- Research Article
- Open Access

# Probabilistic Localization and Tracking of Malicious Insiders Using Hyperbolic Position Bounding in Vehicular Networks

- Christine Laurendeau
^{1}Email author and - Michel Barbeau
^{1}

**2009**:128679

https://doi.org/10.1155/2009/128679

© C. Laurendeau and M. Barbeau. 2009

**Received:**12 December 2008**Accepted:**1 April 2009**Published:**24 May 2009

## Abstract

A malicious insider in a wireless network may carry out a number of devastating attacks without fear of retribution, since the messages it broadcasts are authenticated with valid credentials such as a digital signature. In attributing an attack message to its perpetrator by localizing the signal source, we can make no presumptions regarding the type of radio equipment used by a malicious transmitter, including the transmitting power utilized to carry out an exploit. Hyperbolic position bounding (HPB) provides a mechanism to probabilistically estimate the candidate location of an attack message's originator using received signal strength (RSS) reports, without assuming knowledge of the transmitting power. We specialize the applicability of HPB into the realm of vehicular networks and provide alternate HPB algorithms to improve localization precision and computational efficiency. We extend HPB for tracking the consecutive locations of a mobile attacker. We evaluate the localization and tracking performance of HPB in a vehicular scenario featuring a variable number of receivers and a known navigational layout. We find that HPB can position a transmitting device within stipulated guidelines for emergency services localization accuracy.

## Keywords

- Location Error
- Receive Signal Strength
- Vehicular Network
- Simulation Grid
- Receiver Pair

## 1. Introduction

Insider attacks pose an often neglected threat scenario when devising security mechanisms for emerging wireless technologies. For example, traffic safety applications in vehicular networks aim to prevent fatal collisions and preemptively warn drivers of hazards along their path, thus preserving numerous lives. Unmitigated attacks upon these networks stand to severely jeopardize their adoption and limit the scope of their deployment.

The advent of public key cryptography, where a node is authenticated through the possession of a public/private key pair certified by a trust anchor, has addressed the primary threat posed by an outsider without valid credentials. But a vehicular network safeguarded through a Public Key Infrastructure (PKI) is only as secure as the means implemented to protect its member nodes' private keys. An IEEE standard has been proposed for securing vehicular communications in the Dedicated Short Range Communications Wireless Access in Vehicular Environments (DSRC/WAVE) [1]. This standard advocates the use of digital signatures to secure vehicle safety broadcast messages, with tamper proof devices storing secret keys and cryptographic algorithms in each vehicle. Yet a convincing body of existing literature questions the resistance of such devices to a motivated attacker, especially in technologies that are relatively inexpensive and readily available [2, 3]. In the absence of strict distribution regulations, for example, if tamper proof devices for vehicular nodes are available off the shelf from a neighborhood mechanic, a supply chain exists for experimentation with these devices for the express purpose of extracting private keys. The National Institute of Standards and Technology (NIST) has established a certification process to evaluate the physical resistance of cryptographic processors to tampering, according to four security levels [4]. However, tamper resistance comes at a price. High end cryptographic processors certified at the highest level of tamper resistance are very expensive, for example, an IBM 4764 coprocessor costs in excess of 8000 USD [5]. Conversely, lower end tamper evident cryptographic modules, such as smartcards, feature limited mechanisms to prevent cryptographic material disclosure or modification and only provide evidence of tampering after the fact [6]. The European consortium researching solutions in vehicular communications security, SeVeCom, has highlighted the existence of a gap in tamper resistant technology for use in vehicular networks [7]. While low end devices lack physical security measures and suffer from computational performance issues, the cost of high end modules is prohibitive. The gap between the two extremes implies that a custom hardware and software solution is required, otherwise low end devices may be adopted and prove to be a boon for malicious insiders.

Vehicle safety applications necessitate that each network device periodically broadcast position reports, or *beacons*. A malicious insider generating false beacons whose digital signature is verifiable can cause serious accidents and possibly loss of life. Given the need to locate the transmitter of false beacons, we have put forth a mechanism for attributing a wireless network insider attack to its perpetrator, assuming that a malicious insider is unlikely to use a digital certificate linked to its true identity. Any efforts to localize a malicious transmitter must assume that an attacker may willfully attempt to evade detection and retribution. As such, only information that is revealed outside a perpetrator's control can be utilized. A number of existing wireless node localization schemes translate the radio signal received signal strength (RSS) at a set of receivers into approximated transmitter-receiver (T-R) distances, in order to position a transmitter. However, these assume that the effective isotropic radiated power (EIRP) used by the signal's originator is known. While this presumption may be valid for the location estimation of reliable and cooperative nodes, a malicious insider may transmit at unexpected EIRP levels in order to mislead localization efforts and obfuscate its position. Our hyperbolic position bounding (HPB) algorithm addresses a novel threat scenario in probabilistically delimiting the candidate location of an attack message's originating device, assuming neither the cooperation of the attacker nor any knowledge of the EIRP [8]. The RSS of an attack message at a number of trusted receivers is employed to compute multiple hyperbolic areas whose intersection contains the source of the signal, with a degree of confidence.

We demonstrate herein that the HPB mechanism is resistant to varying power attacks, which are a known pitfall of RSS-based location estimation schemes. We present three variations of HPB, each with a different algorithm for computing hyperbolic areas, in order to improve computational efficiency and localization granularity. We extend HPB to include a mobile attacker tracking capability. We simulate a vehicular scenario with a variable number of receiving devices, and we evaluate the performance of HPB in both localizing and tracking a transmitting attacker, as a function of the number of receivers. We compare the HPB performance against existing location accuracy standards in related technologies, including the Federal Communications Commission (FCC) guidelines for localizing a wireless handset in an emergency situation.

Section 2 reviews existing work in vehicular node location determination and tracking. Section 3 outlines the HPB mechanism in its generic incarnation. Section 4 presents three flavours of the HPB algorithm for localizing and tracking a mobile attacker. Section 5 evaluates the performance of the extended HPB algorithms. Section 6 discusses the simulation results obtained. Section 7 concludes the paper.

## 2. Related Work

A majority of wireless device location estimation schemes presume a number of constraints that are not suitable for security scenarios. We outline these assumptions and compare them against those inherent in our HPB threat model in [9]. For example, a number of publications related to the location determination of vehicular devices focus on self-localization, where a node seeks to learn its own position [10, 11]. Although the measurements and information provided to these schemes are presumed to be trustworthy, this assumption does not hold for finding an attacker invested in avoiding detection and eviction from the network.

Some mechanisms for the localization of a vehicular device by other nodes are based on the principle of location verification, where a candidate position is proposed, and some measured radio signal characteristic, such as time of flight or RSS, is used to confirm the vehicle's location. For example, in [12, 13], Hubaux et al. adapt Brands and Chaum's distance bounding scheme [14] for this purpose. Yet a degree of cooperation is expected on the part of an attacker for supplying a position. Additionally, specialized hardware is necessary to measure time of flight, including nanosecond-precision synchronized clocks and accelerated processors to factor out relatively significant processing delays at the sender and receiver. Xiao et al. [15] employ RSS values for location verification but they assume that all devices, including malicious ones, use the same EIRP. An attacker with access to a variety of radio equipment is unlikely to be constrained in such a manner.

Location verification schemes for detecting false position reports may be beacon based or sensor based. Leinmüller et al. [16] filter beacon information through a number of plausibility rules. Because each beacon's claimed position is corroborated by multiple nodes, consistent information is assumed to be correct, based on the assumption of an honest majority of network devices. This presumption leaves the scheme vulnerable to Sybil attacks [17]. If a rogue insider can generate a number of Sybil identities greater than the honest majority, then the attacker can dictate the information corroborated by a *dishonest majority* of virtual nodes. In ensuring a unique geographical location for a signal source, our HPB-based algorithms can detect a disproportionate number of colocated nodes.

Tang et al. [18] put forth a sensor-based location verification mechanism, where video sensors, such as cameras and RFID readers, can identify license plates. However, cameras perform suboptimally when visibility is reduced, for example, at night or in poor weather conditions. This scheme is supported by PKI-based beacon verification and correlation by an honest majority, which is also vulnerable to insider and Sybil attacks. Another sensor-based mechanism is suggested by Yan et al. [19], using radar technology for local security and the propagation of radar readings through beacons on a global scale. Again, an honest majority is assumed to be trustworthy for corroborating the beacons, both locally and globally.

Some existing literature deals explicitly with mobile device tracking, including the RSS-based mechanisms put forth by Mirmotahhary et al. [20] and by Zaidi and Mark [21]. These presume a known EIRP and require a large number of transmitted messages so that the signal strength variations can be filtered out.

## 3. Hyperbolic Position Bounding

The log-normal shadowing model predicts a radio signal's large-scale propagation attenuation, or *path loss*, as it travels over a known T-R distance [22]. The variations in signal strength experienced in a particular propagation environment, also known as the *signal shadowing*, behave as a Gaussian random variable with mean zero and a standard deviation obtained from experimental measurements. In this model, the path loss over T-R distance
is computed as

where is a predefined reference distance close to the transmitter, is the average path loss at the reference distance, and is a path loss exponent dependent upon the propagation environment. The signal shadowing is represented by a random variable with zero mean and standard deviation .

In [8], we adapt the log-normal shadowing model to estimate a range of T-R *distance differences*, assuming that the EIRP is unknown. The minimum and maximum bounds of the distance difference range between a transmitter and a receiver pair
and
, with confidence level
, are computed as

where is the RSS measured at receiver , represents a dynamically estimated EIRP interval, represents the normal distribution constant associated with a selected confidence level , and is the signal shadowing interval associated with this confidence level. The amount of signal shadowing taken into account in the T-R distance difference range is commensurate with the degree of confidence . For example, a confidence level of , where , encompasses a larger proportion of signal shadowing around the mean path loss than , where . A higher confidence level, and thus a larger signal shadowing interval, translates into a wider range of T-R distance differences.

Hyperbolas are computed at the minimum and maximum bounds, and , respectively, of the distance difference range. The resulting candidate hyperbolic area for the location of a transmitter is situated between the minimum and maximum hyperbolas and contains the transmitter with probability . The intersection of hyperbolic areas computed for multiple receiver pairs bounds the position of a transmitting attacker with an aggregated degree of confidence, as demonstrated in [23].

## 4. Localization and Tracking of Mobile Attackers

We demonstrate that by dynamically computing an EIRP range, we render the HPB mechanism impervious to varying power attacks. We propose three variations of HPB for computing sets of hyperbolic areas and the resulting candidate areas for the location of a transmitting attacker. We also describe our HPB-based approach for estimating the mobility path of a transmitter in terms of location and direction of travel.

### 4.1. Mitigating Varying Power Attacks

The use of RSS reports has been criticized as a suboptimal tool for estimating T-R distances due to their vulnerability to varying power attacks [24]. An attacker that transmits at an EIRP other than the one expected by a receiver can appear to be closer or farther simply by transmitting a stronger or weaker signal. Our HPB-based algorithms are immune to such an exploit, since no fixed EIRP value is expected. Instead, measured RSS values are leveraged to compute a likely EIRP range, as demonstrated in Heuristic 1.

In order for HPB to compute a set of hyperbolic areas between pairs of receivers upon detection of an attack message, a candidate range for the EIRP employed by the transmitting device must be dynamically estimated. We use the RSS values registered at each receiver as well as the log-normal shadowing model captured in (1) for this purpose. The path loss is replaced with its equivalent, the difference between the EIRP and the measured at a given receiver . Our strategy takes the receiver with the maximal RSS as an approximate location for the transmitter and computes the EIRP range a device at those coordinates would need to employ in order for a signal to reach the other receivers with the RSS values measured for the attack message.

We begin by identifying the receiver measuring the maximal RSS for an attack message. Given that this device is likely to be situated in nearest proximity to the transmitter, we deem it the *reference receiver*. For every other receiving device
, we use the log-normal shadowing model to calculate the range of EIRP
that a transmitter would employ for a message to reach
with power RSS_{k}, assuming the transmitter is located at exactly the reference receiver coordinates. The global EIRP range
for the attack message is calculated as the intersection of all receiver-computed ranges
.

Heuristic 1 (EIRP range computation)

where is the Euclidian distance between and , for any .

The estimated EIRP range employed by a transmitter is the intersection of receiver-computed EIRP intervals within which every receiver can reach . Since must be smaller than , we iterate through the ascending ordered sets and , for all , to find a supremum of EIRP values with minimal shadowing that is lower than an infimum of maximal shadowing EIRP values. Assuming the size of is , and thus the size of is , we compute the estimated EIRP range as shown in Pseudocode 1.

The only case where the pseudocode above can fail is if every is greater than every for all , . This is impossible, since (4) and (5) taken together indicate that for any , must be smaller than .

**Pseudocode 1**

7: exit

8: end if

13: exit

14: end if

15: end if

18: end while

The log-normal shadowing model indicates that, for a fixed T-R distance, the expected path loss is constant, albeit subject to signal shadowing, regardless of the EIRP used by a transmitter. Any EIRP variation induced by an attacker translates into a corresponding change in the RSS values measured by all receivers within radio range. As a result, an EIRP range computed with Heuristic 1 incorporates an attacker's power variation and is commensurate with the actual EIRP used, as are the measured RSS reports. The values cancel each other out when computing an HPB distance difference range, yielding constant values for the minimum and maximum bounds of this range, independently of EIRP variations.

Lemma 1 (varying power effect).

Let be the set of all receivers within range of an attack message. Let a probable EIRP range , for this message be computed as set forth in Heuristic 1. Let the distance difference range between a transmitter and receiver pair be calculated according to (2) and (3). Then any increase (or decrease) in the EIRP of a subsequent message influences a corresponding proportional increase (or decrease) in RSS reports, effecting no measurable change in the range of distance differences estimated with a dynamically computed EIRP range.

Proof.

The same logic can be used to demonstrate that .

A varying power attack is thus ineffective against HPB, as the placement of hyperbolic areas remains unchanged.

### 4.2. HPB Algorithm Variations

The HPB mechanism estimates the originating location of a single attack message from a static snapshot of a wireless network topology. Given sufficient computational efficiency, the algorithm executes in near real time to bound a malicious insider's position at the time of its transmission.

Hyperbolic areas constructed from (2) and (3) are used by HPB to compute a candidate area for the location of a malicious transmitter.

Definition 1 (hyperbolic area).

where and are defined in (2) and (3).

A set of hyperbolic areas may be computed according to three different algorithms, depending on the set of receiver pairs considered.

Definition 2 (receiver pair set).

where for all where , and where .

Our original HPB algorithm employs all possible combinations of receiver pairs to compute a set of hyperbolic areas. The intersecting space of the hyperbolic areas yields a probable candidate area for the location of a transmitter.

Algorithm 1 ( : all-pairs algorithm).

The algorithm generates hyperbolic areas for every possible receiver pair, for a total of pairs given receivers, as put forth in Algorithm 1. While this approach works adequately for four receivers, additional receiving devices have the effect of dramatically increasing computation time as well as reducing the success rate due to the accumulated amount of signal shadowing excluded. The HPB execution time is based on the number of hyperbolic areas computed, which in turn is contingent upon the number of receivers. For , receivers locate a transmitter with a complexity of .

An alternate algorithm aims to scale down the computational complexity by reducing the number of hyperbolic areas. We separate the set of all receivers into subsets of size . Each receiver subset computes an intermediate candidate area as the intersection of the hyperbolic areas constructed from all receiver pair combinations within that subset. The final candidate area for a transmitter consists of the intersection of the intermediate candidate areas computed over all receiver subsets.

Algorithm 2 ( : -pair set algorithm).

*r*-

*pair*set algorithm groups receivers in subsets of size , computes intermediate candidate areas for each subset using the all-pairs approach within the subset, and yields an ultimate candidate area for a transmitter as the intersection of the receiver subset intermediate candidate areas. Let be the set of all receivers within range of an attack message. Let represent the disjoint partition of sets of receivers, with the th element of containing the remaining receivers:

For the algorithm, the number of hyperbolic areas depends on the set size as well as the number of receivers . Thus locates a transmitter with a complexity of . For a small value of , for example, , the execution time is proportional to at most .

A third HPB algorithm, the perimeter-pairs variation , is proposed to bound the geographic extent of a candidate area within an approximated transmission range, based on the coordinates of the receivers situated farthest from a signal source. We establish a rudimentary perimeter around a transmitter's estimated radio range, with the logical center of this range calculated as the centroid of all receiver coordinates. The range is partitioned into four quadrants from the center, along two perpendicular axes. Four perimeter receivers are identified as the farthest in each quadrant from the center. Hyperbolic areas are computed between all combinations of perimeter receiver pairs as well as between every remaining nonperimeter receiver and the perimeter receivers in the other three quadrants.

Algorithm 3 ( : perimeter-pairs algorithm).

In terms of complexity, the algorithm is equivalent to . Given receivers and four perimeter receivers such that , executes in time .

The candidate area for the location of a malicious transmitter is computed as the intersection of a set of hyperbolic areas, , , or , determined according to Algorithms 1, 2, or 3.

Definition 3 (candidate area).

*grid candidate area*, where , is defined as the subset of grid points in situated in the intersection of every hyperbolic area computed according to Algorithms , , or :

*vehicular candidate area*, where , is defined as the subset of vehicular layout points in situated in the intersection of every hyperbolic area computed according to Algorithms , , or :

While a candidate area contains a malicious transmitter with probability , the tracking of a mobile device requires a unique point in Euclidian space to be deemed the likeliest position for the attacker. In free space, we can use the centroid of a candidate area, which is calculated as the average of all the coordinates in this area. In a vehicular scenario, we use the road location closest to the candidate area centroid.

Definition 4 (centroids).

### 4.3. Tracking a Mobile Attacker

We extend HPB to approximate the path followed by a mobile attacker, as it continues transmitting. By computing a new candidate area for each attack message received, a malicious node can be tracked using a set of consecutive candidate positions and the direction of travel inferred between these points. We establish a mobility path in our vehicular scenario as a sequence of vehicular layout coordinates over time, along with a mobile transmitter's direction of travel at every point.

Definition 5.

where is an inverse tangent function returning values over the range to take direction into account (as first defined for the Fortran 77 programming language [25]).

In order to approximate the dynamically changing position of an attacker, we discretize the time domain into a series of time intervals . At each discrete , we sample a snapshot of the vehicular network topology consisting of a set of receiving devices and their locations. Our approach is analogous to the discretization phase in digital signal processing, where a continuous analog radio signal is sampled periodically for conversion to digital form. We thus estimate the mobility path taken by an attacker by executing an HPB algorithm for an attack message received at every interval over a time period . The vehicular centroids of the resulting candidate areas constitute the estimated attacker positions, and the angle from one estimated point to the next determines the approximated direction of travel.

Algorithm 4 (mobile attacker tracking).

For every attack message , an estimated transmitter location must be determined. An execution of HPB using the RSS values corresponding to yields a vehicular candidate area , as put forth in Definition 3. The road centroid of is computed as , according to Definition 4. It is by definition the closest point in the vehicular layout to the averaged center of the , and thus the natural choice for an estimated value of the true transmitter location . The direction of travel of a transmitter is stated in Definition 5 as the angle between consecutive positions in Euclidian space. We follow the same logic to compute the estimated direction of travel between transmitted messages and as the angle between the corresponding estimated positions and .

Example 1.

Figure 2 depicts an example mobility path of a malicious insider, with consecutive traveled points labeled from 1 to 20. The transmitter broadcasts an attack message at every fourth location, labeled as points 4, 8, 12, 16 and 20.

## 5. Performance Evaluation

We describe a simulated vehicular scenario to evaluate the localization and tracking performance of the extended HPB mechanisms described in Section 4.2. In order to model a mobile attacker transmitting at 2.4 GHz, we employ Rappaport's log-normal shadowing model [22] to generate simulated RSS values at a set of receivers, taking into account an independently random amount of signal shadowing experienced at each receiving device. According to Rappaport, the log-normal shadowing model has been used extensively in experimental settings to capture radio signal propagation characteristics, in both indoor and outdoor channels, including in mobility scenarios. In our previous work, we have evaluated HPB results with both log-normal shadowing simulated RSS values and RSS reports harvested from an outdoor field experiment at 2.4 GHz [9]. We found that the simulated and experimental location estimation results are nearly identical, indicating that at this frequency, the log-normal shadowing model is an appropriate tool for generating realistic RSS values.

We compare the success rates of the , and algorithms at estimating a malicious transmitter's location within a candidate area, as well as the relative sizes of the grid and vehicular candidate areas. We model a mobile transmitter's path through a vehicular scenario and assess the success in tracking it by measuring the distance between the actual and estimated positions, in addition to the difference between the approximated direction of travel and the real one.

### 5.1. Hyperbolic Position Bounding of Vehicular Devices

Generally, both the and sizes decrease as the number of receivers increases, since additional hyperbolic areas pose a higher number of constraints on a candidate area, thus decreasing its extent. We see in Figures 6 and 7 that consistently yields larger candidate areas than for the same reason, as generates a significantly greater number of hyperbolic areas. For example, while computes an average of 10% and 3% of the simulation grid with eight and 16 receivers, yields areas of 15% and 9%, respectively. By contrast, yields a size of 5-6% but its reliability is greater, as demonstrated by the higher success rates achieved. The nearly constant 5% GA size computed with has an average success rate of 81% for 16 receivers, while the 9% GA generated by is 79% reliable and the 3% GA obtained with features a dismal 68% success rate. Indeed, Figures 5 and 6 taken together indicate that smaller candidate areas provide increased granularity at the cost of lower success rates, and thus decreased reliability. This phenomenon is consistent with the intuitive expectation that a smaller area is less likely to contain the transmitter.

### 5.2. Tracking a Vehicular Device

We generate 1000 attacker mobility paths , as stipulated in Definition 5, of 20 consecutive points evenly spaced at every 25 meters. Each path begins at a random start location along the central square of the simulation grid depicted in Figure 4. We keep the simulated transmitter location within the area covered by four fixed RSUs, presuming that an infinite grid features at least four RSUs within radio range of a transmitter. The direction of travel for the start location is determined randomly. Each subsequent point in the mobile path is contiguous to the previous point, along the direction of travel. Upon reaching an intersection in the simulation grid, a direction of travel is chosen randomly among the ones available from the current position, excluding the reverse direction.

The , and algorithms are executed at every fourth point of each mobility path , corresponding to a transmitted attack signal at every 100 meters. The algorithms are executed for confidence levels , with each of four, eight, 16 and 32 receivers. In every case, the receivers consist of four static RSUs, and the remaining are OBUs randomly placed at any point on the simulated roads.

For each execution of
,
and
, a vehicular candidate area
is computed, and its centroid
is taken as the probable location of the transmitter, as described in Algorithm 4. Two metrics are aggregated over the executions: the root mean square *location error*, as the distance in meters between the actual transmitter location
and its estimated position
; and the root mean square *angle error* between the angle of travel
for each consecutive actual transmitter location and the angle
computed for the approximated locations.

## 6. Discussion

The location error results of Figure 8 shed an interesting light on the HPB success rates discussed in Section 5.1. For example in the presence of 32 receivers, for confidence level , only 50% of executions yield a candidate area containing a malicious transmitter, as shown in Figure 5. Yet the same scenario localizes a transmitter with a root mean square location error of 45 meters of its true location, whether it lies within the corresponding candidate area or not. This indicates that while a candidate area may be computed in the wrong position, it is in fact rarely far from the correct transmitter location. This may be a result of our strict definition of a successful execution, where only a candidate area in the intersection of all hyperbolic areas is considered. We have observed in our simulations that a candidate area may be erroneous solely because of a single misplaced hyperbolic area, which results in either a wrong location or an empty candidate area. In our simulations tracking a mobile attacker, we notice that while and generate an empty for 10% and 14% of executions, does so in 31% of the cases. This phenomenon is likely due to the greater number of hyperbolic areas generated with the approach and the subsequent greater likelihood of erroneously situated hyperbolic areas. While the success rates depicted in Figure 5 omit the executions yielding empty candidate areas as inconclusive, future work includes devising a heuristic to recompute a set of hyperbolic areas in the case where their common intersection is empty.

In comparing the location accuracy of HPB with related technologies, we find that, for example, differential GPS devices can achieve less than 10 meter accuracy. However, this technology is better suited to self-localization efforts relying on a device's assistance and cannot be depended upon for the position estimation of a noncooperative adversary. The FCC has set forth regulations for the network-based localization of wireless handsets in emergency 911 call situations. Service providers are expected to locate a calling device within 100 meters 67% of the time and within 300 meters in 95% of cases [28]. In the minimalist case involving four receivers, the HPB perimeter-pairs variation localizes a transmitting device with a root mean square location error of 107 meters. This translates into a location accuracy of 210 meters in 95% of cases and of 104 meters in 67% of executions. While the former case is fully within FCC guidelines, the latter is very close. With a larger number of receivers, for example, eight receiving devices, yields an accuracy of 188 meters 95% of the time and of 93 meters in 67% of cases. Although HPB is designed for the location estimation of a malicious insider, its use may be extended to additional applications such as 911 call origin localization, given that its performance closely matches the FCC requirements for emergency services.

## 7. Conclusion

We extend a hyperbolic position bounding (HPB) mechanism to localize the originator of an attack signal within a vehicular network. Because of our novel assumption that the message EIRP is unknown, the HPB location estimation approach is suitable to security scenarios involving malicious or uncooperative devices, including insider attacks. Any countermeasure to this type of exploit must feature minimalist assumptions regarding the type of radio equipment used by an attacker and expect no cooperation with localization efforts on the part of a perpetrator.

We devise two additional HPB-based approaches to compute hyperbolic areas between pairs of trusted receivers by grouping them in sets and establishing perimeter receivers. We demonstrate that due to the dynamic computation of a probable EIRP range utilized by an attacker, our HPB algorithms are impervious to varying power attacks. We extend the HPB algorithms to track the location of a mobile attacker transmitting along a traveled path.

The performance of all three HPB variations is evaluated in a vehicular scenario. We find that the grouped receivers method yields a localization success rate up to 11% higher for a 6% increase in candidate area size over the all-pairs approach. We also observe that the perimeter-pairs algorithm provides a more constant candidate area size, independently of the number of receivers, for a success rate up to 13% higher for a 2% increase in candidate area size over the all-pairs variation. We conclude that the original HPB mechanism using all pairs of receivers produces a smaller localization error than the other two approaches, when a large number of receiving devices are available. We observe that for a confidence level of 95%, the former approach localizes a mobile transmitter with a granularity as low as 45 meters, up to 40–50% more precisely than the grouped receivers and perimeter-pairs methods. However, the computational complexity of the all-pairs variation is significantly greater, and its performance with fewer receivers is less granular than the perimeter-pairs method. Of the two approaches with complexity , the perimeter-pairs method yields a success rate up to 8% higher for consistently smaller candidate area sizes, location, and direction errors.

In a vehicular scenario, we achieve a root mean square location error of 107 meters with four receivers and of 96 meters with eight receiving devices. This granularity is sufficient to satisfy the FCC-mandated location accuracy regulations for emergency 911 services. Our HPB mechanism may therefore be adaptable to a wide range of applications involving network-based device localization assuming neither target node cooperation nor knowledge of the EIRP.

We have demonstrated the suitability of the hyperbolic position bounding mechanism for estimating the candidate location of a vehicular network malicious insider and for tracking such a device as it moves throughout the network. Future research is required to assess the applicability of the HPB localization and tracking mechanisms in additional types of wireless and mobile technologies, including wireless access networks such as WiMAX/802.16.

## Declarations

### Acknowledgments

The authors gratefully acknowledge the financial support received for this research from the Natural Sciences and Engineering Research Council of Canada (NSERC) and the Automobile of the 21st Century (AUTO21) Network of Centers of Excellence (NCE).

## Authors’ Affiliations

## References

- IEEE Intelligent Transportation Systems Committee : IEEE Trial-Use Standard for Wireless Access in Vehicular Environments—Security Services for Applications and Management Messages. IEEE Std 1609.2-2006, July 2006Google Scholar
- Anderson R, Bond M, Clulow J, Skorobogatov S: Cryptographic processors—a survey.
*Proceedings of the IEEE*2006, 94(2):357-369.View ArticleGoogle Scholar - Anderson R, Kuhn M: Tamper resistance: a cautionary note.
*Proceedings of the 2nd USENIX Workshop on Electronic Commerce, November 1996, Oakland, Calif, USA*1-11.Google Scholar - National Institute of Standards and Technology : Security Requirements for Cryptographic Modules. Federal Information Processing Standards 140-2, NIST, May 2001Google Scholar
- IBM : IBM 4764 PCI-X Cryptographic Coprocessor. http://www.ibm.com
- Williams DE: A Concept for Universal Identification. White paper, SANS Institute, December 2001Google Scholar
- SeVeCom :
*Security architecture and mechanisms for V2V/V2I, deliverable 2.1.*Tech. Rep. D2.1, Secure Vehicle Communication, Paris, France; August 2007.Google Scholar - Laurendeau C, Barbeau M: Insider attack attribution using signal strength-based hyperbolic location estimation.
*Security and Communication Networks*2008, 1(4):337-349. 10.1002/sec.35View ArticleGoogle Scholar - Laurendeau C, Barbeau M: Hyperbolic location estimation of malicious nodes in mobile WiFi/802.11 networks.
*Proceedings of the 2nd IEEE LCN Workshop on User MObility and VEhicular Networks (ON-MOVE '08), October 2008, Montreal, Canada*600-607.Google Scholar - Boukerche A, Oliveira HABF, Nakamura EF, Loureiro AAF: Vehicular ad hoc networks: a new challenge for localization-based systems.
*Computer Communications*2008, 31(12):2838-2849. 10.1016/j.comcom.2007.12.004View ArticleGoogle Scholar - Parker R, Valaee S: Vehicular node localization using received-signal-strength indicator.
*IEEE Transactions on Vehicular Technology*2007, 56(6, part 1):3371-3380.View ArticleGoogle Scholar - Hubaux J-P, Čapkun S, Luo J: The security and privacy of smart vehicles.
*IEEE Security & Privacy*2004, 2(3):49-55.View ArticleGoogle Scholar - Čapkun S, Hubaux J-P: Secure positioning in wireless networks.
*IEEE Journal on Selected Areas in Communications*2006, 24(2):221-232.View ArticleGoogle Scholar - Brands S, Chaum D: Distance-bounding protocols. In
*Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology (EUROCRYPT '94), May 1994, Perugia, Italy, Lecture Notes in Computer Science*.*Volume 765*. Springer; 344-359.Google Scholar - Xiao B, Yu B, Gao C: Detection and localization of sybil nodes in VANETs.
*Proceedings of the Workshop on Dependability Issues in Wireless Ad Hoc Networks and Sensor Networks (DIWANS '06), September 2006, Los Angeles, Calif, USA*1-8.Google Scholar - Leinmüller T, Schoch E, Kargl F: Position verification approaches for vehicular ad hoc networks.
*IEEE Wireless Communications*2006, 13(5):16-21.View ArticleGoogle Scholar - Douceur JR: The Sybil attack. In
*Peer-to-Peer Systems, Lecture Notes in Computer Science*.*Volume 2429*. Springer, Berlin, Germany; 2002:251-260.Google Scholar - Tang L, Hong X, Bradford PG: Privacy-preserving secure relative localization in vehicular networks.
*Security and Communication Networks*2008, 1(3):195-204. 10.1002/sec.31View ArticleGoogle Scholar - Yan G, Olariu S, Weigle MC: Providing VANET security through active position detection.
*Computer Communications*2008, 31(12):2883-2897. 10.1016/j.comcom.2008.01.009View ArticleGoogle Scholar - Mirmotahhary N, Kohansal A, Zamiri-Jafarian H, Mirsalehi M: Discrete mobile user tracking algorithm via velocity estimation for microcellular urban environment.
*Proceedings of the 67th IEEE Vehicular Technology Conference (VTC '08), May 2008, Singapore*2631-2635.Google Scholar - Zaidi ZR, Mark BL: Real-time mobility tracking algorithms for cellular networks based on Kalman filtering.
*IEEE Transactions on Mobile Computing*2005, 4(2):195-208.View ArticleGoogle Scholar - Rappaport TS:
*Wireless Communications: Principles and Practice*. 2nd edition. Prentice-Hall, Upper Saddle River, NJ, USA; 2002.Google Scholar - Laurendeau C, Barbeau M: Probabilistic evidence aggregation for malicious node position bounding in wireless networks.
*Journal of Networks*2009, 4(1):9-18.View ArticleGoogle Scholar - Chen Y, Kleisouris K, Li X, Trappe W, Martin RP: The robustness of localization algorithms to signal strength attacks: a comparative study. In
*Proceedings of the 2nd IEEE International Conference on Distributed Computing in Sensor Systems (DCOSS '06), June 2006, San Francisco, Calif, USA, Lecture Notes in Computer Science*.*Volume 4026*. Springer; 546-563.Google Scholar - American National Standards Institute : Programming Language FORTRAN. ANSI Standard X3.9-1978, 1978Google Scholar
- Liechty LC:
*Path loss measurements and model analysis of a 2.4 GHz wireless network in an outdoor environment, M.S. thesis*. Georgia Institute of Technology, Atlanta, Ga, USA; August 2007.Google Scholar - Liechty LC, Reifsnider E, Durgin G: Developing the best 2.4 GHz propagation model from active network measurements.
*Proceedings of the 66th IEEE Vehicular Technology Conference (VTC '07), September-October 2007, Baltimore, Md, USA*894-896.Google Scholar - Federal Communications Commission 911 Service, FCC Code of Federal Regulations, Title 47, Part 20, Section 20.18, October 2007Google Scholar

## Copyright

This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.