designed for the RWM model [2]. In the present work, we refer to this previous proposal as the base protocol. The approach in [7, 8] is based on the following observation. First, if node a has eavesdropped a transmission originated by node b, at time t, we will say that a meeting occurred. Now, nodes a and b are mobile, so they will leave the communication range of each other after some time.
However, these two nodes are expected to re-meet again within a certain time-interval, or at least with a certain probability within a certain time-interval.

In the Base protocol, each node a is given the task of witnessing for the presence of a specific set $T_a$ of other nodes (we will say that a is tracking nodes in $T_a$). In particular, the node a selects the nodes to be in $T_a$ as the first K nodes a meets (where K is the desired cardinality of $T_a$). For each node $b \in T_a$ that a gets into the communication range of, a sets the corresponding meeting time to the value of its internal clock and starts the corresponding time-out, that would expire after λ seconds. As a protocol option, the meeting nodes can also cooperate, exchanging information on the meeting time of nodes of interests—that is, nodes that are tracked by both a and b. If the time-out expires (that is, a and b did not re-meet within λ seconds), the network is flooded with a node-missing alarm triggered by node a. If node b does not prove its presence within δ seconds after the broadcasted node-missing alarm is flooded, every node in the network will revoke node b.

[Figure 1. INFOCOM traces: Nodes meetings. x-axis: ID; y-axis: Meetings.]

4.3 Booking Protocol

In this section, we address the first characterization of realistic mobility model. That is, there are some isolated nodes that meet all the other nodes with a very low frequency (compared to the meeting frequency the other nodes have). In particular, an isolated node can appear for the first time in the network (i.e. having the first meeting with another node) a while after the network operations are started. Observe that, if such a node is captured before the first meeting, there would be no node tracking it (hence its capture would go undetected), for the Base protocol.
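
The Base protocol's tracking rule and the blind spot just described, replayed over a small contact trace as an added example (not code from the paper). The trace, the parameter values, the one-unit clock ticks, restarting the time-out after a false alarm, refilling a slot freed by a revocation, and the `preassigned` option (which anticipates the fixed assignment that the Booking protocol introduces next) are assumptions of this example.

```python
from collections import defaultdict

# All values below are constructed for this example.
LAM, DELTA, K, END = 10, 2, 2, 36      # λ, δ, K and the end of the replay
NODES = [1, 2, 3, 4, 5]
CAPTURED = {5: 0, 2: 14}               # node -> capture time
# Contact trace (time, node, node): 1-2-3 form a community, 4 is a regular
# visitor, 5 is isolated and would have had its first meeting at t=30.
TRACE = [(1, 1, 2), (2, 2, 3), (3, 1, 3), (9, 1, 2), (10, 2, 3), (11, 1, 3),
         (12, 1, 4), (13, 3, 4), (18, 1, 3), (19, 1, 2), (20, 3, 4),
         (21, 1, 4), (26, 1, 3), (28, 3, 4), (30, 1, 4), (30, 3, 5),
         (34, 1, 3)]
# Fixed assignment in which every node is tracked by exactly two others.
BOOKED = {1: [2, 3], 2: [3, 4], 3: [4, 5], 4: [5, 1], 5: [1, 2]}


def simulate(trace, nodes, captured, end, lam, delta, k, preassigned=None):
    """Replay the trace; return ({revoked node: revocation time}, false alarms).

    preassigned=None  -> each node tracks the first k nodes it meets (Base).
    preassigned=dict  -> tracked sets are fixed before deployment, and every
                         time-out starts at t=0 (assumption of this example).
    """
    def is_captured(n, t):
        return captured.get(n, float("inf")) <= t

    by_time = defaultdict(list)
    for t, x, y in trace:
        by_time[t].append((x, y))

    if preassigned is None:
        tracked = {a: {} for a in nodes}              # a -> {b: last meeting}
    else:
        tracked = {a: {b: 0 for b in preassigned[a]} for a in nodes}

    revoked, false_alarms = {}, []
    for t in range(end + 1):
        # 1) Meetings: a captured node cannot communicate, so its contacts
        #    never take place.
        for x, y in by_time[t]:
            if is_captured(x, t) or is_captured(y, t):
                continue
            for a, b in ((x, y), (y, x)):
                if b in tracked[a]:
                    tracked[a][b] = t                 # restart the time-out
                elif preassigned is None and len(tracked[a]) < k:
                    tracked[a][b] = t                 # one of the first k met
        # 2) Time-outs: a floods a node-missing alarm for b after lam units.
        gone = set()
        for a in nodes:
            if is_captured(a, t):
                continue
            for b, last in list(tracked[a].items()):
                if b in gone or t - last < lam:
                    continue
                if is_captured(b, t):
                    revoked[b] = t + delta            # no proof within δ
                    gone.add(b)
                else:
                    false_alarms.append((t, a, b))    # b proves its presence
                    tracked[a][b] = t
        for slots in tracked.values():
            for b in gone:
                slots.pop(b, None)
    return revoked, false_alarms


if __name__ == "__main__":
    for name, pre in (("first-K (Base)", None), ("preassigned", BOOKED)):
        rev, fa = simulate(TRACE, NODES, CAPTURED, END, LAM, DELTA, K, pre)
        print(f"{name}: revoked={rev} false_alarms={fa}")
```

With first-K selection node 5, captured before any meeting, is never revoked; with the fixed assignment it is revoked, at the price of alarms raised for nodes the tracker simply has not met yet.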

Evidence of the presence of isolated nodes can be seen in Figure 1. In fact, Figure 1 shows for each node (INFOCOM traces) on the x-axis, the number of meetings for that node, on the y-axis. From Figure 1 it is possible to note how node 13, as well as node 18, can be considered as isolated nodes.

Leveraging this observation, we introduce the Booking protocol. Actually, this protocol is just a slight modification of the Base protocol. In particular, the only difference is in the way the K nodes that a node is going to track are selected. In particular, we assume that the network administrator decides for every node what are the IDs of the other nodes it is going to track. In this way, the network administrator can guarantee that every node is tracked by a fixed number of other nodes. The Booking protocol not only guarantees that every node is going to be tracked by someone (property not satisfied by the Base protocol); it is also possible for a node a to revoke a node b that it never meets (e.g. b could have been captured at the network deployment time or before the node a met it for the first time). We observe that in the Booking protocol communities are not leveraged to optimize the node tracking.

4.4 Adaptive Protocol

In realistic mobility pattern, it has been observed [6] that there are subsets of nodes which elements meet between them with higher frequency than the average (here, communities emerge).

Differently from the base protocol, that has been designed for the RWM model, we can actually leverage this behavior in the design of the capture detection protocol for a realistic mobile environment. In fact, we expect that the capture detection protocol would have better performances if we were able to let the nodes track the other nodes that they meet with higher frequencies, instead of just any K out of the N nodes.
In general, this improvement can lead to a more efficient protocol (lower number of node-missing alarm) or to a more effective protocol (lower detection time). As the communities cannot be always predicted (e.g. by the network administrator), we would also like that the nodes autonomously discover who are the nodes that they meet with higher frequency. Furthermore, a nice property of the protocol would be for the node to adapt its set of tracked nodes in the case that the mobility pattern changes.

With all these observations as a rationale, we design the Adaptive protocol. The aim of this protocol is that while the time goes by, the K nodes that a node is tracking are the K better nodes for it to be tracked, i.e. out of the N nodes, the K nodes for which it does not raise node-missing alarm. The behaviour of the Adaptive protocol can be summarized as follows:

• Node a starts tracking the first K nodes it meets (the first selection of the tracked nodes is as for the Base protocol).
• When a raises a node-missing alarm for a node, say b, while b actually proves its presence, a stops tracking node b and starts tracking the next node it meets.

As an enhancement to this protocol, we let the nodes use some memory slots to silently track nodes. We will refer to such type of slots as Silent Memory Slots (SMSs). In particular, a node a uses these slots as follows:

• The SMSs are populated as for the regular tracking slot, considering the IDs of the first nodes that a meets.
• For each node in the SMSs, node a keeps note of the number of meetings (normalized for a time unit). In the following, we refer to such statistical value as the score.
• When node a raises a node-missing alarm for a node, say b, that actually proves its presence, the next node to be tracked is not chosen as the first newly encountered node. Instead, the next node to be tracked is the first in the SMSs list. Note that we consider the SMSs list ordered based on the scores. In this way, node a will track the nodes that it met with higher frequency; intuitively, the best one to be tracked among the nodes a has in the SMSs.
• At regular time-intervals (a protocol parameter), a removes from its SMSs the node with the lower score, and puts in the next node it meets.

4.5 The AdaBo Protocol

On one hand, the Booking protocol aims to guarantee that all the nodes (including the isolated ones) are tracked. However, its efficiency could be questionable. On the other hand, the Adaptive protocol aims to let each node be efficiently tracked while not giving the guarantee provided by the Booking protocol. In this section, we describe the AdaBo protocol that gives the guarantee of the Booking protocol—i.e. that all the nodes are tracked—while being quite efficient. Further, optimizations are also introduced.

[Figure 2. AdaBo protocol: booking token exchange proposal. Each node's memory has a booking part (one slot) and an adaptive part (only SMSs); a meets d: a proposes to exchange token for b with token for c.]

The simple idea we start from is to dedicate: (i) part of the node's memory slot to be managed according to the Booking protocol; (ii) the remaining portion of the node's memory to be managed according to the Adaptive protocol.

As for the number of memory slots to be dedicated to the Booking protocol, we just observe that for each node a, having one other node to track it is enough to guarantee that every node is tracked by at least one node. Indeed, for any captured node there will be a node detecting the capture and raising the corresponding node-missing alarm. As a result, we need that each node tracks in booking mode just one other node to have the above property holding.
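
The slot management of the Adaptive protocol from Section 4.4, including the Silent Memory Slots, as an added example rather than the authors' code. The class and method names, the event log, and the score normalisation (meetings divided by the time the peer has spent in the SMSs) are assumptions of this example.

```python
class AdaptiveNode:
    """Tracking memory of one node: K regular slots plus Silent Memory Slots."""

    def __init__(self, k, sms_size):
        self.k, self.sms_size = k, sms_size
        self.tracked = []   # regular slots: time-outs and alarms apply to these
        self.sms = {}       # silent slots: peer -> [meetings, time of entry]

    def score(self, peer, now):
        # Meetings per time unit. Normalising by the time spent in the SMSs
        # is an assumption; the paper only says "normalized for a time unit".
        meetings, since = self.sms[peer]
        return meetings / max(now - since, 1)

    def on_meeting(self, peer, now):
        if peer in self.tracked:
            return                      # handled by the regular time-out logic
        if peer in self.sms:
            self.sms[peer][0] += 1      # silent statistics only, no alarms
        elif len(self.tracked) < self.k:
            self.tracked.append(peer)   # first K nodes met, or a vacated slot
        elif len(self.sms) < self.sms_size:
            self.sms[peer] = [1, now]

    def on_false_alarm(self, peer, now):
        """peer proved its presence after our alarm: stop tracking it and
        promote the best-scoring silent entry, if there is one."""
        self.tracked.remove(peer)
        if not self.sms:
            return None                 # slot is filled by the next node met
        best = max(self.sms, key=lambda p: self.score(p, now))
        del self.sms[best]
        self.tracked.append(best)
        return best

    def refresh(self, now):
        """Periodic step: evict the lowest-scoring silent entry; the freed
        slot is taken by the next untracked node met."""
        if not self.sms:
            return None
        worst = min(self.sms, key=lambda p: self.score(p, now))
        del self.sms[worst]
        return worst


# Constructed event log for one node: (kind, time, peer).
EVENTS = [("meet", 1, 10), ("meet", 2, 11), ("meet", 3, 12), ("meet", 4, 13),
          ("meet", 6, 12), ("meet", 7, 10), ("meet", 9, 12), ("meet", 10, 14),
          ("false_alarm", 13, 11), ("meet", 14, 14), ("meet", 16, 14),
          ("meet", 18, 14), ("refresh", 20, None), ("meet", 21, 15)]


def replay(events, k=2, sms_size=2):
    """Apply the events to a fresh node; return the node and a decision log."""
    node, log = AdaptiveNode(k, sms_size), []
    for kind, now, peer in events:
        if kind == "meet":
            node.on_meeting(peer, now)
        elif kind == "false_alarm":
            log.append(("promoted", node.on_false_alarm(peer, now)))
        else:
            log.append(("evicted", node.refresh(now)))
    return node, log


if __name__ == "__main__":
    node, log = replay(EVENTS)
    print("tracked:", node.tracked, "silent:", sorted(node.sms), "log:", log)
```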

For ease of exposition, in the results presented in Section 5 we will consider the AdaBo protocol where just one memory slot is dedicated to the booking approach. In this section, we refer to the example of Figure 2.

As pointed out in Section 4.3, the booking approach does not leverage the communities. That is, it does not aim to efficiently assign the tracking of a node a, to the best node that can track it—e.g. the node that meets a with higher frequency. We further observed (Section 4.2) that for a node a, tracking the first node that it meets, is a naïve choice to leverage communities. In the AdaBo protocol, we optimize the way the booking part of the memory is used. In particular, all the memory dedicated by the AdaBo to the adaptive approach will be considered as SMSs. The information about nodes in SMSs will be used to optimize the booking part—allowing nodes to exchange the nodes they are tracking in booking.

AdaBo protocol can be described as follows:

• Initialization. First, we let each node start having in booking the token—i.e. the ID—of itself. Of course, this is done just as a set-up choice. The node will not actually track itself—there would be no utility in doing it as the node should detect the capture of itself. Furthermore, we assign to each node a maximum number of available token exchanges it can be part of. When the protocol starts each node has not participated in any exchange yet.
  Each node uses all the memory dedicated to the adaptive approach in the silent mode (Section 4.4)—i.e. just keeping note of the number of meetings over a time unit for the nodes in this memory.
• Start-up. We give to the nodes a set-up time-interval (that is a protocol parameter) during which the nodes just collect statistics of the meetings with other nodes (for the score in the SMSs). No node-missing alarms are raised in this time-interval; no token exchanges are made as well.
  As soon as the set-up time expires, each node will try to pass on the token it holds (referred to itself) to the node in the SMSs with higher score—the node it met more frequently. The token exchanges occur based on node meeting and one-hop communication only. That is, in this case the exchange will be done as soon as the node meets its first node in the SMSs, c. Note that in this case the node's aim is to be tracked by some other node.
• Iterated step. After the first token exchange (previous point), the node, say a, continues improving the quality of its tracking; that is, to track the best node it can track, from the score point of view—let c be this node. Note that, as a consequence of the previous exchanges, this condition can not yet hold for all the nodes just after the first exchange. Furthermore, this condition can also be unachievable for some node a: this happens either if (i) a never meets the node that is having c in booking; or, (ii) the node that is tracking c in booking is not available for the token-exchange, accordingly with the evaluation described in the following. Despite this, the node a tries to reach its final (potential) target (tracking the node with the highest score in its SMSs) in a greedy way: as soon as it has the chance to improve the quality of its tracking, a attempts to improve it.
  For example, assume node a meets node d, that it is currently tracking node c. Assume that a checks that it can track the node c with higher performance when compared to the quality of the tracking of node b that is currently booking (a checks that it is having with c a higher number of meetings compared to the meetings with b). In this case, node a proposes to the node d to exchange the tokens—i.e. the IDs—of the nodes they are respectively tracking in booking.
Whether the exchange actually succeeds depends on node d. In particular, on whether node d will decrease the performance over the booked node. To evaluate this, node d checks, for the currently booked node c, its score value (if any; a node in booking is not necessarily also in the SMSs). If a node proposed for the exchange (c or b) is not in d's SMSs, it is assigned score = −∞. Finally, node d will agree to the exchange iff: score(c) ≥ score(b). Note that, if node d has neither c nor b in its SMSs, the previous equation accounts for d helping a improve its tracking performance. Finally, observe that whenever an exchange happens, the exchange counters of both a and d are incremented. Also, note that if a node has reached the maximum number of exchanges it can participate in, it will not be able to propose exchanges.

In the AdaBo protocol we also consider an improvement on the way a node sends the node-missing alarm. That is, assume a time-out λ relative to node b is expiring on node a. Node a, before flooding the network with a node-missing alarm for b, will ask the nodes it meets in the last small time-interval γ of λ whether they can prove to it the presence of b within the last λ time-interval. If the latter is the case, a will update b's presence with the time just proved to it. Otherwise, as happens for all the other presented protocols, a will flood the network with a node-missing alarm relative to the capture of node b.

We observe that for the described solution the following problems could arise. If a node is captured while it holds its own token, no one will detect its capture. Such a problem could be solved by considering one more booking slot (used only for the set-up time-interval) where IDs in booking are assigned by the network administrator in such a way that each node does not have its own token. After the set-up time—i.e.
after the nodes have given the token referring to themselves to some other nodes—this second booking slot can be used as SMSs.

A similar problem can also be found if we want to deploy more nodes at subsequent times. A solution similar to the one just described for the initial phase can be used. In this case, an undesirable property will hold: the new set of deployed nodes would be considered as an independent network itself. That is, at the time of the new deployment, a node belonging to the set of newly deployed nodes will be tracked just by nodes from the same set. However, note that as soon as the newly deployed nodes meet the previously deployed ones, the former will exchange tokens with the latter, so removing the initial undesired property. However, if a single node is deployed alone, we should use some other mechanism; e.g. the BS could communicate with a node already in the network to exchange the booking token with the newcomer.

Finally, note that we described our solution privileging ease of exposition. However, the proposed solution could also address the problem of changes in mobility patterns. Such changes in mobility patterns can be captured by the proposed protocol by re-running the start-up phase at regular time-intervals. We leave as future work a detailed investigation of this issue, together with an assessment of the efficiency of such mechanisms.

5 Simulations and Discussion

In this section, we present the results of the simulations that we made in order to assess the performance of the proposed solution. In particular, the main aim of the simulation has been to investigate the protocol effectiveness (i.e. the detection time) versus the protocol efficiency (i.e. the cost in terms of messages). Furthermore, we also investigated the false negative rate of the different protocols presented in Section 4.
We point out that our protocols do not have false positives. In fact, assume that node a floods the network with a node-missing alarm related to node b while b is actually within the network—we assume in this case b can communicate with the other network nodes. In our protocols, b has δ seconds to prove its presence: δ accounts for the propagation time of both (i) the node-missing message sent by a; and, (ii) the presence proving message sent by b. Hence, on the one hand, if node b can not be reached by the flooded node-missing alarm it means b is isolated from the other nodes: it is correctly considered as captured, indeed. On the other hand, if it is reached by the node-missing alarm, it can prove its presence—preventing false positives from occurring.

We implemented a simulator of our protocols that takes as input a trace of node mobility—every node meeting is described by the pair of participating node IDs and the time of the meeting. We ran multiple simulations of the protocols we proposed in Section 4. We used as input traces derived from the mobility traces collected at INFOCOM 2005 [29]. We describe the traces in Section 5.1. The settings of the simulation are described in Section 5.2. Finally, the simulation results are presented in Section 5.3.

5.1 Real Traces

The traces considered in our simulation have been obtained from the mobility traces collected during the INFOCOM 2005 Conference [29]. Information for the traces in [29] has been gathered using Bluetooth devices distributed to 41 people attending the conference. In particular, we are interested in the mobility and the social interaction between people during the daylight. Thus, we selected from these traces the events within the 73,000th second and the 115,000th second.
Then, we removed: (i) the events related to Bluetooth devices not explicitly involved in the experiment (that is, devices not assigned by the experiment organizer [29]); and, (ii) events related to devices involved in the experiment but not reporting any meeting in the selected time-interval (nodes with IDs 21 and 41). The resulting traces have 39 nodes. To run extensive simulations, we considered 10 times the subsequent repetition of the obtained events. This choice is motivated by the fact that nodes of social networks tend to repeat their mobility pattern. The resulting traces consist of 420,000 seconds of events. Finally, we assume that the events in the traces are symmetric: if node a meets node b (that is, node a knows it is in the communication range of node b), then node b meets a too. Observe that the resulting traces we used in our simulation still maintain the characteristics of a social network: they show a power-law inter-meeting time.

5.2 Simulation Setting

We simulated different node captures, varying the captured node and the capture time. In particular, starting from 100,000 seconds after the network deployment, we have considered the events split in 13 intervals of 6 hours each. For each of the 39 nodes in the traces, we simulated the capture at the beginning of each of these intervals. In other words, the first capture is simulated at 100,000 seconds from the network deployment, and the last capture is simulated at 359,200 seconds from the network deployment (12 · 6 hours later). This results in a total of 507 simulated captures for every combination of the protocol and λ chosen. For every simulation, we ran the protocol and measured the detection time and the number of messages sent from the nodes in the network.
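The cooperative node-missing alarm of Section 4.5, replayed over a meeting trace in the (time, node, node) form the simulator takes as input; this is an added sketch, not the authors' simulator. The trace and parameter values are constructed, and two modelling choices are assumptions: every node remembers when it last met the target, and an uncaptured target always answers a flooded alarm within δ.

```python
"""Replay a meeting trace through the cooperative node-missing alarm (sketch)."""

# Constructed trace of symmetric meetings: (time in seconds, node, node).
TRACE = [
    (10, "a", "b"),   # tracker a meets its booked node b
    (60, "b", "c"),
    (90, "a", "c"),   # inside the last gamma of a's time-out: c can vouch for b
    (140, "b", "c"),
    (150, "a", "c"),
    (220, "b", "c"),  # after the capture: dropped by the simulation
    (230, "a", "c"),
    (300, "a", "c"),
]


def simulate(trace, tracker, target, lam, gamma, capture_time, end_time):
    """Return the alarm time that detects the capture and the tracker's costs.

    Assumptions of this sketch: every node remembers when it last met the
    target, and an uncaptured target always answers a flooded alarm in time.
    gamma = 0 disables the cooperation step.
    """
    last_met = {}  # helper node -> last time it met the target
    seen = 0       # tracker's latest evidence of the target (deployment = 0)
    stats = {"detected_at": None, "queries": 0, "answered_alarms": 0}

    def expire(until):
        """Fire every time-out that elapses up to `until`; True on detection."""
        nonlocal seen
        while seen + lam <= until:
            alarm = seen + lam
            if alarm >= capture_time:      # nobody can prove presence
                stats["detected_at"] = alarm
                return True
            stats["answered_alarms"] += 1  # flood answered by a presence claim
            seen = alarm
        return False

    detected = False
    for t, u, v in sorted(trace):
        if expire(t):
            detected = True
            break
        if target in (u, v):
            if t >= capture_time:
                continue                   # a captured node meets nobody
            other = v if u == target else u
            last_met[other] = t
            if other == tracker:
                seen = t
        elif tracker in (u, v) and t >= seen + lam - gamma:
            # Last gamma seconds of the time-out: ask the met node for proof.
            helper = v if u == tracker else u
            stats["queries"] += 1
            proof = last_met.get(helper)
            if proof is not None and proof > seen:
                seen = proof               # time-out restarts from the proof
    if not detected:
        expire(end_time)
    return stats


def compare(lam=100, gamma=30, capture_time=200):
    """Run the same capture with and without the cooperation window."""
    args = (TRACE, "a", "b", lam)
    return {
        "cooperative": simulate(*args, gamma, capture_time, end_time=400),
        "plain": simulate(*args, 0, capture_time, end_time=400),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

On this constructed trace the cooperation window replaces one flooded alarm with three one-hop queries, at the price of a later detection, which is the cost versus detection-time trade-off the simulations measure.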
In the simulation results, we count the number of messages sent by the nodes when a node-missing alarm or a presence-claim is broadcast. Moreover, in the AdaBo protocol we count the messages sent when two nodes exchange their tokens, and the messages sent when a node asks for cooperation in the last small time-interval γ of λ before sending a capture alarm. As we do not want the set-up phase to influence the evaluation of the general cost of the protocol (which in practice could last more than the simulated time), we start measuring the performance of the protocols from the 84,000th second onwards. That is, the messages sent before the 84,000th second are not considered in the final mean value of sent messages.

Note that we assume that a node becomes aware of the nodes that are in its communication range thanks to the communication activity of the nodes, or thanks to the control messages of the network; in the case of the INFOCOM traces, the Bluetooth protocol. Thus, we do not consider the communication activity for the meeting event as an overhead of the capture detection protocol.

As for the number of memory slots used by the protocols, we considered a small value because we observed that increasing the number of tracked nodes would just lead to a higher protocol overhead while not improving the protocol performance in terms of detection. This characterization is common to all the protocols we considered in this work. Furthermore, we observe that using a small value for memory slots is particularly suitable for resource-constrained devices like sensor networks. In particular, we used one slot for the tracked node, and 5 slots for the SMSs of the Adaptive and AdaBo protocols.

In the simulation performed for the AdaBo protocol, the nodes start exchanging their tokens after 42,000 seconds from the network deployment.
Furthermore, a node can propose a token exchange with another node if its exchange counter is not greater than 3. The time-interval γ during which a node asks for cooperation before sending a node-missing alarm is equal to 3,600 seconds.

5.3 Protocol Overall Performance

In Figure 3, we plot the results of the simulations: the mean of the messages sent by each node per hour (y-axis) for multiple resulting detection times (x-axis). Each point is obtained as the mean of the results of 507 simulations executed for each specific protocol and a fixed λ. In particular, for each protocol we report the results for 6 different values of λ: 12,600, 14,400, 16,200, 18,000, 19,800, and 23,400 seconds.

[Figure 3. INFOCOM traces: Cost vs. Detection. x-axis: Detection Time (s); y-axis: Messages per hour; series: AdaBo, Adaptive, Base, Benchmark, Booking.]

We observe that the Benchmark protocol has the worst performance with respect to the other simulated protocols. In fact, once a desired detection time is chosen, it requires the higher number of messages per hour. For example, given a detection time equal to 12,000 seconds, each node has to send almost 12 messages per hour. Meanwhile, the other protocols send about 5.2 messages per hour in the worst case (i.e. the Booking protocol). Note that the protocols we implemented, that is, the AdaBo, the Adaptive, the Base, and the Booking protocols, all leverage the meeting events to detect a node capture. This confirms our intuition that mobility and social ties can be leveraged to increase the performance of the protocols used in the network.

A fair comparison between the AdaBo, the Adaptive, the Base, and the Booking protocols can be made by dividing these protocols into two classes:

• first class. AdaBo and the Booking protocols.

• second class. Adaptive and the Base protocols.
The protocols in the first class guarantee that all the nodes of the network are monitored. The protocols in the second class do not guarantee that all the nodes of the network are monitored. When a protocol of the first class is used, we can always detect a node capture. When a protocol of the second class is used, instead, it is possible that a node capture goes undetected. That is, a false negative can occur. Because there is no first class protocol that has better performance than the ones in the second class, there is no protocol without false negatives and with performance better than the others. Thus, assuming that the network administrator can not tolerate false negative detection, she has to adopt a protocol of the first class; otherwise, she can use a protocol of the second class, depending on the number of false negatives the network can bear (discussed later). From the results reported in Figure 3, we can observe that the property of the first class protocols, that is, to guarantee that all the nodes are tracked, comes at the price of more messages sent. In fact, the AdaBo and the Booking protocols, contrary to the Adaptive and the Base protocols, monitor all the nodes in the network. Consequently, they also monitor the isolated nodes, even if these isolated nodes cause a high number of node-missing alarms.

In the Booking protocol, we assume that the network administrator decides for every node the ID of the other node it is going to track. In particular, in our simulation the node with ID i monitors the node with ID i + 1 modulo 39. Figure 3 also shows that, between the two protocols of the first class, the AdaBo has better performance than the Booking one. We remind the reader that the Booking protocol, differently from the AdaBo one, does not leverage the communities to optimize the node tracking.
The results support our thesis that the social characteristics of the networks can be leveraged to increase the protocols' performance.

Comparing the protocols of the second class, the Base and the Adaptive ones, the Adaptive is better than the Base protocol from two points of view. In the first place, from the point of view of the performance. In fact, in Figure 3 we can see that, for a fixed capture detection time, in the Adaptive protocol the number of messages sent per hour is lower than in the Base protocol. In the second place, from the point of view of the false negative percentage. Indeed, from our simulation results, we observed that the mean of the false negatives of the Base protocol over all the simulations is about 43.6%, while the mean of the Adaptive protocol is about 42.9%. Thus, the Adaptive protocol not only has better performance with respect to the Base one, but it also has a lower percentage of false negatives.

6 Conclusions

In this paper we have shown that it is possible to leverage both node mobility and communities of nodes that naturally emerge in mobile networks to enforce security properties. In particular, we have designed two classes of protocols that take into consideration realistic mobility models to thwart the node capture attack. The first class of protocols provides the monitoring of all the nodes in the network, sacrificing some efficiency, while the second one releases the control on isolated nodes, achieving efficiency gains. The proposed protocols have been tested on real traces, and the results confirmed our intuition: protocols leveraging emergent social ties provide better performance than protocols leveraging mobility only. To the best of our knowledge, this is the first result in the area and could open up a vein of research aimed at combining mobility and emergent social ties in mobile networks to enforce security properties.
References

[1] CRAWDAD: A Community Resource for Archiving Wireless Data At Dartmouth. http://crawdad.cs.dartmouth.edu/, 2009.
[2] J. Broch, D. A. Maltz, D. B. Johnson, Y.-C. Hu, and J. Jetcheva. A performance comparison of multi-hop wireless ad hoc network routing protocols. In MobiCom '98, pages 85–97, 1998.
[3] S. Capkun, J.-P. Hubaux, and L. Buttyán. Mobility helps security in ad hoc networks. In MobiHoc '03, pages 46–56, 2003.
[4] A. Chaintreau, A. Mtibaa, L. Massoulie, and C. Diot. The diameter of opportunistic mobile networks. In CoNEXT '07, pages 1–12, 2007.
[5] M. C. Chuah. Social network aided multicast delivery scheme for human contact-based networks. In SIMPLEX '09, pages 1–6, 2009.
[6] M. Conti, R. Di Pietro, A. Gabrielli, L. V. Mancini, and A. Mei. The quest for mobility models to analyse security in mobile ad hoc networks. In WWIC '09, pages 85–96, 2009.
[7] M. Conti, R. Di Pietro, L. V. Mancini, and A. Mei. Emergent properties: Detection of the node-capture attack in mobile wireless sensor networks. In WiSec '08, pages 214–219, 2008.
[8] M. Conti, R. Di Pietro, L. V. Mancini, and A. Mei. Mobility and cooperation to thwart node capture attacks in manets. Wireless Communications and Networking (EURASIP), 2009.
[9] E. M. Daly and M. Haahr. Social network analysis for routing in disconnected delay-tolerant manets. In MobiHoc '07, pages 32–40, 2007.
[10] R. Di Pietro, L. V. Mancini, and A. Mei. Energy efficient node-to-node authentication and communication confidentiality in wireless sensor networks. Wireless Networks, 12(6):709–721, 2006.
[11] C. fan Hsin and M. Liu. A distributed monitoring mechanism for wireless sensor networks. In WiSe '02, pages 57–66, 2002.
[12] C. fan Hsin and M. Liu. Self-monitoring of wireless sensor networks. Computer Communications (Elsevier), 29(4):462–476, 2006.
[13] M. Grossglauser and M. Vetterli. Locating nodes with EASE: last encounter routing in ad hoc networks through mobility diffusion. In INFOCOM '03, pages 1954–1964, 2003.
[14] N. Hayashibara, A. Cherif, and T. Katayama. Failure detectors for large-scale distributed systems. In SRDS '02, pages 404–409, 2002.
[15] C. Hua and R. Zheng. Starvation modeling and identification in dense 802.11 wireless community networks. In INFOCOM '08, pages 1022–1030, 2008.
[16] D. Huang, M. Mehta, D. Medhi, and L. Harn. Location-aware key management scheme for wireless sensor networks. In SASN '04, pages 29–42, 2004.
[17] P. Hui, A. Chaintreau, J. Scott, R. Gass, J. Crowcroft, and C. Diot. Pocket switched networks and human mobility in conference environments. In WDTN '05, pages 244–251, 2005.
[18] E. Hyytiä, P. Lassila, and J. Virtamo. Spatial node distribution of the random waypoint mobility model with applications. IEEE Transactions on Mobile Computing, 5(6):680–694, 2006.
[19] A. Iamnitchi, M. Ripeanu, and I. Foster. Small-world file-sharing communities. In INFOCOM '03, pages 952–963, 2003.
[20] Information Processing Technology Office (IPTO) Defense Advanced Research Projects Agency (DARPA). BAA 07-46 LANdroids Broad Agency Announcement. http://www.darpa.mil/IPTO/solicit/open/BAA-07-46_PIP.pdf, 2007.
[21] C. Kuo, A. Studer, and A. Perrig. Mind your manners: Socially appropriate wireless key establishment for groups. In WiSec '08, pages 125–130, 2008.
[22] J. Luo and J.-P. Hubaux. Joint mobility and routing for lifetime elongation in wireless sensor networks. In INFOCOM '05, pages 1735–1746, 2005.
[23] M. H. Manshaei, J. Freudiger, M. Felegyhazi, P. Marbach, and Jean-Pierre Hubaux. On wireless social community networks. In INFOCOM '08, pages 1552–1560, 2008.
[24] L. Orecchia, A. Panconesi, C. Petrioli, and A. Vitaletti. Localized techniques for broadcasting in wireless sensor networks. In DIALM-POMC '04, pages 41–51, 2004.
[25] A. Perrig, J. Stankovic, and D. Wagner. Security in wireless sensor networks. Communications of ACM, 47(6):53–57, 2004.
[26] C. Piro, C. Shields, and B. N. Levine. Detecting the sybil attack in mobile ad hoc networks. In SecureComm '06, pages 1–11, 2006.
[27] S. Ranganathan, A. D. George, R. W. Todd, and M. C. Chidester. Gossip-style failure detection and distributed consensus for scalable heterogeneous clusters. Cluster Computing (Springer), 4(3):197–209, 2001.
[28] G. Resta and P. Santi. An analysis of the node spatial distribution of the random waypoint mobility model for ad hoc networks. In POMC '02, pages 44–50, 2002.
[29] J. Scott, R. Gass, J. Crowcroft, P. Hui, C. Diot, and A. Chaintreau. Crawdad data set cambridge/haggle (v. 2006-01-31). http://crawdad.cs.dartmouth.edu/cambridge/haggle/imote/infocom, 2006.
[30] J. P. G. Sterbenz, R. Krishnan, R. R. Hain, A. W. Jackson, D. Levin, R. Ramanathan, and J. Zao. Survivable mobile wireless networks: issues, challenges, and research directions. In WiSe '02, pages 31–40, 2002.
[31] K. Sun, P. Ning, and C. Wang. Fault-tolerant cluster-wise clock synchronization for wireless sensor networks. IEEE Transactions on Dependable and Secure Computing, 2(3):177–189, 2005.
[32] P. Tague and R. Poovendran. Modeling adaptive node capture attacks in multi-hop wireless networks. Ad Hoc Network (Elsevier), 5(6):801–814, 2007.
[33] P. Tague, D. Slater, J. Rogers, and R. Poovendran. Vulnerability of network traffic under node capture attacks using circuit theoretic analysis. In INFOCOM '08, pages 161–165, 2008.
[34] J. Tang, M. Musolesi, C. Mascolo, and V. Latora. Temporal distance metrics for social network analysis. In WOSN '09, pages 31–36, 2009.
[35] B. Williams and T. Camp. Comparison of broadcasting techniques for mobile ad hoc networks. In MobiHoc '02, pages 194–205, 2002.
[36] J. Yoon, M. Liu, and B. Noble. Random waypoint considered harmful. In INFOCOM '03, pages 1312–1321, 2003.